Apps aquiring tickets (was Re: gssapi/openssh)
Sam Hartman
hartmans at MIT.EDU
Sat May 3 16:51:30 EDT 2003
>>>>> "James" == James F Hranicky <jfh at cise.ufl.edu> writes:
James> On Wed, 30 Apr 2003 18:25:47 +0100
James> Simon Wilkinson <sxw at warspite.inf.ed.ac.uk> wrote:
>> No, it doesn't. Philosophically, I don't think that its the job
>> of the client to go out and get credentials, if none
>> exist. Practically, doing so would require the client to know
>> about the underlying GSSAPI mechanism, which at present it
>> doesn't need to.
James> I understand this sentiment (especially with GSSAPI given
James> its a layer that uses Kerberos, but isn't itself Kerberos),
James> but I think that if the following were true it would be a
James> boon for the user:
James> 1) applications could get a TGT for a given realm
James> stored in a single common place that other apps could use
They can.
James> 2) the ticket cache could contain TGTs for multiple
James> realms
I think if you want this you need to think through exactly what it
would mean and come up with a concrete proposal that looks at
implementation issues. If you can do that then please write up your
proposal and send to krbdev at mit.edu.
More information about the Kerberos
mailing list