
Re: heimdal & KCM



Brian May <bam@debian.org> writes:
>>>>>> "Steinar" == Steinar H Gunderson <sgunderson@bigfoot.com> writes:

>     Steinar> Does this mean other programs wanting to read tickets
>     Steinar> (say, rpc.gssd from nfs-common) will have to be patched
>     Steinar> to read the tickets? In that case, I very much object to
>     Steinar> having this by default before etch :-)

> If it uses the Heimdal client libraries, it should continue working
> without any problems (not tested yet).

The key point about programs like rpc.gssd is that they're not run by the
user.  They're system daemons that have to locate the ticket for the user
via other means.  Generally they do this by searching through /tmp for a
ticket cache owned by the appropriate user.

rpc.gssd is the main example of a program that does this, but sidentd has
the same issue.

It's for NFSv4 (and AFS) support that the MIT Kerberos developers are
looking at taking the KCM concept a step further and using a
kernel-mediated ticket cache of some kind so that NFSv4 has a more secure
path to locating the credentials for a particular user.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
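
The lookup described above (a system daemon searching /tmp for a ticket cache owned by the user), as an added example that is not part of the original message and is not rpc.gssd's or sidentd's code. It assumes file-based caches with the conventional `krb5cc_` name prefix; `find_ccache` is a hypothetical helper name.

```c
#define _XOPEN_SOURCE 700   /* expose lstat() and friends in strict modes */
#include <dirent.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumption: file caches use the conventional "krb5cc_" name prefix. */
#define CC_PREFIX "krb5cc_"

/* Find the newest ticket cache in `dir` owned by `uid`; 0 on success, -1 if
 * none. Names prove nothing in a world-writable dir, so vet with lstat(). */
int find_ccache(const char *dir, uid_t uid, char *out, size_t outlen)
{
    DIR *d = opendir(dir);
    struct dirent *e;
    time_t best = 0;
    int found = -1;
    if (d == NULL)
        return -1;
    while ((e = readdir(d)) != NULL) {
        char path[PATH_MAX];
        struct stat st;
        int n = snprintf(path, sizeof(path), "%s/%s", dir, e->d_name);
        if (strncmp(e->d_name, CC_PREFIX, strlen(CC_PREFIX)) != 0 ||
            n < 0 || (size_t)n >= sizeof(path) || (size_t)n >= outlen)
            continue;               /* wrong name or path too long */
        if (lstat(path, &st) != 0 || !S_ISREG(st.st_mode))
            continue;               /* symlink, directory, FIFO, ... */
        if (st.st_uid != uid || (st.st_mode & (S_IRWXG | S_IRWXO)))
            continue;               /* wrong owner, or open to group/other */
        if (found == 0 && st.st_mtime <= best)
            continue;               /* keep the most recent cache */
        strcpy(out, path);
        best = st.st_mtime;
        found = 0;
    }
    closedir(d);
    return found;
}

int main(void)
{
    char path[PATH_MAX];
    if (find_ccache("/tmp", getuid(), path, sizeof(path)) == 0)
        printf("user cache: %s\n", path);
    return 0;
}
```

The lstat() checks can still race with a later open of the same path, so a consumer should open the result with O_NOFOLLOW and repeat the owner and mode checks with fstat() on the descriptor.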


