krb5 keyring ccache
eagle at windlord.stanford.edu
Fri May 4 08:34:45 PDT 2012
Benjamin Coddington <bcodding at uvm.edu> writes:
> We're interested in using Linux session keyrings to hold krb5
> credentials acquired through webauth. I'd like to propose one approach.
> If acceptable, I'd be happy to submit the required changes to include
> documentation and config requirements.
> This approach reuses the existing WebAuthCredCacheDir directive by
> passing it along unchanged if it begins with "KEYRING:" to
> webauth_krb5_init_via_cred -> krb5_cc_resolve.
Looks like a great idea to me. The only change that I'd recommend is
that, rather than special-case KEYRING, instead preserve the current
behavior only if the argument begins with FILE: or doesn't begin with a
cache type. Most other cache types, like KEYRING, aren't file system
caches and should be treated the same way that you're treating KEYRING.
Thanks for this!
Russ Allbery <eagle at windlord.stanford.edu>
Technical Lead, ITS Infrastructure Delivery Group, Stanford University
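The rule recommended in the reply above, sketched as an added example (not code from this thread or from WebAuth): only values with no cache type or an explicit FILE: type keep the existing file-system handling, and every other type is handed to krb5_cc_resolve unchanged. The enum, the function name, the sample values and the definition of what counts as a cache type prefix are assumptions of this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names for this example; not identifiers from WebAuth. */
enum cache_kind {
    CACHE_PLAIN_PATH,   /* no cache type: keep the existing handling */
    CACHE_FILE_TYPE,    /* explicit FILE: type: keep the existing handling */
    CACHE_PASS_THROUGH  /* any other type: pass unchanged to krb5_cc_resolve */
};

/*
 * Classify a WebAuthCredCacheDir value. Assumption of this example: a cache
 * type is a leading run of two or more letters, digits or '_' ended by ':',
 * matched case-sensitively. "/tmp/a:b" therefore counts as a plain path.
 */
enum cache_kind
classify_cred_cache(const char *value)
{
    size_t len = 0;

    if (value == NULL)
        return CACHE_PLAIN_PATH;
    while (isalnum((unsigned char) value[len]) || value[len] == '_')
        len++;
    if (len < 2 || value[len] != ':')
        return CACHE_PLAIN_PATH;
    if (len == 4 && strncmp(value, "FILE", 4) == 0)
        return CACHE_FILE_TYPE;
    return CACHE_PASS_THROUGH;
}

int
main(void)
{
    /* Constructed sample values, not taken from the thread. */
    const char *samples[] = {
        "/var/lib/webauth/krb5", "FILE:/var/lib/webauth/krb5",
        "KEYRING:session:webauth", "MEMORY:webauth", "/tmp/a:b"
    };
    static const char *names[] = { "plain path", "FILE type", "pass through" };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-28s -> %s\n", samples[i], names[classify_cred_cache(samples[i])]);
    return 0;
}
```

A relative directory name that itself contains a colon after a short alphanumeric prefix would be read as a cache type under this rule, so such values need an explicit FILE: prefix.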
More information about the webauth-info