Plugins for libkrb5 credential cache management functions

Adamson, Andy William.Adamson at
Tue Nov 19 16:14:36 EST 2013

On Nov 19, 2013, at 2:46 PM, Greg Hudson <ghudson at MIT.EDU>

> On 11/15/2013 12:12 PM, Adamson, Andy wrote:
>> Solution 1: [inotify on FILE credentials]
>> Solution 2: [integrate with KEYRING credentials]
>> Solution 3: [nfslog/nfslogout interfaces invoked from PAM or other login system facility]
>> Solution 4: AFAICS the most versatile solution is to add a plugin architecture to libkrb for call
>> outs on functions that manipulate kerberos credentials.
> I agree that solution 1 isn't great.
> I have concerns about solution 4.  Kerberos credential caches can be
> used for several different purposes; they aren't only used to store
> login credentials.  For instance, a user could run a server process
> which receives delegated credentials from a client, or could run kadmin
> and get credentials for username/admin to administer the realm's KDB.
> Notifying the kernel any time any credential cache is destroyed would
> create a lot of false positives.
> I would be happy to have a pluggable interface which allows for
> implementations of new ccache types, but I don't think I would welcome a
> hook-style interface which causes ccache operations to have arbitrary
> side effects beyond changing the ccache.

Yes - I see your point that allowing for arbitrary side effects is not a very secure architecture.

> I don't know enough about the Linux kernel to comment on whether
> solution 2 is viable.  Solution 3 is obviously viable in the sense that
> we're used to it with AFS.

Yes - I agree. I have a design and prototype code for the nfslogin/nfslogout facility which I will pursue.

Thanks for you response.


More information about the Kerberos mailing list