merged linux keyring code
Jeffrey Hutzelman
jhutz at cmu.edu
Wed Oct 4 13:39:01 EDT 2006
On Wednesday, October 04, 2006 01:15:58 PM -0400 Sam Hartman
<hartmans at MIT.EDU> wrote:
>>>>>> "Kevin" == Kevin Coffman <kwc at citi.umich.edu> writes:
>
> Kevin> On 10/4/06, Sam Hartman <hartmans at mit.edu> wrote:
> >> BTW, what syntax did you end up using for keyring cache names?
> >>
> >> --Sam
>
> Kevin> "KEYRING:" uses session keyring "KEYRING:process:" uses
> Kevin> process keyring "KEYRING:thread:" uses thread keyring
>
>
> so there is no user keyring? Session is the broadest scope?
Yes and no. Each uid can have a "default session keyring" which is used if
there is no session keyring; this is similar to AFS UID PAGs. There is
also a per-uid keyring, but the code I'm looking at seems to provide only
limited access.
BTW, note that while you might want to manipulate a specific keyring, the
normal model for searches is that you search first the thread keyring, then
the process keyring, then the session keyring. That seems like a desirable
behavior for Kerberos. IMHO "KEYRING:" should search for a ccache on all
three keyrings in order, and if a new one needs to be created, it should be
created on the session keyring.
-- Jeff
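The keyring name scopes Kevin lists and the thread -> process -> session search order Jeff proposes, modelled as an added Python example. This is illustration written for this page, not krb5 or Linux kernel code: the keyrings are plain dicts, where a real ccache implementation would call keyctl(KEYCTL_SEARCH) and add_key() against the kernel keyrings. The "<desc>" suffix after the prefix, and the rule that an explicitly scoped name consults only its own keyring, are assumptions of the model; the message gives only the prefixes and the proposed search order for the bare "KEYRING:" form.

```python
"""Model of the KEYRING: ccache-name scopes and of the proposed
thread -> process -> session search order.

Added illustration, not code from krb5 or the Linux kernel: keyrings are
plain dicts here, where the real implementation would call
keyctl(KEYCTL_SEARCH) and add_key() against the kernel's keyrings."""

from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Search order for a bare "KEYRING:" name, as proposed in the message.
SEARCH_ORDER = ("thread", "process", "session")


@dataclass
class Keyrings:
    """One process's view of its keyrings.  A missing session keyring
    (session=None) falls back to the uid's default session keyring, as the
    message describes."""
    thread: Dict[str, bytes] = field(default_factory=dict)
    process: Dict[str, bytes] = field(default_factory=dict)
    session: Optional[Dict[str, bytes]] = None
    user_default_session: Dict[str, bytes] = field(default_factory=dict)

    def ring(self, which: str) -> Dict[str, bytes]:
        if which == "session":
            return self.session if self.session is not None else self.user_default_session
        return getattr(self, which)


def parse_name(name: str) -> Tuple[str, str]:
    """Split a ccache name into (scope, description).

    "KEYRING:<desc>"          -> ("session", desc)   search all three, create on session
    "KEYRING:process:<desc>"  -> ("process", desc)   that keyring only
    "KEYRING:thread:<desc>"   -> ("thread", desc)    that keyring only

    The <desc> suffix (the key description inside the keyring) is an
    assumption of this model; the message only gives the prefixes."""
    if not name.startswith("KEYRING:"):
        raise ValueError("not a KEYRING: ccache name: %r" % name)
    rest = name[len("KEYRING:"):]
    for scope in ("thread", "process"):
        if rest.startswith(scope + ":"):
            return scope, rest[len(scope) + 1:]
    return "session", rest


def lookup(rings: Keyrings, name: str) -> Optional[str]:
    """Return the keyring in which the ccache was found, or None.

    A bare KEYRING: name walks thread, process, session in order, so a
    thread- or process-scoped cache shadows a session one.  An explicit
    scope consults only that keyring (assumed to match "manipulate a
    specific keyring" in the message)."""
    scope, desc = parse_name(name)
    order = SEARCH_ORDER if scope == "session" else (scope,)
    for which in order:
        if desc in rings.ring(which):
            return which
    return None


def resolve_or_create(rings: Keyrings, name: str) -> str:
    """Find the ccache, or create an empty one.  A new cache for a bare
    KEYRING: name lands on the session keyring (or the uid's default
    session keyring if the process has none); an explicitly scoped name is
    created on the keyring it names."""
    found = lookup(rings, name)
    if found is not None:
        return found
    scope, desc = parse_name(name)
    rings.ring(scope)[desc] = b""   # constructed: empty credential cache payload
    return scope


if __name__ == "__main__":
    # Constructed sample: the same description present on two keyrings.
    rings = Keyrings(process={"krb5cc": b"p"}, session={"krb5cc": b"s"})
    print(lookup(rings, "KEYRING:krb5cc"))          # process shadows session
    print(resolve_or_create(rings, "KEYRING:new"))  # created on session
    print(sorted(rings.session))
```

The shadowing in lookup() is the security-relevant part of the order: a credential placed on the thread or process keyring wins over the session one for a bare KEYRING: name, so anything that can write to those narrower keyrings can steer which cache a Kerberos client uses.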