krb5_cc_gen_new
Jacques A. Vidrine
nectar at FreeBSD.org
Fri Mar 26 08:42:47 EST 2004
On Thu, Mar 25, 2004 at 07:15:46PM -0500, Sam Hartman wrote:
>
>
> I implemented the change I proposed earlier and went to go test it. I found the following implementation of krb5_cc_gen_new:
>
>
> krb5_error_code KRB5_CALLCONV
> krb5_cc_gen_new (krb5_context context, krb5_ccache *cache)
> {
> return (*cache)->ops->gen_new(context, cache);
> }
>
>
> It seems like gen_new should set up a new ccache. Certainly the fcc
> and mcc implementations do this.
>
>
> So to use this API correctly, I think I need to:
>
> * call krb5_cc_resolve with a bogus residual part to set up a ccache structure
> * save a copy of that ccache structure
> * call krb5_cc_gen_new overwriting the original ccache structure
> * call krb5_cc_close on my copy of the ccache structure
>
>
> That seems nonintuitive at the least and completely broken on top. O
> and since krb5_ccache is opaque, I actually can't even use the API
> without leaking memory.
>
> Perhaps we should rethink.
I've used this API in pam_krb5 in order to create a new credentials
cache. In such a case, we don't really care what the name of the
new cache is. Unfortunately, the API is not compatible between MIT
Kerberos and Heimdal.
Oops, I misremembered. Actually I avoided MIT Kerberos's
krb5_cc_gen_new because it uses mktemp(). Here are the example use
cases:
<<< compat_mit.c >>>
#include <errno.h>
#include <stdlib.h>
#include <time.h>
#include <unistd.h>
#include <krb5.h>

krb5_error_code
compat_new_memory_cache(krb5_context context, krb5_ccache *ccache)
{
    return krb5_cc_resolve(context, "MEMORY:", ccache);
}

/* MIT's krb5_fcc_gen_new uses mktemp, so we want to avoid it.
 */
extern krb5_cc_ops krb5_fcc_ops;

/* Non-zero once the random number generator has been seeded. */
static int seeded = 0;

krb5_error_code
compat_new_file_cache(krb5_context context, krb5_ccache *ccache)
{
    char fname[] = "/tmp/krb5cc_XXXXXXXX";
    int fd;

    if (!seeded++) {
#ifdef HAVE_SRANDOMDEV
        srandomdev();
#elif HAVE_RANDOM
        srandom((unsigned long)time(NULL));
#else
        srand((unsigned)time(NULL));
#endif
    }
    /* mkstemp creates the file atomically, unlike mktemp. */
    fd = mkstemp(fname);
    if (fd < 0)
        return errno;
    close(fd);
    return krb5_cc_resolve(context, fname, ccache);
}
<<< compat_mit.c >>>
<<< compat_heimdal.c >>>
#include <krb5.h>

krb5_error_code
compat_new_memory_cache(krb5_context context, krb5_ccache *ccache)
{
    return krb5_cc_gen_new(context, &krb5_mcc_ops, ccache);
}

/* Heimdal's krb5_cc_gen_new always uses mkstemp, providing its own
 * implementation if the target system doesn't have one.
 */
krb5_error_code
compat_new_file_cache(krb5_context context, krb5_ccache *ccache)
{
    return krb5_cc_gen_new(context, &krb5_fcc_ops, ccache);
}
<<< compat_heimdal.c >>>
You can see from here that Heimdal's krb5_cc_gen_new, at least, is
used *in place of* krb5_cc_resolve.
Cheers,
--
Jacques Vidrine / nectar at celabo.org / jvidrine at verio.net / nectar at freebsd.org
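As an added example (not code from this thread or from either Kerberos implementation), here is the file-creation half of compat_new_file_cache done with mkstemp rather than mktemp, plus the ownership and permission checks a PAM module would want before handing the name to krb5_cc_resolve; the function names are my own.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a private (0600) regular file to hold a FILE: credential cache.
 * 'tmpl' is a writable mkstemp(3) template ending in XXXXXX; on success it
 * holds the chosen name and the open descriptor is returned, otherwise -1
 * with errno set.  Unlike mktemp(3) there is no window between picking the
 * name and creating the file for someone else to plant a file or symlink. */
int
create_private_cache_file(char *tmpl)
{
    struct stat st;
    int fd, saved;

    fd = mkstemp(tmpl);
    if (fd < 0)
        return -1;
    /* Older mkstemp implementations honoured umask instead of forcing
     * 0600, so make the mode explicit before any ticket is written. */
    if (fchmod(fd, S_IRUSR | S_IWUSR) != 0 || fstat(fd, &st) != 0) {
        saved = errno;
        goto fail;
    }
    if (!S_ISREG(st.st_mode) || st.st_nlink != 1 || st.st_uid != geteuid() ||
        (st.st_mode & (S_IRWXG | S_IRWXO)) != 0) {
        saved = EPERM;          /* not the private file we asked for */
        goto fail;
    }
    return fd;
fail:
    close(fd);
    unlink(tmpl);
    errno = saved;
    return -1;
}

/* Report whether an existing cache file is still private: a regular file
 * with a single link, owned by the caller, not group/world accessible.
 * Uses lstat so a symlink dropped in its place is rejected.  1 = private. */
int
cache_file_is_private(const char *path)
{
    struct stat st;

    if (lstat(path, &st) != 0)
        return 0;
    return S_ISREG(st.st_mode) && st.st_nlink == 1 &&
           st.st_uid == geteuid() &&
           (st.st_mode & (S_IRWXG | S_IRWXO)) == 0;
}
```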