Fedora ticket cache location
Simo Sorce
simo at redhat.com
Mon Jun 11 10:27:54 EDT 2012
On Mon, 2012-06-11 at 09:27 -0400, Sam Hartman wrote:
> >>>>> "Stephen" == Stephen Gallagher <sgallagh at redhat.com> writes:
>
> Stephen> DIR:/run/user/<username>/krb5cc so that the location is 1) guaranteed to
> Stephen> be readable only by the user (or root) and protectable by SELinux and 2)
> Stephen> supports the multiple-TGT feature of recent krb5 and 3) is stored on a
> Stephen> tmpfs system so that it is not retrievable on a stolen laptop by
> Stephen> rebooting to single-user mode.
>
> Can we get clarity about <username> in the above?
> There are a number of ways to get the username in a process. From sssd's
> standpoint, it doesn't matter, but we should be clear about what krb5
> should do here. As an example of the possibilities:
>
> * LOGNAME environment variable
>
> * USER environment variable
>
> * getpwuid(get?uid())
>
> * getlogin() which is probably right for BSD but is kind of a bad idea
> for Linux because of the utmp dependency
We normally set KRB5CCNAME at login so you don't have to guess.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
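A short C illustration of the resolution order discussed in this thread, added here as an example and not code from Simo, Sam, MIT krb5 or sssd: honour KRB5CCNAME when the login stack exported it, otherwise fall back to the proposed DIR:/run/user/<username>/krb5cc layout, taking the username from getpwuid(getuid()) rather than from LOGNAME/USER (plain environment variables the caller can set to anything) or getlogin() (which depends on utmp). The function names build_dir_ccache, pick_ccache and ccache_for_caller are my own, as is the check that refuses a username containing a path separator before it is used as a directory component.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <pwd.h>
#include <sys/types.h>

/* Build "DIR:/run/user/<username>/krb5cc" as proposed in the thread.
 * The username becomes a path component, so reject anything that
 * could escape the per-user directory. Returns 0 on success, -1 on error. */
int build_dir_ccache(const char *username, char *out, size_t outlen)
{
    if (username == NULL || *username == '\0')
        return -1;
    if (strchr(username, '/') != NULL || strcmp(username, ".") == 0 ||
        strcmp(username, "..") == 0)
        return -1;
    int n = snprintf(out, outlen, "DIR:/run/user/%s/krb5cc", username);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return 0;
}

/* Resolution order from the thread: honour KRB5CCNAME if the login
 * stack exported it (an empty value counts as unset), otherwise fall
 * back to the per-user DIR cache built from the passwd name. */
int pick_ccache(const char *env_krb5ccname, const char *username,
                char *out, size_t outlen)
{
    if (env_krb5ccname != NULL && *env_krb5ccname != '\0') {
        size_t len = strlen(env_krb5ccname);
        if (len >= outlen)
            return -1;
        memcpy(out, env_krb5ccname, len + 1);
        return 0;
    }
    return build_dir_ccache(username, out, outlen);
}

/* Pick the ccache for the calling process. The username comes from
 * getpwuid(getuid()): the uid is supplied by the kernel, whereas
 * LOGNAME and USER are ordinary environment variables the caller can
 * set to anything, and getlogin() is only as accurate as utmp. */
int ccache_for_caller(char *out, size_t outlen)
{
    struct passwd *pw = getpwuid(getuid());
    const char *name = (pw != NULL) ? pw->pw_name : NULL;
    return pick_ccache(getenv("KRB5CCNAME"), name, out, outlen);
}

int main(void)
{
    char cc[512];
    const char *env_user = getenv("USER");
    struct passwd *pw = getpwuid(getuid());

    /* Show the two username sources side by side; they differ as soon
     * as USER has been edited in the environment. */
    printf("USER env:          %s\n", env_user ? env_user : "(unset)");
    printf("getpwuid(getuid()): %s\n", pw ? pw->pw_name : "(no passwd entry)");

    if (ccache_for_caller(cc, sizeof cc) == 0)
        printf("ccache:            %s\n", cc);
    else
        printf("ccache:            could not be determined\n");
    return 0;
}
```

Run it once normally and once as `USER=somebodyelse ./a.out`: the USER line changes, the getpwuid line and the derived ccache path do not, which is the property that makes the uid-based lookup the safer default when KRB5CCNAME is absent.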