v5srvtab - Contains the service key table
/krb5/v5srvtab
The /krb5/v5srvtab file is the default service key table
file that contains the principal entries that you extract
from the principal database on the Key Distribution Center
(KDC). Each service principal must have a principal entry
in the principal database.
Unattended services that must authenticate using a service
principal require that the principal's key be added to the service
key table file. A client application sends a service ticket to the
secured service when it requests a connection. The secured service
decrypts the ticket using its own key, found in the service key
table file. If the service can decrypt the ticket, it knows that
the KDC issued the ticket to a user who was previously
authenticated and is who the user claims to be. The service then
performs its authorization checks. If the checks succeed, the
connection is established.
Data Types
There are several types of service key table files; the types
available depend on compile-time definitions. The available types
are the following:

MEM     A memory-based service key table stores keys in volatile
        memory. It is useful in environments where no file system
        exists, or for applications that need the extracted key only
        temporarily (or where putting those keys on disk would cause
        problems). A typical use of a memory-based service key table
        is as temporary storage for applications that need to merge,
        edit, or consolidate a file-based service key table without
        incurring the overhead of file-based I/O.

        In most environments a MEM service key table is not
        persistent and lives only as long as the process that created
        it. It is therefore not suitable for storing keys that must
        be passed between processes; you can, however, use it to pass
        keys within a process.

        Multiple accesses to the same service key table are supported
        through reference counting. As long as the table has been
        opened by csfC5resolve_kt() at least one more time than it
        has been closed by csfC5close_kt(), a call to csfC5close_kt()
        will not destroy it. To allow an existing memory service key
        table to be opened again by additional calls to
        csfC5resolve_kt(), the kt structure carries a special name
        that resolves to the memory service key table's address. To
        build a name string that csfC5resolve_kt() can use,
        concatenate the kt.tname field, a ':', and the kt.name field.
        This technique works for the FILE service key table as well.

FILE    A file-based (nonvolatile) service key table stores keys in
        a disk file. On multiuser systems, set the file's permissions
        so that only the applications that need the service key
        table can read it: the keys it holds are the service's
        long-term secrets, and anyone who can read them can
        impersonate the service. Specify the FILE type to indicate
        that the operation must not modify the service key table
        file.

WFILE   Refers to the same file storage location as FILE; both types
        can name the same file. Specify the WFILE type to indicate
        that the service key table file is to be treated as writable
        during the operation.
Specify a service key table file with a name in the form
TYPE:name, where all components are optional. The type
specifies MEM, FILE or WFILE; the interpretation of the
name is specific to a type. The name specifies the name of
the service key table file. The default name for the FILE
and WFILE types is /krb5/v5srvtab. The names NULL, "", and
: are all equivalent, and all specify that the default
service key table name should be used.
The type or name component can be empty. The following
table lists the possible combinations and results:
-----------------------------------------------------------------------
Type Component   Name Component   Behavior               Key Table Type and Name
-----------------------------------------------------------------------
Empty            Empty            Default type and name  FILE:/krb5/v5srvtab
Specified        Empty            Default name for the   FILE:/krb5/v5srvtab
                                  type                   WFILE:/krb5/v5srvtab
                                                         MEM: no default name
Empty            Specified        Default type with the  FILE:/keytablename
                                  specified name
Specified        Specified        Specified type and     TYPE:/keytablename
                                  name
-----------------------------------------------------------------------
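The reference-counted open/close behaviour and the tname:name re-open trick described under MEM, together with the TYPE:name defaulting rules in the table, as an added example. This is illustrative C written for this page, not the Tru64 csfC5resolve_kt()/csfC5close_kt() implementation: the functions kt_parse(), kt_resolve(), kt_close() and kt_full_name(), the struct kt layout, the fixed slot table and its size, and the sample specifications in main() are all assumptions. It models only the naming and lifetime rules; it does not read or write the on-disk keytab format and holds no key material.

```c
/* Added example (not the Tru64 library code): resolve a "TYPE:name" service
 * key table specification with the defaulting rules of the table above, and
 * model the reference-counted lifetime the text describes for
 * csfC5resolve_kt()/csfC5close_kt(). Every name here is an assumption. */
#include <stdio.h>
#include <string.h>
#define KT_DEFAULT_PATH "/krb5/v5srvtab"
#define KT_MAX_TABLES 8
enum kt_type { KT_FILE, KT_WFILE, KT_MEM };
static const char *const kt_tnames[] = { "FILE", "WFILE", "MEM" }; /* kt.tname */
/* kt.name: path for FILE/WFILE, label for MEM; refs == 0 means slot is free */
struct kt { enum kt_type type; char name[128]; int refs; };
static struct kt tables[KT_MAX_TABLES];

/* NULL, "" and ":" select the default; a missing type means FILE; a missing
 * name means /krb5/v5srvtab, except for MEM, which has no default name. */
static int kt_parse(const char *spec, enum kt_type *type,
                    char *name, size_t namelen)
{
    const char *colon;
    size_t tlen, i;
    spec = spec ? spec : "";
    *type = KT_FILE;
    if ((colon = strchr(spec, ':')) != NULL) {
        tlen = (size_t)(colon - spec);
        if (tlen > 0) {                           /* explicit type component */
            for (i = 0; i <= KT_MEM; i++)
                if (strlen(kt_tnames[i]) == tlen &&
                    strncmp(kt_tnames[i], spec, tlen) == 0)
                    break;
            if (i > KT_MEM)
                return -1;                        /* unknown type */
            *type = (enum kt_type)i;
        }
        spec = colon + 1;                         /* the rest is the name */
    }
    if (*spec == '\0') {
        if (*type == KT_MEM)
            return -1;                            /* MEM: no default name */
        spec = KT_DEFAULT_PATH;
    }
    if ((size_t)snprintf(name, namelen, "%s", spec) >= namelen)
        return -1;                                /* name too long */
    return 0;
}

/* Open a table: reuse the entry with the same type and name (one more
 * reference) or claim a free slot. NULL on a bad spec or when no slot is free. */
struct kt *kt_resolve(const char *spec)
{
    enum kt_type type;
    char name[128];
    struct kt *kt, *free_slot = NULL;
    if (kt_parse(spec, &type, name, sizeof name) != 0)
        return NULL;
    for (kt = tables; kt < tables + KT_MAX_TABLES; kt++) {
        if (kt->refs == 0) {
            if (free_slot == NULL)
                free_slot = kt;
        } else if (kt->type == type && strcmp(kt->name, name) == 0) {
            kt->refs++;
            return kt;
        }
    }
    if (free_slot == NULL)
        return NULL;
    free_slot->type = type;
    strcpy(free_slot->name, name);
    free_slot->refs = 1;
    return free_slot;
}

/* Drop one reference; the table is destroyed (slot scrubbed) only when the
 * last one goes. Returns the remaining count, or -1 if already destroyed. */
int kt_close(struct kt *kt)
{
    if (kt == NULL || kt->refs == 0)
        return -1;
    if (--kt->refs == 0)
        memset(kt, 0, sizeof *kt);
    return kt->refs;
}

/* Build the "tname:name" string that re-opens an already open table. */
int kt_full_name(const struct kt *kt, char *buf, size_t buflen)
{
    return snprintf(buf, buflen, "%s:%s", kt_tnames[kt->type], kt->name);
}

int main(void)
{
    const char *specs[] = { NULL, "", "WFILE:", "/etc/svc.keytab", "MEM:", "MEM:svc" };
    char full[160]; size_t i;
    for (i = 0; i < sizeof specs / sizeof specs[0]; i++) {
        struct kt *kt = kt_resolve(specs[i]);
        const char *shown = specs[i] ? specs[i] : "NULL";
        if (kt != NULL && kt_full_name(kt, full, sizeof full) > 0)
            printf("%-16s -> %s (refs=%d)\n", shown, full, kt->refs);
        else
            printf("%-16s -> rejected\n", shown);
    }
    return 0;
}
```

Resolving NULL, "" and ":" in turn returns the same FILE:/krb5/v5srvtab entry with a growing reference count, "WFILE:" gets its own entry for the same path, "MEM:" is rejected because MEM has no default name, and kt_full_name() yields exactly the string that re-opens an entry. Once the last reference is closed the slot is scrubbed, which is the behaviour the MEM description warns about: keys in a memory table do not outlive its last close.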
Commands: kinit(1), ktutil(1)
v5srvtab(4)