Updates (multi-realm) to Leash32...
John M. Lockard
jlockard at umich.edu
Fri Jan 10 17:03:01 EST 2003
On Fri, Jan 10, 2003 at 03:38:33PM -0500, Ken Hornstein wrote:
> >By Multi-realm I mean "multiple realms"... If you've used Krb5 much
> >you know that you can authenticate to multiple realms easily using
> >the kinit command. I can do 'kinit jlockard at SI.UMICH.EDU' and then
> >'kinit jlockard at UMICH.EDU' to get tickets in both realms.
>
> ... except, of course, that unless you have two KRB5CCNAME environment
> variables the second kinit will wipe out the credentials from the
> first kinit.
Yep, I know of that "trick", and it's not the most convenient thing to
try and explain to your normal University computer user.
> >I would
> >expect that if my application recognizes Krb5 that my application
> >would allow me to choose the realm in which I want it to do things.
>
> In my years of using Kerberos 5, I've _never_ seen a Kerberized
> application that let you pick which principal you should be use to
> authenticate. I'm not counting the old Unix trick of setting the
> KRB5CCNAME environment variable.
I never said that I wanted to pick which princical, just the realm.
In an application, such as mulberry, I can tell the app with realm
I want to authenticate too. I may have several identities in the
client, and each identity would have a different realm that it would
auth against.
> The closest I've ever seen is what on the Mac, where you can
> manage multiple TGTs and select which principal is your primary
> principal. But again, that isn't a per-application thing.
>
> --Ken
--
--jlockard - "There is no 'I' in 'TEAM',
so 'I' am not a part of it." - Jeff VanDeRyt
More information about the krbdev
mailing list