|
1 '\" te |
|
2 .\" Copyright (c) 2008, 2013, Oracle and/or its affiliates. All rights reserved. |
|
3 .TH krb5envvar 5 "6 Dec 2013" "SunOS 5.12" "Standards, Environments, and Macros" |
|
4 .SH NAME |
|
5 krb5envvar \- Kerberos environment variables |
|
6 .SH DESCRIPTION |
|
7 .sp |
|
8 .LP |
|
9 The Kerberos mechanism provides a number of environment variables to configure different behavior in order to meet applications' needs. Environment variables used within the Kerberos mechanism are: |
|
10 .sp |
|
11 .ne 2 |
|
12 .mk |
|
13 .na |
|
14 \fB\fBKRB5_KTNAME\fR\fR |
|
15 .ad |
|
16 .sp .6 |
|
17 .RS 4n |
|
18 Used by the mechanism to specify the location of the key table file. The variable can be set to the following value: |
|
19 .sp |
|
20 .in +2 |
|
21 .nf |
|
22 [[\fI<kt type>\fR:]\fI<file name>\fR] |
|
23 .fi |
|
24 .in -2 |
|
25 |
|
26 where \fI<kt type>\fR can be \fBFILE\fR or \fBWRFILE\fR. \fBFILE\fR is for read operations; \fBWRFILE\fR is for write operations. \fI<file name>\fR is the location of the \fBkeytab\fR file. |
|
27 .sp |
|
28 If \fBKRB5_KTNAME\fR is not defined, the default value is: |
|
29 .sp |
|
30 .in +2 |
|
31 .nf |
|
32 FILE:/etc/krb5/krb5.keytab |
|
33 .fi |
|
34 .in -2 |
|
35 |
|
36 The \fBkeytab\fR file is used to store credentials persistently and is used commonly for service daemons. |
|
37 .sp |
|
38 Specifying the \fBFILE\fR type assumes that the subsequent operations on the associated file are readable by the invoking process. Care must be taken to ensure that the file is readable only by the set of principals that need to retrieve their unencrypted keys. |
|
39 .sp |
|
40 The \fBWRFILE\fR type is used by the \fBkadmin\fR(1M) command. Specifying this type allows the administrator to designate an alternate \fBkeytab\fR file to write to without using extra command line arguments for file location. |
|
41 .RE |
|
42 |
|
43 .sp |
|
44 .ne 2 |
|
45 .mk |
|
46 .na |
|
47 \fB\fBKRB5CCNAME\fR\fR |
|
48 .ad |
|
49 .sp .6 |
|
50 .RS 4n |
|
51 Used by the mechanism to specify the location of the credential cache. The variable can be set to the following value: |
|
52 .sp |
|
53 .in +2 |
|
54 .nf |
|
55 [[\fI<cc type>\fR:]\fI<file name>\fR] |
|
56 .fi |
|
57 .in -2 |
|
58 |
|
59 where \fI<cc type>\fR can be \fBFILE\fR or \fBMEMORY\fR. \fI<file name>\fR is the location of the principal's credential cache. |
|
60 .sp |
|
61 If \fBKRB5CCNAME\fR is not defined, the default value is: |
|
62 .sp |
|
63 .in +2 |
|
64 .nf |
|
65 FILE:/tmp/krb5cc_\fI<uid>\fR |
|
66 .fi |
|
67 .in -2 |
|
68 |
|
69 where \fI<uid>\fR is the user id of the process that created the cache file. |
|
70 .sp |
|
71 The credential cache file is used to store tickets that have been granted to the principal. |
|
72 .sp |
|
73 Specifying the \fBFILE\fR types assumes that subsequent operations on the associated file are readable and writable by the invoking process. Care must be taken to ensure that the file is accessible only by the set of principals that need to access their credentials. If the credential file is in a directory to which other users have write access, you need to set that directory's sticky bit (see \fBchmod\fR(1)). |
|
74 .sp |
|
75 The \fBMEMORY\fR credential cache type is used only in special cases, such as when making a temporary cache for the life of the invoking process. |
|
76 .RE |
|
77 |
|
78 .sp |
|
79 .ne 2 |
|
80 .mk |
|
81 .na |
|
82 \fB\fBKRB5RCNAME\fR\fR |
|
83 .ad |
|
84 .sp .6 |
|
85 .RS 4n |
|
86 Used by the mechanism to specify the type and location of the replay cache. The variable can be set to the following value: |
|
87 .sp |
|
88 .in +2 |
|
89 .nf |
|
90 [[\fI<rc type>\fR:]\fI<file name>\fR] |
|
91 .fi |
|
92 .in -2 |
|
93 |
|
94 where \fI<rc type>\fR can be either \fBFILE\fR, \fBMEMORY\fR, or \fBNONE\fR. \fI<file name>\fR is relevant only when specifying the replay cache file type. |
|
95 .sp |
|
96 If not defined, the default value is: |
|
97 .sp |
|
98 .in +2 |
|
99 .nf |
|
100 FILE:/var/krb5/rcache/root/rc_\fI<service>\fR |
|
101 .fi |
|
102 .in -2 |
|
103 |
|
