Home Man
Search
Today's Posts
Register

Linux & Unix Commands - Search Man Pages

OpenSolaris 2009.06 - man page for krb5envvar (opensolaris section 5)

krb5envvar(5)		       Standards, Environments, and Macros		    krb5envvar(5)

NAME
       krb5envvar - Kerberos environment variables

DESCRIPTION
       The  Kerberos  mechanism provides a number of environment variables to configure different
       behavior in order to meet applications' needs. Environment variables used within the  Ker-
       beros mechanism are:

       KRB5_KTNAME

	   Used  by the mechanism to specify the location of the key table file. The variable can
	   be set to the following value:

	     [[<kt type>:]<file name>]

	   where <kt type> can be FILE or WRFILE. FILE is for  read  operations;  WRFILE  is  for
	   write operations. <file name> is the location of the keytab file.

	   r

	   If KRB5_KTNAME is not defined, the default value is:

	     FILE:/etc/krb5/krb5.keytab

	   The	keytab	file  is  used to store credentials persistently and is used commonly for
	   service daemons.

	   Specifying the FILE type assumes that the subsequent operations on the associated file
	   are	readable  by  the invoking process. Care must be taken to ensure that the file is
	   readable only by the set of principals that need to retrieve their unencrypted keys.

	   The WRFILE type is used by the kadmin(1M) command. Specifying  this	type  allows  the
	   administrator  to  designate  an alternate keytab file to write to without using extra
	   command line arguments for file location.

       KRB5CCNAME

	   Used by the mechanism to specify the location of the credential  cache.  The  variable
	   can be set to the following value:

	     [[<cc type>:]<file name>]

	   where  <cc type> can be FILE or MEMORY. <file name> is the location of the principal's
	   credential cache.

	   If KRB5CCNAME is not defined, the default value is:

	     FILE:/tmp/krb5cc_<uid>

	   where <uid> is the user id of the process that created the cache file.

	   The credential cache file is used to store tickets that have been granted to the prin-
	   cipal.

	   Specifying  the  FILE  types assumes that subsequent operations on the associated file
	   are readable and writable by the invoking process. Care must be taken to  ensure  that
	   the file is accessible only by the set of principals that need to access their creden-
	   tials. If the credential file is in a  directory  to  which	other  users  have  write
	   access, you need to set that directory's sticky bit (see chmod(1)).

	   The	MEMORY credential cache type is used only in special cases, such as when making a
	   temporary cache for the life of the invoking process.

       KRB5RCNAME

	   Used by the mechanism to specify the type and location of the replay cache. The  vari-
	   able can be set to the following value:

	     [[<rc type>:]<file name>]

	   where <rc type> can be either FILE, MEMORY, or NONE. <file name> is relevant only when
	   specifying the replay cache file type.

	   If not defined, the default value is:

	     FILE:/var/krb5/rcache/root/rc_<service>

	   ...if the process is owned by root, or:

	     FILE:/var/krb5/rcache/rc_<service>

	   ...if the process is owned by a user other than root. <service> is the service process
	   name associated with the replay cache file.

	   The replay cache is used by Kerberos to detect the replay of authentication data. This
	   prevents people who capture authentication messages on the network from authenticating
	   to the server by resending these messages.

	   When  specifying  the FILE replay cache type, care must be taken to prevent the replay
	   cache file from being deleted by another user. Make sure that every directory  in  the
	   replay cache path is either writable only by the owner of the replay cache or that the
	   sticky bit ("t") is set on every directory in the replay cache path	to  which  others
	   have write permission.

	   When  specifying  the MEMORY replay cache type you need to weigh the trade-off of per-
	   formance against the slight security risk created by using a non-persistent cache. The
	   risk occurs during system reboots when the following condition obtains:

	       o      The  duration  from the last write to the replay cache before reboot to the
		      point when the Kerberized server applications are running is less than  the
		      Kerberos clockskew (see krb5.conf(4)).
	   When  specifying  the NONE replay cache time you need to understand that this disables
	   the replay cache, and all security risks that this presents.  This  includes  all  the
	   risks outlined in this section of the man page.

	   Under  this condition, the server applications can accept a replay of Kerberos authen-
	   tication data (up to the difference between	the  time  of  the  last  write  and  the
	   clockskew). Typically, this is a small window of time. If the server applications take
	   longer than the clockskew to start accepting connections there is no replay risk.

	   The risk described above is the same when using  FILE  replay  cache  types	when  the
	   replay cache resides on swap file systems, such as /tmp and /var/run.

	   The	performance  improvement  in MEMORY replay cache types over FILE types is derived
	   from the absence of disk I/O. This is true even if the FILE replay cache is on a  mem-
	   ory-backed file system, such as swap (/tmp and /var/run).

	   Note  that MEMORY-type caches are per-process caches,  therefore use of these types of
	   caches must be carefully considered. One  example of where MEMORY-type caches  can  be
	   problematic	is when an application uses  more than one process for establishing secu-
	   rity contexts. In such a case, memory replay caches are not	shared	across	the  pro-
	   cesses, thus  allowing potential for replay attacks.

       KRB5_CONFIG

	   Allows  you	to  change the default location of the /etc/krb5/krb5.conf file to enable
	   the Kerberos library code to read configuration parameters from another file specified
	   by KRB5_CONFIG. For example (using kinit from ksh(1)):

	      KRB5_CONFIG=/var/tmp/krb5.conf kinit

ATTRIBUTES
       See attributes(5) for a description of the following attributes:

       +-----------------------------+-----------------------------+
       |      ATTRIBUTE TYPE	     |	    ATTRIBUTE VALUE	   |
       +-----------------------------+-----------------------------+
       |Availability		     |SUNWkrbu			   |
       +-----------------------------+-----------------------------+
       |Interface Stability	     |Uncommitted		   |
       +-----------------------------+-----------------------------+

SEE ALSO
       chmod(1),    kinit(1),	 klist(1),   ksh(1),   kadmin(1M),   kadmind(1M),   krb5.conf(4),
       attributes(5), kerberos(5)

SunOS 5.11				   13 Feb 2008				    krb5envvar(5)


All times are GMT -4. The time now is 01:31 AM.

Unix & Linux Forums Content Copyrightę1993-2018. All Rights Reserved.
UNIX.COM Login
Username:
Password:  
Show Password