Fedora ticket cache location

Russ Allbery rra at stanford.edu
Sun Jun 10 19:40:13 EDT 2012


Stephen Gallagher <sgallagh at redhat.com> writes:
> On Thu, 2012-06-07 at 13:32 -0700, Russ Allbery wrote:

>> That sounds remarkably annoying to use as an application developer.  I
>> think a good design goal here should be to make this not much harder to
>> use than hardcoding /tmp if you want people to actually use it.

> Can we just replace this hard-coded string with a configure-time flag
> that allows variable-substitution? That would be easiest, I think.

This seems like a really broken solution to me.  It requires people
building the software on Fedora to figure out the magic string to use to
make the software work like other packages on Fedora.

> To answer your original question about Fedora ticket caches, the plan
> starting with Fedora 18 is to have caches stored (by default) in
> DIR:/run/user/<username>/krb5cc so that the location is 1) guaranteed to
> be readable only by the user (or root) and protectable by SELinux and 2)
> supports the multiple-TGT feature of recent krb5 and 3) is stored on a
> tmpfs system so that it is not retrievable on a stolen laptop by
> rebooting to single-user mode.

This doesn't seem to have anticipated the krenew use case where the goal
is to create a new ticket cache for the same principal as the existing
ticket cache but independent of the session (although still bound to the
user) so that it's preserved after logout.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
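The two properties Stephen attributes to the Fedora 18 default (cache private to the user, stored on tmpfs) can be checked from a shell, which is also what a krenew-style tool needs before writing a second cache. The script below is an added example, not code from the thread or from Fedora; it assumes GNU coreutils `stat`, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: verify a Kerberos credential cache location has the
# properties described in the thread (owned by the user, not group/world
# accessible, and on tmpfs so it does not survive a reboot).
# Assumes GNU coreutils stat (Linux). Function names are hypothetical.

# Strip the ccache type prefix and print the filesystem path.
# Only DIR: and FILE: (and a bare path, which krb5 treats as FILE:)
# map to a path; KEYRING:, KCM: and friends have no path and return 1.
ccache_path() {
    case "$1" in
        DIR:*)  printf '%s\n' "${1#DIR:}" ;;
        FILE:*) printf '%s\n' "${1#FILE:}" ;;
        *:*)    return 1 ;;
        *)      printf '%s\n' "$1" ;;
    esac
}

# Return 0 when the cache path is owned by the calling uid and carries no
# group or other permission bits: 0700 for a DIR: cache, 0600 for FILE:.
ccache_private() {
    p=$(ccache_path "$1") || return 1
    [ -e "$p" ] || return 1
    set -- $(stat -c '%a %u' "$p")   # $1 = octal mode, $2 = owner uid
    [ "$2" = "$(id -u)" ] || return 1
    case "$1" in
        700|600) return 0 ;;
        *)       return 1 ;;
    esac
}

# Return 0 when the cache lives on tmpfs (the "stolen laptop" property).
ccache_on_tmpfs() {
    p=$(ccache_path "$1") || return 1
    [ "$(stat -f -c '%T' "$p")" = "tmpfs" ]
}

# Report on the current session's cache when one is configured.
if [ -n "${KRB5CCNAME:-}" ]; then
    ccache_private  "$KRB5CCNAME" && echo "private: yes" || echo "private: no"
    ccache_on_tmpfs "$KRB5CCNAME" && echo "tmpfs: yes"   || echo "tmpfs: no"
fi
```

Run it with `KRB5CCNAME=DIR:/run/user/$(id -u)/krb5cc` to check the layout described above; a cache kept outside the session directory (as krenew would want) can be checked the same way.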