

4.12 Credential cache server - KCM

When KCM is running, it is easy for users to switch between different Kerberos principals, either with kswitch or with built-in support in an application, like OpenSSH's GSSAPIClientIdentity option.

Other advantages are that the credentials are never written to disk (they are held in memory by the kcm process) and that they are removed when the kcm process stops running, for example on reboot.

Configure the system startup script to start the kcm process, /usr/heimdal/libexec/kcm, and then configure the system to use KCM in krb5.conf:

     [libdefaults]
     	default_cc_type = KCM

Now when you run kinit it does not overwrite your existing credentials but adds the new ones to the set of credentials. klist -l lists the credentials; the star marks the default credential.

     $ kinit lha@KTH.SE
     lha@KTH.SE's Password:
     $ klist -l
       Name         Cache name               Expires
     lha@KTH.SE   0                        Nov 22 23:09:40   *
     lha@SU.SE    Initial default ccache   Nov 22 14:14:24

To switch between credentials, use kswitch.

     $ kswitch -i
          Principal
     1    lha@KTH.SE
     2    lha@SU.SE
     Select number: 2

After switching, the other set of credentials is used as the default.

     $ klist -l
       Name         Cache name               Expires
     lha@SU.SE    Initial default ccache   Nov 22 14:14:24   *
     lha@KTH.SE   0                        Nov 22 23:09:40

Some applications, like OpenSSH with Simon Wilkinson's GSSAPI patch applied, support specifying which credential to use. The example below logs in to the host computer.kth.se using lha@KTH.SE (not the current default credential).

     $ ssh \
        -o GSSAPIAuthentication=yes \
        -o GSSAPIKeyExchange=yes \
        -o GSSAPIClientIdentity=lha@KTH.SE \
        computer.kth.se
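The following shell helpers are an added example, not code from the Heimdal manual or the Heimdal project. They check that krb5.conf actually selects KCM, find the default credential in klist -l output (the line marked with a star), and refuse to build the ssh command above for a principal that has no credential in KCM, since ssh would otherwise fail with a GSSAPI error. The klist -l output and the krb5.conf fragment embedded below are constructed samples matching the format shown in this section; in real use, capture the output with klist -l.

```shell
#!/bin/sh
# Added example, not part of the Heimdal manual: helper functions to check
# that KCM is configured and to pick a credential from `klist -l` before
# calling ssh with GSSAPIClientIdentity.

# Constructed sample of `klist -l` output, in the format shown in the text.
# In real use, capture it with: KLIST_OUT=$(klist -l)
SAMPLE_KLIST='  Name         Cache name               Expires
lha@KTH.SE   0                        Nov 22 23:09:40   *
lha@SU.SE    Initial default ccache   Nov 22 14:14:24'

# Constructed sample krb5.conf with the setting from the text.
SAMPLE_KRB5_CONF='[libdefaults]
    default_cc_type = KCM
    default_realm = KTH.SE'

# kcm_configured CONF_TEXT
# Succeeds if the [libdefaults] section sets default_cc_type = KCM
# (case-insensitive on the value, tolerant of spaces around "=").
kcm_configured() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*\[/ { in_ld = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
        in_ld && /^[ \t]*default_cc_type[ \t]*=/ {
            sub(/^[ \t]*default_cc_type[ \t]*=[ \t]*/, "")
            sub(/[ \t]+$/, "")
            if (toupper($0) == "KCM") found = 1
        }
        END { exit(found ? 0 : 1) }'
}

# default_principal KLIST_TEXT
# Prints the principal of the cache marked with "*" in `klist -l` output;
# fails if no cache is marked as the default.
default_principal() {
    printf '%s\n' "$1" | awk 'NR > 1 && $NF == "*" { print $1; found = 1 }
                               END { exit(found ? 0 : 1) }'
}

# has_principal KLIST_TEXT PRINCIPAL
# Succeeds if PRINCIPAL has a credential cache in KCM.
has_principal() {
    printf '%s\n' "$1" | awk -v p="$2" 'NR > 1 && $1 == p { found = 1 }
                                        END { exit(found ? 0 : 1) }'
}

# ssh_gss_cmd KLIST_TEXT PRINCIPAL HOST
# Prints the ssh command that authenticates as PRINCIPAL regardless of
# which cache is currently the default, but only after checking that a
# credential for PRINCIPAL exists in KCM; otherwise tell the user to
# kinit first instead of letting ssh fail with a GSSAPI error.
ssh_gss_cmd() {
    klist_text=$1; principal=$2; host=$3
    if ! has_principal "$klist_text" "$principal"; then
        echo "no KCM credential for $principal; run: kinit $principal" >&2
        return 1
    fi
    printf 'ssh -o GSSAPIAuthentication=yes -o GSSAPIKeyExchange=yes -o GSSAPIClientIdentity=%s %s\n' \
        "$principal" "$host"
}

# Demonstration on the constructed samples.
if kcm_configured "$SAMPLE_KRB5_CONF"; then
    echo "krb5.conf: default_cc_type is KCM"
fi
echo "default credential: $(default_principal "$SAMPLE_KLIST")"
ssh_gss_cmd "$SAMPLE_KLIST" lha@KTH.SE computer.kth.se
```

The ssh command is printed rather than executed so the check can be reviewed first; replace the final printf with an exec of the same arguments once the helper behaves as expected on your own klist -l output.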