Diffstat (limited to 'crypto/krb5/doc/html/admin/conf_files/krb5_conf.html')
| -rw-r--r-- | crypto/krb5/doc/html/admin/conf_files/krb5_conf.html | 1350 |
1 files changed, 0 insertions, 1350 deletions
diff --git a/crypto/krb5/doc/html/admin/conf_files/krb5_conf.html b/crypto/krb5/doc/html/admin/conf_files/krb5_conf.html deleted file mode 100644 index f1438242431d..000000000000 --- a/crypto/krb5/doc/html/admin/conf_files/krb5_conf.html +++ /dev/null 
@@ -1,1350 +0,0 @@ -<!DOCTYPE html> - -<html lang="en" data-content_root="../../"> - <head> - <meta charset="utf-8" /> - <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" /> - - <title>krb5.conf — MIT Kerberos Documentation</title> - <link rel="stylesheet" type="text/css" href="../../_static/pygments.css?v=fa44fd50" /> - <link rel="stylesheet" type="text/css" href="../../_static/agogo.css?v=879f3c71" /> - <link rel="stylesheet" type="text/css" href="../../_static/kerb.css?v=6a0b3979" /> - <script src="../../_static/documentation_options.js?v=236fef3b"></script> - <script src="../../_static/doctools.js?v=888ff710"></script> - <script src="../../_static/sphinx_highlight.js?v=dc90522c"></script> - <link rel="author" title="About these documents" href="../../about.html" /> - <link rel="index" title="Index" href="../../genindex.html" /> - <link rel="search" title="Search" href="../../search.html" /> - <link rel="copyright" title="Copyright" href="../../copyright.html" /> - <link rel="next" title="kdc.conf" href="kdc_conf.html" /> - <link rel="prev" title="Configuration Files" href="index.html" /> - </head><body> - <div class="header-wrapper"> - <div class="header"> - - - <h1><a href="../../index.html">MIT Kerberos Documentation</a></h1> - - <div class="rel"> - - <a href="../../index.html" title="Full Table of Contents" - accesskey="C">Contents</a> | - <a href="index.html" title="Configuration Files" - accesskey="P">previous</a> | - <a href="kdc_conf.html" title="kdc.conf" - accesskey="N">next</a> | - <a href="../../genindex.html" title="General Index" - accesskey="I">index</a> | - <a href="../../search.html" title="Enter search criteria" - accesskey="S">Search</a> | - <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__krb5.conf">feedback</a> - </div> - </div> - </div> - - <div class="content-wrapper"> - <div class="content"> - <div class="document"> - - <div 
class="documentwrapper"> - <div class="bodywrapper"> - <div class="body" role="main"> - - <section id="krb5-conf"> -<span id="krb5-conf-5"></span><h1>krb5.conf<a class="headerlink" href="#krb5-conf" title="Link to this heading">¶</a></h1> -<p>The krb5.conf file contains Kerberos configuration information, -including the locations of KDCs and admin servers for the Kerberos -realms of interest, defaults for the current realm and for Kerberos -applications, and mappings of hostnames onto Kerberos realms. -Normally, you should install your krb5.conf file in the directory -<code class="docutils literal notranslate"><span class="pre">/etc</span></code>. You can override the default location by setting the -environment variable <strong>KRB5_CONFIG</strong>. Multiple colon-separated -filenames may be specified in <strong>KRB5_CONFIG</strong>; all files which are -present will be read. Starting in release 1.14, directory names can -also be specified in <strong>KRB5_CONFIG</strong>; all files within the directory -whose names consist solely of alphanumeric characters, dashes, or -underscores will be read.</p> -<section id="structure"> -<h2>Structure<a class="headerlink" href="#structure" title="Link to this heading">¶</a></h2> -<p>The krb5.conf file is set up in the style of a Windows INI file. -Lines beginning with ‘#’ or ‘;’ (possibly after initial whitespace) -are ignored as comments. Sections are headed by the section name, in -square brackets. 
Each section may contain zero or more relations, of -the form:</p> -<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">foo</span> <span class="o">=</span> <span class="n">bar</span> -</pre></div> -</div> -<p>or:</p> -<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">fubar</span> <span class="o">=</span> <span class="p">{</span> - <span class="n">foo</span> <span class="o">=</span> <span class="n">bar</span> - <span class="n">baz</span> <span class="o">=</span> <span class="n">quux</span> -<span class="p">}</span> -</pre></div> -</div> -<p>The krb5.conf file can include other files using either of the -following directives at the beginning of a line:</p> -<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">include</span> <span class="n">FILENAME</span> -<span class="n">includedir</span> <span class="n">DIRNAME</span> -</pre></div> -</div> -<p><em>FILENAME</em> or <em>DIRNAME</em> should be an absolute path. The named file or -directory must exist and be readable. Including a directory includes -all files within the directory whose names consist solely of -alphanumeric characters, dashes, or underscores. Starting in release -1.15, files with names ending in “.conf” are also included, unless the -name begins with “.”. Included profile files are syntactically -independent of their parents, so each included file must begin with a -section header. Starting in release 1.17, files are read in -alphanumeric order; in previous releases, they may be read in any -order.</p> -<p>Placing a ‘*’ after the closing bracket of a section name indicates -that the section is <em>final</em>, meaning that if the same section appears -again later, it will be ignored. A subsection can be marked as final -by placing a ‘*’ after either the tag name or the closing brace. A -relation can be marked as final by placing a ‘*’ after the tag name. 
-Prior to release 1.22, only sections and subsections can be marked as -final, and the flag only causes values to be ignored if they appear in -later files specified in <strong>KRB5_CONFIG</strong>, not if they appear later -within the same file or an included file.</p> -<p>The krb5.conf file can specify that configuration should be obtained -from a loadable module, rather than the file itself, using the -following directive at the beginning of a line before any section -headers:</p> -<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">module</span> <span class="n">MODULEPATH</span><span class="p">:</span><span class="n">RESIDUAL</span> -</pre></div> -</div> -<p><em>MODULEPATH</em> may be relative to the library path of the krb5 -installation, or it may be an absolute path. <em>RESIDUAL</em> is provided -to the module at initialization time. If krb5.conf uses a module -directive, <a class="reference internal" href="kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a> should also use one if it exists.</p> -</section> -<section id="sections"> -<h2>Sections<a class="headerlink" href="#sections" title="Link to this heading">¶</a></h2> -<p>The krb5.conf file may contain the following sections:</p> -<table class="docutils align-default"> -<tbody> -<tr class="row-odd"><td><p><a class="reference internal" href="#libdefaults"><span class="std std-ref">[libdefaults]</span></a></p></td> -<td><p>Settings used by the Kerberos V5 library</p></td> -</tr> -<tr class="row-even"><td><p><a class="reference internal" href="#realms"><span class="std std-ref">[realms]</span></a></p></td> -<td><p>Realm-specific contact information and settings</p></td> -</tr> -<tr class="row-odd"><td><p><a class="reference internal" href="#domain-realm"><span class="std std-ref">[domain_realm]</span></a></p></td> -<td><p>Maps server hostnames to Kerberos realms</p></td> -</tr> -<tr class="row-even"><td><p><a class="reference internal" 
href="#capaths"><span class="std std-ref">[capaths]</span></a></p></td> -<td><p>Authentication paths for non-hierarchical cross-realm</p></td> -</tr> -<tr class="row-odd"><td><p><a class="reference internal" href="#appdefaults"><span class="std std-ref">[appdefaults]</span></a></p></td> -<td><p>Settings used by some Kerberos V5 applications</p></td> -</tr> -<tr class="row-even"><td><p><a class="reference internal" href="#plugins"><span class="std std-ref">[plugins]</span></a></p></td> -<td><p>Controls plugin module registration</p></td> -</tr> -</tbody> -</table> -<p>Additionally, krb5.conf may include any of the relations described in -<a class="reference internal" href="kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>, but it is not a recommended practice.</p> -<section id="libdefaults"> -<span id="id1"></span><h3>[libdefaults]<a class="headerlink" href="#libdefaults" title="Link to this heading">¶</a></h3> -<p>The libdefaults section may contain any of the following relations:</p> -<dl> -<dt><strong>allow_des3</strong></dt><dd><p>Permit the KDC to issue tickets with des3-cbc-sha1 session keys. -In future releases, this flag will allow des3-cbc-sha1 to be used -at all. The default value for this tag is false. (Added in -release 1.21.)</p> -</dd> -<dt><strong>allow_rc4</strong></dt><dd><p>Permit the KDC to issue tickets with arcfour-hmac session keys. -In future releases, this flag will allow arcfour-hmac to be used -at all. The default value for this tag is false. 
(Added in -release 1.21.)</p> -</dd> -<dt><strong>allow_weak_crypto</strong></dt><dd><p>If this flag is set to false, then weak encryption types (as noted -in <a class="reference internal" href="kdc_conf.html#encryption-types"><span class="std std-ref">Encryption types</span></a> in <a class="reference internal" href="kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>) will be filtered -out of the lists <strong>default_tgs_enctypes</strong>, -<strong>default_tkt_enctypes</strong>, and <strong>permitted_enctypes</strong>. The default -value for this tag is false.</p> -</dd> -<dt><strong>canonicalize</strong></dt><dd><p>If this flag is set to true, initial ticket requests to the KDC -will request canonicalization of the client principal name, and -answers with different client principals than the requested -principal will be accepted. The default value is false.</p> -</dd> -<dt><strong>ccache_type</strong></dt><dd><p>This parameter determines the format of credential cache types -created by <a class="reference internal" href="../../user/user_commands/kinit.html#kinit-1"><span class="std std-ref">kinit</span></a> or other programs. The default value -is 4, which represents the most current format. Smaller values -can be used for compatibility with very old implementations of -Kerberos which interact with credential caches on the same host.</p> -</dd> -<dt><strong>clockskew</strong></dt><dd><p>Sets the maximum allowable amount of clockskew in seconds that the -library will tolerate before assuming that a Kerberos message is -invalid. The default value is 300 seconds, or five minutes.</p> -<p>The clockskew setting is also used when evaluating ticket start -and expiration times. 
For example, tickets that have reached -their expiration time can still be used (and renewed if they are -renewable tickets) if they have been expired for a shorter -duration than the <strong>clockskew</strong> setting.</p> -</dd> -<dt><strong>default_ccache_name</strong></dt><dd><p>This relation specifies the name of the default credential cache. -The default is <a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">DEFCCNAME</span></a>. This relation is subject to parameter -expansion (see below). New in release 1.11.</p> -</dd> -<dt><strong>default_client_keytab_name</strong></dt><dd><p>This relation specifies the name of the default keytab for -obtaining client credentials. The default is <a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">DEFCKTNAME</span></a>. This -relation is subject to parameter expansion (see below). -New in release 1.11.</p> -</dd> -<dt><strong>default_keytab_name</strong></dt><dd><p>This relation specifies the default keytab name to be used by -application servers such as sshd. The default is <a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">DEFKTNAME</span></a>. This -relation is subject to parameter expansion (see below).</p> -</dd> -<dt><strong>default_rcache_name</strong></dt><dd><p>This relation specifies the name of the default replay cache. -The default is <code class="docutils literal notranslate"><span class="pre">dfl:</span></code>. This relation is subject to parameter -expansion (see below). New in release 1.18.</p> -</dd> -<dt><strong>default_realm</strong></dt><dd><p>Identifies the default Kerberos realm for the client. Set its -value to your Kerberos realm. 
If this value is not set, then a -realm must be specified with every Kerberos principal when -invoking programs such as <a class="reference internal" href="../../user/user_commands/kinit.html#kinit-1"><span class="std std-ref">kinit</span></a>.</p> -</dd> -<dt><strong>default_tgs_enctypes</strong></dt><dd><p>Identifies the supported list of session key encryption types that -the client should request when making a TGS-REQ, in order of -preference from highest to lowest. The list may be delimited with -commas or whitespace. See <a class="reference internal" href="kdc_conf.html#encryption-types"><span class="std std-ref">Encryption types</span></a> in -<a class="reference internal" href="kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a> for a list of the accepted values for this tag. -Starting in release 1.18, the default value is the value of -<strong>permitted_enctypes</strong>. For previous releases or if -<strong>permitted_enctypes</strong> is not set, the default value is -<code class="docutils literal notranslate"><span class="pre">aes256-cts-hmac-sha1-96</span> <span class="pre">aes128-cts-hmac-sha1-96</span> <span class="pre">aes256-cts-hmac-sha384-192</span> <span class="pre">aes128-cts-hmac-sha256-128</span> <span class="pre">des3-cbc-sha1</span> <span class="pre">arcfour-hmac-md5</span> <span class="pre">camellia256-cts-cmac</span> <span class="pre">camellia128-cts-cmac</span></code>.</p> -<p>Do not set this unless required for specific backward -compatibility purposes; stale values of this setting can prevent -clients from taking advantage of new stronger enctypes when the -libraries are upgraded.</p> -</dd> -<dt><strong>default_tkt_enctypes</strong></dt><dd><p>Identifies the supported list of session key encryption types that -the client should request when making an AS-REQ, in order of -preference from highest to lowest. The format is the same as for -default_tgs_enctypes. 
Starting in release 1.18, the default -value is the value of <strong>permitted_enctypes</strong>. For previous -releases or if <strong>permitted_enctypes</strong> is not set, the default -value is <code class="docutils literal notranslate"><span class="pre">aes256-cts-hmac-sha1-96</span> <span class="pre">aes128-cts-hmac-sha1-96</span> <span class="pre">aes256-cts-hmac-sha384-192</span> <span class="pre">aes128-cts-hmac-sha256-128</span> <span class="pre">des3-cbc-sha1</span> <span class="pre">arcfour-hmac-md5</span> <span class="pre">camellia256-cts-cmac</span> <span class="pre">camellia128-cts-cmac</span></code>.</p> -<p>Do not set this unless required for specific backward -compatibility purposes; stale values of this setting can prevent -clients from taking advantage of new stronger enctypes when the -libraries are upgraded.</p> -</dd> -<dt><strong>dns_canonicalize_hostname</strong></dt><dd><p>Indicate whether name lookups will be used to canonicalize -hostnames for use in service principal names. Setting this flag -to false can improve security by reducing reliance on DNS, but -means that short hostnames will not be canonicalized to -fully-qualified hostnames. If this option is set to <code class="docutils literal notranslate"><span class="pre">fallback</span></code> (new -in release 1.18), DNS canonicalization will only be performed the -server hostname is not found with the original name when -requesting credentials. The default value is true.</p> -</dd> -<dt><strong>dns_lookup_kdc</strong></dt><dd><p>Indicate whether DNS SRV records should be used to locate the KDCs -and other servers for a realm, if they are not listed in the -krb5.conf information for the realm. 
(Note that the admin_server -entry must be in the krb5.conf realm information in order to -contact kadmind, because the DNS implementation for kadmin is -incomplete.)</p> -<p>Enabling this option does open up a type of denial-of-service -attack, if someone spoofs the DNS records and redirects you to -another server. However, it’s no worse than a denial of service, -because that fake KDC will be unable to decode anything you send -it (besides the initial ticket request, which has no encrypted -data), and anything the fake KDC sends will not be trusted without -verification using some secret that it won’t know.</p> -</dd> -<dt><strong>dns_lookup_realm</strong></dt><dd><p>Indicate whether DNS TXT records should be used to map hostnames -to realm names for hostnames not listed in the [domain_realm] -section, and to determine the default realm if <strong>default_realm</strong> -is not set. The default value is false.</p> -</dd> -<dt><strong>dns_uri_lookup</strong></dt><dd><p>Indicate whether DNS URI records should be used to locate the KDCs -and other servers for a realm, if they are not listed in the -krb5.conf information for the realm. SRV records are used as a -fallback if no URI records were found. The default value is true. -New in release 1.15.</p> -</dd> -<dt><strong>enforce_ok_as_delegate</strong></dt><dd><p>If this flag to true, GSSAPI credential delegation will be -disabled when the <code class="docutils literal notranslate"><span class="pre">ok-as-delegate</span></code> flag is not set in the -service ticket. If this flag is false, the <code class="docutils literal notranslate"><span class="pre">ok-as-delegate</span></code> -ticket flag is only enforced when an application specifically -requests enforcement. The default value is false.</p> -</dd> -<dt><strong>err_fmt</strong></dt><dd><p>This relation allows for custom error message formatting. 
If a -value is set, error messages will be formatted by substituting a -normal error message for %M and an error code for %C in the value.</p> -</dd> -<dt><strong>extra_addresses</strong></dt><dd><p>This allows a computer to use multiple local addresses, in order -to allow Kerberos to work in a network that uses NATs while still -using address-restricted tickets. The addresses should be in a -comma-separated list. This option has no effect if -<strong>noaddresses</strong> is true.</p> -</dd> -<dt><strong>forwardable</strong></dt><dd><p>If this flag is true, initial tickets will be forwardable by -default, if allowed by the KDC. The default value is false.</p> -</dd> -<dt><strong>ignore_acceptor_hostname</strong></dt><dd><p>When accepting GSSAPI or krb5 security contexts for host-based -service principals, ignore any hostname passed by the calling -application, and allow clients to authenticate to any service -principal in the keytab matching the service name and realm name -(if given). This option can improve the administrative -flexibility of server applications on multihomed hosts, but could -compromise the security of virtual hosting environments. The -default value is false. New in release 1.10.</p> -</dd> -<dt><strong>k5login_authoritative</strong></dt><dd><p>If this flag is true, principals must be listed in a local user’s -k5login file to be granted login access, if a <a class="reference internal" href="../../user/user_config/k5login.html#k5login-5"><span class="std std-ref">.k5login</span></a> -file exists. If this flag is false, a principal may still be -granted login access through other mechanisms even if a k5login -file exists but does not list the principal. The default value is -true.</p> -</dd> -<dt><strong>k5login_directory</strong></dt><dd><p>If set, the library will look for a local user’s k5login file -within the named directory, with a filename corresponding to the -local username. 
If not set, the library will look for k5login -files in the user’s home directory, with the filename .k5login. -For security reasons, .k5login files must be owned by -the local user or by root.</p> -</dd> -<dt><strong>kcm_mach_service</strong></dt><dd><p>On macOS only, determines the name of the bootstrap service used to -contact the KCM daemon for the KCM credential cache type. If the -value is <code class="docutils literal notranslate"><span class="pre">-</span></code>, Mach RPC will not be used to contact the KCM -daemon. The default value is <code class="docutils literal notranslate"><span class="pre">org.h5l.kcm</span></code>.</p> -</dd> -<dt><strong>kcm_socket</strong></dt><dd><p>Determines the path to the Unix domain socket used to access the -KCM daemon for the KCM credential cache type. If the value is -<code class="docutils literal notranslate"><span class="pre">-</span></code>, Unix domain sockets will not be used to contact the KCM -daemon. The default value is -<code class="docutils literal notranslate"><span class="pre">/var/run/.heim_org.h5l.kcm-socket</span></code>.</p> -</dd> -<dt><strong>kdc_default_options</strong></dt><dd><p>Default KDC options (Xored for multiple values) when requesting -initial tickets. By default it is set to 0x00000010 -(KDC_OPT_RENEWABLE_OK).</p> -</dd> -<dt><strong>kdc_timesync</strong></dt><dd><p>Accepted values for this relation are 1 or 0. If it is nonzero, -client machines will compute the difference between their time and -the time returned by the KDC in the timestamps in the tickets and -use this value to correct for an inaccurate system clock when -requesting service tickets or authenticating to services. This -corrective factor is only used by the Kerberos library; it is not -used to change the system clock. 
The default value is 1.</p> -</dd> -<dt><strong>noaddresses</strong></dt><dd><p>If this flag is true, requests for initial tickets will not be -made with address restrictions set, allowing the tickets to be -used across NATs. The default value is true.</p> -</dd> -<dt><strong>permitted_enctypes</strong></dt><dd><p>Identifies the encryption types that servers will permit for -session keys and for ticket and authenticator encryption, ordered -by preference from highest to lowest. Starting in release 1.18, -this tag also acts as the default value for -<strong>default_tgs_enctypes</strong> and <strong>default_tkt_enctypes</strong>. The -default value for this tag is <code class="docutils literal notranslate"><span class="pre">aes256-cts-hmac-sha1-96</span> <span class="pre">aes128-cts-hmac-sha1-96</span> <span class="pre">aes256-cts-hmac-sha384-192</span> <span class="pre">aes128-cts-hmac-sha256-128</span> <span class="pre">des3-cbc-sha1</span> <span class="pre">arcfour-hmac-md5</span> <span class="pre">camellia256-cts-cmac</span> <span class="pre">camellia128-cts-cmac</span></code>.</p> -</dd> -<dt><strong>plugin_base_dir</strong></dt><dd><p>If set, determines the base directory where krb5 plugins are -located. The default value is the <code class="docutils literal notranslate"><span class="pre">krb5/plugins</span></code> subdirectory -of the krb5 library directory. This relation is subject to -parameter expansion (see below) in release 1.17 and later.</p> -</dd> -<dt><strong>preferred_preauth_types</strong></dt><dd><p>This allows you to set the preferred preauthentication types which -the client will attempt before others which may be advertised by a -KDC. The default value for this setting is “17, 16, 15, 14”, -which forces libkrb5 to attempt to use PKINIT if it is supported.</p> -</dd> -<dt><strong>proxiable</strong></dt><dd><p>If this flag is true, initial tickets will be proxiable by -default, if allowed by the KDC. 
The default value is false.</p> -</dd> -<dt><strong>qualify_shortname</strong></dt><dd><p>If this string is set, it determines the domain suffix for -single-component hostnames when DNS canonicalization is not used -(either because <strong>dns_canonicalize_hostname</strong> is false or because -forward canonicalization failed). The default value is the first -search domain of the system’s DNS configuration. To disable -qualification of shortnames, set this relation to the empty string -with <code class="docutils literal notranslate"><span class="pre">qualify_shortname</span> <span class="pre">=</span> <span class="pre">""</span></code>. (New in release 1.18.)</p> -</dd> -<dt><strong>rdns</strong></dt><dd><p>If this flag is true, reverse name lookup will be used in addition -to forward name lookup to canonicalizing hostnames for use in -service principal names. If <strong>dns_canonicalize_hostname</strong> is set -to false, this flag has no effect. The default value is true.</p> -</dd> -<dt><strong>realm_try_domains</strong></dt><dd><p>Indicate whether a host’s domain components should be used to -determine the Kerberos realm of the host. The value of this -variable is an integer: -1 means not to search, 0 means to try the -host’s domain itself, 1 means to also try the domain’s immediate -parent, and so forth. The library’s usual mechanism for locating -Kerberos realms is used to determine whether a domain is a valid -realm, which may involve consulting DNS if <strong>dns_lookup_kdc</strong> is -set. The default is not to search domain components.</p> -</dd> -<dt><strong>renew_lifetime</strong></dt><dd><p>(<a class="reference internal" href="../../basic/date_format.html#duration"><span class="std std-ref">Time duration</span></a> string.) Sets the default renewable lifetime -for initial ticket requests. 
The default value is 0.</p> -</dd> -<dt><strong>request_timeout</strong></dt><dd><p>(<a class="reference internal" href="../../basic/date_format.html#duration"><span class="std std-ref">Time duration</span></a> string.) Sets the maximum total time for KDC and -password change requests. This timeout does not affect the -intervals between requests, so setting a low timeout may result in -fewer requests being attempted and/or some servers not being -contacted. A value of 0 indicates no specific maximum, in which -case requests will time out if no server responds after several -tries. The default value is 0. (New in release 1.22.)</p> -</dd> -<dt><strong>spake_preauth_groups</strong></dt><dd><p>A whitespace or comma-separated list of words which specifies the -groups allowed for SPAKE preauthentication. The possible values -are:</p> -<table class="docutils align-default"> -<tbody> -<tr class="row-odd"><td><p>edwards25519</p></td> -<td><p>Edwards25519 curve (<span class="target" id="index-0"></span><a class="rfc reference external" href="https://datatracker.ietf.org/doc/html/rfc7748.html"><strong>RFC 7748</strong></a>)</p></td> -</tr> -<tr class="row-even"><td><p>P-256</p></td> -<td><p>NIST P-256 curve (<span class="target" id="index-1"></span><a class="rfc reference external" href="https://datatracker.ietf.org/doc/html/rfc5480.html"><strong>RFC 5480</strong></a>)</p></td> -</tr> -<tr class="row-odd"><td><p>P-384</p></td> -<td><p>NIST P-384 curve (<span class="target" id="index-2"></span><a class="rfc reference external" href="https://datatracker.ietf.org/doc/html/rfc5480.html"><strong>RFC 5480</strong></a>)</p></td> -</tr> -<tr class="row-even"><td><p>P-521</p></td> -<td><p>NIST P-521 curve (<span class="target" id="index-3"></span><a class="rfc reference external" href="https://datatracker.ietf.org/doc/html/rfc5480.html"><strong>RFC 5480</strong></a>)</p></td> -</tr> -</tbody> -</table> -<p>The default value for the client is <code class="docutils literal 
notranslate"><span class="pre">edwards25519</span></code>. The default -value for the KDC is empty. New in release 1.17.</p> -</dd> -<dt><strong>ticket_lifetime</strong></dt><dd><p>(<a class="reference internal" href="../../basic/date_format.html#duration"><span class="std std-ref">Time duration</span></a> string.) Sets the default lifetime for initial -ticket requests. The default value is 1 day.</p> -</dd> -<dt><strong>udp_preference_limit</strong></dt><dd><p>When sending a message to the KDC, the library will try using TCP -before UDP if the size of the message is above -<strong>udp_preference_limit</strong>. If the message is smaller than -<strong>udp_preference_limit</strong>, then UDP will be tried before TCP. -Regardless of the size, both protocols will be tried if the first -attempt fails.</p> -</dd> -<dt><strong>verify_ap_req_nofail</strong></dt><dd><p>If this flag is true, then an attempt to verify initial -credentials will fail if the client machine does not have a -keytab. The default value is false.</p> -</dd> -<dt><strong>client_aware_channel_bindings</strong></dt><dd><p>If this flag is true, then all application protocol authentication -requests will be flagged to indicate that the application supports -channel bindings when operating over a secure channel. The -default value is false.</p> -</dd> -</dl> -</section> -<section id="realms"> -<span id="id2"></span><h3>[realms]<a class="headerlink" href="#realms" title="Link to this heading">¶</a></h3> -<p>Each tag in the [realms] section of the file is the name of a Kerberos -realm. The value of the tag is a subsection with relations that -define the properties of that particular realm. For each realm, the -following tags may be specified in the realm’s subsection:</p> -<dl> -<dt><strong>admin_server</strong></dt><dd><p>Identifies the host where the administration server is running. -Typically, this is the primary Kerberos server. 
This tag must be -given a value in order to communicate with the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> -server for the realm.</p> -</dd> -<dt><strong>auth_to_local</strong></dt><dd><p>This tag allows you to set a general rule for mapping principal -names to local user names. It will be used if there is not an -explicit mapping for the principal name that is being -translated. The possible values are:</p> -<dl> -<dt><strong>RULE:</strong><em>exp</em></dt><dd><p>The local name will be formulated from <em>exp</em>.</p> -<p>The format for <em>exp</em> is <strong>[</strong><em>n</em><strong>:</strong><em>string</em><strong>](</strong><em>regexp</em><strong>)s/</strong><em>pattern</em><strong>/</strong><em>replacement</em><strong>/g</strong>. -The integer <em>n</em> indicates how many components the target -principal should have. If this matches, then a string will be -formed from <em>string</em>, substituting the realm of the principal -for <code class="docutils literal notranslate"><span class="pre">$0</span></code> and the <em>n</em>’th component of the principal for -<code class="docutils literal notranslate"><span class="pre">$n</span></code> (e.g., if the principal was <code class="docutils literal notranslate"><span class="pre">johndoe/admin</span></code> then -<code class="docutils literal notranslate"><span class="pre">[2:$2$1foo]</span></code> would result in the string -<code class="docutils literal notranslate"><span class="pre">adminjohndoefoo</span></code>). If this string matches <em>regexp</em>, then -the <code class="docutils literal notranslate"><span class="pre">s//[g]</span></code> substitution command will be run over the -string. 
The optional <strong>g</strong> will cause the substitution to be -global over the <em>string</em>, instead of replacing only the first -match in the <em>string</em>.</p> -</dd> -<dt><strong>DEFAULT</strong></dt><dd><p>The principal name will be used as the local user name. If -the principal has more than one component or is not in the -default realm, this rule is not applicable and the conversion -will fail.</p> -</dd> -</dl> -<p>For example:</p> -<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>[realms] - ATHENA.MIT.EDU = { - auth_to_local = RULE:[2:$1](johndoe)s/^.*$/guest/ - auth_to_local = RULE:[2:$1;$2](^.*;admin$)s/;admin$// - auth_to_local = RULE:[2:$2](^.*;root)s/^.*$/root/ - auth_to_local = DEFAULT - } -</pre></div> -</div> -<p>would result in any principal without <code class="docutils literal notranslate"><span class="pre">root</span></code> or <code class="docutils literal notranslate"><span class="pre">admin</span></code> as the -second component to be translated with the default rule. A -principal with a second component of <code class="docutils literal notranslate"><span class="pre">admin</span></code> will become its -first component. <code class="docutils literal notranslate"><span class="pre">root</span></code> will be used as the local name for any -principal with a second component of <code class="docutils literal notranslate"><span class="pre">root</span></code>. The exception to -these two rules are any principals <code class="docutils literal notranslate"><span class="pre">johndoe/*</span></code>, which will -always get the local name <code class="docutils literal notranslate"><span class="pre">guest</span></code>.</p> -</dd> -<dt><strong>auth_to_local_names</strong></dt><dd><p>This subsection allows you to set explicit mappings from principal -names to local user names. 
The tag is the mapping name, and the -value is the corresponding local user name.</p> -</dd> -<dt><strong>default_domain</strong></dt><dd><p>This tag specifies the domain used to expand hostnames when -translating Kerberos 4 service principals to Kerberos 5 principals -(for example, when converting <code class="docutils literal notranslate"><span class="pre">rcmd.hostname</span></code> to -<code class="docutils literal notranslate"><span class="pre">host/hostname.domain</span></code>).</p> -</dd> -<dt><strong>disable_encrypted_timestamp</strong></dt><dd><p>If this flag is true, the client will not perform encrypted -timestamp preauthentication if requested by the KDC. Setting this -flag can help to prevent dictionary attacks by active attackers, -if the realm’s KDCs support SPAKE preauthentication or if initial -authentication always uses another mechanism or always uses FAST. -This flag persists across client referrals during initial -authentication. This flag does not prevent the KDC from offering -encrypted timestamp. New in release 1.17.</p> -</dd> -<dt><strong>http_anchors</strong></dt><dd><p>When KDCs and kpasswd servers are accessed through HTTPS proxies, this tag -can be used to specify the location of the CA certificate which should be -trusted to issue the certificate for a proxy server. If left unspecified, -the system-wide default set of CA certificates is used.</p> -<p>The syntax for values is similar to that of values for the -<strong>pkinit_anchors</strong> tag:</p> -<p><strong>FILE:</strong> <em>filename</em></p> -<p><em>filename</em> is assumed to be the name of an OpenSSL-style ca-bundle file.</p> -<p><strong>DIR:</strong> <em>dirname</em></p> -<p><em>dirname</em> is assumed to be an directory which contains CA certificates. 
-All files in the directory will be examined; if they contain certificates -(in PEM format), they will be used.</p> -<p><strong>ENV:</strong> <em>envvar</em></p> -<p><em>envvar</em> specifies the name of an environment variable which has been set -to a value conforming to one of the previous values. For example, -<code class="docutils literal notranslate"><span class="pre">ENV:X509_PROXY_CA</span></code>, where environment variable <code class="docutils literal notranslate"><span class="pre">X509_PROXY_CA</span></code> has -been set to <code class="docutils literal notranslate"><span class="pre">FILE:/tmp/my_proxy.pem</span></code>.</p> -</dd> -<dt><strong>kdc</strong></dt><dd><p>The name or address of a host running a KDC for the realm, or a -UNIX domain socket path of a locally running KDC. An optional -port number, separated from the hostname by a colon, may be -included. If the name or address contains colons (for example, if -it is an IPv6 address), enclose it in square brackets to -distinguish the colon from a port separator. For your computer to -be able to communicate with the KDC for each realm, this tag must -be given a value in each realm subsection in the configuration -file, or there must be DNS SRV records specifying the KDCs.</p> -</dd> -<dt><strong>kpasswd_server</strong></dt><dd><p>The location of the password change server for the realm, using -the same syntax as <strong>kdc</strong>. If there is no such entry, DNS will -be queried (unless forbidden by <strong>dns_lookup_kdc</strong>). Finally, -port 464 on the <strong>admin_server</strong> host will be tried.</p> -</dd> -<dt><strong>master_kdc</strong></dt><dd><p>The name for <strong>primary_kdc</strong> prior to release 1.19. Its value is -used as a fallback if <strong>primary_kdc</strong> is not specified.</p> -</dd> -<dt><strong>primary_kdc</strong></dt><dd><p>Identifies the primary KDC(s). 
Currently, this tag is used in only -one case: If an attempt to get credentials fails because of an -invalid password, the client software will attempt to contact the -primary KDC, in case the user’s password has just been changed, and -the updated database has not been propagated to the replica -servers yet. New in release 1.19.</p> -</dd> -<dt><strong>sitename</strong></dt><dd><p>Specifies the name of the host’s site for the purpose of DNS-based -KDC discovery for this realm. New in release 1.22.</p> -</dd> -<dt><strong>v4_instance_convert</strong></dt><dd><p>This subsection allows the administrator to configure exceptions -to the <strong>default_domain</strong> mapping rule. It contains V4 instances -(the tag name) which should be translated to some specific -hostname (the tag value) as the second component in a Kerberos V5 -principal name.</p> -</dd> -<dt><strong>v4_realm</strong></dt><dd><p>This relation is used by the krb524 library routines when -converting a V5 principal name to a V4 principal name. It is used -when the V4 realm name and the V5 realm name are not the same, but -still share the same principal names and passwords. The tag value -is the Kerberos V4 realm name.</p> -</dd> -</dl> -</section> -<section id="domain-realm"> -<span id="id3"></span><h3>[domain_realm]<a class="headerlink" href="#domain-realm" title="Link to this heading">¶</a></h3> -<p>The [domain_realm] section provides a translation from hostnames to -Kerberos realms. Each tag is a domain name, providing the mapping for -that domain and all subdomains. If the tag begins with a period -(<code class="docutils literal notranslate"><span class="pre">.</span></code>) then it applies only to subdomains. The Kerberos realm may be -identified either in the <a class="reference internal" href="#realms">realms</a> section or using DNS SRV records. -Tag names should be in lower case. 
For example:</p> -<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">domain_realm</span><span class="p">]</span> - <span class="n">crash</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> <span class="o">=</span> <span class="n">TEST</span><span class="o">.</span><span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> - <span class="o">.</span><span class="n">dev</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> <span class="o">=</span> <span class="n">TEST</span><span class="o">.</span><span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> - <span class="n">mit</span><span class="o">.</span><span class="n">edu</span> <span class="o">=</span> <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> -</pre></div> -</div> -<p>maps the host with the name <code class="docutils literal notranslate"><span class="pre">crash.mit.edu</span></code> into the -<code class="docutils literal notranslate"><span class="pre">TEST.ATHENA.MIT.EDU</span></code> realm. The second entry maps all hosts under the -domain <code class="docutils literal notranslate"><span class="pre">dev.mit.edu</span></code> into the <code class="docutils literal notranslate"><span class="pre">TEST.ATHENA.MIT.EDU</span></code> realm, but not -the host with the name <code class="docutils literal notranslate"><span class="pre">dev.mit.edu</span></code>. 
That host is matched -by the third entry, which maps the host <code class="docutils literal notranslate"><span class="pre">mit.edu</span></code> and all hosts -under the domain <code class="docutils literal notranslate"><span class="pre">mit.edu</span></code> that do not match a preceding rule -into the realm <code class="docutils literal notranslate"><span class="pre">ATHENA.MIT.EDU</span></code>.</p> -<p>If no translation entry applies to a hostname used for a service -principal for a service ticket request, the library will try to get a -referral to the appropriate realm from the client realm’s KDC. If -that does not succeed, the host’s realm is considered to be the -hostname’s domain portion converted to uppercase, unless the -<strong>realm_try_domains</strong> setting in [libdefaults] causes a different -parent domain to be used.</p> -</section> -<section id="capaths"> -<span id="id4"></span><h3>[capaths]<a class="headerlink" href="#capaths" title="Link to this heading">¶</a></h3> -<p>In order to perform direct (non-hierarchical) cross-realm -authentication, configuration is needed to determine the -authentication paths between realms.</p> -<p>A client will use this section to find the authentication path between -its realm and the realm of the server. The server will use this -section to verify the authentication path used by the client, by -checking the transited field of the received ticket.</p> -<p>There is a tag for each participating client realm, and each tag has -subtags for each of the server realms. The value of the subtags is an -intermediate realm which may participate in the cross-realm -authentication. The subtags may be repeated if there is more then one -intermediate realm. A value of “.” means that the two realms share -keys directly, and no intermediate realms should be allowed to -participate.</p> -<p>Only those entries which will be needed on the client or the server -need to be present. 
A client needs a tag for its local realm with -subtags for all the realms of servers it will need to authenticate to. -A server needs a tag for each realm of the clients it will serve, with -a subtag of the server realm.</p> -<p>For example, <code class="docutils literal notranslate"><span class="pre">ANL.GOV</span></code>, <code class="docutils literal notranslate"><span class="pre">PNL.GOV</span></code>, and <code class="docutils literal notranslate"><span class="pre">NERSC.GOV</span></code> all wish to -use the <code class="docutils literal notranslate"><span class="pre">ES.NET</span></code> realm as an intermediate realm. ANL has a sub -realm of <code class="docutils literal notranslate"><span class="pre">TEST.ANL.GOV</span></code> which will authenticate with <code class="docutils literal notranslate"><span class="pre">NERSC.GOV</span></code> -but not <code class="docutils literal notranslate"><span class="pre">PNL.GOV</span></code>. The [capaths] section for <code class="docutils literal notranslate"><span class="pre">ANL.GOV</span></code> systems -would look like this:</p> -<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">capaths</span><span class="p">]</span> - <span class="n">ANL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="p">{</span> - <span class="n">TEST</span><span class="o">.</span><span class="n">ANL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="o">.</span> - <span class="n">PNL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="n">ES</span><span class="o">.</span><span class="n">NET</span> - <span class="n">NERSC</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="n">ES</span><span class="o">.</span><span class="n">NET</span> - <span class="n">ES</span><span class="o">.</span><span 
class="n">NET</span> <span class="o">=</span> <span class="o">.</span> - <span class="p">}</span> - <span class="n">TEST</span><span class="o">.</span><span class="n">ANL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="p">{</span> - <span class="n">ANL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="o">.</span> - <span class="p">}</span> - <span class="n">PNL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="p">{</span> - <span class="n">ANL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="n">ES</span><span class="o">.</span><span class="n">NET</span> - <span class="p">}</span> - <span class="n">NERSC</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="p">{</span> - <span class="n">ANL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="n">ES</span><span class="o">.</span><span class="n">NET</span> - <span class="p">}</span> - <span class="n">ES</span><span class="o">.</span><span class="n">NET</span> <span class="o">=</span> <span class="p">{</span> - <span class="n">ANL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="o">.</span> - <span class="p">}</span> -</pre></div> -</div> -<p>The [capaths] section of the configuration file used on <code class="docutils literal notranslate"><span class="pre">NERSC.GOV</span></code> -systems would look like this:</p> -<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">capaths</span><span class="p">]</span> - <span class="n">NERSC</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="p">{</span> - <span class="n">ANL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span 
class="n">ES</span><span class="o">.</span><span class="n">NET</span> - <span class="n">TEST</span><span class="o">.</span><span class="n">ANL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="n">ES</span><span class="o">.</span><span class="n">NET</span> - <span class="n">TEST</span><span class="o">.</span><span class="n">ANL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="n">ANL</span><span class="o">.</span><span class="n">GOV</span> - <span class="n">PNL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="n">ES</span><span class="o">.</span><span class="n">NET</span> - <span class="n">ES</span><span class="o">.</span><span class="n">NET</span> <span class="o">=</span> <span class="o">.</span> - <span class="p">}</span> - <span class="n">ANL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="p">{</span> - <span class="n">NERSC</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="n">ES</span><span class="o">.</span><span class="n">NET</span> - <span class="p">}</span> - <span class="n">PNL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="p">{</span> - <span class="n">NERSC</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="n">ES</span><span class="o">.</span><span class="n">NET</span> - <span class="p">}</span> - <span class="n">ES</span><span class="o">.</span><span class="n">NET</span> <span class="o">=</span> <span class="p">{</span> - <span class="n">NERSC</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="o">.</span> - <span class="p">}</span> - <span class="n">TEST</span><span class="o">.</span><span class="n">ANL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span 
class="p">{</span> - <span class="n">NERSC</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="n">ANL</span><span class="o">.</span><span class="n">GOV</span> - <span class="n">NERSC</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="n">ES</span><span class="o">.</span><span class="n">NET</span> - <span class="p">}</span> -</pre></div> -</div> -<p>When a subtag is used more than once within a tag, clients will use -the order of values to determine the path. The order of values is not -important to servers.</p> -</section> -<section id="appdefaults"> -<span id="id5"></span><h3>[appdefaults]<a class="headerlink" href="#appdefaults" title="Link to this heading">¶</a></h3> -<p>Each tag in the [appdefaults] section names a Kerberos V5 application -or an option that is used by some Kerberos V5 application[s]. The -value of the tag defines the default behaviors for that application.</p> -<p>For example:</p> -<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">appdefaults</span><span class="p">]</span> - <span class="n">telnet</span> <span class="o">=</span> <span class="p">{</span> - <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="o">=</span> <span class="p">{</span> - <span class="n">option1</span> <span class="o">=</span> <span class="n">false</span> - <span class="p">}</span> - <span class="p">}</span> - <span class="n">telnet</span> <span class="o">=</span> <span class="p">{</span> - <span class="n">option1</span> <span class="o">=</span> <span class="n">true</span> - <span class="n">option2</span> <span class="o">=</span> <span class="n">true</span> - <span class="p">}</span> - <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span 
class="o">=</span> <span class="p">{</span> - <span class="n">option2</span> <span class="o">=</span> <span class="n">false</span> - <span class="p">}</span> - <span class="n">option2</span> <span class="o">=</span> <span class="n">true</span> -</pre></div> -</div> -<p>The above four ways of specifying the value of an option are shown in -order of decreasing precedence. In this example, if telnet is running -in the realm EXAMPLE.COM, it should, by default, have option1 and -option2 set to true. However, a telnet program in the realm -<code class="docutils literal notranslate"><span class="pre">ATHENA.MIT.EDU</span></code> should have <code class="docutils literal notranslate"><span class="pre">option1</span></code> set to false and -<code class="docutils literal notranslate"><span class="pre">option2</span></code> set to true. Any other programs in ATHENA.MIT.EDU should -have <code class="docutils literal notranslate"><span class="pre">option2</span></code> set to false by default. Any programs running in -other realms should have <code class="docutils literal notranslate"><span class="pre">option2</span></code> set to true.</p> -<p>The list of specifiable options for each application may be found in -that application’s man pages. 
The application defaults specified here -are overridden by those specified in the <a class="reference internal" href="#realms">realms</a> section.</p> -</section> -<section id="plugins"> -<span id="id6"></span><h3>[plugins]<a class="headerlink" href="#plugins" title="Link to this heading">¶</a></h3> -<blockquote> -<div><ul class="simple"> -<li><p><a class="reference internal" href="#pwqual">pwqual</a> interface</p></li> -<li><p><a class="reference internal" href="#kadm5-hook">kadm5_hook</a> interface</p></li> -<li><p><a class="reference internal" href="#clpreauth">clpreauth</a> and <a class="reference internal" href="#kdcpreauth">kdcpreauth</a> interfaces</p></li> -</ul> -</div></blockquote> -<p>Tags in the [plugins] section can be used to register dynamic plugin -modules and to turn modules on and off. Not every krb5 pluggable -interface uses the [plugins] section; the ones that do are documented -here.</p> -<p>New in release 1.9.</p> -<p>Each pluggable interface corresponds to a subsection of [plugins]. -All subsections support the same tags:</p> -<dl class="simple"> -<dt><strong>disable</strong></dt><dd><p>This tag may have multiple values. If there are values for this -tag, then the named modules will be disabled for the pluggable -interface.</p> -</dd> -<dt><strong>enable_only</strong></dt><dd><p>This tag may have multiple values. If there are values for this -tag, then only the named modules will be enabled for the pluggable -interface.</p> -</dd> -<dt><strong>module</strong></dt><dd><p>This tag may have multiple values. Each value is a string of the -form <code class="docutils literal notranslate"><span class="pre">modulename:pathname</span></code>, which causes the shared object -located at <em>pathname</em> to be registered as a dynamic module named -<em>modulename</em> for the pluggable interface. 
If <em>pathname</em> is not an -absolute path, it will be treated as relative to the -<strong>plugin_base_dir</strong> value from <a class="reference internal" href="#libdefaults"><span class="std std-ref">[libdefaults]</span></a>.</p> -</dd> -</dl> -<p>For pluggable interfaces where module order matters, modules -registered with a <strong>module</strong> tag normally come first, in the order -they are registered, followed by built-in modules in the order they -are documented below. If <strong>enable_only</strong> tags are used, then the -order of those tags overrides the normal module order.</p> -<p>The following subsections are currently supported within the [plugins] -section:</p> -<section id="ccselect-interface"> -<span id="ccselect"></span><h4>ccselect interface<a class="headerlink" href="#ccselect-interface" title="Link to this heading">¶</a></h4> -<p>The ccselect subsection controls modules for credential cache -selection within a cache collection. In addition to any registered -dynamic modules, the following built-in modules exist (and may be -disabled with the disable tag):</p> -<dl class="simple"> -<dt><strong>k5identity</strong></dt><dd><p>Uses a .k5identity file in the user’s home directory to select a -client principal</p> -</dd> -<dt><strong>realm</strong></dt><dd><p>Uses the service realm to guess an appropriate cache from the -collection</p> -</dd> -<dt><strong>hostname</strong></dt><dd><p>If the service principal is host-based, uses the service hostname -to guess an appropriate cache from the collection</p> -</dd> -</dl> -</section> -<section id="pwqual-interface"> -<span id="pwqual"></span><h4>pwqual interface<a class="headerlink" href="#pwqual-interface" title="Link to this heading">¶</a></h4> -<p>The pwqual subsection controls modules for the password quality -interface, which is used to reject weak passwords when passwords are -changed. 
The following built-in modules exist for this interface:</p> -<dl class="simple"> -<dt><strong>dict</strong></dt><dd><p>Checks against the realm dictionary file</p> -</dd> -<dt><strong>empty</strong></dt><dd><p>Rejects empty passwords</p> -</dd> -<dt><strong>hesiod</strong></dt><dd><p>Checks against user information stored in Hesiod (only if Kerberos -was built with Hesiod support)</p> -</dd> -<dt><strong>princ</strong></dt><dd><p>Checks against components of the principal name</p> -</dd> -</dl> -</section> -<section id="kadm5-hook-interface"> -<span id="kadm5-hook"></span><h4>kadm5_hook interface<a class="headerlink" href="#kadm5-hook-interface" title="Link to this heading">¶</a></h4> -<p>The kadm5_hook interface provides plugins with information on -principal creation, modification, password changes and deletion. This -interface can be used to write a plugin to synchronize MIT Kerberos -with another database such as Active Directory. No plugins are built -in for this interface.</p> -</section> -<section id="kadm5-auth-interface"> -<span id="kadm5-auth"></span><h4>kadm5_auth interface<a class="headerlink" href="#kadm5-auth-interface" title="Link to this heading">¶</a></h4> -<p>The kadm5_auth section (introduced in release 1.16) controls modules -for the kadmin authorization interface, which determines whether a -client principal is allowed to perform a kadmin operation. 
The -following built-in modules exist for this interface:</p> -<dl class="simple"> -<dt><strong>acl</strong></dt><dd><p>This module reads the <a class="reference internal" href="kadm5_acl.html#kadm5-acl-5"><span class="std std-ref">kadm5.acl</span></a> file, and authorizes -operations which are allowed according to the rules in the file.</p> -</dd> -<dt><strong>self</strong></dt><dd><p>This module authorizes self-service operations including password -changes, creation of new random keys, fetching the client’s -principal record or string attributes, and fetching the policy -record associated with the client principal.</p> -</dd> -</dl> -</section> -<section id="clpreauth-and-kdcpreauth-interfaces"> -<span id="kdcpreauth"></span><span id="clpreauth"></span><h4>clpreauth and kdcpreauth interfaces<a class="headerlink" href="#clpreauth-and-kdcpreauth-interfaces" title="Link to this heading">¶</a></h4> -<p>The clpreauth and kdcpreauth interfaces allow plugin modules to -provide client and KDC preauthentication mechanisms. The following -built-in modules exist for these interfaces:</p> -<dl class="simple"> -<dt><strong>pkinit</strong></dt><dd><p>This module implements the PKINIT preauthentication mechanism.</p> -</dd> -<dt><strong>encrypted_challenge</strong></dt><dd><p>This module implements the encrypted challenge FAST factor.</p> -</dd> -<dt><strong>encrypted_timestamp</strong></dt><dd><p>This module implements the encrypted timestamp mechanism.</p> -</dd> -</dl> -</section> -<section id="hostrealm-interface"> -<span id="hostrealm"></span><h4>hostrealm interface<a class="headerlink" href="#hostrealm-interface" title="Link to this heading">¶</a></h4> -<p>The hostrealm section (introduced in release 1.12) controls modules -for the host-to-realm interface, which affects the local mapping of -hostnames to realm names and the choice of default realm. 
The following -built-in modules exist for this interface:</p> -<dl class="simple"> -<dt><strong>profile</strong></dt><dd><p>This module consults the [domain_realm] section of the profile for -authoritative host-to-realm mappings, and the <strong>default_realm</strong> -variable for the default realm.</p> -</dd> -<dt><strong>dns</strong></dt><dd><p>This module looks for DNS records for fallback host-to-realm -mappings and the default realm. It only operates if the -<strong>dns_lookup_realm</strong> variable is set to true.</p> -</dd> -<dt><strong>domain</strong></dt><dd><p>This module applies heuristics for fallback host-to-realm -mappings. It implements the <strong>realm_try_domains</strong> variable, and -uses the uppercased parent domain of the hostname if that does not -produce a result.</p> -</dd> -</dl> -</section> -<section id="localauth-interface"> -<span id="localauth"></span><h4>localauth interface<a class="headerlink" href="#localauth-interface" title="Link to this heading">¶</a></h4> -<p>The localauth section (introduced in release 1.12) controls modules -for the local authorization interface, which affects the relationship -between Kerberos principals and local system accounts. 
The following -built-in modules exist for this interface:</p> -<dl class="simple"> -<dt><strong>default</strong></dt><dd><p>This module implements the <strong>DEFAULT</strong> type for <strong>auth_to_local</strong> -values.</p> -</dd> -<dt><strong>rule</strong></dt><dd><p>This module implements the <strong>RULE</strong> type for <strong>auth_to_local</strong> -values.</p> -</dd> -<dt><strong>names</strong></dt><dd><p>This module looks for an <strong>auth_to_local_names</strong> mapping for the -principal name.</p> -</dd> -<dt><strong>auth_to_local</strong></dt><dd><p>This module processes <strong>auth_to_local</strong> values in the default -realm’s section, and applies the default method if no -<strong>auth_to_local</strong> values exist.</p> -</dd> -<dt><strong>k5login</strong></dt><dd><p>This module authorizes a principal to a local account according to -the account’s <a class="reference internal" href="../../user/user_config/k5login.html#k5login-5"><span class="std std-ref">.k5login</span></a> file.</p> -</dd> -<dt><strong>an2ln</strong></dt><dd><p>This module authorizes a principal to a local account if the -principal name maps to the local account name.</p> -</dd> -</dl> -</section> -<section id="certauth-interface"> -<span id="certauth"></span><h4>certauth interface<a class="headerlink" href="#certauth-interface" title="Link to this heading">¶</a></h4> -<p>The certauth section (introduced in release 1.16) controls modules for -the certificate authorization interface, which determines whether a -certificate is allowed to preauthenticate a user via PKINIT. 
The -following built-in modules exist for this interface:</p> -<dl class="simple"> -<dt><strong>pkinit_san</strong></dt><dd><p>This module authorizes the certificate if it contains a PKINIT -Subject Alternative Name for the requested client principal, or a -Microsoft UPN SAN matching the principal if <strong>pkinit_allow_upn</strong> -is set to true for the realm.</p> -</dd> -<dt><strong>pkinit_eku</strong></dt><dd><p>This module rejects the certificate if it does not contain an -Extended Key Usage attribute consistent with the -<strong>pkinit_eku_checking</strong> value for the realm.</p> -</dd> -<dt><strong>dbmatch</strong></dt><dd><p>This module authorizes or rejects the certificate according to -whether it matches the <strong>pkinit_cert_match</strong> string attribute on -the client principal, if that attribute is present.</p> -</dd> -</dl> -</section> -</section> -</section> -<section id="pkinit-options"> -<h2>PKINIT options<a class="headerlink" href="#pkinit-options" title="Link to this heading">¶</a></h2> -<div class="admonition note"> -<p class="admonition-title">Note</p> -<p>The following are PKINIT-specific options. These values may -be specified in [libdefaults] as global defaults, or within -a realm-specific subsection of [libdefaults], or may be -specified as realm-specific values in the [realms] section. -A realm-specific value overrides, not adds to, a generic -[libdefaults] specification. 
The search order is:</p> -</div> -<ol class="arabic"> -<li><p>realm-specific subsection of [libdefaults]:</p> -<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">libdefaults</span><span class="p">]</span> - <span class="n">EXAMPLE</span><span class="o">.</span><span class="n">COM</span> <span class="o">=</span> <span class="p">{</span> - <span class="n">pkinit_anchors</span> <span class="o">=</span> <span class="n">FILE</span><span class="p">:</span><span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">local</span><span class="o">/</span><span class="n">example</span><span class="o">.</span><span class="n">com</span><span class="o">.</span><span class="n">crt</span> - <span class="p">}</span> -</pre></div> -</div> -</li> -<li><p>realm-specific value in the [realms] section:</p> -<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">realms</span><span class="p">]</span> - <span class="n">OTHERREALM</span><span class="o">.</span><span class="n">ORG</span> <span class="o">=</span> <span class="p">{</span> - <span class="n">pkinit_anchors</span> <span class="o">=</span> <span class="n">FILE</span><span class="p">:</span><span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">local</span><span class="o">/</span><span class="n">otherrealm</span><span class="o">.</span><span class="n">org</span><span class="o">.</span><span class="n">crt</span> - <span class="p">}</span> -</pre></div> -</div> -</li> -<li><p>generic value in the [libdefaults] section:</p> -<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">libdefaults</span><span class="p">]</span> - <span class="n">pkinit_anchors</span> <span class="o">=</span> <span class="n">DIR</span><span class="p">:</span><span class="o">/</span><span 
class="n">usr</span><span class="o">/</span><span class="n">local</span><span class="o">/</span><span class="n">generic_trusted_cas</span><span class="o">/</span> -</pre></div> -</div> -</li> -</ol> -<section id="specifying-pkinit-identity-information"> -<span id="pkinit-identity"></span><h3>Specifying PKINIT identity information<a class="headerlink" href="#specifying-pkinit-identity-information" title="Link to this heading">¶</a></h3> -<p>The syntax for specifying Public Key identity, trust, and revocation -information for PKINIT is as follows:</p> -<dl> -<dt><strong>FILE:</strong><em>filename</em>[<strong>,</strong><em>keyfilename</em>]</dt><dd><p>This option has context-specific behavior.</p> -<p>In <strong>pkinit_identity</strong> or <strong>pkinit_identities</strong>, <em>filename</em> -specifies the name of a PEM-format file containing the user’s -certificate. If <em>keyfilename</em> is not specified, the user’s -private key is expected to be in <em>filename</em> as well. Otherwise, -<em>keyfilename</em> is the name of the file containing the private key.</p> -<p>In <strong>pkinit_anchors</strong> or <strong>pkinit_pool</strong>, <em>filename</em> is assumed to -be the name of an OpenSSL-style ca-bundle file.</p> -</dd> -<dt><strong>DIR:</strong><em>dirname</em></dt><dd><p>This option has context-specific behavior.</p> -<p>In <strong>pkinit_identity</strong> or <strong>pkinit_identities</strong>, <em>dirname</em> -specifies a directory with files named <code class="docutils literal notranslate"><span class="pre">*.crt</span></code> and <code class="docutils literal notranslate"><span class="pre">*.key</span></code> -where the first part of the file name is the same for matching -pairs of certificate and private key files. 
When a file with a -name ending with <code class="docutils literal notranslate"><span class="pre">.crt</span></code> is found, a matching file ending with -<code class="docutils literal notranslate"><span class="pre">.key</span></code> is assumed to contain the private key. If no such file -is found, then the certificate in the <code class="docutils literal notranslate"><span class="pre">.crt</span></code> is not used.</p> -<p>In <strong>pkinit_anchors</strong> or <strong>pkinit_pool</strong>, <em>dirname</em> is assumed to -be an OpenSSL-style hashed CA directory where each CA cert is -stored in a file named <code class="docutils literal notranslate"><span class="pre">hash-of-ca-cert.#</span></code>. This infrastructure -is encouraged, but all files in the directory will be examined and -if they contain certificates (in PEM format), they will be used.</p> -<p>In <strong>pkinit_revoke</strong>, <em>dirname</em> is assumed to be an OpenSSL-style -hashed CA directory where each revocation list is stored in a file -named <code class="docutils literal notranslate"><span class="pre">hash-of-ca-cert.r#</span></code>. This infrastructure is encouraged, -but all files in the directory will be examined and if they -contain a revocation list (in PEM format), they will be used.</p> -</dd> -<dt><strong>PKCS12:</strong><em>filename</em></dt><dd><p><em>filename</em> is the name of a PKCS #12 format file, containing the -user’s certificate and private key.</p> -</dd> -<dt><strong>PKCS11:</strong>[<strong>module_name=</strong>]<em>modname</em>[<strong>:slotid=</strong><em>slot-id</em>][<strong>:token=</strong><em>token-label</em>][<strong>:certid=</strong><em>cert-id</em>][<strong>:certlabel=</strong><em>cert-label</em>]</dt><dd><p>All keyword/values are optional. <em>modname</em> specifies the location -of a library implementing PKCS #11. If a value is encountered -with no keyword, it is assumed to be the <em>modname</em>. 
If no -module-name is specified, the default is <a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">PKCS11_MODNAME</span></a>. -<code class="docutils literal notranslate"><span class="pre">slotid=</span></code> and/or <code class="docutils literal notranslate"><span class="pre">token=</span></code> may be specified to force the use of -a particular smard card reader or token if there is more than one -available. <code class="docutils literal notranslate"><span class="pre">certid=</span></code> and/or <code class="docutils literal notranslate"><span class="pre">certlabel=</span></code> may be specified to -force the selection of a particular certificate on the device. -Specifier values must not contain colon characters, as colons are -always treated as separators. See the <strong>pkinit_cert_match</strong> -configuration option for more ways to select a particular -certificate to use for PKINIT.</p> -</dd> -<dt><strong>ENV:</strong><em>envvar</em></dt><dd><p><em>envvar</em> specifies the name of an environment variable which has -been set to a value conforming to one of the previous values. For -example, <code class="docutils literal notranslate"><span class="pre">ENV:X509_PROXY</span></code>, where environment variable -<code class="docutils literal notranslate"><span class="pre">X509_PROXY</span></code> has been set to <code class="docutils literal notranslate"><span class="pre">FILE:/tmp/my_proxy.pem</span></code>.</p> -</dd> -</dl> -</section> -<section id="pkinit-krb5-conf-options"> -<h3>PKINIT krb5.conf options<a class="headerlink" href="#pkinit-krb5-conf-options" title="Link to this heading">¶</a></h3> -<dl> -<dt><strong>pkinit_anchors</strong></dt><dd><p>Specifies the location of trusted anchor (root) certificates which -the client trusts to sign KDC certificates. This option may be -specified multiple times. 
These values from the config file are -not used if the user specifies X509_anchors on the command line.</p> -</dd> -<dt><strong>pkinit_cert_match</strong></dt><dd><p>Specifies matching rules that the client certificate must match -before it is used to attempt PKINIT authentication. If a user has -multiple certificates available (on a smart card, or via other -media), there must be exactly one certificate chosen before -attempting PKINIT authentication. This option may be specified -multiple times. All the available certificates are checked -against each rule in order until there is a match of exactly one -certificate.</p> -<p>The Subject and Issuer comparison strings are the <span class="target" id="index-4"></span><a class="rfc reference external" href="https://datatracker.ietf.org/doc/html/rfc2253.html"><strong>RFC 2253</strong></a> -string representations from the certificate Subject DN and Issuer -DN values.</p> -<p>The syntax of the matching rules is:</p> -<blockquote> -<div><p>[<em>relation-operator</em>]<em>component-rule</em> …</p> -</div></blockquote> -<p>where:</p> -<dl> -<dt><em>relation-operator</em></dt><dd><p>can be either <code class="docutils literal notranslate"><span class="pre">&&</span></code>, meaning all component rules must match, -or <code class="docutils literal notranslate"><span class="pre">||</span></code>, meaning only one component rule must match. The -default is <code class="docutils literal notranslate"><span class="pre">&&</span></code>.</p> -</dd> -<dt><em>component-rule</em></dt><dd><p>can be one of the following. 
Note that there is no -punctuation or whitespace between component rules.</p> -<blockquote> -<div><div class="line-block"> -<div class="line"><strong><SUBJECT></strong><em>regular-expression</em></div> -<div class="line"><strong><ISSUER></strong><em>regular-expression</em></div> -<div class="line"><strong><SAN></strong><em>regular-expression</em></div> -<div class="line"><strong><EKU></strong><em>extended-key-usage-list</em></div> -<div class="line"><strong><KU></strong><em>key-usage-list</em></div> -</div> -</div></blockquote> -<p><em>extended-key-usage-list</em> is a comma-separated list of -required Extended Key Usage values. All values in the list -must be present in the certificate. Extended Key Usage values -can be:</p> -<ul class="simple"> -<li><p>pkinit</p></li> -<li><p>msScLogin</p></li> -<li><p>clientAuth</p></li> -<li><p>emailProtection</p></li> -</ul> -<p><em>key-usage-list</em> is a comma-separated list of required Key -Usage values. All values in the list must be present in the -certificate. 
Key Usage values can be:</p> -<ul class="simple"> -<li><p>digitalSignature</p></li> -<li><p>keyEncipherment</p></li> -</ul> -</dd> -</dl> -<p>Examples:</p> -<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">pkinit_cert_match</span> <span class="o">=</span> <span class="o">||<</span><span class="n">SUBJECT</span><span class="o">>.*</span><span class="n">DoE</span><span class="o">.*<</span><span class="n">SAN</span><span class="o">>.*</span><span class="nd">@EXAMPLE</span><span class="o">.</span><span class="n">COM</span> -<span class="n">pkinit_cert_match</span> <span class="o">=</span> <span class="o">&&<</span><span class="n">EKU</span><span class="o">></span><span class="n">msScLogin</span><span class="p">,</span><span class="n">clientAuth</span><span class="o"><</span><span class="n">ISSUER</span><span class="o">>.*</span><span class="n">DoE</span><span class="o">.*</span> -<span class="n">pkinit_cert_match</span> <span class="o">=</span> <span class="o"><</span><span class="n">EKU</span><span class="o">></span><span class="n">msScLogin</span><span class="p">,</span><span class="n">clientAuth</span><span class="o"><</span><span class="n">KU</span><span class="o">></span><span class="n">digitalSignature</span> -</pre></div> -</div> -</dd> -<dt><strong>pkinit_eku_checking</strong></dt><dd><p>This option specifies what Extended Key Usage value the KDC -certificate presented to the client must contain. (Note that if -the KDC certificate has the pkinit SubjectAlternativeName encoded -as the Kerberos TGS name, EKU checking is not necessary since the -issuing CA has certified this as a KDC certificate.) 
The values -recognized in the krb5.conf file are:</p> -<dl class="simple"> -<dt><strong>kpKDC</strong></dt><dd><p>This is the default value and specifies that the KDC must have -the id-pkinit-KPKdc EKU as defined in <span class="target" id="index-5"></span><a class="rfc reference external" href="https://datatracker.ietf.org/doc/html/rfc4556.html"><strong>RFC 4556</strong></a>.</p> -</dd> -<dt><strong>kpServerAuth</strong></dt><dd><p>If <strong>kpServerAuth</strong> is specified, a KDC certificate with the -id-kp-serverAuth EKU will be accepted. This key usage value -is used in most commercially issued server certificates.</p> -</dd> -<dt><strong>none</strong></dt><dd><p>If <strong>none</strong> is specified, then the KDC certificate will not be -checked to verify it has an acceptable EKU. The use of this -option is not recommended.</p> -</dd> -</dl> -</dd> -<dt><strong>pkinit_dh_min_bits</strong></dt><dd><p>Specifies the group of the Diffie-Hellman key the client will -attempt to use. The acceptable values are 1024, 2048, P-256, -4096, P-384, and P-521. The default is 2048. (P-256, P-384, and -P-521 are new in release 1.22.)</p> -</dd> -<dt><strong>pkinit_identities</strong></dt><dd><p>Specifies the location(s) to be used to find the user’s X.509 -identity information. If this option is specified multiple times, -each value is attempted in order until certificates are found. -Note that these values are not used if the user specifies -<strong>X509_user_identity</strong> on the command line.</p> -</dd> -<dt><strong>pkinit_kdc_hostname</strong></dt><dd><p>The presence of this option indicates that the client is willing -to accept a KDC certificate with a dNSName SAN (Subject -Alternative Name) rather than requiring the id-pkinit-san as -defined in <span class="target" id="index-6"></span><a class="rfc reference external" href="https://datatracker.ietf.org/doc/html/rfc4556.html"><strong>RFC 4556</strong></a>. This option may be specified multiple -times. 
Its value should contain the acceptable hostname for the -KDC (as contained in its certificate).</p> -</dd> -<dt><strong>pkinit_pool</strong></dt><dd><p>Specifies the location of intermediate certificates which may be -used by the client to complete the trust chain between a KDC -certificate and a trusted anchor. This option may be specified -multiple times.</p> -</dd> -<dt><strong>pkinit_require_crl_checking</strong></dt><dd><p>The default certificate verification process will always check the -available revocation information to see if a certificate has been -revoked. If a match is found for the certificate in a CRL, -verification fails. If the certificate being verified is not -listed in a CRL, or there is no CRL present for its issuing CA, -and <strong>pkinit_require_crl_checking</strong> is false, then verification -succeeds.</p> -<p>However, if <strong>pkinit_require_crl_checking</strong> is true and there is -no CRL information available for the issuing CA, then verification -fails.</p> -<p><strong>pkinit_require_crl_checking</strong> should be set to true if the -policy is such that up-to-date CRLs must be present for every CA.</p> -</dd> -<dt><strong>pkinit_revoke</strong></dt><dd><p>Specifies the location of Certificate Revocation List (CRL) -information to be used by the client when verifying the validity -of the KDC certificate presented. This option may be specified -multiple times.</p> -</dd> -</dl> -</section> -</section> -<section id="parameter-expansion"> -<span id="id7"></span><h2>Parameter expansion<a class="headerlink" href="#parameter-expansion" title="Link to this heading">¶</a></h2> -<p>Starting with release 1.11, several variables, such as -<strong>default_keytab_name</strong>, allow parameters to be expanded. 
-Valid parameters are:</p> -<blockquote> -<div><table class="docutils align-default"> -<tbody> -<tr class="row-odd"><td><p>%{TEMP}</p></td> -<td><p>Temporary directory</p></td> -</tr> -<tr class="row-even"><td><p>%{uid}</p></td> -<td><p>Unix real UID or Windows SID</p></td> -</tr> -<tr class="row-odd"><td><p>%{euid}</p></td> -<td><p>Unix effective user ID or Windows SID</p></td> -</tr> -<tr class="row-even"><td><p>%{USERID}</p></td> -<td><p>Same as %{uid}</p></td> -</tr> -<tr class="row-odd"><td><p>%{null}</p></td> -<td><p>Empty string</p></td> -</tr> -<tr class="row-even"><td><p>%{LIBDIR}</p></td> -<td><p>Installation library directory</p></td> -</tr> -<tr class="row-odd"><td><p>%{BINDIR}</p></td> -<td><p>Installation binary directory</p></td> -</tr> -<tr class="row-even"><td><p>%{SBINDIR}</p></td> -<td><p>Installation admin binary directory</p></td> -</tr> -<tr class="row-odd"><td><p>%{username}</p></td> -<td><p>(Unix) Username of effective user ID</p></td> -</tr> -<tr class="row-even"><td><p>%{APPDATA}</p></td> -<td><p>(Windows) Roaming application data for current user</p></td> -</tr> -<tr class="row-odd"><td><p>%{COMMON_APPDATA}</p></td> -<td><p>(Windows) Application data for all users</p></td> -</tr> -<tr class="row-even"><td><p>%{LOCAL_APPDATA}</p></td> -<td><p>(Windows) Local application data for current user</p></td> -</tr> -<tr class="row-odd"><td><p>%{SYSTEM}</p></td> -<td><p>(Windows) Windows system folder</p></td> -</tr> -<tr class="row-even"><td><p>%{WINDOWS}</p></td> -<td><p>(Windows) Windows folder</p></td> -</tr> -<tr class="row-odd"><td><p>%{USERCONFIG}</p></td> -<td><p>(Windows) Per-user MIT krb5 config file directory</p></td> -</tr> -<tr class="row-even"><td><p>%{COMMONCONFIG}</p></td> -<td><p>(Windows) Common MIT krb5 config file directory</p></td> -</tr> -</tbody> -</table> -</div></blockquote> -</section> -<section id="sample-krb5-conf-file"> -<h2>Sample krb5.conf file<a class="headerlink" href="#sample-krb5-conf-file" title="Link to this 
heading">¶</a></h2> -<p>Here is an example of a generic krb5.conf file:</p> -<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">libdefaults</span><span class="p">]</span> - <span class="n">default_realm</span> <span class="o">=</span> <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> - <span class="n">dns_lookup_kdc</span> <span class="o">=</span> <span class="n">true</span> - <span class="n">dns_lookup_realm</span> <span class="o">=</span> <span class="n">false</span> - -<span class="p">[</span><span class="n">realms</span><span class="p">]</span> - <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="o">=</span> <span class="p">{</span> - <span class="n">kdc</span> <span class="o">=</span> <span class="n">kerberos</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> - <span class="n">kdc</span> <span class="o">=</span> <span class="n">kerberos</span><span class="o">-</span><span class="mf">1.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> - <span class="n">kdc</span> <span class="o">=</span> <span class="n">kerberos</span><span class="o">-</span><span class="mf">2.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> - <span class="n">admin_server</span> <span class="o">=</span> <span class="n">kerberos</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> - <span class="n">primary_kdc</span> <span class="o">=</span> <span class="n">kerberos</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> - <span class="p">}</span> - <span class="n">EXAMPLE</span><span class="o">.</span><span class="n">COM</span> 
<span class="o">=</span> <span class="p">{</span> - <span class="n">kdc</span> <span class="o">=</span> <span class="n">kerberos</span><span class="o">.</span><span class="n">example</span><span class="o">.</span><span class="n">com</span> - <span class="n">kdc</span> <span class="o">=</span> <span class="n">kerberos</span><span class="o">-</span><span class="mf">1.</span><span class="n">example</span><span class="o">.</span><span class="n">com</span> - <span class="n">admin_server</span> <span class="o">=</span> <span class="n">kerberos</span><span class="o">.</span><span class="n">example</span><span class="o">.</span><span class="n">com</span> - <span class="p">}</span> - -<span class="p">[</span><span class="n">domain_realm</span><span class="p">]</span> - <span class="n">mit</span><span class="o">.</span><span class="n">edu</span> <span class="o">=</span> <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> - -<span class="p">[</span><span class="n">capaths</span><span class="p">]</span> - <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="o">=</span> <span class="p">{</span> - <span class="n">EXAMPLE</span><span class="o">.</span><span class="n">COM</span> <span class="o">=</span> <span class="o">.</span> - <span class="p">}</span> - <span class="n">EXAMPLE</span><span class="o">.</span><span class="n">COM</span> <span class="o">=</span> <span class="p">{</span> - <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="o">=</span> <span class="o">.</span> - <span class="p">}</span> -</pre></div> -</div> -</section> -<section id="files"> -<h2>FILES<a class="headerlink" href="#files" title="Link to this heading">¶</a></h2> -<p><code class="docutils literal notranslate"><span 
class="pre">/etc/krb5.conf</span></code></p> -</section> -<section id="see-also"> -<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Link to this heading">¶</a></h2> -<p>syslog(3)</p> -</section> -</section> - - - <div class="clearer"></div> - </div> - </div> - </div> - </div> - <div class="sidebar"> - - <h2>On this page</h2> - <ul> -<li><a class="reference internal" href="#">krb5.conf</a><ul> -<li><a class="reference internal" href="#structure">Structure</a></li> -<li><a class="reference internal" href="#sections">Sections</a><ul> -<li><a class="reference internal" href="#libdefaults">[libdefaults]</a></li> -<li><a class="reference internal" href="#realms">[realms]</a></li> -<li><a class="reference internal" href="#domain-realm">[domain_realm]</a></li> -<li><a class="reference internal" href="#capaths">[capaths]</a></li> -<li><a class="reference internal" href="#appdefaults">[appdefaults]</a></li> -<li><a class="reference internal" href="#plugins">[plugins]</a><ul> -<li><a class="reference internal" href="#ccselect-interface">ccselect interface</a></li> -<li><a class="reference internal" href="#pwqual-interface">pwqual interface</a></li> -<li><a class="reference internal" href="#kadm5-hook-interface">kadm5_hook interface</a></li> -<li><a class="reference internal" href="#kadm5-auth-interface">kadm5_auth interface</a></li> -<li><a class="reference internal" href="#clpreauth-and-kdcpreauth-interfaces">clpreauth and kdcpreauth interfaces</a></li> -<li><a class="reference internal" href="#hostrealm-interface">hostrealm interface</a></li> -<li><a class="reference internal" href="#localauth-interface">localauth interface</a></li> -<li><a class="reference internal" href="#certauth-interface">certauth interface</a></li> -</ul> -</li> -</ul> -</li> -<li><a class="reference internal" href="#pkinit-options">PKINIT options</a><ul> -<li><a class="reference internal" href="#specifying-pkinit-identity-information">Specifying PKINIT identity information</a></li> -<li><a 
class="reference internal" href="#pkinit-krb5-conf-options">PKINIT krb5.conf options</a></li> -</ul> -</li> -<li><a class="reference internal" href="#parameter-expansion">Parameter expansion</a></li> -<li><a class="reference internal" href="#sample-krb5-conf-file">Sample krb5.conf file</a></li> -<li><a class="reference internal" href="#files">FILES</a></li> -<li><a class="reference internal" href="#see-also">SEE ALSO</a></li> -</ul> -</li> -</ul> - - <br/> - <h2>Table of contents</h2> - <ul class="current"> -<li class="toctree-l1"><a class="reference internal" href="../../user/index.html">For users</a></li> -<li class="toctree-l1 current"><a class="reference internal" href="../index.html">For administrators</a><ul class="current"> -<li class="toctree-l2"><a class="reference internal" href="../install.html">Installation guide</a></li> -<li class="toctree-l2 current"><a class="reference internal" href="index.html">Configuration Files</a><ul class="current"> -<li class="toctree-l3 current"><a class="current reference internal" href="#">krb5.conf</a></li> -<li class="toctree-l3"><a class="reference internal" href="kdc_conf.html">kdc.conf</a></li> -<li class="toctree-l3"><a class="reference internal" href="kadm5_acl.html">kadm5.acl</a></li> -</ul> -</li> -<li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li> -<li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li> -<li class="toctree-l2"><a class="reference internal" href="../dbtypes.html">Database types</a></li> -<li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li> -<li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li> -<li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li> -<li class="toctree-l2"><a class="reference 
internal" href="../host_config.html">Host configuration</a></li> -<li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li> -<li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li> -<li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li> -<li class="toctree-l2"><a class="reference internal" href="../spake.html">SPAKE Preauthentication</a></li> -<li class="toctree-l2"><a class="reference internal" href="../dictionary.html">Addressing dictionary attack risks</a></li> -<li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li> -<li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li> -<li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li> -<li class="toctree-l2"><a class="reference internal" href="../auth_indicator.html">Authentication indicators</a></li> -<li class="toctree-l2"><a class="reference internal" href="../admin_commands/index.html">Administration programs</a></li> -<li class="toctree-l2"><a class="reference internal" href="../../mitK5defaults.html">MIT Kerberos defaults</a></li> -<li class="toctree-l2"><a class="reference internal" href="../env_variables.html">Environment variables</a></li> -<li class="toctree-l2"><a class="reference internal" href="../troubleshoot.html">Troubleshooting</a></li> -<li class="toctree-l2"><a class="reference internal" href="../advanced/index.html">Advanced topics</a></li> -<li class="toctree-l2"><a class="reference internal" href="../various_envs.html">Various links</a></li> -</ul> -</li> -<li class="toctree-l1"><a class="reference internal" href="../../appdev/index.html">For application developers</a></li> -<li class="toctree-l1"><a class="reference internal" href="../../plugindev/index.html">For plugin module 
developers</a></li> -<li class="toctree-l1"><a class="reference internal" href="../../build/index.html">Building Kerberos V5</a></li> -<li class="toctree-l1"><a class="reference internal" href="../../basic/index.html">Kerberos V5 concepts</a></li> -<li class="toctree-l1"><a class="reference internal" href="../../formats/index.html">Protocols and file formats</a></li> -<li class="toctree-l1"><a class="reference internal" href="../../mitK5features.html">MIT Kerberos features</a></li> -<li class="toctree-l1"><a class="reference internal" href="../../build_this.html">How to build this documentation from the source</a></li> -<li class="toctree-l1"><a class="reference internal" href="../../about.html">Contributing to the MIT Kerberos Documentation</a></li> -<li class="toctree-l1"><a class="reference internal" href="../../resources.html">Resources</a></li> -</ul> - - <br/> - <h4><a href="../../index.html">Full Table of Contents</a></h4> - <h4>Search</h4> - <form class="search" action="../../search.html" method="get"> - <input type="text" name="q" size="18" /> - <input type="submit" value="Go" /> - <input type="hidden" name="check_keywords" value="yes" /> - <input type="hidden" name="area" value="default" /> - </form> - - </div> - <div class="clearer"></div> - </div> - </div> - - <div class="footer-wrapper"> - <div class="footer" > - <div class="right" ><i>Release: 1.22-final</i><br /> - © <a href="../../copyright.html">Copyright</a> 1985-2025, MIT. - </div> - <div class="left"> - - <a href="../../index.html" title="Full Table of Contents" - >Contents</a> | - <a href="index.html" title="Configuration Files" - >previous</a> | - <a href="kdc_conf.html" title="kdc.conf" - >next</a> | - <a href="../../genindex.html" title="General Index" - >index</a> | - <a href="../../search.html" title="Enter search criteria" - >Search</a> | - <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__krb5.conf">feedback</a> - </div> - </div> - </div> - - </body> -</html>
\ No newline at end of file |
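Review bot: deleting only the rendered krb5_conf.html leaves dangling navigation in the sibling generated pages. The hunk shows this page is wired into the Sphinx navigation (`<link rel="next" ... href="kdc_conf.html" />`, `<link rel="prev" ... href="index.html" />`, and sidebar entries for `kdc_conf.html` and `kadm5_acl.html`), and Sphinx emits the reciprocal prev/next and table-of-contents links in those sibling files, so unless `kdc_conf.html`, `kadm5_acl.html`, `index.html` and the rest of the rendered `doc/html` tree are removed in the same change, the remaining pages will link to a file that no longer exists. Suggest either removing the whole generated HTML tree together (the `_static/*.css` and `*.js` assets referenced in the head included) or, if the intent is to stop shipping pre-built docs, stating in the commit message where the krb5.conf reference (PKINIT options, the parameter-expansion table, the sample file) is now expected to be read from, e.g. the `.rst` sources or a man page, so readers of the tree are not left without it.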
