Subject: Re: Kerberos 5 credential forwarding support in network login daemons
To: None <>
From: Tracy J. Di Marco White <>
List: tech-security
Date: 03/08/2001 20:17:38
}I've noticed that when Kerberos 5 credentials are forwarded (such
}as via telnet -f), that a credential cache is created as if it were
}simply created by login(1) (i.e. "/tmp/krb5cc_uid").  This doesn't
}seem quite right to me.
}What would seem more reasonable is for the network login daemon (telnetd,
}in my example) to create the credential cache with a more unique ID,
}e.g. "/tmp/krb5cc_uid_ptyname", set the KRB5CCNAME environment variable,
}and when the session ends, destroy the credential cache that we created.
}My thought here is that you don't want to simply have a "kdestroy" in
}your logout script, because you might stomp on creds being used by
}another login session...

At work, a long-time Kerberos shop, login will set the cache file name
with "sprintf(tktfile, KRB_FILEFMT, tktprfx, tv.tv_sec, tv.tv_usec);"
where KRB_FILEFMT is "%s%08.8x%06.6x" and the names end up like
tkt_3aa426a001efae.  We're still using Kerberos 4 on the clients,
so we haven't dealt with credential forwarding yet, but the reasoning
behind this was to have individual credentials for separate sessions,
and it's something I like.  While this may be overkill and not something
you're interested in, it's been fairly useful for us as a large site
with people logging into systems multiple times (some of our users have
yet to discover screen).  And, well, it makes it very unlikely you would
accidentally kdestroy the wrong credentials.

Tracy J. Di Marco White
Project Vincent Systems Manager
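
An added example, not code from either poster or from any login daemon: one way to give each session its own credential cache, export KRB5CCNAME, and remove only that cache at logout. It swaps in mkstemp(3) for the pty-name and timestamp naming schemes discussed above; the function names are hypothetical, and the file is only reserved here (storing the forwarded credentials is left to the Kerberos library).

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: create an empty per-session cache file
 * "<dir>/krb5cc_<uid>_XXXXXX" and point KRB5CCNAME at it.
 * mkstemp() opens with O_CREAT|O_EXCL, so a pre-planted file or
 * symlink in a shared directory is never reused. */
int session_ccache_create(uid_t uid, const char *dir, char *path, size_t len)
{
    char env[512];
    int n = snprintf(path, len, "%s/krb5cc_%lu_XXXXXX", dir, (unsigned long)uid);
    if (n < 0 || (size_t)n >= len)
        return -1;                              /* template truncated */
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    if (fchmod(fd, S_IRUSR | S_IWUSR) != 0) {   /* owner-only, 0600 */
        close(fd);
        unlink(path);
        return -1;
    }
    close(fd);
    n = snprintf(env, sizeof env, "FILE:%s", path);
    if (n < 0 || (size_t)n >= sizeof env || setenv("KRB5CCNAME", env, 1) != 0) {
        unlink(path);
        return -1;
    }
    return 0;
}

/* At session end, remove only the cache this session created. */
int session_ccache_destroy(const char *path)
{
    unsetenv("KRB5CCNAME");
    return unlink(path);
}

int main(void)
{
    char a[256], b[256];                        /* two constructed sessions */
    if (session_ccache_create(getuid(), "/tmp", a, sizeof a) != 0 ||
        session_ccache_create(getuid(), "/tmp", b, sizeof b) != 0)
        return 1;
    printf("session A: %s\nsession B: %s\n", a, b);
    session_ccache_destroy(a);                  /* B's cache is untouched */
    printf("B still present: %s\n", access(b, F_OK) == 0 ? "yes" : "no");
    return session_ccache_destroy(b) == 0 ? 0 : 1;
}
```

A daemon running as root would also need to hand ownership of the file to the logging-in user before dropping privileges; that step is omitted here.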