Keytab-based initiator creds design
Henry B. Hotz
hotz at jpl.nasa.gov
Tue Jun 12 16:49:10 EDT 2012
If the UI for changing default cc's were as good as the UI for PAGs I'd have more sympathy for that viewpoint. I want a "give me a new default cc, I don't care what you call it" operation. I want a "pop" operation that destroys the current default cc and restores the previous one.
And I want multiple ssh logins to always have different cc's. I'm perplexed as to why this use case seems to be considered as an edge case instead of the primary use case.
On Jun 11, 2012, at 2:37 PM, Nico Williams wrote:
> On Mon, Jun 11, 2012 at 4:01 PM, Simo Sorce <simo at redhat.com> wrote:
>> On Mon, 2012-06-11 at 11:47 -0700, Henry B. Hotz wrote:
>>> The session ID, or per-session credential caches?
>>
>> The second.
>
> I've been coming around to that view in recent years too. People who
> run multiple apps in different PAGs, with different Kerberos
> credentials, but all with the same UID (euid) tend to do this for
> credential selection reasons. Credential selection is probably best
> addressed via a different mechanism altogether (see krb5_cc_select()).
>
> Also, PAGs provide no isolation. If isolation is required then either
> different UIDs or MAC are required.
>
> Nico
> --
------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
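The "give me a new default cc" and "pop" operations the message asks for, written out as an added example (not code from this thread, from MIT krb5 or from any other Kerberos implementation). It is a POSIX sh layer over KRB5CCNAME, the environment variable that krb5 command-line tools and GSSAPI initiators consult to locate the default credential cache; the function names kcc_push/kcc_pop, the KCC_* variables and the temp-file naming are invented here.

```shell
#!/bin/sh
# Added example (not from the thread): a push/pop layer over the default
# Kerberos credential cache. The only real interface used is the KRB5CCNAME
# environment variable, which krb5 tools and GSSAPI initiators consult to find
# the default cache. Function and variable names (kcc_*, KCC_*) are invented.

KCC_DEPTH=0   # number of saved caches; the saved names live in KCC_SAVED_<n>

# kcc_push: save the current default cache name and switch to a fresh,
# private FILE: cache. The caller never has to pick a name.
kcc_push() {
    # mktemp creates the file with mode 0600, so tickets later written to it
    # by kinit (or delegated by sshd) are not readable by other local users.
    _new=$(mktemp "${TMPDIR:-/tmp}/krb5cc_push_XXXXXX") || return 1
    KCC_DEPTH=$((KCC_DEPTH + 1))
    eval "KCC_SAVED_$KCC_DEPTH=\"\${KRB5CCNAME:-}\""
    KRB5CCNAME="FILE:$_new"
    export KRB5CCNAME
    printf 'default cache is now %s\n' "$KRB5CCNAME"
}

# kcc_destroy_current: wipe the tickets in the current default cache. Use
# kdestroy when it is installed (it also understands non-FILE cache types);
# always remove a FILE: path ourselves, because an untouched mktemp file is
# not a valid cache and kdestroy refuses it.
kcc_destroy_current() {
    [ -n "${KRB5CCNAME:-}" ] || return 0
    if command -v kdestroy >/dev/null 2>&1; then
        kdestroy -c "$KRB5CCNAME" >/dev/null 2>&1 || true
    fi
    case "$KRB5CCNAME" in
        FILE:*) rm -f "${KRB5CCNAME#FILE:}" ;;
    esac
}

# kcc_pop: destroy the current default cache and restore the previous one
# (or the unset state, if the stack started with no KRB5CCNAME).
kcc_pop() {
    if [ "$KCC_DEPTH" -le 0 ]; then
        echo "kcc_pop: no saved credential cache" >&2
        return 1
    fi
    kcc_destroy_current
    eval "_prev=\"\$KCC_SAVED_$KCC_DEPTH\""
    eval "unset KCC_SAVED_$KCC_DEPTH"
    KCC_DEPTH=$((KCC_DEPTH - 1))
    if [ -n "$_prev" ]; then
        KRB5CCNAME="$_prev"
        export KRB5CCNAME
    else
        unset KRB5CCNAME
    fi
    printf 'default cache is now %s\n' "${KRB5CCNAME:-<unset>}"
}

# Demo when run as "sh this.sh demo": two nested pushes, then unwind.
if [ "${1:-}" = "demo" ]; then
    kcc_push; kcc_push; kcc_pop; kcc_pop
fi
```

Sourced from a login script, kcc_push gives every interactive session its own cache, which is the behaviour the message asks for; whatever is put there afterwards (by kinit, or by sshd when GSSAPI credential delegation is in use) is destroyed by kcc_pop. The 0600 mode only keeps other local users out: any process running under the same UID can still read the FILE: cache, which is the point made in the quoted reply that neither PAGs nor per-session caches provide isolation within one UID.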