
Hello there!

Till now the default ccache location has been:

    DEFCCNAME=DIR:/run/user/%%{uid}/krb5cc

Kerberos has supported kernel keyring ccaches for quite a while, so now is a good opportunity to consider moving the default ccache location to the kernel keyring instead, which brings several advantages:

- Avoiding involving the file system reduces the potential attack surface.
- Using Kerberos utilities while in another user's shell (acquired by su or sudo) will no longer throw a "credentials cache not found" error.

The move is unlikely to cause compatibility issues between Kerberos and identity management solutions such as SSSD and Winbind. SSSD reads the ccache location settings from Kerberos and will adapt to the change automatically. Winbind supports keyring-type ccache and goes even further to commend it as "the most secure and predictable method".

However, the following components require more thorough testing and/or additional patches to be made:

- YaST windows domain membership module: the module generates configuration files for file-based ccache; could it generate configurations that use the kernel keyring instead?
- SSH, NFS utilities, mod-auth-kerb: I am not yet sure whether these components can also make use of the kernel keyring; this needs more investigation.

Apart from those components above, are there other things I am missing?

Comments and suggestions are welcome.

Regards,
Howard

--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
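As an added example (not part of the post, and not code from the krb5 or openSUSE projects), the check below reads `default_ccache_name` from a krb5.conf `[libdefaults]` section, falls back to the build-time DEFCCNAME when the setting is absent, expands `%{uid}`, and reports whether the resulting ccache type (FILE or DIR) keeps credentials on the file system. The two krb5.conf fragments and the uid are constructed sample input; the DEFCCNAME value is the one quoted in the post, written with the single `%` that krb5's parameter expansion uses in a config file.

```python
import re

# Ccache types whose tickets live as files on disk (MIT Kerberos).
FILESYSTEM_BACKED = {"FILE", "DIR"}

# Build-time default quoted in the post (single % as used in krb5.conf).
BUILD_DEFCCNAME = "DIR:/run/user/%{uid}/krb5cc"

# Constructed sample configs: one with no ccache setting, one using the keyring.
CURRENT_CONF = "[libdefaults]\n    default_realm = EXAMPLE.COM\n"
KEYRING_CONF = (
    "[libdefaults]\n"
    "    default_realm = EXAMPLE.COM\n"
    "    default_ccache_name = KEYRING:persistent:%{uid}\n"
)


def parse_default_ccache_name(krb5_conf: str, compiled_default: str) -> str:
    """Return default_ccache_name from [libdefaults], or the build-time DEFCCNAME."""
    section = None
    for raw in krb5_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank or comment line
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            continue
        if section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "default_ccache_name":
                return value
    return compiled_default


def classify_ccache(name: str, uid: int) -> dict:
    """Expand %{uid}, split off the type prefix, and flag file-system-backed caches."""
    expanded = name.replace("%{uid}", str(uid))
    cctype, sep, residual = expanded.partition(":")
    if not sep:                              # bare path: MIT treats it as FILE
        cctype, residual = "FILE", expanded
    return {
        "type": cctype,
        "residual": residual,
        "filesystem_backed": cctype in FILESYSTEM_BACKED,
    }


def audit(krb5_conf: str, uid: int, compiled_default: str = BUILD_DEFCCNAME) -> dict:
    """Resolve the effective ccache for a uid and classify it."""
    return classify_ccache(parse_default_ccache_name(krb5_conf, compiled_default), uid)
```

With the sample input, `audit(CURRENT_CONF, 1000)` resolves to the DIR cache under `/run/user/1000/krb5cc` (file-system backed), while `audit(KEYRING_CONF, 1000)` resolves to `KEYRING:persistent:1000`, which is not.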