1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
|
.TH "KRB5.CONF" "5" " " "1.12" "MIT Kerberos"
.SH NAME
krb5.conf \- Kerberos configuration file
.
.nr rst2man-indent-level 0
.
.de1 rstReportMargin
\\$1 \\n[an-margin]
level \\n[rst2man-indent-level]
level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
-
\\n[rst2man-indent0]
\\n[rst2man-indent1]
\\n[rst2man-indent2]
..
.de1 INDENT
.\" .rstReportMargin pre:
. RS \\$1
. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
. nr rst2man-indent-level +1
.\" .rstReportMargin post:
..
.de UNINDENT
. RE
.\" indent \\n[an-margin]
.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
.nr rst2man-indent-level -1
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
.\" Man page generated from reStructuredText.
.
.sp
The krb5.conf file contains Kerberos configuration information,
including the locations of KDCs and admin servers for the Kerberos
realms of interest, defaults for the current realm and for Kerberos
applications, and mappings of hostnames onto Kerberos realms.
Normally, you should install your krb5.conf file in the directory
\fB/etc\fP. You can override the default location by setting the
environment variable \fBKRB5_CONFIG\fP.
.SH STRUCTURE
.sp
The krb5.conf file is set up in the style of a Windows INI file.
Sections are headed by the section name, in square brackets. Each
section may contain zero or more relations, of the form:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
foo = bar
.ft P
.fi
.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
.B or
.sp
.nf
.ft C
fubar = {
foo = bar
baz = quux
}
.ft P
.fi
.UNINDENT
.sp
Placing a \(aq*\(aq at the end of a line indicates that this is the \fIfinal\fP
value for the tag. This means that neither the remainder of this
configuration file nor any other configuration file will be checked
for any other values for this tag.
.INDENT 0.0
.TP
.B For example, if you have the following lines:
.sp
.nf
.ft C
foo = bar*
foo = baz
.ft P
.fi
.UNINDENT
.sp
then the second value of \fBfoo\fP (\fBbaz\fP) would never be read.
.sp
The krb5.conf file can include other files using either of the
following directives at the beginning of a line:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
include FILENAME
includedir DIRNAME
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
\fIFILENAME\fP or \fIDIRNAME\fP should be an absolute path. The named file or
directory must exist and be readable. Including a directory includes
all files within the directory whose names consist solely of
alphanumeric characters, dashes, or underscores. Included profile
files are syntactically independent of their parents, so each included
file must begin with a section header.
.sp
The krb5.conf file can specify that configuration should be obtained
from a loadable module, rather than the file itself, using the
following directive at the beginning of a line before any section
headers:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
module MODULEPATH:RESIDUAL
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
\fIMODULEPATH\fP may be relative to the library path of the krb5
installation, or it may be an absolute path. \fIRESIDUAL\fP is provided
to the module at initialization time. If krb5.conf uses a module
directive, \fIkdc.conf(5)\fP should also use one if it exists.
.SH SECTIONS
.sp
The krb5.conf file may contain the following sections:
.TS
center;
|l|l|.
_
T{
\fI\%[libdefaults]\fP
T} T{
Settings used by the Kerberos V5 library
T}
_
T{
\fI\%[realms]\fP
T} T{
Realm\-specific contact information and settings
T}
_
T{
\fI\%[domain_realm]\fP
T} T{
Maps server hostnames to Kerberos realms
T}
_
T{
\fI\%[capaths]\fP
T} T{
Authentication paths for non\-hierarchical cross\-realm
T}
_
T{
\fI\%[appdefaults]\fP
T} T{
Settings used by some Kerberos V5 applications
T}
_
T{
\fI\%[plugins]\fP
T} T{
Controls plugin module registration
T}
_
.TE
.sp
Additionally, krb5.conf may include any of the relations described in
\fIkdc.conf(5)\fP, but it is not a recommended practice.
.SS [libdefaults]
.sp
The libdefaults section may contain any of the following relations:
.INDENT 0.0
.TP
.B \fBallow_weak_crypto\fP
If this flag is set to false, then weak encryption types will be
filtered out of the previous three lists (as noted in
\fIEncryption_and_salt_types\fP in \fIkdc.conf(5)\fP). The
default value for this tag is false, which may cause
authentication failures in existing Kerberos infrastructures that
do not support strong crypto. Users in affected environments
should set this tag to true until their infrastructure adopts
stronger ciphers.
.TP
.B \fBap_req_checksum_type\fP
An integer which specifies the type of AP\-REQ checksum to use in
authenticators. This variable should be unset so the appropriate
checksum for the encryption key in use will be used. This can be
set if backward compatibility requires a specific checksum type.
See the \fBkdc_req_checksum_type\fP configuration option for the
possible values and their meanings.
.TP
.B \fBcanonicalize\fP
If this flag is set to true, initial ticket requests to the KDC
will request canonicalization of the client principal name, and
answers with different client principals than the requested
principal will be accepted. The default value is false.
.TP
.B \fBccache_type\fP
This parameter determines the format of credential cache types
created by \fIkinit(1)\fP or other programs. The default value
is 4, which represents the most current format. Smaller values
can be used for compatibility with very old implementations of
Kerberos which interact with credential caches on the same host.
