diff options
Diffstat (limited to 'doc/html/basic/rcache_def.html')
-rw-r--r-- | doc/html/basic/rcache_def.html | 230 |
1 files changed, 230 insertions, 0 deletions
diff --git a/doc/html/basic/rcache_def.html b/doc/html/basic/rcache_def.html new file mode 100644 index 000000000000..3bc9690898c5 --- /dev/null +++ b/doc/html/basic/rcache_def.html @@ -0,0 +1,230 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> + + +<html xmlns="http://www.w3.org/1999/xhtml"> + <head> + <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> + + <title>replay cache — MIT Kerberos Documentation</title> + + <link rel="stylesheet" href="../_static/agogo.css" type="text/css" /> + <link rel="stylesheet" href="../_static/pygments.css" type="text/css" /> + <link rel="stylesheet" href="../_static/kerb.css" type="text/css" /> + + <script type="text/javascript"> + var DOCUMENTATION_OPTIONS = { + URL_ROOT: '../', + VERSION: '1.15.1', + COLLAPSE_INDEX: false, + FILE_SUFFIX: '.html', + HAS_SOURCE: true + }; + </script> + <script type="text/javascript" src="../_static/jquery.js"></script> + <script type="text/javascript" src="../_static/underscore.js"></script> + <script type="text/javascript" src="../_static/doctools.js"></script> + <link rel="author" title="About these documents" href="../about.html" /> + <link rel="copyright" title="Copyright" href="../copyright.html" /> + <link rel="top" title="MIT Kerberos Documentation" href="../index.html" /> + <link rel="up" title="Kerberos V5 concepts" href="index.html" /> + <link rel="next" title="stash file" href="stash_file_def.html" /> + <link rel="prev" title="keytab" href="keytab_def.html" /> + </head> + <body> + <div class="header-wrapper"> + <div class="header"> + + + <h1><a href="../index.html">MIT Kerberos Documentation</a></h1> + + <div class="rel"> + + <a href="../index.html" title="Full Table of Contents" + accesskey="C">Contents</a> | + <a href="keytab_def.html" title="keytab" + accesskey="P">previous</a> | + <a href="stash_file_def.html" title="stash file" + accesskey="N">next</a> | + <a href="../genindex.html" title="General Index" + accesskey="I">index</a> | + <a href="../search.html" title="Enter search criteria" + accesskey="S">Search</a> | + <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__replay cache">feedback</a> + </div> + </div> + </div> + + <div class="content-wrapper"> + <div class="content"> + <div class="document"> + + <div class="documentwrapper"> + <div class="bodywrapper"> + <div class="body"> + + <div class="section" id="replay-cache"> +<span id="rcache-definition"></span><h1>replay cache<a class="headerlink" href="#replay-cache" title="Permalink to this headline">¶</a></h1> +<p>A replay cache (or “rcache”) keeps track of all authenticators +recently presented to a service. If a duplicate authentication +request is detected in the replay cache, an error message is sent to +the application program.</p> +<p>The replay cache interface, like the credential cache and +<a class="reference internal" href="keytab_def.html#keytab-definition"><em>keytab</em></a> interfaces, uses <cite>type:value</cite> strings to +indicate the type of replay cache and any associated cache naming +data to use.</p> +<div class="section" id="background-information"> +<h2>Background information<a class="headerlink" href="#background-information" title="Permalink to this headline">¶</a></h2> +<p>Some Kerberos or GSSAPI services use a simple authentication mechanism +where a message is sent containing an authenticator, which establishes +the encryption key that the client will use for talking to the +service. But nothing about that prevents an eavesdropper from +recording the messages sent by the client, establishing a new +connection, and re-sending or “replaying” the same messages; the +replayed authenticator will establish the same encryption key for the +new session, and the following messages will be decrypted and +processed. The attacker may not know what the messages say, and can’t +generate new messages under the same encryption key, but in some +instances it may be harmful to the user (or helpful to the attacker) +to cause the server to see the same messages again a second time. For +example, if the legitimate client sends “delete first message in +mailbox”, a replay from an attacker may delete another, different +“first” message. (Protocol design to guard against such problems has +been discussed in <span class="target" id="index-0"></span><a class="rfc reference external" href="http://tools.ietf.org/html/rfc4120.html#section-10"><strong>RFC 4120</strong></a>.)</p> +<p>Even if one protocol uses further protection to verify that the client +side of the connection actually knows the encryption keys (and thus is +presumably a legitimate user), if another service uses the same +service principal name, it may be possible to record an authenticator +used with the first protocol and “replay” it against the second.</p> +<p>The replay cache mitigates these attacks somewhat, by keeping track of +authenticators that have been seen until their five-minute window +expires. Different authenticators generated by multiple connections +from the same legitimate client will generally have different +timestamps, and thus will not be considered the same.</p> +<p>This mechanism isn’t perfect. If a message is sent to one application +server but a man-in-the-middle attacker can prevent it from actually +arriving at that server, the attacker could then use the authenticator +(once!) against a different service on the same host. This could be a +problem if the message from the client included something more than +authentication in the first message that could be useful to the +attacker (which is uncommon; in most protocols the server has to +indicate a successful authentication before the client sends +additional messages), or if the simple act of presenting the +authenticator triggers some interesting action in the service being +attacked.