
Projects/APIs for keytab and cccol content

From K5Wiki
Revision as of 13:26, 2 June 2012 by Ghudson (talk | contribs) (Description)

An announcement has been sent to krbdev@mit.edu starting a review of this project. That review will conclude on 2012-06-08.

Comments can be sent to krbdev@mit.edu.
This project is to implement the Heimdal API krb5_kt_have_content().

Background

In certain situations, it is desirable to know whether a keytab is actually present and populated. For example, acquiring GSS acceptor credentials with the krb5 mech should not succeed if the default keytab file doesn't exist. krb5_kt_resolve() does not answer this question, as it returns successfully even if the file doesn't exist.

Description

The API signature is:

   krb5_error_code krb5_kt_have_content(krb5_context context, krb5_keytab keytab);

It returns 0 if the keytab exists and contains at least one entry, or KRB5_KT_NOTFOUND if it does not.

Implementation

The Heimdal implementation begins iterating over the keytab and returns true if one entry can be retrieved. We can make the implementation somewhat more efficient using a vtable method; for instance, the FILE keytab type can stat the keytab and return true if the file size is larger than the size of a keytab header. But this optimization is probably not worth the code footprint.

The KDB keytab is not iterable. Since KDBs are almost never empty, it is probably reasonable to return true unconditionally for non-iterable keytabs.
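As an added example (not code from the MIT or Heimdal trees), the following C applies the iteration approach described above to a version-2 FILE keytab image held in memory, stopping at the first live entry, and contrasts it with the stat()-style size shortcut. It assumes the version-2 FILE keytab layout (a 2-byte header 0x05 0x02, then records each prefixed by a big-endian 32-bit length, where a negative length marks a deleted slot) and uses constructed sample images.

```c
#include <stddef.h>
#include <stdint.h>

/* Result codes standing in for 0 / KRB5_KT_NOTFOUND (values are illustrative). */
enum kt_content { KT_HAS_CONTENT = 0, KT_NOTFOUND = 1, KT_MALFORMED = 2 };

/* FILE keytab header: the byte 0x05 followed by the format version byte. */
#define KT_HEADER_LEN 2

static int32_t read_be32(const uint8_t *p)
{
    uint32_t v = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                 ((uint32_t)p[2] << 8) | (uint32_t)p[3];
    return (int32_t)v;
}

/* Walk the records of a version-2 keytab image. A positive record length is a
 * live entry (its body is not inspected), a negative one is a deleted slot of
 * that many bytes. Returns KT_HAS_CONTENT at the first live entry, KT_NOTFOUND
 * when only the header or deleted slots remain. Version 1 (host byte order)
 * and zero-length records are treated as malformed in this example. */
enum kt_content keytab_have_content(const uint8_t *buf, size_t len)
{
    size_t off = KT_HEADER_LEN;

    if (len < KT_HEADER_LEN || buf[0] != 0x05 || buf[1] != 0x02)
        return KT_MALFORMED;
    while (off + 4 <= len) {
        int32_t reclen = read_be32(buf + off);
        size_t skip;
        off += 4;
        if (reclen > 0)
            return KT_HAS_CONTENT;
        if (reclen == 0)
            return KT_MALFORMED;
        skip = (size_t)(-(int64_t)reclen);   /* deleted slot: step over it */
        if (skip > len - off)
            return KT_MALFORMED;
        off += skip;
    }
    return KT_NOTFOUND;
}

/* The size-only shortcut: true whenever the file is larger than the header. */
int keytab_size_suggests_content(size_t len) { return len > KT_HEADER_LEN; }

/* Constructed sample images (not taken from any real keytab). */
static const uint8_t kt_empty[]   = { 0x05, 0x02 };
static const uint8_t kt_deleted[] = { 0x05, 0x02, 0xff, 0xff, 0xff, 0xf8,
                                      0, 0, 0, 0, 0, 0, 0, 0 };
static const uint8_t kt_live[]    = { 0x05, 0x02, 0x00, 0x00, 0x00, 0x04,
                                      0x00, 0x01, 0x00, 0x00 };
```

The kt_deleted image shows why the size shortcut is only an approximation: it is larger than the header but holds no live entry.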

Testing

The existing t_keytab.c test program can be augmented to test krb5_kt_have_content().

Documentation

Doxygen markup for krb5_kt_have_content() should be sufficient. It may be worth briefly mentioning this API in our application programmer section on keytabs when we have one.

Release notes

  • Add a new API krb5_kt_have_content() to determine whether a keytab exists and contains any entries.