Keytab-based initiator creds design
Nico Williams
nico at cryptonector.com
Thu Jun 7 16:21:01 EDT 2012
On Thu, Jun 7, 2012 at 2:59 PM, Greg Hudson <ghudson at mit.edu> wrote:
> On 06/07/2012 02:56 PM, Simo Sorce wrote:
>>> - /{var, run}/krb5/user/$USER/keytab
>>> - /{var, run}/krb5/user/$USER/ccache
>>> - /{var, run}/krb5/user/$USER/default_principal
>
> How would this work on Windows?
Clearly Windows can provide persistent locations. Dunno if it can
provide ephemeral ones, but it could always do so via CCAPI-style
daemons.
>> So I think I like this proposal, it aligns well with what we are already
>> trying to do there.
>>
>> The /run location should be /run/user/$USER/krb5/ccache though as that
>> is where the various pam modules put stuff
>
> I'm confused. If we're going to make an effort to align with where Fedora
> happens to put the default per-user ccache, how is that better than just
> using the default ccache? It seems to negate the "no surprise" benefit.
Users on Fedora would not be surprised, unless they came from other
OSes. See my reply to Russ.
> (On a complete tangent, how is Fedora going to deal with multiple login
> sessions by the same user?)
That's another thing. On some OSes there may be a per-session ccache
(and possibly even keytab). The search order, and locations, should
be a build-time thing, possibly with configuration overrides.
If we think of all these locations as specifiable via URIs then we're
really talking about a list of URIs (FILE, CCAPI, ...), which probably
simplifies things.
Nico
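The search-order idea above (ephemeral before persistent locations, a build-time default list, per-location overrides, and locations expressed as URIs such as FILE and CCAPI) is small enough to sketch as a resolver. The block below is an added example and is not code from this thread or from MIT krb5: the default list, the `$USER`/`$KIND` placeholders, the `resolve` function and the owner-only permission check on FILE locations are all assumptions made for illustration, and `fake_stat` exists only so the example runs offline against a constructed file table.

```python
import os
import stat
from types import SimpleNamespace

# Hypothetical build-time default search order, ephemeral (/run) before
# persistent (/var), following the layout discussed in the thread. $USER and
# $KIND are expanded at lookup time; KIND is "ccache", "keytab" or
# "default_principal". A CCAPI entry names a daemon-held cache, not a path.
DEFAULT_SEARCH_ORDER = [
    "FILE:/run/krb5/user/$USER/$KIND",
    "FILE:/var/krb5/user/$USER/$KIND",
    "CCAPI:$USER",
]


def parse_uri(uri):
    """Split 'SCHEME:rest' on the first colon; the rest may contain colons."""
    scheme, sep, rest = uri.partition(":")
    if not sep or not scheme or not rest:
        raise ValueError("not a location URI: %r" % uri)
    return scheme.upper(), rest


def expand(template, user, kind):
    return template.replace("$USER", user).replace("$KIND", kind)


def file_is_private(path, uid, stat_fn=os.stat):
    """True if path is a regular file owned by uid with no group/other bits.

    This is an added defensive check, not something the thread specifies: a
    per-user keytab or ccache that another account can read is not usable as
    that user's credential, so the resolver skips it instead of using it.
    """
    try:
        st = stat_fn(path)
    except OSError:
        return False
    mode = st.st_mode
    return (stat.S_ISREG(mode) and st.st_uid == uid
            and not mode & (stat.S_IRWXG | stat.S_IRWXO))


def resolve(kind, user, uid, search_order=None, stat_fn=os.stat):
    """Return the first usable location URI for kind, or None.

    search_order is the configuration override of the build-time default.
    """
    order = search_order if search_order is not None else DEFAULT_SEARCH_ORDER
    for uri in order:
        scheme, rest = parse_uri(uri)
        target = expand(rest, user, kind)
        if scheme == "FILE":
            if file_is_private(target, uid, stat_fn):
                return "FILE:" + target
        elif scheme == "CCAPI":
            # Only credential caches live in a CCAPI daemon.
            if kind == "ccache":
                return "CCAPI:" + target
        # Unknown schemes are skipped so new cache types can be listed later.
    return None


def fake_stat(files):
    """Build a stat-like function from {path: (mode, uid)} for offline demos."""
    def _stat(path):
        if path not in files:
            raise FileNotFoundError(path)
        mode, uid = files[path]
        return SimpleNamespace(st_mode=mode, st_uid=uid)
    return _stat


if __name__ == "__main__":
    # Constructed file table: a private ephemeral keytab and a world-readable
    # persistent one. The resolver picks the /run copy and ignores the other.
    fs = fake_stat({
        "/run/krb5/user/alice/keytab": (stat.S_IFREG | 0o600, 1000),
        "/var/krb5/user/alice/keytab": (stat.S_IFREG | 0o644, 1000),
    })
    print(resolve("keytab", "alice", 1000, stat_fn=fs))
    print(resolve("ccache", "alice", 1000, stat_fn=fs))
```

Passing `search_order` is where a per-session entry such as `FILE:/run/user/$USER/krb5/$KIND` would be inserted ahead of the defaults on an OS that has one; the URI list stays the single thing to configure, which is the simplification the post is after.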