Problem compiling pam_krb5 on Solaris 8

Josef Kelbler kelbler at vumscomp.cz
Wed Nov 20 02:08:55 EST 2002


> 1) This is what klist gives me on opening
> the FIRST ssh-session -
>
> Ticket cache: FILE:/tmp/krb5cc_502
> Default principal: paragg at MUMBAI.NCST.ERNET.IN
>
> Valid starting     Expires            Service principal
> 11/20/02 09:51:56  11/20/02 19:51:56
> krbtgt/MUMBAI.NCST.ERNET.IN at MUMBAI.NCST.ERNET.IN
>
>
> 2) Now if I open a SECOND ssh-session, klist for
> both FIRST AND SECOND ssh-session says -
>
> Ticket cache: FILE:/tmp/krb5cc_502
> Default principal: paragg at MUMBAI.NCST.ERNET.IN
>
> Valid starting     Expires            Service principal
> 11/20/02 09:56:14  11/20/02 19:56:14
> krbtgt/MUMBAI.NCST.ERNET.IN at MUMBAI.NCST.ERNET.IN
>
> Observe that I get the same ticket-cache - /tmp/krb5cc_502
> for both the sessions and the effective ticket-lifetime is that of
> the second session for both the first and second session.

I think it is the normal behaviour of this pam_krb5.
I tried it with PAM telnet with the same results.
In the beginning pam_krb5 destroys the Credential Cache (CCache) and creates
a new one.
After logout the CCache is left.

When you log in concurrently several times, the last login sets the CCache that is
used in every session of the same user. The name of the CCache, krb5cc_502, is
derived from the user ID, which is the same in all sessions.

The Kerberized application telnet from the MIT suite uses a different algorithm for
this behaviour.

>
> 3) After I close both sessions the /tmp/krb5cc_502 cache
> is not deleted. This may be a security risk - I don't know for sure.

I think it is the same security risk as if the user were connected for the
whole time of the ticket lifetime.
But you can place the kdestroy command in a logout script.

> I don't know how much of a problem this is, but nevertheless
> I get a ticket.

I think everything is all right.


Cheers
Josef
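A logout hook in the spirit of the kdestroy suggestion above, written here as an added example rather than code from the thread: because every session of a user shares /tmp/krb5cc_<uid>, an unconditional kdestroy at logout would also strip the ticket from a still-open session, so the hook only destroys the cache when the session logging out is the user's last one. It assumes MIT kdestroy, a `who` that prints one line per login session with the user name in the first column, and that the logging-out session is still listed; the function names are hypothetical.

```sh
#!/bin/sh
# Added example (not from the thread): kdestroy-at-logout hook that is safe
# for the shared per-UID credential cache described above.
# Assumptions: MIT Kerberos kdestroy; `who` prints one line per login session
# with the user name in column 1; the session running this hook is still
# listed in `who` at the time it runs (true for e.g. ~/.bash_logout).

# Count login sessions for the given user in `who`-style output read on stdin.
count_sessions() {
    user="$1"
    awk -v u="$user" '$1 == u { n++ } END { print n + 0 }'
}

# Destroying the shared cache is only safe when no other session of this
# user remains, i.e. the count (which includes the current session) is <= 1.
should_destroy() {
    sessions="$1"
    [ "$sessions" -le 1 ]
}

# Entry point for a logout script: runs kdestroy only for the last session.
logout_hook() {
    user=$(id -un)
    remaining=$(who | count_sessions "$user")
    if should_destroy "$remaining"; then
        # Removes the cache (KRB5CCNAME or the default /tmp/krb5cc_<uid>).
        kdestroy 2>/dev/null || true
    fi
}
```

If the hook fires while another session is open, nothing is destroyed and the cache lives on until that session's own logout or the ticket lifetime ends, exactly the trade-off discussed above.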