.TP
.B \fBclockskew\fP
Sets the maximum allowable amount of clockskew in seconds that the
library will tolerate before assuming that a Kerberos message is
invalid. The default value is 300 seconds, or five minutes.
.TP
.B \fBdefault_ccache_name\fP
This relation specifies the name of the default credential cache.
The default is \fB@CCNAME@\fP. This relation is subject to parameter
expansion (see below).
.TP
.B \fBdefault_client_keytab_name\fP
This relation specifies the name of the default keytab for
obtaining client credentials. The default is \fB@CKTNAME@\fP. This
relation is subject to parameter expansion (see below).
.TP
.B \fBdefault_keytab_name\fP
This relation specifies the default keytab name to be used by
application servers such as sshd. The default is \fB@KTNAME@\fP. This
relation is subject to parameter expansion (see below).
.TP
.B \fBdefault_realm\fP
Identifies the default Kerberos realm for the client. Set its
value to your Kerberos realm. If this value is not set, then a
realm must be specified with every Kerberos principal when
invoking programs such as \fIkinit(1)\fP.
.TP
.B \fBdefault_tgs_enctypes\fP
Identifies the supported list of session key encryption types that
should be returned by the KDC, in order of preference from
highest to lowest. The list may be delimited with commas or
whitespace. See \fIEncryption_and_salt_types\fP in
\fIkdc.conf(5)\fP for a list of the accepted values for this tag.
The default value is \fBaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 des3\-cbc\-sha1 arcfour\-hmac\-md5 camellia256\-cts\-cmac camellia128\-cts\-cmac des\-cbc\-crc des\-cbc\-md5 des\-cbc\-md4\fP, but single\-DES encryption types
will be implicitly removed from this list if the value of
\fBallow_weak_crypto\fP is false.
.TP
.B \fBdefault_tkt_enctypes\fP
Identifies the supported list of session key encryption types that
should be requested by the client, in order of preference from
highest to lowest. The format is the same as for
default_tgs_enctypes. The default value for this tag is
\fBaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 des3\-cbc\-sha1 arcfour\-hmac\-md5 camellia256\-cts\-cmac camellia128\-cts\-cmac des\-cbc\-crc des\-cbc\-md5 des\-cbc\-md4\fP, but single\-DES encryption types will be implicitly
removed from this list if the value of \fBallow_weak_crypto\fP is
false.
.TP
.B \fBdns_lookup_kdc\fP
Indicate whether DNS SRV records should be used to locate the KDCs
and other servers for a realm, if they are not listed in the
krb5.conf information for the realm. (Note that the admin_server
entry must be in the krb5.conf realm information in order to
contact kadmind, because the DNS implementation for kadmin is
incomplete.)
.sp
Enabling this option does open up a type of denial\-of\-service
attack, if someone spoofs the DNS records and redirects you to
another server. However, it\(aqs no worse than a denial of service,
because that fake KDC will be unable to decode anything you send
it (besides the initial ticket request, which has no encrypted
data), and anything the fake KDC sends will not be trusted without
verification using some secret that it won\(aqt know.
.TP
.B \fBextra_addresses\fP
This allows a computer to use multiple local addresses, in order
to allow Kerberos to work in a network that uses NATs while still
using address\-restricted tickets. The addresses should be in a
comma\-separated list. This option has no effect if
\fBnoaddresses\fP is true.
.TP
.B \fBforwardable\fP
If this flag is true, initial tickets will be forwardable by
default, if allowed by the KDC. The default value is false.
.TP
.B \fBignore_acceptor_hostname\fP
When accepting GSSAPI or krb5 security contexts for host\-based
service principals, ignore any hostname passed by the calling
application, and allow clients to authenticate to any service
principal in the keytab matching the service name and realm name
(if given). This option can improve the administrative
flexibility of server applications on multihomed hosts, but could
compromise the security of virtual hosting environments. The
default value is false.
.TP
.B \fBk5login_authoritative\fP
If this flag is true, principals must be listed in a local user\(aqs
k5login file to be granted login access, if a \fI.k5login(5)\fP
file exists. If this flag is false, a principal may still be
granted login access through other mechanisms even if a k5login
file exists but does not list the principal. The default value is
true.
.TP
.B \fBk5login_directory\fP
If set, the library will look for a local user\(aqs k5login file
within the named directory, with a filename corresponding to the
local username. If not set, the library will look for k5login
files in the user\(aqs home directory, with the filename .k5login.
For security reasons, .k5login files must be owned by
the local user or by root.
.TP
.B \fBkdc_default_options\fP
Default KDC options (Xored for multiple values) when requesting
initial tickets. By default it is set to 0x00000010
(KDC_OPT_RENEWABLE_OK).
.TP
.B \fBkdc_timesync\fP
Accepted values for this relation are 1 or 0. If it is nonzero,
client machines will compute the difference between their time and
the time returned by the KDC in the timestamps in the tickets and
use this value to correct for an inaccurate system clock when
requesting service tickets or authenticating to services. This
corrective factor is only used by the Kerberos library; it is not
used to change the system clock. The default value is 1.
.TP
.B \fBkdc_req_checksum_type\fP
An integer which specifies the type of checksum to use for the KDC
requests, for compatibility with very old KDC implementations.
This value is only used for DES keys; other keys use the preferred
checksum type for those keys.
