Updates (multi-realm) to Leash32...

Jeffrey Altman jaltman at columbia.edu
Fri Jan 10 17:17:00 EST 2003


John M. Lockard wrote:

>On Fri, Jan 10, 2003 at 03:38:33PM -0500, Ken Hornstein wrote:
>
>>>By Multi-realm I mean "multiple realms"...  If you've used Krb5 much
>>>you know that you can authenticate to multiple realms easily using
>>>the kinit command.  I can do 'kinit jlockard at SI.UMICH.EDU' and then
>>>'kinit jlockard at UMICH.EDU' to get tickets in both realms.
>>
>>... except, of course, that unless you have two KRB5CCNAME environment
>>variables the second kinit will wipe out the credentials from the
>>first kinit.
>
>Yep, I know of that "trick", and it's not the most convenient thing to
>try and explain to your normal University computer user.
>
>I never said that I wanted to pick which principal, just the realm.
>In an application, such as mulberry, I can tell the app which realm
>I want to authenticate to.  I may have several identities in the
>client, and each identity would have a different realm that it would
>auth against.
>
It does not matter if you are talking about multiple user names or 
multiple realms, the fact is that you have multiple principals.  The 
Kerberos Credential Cache only allows credentials for a single principal 
to be stored within a cache.

When you issue "kinit jlockard at UMICH.EDU" and then "kinit 
jlockard at SI.UMICH.EDU" the credentials for jlockard at UMICH.EDU are erased 
when you perform the second kinit.

I frequently use Leash32 to get credentials for a variety of realms 
including CC.COLUMBIA.EDU, KERMIT.COLUMBIA.EDU and ATHENA.MIT.EDU.  The 
credentials are stored in the credential cache indicated on the 
Kerberos Five Properties page.  (While this appears to be an editable 
field, Leash32 ignores changes made to it.)

Kermit 95 actually lets you specify from within the application which 
Credentials Cache you wish to use.  So with K95 you can in fact store 
multiple sets of credentials and toggle between them.  However, there is 
no mechanism to specify which is the default.

Since Kerberos 5 applications reference the credential cache by name and 
most do not have a method for specifying the cache name, the best that 
could be done would be to allow Leash32 to manage multiple credential 
caches and move credentials in and out of the API:krb5cc cache when you 
select a specific principal as the active one.

Is this what you are looking for?

- Jeff
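The KRB5CCNAME "trick" that the thread refers to, and the "move credentials in and out of the default cache when a principal is selected" idea in Jeff's reply, can be illustrated on a Unix host with a few shell functions. This is an added example and not code from the thread, from Leash32 or from Kermit 95; it assumes MIT-style FILE: caches under a per-user directory (CC_DIR), a fixed symlink named "default" as the stand-in for the one cache that applications without a cache-name option will read, and the principal names from the thread written with a literal "@".

```shell
#!/bin/sh
# Added example (not from the original thread): keep one Kerberos 5
# credential cache per principal on a Unix host and switch the "default"
# between them, which is the KRB5CCNAME "trick" under discussion.
# CC_DIR, the cache layout and the principal names are assumptions.

# Directory holding one FILE: cache per principal, readable only by us.
CC_DIR="${CC_DIR:-${TMPDIR:-/tmp}/krb5cc_$(id -u)}"

# Cache name for a principal: FILE:<dir>/<principal>, for example
# cc_for_principal jlockard@UMICH.EDU -> FILE:/tmp/krb5cc_1000/jlockard@UMICH.EDU
cc_for_principal() {
    printf 'FILE:%s/%s\n' "$CC_DIR" "$1"
}

# Run a command with KRB5CCNAME pointing at the principal's own cache, so
# the command sees only that principal's tickets.
with_principal() {
    princ="$1"; shift
    KRB5CCNAME="$(cc_for_principal "$princ")" "$@"
}

# Obtain tickets for a principal into its own cache.  Because every
# principal has a separate cache, a later kinit for another principal no
# longer erases the first one.
kinit_into() {
    mkdir -p "$CC_DIR" && chmod 700 "$CC_DIR"
    with_principal "$1" kinit "$1"
}

# Select which principal is the default.  Applications that cannot be told
# a cache name read $KRB5CCNAME, so a fixed symlink is pointed at the chosen
# cache and the export line is printed for the caller's shell to eval.
activate() {
    mkdir -p "$CC_DIR" && chmod 700 "$CC_DIR"
    ln -sfn "$CC_DIR/$1" "$CC_DIR/default"
    printf 'export KRB5CCNAME=FILE:%s/default\n' "$CC_DIR"
}

# Principal whose cache the default symlink currently points at.
active_principal() {
    basename "$(readlink "$CC_DIR/default")"
}

# Usage from an interactive shell (kinit and reachable KDCs required):
#   kinit_into jlockard@UMICH.EDU
#   kinit_into jlockard@SI.UMICH.EDU
#   eval "$(activate jlockard@SI.UMICH.EDU)"   # klist now shows SI.UMICH.EDU
#   with_principal jlockard@UMICH.EDU klist    # the other cache is untouched
```

The cache directory is created mode 0700 because each file holds a bearer credential: anyone who can read it can use the tickets. Note that a kinit run against the "default" symlink follows it and overwrites the selected principal's cache, which is the intended behaviour here. Later MIT Kerberos releases (1.10 and up) provide this natively as DIR: cache collections with the kswitch command, and on Windows Leash works with API: caches rather than files, so this script is only a model of the mechanism, not a replacement for either.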

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.mit.edu/pipermail/krbdev/attachments/20030110/08321f8d/attachment.htm

