krb5 library missing functions for collections
Charles Hedrick
hedrick at rutgers.edu
Mon Jul 22 13:51:12 EDT 2019
On Jul 22, 2019, at 1:00 PM, Greg Hudson <ghudson at mit.edu> wrote:
> By my reading, KEYRING also doesn't generally include the uid in the name.
Again, I can only speak for what I see in Red Hat and Ubuntu. The default for KRB5CCNAME is KEYRING:persistent:UID. Something (I think a combination of the library and the kernel) prevents users from accessing anything that doesn’t start with KEYRING:persistent:UID with their own UID. Root can access them all.
KEYRING:persistent:UID is a collection. All actual caches are KEYRING:persistent:UID:stuff, so there’s no ambiguity.
There are other formats for KEYRING for per-process, etc., but as far as I know they’re not used and would be pretty hard to use except for inside a specific application.
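The naming rule described in the message above (KEYRING:persistent:UID names the collection, KEYRING:persistent:UID:name names one cache inside it, and a non-root user may only touch their own UID's collection) can be made concrete with a small parser and access model. This is an added example, not code from the thread or from the krb5 library; the access check only models the behaviour the message describes and does not consult the kernel, and the anchor names other than "persistent" (session, user, process, thread) are taken from the krb5 ccache documentation and are not discussed in the message.

```python
"""Parse krb5 KEYRING ccache names and model the per-UID access rule.

Added illustration, not part of the mailing-list thread or of the krb5
code base.  It encodes the naming described in the message:
  KEYRING:persistent:<uid>          -> the collection for that UID
  KEYRING:persistent:<uid>:<name>   -> one cache inside that collection
and the access rule that only that UID (or root) may use the collection.
"""
import os
from dataclasses import dataclass
from typing import Optional

# Anchors documented for KEYRING ccaches; only "persistent" carries a UID.
# (The non-persistent anchors are an assumption from the krb5 docs, not from
# the message, which only talks about the persistent form.)
KEYRING_ANCHORS = ("persistent", "session", "user", "process", "thread")


@dataclass(frozen=True)
class KeyringName:
    anchor: str
    uid: Optional[int]          # set only for the persistent anchor
    subsidiary: Optional[str]   # None means the name refers to the collection

    @property
    def is_collection(self) -> bool:
        """True for KEYRING:persistent:UID itself, False for a cache inside it."""
        return self.subsidiary is None


def parse_keyring_name(name: str) -> KeyringName:
    """Split a KEYRING: ccache name into anchor, UID and subsidiary cache name."""
    prefix = "KEYRING:"
    if not name.startswith(prefix):
        raise ValueError(f"not a KEYRING ccache name: {name!r}")
    rest = name[len(prefix):]
    if not rest:
        raise ValueError("empty KEYRING name")
    anchor, _, remainder = rest.partition(":")
    if anchor == "persistent":
        # Persistent keyrings are always qualified by a numeric UID.
        uid_str, _, sub = remainder.partition(":")
        if not uid_str.isdigit():
            raise ValueError(f"persistent keyring needs a numeric UID: {name!r}")
        return KeyringName("persistent", int(uid_str), sub or None)
    if anchor in KEYRING_ANCHORS:
        return KeyringName(anchor, None, remainder or None)
    raise ValueError(f"unknown KEYRING anchor {anchor!r} in {name!r}")


def can_access(name: str, caller_uid: int) -> bool:
    """Model of the rule in the message: a non-root caller may only use
    KEYRING:persistent:<own UID>[:...]; root (uid 0) may use any of them.

    Only the persistent anchor is modelled, because that is all the
    message describes."""
    kn = parse_keyring_name(name)
    if kn.anchor != "persistent":
        raise ValueError("access model covers persistent keyrings only")
    return caller_uid == 0 or caller_uid == kn.uid


def default_collection(uid: Optional[int] = None) -> str:
    """The default KRB5CCNAME the message reports on Red Hat and Ubuntu:
    KEYRING:persistent:<uid>.  Defaults to the calling process's UID."""
    if uid is None:
        uid = os.getuid()
    return f"KEYRING:persistent:{uid}"


if __name__ == "__main__":
    # Constructed sample names, not taken from a real host.
    for n in ("KEYRING:persistent:1000",
              "KEYRING:persistent:1000:krb_ccache_Ab12Cd",
              "KEYRING:session:mysession"):
        kn = parse_keyring_name(n)
        kind = "collection" if kn.is_collection else "cache"
        print(f"{n}: anchor={kn.anchor} uid={kn.uid} {kind}")
    print("uid 1000 may use own collection:",
          can_access("KEYRING:persistent:1000:krb_ccache_Ab12Cd", 1000))
    print("uid 1001 may use it:",
          can_access("KEYRING:persistent:1000:krb_ccache_Ab12Cd", 1001))
    print("root may use it:",
          can_access("KEYRING:persistent:1000:krb_ccache_Ab12Cd", 0))
```

The collection/cache distinction is what makes the "no ambiguity" point in the message hold: a name with no subsidiary part after the UID is the collection, and every real cache has one more colon-separated component.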