.sp
The possible values and their meanings are as follows.
.TS
center;
|l|l|.
_
T{
1
T} T{
CRC32
T}
_
T{
2
T} T{
RSA MD4
T}
_
T{
3
T} T{
RSA MD4 DES
T}
_
T{
4
T} T{
DES CBC
T}
_
T{
7
T} T{
RSA MD5
T}
_
T{
8
T} T{
RSA MD5 DES
T}
_
T{
9
T} T{
NIST SHA
T}
_
T{
12
T} T{
HMAC SHA1 DES3
T}
_
T{
\-138
T} T{
Microsoft MD5 HMAC checksum type
T}
_
.TE
.TP
.B \fBnoaddresses\fP
If this flag is true, requests for initial tickets will not be
made with address restrictions set, allowing the tickets to be
used across NATs. The default value is true.
.TP
.B \fBpermitted_enctypes\fP
Identifies all encryption types that are permitted for use in
session key encryption. The default value for this tag is
\fBaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 des3\-cbc\-sha1 arcfour\-hmac\-md5 camellia256\-cts\-cmac camellia128\-cts\-cmac des\-cbc\-crc des\-cbc\-md5 des\-cbc\-md4\fP, but single\-DES encryption types will be implicitly
removed from this list if the value of \fBallow_weak_crypto\fP is
false.
.TP
.B \fBplugin_base_dir\fP
If set, determines the base directory where krb5 plugins are
located. The default value is the \fBkrb5/plugins\fP subdirectory
of the krb5 library directory.
.TP
.B \fBpreferred_preauth_types\fP
This allows you to set the preferred preauthentication types which
the client will attempt before others which may be advertised by a
KDC. The default value for this setting is "17, 16, 15, 14",
which forces libkrb5 to attempt to use PKINIT if it is supported.
.TP
.B \fBproxiable\fP
If this flag is true, initial tickets will be proxiable by
default, if allowed by the KDC. The default value is false.
.TP
.B \fBrdns\fP
If this flag is true, reverse name lookup will be used in addition
to forward name lookup to canonicalizing hostnames for use in
service principal names. The default value is true.
.TP
.B \fBrealm_try_domains\fP
Indicate whether a host\(aqs domain components should be used to
determine the Kerberos realm of the host. The value of this
variable is an integer: \-1 means not to search, 0 means to try the
host\(aqs domain itself, 1 means to also try the domain\(aqs immediate
parent, and so forth. The library\(aqs usual mechanism for locating
Kerberos realms is used to determine whether a domain is a valid
realm, which may involve consulting DNS if \fBdns_lookup_kdc\fP is
set. The default is not to search domain components.
.TP
.B \fBrenew_lifetime\fP
(\fIduration\fP string.) Sets the default renewable lifetime
for initial ticket requests. The default value is 0.
.TP
.B \fBsafe_checksum_type\fP
An integer which specifies the type of checksum to use for the
KRB\-SAFE requests. By default it is set to 8 (RSA MD5 DES). For
compatibility with applications linked against DCE version 1.1 or
earlier Kerberos libraries, use a value of 3 to use the RSA MD4
DES instead. This field is ignored when its value is incompatible
with the session key type. See the \fBkdc_req_checksum_type\fP
configuration option for the possible values and their meanings.
.TP
.B \fBticket_lifetime\fP
(\fIduration\fP string.) Sets the default lifetime for initial
ticket requests. The default value is 1 day.
.TP
.B \fBudp_preference_limit\fP
When sending a message to the KDC, the library will try using TCP
before UDP if the size of the message is above
\fBudp_preference_limit\fP. If the message is smaller than
\fBudp_preference_limit\fP, then UDP will be tried before TCP.
Regardless of the size, both protocols will be tried if the first
attempt fails.
.TP
.B \fBverify_ap_req_nofail\fP
If this flag is true, then an attempt to verify initial
credentials will fail if the client machine does not have a
keytab. The default value is false.
.UNINDENT
.SS [realms]
.sp
Each tag in the [realms] section of the file is the name of a Kerberos
realm. The value of the tag is a subsection with relations that
define the properties of that particular realm. For each realm, the
following tags may be specified in the realm\(aqs subsection:
.INDENT 0.0
.TP
.B \fBadmin_server\fP
Identifies the host where the administration server is running.
Typically, this is the master Kerberos server. This tag must be
given a value in order to communicate with the \fIkadmind(8)\fP
server for the realm.
.TP
.B \fBauth_to_local\fP
This tag allows you to set a general rule for mapping principal
names to local user names. It will be used if there is not an
explicit mapping for the principal name that is being
translated. The possible values are:
.INDENT 7.0
.TP
.B \fBRULE:\fP\fIexp\fP
The local name will be formulated from \fIexp\fP.
.sp
The format for \fIexp\fP is \fB[\fP\fIn\fP\fB:\fP\fIstring\fP\fB](\fP\fIregexp\fP\fB)s/\fP\fIpattern\fP\fB/\fP\fIreplacement\fP\fB/g\fP.
