Diffstat (limited to 'doc/pdf/basic.tex')
| -rw-r--r-- | doc/pdf/basic.tex | 751 | 
1 files changed, 751 insertions, 0 deletions
| diff --git a/doc/pdf/basic.tex b/doc/pdf/basic.tex new file mode 100644 index 000000000000..d13762e98d6d --- /dev/null +++ b/doc/pdf/basic.tex 
@@ -0,0 +1,751 @@ +% Generated by Sphinx. +\def\sphinxdocclass{report} +\documentclass[letterpaper,10pt,english]{sphinxmanual} +\usepackage[utf8]{inputenc} +\DeclareUnicodeCharacter{00A0}{\nobreakspace} +\usepackage{cmap} +\usepackage[T1]{fontenc} +\usepackage{babel} +\usepackage{times} +\usepackage[Bjarne]{fncychap} +\usepackage{longtable} +\usepackage{sphinx} +\usepackage{multirow} + + +\title{Kerberos Concepts} +\date{ } +\release{1.15.1} +\author{MIT} +\newcommand{\sphinxlogo}{} +\renewcommand{\releasename}{Release} +\makeindex + +\makeatletter +\def\PYG@reset{\let\PYG@it=\relax \let\PYG@bf=\relax% +    \let\PYG@ul=\relax \let\PYG@tc=\relax% +    \let\PYG@bc=\relax \let\PYG@ff=\relax} +\def\PYG@tok#1{\csname PYG@tok@#1\endcsname} +\def\PYG@toks#1+{\ifx\relax#1\empty\else% +    \PYG@tok{#1}\expandafter\PYG@toks\fi} +\def\PYG@do#1{\PYG@bc{\PYG@tc{\PYG@ul{% +    \PYG@it{\PYG@bf{\PYG@ff{#1}}}}}}} +\def\PYG#1#2{\PYG@reset\PYG@toks#1+\relax+\PYG@do{#2}} + +\expandafter\def\csname PYG@tok@gd\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.63,0.00,0.00}{##1}}} +\expandafter\def\csname PYG@tok@gu\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.50,0.00,0.50}{##1}}} +\expandafter\def\csname PYG@tok@gt\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.27,0.87}{##1}}} +\expandafter\def\csname PYG@tok@gs\endcsname{\let\PYG@bf=\textbf} +\expandafter\def\csname PYG@tok@gr\endcsname{\def\PYG@tc##1{\textcolor[rgb]{1.00,0.00,0.00}{##1}}} +\expandafter\def\csname PYG@tok@cm\endcsname{\let\PYG@it=\textit\def\PYG@tc##1{\textcolor[rgb]{0.25,0.50,0.56}{##1}}} +\expandafter\def\csname PYG@tok@vg\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.73,0.38,0.84}{##1}}} +\expandafter\def\csname PYG@tok@m\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.13,0.50,0.31}{##1}}} +\expandafter\def\csname PYG@tok@mh\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.13,0.50,0.31}{##1}}} +\expandafter\def\csname 
PYG@tok@cs\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.50,0.56}{##1}}\def\PYG@bc##1{\setlength{\fboxsep}{0pt}\colorbox[rgb]{1.00,0.94,0.94}{\strut ##1}}} +\expandafter\def\csname PYG@tok@ge\endcsname{\let\PYG@it=\textit} +\expandafter\def\csname PYG@tok@vc\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.73,0.38,0.84}{##1}}} +\expandafter\def\csname PYG@tok@il\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.13,0.50,0.31}{##1}}} +\expandafter\def\csname PYG@tok@go\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.20,0.20,0.20}{##1}}} +\expandafter\def\csname PYG@tok@cp\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} +\expandafter\def\csname PYG@tok@gi\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.63,0.00}{##1}}} +\expandafter\def\csname PYG@tok@gh\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.00,0.50}{##1}}} +\expandafter\def\csname PYG@tok@ni\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.84,0.33,0.22}{##1}}} +\expandafter\def\csname PYG@tok@nl\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.13,0.44}{##1}}} +\expandafter\def\csname PYG@tok@nn\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.05,0.52,0.71}{##1}}} +\expandafter\def\csname PYG@tok@no\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.38,0.68,0.84}{##1}}} +\expandafter\def\csname PYG@tok@na\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} +\expandafter\def\csname PYG@tok@nb\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} +\expandafter\def\csname PYG@tok@nc\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.05,0.52,0.71}{##1}}} +\expandafter\def\csname PYG@tok@nd\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.33,0.33,0.33}{##1}}} +\expandafter\def\csname PYG@tok@ne\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} +\expandafter\def\csname PYG@tok@nf\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.02,0.16,0.49}{##1}}} +\expandafter\def\csname 
