krb5 cc iteration and selection functions

Alexandra Ellwood lxs at MIT.EDU
Fri Oct 28 16:00:07 EDT 2005

On Oct 28, 2005, at 9:20 AM, Love wrote:

> Hello,
> I extended the krb5_cc api for Heimdal recently to support  
> iteration and
> cache selection. Jeffery Altman asked me to post about them here.
> I've written about why they are useful here:
> Some question that jeff rasied, and I punted on when I did the
> implementation because it was simpler, is that the NULL type is  
> suppsed to
> do. Really it should probably iterate over all caches.
> Love
> /*
>  * Start iterating over all caches of `type'. If `type' is NULL, the
>  * default type is * used. `cursor' is initialized to the beginning.
>  * Return 0 or an error code.
>  */
> krb5_error_code KRB5_LIB_FUNCTION
> krb5_cc_cache_get_first (krb5_context context,
>              const char *type,
>              krb5_cc_cache_cursor *cursor)
> krb5_error_code KRB5_LIB_FUNCTION
> krb5_cc_cache_next (krb5_context context,
>            krb5_cc_cache_cursor cursor,
>            krb5_ccache *id)
> /*
>  * Destroy the cursor `cursor'.
>  */
> krb5_error_code KRB5_LIB_FUNCTION
> krb5_cc_cache_end_seq_get (krb5_context context,
>                krb5_cc_cache_cursor cursor)

These functions look fine to me.  We needed to do this anyway.  :-)

I do agree with Jeff that if there are multiple ccache types available
that NULL should iterate over all of them.  This is especially important
for KfW (which has the LSA and API types), and for Linux (which will  
keyring and API types in the future).

> /*
>  * Search for a matching credential cache of type `type' that have the
>  * `principal' as the default principal. If NULL is used for `type',
>  * the default type is used. On success, `id' needs to be freed with
>  * krb5_cc_close or krb5_cc_destroy. On failure, error code is
>  * returned and `id' is set to NULL.
>  */
> krb5_error_code KRB5_LIB_FUNCTION
> krb5_cc_cache_match (krb5_context context,
>              krb5_principal client,
>              const char *type,
>              krb5_ccache *id)

This function appears to do almost (but not quite) the same thing as  
one of
the mostly commonly used code paths in the Kerberos Login Library (KLL).

The big difference is that the KLL usually needs to find the first cache
containing *valid* initial tickets for a given client principal.  By  
valid I
mean non-expired, ip-address-matching, non-needs-validation tickets.   
If no
valid tickets exist then the KLL tries renewing/validating the first  
ones it finds.  If the KLL can't renew and the application is a GUI  
app, it
tries to prompt the user for more tickets.

Since there may be multiple ccaches with the same client principal in  
(especially if you change the NULL type to mean search over all  
types), the
KLL can't use this function.  What it really needs is either for this  
to return an array of krb5_ccaches that match the client principal or  
to also
check validity.  The latter seems like a bad idea because none of the  
krb5_cc_* functions deal with validity.

Obviously the existence of this function doesn't stop me from  
implementing my
KLL algorithm using the iterators above.  However since the KLL's  
algorithm will
share a lot of code in common with this one, I wonder if we need  
both.  I'd
recommend keeping this function internal (I assume you're using it to  
your gss_acquire_cred support) and then implementing the new KLL one  
when we
finalize the new API.  If this function has already shipped exported  
Heimdal, I will probably still argue in favor of MIT Kerberos not  
exporting it
unless someone can come up with a case where it's useful and the KLL  
wouldn't be more useful.

(Note that the new KLL API will be cross-platform and implemented for  
KfM, KfW
and the Unix ports of MIT Kerberos.  I will be posting a proposed API  
for it in
the next couple weeks and would be very happy if Heimdal folks  
participated in
the API review process and implemented it.)  :-)


Alexandra Ellwood <lxs at>
MIT Kerberos Development Team

More information about the krbdev mailing list