[krbdev.mit.edu #6206] new API for storing extra per-principal data in ccache

Jeffrey Altman via RT rt-comment at krbdev.mit.edu
Tue Oct 21 12:07:21 EDT 2008


Over the years there have been many organizations that have stored items
in the credential cache as a service principal with a non-Kerberos
ticket as the data blob.  This has been frowned upon and I believe for
good reason.

If we want to make the credential cache an arbitrary storage mechanism
then we should store typed blobs and permit the registration of blob
types.

Examples of items that organizations have wanted to store in the
credential cache server include:

 * X.509 certificates and private keys
 * SSH public and private keys
 * PGP public and private keys
 * configuration data

I think permitting the credential cache to be used in this manner is a
good thing.  I simply believe that doing so by constructing arbitrary
service names is not.

Tools that list / manipulate the content of the credential cache will
not understand the non-Kerberos v5 ticket blobs.

The credential cache already has support for typed objects because it
must distinguish between v4 and v5 objects.  I believe opening the
registration process to permit third parties to register new types is a
preferable way to go.
