When KCM is running, it is easy for users to switch between different Kerberos principals using kswitch or built-in support in applications, like OpenSSH's GSSAPIClientIdentity.
Other advantages are that the long-term credentials are not written to disk, and on reboot the credentials are removed when the kcm process stops running.
Configure the system startup script to start the kcm process, /usr/heimdal/libexec/kcm, and then configure the system to use kcm in krb5.conf.
    [libdefaults]
        default_cc_type = KCM
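One way to check that setting before relying on KCM (an added example, not part of the Heimdal documentation; the function names and sample files are hypothetical, and it assumes the plain key = value form shown above and compares the value exactly as written on this page):

```shell
#!/bin/sh
# Added example: report default_cc_type from the [libdefaults] section of a krb5.conf.

# Print every default_cc_type value found inside [libdefaults].
# Settings in other sections and commented-out lines are ignored.
krb5_default_cc_type() {
    awk '
        /^[ \t]*[#;]/ { next }                 # skip comment lines
        /^[ \t]*\[/ {                          # section header such as [libdefaults]
            sec = $0
            sub(/^[ \t]*\[/, "", sec)
            sub(/\].*$/, "", sec)
            in_lib = (sec == "libdefaults")
            next
        }
        in_lib && /^[ \t]*default_cc_type[ \t]*=/ {
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val)      # drop the key and the equals sign
            sub(/[ \t]+$/, "", val)            # drop trailing whitespace
            print val
        }
    ' "$1"
}

# Return 0 only if default_cc_type is set and every occurrence is KCM.
# Assumption: the value is compared exactly as spelled on this page.
check_kcm_default() {
    types=$(krb5_default_cc_type "$1")
    [ -n "$types" ] || { echo "default_cc_type not set in [libdefaults]"; return 2; }
    for t in $types; do
        [ "$t" = "KCM" ] || { echo "default_cc_type is $t, not KCM"; return 1; }
    done
    echo "default_cc_type = KCM"
}

# Constructed sample files (not from the page) to exercise the check.
write_samples() {
    printf '[libdefaults]\n\tdefault_realm = KTH.SE\n\tdefault_cc_type = KCM\n' \
        > "$1/kcm.conf"
    printf '# default_cc_type = KCM\n[realms]\n\tdefault_cc_type = KCM\n[libdefaults]\n\tdefault_cc_type = FILE\n' \
        > "$1/file.conf"
}

# Stand-alone use: sh check_kcm.sh /etc/krb5.conf
if [ "$#" -gt 0 ]; then check_kcm_default "$1"; fi
```

The second sample shows the case worth catching: KCM appears in a comment and in the wrong section, but the setting in [libdefaults] is FILE.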
Now when you run kinit it doesn't overwrite your existing credentials but rather just adds them to the set of credentials. klist -l lists the credentials, and the star marks the default credential.
    $ kinit lha@KTH.SE
    lha@KTH.SE's Password:
    $ klist -l
      Name         Cache name               Expires
    lha@KTH.SE   0                        Nov 22 23:09:40   *
    lha@SU.SE    Initial default ccache   Nov 22 14:14:24
When switching between credentials you can use kswitch.
    $ kswitch -i
         Principal
    1    lha@KTH.SE
    2    lha@SU.SE
    Select number: 2
After switching, a new set of credentials is used as the default.
    $ klist -l
      Name         Cache name               Expires
    lha@SU.SE    Initial default ccache   Nov 22 14:14:24   *
    lha@KTH.SE   0                        Nov 22 23:09:40
Some applications, like OpenSSH with Simon Wilkinson's patch applied, support specifying which credential to use. The example below will log in to the host computer.kth.se using lha@KTH.SE (not the current default credential).
    $ ssh \
        -o GSSAPIAuthentication=yes \
        -o GSSAPIKeyExchange=yes \
        -o GSSAPIClientIdentity=lha@KTH.SE \
        computer.kth.se