[32884] in Kerberos

Re: multiple principals in one cache?

daemon@ATHENA.MIT.EDU (Greg Hudson)
Wed Nov 10 18:35:28 2010

From: Greg Hudson <ghudson@mit.edu>
To: Russ Allbery <rra@stanford.edu>
In-Reply-To: <874obooloq.fsf@windlord.stanford.edu>
Date: Wed, 10 Nov 2010 18:34:43 -0500
Message-ID: <1289432083.2633.1148.camel@ray>
Mime-Version: 1.0
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On Wed, 2010-11-10 at 17:31 -0500, Russ Allbery wrote:
> It's just not supported by the ticket cache format and ticket manager that
> is used by default on UNIX.

The cache format is fine with it, actually, and has been basically
forever as far as I know.  What gets in the way is:

* kinit insists on overwriting the cache.
* kdestroy doesn't know how to destroy only one client principal.
* The krb5 GSS mech insists that the cache's default principal matches
the client name, not just that the cache contains an appropriate ticket.

And that's about it.  If someone wanted to write their own code to
manage the cache, and swap around the cache's default client principal
for the sake of the GSS mech, I don't think anything in libkrb5 would
get in the way.

You can produce a ccache with multiple client principals using ksu.


________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
