krb5: Update to 1.21.1 - src - FreeBSD source tree

diff options


context:
space:
mode:

author	Cy Schubert <cy@FreeBSD.org>	2023-08-04 17:53:10 +0000
committer	Cy Schubert <cy@FreeBSD.org>	2023-08-04 17:53:10 +0000
commit	0320e0d5bb9fbb5da53478b3fd80ad79b110191d (patch)
tree	e1185f75bd2d3f87b0c17f787debc3ee8648214b /doc/html/basic/ccache_def.html
parent	b0e4d68d5124581ae353493d69bea352de4cff8a (diff)

vendor/krb5/1.21.1

Diffstat (limited to 'doc/html/basic/ccache_def.html')

-rw-r--r--

doc/html/basic/ccache_def.html

1 files changed, 41 insertions, 38 deletions

diff --git a/doc/html/basic/ccache_def.html b/doc/html/basic/ccache_def.html
index 0ba9c7215668..b2c4dca07438 100644
--- a/doc/html/basic/ccache_def.html
+++ b/doc/html/basic/ccache_def.html

@@ -1,33 +1,31 @@

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"

"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<head>

- <title>Credential cache — MIT Kerberos Documentation</title>

+ <title>Credential cache — MIT Kerberos Documentation</title>

var DOCUMENTATION_OPTIONS = {

URL_ROOT: '../',

- VERSION: '1.16',

+ VERSION: '1.21.1',

COLLAPSE_INDEX: false,

FILE_SUFFIX: '.html',

- HAS_SOURCE: true

+ HAS_SOURCE: true,

+ SOURCELINK_SUFFIX: '.txt'

};

</script>

+ <link rel="index" title="Index" href="../genindex.html" />

+ <link rel="search" title="Search" href="../search.html" />

- <link rel="top" title="MIT Kerberos Documentation" href="../index.html" />

- <link rel="up" title="Kerberos V5 concepts" href="index.html" />

</head>

@@ -61,24 +59,24 @@

- <div class="body">

+ <div class="body" role="main">

<h1>Credential cache<a class="headerlink" href="#credential-cache" title="Permalink to this headline">¶</a></h1>

-A credential cache (or “ccache”) holds Kerberos credentials while they

-remain valid and, generally, while the user’s session lasts, so that

+A credential cache (or “ccache”) holds Kerberos credentials while they

+remain valid and, generally, while the user’s session lasts, so that

authenticating to a service multiple times (e.g., connecting to a web

-or mail server more than once) doesn’t require contacting the KDC

+or mail server more than once) doesn’t require contacting the KDC

every time.

A credential cache usually contains one initial ticket which is

obtained using a password or another form of identity verification.

If this ticket is a ticket-granting ticket, it can be used to obtain

additional credentials without the password. Because the credential

cache does not store the password, less long-term damage can be done

-to the user’s account if the machine is compromised.

+to the user’s account if the machine is compromised.

A credentials cache stores a default client principal name, set when

the cache is created. This is the name shown at the top of the

-<a class="reference internal" href="../user/user_commands/klist.html#klist-1">klist</a> -A output.

+<a class="reference internal" href="../user/user_commands/klist.html#klist-1">klist</a> -A output.

Each normal cache entry includes a service principal name, a client

principal name (which, in some ccache types, need not be the same as

the default), lifetime information, and flags, along with the

@@ -86,8 +84,8 @@ credential itself. There are also other entries, indicated by special

names, that store additional information.

<h2>ccache types<a class="headerlink" href="#ccache-types" title="Permalink to this headline">¶</a></h2>

-The credential cache interface, like the <a class="reference internal" href="keytab_def.html#keytab-definition">keytab</a> and

-<a class="reference internal" href="rcache_def.html#rcache-definition">replay cache</a> interfaces, uses <cite>TYPE:value</cite> strings to

+The credential cache interface, like the <a class="reference internal" href="keytab_def.html#keytab-definition">keytab</a> and

+<a class="reference internal" href="rcache_def.html#rcache-definition">replay cache</a> interfaces, uses <cite>TYPE:value</cite> strings to

indicate the type of credential cache and any associated cache naming

data to use.

There are several kinds of credentials cache supported in the MIT

@@ -105,16 +103,23 @@ with multiple Kerberos realms and KDCs. For release 1.10 the

directory must already exist. In post-1.10 releases the

requirement is for parent directory to exist and the current

process must have permissions to create the directory if it does

-not exist. See <a class="reference internal" href="#col-ccache">Collections of caches</a> for details. New in release 1.10.

+not exist. See <a class="reference internal" href="#col-ccache">Collections of caches</a> for details. New in release 1.10.

+The following residual forms are supported:

+<ul class="simple">

+<li>DIR:dirname</li>

+<li>DIR::dirpath/filename - a single cache within the directory</li>

+</ul>

+Switching to a ccache of the latter type causes it to become the

+primary for the directory.

</li>

<li>FILE caches are the simplest and most portable. A simple flat

file format is used to store one credential after another. This is

the default ccache type if no type is specified in a ccache name.

</li>

-<li>KCM caches work by contacting a daemon process called <tt class="docutils literal">kcm</tt>

-to perform cache operations. If the cache name is just <tt class="docutils literal">KCM:</tt>,

+<li>KCM caches work by contacting a daemon process called <code class="docutils literal">kcm</code>

+to perform cache operations. If the cache name is just <code class="docutils literal">KCM:</code>,

the default cache as determined by the KCM daemon will be used.