PYG@tok@si\endcsname{\let\PYG@it=\textit\def\PYG@tc##1{\textcolor[rgb]{0.44,0.63,0.82}{##1}}} +\expandafter\def\csname PYG@tok@s2\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} +\expandafter\def\csname PYG@tok@vi\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.73,0.38,0.84}{##1}}} +\expandafter\def\csname PYG@tok@nt\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.02,0.16,0.45}{##1}}} +\expandafter\def\csname PYG@tok@nv\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.73,0.38,0.84}{##1}}} +\expandafter\def\csname PYG@tok@s1\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} +\expandafter\def\csname PYG@tok@gp\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.78,0.36,0.04}{##1}}} +\expandafter\def\csname PYG@tok@sh\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} +\expandafter\def\csname PYG@tok@ow\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} +\expandafter\def\csname PYG@tok@sx\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.78,0.36,0.04}{##1}}} +\expandafter\def\csname PYG@tok@bp\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} +\expandafter\def\csname PYG@tok@c1\endcsname{\let\PYG@it=\textit\def\PYG@tc##1{\textcolor[rgb]{0.25,0.50,0.56}{##1}}} +\expandafter\def\csname PYG@tok@kc\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} +\expandafter\def\csname PYG@tok@c\endcsname{\let\PYG@it=\textit\def\PYG@tc##1{\textcolor[rgb]{0.25,0.50,0.56}{##1}}} +\expandafter\def\csname PYG@tok@mf\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.13,0.50,0.31}{##1}}} +\expandafter\def\csname PYG@tok@err\endcsname{\def\PYG@bc##1{\setlength{\fboxsep}{0pt}\fcolorbox[rgb]{1.00,0.00,0.00}{1,1,1}{\strut ##1}}} +\expandafter\def\csname PYG@tok@kd\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} +\expandafter\def\csname PYG@tok@ss\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.32,0.47,0.09}{##1}}} +\expandafter\def\csname 
PYG@tok@sr\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.14,0.33,0.53}{##1}}} +\expandafter\def\csname PYG@tok@mo\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.13,0.50,0.31}{##1}}} +\expandafter\def\csname PYG@tok@mi\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.13,0.50,0.31}{##1}}} +\expandafter\def\csname PYG@tok@kn\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} +\expandafter\def\csname PYG@tok@o\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.40,0.40,0.40}{##1}}} +\expandafter\def\csname PYG@tok@kr\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} +\expandafter\def\csname PYG@tok@s\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} +\expandafter\def\csname PYG@tok@kp\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} +\expandafter\def\csname PYG@tok@w\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.73,0.73,0.73}{##1}}} +\expandafter\def\csname PYG@tok@kt\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.56,0.13,0.00}{##1}}} +\expandafter\def\csname PYG@tok@sc\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} +\expandafter\def\csname PYG@tok@sb\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} +\expandafter\def\csname PYG@tok@k\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} +\expandafter\def\csname PYG@tok@se\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} +\expandafter\def\csname PYG@tok@sd\endcsname{\let\PYG@it=\textit\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} + +\def\PYGZbs{\char`\\} +\def\PYGZus{\char`\_} +\def\PYGZob{\char`\{} +\def\PYGZcb{\char`\}} +\def\PYGZca{\char`\^} +\def\PYGZam{\char`\&} +\def\PYGZlt{\char`\<} +\def\PYGZgt{\char`\>} +\def\PYGZsh{\char`\#} +\def\PYGZpc{\char`\%} +\def\PYGZdl{\char`\$} +\def\PYGZhy{\char`\-} +\def\PYGZsq{\char`\'} +\def\PYGZdq{\char`\"} +\def\PYGZti{\char`\~} +% for compatibility with earlier versions +\def\PYGZat{@} +\def\PYGZlb{[} 
+\def\PYGZrb{]} +\makeatother + +\begin{document} + +\maketitle +\tableofcontents +\phantomsection\label{basic/index::doc} + + + +\chapter{Credential cache} +\label{basic/ccache_def:basic-concepts}\label{basic/ccache_def::doc}\label{basic/ccache_def:credential-cache}\label{basic/ccache_def:ccache-definition}\label{basic/ccache_def:kerberos-v5-concepts} +A credential cache (or ``ccache'') holds Kerberos credentials while they +remain valid and, generally, while the user's session lasts, so that +authenticating to a service multiple times (e.g., connecting to a web +or mail server more than once) doesn't require contacting the KDC +every time. + +A credential cache usually contains one initial ticket which is +obtained using a password or another form of identity verification. +If this ticket is a ticket-granting ticket, it can be used to obtain +additional credentials without the password.  Because the credential +cache does not store the password, less long-term damage can be done +to the user's account if the machine is compromised. + +A credentials cache stores a default client principal name, set when +the cache is created.  