Diffstat (limited to 'crypto/krb5/doc/html/admin')
-rw-r--r--crypto/krb5/doc/html/admin/admin_commands/index.html178
-rw-r--r--crypto/krb5/doc/html/admin/admin_commands/k5srvutil.html223
-rw-r--r--crypto/krb5/doc/html/admin/admin_commands/kadmin_local.html1030
-rw-r--r--crypto/krb5/doc/html/admin/admin_commands/kadmind.html282
-rw-r--r--crypto/krb5/doc/html/admin/admin_commands/kdb5_ldap_util.html549
-rw-r--r--crypto/krb5/doc/html/admin/admin_commands/kdb5_util.html627
-rw-r--r--crypto/krb5/doc/html/admin/admin_commands/kprop.html215
-rw-r--r--crypto/krb5/doc/html/admin/admin_commands/kpropd.html287
-rw-r--r--crypto/krb5/doc/html/admin/admin_commands/kproplog.html240
-rw-r--r--crypto/krb5/doc/html/admin/admin_commands/krb5kdc.html266
-rw-r--r--crypto/krb5/doc/html/admin/admin_commands/ktutil.html290
-rw-r--r--crypto/krb5/doc/html/admin/admin_commands/sserver.html269
-rw-r--r--crypto/krb5/doc/html/admin/advanced/index.html158
-rw-r--r--crypto/krb5/doc/html/admin/advanced/retiring-des.html546
-rw-r--r--crypto/krb5/doc/html/admin/appl_servers.html304
-rw-r--r--crypto/krb5/doc/html/admin/auth_indicator.html199
-rw-r--r--crypto/krb5/doc/html/admin/backup_host.html182
-rw-r--r--crypto/krb5/doc/html/admin/conf_files/index.html176
-rw-r--r--crypto/krb5/doc/html/admin/conf_files/kadm5_acl.html331
-rw-r--r--crypto/krb5/doc/html/admin/conf_files/kdc_conf.html1064
-rw-r--r--crypto/krb5/doc/html/admin/conf_files/krb5_conf.html1350
-rw-r--r--crypto/krb5/doc/html/admin/conf_ldap.html274
-rw-r--r--crypto/krb5/doc/html/admin/database.html706
-rw-r--r--crypto/krb5/doc/html/admin/dbtypes.html286
-rw-r--r--crypto/krb5/doc/html/admin/dictionary.html224
-rw-r--r--crypto/krb5/doc/html/admin/enctypes.html394
-rw-r--r--crypto/krb5/doc/html/admin/env_variables.html151
-rw-r--r--crypto/krb5/doc/html/admin/host_config.html360
-rw-r--r--crypto/krb5/doc/html/admin/https.html191
-rw-r--r--crypto/krb5/doc/html/admin/index.html184
-rw-r--r--crypto/krb5/doc/html/admin/install.html195
-rw-r--r--crypto/krb5/doc/html/admin/install_appl_srv.html223
-rw-r--r--crypto/krb5/doc/html/admin/install_clients.html205
-rw-r--r--crypto/krb5/doc/html/admin/install_kdc.html651
-rw-r--r--crypto/krb5/doc/html/admin/lockout.html291
-rw-r--r--crypto/krb5/doc/html/admin/otp.html239
-rw-r--r--crypto/krb5/doc/html/admin/pkinit.html480
-rw-r--r--crypto/krb5/doc/html/admin/princ_dns.html266
-rw-r--r--crypto/krb5/doc/html/admin/realm_config.html400
-rw-r--r--crypto/krb5/doc/html/admin/spake.html197
-rw-r--r--crypto/krb5/doc/html/admin/troubleshoot.html264
-rw-r--r--crypto/krb5/doc/html/admin/various_envs.html177
42 files changed, 0 insertions, 15124 deletions
diff --git a/crypto/krb5/doc/html/admin/admin_commands/index.html b/crypto/krb5/doc/html/admin/admin_commands/index.html
deleted file mode 100644
index 43ebdc628847..000000000000
--- a/crypto/krb5/doc/html/admin/admin_commands/index.html
+++ /dev/null
@@ -1,178 +0,0 @@
-<!DOCTYPE html>
-
-<html lang="en" data-content_root="../../">
- <head>
- <meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
-
- <title>Administration programs &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../../_static/pygments.css?v=fa44fd50" />
- <link rel="stylesheet" type="text/css" href="../../_static/agogo.css?v=879f3c71" />
- <link rel="stylesheet" type="text/css" href="../../_static/kerb.css?v=6a0b3979" />
- <script src="../../_static/documentation_options.js?v=236fef3b"></script>
- <script src="../../_static/doctools.js?v=888ff710"></script>
- <script src="../../_static/sphinx_highlight.js?v=dc90522c"></script>
- <link rel="author" title="About these documents" href="../../about.html" />
- <link rel="index" title="Index" href="../../genindex.html" />
- <link rel="search" title="Search" href="../../search.html" />
- <link rel="copyright" title="Copyright" href="../../copyright.html" />
- <link rel="next" title="kadmin" href="kadmin_local.html" />
- <link rel="prev" title="Authentication indicators" href="../auth_indicator.html" />
- </head><body>
- <div class="header-wrapper">
- <div class="header">
-
-
- <h1><a href="../../index.html">MIT Kerberos Documentation</a></h1>
-
- <div class="rel">
-
- <a href="../../index.html" title="Full Table of Contents"
- accesskey="C">Contents</a> |
- <a href="../auth_indicator.html" title="Authentication indicators"
- accesskey="P">previous</a> |
- <a href="kadmin_local.html" title="kadmin"
- accesskey="N">next</a> |
- <a href="../../genindex.html" title="General Index"
- accesskey="I">index</a> |
- <a href="../../search.html" title="Enter search criteria"
- accesskey="S">Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Administration programs">feedback</a>
- </div>
- </div>
- </div>
-
- <div class="content-wrapper">
- <div class="content">
- <div class="document">
-
- <div class="documentwrapper">
- <div class="bodywrapper">
- <div class="body" role="main">
-
- <section id="administration-programs">
-<h1>Administration programs<a class="headerlink" href="#administration-programs" title="Link to this heading">¶</a></h1>
-<div class="toctree-wrapper compound">
-<ul>
-<li class="toctree-l1"><a class="reference internal" href="kadmin_local.html">kadmin</a></li>
-<li class="toctree-l1"><a class="reference internal" href="kadmind.html">kadmind</a></li>
-<li class="toctree-l1"><a class="reference internal" href="kdb5_util.html">kdb5_util</a></li>
-<li class="toctree-l1"><a class="reference internal" href="kdb5_ldap_util.html">kdb5_ldap_util</a></li>
-<li class="toctree-l1"><a class="reference internal" href="krb5kdc.html">krb5kdc</a></li>
-<li class="toctree-l1"><a class="reference internal" href="kprop.html">kprop</a></li>
-<li class="toctree-l1"><a class="reference internal" href="kpropd.html">kpropd</a></li>
-<li class="toctree-l1"><a class="reference internal" href="kproplog.html">kproplog</a></li>
-<li class="toctree-l1"><a class="reference internal" href="ktutil.html">ktutil</a></li>
-<li class="toctree-l1"><a class="reference internal" href="k5srvutil.html">k5srvutil</a></li>
-<li class="toctree-l1"><a class="reference internal" href="sserver.html">sserver</a></li>
-</ul>
-</div>
-</section>
-
-
- <div class="clearer"></div>
- </div>
- </div>
- </div>
- </div>
- <div class="sidebar">
-
- <h2>On this page</h2>
- <ul>
-<li><a class="reference internal" href="#">Administration programs</a></li>
-</ul>
-
- <br/>
- <h2>Table of contents</h2>
- <ul class="current">
-<li class="toctree-l1"><a class="reference internal" href="../../user/index.html">For users</a></li>
-<li class="toctree-l1 current"><a class="reference internal" href="../index.html">For administrators</a><ul class="current">
-<li class="toctree-l2"><a class="reference internal" href="../install.html">Installation guide</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../conf_files/index.html">Configuration Files</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../dbtypes.html">Database types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../host_config.html">Host configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../spake.html">SPAKE Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../dictionary.html">Addressing dictionary attack risks</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../auth_indicator.html">Authentication indicators</a></li>
-<li class="toctree-l2 current"><a class="current reference internal" href="#">Administration programs</a><ul>
-<li class="toctree-l3"><a class="reference internal" href="kadmin_local.html">kadmin</a></li>
-<li class="toctree-l3"><a class="reference internal" href="kadmind.html">kadmind</a></li>
-<li class="toctree-l3"><a class="reference internal" href="kdb5_util.html">kdb5_util</a></li>
-<li class="toctree-l3"><a class="reference internal" href="kdb5_ldap_util.html">kdb5_ldap_util</a></li>
-<li class="toctree-l3"><a class="reference internal" href="krb5kdc.html">krb5kdc</a></li>
-<li class="toctree-l3"><a class="reference internal" href="kprop.html">kprop</a></li>
-<li class="toctree-l3"><a class="reference internal" href="kpropd.html">kpropd</a></li>
-<li class="toctree-l3"><a class="reference internal" href="kproplog.html">kproplog</a></li>
-<li class="toctree-l3"><a class="reference internal" href="ktutil.html">ktutil</a></li>
-<li class="toctree-l3"><a class="reference internal" href="k5srvutil.html">k5srvutil</a></li>
-<li class="toctree-l3"><a class="reference internal" href="sserver.html">sserver</a></li>
-</ul>
-</li>
-<li class="toctree-l2"><a class="reference internal" href="../../mitK5defaults.html">MIT Kerberos defaults</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../env_variables.html">Environment variables</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../troubleshoot.html">Troubleshooting</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../advanced/index.html">Advanced topics</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../various_envs.html">Various links</a></li>
-</ul>
-</li>
-<li class="toctree-l1"><a class="reference internal" href="../../appdev/index.html">For application developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../plugindev/index.html">For plugin module developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../build/index.html">Building Kerberos V5</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../basic/index.html">Kerberos V5 concepts</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../formats/index.html">Protocols and file formats</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../mitK5features.html">MIT Kerberos features</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../build_this.html">How to build this documentation from the source</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../about.html">Contributing to the MIT Kerberos Documentation</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../resources.html">Resources</a></li>
-</ul>
-
- <br/>
- <h4><a href="../../index.html">Full Table of Contents</a></h4>
- <h4>Search</h4>
- <form class="search" action="../../search.html" method="get">
- <input type="text" name="q" size="18" />
- <input type="submit" value="Go" />
- <input type="hidden" name="check_keywords" value="yes" />
- <input type="hidden" name="area" value="default" />
- </form>
-
- </div>
- <div class="clearer"></div>
- </div>
- </div>
-
- <div class="footer-wrapper">
- <div class="footer" >
- <div class="right" ><i>Release: 1.22-final</i><br />
- &copy; <a href="../../copyright.html">Copyright</a> 1985-2025, MIT.
- </div>
- <div class="left">
-
- <a href="../../index.html" title="Full Table of Contents"
- >Contents</a> |
- <a href="../auth_indicator.html" title="Authentication indicators"
- >previous</a> |
- <a href="kadmin_local.html" title="kadmin"
- >next</a> |
- <a href="../../genindex.html" title="General Index"
- >index</a> |
- <a href="../../search.html" title="Enter search criteria"
- >Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Administration programs">feedback</a>
- </div>
- </div>
- </div>
-
- </body>
-</html> \ No newline at end of file
diff --git a/crypto/krb5/doc/html/admin/admin_commands/k5srvutil.html b/crypto/krb5/doc/html/admin/admin_commands/k5srvutil.html
deleted file mode 100644
index 5ee67e70c4d4..000000000000
--- a/crypto/krb5/doc/html/admin/admin_commands/k5srvutil.html
+++ /dev/null
@@ -1,223 +0,0 @@
-<!DOCTYPE html>
-
-<html lang="en" data-content_root="../../">
- <head>
- <meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
-
- <title>k5srvutil &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../../_static/pygments.css?v=fa44fd50" />
- <link rel="stylesheet" type="text/css" href="../../_static/agogo.css?v=879f3c71" />
- <link rel="stylesheet" type="text/css" href="../../_static/kerb.css?v=6a0b3979" />
- <script src="../../_static/documentation_options.js?v=236fef3b"></script>
- <script src="../../_static/doctools.js?v=888ff710"></script>
- <script src="../../_static/sphinx_highlight.js?v=dc90522c"></script>
- <link rel="author" title="About these documents" href="../../about.html" />
- <link rel="index" title="Index" href="../../genindex.html" />
- <link rel="search" title="Search" href="../../search.html" />
- <link rel="copyright" title="Copyright" href="../../copyright.html" />
- <link rel="next" title="sserver" href="sserver.html" />
- <link rel="prev" title="ktutil" href="ktutil.html" />
- </head><body>
- <div class="header-wrapper">
- <div class="header">
-
-
- <h1><a href="../../index.html">MIT Kerberos Documentation</a></h1>
-
- <div class="rel">
-
- <a href="../../index.html" title="Full Table of Contents"
- accesskey="C">Contents</a> |
- <a href="ktutil.html" title="ktutil"
- accesskey="P">previous</a> |
- <a href="sserver.html" title="sserver"
- accesskey="N">next</a> |
- <a href="../../genindex.html" title="General Index"
- accesskey="I">index</a> |
- <a href="../../search.html" title="Enter search criteria"
- accesskey="S">Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__k5srvutil">feedback</a>
- </div>
- </div>
- </div>
-
- <div class="content-wrapper">
- <div class="content">
- <div class="document">
-
- <div class="documentwrapper">
- <div class="bodywrapper">
- <div class="body" role="main">
-
- <section id="k5srvutil">
-<span id="k5srvutil-1"></span><h1>k5srvutil<a class="headerlink" href="#k5srvutil" title="Link to this heading">¶</a></h1>
-<section id="synopsis">
-<h2>SYNOPSIS<a class="headerlink" href="#synopsis" title="Link to this heading">¶</a></h2>
-<p><strong>k5srvutil</strong> <em>operation</em>
-[<strong>-i</strong>]
-[<strong>-f</strong> <em>filename</em>]
-[<strong>-e</strong> <em>keysalts</em>]</p>
-</section>
-<section id="description">
-<h2>DESCRIPTION<a class="headerlink" href="#description" title="Link to this heading">¶</a></h2>
-<p>k5srvutil allows an administrator to list keys currently in
-a keytab, to obtain new keys for a principal currently in a keytab,
-or to delete non-current keys from a keytab.</p>
-<p><em>operation</em> must be one of the following:</p>
-<dl class="simple">
-<dt><strong>list</strong></dt><dd><p>Lists the keys in a keytab, showing version number and principal
-name.</p>
-</dd>
-<dt><strong>change</strong></dt><dd><p>Uses the kadmin protocol to update the keys in the Kerberos
-database to new randomly-generated keys, and updates the keys in
-the keytab to match. If a key’s version number doesn’t match the
-version number stored in the Kerberos server’s database, then the
-operation will fail. If the <strong>-i</strong> flag is given, k5srvutil will
-prompt for confirmation before changing each key. If the <strong>-k</strong>
-option is given, the old and new keys will be displayed.
-Ordinarily, keys will be generated with the default encryption
-types and key salts. This can be overridden with the <strong>-e</strong>
-option. Old keys are retained in the keytab so that existing
-tickets continue to work, but <strong>delold</strong> should be used after
-such tickets expire, to prevent attacks against the old keys.</p>
-</dd>
-<dt><strong>delold</strong></dt><dd><p>Deletes keys that are not the most recent version from the keytab.
-This operation should be used some time after a change operation
-to remove old keys, after existing tickets issued for the service
-have expired. If the <strong>-i</strong> flag is given, then k5srvutil will
-prompt for confirmation for each principal.</p>
-</dd>
-<dt><strong>delete</strong></dt><dd><p>Deletes particular keys in the keytab, interactively prompting for
-each key.</p>
-</dd>
-</dl>
-<p>In all cases, the default keytab is used unless this is overridden by
-the <strong>-f</strong> option.</p>
-<p>k5srvutil uses the <a class="reference internal" href="kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> program to edit the keytab in
-place.</p>
-</section>
-<section id="environment">
-<h2>ENVIRONMENT<a class="headerlink" href="#environment" title="Link to this heading">¶</a></h2>
-<p>See <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a> for a description of Kerberos environment
-variables.</p>
-</section>
-<section id="see-also">
-<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Link to this heading">¶</a></h2>
-<p><a class="reference internal" href="kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a>, <a class="reference internal" href="ktutil.html#ktutil-1"><span class="std std-ref">ktutil</span></a>, <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a></p>
-</section>
-</section>
-
-
- <div class="clearer"></div>
- </div>
- </div>
- </div>
- </div>
- <div class="sidebar">
-
- <h2>On this page</h2>
- <ul>
-<li><a class="reference internal" href="#">k5srvutil</a><ul>
-<li><a class="reference internal" href="#synopsis">SYNOPSIS</a></li>
-<li><a class="reference internal" href="#description">DESCRIPTION</a></li>
-<li><a class="reference internal" href="#environment">ENVIRONMENT</a></li>
-<li><a class="reference internal" href="#see-also">SEE ALSO</a></li>
-</ul>
-</li>
-</ul>
-
- <br/>
- <h2>Table of contents</h2>
- <ul class="current">
-<li class="toctree-l1"><a class="reference internal" href="../../user/index.html">For users</a></li>
-<li class="toctree-l1 current"><a class="reference internal" href="../index.html">For administrators</a><ul class="current">
-<li class="toctree-l2"><a class="reference internal" href="../install.html">Installation guide</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../conf_files/index.html">Configuration Files</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../dbtypes.html">Database types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../host_config.html">Host configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../spake.html">SPAKE Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../dictionary.html">Addressing dictionary attack risks</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../auth_indicator.html">Authentication indicators</a></li>
-<li class="toctree-l2 current"><a class="reference internal" href="index.html">Administration programs</a><ul class="current">
-<li class="toctree-l3"><a class="reference internal" href="kadmin_local.html">kadmin</a></li>
-<li class="toctree-l3"><a class="reference internal" href="kadmind.html">kadmind</a></li>
-<li class="toctree-l3"><a class="reference internal" href="kdb5_util.html">kdb5_util</a></li>
-<li class="toctree-l3"><a class="reference internal" href="kdb5_ldap_util.html">kdb5_ldap_util</a></li>
-<li class="toctree-l3"><a class="reference internal" href="krb5kdc.html">krb5kdc</a></li>
-<li class="toctree-l3"><a class="reference internal" href="kprop.html">kprop</a></li>
-<li class="toctree-l3"><a class="reference internal" href="kpropd.html">kpropd</a></li>
-<li class="toctree-l3"><a class="reference internal" href="kproplog.html">kproplog</a></li>
-<li class="toctree-l3"><a class="reference internal" href="ktutil.html">ktutil</a></li>
-<li class="toctree-l3 current"><a class="current reference internal" href="#">k5srvutil</a></li>
-<li class="toctree-l3"><a class="reference internal" href="sserver.html">sserver</a></li>
-</ul>
-</li>
-<li class="toctree-l2"><a class="reference internal" href="../../mitK5defaults.html">MIT Kerberos defaults</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../env_variables.html">Environment variables</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../troubleshoot.html">Troubleshooting</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../advanced/index.html">Advanced topics</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../various_envs.html">Various links</a></li>
-</ul>
-</li>
-<li class="toctree-l1"><a class="reference internal" href="../../appdev/index.html">For application developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../plugindev/index.html">For plugin module developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../build/index.html">Building Kerberos V5</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../basic/index.html">Kerberos V5 concepts</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../formats/index.html">Protocols and file formats</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../mitK5features.html">MIT Kerberos features</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../build_this.html">How to build this documentation from the source</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../about.html">Contributing to the MIT Kerberos Documentation</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../resources.html">Resources</a></li>
-</ul>
-
- <br/>
- <h4><a href="../../index.html">Full Table of Contents</a></h4>
- <h4>Search</h4>
- <form class="search" action="../../search.html" method="get">
- <input type="text" name="q" size="18" />
- <input type="submit" value="Go" />
- <input type="hidden" name="check_keywords" value="yes" />
- <input type="hidden" name="area" value="default" />
- </form>
-
- </div>
- <div class="clearer"></div>
- </div>
- </div>
-
- <div class="footer-wrapper">
- <div class="footer" >
- <div class="right" ><i>Release: 1.22-final</i><br />
- &copy; <a href="../../copyright.html">Copyright</a> 1985-2025, MIT.
- </div>
- <div class="left">
-
- <a href="../../index.html" title="Full Table of Contents"
- >Contents</a> |
- <a href="ktutil.html" title="ktutil"
- >previous</a> |
- <a href="sserver.html" title="sserver"
- >next</a> |
- <a href="../../genindex.html" title="General Index"
- >index</a> |
- <a href="../../search.html" title="Enter search criteria"
- >Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__k5srvutil">feedback</a>
- </div>
- </div>
- </div>
-
- </body>
-</html> \ No newline at end of file
diff --git a/crypto/krb5/doc/html/admin/admin_commands/kadmin_local.html b/crypto/krb5/doc/html/admin/admin_commands/kadmin_local.html
deleted file mode 100644
index b0545f3426a5..000000000000
--- a/crypto/krb5/doc/html/admin/admin_commands/kadmin_local.html
+++ /dev/null
@@ -1,1030 +0,0 @@
-<!DOCTYPE html>
-
-<html lang="en" data-content_root="../../">
- <head>
- <meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
-
- <title>kadmin &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../../_static/pygments.css?v=fa44fd50" />
- <link rel="stylesheet" type="text/css" href="../../_static/agogo.css?v=879f3c71" />
- <link rel="stylesheet" type="text/css" href="../../_static/kerb.css?v=6a0b3979" />
- <script src="../../_static/documentation_options.js?v=236fef3b"></script>
- <script src="../../_static/doctools.js?v=888ff710"></script>
- <script src="../../_static/sphinx_highlight.js?v=dc90522c"></script>
- <link rel="author" title="About these documents" href="../../about.html" />
- <link rel="index" title="Index" href="../../genindex.html" />
- <link rel="search" title="Search" href="../../search.html" />
- <link rel="copyright" title="Copyright" href="../../copyright.html" />
- <link rel="next" title="kadmind" href="kadmind.html" />
- <link rel="prev" title="Administration programs" href="index.html" />
- </head><body>
- <div class="header-wrapper">
- <div class="header">
-
-
- <h1><a href="../../index.html">MIT Kerberos Documentation</a></h1>
-
- <div class="rel">
-
- <a href="../../index.html" title="Full Table of Contents"
- accesskey="C">Contents</a> |
- <a href="index.html" title="Administration programs"
- accesskey="P">previous</a> |
- <a href="kadmind.html" title="kadmind"
- accesskey="N">next</a> |
- <a href="../../genindex.html" title="General Index"
- accesskey="I">index</a> |
- <a href="../../search.html" title="Enter search criteria"
- accesskey="S">Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__kadmin">feedback</a>
- </div>
- </div>
- </div>
-
- <div class="content-wrapper">
- <div class="content">
- <div class="document">
-
- <div class="documentwrapper">
- <div class="bodywrapper">
- <div class="body" role="main">
-
- <section id="kadmin">
-<span id="kadmin-1"></span><h1>kadmin<a class="headerlink" href="#kadmin" title="Link to this heading">¶</a></h1>
-<section id="synopsis">
-<h2>SYNOPSIS<a class="headerlink" href="#synopsis" title="Link to this heading">¶</a></h2>
-<p id="kadmin-synopsis"><strong>kadmin</strong>
-[<strong>-O</strong>|<strong>-N</strong>]
-[<strong>-r</strong> <em>realm</em>]
-[<strong>-p</strong> <em>principal</em>]
-[<strong>-q</strong> <em>query</em>]
-[[<strong>-c</strong> <em>cache_name</em>]|[<strong>-k</strong> [<strong>-t</strong> <em>keytab</em>]]|<strong>-n</strong>]
-[<strong>-w</strong> <em>password</em>]
-[<strong>-s</strong> <em>admin_server</em>[:<em>port</em>]]
-[command args…]</p>
-<p><strong>kadmin.local</strong>
-[<strong>-r</strong> <em>realm</em>]
-[<strong>-p</strong> <em>principal</em>]
-[<strong>-q</strong> <em>query</em>]
-[<strong>-d</strong> <em>dbname</em>]
-[<strong>-e</strong> <em>enc</em>:<em>salt</em> …]
-[<strong>-m</strong>]
-[<strong>-x</strong> <em>db_args</em>]
-[command args…]</p>
-</section>
-<section id="description">
-<h2>DESCRIPTION<a class="headerlink" href="#description" title="Link to this heading">¶</a></h2>
-<p>kadmin and kadmin.local are command-line interfaces to the Kerberos V5
-administration system. They provide nearly identical functionalities;
-the difference is that kadmin.local directly accesses the KDC
-database, while kadmin performs operations using <a class="reference internal" href="kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a>.
-Except as explicitly noted otherwise, this man page will use “kadmin”
-to refer to both versions. kadmin provides for the maintenance of
-Kerberos principals, password policies, and service key tables
-(keytabs).</p>
-<p>The remote kadmin client uses Kerberos to authenticate to kadmind
-using the service principal <code class="docutils literal notranslate"><span class="pre">kadmin/admin</span></code> or <code class="docutils literal notranslate"><span class="pre">kadmin/ADMINHOST</span></code>
-(where <em>ADMINHOST</em> is the fully-qualified hostname of the admin
-server). If the credentials cache contains a ticket for one of these
-principals, and the <strong>-c</strong> credentials_cache option is specified, that
-ticket is used to authenticate to kadmind. Otherwise, the <strong>-p</strong> and
-<strong>-k</strong> options are used to specify the client Kerberos principal name
-used to authenticate. Once kadmin has determined the principal name,
-it requests a service ticket from the KDC, and uses that service
-ticket to authenticate to kadmind.</p>
-<p>Since kadmin.local directly accesses the KDC database, it usually must
-be run directly on the primary KDC with sufficient permissions to read
-the KDC database. If the KDC database uses the LDAP database module,
-kadmin.local can be run on any host which can access the LDAP server.</p>
-</section>
-<section id="options">
-<h2>OPTIONS<a class="headerlink" href="#options" title="Link to this heading">¶</a></h2>
-<dl class="simple" id="kadmin-options">
-<dt><strong>-r</strong> <em>realm</em></dt><dd><p>Use <em>realm</em> as the default database realm.</p>
-</dd>
-<dt><strong>-p</strong> <em>principal</em></dt><dd><p>Use <em>principal</em> to authenticate. Otherwise, kadmin will append
-<code class="docutils literal notranslate"><span class="pre">/admin</span></code> to the primary principal name of the default ccache,
-the value of the <strong>USER</strong> environment variable, or the username as
-obtained with getpwuid, in order of preference.</p>
-</dd>
-<dt><strong>-k</strong></dt><dd><p>Use a keytab to decrypt the KDC response instead of prompting for
-a password. In this case, the default principal will be
-<code class="docutils literal notranslate"><span class="pre">host/hostname</span></code>. If there is no keytab specified with the
-<strong>-t</strong> option, then the default keytab will be used.</p>
-</dd>
-<dt><strong>-t</strong> <em>keytab</em></dt><dd><p>Use <em>keytab</em> to decrypt the KDC response. This can only be used
-with the <strong>-k</strong> option.</p>
-</dd>
-<dt><strong>-n</strong></dt><dd><p>Requests anonymous processing. Two types of anonymous principals
-are supported. For fully anonymous Kerberos, configure PKINIT on
-the KDC and configure <strong>pkinit_anchors</strong> in the client’s
-<a class="reference internal" href="../conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a>. Then use the <strong>-n</strong> option with a principal
-of the form <code class="docutils literal notranslate"><span class="pre">&#64;REALM</span></code> (an empty principal name followed by the
-at-sign and a realm name). If permitted by the KDC, an anonymous
-ticket will be returned. A second form of anonymous tickets is
-supported; these realm-exposed tickets hide the identity of the
-client but not the client’s realm. For this mode, use <code class="docutils literal notranslate"><span class="pre">kinit</span>
-<span class="pre">-n</span></code> with a normal principal name. If supported by the KDC, the
-principal (but not realm) will be replaced by the anonymous
-principal. As of release 1.8, the MIT Kerberos KDC only supports
-fully anonymous operation.</p>
-</dd>
-<dt><strong>-c</strong> <em>credentials_cache</em></dt><dd><p>Use <em>credentials_cache</em> as the credentials cache. The cache
-should contain a service ticket for the <code class="docutils literal notranslate"><span class="pre">kadmin/admin</span></code> or
-<code class="docutils literal notranslate"><span class="pre">kadmin/ADMINHOST</span></code> (where <em>ADMINHOST</em> is the fully-qualified
-hostname of the admin server) service; it can be acquired with the
-<a class="reference internal" href="../../user/user_commands/kinit.html#kinit-1"><span class="std std-ref">kinit</span></a> program. If this option is not specified, kadmin
-requests a new service ticket from the KDC, and stores it in its
-own temporary ccache.</p>
-</dd>
-<dt><strong>-w</strong> <em>password</em></dt><dd><p>Use <em>password</em> instead of prompting for one. Use this option with
-care, as it may expose the password to other users on the system
-via the process list.</p>
-</dd>
-<dt><strong>-q</strong> <em>query</em></dt><dd><p>Perform the specified query and then exit.</p>
-</dd>
-<dt><strong>-d</strong> <em>dbname</em></dt><dd><p>Specifies the name of the KDC database. This option does not
-apply to the LDAP database module.</p>
-</dd>
-<dt><strong>-s</strong> <em>admin_server</em>[:<em>port</em>]</dt><dd><p>Specifies the admin server which kadmin should contact.</p>
-</dd>
-<dt><strong>-m</strong></dt><dd><p>If using kadmin.local, prompt for the database master password
-instead of reading it from a stash file.</p>
-</dd>
-<dt><strong>-e</strong> “<em>enc</em>:<em>salt</em> …”</dt><dd><p>Sets the keysalt list to be used for any new keys created. See
-<a class="reference internal" href="../conf_files/kdc_conf.html#keysalt-lists"><span class="std std-ref">Keysalt lists</span></a> in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a> for a list of possible
-values.</p>
-</dd>
-<dt><strong>-O</strong></dt><dd><p>Force use of old AUTH_GSSAPI authentication flavor.</p>
-</dd>
-<dt><strong>-N</strong></dt><dd><p>Prevent fallback to AUTH_GSSAPI authentication flavor.</p>
-</dd>
-<dt><strong>-x</strong> <em>db_args</em></dt><dd><p>Specifies the database specific arguments. See the next section
-for supported options.</p>
-</dd>
-</dl>
-<p>Starting with release 1.14, if any command-line arguments remain after
-the options, they will be treated as a single query to be executed.
-This mode of operation is intended for scripts and behaves differently
-from the interactive mode in several respects:</p>
-<ul class="simple">
-<li><p>Query arguments are split by the shell, not by kadmin.</p></li>
-<li><p>Informational and warning messages are suppressed. Error messages
-and query output (e.g. for <strong>get_principal</strong>) will still be
-displayed.</p></li>
-<li><p>Confirmation prompts are disabled (as if <strong>-force</strong> was given).
-Password prompts will still be issued as required.</p></li>
-<li><p>The exit status will be non-zero if the query fails.</p></li>
-</ul>
-<p>The <strong>-q</strong> option does not carry these behavior differences; the query
-will be processed as if it was entered interactively. The <strong>-q</strong>
-option cannot be used in combination with a query in the remaining
-arguments.</p>
-</section>
-<section id="database-options">
-<span id="dboptions"></span><h2>DATABASE OPTIONS<a class="headerlink" href="#database-options" title="Link to this heading">¶</a></h2>
-<p>Database options can be used to override database-specific defaults.
-Supported options for the DB2 module are:</p>
-<blockquote>
-<div><dl class="simple">
-<dt><strong>-x dbname=</strong>*filename*</dt><dd><p>Specifies the base filename of the DB2 database.</p>
-</dd>
-<dt><strong>-x lockiter</strong></dt><dd><p>Make iteration operations hold the lock for the duration of
-the entire operation, rather than temporarily releasing the
-lock while handling each principal. This is the default
-behavior, but this option exists to allow command line
-override of a [dbmodules] setting. First introduced in
-release 1.13.</p>
-</dd>
-<dt><strong>-x unlockiter</strong></dt><dd><p>Make iteration operations unlock the database for each
-principal, instead of holding the lock for the duration of the
-entire operation. First introduced in release 1.13.</p>
-</dd>
-</dl>
-</div></blockquote>
-<p>Supported options for the LDAP module are:</p>
-<blockquote>
-<div><dl class="simple">
-<dt><strong>-x host=</strong><em>ldapuri</em></dt><dd><p>Specifies the LDAP server to connect to by a LDAP URI.</p>
-</dd>
-<dt><strong>-x binddn=</strong><em>bind_dn</em></dt><dd><p>Specifies the DN used to bind to the LDAP server.</p>
-</dd>
-<dt><strong>-x bindpwd=</strong><em>password</em></dt><dd><p>Specifies the password or SASL secret used to bind to the LDAP
-server. Using this option may expose the password to other
-users on the system via the process list; to avoid this,
-instead stash the password using the <strong>stashsrvpw</strong> command of
-<a class="reference internal" href="kdb5_ldap_util.html#kdb5-ldap-util-8"><span class="std std-ref">kdb5_ldap_util</span></a>.</p>
-</dd>
-<dt><strong>-x sasl_mech=</strong><em>mechanism</em></dt><dd><p>Specifies the SASL mechanism used to bind to the LDAP server.
-The bind DN is ignored if a SASL mechanism is used. New in
-release 1.13.</p>
-</dd>
-<dt><strong>-x sasl_authcid=</strong><em>name</em></dt><dd><p>Specifies the authentication name used when binding to the
-LDAP server with a SASL mechanism, if the mechanism requires
-one. New in release 1.13.</p>
-</dd>
-<dt><strong>-x sasl_authzid=</strong><em>name</em></dt><dd><p>Specifies the authorization name used when binding to the LDAP
-server with a SASL mechanism. New in release 1.13.</p>
-</dd>
-<dt><strong>-x sasl_realm=</strong><em>realm</em></dt><dd><p>Specifies the realm used when binding to the LDAP server with
-a SASL mechanism, if the mechanism uses one. New in release
-1.13.</p>
-</dd>
-<dt><strong>-x debug=</strong><em>level</em></dt><dd><p>sets the OpenLDAP client library debug level. <em>level</em> is an
-integer to be interpreted by the library. Debugging messages
-are printed to standard error. New in release 1.12.</p>
-</dd>
-</dl>
-</div></blockquote>
-</section>
-<section id="commands">
-<h2>COMMANDS<a class="headerlink" href="#commands" title="Link to this heading">¶</a></h2>
-<p>When using the remote client, available commands may be restricted
-according to the privileges specified in the <a class="reference internal" href="../conf_files/kadm5_acl.html#kadm5-acl-5"><span class="std std-ref">kadm5.acl</span></a> file
-on the admin server.</p>
-<section id="add-principal">
-<span id="id1"></span><h3>add_principal<a class="headerlink" href="#add-principal" title="Link to this heading">¶</a></h3>
-<blockquote>
-<div><p><strong>add_principal</strong> [<em>options</em>] <em>newprinc</em></p>
-</div></blockquote>
-<p>Creates the principal <em>newprinc</em>, prompting twice for a password. If
-no password policy is specified with the <strong>-policy</strong> option, and the
-policy named <code class="docutils literal notranslate"><span class="pre">default</span></code> is assigned to the principal if it exists.
-However, creating a policy named <code class="docutils literal notranslate"><span class="pre">default</span></code> will not automatically
-assign this policy to previously existing principals. This policy
-assignment can be suppressed with the <strong>-clearpolicy</strong> option.</p>
-<p>This command requires the <strong>add</strong> privilege.</p>
-<p>Aliases: <strong>addprinc</strong>, <strong>ank</strong></p>
-<p>Options:</p>
-<dl>
-<dt><strong>-expire</strong> <em>expdate</em></dt><dd><p>(<a class="reference internal" href="../../basic/date_format.html#getdate"><span class="std std-ref">getdate time</span></a> string) The expiration date of the principal.</p>
-</dd>
-<dt><strong>-pwexpire</strong> <em>pwexpdate</em></dt><dd><p>(<a class="reference internal" href="../../basic/date_format.html#getdate"><span class="std std-ref">getdate time</span></a> string) The password expiration date.</p>
-</dd>
-<dt><strong>-maxlife</strong> <em>maxlife</em></dt><dd><p>(<a class="reference internal" href="../../basic/date_format.html#duration"><span class="std std-ref">Time duration</span></a> or <a class="reference internal" href="../../basic/date_format.html#getdate"><span class="std std-ref">getdate time</span></a> string) The maximum ticket life
-for the principal.</p>
-</dd>
-<dt><strong>-maxrenewlife</strong> <em>maxrenewlife</em></dt><dd><p>(<a class="reference internal" href="../../basic/date_format.html#duration"><span class="std std-ref">Time duration</span></a> or <a class="reference internal" href="../../basic/date_format.html#getdate"><span class="std std-ref">getdate time</span></a> string) The maximum renewable
-life of tickets for the principal.</p>
-</dd>
-<dt><strong>-kvno</strong> <em>kvno</em></dt><dd><p>The initial key version number.</p>
-</dd>
-<dt><strong>-policy</strong> <em>policy</em></dt><dd><p>The password policy used by this principal. If not specified, the
-policy <code class="docutils literal notranslate"><span class="pre">default</span></code> is used if it exists (unless <strong>-clearpolicy</strong>
-is specified).</p>
-</dd>
-<dt><strong>-clearpolicy</strong></dt><dd><p>Prevents any policy from being assigned when <strong>-policy</strong> is not
-specified.</p>
-</dd>
-<dt>{-|+}<strong>allow_postdated</strong></dt><dd><p><strong>-allow_postdated</strong> prohibits this principal from obtaining
-postdated tickets. <strong>+allow_postdated</strong> clears this flag.</p>
-</dd>
-<dt>{-|+}<strong>allow_forwardable</strong></dt><dd><p><strong>-allow_forwardable</strong> prohibits this principal from obtaining
-forwardable tickets. <strong>+allow_forwardable</strong> clears this flag.</p>
-</dd>
-<dt>{-|+}<strong>allow_renewable</strong></dt><dd><p><strong>-allow_renewable</strong> prohibits this principal from obtaining
-renewable tickets. <strong>+allow_renewable</strong> clears this flag.</p>
-</dd>
-<dt>{-|+}<strong>allow_proxiable</strong></dt><dd><p><strong>-allow_proxiable</strong> prohibits this principal from obtaining
-proxiable tickets. <strong>+allow_proxiable</strong> clears this flag.</p>
-</dd>
-<dt>{-|+}<strong>allow_dup_skey</strong></dt><dd><p><strong>-allow_dup_skey</strong> disables user-to-user authentication for this
-principal by prohibiting others from obtaining a service ticket
-encrypted in this principal’s TGT session key.
-<strong>+allow_dup_skey</strong> clears this flag.</p>
-</dd>
-<dt>{-|+}<strong>requires_preauth</strong></dt><dd><p><strong>+requires_preauth</strong> requires this principal to preauthenticate
-before being allowed to kinit. <strong>-requires_preauth</strong> clears this
-flag. When <strong>+requires_preauth</strong> is set on a service principal,
-the KDC will only issue service tickets for that service principal
-if the client’s initial authentication was performed using
-preauthentication.</p>
-</dd>
-<dt>{-|+}<strong>requires_hwauth</strong></dt><dd><p><strong>+requires_hwauth</strong> requires this principal to preauthenticate
-using a hardware device before being allowed to kinit.
-<strong>-requires_hwauth</strong> clears this flag. When <strong>+requires_hwauth</strong> is
-set on a service principal, the KDC will only issue service tickets
-for that service principal if the client’s initial authentication was
-performed using a hardware device to preauthenticate.</p>
-</dd>
-<dt>{-|+}<strong>ok_as_delegate</strong></dt><dd><p><strong>+ok_as_delegate</strong> sets the <strong>okay as delegate</strong> flag on tickets
-issued with this principal as the service. Clients may use this
-flag as a hint that credentials should be delegated when
-authenticating to the service. <strong>-ok_as_delegate</strong> clears this
-flag.</p>
-</dd>
-<dt>{-|+}<strong>allow_svr</strong></dt><dd><p><strong>-allow_svr</strong> prohibits the issuance of service tickets for this
-principal. In release 1.17 and later, user-to-user service
-tickets are still allowed unless the <strong>-allow_dup_skey</strong> flag is
-also set. <strong>+allow_svr</strong> clears this flag.</p>
-</dd>
-<dt>{-|+}<strong>allow_tgs_req</strong></dt><dd><p><strong>-allow_tgs_req</strong> specifies that a Ticket-Granting Service (TGS)
-request for a service ticket for this principal is not permitted.
-<strong>+allow_tgs_req</strong> clears this flag.</p>
-</dd>
-<dt>{-|+}<strong>allow_tix</strong></dt><dd><p><strong>-allow_tix</strong> forbids the issuance of any tickets for this
-principal. <strong>+allow_tix</strong> clears this flag.</p>
-</dd>
-<dt>{-|+}<strong>needchange</strong></dt><dd><p><strong>+needchange</strong> forces a password change on the next initial
-authentication to this principal. <strong>-needchange</strong> clears this
-flag.</p>
-</dd>
-<dt>{-|+}<strong>password_changing_service</strong></dt><dd><p><strong>+password_changing_service</strong> marks this principal as a password
-change service principal.</p>
-</dd>
-<dt>{-|+}<strong>ok_to_auth_as_delegate</strong></dt><dd><p><strong>+ok_to_auth_as_delegate</strong> allows this principal to acquire
-forwardable tickets to itself from arbitrary users, for use with
-constrained delegation.</p>
-</dd>
-<dt>{-|+}<strong>no_auth_data_required</strong></dt><dd><p><strong>+no_auth_data_required</strong> prevents PAC or AD-SIGNEDPATH data from
-being added to service tickets for the principal.</p>
-</dd>
-<dt>{-|+}<strong>lockdown_keys</strong></dt><dd><p><strong>+lockdown_keys</strong> prevents keys for this principal from leaving
-the KDC via kadmind. The chpass and extract operations are denied
-for a principal with this attribute. The chrand operation is
-allowed, but will not return the new keys. The delete and rename
-operations are also denied if this attribute is set, in order to
-prevent a malicious administrator from replacing principals like
-krbtgt/* or kadmin/* with new principals without the attribute.
-This attribute can be set via the network protocol, but can only
-be removed using kadmin.local.</p>
-</dd>
-<dt><strong>-randkey</strong></dt><dd><p>Sets the key of the principal to a random value.</p>
-</dd>
-<dt><strong>-nokey</strong></dt><dd><p>Causes the principal to be created with no key. New in release
-1.12.</p>
-</dd>
-<dt><strong>-pw</strong> <em>password</em></dt><dd><p>Sets the password of the principal to the specified string and
-does not prompt for a password. Note: using this option in a
-shell script may expose the password to other users on the system
-via the process list.</p>
-</dd>
-<dt><strong>-e</strong> <em>enc</em>:<em>salt</em>,…</dt><dd><p>Uses the specified keysalt list for setting the keys of the
-principal. See <a class="reference internal" href="../conf_files/kdc_conf.html#keysalt-lists"><span class="std std-ref">Keysalt lists</span></a> in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a> for a
-list of possible values.</p>
-</dd>
-<dt><strong>-x</strong> <em>db_princ_args</em></dt><dd><p>Indicates database-specific options. The options for the LDAP
-database module are:</p>
-<dl class="simple">
-<dt><strong>-x dn=</strong><em>dn</em></dt><dd><p>Specifies the LDAP object that will contain the Kerberos
-principal being created.</p>
-</dd>
-<dt><strong>-x linkdn=</strong><em>dn</em></dt><dd><p>Specifies the LDAP object to which the newly created Kerberos
-principal object will point.</p>
-</dd>
-<dt><strong>-x containerdn=</strong><em>container_dn</em></dt><dd><p>Specifies the container object under which the Kerberos
-principal is to be created.</p>
-</dd>
-<dt><strong>-x tktpolicy=</strong><em>policy</em></dt><dd><p>Associates a ticket policy to the Kerberos principal.</p>
-</dd>
-</dl>
-<div class="admonition note">
-<p class="admonition-title">Note</p>
-<ul class="simple">
-<li><p>The <strong>containerdn</strong> and <strong>linkdn</strong> options cannot be
-specified with the <strong>dn</strong> option.</p></li>
-<li><p>If the <em>dn</em> or <em>containerdn</em> options are not specified while
-adding the principal, the principals are created under the
-principal container configured in the realm or the realm
-container.</p></li>
-<li><p><em>dn</em> and <em>containerdn</em> should be within the subtrees or
-principal container configured in the realm.</p></li>
-</ul>
-</div>
-</dd>
-</dl>
-<p>Example:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">addprinc</span> <span class="n">jennifer</span>
-<span class="n">No</span> <span class="n">policy</span> <span class="n">specified</span> <span class="k">for</span> <span class="s2">&quot;jennifer@ATHENA.MIT.EDU&quot;</span><span class="p">;</span>
-<span class="n">defaulting</span> <span class="n">to</span> <span class="n">no</span> <span class="n">policy</span><span class="o">.</span>
-<span class="n">Enter</span> <span class="n">password</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">jennifer</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span><span class="p">:</span>
-<span class="n">Re</span><span class="o">-</span><span class="n">enter</span> <span class="n">password</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">jennifer</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span><span class="p">:</span>
-<span class="n">Principal</span> <span class="s2">&quot;jennifer@ATHENA.MIT.EDU&quot;</span> <span class="n">created</span><span class="o">.</span>
-<span class="n">kadmin</span><span class="p">:</span>
-</pre></div>
-</div>
-</section>
-<section id="modify-principal">
-<span id="id2"></span><h3>modify_principal<a class="headerlink" href="#modify-principal" title="Link to this heading">¶</a></h3>
-<blockquote>
-<div><p><strong>modify_principal</strong> [<em>options</em>] <em>principal</em></p>
-</div></blockquote>
-<p>Modifies the specified principal, changing the fields as specified.
-The options to <strong>add_principal</strong> also apply to this command, except
-for the <strong>-randkey</strong>, <strong>-pw</strong>, and <strong>-e</strong> options. In addition, the
-option <strong>-clearpolicy</strong> will clear the current policy of a principal.</p>
-<p>This command requires the <em>modify</em> privilege.</p>
-<p>Alias: <strong>modprinc</strong></p>
-<p>Options (in addition to the <strong>addprinc</strong> options):</p>
-<dl class="simple">
-<dt><strong>-unlock</strong></dt><dd><p>Unlocks a locked principal (one which has received too many failed
-authentication attempts without enough time between them according
-to its password policy) so that it can successfully authenticate.</p>
-</dd>
-</dl>
-</section>
-<section id="rename-principal">
-<span id="id3"></span><h3>rename_principal<a class="headerlink" href="#rename-principal" title="Link to this heading">¶</a></h3>
-<blockquote>
-<div><p><strong>rename_principal</strong> [<strong>-force</strong>] <em>old_principal</em> <em>new_principal</em></p>
-</div></blockquote>
-<p>Renames the specified <em>old_principal</em> to <em>new_principal</em>. This
-command prompts for confirmation, unless the <strong>-force</strong> option is
-given.</p>
-<p>This command requires the <strong>add</strong> and <strong>delete</strong> privileges.</p>
-<p>Alias: <strong>renprinc</strong></p>
-</section>
-<section id="add-alias">
-<span id="id4"></span><h3>add_alias<a class="headerlink" href="#add-alias" title="Link to this heading">¶</a></h3>
-<blockquote>
-<div><p><strong>add_alias</strong> <em>alias_princ</em> <em>target_princ</em></p>
-</div></blockquote>
-<p>Create an alias <em>alias_princ</em> pointing to <em>target_princ</em>. Aliases may
-be chained (that is, <em>target_princ</em> may itself be an alias) up to a
-depth of 10.</p>
-<p>This command requires the <strong>add</strong> privilege for <em>alias_princ</em> and the
-<strong>modify</strong> privilege for <em>target_princ</em>.</p>
-<p>(New in release 1.22.)</p>
-<p>Aliases: <strong>alias</strong></p>
-</section>
-<section id="delete-principal">
-<span id="id5"></span><h3>delete_principal<a class="headerlink" href="#delete-principal" title="Link to this heading">¶</a></h3>
-<blockquote>
-<div><p><strong>delete_principal</strong> [<strong>-force</strong>] <em>principal</em></p>
-</div></blockquote>
-<p>Deletes the specified <em>principal</em> or alias from the database. This
-command prompts for deletion, unless the <strong>-force</strong> option is given.</p>
-<p>This command requires the <strong>delete</strong> privilege.</p>
-<p>Alias: <strong>delprinc</strong></p>
-</section>
-<section id="change-password">
-<span id="id6"></span><h3>change_password<a class="headerlink" href="#change-password" title="Link to this heading">¶</a></h3>
-<blockquote>
-<div><p><strong>change_password</strong> [<em>options</em>] <em>principal</em></p>
-</div></blockquote>
-<p>Changes the password of <em>principal</em>. Prompts for a new password if
-neither <strong>-randkey</strong> or <strong>-pw</strong> is specified.</p>
-<p>This command requires the <strong>changepw</strong> privilege, or that the
-principal running the program is the same as the principal being
-changed.</p>
-<p>Alias: <strong>cpw</strong></p>
-<p>The following options are available:</p>
-<dl class="simple">
-<dt><strong>-randkey</strong></dt><dd><p>Sets the key of the principal to a random value.</p>
-</dd>
-<dt><strong>-pw</strong> <em>password</em></dt><dd><p>Set the password to the specified string. Using this option in a
-script may expose the password to other users on the system via
-the process list.</p>
-</dd>
-<dt><strong>-e</strong> <em>enc</em>:<em>salt</em>,…</dt><dd><p>Uses the specified keysalt list for setting the keys of the
-principal. See <a class="reference internal" href="../conf_files/kdc_conf.html#keysalt-lists"><span class="std std-ref">Keysalt lists</span></a> in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a> for a
-list of possible values.</p>
-</dd>
-<dt><strong>-keepold</strong></dt><dd><p>Keeps the existing keys in the database. This flag is usually not
-necessary except perhaps for <code class="docutils literal notranslate"><span class="pre">krbtgt</span></code> principals.</p>
-</dd>
-</dl>
-<p>Example:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">cpw</span> <span class="n">systest</span>
-<span class="n">Enter</span> <span class="n">password</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">systest</span><span class="nd">@BLEEP</span><span class="o">.</span><span class="n">COM</span><span class="p">:</span>
-<span class="n">Re</span><span class="o">-</span><span class="n">enter</span> <span class="n">password</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">systest</span><span class="nd">@BLEEP</span><span class="o">.</span><span class="n">COM</span><span class="p">:</span>
-<span class="n">Password</span> <span class="k">for</span> <span class="n">systest</span><span class="nd">@BLEEP</span><span class="o">.</span><span class="n">COM</span> <span class="n">changed</span><span class="o">.</span>
-<span class="n">kadmin</span><span class="p">:</span>
-</pre></div>
-</div>
-</section>
-<section id="purgekeys">
-<span id="id7"></span><h3>purgekeys<a class="headerlink" href="#purgekeys" title="Link to this heading">¶</a></h3>
-<blockquote>
-<div><p><strong>purgekeys</strong> [<strong>-all</strong>|<strong>-keepkvno</strong> <em>oldest_kvno_to_keep</em>] <em>principal</em></p>
-</div></blockquote>
-<p>Purges previously retained old keys (e.g., from <strong>change_password
--keepold</strong>) from <em>principal</em>. If <strong>-keepkvno</strong> is specified, then
-only purges keys with kvnos lower than <em>oldest_kvno_to_keep</em>. If
-<strong>-all</strong> is specified, then all keys are purged. The <strong>-all</strong> option
-is new in release 1.12.</p>
-<p>This command requires the <strong>modify</strong> privilege.</p>
-</section>
-<section id="get-principal">
-<span id="id8"></span><h3>get_principal<a class="headerlink" href="#get-principal" title="Link to this heading">¶</a></h3>
-<blockquote>
-<div><p><strong>get_principal</strong> [<strong>-terse</strong>] <em>principal</em></p>
-</div></blockquote>
-<p>Gets the attributes of principal. With the <strong>-terse</strong> option, outputs
-fields as quoted tab-separated strings.</p>
-<p>This command requires the <strong>inquire</strong> privilege, or that the principal
-running the the program to be the same as the one being listed.</p>
-<p>Alias: <strong>getprinc</strong></p>
-<p>Examples:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">getprinc</span> <span class="n">tlyu</span><span class="o">/</span><span class="n">admin</span>
-<span class="n">Principal</span><span class="p">:</span> <span class="n">tlyu</span><span class="o">/</span><span class="n">admin</span><span class="nd">@BLEEP</span><span class="o">.</span><span class="n">COM</span>
-<span class="n">Expiration</span> <span class="n">date</span><span class="p">:</span> <span class="p">[</span><span class="n">never</span><span class="p">]</span>
-<span class="n">Last</span> <span class="n">password</span> <span class="n">change</span><span class="p">:</span> <span class="n">Mon</span> <span class="n">Aug</span> <span class="mi">12</span> <span class="mi">14</span><span class="p">:</span><span class="mi">16</span><span class="p">:</span><span class="mi">47</span> <span class="n">EDT</span> <span class="mi">1996</span>
-<span class="n">Password</span> <span class="n">expiration</span> <span class="n">date</span><span class="p">:</span> <span class="p">[</span><span class="n">never</span><span class="p">]</span>
-<span class="n">Maximum</span> <span class="n">ticket</span> <span class="n">life</span><span class="p">:</span> <span class="mi">0</span> <span class="n">days</span> <span class="mi">10</span><span class="p">:</span><span class="mi">00</span><span class="p">:</span><span class="mi">00</span>
-<span class="n">Maximum</span> <span class="n">renewable</span> <span class="n">life</span><span class="p">:</span> <span class="mi">7</span> <span class="n">days</span> <span class="mi">00</span><span class="p">:</span><span class="mi">00</span><span class="p">:</span><span class="mi">00</span>
-<span class="n">Last</span> <span class="n">modified</span><span class="p">:</span> <span class="n">Mon</span> <span class="n">Aug</span> <span class="mi">12</span> <span class="mi">14</span><span class="p">:</span><span class="mi">16</span><span class="p">:</span><span class="mi">47</span> <span class="n">EDT</span> <span class="mi">1996</span> <span class="p">(</span><span class="n">bjaspan</span><span class="o">/</span><span class="n">admin</span><span class="nd">@BLEEP</span><span class="o">.</span><span class="n">COM</span><span class="p">)</span>
-<span class="n">Last</span> <span class="n">successful</span> <span class="n">authentication</span><span class="p">:</span> <span class="p">[</span><span class="n">never</span><span class="p">]</span>
-<span class="n">Last</span> <span class="n">failed</span> <span class="n">authentication</span><span class="p">:</span> <span class="p">[</span><span class="n">never</span><span class="p">]</span>
-<span class="n">Failed</span> <span class="n">password</span> <span class="n">attempts</span><span class="p">:</span> <span class="mi">0</span>
-<span class="n">Number</span> <span class="n">of</span> <span class="n">keys</span><span class="p">:</span> <span class="mi">1</span>
-<span class="n">Key</span><span class="p">:</span> <span class="n">vno</span> <span class="mi">1</span><span class="p">,</span> <span class="n">aes256</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha384</span><span class="o">-</span><span class="mi">192</span>
-<span class="n">MKey</span><span class="p">:</span> <span class="n">vno</span> <span class="mi">1</span>
-<span class="n">Attributes</span><span class="p">:</span>
-<span class="n">Policy</span><span class="p">:</span> <span class="p">[</span><span class="n">none</span><span class="p">]</span>
-
-<span class="n">kadmin</span><span class="p">:</span> <span class="n">getprinc</span> <span class="o">-</span><span class="n">terse</span> <span class="n">systest</span>
-<span class="n">systest</span><span class="nd">@BLEEP</span><span class="o">.</span><span class="n">COM</span> <span class="mi">3</span> <span class="mi">86400</span> <span class="mi">604800</span> <span class="mi">1</span>
-<span class="mi">785926535</span> <span class="mi">753241234</span> <span class="mi">785900000</span>
-<span class="n">tlyu</span><span class="o">/</span><span class="n">admin</span><span class="nd">@BLEEP</span><span class="o">.</span><span class="n">COM</span> <span class="mi">786100034</span> <span class="mi">0</span> <span class="mi">0</span>
-<span class="n">kadmin</span><span class="p">:</span>
-</pre></div>
-</div>
-</section>
-<section id="list-principals">
-<span id="id9"></span><h3>list_principals<a class="headerlink" href="#list-principals" title="Link to this heading">¶</a></h3>
-<blockquote>
-<div><p><strong>list_principals</strong> [<em>expression</em>]</p>
-</div></blockquote>
-<p>Retrieves all or some principal names. <em>expression</em> is a shell-style
-glob expression that can contain the wild-card characters <code class="docutils literal notranslate"><span class="pre">?</span></code>,
-<code class="docutils literal notranslate"><span class="pre">*</span></code>, and <code class="docutils literal notranslate"><span class="pre">[]</span></code>. All principal names matching the expression are
-printed. If no expression is provided, all principal names are
-printed. If the expression does not contain an <code class="docutils literal notranslate"><span class="pre">&#64;</span></code> character, an
-<code class="docutils literal notranslate"><span class="pre">&#64;</span></code> character followed by the local realm is appended to the
-expression.</p>
-<p>This command requires the <strong>list</strong> privilege.</p>
-<p>Alias: <strong>listprincs</strong>, <strong>get_principals</strong>, <strong>getprincs</strong></p>
-<p>Example:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">listprincs</span> <span class="n">test</span><span class="o">*</span>
-<span class="n">test3</span><span class="nd">@SECURE</span><span class="o">-</span><span class="n">TEST</span><span class="o">.</span><span class="n">OV</span><span class="o">.</span><span class="n">COM</span>
-<span class="n">test2</span><span class="nd">@SECURE</span><span class="o">-</span><span class="n">TEST</span><span class="o">.</span><span class="n">OV</span><span class="o">.</span><span class="n">COM</span>
-<span class="n">test1</span><span class="nd">@SECURE</span><span class="o">-</span><span class="n">TEST</span><span class="o">.</span><span class="n">OV</span><span class="o">.</span><span class="n">COM</span>
-<span class="n">testuser</span><span class="nd">@SECURE</span><span class="o">-</span><span class="n">TEST</span><span class="o">.</span><span class="n">OV</span><span class="o">.</span><span class="n">COM</span>
-<span class="n">kadmin</span><span class="p">:</span>
-</pre></div>
-</div>
-</section>
-<section id="get-strings">
-<span id="id10"></span><h3>get_strings<a class="headerlink" href="#get-strings" title="Link to this heading">¶</a></h3>
-<blockquote>
-<div><p><strong>get_strings</strong> <em>principal</em></p>
-</div></blockquote>
-<p>Displays string attributes on <em>principal</em>.</p>
-<p>This command requires the <strong>inquire</strong> privilege.</p>
-<p>Alias: <strong>getstrs</strong></p>
-</section>
-<section id="set-string">
-<span id="id11"></span><h3>set_string<a class="headerlink" href="#set-string" title="Link to this heading">¶</a></h3>
-<blockquote>
-<div><p><strong>set_string</strong> <em>principal</em> <em>name</em> <em>value</em></p>
-</div></blockquote>
-<p>Sets a string attribute on <em>principal</em>. String attributes are used to
-supply per-principal configuration to the KDC and some KDC plugin
-modules. The following string attribute names are recognized by the
-KDC:</p>
-<dl class="simple">
-<dt><strong>require_auth</strong></dt><dd><p>Specifies an authentication indicator which is required to
-authenticate to the principal as a service. Multiple indicators
-can be specified, separated by spaces; in this case any of the
-specified indicators will be accepted. (New in release 1.14.)</p>
-</dd>
-<dt><strong>session_enctypes</strong></dt><dd><p>Specifies the encryption types supported for session keys when the
-principal is authenticated to as a server. See
-<a class="reference internal" href="../conf_files/kdc_conf.html#encryption-types"><span class="std std-ref">Encryption types</span></a> in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a> for a list of the
-accepted values.</p>
-</dd>
-<dt><strong>otp</strong></dt><dd><p>Enables One Time Passwords (OTP) preauthentication for a client
-<em>principal</em>. The <em>value</em> is a JSON string representing an array
-of objects, each having optional <code class="docutils literal notranslate"><span class="pre">type</span></code> and <code class="docutils literal notranslate"><span class="pre">username</span></code> fields.</p>
-</dd>
-<dt><strong>pkinit_cert_match</strong></dt><dd><p>Specifies a matching expression that defines the certificate
-attributes required for the client certificate used by the
-principal during PKINIT authentication. The matching expression
-is in the same format as those used by the <strong>pkinit_cert_match</strong>
-option in <a class="reference internal" href="../conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a>. (New in release 1.16.)</p>
-</dd>
-<dt><strong>pac_privsvr_enctype</strong></dt><dd><p>Forces the encryption type of the PAC KDC checksum buffers to the
-specified encryption type for tickets issued to this server, by
-deriving a key from the local krbtgt key if it is of a different
-encryption type. It may be necessary to set this value to
-“aes256-sha1” on the cross-realm krbtgt entry for an Active
-Directory realm when using aes-sha2 keys on the local krbtgt
-entry.</p>
-</dd>
-</dl>
-<p>This command requires the <strong>modify</strong> privilege.</p>
-<p>Alias: <strong>setstr</strong></p>
-<p>Example:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">set_string</span> <span class="n">host</span><span class="o">/</span><span class="n">foo</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> <span class="n">session_enctypes</span> <span class="n">aes128</span><span class="o">-</span><span class="n">cts</span>
-<span class="n">set_string</span> <span class="n">user</span><span class="nd">@FOO</span><span class="o">.</span><span class="n">COM</span> <span class="n">otp</span> <span class="s2">&quot;[{&quot;&quot;type&quot;&quot;:&quot;&quot;hotp&quot;&quot;,&quot;&quot;username&quot;&quot;:&quot;&quot;al&quot;&quot;}]&quot;</span>
-</pre></div>
-</div>
-</section>
-<section id="del-string">
-<span id="id12"></span><h3>del_string<a class="headerlink" href="#del-string" title="Link to this heading">¶</a></h3>
-<blockquote>
-<div><p><strong>del_string</strong> <em>principal</em> <em>key</em></p>
-</div></blockquote>
-<p>Deletes a string attribute from <em>principal</em>.</p>
-<p>This command requires the <strong>delete</strong> privilege.</p>
-<p>Alias: <strong>delstr</strong></p>
-</section>
-<section id="add-policy">
-<span id="id13"></span><h3>add_policy<a class="headerlink" href="#add-policy" title="Link to this heading">¶</a></h3>
-<blockquote>
-<div><p><strong>add_policy</strong> [<em>options</em>] <em>policy</em></p>
-</div></blockquote>
-<p>Adds a password policy named <em>policy</em> to the database.</p>
-<p>This command requires the <strong>add</strong> privilege.</p>
-<p>Alias: <strong>addpol</strong></p>
-<p>The following options are available:</p>
-<dl class="simple">
-<dt><strong>-maxlife</strong> <em>time</em></dt><dd><p>(<a class="reference internal" href="../../basic/date_format.html#duration"><span class="std std-ref">Time duration</span></a> or <a class="reference internal" href="../../basic/date_format.html#getdate"><span class="std std-ref">getdate time</span></a> string) Sets the maximum
-lifetime of a password.</p>
-</dd>
-<dt><strong>-minlife</strong> <em>time</em></dt><dd><p>(<a class="reference internal" href="../../basic/date_format.html#duration"><span class="std std-ref">Time duration</span></a> or <a class="reference internal" href="../../basic/date_format.html#getdate"><span class="std std-ref">getdate time</span></a> string) Sets the minimum
-lifetime of a password.</p>
-</dd>
-<dt><strong>-minlength</strong> <em>length</em></dt><dd><p>Sets the minimum length of a password.</p>
-</dd>
-<dt><strong>-minclasses</strong> <em>number</em></dt><dd><p>Sets the minimum number of character classes required in a
-password. The five character classes are lower case, upper case,
-numbers, punctuation, and whitespace/unprintable characters.</p>
-</dd>
-<dt><strong>-history</strong> <em>number</em></dt><dd><p>Sets the number of past keys kept for a principal. This option is
-not supported with the LDAP KDC database module.</p>
-</dd>
-</dl>
-<dl class="simple" id="policy-maxfailure">
-<dt><strong>-maxfailure</strong> <em>maxnumber</em></dt><dd><p>Sets the number of authentication failures before the principal is
-locked. Authentication failures are only tracked for principals
-which require preauthentication. The counter of failed attempts
-resets to 0 after a successful attempt to authenticate. A
-<em>maxnumber</em> value of 0 (the default) disables lockout.</p>
-</dd>
-</dl>
-<dl class="simple" id="policy-failurecountinterval">
-<dt><strong>-failurecountinterval</strong> <em>failuretime</em></dt><dd><p>(<a class="reference internal" href="../../basic/date_format.html#duration"><span class="std std-ref">Time duration</span></a> or <a class="reference internal" href="../../basic/date_format.html#getdate"><span class="std std-ref">getdate time</span></a> string) Sets the allowable time
-between authentication failures. If an authentication failure
-happens after <em>failuretime</em> has elapsed since the previous
-failure, the number of authentication failures is reset to 1. A
-<em>failuretime</em> value of 0 (the default) means forever.</p>
-</dd>
-</dl>
-<dl class="simple" id="policy-lockoutduration">
-<dt><strong>-lockoutduration</strong> <em>lockouttime</em></dt><dd><p>(<a class="reference internal" href="../../basic/date_format.html#duration"><span class="std std-ref">Time duration</span></a> or <a class="reference internal" href="../../basic/date_format.html#getdate"><span class="std std-ref">getdate time</span></a> string) Sets the duration for
-which the principal is locked from authenticating if too many
-authentication failures occur without the specified failure count
-interval elapsing. A duration of 0 (the default) means the
-principal remains locked out until it is administratively unlocked
-with <code class="docutils literal notranslate"><span class="pre">modprinc</span> <span class="pre">-unlock</span></code>.</p>
-</dd>
-<dt><strong>-allowedkeysalts</strong></dt><dd><p>Specifies the key/salt tuples supported for long-term keys when
-setting or changing a principal’s password/keys. See
-<a class="reference internal" href="../conf_files/kdc_conf.html#keysalt-lists"><span class="std std-ref">Keysalt lists</span></a> in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a> for a list of the
-accepted values, but note that key/salt tuples must be separated
-with commas (‘,’) only. To clear the allowed key/salt policy use
-a value of ‘-‘.</p>
-</dd>
-</dl>
-<p>Example:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">add_policy</span> <span class="o">-</span><span class="n">maxlife</span> <span class="s2">&quot;2 days&quot;</span> <span class="o">-</span><span class="n">minlength</span> <span class="mi">5</span> <span class="n">guests</span>
-<span class="n">kadmin</span><span class="p">:</span>
-</pre></div>
-</div>
-</section>
-<section id="modify-policy">
-<span id="id14"></span><h3>modify_policy<a class="headerlink" href="#modify-policy" title="Link to this heading">¶</a></h3>
-<blockquote>
-<div><p><strong>modify_policy</strong> [<em>options</em>] <em>policy</em></p>
-</div></blockquote>
-<p>Modifies the password policy named <em>policy</em>. Options are as described
-for <strong>add_policy</strong>.</p>
-<p>This command requires the <strong>modify</strong> privilege.</p>
-<p>Alias: <strong>modpol</strong></p>
-</section>
-<section id="delete-policy">
-<span id="id15"></span><h3>delete_policy<a class="headerlink" href="#delete-policy" title="Link to this heading">¶</a></h3>
-<blockquote>
-<div><p><strong>delete_policy</strong> [<strong>-force</strong>] <em>policy</em></p>
-</div></blockquote>
-<p>Deletes the password policy named <em>policy</em>. Prompts for confirmation
-before deletion. The command will fail if the policy is in use by any
-principals.</p>
-<p>This command requires the <strong>delete</strong> privilege.</p>
-<p>Alias: <strong>delpol</strong></p>
-<p>Example:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>kadmin: del_policy guests
-Are you sure you want to delete the policy &quot;guests&quot;?
-(yes/no): yes
-kadmin:
-</pre></div>
-</div>
-</section>
-<section id="get-policy">
-<span id="id16"></span><h3>get_policy<a class="headerlink" href="#get-policy" title="Link to this heading">¶</a></h3>
-<blockquote>
-<div><p><strong>get_policy</strong> [ <strong>-terse</strong> ] <em>policy</em></p>
-</div></blockquote>
-<p>Displays the values of the password policy named <em>policy</em>. With the
-<strong>-terse</strong> flag, outputs the fields as quoted strings separated by
-tabs.</p>
-<p>This command requires the <strong>inquire</strong> privilege.</p>
-<p>Alias: <strong>getpol</strong></p>
-<p>Examples:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">get_policy</span> <span class="n">admin</span>
-<span class="n">Policy</span><span class="p">:</span> <span class="n">admin</span>
-<span class="n">Maximum</span> <span class="n">password</span> <span class="n">life</span><span class="p">:</span> <span class="mi">180</span> <span class="n">days</span> <span class="mi">00</span><span class="p">:</span><span class="mi">00</span><span class="p">:</span><span class="mi">00</span>
-<span class="n">Minimum</span> <span class="n">password</span> <span class="n">life</span><span class="p">:</span> <span class="mi">00</span><span class="p">:</span><span class="mi">00</span><span class="p">:</span><span class="mi">00</span>
-<span class="n">Minimum</span> <span class="n">password</span> <span class="n">length</span><span class="p">:</span> <span class="mi">6</span>
-<span class="n">Minimum</span> <span class="n">number</span> <span class="n">of</span> <span class="n">password</span> <span class="n">character</span> <span class="n">classes</span><span class="p">:</span> <span class="mi">2</span>
-<span class="n">Number</span> <span class="n">of</span> <span class="n">old</span> <span class="n">keys</span> <span class="n">kept</span><span class="p">:</span> <span class="mi">5</span>
-<span class="n">Reference</span> <span class="n">count</span><span class="p">:</span> <span class="mi">17</span>
-
-<span class="n">kadmin</span><span class="p">:</span> <span class="n">get_policy</span> <span class="o">-</span><span class="n">terse</span> <span class="n">admin</span>
-<span class="n">admin</span> <span class="mi">15552000</span> <span class="mi">0</span> <span class="mi">6</span> <span class="mi">2</span> <span class="mi">5</span> <span class="mi">17</span>
-<span class="n">kadmin</span><span class="p">:</span>
-</pre></div>
-</div>
-<p>The “Reference count” is the number of principals using that policy.
-With the LDAP KDC database module, the reference count field is not
-meaningful.</p>
-</section>
-<section id="list-policies">
-<span id="id17"></span><h3>list_policies<a class="headerlink" href="#list-policies" title="Link to this heading">¶</a></h3>
-<blockquote>
-<div><p><strong>list_policies</strong> [<em>expression</em>]</p>
-</div></blockquote>
-<p>Retrieves all or some policy names. <em>expression</em> is a shell-style
-glob expression that can contain the wild-card characters <code class="docutils literal notranslate"><span class="pre">?</span></code>,
-<code class="docutils literal notranslate"><span class="pre">*</span></code>, and <code class="docutils literal notranslate"><span class="pre">[]</span></code>. All policy names matching the expression are
-printed. If no expression is provided, all existing policy names are
-printed.</p>
-<p>This command requires the <strong>list</strong> privilege.</p>
-<p>Aliases: <strong>listpols</strong>, <strong>get_policies</strong>, <strong>getpols</strong>.</p>
-<p>Examples:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">listpols</span>
-<span class="n">test</span><span class="o">-</span><span class="n">pol</span>
-<span class="nb">dict</span><span class="o">-</span><span class="n">only</span>
-<span class="n">once</span><span class="o">-</span><span class="n">a</span><span class="o">-</span><span class="nb">min</span>
-<span class="n">test</span><span class="o">-</span><span class="n">pol</span><span class="o">-</span><span class="n">nopw</span>
-
-<span class="n">kadmin</span><span class="p">:</span> <span class="n">listpols</span> <span class="n">t</span><span class="o">*</span>
-<span class="n">test</span><span class="o">-</span><span class="n">pol</span>
-<span class="n">test</span><span class="o">-</span><span class="n">pol</span><span class="o">-</span><span class="n">nopw</span>
-<span class="n">kadmin</span><span class="p">:</span>
-</pre></div>
-</div>
-</section>
-<section id="ktadd">
-<span id="id18"></span><h3>ktadd<a class="headerlink" href="#ktadd" title="Link to this heading">¶</a></h3>
-<blockquote>
-<div><div class="line-block">
-<div class="line"><strong>ktadd</strong> [options] <em>principal</em></div>
-<div class="line"><strong>ktadd</strong> [options] <strong>-glob</strong> <em>princ-exp</em></div>
-</div>
-</div></blockquote>
-<p>Adds a <em>principal</em>, or all principals matching <em>princ-exp</em>, to a
-keytab file. Each principal’s keys are randomized in the process.
-The rules for <em>princ-exp</em> are described in the <strong>list_principals</strong>
-command.</p>
-<p>This command requires the <strong>inquire</strong> and <strong>changepw</strong> privileges.
-With the <strong>-glob</strong> form, it also requires the <strong>list</strong> privilege.</p>
-<p>The options are:</p>
-<dl class="simple">
-<dt><strong>-k[eytab]</strong> <em>keytab</em></dt><dd><p>Use <em>keytab</em> as the keytab file. Otherwise, the default keytab is
-used.</p>
-</dd>
-<dt><strong>-e</strong> <em>enc</em>:<em>salt</em>,…</dt><dd><p>Uses the specified keysalt list for setting the new keys of the
-principal. See <a class="reference internal" href="../conf_files/kdc_conf.html#keysalt-lists"><span class="std std-ref">Keysalt lists</span></a> in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a> for a
-list of possible values.</p>
-</dd>
-<dt><strong>-q</strong></dt><dd><p>Display less verbose information.</p>
-</dd>
-<dt><strong>-norandkey</strong></dt><dd><p>Do not randomize the keys. The keys and their version numbers stay
-unchanged. This option cannot be specified in combination with the
-<strong>-e</strong> option.</p>
-</dd>
-</dl>
-<p>An entry for each of the principal’s unique encryption types is added,
-ignoring multiple keys with the same encryption type but different
-salt types.</p>
-<p>Alias: <strong>xst</strong></p>
-<p>Example:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">ktadd</span> <span class="o">-</span><span class="n">k</span> <span class="o">/</span><span class="n">tmp</span><span class="o">/</span><span class="n">foo</span><span class="o">-</span><span class="n">new</span><span class="o">-</span><span class="n">keytab</span> <span class="n">host</span><span class="o">/</span><span class="n">foo</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span>
-<span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">host</span><span class="o">/</span><span class="n">foo</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">3</span><span class="p">,</span>
- <span class="n">encryption</span> <span class="nb">type</span> <span class="n">aes256</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span> <span class="n">added</span> <span class="n">to</span> <span class="n">keytab</span>
- <span class="n">FILE</span><span class="p">:</span><span class="o">/</span><span class="n">tmp</span><span class="o">/</span><span class="n">foo</span><span class="o">-</span><span class="n">new</span><span class="o">-</span><span class="n">keytab</span>
-<span class="n">kadmin</span><span class="p">:</span>
-</pre></div>
-</div>
-</section>
-<section id="ktremove">
-<span id="id19"></span><h3>ktremove<a class="headerlink" href="#ktremove" title="Link to this heading">¶</a></h3>
-<blockquote>
-<div><p><strong>ktremove</strong> [options] <em>principal</em> [<em>kvno</em> | <em>all</em> | <em>old</em>]</p>
-</div></blockquote>
-<p>Removes entries for the specified <em>principal</em> from a keytab. Requires
-no permissions, since this does not require database access.</p>
-<p>If the string “all” is specified, all entries for that principal are
-removed; if the string “old” is specified, all entries for that
-principal except those with the highest kvno are removed. Otherwise,
-the value specified is parsed as an integer, and all entries whose
-kvno match that integer are removed.</p>
-<p>The options are:</p>
-<dl class="simple">
-<dt><strong>-k[eytab]</strong> <em>keytab</em></dt><dd><p>Use <em>keytab</em> as the keytab file. Otherwise, the default keytab is
-used.</p>
-</dd>
-<dt><strong>-q</strong></dt><dd><p>Display less verbose information.</p>
-</dd>
-</dl>
-<p>Alias: <strong>ktrem</strong></p>
-<p>Example:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">ktremove</span> <span class="n">kadmin</span><span class="o">/</span><span class="n">admin</span> <span class="nb">all</span>
-<span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">kadmin</span><span class="o">/</span><span class="n">admin</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">3</span> <span class="n">removed</span> <span class="kn">from</span> <span class="nn">keytab</span>
- <span class="n">FILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">krb5</span><span class="o">.</span><span class="n">keytab</span>
-<span class="n">kadmin</span><span class="p">:</span>
-</pre></div>
-</div>
-</section>
-<section id="lock">
-<h3>lock<a class="headerlink" href="#lock" title="Link to this heading">¶</a></h3>
-<p>Lock database exclusively. Use with extreme caution! This command
-only works with the DB2 KDC database module.</p>
-</section>
-<section id="unlock">
-<h3>unlock<a class="headerlink" href="#unlock" title="Link to this heading">¶</a></h3>
-<p>Release the exclusive database lock.</p>
-</section>
-<section id="list-requests">
-<h3>list_requests<a class="headerlink" href="#list-requests" title="Link to this heading">¶</a></h3>
-<p>Lists available for kadmin requests.</p>
-<p>Aliases: <strong>lr</strong>, <strong>?</strong></p>
-</section>
-<section id="quit">
-<h3>quit<a class="headerlink" href="#quit" title="Link to this heading">¶</a></h3>
-<p>Exit program. If the database was locked, the lock is released.</p>
-<p>Aliases: <strong>exit</strong>, <strong>q</strong></p>
-</section>
-</section>
-<section id="history">
-<h2>HISTORY<a class="headerlink" href="#history" title="Link to this heading">¶</a></h2>
-<p>The kadmin program was originally written by Tom Yu at MIT, as an
-interface to the OpenVision Kerberos administration program.</p>
-</section>
-<section id="environment">
-<h2>ENVIRONMENT<a class="headerlink" href="#environment" title="Link to this heading">¶</a></h2>
-<p>See <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a> for a description of Kerberos environment
-variables.</p>
-</section>
-<section id="see-also">
-<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Link to this heading">¶</a></h2>
-<p><a class="reference internal" href="../../user/user_commands/kpasswd.html#kpasswd-1"><span class="std std-ref">kpasswd</span></a>, <a class="reference internal" href="kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a>, <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a></p>
-</section>
-</section>
-
-
- <div class="clearer"></div>
- </div>
- </div>
- </div>
- </div>
- <div class="sidebar">
-
- <h2>On this page</h2>
- <ul>
-<li><a class="reference internal" href="#">kadmin</a><ul>
-<li><a class="reference internal" href="#synopsis">SYNOPSIS</a></li>
-<li><a class="reference internal" href="#description">DESCRIPTION</a></li>
-<li><a class="reference internal" href="#options">OPTIONS</a></li>
-<li><a class="reference internal" href="#database-options">DATABASE OPTIONS</a></li>
-<li><a class="reference internal" href="#commands">COMMANDS</a><ul>
-<li><a class="reference internal" href="#add-principal">add_principal</a></li>
-<li><a class="reference internal" href="#modify-principal">modify_principal</a></li>
-<li><a class="reference internal" href="#rename-principal">rename_principal</a></li>
-<li><a class="reference internal" href="#add-alias">add_alias</a></li>
-<li><a class="reference internal" href="#delete-principal">delete_principal</a></li>
-<li><a class="reference internal" href="#change-password">change_password</a></li>
-<li><a class="reference internal" href="#purgekeys">purgekeys</a></li>
-<li><a class="reference internal" href="#get-principal">get_principal</a></li>
-<li><a class="reference internal" href="#list-principals">list_principals</a></li>
-<li><a class="reference internal" href="#get-strings">get_strings</a></li>
-<li><a class="reference internal" href="#set-string">set_string</a></li>
-<li><a class="reference internal" href="#del-string">del_string</a></li>
-<li><a class="reference internal" href="#add-policy">add_policy</a></li>
-<li><a class="reference internal" href="#modify-policy">modify_policy</a></li>
-<li><a class="reference internal" href="#delete-policy">delete_policy</a></li>
-<li><a class="reference internal" href="#get-policy">get_policy</a></li>
-<li><a class="reference internal" href="#list-policies">list_policies</a></li>
-<li><a class="reference internal" href="#ktadd">ktadd</a></li>
-<li><a class="reference internal" href="#ktremove">ktremove</a></li>
-<li><a class="reference internal" href="#lock">lock</a></li>
-<li><a class="reference internal" href="#unlock">unlock</a></li>
-<li><a class="reference internal" href="#list-requests">list_requests</a></li>
-<li><a class="reference internal" href="#quit">quit</a></li>
-</ul>
-</li>
-<li><a class="reference internal" href="#history">HISTORY</a></li>
-<li><a class="reference internal" href="#environment">ENVIRONMENT</a></li>
-<li><a class="reference internal" href="#see-also">SEE ALSO</a></li>
-</ul>
-</li>
-</ul>
-
- <br/>
- <h2>Table of contents</h2>
- <ul class="current">
-<li class="toctree-l1"><a class="reference internal" href="../../user/index.html">For users</a></li>
-<li class="toctree-l1 current"><a class="reference internal" href="../index.html">For administrators</a><ul class="current">
-<li class="toctree-l2"><a class="reference internal" href="../install.html">Installation guide</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../conf_files/index.html">Configuration Files</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../dbtypes.html">Database types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../host_config.html">Host configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../spake.html">SPAKE Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../dictionary.html">Addressing dictionary attack risks</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../auth_indicator.html">Authentication indicators</a></li>
-<li class="toctree-l2 current"><a class="reference internal" href="index.html">Administration programs</a><ul class="current">
-<li class="toctree-l3 current"><a class="current reference internal" href="#">kadmin</a></li>
-<li class="toctree-l3"><a class="reference internal" href="kadmind.html">kadmind</a></li>
-<li class="toctree-l3"><a class="reference internal" href="kdb5_util.html">kdb5_util</a></li>
-<li class="toctree-l3"><a class="reference internal" href="kdb5_ldap_util.html">kdb5_ldap_util</a></li>
-<li class="toctree-l3"><a class="reference internal" href="krb5kdc.html">krb5kdc</a></li>
-<li class="toctree-l3"><a class="reference internal" href="kprop.html">kprop</a></li>
-<li class="toctree-l3"><a class="reference internal" href="kpropd.html">kpropd</a></li>
-<li class="toctree-l3"><a class="reference internal" href="kproplog.html">kproplog</a></li>
-<li class="toctree-l3"><a class="reference internal" href="ktutil.html">ktutil</a></li>
-<li class="toctree-l3"><a class="reference internal" href="k5srvutil.html">k5srvutil</a></li>
-<li class="toctree-l3"><a class="reference internal" href="sserver.html">sserver</a></li>
-</ul>
-</li>
-<li class="toctree-l2"><a class="reference internal" href="../../mitK5defaults.html">MIT Kerberos defaults</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../env_variables.html">Environment variables</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../troubleshoot.html">Troubleshooting</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../advanced/index.html">Advanced topics</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../various_envs.html">Various links</a></li>
-</ul>
-</li>
-<li class="toctree-l1"><a class="reference internal" href="../../appdev/index.html">For application developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../plugindev/index.html">For plugin module developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../build/index.html">Building Kerberos V5</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../basic/index.html">Kerberos V5 concepts</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../formats/index.html">Protocols and file formats</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../mitK5features.html">MIT Kerberos features</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../build_this.html">How to build this documentation from the source</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../about.html">Contributing to the MIT Kerberos Documentation</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../resources.html">Resources</a></li>
-</ul>
-
- <br/>
- <h4><a href="../../index.html">Full Table of Contents</a></h4>
- <h4>Search</h4>
- <form class="search" action="../../search.html" method="get">
- <input type="text" name="q" size="18" />
- <input type="submit" value="Go" />
- <input type="hidden" name="check_keywords" value="yes" />
- <input type="hidden" name="area" value="default" />
- </form>
-
- </div>
- <div class="clearer"></div>
- </div>
- </div>
-
- <div class="footer-wrapper">
- <div class="footer" >
- <div class="right" ><i>Release: 1.22-final</i><br />
- &copy; <a href="../../copyright.html">Copyright</a> 1985-2025, MIT.
- </div>
- <div class="left">
-
- <a href="../../index.html" title="Full Table of Contents"
- >Contents</a> |
- <a href="index.html" title="Administration programs"
- >previous</a> |
- <a href="kadmind.html" title="kadmind"
- >next</a> |
- <a href="../../genindex.html" title="General Index"
- >index</a> |
- <a href="../../search.html" title="Enter search criteria"
- >Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__kadmin">feedback</a>
- </div>
- </div>
- </div>
-
- </body>
-</html> \ No newline at end of file
diff --git a/crypto/krb5/doc/html/admin/admin_commands/kadmind.html b/crypto/krb5/doc/html/admin/admin_commands/kadmind.html
deleted file mode 100644
index d43a7f3ddcd3..000000000000
--- a/crypto/krb5/doc/html/admin/admin_commands/kadmind.html
+++ /dev/null
@@ -1,282 +0,0 @@
-<!DOCTYPE html>
-
-<html lang="en" data-content_root="../../">
- <head>
- <meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
-
- <title>kadmind &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../../_static/pygments.css?v=fa44fd50" />
- <link rel="stylesheet" type="text/css" href="../../_static/agogo.css?v=879f3c71" />
- <link rel="stylesheet" type="text/css" href="../../_static/kerb.css?v=6a0b3979" />
- <script src="../../_static/documentation_options.js?v=236fef3b"></script>
- <script src="../../_static/doctools.js?v=888ff710"></script>
- <script src="../../_static/sphinx_highlight.js?v=dc90522c"></script>
- <link rel="author" title="About these documents" href="../../about.html" />
- <link rel="index" title="Index" href="../../genindex.html" />
- <link rel="search" title="Search" href="../../search.html" />
- <link rel="copyright" title="Copyright" href="../../copyright.html" />
- <link rel="next" title="kdb5_util" href="kdb5_util.html" />
- <link rel="prev" title="kadmin" href="kadmin_local.html" />
- </head><body>
- <div class="header-wrapper">
- <div class="header">
-
-
- <h1><a href="../../index.html">MIT Kerberos Documentation</a></h1>
-
- <div class="rel">
-
- <a href="../../index.html" title="Full Table of Contents"
- accesskey="C">Contents</a> |
- <a href="kadmin_local.html" title="kadmin"
- accesskey="P">previous</a> |
- <a href="kdb5_util.html" title="kdb5_util"
- accesskey="N">next</a> |
- <a href="../../genindex.html" title="General Index"
- accesskey="I">index</a> |
- <a href="../../search.html" title="Enter search criteria"
- accesskey="S">Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__kadmind">feedback</a>
- </div>
- </div>
- </div>
-
- <div class="content-wrapper">
- <div class="content">
- <div class="document">
-
- <div class="documentwrapper">
- <div class="bodywrapper">
- <div class="body" role="main">
-
- <section id="kadmind">
-<span id="kadmind-8"></span><h1>kadmind<a class="headerlink" href="#kadmind" title="Link to this heading">¶</a></h1>
-<section id="synopsis">
-<h2>SYNOPSIS<a class="headerlink" href="#synopsis" title="Link to this heading">¶</a></h2>
-<p><strong>kadmind</strong>
-[<strong>-x</strong> <em>db_args</em>]
-[<strong>-r</strong> <em>realm</em>]
-[<strong>-m</strong>]
-[<strong>-nofork</strong>]
-[<strong>-proponly</strong>]
-[<strong>-port</strong> <em>port-number</em>]
-[<strong>-P</strong> <em>pid_file</em>]
-[<strong>-p</strong> <em>kdb5_util_path</em>]
-[<strong>-K</strong> <em>kprop_path</em>]
-[<strong>-k</strong> <em>kprop_port</em>]
-[<strong>-F</strong> <em>dump_file</em>]</p>
-</section>
-<section id="description">
-<h2>DESCRIPTION<a class="headerlink" href="#description" title="Link to this heading">¶</a></h2>
-<p>kadmind starts the Kerberos administration server. kadmind typically
-runs on the primary Kerberos server, which stores the KDC database.
-If the KDC database uses the LDAP module, the administration server
-and the KDC server need not run on the same machine. kadmind accepts
-remote requests from programs such as <a class="reference internal" href="kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> and
-<a class="reference internal" href="../../user/user_commands/kpasswd.html#kpasswd-1"><span class="std std-ref">kpasswd</span></a> to administer the information in these database.</p>
-<p>kadmind requires a number of configuration files to be set up in order
-for it to work:</p>
-<dl class="simple">
-<dt><a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a></dt><dd><p>The KDC configuration file contains configuration information for
-the KDC and admin servers. kadmind uses settings in this file to
-locate the Kerberos database, and is also affected by the
-<strong>acl_file</strong>, <strong>dict_file</strong>, <strong>kadmind_port</strong>, and iprop-related
-settings.</p>
-</dd>
-<dt><a class="reference internal" href="../conf_files/kadm5_acl.html#kadm5-acl-5"><span class="std std-ref">kadm5.acl</span></a></dt><dd><p>kadmind’s ACL (access control list) tells it which principals are
-allowed to perform administration actions. The pathname to the
-ACL file can be specified with the <strong>acl_file</strong> <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>
-variable; by default, it is <a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">LOCALSTATEDIR</span></a><code class="docutils literal notranslate"><span class="pre">/krb5kdc</span></code><code class="docutils literal notranslate"><span class="pre">/kadm5.acl</span></code>.</p>
-</dd>
-</dl>
-<p>After the server begins running, it puts itself in the background and
-disassociates itself from its controlling terminal.</p>
-<p>kadmind can be configured for incremental database propagation.
-Incremental propagation allows replica KDC servers to receive
-principal and policy updates incrementally instead of receiving full
-dumps of the database. This facility can be enabled in the
-<a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a> file with the <strong>iprop_enable</strong> option. Incremental
-propagation requires the principal <code class="docutils literal notranslate"><span class="pre">kiprop/PRIMARY\&#64;REALM</span></code> (where
-PRIMARY is the primary KDC’s canonical host name, and REALM the realm
-name). In release 1.13, this principal is automatically created and
-registered into the datebase.</p>
-</section>
-<section id="options">
-<h2>OPTIONS<a class="headerlink" href="#options" title="Link to this heading">¶</a></h2>
-<dl class="simple">
-<dt><strong>-r</strong> <em>realm</em></dt><dd><p>specifies the realm that kadmind will serve; if it is not
-specified, the default realm of the host is used.</p>
-</dd>
-<dt><strong>-m</strong></dt><dd><p>causes the master database password to be fetched from the
-keyboard (before the server puts itself in the background, if not
-invoked with the <strong>-nofork</strong> option) rather than from a file on
-disk.</p>
-</dd>
-<dt><strong>-nofork</strong></dt><dd><p>causes the server to remain in the foreground and remain
-associated to the terminal.</p>
-</dd>
-<dt><strong>-proponly</strong></dt><dd><p>causes the server to only listen and respond to Kerberos replica
-incremental propagation polling requests. This option can be used
-to set up a hierarchical propagation topology where a replica KDC
-provides incremental updates to other Kerberos replicas.</p>
-</dd>
-<dt><strong>-port</strong> <em>port-number</em></dt><dd><p>specifies the port on which the administration server listens for
-connections. The default port is determined by the
-<strong>kadmind_port</strong> configuration variable in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>.</p>
-</dd>
-<dt><strong>-P</strong> <em>pid_file</em></dt><dd><p>specifies the file to which the PID of kadmind process should be
-written after it starts up. This file can be used to identify
-whether kadmind is still running and to allow init scripts to stop
-the correct process.</p>
-</dd>
-<dt><strong>-p</strong> <em>kdb5_util_path</em></dt><dd><p>specifies the path to the kdb5_util command to use when dumping the
-KDB in response to full resync requests when iprop is enabled.</p>
-</dd>
-<dt><strong>-K</strong> <em>kprop_path</em></dt><dd><p>specifies the path to the kprop command to use to send full dumps
-to replicas in response to full resync requests.</p>
-</dd>
-<dt><strong>-k</strong> <em>kprop_port</em></dt><dd><p>specifies the port by which the kprop process that is spawned by
-kadmind connects to the replica kpropd, in order to transfer the
-dump file during an iprop full resync request.</p>
-</dd>
-<dt><strong>-F</strong> <em>dump_file</em></dt><dd><p>specifies the file path to be used for dumping the KDB in response
-to full resync requests when iprop is enabled.</p>
-</dd>
-<dt><strong>-x</strong> <em>db_args</em></dt><dd><p>specifies database-specific arguments. See <a class="reference internal" href="kadmin_local.html#dboptions"><span class="std std-ref">Database Options</span></a> in <a class="reference internal" href="kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> for supported arguments.</p>
-</dd>
-</dl>
-</section>
-<section id="environment">
-<h2>ENVIRONMENT<a class="headerlink" href="#environment" title="Link to this heading">¶</a></h2>
-<p>See <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a> for a description of Kerberos environment
-variables.</p>
-<p>As of release 1.22, kadmind supports systemd socket activation via the
-LISTEN_PID and LISTEN_FDS environment variables. Sockets provided by
-the caller must correspond to configured listener addresses (via the
-<strong>kadmind_listen</strong> or <strong>kpasswd_listen</strong> variables or equivalents) or
-they will be ignored. Any configured listener addresses that do not
-correspond to caller-provided sockets will be ignored if socket
-activation is used.</p>
-</section>
-<section id="see-also">
-<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Link to this heading">¶</a></h2>
-<p><a class="reference internal" href="../../user/user_commands/kpasswd.html#kpasswd-1"><span class="std std-ref">kpasswd</span></a>, <a class="reference internal" href="kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a>, <a class="reference internal" href="kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a>,
-<a class="reference internal" href="kdb5_ldap_util.html#kdb5-ldap-util-8"><span class="std std-ref">kdb5_ldap_util</span></a>, <a class="reference internal" href="../conf_files/kadm5_acl.html#kadm5-acl-5"><span class="std std-ref">kadm5.acl</span></a>, <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a></p>
-</section>
-</section>
-
-
- <div class="clearer"></div>
- </div>
- </div>
- </div>
- </div>
- <div class="sidebar">
-
- <h2>On this page</h2>
- <ul>
-<li><a class="reference internal" href="#">kadmind</a><ul>
-<li><a class="reference internal" href="#synopsis">SYNOPSIS</a></li>
-<li><a class="reference internal" href="#description">DESCRIPTION</a></li>
-<li><a class="reference internal" href="#options">OPTIONS</a></li>
-<li><a class="reference internal" href="#environment">ENVIRONMENT</a></li>
-<li><a class="reference internal" href="#see-also">SEE ALSO</a></li>
-</ul>
-</li>
-</ul>
-
- <br/>
- <h2>Table of contents</h2>
- <ul class="current">
-<li class="toctree-l1"><a class="reference internal" href="../../user/index.html">For users</a></li>
-<li class="toctree-l1 current"><a class="reference internal" href="../index.html">For administrators</a><ul class="current">
-<li class="toctree-l2"><a class="reference internal" href="../install.html">Installation guide</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../conf_files/index.html">Configuration Files</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../dbtypes.html">Database types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../host_config.html">Host configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../spake.html">SPAKE Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../dictionary.html">Addressing dictionary attack risks</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../auth_indicator.html">Authentication indicators</a></li>
-<li class="toctree-l2 current"><a class="reference internal" href="index.html">Administration programs</a><ul class="current">
-<li class="toctree-l3"><a class="reference internal" href="kadmin_local.html">kadmin</a></li>
-<li class="toctree-l3 current"><a class="current reference internal" href="#">kadmind</a></li>
-<li class="toctree-l3"><a class="reference internal" href="kdb5_util.html">kdb5_util</a></li>
-<li class="toctree-l3"><a class="reference internal" href="kdb5_ldap_util.html">kdb5_ldap_util</a></li>
-<li class="toctree-l3"><a class="reference internal" href="krb5kdc.html">krb5kdc</a></li>
-<li class="toctree-l3"><a class="reference internal" href="kprop.html">kprop</a></li>
-<li class="toctree-l3"><a class="reference internal" href="kpropd.html">kpropd</a></li>
-<li class="toctree-l3"><a class="reference internal" href="kproplog.html">kproplog</a></li>
-<li class="toctree-l3"><a class="reference internal" href="ktutil.html">ktutil</a></li>
-<li class="toctree-l3"><a class="reference internal" href="k5srvutil.html">k5srvutil</a></li>
-<li class="toctree-l3"><a class="reference internal" href="sserver.html">sserver</a></li>
-</ul>
-</li>
-<li class="toctree-l2"><a class="reference internal" href="../../mitK5defaults.html">MIT Kerberos defaults</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../env_variables.html">Environment variables</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../troubleshoot.html">Troubleshooting</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../advanced/index.html">Advanced topics</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../various_envs.html">Various links</a></li>
-</ul>
-</li>
-<li class="toctree-l1"><a class="reference internal" href="../../appdev/index.html">For application developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../plugindev/index.html">For plugin module developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../build/index.html">Building Kerberos V5</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../basic/index.html">Kerberos V5 concepts</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../formats/index.html">Protocols and file formats</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../mitK5features.html">MIT Kerberos features</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../build_this.html">How to build this documentation from the source</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../about.html">Contributing to the MIT Kerberos Documentation</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../resources.html">Resources</a></li>
-</ul>
-
- <br/>
- <h4><a href="../../index.html">Full Table of Contents</a></h4>
- <h4>Search</h4>
- <form class="search" action="../../search.html" method="get">
- <input type="text" name="q" size="18" />
- <input type="submit" value="Go" />
- <input type="hidden" name="check_keywords" value="yes" />
- <input type="hidden" name="area" value="default" />
- </form>
-
- </div>
- <div class="clearer"></div>
- </div>
- </div>
-
- <div class="footer-wrapper">
- <div class="footer" >
- <div class="right" ><i>Release: 1.22-final</i><br />
- &copy; <a href="../../copyright.html">Copyright</a> 1985-2025, MIT.
- </div>
- <div class="left">
-
- <a href="../../index.html" title="Full Table of Contents"
- >Contents</a> |
- <a href="kadmin_local.html" title="kadmin"
- >previous</a> |
- <a href="kdb5_util.html" title="kdb5_util"
- >next</a> |
- <a href="../../genindex.html" title="General Index"
- >index</a> |
- <a href="../../search.html" title="Enter search criteria"
- >Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__kadmind">feedback</a>
- </div>
- </div>
- </div>
-
- </body>
-</html> \ No newline at end of file
diff --git a/crypto/krb5/doc/html/admin/admin_commands/kdb5_ldap_util.html b/crypto/krb5/doc/html/admin/admin_commands/kdb5_ldap_util.html
deleted file mode 100644
index 09765e3e4991..000000000000
--- a/crypto/krb5/doc/html/admin/admin_commands/kdb5_ldap_util.html
+++ /dev/null
@@ -1,549 +0,0 @@
-<!DOCTYPE html>
-
-<html lang="en" data-content_root="../../">
- <head>
- <meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
-
- <title>kdb5_ldap_util &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../../_static/pygments.css?v=fa44fd50" />
- <link rel="stylesheet" type="text/css" href="../../_static/agogo.css?v=879f3c71" />
- <link rel="stylesheet" type="text/css" href="../../_static/kerb.css?v=6a0b3979" />
- <script src="../../_static/documentation_options.js?v=236fef3b"></script>
- <script src="../../_static/doctools.js?v=888ff710"></script>
- <script src="../../_static/sphinx_highlight.js?v=dc90522c"></script>
- <link rel="author" title="About these documents" href="../../about.html" />
- <link rel="index" title="Index" href="../../genindex.html" />
- <link rel="search" title="Search" href="../../search.html" />
- <link rel="copyright" title="Copyright" href="../../copyright.html" />
- <link rel="next" title="krb5kdc" href="krb5kdc.html" />
- <link rel="prev" title="kdb5_util" href="kdb5_util.html" />
- </head><body>
- <div class="header-wrapper">
- <div class="header">
-
-
- <h1><a href="../../index.html">MIT Kerberos Documentation</a></h1>
-
- <div class="rel">
-
- <a href="../../index.html" title="Full Table of Contents"
- accesskey="C">Contents</a> |
- <a href="kdb5_util.html" title="kdb5_util"
- accesskey="P">previous</a> |
- <a href="krb5kdc.html" title="krb5kdc"
- accesskey="N">next</a> |
- <a href="../../genindex.html" title="General Index"
- accesskey="I">index</a> |
- <a href="../../search.html" title="Enter search criteria"
- accesskey="S">Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__kdb5_ldap_util">feedback</a>
- </div>
- </div>
- </div>
-
- <div class="content-wrapper">
- <div class="content">
- <div class="document">
-
- <div class="documentwrapper">
- <div class="bodywrapper">
- <div class="body" role="main">
-
- <section id="kdb5-ldap-util">
-<span id="kdb5-ldap-util-8"></span><h1>kdb5_ldap_util<a class="headerlink" href="#kdb5-ldap-util" title="Link to this heading">¶</a></h1>
-<section id="synopsis">
-<h2>SYNOPSIS<a class="headerlink" href="#synopsis" title="Link to this heading">¶</a></h2>
-<p id="kdb5-ldap-util-synopsis"><strong>kdb5_ldap_util</strong>
-[<strong>-D</strong> <em>user_dn</em> [<strong>-w</strong> <em>passwd</em>]]
-[<strong>-H</strong> <em>ldapuri</em>]
-<strong>command</strong>
-[<em>command_options</em>]</p>
-</section>
-<section id="description">
-<span id="kdb5-ldap-util-synopsis-end"></span><h2>DESCRIPTION<a class="headerlink" href="#description" title="Link to this heading">¶</a></h2>
-<p>kdb5_ldap_util allows an administrator to manage realms, Kerberos
-services and ticket policies.</p>
-</section>
-<section id="command-line-options">
-<h2>COMMAND-LINE OPTIONS<a class="headerlink" href="#command-line-options" title="Link to this heading">¶</a></h2>
-<dl class="simple" id="kdb5-ldap-util-options">
-<dt><strong>-r</strong> <em>realm</em></dt><dd><p>Specifies the realm to be operated on.</p>
-</dd>
-<dt><strong>-D</strong> <em>user_dn</em></dt><dd><p>Specifies the Distinguished Name (DN) of the user who has
-sufficient rights to perform the operation on the LDAP server.</p>
-</dd>
-<dt><strong>-w</strong> <em>passwd</em></dt><dd><p>Specifies the password of <em>user_dn</em>. This option is not
-recommended.</p>
-</dd>
-<dt><strong>-H</strong> <em>ldapuri</em></dt><dd><p>Specifies the URI of the LDAP server.</p>
-</dd>
-</dl>
-<p>By default, kdb5_ldap_util operates on the default realm (as specified
-in <a class="reference internal" href="../conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a>) and connects and authenticates to the LDAP
-server in the same manner as :ref:kadmind(8)` would given the
-parameters in <a class="reference internal" href="../conf_files/kdc_conf.html#dbdefaults"><span class="std std-ref">[dbdefaults]</span></a> in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>.</p>
-</section>
-<section id="commands">
-<span id="kdb5-ldap-util-options-end"></span><h2>COMMANDS<a class="headerlink" href="#commands" title="Link to this heading">¶</a></h2>
-<section id="create">
-<h3>create<a class="headerlink" href="#create" title="Link to this heading">¶</a></h3>
-<blockquote id="kdb5-ldap-util-create">
-<div><p><strong>create</strong>
-[<strong>-subtrees</strong> <em>subtree_dn_list</em>]
-[<strong>-sscope</strong> <em>search_scope</em>]
-[<strong>-containerref</strong> <em>container_reference_dn</em>]
-[<strong>-k</strong> <em>mkeytype</em>]
-[<strong>-kv</strong> <em>mkeyVNO</em>]
-[<strong>-M</strong> <em>mkeyname</em>]
-[<strong>-m|-P</strong> <em>password</em>|<strong>-sf</strong> <em>stashfilename</em>]
-[<strong>-s</strong>]
-[<strong>-maxtktlife</strong> <em>max_ticket_life</em>]
-[<strong>-maxrenewlife</strong> <em>max_renewable_ticket_life</em>]
-[<em>ticket_flags</em>]</p>
-</div></blockquote>
-<p>Creates realm in directory. Options:</p>
-<dl class="simple">
-<dt><strong>-subtrees</strong> <em>subtree_dn_list</em></dt><dd><p>Specifies the list of subtrees containing the principals of a
-realm. The list contains the DNs of the subtree objects separated
-by colon (<code class="docutils literal notranslate"><span class="pre">:</span></code>).</p>
-</dd>
-<dt><strong>-sscope</strong> <em>search_scope</em></dt><dd><p>Specifies the scope for searching the principals under the
-subtree. The possible values are 1 or one (one level), 2 or sub
-(subtrees).</p>
-</dd>
-<dt><strong>-containerref</strong> <em>container_reference_dn</em></dt><dd><p>Specifies the DN of the container object in which the principals
-of a realm will be created. If the container reference is not
-configured for a realm, the principals will be created in the
-realm container.</p>
-</dd>
-<dt><strong>-k</strong> <em>mkeytype</em></dt><dd><p>Specifies the key type of the master key in the database. The
-default is given by the <strong>master_key_type</strong> variable in
-<a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>.</p>
-</dd>
-<dt><strong>-kv</strong> <em>mkeyVNO</em></dt><dd><p>Specifies the version number of the master key in the database;
-the default is 1. Note that 0 is not allowed.</p>
-</dd>
-<dt><strong>-M</strong> <em>mkeyname</em></dt><dd><p>Specifies the principal name for the master key in the database.
