Headsup! krb5 ccache defaults are changing in Rawhide

Stephen Gallagher sgallagh at redhat.com
Fri Feb 24 02:42:16 UTC 2012


On Thu, 2012-02-23 at 23:58 +0000, David Howells wrote:
> Stephen Gallagher <sgallagh at redhat.com> wrote:
> 
> > with the upcoming Fedora 18 release (currently Rawhide) we are going to
> > change the place where krb5 credential cache files are saved by default.
> > 
> > The new default for credential caches will be the /run/user/<username>
> > directory.
> 
> Alternatively, you could put them in the kernel keyrings: make a keyring under
> the current session keyring and store them in there.  There is code there to
> do that.  That then makes them per-login-session and allows local overriding
> of the credentials by creating a new session keyring.


We considered the kernel keyring but discovered that it's insufficient
for a number of reasons. For one, the kernel keyring is (as I understand
it) unswappable kernel memory. Kerberos credential caches that contain
complex PAC/PAD data (such as those acquired from complex Active
Directory forests) can use up a fairly sizeable amount of memory.

For another, the kernel keyring does not support multiple concurrent
TGTs (the support of which requires the DIR: credential cache format,
which we are also going to make an effort to support in the same
timeframe).

So the best move for us at this time (we feel) is to get everyone
on-board with having the credential caches in a well-known location
other than /tmp. /run/user/username offers us a number of advantages
with regards to security.