Subject: Kerberos 5 credential forwarding support in network login daemons
To: None <email@example.com>
From: Jason R Thorpe <firstname.lastname@example.org>
Date: 03/08/2001 17:59:16

I've noticed that when Kerberos 5 credentials are forwarded (such
as via telnet -f), a credential cache is created as if it were
simply created by login(1) (i.e. "/tmp/krb5cc_uid"). This doesn't
seem quite right to me.

What would seem more reasonable is for the network login daemon (telnetd,
in my example) to create the credential cache with a more unique ID,
e.g. "/tmp/krb5cc_uid_ptyname", set the KRB5CCNAME environment variable,
and when the session ends, destroy the credential cache that we created.

My thought here is that you don't want to simply have a "kdestroy" in
your logout script, because you might stomp on creds being used by
another login session...

-- Jason R. Thorpe <email@example.com>
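
The per-session cache naming and cleanup proposed in the message above, as an added C example (not part of the original post and not code from any actual telnetd). The function names and the mapping of '/' to '_' in the pty name are assumptions; writing the forwarded credentials into the file is left to the Kerberos library.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Build "<dir>/krb5cc_<uid>_<ptyname>" from a tty path such as "/dev/ttyp3".
 * A '/' inside the pty name ("pts/3") becomes '_' so the result is one file. */
int session_cc_path(char *out, size_t len, const char *dir, uid_t uid, const char *tty)
{
    const char *pty = strncmp(tty, "/dev/", 5) == 0 ? tty + 5 : tty;
    int n = snprintf(out, len, "%s/krb5cc_%lu_%s", dir, (unsigned long)uid, pty);
    if (*pty == '\0' || n < 0 || (size_t)n >= len)
        return -1;
    for (char *c = out + strlen(dir) + 1; *c != '\0'; c++)
        if (*c == '/')
            *c = '_';
    return 0;
}

/* Session start: create the cache file (O_EXCL refuses an existing file or
 * symlink, mode 0600) and export KRB5CCNAME for the login session. */
int session_cc_begin(const char *path)
{
    char env[1024];
    int n = snprintf(env, sizeof env, "FILE:%s", path);
    if (n < 0 || (size_t)n >= sizeof env)
        return -1;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;
    close(fd);
    return setenv("KRB5CCNAME", env, 1);
}

/* Session end: remove only this session's cache, leaving the user's others. */
int session_cc_end(const char *path)
{
    return unlink(path);
}

int main(void)
{
    char path[256];   /* uid 1000 and /dev/pts/3 are constructed sample values */
    if (session_cc_path(path, sizeof path, "/tmp", 1000, "/dev/pts/3") == 0)
        printf("KRB5CCNAME=FILE:%s\n", path);
    return 0;
}
```

Because cleanup unlinks one named file rather than running a blanket kdestroy against the per-uid default, a logout on one pty cannot remove credentials another session is still using.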