Credential collections

Henry B. Hotz hotz at
Thu Mar 24 16:16:12 EDT 2011

On Mar 23, 2011, at 9:32 PM, krbdev-request at wrote:

>> CLI
>> ---
>> kinit and kdestroy can be used to manage multiple ccaches using the -c
>> flag, but it's not very convenient. ?The only previous work I'm aware
>> of in this area is in KfM, which has the following extensions:
>> * "kinit principal" scans the collection for a ccache for principal,
>> ?and creates a new unique CCAPI ccache if one doesn't exist.
>> * "klist -A" lists creds for all ccaches in the collection.
>> * "kdestroy -A" destroys all ccaches in the collection. ?"kdestroy -p
>> ?principal" scans the collection for a ccache for principal and
>> ?destroys it.
>> * "kswitch -c ccname" or "kswitch -p princname" sets the default
>> ?ccache in the collection. ?(In the normal case this translates into
>> ?a message to the CCAPI daemon. ?When KRB5CCNAME is set the semantics
>> ?are confusing to me and possibly broken.)

I'm perplexed as to why this is being revisited.  MIT implemented this stuff (for Apple) quite a long time ago.  It works quite nicely (when I need it).

Now if only Apple hadn't destroyed the Kerberos GUI, and kept the (very nicely functional) MIT-written one.

I wouldn't mind if things could be made better, but I'd settle for restoring what was and making it cross-platform (which I thought was the plan, back then).

The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at, or hbhotz at

More information about the krbdev mailing list