The integer \fIn\fP indicates how many components the target
principal should have. If this matches, then a string will be
formed from \fIstring\fP, substituting the realm of the principal
for \fB$0\fP and the \fIn\fP\(aqth component of the principal for
\fB$n\fP (e.g., if the principal was \fBjohndoe/admin\fP then
\fB[2:$2$1foo]\fP would result in the string
\fBadminjohndoefoo\fP). If this string matches \fIregexp\fP, then
the \fBs//[g]\fP substitution command will be run over the
string. The optional \fBg\fP will cause the substitution to be
global over the \fIstring\fP, instead of replacing only the first
match in the \fIstring\fP.
.TP
.B \fBDEFAULT\fP
The principal name will be used as the local user name. If
the principal has more than one component or is not in the
default realm, this rule is not applicable and the conversion
will fail.
.TP
.B For example:
.sp
.nf
.ft C
[realms]
ATHENA.MIT.EDU = {
auth_to_local = RULE:[2:$1](johndoe)s/^.*$/guest/
auth_to_local = RULE:[2:$1;$2](^.*;admin$)s/;admin$//
auth_to_local = RULE:[2:$2](^.*;root)s/^.*$/root/
auto_to_local = DEFAULT
}
.ft P
.fi
.UNINDENT
.sp
would result in any principal without \fBroot\fP or \fBadmin\fP as the
second component to be translated with the default rule. A
principal with a second component of \fBadmin\fP will become its
first component. \fBroot\fP will be used as the local name for any
principal with a second component of \fBroot\fP. The exception to
these two rules are any principals \fBjohndoe/*\fP, which will
always get the local name \fBguest\fP.
.TP
.B \fBauth_to_local_names\fP
This subsection allows you to set explicit mappings from principal
names to local user names. The tag is the mapping name, and the
value is the corresponding local user name.
.TP
.B \fBdefault_domain\fP
This tag specifies the domain used to expand hostnames when
translating Kerberos 4 service principals to Kerberos 5 principals
(for example, when converting \fBrcmd.hostname\fP to
\fBhost/hostname.domain\fP).
.TP
.B \fBkdc\fP
The name or address of a host running a KDC for that realm. An
optional port number, separated from the hostname by a colon, may
be included. If the name or address contains colons (for example,
if it is an IPv6 address), enclose it in square brackets to
distinguish the colon from a port separator. For your computer to
be able to communicate with the KDC for each realm, this tag must
be given a value in each realm subsection in the configuration
file, or there must be DNS SRV records specifying the KDCs.
.TP
.B \fBkpasswd_server\fP
Points to the server where all the password changes are performed.
If there is no such entry, the port 464 on the \fBadmin_server\fP
host will be tried.
.TP
.B \fBmaster_kdc\fP
Identifies the master KDC(s). Currently, this tag is used in only
one case: If an attempt to get credentials fails because of an
invalid password, the client software will attempt to contact the
master KDC, in case the user\(aqs password has just been changed, and
the updated database has not been propagated to the slave servers
yet.
.TP
.B \fBv4_instance_convert\fP
This subsection allows the administrator to configure exceptions
to the \fBdefault_domain\fP mapping rule. It contains V4 instances
(the tag name) which should be translated to some specific
hostname (the tag value) as the second component in a Kerberos V5
principal name.
.TP
.B \fBv4_realm\fP
This relation is used by the krb524 library routines when
converting a V5 principal name to a V4 principal name. It is used
when the V4 realm name and the V5 realm name are not the same, but
still share the same principal names and passwords. The tag value
is the Kerberos V4 realm name.
.UNINDENT
.SS [domain_realm]
.sp
The [domain_realm] section provides a translation from a domain name
or hostname to a Kerberos realm name. The tag name can be a host name
or domain name, where domain names are indicated by a prefix of a
period (\fB.\fP). The value of the relation is the Kerberos realm name
for that particular host or domain. The Kerberos realm may be
identified either in the \fI\%realms\fP section or using DNS SRV records.
Host names and domain names should be in lower case. For example:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
[domain_realm]
crash.mit.edu = TEST.ATHENA.MIT.EDU
.mit.edu = ATHENA.MIT.EDU
mit.edu = ATHENA.MIT.EDU
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
maps the host with the exact name \fBcrash.mit.edu\fP into the
TEST.ATHENA.MIT.EDU realm. The period prefix in \fB.mit.edu\fP denotes
that all systems in the \fBmit.edu\fP domain belong to
\fBATHENA.MIT.EDU\fP realm. The third entry maps the host \fBmit.edu\fP
itself to the \fBATHENA.MIT.EDU\fP realm.
.sp
If no translation entry applies to a hostname used for a service
principal for a service ticket request, the library will try to get a
referral to the appropriate realm from the client realm\(aqs KDC. If
that does not succeed, the host\(aqs realm is considered to be the
hostname\(aqs domain portion converted to uppercase, unless the
\fBrealm_try_domains\fP setting in [libdefaults] causes a different
parent domain to be used.
.SS [capaths]
.sp
In order to perform direct (non\-hierarchical) cross\-realm
authentication, configuration is needed to determine the
authentication paths between realms.
.sp
A client will use this section to find the authentication path between
its realm and the realm of the server. The server will use this
section to verify the authentication path used by the client, by
checking the transited field of the received ticket.
.sp
There is a tag for each participating client realm, and each tag has
subtags for each of the server realms. The value of the subtags is an
intermediate realm which may participate in the cross\-realm
authentication. The subtags may be repeated if there is more then one
intermediate realm. A value of "." means that the two realms share
keys directly, and no intermediate realms should be allowed to
participate.
