ccache using linux keyring

Jeffrey Hutzelman jhutz at
Wed Apr 13 17:16:48 EDT 2005

On Wednesday, April 13, 2005 12:40:50 PM -0400 Kevin Coffman 
<kwc at> wrote:

> The current implementation uses a new keyring created in the
> session-specific keyring (KEY_SPEC_SESSION_KEYRING) to represent a
> user's credentials cache file.  The principal information and each
> ticket are stored in this keyring as an individual key.  The name of
> the keyring matches the 'residual' name as passed to the resolve
> function and found in KRB5CCNAME.  The principal information is kept in
> a key named 'krb5_princ' and each ticket is kept in a sequentially
> numbered key 'krb5tkt_000000', etc.  (These individual key names are
> just for reference, their key_serial is what is really kept track of.)

Why not name them for the service principal?

> I propose to add a new well-known key named "krb5_cc_active" to the
> session-specific keyring which will hold the key serial number of the
> 'active' credentials cache (keyring).  This will allow a user to change
> KRB5CCNAME settings and create several ccaches as needed.  A utility
> pgm will be required to change the 'active' key to point to the desired
> active credentials cache.

I'm a little confused here.  Presumably if I set KRB5CCNAME to 
"keyring:foo", then it should use the keyring named 'foo'.

Under what circumstances does it use the keyring named in the 
krb5_cc_active key?

More information about the krbdev mailing list