| field | value | date |
|---|---|---|
| author | Greg Hudson <ghudson@mit.edu> | 2019-05-17 13:45:08 -0400 |
| committer | Greg Hudson <ghudson@mit.edu> | 2019-05-31 13:43:29 -0400 |
| commit | 0e68760cb8dce4ea25fd73d6eab95bce103b6443 (patch) | |
| tree | 689361f0f2e4c553f7b6f3f2b163b24e9fa73495 /doc/basic | |
| parent | e8a35f6962ce2d048616fb7457bff2d90398ca48 (diff) | |
| download | krb5-0e68760cb8dce4ea25fd73d6eab95bce103b6443.zip krb5-0e68760cb8dce4ea25fd73d6eab95bce103b6443.tar.gz krb5-0e68760cb8dce4ea25fd73d6eab95bce103b6443.tar.bz2 | |
Add KRB5RCACHENAME and default_rcache_name
In krb5_get_server_rcache(), stop constructing a residual value based
on piece and the euid, and instead resolve the default replay cache
(previously an unused operation, as krb5_rc_default() was not part of
the API and was never used).
To determine the default replay cache name, try the KRB5RCACHENAME
environment variable first, and then try KRB5RCACHETYPE for
compatibility. If neither of those environment variables is set, try
the default_rcache_name profile relation in [libdefaults] before
falling back to "dfl:".
ticket: 8786
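The lookup order the commit message describes, as an added example in Python (not krb5's own code): it resolves the default replay cache name from a constructed environment and a constructed krb5.conf fragment, splits the result into type and residual, and flags the ``none`` type, which the documentation text removed by this patch describes as reporting every authenticator as not a replay. The minimal [libdefaults] parser, the sample file path, and treating an empty environment variable as unset are assumptions.

```python
import re
from typing import Dict, Tuple

# Constructed krb5.conf fragment (not from the page); only the
# default_rcache_name relation matters for the lookup.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM
    default_rcache_name = file2:/var/tmp/svc.rcache2   # constructed path

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
"""


def libdefaults(conf_text: str) -> Dict[str, str]:
    """Return the flat key = value relations of [libdefaults] (assumed
    minimal parser: other sections are skipped, '#' starts a comment)."""
    relations: Dict[str, str] = {}
    section = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            relations[key] = value
    return relations


def default_rcache_name(env: Dict[str, str], conf_text: str) -> str:
    """Apply the priority order from the commit message, top to bottom."""
    if env.get("KRB5RCACHENAME"):          # 1. full name, type:residual
        return env["KRB5RCACHENAME"]
    if env.get("KRB5RCACHETYPE"):          # 2. type only, empty residual
        return env["KRB5RCACHETYPE"] + ":"
    relation = libdefaults(conf_text).get("default_rcache_name")
    if relation:                           # 3. profile relation
        return relation
    return "dfl:"                          # 4. built-in default


def split_name(name: str) -> Tuple[str, str]:
    """Split 'type:residual'; a bare type yields an empty residual."""
    rctype, _, residual = name.partition(":")
    return rctype, residual


def replay_detection_disabled(env: Dict[str, str], conf_text: str) -> bool:
    """True when the resolved name selects type 'none', which records no
    authenticators and never reports a replay; worth auditing on servers."""
    return split_name(default_rcache_name(env, conf_text))[0] == "none"
```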
Diffstat (limited to 'doc/basic')

| mode | file | lines |
|---|---|---|
| -rw-r--r-- | doc/basic/rcache_def.rst | 29 |

1 files changed, 12 insertions, 17 deletions
diff --git a/doc/basic/rcache_def.rst b/doc/basic/rcache_def.rst index 5e550fc..de3b215 100644 --- a/doc/basic/rcache_def.rst +++ b/doc/basic/rcache_def.rst @@ -74,9 +74,6 @@ are in lowercase. The following types are defined: a file2 replay cache with a filename based on the effective uid. The residual value is ignored. -The default type can be overridden by the **KRB5RCACHETYPE** -environment variable. - For the dfl type, the location of the replay cache file is determined as follows: @@ -96,21 +93,19 @@ directory, unless overridden by the **KRB5RCACHEDIR** environment variable. The filename on Windows is ``krb5.rcache2``, and the file is opened normally. -Performance issues ------------------- +Default replay cache name +------------------------- + +The default replay cache name is determined by the following, in +descending order of priority: -Several known minor performance issues that may occur when replay -cache is enabled on the Kerberos system include: delays due to writing -the authenticator data to disk slowing down response time for very -heavily loaded servers, and delays during the rewrite that may be -unacceptable to high-performance services. +#. The **KRB5RCACHENAME** environment variable (new in release 1.18). -For use cases where replays are adequately defended against for all -protocols using a given service principal name, or where performance -or other considerations outweigh the risk of replays, the special -replay cache type "none" can be specified:: +#. The **KRB5RCACHETYPE** environment variable. If this variable is + set, the residual value is empty. - KRB5RCACHETYPE=none +#. The **default_rcache_name** profile variable in :ref:`libdefaults` + (new in release 1.18). -It doesn't record any information about authenticators, and reports -that any authenticator seen is not a replay. +#. If none of the above are set, the default replay cache name is + ``dfl:``. |
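Review bot: in the first hunk (@@ -74,9 +74,6 @@) the removed sentence about **KRB5RCACHETYPE** was the only hint in the type list that the default type can be overridden; since that information now lives in the new "Default replay cache name" section further down, replace the deleted sentence with a one-line pointer to that section rather than dropping it, so a reader who stops at the type list still learns where the override is documented.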
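Review bot: in the second hunk (@@ -96,21 +93,19 @@) the deleted "Performance issues" text carried the only description of the ``none`` replay cache type (it records nothing about authenticators and reports every authenticator as not a replay), and nothing in the new section carries it forward; unless ``none`` is already listed under "The following types are defined" above this hunk, keep one sentence in the new section stating that a name whose type is ``none`` disables replay detection, because that is the consequence an administrator setting the new variable most needs to see. Two smaller points: item 2 says "the residual value is empty" without saying what name results, so spelling out that the name is the type followed by a colon, matching the ``dfl:`` form shown in item 4, would remove the ambiguity; and the ``(new in release 1.18)`` markers on items 1 and 3 should probably also appear in the release notes, since this hunk is documentation only.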