[5586] in Kerberos


Re: Using multiple TGTs

daemon@ATHENA.MIT.EDU (Sam Hartman)
Wed Aug 2 11:46:13 1995

To: kdrenard@arl.mil (Kenneth D. Renard )
Cc: kerberos@MIT.EDU
In-Reply-To: Your message of "Tue, 01 Aug 1995 13:22:18 GMT."
             <1995Aug1.132218.7611@arl.mil> 
Date: Wed, 02 Aug 1995 11:32:50 EDT
From: Sam Hartman <hartmans@MIT.EDU>

> To: kerberos@MIT.EDU
> Date: Tue, 1 Aug 1995 13:22:18 GMT
> From: kdrenard@arl.mil (Kenneth D. Renard )
> Message-Id: <1995Aug1.132218.7611@arl.mil>
> Organization: U.S. Army Research Laboratory APG, MD.
> Sender: usenet@cam.ov.com
> Subject: Using multiple TGTs
> 
> [Kerberos V5 Beta 5]
> 
> I am looking for thoughts and ideas about using multiple ticket caches
> to access multiple Kerberos realms where cross-realm trust is not a
> possibility.  Currently, users select a ticket cache by setting their
> KRB5CCNAME environment variable.  I see 2 possible improvements
> to this:
> 
> 1.  Allow multiple TGTs (for different realms) in the same ticket cache.
>     When a user runs "kinit" to authenticate with a second realm, the TGT
>     is put in the same cache as their current TGT and can be used accordingly.
>     (What do you do about the principal named in the cache??)
> 

	I just briefly looked at the source, and it looks like the
credentials cache code would probably handle this without
modification.  Your main problem will be the authentication path that
it uses if it wants to get tickets in a third realm the user is not
authenticated to; I suspect you probably wouldn't encounter this
problem as you don't trust cross-realm authentication.  Basically, the
principal name in the cache is a default; I believe there is a client
principal associated with each ticket.

	Also, I only briefly looked at the code; there may be bugs or
design decisions I didn't notice that would make this hard to
implement.  However, you might try modifying kinit so that it opens
the existing credentials cache instead of destroying it, and see what
happens.

--Sam
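The two behaviours discussed in this thread, modelled as an added example (it is not MIT Kerberos code and not from either poster): a credentials cache whose entries each carry their own client principal, with a `kinit` that destroys the cache on each login compared against one that opens the existing cache and adds a second realm's TGT. The realm names and the `CredCache`, `kinit_destroying` and `kinit_appending` names are constructed for the illustration.

```python
"""In-memory model of a Kerberos credentials cache holding TGTs for several realms.

Assumption: this is a simplified model written for the thread's discussion,
not the MIT Kerberos ccache implementation. Each stored credential carries
its own client principal; the cache's default principal is only a default.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class Principal:
    name: str
    realm: str

    def __str__(self) -> str:
        return f"{self.name}@{self.realm}"


@dataclass(frozen=True)
class Credential:
    client: Principal   # the principal this ticket was issued to
    server: Principal   # krbtgt/REALM@REALM for a ticket-granting ticket

    @property
    def is_tgt(self) -> bool:
        return self.server.name == f"krbtgt/{self.server.realm}"


@dataclass
class CredCache:
    default_principal: Principal
    creds: List[Credential] = field(default_factory=list)

    def store(self, cred: Credential) -> None:
        self.creds.append(cred)

    def tgt_for_realm(self, realm: str) -> Optional[Credential]:
        """Find the TGT for `realm` by the credential's own server/client
        principals, not by the cache's default principal."""
        for cred in self.creds:
            if cred.is_tgt and cred.server.realm == realm:
                return cred
        return None

    def realms(self) -> List[str]:
        """Realms the cache currently holds a TGT for."""
        return sorted({c.server.realm for c in self.creds if c.is_tgt})


def make_tgt(user: str, realm: str) -> Credential:
    return Credential(client=Principal(user, realm),
                      server=Principal(f"krbtgt/{realm}", realm))


def kinit_destroying(cache: Optional[CredCache], user: str, realm: str) -> CredCache:
    """Models kinit's default: initialize (destroy) the cache, then store one TGT.
    Whatever the old cache held is gone."""
    tgt = make_tgt(user, realm)
    return CredCache(default_principal=tgt.client, creds=[tgt])


def kinit_appending(cache: Optional[CredCache], user: str, realm: str) -> CredCache:
    """Models the experiment suggested in the reply: open the existing cache
    and add the new realm's TGT instead of destroying the cache."""
    tgt = make_tgt(user, realm)
    if cache is None:
        return CredCache(default_principal=tgt.client, creds=[tgt])
    # A fresh login to a realm replaces that realm's older TGT; other realms stay.
    cache.creds = [c for c in cache.creds
                   if not (c.is_tgt and c.server.realm == realm)]
    cache.store(tgt)
    return cache


if __name__ == "__main__":
    # Constructed realm names for the demonstration.
    c = kinit_destroying(None, "user", "REALM-A.EXAMPLE")
    c = kinit_destroying(c, "user", "REALM-B.EXAMPLE")
    print("destroying kinit keeps:", c.realms())          # only REALM-B
    c2 = kinit_appending(None, "user", "REALM-A.EXAMPLE")
    c2 = kinit_appending(c2, "user", "REALM-B.EXAMPLE")
    print("appending kinit keeps:", c2.realms())          # both realms
    print("cache default principal:", c2.default_principal)
```

The point the model makes is the one in the reply: because each credential records its own client principal, a single cache can hold a TGT per realm and the cache-level principal name only serves as the default, which is why the open question in the quoted message (which principal the cache is "for") does not block the lookup.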

