ccache using linux Keyrings

Nicolas Williams Nicolas.Williams at sun.com
Fri Apr 14 17:46:44 EDT 2006


On Fri, Apr 14, 2006 at 02:05:17PM -0700, Frank Cusack wrote:
> I've always wanted to add a hook to gssd so that you could "forcibly" give
> credentials to or revoke credentials from it.  Rather than have gssd search
> the filesystem.  Shouldn't be hard, just never got a round tuit.  That'd
> solve the well-known name problem.

That's not difficult -- kinit/pam_krb5 almost do that with ktkt_warnd,
and keylogin/pam_dhkeys does that with keyserv.

None of that gets you process grouping semantics like what AFS folks are
used to.

PAGs are, from an AFS perspective, an IDentity Selection tool.  Linux
keyrings here wouldn't be much more than that either, for the AFS crowd.

> >Second, this really prevents any multi credential per UID access model.
> >You would not be able
> >to have multiple Kerberos credentials when doing nfsv4.
> >I think the hope is that keyring credentials cache will provide a way of
> >allowing per thread and per
> >process credentials when using NFSv4.
> 
> I don't see how, unless it's a real PAG-like thingy, which AFAIK the Linux
> keyring is not.  The kernel will still have to look for a well known 
> keyring.

I don't know enough about Linux keyrings to say, but from this thread I
gather that keyrings provide PAG like grouping and inheritance
semantics.

> BTW, it's not just NFSv4, it's nfs/gss (and as Nico points out, it's not
> just kerberos).  I've been using gss (krb5) with nfsv3 for a few years now.

Yup.

And it's not just NFSv2/3/4 either, but also CIFS and AFS and probably
other things.

Nico
-- 
