Subject: Kerberos 5 credential forwarding support in network login daemons
To: None <>
From: Jason R Thorpe <>
List: tech-security
Date: 03/08/2001 17:59:16

I've noticed that when Kerberos 5 credentials are forwarded (such
as via telnet -f), a credential cache is created as if it were
simply created by login(1) (i.e. "/tmp/krb5cc_uid").  This doesn't
seem quite right to me.

What would seem more reasonable is for the network login daemon (telnetd,
in my example) to create the credential cache with a more unique ID,
e.g. "/tmp/krb5cc_uid_ptyname", set the KRB5CCNAME environment variable,
and when the session ends, destroy the credential cache that we created.

My thought here is that you don't want to simply have a "kdestroy" in
your logout script, because you might stomp on creds being used by
another login session...


        -- Jason R. Thorpe <>
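The per-session cache scheme sketched in the post (a cache named by uid and pty, KRB5CCNAME pointing at it, and only that cache destroyed at logout), as an added shell example that is not part of the original message or of any telnetd. It assumes a cache directory CCDIR (a fresh temporary directory by default, so running it never touches a real /tmp/krb5cc_* file) and uses an empty file as a stand-in for the cache the Kerberos library would actually write.

```shell
#!/bin/sh
# Added example, not from the original post. Models the per-session
# credential cache naming and cleanup the post proposes for a network
# login daemon. Assumptions: CCDIR is the cache directory (a throwaway
# temp dir by default), a session is identified by (uid, pty name), and
# the cache file itself is a placeholder for what the Kerberos library
# would populate on credential forwarding.
CCDIR="${CCDIR:-$(mktemp -d)}"

session_ccache_name() {
    # $1 = numeric uid, $2 = pty name (e.g. ttyp3). Slashes in the pty
    # name (pts/3) are replaced so the name cannot leave CCDIR.
    uid="$1"; pty=$(printf '%s' "$2" | tr '/' '_')
    printf '%s/krb5cc_%s_%s' "$CCDIR" "$uid" "$pty"
}

session_start() {
    # Create this session's cache (owner read/write only) and return the
    # KRB5CCNAME value the daemon would place in the login environment.
    cc=$(session_ccache_name "$1" "$2")
    ( umask 077; : > "$cc" )
    printf 'FILE:%s' "$cc"
}

session_end() {
    # Destroy only the cache created for this session. A bare "kdestroy"
    # in a logout script would remove whatever KRB5CCNAME points at, which
    # with the shared /tmp/krb5cc_uid name is another live session's cache.
    cc=$(session_ccache_name "$1" "$2")
    rm -f -- "$cc"
}

ccache_exists() {
    # True if the cache for session (uid, pty) is still present.
    [ -f "$(session_ccache_name "$1" "$2")" ]
}

# Demonstration: two sessions for the same uid on different ptys; logging
# out of one leaves the other's credentials intact.
env_a=$(session_start 1000 ttyp1)
env_b=$(session_start 1000 ttyp2)
echo "session A: KRB5CCNAME=$env_a"
echo "session B: KRB5CCNAME=$env_b"
session_end 1000 ttyp1
if ccache_exists 1000 ttyp2; then b_state=present; else b_state=missing; fi
echo "after A logs out, B's cache is $b_state"
```

In a real daemon the same split applies: the cache name is derived from the session (uid plus pty, or any other per-session token), exported as KRB5CCNAME before the user's shell starts, and removed by the daemon when the pty is torn down, not by a user-level logout script that cannot tell which session's cache it is holding.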