On Tue, Aug 15, 2000 at 01:52:34PM -0500, Matt Crawford wrote:
> > So? If you're forwarding a TGT why would you then run kinit?
>
> I was going to say "kinit -R", but that doesn't seem to have made me
> a new ccache file.
>
> gungnir 325% ls -li $KRB5CCNAME
> 20 -rw------- 1 crawdad dcg 1801 Aug 15 09:43 /tmp/krb5cc_console
> gungnir 326% kinit -R
> gungnir 327% ls -li $KRB5CCNAME
> 20 -rw------- 1 crawdad dcg 905 Aug 15 13:39 /tmp/krb5cc_console
>
>
> Anyway, I think it'll be great to have telnet able to forward a later
> credential. That's one more thing I can cross off my "round tuit"
> list. I've been copying newer ccaches across with rsh, which is
> cumbersome, but at least I seldom need it.
>
> A really whizzo function would be the ability not to forward your
> TGT, but to trap accesses to your remote ccache and get your local
> host to do the TGS_REQ when needed and send back the needed cred.
> Some sort of IPC: ccache type could do this without violence to the
> applications.

Actually, I've suggested something like this in a different thread.

Imagine forwarding a proxy ticket, instead of a TGT, and the ticket is
for accessing, on your behalf, a service on the host where you signed
on, which can furnish remote hosts with service tickets on demand.

That way you'd have a single TGT, on your original sign-on host, and
all other remote services you access would always contact your
original sign-on host for any tickets they might need. Then users
could watch in real-time, and even veto, requests for service tickets
by remote services on their behalf.

It's probably overkill, but when you start talking about having
telnetd automatically retrieve TGTs from the telnet client when the
one local to the telnetd expires, well, then what you suggest becomes
more attractive.

And you're right, this could be done in the ccache, without any
changes being needed for any applications, other than kinit and,
maybe, klist, so they know about the "indirect TGT".

> Matt Crawford

Nico
--
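
A toy model of the "indirect TGT" idea discussed in this message, added here as an illustration; it is not code from the thread or from any Kerberos implementation. The class names, the HMAC authenticator and the `approve` veto hook are assumptions, and no real Kerberos messages are exchanged.

```python
import hashlib
import hmac
import os
import time

def _mac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

class SignOnBroker:
    """Toy service on the sign-on host; the only place the TGT lives."""
    def __init__(self, approve):
        self._tgt_key = os.urandom(32)  # stand-in for the TGT; never forwarded
        self._proxies = {}              # remote host -> (proxy key, expiry)
        self._approve = approve         # user's veto hook: (host, service) -> bool
        self.audit = []                 # requests the user can watch

    def forward_proxy(self, host, lifetime=600):
        key = os.urandom(32)            # proxy credential, good only for this broker
        self._proxies[host] = (key, time.time() + lifetime)
        return key

    def request_ticket(self, host, service, authenticator):
        key, expiry = self._proxies.get(host, (None, 0))
        if key is None or time.time() > expiry:
            outcome = "denied: no valid proxy credential"
        elif not hmac.compare_digest(_mac(key, service), authenticator):
            outcome = "denied: bad authenticator"
        elif not self._approve(host, service):
            outcome = "denied: vetoed by user"
        else:
            outcome = "issued"
        self.audit.append((host, service, outcome))
        # Stand-in for the TGS exchange the broker would perform with its TGT.
        return _mac(self._tgt_key, f"{host}|{service}").hex() if outcome == "issued" else None

class IndirectCCache:
    """Remote-side cache: holds the proxy credential, never a TGT."""
    def __init__(self, broker, host, proxy_key):
        self.broker, self.host, self._key = broker, host, proxy_key
        self.tickets = {}

    def get_ticket(self, service):
        if service not in self.tickets:
            auth = _mac(self._key, service)  # toy authenticator; no replay protection
            ticket = self.broker.request_ticket(self.host, service, auth)
            if ticket is None:
                return None
            self.tickets[service] = ticket
        return self.tickets[service]
```

Every ticket a remote host obtains leaves an entry in `audit` on the sign-on host, and a compromised remote host holds only a proxy key that the broker can expire or refuse.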