On Thu, 2012-02-23 at 23:58 +0000, David Howells wrote:
> Stephen Gallagher <sgallagh@xxxxxxxxxx> wrote:
>
> > with the upcoming Fedora 18 release (currently Rawhide) we are going to
> > change the place where krb5 credential cache files are saved by default.
> >
> > The new default for credential caches will be the /run/user/<username>
> > directory.
>
> Alternatively, you could put them in the kernel keyrings: make a keyring under
> the current session keyring and store them in there. There is code there to
> do that. That then makes them per-login-session and allows local overriding
> of the credentials by creating a new session keyring.

We considered the kernel keyring but discovered that it's insufficient for a
number of reasons.

For one, the kernel keyring is (as I understand it) unswappable kernel memory.
Kerberos credential caches that contain complex PAC/PAD data (such as those
acquired from complex Active Directory forests) can use up a fairly sizeable
amount of memory.

For another, the kernel keyring does not support multiple concurrent TGTs (the
support of which requires the DIR: credential cache format, which we are also
going to make an effort to support in the same timeframe).

So the best move for us at this time (we feel) is to get everyone on-board with
having the credential caches in a well-known location other than /tmp.
/run/user/username offers us a number of advantages with regards to security.
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
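The security advantage the thread attributes to /run/user/<uid> over /tmp is that the cache lives in a directory private to one user. The following is an added example, not code from the thread or from Fedora, that checks that property for the directory a Kerberos client would use (derived from KRB5CCNAME, FILE: or DIR:, or the /run/user/<uid> default); it assumes GNU coreutils `stat` on Linux.

```shell
#!/bin/sh
# Added example (not from the thread). Verifies that a credential cache
# directory is owned by the caller and has no group/other permission bits,
# which is what /run/user/<uid> provides and a shared /tmp does not.
# Assumes GNU coreutils `stat -c` (Linux). Returns 0 when the directory is private.
ccache_dir_is_private() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    # "<octal mode> <owner uid>", e.g. "700 1000" or "1777 0" for /tmp
    set -- $(stat -c '%a %u' "$dir")
    mode=$1; owner=$2
    me=$(id -u)
    if [ "$owner" != "$me" ]; then
        echo "owned by uid $owner, not $me: $dir" >&2; return 1
    fi
    # Normalise to four octal digits (special, user, group, other) so that
    # "700", "1777" and "0" are all handled the same way.
    perms=$(printf '%04d' "$mode")
    grp=$(printf '%s' "$perms" | cut -c3)
    oth=$(printf '%s' "$perms" | cut -c4)
    if [ "$grp" != "0" ] || [ "$oth" != "0" ]; then
        echo "group/other access allowed (mode $mode): $dir" >&2; return 1
    fi
    return 0
}

# Work out which directory holds the cache: the DIR: collection, the parent
# of a FILE: cache (a bare path is treated as FILE:), or, when KRB5CCNAME is
# unset, the /run/user/<uid> default the thread proposes.
ccache_dir_from_env() {
    case "${KRB5CCNAME:-}" in
        DIR:*)  printf '%s\n' "${KRB5CCNAME#DIR:}" ;;
        FILE:*) dirname "${KRB5CCNAME#FILE:}" ;;
        "")     printf '/run/user/%s\n' "$(id -u)" ;;
        *)      dirname "$KRB5CCNAME" ;;
    esac
}

# Usage: ccache_dir_is_private "$(ccache_dir_from_env)" && echo "cache dir is private"
```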