Date: Fri, 5 Feb 2010 15:19:19 -0500 (EST)
From: Rick Macklem <rmacklem@uoguelph.ca>
To: George Mamalakis <mamalos@eng.auth.gr>
Cc: freebsd-current@freebsd.org, freebsd-stable <freebsd-stable@freebsd.org>
Subject: Re: Kerberized NFSv3 incorrect behavior (revisited)
Message-ID: <Pine.GSO.4.63.1002051515270.17768@muncher.cs.uoguelph.ca>
In-Reply-To: <4B6C3258.7050607@eng.auth.gr>

On Fri, 5 Feb 2010, George Mamalakis wrote:

> shows no tickets. This could be also a security threat, in case different
> kerberos principals (users in this setup) use a shared machine account to
> logon, and then access their resources by kiniting to their respective
> principals.
>
The kernel only knows the effective uid and the current gssd assumes that
there will be "one" user principal with a TGT in /tmp/krb5cc_N (where 'N'
is that uid#). Having multiple principals sharing the same login/uid (which
I'm guessing is what you refer to as a "shared machine account"), isn't
going to work.

I suppose that the gssd could do a "uid"->"username"->"principal name"
mapping and then use that "principal name", but it is still going to be
unique (ie only one) per uid.

rick
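
Added example (not part of the original message, and not gssd's code): a small reader for the default principal stored in a FILE credential cache (format versions 3 and 4), used to replay two kinits under one uid and show that only the last principal is left in that uid's krb5cc_N file. The function names, uid 1001, the alice/bob principals and the temporary directory standing in for /tmp are all constructed for illustration.

```python
import os
import struct
import tempfile

def ccache_name(uid):
    return "krb5cc_%d" % uid  # file name pattern from the message, N = effective uid

def build_ccache(principal):
    """Constructed sample: version, header and default principal of a v4 cache (no tickets)."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    out = b"\x05\x04" + struct.pack(">HHHii", 12, 1, 8, 0, 0)  # v4, 12-byte header (time offset tag)
    out += struct.pack(">II", 1, len(comps))                   # name type 1, component count
    for s in [realm] + comps:
        b = s.encode()
        out += struct.pack(">I", len(b)) + b                   # counted octet string
    return out

def default_principal(blob):
    """Return 'name@REALM' for the default principal of a v3/v4 FILE ccache."""
    if len(blob) < 4 or blob[0] != 5 or blob[1] not in (3, 4):
        raise ValueError("not a v3/v4 FILE ccache")
    off = 2
    if blob[1] == 4:                                           # v4 adds a length-prefixed header
        off += 2 + struct.unpack_from(">H", blob, off)[0]
    _name_type, ncomp = struct.unpack_from(">II", blob, off)
    off += 8
    fields = []
    for _ in range(ncomp + 1):                                 # realm first, then components
        (n,) = struct.unpack_from(">I", blob, off)
        off += 4
        if off + n > len(blob):
            raise ValueError("truncated ccache")
        fields.append(blob[off:off + n].decode())
        off += n
    return "/".join(fields[1:]) + "@" + fields[0]

def principal_seen_for_uid(uid, kinit_order, tmpdir):
    """Replay kinits under one uid; return the single principal left in that uid's cache."""
    path = os.path.join(tmpdir, ccache_name(uid))
    for princ in kinit_order:
        with open(path, "wb") as f:                            # kinit re-initialises the cache
            f.write(build_ccache(princ))
    with open(path, "rb") as f:
        return default_principal(f.read())

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        print(principal_seen_for_uid(1001, ["alice@EXAMPLE.ORG", "bob@EXAMPLE.ORG"], d))
```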
