krb5 commit [krb5-1.11]: Edit ccache_def.rst
Tom Yu
tlyu at MIT.EDU
Tue Nov 26 18:27:47 EST 2013
https://github.com/krb5/krb5/commit/5905145ae09228a7361ebf5962aa3c3a97c85155
commit 5905145ae09228a7361ebf5962aa3c3a97c85155
Author: Greg Hudson <ghudson at mit.edu>
Date: Fri Nov 22 16:53:35 2013 -0500
Edit ccache_def.rst
Re-fill to 70 columns. Replace non-ascii apostrophes with ASCII ones.
Edit wording slightly.
(cherry picked from commit 482869d393807d02668cf49ce74666d682cf77a6)
ticket: 7782
version_fixed: 1.11.5
status: resolved
doc/basic/ccache_def.rst | 162 +++++++++++++++++++++++----------------------
1 files changed, 83 insertions(+), 79 deletions(-)
diff --git a/doc/basic/ccache_def.rst b/doc/basic/ccache_def.rst
index 476f21f..85a06d6 100644
--- a/doc/basic/ccache_def.rst
+++ b/doc/basic/ccache_def.rst
@@ -1,62 +1,65 @@
.. _ccache_definition:
Credential cache
-=================
+================
-A credential cache (or "ccache") holds Kerberos credentials while they remain
-valid and, generally, while the user's session lasts, so that authenticating
-to a service multiple times (e.g., connecting to a web or mail server more
-than once) doesn't require contacting the KDC every time.
+A credential cache (or "ccache") holds Kerberos credentials while they
+remain valid and, generally, while the user's session lasts, so that
+authenticating to a service multiple times (e.g., connecting to a web
+or mail server more than once) doesn't require contacting the KDC
+every time.
-A credential cache usually contains one initial ticket which is obtained
-using a password or another form of identity verification. If this
-ticket is a ticket-granting ticket, it can be used to obtain additional
-credentials without the password. Because the credential cache does not
-store the password, less long-term damage can be done to the userâs
-account if the machine is compromised.
+A credential cache usually contains one initial ticket which is
+obtained using a password or another form of identity verification.
+If this ticket is a ticket-granting ticket, it can be used to obtain
+additional credentials without the password. Because the credential
+cache does not store the password, less long-term damage can be done
+to the user's account if the machine is compromised.
-A credentials cache stores a default client principal name, set when the cache
-is created. This is the name shown at the top of the :ref:`klist(1)` *-A*
-output.
+A credentials cache stores a default client principal name, set when
+the cache is created. This is the name shown at the top of the
+:ref:`klist(1)` *-A* output.
-Each normal cache entry includes a service principal name, a client principal
-name (which, in some ccache types, need not be the same as the default),
-lifetime information, and flags, along with the credential itself. There are
-also other entries indicated by special names which store additional
-information.
+Each normal cache entry includes a service principal name, a client
+principal name (which, in some ccache types, need not be the same as
+the default), lifetime information, and flags, along with the
+credential itself. There are also other entries, indicated by special
+names, that store additional information.
ccache types
------------
The credential cache interface, like the :ref:`keytab_definition` and
-:ref:`rcache_definition` interfaces, uses `TYPE:value` strings to indicate the
-type of credential cache and any associated cache naming data to use.
+:ref:`rcache_definition` interfaces, uses `TYPE:value` strings to
+indicate the type of credential cache and any associated cache naming
+data to use.
-There are several kinds of credentials cache supported in the MIT Kerberos
-library. Not all are supported on every platform. In most cases, it should be
-correct to use the default type built into the library.
+There are several kinds of credentials cache supported in the MIT
+Kerberos library. Not all are supported on every platform. In most
+cases, it should be correct to use the default type built into the
+library.
-#. **API** is implemented only on Windows platform. It communicates with a
- server process that holds the credentials in memory for the user, rather
- than writing them to disk.
+#. **API** is only implemented on Windows. It communicates with a
+ server process that holds the credentials in memory for the user,
+ rather than writing them to disk.
#. **DIR** points to the storage location of the collection of the
- credential caches in *FILE:* format. It is most useful when dealing with
- multiple Kerberos realms and KDCs. For release 1.10 the directory must
- already exist. In post-1.10 releases the requirement is for parent
- directory to exist and the current process must have permissions to create
- the directory if it does not exist. See :ref:`col_ccache` for details.
- New in release 1.10.
-
-#. **FILE** caches are the simplest and most portable. A simple flat file
- format is used to store one credential after another. This is the default
- ccache type.
-
-#. **KEYRING** is Linux-specific, and uses the kernel keyring support to store
- credential data in unswappable kernel memory where only the current user
- should be able to access it.
- The following residual forms are supported:
+ credential caches in *FILE:* format. It is most useful when dealing
+ with multiple Kerberos realms and KDCs. For release 1.10 the
+ directory must already exist. In post-1.10 releases the
+ requirement is for parent directory to exist and the current
+ process must have permissions to create the directory if it does
+ not exist. See :ref:`col_ccache` for details. New in release 1.10.