.sp
Only those entries which will be needed on the client or the server
need to be present. A client needs a tag for its local realm with
subtags for all the realms of servers it will need to authenticate to.
A server needs a tag for each realm of the clients it will serve, with
a subtag of the server realm.
.sp
For example, \fBANL.GOV\fP, \fBPNL.GOV\fP, and \fBNERSC.GOV\fP all wish to
use the \fBES.NET\fP realm as an intermediate realm. ANL has a sub
realm of \fBTEST.ANL.GOV\fP which will authenticate with \fBNERSC.GOV\fP
but not \fBPNL.GOV\fP. The [capaths] section for \fBANL.GOV\fP systems
would look like this:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
[capaths]
ANL.GOV = {
TEST.ANL.GOV = .
PNL.GOV = ES.NET
NERSC.GOV = ES.NET
ES.NET = .
}
TEST.ANL.GOV = {
ANL.GOV = .
}
PNL.GOV = {
ANL.GOV = ES.NET
}
NERSC.GOV = {
ANL.GOV = ES.NET
}
ES.NET = {
ANL.GOV = .
}
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
The [capaths] section of the configuration file used on \fBNERSC.GOV\fP
systems would look like this:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
[capaths]
NERSC.GOV = {
ANL.GOV = ES.NET
TEST.ANL.GOV = ES.NET
TEST.ANL.GOV = ANL.GOV
PNL.GOV = ES.NET
ES.NET = .
}
ANL.GOV = {
NERSC.GOV = ES.NET
}
PNL.GOV = {
NERSC.GOV = ES.NET
}
ES.NET = {
NERSC.GOV = .
}
TEST.ANL.GOV = {
NERSC.GOV = ANL.GOV
NERSC.GOV = ES.NET
}
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
When a subtag is used more than once within a tag, clients will use
the order of values to determine the path. The order of values is not
important to servers.
.SS [appdefaults]
.sp
Each tag in the [appdefaults] section names a Kerberos V5 application
or an option that is used by some Kerberos V5 application[s]. The
value of the tag defines the default behaviors for that application.
.INDENT 0.0
.TP
.B For example:
.sp
.nf
.ft C
[appdefaults]
telnet = {
ATHENA.MIT.EDU = {
option1 = false
}
}
telnet = {
option1 = true
option2 = true
}
ATHENA.MIT.EDU = {
option2 = false
}
option2 = true
.ft P
.fi
.UNINDENT
.sp
The above four ways of specifying the value of an option are shown in
order of decreasing precedence. In this example, if telnet is running
in the realm EXAMPLE.COM, it should, by default, have option1 and
option2 set to true. However, a telnet program in the realm
\fBATHENA.MIT.EDU\fP should have \fBoption1\fP set to false and
\fBoption2\fP set to true. Any other programs in ATHENA.MIT.EDU should
have \fBoption2\fP set to false by default. Any programs running in
other realms should have \fBoption2\fP set to true.
.sp
The list of specifiable options for each application may be found in
that application\(aqs man pages. The application defaults specified here
are overridden by those specified in the \fI\%realms\fP section.
.SS [plugins]
.INDENT 0.0
.INDENT 3.5
.INDENT 0.0
.IP \(bu 2
\fI\%pwqual\fP interface
.IP \(bu 2
\fI\%kadm5_hook\fP interface
.IP \(bu 2
\fI\%clpreauth\fP and \fI\%kdcpreauth\fP interfaces
.UNINDENT
.UNINDENT
.UNINDENT
.sp
Tags in the [plugins] section can be used to register dynamic plugin
modules and to turn modules on and off. Not every krb5 pluggable
interface uses the [plugins] section; the ones that do are documented
here.
.sp
Each pluggable interface corresponds to a subsection of [plugins].
All subsections support the same tags:
.INDENT 0.0
.TP
.B \fBdisable\fP
This tag may have multiple values. If there are values for this
tag, then the named modules will be disabled for the pluggable
interface.
.TP
.B \fBenable_only\fP
This tag may have multiple values. If there are values for this
tag, then only the named modules will be enabled for the pluggable
interface.
.TP
.B \fBmodule\fP
This tag may have multiple values. Each value is a string of the
form \fBmodulename:pathname\fP, which causes the shared object
located at \fIpathname\fP to be registered as a dynamic module named
\fImodulename\fP for the pluggable interface. If \fIpathname\fP is not an
absolute path, it will be treated as relative to the
\fBplugin_base_dir\fP value from \fI\%[libdefaults]\fP.
.UNINDENT
.sp
The following subsections are currently supported within the [plugins]
section:
.SS ccselect interface
.sp
The ccselect subsection controls modules for credential cache
selection within a cache collection. In addition to any registered
dynamic modules, the following built\-in modules exist (and may be
disabled with the disable tag):
.INDENT 0.0
.TP
.B \fBk5identity\fP
Uses a .k5identity file in the user\(aqs home directory to select a
client principal
.TP
.B \fBrealm\fP
Uses the service realm to guess an appropriate cache from the
collection
.UNINDENT
.SS pwqual interface
.sp
The pwqual subsection controls modules for the password quality
interface, which is used to reject weak passwords when passwords are
changed. The following built\-in modules exist for this interface:
.INDENT 0.0
.TP
.B \fBdict\fP
Checks against the realm dictionary file
.TP
.B \fBempty\fP
Rejects empty passwords
.TP
.B \fBhesiod\fP
Checks against user information stored in Hesiod (only if Kerberos
was built with Hesiod support)
.TP
.B \fBprinc\fP
Checks against components of the principal name
.UNINDENT
.SS kadm5_hook interface
.sp
The kadm5_hook interface provides plugins with information on
principal creation, modification, password changes and deletion. This
interface can be used to write a plugin to synchronize MIT Kerberos
with another database such as Active Directory. No plugins are built
in for this interface.