</p> +</div> +<div class="section" id="default-rcache-type"> +<h2>Default rcache type<a class="headerlink" href="#default-rcache-type" title="Permalink to this headline">¶</a></h2> +<p>There is currently only one implemented kind of replay cache, called +<strong>dfl</strong>. It stores replay data in one file, occasionally rewriting it +to purge old, expired entries.</p> +<p>The default type can be overridden by the <strong>KRB5RCACHETYPE</strong> +environment variable.</p> +<p>The placement of the replay cache file is determined by the following:</p> +<ol class="arabic simple"> +<li>The <strong>KRB5RCACHEDIR</strong> environment variable;</li> +<li>If KRB5RCACHEDIR is unspecified, on UNIX, the library +will fall back to the environment variable <strong>TMPDIR</strong>, and then to +a temporary directory determined at configuration time such as +<em>/tmp</em> or <em>/var/tmp</em>; on Windows, it will check the environment +variables <em>TEMP</em> and <em>TMP</em>, and fall back to the directory C:\.</li> +</ol> +</div> +<div class="section" id="performance-issues"> +<h2>Performance issues<a class="headerlink" href="#performance-issues" title="Permalink to this headline">¶</a></h2> +<p>Several known minor performance issues that may occur when replay +cache is enabled on the Kerberos system include: delays due to writing +the authenticator data to disk slowing down response time for very +heavily loaded servers, and delays during the rewrite that may be +unacceptable to high-performance services.</p> +<p>For use cases where replays are adequately defended against for all +protocols using a given service principal name, or where performance +or other considerations outweigh the risk of replays, the special +replay cache type “none” can be specified:</p> +<div class="highlight-python"><div class="highlight"><pre><span class="n">KRB5RCACHETYPE</span><span class="o">=</span><span class="n">none</span> +</pre></div> +</div> +<p>It doesn’t record any information about authenticators, and reports +that any authenticator seen is not a replay.</p> +</div> +</div> + + + </div> + </div> + </div> + </div> + <div class="sidebar"> + <h2>On this page</h2> + <ul> +<li><a class="reference internal" href="#">replay cache</a><ul> +<li><a class="reference internal" href="#background-information">Background information</a></li> +<li><a class="reference internal" href="#default-rcache-type">Default rcache type</a></li> +<li><a class="reference internal" href="#performance-issues">Performance issues</a></li> +</ul> +</li> +</ul> + + <br/> + <h2>Table of contents</h2> + <ul class="current"> +<li class="toctree-l1"><a class="reference internal" href="../user/index.html">For users</a></li> +<li class="toctree-l1"><a class="reference internal" href="../admin/index.html">For administrators</a></li> +<li class="toctree-l1"><a class="reference internal" href="../appdev/index.html">For application developers</a></li> +<li class="toctree-l1"><a class="reference internal" href="../plugindev/index.html">For plugin module developers</a></li> +<li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li> +<li class="toctree-l1 current"><a class="reference internal" href="index.html">Kerberos V5 concepts</a><ul class="current"> +<li class="toctree-l2"><a class="reference internal" href="ccache_def.html">Credential cache</a></li> +<li class="toctree-l2"><a class="reference internal" href="keytab_def.html">keytab</a></li> +<li class="toctree-l2 current"><a class="current reference internal" href="">replay cache</a><ul class="simple"> +</ul> +</li> +<li class="toctree-l2"><a class="reference internal" href="stash_file_def.html">stash file</a></li> +<li class="toctree-l2"><a class="reference internal" href="date_format.html">Supported date and time formats</a></li> +</ul> +</li> +<li class="toctree-l1"><a class="reference internal" href="../formats/index.html">Protocols and file formats</a></li> +<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li> +<li class="toctree-l1"><a class="reference internal" href="../build_this.html">How to build this documentation from the source</a></li> +<li class="toctree-l1"><a class="reference internal" href="../about.html">Contributing to the MIT Kerberos Documentation</a></li> +<li class="toctree-l1"><a class="reference internal" href="../resources.html">Resources</a></li> +</ul> + + <br/> + <h4><a href="../index.html">Full Table of Contents</a></h4> + <h4>Search</h4> + <form class="search" action="../search.html" method="get"> + <input type="text" name="q" size="18" /> + <input type="submit" value="Go" /> + <input type="hidden" name="check_keywords" value="yes" /> + <input type="hidden" name="area" value="default" /> + </form> + </div> + <div class="clearer"></div> + </div> + </div> + + <div class="footer-wrapper"> + <div class="footer" > + <div class="right" ><i>Release: 1.15.1</i><br /> + © <a href="../copyright.html">Copyright</a> 1985-2017, MIT. + </div> + <div class="left"> + + <a href="../index.html" title="Full Table of Contents" + >Contents</a> | + <a href="keytab_def.html" title="keytab" + >previous</a> | + <a href="stash_file_def.html" title="stash file" + >next</a> | + <a href="../genindex.html" title="General Index" + >index</a> | + <a href="../search.html" title="Enter search criteria" + >Search</a> | + <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__replay cache">feedback</a> + </div> + </div> + </div> + + </body> +</html>
\ No newline at end of file |