Subject: Re: Kerberos 5 credential forwarding support in network login daemons
To: None <thorpej@zembu.com>
From: Johan Danielsson <joda@pdc.kth.se>
List: tech-security
Date: 03/10/2001 16:49:56

Jason R Thorpe <thorpej@zembu.com> writes:

> What would seem more reasonable is for the network login daemon
> (telnetd, in my example) to create the credential cache with a more
> unique ID, e.g. "/tmp/krb5cc_uid_ptyname", set the KRB5CCNAME
> environment variable,

You might want to use the forwarding mechanism to move tickets to
another host, and still have them there when you log out, and you
can't do both of these, so pick one.

I'd probably use krb5_cc_gen_new for the cred file. Keeping uid's and
tty's in the name is nice, but in my experience it creates more
trouble than you need. The default of using the uid as a uniquifier is
very useful if you can't set the KRB5CCNAME variable, but otherwise
not.

/Johan
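
The per-session cache discussed in this message, as an added example that is not part of the original thread or of any Kerberos implementation: a login daemon creates an unpredictably named cache file, hands it to the user, exports KRB5CCNAME, and removes the file at logout. It uses POSIX mkstemp() as a stand-in for krb5_cc_gen_new so that it builds without a Kerberos library; the function names session_ccache_create and session_ccache_destroy are hypothetical.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Hypothetical helper: create an empty cache file with a random suffix in
 * `dir`, give it to `owner`, and export it as KRB5CCNAME.
 * Writes "FILE:<path>" into `name`. Returns 0 on success, -1 on failure. */
int session_ccache_create(const char *dir, uid_t owner, char *name, size_t len)
{
    char path[256];
    int n = snprintf(path, sizeof(path), "%s/krb5cc_XXXXXX", dir);
    if (n < 0 || (size_t)n >= sizeof(path))
        return -1;

    /* mkstemp() creates the file exclusively with mode 0600, so a file or
     * symlink planted under a guessable name is never reused. */
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;

    /* The daemon runs as root; the cache must belong to the login user. */
    int ok = fchown(fd, owner, (gid_t)-1) == 0;
    close(fd);

    n = snprintf(name, len, "FILE:%s", path);
    if (!ok || n < 0 || (size_t)n >= len || setenv("KRB5CCNAME", name, 1) != 0) {
        unlink(path);
        return -1;
    }
    return 0;
}

/* Logout-time cleanup. Calling this is the "tickets die with the session"
 * choice; skipping it is the "forwarded tickets stay on the host" choice. */
int session_ccache_destroy(const char *name)
{
    if (strncmp(name, "FILE:", 5) != 0)
        return -1;
    unsetenv("KRB5CCNAME");
    return unlink(name + 5);
}

int main(void)
{
    char name[300];
    if (session_ccache_create("/tmp", getuid(), name, sizeof(name)) != 0)
        return 1;
    printf("KRB5CCNAME=%s\n", name);
    return session_ccache_destroy(name) == 0 ? 0 : 1;
}
```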