5

MIT Kerberos supports multiple types of credential cache to store tickets.

For example, if I want to use a persistent keyring per-user in kernel memory, I can add the following to krb5.conf.

    [libdefaults]
        default_ccache_name = KEYRING:persistent:%{uid}

One of the options is a ccache in process memory.

How do I enable this option?

rlf

1 Answer

2

As explained in the linked document, the memory cache uses the `MEMORY` keyword, so the following should do the job:

    default_ccache_name = MEMORY:

But note that this type of ccache will be destroyed once the process exits. Note that the `:` needs to be present; otherwise it will try to store the ticket in a file called `MEMORY` in the current working directory.

Jakuje
  • Does this mean that when obtaining the TGT with `kinit` the TGT is destroyed right after `kinit` terminates? As far as I know it only runs for like a second to obtain the TGT and then it exits. What's the use case for such a ccache type? – arne.z Jun 16 '17 at 19:38
  • I didn't try that, but from the manual it looks like that. If you have Kerberos set up at hand, what is harder than trying that? The manual talks about `kadmin`, which is a separate "shell" taking administrative commands, where it would make sense (unlike the `kinit` command, which is useful for long-term tickets). – Jakuje Jun 16 '17 at 19:40
  • This method does not work! It just creates a file in the current working directory to `kinit` called: "MEMORY". It seems that the default ccache type is `FILE` and if no other recognised keyword is prepended it is assumed to be `FILE`. – rlf Jun 16 '17 at 21:19
  • Can you try with `MEMORY:`? I don't have Kerberos set up at hand. – Jakuje Jun 17 '17 at 05:39
  • Thank you! This indeed works. I couldn't edit the answer to reflect this as there weren't enough character changes. I will happily accept it when the answer gets updated. – rlf Jun 17 '17 at 12:53
  • I updated the answer. – Jakuje Jun 17 '17 at 12:54
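
A small lint for the pitfall this thread settled on, added here as an example (not code from the posters or from MIT Kerberos): it reads krb5.conf text and flags a `default_ccache_name` value that lacks the `TYPE:` colon and therefore ends up as a ticket file on disk. The function names, the constructed sample config and the list of type names (taken from MIT's ccache documentation) are assumptions of the example.

```python
import re

# Ccache type names listed in MIT Kerberos' ccache documentation (assumed complete here).
KNOWN_TYPES = {"API", "DIR", "FILE", "KCM", "KEYRING", "MEMORY", "MSLSA"}
SETTING = re.compile(r"^\s*default_ccache_name\s*=\s*(\S.*?)\s*$")


def classify(value):
    """Return (ccache_type, residual, warning) for one default_ccache_name value."""
    prefix, sep, residual = value.partition(":")
    if not sep:
        # No colon: the whole value is treated as a FILE path, as reported
        # in the comments above, so the tickets are written to disk.
        warning = None
        if value in KNOWN_TYPES:
            warning = f"'{value}' has no ':' and becomes a file named {value}; use '{value}:'"
        elif not value.startswith("/"):
            warning = f"'{value}' is a relative FILE path under the working directory"
        return "FILE", value, warning
    if prefix not in KNOWN_TYPES:
        return prefix, residual, f"'{prefix}' is not a known ccache type"
    return prefix, residual, None


def lint(conf_text):
    """Return [(line_number, ccache_type, warning)] for every active setting.
    Simplification: sections are not tracked, only the key name is matched."""
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        if line.lstrip().startswith(("#", ";")):  # krb5.conf comment lines
            continue
        match = SETTING.match(line)
        if match:
            ctype, _, warning = classify(match.group(1))
            findings.append((lineno, ctype, warning))
    return findings


# Constructed sample input, not taken from a real host.
SAMPLE = """\
[libdefaults]
    default_ccache_name = KEYRING:persistent:%{uid}
    # default_ccache_name = MEMORY
    default_ccache_name = MEMORY
    default_ccache_name = MEMORY:
"""

if __name__ == "__main__":
    for lineno, ctype, warning in lint(SAMPLE):
        print(f"line {lineno}: type={ctype} {'WARNING: ' + warning if warning else 'ok'}")
```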