-If not specified, the name is determined by the
-<strong>master_key_name</strong> variable in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>.</p>
-</dd>
-<dt><strong>-m</strong></dt><dd><p>Specifies that the master database password should be read from
-the TTY rather than fetched from a file on the disk.</p>
-</dd>
-<dt><strong>-P</strong> <em>password</em></dt><dd><p>Specifies the master database password. This option is not
-recommended.</p>
-</dd>
-<dt><strong>-sf</strong> <em>stashfilename</em></dt><dd><p>Specifies the stash file of the master database password.</p>
-</dd>
-<dt><strong>-s</strong></dt><dd><p>Specifies that the stash file is to be created.</p>
-</dd>
-<dt><strong>-maxtktlife</strong> <em>max_ticket_life</em></dt><dd><p>(<a class="reference internal" href="../../basic/date_format.html#getdate"><span class="std std-ref">getdate time</span></a> string) Specifies maximum ticket life for
-principals in this realm.</p>
-</dd>
-<dt><strong>-maxrenewlife</strong> <em>max_renewable_ticket_life</em></dt><dd><p>(<a class="reference internal" href="../../basic/date_format.html#getdate"><span class="std std-ref">getdate time</span></a> string) Specifies maximum renewable life of
-tickets for principals in this realm.</p>
-</dd>
-<dt><em>ticket_flags</em></dt><dd><p>Specifies global ticket flags for the realm. Allowable flags are
-documented in the description of the <strong>add_principal</strong> command in
-<a class="reference internal" href="kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a>.</p>
-</dd>
-</dl>
-<p>Example:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">kdb5_ldap_util</span> <span class="o">-</span><span class="n">D</span> <span class="n">cn</span><span class="o">=</span><span class="n">admin</span><span class="p">,</span><span class="n">o</span><span class="o">=</span><span class="n">org</span> <span class="o">-</span><span class="n">H</span> <span class="n">ldaps</span><span class="p">:</span><span class="o">//</span><span class="n">ldap</span><span class="o">-</span><span class="n">server1</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span>
- <span class="o">-</span><span class="n">r</span> <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="n">create</span> <span class="o">-</span><span class="n">subtrees</span> <span class="n">o</span><span class="o">=</span><span class="n">org</span> <span class="o">-</span><span class="n">sscope</span> <span class="n">SUB</span>
-<span class="n">Password</span> <span class="k">for</span> <span class="s2">&quot;cn=admin,o=org&quot;</span><span class="p">:</span>
-<span class="n">Initializing</span> <span class="n">database</span> <span class="k">for</span> <span class="n">realm</span> <span class="s1">&#39;ATHENA.MIT.EDU&#39;</span>
-<span class="n">You</span> <span class="n">will</span> <span class="n">be</span> <span class="n">prompted</span> <span class="k">for</span> <span class="n">the</span> <span class="n">database</span> <span class="n">Master</span> <span class="n">Password</span><span class="o">.</span>
-<span class="n">It</span> <span class="ow">is</span> <span class="n">important</span> <span class="n">that</span> <span class="n">you</span> <span class="n">NOT</span> <span class="n">FORGET</span> <span class="n">this</span> <span class="n">password</span><span class="o">.</span>
-<span class="n">Enter</span> <span class="n">KDC</span> <span class="n">database</span> <span class="n">master</span> <span class="n">key</span><span class="p">:</span>
-<span class="n">Re</span><span class="o">-</span><span class="n">enter</span> <span class="n">KDC</span> <span class="n">database</span> <span class="n">master</span> <span class="n">key</span> <span class="n">to</span> <span class="n">verify</span><span class="p">:</span>
-</pre></div>
-</div>
-</section>
-<section id="modify">
-<span id="kdb5-ldap-util-create-end"></span><h3>modify<a class="headerlink" href="#modify" title="Link to this heading">¶</a></h3>
-<blockquote id="kdb5-ldap-util-modify">
-<div><p><strong>modify</strong>
-[<strong>-subtrees</strong> <em>subtree_dn_list</em>]
-[<strong>-sscope</strong> <em>search_scope</em>]
-[<strong>-containerref</strong> <em>container_reference_dn</em>]
-[<strong>-maxtktlife</strong> <em>max_ticket_life</em>]
-[<strong>-maxrenewlife</strong> <em>max_renewable_ticket_life</em>]
-[<em>ticket_flags</em>]</p>
-</div></blockquote>
-<p>Modifies the attributes of a realm. Options:</p>
-<dl class="simple">
-<dt><strong>-subtrees</strong> <em>subtree_dn_list</em></dt><dd><p>Specifies the list of subtrees containing the principals of a
-realm. The list contains the DNs of the subtree objects separated
-by colon (<code class="docutils literal notranslate"><span class="pre">:</span></code>). This list replaces the existing list.</p>
-</dd>
-<dt><strong>-sscope</strong> <em>search_scope</em></dt><dd><p>Specifies the scope for searching the principals under the
-subtrees. The possible values are 1 or one (one level), 2 or sub
-(subtrees).</p>
-</dd>
-<dt><strong>-containerref</strong> <em>container_reference_dn</em> Specifies the DN of the</dt><dd><p>container object in which the principals of a realm will be
-created.</p>
-</dd>
-<dt><strong>-maxtktlife</strong> <em>max_ticket_life</em></dt><dd><p>(<a class="reference internal" href="../../basic/date_format.html#getdate"><span class="std std-ref">getdate time</span></a> string) Specifies maximum ticket life for
-principals in this realm.</p>
-</dd>
-<dt><strong>-maxrenewlife</strong> <em>max_renewable_ticket_life</em></dt><dd><p>(<a class="reference internal" href="../../basic/date_format.html#getdate"><span class="std std-ref">getdate time</span></a> string) Specifies maximum renewable life of
-tickets for principals in this realm.</p>
-</dd>
-<dt><em>ticket_flags</em></dt><dd><p>Specifies global ticket flags for the realm. Allowable flags are
-documented in the description of the <strong>add_principal</strong> command in
-<a class="reference internal" href="kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a>.</p>
-</dd>
-</dl>
-<p>Example:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">shell</span><span class="o">%</span> <span class="n">kdb5_ldap_util</span> <span class="o">-</span><span class="n">r</span> <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="o">-</span><span class="n">D</span> <span class="n">cn</span><span class="o">=</span><span class="n">admin</span><span class="p">,</span><span class="n">o</span><span class="o">=</span><span class="n">org</span> <span class="o">-</span><span class="n">H</span>
- <span class="n">ldaps</span><span class="p">:</span><span class="o">//</span><span class="n">ldap</span><span class="o">-</span><span class="n">server1</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> <span class="n">modify</span> <span class="o">+</span><span class="n">requires_preauth</span>
-<span class="n">Password</span> <span class="k">for</span> <span class="s2">&quot;cn=admin,o=org&quot;</span><span class="p">:</span>
-<span class="n">shell</span><span class="o">%</span>
-</pre></div>
-</div>
-</section>
-<section id="view">
-<span id="kdb5-ldap-util-modify-end"></span><h3>view<a class="headerlink" href="#view" title="Link to this heading">¶</a></h3>
-<blockquote id="kdb5-ldap-util-view">
-<div><p><strong>view</strong></p>
-</div></blockquote>
-<p>Displays the attributes of a realm.</p>
-<p>Example:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">kdb5_ldap_util</span> <span class="o">-</span><span class="n">D</span> <span class="n">cn</span><span class="o">=</span><span class="n">admin</span><span class="p">,</span><span class="n">o</span><span class="o">=</span><span class="n">org</span> <span class="o">-</span><span class="n">H</span> <span class="n">ldaps</span><span class="p">:</span><span class="o">//</span><span class="n">ldap</span><span class="o">-</span><span class="n">server1</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span>
- <span class="o">-</span><span class="n">r</span> <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="n">view</span>
-<span class="n">Password</span> <span class="k">for</span> <span class="s2">&quot;cn=admin,o=org&quot;</span><span class="p">:</span>
-<span class="n">Realm</span> <span class="n">Name</span><span class="p">:</span> <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span>
-<span class="n">Subtree</span><span class="p">:</span> <span class="n">ou</span><span class="o">=</span><span class="n">users</span><span class="p">,</span><span class="n">o</span><span class="o">=</span><span class="n">org</span>
-<span class="n">Subtree</span><span class="p">:</span> <span class="n">ou</span><span class="o">=</span><span class="n">servers</span><span class="p">,</span><span class="n">o</span><span class="o">=</span><span class="n">org</span>
-<span class="n">SearchScope</span><span class="p">:</span> <span class="n">ONE</span>
-<span class="n">Maximum</span> <span class="n">ticket</span> <span class="n">life</span><span class="p">:</span> <span class="mi">0</span> <span class="n">days</span> <span class="mi">01</span><span class="p">:</span><span class="mi">00</span><span class="p">:</span><span class="mi">00</span>
-<span class="n">Maximum</span> <span class="n">renewable</span> <span class="n">life</span><span class="p">:</span> <span class="mi">0</span> <span class="n">days</span> <span class="mi">10</span><span class="p">:</span><span class="mi">00</span><span class="p">:</span><span class="mi">00</span>
-<span class="n">Ticket</span> <span class="n">flags</span><span class="p">:</span> <span class="n">DISALLOW_FORWARDABLE</span> <span class="n">REQUIRES_PWCHANGE</span>
-</pre></div>
-</div>
-</section>
-<section id="destroy">
-<span id="kdb5-ldap-util-view-end"></span><h3>destroy<a class="headerlink" href="#destroy" title="Link to this heading">¶</a></h3>
-<blockquote id="kdb5-ldap-util-destroy">
-<div><p><strong>destroy</strong> [<strong>-f</strong>]</p>
-</div></blockquote>
-<p>Destroys an existing realm. Options:</p>
-<dl class="simple">
-<dt><strong>-f</strong></dt><dd><p>If specified, will not prompt the user for confirmation.</p>
-</dd>
-</dl>
-<p>Example:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>shell% kdb5_ldap_util -r ATHENA.MIT.EDU -D cn=admin,o=org -H
- ldaps://ldap-server1.mit.edu destroy
-Password for &quot;cn=admin,o=org&quot;:
-Deleting KDC database of &#39;ATHENA.MIT.EDU&#39;, are you sure?
-(type &#39;yes&#39; to confirm)? yes
-OK, deleting database of &#39;ATHENA.MIT.EDU&#39;...
-shell%
-</pre></div>
-</div>
-</section>
-<section id="list">
-<span id="kdb5-ldap-util-destroy-end"></span><h3>list<a class="headerlink" href="#list" title="Link to this heading">¶</a></h3>
-<blockquote id="kdb5-ldap-util-list">
-<div><p><strong>list</strong></p>
-</div></blockquote>
-<p>Lists the names of realms under the container.</p>
-<p>Example:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">shell</span><span class="o">%</span> <span class="n">kdb5_ldap_util</span> <span class="o">-</span><span class="n">D</span> <span class="n">cn</span><span class="o">=</span><span class="n">admin</span><span class="p">,</span><span class="n">o</span><span class="o">=</span><span class="n">org</span> <span class="o">-</span><span class="n">H</span>
- <span class="n">ldaps</span><span class="p">:</span><span class="o">//</span><span class="n">ldap</span><span class="o">-</span><span class="n">server1</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> <span class="nb">list</span>
-<span class="n">Password</span> <span class="k">for</span> <span class="s2">&quot;cn=admin,o=org&quot;</span><span class="p">:</span>
-<span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span>
-<span class="n">OPENLDAP</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span>
-<span class="n">MEDIA</span><span class="o">-</span><span class="n">LAB</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span>
-<span class="n">shell</span><span class="o">%</span>
-</pre></div>
-</div>
-</section>
-<section id="stashsrvpw">
-<span id="kdb5-ldap-util-list-end"></span><h3>stashsrvpw<a class="headerlink" href="#stashsrvpw" title="Link to this heading">¶</a></h3>
-<blockquote id="kdb5-ldap-util-stashsrvpw">
-<div><p><strong>stashsrvpw</strong>
-[<strong>-f</strong> <em>filename</em>]
-<em>name</em></p>
-</div></blockquote>
-<p>Allows an administrator to store the password for service object in a
-file so that KDC and Administration server can use it to authenticate
-to the LDAP server. Options:</p>
-<dl class="simple">
-<dt><strong>-f</strong> <em>filename</em></dt><dd><p>Specifies the complete path of the service password file. By
-default, <code class="docutils literal notranslate"><span class="pre">/usr/local/var/service_passwd</span></code> is used.</p>
-</dd>
-<dt><em>name</em></dt><dd><p>Specifies the name of the object whose password is to be stored.
-If <a class="reference internal" href="krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a> or <a class="reference internal" href="kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> are configured for
-simple binding, this should be the distinguished name it will
-use as given by the <strong>ldap_kdc_dn</strong> or <strong>ldap_kadmind_dn</strong>
-variable in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>. If the KDC or kadmind is
-configured for SASL binding, this should be the authentication
-name it will use as given by the <strong>ldap_kdc_sasl_authcid</strong> or
-<strong>ldap_kadmind_sasl_authcid</strong> variable.</p>
-</dd>
-</dl>
-<p>Example:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">kdb5_ldap_util</span> <span class="n">stashsrvpw</span> <span class="o">-</span><span class="n">f</span> <span class="o">/</span><span class="n">home</span><span class="o">/</span><span class="n">andrew</span><span class="o">/</span><span class="n">conf_keyfile</span>
- <span class="n">cn</span><span class="o">=</span><span class="n">service</span><span class="o">-</span><span class="n">kdc</span><span class="p">,</span><span class="n">o</span><span class="o">=</span><span class="n">org</span>
-<span class="n">Password</span> <span class="k">for</span> <span class="s2">&quot;cn=service-kdc,o=org&quot;</span><span class="p">:</span>
-<span class="n">Re</span><span class="o">-</span><span class="n">enter</span> <span class="n">password</span> <span class="k">for</span> <span class="s2">&quot;cn=service-kdc,o=org&quot;</span><span class="p">:</span>
-</pre></div>
-</div>
-</section>
-<section id="create-policy">
-<span id="kdb5-ldap-util-stashsrvpw-end"></span><h3>create_policy<a class="headerlink" href="#create-policy" title="Link to this heading">¶</a></h3>
-<blockquote id="kdb5-ldap-util-create-policy">
-<div><p><strong>create_policy</strong>
-[<strong>-maxtktlife</strong> <em>max_ticket_life</em>]
-[<strong>-maxrenewlife</strong> <em>max_renewable_ticket_life</em>]
-[<em>ticket_flags</em>]
-<em>policy_name</em></p>
-</div></blockquote>
-<p>Creates a ticket policy in the directory. Options:</p>
-<dl class="simple">
-<dt><strong>-maxtktlife</strong> <em>max_ticket_life</em></dt><dd><p>(<a class="reference internal" href="../../basic/date_format.html#getdate"><span class="std std-ref">getdate time</span></a> string) Specifies maximum ticket life for
-principals.</p>
-</dd>
-<dt><strong>-maxrenewlife</strong> <em>max_renewable_ticket_life</em></dt><dd><p>(<a class="reference internal" href="../../basic/date_format.html#getdate"><span class="std std-ref">getdate time</span></a> string) Specifies maximum renewable life of
-tickets for principals.</p>
-</dd>
-<dt><em>ticket_flags</em></dt><dd><p>Specifies the ticket flags. If this option is not specified, by
-default, no restriction will be set by the policy. Allowable
-flags are documented in the description of the <strong>add_principal</strong>
-command in <a class="reference internal" href="kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a>.</p>
-</dd>
-<dt><em>policy_name</em></dt><dd><p>Specifies the name of the ticket policy.</p>
-</dd>
-</dl>
-<p>Example:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">kdb5_ldap_util</span> <span class="o">-</span><span class="n">D</span> <span class="n">cn</span><span class="o">=</span><span class="n">admin</span><span class="p">,</span><span class="n">o</span><span class="o">=</span><span class="n">org</span> <span class="o">-</span><span class="n">H</span> <span class="n">ldaps</span><span class="p">:</span><span class="o">//</span><span class="n">ldap</span><span class="o">-</span><span class="n">server1</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span>
- <span class="o">-</span><span class="n">r</span> <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="n">create_policy</span> <span class="o">-</span><span class="n">maxtktlife</span> <span class="s2">&quot;1 day&quot;</span>
- <span class="o">-</span><span class="n">maxrenewlife</span> <span class="s2">&quot;1 week&quot;</span> <span class="o">-</span><span class="n">allow_postdated</span> <span class="o">+</span><span class="n">needchange</span>
- <span class="o">-</span><span class="n">allow_forwardable</span> <span class="n">tktpolicy</span>
-<span class="n">Password</span> <span class="k">for</span> <span class="s2">&quot;cn=admin,o=org&quot;</span><span class="p">:</span>
-</pre></div>
-</div>
-</section>
-<section id="modify-policy">
-<span id="kdb5-ldap-util-create-policy-end"></span><h3>modify_policy<a class="headerlink" href="#modify-policy" title="Link to this heading">¶</a></h3>
-<blockquote id="kdb5-ldap-util-modify-policy">
-<div><p><strong>modify_policy</strong>
-[<strong>-maxtktlife</strong> <em>max_ticket_life</em>]
-[<strong>-maxrenewlife</strong> <em>max_renewable_ticket_life</em>]
-[<em>ticket_flags</em>]
-<em>policy_name</em></p>
-</div></blockquote>
-<p>Modifies the attributes of a ticket policy. Options are same as for
-<strong>create_policy</strong>.</p>
-<p>Example:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">kdb5_ldap_util</span> <span class="o">-</span><span class="n">D</span> <span class="n">cn</span><span class="o">=</span><span class="n">admin</span><span class="p">,</span><span class="n">o</span><span class="o">=</span><span class="n">org</span> <span class="o">-</span><span class="n">H</span>
- <span class="n">ldaps</span><span class="p">:</span><span class="o">//</span><span class="n">ldap</span><span class="o">-</span><span class="n">server1</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> <span class="o">-</span><span class="n">r</span> <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="n">modify_policy</span>
- <span class="o">-</span><span class="n">maxtktlife</span> <span class="s2">&quot;60 minutes&quot;</span> <span class="o">-</span><span class="n">maxrenewlife</span> <span class="s2">&quot;10 hours&quot;</span>
- <span class="o">+</span><span class="n">allow_postdated</span> <span class="o">-</span><span class="n">requires_preauth</span> <span class="n">tktpolicy</span>
-<span class="n">Password</span> <span class="k">for</span> <span class="s2">&quot;cn=admin,o=org&quot;</span><span class="p">:</span>
-</pre></div>
-</div>
-</section>
-<section id="view-policy">
-<span id="kdb5-ldap-util-modify-policy-end"></span><h3>view_policy<a class="headerlink" href="#view-policy" title="Link to this heading">¶</a></h3>
-<blockquote id="kdb5-ldap-util-view-policy">
-<div><p><strong>view_policy</strong>
-<em>policy_name</em></p>
-</div></blockquote>
-<p>Displays the attributes of the named ticket policy.</p>
-<p>Example:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">kdb5_ldap_util</span> <span class="o">-</span><span class="n">D</span> <span class="n">cn</span><span class="o">=</span><span class="n">admin</span><span class="p">,</span><span class="n">o</span><span class="o">=</span><span class="n">org</span> <span class="o">-</span><span class="n">H</span> <span class="n">ldaps</span><span class="p">:</span><span class="o">//</span><span class="n">ldap</span><span class="o">-</span><span class="n">server1</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span>
- <span class="o">-</span><span class="n">r</span> <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="n">view_policy</span> <span class="n">tktpolicy</span>
-<span class="n">Password</span> <span class="k">for</span> <span class="s2">&quot;cn=admin,o=org&quot;</span><span class="p">:</span>
-<span class="n">Ticket</span> <span class="n">policy</span><span class="p">:</span> <span class="n">tktpolicy</span>
-<span class="n">Maximum</span> <span class="n">ticket</span> <span class="n">life</span><span class="p">:</span> <span class="mi">0</span> <span class="n">days</span> <span class="mi">01</span><span class="p">:</span><span class="mi">00</span><span class="p">:</span><span class="mi">00</span>
-<span class="n">Maximum</span> <span class="n">renewable</span> <span class="n">life</span><span class="p">:</span> <span class="mi">0</span> <span class="n">days</span> <span class="mi">10</span><span class="p">:</span><span class="mi">00</span><span class="p">:</span><span class="mi">00</span>
-<span class="n">Ticket</span> <span class="n">flags</span><span class="p">:</span> <span class="n">DISALLOW_FORWARDABLE</span> <span class="n">REQUIRES_PWCHANGE</span>
-</pre></div>
-</div>
-</section>
-<section id="destroy-policy">
-<span id="kdb5-ldap-util-view-policy-end"></span><h3>destroy_policy<a class="headerlink" href="#destroy-policy" title="Link to this heading">¶</a></h3>
-<blockquote id="kdb5-ldap-util-destroy-policy">
-<div><p><strong>destroy_policy</strong>
-[<strong>-force</strong>]
-<em>policy_name</em></p>
-</div></blockquote>
-<p>Destroys an existing ticket policy. Options:</p>
-<dl class="simple">
-<dt><strong>-force</strong></dt><dd><p>Forces the deletion of the policy object. If not specified, the
-user will be prompted for confirmation before deleting the policy.</p>
-</dd>
-<dt><em>policy_name</em></dt><dd><p>Specifies the name of the ticket policy.</p>
-</dd>
-</dl>
-<p>Example:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
- -r ATHENA.MIT.EDU destroy_policy tktpolicy
-Password for &quot;cn=admin,o=org&quot;:
-This will delete the policy object &#39;tktpolicy&#39;, are you sure?
-(type &#39;yes&#39; to confirm)? yes
-** policy object &#39;tktpolicy&#39; deleted.
-</pre></div>
-</div>
-</section>
-<section id="list-policy">
-<span id="kdb5-ldap-util-destroy-policy-end"></span><h3>list_policy<a class="headerlink" href="#list-policy" title="Link to this heading">¶</a></h3>
-<blockquote id="kdb5-ldap-util-list-policy">
-<div><p><strong>list_policy</strong></p>
-</div></blockquote>
-<p>Lists ticket policies.</p>
-<p>Example:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">kdb5_ldap_util</span> <span class="o">-</span><span class="n">D</span> <span class="n">cn</span><span class="o">=</span><span class="n">admin</span><span class="p">,</span><span class="n">o</span><span class="o">=</span><span class="n">org</span> <span class="o">-</span><span class="n">H</span> <span class="n">ldaps</span><span class="p">:</span><span class="o">//</span><span class="n">ldap</span><span class="o">-</span><span class="n">server1</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span>
- <span class="o">-</span><span class="n">r</span> <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="n">list_policy</span>
-<span class="n">Password</span> <span class="k">for</span> <span class="s2">&quot;cn=admin,o=org&quot;</span><span class="p">:</span>
-<span class="n">tktpolicy</span>
-<span class="n">tmppolicy</span>
-<span class="n">userpolicy</span>
-</pre></div>
-</div>
-</section>
-</section>
-<section id="environment">
-<span id="kdb5-ldap-util-list-policy-end"></span><h2>ENVIRONMENT<a class="headerlink" href="#environment" title="Link to this heading">¶</a></h2>
-<p>See <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a> for a description of Kerberos environment
-variables.</p>
-</section>
-<section id="see-also">
-<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Link to this heading">¶</a></h2>
-<p><a class="reference internal" href="kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a>, <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a></p>
-</section>
-</section>
-
-
- <div class="clearer"></div>
- </div>
- </div>
- </div>
- </div>
- <div class="sidebar">
-
- <h2>On this page</h2>
- <ul>
-<li><a class="reference internal" href="#">kdb5_ldap_util</a><ul>
-<li><a class="reference internal" href="#synopsis">SYNOPSIS</a></li>
-<li><a class="reference internal" href="#description">DESCRIPTION</a></li>
-<li><a class="reference internal" href="#command-line-options">COMMAND-LINE OPTIONS</a></li>
-<li><a class="reference internal" href="#commands">COMMANDS</a><ul>
-<li><a class="reference internal" href="#create">create</a></li>
-<li><a class="reference internal" href="#modify">modify</a></li>
-<li><a class="reference internal" href="#view">view</a></li>
-<li><a class="reference internal" href="#destroy">destroy</a></li>
-<li><a class="reference internal" href="#list">list</a></li>
-<li><a class="reference internal" href="#stashsrvpw">stashsrvpw</a></li>
-<li><a class="reference internal" href="#create-policy">create_policy</a></li>
-<li><a class="reference internal" href="#modify-policy">modify_policy</a></li>
-<li><a class="reference internal" href="#view-policy">view_policy</a></li>
-<li><a class="reference internal" href="#destroy-policy">destroy_policy</a></li>
-<li><a class="reference internal" href="#list-policy">list_policy</a></li>
-</ul>
-</li>
-<li><a class="reference internal" href="#environment">ENVIRONMENT</a></li>
-<li><a class="reference internal" href="#see-also">SEE ALSO</a></li>
-</ul>
-</li>
-</ul>
-
- <br/>
- <h2>Table of contents</h2>
- <ul class="current">
-<li class="toctree-l1"><a class="reference internal" href="../../user/index.html">For users</a></li>
-<li class="toctree-l1 current"><a class="reference internal" href="../index.html">For administrators</a><ul class="current">
-<li class="toctree-l2"><a class="reference internal" href="../install.html">Installation guide</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../conf_files/index.html">Configuration Files</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../dbtypes.html">Database types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../host_config.html">Host configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../spake.html">SPAKE Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../dictionary.html">Addressing dictionary attack risks</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../auth_indicator.html">Authentication indicators</a></li>
-<li class="toctree-l2 current"><a class="reference internal" href="index.html">Administration programs</a><ul class="current">
-<li class="toctree-l3"><a class="reference internal" href="kadmin_local.html">kadmin</a></li>
-<li class="toctree-l3"><a class="reference internal" href="kadmind.html">kadmind</a></li>
-<li class="toctree-l3"><a class="reference internal" href="kdb5_util.html">kdb5_util</a></li>
-<li class="toctree-l3 current"><a class="current reference internal" href="#">kdb5_ldap_util</a></li>
-<li class="toctree-l3"><a class="reference internal" href="krb5kdc.html">krb5kdc</a></li>
-<li class="toctree-l3"><a class="reference internal" href="kprop.html">kprop</a></li>
-<li class="toctree-l3"><a class="reference internal" href="kpropd.html">kpropd</a></li>
-<li class="toctree-l3"><a class="reference internal" href="kproplog.html">kproplog</a></li>
-<li class="toctree-l3"><a class="reference internal" href="ktutil.html">ktutil</a></li>
-<li class="toctree-l3"><a class="reference internal" href="k5srvutil.html">k5srvutil</a></li>
-<li class="toctree-l3"><a class="reference internal" href="sserver.html">sserver</a></li>
-</ul>
-</li>
-<li class="toctree-l2"><a class="reference internal" href="../../mitK5defaults.html">MIT Kerberos defaults</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../env_variables.html">Environment variables</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../troubleshoot.html">Troubleshooting</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../advanced/index.html">Advanced topics</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../various_envs.html">Various links</a></li>
-</ul>
-</li>
-<li class="toctree-l1"><a class="reference internal" href="../../appdev/index.html">For application developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../plugindev/index.html">For plugin module developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../build/index.html">Building Kerberos V5</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../basic/index.html">Kerberos V5 concepts</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../formats/index.html">Protocols and file formats</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../mitK5features.html">MIT Kerberos features</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../build_this.html">How to build this documentation from the source</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../about.html">Contributing to the MIT Kerberos Documentation</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../resources.html">Resources</a></li>
-</ul>
-
- <br/>
- <h4><a href="../../index.html">Full Table of Contents</a></h4>
- <h4>Search</h4>
- <form class="search" action="../../search.html" method="get">
- <input type="text" name="q" size="18" />
- <input type="submit" value="Go" />
- <input type="hidden" name="check_keywords" value="yes" />
- <input type="hidden" name="area" value="default" />
- </form>
-
- </div>
- <div class="clearer"></div>
- </div>
- </div>
-
- <div class="footer-wrapper">
- <div class="footer" >
- <div class="right" ><i>Release: 1.22-final</i><br />
- &copy; <a href="../../copyright.html">Copyright</a> 1985-2025, MIT.
- </div>
- <div class="left">
-
- <a href="../../index.html" title="Full Table of Contents"
- >Contents</a> |
- <a href="kdb5_util.html" title="kdb5_util"
- >previous</a> |
- <a href="krb5kdc.html" title="krb5kdc"
- >next</a> |
- <a href="../../genindex.html" title="General Index"
- >index</a> |
- <a href="../../search.html" title="Enter search criteria"
- >Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__kdb5_ldap_util">feedback</a>
- </div>
- </div>
- </div>
-
- </body>
-</html> \ No newline at end of file
diff --git a/crypto/krb5/doc/html/admin/admin_commands/kdb5_util.html b/crypto/krb5/doc/html/admin/admin_commands/kdb5_util.html
deleted file mode 100644
index 6b894aba1765..000000000000
--- a/crypto/krb5/doc/html/admin/admin_commands/kdb5_util.html
+++ /dev/null
@@ -1,627 +0,0 @@
-<!DOCTYPE html>
-
-<html lang="en" data-content_root="../../">
- <head>
- <meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
-
- <title>kdb5_util &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../../_static/pygments.css?v=fa44fd50" />
- <link rel="stylesheet" type="text/css" href="../../_static/agogo.css?v=879f3c71" />
- <link rel="stylesheet" type="text/css" href="../../_static/kerb.css?v=6a0b3979" />
- <script src="../../_static/documentation_options.js?v=236fef3b"></script>
- <script src="../../_static/doctools.js?v=888ff710"></script>
- <script src="../../_static/sphinx_highlight.js?v=dc90522c"></script>
- <link rel="author" title="About these documents" href="../../about.html" />
- <link rel="index" title="Index" href="../../genindex.html" />
- <link rel="search" title="Search" href="../../search.html" />
- <link rel="copyright" title="Copyright" href="../../copyright.html" />
- <link rel="next" title="kdb5_ldap_util" href="kdb5_ldap_util.html" />
- <link rel="prev" title="kadmind" href="kadmind.html" />
- </head><body>
- <div class="header-wrapper">
- <div class="header">
-
-
- <h1><a href="../../index.html">MIT Kerberos Documentation</a></h1>
-
- <div class="rel">
-
- <a href="../../index.html" title="Full Table of Contents"
- accesskey="C">Contents</a> |
- <a href="kadmind.html" title="kadmind"
- accesskey="P">previous</a> |
- <a href="kdb5_ldap_util.html" title="kdb5_ldap_util"
- accesskey="N">next</a> |
- <a href="../../genindex.html" title="General Index"
- accesskey="I">index</a> |
- <a href="../../search.html" title="Enter search criteria"
- accesskey="S">Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__kdb5_util">feedback</a>
- </div>
- </div>
- </div>
-
- <div class="content-wrapper">
- <div class="content">
- <div class="document">
-
- <div class="documentwrapper">
- <div class="bodywrapper">
- <div class="body" role="main">
-
- <section id="kdb5-util">
-<span id="kdb5-util-8"></span><h1>kdb5_util<a class="headerlink" href="#kdb5-util" title="Link to this heading">¶</a></h1>
-<section id="synopsis">
-<h2>SYNOPSIS<a class="headerlink" href="#synopsis" title="Link to this heading">¶</a></h2>
-<p id="kdb5-util-synopsis"><strong>kdb5_util</strong>
-[<strong>-r</strong> <em>realm</em>]
-[<strong>-d</strong> <em>dbname</em>]
-[<strong>-k</strong> <em>mkeytype</em>]
-[<strong>-kv</strong> <em>mkeyVNO</em>]
-[<strong>-M</strong> <em>mkeyname</em>]
-[<strong>-m</strong>]
-[<strong>-sf</strong> <em>stashfilename</em>]
-[<strong>-P</strong> <em>password</em>]
-[<strong>-x</strong> <em>db_args</em>]
-<em>command</em> [<em>command_options</em>]</p>
-</section>
-<section id="description">
-<span id="kdb5-util-synopsis-end"></span><h2>DESCRIPTION<a class="headerlink" href="#description" title="Link to this heading">¶</a></h2>
-<p>kdb5_util allows an administrator to perform maintenance procedures on
-the KDC database. Databases can be created, destroyed, and dumped to
-or loaded from ASCII files. kdb5_util can create a Kerberos master
-key stash file or perform live rollover of the master key.</p>
-<p>When kdb5_util is run, it attempts to acquire the master key and open
-the database. However, execution continues regardless of whether or
-not kdb5_util successfully opens the database, because the database
-may not exist yet or the stash file may be corrupt.</p>
-<p>Note that some KDC database modules may not support all kdb5_util
-commands.</p>
-</section>
-<section id="command-line-options">
-<h2>COMMAND-LINE OPTIONS<a class="headerlink" href="#command-line-options" title="Link to this heading">¶</a></h2>
-<dl class="simple" id="kdb5-util-options">
-<dt><strong>-r</strong> <em>realm</em></dt><dd><p>specifies the Kerberos realm of the database.</p>
-</dd>
-<dt><strong>-d</strong> <em>dbname</em></dt><dd><p>specifies the name under which the principal database is stored;
-by default the database is that listed in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>. The
-password policy database and lock files are also derived from this
-value.</p>
-</dd>
-<dt><strong>-k</strong> <em>mkeytype</em></dt><dd><p>specifies the key type of the master key in the database. The
-default is given by the <strong>master_key_type</strong> variable in
-<a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>.</p>
-</dd>
-<dt><strong>-kv</strong> <em>mkeyVNO</em></dt><dd><p>Specifies the version number of the master key in the database;
-the default is 1. Note that 0 is not allowed.</p>
-</dd>
-<dt><strong>-M</strong> <em>mkeyname</em></dt><dd><p>principal name for the master key in the database. If not
-specified, the name is determined by the <strong>master_key_name</strong>
-variable in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>.</p>
-</dd>
-<dt><strong>-m</strong></dt><dd><p>specifies that the master database password should be read from
-the keyboard rather than fetched from a file on disk.</p>
-</dd>
-<dt><strong>-sf</strong> <em>stash_file</em></dt><dd><p>specifies the stash filename of the master database password. If
-not specified, the filename is determined by the
-<strong>key_stash_file</strong> variable in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>.</p>
-</dd>
-<dt><strong>-P</strong> <em>password</em></dt><dd><p>specifies the master database password. Using this option may
-expose the password to other users on the system via the process
-list.</p>
-</dd>
-<dt><strong>-x</strong> <em>db_args</em></dt><dd><p>specifies database-specific options. See <a class="reference internal" href="kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> for
-supported options.</p>
-</dd>
-</dl>
-</section>
-<section id="commands">
-<span id="kdb5-util-options-end"></span><h2>COMMANDS<a class="headerlink" href="#commands" title="Link to this heading">¶</a></h2>
-<section id="create">
-<h3>create<a class="headerlink" href="#create" title="Link to this heading">¶</a></h3>
-<blockquote id="kdb5-util-create">
-<div><p><strong>create</strong> [<strong>-s</strong>]</p>
-</div></blockquote>
-<p>Creates a new database. If the <strong>-s</strong> option is specified, the stash
-file is also created. This command fails if the database already
-exists. If the command is successful, the database is opened just as
-if it had already existed when the program was first run.</p>
-</section>
-<section id="destroy">
-<span id="kdb5-util-create-end"></span><h3>destroy<a class="headerlink" href="#destroy" title="Link to this heading">¶</a></h3>
-<blockquote id="kdb5-util-destroy">
-<div><p><strong>destroy</strong> [<strong>-f</strong>]</p>
-</div></blockquote>
-<p>Destroys the database, first overwriting the disk sectors and then
-unlinking the files, after prompting the user for confirmation. With
-the <strong>-f</strong> argument, does not prompt the user.</p>
-</section>
-<section id="stash">
-<span id="kdb5-util-destroy-end"></span><h3>stash<a class="headerlink" href="#stash" title="Link to this heading">¶</a></h3>
-<blockquote id="kdb5-util-stash">
-<div><p><strong>stash</strong> [<strong>-f</strong> <em>keyfile</em>]</p>
-</div></blockquote>
-<p>Stores the master principal’s keys in a stash file. The <strong>-f</strong>
-argument can be used to override the <em>keyfile</em> specified in
-<a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>.</p>
-</section>
-<section id="dump">
-<span id="kdb5-util-stash-end"></span><h3>dump<a class="headerlink" href="#dump" title="Link to this heading">¶</a></h3>
-<blockquote id="kdb5-util-dump">
-<div><p><strong>dump</strong> [<strong>-b7</strong>|<strong>-r13</strong>|<strong>-r18</strong>]
-[<strong>-verbose</strong>] [<strong>-mkey_convert</strong>] [<strong>-new_mkey_file</strong>
-<em>mkey_file</em>] [<strong>-rev</strong>] [<strong>-recurse</strong>] [<em>filename</em>
-[<em>principals</em>…]]</p>
-</div></blockquote>
-<p>Dumps the current Kerberos and KADM5 database into an ASCII file. By
-default, the database is dumped in current format, “kdb5_util
-load_dump version 7”. If filename is not specified, or is the string
-“-”, the dump is sent to standard output. Options:</p>
-<dl>
-<dt><strong>-b7</strong></dt><dd><p>causes the dump to be in the Kerberos 5 Beta 7 format (“kdb5_util
-load_dump version 4”). This was the dump format produced on
-releases prior to 1.2.2.</p>
-</dd>
-<dt><strong>-r13</strong></dt><dd><p>causes the dump to be in the Kerberos 5 1.3 format (“kdb5_util
-load_dump version 5”). This was the dump format produced on
-releases prior to 1.8.</p>
-</dd>
-<dt><strong>-r18</strong></dt><dd><p>causes the dump to be in the Kerberos 5 1.8 format (“kdb5_util
-load_dump version 6”). This was the dump format produced on
-releases prior to 1.11.</p>
-</dd>
-<dt><strong>-verbose</strong></dt><dd><p>causes the name of each principal and policy to be printed as it
-is dumped.</p>
-</dd>
-<dt><strong>-mkey_convert</strong></dt><dd><p>prompts for a new master key. This new master key will be used to
-re-encrypt principal key data in the dumpfile. The principal keys
-themselves will not be changed.</p>
-</dd>
-<dt><strong>-new_mkey_file</strong> <em>mkey_file</em></dt><dd><p>the filename of a stash file. The master key in this stash file
-will be used to re-encrypt the key data in the dumpfile. The key
-data in the database will not be changed.</p>
-</dd>
-<dt><strong>-rev</strong></dt><dd><p>dumps in reverse order. This may recover principals that do not
-dump normally, in cases where database corruption has occurred.</p>
-</dd>
-<dt><strong>-recurse</strong></dt><dd><p>causes the dump to walk the database recursively (btree only).
-This may recover principals that do not dump normally, in cases
-where database corruption has occurred. In cases of such
-corruption, this option will probably retrieve more principals
-than the <strong>-rev</strong> option will.</p>
-<div class="versionchanged">
-<p><span class="versionmodified changed">Changed in version 1.15: </span>Release 1.15 restored the functionality of the <strong>-recurse</strong>
-option.</p>
-</div>
-<div class="versionchanged">
-<p><span class="versionmodified changed">Changed in version 1.5: </span>The <strong>-recurse</strong> option ceased working until release 1.15,
-doing a normal dump instead of a recursive traversal.</p>
-</div>
-</dd>
-</dl>
-</section>
-<section id="load">
-<span id="kdb5-util-dump-end"></span><h3>load<a class="headerlink" href="#load" title="Link to this heading">¶</a></h3>
-<blockquote id="kdb5-util-load">
-<div><p><strong>load</strong> [<strong>-b7</strong>|<strong>-r13</strong>|<strong>-r18</strong>] [<strong>-hash</strong>]
-[<strong>-verbose</strong>] [<strong>-update</strong>] <em>filename</em></p>
-</div></blockquote>
-<p>Loads a database dump from the named file into the named database. If
-no option is given to determine the format of the dump file, the
-format is detected automatically and handled as appropriate. Unless
-the <strong>-update</strong> option is given, <strong>load</strong> creates a new database
-containing only the data in the dump file, overwriting the contents of
-any previously existing database. Note that when using the LDAP KDC
-database module, the <strong>-update</strong> flag is required.</p>
-<p>Options:</p>
-<dl class="simple">
-<dt><strong>-b7</strong></dt><dd><p>requires the database to be in the Kerberos 5 Beta 7 format
-(“kdb5_util load_dump version 4”). This was the dump format
-produced on releases prior to 1.2.2.</p>
-</dd>
-<dt><strong>-r13</strong></dt><dd><p>requires the database to be in Kerberos 5 1.3 format (“kdb5_util
-load_dump version 5”). This was the dump format produced on
-releases prior to 1.8.</p>
-</dd>
-<dt><strong>-r18</strong></dt><dd><p>requires the database to be in Kerberos 5 1.8 format (“kdb5_util
-load_dump version 6”). This was the dump format produced on
-releases prior to 1.11.</p>
-</dd>
-<dt><strong>-hash</strong></dt><dd><p>stores the database in hash format, if using the DB2 database
-type. If this option is not specified, the database will be
-stored in btree format. This option is not recommended, as
-databases stored in hash format are known to corrupt data and lose
-principals.</p>
-</dd>
-<dt><strong>-verbose</strong></dt><dd><p>causes the name of each principal and policy to be printed as it
-is dumped.</p>
-</dd>
-<dt><strong>-update</strong></dt><dd><p>records from the dump file are added to or updated in the existing
-database. Otherwise, a new database is created containing only
-what is in the dump file and the old one destroyed upon successful
-completion.</p>
-</dd>
-</dl>
-</section>
-<section id="ark">
-<span id="kdb5-util-load-end"></span><h3>ark<a class="headerlink" href="#ark" title="Link to this heading">¶</a></h3>
-<blockquote>
-<div><p><strong>ark</strong> [<strong>-e</strong> <em>enc</em>:<em>salt</em>,…] <em>principal</em></p>
-</div></blockquote>
-<p>Adds new random keys to <em>principal</em> at the next available key version
-number. Keys for the current highest key version number will be
-preserved. The <strong>-e</strong> option specifies the list of encryption and
-salt types to be used for the new keys.</p>
-</section>
-<section id="add-mkey">
-<h3>add_mkey<a class="headerlink" href="#add-mkey" title="Link to this heading">¶</a></h3>
-<blockquote>
-<div><p><strong>add_mkey</strong> [<strong>-e</strong> <em>etype</em>] [<strong>-s</strong>]</p>
-</div></blockquote>
-<p>Adds a new master key to the master key principal, but does not mark
-it as active. Existing master keys will remain. The <strong>-e</strong> option
-specifies the encryption type of the new master key; see
-<a class="reference internal" href="../conf_files/kdc_conf.html#encryption-types"><span class="std std-ref">Encryption types</span></a> in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a> for a list of possible
-values. The <strong>-s</strong> option stashes the new master key in the stash
-file, which will be created if it doesn’t already exist.</p>
-<p>After a new master key is added, it should be propagated to replica
-servers via a manual or periodic invocation of <a class="reference internal" href="kprop.html#kprop-8"><span class="std std-ref">kprop</span></a>. Then,
-the stash files on the replica servers should be updated with the
-kdb5_util <strong>stash</strong> command. Once those steps are complete, the key
-is ready to be marked active with the kdb5_util <strong>use_mkey</strong> command.</p>
-</section>
-<section id="use-mkey">
-<h3>use_mkey<a class="headerlink" href="#use-mkey" title="Link to this heading">¶</a></h3>
-<blockquote>
-<div><p><strong>use_mkey</strong> <em>mkeyVNO</em> [<em>time</em>]</p>
-</div></blockquote>
-<p>Sets the activation time of the master key specified by <em>mkeyVNO</em>.
-Once a master key becomes active, it will be used to encrypt newly
-created principal keys. If no <em>time</em> argument is given, the current
-time is used, causing the specified master key version to become
-active immediately. The format for <em>time</em> is <a class="reference internal" href="../../basic/date_format.html#getdate"><span class="std std-ref">getdate time</span></a> string.</p>
-<p>After a new master key becomes active, the kdb5_util
-<strong>update_princ_encryption</strong> command can be used to update all
-principal keys to be encrypted in the new master key.</p>
-</section>
-<section id="list-mkeys">
-<h3>list_mkeys<a class="headerlink" href="#list-mkeys" title="Link to this heading">¶</a></h3>
-<blockquote>
-<div><p><strong>list_mkeys</strong></p>
-</div></blockquote>
-<p>List all master keys, from most recent to earliest, in the master key
-principal. The output will show the kvno, enctype, and salt type for
-each mkey, similar to the output of <a class="reference internal" href="kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> <strong>getprinc</strong>. A
-<code class="docutils literal notranslate"><span class="pre">*</span></code> following an mkey denotes the currently active master key.</p>
-</section>
-<section id="purge-mkeys">
-<h3>purge_mkeys<a class="headerlink" href="#purge-mkeys" title="Link to this heading">¶</a></h3>
-<blockquote>
-<div><p><strong>purge_mkeys</strong> [<strong>-f</strong>] [<strong>-n</strong>] [<strong>-v</strong>]</p>
-</div></blockquote>
-<p>Delete master keys from the master key principal that are not used to
-protect any principals. This command can be used to remove old master
-keys all principal keys are protected by a newer master key.</p>
-<dl class="simple">
-<dt><strong>-f</strong></dt><dd><p>does not prompt for confirmation.</p>
-</dd>
-<dt><strong>-n</strong></dt><dd><p>performs a dry run, showing master keys that would be purged, but
-not actually purging any keys.</p>
-</dd>
-<dt><strong>-v</strong></dt><dd><p>gives more verbose output.</p>
-</dd>
-</dl>
-</section>
-<section id="update-princ-encryption">
-<h3>update_princ_encryption<a class="headerlink" href="#update-princ-encryption" title="Link to this heading">¶</a></h3>
-<blockquote>
-<div><p><strong>update_princ_encryption</strong> [<strong>-f</strong>] [<strong>-n</strong>] [<strong>-v</strong>]
-[<em>princ-pattern</em>]</p>
-</div></blockquote>
-<p>Update all principal records (or only those matching the
-<em>princ-pattern</em> glob pattern) to re-encrypt the key data using the
-active database master key, if they are encrypted using a different
-version, and give a count at the end of the number of principals
-updated. If the <strong>-f</strong> option is not given, ask for confirmation
-before starting to make changes. The <strong>-v</strong> option causes each
-principal processed to be listed, with an indication as to whether it
-needed updating or not. The <strong>-n</strong> option performs a dry run, only
-showing the actions which would have been taken.</p>
-</section>
-<section id="tabdump">
-<h3>tabdump<a class="headerlink" href="#tabdump" title="Link to this heading">¶</a></h3>
-<blockquote>
-<div><p><strong>tabdump</strong> [<strong>-H</strong>] [<strong>-c</strong>] [<strong>-e</strong>] [<strong>-n</strong>] [<strong>-o</strong> <em>outfile</em>]
-<em>dumptype</em></p>
-</div></blockquote>
-<p>Dump selected fields of the database in a tabular format suitable for
-reporting (e.g., using traditional Unix text processing tools) or
-importing into relational databases. The data format is tab-separated
-(default), or optionally comma-separated (CSV), with a fixed number of
-columns. The output begins with a header line containing field names,
-unless suppression is requested using the <strong>-H</strong> option.</p>
-<p>The <em>dumptype</em> parameter specifies the name of an output table (see
-below).</p>
-<p>Options:</p>
-<dl class="simple">
-<dt><strong>-H</strong></dt><dd><p>suppress writing the field names in a header line</p>
-</dd>
-<dt><strong>-c</strong></dt><dd><p>use comma separated values (CSV) format, with minimal quoting,
-instead of the default tab-separated (unquoted, unescaped) format</p>
-</dd>
-<dt><strong>-e</strong></dt><dd><p>write empty hexadecimal string fields as empty fields instead of
-as “-1”.</p>
-</dd>
-<dt><strong>-n</strong></dt><dd><p>produce numeric output for fields that normally have symbolic
-output, such as enctypes and flag names. Also requests output of
-time stamps as decimal POSIX time_t values.</p>
-</dd>
-<dt><strong>-o</strong> <em>outfile</em></dt><dd><p>write the dump to the specified output file instead of to standard
-output</p>
-</dd>
-</dl>
-<p>Dump types:</p>
-<dl>
-<dt><strong>alias</strong></dt><dd><p>principal alias information</p>
-<dl class="simple">
-<dt><strong>aliasname</strong></dt><dd><p>the name of the alias</p>
-</dd>
-<dt><strong>targetname</strong></dt><dd><p>the target of the alias</p>
-</dd>
-</dl>
-</dd>
-<dt><strong>keydata</strong></dt><dd><p>principal encryption key information, including actual key data
-(which is still encrypted in the master key)</p>
-<dl class="simple">
-<dt><strong>name</strong></dt><dd><p>principal name</p>
-</dd>
-<dt><strong>keyindex</strong></dt><dd><p>index of this key in the principal’s key list</p>
-</dd>
-<dt><strong>kvno</strong></dt><dd><p>key version number</p>
-</dd>
-<dt><strong>enctype</strong></dt><dd><p>encryption type</p>
-</dd>
-<dt><strong>key</strong></dt><dd><p>key data as a hexadecimal string</p>
-</dd>
-<dt><strong>salttype</strong></dt><dd><p>salt type</p>
-</dd>
-<dt><strong>salt</strong></dt><dd><p>salt data as a hexadecimal string</p>
-</dd>
-</dl>
-</dd>
-<dt><strong>keyinfo</strong></dt><dd><p>principal encryption key information (as in <strong>keydata</strong> above),
-excluding actual key data</p>
-</dd>
-<dt><strong>princ_flags</strong></dt><dd><p>principal boolean attributes. Flag names print as hexadecimal
-numbers if the <strong>-n</strong> option is specified, and all flag positions
-are printed regardless of whether or not they are set. If <strong>-n</strong>
-is not specified, print all known flag names for each principal,
-but only print hexadecimal flag names if the corresponding flag is
-set.</p>
-<dl class="simple">
-<dt><strong>name</strong></dt><dd><p>principal name</p>
-</dd>
-<dt><strong>flag</strong></dt><dd><p>flag name</p>
-</dd>
-<dt><strong>value</strong></dt><dd><p>boolean value (0 for clear, or 1 for set)</p>
-</dd>
-</dl>
-</dd>
-<dt><strong>princ_lockout</strong></dt><dd><p>state information used for tracking repeated password failures</p>
-<dl class="simple">
-<dt><strong>name</strong></dt><dd><p>principal name</p>
-</dd>
-<dt><strong>last_success</strong></dt><dd><p>time stamp of most recent successful authentication</p>
-</dd>
-<dt><strong>last_failed</strong></dt><dd><p>time stamp of most recent failed authentication</p>
-</dd>
-<dt><strong>fail_count</strong></dt><dd><p>count of failed attempts</p>
-</dd>
-</dl>
-</dd>
-<dt><strong>princ_meta</strong></dt><dd><p>principal metadata</p>
-<dl class="simple">
-<dt><strong>name</strong></dt><dd><p>principal name</p>
-</dd>
-<dt><strong>modby</strong></dt><dd><p>name of last principal to modify this principal</p>
-</dd>
-<dt><strong>modtime</strong></dt><dd><p>timestamp of last modification</p>
-</dd>
-<dt><strong>lastpwd</strong></dt><dd><p>timestamp of last password change</p>
-</dd>
-<dt><strong>policy</strong></dt><dd><p>policy object name</p>
-</dd>
-<dt><strong>mkvno</strong></dt><dd><p>key version number of the master key that encrypts this
-principal’s key data</p>
-</dd>
-<dt><strong>hist_kvno</strong></dt><dd><p>key version number of the history key that encrypts the key
-history data for this principal</p>
-</dd>
-</dl>
-</dd>
-<dt><strong>princ_stringattrs</strong></dt><dd><p>string attributes (key/value pairs)</p>
-<dl class="simple">
-<dt><strong>name</strong></dt><dd><p>principal name</p>
-</dd>
-<dt><strong>key</strong></dt><dd><p>attribute name</p>
-</dd>
-<dt><strong>value</strong></dt><dd><p>attribute value</p>
-</dd>
-</dl>
-</dd>
-<dt><strong>princ_tktpolicy</strong></dt><dd><p>per-principal ticket policy data, including maximum ticket
-lifetimes</p>
-<dl class="simple">
-<dt><strong>name</strong></dt><dd><p>principal name</p>
-</dd>
-<dt><strong>expiration</strong></dt><dd><p>principal expiration date</p>
-</dd>
-<dt><strong>pw_expiration</strong></dt><dd><p>password expiration date</p>
-</dd>
-<dt><strong>max_life</strong></dt><dd><p>maximum ticket lifetime</p>
-</dd>
-<dt><strong>max_renew_life</strong></dt><dd><p>maximum renewable ticket lifetime</p>
-</dd>
-</dl>
-</dd>
-</dl>
-<p>Examples:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>$ kdb5_util tabdump -o keyinfo.txt keyinfo
-$ cat keyinfo.txt
-name keyindex kvno enctype salttype salt
-K/M@EXAMPLE.COM 0 1 aes256-cts-hmac-sha384-192 normal -1
-foo@EXAMPLE.COM 0 1 aes128-cts-hmac-sha1-96 normal -1
-bar@EXAMPLE.COM 0 1 aes128-cts-hmac-sha1-96 normal -1
-$ sqlite3
-sqlite&gt; .mode tabs
-sqlite&gt; .import keyinfo.txt keyinfo
-sqlite&gt; select * from keyinfo where enctype like &#39;aes256-%&#39;;
-K/M@EXAMPLE.COM 1 1 aes256-cts-hmac-sha384-192 normal -1
-sqlite&gt; .quit
-$ awk -F&#39;\t&#39; &#39;$4 ~ /aes256-/ { print }&#39; keyinfo.txt
-K/M@EXAMPLE.COM 1 1 aes256-cts-hmac-sha384-192 normal -1
-</pre></div>
-</div>
-</section>
-</section>
-<section id="environment">
-<h2>ENVIRONMENT<a class="headerlink" href="#environment" title="Link to this heading">¶</a></h2>
-<p>See <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a> for a description of Kerberos environment
-variables.</p>
-</section>
-<section id="see-also">
-<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Link to this heading">¶</a></h2>
-<p><a class="reference internal" href="kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a>, <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a></p>
-</section>
-</section>
-
-
- <div class="clearer"></div>
- </div>
- </div>
- </div>
- </div>
- <div class="sidebar">
-
- <h2>On this page</h2>
- <ul>
-<li><a class="reference internal" href="#">kdb5_util</a><ul>
-<li><a class="reference internal" href="#synopsis">SYNOPSIS</a></li>
-<li><a class="reference internal" href="#description">DESCRIPTION</a></li>
-<li><a class="reference internal" href="#command-line-options">COMMAND-LINE OPTIONS</a></li>
-<li><a class="reference internal" href="#commands">COMMANDS</a><ul>
-<li><a class="reference internal" href="#create">create</a></li>
-<li><a class="reference internal" href="#destroy">destroy</a></li>
-<li><a class="reference internal" href="#stash">stash</a></li>
-<li><a class="reference internal" href="#dump">dump</a></li>
-<li><a class="reference internal" href="#load">load</a></li>
-<li><a class="reference internal" href="#ark">ark</a></li>
-<li><a class="reference internal" href="#add-mkey">add_mkey</a></li>
-<li><a class="reference internal" href="#use-mkey">use_mkey</a></li>
-<li><a class="reference internal" href="#list-mkeys">list_mkeys</a></li>
-<li><a class="reference internal" href="#purge-mkeys">purge_mkeys</a></li>
-<li><a class="reference internal" href="#update-princ-encryption">update_princ_encryption</a></li>
-<li><a class="reference internal" href="#tabdump">tabdump</a></li>
-</ul>
-</li>
-<li><a class="reference internal" href="#environment">ENVIRONMENT</a></li>
-<li><a class="reference internal" href="#see-also">SEE ALSO</a></li>
-</ul>
-</li>
-</ul>
-
- <br/>
- <h2>Table of contents</h2>
- <ul class="current">
-<li class="toctree-l1"><a class="reference internal" href="../../user/index.html">For users</a></li>
-<li class="toctree-l1 current"><a class="reference internal" href="../index.html">For administrators</a><ul class="current">
-<li class="toctree-l2"><a class="reference internal" href="../install.html">Installation guide</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../conf_files/index.html">Configuration Files</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../dbtypes.html">Database types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../host_config.html">Host configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../spake.html">SPAKE Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../dictionary.html">Addressing dictionary attack risks</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../auth_indicator.html">Authentication indicators</a></li>
-<li class="toctree-l2 current"><a class="reference internal" href="index.html">Administration programs</a><ul class="current">
-<li class="toctree-l3"><a class="reference internal" href="kadmin_local.html">kadmin</a></li>
-<li class="toctree-l3"><a class="reference internal" href="kadmind.html">kadmind</a></li>
-<li class="toctree-l3 current"><a class="current reference internal" href="#">kdb5_util</a></li>
-<li class="toctree-l3"><a class="reference internal" href="kdb5_ldap_util.html">kdb5_ldap_util</a></li>
-<li class="toctree-l3"><a class="reference internal" href="krb5kdc.html">krb5kdc</a></li>
-<li class="toctree-l3"><a class="reference internal" href="kprop.html">kprop</a></li>
-<li class="toctree-l3"><a class="reference internal" href="kpropd.html">kpropd</a></li>
-<li class="toctree-l3"><a class="reference internal" href="kproplog.html">kproplog</a></li>
-<li class="toctree-l3"><a class="reference internal" href="ktutil.html">ktutil</a></li>
-<li class="toctree-l3"><a class="reference internal" href="k5srvutil.html">k5srvutil</a></li>
-<li class="toctree-l3"><a class="reference internal" href="sserver.html">sserver</a></li>
-</ul>
-</li>
-<li class="toctree-l2"><a class="reference internal" href="../../mitK5defaults.html">MIT Kerberos defaults</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../env_variables.html">Environment variables</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../troubleshoot.html">Troubleshooting</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../advanced/index.html">Advanced topics</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../various_envs.html">Various links</a></li>
-</ul>
-</li>
-<li class="toctree-l1"><a class="reference internal" href="../../appdev/index.html">For application developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../plugindev/index.html">For plugin module developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../build/index.html">Building Kerberos V5</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../basic/index.html">Kerberos V5 concepts</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../formats/index.html">Protocols and file formats</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../mitK5features.html">MIT Kerberos features</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../build_this.html">How to build this documentation from the source</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../about.html">Contributing to the MIT Kerberos Documentation</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../resources.html">Resources</a></li>
-</ul>
-
- <br/>
- <h4><a href="../../index.html">Full Table of Contents</a></h4>
- <h4>Search</h4>
- <form class="search" action="../../search.html" method="get">
- <input type="text" name="q" size="18" />
- <input type="submit" value="Go" />
- <input type="hidden" name="check_keywords" value="yes" />
- <input type="hidden" name="area" value="default" />
- </form>
-
- </div>
- <div class="clearer"></div>
- </div>
- </div>
-
- <div class="footer-wrapper">
- <div class="footer" >
- <div class="right" ><i>Release: 1.22-final</i><br />
- &copy; <a href="../../copyright.html">Copyright</a> 1985-2025, MIT.
- </div>
- <div class="left">
-
- <a href="../../index.html" title="Full Table of Contents"
- >Contents</a> |
- <a href="kadmind.html" title="kadmind"
- >previous</a> |
- <a href="kdb5_ldap_util.html" title="kdb5_ldap_util"
- >next</a> |
- <a href="../../genindex.html" title="General Index"
- >index</a> |
- <a href="../../search.html" title="Enter search criteria"
- >Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__kdb5_util">feedback</a>
- </div>
- </div>
- </div>
-
- </body>
-</html> \ No newline at end of file
diff --git a/crypto/krb5/doc/html/admin/admin_commands/kprop.html b/crypto/krb5/doc/html/admin/admin_commands/kprop.html
deleted file mode 100644
index b78c0fa60f7e..000000000000
--- a/crypto/krb5/doc/html/admin/admin_commands/kprop.html
+++ /dev/null
@@ -1,215 +0,0 @@
-<!DOCTYPE html>
-
-<html lang="en" data-content_root="../../">
- <head>
- <meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
-
- <title>kprop &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../../_static/pygments.css?v=fa44fd50" />
- <link rel="stylesheet" type="text/css" href="../../_static/agogo.css?v=879f3c71" />
- <link rel="stylesheet" type="text/css" href="../../_static/kerb.css?v=6a0b3979" />
- <script src="../../_static/documentation_options.js?v=236fef3b"></script>
- <script src="../../_static/doctools.js?v=888ff710"></script>
- <script src="../../_static/sphinx_highlight.js?v=dc90522c"></script>
- <link rel="author" title="About these documents" href="../../about.html" />
- <link rel="index" title="Index" href="../../genindex.html" />
- <link rel="search" title="Search" href="../../search.html" />
- <link rel="copyright" title="Copyright" href="../../copyright.html" />
- <link rel="next" title="kpropd" href="kpropd.html" />
- <link rel="prev" title="krb5kdc" href="krb5kdc.html" />
- </head><body>
- <div class="header-wrapper">
- <div class="header">
-
-
- <h1><a href="../../index.html">MIT Kerberos Documentation</a></h1>
-
- <div class="rel">
-
- <a href="../../index.html" title="Full Table of Contents"
- accesskey="C">Contents</a> |
- <a href="krb5kdc.html" title="krb5kdc"
- accesskey="P">previous</a> |
- <a href="kpropd.html" title="kpropd"
- accesskey="N">next</a> |
- <a href="../../genindex.html" title="General Index"
- accesskey="I">index</a> |
- <a href="../../search.html" title="Enter search criteria"
- accesskey="S">Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__kprop">feedback</a>
- </div>
- </div>
- </div>
-
- <div class="content-wrapper">
- <div class="content">
- <div class="document">
-
- <div class="documentwrapper">
- <div class="bodywrapper">
- <div class="body" role="main">
-
- <section id="kprop">
-<span id="kprop-8"></span><h1>kprop<a class="headerlink" href="#kprop" title="Link to this heading">¶</a></h1>
-<section id="synopsis">
-<h2>SYNOPSIS<a class="headerlink" href="#synopsis" title="Link to this heading">¶</a></h2>
-<p><strong>kprop</strong>
-[<strong>-r</strong> <em>realm</em>]
-[<strong>-f</strong> <em>file</em>]
-[<strong>-d</strong>]
-[<strong>-P</strong> <em>port</em>]
-[<strong>-s</strong> <em>keytab</em>]
-<em>replica_host</em></p>
-</section>
-<section id="description">
-<h2>DESCRIPTION<a class="headerlink" href="#description" title="Link to this heading">¶</a></h2>
-<p>kprop is used to securely propagate a Kerberos V5 database dump file
-from the primary Kerberos server to a replica Kerberos server, which is
-specified by <em>replica_host</em>. The dump file must be created by
-<a class="reference internal" href="kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a>.</p>
-</section>
-<section id="options">
-<h2>OPTIONS<a class="headerlink" href="#options" title="Link to this heading">¶</a></h2>
-<dl class="simple">
-<dt><strong>-r</strong> <em>realm</em></dt><dd><p>Specifies the realm of the primary server.</p>
-</dd>
-<dt><strong>-f</strong> <em>file</em></dt><dd><p>Specifies the filename where the dumped principal database file is
-to be found; by default the dumped database file is normally
-<a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">LOCALSTATEDIR</span></a><code class="docutils literal notranslate"><span class="pre">/krb5kdc</span></code><code class="docutils literal notranslate"><span class="pre">/replica_datatrans</span></code>.</p>
-</dd>
-<dt><strong>-P</strong> <em>port</em></dt><dd><p>Specifies the port to use to contact the <a class="reference internal" href="kpropd.html#kpropd-8"><span class="std std-ref">kpropd</span></a> server
-on the remote host.</p>
-</dd>
-<dt><strong>-d</strong></dt><dd><p>Prints debugging information.</p>
-</dd>
-<dt><strong>-s</strong> <em>keytab</em></dt><dd><p>Specifies the location of the keytab file.</p>
-</dd>
-</dl>
-</section>
-<section id="environment">
-<h2>ENVIRONMENT<a class="headerlink" href="#environment" title="Link to this heading">¶</a></h2>
-<p>See <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a> for a description of Kerberos environment
-variables.</p>
-</section>
-<section id="see-also">
-<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Link to this heading">¶</a></h2>
-<p><a class="reference internal" href="kpropd.html#kpropd-8"><span class="std std-ref">kpropd</span></a>, <a class="reference internal" href="kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a>, <a class="reference internal" href="krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a>,
-<a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a></p>
-</section>
-</section>
-
-
- <div class="clearer"></div>
- </div>
- </div>
- </div>
- </div>
- <div class="sidebar">
-
- <h2>On this page</h2>
- <ul>
-<li><a class="reference internal" href="#">kprop</a><ul>
-<li><a class="reference internal" href="#synopsis">SYNOPSIS</a></li>
-<li><a class="reference internal" href="#description">DESCRIPTION</a></li>
-<li><a class="reference internal" href="#options">OPTIONS</a></li>
-<li><a class="reference internal" href="#environment">ENVIRONMENT</a></li>
-<li><a class="reference internal" href="#see-also">SEE ALSO</a></li>
-</ul>
-</li>
-</ul>
-
- <br/>
- <h2>Table of contents</h2>
- <ul class="current">
-<li class="toctree-l1"><a class="reference internal" href="../../user/index.html">For users</a></li>
-<li class="toctree-l1 current"><a class="reference internal" href="../index.html">For administrators</a><ul class="current">
-<li class="toctree-l2"><a class="reference internal" href="../install.html">Installation guide</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../conf_files/index.html">Configuration Files</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../dbtypes.html">Database types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../host_config.html">Host configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../spake.html">SPAKE Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../dictionary.html">Addressing dictionary attack risks</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../auth_indicator.html">Authentication indicators</a></li>
-<li class="toctree-l2 current"><a class="reference internal" href="index.html">Administration programs</a><ul class="current">
-<li class="toctree-l3"><a class="reference internal" href="kadmin_local.html">kadmin</a></li>
-<li class="toctree-l3"><a class="reference internal" href="kadmind.html">kadmind</a></li>
-<li class="toctree-l3"><a class="reference internal" href="kdb5_util.html">kdb5_util</a></li>
-<li class="toctree-l3"><a class="reference internal" href="kdb5_ldap_util.html">kdb5_ldap_util</a></li>
-<li class="toctree-l3"><a class="reference internal" href="krb5kdc.html">krb5kdc</a></li>
-<li class="toctree-l3 current"><a class="current reference internal" href="#">kprop</a></li>
-<li class="toctree-l3"><a class="reference internal" href="kpropd.html">kpropd</a></li>
-<li class="toctree-l3"><a class="reference internal" href="kproplog.html">kproplog</a></li>
-<li class="toctree-l3"><a class="reference internal" href="ktutil.html">ktutil</a></li>
-<li class="toctree-l3"><a class="reference internal" href="k5srvutil.html">k5srvutil</a></li>
-<li class="toctree-l3"><a class="reference internal" href="sserver.html">sserver</a></li>
-</ul>
-</li>
-<li class="toctree-l2"><a class="reference internal" href="../../mitK5defaults.html">MIT Kerberos defaults</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../env_variables.html">Environment variables</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../troubleshoot.html">Troubleshooting</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../advanced/index.html">Advanced topics</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../various_envs.html">Various links</a></li>
-</ul>
-</li>
-<li class="toctree-l1"><a class="reference internal" href="../../appdev/index.html">For application developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../plugindev/index.html">For plugin module developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../build/index.html">Building Kerberos V5</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../basic/index.html">Kerberos V5 concepts</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../formats/index.html">Protocols and file formats</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../mitK5features.html">MIT Kerberos features</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../build_this.html">How to build this documentation from the source</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../about.html">Contributing to the MIT Kerberos Documentation</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../resources.html">Resources</a></li>
-</ul>
-
- <br/>
- <h4><a href="../../index.html">Full Table of Contents</a></h4>
- <h4>Search</h4>
- <form class="search" action="../../search.html" method="get">
- <input type="text" name="q" size="18" />
- <input type="submit" value="Go" />
- <input type="hidden" name="check_keywords" value="yes" />
- <input type="hidden" name="area" value="default" />
- </form>
-
- </div>
- <div class="clearer"></div>
- </div>
- </div>
-
- <div class="footer-wrapper">
- <div class="footer" >
- <div class="right" ><i>Release: 1.22-final</i><br />
- &copy; <a href="../../copyright.html">Copyright</a> 1985-2025, MIT.
- </div>
- <div class="left">
-
- <a href="../../index.html" title="Full Table of Contents"
- >Contents</a> |
- <a href="krb5kdc.html" title="krb5kdc"
- >previous</a> |
- <a href="kpropd.html" title="kpropd"
- >next</a> |
- <a href="../../genindex.html" title="General Index"
- >index</a> |
- <a href="../../search.html" title="Enter search criteria"
- >Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__kprop">feedback</a>
- </div>
- </div>
- </div>
-
- </body>
-</html> \ No newline at end of file
diff --git a/crypto/krb5/doc/html/admin/admin_commands/kpropd.html b/crypto/krb5/doc/html/admin/admin_commands/kpropd.html
deleted file mode 100644
index 2fc3bbd9b3f6..000000000000
--- a/crypto/krb5/doc/html/admin/admin_commands/kpropd.html
+++ /dev/null
@@ -1,287 +0,0 @@
-<!DOCTYPE html>
-
-<html lang="en" data-content_root="../../">
- <head>
- <meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
-
- <title>kpropd &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../../_static/pygments.css?v=fa44fd50" />
- <link rel="stylesheet" type="text/css" href="../../_static/agogo.css?v=879f3c71" />
- <link rel="stylesheet" type="text/css" href="../../_static/kerb.css?v=6a0b3979" />
- <script src="../../_static/documentation_options.js?v=236fef3b"></script>
- <script src="../../_static/doctools.js?v=888ff710"></script>
- <script src="../../_static/sphinx_highlight.js?v=dc90522c"></script>
- <link rel="author" title="About these documents" href="../../about.html" />
- <link rel="index" title="Index" href="../../genindex.html" />
- <link rel="search" title="Search" href="../../search.html" />
- <link rel="copyright" title="Copyright" href="../../copyright.html" />
- <link rel="next" title="kproplog" href="kproplog.html" />
- <link rel="prev" title="kprop" href="kprop.html" />
- </head><body>
- <div class="header-wrapper">
- <div class="header">
-
-
- <h1><a href="../../index.html">MIT Kerberos Documentation</a></h1>
-
- <div class="rel">
-
- <a href="../../index.html" title="Full Table of Contents"
- accesskey="C">Contents</a> |
- <a href="kprop.html" title="kprop"
- accesskey="P">previous</a> |
- <a href="kproplog.html" title="kproplog"
- accesskey="N">next</a> |
- <a href="../../genindex.html" title="General Index"
- accesskey="I">index</a> |
- <a href="../../search.html" title="Enter search criteria"
- accesskey="S">Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__kpropd">feedback</a>
- </div>
- </div>
- </div>
-
- <div class="content-wrapper">
- <div class="content">
- <div class="document">
-
- <div class="documentwrapper">
- <div class="bodywrapper">
- <div class="body" role="main">
-
- <section id="kpropd">
-<span id="kpropd-8"></span><h1>kpropd<a class="headerlink" href="#kpropd" title="Link to this heading">¶</a></h1>
-<section id="synopsis">
-<h2>SYNOPSIS<a class="headerlink" href="#synopsis" title="Link to this heading">¶</a></h2>
-<p><strong>kpropd</strong>
-[<strong>-r</strong> <em>realm</em>]
-[<strong>-A</strong> <em>admin_server</em>]
-[<strong>-a</strong> <em>acl_file</em>]
-[<strong>-f</strong> <em>replica_dumpfile</em>]
-[<strong>-F</strong> <em>principal_database</em>]
-[<strong>-p</strong> <em>kdb5_util_prog</em>]
-[<strong>-P</strong> <em>port</em>]
-[<strong>–pid-file</strong>=<em>pid_file</em>]
-[<strong>-D</strong>]
-[<strong>-d</strong>]
-[<strong>-s</strong> <em>keytab_file</em>]</p>
-</section>
-<section id="description">
-<h2>DESCRIPTION<a class="headerlink" href="#description" title="Link to this heading">¶</a></h2>
-<p>The <em>kpropd</em> command runs on the replica KDC server. It listens for
-update requests made by the <a class="reference internal" href="kprop.html#kprop-8"><span class="std std-ref">kprop</span></a> program. If incremental
-propagation is enabled, it periodically requests incremental updates
-from the primary KDC.</p>
-<p>When the replica receives a kprop request from the primary, kpropd
-accepts the dumped KDC database and places it in a file, and then runs
-<a class="reference internal" href="kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a> to load the dumped database into the active
-database which is used by <a class="reference internal" href="krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a>. This allows the primary
-Kerberos server to use <a class="reference internal" href="kprop.html#kprop-8"><span class="std std-ref">kprop</span></a> to propagate its database to
-the replica servers. Upon a successful download of the KDC database
-file, the replica Kerberos server will have an up-to-date KDC
-database.</p>
-<p>Where incremental propagation is not used, kpropd is commonly invoked
-out of inetd(8) as a nowait service. This is done by adding a line to
-the <code class="docutils literal notranslate"><span class="pre">/etc/inetd.conf</span></code> file which looks like this:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">kprop</span> <span class="n">stream</span> <span class="n">tcp</span> <span class="n">nowait</span> <span class="n">root</span> <span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">local</span><span class="o">/</span><span class="n">sbin</span><span class="o">/</span><span class="n">kpropd</span> <span class="n">kpropd</span>
-</pre></div>
-</div>
-<p>kpropd can also run as a standalone daemon, backgrounding itself and
-waiting for connections on port 754 (or the port specified with the
-<strong>-P</strong> option if given). Standalone mode is required for incremental
-propagation. Starting in release 1.11, kpropd automatically detects
-whether it was run from inetd and runs in standalone mode if it is
-not. Prior to release 1.11, the <strong>-S</strong> option is required to run
-kpropd in standalone mode; this option is now accepted for backward
-compatibility but does nothing.</p>
-<p>Incremental propagation may be enabled with the <strong>iprop_enable</strong>
-variable in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>. If incremental propagation is
-enabled, the replica periodically polls the primary KDC for updates, at
-an interval determined by the <strong>iprop_replica_poll</strong> variable. If the
-replica receives updates, kpropd updates its log file with any updates
-from the primary. <a class="reference internal" href="kproplog.html#kproplog-8"><span class="std std-ref">kproplog</span></a> can be used to view a summary of
-the update entry log on the replica KDC. If incremental propagation
-is enabled, the principal <code class="docutils literal notranslate"><span class="pre">kiprop/replicahostname&#64;REALM</span></code> (where
-<em>replicahostname</em> is the name of the replica KDC host, and <em>REALM</em> is
-the name of the Kerberos realm) must be present in the replica’s
-keytab file.</p>
-<p><a class="reference internal" href="kproplog.html#kproplog-8"><span class="std std-ref">kproplog</span></a> can be used to force full replication when iprop is
-enabled.</p>
-</section>
-<section id="options">
-<h2>OPTIONS<a class="headerlink" href="#options" title="Link to this heading">¶</a></h2>
-<dl class="simple">
-<dt><strong>-r</strong> <em>realm</em></dt><dd><p>Specifies the realm of the primary server.</p>
-</dd>
-<dt><strong>-A</strong> <em>admin_server</em></dt><dd><p>Specifies the server to be contacted for incremental updates; by
-default, the primary admin server is contacted.</p>
-</dd>
-<dt><strong>-f</strong> <em>file</em></dt><dd><p>Specifies the filename where the dumped principal database file is
-to be stored; by default the dumped database file is <a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">LOCALSTATEDIR</span></a><code class="docutils literal notranslate"><span class="pre">/krb5kdc</span></code><code class="docutils literal notranslate"><span class="pre">/from_master</span></code>.</p>
-</dd>
-<dt><strong>-F</strong> <em>kerberos_db</em></dt><dd><p>Path to the Kerberos database file, if not the default.</p>
-</dd>
-<dt><strong>-p</strong></dt><dd><p>Allows the user to specify the pathname to the <a class="reference internal" href="kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a>
-program; by default the pathname used is <a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">SBINDIR</span></a><code class="docutils literal notranslate"><span class="pre">/kdb5_util</span></code>.</p>
-</dd>
-<dt><strong>-D</strong></dt><dd><p>In this mode, kpropd will not detach itself from the current job
-and run in the background. Instead, it will run in the
-foreground.</p>
-</dd>
-<dt><strong>-d</strong></dt><dd><p>Turn on debug mode. kpropd will print out debugging messages
-during the database propogation and will run in the foreground
-(implies <strong>-D</strong>).</p>
-</dd>
-<dt><strong>-P</strong></dt><dd><p>Allow for an alternate port number for kpropd to listen on. This
-is only useful in combination with the <strong>-S</strong> option.</p>
-</dd>
-<dt><strong>-a</strong> <em>acl_file</em></dt><dd><p>Allows the user to specify the path to the kpropd.acl file; by
-default the path used is <a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">LOCALSTATEDIR</span></a><code class="docutils literal notranslate"><span class="pre">/krb5kdc</span></code><code class="docutils literal notranslate"><span class="pre">/kpropd.acl</span></code>.</p>
-</dd>
-<dt><strong>–pid-file</strong>=<em>pid_file</em></dt><dd><p>In standalone mode, write the process ID of the daemon into
-<em>pid_file</em>.</p>
-</dd>
-<dt><strong>-s</strong> <em>keytab_file</em></dt><dd><p>Path to a keytab to use for acquiring acceptor credentials.</p>
-</dd>
-<dt><strong>-x</strong> <em>db_args</em></dt><dd><p>Database-specific arguments. See <a class="reference internal" href="kadmin_local.html#dboptions"><span class="std std-ref">Database Options</span></a> in <a class="reference internal" href="kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> for supported arguments.</p>
-</dd>
-</dl>
-</section>
-<section id="files">
-<h2>FILES<a class="headerlink" href="#files" title="Link to this heading">¶</a></h2>
-<dl class="simple">
-<dt>kpropd.acl</dt><dd><p>Access file for kpropd; the default location is
-<code class="docutils literal notranslate"><span class="pre">/usr/local/var/krb5kdc/kpropd.acl</span></code>. Each entry is a line
-containing the principal of a host from which the local machine
-will allow Kerberos database propagation via <a class="reference internal" href="kprop.html#kprop-8"><span class="std std-ref">kprop</span></a>.</p>
-</dd>
-</dl>
-</section>
-<section id="environment">
-<h2>ENVIRONMENT<a class="headerlink" href="#environment" title="Link to this heading">¶</a></h2>
-<p>See <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a> for a description of Kerberos environment
-variables.</p>
-</section>
-<section id="see-also">
-<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Link to this heading">¶</a></h2>
-<p><a class="reference internal" href="kprop.html#kprop-8"><span class="std std-ref">kprop</span></a>, <a class="reference internal" href="kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a>, <a class="reference internal" href="krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a>,
-<a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a>, inetd(8)</p>
-</section>
-</section>
-
-
- <div class="clearer"></div>
- </div>
- </div>
- </div>
- </div>
- <div class="sidebar">
-
- <h2>On this page</h2>
- <ul>
-<li><a class="reference internal" href="#">kpropd</a><ul>
-<li><a class="reference internal" href="#synopsis">SYNOPSIS</a></li>
-<li><a class="reference internal" href="#description">DESCRIPTION</a></li>
-<li><a class="reference internal" href="#options">OPTIONS</a></li>
-<li><a class="reference internal" href="#files">FILES</a></li>
-<li><a class="reference internal" href="#environment">ENVIRONMENT</a></li>
-<li><a class="reference internal" href="#see-also">SEE ALSO</a></li>
-</ul>
-</li>
-</ul>
-
- <br/>
- <h2>Table of contents</h2>
- <ul class="current">
-<li class="toctree-l1"><a class="reference internal" href="../../user/index.html">For users</a></li>
-<li class="toctree-l1 current"><a class="reference internal" href="../index.html">For administrators</a><ul class="current">
-<li class="toctree-l2"><a class="reference internal" href="../install.html">Installation guide</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../conf_files/index.html">Configuration Files</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../dbtypes.html">Database types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../host_config.html">Host configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../spake.html">SPAKE Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../dictionary.html">Addressing dictionary attack risks</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../auth_indicator.html">Authentication indicators</a></li>
-<li class="toctree-l2 current"><a class="reference internal" href="index.html">Administration programs</a><ul class="current">
-<li class="toctree-l3"><a class="reference internal" href="kadmin_local.html">kadmin</a></li>
-<li class="toctree-l3"><a class="reference internal" href="kadmind.html">kadmind</a></li>
-<li class="toctree-l3"><a class="reference internal" href="kdb5_util.html">kdb5_util</a></li>
-<li class="toctree-l3"><a class="reference internal" href="kdb5_ldap_util.html">kdb5_ldap_util</a></li>
-<li class="toctree-l3"><a class="reference internal" href="krb5kdc.html">krb5kdc</a></li>
-<li class="toctree-l3"><a class="reference internal" href="kprop.html">kprop</a></li>
-<li class="toctree-l3 current"><a class="current reference internal" href="#">kpropd</a></li>
-<li class="toctree-l3"><a class="reference internal" href="kproplog.html">kproplog</a></li>
-<li class="toctree-l3"><a class="reference internal" href="ktutil.html">ktutil</a></li>
-<li class="toctree-l3"><a class="reference internal" href="k5srvutil.html">k5srvutil</a></li>
-<li class="toctree-l3"><a class="reference internal" href="sserver.html">sserver</a></li>
-</ul>
-</li>
-<li class="toctree-l2"><a class="reference internal" href="../../mitK5defaults.html">MIT Kerberos defaults</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../env_variables.html">Environment variables</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../troubleshoot.html">Troubleshooting</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../advanced/index.html">Advanced topics</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../various_envs.html">Various links</a></li>
-</ul>
-</li>
-<li class="toctree-l1"><a class="reference internal" href="../../appdev/index.html">For application developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../plugindev/index.html">For plugin module developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../build/index.html">Building Kerberos V5</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../basic/index.html">Kerberos V5 concepts</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../formats/index.html">Protocols and file formats</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../mitK5features.html">MIT Kerberos features</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../build_this.html">How to build this documentation from the source</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../about.html">Contributing to the MIT Kerberos Documentation</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../resources.html">Resources</a></li>
-</ul>
-
- <br/>
- <h4><a href="../../index.html">Full Table of Contents</a></h4>
- <h4>Search</h4>
- <form class="search" action="../../search.html" method="get">
- <input type="text" name="q" size="18" />
- <input type="submit" value="Go" />
- <input type="hidden" name="check_keywords" value="yes" />
- <input type="hidden" name="area" value="default" />
- </form>
-
- </div>
- <div class="clearer"></div>
- </div>
- </div>
-
- <div class="footer-wrapper">
- <div class="footer" >
- <div class="right" ><i>Release: 1.22-final</i><br />
- &copy; <a href="../../copyright.html">Copyright</a> 1985-2025, MIT.
- </div>
- <div class="left">
-
- <a href="../../index.html" title="Full Table of Contents"
- >Contents</a> |
- <a href="kprop.html" title="kprop"
- >previous</a> |
- <a href="kproplog.html" title="kproplog"
- >next</a> |
- <a href="../../genindex.html" title="General Index"
- >index</a> |
- <a href="../../search.html" title="Enter search criteria"
- >Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__kpropd">feedback</a>
- </div>
- </div>
- </div>
-
- </body>
-</html> \ No newline at end of file
diff --git a/crypto/krb5/doc/html/admin/admin_commands/kproplog.html b/crypto/krb5/doc/html/admin/admin_commands/kproplog.html
deleted file mode 100644
index b551ef6560ac..000000000000
--- a/crypto/krb5/doc/html/admin/admin_commands/kproplog.html
+++ /dev/null
@@ -1,240 +0,0 @@
-<!DOCTYPE html>
-
-<html lang="en" data-content_root="../../">
- <head>
- <meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
-
- <title>kproplog &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../../_static/pygments.css?v=fa44fd50" />
- <link rel="stylesheet" type="text/css" href="../../_static/agogo.css?v=879f3c71" />
- <link rel="stylesheet" type="text/css" href="../../_static/kerb.css?v=6a0b3979" />
- <script src="../../_static/documentation_options.js?v=236fef3b"></script>
- <script src="../../_static/doctools.js?v=888ff710"></script>
- <script src="../../_static/sphinx_highlight.js?v=dc90522c"></script>
- <link rel="author" title="About these documents" href="../../about.html" />
- <link rel="index" title="Index" href="../../genindex.html" />
- <link rel="search" title="Search" href="../../search.html" />
- <link rel="copyright" title="Copyright" href="../../copyright.html" />
- <link rel="next" title="ktutil" href="ktutil.html" />
- <link rel="prev" title="kpropd" href="kpropd.html" />
- </head><body>
- <div class="header-wrapper">
- <div class="header">
-
-
- <h1><a href="../../index.html">MIT Kerberos Documentation</a></h1>
-
- <div class="rel">
-
- <a href="../../index.html" title="Full Table of Contents"
- accesskey="C">Contents</a> |
- <a href="kpropd.html" title="kpropd"
- accesskey="P">previous</a> |
- <a href="ktutil.html" title="ktutil"
- accesskey="N">next</a> |
- <a href="../../genindex.html" title="General Index"
- accesskey="I">index</a> |
- <a href="../../search.html" title="Enter search criteria"
- accesskey="S">Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__kproplog">feedback</a>
- </div>
- </div>
- </div>
-
- <div class="content-wrapper">
- <div class="content">
- <div class="document">
-
- <div class="documentwrapper">
- <div class="bodywrapper">
- <div class="body" role="main">
-
- <section id="kproplog">
-<span id="kproplog-8"></span><h1>kproplog<a class="headerlink" href="#kproplog" title="Link to this heading">¶</a></h1>
-<section id="synopsis">
-<h2>SYNOPSIS<a class="headerlink" href="#synopsis" title="Link to this heading">¶</a></h2>
-<p><strong>kproplog</strong> [<strong>-h</strong>] [<strong>-e</strong> <em>num</em>] [-v]
-<strong>kproplog</strong> [-R]</p>
-</section>
-<section id="description">
-<h2>DESCRIPTION<a class="headerlink" href="#description" title="Link to this heading">¶</a></h2>
-<p>The kproplog command displays the contents of the KDC database update
-log to standard output. It can be used to keep track of incremental
-updates to the principal database. The update log file contains the
-update log maintained by the <a class="reference internal" href="kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> process on the primary
-KDC server and the <a class="reference internal" href="kpropd.html#kpropd-8"><span class="std std-ref">kpropd</span></a> process on the replica KDC
-servers. When updates occur, they are logged to this file.
-Subsequently any KDC replica configured for incremental updates will
-request the current data from the primary KDC and update their log
-file with any updates returned.</p>
-<p>The kproplog command requires read access to the update log file. It
-will display update entries only for the KDC it runs on.</p>
-<p>If no options are specified, kproplog displays a summary of the update
-log. If invoked on the primary, kproplog also displays all of the
-update entries. If invoked on a replica KDC server, kproplog displays
-only a summary of the updates, which includes the serial number of the
-last update received and the associated time stamp of the last update.</p>
-</section>
-<section id="options">
-<h2>OPTIONS<a class="headerlink" href="#options" title="Link to this heading">¶</a></h2>
-<dl>
-<dt><strong>-R</strong></dt><dd><p>Reset the update log. This forces full resynchronization. If
-used on a replica then that replica will request a full resync.
-If used on the primary then all replicas will request full
-resyncs.</p>
-</dd>
-<dt><strong>-h</strong></dt><dd><p>Display a summary of the update log. This information includes
-the database version number, state of the database, the number of
-updates in the log, the time stamp of the first and last update,
-and the version number of the first and last update entry.</p>
-</dd>
-<dt><strong>-e</strong> <em>num</em></dt><dd><p>Display the last <em>num</em> update entries in the log. This is useful
-when debugging synchronization between KDC servers.</p>
-</dd>
-<dt><strong>-v</strong></dt><dd><p>Display individual attributes per update. An example of the
-output generated for one entry:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">Update</span> <span class="n">Entry</span>
- <span class="n">Update</span> <span class="n">serial</span> <span class="c1"># : 4</span>
- <span class="n">Update</span> <span class="n">operation</span> <span class="p">:</span> <span class="n">Add</span>
- <span class="n">Update</span> <span class="n">principal</span> <span class="p">:</span> <span class="n">test</span><span class="nd">@EXAMPLE</span><span class="o">.</span><span class="n">COM</span>
- <span class="n">Update</span> <span class="n">size</span> <span class="p">:</span> <span class="mi">424</span>
- <span class="n">Update</span> <span class="n">committed</span> <span class="p">:</span> <span class="kc">True</span>
- <span class="n">Update</span> <span class="n">time</span> <span class="n">stamp</span> <span class="p">:</span> <span class="n">Fri</span> <span class="n">Feb</span> <span class="mi">20</span> <span class="mi">23</span><span class="p">:</span><span class="mi">37</span><span class="p">:</span><span class="mi">42</span> <span class="mi">2004</span>
- <span class="n">Attributes</span> <span class="n">changed</span> <span class="p">:</span> <span class="mi">6</span>
- <span class="n">Principal</span>
- <span class="n">Key</span> <span class="n">data</span>
- <span class="n">Password</span> <span class="n">last</span> <span class="n">changed</span>
- <span class="n">Modifying</span> <span class="n">principal</span>
- <span class="n">Modification</span> <span class="n">time</span>
- <span class="n">TL</span> <span class="n">data</span>
-</pre></div>
-</div>
-</dd>
-</dl>
-</section>
-<section id="environment">
-<h2>ENVIRONMENT<a class="headerlink" href="#environment" title="Link to this heading">¶</a></h2>
-<p>See <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a> for a description of Kerberos environment
-variables.</p>
-</section>
-<section id="see-also">
-<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Link to this heading">¶</a></h2>
-<p><a class="reference internal" href="kpropd.html#kpropd-8"><span class="std std-ref">kpropd</span></a>, <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a></p>
-</section>
-</section>
-
-
- <div class="clearer"></div>
- </div>
- </div>
- </div>
- </div>
- <div class="sidebar">
-
- <h2>On this page</h2>
- <ul>
-<li><a class="reference internal" href="#">kproplog</a><ul>
-<li><a class="reference internal" href="#synopsis">SYNOPSIS</a></li>
-<li><a class="reference internal" href="#description">DESCRIPTION</a></li>
-<li><a class="reference internal" href="#options">OPTIONS</a></li>
-<li><a class="reference internal" href="#environment">ENVIRONMENT</a></li>
-<li><a class="reference internal" href="#see-also">SEE ALSO</a></li>
-</ul>
-</li>
-</ul>
-
- <br/>
- <h2>Table of contents</h2>
- <ul class="current">
-<li class="toctree-l1"><a class="reference internal" href="../../user/index.html">For users</a></li>
-<li class="toctree-l1 current"><a class="reference internal" href="../index.html">For administrators</a><ul class="current">
-<li class="toctree-l2"><a class="reference internal" href="../install.html">Installation guide</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../conf_files/index.html">Configuration Files</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../dbtypes.html">Database types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../host_config.html">Host configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../spake.html">SPAKE Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../dictionary.html">Addressing dictionary attack risks</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../auth_indicator.html">Authentication indicators</a></li>
-<li class="toctree-l2 current"><a class="reference internal" href="index.html">Administration programs</a><ul class="current">
-<li class="toctree-l3"><a class="reference internal" href="kadmin_local.html">kadmin</a></li>
-<li class="toctree-l3"><a class="reference internal" href="kadmind.html">kadmind</a></li>
-<li class="toctree-l3"><a class="reference internal" href="kdb5_util.html">kdb5_util</a></li>
-<li class="toctree-l3"><a class="reference internal" href="kdb5_ldap_util.html">kdb5_ldap_util</a></li>
-<li class="toctree-l3"><a class="reference internal" href="krb5kdc.html">krb5kdc</a></li>
-<li class="toctree-l3"><a class="reference internal" href="kprop.html">kprop</a></li>
-<li class="toctree-l3"><a class="reference internal" href="kpropd.html">kpropd</a></li>
-<li class="toctree-l3 current"><a class="current reference internal" href="#">kproplog</a></li>
-<li class="toctree-l3"><a class="reference internal" href="ktutil.html">ktutil</a></li>
-<li class="toctree-l3"><a class="reference internal" href="k5srvutil.html">k5srvutil</a></li>
-<li class="toctree-l3"><a class="reference internal" href="sserver.html">sserver</a></li>
-</ul>
-</li>
-<li class="toctree-l2"><a class="reference internal" href="../../mitK5defaults.html">MIT Kerberos defaults</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../env_variables.html">Environment variables</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../troubleshoot.html">Troubleshooting</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../advanced/index.html">Advanced topics</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../various_envs.html">Various links</a></li>
-</ul>
-</li>
-<li class="toctree-l1"><a class="reference internal" href="../../appdev/index.html">For application developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../plugindev/index.html">For plugin module developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../build/index.html">Building Kerberos V5</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../basic/index.html">Kerberos V5 concepts</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../formats/index.html">Protocols and file formats</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../mitK5features.html">MIT Kerberos features</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../build_this.html">How to build this documentation from the source</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../about.html">Contributing to the MIT Kerberos Documentation</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../resources.html">Resources</a></li>
-</ul>
-
- <br/>
- <h4><a href="../../index.html">Full Table of Contents</a></h4>
- <h4>Search</h4>
- <form class="search" action="../../search.html" method="get">
- <input type="text" name="q" size="18" />
- <input type="submit" value="Go" />
- <input type="hidden" name="check_keywords" value="yes" />
- <input type="hidden" name="area" value="default" />
- </form>
-
- </div>
- <div class="clearer"></div>
- </div>
- </div>
-
- <div class="footer-wrapper">
- <div class="footer" >
- <div class="right" ><i>Release: 1.22-final</i><br />
- &copy; <a href="../../copyright.html">Copyright</a> 1985-2025, MIT.
- </div>
- <div class="left">
-
- <a href="../../index.html" title="Full Table of Contents"
- >Contents</a> |
- <a href="kpropd.html" title="kpropd"
- >previous</a> |
- <a href="ktutil.html" title="ktutil"
- >next</a> |
- <a href="../../genindex.html" title="General Index"
- >index</a> |
- <a href="../../search.html" title="Enter search criteria"
- >Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__kproplog">feedback</a>
- </div>
- </div>
- </div>
-
- </body>
-</html> \ No newline at end of file
diff --git a/crypto/krb5/doc/html/admin/admin_commands/krb5kdc.html b/crypto/krb5/doc/html/admin/admin_commands/krb5kdc.html
deleted file mode 100644
index be54e201c8f5..000000000000
--- a/crypto/krb5/doc/html/admin/admin_commands/krb5kdc.html
+++ /dev/null
@@ -1,266 +0,0 @@
-<!DOCTYPE html>
-
-<html lang="en" data-content_root="../../">
- <head>
- <meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
-
- <title>krb5kdc &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../../_static/pygments.css?v=fa44fd50" />
- <link rel="stylesheet" type="text/css" href="../../_static/agogo.css?v=879f3c71" />
- <link rel="stylesheet" type="text/css" href="../../_static/kerb.css?v=6a0b3979" />
- <script src="../../_static/documentation_options.js?v=236fef3b"></script>
- <script src="../../_static/doctools.js?v=888ff710"></script>
- <script src="../../_static/sphinx_highlight.js?v=dc90522c"></script>
- <link rel="author" title="About these documents" href="../../about.html" />
- <link rel="index" title="Index" href="../../genindex.html" />
- <link rel="search" title="Search" href="../../search.html" />
- <link rel="copyright" title="Copyright" href="../../copyright.html" />
- <link rel="next" title="kprop" href="kprop.html" />
- <link rel="prev" title="kdb5_ldap_util" href="kdb5_ldap_util.html" />
- </head><body>
- <div class="header-wrapper">
- <div class="header">
-
-
- <h1><a href="../../index.html">MIT Kerberos Documentation</a></h1>
-
- <div class="rel">
-
- <a href="../../index.html" title="Full Table of Contents"
- accesskey="C">Contents</a> |
- <a href="kdb5_ldap_util.html" title="kdb5_ldap_util"
- accesskey="P">previous</a> |
- <a href="kprop.html" title="kprop"
- accesskey="N">next</a> |
- <a href="../../genindex.html" title="General Index"
- accesskey="I">index</a> |
- <a href="../../search.html" title="Enter search criteria"
- accesskey="S">Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__krb5kdc">feedback</a>
- </div>
- </div>
- </div>
-
- <div class="content-wrapper">
- <div class="content">
- <div class="document">
-
- <div class="documentwrapper">
- <div class="bodywrapper">
- <div class="body" role="main">
-
- <section id="krb5kdc">
-<span id="krb5kdc-8"></span><h1>krb5kdc<a class="headerlink" href="#krb5kdc" title="Link to this heading">¶</a></h1>
-<section id="synopsis">
-<h2>SYNOPSIS<a class="headerlink" href="#synopsis" title="Link to this heading">¶</a></h2>
-<p><strong>krb5kdc</strong>
-[<strong>-x</strong> <em>db_args</em>]
-[<strong>-d</strong> <em>dbname</em>]
-[<strong>-k</strong> <em>keytype</em>]
-[<strong>-M</strong> <em>mkeyname</em>]
-[<strong>-p</strong> <em>portnum</em>]
-[<strong>-m</strong>]
-[<strong>-r</strong> <em>realm</em>]
-[<strong>-n</strong>]
-[<strong>-w</strong> <em>numworkers</em>]
-[<strong>-P</strong> <em>pid_file</em>]
-[<strong>-T</strong> <em>time_offset</em>]</p>
-</section>
-<section id="description">
-<h2>DESCRIPTION<a class="headerlink" href="#description" title="Link to this heading">¶</a></h2>
-<p>krb5kdc is the Kerberos version 5 Authentication Service and Key
-Distribution Center (AS/KDC).</p>
-</section>
-<section id="options">
-<h2>OPTIONS<a class="headerlink" href="#options" title="Link to this heading">¶</a></h2>
-<p>The <strong>-r</strong> <em>realm</em> option specifies the realm for which the server
-should provide service. This option may be specified multiple times
-to serve multiple realms. If no <strong>-r</strong> option is given, the default
-realm (as specified in <a class="reference internal" href="../conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a>) will be served.</p>
-<p>The <strong>-d</strong> <em>dbname</em> option specifies the name under which the
-principal database can be found. This option does not apply to the
-LDAP database.</p>
-<p>The <strong>-k</strong> <em>keytype</em> option specifies the key type of the master key
-to be entered manually as a password when <strong>-m</strong> is given; the default
-is <code class="docutils literal notranslate"><span class="pre">aes256-cts-hmac-sha1-96</span></code>.</p>
-<p>The <strong>-M</strong> <em>mkeyname</em> option specifies the principal name for the
-master key in the database (usually <code class="docutils literal notranslate"><span class="pre">K/M</span></code> in the KDC’s realm).</p>
-<p>The <strong>-m</strong> option specifies that the master database password should
-be fetched from the keyboard rather than from a stash file.</p>
-<p>The <strong>-n</strong> option specifies that the KDC does not put itself in the
-background and does not disassociate itself from the terminal.</p>
-<p>The <strong>-P</strong> <em>pid_file</em> option tells the KDC to write its PID into
-<em>pid_file</em> after it starts up. This can be used to identify whether
-the KDC is still running and to allow init scripts to stop the correct
-process.</p>
-<p>The <strong>-p</strong> <em>portnum</em> option specifies the default UDP and TCP port
-numbers which the KDC should listen on for Kerberos version 5
-requests, as a comma-separated list. This value overrides the port
-numbers specified in the <a class="reference internal" href="../conf_files/kdc_conf.html#kdcdefaults"><span class="std std-ref">[kdcdefaults]</span></a> section of
-<a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>, but may be overridden by realm-specific values.
-If no value is given from any source, the default port is 88.</p>
-<p>The <strong>-w</strong> <em>numworkers</em> option tells the KDC to fork <em>numworkers</em>
-processes to listen to the KDC ports and process requests in parallel.
-The top level KDC process (whose pid is recorded in the pid file if
-the <strong>-P</strong> option is also given) acts as a supervisor. The supervisor
-will relay SIGHUP signals to the worker subprocesses, and will
-terminate the worker subprocess if the it is itself terminated or if
-any other worker process exits.</p>
-<p>The <strong>-x</strong> <em>db_args</em> option specifies database-specific arguments.
-See <a class="reference internal" href="kadmin_local.html#dboptions"><span class="std std-ref">Database Options</span></a> in <a class="reference internal" href="kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> for
-supported arguments.</p>
-<p>The <strong>-T</strong> <em>offset</em> option specifies a time offset, in seconds, which
-the KDC will operate under. It is intended only for testing purposes.</p>
-</section>
-<section id="example">
-<h2>EXAMPLE<a class="headerlink" href="#example" title="Link to this heading">¶</a></h2>
-<p>The KDC may service requests for multiple realms (maximum 32 realms).
-The realms are listed on the command line. Per-realm options that can
-be specified on the command line pertain for each realm that follows
-it and are superseded by subsequent definitions of the same option.</p>
-<p>For example:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">krb5kdc</span> <span class="o">-</span><span class="n">p</span> <span class="mi">2001</span> <span class="o">-</span><span class="n">r</span> <span class="n">REALM1</span> <span class="o">-</span><span class="n">p</span> <span class="mi">2002</span> <span class="o">-</span><span class="n">r</span> <span class="n">REALM2</span> <span class="o">-</span><span class="n">r</span> <span class="n">REALM3</span>
-</pre></div>
-</div>
-<p>specifies that the KDC listen on port 2001 for REALM1 and on port 2002
-for REALM2 and REALM3. Additionally, per-realm parameters may be
-specified in the <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a> file. The location of this file
-may be specified by the <strong>KRB5_KDC_PROFILE</strong> environment variable.
-Per-realm parameters specified in this file take precedence over
-options specified on the command line. See the <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>
-description for further details.</p>
-</section>
-<section id="environment">
-<h2>ENVIRONMENT<a class="headerlink" href="#environment" title="Link to this heading">¶</a></h2>
-<p>See <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a> for a description of Kerberos environment
-variables.</p>
-<p>As of release 1.22, krb5kdc supports systemd socket activation via the
-LISTEN_PID and LISTEN_FDS environment variables. Sockets provided by
-the caller must correspond to configured listener addresses (via the
-<strong>kdc_listen</strong> variable or equivalent) or they will be ignored. Any
-configured listener addresses that do not correspond to
-caller-provided sockets will be ignored if socket activation is used.</p>
-</section>
-<section id="see-also">
-<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Link to this heading">¶</a></h2>
-<p><a class="reference internal" href="kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a>, <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>, <a class="reference internal" href="../conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a>,
-<a class="reference internal" href="kdb5_ldap_util.html#kdb5-ldap-util-8"><span class="std std-ref">kdb5_ldap_util</span></a>, <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a></p>
-</section>
-</section>
-
-
- <div class="clearer"></div>
- </div>
- </div>
- </div>
- </div>
- <div class="sidebar">
-
- <h2>On this page</h2>
- <ul>
-<li><a class="reference internal" href="#">krb5kdc</a><ul>
-<li><a class="reference internal" href="#synopsis">SYNOPSIS</a></li>
-<li><a class="reference internal" href="#description">DESCRIPTION</a></li>
-<li><a class="reference internal" href="#options">OPTIONS</a></li>
-<li><a class="reference internal" href="#example">EXAMPLE</a></li>
-<li><a class="reference internal" href="#environment">ENVIRONMENT</a></li>
-<li><a class="reference internal" href="#see-also">SEE ALSO</a></li>
-</ul>
-</li>
-</ul>
-
- <br/>
- <h2>Table of contents</h2>
- <ul class="current">
-<li class="toctree-l1"><a class="reference internal" href="../../user/index.html">For users</a></li>
-<li class="toctree-l1 current"><a class="reference internal" href="../index.html">For administrators</a><ul class="current">
-<li class="toctree-l2"><a class="reference internal" href="../install.html">Installation guide</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../conf_files/index.html">Configuration Files</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../dbtypes.html">Database types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../host_config.html">Host configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../spake.html">SPAKE Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../dictionary.html">Addressing dictionary attack risks</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../auth_indicator.html">Authentication indicators</a></li>
-<li class="toctree-l2 current"><a class="reference internal" href="index.html">Administration programs</a><ul class="current">
-<li class="toctree-l3"><a class="reference internal" href="kadmin_local.html">kadmin</a></li>
-<li class="toctree-l3"><a class="reference internal" href="kadmind.html">kadmind</a></li>
-<li class="toctree-l3"><a class="reference internal" href="kdb5_util.html">kdb5_util</a></li>
-<li class="toctree-l3"><a class="reference internal" href="kdb5_ldap_util.html">kdb5_ldap_util</a></li>
-<li class="toctree-l3 current"><a class="current reference internal" href="#">krb5kdc</a></li>
-<li class="toctree-l3"><a class="reference internal" href="kprop.html">kprop</a></li>
-<li class="toctree-l3"><a class="reference internal" href="kpropd.html">kpropd</a></li>
-<li class="toctree-l3"><a class="reference internal" href="kproplog.html">kproplog</a></li>
-<li class="toctree-l3"><a class="reference internal" href="ktutil.html">ktutil</a></li>
-<li class="toctree-l3"><a class="reference internal" href="k5srvutil.html">k5srvutil</a></li>
-<li class="toctree-l3"><a class="reference internal" href="sserver.html">sserver</a></li>
-</ul>
-</li>
-<li class="toctree-l2"><a class="reference internal" href="../../mitK5defaults.html">MIT Kerberos defaults</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../env_variables.html">Environment variables</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../troubleshoot.html">Troubleshooting</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../advanced/index.html">Advanced topics</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../various_envs.html">Various links</a></li>
-</ul>
-</li>
-<li class="toctree-l1"><a class="reference internal" href="../../appdev/index.html">For application developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../plugindev/index.html">For plugin module developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../build/index.html">Building Kerberos V5</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../basic/index.html">Kerberos V5 concepts</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../formats/index.html">Protocols and file formats</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../mitK5features.html">MIT Kerberos features</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../build_this.html">How to build this documentation from the source</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../about.html">Contributing to the MIT Kerberos Documentation</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../resources.html">Resources</a></li>
-</ul>
-
- <br/>
- <h4><a href="../../index.html">Full Table of Contents</a></h4>
- <h4>Search</h4>
- <form class="search" action="../../search.html" method="get">
- <input type="text" name="q" size="18" />
- <input type="submit" value="Go" />
- <input type="hidden" name="check_keywords" value="yes" />
- <input type="hidden" name="area" value="default" />
- </form>
-
- </div>
- <div class="clearer"></div>
- </div>
- </div>
-
- <div class="footer-wrapper">
- <div class="footer" >
- <div class="right" ><i>Release: 1.22-final</i><br />
- &copy; <a href="../../copyright.html">Copyright</a> 1985-2025, MIT.
