Re: override default credentials cache file location
daemon@ATHENA.MIT.EDU (Chris Ward)
Thu Oct 14 14:51:53 2010
Date: Thu, 14 Oct 2010 11:51:53 -0700 (PDT)
From: Chris Ward <krice@facebook.com>
To: Zaar Hai <haizaar@gmail.com>
In-Reply-To: <AANLkTik44GKtwJBwysv8ONSeLdPQ-b+=SOO7U8qCHdmb@mail.gmail.com>
Message-ID: <Pine.LNX.4.64.1010141149020.17062@skoodge.facebook.com>
MIME-Version: 1.0
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
I could be wrong, but I think what you want is this:
KRB5CCNAME
Used by the mechanism to specify the location of the credential cache.
The variable can be set to the following value:
[[<cc type>:]<file name>]
where <cc type> can be FILE or MEMORY. <file name> is the location of
the principal's credential cache.
If KRB5CCNAME is not defined, the default value is:
FILE:/tmp/krb5cc_<uid>
where <uid> is the user id of the process that created the cache file.
The credential cache file is used to store tickets that have been
granted to the principal.
Specifying the FILE type assumes that subsequent operations on the
associated file are readable and writable by the invoking process. Care
must be taken to ensure that the file is accessible only by the set of
principals that need to access their credentials. If the credential file
is in a directory to which other users have write access, you need to set
that directory's sticky bit (see chmod(1)).
The MEMORY credential cache type is used only in special cases, such
as when making a temporary cache for the life of the invoking process.
On Thu, 14 Oct 2010, Zaar Hai wrote:
> Good day, dear all!
>
> I'm using MIT Kerberos version 1.6 on Debian Lenny amd64. I would like
> to override the default location of the credentials cache file. Here is the
> reasoning, and maybe someone would have a better solution:
>
> Credential caches are stored in /tmp by default. /tmp is mounted on a
> real disk and that's not going to change. The problem is that if, for
> example, I run kinit in the evening and go home, then someone who
> breaks into the office at night can reboot my computer from CD and access
> my credentials cache, gaining access to all of the network services
> I'm eligible to access.
> I've thought of making the default cache location
> /var/cars/krb5ccache, which will be mounted in RAM, making the above
> scenario much harder to execute.
>
> Thanks.
> --
> Zaar
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
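As an added example (not part of the thread), the following shell script applies the reply's advice: it builds a KRB5CCNAME value of the form FILE:<dir>/krb5cc_<uid>, warns when the directory is not on a memory-backed filesystem (the point of the original question), and refuses a directory that other users can write to unless its sticky bit is set. It assumes Linux with GNU coreutils (`stat -f -c %T`, `stat -c %a`); /dev/shm is only a placeholder for whatever tmpfs you actually mount.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU coreutils on Linux.

# Filesystem types that live in RAM and are gone after a reboot.
is_memory_fs() {
    case "$1" in
        tmpfs|ramfs) return 0 ;;
        *)           return 1 ;;
    esac
}

# Type name of the filesystem holding DIR, e.g. "tmpfs" or "ext2/ext3".
fs_type_of() {
    stat -f -c %T "$1"
}

# DIR is acceptable when it exists and is either private to the owner
# (no group/other write bit) or world-writable with the sticky bit set,
# which is what the reply recommends for a shared directory.
cache_dir_ok() {
    dir=$1
    [ -d "$dir" ] || return 1
    mode=$(stat -c %a "$dir")              # e.g. 700, 777, 1777
    perms=$((0$mode & 0777))               # permission bits only
    sticky=$(( (0$mode & 01000) != 0 ))    # 1 when the sticky bit is set
    if [ $((perms & 022)) -eq 0 ]; then
        return 0                           # only the owner can write here
    fi
    [ "$sticky" -eq 1 ]                    # shared dir: sticky bit required
}

# KRB5CCNAME value for DIR, following the default krb5cc_<uid> naming.
ccname_for() {
    printf 'FILE:%s/krb5cc_%s\n' "$1" "$(id -u)"
}

# Check the candidate directory, then print the export line to use.
main() {
    dir=${1:-/dev/shm}                     # placeholder tmpfs location
    is_memory_fs "$(fs_type_of "$dir")" \
        || echo "warning: $dir is not on a RAM-backed filesystem" >&2
    cache_dir_ok "$dir" \
        || { echo "refusing $dir: other users can write to it" >&2; return 1; }
    echo "export KRB5CCNAME=$(ccname_for "$dir")"
}

[ $# -gt 0 ] && main "$@"
```

Run it as `sh check_ccdir.sh /path/to/tmpfs` and eval the printed export line in the shell where you run kinit.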