krb5envvar(5)         Standards, Environments, and Macros        krb5envvar(5)


NAME

       krb5envvar - Kerberos environment variables


DESCRIPTION

       The Kerberos mechanism provides a number of environment variables to
       configure different behavior in order to meet applications' needs.
       Environment variables used within the Kerberos mechanism are:

       KRB5_KTNAME

           Used by the mechanism to specify the location of the key table
           file. The variable can be set to the following value:

             [[<kt type>:]<file name>]

           where <kt type> can be FILE or WRFILE. FILE is for read operations;
           WRFILE is for write operations. <file name> is the location of the
           keytab file.

           If KRB5_KTNAME is not defined, the default value is:

             FILE:/etc/krb5/krb5.keytab

           The keytab file is used to store credentials persistently and is
           commonly used for service daemons.

           Specifying the FILE type assumes that the associated file is
           readable by the invoking process for the subsequent operations.
           Care must be taken to ensure that the file is readable only by the
           set of principals that need to retrieve their unencrypted keys.

           The WRFILE type is used by the kadmin(1M) command. Specifying this
           type allows the administrator to designate an alternate keytab file
           to write to without using extra command line arguments for the file
           location.


       KRB5CCNAME

           Used by the mechanism to specify the location of the credential
           cache. The variable can be set to the following value:

             [[<cc type>:]<file name>]

           where <cc type> can be FILE or MEMORY. <file name> is the location
           of the principal's credential cache.

           If KRB5CCNAME is not defined, the default value is:

             FILE:/tmp/krb5cc_<uid>

           where <uid> is the user id of the process that created the cache
           file.

           The credential cache file is used to store tickets that have been
           granted to the principal.

           Specifying the FILE type assumes that the associated file is
           readable and writable by the invoking process for the subsequent
           operations. Care must be taken to ensure that the file is
           accessible only by the set of principals that need to access their
           credentials. If the credential file is in a directory to which
           other users have write access, you need to set that directory's
           sticky bit (see chmod(1)).

           The MEMORY credential cache type is used only in special cases,
           such as when making a temporary cache for the life of the invoking
           process.


       KRB5RCNAME

           Used by the mechanism to specify the type and location of the
           replay cache. The variable can be set to the following value:

             [[<rc type>:]<file name>]

           where <rc type> can be either FILE, MEMORY, or NONE. <file name> is
           relevant only when specifying the FILE replay cache type.

           If not defined, the default value is:

             FILE:/var/krb5/rcache/root/rc_<service>

           ...if the process is owned by root, or:

             FILE:/var/krb5/rcache/rc_<service>

           ...if the process is owned by a user other than root. <service> is
           the service process name associated with the replay cache file.

           The replay cache is used by Kerberos to detect the replay of
           authentication data. This prevents people who capture
           authentication messages on the network from authenticating to the
           server by resending these messages.

           When specifying the FILE replay cache type, care must be taken to
           prevent the replay cache file from being deleted by another user.
           Make sure that every directory in the replay cache path is either
           writable only by the owner of the replay cache or that the sticky
           bit ("t") is set on every directory in the replay cache path to
           which others have write permission.

           When specifying the MEMORY replay cache type you need to weigh the
           trade-off of performance against the slight security risk created
           by using a non-persistent cache. The risk occurs during system
           reboots when the following condition obtains:

               o      The duration from the last write to the replay cache
                      before reboot to the point when the Kerberized server
                      applications are running is less than the Kerberos
                      clockskew (see krb5.conf(4)).

           Under this condition, the server applications can accept a replay
           of Kerberos authentication data (up to the difference between the
           time of the last write and the clockskew). Typically, this is a
           small window of time. If the server applications take longer than
           the clockskew to start accepting connections there is no replay
           risk.

           The risk described above is the same when using FILE replay cache
           types when the replay cache resides on swap file systems, such as
           /tmp and /var/run.

           The performance improvement in MEMORY replay cache types over FILE
           types is derived from the absence of disk I/O. This is true even if
           the FILE replay cache is on a memory-backed file system, such as
           swap (/tmp and /var/run).

           Note that MEMORY-type caches are per-process caches, therefore use
           of these types of caches must be carefully considered. One example
           of where MEMORY-type caches can be problematic is when an
           application uses more than one process for establishing security
           contexts. In such a case, memory replay caches are not shared
           across the processes, thus allowing potential for replay attacks.

           When specifying the NONE replay cache type you need to understand
           that this disables the replay cache, and all security risks that
           this presents. This includes all the risks outlined in this section
           of the man page.


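
           The following shell script is an added example; it is not part of
           this man page or of the Kerberos distribution. It parses the
           [[<type>:]<file name>] form shared by KRB5_KTNAME, KRB5CCNAME and
           KRB5RCNAME and audits the permission rules stated above for the
           keytab file and for every directory on a cache path. The function
           names and the sample paths are the example's own.

```shell
# Added example (not from the krb5envvar man page or the Kerberos code): parse the
# [[<type>:]<file name>] form used by KRB5_KTNAME, KRB5CCNAME and KRB5RCNAME and audit
# the permission rules the page states. Only ls -ld and cut are used (any POSIX shell).

# krb5_type VALUE DEFAULT -> the type prefix (FILE, WRFILE, MEMORY, NONE), or DEFAULT
krb5_type() {
    case "$1" in
        *:*) printf '%s\n' "${1%%:*}" ;;
        *)   printf '%s\n' "$2" ;;
    esac
}

# krb5_path VALUE -> the <file name> part (everything after the first colon)
krb5_path() {
    case "$1" in
        *:*) printf '%s\n' "${1#*:}" ;;
        *)   printf '%s\n' "$1" ;;
    esac
}

# perm_string PATH -> the ten-character mode field of ls -ld, e.g. drwxrwxrwt
perm_string() { ls -ld "$1" | cut -c1-10; }

# check_keytab FILE -> 0 when the keytab is readable by its owner only: the file
# holds unencrypted keys, so the group and other read bits (columns 5 and 8) are clear
check_keytab() {
    [ -f "$1" ] || return 1
    case "$(perm_string "$1")" in
        ????-??-??) return 0 ;;
        *)          return 1 ;;
    esac
}

# check_cache_dirs FILE [TOP] -> 0 when every directory from FILE's directory up to
# TOP (default /) is either writable only by its owner or carries the sticky bit: the
# rule given for KRB5CCNAME and FILE replay caches, which stops deletion by other users
check_cache_dirs() {
    d=$(dirname "$1"); top=${2:-/}
    while :; do
        p=$(perm_string "$d")
        case "$p" in
            ?????w*|????????w?)          # group- or other-writable: need the sticky bit
                case "$p" in *[tT]) ;; *) return 1 ;; esac ;;
        esac
        case "$d" in "$top"|/|.) return 0 ;; esac
        d=$(dirname "$d")
    done
}
```

           Run check_keytab on the resolved KRB5_KTNAME path and
           check_cache_dirs on the resolved KRB5CCNAME or KRB5RCNAME path; a
           non-zero status marks a file or directory that violates the rule.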
       KRB5_CONFIG

           Allows you to change the default location of the
           /etc/krb5/krb5.conf file to enable the Kerberos library code to
           read configuration parameters from another file specified by
           KRB5_CONFIG. For example (using kinit from ksh(1)):

              KRB5_CONFIG=/var/tmp/krb5.conf kinit



ATTRIBUTES

       See attributes(5) for a description of the following attributes:


       ┌─────────────────────────────┬─────────────────────────────┐
       │       ATTRIBUTE TYPE        │       ATTRIBUTE VALUE       │
       ├─────────────────────────────┼─────────────────────────────┤
       │Availability                 │SUNWkrbu                     │
       ├─────────────────────────────┼─────────────────────────────┤
       │Interface Stability          │Uncommitted                  │
       └─────────────────────────────┴─────────────────────────────┘


SEE ALSO

       chmod(1), kinit(1), klist(1), ksh(1), kadmin(1M), kadmind(1M),
       krb5.conf(4), attributes(5), kerberos(5)



SunOS 5.11                        13 Feb 2008                    krb5envvar(5)