This is the name shown at the top of the +\emph{klist(1)} \emph{-A} output. + +Each normal cache entry includes a service principal name, a client +principal name (which, in some ccache types, need not be the same as +the default), lifetime information, and flags, along with the +credential itself.  There are also other entries, indicated by special +names, that store additional information. + + +\section{ccache types} +\label{basic/ccache_def:ccache-types} +The credential cache interface, like the {\hyperref[basic/keytab_def:keytab-definition]{\emph{keytab}}} and +{\hyperref[basic/rcache_def:rcache-definition]{\emph{replay cache}}} interfaces, uses \emph{TYPE:value} strings to +indicate the type of credential cache and any associated cache naming +data to use. 
+ +There are several kinds of credentials cache supported in the MIT +Kerberos library.  Not all are supported on every platform.  In most +cases, it should be correct to use the default type built into the +library. +\begin{enumerate} +\item {}  +\textbf{API} is only implemented on Windows.  It communicates with a +server process that holds the credentials in memory for the user, +rather than writing them to disk. + +\item {}  +\textbf{DIR} points to the storage location of the collection of the +credential caches in \emph{FILE:} format. It is most useful when dealing +with multiple Kerberos realms and KDCs.  For release 1.10 the +directory must already exist.  In post-1.10 releases the +requirement is for parent directory to exist and the current +process must have permissions to create the directory if it does +not exist. See {\hyperref[basic/ccache_def:col-ccache]{\emph{Collections of caches}}} for details.  New in release 1.10. + +\item {}  +\textbf{FILE} caches are the simplest and most portable. A simple flat +file format is used to store one credential after another.  This is +the default ccache type if no type is specified in a ccache name. + +\item {}  +\textbf{KCM} caches work by contacting a daemon process called \code{kcm} +to perform cache operations.  If the cache name is just \code{KCM:}, +the default cache as determined by the KCM daemon will be used. +Newly created caches must generally be named \code{KCM:uid:name}, +where \emph{uid} is the effective user ID of the running process. + +KCM client support is new in release 1.13.  A KCM daemon has not +yet been implemented in MIT krb5, but the client will interoperate +with the KCM daemon implemented by Heimdal.  OS X 10.7 and higher +provides a KCM daemon as part of the operating system, and the +\textbf{KCM} cache type is used as the default cache on that platform in +a default build. 
+ +\item {}  +\textbf{KEYRING} is Linux-specific, and uses the kernel keyring support +to store credential data in unswappable kernel memory where only +the current user should be able to access it.  The following +residual forms are supported: +\begin{itemize} +\item {}  +KEYRING:name + +\item {}  +KEYRING:process:name - process keyring + +\item {}  +KEYRING:thread:name -  thread keyring + +\end{itemize} + +Starting with release 1.12 the \emph{KEYRING} type supports collections. +The following new residual forms were added: +\begin{itemize} +\item {}  +KEYRING:session:name - session keyring + +\item {}  +KEYRING:user:name - user keyring + +\item {}  +KEYRING:persistent:uidnumber - persistent per-UID collection. +Unlike the user keyring, this collection survives after the user +logs out, until the cache credentials expire.  This type of +ccache requires support from the kernel; otherwise, it will fall +back to the user keyring. + +\end{itemize} + +See {\hyperref[basic/ccache_def:col-ccache]{\emph{Collections of caches}}} for details. + +\item {}  +\textbf{MEMORY} caches are for storage of credentials that don't need to +be made available outside of the current process.  For example, a +memory ccache is used by \emph{kadmin(1)} to store the +administrative ticket used to contact the admin server.  Memory +ccaches are faster than file ccaches and are automatically +destroyed when the process exits. + +\item {}  +\textbf{MSLSA} is a Windows-specific cache type that accesses the +Windows credential store. + +\end{enumerate} + + +\section{Collections of caches} +\label{basic/ccache_def:collections-of-caches}\label{basic/ccache_def:col-ccache} +Some credential cache types can support collections of multiple +caches.  One of the caches in the collection is designated as the +\emph{primary} and will be used when the collection is resolved as a cache. 
