Subject: Re: Kerberos 5 credential forwarding support in network login daemons
To: Tracy J. Di Marco White <gendalia@iastate.edu>
From: Jason R Thorpe <thorpej@zembu.com>
List: tech-security
Date: 03/08/2001 18:37:32
On Thu, Mar 08, 2001 at 08:17:38PM -0600, Tracy J. Di Marco White wrote:
> At work, a long time kerberos shop, login will set the cache file name
> with "sprintf(tktfile, KRB_FILEFMT, tktprfx, tv.tv_sec, tv.tv_usec);"
> where KRB_FILEFMT is "%s%08.8x%06.6x" and the names end up like
> tkt_3aa426a001efae. We're still using kerberos 4 on the clients,
> so we haven't dealt with credential forwarding yet, but the reasoning
> behind this was to have individual credentials for separate sessions,
> and it's something I like. While this may be overkill and not something
> you're interested in, it's been fairly useful for us as a large site
> with people logging into systems multiple times (some of our users have
> yet to discover screen). And, well, it makes it very unlikely you would
> accidentally kdestroy the wrong credentials.
No, it actually sounds very much like what I would like. I don't
think I want quite as obscure a ticket file name as you have, but
the same kind of idea.
Actually, it looks like our login(1) almost does the right thing, but
e.g. telnetd(8) doesn't quite cooperate.
--
-- Jason R. Thorpe <thorpej@zembu.com>
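As an added illustration of the per-session ticket cache naming Tracy describes (my own code, not from either poster or from NetBSD's login(1)), the C below builds a name from the quoted KRB_FILEFMT and parses it back so the login timestamp of a stray cache file can be recovered; the function names and the "tkt_" prefix are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <sys/time.h>

/* Format quoted on the list: prefix, then seconds and microseconds in hex. */
#define KRB_FILEFMT "%s%08.8x%06.6x"

/* Build a per-session ticket cache name from a prefix and a timeval.
 * Returns the number of characters written, or -1 if the buffer is too small.
 * (Hypothetical helper name, not the login(1) function.) */
int krb_session_cache_name(char *buf, size_t buflen, const char *tktprfx,
                           const struct timeval *tv)
{
    int n = snprintf(buf, buflen, KRB_FILEFMT, tktprfx,
                     (unsigned)tv->tv_sec, (unsigned)tv->tv_usec);
    if (n < 0 || (size_t)n >= buflen)
        return -1;
    return n;
}

/* Recover the login timestamp from a name produced above, e.g. to tell which
 * session a leftover tkt_* file belongs to before running kdestroy on it.
 * Returns 0 on success, -1 if the name does not match the format. */
int krb_session_cache_parse(const char *name, const char *tktprfx,
                            struct timeval *tv)
{
    size_t plen = strlen(tktprfx);
    unsigned sec, usec;

    /* 8 hex digits of seconds + 6 hex digits of microseconds follow the prefix. */
    if (strncmp(name, tktprfx, plen) != 0 || strlen(name + plen) != 14)
        return -1;
    if (sscanf(name + plen, "%8x%6x", &sec, &usec) != 2)
        return -1;
    tv->tv_sec = sec;
    tv->tv_usec = usec;
    return 0;
}

int main(void)
{
    struct timeval tv;
    char name[64];

    gettimeofday(&tv, NULL);
    if (krb_session_cache_name(name, sizeof name, "tkt_", &tv) > 0)
        printf("%s\n", name);
    return 0;
}
```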