Standards, Environments, and Macros krb5envvar(5)
NAME
krb5envvar - Kerberos environment variables
DESCRIPTION
The Kerberos mechanism provides a number of environment
variables to configure different behavior in order to meet
applications' needs. Environment variables used within the
Kerberos mechanism are:
KRB5_KTNAME
Used by the mechanism to specify the location of the key
table file. The variable can be set to the following
value:
[[<kt type>:]<file name>]
where <kt type> can be FILE or WRFILE. FILE is for read
operations; WRFILE is for write operations. <file name>
is the location of the keytab file.
If KRB5_KTNAME is not defined, the default value is:
FILE:/etc/krb5/krb5.keytab
The keytab file is used to store credentials persistently and is used commonly for service daemons. Specifying the FILE type assumes that the associated file is readable by the invoking process for the subsequent operations. Care must be taken to ensure that the file is readable only by the set of principals that need to retrieve their unencrypted keys.
The WRFILE type is used by the kadmin(1M) command. Specifying this type allows the administrator to designate an alternate keytab file to write to without using extra command line arguments for file location.
KRB5CCNAME
Used by the mechanism to specify the location of the credential cache. The variable can be set to the following value:
[[<cc type>:]<file name>]
SunOS 5.10 Last change: 1 June 2006 1
where <cc type> can be FILE or MEMORY. <file name> is
the location of the principal's credential cache.
If KRB5CCNAME is not defined, the default value is:
FILE:/tmp/krb5cc_<uid>
where <uid> is the user id of the process that created
the cache file.
The credential cache file is used to store tickets that
have been granted to the principal.
Specifying the FILE type assumes that the associated file is readable and writable by the invoking process for the subsequent operations. Care must be taken to ensure that the file is accessible only by the set of principals that need to access their credentials. If the credential file is in a directory to which other users have write access, you will need to set that directory's sticky bit (see chmod(1)).
The MEMORY credential cache type is used only in special
cases, such as when making a temporary cache for the
life of the invoking process.
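As an added example (not part of the man page), the following POSIX shell script resolves KRB5_KTNAME and KRB5CCNAME using the [[<type>:]<file name>] form and the defaults given above, then checks that a FILE keytab or credential cache has no group or other permission bits, which is the ownership condition the two sections above ask for; the function names and the "audit" subcommand are this example's own.

```shell
#!/bin/sh
# Added example, not from the man page: resolve KRB5_KTNAME / KRB5CCNAME from the
# [[<type>:]<file name>] form and the documented defaults, then check that a FILE
# keytab or credential cache carries no group/other permission bits.

# krb5_parse VALUE DEFAULT_TYPE DEFAULT_FILE -> prints "<type> <file>"
krb5_parse() {
    val=$1; dtype=$2; dfile=$3
    if [ -z "$val" ]; then                   # unset or empty: documented default
        printf '%s %s\n' "$dtype" "$dfile"
    elif [ "${val#*:}" != "$val" ]; then     # "<type>:<file>"
        printf '%s %s\n' "${val%%:*}" "${val#*:}"
    else                                     # bare file name, type defaults
        printf '%s %s\n' "$dtype" "$val"
    fi
}

# Return 0 if FILE exists and its mode has no group/other bits (e.g. -rw-------).
# ls -ld is used instead of stat(1) because its columns are the same on GNU and BSD.
krb5_file_private() {
    [ -e "$1" ] || return 2
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# krb5_audit_var NAME VALUE DEFAULT_TYPE DEFAULT_FILE: report one variable,
# returning 1 if the file is missing or exposed to group/other.
krb5_audit_var() {
    out=$(krb5_parse "$2" "$3" "$4")
    ktype=${out%% *}; kfile=${out#* }
    case $ktype in
        FILE|WRFILE)
            if krb5_file_private "$kfile"; then
                printf '%s: %s:%s ok (owner-only)\n' "$1" "$ktype" "$kfile"
            else
                printf '%s: %s:%s WARNING: missing or readable by group/other\n' \
                    "$1" "$ktype" "$kfile"
                return 1
            fi ;;
        MEMORY) printf '%s: MEMORY cache, nothing on disk to check\n' "$1" ;;
        *) printf '%s: unknown cache type %s\n' "$1" "$ktype"; return 1 ;;
    esac
}

# Usage: sh krb5envcheck.sh audit  (the "audit" subcommand is this example's own)
case ${1:-} in
    audit)
        krb5_audit_var KRB5_KTNAME "${KRB5_KTNAME:-}" FILE /etc/krb5/krb5.keytab
        krb5_audit_var KRB5CCNAME  "${KRB5CCNAME:-}"  FILE "/tmp/krb5cc_$(id -u)" ;;
esac
```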
KRB5RCNAME
Used by the mechanism to specify the type and location of the replay cache. The variable can be set to the following value:
[[<rc type>:]<file name>]
where <rc type> can be either FILE or MEMORY. <file name> is relevant only when specifying the replay cache file type.
If not defined, the default value is:
FILE:/var/krb5/rcache/root/rc_<service>
...if the process is owned by root, or:
FILE:/var/krb5/rcache/rc_<service>
...if the process is owned by a user other than root.
<service> is the service process name associated with
the replay cache file.
The replay cache is used by Kerberos to detect the replay of authentication data. This prevents people who capture authentication messages on the network from authenticating to the server by resending these messages.
When specifying the FILE replay cache type, care must be
taken to prevent the replay cache file from being
deleted by another user. Make sure that every directory
in the replay cache path is either writable only by the
owner of the replay cache or that the sticky bit ("t")
is set on every directory in the replay cache path to
which others have write permission.
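As an added example (not part of the man page), this POSIX shell script applies the directory rule just stated to a FILE replay cache: it derives the default KRB5RCNAME location for a given service and uid, then walks every directory on the cache path and requires each one to be either free of group/other write bits or sticky; the function names, the optional TOP argument that bounds the walk, and the "check" subcommand are this example's own.

```shell
#!/bin/sh
# Added example, not from the man page: verify that every directory on a FILE
# replay cache path is either writable only by its owner or has the sticky bit,
# so another user cannot delete the cache file and reopen the replay window.

# Default KRB5RCNAME value for SERVICE, given the numeric uid of the process.
krb5_rcache_default() {
    service=$1; uid=$2
    if [ "$uid" -eq 0 ]; then
        printf 'FILE:/var/krb5/rcache/root/rc_%s\n' "$service"
    else
        printf 'FILE:/var/krb5/rcache/rc_%s\n' "$service"
    fi
}

# Permission string (e.g. drwxrwxrwt) for one path; -L follows symlinked
# directories such as /tmp on some systems, and ls columns are the same on GNU/BSD.
krb5_mode() {
    ls -ldL "$1" | cut -c1-10
}

# Return 0 if DIR may hold a replay cache: no group/other write bit, or the
# sticky bit ("t"/"T") is set so only the file owner can remove the cache.
krb5_dir_ok() {
    m=$(krb5_mode "$1")
    gw=$(printf '%s' "$m" | cut -c6)
    ow=$(printf '%s' "$m" | cut -c9)
    st=$(printf '%s' "$m" | cut -c10)
    if [ "$gw" != w ] && [ "$ow" != w ]; then return 0; fi
    case $st in t|T) return 0 ;; esac
    return 1
}

# krb5_rcache_path_ok VALUE [TOP]: walk from the cache file's directory up to TOP
# (default /), printing the first unsafe directory and returning 1, else 0.
krb5_rcache_path_ok() {
    case $1 in MEMORY*) return 0 ;; esac   # nothing on disk for a MEMORY cache
    path=${1#*:}                           # strip an optional "FILE:" prefix
    top=${2:-/}
    dir=$(dirname "$path")
    while :; do
        krb5_dir_ok "$dir" || { printf 'unsafe directory: %s\n' "$dir"; return 1; }
        [ "$dir" = "$top" ] && return 0
        [ "$dir" = / ] && return 0
        dir=$(dirname "$dir")
    done
}

# Usage: sh rcachecheck.sh check [service]   (subcommand is this example's own)
case ${1:-} in
    check) krb5_rcache_path_ok "${KRB5RCNAME:-$(krb5_rcache_default "${2:-host}" "$(id -u)")}" ;;
esac
```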
When specifying the MEMORY replay cache type you need to
weigh the trade-off of performance against the slight
security risk created by using a non-persistent cache.
The risk occurs during system reboots when the following condition obtains:
o The duration from the last write to the replay cache before reboot to the point when the Kerberized server applications are running is less than the Kerberos clockskew (see krb5.conf(4)).
Under this condition, the server applications can accept a replay of Kerberos authentication data (up to the difference between the time of the last write and the clockskew). Typically, this is a small window of time. If the server applications take longer than the clockskew to start accepting connections there is no replay risk.
The risk described above is the same when using FILE
replay cache types when the replay cache resides on swap
file systems, such as /tmp and /var/run.
The performance improvement in MEMORY replay cache types
over FILE types is derived from the absence of disk I/O.
This is true even if the FILE replay cache is on a
memory-backed file system, such as swap (/tmp and
/var/run).
KRB5_CONFIG
Allows you to change the default location of the
/etc/krb5/krb5.conf file to enable the Kerberos library
code to read configuration parameters from another file
specified by KRB5_CONFIG. For example (using kinit from
ksh(1)):
KRB5_CONFIG=/var/tmp/krb5.conf kinit
ATTRIBUTES
See attributes(5) for a description of the following attributes:
____________________________________________________________
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
|_____________________________|_____________________________|
| Availability | SUNWkrbu |
|_____________________________|_____________________________|
| Interface Stability | Unstable |
|_____________________________|_____________________________|
SEE ALSO
chmod(1), kinit(1), klist(1), ksh(1), kadmin(1M),
kadmind(1M), krb5.conf(4), attributes(5), kerberos(5)