- </div>
- <div class="left">
-
- <a href="../../index.html" title="Full Table of Contents"
- >Contents</a> |
- <a href="kdb5_ldap_util.html" title="kdb5_ldap_util"
- >previous</a> |
- <a href="kprop.html" title="kprop"
- >next</a> |
- <a href="../../genindex.html" title="General Index"
- >index</a> |
- <a href="../../search.html" title="Enter search criteria"
- >Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__krb5kdc">feedback</a>
- </div>
- </div>
- </div>
-
- </body>
-</html> \ No newline at end of file
diff --git a/crypto/krb5/doc/html/admin/admin_commands/ktutil.html b/crypto/krb5/doc/html/admin/admin_commands/ktutil.html
deleted file mode 100644
index 378675cca5d3..000000000000
--- a/crypto/krb5/doc/html/admin/admin_commands/ktutil.html
+++ /dev/null
@@ -1,290 +0,0 @@
-<!DOCTYPE html>
-
-<html lang="en" data-content_root="../../">
- <head>
- <meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
-
- <title>ktutil &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../../_static/pygments.css?v=fa44fd50" />
- <link rel="stylesheet" type="text/css" href="../../_static/agogo.css?v=879f3c71" />
- <link rel="stylesheet" type="text/css" href="../../_static/kerb.css?v=6a0b3979" />
- <script src="../../_static/documentation_options.js?v=236fef3b"></script>
- <script src="../../_static/doctools.js?v=888ff710"></script>
- <script src="../../_static/sphinx_highlight.js?v=dc90522c"></script>
- <link rel="author" title="About these documents" href="../../about.html" />
- <link rel="index" title="Index" href="../../genindex.html" />
- <link rel="search" title="Search" href="../../search.html" />
- <link rel="copyright" title="Copyright" href="../../copyright.html" />
- <link rel="next" title="k5srvutil" href="k5srvutil.html" />
- <link rel="prev" title="kproplog" href="kproplog.html" />
- </head><body>
- <div class="header-wrapper">
- <div class="header">
-
-
- <h1><a href="../../index.html">MIT Kerberos Documentation</a></h1>
-
- <div class="rel">
-
- <a href="../../index.html" title="Full Table of Contents"
- accesskey="C">Contents</a> |
- <a href="kproplog.html" title="kproplog"
- accesskey="P">previous</a> |
- <a href="k5srvutil.html" title="k5srvutil"
- accesskey="N">next</a> |
- <a href="../../genindex.html" title="General Index"
- accesskey="I">index</a> |
- <a href="../../search.html" title="Enter search criteria"
- accesskey="S">Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__ktutil">feedback</a>
- </div>
- </div>
- </div>
-
- <div class="content-wrapper">
- <div class="content">
- <div class="document">
-
- <div class="documentwrapper">
- <div class="bodywrapper">
- <div class="body" role="main">
-
- <section id="ktutil">
-<span id="ktutil-1"></span><h1>ktutil<a class="headerlink" href="#ktutil" title="Link to this heading">¶</a></h1>
-<section id="synopsis">
-<h2>SYNOPSIS<a class="headerlink" href="#synopsis" title="Link to this heading">¶</a></h2>
-<p><strong>ktutil</strong></p>
-</section>
-<section id="description">
-<h2>DESCRIPTION<a class="headerlink" href="#description" title="Link to this heading">¶</a></h2>
-<p>The ktutil command invokes a command interface from which an
-administrator can read, write, or edit entries in a keytab. (Kerberos
-V4 srvtab files are no longer supported.)</p>
-</section>
-<section id="commands">
-<h2>COMMANDS<a class="headerlink" href="#commands" title="Link to this heading">¶</a></h2>
-<section id="list">
-<h3>list<a class="headerlink" href="#list" title="Link to this heading">¶</a></h3>
-<blockquote>
-<div><p><strong>list</strong> [<strong>-t</strong>] [<strong>-k</strong>] [<strong>-e</strong>]</p>
-</div></blockquote>
-<p>Displays the current keylist. If <strong>-t</strong>, <strong>-k</strong>, and/or <strong>-e</strong> are
-specified, also display the timestamp, key contents, or enctype
-(respectively).</p>
-<p>Alias: <strong>l</strong></p>
-</section>
-<section id="read-kt">
-<h3>read_kt<a class="headerlink" href="#read-kt" title="Link to this heading">¶</a></h3>
-<blockquote>
-<div><p><strong>read_kt</strong> <em>keytab</em></p>
-</div></blockquote>
-<p>Read the Kerberos V5 keytab file <em>keytab</em> into the current keylist.</p>
-<p>Alias: <strong>rkt</strong></p>
-</section>
-<section id="write-kt">
-<h3>write_kt<a class="headerlink" href="#write-kt" title="Link to this heading">¶</a></h3>
-<blockquote>
-<div><p><strong>write_kt</strong> <em>keytab</em></p>
-</div></blockquote>
-<p>Write the current keylist into the Kerberos V5 keytab file <em>keytab</em>.</p>
-<p>Alias: <strong>wkt</strong></p>
-</section>
-<section id="clear-list">
-<h3>clear_list<a class="headerlink" href="#clear-list" title="Link to this heading">¶</a></h3>
-<blockquote>
-<div><p><strong>clear_list</strong></p>
-</div></blockquote>
-<p>Clear the current keylist.</p>
-<p>Alias: <strong>clear</strong></p>
-</section>
-<section id="delete-entry">
-<h3>delete_entry<a class="headerlink" href="#delete-entry" title="Link to this heading">¶</a></h3>
-<blockquote>
-<div><p><strong>delete_entry</strong> <em>slot</em></p>
-</div></blockquote>
-<p>Delete the entry in slot number <em>slot</em> from the current keylist.</p>
-<p>Alias: <strong>delent</strong></p>
-</section>
-<section id="add-entry">
-<h3>add_entry<a class="headerlink" href="#add-entry" title="Link to this heading">¶</a></h3>
-<blockquote>
-<div><p><strong>add_entry</strong> {<strong>-key</strong>|<strong>-password</strong>} <strong>-p</strong> <em>principal</em>
-<strong>-k</strong> <em>kvno</em> [<strong>-e</strong> <em>enctype</em>] [<strong>-f</strong>|<strong>-s</strong> <em>salt</em>]</p>
-</div></blockquote>
-<p>Add <em>principal</em> to keylist using key or password. If the <strong>-f</strong> flag
-is specified, salt information will be fetched from the KDC; in this
-case the <strong>-e</strong> flag may be omitted, or it may be supplied to force a
-particular enctype. If the <strong>-f</strong> flag is not specified, the <strong>-e</strong>
-flag must be specified, and the default salt will be used unless
-overridden with the <strong>-s</strong> option.</p>
-<p>Alias: <strong>addent</strong></p>
-</section>
-<section id="list-requests">
-<h3>list_requests<a class="headerlink" href="#list-requests" title="Link to this heading">¶</a></h3>
-<blockquote>
-<div><p><strong>list_requests</strong></p>
-</div></blockquote>
-<p>Displays a listing of available commands.</p>
-<p>Aliases: <strong>lr</strong>, <strong>?</strong></p>
-</section>
-<section id="quit">
-<h3>quit<a class="headerlink" href="#quit" title="Link to this heading">¶</a></h3>
-<blockquote>
-<div><p><strong>quit</strong></p>
-</div></blockquote>
-<p>Quits ktutil.</p>
-<p>Aliases: <strong>exit</strong>, <strong>q</strong></p>
-</section>
-</section>
-<section id="example">
-<h2>EXAMPLE<a class="headerlink" href="#example" title="Link to this heading">¶</a></h2>
-<blockquote>
-<div><div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">ktutil</span><span class="p">:</span> <span class="n">add_entry</span> <span class="o">-</span><span class="n">password</span> <span class="o">-</span><span class="n">p</span> <span class="n">alice</span><span class="nd">@BLEEP</span><span class="o">.</span><span class="n">COM</span> <span class="o">-</span><span class="n">k</span> <span class="mi">1</span> <span class="o">-</span><span class="n">e</span>
- <span class="n">aes128</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span>
-<span class="n">Password</span> <span class="k">for</span> <span class="n">alice</span><span class="nd">@BLEEP</span><span class="o">.</span><span class="n">COM</span><span class="p">:</span>
-<span class="n">ktutil</span><span class="p">:</span> <span class="n">add_entry</span> <span class="o">-</span><span class="n">password</span> <span class="o">-</span><span class="n">p</span> <span class="n">alice</span><span class="nd">@BLEEP</span><span class="o">.</span><span class="n">COM</span> <span class="o">-</span><span class="n">k</span> <span class="mi">1</span> <span class="o">-</span><span class="n">e</span>
- <span class="n">aes256</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span>
-<span class="n">Password</span> <span class="k">for</span> <span class="n">alice</span><span class="nd">@BLEEP</span><span class="o">.</span><span class="n">COM</span><span class="p">:</span>
-<span class="n">ktutil</span><span class="p">:</span> <span class="n">write_kt</span> <span class="n">alice</span><span class="o">.</span><span class="n">keytab</span>
-<span class="n">ktutil</span><span class="p">:</span>
-</pre></div>
-</div>
-</div></blockquote>
-</section>
-<section id="environment">
-<h2>ENVIRONMENT<a class="headerlink" href="#environment" title="Link to this heading">¶</a></h2>
-<p>See <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a> for a description of Kerberos environment
-variables.</p>
-</section>
-<section id="see-also">
-<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Link to this heading">¶</a></h2>
-<p><a class="reference internal" href="kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a>, <a class="reference internal" href="kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a>, <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a></p>
-</section>
-</section>
-
-
- <div class="clearer"></div>
- </div>
- </div>
- </div>
- </div>
- <div class="sidebar">
-
- <h2>On this page</h2>
- <ul>
-<li><a class="reference internal" href="#">ktutil</a><ul>
-<li><a class="reference internal" href="#synopsis">SYNOPSIS</a></li>
-<li><a class="reference internal" href="#description">DESCRIPTION</a></li>
-<li><a class="reference internal" href="#commands">COMMANDS</a><ul>
-<li><a class="reference internal" href="#list">list</a></li>
-<li><a class="reference internal" href="#read-kt">read_kt</a></li>
-<li><a class="reference internal" href="#write-kt">write_kt</a></li>
-<li><a class="reference internal" href="#clear-list">clear_list</a></li>
-<li><a class="reference internal" href="#delete-entry">delete_entry</a></li>
-<li><a class="reference internal" href="#add-entry">add_entry</a></li>
-<li><a class="reference internal" href="#list-requests">list_requests</a></li>
-<li><a class="reference internal" href="#quit">quit</a></li>
-</ul>
-</li>
-<li><a class="reference internal" href="#example">EXAMPLE</a></li>
-<li><a class="reference internal" href="#environment">ENVIRONMENT</a></li>
-<li><a class="reference internal" href="#see-also">SEE ALSO</a></li>
-</ul>
-</li>
-</ul>
-
- <br/>
- <h2>Table of contents</h2>
- <ul class="current">
-<li class="toctree-l1"><a class="reference internal" href="../../user/index.html">For users</a></li>
-<li class="toctree-l1 current"><a class="reference internal" href="../index.html">For administrators</a><ul class="current">
-<li class="toctree-l2"><a class="reference internal" href="../install.html">Installation guide</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../conf_files/index.html">Configuration Files</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../dbtypes.html">Database types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../host_config.html">Host configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../spake.html">SPAKE Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../dictionary.html">Addressing dictionary attack risks</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../auth_indicator.html">Authentication indicators</a></li>
-<li class="toctree-l2 current"><a class="reference internal" href="index.html">Administration programs</a><ul class="current">
-<li class="toctree-l3"><a class="reference internal" href="kadmin_local.html">kadmin</a></li>
-<li class="toctree-l3"><a class="reference internal" href="kadmind.html">kadmind</a></li>
-<li class="toctree-l3"><a class="reference internal" href="kdb5_util.html">kdb5_util</a></li>
-<li class="toctree-l3"><a class="reference internal" href="kdb5_ldap_util.html">kdb5_ldap_util</a></li>
-<li class="toctree-l3"><a class="reference internal" href="krb5kdc.html">krb5kdc</a></li>
-<li class="toctree-l3"><a class="reference internal" href="kprop.html">kprop</a></li>
-<li class="toctree-l3"><a class="reference internal" href="kpropd.html">kpropd</a></li>
-<li class="toctree-l3"><a class="reference internal" href="kproplog.html">kproplog</a></li>
-<li class="toctree-l3 current"><a class="current reference internal" href="#">ktutil</a></li>
-<li class="toctree-l3"><a class="reference internal" href="k5srvutil.html">k5srvutil</a></li>
-<li class="toctree-l3"><a class="reference internal" href="sserver.html">sserver</a></li>
-</ul>
-</li>
-<li class="toctree-l2"><a class="reference internal" href="../../mitK5defaults.html">MIT Kerberos defaults</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../env_variables.html">Environment variables</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../troubleshoot.html">Troubleshooting</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../advanced/index.html">Advanced topics</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../various_envs.html">Various links</a></li>
-</ul>
-</li>
-<li class="toctree-l1"><a class="reference internal" href="../../appdev/index.html">For application developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../plugindev/index.html">For plugin module developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../build/index.html">Building Kerberos V5</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../basic/index.html">Kerberos V5 concepts</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../formats/index.html">Protocols and file formats</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../mitK5features.html">MIT Kerberos features</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../build_this.html">How to build this documentation from the source</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../about.html">Contributing to the MIT Kerberos Documentation</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../resources.html">Resources</a></li>
-</ul>
-
- <br/>
- <h4><a href="../../index.html">Full Table of Contents</a></h4>
- <h4>Search</h4>
- <form class="search" action="../../search.html" method="get">
- <input type="text" name="q" size="18" />
- <input type="submit" value="Go" />
- <input type="hidden" name="check_keywords" value="yes" />
- <input type="hidden" name="area" value="default" />
- </form>
-
- </div>
- <div class="clearer"></div>
- </div>
- </div>
-
- <div class="footer-wrapper">
- <div class="footer" >
- <div class="right" ><i>Release: 1.22-final</i><br />
- &copy; <a href="../../copyright.html">Copyright</a> 1985-2025, MIT.
- </div>
- <div class="left">
-
- <a href="../../index.html" title="Full Table of Contents"
- >Contents</a> |
- <a href="kproplog.html" title="kproplog"
- >previous</a> |
- <a href="k5srvutil.html" title="k5srvutil"
- >next</a> |
- <a href="../../genindex.html" title="General Index"
- >index</a> |
- <a href="../../search.html" title="Enter search criteria"
- >Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__ktutil">feedback</a>
- </div>
- </div>
- </div>
-
- </body>
-</html> \ No newline at end of file
diff --git a/crypto/krb5/doc/html/admin/admin_commands/sserver.html b/crypto/krb5/doc/html/admin/admin_commands/sserver.html
deleted file mode 100644
index 5ff0a5ecd6ff..000000000000
--- a/crypto/krb5/doc/html/admin/admin_commands/sserver.html
+++ /dev/null
@@ -1,269 +0,0 @@
-<!DOCTYPE html>
-
-<html lang="en" data-content_root="../../">
- <head>
- <meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
-
- <title>sserver &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../../_static/pygments.css?v=fa44fd50" />
- <link rel="stylesheet" type="text/css" href="../../_static/agogo.css?v=879f3c71" />
- <link rel="stylesheet" type="text/css" href="../../_static/kerb.css?v=6a0b3979" />
- <script src="../../_static/documentation_options.js?v=236fef3b"></script>
- <script src="../../_static/doctools.js?v=888ff710"></script>
- <script src="../../_static/sphinx_highlight.js?v=dc90522c"></script>
- <link rel="author" title="About these documents" href="../../about.html" />
- <link rel="index" title="Index" href="../../genindex.html" />
- <link rel="search" title="Search" href="../../search.html" />
- <link rel="copyright" title="Copyright" href="../../copyright.html" />
- <link rel="next" title="MIT Kerberos defaults" href="../../mitK5defaults.html" />
- <link rel="prev" title="k5srvutil" href="k5srvutil.html" />
- </head><body>
- <div class="header-wrapper">
- <div class="header">
-
-
- <h1><a href="../../index.html">MIT Kerberos Documentation</a></h1>
-
- <div class="rel">
-
- <a href="../../index.html" title="Full Table of Contents"
- accesskey="C">Contents</a> |
- <a href="k5srvutil.html" title="k5srvutil"
- accesskey="P">previous</a> |
- <a href="../../mitK5defaults.html" title="MIT Kerberos defaults"
- accesskey="N">next</a> |
- <a href="../../genindex.html" title="General Index"
- accesskey="I">index</a> |
- <a href="../../search.html" title="Enter search criteria"
- accesskey="S">Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__sserver">feedback</a>
- </div>
- </div>
- </div>
-
- <div class="content-wrapper">
- <div class="content">
- <div class="document">
-
- <div class="documentwrapper">
- <div class="bodywrapper">
- <div class="body" role="main">
-
- <section id="sserver">
-<span id="sserver-8"></span><h1>sserver<a class="headerlink" href="#sserver" title="Link to this heading">¶</a></h1>
-<section id="synopsis">
-<h2>SYNOPSIS<a class="headerlink" href="#synopsis" title="Link to this heading">¶</a></h2>
-<p><strong>sserver</strong>
-[ <strong>-p</strong> <em>port</em> ]
-[ <strong>-S</strong> <em>keytab</em> ]
-[ <em>server_port</em> ]</p>
-</section>
-<section id="description">
-<h2>DESCRIPTION<a class="headerlink" href="#description" title="Link to this heading">¶</a></h2>
-<p>sserver and <a class="reference internal" href="../../user/user_commands/sclient.html#sclient-1"><span class="std std-ref">sclient</span></a> are a simple demonstration client/server
-application. When sclient connects to sserver, it performs a Kerberos
-authentication, and then sserver returns to sclient the Kerberos
-principal which was used for the Kerberos authentication. It makes a
-good test that Kerberos has been successfully installed on a machine.</p>
-<p>The service name used by sserver and sclient is sample. Hence,
-sserver will require that there be a keytab entry for the service
-<code class="docutils literal notranslate"><span class="pre">sample/hostname.domain.name&#64;REALM.NAME</span></code>. This keytab is generated
-using the <a class="reference internal" href="kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> program. The keytab file is usually
-installed as <a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">DEFKTNAME</span></a>.</p>
-<p>The <strong>-S</strong> option allows for a different keytab than the default.</p>
-<p>sserver is normally invoked out of inetd(8), using a line in
-<code class="docutils literal notranslate"><span class="pre">/etc/inetd.conf</span></code> that looks like this:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">sample</span> <span class="n">stream</span> <span class="n">tcp</span> <span class="n">nowait</span> <span class="n">root</span> <span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">local</span><span class="o">/</span><span class="n">sbin</span><span class="o">/</span><span class="n">sserver</span> <span class="n">sserver</span>
-</pre></div>
-</div>
-<p>Since <code class="docutils literal notranslate"><span class="pre">sample</span></code> is normally not a port defined in <code class="docutils literal notranslate"><span class="pre">/etc/services</span></code>,
-you will usually have to add a line to <code class="docutils literal notranslate"><span class="pre">/etc/services</span></code> which looks
-like this:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">sample</span> <span class="mi">13135</span><span class="o">/</span><span class="n">tcp</span>
-</pre></div>
-</div>
-<p>When using sclient, you will first have to have an entry in the
-Kerberos database, by using <a class="reference internal" href="kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a>, and then you have to get
-Kerberos tickets, by using <a class="reference internal" href="../../user/user_commands/kinit.html#kinit-1"><span class="std std-ref">kinit</span></a>. Also, if you are running
-the sclient program on a different host than the sserver it will be
-connecting to, be sure that both hosts have an entry in /etc/services
-for the sample tcp port, and that the same port number is in both
-files.</p>
-<p>When you run sclient you should see something like this:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">sendauth</span> <span class="n">succeeded</span><span class="p">,</span> <span class="n">reply</span> <span class="ow">is</span><span class="p">:</span>
-<span class="n">reply</span> <span class="nb">len</span> <span class="mi">32</span><span class="p">,</span> <span class="n">contents</span><span class="p">:</span>
-<span class="n">You</span> <span class="n">are</span> <span class="n">nlgilman</span><span class="nd">@JIMI</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span>
-</pre></div>
-</div>
-</section>
-<section id="common-error-messages">
-<h2>COMMON ERROR MESSAGES<a class="headerlink" href="#common-error-messages" title="Link to this heading">¶</a></h2>
-<ol class="arabic">
-<li><p>kinit returns the error:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">kinit</span><span class="p">:</span> <span class="n">Client</span> <span class="ow">not</span> <span class="n">found</span> <span class="ow">in</span> <span class="n">Kerberos</span> <span class="n">database</span> <span class="k">while</span> <span class="n">getting</span>
- <span class="n">initial</span> <span class="n">credentials</span>
-</pre></div>
-</div>
-<p>This means that you didn’t create an entry for your username in the
-Kerberos database.</p>
-</li>
-<li><p>sclient returns the error:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">unknown</span> <span class="n">service</span> <span class="n">sample</span><span class="o">/</span><span class="n">tcp</span><span class="p">;</span> <span class="n">check</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">services</span>
-</pre></div>
-</div>
-<p>This means that you don’t have an entry in /etc/services for the
-sample tcp port.</p>
-</li>
-<li><p>sclient returns the error:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">connect</span><span class="p">:</span> <span class="n">Connection</span> <span class="n">refused</span>
-</pre></div>
-</div>
-<p>This probably means you didn’t edit /etc/inetd.conf correctly, or
-you didn’t restart inetd after editing inetd.conf.</p>
-</li>
-<li><p>sclient returns the error:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">sclient</span><span class="p">:</span> <span class="n">Server</span> <span class="ow">not</span> <span class="n">found</span> <span class="ow">in</span> <span class="n">Kerberos</span> <span class="n">database</span> <span class="k">while</span> <span class="n">using</span>
- <span class="n">sendauth</span>
-</pre></div>
-</div>
-<p>This means that the <code class="docutils literal notranslate"><span class="pre">sample/hostname&#64;LOCAL.REALM</span></code> service was not
-defined in the Kerberos database; it should be created using
-<a class="reference internal" href="kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a>, and a keytab file needs to be generated to make
-the key for that service principal available for sclient.</p>
-</li>
-<li><p>sclient returns the error:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">sendauth</span> <span class="n">rejected</span><span class="p">,</span> <span class="n">error</span> <span class="n">reply</span> <span class="ow">is</span><span class="p">:</span>
- <span class="s2">&quot;No such file or directory&quot;</span>
-</pre></div>
-</div>
-<p>This probably means sserver couldn’t find the keytab file. It was
-probably not installed in the proper directory.</p>
-</li>
-</ol>
-</section>
-<section id="environment">
-<h2>ENVIRONMENT<a class="headerlink" href="#environment" title="Link to this heading">¶</a></h2>
-<p>See <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a> for a description of Kerberos environment
-variables.</p>
-</section>
-<section id="see-also">
-<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Link to this heading">¶</a></h2>
-<p><a class="reference internal" href="../../user/user_commands/sclient.html#sclient-1"><span class="std std-ref">sclient</span></a>, <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a>, services(5), inetd(8)</p>
-</section>
-</section>
-
-
- <div class="clearer"></div>
- </div>
- </div>
- </div>
- </div>
- <div class="sidebar">
-
- <h2>On this page</h2>
- <ul>
-<li><a class="reference internal" href="#">sserver</a><ul>
-<li><a class="reference internal" href="#synopsis">SYNOPSIS</a></li>
-<li><a class="reference internal" href="#description">DESCRIPTION</a></li>
-<li><a class="reference internal" href="#common-error-messages">COMMON ERROR MESSAGES</a></li>
-<li><a class="reference internal" href="#environment">ENVIRONMENT</a></li>
-<li><a class="reference internal" href="#see-also">SEE ALSO</a></li>
-</ul>
-</li>
-</ul>
-
- <br/>
- <h2>Table of contents</h2>
- <ul class="current">
-<li class="toctree-l1"><a class="reference internal" href="../../user/index.html">For users</a></li>
-<li class="toctree-l1 current"><a class="reference internal" href="../index.html">For administrators</a><ul class="current">
-<li class="toctree-l2"><a class="reference internal" href="../install.html">Installation guide</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../conf_files/index.html">Configuration Files</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../dbtypes.html">Database types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../host_config.html">Host configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../spake.html">SPAKE Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../dictionary.html">Addressing dictionary attack risks</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../auth_indicator.html">Authentication indicators</a></li>
-<li class="toctree-l2 current"><a class="reference internal" href="index.html">Administration programs</a><ul class="current">
-<li class="toctree-l3"><a class="reference internal" href="kadmin_local.html">kadmin</a></li>
-<li class="toctree-l3"><a class="reference internal" href="kadmind.html">kadmind</a></li>
-<li class="toctree-l3"><a class="reference internal" href="kdb5_util.html">kdb5_util</a></li>
-<li class="toctree-l3"><a class="reference internal" href="kdb5_ldap_util.html">kdb5_ldap_util</a></li>
-<li class="toctree-l3"><a class="reference internal" href="krb5kdc.html">krb5kdc</a></li>
-<li class="toctree-l3"><a class="reference internal" href="kprop.html">kprop</a></li>
-<li class="toctree-l3"><a class="reference internal" href="kpropd.html">kpropd</a></li>
-<li class="toctree-l3"><a class="reference internal" href="kproplog.html">kproplog</a></li>
-<li class="toctree-l3"><a class="reference internal" href="ktutil.html">ktutil</a></li>
-<li class="toctree-l3"><a class="reference internal" href="k5srvutil.html">k5srvutil</a></li>
-<li class="toctree-l3 current"><a class="current reference internal" href="#">sserver</a></li>
-</ul>
-</li>
-<li class="toctree-l2"><a class="reference internal" href="../../mitK5defaults.html">MIT Kerberos defaults</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../env_variables.html">Environment variables</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../troubleshoot.html">Troubleshooting</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../advanced/index.html">Advanced topics</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../various_envs.html">Various links</a></li>
-</ul>
-</li>
-<li class="toctree-l1"><a class="reference internal" href="../../appdev/index.html">For application developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../plugindev/index.html">For plugin module developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../build/index.html">Building Kerberos V5</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../basic/index.html">Kerberos V5 concepts</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../formats/index.html">Protocols and file formats</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../mitK5features.html">MIT Kerberos features</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../build_this.html">How to build this documentation from the source</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../about.html">Contributing to the MIT Kerberos Documentation</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../resources.html">Resources</a></li>
-</ul>
-
- <br/>
- <h4><a href="../../index.html">Full Table of Contents</a></h4>
- <h4>Search</h4>
- <form class="search" action="../../search.html" method="get">
- <input type="text" name="q" size="18" />
- <input type="submit" value="Go" />
- <input type="hidden" name="check_keywords" value="yes" />
- <input type="hidden" name="area" value="default" />
- </form>
-
- </div>
- <div class="clearer"></div>
- </div>
- </div>
-
- <div class="footer-wrapper">
- <div class="footer" >
- <div class="right" ><i>Release: 1.22-final</i><br />
- &copy; <a href="../../copyright.html">Copyright</a> 1985-2025, MIT.
- </div>
- <div class="left">
-
- <a href="../../index.html" title="Full Table of Contents"
- >Contents</a> |
- <a href="k5srvutil.html" title="k5srvutil"
- >previous</a> |
- <a href="../../mitK5defaults.html" title="MIT Kerberos defaults"
- >next</a> |
- <a href="../../genindex.html" title="General Index"
- >index</a> |
- <a href="../../search.html" title="Enter search criteria"
- >Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__sserver">feedback</a>
- </div>
- </div>
- </div>
-
- </body>
-</html> \ No newline at end of file
diff --git a/crypto/krb5/doc/html/admin/advanced/index.html b/crypto/krb5/doc/html/admin/advanced/index.html
deleted file mode 100644
index 07c786cf195f..000000000000
--- a/crypto/krb5/doc/html/admin/advanced/index.html
+++ /dev/null
@@ -1,158 +0,0 @@
-<!DOCTYPE html>
-
-<html lang="en" data-content_root="../../">
- <head>
- <meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
-
- <title>Advanced topics &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../../_static/pygments.css?v=fa44fd50" />
- <link rel="stylesheet" type="text/css" href="../../_static/agogo.css?v=879f3c71" />
- <link rel="stylesheet" type="text/css" href="../../_static/kerb.css?v=6a0b3979" />
- <script src="../../_static/documentation_options.js?v=236fef3b"></script>
- <script src="../../_static/doctools.js?v=888ff710"></script>
- <script src="../../_static/sphinx_highlight.js?v=dc90522c"></script>
- <link rel="author" title="About these documents" href="../../about.html" />
- <link rel="index" title="Index" href="../../genindex.html" />
- <link rel="search" title="Search" href="../../search.html" />
- <link rel="copyright" title="Copyright" href="../../copyright.html" />
- <link rel="next" title="Retiring DES" href="retiring-des.html" />
- <link rel="prev" title="Troubleshooting" href="../troubleshoot.html" />
- </head><body>
- <div class="header-wrapper">
- <div class="header">
-
-
- <h1><a href="../../index.html">MIT Kerberos Documentation</a></h1>
-
- <div class="rel">
-
- <a href="../../index.html" title="Full Table of Contents"
- accesskey="C">Contents</a> |
- <a href="../troubleshoot.html" title="Troubleshooting"
- accesskey="P">previous</a> |
- <a href="retiring-des.html" title="Retiring DES"
- accesskey="N">next</a> |
- <a href="../../genindex.html" title="General Index"
- accesskey="I">index</a> |
- <a href="../../search.html" title="Enter search criteria"
- accesskey="S">Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Advanced topics">feedback</a>
- </div>
- </div>
- </div>
-
- <div class="content-wrapper">
- <div class="content">
- <div class="document">
-
- <div class="documentwrapper">
- <div class="bodywrapper">
- <div class="body" role="main">
-
- <section id="advanced-topics">
-<h1>Advanced topics<a class="headerlink" href="#advanced-topics" title="Link to this heading">¶</a></h1>
-<div class="toctree-wrapper compound">
-<ul>
-<li class="toctree-l1"><a class="reference internal" href="retiring-des.html">Retiring DES</a></li>
-</ul>
-</div>
-</section>
-
-
- <div class="clearer"></div>
- </div>
- </div>
- </div>
- </div>
- <div class="sidebar">
-
- <h2>On this page</h2>
- <ul>
-<li><a class="reference internal" href="#">Advanced topics</a></li>
-</ul>
-
- <br/>
- <h2>Table of contents</h2>
- <ul class="current">
-<li class="toctree-l1"><a class="reference internal" href="../../user/index.html">For users</a></li>
-<li class="toctree-l1 current"><a class="reference internal" href="../index.html">For administrators</a><ul class="current">
-<li class="toctree-l2"><a class="reference internal" href="../install.html">Installation guide</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../conf_files/index.html">Configuration Files</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../dbtypes.html">Database types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../host_config.html">Host configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../spake.html">SPAKE Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../dictionary.html">Addressing dictionary attack risks</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../auth_indicator.html">Authentication indicators</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../admin_commands/index.html">Administration programs</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../../mitK5defaults.html">MIT Kerberos defaults</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../env_variables.html">Environment variables</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../troubleshoot.html">Troubleshooting</a></li>
-<li class="toctree-l2 current"><a class="current reference internal" href="#">Advanced topics</a><ul>
-<li class="toctree-l3"><a class="reference internal" href="retiring-des.html">Retiring DES</a></li>
-</ul>
-</li>
-<li class="toctree-l2"><a class="reference internal" href="../various_envs.html">Various links</a></li>
-</ul>
-</li>
-<li class="toctree-l1"><a class="reference internal" href="../../appdev/index.html">For application developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../plugindev/index.html">For plugin module developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../build/index.html">Building Kerberos V5</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../basic/index.html">Kerberos V5 concepts</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../formats/index.html">Protocols and file formats</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../mitK5features.html">MIT Kerberos features</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../build_this.html">How to build this documentation from the source</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../about.html">Contributing to the MIT Kerberos Documentation</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../resources.html">Resources</a></li>
-</ul>
-
- <br/>
- <h4><a href="../../index.html">Full Table of Contents</a></h4>
- <h4>Search</h4>
- <form class="search" action="../../search.html" method="get">
- <input type="text" name="q" size="18" />
- <input type="submit" value="Go" />
- <input type="hidden" name="check_keywords" value="yes" />
- <input type="hidden" name="area" value="default" />
- </form>
-
- </div>
- <div class="clearer"></div>
- </div>
- </div>
-
- <div class="footer-wrapper">
- <div class="footer" >
- <div class="right" ><i>Release: 1.22-final</i><br />
- &copy; <a href="../../copyright.html">Copyright</a> 1985-2025, MIT.
- </div>
- <div class="left">
-
- <a href="../../index.html" title="Full Table of Contents"
- >Contents</a> |
- <a href="../troubleshoot.html" title="Troubleshooting"
- >previous</a> |
- <a href="retiring-des.html" title="Retiring DES"
- >next</a> |
- <a href="../../genindex.html" title="General Index"
- >index</a> |
- <a href="../../search.html" title="Enter search criteria"
- >Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Advanced topics">feedback</a>
- </div>
- </div>
- </div>
-
- </body>
-</html> \ No newline at end of file
diff --git a/crypto/krb5/doc/html/admin/advanced/retiring-des.html b/crypto/krb5/doc/html/admin/advanced/retiring-des.html
deleted file mode 100644
index 8dec27ded0a4..000000000000
--- a/crypto/krb5/doc/html/admin/advanced/retiring-des.html
+++ /dev/null
@@ -1,546 +0,0 @@
-<!DOCTYPE html>
-
-<html lang="en" data-content_root="../../">
- <head>
- <meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
-
- <title>Retiring DES &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../../_static/pygments.css?v=fa44fd50" />
- <link rel="stylesheet" type="text/css" href="../../_static/agogo.css?v=879f3c71" />
- <link rel="stylesheet" type="text/css" href="../../_static/kerb.css?v=6a0b3979" />
- <script src="../../_static/documentation_options.js?v=236fef3b"></script>
- <script src="../../_static/doctools.js?v=888ff710"></script>
- <script src="../../_static/sphinx_highlight.js?v=dc90522c"></script>
- <link rel="author" title="About these documents" href="../../about.html" />
- <link rel="index" title="Index" href="../../genindex.html" />
- <link rel="search" title="Search" href="../../search.html" />
- <link rel="copyright" title="Copyright" href="../../copyright.html" />
- <link rel="next" title="Various links" href="../various_envs.html" />
- <link rel="prev" title="Advanced topics" href="index.html" />
- </head><body>
- <div class="header-wrapper">
- <div class="header">
-
-
- <h1><a href="../../index.html">MIT Kerberos Documentation</a></h1>
-
- <div class="rel">
-
- <a href="../../index.html" title="Full Table of Contents"
- accesskey="C">Contents</a> |
- <a href="index.html" title="Advanced topics"
- accesskey="P">previous</a> |
- <a href="../various_envs.html" title="Various links"
- accesskey="N">next</a> |
- <a href="../../genindex.html" title="General Index"
- accesskey="I">index</a> |
- <a href="../../search.html" title="Enter search criteria"
- accesskey="S">Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Retiring DES">feedback</a>
- </div>
- </div>
- </div>
-
- <div class="content-wrapper">
- <div class="content">
- <div class="document">
-
- <div class="documentwrapper">
- <div class="bodywrapper">
- <div class="body" role="main">
-
- <section id="retiring-des">
-<span id="id1"></span><h1>Retiring DES<a class="headerlink" href="#retiring-des" title="Link to this heading">¶</a></h1>
-<p>Version 5 of the Kerberos protocol was originally implemented using
-the Data Encryption Standard (DES) as a block cipher for encryption.
-While it was considered secure at the time, advancements in computational
-ability have rendered DES vulnerable to brute force attacks on its 56-bit
-keyspace. As such, it is now considered insecure and should not be
-used (<span class="target" id="index-0"></span><a class="rfc reference external" href="https://datatracker.ietf.org/doc/html/rfc6649.html"><strong>RFC 6649</strong></a>).</p>
-<section id="history">
-<h2>History<a class="headerlink" href="#history" title="Link to this heading">¶</a></h2>
-<p>DES was used in the original Kerberos implementation, and was the
-only cryptosystem in krb5 1.0. Partial support for triple-DES (3DES) was
-added in version 1.1, with full support following in version 1.2.
-The Advanced Encryption Standard (AES), which supersedes DES, gained
-partial support in version 1.3.0 of krb5 and full support in version 1.3.2.
-However, deployments of krb5 using Kerberos databases created with older
-versions of krb5 will not necessarily start using strong crypto for
-ordinary operation without administrator intervention.</p>
-<p>MIT krb5 began flagging deprecated encryption types with release 1.17,
-and removed DES (single-DES) support in release 1.18. As a
-consequence, a release prior to 1.18 is required to perform these
-migrations.</p>
-</section>
-<section id="types-of-keys">
-<h2>Types of keys<a class="headerlink" href="#types-of-keys" title="Link to this heading">¶</a></h2>
-<ul class="simple">
-<li><p>The database master key: This key is not exposed to user requests,
-but is used to encrypt other key material stored in the kerberos
-database. The database master key is currently stored as <code class="docutils literal notranslate"><span class="pre">K/M</span></code>
-by default.</p></li>
-<li><p>Password-derived keys: User principals frequently have keys
-derived from a password. When a new password is set, the KDC
-uses various string2key functions to generate keys in the database
-for that principal.</p></li>
-<li><p>Keytab keys: Application server principals generally use random
-keys which are not derived from a password. When the database
-entry is created, the KDC generates random keys of various enctypes
-to enter in the database, which are conveyed to the application server
-and stored in a keytab.</p></li>
-<li><p>Session keys: These are short-term keys generated by the KDC while
-processing client requests, with an enctype selected by the KDC.</p></li>
-</ul>
-<p>For details on the various enctypes and how enctypes are selected by the KDC
-for session keys and client/server long-term keys, see <a class="reference internal" href="../enctypes.html#enctypes"><span class="std std-ref">Encryption types</span></a>.
-When using the <a class="reference internal" href="../admin_commands/kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> interface to generate new long-term keys,
-the <strong>-e</strong> argument can be used to force a particular set of enctypes,
-overriding the KDC default values.</p>
-<div class="admonition note">
-<p class="admonition-title">Note</p>
-<p>When the KDC is selecting a session key, it has no knowledge about the
-kerberos installation on the server which will receive the service ticket,
-only what keys are in the database for the service principal.
-In order to allow uninterrupted operation to
-clients while migrating away from DES, care must be taken to ensure that
-kerberos installations on application server machines are configured to
-support newer encryption types before keys of those new encryption types
-are created in the Kerberos database for those server principals.</p>
-</div>
-</section>
-<section id="upgrade-procedure">
-<h2>Upgrade procedure<a class="headerlink" href="#upgrade-procedure" title="Link to this heading">¶</a></h2>
-<p>This procedure assumes that the KDC software has already been upgraded
-to a modern version of krb5 that supports non-DES keys, so that the
-only remaining task is to update the actual keys used to service requests.
-The realm used for demonstrating this procedure, ZONE.MIT.EDU,
-is an example of the worst-case scenario, where all keys in the realm
-are DES. The realm was initially created with a very old version of krb5,
-and <strong>supported_enctypes</strong> in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a> was set to a value
-appropriate when the KDC was installed, but was not updated as the KDC
-was upgraded:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">realms</span><span class="p">]</span>
- <span class="n">ZONE</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="o">=</span> <span class="p">{</span>
- <span class="p">[</span><span class="o">...</span><span class="p">]</span>
- <span class="n">master_key_type</span> <span class="o">=</span> <span class="n">des</span><span class="o">-</span><span class="n">cbc</span><span class="o">-</span><span class="n">crc</span>
- <span class="n">supported_enctypes</span> <span class="o">=</span> <span class="n">des</span><span class="o">-</span><span class="n">cbc</span><span class="o">-</span><span class="n">crc</span><span class="p">:</span><span class="n">normal</span> <span class="n">des</span><span class="p">:</span><span class="n">normal</span> <span class="n">des</span><span class="p">:</span><span class="n">v4</span> <span class="n">des</span><span class="p">:</span><span class="n">norealm</span> <span class="n">des</span><span class="p">:</span><span class="n">onlyrealm</span> <span class="n">des</span><span class="p">:</span><span class="n">afs3</span>
- <span class="p">}</span>
-</pre></div>
-</div>
-<p>This resulted in the keys for all principals in the realm being forced
-to DES-only, unless specifically requested using <a class="reference internal" href="../admin_commands/kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a>.</p>
-<p>Before starting the upgrade, all KDCs were running krb5 1.11,
-and the database entries for some “high-value” principals were:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">root</span><span class="nd">@casio</span> <span class="n">krb5kdc</span><span class="p">]</span><span class="c1"># kadmin.local -r ZONE.MIT.EDU -q &#39;getprinc krbtgt/ZONE.MIT.EDU&#39;</span>
-<span class="p">[</span><span class="o">...</span><span class="p">]</span>
-<span class="n">Number</span> <span class="n">of</span> <span class="n">keys</span><span class="p">:</span> <span class="mi">1</span>
-<span class="n">Key</span><span class="p">:</span> <span class="n">vno</span> <span class="mi">1</span><span class="p">,</span> <span class="n">des</span><span class="o">-</span><span class="n">cbc</span><span class="o">-</span><span class="n">crc</span><span class="p">:</span><span class="n">v4</span>
-<span class="p">[</span><span class="o">...</span><span class="p">]</span>
-<span class="p">[</span><span class="n">root</span><span class="nd">@casio</span> <span class="n">krb5kdc</span><span class="p">]</span><span class="c1"># kadmin.local -r ZONE.MIT.EDU -q &#39;getprinc kadmin/admin&#39;</span>
-<span class="p">[</span><span class="o">...</span><span class="p">]</span>
-<span class="n">Number</span> <span class="n">of</span> <span class="n">keys</span><span class="p">:</span> <span class="mi">1</span>
-<span class="n">Key</span><span class="p">:</span> <span class="n">vno</span> <span class="mi">15</span><span class="p">,</span> <span class="n">des</span><span class="o">-</span><span class="n">cbc</span><span class="o">-</span><span class="n">crc</span>
-<span class="p">[</span><span class="o">...</span><span class="p">]</span>
-<span class="p">[</span><span class="n">root</span><span class="nd">@casio</span> <span class="n">krb5kdc</span><span class="p">]</span><span class="c1"># kadmin.local -r ZONE.MIT.EDU -q &#39;getprinc kadmin/changepw&#39;</span>
-<span class="p">[</span><span class="o">...</span><span class="p">]</span>
-<span class="n">Number</span> <span class="n">of</span> <span class="n">keys</span><span class="p">:</span> <span class="mi">1</span>
-<span class="n">Key</span><span class="p">:</span> <span class="n">vno</span> <span class="mi">14</span><span class="p">,</span> <span class="n">des</span><span class="o">-</span><span class="n">cbc</span><span class="o">-</span><span class="n">crc</span>
-<span class="p">[</span><span class="o">...</span><span class="p">]</span>
-</pre></div>
-</div>
-<p>The <code class="docutils literal notranslate"><span class="pre">krbtgt/REALM</span></code> key appears to have never been changed since creation
-(its kvno is 1), and all three database entries have only a des-cbc-crc key.</p>
-<section id="the-krbtgt-key-and-kdc-keys">
-<h3>The krbtgt key and KDC keys<a class="headerlink" href="#the-krbtgt-key-and-kdc-keys" title="Link to this heading">¶</a></h3>
-<p>Perhaps the biggest single-step improvement in the security of the cell
-is gained by strengthening the key of the ticket-granting service principal,
-<code class="docutils literal notranslate"><span class="pre">krbtgt/REALM</span></code>—if this principal’s key is compromised, so is the
-entire realm. Since the server that will handle service tickets
-for this principal is the KDC itself, it is easy to guarantee that it
-will be configured to support any encryption types which might be
-selected. However, the default KDC behavior when creating new keys is to
-remove the old keys, which would invalidate all existing tickets issued
-against that principal, rendering the TGTs cached by clients useless.
-Instead, a new key can be created with the old key retained, so that
-existing tickets will still function until their scheduled expiry
-(see <a class="reference internal" href="../database.html#changing-krbtgt-key"><span class="std std-ref">Changing the krbtgt key</span></a>).</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">root</span><span class="nd">@casio</span> <span class="n">krb5kdc</span><span class="p">]</span><span class="c1"># enctypes=aes256-cts-hmac-sha1-96:normal,\</span>
-<span class="o">&gt;</span> <span class="n">aes128</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span><span class="p">:</span><span class="n">normal</span><span class="p">,</span><span class="n">des3</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="p">:</span><span class="n">normal</span><span class="p">,</span><span class="n">des</span><span class="o">-</span><span class="n">cbc</span><span class="o">-</span><span class="n">crc</span><span class="p">:</span><span class="n">normal</span>
-<span class="p">[</span><span class="n">root</span><span class="nd">@casio</span> <span class="n">krb5kdc</span><span class="p">]</span><span class="c1"># kadmin.local -r ZONE.MIT.EDU -q &quot;cpw -e ${enctypes} -randkey \</span>
-<span class="o">&gt;</span> <span class="o">-</span><span class="n">keepold</span> <span class="n">krbtgt</span><span class="o">/</span><span class="n">ZONE</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span><span class="s2">&quot;</span>
-<span class="n">Authenticating</span> <span class="k">as</span> <span class="n">principal</span> <span class="n">root</span><span class="o">/</span><span class="n">admin</span><span class="nd">@ZONE</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="k">with</span> <span class="n">password</span><span class="o">.</span>
-<span class="n">Key</span> <span class="k">for</span> <span class="s2">&quot;krbtgt/ZONE.MIT.EDU@ZONE.MIT.EDU&quot;</span> <span class="n">randomized</span><span class="o">.</span>
-</pre></div>
-</div>
-<div class="admonition note">
-<p class="admonition-title">Note</p>
-<p>The new <code class="docutils literal notranslate"><span class="pre">krbtgt&#64;REALM</span></code> key should be propagated to replica KDCs
-immediately so that TGTs issued by the primary KDC can be used to
-issue service tickets on replica KDCs. Replica KDCs will refuse
-requests using the new TGT kvno until the new krbtgt entry has
-been propagated to them.</p>
-</div>
-<p>It is necessary to explicitly specify the enctypes for the new database
-entry, since <strong>supported_enctypes</strong> has not been changed. Leaving
-<strong>supported_enctypes</strong> unchanged makes a potential rollback operation
-easier, since all new keys of new enctypes are the result of explicit
-administrator action and can be easily enumerated.
-Upgrading the krbtgt key should have minimal user-visible disruption other
-than that described in the note above, since only clients which list the
-new enctypes as supported will use them, per the procedure
-in <a class="reference internal" href="../enctypes.html#session-key-selection"><span class="std std-ref">Session key selection</span></a>.
-Once the krbtgt key is updated, the session and ticket keys for user
-TGTs will be strong keys, but subsequent requests
-for service tickets will still get DES keys until the service principals
-have new keys generated. Application service
-remains uninterrupted due to the key-selection procedure on the KDC.</p>
-<p>After the change, the database entry is now:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">root</span><span class="nd">@casio</span> <span class="n">krb5kdc</span><span class="p">]</span><span class="c1"># kadmin.local -r ZONE.MIT.EDU -q &#39;getprinc krbtgt/ZONE.MIT.EDU&#39;</span>
-<span class="p">[</span><span class="o">...</span><span class="p">]</span>
-<span class="n">Number</span> <span class="n">of</span> <span class="n">keys</span><span class="p">:</span> <span class="mi">5</span>
-<span class="n">Key</span><span class="p">:</span> <span class="n">vno</span> <span class="mi">2</span><span class="p">,</span> <span class="n">aes256</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span>
-<span class="n">Key</span><span class="p">:</span> <span class="n">vno</span> <span class="mi">2</span><span class="p">,</span> <span class="n">aes128</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span>
-<span class="n">Key</span><span class="p">:</span> <span class="n">vno</span> <span class="mi">2</span><span class="p">,</span> <span class="n">des3</span><span class="o">-</span><span class="n">cbc</span><span class="o">-</span><span class="n">sha1</span>
-<span class="n">Key</span><span class="p">:</span> <span class="n">vno</span> <span class="mi">2</span><span class="p">,</span> <span class="n">des</span><span class="o">-</span><span class="n">cbc</span><span class="o">-</span><span class="n">crc</span>
-<span class="n">Key</span><span class="p">:</span> <span class="n">vno</span> <span class="mi">1</span><span class="p">,</span> <span class="n">des</span><span class="o">-</span><span class="n">cbc</span><span class="o">-</span><span class="n">crc</span><span class="p">:</span><span class="n">v4</span>
-<span class="p">[</span><span class="o">...</span><span class="p">]</span>
-</pre></div>
-</div>
-<p>Since the expected disruptions from rekeying the krbtgt principal are
-minor, after a short testing period, it is
-appropriate to rekey the other high-value principals, <code class="docutils literal notranslate"><span class="pre">kadmin/admin&#64;REALM</span></code>
-and <code class="docutils literal notranslate"><span class="pre">kadmin/changepw&#64;REALM</span></code>. These are the service principals used for
-changing user passwords and updating application keytabs. The kadmin
-and password-changing services are regular kerberized services, so the
-session-key-selection algorithm described in <a class="reference internal" href="../enctypes.html#session-key-selection"><span class="std std-ref">Session key selection</span></a>
-applies. It is particularly important to have strong session keys for
-these services, since user passwords and new long-term keys are conveyed
-over the encrypted channel.</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">root</span><span class="nd">@casio</span> <span class="n">krb5kdc</span><span class="p">]</span><span class="c1"># enctypes=aes256-cts-hmac-sha1-96:normal,\</span>
-<span class="o">&gt;</span> <span class="n">aes128</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span><span class="p">:</span><span class="n">normal</span><span class="p">,</span><span class="n">des3</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="p">:</span><span class="n">normal</span>
-<span class="p">[</span><span class="n">root</span><span class="nd">@casio</span> <span class="n">krb5kdc</span><span class="p">]</span><span class="c1"># kadmin.local -r ZONE.MIT.EDU -q &quot;cpw -e ${enctypes} -randkey \</span>
-<span class="o">&gt;</span> <span class="n">kadmin</span><span class="o">/</span><span class="n">admin</span><span class="s2">&quot;</span>
-<span class="n">Authenticating</span> <span class="k">as</span> <span class="n">principal</span> <span class="n">root</span><span class="o">/</span><span class="n">admin</span><span class="nd">@ZONE</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="k">with</span> <span class="n">password</span><span class="o">.</span>
-<span class="n">Key</span> <span class="k">for</span> <span class="s2">&quot;kadmin/admin@ZONE.MIT.EDU&quot;</span> <span class="n">randomized</span><span class="o">.</span>
-<span class="p">[</span><span class="n">root</span><span class="nd">@casio</span> <span class="n">krb5kdc</span><span class="p">]</span><span class="c1"># kadmin.local -r ZONE.MIT.EDU -q &quot;cpw -e ${enctypes} -randkey \</span>
-<span class="o">&gt;</span> <span class="n">kadmin</span><span class="o">/</span><span class="n">changepw</span><span class="s2">&quot;</span>
-<span class="n">Authenticating</span> <span class="k">as</span> <span class="n">principal</span> <span class="n">root</span><span class="o">/</span><span class="n">admin</span><span class="nd">@ZONE</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="k">with</span> <span class="n">password</span><span class="o">.</span>
-<span class="n">Key</span> <span class="k">for</span> <span class="s2">&quot;kadmin/changepw@ZONE.MIT.EDU&quot;</span> <span class="n">randomized</span><span class="o">.</span>
-</pre></div>
-</div>
-<p>It is not necessary to retain a single-DES key for these services, since
-password changes are not part of normal daily workflow, and disruption
-from a client failure is likely to be minimal. Furthermore, if a kerberos
-client experiences failure changing a user password or keytab key,
-this indicates that that client will become inoperative once services
-are rekeyed to non-DES enctypes. Such problems can be detected early
-at this stage, giving more time for corrective action.</p>
-</section>
-<section id="adding-strong-keys-to-application-servers">
-<h3>Adding strong keys to application servers<a class="headerlink" href="#adding-strong-keys-to-application-servers" title="Link to this heading">¶</a></h3>
-<p>Before switching the default enctypes for new keys over to strong enctypes,
-it may be desired to test upgrading a handful of services with the
-new configuration before flipping the switch for the defaults. This
-still requires using the <strong>-e</strong> argument in <a class="reference internal" href="../admin_commands/kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> to get non-default
-enctypes:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">root</span><span class="nd">@casio</span> <span class="n">krb5kdc</span><span class="p">]</span><span class="c1"># enctypes=aes256-cts-hmac-sha1-96:normal,\</span>
-<span class="o">&gt;</span> <span class="n">aes128</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span><span class="p">:</span><span class="n">normal</span><span class="p">,</span><span class="n">des3</span><span class="o">-</span><span class="n">cbc</span><span class="o">-</span><span class="n">sha1</span><span class="p">:</span><span class="n">normal</span><span class="p">,</span><span class="n">des</span><span class="o">-</span><span class="n">cbc</span><span class="o">-</span><span class="n">crc</span><span class="p">:</span><span class="n">normal</span>
-<span class="p">[</span><span class="n">root</span><span class="nd">@casio</span> <span class="n">krb5kdc</span><span class="p">]</span><span class="c1"># kadmin -r ZONE.MIT.EDU -p zephyr/zephyr@ZONE.MIT.EDU -k -t \</span>
-<span class="o">&gt;</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">zephyr</span><span class="o">/</span><span class="n">krb5</span><span class="o">.</span><span class="n">keytab</span> <span class="o">-</span><span class="n">q</span> <span class="s2">&quot;ktadd -e $</span><span class="si">{enctypes}</span><span class="s2"> </span><span class="se">\</span>
-<span class="s2">&gt; -k /etc/zephyr/krb5.keytab zephyr/zephyr@ZONE.MIT.EDU&quot;</span>
-<span class="n">Authenticating</span> <span class="k">as</span> <span class="n">principal</span> <span class="n">zephyr</span><span class="o">/</span><span class="n">zephyr</span><span class="nd">@ZONE</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="k">with</span> <span class="n">keytab</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">zephyr</span><span class="o">/</span><span class="n">krb5</span><span class="o">.</span><span class="n">keytab</span><span class="o">.</span>
-<span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">zephyr</span><span class="o">/</span><span class="n">zephyr</span><span class="nd">@ZONE</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">4</span><span class="p">,</span> <span class="n">encryption</span> <span class="nb">type</span> <span class="n">aes256</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span> <span class="n">added</span> <span class="n">to</span> <span class="n">keytab</span> <span class="n">WRFILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">zephyr</span><span class="o">/</span><span class="n">krb5</span><span class="o">.</span><span class="n">keytab</span><span class="o">.</span>
-<span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">zephyr</span><span class="o">/</span><span class="n">zephyr</span><span class="nd">@ZONE</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">4</span><span class="p">,</span> <span class="n">encryption</span> <span class="nb">type</span> <span class="n">aes128</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span> <span class="n">added</span> <span class="n">to</span> <span class="n">keytab</span> <span class="n">WRFILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">zephyr</span><span class="o">/</span><span class="n">krb5</span><span class="o">.</span><span class="n">keytab</span><span class="o">.</span>
-<span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">zephyr</span><span class="o">/</span><span class="n">zephyr</span><span class="nd">@ZONE</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">4</span><span class="p">,</span> <span class="n">encryption</span> <span class="nb">type</span> <span class="n">des3</span><span class="o">-</span><span class="n">cbc</span><span class="o">-</span><span class="n">sha1</span> <span class="n">added</span> <span class="n">to</span> <span class="n">keytab</span> <span class="n">WRFILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">zephyr</span><span class="o">/</span><span class="n">krb5</span><span class="o">.</span><span class="n">keytab</span><span class="o">.</span>
-<span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">zephyr</span><span class="o">/</span><span class="n">zephyr</span><span class="nd">@ZONE</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">4</span><span class="p">,</span> <span class="n">encryption</span> <span class="nb">type</span> <span class="n">des</span><span class="o">-</span><span class="n">cbc</span><span class="o">-</span><span class="n">crc</span> <span class="n">added</span> <span class="n">to</span> <span class="n">keytab</span> <span class="n">WRFILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">zephyr</span><span class="o">/</span><span class="n">krb5</span><span class="o">.</span><span class="n">keytab</span><span class="o">.</span>
-</pre></div>
-</div>
-<p>Be sure to remove the old keys from the application keytab, per best
-practice.</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">root</span><span class="nd">@casio</span> <span class="n">krb5kdc</span><span class="p">]</span><span class="c1"># k5srvutil -f /etc/zephyr/krb5.keytab delold</span>
-<span class="n">Authenticating</span> <span class="k">as</span> <span class="n">principal</span> <span class="n">zephyr</span><span class="o">/</span><span class="n">zephyr</span><span class="nd">@ZONE</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="k">with</span> <span class="n">keytab</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">zephyr</span><span class="o">/</span><span class="n">krb5</span><span class="o">.</span><span class="n">keytab</span><span class="o">.</span>
-<span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">zephyr</span><span class="o">/</span><span class="n">zephyr</span><span class="nd">@ZONE</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">3</span> <span class="n">removed</span> <span class="kn">from</span> <span class="nn">keytab</span> <span class="n">WRFILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">zephyr</span><span class="o">/</span><span class="n">krb5</span><span class="o">.</span><span class="n">keytab</span><span class="o">.</span>
-</pre></div>
-</div>
-</section>
-<section id="adding-strong-keys-by-default">
-<h3>Adding strong keys by default<a class="headerlink" href="#adding-strong-keys-by-default" title="Link to this heading">¶</a></h3>
-<p>Once the high-visibility services have been rekeyed, it is probably
-appropriate to change <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a> to generate keys with the new
-encryption types by default. This enables server administrators to generate
-new enctypes with the <strong>change</strong> subcommand of <a class="reference internal" href="../admin_commands/k5srvutil.html#k5srvutil-1"><span class="std std-ref">k5srvutil</span></a>,
-and causes user password
-changes to add new encryption types for their entries. It will probably
-be necessary to implement administrative controls to cause all user
-principal keys to be updated in a reasonable period of time, whether
-by forcing password changes or a password synchronization service that
-has access to the current password and can add the new keys.</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">realms</span><span class="p">]</span>
- <span class="n">ZONE</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="o">=</span> <span class="p">{</span>
- <span class="n">supported_enctypes</span> <span class="o">=</span> <span class="n">aes256</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span><span class="p">:</span><span class="n">normal</span> <span class="n">aes128</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span><span class="p">:</span><span class="n">normal</span> <span class="n">des3</span><span class="o">-</span><span class="n">cbc</span><span class="o">-</span><span class="n">sha1</span><span class="p">:</span><span class="n">normal</span> <span class="n">des3</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="p">:</span><span class="n">normal</span> <span class="n">des</span><span class="o">-</span><span class="n">cbc</span><span class="o">-</span><span class="n">crc</span><span class="p">:</span><span class="n">normal</span>
-</pre></div>
-</div>
-<div class="admonition note">
-<p class="admonition-title">Note</p>
-<p>The krb5kdc process must be restarted for these changes to take effect.</p>
-</div>
-<p>At this point, all service administrators can update their services and the
-servers behind them to take advantage of strong cryptography.
-If necessary, the server’s krb5 installation should be configured and/or
-upgraded to a version supporting non-DES keys. See <a class="reference internal" href="../enctypes.html#enctypes"><span class="std std-ref">Encryption types</span></a> for
-krb5 version and configuration settings.
-Only when the service is configured to accept non-DES keys should
-the key version number be incremented and new keys generated
-(<code class="docutils literal notranslate"><span class="pre">k5srvutil</span> <span class="pre">change</span> <span class="pre">&amp;&amp;</span> <span class="pre">k5srvutil</span> <span class="pre">delold</span></code>).</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">root</span><span class="nd">@dr</span><span class="o">-</span><span class="n">willy</span><span class="p">:</span><span class="o">~</span><span class="c1"># k5srvutil change</span>
-<span class="n">Authenticating</span> <span class="k">as</span> <span class="n">principal</span> <span class="n">host</span><span class="o">/</span><span class="n">dr</span><span class="o">-</span><span class="n">willy</span><span class="o">.</span><span class="n">xvm</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span><span class="nd">@ZONE</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="k">with</span> <span class="n">keytab</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">krb5</span><span class="o">.</span><span class="n">keytab</span><span class="o">.</span>
-<span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">host</span><span class="o">/</span><span class="n">dr</span><span class="o">-</span><span class="n">willy</span><span class="o">.</span><span class="n">xvm</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span><span class="nd">@ZONE</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">3</span><span class="p">,</span> <span class="n">encryption</span> <span class="nb">type</span> <span class="n">AES</span><span class="o">-</span><span class="mi">256</span> <span class="n">CTS</span> <span class="n">mode</span> <span class="k">with</span> <span class="mi">96</span><span class="o">-</span><span class="n">bit</span> <span class="n">SHA</span><span class="o">-</span><span class="mi">1</span> <span class="n">HMAC</span> <span class="n">added</span> <span class="n">to</span> <span class="n">keytab</span> <span class="n">WRFILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">krb5</span><span class="o">.</span><span class="n">keytab</span><span class="o">.</span>
-<span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">host</span><span class="o">/</span><span class="n">dr</span><span class="o">-</span><span class="n">willy</span><span class="o">.</span><span class="n">xvm</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span><span class="nd">@ZONE</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">3</span><span class="p">,</span> <span class="n">encryption</span> <span class="nb">type</span> <span class="n">AES</span><span class="o">-</span><span class="mi">128</span> <span class="n">CTS</span> <span class="n">mode</span> <span class="k">with</span> <span class="mi">96</span><span class="o">-</span><span class="n">bit</span> <span class="n">SHA</span><span class="o">-</span><span class="mi">1</span> <span class="n">HMAC</span> <span class="n">added</span> <span class="n">to</span> <span class="n">keytab</span> <span class="n">WRFILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">krb5</span><span class="o">.</span><span class="n">keytab</span><span class="o">.</span>
-<span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">host</span><span class="o">/</span><span class="n">dr</span><span class="o">-</span><span class="n">willy</span><span class="o">.</span><span class="n">xvm</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span><span class="nd">@ZONE</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">3</span><span class="p">,</span> <span class="n">encryption</span> <span class="nb">type</span> <span class="n">Triple</span> <span class="n">DES</span> <span class="n">cbc</span> <span class="n">mode</span> <span class="k">with</span> <span class="n">HMAC</span><span class="o">/</span><span class="n">sha1</span> <span class="n">added</span> <span class="n">to</span> <span class="n">keytab</span> <span class="n">WRFILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">krb5</span><span class="o">.</span><span class="n">keytab</span><span class="o">.</span>
-<span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">host</span><span class="o">/</span><span class="n">dr</span><span class="o">-</span><span class="n">willy</span><span class="o">.</span><span class="n">xvm</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span><span class="nd">@ZONE</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">3</span><span class="p">,</span> <span class="n">encryption</span> <span class="nb">type</span> <span class="n">DES</span> <span class="n">cbc</span> <span class="n">mode</span> <span class="k">with</span> <span class="n">CRC</span><span class="o">-</span><span class="mi">32</span> <span class="n">added</span> <span class="n">to</span> <span class="n">keytab</span> <span class="n">WRFILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">krb5</span><span class="o">.</span><span class="n">keytab</span><span class="o">.</span>
-<span class="n">root</span><span class="nd">@dr</span><span class="o">-</span><span class="n">willy</span><span class="p">:</span><span class="o">~</span><span class="c1"># klist -e -k -t /etc/krb5.keytab</span>
-<span class="n">Keytab</span> <span class="n">name</span><span class="p">:</span> <span class="n">WRFILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">krb5</span><span class="o">.</span><span class="n">keytab</span>
-<span class="n">KVNO</span> <span class="n">Timestamp</span> <span class="n">Principal</span>
-<span class="o">----</span> <span class="o">-----------------</span> <span class="o">--------------------------------------------------------</span>
- <span class="mi">2</span> <span class="mi">10</span><span class="o">/</span><span class="mi">10</span><span class="o">/</span><span class="mi">12</span> <span class="mi">17</span><span class="p">:</span><span class="mi">03</span><span class="p">:</span><span class="mi">59</span> <span class="n">host</span><span class="o">/</span><span class="n">dr</span><span class="o">-</span><span class="n">willy</span><span class="o">.</span><span class="n">xvm</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span><span class="nd">@ZONE</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="p">(</span><span class="n">DES</span> <span class="n">cbc</span> <span class="n">mode</span> <span class="k">with</span> <span class="n">CRC</span><span class="o">-</span><span class="mi">32</span><span class="p">)</span>
- <span class="mi">3</span> <span class="mi">12</span><span class="o">/</span><span class="mi">12</span><span class="o">/</span><span class="mi">12</span> <span class="mi">15</span><span class="p">:</span><span class="mi">31</span><span class="p">:</span><span class="mi">19</span> <span class="n">host</span><span class="o">/</span><span class="n">dr</span><span class="o">-</span><span class="n">willy</span><span class="o">.</span><span class="n">xvm</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span><span class="nd">@ZONE</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="p">(</span><span class="n">AES</span><span class="o">-</span><span class="mi">256</span> <span class="n">CTS</span> <span class="n">mode</span> <span class="k">with</span> <span class="mi">96</span><span class="o">-</span><span class="n">bit</span> <span class="n">SHA</span><span class="o">-</span><span class="mi">1</span> <span class="n">HMAC</span><span class="p">)</span>
- <span class="mi">3</span> <span class="mi">12</span><span class="o">/</span><span class="mi">12</span><span class="o">/</span><span class="mi">12</span> <span class="mi">15</span><span class="p">:</span><span class="mi">31</span><span class="p">:</span><span class="mi">19</span> <span class="n">host</span><span class="o">/</span><span class="n">dr</span><span class="o">-</span><span class="n">willy</span><span class="o">.</span><span class="n">xvm</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span><span class="nd">@ZONE</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="p">(</span><span class="n">AES</span><span class="o">-</span><span class="mi">128</span> <span class="n">CTS</span> <span class="n">mode</span> <span class="k">with</span> <span class="mi">96</span><span class="o">-</span><span class="n">bit</span> <span class="n">SHA</span><span class="o">-</span><span class="mi">1</span> <span class="n">HMAC</span><span class="p">)</span>
- <span class="mi">3</span> <span class="mi">12</span><span class="o">/</span><span class="mi">12</span><span class="o">/</span><span class="mi">12</span> <span class="mi">15</span><span class="p">:</span><span class="mi">31</span><span class="p">:</span><span class="mi">19</span> <span class="n">host</span><span class="o">/</span><span class="n">dr</span><span class="o">-</span><span class="n">willy</span><span class="o">.</span><span class="n">xvm</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span><span class="nd">@ZONE</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="p">(</span><span class="n">Triple</span> <span class="n">DES</span> <span class="n">cbc</span> <span class="n">mode</span> <span class="k">with</span> <span class="n">HMAC</span><span class="o">/</span><span class="n">sha1</span><span class="p">)</span>
- <span class="mi">3</span> <span class="mi">12</span><span class="o">/</span><span class="mi">12</span><span class="o">/</span><span class="mi">12</span> <span class="mi">15</span><span class="p">:</span><span class="mi">31</span><span class="p">:</span><span class="mi">19</span> <span class="n">host</span><span class="o">/</span><span class="n">dr</span><span class="o">-</span><span class="n">willy</span><span class="o">.</span><span class="n">xvm</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span><span class="nd">@ZONE</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="p">(</span><span class="n">DES</span> <span class="n">cbc</span> <span class="n">mode</span> <span class="k">with</span> <span class="n">CRC</span><span class="o">-</span><span class="mi">32</span><span class="p">)</span>
-<span class="n">root</span><span class="nd">@dr</span><span class="o">-</span><span class="n">willy</span><span class="p">:</span><span class="o">~</span><span class="c1"># k5srvutil delold</span>
-<span class="n">Authenticating</span> <span class="k">as</span> <span class="n">principal</span> <span class="n">host</span><span class="o">/</span><span class="n">dr</span><span class="o">-</span><span class="n">willy</span><span class="o">.</span><span class="n">xvm</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span><span class="nd">@ZONE</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="k">with</span> <span class="n">keytab</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">krb5</span><span class="o">.</span><span class="n">keytab</span><span class="o">.</span>
-<span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">host</span><span class="o">/</span><span class="n">dr</span><span class="o">-</span><span class="n">willy</span><span class="o">.</span><span class="n">xvm</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span><span class="nd">@ZONE</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">2</span> <span class="n">removed</span> <span class="kn">from</span> <span class="nn">keytab</span> <span class="n">WRFILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">krb5</span><span class="o">.</span><span class="n">keytab</span><span class="o">.</span>
-</pre></div>
-</div>
-<p>When a single service principal is shared by multiple backend servers in
-a load-balanced environment, it may be necessary to schedule downtime
-or adjust the population in the load-balanced pool in order to propagate
-the updated keytab to all hosts in the pool with minimal service interruption.</p>
-</section>
-<section id="removing-des-keys-from-usage">
-<h3>Removing DES keys from usage<a class="headerlink" href="#removing-des-keys-from-usage" title="Link to this heading">¶</a></h3>
-<p>This situation remains something of a testing or transitory state,
-as new DES keys are still being generated, and will be used if requested
-by a client. To make more progress removing DES from the realm, the KDC
-should be configured to not generate such keys by default.</p>
-<div class="admonition note">
-<p class="admonition-title">Note</p>
-<p>An attacker posing as a client can implement a brute force attack against
-a DES key for any principal, if that key is in the current (highest-kvno)
-key list. This attack is only possible if <strong>allow_weak_crypto = true</strong>
-is enabled on the KDC. Setting the <strong>+requires_preauth</strong> flag on a
-principal forces this attack to be an online attack, much slower than
-the offline attack otherwise available to the attacker. However, setting
-this flag on a service principal is not always advisable; see the entry in
-<a class="reference internal" href="../admin_commands/kadmin_local.html#add-principal"><span class="std std-ref">add_principal</span></a> for details.</p>
-</div>
-<p>The following KDC configuration will not generate DES keys by default:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">realms</span><span class="p">]</span>
- <span class="n">ZONE</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="o">=</span> <span class="p">{</span>
- <span class="n">supported_enctypes</span> <span class="o">=</span> <span class="n">aes256</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span><span class="p">:</span><span class="n">normal</span> <span class="n">aes128</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span><span class="p">:</span><span class="n">normal</span> <span class="n">des3</span><span class="o">-</span><span class="n">cbc</span><span class="o">-</span><span class="n">sha1</span><span class="p">:</span><span class="n">normal</span> <span class="n">des3</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="p">:</span><span class="n">normal</span>
-</pre></div>
-</div>
-<div class="admonition note">
-<p class="admonition-title">Note</p>
-<p>As before, the KDC process must be restarted for this change to take
-effect. It is best practice to update kdc.conf on all KDCs, not just the
-primary, to avoid unpleasant surprises should the primary fail and a
-replica need to be promoted.</p>
-</div>
-<p>It is now appropriate to remove the legacy single-DES key from the
-<code class="docutils literal notranslate"><span class="pre">krbtgt/REALM</span></code> entry:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">root</span><span class="nd">@casio</span> <span class="n">krb5kdc</span><span class="p">]</span><span class="c1"># kadmin.local -r ZONE.MIT.EDU -q &quot;cpw -randkey -keepold \</span>
-<span class="o">&gt;</span> <span class="n">krbtgt</span><span class="o">/</span><span class="n">ZONE</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span><span class="s2">&quot;</span>
-<span class="n">Authenticating</span> <span class="k">as</span> <span class="n">principal</span> <span class="n">host</span><span class="o">/</span><span class="n">admin</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="k">with</span> <span class="n">password</span><span class="o">.</span>
-<span class="n">Key</span> <span class="k">for</span> <span class="s2">&quot;krbtgt/ZONE.MIT.EDU@ZONE.MIT.EDU&quot;</span> <span class="n">randomized</span><span class="o">.</span>
-</pre></div>
-</div>
-<p>After the maximum ticket lifetime has passed, the old database entry
-should be removed.</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">root</span><span class="nd">@casio</span> <span class="n">krb5kdc</span><span class="p">]</span><span class="c1"># kadmin.local -r ZONE.MIT.EDU -q &#39;purgekeys krbtgt/ZONE.MIT.EDU&#39;</span>
-<span class="n">Authenticating</span> <span class="k">as</span> <span class="n">principal</span> <span class="n">root</span><span class="o">/</span><span class="n">admin</span><span class="nd">@ZONE</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="k">with</span> <span class="n">password</span><span class="o">.</span>
-<span class="n">Old</span> <span class="n">keys</span> <span class="k">for</span> <span class="n">principal</span> <span class="s2">&quot;krbtgt/ZONE.MIT.EDU@ZONE.MIT.EDU&quot;</span> <span class="n">purged</span><span class="o">.</span>
-</pre></div>
-</div>
-<p>After the KDC is restarted with the new <strong>supported_enctypes</strong>,
-all user password changes and application keytab updates will not
-generate DES keys by default.</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>contents-vnder-pressvre:~&gt; kpasswd zonetest@ZONE.MIT.EDU
-Password for zonetest@ZONE.MIT.EDU: [enter old password]
-Enter new password: [enter new password]
-Enter it again: [enter new password]
-Password changed.
-contents-vnder-pressvre:~&gt; kadmin -r ZONE.MIT.EDU -q &#39;getprinc zonetest&#39;
-[...]
-Number of keys: 3
-Key: vno 9, aes256-cts-hmac-sha1-96
-Key: vno 9, aes128-cts-hmac-sha1-96
-Key: vno 9, des3-cbc-sha1
-[...]
-
-[kaduk@glossolalia ~]$ kadmin -p kaduk@ZONE.MIT.EDU -r ZONE.MIT.EDU -k \
-&gt; -t kaduk-zone.keytab -q &#39;ktadd -k kaduk-zone.keytab kaduk@ZONE.MIT.EDU&#39;
-Authenticating as principal kaduk@ZONE.MIT.EDU with keytab kaduk-zone.keytab.
-Entry for principal kaduk@ZONE.MIT.EDU with kvno 3, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:kaduk-zone.keytab.
-Entry for principal kaduk@ZONE.MIT.EDU with kvno 3, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:kaduk-zone.keytab.
-Entry for principal kaduk@ZONE.MIT.EDU with kvno 3, encryption type des3-cbc-sha1 added to keytab WRFILE:kaduk-zone.keytab.
-</pre></div>
-</div>
-<p>Once all principals have been re-keyed, DES support can be disabled on the
-KDC (<strong>allow_weak_crypto = false</strong>), and client machines can remove
-<strong>allow_weak_crypto = true</strong> from their <a class="reference internal" href="../conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a> configuration
-files, completing the migration. <strong>allow_weak_crypto</strong> takes precedence over
-all places where DES enctypes could be explicitly configured. DES keys will
-not be used, even if they are present, when <strong>allow_weak_crypto = false</strong>.</p>
-</section>
-<section id="support-for-legacy-services">
-<h3>Support for legacy services<a class="headerlink" href="#support-for-legacy-services" title="Link to this heading">¶</a></h3>
-<p>If there remain legacy services which do not support non-DES enctypes
-(such as older versions of AFS), <strong>allow_weak_crypto</strong> must remain
-enabled on the KDC. Client machines need not have this setting,
-though—applications which require DES can use API calls to allow
-weak crypto on a per-request basis, overriding the system krb5.conf.
-However, having <strong>allow_weak_crypto</strong> set on the KDC means that any
-principals which have a DES key in the database could still use those
-keys. To minimize the use of DES in the realm and restrict it to just
-legacy services which require DES, it is necessary to remove all other
-DES keys. The realm has been configured such that at password and
-keytab change, no DES keys will be generated by default. The task
-then reduces to requiring user password changes and having server
-administrators update their service keytabs. Administrative outreach
-will be necessary, and if the desire to eliminate DES is sufficiently
-strong, the KDC administrators may choose to randkey any principals
-which have not been rekeyed after some timeout period, forcing the
-user to contact the helpdesk for access.</p>
-</section>
-</section>
-<section id="the-database-master-key">
-<h2>The Database Master Key<a class="headerlink" href="#the-database-master-key" title="Link to this heading">¶</a></h2>
-<p>This procedure does not alter <code class="docutils literal notranslate"><span class="pre">K/M&#64;REALM</span></code>, the key used to encrypt key
-material in the Kerberos database. (This is the key stored in the stash file
-on the KDC if stash files are used.) However, the security risk of
-a single-DES key for <code class="docutils literal notranslate"><span class="pre">K/M</span></code> is minimal, given that access to material
-encrypted in <code class="docutils literal notranslate"><span class="pre">K/M</span></code> (the Kerberos database) is generally tightly controlled.
-If an attacker can gain access to the encrypted database, they likely
-have access to the stash file as well, rendering the weak cryptography
-broken by non-cryptographic means. As such, upgrading <code class="docutils literal notranslate"><span class="pre">K/M</span></code> to a stronger
-encryption type is unlikely to be a high-priority task.</p>
-<p>Is is possible to upgrade the master key used for the database, if
-desired. Using <a class="reference internal" href="../admin_commands/kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a>’s <strong>add_mkey</strong>, <strong>use_mkey</strong>, and
-<strong>update_princ_encryption</strong> commands, a new master key can be added
-and activated for use on new key material, and the existing entries
-converted to the new master key.</p>
-</section>
-</section>
-
-
- <div class="clearer"></div>
- </div>
- </div>
- </div>
- </div>
- <div class="sidebar">
-
- <h2>On this page</h2>
- <ul>
-<li><a class="reference internal" href="#">Retiring DES</a><ul>
-<li><a class="reference internal" href="#history">History</a></li>
-<li><a class="reference internal" href="#types-of-keys">Types of keys</a></li>
-<li><a class="reference internal" href="#upgrade-procedure">Upgrade procedure</a><ul>
-<li><a class="reference internal" href="#the-krbtgt-key-and-kdc-keys">The krbtgt key and KDC keys</a></li>
-<li><a class="reference internal" href="#adding-strong-keys-to-application-servers">Adding strong keys to application servers</a></li>
-<li><a class="reference internal" href="#adding-strong-keys-by-default">Adding strong keys by default</a></li>
-<li><a class="reference internal" href="#removing-des-keys-from-usage">Removing DES keys from usage</a></li>
-<li><a class="reference internal" href="#support-for-legacy-services">Support for legacy services</a></li>
-</ul>
-</li>
-<li><a class="reference internal" href="#the-database-master-key">The Database Master Key</a></li>
-</ul>
-</li>
-</ul>
-
- <br/>
- <h2>Table of contents</h2>
- <ul class="current">
-<li class="toctree-l1"><a class="reference internal" href="../../user/index.html">For users</a></li>
-<li class="toctree-l1 current"><a class="reference internal" href="../index.html">For administrators</a><ul class="current">
-<li class="toctree-l2"><a class="reference internal" href="../install.html">Installation guide</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../conf_files/index.html">Configuration Files</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../dbtypes.html">Database types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../host_config.html">Host configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../spake.html">SPAKE Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../dictionary.html">Addressing dictionary attack risks</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../auth_indicator.html">Authentication indicators</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../admin_commands/index.html">Administration programs</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../../mitK5defaults.html">MIT Kerberos defaults</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../env_variables.html">Environment variables</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../troubleshoot.html">Troubleshooting</a></li>
-<li class="toctree-l2 current"><a class="reference internal" href="index.html">Advanced topics</a><ul class="current">
-<li class="toctree-l3 current"><a class="current reference internal" href="#">Retiring DES</a></li>
-</ul>
-</li>
-<li class="toctree-l2"><a class="reference internal" href="../various_envs.html">Various links</a></li>
-</ul>
-</li>
-<li class="toctree-l1"><a class="reference internal" href="../../appdev/index.html">For application developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../plugindev/index.html">For plugin module developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../build/index.html">Building Kerberos V5</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../basic/index.html">Kerberos V5 concepts</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../formats/index.html">Protocols and file formats</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../mitK5features.html">MIT Kerberos features</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../build_this.html">How to build this documentation from the source</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../about.html">Contributing to the MIT Kerberos Documentation</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../resources.html">Resources</a></li>
-</ul>
-
- <br/>
- <h4><a href="../../index.html">Full Table of Contents</a></h4>
- <h4>Search</h4>
- <form class="search" action="../../search.html" method="get">
- <input type="text" name="q" size="18" />
- <input type="submit" value="Go" />
- <input type="hidden" name="check_keywords" value="yes" />
- <input type="hidden" name="area" value="default" />
- </form>
-
- </div>
- <div class="clearer"></div>
- </div>
- </div>
-
- <div class="footer-wrapper">
- <div class="footer" >
- <div class="right" ><i>Release: 1.22-final</i><br />
- &copy; <a href="../../copyright.html">Copyright</a> 1985-2025, MIT.
- </div>
- <div class="left">
-
- <a href="../../index.html" title="Full Table of Contents"
- >Contents</a> |
- <a href="index.html" title="Advanced topics"
- >previous</a> |
- <a href="../various_envs.html" title="Various links"
- >next</a> |
- <a href="../../genindex.html" title="General Index"
- >index</a> |
- <a href="../../search.html" title="Enter search criteria"
- >Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Retiring DES">feedback</a>
- </div>
- </div>
- </div>
-
- </body>
-</html> \ No newline at end of file
diff --git a/crypto/krb5/doc/html/admin/appl_servers.html b/crypto/krb5/doc/html/admin/appl_servers.html
deleted file mode 100644
index b6da7ebb3b80..000000000000
--- a/crypto/krb5/doc/html/admin/appl_servers.html
+++ /dev/null
@@ -1,304 +0,0 @@
-<!DOCTYPE html>
-
-<html lang="en" data-content_root="../">
- <head>
- <meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
-
- <title>Application servers &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../_static/pygments.css?v=fa44fd50" />
- <link rel="stylesheet" type="text/css" href="../_static/agogo.css?v=879f3c71" />
- <link rel="stylesheet" type="text/css" href="../_static/kerb.css?v=6a0b3979" />
- <script src="../_static/documentation_options.js?v=236fef3b"></script>
- <script src="../_static/doctools.js?v=888ff710"></script>
- <script src="../_static/sphinx_highlight.js?v=dc90522c"></script>
- <link rel="author" title="About these documents" href="../about.html" />
- <link rel="index" title="Index" href="../genindex.html" />
- <link rel="search" title="Search" href="../search.html" />
- <link rel="copyright" title="Copyright" href="../copyright.html" />
- <link rel="next" title="Host configuration" href="host_config.html" />
- <link rel="prev" title="Configuring Kerberos with OpenLDAP back-end" href="conf_ldap.html" />
- </head><body>
- <div class="header-wrapper">
- <div class="header">
-
-
- <h1><a href="../index.html">MIT Kerberos Documentation</a></h1>
-
- <div class="rel">
-
- <a href="../index.html" title="Full Table of Contents"
- accesskey="C">Contents</a> |
- <a href="conf_ldap.html" title="Configuring Kerberos with OpenLDAP back-end"
- accesskey="P">previous</a> |
- <a href="host_config.html" title="Host configuration"
- accesskey="N">next</a> |
- <a href="../genindex.html" title="General Index"
- accesskey="I">index</a> |
- <a href="../search.html" title="Enter search criteria"
- accesskey="S">Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Application servers">feedback</a>
- </div>
- </div>
- </div>
-
- <div class="content-wrapper">
- <div class="content">
- <div class="document">
-
- <div class="documentwrapper">
- <div class="bodywrapper">
- <div class="body" role="main">
-
- <section id="application-servers">
-<h1>Application servers<a class="headerlink" href="#application-servers" title="Link to this heading">¶</a></h1>
-<p>If you need to install the Kerberos V5 programs on an application
-server, please refer to the Kerberos V5 Installation Guide. Once you
-have installed the software, you need to add that host to the Kerberos
-database (see <a class="reference internal" href="database.html#principals"><span class="std std-ref">Principals</span></a>), and generate a keytab for that host,
-that contains the host’s key. You also need to make sure the host’s
-clock is within your maximum clock skew of the KDCs.</p>
-<section id="keytabs">
-<h2>Keytabs<a class="headerlink" href="#keytabs" title="Link to this heading">¶</a></h2>
-<p>A keytab is a host’s copy of its own keylist, which is analogous to a
-user’s password. An application server that needs to authenticate
-itself to the KDC has to have a keytab that contains its own principal
-and key. Just as it is important for users to protect their
-passwords, it is equally important for hosts to protect their keytabs.
-You should always store keytab files on local disk, and make them
-readable only by root, and you should never send a keytab file over a
-network in the clear. Ideally, you should run the <a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a>
-command to extract a keytab on the host on which the keytab is to
-reside.</p>
-<section id="adding-principals-to-keytabs">
-<span id="add-princ-kt"></span><h3>Adding principals to keytabs<a class="headerlink" href="#adding-principals-to-keytabs" title="Link to this heading">¶</a></h3>
-<p>To generate a keytab, or to add a principal to an existing keytab, use
-the <strong>ktadd</strong> command from kadmin. Here is a sample session, using
-configuration files that enable only AES encryption:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">ktadd</span> <span class="n">host</span><span class="o">/</span><span class="n">daffodil</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span>
-<span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">host</span><span class="o">/</span><span class="n">daffodil</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">2</span><span class="p">,</span> <span class="n">encryption</span> <span class="nb">type</span> <span class="n">aes256</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span> <span class="n">added</span> <span class="n">to</span> <span class="n">keytab</span> <span class="n">FILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">krb5</span><span class="o">.</span><span class="n">keytab</span>
-<span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">host</span><span class="o">/</span><span class="n">daffodil</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">2</span><span class="p">,</span> <span class="n">encryption</span> <span class="nb">type</span> <span class="n">aes128</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span> <span class="n">added</span> <span class="n">to</span> <span class="n">keytab</span> <span class="n">FILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">krb5</span><span class="o">.</span><span class="n">keytab</span>
-</pre></div>
-</div>
-</section>
-<section id="removing-principals-from-keytabs">
-<h3>Removing principals from keytabs<a class="headerlink" href="#removing-principals-from-keytabs" title="Link to this heading">¶</a></h3>
-<p>To remove a principal from an existing keytab, use the kadmin
-<strong>ktremove</strong> command:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">ktremove</span> <span class="n">host</span><span class="o">/</span><span class="n">daffodil</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span>
-<span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">host</span><span class="o">/</span><span class="n">daffodil</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">2</span> <span class="n">removed</span> <span class="kn">from</span> <span class="nn">keytab</span> <span class="n">FILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">krb5</span><span class="o">.</span><span class="n">keytab</span><span class="o">.</span>
-<span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">host</span><span class="o">/</span><span class="n">daffodil</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">2</span> <span class="n">removed</span> <span class="kn">from</span> <span class="nn">keytab</span> <span class="n">FILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">krb5</span><span class="o">.</span><span class="n">keytab</span><span class="o">.</span>
-</pre></div>
-</div>
-</section>
-<section id="using-a-keytab-to-acquire-client-credentials">
-<h3>Using a keytab to acquire client credentials<a class="headerlink" href="#using-a-keytab-to-acquire-client-credentials" title="Link to this heading">¶</a></h3>
-<p>While keytabs are ordinarily used to accept credentials from clients,
-they can also be used to acquire initial credentials, allowing one
-service to authenticate to another.</p>
-<p>To manually obtain credentials using a keytab, use the <a class="reference internal" href="../user/user_commands/kinit.html#kinit-1"><span class="std std-ref">kinit</span></a>
-<strong>-k</strong> option, together with the <strong>-t</strong> option if the keytab is not in
-the default location.</p>
-<p>Beginning with release 1.11, GSSAPI applications can be configured to
-automatically obtain initial credentials from a keytab as needed. The
-recommended configuration is as follows:</p>
-<ol class="arabic simple">
-<li><p>Create a keytab containing a single entry for the desired client
-identity.</p></li>
-<li><p>Place the keytab in a location readable by the service, and set the
-<strong>KRB5_CLIENT_KTNAME</strong> environment variable to its filename.
-Alternatively, use the <strong>default_client_keytab_name</strong> profile
-variable in <a class="reference internal" href="conf_files/krb5_conf.html#libdefaults"><span class="std std-ref">[libdefaults]</span></a>, or use the default location of
-<a class="reference internal" href="../mitK5defaults.html#paths"><span class="std std-ref">DEFCKTNAME</span></a>.</p></li>
-<li><p>Set <strong>KRB5CCNAME</strong> to a filename writable by the service, which
-will not be used for any other purpose. Do not manually obtain
-credentials at this location. (Another credential cache type
-besides <strong>FILE</strong> can be used if desired, as long the cache will not
-conflict with another use. A <strong>MEMORY</strong> cache can be used if the
-service runs as a long-lived process. See <a class="reference internal" href="../basic/ccache_def.html#ccache-definition"><span class="std std-ref">Credential cache</span></a>
-for details.)</p></li>
-<li><p>Start the service. When it authenticates using GSSAPI, it will
-automatically obtain credentials from the client keytab into the
-specified credential cache, and refresh them before they expire.</p></li>
-</ol>
-</section>
-</section>
-<section id="clock-skew">
-<h2>Clock Skew<a class="headerlink" href="#clock-skew" title="Link to this heading">¶</a></h2>
-<p>A Kerberos application server host must keep its clock synchronized or
-it will reject authentication requests from clients. Modern operating
-systems typically provide a facility to maintain the correct time;
-make sure it is enabled. This is especially important on virtual
-machines, where clocks tend to drift more rapidly than normal machine
-clocks.</p>
-<p>The default allowable clock skew is controlled by the <strong>clockskew</strong>
-variable in <a class="reference internal" href="conf_files/krb5_conf.html#libdefaults"><span class="std std-ref">[libdefaults]</span></a>.</p>
-</section>
-<section id="getting-dns-information-correct">
-<h2>Getting DNS information correct<a class="headerlink" href="#getting-dns-information-correct" title="Link to this heading">¶</a></h2>
-<p>Several aspects of Kerberos rely on name service. When a hostname is
-used to name a service, clients may canonicalize the hostname using
-forward and possibly reverse name resolution. The result of this
-canonicalization must match the principal entry in the host’s keytab,
-or authentication will fail. To work with all client canonicalization
-configurations, each host’s canonical name must be the fully-qualified
-host name (including the domain), and each host’s IP address must
-reverse-resolve to the canonical name.</p>
-<p>Configuration of hostnames varies by operating system. On the
-application server itself, canonicalization will typically use the
-<code class="docutils literal notranslate"><span class="pre">/etc/hosts</span></code> file rather than the DNS. Ensure that the line for the
-server’s hostname is in the following form:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">IP</span> <span class="n">address</span> <span class="n">fully</span><span class="o">-</span><span class="n">qualified</span> <span class="n">hostname</span> <span class="n">aliases</span>
-</pre></div>
-</div>
-<p>Here is a sample <code class="docutils literal notranslate"><span class="pre">/etc/hosts</span></code> file:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="c1"># this is a comment</span>
-<span class="mf">127.0.0.1</span> <span class="n">localhost</span> <span class="n">localhost</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span>
-<span class="mf">10.0.0.6</span> <span class="n">daffodil</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> <span class="n">daffodil</span> <span class="n">trillium</span> <span class="n">wake</span><span class="o">-</span><span class="n">robin</span>
-</pre></div>
-</div>
-<p>The output of <code class="docutils literal notranslate"><span class="pre">klist</span> <span class="pre">-k</span></code> for this example host should look like:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">viola</span><span class="c1"># klist -k</span>
-<span class="n">Keytab</span> <span class="n">name</span><span class="p">:</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">krb5</span><span class="o">.</span><span class="n">keytab</span>
-<span class="n">KVNO</span> <span class="n">Principal</span>
-<span class="o">----</span> <span class="o">------------------------------------------------------------</span>
- <span class="mi">2</span> <span class="n">host</span><span class="o">/</span><span class="n">daffodil</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span>
-</pre></div>
-</div>
-<p>If you were to ssh to this host with a fresh credentials cache (ticket
-file), and then <a class="reference internal" href="../user/user_commands/klist.html#klist-1"><span class="std std-ref">klist</span></a>, the output should list a service
-principal of <code class="docutils literal notranslate"><span class="pre">host/daffodil.mit.edu&#64;ATHENA.MIT.EDU</span></code>.</p>
-</section>
-<section id="configuring-your-firewall-to-work-with-kerberos-v5">
-<span id="conf-firewall"></span><h2>Configuring your firewall to work with Kerberos V5<a class="headerlink" href="#configuring-your-firewall-to-work-with-kerberos-v5" title="Link to this heading">¶</a></h2>
-<p>If you need off-site users to be able to get Kerberos tickets in your
-realm, they must be able to get to your KDC. This requires either
-that you have a replica KDC outside your firewall, or that you
-configure your firewall to allow UDP requests into at least one of
-your KDCs, on whichever port the KDC is running. (The default is port
-88; other ports may be specified in the KDC’s <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>
-file.) Similarly, if you need off-site users to be able to change
-their passwords in your realm, they must be able to get to your
-Kerberos admin server on the kpasswd port (which defaults to 464). If
-you need off-site users to be able to administer your Kerberos realm,
-they must be able to get to your Kerberos admin server on the
-administrative port (which defaults to 749).</p>
-<p>If your on-site users inside your firewall will need to get to KDCs in
-other realms, you will also need to configure your firewall to allow
-outgoing TCP and UDP requests to port 88, and to port 464 to allow
-password changes. If your on-site users inside your firewall will
-need to get to Kerberos admin servers in other realms, you will also
-need to allow outgoing TCP and UDP requests to port 749.</p>
-<p>If any of your KDCs are outside your firewall, you will need to allow
-kprop requests to get through to the remote KDC. <a class="reference internal" href="admin_commands/kprop.html#kprop-8"><span class="std std-ref">kprop</span></a> uses
-the <code class="docutils literal notranslate"><span class="pre">krb5_prop</span></code> service on port 754 (tcp).</p>
-<p>The book <em>UNIX System Security</em>, by David Curry, is a good starting
-point for learning to configure firewalls.</p>
-</section>
-</section>
-
-
- <div class="clearer"></div>
- </div>
- </div>
- </div>
- </div>
- <div class="sidebar">
-
- <h2>On this page</h2>
- <ul>
-<li><a class="reference internal" href="#">Application servers</a><ul>
-<li><a class="reference internal" href="#keytabs">Keytabs</a><ul>
-<li><a class="reference internal" href="#adding-principals-to-keytabs">Adding principals to keytabs</a></li>
-<li><a class="reference internal" href="#removing-principals-from-keytabs">Removing principals from keytabs</a></li>
-<li><a class="reference internal" href="#using-a-keytab-to-acquire-client-credentials">Using a keytab to acquire client credentials</a></li>
-</ul>
-</li>
-<li><a class="reference internal" href="#clock-skew">Clock Skew</a></li>
-<li><a class="reference internal" href="#getting-dns-information-correct">Getting DNS information correct</a></li>
-<li><a class="reference internal" href="#configuring-your-firewall-to-work-with-kerberos-v5">Configuring your firewall to work with Kerberos V5</a></li>
-</ul>
-</li>
-</ul>
-
- <br/>
- <h2>Table of contents</h2>
- <ul class="current">
-<li class="toctree-l1"><a class="reference internal" href="../user/index.html">For users</a></li>
-<li class="toctree-l1 current"><a class="reference internal" href="index.html">For administrators</a><ul class="current">
-<li class="toctree-l2"><a class="reference internal" href="install.html">Installation guide</a></li>
-<li class="toctree-l2"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li>
-<li class="toctree-l2"><a class="reference internal" href="realm_config.html">Realm configuration decisions</a></li>
-<li class="toctree-l2"><a class="reference internal" href="database.html">Database administration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="dbtypes.html">Database types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="lockout.html">Account lockout</a></li>
-<li class="toctree-l2"><a class="reference internal" href="conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
-<li class="toctree-l2 current"><a class="current reference internal" href="#">Application servers</a></li>
-<li class="toctree-l2"><a class="reference internal" href="host_config.html">Host configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="backup_host.html">Backups of secure hosts</a></li>
-<li class="toctree-l2"><a class="reference internal" href="pkinit.html">PKINIT configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="otp.html">OTP Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="spake.html">SPAKE Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="dictionary.html">Addressing dictionary attack risks</a></li>
-<li class="toctree-l2"><a class="reference internal" href="princ_dns.html">Principal names and DNS</a></li>
-<li class="toctree-l2"><a class="reference internal" href="enctypes.html">Encryption types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="https.html">HTTPS proxy configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="auth_indicator.html">Authentication indicators</a></li>
-<li class="toctree-l2"><a class="reference internal" href="admin_commands/index.html">Administration programs</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../mitK5defaults.html">MIT Kerberos defaults</a></li>
-<li class="toctree-l2"><a class="reference internal" href="env_variables.html">Environment variables</a></li>
-<li class="toctree-l2"><a class="reference internal" href="troubleshoot.html">Troubleshooting</a></li>
-<li class="toctree-l2"><a class="reference internal" href="advanced/index.html">Advanced topics</a></li>
-<li class="toctree-l2"><a class="reference internal" href="various_envs.html">Various links</a></li>
-</ul>
-</li>
-<li class="toctree-l1"><a class="reference internal" href="../appdev/index.html">For application developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../plugindev/index.html">For plugin module developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../basic/index.html">Kerberos V5 concepts</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../formats/index.html">Protocols and file formats</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../build_this.html">How to build this documentation from the source</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../about.html">Contributing to the MIT Kerberos Documentation</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../resources.html">Resources</a></li>
-</ul>
-
- <br/>
- <h4><a href="../index.html">Full Table of Contents</a></h4>
- <h4>Search</h4>
- <form class="search" action="../search.html" method="get">
- <input type="text" name="q" size="18" />
- <input type="submit" value="Go" />
- <input type="hidden" name="check_keywords" value="yes" />
- <input type="hidden" name="area" value="default" />
- </form>
-
- </div>
- <div class="clearer"></div>
- </div>
- </div>
-
- <div class="footer-wrapper">
- <div class="footer" >
- <div class="right" ><i>Release: 1.22-final</i><br />
- &copy; <a href="../copyright.html">Copyright</a> 1985-2025, MIT.
- </div>
- <div class="left">
-
- <a href="../index.html" title="Full Table of Contents"
- >Contents</a> |
- <a href="conf_ldap.html" title="Configuring Kerberos with OpenLDAP back-end"
- >previous</a> |
- <a href="host_config.html" title="Host configuration"
- >next</a> |
- <a href="../genindex.html" title="General Index"
- >index</a> |
- <a href="../search.html" title="Enter search criteria"
- >Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Application servers">feedback</a>
- </div>
- </div>
- </div>
-
- </body>
-</html> \ No newline at end of file
diff --git a/crypto/krb5/doc/html/admin/auth_indicator.html b/crypto/krb5/doc/html/admin/auth_indicator.html
deleted file mode 100644
index 0a8e684e45a5..000000000000
--- a/crypto/krb5/doc/html/admin/auth_indicator.html
+++ /dev/null
@@ -1,199 +0,0 @@
-<!DOCTYPE html>
-
-<html lang="en" data-content_root="../">
- <head>
- <meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
-
- <title>Authentication indicators &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../_static/pygments.css?v=fa44fd50" />
- <link rel="stylesheet" type="text/css" href="../_static/agogo.css?v=879f3c71" />
- <link rel="stylesheet" type="text/css" href="../_static/kerb.css?v=6a0b3979" />
- <script src="../_static/documentation_options.js?v=236fef3b"></script>
- <script src="../_static/doctools.js?v=888ff710"></script>
- <script src="../_static/sphinx_highlight.js?v=dc90522c"></script>
- <link rel="author" title="About these documents" href="../about.html" />
- <link rel="index" title="Index" href="../genindex.html" />
- <link rel="search" title="Search" href="../search.html" />
- <link rel="copyright" title="Copyright" href="../copyright.html" />
- <link rel="next" title="Administration programs" href="admin_commands/index.html" />
- <link rel="prev" title="HTTPS proxy configuration" href="https.html" />
- </head><body>
- <div class="header-wrapper">
- <div class="header">
-
-
- <h1><a href="../index.html">MIT Kerberos Documentation</a></h1>
-
- <div class="rel">
-
- <a href="../index.html" title="Full Table of Contents"
- accesskey="C">Contents</a> |
- <a href="https.html" title="HTTPS proxy configuration"
- accesskey="P">previous</a> |
- <a href="admin_commands/index.html" title="Administration programs"
- accesskey="N">next</a> |
- <a href="../genindex.html" title="General Index"
- accesskey="I">index</a> |
- <a href="../search.html" title="Enter search criteria"
- accesskey="S">Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Authentication indicators">feedback</a>
- </div>
- </div>
- </div>
-
- <div class="content-wrapper">
- <div class="content">
- <div class="document">
-
- <div class="documentwrapper">
- <div class="bodywrapper">
- <div class="body" role="main">
-
- <section id="authentication-indicators">
-<span id="auth-indicator"></span><h1>Authentication indicators<a class="headerlink" href="#authentication-indicators" title="Link to this heading">¶</a></h1>
-<p>As of release 1.14, the KDC can be configured to annotate tickets if
-the client authenticated using a stronger preauthentication mechanism
-such as <a class="reference internal" href="pkinit.html#pkinit"><span class="std std-ref">PKINIT</span></a> or <a class="reference internal" href="otp.html#otp-preauth"><span class="std std-ref">OTP</span></a>. These
-annotations are called “authentication indicators.” Service
-principals can be configured to require particular authentication
-indicators in order to authenticate to that service. An
-authentication indicator value can be any string chosen by the KDC
-administrator; there are no pre-set values.</p>
-<p>To use authentication indicators with PKINIT or OTP, first configure
-the KDC to include an indicator when that preauthentication mechanism
-is used. For PKINIT, use the <strong>pkinit_indicator</strong> variable in
-<a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>. For OTP, use the <strong>indicator</strong> variable in the
-token type definition, or specify the indicators in the <strong>otp</strong> user
-string as described in <a class="reference internal" href="otp.html#otp-preauth"><span class="std std-ref">OTP Preauthentication</span></a>.</p>
-<p>To require an indicator to be present in order to authenticate to a
-service principal, set the <strong>require_auth</strong> string attribute on the
-principal to the indicator value to be required. If you wish to allow
-one of several indicators to be accepted, you can specify multiple
-indicator values separated by spaces.</p>
-<p>For example, a realm could be configured to set the authentication
-indicator value “strong” when PKINIT is used to authenticate, using a
-setting in the <a class="reference internal" href="conf_files/kdc_conf.html#kdc-realms"><span class="std std-ref">[realms]</span></a> subsection:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">pkinit_indicator</span> <span class="o">=</span> <span class="n">strong</span>
-</pre></div>
-</div>
-<p>A service principal could be configured to require the “strong”
-authentication indicator value:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>$ kadmin setstr host/high.value.server require_auth strong
-Password for user/admin@KRBTEST.COM:
-</pre></div>
-</div>
-<p>A user who authenticates with PKINIT would be able to obtain a ticket
-for the service principal:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>$ kinit -X X509_user_identity=FILE:/my/cert.pem,/my/key.pem user
-$ kvno host/high.value.server
-host/high.value.server@KRBTEST.COM: kvno = 1
-</pre></div>
-</div>
-<p>but a user who authenticates with a password would not:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>$ kinit user
-Password for user@KRBTEST.COM:
-$ kvno host/high.value.server
-kvno: KDC policy rejects request while getting credentials for
- host/high.value.server@KRBTEST.COM
-</pre></div>
-</div>
-<p>GSSAPI server applications can inspect authentication indicators
-through the <a class="reference internal" href="../appdev/gssapi.html#gssapi-authind-attr"><span class="std std-ref">auth-indicators</span></a> name
-attribute.</p>
-</section>
-
-
- <div class="clearer"></div>
- </div>
- </div>
- </div>
- </div>
- <div class="sidebar">
-
- <h2>On this page</h2>
- <ul>
-<li><a class="reference internal" href="#">Authentication indicators</a></li>
-</ul>
-
- <br/>
- <h2>Table of contents</h2>
- <ul class="current">
-<li class="toctree-l1"><a class="reference internal" href="../user/index.html">For users</a></li>
-<li class="toctree-l1 current"><a class="reference internal" href="index.html">For administrators</a><ul class="current">
-<li class="toctree-l2"><a class="reference internal" href="install.html">Installation guide</a></li>
-<li class="toctree-l2"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li>
-<li class="toctree-l2"><a class="reference internal" href="realm_config.html">Realm configuration decisions</a></li>
-<li class="toctree-l2"><a class="reference internal" href="database.html">Database administration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="dbtypes.html">Database types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="lockout.html">Account lockout</a></li>
-<li class="toctree-l2"><a class="reference internal" href="conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
-<li class="toctree-l2"><a class="reference internal" href="appl_servers.html">Application servers</a></li>
-<li class="toctree-l2"><a class="reference internal" href="host_config.html">Host configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="backup_host.html">Backups of secure hosts</a></li>
-<li class="toctree-l2"><a class="reference internal" href="pkinit.html">PKINIT configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="otp.html">OTP Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="spake.html">SPAKE Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="dictionary.html">Addressing dictionary attack risks</a></li>
-<li class="toctree-l2"><a class="reference internal" href="princ_dns.html">Principal names and DNS</a></li>
-<li class="toctree-l2"><a class="reference internal" href="enctypes.html">Encryption types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="https.html">HTTPS proxy configuration</a></li>
-<li class="toctree-l2 current"><a class="current reference internal" href="#">Authentication indicators</a></li>
-<li class="toctree-l2"><a class="reference internal" href="admin_commands/index.html">Administration programs</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../mitK5defaults.html">MIT Kerberos defaults</a></li>
-<li class="toctree-l2"><a class="reference internal" href="env_variables.html">Environment variables</a></li>
-<li class="toctree-l2"><a class="reference internal" href="troubleshoot.html">Troubleshooting</a></li>
-<li class="toctree-l2"><a class="reference internal" href="advanced/index.html">Advanced topics</a></li>
-<li class="toctree-l2"><a class="reference internal" href="various_envs.html">Various links</a></li>
-</ul>
-</li>
-<li class="toctree-l1"><a class="reference internal" href="../appdev/index.html">For application developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../plugindev/index.html">For plugin module developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../basic/index.html">Kerberos V5 concepts</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../formats/index.html">Protocols and file formats</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../build_this.html">How to build this documentation from the source</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../about.html">Contributing to the MIT Kerberos Documentation</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../resources.html">Resources</a></li>
-</ul>
-
- <br/>
- <h4><a href="../index.html">Full Table of Contents</a></h4>
- <h4>Search</h4>
- <form class="search" action="../search.html" method="get">
- <input type="text" name="q" size="18" />
- <input type="submit" value="Go" />
- <input type="hidden" name="check_keywords" value="yes" />
- <input type="hidden" name="area" value="default" />
- </form>
-
- </div>
- <div class="clearer"></div>
- </div>
- </div>
-
- <div class="footer-wrapper">
- <div class="footer" >
- <div class="right" ><i>Release: 1.22-final</i><br />
- &copy; <a href="../copyright.html">Copyright</a> 1985-2025, MIT.
