[32815] in Kerberos


Re: override default credentials cache file location

daemon@ATHENA.MIT.EDU (Zaar Hai)
Thu Oct 14 19:04:24 2010

From: Zaar Hai <haizaar@gmail.com>
In-Reply-To: <1287083589.19112.411.camel@ray>
Mime-Version: 1.0 (iPhone Mail 8A293)
Date: Fri, 15 Oct 2010 01:04:57 +0200
Message-ID: <4672642529141194544@unknownmsgid>
To: Greg Hudson <ghudson@mit.edu>
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

On 14 Oct 2010, at 21:13, Greg Hudson <ghudson@MIT.EDU> wrote:

> On Thu, 2010-10-14 at 06:26 -0400, Zaar Hai wrote:
> I've thought of making default cache location to be
> /var/cars/krb5ccache which will be mounted to RAM, making above
> scenario much harder to execute.
>
> Unfortunately, this appears to be hardcoded:
>    snprintf(name_buf, name_size, "FILE:/tmp/krb5cc_%ld", (long) getuid());
>
> As Chris Ward points out, $KRB5CCNAME determines the default ccache
> location on a per-process basis.  If you're using pam_krb5, it will
> typically set KRB5CCNAME for the login system, and you should be able to
> instruct it to put the ccache somewhere other than /tmp; consult the
> pam_krb5 man page on your system for details.

Thank you guys for the hint.
I guess for now my only option is to fix KRB5CCNAME for each kerberised
service I've got, which includes ssh, apache, pam, and various other
services that use k5start helper. Too bad it's hard-coded. It would be best
to have it configurable in libdefaults of krb5.conf.

1. Where can I submit a feature request for this?
2. MEMORY ccache type will not be good for pam_krb5, but only for things
like LDAP server that do not spawn subprocesses / shells, correct?

Thanks again,
Zaar.
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
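
The per-service KRB5CCNAME approach discussed in this thread, as an added example that is not part of the original messages: a small wrapper that gives each service its own private ccache directory and sets KRB5CCNAME only for that process. The function names, the service names and the base directory are assumptions; point the base at a RAM-backed mount on your system.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and the base
# directory argument are hypothetical.

# Mirror the lookup described above: $KRB5CCNAME wins, otherwise the
# hardcoded FILE:/tmp/krb5cc_<uid> default applies.
effective_ccache() {
    if [ -n "${KRB5CCNAME:-}" ]; then
        printf '%s\n' "$KRB5CCNAME"
    else
        printf 'FILE:/tmp/krb5cc_%s\n' "$(id -u)"
    fi
}

# Create a private directory for service $2 under base $1 and print the
# ccache name to use for it.
service_ccache() {
    base=$1
    svc=$2
    case $svc in
        ''|*[!A-Za-z0-9_-]*)
            echo "bad service name: $svc" >&2
            return 1 ;;
    esac
    dir="$base/$svc"
    # umask 077 so the directory is never briefly readable by others.
    ( umask 077 && mkdir -p "$dir" ) || return 1
    # Refuse a symlink, or a directory owned by another user.
    [ -d "$dir" ] && [ ! -L "$dir" ] && [ -O "$dir" ] || {
        echo "refusing unsafe ccache dir: $dir" >&2
        return 1
    }
    chmod 700 "$dir" || return 1
    printf 'FILE:%s/krb5cc_%s\n' "$dir" "$(id -u)"
}

# Run a command with KRB5CCNAME set for that process only; the calling
# shell's environment is left unchanged.
run_with_ccache() {
    base=$1
    svc=$2
    shift 2
    name=$(service_ccache "$base" "$svc") || return 1
    env KRB5CCNAME="$name" "$@"
}
```

Call it as `run_with_ccache <base-dir> <service> <command> [args...]` from the service's start script.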
