ccache using linux keyring

Sam Hartman hartmans at MIT.EDU
Fri Apr 15 13:18:27 EDT 2005

>>>>> "Kevin" == Kevin Coffman <kwc at> writes:

    Kevin> After discussing this here with Bruce, I think having more
    Kevin> than one ccache in the session ring is unnecessary.  If you
    Kevin> want to do this sort of thing, you would do the equivalent
    Kevin> of a setpag and get into a new session keyring.  That still
    Kevin> leaves the problem of gssd finding the ccache w/o
    Kevin> environment variables.  However, naming the keyring
    Kevin> something like "krb5ccache:<residual>" and having only one
    Kevin> ccache in a session ring would allow it to work.

I think we disagree.  I think we'd like to see something more like KFM
semantics unless there is a good reason not to.  So we would like to
support multiple ccaches per session.

I still am uncomfortable with Jeff's naming suggestions.  I can think of a lot of cases where you would have multiple tickets for the same service:

* U2U tickets for different TGTs

* postdated or invalid tickets

* different encryption types

* New extensions to Kerberos that make tickets distinguishable in ways
  that current tickets are not distinguishable.

I think it is fine to include the service name in the ticket, but I think you need to support multiple tickets that have the same service name.


More information about the krbdev mailing list