2. A client may not have access to the session keys in its ccache, e.g. if it’s using gssproxy.

Oops, sorry -- that’s a little off the mark. In that case of course session-key 
logging won’t help the client directly, since it doesn’t perform those 
operations or call libkrb5 itself at all; the gssproxy daemon does. In that 
case we’d apply KRB5KEYLOGFILE to the daemon. But there is a second reason 
nonetheless: it’s easier for debugging. A long-lived client process under 
observation could have its ccache flushed by ticket renewal or similar 
management, losing the needed session keys (and a mechanism like gssproxy could 
in fact have several ccaches it manages) -- whereas setting KRB5KEYLOGFILE 
would reliably capture them all without extra work.

--
  Richard
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos