ccache using linux keyring
Jeffrey Hutzelman
jhutz at cmu.edu
Wed Apr 13 17:16:48 EDT 2005
On Wednesday, April 13, 2005 12:40:50 PM -0400 Kevin Coffman
<kwc at citi.umich.edu> wrote:
> The current implementation uses a new keyring created in the
> session-specific keyring (KEY_SPEC_SESSION_KEYRING) to represent a
> user's credentials cache file. The principal information and each
> ticket are stored in this keyring as an individual key. The name of
> the keyring matches the 'residual' name as passed to the resolve
> function and found in KRB5CCNAME. The principal information is kept in
> a key named 'krb5_princ' and each ticket is kept in a sequentially
> numbered key 'krb5tkt_000000', etc. (These individual key names are
> just for reference, their key_serial is what is really kept track of.)
Why not name them for the service principal?
> I propose to add a new well-known key named "krb5_cc_active" to the
> session-specific keyring which will hold the key serial number of the
> 'active' credentials cache (keyring). This will allow a user to change
> KRB5CCNAME settings and create several ccaches as needed. A utility
> pgm will be required to change the 'active' key to point to the desired
> active credentials cache.
I'm a little confused here. Presumably if I set KRB5CCNAME to
"keyring:foo", then it should use the keyring named 'foo'.
Under what circumstances does it use the keyring named in the
krb5_cc_active key?