MIT Kerberos Documentation

Credential cache selection interface (ccselect)

The ccselect interface allows modules to control how credential caches are chosen when a GSSAPI client contacts a service. For a detailed description of the ccselect interface, see the header file <krb5/ccselect_plugin.h>.

The primary ccselect method is choose, which accepts a server principal as input and returns a ccache and/or principal name as output. A module can use the krb5_cccol APIs to iterate over the cache collection in order to find an appropriate ccache to use.

A module can create and destroy per-library-context state objects by implementing the init and fini methods. State objects have the type krb5_ccselect_moddata, which is an abstract pointer type. A module should typically cast this to an internal type for the state object.

A module can have one of two priorities, “authoritative” or “heuristic”. Results from authoritative modules, if any are available, will take priority over results from heuristic modules. A module communicates its priority as a result of the init method.
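The following self-contained model of the contract described above is an added example, not code from MIT krb5. The `demo_*` types, the result codes, the priority values, both modules and all principal names are stand-ins for the real definitions in <krb5/ccselect_plugin.h>, and principals are reduced to plain strings. It shows init returning a state object and a priority, choose casting the abstract pointer back to the module's internal type, and a caller that consults authoritative modules before heuristic ones.

```c
/* Added model of the ccselect contract; stand-in types, not <krb5/ccselect_plugin.h>. */
#include <stdlib.h>
#include <string.h>
enum { HEURISTIC = 1, AUTHORITATIVE = 2 };     /* stand-in priority values */
enum { CHOSEN = 0, NO_ANSWER = 1 };            /* stand-in choose results */
typedef struct demo_moddata_st *demo_moddata;  /* abstract state pointer */
typedef struct {
    int (*init)(demo_moddata *data_out, int *priority_out);
    void (*fini)(demo_moddata data);
    int (*choose)(demo_moddata data, const char *server, const char **princ_out);
} demo_vtable;
struct realm_map { const char *realm, *client; };  /* module-internal state */
static int new_state(demo_moddata *out, const char *realm, const char *client) {
    struct realm_map *st = malloc(sizeof(*st));
    if (st == NULL) return -1;
    st->realm = realm; st->client = client;
    *out = (demo_moddata)st;              /* hand back as the abstract type */
    return 0;
}
static int map_init(demo_moddata *out, int *prio) {   /* authoritative module */
    *prio = AUTHORITATIVE;
    return new_state(out, "@CORP.EXAMPLE", "svc-admin@CORP.EXAMPLE");
}
static int any_init(demo_moddata *out, int *prio) {   /* heuristic module */
    *prio = HEURISTIC;
    return new_state(out, "", "alice@HOME.EXAMPLE");  /* "" matches any server */
}
static void state_fini(demo_moddata data) { free(data); }
static int realm_choose(demo_moddata data, const char *server, const char **princ) {
    struct realm_map *st = (struct realm_map *)data;  /* cast to internal type */
    size_t n = strlen(server), m = strlen(st->realm);
    if (n < m || strcmp(server + n - m, st->realm) != 0) return NO_ANSWER;
    *princ = st->client;
    return CHOSEN;
}
static const demo_vtable MODS[2] = {     /* heuristic listed first on purpose */
    { any_init, state_fini, realm_choose }, { map_init, state_fini, realm_choose } };
/* Model of the caller: authoritative modules are consulted before heuristic. */
const char *select_client(const char *server) {
    demo_moddata st[2] = { NULL, NULL };
    int prio[2] = { 0, 0 }, found = 0;
    const char *princ = NULL;
    for (int i = 0; i < 2; i++) if (MODS[i].init(&st[i], &prio[i]) != 0) prio[i] = 0;
    for (int p = AUTHORITATIVE; p >= HEURISTIC && !found; p--)
        for (int i = 0; i < 2 && !found; i++)
            found = prio[i] == p && MODS[i].choose(st[i], server, &princ) == CHOSEN;
    for (int i = 0; i < 2; i++) MODS[i].fini(st[i]);
    return found ? princ : NULL;
}
int main(void) { return select_client("host/db1@CORP.EXAMPLE") == NULL; }
```

Because the selected cache decides which identity a client presents to a service, it is worth reviewing which installed modules claim authoritative priority: in this model the heuristic default is never used for a server the authoritative module recognizes.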