- </div>
- <div class="left">
-
- <a href="../index.html" title="Full Table of Contents"
- >Contents</a> |
- <a href="https.html" title="HTTPS proxy configuration"
- >previous</a> |
- <a href="admin_commands/index.html" title="Administration programs"
- >next</a> |
- <a href="../genindex.html" title="General Index"
- >index</a> |
- <a href="../search.html" title="Enter search criteria"
- >Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Authentication indicators">feedback</a>
- </div>
- </div>
- </div>
-
- </body>
-</html> \ No newline at end of file
diff --git a/crypto/krb5/doc/html/admin/backup_host.html b/crypto/krb5/doc/html/admin/backup_host.html
deleted file mode 100644
index 987b9e652e51..000000000000
--- a/crypto/krb5/doc/html/admin/backup_host.html
+++ /dev/null
@@ -1,182 +0,0 @@
-<!DOCTYPE html>
-
-<html lang="en" data-content_root="../">
- <head>
- <meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
-
- <title>Backups of secure hosts &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../_static/pygments.css?v=fa44fd50" />
- <link rel="stylesheet" type="text/css" href="../_static/agogo.css?v=879f3c71" />
- <link rel="stylesheet" type="text/css" href="../_static/kerb.css?v=6a0b3979" />
- <script src="../_static/documentation_options.js?v=236fef3b"></script>
- <script src="../_static/doctools.js?v=888ff710"></script>
- <script src="../_static/sphinx_highlight.js?v=dc90522c"></script>
- <link rel="author" title="About these documents" href="../about.html" />
- <link rel="index" title="Index" href="../genindex.html" />
- <link rel="search" title="Search" href="../search.html" />
- <link rel="copyright" title="Copyright" href="../copyright.html" />
- <link rel="next" title="PKINIT configuration" href="pkinit.html" />
- <link rel="prev" title="Host configuration" href="host_config.html" />
- </head><body>
- <div class="header-wrapper">
- <div class="header">
-
-
- <h1><a href="../index.html">MIT Kerberos Documentation</a></h1>
-
- <div class="rel">
-
- <a href="../index.html" title="Full Table of Contents"
- accesskey="C">Contents</a> |
- <a href="host_config.html" title="Host configuration"
- accesskey="P">previous</a> |
- <a href="pkinit.html" title="PKINIT configuration"
- accesskey="N">next</a> |
- <a href="../genindex.html" title="General Index"
- accesskey="I">index</a> |
- <a href="../search.html" title="Enter search criteria"
- accesskey="S">Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Backups of secure hosts">feedback</a>
- </div>
- </div>
- </div>
-
- <div class="content-wrapper">
- <div class="content">
- <div class="document">
-
- <div class="documentwrapper">
- <div class="bodywrapper">
- <div class="body" role="main">
-
- <section id="backups-of-secure-hosts">
-<h1>Backups of secure hosts<a class="headerlink" href="#backups-of-secure-hosts" title="Link to this heading">¶</a></h1>
-<p>When you back up a secure host, you should exclude the host’s keytab
-file from the backup. If someone obtained a copy of the keytab from a
-backup, that person could make any host masquerade as the host whose
-keytab was compromised. In many configurations, knowledge of the
-host’s keytab also allows root access to the host. This could be
-particularly dangerous if the compromised keytab was from one of your
-KDCs. If the machine has a disk crash and the keytab file is lost, it
-is easy to generate another keytab file. (See <a class="reference internal" href="appl_servers.html#add-princ-kt"><span class="std std-ref">Adding principals to keytabs</span></a>.)
-If you are unable to exclude particular files from backups, you should
-ensure that the backups are kept as secure as the host’s root
-password.</p>
-<section id="backing-up-the-kerberos-database">
-<h2>Backing up the Kerberos database<a class="headerlink" href="#backing-up-the-kerberos-database" title="Link to this heading">¶</a></h2>
-<p>As with any file, it is possible that your Kerberos database could
-become corrupted. If this happens on one of the replica KDCs, you
-might never notice, since the next automatic propagation of the
-database would install a fresh copy. However, if it happens to the
-primary KDC, the corrupted database would be propagated to all of the
-replicas during the next propagation. For this reason, MIT recommends
-that you back up your Kerberos database regularly. Because the primary
-KDC is continuously dumping the database to a file in order to
-propagate it to the replica KDCs, it is a simple matter to have a cron
-job periodically copy the dump file to a secure machine elsewhere on
-your network. (Of course, it is important to make the host where
-these backups are stored as secure as your KDCs, and to encrypt its
-transmission across your network.) Then if your database becomes
-corrupted, you can load the most recent dump onto the primary KDC.
-(See <a class="reference internal" href="database.html#restore-from-dump"><span class="std std-ref">Dumping and loading a Kerberos database</span></a>.)</p>
-</section>
-</section>
-
-
- <div class="clearer"></div>
- </div>
- </div>
- </div>
- </div>
- <div class="sidebar">
-
- <h2>On this page</h2>
- <ul>
-<li><a class="reference internal" href="#">Backups of secure hosts</a><ul>
-<li><a class="reference internal" href="#backing-up-the-kerberos-database">Backing up the Kerberos database</a></li>
-</ul>
-</li>
-</ul>
-
- <br/>
- <h2>Table of contents</h2>
- <ul class="current">
-<li class="toctree-l1"><a class="reference internal" href="../user/index.html">For users</a></li>
-<li class="toctree-l1 current"><a class="reference internal" href="index.html">For administrators</a><ul class="current">
-<li class="toctree-l2"><a class="reference internal" href="install.html">Installation guide</a></li>
-<li class="toctree-l2"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li>
-<li class="toctree-l2"><a class="reference internal" href="realm_config.html">Realm configuration decisions</a></li>
-<li class="toctree-l2"><a class="reference internal" href="database.html">Database administration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="dbtypes.html">Database types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="lockout.html">Account lockout</a></li>
-<li class="toctree-l2"><a class="reference internal" href="conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
-<li class="toctree-l2"><a class="reference internal" href="appl_servers.html">Application servers</a></li>
-<li class="toctree-l2"><a class="reference internal" href="host_config.html">Host configuration</a></li>
-<li class="toctree-l2 current"><a class="current reference internal" href="#">Backups of secure hosts</a></li>
-<li class="toctree-l2"><a class="reference internal" href="pkinit.html">PKINIT configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="otp.html">OTP Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="spake.html">SPAKE Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="dictionary.html">Addressing dictionary attack risks</a></li>
-<li class="toctree-l2"><a class="reference internal" href="princ_dns.html">Principal names and DNS</a></li>
-<li class="toctree-l2"><a class="reference internal" href="enctypes.html">Encryption types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="https.html">HTTPS proxy configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="auth_indicator.html">Authentication indicators</a></li>
-<li class="toctree-l2"><a class="reference internal" href="admin_commands/index.html">Administration programs</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../mitK5defaults.html">MIT Kerberos defaults</a></li>
-<li class="toctree-l2"><a class="reference internal" href="env_variables.html">Environment variables</a></li>
-<li class="toctree-l2"><a class="reference internal" href="troubleshoot.html">Troubleshooting</a></li>
-<li class="toctree-l2"><a class="reference internal" href="advanced/index.html">Advanced topics</a></li>
-<li class="toctree-l2"><a class="reference internal" href="various_envs.html">Various links</a></li>
-</ul>
-</li>
-<li class="toctree-l1"><a class="reference internal" href="../appdev/index.html">For application developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../plugindev/index.html">For plugin module developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../basic/index.html">Kerberos V5 concepts</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../formats/index.html">Protocols and file formats</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../build_this.html">How to build this documentation from the source</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../about.html">Contributing to the MIT Kerberos Documentation</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../resources.html">Resources</a></li>
-</ul>
-
- <br/>
- <h4><a href="../index.html">Full Table of Contents</a></h4>
- <h4>Search</h4>
- <form class="search" action="../search.html" method="get">
- <input type="text" name="q" size="18" />
- <input type="submit" value="Go" />
- <input type="hidden" name="check_keywords" value="yes" />
- <input type="hidden" name="area" value="default" />
- </form>
-
- </div>
- <div class="clearer"></div>
- </div>
- </div>
-
- <div class="footer-wrapper">
- <div class="footer" >
- <div class="right" ><i>Release: 1.22-final</i><br />
- &copy; <a href="../copyright.html">Copyright</a> 1985-2025, MIT.
- </div>
- <div class="left">
-
- <a href="../index.html" title="Full Table of Contents"
- >Contents</a> |
- <a href="host_config.html" title="Host configuration"
- >previous</a> |
- <a href="pkinit.html" title="PKINIT configuration"
- >next</a> |
- <a href="../genindex.html" title="General Index"
- >index</a> |
- <a href="../search.html" title="Enter search criteria"
- >Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Backups of secure hosts">feedback</a>
- </div>
- </div>
- </div>
-
- </body>
-</html> \ No newline at end of file
diff --git a/crypto/krb5/doc/html/admin/conf_files/index.html b/crypto/krb5/doc/html/admin/conf_files/index.html
deleted file mode 100644
index a309e76072c9..000000000000
--- a/crypto/krb5/doc/html/admin/conf_files/index.html
+++ /dev/null
@@ -1,176 +0,0 @@
-<!DOCTYPE html>
-
-<html lang="en" data-content_root="../../">
- <head>
- <meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
-
- <title>Configuration Files &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../../_static/pygments.css?v=fa44fd50" />
- <link rel="stylesheet" type="text/css" href="../../_static/agogo.css?v=879f3c71" />
- <link rel="stylesheet" type="text/css" href="../../_static/kerb.css?v=6a0b3979" />
- <script src="../../_static/documentation_options.js?v=236fef3b"></script>
- <script src="../../_static/doctools.js?v=888ff710"></script>
- <script src="../../_static/sphinx_highlight.js?v=dc90522c"></script>
- <link rel="author" title="About these documents" href="../../about.html" />
- <link rel="index" title="Index" href="../../genindex.html" />
- <link rel="search" title="Search" href="../../search.html" />
- <link rel="copyright" title="Copyright" href="../../copyright.html" />
- <link rel="next" title="krb5.conf" href="krb5_conf.html" />
- <link rel="prev" title="UNIX Application Servers" href="../install_appl_srv.html" />
- </head><body>
- <div class="header-wrapper">
- <div class="header">
-
-
- <h1><a href="../../index.html">MIT Kerberos Documentation</a></h1>
-
- <div class="rel">
-
- <a href="../../index.html" title="Full Table of Contents"
- accesskey="C">Contents</a> |
- <a href="../install_appl_srv.html" title="UNIX Application Servers"
- accesskey="P">previous</a> |
- <a href="krb5_conf.html" title="krb5.conf"
- accesskey="N">next</a> |
- <a href="../../genindex.html" title="General Index"
- accesskey="I">index</a> |
- <a href="../../search.html" title="Enter search criteria"
- accesskey="S">Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Configuration Files">feedback</a>
- </div>
- </div>
- </div>
-
- <div class="content-wrapper">
- <div class="content">
- <div class="document">
-
- <div class="documentwrapper">
- <div class="bodywrapper">
- <div class="body" role="main">
-
- <section id="configuration-files">
-<h1>Configuration Files<a class="headerlink" href="#configuration-files" title="Link to this heading">¶</a></h1>
-<p>Kerberos uses configuration files to allow administrators to specify
-settings on a per-machine basis. <a class="reference internal" href="krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a> applies to all
-applications using the Kerboros library, on clients and servers.
-For KDC-specific applications, additional settings can be specified in
-<a class="reference internal" href="kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>; the two files are merged into a configuration profile
-used by applications accessing the KDC database directly. <a class="reference internal" href="kadm5_acl.html#kadm5-acl-5"><span class="std std-ref">kadm5.acl</span></a>
-is also only used on the KDC, it controls permissions for modifying the
-KDC database.</p>
-<section id="contents">
-<h2>Contents<a class="headerlink" href="#contents" title="Link to this heading">¶</a></h2>
-<div class="toctree-wrapper compound">
-<ul>
-<li class="toctree-l1"><a class="reference internal" href="krb5_conf.html">krb5.conf</a></li>
-<li class="toctree-l1"><a class="reference internal" href="kdc_conf.html">kdc.conf</a></li>
-<li class="toctree-l1"><a class="reference internal" href="kadm5_acl.html">kadm5.acl</a></li>
-</ul>
-</div>
-</section>
-</section>
-
-
- <div class="clearer"></div>
- </div>
- </div>
- </div>
- </div>
- <div class="sidebar">
-
- <h2>On this page</h2>
- <ul>
-<li><a class="reference internal" href="#">Configuration Files</a><ul>
-<li><a class="reference internal" href="#contents">Contents</a></li>
-</ul>
-</li>
-</ul>
-
- <br/>
- <h2>Table of contents</h2>
- <ul class="current">
-<li class="toctree-l1"><a class="reference internal" href="../../user/index.html">For users</a></li>
-<li class="toctree-l1 current"><a class="reference internal" href="../index.html">For administrators</a><ul class="current">
-<li class="toctree-l2"><a class="reference internal" href="../install.html">Installation guide</a></li>
-<li class="toctree-l2 current"><a class="current reference internal" href="#">Configuration Files</a><ul>
-<li class="toctree-l3"><a class="reference internal" href="krb5_conf.html">krb5.conf</a></li>
-<li class="toctree-l3"><a class="reference internal" href="kdc_conf.html">kdc.conf</a></li>
-<li class="toctree-l3"><a class="reference internal" href="kadm5_acl.html">kadm5.acl</a></li>
-</ul>
-</li>
-<li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../dbtypes.html">Database types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../host_config.html">Host configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../spake.html">SPAKE Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../dictionary.html">Addressing dictionary attack risks</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../auth_indicator.html">Authentication indicators</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../admin_commands/index.html">Administration programs</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../../mitK5defaults.html">MIT Kerberos defaults</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../env_variables.html">Environment variables</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../troubleshoot.html">Troubleshooting</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../advanced/index.html">Advanced topics</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../various_envs.html">Various links</a></li>
-</ul>
-</li>
-<li class="toctree-l1"><a class="reference internal" href="../../appdev/index.html">For application developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../plugindev/index.html">For plugin module developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../build/index.html">Building Kerberos V5</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../basic/index.html">Kerberos V5 concepts</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../formats/index.html">Protocols and file formats</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../mitK5features.html">MIT Kerberos features</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../build_this.html">How to build this documentation from the source</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../about.html">Contributing to the MIT Kerberos Documentation</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../resources.html">Resources</a></li>
-</ul>
-
- <br/>
- <h4><a href="../../index.html">Full Table of Contents</a></h4>
- <h4>Search</h4>
- <form class="search" action="../../search.html" method="get">
- <input type="text" name="q" size="18" />
- <input type="submit" value="Go" />
- <input type="hidden" name="check_keywords" value="yes" />
- <input type="hidden" name="area" value="default" />
- </form>
-
- </div>
- <div class="clearer"></div>
- </div>
- </div>
-
- <div class="footer-wrapper">
- <div class="footer" >
- <div class="right" ><i>Release: 1.22-final</i><br />
- &copy; <a href="../../copyright.html">Copyright</a> 1985-2025, MIT.
- </div>
- <div class="left">
-
- <a href="../../index.html" title="Full Table of Contents"
- >Contents</a> |
- <a href="../install_appl_srv.html" title="UNIX Application Servers"
- >previous</a> |
- <a href="krb5_conf.html" title="krb5.conf"
- >next</a> |
- <a href="../../genindex.html" title="General Index"
- >index</a> |
- <a href="../../search.html" title="Enter search criteria"
- >Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Configuration Files">feedback</a>
- </div>
- </div>
- </div>
-
- </body>
-</html> \ No newline at end of file
diff --git a/crypto/krb5/doc/html/admin/conf_files/kadm5_acl.html b/crypto/krb5/doc/html/admin/conf_files/kadm5_acl.html
deleted file mode 100644
index 17e628141aa1..000000000000
--- a/crypto/krb5/doc/html/admin/conf_files/kadm5_acl.html
+++ /dev/null
@@ -1,331 +0,0 @@
-<!DOCTYPE html>
-
-<html lang="en" data-content_root="../../">
- <head>
- <meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
-
- <title>kadm5.acl &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../../_static/pygments.css?v=fa44fd50" />
- <link rel="stylesheet" type="text/css" href="../../_static/agogo.css?v=879f3c71" />
- <link rel="stylesheet" type="text/css" href="../../_static/kerb.css?v=6a0b3979" />
- <script src="../../_static/documentation_options.js?v=236fef3b"></script>
- <script src="../../_static/doctools.js?v=888ff710"></script>
- <script src="../../_static/sphinx_highlight.js?v=dc90522c"></script>
- <link rel="author" title="About these documents" href="../../about.html" />
- <link rel="index" title="Index" href="../../genindex.html" />
- <link rel="search" title="Search" href="../../search.html" />
- <link rel="copyright" title="Copyright" href="../../copyright.html" />
- <link rel="next" title="Realm configuration decisions" href="../realm_config.html" />
- <link rel="prev" title="kdc.conf" href="kdc_conf.html" />
- </head><body>
- <div class="header-wrapper">
- <div class="header">
-
-
- <h1><a href="../../index.html">MIT Kerberos Documentation</a></h1>
-
- <div class="rel">
-
- <a href="../../index.html" title="Full Table of Contents"
- accesskey="C">Contents</a> |
- <a href="kdc_conf.html" title="kdc.conf"
- accesskey="P">previous</a> |
- <a href="../realm_config.html" title="Realm configuration decisions"
- accesskey="N">next</a> |
- <a href="../../genindex.html" title="General Index"
- accesskey="I">index</a> |
- <a href="../../search.html" title="Enter search criteria"
- accesskey="S">Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__kadm5.acl">feedback</a>
- </div>
- </div>
- </div>
-
- <div class="content-wrapper">
- <div class="content">
- <div class="document">
-
- <div class="documentwrapper">
- <div class="bodywrapper">
- <div class="body" role="main">
-
- <section id="kadm5-acl">
-<span id="kadm5-acl-5"></span><h1>kadm5.acl<a class="headerlink" href="#kadm5-acl" title="Link to this heading">¶</a></h1>
-<section id="description">
-<h2>DESCRIPTION<a class="headerlink" href="#description" title="Link to this heading">¶</a></h2>
-<p>The Kerberos <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> daemon uses an Access Control List
-(ACL) file to manage access rights to the Kerberos database.
-For operations that affect principals, the ACL file also controls
-which principals can operate on which other principals.</p>
-<p>The default location of the Kerberos ACL file is
-<a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">LOCALSTATEDIR</span></a><code class="docutils literal notranslate"><span class="pre">/krb5kdc</span></code><code class="docutils literal notranslate"><span class="pre">/kadm5.acl</span></code> unless this is overridden by the <em>acl_file</em>
-variable in <a class="reference internal" href="kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>.</p>
-</section>
-<section id="syntax">
-<h2>SYNTAX<a class="headerlink" href="#syntax" title="Link to this heading">¶</a></h2>
-<p>Empty lines and lines starting with the sharp sign (<code class="docutils literal notranslate"><span class="pre">#</span></code>) are
-ignored. Lines containing ACL entries have the format:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">principal</span> <span class="n">permissions</span> <span class="p">[</span><span class="n">target_principal</span> <span class="p">[</span><span class="n">restrictions</span><span class="p">]</span> <span class="p">]</span>
-</pre></div>
-</div>
-<div class="admonition note">
-<p class="admonition-title">Note</p>
-<p>Line order in the ACL file is important. The first matching entry
-will control access for an actor principal on a target principal.</p>
-</div>
-<dl>
-<dt><em>principal</em></dt><dd><p>(Partially or fully qualified Kerberos principal name.) Specifies
-the principal whose permissions are to be set.</p>
-<p>Each component of the name may be wildcarded using the <code class="docutils literal notranslate"><span class="pre">*</span></code>
-character.</p>
-</dd>
-<dt><em>permissions</em></dt><dd><p>Specifies what operations may or may not be performed by a
-<em>principal</em> matching a particular entry. This is a string of one or
-more of the following list of characters or their upper-case
-counterparts. If the character is <em>upper-case</em>, then the operation
-is disallowed. If the character is <em>lower-case</em>, then the operation
-is permitted.</p>
-<table class="docutils align-default">
-<tbody>
-<tr class="row-odd"><td><p>a</p></td>
-<td><p>[Dis]allows the addition of principals or policies</p></td>
-</tr>
-<tr class="row-even"><td><p>c</p></td>
-<td><p>[Dis]allows the changing of passwords for principals</p></td>
-</tr>
-<tr class="row-odd"><td><p>d</p></td>
-<td><p>[Dis]allows the deletion of principals or policies</p></td>
-</tr>
-<tr class="row-even"><td><p>e</p></td>
-<td><p>[Dis]allows the extraction of principal keys</p></td>
-</tr>
-<tr class="row-odd"><td><p>i</p></td>
-<td><p>[Dis]allows inquiries about principals or policies</p></td>
-</tr>
-<tr class="row-even"><td><p>l</p></td>
-<td><p>[Dis]allows the listing of all principals or policies</p></td>
-</tr>
-<tr class="row-odd"><td><p>m</p></td>
-<td><p>[Dis]allows the modification of principals or policies</p></td>
-</tr>
-<tr class="row-even"><td><p>p</p></td>
-<td><p>[Dis]allows the propagation of the principal database (used in <a class="reference internal" href="../database.html#incr-db-prop"><span class="std std-ref">Incremental database propagation</span></a>)</p></td>
-</tr>
-<tr class="row-odd"><td><p>s</p></td>
-<td><p>[Dis]allows the explicit setting of the key for a principal</p></td>
-</tr>
-<tr class="row-even"><td><p>x</p></td>
-<td><p>Short for admcilsp. All privileges (except <code class="docutils literal notranslate"><span class="pre">e</span></code>)</p></td>
-</tr>
-<tr class="row-odd"><td><p>*</p></td>
-<td><p>Same as x.</p></td>
-</tr>
-</tbody>
-</table>
-</dd>
-</dl>
-<div class="admonition note">
-<p class="admonition-title">Note</p>
-<p>The <code class="docutils literal notranslate"><span class="pre">extract</span></code> privilege is not included in the wildcard
-privilege; it must be explicitly assigned. This privilege
-allows the user to extract keys from the database, and must be
-handled with great care to avoid disclosure of important keys
-like those of the kadmin/* or krbtgt/* principals. The
-<strong>lockdown_keys</strong> principal attribute can be used to prevent
-key extraction from specific principals regardless of the
-granted privilege.</p>
-</div>
-<dl>
-<dt><em>target_principal</em></dt><dd><p>(Optional. Partially or fully qualified Kerberos principal name.)
-Specifies the principal on which <em>permissions</em> may be applied.
-Each component of the name may be wildcarded using the <code class="docutils literal notranslate"><span class="pre">*</span></code>
-character.</p>
-<p><em>target_principal</em> can also include back-references to <em>principal</em>,
-in which <code class="docutils literal notranslate"><span class="pre">*number</span></code> matches the corresponding wildcard in
-<em>principal</em>.</p>
-</dd>
-<dt><em>restrictions</em></dt><dd><p>(Optional) A string of flags. Allowed restrictions are:</p>
-<blockquote>
-<div><dl class="simple">
-<dt>{+|-}<em>flagname</em></dt><dd><p>flag is forced to the indicated value. The permissible flags
-are the same as those for the <strong>default_principal_flags</strong>
-variable in <a class="reference internal" href="kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>.</p>
-</dd>
-<dt><em>-clearpolicy</em></dt><dd><p>policy is forced to be empty.</p>
-</dd>
-<dt><em>-policy pol</em></dt><dd><p>policy is forced to be <em>pol</em>.</p>
-</dd>
-<dt>-{<em>expire, pwexpire, maxlife, maxrenewlife</em>} <em>time</em></dt><dd><p>(<a class="reference internal" href="../../basic/date_format.html#getdate"><span class="std std-ref">getdate time</span></a> string) associated value will be forced to
-MIN(<em>time</em>, requested value).</p>
-</dd>
-</dl>
-</div></blockquote>
-<p>The above flags act as restrictions on any add or modify operation
-which is allowed due to that ACL line.</p>
-</dd>
-</dl>
-<div class="admonition warning">
-<p class="admonition-title">Warning</p>
-<p>If the kadmind ACL file is modified, the kadmind daemon needs to be
-restarted for changes to take effect.</p>
-</div>
-</section>
-<section id="example">
-<h2>EXAMPLE<a class="headerlink" href="#example" title="Link to this heading">¶</a></h2>
-<p>Here is an example of a kadm5.acl file:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="o">*/</span><span class="n">admin</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="o">*</span> <span class="c1"># line 1</span>
-<span class="n">joeadmin</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="n">ADMCIL</span> <span class="c1"># line 2</span>
-<span class="n">joeadmin</span><span class="o">/*</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="n">i</span> <span class="o">*/</span><span class="n">root</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="c1"># line 3</span>
-<span class="o">*/</span><span class="n">root</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="n">ci</span> <span class="o">*</span><span class="mi">1</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="c1"># line 4</span>
-<span class="o">*/</span><span class="n">root</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="n">l</span> <span class="o">*</span> <span class="c1"># line 5</span>
-<span class="n">sms</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="n">x</span> <span class="o">*</span> <span class="o">-</span><span class="n">maxlife</span> <span class="mi">9</span><span class="n">h</span> <span class="o">-</span><span class="n">postdateable</span> <span class="c1"># line 6</span>
-</pre></div>
-</div>
-<p>(line 1) Any principal in the <code class="docutils literal notranslate"><span class="pre">ATHENA.MIT.EDU</span></code> realm with an
-<code class="docutils literal notranslate"><span class="pre">admin</span></code> instance has all administrative privileges except extracting
-keys.</p>
-<p>(lines 1-3) The user <code class="docutils literal notranslate"><span class="pre">joeadmin</span></code> has all permissions except
-extracting keys with his <code class="docutils literal notranslate"><span class="pre">admin</span></code> instance,
-<code class="docutils literal notranslate"><span class="pre">joeadmin/admin&#64;ATHENA.MIT.EDU</span></code> (matches line 1). He has no
-permissions at all with his null instance, <code class="docutils literal notranslate"><span class="pre">joeadmin&#64;ATHENA.MIT.EDU</span></code>
-(matches line 2). His <code class="docutils literal notranslate"><span class="pre">root</span></code> and other non-<code class="docutils literal notranslate"><span class="pre">admin</span></code>, non-null
-instances (e.g., <code class="docutils literal notranslate"><span class="pre">extra</span></code> or <code class="docutils literal notranslate"><span class="pre">dbadmin</span></code>) have inquire permissions
-with any principal that has the instance <code class="docutils literal notranslate"><span class="pre">root</span></code> (matches line 3).</p>
-<p>(line 4) Any <code class="docutils literal notranslate"><span class="pre">root</span></code> principal in <code class="docutils literal notranslate"><span class="pre">ATHENA.MIT.EDU</span></code> can inquire
-or change the password of their null instance, but not any other
-null instance. (Here, <code class="docutils literal notranslate"><span class="pre">*1</span></code> denotes a back-reference to the
-component matching the first wildcard in the actor principal.)</p>
-<p>(line 5) Any <code class="docutils literal notranslate"><span class="pre">root</span></code> principal in <code class="docutils literal notranslate"><span class="pre">ATHENA.MIT.EDU</span></code> can generate
-the list of principals in the database, and the list of policies
-in the database. This line is separate from line 4, because list
-permission can only be granted globally, not to specific target
-principals.</p>
-<p>(line 6) Finally, the Service Management System principal
-<code class="docutils literal notranslate"><span class="pre">sms&#64;ATHENA.MIT.EDU</span></code> has all permissions except extracting keys, but
-any principal that it creates or modifies will not be able to get
-postdateable tickets or tickets with a life of longer than 9 hours.</p>
-</section>
-<section id="module-behavior">
-<h2>MODULE BEHAVIOR<a class="headerlink" href="#module-behavior" title="Link to this heading">¶</a></h2>
-<p>The ACL file can coexist with other authorization modules in release
-1.16 and later, as configured in the <a class="reference internal" href="krb5_conf.html#kadm5-auth"><span class="std std-ref">kadm5_auth interface</span></a> section of
-<a class="reference internal" href="krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a>. The ACL file will positively authorize
-operations according to the rules above, but will never
-authoritatively deny an operation, so other modules can authorize
-operations in addition to those authorized by the ACL file.</p>
-<p>To operate without an ACL file, set the <em>acl_file</em> variable in
-<a class="reference internal" href="kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a> to the empty string with <code class="docutils literal notranslate"><span class="pre">acl_file</span> <span class="pre">=</span> <span class="pre">&quot;&quot;</span></code>.</p>
-</section>
-<section id="see-also">
-<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Link to this heading">¶</a></h2>
-<p><a class="reference internal" href="kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>, <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a></p>
-</section>
-</section>
-
-
- <div class="clearer"></div>
- </div>
- </div>
- </div>
- </div>
- <div class="sidebar">
-
- <h2>On this page</h2>
- <ul>
-<li><a class="reference internal" href="#">kadm5.acl</a><ul>
-<li><a class="reference internal" href="#description">DESCRIPTION</a></li>
-<li><a class="reference internal" href="#syntax">SYNTAX</a></li>
-<li><a class="reference internal" href="#example">EXAMPLE</a></li>
-<li><a class="reference internal" href="#module-behavior">MODULE BEHAVIOR</a></li>
-<li><a class="reference internal" href="#see-also">SEE ALSO</a></li>
-</ul>
-</li>
-</ul>
-
- <br/>
- <h2>Table of contents</h2>
- <ul class="current">
-<li class="toctree-l1"><a class="reference internal" href="../../user/index.html">For users</a></li>
-<li class="toctree-l1 current"><a class="reference internal" href="../index.html">For administrators</a><ul class="current">
-<li class="toctree-l2"><a class="reference internal" href="../install.html">Installation guide</a></li>
-<li class="toctree-l2 current"><a class="reference internal" href="index.html">Configuration Files</a><ul class="current">
-<li class="toctree-l3"><a class="reference internal" href="krb5_conf.html">krb5.conf</a></li>
-<li class="toctree-l3"><a class="reference internal" href="kdc_conf.html">kdc.conf</a></li>
-<li class="toctree-l3 current"><a class="current reference internal" href="#">kadm5.acl</a></li>
-</ul>
-</li>
-<li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../dbtypes.html">Database types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../host_config.html">Host configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../spake.html">SPAKE Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../dictionary.html">Addressing dictionary attack risks</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../auth_indicator.html">Authentication indicators</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../admin_commands/index.html">Administration programs</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../../mitK5defaults.html">MIT Kerberos defaults</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../env_variables.html">Environment variables</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../troubleshoot.html">Troubleshooting</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../advanced/index.html">Advanced topics</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../various_envs.html">Various links</a></li>
-</ul>
-</li>
-<li class="toctree-l1"><a class="reference internal" href="../../appdev/index.html">For application developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../plugindev/index.html">For plugin module developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../build/index.html">Building Kerberos V5</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../basic/index.html">Kerberos V5 concepts</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../formats/index.html">Protocols and file formats</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../mitK5features.html">MIT Kerberos features</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../build_this.html">How to build this documentation from the source</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../about.html">Contributing to the MIT Kerberos Documentation</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../resources.html">Resources</a></li>
-</ul>
-
- <br/>
- <h4><a href="../../index.html">Full Table of Contents</a></h4>
- <h4>Search</h4>
- <form class="search" action="../../search.html" method="get">
- <input type="text" name="q" size="18" />
- <input type="submit" value="Go" />
- <input type="hidden" name="check_keywords" value="yes" />
- <input type="hidden" name="area" value="default" />
- </form>
-
- </div>
- <div class="clearer"></div>
- </div>
- </div>
-
- <div class="footer-wrapper">
- <div class="footer" >
- <div class="right" ><i>Release: 1.22-final</i><br />
- &copy; <a href="../../copyright.html">Copyright</a> 1985-2025, MIT.
- </div>
- <div class="left">
-
- <a href="../../index.html" title="Full Table of Contents"
- >Contents</a> |
- <a href="kdc_conf.html" title="kdc.conf"
- >previous</a> |
- <a href="../realm_config.html" title="Realm configuration decisions"
- >next</a> |
- <a href="../../genindex.html" title="General Index"
- >index</a> |
- <a href="../../search.html" title="Enter search criteria"
- >Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__kadm5.acl">feedback</a>
- </div>
- </div>
- </div>
-
- </body>
-</html> \ No newline at end of file
diff --git a/crypto/krb5/doc/html/admin/conf_files/kdc_conf.html b/crypto/krb5/doc/html/admin/conf_files/kdc_conf.html
deleted file mode 100644
index e6bc02ccbb55..000000000000
--- a/crypto/krb5/doc/html/admin/conf_files/kdc_conf.html
+++ /dev/null
@@ -1,1064 +0,0 @@
-<!DOCTYPE html>
-
-<html lang="en" data-content_root="../../">
- <head>
- <meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
-
- <title>kdc.conf &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../../_static/pygments.css?v=fa44fd50" />
- <link rel="stylesheet" type="text/css" href="../../_static/agogo.css?v=879f3c71" />
- <link rel="stylesheet" type="text/css" href="../../_static/kerb.css?v=6a0b3979" />
- <script src="../../_static/documentation_options.js?v=236fef3b"></script>
- <script src="../../_static/doctools.js?v=888ff710"></script>
- <script src="../../_static/sphinx_highlight.js?v=dc90522c"></script>
- <link rel="author" title="About these documents" href="../../about.html" />
- <link rel="index" title="Index" href="../../genindex.html" />
- <link rel="search" title="Search" href="../../search.html" />
- <link rel="copyright" title="Copyright" href="../../copyright.html" />
- <link rel="next" title="kadm5.acl" href="kadm5_acl.html" />
- <link rel="prev" title="krb5.conf" href="krb5_conf.html" />
- </head><body>
- <div class="header-wrapper">
- <div class="header">
-
-
- <h1><a href="../../index.html">MIT Kerberos Documentation</a></h1>
-
- <div class="rel">
-
- <a href="../../index.html" title="Full Table of Contents"
- accesskey="C">Contents</a> |
- <a href="krb5_conf.html" title="krb5.conf"
- accesskey="P">previous</a> |
- <a href="kadm5_acl.html" title="kadm5.acl"
- accesskey="N">next</a> |
- <a href="../../genindex.html" title="General Index"
- accesskey="I">index</a> |
- <a href="../../search.html" title="Enter search criteria"
- accesskey="S">Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__kdc.conf">feedback</a>
- </div>
- </div>
- </div>
-
- <div class="content-wrapper">
- <div class="content">
- <div class="document">
-
- <div class="documentwrapper">
- <div class="bodywrapper">
- <div class="body" role="main">
-
- <section id="kdc-conf">
-<span id="kdc-conf-5"></span><h1>kdc.conf<a class="headerlink" href="#kdc-conf" title="Link to this heading">¶</a></h1>
-<p>The kdc.conf file supplements <a class="reference internal" href="krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a> for programs which
-are typically only used on a KDC, such as the <a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a> and
-<a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> daemons and the <a class="reference internal" href="../admin_commands/kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a> program.
-Relations documented here may also be specified in krb5.conf; for the
-KDC programs mentioned, krb5.conf and kdc.conf will be merged into a
-single configuration profile.</p>
-<p>Normally, the kdc.conf file is found in the KDC state directory,
-<a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">LOCALSTATEDIR</span></a><code class="docutils literal notranslate"><span class="pre">/krb5kdc</span></code>. You can override the default location by setting the
-environment variable <strong>KRB5_KDC_PROFILE</strong>.</p>
-<p>Please note that you need to restart the KDC daemon for any configuration
-changes to take effect.</p>
-<section id="structure">
-<h2>Structure<a class="headerlink" href="#structure" title="Link to this heading">¶</a></h2>
-<p>The kdc.conf file is set up in the same format as the
-<a class="reference internal" href="krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a> file.</p>
-</section>
-<section id="sections">
-<h2>Sections<a class="headerlink" href="#sections" title="Link to this heading">¶</a></h2>
-<p>The kdc.conf file may contain the following sections:</p>
-<table class="docutils align-default">
-<tbody>
-<tr class="row-odd"><td><p><a class="reference internal" href="#kdcdefaults"><span class="std std-ref">[kdcdefaults]</span></a></p></td>
-<td><p>Default values for KDC behavior</p></td>
-</tr>
-<tr class="row-even"><td><p><a class="reference internal" href="#kdc-realms"><span class="std std-ref">[realms]</span></a></p></td>
-<td><p>Realm-specific database configuration and settings</p></td>
-</tr>
-<tr class="row-odd"><td><p><a class="reference internal" href="#dbdefaults"><span class="std std-ref">[dbdefaults]</span></a></p></td>
-<td><p>Default database settings</p></td>
-</tr>
-<tr class="row-even"><td><p><a class="reference internal" href="#dbmodules"><span class="std std-ref">[dbmodules]</span></a></p></td>
-<td><p>Per-database settings</p></td>
-</tr>
-<tr class="row-odd"><td><p><a class="reference internal" href="#logging"><span class="std std-ref">[logging]</span></a></p></td>
-<td><p>Controls how Kerberos daemons perform logging</p></td>
-</tr>
-</tbody>
-</table>
-<section id="kdcdefaults">
-<span id="id1"></span><h3>[kdcdefaults]<a class="headerlink" href="#kdcdefaults" title="Link to this heading">¶</a></h3>
-<p>Some relations in the [kdcdefaults] section specify default values for
-realm variables, to be used if the [realms] subsection does not
-contain a relation for the tag. See the <a class="reference internal" href="#kdc-realms"><span class="std std-ref">[realms]</span></a> section for
-the definitions of these relations.</p>
-<ul class="simple">
-<li><p><strong>host_based_services</strong></p></li>
-<li><p><strong>kdc_listen</strong></p></li>
-<li><p><strong>kdc_ports</strong></p></li>
-<li><p><strong>kdc_tcp_listen</strong></p></li>
-<li><p><strong>kdc_tcp_ports</strong></p></li>
-<li><p><strong>no_host_referral</strong></p></li>
-<li><p><strong>restrict_anonymous_to_tgt</strong></p></li>
-</ul>
-<p>The following [kdcdefaults] variables have no per-realm equivalent:</p>
-<dl class="simple">
-<dt><strong>kdc_max_dgram_reply_size</strong></dt><dd><p>Specifies the maximum packet size that can be sent over UDP. The
-default value is 4096 bytes.</p>
-</dd>
-<dt><strong>kdc_tcp_listen_backlog</strong></dt><dd><p>(Integer.) Set the size of the listen queue length for the KDC
-daemon. The value may be limited by OS settings. The default
-value is 5.</p>
-</dd>
-<dt><strong>spake_preauth_kdc_challenge</strong></dt><dd><p>(String.) Specifies the group for a SPAKE optimistic challenge.
-See the <strong>spake_preauth_groups</strong> variable in <a class="reference internal" href="krb5_conf.html#libdefaults"><span class="std std-ref">[libdefaults]</span></a>
-for possible values. The default is not to issue an optimistic
-challenge. (New in release 1.17.)</p>
-</dd>
-</dl>
-</section>
-<section id="realms">
-<span id="kdc-realms"></span><h3>[realms]<a class="headerlink" href="#realms" title="Link to this heading">¶</a></h3>
-<p>Each tag in the [realms] section is the name of a Kerberos realm. The
-value of the tag is a subsection where the relations define KDC
-parameters for that particular realm. The following example shows how
-to define one parameter for the ATHENA.MIT.EDU realm:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">realms</span><span class="p">]</span>
- <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="o">=</span> <span class="p">{</span>
- <span class="n">max_renewable_life</span> <span class="o">=</span> <span class="mi">7</span><span class="n">d</span> <span class="mi">0</span><span class="n">h</span> <span class="mi">0</span><span class="n">m</span> <span class="mi">0</span><span class="n">s</span>
- <span class="p">}</span>
-</pre></div>
-</div>
-<p>The following tags may be specified in a [realms] subsection:</p>
-<dl>
-<dt><strong>acl_file</strong></dt><dd><p>(String.) Location of the access control list file that
-<a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> uses to determine which principals are allowed
-which permissions on the Kerberos database. To operate without an
-ACL file, set this relation to the empty string with <code class="docutils literal notranslate"><span class="pre">acl_file</span> <span class="pre">=</span>
-<span class="pre">&quot;&quot;</span></code>. The default value is <a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">LOCALSTATEDIR</span></a><code class="docutils literal notranslate"><span class="pre">/krb5kdc</span></code><code class="docutils literal notranslate"><span class="pre">/kadm5.acl</span></code>. For more
-information on Kerberos ACL file see <a class="reference internal" href="kadm5_acl.html#kadm5-acl-5"><span class="std std-ref">kadm5.acl</span></a>.</p>
-</dd>
-<dt><strong>database_module</strong></dt><dd><p>(String.) This relation indicates the name of the configuration
-section under <a class="reference internal" href="#dbmodules"><span class="std std-ref">[dbmodules]</span></a> for database-specific parameters
-used by the loadable database library. The default value is the
-realm name. If this configuration section does not exist, default
-values will be used for all database parameters.</p>
-</dd>
-<dt><strong>database_name</strong></dt><dd><p>(String, deprecated.) This relation specifies the location of the
-Kerberos database for this realm, if the DB2 module is being used
-and the <a class="reference internal" href="#dbmodules"><span class="std std-ref">[dbmodules]</span></a> configuration section does not specify a
-database name. The default value is <a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">LOCALSTATEDIR</span></a><code class="docutils literal notranslate"><span class="pre">/krb5kdc</span></code><code class="docutils literal notranslate"><span class="pre">/principal</span></code>.</p>
-</dd>
-<dt><strong>default_principal_expiration</strong></dt><dd><p>(<a class="reference internal" href="../../basic/date_format.html#abstime"><span class="std std-ref">Absolute time</span></a> string.) Specifies the default expiration date of
-principals created in this realm. The default value is 0, which
-means no expiration date.</p>
-</dd>
-<dt><strong>default_principal_flags</strong></dt><dd><p>(Flag string.) Specifies the default attributes of principals
-created in this realm. The format for this string is a
-comma-separated list of flags, with ‘+’ before each flag that
-should be enabled and ‘-’ before each flag that should be
-disabled. The <strong>postdateable</strong>, <strong>forwardable</strong>, <strong>tgt-based</strong>,
-<strong>renewable</strong>, <strong>proxiable</strong>, <strong>dup-skey</strong>, <strong>allow-tickets</strong>, and
-<strong>service</strong> flags default to enabled.</p>
-<p>There are a number of possible flags:</p>
-<dl class="simple">
-<dt><strong>allow-tickets</strong></dt><dd><p>Enabling this flag means that the KDC will issue tickets for
-this principal. Disabling this flag essentially deactivates
-the principal within this realm.</p>
-</dd>
-<dt><strong>dup-skey</strong></dt><dd><p>Enabling this flag allows the KDC to issue user-to-user
-service tickets for this principal.</p>
-</dd>
-<dt><strong>forwardable</strong></dt><dd><p>Enabling this flag allows the principal to obtain forwardable
-tickets.</p>
-</dd>
-<dt><strong>hwauth</strong></dt><dd><p>If this flag is enabled, then the principal is required to
-preauthenticate using a hardware device before receiving any
-tickets.</p>
-</dd>
-<dt><strong>no-auth-data-required</strong></dt><dd><p>Enabling this flag prevents PAC or AD-SIGNEDPATH data from
-being added to service tickets for the principal.</p>
-</dd>
-<dt><strong>ok-as-delegate</strong></dt><dd><p>If this flag is enabled, it hints the client that credentials
-can and should be delegated when authenticating to the
-service.</p>
-</dd>
-<dt><strong>ok-to-auth-as-delegate</strong></dt><dd><p>Enabling this flag allows the principal to use S4USelf tickets.</p>
-</dd>
-<dt><strong>postdateable</strong></dt><dd><p>Enabling this flag allows the principal to obtain postdateable
-tickets.</p>
-</dd>
-<dt><strong>preauth</strong></dt><dd><p>If this flag is enabled on a client principal, then that
-principal is required to preauthenticate to the KDC before
-receiving any tickets. On a service principal, enabling this
-flag means that service tickets for this principal will only
-be issued to clients with a TGT that has the preauthenticated
-bit set.</p>
-</dd>
-<dt><strong>proxiable</strong></dt><dd><p>Enabling this flag allows the principal to obtain proxy
-tickets.</p>
-</dd>
-<dt><strong>pwchange</strong></dt><dd><p>Enabling this flag forces a password change for this
-principal.</p>
-</dd>
-<dt><strong>pwservice</strong></dt><dd><p>If this flag is enabled, it marks this principal as a password
-change service. This should only be used in special cases,
-for example, if a user’s password has expired, then the user
-has to get tickets for that principal without going through
-the normal password authentication in order to be able to
-change the password.</p>
-</dd>
-<dt><strong>renewable</strong></dt><dd><p>Enabling this flag allows the principal to obtain renewable
-tickets.</p>
-</dd>
-<dt><strong>service</strong></dt><dd><p>Enabling this flag allows the the KDC to issue service tickets
-for this principal. In release 1.17 and later, user-to-user
-service tickets are still allowed if the <strong>dup-skey</strong> flag is
-set.</p>
-</dd>
-<dt><strong>tgt-based</strong></dt><dd><p>Enabling this flag allows a principal to obtain tickets based
-on a ticket-granting-ticket, rather than repeating the
-authentication process that was used to obtain the TGT.</p>
-</dd>
-</dl>
-</dd>
-<dt><strong>dict_file</strong></dt><dd><p>(String.) Location of the dictionary file containing strings that
-are not allowed as passwords. The file should contain one string
-per line, with no additional whitespace. If none is specified or
-if there is no policy assigned to the principal, no dictionary
-checks of passwords will be performed.</p>
-</dd>
-<dt><strong>disable_pac</strong></dt><dd><p>(Boolean value.) If true, the KDC will not issue PACs for this
-realm, and S4U2Self and S4U2Proxy operations will be disabled.
-The default is false, which will permit the KDC to issue PACs.
-New in release 1.20.</p>
-</dd>
-<dt><strong>encrypted_challenge_indicator</strong></dt><dd><p>(String.) Specifies the authentication indicator value that the KDC
-asserts into tickets obtained using FAST encrypted challenge
-pre-authentication. New in 1.16.</p>
-</dd>
-<dt><strong>host_based_services</strong></dt><dd><p>(Whitespace- or comma-separated list.) Lists services which will
-get host-based referral processing even if the server principal is
-not marked as host-based by the client.</p>
-</dd>
-<dt><strong>iprop_enable</strong></dt><dd><p>(Boolean value.) Specifies whether incremental database
-propagation is enabled. The default value is false.</p>
-</dd>
-<dt><strong>iprop_ulogsize</strong></dt><dd><p>(Integer.) Specifies the maximum number of log entries to be
-retained for incremental propagation. The default value is 1000.
-Prior to release 1.11, the maximum value was 2500. New in release
-1.19.</p>
-</dd>
-<dt><strong>iprop_master_ulogsize</strong></dt><dd><p>The name for <strong>iprop_ulogsize</strong> prior to release 1.19. Its value is
-used as a fallback if <strong>iprop_ulogsize</strong> is not specified.</p>
-</dd>
-<dt><strong>iprop_replica_poll</strong></dt><dd><p>(Delta time string.) Specifies how often the replica KDC polls
-for new updates from the primary. The default value is <code class="docutils literal notranslate"><span class="pre">2m</span></code>
-(that is, two minutes). New in release 1.17.</p>
-</dd>
-<dt><strong>iprop_slave_poll</strong></dt><dd><p>(Delta time string.) The name for <strong>iprop_replica_poll</strong> prior to
-release 1.17. Its value is used as a fallback if
-<strong>iprop_replica_poll</strong> is not specified.</p>
-</dd>
-<dt><strong>iprop_listen</strong></dt><dd><p>(Whitespace- or comma-separated list.) Specifies the iprop RPC
-listening addresses and/or ports for the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> daemon.
-Each entry may be an interface address, a port number, or an
-address and port number separated by a colon. If the address
-contains colons, enclose it in square brackets. If no address is
-specified, the wildcard address is used. If kadmind fails to bind
-to any of the specified addresses, it will fail to start. The
-default (when <strong>iprop_enable</strong> is true) is to bind to the wildcard
-address at the port specified in <strong>iprop_port</strong>. New in release
-1.15.</p>
-</dd>
-<dt><strong>iprop_port</strong></dt><dd><p>(Port number.) Specifies the port number to be used for
-incremental propagation. When <strong>iprop_enable</strong> is true, this
-relation is required in the replica KDC configuration file, and
-this relation or <strong>iprop_listen</strong> is required in the primary
-configuration file, as there is no default port number. Port
-numbers specified in <strong>iprop_listen</strong> entries will override this
-port number for the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> daemon.</p>
-</dd>
-<dt><strong>iprop_resync_timeout</strong></dt><dd><p>(Delta time string.) Specifies the amount of time to wait for a
-full propagation to complete. This is optional in configuration
-files, and is used by replica KDCs only. The default value is 5
-minutes (<code class="docutils literal notranslate"><span class="pre">5m</span></code>). New in release 1.11.</p>
-</dd>
-<dt><strong>iprop_logfile</strong></dt><dd><p>(File name.) Specifies where the update log file for the realm
-database is to be stored. The default is to use the
-<strong>database_name</strong> entry from the realms section of the krb5 config
-file, with <code class="docutils literal notranslate"><span class="pre">.ulog</span></code> appended. (NOTE: If <strong>database_name</strong> isn’t
-specified in the realms section, perhaps because the LDAP database
-back end is being used, or the file name is specified in the
-[dbmodules] section, then the hard-coded default for
-<strong>database_name</strong> is used. Determination of the <strong>iprop_logfile</strong>
-default value will not use values from the [dbmodules] section.)</p>
-</dd>
-<dt><strong>kadmind_listen</strong></dt><dd><p>(Whitespace- or comma-separated list.) Specifies the kadmin RPC
-listening addresses and/or ports for the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> daemon.
-Each entry may be an interface address, a port number, an address
-and port number separated by a colon, or a UNIX domain socket
-pathname. If the address contains colons, enclose it in square
-brackets. If no address is specified, the wildcard address is
-used. To disable listening for kadmin RPC connections, set this
-relation to the empty string with <code class="docutils literal notranslate"><span class="pre">kadmind_listen</span> <span class="pre">=</span> <span class="pre">&quot;&quot;</span></code>. If
-kadmind fails to bind to any of the specified addresses, it will
-fail to start. The default is to bind to the wildcard address at
-the port specified in <strong>kadmind_port</strong>, or the standard kadmin
-port (749). New in release 1.15.</p>
-</dd>
-<dt><strong>kadmind_port</strong></dt><dd><p>(Port number.) Specifies the port on which the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a>
-daemon is to listen for this realm. Port numbers specified in
-<strong>kadmind_listen</strong> entries will override this port number. The
-assigned port for kadmind is 749, which is used by default.</p>
-</dd>
-<dt><strong>key_stash_file</strong></dt><dd><p>(String.) Specifies the location where the master key has been
-stored (via kdb5_util stash). The default is <a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">LOCALSTATEDIR</span></a><code class="docutils literal notranslate"><span class="pre">/krb5kdc</span></code><code class="docutils literal notranslate"><span class="pre">/.k5.REALM</span></code>, where <em>REALM</em> is the Kerberos realm.</p>
-</dd>
-<dt><strong>kdc_listen</strong></dt><dd><p>(Whitespace- or comma-separated list.) Specifies the listening
-addresses and/or ports for the <a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a> daemon. Each
-entry may be an interface address, a port number, an address and
-port number separated by a colon, or a UNIX domain socket
-pathname. If the address contains colons, enclose it in square
-brackets. If no address is specified, the wildcard address is
-used. If no port is specified, the standard port (88) is used.
-To disable listening on UDP, set this relation to the empty string
-with <code class="docutils literal notranslate"><span class="pre">kdc_listen</span> <span class="pre">=</span> <span class="pre">&quot;&quot;</span></code>. If the KDC daemon fails to bind to any
-of the specified addresses, it will fail to start. The default is
-to bind to the wildcard address on the standard port. New in
-release 1.15.</p>
-</dd>
-<dt><strong>kdc_ports</strong></dt><dd><p>(Whitespace- or comma-separated list, deprecated.) Prior to
-release 1.15, this relation lists the ports for the
-<a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a> daemon to listen on for UDP requests. In
-release 1.15 and later, it has the same meaning as <strong>kdc_listen</strong>
-if that relation is not defined.</p>
-</dd>
-<dt><strong>kdc_tcp_listen</strong></dt><dd><p>(Whitespace- or comma-separated list.) Specifies the TCP
-listening addresses and/or ports for the <a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a> daemon.
-The syntax is identical to that of <strong>kdc_listen</strong>. To disable
-listening on TCP, set this relation to the empty string with
-<code class="docutils literal notranslate"><span class="pre">kdc_tcp_listen</span> <span class="pre">=</span> <span class="pre">&quot;&quot;</span></code>. The default is to bind to the same
-addresses and ports as for UDP. New in release 1.15.</p>
-</dd>
-<dt><strong>kdc_tcp_ports</strong></dt><dd><p>(Whitespace- or comma-separated list, deprecated.) Prior to
-release 1.15, this relation lists the ports for the
-<a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a> daemon to listen on for UDP requests. In
-release 1.15 and later, it has the same meaning as
-<strong>kdc_tcp_listen</strong> if that relation is not defined.</p>
-</dd>
-<dt><strong>kpasswd_listen</strong></dt><dd><p>(Comma-separated list.) Specifies the kpasswd listening
-addresses and/or ports for the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> daemon. Each
-entry may be an interface address, a port number, an address and
-port number separated by a colon, or a UNIX domain socket
-pathname. If the address contains colons, enclose it in square
-brackets. If no address is specified, the wildcard address is
-used. To disable listening for kpasswd requests, set this
-relation to the empty string with <code class="docutils literal notranslate"><span class="pre">kpasswd_listen</span> <span class="pre">=</span> <span class="pre">&quot;&quot;</span></code>. If
-kadmind fails to bind to any of the specified addresses, it will
-fail to start. The default is to bind to the wildcard address at
-the port specified in <strong>kpasswd_port</strong>, or the standard kpasswd
-port (464). New in release 1.15.</p>
-</dd>
-<dt><strong>kpasswd_port</strong></dt><dd><p>(Port number.) Specifies the port on which the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a>
-daemon is to listen for password change requests for this realm.
-Port numbers specified in <strong>kpasswd_listen</strong> entries will override
-this port number. The assigned port for password change requests
-is 464, which is used by default.</p>
-</dd>
-<dt><strong>master_key_name</strong></dt><dd><p>(String.) Specifies the name of the principal associated with the
-master key. The default is <code class="docutils literal notranslate"><span class="pre">K/M</span></code>.</p>
-</dd>
-<dt><strong>master_key_type</strong></dt><dd><p>(Key type string.) Specifies the master key’s key type. The
-default value for this is <code class="docutils literal notranslate"><span class="pre">aes256-cts-hmac-sha1-96</span></code>. For a list of all possible
-values, see <a class="reference internal" href="#encryption-types"><span class="std std-ref">Encryption types</span></a>.</p>
-</dd>
-<dt><strong>max_life</strong></dt><dd><p>(<a class="reference internal" href="../../basic/date_format.html#duration"><span class="std std-ref">Time duration</span></a> string.) Specifies the maximum time period for
-which a ticket may be valid in this realm. The default value is
-24 hours.</p>
-</dd>
-<dt><strong>max_renewable_life</strong></dt><dd><p>(<a class="reference internal" href="../../basic/date_format.html#duration"><span class="std std-ref">Time duration</span></a> string.) Specifies the maximum time period
-during which a valid ticket may be renewed in this realm.
-The default value is 0.</p>
-</dd>
-<dt><strong>no_host_referral</strong></dt><dd><p>(Whitespace- or comma-separated list.) Lists services to block
-from getting host-based referral processing, even if the client
-marks the server principal as host-based or the service is also
-listed in <strong>host_based_services</strong>. <code class="docutils literal notranslate"><span class="pre">no_host_referral</span> <span class="pre">=</span> <span class="pre">*</span></code> will
-disable referral processing altogether.</p>
-</dd>
-<dt><strong>reject_bad_transit</strong></dt><dd><p>(Boolean value.) If set to true, the KDC will check the list of
-transited realms for cross-realm tickets against the transit path
-computed from the realm names and the capaths section of its
-<a class="reference internal" href="krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a> file; if the path in the ticket to be issued
-contains any realms not in the computed path, the ticket will not
-be issued, and an error will be returned to the client instead.
-If this value is set to false, such tickets will be issued
-anyways, and it will be left up to the application server to
-validate the realm transit path.</p>
-<p>If the disable-transited-check flag is set in the incoming
-request, this check is not performed at all. Having the
-<strong>reject_bad_transit</strong> option will cause such ticket requests to
-be rejected always.</p>
-<p>This transit path checking and config file option currently apply
-only to TGS requests.</p>
-<p>The default value is true.</p>
-</dd>
-<dt><strong>restrict_anonymous_to_tgt</strong></dt><dd><p>(Boolean value.) If set to true, the KDC will reject ticket
-requests from anonymous principals to service principals other
-than the realm’s ticket-granting service. This option allows
-anonymous PKINIT to be enabled for use as FAST armor tickets
-without allowing anonymous authentication to services. The
-default value is false. New in release 1.9.</p>
-</dd>
-<dt><strong>spake_preauth_indicator</strong></dt><dd><p>(String.) Specifies an authentication indicator value that the
-KDC asserts into tickets obtained using SPAKE pre-authentication.
-The default is not to add any indicators. This option may be
-specified multiple times. New in release 1.17.</p>
-</dd>
-<dt><strong>supported_enctypes</strong></dt><dd><p>(List of <em>key</em>:<em>salt</em> strings.) Specifies the default key/salt
-combinations of principals for this realm. Any principals created
-through <a class="reference internal" href="../admin_commands/kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> will have keys of these types. The
-default value for this tag is <code class="docutils literal notranslate"><span class="pre">aes256-cts-hmac-sha1-96:normal</span> <span class="pre">aes128-cts-hmac-sha1-96:normal</span></code>. For lists of
-possible values, see <a class="reference internal" href="#keysalt-lists"><span class="std std-ref">Keysalt lists</span></a>.</p>
-</dd>
-</dl>
-</section>
-<section id="dbdefaults">
-<span id="id2"></span><h3>[dbdefaults]<a class="headerlink" href="#dbdefaults" title="Link to this heading">¶</a></h3>
-<p>The [dbdefaults] section specifies default values for some database
-parameters, to be used if the [dbmodules] subsection does not contain
-a relation for the tag. See the <a class="reference internal" href="#dbmodules"><span class="std std-ref">[dbmodules]</span></a> section for the
-definitions of these relations.</p>
-<ul class="simple">
-<li><p><strong>ldap_kerberos_container_dn</strong></p></li>
-<li><p><strong>ldap_kdc_dn</strong></p></li>
-<li><p><strong>ldap_kdc_sasl_authcid</strong></p></li>
-<li><p><strong>ldap_kdc_sasl_authzid</strong></p></li>
-<li><p><strong>ldap_kdc_sasl_mech</strong></p></li>
-<li><p><strong>ldap_kdc_sasl_realm</strong></p></li>
-<li><p><strong>ldap_kadmind_dn</strong></p></li>
-<li><p><strong>ldap_kadmind_sasl_authcid</strong></p></li>
-<li><p><strong>ldap_kadmind_sasl_authzid</strong></p></li>
-<li><p><strong>ldap_kadmind_sasl_mech</strong></p></li>
-<li><p><strong>ldap_kadmind_sasl_realm</strong></p></li>
-<li><p><strong>ldap_service_password_file</strong></p></li>
-<li><p><strong>ldap_conns_per_server</strong></p></li>
-</ul>
-</section>
-<section id="dbmodules">
-<span id="id3"></span><h3>[dbmodules]<a class="headerlink" href="#dbmodules" title="Link to this heading">¶</a></h3>
-<p>The [dbmodules] section contains parameters used by the KDC database
-library and database modules. Each tag in the [dbmodules] section is
-the name of a Kerberos realm or a section name specified by a realm’s
-<strong>database_module</strong> parameter. The following example shows how to
-define one database parameter for the ATHENA.MIT.EDU realm:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">dbmodules</span><span class="p">]</span>
- <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="o">=</span> <span class="p">{</span>
- <span class="n">disable_last_success</span> <span class="o">=</span> <span class="n">true</span>
- <span class="p">}</span>
-</pre></div>
-</div>
-<p>The following tags may be specified in a [dbmodules] subsection:</p>
-<dl class="simple">
-<dt><strong>database_name</strong></dt><dd><p>This DB2-specific tag indicates the location of the database in
-the filesystem. The default is <a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">LOCALSTATEDIR</span></a><code class="docutils literal notranslate"><span class="pre">/krb5kdc</span></code><code class="docutils literal notranslate"><span class="pre">/principal</span></code>.</p>
-</dd>
-<dt><strong>db_library</strong></dt><dd><p>This tag indicates the name of the loadable database module. The
-value should be <code class="docutils literal notranslate"><span class="pre">db2</span></code> for the DB2 module, <code class="docutils literal notranslate"><span class="pre">klmdb</span></code> for the LMDB
-module, or <code class="docutils literal notranslate"><span class="pre">kldap</span></code> for the LDAP module.</p>
-</dd>
-<dt><strong>disable_last_success</strong></dt><dd><p>If set to <code class="docutils literal notranslate"><span class="pre">true</span></code>, suppresses KDC updates to the “Last successful
-authentication” field of principal entries requiring
-preauthentication. Setting this flag may improve performance.
-(Principal entries which do not require preauthentication never
-update the “Last successful authentication” field.). First
-introduced in release 1.9.</p>
-</dd>
-<dt><strong>disable_lockout</strong></dt><dd><p>If set to <code class="docutils literal notranslate"><span class="pre">true</span></code>, suppresses KDC updates to the “Last failed
-authentication” and “Failed password attempts” fields of principal
-entries requiring preauthentication. Setting this flag may
-improve performance, but also disables account lockout. First
-introduced in release 1.9.</p>
-</dd>
-<dt><strong>ldap_conns_per_server</strong></dt><dd><p>This LDAP-specific tag indicates the number of connections to be
-maintained per LDAP server.</p>
-</dd>
-<dt><strong>ldap_kdc_dn</strong> and <strong>ldap_kadmind_dn</strong></dt><dd><p>These LDAP-specific tags indicate the default DN for binding to
-the LDAP server. The <a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a> daemon uses
-<strong>ldap_kdc_dn</strong>, while the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> daemon and other
-administrative programs use <strong>ldap_kadmind_dn</strong>. The kadmind DN
-must have the rights to read and write the Kerberos data in the
-LDAP database. The KDC DN must have the same rights, unless
-<strong>disable_lockout</strong> and <strong>disable_last_success</strong> are true, in
-which case it only needs to have rights to read the Kerberos data.
-These tags are ignored if a SASL mechanism is set with
-<strong>ldap_kdc_sasl_mech</strong> or <strong>ldap_kadmind_sasl_mech</strong>.</p>
-</dd>
-<dt><strong>ldap_kdc_sasl_mech</strong> and <strong>ldap_kadmind_sasl_mech</strong></dt><dd><p>These LDAP-specific tags specify the SASL mechanism (such as
-<code class="docutils literal notranslate"><span class="pre">EXTERNAL</span></code>) to use when binding to the LDAP server. New in
-release 1.13.</p>
-</dd>
-<dt><strong>ldap_kdc_sasl_authcid</strong> and <strong>ldap_kadmind_sasl_authcid</strong></dt><dd><p>These LDAP-specific tags specify the SASL authentication identity
-to use when binding to the LDAP server. Not all SASL mechanisms
-require an authentication identity. If the SASL mechanism
-requires a secret (such as the password for <code class="docutils literal notranslate"><span class="pre">DIGEST-MD5</span></code>), these
-tags also determine the name within the
-<strong>ldap_service_password_file</strong> where the secret is stashed. New
-in release 1.13.</p>
-</dd>
-<dt><strong>ldap_kdc_sasl_authzid</strong> and <strong>ldap_kadmind_sasl_authzid</strong></dt><dd><p>These LDAP-specific tags specify the SASL authorization identity
-to use when binding to the LDAP server. In most circumstances
-they do not need to be specified. New in release 1.13.</p>
-</dd>
-<dt><strong>ldap_kdc_sasl_realm</strong> and <strong>ldap_kadmind_sasl_realm</strong></dt><dd><p>These LDAP-specific tags specify the SASL realm to use when
-binding to the LDAP server. In most circumstances they do not
-need to be set. New in release 1.13.</p>
-</dd>
-<dt><strong>ldap_kerberos_container_dn</strong></dt><dd><p>This LDAP-specific tag indicates the DN of the container object
-where the realm objects will be located.</p>
-</dd>
-<dt><strong>ldap_servers</strong></dt><dd><p>This LDAP-specific tag indicates the list of LDAP servers that the
-Kerberos servers can connect to. The list of LDAP servers is
-whitespace-separated. The LDAP server is specified by a LDAP URI.
-It is recommended to use <code class="docutils literal notranslate"><span class="pre">ldapi:</span></code> or <code class="docutils literal notranslate"><span class="pre">ldaps:</span></code> URLs to connect
-to the LDAP server.</p>
-</dd>
-<dt><strong>ldap_service_password_file</strong></dt><dd><p>This LDAP-specific tag indicates the file containing the stashed
-passwords (created by <code class="docutils literal notranslate"><span class="pre">kdb5_ldap_util</span> <span class="pre">stashsrvpw</span></code>) for the
-<strong>ldap_kdc_dn</strong> and <strong>ldap_kadmind_dn</strong> objects, or for the
-<strong>ldap_kdc_sasl_authcid</strong> or <strong>ldap_kadmind_sasl_authcid</strong> names
-for SASL authentication. This file must be kept secure.</p>
-</dd>
-<dt><strong>mapsize</strong></dt><dd><p>This LMDB-specific tag indicates the maximum size of the two
-database environments in megabytes. The default value is 128.
-Increase this value to address “Environment mapsize limit reached”
-errors. New in release 1.17.</p>
-</dd>
-<dt><strong>max_readers</strong></dt><dd><p>This LMDB-specific tag indicates the maximum number of concurrent
-reading processes for the databases. The default value is 128.
-New in release 1.17.</p>
-</dd>
-<dt><strong>nosync</strong></dt><dd><p>This LMDB-specific tag can be set to improve the throughput of
-kadmind and other administrative agents, at the expense of
-durability (recent database changes may not survive a power outage
-or other sudden reboot). It does not affect the throughput of the
-KDC. The default value is false. New in release 1.17.</p>
-</dd>
-<dt><strong>unlockiter</strong></dt><dd><p>If set to <code class="docutils literal notranslate"><span class="pre">true</span></code>, this DB2-specific tag causes iteration
-operations to release the database lock while processing each
-principal. Setting this flag to <code class="docutils literal notranslate"><span class="pre">true</span></code> can prevent extended
-blocking of KDC or kadmin operations when dumps of large databases
-are in progress. First introduced in release 1.13.</p>
-</dd>
-</dl>
-<p>The following tag may be specified directly in the [dbmodules]
-section to control where database modules are loaded from:</p>
-<dl class="simple">
-<dt><strong>db_module_dir</strong></dt><dd><p>This tag controls where the plugin system looks for database
-modules. The value should be an absolute path.</p>
-</dd>
-</dl>
-</section>
-<section id="logging">
-<span id="id4"></span><h3>[logging]<a class="headerlink" href="#logging" title="Link to this heading">¶</a></h3>
-<p>The [logging] section indicates how <a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a> and
-<a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> perform logging. It may contain the following
-relations:</p>
-<dl class="simple">
-<dt><strong>admin_server</strong></dt><dd><p>Specifies how <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> performs logging.</p>
-</dd>
-<dt><strong>kdc</strong></dt><dd><p>Specifies how <a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a> performs logging.</p>
-</dd>
-<dt><strong>default</strong></dt><dd><p>Specifies how either daemon performs logging in the absence of
-relations specific to the daemon.</p>
-</dd>
-<dt><strong>debug</strong></dt><dd><p>(Boolean value.) Specifies whether debugging messages are
-included in log outputs other than SYSLOG. Debugging messages are
-always included in the system log output because syslog performs
-its own priority filtering. The default value is false. New in
-release 1.15.</p>
-</dd>
-</dl>
-<p>Logging specifications may have the following forms:</p>
-<dl>
-<dt><strong>FILE=</strong><em>filename</em> or <strong>FILE:</strong><em>filename</em></dt><dd><p>This value causes the daemon’s logging messages to go to the
-<em>filename</em>. If the <code class="docutils literal notranslate"><span class="pre">=</span></code> form is used, the file is overwritten.
-If the <code class="docutils literal notranslate"><span class="pre">:</span></code> form is used, the file is appended to.</p>
-</dd>
-<dt><strong>STDERR</strong></dt><dd><p>This value causes the daemon’s logging messages to go to its
-standard error stream.</p>
-</dd>
-<dt><strong>CONSOLE</strong></dt><dd><p>This value causes the daemon’s logging messages to go to the
-console, if the system supports it.</p>
-</dd>
-<dt><strong>DEVICE=</strong><em>&lt;devicename&gt;</em></dt><dd><p>This causes the daemon’s logging messages to go to the specified
-device.</p>
-</dd>
-<dt><strong>SYSLOG</strong>[<strong>:</strong><em>severity</em>[<strong>:</strong><em>facility</em>]]</dt><dd><p>This causes the daemon’s logging messages to go to the system log.</p>
-<p>For backward compatibility, a severity argument may be specified,
-and must be specified in order to specify a facility. This
-argument will be ignored.</p>
-<p>The facility argument specifies the facility under which the
-messages are logged. This may be any of the following facilities
-supported by the syslog(3) call minus the LOG_ prefix: <strong>KERN</strong>,
-<strong>USER</strong>, <strong>MAIL</strong>, <strong>DAEMON</strong>, <strong>AUTH</strong>, <strong>LPR</strong>, <strong>NEWS</strong>,
-<strong>UUCP</strong>, <strong>CRON</strong>, and <strong>LOCAL0</strong> through <strong>LOCAL7</strong>. If no
-facility is specified, the default is <strong>AUTH</strong>.</p>
-</dd>
-</dl>
-<p>In the following example, the logging messages from the KDC will go to
-the console and to the system log under the facility LOG_DAEMON, and
-the logging messages from the administrative server will be appended
-to the file <code class="docutils literal notranslate"><span class="pre">/var/adm/kadmin.log</span></code> and sent to the device
-<code class="docutils literal notranslate"><span class="pre">/dev/tty04</span></code>.</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">logging</span><span class="p">]</span>
- <span class="n">kdc</span> <span class="o">=</span> <span class="n">CONSOLE</span>
- <span class="n">kdc</span> <span class="o">=</span> <span class="n">SYSLOG</span><span class="p">:</span><span class="n">INFO</span><span class="p">:</span><span class="n">DAEMON</span>
- <span class="n">admin_server</span> <span class="o">=</span> <span class="n">FILE</span><span class="p">:</span><span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">adm</span><span class="o">/</span><span class="n">kadmin</span><span class="o">.</span><span class="n">log</span>
- <span class="n">admin_server</span> <span class="o">=</span> <span class="n">DEVICE</span><span class="o">=/</span><span class="n">dev</span><span class="o">/</span><span class="n">tty04</span>
-</pre></div>
-</div>
-<p>If no logging specification is given, the default is to use syslog.
-To disable logging entirely, specify <code class="docutils literal notranslate"><span class="pre">default</span> <span class="pre">=</span> <span class="pre">DEVICE=/dev/null</span></code>.</p>
-</section>
-<section id="otp">
-<span id="id5"></span><h3>[otp]<a class="headerlink" href="#otp" title="Link to this heading">¶</a></h3>
-<p>Each subsection of [otp] is the name of an OTP token type. The tags
-within the subsection define the configuration required to forward a
-One Time Password request to a RADIUS server.</p>
-<p>For each token type, the following tags may be specified:</p>
-<dl class="simple">
-<dt><strong>server</strong></dt><dd><p>This is the server to send the RADIUS request to. It can be a
-hostname with optional port, an ip address with optional port, or
-a Unix domain socket address. The default is
-<a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">LOCALSTATEDIR</span></a><code class="docutils literal notranslate"><span class="pre">/krb5kdc</span></code><code class="docutils literal notranslate"><span class="pre">/&lt;name&gt;.socket</span></code>.</p>
-</dd>
-<dt><strong>secret</strong></dt><dd><p>This tag indicates a filename (which may be relative to <a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">LOCALSTATEDIR</span></a><code class="docutils literal notranslate"><span class="pre">/krb5kdc</span></code>)
-containing the secret used to encrypt the RADIUS packets. The
-secret should appear in the first line of the file by itself;
-leading and trailing whitespace on the line will be removed. If
-the value of <strong>server</strong> is a Unix domain socket address, this tag
-is optional, and an empty secret will be used if it is not
-specified. Otherwise, this tag is required.</p>
-</dd>
-<dt><strong>timeout</strong></dt><dd><p>An integer which specifies the time in seconds during which the
-KDC should attempt to contact the RADIUS server. This tag is the
-total time across all retries and should be less than the time
-which an OTP value remains valid for. The default is 5 seconds.</p>
-</dd>
-<dt><strong>retries</strong></dt><dd><p>This tag specifies the number of retries to make to the RADIUS
-server. The default is 3 retries (4 tries).</p>
-</dd>
-<dt><strong>strip_realm</strong></dt><dd><p>If this tag is <code class="docutils literal notranslate"><span class="pre">true</span></code>, the principal without the realm will be
-passed to the RADIUS server. Otherwise, the realm will be
-included. The default value is <code class="docutils literal notranslate"><span class="pre">true</span></code>.</p>
-</dd>
-<dt><strong>indicator</strong></dt><dd><p>This tag specifies an authentication indicator to be included in
-the ticket if this token type is used to authenticate. This
-option may be specified multiple times. (New in release 1.14.)</p>
-</dd>
-</dl>
-<p>In the following example, requests are sent to a remote server via UDP:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>[otp]
- MyRemoteTokenType = {
- server = radius.mydomain.com:1812
- secret = SEmfiajf42$
- timeout = 15
- retries = 5
- strip_realm = true
- }
-</pre></div>
-</div>
-<p>An implicit default token type named <code class="docutils literal notranslate"><span class="pre">DEFAULT</span></code> is defined for when
-the per-principal configuration does not specify a token type. Its
-configuration is shown below. You may override this token type to
-something applicable for your situation:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">otp</span><span class="p">]</span>
- <span class="n">DEFAULT</span> <span class="o">=</span> <span class="p">{</span>
- <span class="n">strip_realm</span> <span class="o">=</span> <span class="n">false</span>
- <span class="p">}</span>
-</pre></div>
-</div>
-</section>
-</section>
-<section id="pkinit-options">
-<h2>PKINIT options<a class="headerlink" href="#pkinit-options" title="Link to this heading">¶</a></h2>
-<div class="admonition note">
-<p class="admonition-title">Note</p>
-<p>The following are pkinit-specific options. These values may
-be specified in [kdcdefaults] as global defaults, or within
-a realm-specific subsection of [realms]. Also note that a
-realm-specific value over-rides, does not add to, a generic
-[kdcdefaults] specification. The search order is:</p>
-</div>
-<ol class="arabic">
-<li><p>realm-specific subsection of [realms]:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">realms</span><span class="p">]</span>
- <span class="n">EXAMPLE</span><span class="o">.</span><span class="n">COM</span> <span class="o">=</span> <span class="p">{</span>
- <span class="n">pkinit_anchors</span> <span class="o">=</span> <span class="n">FILE</span><span class="p">:</span><span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">local</span><span class="o">/</span><span class="n">example</span><span class="o">.</span><span class="n">com</span><span class="o">.</span><span class="n">crt</span>
- <span class="p">}</span>
-</pre></div>
-</div>
-</li>
-<li><p>generic value in the [kdcdefaults] section:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">kdcdefaults</span><span class="p">]</span>
- <span class="n">pkinit_anchors</span> <span class="o">=</span> <span class="n">DIR</span><span class="p">:</span><span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">local</span><span class="o">/</span><span class="n">generic_trusted_cas</span><span class="o">/</span>
-</pre></div>
-</div>
-</li>
-</ol>
-<p>For information about the syntax of some of these options, see
-<a class="reference internal" href="krb5_conf.html#pkinit-identity"><span class="std std-ref">Specifying PKINIT identity information</span></a> in
-<a class="reference internal" href="krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a>.</p>
-<dl>
-<dt><strong>pkinit_anchors</strong></dt><dd><p>Specifies the location of trusted anchor (root) certificates which
-the KDC trusts to sign client certificates. This option is
-required if pkinit is to be supported by the KDC. This option may
-be specified multiple times.</p>
-</dd>
-<dt><strong>pkinit_dh_min_bits</strong></dt><dd><p>Specifies the minimum strength of Diffie-Hellman group the KDC is
-willing to accept for key exchange. Valid values in order of
-increasing strength are 1024, 2048, P-256, 4096, P-384, and P-521.
-The default is 2048. (P-256, P-384, and P-521 are new in release
-1.22.)</p>
-</dd>
-<dt><strong>pkinit_allow_upn</strong></dt><dd><p>Specifies that the KDC is willing to accept client certificates
-with the Microsoft UserPrincipalName (UPN) Subject Alternative
-Name (SAN). This means the KDC accepts the binding of the UPN in
-the certificate to the Kerberos principal name. The default value
-is false.</p>
-<p>Without this option, the KDC will only accept certificates with
-the id-pkinit-san as defined in <span class="target" id="index-0"></span><a class="rfc reference external" href="https://datatracker.ietf.org/doc/html/rfc4556.html"><strong>RFC 4556</strong></a>. There is currently
-no option to disable SAN checking in the KDC.</p>
-</dd>
-<dt><strong>pkinit_eku_checking</strong></dt><dd><p>This option specifies what Extended Key Usage (EKU) values the KDC
-is willing to accept in client certificates. The values
-recognized in the kdc.conf file are:</p>
-<dl class="simple">
-<dt><strong>kpClientAuth</strong></dt><dd><p>This is the default value and specifies that client
-certificates must have the id-pkinit-KPClientAuth EKU as
-defined in <span class="target" id="index-1"></span><a class="rfc reference external" href="https://datatracker.ietf.org/doc/html/rfc4556.html"><strong>RFC 4556</strong></a>.</p>
-</dd>
-<dt><strong>scLogin</strong></dt><dd><p>If scLogin is specified, client certificates with the
-Microsoft Smart Card Login EKU (id-ms-kp-sc-logon) will be
-accepted.</p>
-</dd>
-<dt><strong>none</strong></dt><dd><p>If none is specified, then client certificates will not be
-checked to verify they have an acceptable EKU. The use of
-this option is not recommended.</p>
-</dd>
-</dl>
-</dd>
-<dt><strong>pkinit_identity</strong></dt><dd><p>Specifies the location of the KDC’s X.509 identity information.
-This option is required if pkinit is to be supported by the KDC.</p>
-</dd>
-<dt><strong>pkinit_indicator</strong></dt><dd><p>Specifies an authentication indicator to include in the ticket if
-pkinit is used to authenticate. This option may be specified
-multiple times. (New in release 1.14.)</p>
-</dd>
-<dt><strong>pkinit_pool</strong></dt><dd><p>Specifies the location of intermediate certificates which may be
-used by the KDC to complete the trust chain between a client’s
-certificate and a trusted anchor. This option may be specified
-multiple times.</p>
-</dd>
-<dt><strong>pkinit_revoke</strong></dt><dd><p>Specifies the location of Certificate Revocation List (CRL)
-information to be used by the KDC when verifying the validity of
-client certificates. This option may be specified multiple times.</p>
-</dd>
-<dt><strong>pkinit_require_crl_checking</strong></dt><dd><p>The default certificate verification process will always check the
-available revocation information to see if a certificate has been
-revoked. If a match is found for the certificate in a CRL,
-verification fails. If the certificate being verified is not
-listed in a CRL, or there is no CRL present for its issuing CA,
-and <strong>pkinit_require_crl_checking</strong> is false, then verification
-succeeds.</p>
-<p>However, if <strong>pkinit_require_crl_checking</strong> is true and there is
-no CRL information available for the issuing CA, then verification
-fails.</p>
-<p><strong>pkinit_require_crl_checking</strong> should be set to true if the
-policy is such that up-to-date CRLs must be present for every CA.</p>
-</dd>
-<dt><strong>pkinit_require_freshness</strong></dt><dd><p>Specifies whether to require clients to include a freshness token
-in PKINIT requests. The default value is false. (New in release
-1.17.)</p>
-</dd>
-</dl>
-</section>
-<section id="encryption-types">
-<span id="id6"></span><h2>Encryption types<a class="headerlink" href="#encryption-types" title="Link to this heading">¶</a></h2>
-<p>Any tag in the configuration files which requires a list of encryption
-types can be set to some combination of the following strings.
-Encryption types marked as “weak” and “deprecated” are available for
-compatibility but not recommended for use.</p>
-<table class="docutils align-default">
-<tbody>
-<tr class="row-odd"><td><p>des3-cbc-raw</p></td>
-<td><p>Triple DES cbc mode raw (weak)</p></td>
-</tr>
-<tr class="row-even"><td><p>des3-cbc-sha1 des3-hmac-sha1 des3-cbc-sha1-kd</p></td>
-<td><p>Triple DES cbc mode with HMAC/sha1 (deprecated)</p></td>
-</tr>
-<tr class="row-odd"><td><p>aes256-cts-hmac-sha1-96 aes256-cts aes256-sha1</p></td>
-<td><p>AES-256 CTS mode with 96-bit SHA-1 HMAC</p></td>
-</tr>
-<tr class="row-even"><td><p>aes128-cts-hmac-sha1-96 aes128-cts aes128-sha1</p></td>
-<td><p>AES-128 CTS mode with 96-bit SHA-1 HMAC</p></td>
-</tr>
-<tr class="row-odd"><td><p>aes256-cts-hmac-sha384-192 aes256-sha2</p></td>
-<td><p>AES-256 CTS mode with 192-bit SHA-384 HMAC</p></td>
-</tr>
-<tr class="row-even"><td><p>aes128-cts-hmac-sha256-128 aes128-sha2</p></td>
-<td><p>AES-128 CTS mode with 128-bit SHA-256 HMAC</p></td>
-</tr>
-<tr class="row-odd"><td><p>arcfour-hmac rc4-hmac arcfour-hmac-md5</p></td>
-<td><p>RC4 with HMAC/MD5 (deprecated)</p></td>
-</tr>
-<tr class="row-even"><td><p>arcfour-hmac-exp rc4-hmac-exp arcfour-hmac-md5-exp</p></td>
-<td><p>Exportable RC4 with HMAC/MD5 (weak)</p></td>
-</tr>
-<tr class="row-odd"><td><p>camellia256-cts-cmac camellia256-cts</p></td>
-<td><p>Camellia-256 CTS mode with CMAC</p></td>
-</tr>
-<tr class="row-even"><td><p>camellia128-cts-cmac camellia128-cts</p></td>
-<td><p>Camellia-128 CTS mode with CMAC</p></td>
-</tr>
-<tr class="row-odd"><td><p>des3</p></td>
-<td><p>The triple DES family: des3-cbc-sha1</p></td>
-</tr>
-<tr class="row-even"><td><p>aes</p></td>
-<td><p>The AES family: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha384-192, and aes128-cts-hmac-sha256-128</p></td>
-</tr>
-<tr class="row-odd"><td><p>rc4</p></td>
-<td><p>The RC4 family: arcfour-hmac</p></td>
-</tr>
-<tr class="row-even"><td><p>camellia</p></td>
-<td><p>The Camellia family: camellia256-cts-cmac and camellia128-cts-cmac</p></td>
-</tr>
-</tbody>
-</table>
-<p>The string <strong>DEFAULT</strong> can be used to refer to the default set of
-types for the variable in question. Types or families can be removed
-from the current list by prefixing them with a minus sign (“-“).
-Types or families can be prefixed with a plus sign (“+”) for symmetry;
-it has the same meaning as just listing the type or family. For
-example, “<code class="docutils literal notranslate"><span class="pre">DEFAULT</span> <span class="pre">-rc4</span></code>” would be the default set of encryption
-types with RC4 types removed, and “<code class="docutils literal notranslate"><span class="pre">des3</span> <span class="pre">DEFAULT</span></code>” would be the
-default set of encryption types with triple DES types moved to the
-front.</p>
-<p>While <strong>aes128-cts</strong> and <strong>aes256-cts</strong> are supported for all Kerberos
-operations, they are not supported by very old versions of our GSSAPI
-implementation (krb5-1.3.1 and earlier). Services running versions of
-krb5 without AES support must not be given keys of these encryption
-types in the KDC database.</p>
-<p>The <strong>aes128-sha2</strong> and <strong>aes256-sha2</strong> encryption types are new in
-release 1.15. Services running versions of krb5 without support for
-these newer encryption types must not be given keys of these
-encryption types in the KDC database.</p>
-</section>
-<section id="keysalt-lists">
-<span id="id7"></span><h2>Keysalt lists<a class="headerlink" href="#keysalt-lists" title="Link to this heading">¶</a></h2>
-<p>Kerberos keys for users are usually derived from passwords. Kerberos
-commands and configuration parameters that affect generation of keys
-take lists of enctype-salttype (“keysalt”) pairs, known as <em>keysalt
-lists</em>. Each keysalt pair is an enctype name followed by a salttype
-name, in the format <em>enc</em>:<em>salt</em>. Individual keysalt list members are
-separated by comma (“,”) characters or space characters. For example:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">kadmin</span> <span class="o">-</span><span class="n">e</span> <span class="n">aes256</span><span class="o">-</span><span class="n">cts</span><span class="p">:</span><span class="n">normal</span><span class="p">,</span><span class="n">aes128</span><span class="o">-</span><span class="n">cts</span><span class="p">:</span><span class="n">normal</span>
-</pre></div>
-</div>
-<p>would start up kadmin so that by default it would generate
-password-derived keys for the <strong>aes256-cts</strong> and <strong>aes128-cts</strong>
-encryption types, using a <strong>normal</strong> salt.</p>
-<p>To ensure that people who happen to pick the same password do not have
-the same key, Kerberos 5 incorporates more information into the key
-using something called a salt. The supported salt types are as
-follows:</p>
-<table class="docutils align-default">
-<tbody>
-<tr class="row-odd"><td><p>normal</p></td>
-<td><p>default for Kerberos Version 5</p></td>
-</tr>
-<tr class="row-even"><td><p>norealm</p></td>
-<td><p>same as the default, without using realm information</p></td>
-</tr>
-<tr class="row-odd"><td><p>onlyrealm</p></td>
-<td><p>uses only realm information as the salt</p></td>
-</tr>
-<tr class="row-even"><td><p>special</p></td>
-<td><p>generate a random salt</p></td>
-</tr>
-</tbody>
-</table>
-</section>
-<section id="sample-kdc-conf-file">
-<h2>Sample kdc.conf File<a class="headerlink" href="#sample-kdc-conf-file" title="Link to this heading">¶</a></h2>
-<p>Here’s an example of a kdc.conf file:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">kdcdefaults</span><span class="p">]</span>
- <span class="n">kdc_listen</span> <span class="o">=</span> <span class="mi">88</span>
- <span class="n">kdc_tcp_listen</span> <span class="o">=</span> <span class="mi">88</span>
-<span class="p">[</span><span class="n">realms</span><span class="p">]</span>
- <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="o">=</span> <span class="p">{</span>
- <span class="n">kadmind_port</span> <span class="o">=</span> <span class="mi">749</span>
- <span class="n">max_life</span> <span class="o">=</span> <span class="mi">12</span><span class="n">h</span> <span class="mi">0</span><span class="n">m</span> <span class="mi">0</span><span class="n">s</span>
- <span class="n">max_renewable_life</span> <span class="o">=</span> <span class="mi">7</span><span class="n">d</span> <span class="mi">0</span><span class="n">h</span> <span class="mi">0</span><span class="n">m</span> <span class="mi">0</span><span class="n">s</span>
- <span class="n">master_key_type</span> <span class="o">=</span> <span class="n">aes256</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span>
- <span class="n">supported_enctypes</span> <span class="o">=</span> <span class="n">aes256</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span><span class="p">:</span><span class="n">normal</span> <span class="n">aes128</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span><span class="p">:</span><span class="n">normal</span>
- <span class="n">database_module</span> <span class="o">=</span> <span class="n">openldap_ldapconf</span>
- <span class="p">}</span>
-
-<span class="p">[</span><span class="n">logging</span><span class="p">]</span>
- <span class="n">kdc</span> <span class="o">=</span> <span class="n">FILE</span><span class="p">:</span><span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">local</span><span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">krb5kdc</span><span class="o">/</span><span class="n">kdc</span><span class="o">.</span><span class="n">log</span>
- <span class="n">admin_server</span> <span class="o">=</span> <span class="n">FILE</span><span class="p">:</span><span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">local</span><span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">krb5kdc</span><span class="o">/</span><span class="n">kadmin</span><span class="o">.</span><span class="n">log</span>
-
-<span class="p">[</span><span class="n">dbdefaults</span><span class="p">]</span>
- <span class="n">ldap_kerberos_container_dn</span> <span class="o">=</span> <span class="n">cn</span><span class="o">=</span><span class="n">krbcontainer</span><span class="p">,</span><span class="n">dc</span><span class="o">=</span><span class="n">mit</span><span class="p">,</span><span class="n">dc</span><span class="o">=</span><span class="n">edu</span>
-
-<span class="p">[</span><span class="n">dbmodules</span><span class="p">]</span>
- <span class="n">openldap_ldapconf</span> <span class="o">=</span> <span class="p">{</span>
- <span class="n">db_library</span> <span class="o">=</span> <span class="n">kldap</span>
- <span class="n">disable_last_success</span> <span class="o">=</span> <span class="n">true</span>
- <span class="n">ldap_kdc_dn</span> <span class="o">=</span> <span class="s2">&quot;cn=krbadmin,dc=mit,dc=edu&quot;</span>
- <span class="c1"># this object needs to have read rights on</span>
- <span class="c1"># the realm container and principal subtrees</span>
- <span class="n">ldap_kadmind_dn</span> <span class="o">=</span> <span class="s2">&quot;cn=krbadmin,dc=mit,dc=edu&quot;</span>
- <span class="c1"># this object needs to have read and write rights on</span>
- <span class="c1"># the realm container and principal subtrees</span>
- <span class="n">ldap_service_password_file</span> <span class="o">=</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">kerberos</span><span class="o">/</span><span class="n">service</span><span class="o">.</span><span class="n">keyfile</span>
- <span class="n">ldap_servers</span> <span class="o">=</span> <span class="n">ldaps</span><span class="p">:</span><span class="o">//</span><span class="n">kerberos</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span>
- <span class="n">ldap_conns_per_server</span> <span class="o">=</span> <span class="mi">5</span>
- <span class="p">}</span>
-</pre></div>
-</div>
-</section>
-<section id="files">
-<h2>FILES<a class="headerlink" href="#files" title="Link to this heading">¶</a></h2>
-<p><a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">LOCALSTATEDIR</span></a><code class="docutils literal notranslate"><span class="pre">/krb5kdc</span></code><code class="docutils literal notranslate"><span class="pre">/kdc.conf</span></code></p>
-</section>
-<section id="see-also">
-<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Link to this heading">¶</a></h2>
-<p><a class="reference internal" href="krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a>, <a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a>, <a class="reference internal" href="kadm5_acl.html#kadm5-acl-5"><span class="std std-ref">kadm5.acl</span></a></p>
-</section>
-</section>
-
-
- <div class="clearer"></div>
- </div>
- </div>
- </div>
- </div>
- <div class="sidebar">
-
- <h2>On this page</h2>
- <ul>
-<li><a class="reference internal" href="#">kdc.conf</a><ul>
-<li><a class="reference internal" href="#structure">Structure</a></li>
-<li><a class="reference internal" href="#sections">Sections</a><ul>
-<li><a class="reference internal" href="#kdcdefaults">[kdcdefaults]</a></li>
-<li><a class="reference internal" href="#realms">[realms]</a></li>
-<li><a class="reference internal" href="#dbdefaults">[dbdefaults]</a></li>
-<li><a class="reference internal" href="#dbmodules">[dbmodules]</a></li>
-<li><a class="reference internal" href="#logging">[logging]</a></li>
-<li><a class="reference internal" href="#otp">[otp]</a></li>
-</ul>
-</li>
-<li><a class="reference internal" href="#pkinit-options">PKINIT options</a></li>
-<li><a class="reference internal" href="#encryption-types">Encryption types</a></li>
-<li><a class="reference internal" href="#keysalt-lists">Keysalt lists</a></li>
-<li><a class="reference internal" href="#sample-kdc-conf-file">Sample kdc.conf File</a></li>
-<li><a class="reference internal" href="#files">FILES</a></li>
-<li><a class="reference internal" href="#see-also">SEE ALSO</a></li>
-</ul>
-</li>
-</ul>
-
- <br/>
- <h2>Table of contents</h2>
- <ul class="current">
-<li class="toctree-l1"><a class="reference internal" href="../../user/index.html">For users</a></li>
-<li class="toctree-l1 current"><a class="reference internal" href="../index.html">For administrators</a><ul class="current">
-<li class="toctree-l2"><a class="reference internal" href="../install.html">Installation guide</a></li>
-<li class="toctree-l2 current"><a class="reference internal" href="index.html">Configuration Files</a><ul class="current">
-<li class="toctree-l3"><a class="reference internal" href="krb5_conf.html">krb5.conf</a></li>
-<li class="toctree-l3 current"><a class="current reference internal" href="#">kdc.conf</a></li>
-<li class="toctree-l3"><a class="reference internal" href="kadm5_acl.html">kadm5.acl</a></li>
-</ul>
-</li>
-<li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../dbtypes.html">Database types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../host_config.html">Host configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../spake.html">SPAKE Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../dictionary.html">Addressing dictionary attack risks</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../auth_indicator.html">Authentication indicators</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../admin_commands/index.html">Administration programs</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../../mitK5defaults.html">MIT Kerberos defaults</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../env_variables.html">Environment variables</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../troubleshoot.html">Troubleshooting</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../advanced/index.html">Advanced topics</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../various_envs.html">Various links</a></li>
-</ul>
-</li>
-<li class="toctree-l1"><a class="reference internal" href="../../appdev/index.html">For application developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../plugindev/index.html">For plugin module developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../build/index.html">Building Kerberos V5</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../basic/index.html">Kerberos V5 concepts</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../formats/index.html">Protocols and file formats</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../mitK5features.html">MIT Kerberos features</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../build_this.html">How to build this documentation from the source</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../about.html">Contributing to the MIT Kerberos Documentation</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../resources.html">Resources</a></li>
-</ul>
-
- <br/>
- <h4><a href="../../index.html">Full Table of Contents</a></h4>
- <h4>Search</h4>
- <form class="search" action="../../search.html" method="get">
- <input type="text" name="q" size="18" />
- <input type="submit" value="Go" />
- <input type="hidden" name="check_keywords" value="yes" />
- <input type="hidden" name="area" value="default" />
- </form>
-
- </div>
- <div class="clearer"></div>
- </div>
- </div>
-
- <div class="footer-wrapper">
- <div class="footer" >
- <div class="right" ><i>Release: 1.22-final</i><br />
- &copy; <a href="../../copyright.html">Copyright</a> 1985-2025, MIT.
- </div>
- <div class="left">
-
- <a href="../../index.html" title="Full Table of Contents"
- >Contents</a> |
- <a href="krb5_conf.html" title="krb5.conf"
- >previous</a> |
- <a href="kadm5_acl.html" title="kadm5.acl"
- >next</a> |
- <a href="../../genindex.html" title="General Index"
- >index</a> |
- <a href="../../search.html" title="Enter search criteria"
- >Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__kdc.conf">feedback</a>
- </div>
- </div>
- </div>
-
- </body>
-</html> \ No newline at end of file
diff --git a/crypto/krb5/doc/html/admin/conf_files/krb5_conf.html b/crypto/krb5/doc/html/admin/conf_files/krb5_conf.html
deleted file mode 100644
index f1438242431d..000000000000
--- a/crypto/krb5/doc/html/admin/conf_files/krb5_conf.html
+++ /dev/null
@@ -1,1350 +0,0 @@
-<!DOCTYPE html>
-
-<html lang="en" data-content_root="../../">
- <head>
- <meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
-
- <title>krb5.conf &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../../_static/pygments.css?v=fa44fd50" />
- <link rel="stylesheet" type="text/css" href="../../_static/agogo.css?v=879f3c71" />
- <link rel="stylesheet" type="text/css" href="../../_static/kerb.css?v=6a0b3979" />
- <script src="../../_static/documentation_options.js?v=236fef3b"></script>
- <script src="../../_static/doctools.js?v=888ff710"></script>
- <script src="../../_static/sphinx_highlight.js?v=dc90522c"></script>
- <link rel="author" title="About these documents" href="../../about.html" />
- <link rel="index" title="Index" href="../../genindex.html" />
- <link rel="search" title="Search" href="../../search.html" />
- <link rel="copyright" title="Copyright" href="../../copyright.html" />
- <link rel="next" title="kdc.conf" href="kdc_conf.html" />
- <link rel="prev" title="Configuration Files" href="index.html" />
- </head><body>
- <div class="header-wrapper">
- <div class="header">
-
-
- <h1><a href="../../index.html">MIT Kerberos Documentation</a></h1>
-
- <div class="rel">
-
- <a href="../../index.html" title="Full Table of Contents"
- accesskey="C">Contents</a> |
- <a href="index.html" title="Configuration Files"
- accesskey="P">previous</a> |
- <a href="kdc_conf.html" title="kdc.conf"
- accesskey="N">next</a> |
- <a href="../../genindex.html" title="General Index"
- accesskey="I">index</a> |
- <a href="../../search.html" title="Enter search criteria"
- accesskey="S">Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__krb5.conf">feedback</a>
- </div>
- </div>
- </div>
-
- <div class="content-wrapper">
- <div class="content">
- <div class="document">
-
- <div class="documentwrapper">
- <div class="bodywrapper">
- <div class="body" role="main">
-
- <section id="krb5-conf">
-<span id="krb5-conf-5"></span><h1>krb5.conf<a class="headerlink" href="#krb5-conf" title="Link to this heading">¶</a></h1>
-<p>The krb5.conf file contains Kerberos configuration information,
-including the locations of KDCs and admin servers for the Kerberos
-realms of interest, defaults for the current realm and for Kerberos
-applications, and mappings of hostnames onto Kerberos realms.
-Normally, you should install your krb5.conf file in the directory
-<code class="docutils literal notranslate"><span class="pre">/etc</span></code>. You can override the default location by setting the
-environment variable <strong>KRB5_CONFIG</strong>. Multiple colon-separated
-filenames may be specified in <strong>KRB5_CONFIG</strong>; all files which are
-present will be read. Starting in release 1.14, directory names can
-also be specified in <strong>KRB5_CONFIG</strong>; all files within the directory
-whose names consist solely of alphanumeric characters, dashes, or
-underscores will be read.</p>
-<section id="structure">
-<h2>Structure<a class="headerlink" href="#structure" title="Link to this heading">¶</a></h2>
-<p>The krb5.conf file is set up in the style of a Windows INI file.
-Lines beginning with ‘#’ or ‘;’ (possibly after initial whitespace)
-are ignored as comments. Sections are headed by the section name, in
-square brackets. Each section may contain zero or more relations, of
-the form:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">foo</span> <span class="o">=</span> <span class="n">bar</span>
-</pre></div>
-</div>
-<p>or:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">fubar</span> <span class="o">=</span> <span class="p">{</span>
- <span class="n">foo</span> <span class="o">=</span> <span class="n">bar</span>
- <span class="n">baz</span> <span class="o">=</span> <span class="n">quux</span>
-<span class="p">}</span>
-</pre></div>
-</div>
-<p>The krb5.conf file can include other files using either of the
-following directives at the beginning of a line:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">include</span> <span class="n">FILENAME</span>
-<span class="n">includedir</span> <span class="n">DIRNAME</span>
-</pre></div>
-</div>
-<p><em>FILENAME</em> or <em>DIRNAME</em> should be an absolute path. The named file or
-directory must exist and be readable. Including a directory includes
-all files within the directory whose names consist solely of
-alphanumeric characters, dashes, or underscores. Starting in release
-1.15, files with names ending in “.conf” are also included, unless the
-name begins with “.”. Included profile files are syntactically
-independent of their parents, so each included file must begin with a
-section header. Starting in release 1.17, files are read in
-alphanumeric order; in previous releases, they may be read in any
-order.</p>
-<p>Placing a ‘*’ after the closing bracket of a section name indicates
-that the section is <em>final</em>, meaning that if the same section appears
-again later, it will be ignored. A subsection can be marked as final
-by placing a ‘*’ after either the tag name or the closing brace. A
-relation can be marked as final by placing a ‘*’ after the tag name.
-Prior to release 1.22, only sections and subsections can be marked as
-final, and the flag only causes values to be ignored if they appear in
-later files specified in <strong>KRB5_CONFIG</strong>, not if they appear later
-within the same file or an included file.</p>
-<p>The krb5.conf file can specify that configuration should be obtained
-from a loadable module, rather than the file itself, using the
-following directive at the beginning of a line before any section
-headers:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">module</span> <span class="n">MODULEPATH</span><span class="p">:</span><span class="n">RESIDUAL</span>
-</pre></div>
-</div>
-<p><em>MODULEPATH</em> may be relative to the library path of the krb5
-installation, or it may be an absolute path. <em>RESIDUAL</em> is provided
-to the module at initialization time. If krb5.conf uses a module
-directive, <a class="reference internal" href="kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a> should also use one if it exists.</p>
-</section>
-<section id="sections">
-<h2>Sections<a class="headerlink" href="#sections" title="Link to this heading">¶</a></h2>
-<p>The krb5.conf file may contain the following sections:</p>
-<table class="docutils align-default">
-<tbody>
-<tr class="row-odd"><td><p><a class="reference internal" href="#libdefaults"><span class="std std-ref">[libdefaults]</span></a></p></td>
-<td><p>Settings used by the Kerberos V5 library</p></td>
-</tr>
-<tr class="row-even"><td><p><a class="reference internal" href="#realms"><span class="std std-ref">[realms]</span></a></p></td>
-<td><p>Realm-specific contact information and settings</p></td>
-</tr>
-<tr class="row-odd"><td><p><a class="reference internal" href="#domain-realm"><span class="std std-ref">[domain_realm]</span></a></p></td>
-<td><p>Maps server hostnames to Kerberos realms</p></td>
-</tr>
-<tr class="row-even"><td><p><a class="reference internal" href="#capaths"><span class="std std-ref">[capaths]</span></a></p></td>
-<td><p>Authentication paths for non-hierarchical cross-realm</p></td>
-</tr>
-<tr class="row-odd"><td><p><a class="reference internal" href="#appdefaults"><span class="std std-ref">[appdefaults]</span></a></p></td>
-<td><p>Settings used by some Kerberos V5 applications</p></td>
-</tr>
-<tr class="row-even"><td><p><a class="reference internal" href="#plugins"><span class="std std-ref">[plugins]</span></a></p></td>
-<td><p>Controls plugin module registration</p></td>
-</tr>
-</tbody>
-</table>
-<p>Additionally, krb5.conf may include any of the relations described in
-<a class="reference internal" href="kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>, but it is not a recommended practice.</p>
-<section id="libdefaults">
-<span id="id1"></span><h3>[libdefaults]<a class="headerlink" href="#libdefaults" title="Link to this heading">¶</a></h3>
-<p>The libdefaults section may contain any of the following relations:</p>
-<dl>
-<dt><strong>allow_des3</strong></dt><dd><p>Permit the KDC to issue tickets with des3-cbc-sha1 session keys.
-In future releases, this flag will allow des3-cbc-sha1 to be used
-at all. The default value for this tag is false. (Added in
-release 1.21.)</p>
-</dd>
-<dt><strong>allow_rc4</strong></dt><dd><p>Permit the KDC to issue tickets with arcfour-hmac session keys.
-In future releases, this flag will allow arcfour-hmac to be used
-at all. The default value for this tag is false. (Added in
-release 1.21.)</p>
-</dd>
-<dt><strong>allow_weak_crypto</strong></dt><dd><p>If this flag is set to false, then weak encryption types (as noted
-in <a class="reference internal" href="kdc_conf.html#encryption-types"><span class="std std-ref">Encryption types</span></a> in <a class="reference internal" href="kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>) will be filtered
-out of the lists <strong>default_tgs_enctypes</strong>,
-<strong>default_tkt_enctypes</strong>, and <strong>permitted_enctypes</strong>. The default
-value for this tag is false.</p>
-</dd>
-<dt><strong>canonicalize</strong></dt><dd><p>If this flag is set to true, initial ticket requests to the KDC
-will request canonicalization of the client principal name, and
-answers with different client principals than the requested
-principal will be accepted. The default value is false.</p>
-</dd>
-<dt><strong>ccache_type</strong></dt><dd><p>This parameter determines the format of credential cache types
-created by <a class="reference internal" href="../../user/user_commands/kinit.html#kinit-1"><span class="std std-ref">kinit</span></a> or other programs. The default value
-is 4, which represents the most current format. Smaller values
-can be used for compatibility with very old implementations of
-Kerberos which interact with credential caches on the same host.</p>
-</dd>
-<dt><strong>clockskew</strong></dt><dd><p>Sets the maximum allowable amount of clockskew in seconds that the
-library will tolerate before assuming that a Kerberos message is
-invalid. The default value is 300 seconds, or five minutes.</p>
-<p>The clockskew setting is also used when evaluating ticket start
-and expiration times. For example, tickets that have reached
-their expiration time can still be used (and renewed if they are
-renewable tickets) if they have been expired for a shorter
-duration than the <strong>clockskew</strong> setting.</p>
-</dd>
-<dt><strong>default_ccache_name</strong></dt><dd><p>This relation specifies the name of the default credential cache.
-The default is <a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">DEFCCNAME</span></a>. This relation is subject to parameter
-expansion (see below). New in release 1.11.</p>
-</dd>
-<dt><strong>default_client_keytab_name</strong></dt><dd><p>This relation specifies the name of the default keytab for
-obtaining client credentials. The default is <a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">DEFCKTNAME</span></a>. This
-relation is subject to parameter expansion (see below).
-New in release 1.11.</p>
-</dd>
-<dt><strong>default_keytab_name</strong></dt><dd><p>This relation specifies the default keytab name to be used by
-application servers such as sshd. The default is <a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">DEFKTNAME</span></a>. This
-relation is subject to parameter expansion (see below).</p>
-</dd>
-<dt><strong>default_rcache_name</strong></dt><dd><p>This relation specifies the name of the default replay cache.
-The default is <code class="docutils literal notranslate"><span class="pre">dfl:</span></code>. This relation is subject to parameter
-expansion (see below). New in release 1.18.</p>
-</dd>
-<dt><strong>default_realm</strong></dt><dd><p>Identifies the default Kerberos realm for the client. Set its
-value to your Kerberos realm. If this value is not set, then a
-realm must be specified with every Kerberos principal when
-invoking programs such as <a class="reference internal" href="../../user/user_commands/kinit.html#kinit-1"><span class="std std-ref">kinit</span></a>.</p>
-</dd>
-<dt><strong>default_tgs_enctypes</strong></dt><dd><p>Identifies the supported list of session key encryption types that
-the client should request when making a TGS-REQ, in order of
-preference from highest to lowest. The list may be delimited with
-commas or whitespace. See <a class="reference internal" href="kdc_conf.html#encryption-types"><span class="std std-ref">Encryption types</span></a> in
-<a class="reference internal" href="kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a> for a list of the accepted values for this tag.
