ccache using linux keyring
Kevin Coffman
kwc at citi.umich.edu
Wed Apr 13 12:40:50 EDT 2005
I have a preliminary ccache implementation for Linux using the new
kernel keyring support as the storage medium. (See
Documentation/keys.txt in the patches at
http://people.redhat.com/~dhowells/keys/ for documentation on the
keyring support.)

Before I get too far with it, I'm looking for comments/suggestions on
what I currently have implemented and my proposed change.

The current implementation uses a new keyring created in the
session-specific keyring (KEY_SPEC_SESSION_KEYRING) to represent a
user's credentials cache file. The principal information and each
ticket are stored in this keyring as an individual key. The name of
the keyring matches the 'residual' name as passed to the resolve
function and found in KRB5CCNAME. The principal information is kept in
a key named 'krb5_princ' and each ticket is kept in a sequentially
numbered key 'krb5tkt_000000', etc. (These individual key names are
just for reference; their key_serial is what is really kept track of.)

This still leaves our gssd with no way to easily and deterministically
find the right credentials cache (keyring) to use for a given request.
I propose to add a new well-known key named "krb5_cc_active" to the
session-specific keyring which will hold the key serial number of the
'active' credentials cache (keyring). This will allow a user to change
KRB5CCNAME settings and create several ccaches as needed. A utility
pgm will be required to change the 'active' key to point to the desired
active credentials cache.

Comments?
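An added example, written for this archive page and not Kevin's implementation, showing the layout the post describes using the raw add_key(2)/keyctl(2) syscalls: a keyring named after the KRB5CCNAME residual is created inside the session keyring, the principal goes in a 'krb5_princ' key and tickets in sequentially numbered 'krb5tkt_NNNNNN' keys, and a 'krb5_cc_active' key in the session keyring holds the serial of the active ccache keyring, which is what a daemon such as gssd would look up. Everything not in the post is an assumption: the residual name "krb5cc_demo", the constructed principal and ticket payloads, the use of the "user" key type for the blobs, and the encoding of the krb5_cc_active payload as the serial in decimal text (the post does not fix a format). The keyring constants are copied from linux/keyctl.h so the file builds without it; the syscalls need kernel keyring support and are denied by the default seccomp profile of many container runtimes, in which case main reports the errno and exits.

```c
/* Added example (not the ccache implementation from the post).
 * Assumed: "user" key type for payloads, krb5_cc_active payload is the
 * keyring serial as decimal text, residual name and blobs are constructed. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Values from <linux/keyctl.h>, copied so this builds without that header. */
#define KEY_SPEC_SESSION_KEYRING (-3)
#define KEYCTL_SEARCH 10
#define KEYCTL_READ   11

typedef int32_t key_serial_t;

static key_serial_t sys_add_key(const char *type, const char *desc,
                                const void *payload, size_t plen,
                                key_serial_t ring)
{
    /* add_key(2) updates an existing key with the same type/description
     * in that keyring, which is what switching krb5_cc_active relies on. */
    return (key_serial_t)syscall(SYS_add_key, type, desc, payload, plen, (long)ring);
}

/* Build the sequential ticket key name: "krb5tkt_000000", "krb5tkt_000001", ... */
int ticket_key_name(unsigned idx, char *buf, size_t buflen)
{
    int n = snprintf(buf, buflen, "krb5tkt_%06u", idx);
    return (n > 0 && (size_t)n < buflen) ? 0 : -1;
}

/* Decode a krb5_cc_active payload (assumed decimal text) into a key serial.
 * Rejects empty, non-numeric, trailing-garbage and non-positive values. */
int parse_active_serial(const char *payload, size_t len, key_serial_t *out)
{
    char tmp[32];
    char *end;
    long v;
    if (len == 0 || len >= sizeof tmp) return -1;
    memcpy(tmp, payload, len);
    tmp[len] = '\0';
    errno = 0;
    v = strtol(tmp, &end, 10);
    if (errno || end == tmp || *end != '\0' || v <= 0 || v > INT32_MAX) return -1;
    *out = (key_serial_t)v;
    return 0;
}

/* Create the ccache keyring (named after the residual) in the session
 * keyring and populate it with the principal and ticket keys. */
static key_serial_t create_ccache(const char *residual, const char *princ,
                                  const char *const *tkts, unsigned ntkts)
{
    key_serial_t ring = sys_add_key("keyring", residual, NULL, 0,
                                    KEY_SPEC_SESSION_KEYRING);
    if (ring < 0) return -1;
    if (sys_add_key("user", "krb5_princ", princ, strlen(princ), ring) < 0)
        return -1;
    for (unsigned i = 0; i < ntkts; i++) {
        char name[32];
        if (ticket_key_name(i, name, sizeof name) < 0) return -1;
        if (sys_add_key("user", name, tkts[i], strlen(tkts[i]), ring) < 0)
            return -1;
    }
    return ring;
}

/* Point the well-known krb5_cc_active key at the given ccache keyring. */
static int set_active_ccache(key_serial_t ring)
{
    char payload[16];
    int n = snprintf(payload, sizeof payload, "%d", ring);
    return sys_add_key("user", "krb5_cc_active", payload, (size_t)n,
                       KEY_SPEC_SESSION_KEYRING) < 0 ? -1 : 0;
}

/* The lookup a daemon like gssd would perform: find krb5_cc_active in the
 * session keyring, read its payload, and return the active keyring serial. */
static key_serial_t find_active_ccache(void)
{
    char buf[32];
    key_serial_t ring;
    long key = syscall(SYS_keyctl, KEYCTL_SEARCH, (long)KEY_SPEC_SESSION_KEYRING,
                       "user", "krb5_cc_active", 0L);
    if (key < 0) return -1;
    long len = syscall(SYS_keyctl, KEYCTL_READ, key, buf, sizeof buf);
    if (len < 0 || (size_t)len > sizeof buf) return -1;
    return parse_active_serial(buf, (size_t)len, &ring) == 0 ? ring : -1;
}

int main(void)
{
    /* Constructed sample payloads; not real Kerberos credentials. */
    const char *tickets[] = { "tgt-blob-placeholder", "svc-blob-placeholder" };
    key_serial_t ring = create_ccache("krb5cc_demo", "user@EXAMPLE.COM", tickets, 2);
    if (ring < 0 || set_active_ccache(ring) < 0) {
        perror("keyring setup (add_key is denied in many container sandboxes)");
        return 1;
    }
    key_serial_t active = find_active_ccache();
    if (active < 0) { perror("krb5_cc_active lookup"); return 1; }
    /* Resolve the principal inside the active keyring, as a resolver would. */
    long princ = syscall(SYS_keyctl, KEYCTL_SEARCH, (long)active, "user", "krb5_princ", 0L);
    printf("active ccache keyring %d (created %d), krb5_princ key %ld\n",
           active, ring, princ);
    return princ < 0 ? 1 : 0;
}
```

On a host where the keyring syscalls are permitted, the program creates the keyring, sets krb5_cc_active, then resolves it back the way gssd would; running it twice with a different residual shows krb5_cc_active being updated in place, since add_key replaces the payload of an existing "user" key with the same description.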
More information about the krbdev
mailing list