Updates (multi-realm) to Leash32...
jaltman at columbia.edu
Fri Jan 10 17:17:00 EST 2003
John M. Lockard wrote:
>On Fri, Jan 10, 2003 at 03:38:33PM -0500, Ken Hornstein wrote:
>>>By Multi-realm I mean "multiple realms"... If you've used Krb5 much
>>>you know that you can authenticate to multiple realms easily using
>>>the kinit command. I can do 'kinit jlockard at SI.UMICH.EDU' and then
>>>'kinit jlockard at UMICH.EDU' to get tickets in both realms.
>>... except, of course, that unless you have two KRB5CCNAME environment
>>variables the second kinit will wipe out the credentials from the
>Yep, I know of that "trick", and it's not the most convenient thing to
>try and explain to your normal University computer user.
>I never said that I wanted to pick which princical, just the realm.
>In an application, such as mulberry, I can tell the app with realm
>I want to authenticate too. I may have several identities in the
>client, and each identity would have a different realm that it would
It does not matter if you are talking about multiple user names or
multiple realms, the fact is that you have multiple principals. The
Kerberos Credential Cache only allows credentials for a single principal
to be stored within a cache.
When you issue "kinit jlockard at UMICH.EDU" and then "kinit
jlockard at SI.UMICH.EDU" the credentials for jlockard at UMICH.EDU are erased
when you perform the second kinit.
I frequently use Leash32 to get credentials for a variety of realms
including CC.COLUMBIA.EDU, KERMIT.COLUMBIA.EDU and ATHENA.MIT.EDU. The
credentials are stored into the credential cache indicated on the
Kerberos Five Properties page. (While this appears to be an editable
field Leash32 ignores changes made to it.)
Kermit 95 actually lets you specify from within the application which
Credentials Cache you wish to use. So you can in fact with K95 store
multiple sets of credentials and toggle between them. However, there is
no mechanism to specify which is the default.
Since Kerberos 5 applications reference the credential cache by name and
most do not have a method for specifying the cache name, the best that
could be done would be to allow Leash32 to manage multiple credential
caches and move credentials in and out of the API:krb5cc cache when you
select a specific principal as the active one.
Is this what you are looking for?
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the krbdev