-Newly created caches must generally be named <tt class="docutils literal">KCM:uid:name</tt>,

+Newly created caches must generally be named <code class="docutils literal">KCM:uid:name</code>,

where uid is the effective user ID of the running process.

KCM client support is new in release 1.13. A KCM daemon has not

yet been implemented in MIT krb5, but the client will interoperate

@@ -143,11 +148,11 @@ logs out, until the cache credentials expire. This type of

ccache requires support from the kernel; otherwise, it will fall

back to the user keyring.</li>

</ul>

-See <a class="reference internal" href="#col-ccache">Collections of caches</a> for details.

+See <a class="reference internal" href="#col-ccache">Collections of caches</a> for details.

</li>

-<li>MEMORY caches are for storage of credentials that don’t need to

+<li>MEMORY caches are for storage of credentials that don’t need to

be made available outside of the current process. For example, a

-memory ccache is used by <a class="reference internal" href="../admin/admin_commands/kadmin_local.html#kadmin-1">kadmin</a> to store the

+memory ccache is used by <a class="reference internal" href="../admin/admin_commands/kadmin_local.html#kadmin-1">kadmin</a> to store the

administrative ticket used to contact the admin server. Memory

ccaches are faster than file ccaches and are automatically

destroyed when the process exits.

@@ -174,18 +179,18 @@ Collections are supported by the KCM ccache type in release 1.1

<h3>Tool alterations to use cache collection<a class="headerlink" href="#tool-alterations-to-use-cache-collection" title="Permalink to this headline">¶</a></h3>

-<li><a class="reference internal" href="../user/user_commands/kdestroy.html#kdestroy-1">kdestroy</a> -A will destroy all caches in the collection.</li>

-<li>If the default cache type supports switching, <a class="reference internal" href="../user/user_commands/kinit.html#kinit-1">kinit</a>

+<li><a class="reference internal" href="../user/user_commands/kdestroy.html#kdestroy-1">kdestroy</a> -A will destroy all caches in the collection.</li>

+<li>If the default cache type supports switching, <a class="reference internal" href="../user/user_commands/kinit.html#kinit-1">kinit</a>

princname will search the collection for a matching cache and

store credentials there, or will store credentials in a new unique

cache of the default type if no existing cache for the principal

exists. Either way, kinit will switch to the selected cache.</li>

-<li><a class="reference internal" href="../user/user_commands/klist.html#klist-1">klist</a> -l will list the caches in the collection.</li>

-<li><a class="reference internal" href="../user/user_commands/klist.html#klist-1">klist</a> -A will show the content of all caches in the

+<li><a class="reference internal" href="../user/user_commands/klist.html#klist-1">klist</a> -l will list the caches in the collection.</li>

+<li><a class="reference internal" href="../user/user_commands/klist.html#klist-1">klist</a> -A will show the content of all caches in the

collection.</li>

-<li><a class="reference internal" href="../user/user_commands/kswitch.html#kswitch-1">kswitch</a> -p princname will search the collection for a

+<li><a class="reference internal" href="../user/user_commands/kswitch.html#kswitch-1">kswitch</a> -p princname will search the collection for a

matching cache and switch to it.</li>

-<li><a class="reference internal" href="../user/user_commands/kswitch.html#kswitch-1">kswitch</a> -c cachename will switch to a specified cache.</li>

+<li><a class="reference internal" href="../user/user_commands/kswitch.html#kswitch-1">kswitch</a> -c cachename will switch to a specified cache.</li>

</ul>

</div>

@@ -195,9 +200,9 @@ matching cache and switch to it.</li>

descending order of priority:

<li>The KRB5CCNAME environment variable. For example,

-<tt class="docutils literal">KRB5CCNAME=DIR:/mydir/</tt>.</li>

-<li>The default_ccache_name profile variable in <a class="reference internal" href="../admin/conf_files/krb5_conf.html#libdefaults">[libdefaults]</a>.</li>

-<li>The hardcoded default, <a class="reference internal" href="../mitK5defaults.html#paths">DEFCCNAME</a>.</li>

+<code class="docutils literal">KRB5CCNAME=DIR:/mydir/</code>.</li>

+<li>The default_ccache_name profile variable in <a class="reference internal" href="../admin/conf_files/krb5_conf.html#libdefaults">[libdefaults]</a>.</li>

+<li>The hardcoded default, <a class="reference internal" href="../mitK5defaults.html#paths">DEFCCNAME</a>.</li>

</ol>

</div>

@@ -230,9 +235,7 @@ descending order of priority:

<li class="toctree-l1"><a class="reference internal" href="../plugindev/index.html">For plugin module developers</a></li>

<li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li>

<li class="toctree-l1 current"><a class="reference internal" href="index.html">Kerberos V5 concepts</a><ul class="current">

-<li class="toctree-l2 current"><a class="current reference internal" href="">Credential cache</a><ul class="simple">

-</ul>

-</li>

+<li class="toctree-l2 current"><a class="current reference internal" href="#">Credential cache</a></li>

<li class="toctree-l2"><a class="reference internal" href="keytab_def.html">keytab</a></li>

<li class="toctree-l2"><a class="reference internal" href="rcache_def.html">replay cache</a></li>

<li class="toctree-l2"><a class="reference internal" href="stash_file_def.html">stash file</a></li>

@@ -262,8 +265,8 @@ descending order of priority:

- <div class="right" >Release: 1.16

+ <div class="right" >Release: 1.21.1

</div>