xref: /freebsd/crypto/heimdal/kcm/kcm.8 (revision 5ca8e32633c4ffbbcd6762e5888b6a4ba0708c6c)
1.\" Copyright (c) 2005 Kungliga Tekniska Högskolan
2.\" (Royal Institute of Technology, Stockholm, Sweden).
3.\" All rights reserved.
4.\"
5.\" Redistribution and use in source and binary forms, with or without
6.\" modification, are permitted provided that the following conditions
7.\" are met:
8.\"
9.\" 1. Redistributions of source code must retain the above copyright
10.\"    notice, this list of conditions and the following disclaimer.
11.\"
12.\" 2. Redistributions in binary form must reproduce the above copyright
13.\"    notice, this list of conditions and the following disclaimer in the
14.\"    documentation and/or other materials provided with the distribution.
15.\"
16.\" 3. Neither the name of the Institute nor the names of its contributors
17.\"    may be used to endorse or promote products derived from this software
18.\"    without specific prior written permission.
19.\"
20.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
21.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
24.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30.\" SUCH DAMAGE.
31.\"
32.\" $Id$
33.\"
34.Dd May 29, 2005
35.Dt KCM 8
36.Os Heimdal
37.Sh NAME
38.Nm kcm
39.Nd process-based credential cache for Kerberos tickets.
40.Sh SYNOPSIS
41.Nm
42.Op Fl Fl cache-name= Ns Ar cachename
43.Oo Fl c Ar file \*(Ba Xo
44.Fl Fl config-file= Ns Ar file
45.Xc
46.Oc
47.Oo Fl g Ar group \*(Ba Xo
48.Fl Fl group= Ns Ar group
49.Xc
50.Oc
51.Op Fl Fl max-request= Ns Ar size
52.Op Fl Fl disallow-getting-krbtgt
53.Op Fl Fl detach
54.Op Fl h | Fl Fl help
55.Oo Fl k Ar principal \*(Ba Xo
56.Fl Fl system-principal= Ns Ar principal
57.Xc
58.Oc
59.Oo Fl l Ar time \*(Ba Xo
60.Fl Fl lifetime= Ns Ar time
61.Xc
62.Oc
63.Oo Fl m Ar mode \*(Ba Xo
64.Fl Fl mode= Ns Ar mode
65.Xc
66.Oc
67.Op Fl n | Fl Fl no-name-constraints
68.Oo Fl r Ar time \*(Ba Xo
69.Fl Fl renewable-life= Ns Ar time
70.Xc
71.Oc
72.Oo Fl s Ar path \*(Ba Xo
73.Fl Fl socket-path= Ns Ar path
74.Xc
75.Oc
76.Oo Xo
77.Fl Fl door-path= Ns Ar path
78.Xc
79.Oc
80.Oo Fl S Ar principal \*(Ba Xo
81.Fl Fl server= Ns Ar principal
82.Xc
83.Oc
84.Oo Fl t Ar keytab \*(Ba Xo
85.Fl Fl keytab= Ns Ar keytab
86.Xc
87.Oc
88.Oo Fl u Ar user \*(Ba Xo
89.Fl Fl user= Ns Ar user
90.Xc
91.Oc
92.Op Fl v | Fl Fl version
93.Sh DESCRIPTION
94.Nm
95is a process based credential cache.
96To use it, set the
97.Ev KRB5CCNAME
98environment variable to
99.Ql KCM: Ns Ar uid
100or add the stanza
101.Bd -literal
102
103[libdefaults]
104        default_cc_name = KCM:%{uid}
105
106.Ed
107to the
108.Pa /etc/krb5.conf
109configuration file and make sure
110.Nm kcm
111is started in the system startup files.
112.Pp
113The
114.Nm
115daemon can hold the credentials for all users in the system.  Access
116control is done with Unix-like permissions.  The daemon checks the
117access on all operations based on the uid and gid of the user.  The
118tickets are renewed as long as is permitted by the KDC's policy.
119.Pp
120The
121.Nm
122daemon can also keep a SYSTEM credential that server processes can
123use to access services.  One example of usage might be an nss_ldap
124module that quickly needs to get credentials and doesn't want to renew
125the ticket itself.
126.Pp
127Supported options:
128.Bl -tag -width Ds
129.It Fl Fl cache-name= Ns Ar cachename
130system cache name
131.It Fl c Ar file , Fl Fl config-file= Ns Ar file
132location of config file
133.It Fl g Ar group , Fl Fl group= Ns Ar group
134system cache group
135.It Fl Fl max-request= Ns Ar size
136max size for a kcm-request
137.It Fl Fl disallow-getting-krbtgt
138disallow extracting any krbtgt from the
139.Nm kcm
140daemon.
141.It Fl Fl detach
142detach from console
143.It Fl h , Fl Fl help
144.It Fl k Ar principal , Fl Fl system-principal= Ns Ar principal
145system principal name
146.It Fl l Ar time , Fl Fl lifetime= Ns Ar time
147lifetime of system tickets
148.It Fl m Ar mode , Fl Fl mode= Ns Ar mode
149octal mode of system cache
150.It Fl n , Fl Fl no-name-constraints
151disable credentials cache name constraints
152.It Fl r Ar time , Fl Fl renewable-life= Ns Ar time
153renewable lifetime of system tickets
154.It Fl s Ar path , Fl Fl socket-path= Ns Ar path
155path to kcm domain socket
156.It Fl Fl door-path= Ns Ar path
157path to kcm door socket
158.It Fl S Ar principal , Fl Fl server= Ns Ar principal
159server to get system ticket for
160.It Fl t Ar keytab , Fl Fl keytab= Ns Ar keytab
161system keytab name
162.It Fl u Ar user , Fl Fl user= Ns Ar user
163system cache owner
164.It Fl v , Fl Fl version
165.El
166.\".Sh ENVIRONMENT
167.\".Sh FILES
168.\".Sh EXAMPLES
169.\".Sh DIAGNOSTICS
170.\".Sh SEE ALSO
171.\".Sh STANDARDS
172.\".Sh HISTORY
173.\".Sh AUTHORS
174.\".Sh BUGS
175