.\" Copyright (c) 2005 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\"
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" 3. Neither the name of the Institute nor the names of its contributors
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $Id$
.\"
.Dd May 29, 2005
.Dt KCM 8
.Os Heimdal
.Sh NAME
.Nm kcm
.Nd process-based credential cache for Kerberos tickets.
.Sh SYNOPSIS
.Nm
.Op Fl Fl cache-name= Ns Ar cachename
.Oo Fl c Ar file \*(Ba Xo
.Fl Fl config-file= Ns Ar file
.Xc
.Oc
.Oo Fl g Ar group \*(Ba Xo
.Fl Fl group= Ns Ar group
.Xc
.Oc
.Op Fl Fl max-request= Ns Ar size
.Op Fl Fl disallow-getting-krbtgt
.Op Fl Fl detach
.Op Fl h | Fl Fl help
.Oo Fl k Ar principal \*(Ba Xo
.Fl Fl system-principal= Ns Ar principal
.Xc
.Oc
.Oo Fl l Ar time \*(Ba Xo
.Fl Fl lifetime= Ns Ar time
.Xc
.Oc
.Oo Fl m Ar mode \*(Ba Xo
.Fl Fl mode= Ns Ar mode
.Xc
.Oc
.Op Fl n | Fl Fl no-name-constraints
.Oo Fl r Ar time \*(Ba Xo
.Fl Fl renewable-life= Ns Ar time
.Xc
.Oc
.Oo Fl s Ar path \*(Ba Xo
.Fl Fl socket-path= Ns Ar path
.Xc
.Oc
.Oo Xo
.Fl Fl door-path= Ns Ar path
.Xc
.Oc
.Oo Fl S Ar principal \*(Ba Xo
.Fl Fl server= Ns Ar principal
.Xc
.Oc
.Oo Fl t Ar keytab \*(Ba Xo
.Fl Fl keytab= Ns Ar keytab
.Xc
.Oc
.Oo Fl u Ar user \*(Ba Xo
.Fl Fl user= Ns Ar user
.Xc
.Oc
.Op Fl v | Fl Fl version
.Sh DESCRIPTION
.Nm
is a process-based credential cache.
To use it, set the
.Ev KRB5CCNAME
environment variable to
.Ql KCM: Ns Ar uid
or add the stanza
.Bd -literal

[libdefaults]
default_cc_name = KCM:%{uid}

.Ed
to the
.Pa /etc/krb5.conf
configuration file and make sure
.Nm kcm
is started in the system startup files.
.Pp
The
.Nm
daemon can hold the credentials for all users in the system. Access
control is done with Unix-like permissions. The daemon checks the
access on all operations based on the uid and gid of the user. The
tickets are renewed as long as is permitted by the KDC's policy.
.Pp
The
.Nm
daemon can also keep a SYSTEM credential that server processes can
use to access services. One example of usage might be an nss_ldap
module that quickly needs to get credentials and doesn't want to renew
the ticket itself.
.Pp
Supported options:
.Bl -tag -width Ds
.It Fl Fl cache-name= Ns Ar cachename
system cache name
.It Fl c Ar file , Fl Fl config-file= Ns Ar file
location of config file
.It Fl g Ar group , Fl Fl group= Ns Ar group
system cache group
.It Fl Fl max-request= Ns Ar size
max size for a kcm-request
.It Fl Fl disallow-getting-krbtgt
disallow extracting any krbtgt from the
.Nm kcm
daemon.
.It Fl Fl detach
detach from console
.It Fl h , Fl Fl help
.It Fl k Ar principal , Fl Fl system-principal= Ns Ar principal
system principal name
.It Fl l Ar time , Fl Fl lifetime= Ns Ar time
lifetime of system tickets
.It Fl m Ar mode , Fl Fl mode= Ns Ar mode
octal mode of system cache
.It Fl n , Fl Fl no-name-constraints
disable credentials cache name constraints
.It Fl r Ar time , Fl Fl renewable-life= Ns Ar time
renewable lifetime of system tickets
.It Fl s Ar path , Fl Fl socket-path= Ns Ar path
path to kcm domain socket
.It Fl Fl door-path= Ns Ar path
path to kcm door socket
.It Fl S Ar principal , Fl Fl server= Ns Ar principal
server to get system ticket for
.It Fl t Ar keytab , Fl Fl keytab= Ns Ar keytab
system keytab name
.It Fl u Ar user , Fl Fl user= Ns Ar user
system cache owner
.It Fl v , Fl Fl version
.El
.\".Sh ENVIRONMENT
.\".Sh FILES
.\".Sh EXAMPLES
.\".Sh DIAGNOSTICS
.\".Sh SEE ALSO
.\".Sh STANDARDS
.\".Sh HISTORY
.\".Sh AUTHORS
.\".Sh BUGS
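
The DESCRIPTION gives two ways to select the kcm cache: the KRB5CCNAME environment variable or a default_cc_name entry under [libdefaults]. The script below is an added example, not part of the Heimdal manual page or source; it works out which cache name a process would end up with and whether that name is a KCM: cache. The function names, the sample configuration text and the choice to take the first default_cc_name found are assumptions of this example.

```shell
#!/bin/sh
# Added example. Function names and the sample configuration are constructed.

# Constructed krb5.conf text; the [libdefaults] entry is the stanza from the page.
sample_conf() {
    cat <<'EOF'
# constructed sample
[realms]
    default_cc_name = FILE:/tmp/wrong_section
[libdefaults]
    default_realm = EXAMPLE.TEST
    default_cc_name = KCM:%{uid}
EOF
}

# Print default_cc_name from [libdefaults] of the krb5.conf text on stdin
# (first match; an assumption of this example). Returns 1 if it is not set there.
libdefaults_cc_name() {
    section=
    while IFS= read -r line; do
        line=${line#"${line%%[![:space:]]*}"}       # trim leading blanks
        case $line in
            ''|'#'*|';'*) continue ;;               # blank line or comment
            '['*) section=${line#\[}; section=${section%%\]*}; continue ;;
            *=*) ;;
            *) continue ;;
        esac
        key=${line%%=*}; key=${key%"${key##*[![:space:]]}"}
        val=${line#*=};  val=${val#"${val%%[![:space:]]*}"}
        val=${val%"${val##*[![:space:]]}"}
        if [ "$section" = libdefaults ] && [ "$key" = default_cc_name ]; then
            printf '%s\n' "$val"; return 0
        fi
    done
    return 1
}

# $1 = value of KRB5CCNAME (may be empty), $2 = numeric uid, stdin = krb5.conf text.
# The environment variable takes precedence over the configuration file.
effective_cc_name() {
    if [ -n "$1" ]; then printf '%s\n' "$1"; return 0; fi
    name=$(libdefaults_cc_name) || name=
    tok='%{uid}'
    case $name in *"$tok"*) name=${name%%"$tok"*}$2${name#*"$tok"} ;; esac
    printf '%s\n' "$name"
}

# Succeeds only for cache names that are handled by the kcm daemon.
uses_kcm() { case $1 in KCM:*) return 0 ;; *) return 1 ;; esac; }

# Demo on the constructed sample, using the caller's own environment and uid.
sample_conf | effective_cc_name "${KRB5CCNAME:-}" "$(id -u)"
```

To check a real host, feed the function the actual file instead of the sample: `effective_cc_name "${KRB5CCNAME:-}" "$(id -u)" < /etc/krb5.conf`.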