path: root/src/man/sssd-krb5.5.xml
Diffstat (limited to 'src/man/sssd-krb5.5.xml')
-rw-r--r-- src/man/sssd-krb5.5.xml | 23
1 files changed, 17 insertions, 6 deletions
diff --git a/src/man/sssd-krb5.5.xml b/src/man/sssd-krb5.5.xml
index df124b4d..720f39b7 100644
--- a/src/man/sssd-krb5.5.xml
+++ b/src/man/sssd-krb5.5.xml
@@ -158,12 +158,15 @@
<term>krb5_ccname_template (string)</term>
<listitem>
<para>
- Location of the user's credential cache. Two credential
- cache types are currently supported: <quote>FILE</quote>
- and <quote>DIR</quote>. The cache can be specified either
- as <replaceable>TYPE:RESIDUAL</replaceable>, or as an absolute
- path, which implies the <quote>FILE</quote> type. In the
- template, the following sequences are substituted:
+ Location of the user's credential cache. Three
+ credential cache types are currently supported:
+ <quote>FILE</quote>, <quote>DIR</quote> and
+ <quote>KEYRING:persistent</quote>. The cache can
+ be specified either as
+ <replaceable>TYPE:RESIDUAL</replaceable>, or as an
+ absolute path, which implies the
+ <quote>FILE</quote> type. In the template, the
+ following sequences are substituted:
<variablelist>
<varlistentry>
<term>%u</term>
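Review bot: The rewritten first sentence lists "KEYRING:persistent" as a credential cache type alongside FILE and DIR, but the next sentence defines the format as TYPE:RESIDUAL, under which KEYRING is the type and "persistent" belongs to the residual. Suggest naming the type as KEYRING in this list and stating separately that only the persistent form is supported, so the list of types and the TYPE:RESIDUAL description agree.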
@@ -209,6 +212,14 @@
used to create a unique filename in a safe way.
</para>
<para>
+ When using KEYRING types, the only supported
+ mechanism is <quote>KEYRING:persistent:%U</quote>,
+ which uses the Linux kernel keyring to store
+ credentials on a per-UID basis. This is also the
+ recommended choice, as it is the most secure and
+ predictable method.
+ </para>
+ <para>
Default: FILE:%d/krb5cc_%U_XXXXXX
</para>
</listitem>
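Review bot: The added paragraph calls KEYRING:persistent:%U "the most secure and predictable method" without giving a reason, and it sits directly above the unchanged line "Default: FILE:%d/krb5cc_%U_XXXXXX", so the page now recommends one value while defaulting to another. Suggest adding a sentence on what makes the per-UID keyring cache preferable to a FILE cache and noting that the default is not changed by this patch. Also, "When using KEYRING types" is plural although only one mechanism is supported; "the KEYRING type" would read more clearly.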