.\" Copyright (c) 2005 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\"
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" 3. Neither the name of the Institute nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $Id: kcm.8 15497 2005-06-20 13:32:44Z lha $
.\"
.Dd May 29, 2005
.Dt KCM 8
.Os Heimdal
.Sh NAME
.Nm kcm
.Nd
is a process based credential cache for Kerberos tickets.
.Sh SYNOPSIS
.Nm
.Op Fl -cache-name= Ns Ar cachename
.Oo Fl c Ar file \*(Ba Xo
.Fl -config-file= Ns Ar file
.Xc
.Oc
.Oo Fl g Ar group \*(Ba Xo
.Fl -group= Ns Ar group
.Xc
.Oc
.Op Fl -max-request= Ns Ar size
.Op Fl -disallow-getting-krbtgt
.Op Fl -detach
.Op Fl h | Fl -help
.Oo Fl k Ar principal \*(Ba Xo
.Fl -system-principal= Ns Ar principal
.Xc
.Oc
.Oo Fl l Ar time \*(Ba Xo
.Fl -lifetime= Ns Ar time
.Xc
.Oc
.Oo Fl m Ar mode \*(Ba Xo
.Fl -mode= Ns Ar mode
.Xc
.Oc
.Op Fl n | Fl -no-name-constraints
.Oo Fl r Ar time \*(Ba Xo
.Fl -renewable-life= Ns Ar time
.Xc
.Oc
.Oo Fl s Ar path \*(Ba Xo
.Fl -socket-path= Ns Ar path
.Xc
.Oc
.Oo Xo
.Fl -door-path= Ns Ar path
.Xc
.Oc
.Oo Fl S Ar principal \*(Ba Xo
.Fl -server= Ns Ar principal
.Xc
.Oc
.Oo Fl t Ar keytab \*(Ba Xo
.Fl -keytab= Ns Ar keytab
.Xc
.Oc
.Oo Fl u Ar user \*(Ba Xo
.Fl -user= Ns Ar user
.Xc
.Oc
.Op Fl v | Fl -version
.Sh DESCRIPTION
.Nm
is a process based credential cache.
To use it, set the
.Ev KRB5CCNAME
environment variable to
.Ql KCM: Ns Ar uid
or add the stanza
.Bd -literal

[libdefaults]
	default_cc_name = KCM:%{uid}

.Ed
to the
.Pa /etc/krb5.conf
configuration file and make sure
.Nm kcm
is started in the system startup files.
.Pp
The
.Nm
daemon can hold the credentials for all users in the system.  Access
control is done with Unix-like permissions.  The daemon checks the
access on all operations based on the uid and gid of the user.  The
tickets are renewed as long as is permitted by the KDC's policy.
.Pp
The
.Nm
daemon can also keep a SYSTEM credential that server processes can
use to access services.  One example of usage might be an nss_ldap
module that quickly needs to get credentials and doesn't want to renew
the ticket itself.
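An added example (not part of the Heimdal manual page): a shell check for whether a user's credential cache resolves to KCM under the two configuration methods described above. The function names and the sample krb5.conf are constructed for illustration, and the check assumes that KRB5CCNAME, when set, takes precedence over default_cc_name.

```shell
#!/bin/sh
# Audit helper: does the credential cache for a given uid resolve to KCM:<uid>?

# Print the default_cc_name value found inside [libdefaults], if any.
default_cc_from_conf() {
    awk '
        /^[ \t]*\[/ { in_lib = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
        in_lib && /^[ \t]*default_cc_name[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }
    ' "$1"
}

# effective_ccache CONF KRB5CCNAME_VALUE UID
# Assumption: a non-empty KRB5CCNAME overrides the krb5.conf setting.
effective_ccache() {
    conf=$1 envval=$2 uid=$3
    if [ -n "$envval" ]; then
        printf '%s\n' "$envval"
        return 0
    fi
    cc=$(default_cc_from_conf "$conf")
    # Expand the %{uid} token used in the stanza from the DESCRIPTION.
    printf '%s\n' "$cc" | sed "s/%{uid}/$uid/g"
}

# Succeeds only when the effective cache is exactly KCM:<uid>.
uses_kcm() {
    [ "$(effective_ccache "$1" "$2" "$3")" = "KCM:$3" ]
}

# Constructed sample krb5.conf; the [realms] entry shows that only
# the [libdefaults] section is consulted.
sample_conf=$(mktemp)
cat > "$sample_conf" <<'EOF'
[realms]
    default_cc_name = FILE:/tmp/ignored

[libdefaults]
    default_cc_name = KCM:%{uid}
EOF

# Constructed KRB5CCNAME values for uid 1000: unset, KCM, file-based.
for envval in "" "KCM:1000" "FILE:/tmp/krb5cc_1000"; do
    if uses_kcm "$sample_conf" "$envval" 1000; then v="kcm"; else v="NOT kcm"; fi
    printf "KRB5CCNAME='%s' -> %s\n" "$envval" "$v"
done
```

A user whose login environment exports a file-based KRB5CCNAME bypasses the daemon even when the krb5.conf stanza is in place, which is the case the third sample value exercises.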
.Pp
Supported options:
.Bl -tag -width Ds
.It Xo
.Fl -cache-name= Ns Ar cachename
.Xc
system cache name
.It Xo
.Fl c Ar file ,
.Fl -config-file= Ns Ar file
.Xc
location of config file
.It Xo
.Fl g Ar group ,
.Fl -group= Ns Ar group
.Xc
system cache group
.It Xo
.Fl -max-request= Ns Ar size
.Xc
max size for a kcm-request
.It Xo
.Fl -disallow-getting-krbtgt
.Xc
disallow extracting any krbtgt from the
.Nm kcm
daemon.
.It Xo
.Fl -detach
.Xc
detach from console
.It Xo
.Fl h ,
.Fl -help
.Xc
.It Xo
.Fl k Ar principal ,
.Fl -system-principal= Ns Ar principal
.Xc
system principal name
.It Xo
.Fl l Ar time ,
.Fl -lifetime= Ns Ar time
.Xc
lifetime of system tickets
.It Xo
.Fl m Ar mode ,
.Fl -mode= Ns Ar mode
.Xc
octal mode of system cache
.It Xo
.Fl n ,
.Fl -no-name-constraints
.Xc
disable credentials cache name constraints
.It Xo
.Fl r Ar time ,
.Fl -renewable-life= Ns Ar time
.Xc
renewable lifetime of system tickets
.It Xo
.Fl s Ar path ,
.Fl -socket-path= Ns Ar path
.Xc
path to kcm domain socket
.It Xo
.Fl -door-path= Ns Ar path
.Xc
path to kcm door socket
.It Xo
.Fl S Ar principal ,
.Fl -server= Ns Ar principal
.Xc
server to get system ticket for
.It Xo
.Fl t Ar keytab ,
.Fl -keytab= Ns Ar keytab
.Xc
system keytab name
.It Xo
.Fl u Ar user ,
.Fl -user= Ns Ar user
.Xc
system cache owner
.It Xo
.Fl v ,
.Fl -version
.Xc
.El
.\".Sh ENVIRONMENT
.\".Sh FILES
.\".Sh EXAMPLES
.\".Sh DIAGNOSTICS
.\".Sh SEE ALSO
.\".Sh STANDARDS
.\".Sh HISTORY
.\".Sh AUTHORS
.\".Sh BUGS