| Field | Value | Date |
|---|---|---|
| author | Cy Schubert <cy@FreeBSD.org> | 2023-08-04 17:53:10 +0000 |
| committer | Cy Schubert <cy@FreeBSD.org> | 2023-08-04 17:53:10 +0000 |
| commit | 0320e0d5bb9fbb5da53478b3fd80ad79b110191d (patch) | |
| tree | e1185f75bd2d3f87b0c17f787debc3ee8648214b /doc/html/_sources/basic | |
| parent | b0e4d68d5124581ae353493d69bea352de4cff8a (diff) | |
Diffstat (limited to 'doc/html/_sources/basic')
| Mode | File | Lines changed |
|---|---|---|
| -rw-r--r-- | doc/html/_sources/basic/ccache_def.rst.txt (renamed from doc/html/_sources/basic/ccache_def.txt) | 7 |
| -rw-r--r-- | doc/html/_sources/basic/date_format.rst.txt (renamed from doc/html/_sources/basic/date_format.txt) | 0 |
| -rw-r--r-- | doc/html/_sources/basic/index.rst.txt (renamed from doc/html/_sources/basic/index.txt) | 0 |
| -rw-r--r-- | doc/html/_sources/basic/keytab_def.rst.txt (renamed from doc/html/_sources/basic/keytab_def.txt) | 6 |
| -rw-r--r-- | doc/html/_sources/basic/rcache_def.rst.txt (renamed from doc/html/_sources/basic/rcache_def.txt) | 72 |
| -rw-r--r-- | doc/html/_sources/basic/stash_file_def.rst.txt (renamed from doc/html/_sources/basic/stash_file_def.txt) | 0 |
6 files changed, 52 insertions, 33 deletions
diff --git a/doc/html/_sources/basic/ccache_def.txt b/doc/html/_sources/basic/ccache_def.rst.txt index d147f0d7aa99..53542adde934 100644 --- a/doc/html/_sources/basic/ccache_def.txt +++ b/doc/html/_sources/basic/ccache_def.rst.txt @@ -51,6 +51,13 @@ library. requirement is for parent directory to exist and the current process must have permissions to create the directory if it does not exist. See :ref:`col_ccache` for details. New in release 1.10. + The following residual forms are supported: + + * DIR:dirname + * DIR::dirpath/filename - a single cache within the directory + + Switching to a ccache of the latter type causes it to become the + primary for the directory. #. **FILE** caches are the simplest and most portable. A simple flat file format is used to store one credential after another. This is diff --git a/doc/html/_sources/basic/date_format.txt b/doc/html/_sources/basic/date_format.rst.txt index 6ee82ce6fb3c..6ee82ce6fb3c 100644 --- a/doc/html/_sources/basic/date_format.txt +++ b/doc/html/_sources/basic/date_format.rst.txt diff --git a/doc/html/_sources/basic/index.txt b/doc/html/_sources/basic/index.rst.txt index 87a9b5472fa3..87a9b5472fa3 100644 --- a/doc/html/_sources/basic/index.txt +++ b/doc/html/_sources/basic/index.rst.txt diff --git a/doc/html/_sources/basic/keytab_def.txt b/doc/html/_sources/basic/keytab_def.rst.txt index 33ae67c6c75b..6c7fcc3b05ef 100644 --- a/doc/html/_sources/basic/keytab_def.txt +++ b/doc/html/_sources/basic/keytab_def.rst.txt 
@@ -12,10 +12,8 @@ credentials for client applications. Keytabs are named using the format *type*\ ``:``\ *value*. Usually *type* is ``FILE`` and *value* is the absolute pathname of the file. -Other possible values for *type* are ``SRVTAB``, which indicates a -file in the deprecated Kerberos 4 srvtab format, and ``MEMORY``, which -indicates a temporary keytab stored in the memory of the current -process. +The other possible value for *type* is ``MEMORY``, which indicates a +temporary keytab stored in the memory of the current process. A keytab contains one or more entries, where each entry consists of a timestamp (indicating when the entry was written to the keytab), a diff --git a/doc/html/_sources/basic/rcache_def.txt b/doc/html/_sources/basic/rcache_def.rst.txt index 2de953354ebe..a80cf5af6ce7 100644 --- a/doc/html/_sources/basic/rcache_def.txt +++ b/doc/html/_sources/basic/rcache_def.rst.txt @@ -9,7 +9,7 @@ request is detected in the replay cache, an error message is sent to the application program. The replay cache interface, like the credential cache and -:ref:`keytab_definition` interfaces, uses `type:value` strings to +:ref:`keytab_definition` interfaces, uses `type:residual` strings to indicate the type of replay cache and any associated cache naming data to use. 
@@ -57,41 +57,55 @@ additional messages), or if the simple act of presenting the authenticator triggers some interesting action in the service being attacked. -Default rcache type -------------------- +Replay cache types +------------------ -There is currently only one implemented kind of replay cache, called -**dfl**. It stores replay data in one file, occasionally rewriting it -to purge old, expired entries. +Unlike the credential cache and keytab interfaces, replay cache types +are in lowercase. The following types are defined: -The default type can be overridden by the **KRB5RCACHETYPE** -environment variable. +#. **none** disables the replay cache. The residual value is ignored. -The placement of the replay cache file is determined by the following: +#. **file2** (new in release 1.18) uses a hash-based format to store + replay records. The file may grow to accommodate hash collisions. + The residual value is the filename. -#. The **KRB5RCACHEDIR** environment variable; +#. **dfl** is the default type if no environment variable or + configuration specifies a different type. It stores replay data in + a file2 replay cache with a filename based on the effective uid. + The residual value is ignored. -#. If KRB5RCACHEDIR is unspecified, on UNIX, the library - will fall back to the environment variable **TMPDIR**, and then to - a temporary directory determined at configuration time such as - */tmp* or */var/tmp*; on Windows, it will check the environment - variables *TEMP* and *TMP*, and fall back to the directory C:\\. +For the dfl type, the location of the replay cache file is determined +as follows: -Performance issues ------------------- +#. The directory is taken from the **KRB5RCACHEDIR** environment + variable, or the **TMPDIR** environment variable, or a temporary + directory determined at configuration time such as ``/var/tmp``, in + descending order of preference. + +#. The filename is ``krb5_EUID.rcache2`` where EUID is the effective + uid of the process. 
+ +#. The file is opened without following symbolic links, and ownership + of the file is verified to match the effective uid. + +On Windows, the directory for the dfl type is the local appdata +directory, unless overridden by the **KRB5RCACHEDIR** environment +variable. The filename on Windows is ``krb5.rcache2``, and the file +is opened normally. + +Default replay cache name +------------------------- + +The default replay cache name is determined by the following, in +descending order of priority: -Several known minor performance issues that may occur when replay -cache is enabled on the Kerberos system include: delays due to writing -the authenticator data to disk slowing down response time for very -heavily loaded servers, and delays during the rewrite that may be -unacceptable to high-performance services. +#. The **KRB5RCACHENAME** environment variable (new in release 1.18). -For use cases where replays are adequately defended against for all -protocols using a given service principal name, or where performance -or other considerations outweigh the risk of replays, the special -replay cache type "none" can be specified:: +#. The **KRB5RCACHETYPE** environment variable. If this variable is + set, the residual value is empty. - KRB5RCACHETYPE=none +#. The **default_rcache_name** profile variable in :ref:`libdefaults` + (new in release 1.18). -It doesn't record any information about authenticators, and reports -that any authenticator seen is not a replay. +#. If none of the above are set, the default replay cache name is + ``dfl:``. diff --git a/doc/html/_sources/basic/stash_file_def.txt b/doc/html/_sources/basic/stash_file_def.rst.txt index 256e2c272d8d..256e2c272d8d 100644 --- a/doc/html/_sources/basic/stash_file_def.txt +++ b/doc/html/_sources/basic/stash_file_def.rst.txt |
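Review bot: in the ccache_def.rst.txt hunk, the first new bullet `DIR:dirname` carries no description while `DIR::dirpath/filename` does; add a short gloss on the same pattern, e.g. `* DIR:dirname - a collection of caches in the directory`, because the sentence that follows ("Switching to a ccache of the latter type ...") only makes sense if the reader already knows what the former form denotes.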
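Review bot: the keytab_def.rst.txt hunk removes `SRVTAB` from the list of keytab types without telling the reader when that support went away; the surrounding documentation marks additions with "New in release 1.10", so a matching line such as "SRVTAB keytab support was removed in release <fill in>" would let administrators who still have `SRVTAB:` names in their configuration understand why those names no longer resolve.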
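Review bot: the first rcache_def.rst.txt hunk switches `type:value` to `type:residual`, yet the keytab_def.rst.txt context in this same patch still describes keytab names as *type*\ ``:``\ *value*, and this very sentence cross-references :ref:`keytab_definition`; settle on one term across the definition pages (the new "Replay cache types" section already says "residual" throughout) so the reader is not sent to a page that uses different vocabulary for the same concept.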
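Review bot: the second rcache_def.rst.txt hunk reduces the old `none` section to "**none** disables the replay cache. The residual value is ignored.", dropping the removed text's caveat that `none` is meant only for cases where replays are adequately defended against for all protocols using a given service principal name, or where performance or other considerations outweigh the risk, and that it reports every authenticator seen as not a replay; carry that caveat onto the new `none` item, since the page's opening paragraphs present replay detection as a security control and the bare item now reads like a neutral option. Also, the Windows paragraph says the file "is opened normally" right after step 3 lists the symlink and ownership checks for UNIX; state explicitly that those checks do not apply on Windows so the difference reads as intended rather than as an omission.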
