unixdev.net


Switch to SpeakEasy.net DSL

The Modular Manual Browser

Home Page
Manual: (SunOS-5.10)
Page:
Section:
Apropos / Subsearch:
optional field

krb5envvar(5)         Standards, Environments, and Macros        krb5envvar(5)



NAME
       krb5envvar - Kerberos environment variables

DESCRIPTION
       The  Kerberos  mechanism  provides a number of environment variables to
       configure different behavior in  order  to  meet  applications'  needs.
       Environment variables used within the Kerberos mechanism are:

       KRB5_KTNAME

           Used  by  the  mechanism  to  specify the location of the key table
           file. The variable can be set to the following value:


           [[<kt type>:]<file name>]

           where <kt type> can be FILE or WRFILE. FILE is for read operations;
           WRFILE  is for write operations. <file name> is the location of the
           keytab file.

           If KRB5_KTNAME is not defined, the default value is:


           FILE:/etc/krb5/krb5.keytab

           The keytab file is used to store credentials  persistently  and  is
           used commonly for service daemons.

           Specifying  the FILE type assumes that the subsequent operations on
           the associated file are readable by the invoking process. Care must
           be  taken  to  ensure  that the file is readable only by the set of
           principals that need to retrieve their unencrypted keys.

           The WRFILE type is used by the kadmin(1M) command. Specifying  this
           type allows the administrator to designate an alternate keytab file
           to write to without using extra command  line  arguments  for  file
           location.



       KRB5CCNAME

           Used  by  the  mechanism  to specify the location of the credential
           cache. The variable can be set to the following value:


           [[<cc type>:]<file name>]

           where <cc type> can be FILE or MEMORY. <file name> is the  location
           of the principal's credential cache.

           If KRB5CCNAME is not defined, the default value is:


           FILE:/tmp/krb5cc_<uid>

           where  <uid>  is  the user id of the process that created the cache
           file.

           The credential cache file is used to store tickets that  have  been
           granted to the principal.

           Specifying the FILE types assumes that subsequent operations on the
           associated file are readable and writable by the invoking  process.
           Care  must  be  taken to ensure that the file is accessible only by
           the set of principals that need to access their credentials. If the
           credential  file  is in a directory to which other users have write
           access, you will need to  set  that  directory's  sticky  bit  (see
           chmod(1)).

           The  MEMORY  credential  cache  type is used only in special cases,
           such as when making a temporary cache for the life of the  invoking
           process.



       KRB5RCNAME

           Used  by  the  mechanism  to  specify  the type and location of the
           replay cache. The variable can be set to the following value:


           [[<rc type>:]<file name>]

           where <rc type> can be either FILE or MEMORY. <file name> is  rele-
           vant only when specifying the replay cache file type.

           If not defined, the default value is:


           FILE:/var/krb5/rcache/root/rc_<service>

           ...if the process is owned by root, or:


           FILE:/var/krb5/rcache/rc_<service>

           ...if  the process is owned by a user other than root. <service> is
           the service process name associated with the replay cache file.

           The replay cache is used  by  Kerberos  to  detect  the  replay  of
           authentication  data.  This prevents people who capture authentica-
           tion messages on the network from authenticating to the  server  by
           resending these messages.

           When  specifying  the FILE replay cache type, care must be taken to
           prevent the replay cache file from being deleted by  another  user.
           Make  sure  that every directory in the replay cache path is either
           writable only by the owner of the replay cache or that  the  sticky
           bit  ("t")  is  set  on every directory in the replay cache path to
           which others have write permission.

           When specifying the MEMORY replay cache type you need to weigh  the
           trade-off  of  performance against the slight security risk created
           by using a non-persistent cache.  The  risk  occurs  during  system
           reboots when the following condition obtains:


             o  The  duration  from  the last write to the replay cache before
                reboot to the point when the  Kerberized  server  applications
                are   running   is  less  than  the  Kerberos  clockskew  (see
                krb5.conf(4)).

           Under this condition, the server applications can accept  a  replay
           of  Kerberos  authentication data (up to the difference between the
           time of the last write and the clockskew).  Typically,  this  is  a
           small  window  of time. If the server applications take longer than
           the clockskew to start accepting connections  there  is  no  replay
           risk.

           The  risk  described above is the same when using FILE replay cache
           types when the replay cache resides on swap file systems,  such  as
           /tmp and /var/run.

           The  performance improvement in MEMORY replay cache types over FILE
           types is derived from the absence of disk I/O. This is true even if
           the  FILE  replay  cache is on a memory-backed file system, such as
           swap (/tmp and /var/run).



ATTRIBUTES
       See attributes(5) for a description of the following attributes:


       tab()    allbox;    cw(2.750000i)|     cw(2.750000i)     lw(2.750000i)|
       lw(2.750000i).    ATTRIBUTE  TYPEATTRIBUTE  VALUE  AvailabilitySUNWkrbu
       Interface StabilityUnstable


SEE ALSO
       chmod(1), kinit(1), klist(1),  kadmin(1M),  kadmind(1M),  krb5.conf(4),
       attributes(5), SEAM(5)



SunOS 5.10                        5 Mar 2004                     krb5envvar(5)