Plugins for libkrb5 credential cache management functions

Greg Hudson ghudson at MIT.EDU
Tue Nov 19 14:46:42 EST 2013

On 11/15/2013 12:12 PM, Adamson, Andy wrote:
> Solution 1: [inotify on FILE credentials]
> Solution 2: [integrate with KEYRING credentials]
> Solution 3: [nfslog/nfslogout interfaces invoked from PAM or other login system facility]
> Solution 4: AFAICS the most versatile solution is to add a plugin architecture to libkrb for call
> outs on functions that manipulate kerberos credentials.

I agree that solution 1 isn't great.

I have concerns about solution 4.  Kerberos credential caches can be
used for several different purposes; they aren't only used to store
login credentials.  For instance, a user could run a server process
which receives delegated credentials from a client, or could run kadmin
and get credentials for username/admin to administer the realm's KDB.
Notifying the kernel any time any credential cache is destroyed would
create a lot of false positives.

I would be happy to have a pluggable interface which allows for
implementations of new ccache types, but I don't think I would welcome a
hook-style interface which causes ccache operations to have arbitrary
side effects beyond changing the ccache.

I don't know enough about the Linux kernel to comment on whether
solution 2 is viable.  Solution 3 is obviously viable in the sense that
we're used to it with AFS.

More information about the Kerberos mailing list