krb5 commit [krb5-1.12]: Added a new ccache doc to "Kerberos V5 concepts"
Tom Yu
tlyu at MIT.EDU
Mon Nov 25 16:26:18 EST 2013
https://github.com/krb5/krb5/commit/fa4a84050e9a8e11284096997e490e2fb811e78c
commit fa4a84050e9a8e11284096997e490e2fb811e78c
Author: Zhanna Tsitkov <tsitkova at mit.edu>
Date: Fri Nov 22 14:02:57 2013 -0500
Added a new ccache doc to "Kerberos V5 concepts"
This is to add a short introductory document on credential
caches to the Concepts section of Kerberos documentation.
(cherry picked from commit 251f94621328277044e3ae1a10ecd3ddfdda1dbb)
ticket: 7776
doc/basic/ccache_def.rst | 134 ++++++++++++++++++++++++++++++++++++++++++++++
doc/basic/index.rst | 1 +
2 files changed, 135 insertions(+), 0 deletions(-)
diff --git a/doc/basic/ccache_def.rst b/doc/basic/ccache_def.rst
new file mode 100644
index 0000000..476f21f
--- /dev/null
+++ b/doc/basic/ccache_def.rst
@@ -0,0 +1,134 @@
+.. _ccache_definition:
+
+Credential cache
+=================
+
+A credential cache (or "ccache") holds Kerberos credentials while they remain
+valid and, generally, while the user's session lasts, so that authenticating
+to a service multiple times (e.g., connecting to a web or mail server more
+than once) doesn't require contacting the KDC every time.
+
+A credential cache usually contains one initial ticket which is obtained
+using a password or another form of identity verification. If this
+ticket is a ticket-granting ticket, it can be used to obtain additional
+credentials without the password. Because the credential cache does not
+store the password, less long-term damage can be done to the userâs
+account if the machine is compromised.
+
+A credentials cache stores a default client principal name, set when the cache
+is created. This is the name shown at the top of the :ref:`klist(1)` *-A*
+output.
+
+Each normal cache entry includes a service principal name, a client principal
+name (which, in some ccache types, need not be the same as the default),
+lifetime information, and flags, along with the credential itself. There are
+also other entries indicated by special names which store additional
+information.
+
+
+ccache types
+------------
+
+The credential cache interface, like the :ref:`keytab_definition` and
+:ref:`rcache_definition` interfaces, uses `TYPE:value` strings to indicate the
+type of credential cache and any associated cache naming data to use.
+
+There are several kinds of credentials cache supported in the MIT Kerberos
+library. Not all are supported on every platform. In most cases, it should be
+correct to use the default type built into the library.
+
+#. **API** is implemented only on Windows platform. It communicates with a
+ server process that holds the credentials in memory for the user, rather
+ than writing them to disk.
+
+#. **DIR** points to the storage location of the collection of the
+ credential caches in *FILE:* format. It is most useful when dealing with
+ multiple Kerberos realms and KDCs. For release 1.10 the directory must
+ already exist. In post-1.10 releases the requirement is for parent
+ directory to exist and the current process must have permissions to create
+ the directory if it does not exist. See :ref:`col_ccache` for details.
+ New in release 1.10.
+
+#. **FILE** caches are the simplest and most portable. A simple flat file
+ format is used to store one credential after another. This is the default
+ ccache type.
+
+#. **KEYRING** is Linux-specific, and uses the kernel keyring support to store
+ credential data in unswappable kernel memory where only the current user
+ should be able to access it.
+ The following residual forms are supported:
+
+ * KEYRING:name
+ * KEYRING:process:name - process keyring
+ * KEYRING:thread:name - thread keyring
+
+ Starting with release 1.12 the *KEYRING* type supports collections.
+ The following new residual forms were added:
+
+ * KEYRING:session:name - session keyring
+ * KEYRING:user:name - user keyring
+ * KEYRING:persistent:uidnumber - persistent per-UID collection. Unlike
+ the user keyring, this collection survives after the user logs out,
+ until the cache credentials expire. This type of ccache requires
+ support from the kernel; otherwise, it will fall back to the user keyring.
+
+ See :ref:`col_ccache` for details.
+
+#. **MEMORY** caches are for storage of credentials that donât need to be
+ made available outside of the current process. For example, a *MEMORY*
+ ccache is used by :ref:`kadmin(1)` to store the administrative ticket
+ used to contact the admin server. It's a bit faster, it doesn't write
+ anything to disk, and it's trivial to destroy when you're done with it.
+
+#. **MSLSA** is a Windows-specific cache type that actually accesses the Windows
+ credential store, similar to the *KEYRING* type for Linux.
+
+
+.. _col_ccache:
+
+Collections of caches
+---------------------
+
+Some credential cache types can support collections of multiple caches.
+One of the caches in the collection is designated as the *primary* and
+will be used when the collection is resolved as a cache. When a
+collection-enabled cache type is the default cache for a process,
+applications can search the specified collection for a specific client
+principal, and GSSAPI applications will automatically select between the
+caches in the collection based on criteria such as the target service realm.
+
+Credential cache collections are new in release 1.10, with support from the
+**DIR** and **API** ccache types. In release 1.12, the **KEYRING** ccache
+type also supports collections.
+
+Tool alterations to use cache collection
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+* :ref:`kdestroy(1)` *-A* will destroy all caches in the collection.
+* If the default cache type supports switching, :ref:`kinit(1)` *princname*
+ will search the collection for a matching cache and store credentials
+ there, or will store credentials in a new unique cache of the default type
+ if no existing cache for the principal exists. Either way, kinit will switch
+ to the selected cache.
+* :ref:`klist(1)` *-l* will list the caches in the collection.
+* :ref:`klist(1)` *-A* will show the content of all caches in the collection.
+* :ref:`kswitch(1)` *-p princname* will search the collection for a matching
+ cache and switch to it.
+* :ref:`kswitch(1)` *-c cachename* will switch to a specified cache.
+
+
+
+Default ccache name
+-------------------
+
+The default ccache name is OS specific. It can be overridden by the
+**KRB5CCNAME** environment variable.
+
+The placement of the credential cache file is determined by the following:
+
+#. The **KRB5CCNAME** environment variable.
+ For example, *KRB5CCNAME=DIR:/mydir/*
+
+#. The **default_ccache_name** profile variable in :ref:`libdefaults`.
+
+#. The hardcoded default, |ccache|.
diff --git a/doc/basic/index.rst b/doc/basic/index.rst
index e7a6930..87a9b54 100644
--- a/doc/basic/index.rst
+++ b/doc/basic/index.rst
@@ -7,6 +7,7 @@ Kerberos V5 concepts
.. toctree::
:maxdepth: 1
+ ccache_def
keytab_def
rcache_def
stash_file_def
More information about the cvs-krb5
mailing list