merged linux keyring code

Jeffrey Altman jaltman at MIT.EDU
Tue Oct 3 09:39:13 EDT 2006


Kevin Coffman wrote:
> There are two parts.  First, the kernel support is optional, so the
> basic kernel keyring support may or may not be present.  (It is only
> available in 2.6.11-ish and later.)  Then there is the user-land
> library.  I'm not sure if Debian or SuSe are enabling keyring support
> in their kernel, or if they include the library by default.  The
> keyring support came from a Redhat person, so their newer releases
> definitely have it.

If the OpenAFS experience is anything to go by, do not support keyrings
on kernels earlier than 2.6.18.

> A runtime test and calling krb5_cc_register() might be made to work.
> Of course the header that goes with libkeyutils is still necessary to
> compile it.
> 
>> I see some stuff in the code referring to sessions, but from my
>> experimentation, the default seems to be for the stored data to be
>> per-user, available from all the user's login sessions.  Is that
>> correct?
> 
> Yes.  The session keyring is roughly equivalent to an afs pag.  At
> least the inheritance model is based on the pag inheritance.  So
> credentials put in the session keyring should be available from all
> processes sharing that session keyring.

Ken:

Are you indicating that if you SSH to the system twice that Kerberos
credentials obtained in the first session are accessible in the second
session?

Or from the first session are you running 'su' to start the second session?

Jeffrey Altman
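As an added illustration (not code from this thread, from MIT krb5, or from Kevin's keyring ccache work), the following Python script reads a /proc/keys listing in the kernel's documented column format and reports two things an administrator checking the behaviour discussed above would want: which reserved keyring (_uid, _uid_ses, _ses) each entry is, and which stored keys have a permission mask that lets group or other read or search them. The sample listing is constructed; the ccache_* descriptions and serials are invented, not krb5's real naming.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
# Constructed /proc/keys sample (serials, uids, perms and descriptions are
# invented; the column layout follows Documentation/security/keys/core.rst).
SAMPLE_PROC_KEYS = """\
000004d2 I--Q--     1 perm 1f3f0000  1000  1000 keyring   _uid.1000: 1/4
000004d3 I--Q--     3 perm 1f3f0000  1000  1000 keyring   _uid_ses.1000: 1/4
00000892 I--Q--     2 perm 3f3f0000  1000  1000 keyring   _ses: 2/4
00000893 I--Q--     1  10h 3f3f3f3f  1000  1000 user      ccache_tgt: 312
00000894 I--Q--     1  10h 3f3f0000  1000  1000 user      ccache_cfg: 40
"""
# Columns: serial flags usage expiry perms uid gid type description
LINE_RE = re.compile(r"^([0-9a-f]{8}) \S+ +\d+ +\S+ +([0-9a-f]{8}) +(-?\d+) +(-?\d+)"
                     r" +(\S+) +(.*)$")
# Permission bits within each subject byte (possessor/user/group/other).
KEY_READ, KEY_SEARCH = 0x02, 0x08
SHIFT = {"possessor": 24, "user": 16, "group": 8, "other": 0}
# Kernel-reserved keyring names: _ses is the session keyring Kevin likens to
# an AFS PAG, _uid the per-user keyring shared by all of a user's logins.
SCOPES = {"_uid_ses.": "user-session", "_uid.": "user", "_ses": "session",
          "_pid.": "process", "_tid.": "thread"}

@dataclass
class Key:
    serial: str
    perms: int
    uid: int
    type: str
    desc: str
    def perm_byte(self, who: str) -> int:
        return (self.perms >> SHIFT[who]) & 0xFF

def parse_proc_keys(text: str) -> List[Key]:
    """Parse a /proc/keys listing, ignoring lines that are not key records."""
    keys = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        serial, perms, uid, _gid, ktype, desc = m.groups()
        keys.append(Key(serial, int(perms, 16), int(uid), ktype, desc))
    return keys

def keyring_scope(key: Key) -> Optional[str]:
    # Classify a keyring by its reserved name prefix; None for non-keyrings.
    if key.type != "keyring":
        return None
    name = key.desc.split(":")[0]
    return next((s for p, s in SCOPES.items() if name.startswith(p)), "named")

def overshared(keys: List[Key]) -> List[str]:
    # Serials of stored keys that group or other may read or search.
    return [k.serial for k in keys if k.type != "keyring" and
            (k.perm_byte("group") | k.perm_byte("other")) & (KEY_READ | KEY_SEARCH)]
```

Run against a real `cat /proc/keys` from each login to see whether the two sessions share a `_ses` keyring or only the per-user `_uid` one.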