override default credentials cache file location

Chris Ward krice at facebook.com
Thu Oct 14 14:51:53 EDT 2010


I could be wrong, but I think what you want is this:

KRB5CCNAME

     Used by the mechanism to specify the location of the credential cache.
     The variable can be set to the following value:

     [[<cc type>:]<file name>]

     where <cc type> can be FILE or MEMORY. <file name> is the location of
     the principal's credential cache.

     If KRB5CCNAME is not defined, the default value is:

     FILE:/tmp/krb5cc_<uid>

     where <uid> is the user id of the process that created the cache file.

     The credential cache file is used to store tickets that have been
     granted to the principal.

     Specifying the FILE types assumes that subsequent operations on the
     associated file are readable and writable by the invoking process. Care
     must be taken to ensure that the file is accessible only by the set of
     principals that need to access their credentials. If the credential file
     is in a directory to which other users have write access, you need to set
     that directory's sticky bit (see chmod(1)).

     The MEMORY credential cache type is used only in special cases, such
     as when making a temporary cache for the life of the invoking process.


On Thu, 14 Oct 2010, Zaar Hai wrote:

> Good day, dear all!
>
> I'm using MIT Kerberos version 1.6 on Debian Lenny amd64. I would like
> to override the default location of the credentials cache file. Here is
> the reasoning, and maybe someone would have a better solution:
>
> Credentials caches are stored in /tmp by default. /tmp is mounted on
> a real disk and that's not going to change. The problem is that if, for
> example, I run kinit in the evening and go home, then someone who
> breaks into the office at night can reboot my computer from a CD and
> access my credentials cache, gaining access to all of the network
> services I'm eligible to access.
> I've thought of making the default cache location
> /var/cars/krb5ccache, which will be mounted in RAM, making the above
> scenario much harder to execute.
>
> Thanks.
> -- 
> Zaar
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
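
Added example, not part of the original message or of MIT Kerberos: a small Python check that resolves the cache location from KRB5CCNAME using the rules quoted above and then tests the file and directory conditions the excerpt warns about. The function names resolve_ccache and audit_ccache are made up for this illustration, and a value with no "<cc type>:" prefix is treated as FILE.

```python
import os
import stat

def resolve_ccache(env=None, uid=None):
    """Return (cc_type, name) per the KRB5CCNAME rules quoted above."""
    env = os.environ if env is None else env
    uid = os.getuid() if uid is None else uid
    # Unset (or empty) falls back to the documented default.
    value = env.get("KRB5CCNAME") or f"FILE:/tmp/krb5cc_{uid}"
    cc_type, sep, name = value.partition(":")
    if not sep:
        return "FILE", value  # no "<cc type>:" prefix, bare file name
    return cc_type, name

def audit_ccache(cc_type, path):
    """Return findings for a FILE cache; an empty list means these checks pass."""
    if cc_type != "FILE":
        return []  # e.g. MEMORY: nothing on disk to inspect
    findings = []
    parent = os.stat(os.path.dirname(path) or ".")
    # A world-writable directory must carry the sticky bit (as /tmp does).
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        findings.append("directory is world-writable without the sticky bit")
    if os.path.lexists(path):
        st = os.lstat(path)
        if stat.S_IMODE(st.st_mode) & 0o077:
            findings.append("cache file is accessible to group or others")
        if st.st_uid != os.getuid():
            findings.append("cache file is not owned by the invoking user")
    return findings

if __name__ == "__main__":
    cc_type, name = resolve_ccache()
    print(f"{cc_type}:{name}")
    for finding in audit_ccache(cc_type, name):
        print("WARNING:", finding)
```

Run it in the same environment as kinit, so that it sees the same KRB5CCNAME value.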


