Hello Olaf, thanks for your quick response. On Fri, 6 Dec 2002 Olaf Kirch assaulted the keyboard and produced:

On Fri, Dec 06, 2002 at 07:21:42PM +0100, Helge Bahmann wrote:

...

- tickets are obtained and validated from kdc - credentials cache file /tmp/krb5cc_0 (!) is created and KRB5CCNAME set accordingly for the session

You should check the README that comes with our pam_krb5 RPM. It describes how to use separate cc files for all sessions.

you are referring to the ccache parameter? yes I know, I'm using it; but since the cc file names are still quite easily guessable, the possibility of the root compromise remains (unless there is some misconfiguration on my part, which I'm still not sure about -- the behvior is just too strange). Will try to produce some more information. Best regards -- Helge Bahmann <bahmann@math.tu-freiberg.de> /| \__ The past: Smart users in front of dumb terminals /_|____\ _/\ | __) $ ./configure \\ \|__/__| checking whether build environment is sane... yes \\/___/ | checking for AIX... no (we already did this) |