+When a collection-enabled cache type is the default cache for a +process, applications can search the specified collection for a +specific client principal, and GSSAPI applications will automatically +select between the caches in the collection based on criteria such as +the target service realm. + +Credential cache collections are new in release 1.10, with support +from the \textbf{DIR} and \textbf{API} ccache types.  Starting in release 1.12, +collections are also supported by the \textbf{KEYRING} ccache type. +Collections are supported by the \textbf{KCM} ccache type in release 1.13. + + +\subsection{Tool alterations to use cache collection} +\label{basic/ccache_def:tool-alterations-to-use-cache-collection}\begin{itemize} +\item {}  +\emph{kdestroy(1)} \emph{-A} will destroy all caches in the collection. + +\item {}  +If the default cache type supports switching, \emph{kinit(1)} +\emph{princname} will search the collection for a matching cache and +store credentials there, or will store credentials in a new unique +cache of the default type if no existing cache for the principal +exists.  Either way, kinit will switch to the selected cache. + +\item {}  +\emph{klist(1)} \emph{-l} will list the caches in the collection. + +\item {}  +\emph{klist(1)} \emph{-A} will show the content of all caches in the +collection. + +\item {}  +\emph{kswitch(1)} \emph{-p princname} will search the collection for a +matching cache and switch to it. + +\item {}  +\emph{kswitch(1)} \emph{-c cachename} will switch to a specified cache. + +\end{itemize} + + +\section{Default ccache name} +\label{basic/ccache_def:default-ccache-name} +The default credential cache name is determined by the following, in +descending order of priority: +\begin{enumerate} +\item {}  +The \textbf{KRB5CCNAME} environment variable.  For example, +\code{KRB5CCNAME=DIR:/mydir/}. + +\item {}  +The \textbf{default\_ccache\_name} profile variable in \emph{libdefaults}. 
+ +\item {}  +The hardcoded default, \emph{DEFCCNAME}. + +\end{enumerate} + + +\chapter{keytab} +\label{basic/keytab_def:keytab}\label{basic/keytab_def::doc}\label{basic/keytab_def:keytab-definition} +A keytab (short for ``key table'') stores long-term keys for one or more +principals.  Keytabs are normally represented by files in a standard +format, although in rare cases they can be represented in other ways. +Keytabs are used most often to allow server applications to accept +authentications from clients, but can also be used to obtain initial +credentials for client applications. + +Keytabs are named using the format \emph{type}\code{:}\emph{value}.  Usually +\emph{type} is \code{FILE} and \emph{value} is the absolute pathname of the file. +Other possible values for \emph{type} are \code{SRVTAB}, which indicates a +file in the deprecated Kerberos 4 srvtab format, and \code{MEMORY}, which +indicates a temporary keytab stored in the memory of the current +process. + +A keytab contains one or more entries, where each entry consists of a +timestamp (indicating when the entry was written to the keytab), a +principal name, a key version number, an encryption type, and the +encryption key itself. + +A keytab can be displayed using the \emph{klist(1)} command with the +\code{-k} option.  Keytabs can be created or appended to by extracting +keys from the KDC database using the \emph{kadmin(1)} \emph{ktadd} +command.  Keytabs can be manipulated using the \emph{ktutil(1)} and +\emph{k5srvutil(1)} commands. + + +\section{Default keytab} +\label{basic/keytab_def:default-keytab} +The default keytab is used by server applications if the application +does not request a specific keytab.  The name of the default keytab is +determined by the following, in decreasing order of preference: +\begin{enumerate} +\item {}  +The \textbf{KRB5\_KTNAME} environment variable. + +\item {}  +The \textbf{default\_keytab\_name} profile variable in \emph{libdefaults}. 
