Re: MEMORY credential cache interop between Heimdal and MIT?

[Michael B Allen <miallen@ioplex.com>]

On Wed, 22 Aug 2007 14:01:06 -0400
Jeffrey Altman <jaltman@secure-endpoints.com> wrote:

> Michael B Allen wrote:
> > I think that the ccache plugin idea is a worthwhile project. Yes, I
> > think it would solve Alf's original issue. But by itself it would not
> > solve the shared storage or access control issues (access control being
> > what I am really interested in).
> >   
> We have been urging OS vendors for years to develop and support a standard
> credentials cache for their platform.  For Microsoft Windows this is the
> LSA.  For MacOS X
> there is the MIT CCAPI.  For Linux there is the Keyring.  Sun is rumored
> to be developing
> something for Solaris 11. 
> 
> The benefit of the ccache plug-in idea is that it is something that we
> can do today that is
> almost a trivial change to the existing MIT and Heimdal distributions
> and which can be used
> to extend the Kerberos distributions in the future to support any
> additional platform specific
> credential cache type that will become available in the future without
> requiring that the
> Kerberos libraries be re-built.
> 
> Using a kernel extension is certainly one way of implementing a
> credential cache.  However,
> you are still going to have to plug it into the Kerberos libraries.  The
> existing FILE: krb5_cc
> cache interface is not going to properly communicate with the extension
> and even if it did,
> the FILE: krb5_cc interface only knows how to store credentials for a
> single Kerberos v5
> principal per file. 
> 
> Your desire to implement another credential type simply convinces me
> more that the
> krb5_cc plug-in concept is more necessary than ever.

I agree. It might turn out that developing the krb5_cc plugin is the
right thing to do when interfacing the kernel extension with libkrb5 in
which case I'll look into it.

Mike

-- 
Michael B Allen
PHP Active Directory Kerberos SSO
http://www.ioplex.com/