Fedora ticket cache location

Stephen Gallagher sgallagh at redhat.com
Sun Jun 10 19:54:03 EDT 2012


On Sun, 2012-06-10 at 16:40 -0700, Russ Allbery wrote:
> Stephen Gallagher <sgallagh at redhat.com> writes:
> > On Thu, 2012-06-07 at 13:32 -0700, Russ Allbery wrote:
> 
> >> That sounds remarkably annoying to use as an application developer.  I
> >> think a good design goal here should be to make this not much harder to
> >> use than hardcoding /tmp if you want people to actually use it.
> 
> > Can we just replace this hard-coded string with a configure-time flag
> > that allows variable-substitution? That would be easiest, I think.
> 
> This seems like a really broken solution to me.  It requires people
> building the software on Fedora to figure out the magic string to use to
> make the software work like other packages on Fedora.
> 
> > To answer your original question about Fedora ticket caches, the plan
> > starting with Fedora 18 is to have caches stored (by default) in
> > DIR:/run/user/<username>/krb5cc so that the location is 1) guaranteed to
> > be readable only by the user (or root) and protectable by SELinux and 2)
> > supports the multiple-TGT feature of recent krb5 and 3) is stored on a
> > tmpfs system so that it is not retrievable on a stolen laptop by
> > rebooting to single-user mode.
> 
> This doesn't seem to have anticipated the krenew use case where the goal
> is to create a new ticket cache for the same principal as the existing
> ticket cache but independent of the session (although still bound to the
> user) so that it's preserved after logout.
> 

Sorry, I guess I may not have been clear. /run/user/<username> will
persist until system reboot, and SSSD will handle automatically renewing
the credential cache for a user as long as the renew time lasts (if
configured to do so). So if I understand correctly, it's covering the
use case appropriately (without relying on krenew to actually do the
heavy-lifting).
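As an added check (example code, not from this thread or from krb5/SSSD), the following Python verifies, for a given directory, the properties the message above attributes to DIR:/run/user/<username>/krb5cc: owned by the user, not readable by group or others, and held on tmpfs. The function names and the /proc/mounts lookup are this example's own; the tmpfs test is Linux-specific and reports None where it cannot be determined.

```python
import os
import stat
import tempfile


def mount_fstype(path):
    """Filesystem type of the mount holding `path` (via Linux /proc/mounts), or None."""
    path = os.path.realpath(path)
    best, fstype = "", None
    try:
        with open("/proc/mounts") as f:
            for line in f:
                parts = line.split()
                if len(parts) < 3:
                    continue
                mnt = parts[1].replace("\\040", " ")  # /proc/mounts escapes spaces
                # longest matching mount point wins (nested mounts)
                if (path == mnt or path.startswith(mnt.rstrip("/") + "/")) and len(mnt) >= len(best):
                    best, fstype = mnt, parts[2]
    except OSError:
        return None  # no /proc/mounts (non-Linux) or unreadable
    return fstype


def check_ccache_dir(path, uid=None):
    """Evaluate the claimed properties of a DIR: credential cache directory.

    Returns a dict of findings; True means the property holds, None means undetermined.
    """
    uid = os.getuid() if uid is None else uid
    st = os.stat(path)
    fstype = mount_fstype(path)
    return {
        "is_directory": stat.S_ISDIR(st.st_mode),
        "owned_by_user": st.st_uid == uid,
        # any group/other bit set would let other local users list or read caches
        "no_group_other_access": (st.st_mode & 0o077) == 0,
        # tmpfs means the caches do not survive a reboot into single-user mode
        "on_tmpfs": (fstype == "tmpfs") if fstype is not None else None,
    }


def ccache_dir_ok(path, uid=None):
    """True only when ownership and mode match what the thread requires."""
    r = check_ccache_dir(path, uid)
    return r["is_directory"] and r["owned_by_user"] and r["no_group_other_access"]


def make_demo_dir(mode):
    """Constructed sample input: a scratch directory with the given mode, for trying the checks."""
    d = tempfile.mkdtemp()
    os.chmod(d, mode)
    return d
```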