.SS clpreauth and kdcpreauth interfaces
.sp
The clpreauth and kdcpreauth interfaces allow plugin modules to
provide client and KDC preauthentication mechanisms. The following
built\-in modules exist for these interfaces:
.INDENT 0.0
.TP
.B \fBpkinit\fP
This module implements the PKINIT preauthentication mechanism.
.TP
.B \fBencrypted_challenge\fP
This module implements the encrypted challenge FAST factor.
.TP
.B \fBencrypted_timestamp\fP
This module implements the encrypted timestamp mechanism.
.UNINDENT
.SH PKINIT OPTIONS
.IP Note
The following are PKINIT\-specific options. These values may
be specified in [libdefaults] as global defaults, or within
a realm\-specific subsection of [libdefaults], or may be
specified as realm\-specific values in the [realms] section.
A realm\-specific value overrides, not adds to, a generic
[libdefaults] specification. The search order is:
.RE
.INDENT 0.0
.IP 1. 3
realm\-specific subsection of [libdefaults]:
.INDENT 3.0
.INDENT 3.5
.sp
.nf
.ft C
[libdefaults]
EXAMPLE.COM = {
pkinit_anchors = FILE:/usr/local/example.com.crt
}
.ft P
.fi
.UNINDENT
.UNINDENT
.IP 2. 3
realm\-specific value in the [realms] section,
.INDENT 3.0
.INDENT 3.5
.sp
.nf
.ft C
[realms]
OTHERREALM.ORG = {
pkinit_anchors = FILE:/usr/local/otherrealm.org.crt
}
.ft P
.fi
.UNINDENT
.UNINDENT
.IP 3. 3
generic value in the [libdefaults] section.
.INDENT 3.0
.INDENT 3.5
.sp
.nf
.ft C
[libdefaults]
pkinit_anchors = DIR:/usr/local/generic_trusted_cas/
.ft P
.fi
.UNINDENT
.UNINDENT
.UNINDENT
.SS Specifying PKINIT identity information
.sp
The syntax for specifying Public Key identity, trust, and revocation
information for PKINIT is as follows:
.INDENT 0.0
.TP
.B \fBFILE:\fP\fIfilename\fP[\fB,\fP\fIkeyfilename\fP]
This option has context\-specific behavior.
.sp
In \fBpkinit_identity\fP or \fBpkinit_identities\fP, \fIfilename\fP
specifies the name of a PEM\-format file containing the user\(aqs
certificate. If \fIkeyfilename\fP is not specified, the user\(aqs
private key is expected to be in \fIfilename\fP as well. Otherwise,
\fIkeyfilename\fP is the name of the file containing the private key.
.sp
In \fBpkinit_anchors\fP or \fBpkinit_pool\fP, \fIfilename\fP is assumed to
be the name of an OpenSSL\-style ca\-bundle file.
.TP
.B \fBDIR:\fP\fIdirname\fP
This option has context\-specific behavior.
.sp
In \fBpkinit_identity\fP or \fBpkinit_identities\fP, \fIdirname\fP
specifies a directory with files named \fB*.crt\fP and \fB*.key\fP
where the first part of the file name is the same for matching
pairs of certificate and private key files. When a file with a
name ending with \fB.crt\fP is found, a matching file ending with
\fB.key\fP is assumed to contain the private key. If no such file
is found, then the certificate in the \fB.crt\fP is not used.
.sp
In \fBpkinit_anchors\fP or \fBpkinit_pool\fP, \fIdirname\fP is assumed to
be an OpenSSL\-style hashed CA directory where each CA cert is
stored in a file named \fBhash\-of\-ca\-cert.#\fP. This infrastructure
is encouraged, but all files in the directory will be examined and
if they contain certificates (in PEM format), they will be used.
.sp
In \fBpkinit_revoke\fP, \fIdirname\fP is assumed to be an OpenSSL\-style
hashed CA directory where each revocation list is stored in a file
named \fBhash\-of\-ca\-cert.r#\fP. This infrastructure is encouraged,
but all files in the directory will be examined and if they
contain a revocation list (in PEM format), they will be used.
.TP
.B \fBPKCS12:\fP\fIfilename\fP
\fIfilename\fP is the name of a PKCS #12 format file, containing the
user\(aqs certificate and private key.
.TP
.B \fBPKCS11:\fP[\fBmodule_name=\fP]\fImodname\fP[\fB:slotid=\fP\fIslot\-id\fP][\fB:token=\fP\fItoken\-label\fP][\fB:certid=\fP\fIcert\-id\fP][\fB:certlabel=\fP\fIcert\-label\fP]
All keyword/values are optional. \fImodname\fP specifies the location
of a library implementing PKCS #11. If a value is encountered
with no keyword, it is assumed to be the \fImodname\fP. If no
module\-name is specified, the default is \fBopensc\-pkcs11.so\fP.