+ +\item {}  +The hardcoded default, \emph{DEFKTNAME}. + +\end{enumerate} + + +\section{Default client keytab} +\label{basic/keytab_def:default-client-keytab} +The default client keytab is used, if it is present and readable, to +automatically obtain initial credentials for GSSAPI client +applications.  The principal name of the first entry in the client +keytab is used by default when obtaining initial credentials.  The +name of the default client keytab is determined by the following, in +decreasing order of preference: +\begin{enumerate} +\item {}  +The \textbf{KRB5\_CLIENT\_KTNAME} environment variable. + +\item {}  +The \textbf{default\_client\_keytab\_name} profile variable in +\emph{libdefaults}. + +\item {}  +The hardcoded default, \emph{DEFCKTNAME}. + +\end{enumerate} + + +\chapter{replay cache} +\label{basic/rcache_def:replay-cache}\label{basic/rcache_def:rcache-definition}\label{basic/rcache_def::doc} +A replay cache (or ``rcache'') keeps track of all authenticators +recently presented to a service.  If a duplicate authentication +request is detected in the replay cache, an error message is sent to +the application program. + +The replay cache interface, like the credential cache and +{\hyperref[basic/keytab_def:keytab-definition]{\emph{keytab}}} interfaces, uses \emph{type:value} strings to +indicate the type of replay cache and any associated cache naming +data to use. + + +\section{Background information} +\label{basic/rcache_def:background-information} +Some Kerberos or GSSAPI services use a simple authentication mechanism +where a message is sent containing an authenticator, which establishes +the encryption key that the client will use for talking to the +service.  
But nothing about that prevents an eavesdropper from +recording the messages sent by the client, establishing a new +connection, and re-sending or ``replaying'' the same messages; the +replayed authenticator will establish the same encryption key for the +new session, and the following messages will be decrypted and +processed.  The attacker may not know what the messages say, and can't +generate new messages under the same encryption key, but in some +instances it may be harmful to the user (or helpful to the attacker) +to cause the server to see the same messages again a second time.  For +example, if the legitimate client sends ``delete first message in +mailbox'', a replay from an attacker may delete another, different +``first'' message.  (Protocol design to guard against such problems has +been discussed in \index{RFC!RFC 4120\#section-10}\href{http://tools.ietf.org/html/rfc4120.html\#section-10}{\textbf{RFC 4120}}.) + +Even if one protocol uses further protection to verify that the client +side of the connection actually knows the encryption keys (and thus is +presumably a legitimate user), if another service uses the same +service principal name, it may be possible to record an authenticator +used with the first protocol and ``replay'' it against the second. + +The replay cache mitigates these attacks somewhat, by keeping track of +authenticators that have been seen until their five-minute window +expires.  Different authenticators generated by multiple connections +from the same legitimate client will generally have different +timestamps, and thus will not be considered the same. + +This mechanism isn't perfect.  If a message is sent to one application +server but a man-in-the-middle attacker can prevent it from actually +arriving at that server, the attacker could then use the authenticator +(once!) against a different service on the same host.  
This could be a +problem if the message from the client included something more than +authentication in the first message that could be useful to the +attacker (which is uncommon; in most protocols the server has to +indicate a successful authentication before the client sends +additional messages), or if the simple act of presenting the +authenticator triggers some interesting action in the service being +attacked. + + +\section{Default rcache type} +\label{basic/rcache_def:default-rcache-type} +There is currently only one implemented kind of replay cache, called +\textbf{dfl}.  It stores replay data in one file, occasionally rewriting it +to purge old, expired entries. + +The default type can be overridden by the \textbf{KRB5RCACHETYPE} +environment variable. + +The placement of the replay cache file is determined by the following: +\begin{enumerate} +\item {}  +The \textbf{KRB5RCACHEDIR} environment variable; + +\item {}  +If KRB5RCACHEDIR is unspecified, on UNIX, the library +will fall back to the environment variable \textbf{TMPDIR}, and then to +a temporary directory determined at configuration time such as +\emph{/tmp} or \emph{/var/tmp}; on Windows, it will check the environment +variables \emph{TEMP} and \emph{TMP}, and fall back to the directory C:\textbackslash{}. + +\end{enumerate} + + +\section{Performance issues} +\label{basic/rcache_def:performance-issues} +Several known minor performance issues that may occur when replay +cache is enabled on the Kerberos system include: delays due to writing +the authenticator data to disk slowing down response time for very +heavily loaded servers, and delays during the rewrite that may be +unacceptable to high-performance services. 
