annotate CSP2/CSP2_env/env-d9b9114564458d9d-741b3de822f2aaca6c6caa4325c4afce/share/man/man5/kdc.conf.5 @ 68:5028fdace37b

planemo upload commit 2e9511a184a1ca667c7be0c6321a36dc4e3d116d
author jpayne
date Tue, 18 Mar 2025 16:23:26 -0400
.\" Man page generated from reStructuredText.
.
.TH "KDC.CONF" "5" " " "1.20.1" "MIT Kerberos"
.SH NAME
kdc.conf \- Kerberos V5 KDC configuration file
.
.nr rst2man-indent-level 0
.
.de1 rstReportMargin
\\$1 \\n[an-margin]
level \\n[rst2man-indent-level]
level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
-
\\n[rst2man-indent0]
\\n[rst2man-indent1]
\\n[rst2man-indent2]
..
.de1 INDENT
.\" .rstReportMargin pre:
. RS \\$1
. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
. nr rst2man-indent-level +1
.\" .rstReportMargin post:
..
.de UNINDENT
. RE
.\" indent \\n[an-margin]
.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
.nr rst2man-indent-level -1
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
.sp
The kdc.conf file supplements krb5.conf(5) for programs which
are typically only used on a KDC, such as the krb5kdc(8) and
kadmind(8) daemons and the kdb5_util(8) program.
Relations documented here may also be specified in krb5.conf; for the
KDC programs mentioned, krb5.conf and kdc.conf will be merged into a
single configuration profile.
.sp
Normally, the kdc.conf file is found in the KDC state directory,
\fB/mnt/c/Users/crash/Documents/BobLiterman/CSP2_Galaxy/CSP2/CSP2_env/env-d9b9114564458d9d-741b3de822f2aaca6c6caa4325c4afce/var\fP\fB/krb5kdc\fP\&. You can override the default location by setting the
environment variable \fBKRB5_KDC_PROFILE\fP\&.
.sp
Please note that you need to restart the KDC daemon for any configuration
changes to take effect.
.SH STRUCTURE
.sp
The kdc.conf file is set up in the same format as the
krb5.conf(5) file.
.SH SECTIONS
.sp
The kdc.conf file may contain the following sections:
.TS
center;
|l|l|.
_
T{
\fI\%[kdcdefaults]\fP
T} T{
Default values for KDC behavior
T}
_
T{
\fI\%[realms]\fP
T} T{
Realm\-specific database configuration and settings
T}
_
T{
\fI\%[dbdefaults]\fP
T} T{
Default database settings
T}
_
T{
\fI\%[dbmodules]\fP
T} T{
Per\-database settings
T}
_
T{
\fI\%[logging]\fP
T} T{
Controls how Kerberos daemons perform logging
T}
_
.TE
.SS [kdcdefaults]
.sp
Some relations in the [kdcdefaults] section specify default values for
realm variables, to be used if the [realms] subsection does not
contain a relation for the tag. See the \fI\%[realms]\fP section for
the definitions of these relations.
.INDENT 0.0
.IP \(bu 2
\fBhost_based_services\fP
.IP \(bu 2
\fBkdc_listen\fP
.IP \(bu 2
\fBkdc_ports\fP
.IP \(bu 2
\fBkdc_tcp_listen\fP
.IP \(bu 2
\fBkdc_tcp_ports\fP
.IP \(bu 2
\fBno_host_referral\fP
.IP \(bu 2
\fBrestrict_anonymous_to_tgt\fP
.UNINDENT
.sp
The following [kdcdefaults] variables have no per\-realm equivalent:
.INDENT 0.0
.TP
\fBkdc_max_dgram_reply_size\fP
Specifies the maximum packet size that can be sent over UDP. The
default value is 4096 bytes.
.TP
\fBkdc_tcp_listen_backlog\fP
(Integer.) Sets the listen queue length for the KDC daemon. The
value may be limited by OS settings. The default value is 5.
.TP
\fBspake_preauth_kdc_challenge\fP
(String.) Specifies the group for a SPAKE optimistic challenge.
See the \fBspake_preauth_groups\fP variable in libdefaults
for possible values. The default is not to issue an optimistic
challenge. (New in release 1.17.)
.UNINDENT
.SS [realms]
.sp
Each tag in the [realms] section is the name of a Kerberos realm. The
value of the tag is a subsection where the relations define KDC
parameters for that particular realm. The following example shows how
to define one parameter for the ATHENA.MIT.EDU realm:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
[realms]
    ATHENA.MIT.EDU = {
        max_renewable_life = 7d 0h 0m 0s
    }
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
The following tags may be specified in a [realms] subsection:
.INDENT 0.0
.TP
\fBacl_file\fP
(String.) Location of the access control list file that
kadmind(8) uses to determine which principals are allowed
which permissions on the Kerberos database. To operate without an
ACL file, set this relation to the empty string with \fBacl_file =
""\fP\&. The default value is \fB/mnt/c/Users/crash/Documents/BobLiterman/CSP2_Galaxy/CSP2/CSP2_env/env-d9b9114564458d9d-741b3de822f2aaca6c6caa4325c4afce/var\fP\fB/krb5kdc\fP\fB/kadm5.acl\fP\&. For more
information on the Kerberos ACL file, see kadm5.acl(5)\&.
.TP
\fBdatabase_module\fP
(String.) This relation indicates the name of the configuration
section under \fI\%[dbmodules]\fP for database\-specific parameters
used by the loadable database library. The default value is the
realm name. If this configuration section does not exist, default
values will be used for all database parameters.
.TP
\fBdatabase_name\fP
(String, deprecated.) This relation specifies the location of the
Kerberos database for this realm, if the DB2 module is being used
and the \fI\%[dbmodules]\fP configuration section does not specify a
database name. The default value is \fB/mnt/c/Users/crash/Documents/BobLiterman/CSP2_Galaxy/CSP2/CSP2_env/env-d9b9114564458d9d-741b3de822f2aaca6c6caa4325c4afce/var\fP\fB/krb5kdc\fP\fB/principal\fP\&.
.TP
\fBdefault_principal_expiration\fP
(abstime string.) Specifies the default expiration date of
principals created in this realm. The default value is 0, which
means no expiration date.
.TP
\fBdefault_principal_flags\fP
(Flag string.) Specifies the default attributes of principals
created in this realm. The format for this string is a
comma\-separated list of flags, with \(aq+\(aq before each flag that
should be enabled and \(aq\-\(aq before each flag that should be
disabled. The \fBpostdateable\fP, \fBforwardable\fP, \fBtgt\-based\fP,
\fBrenewable\fP, \fBproxiable\fP, \fBdup\-skey\fP, \fBallow\-tickets\fP, and
\fBservice\fP flags default to enabled.
.sp
There are a number of possible flags:
.INDENT 7.0
.TP
\fBallow\-tickets\fP
Enabling this flag means that the KDC will issue tickets for
this principal. Disabling this flag essentially deactivates
the principal within this realm.
.TP
\fBdup\-skey\fP
Enabling this flag allows the KDC to issue user\-to\-user
service tickets for this principal.
.TP
\fBforwardable\fP
Enabling this flag allows the principal to obtain forwardable
tickets.
.TP
\fBhwauth\fP
If this flag is enabled, then the principal is required to
preauthenticate using a hardware device before receiving any
tickets.
.TP
\fBno\-auth\-data\-required\fP
Enabling this flag prevents PAC or AD\-SIGNEDPATH data from
being added to service tickets for the principal.
.TP
\fBok\-as\-delegate\fP
If this flag is enabled, it hints the client that credentials
can and should be delegated when authenticating to the
service.
.TP
\fBok\-to\-auth\-as\-delegate\fP
Enabling this flag allows the principal to use S4U2Self tickets.
.TP
\fBpostdateable\fP
Enabling this flag allows the principal to obtain postdateable
tickets.
.TP
\fBpreauth\fP
If this flag is enabled on a client principal, then that
principal is required to preauthenticate to the KDC before
receiving any tickets. On a service principal, enabling this
flag means that service tickets for this principal will only
be issued to clients with a TGT that has the preauthenticated
bit set.
.TP
\fBproxiable\fP
Enabling this flag allows the principal to obtain proxy
tickets.
.TP
\fBpwchange\fP
Enabling this flag forces a password change for this
principal.
.TP
\fBpwservice\fP
If this flag is enabled, it marks this principal as a password
change service. This should only be used in special cases,
for example, if a user\(aqs password has expired, then the user
has to get tickets for that principal without going through
the normal password authentication in order to be able to
change the password.
.TP
\fBrenewable\fP
Enabling this flag allows the principal to obtain renewable
tickets.
.TP
\fBservice\fP
Enabling this flag allows the KDC to issue service tickets
for this principal. In release 1.17 and later, user\-to\-user
service tickets are still allowed if the \fBdup\-skey\fP flag is
set.
.TP
\fBtgt\-based\fP
Enabling this flag allows a principal to obtain tickets based
on a ticket\-granting\-ticket, rather than repeating the
authentication process that was used to obtain the TGT.
.UNINDENT
.TP
\fBdict_file\fP
(String.) Location of the dictionary file containing strings that
are not allowed as passwords. The file should contain one string
per line, with no additional whitespace. If none is specified or
if there is no policy assigned to the principal, no dictionary
checks of passwords will be performed.
.TP
\fBdisable_pac\fP
(Boolean value.) If true, the KDC will not issue PACs for this
realm, and S4U2Self and S4U2Proxy operations will be disabled.
The default is false, which will permit the KDC to issue PACs.
New in release 1.20.
.TP
\fBencrypted_challenge_indicator\fP
(String.) Specifies the authentication indicator value that the KDC
asserts into tickets obtained using FAST encrypted challenge
pre\-authentication. New in 1.16.
.TP
\fBhost_based_services\fP
(Whitespace\- or comma\-separated list.) Lists services which will
get host\-based referral processing even if the server principal is
not marked as host\-based by the client.
.TP
\fBiprop_enable\fP
(Boolean value.) Specifies whether incremental database
propagation is enabled. The default value is false.
.TP
\fBiprop_ulogsize\fP
(Integer.) Specifies the maximum number of log entries to be
retained for incremental propagation. The default value is 1000.
Prior to release 1.11, the maximum value was 2500. New in release
1.19.
.TP
\fBiprop_master_ulogsize\fP
The name for \fBiprop_ulogsize\fP prior to release 1.19. Its value is
used as a fallback if \fBiprop_ulogsize\fP is not specified.
.TP
\fBiprop_replica_poll\fP
(Delta time string.) Specifies how often the replica KDC polls
for new updates from the primary. The default value is \fB2m\fP
(that is, two minutes). New in release 1.17.
.TP
\fBiprop_slave_poll\fP
(Delta time string.) The name for \fBiprop_replica_poll\fP prior to
release 1.17. Its value is used as a fallback if
\fBiprop_replica_poll\fP is not specified.
.TP
\fBiprop_listen\fP
(Whitespace\- or comma\-separated list.) Specifies the iprop RPC
listening addresses and/or ports for the kadmind(8) daemon.
Each entry may be an interface address, a port number, or an
address and port number separated by a colon. If the address
contains colons, enclose it in square brackets. If no address is
specified, the wildcard address is used. If kadmind fails to bind
to any of the specified addresses, it will fail to start. The
default (when \fBiprop_enable\fP is true) is to bind to the wildcard
address at the port specified in \fBiprop_port\fP\&. New in release
1.15.
.TP
\fBiprop_port\fP
(Port number.) Specifies the port number to be used for
incremental propagation. When \fBiprop_enable\fP is true, this
relation is required in the replica KDC configuration file, and
this relation or \fBiprop_listen\fP is required in the primary
configuration file, as there is no default port number. Port
numbers specified in \fBiprop_listen\fP entries will override this
port number for the kadmind(8) daemon.
.TP
\fBiprop_resync_timeout\fP
(Delta time string.) Specifies the amount of time to wait for a
full propagation to complete. This is optional in configuration
files, and is used by replica KDCs only. The default value is 5
minutes (\fB5m\fP). New in release 1.11.
.TP
\fBiprop_logfile\fP
(File name.) Specifies where the update log file for the realm
database is to be stored. The default is to use the
\fBdatabase_name\fP entry from the realms section of the krb5 config
file, with \fB\&.ulog\fP appended. (NOTE: If \fBdatabase_name\fP isn\(aqt
specified in the realms section, perhaps because the LDAP database
back end is being used, or the file name is specified in the
[dbmodules] section, then the hard\-coded default for
\fBdatabase_name\fP is used. Determination of the \fBiprop_logfile\fP
default value will not use values from the [dbmodules] section.)
.TP
\fBkadmind_listen\fP
(Whitespace\- or comma\-separated list.) Specifies the kadmin RPC
listening addresses and/or ports for the kadmind(8) daemon.
Each entry may be an interface address, a port number, or an
address and port number separated by a colon. If the address
contains colons, enclose it in square brackets. If no address is
specified, the wildcard address is used. If kadmind fails to bind
to any of the specified addresses, it will fail to start. The
default is to bind to the wildcard address at the port specified
in \fBkadmind_port\fP, or the standard kadmin port (749). New in
release 1.15.
.TP
\fBkadmind_port\fP
(Port number.) Specifies the port on which the kadmind(8)
daemon is to listen for this realm. Port numbers specified in
\fBkadmind_listen\fP entries will override this port number. The
assigned port for kadmind is 749, which is used by default.
.TP
\fBkey_stash_file\fP
(String.) Specifies the location where the master key has been
stored (via kdb5_util stash). The default is \fB/mnt/c/Users/crash/Documents/BobLiterman/CSP2_Galaxy/CSP2/CSP2_env/env-d9b9114564458d9d-741b3de822f2aaca6c6caa4325c4afce/var\fP\fB/krb5kdc\fP\fB/.k5.REALM\fP, where \fIREALM\fP is the Kerberos realm.
.TP
\fBkdc_listen\fP
(Whitespace\- or comma\-separated list.) Specifies the UDP
listening addresses and/or ports for the krb5kdc(8) daemon.
Each entry may be an interface address, a port number, or an
address and port number separated by a colon. If the address
contains colons, enclose it in square brackets. If no address is
specified, the wildcard address is used. If no port is specified,
the standard port (88) is used. If the KDC daemon fails to bind
to any of the specified addresses, it will fail to start. The
default is to bind to the wildcard address on the standard port.
New in release 1.15.
.TP
\fBkdc_ports\fP
(Whitespace\- or comma\-separated list, deprecated.) Prior to
release 1.15, this relation lists the ports for the
krb5kdc(8) daemon to listen on for UDP requests. In
release 1.15 and later, it has the same meaning as \fBkdc_listen\fP
if that relation is not defined.
.TP
\fBkdc_tcp_listen\fP
(Whitespace\- or comma\-separated list.) Specifies the TCP
listening addresses and/or ports for the krb5kdc(8) daemon.
Each entry may be an interface address, a port number, or an
address and port number separated by a colon. If the address
contains colons, enclose it in square brackets. If no address is
specified, the wildcard address is used. If no port is specified,
the standard port (88) is used. To disable listening on TCP, set
this relation to the empty string with \fBkdc_tcp_listen = ""\fP\&.
If the KDC daemon fails to bind to any of the specified addresses,
it will fail to start. The default is to bind to the wildcard
address on the standard port. New in release 1.15.
.TP
\fBkdc_tcp_ports\fP
(Whitespace\- or comma\-separated list, deprecated.) Prior to
release 1.15, this relation lists the ports for the
krb5kdc(8) daemon to listen on for TCP requests. In
release 1.15 and later, it has the same meaning as
\fBkdc_tcp_listen\fP if that relation is not defined.
.TP
\fBkpasswd_listen\fP
(Comma\-separated list.) Specifies the kpasswd listening addresses
and/or ports for the kadmind(8) daemon. Each entry may be
an interface address, a port number, or an address and port number
separated by a colon. If the address contains colons, enclose it
in square brackets. If no address is specified, the wildcard
address is used. If kadmind fails to bind to any of the specified
addresses, it will fail to start. The default is to bind to the
wildcard address at the port specified in \fBkpasswd_port\fP, or the
standard kpasswd port (464). New in release 1.15.
.TP
\fBkpasswd_port\fP
(Port number.) Specifies the port on which the kadmind(8)
daemon is to listen for password change requests for this realm.
Port numbers specified in \fBkpasswd_listen\fP entries will override
this port number. The assigned port for password change requests
is 464, which is used by default.
.TP
\fBmaster_key_name\fP
(String.) Specifies the name of the principal associated with the
master key. The default is \fBK/M\fP\&.
.TP
\fBmaster_key_type\fP
(Key type string.) Specifies the master key\(aqs key type. The
default value for this is \fBaes256\-cts\-hmac\-sha1\-96\fP\&. For a list of all possible
values, see \fI\%Encryption types\fP\&.
.TP
\fBmax_life\fP
(duration string.) Specifies the maximum time period for
which a ticket may be valid in this realm. The default value is
24 hours.
.TP
\fBmax_renewable_life\fP
(duration string.) Specifies the maximum time period
during which a valid ticket may be renewed in this realm.
The default value is 0.
.TP
\fBno_host_referral\fP
(Whitespace\- or comma\-separated list.) Lists services to block
from getting host\-based referral processing, even if the client
marks the server principal as host\-based or the service is also
listed in \fBhost_based_services\fP\&. \fBno_host_referral = *\fP will
disable referral processing altogether.
.TP
\fBreject_bad_transit\fP
(Boolean value.) If set to true, the KDC will check the list of
transited realms for cross\-realm tickets against the transit path
computed from the realm names and the capaths section of its
krb5.conf(5) file; if the path in the ticket to be issued
contains any realms not in the computed path, the ticket will not
be issued, and an error will be returned to the client instead.
If this value is set to false, such tickets will be issued
anyway, and it will be left up to the application server to
validate the realm transit path.
.sp
If the disable\-transited\-check flag is set in the incoming
request, this check is not performed at all. Setting
\fBreject_bad_transit\fP causes such ticket requests to always be
rejected.
.sp
This transit path checking and config file option currently apply
only to TGS requests.
.sp
The default value is true.
.TP
\fBrestrict_anonymous_to_tgt\fP
(Boolean value.) If set to true, the KDC will reject ticket
requests from anonymous principals to service principals other
than the realm\(aqs ticket\-granting service. This option allows
anonymous PKINIT to be enabled for use as FAST armor tickets
without allowing anonymous authentication to services. The
default value is false. New in release 1.9.
.TP
\fBspake_preauth_indicator\fP
(String.) Specifies an authentication indicator value that the
KDC asserts into tickets obtained using SPAKE pre\-authentication.
The default is not to add any indicators. This option may be
specified multiple times. New in release 1.17.
.TP
\fBsupported_enctypes\fP
(List of \fIkey\fP:\fIsalt\fP strings.) Specifies the default key/salt
combinations of principals for this realm. Any principals created
through kadmin(1) will have keys of these types. The
default value for this tag is \fBaes256\-cts\-hmac\-sha1\-96:normal aes128\-cts\-hmac\-sha1\-96:normal\fP\&. For lists of
possible values, see \fI\%Keysalt lists\fP\&.
.UNINDENT
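The \fBdefault_principal_flags\fP rules described in the [realms] list above (a comma-separated list, \(aq+\(aq enables a flag, \(aq\-\(aq disables it, eight flags enabled when nothing is specified) resolved to the effective attribute set, as an added example. This is not MIT krb5's own flag parser: it accepts exactly the hyphenated flag names and the +/- syntax this page documents, nothing else, and its helper names (\fBeffective_flags\fP, \fBchanges_from_default\fP, \fBis_valid_flag_spec\fP) are this example's own. The sample value at the bottom is constructed, not taken from a real kdc.conf.

```python
"""Resolve a kdc.conf default_principal_flags value to the set of enabled
principal attributes.

Added example; not MIT krb5's flag parser.  It accepts exactly the syntax
kdc.conf(5) documents: a comma-separated list, '+' to enable a flag and
'-' to disable it, using the hyphenated flag names listed on the page.
Any other spelling is rejected here even if the real parser might take it.
"""
from typing import FrozenSet, Tuple

# Every flag documented under default_principal_flags in kdc.conf(5).
KNOWN_FLAGS: FrozenSet[str] = frozenset({
    "allow-tickets", "dup-skey", "forwardable", "hwauth",
    "no-auth-data-required", "ok-as-delegate", "ok-to-auth-as-delegate",
    "postdateable", "preauth", "proxiable", "pwchange", "pwservice",
    "renewable", "service", "tgt-based",
})

# Flags kdc.conf(5) says are enabled when the relation is absent.
DEFAULT_ENABLED: FrozenSet[str] = frozenset({
    "postdateable", "forwardable", "tgt-based", "renewable",
    "proxiable", "dup-skey", "allow-tickets", "service",
})


def effective_flags(spec: str) -> FrozenSet[str]:
    """Apply spec to the documented defaults; later items override earlier ones."""
    enabled = set(DEFAULT_ENABLED)
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue                      # tolerate an empty or trailing comma
        sign, name = item[0], item[1:].strip()
        if sign not in "+-":
            raise ValueError(f"flag {item!r} must start with '+' or '-'")
        if name not in KNOWN_FLAGS:
            raise ValueError(f"unknown flag {name!r}")
        if sign == "+":
            enabled.add(name)
        else:
            enabled.discard(name)
    return frozenset(enabled)


def changes_from_default(spec: str) -> Tuple[FrozenSet[str], FrozenSet[str]]:
    """(flags turned on, flags turned off) relative to the documented defaults.

    Handy when reviewing a realm's kdc.conf: it shows exactly which
    attributes new principals will get that the defaults would not, and
    which default attributes the realm has withdrawn.
    """
    result = effective_flags(spec)
    return result - DEFAULT_ENABLED, DEFAULT_ENABLED - result


def is_valid_flag_spec(spec: str) -> bool:
    """True when every item is a signed, documented flag name."""
    try:
        effective_flags(spec)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed value, not from a real kdc.conf: require preauthentication
    # for new principals and stop them from obtaining postdated tickets.
    sample = "+preauth,-postdateable"
    print(sorted(effective_flags(sample)))
    print(changes_from_default(sample))
```

Because items are applied in order, a later \(aq\-\(aq wins over an earlier \(aq+\(aq for the same flag, which is the behaviour to check for when a long flag string has been edited several times.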
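The address/port list grammar shared by \fBkdc_listen\fP, \fBkdc_tcp_listen\fP, \fBkadmind_listen\fP, \fBkpasswd_listen\fP and \fBiprop_listen\fP above (entries are whitespace- or comma-separated; each is an address, a port, or address:port; a colon-containing address must be bracketed; a missing address means the wildcard address and a missing port means the relation's default port), implemented as an added example. This is not code from MIT krb5. Assumptions beyond the man page text: entries are IP literals (no hostnames), the wildcard address is represented as None, ports must lie in 1..65535, and the \fBconfigured_port\fP parameter stands in for whichever of \fBkadmind_port\fP, \fBkpasswd_port\fP or \fBiprop_port\fP applies. The sample values are constructed.

```python
"""Parse krb5 KDC listen-address lists (kdc_listen, kdc_tcp_listen,
kadmind_listen, kpasswd_listen, iprop_listen) as kdc.conf(5) describes them.

Added example; not code from MIT krb5.  Assumptions beyond the man page
text: entries are IP literals only (no hostnames), the wildcard address is
represented as None, and ports must fall in 1..65535.
"""
import ipaddress
import re
from typing import List, Optional, Tuple

# (address, port); address None stands for the wildcard address.
Endpoint = Tuple[Optional[str], int]

# Standard ports named in kdc.conf(5): KDC 88, kadmin 749, kpasswd 464.
# iprop_listen has no standard port; iprop_port must supply one.
STANDARD_PORTS = {
    "kdc_listen": 88,
    "kdc_tcp_listen": 88,
    "kadmind_listen": 749,
    "kpasswd_listen": 464,
}

_BRACKETED = re.compile(r"\[([^\]]+)\](?::(\d+))?$")


def _port_or_default(text: Optional[str], default_port: Optional[int]) -> int:
    """Validate an explicit port, or fall back to the relation's default."""
    if text:
        port = int(text)
        if not 1 <= port <= 65535:
            raise ValueError(f"port {port} out of range")
        return port
    if default_port is None:
        # iprop_listen has no standard port, so a port-less entry needs iprop_port.
        raise ValueError("entry has no port and the relation has no default port")
    return default_port


def parse_entry(entry: str, default_port: Optional[int]) -> Endpoint:
    """One list entry: address, port, address:port or [v6addr]:port."""
    m = _BRACKETED.match(entry)
    if m:
        # Addresses containing colons (IPv6) must be bracketed.
        addr = str(ipaddress.IPv6Address(m.group(1)))
        return addr, _port_or_default(m.group(2), default_port)
    if entry.count(":") > 1:
        raise ValueError(f"IPv6 address must be bracketed: {entry!r}")
    if ":" in entry:
        host, port_text = entry.split(":")
        return str(ipaddress.IPv4Address(host)), _port_or_default(port_text, None)
    if entry.isdigit():
        # Bare port: wildcard address on that port.
        return None, _port_or_default(entry, None)
    # Bare address: that address on the relation's default port.
    return str(ipaddress.IPv4Address(entry)), _port_or_default(None, default_port)


def parse_listen(relation: str, value: Optional[str],
                 configured_port: Optional[int] = None) -> List[Endpoint]:
    """Expand a listen relation into the endpoints the daemon would bind.

    value None means the relation is absent, so the documented default
    applies: the wildcard address on the default port.  An empty string
    means no endpoints at all (kdc_tcp_listen = "" disables TCP).
    configured_port models kadmind_port, kpasswd_port or iprop_port.
    """
    default_port = configured_port
    if default_port is None:
        default_port = STANDARD_PORTS.get(relation)
    if value is None:
        return [(None, _port_or_default(None, default_port))]
    entries = [e for e in re.split(r"[\s,]+", value.strip()) if e]
    return [parse_entry(e, default_port) for e in entries]


def is_valid_listen(relation: str, value: Optional[str],
                    configured_port: Optional[int] = None) -> bool:
    """True when the value parses; the daemons refuse to start otherwise."""
    try:
        parse_listen(relation, value, configured_port)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample values, not from any real kdc.conf.
    for rel, val in [("kdc_listen", "192.0.2.10, [2001:db8::1]:1088 1750"),
                     ("kdc_tcp_listen", ""),
                     ("kpasswd_listen", None)]:
        print(rel, "->", parse_listen(rel, val))
```

The man page says a daemon that fails to bind any listed address fails to start; \fBis_valid_listen\fP catches the syntactic half of that before deployment (an unbracketed IPv6 literal, an out-of-range port, or an \fBiprop_listen\fP entry with no port when \fBiprop_port\fP is unset), which is cheaper than finding it in the KDC's startup log.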
.SS [dbdefaults]
.sp
The [dbdefaults] section specifies default values for some database
parameters, to be used if the [dbmodules] subsection does not contain
a relation for the tag. See the \fI\%[dbmodules]\fP section for the
definitions of these relations.
.INDENT 0.0
.IP \(bu 2
\fBldap_kerberos_container_dn\fP
.IP \(bu 2
\fBldap_kdc_dn\fP
.IP \(bu 2
\fBldap_kdc_sasl_authcid\fP
.IP \(bu 2
\fBldap_kdc_sasl_authzid\fP
.IP \(bu 2
\fBldap_kdc_sasl_mech\fP
.IP \(bu 2
\fBldap_kdc_sasl_realm\fP
.IP \(bu 2
\fBldap_kadmind_dn\fP
.IP \(bu 2
\fBldap_kadmind_sasl_authcid\fP
.IP \(bu 2
\fBldap_kadmind_sasl_authzid\fP
.IP \(bu 2
\fBldap_kadmind_sasl_mech\fP
.IP \(bu 2
\fBldap_kadmind_sasl_realm\fP
.IP \(bu 2
\fBldap_service_password_file\fP
.IP \(bu 2
\fBldap_conns_per_server\fP
.UNINDENT
.SS [dbmodules]
.sp
The [dbmodules] section contains parameters used by the KDC database
library and database modules. Each tag in the [dbmodules] section is
the name of a Kerberos realm or a section name specified by a realm\(aqs
\fBdatabase_module\fP parameter. The following example shows how to
define one database parameter for the ATHENA.MIT.EDU realm:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
[dbmodules]
    ATHENA.MIT.EDU = {
        disable_last_success = true
    }
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
The following tags may be specified in a [dbmodules] subsection:
.INDENT 0.0
.TP
\fBdatabase_name\fP
This DB2\-specific tag indicates the location of the database in
the filesystem. The default is \fB/mnt/c/Users/crash/Documents/BobLiterman/CSP2_Galaxy/CSP2/CSP2_env/env-d9b9114564458d9d-741b3de822f2aaca6c6caa4325c4afce/var\fP\fB/krb5kdc\fP\fB/principal\fP\&.
.TP
\fBdb_library\fP
This tag indicates the name of the loadable database module. The
value should be \fBdb2\fP for the DB2 module, \fBklmdb\fP for the LMDB
module, or \fBkldap\fP for the LDAP module.
.TP
\fBdisable_last_success\fP
If set to \fBtrue\fP, suppresses KDC updates to the "Last successful
authentication" field of principal entries requiring
preauthentication. Setting this flag may improve performance.
(Principal entries which do not require preauthentication never
update the "Last successful authentication" field.) First
introduced in release 1.9.
.TP
\fBdisable_lockout\fP
If set to \fBtrue\fP, suppresses KDC updates to the "Last failed
authentication" and "Failed password attempts" fields of principal
entries requiring preauthentication. Setting this flag may
improve performance, but also disables account lockout. First
introduced in release 1.9.
.TP
\fBldap_conns_per_server\fP
This LDAP\-specific tag indicates the number of connections to be
maintained per LDAP server.
.TP
\fBldap_kdc_dn\fP and \fBldap_kadmind_dn\fP
These LDAP\-specific tags indicate the default DN for binding to
the LDAP server. The krb5kdc(8) daemon uses
\fBldap_kdc_dn\fP, while the kadmind(8) daemon and other
administrative programs use \fBldap_kadmind_dn\fP\&. The kadmind DN
must have the rights to read and write the Kerberos data in the
LDAP database. The KDC DN must have the same rights, unless
\fBdisable_lockout\fP and \fBdisable_last_success\fP are true, in
which case it only needs to have rights to read the Kerberos data.
These tags are ignored if a SASL mechanism is set with
\fBldap_kdc_sasl_mech\fP or \fBldap_kadmind_sasl_mech\fP\&.
.TP
\fBldap_kdc_sasl_mech\fP and \fBldap_kadmind_sasl_mech\fP
These LDAP\-specific tags specify the SASL mechanism (such as
\fBEXTERNAL\fP) to use when binding to the LDAP server. New in
release 1.13.
.TP
\fBldap_kdc_sasl_authcid\fP and \fBldap_kadmind_sasl_authcid\fP
These LDAP\-specific tags specify the SASL authentication identity
to use when binding to the LDAP server. Not all SASL mechanisms
require an authentication identity. If the SASL mechanism
requires a secret (such as the password for \fBDIGEST\-MD5\fP), these
tags also determine the name within the
\fBldap_service_password_file\fP where the secret is stashed. New
in release 1.13.
.TP
\fBldap_kdc_sasl_authzid\fP and \fBldap_kadmind_sasl_authzid\fP
These LDAP\-specific tags specify the SASL authorization identity
to use when binding to the LDAP server. In most circumstances
they do not need to be specified. New in release 1.13.
.TP
\fBldap_kdc_sasl_realm\fP and \fBldap_kadmind_sasl_realm\fP
These LDAP\-specific tags specify the SASL realm to use when
binding to the LDAP server. In most circumstances they do not
need to be set. New in release 1.13.
.TP
\fBldap_kerberos_container_dn\fP
This LDAP\-specific tag indicates the DN of the container object
where the realm objects will be located.
.TP
\fBldap_servers\fP
This LDAP\-specific tag indicates the list of LDAP servers that the
Kerberos servers can connect to. The list of LDAP servers is
whitespace\-separated. Each LDAP server is specified by an LDAP URI.
It is recommended to use \fBldapi:\fP or \fBldaps:\fP URLs to connect
to the LDAP server.
.TP
\fBldap_service_password_file\fP
This LDAP\-specific tag indicates the file containing the stashed
passwords (created by \fBkdb5_ldap_util stashsrvpw\fP) for the
\fBldap_kdc_dn\fP and \fBldap_kadmind_dn\fP objects, or for the
\fBldap_kdc_sasl_authcid\fP or \fBldap_kadmind_sasl_authcid\fP names
for SASL authentication. This file must be kept secure.
.TP
\fBmapsize\fP
This LMDB\-specific tag indicates the maximum size of the two
database environments in megabytes. The default value is 128.
Increase this value to address "Environment mapsize limit reached"
errors. New in release 1.17.
.TP
\fBmax_readers\fP
This LMDB\-specific tag indicates the maximum number of concurrent
reading processes for the databases. The default value is 128.
New in release 1.17.
.TP
\fBnosync\fP
This LMDB\-specific tag can be set to improve the throughput of
kadmind and other administrative agents, at the expense of
durability (recent database changes may not survive a power outage
or other sudden reboot). It does not affect the throughput of the
jpayne@68 653 KDC. The default value is false. New in release 1.17.
jpayne@68 654 .TP
jpayne@68 655 \fBunlockiter\fP
jpayne@68 656 If set to \fBtrue\fP, this DB2\-specific tag causes iteration
jpayne@68 657 operations to release the database lock while processing each
jpayne@68 658 principal. Setting this flag to \fBtrue\fP can prevent extended
jpayne@68 659 blocking of KDC or kadmin operations when dumps of large databases
jpayne@68 660 are in progress. First introduced in release 1.13.
jpayne@68 661 .UNINDENT
.sp
The following tag may be specified directly in the [dbmodules]
section to control where database modules are loaded from:
.INDENT 0.0
.TP
\fBdb_module_dir\fP
This tag controls where the plugin system looks for database
modules. The value should be an absolute path.
.UNINDENT
.SS [logging]
.sp
The [logging] section indicates how krb5kdc(8) and
kadmind(8) perform logging. It may contain the following
relations:
.INDENT 0.0
.TP
\fBadmin_server\fP
Specifies how kadmind(8) performs logging.
.TP
\fBkdc\fP
Specifies how krb5kdc(8) performs logging.
.TP
\fBdefault\fP
Specifies how either daemon performs logging in the absence of
relations specific to the daemon.
.TP
\fBdebug\fP
(Boolean value.) Specifies whether debugging messages are
included in log outputs other than SYSLOG. Debugging messages are
always included in the system log output because syslog performs
its own priority filtering. The default value is false. New in
release 1.15.
.UNINDENT
.sp
Logging specifications may have the following forms:
.INDENT 0.0
.TP
\fBFILE=\fP\fIfilename\fP or \fBFILE:\fP\fIfilename\fP
This value causes the daemon\(aqs logging messages to go to the
\fIfilename\fP\&. If the \fB=\fP form is used, the file is overwritten.
If the \fB:\fP form is used, the file is appended to.
.TP
\fBSTDERR\fP
This value causes the daemon\(aqs logging messages to go to its
standard error stream.
.TP
\fBCONSOLE\fP
This value causes the daemon\(aqs logging messages to go to the
console, if the system supports it.
.TP
\fBDEVICE=\fP\fI<devicename>\fP
This causes the daemon\(aqs logging messages to go to the specified
device.
.TP
\fBSYSLOG\fP[\fB:\fP\fIseverity\fP[\fB:\fP\fIfacility\fP]]
This causes the daemon\(aqs logging messages to go to the system log.
.sp
For backward compatibility, a severity argument may be specified,
and must be specified in order to specify a facility. This
argument will be ignored.
.sp
The facility argument specifies the facility under which the
messages are logged. This may be any of the following facilities
supported by the syslog(3) call minus the LOG_ prefix: \fBKERN\fP,
\fBUSER\fP, \fBMAIL\fP, \fBDAEMON\fP, \fBAUTH\fP, \fBLPR\fP, \fBNEWS\fP,
\fBUUCP\fP, \fBCRON\fP, and \fBLOCAL0\fP through \fBLOCAL7\fP\&. If no
facility is specified, the default is \fBAUTH\fP\&.
.UNINDENT
.sp
In the following example, the logging messages from the KDC will go to
the console and to the system log under the facility LOG_DAEMON, and
the logging messages from the administrative server will be appended
to the file \fB/var/adm/kadmin.log\fP and sent to the device
\fB/dev/tty04\fP\&.
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
[logging]
    kdc = CONSOLE
    kdc = SYSLOG:INFO:DAEMON
    admin_server = FILE:/var/adm/kadmin.log
    admin_server = DEVICE=/dev/tty04
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
If no logging specification is given, the default is to use syslog.
To disable logging entirely, specify \fBdefault = DEVICE=/dev/null\fP\&.
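.sp
The following parser, added here as an illustration and not part of MIT krb5 or of this manual, applies the rules above to logging specifications: the \fBFILE=\fP versus \fBFILE:\fP distinction, the ignored SYSLOG severity, the facility default and whitelist, and the fallback from a daemon\(aqs own relation to \fBdefault\fP and then to syslog. The sample section is the page\(aqs own [logging] example; keyword case handling and the validity helper are this example\(aqs choices.

```python
"""Parser for the logging specifications of the kdc.conf [logging] section.
Added example, not MIT krb5 code: it accepts the documented forms FILE=,
FILE:, STDERR, CONSOLE, DEVICE= and SYSLOG[:severity[:facility]] and
resolves which relation applies to a daemon."""

# syslog(3) facilities the page lists, minus the LOG_ prefix
SYSLOG_FACILITIES = {"KERN", "USER", "MAIL", "DAEMON", "AUTH", "LPR", "NEWS",
                     "UUCP", "CRON"} | {f"LOCAL{i}" for i in range(8)}


def parse_logging_spec(spec: str) -> dict:
    spec = spec.strip()
    if spec.startswith(("FILE=", "FILE:")):
        # '=' overwrites the file, ':' appends to it
        if len(spec) == 5:
            raise ValueError("FILE specification needs a filename")
        return {"target": "file", "path": spec[5:],
                "mode": "truncate" if spec[4] == "=" else "append"}
    if spec == "STDERR":
        return {"target": "stderr"}
    if spec == "CONSOLE":
        return {"target": "console"}
    if spec.startswith("DEVICE="):
        if len(spec) == len("DEVICE="):
            raise ValueError("DEVICE specification needs a device name")
        return {"target": "device", "path": spec[len("DEVICE="):]}
    if spec == "SYSLOG" or spec.startswith("SYSLOG:"):
        parts = spec.split(":")
        if len(parts) > 3:
            raise ValueError("too many fields in SYSLOG specification")
        # the severity is accepted for backward compatibility and ignored;
        # a facility can only follow a severity and defaults to AUTH
        facility = parts[2].upper() if len(parts) == 3 else "AUTH"
        if facility not in SYSLOG_FACILITIES:
            raise ValueError(f"unknown syslog facility {parts[2]!r}")
        return {"target": "syslog", "facility": facility,
                "ignored_severity": parts[1] if len(parts) > 1 else None}
    raise ValueError(f"unrecognized logging specification {spec!r}")


def is_valid_spec(spec: str) -> bool:
    try:
        parse_logging_spec(spec)
        return True
    except ValueError:
        return False


def parse_logging_section(text: str) -> dict:
    """Group 'relation = spec' lines by relation name, preserving order,
    since a relation such as kdc may be given more than once."""
    relations = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("["):
            continue
        name, _, value = line.partition("=")
        relations.setdefault(name.strip(), []).append(parse_logging_spec(value))
    return relations


def destinations_for(daemon: str, relations: dict) -> list:
    """A daemon's own relation wins; otherwise 'default'; otherwise syslog,
    which the page names as the fallback when nothing is specified."""
    return (relations.get(daemon) or relations.get("default")
            or [parse_logging_spec("SYSLOG")])


# The page's own [logging] example, used as sample input.
SAMPLE_LOGGING = """
[logging]
    kdc = CONSOLE
    kdc = SYSLOG:INFO:DAEMON
    admin_server = FILE:/var/adm/kadmin.log
    admin_server = DEVICE=/dev/tty04
"""

if __name__ == "__main__":
    for daemon in ("kdc", "admin_server"):
        print(daemon, destinations_for(daemon, parse_logging_section(SAMPLE_LOGGING)))
```
.sp
Run against the sample, the KDC resolves to the console plus syslog under DAEMON (the INFO severity is carried only as ignored input), and the admin server to the appended file plus the tty device.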
.SS [otp]
.sp
Each subsection of [otp] is the name of an OTP token type. The tags
within the subsection define the configuration required to forward a
One Time Password request to a RADIUS server.
.sp
For each token type, the following tags may be specified:
.INDENT 0.0
.TP
\fBserver\fP
This is the server to send the RADIUS request to. It can be a
hostname with optional port, an IP address with optional port, or
a Unix domain socket address. The default is
\fB/mnt/c/Users/crash/Documents/BobLiterman/CSP2_Galaxy/CSP2/CSP2_env/env-d9b9114564458d9d-741b3de822f2aaca6c6caa4325c4afce/var\fP\fB/krb5kdc\fP\fB/<name>.socket\fP\&.
.TP
\fBsecret\fP
This tag indicates a filename (which may be relative to \fB/mnt/c/Users/crash/Documents/BobLiterman/CSP2_Galaxy/CSP2/CSP2_env/env-d9b9114564458d9d-741b3de822f2aaca6c6caa4325c4afce/var\fP\fB/krb5kdc\fP)
containing the secret used to encrypt the RADIUS packets. The
secret should appear in the first line of the file by itself;
leading and trailing whitespace on the line will be removed. If
the value of \fBserver\fP is a Unix domain socket address, this tag
is optional, and an empty secret will be used if it is not
specified. Otherwise, this tag is required.
.TP
\fBtimeout\fP
An integer which specifies the time in seconds during which the
KDC should attempt to contact the RADIUS server. This tag is the
total time across all retries and should be less than the time
for which an OTP value remains valid. The default is 5 seconds.
.TP
\fBretries\fP
This tag specifies the number of retries to make to the RADIUS
server. The default is 3 retries (4 tries).
.TP
\fBstrip_realm\fP
If this tag is \fBtrue\fP, the principal without the realm will be
passed to the RADIUS server. Otherwise, the realm will be
included. The default value is \fBtrue\fP\&.
.TP
\fBindicator\fP
This tag specifies an authentication indicator to be included in
the ticket if this token type is used to authenticate. This
option may be specified multiple times. (New in release 1.14.)
.UNINDENT
.sp
In the following example, requests are sent to a remote server via UDP:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
[otp]
MyRemoteTokenType = {
    server = radius.mydomain.com:1812
    secret = SEmfiajf42$
    timeout = 15
    retries = 5
    strip_realm = true
}
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
An implicit default token type named \fBDEFAULT\fP is defined for when
the per\-principal configuration does not specify a token type. Its
configuration is shown below. You may override this token type to
something applicable for your situation:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
[otp]
DEFAULT = {
    strip_realm = false
}
.ft P
.fi
.UNINDENT
.UNINDENT
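.sp
The checks below, added here as an example and not code from MIT krb5 or from this manual, model one [otp] token\-type stanza the way a configuration linter would: the defaults for every tag, the rule that \fBsecret\fP is required unless the server is a Unix domain socket, the first\-line\-only reading of the secret file, the effect of \fBstrip_realm\fP on the name sent to RADIUS, and the retry budget versus the OTP validity window. The state directory \fB/var/krb5kdc\fP, the in\-memory secret file text and the unset port when none is given are this example\(aqs assumptions; the OTP validity window is whatever the deployer\(aqs token uses.

```python
"""Validation of one [otp] token-type stanza.  Added example, not MIT krb5
code.  The secret file's text is passed in so the check runs offline."""
from dataclasses import dataclass, field
from typing import Optional, Tuple

KDC_STATE_DIR = "/var/krb5kdc"  # assumption; the page shows a build-specific path


@dataclass
class OtpTokenType:
    name: str
    server: str
    secret: str                  # shared secret text, "" when none is configured
    timeout: int = 5             # seconds, total across all tries
    retries: int = 3             # 3 retries = 4 tries
    strip_realm: bool = True
    indicators: list = field(default_factory=list)


def secret_from_file_text(text: str) -> str:
    """The secret is the first line of the file, surrounding whitespace removed."""
    return text.splitlines()[0].strip() if text else ""


def is_unix_socket(server: str) -> bool:
    # A Unix domain socket address is given as a filesystem path.
    return server.startswith("/")


def server_endpoint(server: str) -> Tuple[str, str, Optional[int]]:
    """('unix', path, None) or ('udp', host, port); port is None when the
    optional port is omitted.  Bracketed IPv6 literals are not handled."""
    if is_unix_socket(server):
        return ("unix", server, None)
    host, sep, port = server.rpartition(":")
    if sep and port.isdigit():
        return ("udp", host, int(port))
    return ("udp", server, None)


def build_token_type(name: str, stanza: dict, secret_file_text: Optional[str] = None,
                     state_dir: str = KDC_STATE_DIR) -> OtpTokenType:
    server = stanza.get("server", f"{state_dir}/{name}.socket")
    if secret_file_text is not None:
        secret = secret_from_file_text(secret_file_text)
    elif is_unix_socket(server):
        secret = ""  # an empty secret is only permitted for Unix domain sockets
    else:
        raise ValueError(f"[otp] {name}: 'secret' is required when server is {server!r}")
    indicators = stanza.get("indicator", [])
    return OtpTokenType(
        name=name, server=server, secret=secret,
        timeout=int(stanza.get("timeout", 5)),
        retries=int(stanza.get("retries", 3)),
        strip_realm=str(stanza.get("strip_realm", "true")).lower() == "true",
        indicators=[indicators] if isinstance(indicators, str) else list(indicators),
    )


def stanza_is_valid(name: str, stanza: dict, secret_file_text: Optional[str] = None) -> bool:
    try:
        build_token_type(name, stanza, secret_file_text)
        return True
    except ValueError:
        return False


def radius_user_name(principal: str, token: OtpTokenType) -> str:
    """strip_realm=true sends only the name part; false sends the full principal."""
    return principal.rsplit("@", 1)[0] if token.strip_realm else principal


def total_tries(token: OtpTokenType) -> int:
    return token.retries + 1


def timeout_fits(token: OtpTokenType, otp_validity_seconds: int) -> bool:
    """The timeout covers all tries and should stay below the OTP validity window."""
    return token.timeout < otp_validity_seconds


if __name__ == "__main__":
    # constructed stanza mirroring the page's MyRemoteTokenType example
    t = build_token_type("MyRemoteTokenType",
                         {"server": "radius.mydomain.com:1812", "timeout": "15",
                          "retries": "5", "strip_realm": "true"},
                         secret_file_text="SEmfiajf42$\n")
    print(server_endpoint(t.server), total_tries(t), timeout_fits(t, 30))
```
.sp
For the page\(aqs example, the linter reports 6 tries inside a 15\-second budget, which fits a 30\-second OTP window; raising \fBtimeout\fP to 60 would not, and a remote server without a \fBsecret\fP is rejected outright.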
.SH PKINIT OPTIONS
.sp
\fBNOTE:\fP
.INDENT 0.0
.INDENT 3.5
The following are pkinit\-specific options. These values may
be specified in [kdcdefaults] as global defaults, or within
a realm\-specific subsection of [realms]. Also note that a
realm\-specific value overrides, rather than adds to, a generic
[kdcdefaults] specification. The search order is:
.UNINDENT
.UNINDENT
.INDENT 0.0
.IP 1. 3
realm\-specific subsection of [realms]:
.INDENT 3.0
.INDENT 3.5
.sp
.nf
.ft C
[realms]
EXAMPLE.COM = {
    pkinit_anchors = FILE:/usr/local/example.com.crt
}
.ft P
.fi
.UNINDENT
.UNINDENT
.IP 2. 3
generic value in the [kdcdefaults] section:
.INDENT 3.0
.INDENT 3.5
.sp
.nf
.ft C
[kdcdefaults]
pkinit_anchors = DIR:/usr/local/generic_trusted_cas/
.ft P
.fi
.UNINDENT
.UNINDENT
.UNINDENT
.sp
For information about the syntax of some of these options, see
Specifying PKINIT identity information in
krb5.conf(5)\&.
.INDENT 0.0
.TP
\fBpkinit_anchors\fP
Specifies the location of trusted anchor (root) certificates which
the KDC trusts to sign client certificates. This option is
required if pkinit is to be supported by the KDC. This option may
be specified multiple times.
.TP
\fBpkinit_dh_min_bits\fP
Specifies the minimum number of bits the KDC is willing to accept
for a client\(aqs Diffie\-Hellman key. The default is 2048.
.TP
\fBpkinit_allow_upn\fP
Specifies that the KDC is willing to accept client certificates
with the Microsoft UserPrincipalName (UPN) Subject Alternative
Name (SAN). This means the KDC accepts the binding of the UPN in
the certificate to the Kerberos principal name. The default value
is false.
.sp
Without this option, the KDC will only accept certificates with
the id\-pkinit\-san as defined in \fI\%RFC 4556\fP\&. There is currently
no option to disable SAN checking in the KDC.
.TP
\fBpkinit_eku_checking\fP
This option specifies what Extended Key Usage (EKU) values the KDC
is willing to accept in client certificates. The values
recognized in the kdc.conf file are:
.INDENT 7.0
.TP
\fBkpClientAuth\fP
This is the default value and specifies that client
certificates must have the id\-pkinit\-KPClientAuth EKU as
defined in \fI\%RFC 4556\fP\&.
.TP
\fBscLogin\fP
If scLogin is specified, client certificates with the
Microsoft Smart Card Login EKU (id\-ms\-kp\-sc\-logon) will be
accepted.
.TP
\fBnone\fP
If none is specified, then client certificates will not be
checked to verify they have an acceptable EKU. The use of
this option is not recommended.
.UNINDENT
.TP
\fBpkinit_identity\fP
Specifies the location of the KDC\(aqs X.509 identity information.
This option is required if pkinit is to be supported by the KDC.
.TP
\fBpkinit_indicator\fP
Specifies an authentication indicator to include in the ticket if
pkinit is used to authenticate. This option may be specified
multiple times. (New in release 1.14.)
.TP
\fBpkinit_pool\fP
Specifies the location of intermediate certificates which may be
used by the KDC to complete the trust chain between a client\(aqs
certificate and a trusted anchor. This option may be specified
multiple times.
.TP
\fBpkinit_revoke\fP
Specifies the location of Certificate Revocation List (CRL)
information to be used by the KDC when verifying the validity of
client certificates. This option may be specified multiple times.
.TP
\fBpkinit_require_crl_checking\fP
The default certificate verification process will always check the
available revocation information to see if a certificate has been
revoked. If a match is found for the certificate in a CRL,
verification fails. If the certificate being verified is not
listed in a CRL, or there is no CRL present for its issuing CA,
and \fBpkinit_require_crl_checking\fP is false, then verification
succeeds.
.sp
However, if \fBpkinit_require_crl_checking\fP is true and there is
no CRL information available for the issuing CA, then verification
fails.
.sp
\fBpkinit_require_crl_checking\fP should be set to true if the
policy is such that up\-to\-date CRLs must be present for every CA.
.TP
\fBpkinit_require_freshness\fP
Specifies whether to require clients to include a freshness token
in PKINIT requests. The default value is false. (New in release
1.17.)
.UNINDENT
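.sp
The following code, added as an illustration and not taken from MIT krb5 or this manual, captures the three decision rules this section describes: the realm\-before\-[kdcdefaults] search order in which a realm value replaces rather than extends the global one, the \fBpkinit_eku_checking\fP modes applied to the EKU OIDs a client certificate carries, and the outcome table for \fBpkinit_require_crl_checking\fP\&. The EKU OIDs are the ones RFC 4556 and Microsoft assign to id\-pkinit\-KPClientAuth and id\-ms\-kp\-sc\-logon; treating \fBscLogin\fP as still accepting the KPClientAuth EKU, and the sample configuration, are this example\(aqs assumptions.

```python
"""PKINIT policy rules from the PKINIT OPTIONS section: option search order,
pkinit_eku_checking modes and the pkinit_require_crl_checking outcome table.
Added example, not MIT krb5 code.  A certificate is modelled as the set of
EKU OIDs it carries."""

ID_PKINIT_KPCLIENTAUTH = "1.3.6.1.5.2.3.4"   # RFC 4556 id-pkinit-KPClientAuth
ID_MS_KP_SC_LOGON = "1.3.6.1.4.1.311.20.2.2"  # Microsoft Smart Card Logon


def resolve_pkinit_option(config: dict, realm: str, option: str):
    """Realm-specific value wins outright; otherwise the [kdcdefaults] value.
    The two are never merged: a realm that sets pkinit_anchors itself does
    not also inherit the global anchors."""
    realm_section = config.get("realms", {}).get(realm, {})
    if option in realm_section:
        return realm_section[option]
    return config.get("kdcdefaults", {}).get(option)


def eku_acceptable(cert_ekus: set, mode: str = "kpClientAuth") -> bool:
    """kpClientAuth (the default) requires id-pkinit-KPClientAuth; scLogin also
    accepts the Smart Card Logon EKU (assumption: KPClientAuth stays accepted);
    none skips the check entirely, which the page advises against."""
    if mode == "none":
        return True
    if mode == "kpClientAuth":
        return ID_PKINIT_KPCLIENTAUTH in cert_ekus
    if mode == "scLogin":
        return bool(cert_ekus & {ID_PKINIT_KPCLIENTAUTH, ID_MS_KP_SC_LOGON})
    raise ValueError(f"unknown pkinit_eku_checking value {mode!r}")


def crl_verdict(cert_listed_in_crl: bool, crl_available_for_issuer: bool,
                require_crl_checking: bool = False) -> str:
    """Revocation step as described for pkinit_require_crl_checking."""
    if crl_available_for_issuer and cert_listed_in_crl:
        return "fail: certificate is revoked"
    if not crl_available_for_issuer and require_crl_checking:
        return "fail: no CRL for issuing CA and pkinit_require_crl_checking is true"
    return "ok"


def kdc_pkinit_policy(config: dict, realm: str) -> dict:
    """Effective per-realm PKINIT settings, with the two options the page
    says are required for PKINIT to work at all folded into pkinit_enabled."""
    anchors = resolve_pkinit_option(config, realm, "pkinit_anchors")
    identity = resolve_pkinit_option(config, realm, "pkinit_identity")
    require_crl = resolve_pkinit_option(config, realm, "pkinit_require_crl_checking")
    return {
        "pkinit_enabled": bool(anchors) and bool(identity),
        "pkinit_anchors": anchors,
        "pkinit_identity": identity,
        "eku_checking": resolve_pkinit_option(config, realm, "pkinit_eku_checking")
        or "kpClientAuth",
        "require_crl_checking": require_crl in (True, "true"),
        "dh_min_bits": int(resolve_pkinit_option(config, realm, "pkinit_dh_min_bits")
                           or 2048),
    }


# Constructed configuration mirroring the page's search-order example;
# the pkinit_identity value is a placeholder, not a recommended path.
SAMPLE_CONFIG = {
    "kdcdefaults": {
        "pkinit_anchors": ["DIR:/usr/local/generic_trusted_cas/"],
        "pkinit_identity": "FILE:/path/to/kdc.pem,/path/to/kdckey.pem",
        "pkinit_require_crl_checking": "true",
    },
    "realms": {
        "EXAMPLE.COM": {"pkinit_anchors": ["FILE:/usr/local/example.com.crt"]},
        "OTHER.NET": {"pkinit_eku_checking": "none"},
    },
}

if __name__ == "__main__":
    for realm in SAMPLE_CONFIG["realms"]:
        print(realm, kdc_pkinit_policy(SAMPLE_CONFIG, realm))
```
.sp
With the sample, EXAMPLE.COM sees only its own anchor file and OTHER.NET inherits the generic directory; a certificate carrying only the Smart Card Logon EKU is rejected under the default mode and accepted under \fBscLogin\fP; and a missing CRL is a hard failure only once \fBpkinit_require_crl_checking\fP is true.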
.SH ENCRYPTION TYPES
.sp
Any tag in the configuration files which requires a list of encryption
types can be set to some combination of the following strings.
Encryption types marked as "weak" and "deprecated" are available for
compatibility but not recommended for use.
.TS
center;
|l|l|.
_
T{
des3\-cbc\-raw
T} T{
Triple DES cbc mode raw (weak)
T}
_
T{
des3\-cbc\-sha1 des3\-hmac\-sha1 des3\-cbc\-sha1\-kd
T} T{
Triple DES cbc mode with HMAC/sha1 (deprecated)
T}
_
T{
aes256\-cts\-hmac\-sha1\-96 aes256\-cts aes256\-sha1
T} T{
AES\-256 CTS mode with 96\-bit SHA\-1 HMAC
T}
_
T{
aes128\-cts\-hmac\-sha1\-96 aes128\-cts aes128\-sha1
T} T{
AES\-128 CTS mode with 96\-bit SHA\-1 HMAC
T}
_
T{
aes256\-cts\-hmac\-sha384\-192 aes256\-sha2
T} T{
AES\-256 CTS mode with 192\-bit SHA\-384 HMAC
T}
_
T{
aes128\-cts\-hmac\-sha256\-128 aes128\-sha2
T} T{
AES\-128 CTS mode with 128\-bit SHA\-256 HMAC
T}
_
T{
arcfour\-hmac rc4\-hmac arcfour\-hmac\-md5
T} T{
RC4 with HMAC/MD5 (deprecated)
T}
_
T{
arcfour\-hmac\-exp rc4\-hmac\-exp arcfour\-hmac\-md5\-exp
T} T{
Exportable RC4 with HMAC/MD5 (weak)
T}
_
T{
camellia256\-cts\-cmac camellia256\-cts
T} T{
Camellia\-256 CTS mode with CMAC
T}
_
T{
camellia128\-cts\-cmac camellia128\-cts
T} T{
Camellia\-128 CTS mode with CMAC
T}
_
T{
des3
T} T{
The triple DES family: des3\-cbc\-sha1
T}
_
T{
aes
T} T{
The AES family: aes256\-cts\-hmac\-sha1\-96, aes128\-cts\-hmac\-sha1\-96, aes256\-cts\-hmac\-sha384\-192, and aes128\-cts\-hmac\-sha256\-128
T}
_
T{
rc4
T} T{
The RC4 family: arcfour\-hmac
T}
_
T{
camellia
T} T{
The Camellia family: camellia256\-cts\-cmac and camellia128\-cts\-cmac
T}
_
.TE
.sp
The string \fBDEFAULT\fP can be used to refer to the default set of
types for the variable in question. Types or families can be removed
from the current list by prefixing them with a minus sign ("\-").
Types or families can be prefixed with a plus sign ("+") for symmetry;
it has the same meaning as just listing the type or family. For
example, "\fBDEFAULT \-rc4\fP" would be the default set of encryption
types with RC4 types removed, and "\fBdes3 DEFAULT\fP" would be the
default set of encryption types with triple DES types moved to the
front.
.sp
While \fBaes128\-cts\fP and \fBaes256\-cts\fP are supported for all Kerberos
operations, they are not supported by very old versions of our GSSAPI
implementation (krb5\-1.3.1 and earlier). Services running versions of
krb5 without AES support must not be given keys of these encryption
types in the KDC database.
.sp
The \fBaes128\-sha2\fP and \fBaes256\-sha2\fP encryption types are new in
release 1.15. Services running versions of krb5 without support for
these newer encryption types must not be given keys of these
encryption types in the KDC database.
.SH KEYSALT LISTS
.sp
Kerberos keys for users are usually derived from passwords. Kerberos
commands and configuration parameters that affect generation of keys
take lists of enctype\-salttype ("keysalt") pairs, known as \fIkeysalt
lists\fP\&. Each keysalt pair is an enctype name followed by a salttype
name, in the format \fIenc\fP:\fIsalt\fP\&. Individual keysalt list members are
separated by comma (",") characters or space characters. For example:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
kadmin \-e aes256\-cts:normal,aes128\-cts:normal
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
would start up kadmin so that by default it would generate
password\-derived keys for the \fBaes256\-cts\fP and \fBaes128\-cts\fP
encryption types, using a \fBnormal\fP salt.
.sp
To ensure that people who happen to pick the same password do not have
the same key, Kerberos 5 incorporates more information into the key
using something called a salt. The supported salt types are as
follows:
.TS
center;
|l|l|.
_
T{
normal
T} T{
default for Kerberos Version 5
T}
_
T{
norealm
T} T{
same as the default, without using realm information
T}
_
T{
onlyrealm
T} T{
uses only realm information as the salt
T}
_
T{
special
T} T{
generate a random salt
T}
_
.TE
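.sp
The following code serves both the ENCRYPTION TYPES and the KEYSALT LISTS sections above; it is an added illustration, not code from MIT krb5 or from this manual. It expands an enctype list string under the \fBDEFAULT\fP, family, "\-" and "+" rules, flags members the table marks weak or deprecated, parses a keysalt list such as the kadmin example into canonical \fIenc\fP:\fIsalt\fP pairs, builds the salt string each salt type produces for a principal, and shows with the PBKDF2 stage of the RFC 3962 AES string\-to\-key why two users with the same password end up with different keys. The alias and family tables are transcribed from the page\(aqs table; \fBDEFAULT_SAMPLE\fP is a constructed stand\-in for a variable\(aqs real default set, an omitted salt type being read as \fBnormal\fP and the 16\-byte random salt for \fBspecial\fP are this example\(aqs assumptions, and the DK step that turns the PBKDF2 output into the final key is deliberately omitted.

```python
"""Enctype-list expansion (ENCRYPTION TYPES) and keysalt-list parsing with
salt derivation (KEYSALT LISTS).  Added example, not MIT krb5 code."""
import hashlib
import secrets

# canonical name -> its aliases, from the page's table
_TABLE = {
    "des3-cbc-raw": [],
    "des3-cbc-sha1": ["des3-hmac-sha1", "des3-cbc-sha1-kd"],
    "aes256-cts-hmac-sha1-96": ["aes256-cts", "aes256-sha1"],
    "aes128-cts-hmac-sha1-96": ["aes128-cts", "aes128-sha1"],
    "aes256-cts-hmac-sha384-192": ["aes256-sha2"],
    "aes128-cts-hmac-sha256-128": ["aes128-sha2"],
    "arcfour-hmac": ["rc4-hmac", "arcfour-hmac-md5"],
    "arcfour-hmac-exp": ["rc4-hmac-exp", "arcfour-hmac-md5-exp"],
    "camellia256-cts-cmac": ["camellia256-cts"],
    "camellia128-cts-cmac": ["camellia128-cts"],
}
ALIASES = {a: canon for canon, names in _TABLE.items() for a in [canon, *names]}
FAMILIES = {
    "des3": ["des3-cbc-sha1"],
    "aes": ["aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96",
            "aes256-cts-hmac-sha384-192", "aes128-cts-hmac-sha256-128"],
    "rc4": ["arcfour-hmac"],
    "camellia": ["camellia256-cts-cmac", "camellia128-cts-cmac"],
}
DISCOURAGED = {"des3-cbc-raw", "des3-cbc-sha1", "arcfour-hmac", "arcfour-hmac-exp"}
SALT_TYPES = {"normal", "norealm", "onlyrealm", "special"}
DEFAULT_SAMPLE = ["aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96",
                  "des3-cbc-sha1", "arcfour-hmac"]  # constructed, not a real default


def canonical_enctype(name: str) -> str:
    if name.lower() not in ALIASES:
        raise ValueError(f"unknown encryption type {name!r}")
    return ALIASES[name.lower()]


def expand_enctype_list(spec: str, default: list) -> list:
    """DEFAULT expands to `default`, a family name to its members, '-' removes
    from the list built so far, '+' or no sign appends what is not yet present."""
    result = []
    for token in spec.split():
        sign = "+"
        if token[0] in "+-":
            sign, token = token[0], token[1:]
        if token.upper() == "DEFAULT":
            types = list(default)
        elif token.lower() in FAMILIES:
            types = FAMILIES[token.lower()]
        else:
            types = [canonical_enctype(token)]
        if sign == "-":
            result = [t for t in result if t not in types]
        else:
            for t in types:
                if t not in result:
                    result.append(t)
    return result


def discouraged(types: list) -> list:
    """Members the page marks weak or deprecated; ideally an empty list."""
    return [t for t in types if t in DISCOURAGED]


def parse_keysalt_list(spec: str) -> list:
    """Members separated by commas or spaces, each enc[:salt]; an omitted salt
    type is read as 'normal' here (an assumption of this example)."""
    pairs = []
    for member in spec.replace(",", " ").split():
        enc, _, salt = member.partition(":")
        salt = salt.lower() or "normal"
        if salt not in SALT_TYPES:
            raise ValueError(f"unknown salt type {salt!r}")
        pairs.append((canonical_enctype(enc), salt))
    return pairs


def salt_for(principal: str, salttype: str) -> bytes:
    """Realm and/or concatenated name components per salt type; random for 'special'."""
    name, realm = principal.rsplit("@", 1) if "@" in principal else (principal, "")
    components = "".join(name.split("/"))
    if salttype == "normal":
        return (realm + components).encode()
    if salttype == "norealm":
        return components.encode()
    if salttype == "onlyrealm":
        return realm.encode()
    if salttype == "special":
        return secrets.token_bytes(16)  # constructed length; only randomness matters
    raise ValueError(f"unknown salt type {salttype!r}")


def pbkdf2_stage(password: str, salt: bytes, iterations: int = 4096) -> bytes:
    """PBKDF2-HMAC-SHA1 stage of the RFC 3962 AES string-to-key (default
    iteration count, 32-byte aes256 output); the final DK step is omitted."""
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations, 32)
```
.sp
"\fBDEFAULT \-rc4\fP" against the constructed default yields the AES and triple DES members only, "\fBdes3 DEFAULT\fP" yields the same set with \fBdes3\-cbc\-sha1\fP first, and the kadmin example parses to the two canonical AES SHA\-1 enctypes with a normal salt; \fBalice@EXAMPLE.COM\fP and \fBbob@EXAMPLE.COM\fP sharing a password still get different PBKDF2 outputs because their normal salts differ.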
.SH SAMPLE KDC.CONF FILE
.sp
Here\(aqs an example of a kdc.conf file:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
[kdcdefaults]
    kdc_listen = 88
    kdc_tcp_listen = 88
[realms]
    ATHENA.MIT.EDU = {
        kadmind_port = 749
        max_life = 12h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = aes256\-cts\-hmac\-sha1\-96
        supported_enctypes = aes256\-cts\-hmac\-sha1\-96:normal aes128\-cts\-hmac\-sha1\-96:normal
        database_module = openldap_ldapconf
    }

[logging]
    kdc = FILE:/usr/local/var/krb5kdc/kdc.log
    admin_server = FILE:/usr/local/var/krb5kdc/kadmin.log

[dbdefaults]
    ldap_kerberos_container_dn = cn=krbcontainer,dc=mit,dc=edu

[dbmodules]
    openldap_ldapconf = {
        db_library = kldap
        disable_last_success = true
        ldap_kdc_dn = "cn=krbadmin,dc=mit,dc=edu"
        # this object needs to have read rights on
        # the realm container and principal subtrees
        ldap_kadmind_dn = "cn=krbadmin,dc=mit,dc=edu"
        # this object needs to have read and write rights on
        # the realm container and principal subtrees
        ldap_service_password_file = /etc/kerberos/service.keyfile
        ldap_servers = ldaps://kerberos.mit.edu
        ldap_conns_per_server = 5
    }
.ft P
.fi
.UNINDENT
.UNINDENT
.SH FILES
.sp
\fB/mnt/c/Users/crash/Documents/BobLiterman/CSP2_Galaxy/CSP2/CSP2_env/env-d9b9114564458d9d-741b3de822f2aaca6c6caa4325c4afce/var\fP\fB/krb5kdc\fP\fB/kdc.conf\fP
.SH SEE ALSO
.sp
krb5.conf(5), krb5kdc(8), kadm5.acl(5)
.SH AUTHOR
MIT
.SH COPYRIGHT
1985-2022, MIT
.\" Generated by docutils manpage writer.
.