+
+#. **FILE** caches are the simplest and most portable. A simple flat
+ file format is used to store one credential after another. This is
+ the default ccache type.
+
+#. **KEYRING** is Linux-specific, and uses the kernel keyring support
+ to store credential data in unswappable kernel memory where only
+ the current user should be able to access it. The following
+ residual forms are supported:
* KEYRING:name
* KEYRING:process:name - process keyring
@@ -67,21 +70,23 @@ correct to use the default type built into the library.
* KEYRING:session:name - session keyring
* KEYRING:user:name - user keyring
- * KEYRING:persistent:uidnumber - persistent per-UID collection. Unlike
- the user keyring, this collection survives after the user logs out,
- until the cache credentials expire. This type of ccache requires
- support from the kernel; otherwise, it will fall back to the user keyring.
+ * KEYRING:persistent:uidnumber - persistent per-UID collection.
+ Unlike the user keyring, this collection survives after the user
+ logs out, until the cache credentials expire. This type of
+ ccache requires support from the kernel; otherwise, it will fall
+ back to the user keyring.
See :ref:`col_ccache` for details.
-#. **MEMORY** caches are for storage of credentials that donât need to be
- made available outside of the current process. For example, a *MEMORY*
- ccache is used by :ref:`kadmin(1)` to store the administrative ticket
- used to contact the admin server. It's a bit faster, it doesn't write
- anything to disk, and it's trivial to destroy when you're done with it.
+#. **MEMORY** caches are for storage of credentials that don't need to
+ be made available outside of the current process. For example, a
+ memory ccache is used by :ref:`kadmin(1)` to store the
+ administrative ticket used to contact the admin server. Memory
+ ccaches are faster than file ccaches and are automatically
+ destroyed when the process exits.
-#. **MSLSA** is a Windows-specific cache type that actually accesses the Windows
- credential store, similar to the *KEYRING* type for Linux.
+#. **MSLSA** is a Windows-specific cache type that accesses the
+ Windows credential store.
.. _col_ccache:
@@ -89,45 +94,44 @@ correct to use the default type built into the library.
Collections of caches
---------------------
-Some credential cache types can support collections of multiple caches.
-One of the caches in the collection is designated as the *primary* and
-will be used when the collection is resolved as a cache. When a
-collection-enabled cache type is the default cache for a process,
-applications can search the specified collection for a specific client
-principal, and GSSAPI applications will automatically select between the
-caches in the collection based on criteria such as the target service realm.
+Some credential cache types can support collections of multiple
+caches. One of the caches in the collection is designated as the
+*primary* and will be used when the collection is resolved as a cache.
+When a collection-enabled cache type is the default cache for a
+process, applications can search the specified collection for a
+specific client principal, and GSSAPI applications will automatically
+select between the caches in the collection based on criteria such as
+the target service realm.
-Credential cache collections are new in release 1.10, with support from the
-**DIR** and **API** ccache types. In release 1.12, the **KEYRING** ccache
-type also supports collections.
+Credential cache collections are new in release 1.10, with support
+from the **DIR** and **API** ccache types. In release 1.12, the
+**KEYRING** ccache type also supports collections.
Tool alterations to use cache collection
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-* :ref:`kdestroy(1)` *-A* will destroy all caches in the collection.
-* If the default cache type supports switching, :ref:`kinit(1)` *princname*
- will search the collection for a matching cache and store credentials
- there, or will store credentials in a new unique cache of the default type
- if no existing cache for the principal exists. Either way, kinit will switch
- to the selected cache.
+* :ref:`kdestroy(1)` *-A* will destroy all caches in the collection.
+* If the default cache type supports switching, :ref:`kinit(1)`
+ *princname* will search the collection for a matching cache and
+ store credentials there, or will store credentials in a new unique
+ cache of the default type if no existing cache for the principal
+ exists. Either way, kinit will switch to the selected cache.
* :ref:`klist(1)` *-l* will list the caches in the collection.
-* :ref:`klist(1)` *-A* will show the content of all caches in the collection.
-* :ref:`kswitch(1)` *-p princname* will search the collection for a matching
- cache and switch to it.
+* :ref:`klist(1)` *-A* will show the content of all caches in the
+ collection.
+* :ref:`kswitch(1)` *-p princname* will search the collection for a
+ matching cache and switch to it.
* :ref:`kswitch(1)` *-c cachename* will switch to a specified cache.
-
Default ccache name
-------------------
-The default ccache name is OS specific. It can be overridden by the
-**KRB5CCNAME** environment variable.
-
-The placement of the credential cache file is determined by the following:
+The default credential cache name is determined by the following, in
+descending order of priority:
-#. The **KRB5CCNAME** environment variable.
- For example, *KRB5CCNAME=DIR:/mydir/*
+#. The **KRB5CCNAME** environment variable. For example,
+ ``KRB5CCNAME=DIR:/mydir/``.
#. The **default_ccache_name** profile variable in :ref:`libdefaults`.
More information about the cvs-krb5
mailing list