annotate CSP2/CSP2_env/env-d9b9114564458d9d-741b3de822f2aaca6c6caa4325c4afce/share/man/man5/krb5.conf.5 @ 68:5028fdace37b

planemo upload commit 2e9511a184a1ca667c7be0c6321a36dc4e3d116d
author jpayne
date Tue, 18 Mar 2025 16:23:26 -0400
.\" Man page generated from reStructuredText.
.
.TH "KRB5.CONF" "5" " " "1.20.1" "MIT Kerberos"
.SH NAME
krb5.conf \- Kerberos configuration file
.
.nr rst2man-indent-level 0
.
.de1 rstReportMargin
\\$1 \\n[an-margin]
level \\n[rst2man-indent-level]
level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
-
\\n[rst2man-indent0]
\\n[rst2man-indent1]
\\n[rst2man-indent2]
..
.de1 INDENT
.\" .rstReportMargin pre:
. RS \\$1
. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
. nr rst2man-indent-level +1
.\" .rstReportMargin post:
..
.de UNINDENT
. RE
.\" indent \\n[an-margin]
.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
.nr rst2man-indent-level -1
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
.sp
The krb5.conf file contains Kerberos configuration information,
including the locations of KDCs and admin servers for the Kerberos
realms of interest, defaults for the current realm and for Kerberos
applications, and mappings of hostnames onto Kerberos realms.
Normally, you should install your krb5.conf file in the directory
\fB/etc\fP\&. You can override the default location by setting the
environment variable \fBKRB5_CONFIG\fP\&. Multiple colon\-separated
filenames may be specified in \fBKRB5_CONFIG\fP; all files which are
present will be read. Starting in release 1.14, directory names can
also be specified in \fBKRB5_CONFIG\fP; all files within the directory
whose names consist solely of alphanumeric characters, dashes, or
underscores will be read.
.SH STRUCTURE
.sp
The krb5.conf file is set up in the style of a Windows INI file.
Lines beginning with \(aq#\(aq or \(aq;\(aq (possibly after initial whitespace)
are ignored as comments. Sections are headed by the section name, in
square brackets. Each section may contain zero or more relations, of
the form:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
foo = bar
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
or:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
fubar = {
    foo = bar
    baz = quux
}
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
Placing a \(aq*\(aq after the closing bracket of a section name indicates
that the section is \fIfinal\fP, meaning that if the same section appears
within a later file specified in \fBKRB5_CONFIG\fP, it will be ignored.
A subsection can be marked as final by placing a \(aq*\(aq after either the
tag name or the closing brace.
.sp
The krb5.conf file can include other files using either of the
following directives at the beginning of a line:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
include FILENAME
includedir DIRNAME
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
\fIFILENAME\fP or \fIDIRNAME\fP should be an absolute path. The named file or
directory must exist and be readable. Including a directory includes
all files within the directory whose names consist solely of
alphanumeric characters, dashes, or underscores. Starting in release
1.15, files with names ending in ".conf" are also included, unless the
name begins with ".". Included profile files are syntactically
independent of their parents, so each included file must begin with a
section header. Starting in release 1.17, files are read in
alphanumeric order; in previous releases, they may be read in any
order.
.sp
The krb5.conf file can specify that configuration should be obtained
from a loadable module, rather than the file itself, using the
following directive at the beginning of a line before any section
headers:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
module MODULEPATH:RESIDUAL
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
\fIMODULEPATH\fP may be relative to the library path of the krb5
installation, or it may be an absolute path. \fIRESIDUAL\fP is provided
to the module at initialization time. If krb5.conf uses a module
directive, kdc.conf(5) should also use one if it exists.
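.sp
The following Python parser is an added illustration, not part of the
krb5.conf(5) page or the MIT Kerberos sources: it implements the profile
syntax described above (comments, section headers, nested subsections,
the \(aq*\(aq final markers) and merges several files in \fBKRB5_CONFIG\fP
order so that a final section ignores later copies. The two sample files
are constructed; \fBinclude\fP and \fBincludedir\fP are not followed.

```python
import re
from dataclasses import dataclass, field

# Added example (not MIT Kerberos code): parser for the krb5.conf profile
# syntax above, plus the KRB5_CONFIG multi-file merge with final markers.
# Simplifications: include/includedir are not followed; relations of a
# non-final section are appended, earlier files first.

@dataclass
class Block:
    """A section or subsection: tag -> list of values (str or nested Block)."""
    relations: dict = field(default_factory=dict)
    final: bool = False

    def add(self, tag, value):
        self.relations.setdefault(tag, []).append(value)

SECTION_RE = re.compile(r"^\[([^\]]+)\](\*?)\s*$")            # [name] or [name]*
RELATION_RE = re.compile(r"^([^\s=*]+)(\*?)\s*=\s*(.*?)\s*$")  # tag[*] = value

def parse_profile(text):
    """Parse one file's text into {section_name: Block}."""
    sections = {}
    stack = []  # open blocks: [section, subsection, ...]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":   # comment, possibly after whitespace
            continue
        m = SECTION_RE.match(line)
        if m:
            name, star = m.groups()
            section = sections.setdefault(name, Block())
            section.final = section.final or bool(star)
            stack = [section]
            continue
        if not stack:
            raise ValueError(f"line {lineno}: relation before any section header")
        if line.startswith("}"):          # "}" closes a subsection, "}*" marks it final
            if len(stack) < 2:
                raise ValueError(f"line {lineno}: unmatched '}}'")
            closed = stack.pop()
            closed.final = closed.final or line[1:].strip() == "*"
            continue
        m = RELATION_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        tag, star, value = m.groups()
        if value == "{":                  # "tag = {" opens a subsection, "tag* = {" a final one
            sub = Block(final=bool(star))
            stack[-1].add(tag, sub)
            stack.append(sub)
        else:
            stack[-1].add(tag, value)
    if len(stack) > 1:
        raise ValueError("unterminated subsection at end of file")
    return sections

def merge_profiles(texts):
    """Merge files in KRB5_CONFIG order; a final section ignores later copies."""
    merged = {}
    for text in texts:
        for name, section in parse_profile(text).items():
            existing = merged.get(name)
            if existing is None:
                merged[name] = section
            elif not existing.final:
                for tag, values in section.relations.items():
                    existing.relations.setdefault(tag, []).extend(values)
                existing.final = section.final
    return merged

def lookup(sections, *path):
    """String values at a path such as ('realms', 'EXAMPLE.COM', 'kdc')."""
    node = sections.get(path[0])
    for tag in path[1:-1]:   # descend into the first subsection carrying each tag
        subs = [v for v in node.relations.get(tag, []) if isinstance(v, Block)] if node else []
        node = subs[0] if subs else None
    if node is None:
        return []
    return [v for v in node.relations.get(path[-1], []) if isinstance(v, str)]

# Constructed sample files; [libdefaults]* in the first makes the second's copy ignored.
SAMPLE_MAIN = """\
[libdefaults]*
    default_realm = EXAMPLE.COM
    ; comment after leading whitespace
[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com
        kdc = kdc2.example.com:88
    }
"""
SAMPLE_OVERRIDE = """\
[libdefaults]
    default_realm = OVERRIDE.EXAMPLE
[realms]
    OTHER.EXAMPLE = {
        kdc = kdc.other.example
    }*
"""
```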
.SH SECTIONS
.sp
The krb5.conf file may contain the following sections:
.TS
center;
|l|l|.
_
T{
\fI\%[libdefaults]\fP
T} T{
Settings used by the Kerberos V5 library
T}
_
T{
\fI\%[realms]\fP
T} T{
Realm\-specific contact information and settings
T}
_
T{
\fI\%[domain_realm]\fP
T} T{
Maps server hostnames to Kerberos realms
T}
_
T{
\fI\%[capaths]\fP
T} T{
Authentication paths for non\-hierarchical cross\-realm
T}
_
T{
\fI\%[appdefaults]\fP
T} T{
Settings used by some Kerberos V5 applications
T}
_
T{
\fI\%[plugins]\fP
T} T{
Controls plugin module registration
T}
_
.TE
.sp
Additionally, krb5.conf may include any of the relations described in
kdc.conf(5), but it is not a recommended practice.
.SS [libdefaults]
.sp
The libdefaults section may contain any of the following relations:
.INDENT 0.0
.TP
\fBallow_weak_crypto\fP
If this flag is set to false, then weak encryption types (as noted
in Encryption_types in kdc.conf(5)) will be filtered
out of the lists \fBdefault_tgs_enctypes\fP,
\fBdefault_tkt_enctypes\fP, and \fBpermitted_enctypes\fP\&. The default
value for this tag is false.
.TP
\fBcanonicalize\fP
If this flag is set to true, initial ticket requests to the KDC
will request canonicalization of the client principal name, and
answers with different client principals than the requested
principal will be accepted. The default value is false.
.TP
\fBccache_type\fP
This parameter determines the format of credential cache types
created by kinit(1) or other programs. The default value
is 4, which represents the most current format. Smaller values
can be used for compatibility with very old implementations of
Kerberos which interact with credential caches on the same host.
.TP
\fBclockskew\fP
Sets the maximum allowable amount of clockskew in seconds that the
library will tolerate before assuming that a Kerberos message is
invalid. The default value is 300 seconds, or five minutes.
.sp
The clockskew setting is also used when evaluating ticket start
and expiration times. For example, tickets that have reached
their expiration time can still be used (and renewed if they are
renewable tickets) if they have been expired for a shorter
duration than the \fBclockskew\fP setting.
.TP
\fBdefault_ccache_name\fP
This relation specifies the name of the default credential cache.
The default is \fBFILE:/tmp/krb5cc_%{uid}\fP\&. This relation is subject to parameter
expansion (see below). New in release 1.11.
.TP
\fBdefault_client_keytab_name\fP
This relation specifies the name of the default keytab for
obtaining client credentials. The default is \fBFILE:/opt/conda/var/krb5/user/%{euid}/client.keytab\fP\&. This
relation is subject to parameter expansion (see below).
New in release 1.11.
.TP
\fBdefault_keytab_name\fP
This relation specifies the default keytab name to be used by
application servers such as sshd. The default is \fBFILE:/etc/krb5.keytab\fP\&. This
relation is subject to parameter expansion (see below).
.TP
\fBdefault_rcache_name\fP
This relation specifies the name of the default replay cache.
The default is \fBdfl:\fP\&. This relation is subject to parameter
expansion (see below). New in release 1.18.
.TP
\fBdefault_realm\fP
Identifies the default Kerberos realm for the client. Set its
value to your Kerberos realm. If this value is not set, then a
realm must be specified with every Kerberos principal when
invoking programs such as kinit(1)\&.
.TP
\fBdefault_tgs_enctypes\fP
Identifies the supported list of session key encryption types that
the client should request when making a TGS\-REQ, in order of
preference from highest to lowest. The list may be delimited with
commas or whitespace. See Encryption_types in
kdc.conf(5) for a list of the accepted values for this tag.
Starting in release 1.18, the default value is the value of
\fBpermitted_enctypes\fP\&. For previous releases or if
\fBpermitted_enctypes\fP is not set, the default value is
\fBaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 aes256\-cts\-hmac\-sha384\-192 aes128\-cts\-hmac\-sha256\-128 des3\-cbc\-sha1 arcfour\-hmac\-md5 camellia256\-cts\-cmac camellia128\-cts\-cmac\fP\&.
.sp
Do not set this unless required for specific backward
compatibility purposes; stale values of this setting can prevent
clients from taking advantage of new stronger enctypes when the
libraries are upgraded.
.TP
\fBdefault_tkt_enctypes\fP
Identifies the supported list of session key encryption types that
the client should request when making an AS\-REQ, in order of
preference from highest to lowest. The format is the same as for
default_tgs_enctypes. Starting in release 1.18, the default
value is the value of \fBpermitted_enctypes\fP\&. For previous
releases or if \fBpermitted_enctypes\fP is not set, the default
value is \fBaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 aes256\-cts\-hmac\-sha384\-192 aes128\-cts\-hmac\-sha256\-128 des3\-cbc\-sha1 arcfour\-hmac\-md5 camellia256\-cts\-cmac camellia128\-cts\-cmac\fP\&.
.sp
Do not set this unless required for specific backward
compatibility purposes; stale values of this setting can prevent
clients from taking advantage of new stronger enctypes when the
libraries are upgraded.
.TP
\fBdns_canonicalize_hostname\fP
Indicate whether name lookups will be used to canonicalize
hostnames for use in service principal names. Setting this flag
to false can improve security by reducing reliance on DNS, but
means that short hostnames will not be canonicalized to
fully\-qualified hostnames. If this option is set to \fBfallback\fP (new
in release 1.18), DNS canonicalization will only be performed if the
server hostname is not found with the original name when
requesting credentials. The default value is true.
.TP
\fBdns_lookup_kdc\fP
Indicate whether DNS SRV records should be used to locate the KDCs
and other servers for a realm, if they are not listed in the
krb5.conf information for the realm. (Note that the admin_server
entry must be in the krb5.conf realm information in order to
contact kadmind, because the DNS implementation for kadmin is
incomplete.)
.sp
Enabling this option does open up a type of denial\-of\-service
attack, if someone spoofs the DNS records and redirects you to
another server. However, it\(aqs no worse than a denial of service,
because that fake KDC will be unable to decode anything you send
it (besides the initial ticket request, which has no encrypted
data), and anything the fake KDC sends will not be trusted without
verification using some secret that it won\(aqt know.
.TP
\fBdns_uri_lookup\fP
Indicate whether DNS URI records should be used to locate the KDCs
and other servers for a realm, if they are not listed in the
krb5.conf information for the realm. SRV records are used as a
fallback if no URI records were found. The default value is true.
New in release 1.15.
.TP
\fBenforce_ok_as_delegate\fP
If this flag is set to true, GSSAPI credential delegation will be
disabled when the \fBok\-as\-delegate\fP flag is not set in the
service ticket. If this flag is false, the \fBok\-as\-delegate\fP
ticket flag is only enforced when an application specifically
requests enforcement. The default value is false.
.TP
\fBerr_fmt\fP
This relation allows for custom error message formatting. If a
value is set, error messages will be formatted by substituting a
normal error message for %M and an error code for %C in the value.
.TP
\fBextra_addresses\fP
This allows a computer to use multiple local addresses, in order
to allow Kerberos to work in a network that uses NATs while still
using address\-restricted tickets. The addresses should be in a
comma\-separated list. This option has no effect if
\fBnoaddresses\fP is true.
.TP
\fBforwardable\fP
If this flag is true, initial tickets will be forwardable by
default, if allowed by the KDC. The default value is false.
.TP
\fBignore_acceptor_hostname\fP
When accepting GSSAPI or krb5 security contexts for host\-based
service principals, ignore any hostname passed by the calling
application, and allow clients to authenticate to any service
principal in the keytab matching the service name and realm name
(if given). This option can improve the administrative
flexibility of server applications on multihomed hosts, but could
compromise the security of virtual hosting environments. The
default value is false. New in release 1.10.
.TP
\fBk5login_authoritative\fP
If this flag is true, principals must be listed in a local user\(aqs
k5login file to be granted login access, if a \&.k5login(5)
file exists. If this flag is false, a principal may still be
granted login access through other mechanisms even if a k5login
file exists but does not list the principal. The default value is
true.
.TP
\fBk5login_directory\fP
If set, the library will look for a local user\(aqs k5login file
within the named directory, with a filename corresponding to the
local username. If not set, the library will look for k5login
files in the user\(aqs home directory, with the filename .k5login.
For security reasons, .k5login files must be owned by
the local user or by root.
.TP
\fBkcm_mach_service\fP
On macOS only, determines the name of the bootstrap service used to
contact the KCM daemon for the KCM credential cache type. If the
value is \fB\-\fP, Mach RPC will not be used to contact the KCM
daemon. The default value is \fBorg.h5l.kcm\fP\&.
.TP
\fBkcm_socket\fP
Determines the path to the Unix domain socket used to access the
KCM daemon for the KCM credential cache type. If the value is
\fB\-\fP, Unix domain sockets will not be used to contact the KCM
daemon. The default value is
\fB/var/run/.heim_org.h5l.kcm\-socket\fP\&.
.TP
\fBkdc_default_options\fP
Default KDC options (XORed together for multiple values) when requesting
initial tickets. By default it is set to 0x00000010
(KDC_OPT_RENEWABLE_OK).
.TP
\fBkdc_timesync\fP
Accepted values for this relation are 1 or 0. If it is nonzero,
client machines will compute the difference between their time and
the time returned by the KDC in the timestamps in the tickets and
use this value to correct for an inaccurate system clock when
requesting service tickets or authenticating to services. This
corrective factor is only used by the Kerberos library; it is not
used to change the system clock. The default value is 1.
.TP
\fBnoaddresses\fP
If this flag is true, requests for initial tickets will not be
made with address restrictions set, allowing the tickets to be
used across NATs. The default value is true.
.TP
\fBpermitted_enctypes\fP
Identifies the encryption types that servers will permit for
session keys and for ticket and authenticator encryption, ordered
by preference from highest to lowest. Starting in release 1.18,
this tag also acts as the default value for
\fBdefault_tgs_enctypes\fP and \fBdefault_tkt_enctypes\fP\&. The
default value for this tag is \fBaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 aes256\-cts\-hmac\-sha384\-192 aes128\-cts\-hmac\-sha256\-128 des3\-cbc\-sha1 arcfour\-hmac\-md5 camellia256\-cts\-cmac camellia128\-cts\-cmac\fP\&.
.TP
\fBplugin_base_dir\fP
If set, determines the base directory where krb5 plugins are
located. The default value is the \fBkrb5/plugins\fP subdirectory
of the krb5 library directory. This relation is subject to
parameter expansion (see below) in release 1.17 and later.
.TP
\fBpreferred_preauth_types\fP
This allows you to set the preferred preauthentication types which
the client will attempt before others which may be advertised by a
KDC. The default value for this setting is "17, 16, 15, 14",
which forces libkrb5 to attempt to use PKINIT if it is supported.
.TP
\fBproxiable\fP
If this flag is true, initial tickets will be proxiable by
default, if allowed by the KDC. The default value is false.
.TP
\fBqualify_shortname\fP
If this string is set, it determines the domain suffix for
single\-component hostnames when DNS canonicalization is not used
(either because \fBdns_canonicalize_hostname\fP is false or because
forward canonicalization failed). The default value is the first
search domain of the system\(aqs DNS configuration. To disable
qualification of shortnames, set this relation to the empty string
with \fBqualify_shortname = ""\fP\&. (New in release 1.18.)
.TP
\fBrdns\fP
If this flag is true, reverse name lookup will be used in addition
to forward name lookup to canonicalize hostnames for use in
service principal names. If \fBdns_canonicalize_hostname\fP is set
to false, this flag has no effect. The default value is true.
.TP
\fBrealm_try_domains\fP
Indicate whether a host\(aqs domain components should be used to
determine the Kerberos realm of the host. The value of this
variable is an integer: \-1 means not to search, 0 means to try the
host\(aqs domain itself, 1 means to also try the domain\(aqs immediate
parent, and so forth. The library\(aqs usual mechanism for locating
Kerberos realms is used to determine whether a domain is a valid
realm, which may involve consulting DNS if \fBdns_lookup_kdc\fP is
set. The default is not to search domain components.
.TP
\fBrenew_lifetime\fP
(duration string.) Sets the default renewable lifetime
for initial ticket requests. The default value is 0.
.TP
\fBspake_preauth_groups\fP
A whitespace or comma\-separated list of words which specifies the
groups allowed for SPAKE preauthentication. The possible values
are:
.TS
center;
|l|l|.
_
T{
edwards25519
T} T{
Edwards25519 curve (\fI\%RFC 7748\fP)
T}
_
T{
P\-256
T} T{
NIST P\-256 curve (\fI\%RFC 5480\fP)
T}
_
T{
P\-384
T} T{
NIST P\-384 curve (\fI\%RFC 5480\fP)
T}
_
T{
P\-521
T} T{
NIST P\-521 curve (\fI\%RFC 5480\fP)
T}
_
.TE
.sp
The default value for the client is \fBedwards25519\fP\&. The default
value for the KDC is empty. New in release 1.17.
.TP
\fBticket_lifetime\fP
(duration string.) Sets the default lifetime for initial
ticket requests. The default value is 1 day.
.TP
\fBudp_preference_limit\fP
When sending a message to the KDC, the library will try using TCP
before UDP if the size of the message is above
\fBudp_preference_limit\fP\&. If the message is smaller than
\fBudp_preference_limit\fP, then UDP will be tried before TCP.
Regardless of the size, both protocols will be tried if the first
attempt fails.
.TP
\fBverify_ap_req_nofail\fP
If this flag is true, then an attempt to verify initial
credentials will fail if the client machine does not have a
keytab. The default value is false.
.TP
\fBclient_aware_channel_bindings\fP
If this flag is true, then all application protocol authentication
requests will be flagged to indicate that the application supports
channel bindings when operating over a secure channel. The
default value is false.
.UNINDENT
.SS [realms]
.sp
Each tag in the [realms] section of the file is the name of a Kerberos
realm. The value of the tag is a subsection with relations that
define the properties of that particular realm. For each realm, the
following tags may be specified in the realm\(aqs subsection:
.INDENT 0.0
.TP
\fBadmin_server\fP
Identifies the host where the administration server is running.
Typically, this is the primary Kerberos server. This tag must be
given a value in order to communicate with the kadmind(8)
server for the realm.
.TP
\fBauth_to_local\fP
This tag allows you to set a general rule for mapping principal
names to local user names. It will be used if there is not an
explicit mapping for the principal name that is being
translated. The possible values are:
.INDENT 7.0
.TP
\fBRULE:\fP\fIexp\fP
The local name will be formulated from \fIexp\fP\&.
.sp
The format for \fIexp\fP is \fB[\fP\fIn\fP\fB:\fP\fIstring\fP\fB](\fP\fIregexp\fP\fB)s/\fP\fIpattern\fP\fB/\fP\fIreplacement\fP\fB/g\fP\&.
The integer \fIn\fP indicates how many components the target
principal should have. If this matches, then a string will be
formed from \fIstring\fP, substituting the realm of the principal
for \fB$0\fP and the \fIn\fP\(aqth component of the principal for
\fB$n\fP (e.g., if the principal was \fBjohndoe/admin\fP then
\fB[2:$2$1foo]\fP would result in the string
\fBadminjohndoefoo\fP). If this string matches \fIregexp\fP, then
the \fBs//[g]\fP substitution command will be run over the
string. The optional \fBg\fP will cause the substitution to be
global over the \fIstring\fP, instead of replacing only the first
match in the \fIstring\fP\&.
.TP
\fBDEFAULT\fP
The principal name will be used as the local user name. If
the principal has more than one component or is not in the
default realm, this rule is not applicable and the conversion
will fail.
.UNINDENT
.sp
For example:
.INDENT 7.0
.INDENT 3.5
.sp
.nf
.ft C
[realms]
    ATHENA.MIT.EDU = {
        auth_to_local = RULE:[2:$1](johndoe)s/^.*$/guest/
        auth_to_local = RULE:[2:$1;$2](^.*;admin$)s/;admin$//
        auth_to_local = RULE:[2:$2](^.*;root)s/^.*$/root/
        auth_to_local = DEFAULT
    }
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
would result in any principal without \fBroot\fP or \fBadmin\fP as the
second component being translated with the default rule. A
principal with a second component of \fBadmin\fP will become its
first component. \fBroot\fP will be used as the local name for any
principal with a second component of \fBroot\fP\&. The exception to
these two rules is any principal \fBjohndoe/*\fP, which will
always get the local name \fBguest\fP\&.
.TP
\fBauth_to_local_names\fP
This subsection allows you to set explicit mappings from principal
names to local user names. The tag is the mapping name, and the
value is the corresponding local user name.
.TP
\fBdefault_domain\fP
This tag specifies the domain used to expand hostnames when
translating Kerberos 4 service principals to Kerberos 5 principals
(for example, when converting \fBrcmd.hostname\fP to
\fBhost/hostname.domain\fP).
.TP
\fBdisable_encrypted_timestamp\fP
If this flag is true, the client will not perform encrypted
timestamp preauthentication if requested by the KDC. Setting this
flag can help to prevent dictionary attacks by active attackers,
if the realm\(aqs KDCs support SPAKE preauthentication or if initial
authentication always uses another mechanism or always uses FAST.
This flag persists across client referrals during initial
authentication. This flag does not prevent the KDC from offering
encrypted timestamp. New in release 1.17.
.TP
\fBhttp_anchors\fP
When KDCs and kpasswd servers are accessed through HTTPS proxies, this tag
can be used to specify the location of the CA certificate which should be
trusted to issue the certificate for a proxy server. If left unspecified,
the system\-wide default set of CA certificates is used.
.sp
The syntax for values is similar to that of values for the
\fBpkinit_anchors\fP tag:
.sp
\fBFILE:\fP \fIfilename\fP
.sp
\fIfilename\fP is assumed to be the name of an OpenSSL\-style ca\-bundle file.
.sp
\fBDIR:\fP \fIdirname\fP
.sp
\fIdirname\fP is assumed to be a directory which contains CA certificates.
All files in the directory will be examined; if they contain certificates
(in PEM format), they will be used.
.sp
\fBENV:\fP \fIenvvar\fP
.sp
\fIenvvar\fP specifies the name of an environment variable which has been set
to a value conforming to one of the previous values. For example,
\fBENV:X509_PROXY_CA\fP, where environment variable \fBX509_PROXY_CA\fP has
been set to \fBFILE:/tmp/my_proxy.pem\fP\&.
.TP
\fBkdc\fP
The name or address of a host running a KDC for that realm. An
optional port number, separated from the hostname by a colon, may
be included. If the name or address contains colons (for example,
if it is an IPv6 address), enclose it in square brackets to
distinguish the colon from a port separator. For your computer to
be able to communicate with the KDC for each realm, this tag must
be given a value in each realm subsection in the configuration
file, or there must be DNS SRV records specifying the KDCs.
jpayne@68 622 .TP
jpayne@68 623 \fBkpasswd_server\fP
jpayne@68 624 Points to the server where all the password changes are performed.
jpayne@68 625 If there is no such entry, DNS will be queried (unless forbidden
jpayne@68 626 by \fBdns_lookup_kdc\fP). Finally, port 464 on the \fBadmin_server\fP
jpayne@68 627 host will be tried.
jpayne@68 628 .TP
jpayne@68 629 \fBmaster_kdc\fP
jpayne@68 630 The name for \fBprimary_kdc\fP prior to release 1.19. Its value is
jpayne@68 631 used as a fallback if \fBprimary_kdc\fP is not specified.
jpayne@68 632 .TP
jpayne@68 633 \fBprimary_kdc\fP
jpayne@68 634 Identifies the primary KDC(s). Currently, this tag is used in only
jpayne@68 635 one case: If an attempt to get credentials fails because of an
jpayne@68 636 invalid password, the client software will attempt to contact the
jpayne@68 637 primary KDC, in case the user\(aqs password has just been changed, and
jpayne@68 638 the updated database has not been propagated to the replica
jpayne@68 639 servers yet. New in release 1.19.
jpayne@68 640 .TP
jpayne@68 641 \fBv4_instance_convert\fP
jpayne@68 642 This subsection allows the administrator to configure exceptions
jpayne@68 643 to the \fBdefault_domain\fP mapping rule. It contains V4 instances
jpayne@68 644 (the tag name) which should be translated to some specific
jpayne@68 645 hostname (the tag value) as the second component in a Kerberos V5
jpayne@68 646 principal name.
jpayne@68 647 .TP
jpayne@68 648 \fBv4_realm\fP
jpayne@68 649 This relation is used by the krb524 library routines when
jpayne@68 650 converting a V5 principal name to a V4 principal name. It is used
jpayne@68 651 when the V4 realm name and the V5 realm name are not the same, but
jpayne@68 652 still share the same principal names and passwords. The tag value
jpayne@68 653 is the Kerberos V4 realm name.
jpayne@68 654 .UNINDENT
jpayne@68 655 .SS [domain_realm]
jpayne@68 656 .sp
jpayne@68 657 The [domain_realm] section provides a translation from hostnames to
jpayne@68 658 Kerberos realms. Each tag is a domain name, providing the mapping for
jpayne@68 659 that domain and all subdomains. If the tag begins with a period
jpayne@68 660 (\fB\&.\fP) then it applies only to subdomains. The Kerberos realm may be
jpayne@68 661 identified either in the \fI\%realms\fP section or using DNS SRV records.
jpayne@68 662 Tag names should be in lower case. For example:
jpayne@68 663 .INDENT 0.0
jpayne@68 664 .INDENT 3.5
jpayne@68 665 .sp
jpayne@68 666 .nf
jpayne@68 667 .ft C
jpayne@68 668 [domain_realm]
jpayne@68 669 crash.mit.edu = TEST.ATHENA.MIT.EDU
jpayne@68 670 .dev.mit.edu = TEST.ATHENA.MIT.EDU
jpayne@68 671 mit.edu = ATHENA.MIT.EDU
jpayne@68 672 .ft P
jpayne@68 673 .fi
jpayne@68 674 .UNINDENT
jpayne@68 675 .UNINDENT
jpayne@68 676 .sp
jpayne@68 677 maps the host with the name \fBcrash.mit.edu\fP into the
jpayne@68 678 \fBTEST.ATHENA.MIT.EDU\fP realm. The second entry maps all hosts under the
jpayne@68 679 domain \fBdev.mit.edu\fP into the \fBTEST.ATHENA.MIT.EDU\fP realm, but not
jpayne@68 680 the host with the name \fBdev.mit.edu\fP\&. That host is matched
jpayne@68 681 by the third entry, which maps the host \fBmit.edu\fP and all hosts
jpayne@68 682 under the domain \fBmit.edu\fP that do not match a preceding rule
jpayne@68 683 into the realm \fBATHENA.MIT.EDU\fP\&.
jpayne@68 684 .sp
jpayne@68 685 If no translation entry applies to a hostname used for a service
jpayne@68 686 principal for a service ticket request, the library will try to get a
jpayne@68 687 referral to the appropriate realm from the client realm\(aqs KDC. If
jpayne@68 688 that does not succeed, the host\(aqs realm is considered to be the
jpayne@68 689 hostname\(aqs domain portion converted to uppercase, unless the
jpayne@68 690 \fBrealm_try_domains\fP setting in [libdefaults] causes a different
jpayne@68 691 parent domain to be used.
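.sp
The matching order described above, as an added worked example that is not part of the MIT Kerberos page or code base: a Python model of the [domain_realm] lookup using the three entries from the example. Most-specific tags win; the KDC referral step is omitted because it needs a network exchange, and \fBrealm_try_domains\fP is assumed unset, so the final fallback is the uppercased domain portion.

```python
from typing import Dict, Optional

# Constructed copy of the [domain_realm] example on this page, as tag -> realm.
# Tag names are kept in lower case, as the page requires.
DOMAIN_REALM: Dict[str, str] = {
    "crash.mit.edu": "TEST.ATHENA.MIT.EDU",
    ".dev.mit.edu": "TEST.ATHENA.MIT.EDU",
    "mit.edu": "ATHENA.MIT.EDU",
}


def domain_realm_lookup(domain_realm: Dict[str, str], hostname: str) -> Optional[str]:
    """Return the realm that [domain_realm] maps hostname to, or None.

    Candidate tags are tried from most to least specific: the exact hostname,
    then for each parent domain first the leading-dot form (subdomains only)
    and then the bare form (the domain itself and all of its subdomains).
    The first tag present wins, so a specific entry overrides a broader one.
    """
    host = hostname.lower().rstrip(".")
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        for tag in ("." + parent, parent):
            if tag in domain_realm:
                return domain_realm[tag]
    return None


def host_to_realm(domain_realm: Dict[str, str], hostname: str) -> Optional[str]:
    """Resolve hostname to a realm, with the page's final fallback.

    When no [domain_realm] entry applies, the hostname's domain portion
    converted to upper case is returned. The referral-to-KDC step the page
    describes is skipped here, and realm_try_domains is assumed to be unset.
    """
    realm = domain_realm_lookup(domain_realm, hostname)
    if realm is not None:
        return realm
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None  # single-label host: no domain portion to fall back on
    return ".".join(labels[1:]).upper()
```

Note that \fBdev.mit.edu\fP itself never reaches the \fB.dev.mit.edu\fP tag: the leading-dot form is only tried for parents of the hostname, which is exactly why the page says that host falls through to the \fBmit.edu\fP entry.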
jpayne@68 692 .SS [capaths]
jpayne@68 693 .sp
jpayne@68 694 In order to perform direct (non\-hierarchical) cross\-realm
jpayne@68 695 authentication, configuration is needed to determine the
jpayne@68 696 authentication paths between realms.
jpayne@68 697 .sp
jpayne@68 698 A client will use this section to find the authentication path between
jpayne@68 699 its realm and the realm of the server. The server will use this
jpayne@68 700 section to verify the authentication path used by the client, by
jpayne@68 701 checking the transited field of the received ticket.
jpayne@68 702 .sp
jpayne@68 703 There is a tag for each participating client realm, and each tag has
jpayne@68 704 subtags for each of the server realms. The value of the subtags is an
jpayne@68 705 intermediate realm which may participate in the cross\-realm
jpayne@68 706 authentication. The subtags may be repeated if there is more than one
jpayne@68 707 intermediate realm. A value of "." means that the two realms share
jpayne@68 708 keys directly, and no intermediate realms should be allowed to
jpayne@68 709 participate.
jpayne@68 710 .sp
jpayne@68 711 Only those entries which will be needed on the client or the server
jpayne@68 712 need to be present. A client needs a tag for its local realm with
jpayne@68 713 subtags for all the realms of servers it will need to authenticate to.
jpayne@68 714 A server needs a tag for each realm of the clients it will serve, with
jpayne@68 715 a subtag of the server realm.
jpayne@68 716 .sp
jpayne@68 717 For example, \fBANL.GOV\fP, \fBPNL.GOV\fP, and \fBNERSC.GOV\fP all wish to
jpayne@68 718 use the \fBES.NET\fP realm as an intermediate realm. ANL has a sub
jpayne@68 719 realm of \fBTEST.ANL.GOV\fP which will authenticate with \fBNERSC.GOV\fP
jpayne@68 720 but not \fBPNL.GOV\fP\&. The [capaths] section for \fBANL.GOV\fP systems
jpayne@68 721 would look like this:
jpayne@68 722 .INDENT 0.0
jpayne@68 723 .INDENT 3.5
jpayne@68 724 .sp
jpayne@68 725 .nf
jpayne@68 726 .ft C
jpayne@68 727 [capaths]
jpayne@68 728 ANL.GOV = {
jpayne@68 729 TEST.ANL.GOV = .
jpayne@68 730 PNL.GOV = ES.NET
jpayne@68 731 NERSC.GOV = ES.NET
jpayne@68 732 ES.NET = .
jpayne@68 733 }
jpayne@68 734 TEST.ANL.GOV = {
jpayne@68 735 ANL.GOV = .
jpayne@68 736 }
jpayne@68 737 PNL.GOV = {
jpayne@68 738 ANL.GOV = ES.NET
jpayne@68 739 }
jpayne@68 740 NERSC.GOV = {
jpayne@68 741 ANL.GOV = ES.NET
jpayne@68 742 }
jpayne@68 743 ES.NET = {
jpayne@68 744 ANL.GOV = .
jpayne@68 745 }
jpayne@68 746 .ft P
jpayne@68 747 .fi
jpayne@68 748 .UNINDENT
jpayne@68 749 .UNINDENT
jpayne@68 750 .sp
jpayne@68 751 The [capaths] section of the configuration file used on \fBNERSC.GOV\fP
jpayne@68 752 systems would look like this:
jpayne@68 753 .INDENT 0.0
jpayne@68 754 .INDENT 3.5
jpayne@68 755 .sp
jpayne@68 756 .nf
jpayne@68 757 .ft C
jpayne@68 758 [capaths]
jpayne@68 759 NERSC.GOV = {
jpayne@68 760 ANL.GOV = ES.NET
jpayne@68 761 TEST.ANL.GOV = ES.NET
jpayne@68 762 TEST.ANL.GOV = ANL.GOV
jpayne@68 763 PNL.GOV = ES.NET
jpayne@68 764 ES.NET = .
jpayne@68 765 }
jpayne@68 766 ANL.GOV = {
jpayne@68 767 NERSC.GOV = ES.NET
jpayne@68 768 }
jpayne@68 769 PNL.GOV = {
jpayne@68 770 NERSC.GOV = ES.NET
jpayne@68 771 }
jpayne@68 772 ES.NET = {
jpayne@68 773 NERSC.GOV = .
jpayne@68 774 }
jpayne@68 775 TEST.ANL.GOV = {
jpayne@68 776 NERSC.GOV = ANL.GOV
jpayne@68 777 NERSC.GOV = ES.NET
jpayne@68 778 }
jpayne@68 779 .ft P
jpayne@68 780 .fi
jpayne@68 781 .UNINDENT
jpayne@68 782 .UNINDENT
jpayne@68 783 .sp
jpayne@68 784 When a subtag is used more than once within a tag, clients will use
jpayne@68 785 the order of values to determine the path. The order of values is not
jpayne@68 786 important to servers.
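.sp
The client-side path selection and the server-side transited check described in this section, as an added worked example that is not part of the MIT Kerberos page or code base. It uses the \fBNERSC.GOV\fP configuration shown above (which has a repeated subtag) and is a simplified model of the documented rules, not libkrb5's own transited-field algorithm; the hierarchical fallback used when no entry exists is omitted.

```python
from typing import Dict, List, Optional, Sequence

# Constructed from the page's [capaths] example for NERSC.GOV systems. Each
# client realm maps to {server realm: [intermediate realms, in the order the
# subtag is repeated]}; "." stands for a direct key share.
NERSC_CAPATHS: Dict[str, Dict[str, List[str]]] = {
    "NERSC.GOV": {
        "ANL.GOV": ["ES.NET"],
        "TEST.ANL.GOV": ["ES.NET", "ANL.GOV"],
        "PNL.GOV": ["ES.NET"],
        "ES.NET": ["."],
    },
    "ANL.GOV": {"NERSC.GOV": ["ES.NET"]},
    "PNL.GOV": {"NERSC.GOV": ["ES.NET"]},
    "ES.NET": {"NERSC.GOV": ["."]},
    "TEST.ANL.GOV": {"NERSC.GOV": ["ANL.GOV", "ES.NET"]},
}


def client_auth_path(capaths: Dict[str, Dict[str, List[str]]],
                     client_realm: str, server_realm: str) -> Optional[List[str]]:
    """Intermediate realms a client in client_realm traverses to reach server_realm.

    Returns [] for a direct key share ("."), the ordered intermediates when the
    subtag is configured (clients honour this order), and None when no entry
    exists at all.
    """
    values = capaths.get(client_realm, {}).get(server_realm)
    if values is None:
        return None
    return [realm for realm in values if realm != "."]


def server_check_transited(capaths: Dict[str, Dict[str, List[str]]],
                           client_realm: str, server_realm: str,
                           transited: Sequence[str]) -> bool:
    """Server-side check of a ticket's transited field against [capaths].

    Every realm recorded in the transited field must be an intermediate the
    server's configuration allows for this client realm. Order is ignored,
    matching the page's statement that order is not important to servers,
    and a "." entry allows no intermediates at all. With no configured path
    the ticket is rejected rather than guessed at.
    """
    allowed = client_auth_path(capaths, client_realm, server_realm)
    if allowed is None:
        return False
    return set(transited) <= set(allowed)
```

A ticket from \fBES.NET\fP to \fBNERSC.GOV\fP that claims to have passed through \fBANL.GOV\fP fails the check because the two realms share keys directly, so any intermediate in the transited field is unexpected.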
jpayne@68 787 .SS [appdefaults]
jpayne@68 788 .sp
jpayne@68 789 Each tag in the [appdefaults] section names a Kerberos V5 application
jpayne@68 790 or an option that is used by some Kerberos V5 application[s]. The
jpayne@68 791 value of the tag defines the default behaviors for that application.
jpayne@68 792 .sp
jpayne@68 793 For example:
jpayne@68 794 .INDENT 0.0
jpayne@68 795 .INDENT 3.5
jpayne@68 796 .sp
jpayne@68 797 .nf
jpayne@68 798 .ft C
jpayne@68 799 [appdefaults]
jpayne@68 800 telnet = {
jpayne@68 801 ATHENA.MIT.EDU = {
jpayne@68 802 option1 = false
jpayne@68 803 }
jpayne@68 804 }
jpayne@68 805 telnet = {
jpayne@68 806 option1 = true
jpayne@68 807 option2 = true
jpayne@68 808 }
jpayne@68 809 ATHENA.MIT.EDU = {
jpayne@68 810 option2 = false
jpayne@68 811 }
jpayne@68 812 option2 = true
jpayne@68 813 .ft P
jpayne@68 814 .fi
jpayne@68 815 .UNINDENT
jpayne@68 816 .UNINDENT
jpayne@68 817 .sp
jpayne@68 818 The above four ways of specifying the value of an option are shown in
jpayne@68 819 order of decreasing precedence. In this example, if telnet is running
jpayne@68 820 in the realm EXAMPLE.COM, it should, by default, have option1 and
jpayne@68 821 option2 set to true. However, a telnet program in the realm
jpayne@68 822 \fBATHENA.MIT.EDU\fP should have \fBoption1\fP set to false and
jpayne@68 823 \fBoption2\fP set to true. Any other programs in ATHENA.MIT.EDU should
jpayne@68 824 have \fBoption2\fP set to false by default. Any programs running in
jpayne@68 825 other realms should have \fBoption2\fP set to true.
jpayne@68 826 .sp
jpayne@68 827 The list of specifiable options for each application may be found in
jpayne@68 828 that application\(aqs man pages. The application defaults specified here
jpayne@68 829 are overridden by those specified in the \fI\%realms\fP section.
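.sp
The four-level precedence described above, as an added worked example that is not part of the MIT Kerberos page or code base: a Python lookup over the page's [appdefaults] example. The two \fBtelnet\fP blocks from the example are merged into one dict here (an assumption that does not change any of the lookups, since no tag is duplicated between them), and the boolean spellings accepted are modeled on libkrb5's, which is also an assumption.

```python
from typing import Any, Dict, Optional

# Constructed from the page's [appdefaults] example, with the two telnet
# blocks merged into a single nested dict.
APPDEFAULTS: Dict[str, Any] = {
    "telnet": {
        "ATHENA.MIT.EDU": {"option1": "false"},
        "option1": "true",
        "option2": "true",
    },
    "ATHENA.MIT.EDU": {"option2": "false"},
    "option2": "true",
}

TRUE_WORDS = {"y", "yes", "true", "t", "1", "on"}
FALSE_WORDS = {"n", "no", "false", "nil", "0", "off"}


def appdefault_string(appdefaults: Dict[str, Any], app: str, realm: str,
                      option: str) -> Optional[str]:
    """Find option for app in realm, in the page's order of decreasing precedence:
    app/realm/option, then app/option, then realm/option, then option alone."""
    for path in ((app, realm, option), (app, option), (realm, option), (option,)):
        node = appdefaults
        for key in path:
            if not isinstance(node, dict) or key not in node:
                node = None
                break
            node = node[key]
        if isinstance(node, str):
            return node
    return None


def appdefault_boolean(appdefaults: Dict[str, Any], app: str, realm: str,
                       option: str, default: bool) -> bool:
    """Boolean view of appdefault_string; an absent or unparseable value yields default."""
    value = appdefault_string(appdefaults, app, realm, option)
    if value is None:
        return default
    word = value.strip().lower()
    if word in TRUE_WORDS:
        return True
    if word in FALSE_WORDS:
        return False
    return default
```

The checks below reproduce the outcomes the page lists: telnet in \fBATHENA.MIT.EDU\fP gets option1 false and option2 true, another program in that realm gets option2 false, and programs in other realms get option2 true.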
jpayne@68 830 .SS [plugins]
jpayne@68 831 .INDENT 0.0
jpayne@68 832 .INDENT 3.5
jpayne@68 833 .INDENT 0.0
jpayne@68 834 .IP \(bu 2
jpayne@68 835 \fI\%pwqual\fP interface
jpayne@68 836 .IP \(bu 2
jpayne@68 837 \fI\%kadm5_hook\fP interface
jpayne@68 838 .IP \(bu 2
jpayne@68 839 \fI\%clpreauth\fP and \fI\%kdcpreauth\fP interfaces
jpayne@68 840 .UNINDENT
jpayne@68 841 .UNINDENT
jpayne@68 842 .UNINDENT
jpayne@68 843 .sp
jpayne@68 844 Tags in the [plugins] section can be used to register dynamic plugin
jpayne@68 845 modules and to turn modules on and off. Not every krb5 pluggable
jpayne@68 846 interface uses the [plugins] section; the ones that do are documented
jpayne@68 847 here.
jpayne@68 848 .sp
jpayne@68 849 New in release 1.9.
jpayne@68 850 .sp
jpayne@68 851 Each pluggable interface corresponds to a subsection of [plugins].
jpayne@68 852 All subsections support the same tags:
jpayne@68 853 .INDENT 0.0
jpayne@68 854 .TP
jpayne@68 855 \fBdisable\fP
jpayne@68 856 This tag may have multiple values. If there are values for this
jpayne@68 857 tag, then the named modules will be disabled for the pluggable
jpayne@68 858 interface.
jpayne@68 859 .TP
jpayne@68 860 \fBenable_only\fP
jpayne@68 861 This tag may have multiple values. If there are values for this
jpayne@68 862 tag, then only the named modules will be enabled for the pluggable
jpayne@68 863 interface.
jpayne@68 864 .TP
jpayne@68 865 \fBmodule\fP
jpayne@68 866 This tag may have multiple values. Each value is a string of the
jpayne@68 867 form \fBmodulename:pathname\fP, which causes the shared object
jpayne@68 868 located at \fIpathname\fP to be registered as a dynamic module named
jpayne@68 869 \fImodulename\fP for the pluggable interface. If \fIpathname\fP is not an
jpayne@68 870 absolute path, it will be treated as relative to the
jpayne@68 871 \fBplugin_base_dir\fP value from \fI\%[libdefaults]\fP\&.
jpayne@68 872 .UNINDENT
jpayne@68 873 .sp
jpayne@68 874 For pluggable interfaces where module order matters, modules
jpayne@68 875 registered with a \fBmodule\fP tag normally come first, in the order
jpayne@68 876 they are registered, followed by built\-in modules in the order they
jpayne@68 877 are documented below. If \fBenable_only\fP tags are used, then the
jpayne@68 878 order of those tags overrides the normal module order.
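.sp
The module-ordering rules just described, as an added worked example that is not part of the MIT Kerberos page or code base: a Python function that computes the effective module list for one [plugins] subsection from its \fBmodule\fP, \fBenable_only\fP and \fBdisable\fP tags, using the ccselect built-in order documented below. The \fBplugin_base_dir\fP default used here is illustrative only, not the library's compiled-in value.

```python
import os
from typing import List, Sequence, Tuple

# Built-in modules of the ccselect interface, in the order this page documents them.
CCSELECT_BUILTINS = ["k5identity", "realm", "hostname"]


def parse_module_tag(value: str, plugin_base_dir: str) -> Tuple[str, str]:
    """Split a module tag value of the form modulename:pathname.

    A relative pathname is taken relative to plugin_base_dir, as the page states.
    """
    name, sep, path = value.partition(":")
    if not sep or not name or not path:
        raise ValueError(f"module tag must be modulename:pathname, got {value!r}")
    if not os.path.isabs(path):
        path = os.path.join(plugin_base_dir, path)
    return name, path


def effective_module_order(builtins: Sequence[str],
                           module_tags: Sequence[str] = (),
                           enable_only: Sequence[str] = (),
                           disable: Sequence[str] = (),
                           plugin_base_dir: str = "/usr/lib/krb5/plugins") -> List[str]:
    """Module order for one [plugins] subsection, following the page's rules.

    Dynamically registered modules come first in registration order, then the
    built-ins in documented order (a dynamic module that reuses a built-in
    name takes that slot). enable_only replaces the order with its own, and
    disable removes modules. plugin_base_dir default is an illustrative
    placeholder.
    """
    registered = [parse_module_tag(v, plugin_base_dir)[0] for v in module_tags]
    order = registered + [m for m in builtins if m not in registered]
    if enable_only:
        order = [m for m in enable_only if m in order]
    disabled = set(disable)
    return [m for m in order if m not in disabled]
```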
jpayne@68 879 .sp
jpayne@68 880 The following subsections are currently supported within the [plugins]
jpayne@68 881 section:
jpayne@68 882 .SS ccselect interface
jpayne@68 883 .sp
jpayne@68 884 The ccselect subsection controls modules for credential cache
jpayne@68 885 selection within a cache collection. In addition to any registered
jpayne@68 886 dynamic modules, the following built\-in modules exist (and may be
jpayne@68 887 disabled with the disable tag):
jpayne@68 888 .INDENT 0.0
jpayne@68 889 .TP
jpayne@68 890 \fBk5identity\fP
jpayne@68 891 Uses a .k5identity file in the user\(aqs home directory to select a
jpayne@68 892 client principal
jpayne@68 893 .TP
jpayne@68 894 \fBrealm\fP
jpayne@68 895 Uses the service realm to guess an appropriate cache from the
jpayne@68 896 collection
jpayne@68 897 .TP
jpayne@68 898 \fBhostname\fP
jpayne@68 899 If the service principal is host\-based, uses the service hostname
jpayne@68 900 to guess an appropriate cache from the collection
jpayne@68 901 .UNINDENT
jpayne@68 902 .SS pwqual interface
jpayne@68 903 .sp
jpayne@68 904 The pwqual subsection controls modules for the password quality
jpayne@68 905 interface, which is used to reject weak passwords when passwords are
jpayne@68 906 changed. The following built\-in modules exist for this interface:
jpayne@68 907 .INDENT 0.0
jpayne@68 908 .TP
jpayne@68 909 \fBdict\fP
jpayne@68 910 Checks against the realm dictionary file
jpayne@68 911 .TP
jpayne@68 912 \fBempty\fP
jpayne@68 913 Rejects empty passwords
jpayne@68 914 .TP
jpayne@68 915 \fBhesiod\fP
jpayne@68 916 Checks against user information stored in Hesiod (only if Kerberos
jpayne@68 917 was built with Hesiod support)
jpayne@68 918 .TP
jpayne@68 919 \fBprinc\fP
jpayne@68 920 Checks against components of the principal name
jpayne@68 921 .UNINDENT
jpayne@68 922 .SS kadm5_hook interface
jpayne@68 923 .sp
jpayne@68 924 The kadm5_hook interface provides plugins with information on
jpayne@68 925 principal creation, modification, password changes and deletion. This
jpayne@68 926 interface can be used to write a plugin to synchronize MIT Kerberos
jpayne@68 927 with another database such as Active Directory. No plugins are built
jpayne@68 928 in for this interface.
jpayne@68 929 .SS kadm5_auth interface
jpayne@68 930 .sp
jpayne@68 931 The kadm5_auth section (introduced in release 1.16) controls modules
jpayne@68 932 for the kadmin authorization interface, which determines whether a
jpayne@68 933 client principal is allowed to perform a kadmin operation. The
jpayne@68 934 following built\-in modules exist for this interface:
jpayne@68 935 .INDENT 0.0
jpayne@68 936 .TP
jpayne@68 937 \fBacl\fP
jpayne@68 938 This module reads the kadm5.acl(5) file, and authorizes
jpayne@68 939 operations which are allowed according to the rules in the file.
jpayne@68 940 .TP
jpayne@68 941 \fBself\fP
jpayne@68 942 This module authorizes self\-service operations including password
jpayne@68 943 changes, creation of new random keys, fetching the client\(aqs
jpayne@68 944 principal record or string attributes, and fetching the policy
jpayne@68 945 record associated with the client principal.
jpayne@68 946 .UNINDENT
jpayne@68 947 .SS clpreauth and kdcpreauth interfaces
jpayne@68 948 .sp
jpayne@68 949 The clpreauth and kdcpreauth interfaces allow plugin modules to
jpayne@68 950 provide client and KDC preauthentication mechanisms. The following
jpayne@68 951 built\-in modules exist for these interfaces:
jpayne@68 952 .INDENT 0.0
jpayne@68 953 .TP
jpayne@68 954 \fBpkinit\fP
jpayne@68 955 This module implements the PKINIT preauthentication mechanism.
jpayne@68 956 .TP
jpayne@68 957 \fBencrypted_challenge\fP
jpayne@68 958 This module implements the encrypted challenge FAST factor.
jpayne@68 959 .TP
jpayne@68 960 \fBencrypted_timestamp\fP
jpayne@68 961 This module implements the encrypted timestamp mechanism.
jpayne@68 962 .UNINDENT
jpayne@68 963 .SS hostrealm interface
jpayne@68 964 .sp
jpayne@68 965 The hostrealm section (introduced in release 1.12) controls modules
jpayne@68 966 for the host\-to\-realm interface, which affects the local mapping of
jpayne@68 967 hostnames to realm names and the choice of default realm. The following
jpayne@68 968 built\-in modules exist for this interface:
jpayne@68 969 .INDENT 0.0
jpayne@68 970 .TP
jpayne@68 971 \fBprofile\fP
jpayne@68 972 This module consults the [domain_realm] section of the profile for
jpayne@68 973 authoritative host\-to\-realm mappings, and the \fBdefault_realm\fP
jpayne@68 974 variable for the default realm.
jpayne@68 975 .TP
jpayne@68 976 \fBdns\fP
jpayne@68 977 This module looks for DNS records for fallback host\-to\-realm
jpayne@68 978 mappings and the default realm. It only operates if the
jpayne@68 979 \fBdns_lookup_realm\fP variable is set to true.
jpayne@68 980 .TP
jpayne@68 981 \fBdomain\fP
jpayne@68 982 This module applies heuristics for fallback host\-to\-realm
jpayne@68 983 mappings. It implements the \fBrealm_try_domains\fP variable, and
jpayne@68 984 uses the uppercased parent domain of the hostname if that does not
jpayne@68 985 produce a result.
jpayne@68 986 .UNINDENT
jpayne@68 987 .SS localauth interface
jpayne@68 988 .sp
jpayne@68 989 The localauth section (introduced in release 1.12) controls modules
jpayne@68 990 for the local authorization interface, which affects the relationship
jpayne@68 991 between Kerberos principals and local system accounts. The following
jpayne@68 992 built\-in modules exist for this interface:
jpayne@68 993 .INDENT 0.0
jpayne@68 994 .TP
jpayne@68 995 \fBdefault\fP
jpayne@68 996 This module implements the \fBDEFAULT\fP type for \fBauth_to_local\fP
jpayne@68 997 values.
jpayne@68 998 .TP
jpayne@68 999 \fBrule\fP
jpayne@68 1000 This module implements the \fBRULE\fP type for \fBauth_to_local\fP
jpayne@68 1001 values.
jpayne@68 1002 .TP
jpayne@68 1003 \fBnames\fP
jpayne@68 1004 This module looks for an \fBauth_to_local_names\fP mapping for the
jpayne@68 1005 principal name.
jpayne@68 1006 .TP
jpayne@68 1007 \fBauth_to_local\fP
jpayne@68 1008 This module processes \fBauth_to_local\fP values in the default
jpayne@68 1009 realm\(aqs section, and applies the default method if no
jpayne@68 1010 \fBauth_to_local\fP values exist.
jpayne@68 1011 .TP
jpayne@68 1012 \fBk5login\fP
jpayne@68 1013 This module authorizes a principal to a local account according to
jpayne@68 1014 the account\(aqs \&.k5login(5) file.
jpayne@68 1015 .TP
jpayne@68 1016 \fBan2ln\fP
jpayne@68 1017 This module authorizes a principal to a local account if the
jpayne@68 1018 principal name maps to the local account name.
jpayne@68 1019 .UNINDENT
jpayne@68 1020 .SS certauth interface
jpayne@68 1021 .sp
jpayne@68 1022 The certauth section (introduced in release 1.16) controls modules for
jpayne@68 1023 the certificate authorization interface, which determines whether a
jpayne@68 1024 certificate is allowed to preauthenticate a user via PKINIT. The
jpayne@68 1025 following built\-in modules exist for this interface:
jpayne@68 1026 .INDENT 0.0
jpayne@68 1027 .TP
jpayne@68 1028 \fBpkinit_san\fP
jpayne@68 1029 This module authorizes the certificate if it contains a PKINIT
jpayne@68 1030 Subject Alternative Name for the requested client principal, or a
jpayne@68 1031 Microsoft UPN SAN matching the principal if \fBpkinit_allow_upn\fP
jpayne@68 1032 is set to true for the realm.
jpayne@68 1033 .TP
jpayne@68 1034 \fBpkinit_eku\fP
jpayne@68 1035 This module rejects the certificate if it does not contain an
jpayne@68 1036 Extended Key Usage attribute consistent with the
jpayne@68 1037 \fBpkinit_eku_checking\fP value for the realm.
jpayne@68 1038 .TP
jpayne@68 1039 \fBdbmatch\fP
jpayne@68 1040 This module authorizes or rejects the certificate according to
jpayne@68 1041 whether it matches the \fBpkinit_cert_match\fP string attribute on
jpayne@68 1042 the client principal, if that attribute is present.
jpayne@68 1043 .UNINDENT
jpayne@68 1044 .SH PKINIT OPTIONS
jpayne@68 1045 .sp
jpayne@68 1046 \fBNOTE:\fP
jpayne@68 1047 .INDENT 0.0
jpayne@68 1048 .INDENT 3.5
jpayne@68 1049 The following are PKINIT\-specific options. These values may
jpayne@68 1050 be specified in [libdefaults] as global defaults, or within
jpayne@68 1051 a realm\-specific subsection of [libdefaults], or may be
jpayne@68 1052 specified as realm\-specific values in the [realms] section.
jpayne@68 1053 A realm\-specific value overrides, not adds to, a generic
jpayne@68 1054 [libdefaults] specification. The search order is:
jpayne@68 1055 .UNINDENT
jpayne@68 1056 .UNINDENT
jpayne@68 1057 .INDENT 0.0
jpayne@68 1058 .IP 1. 3
jpayne@68 1059 realm\-specific subsection of [libdefaults]:
jpayne@68 1060 .INDENT 3.0
jpayne@68 1061 .INDENT 3.5
jpayne@68 1062 .sp
jpayne@68 1063 .nf
jpayne@68 1064 .ft C
jpayne@68 1065 [libdefaults]
jpayne@68 1066 EXAMPLE.COM = {
jpayne@68 1067 pkinit_anchors = FILE:/usr/local/example.com.crt
jpayne@68 1068 }
jpayne@68 1069 .ft P
jpayne@68 1070 .fi
jpayne@68 1071 .UNINDENT
jpayne@68 1072 .UNINDENT
jpayne@68 1073 .IP 2. 3
jpayne@68 1074 realm\-specific value in the [realms] section:
jpayne@68 1075 .INDENT 3.0
jpayne@68 1076 .INDENT 3.5
jpayne@68 1077 .sp
jpayne@68 1078 .nf
jpayne@68 1079 .ft C
jpayne@68 1080 [realms]
jpayne@68 1081 OTHERREALM.ORG = {
jpayne@68 1082 pkinit_anchors = FILE:/usr/local/otherrealm.org.crt
jpayne@68 1083 }
jpayne@68 1084 .ft P
jpayne@68 1085 .fi
jpayne@68 1086 .UNINDENT
jpayne@68 1087 .UNINDENT
jpayne@68 1088 .IP 3. 3
jpayne@68 1089 generic value in the [libdefaults] section:
jpayne@68 1090 .INDENT 3.0
jpayne@68 1091 .INDENT 3.5
jpayne@68 1092 .sp
jpayne@68 1093 .nf
jpayne@68 1094 .ft C
jpayne@68 1095 [libdefaults]
jpayne@68 1096 pkinit_anchors = DIR:/usr/local/generic_trusted_cas/
jpayne@68 1097 .ft P
jpayne@68 1098 .fi
jpayne@68 1099 .UNINDENT
jpayne@68 1100 .UNINDENT
jpayne@68 1101 .UNINDENT
jpayne@68 1102 .SS Specifying PKINIT identity information
jpayne@68 1103 .sp
jpayne@68 1104 The syntax for specifying Public Key identity, trust, and revocation
jpayne@68 1105 information for PKINIT is as follows:
jpayne@68 1106 .INDENT 0.0
jpayne@68 1107 .TP
jpayne@68 1108 \fBFILE:\fP\fIfilename\fP[\fB,\fP\fIkeyfilename\fP]
jpayne@68 1109 This option has context\-specific behavior.
jpayne@68 1110 .sp
jpayne@68 1111 In \fBpkinit_identity\fP or \fBpkinit_identities\fP, \fIfilename\fP
jpayne@68 1112 specifies the name of a PEM\-format file containing the user\(aqs
jpayne@68 1113 certificate. If \fIkeyfilename\fP is not specified, the user\(aqs
jpayne@68 1114 private key is expected to be in \fIfilename\fP as well. Otherwise,
jpayne@68 1115 \fIkeyfilename\fP is the name of the file containing the private key.
jpayne@68 1116 .sp
jpayne@68 1117 In \fBpkinit_anchors\fP or \fBpkinit_pool\fP, \fIfilename\fP is assumed to
jpayne@68 1118 be the name of an OpenSSL\-style ca\-bundle file.
jpayne@68 1119 .TP
jpayne@68 1120 \fBDIR:\fP\fIdirname\fP
jpayne@68 1121 This option has context\-specific behavior.
jpayne@68 1122 .sp
jpayne@68 1123 In \fBpkinit_identity\fP or \fBpkinit_identities\fP, \fIdirname\fP
jpayne@68 1124 specifies a directory with files named \fB*.crt\fP and \fB*.key\fP
jpayne@68 1125 where the first part of the file name is the same for matching
jpayne@68 1126 pairs of certificate and private key files. When a file with a
jpayne@68 1127 name ending with \fB\&.crt\fP is found, a matching file ending with
jpayne@68 1128 \fB\&.key\fP is assumed to contain the private key. If no such file
jpayne@68 1129 is found, then the certificate in the \fB\&.crt\fP is not used.
jpayne@68 1130 .sp
jpayne@68 1131 In \fBpkinit_anchors\fP or \fBpkinit_pool\fP, \fIdirname\fP is assumed to
jpayne@68 1132 be an OpenSSL\-style hashed CA directory where each CA cert is
jpayne@68 1133 stored in a file named \fBhash\-of\-ca\-cert.#\fP\&. This infrastructure
jpayne@68 1134 is encouraged, but all files in the directory will be examined and
jpayne@68 1135 if they contain certificates (in PEM format), they will be used.
jpayne@68 1136 .sp
jpayne@68 1137 In \fBpkinit_revoke\fP, \fIdirname\fP is assumed to be an OpenSSL\-style
jpayne@68 1138 hashed CA directory where each revocation list is stored in a file
jpayne@68 1139 named \fBhash\-of\-ca\-cert.r#\fP\&. This infrastructure is encouraged,
jpayne@68 1140 but all files in the directory will be examined and if they
jpayne@68 1141 contain a revocation list (in PEM format), they will be used.
jpayne@68 1142 .TP
jpayne@68 1143 \fBPKCS12:\fP\fIfilename\fP
jpayne@68 1144 \fIfilename\fP is the name of a PKCS #12 format file, containing the
jpayne@68 1145 user\(aqs certificate and private key.
jpayne@68 1146 .TP
jpayne@68 1147 \fBPKCS11:\fP[\fBmodule_name=\fP]\fImodname\fP[\fB:slotid=\fP\fIslot\-id\fP][\fB:token=\fP\fItoken\-label\fP][\fB:certid=\fP\fIcert\-id\fP][\fB:certlabel=\fP\fIcert\-label\fP]
jpayne@68 1148 All keyword/values are optional. \fImodname\fP specifies the location
jpayne@68 1149 of a library implementing PKCS #11. If a value is encountered
jpayne@68 1150 with no keyword, it is assumed to be the \fImodname\fP\&. If no
jpayne@68 1151 module\-name is specified, the default is \fBopensc\-pkcs11.so\fP\&.
jpayne@68 1152 \fBslotid=\fP and/or \fBtoken=\fP may be specified to force the use of
jpayne@68 1153 a particular smart card reader or token if there is more than one
jpayne@68 1154 available. \fBcertid=\fP and/or \fBcertlabel=\fP may be specified to
jpayne@68 1155 force the selection of a particular certificate on the device.
jpayne@68 1156 See the \fBpkinit_cert_match\fP configuration option for more ways
jpayne@68 1157 to select a particular certificate to use for PKINIT.
jpayne@68 1158 .TP
jpayne@68 1159 \fBENV:\fP\fIenvvar\fP
jpayne@68 1160 \fIenvvar\fP specifies the name of an environment variable which has
jpayne@68 1161 been set to a value conforming to one of the previous values. For
jpayne@68 1162 example, \fBENV:X509_PROXY\fP, where environment variable
jpayne@68 1163 \fBX509_PROXY\fP has been set to \fBFILE:/tmp/my_proxy.pem\fP\&.
jpayne@68 1164 .UNINDENT
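.sp
The \fBFILE:\fP, \fBDIR:\fP, \fBENV:\fP and \fBPKCS11:\fP syntaxes above (and the same \fBFILE:\fP/\fBDIR:\fP/\fBENV:\fP forms documented for \fBhttp_anchors\fP earlier on this page), as an added worked example that is not part of the MIT Kerberos page or code base. The Python below resolves an anchor specifier to the files that would actually be loaded and parses a \fBPKCS11:\fP specifier into its keyword fields; the hop limit on \fBENV:\fP indirection and the PEM-header test for \fBDIR:\fP contents are assumptions of this model, and the fixture files it builds are constructed placeholders, not certificates.

```python
import os
import tempfile
from typing import Dict, List, Mapping

PEM_CERT_MARKER = "-----BEGIN CERTIFICATE-----"
PKCS11_KEYWORDS = ("module_name", "slotid", "token", "certid", "certlabel")
MAX_ENV_INDIRECTION = 4  # assumption: ENV: hops to follow before giving up


def parse_pkcs11(spec: str) -> Dict[str, str]:
    """Parse a PKCS11: identity specifier into its keyword fields.

    A value without a keyword is the modname; when none is given the default
    is opensc-pkcs11.so, as the page states.
    """
    if not spec.startswith("PKCS11:"):
        raise ValueError("not a PKCS11: specifier")
    fields = {"module_name": "opensc-pkcs11.so"}
    for part in spec[len("PKCS11:"):].split(":"):
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            fields["module_name"] = part
        elif key in PKCS11_KEYWORDS:
            fields[key] = value
        else:
            raise ValueError(f"unknown PKCS11 keyword: {key!r}")
    return fields


def resolve_anchor_spec(spec: str, env: Mapping[str, str], depth: int = 0) -> List[str]:
    """Expand a FILE:/DIR:/ENV: specifier to the list of files that will be loaded.

    FILE: must name an existing file; DIR: yields every regular file in the
    directory that holds a PEM certificate, since the page says all files are
    examined and only those containing certificates are used; ENV: reads the
    named variable and resolves its value recursively, with a hop limit so an
    ENV:A -> ENV:B -> ENV:A cycle cannot loop forever.
    """
    if depth > MAX_ENV_INDIRECTION:
        raise ValueError("too many levels of ENV: indirection")
    kind, sep, value = spec.partition(":")
    if not sep or not value:
        raise ValueError(f"malformed specifier: {spec!r}")
    if kind == "FILE":
        if not os.path.isfile(value):
            raise FileNotFoundError(value)
        return [value]
    if kind == "DIR":
        found = []
        for name in sorted(os.listdir(value)):
            path = os.path.join(value, name)
            if not os.path.isfile(path):
                continue
            with open(path, "r", errors="replace") as fh:
                if PEM_CERT_MARKER in fh.read():
                    found.append(path)
        return found
    if kind == "ENV":
        target = env.get(value)
        if target is None:
            raise ValueError(f"environment variable {value} is not set")
        return resolve_anchor_spec(target, env, depth + 1)
    raise ValueError(f"unsupported specifier type: {kind!r}")


def demo() -> Dict[str, object]:
    """Constructed fixture: a DIR: holding one PEM-looking file and one stray
    file, reached through ENV:X509_PROXY_CA as in the page's example, plus a
    pair of environment variables that point at each other."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "proxy-ca.pem"), "w") as fh:
            fh.write(PEM_CERT_MARKER + "\n(constructed placeholder body)\n-----END CERTIFICATE-----\n")
        with open(os.path.join(d, "README"), "w") as fh:
            fh.write("not a certificate\n")
        env = {"X509_PROXY_CA": "DIR:" + d, "LOOP_A": "ENV:LOOP_B", "LOOP_B": "ENV:LOOP_A"}
        resolved = [os.path.basename(p) for p in resolve_anchor_spec("ENV:X509_PROXY_CA", env)]
        try:
            resolve_anchor_spec("ENV:LOOP_A", env)
            loop_detected = False
        except ValueError:
            loop_detected = True
    return {"resolved": resolved, "loop_detected": loop_detected}
```

Because \fBENV:\fP lets the process environment decide where trust anchors or identities come from, a deployment that relies on it should make sure the variable cannot be set by anyone other than the administrator of the process that reads it.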
jpayne@68 1165 .SS PKINIT krb5.conf options
jpayne@68 1166 .INDENT 0.0
jpayne@68 1167 .TP
jpayne@68 1168 \fBpkinit_anchors\fP
jpayne@68 1169 Specifies the location of trusted anchor (root) certificates which
jpayne@68 1170 the client trusts to sign KDC certificates. This option may be
jpayne@68 1171 specified multiple times. These values from the config file are
jpayne@68 1172 not used if the user specifies X509_anchors on the command line.
jpayne@68 1173 .TP
jpayne@68 1174 \fBpkinit_cert_match\fP
jpayne@68 1175 Specifies matching rules that the client certificate must match
jpayne@68 1176 before it is used to attempt PKINIT authentication. If a user has
jpayne@68 1177 multiple certificates available (on a smart card, or via other
jpayne@68 1178 media), there must be exactly one certificate chosen before
jpayne@68 1179 attempting PKINIT authentication. This option may be specified
jpayne@68 1180 multiple times. All the available certificates are checked
jpayne@68 1181 against each rule in order until there is a match of exactly one
jpayne@68 1182 certificate.
jpayne@68 1183 .sp
jpayne@68 1184 The Subject and Issuer comparison strings are the \fI\%RFC 2253\fP
jpayne@68 1185 string representations from the certificate Subject DN and Issuer
jpayne@68 1186 DN values.
jpayne@68 1187 .sp
jpayne@68 1188 The syntax of the matching rules is:
jpayne@68 1189 .INDENT 7.0
jpayne@68 1190 .INDENT 3.5
jpayne@68 1191 [\fIrelation\-operator\fP]\fIcomponent\-rule\fP ...
jpayne@68 1192 .UNINDENT
jpayne@68 1193 .UNINDENT
jpayne@68 1194 .sp
jpayne@68 1195 where:
jpayne@68 1196 .INDENT 7.0
jpayne@68 1197 .TP
jpayne@68 1198 .B \fIrelation\-operator\fP
jpayne@68 1199 can be either \fB&&\fP, meaning all component rules must match,
jpayne@68 1200 or \fB||\fP, meaning only one component rule must match. The
jpayne@68 1201 default is \fB&&\fP\&.
jpayne@68 1202 .TP
jpayne@68 1203 .B \fIcomponent\-rule\fP
jpayne@68 1204 can be one of the following. Note that there is no
jpayne@68 1205 punctuation or whitespace between component rules.
jpayne@68 1206 .INDENT 7.0
jpayne@68 1207 .INDENT 3.5
jpayne@68 1208 .nf
jpayne@68 1209 \fB<SUBJECT>\fP\fIregular\-expression\fP
jpayne@68 1210 \fB<ISSUER>\fP\fIregular\-expression\fP
jpayne@68 1211 \fB<SAN>\fP\fIregular\-expression\fP
jpayne@68 1212 \fB<EKU>\fP\fIextended\-key\-usage\-list\fP
jpayne@68 1213 \fB<KU>\fP\fIkey\-usage\-list\fP
jpayne@68 1214 .fi
jpayne@68 1215 .sp
jpayne@68 1216 .UNINDENT
jpayne@68 1217 .UNINDENT
jpayne@68 1218 .sp
jpayne@68 1219 \fIextended\-key\-usage\-list\fP is a comma\-separated list of
jpayne@68 1220 required Extended Key Usage values. All values in the list
jpayne@68 1221 must be present in the certificate. Extended Key Usage values
jpayne@68 1222 can be:
jpayne@68 1223 .INDENT 7.0
jpayne@68 1224 .IP \(bu 2
jpayne@68 1225 pkinit
jpayne@68 1226 .IP \(bu 2
jpayne@68 1227 msScLogin
jpayne@68 1228 .IP \(bu 2
jpayne@68 1229 clientAuth
jpayne@68 1230 .IP \(bu 2
jpayne@68 1231 emailProtection
jpayne@68 1232 .UNINDENT
jpayne@68 1233 .sp
jpayne@68 1234 \fIkey\-usage\-list\fP is a comma\-separated list of required Key
jpayne@68 1235 Usage values. All values in the list must be present in the
jpayne@68 1236 certificate. Key Usage values can be:
jpayne@68 1237 .INDENT 7.0
jpayne@68 1238 .IP \(bu 2
jpayne@68 1239 digitalSignature
jpayne@68 1240 .IP \(bu 2
jpayne@68 1241 keyEncipherment
jpayne@68 1242 .UNINDENT
jpayne@68 1243 .UNINDENT
jpayne@68 1244 .sp
jpayne@68 1245 Examples:
jpayne@68 1246 .INDENT 7.0
jpayne@68 1247 .INDENT 3.5
jpayne@68 1248 .sp
jpayne@68 1249 .nf
jpayne@68 1250 .ft C
jpayne@68 1251 pkinit_cert_match = ||<SUBJECT>.*DoE.*<SAN>.*@EXAMPLE.COM
jpayne@68 1252 pkinit_cert_match = &&<EKU>msScLogin,clientAuth<ISSUER>.*DoE.*
jpayne@68 1253 pkinit_cert_match = <EKU>msScLogin,clientAuth<KU>digitalSignature
jpayne@68 1254 .ft P
jpayne@68 1255 .fi
jpayne@68 1256 .UNINDENT
jpayne@68 1257 .UNINDENT
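.sp
The rule syntax and the "exactly one certificate" selection described above, as an added worked example that is not part of the MIT Kerberos page or code base: a Python parser and evaluator for \fBpkinit_cert_match\fP rules, run against three constructed certificate descriptions (not real certificates) with the three rules shown on this page. Regular expressions are evaluated unanchored with Python's re module; whether that matches libkrb5's regex flags exactly is an assumption.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Sequence, Tuple

# A component rule runs from one <KIND> marker to the next; there is no
# separator between component rules.
_COMPONENT_RE = re.compile(
    r"<(SUBJECT|ISSUER|SAN|EKU|KU)>(.*?)(?=<(?:SUBJECT|ISSUER|SAN|EKU|KU)>|$)", re.S)


@dataclass(frozen=True)
class CertInfo:
    """Certificate fields a pkinit_cert_match rule can see. Subject and issuer
    are RFC 2253 strings, as the page specifies."""
    label: str
    subject: str
    issuer: str
    sans: Tuple[str, ...]
    eku: FrozenSet[str]
    ku: FrozenSet[str]


def parse_rule(rule: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split '[&&|||]<KIND>value<KIND>value...' into (operator, [(kind, value), ...])."""
    op, body = "&&", rule  # && is the default relation operator
    if body.startswith(("&&", "||")):
        op, body = body[:2], body[2:]
    components = _COMPONENT_RE.findall(body)
    if not components or "".join(f"<{k}>{v}" for k, v in components) != body:
        raise ValueError(f"malformed pkinit_cert_match rule: {rule!r}")
    return op, components


def component_matches(cert: CertInfo, kind: str, value: str) -> bool:
    if kind == "SUBJECT":
        return re.search(value, cert.subject) is not None
    if kind == "ISSUER":
        return re.search(value, cert.issuer) is not None
    if kind == "SAN":
        return any(re.search(value, san) for san in cert.sans)
    required = {v for v in value.split(",") if v}
    if kind == "EKU":
        return required <= cert.eku  # every listed value must be present
    if kind == "KU":
        return required <= cert.ku
    raise ValueError(kind)


def rule_matches(cert: CertInfo, rule: str) -> bool:
    op, components = parse_rule(rule)
    results = [component_matches(cert, k, v) for k, v in components]
    return all(results) if op == "&&" else any(results)


def select_certificate(certs: Sequence[CertInfo], rules: Sequence[str]) -> Optional[CertInfo]:
    """Apply rules in order; the first rule matching exactly one certificate
    wins, as the page describes. None means no rule singled one out."""
    for rule in rules:
        matched = [c for c in certs if rule_matches(c, rule)]
        if len(matched) == 1:
            return matched[0]
    return None


# Constructed sample certificate descriptions (not real certificates).
LOGIN_CERT = CertInfo("login", "CN=Jane Doe,OU=Lab,O=DoE,C=US",
                      "CN=DoE Issuing CA,O=DoE,C=US", ("jane@EXAMPLE.COM",),
                      frozenset({"msScLogin", "clientAuth"}),
                      frozenset({"digitalSignature", "keyEncipherment"}))
MAIL_CERT = CertInfo("mail", "CN=Jane Doe,O=Example Mail,C=US",
                     "CN=Mail CA,O=Example Mail", ("jane@example.com",),
                     frozenset({"emailProtection"}), frozenset({"keyEncipherment"}))
SERVER_CERT = CertInfo("server", "CN=lab.example.com,O=DoE,C=US",
                       "CN=DoE Issuing CA,O=DoE,C=US", ("lab.example.com",),
                       frozenset({"serverAuth"}), frozenset({"digitalSignature"}))
SAMPLE_CERTS = (LOGIN_CERT, MAIL_CERT, SERVER_CERT)

# The three rules shown on this page, in the order they appear.
RULES = [
    "||<SUBJECT>.*DoE.*<SAN>.*@EXAMPLE.COM",
    "&&<EKU>msScLogin,clientAuth<ISSUER>.*DoE.*",
    "<EKU>msScLogin,clientAuth<KU>digitalSignature",
]
```

With these samples the first rule matches two certificates (the login and the server certificate both carry \fBO=DoE\fP), so it does not select anything on its own; the second rule narrows the set to the login certificate, which is what the page means by checking each rule in order until exactly one certificate matches.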
jpayne@68 1258 .TP
jpayne@68 1259 \fBpkinit_eku_checking\fP
jpayne@68 1260 This option specifies what Extended Key Usage value the KDC
jpayne@68 1261 certificate presented to the client must contain. (Note that if
jpayne@68 1262 the KDC certificate has the pkinit SubjectAlternativeName encoded
jpayne@68 1263 as the Kerberos TGS name, EKU checking is not necessary since the
jpayne@68 1264 issuing CA has certified this as a KDC certificate.) The values
jpayne@68 1265 recognized in the krb5.conf file are:
jpayne@68 1266 .INDENT 7.0
jpayne@68 1267 .TP
jpayne@68 1268 \fBkpKDC\fP
jpayne@68 1269 This is the default value and specifies that the KDC must have
jpayne@68 1270 the id\-pkinit\-KPKdc EKU as defined in \fI\%RFC 4556\fP\&.
jpayne@68 1271 .TP
jpayne@68 1272 \fBkpServerAuth\fP
jpayne@68 1273 If \fBkpServerAuth\fP is specified, a KDC certificate with the
jpayne@68 1274 id\-kp\-serverAuth EKU will be accepted. This key usage value
jpayne@68 1275 is used in most commercially issued server certificates.
jpayne@68 1276 .TP
jpayne@68 1277 \fBnone\fP
jpayne@68 1278 If \fBnone\fP is specified, then the KDC certificate will not be
jpayne@68 1279 checked to verify it has an acceptable EKU. The use of this
jpayne@68 1280 option is not recommended.
jpayne@68 1281 .UNINDENT
jpayne@68 1282 .TP
jpayne@68 1283 \fBpkinit_dh_min_bits\fP
jpayne@68 1284 Specifies the size of the Diffie\-Hellman key the client will
jpayne@68 1285 attempt to use. The acceptable values are 1024, 2048, and 4096.
jpayne@68 1286 The default is 2048.
jpayne@68 1287 .TP
jpayne@68 1288 \fBpkinit_identities\fP
jpayne@68 1289 Specifies the location(s) to be used to find the user\(aqs X.509
jpayne@68 1290 identity information. If this option is specified multiple times,
jpayne@68 1291 each value is attempted in order until certificates are found.
jpayne@68 1292 Note that these values are not used if the user specifies
jpayne@68 1293 \fBX509_user_identity\fP on the command line.
jpayne@68 1294 .TP
jpayne@68 1295 \fBpkinit_kdc_hostname\fP
jpayne@68 1296 The presence of this option indicates that the client is willing
jpayne@68 1297 to accept a KDC certificate with a dNSName SAN (Subject
jpayne@68 1298 Alternative Name) rather than requiring the id\-pkinit\-san as
jpayne@68 1299 defined in \fI\%RFC 4556\fP\&. This option may be specified multiple
jpayne@68 1300 times. Its value should contain the acceptable hostname for the
jpayne@68 1301 KDC (as contained in its certificate).
jpayne@68 1302 .TP
jpayne@68 1303 \fBpkinit_pool\fP
jpayne@68 1304 Specifies the location of intermediate certificates which may be
jpayne@68 1305 used by the client to complete the trust chain between a KDC
jpayne@68 1306 certificate and a trusted anchor. This option may be specified
jpayne@68 1307 multiple times.
jpayne@68 1308 .TP
jpayne@68 1309 \fBpkinit_require_crl_checking\fP
jpayne@68 1310 The default certificate verification process will always check the
jpayne@68 1311 available revocation information to see if a certificate has been
jpayne@68 1312 revoked. If a match is found for the certificate in a CRL,
jpayne@68 1313 verification fails. If the certificate being verified is not
jpayne@68 1314 listed in a CRL, or there is no CRL present for its issuing CA,
jpayne@68 1315 and \fBpkinit_require_crl_checking\fP is false, then verification
jpayne@68 1316 succeeds.
jpayne@68 1317 .sp
jpayne@68 1318 However, if \fBpkinit_require_crl_checking\fP is true and there is
jpayne@68 1319 no CRL information available for the issuing CA, then verification
jpayne@68 1320 fails.
jpayne@68 1321 .sp
jpayne@68 1322 \fBpkinit_require_crl_checking\fP should be set to true if the
jpayne@68 1323 policy is such that up\-to\-date CRLs must be present for every CA.
jpayne@68 1324 .TP
jpayne@68 1325 \fBpkinit_revoke\fP
jpayne@68 1326 Specifies the location of Certificate Revocation List (CRL)
jpayne@68 1327 information to be used by the client when verifying the validity
jpayne@68 1328 of the KDC certificate presented. This option may be specified
jpayne@68 1329 multiple times.
jpayne@68 1330 .UNINDENT
jpayne@68 1331 .SH PARAMETER EXPANSION
jpayne@68 1332 .sp
jpayne@68 1333 Starting with release 1.11, several variables, such as
jpayne@68 1334 \fBdefault_keytab_name\fP, allow parameters to be expanded.
jpayne@68 1335 Valid parameters are:
jpayne@68 1336 .INDENT 0.0
jpayne@68 1337 .INDENT 3.5
jpayne@68 1338 .TS
jpayne@68 1339 center;
jpayne@68 1340 |l|l|.
jpayne@68 1341 _
jpayne@68 1342 T{
jpayne@68 1343 %{TEMP}
jpayne@68 1344 T} T{
jpayne@68 1345 Temporary directory
jpayne@68 1346 T}
jpayne@68 1347 _
jpayne@68 1348 T{
jpayne@68 1349 %{uid}
jpayne@68 1350 T} T{
jpayne@68 1351 Unix real UID or Windows SID
jpayne@68 1352 T}
jpayne@68 1353 _
jpayne@68 1354 T{
jpayne@68 1355 %{euid}
jpayne@68 1356 T} T{
jpayne@68 1357 Unix effective user ID or Windows SID
jpayne@68 1358 T}
jpayne@68 1359 _
jpayne@68 1360 T{
jpayne@68 1361 %{USERID}
jpayne@68 1362 T} T{
jpayne@68 1363 Same as %{uid}
jpayne@68 1364 T}
jpayne@68 1365 _
jpayne@68 1366 T{
jpayne@68 1367 %{null}
jpayne@68 1368 T} T{
jpayne@68 1369 Empty string
jpayne@68 1370 T}
jpayne@68 1371 _
jpayne@68 1372 T{
jpayne@68 1373 %{LIBDIR}
jpayne@68 1374 T} T{
jpayne@68 1375 Installation library directory
jpayne@68 1376 T}
jpayne@68 1377 _
jpayne@68 1378 T{
jpayne@68 1379 %{BINDIR}
jpayne@68 1380 T} T{
jpayne@68 1381 Installation binary directory
jpayne@68 1382 T}
jpayne@68 1383 _
jpayne@68 1384 T{
jpayne@68 1385 %{SBINDIR}
jpayne@68 1386 T} T{
jpayne@68 1387 Installation admin binary directory
jpayne@68 1388 T}
jpayne@68 1389 _
jpayne@68 1390 T{
jpayne@68 1391 %{username}
jpayne@68 1392 T} T{
jpayne@68 1393 (Unix) Username of effective user ID
jpayne@68 1394 T}
jpayne@68 1395 _
jpayne@68 1396 T{
jpayne@68 1397 %{APPDATA}
jpayne@68 1398 T} T{
jpayne@68 1399 (Windows) Roaming application data for current user
jpayne@68 1400 T}
jpayne@68 1401 _
jpayne@68 1402 T{
jpayne@68 1403 %{COMMON_APPDATA}
jpayne@68 1404 T} T{
jpayne@68 1405 (Windows) Application data for all users
jpayne@68 1406 T}
jpayne@68 1407 _
jpayne@68 1408 T{
jpayne@68 1409 %{LOCAL_APPDATA}
jpayne@68 1410 T} T{
jpayne@68 1411 (Windows) Local application data for current user
jpayne@68 1412 T}
jpayne@68 1413 _
jpayne@68 1414 T{
jpayne@68 1415 %{SYSTEM}
jpayne@68 1416 T} T{
jpayne@68 1417 (Windows) Windows system folder
jpayne@68 1418 T}
jpayne@68 1419 _
jpayne@68 1420 T{
jpayne@68 1421 %{WINDOWS}
jpayne@68 1422 T} T{
jpayne@68 1423 (Windows) Windows folder
jpayne@68 1424 T}
jpayne@68 1425 _
jpayne@68 1426 T{
jpayne@68 1427 %{USERCONFIG}
jpayne@68 1428 T} T{
jpayne@68 1429 (Windows) Per\-user MIT krb5 config file directory
jpayne@68 1430 T}
jpayne@68 1431 _
jpayne@68 1432 T{
jpayne@68 1433 %{COMMONCONFIG}
jpayne@68 1434 T} T{
jpayne@68 1435 (Windows) Common MIT krb5 config file directory
jpayne@68 1436 T}
jpayne@68 1437 _
jpayne@68 1438 .TE
jpayne@68 1439 .UNINDENT
jpayne@68 1440 .UNINDENT
jpayne@68 1441 .SH SAMPLE KRB5.CONF FILE
jpayne@68 1442 .sp
jpayne@68 1443 Here is an example of a generic krb5.conf file:
jpayne@68 1444 .INDENT 0.0
jpayne@68 1445 .INDENT 3.5
jpayne@68 1446 .sp
jpayne@68 1447 .nf
jpayne@68 1448 .ft C
jpayne@68 1449 [libdefaults]
jpayne@68 1450 default_realm = ATHENA.MIT.EDU
jpayne@68 1451 dns_lookup_kdc = true
jpayne@68 1452 dns_lookup_realm = false
jpayne@68 1453
jpayne@68 1454 [realms]
jpayne@68 1455 ATHENA.MIT.EDU = {
jpayne@68 1456 kdc = kerberos.mit.edu
jpayne@68 1457 kdc = kerberos\-1.mit.edu
jpayne@68 1458 kdc = kerberos\-2.mit.edu
jpayne@68 1459 admin_server = kerberos.mit.edu
jpayne@68 1460 primary_kdc = kerberos.mit.edu
jpayne@68 1461 }
jpayne@68 1462 EXAMPLE.COM = {
jpayne@68 1463 kdc = kerberos.example.com
jpayne@68 1464 kdc = kerberos\-1.example.com
jpayne@68 1465 admin_server = kerberos.example.com
jpayne@68 1466 }
jpayne@68 1467
jpayne@68 1468 [domain_realm]
jpayne@68 1469 mit.edu = ATHENA.MIT.EDU
jpayne@68 1470
jpayne@68 1471 [capaths]
jpayne@68 1472 ATHENA.MIT.EDU = {
jpayne@68 1473 EXAMPLE.COM = .
jpayne@68 1474 }
jpayne@68 1475 EXAMPLE.COM = {
jpayne@68 1476 ATHENA.MIT.EDU = .
jpayne@68 1477 }
jpayne@68 1478 .ft P
jpayne@68 1479 .fi
jpayne@68 1480 .UNINDENT
jpayne@68 1481 .UNINDENT
jpayne@68 1482 .SH FILES
jpayne@68 1483 .sp
jpayne@68 1484 \fB/etc/krb5.conf\fP
jpayne@68 1485 .SH SEE ALSO
jpayne@68 1486 .sp
jpayne@68 1487 syslog(3)
jpayne@68 1488 .SH AUTHOR
jpayne@68 1489 MIT
jpayne@68 1490 .SH COPYRIGHT
jpayne@68 1491 1985-2022, MIT
jpayne@68 1492 .\" Generated by docutils manpage writer.
jpayne@68 1493 .