xref: /netbsd-src/crypto/external/bsd/heimdal/dist/kcm/kcm.8 (revision 48fb7bfab72acd4281a53bbee5ccf3f809019e75)
.\"	$NetBSD: kcm.8,v 1.3 2011/04/28 14:07:12 wiz Exp $
.\"
.\" Copyright (c) 2005 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\"
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" 3. Neither the name of the Institute nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" Id
.\"
.Dd May 29, 2005
.Dt KCM 8
.Os
.Sh NAME
.Nm kcm
.Nd process-based credential cache for Kerberos tickets
.Sh SYNOPSIS
.Nm
.Op Fl -cache-name= Ns Ar cachename
.Oo Fl c Ar file \*(Ba Xo
.Fl -config-file= Ns Ar file
.Xc
.Oc
.Oo Fl g Ar group \*(Ba Xo
.Fl -group= Ns Ar group
.Xc
.Oc
.Op Fl -max-request= Ns Ar size
.Op Fl -disallow-getting-krbtgt
.Op Fl -detach
.Op Fl h | Fl -help
.Oo Fl k Ar principal \*(Ba Xo
.Fl -system-principal= Ns Ar principal
.Xc
.Oc
.Oo Fl l Ar time \*(Ba Xo
.Fl -lifetime= Ns Ar time
.Xc
.Oc
.Oo Fl m Ar mode \*(Ba Xo
.Fl -mode= Ns Ar mode
.Xc
.Oc
.Op Fl n | Fl -no-name-constraints
.Oo Fl r Ar time \*(Ba Xo
.Fl -renewable-life= Ns Ar time
.Xc
.Oc
.Oo Fl s Ar path \*(Ba Xo
.Fl -socket-path= Ns Ar path
.Xc
.Oc
.Oo Xo
.Fl -door-path= Ns Ar path
.Xc
.Oc
.Oo Fl S Ar principal \*(Ba Xo
.Fl -server= Ns Ar principal
.Xc
.Oc
.Oo Fl t Ar keytab \*(Ba Xo
.Fl -keytab= Ns Ar keytab
.Xc
.Oc
.Oo Fl u Ar user \*(Ba Xo
.Fl -user= Ns Ar user
.Xc
.Oc
.Op Fl v | Fl -version
.Sh DESCRIPTION
.Nm
is a process-based credential cache.
To use it, set the
.Ev KRB5CCNAME
environment variable to
.Ql KCM: Ns Ar uid
or add the stanza
.Bd -literal

[libdefaults]
        default_cc_name = KCM:%{uid}

.Ed
to the
.Pa /etc/krb5.conf
configuration file and make sure
.Nm kcm
is started in the system startup files.
.Pp
The
.Nm
daemon can hold the credentials for all users in the system.  Access
control is done with Unix-like permissions.  The daemon checks the
access on all operations based on the uid and gid of the user.  The
tickets are renewed as long as is permitted by the KDC's policy.
.Pp
The
.Nm
daemon can also keep a SYSTEM credential that server processes can
use to access services.  One example of usage might be an nss_ldap
module that quickly needs to get credentials and doesn't want to renew
the ticket itself.
.Pp
Supported options:
.Bl -tag -width Ds
.It Fl -cache-name= Ns Ar cachename
system cache name
.It Fl c Ar file , Fl -config-file= Ns Ar file
location of config file
.It Fl g Ar group , Fl -group= Ns Ar group
system cache group
.It Fl -max-request= Ns Ar size
max size for a kcm-request
.It Fl -disallow-getting-krbtgt
disallow extracting any krbtgt from the
.Nm kcm
daemon.
.It Fl -detach
detach from console
.It Fl h , Fl -help
.It Fl k Ar principal , Fl -system-principal= Ns Ar principal
system principal name
.It Fl l Ar time , Fl -lifetime= Ns Ar time
lifetime of system tickets
.It Fl m Ar mode , Fl -mode= Ns Ar mode
octal mode of system cache
.It Fl n , Fl -no-name-constraints
disable credentials cache name constraints
.It Fl r Ar time , Fl -renewable-life= Ns Ar time
renewable lifetime of system tickets
.It Fl s Ar path , Fl -socket-path= Ns Ar path
path to kcm domain socket
.It Fl -door-path= Ns Ar path
path to kcm door socket
.It Fl S Ar principal , Fl -server= Ns Ar principal
server to get system ticket for
.It Fl t Ar keytab , Fl -keytab= Ns Ar keytab
system keytab name
.It Fl u Ar user , Fl -user= Ns Ar user
system cache owner
.It Fl v , Fl -version
.El
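The two ways of selecting the cache named in DESCRIPTION (the KRB5CCNAME environment variable and the default_cc_name stanza) can be checked with the script below. It is an added example, not part of the kcm distribution; the function names and status labels are hypothetical, and it assumes plain "key = value" lines in [libdefaults] with no include directives.

```shell
#!/bin/sh
# Added example (not part of the kcm distribution): report which credential
# cache a Kerberos client would end up using for a given uid.
# Assumptions: only plain "key = value" lines in [libdefaults] are read,
# include directives are not followed, and uid is numeric.

# Print default_cc_name from the [libdefaults] section of a krb5.conf.
krb5_default_cc_name() {
    awk '
        /^[ \t]*[#;]/ { next }                    # comment line
        /^[ \t]*\[/ {                             # section header
            sect = $0
            sub(/^[ \t]*\[/, "", sect); sub(/\].*$/, "", sect)
            next
        }
        sect == "libdefaults" && index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/[ \t]/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "default_cc_name") { print val; exit }
        }
    ' "$1"
}

# KRB5CCNAME takes precedence; otherwise default_cc_name with %{uid} expanded.
# Usage: kcm_cc_status conf-file uid [KRB5CCNAME-value]
kcm_cc_status() {
    conf=$1; uid=$2; name=${3:-}
    if [ -z "$name" ]; then
        name=$(krb5_default_cc_name "$conf" | sed "s/%{uid}/$uid/g")
    fi
    case $name in
        "KCM:$uid") echo "kcm-own $name" ;;    # cache held by kcm for this uid
        KCM:*)      echo "kcm-other $name" ;;  # kcm cache not named KCM:<uid>
        "")         echo "unset" ;;            # library default applies
        *)          echo "not-kcm $name" ;;    # e.g. a FILE: cache, not in kcm
    esac
}

# Constructed sample configuration, matching the stanza in DESCRIPTION.
sample=$(mktemp)
printf '%s\n' '# constructed sample' '[libdefaults]' \
    '        default_cc_name = KCM:%{uid}' '[realms]' > "$sample"
kcm_cc_status "$sample" 1000                        # configuration only
kcm_cc_status "$sample" 1000 FILE:/tmp/krb5cc_1000  # environment override
rm -f "$sample"
```

A "not-kcm" result for an account that is expected to use the daemon means its tickets sit outside the uid and gid checks that kcm applies.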
.\".Sh ENVIRONMENT
.\".Sh FILES
.\".Sh EXAMPLES
.\".Sh DIAGNOSTICS
.\".Sh SEE ALSO
.\".Sh STANDARDS
.\".Sh HISTORY
.\".Sh AUTHORS
.\".Sh BUGS