Keytab-based initiator creds design

Nico Williams nico at cryptonector.com
Mon Jun 11 17:37:17 EDT 2012


On Mon, Jun 11, 2012 at 4:01 PM, Simo Sorce <simo at redhat.com> wrote:
> On Mon, 2012-06-11 at 11:47 -0700, Henry B. Hotz wrote:
>> The session ID, or per-session credential caches?
>
> The second.

I've been coming around to that view in recent years too.  People who
run multiple apps in different PAGs, with different Kerberos
credentials, but all with the same UID (euid) tend to do this for
credential selection reasons.  Credential selection is probably best
addressed via a different mechanism altogether (see krb5_cc_select()).

Also, PAGs provide no isolation.  If isolation is required then either
different UIDs or MAC are required.

Nico
--