+ +For use cases where replays are adequately defended against for all +protocols using a given service principal name, or where performance +or other considerations outweigh the risk of replays, the special +replay cache type ``none'' can be specified: + +\begin{Verbatim}[commandchars=\\\{\}] +\PYG{n}{KRB5RCACHETYPE}\PYG{o}{=}\PYG{n}{none} +\end{Verbatim} + +It doesn't record any information about authenticators, and reports +that any authenticator seen is not a replay. + + +\chapter{stash file} +\label{basic/stash_file_def:stash-file}\label{basic/stash_file_def::doc}\label{basic/stash_file_def:stash-definition} +The stash file is a local copy of the master key that resides in +encrypted form on the KDC's local disk.  The stash file is used to +authenticate the KDC to itself automatically before starting the +\emph{kadmind(8)} and \emph{krb5kdc(8)} daemons (e.g., as part of the +machine's boot sequence).  The stash file, like the keytab file (see +\emph{keytab\_file}) is a potential point-of-entry for a break-in, and +if compromised, would allow unrestricted access to the Kerberos +database.  If you choose to install a stash file, it should be +readable only by root, and should exist only on the KDC's local disk. +The file should not be part of any backup of the machine, unless +access to the backup data is secured as tightly as access to the +master password itself. + +\begin{notice}{note}{Note:} +If you choose not to install a stash file, the KDC will prompt you for the master key each time it starts up. +This means that the KDC will not be able to start automatically, such as after a system reboot. 
+\end{notice} + + +\chapter{Supported date and time formats} +\label{basic/date_format:supported-date-and-time-formats}\label{basic/date_format::doc}\label{basic/date_format:datetime} + +\section{Time duration} +\label{basic/date_format:duration}\label{basic/date_format:time-duration} +This format is used to express a time duration in the Kerberos +configuration files and user commands.  The allowed formats are: +\begin{quote} + +\begin{tabulary}{\linewidth}{|L|L|L|} +\hline + +Format + &  +Example + &  +Value +\\ +\hline +h:m{[}:s{]} + &  +36:00 + &  +36 hours +\\ +\hline +NdNhNmNs + &  +8h30s + &  +8 hours 30 seconds +\\ +\hline +N (number of seconds) + &  +3600 + &  +1 hour +\\ +\hline\end{tabulary} + +\end{quote} + +Here \emph{N} denotes a number, \emph{d} - days, \emph{h} - hours, \emph{m} - minutes, +\emph{s} - seconds. + +\begin{notice}{note}{Note:} +The time interval should not exceed 2147483647 seconds. +\end{notice} + +Examples: + +\begin{Verbatim}[commandchars=\\\{\}] +Request a ticket valid for one hour, five hours, 30 minutes +and 10 days respectively: + +  kinit \PYGZhy{}l 3600 +  kinit \PYGZhy{}l 5:00 +  kinit \PYGZhy{}l 30m +  kinit \PYGZhy{}l \PYGZdq{}10d 0h 0m 0s\PYGZdq{} +\end{Verbatim} + + +\section{getdate time} +\label{basic/date_format:getdate-time}\label{basic/date_format:getdate} +Some of the kadmin and kdb5\_util commands take a date-time in a +human-readable format.  
