ccache using linux keyring

David Howells dhowells at
Thu Apr 14 11:28:11 EDT 2005

Kevin Coffman <kwc at> wrote:

> I chose session because that what seemed more pag-like.  It looked
> to me like JOIN_SESSION_KEYRING is the newpag equivalent.
> Is that wrong?

No - it depends how widely you want the TGT to be available. I was thinking
that you might want the TGT to be available to all your sessions by placing it
in your user keyring.

> OK, using the new naming suggested by Jeff, here is what I would see
> (with my UMICH.EDU credentials cache "active" for gssd):

And the key types?

> This assumes that my default realm is CITI.UMICH.EDU and I've gotten
> several ticket for the CITI.UMICH.EDU realm.  Then I've done
> 	% setenv KRB5CCNAME KEYRING:/tmp/krb5cc_20010_umich
> 	% kinit kwc at UMICH.EDU
> and then ran the utility to make /tmp/krb5cc_20010_umich my active
> ccache.  gssd will then try to use my UMICH.EDU tickets to get
> service tickets to negotiate NFSv4 gss contexts.

Can you outline the process by which you envision a service (say the NFS4
client in the kernel) finding a key?

> >  (5) Users have a key count quota and a key allocation quota.
> This is one issue that I am concered with.  I could look at the code...
> but is the quota configurable?

Not currently, but there's no reason it couldn't be made so. The quota values
are stored per user. What may be more limiting is that keyrings currently have
a hard limit of PAGE_SIZE on the content.


More information about the krbdev mailing list