From darrenr@chiron.nabaus.com.au Tue May 21 04:27:54 2002
Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76])
	by rt-11.mit.edu (8.9.3/8.9.3) with ESMTP id EAA23768
	for ; Tue, 21 May 2002 04:27:54 -0400 (EDT)
Received: from orange.national.com.au (orange.national.com.au [203.57.240.81])
	by fort-point-station.mit.edu (8.9.2/8.9.2) with ESMTP id EAA13914
	for ; Tue, 21 May 2002 04:27:52 -0400 (EDT)
Received: by orange.national.com.au (Postfix, from userid 5)
	id DDE8B144848; Tue, 21 May 2002 18:27:50 +1000 (EST)
Received: from orange(203.57.240.81) by orange.national.com.au via csmap (V4.1)
	id srcAAAxfaO6d; Tue, 21 May 02 18:27:50 +1000
Received: from chiron.rais.nabaus.com.au (unknown [164.53.57.131])
	by orange.national.com.au (Postfix) with ESMTP id ACCA8144847;
	Tue, 21 May 2002 18:27:49 +1000 (EST)
Received: (from darrenr@localhost)
	by chiron.rais.nabaus.com.au (8.8.8+Sun/8.8.8) id SAA12282;
	Tue, 21 May 2002 18:27:47 +1000 (EST)
Message-Id: <200205210827.SAA12282@chiron.rais.nabaus.com.au>
Date: Tue, 21 May 2002 18:27:47 +1000 (EST)
From: darrenr@chiron.nabaus.com.au
Reply-To: darrenr@chiron.nabaus.com.au
To: krb5-bugs@mit.edu
Cc: darrenr@chiron.nabaus.com.au
Subject: login(8) sets KRB5CCNAME different to klist(1)
X-Send-Pr-Version: 3.99

>Number:         1110
>Category:       krb5-appl
>Synopsis:       login(8) sets KRB5CCNAME different to klist(1)
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    krb5-unassigned
>State:          closed
>Class:          sw-bug
>Submitter-Id:   unknown
>Arrival-Date:   Tue May 21 04:28:01 EDT 2002
>Last-Modified:  Tue May 21 09:16:27 EDT 2002
>Originator:     Darren Reed
>Organization:   Optimation
>Release:        krb5-1.2.5
>Environment:
System: SunOS chiron 5.5.1 Generic_103640-34 sun4u sparc SUNW,Ultra-2
Architecture: sun4

>Description:
When logging in, login.krb5 sets $KRB5CCNAME to /tmp/krb5cc_p whereas
klist uses /tmp/krb5cc_.
So if we are logged in to a host and then telnet back to itself and
login as ourself, klist will not display any tickets.

>How-To-Repeat:
	L1$ unset KRB5CCNAME
	L1$ kinit
	L1$ klist
	L1$ telnet -x localhost
	L2$ klist

>Fix:
login.krb5 should be more intelligent about its choice for $KRB5CCNAME.
If it can see a krb5cc_ that is owned by the right UID and has adequate
permissions, perhaps it should set $KRB5CCNAME to that instead.

>Audit-Trail:

State-Changed-From-To: open-closed
State-Changed-By: hartmans
State-Changed-When: Tue May 21 09:15:13 2002
State-Changed-Why:
We do not consider this a bug. We in general consider it desirable to
get a single credentials cache per session, rather than per user.
We'd probably also consider it OK if login.krb5 left KRB5CCNAME alone
if it obtained no tickets, but the current behavior is also acceptable.

If you want tickets in a session, forward them.

>Unformatted:
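
The Fix field above proposes adopting an existing cache only if it is "owned by the right UID and has adequate permissions". The following is an added example of what such a check involves for a file in a world-writable /tmp; it is not code from krb5 or from this report, and the helper name ccache_file_ok is hypothetical. The report was closed without adopting this approach.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* lstat, O_NOFOLLOW */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper, not part of krb5: returns 1 if `path` is a cache
 * file that could be adopted for `uid`, 0 otherwise. */
int ccache_file_ok(const char *path, uid_t uid)
{
    struct stat lst, fst;
    int fd, ok;

    /* Never follow a symlink planted in a world-writable /tmp. */
    if (lstat(path, &lst) != 0 || !S_ISREG(lst.st_mode))
        return 0;
    fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0)
        return 0;
    /* Re-check on the open descriptor so the file cannot be swapped
     * between the lstat() and the open(). */
    ok = fstat(fd, &fst) == 0
        && fst.st_dev == lst.st_dev && fst.st_ino == lst.st_ino
        && fst.st_uid == uid                        /* right owner */
        && (fst.st_mode & (S_IRWXG | S_IRWXO)) == 0 /* owner-only access */
        && fst.st_nlink == 1;                       /* no extra hard links */
    close(fd);
    return ok;
}

int main(int argc, char **argv)
{
    /* Path from argv[1], else from $KRB5CCNAME (optional "FILE:" prefix). */
    const char *p = argc > 1 ? argv[1] : getenv("KRB5CCNAME");

    if (p == NULL) {
        fprintf(stderr, "usage: %s ccache-path\n", argv[0]);
        return 2;
    }
    if (strncmp(p, "FILE:", 5) == 0)
        p += 5;
    printf("%s: %s\n", p, ccache_file_ok(p, getuid()) ? "ok" : "rejected");
    return 0;
}
```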