Subject: Re: Kerberos 5 credential forwarding support in network login daemons
To: Jason R Thorpe <>
From: Bill Studenmund <>
List: tech-security
Date: 03/12/2001 15:00:47
On Thu, 8 Mar 2001, Jason R Thorpe wrote:

> On Thu, Mar 08, 2001 at 08:17:38PM -0600, Tracy J. Di Marco White wrote:
>  > At work, a long time kerberos shop, login will set the cache file name
>  > with "sprintf(tktfile, KRB_FILEFMT, tktprfx, tv.tv_sec, tv.tv_usec);"
>  > where KRB_FILEFMT is "%s%08.8x%06.6x" and the names end up like
>  > tkt_3aa426a001efae.  We're still using kerberos 4 on the clients,
>  > so we haven't dealt with credential forwarding yet, but the reasoning
>  > behind this was to have individual credentials for separate sessions,
>  > and it's something I like.  While this may be overkill and not something
>  > you're interested in, it's been fairly useful for us as a large site
>  > with people logging into systems multiple times (some of our users have
>  > yet to discover screen).  And, well, it makes it very unlikely you would
>  > accidently kdestroy the wrong credentials.
> No, it actually sounds very much like what I would like.  I don't
> think I want quite as obscure a ticket file name as you have, but
> the same kind of idea.

What if someone had a program running using screen which needed that
ticket file?

Take care,