/var/logmarcus chiu

Kerberos - Credential Cache (ccache)

Created on · Last Modified on

Credential Cache (ccache)
  • holds Kerberos credentials while they remain valid and, generally, while the user’s session lasts, so that authenticating to a service multiple times (e.g., connecting to a web or mail server more than once) doesn’t require contacting the KDC every time.

ccache - Basics

A ccache usually contains one initial ticket which is obtained usually by a password. If this ticket is a ticket-granting ticket, it can be used to obtain service tickets without the password. Because the credential cache does not store the password, less long-term damage can be done to the user’s account if the machine is compromised.

A ccache stores a default client principal name, set when the cache is created. This is the name shown at the top of the klist -A output.

ccache - Entries

Each normal cache entry includes:

  • a service principal name
  • a client principal name (which, in some ccache types, need not be the same as the default)
  • lifetime information
  • flags
  • along with the credential itself

There are also other entries, indicated by special names, that store additional information.

ccache - Types

The credential cache interface, like the keytab and replay cache interfaces, uses TYPE:value strings to indicate the type of credential cache and any associated cache naming data to use.

There are several kinds of credentials cache supported in the MIT Kerberos library. Not all are supported on every platform. In most cases, it should be correct to use the default type built into the library.

API

is only implemented on Windows. It communicates with a server process that holds the credentials in memory for the user, rather than writing them to disk.

DIR

points to the storage location of the collection of the credential caches in FILE: format. It is most useful when dealing with multiple Kerberos realms and KDCs. For release 1.10 the directory must already exist. In post-1.10 releases the requirement is for parent directory to exist and the current process must have permissions to create the directory if it does not exist. See Collections of caches for details. New in release 1.10

FILE

caches are the simplest and most portable. A simple flat file format is used to store one credential after another. This is the default ccache type.

KEYRING

is Linux-specific, and uses the kernel keyring support to store credential data in unswappable kernel memory where only the current user should be able to access it. The following residual forms are supported:

  • KEYRING:name
  • KEYRING:process:name - process keyring
  • KEYRING:thread:name - thread keyring

Starting with release 1.12 the KEYRING type supports collections. The following new residual forms were added:

  • KEYRING:session:name - session keyring
  • KEYRING:user:name - user keyring
  • KEYRING:persistent:uidnumber - persistent per-UID collection. Unlike the user keyring, this collection survives after the user logs out, until the cache credentials expire. This type of ccache requires support from the kernel; otherwise, it will fall back to the user keyring.

KEYRING MEMORY

caches are for storage of credentials that don’t need to be made available outside of the current process. For example, a memory ccache is used by kadmin to store the administrative ticket used to contact the admin server. Memory ccaches are faster than file ccaches and are automatically destroyed when the process exits.

MSLSA

is a Windows-specific cache type that accesses the Windows credential store.

See Collections of caches for details.

Resources