On 05/30/2014 01:38 PM, [email protected] wrote: > the bad news is that it did not always work quite as expected.
All of the behaviors you describe are intended, but they could probably be documented better. > KRB5CCNAME=MEMORY: KRB5_CLIENT_KTNAME=some.key.file \ > app-with-gssapi-calls > this worked extemely well. no clashes occured with any other tgt, > with either the FILE:... or DIR:... syntax. You might want to give the memory ccache a name (MEMORY:mycache), although I guess the empty name works too. > however, i believe > some dialects of unix make all of memory available via things like > /dev/kmem or /proc/core, which could pose security issues... Not a concern. Your process's memory is at least as secure as the files it reads from. > one other thought: what happens to app-with-gssapi-calls if it > runs past the time limit for the tgt obtained by this mechanism? The KRB5_CLIENT_KTNAME mechanism will renew the TGT when it is halfway to expired. So if you get ten-hour tickets by default, the resulting connection should be valid for at least five hours, if the application even checks. ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
