Fedora ticket cache location

Nico Williams nico at cryptonector.com
Thu Jun 7 16:45:24 EDT 2012


On Thu, Jun 7, 2012 at 3:32 PM, Russ Allbery <rra at stanford.edu> wrote:
> Nico Williams <nico at cryptonector.com> writes:
>> On Thu, Jun 7, 2012 at 3:17 PM, Russ Allbery <rra at stanford.edu> wrote:
>
>>> I want to replace that hard-coded file location with something that
>>> respects the system configuration for where such ticket caches should
>>> be written.  I think I need an interface where I pass in the user or
>>> the UID or the like and get back either a krb5_ccache or a cache
>>> identifier that I should use for a temporary ticket cache.
>
>> If you want to pass in a UID.. that's not portable (a username would be
>> OK though).  And you'll probably also want to pass in a PID, PAG, ...
>> All not portable.
>
> I want a temporary ticket cache, so I'm not particularly interested in PID

That wasn't clear.

> or PAG for this particular purpose.  You're going to hand me back a new
> unique cache and then I'll handle visibility from there.  Although I
> realize I may need to give you a hint for keyring caches so that you can
> set up appropriate permissions.

The problem is that if you want NFS/AFS/SMB/... to know how to find
and use this temporary ccache... how will they do that?  The
traditional answers have been:

 - Solaris NFS -> use per-user default; no temp ccaches, sorry
 - AFS -> set PAG, set tokens
 - Linux NFS -> use keyrings(?)

I think in general when you say "temporary ccache" you want either a)
something that NFS/AFS/SMB won't use, or b) a new session so they can
find your credentials.

Nico
--



More information about the krbdev mailing list