| author | Nalin Dahyabhai <nalin@dahyabhai.net> | 2014-04-17 17:17:13 -0400 |
|---|---|---|
| committer | Greg Hudson <ghudson@mit.edu> | 2014-06-02 18:09:47 -0400 |
| commit | f220067c2969aab107bd1300ad1cb8d4855389a7 (patch) | |
| tree | 169dadfa34b5fdd4e0635cef321150b0e1240973 /doc | |
| parent | d950809ff49e3e7603594186d77135a09ab6b1b2 (diff) | |
Load custom anchors when using KKDCP
Add an http_anchors per-realm setting which we'll apply when using an
HTTPS proxy, more or less mimicking the syntax of its similarly-named
PKINIT counterpart. We only check the [realms] section, though.
ticket: 7929
Diffstat (limited to 'doc')

| -rw-r--r-- | doc/admin/conf_files/krb5_conf.rst | 26 |
|---|---|---|

1 files changed, 26 insertions, 0 deletions
diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst index 19ea9c904..c0693278d 100644 --- a/doc/admin/conf_files/krb5_conf.rst +++ b/doc/admin/conf_files/krb5_conf.rst @@ -428,6 +428,32 @@ following tags may be specified in the realm's subsection: (for example, when converting ``rcmd.hostname`` to ``host/hostname.domain``). +**http_anchors** + When KDCs and kpasswd servers are accessed through HTTPS proxies, this tag + can be used to specify the location of the CA certificate which should be + trusted to issue the certificate for a proxy server. If left unspecified, + the system-wide default set of CA certificates is used. + + The syntax for values is similar to that of values for the + **pkinit_anchors** tag: + + **FILE:** *filename* + + *filename* is assumed to be the name of an OpenSSL-style ca-bundle file. + + **DIR:** *dirname* + + *dirname* is assumed to be an directory which contains CA certificates. + All files in the directory will be examined; if they contain certificates + (in PEM format), they will be used. + + **ENV:** *envvar* + + *envvar* specifies the name of an environment variable which has been set + to a value conforming to one of the previous values. For example, + ``ENV:X509_PROXY_CA``, where environment variable ``X509_PROXY_CA`` has + been set to ``FILE:/tmp/my_proxy.pem``. + **kdc** The name or address of a host running a KDC for that realm. An optional port number, separated from the hostname by a colon, may |
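Review bot: the new **http_anchors** text says what happens when the tag is left unset (the system-wide CA set is used) but not what happens when it is set and the anchors cannot be loaded (missing file, a DIR: with no usable PEM files, an ENV: variable that is unset); please state whether the proxy connection then fails or falls back to the system store, because a silent fallback would undo the trust pinning this tag exists to provide. Two smaller points in the same hunk: the DIR: entry reads "an directory" (should be "a directory"), and the ENV: example `FILE:/tmp/my_proxy.pem` models a trust anchor living in a world-writable directory, which is a poor pattern for admin docs to show; a path under `/etc` would read better. Also consider noting in the doc what the commit message already says, that the tag is honored only in the [realms] subsection.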