Re: Debian /bin/login and heimdal kerberos

>FWIW when I built MIT krb5 + NRL AFS patches, login (but not kinit) used
>the basename of the tty instead of the pid.

It's slightly more complicated than that :-)

login by itself uses the ttyname (i.e. - when KRB5CCNAME isn't set).
If you're forwarding a ticket, it uses something based on the pid.
Now both of these work because they're the parents of everything to come
afterwards, so they can set KRB5CCNAME and it works.  The logic here is
that if you're using login/telnetd/rlogind, you want to have credentials
assigned to a particular "session".

kinit _can't_ set KRB5CCNAME (well, it can, but because it's a child
of your shell, it doesn't go anywhere).  So it falls back to whatever the
default is for krb5_cc_default(), which is based on your userid.  There's
no way for kinit to base something on your tty that would make any sense.

In my deployment experience, I have found that this works rather
well ... it behaves the way that you expect in nearly all cases.  FWIW,
we don't delete credential caches on logout, but we clean them up after
they've expired.
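The point about why login can pick a per-session cache but kinit cannot comes down to process environment inheritance: a parent can hand an environment variable to every process it spawns, but a child can never push one back up to its parent. The following shell script is an added illustration of that, not code from the post or from any Kerberos implementation; the tty-derived cache name is constructed, and the per-uid fallback models MIT's traditional `FILE:/tmp/krb5cc_<uid>` default for `krb5_cc_default()` when `KRB5CCNAME` is unset.

```sh
#!/bin/sh
# Added illustration (not from the original post or any Kerberos code):
# why login, as the parent of the whole session, can hand KRB5CCNAME to
# every later process, while kinit, a child of the shell, cannot.

# Model of the krb5_cc_default() fallback: honour KRB5CCNAME if a parent
# set it, otherwise fall back to the uid-based default cache name
# (assumed to be MIT's traditional FILE:/tmp/krb5cc_<uid>).
resolve_ccache() {
    printf '%s' "${KRB5CCNAME:-FILE:/tmp/krb5cc_$(id -u)}"
}

# A child process (standing in for kinit) exports KRB5CCNAME and exits.
# The exporting shell that spawned it never sees the change, so the
# lookup still lands on the uid-based default.
child_sets_ccache() {
    unset KRB5CCNAME
    sh -c 'KRB5CCNAME=FILE:/tmp/krb5cc_from_child; export KRB5CCNAME; :'
    resolve_ccache
}

# A parent (standing in for login) sets KRB5CCNAME before starting the
# user's shell; the shell and everything under it inherit the session
# cache.  The tty-style name "ttyp0" is constructed for the example.
parent_sets_ccache() {
    KRB5CCNAME=FILE:/tmp/krb5cc_ttyp0 sh -c 'printf "%s" "$KRB5CCNAME"'
}

echo "child (kinit) tried to set it, shell resolves:  $(child_sets_ccache)"
echo "parent (login) set it, child shell resolves:    $(parent_sets_ccache)"
```

Run it as an ordinary user: the first line shows the uid-based default (the child's export was lost), the second shows the session cache the parent chose. The same mechanism is why a per-tty or per-pid cache name only makes sense from login, telnetd or rlogind, which sit above the shell.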