-Starting in release 1.18, the default value is the value of
-<strong>permitted_enctypes</strong>. For previous releases or if
-<strong>permitted_enctypes</strong> is not set, the default value is
-<code class="docutils literal notranslate"><span class="pre">aes256-cts-hmac-sha1-96</span> <span class="pre">aes128-cts-hmac-sha1-96</span> <span class="pre">aes256-cts-hmac-sha384-192</span> <span class="pre">aes128-cts-hmac-sha256-128</span> <span class="pre">des3-cbc-sha1</span> <span class="pre">arcfour-hmac-md5</span> <span class="pre">camellia256-cts-cmac</span> <span class="pre">camellia128-cts-cmac</span></code>.</p>
-<p>Do not set this unless required for specific backward
-compatibility purposes; stale values of this setting can prevent
-clients from taking advantage of new stronger enctypes when the
-libraries are upgraded.</p>
-</dd>
-<dt><strong>default_tkt_enctypes</strong></dt><dd><p>Identifies the supported list of session key encryption types that
-the client should request when making an AS-REQ, in order of
-preference from highest to lowest. The format is the same as for
-default_tgs_enctypes. Starting in release 1.18, the default
-value is the value of <strong>permitted_enctypes</strong>. For previous
-releases or if <strong>permitted_enctypes</strong> is not set, the default
-value is <code class="docutils literal notranslate"><span class="pre">aes256-cts-hmac-sha1-96</span> <span class="pre">aes128-cts-hmac-sha1-96</span> <span class="pre">aes256-cts-hmac-sha384-192</span> <span class="pre">aes128-cts-hmac-sha256-128</span> <span class="pre">des3-cbc-sha1</span> <span class="pre">arcfour-hmac-md5</span> <span class="pre">camellia256-cts-cmac</span> <span class="pre">camellia128-cts-cmac</span></code>.</p>
-<p>Do not set this unless required for specific backward
-compatibility purposes; stale values of this setting can prevent
-clients from taking advantage of new stronger enctypes when the
-libraries are upgraded.</p>
-</dd>
-<dt><strong>dns_canonicalize_hostname</strong></dt><dd><p>Indicate whether name lookups will be used to canonicalize
-hostnames for use in service principal names. Setting this flag
-to false can improve security by reducing reliance on DNS, but
-means that short hostnames will not be canonicalized to
-fully-qualified hostnames. If this option is set to <code class="docutils literal notranslate"><span class="pre">fallback</span></code> (new
-in release 1.18), DNS canonicalization will only be performed the
-server hostname is not found with the original name when
-requesting credentials. The default value is true.</p>
-</dd>
-<dt><strong>dns_lookup_kdc</strong></dt><dd><p>Indicate whether DNS SRV records should be used to locate the KDCs
-and other servers for a realm, if they are not listed in the
-krb5.conf information for the realm. (Note that the admin_server
-entry must be in the krb5.conf realm information in order to
-contact kadmind, because the DNS implementation for kadmin is
-incomplete.)</p>
-<p>Enabling this option does open up a type of denial-of-service
-attack, if someone spoofs the DNS records and redirects you to
-another server. However, it’s no worse than a denial of service,
-because that fake KDC will be unable to decode anything you send
-it (besides the initial ticket request, which has no encrypted
-data), and anything the fake KDC sends will not be trusted without
-verification using some secret that it won’t know.</p>
-</dd>
-<dt><strong>dns_lookup_realm</strong></dt><dd><p>Indicate whether DNS TXT records should be used to map hostnames
-to realm names for hostnames not listed in the [domain_realm]
-section, and to determine the default realm if <strong>default_realm</strong>
-is not set. The default value is false.</p>
-</dd>
-<dt><strong>dns_uri_lookup</strong></dt><dd><p>Indicate whether DNS URI records should be used to locate the KDCs
-and other servers for a realm, if they are not listed in the
-krb5.conf information for the realm. SRV records are used as a
-fallback if no URI records were found. The default value is true.
-New in release 1.15.</p>
-</dd>
-<dt><strong>enforce_ok_as_delegate</strong></dt><dd><p>If this flag to true, GSSAPI credential delegation will be
-disabled when the <code class="docutils literal notranslate"><span class="pre">ok-as-delegate</span></code> flag is not set in the
-service ticket. If this flag is false, the <code class="docutils literal notranslate"><span class="pre">ok-as-delegate</span></code>
-ticket flag is only enforced when an application specifically
-requests enforcement. The default value is false.</p>
-</dd>
-<dt><strong>err_fmt</strong></dt><dd><p>This relation allows for custom error message formatting. If a
-value is set, error messages will be formatted by substituting a
-normal error message for %M and an error code for %C in the value.</p>
-</dd>
-<dt><strong>extra_addresses</strong></dt><dd><p>This allows a computer to use multiple local addresses, in order
-to allow Kerberos to work in a network that uses NATs while still
-using address-restricted tickets. The addresses should be in a
-comma-separated list. This option has no effect if
-<strong>noaddresses</strong> is true.</p>
-</dd>
-<dt><strong>forwardable</strong></dt><dd><p>If this flag is true, initial tickets will be forwardable by
-default, if allowed by the KDC. The default value is false.</p>
-</dd>
-<dt><strong>ignore_acceptor_hostname</strong></dt><dd><p>When accepting GSSAPI or krb5 security contexts for host-based
-service principals, ignore any hostname passed by the calling
-application, and allow clients to authenticate to any service
-principal in the keytab matching the service name and realm name
-(if given). This option can improve the administrative
-flexibility of server applications on multihomed hosts, but could
-compromise the security of virtual hosting environments. The
-default value is false. New in release 1.10.</p>
-</dd>
-<dt><strong>k5login_authoritative</strong></dt><dd><p>If this flag is true, principals must be listed in a local user’s
-k5login file to be granted login access, if a <a class="reference internal" href="../../user/user_config/k5login.html#k5login-5"><span class="std std-ref">.k5login</span></a>
-file exists. If this flag is false, a principal may still be
-granted login access through other mechanisms even if a k5login
-file exists but does not list the principal. The default value is
-true.</p>
-</dd>
-<dt><strong>k5login_directory</strong></dt><dd><p>If set, the library will look for a local user’s k5login file
-within the named directory, with a filename corresponding to the
-local username. If not set, the library will look for k5login
-files in the user’s home directory, with the filename .k5login.
-For security reasons, .k5login files must be owned by
-the local user or by root.</p>
-</dd>
-<dt><strong>kcm_mach_service</strong></dt><dd><p>On macOS only, determines the name of the bootstrap service used to
-contact the KCM daemon for the KCM credential cache type. If the
-value is <code class="docutils literal notranslate"><span class="pre">-</span></code>, Mach RPC will not be used to contact the KCM
-daemon. The default value is <code class="docutils literal notranslate"><span class="pre">org.h5l.kcm</span></code>.</p>
-</dd>
-<dt><strong>kcm_socket</strong></dt><dd><p>Determines the path to the Unix domain socket used to access the
-KCM daemon for the KCM credential cache type. If the value is
-<code class="docutils literal notranslate"><span class="pre">-</span></code>, Unix domain sockets will not be used to contact the KCM
-daemon. The default value is
-<code class="docutils literal notranslate"><span class="pre">/var/run/.heim_org.h5l.kcm-socket</span></code>.</p>
-</dd>
-<dt><strong>kdc_default_options</strong></dt><dd><p>Default KDC options (Xored for multiple values) when requesting
-initial tickets. By default it is set to 0x00000010
-(KDC_OPT_RENEWABLE_OK).</p>
-</dd>
-<dt><strong>kdc_timesync</strong></dt><dd><p>Accepted values for this relation are 1 or 0. If it is nonzero,
-client machines will compute the difference between their time and
-the time returned by the KDC in the timestamps in the tickets and
-use this value to correct for an inaccurate system clock when
-requesting service tickets or authenticating to services. This
-corrective factor is only used by the Kerberos library; it is not
-used to change the system clock. The default value is 1.</p>
-</dd>
-<dt><strong>noaddresses</strong></dt><dd><p>If this flag is true, requests for initial tickets will not be
-made with address restrictions set, allowing the tickets to be
-used across NATs. The default value is true.</p>
-</dd>
-<dt><strong>permitted_enctypes</strong></dt><dd><p>Identifies the encryption types that servers will permit for
-session keys and for ticket and authenticator encryption, ordered
-by preference from highest to lowest. Starting in release 1.18,
-this tag also acts as the default value for
-<strong>default_tgs_enctypes</strong> and <strong>default_tkt_enctypes</strong>. The
-default value for this tag is <code class="docutils literal notranslate"><span class="pre">aes256-cts-hmac-sha1-96</span> <span class="pre">aes128-cts-hmac-sha1-96</span> <span class="pre">aes256-cts-hmac-sha384-192</span> <span class="pre">aes128-cts-hmac-sha256-128</span> <span class="pre">des3-cbc-sha1</span> <span class="pre">arcfour-hmac-md5</span> <span class="pre">camellia256-cts-cmac</span> <span class="pre">camellia128-cts-cmac</span></code>.</p>
-</dd>
-<dt><strong>plugin_base_dir</strong></dt><dd><p>If set, determines the base directory where krb5 plugins are
-located. The default value is the <code class="docutils literal notranslate"><span class="pre">krb5/plugins</span></code> subdirectory
-of the krb5 library directory. This relation is subject to
-parameter expansion (see below) in release 1.17 and later.</p>
-</dd>
-<dt><strong>preferred_preauth_types</strong></dt><dd><p>This allows you to set the preferred preauthentication types which
-the client will attempt before others which may be advertised by a
-KDC. The default value for this setting is “17, 16, 15, 14”,
-which forces libkrb5 to attempt to use PKINIT if it is supported.</p>
-</dd>
-<dt><strong>proxiable</strong></dt><dd><p>If this flag is true, initial tickets will be proxiable by
-default, if allowed by the KDC. The default value is false.</p>
-</dd>
-<dt><strong>qualify_shortname</strong></dt><dd><p>If this string is set, it determines the domain suffix for
-single-component hostnames when DNS canonicalization is not used
-(either because <strong>dns_canonicalize_hostname</strong> is false or because
-forward canonicalization failed). The default value is the first
-search domain of the system’s DNS configuration. To disable
-qualification of shortnames, set this relation to the empty string
-with <code class="docutils literal notranslate"><span class="pre">qualify_shortname</span> <span class="pre">=</span> <span class="pre">&quot;&quot;</span></code>. (New in release 1.18.)</p>
-</dd>
-<dt><strong>rdns</strong></dt><dd><p>If this flag is true, reverse name lookup will be used in addition
-to forward name lookup to canonicalizing hostnames for use in
-service principal names. If <strong>dns_canonicalize_hostname</strong> is set
-to false, this flag has no effect. The default value is true.</p>
-</dd>
-<dt><strong>realm_try_domains</strong></dt><dd><p>Indicate whether a host’s domain components should be used to
-determine the Kerberos realm of the host. The value of this
-variable is an integer: -1 means not to search, 0 means to try the
-host’s domain itself, 1 means to also try the domain’s immediate
-parent, and so forth. The library’s usual mechanism for locating
-Kerberos realms is used to determine whether a domain is a valid
-realm, which may involve consulting DNS if <strong>dns_lookup_kdc</strong> is
-set. The default is not to search domain components.</p>
-</dd>
-<dt><strong>renew_lifetime</strong></dt><dd><p>(<a class="reference internal" href="../../basic/date_format.html#duration"><span class="std std-ref">Time duration</span></a> string.) Sets the default renewable lifetime
-for initial ticket requests. The default value is 0.</p>
-</dd>
-<dt><strong>request_timeout</strong></dt><dd><p>(<a class="reference internal" href="../../basic/date_format.html#duration"><span class="std std-ref">Time duration</span></a> string.) Sets the maximum total time for KDC and
-password change requests. This timeout does not affect the
-intervals between requests, so setting a low timeout may result in
-fewer requests being attempted and/or some servers not being
-contacted. A value of 0 indicates no specific maximum, in which
-case requests will time out if no server responds after several
-tries. The default value is 0. (New in release 1.22.)</p>
-</dd>
-<dt><strong>spake_preauth_groups</strong></dt><dd><p>A whitespace or comma-separated list of words which specifies the
-groups allowed for SPAKE preauthentication. The possible values
-are:</p>
-<table class="docutils align-default">
-<tbody>
-<tr class="row-odd"><td><p>edwards25519</p></td>
-<td><p>Edwards25519 curve (<span class="target" id="index-0"></span><a class="rfc reference external" href="https://datatracker.ietf.org/doc/html/rfc7748.html"><strong>RFC 7748</strong></a>)</p></td>
-</tr>
-<tr class="row-even"><td><p>P-256</p></td>
-<td><p>NIST P-256 curve (<span class="target" id="index-1"></span><a class="rfc reference external" href="https://datatracker.ietf.org/doc/html/rfc5480.html"><strong>RFC 5480</strong></a>)</p></td>
-</tr>
-<tr class="row-odd"><td><p>P-384</p></td>
-<td><p>NIST P-384 curve (<span class="target" id="index-2"></span><a class="rfc reference external" href="https://datatracker.ietf.org/doc/html/rfc5480.html"><strong>RFC 5480</strong></a>)</p></td>
-</tr>
-<tr class="row-even"><td><p>P-521</p></td>
-<td><p>NIST P-521 curve (<span class="target" id="index-3"></span><a class="rfc reference external" href="https://datatracker.ietf.org/doc/html/rfc5480.html"><strong>RFC 5480</strong></a>)</p></td>
-</tr>
-</tbody>
-</table>
-<p>The default value for the client is <code class="docutils literal notranslate"><span class="pre">edwards25519</span></code>. The default
-value for the KDC is empty. New in release 1.17.</p>
-</dd>
-<dt><strong>ticket_lifetime</strong></dt><dd><p>(<a class="reference internal" href="../../basic/date_format.html#duration"><span class="std std-ref">Time duration</span></a> string.) Sets the default lifetime for initial
-ticket requests. The default value is 1 day.</p>
-</dd>
-<dt><strong>udp_preference_limit</strong></dt><dd><p>When sending a message to the KDC, the library will try using TCP
-before UDP if the size of the message is above
-<strong>udp_preference_limit</strong>. If the message is smaller than
-<strong>udp_preference_limit</strong>, then UDP will be tried before TCP.
-Regardless of the size, both protocols will be tried if the first
-attempt fails.</p>
-</dd>
-<dt><strong>verify_ap_req_nofail</strong></dt><dd><p>If this flag is true, then an attempt to verify initial
-credentials will fail if the client machine does not have a
-keytab. The default value is false.</p>
-</dd>
-<dt><strong>client_aware_channel_bindings</strong></dt><dd><p>If this flag is true, then all application protocol authentication
-requests will be flagged to indicate that the application supports
-channel bindings when operating over a secure channel. The
-default value is false.</p>
-</dd>
-</dl>
-</section>
-<section id="realms">
-<span id="id2"></span><h3>[realms]<a class="headerlink" href="#realms" title="Link to this heading">¶</a></h3>
-<p>Each tag in the [realms] section of the file is the name of a Kerberos
-realm. The value of the tag is a subsection with relations that
-define the properties of that particular realm. For each realm, the
-following tags may be specified in the realm’s subsection:</p>
-<dl>
-<dt><strong>admin_server</strong></dt><dd><p>Identifies the host where the administration server is running.
-Typically, this is the primary Kerberos server. This tag must be
-given a value in order to communicate with the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a>
-server for the realm.</p>
-</dd>
-<dt><strong>auth_to_local</strong></dt><dd><p>This tag allows you to set a general rule for mapping principal
-names to local user names. It will be used if there is not an
-explicit mapping for the principal name that is being
-translated. The possible values are:</p>
-<dl>
-<dt><strong>RULE:</strong><em>exp</em></dt><dd><p>The local name will be formulated from <em>exp</em>.</p>
-<p>The format for <em>exp</em> is <strong>[</strong><em>n</em><strong>:</strong><em>string</em><strong>](</strong><em>regexp</em><strong>)s/</strong><em>pattern</em><strong>/</strong><em>replacement</em><strong>/g</strong>.
-The integer <em>n</em> indicates how many components the target
-principal should have. If this matches, then a string will be
-formed from <em>string</em>, substituting the realm of the principal
-for <code class="docutils literal notranslate"><span class="pre">$0</span></code> and the <em>n</em>’th component of the principal for
-<code class="docutils literal notranslate"><span class="pre">$n</span></code> (e.g., if the principal was <code class="docutils literal notranslate"><span class="pre">johndoe/admin</span></code> then
-<code class="docutils literal notranslate"><span class="pre">[2:$2$1foo]</span></code> would result in the string
-<code class="docutils literal notranslate"><span class="pre">adminjohndoefoo</span></code>). If this string matches <em>regexp</em>, then
-the <code class="docutils literal notranslate"><span class="pre">s//[g]</span></code> substitution command will be run over the
-string. The optional <strong>g</strong> will cause the substitution to be
-global over the <em>string</em>, instead of replacing only the first
-match in the <em>string</em>.</p>
-</dd>
-<dt><strong>DEFAULT</strong></dt><dd><p>The principal name will be used as the local user name. If
-the principal has more than one component or is not in the
-default realm, this rule is not applicable and the conversion
-will fail.</p>
-</dd>
-</dl>
-<p>For example:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>[realms]
- ATHENA.MIT.EDU = {
- auth_to_local = RULE:[2:$1](johndoe)s/^.*$/guest/
- auth_to_local = RULE:[2:$1;$2](^.*;admin$)s/;admin$//
- auth_to_local = RULE:[2:$2](^.*;root)s/^.*$/root/
- auth_to_local = DEFAULT
- }
-</pre></div>
-</div>
-<p>would result in any principal without <code class="docutils literal notranslate"><span class="pre">root</span></code> or <code class="docutils literal notranslate"><span class="pre">admin</span></code> as the
-second component to be translated with the default rule. A
-principal with a second component of <code class="docutils literal notranslate"><span class="pre">admin</span></code> will become its
-first component. <code class="docutils literal notranslate"><span class="pre">root</span></code> will be used as the local name for any
-principal with a second component of <code class="docutils literal notranslate"><span class="pre">root</span></code>. The exception to
-these two rules are any principals <code class="docutils literal notranslate"><span class="pre">johndoe/*</span></code>, which will
-always get the local name <code class="docutils literal notranslate"><span class="pre">guest</span></code>.</p>
-</dd>
-<dt><strong>auth_to_local_names</strong></dt><dd><p>This subsection allows you to set explicit mappings from principal
-names to local user names. The tag is the mapping name, and the
-value is the corresponding local user name.</p>
-</dd>
-<dt><strong>default_domain</strong></dt><dd><p>This tag specifies the domain used to expand hostnames when
-translating Kerberos 4 service principals to Kerberos 5 principals
-(for example, when converting <code class="docutils literal notranslate"><span class="pre">rcmd.hostname</span></code> to
-<code class="docutils literal notranslate"><span class="pre">host/hostname.domain</span></code>).</p>
-</dd>
-<dt><strong>disable_encrypted_timestamp</strong></dt><dd><p>If this flag is true, the client will not perform encrypted
-timestamp preauthentication if requested by the KDC. Setting this
-flag can help to prevent dictionary attacks by active attackers,
-if the realm’s KDCs support SPAKE preauthentication or if initial
-authentication always uses another mechanism or always uses FAST.
-This flag persists across client referrals during initial
-authentication. This flag does not prevent the KDC from offering
-encrypted timestamp. New in release 1.17.</p>
-</dd>
-<dt><strong>http_anchors</strong></dt><dd><p>When KDCs and kpasswd servers are accessed through HTTPS proxies, this tag
-can be used to specify the location of the CA certificate which should be
-trusted to issue the certificate for a proxy server. If left unspecified,
-the system-wide default set of CA certificates is used.</p>
-<p>The syntax for values is similar to that of values for the
-<strong>pkinit_anchors</strong> tag:</p>
-<p><strong>FILE:</strong> <em>filename</em></p>
-<p><em>filename</em> is assumed to be the name of an OpenSSL-style ca-bundle file.</p>
-<p><strong>DIR:</strong> <em>dirname</em></p>
-<p><em>dirname</em> is assumed to be an directory which contains CA certificates.
-All files in the directory will be examined; if they contain certificates
-(in PEM format), they will be used.</p>
-<p><strong>ENV:</strong> <em>envvar</em></p>
-<p><em>envvar</em> specifies the name of an environment variable which has been set
-to a value conforming to one of the previous values. For example,
-<code class="docutils literal notranslate"><span class="pre">ENV:X509_PROXY_CA</span></code>, where environment variable <code class="docutils literal notranslate"><span class="pre">X509_PROXY_CA</span></code> has
-been set to <code class="docutils literal notranslate"><span class="pre">FILE:/tmp/my_proxy.pem</span></code>.</p>
-</dd>
-<dt><strong>kdc</strong></dt><dd><p>The name or address of a host running a KDC for the realm, or a
-UNIX domain socket path of a locally running KDC. An optional
-port number, separated from the hostname by a colon, may be
-included. If the name or address contains colons (for example, if
-it is an IPv6 address), enclose it in square brackets to
-distinguish the colon from a port separator. For your computer to
-be able to communicate with the KDC for each realm, this tag must
-be given a value in each realm subsection in the configuration
-file, or there must be DNS SRV records specifying the KDCs.</p>
-</dd>
-<dt><strong>kpasswd_server</strong></dt><dd><p>The location of the password change server for the realm, using
-the same syntax as <strong>kdc</strong>. If there is no such entry, DNS will
-be queried (unless forbidden by <strong>dns_lookup_kdc</strong>). Finally,
-port 464 on the <strong>admin_server</strong> host will be tried.</p>
-</dd>
-<dt><strong>master_kdc</strong></dt><dd><p>The name for <strong>primary_kdc</strong> prior to release 1.19. Its value is
-used as a fallback if <strong>primary_kdc</strong> is not specified.</p>
-</dd>
-<dt><strong>primary_kdc</strong></dt><dd><p>Identifies the primary KDC(s). Currently, this tag is used in only
-one case: If an attempt to get credentials fails because of an
-invalid password, the client software will attempt to contact the
-primary KDC, in case the user’s password has just been changed, and
-the updated database has not been propagated to the replica
-servers yet. New in release 1.19.</p>
-</dd>
-<dt><strong>sitename</strong></dt><dd><p>Specifies the name of the host’s site for the purpose of DNS-based
-KDC discovery for this realm. New in release 1.22.</p>
-</dd>
-<dt><strong>v4_instance_convert</strong></dt><dd><p>This subsection allows the administrator to configure exceptions
-to the <strong>default_domain</strong> mapping rule. It contains V4 instances
-(the tag name) which should be translated to some specific
-hostname (the tag value) as the second component in a Kerberos V5
-principal name.</p>
-</dd>
-<dt><strong>v4_realm</strong></dt><dd><p>This relation is used by the krb524 library routines when
-converting a V5 principal name to a V4 principal name. It is used
-when the V4 realm name and the V5 realm name are not the same, but
-still share the same principal names and passwords. The tag value
-is the Kerberos V4 realm name.</p>
-</dd>
-</dl>
-</section>
-<section id="domain-realm">
-<span id="id3"></span><h3>[domain_realm]<a class="headerlink" href="#domain-realm" title="Link to this heading">¶</a></h3>
-<p>The [domain_realm] section provides a translation from hostnames to
-Kerberos realms. Each tag is a domain name, providing the mapping for
-that domain and all subdomains. If the tag begins with a period
-(<code class="docutils literal notranslate"><span class="pre">.</span></code>) then it applies only to subdomains. The Kerberos realm may be
-identified either in the <a class="reference internal" href="#realms">realms</a> section or using DNS SRV records.
-Tag names should be in lower case. For example:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">domain_realm</span><span class="p">]</span>
- <span class="n">crash</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> <span class="o">=</span> <span class="n">TEST</span><span class="o">.</span><span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span>
- <span class="o">.</span><span class="n">dev</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> <span class="o">=</span> <span class="n">TEST</span><span class="o">.</span><span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span>
- <span class="n">mit</span><span class="o">.</span><span class="n">edu</span> <span class="o">=</span> <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span>
-</pre></div>
-</div>
-<p>maps the host with the name <code class="docutils literal notranslate"><span class="pre">crash.mit.edu</span></code> into the
-<code class="docutils literal notranslate"><span class="pre">TEST.ATHENA.MIT.EDU</span></code> realm. The second entry maps all hosts under the
-domain <code class="docutils literal notranslate"><span class="pre">dev.mit.edu</span></code> into the <code class="docutils literal notranslate"><span class="pre">TEST.ATHENA.MIT.EDU</span></code> realm, but not
-the host with the name <code class="docutils literal notranslate"><span class="pre">dev.mit.edu</span></code>. That host is matched
-by the third entry, which maps the host <code class="docutils literal notranslate"><span class="pre">mit.edu</span></code> and all hosts
-under the domain <code class="docutils literal notranslate"><span class="pre">mit.edu</span></code> that do not match a preceding rule
-into the realm <code class="docutils literal notranslate"><span class="pre">ATHENA.MIT.EDU</span></code>.</p>
-<p>If no translation entry applies to a hostname used for a service
-principal for a service ticket request, the library will try to get a
-referral to the appropriate realm from the client realm’s KDC. If
-that does not succeed, the host’s realm is considered to be the
-hostname’s domain portion converted to uppercase, unless the
-<strong>realm_try_domains</strong> setting in [libdefaults] causes a different
-parent domain to be used.</p>
-</section>
-<section id="capaths">
-<span id="id4"></span><h3>[capaths]<a class="headerlink" href="#capaths" title="Link to this heading">¶</a></h3>
-<p>In order to perform direct (non-hierarchical) cross-realm
-authentication, configuration is needed to determine the
-authentication paths between realms.</p>
-<p>A client will use this section to find the authentication path between
-its realm and the realm of the server. The server will use this
-section to verify the authentication path used by the client, by
-checking the transited field of the received ticket.</p>
-<p>There is a tag for each participating client realm, and each tag has
-subtags for each of the server realms. The value of the subtags is an
-intermediate realm which may participate in the cross-realm
-authentication. The subtags may be repeated if there is more then one
-intermediate realm. A value of “.” means that the two realms share
-keys directly, and no intermediate realms should be allowed to
-participate.</p>
-<p>Only those entries which will be needed on the client or the server
-need to be present. A client needs a tag for its local realm with
-subtags for all the realms of servers it will need to authenticate to.
-A server needs a tag for each realm of the clients it will serve, with
-a subtag of the server realm.</p>
-<p>For example, <code class="docutils literal notranslate"><span class="pre">ANL.GOV</span></code>, <code class="docutils literal notranslate"><span class="pre">PNL.GOV</span></code>, and <code class="docutils literal notranslate"><span class="pre">NERSC.GOV</span></code> all wish to
-use the <code class="docutils literal notranslate"><span class="pre">ES.NET</span></code> realm as an intermediate realm. ANL has a sub
-realm of <code class="docutils literal notranslate"><span class="pre">TEST.ANL.GOV</span></code> which will authenticate with <code class="docutils literal notranslate"><span class="pre">NERSC.GOV</span></code>
-but not <code class="docutils literal notranslate"><span class="pre">PNL.GOV</span></code>. The [capaths] section for <code class="docutils literal notranslate"><span class="pre">ANL.GOV</span></code> systems
-would look like this:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">capaths</span><span class="p">]</span>
- <span class="n">ANL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="p">{</span>
- <span class="n">TEST</span><span class="o">.</span><span class="n">ANL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="o">.</span>
- <span class="n">PNL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="n">ES</span><span class="o">.</span><span class="n">NET</span>
- <span class="n">NERSC</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="n">ES</span><span class="o">.</span><span class="n">NET</span>
- <span class="n">ES</span><span class="o">.</span><span class="n">NET</span> <span class="o">=</span> <span class="o">.</span>
- <span class="p">}</span>
- <span class="n">TEST</span><span class="o">.</span><span class="n">ANL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="p">{</span>
- <span class="n">ANL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="o">.</span>
- <span class="p">}</span>
- <span class="n">PNL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="p">{</span>
- <span class="n">ANL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="n">ES</span><span class="o">.</span><span class="n">NET</span>
- <span class="p">}</span>
- <span class="n">NERSC</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="p">{</span>
- <span class="n">ANL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="n">ES</span><span class="o">.</span><span class="n">NET</span>
- <span class="p">}</span>
- <span class="n">ES</span><span class="o">.</span><span class="n">NET</span> <span class="o">=</span> <span class="p">{</span>
- <span class="n">ANL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="o">.</span>
- <span class="p">}</span>
-</pre></div>
-</div>
-<p>The [capaths] section of the configuration file used on <code class="docutils literal notranslate"><span class="pre">NERSC.GOV</span></code>
-systems would look like this:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">capaths</span><span class="p">]</span>
- <span class="n">NERSC</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="p">{</span>
- <span class="n">ANL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="n">ES</span><span class="o">.</span><span class="n">NET</span>
- <span class="n">TEST</span><span class="o">.</span><span class="n">ANL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="n">ES</span><span class="o">.</span><span class="n">NET</span>
- <span class="n">TEST</span><span class="o">.</span><span class="n">ANL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="n">ANL</span><span class="o">.</span><span class="n">GOV</span>
- <span class="n">PNL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="n">ES</span><span class="o">.</span><span class="n">NET</span>
- <span class="n">ES</span><span class="o">.</span><span class="n">NET</span> <span class="o">=</span> <span class="o">.</span>
- <span class="p">}</span>
- <span class="n">ANL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="p">{</span>
- <span class="n">NERSC</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="n">ES</span><span class="o">.</span><span class="n">NET</span>
- <span class="p">}</span>
- <span class="n">PNL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="p">{</span>
- <span class="n">NERSC</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="n">ES</span><span class="o">.</span><span class="n">NET</span>
- <span class="p">}</span>
- <span class="n">ES</span><span class="o">.</span><span class="n">NET</span> <span class="o">=</span> <span class="p">{</span>
- <span class="n">NERSC</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="o">.</span>
- <span class="p">}</span>
- <span class="n">TEST</span><span class="o">.</span><span class="n">ANL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="p">{</span>
- <span class="n">NERSC</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="n">ANL</span><span class="o">.</span><span class="n">GOV</span>
- <span class="n">NERSC</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="n">ES</span><span class="o">.</span><span class="n">NET</span>
- <span class="p">}</span>
-</pre></div>
-</div>
-<p>When a subtag is used more than once within a tag, clients will use
-the order of values to determine the path. The order of values is not
-important to servers.</p>
-</section>
-<section id="appdefaults">
-<span id="id5"></span><h3>[appdefaults]<a class="headerlink" href="#appdefaults" title="Link to this heading">¶</a></h3>
-<p>Each tag in the [appdefaults] section names a Kerberos V5 application
-or an option that is used by some Kerberos V5 application[s]. The
-value of the tag defines the default behaviors for that application.</p>
-<p>For example:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">appdefaults</span><span class="p">]</span>
- <span class="n">telnet</span> <span class="o">=</span> <span class="p">{</span>
- <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="o">=</span> <span class="p">{</span>
- <span class="n">option1</span> <span class="o">=</span> <span class="n">false</span>
- <span class="p">}</span>
- <span class="p">}</span>
- <span class="n">telnet</span> <span class="o">=</span> <span class="p">{</span>
- <span class="n">option1</span> <span class="o">=</span> <span class="n">true</span>
- <span class="n">option2</span> <span class="o">=</span> <span class="n">true</span>
- <span class="p">}</span>
- <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="o">=</span> <span class="p">{</span>
- <span class="n">option2</span> <span class="o">=</span> <span class="n">false</span>
- <span class="p">}</span>
- <span class="n">option2</span> <span class="o">=</span> <span class="n">true</span>
-</pre></div>
-</div>
-<p>The above four ways of specifying the value of an option are shown in
-order of decreasing precedence. In this example, if telnet is running
-in the realm EXAMPLE.COM, it should, by default, have option1 and
-option2 set to true. However, a telnet program in the realm
-<code class="docutils literal notranslate"><span class="pre">ATHENA.MIT.EDU</span></code> should have <code class="docutils literal notranslate"><span class="pre">option1</span></code> set to false and
-<code class="docutils literal notranslate"><span class="pre">option2</span></code> set to true. Any other programs in ATHENA.MIT.EDU should
-have <code class="docutils literal notranslate"><span class="pre">option2</span></code> set to false by default. Any programs running in
-other realms should have <code class="docutils literal notranslate"><span class="pre">option2</span></code> set to true.</p>
-<p>The list of specifiable options for each application may be found in
-that application’s man pages. The application defaults specified here
-are overridden by those specified in the <a class="reference internal" href="#realms">realms</a> section.</p>
-</section>
-<section id="plugins">
-<span id="id6"></span><h3>[plugins]<a class="headerlink" href="#plugins" title="Link to this heading">¶</a></h3>
-<blockquote>
-<div><ul class="simple">
-<li><p><a class="reference internal" href="#pwqual">pwqual</a> interface</p></li>
-<li><p><a class="reference internal" href="#kadm5-hook">kadm5_hook</a> interface</p></li>
-<li><p><a class="reference internal" href="#clpreauth">clpreauth</a> and <a class="reference internal" href="#kdcpreauth">kdcpreauth</a> interfaces</p></li>
-</ul>
-</div></blockquote>
-<p>Tags in the [plugins] section can be used to register dynamic plugin
-modules and to turn modules on and off. Not every krb5 pluggable
-interface uses the [plugins] section; the ones that do are documented
-here.</p>
-<p>New in release 1.9.</p>
-<p>Each pluggable interface corresponds to a subsection of [plugins].
-All subsections support the same tags:</p>
-<dl class="simple">
-<dt><strong>disable</strong></dt><dd><p>This tag may have multiple values. If there are values for this
-tag, then the named modules will be disabled for the pluggable
-interface.</p>
-</dd>
-<dt><strong>enable_only</strong></dt><dd><p>This tag may have multiple values. If there are values for this
-tag, then only the named modules will be enabled for the pluggable
-interface.</p>
-</dd>
-<dt><strong>module</strong></dt><dd><p>This tag may have multiple values. Each value is a string of the
-form <code class="docutils literal notranslate"><span class="pre">modulename:pathname</span></code>, which causes the shared object
-located at <em>pathname</em> to be registered as a dynamic module named
-<em>modulename</em> for the pluggable interface. If <em>pathname</em> is not an
-absolute path, it will be treated as relative to the
-<strong>plugin_base_dir</strong> value from <a class="reference internal" href="#libdefaults"><span class="std std-ref">[libdefaults]</span></a>.</p>
-</dd>
-</dl>
-<p>For pluggable interfaces where module order matters, modules
-registered with a <strong>module</strong> tag normally come first, in the order
-they are registered, followed by built-in modules in the order they
-are documented below. If <strong>enable_only</strong> tags are used, then the
-order of those tags overrides the normal module order.</p>
-<p>The following subsections are currently supported within the [plugins]
-section:</p>
-<section id="ccselect-interface">
-<span id="ccselect"></span><h4>ccselect interface<a class="headerlink" href="#ccselect-interface" title="Link to this heading">¶</a></h4>
-<p>The ccselect subsection controls modules for credential cache
-selection within a cache collection. In addition to any registered
-dynamic modules, the following built-in modules exist (and may be
-disabled with the disable tag):</p>
-<dl class="simple">
-<dt><strong>k5identity</strong></dt><dd><p>Uses a .k5identity file in the user’s home directory to select a
-client principal</p>
-</dd>
-<dt><strong>realm</strong></dt><dd><p>Uses the service realm to guess an appropriate cache from the
-collection</p>
-</dd>
-<dt><strong>hostname</strong></dt><dd><p>If the service principal is host-based, uses the service hostname
-to guess an appropriate cache from the collection</p>
-</dd>
-</dl>
-</section>
-<section id="pwqual-interface">
-<span id="pwqual"></span><h4>pwqual interface<a class="headerlink" href="#pwqual-interface" title="Link to this heading">¶</a></h4>
-<p>The pwqual subsection controls modules for the password quality
-interface, which is used to reject weak passwords when passwords are
-changed. The following built-in modules exist for this interface:</p>
-<dl class="simple">
-<dt><strong>dict</strong></dt><dd><p>Checks against the realm dictionary file</p>
-</dd>
-<dt><strong>empty</strong></dt><dd><p>Rejects empty passwords</p>
-</dd>
-<dt><strong>hesiod</strong></dt><dd><p>Checks against user information stored in Hesiod (only if Kerberos
-was built with Hesiod support)</p>
-</dd>
-<dt><strong>princ</strong></dt><dd><p>Checks against components of the principal name</p>
-</dd>
-</dl>
-</section>
-<section id="kadm5-hook-interface">
-<span id="kadm5-hook"></span><h4>kadm5_hook interface<a class="headerlink" href="#kadm5-hook-interface" title="Link to this heading">¶</a></h4>
-<p>The kadm5_hook interface provides plugins with information on
-principal creation, modification, password changes and deletion. This
-interface can be used to write a plugin to synchronize MIT Kerberos
-with another database such as Active Directory. No plugins are built
-in for this interface.</p>
-</section>
-<section id="kadm5-auth-interface">
-<span id="kadm5-auth"></span><h4>kadm5_auth interface<a class="headerlink" href="#kadm5-auth-interface" title="Link to this heading">¶</a></h4>
-<p>The kadm5_auth section (introduced in release 1.16) controls modules
-for the kadmin authorization interface, which determines whether a
-client principal is allowed to perform a kadmin operation. The
-following built-in modules exist for this interface:</p>
-<dl class="simple">
-<dt><strong>acl</strong></dt><dd><p>This module reads the <a class="reference internal" href="kadm5_acl.html#kadm5-acl-5"><span class="std std-ref">kadm5.acl</span></a> file, and authorizes
-operations which are allowed according to the rules in the file.</p>
-</dd>
-<dt><strong>self</strong></dt><dd><p>This module authorizes self-service operations including password
-changes, creation of new random keys, fetching the client’s
-principal record or string attributes, and fetching the policy
-record associated with the client principal.</p>
-</dd>
-</dl>
-</section>
-<section id="clpreauth-and-kdcpreauth-interfaces">
-<span id="kdcpreauth"></span><span id="clpreauth"></span><h4>clpreauth and kdcpreauth interfaces<a class="headerlink" href="#clpreauth-and-kdcpreauth-interfaces" title="Link to this heading">¶</a></h4>
-<p>The clpreauth and kdcpreauth interfaces allow plugin modules to
-provide client and KDC preauthentication mechanisms. The following
-built-in modules exist for these interfaces:</p>
-<dl class="simple">
-<dt><strong>pkinit</strong></dt><dd><p>This module implements the PKINIT preauthentication mechanism.</p>
-</dd>
-<dt><strong>encrypted_challenge</strong></dt><dd><p>This module implements the encrypted challenge FAST factor.</p>
-</dd>
-<dt><strong>encrypted_timestamp</strong></dt><dd><p>This module implements the encrypted timestamp mechanism.</p>
-</dd>
-</dl>
-</section>
-<section id="hostrealm-interface">
-<span id="hostrealm"></span><h4>hostrealm interface<a class="headerlink" href="#hostrealm-interface" title="Link to this heading">¶</a></h4>
-<p>The hostrealm section (introduced in release 1.12) controls modules
-for the host-to-realm interface, which affects the local mapping of
-hostnames to realm names and the choice of default realm. The following
-built-in modules exist for this interface:</p>
-<dl class="simple">
-<dt><strong>profile</strong></dt><dd><p>This module consults the [domain_realm] section of the profile for
-authoritative host-to-realm mappings, and the <strong>default_realm</strong>
-variable for the default realm.</p>
-</dd>
-<dt><strong>dns</strong></dt><dd><p>This module looks for DNS records for fallback host-to-realm
-mappings and the default realm. It only operates if the
-<strong>dns_lookup_realm</strong> variable is set to true.</p>
-</dd>
-<dt><strong>domain</strong></dt><dd><p>This module applies heuristics for fallback host-to-realm
-mappings. It implements the <strong>realm_try_domains</strong> variable, and
-uses the uppercased parent domain of the hostname if that does not
-produce a result.</p>
-</dd>
-</dl>
-</section>
-<section id="localauth-interface">
-<span id="localauth"></span><h4>localauth interface<a class="headerlink" href="#localauth-interface" title="Link to this heading">¶</a></h4>
-<p>The localauth section (introduced in release 1.12) controls modules
-for the local authorization interface, which affects the relationship
-between Kerberos principals and local system accounts. The following
-built-in modules exist for this interface:</p>
-<dl class="simple">
-<dt><strong>default</strong></dt><dd><p>This module implements the <strong>DEFAULT</strong> type for <strong>auth_to_local</strong>
-values.</p>
-</dd>
-<dt><strong>rule</strong></dt><dd><p>This module implements the <strong>RULE</strong> type for <strong>auth_to_local</strong>
-values.</p>
-</dd>
-<dt><strong>names</strong></dt><dd><p>This module looks for an <strong>auth_to_local_names</strong> mapping for the
-principal name.</p>
-</dd>
-<dt><strong>auth_to_local</strong></dt><dd><p>This module processes <strong>auth_to_local</strong> values in the default
-realm’s section, and applies the default method if no
-<strong>auth_to_local</strong> values exist.</p>
-</dd>
-<dt><strong>k5login</strong></dt><dd><p>This module authorizes a principal to a local account according to
-the account’s <a class="reference internal" href="../../user/user_config/k5login.html#k5login-5"><span class="std std-ref">.k5login</span></a> file.</p>
-</dd>
-<dt><strong>an2ln</strong></dt><dd><p>This module authorizes a principal to a local account if the
-principal name maps to the local account name.</p>
-</dd>
-</dl>
-</section>
-<section id="certauth-interface">
-<span id="certauth"></span><h4>certauth interface<a class="headerlink" href="#certauth-interface" title="Link to this heading">¶</a></h4>
-<p>The certauth section (introduced in release 1.16) controls modules for
-the certificate authorization interface, which determines whether a
-certificate is allowed to preauthenticate a user via PKINIT. The
-following built-in modules exist for this interface:</p>
-<dl class="simple">
-<dt><strong>pkinit_san</strong></dt><dd><p>This module authorizes the certificate if it contains a PKINIT
-Subject Alternative Name for the requested client principal, or a
-Microsoft UPN SAN matching the principal if <strong>pkinit_allow_upn</strong>
-is set to true for the realm.</p>
-</dd>
-<dt><strong>pkinit_eku</strong></dt><dd><p>This module rejects the certificate if it does not contain an
-Extended Key Usage attribute consistent with the
-<strong>pkinit_eku_checking</strong> value for the realm.</p>
-</dd>
-<dt><strong>dbmatch</strong></dt><dd><p>This module authorizes or rejects the certificate according to
-whether it matches the <strong>pkinit_cert_match</strong> string attribute on
-the client principal, if that attribute is present.</p>
-</dd>
-</dl>
-</section>
-</section>
-</section>
-<section id="pkinit-options">
-<h2>PKINIT options<a class="headerlink" href="#pkinit-options" title="Link to this heading">¶</a></h2>
-<div class="admonition note">
-<p class="admonition-title">Note</p>
-<p>The following are PKINIT-specific options. These values may
-be specified in [libdefaults] as global defaults, or within
-a realm-specific subsection of [libdefaults], or may be
-specified as realm-specific values in the [realms] section.
-A realm-specific value overrides, not adds to, a generic
-[libdefaults] specification. The search order is:</p>
-</div>
-<ol class="arabic">
-<li><p>realm-specific subsection of [libdefaults]:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">libdefaults</span><span class="p">]</span>
- <span class="n">EXAMPLE</span><span class="o">.</span><span class="n">COM</span> <span class="o">=</span> <span class="p">{</span>
- <span class="n">pkinit_anchors</span> <span class="o">=</span> <span class="n">FILE</span><span class="p">:</span><span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">local</span><span class="o">/</span><span class="n">example</span><span class="o">.</span><span class="n">com</span><span class="o">.</span><span class="n">crt</span>
- <span class="p">}</span>
-</pre></div>
-</div>
-</li>
-<li><p>realm-specific value in the [realms] section:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">realms</span><span class="p">]</span>
- <span class="n">OTHERREALM</span><span class="o">.</span><span class="n">ORG</span> <span class="o">=</span> <span class="p">{</span>
- <span class="n">pkinit_anchors</span> <span class="o">=</span> <span class="n">FILE</span><span class="p">:</span><span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">local</span><span class="o">/</span><span class="n">otherrealm</span><span class="o">.</span><span class="n">org</span><span class="o">.</span><span class="n">crt</span>
- <span class="p">}</span>
-</pre></div>
-</div>
-</li>
-<li><p>generic value in the [libdefaults] section:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">libdefaults</span><span class="p">]</span>
- <span class="n">pkinit_anchors</span> <span class="o">=</span> <span class="n">DIR</span><span class="p">:</span><span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">local</span><span class="o">/</span><span class="n">generic_trusted_cas</span><span class="o">/</span>
-</pre></div>
-</div>
-</li>
-</ol>
-<section id="specifying-pkinit-identity-information">
-<span id="pkinit-identity"></span><h3>Specifying PKINIT identity information<a class="headerlink" href="#specifying-pkinit-identity-information" title="Link to this heading">¶</a></h3>
-<p>The syntax for specifying Public Key identity, trust, and revocation
-information for PKINIT is as follows:</p>
-<dl>
-<dt><strong>FILE:</strong><em>filename</em>[<strong>,</strong><em>keyfilename</em>]</dt><dd><p>This option has context-specific behavior.</p>
-<p>In <strong>pkinit_identity</strong> or <strong>pkinit_identities</strong>, <em>filename</em>
-specifies the name of a PEM-format file containing the user’s
-certificate. If <em>keyfilename</em> is not specified, the user’s
-private key is expected to be in <em>filename</em> as well. Otherwise,
-<em>keyfilename</em> is the name of the file containing the private key.</p>
-<p>In <strong>pkinit_anchors</strong> or <strong>pkinit_pool</strong>, <em>filename</em> is assumed to
-be the name of an OpenSSL-style ca-bundle file.</p>
-</dd>
-<dt><strong>DIR:</strong><em>dirname</em></dt><dd><p>This option has context-specific behavior.</p>
-<p>In <strong>pkinit_identity</strong> or <strong>pkinit_identities</strong>, <em>dirname</em>
-specifies a directory with files named <code class="docutils literal notranslate"><span class="pre">*.crt</span></code> and <code class="docutils literal notranslate"><span class="pre">*.key</span></code>
-where the first part of the file name is the same for matching
-pairs of certificate and private key files. When a file with a
-name ending with <code class="docutils literal notranslate"><span class="pre">.crt</span></code> is found, a matching file ending with
-<code class="docutils literal notranslate"><span class="pre">.key</span></code> is assumed to contain the private key. If no such file
-is found, then the certificate in the <code class="docutils literal notranslate"><span class="pre">.crt</span></code> is not used.</p>
-<p>In <strong>pkinit_anchors</strong> or <strong>pkinit_pool</strong>, <em>dirname</em> is assumed to
-be an OpenSSL-style hashed CA directory where each CA cert is
-stored in a file named <code class="docutils literal notranslate"><span class="pre">hash-of-ca-cert.#</span></code>. This infrastructure
-is encouraged, but all files in the directory will be examined and
-if they contain certificates (in PEM format), they will be used.</p>
-<p>In <strong>pkinit_revoke</strong>, <em>dirname</em> is assumed to be an OpenSSL-style
-hashed CA directory where each revocation list is stored in a file
-named <code class="docutils literal notranslate"><span class="pre">hash-of-ca-cert.r#</span></code>. This infrastructure is encouraged,
-but all files in the directory will be examined and if they
-contain a revocation list (in PEM format), they will be used.</p>
-</dd>
-<dt><strong>PKCS12:</strong><em>filename</em></dt><dd><p><em>filename</em> is the name of a PKCS #12 format file, containing the
-user’s certificate and private key.</p>
-</dd>
-<dt><strong>PKCS11:</strong>[<strong>module_name=</strong>]<em>modname</em>[<strong>:slotid=</strong><em>slot-id</em>][<strong>:token=</strong><em>token-label</em>][<strong>:certid=</strong><em>cert-id</em>][<strong>:certlabel=</strong><em>cert-label</em>]</dt><dd><p>All keyword/values are optional. <em>modname</em> specifies the location
-of a library implementing PKCS #11. If a value is encountered
-with no keyword, it is assumed to be the <em>modname</em>. If no
-module-name is specified, the default is <a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">PKCS11_MODNAME</span></a>.
-<code class="docutils literal notranslate"><span class="pre">slotid=</span></code> and/or <code class="docutils literal notranslate"><span class="pre">token=</span></code> may be specified to force the use of
-a particular smard card reader or token if there is more than one
-available. <code class="docutils literal notranslate"><span class="pre">certid=</span></code> and/or <code class="docutils literal notranslate"><span class="pre">certlabel=</span></code> may be specified to
-force the selection of a particular certificate on the device.
-Specifier values must not contain colon characters, as colons are
-always treated as separators. See the <strong>pkinit_cert_match</strong>
-configuration option for more ways to select a particular
-certificate to use for PKINIT.</p>
-</dd>
-<dt><strong>ENV:</strong><em>envvar</em></dt><dd><p><em>envvar</em> specifies the name of an environment variable which has
-been set to a value conforming to one of the previous values. For
-example, <code class="docutils literal notranslate"><span class="pre">ENV:X509_PROXY</span></code>, where environment variable
-<code class="docutils literal notranslate"><span class="pre">X509_PROXY</span></code> has been set to <code class="docutils literal notranslate"><span class="pre">FILE:/tmp/my_proxy.pem</span></code>.</p>
-</dd>
-</dl>
-</section>
-<section id="pkinit-krb5-conf-options">
-<h3>PKINIT krb5.conf options<a class="headerlink" href="#pkinit-krb5-conf-options" title="Link to this heading">¶</a></h3>
-<dl>
-<dt><strong>pkinit_anchors</strong></dt><dd><p>Specifies the location of trusted anchor (root) certificates which
-the client trusts to sign KDC certificates. This option may be
-specified multiple times. These values from the config file are
-not used if the user specifies X509_anchors on the command line.</p>
-</dd>
-<dt><strong>pkinit_cert_match</strong></dt><dd><p>Specifies matching rules that the client certificate must match
-before it is used to attempt PKINIT authentication. If a user has
-multiple certificates available (on a smart card, or via other
-media), there must be exactly one certificate chosen before
-attempting PKINIT authentication. This option may be specified
-multiple times. All the available certificates are checked
-against each rule in order until there is a match of exactly one
-certificate.</p>
-<p>The Subject and Issuer comparison strings are the <span class="target" id="index-4"></span><a class="rfc reference external" href="https://datatracker.ietf.org/doc/html/rfc2253.html"><strong>RFC 2253</strong></a>
-string representations from the certificate Subject DN and Issuer
-DN values.</p>
-<p>The syntax of the matching rules is:</p>
-<blockquote>
-<div><p>[<em>relation-operator</em>]<em>component-rule</em> …</p>
-</div></blockquote>
-<p>where:</p>
-<dl>
-<dt><em>relation-operator</em></dt><dd><p>can be either <code class="docutils literal notranslate"><span class="pre">&amp;&amp;</span></code>, meaning all component rules must match,
-or <code class="docutils literal notranslate"><span class="pre">||</span></code>, meaning only one component rule must match. The
-default is <code class="docutils literal notranslate"><span class="pre">&amp;&amp;</span></code>.</p>
-</dd>
-<dt><em>component-rule</em></dt><dd><p>can be one of the following. Note that there is no
-punctuation or whitespace between component rules.</p>
-<blockquote>
-<div><div class="line-block">
-<div class="line"><strong>&lt;SUBJECT&gt;</strong><em>regular-expression</em></div>
-<div class="line"><strong>&lt;ISSUER&gt;</strong><em>regular-expression</em></div>
-<div class="line"><strong>&lt;SAN&gt;</strong><em>regular-expression</em></div>
-<div class="line"><strong>&lt;EKU&gt;</strong><em>extended-key-usage-list</em></div>
-<div class="line"><strong>&lt;KU&gt;</strong><em>key-usage-list</em></div>
-</div>
-</div></blockquote>
-<p><em>extended-key-usage-list</em> is a comma-separated list of
-required Extended Key Usage values. All values in the list
-must be present in the certificate. Extended Key Usage values
-can be:</p>
-<ul class="simple">
-<li><p>pkinit</p></li>
-<li><p>msScLogin</p></li>
-<li><p>clientAuth</p></li>
-<li><p>emailProtection</p></li>
-</ul>
-<p><em>key-usage-list</em> is a comma-separated list of required Key
-Usage values. All values in the list must be present in the
-certificate. Key Usage values can be:</p>
-<ul class="simple">
-<li><p>digitalSignature</p></li>
-<li><p>keyEncipherment</p></li>
-</ul>
-</dd>
-</dl>
-<p>Examples:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">pkinit_cert_match</span> <span class="o">=</span> <span class="o">||&lt;</span><span class="n">SUBJECT</span><span class="o">&gt;.*</span><span class="n">DoE</span><span class="o">.*&lt;</span><span class="n">SAN</span><span class="o">&gt;.*</span><span class="nd">@EXAMPLE</span><span class="o">.</span><span class="n">COM</span>
-<span class="n">pkinit_cert_match</span> <span class="o">=</span> <span class="o">&amp;&amp;&lt;</span><span class="n">EKU</span><span class="o">&gt;</span><span class="n">msScLogin</span><span class="p">,</span><span class="n">clientAuth</span><span class="o">&lt;</span><span class="n">ISSUER</span><span class="o">&gt;.*</span><span class="n">DoE</span><span class="o">.*</span>
-<span class="n">pkinit_cert_match</span> <span class="o">=</span> <span class="o">&lt;</span><span class="n">EKU</span><span class="o">&gt;</span><span class="n">msScLogin</span><span class="p">,</span><span class="n">clientAuth</span><span class="o">&lt;</span><span class="n">KU</span><span class="o">&gt;</span><span class="n">digitalSignature</span>
-</pre></div>
-</div>
-</dd>
-<dt><strong>pkinit_eku_checking</strong></dt><dd><p>This option specifies what Extended Key Usage value the KDC
-certificate presented to the client must contain. (Note that if
-the KDC certificate has the pkinit SubjectAlternativeName encoded
-as the Kerberos TGS name, EKU checking is not necessary since the
-issuing CA has certified this as a KDC certificate.) The values
-recognized in the krb5.conf file are:</p>
-<dl class="simple">
-<dt><strong>kpKDC</strong></dt><dd><p>This is the default value and specifies that the KDC must have
-the id-pkinit-KPKdc EKU as defined in <span class="target" id="index-5"></span><a class="rfc reference external" href="https://datatracker.ietf.org/doc/html/rfc4556.html"><strong>RFC 4556</strong></a>.</p>
-</dd>
-<dt><strong>kpServerAuth</strong></dt><dd><p>If <strong>kpServerAuth</strong> is specified, a KDC certificate with the
-id-kp-serverAuth EKU will be accepted. This key usage value
-is used in most commercially issued server certificates.</p>
-</dd>
-<dt><strong>none</strong></dt><dd><p>If <strong>none</strong> is specified, then the KDC certificate will not be
-checked to verify it has an acceptable EKU. The use of this
-option is not recommended.</p>
-</dd>
-</dl>
-</dd>
-<dt><strong>pkinit_dh_min_bits</strong></dt><dd><p>Specifies the group of the Diffie-Hellman key the client will
-attempt to use. The acceptable values are 1024, 2048, P-256,
-4096, P-384, and P-521. The default is 2048. (P-256, P-384, and
-P-521 are new in release 1.22.)</p>
-</dd>
-<dt><strong>pkinit_identities</strong></dt><dd><p>Specifies the location(s) to be used to find the user’s X.509
-identity information. If this option is specified multiple times,
-each value is attempted in order until certificates are found.
-Note that these values are not used if the user specifies
-<strong>X509_user_identity</strong> on the command line.</p>
-</dd>
-<dt><strong>pkinit_kdc_hostname</strong></dt><dd><p>The presence of this option indicates that the client is willing
-to accept a KDC certificate with a dNSName SAN (Subject
-Alternative Name) rather than requiring the id-pkinit-san as
-defined in <span class="target" id="index-6"></span><a class="rfc reference external" href="https://datatracker.ietf.org/doc/html/rfc4556.html"><strong>RFC 4556</strong></a>. This option may be specified multiple
-times. Its value should contain the acceptable hostname for the
-KDC (as contained in its certificate).</p>
-</dd>
-<dt><strong>pkinit_pool</strong></dt><dd><p>Specifies the location of intermediate certificates which may be
-used by the client to complete the trust chain between a KDC
-certificate and a trusted anchor. This option may be specified
-multiple times.</p>
-</dd>
-<dt><strong>pkinit_require_crl_checking</strong></dt><dd><p>The default certificate verification process will always check the
-available revocation information to see if a certificate has been
-revoked. If a match is found for the certificate in a CRL,
-verification fails. If the certificate being verified is not
-listed in a CRL, or there is no CRL present for its issuing CA,
-and <strong>pkinit_require_crl_checking</strong> is false, then verification
-succeeds.</p>
-<p>However, if <strong>pkinit_require_crl_checking</strong> is true and there is
-no CRL information available for the issuing CA, then verification
-fails.</p>
-<p><strong>pkinit_require_crl_checking</strong> should be set to true if the
-policy is such that up-to-date CRLs must be present for every CA.</p>
-</dd>
-<dt><strong>pkinit_revoke</strong></dt><dd><p>Specifies the location of Certificate Revocation List (CRL)
-information to be used by the client when verifying the validity
-of the KDC certificate presented. This option may be specified
-multiple times.</p>
-</dd>
-</dl>
-</section>
-</section>
-<section id="parameter-expansion">
-<span id="id7"></span><h2>Parameter expansion<a class="headerlink" href="#parameter-expansion" title="Link to this heading">¶</a></h2>
-<p>Starting with release 1.11, several variables, such as
-<strong>default_keytab_name</strong>, allow parameters to be expanded.
-Valid parameters are:</p>
-<blockquote>
-<div><table class="docutils align-default">
-<tbody>
-<tr class="row-odd"><td><p>%{TEMP}</p></td>
-<td><p>Temporary directory</p></td>
-</tr>
-<tr class="row-even"><td><p>%{uid}</p></td>
-<td><p>Unix real UID or Windows SID</p></td>
-</tr>
-<tr class="row-odd"><td><p>%{euid}</p></td>
-<td><p>Unix effective user ID or Windows SID</p></td>
-</tr>
-<tr class="row-even"><td><p>%{USERID}</p></td>
-<td><p>Same as %{uid}</p></td>
-</tr>
-<tr class="row-odd"><td><p>%{null}</p></td>
-<td><p>Empty string</p></td>
-</tr>
-<tr class="row-even"><td><p>%{LIBDIR}</p></td>
-<td><p>Installation library directory</p></td>
-</tr>
-<tr class="row-odd"><td><p>%{BINDIR}</p></td>
-<td><p>Installation binary directory</p></td>
-</tr>
-<tr class="row-even"><td><p>%{SBINDIR}</p></td>
-<td><p>Installation admin binary directory</p></td>
-</tr>
-<tr class="row-odd"><td><p>%{username}</p></td>
-<td><p>(Unix) Username of effective user ID</p></td>
-</tr>
-<tr class="row-even"><td><p>%{APPDATA}</p></td>
-<td><p>(Windows) Roaming application data for current user</p></td>
-</tr>
-<tr class="row-odd"><td><p>%{COMMON_APPDATA}</p></td>
-<td><p>(Windows) Application data for all users</p></td>
-</tr>
-<tr class="row-even"><td><p>%{LOCAL_APPDATA}</p></td>
-<td><p>(Windows) Local application data for current user</p></td>
-</tr>
-<tr class="row-odd"><td><p>%{SYSTEM}</p></td>
-<td><p>(Windows) Windows system folder</p></td>
-</tr>
-<tr class="row-even"><td><p>%{WINDOWS}</p></td>
-<td><p>(Windows) Windows folder</p></td>
-</tr>
-<tr class="row-odd"><td><p>%{USERCONFIG}</p></td>
-<td><p>(Windows) Per-user MIT krb5 config file directory</p></td>
-</tr>
-<tr class="row-even"><td><p>%{COMMONCONFIG}</p></td>
-<td><p>(Windows) Common MIT krb5 config file directory</p></td>
-</tr>
-</tbody>
-</table>
-</div></blockquote>
-</section>
-<section id="sample-krb5-conf-file">
-<h2>Sample krb5.conf file<a class="headerlink" href="#sample-krb5-conf-file" title="Link to this heading">¶</a></h2>
-<p>Here is an example of a generic krb5.conf file:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">libdefaults</span><span class="p">]</span>
- <span class="n">default_realm</span> <span class="o">=</span> <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span>
- <span class="n">dns_lookup_kdc</span> <span class="o">=</span> <span class="n">true</span>
- <span class="n">dns_lookup_realm</span> <span class="o">=</span> <span class="n">false</span>
-
-<span class="p">[</span><span class="n">realms</span><span class="p">]</span>
- <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="o">=</span> <span class="p">{</span>
- <span class="n">kdc</span> <span class="o">=</span> <span class="n">kerberos</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span>
- <span class="n">kdc</span> <span class="o">=</span> <span class="n">kerberos</span><span class="o">-</span><span class="mf">1.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span>
- <span class="n">kdc</span> <span class="o">=</span> <span class="n">kerberos</span><span class="o">-</span><span class="mf">2.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span>
- <span class="n">admin_server</span> <span class="o">=</span> <span class="n">kerberos</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span>
- <span class="n">primary_kdc</span> <span class="o">=</span> <span class="n">kerberos</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span>
- <span class="p">}</span>
- <span class="n">EXAMPLE</span><span class="o">.</span><span class="n">COM</span> <span class="o">=</span> <span class="p">{</span>
- <span class="n">kdc</span> <span class="o">=</span> <span class="n">kerberos</span><span class="o">.</span><span class="n">example</span><span class="o">.</span><span class="n">com</span>
- <span class="n">kdc</span> <span class="o">=</span> <span class="n">kerberos</span><span class="o">-</span><span class="mf">1.</span><span class="n">example</span><span class="o">.</span><span class="n">com</span>
- <span class="n">admin_server</span> <span class="o">=</span> <span class="n">kerberos</span><span class="o">.</span><span class="n">example</span><span class="o">.</span><span class="n">com</span>
- <span class="p">}</span>
-
-<span class="p">[</span><span class="n">domain_realm</span><span class="p">]</span>
- <span class="n">mit</span><span class="o">.</span><span class="n">edu</span> <span class="o">=</span> <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span>
-
-<span class="p">[</span><span class="n">capaths</span><span class="p">]</span>
- <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="o">=</span> <span class="p">{</span>
- <span class="n">EXAMPLE</span><span class="o">.</span><span class="n">COM</span> <span class="o">=</span> <span class="o">.</span>
- <span class="p">}</span>
- <span class="n">EXAMPLE</span><span class="o">.</span><span class="n">COM</span> <span class="o">=</span> <span class="p">{</span>
- <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="o">=</span> <span class="o">.</span>
- <span class="p">}</span>
-</pre></div>
-</div>
-</section>
-<section id="files">
-<h2>FILES<a class="headerlink" href="#files" title="Link to this heading">¶</a></h2>
-<p><code class="docutils literal notranslate"><span class="pre">/etc/krb5.conf</span></code></p>
-</section>
-<section id="see-also">
-<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Link to this heading">¶</a></h2>
-<p>syslog(3)</p>
-</section>
-</section>
-
-
- <div class="clearer"></div>
- </div>
- </div>
- </div>
- </div>
- <div class="sidebar">
-
- <h2>On this page</h2>
- <ul>
-<li><a class="reference internal" href="#">krb5.conf</a><ul>
-<li><a class="reference internal" href="#structure">Structure</a></li>
-<li><a class="reference internal" href="#sections">Sections</a><ul>
-<li><a class="reference internal" href="#libdefaults">[libdefaults]</a></li>
-<li><a class="reference internal" href="#realms">[realms]</a></li>
-<li><a class="reference internal" href="#domain-realm">[domain_realm]</a></li>
-<li><a class="reference internal" href="#capaths">[capaths]</a></li>
-<li><a class="reference internal" href="#appdefaults">[appdefaults]</a></li>
-<li><a class="reference internal" href="#plugins">[plugins]</a><ul>
-<li><a class="reference internal" href="#ccselect-interface">ccselect interface</a></li>
-<li><a class="reference internal" href="#pwqual-interface">pwqual interface</a></li>
-<li><a class="reference internal" href="#kadm5-hook-interface">kadm5_hook interface</a></li>
-<li><a class="reference internal" href="#kadm5-auth-interface">kadm5_auth interface</a></li>
-<li><a class="reference internal" href="#clpreauth-and-kdcpreauth-interfaces">clpreauth and kdcpreauth interfaces</a></li>
-<li><a class="reference internal" href="#hostrealm-interface">hostrealm interface</a></li>
-<li><a class="reference internal" href="#localauth-interface">localauth interface</a></li>
-<li><a class="reference internal" href="#certauth-interface">certauth interface</a></li>
-</ul>
-</li>
-</ul>
-</li>
-<li><a class="reference internal" href="#pkinit-options">PKINIT options</a><ul>
-<li><a class="reference internal" href="#specifying-pkinit-identity-information">Specifying PKINIT identity information</a></li>
-<li><a class="reference internal" href="#pkinit-krb5-conf-options">PKINIT krb5.conf options</a></li>
-</ul>
-</li>
-<li><a class="reference internal" href="#parameter-expansion">Parameter expansion</a></li>
-<li><a class="reference internal" href="#sample-krb5-conf-file">Sample krb5.conf file</a></li>
-<li><a class="reference internal" href="#files">FILES</a></li>
-<li><a class="reference internal" href="#see-also">SEE ALSO</a></li>
-</ul>
-</li>
-</ul>
-
- <br/>
- <h2>Table of contents</h2>
- <ul class="current">
-<li class="toctree-l1"><a class="reference internal" href="../../user/index.html">For users</a></li>
-<li class="toctree-l1 current"><a class="reference internal" href="../index.html">For administrators</a><ul class="current">
-<li class="toctree-l2"><a class="reference internal" href="../install.html">Installation guide</a></li>
-<li class="toctree-l2 current"><a class="reference internal" href="index.html">Configuration Files</a><ul class="current">
-<li class="toctree-l3 current"><a class="current reference internal" href="#">krb5.conf</a></li>
-<li class="toctree-l3"><a class="reference internal" href="kdc_conf.html">kdc.conf</a></li>
-<li class="toctree-l3"><a class="reference internal" href="kadm5_acl.html">kadm5.acl</a></li>
-</ul>
-</li>
-<li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../dbtypes.html">Database types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../host_config.html">Host configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../spake.html">SPAKE Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../dictionary.html">Addressing dictionary attack risks</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../auth_indicator.html">Authentication indicators</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../admin_commands/index.html">Administration programs</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../../mitK5defaults.html">MIT Kerberos defaults</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../env_variables.html">Environment variables</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../troubleshoot.html">Troubleshooting</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../advanced/index.html">Advanced topics</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../various_envs.html">Various links</a></li>
-</ul>
-</li>
-<li class="toctree-l1"><a class="reference internal" href="../../appdev/index.html">For application developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../plugindev/index.html">For plugin module developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../build/index.html">Building Kerberos V5</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../basic/index.html">Kerberos V5 concepts</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../formats/index.html">Protocols and file formats</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../mitK5features.html">MIT Kerberos features</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../build_this.html">How to build this documentation from the source</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../about.html">Contributing to the MIT Kerberos Documentation</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../../resources.html">Resources</a></li>
-</ul>
-
- <br/>
- <h4><a href="../../index.html">Full Table of Contents</a></h4>
- <h4>Search</h4>
- <form class="search" action="../../search.html" method="get">
- <input type="text" name="q" size="18" />
- <input type="submit" value="Go" />
- <input type="hidden" name="check_keywords" value="yes" />
- <input type="hidden" name="area" value="default" />
- </form>
-
- </div>
- <div class="clearer"></div>
- </div>
- </div>
-
- <div class="footer-wrapper">
- <div class="footer" >
- <div class="right" ><i>Release: 1.22-final</i><br />
- &copy; <a href="../../copyright.html">Copyright</a> 1985-2025, MIT.
- </div>
- <div class="left">
-
- <a href="../../index.html" title="Full Table of Contents"
- >Contents</a> |
- <a href="index.html" title="Configuration Files"
- >previous</a> |
- <a href="kdc_conf.html" title="kdc.conf"
- >next</a> |
- <a href="../../genindex.html" title="General Index"
- >index</a> |
- <a href="../../search.html" title="Enter search criteria"
- >Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__krb5.conf">feedback</a>
- </div>
- </div>
- </div>
-
- </body>
-</html> \ No newline at end of file
diff --git a/crypto/krb5/doc/html/admin/conf_ldap.html b/crypto/krb5/doc/html/admin/conf_ldap.html
deleted file mode 100644
index d43a45cfd90c..000000000000
--- a/crypto/krb5/doc/html/admin/conf_ldap.html
+++ /dev/null
@@ -1,274 +0,0 @@
-<!DOCTYPE html>
-
-<html lang="en" data-content_root="../">
- <head>
- <meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
-
- <title>Configuring Kerberos with OpenLDAP back-end &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../_static/pygments.css?v=fa44fd50" />
- <link rel="stylesheet" type="text/css" href="../_static/agogo.css?v=879f3c71" />
- <link rel="stylesheet" type="text/css" href="../_static/kerb.css?v=6a0b3979" />
- <script src="../_static/documentation_options.js?v=236fef3b"></script>
- <script src="../_static/doctools.js?v=888ff710"></script>
- <script src="../_static/sphinx_highlight.js?v=dc90522c"></script>
- <link rel="author" title="About these documents" href="../about.html" />
- <link rel="index" title="Index" href="../genindex.html" />
- <link rel="search" title="Search" href="../search.html" />
- <link rel="copyright" title="Copyright" href="../copyright.html" />
- <link rel="next" title="Application servers" href="appl_servers.html" />
- <link rel="prev" title="Account lockout" href="lockout.html" />
- </head><body>
- <div class="header-wrapper">
- <div class="header">
-
-
- <h1><a href="../index.html">MIT Kerberos Documentation</a></h1>
-
- <div class="rel">
-
- <a href="../index.html" title="Full Table of Contents"
- accesskey="C">Contents</a> |
- <a href="lockout.html" title="Account lockout"
- accesskey="P">previous</a> |
- <a href="appl_servers.html" title="Application servers"
- accesskey="N">next</a> |
- <a href="../genindex.html" title="General Index"
- accesskey="I">index</a> |
- <a href="../search.html" title="Enter search criteria"
- accesskey="S">Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Configuring Kerberos with OpenLDAP back-end">feedback</a>
- </div>
- </div>
- </div>
-
- <div class="content-wrapper">
- <div class="content">
- <div class="document">
-
- <div class="documentwrapper">
- <div class="bodywrapper">
- <div class="body" role="main">
-
- <section id="configuring-kerberos-with-openldap-back-end">
-<span id="conf-ldap"></span><h1>Configuring Kerberos with OpenLDAP back-end<a class="headerlink" href="#configuring-kerberos-with-openldap-back-end" title="Link to this heading">¶</a></h1>
-<blockquote>
-<div><ol class="arabic">
-<li><p>Make sure the LDAP server is using local authentication
-(<code class="docutils literal notranslate"><span class="pre">ldapi://</span></code>) or TLS (<code class="docutils literal notranslate"><span class="pre">ldaps</span></code>). See
-<a class="reference external" href="https://www.openldap.org/doc/admin/tls.html">https://www.openldap.org/doc/admin/tls.html</a> for instructions on
-configuring TLS support in OpenLDAP.</p></li>
-<li><p>Add the Kerberos schema file to the LDAP Server using the OpenLDAP
-LDIF file from the krb5 source directory
-(<code class="docutils literal notranslate"><span class="pre">src/plugins/kdb/ldap/libkdb_ldap/kerberos.openldap.ldif</span></code>).
-The following example uses local authentication:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">ldapadd</span> <span class="o">-</span><span class="n">Y</span> <span class="n">EXTERNAL</span> <span class="o">-</span><span class="n">H</span> <span class="n">ldapi</span><span class="p">:</span><span class="o">///</span> <span class="o">-</span><span class="n">f</span> <span class="o">/</span><span class="n">path</span><span class="o">/</span><span class="n">to</span><span class="o">/</span><span class="n">kerberos</span><span class="o">.</span><span class="n">openldap</span><span class="o">.</span><span class="n">ldif</span>
-</pre></div>
-</div>
-</li>
-<li><p>Choose DNs for the <a class="reference internal" href="admin_commands/krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a> and <a class="reference internal" href="admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> servers
-to bind to the LDAP server, and create them if necessary. Specify
-these DNs with the <strong>ldap_kdc_dn</strong> and <strong>ldap_kadmind_dn</strong>
-directives in <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>. The kadmind DN will also be
-used for administrative commands such as <a class="reference internal" href="admin_commands/kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a>.</p>
-<p>Alternatively, you may configure krb5kdc and kadmind to use SASL
-authentication to access the LDAP server; see the <a class="reference internal" href="conf_files/kdc_conf.html#dbmodules"><span class="std std-ref">[dbmodules]</span></a>
-relations <strong>ldap_kdc_sasl_mech</strong> and similar.</p>
-</li>
-<li><p>Specify a location for the LDAP service password file by setting
-<strong>ldap_service_password_file</strong>. Use <code class="docutils literal notranslate"><span class="pre">kdb5_ldap_util</span> <span class="pre">stashsrvpw</span></code>
-to stash passwords for the KDC and kadmind DNs chosen above. For
-example:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">kdb5_ldap_util</span> <span class="n">stashsrvpw</span> <span class="o">-</span><span class="n">f</span> <span class="o">/</span><span class="n">path</span><span class="o">/</span><span class="n">to</span><span class="o">/</span><span class="n">service</span><span class="o">.</span><span class="n">keyfile</span> <span class="n">cn</span><span class="o">=</span><span class="n">krbadmin</span><span class="p">,</span><span class="n">dc</span><span class="o">=</span><span class="n">example</span><span class="p">,</span><span class="n">dc</span><span class="o">=</span><span class="n">com</span>
-</pre></div>
-</div>
-<p>Skip this step if you are using SASL authentication and the
-mechanism does not require a password.</p>
-</li>
-<li><p>Choose a DN for the global Kerberos container entry (but do not
-create the entry at this time). Specify this DN with the
-<strong>ldap_kerberos_container_dn</strong> directive in <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>.
-Realm container entries will be created underneath this DN.
-Principal entries may exist either underneath the realm container
-(the default) or in separate trees referenced from the realm
-container.</p></li>
-<li><p>Configure the LDAP server ACLs to enable the KDC and kadmin server
-DNs to read and write the Kerberos data. If
-<strong>disable_last_success</strong> and <strong>disable_lockout</strong> are both set to
-true in the <a class="reference internal" href="conf_files/kdc_conf.html#dbmodules"><span class="std std-ref">[dbmodules]</span></a> subsection for the realm, then the
-KDC DN only requires read access to the Kerberos data.</p>
-<p>Sample access control information:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">access</span> <span class="n">to</span> <span class="n">dn</span><span class="o">.</span><span class="n">base</span><span class="o">=</span><span class="s2">&quot;&quot;</span>
- <span class="n">by</span> <span class="o">*</span> <span class="n">read</span>
-
-<span class="n">access</span> <span class="n">to</span> <span class="n">dn</span><span class="o">.</span><span class="n">base</span><span class="o">=</span><span class="s2">&quot;cn=Subschema&quot;</span>
- <span class="n">by</span> <span class="o">*</span> <span class="n">read</span>
-
-<span class="c1"># Provide access to the realm container.</span>
-<span class="n">access</span> <span class="n">to</span> <span class="n">dn</span><span class="o">.</span><span class="n">subtree</span><span class="o">=</span> <span class="s2">&quot;cn=EXAMPLE.COM,cn=krbcontainer,dc=example,dc=com&quot;</span>
- <span class="n">by</span> <span class="n">dn</span><span class="o">.</span><span class="n">exact</span><span class="o">=</span><span class="s2">&quot;cn=kdc-service,dc=example,dc=com&quot;</span> <span class="n">write</span>
- <span class="n">by</span> <span class="n">dn</span><span class="o">.</span><span class="n">exact</span><span class="o">=</span><span class="s2">&quot;cn=adm-service,dc=example,dc=com&quot;</span> <span class="n">write</span>
- <span class="n">by</span> <span class="o">*</span> <span class="n">none</span>
-
-<span class="c1"># Provide access to principals, if not underneath the realm container.</span>
-<span class="n">access</span> <span class="n">to</span> <span class="n">dn</span><span class="o">.</span><span class="n">subtree</span><span class="o">=</span> <span class="s2">&quot;ou=users,dc=example,dc=com&quot;</span>
- <span class="n">by</span> <span class="n">dn</span><span class="o">.</span><span class="n">exact</span><span class="o">=</span><span class="s2">&quot;cn=kdc-service,dc=example,dc=com&quot;</span> <span class="n">write</span>
- <span class="n">by</span> <span class="n">dn</span><span class="o">.</span><span class="n">exact</span><span class="o">=</span><span class="s2">&quot;cn=adm-service,dc=example,dc=com&quot;</span> <span class="n">write</span>
- <span class="n">by</span> <span class="o">*</span> <span class="n">none</span>
-
-<span class="n">access</span> <span class="n">to</span> <span class="o">*</span>
- <span class="n">by</span> <span class="o">*</span> <span class="n">read</span>
-</pre></div>
-</div>
-<p>If the locations of the container and principals or the DNs of the
-service objects for a realm are changed then this information
-should be updated.</p>
-</li>
-<li><p>In <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>, make sure the following relations are set
-in the <a class="reference internal" href="conf_files/kdc_conf.html#dbmodules"><span class="std std-ref">[dbmodules]</span></a> subsection for the realm:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>db_library (set to ``kldap``)
-ldap_kerberos_container_dn
-ldap_kdc_dn
-ldap_kadmind_dn
-ldap_service_password_file
-ldap_servers
-</pre></div>
-</div>
-</li>
-<li><p>Create the realm using <a class="reference internal" href="admin_commands/kdb5_ldap_util.html#kdb5-ldap-util-8"><span class="std std-ref">kdb5_ldap_util</span></a>:</p>
-<blockquote>
-<div><p>kdb5_ldap_util create -subtrees ou=users,dc=example,dc=com -s</p>
-</div></blockquote>
-<p>Use the <strong>-subtrees</strong> option if the principals are to exist in a
-separate subtree from the realm container. Before executing the
-command, make sure that the subtree mentioned above
-<code class="docutils literal notranslate"><span class="pre">(ou=users,dc=example,dc=com)</span></code> exists. If the principals will
-exist underneath the realm container, omit the <strong>-subtrees</strong> option
-and do not worry about creating the principal subtree.</p>
-<p>For more information, refer to the section <a class="reference internal" href="database.html#ops-on-ldap"><span class="std std-ref">Operations on the LDAP database</span></a>.</p>
-<p>The realm object is created under the
-<strong>ldap_kerberos_container_dn</strong> specified in the configuration
-file. This operation will also create the Kerberos container, if
-not present already. This container can be used to store
-information related to multiple realms.</p>
-</li>
-<li><p>Add an <code class="docutils literal notranslate"><span class="pre">eq</span></code> index for <code class="docutils literal notranslate"><span class="pre">krbPrincipalName</span></code> to speed up principal
-lookup operations. See
-<a class="reference external" href="https://www.openldap.org/doc/admin/tuning.html#Indexes">https://www.openldap.org/doc/admin/tuning.html#Indexes</a> for
-details.</p></li>
-</ol>
-</div></blockquote>
-<p>With the LDAP back end it is possible to provide aliases for principal
-entries. Beginning in release 1.22, aliases can be added with the
-kadmin <strong>add_alias</strong> command, but it is also possible (in release 1.7
-or later) to provide aliases through direct manipulation of the LDAP
-entries.</p>
-<p>An entry with aliases contains multiple values of the
-<em>krbPrincipalName</em> attribute. Since LDAP attribute values are not
-ordered, it is necessary to specify which principal name is canonical,
-by using the <em>krbCanonicalName</em> attribute. Therefore, to create
-aliases for an entry, first set the <em>krbCanonicalName</em> attribute of
-the entry to the canonical principal name (which should be identical
-to the pre-existing <em>krbPrincipalName</em> value), and then add additional
-<em>krbPrincipalName</em> attributes for the aliases.</p>
-<p>Principal aliases are only returned by the KDC when the client
-requests canonicalization. Canonicalization is normally requested for
-service principals; for client principals, an explicit flag is often
-required (e.g., <code class="docutils literal notranslate"><span class="pre">kinit</span> <span class="pre">-C</span></code>) and canonicalization is only performed
-for initial ticket requests.</p>
-</section>
-
-
- <div class="clearer"></div>
- </div>
- </div>
- </div>
- </div>
- <div class="sidebar">
-
- <h2>On this page</h2>
- <ul>
-<li><a class="reference internal" href="#">Configuring Kerberos with OpenLDAP back-end</a></li>
-</ul>
-
- <br/>
- <h2>Table of contents</h2>
- <ul class="current">
-<li class="toctree-l1"><a class="reference internal" href="../user/index.html">For users</a></li>
-<li class="toctree-l1 current"><a class="reference internal" href="index.html">For administrators</a><ul class="current">
-<li class="toctree-l2"><a class="reference internal" href="install.html">Installation guide</a></li>
-<li class="toctree-l2"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li>
-<li class="toctree-l2"><a class="reference internal" href="realm_config.html">Realm configuration decisions</a></li>
-<li class="toctree-l2"><a class="reference internal" href="database.html">Database administration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="dbtypes.html">Database types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="lockout.html">Account lockout</a></li>
-<li class="toctree-l2 current"><a class="current reference internal" href="#">Configuring Kerberos with OpenLDAP back-end</a></li>
-<li class="toctree-l2"><a class="reference internal" href="appl_servers.html">Application servers</a></li>
-<li class="toctree-l2"><a class="reference internal" href="host_config.html">Host configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="backup_host.html">Backups of secure hosts</a></li>
-<li class="toctree-l2"><a class="reference internal" href="pkinit.html">PKINIT configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="otp.html">OTP Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="spake.html">SPAKE Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="dictionary.html">Addressing dictionary attack risks</a></li>
-<li class="toctree-l2"><a class="reference internal" href="princ_dns.html">Principal names and DNS</a></li>
-<li class="toctree-l2"><a class="reference internal" href="enctypes.html">Encryption types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="https.html">HTTPS proxy configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="auth_indicator.html">Authentication indicators</a></li>
-<li class="toctree-l2"><a class="reference internal" href="admin_commands/index.html">Administration programs</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../mitK5defaults.html">MIT Kerberos defaults</a></li>
-<li class="toctree-l2"><a class="reference internal" href="env_variables.html">Environment variables</a></li>
-<li class="toctree-l2"><a class="reference internal" href="troubleshoot.html">Troubleshooting</a></li>
-<li class="toctree-l2"><a class="reference internal" href="advanced/index.html">Advanced topics</a></li>
-<li class="toctree-l2"><a class="reference internal" href="various_envs.html">Various links</a></li>
-</ul>
-</li>
-<li class="toctree-l1"><a class="reference internal" href="../appdev/index.html">For application developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../plugindev/index.html">For plugin module developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../basic/index.html">Kerberos V5 concepts</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../formats/index.html">Protocols and file formats</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../build_this.html">How to build this documentation from the source</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../about.html">Contributing to the MIT Kerberos Documentation</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../resources.html">Resources</a></li>
-</ul>
-
- <br/>
- <h4><a href="../index.html">Full Table of Contents</a></h4>
- <h4>Search</h4>
- <form class="search" action="../search.html" method="get">
- <input type="text" name="q" size="18" />
- <input type="submit" value="Go" />
- <input type="hidden" name="check_keywords" value="yes" />
- <input type="hidden" name="area" value="default" />
- </form>
-
- </div>
- <div class="clearer"></div>
- </div>
- </div>
-
- <div class="footer-wrapper">
- <div class="footer" >
- <div class="right" ><i>Release: 1.22-final</i><br />
- &copy; <a href="../copyright.html">Copyright</a> 1985-2025, MIT.
- </div>
- <div class="left">
-
- <a href="../index.html" title="Full Table of Contents"
- >Contents</a> |
- <a href="lockout.html" title="Account lockout"
- >previous</a> |
- <a href="appl_servers.html" title="Application servers"
- >next</a> |
- <a href="../genindex.html" title="General Index"
- >index</a> |
- <a href="../search.html" title="Enter search criteria"
- >Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Configuring Kerberos with OpenLDAP back-end">feedback</a>
- </div>
- </div>
- </div>
-
- </body>
-</html> \ No newline at end of file
diff --git a/crypto/krb5/doc/html/admin/database.html b/crypto/krb5/doc/html/admin/database.html
deleted file mode 100644
index 82bf7a225306..000000000000
--- a/crypto/krb5/doc/html/admin/database.html
+++ /dev/null
@@ -1,706 +0,0 @@
-<!DOCTYPE html>
-
-<html lang="en" data-content_root="../">
- <head>
- <meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
-
- <title>Database administration &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../_static/pygments.css?v=fa44fd50" />
- <link rel="stylesheet" type="text/css" href="../_static/agogo.css?v=879f3c71" />
- <link rel="stylesheet" type="text/css" href="../_static/kerb.css?v=6a0b3979" />
- <script src="../_static/documentation_options.js?v=236fef3b"></script>
- <script src="../_static/doctools.js?v=888ff710"></script>
- <script src="../_static/sphinx_highlight.js?v=dc90522c"></script>
- <link rel="author" title="About these documents" href="../about.html" />
- <link rel="index" title="Index" href="../genindex.html" />
- <link rel="search" title="Search" href="../search.html" />
- <link rel="copyright" title="Copyright" href="../copyright.html" />
- <link rel="next" title="Database types" href="dbtypes.html" />
- <link rel="prev" title="Realm configuration decisions" href="realm_config.html" />
- </head><body>
- <div class="header-wrapper">
- <div class="header">
-
-
- <h1><a href="../index.html">MIT Kerberos Documentation</a></h1>
-
- <div class="rel">
-
- <a href="../index.html" title="Full Table of Contents"
- accesskey="C">Contents</a> |
- <a href="realm_config.html" title="Realm configuration decisions"
- accesskey="P">previous</a> |
- <a href="dbtypes.html" title="Database types"
- accesskey="N">next</a> |
- <a href="../genindex.html" title="General Index"
- accesskey="I">index</a> |
- <a href="../search.html" title="Enter search criteria"
- accesskey="S">Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Database administration">feedback</a>
- </div>
- </div>
- </div>
-
- <div class="content-wrapper">
- <div class="content">
- <div class="document">
-
- <div class="documentwrapper">
- <div class="bodywrapper">
- <div class="body" role="main">
-
- <section id="database-administration">
-<h1>Database administration<a class="headerlink" href="#database-administration" title="Link to this heading">¶</a></h1>
-<p>A Kerberos database contains all of a realm’s Kerberos principals,
-their passwords, and other administrative information about each
-principal. For the most part, you will use the <a class="reference internal" href="admin_commands/kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a>
-program to manipulate the Kerberos database as a whole, and the
-<a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> program to make changes to the entries in the
-database. (One notable exception is that users will use the
-<a class="reference internal" href="../user/user_commands/kpasswd.html#kpasswd-1"><span class="std std-ref">kpasswd</span></a> program to change their own passwords.) The kadmin
-program has its own command-line interface, to which you type the
-database administrating commands.</p>
-<p><a class="reference internal" href="admin_commands/kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a> provides a means to create, delete, load, or dump
-a Kerberos database. It also contains commands to roll over the
-database master key, and to stash a copy of the key so that the
-<a class="reference internal" href="admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> and <a class="reference internal" href="admin_commands/krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a> daemons can use the database
-without manual input.</p>
-<p><a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> provides for the maintenance of Kerberos principals,
-password policies, and service key tables (keytabs). Normally it
-operates as a network client using Kerberos authentication to
-communicate with <a class="reference internal" href="admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a>, but there is also a variant, named
-kadmin.local, which directly accesses the Kerberos database on the
-local filesystem (or through LDAP). kadmin.local is necessary to set
-up enough of the database to be able to use the remote version.</p>
-<p>kadmin can authenticate to the admin server using the service
-principal <code class="docutils literal notranslate"><span class="pre">kadmin/admin</span></code> or <code class="docutils literal notranslate"><span class="pre">kadmin/HOST</span></code> (where <em>HOST</em> is the
-hostname of the admin server). If the credentials cache contains a
-ticket for either service principal and the <strong>-c</strong> ccache option is
-specified, that ticket is used to authenticate to KADM5. Otherwise,
-the <strong>-p</strong> and <strong>-k</strong> options are used to specify the client Kerberos
-principal name used to authenticate. Once kadmin has determined the
-principal name, it requests a <code class="docutils literal notranslate"><span class="pre">kadmin/admin</span></code> Kerberos service ticket
-from the KDC, and uses that service ticket to authenticate to KADM5.</p>
-<p>See <a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> for the available kadmin and kadmin.local
-commands and options.</p>
-<section id="principals">
-<span id="id1"></span><h2>Principals<a class="headerlink" href="#principals" title="Link to this heading">¶</a></h2>
-<p>Each entry in the Kerberos database contains a Kerberos principal and
-the attributes and policies associated with that principal.</p>
-<p>To add a principal to the database, use the <a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a>
-<strong>add_principal</strong> command. User principals should usually be created
-with the <code class="docutils literal notranslate"><span class="pre">+requires_preauth</span> <span class="pre">-allow_svr</span></code> options to help mitigate
-dictionary attacks (see <a class="reference internal" href="dictionary.html#dictionary"><span class="std std-ref">Addressing dictionary attack risks</span></a>):</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">addprinc</span> <span class="o">+</span><span class="n">requires_preauth</span> <span class="o">-</span><span class="n">allow_svr</span> <span class="n">alice</span>
-<span class="n">Enter</span> <span class="n">password</span> <span class="k">for</span> <span class="n">principal</span> <span class="s2">&quot;alice@KRBTEST.COM&quot;</span><span class="p">:</span>
-<span class="n">Re</span><span class="o">-</span><span class="n">enter</span> <span class="n">password</span> <span class="k">for</span> <span class="n">principal</span> <span class="s2">&quot;alice@KRBTEST.COM&quot;</span><span class="p">:</span>
-</pre></div>
-</div>
-<p>User principals which will authenticate with <a class="reference internal" href="pkinit.html#pkinit"><span class="std std-ref">PKINIT configuration</span></a> should
-instead by created with the <code class="docutils literal notranslate"><span class="pre">-nokey</span></code> option:</p>
-<blockquote>
-<div><p>kadmin: addprinc -nokey alice</p>
-</div></blockquote>
-<p>Service principals can be created with the <code class="docutils literal notranslate"><span class="pre">-nokey</span></code> option;
-long-term keys will be added when a keytab is generated:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">addprinc</span> <span class="o">-</span><span class="n">nokey</span> <span class="n">host</span><span class="o">/</span><span class="n">foo</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span>
-<span class="n">kadmin</span><span class="p">:</span> <span class="n">ktadd</span> <span class="o">-</span><span class="n">k</span> <span class="n">foo</span><span class="o">.</span><span class="n">keytab</span> <span class="n">host</span><span class="o">/</span><span class="n">foo</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span>
-<span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">host</span><span class="o">/</span><span class="n">foo</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">1</span><span class="p">,</span> <span class="n">encryption</span> <span class="nb">type</span> <span class="n">aes256</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span> <span class="n">added</span> <span class="n">to</span> <span class="n">keytab</span> <span class="n">WRFILE</span><span class="p">:</span><span class="n">foo</span><span class="o">.</span><span class="n">keytab</span><span class="o">.</span>
-<span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">host</span><span class="o">/</span><span class="n">foo</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">1</span><span class="p">,</span> <span class="n">encryption</span> <span class="nb">type</span> <span class="n">aes128</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span> <span class="n">added</span> <span class="n">to</span> <span class="n">keytab</span> <span class="n">WRFILE</span><span class="p">:</span><span class="n">foo</span><span class="o">.</span><span class="n">keytab</span><span class="o">.</span>
-</pre></div>
-</div>
-<p>To modify attributes of an existing principal, use the kadmin
-<strong>modify_principal</strong> command:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">modprinc</span> <span class="o">-</span><span class="n">expire</span> <span class="n">tomorrow</span> <span class="n">alice</span>
-<span class="n">Principal</span> <span class="s2">&quot;alice@KRBTEST.COM&quot;</span> <span class="n">modified</span><span class="o">.</span>
-</pre></div>
-</div>
-<p>To delete a principal, use the kadmin <strong>delete_principal</strong> command:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>kadmin: delprinc alice
-Are you sure you want to delete the principal &quot;alice@KRBTEST.COM&quot;? (yes/no): yes
-Principal &quot;alice@KRBTEST.COM&quot; deleted.
-Make sure that you have removed this principal from all ACLs before reusing.
-</pre></div>
-</div>
-<p>To change a principal’s password, use the kadmin <strong>change_password</strong>
-command. Password changes made through kadmin are subject to the same
-password policies as would apply to password changes made through
-<a class="reference internal" href="../user/user_commands/kpasswd.html#kpasswd-1"><span class="std std-ref">kpasswd</span></a>.</p>
-<p>To view the attributes of a principal, use the kadmin`
-<strong>get_principal</strong> command.</p>
-<p>To generate a listing of principals, use the kadmin
-<strong>list_principals</strong> command.</p>
-<p>To give a principal additional names, use the kadmin <strong>add_alias</strong>
-command to create aliases to the principal (new in release 1.22).
-Aliases can be removed with the <strong>delete_principal</strong> command.</p>
-</section>
-<section id="policies">
-<span id="id2"></span><h2>Policies<a class="headerlink" href="#policies" title="Link to this heading">¶</a></h2>
-<p>A policy is a set of rules governing passwords. Policies can dictate
-minimum and maximum password lifetimes, minimum number of characters
-and character classes a password must contain, and the number of old
-passwords kept in the database.</p>
-<p>To add a new policy, use the <a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> <strong>add_policy</strong> command:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">addpol</span> <span class="o">-</span><span class="n">maxlife</span> <span class="s2">&quot;1 year&quot;</span> <span class="o">-</span><span class="n">history</span> <span class="mi">3</span> <span class="n">stduser</span>
-</pre></div>
-</div>
-<p>To modify attributes of a principal, use the kadmin <strong>modify_policy</strong>
-command. To delete a policy, use the kadmin <strong>delete_policy</strong>
-command.</p>
-<p>To associate a policy with a principal, use the kadmin
-<strong>modify_principal</strong> command with the <strong>-policy</strong> option:</p>
-<blockquote>
-<div><p>kadmin: modprinc -policy stduser alice
-Principal “<a class="reference external" href="mailto:alice&#37;&#52;&#48;KRBTEST&#46;COM">alice<span>&#64;</span>KRBTEST<span>&#46;</span>COM</a>” modified.</p>
-</div></blockquote>
-<p>A principal entry may be associated with a nonexistent policy, either
-because the policy did not exist at the time of associated or was
-deleted afterwards. kadmin will warn when associated a principal with
-a nonexistent policy, and will annotate the policy name with “[does
-not exist]” in the <strong>get_principal</strong> output.</p>
-<section id="updating-the-history-key">
-<span id="updating-history-key"></span><h3>Updating the history key<a class="headerlink" href="#updating-the-history-key" title="Link to this heading">¶</a></h3>
-<p>If a policy specifies a number of old keys kept of two or more, the
-stored old keys are encrypted in a history key, which is found in the
-key data of the <code class="docutils literal notranslate"><span class="pre">kadmin/history</span></code> principal.</p>
-<p>Currently there is no support for proper rollover of the history key,
-but you can change the history key (for example, to use a better
-encryption type) at the cost of invalidating currently stored old
-keys. To change the history key, run:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">change_password</span> <span class="o">-</span><span class="n">randkey</span> <span class="n">kadmin</span><span class="o">/</span><span class="n">history</span>
-</pre></div>
-</div>
-<p>This command will fail if you specify the <strong>-keepold</strong> flag. Only one
-new history key will be created, even if you specify multiple key/salt
-combinations.</p>
-<p>In the future, we plan to migrate towards encrypting old keys in the
-master key instead of the history key, and implementing proper
-rollover support for stored old keys.</p>
-</section>
-</section>
-<section id="privileges">
-<span id="id3"></span><h2>Privileges<a class="headerlink" href="#privileges" title="Link to this heading">¶</a></h2>
-<p>Administrative privileges for the Kerberos database are stored in the
-file <a class="reference internal" href="conf_files/kadm5_acl.html#kadm5-acl-5"><span class="std std-ref">kadm5.acl</span></a>.</p>
-<div class="admonition note">
-<p class="admonition-title">Note</p>
-<p>A common use of an admin instance is so you can grant
-separate permissions (such as administrator access to the
-Kerberos database) to a separate Kerberos principal. For
-example, the user <code class="docutils literal notranslate"><span class="pre">joeadmin</span></code> might have a principal for
-his administrative use, called <code class="docutils literal notranslate"><span class="pre">joeadmin/admin</span></code>. This
-way, <code class="docutils literal notranslate"><span class="pre">joeadmin</span></code> would obtain <code class="docutils literal notranslate"><span class="pre">joeadmin/admin</span></code> tickets
-only when he actually needs to use those permissions.</p>
-</div>
-</section>
-<section id="operations-on-the-kerberos-database">
-<span id="db-operations"></span><h2>Operations on the Kerberos database<a class="headerlink" href="#operations-on-the-kerberos-database" title="Link to this heading">¶</a></h2>
-<p>The <a class="reference internal" href="admin_commands/kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a> command is the primary tool for administrating
-the Kerberos database when using the DB2 or LMDB modules (see
-<a class="reference internal" href="dbtypes.html#dbtypes"><span class="std std-ref">Database types</span></a>). Creating a database is described in
-<a class="reference internal" href="install_kdc.html#create-db"><span class="std std-ref">Create the KDC database</span></a>.</p>
-<p>To create a stash file using the master password (because the database
-was not created with one using the <code class="docutils literal notranslate"><span class="pre">create</span> <span class="pre">-s</span></code> flag, or after
-restoring from a backup which did not contain the stash file), use the
-kdb5_util <strong>stash</strong> command:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>$ kdb5_util stash
-kdb5_util: Cannot find/read stored master key while reading master key
-kdb5_util: Warning: proceeding without master key
-Enter KDC database master key: &lt;= Type the KDC database master password.
-</pre></div>
-</div>
-<p>To destroy a database, use the kdb5_util destroy command:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>$ kdb5_util destroy
-Deleting KDC database stored in &#39;/var/krb5kdc/principal&#39;, are you sure?
-(type &#39;yes&#39; to confirm)? yes
-OK, deleting database &#39;/var/krb5kdc/principal&#39;...
-** Database &#39;/var/krb5kdc/principal&#39; destroyed.
-</pre></div>
-</div>
-<section id="dumping-and-loading-a-kerberos-database">
-<span id="restore-from-dump"></span><h3>Dumping and loading a Kerberos database<a class="headerlink" href="#dumping-and-loading-a-kerberos-database" title="Link to this heading">¶</a></h3>
-<p>To dump a Kerberos database into a text file for backup or transfer
-purposes, use the <a class="reference internal" href="admin_commands/kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a> <strong>dump</strong> command on one of the
-KDCs:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>$ kdb5_util dump dumpfile
-
-$ kbd5_util dump -verbose dumpfile
-kadmin/admin@ATHENA.MIT.EDU
-krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU
-kadmin/history@ATHENA.MIT.EDU
-K/M@ATHENA.MIT.EDU
-kadmin/changepw@ATHENA.MIT.EDU
-</pre></div>
-</div>
-<p>You may specify which principals to dump, using full principal names
-including realm:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>$ kdb5_util dump -verbose someprincs K/M@ATHENA.MIT.EDU kadmin/admin@ATHENA.MIT.EDU
-kadmin/admin@ATHENA.MIT.EDU
-K/M@ATHENA.MIT.EDU
-</pre></div>
-</div>
-<p>To restore a Kerberos database dump from a file, use the
-<a class="reference internal" href="admin_commands/kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a> <strong>load</strong> command:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>$ kdb5_util load dumpfile
-</pre></div>
-</div>
-<p>To update an existing database with a partial dump file containing
-only some principals, use the <code class="docutils literal notranslate"><span class="pre">-update</span></code> flag:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>$ kdb5_util load -update someprincs
-</pre></div>
-</div>
-<div class="admonition note">
-<p class="admonition-title">Note</p>
-<p>If the database file exists, and the <em>-update</em> flag was not
-given, <em>kdb5_util</em> will overwrite the existing database.</p>
-</div>
-</section>
-<section id="updating-the-master-key">
-<span id="updating-master-key"></span><h3>Updating the master key<a class="headerlink" href="#updating-the-master-key" title="Link to this heading">¶</a></h3>
-<p>Starting with release 1.7, <a class="reference internal" href="admin_commands/kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a> allows the master key
-to be changed using a rollover process, with minimal loss of
-availability. To roll over the master key, follow these steps:</p>
-<ol class="arabic">
-<li><p>On the primary KDC, run <code class="docutils literal notranslate"><span class="pre">kdb5_util</span> <span class="pre">list_mkeys</span></code> to view the
-current master key version number (KVNO). If you have never rolled
-over the master key before, this will likely be version 1:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>$ kdb5_util list_mkeys
-Master keys for Principal: K/M@KRBTEST.COM
-KVNO: 1, Enctype: aes256-cts-hmac-sha384-192, Active on: Thu Jan 01 00:00:00 UTC 1970 *
-</pre></div>
-</div>
-</li>
-<li><p>On the primary KDC, run <code class="docutils literal notranslate"><span class="pre">kdb5_util</span> <span class="pre">use_mkey</span> <span class="pre">1</span></code> to ensure that a
-master key activation list is present in the database. This step
-is unnecessary in release 1.11.4 or later, or if the database was
-initially created with release 1.7 or later.</p></li>
-<li><p>On the primary KDC, run <code class="docutils literal notranslate"><span class="pre">kdb5_util</span> <span class="pre">add_mkey</span> <span class="pre">-s</span></code> to create a new
-master key and write it to the stash file. Enter a secure password
-when prompted. If this is the first time you are changing the
-master key, the new key will have version 2. The new master key
-will not be used until you make it active.</p></li>
-<li><p>Propagate the database to all replica KDCs, either manually or by
-waiting until the next scheduled propagation. If you do not have
-any replica KDCs, you can skip this and the next step.</p></li>
-<li><p>On each replica KDC, run <code class="docutils literal notranslate"><span class="pre">kdb5_util</span> <span class="pre">list_mkeys</span></code> to verify that
-the new master key is present, and then <code class="docutils literal notranslate"><span class="pre">kdb5_util</span> <span class="pre">stash</span></code> to
-write the new master key to the replica KDC’s stash file.</p></li>
-<li><p>On the primary KDC, run <code class="docutils literal notranslate"><span class="pre">kdb5_util</span> <span class="pre">use_mkey</span> <span class="pre">2</span></code> to begin using the
-new master key. Replace <code class="docutils literal notranslate"><span class="pre">2</span></code> with the version of the new master
-key, as appropriate. You can optionally specify a date for the new
-master key to become active; by default, it will become active
-immediately. Prior to release 1.12, <a class="reference internal" href="admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> must be
-restarted for this change to take full effect.</p></li>
-<li><p>On the primary KDC, run <code class="docutils literal notranslate"><span class="pre">kdb5_util</span> <span class="pre">update_princ_encryption</span></code>.
-This command will iterate over the database and re-encrypt all keys
-in the new master key. If the database is large and uses DB2, the
-primary KDC will become unavailable while this command runs, but
-clients should fail over to replica KDCs (if any are present)
-during this time period. In release 1.13 and later, you can
-instead run <code class="docutils literal notranslate"><span class="pre">kdb5_util</span> <span class="pre">-x</span> <span class="pre">unlockiter</span> <span class="pre">update_princ_encryption</span></code> to
-use unlocked iteration; this variant will take longer, but will
-keep the database available to the KDC and kadmind while it runs.</p></li>
-<li><p>Wait until the above changes have propagated to all replica KDCs
-and until all running KDC and kadmind processes have serviced
-requests using updated principal entries.</p></li>
-<li><p>On the primary KDC, run <code class="docutils literal notranslate"><span class="pre">kdb5_util</span> <span class="pre">purge_mkeys</span></code> to clean up the
-old master key.</p></li>
-</ol>
-</section>
-</section>
-<section id="operations-on-the-ldap-database">
-<span id="ops-on-ldap"></span><h2>Operations on the LDAP database<a class="headerlink" href="#operations-on-the-ldap-database" title="Link to this heading">¶</a></h2>
-<p>The <a class="reference internal" href="admin_commands/kdb5_ldap_util.html#kdb5-ldap-util-8"><span class="std std-ref">kdb5_ldap_util</span></a> command is the primary tool for
-administrating the Kerberos database when using the LDAP module.
-Creating an LDAP Kerberos database is describe in <a class="reference internal" href="conf_ldap.html#conf-ldap"><span class="std std-ref">Configuring Kerberos with OpenLDAP back-end</span></a>.</p>
-<p>To view a list of realms in the LDAP database, use the kdb5_ldap_util
-<strong>list</strong> command:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>$ kdb5_ldap_util list
-KRBTEST.COM
-</pre></div>
-</div>
-<p>To modify the attributes of a realm, use the kdb5_ldap_util <strong>modify</strong>
-command. For example, to change the default realm’s maximum ticket
-life:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>$ kdb5_ldap_util modify -maxtktlife &quot;10 hours&quot;
-</pre></div>
-</div>
-<p>To display the attributes of a realm, use the kdb5_ldap_util <strong>view</strong>
-command:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>$ kdb5_ldap_util view
- Realm Name: KRBTEST.COM
- Maximum Ticket Life: 0 days 00:10:00
-</pre></div>
-</div>
-<p>To remove a realm from the LDAP database, destroying its contents, use
-the kdb5_ldap_util <strong>destroy</strong> command:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>$ kdb5_ldap_util destroy
-Deleting KDC database of &#39;KRBTEST.COM&#39;, are you sure?
-(type &#39;yes&#39; to confirm)? yes
-OK, deleting database of &#39;KRBTEST.COM&#39;...
-** Database of &#39;KRBTEST.COM&#39; destroyed.
-</pre></div>
-</div>
-<section id="ticket-policy-operations">
-<h3>Ticket Policy operations<a class="headerlink" href="#ticket-policy-operations" title="Link to this heading">¶</a></h3>
-<p>Unlike the DB2 and LMDB modules, the LDAP module supports ticket
-policy objects, which can be associated with principals to restrict
-maximum ticket lifetimes and set mandatory principal flags. Ticket
-policy objects are distinct from the password policies described
-earlier on this page, and are chiefly managed through kdb5_ldap_util
-rather than kadmin. To create a new ticket policy, use the
-kdb5_ldap_util <strong>create_policy</strong> command:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>$ kdb5_ldap_util create_policy -maxrenewlife &quot;2 days&quot; users
-</pre></div>
-</div>
-<p>To associate a ticket policy with a principal, use the
-<a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> <strong>modify_principal</strong> (or <strong>add_principal</strong>) command
-with the <strong>-x tktpolicy=</strong><em>policy</em> option:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>$ kadmin.local modprinc -x tktpolicy=users alice
-</pre></div>
-</div>
-<p>To remove a ticket policy reference from a principal, use the same
-command with an empty <em>policy</em>:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>$ kadmin.local modprinc -x tktpolicy= alice
-</pre></div>
-</div>
-<p>To list the existing ticket policy objects, use the kdb5_ldap_util
-<strong>list_policy</strong> command:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>$ kdb5_ldap_util list_policy
-users
-</pre></div>
-</div>
-<p>To modify the attributes of a ticket policy object, use the
-kdb5_ldap_util <strong>modify_policy</strong> command:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>$ kdb5_ldap_util modify_policy -allow_svr +requires_preauth users
-</pre></div>
-</div>
-<p>To view the attributes of a ticket policy object, use the
-kdb5_ldap_util <strong>view_policy</strong> command:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>$ kdb5_ldap_util view_policy users
- Ticket policy: users
- Maximum renewable life: 2 days 00:00:00
- Ticket flags: REQUIRES_PRE_AUTH DISALLOW_SVR
-</pre></div>
-</div>
-<p>To destroy an ticket policy object, use the kdb5_ldap_util
-<strong>destroy_policy</strong> command:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>$ kdb5_ldap_util destroy_policy users
-This will delete the policy object &#39;users&#39;, are you sure?
