[Date Prev] [Date Index] [Date Next] [Thread Prev] [Thread Index] [Thread Next]

Re: idletimeout issues, and kerberos authentication

Bryan Stansell bryan@conserver.com
Fri, 9 Sep 2005 17:06:39 -0700 (PDT)

On Fri, Sep 09, 2005 at 02:00:32PM +0100, Peter Saunders wrote:
> Could this be changed, or another option be enabled? As it stands we have 
> terminal servers that timeout after 15 minutes, so have an idletimeout of 10.
> However, most of the time, the hosts have actually written to the
> console in that time, so the idletimeout isn't required to actually send
> its string.

so, would most term servers reset their disconnect timer when data flows
either way?  my first impression was that data had to be sent to the
term server to keep it alive.  but if that's not the case, it can
certainly be changed so that the idletimeout doesn't fire until it's
totally quiet.

if anyone can prove that the idle bits work as i expected (data needs to
come into the term server), please let me know.  otherwise, i'll just go
on the assumption that data in either direction prevents the term server
from shutting things down and fix things as requested.  it certainly
makes sense (well, they both do, but this slightly more).

> The other useful option would be direct Kerberos support. That way, it
> would still authenticate users, but if they had an existing Kerberos
> credential a password would not be required. I'm not sure how easy or
> hard this would be to do in reality however :)

me either.  perhaps the PAM hooks would work?  i've never tried,
honestly.  i'd certainly put any kerberos patches into the distribution.
i don't have an environment to develop and test against (or any
knowledge of the kerberos api).