ccache using linux keyring

Kevin Coffman kwc at
Thu Apr 14 10:18:32 EDT 2005

> >>>>> "Jeffrey" == Jeffrey Hutzelman <jhutz at> writes:
>     Jeffrey> On Wednesday, April 13, 2005 12:40:50 PM -0400 Kevin
>     Jeffrey> Coffman
>     Jeffrey> <kwc at> wrote:
>     >> The current implementation uses a new keyring created in the
>     >> session-specific keyring (KEY_SPEC_SESSION_KEYRING) to
>     >> represent a user's credentials cache file.  The principal
>     >> information and each ticket are stored in this keyring as an
>     >> individual key.  The name of the keyring matches the 'residual'
>     >> name as passed to the resolve function and found in KRB5CCNAME.
>     >> The principal information is kept in a key named 'krb5_princ'
>     >> and each ticket is kept in a sequentially numbered key
>     >> 'krb5tkt_000000', etc.  (These individual key names are just
>     >> for reference, their key_serial is what is really kept track
>     >> of.)
>     Jeffrey> Why not name them for the service principal?
> I'm concerned that there may be circumstances where you want to have
> duplicate or semi-duplicate tickets.  I'm concerned that other ccache
> types do not work this way and it seems dangerous to have different
> semantics.

I'm not sure I understand your concern.  From the user-land Kerberos
library view, this should look like any other ccache type.

More information about the krbdev mailing list