Fedora ticket cache location

Stephen Gallagher sgallagh at redhat.com
Sun Jun 10 19:25:48 EDT 2012


On Thu, 2012-06-07 at 13:32 -0700, Russ Allbery wrote:
> That sounds remarkably annoying to use as an application developer.  I
> think a good design goal here should be to make this not much harder to
> use than hardcoding /tmp if you want people to actually use it.
> 

Can we just replace this hard-coded string with a configure-time flag
that allows variable-substitution? That would be easiest, I think. This
is essentially how we handle things in the SSSD[1].

To answer your original question about Fedora ticket caches, the plan
starting with Fedora 18 is to have caches stored (by default) in
DIR:/run/user/<username>/krb5cc so that the location is 1) guaranteed to
be readable only by the user (or root) and protectable by SELinux and 2)
supports the multiple-TGT feature of recent krb5 and 3) is stored on a
tmpfs system so that it is not retrievable on a stolen laptop by
rebooting to single-user mode.

[1] http://sgallagh.fedorapeople.org/sssd/1.8.91/man/sssd-krb5.5.html
See the section on krb5_ccname_template.
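Added example, not code from this thread, from krb5 or from SSSD: it expands an SSSD-style ccache name template (the %u username and %U uid keys, and %% for a literal percent sign, are assumed from the krb5_ccname_template man page linked above) and then inspects a DIR: cache directory for the properties the message lists, namely owned by the user with no group/other access and backed by tmpfs.

```python
import os
import re
import stat

# %u (username) and %U (uid) are assumed from SSSD's krb5_ccname_template; %% is a literal %.
def expand_ccname_template(template, username, uid):
    """Expand an SSSD-style ccache template such as DIR:/run/user/%U/krb5cc."""
    subs = {"u": username, "U": str(uid), "%": "%"}
    def repl(match):
        key = match.group(1)
        if key not in subs:
            raise ValueError("unknown template key %%%s" % key)
        return subs[key]
    return re.sub(r"%(.)", repl, template)

def filesystem_type(path, mounts="/proc/self/mounts"):
    """Filesystem type of the longest mount point holding path, or None if unknown."""
    try:
        with open(mounts) as fh:
            entries = [ln.split()[1:3] for ln in fh if len(ln.split()) >= 3]
    except OSError:
        return None
    real, best = os.path.realpath(path), None
    for mnt, fstype in entries:
        if real == mnt or real.startswith(mnt.rstrip("/") + "/"):
            if best is None or len(mnt) > len(best[0]):
                best = (mnt, fstype)
    return best[1] if best else None

def check_dir_ccache(ccname, uid):
    """Return findings for a DIR: ccache; an empty list means it looks right."""
    if not ccname.startswith("DIR:"):
        return ["not a DIR: ccache; the multiple-TGT collection needs DIR:"]
    path = ccname[len("DIR:"):]
    try:
        st = os.stat(path)
    except OSError:
        return ["ccache directory %s does not exist" % path]
    findings = []
    if not stat.S_ISDIR(st.st_mode):
        findings.append("%s is not a directory" % path)
    if st.st_uid != uid:
        findings.append("owned by uid %d, expected %d" % (st.st_uid, uid))
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):  # readable beyond the owner (and root)
        findings.append("mode %o grants group/other access" % stat.S_IMODE(st.st_mode))
    fstype = filesystem_type(path)
    if fstype is not None and fstype != "tmpfs":  # on disk it would outlive a reboot
        findings.append("on %s, not tmpfs; cache outlives a reboot" % fstype)
    return findings
```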