merged linux keyring code

Jeffrey Altman jaltman at MIT.EDU
Tue Oct 3 09:39:13 EDT 2006

Kevin Coffman wrote:
> There are two parts.  First, the kernel support is optional, so the
> basic kernel keyring support may or may not be present.  (It is only
> available in 2.6.11-ish and later.)  Then there is the user-land
> library.  I'm not sure if Debian or SuSe are enabling keyring support
> in their kernel, or if they include the library by default.  The
> keyring support came from a Redhat person, so their newer releases
> definitely have it.

If the OpenAFS experience is anything to go by, do not support keyrings
on kernels earlier than 2.6.18.

> A runtime test and calling krb5_cc_register() might be made to work.
> Of course the header that goes with libkeyutils is still necessary to
> compile it.
>> I see some stuff in the code referring to sessions, but from my
>> experimentation, the default seems to be for the stored data to be
>> per-user, available from all the user's login sessions.  Is that
>> correct?
> Yes.  The session keyring is roughly equivalent to an afs pag.  At
> least the inheritance model is based on the pag inheritance.  So
> credentials put in the session keyring should be available from all
> processes sharing that session keyring.


Are you indicating that if you SSH to the system twice that Kerberos
credentials obtained in the first session are accessible in the second

Or from the first session are you running 'su' to start the second session?

Jeffrey Altman

More information about the krbdev mailing list