Subject: Re: Kerberos 5 credential forwarding support in network login daemons
To: Johan Danielsson <joda@pdc.kth.se>
From: Jason R Thorpe <thorpej@zembu.com>
List: tech-security
Date: 03/13/2001 07:45:32

On Tue, Mar 13, 2001 at 11:12:59AM +0100, Johan Danielsson wrote:

 > This is btw what our login does (it actually passes it further to the
 > local sysadmin), it can be configured to run a program when the shell
 > exits.

Hm... The login(1) in NetBSD, if it gets forwarded credentials, will
fork, and wait for the shell to exit... and then clean up the forwarded
credentials when it does.

That behavior could be modified by, say, a login_cap(3) option.

But that doesn't address the issue of e.g. using SSH to execute a
command which needs Kerberos credentials, and forwarding them along
to the process; you want to clean those up, but you don't have any
login(1) program running to do it for you.

Feh.

-- 
        -- Jason R. Thorpe <thorpej@zembu.com>