Diffstat (limited to 'crypto/krb5/doc/html/admin/conf_files')
-rw-r--r--crypto/krb5/doc/html/admin/conf_files/index.html176
-rw-r--r--crypto/krb5/doc/html/admin/conf_files/kadm5_acl.html331
-rw-r--r--crypto/krb5/doc/html/admin/conf_files/kdc_conf.html1064
-rw-r--r--crypto/krb5/doc/html/admin/conf_files/krb5_conf.html1350
4 files changed, 0 insertions, 2921 deletions
diff --git a/crypto/krb5/doc/html/admin/conf_files/index.html b/crypto/krb5/doc/html/admin/conf_files/index.html
deleted file mode 100644
index a309e76072c9..000000000000
--- a/crypto/krb5/doc/html/admin/conf_files/index.html
+++ /dev/null
@@ -1,176 +0,0 @@
-<!DOCTYPE html>
-
-<html lang="en" data-content_root="../../">
- <head>
- <meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
-
- <title>Configuration Files &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../../_static/pygments.css?v=fa44fd50" />
- <link rel="stylesheet" type="text/css" href="../../_static/agogo.css?v=879f3c71" />
- <link rel="stylesheet" type="text/css" href="../../_static/kerb.css?v=6a0b3979" />
- <script src="../../_static/documentation_options.js?v=236fef3b"></script>
- <script src="../../_static/doctools.js?v=888ff710"></script>
- <script src="../../_static/sphinx_highlight.js?v=dc90522c"></script>
- <link rel="author" title="About these documents" href="../../about.html" />
- <link rel="index" title="Index" href="../../genindex.html" />
- <link rel="search" title="Search" href="../../search.html" />
- <link rel="copyright" title="Copyright" href="../../copyright.html" />
- <link rel="next" title="krb5.conf" href="krb5_conf.html" />
- <link rel="prev" title="UNIX Application Servers" href="../install_appl_srv.html" />
- </head><body>
- <div class="header-wrapper">
- <div class="header">
-
-
- <h1><a href="../../index.html">MIT Kerberos Documentation</a></h1>
-
- <div class="rel">
-
- <a href="../../index.html" title="Full Table of Contents"
- accesskey="C">Contents</a> |
- <a href="../install_appl_srv.html" title="UNIX Application Servers"
- accesskey="P">previous</a> |
- <a href="krb5_conf.html" title="krb5.conf"
- accesskey="N">next</a> |
- <a href="../../genindex.html" title="General Index"
- accesskey="I">index</a> |
- <a href="../../search.html" title="Enter search criteria"
- accesskey="S">Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Configuration Files">feedback</a>
- </div>
- </div>
- </div>
-
- <div class="content-wrapper">
- <div class="content">
- <div class="document">
-
- <div class="documentwrapper">
- <div class="bodywrapper">
- <div class="body" role="main">
-
- <section id="configuration-files">
-<h1>Configuration Files<a class="headerlink" href="#configuration-files" title="Link to this heading">¶</a></h1>
-<p>Kerberos uses configuration files to allow administrators to specify
-settings on a per-machine basis. <a class="reference internal" href="krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a> applies to all
-applications using the Kerboros library, on clients and servers.
-For KDC-specific applications, additional settings can be specified in
-<a class="reference internal" href="kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>; the two files are merged into a configuration profile
-used by applications accessing the KDC database directly. <a class="reference internal" href="kadm5_acl.html#kadm5-acl-5"><span class="std std-ref">kadm5.acl</span></a>
-is also only used on the KDC, it controls permissions for modifying the
-KDC database.</p>
-<section id="contents">
-<h2>Contents<a class="headerlink" href="#contents" title="Link to this heading">¶</a></h2>
-<div class="toctree-wrapper compound">
-<ul>
-<li class="toctree-l1"><a class="reference internal" href="krb5_conf.html">krb5.conf</a></li>
-<li class="toctree-l1"><a class="reference internal" href="kdc_conf.html">kdc.conf</a></li>
-<li class="toctree-l1"><a class="reference internal" href="kadm5_acl.html">kadm5.acl</a></li>
-</ul>
-</div>
-</section>
-</section>
-
-
- <div class="clearer"></div>
- </div>
- </div>
- </div>
- </div>
- <div class="sidebar">
-
- <h2>On this page</h2>
- <ul>
-<li><a class="reference internal" href="#">Configuration Files</a><ul>
-<li><a class="reference internal" href="#contents">Contents</a></li>
-</ul>
-</li>
-</ul>
-
- <br/>
- <h2>Table of contents</h2>
- <ul class="current">
-<li class="toctree-l1"><a class="reference internal" href="../../user/index.html">For users</a></li>
-<li class="toctree-l1 current"><a class="reference internal" href="../index.html">For administrators</a><ul class="current">
-<li class="toctree-l2"><a class="reference internal" href="../install.html">Installation guide</a></li>
-<li class="toctree-l2 current"><a class="current reference internal" href="#">Configuration Files</a><ul>
-<li class="toctree-l3"><a class="reference internal" href="krb5_conf.html">krb5.conf</a></li>
-<li class="toctree-l3"><a class="reference internal" href="kdc_conf.html">kdc.conf</a></li>
-<li class="toctree-l3"><a class="reference internal" href="kadm5_acl.html">kadm5.acl</a></li>
-</ul>
-</li>
-<li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../dbtypes.html">Database types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../host_config.html">Host configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../spake.html">SPAKE Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../dictionary.html">Addressing dictionary attack risks</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../auth_indicator.html">Authentication indicators</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../admin_commands/index.html">Administration programs</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../../mitK5defaults.html">MIT Kerberos defaults</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../env_variables.html">Environment variables</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../troubleshoot.html">Troubleshooting</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../advanced/index.html">Advanced topics</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../various_envs.html">Various links</a></li>
-</ul>
-</li>
-<li class="toctree-l1"><a class="reference internal" href="../../appdev/index.html">For application developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../plugindev/index.html">For plugin module developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../build/index.html">Building Kerberos V5</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../basic/index.html">Kerberos V5 concepts</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../formats/index.html">Protocols and file formats</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../mitK5features.html">MIT Kerberos features</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../build_this.html">How to build this documentation from the source</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../about.html">Contributing to the MIT Kerberos Documentation</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../resources.html">Resources</a></li>
-</ul>
-
- <br/>
- <h4><a href="../../index.html">Full Table of Contents</a></h4>
- <h4>Search</h4>
- <form class="search" action="../../search.html" method="get">
- <input type="text" name="q" size="18" />
- <input type="submit" value="Go" />
- <input type="hidden" name="check_keywords" value="yes" />
- <input type="hidden" name="area" value="default" />
- </form>
-
- </div>
- <div class="clearer"></div>
- </div>
- </div>
-
- <div class="footer-wrapper">
- <div class="footer" >
- <div class="right" ><i>Release: 1.22-final</i><br />
- &copy; <a href="../../copyright.html">Copyright</a> 1985-2025, MIT.
- </div>
- <div class="left">
-
- <a href="../../index.html" title="Full Table of Contents"
- >Contents</a> |
- <a href="../install_appl_srv.html" title="UNIX Application Servers"
- >previous</a> |
- <a href="krb5_conf.html" title="krb5.conf"
- >next</a> |
- <a href="../../genindex.html" title="General Index"
- >index</a> |
- <a href="../../search.html" title="Enter search criteria"
- >Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Configuration Files">feedback</a>
- </div>
- </div>
- </div>
-
- </body>
-</html> \ No newline at end of file
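Review bot: Deleting index.html on its own leaves dangling navigation in the rest of this generated Sphinx output (the head references `_static/doctools.js` and `_static/sphinx_highlight.js`): this file declares `<link rel="prev" ... href="../install_appl_srv.html" />` and `<link rel="next" ... href="krb5_conf.html" />`, and its sidebar table of contents links to more than twenty sibling pages (`../install.html`, `../realm_config.html`, `../database.html`, ...), so those sibling pages, which carry the same sidebar, still point at `conf_files/index.html` unless they are removed or regenerated in the same change. Either drop the whole prebuilt `crypto/krb5/doc/html` tree together or regenerate it, so that the in-tree HTML stays internally consistent; per the diffstat this diff only touches the four files under `conf_files/`.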
diff --git a/crypto/krb5/doc/html/admin/conf_files/kadm5_acl.html b/crypto/krb5/doc/html/admin/conf_files/kadm5_acl.html
deleted file mode 100644
index 17e628141aa1..000000000000
--- a/crypto/krb5/doc/html/admin/conf_files/kadm5_acl.html
+++ /dev/null
@@ -1,331 +0,0 @@
-<!DOCTYPE html>
-
-<html lang="en" data-content_root="../../">
- <head>
- <meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
-
- <title>kadm5.acl &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../../_static/pygments.css?v=fa44fd50" />
- <link rel="stylesheet" type="text/css" href="../../_static/agogo.css?v=879f3c71" />
- <link rel="stylesheet" type="text/css" href="../../_static/kerb.css?v=6a0b3979" />
- <script src="../../_static/documentation_options.js?v=236fef3b"></script>
- <script src="../../_static/doctools.js?v=888ff710"></script>
- <script src="../../_static/sphinx_highlight.js?v=dc90522c"></script>
- <link rel="author" title="About these documents" href="../../about.html" />
- <link rel="index" title="Index" href="../../genindex.html" />
- <link rel="search" title="Search" href="../../search.html" />
- <link rel="copyright" title="Copyright" href="../../copyright.html" />
- <link rel="next" title="Realm configuration decisions" href="../realm_config.html" />
- <link rel="prev" title="kdc.conf" href="kdc_conf.html" />
- </head><body>
- <div class="header-wrapper">
- <div class="header">
-
-
- <h1><a href="../../index.html">MIT Kerberos Documentation</a></h1>
-
- <div class="rel">
-
- <a href="../../index.html" title="Full Table of Contents"
- accesskey="C">Contents</a> |
- <a href="kdc_conf.html" title="kdc.conf"
- accesskey="P">previous</a> |
- <a href="../realm_config.html" title="Realm configuration decisions"
- accesskey="N">next</a> |
- <a href="../../genindex.html" title="General Index"
- accesskey="I">index</a> |
- <a href="../../search.html" title="Enter search criteria"
- accesskey="S">Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__kadm5.acl">feedback</a>
- </div>
- </div>
- </div>
-
- <div class="content-wrapper">
- <div class="content">
- <div class="document">
-
- <div class="documentwrapper">
- <div class="bodywrapper">
- <div class="body" role="main">
-
- <section id="kadm5-acl">
-<span id="kadm5-acl-5"></span><h1>kadm5.acl<a class="headerlink" href="#kadm5-acl" title="Link to this heading">¶</a></h1>
-<section id="description">
-<h2>DESCRIPTION<a class="headerlink" href="#description" title="Link to this heading">¶</a></h2>
-<p>The Kerberos <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> daemon uses an Access Control List
-(ACL) file to manage access rights to the Kerberos database.
-For operations that affect principals, the ACL file also controls
-which principals can operate on which other principals.</p>
-<p>The default location of the Kerberos ACL file is
-<a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">LOCALSTATEDIR</span></a><code class="docutils literal notranslate"><span class="pre">/krb5kdc</span></code><code class="docutils literal notranslate"><span class="pre">/kadm5.acl</span></code> unless this is overridden by the <em>acl_file</em>
-variable in <a class="reference internal" href="kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>.</p>
-</section>
-<section id="syntax">
-<h2>SYNTAX<a class="headerlink" href="#syntax" title="Link to this heading">¶</a></h2>
-<p>Empty lines and lines starting with the sharp sign (<code class="docutils literal notranslate"><span class="pre">#</span></code>) are
-ignored. Lines containing ACL entries have the format:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">principal</span> <span class="n">permissions</span> <span class="p">[</span><span class="n">target_principal</span> <span class="p">[</span><span class="n">restrictions</span><span class="p">]</span> <span class="p">]</span>
-</pre></div>
-</div>
-<div class="admonition note">
-<p class="admonition-title">Note</p>
-<p>Line order in the ACL file is important. The first matching entry
-will control access for an actor principal on a target principal.</p>
-</div>
-<dl>
-<dt><em>principal</em></dt><dd><p>(Partially or fully qualified Kerberos principal name.) Specifies
-the principal whose permissions are to be set.</p>
-<p>Each component of the name may be wildcarded using the <code class="docutils literal notranslate"><span class="pre">*</span></code>
-character.</p>
-</dd>
-<dt><em>permissions</em></dt><dd><p>Specifies what operations may or may not be performed by a
-<em>principal</em> matching a particular entry. This is a string of one or
-more of the following list of characters or their upper-case
-counterparts. If the character is <em>upper-case</em>, then the operation
-is disallowed. If the character is <em>lower-case</em>, then the operation
-is permitted.</p>
-<table class="docutils align-default">
-<tbody>
-<tr class="row-odd"><td><p>a</p></td>
-<td><p>[Dis]allows the addition of principals or policies</p></td>
-</tr>
-<tr class="row-even"><td><p>c</p></td>
-<td><p>[Dis]allows the changing of passwords for principals</p></td>
-</tr>
-<tr class="row-odd"><td><p>d</p></td>
-<td><p>[Dis]allows the deletion of principals or policies</p></td>
-</tr>
-<tr class="row-even"><td><p>e</p></td>
-<td><p>[Dis]allows the extraction of principal keys</p></td>
-</tr>
-<tr class="row-odd"><td><p>i</p></td>
-<td><p>[Dis]allows inquiries about principals or policies</p></td>
-</tr>
-<tr class="row-even"><td><p>l</p></td>
-<td><p>[Dis]allows the listing of all principals or policies</p></td>
-</tr>
-<tr class="row-odd"><td><p>m</p></td>
-<td><p>[Dis]allows the modification of principals or policies</p></td>
-</tr>
-<tr class="row-even"><td><p>p</p></td>
-<td><p>[Dis]allows the propagation of the principal database (used in <a class="reference internal" href="../database.html#incr-db-prop"><span class="std std-ref">Incremental database propagation</span></a>)</p></td>
-</tr>
-<tr class="row-odd"><td><p>s</p></td>
-<td><p>[Dis]allows the explicit setting of the key for a principal</p></td>
-</tr>
-<tr class="row-even"><td><p>x</p></td>
-<td><p>Short for admcilsp. All privileges (except <code class="docutils literal notranslate"><span class="pre">e</span></code>)</p></td>
-</tr>
-<tr class="row-odd"><td><p>*</p></td>
-<td><p>Same as x.</p></td>
-</tr>
-</tbody>
-</table>
-</dd>
-</dl>
-<div class="admonition note">
-<p class="admonition-title">Note</p>
-<p>The <code class="docutils literal notranslate"><span class="pre">extract</span></code> privilege is not included in the wildcard
-privilege; it must be explicitly assigned. This privilege
-allows the user to extract keys from the database, and must be
-handled with great care to avoid disclosure of important keys
-like those of the kadmin/* or krbtgt/* principals. The
-<strong>lockdown_keys</strong> principal attribute can be used to prevent
-key extraction from specific principals regardless of the
-granted privilege.</p>
-</div>
-<dl>
-<dt><em>target_principal</em></dt><dd><p>(Optional. Partially or fully qualified Kerberos principal name.)
-Specifies the principal on which <em>permissions</em> may be applied.
-Each component of the name may be wildcarded using the <code class="docutils literal notranslate"><span class="pre">*</span></code>
-character.</p>
-<p><em>target_principal</em> can also include back-references to <em>principal</em>,
-in which <code class="docutils literal notranslate"><span class="pre">*number</span></code> matches the corresponding wildcard in
-<em>principal</em>.</p>
-</dd>
-<dt><em>restrictions</em></dt><dd><p>(Optional) A string of flags. Allowed restrictions are:</p>
-<blockquote>
-<div><dl class="simple">
-<dt>{+|-}<em>flagname</em></dt><dd><p>flag is forced to the indicated value. The permissible flags
-are the same as those for the <strong>default_principal_flags</strong>
-variable in <a class="reference internal" href="kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>.</p>
-</dd>
-<dt><em>-clearpolicy</em></dt><dd><p>policy is forced to be empty.</p>
-</dd>
-<dt><em>-policy pol</em></dt><dd><p>policy is forced to be <em>pol</em>.</p>
-</dd>
-<dt>-{<em>expire, pwexpire, maxlife, maxrenewlife</em>} <em>time</em></dt><dd><p>(<a class="reference internal" href="../../basic/date_format.html#getdate"><span class="std std-ref">getdate time</span></a> string) associated value will be forced to
-MIN(<em>time</em>, requested value).</p>
-</dd>
-</dl>
-</div></blockquote>
-<p>The above flags act as restrictions on any add or modify operation
-which is allowed due to that ACL line.</p>
-</dd>
-</dl>
-<div class="admonition warning">
-<p class="admonition-title">Warning</p>
-<p>If the kadmind ACL file is modified, the kadmind daemon needs to be
-restarted for changes to take effect.</p>
-</div>
-</section>
-<section id="example">
-<h2>EXAMPLE<a class="headerlink" href="#example" title="Link to this heading">¶</a></h2>
-<p>Here is an example of a kadm5.acl file:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="o">*/</span><span class="n">admin</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="o">*</span> <span class="c1"># line 1</span>
-<span class="n">joeadmin</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="n">ADMCIL</span> <span class="c1"># line 2</span>
-<span class="n">joeadmin</span><span class="o">/*</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="n">i</span> <span class="o">*/</span><span class="n">root</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="c1"># line 3</span>
-<span class="o">*/</span><span class="n">root</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="n">ci</span> <span class="o">*</span><span class="mi">1</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="c1"># line 4</span>
-<span class="o">*/</span><span class="n">root</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="n">l</span> <span class="o">*</span> <span class="c1"># line 5</span>
-<span class="n">sms</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="n">x</span> <span class="o">*</span> <span class="o">-</span><span class="n">maxlife</span> <span class="mi">9</span><span class="n">h</span> <span class="o">-</span><span class="n">postdateable</span> <span class="c1"># line 6</span>
-</pre></div>
-</div>
-<p>(line 1) Any principal in the <code class="docutils literal notranslate"><span class="pre">ATHENA.MIT.EDU</span></code> realm with an
-<code class="docutils literal notranslate"><span class="pre">admin</span></code> instance has all administrative privileges except extracting
-keys.</p>
-<p>(lines 1-3) The user <code class="docutils literal notranslate"><span class="pre">joeadmin</span></code> has all permissions except
-extracting keys with his <code class="docutils literal notranslate"><span class="pre">admin</span></code> instance,
-<code class="docutils literal notranslate"><span class="pre">joeadmin/admin&#64;ATHENA.MIT.EDU</span></code> (matches line 1). He has no
-permissions at all with his null instance, <code class="docutils literal notranslate"><span class="pre">joeadmin&#64;ATHENA.MIT.EDU</span></code>
-(matches line 2). His <code class="docutils literal notranslate"><span class="pre">root</span></code> and other non-<code class="docutils literal notranslate"><span class="pre">admin</span></code>, non-null
-instances (e.g., <code class="docutils literal notranslate"><span class="pre">extra</span></code> or <code class="docutils literal notranslate"><span class="pre">dbadmin</span></code>) have inquire permissions
-with any principal that has the instance <code class="docutils literal notranslate"><span class="pre">root</span></code> (matches line 3).</p>
-<p>(line 4) Any <code class="docutils literal notranslate"><span class="pre">root</span></code> principal in <code class="docutils literal notranslate"><span class="pre">ATHENA.MIT.EDU</span></code> can inquire
-or change the password of their null instance, but not any other
-null instance. (Here, <code class="docutils literal notranslate"><span class="pre">*1</span></code> denotes a back-reference to the
-component matching the first wildcard in the actor principal.)</p>
-<p>(line 5) Any <code class="docutils literal notranslate"><span class="pre">root</span></code> principal in <code class="docutils literal notranslate"><span class="pre">ATHENA.MIT.EDU</span></code> can generate
-the list of principals in the database, and the list of policies
-in the database. This line is separate from line 4, because list
-permission can only be granted globally, not to specific target
-principals.</p>
-<p>(line 6) Finally, the Service Management System principal
-<code class="docutils literal notranslate"><span class="pre">sms&#64;ATHENA.MIT.EDU</span></code> has all permissions except extracting keys, but
-any principal that it creates or modifies will not be able to get
-postdateable tickets or tickets with a life of longer than 9 hours.</p>
-</section>
-<section id="module-behavior">
-<h2>MODULE BEHAVIOR<a class="headerlink" href="#module-behavior" title="Link to this heading">¶</a></h2>
-<p>The ACL file can coexist with other authorization modules in release
-1.16 and later, as configured in the <a class="reference internal" href="krb5_conf.html#kadm5-auth"><span class="std std-ref">kadm5_auth interface</span></a> section of
-<a class="reference internal" href="krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a>. The ACL file will positively authorize
-operations according to the rules above, but will never
-authoritatively deny an operation, so other modules can authorize
-operations in addition to those authorized by the ACL file.</p>
-<p>To operate without an ACL file, set the <em>acl_file</em> variable in
-<a class="reference internal" href="kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a> to the empty string with <code class="docutils literal notranslate"><span class="pre">acl_file</span> <span class="pre">=</span> <span class="pre">&quot;&quot;</span></code>.</p>
-</section>
-<section id="see-also">
-<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Link to this heading">¶</a></h2>
-<p><a class="reference internal" href="kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>, <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a></p>
-</section>
-</section>
-
-
- <div class="clearer"></div>
- </div>
- </div>
- </div>
- </div>
- <div class="sidebar">
-
- <h2>On this page</h2>
- <ul>
-<li><a class="reference internal" href="#">kadm5.acl</a><ul>
-<li><a class="reference internal" href="#description">DESCRIPTION</a></li>
-<li><a class="reference internal" href="#syntax">SYNTAX</a></li>
-<li><a class="reference internal" href="#example">EXAMPLE</a></li>
-<li><a class="reference internal" href="#module-behavior">MODULE BEHAVIOR</a></li>
-<li><a class="reference internal" href="#see-also">SEE ALSO</a></li>
-</ul>
-</li>
-</ul>
-
- <br/>
- <h2>Table of contents</h2>
- <ul class="current">
-<li class="toctree-l1"><a class="reference internal" href="../../user/index.html">For users</a></li>
-<li class="toctree-l1 current"><a class="reference internal" href="../index.html">For administrators</a><ul class="current">
-<li class="toctree-l2"><a class="reference internal" href="../install.html">Installation guide</a></li>
-<li class="toctree-l2 current"><a class="reference internal" href="index.html">Configuration Files</a><ul class="current">
-<li class="toctree-l3"><a class="reference internal" href="krb5_conf.html">krb5.conf</a></li>
-<li class="toctree-l3"><a class="reference internal" href="kdc_conf.html">kdc.conf</a></li>
-<li class="toctree-l3 current"><a class="current reference internal" href="#">kadm5.acl</a></li>
-</ul>
-</li>
-<li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../dbtypes.html">Database types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../host_config.html">Host configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../spake.html">SPAKE Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../dictionary.html">Addressing dictionary attack risks</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../auth_indicator.html">Authentication indicators</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../admin_commands/index.html">Administration programs</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../../mitK5defaults.html">MIT Kerberos defaults</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../env_variables.html">Environment variables</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../troubleshoot.html">Troubleshooting</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../advanced/index.html">Advanced topics</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../various_envs.html">Various links</a></li>
-</ul>
-</li>
-<li class="toctree-l1"><a class="reference internal" href="../../appdev/index.html">For application developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../plugindev/index.html">For plugin module developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../build/index.html">Building Kerberos V5</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../basic/index.html">Kerberos V5 concepts</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../formats/index.html">Protocols and file formats</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../mitK5features.html">MIT Kerberos features</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../build_this.html">How to build this documentation from the source</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../about.html">Contributing to the MIT Kerberos Documentation</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../resources.html">Resources</a></li>
-</ul>
-
- <br/>
- <h4><a href="../../index.html">Full Table of Contents</a></h4>
- <h4>Search</h4>
- <form class="search" action="../../search.html" method="get">
- <input type="text" name="q" size="18" />
- <input type="submit" value="Go" />
- <input type="hidden" name="check_keywords" value="yes" />
- <input type="hidden" name="area" value="default" />
- </form>
-
- </div>
- <div class="clearer"></div>
- </div>
- </div>
-
- <div class="footer-wrapper">
- <div class="footer" >
- <div class="right" ><i>Release: 1.22-final</i><br />
- &copy; <a href="../../copyright.html">Copyright</a> 1985-2025, MIT.
- </div>
- <div class="left">
-
- <a href="../../index.html" title="Full Table of Contents"
- >Contents</a> |
- <a href="kdc_conf.html" title="kdc.conf"
- >previous</a> |
- <a href="../realm_config.html" title="Realm configuration decisions"
- >next</a> |
- <a href="../../genindex.html" title="General Index"
- >index</a> |
- <a href="../../search.html" title="Enter search criteria"
- >Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__kadm5.acl">feedback</a>
- </div>
- </div>
- </div>
-
- </body>
-</html> \ No newline at end of file
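Review bot: This deletion removes the rendered copy of the kadm5.acl guidance that operators rely on when auditing admin privileges, in particular the admonition that the `e` (extract) privilege is excluded from the `x`/`*` wildcard and must be granted explicitly, and that the `lockdown_keys` principal attribute blocks extraction regardless of the ACL. Since the diffstat records 0 insertions, nothing in this change replaces it; confirm that the documentation source these HTML files were generated from remains in the tree, or that the documentation is still shipped by another route, before merging.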
diff --git a/crypto/krb5/doc/html/admin/conf_files/kdc_conf.html b/crypto/krb5/doc/html/admin/conf_files/kdc_conf.html
deleted file mode 100644
index e6bc02ccbb55..000000000000
--- a/crypto/krb5/doc/html/admin/conf_files/kdc_conf.html
+++ /dev/null
@@ -1,1064 +0,0 @@
-<!DOCTYPE html>
-
-<html lang="en" data-content_root="../../">
- <head>
- <meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
-
- <title>kdc.conf &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../../_static/pygments.css?v=fa44fd50" />
- <link rel="stylesheet" type="text/css" href="../../_static/agogo.css?v=879f3c71" />
- <link rel="stylesheet" type="text/css" href="../../_static/kerb.css?v=6a0b3979" />
- <script src="../../_static/documentation_options.js?v=236fef3b"></script>
- <script src="../../_static/doctools.js?v=888ff710"></script>
- <script src="../../_static/sphinx_highlight.js?v=dc90522c"></script>
- <link rel="author" title="About these documents" href="../../about.html" />
- <link rel="index" title="Index" href="../../genindex.html" />
- <link rel="search" title="Search" href="../../search.html" />
- <link rel="copyright" title="Copyright" href="../../copyright.html" />
- <link rel="next" title="kadm5.acl" href="kadm5_acl.html" />
- <link rel="prev" title="krb5.conf" href="krb5_conf.html" />
- </head><body>
- <div class="header-wrapper">
- <div class="header">
-
-
- <h1><a href="../../index.html">MIT Kerberos Documentation</a></h1>
-
- <div class="rel">
-
- <a href="../../index.html" title="Full Table of Contents"
- accesskey="C">Contents</a> |
- <a href="krb5_conf.html" title="krb5.conf"
- accesskey="P">previous</a> |
- <a href="kadm5_acl.html" title="kadm5.acl"
- accesskey="N">next</a> |
- <a href="../../genindex.html" title="General Index"
- accesskey="I">index</a> |
- <a href="../../search.html" title="Enter search criteria"
- accesskey="S">Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__kdc.conf">feedback</a>
- </div>
- </div>
- </div>
-
- <div class="content-wrapper">
- <div class="content">
- <div class="document">
-
- <div class="documentwrapper">
- <div class="bodywrapper">
- <div class="body" role="main">
-
- <section id="kdc-conf">
-<span id="kdc-conf-5"></span><h1>kdc.conf<a class="headerlink" href="#kdc-conf" title="Link to this heading">¶</a></h1>
-<p>The kdc.conf file supplements <a class="reference internal" href="krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a> for programs which
-are typically only used on a KDC, such as the <a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a> and
-<a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> daemons and the <a class="reference internal" href="../admin_commands/kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a> program.
-Relations documented here may also be specified in krb5.conf; for the
-KDC programs mentioned, krb5.conf and kdc.conf will be merged into a
-single configuration profile.</p>
-<p>Normally, the kdc.conf file is found in the KDC state directory,
-<a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">LOCALSTATEDIR</span></a><code class="docutils literal notranslate"><span class="pre">/krb5kdc</span></code>. You can override the default location by setting the
-environment variable <strong>KRB5_KDC_PROFILE</strong>.</p>
-<p>Please note that you need to restart the KDC daemon for any configuration
-changes to take effect.</p>
-<section id="structure">
-<h2>Structure<a class="headerlink" href="#structure" title="Link to this heading">¶</a></h2>
-<p>The kdc.conf file is set up in the same format as the
-<a class="reference internal" href="krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a> file.</p>
-</section>
-<section id="sections">
-<h2>Sections<a class="headerlink" href="#sections" title="Link to this heading">¶</a></h2>
-<p>The kdc.conf file may contain the following sections:</p>
-<table class="docutils align-default">
-<tbody>
-<tr class="row-odd"><td><p><a class="reference internal" href="#kdcdefaults"><span class="std std-ref">[kdcdefaults]</span></a></p></td>
-<td><p>Default values for KDC behavior</p></td>
-</tr>
-<tr class="row-even"><td><p><a class="reference internal" href="#kdc-realms"><span class="std std-ref">[realms]</span></a></p></td>
-<td><p>Realm-specific database configuration and settings</p></td>
-</tr>
-<tr class="row-odd"><td><p><a class="reference internal" href="#dbdefaults"><span class="std std-ref">[dbdefaults]</span></a></p></td>
-<td><p>Default database settings</p></td>
-</tr>
-<tr class="row-even"><td><p><a class="reference internal" href="#dbmodules"><span class="std std-ref">[dbmodules]</span></a></p></td>
-<td><p>Per-database settings</p></td>
-</tr>
-<tr class="row-odd"><td><p><a class="reference internal" href="#logging"><span class="std std-ref">[logging]</span></a></p></td>
-<td><p>Controls how Kerberos daemons perform logging</p></td>
-</tr>
-</tbody>
-</table>
-<section id="kdcdefaults">
-<span id="id1"></span><h3>[kdcdefaults]<a class="headerlink" href="#kdcdefaults" title="Link to this heading">¶</a></h3>
-<p>Some relations in the [kdcdefaults] section specify default values for
-realm variables, to be used if the [realms] subsection does not
-contain a relation for the tag. See the <a class="reference internal" href="#kdc-realms"><span class="std std-ref">[realms]</span></a> section for
-the definitions of these relations.</p>
-<ul class="simple">
-<li><p><strong>host_based_services</strong></p></li>
-<li><p><strong>kdc_listen</strong></p></li>
-<li><p><strong>kdc_ports</strong></p></li>
-<li><p><strong>kdc_tcp_listen</strong></p></li>
-<li><p><strong>kdc_tcp_ports</strong></p></li>
-<li><p><strong>no_host_referral</strong></p></li>
-<li><p><strong>restrict_anonymous_to_tgt</strong></p></li>
-</ul>
-<p>The following [kdcdefaults] variables have no per-realm equivalent:</p>
-<dl class="simple">
-<dt><strong>kdc_max_dgram_reply_size</strong></dt><dd><p>Specifies the maximum packet size that can be sent over UDP. The
-default value is 4096 bytes.</p>
-</dd>
-<dt><strong>kdc_tcp_listen_backlog</strong></dt><dd><p>(Integer.) Set the size of the listen queue length for the KDC
-daemon. The value may be limited by OS settings. The default
-value is 5.</p>
-</dd>
-<dt><strong>spake_preauth_kdc_challenge</strong></dt><dd><p>(String.) Specifies the group for a SPAKE optimistic challenge.
-See the <strong>spake_preauth_groups</strong> variable in <a class="reference internal" href="krb5_conf.html#libdefaults"><span class="std std-ref">[libdefaults]</span></a>
-for possible values. The default is not to issue an optimistic
-challenge. (New in release 1.17.)</p>
-</dd>
-</dl>
-</section>
-<section id="realms">
-<span id="kdc-realms"></span><h3>[realms]<a class="headerlink" href="#realms" title="Link to this heading">¶</a></h3>
-<p>Each tag in the [realms] section is the name of a Kerberos realm. The
-value of the tag is a subsection where the relations define KDC
-parameters for that particular realm. The following example shows how
-to define one parameter for the ATHENA.MIT.EDU realm:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">realms</span><span class="p">]</span>
- <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="o">=</span> <span class="p">{</span>
- <span class="n">max_renewable_life</span> <span class="o">=</span> <span class="mi">7</span><span class="n">d</span> <span class="mi">0</span><span class="n">h</span> <span class="mi">0</span><span class="n">m</span> <span class="mi">0</span><span class="n">s</span>
- <span class="p">}</span>
-</pre></div>
-</div>
-<p>The following tags may be specified in a [realms] subsection:</p>
-<dl>
-<dt><strong>acl_file</strong></dt><dd><p>(String.) Location of the access control list file that
-<a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> uses to determine which principals are allowed
-which permissions on the Kerberos database. To operate without an
-ACL file, set this relation to the empty string with <code class="docutils literal notranslate"><span class="pre">acl_file</span> <span class="pre">=</span>
-<span class="pre">&quot;&quot;</span></code>. The default value is <a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">LOCALSTATEDIR</span></a><code class="docutils literal notranslate"><span class="pre">/krb5kdc</span></code><code class="docutils literal notranslate"><span class="pre">/kadm5.acl</span></code>. For more
-information on Kerberos ACL file see <a class="reference internal" href="kadm5_acl.html#kadm5-acl-5"><span class="std std-ref">kadm5.acl</span></a>.</p>
-</dd>
-<dt><strong>database_module</strong></dt><dd><p>(String.) This relation indicates the name of the configuration
-section under <a class="reference internal" href="#dbmodules"><span class="std std-ref">[dbmodules]</span></a> for database-specific parameters
-used by the loadable database library. The default value is the
-realm name. If this configuration section does not exist, default
-values will be used for all database parameters.</p>
-</dd>
-<dt><strong>database_name</strong></dt><dd><p>(String, deprecated.) This relation specifies the location of the
-Kerberos database for this realm, if the DB2 module is being used
-and the <a class="reference internal" href="#dbmodules"><span class="std std-ref">[dbmodules]</span></a> configuration section does not specify a
-database name. The default value is <a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">LOCALSTATEDIR</span></a><code class="docutils literal notranslate"><span class="pre">/krb5kdc</span></code><code class="docutils literal notranslate"><span class="pre">/principal</span></code>.</p>
-</dd>
-<dt><strong>default_principal_expiration</strong></dt><dd><p>(<a class="reference internal" href="../../basic/date_format.html#abstime"><span class="std std-ref">Absolute time</span></a> string.) Specifies the default expiration date of
-principals created in this realm. The default value is 0, which
-means no expiration date.</p>
-</dd>
-<dt><strong>default_principal_flags</strong></dt><dd><p>(Flag string.) Specifies the default attributes of principals
-created in this realm. The format for this string is a
-comma-separated list of flags, with ‘+’ before each flag that
-should be enabled and ‘-’ before each flag that should be
-disabled. The <strong>postdateable</strong>, <strong>forwardable</strong>, <strong>tgt-based</strong>,
-<strong>renewable</strong>, <strong>proxiable</strong>, <strong>dup-skey</strong>, <strong>allow-tickets</strong>, and
-<strong>service</strong> flags default to enabled.</p>
-<p>There are a number of possible flags:</p>
-<dl class="simple">
-<dt><strong>allow-tickets</strong></dt><dd><p>Enabling this flag means that the KDC will issue tickets for
-this principal. Disabling this flag essentially deactivates
-the principal within this realm.</p>
-</dd>
-<dt><strong>dup-skey</strong></dt><dd><p>Enabling this flag allows the KDC to issue user-to-user
-service tickets for this principal.</p>
-</dd>
-<dt><strong>forwardable</strong></dt><dd><p>Enabling this flag allows the principal to obtain forwardable
-tickets.</p>
-</dd>
-<dt><strong>hwauth</strong></dt><dd><p>If this flag is enabled, then the principal is required to
-preauthenticate using a hardware device before receiving any
-tickets.</p>
-</dd>
-<dt><strong>no-auth-data-required</strong></dt><dd><p>Enabling this flag prevents PAC or AD-SIGNEDPATH data from
-being added to service tickets for the principal.</p>
-</dd>
-<dt><strong>ok-as-delegate</strong></dt><dd><p>If this flag is enabled, it hints the client that credentials
-can and should be delegated when authenticating to the
-service.</p>
-</dd>
-<dt><strong>ok-to-auth-as-delegate</strong></dt><dd><p>Enabling this flag allows the principal to use S4USelf tickets.</p>
-</dd>
-<dt><strong>postdateable</strong></dt><dd><p>Enabling this flag allows the principal to obtain postdateable
-tickets.</p>
-</dd>
-<dt><strong>preauth</strong></dt><dd><p>If this flag is enabled on a client principal, then that
-principal is required to preauthenticate to the KDC before
-receiving any tickets. On a service principal, enabling this
-flag means that service tickets for this principal will only
-be issued to clients with a TGT that has the preauthenticated
-bit set.</p>
-</dd>
-<dt><strong>proxiable</strong></dt><dd><p>Enabling this flag allows the principal to obtain proxy
-tickets.</p>
-</dd>
-<dt><strong>pwchange</strong></dt><dd><p>Enabling this flag forces a password change for this
-principal.</p>
-</dd>
-<dt><strong>pwservice</strong></dt><dd><p>If this flag is enabled, it marks this principal as a password
-change service. This should only be used in special cases,
-for example, if a user’s password has expired, then the user
-has to get tickets for that principal without going through
-the normal password authentication in order to be able to
-change the password.</p>
-</dd>
-<dt><strong>renewable</strong></dt><dd><p>Enabling this flag allows the principal to obtain renewable
-tickets.</p>
-</dd>
-<dt><strong>service</strong></dt><dd><p>Enabling this flag allows the the KDC to issue service tickets
-for this principal. In release 1.17 and later, user-to-user
-service tickets are still allowed if the <strong>dup-skey</strong> flag is
-set.</p>
-</dd>
-<dt><strong>tgt-based</strong></dt><dd><p>Enabling this flag allows a principal to obtain tickets based
-on a ticket-granting-ticket, rather than repeating the
-authentication process that was used to obtain the TGT.</p>
-</dd>
-</dl>
-</dd>
-<dt><strong>dict_file</strong></dt><dd><p>(String.) Location of the dictionary file containing strings that
-are not allowed as passwords. The file should contain one string
-per line, with no additional whitespace. If none is specified or
-if there is no policy assigned to the principal, no dictionary
-checks of passwords will be performed.</p>
-</dd>
-<dt><strong>disable_pac</strong></dt><dd><p>(Boolean value.) If true, the KDC will not issue PACs for this
-realm, and S4U2Self and S4U2Proxy operations will be disabled.
-The default is false, which will permit the KDC to issue PACs.
-New in release 1.20.</p>
-</dd>
-<dt><strong>encrypted_challenge_indicator</strong></dt><dd><p>(String.) Specifies the authentication indicator value that the KDC
-asserts into tickets obtained using FAST encrypted challenge
-pre-authentication. New in 1.16.</p>
-</dd>
-<dt><strong>host_based_services</strong></dt><dd><p>(Whitespace- or comma-separated list.) Lists services which will
-get host-based referral processing even if the server principal is
-not marked as host-based by the client.</p>
-</dd>
-<dt><strong>iprop_enable</strong></dt><dd><p>(Boolean value.) Specifies whether incremental database
-propagation is enabled. The default value is false.</p>
-</dd>
-<dt><strong>iprop_ulogsize</strong></dt><dd><p>(Integer.) Specifies the maximum number of log entries to be
-retained for incremental propagation. The default value is 1000.
-Prior to release 1.11, the maximum value was 2500. New in release
-1.19.</p>
-</dd>
-<dt><strong>iprop_master_ulogsize</strong></dt><dd><p>The name for <strong>iprop_ulogsize</strong> prior to release 1.19. Its value is
-used as a fallback if <strong>iprop_ulogsize</strong> is not specified.</p>
-</dd>
-<dt><strong>iprop_replica_poll</strong></dt><dd><p>(Delta time string.) Specifies how often the replica KDC polls
-for new updates from the primary. The default value is <code class="docutils literal notranslate"><span class="pre">2m</span></code>
-(that is, two minutes). New in release 1.17.</p>
-</dd>
-<dt><strong>iprop_slave_poll</strong></dt><dd><p>(Delta time string.) The name for <strong>iprop_replica_poll</strong> prior to
-release 1.17. Its value is used as a fallback if
-<strong>iprop_replica_poll</strong> is not specified.</p>
-</dd>
-<dt><strong>iprop_listen</strong></dt><dd><p>(Whitespace- or comma-separated list.) Specifies the iprop RPC
-listening addresses and/or ports for the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> daemon.
-Each entry may be an interface address, a port number, or an
-address and port number separated by a colon. If the address
-contains colons, enclose it in square brackets. If no address is
-specified, the wildcard address is used. If kadmind fails to bind
-to any of the specified addresses, it will fail to start. The
-default (when <strong>iprop_enable</strong> is true) is to bind to the wildcard
-address at the port specified in <strong>iprop_port</strong>. New in release
-1.15.</p>
-</dd>
-<dt><strong>iprop_port</strong></dt><dd><p>(Port number.) Specifies the port number to be used for
-incremental propagation. When <strong>iprop_enable</strong> is true, this
-relation is required in the replica KDC configuration file, and
-this relation or <strong>iprop_listen</strong> is required in the primary
-configuration file, as there is no default port number. Port
-numbers specified in <strong>iprop_listen</strong> entries will override this
-port number for the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> daemon.</p>
-</dd>
-<dt><strong>iprop_resync_timeout</strong></dt><dd><p>(Delta time string.) Specifies the amount of time to wait for a
-full propagation to complete. This is optional in configuration
-files, and is used by replica KDCs only. The default value is 5
-minutes (<code class="docutils literal notranslate"><span class="pre">5m</span></code>). New in release 1.11.</p>
-</dd>
-<dt><strong>iprop_logfile</strong></dt><dd><p>(File name.) Specifies where the update log file for the realm
-database is to be stored. The default is to use the
-<strong>database_name</strong> entry from the realms section of the krb5 config
-file, with <code class="docutils literal notranslate"><span class="pre">.ulog</span></code> appended. (NOTE: If <strong>database_name</strong> isn’t
-specified in the realms section, perhaps because the LDAP database
-back end is being used, or the file name is specified in the
-[dbmodules] section, then the hard-coded default for
-<strong>database_name</strong> is used. Determination of the <strong>iprop_logfile</strong>
-default value will not use values from the [dbmodules] section.)</p>
-</dd>
-<dt><strong>kadmind_listen</strong></dt><dd><p>(Whitespace- or comma-separated list.) Specifies the kadmin RPC
-listening addresses and/or ports for the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> daemon.
-Each entry may be an interface address, a port number, an address
-and port number separated by a colon, or a UNIX domain socket
-pathname. If the address contains colons, enclose it in square
-brackets. If no address is specified, the wildcard address is
-used. To disable listening for kadmin RPC connections, set this
-relation to the empty string with <code class="docutils literal notranslate"><span class="pre">kadmind_listen</span> <span class="pre">=</span> <span class="pre">&quot;&quot;</span></code>. If
-kadmind fails to bind to any of the specified addresses, it will
-fail to start. The default is to bind to the wildcard address at
-the port specified in <strong>kadmind_port</strong>, or the standard kadmin
-port (749). New in release 1.15.</p>
-</dd>
-<dt><strong>kadmind_port</strong></dt><dd><p>(Port number.) Specifies the port on which the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a>
-daemon is to listen for this realm. Port numbers specified in
-<strong>kadmind_listen</strong> entries will override this port number. The
-assigned port for kadmind is 749, which is used by default.</p>
-</dd>
-<dt><strong>key_stash_file</strong></dt><dd><p>(String.) Specifies the location where the master key has been
-stored (via kdb5_util stash). The default is <a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">LOCALSTATEDIR</span></a><code class="docutils literal notranslate"><span class="pre">/krb5kdc</span></code><code class="docutils literal notranslate"><span class="pre">/.k5.REALM</span></code>, where <em>REALM</em> is the Kerberos realm.</p>
-</dd>
-<dt><strong>kdc_listen</strong></dt><dd><p>(Whitespace- or comma-separated list.) Specifies the listening
-addresses and/or ports for the <a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a> daemon. Each
-entry may be an interface address, a port number, an address and
-port number separated by a colon, or a UNIX domain socket
-pathname. If the address contains colons, enclose it in square
-brackets. If no address is specified, the wildcard address is
-used. If no port is specified, the standard port (88) is used.
-To disable listening on UDP, set this relation to the empty string
-with <code class="docutils literal notranslate"><span class="pre">kdc_listen</span> <span class="pre">=</span> <span class="pre">&quot;&quot;</span></code>. If the KDC daemon fails to bind to any
-of the specified addresses, it will fail to start. The default is
-to bind to the wildcard address on the standard port. New in
-release 1.15.</p>
-</dd>
-<dt><strong>kdc_ports</strong></dt><dd><p>(Whitespace- or comma-separated list, deprecated.) Prior to
-release 1.15, this relation lists the ports for the
-<a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a> daemon to listen on for UDP requests. In
-release 1.15 and later, it has the same meaning as <strong>kdc_listen</strong>
-if that relation is not defined.</p>
-</dd>
-<dt><strong>kdc_tcp_listen</strong></dt><dd><p>(Whitespace- or comma-separated list.) Specifies the TCP
-listening addresses and/or ports for the <a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a> daemon.
-The syntax is identical to that of <strong>kdc_listen</strong>. To disable
-listening on TCP, set this relation to the empty string with
-<code class="docutils literal notranslate"><span class="pre">kdc_tcp_listen</span> <span class="pre">=</span> <span class="pre">&quot;&quot;</span></code>. The default is to bind to the same
-addresses and ports as for UDP. New in release 1.15.</p>
-</dd>
-<dt><strong>kdc_tcp_ports</strong></dt><dd><p>(Whitespace- or comma-separated list, deprecated.) Prior to
-release 1.15, this relation lists the ports for the
-<a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a> daemon to listen on for UDP requests. In
-release 1.15 and later, it has the same meaning as
-<strong>kdc_tcp_listen</strong> if that relation is not defined.</p>
-</dd>
-<dt><strong>kpasswd_listen</strong></dt><dd><p>(Comma-separated list.) Specifies the kpasswd listening
-addresses and/or ports for the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> daemon. Each
-entry may be an interface address, a port number, an address and
-port number separated by a colon, or a UNIX domain socket
-pathname. If the address contains colons, enclose it in square
-brackets. If no address is specified, the wildcard address is
-used. To disable listening for kpasswd requests, set this
-relation to the empty string with <code class="docutils literal notranslate"><span class="pre">kpasswd_listen</span> <span class="pre">=</span> <span class="pre">&quot;&quot;</span></code>. If
-kadmind fails to bind to any of the specified addresses, it will
-fail to start. The default is to bind to the wildcard address at
-the port specified in <strong>kpasswd_port</strong>, or the standard kpasswd
-port (464). New in release 1.15.</p>
-</dd>
-<dt><strong>kpasswd_port</strong></dt><dd><p>(Port number.) Specifies the port on which the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a>
-daemon is to listen for password change requests for this realm.
-Port numbers specified in <strong>kpasswd_listen</strong> entries will override
-this port number. The assigned port for password change requests
-is 464, which is used by default.</p>
-</dd>
-<dt><strong>master_key_name</strong></dt><dd><p>(String.) Specifies the name of the principal associated with the
-master key. The default is <code class="docutils literal notranslate"><span class="pre">K/M</span></code>.</p>
-</dd>
-<dt><strong>master_key_type</strong></dt><dd><p>(Key type string.) Specifies the master key’s key type. The
-default value for this is <code class="docutils literal notranslate"><span class="pre">aes256-cts-hmac-sha1-96</span></code>. For a list of all possible
-values, see <a class="reference internal" href="#encryption-types"><span class="std std-ref">Encryption types</span></a>.</p>
-</dd>
-<dt><strong>max_life</strong></dt><dd><p>(<a class="reference internal" href="../../basic/date_format.html#duration"><span class="std std-ref">Time duration</span></a> string.) Specifies the maximum time period for
-which a ticket may be valid in this realm. The default value is
-24 hours.</p>
-</dd>
-<dt><strong>max_renewable_life</strong></dt><dd><p>(<a class="reference internal" href="../../basic/date_format.html#duration"><span class="std std-ref">Time duration</span></a> string.) Specifies the maximum time period
-during which a valid ticket may be renewed in this realm.
-The default value is 0.</p>
-</dd>
-<dt><strong>no_host_referral</strong></dt><dd><p>(Whitespace- or comma-separated list.) Lists services to block
-from getting host-based referral processing, even if the client
-marks the server principal as host-based or the service is also
-listed in <strong>host_based_services</strong>. <code class="docutils literal notranslate"><span class="pre">no_host_referral</span> <span class="pre">=</span> <span class="pre">*</span></code> will
-disable referral processing altogether.</p>
-</dd>
-<dt><strong>reject_bad_transit</strong></dt><dd><p>(Boolean value.) If set to true, the KDC will check the list of
-transited realms for cross-realm tickets against the transit path
-computed from the realm names and the capaths section of its
-<a class="reference internal" href="krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a> file; if the path in the ticket to be issued
-contains any realms not in the computed path, the ticket will not
-be issued, and an error will be returned to the client instead.
-If this value is set to false, such tickets will be issued
-anyways, and it will be left up to the application server to
-validate the realm transit path.</p>
-<p>If the disable-transited-check flag is set in the incoming
-request, this check is not performed at all. Having the
-<strong>reject_bad_transit</strong> option will cause such ticket requests to
-be rejected always.</p>
-<p>This transit path checking and config file option currently apply
-only to TGS requests.</p>
-<p>The default value is true.</p>
-</dd>
-<dt><strong>restrict_anonymous_to_tgt</strong></dt><dd><p>(Boolean value.) If set to true, the KDC will reject ticket
-requests from anonymous principals to service principals other
-than the realm’s ticket-granting service. This option allows
-anonymous PKINIT to be enabled for use as FAST armor tickets
-without allowing anonymous authentication to services. The
-default value is false. New in release 1.9.</p>
-</dd>
-<dt><strong>spake_preauth_indicator</strong></dt><dd><p>(String.) Specifies an authentication indicator value that the
-KDC asserts into tickets obtained using SPAKE pre-authentication.
-The default is not to add any indicators. This option may be
-specified multiple times. New in release 1.17.</p>
-</dd>
-<dt><strong>supported_enctypes</strong></dt><dd><p>(List of <em>key</em>:<em>salt</em> strings.) Specifies the default key/salt
-combinations of principals for this realm. Any principals created
-through <a class="reference internal" href="../admin_commands/kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> will have keys of these types. The
-default value for this tag is <code class="docutils literal notranslate"><span class="pre">aes256-cts-hmac-sha1-96:normal</span> <span class="pre">aes128-cts-hmac-sha1-96:normal</span></code>. For lists of
-possible values, see <a class="reference internal" href="#keysalt-lists"><span class="std std-ref">Keysalt lists</span></a>.</p>
-</dd>
-</dl>
-</section>
-<section id="dbdefaults">
-<span id="id2"></span><h3>[dbdefaults]<a class="headerlink" href="#dbdefaults" title="Link to this heading">¶</a></h3>
-<p>The [dbdefaults] section specifies default values for some database
-parameters, to be used if the [dbmodules] subsection does not contain
-a relation for the tag. See the <a class="reference internal" href="#dbmodules"><span class="std std-ref">[dbmodules]</span></a> section for the
-definitions of these relations.</p>
-<ul class="simple">
-<li><p><strong>ldap_kerberos_container_dn</strong></p></li>
-<li><p><strong>ldap_kdc_dn</strong></p></li>
-<li><p><strong>ldap_kdc_sasl_authcid</strong></p></li>
-<li><p><strong>ldap_kdc_sasl_authzid</strong></p></li>
-<li><p><strong>ldap_kdc_sasl_mech</strong></p></li>
-<li><p><strong>ldap_kdc_sasl_realm</strong></p></li>
-<li><p><strong>ldap_kadmind_dn</strong></p></li>
-<li><p><strong>ldap_kadmind_sasl_authcid</strong></p></li>
-<li><p><strong>ldap_kadmind_sasl_authzid</strong></p></li>
-<li><p><strong>ldap_kadmind_sasl_mech</strong></p></li>
-<li><p><strong>ldap_kadmind_sasl_realm</strong></p></li>
-<li><p><strong>ldap_service_password_file</strong></p></li>
-<li><p><strong>ldap_conns_per_server</strong></p></li>
-</ul>
-</section>
-<section id="dbmodules">
-<span id="id3"></span><h3>[dbmodules]<a class="headerlink" href="#dbmodules" title="Link to this heading">¶</a></h3>
-<p>The [dbmodules] section contains parameters used by the KDC database
-library and database modules. Each tag in the [dbmodules] section is
-the name of a Kerberos realm or a section name specified by a realm’s
-<strong>database_module</strong> parameter. The following example shows how to
-define one database parameter for the ATHENA.MIT.EDU realm:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">dbmodules</span><span class="p">]</span>
- <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="o">=</span> <span class="p">{</span>
- <span class="n">disable_last_success</span> <span class="o">=</span> <span class="n">true</span>
- <span class="p">}</span>
-</pre></div>
-</div>
-<p>The following tags may be specified in a [dbmodules] subsection:</p>
-<dl class="simple">
-<dt><strong>database_name</strong></dt><dd><p>This DB2-specific tag indicates the location of the database in
-the filesystem. The default is <a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">LOCALSTATEDIR</span></a><code class="docutils literal notranslate"><span class="pre">/krb5kdc</span></code><code class="docutils literal notranslate"><span class="pre">/principal</span></code>.</p>
-</dd>
-<dt><strong>db_library</strong></dt><dd><p>This tag indicates the name of the loadable database module. The
-value should be <code class="docutils literal notranslate"><span class="pre">db2</span></code> for the DB2 module, <code class="docutils literal notranslate"><span class="pre">klmdb</span></code> for the LMDB
-module, or <code class="docutils literal notranslate"><span class="pre">kldap</span></code> for the LDAP module.</p>
-</dd>
-<dt><strong>disable_last_success</strong></dt><dd><p>If set to <code class="docutils literal notranslate"><span class="pre">true</span></code>, suppresses KDC updates to the “Last successful
-authentication” field of principal entries requiring
-preauthentication. Setting this flag may improve performance.
-(Principal entries which do not require preauthentication never
-update the “Last successful authentication” field.). First
-introduced in release 1.9.</p>
-</dd>
-<dt><strong>disable_lockout</strong></dt><dd><p>If set to <code class="docutils literal notranslate"><span class="pre">true</span></code>, suppresses KDC updates to the “Last failed
-authentication” and “Failed password attempts” fields of principal
-entries requiring preauthentication. Setting this flag may
-improve performance, but also disables account lockout. First
-introduced in release 1.9.</p>
-</dd>
-<dt><strong>ldap_conns_per_server</strong></dt><dd><p>This LDAP-specific tag indicates the number of connections to be
-maintained per LDAP server.</p>
-</dd>
-<dt><strong>ldap_kdc_dn</strong> and <strong>ldap_kadmind_dn</strong></dt><dd><p>These LDAP-specific tags indicate the default DN for binding to
-the LDAP server. The <a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a> daemon uses
-<strong>ldap_kdc_dn</strong>, while the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> daemon and other
-administrative programs use <strong>ldap_kadmind_dn</strong>. The kadmind DN
-must have the rights to read and write the Kerberos data in the
-LDAP database. The KDC DN must have the same rights, unless
-<strong>disable_lockout</strong> and <strong>disable_last_success</strong> are true, in
-which case it only needs to have rights to read the Kerberos data.
-These tags are ignored if a SASL mechanism is set with
-<strong>ldap_kdc_sasl_mech</strong> or <strong>ldap_kadmind_sasl_mech</strong>.</p>
-</dd>
-<dt><strong>ldap_kdc_sasl_mech</strong> and <strong>ldap_kadmind_sasl_mech</strong></dt><dd><p>These LDAP-specific tags specify the SASL mechanism (such as
-<code class="docutils literal notranslate"><span class="pre">EXTERNAL</span></code>) to use when binding to the LDAP server. New in
-release 1.13.</p>
-</dd>
-<dt><strong>ldap_kdc_sasl_authcid</strong> and <strong>ldap_kadmind_sasl_authcid</strong></dt><dd><p>These LDAP-specific tags specify the SASL authentication identity
-to use when binding to the LDAP server. Not all SASL mechanisms
-require an authentication identity. If the SASL mechanism
-requires a secret (such as the password for <code class="docutils literal notranslate"><span class="pre">DIGEST-MD5</span></code>), these
-tags also determine the name within the
-<strong>ldap_service_password_file</strong> where the secret is stashed. New
-in release 1.13.</p>
-</dd>
-<dt><strong>ldap_kdc_sasl_authzid</strong> and <strong>ldap_kadmind_sasl_authzid</strong></dt><dd><p>These LDAP-specific tags specify the SASL authorization identity
-to use when binding to the LDAP server. In most circumstances
-they do not need to be specified. New in release 1.13.</p>
-</dd>
-<dt><strong>ldap_kdc_sasl_realm</strong> and <strong>ldap_kadmind_sasl_realm</strong></dt><dd><p>These LDAP-specific tags specify the SASL realm to use when
-binding to the LDAP server. In most circumstances they do not
-need to be set. New in release 1.13.</p>
-</dd>
-<dt><strong>ldap_kerberos_container_dn</strong></dt><dd><p>This LDAP-specific tag indicates the DN of the container object
-where the realm objects will be located.</p>
-</dd>
-<dt><strong>ldap_servers</strong></dt><dd><p>This LDAP-specific tag indicates the list of LDAP servers that the
-Kerberos servers can connect to. The list of LDAP servers is
-whitespace-separated. The LDAP server is specified by a LDAP URI.
-It is recommended to use <code class="docutils literal notranslate"><span class="pre">ldapi:</span></code> or <code class="docutils literal notranslate"><span class="pre">ldaps:</span></code> URLs to connect
-to the LDAP server.</p>
-</dd>
-<dt><strong>ldap_service_password_file</strong></dt><dd><p>This LDAP-specific tag indicates the file containing the stashed
-passwords (created by <code class="docutils literal notranslate"><span class="pre">kdb5_ldap_util</span> <span class="pre">stashsrvpw</span></code>) for the
-<strong>ldap_kdc_dn</strong> and <strong>ldap_kadmind_dn</strong> objects, or for the
-<strong>ldap_kdc_sasl_authcid</strong> or <strong>ldap_kadmind_sasl_authcid</strong> names
-for SASL authentication. This file must be kept secure.</p>
-</dd>
-<dt><strong>mapsize</strong></dt><dd><p>This LMDB-specific tag indicates the maximum size of the two
-database environments in megabytes. The default value is 128.
-Increase this value to address “Environment mapsize limit reached”
-errors. New in release 1.17.</p>
-</dd>
-<dt><strong>max_readers</strong></dt><dd><p>This LMDB-specific tag indicates the maximum number of concurrent
-reading processes for the databases. The default value is 128.
-New in release 1.17.</p>
-</dd>
-<dt><strong>nosync</strong></dt><dd><p>This LMDB-specific tag can be set to improve the throughput of
-kadmind and other administrative agents, at the expense of
-durability (recent database changes may not survive a power outage
-or other sudden reboot). It does not affect the throughput of the
-KDC. The default value is false. New in release 1.17.</p>
-</dd>
-<dt><strong>unlockiter</strong></dt><dd><p>If set to <code class="docutils literal notranslate"><span class="pre">true</span></code>, this DB2-specific tag causes iteration
-operations to release the database lock while processing each
-principal. Setting this flag to <code class="docutils literal notranslate"><span class="pre">true</span></code> can prevent extended
-blocking of KDC or kadmin operations when dumps of large databases
-are in progress. First introduced in release 1.13.</p>
-</dd>
-</dl>
-<p>The following tag may be specified directly in the [dbmodules]
-section to control where database modules are loaded from:</p>
-<dl class="simple">
-<dt><strong>db_module_dir</strong></dt><dd><p>This tag controls where the plugin system looks for database
-modules. The value should be an absolute path.</p>
-</dd>
-</dl>
-</section>
-<section id="logging">
-<span id="id4"></span><h3>[logging]<a class="headerlink" href="#logging" title="Link to this heading">¶</a></h3>
-<p>The [logging] section indicates how <a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a> and
-<a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> perform logging. It may contain the following
-relations:</p>
-<dl class="simple">
-<dt><strong>admin_server</strong></dt><dd><p>Specifies how <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> performs logging.</p>
-</dd>
-<dt><strong>kdc</strong></dt><dd><p>Specifies how <a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a> performs logging.</p>
-</dd>
-<dt><strong>default</strong></dt><dd><p>Specifies how either daemon performs logging in the absence of
-relations specific to the daemon.</p>
-</dd>
-<dt><strong>debug</strong></dt><dd><p>(Boolean value.) Specifies whether debugging messages are
-included in log outputs other than SYSLOG. Debugging messages are
-always included in the system log output because syslog performs
-its own priority filtering. The default value is false. New in
-release 1.15.</p>
-</dd>
-</dl>
-<p>Logging specifications may have the following forms:</p>
-<dl>
-<dt><strong>FILE=</strong><em>filename</em> or <strong>FILE:</strong><em>filename</em></dt><dd><p>This value causes the daemon’s logging messages to go to the
-<em>filename</em>. If the <code class="docutils literal notranslate"><span class="pre">=</span></code> form is used, the file is overwritten.
-If the <code class="docutils literal notranslate"><span class="pre">:</span></code> form is used, the file is appended to.</p>
-</dd>
-<dt><strong>STDERR</strong></dt><dd><p>This value causes the daemon’s logging messages to go to its
-standard error stream.</p>
-</dd>
-<dt><strong>CONSOLE</strong></dt><dd><p>This value causes the daemon’s logging messages to go to the
-console, if the system supports it.</p>
-</dd>
-<dt><strong>DEVICE=</strong><em>&lt;devicename&gt;</em></dt><dd><p>This causes the daemon’s logging messages to go to the specified
-device.</p>
-</dd>
-<dt><strong>SYSLOG</strong>[<strong>:</strong><em>severity</em>[<strong>:</strong><em>facility</em>]]</dt><dd><p>This causes the daemon’s logging messages to go to the system log.</p>
-<p>For backward compatibility, a severity argument may be specified,
-and must be specified in order to specify a facility. This
-argument will be ignored.</p>
-<p>The facility argument specifies the facility under which the
-messages are logged. This may be any of the following facilities
-supported by the syslog(3) call minus the LOG_ prefix: <strong>KERN</strong>,
-<strong>USER</strong>, <strong>MAIL</strong>, <strong>DAEMON</strong>, <strong>AUTH</strong>, <strong>LPR</strong>, <strong>NEWS</strong>,
-<strong>UUCP</strong>, <strong>CRON</strong>, and <strong>LOCAL0</strong> through <strong>LOCAL7</strong>. If no
-facility is specified, the default is <strong>AUTH</strong>.</p>
-</dd>
-</dl>
-<p>In the following example, the logging messages from the KDC will go to
-the console and to the system log under the facility LOG_DAEMON, and
-the logging messages from the administrative server will be appended
-to the file <code class="docutils literal notranslate"><span class="pre">/var/adm/kadmin.log</span></code> and sent to the device
-<code class="docutils literal notranslate"><span class="pre">/dev/tty04</span></code>.</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">logging</span><span class="p">]</span>
- <span class="n">kdc</span> <span class="o">=</span> <span class="n">CONSOLE</span>
- <span class="n">kdc</span> <span class="o">=</span> <span class="n">SYSLOG</span><span class="p">:</span><span class="n">INFO</span><span class="p">:</span><span class="n">DAEMON</span>
- <span class="n">admin_server</span> <span class="o">=</span> <span class="n">FILE</span><span class="p">:</span><span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">adm</span><span class="o">/</span><span class="n">kadmin</span><span class="o">.</span><span class="n">log</span>
- <span class="n">admin_server</span> <span class="o">=</span> <span class="n">DEVICE</span><span class="o">=/</span><span class="n">dev</span><span class="o">/</span><span class="n">tty04</span>
-</pre></div>
-</div>
-<p>If no logging specification is given, the default is to use syslog.
-To disable logging entirely, specify <code class="docutils literal notranslate"><span class="pre">default</span> <span class="pre">=</span> <span class="pre">DEVICE=/dev/null</span></code>.</p>
-</section>
-<section id="otp">
-<span id="id5"></span><h3>[otp]<a class="headerlink" href="#otp" title="Link to this heading">¶</a></h3>
-<p>Each subsection of [otp] is the name of an OTP token type. The tags
-within the subsection define the configuration required to forward a
-One Time Password request to a RADIUS server.</p>
-<p>For each token type, the following tags may be specified:</p>
-<dl class="simple">
-<dt><strong>server</strong></dt><dd><p>This is the server to send the RADIUS request to. It can be a
-hostname with optional port, an ip address with optional port, or
-a Unix domain socket address. The default is
-<a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">LOCALSTATEDIR</span></a><code class="docutils literal notranslate"><span class="pre">/krb5kdc</span></code><code class="docutils literal notranslate"><span class="pre">/&lt;name&gt;.socket</span></code>.</p>
-</dd>
-<dt><strong>secret</strong></dt><dd><p>This tag indicates a filename (which may be relative to <a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">LOCALSTATEDIR</span></a><code class="docutils literal notranslate"><span class="pre">/krb5kdc</span></code>)
-containing the secret used to encrypt the RADIUS packets. The
-secret should appear in the first line of the file by itself;
-leading and trailing whitespace on the line will be removed. If
-the value of <strong>server</strong> is a Unix domain socket address, this tag
-is optional, and an empty secret will be used if it is not
-specified. Otherwise, this tag is required.</p>
-</dd>
-<dt><strong>timeout</strong></dt><dd><p>An integer which specifies the time in seconds during which the
-KDC should attempt to contact the RADIUS server. This tag is the
-total time across all retries and should be less than the time
-which an OTP value remains valid for. The default is 5 seconds.</p>
-</dd>
-<dt><strong>retries</strong></dt><dd><p>This tag specifies the number of retries to make to the RADIUS
-server. The default is 3 retries (4 tries).</p>
-</dd>
-<dt><strong>strip_realm</strong></dt><dd><p>If this tag is <code class="docutils literal notranslate"><span class="pre">true</span></code>, the principal without the realm will be
-passed to the RADIUS server. Otherwise, the realm will be
-included. The default value is <code class="docutils literal notranslate"><span class="pre">true</span></code>.</p>
-</dd>
-<dt><strong>indicator</strong></dt><dd><p>This tag specifies an authentication indicator to be included in
-the ticket if this token type is used to authenticate. This
-option may be specified multiple times. (New in release 1.14.)</p>
-</dd>
-</dl>
-<p>In the following example, requests are sent to a remote server via UDP:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>[otp]
- MyRemoteTokenType = {
- server = radius.mydomain.com:1812
- secret = SEmfiajf42$
- timeout = 15
- retries = 5
- strip_realm = true
- }
-</pre></div>
-</div>
-<p>An implicit default token type named <code class="docutils literal notranslate"><span class="pre">DEFAULT</span></code> is defined for when
-the per-principal configuration does not specify a token type. Its
-configuration is shown below. You may override this token type to
-something applicable for your situation:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">otp</span><span class="p">]</span>
- <span class="n">DEFAULT</span> <span class="o">=</span> <span class="p">{</span>
- <span class="n">strip_realm</span> <span class="o">=</span> <span class="n">false</span>
- <span class="p">}</span>
-</pre></div>
-</div>
-</section>
-</section>
-<section id="pkinit-options">
-<h2>PKINIT options<a class="headerlink" href="#pkinit-options" title="Link to this heading">¶</a></h2>
-<div class="admonition note">
-<p class="admonition-title">Note</p>
-<p>The following are pkinit-specific options. These values may
-be specified in [kdcdefaults] as global defaults, or within
-a realm-specific subsection of [realms]. Also note that a
-realm-specific value over-rides, does not add to, a generic
-[kdcdefaults] specification. The search order is:</p>
-</div>
-<ol class="arabic">
-<li><p>realm-specific subsection of [realms]:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">realms</span><span class="p">]</span>
- <span class="n">EXAMPLE</span><span class="o">.</span><span class="n">COM</span> <span class="o">=</span> <span class="p">{</span>
- <span class="n">pkinit_anchors</span> <span class="o">=</span> <span class="n">FILE</span><span class="p">:</span><span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">local</span><span class="o">/</span><span class="n">example</span><span class="o">.</span><span class="n">com</span><span class="o">.</span><span class="n">crt</span>
- <span class="p">}</span>
-</pre></div>
-</div>
-</li>
-<li><p>generic value in the [kdcdefaults] section:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">kdcdefaults</span><span class="p">]</span>
- <span class="n">pkinit_anchors</span> <span class="o">=</span> <span class="n">DIR</span><span class="p">:</span><span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">local</span><span class="o">/</span><span class="n">generic_trusted_cas</span><span class="o">/</span>
-</pre></div>
-</div>
-</li>
-</ol>
-<p>For information about the syntax of some of these options, see
-<a class="reference internal" href="krb5_conf.html#pkinit-identity"><span class="std std-ref">Specifying PKINIT identity information</span></a> in
-<a class="reference internal" href="krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a>.</p>
-<dl>
-<dt><strong>pkinit_anchors</strong></dt><dd><p>Specifies the location of trusted anchor (root) certificates which
-the KDC trusts to sign client certificates. This option is
-required if pkinit is to be supported by the KDC. This option may
-be specified multiple times.</p>
-</dd>
-<dt><strong>pkinit_dh_min_bits</strong></dt><dd><p>Specifies the minimum strength of Diffie-Hellman group the KDC is
-willing to accept for key exchange. Valid values in order of
-increasing strength are 1024, 2048, P-256, 4096, P-384, and P-521.
-The default is 2048. (P-256, P-384, and P-521 are new in release
-1.22.)</p>
-</dd>
-<dt><strong>pkinit_allow_upn</strong></dt><dd><p>Specifies that the KDC is willing to accept client certificates
-with the Microsoft UserPrincipalName (UPN) Subject Alternative
-Name (SAN). This means the KDC accepts the binding of the UPN in
-the certificate to the Kerberos principal name. The default value
-is false.</p>
-<p>Without this option, the KDC will only accept certificates with
-the id-pkinit-san as defined in <span class="target" id="index-0"></span><a class="rfc reference external" href="https://datatracker.ietf.org/doc/html/rfc4556.html"><strong>RFC 4556</strong></a>. There is currently
-no option to disable SAN checking in the KDC.</p>
-</dd>
-<dt><strong>pkinit_eku_checking</strong></dt><dd><p>This option specifies what Extended Key Usage (EKU) values the KDC
-is willing to accept in client certificates. The values
-recognized in the kdc.conf file are:</p>
-<dl class="simple">
-<dt><strong>kpClientAuth</strong></dt><dd><p>This is the default value and specifies that client
-certificates must have the id-pkinit-KPClientAuth EKU as
-defined in <span class="target" id="index-1"></span><a class="rfc reference external" href="https://datatracker.ietf.org/doc/html/rfc4556.html"><strong>RFC 4556</strong></a>.</p>
-</dd>
-<dt><strong>scLogin</strong></dt><dd><p>If scLogin is specified, client certificates with the
-Microsoft Smart Card Login EKU (id-ms-kp-sc-logon) will be
-accepted.</p>
-</dd>
-<dt><strong>none</strong></dt><dd><p>If none is specified, then client certificates will not be
-checked to verify they have an acceptable EKU. The use of
-this option is not recommended.</p>
-</dd>
-</dl>
-</dd>
-<dt><strong>pkinit_identity</strong></dt><dd><p>Specifies the location of the KDC’s X.509 identity information.
-This option is required if pkinit is to be supported by the KDC.</p>
-</dd>
-<dt><strong>pkinit_indicator</strong></dt><dd><p>Specifies an authentication indicator to include in the ticket if
-pkinit is used to authenticate. This option may be specified
-multiple times. (New in release 1.14.)</p>
-</dd>
-<dt><strong>pkinit_pool</strong></dt><dd><p>Specifies the location of intermediate certificates which may be
-used by the KDC to complete the trust chain between a client’s
-certificate and a trusted anchor. This option may be specified
-multiple times.</p>
-</dd>
-<dt><strong>pkinit_revoke</strong></dt><dd><p>Specifies the location of Certificate Revocation List (CRL)
-information to be used by the KDC when verifying the validity of
-client certificates. This option may be specified multiple times.</p>
-</dd>
-<dt><strong>pkinit_require_crl_checking</strong></dt><dd><p>The default certificate verification process will always check the
-available revocation information to see if a certificate has been
-revoked. If a match is found for the certificate in a CRL,
-verification fails. If the certificate being verified is not
-listed in a CRL, or there is no CRL present for its issuing CA,
-and <strong>pkinit_require_crl_checking</strong> is false, then verification
-succeeds.</p>
-<p>However, if <strong>pkinit_require_crl_checking</strong> is true and there is
-no CRL information available for the issuing CA, then verification
-fails.</p>
-<p><strong>pkinit_require_crl_checking</strong> should be set to true if the
-policy is such that up-to-date CRLs must be present for every CA.</p>
-</dd>
-<dt><strong>pkinit_require_freshness</strong></dt><dd><p>Specifies whether to require clients to include a freshness token
-in PKINIT requests. The default value is false. (New in release
-1.17.)</p>
-</dd>
-</dl>
-</section>
-<section id="encryption-types">
-<span id="id6"></span><h2>Encryption types<a class="headerlink" href="#encryption-types" title="Link to this heading">¶</a></h2>
-<p>Any tag in the configuration files which requires a list of encryption
-types can be set to some combination of the following strings.
-Encryption types marked as “weak” and “deprecated” are available for
-compatibility but not recommended for use.</p>
-<table class="docutils align-default">
-<tbody>
-<tr class="row-odd"><td><p>des3-cbc-raw</p></td>
-<td><p>Triple DES cbc mode raw (weak)</p></td>
-</tr>
-<tr class="row-even"><td><p>des3-cbc-sha1 des3-hmac-sha1 des3-cbc-sha1-kd</p></td>
-<td><p>Triple DES cbc mode with HMAC/sha1 (deprecated)</p></td>
-</tr>
-<tr class="row-odd"><td><p>aes256-cts-hmac-sha1-96 aes256-cts aes256-sha1</p></td>
-<td><p>AES-256 CTS mode with 96-bit SHA-1 HMAC</p></td>
-</tr>
-<tr class="row-even"><td><p>aes128-cts-hmac-sha1-96 aes128-cts aes128-sha1</p></td>
-<td><p>AES-128 CTS mode with 96-bit SHA-1 HMAC</p></td>
-</tr>
-<tr class="row-odd"><td><p>aes256-cts-hmac-sha384-192 aes256-sha2</p></td>
-<td><p>AES-256 CTS mode with 192-bit SHA-384 HMAC</p></td>
-</tr>
-<tr class="row-even"><td><p>aes128-cts-hmac-sha256-128 aes128-sha2</p></td>
-<td><p>AES-128 CTS mode with 128-bit SHA-256 HMAC</p></td>
-</tr>
-<tr class="row-odd"><td><p>arcfour-hmac rc4-hmac arcfour-hmac-md5</p></td>
-<td><p>RC4 with HMAC/MD5 (deprecated)</p></td>
-</tr>
-<tr class="row-even"><td><p>arcfour-hmac-exp rc4-hmac-exp arcfour-hmac-md5-exp</p></td>
-<td><p>Exportable RC4 with HMAC/MD5 (weak)</p></td>
-</tr>
-<tr class="row-odd"><td><p>camellia256-cts-cmac camellia256-cts</p></td>
-<td><p>Camellia-256 CTS mode with CMAC</p></td>
-</tr>
-<tr class="row-even"><td><p>camellia128-cts-cmac camellia128-cts</p></td>
-<td><p>Camellia-128 CTS mode with CMAC</p></td>
-</tr>
-<tr class="row-odd"><td><p>des3</p></td>
-<td><p>The triple DES family: des3-cbc-sha1</p></td>
-</tr>
-<tr class="row-even"><td><p>aes</p></td>
-<td><p>The AES family: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha384-192, and aes128-cts-hmac-sha256-128</p></td>
-</tr>
-<tr class="row-odd"><td><p>rc4</p></td>
-<td><p>The RC4 family: arcfour-hmac</p></td>
-</tr>
-<tr class="row-even"><td><p>camellia</p></td>
-<td><p>The Camellia family: camellia256-cts-cmac and camellia128-cts-cmac</p></td>
-</tr>
-</tbody>
-</table>
-<p>The string <strong>DEFAULT</strong> can be used to refer to the default set of
-types for the variable in question. Types or families can be removed
-from the current list by prefixing them with a minus sign (“-“).
-Types or families can be prefixed with a plus sign (“+”) for symmetry;
-it has the same meaning as just listing the type or family. For
-example, “<code class="docutils literal notranslate"><span class="pre">DEFAULT</span> <span class="pre">-rc4</span></code>” would be the default set of encryption
-types with RC4 types removed, and “<code class="docutils literal notranslate"><span class="pre">des3</span> <span class="pre">DEFAULT</span></code>” would be the
-default set of encryption types with triple DES types moved to the
-front.</p>
-<p>While <strong>aes128-cts</strong> and <strong>aes256-cts</strong> are supported for all Kerberos
-operations, they are not supported by very old versions of our GSSAPI
-implementation (krb5-1.3.1 and earlier). Services running versions of
-krb5 without AES support must not be given keys of these encryption
-types in the KDC database.</p>
-<p>The <strong>aes128-sha2</strong> and <strong>aes256-sha2</strong> encryption types are new in
-release 1.15. Services running versions of krb5 without support for
-these newer encryption types must not be given keys of these
-encryption types in the KDC database.</p>
-</section>
-<section id="keysalt-lists">
-<span id="id7"></span><h2>Keysalt lists<a class="headerlink" href="#keysalt-lists" title="Link to this heading">¶</a></h2>
-<p>Kerberos keys for users are usually derived from passwords. Kerberos
-commands and configuration parameters that affect generation of keys
-take lists of enctype-salttype (“keysalt”) pairs, known as <em>keysalt
-lists</em>. Each keysalt pair is an enctype name followed by a salttype
-name, in the format <em>enc</em>:<em>salt</em>. Individual keysalt list members are
-separated by comma (“,”) characters or space characters. For example:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">kadmin</span> <span class="o">-</span><span class="n">e</span> <span class="n">aes256</span><span class="o">-</span><span class="n">cts</span><span class="p">:</span><span class="n">normal</span><span class="p">,</span><span class="n">aes128</span><span class="o">-</span><span class="n">cts</span><span class="p">:</span><span class="n">normal</span>
-</pre></div>
-</div>
-<p>would start up kadmin so that by default it would generate
-password-derived keys for the <strong>aes256-cts</strong> and <strong>aes128-cts</strong>
-encryption types, using a <strong>normal</strong> salt.</p>
-<p>To ensure that people who happen to pick the same password do not have
-the same key, Kerberos 5 incorporates more information into the key
-using something called a salt. The supported salt types are as
-follows:</p>
-<table class="docutils align-default">
-<tbody>
-<tr class="row-odd"><td><p>normal</p></td>
-<td><p>default for Kerberos Version 5</p></td>
-</tr>
-<tr class="row-even"><td><p>norealm</p></td>
-<td><p>same as the default, without using realm information</p></td>
-</tr>
-<tr class="row-odd"><td><p>onlyrealm</p></td>
-<td><p>uses only realm information as the salt</p></td>
-</tr>
-<tr class="row-even"><td><p>special</p></td>
-<td><p>generate a random salt</p></td>
-</tr>
-</tbody>
-</table>
-</section>
-<section id="sample-kdc-conf-file">
-<h2>Sample kdc.conf File<a class="headerlink" href="#sample-kdc-conf-file" title="Link to this heading">¶</a></h2>
-<p>Here’s an example of a kdc.conf file:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">kdcdefaults</span><span class="p">]</span>
- <span class="n">kdc_listen</span> <span class="o">=</span> <span class="mi">88</span>
- <span class="n">kdc_tcp_listen</span> <span class="o">=</span> <span class="mi">88</span>
-<span class="p">[</span><span class="n">realms</span><span class="p">]</span>
- <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="o">=</span> <span class="p">{</span>
- <span class="n">kadmind_port</span> <span class="o">=</span> <span class="mi">749</span>
- <span class="n">max_life</span> <span class="o">=</span> <span class="mi">12</span><span class="n">h</span> <span class="mi">0</span><span class="n">m</span> <span class="mi">0</span><span class="n">s</span>
- <span class="n">max_renewable_life</span> <span class="o">=</span> <span class="mi">7</span><span class="n">d</span> <span class="mi">0</span><span class="n">h</span> <span class="mi">0</span><span class="n">m</span> <span class="mi">0</span><span class="n">s</span>
- <span class="n">master_key_type</span> <span class="o">=</span> <span class="n">aes256</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span>
- <span class="n">supported_enctypes</span> <span class="o">=</span> <span class="n">aes256</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span><span class="p">:</span><span class="n">normal</span> <span class="n">aes128</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span><span class="p">:</span><span class="n">normal</span>
- <span class="n">database_module</span> <span class="o">=</span> <span class="n">openldap_ldapconf</span>
- <span class="p">}</span>
-
-<span class="p">[</span><span class="n">logging</span><span class="p">]</span>
- <span class="n">kdc</span> <span class="o">=</span> <span class="n">FILE</span><span class="p">:</span><span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">local</span><span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">krb5kdc</span><span class="o">/</span><span class="n">kdc</span><span class="o">.</span><span class="n">log</span>
- <span class="n">admin_server</span> <span class="o">=</span> <span class="n">FILE</span><span class="p">:</span><span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">local</span><span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">krb5kdc</span><span class="o">/</span><span class="n">kadmin</span><span class="o">.</span><span class="n">log</span>
-
-<span class="p">[</span><span class="n">dbdefaults</span><span class="p">]</span>
- <span class="n">ldap_kerberos_container_dn</span> <span class="o">=</span> <span class="n">cn</span><span class="o">=</span><span class="n">krbcontainer</span><span class="p">,</span><span class="n">dc</span><span class="o">=</span><span class="n">mit</span><span class="p">,</span><span class="n">dc</span><span class="o">=</span><span class="n">edu</span>
-
-<span class="p">[</span><span class="n">dbmodules</span><span class="p">]</span>
- <span class="n">openldap_ldapconf</span> <span class="o">=</span> <span class="p">{</span>
- <span class="n">db_library</span> <span class="o">=</span> <span class="n">kldap</span>
- <span class="n">disable_last_success</span> <span class="o">=</span> <span class="n">true</span>
- <span class="n">ldap_kdc_dn</span> <span class="o">=</span> <span class="s2">&quot;cn=krbadmin,dc=mit,dc=edu&quot;</span>
- <span class="c1"># this object needs to have read rights on</span>
- <span class="c1"># the realm container and principal subtrees</span>
- <span class="n">ldap_kadmind_dn</span> <span class="o">=</span> <span class="s2">&quot;cn=krbadmin,dc=mit,dc=edu&quot;</span>
- <span class="c1"># this object needs to have read and write rights on</span>
- <span class="c1"># the realm container and principal subtrees</span>
- <span class="n">ldap_service_password_file</span> <span class="o">=</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">kerberos</span><span class="o">/</span><span class="n">service</span><span class="o">.</span><span class="n">keyfile</span>
- <span class="n">ldap_servers</span> <span class="o">=</span> <span class="n">ldaps</span><span class="p">:</span><span class="o">//</span><span class="n">kerberos</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span>
- <span class="n">ldap_conns_per_server</span> <span class="o">=</span> <span class="mi">5</span>
- <span class="p">}</span>
-</pre></div>
-</div>
-</section>
-<section id="files">
-<h2>FILES<a class="headerlink" href="#files" title="Link to this heading">¶</a></h2>
-<p><a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">LOCALSTATEDIR</span></a><code class="docutils literal notranslate"><span class="pre">/krb5kdc</span></code><code class="docutils literal notranslate"><span class="pre">/kdc.conf</span></code></p>
-</section>
-<section id="see-also">
-<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Link to this heading">¶</a></h2>
-<p><a class="reference internal" href="krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a>, <a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a>, <a class="reference internal" href="kadm5_acl.html#kadm5-acl-5"><span class="std std-ref">kadm5.acl</span></a></p>
-</section>
-</section>
-
-
- <div class="clearer"></div>
- </div>
- </div>
- </div>
- </div>
- <div class="sidebar">
-
- <h2>On this page</h2>
- <ul>
-<li><a class="reference internal" href="#">kdc.conf</a><ul>
-<li><a class="reference internal" href="#structure">Structure</a></li>
-<li><a class="reference internal" href="#sections">Sections</a><ul>
-<li><a class="reference internal" href="#kdcdefaults">[kdcdefaults]</a></li>
-<li><a class="reference internal" href="#realms">[realms]</a></li>
-<li><a class="reference internal" href="#dbdefaults">[dbdefaults]</a></li>
-<li><a class="reference internal" href="#dbmodules">[dbmodules]</a></li>
-<li><a class="reference internal" href="#logging">[logging]</a></li>
-<li><a class="reference internal" href="#otp">[otp]</a></li>
-</ul>
-</li>
-<li><a class="reference internal" href="#pkinit-options">PKINIT options</a></li>
-<li><a class="reference internal" href="#encryption-types">Encryption types</a></li>
-<li><a class="reference internal" href="#keysalt-lists">Keysalt lists</a></li>
-<li><a class="reference internal" href="#sample-kdc-conf-file">Sample kdc.conf File</a></li>
-<li><a class="reference internal" href="#files">FILES</a></li>
-<li><a class="reference internal" href="#see-also">SEE ALSO</a></li>
-</ul>
-</li>
-</ul>
-
- <br/>
- <h2>Table of contents</h2>
- <ul class="current">
-<li class="toctree-l1"><a class="reference internal" href="../../user/index.html">For users</a></li>
-<li class="toctree-l1 current"><a class="reference internal" href="../index.html">For administrators</a><ul class="current">
-<li class="toctree-l2"><a class="reference internal" href="../install.html">Installation guide</a></li>
-<li class="toctree-l2 current"><a class="reference internal" href="index.html">Configuration Files</a><ul class="current">
-<li class="toctree-l3"><a class="reference internal" href="krb5_conf.html">krb5.conf</a></li>
-<li class="toctree-l3 current"><a class="current reference internal" href="#">kdc.conf</a></li>
-<li class="toctree-l3"><a class="reference internal" href="kadm5_acl.html">kadm5.acl</a></li>
-</ul>
-</li>
-<li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../dbtypes.html">Database types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../host_config.html">Host configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../spake.html">SPAKE Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../dictionary.html">Addressing dictionary attack risks</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../auth_indicator.html">Authentication indicators</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../admin_commands/index.html">Administration programs</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../../mitK5defaults.html">MIT Kerberos defaults</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../env_variables.html">Environment variables</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../troubleshoot.html">Troubleshooting</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../advanced/index.html">Advanced topics</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../various_envs.html">Various links</a></li>
-</ul>
-</li>
-<li class="toctree-l1"><a class="reference internal" href="../../appdev/index.html">For application developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../plugindev/index.html">For plugin module developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../build/index.html">Building Kerberos V5</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../basic/index.html">Kerberos V5 concepts</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../formats/index.html">Protocols and file formats</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../mitK5features.html">MIT Kerberos features</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../build_this.html">How to build this documentation from the source</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../about.html">Contributing to the MIT Kerberos Documentation</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../resources.html">Resources</a></li>
-</ul>
-
- <br/>
- <h4><a href="../../index.html">Full Table of Contents</a></h4>
- <h4>Search</h4>
- <form class="search" action="../../search.html" method="get">
- <input type="text" name="q" size="18" />
- <input type="submit" value="Go" />
- <input type="hidden" name="check_keywords" value="yes" />
- <input type="hidden" name="area" value="default" />
- </form>
-
- </div>
- <div class="clearer"></div>
- </div>
- </div>
-
- <div class="footer-wrapper">
- <div class="footer" >
- <div class="right" ><i>Release: 1.22-final</i><br />
- &copy; <a href="../../copyright.html">Copyright</a> 1985-2025, MIT.
- </div>
- <div class="left">
-
- <a href="../../index.html" title="Full Table of Contents"
- >Contents</a> |
- <a href="krb5_conf.html" title="krb5.conf"
- >previous</a> |
- <a href="kadm5_acl.html" title="kadm5.acl"
- >next</a> |
- <a href="../../genindex.html" title="General Index"
- >index</a> |
- <a href="../../search.html" title="Enter search criteria"
- >Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__kdc.conf">feedback</a>
- </div>
- </div>
- </div>
-
- </body>
-</html> \ No newline at end of file
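Review bot: In the removed sample [dbmodules] stanza, ldap_kdc_dn and ldap_kadmind_dn both point at the same object, cn=krbadmin,dc=mit,dc=edu, even though the inline comments distinguish read-only rights for the KDC from read-write rights for kadmind; the deletion of this generated HTML is fine as-is, but if this sample is carried forward in the documentation source it would better reflect least privilege with a separate read-only object for ldap_kdc_dn, e.g. `ldap_kdc_dn = "cn=krbkdc,dc=mit,dc=edu"` alongside the existing `ldap_kadmind_dn = "cn=krbadmin,dc=mit,dc=edu"`.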
diff --git a/crypto/krb5/doc/html/admin/conf_files/krb5_conf.html b/crypto/krb5/doc/html/admin/conf_files/krb5_conf.html
deleted file mode 100644
index f1438242431d..000000000000
--- a/crypto/krb5/doc/html/admin/conf_files/krb5_conf.html
+++ /dev/null
@@ -1,1350 +0,0 @@
-<!DOCTYPE html>
-
-<html lang="en" data-content_root="../../">
- <head>
- <meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
-
- <title>krb5.conf &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../../_static/pygments.css?v=fa44fd50" />
- <link rel="stylesheet" type="text/css" href="../../_static/agogo.css?v=879f3c71" />
- <link rel="stylesheet" type="text/css" href="../../_static/kerb.css?v=6a0b3979" />
- <script src="../../_static/documentation_options.js?v=236fef3b"></script>
- <script src="../../_static/doctools.js?v=888ff710"></script>
- <script src="../../_static/sphinx_highlight.js?v=dc90522c"></script>
- <link rel="author" title="About these documents" href="../../about.html" />
- <link rel="index" title="Index" href="../../genindex.html" />
- <link rel="search" title="Search" href="../../search.html" />
- <link rel="copyright" title="Copyright" href="../../copyright.html" />
- <link rel="next" title="kdc.conf" href="kdc_conf.html" />
- <link rel="prev" title="Configuration Files" href="index.html" />
- </head><body>
- <div class="header-wrapper">
- <div class="header">
-
-
- <h1><a href="../../index.html">MIT Kerberos Documentation</a></h1>
-
- <div class="rel">
-
- <a href="../../index.html" title="Full Table of Contents"
- accesskey="C">Contents</a> |
- <a href="index.html" title="Configuration Files"
- accesskey="P">previous</a> |
- <a href="kdc_conf.html" title="kdc.conf"
- accesskey="N">next</a> |
- <a href="../../genindex.html" title="General Index"
- accesskey="I">index</a> |
- <a href="../../search.html" title="Enter search criteria"
- accesskey="S">Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__krb5.conf">feedback</a>
- </div>
- </div>
- </div>
-
- <div class="content-wrapper">
- <div class="content">
- <div class="document">
-
- <div class="documentwrapper">
- <div class="bodywrapper">
- <div class="body" role="main">
-
- <section id="krb5-conf">
-<span id="krb5-conf-5"></span><h1>krb5.conf<a class="headerlink" href="#krb5-conf" title="Link to this heading">¶</a></h1>
-<p>The krb5.conf file contains Kerberos configuration information,
-including the locations of KDCs and admin servers for the Kerberos
-realms of interest, defaults for the current realm and for Kerberos
-applications, and mappings of hostnames onto Kerberos realms.
-Normally, you should install your krb5.conf file in the directory
-<code class="docutils literal notranslate"><span class="pre">/etc</span></code>. You can override the default location by setting the
-environment variable <strong>KRB5_CONFIG</strong>. Multiple colon-separated
-filenames may be specified in <strong>KRB5_CONFIG</strong>; all files which are
-present will be read. Starting in release 1.14, directory names can
-also be specified in <strong>KRB5_CONFIG</strong>; all files within the directory
-whose names consist solely of alphanumeric characters, dashes, or
-underscores will be read.</p>
-<section id="structure">
-<h2>Structure<a class="headerlink" href="#structure" title="Link to this heading">¶</a></h2>
-<p>The krb5.conf file is set up in the style of a Windows INI file.
-Lines beginning with ‘#’ or ‘;’ (possibly after initial whitespace)
-are ignored as comments. Sections are headed by the section name, in
-square brackets. Each section may contain zero or more relations, of
-the form:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">foo</span> <span class="o">=</span> <span class="n">bar</span>
-</pre></div>
-</div>
-<p>or:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">fubar</span> <span class="o">=</span> <span class="p">{</span>
- <span class="n">foo</span> <span class="o">=</span> <span class="n">bar</span>
- <span class="n">baz</span> <span class="o">=</span> <span class="n">quux</span>
-<span class="p">}</span>
-</pre></div>
-</div>
-<p>The krb5.conf file can include other files using either of the
-following directives at the beginning of a line:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">include</span> <span class="n">FILENAME</span>
-<span class="n">includedir</span> <span class="n">DIRNAME</span>
-</pre></div>
-</div>
-<p><em>FILENAME</em> or <em>DIRNAME</em> should be an absolute path. The named file or
-directory must exist and be readable. Including a directory includes
-all files within the directory whose names consist solely of
-alphanumeric characters, dashes, or underscores. Starting in release
-1.15, files with names ending in “.conf” are also included, unless the
-name begins with “.”. Included profile files are syntactically
-independent of their parents, so each included file must begin with a
-section header. Starting in release 1.17, files are read in
-alphanumeric order; in previous releases, they may be read in any
-order.</p>
-<p>Placing a ‘*’ after the closing bracket of a section name indicates
-that the section is <em>final</em>, meaning that if the same section appears
-again later, it will be ignored. A subsection can be marked as final
-by placing a ‘*’ after either the tag name or the closing brace. A
-relation can be marked as final by placing a ‘*’ after the tag name.
-Prior to release 1.22, only sections and subsections can be marked as
-final, and the flag only causes values to be ignored if they appear in
-later files specified in <strong>KRB5_CONFIG</strong>, not if they appear later
-within the same file or an included file.</p>
-<p>The krb5.conf file can specify that configuration should be obtained
-from a loadable module, rather than the file itself, using the
-following directive at the beginning of a line before any section
-headers:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">module</span> <span class="n">MODULEPATH</span><span class="p">:</span><span class="n">RESIDUAL</span>
-</pre></div>
-</div>
-<p><em>MODULEPATH</em> may be relative to the library path of the krb5
-installation, or it may be an absolute path. <em>RESIDUAL</em> is provided
-to the module at initialization time. If krb5.conf uses a module
-directive, <a class="reference internal" href="kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a> should also use one if it exists.</p>
-</section>
-<section id="sections">
-<h2>Sections<a class="headerlink" href="#sections" title="Link to this heading">¶</a></h2>
-<p>The krb5.conf file may contain the following sections:</p>
-<table class="docutils align-default">
-<tbody>
-<tr class="row-odd"><td><p><a class="reference internal" href="#libdefaults"><span class="std std-ref">[libdefaults]</span></a></p></td>
-<td><p>Settings used by the Kerberos V5 library</p></td>
-</tr>
-<tr class="row-even"><td><p><a class="reference internal" href="#realms"><span class="std std-ref">[realms]</span></a></p></td>
-<td><p>Realm-specific contact information and settings</p></td>
-</tr>
-<tr class="row-odd"><td><p><a class="reference internal" href="#domain-realm"><span class="std std-ref">[domain_realm]</span></a></p></td>
-<td><p>Maps server hostnames to Kerberos realms</p></td>
-</tr>
-<tr class="row-even"><td><p><a class="reference internal" href="#capaths"><span class="std std-ref">[capaths]</span></a></p></td>
-<td><p>Authentication paths for non-hierarchical cross-realm</p></td>
-</tr>
-<tr class="row-odd"><td><p><a class="reference internal" href="#appdefaults"><span class="std std-ref">[appdefaults]</span></a></p></td>
-<td><p>Settings used by some Kerberos V5 applications</p></td>
-</tr>
-<tr class="row-even"><td><p><a class="reference internal" href="#plugins"><span class="std std-ref">[plugins]</span></a></p></td>
-<td><p>Controls plugin module registration</p></td>
-</tr>
-</tbody>
-</table>
-<p>Additionally, krb5.conf may include any of the relations described in
-<a class="reference internal" href="kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>, but it is not a recommended practice.</p>
-<section id="libdefaults">
-<span id="id1"></span><h3>[libdefaults]<a class="headerlink" href="#libdefaults" title="Link to this heading">¶</a></h3>
-<p>The libdefaults section may contain any of the following relations:</p>
-<dl>
-<dt><strong>allow_des3</strong></dt><dd><p>Permit the KDC to issue tickets with des3-cbc-sha1 session keys.
-In future releases, this flag will allow des3-cbc-sha1 to be used
-at all. The default value for this tag is false. (Added in
-release 1.21.)</p>
-</dd>
-<dt><strong>allow_rc4</strong></dt><dd><p>Permit the KDC to issue tickets with arcfour-hmac session keys.
-In future releases, this flag will allow arcfour-hmac to be used
-at all. The default value for this tag is false. (Added in
-release 1.21.)</p>
-</dd>
-<dt><strong>allow_weak_crypto</strong></dt><dd><p>If this flag is set to false, then weak encryption types (as noted
-in <a class="reference internal" href="kdc_conf.html#encryption-types"><span class="std std-ref">Encryption types</span></a> in <a class="reference internal" href="kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>) will be filtered
-out of the lists <strong>default_tgs_enctypes</strong>,
-<strong>default_tkt_enctypes</strong>, and <strong>permitted_enctypes</strong>. The default
-value for this tag is false.</p>
-</dd>
-<dt><strong>canonicalize</strong></dt><dd><p>If this flag is set to true, initial ticket requests to the KDC
-will request canonicalization of the client principal name, and
-answers with different client principals than the requested
-principal will be accepted. The default value is false.</p>
-</dd>
-<dt><strong>ccache_type</strong></dt><dd><p>This parameter determines the format of credential cache types
-created by <a class="reference internal" href="../../user/user_commands/kinit.html#kinit-1"><span class="std std-ref">kinit</span></a> or other programs. The default value
-is 4, which represents the most current format. Smaller values
-can be used for compatibility with very old implementations of
-Kerberos which interact with credential caches on the same host.</p>
-</dd>
-<dt><strong>clockskew</strong></dt><dd><p>Sets the maximum allowable amount of clockskew in seconds that the
-library will tolerate before assuming that a Kerberos message is
-invalid. The default value is 300 seconds, or five minutes.</p>
-<p>The clockskew setting is also used when evaluating ticket start
-and expiration times. For example, tickets that have reached
-their expiration time can still be used (and renewed if they are
-renewable tickets) if they have been expired for a shorter
-duration than the <strong>clockskew</strong> setting.</p>
-</dd>
-<dt><strong>default_ccache_name</strong></dt><dd><p>This relation specifies the name of the default credential cache.
-The default is <a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">DEFCCNAME</span></a>. This relation is subject to parameter
-expansion (see below). New in release 1.11.</p>
-</dd>
-<dt><strong>default_client_keytab_name</strong></dt><dd><p>This relation specifies the name of the default keytab for
-obtaining client credentials. The default is <a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">DEFCKTNAME</span></a>. This
-relation is subject to parameter expansion (see below).
-New in release 1.11.</p>
-</dd>
-<dt><strong>default_keytab_name</strong></dt><dd><p>This relation specifies the default keytab name to be used by
-application servers such as sshd. The default is <a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">DEFKTNAME</span></a>. This
-relation is subject to parameter expansion (see below).</p>
-</dd>
-<dt><strong>default_rcache_name</strong></dt><dd><p>This relation specifies the name of the default replay cache.
-The default is <code class="docutils literal notranslate"><span class="pre">dfl:</span></code>. This relation is subject to parameter
-expansion (see below). New in release 1.18.</p>
-</dd>
-<dt><strong>default_realm</strong></dt><dd><p>Identifies the default Kerberos realm for the client. Set its
-value to your Kerberos realm. If this value is not set, then a
-realm must be specified with every Kerberos principal when
-invoking programs such as <a class="reference internal" href="../../user/user_commands/kinit.html#kinit-1"><span class="std std-ref">kinit</span></a>.</p>
-</dd>
-<dt><strong>default_tgs_enctypes</strong></dt><dd><p>Identifies the supported list of session key encryption types that
-the client should request when making a TGS-REQ, in order of
-preference from highest to lowest. The list may be delimited with
-commas or whitespace. See <a class="reference internal" href="kdc_conf.html#encryption-types"><span class="std std-ref">Encryption types</span></a> in
-<a class="reference internal" href="kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a> for a list of the accepted values for this tag.
-Starting in release 1.18, the default value is the value of
-<strong>permitted_enctypes</strong>. For previous releases or if
-<strong>permitted_enctypes</strong> is not set, the default value is
-<code class="docutils literal notranslate"><span class="pre">aes256-cts-hmac-sha1-96</span> <span class="pre">aes128-cts-hmac-sha1-96</span> <span class="pre">aes256-cts-hmac-sha384-192</span> <span class="pre">aes128-cts-hmac-sha256-128</span> <span class="pre">des3-cbc-sha1</span> <span class="pre">arcfour-hmac-md5</span> <span class="pre">camellia256-cts-cmac</span> <span class="pre">camellia128-cts-cmac</span></code>.</p>
-<p>Do not set this unless required for specific backward
-compatibility purposes; stale values of this setting can prevent
-clients from taking advantage of new stronger enctypes when the
-libraries are upgraded.</p>
-</dd>
-<dt><strong>default_tkt_enctypes</strong></dt><dd><p>Identifies the supported list of session key encryption types that
-the client should request when making an AS-REQ, in order of
-preference from highest to lowest. The format is the same as for
-default_tgs_enctypes. Starting in release 1.18, the default
-value is the value of <strong>permitted_enctypes</strong>. For previous
-releases or if <strong>permitted_enctypes</strong> is not set, the default
-value is <code class="docutils literal notranslate"><span class="pre">aes256-cts-hmac-sha1-96</span> <span class="pre">aes128-cts-hmac-sha1-96</span> <span class="pre">aes256-cts-hmac-sha384-192</span> <span class="pre">aes128-cts-hmac-sha256-128</span> <span class="pre">des3-cbc-sha1</span> <span class="pre">arcfour-hmac-md5</span> <span class="pre">camellia256-cts-cmac</span> <span class="pre">camellia128-cts-cmac</span></code>.</p>
-<p>Do not set this unless required for specific backward
-compatibility purposes; stale values of this setting can prevent
-clients from taking advantage of new stronger enctypes when the
-libraries are upgraded.</p>
-</dd>
-<dt><strong>dns_canonicalize_hostname</strong></dt><dd><p>Indicate whether name lookups will be used to canonicalize
-hostnames for use in service principal names. Setting this flag
-to false can improve security by reducing reliance on DNS, but
-means that short hostnames will not be canonicalized to
-fully-qualified hostnames. If this option is set to <code class="docutils literal notranslate"><span class="pre">fallback</span></code> (new
-in release 1.18), DNS canonicalization will only be performed the
-server hostname is not found with the original name when
-requesting credentials. The default value is true.</p>
-</dd>
-<dt><strong>dns_lookup_kdc</strong></dt><dd><p>Indicate whether DNS SRV records should be used to locate the KDCs
-and other servers for a realm, if they are not listed in the
-krb5.conf information for the realm. (Note that the admin_server
-entry must be in the krb5.conf realm information in order to
-contact kadmind, because the DNS implementation for kadmin is
-incomplete.)</p>
-<p>Enabling this option does open up a type of denial-of-service
-attack, if someone spoofs the DNS records and redirects you to
-another server. However, it’s no worse than a denial of service,
-because that fake KDC will be unable to decode anything you send
-it (besides the initial ticket request, which has no encrypted
-data), and anything the fake KDC sends will not be trusted without
-verification using some secret that it won’t know.</p>
-</dd>
-<dt><strong>dns_lookup_realm</strong></dt><dd><p>Indicate whether DNS TXT records should be used to map hostnames
-to realm names for hostnames not listed in the [domain_realm]
-section, and to determine the default realm if <strong>default_realm</strong>
-is not set. The default value is false.</p>
-</dd>
-<dt><strong>dns_uri_lookup</strong></dt><dd><p>Indicate whether DNS URI records should be used to locate the KDCs
-and other servers for a realm, if they are not listed in the
-krb5.conf information for the realm. SRV records are used as a
-fallback if no URI records were found. The default value is true.
-New in release 1.15.</p>
-</dd>
-<dt><strong>enforce_ok_as_delegate</strong></dt><dd><p>If this flag to true, GSSAPI credential delegation will be
-disabled when the <code class="docutils literal notranslate"><span class="pre">ok-as-delegate</span></code> flag is not set in the
-service ticket. If this flag is false, the <code class="docutils literal notranslate"><span class="pre">ok-as-delegate</span></code>
-ticket flag is only enforced when an application specifically
-requests enforcement. The default value is false.</p>
-</dd>
-<dt><strong>err_fmt</strong></dt><dd><p>This relation allows for custom error message formatting. If a
-value is set, error messages will be formatted by substituting a
-normal error message for %M and an error code for %C in the value.</p>
-</dd>
-<dt><strong>extra_addresses</strong></dt><dd><p>This allows a computer to use multiple local addresses, in order
-to allow Kerberos to work in a network that uses NATs while still
-using address-restricted tickets. The addresses should be in a
-comma-separated list. This option has no effect if
-<strong>noaddresses</strong> is true.</p>
-</dd>
-<dt><strong>forwardable</strong></dt><dd><p>If this flag is true, initial tickets will be forwardable by
-default, if allowed by the KDC. The default value is false.</p>
-</dd>
-<dt><strong>ignore_acceptor_hostname</strong></dt><dd><p>When accepting GSSAPI or krb5 security contexts for host-based
-service principals, ignore any hostname passed by the calling
-application, and allow clients to authenticate to any service
-principal in the keytab matching the service name and realm name
-(if given). This option can improve the administrative
-flexibility of server applications on multihomed hosts, but could
-compromise the security of virtual hosting environments. The
-default value is false. New in release 1.10.</p>
-</dd>
-<dt><strong>k5login_authoritative</strong></dt><dd><p>If this flag is true, principals must be listed in a local user’s
-k5login file to be granted login access, if a <a class="reference internal" href="../../user/user_config/k5login.html#k5login-5"><span class="std std-ref">.k5login</span></a>
-file exists. If this flag is false, a principal may still be
-granted login access through other mechanisms even if a k5login
-file exists but does not list the principal. The default value is
-true.</p>
-</dd>
-<dt><strong>k5login_directory</strong></dt><dd><p>If set, the library will look for a local user’s k5login file
-within the named directory, with a filename corresponding to the
-local username. If not set, the library will look for k5login
-files in the user’s home directory, with the filename .k5login.
-For security reasons, .k5login files must be owned by
-the local user or by root.</p>
-</dd>
-<dt><strong>kcm_mach_service</strong></dt><dd><p>On macOS only, determines the name of the bootstrap service used to
-contact the KCM daemon for the KCM credential cache type. If the
-value is <code class="docutils literal notranslate"><span class="pre">-</span></code>, Mach RPC will not be used to contact the KCM
-daemon. The default value is <code class="docutils literal notranslate"><span class="pre">org.h5l.kcm</span></code>.</p>
-</dd>
-<dt><strong>kcm_socket</strong></dt><dd><p>Determines the path to the Unix domain socket used to access the
-KCM daemon for the KCM credential cache type. If the value is
-<code class="docutils literal notranslate"><span class="pre">-</span></code>, Unix domain sockets will not be used to contact the KCM
-daemon. The default value is
-<code class="docutils literal notranslate"><span class="pre">/var/run/.heim_org.h5l.kcm-socket</span></code>.</p>
-</dd>
-<dt><strong>kdc_default_options</strong></dt><dd><p>Default KDC options (Xored for multiple values) when requesting
-initial tickets. By default it is set to 0x00000010
-(KDC_OPT_RENEWABLE_OK).</p>
-</dd>
-<dt><strong>kdc_timesync</strong></dt><dd><p>Accepted values for this relation are 1 or 0. If it is nonzero,
-client machines will compute the difference between their time and
-the time returned by the KDC in the timestamps in the tickets and
-use this value to correct for an inaccurate system clock when
-requesting service tickets or authenticating to services. This
-corrective factor is only used by the Kerberos library; it is not
-used to change the system clock. The default value is 1.</p>
-</dd>
-<dt><strong>noaddresses</strong></dt><dd><p>If this flag is true, requests for initial tickets will not be
-made with address restrictions set, allowing the tickets to be
-used across NATs. The default value is true.</p>
-</dd>
-<dt><strong>permitted_enctypes</strong></dt><dd><p>Identifies the encryption types that servers will permit for
-session keys and for ticket and authenticator encryption, ordered
-by preference from highest to lowest. Starting in release 1.18,
-this tag also acts as the default value for
-<strong>default_tgs_enctypes</strong> and <strong>default_tkt_enctypes</strong>. The
-default value for this tag is <code class="docutils literal notranslate"><span class="pre">aes256-cts-hmac-sha1-96</span> <span class="pre">aes128-cts-hmac-sha1-96</span> <span class="pre">aes256-cts-hmac-sha384-192</span> <span class="pre">aes128-cts-hmac-sha256-128</span> <span class="pre">des3-cbc-sha1</span> <span class="pre">arcfour-hmac-md5</span> <span class="pre">camellia256-cts-cmac</span> <span class="pre">camellia128-cts-cmac</span></code>.</p>
-</dd>
-<dt><strong>plugin_base_dir</strong></dt><dd><p>If set, determines the base directory where krb5 plugins are
-located. The default value is the <code class="docutils literal notranslate"><span class="pre">krb5/plugins</span></code> subdirectory
-of the krb5 library directory. This relation is subject to
-parameter expansion (see below) in release 1.17 and later.</p>
-</dd>
-<dt><strong>preferred_preauth_types</strong></dt><dd><p>This allows you to set the preferred preauthentication types which
-the client will attempt before others which may be advertised by a
-KDC. The default value for this setting is “17, 16, 15, 14”,
-which forces libkrb5 to attempt to use PKINIT if it is supported.</p>
-</dd>
-<dt><strong>proxiable</strong></dt><dd><p>If this flag is true, initial tickets will be proxiable by
-default, if allowed by the KDC. The default value is false.</p>
-</dd>
-<dt><strong>qualify_shortname</strong></dt><dd><p>If this string is set, it determines the domain suffix for
-single-component hostnames when DNS canonicalization is not used
-(either because <strong>dns_canonicalize_hostname</strong> is false or because
-forward canonicalization failed). The default value is the first
-search domain of the system’s DNS configuration. To disable
-qualification of shortnames, set this relation to the empty string
-with <code class="docutils literal notranslate"><span class="pre">qualify_shortname</span> <span class="pre">=</span> <span class="pre">&quot;&quot;</span></code>. (New in release 1.18.)</p>
-</dd>
-<dt><strong>rdns</strong></dt><dd><p>If this flag is true, reverse name lookup will be used in addition
-to forward name lookup to canonicalizing hostnames for use in
-service principal names. If <strong>dns_canonicalize_hostname</strong> is set
-to false, this flag has no effect. The default value is true.</p>
-</dd>
-<dt><strong>realm_try_domains</strong></dt><dd><p>Indicate whether a host’s domain components should be used to
-determine the Kerberos realm of the host. The value of this
-variable is an integer: -1 means not to search, 0 means to try the
-host’s domain itself, 1 means to also try the domain’s immediate
-parent, and so forth. The library’s usual mechanism for locating
-Kerberos realms is used to determine whether a domain is a valid
-realm, which may involve consulting DNS if <strong>dns_lookup_kdc</strong> is
-set. The default is not to search domain components.</p>
-</dd>
-<dt><strong>renew_lifetime</strong></dt><dd><p>(<a class="reference internal" href="../../basic/date_format.html#duration"><span class="std std-ref">Time duration</span></a> string.) Sets the default renewable lifetime
-for initial ticket requests. The default value is 0.</p>
-</dd>
-<dt><strong>request_timeout</strong></dt><dd><p>(<a class="reference internal" href="../../basic/date_format.html#duration"><span class="std std-ref">Time duration</span></a> string.) Sets the maximum total time for KDC and
-password change requests. This timeout does not affect the
-intervals between requests, so setting a low timeout may result in
-fewer requests being attempted and/or some servers not being
-contacted. A value of 0 indicates no specific maximum, in which
-case requests will time out if no server responds after several
-tries. The default value is 0. (New in release 1.22.)</p>
-</dd>
-<dt><strong>spake_preauth_groups</strong></dt><dd><p>A whitespace or comma-separated list of words which specifies the
-groups allowed for SPAKE preauthentication. The possible values
-are:</p>
-<table class="docutils align-default">
-<tbody>
-<tr class="row-odd"><td><p>edwards25519</p></td>
-<td><p>Edwards25519 curve (<span class="target" id="index-0"></span><a class="rfc reference external" href="https://datatracker.ietf.org/doc/html/rfc7748.html"><strong>RFC 7748</strong></a>)</p></td>
-</tr>
-<tr class="row-even"><td><p>P-256</p></td>
-<td><p>NIST P-256 curve (<span class="target" id="index-1"></span><a class="rfc reference external" href="https://datatracker.ietf.org/doc/html/rfc5480.html"><strong>RFC 5480</strong></a>)</p></td>
-</tr>
-<tr class="row-odd"><td><p>P-384</p></td>
-<td><p>NIST P-384 curve (<span class="target" id="index-2"></span><a class="rfc reference external" href="https://datatracker.ietf.org/doc/html/rfc5480.html"><strong>RFC 5480</strong></a>)</p></td>
-</tr>
-<tr class="row-even"><td><p>P-521</p></td>
-<td><p>NIST P-521 curve (<span class="target" id="index-3"></span><a class="rfc reference external" href="https://datatracker.ietf.org/doc/html/rfc5480.html"><strong>RFC 5480</strong></a>)</p></td>
-</tr>
-</tbody>
-</table>
-<p>The default value for the client is <code class="docutils literal notranslate"><span class="pre">edwards25519</span></code>. The default
-value for the KDC is empty. New in release 1.17.</p>
-</dd>
-<dt><strong>ticket_lifetime</strong></dt><dd><p>(<a class="reference internal" href="../../basic/date_format.html#duration"><span class="std std-ref">Time duration</span></a> string.) Sets the default lifetime for initial
-ticket requests. The default value is 1 day.</p>
-</dd>
-<dt><strong>udp_preference_limit</strong></dt><dd><p>When sending a message to the KDC, the library will try using TCP
-before UDP if the size of the message is above
-<strong>udp_preference_limit</strong>. If the message is smaller than
-<strong>udp_preference_limit</strong>, then UDP will be tried before TCP.
-Regardless of the size, both protocols will be tried if the first
-attempt fails.</p>
-</dd>
-<dt><strong>verify_ap_req_nofail</strong></dt><dd><p>If this flag is true, then an attempt to verify initial
-credentials will fail if the client machine does not have a
-keytab. The default value is false.</p>
-</dd>
-<dt><strong>client_aware_channel_bindings</strong></dt><dd><p>If this flag is true, then all application protocol authentication
-requests will be flagged to indicate that the application supports
-channel bindings when operating over a secure channel. The
-default value is false.</p>
-</dd>
-</dl>
-</section>
-<section id="realms">
-<span id="id2"></span><h3>[realms]<a class="headerlink" href="#realms" title="Link to this heading">¶</a></h3>
-<p>Each tag in the [realms] section of the file is the name of a Kerberos
-realm. The value of the tag is a subsection with relations that
-define the properties of that particular realm. For each realm, the
-following tags may be specified in the realm’s subsection:</p>
-<dl>
-<dt><strong>admin_server</strong></dt><dd><p>Identifies the host where the administration server is running.
-Typically, this is the primary Kerberos server. This tag must be
-given a value in order to communicate with the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a>
-server for the realm.</p>
-</dd>
-<dt><strong>auth_to_local</strong></dt><dd><p>This tag allows you to set a general rule for mapping principal
-names to local user names. It will be used if there is not an
-explicit mapping for the principal name that is being
-translated. The possible values are:</p>
-<dl>
-<dt><strong>RULE:</strong><em>exp</em></dt><dd><p>The local name will be formulated from <em>exp</em>.</p>
-<p>The format for <em>exp</em> is <strong>[</strong><em>n</em><strong>:</strong><em>string</em><strong>](</strong><em>regexp</em><strong>)s/</strong><em>pattern</em><strong>/</strong><em>replacement</em><strong>/g</strong>.
-The integer <em>n</em> indicates how many components the target
-principal should have. If this matches, then a string will be
-formed from <em>string</em>, substituting the realm of the principal
-for <code class="docutils literal notranslate"><span class="pre">$0</span></code> and the <em>n</em>’th component of the principal for
-<code class="docutils literal notranslate"><span class="pre">$n</span></code> (e.g., if the principal was <code class="docutils literal notranslate"><span class="pre">johndoe/admin</span></code> then
-<code class="docutils literal notranslate"><span class="pre">[2:$2$1foo]</span></code> would result in the string
-<code class="docutils literal notranslate"><span class="pre">adminjohndoefoo</span></code>). If this string matches <em>regexp</em>, then
-the <code class="docutils literal notranslate"><span class="pre">s//[g]</span></code> substitution command will be run over the
-string. The optional <strong>g</strong> will cause the substitution to be
-global over the <em>string</em>, instead of replacing only the first
-match in the <em>string</em>.</p>
-</dd>
-<dt><strong>DEFAULT</strong></dt><dd><p>The principal name will be used as the local user name. If
-the principal has more than one component or is not in the
-default realm, this rule is not applicable and the conversion
-will fail.</p>
-</dd>
-</dl>
-<p>For example:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>[realms]
- ATHENA.MIT.EDU = {
- auth_to_local = RULE:[2:$1](johndoe)s/^.*$/guest/
- auth_to_local = RULE:[2:$1;$2](^.*;admin$)s/;admin$//
- auth_to_local = RULE:[2:$2](^.*;root)s/^.*$/root/
- auth_to_local = DEFAULT
- }
-</pre></div>
-</div>
-<p>would result in any principal without <code class="docutils literal notranslate"><span class="pre">root</span></code> or <code class="docutils literal notranslate"><span class="pre">admin</span></code> as the
-second component to be translated with the default rule. A
-principal with a second component of <code class="docutils literal notranslate"><span class="pre">admin</span></code> will become its
-first component. <code class="docutils literal notranslate"><span class="pre">root</span></code> will be used as the local name for any
-principal with a second component of <code class="docutils literal notranslate"><span class="pre">root</span></code>. The exception to
-these two rules are any principals <code class="docutils literal notranslate"><span class="pre">johndoe/*</span></code>, which will
-always get the local name <code class="docutils literal notranslate"><span class="pre">guest</span></code>.</p>
-</dd>
-<dt><strong>auth_to_local_names</strong></dt><dd><p>This subsection allows you to set explicit mappings from principal
-names to local user names. The tag is the mapping name, and the
-value is the corresponding local user name.</p>
-</dd>
-<dt><strong>default_domain</strong></dt><dd><p>This tag specifies the domain used to expand hostnames when
-translating Kerberos 4 service principals to Kerberos 5 principals
-(for example, when converting <code class="docutils literal notranslate"><span class="pre">rcmd.hostname</span></code> to
-<code class="docutils literal notranslate"><span class="pre">host/hostname.domain</span></code>).</p>
-</dd>
-<dt><strong>disable_encrypted_timestamp</strong></dt><dd><p>If this flag is true, the client will not perform encrypted
-timestamp preauthentication if requested by the KDC. Setting this
-flag can help to prevent dictionary attacks by active attackers,
-if the realm’s KDCs support SPAKE preauthentication or if initial
-authentication always uses another mechanism or always uses FAST.
-This flag persists across client referrals during initial
-authentication. This flag does not prevent the KDC from offering
-encrypted timestamp. New in release 1.17.</p>
-</dd>
-<dt><strong>http_anchors</strong></dt><dd><p>When KDCs and kpasswd servers are accessed through HTTPS proxies, this tag
-can be used to specify the location of the CA certificate which should be
-trusted to issue the certificate for a proxy server. If left unspecified,
-the system-wide default set of CA certificates is used.</p>
-<p>The syntax for values is similar to that of values for the
-<strong>pkinit_anchors</strong> tag:</p>
-<p><strong>FILE:</strong> <em>filename</em></p>
-<p><em>filename</em> is assumed to be the name of an OpenSSL-style ca-bundle file.</p>
-<p><strong>DIR:</strong> <em>dirname</em></p>
-<p><em>dirname</em> is assumed to be an directory which contains CA certificates.
-All files in the directory will be examined; if they contain certificates
-(in PEM format), they will be used.</p>
-<p><strong>ENV:</strong> <em>envvar</em></p>
-<p><em>envvar</em> specifies the name of an environment variable which has been set
-to a value conforming to one of the previous values. For example,
-<code class="docutils literal notranslate"><span class="pre">ENV:X509_PROXY_CA</span></code>, where environment variable <code class="docutils literal notranslate"><span class="pre">X509_PROXY_CA</span></code> has
-been set to <code class="docutils literal notranslate"><span class="pre">FILE:/tmp/my_proxy.pem</span></code>.</p>
-</dd>
-<dt><strong>kdc</strong></dt><dd><p>The name or address of a host running a KDC for the realm, or a
-UNIX domain socket path of a locally running KDC. An optional
-port number, separated from the hostname by a colon, may be
-included. If the name or address contains colons (for example, if
-it is an IPv6 address), enclose it in square brackets to
-distinguish the colon from a port separator. For your computer to
-be able to communicate with the KDC for each realm, this tag must
-be given a value in each realm subsection in the configuration
-file, or there must be DNS SRV records specifying the KDCs.</p>
-</dd>
-<dt><strong>kpasswd_server</strong></dt><dd><p>The location of the password change server for the realm, using
-the same syntax as <strong>kdc</strong>. If there is no such entry, DNS will
-be queried (unless forbidden by <strong>dns_lookup_kdc</strong>). Finally,
-port 464 on the <strong>admin_server</strong> host will be tried.</p>
-</dd>
-<dt><strong>master_kdc</strong></dt><dd><p>The name for <strong>primary_kdc</strong> prior to release 1.19. Its value is
-used as a fallback if <strong>primary_kdc</strong> is not specified.</p>
-</dd>
-<dt><strong>primary_kdc</strong></dt><dd><p>Identifies the primary KDC(s). Currently, this tag is used in only
-one case: If an attempt to get credentials fails because of an
-invalid password, the client software will attempt to contact the
-primary KDC, in case the user’s password has just been changed, and
-the updated database has not been propagated to the replica
-servers yet. New in release 1.19.</p>
-</dd>
-<dt><strong>sitename</strong></dt><dd><p>Specifies the name of the host’s site for the purpose of DNS-based
-KDC discovery for this realm. New in release 1.22.</p>
-</dd>
-<dt><strong>v4_instance_convert</strong></dt><dd><p>This subsection allows the administrator to configure exceptions
-to the <strong>default_domain</strong> mapping rule. It contains V4 instances
-(the tag name) which should be translated to some specific
-hostname (the tag value) as the second component in a Kerberos V5
-principal name.</p>
-</dd>
-<dt><strong>v4_realm</strong></dt><dd><p>This relation is used by the krb524 library routines when
-converting a V5 principal name to a V4 principal name. It is used
-when the V4 realm name and the V5 realm name are not the same, but
-still share the same principal names and passwords. The tag value
-is the Kerberos V4 realm name.</p>
-</dd>
-</dl>
-</section>
-<section id="domain-realm">
-<span id="id3"></span><h3>[domain_realm]<a class="headerlink" href="#domain-realm" title="Link to this heading">¶</a></h3>
-<p>The [domain_realm] section provides a translation from hostnames to
-Kerberos realms. Each tag is a domain name, providing the mapping for
-that domain and all subdomains. If the tag begins with a period
-(<code class="docutils literal notranslate"><span class="pre">.</span></code>) then it applies only to subdomains. The Kerberos realm may be
-identified either in the <a class="reference internal" href="#realms">realms</a> section or using DNS SRV records.
-Tag names should be in lower case. For example:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">domain_realm</span><span class="p">]</span>
- <span class="n">crash</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> <span class="o">=</span> <span class="n">TEST</span><span class="o">.</span><span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span>
- <span class="o">.</span><span class="n">dev</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> <span class="o">=</span> <span class="n">TEST</span><span class="o">.</span><span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span>
- <span class="n">mit</span><span class="o">.</span><span class="n">edu</span> <span class="o">=</span> <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span>
-</pre></div>
-</div>
-<p>maps the host with the name <code class="docutils literal notranslate"><span class="pre">crash.mit.edu</span></code> into the
-<code class="docutils literal notranslate"><span class="pre">TEST.ATHENA.MIT.EDU</span></code> realm. The second entry maps all hosts under the
-domain <code class="docutils literal notranslate"><span class="pre">dev.mit.edu</span></code> into the <code class="docutils literal notranslate"><span class="pre">TEST.ATHENA.MIT.EDU</span></code> realm, but not
-the host with the name <code class="docutils literal notranslate"><span class="pre">dev.mit.edu</span></code>. That host is matched
-by the third entry, which maps the host <code class="docutils literal notranslate"><span class="pre">mit.edu</span></code> and all hosts
-under the domain <code class="docutils literal notranslate"><span class="pre">mit.edu</span></code> that do not match a preceding rule
-into the realm <code class="docutils literal notranslate"><span class="pre">ATHENA.MIT.EDU</span></code>.</p>
-<p>If no translation entry applies to a hostname used for a service
-principal for a service ticket request, the library will try to get a
-referral to the appropriate realm from the client realm’s KDC. If
-that does not succeed, the host’s realm is considered to be the
-hostname’s domain portion converted to uppercase, unless the
-<strong>realm_try_domains</strong> setting in [libdefaults] causes a different
-parent domain to be used.</p>
-</section>
-<section id="capaths">
-<span id="id4"></span><h3>[capaths]<a class="headerlink" href="#capaths" title="Link to this heading">¶</a></h3>
-<p>In order to perform direct (non-hierarchical) cross-realm
-authentication, configuration is needed to determine the
-authentication paths between realms.</p>
-<p>A client will use this section to find the authentication path between
-its realm and the realm of the server. The server will use this
-section to verify the authentication path used by the client, by
-checking the transited field of the received ticket.</p>
-<p>There is a tag for each participating client realm, and each tag has
-subtags for each of the server realms. The value of the subtags is an
-intermediate realm which may participate in the cross-realm
-authentication. The subtags may be repeated if there is more then one
-intermediate realm. A value of “.” means that the two realms share
-keys directly, and no intermediate realms should be allowed to
-participate.</p>
-<p>Only those entries which will be needed on the client or the server
-need to be present. A client needs a tag for its local realm with
-subtags for all the realms of servers it will need to authenticate to.
-A server needs a tag for each realm of the clients it will serve, with
-a subtag of the server realm.</p>
-<p>For example, <code class="docutils literal notranslate"><span class="pre">ANL.GOV</span></code>, <code class="docutils literal notranslate"><span class="pre">PNL.GOV</span></code>, and <code class="docutils literal notranslate"><span class="pre">NERSC.GOV</span></code> all wish to
-use the <code class="docutils literal notranslate"><span class="pre">ES.NET</span></code> realm as an intermediate realm. ANL has a sub
-realm of <code class="docutils literal notranslate"><span class="pre">TEST.ANL.GOV</span></code> which will authenticate with <code class="docutils literal notranslate"><span class="pre">NERSC.GOV</span></code>
-but not <code class="docutils literal notranslate"><span class="pre">PNL.GOV</span></code>. The [capaths] section for <code class="docutils literal notranslate"><span class="pre">ANL.GOV</span></code> systems
-would look like this:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">capaths</span><span class="p">]</span>
- <span class="n">ANL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="p">{</span>
- <span class="n">TEST</span><span class="o">.</span><span class="n">ANL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="o">.</span>
- <span class="n">PNL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="n">ES</span><span class="o">.</span><span class="n">NET</span>
- <span class="n">NERSC</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="n">ES</span><span class="o">.</span><span class="n">NET</span>
- <span class="n">ES</span><span class="o">.</span><span class="n">NET</span> <span class="o">=</span> <span class="o">.</span>
- <span class="p">}</span>
- <span class="n">TEST</span><span class="o">.</span><span class="n">ANL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="p">{</span>
- <span class="n">ANL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="o">.</span>
- <span class="p">}</span>
- <span class="n">PNL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="p">{</span>
- <span class="n">ANL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="n">ES</span><span class="o">.</span><span class="n">NET</span>
- <span class="p">}</span>
- <span class="n">NERSC</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="p">{</span>
- <span class="n">ANL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="n">ES</span><span class="o">.</span><span class="n">NET</span>
- <span class="p">}</span>
- <span class="n">ES</span><span class="o">.</span><span class="n">NET</span> <span class="o">=</span> <span class="p">{</span>
- <span class="n">ANL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="o">.</span>
- <span class="p">}</span>
-</pre></div>
-</div>
-<p>The [capaths] section of the configuration file used on <code class="docutils literal notranslate"><span class="pre">NERSC.GOV</span></code>
-systems would look like this:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">capaths</span><span class="p">]</span>
- <span class="n">NERSC</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="p">{</span>
- <span class="n">ANL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="n">ES</span><span class="o">.</span><span class="n">NET</span>
- <span class="n">TEST</span><span class="o">.</span><span class="n">ANL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="n">ES</span><span class="o">.</span><span class="n">NET</span>
- <span class="n">TEST</span><span class="o">.</span><span class="n">ANL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="n">ANL</span><span class="o">.</span><span class="n">GOV</span>
- <span class="n">PNL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="n">ES</span><span class="o">.</span><span class="n">NET</span>
- <span class="n">ES</span><span class="o">.</span><span class="n">NET</span> <span class="o">=</span> <span class="o">.</span>
- <span class="p">}</span>
- <span class="n">ANL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="p">{</span>
- <span class="n">NERSC</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="n">ES</span><span class="o">.</span><span class="n">NET</span>
- <span class="p">}</span>
- <span class="n">PNL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="p">{</span>
- <span class="n">NERSC</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="n">ES</span><span class="o">.</span><span class="n">NET</span>
- <span class="p">}</span>
- <span class="n">ES</span><span class="o">.</span><span class="n">NET</span> <span class="o">=</span> <span class="p">{</span>
- <span class="n">NERSC</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="o">.</span>
- <span class="p">}</span>
- <span class="n">TEST</span><span class="o">.</span><span class="n">ANL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="p">{</span>
- <span class="n">NERSC</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="n">ANL</span><span class="o">.</span><span class="n">GOV</span>
- <span class="n">NERSC</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="n">ES</span><span class="o">.</span><span class="n">NET</span>
- <span class="p">}</span>
-</pre></div>
-</div>
-<p>When a subtag is used more than once within a tag, clients will use
-the order of values to determine the path. The order of values is not
-important to servers.</p>
-</section>
-<section id="appdefaults">
-<span id="id5"></span><h3>[appdefaults]<a class="headerlink" href="#appdefaults" title="Link to this heading">¶</a></h3>
-<p>Each tag in the [appdefaults] section names a Kerberos V5 application
-or an option that is used by some Kerberos V5 application[s]. The
-value of the tag defines the default behaviors for that application.</p>
-<p>For example:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">appdefaults</span><span class="p">]</span>
- <span class="n">telnet</span> <span class="o">=</span> <span class="p">{</span>
- <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="o">=</span> <span class="p">{</span>
- <span class="n">option1</span> <span class="o">=</span> <span class="n">false</span>
- <span class="p">}</span>
- <span class="p">}</span>
- <span class="n">telnet</span> <span class="o">=</span> <span class="p">{</span>
- <span class="n">option1</span> <span class="o">=</span> <span class="n">true</span>
- <span class="n">option2</span> <span class="o">=</span> <span class="n">true</span>
- <span class="p">}</span>
- <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="o">=</span> <span class="p">{</span>
- <span class="n">option2</span> <span class="o">=</span> <span class="n">false</span>
- <span class="p">}</span>
- <span class="n">option2</span> <span class="o">=</span> <span class="n">true</span>
-</pre></div>
-</div>
-<p>The above four ways of specifying the value of an option are shown in
-order of decreasing precedence. In this example, if telnet is running
-in the realm EXAMPLE.COM, it should, by default, have option1 and
-option2 set to true. However, a telnet program in the realm
-<code class="docutils literal notranslate"><span class="pre">ATHENA.MIT.EDU</span></code> should have <code class="docutils literal notranslate"><span class="pre">option1</span></code> set to false and
-<code class="docutils literal notranslate"><span class="pre">option2</span></code> set to true. Any other programs in ATHENA.MIT.EDU should
-have <code class="docutils literal notranslate"><span class="pre">option2</span></code> set to false by default. Any programs running in
-other realms should have <code class="docutils literal notranslate"><span class="pre">option2</span></code> set to true.</p>
-<p>The list of specifiable options for each application may be found in
-that application’s man pages. The application defaults specified here
-are overridden by those specified in the <a class="reference internal" href="#realms">realms</a> section.</p>
-</section>
-<section id="plugins">
-<span id="id6"></span><h3>[plugins]<a class="headerlink" href="#plugins" title="Link to this heading">¶</a></h3>
-<blockquote>
-<div><ul class="simple">
-<li><p><a class="reference internal" href="#pwqual">pwqual</a> interface</p></li>
-<li><p><a class="reference internal" href="#kadm5-hook">kadm5_hook</a> interface</p></li>
-<li><p><a class="reference internal" href="#clpreauth">clpreauth</a> and <a class="reference internal" href="#kdcpreauth">kdcpreauth</a> interfaces</p></li>
-</ul>
-</div></blockquote>
-<p>Tags in the [plugins] section can be used to register dynamic plugin
-modules and to turn modules on and off. Not every krb5 pluggable
-interface uses the [plugins] section; the ones that do are documented
-here.</p>
-<p>New in release 1.9.</p>
-<p>Each pluggable interface corresponds to a subsection of [plugins].
-All subsections support the same tags:</p>
-<dl class="simple">
-<dt><strong>disable</strong></dt><dd><p>This tag may have multiple values. If there are values for this
-tag, then the named modules will be disabled for the pluggable
-interface.</p>
-</dd>
-<dt><strong>enable_only</strong></dt><dd><p>This tag may have multiple values. If there are values for this
-tag, then only the named modules will be enabled for the pluggable
-interface.</p>
-</dd>
-<dt><strong>module</strong></dt><dd><p>This tag may have multiple values. Each value is a string of the
-form <code class="docutils literal notranslate"><span class="pre">modulename:pathname</span></code>, which causes the shared object
-located at <em>pathname</em> to be registered as a dynamic module named
-<em>modulename</em> for the pluggable interface. If <em>pathname</em> is not an
-absolute path, it will be treated as relative to the
-<strong>plugin_base_dir</strong> value from <a class="reference internal" href="#libdefaults"><span class="std std-ref">[libdefaults]</span></a>.</p>
-</dd>
-</dl>
-<p>For pluggable interfaces where module order matters, modules
-registered with a <strong>module</strong> tag normally come first, in the order
-they are registered, followed by built-in modules in the order they
-are documented below. If <strong>enable_only</strong> tags are used, then the
-order of those tags overrides the normal module order.</p>
-<p>The following subsections are currently supported within the [plugins]
-section:</p>
-<section id="ccselect-interface">
-<span id="ccselect"></span><h4>ccselect interface<a class="headerlink" href="#ccselect-interface" title="Link to this heading">¶</a></h4>
-<p>The ccselect subsection controls modules for credential cache
-selection within a cache collection. In addition to any registered
-dynamic modules, the following built-in modules exist (and may be
-disabled with the disable tag):</p>
-<dl class="simple">
-<dt><strong>k5identity</strong></dt><dd><p>Uses a .k5identity file in the user’s home directory to select a
-client principal</p>
-</dd>
-<dt><strong>realm</strong></dt><dd><p>Uses the service realm to guess an appropriate cache from the
-collection</p>
-</dd>
-<dt><strong>hostname</strong></dt><dd><p>If the service principal is host-based, uses the service hostname
-to guess an appropriate cache from the collection</p>
-</dd>
-</dl>
-</section>
-<section id="pwqual-interface">
-<span id="pwqual"></span><h4>pwqual interface<a class="headerlink" href="#pwqual-interface" title="Link to this heading">¶</a></h4>
-<p>The pwqual subsection controls modules for the password quality
-interface, which is used to reject weak passwords when passwords are
-changed. The following built-in modules exist for this interface:</p>
-<dl class="simple">
-<dt><strong>dict</strong></dt><dd><p>Checks against the realm dictionary file</p>
-</dd>
-<dt><strong>empty</strong></dt><dd><p>Rejects empty passwords</p>
-</dd>
-<dt><strong>hesiod</strong></dt><dd><p>Checks against user information stored in Hesiod (only if Kerberos
-was built with Hesiod support)</p>
-</dd>
-<dt><strong>princ</strong></dt><dd><p>Checks against components of the principal name</p>
-</dd>
-</dl>
-</section>
-<section id="kadm5-hook-interface">
-<span id="kadm5-hook"></span><h4>kadm5_hook interface<a class="headerlink" href="#kadm5-hook-interface" title="Link to this heading">¶</a></h4>
-<p>The kadm5_hook interface provides plugins with information on
-principal creation, modification, password changes and deletion. This
-interface can be used to write a plugin to synchronize MIT Kerberos
-with another database such as Active Directory. No plugins are built
-in for this interface.</p>
-</section>
-<section id="kadm5-auth-interface">
-<span id="kadm5-auth"></span><h4>kadm5_auth interface<a class="headerlink" href="#kadm5-auth-interface" title="Link to this heading">¶</a></h4>
-<p>The kadm5_auth section (introduced in release 1.16) controls modules
-for the kadmin authorization interface, which determines whether a
-client principal is allowed to perform a kadmin operation. The
-following built-in modules exist for this interface:</p>
-<dl class="simple">
-<dt><strong>acl</strong></dt><dd><p>This module reads the <a class="reference internal" href="kadm5_acl.html#kadm5-acl-5"><span class="std std-ref">kadm5.acl</span></a> file, and authorizes
-operations which are allowed according to the rules in the file.</p>
-</dd>
-<dt><strong>self</strong></dt><dd><p>This module authorizes self-service operations including password
-changes, creation of new random keys, fetching the client’s
-principal record or string attributes, and fetching the policy
-record associated with the client principal.</p>
-</dd>
-</dl>
-</section>
-<section id="clpreauth-and-kdcpreauth-interfaces">
-<span id="kdcpreauth"></span><span id="clpreauth"></span><h4>clpreauth and kdcpreauth interfaces<a class="headerlink" href="#clpreauth-and-kdcpreauth-interfaces" title="Link to this heading">¶</a></h4>
-<p>The clpreauth and kdcpreauth interfaces allow plugin modules to
-provide client and KDC preauthentication mechanisms. The following
-built-in modules exist for these interfaces:</p>
-<dl class="simple">
-<dt><strong>pkinit</strong></dt><dd><p>This module implements the PKINIT preauthentication mechanism.</p>
-</dd>
-<dt><strong>encrypted_challenge</strong></dt><dd><p>This module implements the encrypted challenge FAST factor.</p>
-</dd>
-<dt><strong>encrypted_timestamp</strong></dt><dd><p>This module implements the encrypted timestamp mechanism.</p>
-</dd>
-</dl>
-</section>
-<section id="hostrealm-interface">
-<span id="hostrealm"></span><h4>hostrealm interface<a class="headerlink" href="#hostrealm-interface" title="Link to this heading">¶</a></h4>
-<p>The hostrealm section (introduced in release 1.12) controls modules
-for the host-to-realm interface, which affects the local mapping of
-hostnames to realm names and the choice of default realm. The following
-built-in modules exist for this interface:</p>
-<dl class="simple">
-<dt><strong>profile</strong></dt><dd><p>This module consults the [domain_realm] section of the profile for
-authoritative host-to-realm mappings, and the <strong>default_realm</strong>
-variable for the default realm.</p>
-</dd>
-<dt><strong>dns</strong></dt><dd><p>This module looks for DNS records for fallback host-to-realm
-mappings and the default realm. It only operates if the
-<strong>dns_lookup_realm</strong> variable is set to true.</p>
-</dd>
-<dt><strong>domain</strong></dt><dd><p>This module applies heuristics for fallback host-to-realm
-mappings. It implements the <strong>realm_try_domains</strong> variable, and
-uses the uppercased parent domain of the hostname if that does not
-produce a result.</p>
-</dd>
-</dl>
-</section>
-<section id="localauth-interface">
-<span id="localauth"></span><h4>localauth interface<a class="headerlink" href="#localauth-interface" title="Link to this heading">¶</a></h4>
-<p>The localauth section (introduced in release 1.12) controls modules
-for the local authorization interface, which affects the relationship
-between Kerberos principals and local system accounts. The following
-built-in modules exist for this interface:</p>
-<dl class="simple">
-<dt><strong>default</strong></dt><dd><p>This module implements the <strong>DEFAULT</strong> type for <strong>auth_to_local</strong>
-values.</p>
-</dd>
-<dt><strong>rule</strong></dt><dd><p>This module implements the <strong>RULE</strong> type for <strong>auth_to_local</strong>
-values.</p>
-</dd>
-<dt><strong>names</strong></dt><dd><p>This module looks for an <strong>auth_to_local_names</strong> mapping for the
-principal name.</p>
-</dd>
-<dt><strong>auth_to_local</strong></dt><dd><p>This module processes <strong>auth_to_local</strong> values in the default
-realm’s section, and applies the default method if no
-<strong>auth_to_local</strong> values exist.</p>
-</dd>
-<dt><strong>k5login</strong></dt><dd><p>This module authorizes a principal to a local account according to
-the account’s <a class="reference internal" href="../../user/user_config/k5login.html#k5login-5"><span class="std std-ref">.k5login</span></a> file.</p>
-</dd>
-<dt><strong>an2ln</strong></dt><dd><p>This module authorizes a principal to a local account if the
-principal name maps to the local account name.</p>
-</dd>
-</dl>
-</section>
-<section id="certauth-interface">
-<span id="certauth"></span><h4>certauth interface<a class="headerlink" href="#certauth-interface" title="Link to this heading">¶</a></h4>
-<p>The certauth section (introduced in release 1.16) controls modules for
-the certificate authorization interface, which determines whether a
-certificate is allowed to preauthenticate a user via PKINIT. The
-following built-in modules exist for this interface:</p>
-<dl class="simple">
-<dt><strong>pkinit_san</strong></dt><dd><p>This module authorizes the certificate if it contains a PKINIT
-Subject Alternative Name for the requested client principal, or a
-Microsoft UPN SAN matching the principal if <strong>pkinit_allow_upn</strong>
-is set to true for the realm.</p>
-</dd>
-<dt><strong>pkinit_eku</strong></dt><dd><p>This module rejects the certificate if it does not contain an
-Extended Key Usage attribute consistent with the
-<strong>pkinit_eku_checking</strong> value for the realm.</p>
-</dd>
-<dt><strong>dbmatch</strong></dt><dd><p>This module authorizes or rejects the certificate according to
-whether it matches the <strong>pkinit_cert_match</strong> string attribute on
-the client principal, if that attribute is present.</p>
-</dd>
-</dl>
-</section>
-</section>
-</section>
-<section id="pkinit-options">
-<h2>PKINIT options<a class="headerlink" href="#pkinit-options" title="Link to this heading">¶</a></h2>
-<div class="admonition note">
-<p class="admonition-title">Note</p>
-<p>The following are PKINIT-specific options. These values may
-be specified in [libdefaults] as global defaults, or within
-a realm-specific subsection of [libdefaults], or may be
-specified as realm-specific values in the [realms] section.
-A realm-specific value overrides, not adds to, a generic
-[libdefaults] specification. The search order is:</p>
-</div>
-<ol class="arabic">
-<li><p>realm-specific subsection of [libdefaults]:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">libdefaults</span><span class="p">]</span>
- <span class="n">EXAMPLE</span><span class="o">.</span><span class="n">COM</span> <span class="o">=</span> <span class="p">{</span>
- <span class="n">pkinit_anchors</span> <span class="o">=</span> <span class="n">FILE</span><span class="p">:</span><span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">local</span><span class="o">/</span><span class="n">example</span><span class="o">.</span><span class="n">com</span><span class="o">.</span><span class="n">crt</span>
- <span class="p">}</span>
-</pre></div>
-</div>
-</li>
-<li><p>realm-specific value in the [realms] section:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">realms</span><span class="p">]</span>
- <span class="n">OTHERREALM</span><span class="o">.</span><span class="n">ORG</span> <span class="o">=</span> <span class="p">{</span>
- <span class="n">pkinit_anchors</span> <span class="o">=</span> <span class="n">FILE</span><span class="p">:</span><span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">local</span><span class="o">/</span><span class="n">otherrealm</span><span class="o">.</span><span class="n">org</span><span class="o">.</span><span class="n">crt</span>
- <span class="p">}</span>
-</pre></div>
-</div>
-</li>
-<li><p>generic value in the [libdefaults] section:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">libdefaults</span><span class="p">]</span>
- <span class="n">pkinit_anchors</span> <span class="o">=</span> <span class="n">DIR</span><span class="p">:</span><span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">local</span><span class="o">/</span><span class="n">generic_trusted_cas</span><span class="o">/</span>
-</pre></div>
-</div>
-</li>
-</ol>
-<section id="specifying-pkinit-identity-information">
-<span id="pkinit-identity"></span><h3>Specifying PKINIT identity information<a class="headerlink" href="#specifying-pkinit-identity-information" title="Link to this heading">¶</a></h3>
-<p>The syntax for specifying Public Key identity, trust, and revocation
-information for PKINIT is as follows:</p>
-<dl>
-<dt><strong>FILE:</strong><em>filename</em>[<strong>,</strong><em>keyfilename</em>]</dt><dd><p>This option has context-specific behavior.</p>
-<p>In <strong>pkinit_identity</strong> or <strong>pkinit_identities</strong>, <em>filename</em>
-specifies the name of a PEM-format file containing the user’s
-certificate. If <em>keyfilename</em> is not specified, the user’s
-private key is expected to be in <em>filename</em> as well. Otherwise,
-<em>keyfilename</em> is the name of the file containing the private key.</p>
-<p>In <strong>pkinit_anchors</strong> or <strong>pkinit_pool</strong>, <em>filename</em> is assumed to
-be the name of an OpenSSL-style ca-bundle file.</p>
-</dd>
-<dt><strong>DIR:</strong><em>dirname</em></dt><dd><p>This option has context-specific behavior.</p>
-<p>In <strong>pkinit_identity</strong> or <strong>pkinit_identities</strong>, <em>dirname</em>
-specifies a directory with files named <code class="docutils literal notranslate"><span class="pre">*.crt</span></code> and <code class="docutils literal notranslate"><span class="pre">*.key</span></code>
-where the first part of the file name is the same for matching
-pairs of certificate and private key files. When a file with a
-name ending with <code class="docutils literal notranslate"><span class="pre">.crt</span></code> is found, a matching file ending with
-<code class="docutils literal notranslate"><span class="pre">.key</span></code> is assumed to contain the private key. If no such file
-is found, then the certificate in the <code class="docutils literal notranslate"><span class="pre">.crt</span></code> is not used.</p>
-<p>In <strong>pkinit_anchors</strong> or <strong>pkinit_pool</strong>, <em>dirname</em> is assumed to
-be an OpenSSL-style hashed CA directory where each CA cert is
-stored in a file named <code class="docutils literal notranslate"><span class="pre">hash-of-ca-cert.#</span></code>. This infrastructure
-is encouraged, but all files in the directory will be examined and
-if they contain certificates (in PEM format), they will be used.</p>
-<p>In <strong>pkinit_revoke</strong>, <em>dirname</em> is assumed to be an OpenSSL-style
-hashed CA directory where each revocation list is stored in a file
-named <code class="docutils literal notranslate"><span class="pre">hash-of-ca-cert.r#</span></code>. This infrastructure is encouraged,
-but all files in the directory will be examined and if they
-contain a revocation list (in PEM format), they will be used.</p>
-</dd>
-<dt><strong>PKCS12:</strong><em>filename</em></dt><dd><p><em>filename</em> is the name of a PKCS #12 format file, containing the
-user’s certificate and private key.</p>
-</dd>
-<dt><strong>PKCS11:</strong>[<strong>module_name=</strong>]<em>modname</em>[<strong>:slotid=</strong><em>slot-id</em>][<strong>:token=</strong><em>token-label</em>][<strong>:certid=</strong><em>cert-id</em>][<strong>:certlabel=</strong><em>cert-label</em>]</dt><dd><p>All keyword/values are optional. <em>modname</em> specifies the location
-of a library implementing PKCS #11. If a value is encountered
-with no keyword, it is assumed to be the <em>modname</em>. If no
-module-name is specified, the default is <a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">PKCS11_MODNAME</span></a>.
-<code class="docutils literal notranslate"><span class="pre">slotid=</span></code> and/or <code class="docutils literal notranslate"><span class="pre">token=</span></code> may be specified to force the use of
-a particular smard card reader or token if there is more than one
-available. <code class="docutils literal notranslate"><span class="pre">certid=</span></code> and/or <code class="docutils literal notranslate"><span class="pre">certlabel=</span></code> may be specified to
-force the selection of a particular certificate on the device.
-Specifier values must not contain colon characters, as colons are
-always treated as separators. See the <strong>pkinit_cert_match</strong>
-configuration option for more ways to select a particular
-certificate to use for PKINIT.</p>
-</dd>
-<dt><strong>ENV:</strong><em>envvar</em></dt><dd><p><em>envvar</em> specifies the name of an environment variable which has
-been set to a value conforming to one of the previous values. For
-example, <code class="docutils literal notranslate"><span class="pre">ENV:X509_PROXY</span></code>, where environment variable
-<code class="docutils literal notranslate"><span class="pre">X509_PROXY</span></code> has been set to <code class="docutils literal notranslate"><span class="pre">FILE:/tmp/my_proxy.pem</span></code>.</p>
-</dd>
-</dl>
-</section>
-<section id="pkinit-krb5-conf-options">
-<h3>PKINIT krb5.conf options<a class="headerlink" href="#pkinit-krb5-conf-options" title="Link to this heading">¶</a></h3>
-<dl>
-<dt><strong>pkinit_anchors</strong></dt><dd><p>Specifies the location of trusted anchor (root) certificates which
-the client trusts to sign KDC certificates. This option may be
-specified multiple times. These values from the config file are
-not used if the user specifies X509_anchors on the command line.</p>
-</dd>
-<dt><strong>pkinit_cert_match</strong></dt><dd><p>Specifies matching rules that the client certificate must match
-before it is used to attempt PKINIT authentication. If a user has
-multiple certificates available (on a smart card, or via other
-media), there must be exactly one certificate chosen before
-attempting PKINIT authentication. This option may be specified
-multiple times. All the available certificates are checked
-against each rule in order until there is a match of exactly one
-certificate.</p>
-<p>The Subject and Issuer comparison strings are the <span class="target" id="index-4"></span><a class="rfc reference external" href="https://datatracker.ietf.org/doc/html/rfc2253.html"><strong>RFC 2253</strong></a>
-string representations from the certificate Subject DN and Issuer
-DN values.</p>
-<p>The syntax of the matching rules is:</p>
-<blockquote>
-<div><p>[<em>relation-operator</em>]<em>component-rule</em> …</p>
-</div></blockquote>
-<p>where:</p>
-<dl>
-<dt><em>relation-operator</em></dt><dd><p>can be either <code class="docutils literal notranslate"><span class="pre">&amp;&amp;</span></code>, meaning all component rules must match,
-or <code class="docutils literal notranslate"><span class="pre">||</span></code>, meaning only one component rule must match. The
-default is <code class="docutils literal notranslate"><span class="pre">&amp;&amp;</span></code>.</p>
-</dd>
-<dt><em>component-rule</em></dt><dd><p>can be one of the following. Note that there is no
-punctuation or whitespace between component rules.</p>
-<blockquote>
-<div><div class="line-block">
-<div class="line"><strong>&lt;SUBJECT&gt;</strong><em>regular-expression</em></div>
-<div class="line"><strong>&lt;ISSUER&gt;</strong><em>regular-expression</em></div>
-<div class="line"><strong>&lt;SAN&gt;</strong><em>regular-expression</em></div>
-<div class="line"><strong>&lt;EKU&gt;</strong><em>extended-key-usage-list</em></div>
-<div class="line"><strong>&lt;KU&gt;</strong><em>key-usage-list</em></div>
-</div>
-</div></blockquote>
-<p><em>extended-key-usage-list</em> is a comma-separated list of
-required Extended Key Usage values. All values in the list
-must be present in the certificate. Extended Key Usage values
-can be:</p>
-<ul class="simple">
-<li><p>pkinit</p></li>
-<li><p>msScLogin</p></li>
-<li><p>clientAuth</p></li>
-<li><p>emailProtection</p></li>
-</ul>
-<p><em>key-usage-list</em> is a comma-separated list of required Key
-Usage values. All values in the list must be present in the
-certificate. Key Usage values can be:</p>
-<ul class="simple">
-<li><p>digitalSignature</p></li>
-<li><p>keyEncipherment</p></li>
-</ul>
-</dd>
-</dl>
-<p>Examples:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">pkinit_cert_match</span> <span class="o">=</span> <span class="o">||&lt;</span><span class="n">SUBJECT</span><span class="o">&gt;.*</span><span class="n">DoE</span><span class="o">.*&lt;</span><span class="n">SAN</span><span class="o">&gt;.*</span><span class="nd">@EXAMPLE</span><span class="o">.</span><span class="n">COM</span>
-<span class="n">pkinit_cert_match</span> <span class="o">=</span> <span class="o">&amp;&amp;&lt;</span><span class="n">EKU</span><span class="o">&gt;</span><span class="n">msScLogin</span><span class="p">,</span><span class="n">clientAuth</span><span class="o">&lt;</span><span class="n">ISSUER</span><span class="o">&gt;.*</span><span class="n">DoE</span><span class="o">.*</span>
-<span class="n">pkinit_cert_match</span> <span class="o">=</span> <span class="o">&lt;</span><span class="n">EKU</span><span class="o">&gt;</span><span class="n">msScLogin</span><span class="p">,</span><span class="n">clientAuth</span><span class="o">&lt;</span><span class="n">KU</span><span class="o">&gt;</span><span class="n">digitalSignature</span>
-</pre></div>
-</div>
-</dd>
-<dt><strong>pkinit_eku_checking</strong></dt><dd><p>This option specifies what Extended Key Usage value the KDC
-certificate presented to the client must contain. (Note that if
-the KDC certificate has the pkinit SubjectAlternativeName encoded
-as the Kerberos TGS name, EKU checking is not necessary since the
-issuing CA has certified this as a KDC certificate.) The values
-recognized in the krb5.conf file are:</p>
-<dl class="simple">
-<dt><strong>kpKDC</strong></dt><dd><p>This is the default value and specifies that the KDC must have
-the id-pkinit-KPKdc EKU as defined in <span class="target" id="index-5"></span><a class="rfc reference external" href="https://datatracker.ietf.org/doc/html/rfc4556.html"><strong>RFC 4556</strong></a>.</p>
-</dd>
-<dt><strong>kpServerAuth</strong></dt><dd><p>If <strong>kpServerAuth</strong> is specified, a KDC certificate with the
-id-kp-serverAuth EKU will be accepted. This key usage value
-is used in most commercially issued server certificates.</p>
-</dd>
-<dt><strong>none</strong></dt><dd><p>If <strong>none</strong> is specified, then the KDC certificate will not be
-checked to verify it has an acceptable EKU. The use of this
-option is not recommended.</p>
-</dd>
-</dl>
-</dd>
-<dt><strong>pkinit_dh_min_bits</strong></dt><dd><p>Specifies the group of the Diffie-Hellman key the client will
-attempt to use. The acceptable values are 1024, 2048, P-256,
-4096, P-384, and P-521. The default is 2048. (P-256, P-384, and
-P-521 are new in release 1.22.)</p>
-</dd>
-<dt><strong>pkinit_identities</strong></dt><dd><p>Specifies the location(s) to be used to find the user’s X.509
-identity information. If this option is specified multiple times,
-each value is attempted in order until certificates are found.
-Note that these values are not used if the user specifies
-<strong>X509_user_identity</strong> on the command line.</p>
-</dd>
-<dt><strong>pkinit_kdc_hostname</strong></dt><dd><p>The presence of this option indicates that the client is willing
-to accept a KDC certificate with a dNSName SAN (Subject
-Alternative Name) rather than requiring the id-pkinit-san as
-defined in <span class="target" id="index-6"></span><a class="rfc reference external" href="https://datatracker.ietf.org/doc/html/rfc4556.html"><strong>RFC 4556</strong></a>. This option may be specified multiple
-times. Its value should contain the acceptable hostname for the
-KDC (as contained in its certificate).</p>
-</dd>
-<dt><strong>pkinit_pool</strong></dt><dd><p>Specifies the location of intermediate certificates which may be
-used by the client to complete the trust chain between a KDC
-certificate and a trusted anchor. This option may be specified
-multiple times.</p>
-</dd>
-<dt><strong>pkinit_require_crl_checking</strong></dt><dd><p>The default certificate verification process will always check the
-available revocation information to see if a certificate has been
-revoked. If a match is found for the certificate in a CRL,
-verification fails. If the certificate being verified is not
-listed in a CRL, or there is no CRL present for its issuing CA,
-and <strong>pkinit_require_crl_checking</strong> is false, then verification
-succeeds.</p>
-<p>However, if <strong>pkinit_require_crl_checking</strong> is true and there is
-no CRL information available for the issuing CA, then verification
-fails.</p>
-<p><strong>pkinit_require_crl_checking</strong> should be set to true if the
-policy is such that up-to-date CRLs must be present for every CA.</p>
-</dd>
-<dt><strong>pkinit_revoke</strong></dt><dd><p>Specifies the location of Certificate Revocation List (CRL)
-information to be used by the client when verifying the validity
-of the KDC certificate presented. This option may be specified
-multiple times.</p>
-</dd>
-</dl>
-</section>
-</section>
-<section id="parameter-expansion">
-<span id="id7"></span><h2>Parameter expansion<a class="headerlink" href="#parameter-expansion" title="Link to this heading">¶</a></h2>
-<p>Starting with release 1.11, several variables, such as
-<strong>default_keytab_name</strong>, allow parameters to be expanded.
-Valid parameters are:</p>
-<blockquote>
-<div><table class="docutils align-default">
-<tbody>
-<tr class="row-odd"><td><p>%{TEMP}</p></td>
-<td><p>Temporary directory</p></td>
-</tr>
-<tr class="row-even"><td><p>%{uid}</p></td>
-<td><p>Unix real UID or Windows SID</p></td>
-</tr>
-<tr class="row-odd"><td><p>%{euid}</p></td>
-<td><p>Unix effective user ID or Windows SID</p></td>
-</tr>
-<tr class="row-even"><td><p>%{USERID}</p></td>
-<td><p>Same as %{uid}</p></td>
-</tr>
-<tr class="row-odd"><td><p>%{null}</p></td>
-<td><p>Empty string</p></td>
-</tr>
-<tr class="row-even"><td><p>%{LIBDIR}</p></td>
-<td><p>Installation library directory</p></td>
-</tr>
-<tr class="row-odd"><td><p>%{BINDIR}</p></td>
-<td><p>Installation binary directory</p></td>
-</tr>
-<tr class="row-even"><td><p>%{SBINDIR}</p></td>
-<td><p>Installation admin binary directory</p></td>
-</tr>
-<tr class="row-odd"><td><p>%{username}</p></td>
-<td><p>(Unix) Username of effective user ID</p></td>
-</tr>
-<tr class="row-even"><td><p>%{APPDATA}</p></td>
-<td><p>(Windows) Roaming application data for current user</p></td>
-</tr>
-<tr class="row-odd"><td><p>%{COMMON_APPDATA}</p></td>
-<td><p>(Windows) Application data for all users</p></td>
-</tr>
-<tr class="row-even"><td><p>%{LOCAL_APPDATA}</p></td>
-<td><p>(Windows) Local application data for current user</p></td>
-</tr>
-<tr class="row-odd"><td><p>%{SYSTEM}</p></td>
-<td><p>(Windows) Windows system folder</p></td>
-</tr>
-<tr class="row-even"><td><p>%{WINDOWS}</p></td>
-<td><p>(Windows) Windows folder</p></td>
-</tr>
-<tr class="row-odd"><td><p>%{USERCONFIG}</p></td>
-<td><p>(Windows) Per-user MIT krb5 config file directory</p></td>
-</tr>
-<tr class="row-even"><td><p>%{COMMONCONFIG}</p></td>
-<td><p>(Windows) Common MIT krb5 config file directory</p></td>
-</tr>
-</tbody>
-</table>
-</div></blockquote>
-</section>
-<section id="sample-krb5-conf-file">
-<h2>Sample krb5.conf file<a class="headerlink" href="#sample-krb5-conf-file" title="Link to this heading">¶</a></h2>
-<p>Here is an example of a generic krb5.conf file:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">libdefaults</span><span class="p">]</span>
- <span class="n">default_realm</span> <span class="o">=</span> <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span>
- <span class="n">dns_lookup_kdc</span> <span class="o">=</span> <span class="n">true</span>
- <span class="n">dns_lookup_realm</span> <span class="o">=</span> <span class="n">false</span>
-
-<span class="p">[</span><span class="n">realms</span><span class="p">]</span>
- <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="o">=</span> <span class="p">{</span>
- <span class="n">kdc</span> <span class="o">=</span> <span class="n">kerberos</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span>
- <span class="n">kdc</span> <span class="o">=</span> <span class="n">kerberos</span><span class="o">-</span><span class="mf">1.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span>
- <span class="n">kdc</span> <span class="o">=</span> <span class="n">kerberos</span><span class="o">-</span><span class="mf">2.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span>
- <span class="n">admin_server</span> <span class="o">=</span> <span class="n">kerberos</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span>
- <span class="n">primary_kdc</span> <span class="o">=</span> <span class="n">kerberos</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span>
- <span class="p">}</span>
- <span class="n">EXAMPLE</span><span class="o">.</span><span class="n">COM</span> <span class="o">=</span> <span class="p">{</span>
- <span class="n">kdc</span> <span class="o">=</span> <span class="n">kerberos</span><span class="o">.</span><span class="n">example</span><span class="o">.</span><span class="n">com</span>
- <span class="n">kdc</span> <span class="o">=</span> <span class="n">kerberos</span><span class="o">-</span><span class="mf">1.</span><span class="n">example</span><span class="o">.</span><span class="n">com</span>
- <span class="n">admin_server</span> <span class="o">=</span> <span class="n">kerberos</span><span class="o">.</span><span class="n">example</span><span class="o">.</span><span class="n">com</span>
- <span class="p">}</span>
-
-<span class="p">[</span><span class="n">domain_realm</span><span class="p">]</span>
- <span class="n">mit</span><span class="o">.</span><span class="n">edu</span> <span class="o">=</span> <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span>
-
-<span class="p">[</span><span class="n">capaths</span><span class="p">]</span>
- <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="o">=</span> <span class="p">{</span>
- <span class="n">EXAMPLE</span><span class="o">.</span><span class="n">COM</span> <span class="o">=</span> <span class="o">.</span>
- <span class="p">}</span>
- <span class="n">EXAMPLE</span><span class="o">.</span><span class="n">COM</span> <span class="o">=</span> <span class="p">{</span>
- <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="o">=</span> <span class="o">.</span>
- <span class="p">}</span>
-</pre></div>
-</div>
-</section>
-<section id="files">
-<h2>FILES<a class="headerlink" href="#files" title="Link to this heading">¶</a></h2>
-<p><code class="docutils literal notranslate"><span class="pre">/etc/krb5.conf</span></code></p>
-</section>
-<section id="see-also">
-<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Link to this heading">¶</a></h2>
-<p>syslog(3)</p>
-</section>
-</section>
-
-
- <div class="clearer"></div>
- </div>
- </div>
- </div>
- </div>
- <div class="sidebar">
-
- <h2>On this page</h2>
- <ul>
-<li><a class="reference internal" href="#">krb5.conf</a><ul>
-<li><a class="reference internal" href="#structure">Structure</a></li>
-<li><a class="reference internal" href="#sections">Sections</a><ul>
-<li><a class="reference internal" href="#libdefaults">[libdefaults]</a></li>
-<li><a class="reference internal" href="#realms">[realms]</a></li>
-<li><a class="reference internal" href="#domain-realm">[domain_realm]</a></li>
-<li><a class="reference internal" href="#capaths">[capaths]</a></li>
-<li><a class="reference internal" href="#appdefaults">[appdefaults]</a></li>
-<li><a class="reference internal" href="#plugins">[plugins]</a><ul>
-<li><a class="reference internal" href="#ccselect-interface">ccselect interface</a></li>
-<li><a class="reference internal" href="#pwqual-interface">pwqual interface</a></li>
-<li><a class="reference internal" href="#kadm5-hook-interface">kadm5_hook interface</a></li>
-<li><a class="reference internal" href="#kadm5-auth-interface">kadm5_auth interface</a></li>
-<li><a class="reference internal" href="#clpreauth-and-kdcpreauth-interfaces">clpreauth and kdcpreauth interfaces</a></li>
-<li><a class="reference internal" href="#hostrealm-interface">hostrealm interface</a></li>
-<li><a class="reference internal" href="#localauth-interface">localauth interface</a></li>
-<li><a class="reference internal" href="#certauth-interface">certauth interface</a></li>
-</ul>
-</li>
-</ul>
-</li>
-<li><a class="reference internal" href="#pkinit-options">PKINIT options</a><ul>
-<li><a class="reference internal" href="#specifying-pkinit-identity-information">Specifying PKINIT identity information</a></li>
-<li><a class="reference internal" href="#pkinit-krb5-conf-options">PKINIT krb5.conf options</a></li>
-</ul>
-</li>
-<li><a class="reference internal" href="#parameter-expansion">Parameter expansion</a></li>
-<li><a class="reference internal" href="#sample-krb5-conf-file">Sample krb5.conf file</a></li>
-<li><a class="reference internal" href="#files">FILES</a></li>
-<li><a class="reference internal" href="#see-also">SEE ALSO</a></li>
-</ul>
-</li>
-</ul>
-
- <br/>
- <h2>Table of contents</h2>
- <ul class="current">
-<li class="toctree-l1"><a class="reference internal" href="../../user/index.html">For users</a></li>
-<li class="toctree-l1 current"><a class="reference internal" href="../index.html">For administrators</a><ul class="current">
-<li class="toctree-l2"><a class="reference internal" href="../install.html">Installation guide</a></li>
-<li class="toctree-l2 current"><a class="reference internal" href="index.html">Configuration Files</a><ul class="current">
-<li class="toctree-l3 current"><a class="current reference internal" href="#">krb5.conf</a></li>
-<li class="toctree-l3"><a class="reference internal" href="kdc_conf.html">kdc.conf</a></li>
-<li class="toctree-l3"><a class="reference internal" href="kadm5_acl.html">kadm5.acl</a></li>
-</ul>
-</li>
-<li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../dbtypes.html">Database types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../host_config.html">Host configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../spake.html">SPAKE Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../dictionary.html">Addressing dictionary attack risks</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../auth_indicator.html">Authentication indicators</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../admin_commands/index.html">Administration programs</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../../mitK5defaults.html">MIT Kerberos defaults</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../env_variables.html">Environment variables</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../troubleshoot.html">Troubleshooting</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../advanced/index.html">Advanced topics</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../various_envs.html">Various links</a></li>
-</ul>
-</li>
-<li class="toctree-l1"><a class="reference internal" href="../../appdev/index.html">For application developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../plugindev/index.html">For plugin module developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../build/index.html">Building Kerberos V5</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../basic/index.html">Kerberos V5 concepts</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../formats/index.html">Protocols and file formats</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../mitK5features.html">MIT Kerberos features</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../build_this.html">How to build this documentation from the source</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../about.html">Contributing to the MIT Kerberos Documentation</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../resources.html">Resources</a></li>
-</ul>
-
- <br/>
- <h4><a href="../../index.html">Full Table of Contents</a></h4>
- <h4>Search</h4>
- <form class="search" action="../../search.html" method="get">
- <input type="text" name="q" size="18" />
- <input type="submit" value="Go" />
- <input type="hidden" name="check_keywords" value="yes" />
- <input type="hidden" name="area" value="default" />
- </form>
-
- </div>
- <div class="clearer"></div>
- </div>
- </div>
-
- <div class="footer-wrapper">
- <div class="footer" >
- <div class="right" ><i>Release: 1.22-final</i><br />
- &copy; <a href="../../copyright.html">Copyright</a> 1985-2025, MIT.
- </div>
- <div class="left">
-
- <a href="../../index.html" title="Full Table of Contents"
- >Contents</a> |
- <a href="index.html" title="Configuration Files"
- >previous</a> |
- <a href="kdc_conf.html" title="kdc.conf"
- >next</a> |
- <a href="../../genindex.html" title="General Index"
- >index</a> |
- <a href="../../search.html" title="Enter search criteria"
- >Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__krb5.conf">feedback</a>
- </div>
- </div>
- </div>
-
- </body>
-</html> \ No newline at end of file
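Review bot: this hunk deletes the rendered krb5.conf reference page wholesale, and its sidebar and footer still point at sibling pages in the same directory (`href="kdc_conf.html"`, `href="kadm5_acl.html"`, `href="index.html"`) as well as shared assets under `../../` (search.html, genindex.html, copyright.html). Confirm that those sibling pages and any other in-tree references to this path are removed or updated in the same change so no dangling links remain, and that the documentation source these HTML files were generated from (the footer identifies the build as Release 1.22-final) is still available so the krb5.conf reference, which documents security-relevant client settings, can be regenerated rather than lost. The `\ No newline at end of file` marker on the final line only records the original file's missing trailing newline and needs no action for a deletion.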