Multiple principals in a single kerberos keytab file?

Russ Allbery rra at stanford.edu
Tue Apr 9 00:20:40 EDT 2013


Srivatsan vn <srivatsan.vn at gmail.com> writes:

> And just out of my curiosity, is this not a limitation on cache
> credential format to support multiple principals? if yes, any plans to
> address this in the near future:-)?

The credential cache format problem is relatively easy to fix.  (You can,
for example, just use a DIR cache without changing applications if the
applications link with the MIT Kerberos libraries.)  The harder problem is
that Kerberos APIs have a notion of the default principal, which is
normally read from the ticket cache or otherwise specified to the
application.  Since for many years it wasn't possible to have credentials
for more than one principal without maintaining separate ticket caches and
additional complexity, and since most applications assume they have a
single identity, application code generally just determines its identity
at startup and then has no mechanism for ever changing it.

There are some proposals to let a GSS-API client choose an identity based
on who it is connecting to, but I don't know if any of them have been
implemented.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
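The DIR cache mentioned above is what lets one KRB5CCNAME hold credentials for several principals, while each application still reads a single "default principal" out of whichever cache is marked primary. The script below, added here as an example (it is not part of Russ's reply or of MIT Kerberos), builds a constructed DIR collection and shows both halves of that: the per-principal FILE caches and the `primary` pointer that `kswitch` flips. Its assumptions: the layout MIT documents for `DIR:` caches (one FILE-format cache per principal named `tkt*`, plus a `primary` file holding the basename of the selected cache), and the version-4 FILE ccache header (0x0504, 16-bit header length, tagged header fields, then the default principal). The sample caches are constructed and contain only a header and a principal, no tickets, so nothing here talks to a KDC.

```python
import os
import struct
import tempfile


def _counted(data: bytes) -> bytes:
    """Encode a counted octet string: 32-bit big-endian length, then bytes."""
    return struct.pack(">I", len(data)) + data


def build_ccache(principal: str, name_type: int = 1) -> bytes:
    """Build a minimal version-4 FILE ccache holding only the default principal.

    Constructed sample, not a real ticket cache: a v4 cache starts with
    0x0504, a 16-bit header length, header fields (16-bit tag, 16-bit length,
    data), then the principal as 32-bit name type, 32-bit component count,
    realm and components as counted strings. Credentials would follow.
    """
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    header = struct.pack(">HHii", 1, 8, 0, 0)  # tag 1: clock offset, 2x32-bit
    out = b"\x05\x04" + struct.pack(">H", len(header)) + header
    out += struct.pack(">II", name_type, len(comps))
    out += _counted(realm.encode())
    for c in comps:
        out += _counted(c.encode())
    return out


def default_principal(data: bytes) -> str:
    """Read the default principal stored at the front of a v4 FILE ccache.

    This is the identity an application linked with the Kerberos libraries
    picks up at startup; everything after it (the actual credentials) is
    ignored here.
    """
    if data[:2] != b"\x05\x04":
        raise ValueError("not a version-4 credential cache")
    pos = 2
    (hlen,) = struct.unpack_from(">H", data, pos)
    pos += 2 + hlen  # skip the tagged header fields entirely
    _name_type, ncomp = struct.unpack_from(">II", data, pos)
    pos += 8

    def read_counted() -> str:
        nonlocal pos
        (n,) = struct.unpack_from(">I", data, pos)
        pos += 4
        s = data[pos:pos + n]
        pos += n
        return s.decode()

    realm = read_counted()
    comps = [read_counted() for _ in range(ncomp)]
    return "/".join(comps) + "@" + realm


def list_collection(dirpath: str):
    """Mimic 'klist -A' on a DIR collection.

    Returns (primary principal, sorted list of all principals). Per the
    documented DIR layout, 'primary' names the active cache and each cache
    file begins with 'tkt'; anything else in the directory is ignored.
    """
    with open(os.path.join(dirpath, "primary")) as f:
        primary_name = f.read().strip()
    found = {}
    for fn in sorted(os.listdir(dirpath)):
        if fn.startswith("tkt"):
            with open(os.path.join(dirpath, fn), "rb") as f:
                found[fn] = default_principal(f.read())
    return found.get(primary_name), sorted(found.values())


def switch_primary(dirpath: str, principal: str) -> str:
    """Do what 'kswitch -p PRINCIPAL' does: point 'primary' at that cache."""
    for fn in os.listdir(dirpath):
        if fn.startswith("tkt"):
            with open(os.path.join(dirpath, fn), "rb") as f:
                if default_principal(f.read()) == principal:
                    with open(os.path.join(dirpath, "primary"), "w") as p:
                        p.write(fn + "\n")
                    return fn
    raise KeyError(principal)


def demo():
    """Build a constructed two-principal DIR collection, then switch primary."""
    d = tempfile.mkdtemp(prefix="krb5cc_dir_")
    for fn, princ in (("tktA", "alice@EXAMPLE.COM"),
                      ("tktB", "alice/admin@EXAMPLE.COM")):
        with open(os.path.join(d, fn), "wb") as f:
            f.write(build_ccache(princ))
    with open(os.path.join(d, "primary"), "w") as f:
        f.write("tktA\n")
    before = list_collection(d)
    switch_primary(d, "alice/admin@EXAMPLE.COM")
    after = list_collection(d)
    return before, after


if __name__ == "__main__":
    for label, (primary, all_princs) in zip(("before", "after"), demo()):
        print(f"{label}: primary={primary} all={all_princs}")
```

The point of the walk-through is the one Russ makes: the collection can hold both principals at once, but the process still sees exactly one default principal, chosen at the moment it reads the cache. Switching `primary` afterwards does nothing for an application that already resolved its identity at startup.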

