From: Bjoern Groenvall
To: Robert Watson
Cc: freebsd-security@freebsd.org
Subject: Re: Kerberos tickets in /tmp -- or somewhere else?
Date: 02 Nov 1999 21:54:51 +0100
In-Reply-To: Robert Watson's message of Tue, 19 Oct 1999 09:57:59 -0400 (EDT)

Robert Watson writes:

> Does anyone know if there's a way to make our default-installed K4 move
> its tickets somewhere other than /tmp without rebuilding? /tmp on my
> busy machines gets filled with ticket files (sometimes many for a
> particular user with different variations on the same name). On CMU's
> Andrew workstations, they make use of a /tkt with restrictive access
> rights for ticket files, which can be cleaned separately from /tmp, and
> more importantly, in a different namespace.
>
> It sounds like the kind of thing that's hardcoded (and if I remember from
> my last source inspection, it is), but perhaps we could make it something
> configurable? I guess there is no tradition of a /etc/kerberosIV/krb.rc
> (.conf already taken) with a configuration namespace and names/values
> :-). This could also be used to configure other host-based
> policy--maximum ticket lifespans that the library should acquire, defaults
> for ticket-passing behavior once we get K5, etc.

In krb4-current it is now possible to define the default ticket prefix
in /etc/krb.extra. If you put the variable declaration

    krb_default_tkt_root = /tkt/tkt

in krb.extra then ticket files will be saved in /tkt.

If you would like to have a patch (relative krb4) for this change,
just ask, but you are probably not interested in rebuilding anyways.
The change will probably be merged into FreeBSD at some later point.

Cheers,
Björn
-- 
    _     _                                           ,_______________.
  Bjorn Gronvall (Björn Grönvall)                    /_______________/|
  Swedish Institute of Computer Science              |               ||
  PO Box 1263, S-164 29 Kista, Sweden                | Schroedingers ||
  Email: bg@sics.se, Phone +46 -8 633 15 25          |      Cat      |/
  Cellular +46 -70 768 06 35, Fax +46 -8 751 72 30   `---------------'
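
An added example, not part of the original message and not krb4 or FreeBSD code: a POSIX sh check for a dedicated ticket directory such as the /tkt selected by krb_default_tkt_root = /tkt/tkt. It assumes ticket files should be regular files with mode 0600 and that a world-writable ticket directory needs the sticky bit; the function name audit_tkt_dir is hypothetical.

```shell
#!/bin/sh
# Added example (not krb4 or FreeBSD code). audit_tkt_dir is a hypothetical name.
# Assumptions: ticket files are regular files with mode 0600, and a
# world-writable ticket directory must carry the sticky bit.
# Usage: audit_tkt_dir /tkt tkt   (directory, ticket file name prefix)
# Prints one line per finding; returns 0 when clean, 1 otherwise.
audit_tkt_dir() {
    dir=$1
    prefix=${2:-tkt}
    bad=0

    # The ticket root itself must be a real directory, not a symlink.
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "FAIL $dir: not a directory"
        return 1
    fi

    # World-writable without the sticky bit lets any user remove or
    # replace another user's ticket file.
    if [ -n "$(find "$dir" -prune -perm -0002 ! -perm -1000)" ]; then
        echo "FAIL $dir: world-writable without sticky bit"
        bad=1
    fi

    for f in "$dir/$prefix"*; do
        # Skip the unexpanded pattern when nothing matches.
        [ -e "$f" ] || [ -L "$f" ] || continue
        if [ -L "$f" ] || [ ! -f "$f" ]; then
            echo "FAIL $f: not a regular file"
            bad=1
        elif [ -n "$(find "$f" -prune ! -perm 600)" ]; then
            echo "FAIL $f: mode is not 0600"
            bad=1
        fi
    done
    return "$bad"
}
```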