Re: Debian /bin/login and heimdal kerberos



>On Mon, Jul 12, 1999 at 08:11:43AM -0400, Ken Hornstein wrote:
>> >FWIW when I built MIT krb5 + NRL AFS patches, login (but not kinit) used
>> >the basename of the tty instead of the pid.
>
>True - but I haven't seen any real need to do it this way. Should I?
>
>I just copied the kerberos 4 code in the heimdal login, which already
>uses the pid.

I suppose either way will work fine.  I think the idea here is if you
logout and log back in, you want new credentials to be associated with
that "session", which is most easily identifiable by a tty (in that case).

>> login by itself uses the ttyname (i.e. - when KRB5CCNAME isn't set).
>> If you're forwarding a ticket, it uses something based on the pid.
>> Now both of these work because they're the parents of everything to come
>> afterwards, so they can set KRB5CCNAME and it works.  The logic here is
>> that if you're using login/telnetd/rlogind, you want to have credentials
>> assigned to a particular "session".
>
>That raises something I haven't thought about yet - ticket forwarding.
>In fact, I am not even sure if /bin/login is involved in ticket
>forwarding - can anyone else confirm/deny? I don't particularly like the
>idea of ticket forwarding automatically erasing your current ticket,
>which is what happens when it uses the default name.

For MIT, sorta-kinda.  The telnetd/rlogind writes the credential cache
into the filesystem as root, the login program rewrites it owned by the
userid.

>(while on this topic, I believe that in MIT kerberos V it is possible to
>store the ticket in memory rather than a disk file. Anyone know how this
>is done?)

Nope, not possible.

>> In my deployment experience, I have found that this works rather
>> well ... it behaves the way that you expect in nearly all cases.  FWIW,
>> we don't delete credential caches on logout, but we clean them up after
>> they've expired.
>
>Now, I am afraid I am completely confused. How do you clean credential
>caches when they expire? I assume you mean that the file is deleted?

Yes.  We've got a cron job that runs twice an hour and goes through /tmp;
if the credential cache is expired, it's deleted.

--Ken
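The twice-hourly /tmp sweep Ken describes, written out as an added example (this is not NRL's actual cron job). It assumes MIT-style cache file names `krb5cc_*` and MIT `klist`'s `-s` flag, and it refuses to delete anything if `klist` itself cannot be found, so a broken PATH in cron is not mistaken for "everything expired":

```shell
#!/bin/sh
# Hypothetical cleanup script: sweep a directory for MIT-style credential
# caches (krb5cc_*) and delete those that no longer hold a valid TGT, as
# judged by `klist -s -c FILE:<path>`.  Meant for a cron entry such as:
#   0,30 * * * *  /usr/local/sbin/clean-ccaches /tmp
# KLIST may be overridden (e.g. for testing); it defaults to klist in PATH.
KLIST="${KLIST:-klist}"

# Prints each path it removes.  Returns 1 and removes nothing when klist
# is missing: "klist failed to run" must not be read as "cache expired".
clean_expired_ccaches() {
    dir="${1:-/tmp}"
    if ! command -v "$KLIST" >/dev/null 2>&1; then
        echo "clean_expired_ccaches: $KLIST not found, nothing removed" >&2
        return 1
    fi
    for cc in "$dir"/krb5cc_*; do
        # Skip the unexpanded glob when nothing matches, and skip anything
        # that is not a plain file (no following symlinks out of $dir).
        [ -f "$cc" ] && [ ! -L "$cc" ] || continue
        # MIT klist -s exits 0 only if the cache can be read and still
        # holds a non-expired TGT; anything else is treated as garbage.
        if "$KLIST" -s -c "FILE:$cc" 2>/dev/null; then
            continue
        fi
        rm -f -- "$cc" && echo "$cc"
    done
    return 0
}
```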