From 799c0303440e66004b4517e66d7f2852cfd313e4 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Thu, 16 Nov 2017 15:39:01 -0500 Subject: Avoid clobbering root's ccache if possible If the gssapi library is modern enough, store the ccache in a process scoped keyring by default. This will avoid clobbering root's default ccache, and keep the creds from littering the filesystem. Signed-off-by: Simo Sorce
---
 utils/gssd/gssd.h | 1 + 1 file changed, 1 insertion(+) (limited to 'utils/gssd/gssd.h')
diff --git a/utils/gssd/gssd.h b/utils/gssd/gssd.h
index f4f5975..88839f6 100644
--- a/utils/gssd/gssd.h
+++ b/utils/gssd/gssd.h
@@ -45,6 +45,7 @@
 #define GSSD_DEFAULT_CRED_DIR "/tmp"
 #define GSSD_USER_CRED_DIR "/run/user/%U"
+#define GSSD_SECURE_MACHINE_CACHE "KEYRING:process:gssd_ccache"
 #define GSSD_DEFAULT_CRED_PREFIX "krb5cc"
 #define GSSD_DEFAULT_MACHINE_CRED_SUFFIX "machine"
 #define GSSD_DEFAULT_KEYTAB_FILE "/etc/krb5.keytab"
-- cgit
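Review bot: The added `GSSD_SECURE_MACHINE_CACHE` define has no comment, and unlike its neighbours it is a complete Kerberos ccache name (type plus residual) rather than a directory or file-name fragment, so a reader of gssd.h cannot tell how it relates to `GSSD_DEFAULT_CRED_DIR` and `GSSD_DEFAULT_CRED_PREFIX`. I would put above it `/* Full ccache name for machine creds: process-scoped kernel keyring, used instead of a file under GSSD_DEFAULT_CRED_DIR when the GSSAPI library supports it */`. The commit message makes the keyring conditional on a modern enough library, but this header defines the macro unconditionally, so the capability check and the fallback to the file-based cache presumably live in a file outside this view; the comment should name where. A process keyring is shared by the threads of one process but is not inherited across fork(), so it is worth confirming that no path reads the machine credentials from a forked child, which would silently find an empty cache.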