KfW 3.2.2 multiple users via SSH
Jeffrey Altman
jaltman at secure-endpoints.com
Mon Nov 9 18:23:44 EST 2009

krbcc32s.exe is per session. You can't run two instances in the same
session with different authentication contexts. I don't know how the
sshd you are using is implemented but apparently it doesn't run the
underlying users in distinct logon sessions.

petesea at bigfoot.com wrote:
> I'm using Kerberos for Windows 3.2.2 on Windows XP SP3 and noticed a
> problem using kinit/klist when multiple users ssh to the host.
>
> If I ssh to the windows host as "userA", then run klist, I see the
> following:
>
> (as userA - krbcc32s NOT running)
> $ klist
> klist.exe: No credentials cache found (ticket cache API:krb5cc)
>
> That's as expected. And... looking at ProcessExplorer, the krbcc32s
> process is now running as "userA".
>
> Now, ssh as "userB" and run klist:
>
> (as userB - krbcc32s running as userA)
> $ klist
> klist.exe: Credentials cache I/O operation failed XXX while getting default ccache
>
> If I kill krbcc32s and redo the test, but log in as "userB" first, I see
> just the reverse, i.e.:
>
> (as userB - krbcc32s NOT running)
> $ klist
> klist.exe: No credentials cache found (ticket cache API:krb5cc)
>
> (as userA - krbcc32s running as userB)
> $ klist
> klist.exe: Credentials cache I/O operation failed XXX while getting default ccache
>
> My first suspicion was the fact that the CC is the same for both users
> (API:krb5cc), but if I redo the above tests and set KRB5CCNAME to
> something unique for each user (eg. API:krb5cc_userA, API:krb5cc_userB) it
> fails the same way.
>
> If I use a unique "FILE:" credentials cache for each user (eg.
> FILE:C:/tmp/krb5cc_userA, FILE:C:/tmp/krb5cc_userB), then it seems to
> work, but krb5cc32s is running as the first user who started it, which
> bothers me.
>
> Soooo... 2 questions:
>
> 1) Is it not possible to use an API: credentials cache for more than one
> user?
>
> 2) Is it OK to use a FILE: credentials cache in this case even though
> krb5cc32s is running as the first user who started it?
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos