max_uid_ccaches = 1
@@ -217,6 +217,21 @@ Using a random, non-existing cache name resulted in a failure, not in the creati
|
||||
So that self made PAM module would need to be extended to also create the cache.
|
||||
I assumed that the "End of PAM" solution would be easier to implement, so I opted for that.
|
||||
|
||||
|
||||
### Only One Cache
|
||||
The `sssd-kcm` limits the number of caches by default to 64, but that can be changed to 1 with the `max_uid_ccaches`.
|
||||
So there would be only one cache, shared by all sessions, but at least the `KCM` cannot serve anything but the latest.
|
||||
|
||||
I did not exactly test this, but I tested what happens when all 64 caches are used up.
|
||||
|
||||
It was not possible any more to authenticate on the lock screen:
|
||||
|
||||
```
|
||||
Okt 05 14:57:11 lxdev01.psi.ch krb5_child[43689]: Internal credentials cache error
|
||||
```
|
||||
So this causes a denial of service problem, we need to deal with somehow, e.g. by regulary removing expired caches.
|
||||
|
||||
|
||||
## Options for Next Steps
|
||||
|
||||
### Try out Start of PAM
|
||||
|
||||
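Review bot: The "Only One Cache" section claims that with `max_uid_ccaches` set to 1 "the `KCM` cannot serve anything but the latest", but the only behaviour actually tested is the exhausted 64-cache limit, where lock-screen authentication failed with "Internal credentials cache error". If hitting a limit of 1 behaves the same way, the second session would fail to authenticate rather than replace the existing cache, so the setting would bring the denial of service forward instead of restricting KCM to the newest ticket. Please test the limit of 1 directly and record the result here before the commit title presents it as the chosen setting. The section should also say where `max_uid_ccaches` is set so that readers can reproduce it, and list the proposed cleanup of expired caches under "Options for Next Steps", since the text itself names it as the required mitigation. Small wording fix in the same paragraph: "regulary" should be "regularly".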