Plugins for libkrb5 credential cache management functions
ghudson at MIT.EDU
Tue Nov 19 14:46:42 EST 2013
On 11/15/2013 12:12 PM, Adamson, Andy wrote:
> Solution 1: [inotify on FILE credentials]
> Solution 2: [integrate with KEYRING credentials]
> Solution 3: [nfslog/nfslogout interfaces invoked from PAM or other login system facility]
> Solution 4: AFAICS the most versatile solution is to add a plugin architecture to libkrb for call
> outs on functions that manipulate kerberos credentials.
I agree that solution 1 isn't great.
I have concerns about solution 4. Kerberos credential caches can be
used for several different purposes; they aren't only used to store
login credentials. For instance, a user could run a server process
which receives delegated credentials from a client, or could run kadmin
and get credentials for username/admin to administer the realm's KDB.
Notifying the kernel any time any credential cache is destroyed would
create a lot of false positives.
I would be happy to have a pluggable interface which allows for
implementations of new ccache types, but I don't think I would welcome a
hook-style interface which causes ccache operations to have arbitrary
side effects beyond changing the ccache.
I don't know enough about the Linux kernel to comment on whether
solution 2 is viable. Solution 3 is obviously viable in the sense that
we're used to it with AFS.
More information about the Kerberos