Ken Hornstein writes:

>> telnetd should include both the UID and the PID in the cache name.
>> This works much more smoothly with rpc.gssd and is what I do in
>> pam-krb5.

>
> In a perfect world, we'd chuck the whole horrid scheme and create some
> utility to send the Kerberos credentials to rpc.gssd or its equivalent.
> Sigh.

I think AFS uses the correct model. Credentials are really an attribute
of the user and for the best security should be tracked by the kernel like
any other security attribute of the user (UID, GID, supplemental groups,
capabilities, etc.). But that gets into really nasty cross-platform
issues, not to mention annoying kernel licensing issues.

--
Russ Allbery (rra@stanford.edu)