Common Values for Credentials Store Extensions

The credentials store extension is an extension introduced by the MIT krb5 library implementation of GSSAPI. It allows for finer control of credentials from within a GSSAPI application. Each mechanism can define keywords to manipulate various aspects of their credentials for storage or retrieval operations.

The krb5 mechanism in MIT libraries

The krb5 mechanism as implemented by MIT libraries supports the credentials store extension with a number of keywords.

client_keytab

The client_keytab keyword can be used in a credential store when it is used with the gssapi.raw.ext_cred_store.acquire_cred_from() / gssapi.raw.ext_cred_store.add_cred_from() functions to indicate a custom location for a keytab containing client keys. It is not used in the context of calls used to store credentials.

The value is a string in the form type:residual where type can be any keytab storage type understood by the implementation and residual is the keytab identifier (usually something like a path). If the string is a path, then the type is defaulted to FILE.

keytab

The keytab keyword can be used in a credential store when it is used with the gssapi.raw.ext_cred_store.acquire_cred_from() / gssapi.raw.ext_cred_store.add_cred_from() functions to indicate a custom location for a keytab containing service keys. It is not used in the context of calls used to store credentials.

The value is a string in the form type:residual where type can be any keytab storage type understood by the implementation and residual is the keytab identifier (usually something like a path). If the string is a path, then the type is defaulted to FILE.

ccache

The ccache keyword can be used to reference a specific credential storage. It can be used both to indicate the source of existing credentials for the gssapi.raw.ext_cred_store.acquire_cred_from() / gssapi.raw.ext_cred_store.add_cred_from() functions, as well as the destination storage for the gssapi.raw.ext_cred_store.store_cred_into() function.

The value is a string in the form type:residual where type can be any credential cache storage type understood by the implementation and residual is the ccache identifier. If the string is a path, then the type is defaulted to FILE. Other commonly used types are DIR, KEYRING, KCM, and MEMORY. Each type has a different format for the residual; refer to the MIT krb5 documentation for more details.

rcache

The rcache keyword can be used to reference a custom replay cache storage. It is used only with the gssapi.raw.ext_cred_store.acquire_cred_from() / gssapi.raw.ext_cred_store.add_cred_from() functions for credentials used to accept context establishments, not to initiate contexts.

The value is a string in the form type:residual where type can be any replay cache storage type understood by the implementation and residual is the cache identifier (usually something like a path). If the string is a path, then the type is defaulted to FILE.

The krb5 mechanism in Heimdal

Heimdal has recently implemented the credential store extensions with the same interface as MIT krb5. However, it is not yet present in any released version.