\fBslotid=\fP and/or \fBtoken=\fP may be specified to force the use of
a particular smard card reader or token if there is more than one
available. \fBcertid=\fP and/or \fBcertlabel=\fP may be specified to
force the selection of a particular certificate on the device.
See the \fBpkinit_cert_match\fP configuration option for more ways
to select a particular certificate to use for PKINIT.
.TP
.B \fBENV:\fP\fIenvvar\fP
\fIenvvar\fP specifies the name of an environment variable which has
been set to a value conforming to one of the previous values. For
example, \fBENV:X509_PROXY\fP, where environment variable
\fBX509_PROXY\fP has been set to \fBFILE:/tmp/my_proxy.pem\fP.
.UNINDENT
.SS PKINIT krb5.conf options
.INDENT 0.0
.TP
.B \fBpkinit_anchors\fP
Specifies the location of trusted anchor (root) certificates which
the client trusts to sign KDC certificates. This option may be
specified multiple times. These values from the config file are
not used if the user specifies X509_anchors on the command line.
.TP
.B \fBpkinit_cert_match\fP
Specifies matching rules that the client certificate must match
before it is used to attempt PKINIT authentication. If a user has
multiple certificates available (on a smart card, or via other
media), there must be exactly one certificate chosen before
attempting PKINIT authentication. This option may be specified
multiple times. All the available certificates are checked
against each rule in order until there is a match of exactly one
certificate.
.sp
The Subject and Issuer comparison strings are the \fI\%RFC 2253\fP
string representations from the certificate Subject DN and Issuer
DN values.
.sp
The syntax of the matching rules is:
.INDENT 7.0
.INDENT 3.5
[\fIrelation\-operator\fP]\fIcomponent\-rule\fP ...
.UNINDENT
.UNINDENT
.sp
where:
.INDENT 7.0
.TP
.B \fIrelation\-operator\fP
can be either \fB&&\fP, meaning all component rules must match,
or \fB||\fP, meaning only one component rule must match. The
default is \fB&&\fP.
.TP
.B \fIcomponent\-rule\fP
can be one of the following. Note that there is no
punctuation or whitespace between component rules.
.INDENT 7.0
.INDENT 3.5
.nf
\fB<SUBJECT>\fP\fIregular\-expression\fP
\fB<ISSUER>\fP\fIregular\-expression\fP
\fB<SAN>\fP\fIregular\-expression\fP
\fB<EKU>\fP\fIextended\-key\-usage\-list\fP
\fB<KU>\fP\fIkey\-usage\-list\fP
.fi
.sp
.UNINDENT
.UNINDENT
.sp
\fIextended\-key\-usage\-list\fP is a comma\-separated list of
required Extended Key Usage values. All values in the list
must be present in the certificate. Extended Key Usage values
can be:
.INDENT 7.0
.IP \(bu 2
pkinit
.IP \(bu 2
msScLogin
.IP \(bu 2
clientAuth
.IP \(bu 2
emailProtection
.UNINDENT
.sp
\fIkey\-usage\-list\fP is a comma\-separated list of required Key
Usage values. All values in the list must be present in the
certificate. Key Usage values can be:
.INDENT 7.0
.IP \(bu 2
digitalSignature
.IP \(bu 2
keyEncipherment
.UNINDENT
.UNINDENT
.sp
Examples:
.INDENT 7.0
.INDENT 3.5
.sp
.nf
.ft C
pkinit_cert_match = ||<SUBJECT>.*DoE.*<SAN>.*@EXAMPLE.COM
pkinit_cert_match = &&<EKU>msScLogin,clientAuth<ISSUER>.*DoE.*
pkinit_cert_match = <EKU>msScLogin,clientAuth<KU>digitalSignature
.ft P
.fi
.UNINDENT
.UNINDENT
.TP
.B \fBpkinit_eku_checking\fP
This option specifies what Extended Key Usage value the KDC
certificate presented to the client must contain. (Note that if
the KDC certificate has the pkinit SubjectAlternativeName encoded
as the Kerberos TGS name, EKU checking is not necessary since the
issuing CA has certified this as a KDC certificate.) The values
recognized in the krb5.conf file are:
.INDENT 7.0
.TP
.B \fBkpKDC\fP
This is the default value and specifies that the KDC must have
the id\-pkinit\-KPKdc EKU as defined in \fI\%RFC 4556\fP.
.TP
.B \fBkpServerAuth\fP
If \fBkpServerAuth\fP is specified, a KDC certificate with the
id\-kp\-serverAuth EKU as used by Microsoft will be accepted.
.TP
.B \fBnone\fP
If \fBnone\fP is specified, then the KDC certificate will not be
checked to verify it has an acceptable EKU. The use of this
option is not recommended.
.UNINDENT
.TP
.B \fBpkinit_dh_min_bits\fP
Specifies the size of the Diffie\-Hellman key the client will
attempt to use. The acceptable values are 1024, 2048, and 4096.
The default is 2048.
