merged linux keyring code

Sam Hartman hartmans at MIT.EDU
Tue Oct 3 11:17:29 EDT 2006

>>>>> "Kevin" == Kevin Coffman <kwc at> writes:

    >> Questions:
    >> In start_seq_get, it appears that the iterator will process no
    >> more than the number of keys that existed when resolve was
    >> called.  (Plus one, potentially, because of the magic entry
    >> holding the principal name.)  Perhaps it should use
    >> key_read_alloc instead?

    Kevin> Actually, numkeys is updated in store_cred() and should
    Kevin> always be up-to-date.  I probably could have implemented
    Kevin> remove_cred() and updated the numkeys count there too, but
    Kevin> does anything depend on it doing anything?

What happens when someone else in another process stores a credential?

    >> Is libkeyutils always installed on reasonably modern Linux
    >> systems?  (Including, say, Debian's current "stable" release.)
    >> Would it make sense to try loading at run time, so one set of
    >> binaries can work with or without it?  Or just let the package
    >> maintainer decide which way to go, and what dependencies to
    >> add....

    Kevin> There are two parts.  First, the kernel support is
    Kevin> optional, so the basic kernel keyring support may or may
    Kevin> not be present.  (It is only available in 2.6.11-ish and
    Kevin> later.)  Then there is the user-land library.  I'm not sure
    Kevin> if Debian or SuSe are enabling keyring support in their
    Kevin> kernel, or if they include the library by default.  The
    Kevin> keyring support came from a Redhat person, so their newer
    Kevin> releases definitely have it.

    Kevin> A runtime test and calling krb5_cc_register() might be made
    Kevin> to work.  Of course the header that goes with libkeyutils
    Kevin> is still necessary to compile it.

I think the right way to do this is to depend on the library if
available at compile time and never to select the keyring cache as the
default if kernel support is not available in the current system.

More information about the krbdev mailing list