merged linux keyring code

Jeffrey Hutzelman jhutz at
Wed Oct 4 13:39:01 EDT 2006

On Wednesday, October 04, 2006 01:15:58 PM -0400 Sam Hartman 
<hartmans at MIT.EDU> wrote:

>>>>>> "Kevin" == Kevin Coffman <kwc at> writes:
>     Kevin> On 10/4/06, Sam Hartman <hartmans at> wrote:
>     >> BTW, what syntaxt did you end up using for keyring cache names?
>     >>
>     >> --Sam
>     Kevin> "KEYRING:" uses session keyring "KEYRING:process:" uses
>     Kevin> process keyring "KEYRING:thread:" uses thread keyring
> so there is no user keyring?  Session is the broadest scope?

Yes and no.  Each uid can have a "default session keyring" which is used if 
there is no session keyring; this is similar to AFS UID PAG's.  There is 
also a per-uid keyring, but the code I'm looking at seems to provide only 
limited access.

BTW, note that while you might want to manipulate a specific keyring, the 
normal model for searches is that you search first the thread keyring, then 
the process keyring, then the session keyring.  That seems like a desirable 
behavior for Kerberos.  IMHO "KEYRING:" should search for a ccache on all 
three keyrings in order, and if a new one needs to be created, it should be 
created on the session keyring.

-- Jeff

More information about the krbdev mailing list