-(type &#39;yes&#39; to confirm)? yes
-** policy object &#39;users&#39; deleted.
-</pre></div>
-</div>
-</section>
-</section>
-<section id="cross-realm-authentication">
-<span id="xrealm-authn"></span><h2>Cross-realm authentication<a class="headerlink" href="#cross-realm-authentication" title="Link to this heading">¶</a></h2>
-<p>In order for a KDC in one realm to authenticate Kerberos users in a
-different realm, it must share a key with the KDC in the other realm.
-In both databases, there must be krbtgt service principals for both realms.
-For example, if you need to do cross-realm authentication between the realms
-<code class="docutils literal notranslate"><span class="pre">ATHENA.MIT.EDU</span></code> and <code class="docutils literal notranslate"><span class="pre">EXAMPLE.COM</span></code>, you would need to add the
-principals <code class="docutils literal notranslate"><span class="pre">krbtgt/EXAMPLE.COM&#64;ATHENA.MIT.EDU</span></code> and
-<code class="docutils literal notranslate"><span class="pre">krbtgt/ATHENA.MIT.EDU&#64;EXAMPLE.COM</span></code> to both databases.
-These principals must all have the same passwords, key version
-numbers, and encryption types; this may require explicitly setting
-the key version number with the <strong>-kvno</strong> option.</p>
-<p>In the ATHENA.MIT.EDU and EXAMPLE.COM cross-realm case, the administrators
-would run the following commands on the KDCs in both realms:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">shell</span><span class="o">%</span><span class="p">:</span> <span class="n">kadmin</span><span class="o">.</span><span class="n">local</span> <span class="o">-</span><span class="n">e</span> <span class="s2">&quot;aes256-cts:normal&quot;</span>
-<span class="n">kadmin</span><span class="p">:</span> <span class="n">addprinc</span> <span class="o">-</span><span class="n">requires_preauth</span> <span class="n">krbtgt</span><span class="o">/</span><span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span><span class="nd">@EXAMPLE</span><span class="o">.</span><span class="n">COM</span>
-<span class="n">Enter</span> <span class="n">password</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">krbtgt</span><span class="o">/</span><span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span><span class="nd">@EXAMPLE</span><span class="o">.</span><span class="n">COM</span><span class="p">:</span>
-<span class="n">Re</span><span class="o">-</span><span class="n">enter</span> <span class="n">password</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">krbtgt</span><span class="o">/</span><span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span><span class="nd">@EXAMPLE</span><span class="o">.</span><span class="n">COM</span><span class="p">:</span>
-<span class="n">kadmin</span><span class="p">:</span> <span class="n">addprinc</span> <span class="o">-</span><span class="n">requires_preauth</span> <span class="n">krbtgt</span><span class="o">/</span><span class="n">EXAMPLE</span><span class="o">.</span><span class="n">COM</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span>
-<span class="n">Enter</span> <span class="n">password</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">krbtgt</span><span class="o">/</span><span class="n">EXAMPLE</span><span class="o">.</span><span class="n">COM</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span><span class="p">:</span>
-<span class="n">Enter</span> <span class="n">password</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">krbtgt</span><span class="o">/</span><span class="n">EXAMPLE</span><span class="o">.</span><span class="n">COM</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span><span class="p">:</span>
-<span class="n">kadmin</span><span class="p">:</span>
-</pre></div>
-</div>
-<div class="admonition note">
-<p class="admonition-title">Note</p>
-<p>Even if most principals in a realm are generally created
-with the <strong>requires_preauth</strong> flag enabled, this flag is not
-desirable on cross-realm authentication keys because doing
-so makes it impossible to disable preauthentication on a
-service-by-service basis. Disabling it as in the example
-above is recommended.</p>
-</div>
-<div class="admonition note">
-<p class="admonition-title">Note</p>
-<p>It is very important that these principals have good
-passwords. MIT recommends that TGT principal passwords be
-at least 26 characters of random ASCII text.</p>
-</div>
-</section>
-<section id="changing-the-krbtgt-key">
-<span id="changing-krbtgt-key"></span><h2>Changing the krbtgt key<a class="headerlink" href="#changing-the-krbtgt-key" title="Link to this heading">¶</a></h2>
-<p>A Kerberos Ticket Granting Ticket (TGT) is a service ticket for the
-principal <code class="docutils literal notranslate"><span class="pre">krbtgt/REALM</span></code>. The key for this principal is created
-when the Kerberos database is initialized and need not be changed.
-However, it will only have the encryption types supported by the KDC
-at the time of the initial database creation. To allow use of newer
-encryption types for the TGT, this key has to be changed.</p>
-<p>Changing this key using the normal <a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a>
-<strong>change_password</strong> command would invalidate any previously issued
-TGTs. Therefore, when changing this key, normally one should use the
-<strong>-keepold</strong> flag to change_password to retain the previous key in the
-database as well as the new key. For example:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">change_password</span> <span class="o">-</span><span class="n">randkey</span> <span class="o">-</span><span class="n">keepold</span> <span class="n">krbtgt</span><span class="o">/</span><span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span>
-</pre></div>
-</div>
-<div class="admonition warning">
-<p class="admonition-title">Warning</p>
-<p>After issuing this command, the old key is still valid
-and is still vulnerable to (for instance) brute force
-attacks. To completely retire an old key or encryption
-type, run the kadmin <strong>purgekeys</strong> command to delete keys
-with older kvnos, ideally first making sure that all
-tickets issued with the old keys have expired.</p>
-</div>
-<p>Only the first krbtgt key of the newest key version is used to encrypt
-ticket-granting tickets. However, the set of encryption types present
-in the krbtgt keys is used by default to determine the session key
-types supported by the krbtgt service (see
-<a class="reference internal" href="enctypes.html#session-key-selection"><span class="std std-ref">Session key selection</span></a>). Because non-MIT Kerberos clients
-sometimes send a limited set of encryption types when making AS
-requests, it can be important for the krbtgt service to support
-multiple encryption types. This can be accomplished by giving the
-krbtgt principal multiple keys, which is usually as simple as not
-specifying any <strong>-e</strong> option when changing the krbtgt key, or by
-setting the <strong>session_enctypes</strong> string attribute on the krbtgt
-principal (see <a class="reference internal" href="admin_commands/kadmin_local.html#set-string"><span class="std std-ref">set_string</span></a>).</p>
-<p>Due to a bug in releases 1.8 through 1.13, renewed and forwarded
-tickets may not work if the original ticket was obtained prior to a
-krbtgt key change and the modified ticket is obtained afterwards.
-Upgrading the KDC to release 1.14 or later will correct this bug.</p>
-</section>
-<section id="incremental-database-propagation">
-<span id="incr-db-prop"></span><h2>Incremental database propagation<a class="headerlink" href="#incremental-database-propagation" title="Link to this heading">¶</a></h2>
-<section id="overview">
-<h3>Overview<a class="headerlink" href="#overview" title="Link to this heading">¶</a></h3>
-<p>At some very large sites, dumping and transmitting the database can
-take more time than is desirable for changes to propagate from the
-primary KDC to the replica KDCs. The incremental propagation support
-added in the 1.7 release is intended to address this.</p>
-<p>With incremental propagation enabled, all programs on the primary KDC
-that change the database also write information about the changes to
-an “update log” file, maintained as a circular buffer of a certain
-size. A process on each replica KDC connects to a service on the
-primary KDC (currently implemented in the <a class="reference internal" href="admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> server) and
-periodically requests the changes that have been made since the last
-check. By default, this check is done every two minutes.</p>
-<p>Incremental propagation uses the following entries in the per-realm
-data in the KDC config file (See <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>):</p>
-<table class="docutils align-default">
-<tbody>
-<tr class="row-odd"><td><p>iprop_enable</p></td>
-<td><p><em>boolean</em></p></td>
-<td><p>If <em>true</em>, then incremental propagation is enabled, and (as noted below) normal kprop propagation is disabled. The default is <em>false</em>.</p></td>
-</tr>
-<tr class="row-even"><td><p>iprop_master_ulogsize</p></td>
-<td><p><em>integer</em></p></td>
-<td><p>Indicates the number of entries that should be retained in the update log. The default is 1000; the maximum number is 2500.</p></td>
-</tr>
-<tr class="row-odd"><td><p>iprop_replica_poll</p></td>
-<td><p><em>time interval</em></p></td>
-<td><p>Indicates how often the replica should poll the primary KDC for changes to the database. The default is two minutes.</p></td>
-</tr>
-<tr class="row-even"><td><p>iprop_port</p></td>
-<td><p><em>integer</em></p></td>
-<td><p>Specifies the port number to be used for incremental propagation. This is required in both primary and replica configuration files.</p></td>
-</tr>
-<tr class="row-odd"><td><p>iprop_resync_timeout</p></td>
-<td><p><em>integer</em></p></td>
-<td><p>Specifies the number of seconds to wait for a full propagation to complete. This is optional on replica configurations. Defaults to 300 seconds (5 minutes).</p></td>
-</tr>
-<tr class="row-even"><td><p>iprop_logfile</p></td>
-<td><p><em>file name</em></p></td>
-<td><p>Specifies where the update log file for the realm database is to be stored. The default is to use the <em>database_name</em> entry from the realms section of the config file <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>, with <em>.ulog</em> appended. (NOTE: If database_name isn’t specified in the realms section, perhaps because the LDAP database back end is being used, or the file name is specified in the <em>dbmodules</em> section, then the hard-coded default for <em>database_name</em> is used. Determination of the <em>iprop_logfile</em> default value will not use values from the <em>dbmodules</em> section.)</p></td>
-</tr>
-</tbody>
-</table>
-<p>Both primary and replica sides must have a principal named
-<code class="docutils literal notranslate"><span class="pre">kiprop/hostname</span></code> (where <em>hostname</em> is the lowercase,
-fully-qualified, canonical name for the host) registered in the
-Kerberos database, and have keys for that principal stored in the
-default keytab file (<a class="reference internal" href="../mitK5defaults.html#paths"><span class="std std-ref">DEFKTNAME</span></a>). The <code class="docutils literal notranslate"><span class="pre">kiprop/hostname</span></code> principal may
-have been created automatically for the primary KDC, but it must
-always be created for replica KDCs.</p>
-<p>On the primary KDC side, the <code class="docutils literal notranslate"><span class="pre">kiprop/hostname</span></code> principal must be
-listed in the kadmind ACL file <a class="reference internal" href="conf_files/kadm5_acl.html#kadm5-acl-5"><span class="std std-ref">kadm5.acl</span></a>, and given the
-<strong>p</strong> privilege (see <a class="reference internal" href="#privileges"><span class="std std-ref">Privileges</span></a>).</p>
-<p>On the replica KDC side, <a class="reference internal" href="admin_commands/kpropd.html#kpropd-8"><span class="std std-ref">kpropd</span></a> should be run. When
-incremental propagation is enabled, it will connect to the kadmind on
-the primary KDC and start requesting updates.</p>
-<p>The normal kprop mechanism is disabled by the incremental propagation
-support. However, if the replica has been unable to fetch changes
-from the primary KDC for too long (network problems, perhaps), the log
-on the primary may wrap around and overwrite some of the updates that
-the replica has not yet retrieved. In this case, the replica will
-instruct the primary KDC to dump the current database out to a file
-and invoke a one-time kprop propagation, with special options to also
-convey the point in the update log at which the replica should resume
-fetching incremental updates. Thus, all the keytab and ACL setup
-previously described for kprop propagation is still needed.</p>
-<p>If an environment has a large number of replicas, it may be desirable
-to arrange them in a hierarchy instead of having the primary serve
-updates to every replica. To do this, run <code class="docutils literal notranslate"><span class="pre">kadmind</span> <span class="pre">-proponly</span></code> on
-each intermediate replica, and <code class="docutils literal notranslate"><span class="pre">kpropd</span> <span class="pre">-A</span> <span class="pre">upstreamhostname</span></code> on
-downstream replicas to direct each one to the appropriate upstream
-replica.</p>
-<p>There are several known restrictions in the current implementation:</p>
-<ul class="simple">
-<li><p>The incremental update protocol does not transport changes to policy
-objects. Any policy changes on the primary will result in full
-resyncs to all replicas.</p></li>
-<li><p>The replica’s KDB module must support locking; it cannot be using the
-LDAP KDB module.</p></li>
-<li><p>The primary and replica must be able to initiate TCP connections in
-both directions, without an intervening NAT.</p></li>
-</ul>
-</section>
-<section id="sun-mit-incremental-propagation-differences">
-<h3>Sun/MIT incremental propagation differences<a class="headerlink" href="#sun-mit-incremental-propagation-differences" title="Link to this heading">¶</a></h3>
-<p>Sun donated the original code for supporting incremental database
-propagation to MIT. Some changes have been made in the MIT source
-tree that will be visible to administrators. (These notes are based
-on Sun’s patches. Changes to Sun’s implementation since then may not
-be reflected here.)</p>
-<p>The Sun config file support looks for <code class="docutils literal notranslate"><span class="pre">sunw_dbprop_enable</span></code>,
-<code class="docutils literal notranslate"><span class="pre">sunw_dbprop_master_ulogsize</span></code>, and <code class="docutils literal notranslate"><span class="pre">sunw_dbprop_slave_poll</span></code>.</p>
-<p>The incremental propagation service is implemented as an ONC RPC
-service. In the Sun implementation, the service is registered with
-rpcbind (also known as portmapper) and the client looks up the port
-number to contact. In the MIT implementation, where interaction with
-some modern versions of rpcbind doesn’t always work well, the port
-number must be specified in the config file on both the primary and
-replica sides.</p>
-<p>The Sun implementation hard-codes pathnames in <code class="docutils literal notranslate"><span class="pre">/var/krb5</span></code> for the
-update log and the per-replica kprop dump files. In the MIT
-implementation, the pathname for the update log is specified in the
-config file, and the per-replica dump files are stored in
-<a class="reference internal" href="../mitK5defaults.html#paths"><span class="std std-ref">LOCALSTATEDIR</span></a><code class="docutils literal notranslate"><span class="pre">/krb5kdc</span></code><code class="docutils literal notranslate"><span class="pre">/replica_datatrans_hostname</span></code>.</p>
-</section>
-</section>
-</section>
-
-
- <div class="clearer"></div>
- </div>
- </div>
- </div>
- </div>
- <div class="sidebar">
-
- <h2>On this page</h2>
- <ul>
-<li><a class="reference internal" href="#">Database administration</a><ul>
-<li><a class="reference internal" href="#principals">Principals</a></li>
-<li><a class="reference internal" href="#policies">Policies</a><ul>
-<li><a class="reference internal" href="#updating-the-history-key">Updating the history key</a></li>
-</ul>
-</li>
-<li><a class="reference internal" href="#privileges">Privileges</a></li>
-<li><a class="reference internal" href="#operations-on-the-kerberos-database">Operations on the Kerberos database</a><ul>
-<li><a class="reference internal" href="#dumping-and-loading-a-kerberos-database">Dumping and loading a Kerberos database</a></li>
-<li><a class="reference internal" href="#updating-the-master-key">Updating the master key</a></li>
-</ul>
-</li>
-<li><a class="reference internal" href="#operations-on-the-ldap-database">Operations on the LDAP database</a><ul>
-<li><a class="reference internal" href="#ticket-policy-operations">Ticket Policy operations</a></li>
-</ul>
-</li>
-<li><a class="reference internal" href="#cross-realm-authentication">Cross-realm authentication</a></li>
-<li><a class="reference internal" href="#changing-the-krbtgt-key">Changing the krbtgt key</a></li>
-<li><a class="reference internal" href="#incremental-database-propagation">Incremental database propagation</a><ul>
-<li><a class="reference internal" href="#overview">Overview</a></li>
-<li><a class="reference internal" href="#sun-mit-incremental-propagation-differences">Sun/MIT incremental propagation differences</a></li>
-</ul>
-</li>
-</ul>
-</li>
-</ul>
-
- <br/>
- <h2>Table of contents</h2>
- <ul class="current">
-<li class="toctree-l1"><a class="reference internal" href="../user/index.html">For users</a></li>
-<li class="toctree-l1 current"><a class="reference internal" href="index.html">For administrators</a><ul class="current">
-<li class="toctree-l2"><a class="reference internal" href="install.html">Installation guide</a></li>
-<li class="toctree-l2"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li>
-<li class="toctree-l2"><a class="reference internal" href="realm_config.html">Realm configuration decisions</a></li>
-<li class="toctree-l2 current"><a class="current reference internal" href="#">Database administration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="dbtypes.html">Database types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="lockout.html">Account lockout</a></li>
-<li class="toctree-l2"><a class="reference internal" href="conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
-<li class="toctree-l2"><a class="reference internal" href="appl_servers.html">Application servers</a></li>
-<li class="toctree-l2"><a class="reference internal" href="host_config.html">Host configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="backup_host.html">Backups of secure hosts</a></li>
-<li class="toctree-l2"><a class="reference internal" href="pkinit.html">PKINIT configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="otp.html">OTP Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="spake.html">SPAKE Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="dictionary.html">Addressing dictionary attack risks</a></li>
-<li class="toctree-l2"><a class="reference internal" href="princ_dns.html">Principal names and DNS</a></li>
-<li class="toctree-l2"><a class="reference internal" href="enctypes.html">Encryption types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="https.html">HTTPS proxy configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="auth_indicator.html">Authentication indicators</a></li>
-<li class="toctree-l2"><a class="reference internal" href="admin_commands/index.html">Administration programs</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../mitK5defaults.html">MIT Kerberos defaults</a></li>
-<li class="toctree-l2"><a class="reference internal" href="env_variables.html">Environment variables</a></li>
-<li class="toctree-l2"><a class="reference internal" href="troubleshoot.html">Troubleshooting</a></li>
-<li class="toctree-l2"><a class="reference internal" href="advanced/index.html">Advanced topics</a></li>
-<li class="toctree-l2"><a class="reference internal" href="various_envs.html">Various links</a></li>
-</ul>
-</li>
-<li class="toctree-l1"><a class="reference internal" href="../appdev/index.html">For application developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../plugindev/index.html">For plugin module developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../basic/index.html">Kerberos V5 concepts</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../formats/index.html">Protocols and file formats</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../build_this.html">How to build this documentation from the source</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../about.html">Contributing to the MIT Kerberos Documentation</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../resources.html">Resources</a></li>
-</ul>
-
- <br/>
- <h4><a href="../index.html">Full Table of Contents</a></h4>
- <h4>Search</h4>
- <form class="search" action="../search.html" method="get">
- <input type="text" name="q" size="18" />
- <input type="submit" value="Go" />
- <input type="hidden" name="check_keywords" value="yes" />
- <input type="hidden" name="area" value="default" />
- </form>
-
- </div>
- <div class="clearer"></div>
- </div>
- </div>
-
- <div class="footer-wrapper">
- <div class="footer" >
- <div class="right" ><i>Release: 1.22-final</i><br />
- &copy; <a href="../copyright.html">Copyright</a> 1985-2025, MIT.
- </div>
- <div class="left">
-
- <a href="../index.html" title="Full Table of Contents"
- >Contents</a> |
- <a href="realm_config.html" title="Realm configuration decisions"
- >previous</a> |
- <a href="dbtypes.html" title="Database types"
- >next</a> |
- <a href="../genindex.html" title="General Index"
- >index</a> |
- <a href="../search.html" title="Enter search criteria"
- >Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Database administration">feedback</a>
- </div>
- </div>
- </div>
-
- </body>
-</html> \ No newline at end of file
diff --git a/crypto/krb5/doc/html/admin/dbtypes.html b/crypto/krb5/doc/html/admin/dbtypes.html
deleted file mode 100644
index ce0f45850902..000000000000
--- a/crypto/krb5/doc/html/admin/dbtypes.html
+++ /dev/null
@@ -1,286 +0,0 @@
-<!DOCTYPE html>
-
-<html lang="en" data-content_root="../">
- <head>
- <meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
-
- <title>Database types &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../_static/pygments.css?v=fa44fd50" />
- <link rel="stylesheet" type="text/css" href="../_static/agogo.css?v=879f3c71" />
- <link rel="stylesheet" type="text/css" href="../_static/kerb.css?v=6a0b3979" />
- <script src="../_static/documentation_options.js?v=236fef3b"></script>
- <script src="../_static/doctools.js?v=888ff710"></script>
- <script src="../_static/sphinx_highlight.js?v=dc90522c"></script>
- <link rel="author" title="About these documents" href="../about.html" />
- <link rel="index" title="Index" href="../genindex.html" />
- <link rel="search" title="Search" href="../search.html" />
- <link rel="copyright" title="Copyright" href="../copyright.html" />
- <link rel="next" title="Account lockout" href="lockout.html" />
- <link rel="prev" title="Database administration" href="database.html" />
- </head><body>
- <div class="header-wrapper">
- <div class="header">
-
-
- <h1><a href="../index.html">MIT Kerberos Documentation</a></h1>
-
- <div class="rel">
-
- <a href="../index.html" title="Full Table of Contents"
- accesskey="C">Contents</a> |
- <a href="database.html" title="Database administration"
- accesskey="P">previous</a> |
- <a href="lockout.html" title="Account lockout"
- accesskey="N">next</a> |
- <a href="../genindex.html" title="General Index"
- accesskey="I">index</a> |
- <a href="../search.html" title="Enter search criteria"
- accesskey="S">Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Database types">feedback</a>
- </div>
- </div>
- </div>
-
- <div class="content-wrapper">
- <div class="content">
- <div class="document">
-
- <div class="documentwrapper">
- <div class="bodywrapper">
- <div class="body" role="main">
-
- <section id="database-types">
-<span id="dbtypes"></span><h1>Database types<a class="headerlink" href="#database-types" title="Link to this heading">¶</a></h1>
-<p>A Kerberos database can be implemented with one of three built-in
-database providers, called KDB modules. Software which incorporates
-the MIT krb5 KDC may also provide its own KDB module. The following
-subsections describe the three built-in KDB modules and the
-configuration specific to them.</p>
-<p>The database type can be configured with the <strong>db_library</strong> variable
-in the <a class="reference internal" href="conf_files/kdc_conf.html#dbmodules"><span class="std std-ref">[dbmodules]</span></a> subsection for the realm. For example:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">dbmodules</span><span class="p">]</span>
- <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="o">=</span> <span class="p">{</span>
- <span class="n">db_library</span> <span class="o">=</span> <span class="n">db2</span>
- <span class="p">}</span>
-</pre></div>
-</div>
-<p>If the <code class="docutils literal notranslate"><span class="pre">ATHENA.MIT.EDU</span></code> realm subsection contains a
-<strong>database_module</strong> setting, then the subsection within
-<code class="docutils literal notranslate"><span class="pre">[dbmodules]</span></code> should use that name instead of <code class="docutils literal notranslate"><span class="pre">ATHENA.MIT.EDU</span></code>.</p>
-<p>To transition from one database type to another, stop the
-<a class="reference internal" href="admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> service, use <code class="docutils literal notranslate"><span class="pre">kdb5_util</span> <span class="pre">dump</span></code> to create a dump
-file, change the <strong>db_library</strong> value and set any appropriate
-configuration for the new database type, and use <code class="docutils literal notranslate"><span class="pre">kdb5_util</span> <span class="pre">load</span></code> to
-create and populate the new database. If the new database type is
-LDAP, create the new database using <code class="docutils literal notranslate"><span class="pre">kdb5_ldap_util</span></code> and populate it
-from the dump file using <code class="docutils literal notranslate"><span class="pre">kdb5_util</span> <span class="pre">load</span> <span class="pre">-update</span></code>. Then restart the
-<a class="reference internal" href="admin_commands/krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a> and <a class="reference internal" href="admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> services.</p>
-<section id="berkeley-database-module-db2">
-<h2>Berkeley database module (db2)<a class="headerlink" href="#berkeley-database-module-db2" title="Link to this heading">¶</a></h2>
-<p>The default KDB module is <code class="docutils literal notranslate"><span class="pre">db2</span></code>, which uses a version of the
-Berkeley DB library. It creates four files based on the database
-pathname. If the pathname ends with <code class="docutils literal notranslate"><span class="pre">principal</span></code> then the four files
-are:</p>
-<ul class="simple">
-<li><p><code class="docutils literal notranslate"><span class="pre">principal</span></code>, containing principal entry data</p></li>
-<li><p><code class="docutils literal notranslate"><span class="pre">principal.ok</span></code>, a lock file for the principal database</p></li>
-<li><p><code class="docutils literal notranslate"><span class="pre">principal.kadm5</span></code>, containing policy object data</p></li>
-<li><p><code class="docutils literal notranslate"><span class="pre">principal.kadm5.lock</span></code>, a lock file for the policy database</p></li>
-</ul>
-<p>For large databases, the <a class="reference internal" href="admin_commands/kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a> <strong>dump</strong> command (perhaps
-invoked by <a class="reference internal" href="admin_commands/kprop.html#kprop-8"><span class="std std-ref">kprop</span></a> or by <a class="reference internal" href="admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> for incremental
-propagation) may cause <a class="reference internal" href="admin_commands/krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a> to stop for a noticeable
-period of time while it iterates over the database. This delay can be
-avoided by disabling account lockout features so that the KDC does not
-perform database writes (see <a class="reference internal" href="lockout.html#disable-lockout"><span class="std std-ref">KDC performance and account lockout</span></a>). Alternatively,
-a slower form of iteration can be enabled by setting the
-<strong>unlockiter</strong> variable to <code class="docutils literal notranslate"><span class="pre">true</span></code>. For example:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">dbmodules</span><span class="p">]</span>
- <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="o">=</span> <span class="p">{</span>
- <span class="n">db_library</span> <span class="o">=</span> <span class="n">db2</span>
- <span class="n">unlockiter</span> <span class="o">=</span> <span class="n">true</span>
- <span class="p">}</span>
-</pre></div>
-</div>
-<p>In rare cases, a power failure or other unclean system shutdown may
-cause inconsistencies in the internal pointers within a database file,
-such that <code class="docutils literal notranslate"><span class="pre">kdb5_util</span> <span class="pre">dump</span></code> cannot retrieve all principal entries in
-the database. In this situation, it may be possible to retrieve all
-of the principal data by running <code class="docutils literal notranslate"><span class="pre">kdb5_util</span> <span class="pre">dump</span> <span class="pre">-recurse</span></code> to
-iterate over the database using the tree pointers instead of the
-iteration pointers. Running <code class="docutils literal notranslate"><span class="pre">kdb5_util</span> <span class="pre">dump</span> <span class="pre">-rev</span></code> to iterate over
-the database backwards may also retrieve some of the data which is not
-retrieved by a normal dump operation.</p>
-</section>
-<section id="lightning-memory-mapped-database-module-klmdb">
-<h2>Lightning Memory-Mapped Database module (klmdb)<a class="headerlink" href="#lightning-memory-mapped-database-module-klmdb" title="Link to this heading">¶</a></h2>
-<p>The klmdb module was added in release 1.17. It uses the LMDB library,
-and may offer better performance and reliability than the db2 module.
-It creates four files based on the database pathname. If the pathname
-ends with <code class="docutils literal notranslate"><span class="pre">principal</span></code>, then the four files are:</p>
-<ul class="simple">
-<li><p><code class="docutils literal notranslate"><span class="pre">principal.mdb</span></code>, containing policy object data and most principal
-entry data</p></li>
-<li><p><code class="docutils literal notranslate"><span class="pre">principal.mdb-lock</span></code>, a lock file for the primary database</p></li>
-<li><p><code class="docutils literal notranslate"><span class="pre">principal.lockout.mdb</span></code>, containing the account lockout attributes
-(last successful authentication time, last failed authentication
-time, and number of failed attempts) for each principal entry</p></li>
-<li><p><code class="docutils literal notranslate"><span class="pre">principal.lockout.mdb-lock</span></code>, a lock file for the lockout database</p></li>
-</ul>
-<p>Separating out the lockout attributes ensures that the KDC will never
-block on an administrative operation such as a database dump or load.
-It also allows the KDC to operate without write access to the primary
-database. If both account lockout features are disabled (see
-<a class="reference internal" href="lockout.html#disable-lockout"><span class="std std-ref">KDC performance and account lockout</span></a>), the lockout database files will be created
-but will not subsequently be opened, and the account lockout
-attributes will always have zero values.</p>
-<p>Because LMDB creates a memory map to the database files, it requires a
-configured memory map size which also determines the maximum size of
-the database. This size is applied equally to the two databases, so
-twice the configured size will be consumed in the process address
-space; this is primarily a limitation on 32-bit platforms. The
-default value of 128 megabytes should be sufficient for several
-hundred thousand principal entries. If the limit is reached, kadmin
-operations will fail and the error message “Environment mapsize limit
-reached” will appear in the kadmind log file. In this case, the
-<strong>mapsize</strong> variable can be used to increase the map size. The
-following example sets the map size to 512 megabytes:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">dbmodules</span><span class="p">]</span>
- <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="o">=</span> <span class="p">{</span>
- <span class="n">db_library</span> <span class="o">=</span> <span class="n">klmdb</span>
- <span class="n">mapsize</span> <span class="o">=</span> <span class="mi">512</span>
- <span class="p">}</span>
-</pre></div>
-</div>
-<p>LMDB has a configurable maximum number of readers. The default value
-of 128 should be sufficient for most deployments. If you are going to
-use a large number of KDC worker processes, it may be necessary to set
-the <strong>max_readers</strong> variable to a larger number.</p>
-<p>By default, LMDB synchronizes database files to disk after each write
-transaction to ensure durability in the case of an unclean system
-shutdown. The klmdb module always turns synchronization off for the
-lockout database to ensure reasonable KDC performance, but leaves it
-on for the primary database. If high throughput for administrative
-operations (including password changes) is required, the <strong>nosync</strong>
-variable can be set to “true” to disable synchronization for the
-primary database.</p>
-<p>The klmdb module does not support explicit locking with the
-<a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> <strong>lock</strong> command.</p>
-</section>
-<section id="ldap-module-kldap">
-<h2>LDAP module (kldap)<a class="headerlink" href="#ldap-module-kldap" title="Link to this heading">¶</a></h2>
-<p>The kldap module stores principal and policy data using an LDAP
-server. To use it you must configure an LDAP server to use the
-Kerberos schema. See <a class="reference internal" href="conf_ldap.html#conf-ldap"><span class="std std-ref">Configuring Kerberos with OpenLDAP back-end</span></a> for details.</p>
-<p>Because <a class="reference internal" href="admin_commands/krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a> is single-threaded, latency in LDAP database
-accesses may limit KDC operation throughput. If the LDAP server is
-located on the same server host as the KDC and accessed through an
-<code class="docutils literal notranslate"><span class="pre">ldapi://</span></code> URL, latency should be minimal. If this is not possible,
-consider starting multiple KDC worker processes with the
-<a class="reference internal" href="admin_commands/krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a> <strong>-w</strong> option to enable concurrent processing of KDC
-requests.</p>
-<p>The kldap module does not support explicit locking with the
-<a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> <strong>lock</strong> command.</p>
-</section>
-</section>
-
-
- <div class="clearer"></div>
- </div>
- </div>
- </div>
- </div>
- <div class="sidebar">
-
- <h2>On this page</h2>
- <ul>
-<li><a class="reference internal" href="#">Database types</a><ul>
-<li><a class="reference internal" href="#berkeley-database-module-db2">Berkeley database module (db2)</a></li>
-<li><a class="reference internal" href="#lightning-memory-mapped-database-module-klmdb">Lightning Memory-Mapped Database module (klmdb)</a></li>
-<li><a class="reference internal" href="#ldap-module-kldap">LDAP module (kldap)</a></li>
-</ul>
-</li>
-</ul>
-
- <br/>
- <h2>Table of contents</h2>
- <ul class="current">
-<li class="toctree-l1"><a class="reference internal" href="../user/index.html">For users</a></li>
-<li class="toctree-l1 current"><a class="reference internal" href="index.html">For administrators</a><ul class="current">
-<li class="toctree-l2"><a class="reference internal" href="install.html">Installation guide</a></li>
-<li class="toctree-l2"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li>
-<li class="toctree-l2"><a class="reference internal" href="realm_config.html">Realm configuration decisions</a></li>
-<li class="toctree-l2"><a class="reference internal" href="database.html">Database administration</a></li>
-<li class="toctree-l2 current"><a class="current reference internal" href="#">Database types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="lockout.html">Account lockout</a></li>
-<li class="toctree-l2"><a class="reference internal" href="conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
-<li class="toctree-l2"><a class="reference internal" href="appl_servers.html">Application servers</a></li>
-<li class="toctree-l2"><a class="reference internal" href="host_config.html">Host configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="backup_host.html">Backups of secure hosts</a></li>
-<li class="toctree-l2"><a class="reference internal" href="pkinit.html">PKINIT configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="otp.html">OTP Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="spake.html">SPAKE Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="dictionary.html">Addressing dictionary attack risks</a></li>
-<li class="toctree-l2"><a class="reference internal" href="princ_dns.html">Principal names and DNS</a></li>
-<li class="toctree-l2"><a class="reference internal" href="enctypes.html">Encryption types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="https.html">HTTPS proxy configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="auth_indicator.html">Authentication indicators</a></li>
-<li class="toctree-l2"><a class="reference internal" href="admin_commands/index.html">Administration programs</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../mitK5defaults.html">MIT Kerberos defaults</a></li>
-<li class="toctree-l2"><a class="reference internal" href="env_variables.html">Environment variables</a></li>
-<li class="toctree-l2"><a class="reference internal" href="troubleshoot.html">Troubleshooting</a></li>
-<li class="toctree-l2"><a class="reference internal" href="advanced/index.html">Advanced topics</a></li>
-<li class="toctree-l2"><a class="reference internal" href="various_envs.html">Various links</a></li>
-</ul>
-</li>
-<li class="toctree-l1"><a class="reference internal" href="../appdev/index.html">For application developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../plugindev/index.html">For plugin module developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../basic/index.html">Kerberos V5 concepts</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../formats/index.html">Protocols and file formats</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../build_this.html">How to build this documentation from the source</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../about.html">Contributing to the MIT Kerberos Documentation</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../resources.html">Resources</a></li>
-</ul>
-
- <br/>
- <h4><a href="../index.html">Full Table of Contents</a></h4>
- <h4>Search</h4>
- <form class="search" action="../search.html" method="get">
- <input type="text" name="q" size="18" />
- <input type="submit" value="Go" />
- <input type="hidden" name="check_keywords" value="yes" />
- <input type="hidden" name="area" value="default" />
- </form>
-
- </div>
- <div class="clearer"></div>
- </div>
- </div>
-
- <div class="footer-wrapper">
- <div class="footer" >
- <div class="right" ><i>Release: 1.22-final</i><br />
- &copy; <a href="../copyright.html">Copyright</a> 1985-2025, MIT.
- </div>
- <div class="left">
-
- <a href="../index.html" title="Full Table of Contents"
- >Contents</a> |
- <a href="database.html" title="Database administration"
- >previous</a> |
- <a href="lockout.html" title="Account lockout"
- >next</a> |
- <a href="../genindex.html" title="General Index"
- >index</a> |
- <a href="../search.html" title="Enter search criteria"
- >Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Database types">feedback</a>
- </div>
- </div>
- </div>
-
- </body>
-</html> \ No newline at end of file
diff --git a/crypto/krb5/doc/html/admin/dictionary.html b/crypto/krb5/doc/html/admin/dictionary.html
deleted file mode 100644
index 12ff2f2187ad..000000000000
--- a/crypto/krb5/doc/html/admin/dictionary.html
+++ /dev/null
@@ -1,224 +0,0 @@
-<!DOCTYPE html>
-
-<html lang="en" data-content_root="../">
- <head>
- <meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
-
- <title>Addressing dictionary attack risks &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../_static/pygments.css?v=fa44fd50" />
- <link rel="stylesheet" type="text/css" href="../_static/agogo.css?v=879f3c71" />
- <link rel="stylesheet" type="text/css" href="../_static/kerb.css?v=6a0b3979" />
- <script src="../_static/documentation_options.js?v=236fef3b"></script>
- <script src="../_static/doctools.js?v=888ff710"></script>
- <script src="../_static/sphinx_highlight.js?v=dc90522c"></script>
- <link rel="author" title="About these documents" href="../about.html" />
- <link rel="index" title="Index" href="../genindex.html" />
- <link rel="search" title="Search" href="../search.html" />
- <link rel="copyright" title="Copyright" href="../copyright.html" />
- <link rel="next" title="Principal names and DNS" href="princ_dns.html" />
- <link rel="prev" title="SPAKE Preauthentication" href="spake.html" />
- </head><body>
- <div class="header-wrapper">
- <div class="header">
-
-
- <h1><a href="../index.html">MIT Kerberos Documentation</a></h1>
-
- <div class="rel">
-
- <a href="../index.html" title="Full Table of Contents"
- accesskey="C">Contents</a> |
- <a href="spake.html" title="SPAKE Preauthentication"
- accesskey="P">previous</a> |
- <a href="princ_dns.html" title="Principal names and DNS"
- accesskey="N">next</a> |
- <a href="../genindex.html" title="General Index"
- accesskey="I">index</a> |
- <a href="../search.html" title="Enter search criteria"
- accesskey="S">Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Addressing dictionary attack risks">feedback</a>
- </div>
- </div>
- </div>
-
- <div class="content-wrapper">
- <div class="content">
- <div class="document">
-
- <div class="documentwrapper">
- <div class="bodywrapper">
- <div class="body" role="main">
-
- <section id="addressing-dictionary-attack-risks">
-<span id="dictionary"></span><h1>Addressing dictionary attack risks<a class="headerlink" href="#addressing-dictionary-attack-risks" title="Link to this heading">¶</a></h1>
-<p>Kerberos initial authentication is normally secured using the client
-principal’s long-term key, which for users is generally derived from a
-password. Using a pasword-derived long-term key carries the risk of a
-dictionary attack, where an attacker tries a sequence of possible
-passwords, possibly requiring much less effort than would be required
-to try all possible values of the key. Even if <a class="reference internal" href="database.html#policies"><span class="std std-ref">password policy
-objects</span></a> are used to force users not to pick trivial
-passwords, dictionary attacks can sometimes be successful against a
-significant fraction of the users in a realm. Dictionary attacks are
-not a concern for principals using random keys.</p>
-<p>A dictionary attack may be online or offline. An online dictionary
-attack is performed by trying each password in a separate request to
-the KDC, and is therefore visible to the KDC and also limited in speed
-by the KDC’s processing power and the network capacity between the
-client and the KDC. Online dictionary attacks can be mitigated using
-<a class="reference internal" href="lockout.html#lockout"><span class="std std-ref">account lockout</span></a>. This measure is not totally
-satisfactory, as it makes it easy for an attacker to deny access to a
-client principal.</p>
-<p>An offline dictionary attack is performed by obtaining a ciphertext
-generated using the password-derived key, and trying each password
-against the ciphertext. This category of attack is invisible to the
-KDC and can be performed much faster than an online attack. The
-attack will generally take much longer with more recent encryption
-types (particularly the ones based on AES), because those encryption
-types use a much more expensive string-to-key function. However, the
-best defense is to deny the attacker access to a useful ciphertext.
-The required defensive measures depend on the attacker’s level of
-network access.</p>
-<p>An off-path attacker has no access to packets sent between legitimate
-users and the KDC. An off-path attacker could gain access to an
-attackable ciphertext either by making an AS request for a client
-principal which does not have the <strong>+requires_preauth</strong> flag, or by
-making a TGS request (after authenticating as a different user) for a
-server principal which does not have the <strong>-allow_svr</strong> flag. To
-address off-path attackers, a KDC administrator should set those flags
-on principals with password-derived keys:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">add_principal</span> <span class="o">+</span><span class="n">requires_preauth</span> <span class="o">-</span><span class="n">allow_svr</span> <span class="n">princname</span>
-</pre></div>
-</div>
-<p>An attacker with passive network access (one who can monitor packets
-sent between legitimate users and the KDC, but cannot change them or
-insert their own packets) can gain access to an attackable ciphertext
-by observing an authentication by a user using the most common form of
-preauthentication, encrypted timestamp. Any of the following methods
-can prevent dictionary attacks by attackers with passive network
-access:</p>
-<ul class="simple">
-<li><p>Enabling <a class="reference internal" href="spake.html#spake"><span class="std std-ref">SPAKE preauthentication</span></a> (added in release
-1.17) on the KDC, and ensuring that all clients are able to support
-it.</p></li>
-<li><p>Using an <a class="reference internal" href="https.html#https"><span class="std std-ref">HTTPS proxy</span></a> for communication with the KDC,
-if the attacker cannot monitor communication between the proxy
-server and the KDC.</p></li>
-<li><p>Using FAST, protecting the initial authentication with either a
-random key (such as a host key) or with <a class="reference internal" href="pkinit.html#anonymous-pkinit"><span class="std std-ref">anonymous PKINIT</span></a>.</p></li>
-</ul>
-<p>An attacker with active network access (one who can inject or modify
-packets sent between legitimate users and the KDC) can try to fool the
-client software into sending an attackable ciphertext using an
-encryption type and salt string of the attacker’s choosing. Any of the
-following methods can prevent dictionary attacks by active attackers:</p>
-<ul class="simple">
-<li><p>Enabling SPAKE preauthentication and setting the
-<strong>disable_encrypted_timestamp</strong> variable to <code class="docutils literal notranslate"><span class="pre">true</span></code> in the
-<a class="reference internal" href="conf_files/krb5_conf.html#realms"><span class="std std-ref">[realms]</span></a> subsection of the client configuration.</p></li>
-<li><p>Using an HTTPS proxy as described above, configured in the client’s
-krb5.conf realm configuration. If <a class="reference internal" href="realm_config.html#kdc-discovery"><span class="std std-ref">KDC discovery</span></a> is used to locate a proxy server, an active
-attacker may be able to use DNS spoofing to cause the client to use
-a different HTTPS server or to not use HTTPS.</p></li>
-<li><p>Using FAST as described above.</p></li>
-</ul>
-<p>If <a class="reference internal" href="pkinit.html#pkinit"><span class="std std-ref">PKINIT</span></a> or <a class="reference internal" href="otp.html#otp-preauth"><span class="std std-ref">OTP</span></a> are used for
-initial authentication, the principal’s long-term keys are not used
-and dictionary attacks are usually not a concern.</p>
-</section>
-
-
- <div class="clearer"></div>
- </div>
- </div>
- </div>
- </div>
- <div class="sidebar">
-
- <h2>On this page</h2>
- <ul>
-<li><a class="reference internal" href="#">Addressing dictionary attack risks</a></li>
-</ul>
-
- <br/>
- <h2>Table of contents</h2>
- <ul class="current">
-<li class="toctree-l1"><a class="reference internal" href="../user/index.html">For users</a></li>
-<li class="toctree-l1 current"><a class="reference internal" href="index.html">For administrators</a><ul class="current">
-<li class="toctree-l2"><a class="reference internal" href="install.html">Installation guide</a></li>
-<li class="toctree-l2"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li>
-<li class="toctree-l2"><a class="reference internal" href="realm_config.html">Realm configuration decisions</a></li>
-<li class="toctree-l2"><a class="reference internal" href="database.html">Database administration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="dbtypes.html">Database types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="lockout.html">Account lockout</a></li>
-<li class="toctree-l2"><a class="reference internal" href="conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
-<li class="toctree-l2"><a class="reference internal" href="appl_servers.html">Application servers</a></li>
-<li class="toctree-l2"><a class="reference internal" href="host_config.html">Host configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="backup_host.html">Backups of secure hosts</a></li>
-<li class="toctree-l2"><a class="reference internal" href="pkinit.html">PKINIT configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="otp.html">OTP Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="spake.html">SPAKE Preauthentication</a></li>
-<li class="toctree-l2 current"><a class="current reference internal" href="#">Addressing dictionary attack risks</a></li>
-<li class="toctree-l2"><a class="reference internal" href="princ_dns.html">Principal names and DNS</a></li>
-<li class="toctree-l2"><a class="reference internal" href="enctypes.html">Encryption types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="https.html">HTTPS proxy configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="auth_indicator.html">Authentication indicators</a></li>
-<li class="toctree-l2"><a class="reference internal" href="admin_commands/index.html">Administration programs</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../mitK5defaults.html">MIT Kerberos defaults</a></li>
-<li class="toctree-l2"><a class="reference internal" href="env_variables.html">Environment variables</a></li>
-<li class="toctree-l2"><a class="reference internal" href="troubleshoot.html">Troubleshooting</a></li>
-<li class="toctree-l2"><a class="reference internal" href="advanced/index.html">Advanced topics</a></li>
-<li class="toctree-l2"><a class="reference internal" href="various_envs.html">Various links</a></li>
-</ul>
-</li>
-<li class="toctree-l1"><a class="reference internal" href="../appdev/index.html">For application developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../plugindev/index.html">For plugin module developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../basic/index.html">Kerberos V5 concepts</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../formats/index.html">Protocols and file formats</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../build_this.html">How to build this documentation from the source</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../about.html">Contributing to the MIT Kerberos Documentation</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../resources.html">Resources</a></li>
-</ul>
-
- <br/>
- <h4><a href="../index.html">Full Table of Contents</a></h4>
- <h4>Search</h4>
- <form class="search" action="../search.html" method="get">
- <input type="text" name="q" size="18" />
- <input type="submit" value="Go" />
- <input type="hidden" name="check_keywords" value="yes" />
- <input type="hidden" name="area" value="default" />
- </form>
-
- </div>
- <div class="clearer"></div>
- </div>
- </div>
-
- <div class="footer-wrapper">
- <div class="footer" >
- <div class="right" ><i>Release: 1.22-final</i><br />
- &copy; <a href="../copyright.html">Copyright</a> 1985-2025, MIT.
- </div>
- <div class="left">
-
- <a href="../index.html" title="Full Table of Contents"
- >Contents</a> |
- <a href="spake.html" title="SPAKE Preauthentication"
- >previous</a> |
- <a href="princ_dns.html" title="Principal names and DNS"
- >next</a> |
- <a href="../genindex.html" title="General Index"
- >index</a> |
- <a href="../search.html" title="Enter search criteria"
- >Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Addressing dictionary attack risks">feedback</a>
- </div>
- </div>
- </div>
-
- </body>
-</html> \ No newline at end of file
diff --git a/crypto/krb5/doc/html/admin/enctypes.html b/crypto/krb5/doc/html/admin/enctypes.html
deleted file mode 100644
index 39ea0772bda7..000000000000
--- a/crypto/krb5/doc/html/admin/enctypes.html
+++ /dev/null
@@ -1,394 +0,0 @@
-<!DOCTYPE html>
-
-<html lang="en" data-content_root="../">
- <head>
- <meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
-
- <title>Encryption types &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../_static/pygments.css?v=fa44fd50" />
- <link rel="stylesheet" type="text/css" href="../_static/agogo.css?v=879f3c71" />
- <link rel="stylesheet" type="text/css" href="../_static/kerb.css?v=6a0b3979" />
- <script src="../_static/documentation_options.js?v=236fef3b"></script>
- <script src="../_static/doctools.js?v=888ff710"></script>
- <script src="../_static/sphinx_highlight.js?v=dc90522c"></script>
- <link rel="author" title="About these documents" href="../about.html" />
- <link rel="index" title="Index" href="../genindex.html" />
- <link rel="search" title="Search" href="../search.html" />
- <link rel="copyright" title="Copyright" href="../copyright.html" />
- <link rel="next" title="HTTPS proxy configuration" href="https.html" />
- <link rel="prev" title="Principal names and DNS" href="princ_dns.html" />
- </head><body>
- <div class="header-wrapper">
- <div class="header">
-
-
- <h1><a href="../index.html">MIT Kerberos Documentation</a></h1>
-
- <div class="rel">
-
- <a href="../index.html" title="Full Table of Contents"
- accesskey="C">Contents</a> |
- <a href="princ_dns.html" title="Principal names and DNS"
- accesskey="P">previous</a> |
- <a href="https.html" title="HTTPS proxy configuration"
- accesskey="N">next</a> |
- <a href="../genindex.html" title="General Index"
- accesskey="I">index</a> |
- <a href="../search.html" title="Enter search criteria"
- accesskey="S">Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Encryption types">feedback</a>
- </div>
- </div>
- </div>
-
- <div class="content-wrapper">
- <div class="content">
- <div class="document">
-
- <div class="documentwrapper">
- <div class="bodywrapper">
- <div class="body" role="main">
-
- <section id="encryption-types">
-<span id="enctypes"></span><h1>Encryption types<a class="headerlink" href="#encryption-types" title="Link to this heading">¶</a></h1>
-<p>Kerberos can use a variety of cipher algorithms to protect data. A
-Kerberos <strong>encryption type</strong> (also known as an <strong>enctype</strong>) is a
-specific combination of a cipher algorithm with an integrity algorithm
-to provide both confidentiality and integrity to data.</p>
-<section id="enctypes-in-requests">
-<h2>Enctypes in requests<a class="headerlink" href="#enctypes-in-requests" title="Link to this heading">¶</a></h2>
-<p>Clients make two types of requests (KDC-REQ) to the KDC: AS-REQs and
-TGS-REQs. The client uses the AS-REQ to obtain initial tickets
-(typically a Ticket-Granting Ticket (TGT)), and uses the TGS-REQ to
-obtain service tickets.</p>
-<p>The KDC uses three different keys when issuing a ticket to a client:</p>
-<ul class="simple">
-<li><p>The long-term key of the service: the KDC uses this to encrypt the
-actual service ticket. The KDC only uses the first long-term key in
-the most recent kvno for this purpose.</p></li>
-<li><p>The session key: the KDC randomly chooses this key and places one
-copy inside the ticket and the other copy inside the encrypted part
-of the reply.</p></li>
-<li><p>The reply-encrypting key: the KDC uses this to encrypt the reply it
-sends to the client. For AS replies, this is a long-term key of the
-client principal. For TGS replies, this is either the session key of the
-authenticating ticket, or a subsession key.</p></li>
-</ul>
-<p>Each of these keys is of a specific enctype.</p>
-<p>Each request type allows the client to submit a list of enctypes that
-it is willing to accept. For the AS-REQ, this list affects both the
-session key selection and the reply-encrypting key selection. For the
-TGS-REQ, this list only affects the session key selection.</p>
-</section>
-<section id="session-key-selection">
-<span id="id1"></span><h2>Session key selection<a class="headerlink" href="#session-key-selection" title="Link to this heading">¶</a></h2>
-<p>The KDC chooses the session key enctype by taking the intersection of
-its <strong>permitted_enctypes</strong> list, the list of long-term keys for the
-most recent kvno of the service, and the client’s requested list of
-enctypes. Starting in krb5-1.21, all services are assumed to support
-aes256-cts-hmac-sha1-96; also, des3-cbc-sha1 and arcfour-hmac session
-keys will not be issued by default.</p>
-<p>Starting in krb5-1.11, it is possible to set a string attribute on a
-service principal to control what session key enctypes the KDC may
-issue for service tickets for that principal, overriding the service’s
-long-term keys and the assumption of aes256-cts-hmac-sha1-96 support.
-See <a class="reference internal" href="admin_commands/kadmin_local.html#set-string"><span class="std std-ref">set_string</span></a> in <a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> for details.</p>
-</section>
-<section id="choosing-enctypes-for-a-service">
-<h2>Choosing enctypes for a service<a class="headerlink" href="#choosing-enctypes-for-a-service" title="Link to this heading">¶</a></h2>
-<p>Generally, a service should have a key of the strongest
-enctype that both it and the KDC support. If the KDC is running a
-release earlier than krb5-1.11, it is also useful to generate an
-additional key for each enctype that the service can support. The KDC
-will only use the first key in the list of long-term keys for encrypting
-the service ticket, but the additional long-term keys indicate the
-other enctypes that the service supports.</p>
-<p>As noted above, starting with release krb5-1.11, there are additional
-configuration settings that control session key enctype selection
-independently of the set of long-term keys that the KDC has stored for
-a service principal.</p>
-</section>
-<section id="configuration-variables">
-<h2>Configuration variables<a class="headerlink" href="#configuration-variables" title="Link to this heading">¶</a></h2>
-<p>The following <code class="docutils literal notranslate"><span class="pre">[libdefaults]</span></code> settings in <a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a> will
-affect how enctypes are chosen.</p>
-<dl class="simple">
-<dt><strong>allow_weak_crypto</strong></dt><dd><p>defaults to <em>false</em> starting with krb5-1.8. When <em>false</em>, removes
-weak enctypes from <strong>permitted_enctypes</strong>,
-<strong>default_tkt_enctypes</strong>, and <strong>default_tgs_enctypes</strong>. Do not
-set this to <em>true</em> unless the use of weak enctypes is an
-acceptable risk for your environment and the weak enctypes are
-required for backward compatibility.</p>
-</dd>
-<dt><strong>allow_des3</strong></dt><dd><p>was added in release 1.21 and defaults to <em>false</em>. Unless this
-flag is set to <em>true</em>, the KDC will not issue tickets with
-des3-cbc-sha1 session keys. In a future release, this flag will
-control whether des3-cbc-sha1 is permitted in similar fashion to
-weak enctypes.</p>
-</dd>
-<dt><strong>allow_rc4</strong></dt><dd><p>was added in release 1.21 and defaults to <em>false</em>. Unless this
-flag is set to <em>true</em>, the KDC will not issue tickets with
-arcfour-hmac session keys. In a future release, this flag will
-control whether arcfour-hmac is permitted in similar fashion to
-weak enctypes.</p>
-</dd>
-<dt><strong>permitted_enctypes</strong></dt><dd><p>controls the set of enctypes that a service will permit for
-session keys and for ticket and authenticator encryption. The KDC
-and other programs that access the Kerberos database will ignore
-keys of non-permitted enctypes. Starting in release 1.18, this
-setting also acts as the default for <strong>default_tkt_enctypes</strong> and
-<strong>default_tgs_enctypes</strong>.</p>
-</dd>
-<dt><strong>default_tkt_enctypes</strong></dt><dd><p>controls the default set of enctypes that the Kerberos client
-library requests when making an AS-REQ. Do not set this unless
-required for specific backward compatibility purposes; stale
-values of this setting can prevent clients from taking advantage
-of new stronger enctypes when the libraries are upgraded.</p>
-</dd>
-<dt><strong>default_tgs_enctypes</strong></dt><dd><p>controls the default set of enctypes that the Kerberos client
-library requests when making a TGS-REQ. Do not set this unless
-required for specific backward compatibility purposes; stale
-values of this setting can prevent clients from taking advantage
-of new stronger enctypes when the libraries are upgraded.</p>
-</dd>
-</dl>
-<p>The following per-realm setting in <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a> affects the
-generation of long-term keys.</p>
-<dl class="simple">
-<dt><strong>supported_enctypes</strong></dt><dd><p>controls the default set of enctype-salttype pairs that <a class="reference internal" href="admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a>
-will use for generating long-term keys, either randomly or from
-passwords</p>
-</dd>
-</dl>
-</section>
-<section id="enctype-compatibility">
-<h2>Enctype compatibility<a class="headerlink" href="#enctype-compatibility" title="Link to this heading">¶</a></h2>
-<p>See <a class="reference internal" href="conf_files/kdc_conf.html#encryption-types"><span class="std std-ref">Encryption types</span></a> for additional information about enctypes.</p>
-<table class="docutils align-default">
-<thead>
-<tr class="row-odd"><th class="head"><p>enctype</p></th>
-<th class="head"><p>weak?</p></th>
-<th class="head"><p>krb5</p></th>
-<th class="head"><p>Windows</p></th>
-</tr>
-</thead>
-<tbody>
-<tr class="row-even"><td><p>des-cbc-crc</p></td>
-<td><p>weak</p></td>
-<td><p>&lt;1.18</p></td>
-<td><p>&gt;=2000</p></td>
-</tr>
-<tr class="row-odd"><td><p>des-cbc-md4</p></td>
-<td><p>weak</p></td>
-<td><p>&lt;1.18</p></td>
-<td><p>?</p></td>
-</tr>
-<tr class="row-even"><td><p>des-cbc-md5</p></td>
-<td><p>weak</p></td>
-<td><p>&lt;1.18</p></td>
-<td><p>&gt;=2000</p></td>
-</tr>
-<tr class="row-odd"><td><p>des3-cbc-sha1</p></td>
-<td><p>deprecated</p></td>
-<td><p>&gt;=1.1</p></td>
-<td><p>none</p></td>
-</tr>
-<tr class="row-even"><td><p>arcfour-hmac</p></td>
-<td><p>deprecated</p></td>
-<td><p>&gt;=1.3</p></td>
-<td><p>&gt;=2000</p></td>
-</tr>
-<tr class="row-odd"><td><p>arcfour-hmac-exp</p></td>
-<td><p>weak</p></td>
-<td><p>&gt;=1.3</p></td>
-<td><p>&gt;=2000</p></td>
-</tr>
-<tr class="row-even"><td><p>aes128-cts-hmac-sha1-96</p></td>
-<td></td>
-<td><p>&gt;=1.3</p></td>
-<td><p>&gt;=Vista</p></td>
-</tr>
-<tr class="row-odd"><td><p>aes256-cts-hmac-sha1-96</p></td>
-<td></td>
-<td><p>&gt;=1.3</p></td>
-<td><p>&gt;=Vista</p></td>
-</tr>
-<tr class="row-even"><td><p>aes128-cts-hmac-sha256-128</p></td>
-<td></td>
-<td><p>&gt;=1.15</p></td>
-<td><p>none</p></td>
-</tr>
-<tr class="row-odd"><td><p>aes256-cts-hmac-sha384-192</p></td>
-<td></td>
-<td><p>&gt;=1.15</p></td>
-<td><p>none</p></td>
-</tr>
-<tr class="row-even"><td><p>camellia128-cts-cmac</p></td>
-<td></td>
-<td><p>&gt;=1.9</p></td>
-<td><p>none</p></td>
-</tr>
-<tr class="row-odd"><td><p>camellia256-cts-cmac</p></td>
-<td></td>
-<td><p>&gt;=1.9</p></td>
-<td><p>none</p></td>
-</tr>
-</tbody>
-</table>
-<p>krb5 releases 1.18 and later do not support single-DES. krb5 releases
-1.8 and later disable the single-DES enctypes by default. Microsoft
-Windows releases Windows 7 and later disable single-DES enctypes by
-default.</p>
-<p>krb5 releases 1.17 and later flag deprecated encryption types
-(including <code class="docutils literal notranslate"><span class="pre">des3-cbc-sha1</span></code> and <code class="docutils literal notranslate"><span class="pre">arcfour-hmac</span></code>) in KDC logs and
-kadmin output. krb5 release 1.19 issues a warning during initial
-authentication if <code class="docutils literal notranslate"><span class="pre">des3-cbc-sha1</span></code> is used. Future releases will
-disable <code class="docutils literal notranslate"><span class="pre">des3-cbc-sha1</span></code> by default and eventually remove support for
-it.</p>
-</section>
-<section id="migrating-away-from-older-encryption-types">
-<h2>Migrating away from older encryption types<a class="headerlink" href="#migrating-away-from-older-encryption-types" title="Link to this heading">¶</a></h2>
-<p>Administrator intervention may be required to migrate a realm away
-from legacy encryption types, especially if the realm was created
-using krb5 release 1.2 or earlier. This migration should be performed
-before upgrading to krb5 versions which disable or remove support for
-legacy encryption types.</p>
-<p>If there is a <strong>supported_enctypes</strong> setting in <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a> on
-the KDC, make sure that it does not include weak or deprecated
-encryption types. This will ensure that newly created keys do not use
-those encryption types by default.</p>
-<p>Check the <code class="docutils literal notranslate"><span class="pre">krbtgt/REALM</span></code> principal using the <a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a>
-<strong>getprinc</strong> command. If it lists a weak or deprecated encryption
-type as the first key, it must be migrated using the procedure in
-<a class="reference internal" href="database.html#changing-krbtgt-key"><span class="std std-ref">Changing the krbtgt key</span></a>.</p>
-<p>Check the <code class="docutils literal notranslate"><span class="pre">kadmin/history</span></code> principal, which should have only one key
-entry. If it uses a weak or deprecated encryption type, it should be
-upgraded following the notes in <a class="reference internal" href="database.html#updating-history-key"><span class="std std-ref">Updating the history key</span></a>.</p>
-<p>Check the other kadmin principals: kadmin/changepw, kadmin/admin, and
-any kadmin/hostname principals that may exist. These principals can
-be upgraded with <strong>change_password -randkey</strong> in kadmin.</p>
-<p>Check the <code class="docutils literal notranslate"><span class="pre">K/M</span></code> entry. If it uses a weak or deprecated encryption
-type, it should be upgraded following the procedure in
-<a class="reference internal" href="database.html#updating-master-key"><span class="std std-ref">Updating the master key</span></a>.</p>
-<p>User and service principals using legacy encryption types can be
-enumerated with the <a class="reference internal" href="admin_commands/kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a> <strong>tabdump keyinfo</strong> command.</p>
-<p>Service principals can be migrated with a keytab rotation on the
-service host, which can be accomplished using the <a class="reference internal" href="admin_commands/k5srvutil.html#k5srvutil-1"><span class="std std-ref">k5srvutil</span></a>
-<strong>change</strong> and <strong>delold</strong> commands. Allow enough time for existing
-tickets to expire between the change and delold operations.</p>
-<p>User principals with password-based keys can be migrated with a
-password change. The realm administrator can set a password
-expiration date using the <a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> <strong>modify_principal
--pwexpire</strong> command to force a password change.</p>
-<p>If a legacy encryption type has not yet been disabled by default in
-the version of krb5 running on the KDC, it can be disabled
-administratively with the <strong>permitted_enctypes</strong> variable. For
-example, setting <strong>permitted_enctypes</strong> to <code class="docutils literal notranslate"><span class="pre">DEFAULT</span> <span class="pre">-des3</span> <span class="pre">-rc4</span></code> will
-cause any database keys of the triple-DES and RC4 encryption types to
-be ignored.</p>
-</section>
-</section>
-
-
- <div class="clearer"></div>
- </div>
- </div>
- </div>
- </div>
- <div class="sidebar">
-
- <h2>On this page</h2>
- <ul>
-<li><a class="reference internal" href="#">Encryption types</a><ul>
-<li><a class="reference internal" href="#enctypes-in-requests">Enctypes in requests</a></li>
-<li><a class="reference internal" href="#session-key-selection">Session key selection</a></li>
-<li><a class="reference internal" href="#choosing-enctypes-for-a-service">Choosing enctypes for a service</a></li>
-<li><a class="reference internal" href="#configuration-variables">Configuration variables</a></li>
-<li><a class="reference internal" href="#enctype-compatibility">Enctype compatibility</a></li>
-<li><a class="reference internal" href="#migrating-away-from-older-encryption-types">Migrating away from older encryption types</a></li>
-</ul>
-</li>
-</ul>
-
- <br/>
- <h2>Table of contents</h2>
- <ul class="current">
-<li class="toctree-l1"><a class="reference internal" href="../user/index.html">For users</a></li>
-<li class="toctree-l1 current"><a class="reference internal" href="index.html">For administrators</a><ul class="current">
-<li class="toctree-l2"><a class="reference internal" href="install.html">Installation guide</a></li>
-<li class="toctree-l2"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li>
-<li class="toctree-l2"><a class="reference internal" href="realm_config.html">Realm configuration decisions</a></li>
-<li class="toctree-l2"><a class="reference internal" href="database.html">Database administration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="dbtypes.html">Database types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="lockout.html">Account lockout</a></li>
-<li class="toctree-l2"><a class="reference internal" href="conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
-<li class="toctree-l2"><a class="reference internal" href="appl_servers.html">Application servers</a></li>
-<li class="toctree-l2"><a class="reference internal" href="host_config.html">Host configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="backup_host.html">Backups of secure hosts</a></li>
-<li class="toctree-l2"><a class="reference internal" href="pkinit.html">PKINIT configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="otp.html">OTP Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="spake.html">SPAKE Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="dictionary.html">Addressing dictionary attack risks</a></li>
-<li class="toctree-l2"><a class="reference internal" href="princ_dns.html">Principal names and DNS</a></li>
-<li class="toctree-l2 current"><a class="current reference internal" href="#">Encryption types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="https.html">HTTPS proxy configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="auth_indicator.html">Authentication indicators</a></li>
-<li class="toctree-l2"><a class="reference internal" href="admin_commands/index.html">Administration programs</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../mitK5defaults.html">MIT Kerberos defaults</a></li>
-<li class="toctree-l2"><a class="reference internal" href="env_variables.html">Environment variables</a></li>
-<li class="toctree-l2"><a class="reference internal" href="troubleshoot.html">Troubleshooting</a></li>
-<li class="toctree-l2"><a class="reference internal" href="advanced/index.html">Advanced topics</a></li>
-<li class="toctree-l2"><a class="reference internal" href="various_envs.html">Various links</a></li>
-</ul>
-</li>
-<li class="toctree-l1"><a class="reference internal" href="../appdev/index.html">For application developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../plugindev/index.html">For plugin module developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../basic/index.html">Kerberos V5 concepts</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../formats/index.html">Protocols and file formats</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../build_this.html">How to build this documentation from the source</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../about.html">Contributing to the MIT Kerberos Documentation</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../resources.html">Resources</a></li>
-</ul>
-
- <br/>
- <h4><a href="../index.html">Full Table of Contents</a></h4>
- <h4>Search</h4>
- <form class="search" action="../search.html" method="get">
- <input type="text" name="q" size="18" />
- <input type="submit" value="Go" />
- <input type="hidden" name="check_keywords" value="yes" />
- <input type="hidden" name="area" value="default" />
- </form>
-
- </div>
- <div class="clearer"></div>
- </div>
- </div>
-
- <div class="footer-wrapper">
- <div class="footer" >
- <div class="right" ><i>Release: 1.22-final</i><br />
- &copy; <a href="../copyright.html">Copyright</a> 1985-2025, MIT.
- </div>
- <div class="left">
-
- <a href="../index.html" title="Full Table of Contents"
- >Contents</a> |
- <a href="princ_dns.html" title="Principal names and DNS"
- >previous</a> |
- <a href="https.html" title="HTTPS proxy configuration"
- >next</a> |
- <a href="../genindex.html" title="General Index"
- >index</a> |
- <a href="../search.html" title="Enter search criteria"
- >Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Encryption types">feedback</a>
- </div>
- </div>
- </div>
-
- </body>
-</html> \ No newline at end of file
diff --git a/crypto/krb5/doc/html/admin/env_variables.html b/crypto/krb5/doc/html/admin/env_variables.html
deleted file mode 100644
index b0c410511f5d..000000000000
--- a/crypto/krb5/doc/html/admin/env_variables.html
+++ /dev/null
@@ -1,151 +0,0 @@
-<!DOCTYPE html>
-
-<html lang="en" data-content_root="../">
- <head>
- <meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
-
- <title>Environment variables &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../_static/pygments.css?v=fa44fd50" />
- <link rel="stylesheet" type="text/css" href="../_static/agogo.css?v=879f3c71" />
- <link rel="stylesheet" type="text/css" href="../_static/kerb.css?v=6a0b3979" />
- <script src="../_static/documentation_options.js?v=236fef3b"></script>
- <script src="../_static/doctools.js?v=888ff710"></script>
- <script src="../_static/sphinx_highlight.js?v=dc90522c"></script>
- <link rel="author" title="About these documents" href="../about.html" />
- <link rel="index" title="Index" href="../genindex.html" />
- <link rel="search" title="Search" href="../search.html" />
- <link rel="copyright" title="Copyright" href="../copyright.html" />
- <link rel="next" title="Troubleshooting" href="troubleshoot.html" />
- <link rel="prev" title="MIT Kerberos defaults" href="../mitK5defaults.html" />
- </head><body>
- <div class="header-wrapper">
- <div class="header">
-
-
- <h1><a href="../index.html">MIT Kerberos Documentation</a></h1>
-
- <div class="rel">
-
- <a href="../index.html" title="Full Table of Contents"
- accesskey="C">Contents</a> |
- <a href="../mitK5defaults.html" title="MIT Kerberos defaults"
- accesskey="P">previous</a> |
- <a href="troubleshoot.html" title="Troubleshooting"
- accesskey="N">next</a> |
- <a href="../genindex.html" title="General Index"
- accesskey="I">index</a> |
- <a href="../search.html" title="Enter search criteria"
- accesskey="S">Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Environment variables">feedback</a>
- </div>
- </div>
- </div>
-
- <div class="content-wrapper">
- <div class="content">
- <div class="document">
-
- <div class="documentwrapper">
- <div class="bodywrapper">
- <div class="body" role="main">
-
- <section id="environment-variables">
-<h1>Environment variables<a class="headerlink" href="#environment-variables" title="Link to this heading">¶</a></h1>
-<p>This content has moved to <a class="reference internal" href="../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a>.</p>
-</section>
-
-
- <div class="clearer"></div>
- </div>
- </div>
- </div>
- </div>
- <div class="sidebar">
-
- <h2>On this page</h2>
- <ul>
-<li><a class="reference internal" href="#">Environment variables</a></li>
-</ul>
-
- <br/>
- <h2>Table of contents</h2>
- <ul class="current">
-<li class="toctree-l1"><a class="reference internal" href="../user/index.html">For users</a></li>
-<li class="toctree-l1 current"><a class="reference internal" href="index.html">For administrators</a><ul class="current">
-<li class="toctree-l2"><a class="reference internal" href="install.html">Installation guide</a></li>
-<li class="toctree-l2"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li>
-<li class="toctree-l2"><a class="reference internal" href="realm_config.html">Realm configuration decisions</a></li>
-<li class="toctree-l2"><a class="reference internal" href="database.html">Database administration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="dbtypes.html">Database types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="lockout.html">Account lockout</a></li>
-<li class="toctree-l2"><a class="reference internal" href="conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
-<li class="toctree-l2"><a class="reference internal" href="appl_servers.html">Application servers</a></li>
-<li class="toctree-l2"><a class="reference internal" href="host_config.html">Host configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="backup_host.html">Backups of secure hosts</a></li>
-<li class="toctree-l2"><a class="reference internal" href="pkinit.html">PKINIT configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="otp.html">OTP Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="spake.html">SPAKE Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="dictionary.html">Addressing dictionary attack risks</a></li>
-<li class="toctree-l2"><a class="reference internal" href="princ_dns.html">Principal names and DNS</a></li>
-<li class="toctree-l2"><a class="reference internal" href="enctypes.html">Encryption types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="https.html">HTTPS proxy configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="auth_indicator.html">Authentication indicators</a></li>
-<li class="toctree-l2"><a class="reference internal" href="admin_commands/index.html">Administration programs</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../mitK5defaults.html">MIT Kerberos defaults</a></li>
-<li class="toctree-l2 current"><a class="current reference internal" href="#">Environment variables</a></li>
-<li class="toctree-l2"><a class="reference internal" href="troubleshoot.html">Troubleshooting</a></li>
-<li class="toctree-l2"><a class="reference internal" href="advanced/index.html">Advanced topics</a></li>
-<li class="toctree-l2"><a class="reference internal" href="various_envs.html">Various links</a></li>
-</ul>
-</li>
-<li class="toctree-l1"><a class="reference internal" href="../appdev/index.html">For application developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../plugindev/index.html">For plugin module developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../basic/index.html">Kerberos V5 concepts</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../formats/index.html">Protocols and file formats</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../build_this.html">How to build this documentation from the source</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../about.html">Contributing to the MIT Kerberos Documentation</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../resources.html">Resources</a></li>
-</ul>
-
- <br/>
- <h4><a href="../index.html">Full Table of Contents</a></h4>
- <h4>Search</h4>
- <form class="search" action="../search.html" method="get">
- <input type="text" name="q" size="18" />
- <input type="submit" value="Go" />
- <input type="hidden" name="check_keywords" value="yes" />
- <input type="hidden" name="area" value="default" />
- </form>
-
- </div>
- <div class="clearer"></div>
- </div>
- </div>
-
- <div class="footer-wrapper">
- <div class="footer" >
- <div class="right" ><i>Release: 1.22-final</i><br />
- &copy; <a href="../copyright.html">Copyright</a> 1985-2025, MIT.
- </div>
- <div class="left">
-
- <a href="../index.html" title="Full Table of Contents"
- >Contents</a> |
- <a href="../mitK5defaults.html" title="MIT Kerberos defaults"
- >previous</a> |
- <a href="troubleshoot.html" title="Troubleshooting"
- >next</a> |
- <a href="../genindex.html" title="General Index"
- >index</a> |
- <a href="../search.html" title="Enter search criteria"
- >Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Environment variables">feedback</a>
- </div>
- </div>
- </div>
-
- </body>
-</html> \ No newline at end of file
diff --git a/crypto/krb5/doc/html/admin/host_config.html b/crypto/krb5/doc/html/admin/host_config.html
deleted file mode 100644
index 244bea57db4a..000000000000
--- a/crypto/krb5/doc/html/admin/host_config.html
+++ /dev/null
@@ -1,360 +0,0 @@
-<!DOCTYPE html>
-
-<html lang="en" data-content_root="../">
- <head>
- <meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
-
- <title>Host configuration &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../_static/pygments.css?v=fa44fd50" />
- <link rel="stylesheet" type="text/css" href="../_static/agogo.css?v=879f3c71" />
- <link rel="stylesheet" type="text/css" href="../_static/kerb.css?v=6a0b3979" />
- <script src="../_static/documentation_options.js?v=236fef3b"></script>
- <script src="../_static/doctools.js?v=888ff710"></script>
- <script src="../_static/sphinx_highlight.js?v=dc90522c"></script>
- <link rel="author" title="About these documents" href="../about.html" />
- <link rel="index" title="Index" href="../genindex.html" />
- <link rel="search" title="Search" href="../search.html" />
- <link rel="copyright" title="Copyright" href="../copyright.html" />
- <link rel="next" title="Backups of secure hosts" href="backup_host.html" />
- <link rel="prev" title="Application servers" href="appl_servers.html" />
- </head><body>
- <div class="header-wrapper">
- <div class="header">
-
-
- <h1><a href="../index.html">MIT Kerberos Documentation</a></h1>
-
- <div class="rel">
-
- <a href="../index.html" title="Full Table of Contents"
- accesskey="C">Contents</a> |
- <a href="appl_servers.html" title="Application servers"
- accesskey="P">previous</a> |
- <a href="backup_host.html" title="Backups of secure hosts"
- accesskey="N">next</a> |
- <a href="../genindex.html" title="General Index"
- accesskey="I">index</a> |
- <a href="../search.html" title="Enter search criteria"
- accesskey="S">Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Host configuration">feedback</a>
- </div>
- </div>
- </div>
-
- <div class="content-wrapper">
- <div class="content">
- <div class="document">
-
- <div class="documentwrapper">
- <div class="bodywrapper">
- <div class="body" role="main">
-
- <section id="host-configuration">
-<h1>Host configuration<a class="headerlink" href="#host-configuration" title="Link to this heading">¶</a></h1>
-<p>All hosts running Kerberos software, whether they are clients,
-application servers, or KDCs, can be configured using
-<a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a>. Here we describe some of the behavior changes
-you might want to make.</p>
-<section id="default-realm">
-<h2>Default realm<a class="headerlink" href="#default-realm" title="Link to this heading">¶</a></h2>
-<p>In the <a class="reference internal" href="conf_files/krb5_conf.html#libdefaults"><span class="std std-ref">[libdefaults]</span></a> section, the <strong>default_realm</strong> realm
-relation sets the default Kerberos realm. For example:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">libdefaults</span><span class="p">]</span>
- <span class="n">default_realm</span> <span class="o">=</span> <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span>
-</pre></div>
-</div>
-<p>The default realm affects Kerberos behavior in the following ways:</p>
-<ul class="simple">
-<li><p>When a principal name is parsed from text, the default realm is used
-if no <code class="docutils literal notranslate"><span class="pre">&#64;REALM</span></code> component is specified.</p></li>
-<li><p>The default realm affects login authorization as described below.</p></li>
-<li><p>For programs which operate on a Kerberos database, the default realm
-is used to determine which database to operate on, unless the <strong>-r</strong>
-parameter is given to specify a realm.</p></li>
-<li><p>A server program may use the default realm when looking up its key
-in a <a class="reference internal" href="install_appl_srv.html#keytab-file"><span class="std std-ref">keytab file</span></a>, if its realm is not
-determined by <a class="reference internal" href="conf_files/krb5_conf.html#domain-realm"><span class="std std-ref">[domain_realm]</span></a> configuration or by the server
-program itself.</p></li>
-<li><p>If <a class="reference internal" href="../user/user_commands/kinit.html#kinit-1"><span class="std std-ref">kinit</span></a> is passed the <strong>-n</strong> flag, it requests anonymous
-tickets from the default realm.</p></li>
-</ul>
-<p>In some situations, these uses of the default realm might conflict.
-For example, it might be desirable for principal name parsing to use
-one realm by default, but for login authorization to use a second
-realm. In this situation, the first realm can be configured as the
-default realm, and <strong>auth_to_local</strong> relations can be used as
-described below to use the second realm for login authorization.</p>
-</section>
-<section id="login-authorization">
-<span id="id1"></span><h2>Login authorization<a class="headerlink" href="#login-authorization" title="Link to this heading">¶</a></h2>
-<p>If a host runs a Kerberos-enabled login service such as OpenSSH with
-GSSAPIAuthentication enabled, login authorization rules determine
-whether a Kerberos principal is allowed to access a local account.</p>
-<p>By default, a Kerberos principal is allowed access to an account if
-its realm matches the default realm and its name matches the account
-name. (For historical reasons, access is also granted by default if
-the name has two components and the second component matches the
-default realm; for instance, <code class="docutils literal notranslate"><span class="pre">alice/ATHENA.MIT.EDU&#64;ATHENA.MIT.EDU</span></code>
-is granted access to the <code class="docutils literal notranslate"><span class="pre">alice</span></code> account if <code class="docutils literal notranslate"><span class="pre">ATHENA.MIT.EDU</span></code> is
-the default realm.)</p>
-<p>The simplest way to control local access is using <a class="reference internal" href="../user/user_config/k5login.html#k5login-5"><span class="std std-ref">.k5login</span></a>
-files. To use these, place a <code class="docutils literal notranslate"><span class="pre">.k5login</span></code> file in the home directory
-of each account listing the principal names which should have login
-access to that account. If it is not desirable to use <code class="docutils literal notranslate"><span class="pre">.k5login</span></code>
-files located in account home directories, the <strong>k5login_directory</strong>
-relation in the <a class="reference internal" href="conf_files/krb5_conf.html#libdefaults"><span class="std std-ref">[libdefaults]</span></a> section can specify a directory
-containing one file per account uname.</p>
-<p>By default, if a <code class="docutils literal notranslate"><span class="pre">.k5login</span></code> file is present, it controls
-authorization both positively and negatively–any principal name
-contained in the file is granted access and any other principal name
-is denied access, even if it would have had access if the <code class="docutils literal notranslate"><span class="pre">.k5login</span></code>
-file didn’t exist. The <strong>k5login_authoritative</strong> relation in the
-<a class="reference internal" href="conf_files/krb5_conf.html#libdefaults"><span class="std std-ref">[libdefaults]</span></a> section can be set to false to make <code class="docutils literal notranslate"><span class="pre">.k5login</span></code>
-files provide positive authorization only.</p>
-<p>The <strong>auth_to_local</strong> relation in the <a class="reference internal" href="conf_files/krb5_conf.html#realms"><span class="std std-ref">[realms]</span></a> section for the
-default realm can specify pattern-matching rules to control login
-authorization. For example, the following configuration allows access
-to principals from a different realm than the default realm:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>[realms]
- DEFAULT.REALM = {
- # Allow access to principals from OTHER.REALM.
- #
- # [1:$1@$0] matches single-component principal names and creates
- # a selection string containing the principal name and realm.
- #
- # (.*@OTHER\.REALM) matches against the selection string, so that
- # only principals in OTHER.REALM are matched.
- #
- # s/@OTHER\.REALM$// removes the realm name, leaving behind the
- # principal name as the account name.
- auth_to_local = RULE:[1:$1@$0](.*@OTHER\.REALM)s/@OTHER\.REALM$//
-
- # Also allow principals from the default realm. Omit this line
- # to only allow access to principals in OTHER.REALM.
- auth_to_local = DEFAULT
- }
-</pre></div>
-</div>
-<p>The <strong>auth_to_local_names</strong> subsection of the <a class="reference internal" href="conf_files/krb5_conf.html#realms"><span class="std std-ref">[realms]</span></a> section
-for the default realm can specify explicit mappings from principal
-names to local accounts. The key used in this subsection is the
-principal name without realm, so it is only safe to use in a Kerberos
-environment with a single realm or a tightly controlled set of realms.
-An example use of <strong>auth_to_local_names</strong> might be:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">realms</span><span class="p">]</span>
- <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="o">=</span> <span class="p">{</span>
- <span class="n">auth_to_local_names</span> <span class="o">=</span> <span class="p">{</span>
- <span class="c1"># Careful, these match principals in any realm!</span>
- <span class="n">host</span><span class="o">/</span><span class="n">example</span><span class="o">.</span><span class="n">com</span> <span class="o">=</span> <span class="n">hostaccount</span>
- <span class="n">fred</span> <span class="o">=</span> <span class="n">localfred</span>
- <span class="p">}</span>
- <span class="p">}</span>
-</pre></div>
-</div>
-<p>Local authorization behavior can also be modified using plugin
-modules; see <a class="reference internal" href="../plugindev/hostrealm.html#hostrealm-plugin"><span class="std std-ref">Host-to-realm interface (hostrealm)</span></a> for details.</p>
-</section>
-<section id="plugin-module-configuration">
-<span id="plugin-config"></span><h2>Plugin module configuration<a class="headerlink" href="#plugin-module-configuration" title="Link to this heading">¶</a></h2>
-<p>Many aspects of Kerberos behavior, such as client preauthentication
-and KDC service location, can be modified through the use of plugin
-modules. For most of these behaviors, you can use the <a class="reference internal" href="conf_files/krb5_conf.html#plugins"><span class="std std-ref">[plugins]</span></a>
-section of krb5.conf to register third-party modules, and to switch
-off registered or built-in modules.</p>
-<p>A plugin module takes the form of a Unix shared object
-(<code class="docutils literal notranslate"><span class="pre">modname.so</span></code>) or Windows DLL (<code class="docutils literal notranslate"><span class="pre">modname.dll</span></code>). If you have
-installed a third-party plugin module and want to register it, you do
-so using the <strong>module</strong> relation in the appropriate subsection of the
-[plugins] section. The value for <strong>module</strong> must give the module name
-and the path to the module, separated by a colon. The module name
-will often be the same as the shared object’s name, but in unusual
-cases (such as a shared object which implements multiple modules for
-the same interface) it might not be. For example, to register a
-client preauthentication module named <code class="docutils literal notranslate"><span class="pre">mypreauth</span></code> installed at
-<code class="docutils literal notranslate"><span class="pre">/path/to/mypreauth.so</span></code>, you could write:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">plugins</span><span class="p">]</span>
- <span class="n">clpreauth</span> <span class="o">=</span> <span class="p">{</span>
- <span class="n">module</span> <span class="o">=</span> <span class="n">mypreauth</span><span class="p">:</span><span class="o">/</span><span class="n">path</span><span class="o">/</span><span class="n">to</span><span class="o">/</span><span class="n">mypreauth</span><span class="o">.</span><span class="n">so</span>
- <span class="p">}</span>
-</pre></div>
-</div>
-<p>Many of the pluggable behaviors in MIT krb5 contain built-in modules
-which can be switched off. You can disable a built-in module (or one
-you have registered) using the <strong>disable</strong> directive in the
-appropriate subsection of the [plugins] section. For example, to
-disable the use of .k5identity files to select credential caches, you
-could write:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">plugins</span><span class="p">]</span>
- <span class="n">ccselect</span> <span class="o">=</span> <span class="p">{</span>
- <span class="n">disable</span> <span class="o">=</span> <span class="n">k5identity</span>
- <span class="p">}</span>
-</pre></div>
-</div>
-<p>If you want to disable multiple modules, specify the <strong>disable</strong>
-directive multiple times, giving one module to disable each time.</p>
-<p>Alternatively, you can explicitly specify which modules you want to be
-enabled for that behavior using the <strong>enable_only</strong> directive. For
-example, to make <a class="reference internal" href="admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> check password quality using only a
-module you have registered, and no other mechanism, you could write:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">plugins</span><span class="p">]</span>
- <span class="n">pwqual</span> <span class="o">=</span> <span class="p">{</span>
- <span class="n">module</span> <span class="o">=</span> <span class="n">mymodule</span><span class="p">:</span><span class="o">/</span><span class="n">path</span><span class="o">/</span><span class="n">to</span><span class="o">/</span><span class="n">mymodule</span><span class="o">.</span><span class="n">so</span>
- <span class="n">enable_only</span> <span class="o">=</span> <span class="n">mymodule</span>
- <span class="p">}</span>
-</pre></div>
-</div>
-<p>Again, if you want to specify multiple modules, specify the
-<strong>enable_only</strong> directive multiple times, giving one module to enable
-each time.</p>
-<p>Some Kerberos interfaces use different mechanisms to register plugin
-modules.</p>
-<section id="kdc-location-modules">
-<h3>KDC location modules<a class="headerlink" href="#kdc-location-modules" title="Link to this heading">¶</a></h3>
-<p>For historical reasons, modules to control how KDC servers are located
-are registered simply by placing the shared object or DLL into the
-“libkrb5” subdirectory of the krb5 plugin directory, which defaults to
-<a class="reference internal" href="../mitK5defaults.html#paths"><span class="std std-ref">LIBDIR</span></a><code class="docutils literal notranslate"><span class="pre">/krb5/plugins</span></code>. For example, Samba’s winbind krb5
-locator plugin would be registered by placing its shared object in
-<a class="reference internal" href="../mitK5defaults.html#paths"><span class="std std-ref">LIBDIR</span></a><code class="docutils literal notranslate"><span class="pre">/krb5/plugins/libkrb5/winbind_krb5_locator.so</span></code>.</p>
-</section>
-<section id="gssapi-mechanism-modules">
-<span id="gssapi-plugin-config"></span><h3>GSSAPI mechanism modules<a class="headerlink" href="#gssapi-mechanism-modules" title="Link to this heading">¶</a></h3>
-<p>GSSAPI mechanism modules are registered using the file
-<a class="reference internal" href="../mitK5defaults.html#paths"><span class="std std-ref">SYSCONFDIR</span></a><code class="docutils literal notranslate"><span class="pre">/gss/mech</span></code> or configuration files in the
-<a class="reference internal" href="../mitK5defaults.html#paths"><span class="std std-ref">SYSCONFDIR</span></a><code class="docutils literal notranslate"><span class="pre">/gss/mech.d</span></code> directory with a <code class="docutils literal notranslate"><span class="pre">.conf</span></code>
-suffix. Each line in these files has the form:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">name</span> <span class="n">oid</span> <span class="n">pathname</span> <span class="p">[</span><span class="n">options</span><span class="p">]</span> <span class="o">&lt;</span><span class="nb">type</span><span class="o">&gt;</span>
-</pre></div>
-</div>
-<p>Only the name, oid, and pathname are required. <em>name</em> is the
-mechanism name, which may be used for debugging or logging purposes.
-<em>oid</em> is the object identifier of the GSSAPI mechanism to be
-registered. <em>pathname</em> is a path to the module shared object or DLL.
-<em>options</em> (if present) are options provided to the plugin module,
-surrounded in square brackets. <em>type</em> (if present) can be used to
-indicate a special type of module. Currently the only special module
-type is “interposer”, for a module designed to intercept calls to
-other mechanisms.</p>
-<p>If the environment variable <strong>GSS_MECH_CONFIG</strong> is set, its value is
-used as the sole mechanism configuration filename.</p>
-</section>
-<section id="configuration-profile-modules">
-<span id="profile-plugin-config"></span><h3>Configuration profile modules<a class="headerlink" href="#configuration-profile-modules" title="Link to this heading">¶</a></h3>
-<p>A configuration profile module replaces the information source for
-<a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a> itself. To use a profile module, begin krb5.conf
-with the line:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">module</span> <span class="n">PATHNAME</span><span class="p">:</span><span class="n">STRING</span>
-</pre></div>
-</div>
-<p>where <em>PATHNAME</em> is a path to the module shared object or DLL, and
-<em>STRING</em> is a string to provide to the module. The module will then
-take over, and the rest of krb5.conf will be ignored.</p>
-</section>
-</section>
-</section>
-
-
- <div class="clearer"></div>
- </div>
- </div>
- </div>
- </div>
- <div class="sidebar">
-
- <h2>On this page</h2>
- <ul>
-<li><a class="reference internal" href="#">Host configuration</a><ul>
-<li><a class="reference internal" href="#default-realm">Default realm</a></li>
-<li><a class="reference internal" href="#login-authorization">Login authorization</a></li>
-<li><a class="reference internal" href="#plugin-module-configuration">Plugin module configuration</a><ul>
-<li><a class="reference internal" href="#kdc-location-modules">KDC location modules</a></li>
-<li><a class="reference internal" href="#gssapi-mechanism-modules">GSSAPI mechanism modules</a></li>
-<li><a class="reference internal" href="#configuration-profile-modules">Configuration profile modules</a></li>
-</ul>
-</li>
-</ul>
-</li>
-</ul>
-
- <br/>
- <h2>Table of contents</h2>
- <ul class="current">
-<li class="toctree-l1"><a class="reference internal" href="../user/index.html">For users</a></li>
-<li class="toctree-l1 current"><a class="reference internal" href="index.html">For administrators</a><ul class="current">
-<li class="toctree-l2"><a class="reference internal" href="install.html">Installation guide</a></li>
-<li class="toctree-l2"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li>
-<li class="toctree-l2"><a class="reference internal" href="realm_config.html">Realm configuration decisions</a></li>
-<li class="toctree-l2"><a class="reference internal" href="database.html">Database administration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="dbtypes.html">Database types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="lockout.html">Account lockout</a></li>
-<li class="toctree-l2"><a class="reference internal" href="conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
-<li class="toctree-l2"><a class="reference internal" href="appl_servers.html">Application servers</a></li>
-<li class="toctree-l2 current"><a class="current reference internal" href="#">Host configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="backup_host.html">Backups of secure hosts</a></li>
-<li class="toctree-l2"><a class="reference internal" href="pkinit.html">PKINIT configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="otp.html">OTP Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="spake.html">SPAKE Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="dictionary.html">Addressing dictionary attack risks</a></li>
-<li class="toctree-l2"><a class="reference internal" href="princ_dns.html">Principal names and DNS</a></li>
-<li class="toctree-l2"><a class="reference internal" href="enctypes.html">Encryption types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="https.html">HTTPS proxy configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="auth_indicator.html">Authentication indicators</a></li>
-<li class="toctree-l2"><a class="reference internal" href="admin_commands/index.html">Administration programs</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../mitK5defaults.html">MIT Kerberos defaults</a></li>
-<li class="toctree-l2"><a class="reference internal" href="env_variables.html">Environment variables</a></li>
-<li class="toctree-l2"><a class="reference internal" href="troubleshoot.html">Troubleshooting</a></li>
-<li class="toctree-l2"><a class="reference internal" href="advanced/index.html">Advanced topics</a></li>
-<li class="toctree-l2"><a class="reference internal" href="various_envs.html">Various links</a></li>
-</ul>
-</li>
-<li class="toctree-l1"><a class="reference internal" href="../appdev/index.html">For application developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../plugindev/index.html">For plugin module developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../basic/index.html">Kerberos V5 concepts</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../formats/index.html">Protocols and file formats</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../build_this.html">How to build this documentation from the source</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../about.html">Contributing to the MIT Kerberos Documentation</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../resources.html">Resources</a></li>
-</ul>
-
- <br/>
- <h4><a href="../index.html">Full Table of Contents</a></h4>
- <h4>Search</h4>
- <form class="search" action="../search.html" method="get">
- <input type="text" name="q" size="18" />
- <input type="submit" value="Go" />
- <input type="hidden" name="check_keywords" value="yes" />
- <input type="hidden" name="area" value="default" />
- </form>
-
- </div>
- <div class="clearer"></div>
- </div>
- </div>
-
- <div class="footer-wrapper">
- <div class="footer" >
- <div class="right" ><i>Release: 1.22-final</i><br />
- &copy; <a href="../copyright.html">Copyright</a> 1985-2025, MIT.
- </div>
- <div class="left">
-
- <a href="../index.html" title="Full Table of Contents"
- >Contents</a> |
- <a href="appl_servers.html" title="Application servers"
- >previous</a> |
- <a href="backup_host.html" title="Backups of secure hosts"
- >next</a> |
- <a href="../genindex.html" title="General Index"
- >index</a> |
- <a href="../search.html" title="Enter search criteria"
- >Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Host configuration">feedback</a>
- </div>
- </div>
- </div>
-
- </body>
-</html> \ No newline at end of file
diff --git a/crypto/krb5/doc/html/admin/https.html b/crypto/krb5/doc/html/admin/https.html
deleted file mode 100644
index 3c1c24feb43d..000000000000
--- a/crypto/krb5/doc/html/admin/https.html
+++ /dev/null
@@ -1,191 +0,0 @@
-<!DOCTYPE html>
-
-<html lang="en" data-content_root="../">
- <head>
- <meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
-
- <title>HTTPS proxy configuration &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../_static/pygments.css?v=fa44fd50" />
- <link rel="stylesheet" type="text/css" href="../_static/agogo.css?v=879f3c71" />
- <link rel="stylesheet" type="text/css" href="../_static/kerb.css?v=6a0b3979" />
- <script src="../_static/documentation_options.js?v=236fef3b"></script>
- <script src="../_static/doctools.js?v=888ff710"></script>
- <script src="../_static/sphinx_highlight.js?v=dc90522c"></script>
- <link rel="author" title="About these documents" href="../about.html" />
- <link rel="index" title="Index" href="../genindex.html" />
- <link rel="search" title="Search" href="../search.html" />
- <link rel="copyright" title="Copyright" href="../copyright.html" />
- <link rel="next" title="Authentication indicators" href="auth_indicator.html" />
- <link rel="prev" title="Encryption types" href="enctypes.html" />
- </head><body>
- <div class="header-wrapper">
- <div class="header">
-
-
- <h1><a href="../index.html">MIT Kerberos Documentation</a></h1>
-
- <div class="rel">
-
- <a href="../index.html" title="Full Table of Contents"
- accesskey="C">Contents</a> |
- <a href="enctypes.html" title="Encryption types"
- accesskey="P">previous</a> |
- <a href="auth_indicator.html" title="Authentication indicators"
- accesskey="N">next</a> |
- <a href="../genindex.html" title="General Index"
- accesskey="I">index</a> |
- <a href="../search.html" title="Enter search criteria"
- accesskey="S">Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__HTTPS proxy configuration">feedback</a>
- </div>
- </div>
- </div>
-
- <div class="content-wrapper">
- <div class="content">
- <div class="document">
-
- <div class="documentwrapper">
- <div class="bodywrapper">
- <div class="body" role="main">
-
- <section id="https-proxy-configuration">
-<span id="https"></span><h1>HTTPS proxy configuration<a class="headerlink" href="#https-proxy-configuration" title="Link to this heading">¶</a></h1>
-<p>In addition to being able to use UDP or TCP to communicate directly
-with a KDC as is outlined in RFC4120, and with kpasswd services in a
-similar fashion, the client libraries can attempt to use an HTTPS
-proxy server to communicate with a KDC or kpasswd service, using the
-protocol outlined in [MS-KKDCP].</p>
-<p>Communicating with a KDC through an HTTPS proxy allows clients to
-contact servers when network firewalls might otherwise prevent them
-from doing so. The use of TLS also encrypts all traffic between the
-clients and the KDC, preventing observers from conducting password
-dictionary attacks or from observing the client and server principals
-being authenticated, at additional computational cost to both clients
-and servers.</p>
-<p>An HTTPS proxy server is provided as a feature in some versions of
-Microsoft Windows Server, and a WSGI implementation named <cite>kdcproxy</cite>
-is available in the python package index.</p>
-<section id="configuring-the-clients">
-<h2>Configuring the clients<a class="headerlink" href="#configuring-the-clients" title="Link to this heading">¶</a></h2>
-<p>To use an HTTPS proxy, a client host must trust the CA which issued
-that proxy’s SSL certificate. If that CA’s certificate is not in the
-system-wide default set of trusted certificates, configure the
-following relation in the client host’s <a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a> file in
-the appropriate <a class="reference internal" href="conf_files/krb5_conf.html#realms"><span class="std std-ref">[realms]</span></a> subsection:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">http_anchors</span> <span class="o">=</span> <span class="n">FILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">krb5</span><span class="o">/</span><span class="n">cacert</span><span class="o">.</span><span class="n">pem</span>
-</pre></div>
-</div>
-<p>Adjust the pathname to match the path of the file which contains a
-copy of the CA’s certificate. The <cite>http_anchors</cite> option is documented
-more fully in <a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a>.</p>
-<p>Configure the client to access the KDC and kpasswd service by
-specifying their locations in its <a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a> file in the form
-of HTTPS URLs for the proxy server:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">kdc</span> <span class="o">=</span> <span class="n">https</span><span class="p">:</span><span class="o">//</span><span class="n">server</span><span class="o">.</span><span class="n">fqdn</span><span class="o">/</span><span class="n">KdcProxy</span>
-<span class="n">kpasswd_server</span> <span class="o">=</span> <span class="n">https</span><span class="p">:</span><span class="o">//</span><span class="n">server</span><span class="o">.</span><span class="n">fqdn</span><span class="o">/</span><span class="n">KdcProxy</span>
-</pre></div>
-</div>
-<p>If the proxy and client are properly configured, client commands such
-as <code class="docutils literal notranslate"><span class="pre">kinit</span></code>, <code class="docutils literal notranslate"><span class="pre">kvno</span></code>, and <code class="docutils literal notranslate"><span class="pre">kpasswd</span></code> should all function normally.</p>
-</section>
-</section>
-
-
- <div class="clearer"></div>
- </div>
- </div>
- </div>
- </div>
- <div class="sidebar">
-
- <h2>On this page</h2>
- <ul>
-<li><a class="reference internal" href="#">HTTPS proxy configuration</a><ul>
-<li><a class="reference internal" href="#configuring-the-clients">Configuring the clients</a></li>
-</ul>
-</li>
-</ul>
-
- <br/>
- <h2>Table of contents</h2>
- <ul class="current">
-<li class="toctree-l1"><a class="reference internal" href="../user/index.html">For users</a></li>
-<li class="toctree-l1 current"><a class="reference internal" href="index.html">For administrators</a><ul class="current">
-<li class="toctree-l2"><a class="reference internal" href="install.html">Installation guide</a></li>
-<li class="toctree-l2"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li>
-<li class="toctree-l2"><a class="reference internal" href="realm_config.html">Realm configuration decisions</a></li>
-<li class="toctree-l2"><a class="reference internal" href="database.html">Database administration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="dbtypes.html">Database types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="lockout.html">Account lockout</a></li>
-<li class="toctree-l2"><a class="reference internal" href="conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
-<li class="toctree-l2"><a class="reference internal" href="appl_servers.html">Application servers</a></li>
-<li class="toctree-l2"><a class="reference internal" href="host_config.html">Host configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="backup_host.html">Backups of secure hosts</a></li>
-<li class="toctree-l2"><a class="reference internal" href="pkinit.html">PKINIT configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="otp.html">OTP Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="spake.html">SPAKE Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="dictionary.html">Addressing dictionary attack risks</a></li>
-<li class="toctree-l2"><a class="reference internal" href="princ_dns.html">Principal names and DNS</a></li>
-<li class="toctree-l2"><a class="reference internal" href="enctypes.html">Encryption types</a></li>
-<li class="toctree-l2 current"><a class="current reference internal" href="#">HTTPS proxy configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="auth_indicator.html">Authentication indicators</a></li>
-<li class="toctree-l2"><a class="reference internal" href="admin_commands/index.html">Administration programs</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../mitK5defaults.html">MIT Kerberos defaults</a></li>
-<li class="toctree-l2"><a class="reference internal" href="env_variables.html">Environment variables</a></li>
-<li class="toctree-l2"><a class="reference internal" href="troubleshoot.html">Troubleshooting</a></li>
-<li class="toctree-l2"><a class="reference internal" href="advanced/index.html">Advanced topics</a></li>
-<li class="toctree-l2"><a class="reference internal" href="various_envs.html">Various links</a></li>
-</ul>
-</li>
-<li class="toctree-l1"><a class="reference internal" href="../appdev/index.html">For application developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../plugindev/index.html">For plugin module developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../basic/index.html">Kerberos V5 concepts</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../formats/index.html">Protocols and file formats</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../build_this.html">How to build this documentation from the source</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../about.html">Contributing to the MIT Kerberos Documentation</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../resources.html">Resources</a></li>
-</ul>
-
- <br/>
- <h4><a href="../index.html">Full Table of Contents</a></h4>
- <h4>Search</h4>
- <form class="search" action="../search.html" method="get">
- <input type="text" name="q" size="18" />
- <input type="submit" value="Go" />
- <input type="hidden" name="check_keywords" value="yes" />
- <input type="hidden" name="area" value="default" />
- </form>
-
- </div>
- <div class="clearer"></div>
- </div>
- </div>
-
- <div class="footer-wrapper">
- <div class="footer" >
- <div class="right" ><i>Release: 1.22-final</i><br />
- &copy; <a href="../copyright.html">Copyright</a> 1985-2025, MIT.
- </div>
- <div class="left">
-
- <a href="../index.html" title="Full Table of Contents"
- >Contents</a> |
- <a href="enctypes.html" title="Encryption types"
- >previous</a> |
- <a href="auth_indicator.html" title="Authentication indicators"
- >next</a> |
- <a href="../genindex.html" title="General Index"
- >index</a> |
- <a href="../search.html" title="Enter search criteria"
- >Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__HTTPS proxy configuration">feedback</a>
- </div>
- </div>
- </div>
-
- </body>
-</html> \ No newline at end of file
diff --git a/crypto/krb5/doc/html/admin/index.html b/crypto/krb5/doc/html/admin/index.html
deleted file mode 100644
index 3b6687a56713..000000000000
--- a/crypto/krb5/doc/html/admin/index.html
+++ /dev/null
@@ -1,184 +0,0 @@
-<!DOCTYPE html>
-
-<html lang="en" data-content_root="../">
- <head>
- <meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
-
- <title>For administrators &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../_static/pygments.css?v=fa44fd50" />
- <link rel="stylesheet" type="text/css" href="../_static/agogo.css?v=879f3c71" />
- <link rel="stylesheet" type="text/css" href="../_static/kerb.css?v=6a0b3979" />
- <script src="../_static/documentation_options.js?v=236fef3b"></script>
- <script src="../_static/doctools.js?v=888ff710"></script>
- <script src="../_static/sphinx_highlight.js?v=dc90522c"></script>
- <link rel="author" title="About these documents" href="../about.html" />
- <link rel="index" title="Index" href="../genindex.html" />
- <link rel="search" title="Search" href="../search.html" />
- <link rel="copyright" title="Copyright" href="../copyright.html" />
- <link rel="next" title="Installation guide" href="install.html" />
- <link rel="prev" title="sclient" href="../user/user_commands/sclient.html" />
- </head><body>
- <div class="header-wrapper">
- <div class="header">
-
-
- <h1><a href="../index.html">MIT Kerberos Documentation</a></h1>
-
- <div class="rel">
-
- <a href="../index.html" title="Full Table of Contents"
- accesskey="C">Contents</a> |
- <a href="../user/user_commands/sclient.html" title="sclient"
- accesskey="P">previous</a> |
- <a href="install.html" title="Installation guide"
- accesskey="N">next</a> |
- <a href="../genindex.html" title="General Index"
- accesskey="I">index</a> |
- <a href="../search.html" title="Enter search criteria"
- accesskey="S">Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__For administrators">feedback</a>
- </div>
- </div>
- </div>
-
- <div class="content-wrapper">
- <div class="content">
- <div class="document">
-
- <div class="documentwrapper">
- <div class="bodywrapper">
- <div class="body" role="main">
-
- <section id="for-administrators">
-<h1>For administrators<a class="headerlink" href="#for-administrators" title="Link to this heading">¶</a></h1>
-<div class="toctree-wrapper compound">
-<ul>
-<li class="toctree-l1"><a class="reference internal" href="install.html">Installation guide</a></li>
-<li class="toctree-l1"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li>
-<li class="toctree-l1"><a class="reference internal" href="realm_config.html">Realm configuration decisions</a></li>
-<li class="toctree-l1"><a class="reference internal" href="database.html">Database administration</a></li>
-<li class="toctree-l1"><a class="reference internal" href="dbtypes.html">Database types</a></li>
-<li class="toctree-l1"><a class="reference internal" href="lockout.html">Account lockout</a></li>
-<li class="toctree-l1"><a class="reference internal" href="conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
-<li class="toctree-l1"><a class="reference internal" href="appl_servers.html">Application servers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="host_config.html">Host configuration</a></li>
-<li class="toctree-l1"><a class="reference internal" href="backup_host.html">Backups of secure hosts</a></li>
-<li class="toctree-l1"><a class="reference internal" href="pkinit.html">PKINIT configuration</a></li>
-<li class="toctree-l1"><a class="reference internal" href="otp.html">OTP Preauthentication</a></li>
-<li class="toctree-l1"><a class="reference internal" href="spake.html">SPAKE Preauthentication</a></li>
-<li class="toctree-l1"><a class="reference internal" href="dictionary.html">Addressing dictionary attack risks</a></li>
-<li class="toctree-l1"><a class="reference internal" href="princ_dns.html">Principal names and DNS</a></li>
-<li class="toctree-l1"><a class="reference internal" href="enctypes.html">Encryption types</a></li>
-<li class="toctree-l1"><a class="reference internal" href="https.html">HTTPS proxy configuration</a></li>
-<li class="toctree-l1"><a class="reference internal" href="auth_indicator.html">Authentication indicators</a></li>
-</ul>
-</div>
-<div class="toctree-wrapper compound">
-<ul>
-<li class="toctree-l1"><a class="reference internal" href="admin_commands/index.html">Administration programs</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../mitK5defaults.html">MIT Kerberos defaults</a></li>
-<li class="toctree-l1"><a class="reference internal" href="env_variables.html">Environment variables</a></li>
-<li class="toctree-l1"><a class="reference internal" href="troubleshoot.html">Troubleshooting</a></li>
-<li class="toctree-l1"><a class="reference internal" href="advanced/index.html">Advanced topics</a></li>
-<li class="toctree-l1"><a class="reference internal" href="various_envs.html">Various links</a></li>
-</ul>
-</div>
-</section>
-
-
- <div class="clearer"></div>
- </div>
- </div>
- </div>
- </div>
- <div class="sidebar">
-
- <h2>On this page</h2>
- <ul>
-<li><a class="reference internal" href="#">For administrators</a><ul>
-</ul>
-</li>
-</ul>
-
- <br/>
- <h2>Table of contents</h2>
- <ul class="current">
-<li class="toctree-l1"><a class="reference internal" href="../user/index.html">For users</a></li>
-<li class="toctree-l1 current"><a class="current reference internal" href="#">For administrators</a><ul>
-<li class="toctree-l2"><a class="reference internal" href="install.html">Installation guide</a></li>
-<li class="toctree-l2"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li>
-<li class="toctree-l2"><a class="reference internal" href="realm_config.html">Realm configuration decisions</a></li>
-<li class="toctree-l2"><a class="reference internal" href="database.html">Database administration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="dbtypes.html">Database types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="lockout.html">Account lockout</a></li>
-<li class="toctree-l2"><a class="reference internal" href="conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
-<li class="toctree-l2"><a class="reference internal" href="appl_servers.html">Application servers</a></li>
-<li class="toctree-l2"><a class="reference internal" href="host_config.html">Host configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="backup_host.html">Backups of secure hosts</a></li>
-<li class="toctree-l2"><a class="reference internal" href="pkinit.html">PKINIT configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="otp.html">OTP Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="spake.html">SPAKE Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="dictionary.html">Addressing dictionary attack risks</a></li>
-<li class="toctree-l2"><a class="reference internal" href="princ_dns.html">Principal names and DNS</a></li>
-<li class="toctree-l2"><a class="reference internal" href="enctypes.html">Encryption types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="https.html">HTTPS proxy configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="auth_indicator.html">Authentication indicators</a></li>
-<li class="toctree-l2"><a class="reference internal" href="admin_commands/index.html">Administration programs</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../mitK5defaults.html">MIT Kerberos defaults</a></li>
-<li class="toctree-l2"><a class="reference internal" href="env_variables.html">Environment variables</a></li>
-<li class="toctree-l2"><a class="reference internal" href="troubleshoot.html">Troubleshooting</a></li>
-<li class="toctree-l2"><a class="reference internal" href="advanced/index.html">Advanced topics</a></li>
-<li class="toctree-l2"><a class="reference internal" href="various_envs.html">Various links</a></li>
-</ul>
-</li>
-<li class="toctree-l1"><a class="reference internal" href="../appdev/index.html">For application developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../plugindev/index.html">For plugin module developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../basic/index.html">Kerberos V5 concepts</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../formats/index.html">Protocols and file formats</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../build_this.html">How to build this documentation from the source</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../about.html">Contributing to the MIT Kerberos Documentation</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../resources.html">Resources</a></li>
-</ul>
-
- <br/>
- <h4><a href="../index.html">Full Table of Contents</a></h4>
- <h4>Search</h4>
- <form class="search" action="../search.html" method="get">
- <input type="text" name="q" size="18" />
- <input type="submit" value="Go" />
- <input type="hidden" name="check_keywords" value="yes" />
- <input type="hidden" name="area" value="default" />
- </form>
-
- </div>
- <div class="clearer"></div>
- </div>
- </div>
-
- <div class="footer-wrapper">
- <div class="footer" >
- <div class="right" ><i>Release: 1.22-final</i><br />
- &copy; <a href="../copyright.html">Copyright</a> 1985-2025, MIT.
