Subject: Re: Kerberos 5 credential forwarding support in network login daemons
To: Tracy J. Di Marco White <>
From: Jason R Thorpe <>
List: tech-security
Date: 03/08/2001 18:37:32
On Thu, Mar 08, 2001 at 08:17:38PM -0600, Tracy J. Di Marco White wrote:

 > At work, a long time kerberos shop, login will set the cache file name
 > with "sprintf(tktfile, KRB_FILEFMT, tktprfx, tv.tv_sec, tv.tv_usec);"
 > where KRB_FILEFMT is "%s%08.8x%06.6x" and the names end up like
 > tkt_3aa426a001efae.  We're still using kerberos 4 on the clients,
 > so we haven't dealt with credential forwarding yet, but the reasoning
 > behind this was to have individual credentials for separate sessions,
 > and it's something I like.  While this may be overkill and not something
 > you're interested in, it's been fairly useful for us as a large site
 > with people logging into systems multiple times (some of our users have
 > yet to discover screen).  And, well, it makes it very unlikely you would
 > accidently kdestroy the wrong credentials.

No, it actually sounds very much like what I would like.  I don't
think I want quite as obscure a ticket file name as you have, but
the same kind of idea.

Actually, it looks like our login(1) almost does the right thing, but
e.g. telnetd(8) doens't quite cooperate.

        -- Jason R. Thorpe <>