Standards, Environments, and Macros                 krb5envvar(5)



NAME
     krb5envvar - Kerberos environment variables

DESCRIPTION
     The Kerberos mechanism  provides  a  number  of  environment
     variables  to  configure different behavior in order to meet
     applications' needs. Environment variables used  within  the
     Kerberos mechanism are:

     KRB5KTNAME

         Used by the mechanism to specify the location of the key
         table file. The variable can be set to the following
         value:

           [<type>:]<file>

         where <type> can be FILE or WRFILE. FILE is for read
         operations; WRFILE is for write operations. <file> is
         the location of the keytab file.

         If KRB5KTNAME is not defined, the default value is:

           FILE:/etc/krb5/krb5.keytab

         The keytab  file  is  used  to  store  credentials  per-
         sistently and is used commonly for service daemons.

         Specifying the FILE type  assumes  that  the  subsequent
         operations  on  the  associated file are readable by the
         invoking process. Care must be taken to ensure that  the
         file is readable only by the set of principals that need
         to retrieve their unencrypted keys.

         The WRFILE type  is  used  by  the  kadmin(1M)  command.
         Specifying  this type allows the administrator to desig-
         nate an alternate keytab file to write to without  using
         extra command line arguments for file location.
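         The following is an added example, not text from this man
         page and not Solaris Kerberos code. It parses a KRB5KTNAME
         value using the type-prefixed syntax described above and
         turns the advice that the keytab be readable only by the
         principals that need it into a file-mode check. The
         function names and exit codes are this example's own
         assumptions.

```sh
#!/bin/sh
# Added example; not text from krb5envvar(5) and not Solaris Kerberos code.
# Resolves a KRB5KTNAME value and checks that the keytab is readable only
# by its owner. Function names and exit codes are this example's choices.

# Print "type file" for a KRB5KTNAME value. An empty value yields the
# default given in the man page; a value without a prefix is treated as
# FILE. An unrecognised prefix returns 1.
krb5_parse_ktname() {
    value=${1:-FILE:/etc/krb5/krb5.keytab}
    case $value in
        FILE:*)   echo "FILE ${value#FILE:}" ;;
        WRFILE:*) echo "WRFILE ${value#WRFILE:}" ;;
        *:*)      return 1 ;;
        *)        echo "FILE $value" ;;
    esac
}

# Return 0 when the file exists with neither the group-read nor the
# world-read bit set, 1 when it is readable by others, 2 when it is absent.
# find(1) with -prune tests the named file itself without descending.
krb5_check_keytab_perms() {
    [ -f "$1" ] || return 2
    open=$(find "$1" -prune \( -perm -0040 -o -perm -0004 \) -print)
    [ -z "$open" ]
}

# Parse the variable, then check the resolved keytab. A WRFILE keytab
# (the write-side type used by kadmin(1M)) holds the same unencrypted
# keys, so it gets the same check.
krb5_audit_ktname() {
    parsed=$(krb5_parse_ktname "$1") || return 3
    ktype=${parsed%% *}
    kfile=${parsed#* }
    rc=0
    krb5_check_keytab_perms "$kfile" || rc=$?
    case $rc in
        0) echo "ok: $ktype keytab $kfile is readable only by its owner" ;;
        1) echo "warning: $ktype keytab $kfile is readable by group or others" >&2 ;;
        2) echo "error: $ktype keytab $kfile does not exist" >&2 ;;
    esac
    return $rc
}

# Audit the keytab the current environment would use (or the default).
krb5_audit_ktname "${KRB5KTNAME:-}" || :
```

         Exit status 1 means the keytab is readable by group or
         others, the condition the paragraph above warns about;
         2 means the file is missing, which for a service daemon
         usually surfaces later as an authentication failure.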


     KRB5CNAME

         Used by the mechanism to specify the location of the
         credential cache. The variable can be set to the
         following value:

           [<type>:]<file>

         where <type> can be FILE or MEMORY. <file> is the
         location of the principal's credential cache.



SunOS 5.11          Last change: 13 Feb 2008                    1
         If KRB5CNAME is not defined, the default value is:

           FILE:/tmp/krb5cc_<uid>

         where <uid> is the user id of the process that created
         the cache file.

         The credential cache file is used to store tickets  that
         have been granted to the principal.

         Specifying the FILE type assumes that subsequent opera-
         tions  on  the associated file are readable and writable
         by the invoking process. Care must be  taken  to  ensure
         that  the  file is accessible only by the set of princi-
         pals that need  to  access  their  credentials.  If  the
         credential  file  is in a directory to which other users
         have write access, you  need  to  set  that  directory's
         sticky bit (see chmod(1)).

         The MEMORY credential cache type is used only in special
         cases,  such  as  when  making a temporary cache for the
         life of the invoking process.


     KRB5RCNAME

         Used by the mechanism to specify the type and location
         of the replay cache. The variable can be set to the
         following value:

           [<type>:]<file>

         where <type> can be either FILE, MEMORY, or NONE.
         <file> is relevant only when specifying the replay
         cache file type.

         If not defined, the default value is:

           FILE:/var/krb5/rcache/root/rc_<service>

         ...if the process is owned by root, or:

           FILE:/var/krb5/rcache/rc_<service>

         ...if the process is owned by a user other than root.
         <service> is the service process name associated with
         the replay cache file.

         The replay cache is used by Kerberos to detect the
         replay of authentication data. This prevents people who
         capture authentication messages on the network from
         authenticating to the server by resending these
         messages.

         When specifying the FILE replay cache type, care must be
         taken  to  prevent  the  replay  cache  file  from being
         deleted by another user. Make sure that every  directory
         in  the replay cache path is either writable only by the
         owner of the replay cache or that the sticky  bit  ("t")
         is  set  on  every directory in the replay cache path to
         which others have write permission.

         When specifying the MEMORY replay cache type you need to
         weigh the trade-off of performance against the slight
         security risk created by using a non-persistent cache.
         The risk occurs during system reboots when the following
         condition obtains:

             o    The duration from the last write to the replay
                  cache before reboot to the point when the
                  Kerberized server applications are running is
                  less than the Kerberos clockskew (see
                  krb5.conf(4)).

         Under this condition, the server applications can accept
         a replay of Kerberos authentication data (up to the
         difference between the time of the last write and the
         clockskew). Typically, this is a small window of time.
         If the server applications take longer than the
         clockskew to start accepting connections there is no
         replay risk.

         The risk described above is the same when using FILE
         replay cache types when the replay cache resides on swap
         file systems, such as /tmp and /var/run.

         When specifying the NONE replay cache type you need to
         understand that this disables the replay cache, and all
         security risks that this presents. This includes all the
         risks outlined in this section of the man page.

         The performance improvement in MEMORY replay cache types
         over FILE types is derived from the absence of disk I/O.
         This is true even if the  FILE  replay  cache  is  on  a
         memory-backed  file  system,  such  as  swap  (/tmp  and
         /var/run).

         Note that MEMORY-type caches are per-process caches,
         therefore use of these types of caches must be carefully
         considered. One example of where MEMORY-type caches can
         be problematic is when an application uses more than
         one process for establishing security contexts. In such
         a case, memory replay caches are not shared across the
         processes, thus allowing potential for replay attacks.
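         The following is an added example, not part of this man
         page and not Solaris Kerberos code. It turns the directory
         advice given for both the KRB5CNAME and KRB5RCNAME FILE
         caches into a check: it walks every directory on the cache
         path and reports any that group or others can write to
         without the sticky bit set. The optional second argument,
         which stops the walk at a given top directory, and all
         function names are assumptions of the example; MEMORY and
         NONE specs have no path to check and only get the caveats
         stated above echoed back.

```sh
#!/bin/sh
# Added example; not text from krb5envvar(5) and not Solaris Kerberos code.
# Checks the directory chain of a FILE credential or replay cache the way
# the man page asks: each directory is writable only by its owner, or has
# the sticky bit set where others can write. Function names are assumed.

# Split a [<type>:]<file> cache spec into "type file". An unprefixed value
# is a FILE spec; accepted types are FILE, MEMORY and NONE. Empty or
# unrecognised specs return 1.
krb5_parse_cache_spec() {
    value=$1
    [ -n "$value" ] || return 1
    case $value in
        FILE:*)      echo "FILE ${value#FILE:}" ;;
        MEMORY:*)    echo "MEMORY ${value#MEMORY:}" ;;
        NONE|NONE:*) echo "NONE" ;;
        *:*)         return 1 ;;
        *)           echo "FILE $value" ;;
    esac
}

# Walk from the cache file's directory up to $2 (default /). Report every
# directory that is group- or world-writable without the sticky bit: that
# is the case in which another user could delete the cache file.
# Returns 0 when the chain is clean, 1 otherwise.
krb5_check_cache_dir_chain() {
    dir=$(dirname "$1")
    top=${2:-/}
    status=0
    while :; do
        bad=$(find "$dir" -prune \( -perm -0020 -o -perm -0002 \) ! -perm -1000 -print)
        if [ -n "$bad" ]; then
            echo "unsafe: $dir is writable by others and has no sticky bit" >&2
            status=1
        fi
        [ "$dir" = "$top" ] && break
        parent=$(dirname "$dir")
        [ "$parent" = "$dir" ] && break   # reached / or a bare relative name
        dir=$parent
    done
    return $status
}

# Audit one cache spec. FILE specs get the directory walk; for the other
# types the man page's caveats are echoed instead.
krb5_audit_cache_spec() {
    parsed=$(krb5_parse_cache_spec "$1") || return 3
    ctype=${parsed%% *}
    cfile=${parsed#* }
    case $ctype in
        FILE)   krb5_check_cache_dir_chain "$cfile" "$2" ;;
        MEMORY) echo "note: MEMORY cache is per-process and not persistent" >&2 ;;
        NONE)   echo "warning: NONE disables the replay cache" >&2 ;;
    esac
}

# Stand-alone use: audit the replay cache named in the environment, if any.
if [ -n "${KRB5RCNAME:-}" ]; then
    krb5_audit_cache_spec "$KRB5RCNAME" || :
fi
```

         The same function applies to a KRB5CNAME value, since the
         page gives identical directory advice for the credential
         cache; a relative cache path stops the walk at its first
         directory, so pass absolute paths when auditing a real
         configuration.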

     KRB5CONFIG

         Allows  you  to  change  the  default  location  of  the
         /etc/krb5/krb5.conf  file to enable the Kerberos library
         code to read configuration parameters from another  file
         specified  by KRB5CONFIG. For example (using kinit from
         ksh(1)):

            KRB5CONFIG=/var/tmp/krb5.conf kinit



ATTRIBUTES
     See attributes(5) for a description of the following
     attributes:

     ATTRIBUTE TYPE               ATTRIBUTE VALUE
     Availability                 SUNWkrbu
     Interface Stability          Uncommitted


SEE ALSO
     chmod(1),   kinit(1),    klist(1),    ksh(1),    kadmin(1M),
     kadmind(1M), krb5.conf(4), attributes(5), kerberos(5)
