[5582] in Kerberos
Re: Using multiple TGTs
daemon@ATHENA.MIT.EDU (Derrick J. Brashear)
Tue Aug 1 23:40:02 1995
To: kerberos@MIT.EDU
Date: Tue, 1 Aug 1995 22:11:26 -0400
From: "Derrick J. Brashear" <db74+@andrew.cmu.edu>
Excerpts from netnews.comp.protocols.kerberos: 1-Aug-95 Using multiple
TGTs by Kenneth D. Renard @arl.m
> 1. Allow multiple TGTs (for different realms) in the same ticket cache.
> When a user runs "kinit" to authenticate with a second realm, the TGT
> is put in the same cache as their current TGT and can be used
> accordingly.
>
> (What do you do about the principal named in the cache??)
>
> 2. Allow the KRB5CCNAME variable to have multiple caches named. KRB5CCNAME
> would be an array of ticket cache identifiers that could be searched by
> krb5_cc_resolve() given the default realm in krb5_context, or by
> a separate realm identifier.
A long time ago I implemented the equivalent of (2) for Kerberos 4, but
have since lost the code. My solution was to name each cache as
$KRBTKFILE/REALM.NAME (where $KRBTKFILE was a directory). The default
cache was the local realm cache, so if you didn't have a cache for a
given other realm, it would fall back to trying cross-realm
authentication with your local realm ticket cache. I do recall that some
pieces of the code weren't finished, but it doesn't matter since I
wasn't able to find it on my backup tapes a few months ago anyhow.
-D
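
The per-realm lookup with fallback to the local realm cache, as described in the reply above, written out as an added example (this is not the lost code and not from the original post). The function name, return codes and realm-name checks are assumptions; the checks are there because the realm name becomes a path component under the $KRBTKFILE directory.

```shell
#!/bin/sh
# Added illustration of a $KRBTKFILE/REALM.NAME layout with fallback.
# Hypothetical helper: name, argument order and return codes are assumptions.
#
# realm_tkfile DIR REALM LOCAL_REALM
#   prints the ticket file to use for REALM and returns
#   0  a ticket file for REALM itself exists in DIR
#   1  no such file; the local realm's file is printed instead, so the
#      caller falls back to cross-realm authentication from the local TGT
#   2  invalid input (nothing is printed)
realm_tkfile() {
    dir=$1
    realm=$2
    local_realm=$3

    # The realm is used as a file name, so refuse anything that could
    # step outside DIR: empty names, names starting with a dot, and any
    # character outside letters, digits, '.', '_' and '-' (this excludes '/').
    for r in "$realm" "$local_realm"; do
        case $r in
            ''|.*|*[!A-Za-z0-9._-]*) return 2 ;;
        esac
    done

    # DIR must be a real directory, not a symlink someone else could repoint.
    [ -d "$dir" ] && [ ! -L "$dir" ] || return 2

    candidate=$dir/$realm
    # Only accept a regular, readable file; a symlink in the cache
    # directory is treated as "no cache for this realm".
    if [ -f "$candidate" ] && [ ! -L "$candidate" ] && [ -r "$candidate" ]; then
        printf '%s\n' "$candidate"
        return 0
    fi

    # No cache for that realm: use the local realm's cache.
    printf '%s\n' "$dir/$local_realm"
    return 1
}

# Typical use (realm names are constructed samples):
#   KRBTKFILE=$(realm_tkfile "$HOME/.tkt" REMOTE.EXAMPLE LOCAL.EXAMPLE)
```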