krb5envvar(5)          Standards, Environments, and Macros          krb5envvar(5)

NAME
       krb5envvar - Kerberos environment variables

DESCRIPTION
       The Kerberos mechanism provides a number of environment variables to
       configure different behavior in order to meet applications' needs.
       Environment variables used within the Kerberos mechanism are:

       KRB5_KTNAME

           Used by the mechanism to specify the location of the key table
           file. The variable can be set to the following value:

               [[<kt type>:]<file name>]

           where <kt type> can be FILE or WRFILE. FILE is for read operations;
           WRFILE is for write operations. <file name> is the location of the
           keytab file.

           If KRB5_KTNAME is not defined, the default value is:

               FILE:/etc/krb5/krb5.keytab

           The keytab file is used to store credentials persistently and is
           commonly used by service daemons.

           Specifying the FILE type assumes that the associated file is
           readable by the invoking process for the subsequent operations.
           Care must be taken to ensure that the file is readable only by the
           set of principals that need to retrieve their unencrypted keys.

           The WRFILE type is used by the kadmin(1M) command. Specifying this
           type allows the administrator to designate an alternate keytab file
           to write to without using extra command line arguments for the file
           location.

       KRB5CCNAME

           Used by the mechanism to specify the location of the credential
           cache. The variable can be set to the following value:

               [[<cc type>:]<file name>]

           where <cc type> can be FILE or MEMORY. <file name> is the location
           of the principal's credential cache.

           If KRB5CCNAME is not defined, the default value is:

               FILE:/tmp/krb5cc_<uid>

           where <uid> is the user id of the process that created the cache
           file.

           The credential cache file is used to store tickets that have been
           granted to the principal.

           Specifying the FILE type assumes that the associated file is
           readable and writable by the invoking process for the subsequent
           operations. Care must be taken to ensure that the file is
           accessible only by the set of principals that need to access their
           credentials. If the credential file is in a directory to which
           other users have write access, you need to set that directory's
           sticky bit (see chmod(1)).

           The MEMORY credential cache type is used only in special cases,
           such as when making a temporary cache for the life of the invoking
           process.

       KRB5RCNAME

           Used by the mechanism to specify the type and location of the
           replay cache. The variable can be set to the following value:

               [[<rc type>:]<file name>]

           where <rc type> can be either FILE, MEMORY, or NONE. <file name> is
           relevant only when specifying the FILE replay cache type.

           If not defined, the default value is:

               FILE:/var/krb5/rcache/root/rc_<service>

           ...if the process is owned by root, or:

               FILE:/var/krb5/rcache/rc_<service>

           ...if the process is owned by a user other than root. <service> is
           the service process name associated with the replay cache file.

           The replay cache is used by Kerberos to detect the replay of
           authentication data. This prevents people who capture
           authentication messages on the network from authenticating to the
           server by resending these messages.

           When specifying the FILE replay cache type, care must be taken to
           prevent the replay cache file from being deleted by another user.
           Make sure that every directory in the replay cache path is either
           writable only by the owner of the replay cache or that the sticky
           bit ("t") is set on every directory in the replay cache path to
           which others have write permission.

           When specifying the MEMORY replay cache type you need to weigh the
           trade-off of performance against the slight security risk created
           by using a non-persistent cache. The risk occurs during system
           reboots when the following condition obtains:

               o  The duration from the last write to the replay cache
                  before reboot to the point when the Kerberized server
                  applications are running is less than the Kerberos
                  clockskew (see krb5.conf(4)).

           Under this condition, the server applications can accept a replay
           of Kerberos authentication data (up to the difference between the
           time of the last write and the clockskew). Typically, this is a
           small window of time. If the server applications take longer than
           the clockskew to start accepting connections there is no replay
           risk.

           The risk described above is the same when using the FILE replay
           cache type when the replay cache resides on swap file systems, such
           as /tmp and /var/run.

           The performance improvement of the MEMORY replay cache type over
           the FILE type is derived from the absence of disk I/O. This is true
           even if the FILE replay cache is on a memory-backed file system,
           such as swap (/tmp and /var/run).

           Note that MEMORY-type caches are per-process caches, therefore use
           of these types of caches must be carefully considered. One example
           of where MEMORY-type caches can be problematic is when an
           application uses more than one process for establishing security
           contexts. In such a case, memory replay caches are not shared
           across the processes, thus allowing potential for replay attacks.

           When specifying the NONE replay cache type you need to understand
           that this disables the replay cache, with all the security risks
           that this presents. This includes all the risks outlined in this
           section of the man page.

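           The permission rules stated above for FILE-type keytabs, credential
           caches and replay caches (the file private to its owner, and the
           sticky bit on every world-writable directory in its path) can be
           checked mechanically. The shell functions below are an added
           example for this page and are not part of the Solaris Kerberos
           distribution; the names krb5_path_type, krb5_path_file,
           krb5_check_file_perms and krb5_check_env are assumptions made here.
           They parse a [<type>:]<file name> value the way all three variables
           use it, and for a file-backed type inspect the mode bits with
           ls -ld rather than stat so that the same code runs under a Solaris
           or Linux sh.

```sh
#!/bin/sh
# Added example, not Solaris code. Parses Kerberos "[<type>:]<file name>"
# values (KRB5_KTNAME, KRB5CCNAME, KRB5RCNAME) and checks the permission
# rules krb5envvar(5) gives for the FILE-backed types.

# Type part of the value; an absent type means FILE, as the man page states.
krb5_path_type() {
    case "$1" in
        *:*) printf '%s\n' "${1%%:*}" ;;
        *)   printf 'FILE\n' ;;
    esac
}

# File part of the value (everything after the first colon).
krb5_path_file() {
    case "$1" in
        *:*) printf '%s\n' "${1#*:}" ;;
        *)   printf '%s\n' "$1" ;;
    esac
}

# Returns 0 when the file named by a FILE/WRFILE value grants no access to
# group or others and every ancestor directory that others may write to has
# the sticky bit set. Returns 1 and prints the first violation otherwise.
# Non-file types (MEMORY, NONE) have nothing on disk and pass trivially.
krb5_check_file_perms() {
    value=$1
    type=$(krb5_path_type "$value")
    case "$type" in
        FILE|WRFILE) ;;
        *) echo "$value: type $type is not file-backed, nothing to check"
           return 0 ;;
    esac
    file=$(krb5_path_file "$value")
    [ -e "$file" ] || { echo "$file: does not exist"; return 1; }

    # Positions 5-10 of the ls mode string are the group and other bits;
    # any character other than '-' there exposes keys or tickets.
    mode=$(ls -ld "$file" | cut -c1-10)
    case "$mode" in
        ????------) ;;
        *) echo "$file: mode $mode grants access to group or others"
           return 1 ;;
    esac

    # Walk every directory in the path. Position 9 is the other-write bit,
    # position 10 shows 't' or 'T' when the sticky bit is set.
    dir=$(dirname "$file")
    while :; do
        dmode=$(ls -ld "$dir" | cut -c1-10)
        case "$dmode" in
            d???????w?)
                case "$dmode" in
                    d????????[tT]) ;;
                    *) echo "$dir: world-writable without sticky bit ($dmode)"
                       return 1 ;;
                esac ;;
        esac
        case "$dir" in
            /|.) break ;;
        esac
        dir=$(dirname "$dir")
    done
    return 0
}

# Checks the variables as the current process would resolve them, applying
# the documented defaults for the keytab and credential cache. The replay
# cache default depends on the service name, so it is checked only when
# KRB5RCNAME is set explicitly.
krb5_check_env() {
    rc=0
    krb5_check_file_perms "${KRB5_KTNAME:-FILE:/etc/krb5/krb5.keytab}" || rc=1
    krb5_check_file_perms "${KRB5CCNAME:-FILE:/tmp/krb5cc_$(id -u)}" || rc=1
    if [ -n "$KRB5RCNAME" ]; then
        krb5_check_file_perms "$KRB5RCNAME" || rc=1
    fi
    return $rc
}
```

           Source the file and run krb5_check_env from the environment of the
           service in question, or pass a single value such as
           "FILE:/var/krb5/rcache/rc_host" to krb5_check_file_perms; a
           non-zero exit names the first file or directory that violates the
           rule. The directory walk stops at / (or at . for a relative path),
           so a relative value is judged only against the directories below
           the current one.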
       KRB5_CONFIG

           Allows you to change the default location of the
           /etc/krb5/krb5.conf file to enable the Kerberos library code to
           read configuration parameters from another file specified by
           KRB5_CONFIG. For example (using kinit from ksh(1)):

               KRB5_CONFIG=/var/tmp/krb5.conf kinit


ATTRIBUTES
       See attributes(5) for a description of the following attributes:

       ┌─────────────────────────────┬─────────────────────────────┐
       │       ATTRIBUTE TYPE        │       ATTRIBUTE VALUE       │
       ├─────────────────────────────┼─────────────────────────────┤
       │Availability                 │SUNWkrbu                     │
       ├─────────────────────────────┼─────────────────────────────┤
       │Interface Stability          │Uncommitted                  │
       └─────────────────────────────┴─────────────────────────────┘

SEE ALSO
       chmod(1), kinit(1), klist(1), ksh(1), kadmin(1M), kadmind(1M),
       krb5.conf(4), attributes(5), kerberos(5)



SunOS 5.11                       13 Feb 2008                       krb5envvar(5)