Apps acquiring tickets (was Re: gssapi/openssh)

James F.Hranicky jfh at cise.ufl.edu
Fri May 2 10:24:33 EDT 2003


On Wed, 30 Apr 2003 18:25:47 +0100
Simon Wilkinson <sxw at warspite.inf.ed.ac.uk> wrote:

> No, it doesn't. Philosophically, I don't think that its the job of the
> client to go out and get credentials, if none exist. Practically, doing
> so would require the client to know about the underlying GSSAPI mechanism,
> which at present it doesn't need to.

I understand this sentiment (especially with GSSAPI, given it's a layer that
uses Kerberos but isn't itself Kerberos), but I think that if the following
were true it would be a boon for the user:

	1) applications could get a TGT for a given realm stored in a single
	   common place that other apps could use

	2) the ticket cache could contain TGTs for multiple realms

Then you could simply "be" however many principals you want to be at a given
time, and get prompted for re-authorization when necessary.

Perhaps 1) could be satisfied by a "kinitd" that runs in the background and
pops up a window when your TGT expires, or if you're at a terminal, runs
in the background and spits out a message saying "run kinit for this realm".
However, "kinitd" probably wouldn't be tied to the apps in any way, e.g.,
receiving notification from an app when the app finds the TGT is expired.

2) would probably require code mods to Kerberos, though I'd think that would
be very useful.

----------------------------------------------------------------------
| Jim Hranicky, Senior SysAdmin                   UF/CISE Department |
| E314D CSE Building                            Phone (352) 392-1499 |
| jfh at cise.ufl.edu                      http://www.cise.ufl.edu/~jfh |
----------------------------------------------------------------------
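The per-realm check a "kinitd" of the kind sketched above would have to make, as an added example that is not part of the original post or of any Kerberos distribution: it parses `klist` output, picks out the TGT (krbtgt/REALM@REALM) for each realm, and reports which of a wanted set of realms has no TGT or one about to expire. The `klist` text below is constructed in the MIT Kerberos layout for illustration, and the realm list, principal names and five-minute margin are assumptions.

```python
import re
from datetime import datetime

# Constructed sample `klist` output in the MIT Kerberos layout (not captured
# from a real host). One local TGT per realm is what lets you "be" that
# principal; the second TGT here is already expired.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: jfh@CISE.UFL.EDU

Valid starting       Expires              Service principal
05/02/2003 10:00:00  05/02/2003 20:00:00  krbtgt/CISE.UFL.EDU@CISE.UFL.EDU
05/01/2003 09:00:00  05/01/2003 19:00:00  krbtgt/UFL.EDU@UFL.EDU
05/02/2003 10:05:00  05/02/2003 20:00:00  host/fileserver.example.edu@CISE.UFL.EDU
"""

TIME_FMT = "%m/%d/%Y %H:%M:%S"
TICKET_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+"   # valid starting
    r"(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+"   # expires
    r"(\S+)$"                                       # service principal
)


def parse_time(text):
    """Parse a klist timestamp such as '05/02/2003 10:24:33'."""
    return datetime.strptime(text, TIME_FMT)


def parse_tgts(klist_output):
    """Return {realm: expiry datetime} for every local TGT in klist output.

    Only krbtgt/R@R counts as a TGT for realm R. A cross-realm ticket such
    as krbtgt/B@A is deliberately ignored: it does not make you a principal
    in B, which is what the "be several principals at once" idea needs.
    """
    tgts = {}
    for line in klist_output.splitlines():
        m = TICKET_RE.match(line.strip())
        if not m:
            continue  # header lines, blank lines, anything non-ticket
        expires, service = m.group(2), m.group(3)
        if "@" not in service:
            continue
        name, realm = service.split("@", 1)
        if name == "krbtgt/" + realm:
            tgts[realm] = parse_time(expires)
    return tgts


def realms_needing_kinit(klist_output, wanted_realms, now, margin_seconds=300):
    """Wanted realms with no TGT, or a TGT expiring within margin_seconds."""
    tgts = parse_tgts(klist_output)
    needs = []
    for realm in wanted_realms:
        expiry = tgts.get(realm)
        if expiry is None or (expiry - now).total_seconds() <= margin_seconds:
            needs.append(realm)
    return needs


if __name__ == "__main__":
    # Hypothetical realm set and clock; a real daemon would poll periodically.
    wanted = ["CISE.UFL.EDU", "UFL.EDU", "INF.ED.AC.UK"]
    now = parse_time("05/02/2003 10:24:33")
    for realm in realms_needing_kinit(SAMPLE_KLIST, wanted, now):
        print("run kinit for realm %s" % realm)
```

The daemon this sketches still has the limitation the post notes: it learns about an expired TGT only by polling, not from the application that hit the failure. One caveat on item 2): later MIT Kerberos releases added "collection" credential caches (the DIR: and KEYRING: cache types) that hold credentials for several principals in one place, which is close to what the post asks for.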


More information about the Kerberos mailing list