krb5envvar man page on Solaris

Man page or keyword search:  
man Server   20652 pages
apropos Keyword Search (all sections)
Output format
Solaris logo
[printable version]

krb5envvar(5)	      Standards, Environments, and Macros	 krb5envvar(5)

NAME
       krb5envvar - Kerberos environment variables

DESCRIPTION
       The  Kerberos  mechanism	 provides a number of environment variables to
       configure different behavior in	order  to  meet	 applications'	needs.
       Environment variables used within the Kerberos mechanism are:

       KRB5_KTNAME

	   Used	 by  the  mechanism  to	 specify the location of the key table
	   file. The variable can be set to the following value:

	     [[<kt type>:]<file name>]

	   where <kt type> can be FILE or WRFILE. FILE is for read operations;
	   WRFILE  is for write operations. <file name> is the location of the
	   keytab file.

	   r

	   If KRB5_KTNAME is not defined, the default value is:

	     FILE:/etc/krb5/krb5.keytab

	   The keytab file is used to store credentials	 persistently  and  is
	   used commonly for service daemons.

	   Specifying  the FILE type assumes that the subsequent operations on
	   the associated file are readable by the invoking process. Care must
	   be  taken  to  ensure  that the file is readable only by the set of
	   principals that need to retrieve their unencrypted keys.

	   The WRFILE type is used by the kadmin(1M) command. Specifying  this
	   type allows the administrator to designate an alternate keytab file
	   to write to without using extra command  line  arguments  for  file
	   location.

       KRB5CCNAME

	   Used	 by  the  mechanism  to specify the location of the credential
	   cache. The variable can be set to the following value:

	     [[<cc type>:]<file name>]

	   where <cc type> can be FILE or MEMORY. <file name> is the  location
	   of the principal's credential cache.

	   If KRB5CCNAME is not defined, the default value is:

	     FILE:/tmp/krb5cc_<uid>

	   where  <uid>	 is  the user id of the process that created the cache
	   file.

	   The credential cache file is used to store tickets that  have  been
	   granted to the principal.

	   Specifying the FILE types assumes that subsequent operations on the
	   associated file are readable and writable by the invoking  process.
	   Care	 must  be  taken to ensure that the file is accessible only by
	   the set of principals that need to access their credentials. If the
	   credential  file  is in a directory to which other users have write
	   access, you need to set that directory's sticky bit (see chmod(1)).

	   The MEMORY credential cache type is used  only  in  special	cases,
	   such	 as when making a temporary cache for the life of the invoking
	   process.

       KRB5RCNAME

	   Used by the mechanism to specify  the  type	and  location  of  the
	   replay cache. The variable can be set to the following value:

	     [[<rc type>:]<file name>]

	   where <rc type> can be either FILE, MEMORY, or NONE. <file name> is
	   relevant only when specifying the replay cache file type.

	   If not defined, the default value is:

	     FILE:/var/krb5/rcache/root/rc_<service>

	   ...if the process is owned by root, or:

	     FILE:/var/krb5/rcache/rc_<service>

	   ...if the process is owned by a user other than root. <service>  is
	   the service process name associated with the replay cache file.

	   The	replay	cache  is  used	 by  Kerberos  to detect the replay of
	   authentication data. This prevents people who  capture  authentica‐
	   tion	 messages  on the network from authenticating to the server by
	   resending these messages.

	   When specifying the FILE replay cache type, care must be  taken  to
	   prevent  the	 replay cache file from being deleted by another user.
	   Make sure that every directory in the replay cache path  is	either
	   writable  only  by the owner of the replay cache or that the sticky
	   bit ("t") is set on every directory in the  replay  cache  path  to
	   which others have write permission.

	   When	 specifying the MEMORY replay cache type you need to weigh the
	   trade-off of performance against the slight security	 risk  created
	   by  using  a	 non-persistent	 cache.	 The risk occurs during system
	   reboots when the following condition obtains:

	       o      The duration from the last write	to  the	 replay	 cache
		      before  reboot  to  the point when the Kerberized server
		      applications are	running	 is  less  than	 the  Kerberos
		      clockskew (see krb5.conf(4)).
	   When	 specifying  the NONE replay cache time you need to understand
	   that this disables the replay cache, and all	 security  risks  that
	   this presents. This includes all the risks outlined in this section
	   of the man page.

	   Under this condition, the server applications can accept  a	replay
	   of  Kerberos	 authentication data (up to the difference between the
	   time of the last write and the clockskew).  Typically,  this	 is  a
	   small  window  of time. If the server applications take longer than
	   the clockskew to start accepting connections	 there	is  no	replay
	   risk.

	   The	risk  described above is the same when using FILE replay cache
	   types when the replay cache resides on swap file systems,  such  as
	   /tmp and /var/run.

	   The	performance improvement in MEMORY replay cache types over FILE
	   types is derived from the absence of disk I/O. This is true even if
	   the	FILE  replay  cache is on a memory-backed file system, such as
	   swap (/tmp and /var/run).

	   Note that MEMORY-type caches are per-process caches,	 therefore use
	   of these types of caches must be carefully considered. One  example
	   of where MEMORY-type caches can be problematic  is when an applica‐
	   tion	 uses	more  than  one process for establishing security con‐
	   texts. In such a case, memory replay caches are not	shared	across
	   the processes, thus	allowing potential for replay attacks.

       KRB5_CONFIG

	   Allows    you    to	  change   the	 default   location   of   the
	   /etc/krb5/krb5.conf file to enable the  Kerberos  library  code  to
	   read	 configuration	parameters  from  another  file	 specified  by
	   KRB5_CONFIG. For example (using kinit from ksh(1)):

	      KRB5_CONFIG=/var/tmp/krb5.conf kinit

ATTRIBUTES
       See attributes(5) for a description of the following attributes:

       ┌─────────────────────────────┬─────────────────────────────┐
       │      ATTRIBUTE TYPE	     │	    ATTRIBUTE VALUE	   │
       ├─────────────────────────────┼─────────────────────────────┤
       │Availability		     │SUNWkrbu			   │
       ├─────────────────────────────┼─────────────────────────────┤
       │Interface Stability	     │Uncommitted		   │
       └─────────────────────────────┴─────────────────────────────┘

SEE ALSO
       chmod(1),  kinit(1),   klist(1),	  ksh(1),   kadmin(1M),	  kadmind(1M),
       krb5.conf(4), attributes(5), kerberos(5)

SunOS 5.10			  13 Feb 2008			 krb5envvar(5)
[top]

List of man pages available for Solaris

Copyright (c) for man pages and the logo by the respective OS vendor.

For those who want to learn more, the polarhome community provides shell access and support.

[legal] [privacy] [GNU] [policy] [cookies] [netiquette] [sponsors] [FAQ]
Tweet
Polarhome, production since 1999.
Member of Polarhome portal.
Based on Fawad Halim's script.
....................................................................
Vote for polarhome
Free Shell Accounts :: the biggest list on the net