[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Debian /bin/login and heimdal kerberos

To: allbery@kf8nh.apk.net
Subject: Re: Debian /bin/login and heimdal kerberos
From: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Date: Mon, 12 Jul 1999 08:11:43 -0400
cc: joda@pdc.kth.se, bam@snoopy.apana.org.au, heimdal-discuss@sics.se
In-reply-to: Your message of "Mon, 12 Jul 1999 07:41:48 EDT." <199907121141.HAA03392@speaker.kf8nh.apk.net>
Sender: owner-heimdal-discuss@sics.se

>FWIW when I built MIT krb5 + NRL AFS patches, login (but not kinit) used
>the basename of the tty instead of the pid.

It's slightly more complicated than that :-)

login by itself uses the ttyname (i.e. - when KRB5CCNAME isn't set).
If you're forwarding a ticket, it uses something based on the pid.
Now both of these work because they're the parents of everything to come
afterwards, so they can set KRB5CCNAME and it works.  The logic here is
that if you're using login/telnetd/rlogind, you want to have credentials
assigned to a particular "session".

kinit _can't_ set KRB5CCNAME (well, it can, but because it's a child
of your shell, it doesn't go anywhere).  So it falls back to whatever the
default is for krb5_cc_default(), which is based on your userid.  There's
no way for kinit to base something on your tty that would make any sense.

In my deployment experience, I have found that this works rather
well ... it behaves the way that you expect in nearly all cases.  FWIW,
we don't delete credential caches on logout, but we clean them up after
they've expired.

--Ken

Follow-Ups:
- Re: Debian /bin/login and heimdal kerberos
  - From: Brian May <bam@snoopy.apana.org.au>

References:
- Re: Debian /bin/login and heimdal kerberos
  - From: <allbery@kf8nh.apk.net>

Prev by Date: Re: Debian /bin/login and heimdal kerberos
Next by Date: Re: cvs and heimdal
Prev by thread: Re: Debian /bin/login and heimdal kerberos
Next by thread: Re: Debian /bin/login and heimdal kerberos
Index(es):
- Date
- Thread