
Re: Debian /bin/login and heimdal kerberos



On Mon, Jul 12, 1999 at 08:11:43AM -0400, Ken Hornstein wrote:
> >FWIW when I built MIT krb5 + NRL AFS patches, login (but not kinit) used
> >the basename of the tty instead of the pid.

True - but I haven't seen any real need to do it this way. Should I?

I just copied the kerberos 4 code in the heimdal login, which already
uses the pid.

> It's slightly more complicated than that :-)
> 
> login by itself uses the ttyname (i.e. - when KRB5CCNAME isn't set).
> If you're forwarding a ticket, it uses something based on the pid.
> Now both of these work because they're the parents of everything to come
> afterwards, so they can set KRB5CCNAME and it works.  The logic here is
> that if you're using login/telnetd/rlogind, you want to have credentials
> assigned to a particular "session".

That raises something I haven't thought about yet - ticket forwarding.
In fact, I am not even sure if /bin/login is involved in ticket
forwarding - can anyone else confirm/deny? I don't particularly like the
idea of ticket forwarding automatically erasing your current ticket,
which is what happens when it uses the default name.

> kinit _can't_ set KRB5CCNAME (well, it can, but because it's a child
> of your shell, it doesn't go anywhere).  So it falls back to whatever the
> default is for krb5_cc_default(), which is based on your userid.  There's
> no way for kinit to base something on your tty that would make any sense.

IMHO, that's OK. If the user wants something different, it is easy enough
to set KRB5CCNAME to anything you want beforehand. This won't work
though unless you are already logged in.

(While on this topic, I believe that in MIT Kerberos V it is possible to
store the ticket in memory rather than in a disk file. Anyone know how this
is done?)

> In my deployment experience, I have found that this works rather
> well ... it behaves the way that you expect in nearly all cases.  FWIW,
> we don't delete credential caches on logout, but we clean them up after
> they've expired.

Now, I am afraid I am completely confused. How do you clean credential
caches when they expire? I assume you mean that the file is deleted?

-- 
Brian May <bam@snoopy.apana.org.au>

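The closing question, how credential caches get cleaned up once their tickets have expired, is the kind of thing usually done by a small cron-driven sweep. The script below is an added example, not code from this thread, from Debian, or from the Heimdal or MIT projects. It assumes FILE caches named krb5cc_* in one directory (the /tmp default is an assumption), and that the installed klist (MIT or Heimdal) supports `klist -s -c CACHE`, which exits 0 only when the cache holds a valid, unexpired TGT. Expired caches are unlinked rather than kdestroy'd so the sweep never opens a file that might have been planted as a symlink; symlinks are skipped outright.

```sh
#!/bin/sh
# Added example: remove FILE credential caches whose tickets have all expired.
# Assumptions (not from the thread): caches live in $CC_DIR as krb5cc_*,
# and `klist -s -c FILE:path` exits 0 only for a cache with a valid TGT.

CC_DIR="${CC_DIR:-/tmp}"

# is_cache_file PATH: true for a regular file that is not a symlink.
# A symlink named krb5cc_* is ignored so it can never make us act on another file.
is_cache_file() {
    [ -f "$1" ] && [ ! -L "$1" ]
}

# list_caches DIR: print every candidate cache in DIR, one path per line.
list_caches() {
    for f in "$1"/krb5cc_*; do
        is_cache_file "$f" && printf '%s\n' "$f"
    done
    return 0
}

# cache_valid PATH: exit 0 if the cache still holds an unexpired TGT.
cache_valid() {
    klist -s -c "FILE:$1"
}

# sweep_caches DIR: unlink each cache that cache_valid rejects and print its path.
# Refuses to run without klist, so "command not found" is never mistaken for "expired".
sweep_caches() {
    command -v klist >/dev/null 2>&1 || {
        echo "sweep_caches: klist not found, refusing to sweep $1" >&2
        return 2
    }
    for f in "$1"/krb5cc_*; do
        is_cache_file "$f" || continue
        cache_valid "$f" && continue          # still valid, keep it
        rm -f "$f" && printf 'removed %s\n' "$f"
    done
    return 0
}

# Usage (constructed): SWEEP_RUN=1 CC_DIR=/tmp sh sweep.sh
if [ "${SWEEP_RUN:-0}" = 1 ]; then
    sweep_caches "$CC_DIR"
fi
```

Because the per-session caches discussed earlier in the thread are created by login with KRB5CCNAME pointing at a pid- or tty-based name, they are exactly the files such a sweep finds after the session has gone away; running it from cron keeps stale tickets from lingering on disk past their lifetime.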