How to force Kerberos to use an in-memory credential cache?


As explained in the linked document, the memory cache uses the MEMORY keyword, so the following should do the job:

 default_ccache_name = MEMORY:

But note that this type of ccache will be destroyed once the process exits. Note that the : needs to be present; otherwise it will try to store the ticket in a file called MEMORY in the current working directory.
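The check below is an added example, not part of the original answer: it reads `default_ccache_name` from krb5.conf text and reports where tickets would end up, flagging the missing-colon case that leaves a ticket file in the working directory. The function names, the sample configs and the list of type names (taken from the MIT Kerberos ccache documentation) are assumptions of this example.

```python
import posixpath

# Credential cache type names documented for MIT Kerberos.
KNOWN_TYPES = {"FILE", "DIR", "KEYRING", "MEMORY", "KCM", "API", "MSLSA"}

# Constructed sample configs: the value that fails and the one that works.
BAD_CONF = "[libdefaults]\n    default_ccache_name = MEMORY\n"
GOOD_CONF = "[libdefaults]\n    default_ccache_name = MEMORY:\n"


def default_ccache_name(conf_text):
    """Return the first default_ccache_name under [libdefaults], or None."""
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif section == "libdefaults" and "=" in line:
            key, _, val = line.partition("=")
            if key.strip() == "default_ccache_name":
                return val.strip()
    return None


def classify(name, cwd="."):
    """Return (ccache_type, residual, note) for a ccache name."""
    prefix, sep, residual = name.partition(":")
    if not sep:
        # No colon: the whole string is taken as a FILE path, so a relative
        # name lands in the working directory of whatever ran kinit.
        path = posixpath.normpath(posixpath.join(cwd, name))
        return "FILE", path, "no ':' found, tickets go to file " + path
    if prefix not in KNOWN_TYPES:
        return None, residual, "unrecognised ccache type " + prefix
    if prefix == "MEMORY":
        return prefix, residual, "cache is destroyed when the process exits"
    return prefix, residual, None


if __name__ == "__main__":
    for conf in (BAD_CONF, GOOD_CONF):
        name = default_ccache_name(conf)
        print(name, "->", classify(name, cwd="/home/alice"))
```

The `KRB5CCNAME` environment variable overrides this setting, so a complete check on a live host would look at it as well.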


Author: rlf

Updated on September 18, 2022

Comments

  • rlf
    rlf almost 2 years

    MIT Kerberos supports multiple types of credential cache to store tickets.

    For example, if I want to use a persistent keyring per-user in kernel memory I can add the following to krb5.conf.

    [libdefaults]
        default_ccache_name = KEYRING:persistent:%{uid}
    

    One of the options is a ccache in process memory.

    How do I enable this option?

  • arne.z
    arne.z about 7 years
    Does this mean that when obtaining the TGT with kinit <username> the TGT is destroyed right after kinit terminates? As far as I know it only runs for like a second to obtain the TGT and then it exits. What's the use case for such a ccache type?
  • Jakuje
    Jakuje about 7 years
    I didn't try that, but from the manual it looks like that. If you have Kerberos set up at hand, what is harder than trying that? The manual talks about kadmin, which is a separate "shell" taking administrative commands, where it would make sense (unlike the kinit command, which is useful for long-term tickets).
  • rlf
    rlf about 7 years
    This method does not work! It just creates a file in the current working directory to kinit called: "MEMORY". It seems that the default ccache type is FILE and if no other recognised keyword is prepended it is assumed to be FILE.
  • Jakuje
    Jakuje about 7 years
    Can you try with "MEMORY:"? I don't have a Kerberos setup at hand.
  • rlf
    rlf about 7 years
    Thank you! This indeed works. I couldn't edit the answer to reflect this as there weren't enough character changes; I will happily accept it when the answer gets updated.
  • Jakuje
    Jakuje about 7 years
    I updated the answer.