ccache using linux keyring
Sam Hartman
hartmans at MIT.EDU
Fri Apr 15 13:18:27 EDT 2005
>>>>> "Kevin" == Kevin Coffman <kwc at citi.umich.edu> writes:
Kevin> After discussing this here with Bruce, I think having more
Kevin> than one ccache in the session ring is unnecessary. If you
Kevin> want to do this sort of thing, you would do the equivalent
Kevin> of a setpag and get into a new session keyring. That still
Kevin> leaves the problem of gssd finding the ccache w/o
Kevin> environment variables. However, naming the keyring
Kevin> something like "krb5ccache:<residual>" and having only one
Kevin> ccache in a session ring would allow it to work.
I think we disagree. I think we'd like to see something more like KFM
semantics unless there is a good reason not to. So we would like to
support multiple ccaches per session.
I still am uncomfortable with Jeff's naming suggestions. I can think of a lot of cases where you would have multiple tickets for the same service:
* U2U tickets for different TGTs
* postdated or invalid tickets
* different encryption types
* New extensions to Kerberos that make tickets distinguishable in ways
that current tickets are not distinguishable.
I think it is fine to include the service name in the ticket, but I think you need to support multiple tickets that have the same service name.
--Sam
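
An added example, not part of the original message and not krb5 or gssd code: it shows how the concern about same-service tickets plays out on the Linux keyring, where `add_key(2)` updates an existing "user" key in place when the type and description match one already in the keyring. The `krb5tkt:` naming schemes, principals and payloads are constructed assumptions, not a proposal from this thread.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* KEY_SPEC_PROCESS_KEYRING from <linux/keyctl.h>; keys vanish at process exit. */
#define PROCESS_KEYRING (-2L)

/* Store one "user" key in the process keyring; returns its serial or -1. */
static long put_key(const char *desc, const char *payload)
{
    return syscall(SYS_add_key, "user", desc, payload, strlen(payload),
                   PROCESS_KEYRING);
}

/*
 * Returns 1 if the two descriptions produced two distinct keys,
 * 0 if the second add_key() updated the first key in place (same serial,
 * first payload overwritten), and -1 if the keyring syscalls are
 * unavailable (for example blocked by a seccomp profile).
 */
int distinct_keys(const char *desc_a, const char *desc_b)
{
    long a = put_key(desc_a, "ticket-A (constructed payload)");
    long b = put_key(desc_b, "ticket-B (constructed payload)");

    if (a < 0 || b < 0)
        return -1;
    return a != b;
}

int main(void)
{
    /* Hypothetical scheme 1: description carries only the service name. */
    int by_service = distinct_keys("krb5tkt:host/fs.example.com",
                                   "krb5tkt:host/fs.example.com");
    /* Hypothetical scheme 2: an extra discriminator (here the enctype). */
    int with_etype = distinct_keys("krb5tkt:host/fs.example.com:etype=aes256",
                                   "krb5tkt:host/fs.example.com:etype=des3");

    printf("service name only   -> distinct keys: %d\n", by_service);
    printf("service + enctype   -> distinct keys: %d\n", with_etype);
    return 0;
}
```
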