[OpenAFS-devel] token passing in modern ssh?

Douglas E. Engert deengert@anl.gov
Mon, 13 Dec 2004 11:24:38 -0600


Ken Hornstein wrote:

>>You can forward your tgt, and use that to obtain a token on the remote side.
>>But that only works for a single realm/cell.  I could get what I want if it
>>were possible to obtain tgts in multiple realms, but for some reason MIT
>>apparently didn't think that would be useful.
> 
> 
> The problem is that the it's not useful with the current MIT API.  All
> of the programs out there today key off of the "primary principal"; if
> the TGT has a different client principal, none of the utilities will
> use it.  MacOS X at least solves this problem (you can use kswitch to
> switch between different credential caches and different primary
> principals).  I guess Heimdal has a different API, so it's not a problem.
> I've never figured out how to do what you want within the MIT API.
> 
> I recall talking with someone (maybe they were at UMich) that had some
> mutant PAM module that put two TGTs in the same cache, but they couldn't
> get aklog to get tickets from both TGTs.  I explained the problem to
> them, and I never heard from them again.

Your mutant PAM could create two separate caches, then set KRB5CCNAME
and call aklog, reset KRB5CCNAME and call aklog again.
Maybe add the principal name as part of the cache file name.
The trick is how to delegate or forward the TGTs.


> 
> --Ken

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
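The two-cache sequence described in the reply above, as an added example that is not from the thread or from OpenAFS itself: a POSIX sh helper that keeps one credential cache per principal (the cache name carries the principal, as suggested), points KRB5CCNAME at each cache in turn, runs aklog for the matching cell, and restores the previous KRB5CCNAME afterwards. Assumed: a TGT is already in each cache (how it got there, the forwarding problem raised in the reply, is not addressed), the principal-to-cell pairs come from the caller, and `AKLOG`/`CACHE_DIR` are hypothetical overrides added for testing.

```shell
#!/bin/sh
# Added example (not from the thread): one AFS token per cell, each obtained
# from its own Kerberos credential cache via KRB5CCNAME + aklog.
AKLOG=${AKLOG:-aklog}          # hypothetical override: lets the logic run without AFS
CACHE_DIR=${CACHE_DIR:-/tmp}   # hypothetical override: where the per-principal caches live

# Cache file that embeds the principal: /tmp/krb5cc_<uid>_<principal>,
# with any '/' in the principal replaced by '_' so it stays a single file name.
cache_for_principal() {
    printf '%s/krb5cc_%s_%s\n' "$CACHE_DIR" "$(id -u)" "$(printf '%s' "$1" | tr '/' '_')"
}

# Realm of a principal: everything after the last '@'.
realm_of() {
    printf '%s\n' "${1##*@}"
}

# get_cell_token PRINCIPAL CELL
# Point KRB5CCNAME at that principal's cache, ask aklog for a token in CELL
# using the principal's realm, then put KRB5CCNAME back even if aklog failed.
get_cell_token() {
    princ=$1; cell=$2
    cache=$(cache_for_principal "$princ")
    [ -r "$cache" ] || { echo "no cache for $princ at $cache" >&2; return 2; }
    saved=${KRB5CCNAME-}
    KRB5CCNAME="FILE:$cache"; export KRB5CCNAME
    "$AKLOG" -c "$cell" -k "$(realm_of "$princ")"; rc=$?
    if [ -n "$saved" ]; then KRB5CCNAME=$saved; export KRB5CCNAME; else unset KRB5CCNAME; fi
    return $rc
}

# get_afs_tokens "PRINCIPAL=CELL" ...
# One aklog run per pair; the exit status is the number of pairs that failed,
# so partial success (one realm reachable, the other not) is visible.
get_afs_tokens() {
    failed=0
    for pair in "$@"; do
        get_cell_token "${pair%%=*}" "${pair#*=}" || failed=$((failed + 1))
    done
    return $failed
}

# Run only when invoked under this (hypothetical) script name; principals and
# cells below are constructed placeholders.
case "${0##*/}" in
    afs-multi-tokens.sh) get_afs_tokens "user@EXAMPLE.ORG=example.org" "user@LAB.EXAMPLE=lab.example" ;;
esac
```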