Liam Healy <l...@healy.washington.dc.us> writes:

> Because I use two Kerberos realms simultaneously, and I need to
> distinguish them somehow. I rename them with the realm name as part of
> the file name. I was using "KRB5CCNAME" in my report as a proxy for the
> filename, what I should have said is that ticket file name is being
> changed from what it is on the ssh client. In addition, it seems that
> only $KRB5CCNAME ticket is forwarded; it would be nice to be able to
> forward more than one ticket. If there's a better way to keep track of
> tickets than renaming the file, I'll do that.

Ah, yes, that's a tricky problem. Basically, Kerberos on UNIX only understands one TGT at a time and will only forward one, so you have to hack together something else to handle multiple ticket forwarding and ticket renaming. Unfortunately, there isn't a good solution. The *right* solution is multi-ticket ticket caches with corresponding forwarding (although it's hard to forward a ticket from a realm other than the server's realm securely), but this isn't really there on UNIX.

I would add some code to your shell initialization files (.bashrc or the like) to determine what realm of a ticket got forwarded with klist and then rename it after login, setting KRB5CCNAME to follow. That will be reliable in the face of whatever sshd does.

-- 
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
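
The shell-initialization approach suggested in the reply above, as an added example that is not part of the original message: it reads the realm of the forwarded ticket from klist output, renames a FILE: cache to carry that realm, and points KRB5CCNAME at the new name. The function names and the "<path>.<REALM>" naming scheme are assumptions.

```shell
# Added example for .bashrc or similar; names and naming scheme are assumptions.

# Print the realm of the cache's default principal from klist output on stdin.
# Accepts the MIT ("Default principal:") and Heimdal ("Principal:") layouts.
cc_realm() {
    awk '/^[ \t]*(Default principal|Principal):/ {
        n = split($NF, p, "@"); if (n > 1) print p[n]; exit }'
}

# cc_rename_by_realm CCNAME KLIST_TEXT
# Rename a file-based cache to "<path>.<REALM>" and print the KRB5CCNAME value
# to use afterwards. Prints CCNAME unchanged whenever renaming is not safe.
# Call it inside $(...) so its variables stay out of the login shell.
cc_rename_by_realm() {
    ccname=$1
    path=${ccname#FILE:}
    case $path in
        /*) ;;                                   # absolute path: file cache
        *) printf '%s\n' "$ccname"; return 0 ;;  # KEYRING:, DIR:, ...: skip
    esac
    realm=$(printf '%s\n' "$2" | cc_realm)
    case $realm in
        # The realm becomes part of a file name: reject empty values and
        # anything outside letters, digits, dot and hyphen (no "/" or "..").
        ''|*[!A-Za-z0-9.-]*|*..*) printf '%s\n' "$ccname"; return 0 ;;
    esac
    case $path in
        *".$realm") printf '%s\n' "$ccname"; return 0 ;;  # already tagged
    esac
    new=$path.$realm
    # Never overwrite an existing file: it may be another live cache.
    if [ -f "$path" ] && [ ! -e "$new" ] && mv -- "$path" "$new"; then
        printf 'FILE:%s\n' "$new"
    else
        printf '%s\n' "$ccname"
    fi
}

# After login: retag whatever cache sshd handed over, if there is one.
if [ -n "${KRB5CCNAME:-}" ] && command -v klist >/dev/null 2>&1; then
    KRB5CCNAME=$(cc_rename_by_realm "$KRB5CCNAME" "$(klist 2>/dev/null)")
    export KRB5CCNAME
fi
```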