<!-- xref: /freebsd/crypto/krb5/doc/html/basic/ccache_def.html (revision 7f2fe78b9dd5f51c821d771b63d2e096f6fd49e9) -->

<!DOCTYPE html>

<html>
  <head>
    <meta charset="utf-8" />
    <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.17.1: http://docutils.sourceforge.net/" />

    <title>Credential cache &#8212; MIT Kerberos Documentation</title>
    <link rel="stylesheet" type="text/css" href="../_static/pygments.css" />
    <link rel="stylesheet" type="text/css" href="../_static/agogo.css" />
    <link rel="stylesheet" type="text/css" href="../_static/kerb.css" />
    <script data-url_root="../" id="documentation_options" src="../_static/documentation_options.js"></script>
    <script src="../_static/jquery.js"></script>
    <script src="../_static/underscore.js"></script>
    <script src="../_static/doctools.js"></script>
    <link rel="author" title="About these documents" href="../about.html" />
    <link rel="index" title="Index" href="../genindex.html" />
    <link rel="search" title="Search" href="../search.html" />
    <link rel="copyright" title="Copyright" href="../copyright.html" />
    <link rel="next" title="keytab" href="keytab_def.html" />
    <link rel="prev" title="Kerberos V5 concepts" href="index.html" />
  </head><body>
    <div class="header-wrapper">
        <div class="header">


            <h1><a href="../index.html">MIT Kerberos Documentation</a></h1>

            <div class="rel">

        <a href="../index.html" title="Full Table of Contents"
            accesskey="C">Contents</a> |
        <a href="index.html" title="Kerberos V5 concepts"
            accesskey="P">previous</a> |
        <a href="keytab_def.html" title="keytab"
            accesskey="N">next</a> |
        <a href="../genindex.html" title="General Index"
            accesskey="I">index</a> |
        <a href="../search.html" title="Enter search criteria"
            accesskey="S">Search</a> |
    <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Credential cache">feedback</a>
            </div>
        </div>
    </div>

    <div class="content-wrapper">
      <div class="content">
        <div class="document">

      <div class="documentwrapper">
        <div class="bodywrapper">
          <div class="body" role="main">

  <section id="credential-cache">
<span id="ccache-definition"></span><h1>Credential cache<a class="headerlink" href="#credential-cache" title="Permalink to this headline">¶</a></h1>
<p>A credential cache (or “ccache”) holds Kerberos credentials while they
remain valid and, generally, while the user’s session lasts, so that
authenticating to a service multiple times (e.g., connecting to a web
or mail server more than once) doesn’t require contacting the KDC
every time.</p>
<p>A credential cache usually contains one initial ticket, obtained
using a password or another form of identity verification.  If this
ticket is a ticket-granting ticket (TGT), it can be used to obtain
additional service tickets without the password.  Because the
credential cache does not store the password, less long-term damage
can be done to the user’s account if the machine is compromised: an
attacker who copies the cache cannot recover the password from it and
can act as the user only until the cached tickets expire (for a
renewable TGT, until its renewable lifetime ends).  The cache is still
a sensitive object, though.  Whoever can read it (for a FILE cache,
anyone who can read the file, root included) can use the credentials
from any session simply by pointing <strong>KRB5CCNAME</strong> at a copy,
so the storage type and its permissions matter.</p>
<p>A credential cache stores a default client principal name, set when
the cache is created.  This is the name shown at the top of the
<a class="reference internal" href="../user/user_commands/klist.html#klist-1"><span class="std std-ref">klist</span></a> <em>-A</em> output.</p>
<p>Each normal cache entry includes a service principal name, a client
principal name (which, in some ccache types, need not be the same as
the default), the session key, lifetime information (authentication,
start, end and renew-till times), and ticket flags, along with the
ticket itself.  There are also other entries, indicated by special
principal names, that store configuration and other additional
information rather than credentials.</p>
<section id="ccache-types">
<h2>ccache types<a class="headerlink" href="#ccache-types" title="Permalink to this headline">¶</a></h2>
<p>The credential cache interface, like the <a class="reference internal" href="keytab_def.html#keytab-definition"><span class="std std-ref">keytab</span></a> and
<a class="reference internal" href="rcache_def.html#rcache-definition"><span class="std std-ref">replay cache</span></a> interfaces, uses <cite>TYPE:value</cite> strings to
indicate the type of credential cache and any associated cache naming
data (the “residual”) to use.</p>
<p>There are several kinds of credential cache supported in the MIT
Kerberos library.  Not all are supported on every platform.  In most
cases, it should be correct to use the default type built into the
library.  The types differ mainly in where the credentials live and
who can read them, which is what matters if the host is compromised.</p>
<ol class="arabic">
<li><p><strong>API</strong> is only implemented on Windows.  It communicates with a
server process that holds the credentials in memory for the user,
rather than writing them to disk.</p></li>
<li><p><strong>DIR</strong> points to the storage location of a collection of
credential caches in <em>FILE:</em> format.  It is most useful when dealing
with multiple Kerberos realms and KDCs.  In release 1.10 the
directory must already exist.  In later releases the parent
directory must exist, and the current process must have permission
to create the directory if it does not exist.  See <a class="reference internal" href="#col-ccache"><span class="std std-ref">Collections of caches</span></a> for details.  New in release 1.10.
The following residual forms are supported:</p>
<ul class="simple">
<li><p>DIR:dirname - the collection; resolves to its primary cache</p></li>
<li><p>DIR::dirpath/filename - a single cache within the directory</p></li>
</ul>
<p>Switching to a ccache of the latter type causes it to become the
primary for the directory.</p>
</li>
<li><p><strong>FILE</strong> caches are the simplest and most portable.  A simple flat
file format is used to store one credential after another.  This is
the default ccache type if no type is specified in a ccache name.
The library creates the file readable and writable only by its owner
(mode 0600), but file permissions are the only protection: any
process that can read the file, including one running as root, can
copy it and use the credentials elsewhere until they expire.</p></li>
<li><p><strong>KCM</strong> caches work by contacting a daemon process called <code class="docutils literal notranslate"><span class="pre">kcm</span></code>
to perform cache operations.  If the cache name is just <code class="docutils literal notranslate"><span class="pre">KCM:</span></code>,
the default cache as determined by the KCM daemon will be used.
Newly created caches must generally be named <code class="docutils literal notranslate"><span class="pre">KCM:uid:name</span></code>,
where <em>uid</em> is the effective user ID of the running process.</p>
<p>KCM client support is new in release 1.13.  A KCM daemon has not
yet been implemented in MIT krb5, but the client will interoperate
with the KCM daemon implemented by Heimdal, and on Linux with the
KCM server shipped by SSSD (<code class="docutils literal notranslate"><span class="pre">sssd-kcm</span></code>), which some
distributions use to make KCM the default.  macOS 10.7 and higher
provides a KCM daemon as part of the operating system, and the
<strong>KCM</strong> cache type is used as the default cache on that platform in
a default build.</p>
</li>
<li><p><strong>KEYRING</strong> is Linux-specific, and uses the kernel keyring support
to store credential data in unswappable kernel memory where only
the current user should be able to access it.  There is no on-disk
copy to steal, and access is governed by keyring permissions rather
than file permissions.  The following residual forms are supported:</p>
<ul class="simple">
<li><p>KEYRING:name</p></li>
<li><p>KEYRING:process:name - process keyring</p></li>
<li><p>KEYRING:thread:name -  thread keyring</p></li>
</ul>
<p>Starting with release 1.12 the <em>KEYRING</em> type supports collections.
The following new residual forms were added:</p>
<ul class="simple">
<li><p>KEYRING:session:name - session keyring</p></li>
<li><p>KEYRING:user:name - user keyring</p></li>
<li><p>KEYRING:persistent:uidnumber - persistent per-UID collection.
Unlike the user keyring, this collection survives after the user
logs out, until the cached credentials expire.  This type of
ccache requires support from the kernel; otherwise, it will fall
back to the user keyring.</p></li>
</ul>
<p>See <a class="reference internal" href="#col-ccache"><span class="std std-ref">Collections of caches</span></a> for details.</p>
</li>
<li><p><strong>MEMORY</strong> caches are for storage of credentials that don’t need to
be made available outside of the current process.  For example, a
memory ccache is used by <a class="reference internal" href="../admin/admin_commands/kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> to store the
administrative ticket used to contact the admin server.  Memory
ccaches are faster than file ccaches and are automatically
destroyed when the process exits, so nothing is left behind for
another process or user to pick up.</p></li>
<li><p><strong>MSLSA</strong> is a Windows-specific cache type that accesses the
Kerberos ticket cache kept by the Windows Local Security Authority
(LSA).</p></li>
</ol>
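<p>To make the entry contents described above concrete, here is an added
example (not code from the krb5 project) that writes and reads the FILE
cache format in its current version 4: the 05 04 version bytes, a tagged
header, the default client principal, then one credential after another,
each with its client and server principal, session key, the four times,
ticket flags and the ticket.  The layout follows the krb5 ccache file
format document; the sample cache, its principal names and its
placeholder ticket bytes are constructed here, not captured from a real
KDC.  It also shows how configuration entries under the special
<code class="docutils literal notranslate"><span class="pre">X-CACHECONF:</span></code> realm are told apart from real
credentials, which is why <em>klist</em> does not list them.</p>

```python
"""Reader/writer for the MIT krb5 FILE ccache format, version 4 (added
example, not krb5 project code).  Layout per the krb5 ccache file format
document; the sample cache built by sample_ccache() is constructed here."""
import struct
from dataclasses import dataclass

CCACHE_V4 = 0x0504
CONF_REALM = "X-CACHECONF:"              # realm krb5 uses for config entries
CONF_COMPONENT = "krb5_ccache_conf_data"  # first component of their service name
NT_PRINCIPAL = 1
FLAG_NAMES = {"forwardable": 0x40000000, "renewable": 0x00800000,
              "initial": 0x00400000, "pre_authent": 0x00200000}

@dataclass
class Credential:
    client: tuple       # (components, realm); may differ from the cache default
    server: tuple
    enctype: int
    key: bytes          # session key; empty for config entries
    authtime: int
    starttime: int
    endtime: int
    renew_till: int
    flags: int
    ticket: bytes       # config entries keep their value here

    @property
    def is_config(self):
        comps, realm = self.server
        return realm == CONF_REALM and comps[:1] == [CONF_COMPONENT]

def unparse(principal):
    comps, realm = principal
    return "/".join(comps) + "@" + realm   # no quoting of '/' or '@' in components

def _data(b):
    return struct.pack(">I", len(b)) + b

def _principal(principal):
    comps, realm = principal
    out = struct.pack(">II", NT_PRINCIPAL, len(comps)) + _data(realm.encode())
    return out + b"".join(_data(c.encode()) for c in comps)

def write_ccache(default_principal, creds, time_offset=0):
    """Serialize; addresses, authdata and second_ticket are written empty."""
    header = struct.pack(">HHii", 1, 8, time_offset, 0)   # tag 1: KDC time offset
    out = [struct.pack(">HH", CCACHE_V4, len(header)), header, _principal(default_principal)]
    for c in creds:
        out += [_principal(c.client), _principal(c.server),
                struct.pack(">H", c.enctype), _data(c.key),
                struct.pack(">IIII", c.authtime, c.starttime, c.endtime, c.renew_till),
                struct.pack(">BI", 0, c.flags),        # is_skey, ticket flags
                struct.pack(">II", 0, 0),              # no addresses, no authdata
                _data(c.ticket), _data(b"")]           # ticket, second_ticket
    return b"".join(out)

class _Reader:
    def __init__(self, buf):
        self.buf, self.pos = buf, 0
    def take(self, n):
        if self.pos + n > len(self.buf):
            raise ValueError("truncated ccache")
        self.pos += n
        return self.buf[self.pos - n:self.pos]
    def u(self, fmt):
        return struct.unpack(fmt, self.take(struct.calcsize(fmt)))[0]
    def data(self):
        return self.take(self.u(">I"))
    def principal(self):
        self.u(">I")                       # name type, not needed here
        n = self.u(">I")                   # component count; realm not included in v4
        realm = self.data().decode()
        return ([self.data().decode() for _ in range(n)], realm)

def parse_ccache(buf):
    """Return (default principal, [Credential]); rejects versions other than 4."""
    r = _Reader(buf)
    if r.u(">H") != CCACHE_V4:
        raise ValueError("only version 4 (bytes 05 04) is handled")
    r.take(r.u(">H"))                      # skip tagged header fields
    default, creds = r.principal(), []
    while r.pos < len(buf):
        client, server = r.principal(), r.principal()
        enctype, key = r.u(">H"), r.data()
        times = struct.unpack(">IIII", r.take(16))
        r.u(">B")                          # is_skey
        flags = r.u(">I")
        for _ in range(2):                 # address list, then authdata list
            for _ in range(r.u(">I")):
                r.u(">H")
                r.data()
        ticket = r.data()
        r.data()                           # second_ticket
        creds.append(Credential(client, server, enctype, key, *times, flags, ticket))
    return default, creds

def summarize(buf, now):
    """klist-style view: default principal and the non-config entries."""
    default, creds = parse_ccache(buf)
    rows = [{"client": unparse(c.client), "server": unparse(c.server),
             "tgt": c.server[0][:1] == ["krbtgt"], "expired": c.endtime <= now,
             "renew_till": c.renew_till if c.flags & FLAG_NAMES["renewable"] else None,
             "flags": [n for n, v in FLAG_NAMES.items() if c.flags & v]}
            for c in creds if not c.is_config]
    return unparse(default), rows

def sample_ccache(now=1_700_000_000):
    """Constructed cache: one TGT (10h lifetime, 7d renewable) plus one config entry."""
    alice = (["alice"], "EXAMPLE.COM")
    tgt = Credential(alice, (["krbtgt", "EXAMPLE.COM"], "EXAMPLE.COM"), 18, b"\x11" * 32,
                     now, now, now + 36000, now + 7 * 86400,
                     FLAG_NAMES["forwardable"] | FLAG_NAMES["renewable"] | FLAG_NAMES["initial"],
                     b"constructed-ticket-placeholder")
    conf = Credential(alice, ([CONF_COMPONENT, "pa_type", "krbtgt/EXAMPLE.COM@EXAMPLE.COM"],
                              CONF_REALM), 0, b"", 0, 0, 0, 0, 0, b"2")
    return write_ccache(alice, [tgt, conf])
```

<p>Pointing <code class="docutils literal notranslate"><span class="pre">parse_ccache()</span></code> at a real
<em>/tmp/krb5cc_&lt;uid&gt;</em> file shows the same structure; note that nothing in
the file is encrypted with anything the reader lacks, which is the
concrete reason the FILE type is only as safe as its permissions.</p>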
</section>
<section id="collections-of-caches">
<span id="col-ccache"></span><h2>Collections of caches<a class="headerlink" href="#collections-of-caches" title="Permalink to this headline">¶</a></h2>
<p>Some credential cache types can support collections of multiple
caches.  One of the caches in the collection is designated as the
<em>primary</em> and will be used when the collection is resolved as a cache.
When a collection-enabled cache type is the default cache for a
process, applications can search the specified collection for a
specific client principal, and GSSAPI applications will automatically
select between the caches in the collection based on criteria such as
the target service realm.</p>
<p>Credential cache collections are new in release 1.10, with support
from the <strong>DIR</strong> and <strong>API</strong> ccache types.  Starting in release 1.12,
collections are also supported by the <strong>KEYRING</strong> ccache type, and
starting in release 1.13 by the <strong>KCM</strong> ccache type.</p>
<section id="tool-alterations-to-use-cache-collection">
<h3>Tool alterations to use cache collection<a class="headerlink" href="#tool-alterations-to-use-cache-collection" title="Permalink to this headline">¶</a></h3>
<ul class="simple">
<li><p><a class="reference internal" href="../user/user_commands/kdestroy.html#kdestroy-1"><span class="std std-ref">kdestroy</span></a> <em>-A</em> will destroy all caches in the collection.</p></li>
<li><p>If the default cache type supports switching, <a class="reference internal" href="../user/user_commands/kinit.html#kinit-1"><span class="std std-ref">kinit</span></a>
<em>princname</em> will search the collection for a matching cache and
store credentials there, or will store credentials in a new unique
cache of the default type if no existing cache for the principal
exists.  Either way, kinit will switch to the selected cache.</p></li>
<li><p><a class="reference internal" href="../user/user_commands/klist.html#klist-1"><span class="std std-ref">klist</span></a> <em>-l</em> will list the caches in the collection.</p></li>
<li><p><a class="reference internal" href="../user/user_commands/klist.html#klist-1"><span class="std std-ref">klist</span></a> <em>-A</em> will show the content of all caches in the
collection.</p></li>
<li><p><a class="reference internal" href="../user/user_commands/kswitch.html#kswitch-1"><span class="std std-ref">kswitch</span></a> <em>-p princname</em> will search the collection for a
matching cache and switch to it.</p></li>
<li><p><a class="reference internal" href="../user/user_commands/kswitch.html#kswitch-1"><span class="std std-ref">kswitch</span></a> <em>-c cachename</em> will switch to a specified cache.</p></li>
</ul>
</section>
</section>
<section id="default-ccache-name">
<h2>Default ccache name<a class="headerlink" href="#default-ccache-name" title="Permalink to this headline">¶</a></h2>
<p>The default credential cache name is determined by the following, in
descending order of priority:</p>
<ol class="arabic simple">
<li><p>The <strong>KRB5CCNAME</strong> environment variable.  For example,
<code class="docutils literal notranslate"><span class="pre">KRB5CCNAME=DIR:/mydir/</span></code>.  A value with no
<cite>TYPE:</cite> prefix names a FILE cache.</p></li>
<li><p>The <strong>default_ccache_name</strong> profile variable in <a class="reference internal" href="../admin/conf_files/krb5_conf.html#libdefaults"><span class="std std-ref">[libdefaults]</span></a>.
This value undergoes parameter expansion, so one setting such as
<code class="docutils literal notranslate"><span class="pre">KEYRING:persistent:%{uid}</span></code> can give every user a
separate cache.</p></li>
<li><p>The hardcoded default, <a class="reference internal" href="../mitK5defaults.html#paths"><span class="std std-ref">DEFCCNAME</span></a>.</p></li>
</ol>
</section>
</section>
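<p>The resolution order in this section and the residual forms listed
under <a class="reference internal" href="#ccache-types"><span class="std std-ref">ccache types</span></a>, as an added Python example
(not krb5 library code).  <code class="docutils literal notranslate"><span class="pre">DEFCCNAME</span></code> and the
expansion of <code class="docutils literal notranslate"><span class="pre">%{uid}</span></code> and
<code class="docutils literal notranslate"><span class="pre">%{username}</span></code> are assumptions standing in for the
build default and the profile’s parameter expansion;
<code class="docutils literal notranslate"><span class="pre">select_cache()</span></code> is a simplified model of the
collection lookup that <em>kinit princname</em>, <em>kswitch -p</em> and the GSSAPI
mechanism perform, not their actual implementation.</p>

```python
"""Default ccache name resolution and TYPE:residual parsing, following the
rules on this page (added example, not krb5 library code).  DEFCCNAME is the
usual build default and is an assumption here, as is the small subset of
profile parameter expansion implemented by expand()."""

DEFCCNAME = "FILE:/tmp/krb5cc_%{uid}"   # assumed build-time default
KEYRING_ANCHORS = {"process", "thread", "session", "user", "persistent"}

def expand(name, uid, username):
    """Subset of krb5 profile parameter expansion (assumption: only these two)."""
    return name.replace("%{uid}", str(uid)).replace("%{username}", username)

def default_ccache_name(env, libdefaults, uid, username):
    """Priority: KRB5CCNAME, then default_ccache_name in [libdefaults], then DEFCCNAME."""
    if env.get("KRB5CCNAME"):
        return env["KRB5CCNAME"]                 # environment value is taken literally
    if libdefaults.get("default_ccache_name"):
        return expand(libdefaults["default_ccache_name"], uid, username)
    return expand(DEFCCNAME, uid, username)

def parse_ccache_name(name, euid=None):
    """Split a ccache name into (type, residual, description).

    Enforces the residual forms listed on this page; a name with no type
    prefix is a FILE cache.  (On Windows a one-letter prefix is a drive
    letter rather than a type; that case is not handled here.)
    """
    if ":" not in name:
        return "FILE", name, "no type prefix: FILE cache"
    typ, residual = name.split(":", 1)
    typ = typ.upper()
    if typ == "FILE":
        return typ, residual, "flat file holding one credential after another"
    if typ == "DIR":
        if residual.startswith(":"):
            return typ, residual[1:], "single cache in a directory; switching to it makes it primary"
        return typ, residual, "collection; resolves to the directory's primary cache"
    if typ == "KEYRING":
        anchor, sep, rest = residual.partition(":")
        if not sep:
            return typ, residual, "keyring cache without an explicit anchor"
        if anchor not in KEYRING_ANCHORS:
            raise ValueError("unknown keyring anchor %r" % anchor)
        if anchor == "persistent" and not rest.split(":")[0].isdigit():
            raise ValueError("KEYRING:persistent needs a uid number")
        return typ, residual, "%s keyring" % anchor
    if typ == "KCM":
        if residual == "":
            return typ, residual, "default cache chosen by the KCM daemon"
        uid, _, cname = residual.partition(":")
        if euid is not None and uid != str(euid):
            raise ValueError("KCM cache uid %s does not match effective uid %d" % (uid, euid))
        return typ, residual, "cache %r owned by uid %s in the KCM daemon" % (cname, uid)
    if typ in ("MEMORY", "API", "MSLSA"):
        return typ, residual, "%s cache" % typ
    raise ValueError("unknown ccache type %r" % typ)

def select_cache(collection, principal=None, server_realm=None):
    """Pick a cache from a collection (simplified model).

    collection: list of (cache_name, client_principal); the first entry is
    the primary.  principal models kswitch -p / kinit princname; server_realm
    models the GSSAPI choice by target realm.  Returns the cache name or None.
    """
    if principal is not None:
        return next((name for name, p in collection if p == principal), None)
    if server_realm is not None:
        for name, p in collection:
            if p.rsplit("@", 1)[-1] == server_realm:
                return name
    return collection[0][0] if collection else None
```

<p>The <code class="docutils literal notranslate"><span class="pre">euid</span></code> check in the KCM branch mirrors
the rule that new KCM caches are named with the caller’s effective uid;
passing the real effective uid in makes a mismatched name fail early
instead of at the daemon.</p>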


            <div class="clearer"></div>
          </div>
        </div>
      </div>
        </div>
        <div class="sidebar">

    <h2>On this page</h2>
    <ul>
<li><a class="reference internal" href="#">Credential cache</a><ul>
<li><a class="reference internal" href="#ccache-types">ccache types</a></li>
<li><a class="reference internal" href="#collections-of-caches">Collections of caches</a><ul>
<li><a class="reference internal" href="#tool-alterations-to-use-cache-collection">Tool alterations to use cache collection</a></li>
</ul>
</li>
<li><a class="reference internal" href="#default-ccache-name">Default ccache name</a></li>
</ul>
</li>
</ul>

    <br/>
    <h2>Table of contents</h2>
    <ul class="current">
<li class="toctree-l1"><a class="reference internal" href="../user/index.html">For users</a></li>
<li class="toctree-l1"><a class="reference internal" href="../admin/index.html">For administrators</a></li>
<li class="toctree-l1"><a class="reference internal" href="../appdev/index.html">For application developers</a></li>
<li class="toctree-l1"><a class="reference internal" href="../plugindev/index.html">For plugin module developers</a></li>
<li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li>
<li class="toctree-l1 current"><a class="reference internal" href="index.html">Kerberos V5 concepts</a><ul class="current">
<li class="toctree-l2 current"><a class="current reference internal" href="#">Credential cache</a></li>
<li class="toctree-l2"><a class="reference internal" href="keytab_def.html">keytab</a></li>
<li class="toctree-l2"><a class="reference internal" href="rcache_def.html">replay cache</a></li>
<li class="toctree-l2"><a class="reference internal" href="stash_file_def.html">stash file</a></li>
<li class="toctree-l2"><a class="reference internal" href="date_format.html">Supported date and time formats</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="../formats/index.html">Protocols and file formats</a></li>
<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li>
<li class="toctree-l1"><a class="reference internal" href="../build_this.html">How to build this documentation from the source</a></li>
<li class="toctree-l1"><a class="reference internal" href="../about.html">Contributing to the MIT Kerberos Documentation</a></li>
<li class="toctree-l1"><a class="reference internal" href="../resources.html">Resources</a></li>
</ul>

    <br/>
    <h4><a href="../index.html">Full Table of Contents</a></h4>
    <h4>Search</h4>
    <form class="search" action="../search.html" method="get">
      <input type="text" name="q" size="18" />
      <input type="submit" value="Go" />
      <input type="hidden" name="check_keywords" value="yes" />
      <input type="hidden" name="area" value="default" />
    </form>

        </div>
        <div class="clearer"></div>
      </div>
    </div>

    <div class="footer-wrapper">
        <div class="footer" >
            <div class="right" ><i>Release: 1.21.3</i><br />
                &copy; <a href="../copyright.html">Copyright</a> 1985-2024, MIT.
            </div>
            <div class="left">

        <a href="../index.html" title="Full Table of Contents"
            >Contents</a> |
        <a href="index.html" title="Kerberos V5 concepts"
            >previous</a> |
        <a href="keytab_def.html" title="keytab"
            >next</a> |
        <a href="../genindex.html" title="General Index"
            >index</a> |
        <a href="../search.html" title="Enter search criteria"
            >Search</a> |
    <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Credential cache">feedback</a>
            </div>
        </div>
    </div>

  </body>
</html>