krb5-workstation-1.12.5-1.1.mga5.i586.rpm

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    
    <title>Credential cache &mdash; MIT Kerberos Documentation</title>
    
    <link rel="stylesheet" href="../_static/agogo.css" type="text/css" />
    <link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
    <link rel="stylesheet" href="../_static/kerb.css" type="text/css" />
    
    <script type="text/javascript">
      var DOCUMENTATION_OPTIONS = {
        URL_ROOT:    '../',
        VERSION:     '1.12.5',
        COLLAPSE_INDEX: false,
        FILE_SUFFIX: '.html',
        HAS_SOURCE:  true
      };
    </script>
    <script type="text/javascript" src="../_static/jquery.js"></script>
    <script type="text/javascript" src="../_static/underscore.js"></script>
    <script type="text/javascript" src="../_static/doctools.js"></script>
    <link rel="author" title="About these documents" href="../about.html" />
    <link rel="copyright" title="Copyright" href="../copyright.html" />
    <link rel="top" title="MIT Kerberos Documentation" href="../index.html" />
    <link rel="up" title="Kerberos V5 concepts" href="index.html" />
    <link rel="next" title="keytab" href="keytab_def.html" />
    <link rel="prev" title="Kerberos V5 concepts" href="index.html" /> 
  </head>
  <body>
    <div class="header-wrapper">
        <div class="header">
            
            
            <h1><a href="../index.html">MIT Kerberos Documentation</a></h1>
            
            <div class="rel">
                
        <a href="../index.html" title="Full Table of Contents"
            accesskey="C">Contents</a> |
        <a href="index.html" title="Kerberos V5 concepts"
            accesskey="P">previous</a> |
        <a href="keytab_def.html" title="keytab"
            accesskey="N">next</a> |
        <a href="../genindex.html" title="General Index"
            accesskey="I">index</a> |
        <a href="../search.html" title="Enter search criteria"
            accesskey="S">Search</a> |
    <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Credential cache">feedback</a>
            </div>
        </div>
    </div>

    <div class="content-wrapper">
      <div class="content">
        <div class="document">
            
      <div class="documentwrapper">
        <div class="bodywrapper">
          <div class="body">
            
  <div class="section" id="credential-cache">
<span id="ccache-definition"></span><h1>Credential cache<a class="headerlink" href="#credential-cache" title="Permalink to this headline">¶</a></h1>
<p>A credential cache (or &#8220;ccache&#8221;) holds Kerberos credentials while they
remain valid and, generally, while the user&#8217;s session lasts, so that
authenticating to a service multiple times (e.g., connecting to a web
or mail server more than once) doesn&#8217;t require contacting the KDC
every time.</p>
<p>A credential cache usually contains one initial ticket which is
obtained using a password or another form of identity verification.
If this ticket is a ticket-granting ticket, it can be used to obtain
additional credentials without the password.  Because the credential
cache does not store the password, less long-term damage can be done
to the user&#8217;s account if the machine is compromised.</p>
<p>A credential cache stores a default client principal name, set when
the cache is created.  This is the name shown at the top of the
<a class="reference internal" href="../user/user_commands/klist.html#klist-1"><em>klist</em></a> <em>-A</em> output.</p>
<p>Each normal cache entry includes a service principal name, a client
principal name (which, in some ccache types, need not be the same as
the default), lifetime information, and flags, along with the
credential itself.  There are also other entries, indicated by special
names, that store additional information.</p>
<div class="section" id="ccache-types">
<h2>ccache types<a class="headerlink" href="#ccache-types" title="Permalink to this headline">¶</a></h2>
<p>The credential cache interface, like the <a class="reference internal" href="keytab_def.html#keytab-definition"><em>keytab</em></a> and
<a class="reference internal" href="rcache_def.html#rcache-definition"><em>replay cache</em></a> interfaces, uses <cite>TYPE:value</cite> strings to
indicate the type of credential cache and any associated cache naming
data to use.</p>
<p>There are several kinds of credential cache supported in the MIT
Kerberos library.  Not all are supported on every platform.  In most
cases, it should be correct to use the default type built into the
library.</p>
<ol class="arabic">
<li><p class="first"><strong>API</strong> is only implemented on Windows.  It communicates with a
server process that holds the credentials in memory for the user,
rather than writing them to disk.</p>
</li>
<li><p class="first"><strong>DIR</strong> points to the storage location of a collection of
credential caches in <em>FILE:</em> format. It is most useful when dealing
with multiple Kerberos realms and KDCs.  In release 1.10 the
directory must already exist.  In post-1.10 releases the parent
directory must exist, and the current process must have permission
to create the directory if it does not exist. See <a class="reference internal" href="#col-ccache"><em>Collections of caches</em></a> for details.  New in release 1.10.</p>
</li>
<li><p class="first"><strong>FILE</strong> caches are the simplest and most portable. A simple flat
file format is used to store one credential after another.  This is
the default ccache type.</p>
</li>
<li><p class="first"><strong>KEYRING</strong> is Linux-specific, and uses the kernel keyring support
to store credential data in unswappable kernel memory where only
the current user should be able to access it.  The following
residual forms are supported:</p>
<ul class="simple">
<li>KEYRING:name</li>
<li>KEYRING:process:name - process keyring</li>
<li>KEYRING:thread:name -  thread keyring</li>
</ul>
<p>Starting with release 1.12 the <em>KEYRING</em> type supports collections.
The following new residual forms were added:</p>
<ul class="simple">
<li>KEYRING:session:name - session keyring</li>
<li>KEYRING:user:name - user keyring</li>
<li>KEYRING:persistent:uidnumber - persistent per-UID collection.
Unlike the user keyring, this collection survives after the user
logs out, until the cache credentials expire.  This type of
ccache requires support from the kernel; otherwise, it will fall
back to the user keyring.</li>
</ul>
<p>See <a class="reference internal" href="#col-ccache"><em>Collections of caches</em></a> for details.</p>
</li>
<li><p class="first"><strong>MEMORY</strong> caches are for storage of credentials that don&#8217;t need to
be made available outside of the current process.  For example, a
memory ccache is used by <a class="reference internal" href="../admin/admin_commands/kadmin_local.html#kadmin-1"><em>kadmin</em></a> to store the
administrative ticket used to contact the admin server.  Memory
ccaches are faster than file ccaches and are automatically
destroyed when the process exits.</p>
</li>
<li><p class="first"><strong>MSLSA</strong> is a Windows-specific cache type that accesses the
Windows credential store.</p>
</li>
</ol>
</div>
<div class="section" id="collections-of-caches">
<span id="col-ccache"></span><h2>Collections of caches<a class="headerlink" href="#collections-of-caches" title="Permalink to this headline">¶</a></h2>
<p>Some credential cache types can support collections of multiple
caches.  One of the caches in the collection is designated as the
<em>primary</em> and will be used when the collection is resolved as a cache.
When a collection-enabled cache type is the default cache for a
process, applications can search the specified collection for a
specific client principal, and GSSAPI applications will automatically
select between the caches in the collection based on criteria such as
the target service realm.</p>
<p>Credential cache collections are new in release 1.10, with support
from the <strong>DIR</strong> and <strong>API</strong> ccache types.  In release 1.12, the
<strong>KEYRING</strong> ccache type also supports collections.</p>
<div class="section" id="tool-alterations-to-use-cache-collection">
<h3>Tool alterations to use cache collection<a class="headerlink" href="#tool-alterations-to-use-cache-collection" title="Permalink to this headline">¶</a></h3>
<ul class="simple">
<li><a class="reference internal" href="../user/user_commands/kdestroy.html#kdestroy-1"><em>kdestroy</em></a> <em>-A</em> will destroy all caches in the collection.</li>
<li>If the default cache type supports switching, <a class="reference internal" href="../user/user_commands/kinit.html#kinit-1"><em>kinit</em></a>
<em>princname</em> will search the collection for a matching cache and
store credentials there, or will store credentials in a new unique
cache of the default type if no existing cache for the principal
exists.  Either way, kinit will switch to the selected cache.</li>
<li><a class="reference internal" href="../user/user_commands/klist.html#klist-1"><em>klist</em></a> <em>-l</em> will list the caches in the collection.</li>
<li><a class="reference internal" href="../user/user_commands/klist.html#klist-1"><em>klist</em></a> <em>-A</em> will show the content of all caches in the
collection.</li>
<li><a class="reference internal" href="../user/user_commands/kswitch.html#kswitch-1"><em>kswitch</em></a> <em>-p princname</em> will search the collection for a
matching cache and switch to it.</li>
<li><a class="reference internal" href="../user/user_commands/kswitch.html#kswitch-1"><em>kswitch</em></a> <em>-c cachename</em> will switch to a specified cache.</li>
</ul>
</div>
</div>
<div class="section" id="default-ccache-name">
<h2>Default ccache name<a class="headerlink" href="#default-ccache-name" title="Permalink to this headline">¶</a></h2>
<p>The default credential cache name is determined by the following, in
descending order of priority:</p>
<ol class="arabic simple">
<li>The <strong>KRB5CCNAME</strong> environment variable.  For example,
<tt class="docutils literal"><span class="pre">KRB5CCNAME=DIR:/mydir/</span></tt>.</li>
<li>The <strong>default_ccache_name</strong> profile variable in <a class="reference internal" href="../admin/conf_files/krb5_conf.html#libdefaults"><em>[libdefaults]</em></a>.</li>
<li>The hardcoded default, <tt class="docutils literal"><span class="pre">FILE:/tmp/krb5cc_%{uid}</span></tt>.</li>
</ol>
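<p>As an added illustration (not part of the MIT documentation or of libkrb5), the following Python models the name-resolution order above and the <cite>TYPE:residual</cite> syntax from the ccache types section, including the KEYRING anchor forms; the krb5.conf parser is a deliberately minimal assumption, and only <cite>%{uid}</cite> expansion is modelled.</p>

```python
import re

# Hardcoded fallback named on the page; only %{uid} is expanded here
# (other krb5 parameter expansions are an assumption left out of this model).
HARDCODED_DEFAULT = "FILE:/tmp/krb5cc_%{uid}"

# Anchor names the page lists for KEYRING residuals.
KEYRING_ANCHORS = ("process", "thread", "session", "user", "persistent")


def libdefaults_value(krb5_conf_text, key):
    """Return `key` from the [libdefaults] section of krb5.conf text, or None.
    Minimal parser (assumption): flat 'key = value' lines, no nested groups."""
    section = None
    for raw in krb5_conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section = m.group(1)
            continue
        if section == "libdefaults" and "=" in line:
            k, v = (s.strip() for s in line.split("=", 1))
            if k == key:
                return v
    return None


def default_ccache_name(environ, krb5_conf_text, uid):
    """Priority order from the page: KRB5CCNAME (if set and non-empty),
    then default_ccache_name in [libdefaults], then the hardcoded default."""
    name = environ.get("KRB5CCNAME") or libdefaults_value(krb5_conf_text, "default_ccache_name")
    return (name or HARDCODED_DEFAULT).replace("%{uid}", str(uid))


def parse_ccache_name(name):
    """Split a TYPE:residual string.  No type prefix (or a one-letter Windows
    drive letter) means FILE, as libkrb5 does; KEYRING residuals are split further."""
    ctype, sep, residual = name.partition(":")
    if not sep or (len(ctype) == 1 and ctype.isalpha()):
        return {"type": "FILE", "residual": name}
    info = {"type": ctype, "residual": residual}
    if ctype == "KEYRING":
        anchor, sep2, rest = residual.partition(":")
        if sep2 and anchor in KEYRING_ANCHORS:
            info["anchor"], info["name"] = anchor, rest
        else:  # the un-anchored KEYRING:name form listed first on the page
            info["anchor"], info["name"] = None, residual
    return info
```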
</div>
</div>


          </div>
        </div>
      </div>
        </div>
        <div class="clearer"></div>
      </div>
    </div>

    <div class="footer-wrapper">
        <div class="footer" >
            <div class="right" ><i>Release: 1.12.5</i><br />
                &copy; <a href="../copyright.html">Copyright</a> 1985-2015, MIT.
            </div>
        </div>
    </div>

  </body>
</html>