New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Cache collections APIs and commands only support default collections #1146
Comments
10 tasks
nicowilliams
changed the title
The
Using non-default credentials caches / cache collections with commands that want to search them causes the default credentials cache collections to be searched instead, and worse, credentials possible to be created there
Jun 5, 2023
get_cache_first()
method of krb5_cc_ops
should have had a collection name argument.
So there is some appetite to fix these things in MIT, but it's gone undone for a long time. And my own energy on this may be running out. |
nicowilliams
changed the title
Using non-default credentials caches / cache collections with commands that want to search them causes the default credentials cache collections to be searched instead, and worse, credentials possible to be created there
Cache collections APIs and commands only support default collections
Jun 5, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
See discussion in #1143 for problems this causes.
Using non-default credentials caches / cache collections with commands that want to search them causes the default credentials cache collections to be searched instead, and worse, credentials possible to be created there.
The cache collection APIs we copied from MIT Kerberos all lack a suitable way to identify a collection, and all instead search all the default collections:
krb5_cc_cache_match()
-- no cache [collection] name in sight in its prototypekrb5_cccol_cursor_new()
/krb5_cccol_cursor_next()
-- no cache [collection] name in sight in its prototypeOn the other hand,
krb5_cc_cache_get_first()
does have aconst char *type
argument that we can change toconst char *type_or_collection
(i.e., allow it to acceptSCC
but alsoSCC:${HOME}/.scc
, for example), but then theget_cache_first()
method ofkrb5_cc_ops
doesn't itself take a similar argument, thus we cannot extend ``krb5_cc_cache_get_first()'s semantics in this way without adding a new method to
krb5_cc_ops` that is like `get_cache_first()` but which takes that same extra `const char *` argument.Things we could do about this:
KRB5CCNAME
, but x6)We should probably also ask @greghudson what MIT Kerberos might or might not accept in this space. We can diverge, naturally, but if we can at least get consensus on whether one ought to even be able to have non-default cache collections, that'd be great.
The text was updated successfully, but these errors were encountered: