[4255] in Kerberos
krlogind and forwarded TGTs
daemon@ATHENA.MIT.EDU (Stephen C. Pope)
Tue Nov 29 11:58:13 1994
To: kerberos@MIT.EDU
Date: 29 Nov 1994 16:36:51 GMT
From: scp@doneyet.acl.lanl.gov (Stephen C. Pope)
Reply-To: "Stephen C. Pope" <scp@acl.lanl.gov>

Curious situation using krb5 beta 4 and trying to get forwarded
tickets to work.

Using kinit -f and krlogin -F, the forwarded/forwardable tgt gets
created and cached on the remote host. krlogind sets KRB5CCNAME in
its environment to point at the right ccache file. However, when
login.krb5 is invoked, of course, the entire existing environment is
thrown away, including KRB5CCNAME, so that any clients run under the
resulting login shell do not have access to the ccache. The same
would occur if /bin/login were to be used instead of login.krb5, of
course.

Although login.krb5, like login, supports a -p option to preserve the
environment, this is not really desirable since krlogind runs in an
environment derived from the startup environment within which inetd is
initiated.

login.krb5 could be altered to always copy over KRB5CCNAME into the
new environment for the login shell, but I'm having a hard time
believing that a proper mechanism to promulgate a pointer to the
ccache isn't already coded in.

I'd appreciate any pointers to making this work like it seems it ought
to!

stephen pope
advanced computing lab
scp@acl.lanl.gov
--
Stephen C. Pope
scp@acl.lanl.gov
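
The selective copy the message considers, as an added example that is not part of the original post and not code from login.krb5: the shell's environment is built from login's fresh entries plus an allowlist, so KRB5CCNAME survives while the rest of the inetd-derived environment is dropped. The function name build_login_env, the KEEP list, and all sample values are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Assumed allowlist: the one variable krlogind must hand to the login shell. */
static const char *const KEEP[] = { "KRB5CCNAME", NULL };

/* True if entry has the form "NAME=..." for exactly this NAME. */
static int is_var(const char *entry, const char *name)
{
    size_t n = strlen(name);
    return strncmp(entry, name, n) == 0 && entry[n] == '=';
}

/* Append entry unless out already holds NAME; keeps room for the final NULL. */
static int add(char *out[], size_t cap, size_t *count, char *entry, const char *name)
{
    for (size_t i = 0; i < *count; i++)
        if (is_var(out[i], name)) return 0;      /* first occurrence wins */
    if (*count + 1 >= cap) return -1;
    out[(*count)++] = entry;
    return 0;
}

/* Fresh entries first, then allowlisted non-empty inherited ones; -1 if out[] is full. */
int build_login_env(char *const fresh[], char *const inherited[],
                    char *out[], size_t cap)
{
    size_t count = 0;
    if (cap == 0) return -1;
    for (size_t i = 0; fresh[i] != NULL; i++) {
        if (count + 1 >= cap) return -1;
        out[count++] = fresh[i];
    }
    for (size_t k = 0; KEEP[k] != NULL; k++)
        for (size_t i = 0; inherited[i] != NULL; i++)
            if (is_var(inherited[i], KEEP[k]) &&
                inherited[i][strlen(KEEP[k]) + 1] != '\0' &&
                add(out, cap, &count, inherited[i], KEEP[k]) < 0)
                return -1;
    out[count] = NULL;
    return (int)count;
}

int main(void)
{
    char *fresh[] = { "HOME=/home/scp", "SHELL=/bin/sh", NULL };  /* constructed */
    char *inherited[] = { "PATH=/etc:/usr/etc", "KRB5CCNAME=FILE:/tmp/krb5cc_p123", NULL };
    char *out[8];
    int n = build_login_env(fresh, inherited, out, 8);
    for (int i = 0; i < n; i++) puts(out[i]);
    return n < 0;
}
```

Unlike -p, nothing else from the daemon's startup environment reaches the shell, and a duplicate or empty KRB5CCNAME entry cannot override the first valid one.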