From ccsanady@friley216.res.iastate.edu  Thu Nov 14 05:02:24 1996
Received: from friley216.res.iastate.edu (friley216.res.iastate.edu [129.186.78.216])
          by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id FAA07586
          for <FreeBSD-gnats-submit@freebsd.org>; Thu, 14 Nov 1996 05:02:24 -0800 (PST)
Received: (from ccsanady@localhost) by friley216.res.iastate.edu (8.7.6/8.7.3) id HAA02135; Thu, 14 Nov 1996 07:02:22 -0600 (CST)
Message-Id: <199611141302.HAA02135@friley216.res.iastate.edu>
Date: Thu, 14 Nov 1996 07:02:22 -0600 (CST)
From: Chris Csanady <ccsanady@friley216.res.iastate.edu>
Reply-To: ccsanady@friley216.res.iastate.edu
To: FreeBSD-gnats-submit@freebsd.org
Subject: kerberos tickets from login all have the same name
X-Send-Pr-Version: 3.2

>Number:         2008
>Category:       bin
>Synopsis:       kerberos tickets from login all have the same name
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Nov 14 05:10:01 PST 1996
>Closed-Date:    Sun Apr 26 10:03:38 PDT 1998
>Last-Modified:  Sun Apr 26 10:03:51 PDT 1998
>Originator:     Chris Csanady
>Release:        FreeBSD 3.0-CURRENT i386
>Organization:
>Environment:

	

>Description:

	

By default, login stores your kerberos tickets in /tmp/tkt_uid.  If you are
logged on to the same machine multiple times, it will use the same ticket.  It
is generally good practice to put a kdestroy in your .logout (or the default.)
If you do this, logging out of any of your sessions will mean you have no
tickets in the others.
	

>How-To-Repeat:

	

>Fix:
	
	

*** klogin.c    Thu Nov 14 06:45:32 1996
--- klogin.c.new        Thu Nov 14 06:50:08 1996
***************
*** 54,59 ****
--- 54,60 ----
  
  extern int notickets;
  extern char *krbtkfile_env;
+ extern char *tty;
  
  /*
   * Attempt to log the user in using Kerberos authentication
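
Review bot: the new `extern char *tty;` declaration brings in a global whose contents are not documented anywhere in this file: nothing visible says whether it holds a bare terminal name or a full device path, or whether it is guaranteed to be non-NULL by the time the Kerberos login code runs. Since the next hunk formats it straight into a file name, add a comment saying where it is set and what form it takes, or pass the terminal name in as an argument so the dependency is explicit.
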
***************
*** 102,112 ****
         */
  
        if (strcmp(instance, "root") != 0)
!               (void)sprintf(tkt_location, "%s%d", TKT_ROOT, pw->pw_uid);
!       else {
!               (void)sprintf(tkt_location, "%s_root_%d", TKT_ROOT, pw->pw_uid);
!               krbtkfile_env = tkt_location;
!       }
        (void)krb_set_tkt_string(tkt_location);
  
        /*
--- 103,114 ----
         */
  
        if (strcmp(instance, "root") != 0)
!               (void)sprintf(tkt_location, "%s_%d.%s",
!                       TKT_ROOT, pw->pw_uid, tty);
!       else
!               (void)sprintf(tkt_location, "%s_root_%d.%s",
!                       TKT_ROOT, pw->pw_uid, tty);
!       krbtkfile_env = tkt_location;
        (void)krb_set_tkt_string(tkt_location);
  
        /*
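
Review bot: both new `sprintf` calls append `tty` to `tkt_location` with no length limit, so the write now depends on a string whose size this code does not control. Use `snprintf` bounded by the size of `tkt_location` (its declaration is outside the hunk, so the right bound has to be taken from there) and treat truncation as a failure. If `tty` can contain a `/`, the formatted name no longer refers to a single file directly under `TKT_ROOT`, so reduce it to its last path component before formatting. Two behaviour changes should also be called out in the report text: the non-root name gains an underscore (`"%s%d"` becomes `"%s_%d.%s"`), and `krbtkfile_env` is now assigned for every instance rather than only for root.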

>Release-Note:
>Audit-Trail:

From: Garrett Wollman <wollman@lcs.mit.edu>
To: ccsanady@friley216.res.iastate.edu
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: bin/2008: kerberos tickets from login all have the same name
Date: Thu, 14 Nov 1996 10:49:19 -0500

 <<On Thu, 14 Nov 1996 07:02:22 -0600 (CST), Chris Csanady <ccsanady@friley216.res.iastate.edu> said:
 
 > By default, login stores your kerberos tickets in /tmp/tkt_uid.  If you are
 > logged on to the same machine multiple times, it will use the same ticket.  It
 > is generally good practice to put a kdestroy in your .logout (or the default.)
 
 Not everybody uses csh.  Some people use real shells.
 
 > If you do this, logging out of any of your sessions will mean you have no
 > tickets in the others.
 	
 This is a feature, not a bug.  I have a machine sitting on a table
 next to my desk upon which I occasionally need authentication.  I can
 securely log in on its console to get a TGT and then use my xterm
 window to perform the real work.
 
 More significantly, the Kerberized NFS client depends on being able to
 find a unique ticket file for each UID logged in.  Your proposed
 reversion (back to the way MIT Kerberos v4 worked) breaks this.  (The
 MIT way of doing authenticated NFS used a separate program called
 `fsauth' which would contact an RPC service on the NFS server and
 exchange authentication that way, which would then allow any requests
 from that client for that particular UID until the expiration date of
 the ticket.)
 
 -GAWollman
 
 --
 Garrett A. Wollman   | O Siem / We are all family / O Siem / We're all the same
 wollman@lcs.mit.edu  | O Siem / The fires of freedom 
 Opinions not those of| Dance in the burning flame
 MIT, LCS, ANA, or NSA|                     - Susan Aglukark and Chad Irschick
State-Changed-From-To: open->closed 
State-Changed-By: phk 
State-Changed-When: Sun Apr 26 10:03:38 PDT 1998 
State-Changed-Why:  
timed out 
>Unformatted:
