[OpenAFS-devel] token passing in modern ssh?

Jeffrey Hutzelman jhutz@cmu.edu
Mon, 13 Dec 2004 14:03:12 -0500


On Monday, December 13, 2004 12:45:57 -0500 Jeffrey Altman 
<jaltman@columbia.edu> wrote:

> Douglas E. Engert wrote:
>
>
>> Your mutant PAM could create two separate caches, then set KRB5CCNAME
>> and call aklog, reset KRB5CCNAME and call aklog again.
>> Maybe add the principal name as part of the cache file name.
>> The trick is how to delegate or forward the TGTs.
>
> The tickets are forwarded in a KERB_CRED message.  There is no reason
> the receiver cannot accept multiple TGTs as KERB_CRED messages and then
> store them into separate credential caches.

Except, of course, that the protocol does not allow for this.

Ticket forwarding in ssh is done as a side-effect of GSSAPI credential 
delegation with the GSS_DELEG_FLAG set.  This method allows for the 
forwarding of only one TGT, selected by the GSSAPI mechanism (the Kerberos 
GSSAPI mechanism spec is not specific about how the ticket will be 
selected, but the expectation is that it will be the initial TGT from the 
ccache used for context establishment).

-- Jeff