merged linux keyring code

Kevin Coffman kwc at
Tue Oct 3 09:44:21 EDT 2006

On 10/3/06, Jeffrey Altman <jaltman at> wrote:
> Kevin Coffman wrote:
> > There are two parts.  First, the kernel support is optional, so the
> > basic kernel keyring support may or may not be present.  (It is only
> > available in 2.6.11-ish and later.)  Then there is the user-land
> > library.  I'm not sure if Debian or SuSe are enabling keyring support
> > in their kernel, or if they include the library by default.  The
> > keyring support came from a Redhat person, so their newer releases
> > definitely have it.
> If the OpenAFS experience is anything to go by, do not support keyrings
> on kernels earlier than 2.6.18.

I don't think the ccache code has any dependencies beyond the basic
support that was initially added to the kernel.  But I have been wrong

> > A runtime test and calling krb5_cc_register() might be made to work.
> > Of course the header that goes with libkeyutils is still necessary to
> > compile it.
> >
> >> I see some stuff in the code referring to sessions, but from my
> >> experimentation, the default seems to be for the stored data to be
> >> per-user, available from all the user's login sessions.  Is that
> >> correct?
> >
> > Yes.  The session keyring is roughly equivalent to an afs pag.  At
> > least the inheritance model is based on the pag inheritance.  So
> > credentials put in the session keyring should be available from all
> > processes sharing that session keyring.
> Ken:
> Are you indicating that if you SSH to the system twice that Kerberos
> credentials obtained in the first session are accessible in the second
> session?
> Or from the first session are you running 'su' to start the second session?

Doesn't [Open]SSH use "FILE:"?

More information about the krbdev mailing list