[38588] in Kerberos
Re: krb5 library missing functions for collections
daemon@ATHENA.MIT.EDU (Greg Hudson)
Fri Jul 26 11:22:49 2019
To: Charles Hedrick <hedrick@rutgers.edu>
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <79c8b429-89d8-3ff9-c6dc-3b9bd68fce72@mit.edu>
Date: Fri, 26 Jul 2019 11:22:31 -0400
MIME-Version: 1.0
In-Reply-To: <30D49B12-7535-448B-8FE6-A7210648753A@rutgers.edu>
Content-Language: en-US
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit
On 7/26/19 9:09 AM, Charles Hedrick wrote:
> I’ve submitted a feature request to fix the default ccselect plugin so
> it reads /etc/k5identity if the user doesn’t have one or it doesn’t
> apply. Also, you’d need to recognize ${username}. That would let me
> specify a policy for NFS credentials, which could conceivably even
> differ for different file servers. I think that’s the best that can be
> done with the current kernel.
A possible pure-userspace solution is to establish a local directory per
user in a well-known location, where users (or some agent operating as
the user's uid) can copy a ticket cache into, under a well-known filename.
If rpc.gssd finds a cache there, it could use it in preference to
picking from the user's collection. This doesn't give the kind of
per-process control you can get from AFS's pagsh, but it does give
control to users as opposed to a root-owned file like /etc/k5identity.
On machines using systemd, /run/user/uid could be leveraged for this
purpose, although that directory will only exist while the user is
logged in (so not for cron jobs).
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
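The per-user staging directory Greg sketches above, as an added example that is not code from this thread, from MIT krb5 or from nfs-utils: a user-side helper copies a ticket cache into a /run/user/<uid>-style directory under a well-known name, refusing the directory unless it is a plain directory owned by the user and not writable by anyone else (so no other local user can plant the cache rpc.gssd would prefer). The filename `krb5cc_nfs`, the function names and the fake cache payload are assumptions.

```python
import os
import shutil
import stat
import tempfile

CCACHE_NAME = "krb5cc_nfs"  # assumed well-known filename; not from the message

def validate_user_dir(path, uid):
    # Only a plain directory (lstat, so a symlink fails S_ISDIR) owned by uid
    # and not group/world writable may hold the cache rpc.gssd would prefer.
    st = os.lstat(path)
    if not stat.S_ISDIR(st.st_mode):
        raise ValueError("staging path is not a plain directory")
    if st.st_uid != uid:
        raise ValueError("staging directory not owned by uid %d" % uid)
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise ValueError("staging directory is group- or world-writable")

def stage_ccache(src, user_dir, uid):
    # Copy src under the well-known name via temp file + rename, so a reader
    # never observes a half-written cache.
    validate_user_dir(user_dir, uid)
    dest = os.path.join(user_dir, CCACHE_NAME)
    fd, tmp = tempfile.mkstemp(dir=user_dir, prefix=".krb5cc.")
    try:
        with os.fdopen(fd, "wb") as out, open(src, "rb") as inp:
            shutil.copyfileobj(inp, out)
        os.chmod(tmp, 0o600)   # cache stays private to the user
        os.replace(tmp, dest)  # atomic rename on POSIX
    except BaseException:
        os.unlink(tmp)
        raise
    return dest

def demo():
    # Stand-in for /run/user/<uid> in a temp dir, with a constructed fake cache.
    uid, root = os.getuid(), tempfile.mkdtemp()
    user_dir = os.path.join(root, str(uid))
    os.mkdir(user_dir, 0o700)
    src = os.path.join(root, "src_ccache")
    with open(src, "wb") as f:
        f.write(b"CONSTRUCTED-FAKE-CCACHE")
    mode = stat.S_IMODE(os.stat(stage_ccache(src, user_dir, uid)).st_mode)
    os.chmod(user_dir, 0o777)  # simulate a tampered, world-writable directory
    try:
        stage_ccache(src, user_dir, uid)
        rejected = False
    except ValueError:
        rejected = True
    shutil.rmtree(root)
    return {"mode": mode, "rejected": rejected}
```

The same ownership and mode checks belong on the consuming side too: an rpc.gssd that prefers this cache should verify the directory before trusting a file in it.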