- </div>
- <div class="left">
-
- <a href="../index.html" title="Full Table of Contents"
- >Contents</a> |
- <a href="../user/user_commands/sclient.html" title="sclient"
- >previous</a> |
- <a href="install.html" title="Installation guide"
- >next</a> |
- <a href="../genindex.html" title="General Index"
- >index</a> |
- <a href="../search.html" title="Enter search criteria"
- >Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__For administrators">feedback</a>
- </div>
- </div>
- </div>
-
- </body>
-</html> \ No newline at end of file
diff --git a/crypto/krb5/doc/html/admin/install.html b/crypto/krb5/doc/html/admin/install.html
deleted file mode 100644
index 4fb8c1575526..000000000000
--- a/crypto/krb5/doc/html/admin/install.html
+++ /dev/null
@@ -1,195 +0,0 @@
-<!DOCTYPE html>
-
-<html lang="en" data-content_root="../">
- <head>
- <meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
-
- <title>Installation guide &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../_static/pygments.css?v=fa44fd50" />
- <link rel="stylesheet" type="text/css" href="../_static/agogo.css?v=879f3c71" />
- <link rel="stylesheet" type="text/css" href="../_static/kerb.css?v=6a0b3979" />
- <script src="../_static/documentation_options.js?v=236fef3b"></script>
- <script src="../_static/doctools.js?v=888ff710"></script>
- <script src="../_static/sphinx_highlight.js?v=dc90522c"></script>
- <link rel="author" title="About these documents" href="../about.html" />
- <link rel="index" title="Index" href="../genindex.html" />
- <link rel="search" title="Search" href="../search.html" />
- <link rel="copyright" title="Copyright" href="../copyright.html" />
- <link rel="next" title="Installing KDCs" href="install_kdc.html" />
- <link rel="prev" title="For administrators" href="index.html" />
- </head><body>
- <div class="header-wrapper">
- <div class="header">
-
-
- <h1><a href="../index.html">MIT Kerberos Documentation</a></h1>
-
- <div class="rel">
-
- <a href="../index.html" title="Full Table of Contents"
- accesskey="C">Contents</a> |
- <a href="index.html" title="For administrators"
- accesskey="P">previous</a> |
- <a href="install_kdc.html" title="Installing KDCs"
- accesskey="N">next</a> |
- <a href="../genindex.html" title="General Index"
- accesskey="I">index</a> |
- <a href="../search.html" title="Enter search criteria"
- accesskey="S">Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Installation guide">feedback</a>
- </div>
- </div>
- </div>
-
- <div class="content-wrapper">
- <div class="content">
- <div class="document">
-
- <div class="documentwrapper">
- <div class="bodywrapper">
- <div class="body" role="main">
-
- <section id="installation-guide">
-<h1>Installation guide<a class="headerlink" href="#installation-guide" title="Link to this heading">¶</a></h1>
-<section id="contents">
-<h2>Contents<a class="headerlink" href="#contents" title="Link to this heading">¶</a></h2>
-<div class="toctree-wrapper compound">
-<ul>
-<li class="toctree-l1"><a class="reference internal" href="install_kdc.html">Installing KDCs</a><ul>
-<li class="toctree-l2"><a class="reference internal" href="install_kdc.html#install-and-configure-the-primary-kdc">Install and configure the primary KDC</a></li>
-<li class="toctree-l2"><a class="reference internal" href="install_kdc.html#edit-kdc-configuration-files">Edit KDC configuration files</a></li>
-<li class="toctree-l2"><a class="reference internal" href="install_kdc.html#create-the-kdc-database">Create the KDC database</a></li>
-<li class="toctree-l2"><a class="reference internal" href="install_kdc.html#add-administrators-to-the-acl-file">Add administrators to the ACL file</a></li>
-<li class="toctree-l2"><a class="reference internal" href="install_kdc.html#add-administrators-to-the-kerberos-database">Add administrators to the Kerberos database</a></li>
-<li class="toctree-l2"><a class="reference internal" href="install_kdc.html#start-the-kerberos-daemons-on-the-primary-kdc">Start the Kerberos daemons on the primary KDC</a></li>
-<li class="toctree-l2"><a class="reference internal" href="install_kdc.html#install-the-replica-kdcs">Install the replica KDCs</a></li>
-<li class="toctree-l2"><a class="reference internal" href="install_kdc.html#add-kerberos-principals-to-the-database">Add Kerberos principals to the database</a></li>
-<li class="toctree-l2"><a class="reference internal" href="install_kdc.html#switching-primary-and-replica-kdcs">Switching primary and replica KDCs</a></li>
-<li class="toctree-l2"><a class="reference internal" href="install_kdc.html#incremental-database-propagation">Incremental database propagation</a></li>
-</ul>
-</li>
-<li class="toctree-l1"><a class="reference internal" href="install_clients.html">Installing and configuring UNIX client machines</a><ul>
-<li class="toctree-l2"><a class="reference internal" href="install_clients.html#client-machine-configuration-files">Client machine configuration files</a></li>
-</ul>
-</li>
-<li class="toctree-l1"><a class="reference internal" href="install_appl_srv.html">UNIX Application Servers</a><ul>
-<li class="toctree-l2"><a class="reference internal" href="install_appl_srv.html#the-keytab-file">The keytab file</a></li>
-<li class="toctree-l2"><a class="reference internal" href="install_appl_srv.html#some-advice-about-secure-hosts">Some advice about secure hosts</a></li>
-</ul>
-</li>
-</ul>
-</div>
-</section>
-<section id="additional-references">
-<h2>Additional references<a class="headerlink" href="#additional-references" title="Link to this heading">¶</a></h2>
-<ol class="arabic simple">
-<li><p>Debian: <a class="reference external" href="http://techpubs.spinlocksolutions.com/dklar/kerberos.html">Setting up MIT Kerberos 5</a></p></li>
-<li><p>Solaris: <a class="reference external" href="https://docs.oracle.com/cd/E19253-01/816-4557/6maosrjv2/index.html">Configuring the Kerberos Service</a></p></li>
-</ol>
-</section>
-</section>
-
-
- <div class="clearer"></div>
- </div>
- </div>
- </div>
- </div>
- <div class="sidebar">
-
- <h2>On this page</h2>
- <ul>
-<li><a class="reference internal" href="#">Installation guide</a><ul>
-<li><a class="reference internal" href="#contents">Contents</a></li>
-<li><a class="reference internal" href="#additional-references">Additional references</a></li>
-</ul>
-</li>
-</ul>
-
- <br/>
- <h2>Table of contents</h2>
- <ul class="current">
-<li class="toctree-l1"><a class="reference internal" href="../user/index.html">For users</a></li>
-<li class="toctree-l1 current"><a class="reference internal" href="index.html">For administrators</a><ul class="current">
-<li class="toctree-l2 current"><a class="current reference internal" href="#">Installation guide</a><ul>
-<li class="toctree-l3"><a class="reference internal" href="install_kdc.html">Installing KDCs</a></li>
-<li class="toctree-l3"><a class="reference internal" href="install_clients.html">Installing and configuring UNIX client machines</a></li>
-<li class="toctree-l3"><a class="reference internal" href="install_appl_srv.html">UNIX Application Servers</a></li>
-</ul>
-</li>
-<li class="toctree-l2"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li>
-<li class="toctree-l2"><a class="reference internal" href="realm_config.html">Realm configuration decisions</a></li>
-<li class="toctree-l2"><a class="reference internal" href="database.html">Database administration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="dbtypes.html">Database types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="lockout.html">Account lockout</a></li>
-<li class="toctree-l2"><a class="reference internal" href="conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
-<li class="toctree-l2"><a class="reference internal" href="appl_servers.html">Application servers</a></li>
-<li class="toctree-l2"><a class="reference internal" href="host_config.html">Host configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="backup_host.html">Backups of secure hosts</a></li>
-<li class="toctree-l2"><a class="reference internal" href="pkinit.html">PKINIT configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="otp.html">OTP Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="spake.html">SPAKE Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="dictionary.html">Addressing dictionary attack risks</a></li>
-<li class="toctree-l2"><a class="reference internal" href="princ_dns.html">Principal names and DNS</a></li>
-<li class="toctree-l2"><a class="reference internal" href="enctypes.html">Encryption types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="https.html">HTTPS proxy configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="auth_indicator.html">Authentication indicators</a></li>
-<li class="toctree-l2"><a class="reference internal" href="admin_commands/index.html">Administration programs</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../mitK5defaults.html">MIT Kerberos defaults</a></li>
-<li class="toctree-l2"><a class="reference internal" href="env_variables.html">Environment variables</a></li>
-<li class="toctree-l2"><a class="reference internal" href="troubleshoot.html">Troubleshooting</a></li>
-<li class="toctree-l2"><a class="reference internal" href="advanced/index.html">Advanced topics</a></li>
-<li class="toctree-l2"><a class="reference internal" href="various_envs.html">Various links</a></li>
-</ul>
-</li>
-<li class="toctree-l1"><a class="reference internal" href="../appdev/index.html">For application developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../plugindev/index.html">For plugin module developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../basic/index.html">Kerberos V5 concepts</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../formats/index.html">Protocols and file formats</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../build_this.html">How to build this documentation from the source</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../about.html">Contributing to the MIT Kerberos Documentation</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../resources.html">Resources</a></li>
-</ul>
-
- <br/>
- <h4><a href="../index.html">Full Table of Contents</a></h4>
- <h4>Search</h4>
- <form class="search" action="../search.html" method="get">
- <input type="text" name="q" size="18" />
- <input type="submit" value="Go" />
- <input type="hidden" name="check_keywords" value="yes" />
- <input type="hidden" name="area" value="default" />
- </form>
-
- </div>
- <div class="clearer"></div>
- </div>
- </div>
-
- <div class="footer-wrapper">
- <div class="footer" >
- <div class="right" ><i>Release: 1.22-final</i><br />
- &copy; <a href="../copyright.html">Copyright</a> 1985-2025, MIT.
- </div>
- <div class="left">
-
- <a href="../index.html" title="Full Table of Contents"
- >Contents</a> |
- <a href="index.html" title="For administrators"
- >previous</a> |
- <a href="install_kdc.html" title="Installing KDCs"
- >next</a> |
- <a href="../genindex.html" title="General Index"
- >index</a> |
- <a href="../search.html" title="Enter search criteria"
- >Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Installation guide">feedback</a>
- </div>
- </div>
- </div>
-
- </body>
-</html> \ No newline at end of file
diff --git a/crypto/krb5/doc/html/admin/install_appl_srv.html b/crypto/krb5/doc/html/admin/install_appl_srv.html
deleted file mode 100644
index 4ee80b824cf8..000000000000
--- a/crypto/krb5/doc/html/admin/install_appl_srv.html
+++ /dev/null
@@ -1,223 +0,0 @@
-<!DOCTYPE html>
-
-<html lang="en" data-content_root="../">
- <head>
- <meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
-
- <title>UNIX Application Servers &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../_static/pygments.css?v=fa44fd50" />
- <link rel="stylesheet" type="text/css" href="../_static/agogo.css?v=879f3c71" />
- <link rel="stylesheet" type="text/css" href="../_static/kerb.css?v=6a0b3979" />
- <script src="../_static/documentation_options.js?v=236fef3b"></script>
- <script src="../_static/doctools.js?v=888ff710"></script>
- <script src="../_static/sphinx_highlight.js?v=dc90522c"></script>
- <link rel="author" title="About these documents" href="../about.html" />
- <link rel="index" title="Index" href="../genindex.html" />
- <link rel="search" title="Search" href="../search.html" />
- <link rel="copyright" title="Copyright" href="../copyright.html" />
- <link rel="next" title="Configuration Files" href="conf_files/index.html" />
- <link rel="prev" title="Installing and configuring UNIX client machines" href="install_clients.html" />
- </head><body>
- <div class="header-wrapper">
- <div class="header">
-
-
- <h1><a href="../index.html">MIT Kerberos Documentation</a></h1>
-
- <div class="rel">
-
- <a href="../index.html" title="Full Table of Contents"
- accesskey="C">Contents</a> |
- <a href="install_clients.html" title="Installing and configuring UNIX client machines"
- accesskey="P">previous</a> |
- <a href="conf_files/index.html" title="Configuration Files"
- accesskey="N">next</a> |
- <a href="../genindex.html" title="General Index"
- accesskey="I">index</a> |
- <a href="../search.html" title="Enter search criteria"
- accesskey="S">Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__UNIX Application Servers">feedback</a>
- </div>
- </div>
- </div>
-
- <div class="content-wrapper">
- <div class="content">
- <div class="document">
-
- <div class="documentwrapper">
- <div class="bodywrapper">
- <div class="body" role="main">
-
- <section id="unix-application-servers">
-<h1>UNIX Application Servers<a class="headerlink" href="#unix-application-servers" title="Link to this heading">¶</a></h1>
-<p>An application server is a host that provides one or more services
-over the network. Application servers can be “secure” or “insecure.”
-A “secure” host is set up to require authentication from every client
-connecting to it. An “insecure” host will still provide Kerberos
-authentication, but will also allow unauthenticated clients to
-connect.</p>
-<p>If you have Kerberos V5 installed on all of your client machines, MIT
-recommends that you make your hosts secure, to take advantage of the
-security that Kerberos authentication affords. However, if you have
-some clients that do not have Kerberos V5 installed, you can run an
-insecure server, and still take advantage of Kerberos V5’s single
-sign-on capability.</p>
-<section id="the-keytab-file">
-<span id="keytab-file"></span><h2>The keytab file<a class="headerlink" href="#the-keytab-file" title="Link to this heading">¶</a></h2>
-<p>All Kerberos server machines need a keytab file to authenticate to the
-KDC. By default on UNIX-like systems this file is named <a class="reference internal" href="../mitK5defaults.html#paths"><span class="std std-ref">DEFKTNAME</span></a>.
-The keytab file is an local copy of the host’s key. The keytab file
-is a potential point of entry for a break-in, and if compromised,
-would allow unrestricted access to its host. The keytab file should
-be readable only by root, and should exist only on the machine’s local
-disk. The file should not be part of any backup of the machine,
-unless access to the backup data is secured as tightly as access to
-the machine’s root password.</p>
-<p>In order to generate a keytab for a host, the host must have a
-principal in the Kerberos database. The procedure for adding hosts to
-the database is described fully in <a class="reference internal" href="database.html#principals"><span class="std std-ref">Principals</span></a>. (See
-<a class="reference internal" href="install_kdc.html#replica-host-key"><span class="std std-ref">Create host keytabs for replica KDCs</span></a> for a brief description.) The keytab is
-generated by running <a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> and issuing the <a class="reference internal" href="admin_commands/kadmin_local.html#ktadd"><span class="std std-ref">ktadd</span></a>
-command.</p>
-<p>For example, to generate a keytab file to allow the host
-<code class="docutils literal notranslate"><span class="pre">trillium.mit.edu</span></code> to authenticate for the services host, ftp, and
-pop, the administrator <code class="docutils literal notranslate"><span class="pre">joeadmin</span></code> would issue the command (on
-<code class="docutils literal notranslate"><span class="pre">trillium.mit.edu</span></code>):</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">trillium</span><span class="o">%</span> <span class="n">kadmin</span>
-<span class="n">Authenticating</span> <span class="k">as</span> <span class="n">principal</span> <span class="n">root</span><span class="o">/</span><span class="n">admin</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="k">with</span> <span class="n">password</span><span class="o">.</span>
-<span class="n">Password</span> <span class="k">for</span> <span class="n">root</span><span class="o">/</span><span class="n">admin</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span><span class="p">:</span>
-<span class="n">kadmin</span><span class="p">:</span> <span class="n">ktadd</span> <span class="n">host</span><span class="o">/</span><span class="n">trillium</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> <span class="n">ftp</span><span class="o">/</span><span class="n">trillium</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> <span class="n">pop</span><span class="o">/</span><span class="n">trillium</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span>
-<span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">host</span><span class="o">/</span><span class="n">trillium</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">3</span><span class="p">,</span> <span class="n">encryption</span> <span class="nb">type</span> <span class="n">aes256</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha384</span><span class="o">-</span><span class="mi">192</span> <span class="n">added</span> <span class="n">to</span> <span class="n">keytab</span> <span class="n">FILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">krb5</span><span class="o">.</span><span class="n">keytab</span><span class="o">.</span>
-<span class="n">kadmin</span><span class="p">:</span> <span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">ftp</span><span class="o">/</span><span class="n">trillium</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">3</span><span class="p">,</span> <span class="n">encryption</span> <span class="nb">type</span> <span class="n">aes256</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha384</span><span class="o">-</span><span class="mi">192</span> <span class="n">added</span> <span class="n">to</span> <span class="n">keytab</span> <span class="n">FILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">krb5</span><span class="o">.</span><span class="n">keytab</span><span class="o">.</span>
-<span class="n">kadmin</span><span class="p">:</span> <span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">pop</span><span class="o">/</span><span class="n">trillium</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">3</span><span class="p">,</span> <span class="n">encryption</span> <span class="nb">type</span> <span class="n">aes256</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha384</span><span class="o">-</span><span class="mi">192</span> <span class="n">added</span> <span class="n">to</span> <span class="n">keytab</span> <span class="n">FILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">krb5</span><span class="o">.</span><span class="n">keytab</span><span class="o">.</span>
-<span class="n">kadmin</span><span class="p">:</span> <span class="n">quit</span>
-<span class="n">trillium</span><span class="o">%</span>
-</pre></div>
-</div>
-<p>If you generate the keytab file on another host, you need to get a
-copy of the keytab file onto the destination host (<code class="docutils literal notranslate"><span class="pre">trillium</span></code>, in
-the above example) without sending it unencrypted over the network.</p>
-</section>
-<section id="some-advice-about-secure-hosts">
-<h2>Some advice about secure hosts<a class="headerlink" href="#some-advice-about-secure-hosts" title="Link to this heading">¶</a></h2>
-<p>Kerberos V5 can protect your host from certain types of break-ins, but
-it is possible to install Kerberos V5 and still leave your host
-vulnerable to attack. Obviously an installation guide is not the
-place to try to include an exhaustive list of countermeasures for
-every possible attack, but it is worth noting some of the larger holes
-and how to close them.</p>
-<p>We recommend that backups of secure machines exclude the keytab file
-(<a class="reference internal" href="../mitK5defaults.html#paths"><span class="std std-ref">DEFKTNAME</span></a>). If this is not possible, the backups should at least be
-done locally, rather than over a network, and the backup tapes should
-be physically secured.</p>
-<p>The keytab file and any programs run by root, including the Kerberos
-V5 binaries, should be kept on local disk. The keytab file should be
-readable only by root.</p>
-</section>
-</section>
-
-
- <div class="clearer"></div>
- </div>
- </div>
- </div>
- </div>
- <div class="sidebar">
-
- <h2>On this page</h2>
- <ul>
-<li><a class="reference internal" href="#">UNIX Application Servers</a><ul>
-<li><a class="reference internal" href="#the-keytab-file">The keytab file</a></li>
-<li><a class="reference internal" href="#some-advice-about-secure-hosts">Some advice about secure hosts</a></li>
-</ul>
-</li>
-</ul>
-
- <br/>
- <h2>Table of contents</h2>
- <ul class="current">
-<li class="toctree-l1"><a class="reference internal" href="../user/index.html">For users</a></li>
-<li class="toctree-l1 current"><a class="reference internal" href="index.html">For administrators</a><ul class="current">
-<li class="toctree-l2 current"><a class="reference internal" href="install.html">Installation guide</a><ul class="current">
-<li class="toctree-l3"><a class="reference internal" href="install_kdc.html">Installing KDCs</a></li>
-<li class="toctree-l3"><a class="reference internal" href="install_clients.html">Installing and configuring UNIX client machines</a></li>
-<li class="toctree-l3 current"><a class="current reference internal" href="#">UNIX Application Servers</a></li>
-</ul>
-</li>
-<li class="toctree-l2"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li>
-<li class="toctree-l2"><a class="reference internal" href="realm_config.html">Realm configuration decisions</a></li>
-<li class="toctree-l2"><a class="reference internal" href="database.html">Database administration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="dbtypes.html">Database types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="lockout.html">Account lockout</a></li>
-<li class="toctree-l2"><a class="reference internal" href="conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
-<li class="toctree-l2"><a class="reference internal" href="appl_servers.html">Application servers</a></li>
-<li class="toctree-l2"><a class="reference internal" href="host_config.html">Host configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="backup_host.html">Backups of secure hosts</a></li>
-<li class="toctree-l2"><a class="reference internal" href="pkinit.html">PKINIT configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="otp.html">OTP Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="spake.html">SPAKE Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="dictionary.html">Addressing dictionary attack risks</a></li>
-<li class="toctree-l2"><a class="reference internal" href="princ_dns.html">Principal names and DNS</a></li>
-<li class="toctree-l2"><a class="reference internal" href="enctypes.html">Encryption types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="https.html">HTTPS proxy configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="auth_indicator.html">Authentication indicators</a></li>
-<li class="toctree-l2"><a class="reference internal" href="admin_commands/index.html">Administration programs</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../mitK5defaults.html">MIT Kerberos defaults</a></li>
-<li class="toctree-l2"><a class="reference internal" href="env_variables.html">Environment variables</a></li>
-<li class="toctree-l2"><a class="reference internal" href="troubleshoot.html">Troubleshooting</a></li>
-<li class="toctree-l2"><a class="reference internal" href="advanced/index.html">Advanced topics</a></li>
-<li class="toctree-l2"><a class="reference internal" href="various_envs.html">Various links</a></li>
-</ul>
-</li>
-<li class="toctree-l1"><a class="reference internal" href="../appdev/index.html">For application developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../plugindev/index.html">For plugin module developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../basic/index.html">Kerberos V5 concepts</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../formats/index.html">Protocols and file formats</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../build_this.html">How to build this documentation from the source</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../about.html">Contributing to the MIT Kerberos Documentation</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../resources.html">Resources</a></li>
-</ul>
-
- <br/>
- <h4><a href="../index.html">Full Table of Contents</a></h4>
- <h4>Search</h4>
- <form class="search" action="../search.html" method="get">
- <input type="text" name="q" size="18" />
- <input type="submit" value="Go" />
- <input type="hidden" name="check_keywords" value="yes" />
- <input type="hidden" name="area" value="default" />
- </form>
-
- </div>
- <div class="clearer"></div>
- </div>
- </div>
-
- <div class="footer-wrapper">
- <div class="footer" >
- <div class="right" ><i>Release: 1.22-final</i><br />
- &copy; <a href="../copyright.html">Copyright</a> 1985-2025, MIT.
- </div>
- <div class="left">
-
- <a href="../index.html" title="Full Table of Contents"
- >Contents</a> |
- <a href="install_clients.html" title="Installing and configuring UNIX client machines"
- >previous</a> |
- <a href="conf_files/index.html" title="Configuration Files"
- >next</a> |
- <a href="../genindex.html" title="General Index"
- >index</a> |
- <a href="../search.html" title="Enter search criteria"
- >Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__UNIX Application Servers">feedback</a>
- </div>
- </div>
- </div>
-
- </body>
-</html> \ No newline at end of file
diff --git a/crypto/krb5/doc/html/admin/install_clients.html b/crypto/krb5/doc/html/admin/install_clients.html
deleted file mode 100644
index 57dec1f64e63..000000000000
--- a/crypto/krb5/doc/html/admin/install_clients.html
+++ /dev/null
@@ -1,205 +0,0 @@
-<!DOCTYPE html>
-
-<html lang="en" data-content_root="../">
- <head>
- <meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
-
- <title>Installing and configuring UNIX client machines &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../_static/pygments.css?v=fa44fd50" />
- <link rel="stylesheet" type="text/css" href="../_static/agogo.css?v=879f3c71" />
- <link rel="stylesheet" type="text/css" href="../_static/kerb.css?v=6a0b3979" />
- <script src="../_static/documentation_options.js?v=236fef3b"></script>
- <script src="../_static/doctools.js?v=888ff710"></script>
- <script src="../_static/sphinx_highlight.js?v=dc90522c"></script>
- <link rel="author" title="About these documents" href="../about.html" />
- <link rel="index" title="Index" href="../genindex.html" />
- <link rel="search" title="Search" href="../search.html" />
- <link rel="copyright" title="Copyright" href="../copyright.html" />
- <link rel="next" title="UNIX Application Servers" href="install_appl_srv.html" />
- <link rel="prev" title="Installing KDCs" href="install_kdc.html" />
- </head><body>
- <div class="header-wrapper">
- <div class="header">
-
-
- <h1><a href="../index.html">MIT Kerberos Documentation</a></h1>
-
- <div class="rel">
-
- <a href="../index.html" title="Full Table of Contents"
- accesskey="C">Contents</a> |
- <a href="install_kdc.html" title="Installing KDCs"
- accesskey="P">previous</a> |
- <a href="install_appl_srv.html" title="UNIX Application Servers"
- accesskey="N">next</a> |
- <a href="../genindex.html" title="General Index"
- accesskey="I">index</a> |
- <a href="../search.html" title="Enter search criteria"
- accesskey="S">Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Installing and configuring UNIX client machines">feedback</a>
- </div>
- </div>
- </div>
-
- <div class="content-wrapper">
- <div class="content">
- <div class="document">
-
- <div class="documentwrapper">
- <div class="bodywrapper">
- <div class="body" role="main">
-
- <section id="installing-and-configuring-unix-client-machines">
-<h1>Installing and configuring UNIX client machines<a class="headerlink" href="#installing-and-configuring-unix-client-machines" title="Link to this heading">¶</a></h1>
-<p>The Kerberized client programs include <a class="reference internal" href="../user/user_commands/kinit.html#kinit-1"><span class="std std-ref">kinit</span></a>,
-<a class="reference internal" href="../user/user_commands/klist.html#klist-1"><span class="std std-ref">klist</span></a>, <a class="reference internal" href="../user/user_commands/kdestroy.html#kdestroy-1"><span class="std std-ref">kdestroy</span></a>, and <a class="reference internal" href="../user/user_commands/kpasswd.html#kpasswd-1"><span class="std std-ref">kpasswd</span></a>. All of
-these programs are in the directory <a class="reference internal" href="../mitK5defaults.html#paths"><span class="std std-ref">BINDIR</span></a>.</p>
-<p>You can often integrate Kerberos with the login system on client
-machines, typically through the use of PAM. The details vary by
-operating system, and should be covered in your operating system’s
-documentation. If you do this, you will need to make sure your users
-know to use their Kerberos passwords when they log in.</p>
-<p>You will also need to educate your users to use the ticket management
-programs kinit, klist, and kdestroy. If you do not have Kerberos
-password changing integrated into the native password program (again,
-typically through PAM), you will need to educate users to use kpasswd
-in place of its non-Kerberos counterparts passwd.</p>
-<section id="client-machine-configuration-files">
-<h2>Client machine configuration files<a class="headerlink" href="#client-machine-configuration-files" title="Link to this heading">¶</a></h2>
-<p>Each machine running Kerberos should have a <a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a> file.
-At a minimum, it should define a <strong>default_realm</strong> setting in
-<a class="reference internal" href="conf_files/krb5_conf.html#libdefaults"><span class="std std-ref">[libdefaults]</span></a>. If you are not using DNS SRV records
-(<a class="reference internal" href="realm_config.html#kdc-hostnames"><span class="std std-ref">Hostnames for KDCs</span></a>) or URI records (<a class="reference internal" href="realm_config.html#kdc-discovery"><span class="std std-ref">KDC Discovery</span></a>), it must
-also contain a <a class="reference internal" href="conf_files/krb5_conf.html#realms"><span class="std std-ref">[realms]</span></a> section containing information for your
-realm’s KDCs.</p>
-<p>Consider setting <strong>rdns</strong> to false in order to reduce your dependence
-on precisely correct DNS information for service hostnames. Turning
-this flag off means that service hostnames will be canonicalized
-through forward name resolution (which adds your domain name to
-unqualified hostnames, and resolves CNAME records in DNS), but not
-through reverse address lookup. The default value of this flag is
-true for historical reasons only.</p>
-<p>If you anticipate users frequently logging into remote hosts
-(e.g., using ssh) using forwardable credentials, consider setting
-<strong>forwardable</strong> to true so that users obtain forwardable tickets by
-default. Otherwise users will need to use <code class="docutils literal notranslate"><span class="pre">kinit</span> <span class="pre">-f</span></code> to get
-forwardable tickets.</p>
-<p>Consider adjusting the <strong>ticket_lifetime</strong> setting to match the likely
-length of sessions for your users. For instance, if most of your
-users will be logging in for an eight-hour workday, you could set the
-default to ten hours so that tickets obtained in the morning expire
-shortly after the end of the workday. Users can still manually
-request longer tickets when necessary, up to the maximum allowed by
-each user’s principal record on the KDC.</p>
-<p>If a client host may access services in different realms, it may be
-useful to define a <a class="reference internal" href="conf_files/krb5_conf.html#domain-realm"><span class="std std-ref">[domain_realm]</span></a> mapping so that clients know
-which hosts belong to which realms. However, if your clients and KDC
-are running release 1.7 or later, it is also reasonable to leave this
-section out on client machines and just define it in the KDC’s
-krb5.conf.</p>
-</section>
-</section>
-
-
- <div class="clearer"></div>
- </div>
- </div>
- </div>
- </div>
- <div class="sidebar">
-
- <h2>On this page</h2>
- <ul>
-<li><a class="reference internal" href="#">Installing and configuring UNIX client machines</a><ul>
-<li><a class="reference internal" href="#client-machine-configuration-files">Client machine configuration files</a></li>
-</ul>
-</li>
-</ul>
-
- <br/>
- <h2>Table of contents</h2>
- <ul class="current">
-<li class="toctree-l1"><a class="reference internal" href="../user/index.html">For users</a></li>
-<li class="toctree-l1 current"><a class="reference internal" href="index.html">For administrators</a><ul class="current">
-<li class="toctree-l2 current"><a class="reference internal" href="install.html">Installation guide</a><ul class="current">
-<li class="toctree-l3"><a class="reference internal" href="install_kdc.html">Installing KDCs</a></li>
-<li class="toctree-l3 current"><a class="current reference internal" href="#">Installing and configuring UNIX client machines</a></li>
-<li class="toctree-l3"><a class="reference internal" href="install_appl_srv.html">UNIX Application Servers</a></li>
-</ul>
-</li>
-<li class="toctree-l2"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li>
-<li class="toctree-l2"><a class="reference internal" href="realm_config.html">Realm configuration decisions</a></li>
-<li class="toctree-l2"><a class="reference internal" href="database.html">Database administration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="dbtypes.html">Database types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="lockout.html">Account lockout</a></li>
-<li class="toctree-l2"><a class="reference internal" href="conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
-<li class="toctree-l2"><a class="reference internal" href="appl_servers.html">Application servers</a></li>
-<li class="toctree-l2"><a class="reference internal" href="host_config.html">Host configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="backup_host.html">Backups of secure hosts</a></li>
-<li class="toctree-l2"><a class="reference internal" href="pkinit.html">PKINIT configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="otp.html">OTP Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="spake.html">SPAKE Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="dictionary.html">Addressing dictionary attack risks</a></li>
-<li class="toctree-l2"><a class="reference internal" href="princ_dns.html">Principal names and DNS</a></li>
-<li class="toctree-l2"><a class="reference internal" href="enctypes.html">Encryption types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="https.html">HTTPS proxy configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="auth_indicator.html">Authentication indicators</a></li>
-<li class="toctree-l2"><a class="reference internal" href="admin_commands/index.html">Administration programs</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../mitK5defaults.html">MIT Kerberos defaults</a></li>
-<li class="toctree-l2"><a class="reference internal" href="env_variables.html">Environment variables</a></li>
-<li class="toctree-l2"><a class="reference internal" href="troubleshoot.html">Troubleshooting</a></li>
-<li class="toctree-l2"><a class="reference internal" href="advanced/index.html">Advanced topics</a></li>
-<li class="toctree-l2"><a class="reference internal" href="various_envs.html">Various links</a></li>
-</ul>
-</li>
-<li class="toctree-l1"><a class="reference internal" href="../appdev/index.html">For application developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../plugindev/index.html">For plugin module developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../basic/index.html">Kerberos V5 concepts</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../formats/index.html">Protocols and file formats</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../build_this.html">How to build this documentation from the source</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../about.html">Contributing to the MIT Kerberos Documentation</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../resources.html">Resources</a></li>
-</ul>
-
- <br/>
- <h4><a href="../index.html">Full Table of Contents</a></h4>
- <h4>Search</h4>
- <form class="search" action="../search.html" method="get">
- <input type="text" name="q" size="18" />
- <input type="submit" value="Go" />
- <input type="hidden" name="check_keywords" value="yes" />
- <input type="hidden" name="area" value="default" />
- </form>
-
- </div>
- <div class="clearer"></div>
- </div>
- </div>
-
- <div class="footer-wrapper">
- <div class="footer" >
- <div class="right" ><i>Release: 1.22-final</i><br />
- &copy; <a href="../copyright.html">Copyright</a> 1985-2025, MIT.
- </div>
- <div class="left">
-
- <a href="../index.html" title="Full Table of Contents"
- >Contents</a> |
- <a href="install_kdc.html" title="Installing KDCs"
- >previous</a> |
- <a href="install_appl_srv.html" title="UNIX Application Servers"
- >next</a> |
- <a href="../genindex.html" title="General Index"
- >index</a> |
- <a href="../search.html" title="Enter search criteria"
- >Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Installing and configuring UNIX client machines">feedback</a>
- </div>
- </div>
- </div>
-
- </body>
-</html> \ No newline at end of file
diff --git a/crypto/krb5/doc/html/admin/install_kdc.html b/crypto/krb5/doc/html/admin/install_kdc.html
deleted file mode 100644
index 24e753728717..000000000000
--- a/crypto/krb5/doc/html/admin/install_kdc.html
+++ /dev/null
@@ -1,651 +0,0 @@
-<!DOCTYPE html>
-
-<html lang="en" data-content_root="../">
- <head>
- <meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
-
- <title>Installing KDCs &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../_static/pygments.css?v=fa44fd50" />
- <link rel="stylesheet" type="text/css" href="../_static/agogo.css?v=879f3c71" />
- <link rel="stylesheet" type="text/css" href="../_static/kerb.css?v=6a0b3979" />
- <script src="../_static/documentation_options.js?v=236fef3b"></script>
- <script src="../_static/doctools.js?v=888ff710"></script>
- <script src="../_static/sphinx_highlight.js?v=dc90522c"></script>
- <link rel="author" title="About these documents" href="../about.html" />
- <link rel="index" title="Index" href="../genindex.html" />
- <link rel="search" title="Search" href="../search.html" />
- <link rel="copyright" title="Copyright" href="../copyright.html" />
- <link rel="next" title="Installing and configuring UNIX client machines" href="install_clients.html" />
- <link rel="prev" title="Installation guide" href="install.html" />
- </head><body>
- <div class="header-wrapper">
- <div class="header">
-
-
- <h1><a href="../index.html">MIT Kerberos Documentation</a></h1>
-
- <div class="rel">
-
- <a href="../index.html" title="Full Table of Contents"
- accesskey="C">Contents</a> |
- <a href="install.html" title="Installation guide"
- accesskey="P">previous</a> |
- <a href="install_clients.html" title="Installing and configuring UNIX client machines"
- accesskey="N">next</a> |
- <a href="../genindex.html" title="General Index"
- accesskey="I">index</a> |
- <a href="../search.html" title="Enter search criteria"
- accesskey="S">Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Installing KDCs">feedback</a>
- </div>
- </div>
- </div>
-
- <div class="content-wrapper">
- <div class="content">
- <div class="document">
-
- <div class="documentwrapper">
- <div class="bodywrapper">
- <div class="body" role="main">
-
- <section id="installing-kdcs">
-<h1>Installing KDCs<a class="headerlink" href="#installing-kdcs" title="Link to this heading">¶</a></h1>
-<p>When setting up Kerberos in a production environment, it is best to
-have multiple replica KDCs alongside with a primary KDC to ensure the
-continued availability of the Kerberized services. Each KDC contains
-a copy of the Kerberos database. The primary KDC contains the
-writable copy of the realm database, which it replicates to the
-replica KDCs at regular intervals. All database changes (such as
-password changes) are made on the primary KDC. Replica KDCs provide
-Kerberos ticket-granting services, but not database administration,
-when the primary KDC is unavailable. MIT recommends that you install
-all of your KDCs to be able to function as either the primary or one
-of the replicas. This will enable you to easily switch your primary
-KDC with one of the replicas if necessary (see
-<a class="reference internal" href="#switch-primary-replica"><span class="std std-ref">Switching primary and replica KDCs</span></a>). This installation procedure is based
-on that recommendation.</p>
-<div class="admonition warning">
-<p class="admonition-title">Warning</p>
-<ul class="simple">
-<li><p>The Kerberos system relies on the availability of correct time
-information. Ensure that the primary and all replica KDCs have
-properly synchronized clocks.</p></li>
-<li><p>It is best to install and run KDCs on secured and dedicated
-hardware with limited access. If your KDC is also a file
-server, FTP server, Web server, or even just a client machine,
-someone who obtained root access through a security hole in any
-of those areas could potentially gain access to the Kerberos
-database.</p></li>
-</ul>
-</div>
-<section id="install-and-configure-the-primary-kdc">
-<h2>Install and configure the primary KDC<a class="headerlink" href="#install-and-configure-the-primary-kdc" title="Link to this heading">¶</a></h2>
-<p>Install Kerberos either from the OS-provided packages or from the
-source (See <a class="reference internal" href="../build/doing_build.html#do-build"><span class="std std-ref">Building within a single tree</span></a>).</p>
-<div class="admonition note">
-<p class="admonition-title">Note</p>
-<p>For the purpose of this document we will use the following
-names:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">kerberos</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> <span class="o">-</span> <span class="n">primary</span> <span class="n">KDC</span>
-<span class="n">kerberos</span><span class="o">-</span><span class="mf">1.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> <span class="o">-</span> <span class="n">replica</span> <span class="n">KDC</span>
-<span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="o">-</span> <span class="n">realm</span> <span class="n">name</span>
-<span class="o">.</span><span class="n">k5</span><span class="o">.</span><span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="o">-</span> <span class="n">stash</span> <span class="n">file</span>
-<span class="n">admin</span><span class="o">/</span><span class="n">admin</span> <span class="o">-</span> <span class="n">admin</span> <span class="n">principal</span>
-</pre></div>
-</div>
-<p>See <a class="reference internal" href="../mitK5defaults.html#mitk5defaults"><span class="std std-ref">MIT Kerberos defaults</span></a> for the default names and locations
-of the relevant to this topic files. Adjust the names and
-paths to your system environment.</p>
-</div>
-</section>
-<section id="edit-kdc-configuration-files">
-<h2>Edit KDC configuration files<a class="headerlink" href="#edit-kdc-configuration-files" title="Link to this heading">¶</a></h2>
-<p>Modify the configuration files, <a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a> and
-<a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>, to reflect the correct information (such as
-domain-realm mappings and Kerberos servers names) for your realm.
-(See <a class="reference internal" href="../mitK5defaults.html#mitk5defaults"><span class="std std-ref">MIT Kerberos defaults</span></a> for the recommended default locations for
-these files).</p>
-<p>Most of the tags in the configuration have default values that will
-work well for most sites. There are some tags in the
-<a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a> file whose values must be specified, and this
-section will explain those.</p>
-<p>If the locations for these configuration files differs from the
-default ones, set <strong>KRB5_CONFIG</strong> and <strong>KRB5_KDC_PROFILE</strong> environment
-variables to point to the krb5.conf and kdc.conf respectively. For
-example:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">export</span> <span class="n">KRB5_CONFIG</span><span class="o">=/</span><span class="n">yourdir</span><span class="o">/</span><span class="n">krb5</span><span class="o">.</span><span class="n">conf</span>
-<span class="n">export</span> <span class="n">KRB5_KDC_PROFILE</span><span class="o">=/</span><span class="n">yourdir</span><span class="o">/</span><span class="n">kdc</span><span class="o">.</span><span class="n">conf</span>
-</pre></div>
-</div>
-<section id="krb5-conf">
-<h3>krb5.conf<a class="headerlink" href="#krb5-conf" title="Link to this heading">¶</a></h3>
-<p>If you are not using DNS TXT records (see <a class="reference internal" href="realm_config.html#mapping-hostnames"><span class="std std-ref">Mapping hostnames onto Kerberos realms</span></a>),
-you must specify the <strong>default_realm</strong> in the <a class="reference internal" href="conf_files/krb5_conf.html#libdefaults"><span class="std std-ref">[libdefaults]</span></a>
-section. If you are not using DNS URI or SRV records (see
-<a class="reference internal" href="realm_config.html#kdc-hostnames"><span class="std std-ref">Hostnames for KDCs</span></a> and <a class="reference internal" href="realm_config.html#kdc-discovery"><span class="std std-ref">KDC Discovery</span></a>), you must include the
-<strong>kdc</strong> tag for each <em>realm</em> in the <a class="reference internal" href="conf_files/krb5_conf.html#realms"><span class="std std-ref">[realms]</span></a> section. To
-communicate with the kadmin server in each realm, the <strong>admin_server</strong>
-tag must be set in the
-<a class="reference internal" href="conf_files/krb5_conf.html#realms"><span class="std std-ref">[realms]</span></a> section.</p>
-<p>An example krb5.conf file:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">libdefaults</span><span class="p">]</span>
- <span class="n">default_realm</span> <span class="o">=</span> <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span>
-
-<span class="p">[</span><span class="n">realms</span><span class="p">]</span>
- <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="o">=</span> <span class="p">{</span>
- <span class="n">kdc</span> <span class="o">=</span> <span class="n">kerberos</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span>
- <span class="n">kdc</span> <span class="o">=</span> <span class="n">kerberos</span><span class="o">-</span><span class="mf">1.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span>
- <span class="n">admin_server</span> <span class="o">=</span> <span class="n">kerberos</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span>
- <span class="p">}</span>
-</pre></div>
-</div>
-</section>
-<section id="kdc-conf">
-<h3>kdc.conf<a class="headerlink" href="#kdc-conf" title="Link to this heading">¶</a></h3>
-<p>The kdc.conf file can be used to control the listening ports of the
-KDC and kadmind, as well as realm-specific defaults, the database type
-and location, and logging.</p>
-<p>An example kdc.conf file:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">kdcdefaults</span><span class="p">]</span>
- <span class="n">kdc_listen</span> <span class="o">=</span> <span class="mi">88</span>
- <span class="n">kdc_tcp_listen</span> <span class="o">=</span> <span class="mi">88</span>
-
-<span class="p">[</span><span class="n">realms</span><span class="p">]</span>
- <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="o">=</span> <span class="p">{</span>
- <span class="n">kadmind_port</span> <span class="o">=</span> <span class="mi">749</span>
- <span class="n">max_life</span> <span class="o">=</span> <span class="mi">12</span><span class="n">h</span> <span class="mi">0</span><span class="n">m</span> <span class="mi">0</span><span class="n">s</span>
- <span class="n">max_renewable_life</span> <span class="o">=</span> <span class="mi">7</span><span class="n">d</span> <span class="mi">0</span><span class="n">h</span> <span class="mi">0</span><span class="n">m</span> <span class="mi">0</span><span class="n">s</span>
- <span class="n">master_key_type</span> <span class="o">=</span> <span class="n">aes256</span><span class="o">-</span><span class="n">cts</span>
- <span class="n">supported_enctypes</span> <span class="o">=</span> <span class="n">aes256</span><span class="o">-</span><span class="n">cts</span><span class="p">:</span><span class="n">normal</span> <span class="n">aes128</span><span class="o">-</span><span class="n">cts</span><span class="p">:</span><span class="n">normal</span>
- <span class="c1"># If the default location does not suit your setup,</span>
- <span class="c1"># explicitly configure the following values:</span>
- <span class="c1"># database_name = /var/krb5kdc/principal</span>
- <span class="c1"># key_stash_file = /var/krb5kdc/.k5.ATHENA.MIT.EDU</span>
- <span class="c1"># acl_file = /var/krb5kdc/kadm5.acl</span>
- <span class="p">}</span>
-
-<span class="p">[</span><span class="n">logging</span><span class="p">]</span>
- <span class="c1"># By default, the KDC and kadmind will log output using</span>
- <span class="c1"># syslog. You can instead send log output to files like this:</span>
- <span class="n">kdc</span> <span class="o">=</span> <span class="n">FILE</span><span class="p">:</span><span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">log</span><span class="o">/</span><span class="n">krb5kdc</span><span class="o">.</span><span class="n">log</span>
- <span class="n">admin_server</span> <span class="o">=</span> <span class="n">FILE</span><span class="p">:</span><span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">log</span><span class="o">/</span><span class="n">kadmin</span><span class="o">.</span><span class="n">log</span>
- <span class="n">default</span> <span class="o">=</span> <span class="n">FILE</span><span class="p">:</span><span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">log</span><span class="o">/</span><span class="n">krb5lib</span><span class="o">.</span><span class="n">log</span>
-</pre></div>
-</div>
-<p>Replace <code class="docutils literal notranslate"><span class="pre">ATHENA.MIT.EDU</span></code> and <code class="docutils literal notranslate"><span class="pre">kerberos.mit.edu</span></code> with the name of
-your Kerberos realm and server respectively.</p>
-<div class="admonition note">
-<p class="admonition-title">Note</p>
-<p>You have to have write permission on the target directories
-(these directories must exist) used by <strong>database_name</strong>,
-<strong>key_stash_file</strong>, and <strong>acl_file</strong>.</p>
-</div>
-</section>
-</section>
-<section id="create-the-kdc-database">
-<span id="create-db"></span><h2>Create the KDC database<a class="headerlink" href="#create-the-kdc-database" title="Link to this heading">¶</a></h2>
-<p>You will use the <a class="reference internal" href="admin_commands/kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a> command on the primary KDC to
-create the Kerberos database and the optional <a class="reference internal" href="../basic/stash_file_def.html#stash-definition"><span class="std std-ref">stash file</span></a>.</p>
-<div class="admonition note">
-<p class="admonition-title">Note</p>
-<p>If you choose not to install a stash file, the KDC will
-prompt you for the master key each time it starts up. This
-means that the KDC will not be able to start automatically,
-such as after a system reboot.</p>
-</div>
-<p><a class="reference internal" href="admin_commands/kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a> will prompt you for the master password for the
-Kerberos database. This password can be any string. A good password
-is one you can remember, but that no one else can guess. Examples of
-bad passwords are words that can be found in a dictionary, any common
-or popular name, especially a famous person (or cartoon character),
-your username in any form (e.g., forward, backward, repeated twice,
-etc.), and any of the sample passwords that appear in this manual.
-One example of a password which might be good if it did not appear in
-this manual is “MITiys4K5!”, which represents the sentence “MIT is
-your source for Kerberos 5!” (It’s the first letter of each word,
-substituting the numeral “4” for the word “for”, and includes the
-punctuation mark at the end.)</p>
-<p>The following is an example of how to create a Kerberos database and
-stash file on the primary KDC, using the <a class="reference internal" href="admin_commands/kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a> command.
-Replace <code class="docutils literal notranslate"><span class="pre">ATHENA.MIT.EDU</span></code> with the name of your Kerberos realm:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">shell</span><span class="o">%</span> <span class="n">kdb5_util</span> <span class="n">create</span> <span class="o">-</span><span class="n">r</span> <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="o">-</span><span class="n">s</span>
-
-<span class="n">Initializing</span> <span class="n">database</span> <span class="s1">&#39;/usr/local/var/krb5kdc/principal&#39;</span> <span class="k">for</span> <span class="n">realm</span> <span class="s1">&#39;ATHENA.MIT.EDU&#39;</span><span class="p">,</span>
-<span class="n">master</span> <span class="n">key</span> <span class="n">name</span> <span class="s1">&#39;K/M@ATHENA.MIT.EDU&#39;</span>
-<span class="n">You</span> <span class="n">will</span> <span class="n">be</span> <span class="n">prompted</span> <span class="k">for</span> <span class="n">the</span> <span class="n">database</span> <span class="n">Master</span> <span class="n">Password</span><span class="o">.</span>
-<span class="n">It</span> <span class="ow">is</span> <span class="n">important</span> <span class="n">that</span> <span class="n">you</span> <span class="n">NOT</span> <span class="n">FORGET</span> <span class="n">this</span> <span class="n">password</span><span class="o">.</span>
-<span class="n">Enter</span> <span class="n">KDC</span> <span class="n">database</span> <span class="n">master</span> <span class="n">key</span><span class="p">:</span> <span class="o">&lt;=</span> <span class="n">Type</span> <span class="n">the</span> <span class="n">master</span> <span class="n">password</span><span class="o">.</span>
-<span class="n">Re</span><span class="o">-</span><span class="n">enter</span> <span class="n">KDC</span> <span class="n">database</span> <span class="n">master</span> <span class="n">key</span> <span class="n">to</span> <span class="n">verify</span><span class="p">:</span> <span class="o">&lt;=</span> <span class="n">Type</span> <span class="n">it</span> <span class="n">again</span><span class="o">.</span>
-<span class="n">shell</span><span class="o">%</span>
-</pre></div>
-</div>
-<p>This will create five files in <a class="reference internal" href="../mitK5defaults.html#paths"><span class="std std-ref">LOCALSTATEDIR</span></a><code class="docutils literal notranslate"><span class="pre">/krb5kdc</span></code> (or at the locations specified
-in <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>):</p>
-<ul class="simple">
-<li><p>two Kerberos database files, <code class="docutils literal notranslate"><span class="pre">principal</span></code>, and <code class="docutils literal notranslate"><span class="pre">principal.ok</span></code></p></li>
-<li><p>the Kerberos administrative database file, <code class="docutils literal notranslate"><span class="pre">principal.kadm5</span></code></p></li>
-<li><p>the administrative database lock file, <code class="docutils literal notranslate"><span class="pre">principal.kadm5.lock</span></code></p></li>
-<li><p>the stash file, in this example <code class="docutils literal notranslate"><span class="pre">.k5.ATHENA.MIT.EDU</span></code>. If you do
-not want a stash file, run the above command without the <strong>-s</strong>
-option.</p></li>
-</ul>
-<p>For more information on administrating Kerberos database see
-<a class="reference internal" href="database.html#db-operations"><span class="std std-ref">Operations on the Kerberos database</span></a>.</p>
-</section>
-<section id="add-administrators-to-the-acl-file">
-<span id="admin-acl"></span><h2>Add administrators to the ACL file<a class="headerlink" href="#add-administrators-to-the-acl-file" title="Link to this heading">¶</a></h2>
-<p>Next, you need create an Access Control List (ACL) file and put the
-Kerberos principal of at least one of the administrators into it.
-This file is used by the <a class="reference internal" href="admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> daemon to control which
-principals may view and make privileged modifications to the Kerberos
-database files. The ACL filename is determined by the <strong>acl_file</strong>
-variable in <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>; the default is <a class="reference internal" href="../mitK5defaults.html#paths"><span class="std std-ref">LOCALSTATEDIR</span></a><code class="docutils literal notranslate"><span class="pre">/krb5kdc</span></code><code class="docutils literal notranslate"><span class="pre">/kadm5.acl</span></code>.</p>
-<p>For more information on Kerberos ACL file see <a class="reference internal" href="conf_files/kadm5_acl.html#kadm5-acl-5"><span class="std std-ref">kadm5.acl</span></a>.</p>
-</section>
-<section id="add-administrators-to-the-kerberos-database">
-<span id="addadmin-kdb"></span><h2>Add administrators to the Kerberos database<a class="headerlink" href="#add-administrators-to-the-kerberos-database" title="Link to this heading">¶</a></h2>
-<p>Next you need to add administrative principals (i.e., principals who
-are allowed to administer Kerberos database) to the Kerberos database.
-You <em>must</em> add at least one principal now to allow communication
-between the Kerberos administration daemon kadmind and the kadmin
-program over the network for further administration. To do this, use
-the kadmin.local utility on the primary KDC. kadmin.local is designed
-to be run on the primary KDC host without using Kerberos
-authentication to an admin server; instead, it must have read and
-write access to the Kerberos database on the local filesystem.</p>
-<p>The administrative principals you create should be the ones you added
-to the ACL file (see <a class="reference internal" href="#admin-acl"><span class="std std-ref">Add administrators to the ACL file</span></a>).</p>
-<p>In the following example, the administrative principal <code class="docutils literal notranslate"><span class="pre">admin/admin</span></code>
-is created:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">shell</span><span class="o">%</span> <span class="n">kadmin</span><span class="o">.</span><span class="n">local</span>
-
-<span class="n">kadmin</span><span class="o">.</span><span class="n">local</span><span class="p">:</span> <span class="n">addprinc</span> <span class="n">admin</span><span class="o">/</span><span class="n">admin</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span>
-
-<span class="n">No</span> <span class="n">policy</span> <span class="n">specified</span> <span class="k">for</span> <span class="s2">&quot;admin/admin@ATHENA.MIT.EDU&quot;</span><span class="p">;</span>
-<span class="n">assigning</span> <span class="s2">&quot;default&quot;</span><span class="o">.</span>
-<span class="n">Enter</span> <span class="n">password</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">admin</span><span class="o">/</span><span class="n">admin</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span><span class="p">:</span> <span class="o">&lt;=</span> <span class="n">Enter</span> <span class="n">a</span> <span class="n">password</span><span class="o">.</span>
-<span class="n">Re</span><span class="o">-</span><span class="n">enter</span> <span class="n">password</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">admin</span><span class="o">/</span><span class="n">admin</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span><span class="p">:</span> <span class="o">&lt;=</span> <span class="n">Type</span> <span class="n">it</span> <span class="n">again</span><span class="o">.</span>
-<span class="n">Principal</span> <span class="s2">&quot;admin/admin@ATHENA.MIT.EDU&quot;</span> <span class="n">created</span><span class="o">.</span>
-<span class="n">kadmin</span><span class="o">.</span><span class="n">local</span><span class="p">:</span>
-</pre></div>
-</div>
-</section>
-<section id="start-the-kerberos-daemons-on-the-primary-kdc">
-<span id="start-kdc-daemons"></span><h2>Start the Kerberos daemons on the primary KDC<a class="headerlink" href="#start-the-kerberos-daemons-on-the-primary-kdc" title="Link to this heading">¶</a></h2>
-<p>At this point, you are ready to start the Kerberos KDC
-(<a class="reference internal" href="admin_commands/krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a>) and administrative daemons on the primary KDC. To
-do so, type:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">shell</span><span class="o">%</span> <span class="n">krb5kdc</span>
-<span class="n">shell</span><span class="o">%</span> <span class="n">kadmind</span>
-</pre></div>
-</div>
-<p>Each server daemon will fork and run in the background.</p>
-<div class="admonition note">
-<p class="admonition-title">Note</p>
-<p>Assuming you want these daemons to start up automatically at
-boot time, you can add them to the KDC’s <code class="docutils literal notranslate"><span class="pre">/etc/rc</span></code> or
-<code class="docutils literal notranslate"><span class="pre">/etc/inittab</span></code> file. You need to have a
-<a class="reference internal" href="../basic/stash_file_def.html#stash-definition"><span class="std std-ref">stash file</span></a> in order to do this.</p>
-</div>
-<p>You can verify that they started properly by checking for their
-startup messages in the logging locations you defined in
-<a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a> (see <a class="reference internal" href="conf_files/kdc_conf.html#logging"><span class="std std-ref">[logging]</span></a>). For example:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">shell</span><span class="o">%</span> <span class="n">tail</span> <span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">log</span><span class="o">/</span><span class="n">krb5kdc</span><span class="o">.</span><span class="n">log</span>
-<span class="n">Dec</span> <span class="mi">02</span> <span class="mi">12</span><span class="p">:</span><span class="mi">35</span><span class="p">:</span><span class="mi">47</span> <span class="n">beeblebrox</span> <span class="n">krb5kdc</span><span class="p">[</span><span class="mi">3187</span><span class="p">](</span><span class="n">info</span><span class="p">):</span> <span class="n">commencing</span> <span class="n">operation</span>
-<span class="n">shell</span><span class="o">%</span> <span class="n">tail</span> <span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">log</span><span class="o">/</span><span class="n">kadmin</span><span class="o">.</span><span class="n">log</span>
-<span class="n">Dec</span> <span class="mi">02</span> <span class="mi">12</span><span class="p">:</span><span class="mi">35</span><span class="p">:</span><span class="mi">52</span> <span class="n">beeblebrox</span> <span class="n">kadmind</span><span class="p">[</span><span class="mi">3189</span><span class="p">](</span><span class="n">info</span><span class="p">):</span> <span class="n">starting</span>
-</pre></div>
-</div>
-<p>Any errors the daemons encounter while starting will also be listed in
-the logging output.</p>
-<p>As an additional verification, check if <a class="reference internal" href="../user/user_commands/kinit.html#kinit-1"><span class="std std-ref">kinit</span></a> succeeds
-against the principals that you have created on the previous step
-(<a class="reference internal" href="#addadmin-kdb"><span class="std std-ref">Add administrators to the Kerberos database</span></a>). Run:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">shell</span><span class="o">%</span> <span class="n">kinit</span> <span class="n">admin</span><span class="o">/</span><span class="n">admin</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span>
-</pre></div>
-</div>
-</section>
-<section id="install-the-replica-kdcs">
-<h2>Install the replica KDCs<a class="headerlink" href="#install-the-replica-kdcs" title="Link to this heading">¶</a></h2>
-<p>You are now ready to start configuring the replica KDCs.</p>
-<div class="admonition note">
-<p class="admonition-title">Note</p>
-<p>Assuming you are setting the KDCs up so that you can easily
-switch the primary KDC with one of the replicas, you should
-perform each of these steps on the primary KDC as well as
-the replica KDCs, unless these instructions specify
-otherwise.</p>
-</div>
-<section id="create-host-keytabs-for-replica-kdcs">
-<span id="replica-host-key"></span><h3>Create host keytabs for replica KDCs<a class="headerlink" href="#create-host-keytabs-for-replica-kdcs" title="Link to this heading">¶</a></h3>
-<p>Each KDC needs a <code class="docutils literal notranslate"><span class="pre">host</span></code> key in the Kerberos database. These keys
-are used for mutual authentication when propagating the database dump
-file from the primary KDC to the secondary KDC servers.</p>
-<p>On the primary KDC, connect to administrative interface and create the
-host principal for each of the KDCs’ <code class="docutils literal notranslate"><span class="pre">host</span></code> services. For example,
-if the primary KDC were called <code class="docutils literal notranslate"><span class="pre">kerberos.mit.edu</span></code>, and you had a
-replica KDC named <code class="docutils literal notranslate"><span class="pre">kerberos-1.mit.edu</span></code>, you would type the
-following:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">shell</span><span class="o">%</span> <span class="n">kadmin</span>
-<span class="n">kadmin</span><span class="p">:</span> <span class="n">addprinc</span> <span class="o">-</span><span class="n">randkey</span> <span class="n">host</span><span class="o">/</span><span class="n">kerberos</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span>
-<span class="n">No</span> <span class="n">policy</span> <span class="n">specified</span> <span class="k">for</span> <span class="s2">&quot;host/kerberos.mit.edu@ATHENA.MIT.EDU&quot;</span><span class="p">;</span> <span class="n">assigning</span> <span class="s2">&quot;default&quot;</span>
-<span class="n">Principal</span> <span class="s2">&quot;host/kerberos.mit.edu@ATHENA.MIT.EDU&quot;</span> <span class="n">created</span><span class="o">.</span>
-
-<span class="n">kadmin</span><span class="p">:</span> <span class="n">addprinc</span> <span class="o">-</span><span class="n">randkey</span> <span class="n">host</span><span class="o">/</span><span class="n">kerberos</span><span class="o">-</span><span class="mf">1.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span>
-<span class="n">No</span> <span class="n">policy</span> <span class="n">specified</span> <span class="k">for</span> <span class="s2">&quot;host/kerberos-1.mit.edu@ATHENA.MIT.EDU&quot;</span><span class="p">;</span> <span class="n">assigning</span> <span class="s2">&quot;default&quot;</span>
-<span class="n">Principal</span> <span class="s2">&quot;host/kerberos-1.mit.edu@ATHENA.MIT.EDU&quot;</span> <span class="n">created</span><span class="o">.</span>
-</pre></div>
-</div>
-<p>It is not strictly necessary to have the primary KDC server in the
-Kerberos database, but it can be handy if you want to be able to swap
-the primary KDC with one of the replicas.</p>
-<p>Next, extract <code class="docutils literal notranslate"><span class="pre">host</span></code> random keys for all participating KDCs and
-store them in each host’s default keytab file. Ideally, you should
-extract each keytab locally on its own KDC. If this is not feasible,
-you should use an encrypted session to send them across the network.
-To extract a keytab directly on a replica KDC called
-<code class="docutils literal notranslate"><span class="pre">kerberos-1.mit.edu</span></code>, you would execute the following command:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">ktadd</span> <span class="n">host</span><span class="o">/</span><span class="n">kerberos</span><span class="o">-</span><span class="mf">1.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span>
-<span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">host</span><span class="o">/</span><span class="n">kerberos</span><span class="o">-</span><span class="mf">1.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">2</span><span class="p">,</span> <span class="n">encryption</span>
- <span class="nb">type</span> <span class="n">aes256</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span> <span class="n">added</span> <span class="n">to</span> <span class="n">keytab</span> <span class="n">FILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">krb5</span><span class="o">.</span><span class="n">keytab</span><span class="o">.</span>
-<span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">host</span><span class="o">/</span><span class="n">kerberos</span><span class="o">-</span><span class="mf">1.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">2</span><span class="p">,</span> <span class="n">encryption</span>
- <span class="nb">type</span> <span class="n">aes128</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span> <span class="n">added</span> <span class="n">to</span> <span class="n">keytab</span> <span class="n">FILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">krb5</span><span class="o">.</span><span class="n">keytab</span><span class="o">.</span>
-<span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">host</span><span class="o">/</span><span class="n">kerberos</span><span class="o">-</span><span class="mf">1.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">2</span><span class="p">,</span> <span class="n">encryption</span>
- <span class="nb">type</span> <span class="n">aes256</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha384</span><span class="o">-</span><span class="mi">192</span> <span class="n">added</span> <span class="n">to</span> <span class="n">keytab</span> <span class="n">FILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">krb5</span><span class="o">.</span><span class="n">keytab</span><span class="o">.</span>
-<span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">host</span><span class="o">/</span><span class="n">kerberos</span><span class="o">-</span><span class="mf">1.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">2</span><span class="p">,</span> <span class="n">encryption</span>
- <span class="nb">type</span> <span class="n">arcfour</span><span class="o">-</span><span class="n">hmac</span> <span class="n">added</span> <span class="n">to</span> <span class="n">keytab</span> <span class="n">FILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">krb5</span><span class="o">.</span><span class="n">keytab</span><span class="o">.</span>
-</pre></div>
-</div>
-<p>If you are instead extracting a keytab for the replica KDC called
-<code class="docutils literal notranslate"><span class="pre">kerberos-1.mit.edu</span></code> on the primary KDC, you should use a dedicated
-temporary keytab file for that machine’s keytab:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">ktadd</span> <span class="o">-</span><span class="n">k</span> <span class="o">/</span><span class="n">tmp</span><span class="o">/</span><span class="n">kerberos</span><span class="o">-</span><span class="mf">1.</span><span class="n">keytab</span> <span class="n">host</span><span class="o">/</span><span class="n">kerberos</span><span class="o">-</span><span class="mf">1.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span>
-<span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">host</span><span class="o">/</span><span class="n">kerberos</span><span class="o">-</span><span class="mf">1.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">2</span><span class="p">,</span> <span class="n">encryption</span>
- <span class="nb">type</span> <span class="n">aes256</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span> <span class="n">added</span> <span class="n">to</span> <span class="n">keytab</span> <span class="n">FILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">krb5</span><span class="o">.</span><span class="n">keytab</span><span class="o">.</span>
-<span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">host</span><span class="o">/</span><span class="n">kerberos</span><span class="o">-</span><span class="mf">1.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">2</span><span class="p">,</span> <span class="n">encryption</span>
- <span class="nb">type</span> <span class="n">aes128</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span> <span class="n">added</span> <span class="n">to</span> <span class="n">keytab</span> <span class="n">FILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">krb5</span><span class="o">.</span><span class="n">keytab</span><span class="o">.</span>
-</pre></div>
-</div>
-<p>The file <code class="docutils literal notranslate"><span class="pre">/tmp/kerberos-1.keytab</span></code> can then be installed as
-<code class="docutils literal notranslate"><span class="pre">/etc/krb5.keytab</span></code> on the host <code class="docutils literal notranslate"><span class="pre">kerberos-1.mit.edu</span></code>.</p>
-</section>
-<section id="configure-replica-kdcs">
-<h3>Configure replica KDCs<a class="headerlink" href="#configure-replica-kdcs" title="Link to this heading">¶</a></h3>
-<p>Database propagation copies the contents of the primary’s database,
-but does not propagate configuration files, stash files, or the kadm5
-ACL file. The following files must be copied by hand to each replica
-(see <a class="reference internal" href="../mitK5defaults.html#mitk5defaults"><span class="std std-ref">MIT Kerberos defaults</span></a> for the default locations for these files):</p>
-<ul class="simple">
-<li><p>krb5.conf</p></li>
-<li><p>kdc.conf</p></li>
-<li><p>kadm5.acl</p></li>
-<li><p>master key stash file</p></li>
-</ul>
-<p>Move the copied files into their appropriate directories, exactly as
-on the primary KDC. kadm5.acl is only needed to allow a replica to
-swap with the primary KDC.</p>
-<p>The database is propagated from the primary KDC to the replica KDCs
-via the <a class="reference internal" href="admin_commands/kpropd.html#kpropd-8"><span class="std std-ref">kpropd</span></a> daemon. You must explicitly specify the
-principals which are allowed to provide Kerberos dump updates on the
-replica machine with a new database. Create a file named kpropd.acl
-in the KDC state directory containing the <code class="docutils literal notranslate"><span class="pre">host</span></code> principals for each
-of the KDCs:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">host</span><span class="o">/</span><span class="n">kerberos</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span>
-<span class="n">host</span><span class="o">/</span><span class="n">kerberos</span><span class="o">-</span><span class="mf">1.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span>
-</pre></div>
-</div>
-<div class="admonition note">
-<p class="admonition-title">Note</p>
-<p>If you expect that the primary and replica KDCs will be
-switched at some point of time, list the host principals
-from all participating KDC servers in kpropd.acl files on
-all of the KDCs. Otherwise, you only need to list the
-primary KDC’s host principal in the kpropd.acl files of the
-replica KDCs.</p>
-</div>
-<p>Then, add the following line to <code class="docutils literal notranslate"><span class="pre">/etc/inetd.conf</span></code> on each KDC
-(adjust the path to kpropd):</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">krb5_prop</span> <span class="n">stream</span> <span class="n">tcp</span> <span class="n">nowait</span> <span class="n">root</span> <span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">local</span><span class="o">/</span><span class="n">sbin</span><span class="o">/</span><span class="n">kpropd</span> <span class="n">kpropd</span>
-</pre></div>
-</div>
-<p>You also need to add the following line to <code class="docutils literal notranslate"><span class="pre">/etc/services</span></code> on each
-KDC, if it is not already present (assuming that the default port is
-used):</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">krb5_prop</span> <span class="mi">754</span><span class="o">/</span><span class="n">tcp</span> <span class="c1"># Kerberos replica propagation</span>
-</pre></div>
-</div>
-<p>Restart inetd daemon.</p>
-<p>Alternatively, start <a class="reference internal" href="admin_commands/kpropd.html#kpropd-8"><span class="std std-ref">kpropd</span></a> as a stand-alone daemon. This is
-required when incremental propagation is enabled.</p>
-<p>Now that the replica KDC is able to accept database propagation,
-you’ll need to propagate the database from the primary server.</p>
-<p>NOTE: Do not start the replica KDC yet; you still do not have a copy
-of the primary’s database.</p>
-</section>
-<section id="propagate-the-database-to-each-replica-kdc">
-<span id="kprop-to-replicas"></span><h3>Propagate the database to each replica KDC<a class="headerlink" href="#propagate-the-database-to-each-replica-kdc" title="Link to this heading">¶</a></h3>
-<p>First, create a dump file of the database on the primary KDC, as
-follows:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">shell</span><span class="o">%</span> <span class="n">kdb5_util</span> <span class="n">dump</span> <span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">local</span><span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">krb5kdc</span><span class="o">/</span><span class="n">replica_datatrans</span>
-</pre></div>
-</div>
-<p>Then, manually propagate the database to each replica KDC, as in the
-following example:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">shell</span><span class="o">%</span> <span class="n">kprop</span> <span class="o">-</span><span class="n">f</span> <span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">local</span><span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">krb5kdc</span><span class="o">/</span><span class="n">replica_datatrans</span> <span class="n">kerberos</span><span class="o">-</span><span class="mf">1.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span>
-
-<span class="n">Database</span> <span class="n">propagation</span> <span class="n">to</span> <span class="n">kerberos</span><span class="o">-</span><span class="mf">1.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span><span class="p">:</span> <span class="n">SUCCEEDED</span>
-</pre></div>
-</div>
-<p>You will need a script to dump and propagate the database. The
-following is an example of a Bourne shell script that will do this.</p>
-<div class="admonition note">
-<p class="admonition-title">Note</p>
-<p>Remember that you need to replace <code class="docutils literal notranslate"><span class="pre">/usr/local/var/krb5kdc</span></code>
-with the name of the KDC state directory.</p>
-</div>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>#!/bin/sh
-
-kdclist = &quot;kerberos-1.mit.edu kerberos-2.mit.edu&quot;
-
-kdb5_util dump /usr/local/var/krb5kdc/replica_datatrans
-
-for kdc in $kdclist
-do
- kprop -f /usr/local/var/krb5kdc/replica_datatrans $kdc
-done
-</pre></div>
-</div>
-<p>You will need to set up a cron job to run this script at the intervals
-you decided on earlier (see <a class="reference internal" href="realm_config.html#db-prop"><span class="std std-ref">Database propagation</span></a>).</p>
-<p>Now that the replica KDC has a copy of the Kerberos database, you can
-start the krb5kdc daemon:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">shell</span><span class="o">%</span> <span class="n">krb5kdc</span>
-</pre></div>
-</div>
-<p>As with the primary KDC, you will probably want to add this command to
-the KDCs’ <code class="docutils literal notranslate"><span class="pre">/etc/rc</span></code> or <code class="docutils literal notranslate"><span class="pre">/etc/inittab</span></code> files, so they will start
-the krb5kdc daemon automatically at boot time.</p>
-<section id="propagation-failed">
-<h4>Propagation failed?<a class="headerlink" href="#propagation-failed" title="Link to this heading">¶</a></h4>
-<p>You may encounter the following error messages. For a more detailed
-discussion on possible causes and solutions click on the error link
-to be redirected to <a class="reference internal" href="troubleshoot.html#troubleshoot"><span class="std std-ref">Troubleshooting</span></a> section.</p>
-<ol class="arabic simple">
-<li><p><a class="reference internal" href="troubleshoot.html#kprop-no-route"><span class="std std-ref">kprop: No route to host while connecting to server</span></a></p></li>
-<li><p><a class="reference internal" href="troubleshoot.html#kprop-con-refused"><span class="std std-ref">kprop: Connection refused while connecting to server</span></a></p></li>
-<li><p><a class="reference internal" href="troubleshoot.html#kprop-sendauth-exchange"><span class="std std-ref">kprop: Server rejected authentication (during sendauth exchange) while authenticating to server</span></a></p></li>
-</ol>
-</section>
-</section>
-</section>
-<section id="add-kerberos-principals-to-the-database">
-<h2>Add Kerberos principals to the database<a class="headerlink" href="#add-kerberos-principals-to-the-database" title="Link to this heading">¶</a></h2>
-<p>Once your KDCs are set up and running, you are ready to use
-<a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> to load principals for your users, hosts, and other
-services into the Kerberos database. This procedure is described
-fully in <a class="reference internal" href="database.html#principals"><span class="std std-ref">Principals</span></a>.</p>
-<p>You may occasionally want to use one of your replica KDCs as the
-primary. This might happen if you are upgrading the primary KDC, or
-if your primary KDC has a disk crash. See the following section for
-the instructions.</p>
-</section>
-<section id="switching-primary-and-replica-kdcs">
-<span id="switch-primary-replica"></span><h2>Switching primary and replica KDCs<a class="headerlink" href="#switching-primary-and-replica-kdcs" title="Link to this heading">¶</a></h2>
-<p>You may occasionally want to use one of your replica KDCs as the
-primary. This might happen if you are upgrading the primary KDC, or
-if your primary KDC has a disk crash.</p>
-<p>Assuming you have configured all of your KDCs to be able to function
-as either the primary KDC or a replica KDC (as this document
-recommends), all you need to do to make the changeover is:</p>
-<p>If the primary KDC is still running, do the following on the <em>old</em>
-primary KDC:</p>
-<ol class="arabic simple">
-<li><p>Kill the kadmind process.</p></li>
-<li><p>Disable the cron job that propagates the database.</p></li>
-<li><p>Run your database propagation script manually, to ensure that the
-replicas all have the latest copy of the database (see
-<a class="reference internal" href="#kprop-to-replicas"><span class="std std-ref">Propagate the database to each replica KDC</span></a>).</p></li>
-</ol>
-<p>On the <em>new</em> primary KDC:</p>
-<ol class="arabic simple">
-<li><p>Start the <a class="reference internal" href="admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> daemon (see <a class="reference internal" href="#start-kdc-daemons"><span class="std std-ref">Start the Kerberos daemons on the primary KDC</span></a>).</p></li>
-<li><p>Set up the cron job to propagate the database (see
-<a class="reference internal" href="#kprop-to-replicas"><span class="std std-ref">Propagate the database to each replica KDC</span></a>).</p></li>
-<li><p>Switch the CNAMEs of the old and new primary KDCs. If you can’t do
-this, you’ll need to change the <a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a> file on every
-client machine in your Kerberos realm.</p></li>
-</ol>
-</section>
-<section id="incremental-database-propagation">
-<h2>Incremental database propagation<a class="headerlink" href="#incremental-database-propagation" title="Link to this heading">¶</a></h2>
-<p>If you expect your Kerberos database to become large, you may wish to
-set up incremental propagation to replica KDCs. See
-<a class="reference internal" href="database.html#incr-db-prop"><span class="std std-ref">Incremental database propagation</span></a> for details.</p>
-</section>
-</section>
-
-
- <div class="clearer"></div>
- </div>
- </div>
- </div>
- </div>
- <div class="sidebar">
-
- <h2>On this page</h2>
- <ul>
-<li><a class="reference internal" href="#">Installing KDCs</a><ul>
-<li><a class="reference internal" href="#install-and-configure-the-primary-kdc">Install and configure the primary KDC</a></li>
-<li><a class="reference internal" href="#edit-kdc-configuration-files">Edit KDC configuration files</a><ul>
-<li><a class="reference internal" href="#krb5-conf">krb5.conf</a></li>
-<li><a class="reference internal" href="#kdc-conf">kdc.conf</a></li>
-</ul>
-</li>
-<li><a class="reference internal" href="#create-the-kdc-database">Create the KDC database</a></li>
-<li><a class="reference internal" href="#add-administrators-to-the-acl-file">Add administrators to the ACL file</a></li>
-<li><a class="reference internal" href="#add-administrators-to-the-kerberos-database">Add administrators to the Kerberos database</a></li>
-<li><a class="reference internal" href="#start-the-kerberos-daemons-on-the-primary-kdc">Start the Kerberos daemons on the primary KDC</a></li>
-<li><a class="reference internal" href="#install-the-replica-kdcs">Install the replica KDCs</a><ul>
-<li><a class="reference internal" href="#create-host-keytabs-for-replica-kdcs">Create host keytabs for replica KDCs</a></li>
-<li><a class="reference internal" href="#configure-replica-kdcs">Configure replica KDCs</a></li>
-<li><a class="reference internal" href="#propagate-the-database-to-each-replica-kdc">Propagate the database to each replica KDC</a><ul>
-<li><a class="reference internal" href="#propagation-failed">Propagation failed?</a></li>
-</ul>
-</li>
-</ul>
-</li>
-<li><a class="reference internal" href="#add-kerberos-principals-to-the-database">Add Kerberos principals to the database</a></li>
-<li><a class="reference internal" href="#switching-primary-and-replica-kdcs">Switching primary and replica KDCs</a></li>
-<li><a class="reference internal" href="#incremental-database-propagation">Incremental database propagation</a></li>
-</ul>
-</li>
-</ul>
-
- <br/>
- <h2>Table of contents</h2>
- <ul class="current">
-<li class="toctree-l1"><a class="reference internal" href="../user/index.html">For users</a></li>
-<li class="toctree-l1 current"><a class="reference internal" href="index.html">For administrators</a><ul class="current">
-<li class="toctree-l2 current"><a class="reference internal" href="install.html">Installation guide</a><ul class="current">
-<li class="toctree-l3 current"><a class="current reference internal" href="#">Installing KDCs</a></li>
-<li class="toctree-l3"><a class="reference internal" href="install_clients.html">Installing and configuring UNIX client machines</a></li>
-<li class="toctree-l3"><a class="reference internal" href="install_appl_srv.html">UNIX Application Servers</a></li>
-</ul>
-</li>
-<li class="toctree-l2"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li>
-<li class="toctree-l2"><a class="reference internal" href="realm_config.html">Realm configuration decisions</a></li>
-<li class="toctree-l2"><a class="reference internal" href="database.html">Database administration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="dbtypes.html">Database types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="lockout.html">Account lockout</a></li>
-<li class="toctree-l2"><a class="reference internal" href="conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
-<li class="toctree-l2"><a class="reference internal" href="appl_servers.html">Application servers</a></li>
-<li class="toctree-l2"><a class="reference internal" href="host_config.html">Host configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="backup_host.html">Backups of secure hosts</a></li>
-<li class="toctree-l2"><a class="reference internal" href="pkinit.html">PKINIT configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="otp.html">OTP Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="spake.html">SPAKE Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="dictionary.html">Addressing dictionary attack risks</a></li>
-<li class="toctree-l2"><a class="reference internal" href="princ_dns.html">Principal names and DNS</a></li>
-<li class="toctree-l2"><a class="reference internal" href="enctypes.html">Encryption types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="https.html">HTTPS proxy configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="auth_indicator.html">Authentication indicators</a></li>
-<li class="toctree-l2"><a class="reference internal" href="admin_commands/index.html">Administration programs</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../mitK5defaults.html">MIT Kerberos defaults</a></li>
-<li class="toctree-l2"><a class="reference internal" href="env_variables.html">Environment variables</a></li>
-<li class="toctree-l2"><a class="reference internal" href="troubleshoot.html">Troubleshooting</a></li>
-<li class="toctree-l2"><a class="reference internal" href="advanced/index.html">Advanced topics</a></li>
-<li class="toctree-l2"><a class="reference internal" href="various_envs.html">Various links</a></li>
-</ul>
-</li>
-<li class="toctree-l1"><a class="reference internal" href="../appdev/index.html">For application developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../plugindev/index.html">For plugin module developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../basic/index.html">Kerberos V5 concepts</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../formats/index.html">Protocols and file formats</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../build_this.html">How to build this documentation from the source</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../about.html">Contributing to the MIT Kerberos Documentation</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../resources.html">Resources</a></li>
-</ul>
-
- <br/>
- <h4><a href="../index.html">Full Table of Contents</a></h4>
- <h4>Search</h4>
- <form class="search" action="../search.html" method="get">
- <input type="text" name="q" size="18" />
- <input type="submit" value="Go" />
- <input type="hidden" name="check_keywords" value="yes" />
- <input type="hidden" name="area" value="default" />
- </form>
-
- </div>
- <div class="clearer"></div>
- </div>
- </div>
-
- <div class="footer-wrapper">
- <div class="footer" >
- <div class="right" ><i>Release: 1.22-final</i><br />
- &copy; <a href="../copyright.html">Copyright</a> 1985-2025, MIT.
- </div>
- <div class="left">
-
- <a href="../index.html" title="Full Table of Contents"
- >Contents</a> |
- <a href="install.html" title="Installation guide"
- >previous</a> |
- <a href="install_clients.html" title="Installing and configuring UNIX client machines"
- >next</a> |
- <a href="../genindex.html" title="General Index"
- >index</a> |
- <a href="../search.html" title="Enter search criteria"
- >Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Installing KDCs">feedback</a>
- </div>
- </div>
- </div>
-
- </body>
-</html> \ No newline at end of file
diff --git a/crypto/krb5/doc/html/admin/lockout.html b/crypto/krb5/doc/html/admin/lockout.html
deleted file mode 100644
index 3bedd7fb93dd..000000000000
--- a/crypto/krb5/doc/html/admin/lockout.html
+++ /dev/null
@@ -1,291 +0,0 @@
-<!DOCTYPE html>
-
-<html lang="en" data-content_root="../">
- <head>
- <meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
-
- <title>Account lockout &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../_static/pygments.css?v=fa44fd50" />
- <link rel="stylesheet" type="text/css" href="../_static/agogo.css?v=879f3c71" />
- <link rel="stylesheet" type="text/css" href="../_static/kerb.css?v=6a0b3979" />
- <script src="../_static/documentation_options.js?v=236fef3b"></script>
- <script src="../_static/doctools.js?v=888ff710"></script>
- <script src="../_static/sphinx_highlight.js?v=dc90522c"></script>
- <link rel="author" title="About these documents" href="../about.html" />
- <link rel="index" title="Index" href="../genindex.html" />
- <link rel="search" title="Search" href="../search.html" />
- <link rel="copyright" title="Copyright" href="../copyright.html" />
- <link rel="next" title="Configuring Kerberos with OpenLDAP back-end" href="conf_ldap.html" />
- <link rel="prev" title="Database types" href="dbtypes.html" />
- </head><body>
- <div class="header-wrapper">
- <div class="header">
-
-
- <h1><a href="../index.html">MIT Kerberos Documentation</a></h1>
-
- <div class="rel">
-
- <a href="../index.html" title="Full Table of Contents"
- accesskey="C">Contents</a> |
- <a href="dbtypes.html" title="Database types"
- accesskey="P">previous</a> |
- <a href="conf_ldap.html" title="Configuring Kerberos with OpenLDAP back-end"
- accesskey="N">next</a> |
- <a href="../genindex.html" title="General Index"
- accesskey="I">index</a> |
- <a href="../search.html" title="Enter search criteria"
- accesskey="S">Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Account lockout">feedback</a>
- </div>
- </div>
- </div>
-
- <div class="content-wrapper">
- <div class="content">
- <div class="document">
-
- <div class="documentwrapper">
- <div class="bodywrapper">
- <div class="body" role="main">
-
- <section id="account-lockout">
-<span id="lockout"></span><h1>Account lockout<a class="headerlink" href="#account-lockout" title="Link to this heading">¶</a></h1>
-<p>As of release 1.8, the KDC can be configured to lock out principals
-after a number of failed authentication attempts within a period of
-time. Account lockout can make it more difficult to attack a
-principal’s password by brute force, but also makes it easy for an
-attacker to deny access to a principal.</p>
-<section id="configuring-account-lockout">
-<h2>Configuring account lockout<a class="headerlink" href="#configuring-account-lockout" title="Link to this heading">¶</a></h2>
-<p>Account lockout only works for principals with the
-<strong>+requires_preauth</strong> flag set. Without this flag, the KDC cannot
-know whether or not a client successfully decrypted the ticket it
-issued. It is also important to set the <strong>-allow_svr</strong> flag on a
-principal to protect its password from an off-line dictionary attack
-through a TGS request. You can set these flags on a principal with
-<a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> as follows:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">modprinc</span> <span class="o">+</span><span class="n">requires_preauth</span> <span class="o">-</span><span class="n">allow_svr</span> <span class="n">PRINCNAME</span>
-</pre></div>
-</div>
-<p>Account lockout parameters are configured via <a class="reference internal" href="database.html#policies"><span class="std std-ref">policy objects</span></a>. There may be an existing policy associated with user
-principals (such as the “default” policy), or you may need to create a
-new one and associate it with each user principal.</p>
-<p>The policy parameters related to account lockout are:</p>
-<ul class="simple">
-<li><p><a class="reference internal" href="admin_commands/kadmin_local.html#policy-maxfailure"><span class="std std-ref">maxfailure</span></a>: the number of failed attempts
-before the principal is locked out</p></li>
-<li><p><a class="reference internal" href="admin_commands/kadmin_local.html#policy-failurecountinterval"><span class="std std-ref">failurecountinterval</span></a>: the
-allowable interval between failed attempts</p></li>
-<li><p><a class="reference internal" href="admin_commands/kadmin_local.html#policy-lockoutduration"><span class="std std-ref">lockoutduration</span></a>: the amount of time
-a principal is locked out for</p></li>
-</ul>
-<p>Here is an example of setting these parameters on a new policy and
-associating it with a principal:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">addpol</span> <span class="o">-</span><span class="n">maxfailure</span> <span class="mi">10</span> <span class="o">-</span><span class="n">failurecountinterval</span> <span class="mi">180</span>
- <span class="o">-</span><span class="n">lockoutduration</span> <span class="mi">60</span> <span class="n">lockout_policy</span>
-<span class="n">kadmin</span><span class="p">:</span> <span class="n">modprinc</span> <span class="o">-</span><span class="n">policy</span> <span class="n">lockout_policy</span> <span class="n">PRINCNAME</span>
-</pre></div>
-</div>
-</section>
-<section id="testing-account-lockout">
-<h2>Testing account lockout<a class="headerlink" href="#testing-account-lockout" title="Link to this heading">¶</a></h2>
-<p>To test that account lockout is working, try authenticating as the
-principal (hopefully not one that might be in use) multiple times with
-the wrong password. For instance, if <strong>maxfailure</strong> is set to 2, you
-might see:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>$ kinit user
-Password for user@KRBTEST.COM:
-kinit: Password incorrect while getting initial credentials
-$ kinit user
-Password for user@KRBTEST.COM:
-kinit: Password incorrect while getting initial credentials
-$ kinit user
-kinit: Client&#39;s credentials have been revoked while getting initial credentials
-</pre></div>
-</div>
-</section>
-<section id="account-lockout-principal-state">
-<h2>Account lockout principal state<a class="headerlink" href="#account-lockout-principal-state" title="Link to this heading">¶</a></h2>
-<p>A principal entry keeps three pieces of state related to account
-lockout:</p>
-<ul class="simple">
-<li><p>The time of last successful authentication</p></li>
-<li><p>The time of last failed authentication</p></li>
-<li><p>A counter of failed attempts</p></li>
-</ul>
-<p>The time of last successful authentication is not actually needed for
-the account lockout system to function, but may be of administrative
-interest. These fields can be observed with the <strong>getprinc</strong> kadmin
-command. For example:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">getprinc</span> <span class="n">user</span>
-<span class="n">Principal</span><span class="p">:</span> <span class="n">user</span><span class="nd">@KRBTEST</span><span class="o">.</span><span class="n">COM</span>
-<span class="o">...</span>
-<span class="n">Last</span> <span class="n">successful</span> <span class="n">authentication</span><span class="p">:</span> <span class="p">[</span><span class="n">never</span><span class="p">]</span>
-<span class="n">Last</span> <span class="n">failed</span> <span class="n">authentication</span><span class="p">:</span> <span class="n">Mon</span> <span class="n">Dec</span> <span class="mi">03</span> <span class="mi">12</span><span class="p">:</span><span class="mi">30</span><span class="p">:</span><span class="mi">33</span> <span class="n">EST</span> <span class="mi">2012</span>
-<span class="n">Failed</span> <span class="n">password</span> <span class="n">attempts</span><span class="p">:</span> <span class="mi">2</span>
-<span class="o">...</span>
-</pre></div>
-</div>
-<p>A principal which has been locked out can be administratively unlocked
-with the <strong>-unlock</strong> option to the <strong>modprinc</strong> kadmin command:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">modprinc</span> <span class="o">-</span><span class="n">unlock</span> <span class="n">PRINCNAME</span>
-</pre></div>
-</div>
-<p>This command will reset the number of failed attempts to 0.</p>
-</section>
-<section id="kdc-replication-and-account-lockout">
-<h2>KDC replication and account lockout<a class="headerlink" href="#kdc-replication-and-account-lockout" title="Link to this heading">¶</a></h2>
-<p>The account lockout state of a principal is not replicated by either
-traditional <a class="reference internal" href="admin_commands/kprop.html#kprop-8"><span class="std std-ref">kprop</span></a> or incremental propagation. Because of
-this, the number of attempts an attacker can make within a time period
-is multiplied by the number of KDCs. For instance, if the
-<strong>maxfailure</strong> parameter on a policy is 10 and there are four KDCs in
-the environment (a primary and three replicas), an attacker could make
-as many as 40 attempts before the principal is locked out on all four
-KDCs.</p>
-<p>An administrative unlock is propagated from the primary to the replica
-KDCs during the next propagation. Propagation of an administrative
-unlock will cause the counter of failed attempts on each replica to
-reset to 1 on the next failure.</p>
-<p>If a KDC environment uses a replication strategy other than kprop or
-incremental propagation, such as the LDAP KDB module with multi-master
-LDAP replication, then account lockout state may be replicated between
-KDCs and the concerns of this section may not apply.</p>
-</section>
-<section id="kdc-performance-and-account-lockout">
-<span id="disable-lockout"></span><h2>KDC performance and account lockout<a class="headerlink" href="#kdc-performance-and-account-lockout" title="Link to this heading">¶</a></h2>
-<p>In order to fully track account lockout state, the KDC must write to
-the the database on each successful and failed authentication.
-Writing to the database is generally more expensive than reading from
-it, so these writes may have a significant impact on KDC performance.
-As of release 1.9, it is possible to turn off account lockout state
-tracking in order to improve performance, by setting the
-<strong>disable_last_success</strong> and <strong>disable_lockout</strong> variables in the
-database module subsection of <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>. For example:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">dbmodules</span><span class="p">]</span>
- <span class="n">DB</span> <span class="o">=</span> <span class="p">{</span>
- <span class="n">disable_last_success</span> <span class="o">=</span> <span class="n">true</span>
- <span class="n">disable_lockout</span> <span class="o">=</span> <span class="n">true</span>
- <span class="p">}</span>
-</pre></div>
-</div>
-<p>Of the two variables, setting <strong>disable_last_success</strong> will usually
-have the largest positive impact on performance, and will still allow
-account lockout policies to operate. However, it will make it
-impossible to observe the last successful authentication time with
-kadmin.</p>
-</section>
-<section id="kdc-setup-and-account-lockout">
-<h2>KDC setup and account lockout<a class="headerlink" href="#kdc-setup-and-account-lockout" title="Link to this heading">¶</a></h2>
-<p>To update the account lockout state on principals, the KDC must be
-able to write to the principal database. For the DB2 module, no
-special setup is required. For the LDAP module, the KDC DN must be
-granted write access to the principal objects. If the KDC DN has only
-read access, account lockout will not function.</p>
-</section>
-</section>
-
-
- <div class="clearer"></div>
- </div>
- </div>
- </div>
- </div>
- <div class="sidebar">
-
- <h2>On this page</h2>
- <ul>
-<li><a class="reference internal" href="#">Account lockout</a><ul>
-<li><a class="reference internal" href="#configuring-account-lockout">Configuring account lockout</a></li>
-<li><a class="reference internal" href="#testing-account-lockout">Testing account lockout</a></li>
-<li><a class="reference internal" href="#account-lockout-principal-state">Account lockout principal state</a></li>
-<li><a class="reference internal" href="#kdc-replication-and-account-lockout">KDC replication and account lockout</a></li>
-<li><a class="reference internal" href="#kdc-performance-and-account-lockout">KDC performance and account lockout</a></li>
-<li><a class="reference internal" href="#kdc-setup-and-account-lockout">KDC setup and account lockout</a></li>
-</ul>
-</li>
-</ul>
-
- <br/>
- <h2>Table of contents</h2>
- <ul class="current">
-<li class="toctree-l1"><a class="reference internal" href="../user/index.html">For users</a></li>
-<li class="toctree-l1 current"><a class="reference internal" href="index.html">For administrators</a><ul class="current">
-<li class="toctree-l2"><a class="reference internal" href="install.html">Installation guide</a></li>
-<li class="toctree-l2"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li>
-<li class="toctree-l2"><a class="reference internal" href="realm_config.html">Realm configuration decisions</a></li>
-<li class="toctree-l2"><a class="reference internal" href="database.html">Database administration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="dbtypes.html">Database types</a></li>
-<li class="toctree-l2 current"><a class="current reference internal" href="#">Account lockout</a></li>
-<li class="toctree-l2"><a class="reference internal" href="conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
-<li class="toctree-l2"><a class="reference internal" href="appl_servers.html">Application servers</a></li>
-<li class="toctree-l2"><a class="reference internal" href="host_config.html">Host configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="backup_host.html">Backups of secure hosts</a></li>
-<li class="toctree-l2"><a class="reference internal" href="pkinit.html">PKINIT configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="otp.html">OTP Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="spake.html">SPAKE Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="dictionary.html">Addressing dictionary attack risks</a></li>
-<li class="toctree-l2"><a class="reference internal" href="princ_dns.html">Principal names and DNS</a></li>
-<li class="toctree-l2"><a class="reference internal" href="enctypes.html">Encryption types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="https.html">HTTPS proxy configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="auth_indicator.html">Authentication indicators</a></li>
-<li class="toctree-l2"><a class="reference internal" href="admin_commands/index.html">Administration programs</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../mitK5defaults.html">MIT Kerberos defaults</a></li>
-<li class="toctree-l2"><a class="reference internal" href="env_variables.html">Environment variables</a></li>
-<li class="toctree-l2"><a class="reference internal" href="troubleshoot.html">Troubleshooting</a></li>
-<li class="toctree-l2"><a class="reference internal" href="advanced/index.html">Advanced topics</a></li>
-<li class="toctree-l2"><a class="reference internal" href="various_envs.html">Various links</a></li>
-</ul>
-</li>
-<li class="toctree-l1"><a class="reference internal" href="../appdev/index.html">For application developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../plugindev/index.html">For plugin module developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../basic/index.html">Kerberos V5 concepts</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../formats/index.html">Protocols and file formats</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../build_this.html">How to build this documentation from the source</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../about.html">Contributing to the MIT Kerberos Documentation</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../resources.html">Resources</a></li>
-</ul>
-
- <br/>
- <h4><a href="../index.html">Full Table of Contents</a></h4>
- <h4>Search</h4>
- <form class="search" action="../search.html" method="get">
- <input type="text" name="q" size="18" />
- <input type="submit" value="Go" />
- <input type="hidden" name="check_keywords" value="yes" />
- <input type="hidden" name="area" value="default" />
- </form>
-
- </div>
- <div class="clearer"></div>
- </div>
- </div>
-
- <div class="footer-wrapper">
- <div class="footer" >
- <div class="right" ><i>Release: 1.22-final</i><br />
- &copy; <a href="../copyright.html">Copyright</a> 1985-2025, MIT.
- </div>
- <div class="left">
-
- <a href="../index.html" title="Full Table of Contents"
- >Contents</a> |
- <a href="dbtypes.html" title="Database types"
- >previous</a> |
- <a href="conf_ldap.html" title="Configuring Kerberos with OpenLDAP back-end"
- >next</a> |
- <a href="../genindex.html" title="General Index"
- >index</a> |
- <a href="../search.html" title="Enter search criteria"
- >Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Account lockout">feedback</a>
- </div>
- </div>
- </div>
-
- </body>
-</html> \ No newline at end of file
diff --git a/crypto/krb5/doc/html/admin/otp.html b/crypto/krb5/doc/html/admin/otp.html
deleted file mode 100644
index 0014ca1aaa2e..000000000000
--- a/crypto/krb5/doc/html/admin/otp.html
+++ /dev/null
@@ -1,239 +0,0 @@
-<!DOCTYPE html>
-
-<html lang="en" data-content_root="../">
- <head>
- <meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
-
- <title>OTP Preauthentication &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../_static/pygments.css?v=fa44fd50" />
- <link rel="stylesheet" type="text/css" href="../_static/agogo.css?v=879f3c71" />
- <link rel="stylesheet" type="text/css" href="../_static/kerb.css?v=6a0b3979" />
- <script src="../_static/documentation_options.js?v=236fef3b"></script>
- <script src="../_static/doctools.js?v=888ff710"></script>
- <script src="../_static/sphinx_highlight.js?v=dc90522c"></script>
- <link rel="author" title="About these documents" href="../about.html" />
- <link rel="index" title="Index" href="../genindex.html" />
- <link rel="search" title="Search" href="../search.html" />
- <link rel="copyright" title="Copyright" href="../copyright.html" />
- <link rel="next" title="SPAKE Preauthentication" href="spake.html" />
- <link rel="prev" title="PKINIT configuration" href="pkinit.html" />
- </head><body>
- <div class="header-wrapper">
- <div class="header">
-
-
- <h1><a href="../index.html">MIT Kerberos Documentation</a></h1>
-
- <div class="rel">
-
- <a href="../index.html" title="Full Table of Contents"
- accesskey="C">Contents</a> |
- <a href="pkinit.html" title="PKINIT configuration"
- accesskey="P">previous</a> |
- <a href="spake.html" title="SPAKE Preauthentication"
- accesskey="N">next</a> |
- <a href="../genindex.html" title="General Index"
- accesskey="I">index</a> |
- <a href="../search.html" title="Enter search criteria"
- accesskey="S">Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__OTP Preauthentication">feedback</a>
- </div>
- </div>
- </div>
-
- <div class="content-wrapper">
- <div class="content">
- <div class="document">
-
- <div class="documentwrapper">
- <div class="bodywrapper">
- <div class="body" role="main">
-
- <section id="otp-preauthentication">
-<span id="otp-preauth"></span><h1>OTP Preauthentication<a class="headerlink" href="#otp-preauthentication" title="Link to this heading">¶</a></h1>
-<p>OTP is a preauthentication mechanism for Kerberos 5 which uses One
-Time Passwords (OTP) to authenticate the client to the KDC. The OTP
-is passed to the KDC over an encrypted FAST channel in clear-text.
-The KDC uses the password along with per-user configuration to proxy
-the request to a third-party RADIUS system. This enables
-out-of-the-box compatibility with a large number of already widely
-deployed proprietary systems.</p>
-<p>Additionally, our implementation of the OTP system allows for the
-passing of RADIUS requests over a UNIX domain stream socket. This
-permits the use of a local companion daemon which can handle the
-details of authentication.</p>
-<section id="defining-token-types">
-<h2>Defining token types<a class="headerlink" href="#defining-token-types" title="Link to this heading">¶</a></h2>
-<p>Token types are defined in either <a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a> or
-<a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a> according to the following format:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">otp</span><span class="p">]</span>
- <span class="o">&lt;</span><span class="n">name</span><span class="o">&gt;</span> <span class="o">=</span> <span class="p">{</span>
- <span class="n">server</span> <span class="o">=</span> <span class="o">&lt;</span><span class="n">host</span><span class="p">:</span><span class="n">port</span> <span class="ow">or</span> <span class="n">filename</span><span class="o">&gt;</span> <span class="p">(</span><span class="n">default</span><span class="p">:</span> <span class="n">see</span> <span class="n">below</span><span class="p">)</span>
- <span class="n">secret</span> <span class="o">=</span> <span class="o">&lt;</span><span class="n">filename</span><span class="o">&gt;</span>
- <span class="n">timeout</span> <span class="o">=</span> <span class="o">&lt;</span><span class="n">integer</span><span class="o">&gt;</span> <span class="p">(</span><span class="n">default</span><span class="p">:</span> <span class="mi">5</span> <span class="p">[</span><span class="n">seconds</span><span class="p">])</span>
- <span class="n">retries</span> <span class="o">=</span> <span class="o">&lt;</span><span class="n">integer</span><span class="o">&gt;</span> <span class="p">(</span><span class="n">default</span><span class="p">:</span> <span class="mi">3</span><span class="p">)</span>
- <span class="n">strip_realm</span> <span class="o">=</span> <span class="o">&lt;</span><span class="n">boolean</span><span class="o">&gt;</span> <span class="p">(</span><span class="n">default</span><span class="p">:</span> <span class="n">true</span><span class="p">)</span>
- <span class="n">indicator</span> <span class="o">=</span> <span class="o">&lt;</span><span class="n">string</span><span class="o">&gt;</span> <span class="p">(</span><span class="n">default</span><span class="p">:</span> <span class="n">none</span><span class="p">)</span>
- <span class="p">}</span>
-</pre></div>
-</div>
-<p>If the server field begins with ‘/’, it will be interpreted as a UNIX
-socket. Otherwise, it is assumed to be in the format host:port. When
-a UNIX domain socket is specified, the secret field is optional and an
-empty secret is used by default. If the server field is not
-specified, it defaults to <a class="reference internal" href="../mitK5defaults.html#paths"><span class="std std-ref">RUNSTATEDIR</span></a><code class="docutils literal notranslate"><span class="pre">/krb5kdc</span></code><code class="docutils literal notranslate"><span class="pre">/&lt;name&gt;.socket</span></code>.</p>
-<p>When forwarding the request over RADIUS, by default the principal is
-used in the User-Name attribute of the RADIUS packet. The strip_realm
-parameter controls whether the principal is forwarded with or without
-the realm portion.</p>
-<p>If an indicator field is present, tickets issued using this token type
-will be annotated with the specified authentication indicator (see
-<a class="reference internal" href="auth_indicator.html#auth-indicator"><span class="std std-ref">Authentication indicators</span></a>). This key may be specified multiple times to
-add multiple indicators.</p>
-</section>
-<section id="the-default-token-type">
-<h2>The default token type<a class="headerlink" href="#the-default-token-type" title="Link to this heading">¶</a></h2>
-<p>A default token type is used internally when no token type is specified for a
-given user. It is defined as follows:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">otp</span><span class="p">]</span>
- <span class="n">DEFAULT</span> <span class="o">=</span> <span class="p">{</span>
- <span class="n">strip_realm</span> <span class="o">=</span> <span class="n">false</span>
- <span class="p">}</span>
-</pre></div>
-</div>
-<p>The administrator may override the internal <code class="docutils literal notranslate"><span class="pre">DEFAULT</span></code> token type
-simply by defining a configuration with the same name.</p>
-</section>
-<section id="token-instance-configuration">
-<h2>Token instance configuration<a class="headerlink" href="#token-instance-configuration" title="Link to this heading">¶</a></h2>
-<p>To enable OTP for a client principal, the administrator must define
-the <strong>otp</strong> string attribute for that principal. (See
-<a class="reference internal" href="admin_commands/kadmin_local.html#set-string"><span class="std std-ref">set_string</span></a>.) The <strong>otp</strong> user string is a JSON string of the
-format:</p>
-<div class="highlight-xml notranslate"><div class="highlight"><pre><span></span>[{
-<span class="w"> </span>&quot;type&quot;:<span class="w"> </span><span class="nt">&lt;string&gt;</span>,
-<span class="w"> </span>&quot;username&quot;:<span class="w"> </span><span class="nt">&lt;string&gt;</span>,
-<span class="w"> </span>&quot;indicators&quot;:<span class="w"> </span>[<span class="nt">&lt;string&gt;</span>,<span class="w"> </span>...]
-<span class="w"> </span>},<span class="w"> </span>...]
