merged linux keyring code
Kevin Coffman
kwc at citi.umich.edu
Tue Oct 3 09:44:21 EDT 2006
On 10/3/06, Jeffrey Altman <jaltman at mit.edu> wrote:
> Kevin Coffman wrote:
> > There are two parts. First, the kernel support is optional, so the
> > basic kernel keyring support may or may not be present. (It is only
> > available in 2.6.11-ish and later.) Then there is the user-land
> > library. I'm not sure if Debian or SuSe are enabling keyring support
> > in their kernel, or if they include the library by default. The
> > keyring support came from a Redhat person, so their newer releases
> > definitely have it.
>
> If the OpenAFS experience is anything to go by, do not support keyrings
> on kernels earlier than 2.6.18.
I don't think the ccache code has any dependencies beyond the basic
support that was initially added to the kernel. But I have been wrong
before...
> > A runtime test and calling krb5_cc_register() might be made to work.
> > Of course the header that goes with libkeyutils is still necessary to
> > compile it.
> >
> >> I see some stuff in the code referring to sessions, but from my
> >> experimentation, the default seems to be for the stored data to be
> >> per-user, available from all the user's login sessions. Is that
> >> correct?
> >
> > Yes. The session keyring is roughly equivalent to an afs pag. At
> > least the inheritance model is based on the pag inheritance. So
> > credentials put in the session keyring should be available from all
> > processes sharing that session keyring.
>
> Ken:
>
> Are you indicating that if you SSH to the system twice that Kerberos
> credentials obtained in the first session are accessible in the second
> session?
>
> Or from the first session are you running 'su' to start the second session?
Doesn't [Open]SSH use "FILE:"?
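As an added example (not code from this thread or from the ccache code it discusses): the runtime test for kernel keyring support that Kevin mentions, done through the raw keyctl syscall so it compiles without the libkeyutils header, plus a fallback decision to the FILE: type. The ccache type name "KEYRING" and the helper names are assumptions.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#ifdef __linux__
#include <sys/syscall.h>
#include <unistd.h>
#endif

/* Values from the kernel's UAPI <linux/keyctl.h>, restated here so the
 * probe compiles without libkeyutils or its header. */
#define PROBE_KEYCTL_GET_KEYRING_ID 0
#define PROBE_KEY_SPEC_SESSION_KEYRING (-3)

/* Returns 1 if the running kernel answers keyctl() for the session
 * keyring, 0 if the kernel has no keyring support at all (ENOSYS), and
 * -1 for any other failure (e.g. EPERM when a seccomp policy filters
 * keyctl, as container runtimes commonly do). */
int kernel_keyring_probe(void)
{
#ifdef __linux__
    long id = syscall(SYS_keyctl, PROBE_KEYCTL_GET_KEYRING_ID,
                      PROBE_KEY_SPEC_SESSION_KEYRING, 0);
    if (id >= 0)
        return 1;
    return errno == ENOSYS ? 0 : -1;
#else
    return 0;          /* not Linux: no kernel keyrings at all */
#endif
}

/* Map the probe result to the ccache type to register. "KEYRING" is an
 * assumed name for the keyring ccache; "FILE" is the usual fallback. */
const char *choose_ccache_type(int probe)
{
    return probe == 1 ? "KEYRING" : "FILE";
}

int main(void)
{
    int probe = kernel_keyring_probe();
    printf("keyring probe: %d (%s)\n", probe,
           probe == 1 ? "available" :
           probe == 0 ? "not in kernel" : strerror(errno));
    printf("ccache type to register: %s\n", choose_ccache_type(probe));
    return 0;
}
```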