.TP
.B \fBpkinit_identities\fP
Specifies the location(s) to be used to find the user\(aqs X.509
identity information. This option may be specified multiple
times. Each value is attempted in order until identity
information is found and authentication is attempted. Note that
these values are not used if the user specifies
\fBX509_user_identity\fP on the command line.
.TP
.B \fBpkinit_kdc_hostname\fP
The presense of this option indicates that the client is willing
to accept a KDC certificate with a dNSName SAN (Subject
Alternative Name) rather than requiring the id\-pkinit\-san as
defined in \fI\%RFC 4556\fP. This option may be specified multiple
times. Its value should contain the acceptable hostname for the
KDC (as contained in its certificate).
.TP
.B \fBpkinit_longhorn\fP
If this flag is set to true, we are talking to the Longhorn KDC.
.TP
.B \fBpkinit_pool\fP
Specifies the location of intermediate certificates which may be
used by the client to complete the trust chain between a KDC
certificate and a trusted anchor. This option may be specified
multiple times.
.TP
.B \fBpkinit_require_crl_checking\fP
The default certificate verification process will always check the
available revocation information to see if a certificate has been
revoked. If a match is found for the certificate in a CRL,
verification fails. If the certificate being verified is not
listed in a CRL, or there is no CRL present for its issuing CA,
and \fBpkinit_require_crl_checking\fP is false, then verification
succeeds.
.sp
However, if \fBpkinit_require_crl_checking\fP is true and there is
no CRL information available for the issuing CA, then verification
fails.
.sp
\fBpkinit_require_crl_checking\fP should be set to true if the
policy is such that up\-to\-date CRLs must be present for every CA.
.TP
.B \fBpkinit_revoke\fP
Specifies the location of Certificate Revocation List (CRL)
information to be used by the client when verifying the validity
of the KDC certificate presented. This option may be specified
multiple times.
.TP
.B \fBpkinit_win2k\fP
This flag specifies whether the target realm is assumed to support
only the old, pre\-RFC version of the protocol. The default is
false.
.TP
.B \fBpkinit_win2k_require_binding\fP
If this flag is set to true, it expects that the target KDC is
patched to return a reply with a checksum rather than a nonce.
The default is false.
.UNINDENT
.SH PARAMETER EXPANSION
.sp
Several variables, such as \fBdefault_keytab_name\fP, allow parameters
to be expanded. Valid parameters are:
.INDENT 0.0
.INDENT 3.5
.TS
center;
|l|l|.
_
T{
%{TEMP}
T} T{
Temporary directory
T}
_
T{
%{uid}
T} T{
Unix real UID or Windows SID
T}
_
T{
%{euid}
T} T{
Unix effective user ID or Windows SID
T}
_
T{
%{USERID}
T} T{
Same as %{uid}
T}
_
T{
%{null}
T} T{
Empty string
T}
_
T{
%{LIBDIR}
T} T{
Installation library directory
T}
_
T{
%{BINDIR}
T} T{
Installation binary directory
T}
_
T{
%{SBINDIR}
T} T{
Installation admin binary directory
T}
_
T{
%{username}
T} T{
(Unix) Username of effective user ID
T}
_
T{
%{APPDATA}
T} T{
(Windows) Roaming application data for current user
T}
_
T{
%{COMMON_APPDATA}
T} T{
(Windows) Application data for all users
T}
_
T{
%{LOCAL_APPDATA}
T} T{
(Windows) Local application data for current user
T}
_
T{
%{SYSTEM}
T} T{
(Windows) Windows system folder
T}
_
T{
%{WINDOWS}
T} T{
(Windows) Windows folder
T}
_
T{
%{USERCONFIG}
T} T{
(Windows) Per\-user MIT krb5 config file directory
T}
_
T{
%{COMMONCONFIG}
T} T{
(Windows) Common MIT krb5 config file directory
T}
_
.TE
.UNINDENT
.UNINDENT
.SH SAMPLE KRB5.CONF FILE
.sp
Here is an example of a generic krb5.conf file:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
[libdefaults]
default_realm = ATHENA.MIT.EDU
default_tkt_enctypes = des3\-hmac\-sha1 des\-cbc\-crc
default_tgs_enctypes = des3\-hmac\-sha1 des\-cbc\-crc
dns_lookup_kdc = true
dns_lookup_realm = false
[realms]
ATHENA.MIT.EDU = {
kdc = kerberos.mit.edu
kdc = kerberos\-1.mit.edu
kdc = kerberos\-2.mit.edu:750
admin_server = kerberos.mit.edu
master_kdc = kerberos.mit.edu
default_domain = mit.edu
}
EXAMPLE.COM = {
kdc = kerberos.example.com
kdc = kerberos\-1.example.com
admin_server = kerberos.example.com
}
[domain_realm]
.mit.edu = ATHENA.MIT.EDU
mit.edu = ATHENA.MIT.EDU
[capaths]
ATHENA.MIT.EDU = {
EXAMPLE.COM = .
}
EXAMPLE.COM = {
ATHENA.MIT.EDU = .
}
.ft P
.fi
.UNINDENT
.UNINDENT
.SH FILES
.sp
\fB/etc/krb5.conf\fP
.SH SEE ALSO
.sp
syslog(3)
.SH AUTHOR
MIT
.SH COPYRIGHT
2012, MIT
.\" Generated by docutils manpage writer.
.
|