override default credentials cache file location

Zaar Hai haizaar at gmail.com
Thu Oct 14 19:04:57 EDT 2010


On 14 Oct 2010, at 21:13, Greg Hudson <ghudson at MIT.EDU> wrote:

> On Thu, 2010-10-14 at 06:26 -0400, Zaar Hai wrote:
> > I've thought of making default cache location to be
> > /var/cars/krb5ccache which will be mounted to RAM, making above
> > scenario much harder to execute.
>
> Unfortunately, this appears to be hardcoded:
>
>    snprintf(name_buf, name_size, "FILE:/tmp/krb5cc_%ld", (long) getuid());
>
> As Chris Ward points out, $KRB5CCNAME determines the default ccache
> location on a per-process basis.  If you're using pam_krb5, it will
> typically set KRB5CCNAME for the login system, and you should be able to
> instruct it to put the ccache somewhere other than /tmp; consult the
> pam_krb5 man page on your system for details.

Thank you guys for the hint.

I guess for now my only option is to fix KRB5CCNAME for each kerberised
service I've got, which includes ssh, apache, pam, and various other
services that use k5start helper. Too bad it's hard-coded. It would be best
to have it configurable in libdefaults of krb5.conf.

1. Where can I submit a feature request for this?

2. MEMORY ccache type will not be good for pam_krb5, but only for things
like LDAP server that do not spawn subprocesses / shells, correct?

Thanks again,
                     Zaar.
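
Added illustration, not part of the original message or of MIT krb5: a POSIX shell wrapper that applies the per-process KRB5CCNAME override discussed in this thread, placing the cache in a private per-user directory under a RAM-backed base instead of FILE:/tmp/krb5cc_<uid>. The function names and the REQUIRE_RAM_FS switch are assumptions of this example, and the filesystem check relies on GNU stat on Linux.

```shell
#!/bin/sh
# Added example: override the default ccache location per process.
# Usage (sourced): run_with_ccache /dev/shm kinit

# Print the ccache name for a directory and uid.
ccache_name() {
    printf 'FILE:%s/krb5cc_%s\n' "$1" "$2"
}

# Succeed only if the path lives on tmpfs or ramfs (GNU stat, Linux).
is_ram_backed() {
    case "$(stat -f -c %T "$1" 2>/dev/null)" in
        tmpfs|ramfs) return 0 ;;
        *) return 1 ;;
    esac
}

# Create a mode-0700 per-user directory under the base and print the
# ccache name to use; fail rather than fall back to an unsafe location.
prepare_ccache() {
    base=$1
    uid=$(id -u)
    dir="$base/$uid"
    [ -d "$base" ] || { echo "base $base missing" >&2; return 1; }
    # REQUIRE_RAM_FS is a switch assumed for this example (default: enforce).
    if [ "${REQUIRE_RAM_FS:-1}" = 1 ] && ! is_ram_backed "$base"; then
        echo "$base is not tmpfs/ramfs" >&2; return 1
    fi
    # Refuse a symlink planted by another user in a shared base directory.
    [ -L "$dir" ] && { echo "$dir is a symlink" >&2; return 1; }
    mkdir -p -m 700 "$dir" && chmod 700 "$dir" || return 1
    # The directory must belong to us, not to whoever created it first.
    [ -O "$dir" ] || { echo "$dir not owned by current user" >&2; return 1; }
    ccache_name "$dir" "$uid"
}

# Run a command with KRB5CCNAME set only for that command.
run_with_ccache() {
    base=$1; shift
    name=$(prepare_ccache "$base") || return 1
    KRB5CCNAME=$name "$@"
}
```
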