Some of the acceptable date-time +strings are: +\begin{quote} + +\begin{tabulary}{\linewidth}{|L|L|L|} +\hline +\textsf{\relax } & \textsf{\relax  +Format +} & \textsf{\relax  +Example +}\\ +\hline \multirow{3}{*}{ +Date +} &  +mm/dd/yy + &  +07/27/12 +\\ +\hline &  +month dd, yyyy + &  +Jul 27, 2012 +\\ +\hline &  +yyyy-mm-dd + &  +2012-07-27 +\\ +\hline \multirow{2}{*}{ +Absolute +time +} &  +HH:mm{[}:ss{]}pp + &  +08:30 PM +\\ +\hline &  +hh:mm{[}:ss{]} + &  +20:30 +\\ +\hline +Relative +time + &  +N tt + &  +30 sec +\\ +\hline \multirow{2}{*}{ +Time zone +} &  +Z + &  +EST +\\ +\hline &  +z + &  +-0400 +\\ +\hline\end{tabulary} + +\end{quote} + +(See {\hyperref[basic/date_format:abbreviation]{\emph{Abbreviations used in this document}}}.) + +Examples: + +\begin{Verbatim}[commandchars=\\\{\}] +Create a principal that expires on the date indicated: +    addprinc test1 \PYGZhy{}expire \PYGZdq{}3/27/12 10:00:07 EST\PYGZdq{} +    addprinc test2 \PYGZhy{}expire \PYGZdq{}January 23, 2015 10:05pm\PYGZdq{} +    addprinc test3 \PYGZhy{}expire \PYGZdq{}22:00 GMT\PYGZdq{} +Add a principal that will expire in 30 minutes: +    addprinc test4 \PYGZhy{}expire \PYGZdq{}30 minutes\PYGZdq{} +\end{Verbatim} + + +\section{Absolute time} +\label{basic/date_format:abstime}\label{basic/date_format:absolute-time} +This rarely used date-time format can be noted in one of the +following ways: +\begin{quote} + +\begin{tabulary}{\linewidth}{|L|L|L|} +\hline +\textsf{\relax  +Format +} & \textsf{\relax  +Example +} & \textsf{\relax  +Value +}\\ +\hline +yyyymmddhhmmss + &  +20141231235900 + &  \multirow{5}{*}{ +One minute +before 2015 +}\\ +\hline +yyyy.mm.dd.hh.mm.ss + &  +2014.12.31.23.59.00 + & \\ +\hline +yymmddhhmmss + &  +141231235900 + & \\ +\hline +yy.mm.dd.hh.mm.ss + &  +14.12.31.23.59.00 + & \\ +\hline +dd-month-yyyy:hh:mm:ss + &  +31-Dec-2014:23:59:00 + & \\ +\hline +hh:mm:ss + &  +20:00:00 + &  \multirow{2}{*}{ +8 o'clock in +the evening +}\\ +\hline +hhmmss + &  +200000 + & \\ 
+\hline\end{tabulary} + +\end{quote} + +(See {\hyperref[basic/date_format:abbreviation]{\emph{Abbreviations used in this document}}}.) + +Example: + +\begin{Verbatim}[commandchars=\\\{\}] +Set the default expiration date to July 27, 2012 at 20:30 +default\PYGZus{}principal\PYGZus{}expiration = 20120727203000 +\end{Verbatim} + + +\subsection{Abbreviations used in this document} +\label{basic/date_format:abbreviation}\label{basic/date_format:abbreviations-used-in-this-document} +\begin{DUlineblock}{0em} +\item[] \emph{month}  : locale’s month name or its abbreviation; +\item[] \emph{dd}   : day of month (01-31); +\item[] \emph{HH}   : hours (00-12); +\item[] \emph{hh}   : hours (00-23); +\item[] \emph{mm}   : in time - minutes (00-59); in date - month (01-12); +\item[] \emph{N}    : number; +\item[] \emph{pp}   : AM or PM; +\item[] \emph{ss}   : seconds  (00-60); +\item[] \emph{tt}   : time units (hours, minutes, min, seconds, sec); +\item[] \emph{yyyy} : year; +\item[] \emph{yy}   : last two digits of the year; +\item[] \emph{Z}    : alphabetic time zone abbreviation; +\item[] \emph{z}    : numeric time zone; +\end{DUlineblock} + +\begin{notice}{note}{Note:}\begin{itemize} +\item {}  +If the date specification contains spaces, you may need to +enclose it in double quotes; + +\item {}  +All keywords are case-insensitive. + +\end{itemize} +\end{notice} + + + +\renewcommand{\indexname}{Index} +\printindex +\end{document} | 
