ccache using linux keyring

Kevin Coffman kwc at
Wed Apr 13 12:40:50 EDT 2005

I have a preliminary ccache implementation for Linux using the new 
kernel keyring support as the storage medium.  (See 
Documentation/keys.txt in the patches at
lls/keys/ for documentation on the keyring support.)

Before I get too far with it, I'm looking for comments/suggestions on 
what I currently have implemented and my proposed change.

The current implementation uses a new keyring created in the 
session-specific keyring (KEY_SPEC_SESSION_KEYRING) to represent a 
user's credentials cache file.  The principal information and each 
ticket are stored in this keyring as an individual key.  The name of 
the keyring matches the 'residual' name as passed to the resolve 
function and found in KRB5CCNAME.  The principal information is kept in 
a key named 'krb5_princ' and each ticket is kept in a sequentially 
numbered key 'krb5tkt_000000', etc.  (These individual key names are 
just for reference, their key_serial is what is really kept track of.)

This still leaves our gssd with no way to easily and deterministically 
find the right credentials cache (keyring) to use for a given request.

I propose to add a new well-known key named "krb5_cc_active" to the 
session-specific keyring which will hold the key serial number of the 
'active' credentials cache (keyring).  This will allow a user to change 
KRB5CCNAME settings and create several ccaches as needed.  A utility 
pgm will be required to change the 'active' key to point to the desired 
active credentials cache.


More information about the krbdev mailing list