Apps acquiring tickets (was Re: gssapi/openssh)

Simon Wilkinson sxw at spud.inf.ed.ac.uk
Tue May 6 04:16:00 EDT 2003


On Mon, 5 May 2003, Dr. Greg Wettstein wrote:
> It would seem that Java would be the language of choice for something
> like this, it at least makes the graphical issues less of a problem.
> Since 1.4.x also supports GSSAPI there is low-level support for
> Kerberos credential management in at least the IBM and SUN
> distributions.

GSSAPI doesn't help, unfortunately, as it doesn't contain any routines
to do credential management.

> So again, all that's needed is someone with some spare coding
> cycles... :-)

Something like this has been on my list for a long time now. I think the
big problem is that exactly _what_ it does is going to be incredibly
dependent on the local system. For example, what I'd like is something
which uses PAM to do the reinitialization, so that other credentials (such
as those for x509 and AFS) can be renewed at the same time.

The key implementation issue is, I think, how you keep up with all of
the things that a user can do with a credentials cache. When this cache is
administered via a shared-memory API, you've at least got a common entry
point you can monitor. With file-based ccaches, you don't really have that
- as you need to handle situations such as the user removing the file,
changing KRB5CCNAME to point elsewhere, and copying a different file over
their current cache.

S.
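
The file-cache situations listed above (removal, KRB5CCNAME pointing elsewhere, another file copied over the cache), as an added example that is not part of the original post: it resolves the FILE cache named by KRB5CCNAME and classifies what happened to it by comparing stat snapshots. The function names, the temporary krb5cc_demo path and the byte contents are constructed for illustration, and the watcher is assumed to be handed the user's environment.

```python
import os
import tempfile
from pathlib import Path

def ccache_file(env):
    """Return the file path named by KRB5CCNAME, or None for non-file caches."""
    name = env.get("KRB5CCNAME", "")
    if name.startswith("/"):              # bare path: the FILE type is implied
        return name
    kind, _, residual = name.partition(":")
    return residual if kind == "FILE" and residual else None

def snapshot(path):
    """Identity of the cache file right now, or None if it is missing."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    return (st.st_dev, st.st_ino, st.st_size, st.st_mtime_ns)

def classify(prev, cur):
    """Name the transition between two snapshots of the same path."""
    if prev == cur:
        return "unchanged"
    if cur is None:
        return "removed"
    if prev is None:
        return "created"
    if prev[:2] != cur[:2]:               # new device/inode: another file moved in
        return "replaced"
    return "rewritten"                    # same inode, different size or mtime

def demo():
    """Replay the cases from the post on a constructed cache in a temp dir."""
    events = []
    with tempfile.TemporaryDirectory() as d:
        path = ccache_file({"KRB5CCNAME": "FILE:" + os.path.join(d, "krb5cc_demo")})
        other = Path(d, "other")
        actions = [
            lambda: Path(path).write_bytes(b"constructed-cache-1"),         # created
            lambda: None,                                                   # idle
            lambda: Path(path).write_bytes(b"constructed-cache-2-longer"),  # cp over
            lambda: (other.write_bytes(b"x"), os.replace(other, path)),     # mv over
            lambda: os.remove(path),                                        # deleted
        ]
        for act in actions:
            before = snapshot(path)
            act()
            events.append(classify(before, snapshot(path)))
    return events
```

A change of KRB5CCNAME shows up here only as a different return value from `ccache_file`; a watcher that polls one path will not see it unless it is given the new environment.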


