Subject: Kerberos 5 credential forwarding support in network login daemons
To: None <tech-security@netbsd.org>
From: Jason R Thorpe <thorpej@zembu.com>
List: tech-security
Date: 03/08/2001 17:59:16
Folks...

I've noticed that when Kerberos 5 credentials are forwarded (such
as via telnet -f), a credential cache is created as if it were
simply created by login(1) (i.e. "/tmp/krb5cc_uid").  This doesn't
seem quite right to me.

What would seem more reasonable is for the network login daemon (telnetd,
in my example) to create the credential cache with a more unique ID,
e.g. "/tmp/krb5cc_uid_ptyname", set the KRB5CCNAME environment variable,
and when the session ends, destroy the credential cache that we created.

My thought here is that you don't want to simply have a "kdestroy" in
your logout script, because you might stomp on creds being used by
another login session...

Comments?

-- 
        -- Jason R. Thorpe <thorpej@zembu.com>
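The per-session cache lifecycle proposed above, as an added example that is not part of the original post or of NetBSD's telnetd: a POSIX shell sketch in which an empty file stands in for the forwarded credentials, and the uid and pty name are passed in as arguments (constructed values, not taken from a real login).

```shell
#!/bin/sh
# Per-session Kerberos 5 credential cache handling, modelled on the
# proposal above: name the cache after uid AND pty, point KRB5CCNAME at
# it, and at session end destroy only that one cache.

# Build the per-session cache name: /tmp/krb5cc_<uid>_<pty>.
# A "/" in the pty name (e.g. pts/3) is replaced so the path stays flat.
krb5_session_ccname() {
    uid=$1; pty=$2
    printf '/tmp/krb5cc_%s_%s\n' "$uid" "$(printf '%s' "$pty" | tr '/' '_')"
}

# Start a session: create the cache (an empty placeholder file here,
# standing in for the forwarded credentials) and export KRB5CCNAME.
krb5_session_begin() {
    ccname=$(krb5_session_ccname "$1" "$2")
    (umask 077; : > "$ccname")         # mode 0600, like a real ccache
    KRB5CCNAME="FILE:$ccname"; export KRB5CCNAME
    printf '%s\n' "$ccname"
}

# End a session: destroy only the cache this session created.  The
# login-wide /tmp/krb5cc_<uid> (no pty suffix) is never touched, so a
# plain "kdestroy" in a logout script is not needed and cannot stomp on
# another session's credentials.
krb5_session_end() {
    ccname=$1
    case $ccname in
        /tmp/krb5cc_*_*) ;;
        *) echo "refusing to destroy non-session cache $ccname" >&2; return 1 ;;
    esac
    if command -v kdestroy >/dev/null 2>&1; then
        # kdestroy fails on the placeholder file; fall back to removing it
        KRB5CCNAME="FILE:$ccname" kdestroy 2>/dev/null || rm -f "$ccname"
    else
        rm -f "$ccname"
    fi
}
```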