I've been investigating options for minimizing the number of credentials that need to be retyped as credentials expire. One of the big problems I'm having now is dealing with delegated credentials, which interferes with long-running SSH sessions.
It seems like the GSSAPIRenewalForcesRekey and GSSAPIStoreCredentialsOnRekey options do exactly what I want - when a client renews its ticket, the credentials would be re-sent to the server.
However, the options appear to have no effect at all. For example, once I set up an SSH connection, I expect that running kinit or kinit -R would eventually refresh the credential cache on the server.
Running ssh and sshd in verbose/debug mode doesn't shed any light on this either.
Do I have the wrong idea about what these options do? I would greatly appreciate any information on what I'm doing wrong or alternate ways of accomplishing this.
As usual, figured this out 5 minutes after posting. For future reference:
Turning GSSAPIKeyExchange on fixed the problem for me.
GSSAPIRenewalForcesRekey and GSSAPIStoreCredentialsOnRekey require GSSAPIKeyExchange to be turned on before they appear to have any effect. In hindsight, it makes some sense that GSSAPI needs to be in charge of the key exchange, but it would have helped a lot if the documentation pointed out this fact...
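A check for the dependency described in the answer above, as an added example that is not from the original post or from OpenSSH: it reads ssh_config- or sshd_config-style text and reports either rekey option set to yes while GSSAPIKeyExchange is not. The function name check_gss_rekey is hypothetical, the sample config is constructed, and Host/Match scoping is ignored.

```shell
# Added example (not from the post): flag GSSAPI rekey options that are
# enabled without GSSAPIKeyExchange. Assumption: the file is treated as flat,
# so Host/Match blocks are not evaluated separately.
check_gss_rekey() {
    awk '
        /^[ \t]*(#|$)/ { next }                      # skip comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            # keyword and value are separated by whitespace or "="
            if (match(line, /[ \t=]+/) == 0) next
            key = tolower(substr(line, 1, RSTART - 1))   # keywords are case-insensitive
            val = tolower(substr(line, RSTART + RLENGTH))
            sub(/[ \t]+$/, "", val)
            if (!(key in seen)) seen[key] = val      # first occurrence wins
        }
        END {
            kex = (seen["gssapikeyexchange"] == "yes")   # absent means not enabled
            bad = 0
            split("gssapirenewalforcesrekey gssapistorecredentialsonrekey", deps, " ")
            for (i = 1; i <= 2; i++) {
                if (seen[deps[i]] == "yes" && !kex) {
                    printf "%s=yes has no effect without GSSAPIKeyExchange yes\n", deps[i]
                    bad = 1
                }
            }
            exit bad                                 # non-zero when a problem was found
        }
    ' "${1:--}"
}

# Constructed client config that reproduces the situation in the question.
check_gss_rekey - <<'EOF' || echo "fix: add GSSAPIKeyExchange yes"
Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
    GSSAPIRenewalForcesRekey yes
EOF
```

Run it against the client's ssh_config and the server's sshd_config separately, since GSSAPIKeyExchange has to be enabled on both ends.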