multiple principals in one cache?

Greg Hudson ghudson at MIT.EDU
Wed Nov 10 18:34:43 EST 2010


On Wed, 2010-11-10 at 17:31 -0500, Russ Allbery wrote:
> It's just not supported by the ticket cache format and ticket manager that
> is used by default on UNIX.

The cache format is fine with it, actually, and has been basically
forever as far as I know.  What gets in the way is:

* kinit insists on overwriting the cache.
* kdestroy doesn't know how to destroy only one client principal.
* The krb5 GSS mech insists that the cache's default principal matches
the client name, not just that the cache contains an appropriate ticket.

And that's about it.  If someone wanted to write their own code to
manage the cache, and swap around the cache's default client principal
for the sake of the GSS mech, I don't think anything in libkrb5 would
get in the way.

You can produce a ccache with multiple client principals using ksu.
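
The statement that the cache format itself allows this can be checked by reading a cache file directly, since every credential entry stores its own client principal. The following is an added example, not part of the original post and not MIT krb5 code: a minimal reader for version 4 (0x0504) FILE ccaches that returns the default principal and the distinct client principals found in the credentials. The sample cache, the principal names and all helper names are constructed for illustration.

```python
import struct
class Reader:
    """Cursor over a version-4 (0x0504) FILE ccache; all integers are big-endian."""
    def __init__(self, buf):
        self.buf, self.pos = buf, 0
    def take(self, n):
        if self.pos + n > len(self.buf):
            raise ValueError("truncated ccache")
        self.pos += n
        return self.buf[self.pos - n:self.pos]
    def num(self, fmt):
        return struct.unpack(fmt, self.take(struct.calcsize(fmt)))[0]
    def data(self):                       # 32-bit length, then value
        return self.take(self.num(">I"))
    def principal(self):                  # name type, count, realm, components
        self.num(">I")
        count = self.num(">I")
        realm = self.data().decode()
        return "/".join(self.data().decode() for _ in range(count)) + "@" + realm
    def typed_list(self):                 # addresses / authdata: count, then (type, data)
        for _ in range(self.num(">I")):
            self.num(">H"); self.data()

def client_principals(buf):
    # Returns (default principal, distinct client principals over all credentials).
    r = Reader(buf)
    if r.num(">H") != 0x0504:
        raise ValueError("only ccache format version 4 is handled")
    r.take(r.num(">H"))                   # skip header tags
    default, clients = r.principal(), []
    while r.pos < len(buf):
        client = r.principal()
        r.principal()                     # server
        r.num(">H"); r.data()             # keyblock: enctype, key
        r.take(4 * 4 + 1 + 4)             # four times, is_skey, ticket flags
        r.typed_list(); r.typed_list()    # addresses, authdata
        r.data(); r.data()                # ticket, second ticket
        if client not in clients:
            clients.append(client)
    return default, clients
# Constructed sample: one cache, default principal alice, tickets for two clients.
def _d(b): return struct.pack(">I", len(b)) + b
def _p(name, realm="EXAMPLE.COM"):
    parts = name.split("/")
    return struct.pack(">II", 1, len(parts)) + _d(realm.encode()) + b"".join(_d(c.encode()) for c in parts)
def _cred(client):
    return (_p(client) + _p("krbtgt/EXAMPLE.COM") + struct.pack(">H", 18) + _d(bytes(32))
            + bytes(21) + bytes(8) + _d(b"constructed-ticket") + _d(b""))
SAMPLE = struct.pack(">HHHH", 0x0504, 12, 1, 8) + bytes(8) + _p("alice") + _cred("alice") + _cred("alice/admin")
```

Seeing more than one client principal in the result, or one that differs from the default principal, is the situation the krb5 GSS mech check above does not accommodate.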




