[OpenAFS-devel] token passing in modern ssh?

Jeffrey Hutzelman jhutz@cmu.edu
Mon, 13 Dec 2004 14:15:30 -0500 

On Monday, December 13, 2004 13:15:16 -0500 Jim Rees <rees@umich.edu> wrote:

>   I am very confused by this statement.  In what way does MIT prevent you
>   from obtaining TGTs in multiple realms?
>
> Of course it's possible.  What I said was that MIT didn't think it would
> be useful.  If they had, they would have provided an api, or allowed
> multiple tgts in a single cache.

You can have multiple TGT's in a single ccache.  What you can't have is 
multiple tickets, and especially multiple TGT's, belonging to different 
principals.  This is not because "MIT didn't think it would be useful", but 
because allowing that would require solving difficult problems related to 
defining what the behaviour is when you request a service ticket that is 
not already in the ccache.  Particularly, it would require defining which 
TGT is used to request the service ticket, when there may be multiple TGT's 
in the ccache or obtainable via cross-realm from different initial tickets 
or, on some platforms, by prompting the user to obtain new tickets for a 
realm for which there is not currently an initial TGT in the ccache.

It is not at all clear what the correct behaviour would be in these cases, 
and it matters because the answer affects what client principal name will 
appear on the resulting tickets, and because it may affect whether and when 
the user is prompted to enter a principal name and password in order to 
obtain initial tickets for an additional realm.

The use of multiple credential caches, each potentially containing tickets 
belonging to a different principal, is supported on all platforms.  On 
those platforms where a GUI is provided, there is an interface allowing the 
user to select from among several ccaches or establish a new one.  The 
effect is that the user can control which initial ticket, and therefore 
which identity, is used for each operation.


At this point, I think this discussion has gone rather beyond the scope of 
openafs-devel.  If we're going to continue, it might be appropriate to move 
to the kerberos or krbdev mailing lists.

-- Jeff