[OpenAFS-devel] token passing in modern ssh?

Ken Hornstein kenh@cmf.nrl.navy.mil
Mon, 13 Dec 2004 10:48:24 -0500


>You can forward your tgt, and use that to obtain a token on the remote side.
>But that only works for a single realm/cell.  I could get what I want if it
>were possible to obtain tgts in multiple realms, but for some reason MIT
>apparently didn't think that would be useful.

The problem is that it's not useful with the current MIT API.  All
of the programs out there today key off of the "primary principal"; if
the TGT has a different client principal, none of the utilities will
use it.  MacOS X at least solves this problem (you can use kswitch to
switch between different credential caches and different primary
principals).  I guess Heimdal has a different API, so it's not a problem.
I've never figured out how to do what you want within the MIT API.

I recall talking with someone (maybe they were at UMich) that had some
mutant PAM module that put two TGTs in the same cache, but they couldn't
get aklog to get tickets from both TGTs.  I explained the problem to
them, and I never heard from them again.

--Ken