104 \&...if the process is owned by root, or: |
|
105 .sp |
|
106 .in +2 |
|
107 .nf |
|
108 FILE:/var/krb5/rcache/rc_\fI<service>\fR |
|
109 .fi |
|
110 .in -2 |
|
111 |
|
112 \&...if the process is owned by a user other than root. \fI<service>\fR is the service process name associated with the replay cache file. |
|
113 .sp |
|
114 The replay cache is used by Kerberos to detect the replay of authentication data. This prevents people who capture authentication messages on the network from authenticating to the server by resending these messages. |
|
115 .sp |
|
116 When specifying the \fBFILE\fR replay cache type, care must be taken to prevent the replay cache file from being deleted by another user. Make sure that every directory in the replay cache path is either writable only by the owner of the replay cache or that the sticky bit ("\fBt\fR") is set on every directory in the replay cache path to which others have write permission. |
|
117 .sp |
|
118 When specifying the \fBMEMORY\fR replay cache type you need to weigh the trade-off of performance against the slight security risk created by using a non-persistent cache. The risk occurs during system reboots when the following condition obtains: |
|
119 .RS +4 |
|
120 .TP |
|
121 .ie t \(bu |
|
122 .el o |
|
123 The duration from the last write to the replay cache before reboot to the point when the Kerberized server applications are running is less than the Kerberos clockskew (see \fBkrb5.conf\fR(4)). |
|
124 .RE |
|
125 When specifying the \fBNONE\fR replay cache time you need to understand that this disables the replay cache, and all security risks that this presents. This includes all the risks outlined in this section of the man page. |
|
126 .sp |
|
127 Under this condition, the server applications can accept a replay of Kerberos authentication data (up to the difference between the time of the last write and the clockskew). Typically, this is a small window of time. If the server applications take longer than the clockskew to start accepting connections there is no replay risk. |
|
128 .sp |
|
129 The risk described above is the same when using \fBFILE\fR replay cache types when the replay cache resides on swap file systems, such as \fB/tmp\fR and \fB/var/run\fR. |
|
130 .sp |
|
131 The performance improvement in \fBMEMORY\fR replay cache types over \fBFILE\fR types is derived from the absence of disk I/O. This is true even if the \fBFILE\fR replay cache is on a memory-backed file system, such as swap (\fB/tmp\fR and \fB/var/run\fR). |
|
132 .sp |
|
133 Note that \fBMEMORY\fR-type caches are per-process caches, therefore use of these types of caches must be carefully considered. One example of where \fBMEMORY\fR-type caches can be problematic is when an application uses more than one process for establishing security contexts. In such a case, memory replay caches are not shared across the processes, thus allowing potential for replay attacks. |
|
134 .RE |
|
135 |
|
136 .sp |
|
137 .ne 2 |
|
138 .mk |
|
139 .na |
|
140 \fBKRB5_CONFIG\fR |
|
141 .ad |
|
142 .sp .6 |
|
143 .RS 4n |
|
144 Allows the Kerberos library to read configuration parameters from a file other than \fB/etc/krb5/krb5.conf\fR. To use \fBkinit\fR from \fBksh\fR(1), use the following example: |
|
145 .sp |
|
146 .in +2 |
|
147 .nf |
|
148 KRB5_CONFIG=/var/tmp/krb5.conf kinit |
|
149 .fi |
|
150 .in -2 |
|
151 |
|
152 .RE |
|
153 |
|
154 .SH ATTRIBUTES |
|
155 .sp |
|
156 .LP |
|
157 See \fBattributes\fR(5) for a description of the following attributes: |
|
158 .sp |
|
159 |
|
160 .sp |
|
161 .TS |
|
162 tab(�) box; |
|
163 cw(2.75i) |cw(2.75i) |
|
164 lw(2.75i) |lw(2.75i) |
|
165 . |
|
166 \fBATTRIBUTE TYPE\fR�\fBATTRIBUTE VALUE\fR |
|
167 _ |
|
168 Availability�system/security/kerberos-5 |
|
169 _ |
|
170 Interface Stability�Uncommitted |
|
171 .TE |
|
172 |
|
173 .SH SEE ALSO |
|
174 .sp |
|
175 .LP |
|
176 \fBchmod\fR(1), \fBkinit\fR(1), \fBklist\fR(1), \fBksh\fR(1), \fBkadmin\fR(1M), \fBkadmind\fR(1M), \fBkrb5.conf\fR(4), \fBattributes\fR(5), \fBkerberos\fR(5) |