Subject: Re: Kerberos 5 credential forwarding support in network login daemons
To: Jason R Thorpe <thorpej@zembu.com>
From: Bill Studenmund <wrstuden@zembu.com>
List: tech-security
Date: 03/12/2001 15:00:47

On Thu, 8 Mar 2001, Jason R Thorpe wrote:
> On Thu, Mar 08, 2001 at 08:17:38PM -0600, Tracy J. Di Marco White wrote:
>
> > At work, a long time kerberos shop, login will set the cache file name
> > with "sprintf(tktfile, KRB_FILEFMT, tktprfx, tv.tv_sec, tv.tv_usec);"
> > where KRB_FILEFMT is "%s%08.8x%06.6x" and the names end up like
> > tkt_3aa426a001efae. We're still using kerberos 4 on the clients,
> > so we haven't dealt with credential forwarding yet, but the reasoning
> > behind this was to have individual credentials for separate sessions,
> > and it's something I like. While this may be overkill and not something
> > you're interested in, it's been fairly useful for us as a large site
> > with people logging into systems multiple times (some of our users have
> > yet to discover screen). And, well, it makes it very unlikely you would
> > accidentally kdestroy the wrong credentials.
>
> No, it actually sounds very much like what I would like. I don't
> think I want quite as obscure a ticket file name as you have, but
> the same kind of idea.

What if someone had a program running using screen which needed that
ticket file?

Take care,
Bill
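
The per-session ticket file naming quoted above, as an added example that is not code from this thread or from any Kerberos source tree. The function names and the `/tmp/tkt_` prefix are assumptions (the thread shows only `tkt_`), and the exclusive-create step is an addition: a name built from the clock is guessable, so the file is opened with `O_EXCL`.

```c
/* Added example: not code from this thread or from any Kerberos tree. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/time.h>
#include <unistd.h>

/* Same output as the quoted "%s%08.8x%06.6x"; the ".8"/".6" precision is
 * dropped because C ignores the 0 flag when a precision is given. */
#define KRB_FILEFMT "%s%08x%06x"

/* Hypothetical helper: build the per-session ticket file name. */
int session_tkt_name(char *buf, size_t len, const char *prefix,
                     const struct timeval *tv)
{
    int n = snprintf(buf, len, KRB_FILEFMT, prefix,
                     (unsigned int)tv->tv_sec, (unsigned int)tv->tv_usec);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;   /* -1 on truncation */
}

/* Hypothetical helper: create the file for a new session. The name is
 * derived from the clock and is guessable, so O_EXCL makes open() fail on a
 * pre-existing file or symlink instead of reusing it. Returns fd or -1. */
int session_tkt_create(char *buf, size_t len, const char *prefix)
{
    struct timeval tv;
    for (int tries = 0; tries < 8; tries++) {
        if (gettimeofday(&tv, NULL) != 0 ||
            session_tkt_name(buf, len, prefix, &tv) != 0)
            return -1;
        int fd = open(buf, O_WRONLY | O_CREAT | O_EXCL, 0600);
        if (fd >= 0 || errno != EEXIST)
            return fd;              /* success, or a real error */
    }
    return -1;                      /* kept colliding; give up */
}

int main(void)
{
    char name[64];
    int fd = session_tkt_create(name, sizeof name, "/tmp/tkt_"); /* assumed prefix */
    if (fd < 0) { perror("ticket file"); return 1; }
    printf("KRBTKFILE=%s\n", name);
    close(fd);
    unlink(name);   /* demo only: a real login leaves it for the session */
    return 0;
}
```

With `tv_sec = 0x3aa426a0` and `tv_usec = 0x01efae` the name helper reproduces the `tkt_3aa426a001efae` shown in the quoted message.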