-</pre></div>
-</div>
-<p>This is an array of token objects. Both fields of token objects are
-optional. The <strong>type</strong> field names the token type of this token; if
-not specified, it defaults to <code class="docutils literal notranslate"><span class="pre">DEFAULT</span></code>. The <strong>username</strong> field
-specifies the value to be sent in the User-Name RADIUS attribute. If
-not specified, the principal name is sent, with or without realm as
-defined in the token type. The <strong>indicators</strong> field specifies a list
-of authentication indicators to annotate tickets with, overriding any
-indicators specified in the token type.</p>
-<p>For ease of configuration, an empty array (<code class="docutils literal notranslate"><span class="pre">[]</span></code>) is treated as
-equivalent to one DEFAULT token (<code class="docutils literal notranslate"><span class="pre">[{}]</span></code>).</p>
-</section>
-<section id="other-considerations">
-<h2>Other considerations<a class="headerlink" href="#other-considerations" title="Link to this heading">¶</a></h2>
-<ol class="arabic simple">
-<li><p>FAST is required for OTP to work.</p></li>
-</ol>
-</section>
-</section>
-
-
- <div class="clearer"></div>
- </div>
- </div>
- </div>
- </div>
- <div class="sidebar">
-
- <h2>On this page</h2>
- <ul>
-<li><a class="reference internal" href="#">OTP Preauthentication</a><ul>
-<li><a class="reference internal" href="#defining-token-types">Defining token types</a></li>
-<li><a class="reference internal" href="#the-default-token-type">The default token type</a></li>
-<li><a class="reference internal" href="#token-instance-configuration">Token instance configuration</a></li>
-<li><a class="reference internal" href="#other-considerations">Other considerations</a></li>
-</ul>
-</li>
-</ul>
-
- <br/>
- <h2>Table of contents</h2>
- <ul class="current">
-<li class="toctree-l1"><a class="reference internal" href="../user/index.html">For users</a></li>
-<li class="toctree-l1 current"><a class="reference internal" href="index.html">For administrators</a><ul class="current">
-<li class="toctree-l2"><a class="reference internal" href="install.html">Installation guide</a></li>
-<li class="toctree-l2"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li>
-<li class="toctree-l2"><a class="reference internal" href="realm_config.html">Realm configuration decisions</a></li>
-<li class="toctree-l2"><a class="reference internal" href="database.html">Database administration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="dbtypes.html">Database types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="lockout.html">Account lockout</a></li>
-<li class="toctree-l2"><a class="reference internal" href="conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
-<li class="toctree-l2"><a class="reference internal" href="appl_servers.html">Application servers</a></li>
-<li class="toctree-l2"><a class="reference internal" href="host_config.html">Host configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="backup_host.html">Backups of secure hosts</a></li>
-<li class="toctree-l2"><a class="reference internal" href="pkinit.html">PKINIT configuration</a></li>
-<li class="toctree-l2 current"><a class="current reference internal" href="#">OTP Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="spake.html">SPAKE Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="dictionary.html">Addressing dictionary attack risks</a></li>
-<li class="toctree-l2"><a class="reference internal" href="princ_dns.html">Principal names and DNS</a></li>
-<li class="toctree-l2"><a class="reference internal" href="enctypes.html">Encryption types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="https.html">HTTPS proxy configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="auth_indicator.html">Authentication indicators</a></li>
-<li class="toctree-l2"><a class="reference internal" href="admin_commands/index.html">Administration programs</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../mitK5defaults.html">MIT Kerberos defaults</a></li>
-<li class="toctree-l2"><a class="reference internal" href="env_variables.html">Environment variables</a></li>
-<li class="toctree-l2"><a class="reference internal" href="troubleshoot.html">Troubleshooting</a></li>
-<li class="toctree-l2"><a class="reference internal" href="advanced/index.html">Advanced topics</a></li>
-<li class="toctree-l2"><a class="reference internal" href="various_envs.html">Various links</a></li>
-</ul>
-</li>
-<li class="toctree-l1"><a class="reference internal" href="../appdev/index.html">For application developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../plugindev/index.html">For plugin module developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../basic/index.html">Kerberos V5 concepts</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../formats/index.html">Protocols and file formats</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../build_this.html">How to build this documentation from the source</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../about.html">Contributing to the MIT Kerberos Documentation</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../resources.html">Resources</a></li>
-</ul>
-
- <br/>
- <h4><a href="../index.html">Full Table of Contents</a></h4>
- <h4>Search</h4>
- <form class="search" action="../search.html" method="get">
- <input type="text" name="q" size="18" />
- <input type="submit" value="Go" />
- <input type="hidden" name="check_keywords" value="yes" />
- <input type="hidden" name="area" value="default" />
- </form>
-
- </div>
- <div class="clearer"></div>
- </div>
- </div>
-
- <div class="footer-wrapper">
- <div class="footer" >
- <div class="right" ><i>Release: 1.22-final</i><br />
- &copy; <a href="../copyright.html">Copyright</a> 1985-2025, MIT.
- </div>
- <div class="left">
-
- <a href="../index.html" title="Full Table of Contents"
- >Contents</a> |
- <a href="pkinit.html" title="PKINIT configuration"
- >previous</a> |
- <a href="spake.html" title="SPAKE Preauthentication"
- >next</a> |
- <a href="../genindex.html" title="General Index"
- >index</a> |
- <a href="../search.html" title="Enter search criteria"
- >Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__OTP Preauthentication">feedback</a>
- </div>
- </div>
- </div>
-
- </body>
-</html> \ No newline at end of file
diff --git a/crypto/krb5/doc/html/admin/pkinit.html b/crypto/krb5/doc/html/admin/pkinit.html
deleted file mode 100644
index 2a30ed7c391d..000000000000
--- a/crypto/krb5/doc/html/admin/pkinit.html
+++ /dev/null
@@ -1,480 +0,0 @@
-<!DOCTYPE html>
-
-<html lang="en" data-content_root="../">
- <head>
- <meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
-
- <title>PKINIT configuration &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../_static/pygments.css?v=fa44fd50" />
- <link rel="stylesheet" type="text/css" href="../_static/agogo.css?v=879f3c71" />
- <link rel="stylesheet" type="text/css" href="../_static/kerb.css?v=6a0b3979" />
- <script src="../_static/documentation_options.js?v=236fef3b"></script>
- <script src="../_static/doctools.js?v=888ff710"></script>
- <script src="../_static/sphinx_highlight.js?v=dc90522c"></script>
- <link rel="author" title="About these documents" href="../about.html" />
- <link rel="index" title="Index" href="../genindex.html" />
- <link rel="search" title="Search" href="../search.html" />
- <link rel="copyright" title="Copyright" href="../copyright.html" />
- <link rel="next" title="OTP Preauthentication" href="otp.html" />
- <link rel="prev" title="Backups of secure hosts" href="backup_host.html" />
- </head><body>
- <div class="header-wrapper">
- <div class="header">
-
-
- <h1><a href="../index.html">MIT Kerberos Documentation</a></h1>
-
- <div class="rel">
-
- <a href="../index.html" title="Full Table of Contents"
- accesskey="C">Contents</a> |
- <a href="backup_host.html" title="Backups of secure hosts"
- accesskey="P">previous</a> |
- <a href="otp.html" title="OTP Preauthentication"
- accesskey="N">next</a> |
- <a href="../genindex.html" title="General Index"
- accesskey="I">index</a> |
- <a href="../search.html" title="Enter search criteria"
- accesskey="S">Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__PKINIT configuration">feedback</a>
- </div>
- </div>
- </div>
-
- <div class="content-wrapper">
- <div class="content">
- <div class="document">
-
- <div class="documentwrapper">
- <div class="bodywrapper">
- <div class="body" role="main">
-
- <section id="pkinit-configuration">
-<span id="pkinit"></span><h1>PKINIT configuration<a class="headerlink" href="#pkinit-configuration" title="Link to this heading">¶</a></h1>
-<p>PKINIT is a preauthentication mechanism for Kerberos 5 which uses
-X.509 certificates to authenticate the KDC to clients and vice versa.
-PKINIT can also be used to enable anonymity support, allowing clients
-to communicate securely with the KDC or with application servers
-without authenticating as a particular client principal.</p>
-<section id="creating-certificates">
-<h2>Creating certificates<a class="headerlink" href="#creating-certificates" title="Link to this heading">¶</a></h2>
-<p>PKINIT requires an X.509 certificate for the KDC and one for each
-client principal which will authenticate using PKINIT. For anonymous
-PKINIT, a KDC certificate is required, but client certificates are
-not. A commercially issued server certificate can be used for the KDC
-certificate, but generally cannot be used for client certificates.</p>
-<p>The instruction in this section describe how to establish a
-certificate authority and create standard PKINIT certificates. Skip
-this section if you are using a commercially issued server certificate
-as the KDC certificate for anonymous PKINIT, or if you are configuring
-a client to use an Active Directory KDC.</p>
-<section id="generating-a-certificate-authority-certificate">
-<h3>Generating a certificate authority certificate<a class="headerlink" href="#generating-a-certificate-authority-certificate" title="Link to this heading">¶</a></h3>
-<p>You can establish a new certificate authority (CA) for use with a
-PKINIT deployment with the commands:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">openssl</span> <span class="n">genrsa</span> <span class="o">-</span><span class="n">out</span> <span class="n">cakey</span><span class="o">.</span><span class="n">pem</span> <span class="mi">2048</span>
-<span class="n">openssl</span> <span class="n">req</span> <span class="o">-</span><span class="n">key</span> <span class="n">cakey</span><span class="o">.</span><span class="n">pem</span> <span class="o">-</span><span class="n">new</span> <span class="o">-</span><span class="n">x509</span> <span class="o">-</span><span class="n">out</span> <span class="n">cacert</span><span class="o">.</span><span class="n">pem</span> <span class="o">-</span><span class="n">days</span> <span class="mi">3650</span>
-</pre></div>
-</div>
-<p>The second command will ask for the values of several certificate
-fields. These fields can be set to any values. You can adjust the
-expiration time of the CA certificate by changing the number after
-<code class="docutils literal notranslate"><span class="pre">-days</span></code>. Since the CA certificate must be deployed to client
-machines each time it changes, it should normally have an expiration
-time far in the future; however, expiration times after 2037 may cause
-interoperability issues in rare circumstances.</p>
-<p>The result of these commands will be two files, cakey.pem and
-cacert.pem. cakey.pem will contain a 2048-bit RSA private key, which
-must be carefully protected. cacert.pem will contain the CA
-certificate, which must be placed in the filesystems of the KDC and
-each client host. cakey.pem will be required to create KDC and client
-certificates.</p>
-</section>
-<section id="generating-a-kdc-certificate">
-<h3>Generating a KDC certificate<a class="headerlink" href="#generating-a-kdc-certificate" title="Link to this heading">¶</a></h3>
-<p>A KDC certificate for use with PKINIT is required to have some unusual
-fields, which makes generating them with OpenSSL somewhat complicated.
-First, you will need a file containing the following:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>[kdc_cert]
-basicConstraints=CA:FALSE
-keyUsage=nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
-extendedKeyUsage=1.3.6.1.5.2.3.5
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer
-issuerAltName=issuer:copy
-subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name
-
-[kdc_princ_name]
-realm=EXP:0,GeneralString:${ENV::REALM}
-principal_name=EXP:1,SEQUENCE:kdc_principal_seq
-
-[kdc_principal_seq]
-name_type=EXP:0,INTEGER:2
-name_string=EXP:1,SEQUENCE:kdc_principals
-
-[kdc_principals]
-princ1=GeneralString:krbtgt
-princ2=GeneralString:${ENV::REALM}
-</pre></div>
-</div>
-<p>If the above contents are placed in extensions.kdc, you can generate
-and sign a KDC certificate with the following commands:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">openssl</span> <span class="n">genrsa</span> <span class="o">-</span><span class="n">out</span> <span class="n">kdckey</span><span class="o">.</span><span class="n">pem</span> <span class="mi">2048</span>
-<span class="n">openssl</span> <span class="n">req</span> <span class="o">-</span><span class="n">new</span> <span class="o">-</span><span class="n">out</span> <span class="n">kdc</span><span class="o">.</span><span class="n">req</span> <span class="o">-</span><span class="n">key</span> <span class="n">kdckey</span><span class="o">.</span><span class="n">pem</span>
-<span class="n">env</span> <span class="n">REALM</span><span class="o">=</span><span class="n">YOUR_REALMNAME</span> <span class="n">openssl</span> <span class="n">x509</span> <span class="o">-</span><span class="n">req</span> <span class="o">-</span><span class="ow">in</span> <span class="n">kdc</span><span class="o">.</span><span class="n">req</span> \
- <span class="o">-</span><span class="n">CAkey</span> <span class="n">cakey</span><span class="o">.</span><span class="n">pem</span> <span class="o">-</span><span class="n">CA</span> <span class="n">cacert</span><span class="o">.</span><span class="n">pem</span> <span class="o">-</span><span class="n">out</span> <span class="n">kdc</span><span class="o">.</span><span class="n">pem</span> <span class="o">-</span><span class="n">days</span> <span class="mi">365</span> \
- <span class="o">-</span><span class="n">extfile</span> <span class="n">extensions</span><span class="o">.</span><span class="n">kdc</span> <span class="o">-</span><span class="n">extensions</span> <span class="n">kdc_cert</span> <span class="o">-</span><span class="n">CAcreateserial</span>
-<span class="n">rm</span> <span class="n">kdc</span><span class="o">.</span><span class="n">req</span>
-</pre></div>
-</div>
-<p>The second command will ask for the values of certificate fields,
-which can be set to any values. In the third command, substitute your
-KDC’s realm name for YOUR_REALMNAME. You can adjust the certificate’s
-expiration date by changing the number after <code class="docutils literal notranslate"><span class="pre">-days</span></code>. Remember to
-create a new KDC certificate before the old one expires.</p>
-<p>The result of this operation will be in two files, kdckey.pem and
-kdc.pem. Both files must be placed in the KDC’s filesystem.
-kdckey.pem, which contains the KDC’s private key, must be carefully
-protected.</p>
-<p>If you examine the KDC certificate with <code class="docutils literal notranslate"><span class="pre">openssl</span> <span class="pre">x509</span> <span class="pre">-in</span> <span class="pre">kdc.pem</span>
-<span class="pre">-text</span> <span class="pre">-noout</span></code>, OpenSSL will not know how to display the KDC principal
-name in the Subject Alternative Name extension, so it will appear as
-<code class="docutils literal notranslate"><span class="pre">othername:&lt;unsupported&gt;</span></code>. This is normal and does not mean
-anything is wrong with the KDC certificate.</p>
-</section>
-<section id="generating-client-certificates">
-<h3>Generating client certificates<a class="headerlink" href="#generating-client-certificates" title="Link to this heading">¶</a></h3>
-<p>PKINIT client certificates also must have some unusual certificate
-fields. To generate a client certificate with OpenSSL for a
-single-component principal name, you will need an extensions file
-(different from the KDC extensions file above) containing:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>[client_cert]
-basicConstraints=CA:FALSE
-keyUsage=digitalSignature,keyEncipherment,keyAgreement
-extendedKeyUsage=1.3.6.1.5.2.3.4
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer
-issuerAltName=issuer:copy
-subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:princ_name
-
-[princ_name]
-realm=EXP:0,GeneralString:${ENV::REALM}
-principal_name=EXP:1,SEQUENCE:principal_seq
-
-[principal_seq]
-name_type=EXP:0,INTEGER:1
-name_string=EXP:1,SEQUENCE:principals
-
-[principals]
-princ1=GeneralString:${ENV::CLIENT}
-</pre></div>
-</div>
-<p>If the above contents are placed in extensions.client, you can
-generate and sign a client certificate with the following commands:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">openssl</span> <span class="n">genrsa</span> <span class="o">-</span><span class="n">out</span> <span class="n">clientkey</span><span class="o">.</span><span class="n">pem</span> <span class="mi">2048</span>
-<span class="n">openssl</span> <span class="n">req</span> <span class="o">-</span><span class="n">new</span> <span class="o">-</span><span class="n">key</span> <span class="n">clientkey</span><span class="o">.</span><span class="n">pem</span> <span class="o">-</span><span class="n">out</span> <span class="n">client</span><span class="o">.</span><span class="n">req</span>
-<span class="n">env</span> <span class="n">REALM</span><span class="o">=</span><span class="n">YOUR_REALMNAME</span> <span class="n">CLIENT</span><span class="o">=</span><span class="n">YOUR_PRINCNAME</span> <span class="n">openssl</span> <span class="n">x509</span> \
- <span class="o">-</span><span class="n">CAkey</span> <span class="n">cakey</span><span class="o">.</span><span class="n">pem</span> <span class="o">-</span><span class="n">CA</span> <span class="n">cacert</span><span class="o">.</span><span class="n">pem</span> <span class="o">-</span><span class="n">req</span> <span class="o">-</span><span class="ow">in</span> <span class="n">client</span><span class="o">.</span><span class="n">req</span> \
- <span class="o">-</span><span class="n">extensions</span> <span class="n">client_cert</span> <span class="o">-</span><span class="n">extfile</span> <span class="n">extensions</span><span class="o">.</span><span class="n">client</span> \
- <span class="o">-</span><span class="n">days</span> <span class="mi">365</span> <span class="o">-</span><span class="n">out</span> <span class="n">client</span><span class="o">.</span><span class="n">pem</span>
-<span class="n">rm</span> <span class="n">client</span><span class="o">.</span><span class="n">req</span>
-</pre></div>
-</div>
-<p>Normally, the first two commands should be run on the client host, and
-the resulting client.req file transferred to the certificate authority
-host for the third command. As in the previous steps, the second
-command will ask for the values of certificate fields, which can be
-set to any values. In the third command, substitute your realm’s name
-for YOUR_REALMNAME and the client’s principal name (without realm) for
-YOUR_PRINCNAME. You can adjust the certificate’s expiration date by
-changing the number after <code class="docutils literal notranslate"><span class="pre">-days</span></code>.</p>
-<p>The result of this operation will be two files, clientkey.pem and
-client.pem. Both files must be present on the client’s host;
-clientkey.pem, which contains the client’s private key, must be
-protected from access by others.</p>
-<p>As in the KDC certificate, OpenSSL will display the client principal
-name as <code class="docutils literal notranslate"><span class="pre">othername:&lt;unsupported&gt;</span></code> in the Subject Alternative Name
-extension of a PKINIT client certificate.</p>
-<p>If the client principal name contains more than one component
-(e.g. <code class="docutils literal notranslate"><span class="pre">host/example.com&#64;REALM</span></code>), the <code class="docutils literal notranslate"><span class="pre">[principals]</span></code> section of
-<code class="docutils literal notranslate"><span class="pre">extensions.client</span></code> must be altered to contain multiple entries.
-(Simply setting <code class="docutils literal notranslate"><span class="pre">CLIENT</span></code> to <code class="docutils literal notranslate"><span class="pre">host/example.com</span></code> would generate a
-certificate for <code class="docutils literal notranslate"><span class="pre">host\/example.com&#64;REALM</span></code> which would not match the
-multi-component principal name.) For a two-component principal, the
-section should read:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>[principals]
-princ1=GeneralString:${ENV::CLIENT1}
-princ2=GeneralString:${ENV::CLIENT2}
-</pre></div>
-</div>
-<p>The environment variables <code class="docutils literal notranslate"><span class="pre">CLIENT1</span></code> and <code class="docutils literal notranslate"><span class="pre">CLIENT2</span></code> must then be set
-to the first and second components when running <code class="docutils literal notranslate"><span class="pre">openssl</span> <span class="pre">x509</span></code>.</p>
-</section>
-</section>
-<section id="configuring-the-kdc">
-<h2>Configuring the KDC<a class="headerlink" href="#configuring-the-kdc" title="Link to this heading">¶</a></h2>
-<p>The KDC must have filesystem access to the KDC certificate (kdc.pem)
-and the KDC private key (kdckey.pem). Configure the following
-relation in the KDC’s <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a> file, either in the
-<a class="reference internal" href="conf_files/kdc_conf.html#kdcdefaults"><span class="std std-ref">[kdcdefaults]</span></a> section or in a <a class="reference internal" href="conf_files/kdc_conf.html#kdc-realms"><span class="std std-ref">[realms]</span></a> subsection (with
-appropriate pathnames):</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">pkinit_identity</span> <span class="o">=</span> <span class="n">FILE</span><span class="p">:</span><span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">lib</span><span class="o">/</span><span class="n">krb5kdc</span><span class="o">/</span><span class="n">kdc</span><span class="o">.</span><span class="n">pem</span><span class="p">,</span><span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">lib</span><span class="o">/</span><span class="n">krb5kdc</span><span class="o">/</span><span class="n">kdckey</span><span class="o">.</span><span class="n">pem</span>
-</pre></div>
-</div>
-<p>If any clients will authenticate using regular (as opposed to
-anonymous) PKINIT, the KDC must also have filesystem access to the CA
-certificate (cacert.pem), and the following configuration (with the
-appropriate pathname):</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">pkinit_anchors</span> <span class="o">=</span> <span class="n">FILE</span><span class="p">:</span><span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">lib</span><span class="o">/</span><span class="n">krb5kdc</span><span class="o">/</span><span class="n">cacert</span><span class="o">.</span><span class="n">pem</span>
-</pre></div>
-</div>
-<p>Because of the larger size of requests and responses using PKINIT, you
-may also need to allow TCP access to the KDC:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">kdc_tcp_listen</span> <span class="o">=</span> <span class="mi">88</span>
-</pre></div>
-</div>
-<p>Restart the <a class="reference internal" href="admin_commands/krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a> daemon to pick up the configuration
-changes.</p>
-<p>The principal entry for each PKINIT-using client must be configured to
-require preauthentication. Ensure this with the command:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">kadmin</span> <span class="o">-</span><span class="n">q</span> <span class="s1">&#39;modprinc +requires_preauth YOUR_PRINCNAME&#39;</span>
-</pre></div>
-</div>
-<p>Starting with release 1.12, it is possible to remove the long-term
-keys of a principal entry, which can save some space in the database
-and help to clarify some PKINIT-related error conditions by not asking
-for a password:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">kadmin</span> <span class="o">-</span><span class="n">q</span> <span class="s1">&#39;purgekeys -all YOUR_PRINCNAME&#39;</span>
-</pre></div>
-</div>
-<p>These principal options can also be specified at principal creation
-time as follows:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">kadmin</span> <span class="o">-</span><span class="n">q</span> <span class="s1">&#39;add_principal +requires_preauth -nokey YOUR_PRINCNAME&#39;</span>
-</pre></div>
-</div>
-<p>By default, the KDC requires PKINIT client certificates to have the
-standard Extended Key Usage and Subject Alternative Name attributes
-for PKINIT. Starting in release 1.16, it is possible to authorize
-client certificates based on the subject or other criteria instead of
-the standard PKINIT Subject Alternative Name, by setting the
-<strong>pkinit_cert_match</strong> string attribute on each client principal entry.
-For example:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">kadmin</span> <span class="n">set_string</span> <span class="n">user</span><span class="nd">@REALM</span> <span class="n">pkinit_cert_match</span> <span class="s2">&quot;&lt;SUBJECT&gt;CN=user@REALM$&quot;</span>
-</pre></div>
-</div>
-<p>The <strong>pkinit_cert_match</strong> string attribute follows the syntax used by
-the <a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a> <strong>pkinit_cert_match</strong> relation. To allow the
-use of non-PKINIT client certificates, it will also be necessary to
-disable key usage checking using the <strong>pkinit_eku_checking</strong> relation;
-for example:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">kdcdefaults</span><span class="p">]</span>
- <span class="n">pkinit_eku_checking</span> <span class="o">=</span> <span class="n">none</span>
-</pre></div>
-</div>
-</section>
-<section id="configuring-the-clients">
-<h2>Configuring the clients<a class="headerlink" href="#configuring-the-clients" title="Link to this heading">¶</a></h2>
-<p>Client hosts must be configured to trust the issuing authority for the
-KDC certificate. For a newly established certificate authority, the
-client host must have filesystem access to the CA certificate
-(cacert.pem) and the following relation in <a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a> in the
-appropriate <a class="reference internal" href="conf_files/krb5_conf.html#realms"><span class="std std-ref">[realms]</span></a> subsection (with appropriate pathnames):</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">pkinit_anchors</span> <span class="o">=</span> <span class="n">FILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">krb5</span><span class="o">/</span><span class="n">cacert</span><span class="o">.</span><span class="n">pem</span>
-</pre></div>
-</div>
-<p>If the KDC certificate is a commercially issued server certificate,
-the issuing certificate is most likely included in a system directory.
-You can specify it by filename as above, or specify the whole
-directory like so:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">pkinit_anchors</span> <span class="o">=</span> <span class="n">DIR</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">ssl</span><span class="o">/</span><span class="n">certs</span>
-</pre></div>
-</div>
-<p>A commercially issued server certificate will usually not have the
-standard PKINIT principal name or Extended Key Usage extensions, so
-the following additional configuration is required:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">pkinit_eku_checking</span> <span class="o">=</span> <span class="n">kpServerAuth</span>
-<span class="n">pkinit_kdc_hostname</span> <span class="o">=</span> <span class="n">hostname</span><span class="o">.</span><span class="n">of</span><span class="o">.</span><span class="n">kdc</span><span class="o">.</span><span class="n">certificate</span>
-</pre></div>
-</div>
-<p>Multiple <strong>pkinit_kdc_hostname</strong> relations can be configured to
-recognize multiple KDC certificates. If the KDC is an Active
-Directory domain controller, setting <strong>pkinit_kdc_hostname</strong> is
-necessary, but it should not be necessary to set
-<strong>pkinit_eku_checking</strong>.</p>
-<p>To perform regular (as opposed to anonymous) PKINIT authentication, a
-client host must have filesystem access to a client certificate
-(client.pem), and the corresponding private key (clientkey.pem).
-Configure the following relations in the client host’s
-<a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a> file in the appropriate <a class="reference internal" href="conf_files/krb5_conf.html#realms"><span class="std std-ref">[realms]</span></a> subsection
-(with appropriate pathnames):</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">pkinit_identities</span> <span class="o">=</span> <span class="n">FILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">krb5</span><span class="o">/</span><span class="n">client</span><span class="o">.</span><span class="n">pem</span><span class="p">,</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">krb5</span><span class="o">/</span><span class="n">clientkey</span><span class="o">.</span><span class="n">pem</span>
-</pre></div>
-</div>
-<p>If the KDC and client are properly configured, it should now be
-possible to run <code class="docutils literal notranslate"><span class="pre">kinit</span> <span class="pre">username</span></code> without entering a password.</p>
-</section>
-<section id="anonymous-pkinit">
-<span id="id1"></span><h2>Anonymous PKINIT<a class="headerlink" href="#anonymous-pkinit" title="Link to this heading">¶</a></h2>
-<p>Anonymity support in Kerberos allows a client to obtain a ticket
-without authenticating as any particular principal. Such a ticket can
-be used as a FAST armor ticket, or to securely communicate with an
-application server anonymously.</p>
-<p>To configure anonymity support, you must generate or otherwise procure
-a KDC certificate and configure the KDC host, but you do not need to
-generate any client certificates. On the KDC, you must set the
-<strong>pkinit_identity</strong> variable to provide the KDC certificate, but do
-not need to set the <strong>pkinit_anchors</strong> variable or store the issuing
-certificate if you won’t have any client certificates to verify. On
-client hosts, you must set the <strong>pkinit_anchors</strong> variable (and
-possibly <strong>pkinit_kdc_hostname</strong> and <strong>pkinit_eku_checking</strong>) in order
-to trust the issuing authority for the KDC certificate, but do not
-need to set the <strong>pkinit_identities</strong> variable.</p>
-<p>Anonymity support is not enabled by default. To enable it, you must
-create the principal <code class="docutils literal notranslate"><span class="pre">WELLKNOWN/ANONYMOUS</span></code> using the command:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">kadmin</span> <span class="o">-</span><span class="n">q</span> <span class="s1">&#39;addprinc -randkey WELLKNOWN/ANONYMOUS&#39;</span>
-</pre></div>
-</div>
-<p>Some Kerberos deployments include application servers which lack
-proper access control, and grant some level of access to any user who
-can authenticate. In such an environment, enabling anonymity support
-on the KDC would present a security issue. If you need to enable
-anonymity support for TGTs (for use as FAST armor tickets) without
-enabling anonymous authentication to application servers, you can set
-the variable <strong>restrict_anonymous_to_tgt</strong> to <code class="docutils literal notranslate"><span class="pre">true</span></code> in the
-appropriate <a class="reference internal" href="conf_files/kdc_conf.html#kdc-realms"><span class="std std-ref">[realms]</span></a> subsection of the KDC’s
-<a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a> file.</p>
-<p>To obtain anonymous credentials on a client, run <code class="docutils literal notranslate"><span class="pre">kinit</span> <span class="pre">-n</span></code>, or
-<code class="docutils literal notranslate"><span class="pre">kinit</span> <span class="pre">-n</span> <span class="pre">&#64;REALMNAME</span></code> to specify a realm. The resulting tickets
-will have the client name <code class="docutils literal notranslate"><span class="pre">WELLKNOWN/ANONYMOUS&#64;WELLKNOWN:ANONYMOUS</span></code>.</p>
-</section>
-<section id="freshness-tokens">
-<h2>Freshness tokens<a class="headerlink" href="#freshness-tokens" title="Link to this heading">¶</a></h2>
-<p>Freshness tokens can ensure that the client has recently had access to
-its certificate private key. If freshness tokens are not required by
-the KDC, a client program with temporary possession of the private key
-can compose requests for future timestamps and use them later.</p>
-<p>In release 1.17 and later, freshness tokens are supported by the
-client and are sent by the KDC when the client indicates support for
-them. Because not all clients support freshness tokens yet, they are
-not required by default. To check if freshness tokens are supported
-by a realm’s clients, look in the KDC logs for the lines:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">PKINIT</span><span class="p">:</span> <span class="n">freshness</span> <span class="n">token</span> <span class="n">received</span> <span class="kn">from</span> <span class="o">&lt;</span><span class="n">client</span> <span class="n">principal</span><span class="o">&gt;</span>
-<span class="n">PKINIT</span><span class="p">:</span> <span class="n">no</span> <span class="n">freshness</span> <span class="n">token</span> <span class="n">received</span> <span class="kn">from</span> <span class="o">&lt;</span><span class="n">client</span> <span class="n">principal</span><span class="o">&gt;</span>
-</pre></div>
-</div>
-<p>To require freshness tokens for all clients in a realm (except for
-clients authenticating anonymously), set the
-<strong>pkinit_require_freshness</strong> variable to <code class="docutils literal notranslate"><span class="pre">true</span></code> in the appropriate
-<a class="reference internal" href="conf_files/kdc_conf.html#kdc-realms"><span class="std std-ref">[realms]</span></a> subsection of the KDC’s <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a> file. To
-test that this option is in effect, run <code class="docutils literal notranslate"><span class="pre">kinit</span> <span class="pre">-X</span> <span class="pre">disable_freshness</span></code>
-and verify that authentication is unsuccessful.</p>
-</section>
-</section>
-
-
- <div class="clearer"></div>
- </div>
- </div>
- </div>
- </div>
- <div class="sidebar">
-
- <h2>On this page</h2>
- <ul>
-<li><a class="reference internal" href="#">PKINIT configuration</a><ul>
-<li><a class="reference internal" href="#creating-certificates">Creating certificates</a><ul>
-<li><a class="reference internal" href="#generating-a-certificate-authority-certificate">Generating a certificate authority certificate</a></li>
-<li><a class="reference internal" href="#generating-a-kdc-certificate">Generating a KDC certificate</a></li>
-<li><a class="reference internal" href="#generating-client-certificates">Generating client certificates</a></li>
-</ul>
-</li>
-<li><a class="reference internal" href="#configuring-the-kdc">Configuring the KDC</a></li>
-<li><a class="reference internal" href="#configuring-the-clients">Configuring the clients</a></li>
-<li><a class="reference internal" href="#anonymous-pkinit">Anonymous PKINIT</a></li>
-<li><a class="reference internal" href="#freshness-tokens">Freshness tokens</a></li>
-</ul>
-</li>
-</ul>
-
- <br/>
- <h2>Table of contents</h2>
- <ul class="current">
-<li class="toctree-l1"><a class="reference internal" href="../user/index.html">For users</a></li>
-<li class="toctree-l1 current"><a class="reference internal" href="index.html">For administrators</a><ul class="current">
-<li class="toctree-l2"><a class="reference internal" href="install.html">Installation guide</a></li>
-<li class="toctree-l2"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li>
-<li class="toctree-l2"><a class="reference internal" href="realm_config.html">Realm configuration decisions</a></li>
-<li class="toctree-l2"><a class="reference internal" href="database.html">Database administration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="dbtypes.html">Database types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="lockout.html">Account lockout</a></li>
-<li class="toctree-l2"><a class="reference internal" href="conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
-<li class="toctree-l2"><a class="reference internal" href="appl_servers.html">Application servers</a></li>
-<li class="toctree-l2"><a class="reference internal" href="host_config.html">Host configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="backup_host.html">Backups of secure hosts</a></li>
-<li class="toctree-l2 current"><a class="current reference internal" href="#">PKINIT configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="otp.html">OTP Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="spake.html">SPAKE Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="dictionary.html">Addressing dictionary attack risks</a></li>
-<li class="toctree-l2"><a class="reference internal" href="princ_dns.html">Principal names and DNS</a></li>
-<li class="toctree-l2"><a class="reference internal" href="enctypes.html">Encryption types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="https.html">HTTPS proxy configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="auth_indicator.html">Authentication indicators</a></li>
-<li class="toctree-l2"><a class="reference internal" href="admin_commands/index.html">Administration programs</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../mitK5defaults.html">MIT Kerberos defaults</a></li>
-<li class="toctree-l2"><a class="reference internal" href="env_variables.html">Environment variables</a></li>
-<li class="toctree-l2"><a class="reference internal" href="troubleshoot.html">Troubleshooting</a></li>
-<li class="toctree-l2"><a class="reference internal" href="advanced/index.html">Advanced topics</a></li>
-<li class="toctree-l2"><a class="reference internal" href="various_envs.html">Various links</a></li>
-</ul>
-</li>
-<li class="toctree-l1"><a class="reference internal" href="../appdev/index.html">For application developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../plugindev/index.html">For plugin module developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../basic/index.html">Kerberos V5 concepts</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../formats/index.html">Protocols and file formats</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../build_this.html">How to build this documentation from the source</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../about.html">Contributing to the MIT Kerberos Documentation</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../resources.html">Resources</a></li>
-</ul>
-
- <br/>
- <h4><a href="../index.html">Full Table of Contents</a></h4>
- <h4>Search</h4>
- <form class="search" action="../search.html" method="get">
- <input type="text" name="q" size="18" />
- <input type="submit" value="Go" />
- <input type="hidden" name="check_keywords" value="yes" />
- <input type="hidden" name="area" value="default" />
- </form>
-
- </div>
- <div class="clearer"></div>
- </div>
- </div>
-
- <div class="footer-wrapper">
- <div class="footer" >
- <div class="right" ><i>Release: 1.22-final</i><br />
- &copy; <a href="../copyright.html">Copyright</a> 1985-2025, MIT.
- </div>
- <div class="left">
-
- <a href="../index.html" title="Full Table of Contents"
- >Contents</a> |
- <a href="backup_host.html" title="Backups of secure hosts"
- >previous</a> |
- <a href="otp.html" title="OTP Preauthentication"
- >next</a> |
- <a href="../genindex.html" title="General Index"
- >index</a> |
- <a href="../search.html" title="Enter search criteria"
- >Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__PKINIT configuration">feedback</a>
- </div>
- </div>
- </div>
-
- </body>
-</html> \ No newline at end of file
diff --git a/crypto/krb5/doc/html/admin/princ_dns.html b/crypto/krb5/doc/html/admin/princ_dns.html
deleted file mode 100644
index fe10f1cefc68..000000000000
--- a/crypto/krb5/doc/html/admin/princ_dns.html
+++ /dev/null
@@ -1,266 +0,0 @@
-<!DOCTYPE html>
-
-<html lang="en" data-content_root="../">
- <head>
- <meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
-
- <title>Principal names and DNS &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../_static/pygments.css?v=fa44fd50" />
- <link rel="stylesheet" type="text/css" href="../_static/agogo.css?v=879f3c71" />
- <link rel="stylesheet" type="text/css" href="../_static/kerb.css?v=6a0b3979" />
- <script src="../_static/documentation_options.js?v=236fef3b"></script>
- <script src="../_static/doctools.js?v=888ff710"></script>
- <script src="../_static/sphinx_highlight.js?v=dc90522c"></script>
- <link rel="author" title="About these documents" href="../about.html" />
- <link rel="index" title="Index" href="../genindex.html" />
- <link rel="search" title="Search" href="../search.html" />
- <link rel="copyright" title="Copyright" href="../copyright.html" />
- <link rel="next" title="Encryption types" href="enctypes.html" />
- <link rel="prev" title="Addressing dictionary attack risks" href="dictionary.html" />
- </head><body>
- <div class="header-wrapper">
- <div class="header">
-
-
- <h1><a href="../index.html">MIT Kerberos Documentation</a></h1>
-
- <div class="rel">
-
- <a href="../index.html" title="Full Table of Contents"
- accesskey="C">Contents</a> |
- <a href="dictionary.html" title="Addressing dictionary attack risks"
- accesskey="P">previous</a> |
- <a href="enctypes.html" title="Encryption types"
- accesskey="N">next</a> |
- <a href="../genindex.html" title="General Index"
- accesskey="I">index</a> |
- <a href="../search.html" title="Enter search criteria"
- accesskey="S">Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Principal names and DNS">feedback</a>
- </div>
- </div>
- </div>
-
- <div class="content-wrapper">
- <div class="content">
- <div class="document">
-
- <div class="documentwrapper">
- <div class="bodywrapper">
- <div class="body" role="main">
-
- <section id="principal-names-and-dns">
-<h1>Principal names and DNS<a class="headerlink" href="#principal-names-and-dns" title="Link to this heading">¶</a></h1>
-<p>Kerberos clients can do DNS lookups to canonicalize service principal
-names. This can cause difficulties when setting up Kerberos
-application servers, especially when the client’s name for the service
-is different from what the service thinks its name is.</p>
-<section id="service-principal-names">
-<h2>Service principal names<a class="headerlink" href="#service-principal-names" title="Link to this heading">¶</a></h2>
-<p>A frequently used kind of principal name is the host-based service
-principal name. This kind of principal name has two components: a
-service name and a hostname. For example, <code class="docutils literal notranslate"><span class="pre">imap/imap.example.com</span></code>
-is the principal name of the “imap” service on the host
-“imap.example.com”. Other possible service names for the first
-component include “host” (remote login services such as ssh), “HTTP”,
-and “nfs” (Network File System).</p>
-<p>Service administrators often publish well-known hostname aliases that
-they would prefer users to use instead of the canonical name of the
-service host. This gives service administrators more flexibility in
-deploying services. For example, a shell login server might be named
-“long-vanity-hostname.example.com”, but users will naturally prefer to
-type something like “login.example.com”. Hostname aliases also allow
-for administrators to set up load balancing for some sorts of services
-based on rotating <code class="docutils literal notranslate"><span class="pre">CNAME</span></code> records in DNS.</p>
-</section>
-<section id="service-principal-canonicalization">
-<h2>Service principal canonicalization<a class="headerlink" href="#service-principal-canonicalization" title="Link to this heading">¶</a></h2>
-<p>In the MIT krb5 client library, canonicalization of host-based service
-principals is controlled by the <strong>dns_canonicalize_hostname</strong>,
-<strong>rnds</strong>, and <strong>qualify_shortname</strong> variables in <a class="reference internal" href="conf_files/krb5_conf.html#libdefaults"><span class="std std-ref">[libdefaults]</span></a>.</p>
-<p>If <strong>dns_canonicalize_hostname</strong> is set to <code class="docutils literal notranslate"><span class="pre">true</span></code> (the default
-value), the client performs forward resolution by looking up the IPv4
-and/or IPv6 addresses of the hostname using <code class="docutils literal notranslate"><span class="pre">getaddrinfo()</span></code>. This
-process will typically add a domain suffix to the hostname if needed,
-and follow CNAME records in the DNS. If <strong>rdns</strong> is also set to
-<code class="docutils literal notranslate"><span class="pre">true</span></code> (the default), the client will then perform a reverse lookup
-of the first returned Internet address using <code class="docutils literal notranslate"><span class="pre">getnameinfo()</span></code>,
-finding the name associated with the PTR record.</p>
-<p>If <strong>dns_canonicalize_hostname</strong> is set to <code class="docutils literal notranslate"><span class="pre">false</span></code>, the hostname is
-not canonicalized using DNS. If the hostname has only one component
-(i.e. it contains no “.” characters), the host’s primary DNS search
-domain will be appended, if there is one. The <strong>qualify_shortname</strong>
-variable can be used to override or disable this suffix.</p>
-<p>If <strong>dns_canonicalize_hostname</strong> is set to <code class="docutils literal notranslate"><span class="pre">fallback</span></code> (added in
-release 1.18), the hostname is initially treated according to the
-rules for <code class="docutils literal notranslate"><span class="pre">dns_canonicalize_hostname=false</span></code>. If a ticket request
-fails because the service principal is unknown, the hostname will be
-canonicalized according to the rules for
-<code class="docutils literal notranslate"><span class="pre">dns_canonicalize_hostname=true</span></code> and the request will be retried.</p>
-<p>In all cases, the hostname is converted to lowercase, and any trailing
-dot is removed.</p>
-</section>
-<section id="reverse-dns-mismatches">
-<h2>Reverse DNS mismatches<a class="headerlink" href="#reverse-dns-mismatches" title="Link to this heading">¶</a></h2>
-<p>Sometimes, an enterprise will have control over its forward DNS but
-not its reverse DNS. The reverse DNS is sometimes under the control
-of the Internet service provider of the enterprise, and the enterprise
-may not have much influence in setting up reverse DNS records for its
-address space. If there are difficulties with getting forward and
-reverse DNS to match, it is best to set <code class="docutils literal notranslate"><span class="pre">rdns</span> <span class="pre">=</span> <span class="pre">false</span></code> on client
-machines.</p>
-</section>
-<section id="overriding-application-behavior">
-<h2>Overriding application behavior<a class="headerlink" href="#overriding-application-behavior" title="Link to this heading">¶</a></h2>
-<p>Applications can choose to use a default hostname component in their
-service principal name when accepting authentication, which avoids
-some sorts of hostname mismatches. Because not all relevant
-applications do this yet, using the <a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a> setting:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">libdefaults</span><span class="p">]</span>
- <span class="n">ignore_acceptor_hostname</span> <span class="o">=</span> <span class="n">true</span>
-</pre></div>
-</div>
-<p>will allow the Kerberos library to override the application’s choice
-of service principal hostname and will allow a server program to
-accept incoming authentications using any key in its keytab that
-matches the service name and realm name (if given). This setting
-defaults to “false” and is available in releases krb5-1.10 and later.</p>
-</section>
-<section id="provisioning-keytabs">
-<h2>Provisioning keytabs<a class="headerlink" href="#provisioning-keytabs" title="Link to this heading">¶</a></h2>
-<p>One service principal entry that should be in the keytab is a
-principal whose hostname component is the canonical hostname that
-<code class="docutils literal notranslate"><span class="pre">getaddrinfo()</span></code> reports for all known aliases for the host. If the
-reverse DNS information does not match this canonical hostname, an
-additional service principal entry should be in the keytab for this
-different hostname.</p>
-</section>
-<section id="specific-application-advice">
-<h2>Specific application advice<a class="headerlink" href="#specific-application-advice" title="Link to this heading">¶</a></h2>
-<section id="secure-shell-ssh">
-<h3>Secure shell (ssh)<a class="headerlink" href="#secure-shell-ssh" title="Link to this heading">¶</a></h3>
-<p>Setting <code class="docutils literal notranslate"><span class="pre">GSSAPIStrictAcceptorCheck</span> <span class="pre">=</span> <span class="pre">no</span></code> in the configuration file
-of modern versions of the openssh daemon will allow the daemon to try
-any key in its keytab when accepting a connection, rather than looking
-for the keytab entry that matches the host’s own idea of its name
-(typically the name that <code class="docutils literal notranslate"><span class="pre">gethostname()</span></code> returns). This requires
-krb5-1.10 or later.</p>
-</section>
-<section id="openldap-ldapsearch-etc">
-<h3>OpenLDAP (ldapsearch, etc.)<a class="headerlink" href="#openldap-ldapsearch-etc" title="Link to this heading">¶</a></h3>
-<p>OpenLDAP’s SASL implementation performs reverse DNS lookup in order to
-canonicalize service principal names, even if <strong>rdns</strong> is set to
-<code class="docutils literal notranslate"><span class="pre">false</span></code> in the Kerberos configuration. To disable this behavior,
-add <code class="docutils literal notranslate"><span class="pre">SASL_NOCANON</span> <span class="pre">on</span></code> to <code class="docutils literal notranslate"><span class="pre">ldap.conf</span></code>, or set the
-<code class="docutils literal notranslate"><span class="pre">LDAPSASL_NOCANON</span></code> environment variable.</p>
-</section>
-</section>
-</section>
-
-
- <div class="clearer"></div>
- </div>
- </div>
- </div>
- </div>
- <div class="sidebar">
-
- <h2>On this page</h2>
- <ul>
-<li><a class="reference internal" href="#">Principal names and DNS</a><ul>
-<li><a class="reference internal" href="#service-principal-names">Service principal names</a></li>
-<li><a class="reference internal" href="#service-principal-canonicalization">Service principal canonicalization</a></li>
-<li><a class="reference internal" href="#reverse-dns-mismatches">Reverse DNS mismatches</a></li>
-<li><a class="reference internal" href="#overriding-application-behavior">Overriding application behavior</a></li>
-<li><a class="reference internal" href="#provisioning-keytabs">Provisioning keytabs</a></li>
-<li><a class="reference internal" href="#specific-application-advice">Specific application advice</a><ul>
-<li><a class="reference internal" href="#secure-shell-ssh">Secure shell (ssh)</a></li>
-<li><a class="reference internal" href="#openldap-ldapsearch-etc">OpenLDAP (ldapsearch, etc.)</a></li>
-</ul>
-</li>
-</ul>
-</li>
-</ul>
-
- <br/>
- <h2>Table of contents</h2>
- <ul class="current">
-<li class="toctree-l1"><a class="reference internal" href="../user/index.html">For users</a></li>
-<li class="toctree-l1 current"><a class="reference internal" href="index.html">For administrators</a><ul class="current">
-<li class="toctree-l2"><a class="reference internal" href="install.html">Installation guide</a></li>
-<li class="toctree-l2"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li>
-<li class="toctree-l2"><a class="reference internal" href="realm_config.html">Realm configuration decisions</a></li>
-<li class="toctree-l2"><a class="reference internal" href="database.html">Database administration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="dbtypes.html">Database types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="lockout.html">Account lockout</a></li>
-<li class="toctree-l2"><a class="reference internal" href="conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
-<li class="toctree-l2"><a class="reference internal" href="appl_servers.html">Application servers</a></li>
-<li class="toctree-l2"><a class="reference internal" href="host_config.html">Host configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="backup_host.html">Backups of secure hosts</a></li>
-<li class="toctree-l2"><a class="reference internal" href="pkinit.html">PKINIT configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="otp.html">OTP Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="spake.html">SPAKE Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="dictionary.html">Addressing dictionary attack risks</a></li>
-<li class="toctree-l2 current"><a class="current reference internal" href="#">Principal names and DNS</a></li>
-<li class="toctree-l2"><a class="reference internal" href="enctypes.html">Encryption types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="https.html">HTTPS proxy configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="auth_indicator.html">Authentication indicators</a></li>
-<li class="toctree-l2"><a class="reference internal" href="admin_commands/index.html">Administration programs</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../mitK5defaults.html">MIT Kerberos defaults</a></li>
-<li class="toctree-l2"><a class="reference internal" href="env_variables.html">Environment variables</a></li>
-<li class="toctree-l2"><a class="reference internal" href="troubleshoot.html">Troubleshooting</a></li>
-<li class="toctree-l2"><a class="reference internal" href="advanced/index.html">Advanced topics</a></li>
-<li class="toctree-l2"><a class="reference internal" href="various_envs.html">Various links</a></li>
-</ul>
-</li>
-<li class="toctree-l1"><a class="reference internal" href="../appdev/index.html">For application developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../plugindev/index.html">For plugin module developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../basic/index.html">Kerberos V5 concepts</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../formats/index.html">Protocols and file formats</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../build_this.html">How to build this documentation from the source</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../about.html">Contributing to the MIT Kerberos Documentation</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../resources.html">Resources</a></li>
-</ul>
-
- <br/>
- <h4><a href="../index.html">Full Table of Contents</a></h4>
- <h4>Search</h4>
- <form class="search" action="../search.html" method="get">
- <input type="text" name="q" size="18" />
- <input type="submit" value="Go" />
- <input type="hidden" name="check_keywords" value="yes" />
- <input type="hidden" name="area" value="default" />
- </form>
-
- </div>
- <div class="clearer"></div>
- </div>
- </div>
-
- <div class="footer-wrapper">
- <div class="footer" >
- <div class="right" ><i>Release: 1.22-final</i><br />
- &copy; <a href="../copyright.html">Copyright</a> 1985-2025, MIT.
- </div>
- <div class="left">
-
- <a href="../index.html" title="Full Table of Contents"
- >Contents</a> |
- <a href="dictionary.html" title="Addressing dictionary attack risks"
- >previous</a> |
- <a href="enctypes.html" title="Encryption types"
- >next</a> |
- <a href="../genindex.html" title="General Index"
- >index</a> |
- <a href="../search.html" title="Enter search criteria"
- >Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Principal names and DNS">feedback</a>
- </div>
- </div>
- </div>
-
- </body>
-</html> \ No newline at end of file
diff --git a/crypto/krb5/doc/html/admin/realm_config.html b/crypto/krb5/doc/html/admin/realm_config.html
deleted file mode 100644
index a1fe446b2d63..000000000000
--- a/crypto/krb5/doc/html/admin/realm_config.html
+++ /dev/null
@@ -1,400 +0,0 @@
-<!DOCTYPE html>
-
-<html lang="en" data-content_root="../">
- <head>
- <meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
-
- <title>Realm configuration decisions &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../_static/pygments.css?v=fa44fd50" />
- <link rel="stylesheet" type="text/css" href="../_static/agogo.css?v=879f3c71" />
- <link rel="stylesheet" type="text/css" href="../_static/kerb.css?v=6a0b3979" />
- <script src="../_static/documentation_options.js?v=236fef3b"></script>
- <script src="../_static/doctools.js?v=888ff710"></script>
- <script src="../_static/sphinx_highlight.js?v=dc90522c"></script>
- <link rel="author" title="About these documents" href="../about.html" />
- <link rel="index" title="Index" href="../genindex.html" />
- <link rel="search" title="Search" href="../search.html" />
- <link rel="copyright" title="Copyright" href="../copyright.html" />
- <link rel="next" title="Database administration" href="database.html" />
- <link rel="prev" title="kadm5.acl" href="conf_files/kadm5_acl.html" />
- </head><body>
- <div class="header-wrapper">
- <div class="header">
-
-
- <h1><a href="../index.html">MIT Kerberos Documentation</a></h1>
-
- <div class="rel">
-
- <a href="../index.html" title="Full Table of Contents"
- accesskey="C">Contents</a> |
- <a href="conf_files/kadm5_acl.html" title="kadm5.acl"
- accesskey="P">previous</a> |
- <a href="database.html" title="Database administration"
- accesskey="N">next</a> |
- <a href="../genindex.html" title="General Index"
- accesskey="I">index</a> |
- <a href="../search.html" title="Enter search criteria"
- accesskey="S">Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Realm configuration decisions">feedback</a>
- </div>
- </div>
- </div>
-
- <div class="content-wrapper">
- <div class="content">
- <div class="document">
-
- <div class="documentwrapper">
- <div class="bodywrapper">
- <div class="body" role="main">
-
- <section id="realm-configuration-decisions">
-<h1>Realm configuration decisions<a class="headerlink" href="#realm-configuration-decisions" title="Link to this heading">¶</a></h1>
-<p>Before installing Kerberos V5, it is necessary to consider the
-following issues:</p>
-<ul class="simple">
-<li><p>The name of your Kerberos realm (or the name of each realm, if you
-need more than one).</p></li>
-<li><p>How you will assign your hostnames to Kerberos realms.</p></li>
-<li><p>Which ports your KDC and and kadmind services will use, if they will
-not be using the default ports.</p></li>
-<li><p>How many replica KDCs you need and where they should be located.</p></li>
-<li><p>The hostnames of your primary and replica KDCs.</p></li>
-<li><p>How frequently you will propagate the database from the primary KDC
-to the replica KDCs.</p></li>
-</ul>
-<section id="realm-name">
-<h2>Realm name<a class="headerlink" href="#realm-name" title="Link to this heading">¶</a></h2>
-<p>Although your Kerberos realm can be any ASCII string, convention is to
-make it the same as your domain name, in upper-case letters.</p>
-<p>For example, hosts in the domain <code class="docutils literal notranslate"><span class="pre">example.com</span></code> would be in the
-Kerberos realm:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">EXAMPLE</span><span class="o">.</span><span class="n">COM</span>
-</pre></div>
-</div>
-<p>If you need multiple Kerberos realms, MIT recommends that you use
-descriptive names which end with your domain name, such as:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">BOSTON</span><span class="o">.</span><span class="n">EXAMPLE</span><span class="o">.</span><span class="n">COM</span>
-<span class="n">HOUSTON</span><span class="o">.</span><span class="n">EXAMPLE</span><span class="o">.</span><span class="n">COM</span>
-</pre></div>
-</div>
-</section>
-<section id="mapping-hostnames-onto-kerberos-realms">
-<span id="mapping-hostnames"></span><h2>Mapping hostnames onto Kerberos realms<a class="headerlink" href="#mapping-hostnames-onto-kerberos-realms" title="Link to this heading">¶</a></h2>
-<p>Mapping hostnames onto Kerberos realms is done in one of three ways.</p>
-<p>The first mechanism works through a set of rules in the
-<a class="reference internal" href="conf_files/krb5_conf.html#domain-realm"><span class="std std-ref">[domain_realm]</span></a> section of <a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a>. You can specify
-mappings for an entire domain or on a per-hostname basis. Typically
-you would do this by specifying the mappings for a given domain or
-subdomain and listing the exceptions.</p>
-<p>The second mechanism is to use KDC host-based service referrals. With
-this method, the KDC’s krb5.conf has a full [domain_realm] mapping for
-hosts, but the clients do not, or have mappings for only a subset of
-the hosts they might contact. When a client needs to contact a server
-host for which it has no mapping, it will ask the client realm’s KDC
-for the service ticket, and will receive a referral to the appropriate
-service realm.</p>
-<p>To use referrals, clients must be running MIT krb5 1.6 or later, and
-the KDC must be running MIT krb5 1.7 or later. The
-<strong>host_based_services</strong> and <strong>no_host_referral</strong> variables in the
-<a class="reference internal" href="conf_files/kdc_conf.html#kdc-realms"><span class="std std-ref">[realms]</span></a> section of <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a> can be used to
-fine-tune referral behavior on the KDC.</p>
-<p>It is also possible for clients to use DNS TXT records, if
-<strong>dns_lookup_realm</strong> is enabled in <a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a>. Such lookups
-are disabled by default because DNS is an insecure protocol and security
-holes could result if DNS records are spoofed. If enabled, the client
-will try to look up a TXT record formed by prepending the prefix
-<code class="docutils literal notranslate"><span class="pre">_kerberos</span></code> to the hostname in question. If that record is not
-found, the client will attempt a lookup by prepending <code class="docutils literal notranslate"><span class="pre">_kerberos</span></code> to the
-host’s domain name, then its parent domain, up to the top-level domain.
-For the hostname <code class="docutils literal notranslate"><span class="pre">boston.engineering.example.com</span></code>, the names looked up
-would be:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">_kerberos</span><span class="o">.</span><span class="n">boston</span><span class="o">.</span><span class="n">engineering</span><span class="o">.</span><span class="n">example</span><span class="o">.</span><span class="n">com</span>
-<span class="n">_kerberos</span><span class="o">.</span><span class="n">engineering</span><span class="o">.</span><span class="n">example</span><span class="o">.</span><span class="n">com</span>
-<span class="n">_kerberos</span><span class="o">.</span><span class="n">example</span><span class="o">.</span><span class="n">com</span>
-<span class="n">_kerberos</span><span class="o">.</span><span class="n">com</span>
-</pre></div>
-</div>
-<p>The value of the first TXT record found is taken as the realm name.</p>
-<p>Even if you do not choose to use this mechanism within your site,
-you may wish to set it up anyway, for use when interacting with other sites.</p>
-</section>
-<section id="ports-for-the-kdc-and-admin-services">
-<h2>Ports for the KDC and admin services<a class="headerlink" href="#ports-for-the-kdc-and-admin-services" title="Link to this heading">¶</a></h2>
-<p>The default ports used by Kerberos are port 88 for the KDC and port
-749 for the admin server. You can, however, choose to run on other
-ports, as long as they are specified in each host’s
-<a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a> files or in DNS SRV records, and the
-<a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a> file on each KDC. For a more thorough treatment of
-port numbers used by the Kerberos V5 programs, refer to the
-<a class="reference internal" href="appl_servers.html#conf-firewall"><span class="std std-ref">Configuring your firewall to work with Kerberos V5</span></a>.</p>
-</section>
-<section id="replica-kdcs">
-<h2>Replica KDCs<a class="headerlink" href="#replica-kdcs" title="Link to this heading">¶</a></h2>
-<p>Replica KDCs provide an additional source of Kerberos ticket-granting
-services in the event of inaccessibility of the primary KDC. The
-number of replica KDCs you need and the decision of where to place them,
-both physically and logically, depends on the specifics of your
-network.</p>
-<p>Kerberos authentication requires that each client be able to contact a
-KDC. Therefore, you need to anticipate any likely reason a KDC might
-be unavailable and have a replica KDC to take up the slack.</p>
-<p>Some considerations include:</p>
-<ul class="simple">
-<li><p>Have at least one replica KDC as a backup, for when the primary KDC
-is down, is being upgraded, or is otherwise unavailable.</p></li>
-<li><p>If your network is split such that a network outage is likely to
-cause a network partition (some segment or segments of the network
-to become cut off or isolated from other segments), have a replica
-KDC accessible to each segment.</p></li>
-<li><p>If possible, have at least one replica KDC in a different building
-from the primary, in case of power outages, fires, or other
-localized disasters.</p></li>
-</ul>
-</section>
-<section id="hostnames-for-kdcs">
-<span id="kdc-hostnames"></span><h2>Hostnames for KDCs<a class="headerlink" href="#hostnames-for-kdcs" title="Link to this heading">¶</a></h2>
-<p>MIT recommends that your KDCs have a predefined set of CNAME records
-(DNS hostname aliases), such as <code class="docutils literal notranslate"><span class="pre">kerberos</span></code> for the primary KDC and
-<code class="docutils literal notranslate"><span class="pre">kerberos-1</span></code>, <code class="docutils literal notranslate"><span class="pre">kerberos-2</span></code>, … for the replica KDCs. This way,
-if you need to swap a machine, you only need to change a DNS entry,
-rather than having to change hostnames.</p>
-<p>As of MIT krb5 1.4, clients can locate a realm’s KDCs through DNS
-using SRV records (<span class="target" id="index-0"></span><a class="rfc reference external" href="https://datatracker.ietf.org/doc/html/rfc2782.html"><strong>RFC 2782</strong></a>), assuming the Kerberos realm name is
-also a DNS domain name. These records indicate the hostname and port
-number to contact for that service, optionally with weighting and
-prioritization. The domain name used in the SRV record name is the
-realm name. Several different Kerberos-related service names are
-used:</p>
-<dl>
-<dt>_kerberos._udp</dt><dd><p>This is for contacting any KDC by UDP. This entry will be used
-the most often. Normally you should list port 88 on each of your
-KDCs.</p>
-</dd>
-<dt>_kerberos._tcp</dt><dd><p>This is for contacting any KDC by TCP. Normally you should use
-port 88. This entry should be omitted if the KDC does not listen
-on TCP ports, as was the default prior to release 1.13.</p>
-</dd>
-<dt>_kerberos-master._udp</dt><dd><p>This entry should refer to those KDCs, if any, that will
-immediately see password changes to the Kerberos database. If a
-user is logging in and the password appears to be incorrect, the
-client will retry with the primary KDC before failing with an
-“incorrect password” error given.</p>
-<p>If you have only one KDC, or for whatever reason there is no
-accessible KDC that would get database changes faster than the
-others, you do not need to define this entry.</p>
-</dd>
-<dt>_kerberos-adm._tcp</dt><dd><p>This should list port 749 on your primary KDC. Support for it is
-not complete at this time, but it will eventually be used by the
-<a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> program and related utilities. For now, you will
-also need the <strong>admin_server</strong> variable in <a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a>.</p>
-</dd>
-<dt>_kerberos-master._tcp</dt><dd><p>The corresponding TCP port for _kerberos-master._udp, assuming the
-primary KDC listens on a TCP port.</p>
-</dd>
-<dt>_kpasswd._udp</dt><dd><p>This entry should list port 464 on your primary KDC. It is used
-when a user changes her password. If this entry is not defined
-but a _kerberos-adm._tcp entry is defined, the client will use the
-_kerberos-adm._tcp entry with the port number changed to 464.</p>
-</dd>
-<dt>_kpasswd._tcp</dt><dd><p>The corresponding TCP port for _kpasswd._udp.</p>
-</dd>
-</dl>
-<p>The DNS SRV specification requires that the hostnames listed be the
-canonical names, not aliases. So, for example, you might include the
-following records in your (BIND-style) zone file:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>$ORIGIN foobar.com.
-_kerberos TXT &quot;FOOBAR.COM&quot;
-kerberos CNAME daisy
-kerberos-1 CNAME use-the-force-luke
-kerberos-2 CNAME bunny-rabbit
-_kerberos._udp SRV 0 0 88 daisy
- SRV 0 0 88 use-the-force-luke
- SRV 0 0 88 bunny-rabbit
-_kerberos-master._udp SRV 0 0 88 daisy
-_kerberos-adm._tcp SRV 0 0 749 daisy
-_kpasswd._udp SRV 0 0 464 daisy
-</pre></div>
-</div>
-<p>Clients can also be configured with the explicit location of services
-using the <strong>kdc</strong>, <strong>master_kdc</strong>, <strong>admin_server</strong>, and
-<strong>kpasswd_server</strong> variables in the <a class="reference internal" href="conf_files/krb5_conf.html#realms"><span class="std std-ref">[realms]</span></a> section of
-<a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a>. Even if some clients will be configured with
-explicit server locations, providing SRV records will still benefit
-unconfigured clients, and be useful for other sites.</p>
-<p>Clients can be configured with the <strong>sitename</strong> realm variable (new in
-release 1.22). If a site name is set, the client first attempts SRV
-record lookups with “.*sitename*._sites” inserted after the service
-and protocol name and before the Kerberos realm. Site-specific
-records may indicate servers more proximal to the client, allowing for
-faster access.</p>
-</section>
-<section id="kdc-discovery">
-<span id="id1"></span><h2>KDC Discovery<a class="headerlink" href="#kdc-discovery" title="Link to this heading">¶</a></h2>
-<p>As of MIT krb5 1.15, clients can also locate KDCs in DNS through URI
-records (<span class="target" id="index-1"></span><a class="rfc reference external" href="https://datatracker.ietf.org/doc/html/rfc7553.html"><strong>RFC 7553</strong></a>). Limitations with the SRV record format may
-result in extra DNS queries in situations where a client must failover
-to other transport types, or find a primary server. The URI record
-can convey more information about a realm’s KDCs with a single query.</p>
-<p>The client performs a query for the following URI records:</p>
-<ul class="simple">
-<li><p><code class="docutils literal notranslate"><span class="pre">_kerberos.REALM</span></code> for finding KDCs.</p></li>
-<li><p><code class="docutils literal notranslate"><span class="pre">_kerberos-adm.REALM</span></code> for finding kadmin services.</p></li>
-<li><p><code class="docutils literal notranslate"><span class="pre">_kpasswd.REALM</span></code> for finding password services.</p></li>
-</ul>
-<p>The URI record includes a priority, weight, and a URI string that
-consists of case-insensitive colon separated fields, in the form
-<code class="docutils literal notranslate"><span class="pre">scheme:[flags]:transport:residual</span></code>.</p>
-<ul class="simple">
-<li><p><em>scheme</em> defines the registered URI type. It should always be
-<code class="docutils literal notranslate"><span class="pre">krb5srv</span></code>.</p></li>
-<li><p><em>flags</em> contains zero or more flag characters. Currently the only
-valid flag is <code class="docutils literal notranslate"><span class="pre">m</span></code>, which indicates that the record is for a
-primary server.</p></li>
-<li><p><em>transport</em> defines the transport type of the residual URL or
-address. Accepted values are <code class="docutils literal notranslate"><span class="pre">tcp</span></code>, <code class="docutils literal notranslate"><span class="pre">udp</span></code>, or <code class="docutils literal notranslate"><span class="pre">kkdcp</span></code> for the
-MS-KKDCP type.</p></li>
-<li><p><em>residual</em> contains the hostname, IP address, or URL to be
-contacted using the specified transport, with an optional port
-extension. The MS-KKDCP transport type uses a HTTPS URL, and can
-include a port and/or path extension.</p></li>
-</ul>
-<p>An example of URI records in a zone file:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">_kerberos</span><span class="o">.</span><span class="n">EXAMPLE</span><span class="o">.</span><span class="n">COM</span> <span class="n">URI</span> <span class="mi">10</span> <span class="mi">1</span> <span class="n">krb5srv</span><span class="p">:</span><span class="n">m</span><span class="p">:</span><span class="n">tcp</span><span class="p">:</span><span class="n">kdc1</span><span class="o">.</span><span class="n">example</span><span class="o">.</span><span class="n">com</span>
- <span class="n">URI</span> <span class="mi">20</span> <span class="mi">1</span> <span class="n">krb5srv</span><span class="p">:</span><span class="n">m</span><span class="p">:</span><span class="n">udp</span><span class="p">:</span><span class="n">kdc2</span><span class="o">.</span><span class="n">example</span><span class="o">.</span><span class="n">com</span><span class="p">:</span><span class="mi">89</span>
- <span class="n">URI</span> <span class="mi">40</span> <span class="mi">1</span> <span class="n">krb5srv</span><span class="p">::</span><span class="n">udp</span><span class="p">:</span><span class="mf">10.10.0.23</span>
- <span class="n">URI</span> <span class="mi">30</span> <span class="mi">1</span> <span class="n">krb5srv</span><span class="p">::</span><span class="n">kkdcp</span><span class="p">:</span><span class="n">https</span><span class="p">:</span><span class="o">//</span><span class="n">proxy</span><span class="p">:</span><span class="mi">89</span><span class="o">/</span><span class="n">auth</span>
-</pre></div>
-</div>
-<p>URI lookups are enabled by default, and can be disabled by setting
-<strong>dns_uri_lookup</strong> in the <a class="reference internal" href="conf_files/krb5_conf.html#libdefaults"><span class="std std-ref">[libdefaults]</span></a> section of
-<a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a> to False. When enabled, URI lookups take
-precedence over SRV lookups, falling back to SRV lookups if no URI
-records are found.</p>
-<p>The <strong>sitename</strong> variable in the <a class="reference internal" href="conf_files/krb5_conf.html#realms"><span class="std std-ref">[realms]</span></a> section of
-<a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a> applies to URI lookups as well as SRV lookups.</p>
-</section>
-<section id="database-propagation">
-<span id="db-prop"></span><h2>Database propagation<a class="headerlink" href="#database-propagation" title="Link to this heading">¶</a></h2>
-<p>The Kerberos database resides on the primary KDC, and must be
-propagated regularly (usually by a cron job) to the replica KDCs. In
-deciding how frequently the propagation should happen, you will need
-to balance the amount of time the propagation takes against the
-maximum reasonable amount of time a user should have to wait for a
-password change to take effect.</p>
-<p>If the propagation time is longer than this maximum reasonable time
-(e.g., you have a particularly large database, you have a lot of
-replicas, or you experience frequent network delays), you may wish to
-cut down on your propagation delay by performing the propagation in
-parallel. To do this, have the primary KDC propagate the database to
-one set of replicas, and then have each of these replicas propagate
-the database to additional replicas.</p>
-<p>See also <a class="reference internal" href="database.html#incr-db-prop"><span class="std std-ref">Incremental database propagation</span></a></p>
-</section>
-</section>
-
-
- <div class="clearer"></div>
- </div>
- </div>
- </div>
- </div>
- <div class="sidebar">
-
- <h2>On this page</h2>
- <ul>
-<li><a class="reference internal" href="#">Realm configuration decisions</a><ul>
-<li><a class="reference internal" href="#realm-name">Realm name</a></li>
-<li><a class="reference internal" href="#mapping-hostnames-onto-kerberos-realms">Mapping hostnames onto Kerberos realms</a></li>
-<li><a class="reference internal" href="#ports-for-the-kdc-and-admin-services">Ports for the KDC and admin services</a></li>
-<li><a class="reference internal" href="#replica-kdcs">Replica KDCs</a></li>
-<li><a class="reference internal" href="#hostnames-for-kdcs">Hostnames for KDCs</a></li>
-<li><a class="reference internal" href="#kdc-discovery">KDC Discovery</a></li>
-<li><a class="reference internal" href="#database-propagation">Database propagation</a></li>
-</ul>
-</li>
-</ul>
-
- <br/>
- <h2>Table of contents</h2>
- <ul class="current">
-<li class="toctree-l1"><a class="reference internal" href="../user/index.html">For users</a></li>
-<li class="toctree-l1 current"><a class="reference internal" href="index.html">For administrators</a><ul class="current">
-<li class="toctree-l2"><a class="reference internal" href="install.html">Installation guide</a></li>
-<li class="toctree-l2"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li>
-<li class="toctree-l2 current"><a class="current reference internal" href="#">Realm configuration decisions</a></li>
-<li class="toctree-l2"><a class="reference internal" href="database.html">Database administration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="dbtypes.html">Database types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="lockout.html">Account lockout</a></li>
-<li class="toctree-l2"><a class="reference internal" href="conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
-<li class="toctree-l2"><a class="reference internal" href="appl_servers.html">Application servers</a></li>
-<li class="toctree-l2"><a class="reference internal" href="host_config.html">Host configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="backup_host.html">Backups of secure hosts</a></li>
-<li class="toctree-l2"><a class="reference internal" href="pkinit.html">PKINIT configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="otp.html">OTP Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="spake.html">SPAKE Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="dictionary.html">Addressing dictionary attack risks</a></li>
-<li class="toctree-l2"><a class="reference internal" href="princ_dns.html">Principal names and DNS</a></li>
-<li class="toctree-l2"><a class="reference internal" href="enctypes.html">Encryption types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="https.html">HTTPS proxy configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="auth_indicator.html">Authentication indicators</a></li>
-<li class="toctree-l2"><a class="reference internal" href="admin_commands/index.html">Administration programs</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../mitK5defaults.html">MIT Kerberos defaults</a></li>
-<li class="toctree-l2"><a class="reference internal" href="env_variables.html">Environment variables</a></li>
-<li class="toctree-l2"><a class="reference internal" href="troubleshoot.html">Troubleshooting</a></li>
-<li class="toctree-l2"><a class="reference internal" href="advanced/index.html">Advanced topics</a></li>
-<li class="toctree-l2"><a class="reference internal" href="various_envs.html">Various links</a></li>
-</ul>
-</li>
-<li class="toctree-l1"><a class="reference internal" href="../appdev/index.html">For application developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../plugindev/index.html">For plugin module developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../basic/index.html">Kerberos V5 concepts</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../formats/index.html">Protocols and file formats</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../build_this.html">How to build this documentation from the source</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../about.html">Contributing to the MIT Kerberos Documentation</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../resources.html">Resources</a></li>
-</ul>
-
- <br/>
- <h4><a href="../index.html">Full Table of Contents</a></h4>
- <h4>Search</h4>
- <form class="search" action="../search.html" method="get">
- <input type="text" name="q" size="18" />
- <input type="submit" value="Go" />
- <input type="hidden" name="check_keywords" value="yes" />
- <input type="hidden" name="area" value="default" />
- </form>
-
- </div>
- <div class="clearer"></div>
- </div>
- </div>
-
- <div class="footer-wrapper">
- <div class="footer" >
- <div class="right" ><i>Release: 1.22-final</i><br />
- &copy; <a href="../copyright.html">Copyright</a> 1985-2025, MIT.
- </div>
- <div class="left">
-
- <a href="../index.html" title="Full Table of Contents"
- >Contents</a> |
- <a href="conf_files/kadm5_acl.html" title="kadm5.acl"
- >previous</a> |
- <a href="database.html" title="Database administration"
- >next</a> |
- <a href="../genindex.html" title="General Index"
- >index</a> |
- <a href="../search.html" title="Enter search criteria"
- >Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Realm configuration decisions">feedback</a>
- </div>
- </div>
- </div>
-
- </body>
-</html> \ No newline at end of file
diff --git a/crypto/krb5/doc/html/admin/spake.html b/crypto/krb5/doc/html/admin/spake.html
deleted file mode 100644
index de215dfbc571..000000000000
--- a/crypto/krb5/doc/html/admin/spake.html
+++ /dev/null
@@ -1,197 +0,0 @@
-<!DOCTYPE html>
-
-<html lang="en" data-content_root="../">
- <head>
- <meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
-
- <title>SPAKE Preauthentication &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../_static/pygments.css?v=fa44fd50" />
- <link rel="stylesheet" type="text/css" href="../_static/agogo.css?v=879f3c71" />
- <link rel="stylesheet" type="text/css" href="../_static/kerb.css?v=6a0b3979" />
- <script src="../_static/documentation_options.js?v=236fef3b"></script>
- <script src="../_static/doctools.js?v=888ff710"></script>
- <script src="../_static/sphinx_highlight.js?v=dc90522c"></script>
- <link rel="author" title="About these documents" href="../about.html" />
- <link rel="index" title="Index" href="../genindex.html" />
- <link rel="search" title="Search" href="../search.html" />
- <link rel="copyright" title="Copyright" href="../copyright.html" />
- <link rel="next" title="Addressing dictionary attack risks" href="dictionary.html" />
- <link rel="prev" title="OTP Preauthentication" href="otp.html" />
- </head><body>
- <div class="header-wrapper">
- <div class="header">
-
-
- <h1><a href="../index.html">MIT Kerberos Documentation</a></h1>
-
- <div class="rel">
-
- <a href="../index.html" title="Full Table of Contents"
- accesskey="C">Contents</a> |
- <a href="otp.html" title="OTP Preauthentication"
- accesskey="P">previous</a> |
- <a href="dictionary.html" title="Addressing dictionary attack risks"
- accesskey="N">next</a> |
- <a href="../genindex.html" title="General Index"
- accesskey="I">index</a> |
- <a href="../search.html" title="Enter search criteria"
- accesskey="S">Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__SPAKE Preauthentication">feedback</a>
- </div>
- </div>
- </div>
-
- <div class="content-wrapper">
- <div class="content">
- <div class="document">
-
- <div class="documentwrapper">
- <div class="bodywrapper">
- <div class="body" role="main">
-
- <section id="spake-preauthentication">
-<span id="spake"></span><h1>SPAKE Preauthentication<a class="headerlink" href="#spake-preauthentication" title="Link to this heading">¶</a></h1>
-<p>SPAKE preauthentication (added in release 1.17) uses public key
-cryptography techniques to protect against <a class="reference internal" href="dictionary.html#dictionary"><span class="std std-ref">password dictionary
-attacks</span></a>. Unlike <a class="reference internal" href="pkinit.html#pkinit"><span class="std std-ref">PKINIT</span></a>, it does not
-require any additional infrastructure such as certificates; it simply
-needs to be turned on. Using SPAKE preauthentication may modestly
-increase the CPU and network load on the KDC.</p>
-<p>SPAKE preauthentication can use one of four elliptic curve groups for
-its password-authenticated key exchange. The recommended group is
-<code class="docutils literal notranslate"><span class="pre">edwards25519</span></code>; three NIST curves (<code class="docutils literal notranslate"><span class="pre">P-256</span></code>, <code class="docutils literal notranslate"><span class="pre">P-384</span></code>, and
-<code class="docutils literal notranslate"><span class="pre">P-521</span></code>) are also supported.</p>
-<p>By default, SPAKE with the <code class="docutils literal notranslate"><span class="pre">edwards25519</span></code> group is enabled on
-clients, but the KDC does not offer SPAKE by default. To turn it on,
-set the <strong>spake_preauth_groups</strong> variable in <a class="reference internal" href="conf_files/krb5_conf.html#libdefaults"><span class="std std-ref">[libdefaults]</span></a> to a
-list of allowed groups. This variable affects both the client and the
-KDC. Simply setting it to <code class="docutils literal notranslate"><span class="pre">edwards25519</span></code> is recommended:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">libdefaults</span><span class="p">]</span>
- <span class="n">spake_preauth_groups</span> <span class="o">=</span> <span class="n">edwards25519</span>
-</pre></div>
-</div>
-<p>Set the <strong>+requires_preauth</strong> and <strong>-allow_svr</strong> flags on client
-principal entries, as you would for any preauthentication mechanism:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">modprinc</span> <span class="o">+</span><span class="n">requires_preauth</span> <span class="o">-</span><span class="n">allow_svr</span> <span class="n">PRINCNAME</span>
-</pre></div>
-</div>
-<p>Clients which do not implement SPAKE preauthentication will fall back
-to encrypted timestamp.</p>
-<p>An active attacker can force a fallback to encrypted timestamp by
-modifying the initial KDC response, defeating the protection against
-dictionary attacks. To prevent this fallback on clients which do
-implement SPAKE preauthentication, set the
-<strong>disable_encrypted_timestamp</strong> variable to <code class="docutils literal notranslate"><span class="pre">true</span></code> in the
-<a class="reference internal" href="conf_files/krb5_conf.html#realms"><span class="std std-ref">[realms]</span></a> subsection for realms whose KDCs offer SPAKE
-preauthentication.</p>
-<p>By default, SPAKE preauthentication requires an extra network round
-trip to the KDC during initial authentication. If most of the clients
-in a realm support SPAKE, this extra round trip can be eliminated
-using an optimistic challenge, by setting the
-<strong>spake_preauth_kdc_challenge</strong> variable in <a class="reference internal" href="conf_files/kdc_conf.html#kdcdefaults"><span class="std std-ref">[kdcdefaults]</span></a> to a
-single group name:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">kdcdefaults</span><span class="p">]</span>
- <span class="n">spake_preauth_kdc_challenge</span> <span class="o">=</span> <span class="n">edwards25519</span>
-</pre></div>
-</div>
-<p>Using optimistic challenge will cause the KDC to do extra work for
-initial authentication requests that do not result in SPAKE
-preauthentication, but will save work when SPAKE preauthentication is
-used.</p>
-</section>
-
-
- <div class="clearer"></div>
- </div>
- </div>
- </div>
- </div>
- <div class="sidebar">
-
- <h2>On this page</h2>
- <ul>
-<li><a class="reference internal" href="#">SPAKE Preauthentication</a></li>
-</ul>
-
- <br/>
- <h2>Table of contents</h2>
- <ul class="current">
-<li class="toctree-l1"><a class="reference internal" href="../user/index.html">For users</a></li>
-<li class="toctree-l1 current"><a class="reference internal" href="index.html">For administrators</a><ul class="current">
-<li class="toctree-l2"><a class="reference internal" href="install.html">Installation guide</a></li>
-<li class="toctree-l2"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li>
-<li class="toctree-l2"><a class="reference internal" href="realm_config.html">Realm configuration decisions</a></li>
-<li class="toctree-l2"><a class="reference internal" href="database.html">Database administration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="dbtypes.html">Database types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="lockout.html">Account lockout</a></li>
-<li class="toctree-l2"><a class="reference internal" href="conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
-<li class="toctree-l2"><a class="reference internal" href="appl_servers.html">Application servers</a></li>
-<li class="toctree-l2"><a class="reference internal" href="host_config.html">Host configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="backup_host.html">Backups of secure hosts</a></li>
-<li class="toctree-l2"><a class="reference internal" href="pkinit.html">PKINIT configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="otp.html">OTP Preauthentication</a></li>
-<li class="toctree-l2 current"><a class="current reference internal" href="#">SPAKE Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="dictionary.html">Addressing dictionary attack risks</a></li>
-<li class="toctree-l2"><a class="reference internal" href="princ_dns.html">Principal names and DNS</a></li>
-<li class="toctree-l2"><a class="reference internal" href="enctypes.html">Encryption types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="https.html">HTTPS proxy configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="auth_indicator.html">Authentication indicators</a></li>
-<li class="toctree-l2"><a class="reference internal" href="admin_commands/index.html">Administration programs</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../mitK5defaults.html">MIT Kerberos defaults</a></li>
-<li class="toctree-l2"><a class="reference internal" href="env_variables.html">Environment variables</a></li>
-<li class="toctree-l2"><a class="reference internal" href="troubleshoot.html">Troubleshooting</a></li>
-<li class="toctree-l2"><a class="reference internal" href="advanced/index.html">Advanced topics</a></li>
-<li class="toctree-l2"><a class="reference internal" href="various_envs.html">Various links</a></li>
-</ul>
-</li>
-<li class="toctree-l1"><a class="reference internal" href="../appdev/index.html">For application developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../plugindev/index.html">For plugin module developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../basic/index.html">Kerberos V5 concepts</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../formats/index.html">Protocols and file formats</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../build_this.html">How to build this documentation from the source</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../about.html">Contributing to the MIT Kerberos Documentation</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../resources.html">Resources</a></li>
-</ul>
-
- <br/>
- <h4><a href="../index.html">Full Table of Contents</a></h4>
- <h4>Search</h4>
- <form class="search" action="../search.html" method="get">
- <input type="text" name="q" size="18" />
- <input type="submit" value="Go" />
- <input type="hidden" name="check_keywords" value="yes" />
- <input type="hidden" name="area" value="default" />
- </form>
-
- </div>
- <div class="clearer"></div>
- </div>
- </div>
-
- <div class="footer-wrapper">
- <div class="footer" >
- <div class="right" ><i>Release: 1.22-final</i><br />
- &copy; <a href="../copyright.html">Copyright</a> 1985-2025, MIT.
- </div>
- <div class="left">
-
- <a href="../index.html" title="Full Table of Contents"
- >Contents</a> |
- <a href="otp.html" title="OTP Preauthentication"
- >previous</a> |
- <a href="dictionary.html" title="Addressing dictionary attack risks"
- >next</a> |
- <a href="../genindex.html" title="General Index"
- >index</a> |
- <a href="../search.html" title="Enter search criteria"
- >Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__SPAKE Preauthentication">feedback</a>
- </div>
- </div>
- </div>
-
- </body>
-</html> \ No newline at end of file
diff --git a/crypto/krb5/doc/html/admin/troubleshoot.html b/crypto/krb5/doc/html/admin/troubleshoot.html
deleted file mode 100644
index 812508f5b31e..000000000000
--- a/crypto/krb5/doc/html/admin/troubleshoot.html
+++ /dev/null
@@ -1,264 +0,0 @@
-<!DOCTYPE html>
-
-<html lang="en" data-content_root="../">
- <head>
- <meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
-
- <title>Troubleshooting &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../_static/pygments.css?v=fa44fd50" />
- <link rel="stylesheet" type="text/css" href="../_static/agogo.css?v=879f3c71" />
- <link rel="stylesheet" type="text/css" href="../_static/kerb.css?v=6a0b3979" />
- <script src="../_static/documentation_options.js?v=236fef3b"></script>
- <script src="../_static/doctools.js?v=888ff710"></script>
- <script src="../_static/sphinx_highlight.js?v=dc90522c"></script>
- <link rel="author" title="About these documents" href="../about.html" />
- <link rel="index" title="Index" href="../genindex.html" />
- <link rel="search" title="Search" href="../search.html" />
- <link rel="copyright" title="Copyright" href="../copyright.html" />
- <link rel="next" title="Advanced topics" href="advanced/index.html" />
- <link rel="prev" title="Environment variables" href="env_variables.html" />
- </head><body>
- <div class="header-wrapper">
- <div class="header">
-
-
- <h1><a href="../index.html">MIT Kerberos Documentation</a></h1>
-
- <div class="rel">
-
- <a href="../index.html" title="Full Table of Contents"
- accesskey="C">Contents</a> |
- <a href="env_variables.html" title="Environment variables"
- accesskey="P">previous</a> |
- <a href="advanced/index.html" title="Advanced topics"
- accesskey="N">next</a> |
- <a href="../genindex.html" title="General Index"
- accesskey="I">index</a> |
- <a href="../search.html" title="Enter search criteria"
- accesskey="S">Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Troubleshooting">feedback</a>
- </div>
- </div>
- </div>
-
- <div class="content-wrapper">
- <div class="content">
- <div class="document">
-
- <div class="documentwrapper">
- <div class="bodywrapper">
- <div class="body" role="main">
-
- <section id="troubleshooting">
-<span id="troubleshoot"></span><h1>Troubleshooting<a class="headerlink" href="#troubleshooting" title="Link to this heading">¶</a></h1>
-<section id="trace-logging">
-<span id="id1"></span><h2>Trace logging<a class="headerlink" href="#trace-logging" title="Link to this heading">¶</a></h2>
-<p>Most programs using MIT krb5 1.9 or later can be made to provide
-information about internal krb5 library operations using trace
-logging. To enable this, set the <strong>KRB5_TRACE</strong> environment variable
-to a filename before running the program. On many operating systems,
-the filename <code class="docutils literal notranslate"><span class="pre">/dev/stdout</span></code> can be used to send trace logging output
-to standard output.</p>
-<p>Some programs do not honor <strong>KRB5_TRACE</strong>, either because they use
-secure library contexts (this generally applies to setuid programs and
-parts of the login system) or because they take direct control of the
-trace logging system using the API.</p>
-<p>Here is a short example showing trace logging output for an invocation
-of the <a class="reference internal" href="../user/user_commands/kvno.html#kvno-1"><span class="std std-ref">kvno</span></a> command:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">shell</span><span class="o">%</span> <span class="n">env</span> <span class="n">KRB5_TRACE</span><span class="o">=/</span><span class="n">dev</span><span class="o">/</span><span class="n">stdout</span> <span class="n">kvno</span> <span class="n">krbtgt</span><span class="o">/</span><span class="n">KRBTEST</span><span class="o">.</span><span class="n">COM</span>
-<span class="p">[</span><span class="mi">9138</span><span class="p">]</span> <span class="mf">1332348778.823276</span><span class="p">:</span> <span class="n">Getting</span> <span class="n">credentials</span> <span class="n">user</span><span class="nd">@KRBTEST</span><span class="o">.</span><span class="n">COM</span> <span class="o">-&gt;</span>
- <span class="n">krbtgt</span><span class="o">/</span><span class="n">KRBTEST</span><span class="o">.</span><span class="n">COM</span><span class="nd">@KRBTEST</span><span class="o">.</span><span class="n">COM</span> <span class="n">using</span> <span class="n">ccache</span>
- <span class="n">FILE</span><span class="p">:</span><span class="o">/</span><span class="n">me</span><span class="o">/</span><span class="n">krb5</span><span class="o">/</span><span class="n">build</span><span class="o">/</span><span class="n">testdir</span><span class="o">/</span><span class="n">ccache</span>
-<span class="p">[</span><span class="mi">9138</span><span class="p">]</span> <span class="mf">1332348778.823381</span><span class="p">:</span> <span class="n">Retrieving</span> <span class="n">user</span><span class="nd">@KRBTEST</span><span class="o">.</span><span class="n">COM</span> <span class="o">-&gt;</span>
- <span class="n">krbtgt</span><span class="o">/</span><span class="n">KRBTEST</span><span class="o">.</span><span class="n">COM</span><span class="nd">@KRBTEST</span><span class="o">.</span><span class="n">COM</span> <span class="kn">from</span>
- <span class="nn">FILE</span><span class="p">:</span><span class="o">/</span><span class="n">me</span><span class="o">/</span><span class="n">krb5</span><span class="o">/</span><span class="n">build</span><span class="o">/</span><span class="n">testdir</span><span class="o">/</span><span class="n">ccache</span> <span class="k">with</span> <span class="n">result</span><span class="p">:</span> <span class="mi">0</span><span class="o">/</span><span class="n">Unknown</span> <span class="n">code</span> <span class="mi">0</span>
-<span class="n">krbtgt</span><span class="o">/</span><span class="n">KRBTEST</span><span class="o">.</span><span class="n">COM</span><span class="nd">@KRBTEST</span><span class="o">.</span><span class="n">COM</span><span class="p">:</span> <span class="n">kvno</span> <span class="o">=</span> <span class="mi">1</span>
-</pre></div>
-</div>
-</section>
-<section id="list-of-errors">
-<h2>List of errors<a class="headerlink" href="#list-of-errors" title="Link to this heading">¶</a></h2>
-<section id="frequently-seen-errors">
-<h3>Frequently seen errors<a class="headerlink" href="#frequently-seen-errors" title="Link to this heading">¶</a></h3>
-<ol class="arabic simple">
-<li><p><a class="reference internal" href="#init-creds-etype-nosupp"><span class="std std-ref">KDC has no support for encryption type while getting initial credentials</span></a></p></li>
-<li><p><a class="reference internal" href="#cert-chain-etype-nosupp"><span class="std std-ref">credential verification failed: KDC has no support for encryption type</span></a></p></li>
-<li><p><a class="reference internal" href="#err-cert-chain-cert-expired"><span class="std std-ref">Cannot create cert chain: certificate has expired</span></a></p></li>
-</ol>
-</section>
-<section id="errors-seen-by-admins">
-<h3>Errors seen by admins<a class="headerlink" href="#errors-seen-by-admins" title="Link to this heading">¶</a></h3>
-<ol class="arabic simple" id="prop-failed-start">
-<li><p><a class="reference internal" href="#kprop-no-route"><span class="std std-ref">kprop: No route to host while connecting to server</span></a></p></li>
-<li><p><a class="reference internal" href="#kprop-con-refused"><span class="std std-ref">kprop: Connection refused while connecting to server</span></a></p></li>
-<li><p><a class="reference internal" href="#kprop-sendauth-exchange"><span class="std std-ref">kprop: Server rejected authentication (during sendauth exchange) while authenticating to server</span></a></p></li>
-</ol>
-<hr class="docutils" id="prop-failed-end" />
-<section id="kdc-has-no-support-for-encryption-type-while-getting-initial-credentials">
-<span id="init-creds-etype-nosupp"></span><h4>KDC has no support for encryption type while getting initial credentials<a class="headerlink" href="#kdc-has-no-support-for-encryption-type-while-getting-initial-credentials" title="Link to this heading">¶</a></h4>
-</section>
-<section id="credential-verification-failed-kdc-has-no-support-for-encryption-type">
-<span id="cert-chain-etype-nosupp"></span><h4>credential verification failed: KDC has no support for encryption type<a class="headerlink" href="#credential-verification-failed-kdc-has-no-support-for-encryption-type" title="Link to this heading">¶</a></h4>
-<p>This most commonly happens when trying to use a principal with only
-DES keys, in a release (MIT krb5 1.7 or later) which disables DES by
-default. DES encryption is considered weak due to its inadequate key
-size. If you cannot migrate away from its use, you can re-enable DES
-by adding <code class="docutils literal notranslate"><span class="pre">allow_weak_crypto</span> <span class="pre">=</span> <span class="pre">true</span></code> to the <a class="reference internal" href="conf_files/krb5_conf.html#libdefaults"><span class="std std-ref">[libdefaults]</span></a>
-section of <a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a>.</p>
-</section>
-<section id="cannot-create-cert-chain-certificate-has-expired">
-<span id="err-cert-chain-cert-expired"></span><h4>Cannot create cert chain: certificate has expired<a class="headerlink" href="#cannot-create-cert-chain-certificate-has-expired" title="Link to this heading">¶</a></h4>
-<p>This error message indicates that PKINIT authentication failed because
-the client certificate, KDC certificate, or one of the certificates in
-the signing chain above them has expired.</p>
-<p>If the KDC certificate has expired, this message appears in the KDC
-log file, and the client will receive a “Preauthentication failed”
-error. (Prior to release 1.11, the KDC log file message erroneously
-appears as “Out of memory”. Prior to release 1.12, the client will
-receive a “Generic error”.)</p>
-<p>If the client or a signing certificate has expired, this message may
-appear in <a class="reference internal" href="#trace-logging">trace_logging</a> output from <a class="reference internal" href="../user/user_commands/kinit.html#kinit-1"><span class="std std-ref">kinit</span></a> or, starting in
-release 1.12, as an error message from kinit or another program which
-gets initial tickets. The error message is more likely to appear
-properly on the client if the principal entry has no long-term keys.</p>
-</section>
-<section id="kprop-no-route-to-host-while-connecting-to-server">
-<span id="kprop-no-route"></span><h4>kprop: No route to host while connecting to server<a class="headerlink" href="#kprop-no-route-to-host-while-connecting-to-server" title="Link to this heading">¶</a></h4>
-<p>Make sure that the hostname of the replica KDC (as given to kprop) is
-correct, and that any firewalls between the primary and the replica
-allow a connection on port 754.</p>
-</section>
-<section id="kprop-connection-refused-while-connecting-to-server">
-<span id="kprop-con-refused"></span><h4>kprop: Connection refused while connecting to server<a class="headerlink" href="#kprop-connection-refused-while-connecting-to-server" title="Link to this heading">¶</a></h4>
-<p>If the replica KDC is intended to run kpropd out of inetd, make sure
-that inetd is configured to accept krb5_prop connections. inetd may
-need to be restarted or sent a SIGHUP to recognize the new
-configuration. If the replica is intended to run kpropd in standalone
-mode, make sure that it is running.</p>
-</section>
-<section id="kprop-server-rejected-authentication-during-sendauth-exchange-while-authenticating-to-server">
-<span id="kprop-sendauth-exchange"></span><h4>kprop: Server rejected authentication (during sendauth exchange) while authenticating to server<a class="headerlink" href="#kprop-server-rejected-authentication-during-sendauth-exchange-while-authenticating-to-server" title="Link to this heading">¶</a></h4>
-<p>Make sure that:</p>
-<ol class="arabic simple">
-<li><p>The time is synchronized between the primary and replica KDCs.</p></li>
-<li><p>The master stash file was copied from the primary to the expected
-location on the replica.</p></li>
-<li><p>The replica has a keytab file in the default location containing a
-<code class="docutils literal notranslate"><span class="pre">host</span></code> principal for the replica’s hostname.</p></li>
-</ol>
-</section>
-</section>
-</section>
-</section>
-
-
- <div class="clearer"></div>
- </div>
- </div>
- </div>
- </div>
- <div class="sidebar">
-
- <h2>On this page</h2>
- <ul>
-<li><a class="reference internal" href="#">Troubleshooting</a><ul>
-<li><a class="reference internal" href="#trace-logging">Trace logging</a></li>
-<li><a class="reference internal" href="#list-of-errors">List of errors</a><ul>
-<li><a class="reference internal" href="#frequently-seen-errors">Frequently seen errors</a></li>
-<li><a class="reference internal" href="#errors-seen-by-admins">Errors seen by admins</a><ul>
-<li><a class="reference internal" href="#kdc-has-no-support-for-encryption-type-while-getting-initial-credentials">KDC has no support for encryption type while getting initial credentials</a></li>
-<li><a class="reference internal" href="#credential-verification-failed-kdc-has-no-support-for-encryption-type">credential verification failed: KDC has no support for encryption type</a></li>
-<li><a class="reference internal" href="#cannot-create-cert-chain-certificate-has-expired">Cannot create cert chain: certificate has expired</a></li>
-<li><a class="reference internal" href="#kprop-no-route-to-host-while-connecting-to-server">kprop: No route to host while connecting to server</a></li>
-<li><a class="reference internal" href="#kprop-connection-refused-while-connecting-to-server">kprop: Connection refused while connecting to server</a></li>
-<li><a class="reference internal" href="#kprop-server-rejected-authentication-during-sendauth-exchange-while-authenticating-to-server">kprop: Server rejected authentication (during sendauth exchange) while authenticating to server</a></li>
-</ul>
-</li>
-</ul>
-</li>
-</ul>
-</li>
-</ul>
-
- <br/>
- <h2>Table of contents</h2>
- <ul class="current">
-<li class="toctree-l1"><a class="reference internal" href="../user/index.html">For users</a></li>
-<li class="toctree-l1 current"><a class="reference internal" href="index.html">For administrators</a><ul class="current">
-<li class="toctree-l2"><a class="reference internal" href="install.html">Installation guide</a></li>
-<li class="toctree-l2"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li>
-<li class="toctree-l2"><a class="reference internal" href="realm_config.html">Realm configuration decisions</a></li>
-<li class="toctree-l2"><a class="reference internal" href="database.html">Database administration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="dbtypes.html">Database types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="lockout.html">Account lockout</a></li>
-<li class="toctree-l2"><a class="reference internal" href="conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
-<li class="toctree-l2"><a class="reference internal" href="appl_servers.html">Application servers</a></li>
-<li class="toctree-l2"><a class="reference internal" href="host_config.html">Host configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="backup_host.html">Backups of secure hosts</a></li>
-<li class="toctree-l2"><a class="reference internal" href="pkinit.html">PKINIT configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="otp.html">OTP Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="spake.html">SPAKE Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="dictionary.html">Addressing dictionary attack risks</a></li>
-<li class="toctree-l2"><a class="reference internal" href="princ_dns.html">Principal names and DNS</a></li>
-<li class="toctree-l2"><a class="reference internal" href="enctypes.html">Encryption types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="https.html">HTTPS proxy configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="auth_indicator.html">Authentication indicators</a></li>
-<li class="toctree-l2"><a class="reference internal" href="admin_commands/index.html">Administration programs</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../mitK5defaults.html">MIT Kerberos defaults</a></li>
-<li class="toctree-l2"><a class="reference internal" href="env_variables.html">Environment variables</a></li>
-<li class="toctree-l2 current"><a class="current reference internal" href="#">Troubleshooting</a></li>
-<li class="toctree-l2"><a class="reference internal" href="advanced/index.html">Advanced topics</a></li>
-<li class="toctree-l2"><a class="reference internal" href="various_envs.html">Various links</a></li>
-</ul>
-</li>
-<li class="toctree-l1"><a class="reference internal" href="../appdev/index.html">For application developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../plugindev/index.html">For plugin module developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../basic/index.html">Kerberos V5 concepts</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../formats/index.html">Protocols and file formats</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../build_this.html">How to build this documentation from the source</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../about.html">Contributing to the MIT Kerberos Documentation</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../resources.html">Resources</a></li>
-</ul>
-
- <br/>
- <h4><a href="../index.html">Full Table of Contents</a></h4>
- <h4>Search</h4>
- <form class="search" action="../search.html" method="get">
- <input type="text" name="q" size="18" />
- <input type="submit" value="Go" />
- <input type="hidden" name="check_keywords" value="yes" />
- <input type="hidden" name="area" value="default" />
- </form>
-
- </div>
- <div class="clearer"></div>
- </div>
- </div>
-
- <div class="footer-wrapper">
- <div class="footer" >
- <div class="right" ><i>Release: 1.22-final</i><br />
- &copy; <a href="../copyright.html">Copyright</a> 1985-2025, MIT.
- </div>
- <div class="left">
-
- <a href="../index.html" title="Full Table of Contents"
- >Contents</a> |
- <a href="env_variables.html" title="Environment variables"
- >previous</a> |
- <a href="advanced/index.html" title="Advanced topics"
- >next</a> |
- <a href="../genindex.html" title="General Index"
- >index</a> |
- <a href="../search.html" title="Enter search criteria"
- >Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Troubleshooting">feedback</a>
- </div>
- </div>
- </div>
-
- </body>
-</html> \ No newline at end of file
diff --git a/crypto/krb5/doc/html/admin/various_envs.html b/crypto/krb5/doc/html/admin/various_envs.html
deleted file mode 100644
index ce0e0a7a727d..000000000000
--- a/crypto/krb5/doc/html/admin/various_envs.html
+++ /dev/null
@@ -1,177 +0,0 @@
-<!DOCTYPE html>
-
-<html lang="en" data-content_root="../">
- <head>
- <meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
-
- <title>Various links &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../_static/pygments.css?v=fa44fd50" />
- <link rel="stylesheet" type="text/css" href="../_static/agogo.css?v=879f3c71" />
- <link rel="stylesheet" type="text/css" href="../_static/kerb.css?v=6a0b3979" />
- <script src="../_static/documentation_options.js?v=236fef3b"></script>
- <script src="../_static/doctools.js?v=888ff710"></script>
- <script src="../_static/sphinx_highlight.js?v=dc90522c"></script>
- <link rel="author" title="About these documents" href="../about.html" />
- <link rel="index" title="Index" href="../genindex.html" />
- <link rel="search" title="Search" href="../search.html" />
- <link rel="copyright" title="Copyright" href="../copyright.html" />
- <link rel="next" title="For application developers" href="../appdev/index.html" />
- <link rel="prev" title="Retiring DES" href="advanced/retiring-des.html" />
- </head><body>
- <div class="header-wrapper">
- <div class="header">
-
-
- <h1><a href="../index.html">MIT Kerberos Documentation</a></h1>
-
- <div class="rel">
-
- <a href="../index.html" title="Full Table of Contents"
- accesskey="C">Contents</a> |
- <a href="advanced/retiring-des.html" title="Retiring DES"
- accesskey="P">previous</a> |
- <a href="../appdev/index.html" title="For application developers"
- accesskey="N">next</a> |
- <a href="../genindex.html" title="General Index"
- accesskey="I">index</a> |
- <a href="../search.html" title="Enter search criteria"
- accesskey="S">Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Various links">feedback</a>
- </div>
- </div>
- </div>
-
- <div class="content-wrapper">
- <div class="content">
- <div class="document">
-
- <div class="documentwrapper">
- <div class="bodywrapper">
- <div class="body" role="main">
-
- <section id="various-links">
-<h1>Various links<a class="headerlink" href="#various-links" title="Link to this heading">¶</a></h1>
-<section id="whitepapers">
-<h2>Whitepapers<a class="headerlink" href="#whitepapers" title="Link to this heading">¶</a></h2>
-<ol class="arabic simple">
-<li><p><a class="reference external" href="https://kerberos.org/software/whitepapers.html">https://kerberos.org/software/whitepapers.html</a></p></li>
-</ol>
-</section>
-<section id="tutorials">
-<h2>Tutorials<a class="headerlink" href="#tutorials" title="Link to this heading">¶</a></h2>
-<ol class="arabic simple">
-<li><p>Fulvio Ricciardi &lt;<a class="reference external" href="https://www.kerberos.org/software/tutorial.html">https://www.kerberos.org/software/tutorial.html</a>&gt;_</p></li>
-</ol>
-</section>
-<section id="troubleshooting">
-<h2>Troubleshooting<a class="headerlink" href="#troubleshooting" title="Link to this heading">¶</a></h2>
-<ol class="arabic simple">
-<li><p><a class="reference external" href="https://wiki.ncsa.illinois.edu/display/ITS/Windows+Kerberos+Troubleshooting">https://wiki.ncsa.illinois.edu/display/ITS/Windows+Kerberos+Troubleshooting</a></p></li>
-<li><p><a class="reference external" href="https://www.shrubbery.net/solaris9ab/SUNWaadm/SYSADV6/p27.html">https://www.shrubbery.net/solaris9ab/SUNWaadm/SYSADV6/p27.html</a></p></li>
-<li><p><a class="reference external" href="https://docs.oracle.com/cd/E19253-01/816-4557/trouble-1/index.html">https://docs.oracle.com/cd/E19253-01/816-4557/trouble-1/index.html</a></p></li>
-<li><p><a class="reference external" href="https://docs.microsoft.com/en-us/previous-versions/tn-archive/bb463167(v=technet.10">https://docs.microsoft.com/en-us/previous-versions/tn-archive/bb463167(v=technet.10</a>)#EBAA</p></li>
-<li><p><a class="reference external" href="https://bugs.launchpad.net/ubuntu/+source/libpam-heimdal/+bug/86528">https://bugs.launchpad.net/ubuntu/+source/libpam-heimdal/+bug/86528</a></p></li>
-</ol>
-</section>
-</section>
-
-
- <div class="clearer"></div>
- </div>
- </div>
- </div>
- </div>
- <div class="sidebar">
-
- <h2>On this page</h2>
- <ul>
-<li><a class="reference internal" href="#">Various links</a><ul>
-<li><a class="reference internal" href="#whitepapers">Whitepapers</a></li>
-<li><a class="reference internal" href="#tutorials">Tutorials</a></li>
-<li><a class="reference internal" href="#troubleshooting">Troubleshooting</a></li>
-</ul>
-</li>
-</ul>
-
- <br/>
- <h2>Table of contents</h2>
- <ul class="current">
-<li class="toctree-l1"><a class="reference internal" href="../user/index.html">For users</a></li>
-<li class="toctree-l1 current"><a class="reference internal" href="index.html">For administrators</a><ul class="current">
-<li class="toctree-l2"><a class="reference internal" href="install.html">Installation guide</a></li>
-<li class="toctree-l2"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li>
-<li class="toctree-l2"><a class="reference internal" href="realm_config.html">Realm configuration decisions</a></li>
-<li class="toctree-l2"><a class="reference internal" href="database.html">Database administration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="dbtypes.html">Database types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="lockout.html">Account lockout</a></li>
-<li class="toctree-l2"><a class="reference internal" href="conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
-<li class="toctree-l2"><a class="reference internal" href="appl_servers.html">Application servers</a></li>
-<li class="toctree-l2"><a class="reference internal" href="host_config.html">Host configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="backup_host.html">Backups of secure hosts</a></li>
-<li class="toctree-l2"><a class="reference internal" href="pkinit.html">PKINIT configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="otp.html">OTP Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="spake.html">SPAKE Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="dictionary.html">Addressing dictionary attack risks</a></li>
-<li class="toctree-l2"><a class="reference internal" href="princ_dns.html">Principal names and DNS</a></li>
-<li class="toctree-l2"><a class="reference internal" href="enctypes.html">Encryption types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="https.html">HTTPS proxy configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="auth_indicator.html">Authentication indicators</a></li>
-<li class="toctree-l2"><a class="reference internal" href="admin_commands/index.html">Administration programs</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../mitK5defaults.html">MIT Kerberos defaults</a></li>
-<li class="toctree-l2"><a class="reference internal" href="env_variables.html">Environment variables</a></li>
-<li class="toctree-l2"><a class="reference internal" href="troubleshoot.html">Troubleshooting</a></li>
-<li class="toctree-l2"><a class="reference internal" href="advanced/index.html">Advanced topics</a></li>
-<li class="toctree-l2 current"><a class="current reference internal" href="#">Various links</a></li>
-</ul>
-</li>
-<li class="toctree-l1"><a class="reference internal" href="../appdev/index.html">For application developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../plugindev/index.html">For plugin module developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../basic/index.html">Kerberos V5 concepts</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../formats/index.html">Protocols and file formats</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../build_this.html">How to build this documentation from the source</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../about.html">Contributing to the MIT Kerberos Documentation</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../resources.html">Resources</a></li>
-</ul>
-
- <br/>
- <h4><a href="../index.html">Full Table of Contents</a></h4>
- <h4>Search</h4>
- <form class="search" action="../search.html" method="get">
- <input type="text" name="q" size="18" />
- <input type="submit" value="Go" />
- <input type="hidden" name="check_keywords" value="yes" />
- <input type="hidden" name="area" value="default" />
- </form>
-
- </div>
- <div class="clearer"></div>
- </div>
- </div>
-
- <div class="footer-wrapper">
- <div class="footer" >
- <div class="right" ><i>Release: 1.22-final</i><br />
- &copy; <a href="../copyright.html">Copyright</a> 1985-2025, MIT.
- </div>
- <div class="left">
-
- <a href="../index.html" title="Full Table of Contents"
- >Contents</a> |
- <a href="advanced/retiring-des.html" title="Retiring DES"
- >previous</a> |
- <a href="../appdev/index.html" title="For application developers"
- >next</a> |
- <a href="../genindex.html" title="General Index"
- >index</a> |
- <a href="../search.html" title="Enter search criteria"
- >Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Various links">feedback</a>
- </div>
- </div>
- </div>
-
- </body>
-</html> \ No newline at end of file