.\" Man page generated from reStructuredText.
.
.TH "KDC.CONF" "5" " " "1.20.1" "MIT Kerberos"
.SH NAME
kdc.conf \- Kerberos V5 KDC configuration file
.
.nr rst2man-indent-level 0
.
.de1 rstReportMargin
\\$1 \\n[an-margin]
level \\n[rst2man-indent-level]
level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
-
\\n[rst2man-indent0]
\\n[rst2man-indent1]
\\n[rst2man-indent2]
..
.de1 INDENT
.\" .rstReportMargin pre:
. RS \\$1
. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
. nr rst2man-indent-level +1
.\" .rstReportMargin post:
..
.de UNINDENT
. RE
.\" indent \\n[an-margin]
.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
.nr rst2man-indent-level -1
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
.sp
The kdc.conf file supplements krb5.conf(5) for programs which
are typically only used on a KDC, such as the krb5kdc(8) and
kadmind(8) daemons and the kdb5_util(8) program.
Relations documented here may also be specified in krb5.conf; for the
KDC programs mentioned, krb5.conf and kdc.conf will be merged into a
single configuration profile.
.sp
Normally, the kdc.conf file is found in the KDC state directory,
\fB/mnt/c/Users/crash/Documents/BobLiterman/CSP2_Galaxy/CSP2/CSP2_env/env-d9b9114564458d9d-741b3de822f2aaca6c6caa4325c4afce/var\fP\fB/krb5kdc\fP\&. You can override the default location by setting the
environment variable \fBKRB5_KDC_PROFILE\fP\&.
.sp
Please note that you need to restart the KDC daemon for any configuration
changes to take effect.
.SH STRUCTURE
.sp
The kdc.conf file is set up in the same format as the
krb5.conf(5) file.
.SH SECTIONS
.sp
The kdc.conf file may contain the following sections:
.TS
center;
|l|l|.
_
T{
\fI\%[kdcdefaults]\fP
T}	T{
Default values for KDC behavior
T}
_
T{
\fI\%[realms]\fP
T}	T{
Realm\-specific database configuration and settings
T}
_
T{
\fI\%[dbdefaults]\fP
T}	T{
Default database settings
T}
_
T{
\fI\%[dbmodules]\fP
T}	T{
Per\-database settings
T}
_
T{
\fI\%[logging]\fP
T}	T{
Controls how Kerberos daemons perform logging
T}
_
.TE
.SS [kdcdefaults]
.sp
Some relations in the [kdcdefaults] section specify default values for
realm variables, to be used if the [realms] subsection does not
contain a relation for the tag. See the \fI\%[realms]\fP section for
the definitions of these relations.
.INDENT 0.0
.IP \(bu 2
\fBhost_based_services\fP
.IP \(bu 2
\fBkdc_listen\fP
.IP \(bu 2
\fBkdc_ports\fP
.IP \(bu 2
\fBkdc_tcp_listen\fP
.IP \(bu 2
\fBkdc_tcp_ports\fP
.IP \(bu 2
\fBno_host_referral\fP
.IP \(bu 2
\fBrestrict_anonymous_to_tgt\fP
.UNINDENT
.sp
The following [kdcdefaults] variables have no per\-realm equivalent:
.INDENT 0.0
.TP
\fBkdc_max_dgram_reply_size\fP
Specifies the maximum packet size that can be sent over UDP. The
default value is 4096 bytes.
.TP
\fBkdc_tcp_listen_backlog\fP
(Integer.) Set the size of the listen queue length for the KDC
daemon. The value may be limited by OS settings. The default
value is 5.
.TP
\fBspake_preauth_kdc_challenge\fP
(String.) Specifies the group for a SPAKE optimistic challenge.
See the \fBspake_preauth_groups\fP variable in libdefaults
for possible values. The default is not to issue an optimistic
challenge. (New in release 1.17.)
.UNINDENT
.SS [realms]
.sp
Each tag in the [realms] section is the name of a Kerberos realm. The
value of the tag is a subsection where the relations define KDC
parameters for that particular realm.
The following example shows how
to define one parameter for the ATHENA.MIT.EDU realm:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
[realms]
    ATHENA.MIT.EDU = {
        max_renewable_life = 7d 0h 0m 0s
    }
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
The following tags may be specified in a [realms] subsection:
.INDENT 0.0
.TP
\fBacl_file\fP
(String.) Location of the access control list file that
kadmind(8) uses to determine which principals are allowed
which permissions on the Kerberos database. To operate without an
ACL file, set this relation to the empty string with \fBacl_file =
""\fP\&. The default value is \fB/mnt/c/Users/crash/Documents/BobLiterman/CSP2_Galaxy/CSP2/CSP2_env/env-d9b9114564458d9d-741b3de822f2aaca6c6caa4325c4afce/var\fP\fB/krb5kdc\fP\fB/kadm5.acl\fP\&. For more
information on Kerberos ACL file see kadm5.acl(5)\&.
.TP
\fBdatabase_module\fP
(String.) This relation indicates the name of the configuration
section under \fI\%[dbmodules]\fP for database\-specific parameters
used by the loadable database library. The default value is the
realm name. If this configuration section does not exist, default
values will be used for all database parameters.
.TP
\fBdatabase_name\fP
(String, deprecated.) This relation specifies the location of the
Kerberos database for this realm, if the DB2 module is being used
and the \fI\%[dbmodules]\fP configuration section does not specify a
database name. The default value is \fB/mnt/c/Users/crash/Documents/BobLiterman/CSP2_Galaxy/CSP2/CSP2_env/env-d9b9114564458d9d-741b3de822f2aaca6c6caa4325c4afce/var\fP\fB/krb5kdc\fP\fB/principal\fP\&.
.TP
\fBdefault_principal_expiration\fP
(abstime string.) Specifies the default expiration date of
principals created in this realm. The default value is 0, which
means no expiration date.
.TP
\fBdefault_principal_flags\fP
(Flag string.) Specifies the default attributes of principals
created in this realm. The format for this string is a
comma\-separated list of flags, with \(aq+\(aq before each flag that
should be enabled and \(aq\-\(aq before each flag that should be
disabled. The \fBpostdateable\fP, \fBforwardable\fP, \fBtgt\-based\fP,
\fBrenewable\fP, \fBproxiable\fP, \fBdup\-skey\fP, \fBallow\-tickets\fP, and
\fBservice\fP flags default to enabled.
.sp
There are a number of possible flags:
.INDENT 7.0
.TP
\fBallow\-tickets\fP
Enabling this flag means that the KDC will issue tickets for
this principal. Disabling this flag essentially deactivates
the principal within this realm.
.TP
\fBdup\-skey\fP
Enabling this flag allows the KDC to issue user\-to\-user
service tickets for this principal.
.TP
\fBforwardable\fP
Enabling this flag allows the principal to obtain forwardable
tickets.
.TP
\fBhwauth\fP
If this flag is enabled, then the principal is required to
preauthenticate using a hardware device before receiving any
tickets.
.TP
\fBno\-auth\-data\-required\fP
Enabling this flag prevents PAC or AD\-SIGNEDPATH data from
being added to service tickets for the principal.
.TP
\fBok\-as\-delegate\fP
If this flag is enabled, it hints the client that credentials
can and should be delegated when authenticating to the
service.
.TP
\fBok\-to\-auth\-as\-delegate\fP
Enabling this flag allows the principal to use S4USelf tickets.
.TP
\fBpostdateable\fP
Enabling this flag allows the principal to obtain postdateable
tickets.
.TP
\fBpreauth\fP
If this flag is enabled on a client principal, then that
principal is required to preauthenticate to the KDC before
receiving any tickets. On a service principal, enabling this
flag means that service tickets for this principal will only
be issued to clients with a TGT that has the preauthenticated
bit set.
.TP
\fBproxiable\fP
Enabling this flag allows the principal to obtain proxy
tickets.
.TP
\fBpwchange\fP
Enabling this flag forces a password change for this
principal.
.TP
\fBpwservice\fP
If this flag is enabled, it marks this principal as a password
change service. This should only be used in special cases,
for example, if a user\(aqs password has expired, then the user
has to get tickets for that principal without going through
the normal password authentication in order to be able to
change the password.
.TP
\fBrenewable\fP
Enabling this flag allows the principal to obtain renewable
tickets.
.TP
\fBservice\fP
Enabling this flag allows the KDC to issue service tickets
for this principal. In release 1.17 and later, user\-to\-user
service tickets are still allowed if the \fBdup\-skey\fP flag is
set.
.TP
\fBtgt\-based\fP
Enabling this flag allows a principal to obtain tickets based
on a ticket\-granting\-ticket, rather than repeating the
authentication process that was used to obtain the TGT.
.UNINDENT
.TP
\fBdict_file\fP
(String.) Location of the dictionary file containing strings that
are not allowed as passwords. The file should contain one string
per line, with no additional whitespace. If none is specified or
if there is no policy assigned to the principal, no dictionary
checks of passwords will be performed.
.TP
\fBdisable_pac\fP
(Boolean value.) If true, the KDC will not issue PACs for this
realm, and S4U2Self and S4U2Proxy operations will be disabled.
The default is false, which will permit the KDC to issue PACs.
New in release 1.20.
.TP
\fBencrypted_challenge_indicator\fP
(String.) Specifies the authentication indicator value that the KDC
asserts into tickets obtained using FAST encrypted challenge
pre\-authentication. New in 1.16.
.TP
\fBhost_based_services\fP
(Whitespace\- or comma\-separated list.) Lists services which will
get host\-based referral processing even if the server principal is
not marked as host\-based by the client.
.TP
\fBiprop_enable\fP
(Boolean value.) Specifies whether incremental database
propagation is enabled. The default value is false.
.TP
\fBiprop_ulogsize\fP
(Integer.) Specifies the maximum number of log entries to be
retained for incremental propagation. The default value is 1000.
Prior to release 1.11, the maximum value was 2500. New in release
1.19.
.TP
\fBiprop_master_ulogsize\fP
The name for \fBiprop_ulogsize\fP prior to release 1.19. Its value is
used as a fallback if \fBiprop_ulogsize\fP is not specified.
.TP
\fBiprop_replica_poll\fP
(Delta time string.) Specifies how often the replica KDC polls
for new updates from the primary. The default value is \fB2m\fP
(that is, two minutes). New in release 1.17.
.TP
\fBiprop_slave_poll\fP
(Delta time string.) The name for \fBiprop_replica_poll\fP prior to
release 1.17. Its value is used as a fallback if
\fBiprop_replica_poll\fP is not specified.
.TP
\fBiprop_listen\fP
(Whitespace\- or comma\-separated list.) Specifies the iprop RPC
listening addresses and/or ports for the kadmind(8) daemon.
Each entry may be an interface address, a port number, or an
address and port number separated by a colon. If the address
contains colons, enclose it in square brackets. If no address is
specified, the wildcard address is used. If kadmind fails to bind
to any of the specified addresses, it will fail to start. The
default (when \fBiprop_enable\fP is true) is to bind to the wildcard
address at the port specified in \fBiprop_port\fP\&. New in release
1.15.
.TP
\fBiprop_port\fP
(Port number.) Specifies the port number to be used for
incremental propagation. When \fBiprop_enable\fP is true, this
relation is required in the replica KDC configuration file, and
this relation or \fBiprop_listen\fP is required in the primary
configuration file, as there is no default port number. Port
numbers specified in \fBiprop_listen\fP entries will override this
port number for the kadmind(8) daemon.
.TP
\fBiprop_resync_timeout\fP
(Delta time string.) Specifies the amount of time to wait for a
full propagation to complete. This is optional in configuration
files, and is used by replica KDCs only. The default value is 5
minutes (\fB5m\fP). New in release 1.11.
.TP
\fBiprop_logfile\fP
(File name.) Specifies where the update log file for the realm
database is to be stored. The default is to use the
\fBdatabase_name\fP entry from the realms section of the krb5 config
file, with \fB\&.ulog\fP appended. (NOTE: If \fBdatabase_name\fP isn\(aqt
specified in the realms section, perhaps because the LDAP database
back end is being used, or the file name is specified in the
[dbmodules] section, then the hard\-coded default for
\fBdatabase_name\fP is used. Determination of the \fBiprop_logfile\fP
default value will not use values from the [dbmodules] section.)
.TP
\fBkadmind_listen\fP
(Whitespace\- or comma\-separated list.) Specifies the kadmin RPC
listening addresses and/or ports for the kadmind(8) daemon.
Each entry may be an interface address, a port number, or an
address and port number separated by a colon. If the address
contains colons, enclose it in square brackets. If no address is
specified, the wildcard address is used. If kadmind fails to bind
to any of the specified addresses, it will fail to start. The
default is to bind to the wildcard address at the port specified
in \fBkadmind_port\fP, or the standard kadmin port (749). New in
release 1.15.
.TP
\fBkadmind_port\fP
(Port number.) Specifies the port on which the kadmind(8)
daemon is to listen for this realm. Port numbers specified in
\fBkadmind_listen\fP entries will override this port number. The
assigned port for kadmind is 749, which is used by default.
.TP
\fBkey_stash_file\fP
(String.) Specifies the location where the master key has been
stored (via kdb5_util stash). The default is \fB/mnt/c/Users/crash/Documents/BobLiterman/CSP2_Galaxy/CSP2/CSP2_env/env-d9b9114564458d9d-741b3de822f2aaca6c6caa4325c4afce/var\fP\fB/krb5kdc\fP\fB/.k5.REALM\fP, where \fIREALM\fP is the Kerberos realm.
.TP
\fBkdc_listen\fP
(Whitespace\- or comma\-separated list.) Specifies the UDP
listening addresses and/or ports for the krb5kdc(8) daemon.
Each entry may be an interface address, a port number, or an
address and port number separated by a colon. If the address
contains colons, enclose it in square brackets. If no address is
specified, the wildcard address is used. If no port is specified,
the standard port (88) is used. If the KDC daemon fails to bind
to any of the specified addresses, it will fail to start. The
default is to bind to the wildcard address on the standard port.
New in release 1.15.
.TP
\fBkdc_ports\fP
(Whitespace\- or comma\-separated list, deprecated.) Prior to
release 1.15, this relation lists the ports for the
krb5kdc(8) daemon to listen on for UDP requests. In
release 1.15 and later, it has the same meaning as \fBkdc_listen\fP
if that relation is not defined.
.TP
\fBkdc_tcp_listen\fP
(Whitespace\- or comma\-separated list.) Specifies the TCP
listening addresses and/or ports for the krb5kdc(8) daemon.
Each entry may be an interface address, a port number, or an
address and port number separated by a colon. If the address
contains colons, enclose it in square brackets. If no address is
specified, the wildcard address is used. If no port is specified,
the standard port (88) is used. To disable listening on TCP, set
this relation to the empty string with \fBkdc_tcp_listen = ""\fP\&.
If the KDC daemon fails to bind to any of the specified addresses,
it will fail to start. The default is to bind to the wildcard
address on the standard port. New in release 1.15.
.TP
\fBkdc_tcp_ports\fP
(Whitespace\- or comma\-separated list, deprecated.) Prior to
release 1.15, this relation lists the ports for the
krb5kdc(8) daemon to listen on for UDP requests. In
release 1.15 and later, it has the same meaning as
\fBkdc_tcp_listen\fP if that relation is not defined.
.TP
\fBkpasswd_listen\fP
(Comma\-separated list.) Specifies the kpasswd listening addresses
and/or ports for the kadmind(8) daemon. Each entry may be
an interface address, a port number, or an address and port number
separated by a colon. If the address contains colons, enclose it
in square brackets. If no address is specified, the wildcard
address is used. If kadmind fails to bind to any of the specified
addresses, it will fail to start. The default is to bind to the
wildcard address at the port specified in \fBkpasswd_port\fP, or the
standard kpasswd port (464). New in release 1.15.
.TP
\fBkpasswd_port\fP
(Port number.) Specifies the port on which the kadmind(8)
daemon is to listen for password change requests for this realm.
Port numbers specified in \fBkpasswd_listen\fP entries will override
this port number. The assigned port for password change requests
is 464, which is used by default.
.TP
\fBmaster_key_name\fP
(String.) Specifies the name of the principal associated with the
master key. The default is \fBK/M\fP\&.
.TP
\fBmaster_key_type\fP
(Key type string.) Specifies the master key\(aqs key type. The
default value for this is \fBaes256\-cts\-hmac\-sha1\-96\fP\&. For a list of all possible
values, see \fI\%Encryption types\fP\&.
.TP
\fBmax_life\fP
(duration string.) Specifies the maximum time period for
which a ticket may be valid in this realm. The default value is
24 hours.
.TP
\fBmax_renewable_life\fP
(duration string.) Specifies the maximum time period
during which a valid ticket may be renewed in this realm.
The default value is 0.
.TP
\fBno_host_referral\fP
(Whitespace\- or comma\-separated list.) Lists services to block
from getting host\-based referral processing, even if the client
marks the server principal as host\-based or the service is also
listed in \fBhost_based_services\fP\&. \fBno_host_referral = *\fP will
disable referral processing altogether.
.TP
\fBreject_bad_transit\fP
(Boolean value.) If set to true, the KDC will check the list of
transited realms for cross\-realm tickets against the transit path
computed from the realm names and the capaths section of its
krb5.conf(5) file; if the path in the ticket to be issued
contains any realms not in the computed path, the ticket will not
be issued, and an error will be returned to the client instead.
If this value is set to false, such tickets will be issued
anyway, and it will be left up to the application server to
validate the realm transit path.
.sp
If the disable\-transited\-check flag is set in the incoming
request, this check is not performed at all. With
\fBreject_bad_transit\fP set, such ticket requests will always be
rejected.
.sp
This transit path checking and config file option currently apply
only to TGS requests.
.sp
The default value is true.
.TP
\fBrestrict_anonymous_to_tgt\fP
(Boolean value.) If set to true, the KDC will reject ticket
requests from anonymous principals to service principals other
than the realm\(aqs ticket\-granting service. This option allows
anonymous PKINIT to be enabled for use as FAST armor tickets
without allowing anonymous authentication to services. The
default value is false. New in release 1.9.
.TP
\fBspake_preauth_indicator\fP
(String.) Specifies an authentication indicator value that the
KDC asserts into tickets obtained using SPAKE pre\-authentication.
The default is not to add any indicators. This option may be
specified multiple times. New in release 1.17.
.TP
\fBsupported_enctypes\fP
(List of \fIkey\fP:\fIsalt\fP strings.) Specifies the default key/salt
combinations of principals for this realm. Any principals created
through kadmin(1) will have keys of these types. The
default value for this tag is \fBaes256\-cts\-hmac\-sha1\-96:normal aes128\-cts\-hmac\-sha1\-96:normal\fP\&. For lists of
possible values, see \fI\%Keysalt lists\fP\&.
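.sp
Two points in the sections above are easy to get wrong when reviewing a KDC configuration: only the realm tags listed under [kdcdefaults] fall back to that section, and \fBdefault_principal_flags\fP is applied on top of a fixed set of flags that the page says are enabled by default. The following Python is an added example, not part of the kdc.conf(5) man page or of MIT krb5: it parses the profile syntax kdc.conf shares with krb5.conf, resolves a realm tag with the [kdcdefaults] fallback exactly as the page describes it, and resolves a flag string against the page's default flag set. The function names (parse_profile, realm_value, resolve_principal_flags) and the sample configuration are this example's own.

```python
"""Added example (not from the kdc.conf(5) page or MIT krb5): parse kdc.conf
syntax and resolve the two lookups the page describes in prose."""

import re

# Realm tags for which [kdcdefaults] supplies the value when the realm
# subsection omits them: the list the page gives under [kdcdefaults].
REALM_TAGS_WITH_KDCDEFAULTS = frozenset({
    "host_based_services", "kdc_listen", "kdc_ports", "kdc_tcp_listen",
    "kdc_tcp_ports", "no_host_referral", "restrict_anonymous_to_tgt",
})

# default_principal_flags: the flags the page says default to enabled,
# and every flag name it documents.
DEFAULT_ENABLED_FLAGS = frozenset({
    "postdateable", "forwardable", "tgt-based", "renewable",
    "proxiable", "dup-skey", "allow-tickets", "service",
})
KNOWN_FLAGS = DEFAULT_ENABLED_FLAGS | {
    "hwauth", "no-auth-data-required", "ok-as-delegate",
    "ok-to-auth-as-delegate", "preauth", "pwchange", "pwservice",
}

_SECTION = re.compile(r"\[([^\]]+)\]")


def _add(target, tag, value):
    """Store a relation; a tag given more than once becomes a list."""
    if tag not in target:
        target[tag] = value
    elif isinstance(target[tag], list):
        target[tag].append(value)
    else:
        target[tag] = [target[tag], value]


def parse_profile(text):
    """Parse [section] headers, 'tag = value' relations and
    'tag = {' ... '}' subsections into nested dicts.
    Lines starting with # or ; are comments."""
    root, section, stack = {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = _SECTION.fullmatch(line)
        if m:
            section = root.setdefault(m.group(1), {})
            stack = []
            continue
        if section is None:
            raise ValueError("relation before any [section]: %r" % line)
        if line == "}":
            if not stack:
                raise ValueError("unbalanced '}'")
            stack.pop()
            continue
        tag, sep, value = line.partition("=")
        if not sep:
            raise ValueError("expected 'tag = value': %r" % line)
        tag, value = tag.strip(), value.strip()
        target = stack[-1] if stack else section
        if value == "{":
            sub = {}
            _add(target, tag, sub)
            stack.append(sub)
        else:
            # acl_file = "" and kdc_tcp_listen = "" spell "empty" with quotes
            _add(target, tag, value.strip('"'))
    if stack:
        raise ValueError("unclosed subsection")
    return root


def realm_value(profile, realm, tag, default=None):
    """Value of a [realms] tag for one realm. Only the tags in
    REALM_TAGS_WITH_KDCDEFAULTS fall back to [kdcdefaults]; any other
    tag the realm does not set yields `default`."""
    sub = profile.get("realms", {}).get(realm, {})
    if tag in sub:
        return sub[tag]
    if tag in REALM_TAGS_WITH_KDCDEFAULTS:
        return profile.get("kdcdefaults", {}).get(tag, default)
    return default


def resolve_principal_flags(flag_string):
    """Apply a default_principal_flags string to the built-in defaults:
    comma-separated entries, '+name' enables and '-name' disables."""
    enabled = set(DEFAULT_ENABLED_FLAGS)
    for item in flag_string.split(","):
        item = item.strip()
        if not item:
            continue
        sign, name = item[0], item[1:].strip()
        if sign not in "+-" or name not in KNOWN_FLAGS:
            raise ValueError("bad flag specification: %r" % item)
        if sign == "+":
            enabled.add(name)
        else:
            enabled.discard(name)
    return frozenset(enabled)


# Constructed sample (not from the page): the realm overrides one
# [kdcdefaults] value, inherits the rest, and requires preauth by default.
SAMPLE_KDC_CONF = """\
[kdcdefaults]
    kdc_listen = 88
    kdc_tcp_listen = 88
    restrict_anonymous_to_tgt = true

[realms]
    EXAMPLE.COM = {
        acl_file = /var/krb5kdc/kadm5.acl
        kdc_tcp_listen = ""
        max_life = 10h 0m 0s
        default_principal_flags = +preauth,-forwardable
        spake_preauth_indicator = spake
        spake_preauth_indicator = spake-strong
    }
"""

if __name__ == "__main__":
    prof = parse_profile(SAMPLE_KDC_CONF)
    for tag in ("kdc_listen", "kdc_tcp_listen", "max_life", "acl_file"):
        print(tag, "=", repr(realm_value(prof, "EXAMPLE.COM", tag)))
    print(sorted(resolve_principal_flags(
        realm_value(prof, "EXAMPLE.COM", "default_principal_flags"))))
```

Note that \fBkdc_tcp_listen = ""\fP in the realm resolves to an empty string rather than to the [kdcdefaults] port, which is the documented way to turn TCP off for that realm, and that a repeated tag such as \fBspake_preauth_indicator\fP is kept as a list, since the page says it may be specified multiple times.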
.UNINDENT
.SS [dbdefaults]
.sp
The [dbdefaults] section specifies default values for some database
parameters, to be used if the [dbmodules] subsection does not contain
a relation for the tag. See the \fI\%[dbmodules]\fP section for the
definitions of these relations.
.INDENT 0.0
.IP \(bu 2
\fBldap_kerberos_container_dn\fP
.IP \(bu 2
\fBldap_kdc_dn\fP
.IP \(bu 2
\fBldap_kdc_sasl_authcid\fP
.IP \(bu 2
\fBldap_kdc_sasl_authzid\fP
.IP \(bu 2
\fBldap_kdc_sasl_mech\fP
.IP \(bu 2
\fBldap_kdc_sasl_realm\fP
.IP \(bu 2
\fBldap_kadmind_dn\fP
.IP \(bu 2
\fBldap_kadmind_sasl_authcid\fP
.IP \(bu 2
\fBldap_kadmind_sasl_authzid\fP
.IP \(bu 2
\fBldap_kadmind_sasl_mech\fP
.IP \(bu 2
\fBldap_kadmind_sasl_realm\fP
.IP \(bu 2
\fBldap_service_password_file\fP
.IP \(bu 2
\fBldap_conns_per_server\fP
.UNINDENT
.SS [dbmodules]
.sp
The [dbmodules] section contains parameters used by the KDC database
library and database modules. Each tag in the [dbmodules] section is
the name of a Kerberos realm or a section name specified by a realm\(aqs
\fBdatabase_module\fP parameter.
The following example shows how to
define one database parameter for the ATHENA.MIT.EDU realm:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
[dbmodules]
    ATHENA.MIT.EDU = {
        disable_last_success = true
    }
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
The following tags may be specified in a [dbmodules] subsection:
.INDENT 0.0
.TP
\fBdatabase_name\fP
This DB2\-specific tag indicates the location of the database in
the filesystem. The default is \fB/mnt/c/Users/crash/Documents/BobLiterman/CSP2_Galaxy/CSP2/CSP2_env/env-d9b9114564458d9d-741b3de822f2aaca6c6caa4325c4afce/var\fP\fB/krb5kdc\fP\fB/principal\fP\&.
.TP
\fBdb_library\fP
This tag indicates the name of the loadable database module. The
value should be \fBdb2\fP for the DB2 module, \fBklmdb\fP for the LMDB
module, or \fBkldap\fP for the LDAP module.
.TP
\fBdisable_last_success\fP
If set to \fBtrue\fP, suppresses KDC updates to the "Last successful
authentication" field of principal entries requiring
preauthentication. Setting this flag may improve performance.
(Principal entries which do not require preauthentication never
update the "Last successful authentication" field.) First
introduced in release 1.9.
.TP
\fBdisable_lockout\fP
If set to \fBtrue\fP, suppresses KDC updates to the "Last failed
authentication" and "Failed password attempts" fields of principal
entries requiring preauthentication. Setting this flag may
improve performance, but also disables account lockout. First
introduced in release 1.9.
.TP
\fBldap_conns_per_server\fP
This LDAP\-specific tag indicates the number of connections to be
maintained per LDAP server.
.TP
\fBldap_kdc_dn\fP and \fBldap_kadmind_dn\fP
These LDAP\-specific tags indicate the default DN for binding to
the LDAP server. The krb5kdc(8) daemon uses
\fBldap_kdc_dn\fP, while the kadmind(8) daemon and other
administrative programs use \fBldap_kadmind_dn\fP\&. The kadmind DN
must have the rights to read and write the Kerberos data in the
LDAP database. The KDC DN must have the same rights, unless
\fBdisable_lockout\fP and \fBdisable_last_success\fP are true, in
which case it only needs to have rights to read the Kerberos data.
These tags are ignored if a SASL mechanism is set with
\fBldap_kdc_sasl_mech\fP or \fBldap_kadmind_sasl_mech\fP\&.
.TP
\fBldap_kdc_sasl_mech\fP and \fBldap_kadmind_sasl_mech\fP
These LDAP\-specific tags specify the SASL mechanism (such as
\fBEXTERNAL\fP) to use when binding to the LDAP server. New in
release 1.13.
.TP
\fBldap_kdc_sasl_authcid\fP and \fBldap_kadmind_sasl_authcid\fP
These LDAP\-specific tags specify the SASL authentication identity
to use when binding to the LDAP server. Not all SASL mechanisms
require an authentication identity. If the SASL mechanism
requires a secret (such as the password for \fBDIGEST\-MD5\fP), these
tags also determine the name within the
\fBldap_service_password_file\fP where the secret is stashed. New
in release 1.13.
.TP
\fBldap_kdc_sasl_authzid\fP and \fBldap_kadmind_sasl_authzid\fP
These LDAP\-specific tags specify the SASL authorization identity
to use when binding to the LDAP server.
In most circumstances
they do not need to be specified. New in release 1.13.
.TP
\fBldap_kdc_sasl_realm\fP and \fBldap_kadmind_sasl_realm\fP
These LDAP\-specific tags specify the SASL realm to use when
binding to the LDAP server. In most circumstances they do not
need to be set. New in release 1.13.
.TP
\fBldap_kerberos_container_dn\fP
This LDAP\-specific tag indicates the DN of the container object
where the realm objects will be located.
.TP
\fBldap_servers\fP
This LDAP\-specific tag indicates the list of LDAP servers that the
Kerberos servers can connect to. The list of LDAP servers is
whitespace\-separated. Each LDAP server is specified by an LDAP URI.
It is recommended to use \fBldapi:\fP or \fBldaps:\fP URLs to connect
to the LDAP server.
.TP
\fBldap_service_password_file\fP
This LDAP\-specific tag indicates the file containing the stashed
passwords (created by \fBkdb5_ldap_util stashsrvpw\fP) for the
\fBldap_kdc_dn\fP and \fBldap_kadmind_dn\fP objects, or for the
\fBldap_kdc_sasl_authcid\fP or \fBldap_kadmind_sasl_authcid\fP names
for SASL authentication. This file must be kept secure.
.TP
\fBmapsize\fP
This LMDB\-specific tag indicates the maximum size of the two
database environments in megabytes. The default value is 128.
Increase this value to address "Environment mapsize limit reached"
errors. New in release 1.17.
.TP
\fBmax_readers\fP
This LMDB\-specific tag indicates the maximum number of concurrent
reading processes for the databases. The default value is 128.
New in release 1.17.
.TP
\fBnosync\fP
This LMDB\-specific tag can be set to improve the throughput of
kadmind and other administrative agents, at the expense of
durability (recent database changes may not survive a power outage
or other sudden reboot). It does not affect the throughput of the
KDC. The default value is false. New in release 1.17.
.TP
\fBunlockiter\fP
If set to \fBtrue\fP, this DB2\-specific tag causes iteration
operations to release the database lock while processing each
principal. Setting this flag to \fBtrue\fP can prevent extended
blocking of KDC or kadmin operations when dumps of large databases
are in progress. First introduced in release 1.13.
.UNINDENT
.sp
The following tag may be specified directly in the [dbmodules]
section to control where database modules are loaded from:
.INDENT 0.0
.TP
\fBdb_module_dir\fP
This tag controls where the plugin system looks for database
modules. The value should be an absolute path.
.UNINDENT
.SS [logging]
.sp
The [logging] section indicates how krb5kdc(8) and
kadmind(8) perform logging. It may contain the following
relations:
.INDENT 0.0
.TP
\fBadmin_server\fP
Specifies how kadmind(8) performs logging.
.TP
\fBkdc\fP
Specifies how krb5kdc(8) performs logging.
.TP
\fBdefault\fP
Specifies how either daemon performs logging in the absence of
relations specific to the daemon.
.TP
\fBdebug\fP
(Boolean value.) Specifies whether debugging messages are
included in log outputs other than SYSLOG. Debugging messages are
always included in the system log output because syslog performs
its own priority filtering. The default value is false. New in
release 1.15.
.UNINDENT
.sp
Logging specifications may have the following forms:
.INDENT 0.0
.TP
\fBFILE=\fP\fIfilename\fP or \fBFILE:\fP\fIfilename\fP
This value causes the daemon\(aqs logging messages to go to the
\fIfilename\fP\&. If the \fB=\fP form is used, the file is overwritten.
If the \fB:\fP form is used, the file is appended to.
.TP
\fBSTDERR\fP
This value causes the daemon\(aqs logging messages to go to its
standard error stream.
.TP
\fBCONSOLE\fP
This value causes the daemon\(aqs logging messages to go to the
console, if the system supports it.
.TP
\fBDEVICE=\fP\fI\fP
This causes the daemon\(aqs logging messages to go to the specified
device.
.TP
\fBSYSLOG\fP[\fB:\fP\fIseverity\fP[\fB:\fP\fIfacility\fP]]
This causes the daemon\(aqs logging messages to go to the system log.
.sp
For backward compatibility, a severity argument may be specified,
and must be specified in order to specify a facility. This
argument will be ignored.
.sp
The facility argument specifies the facility under which the
messages are logged. This may be any of the following facilities
supported by the syslog(3) call minus the LOG_ prefix: \fBKERN\fP,
\fBUSER\fP, \fBMAIL\fP, \fBDAEMON\fP, \fBAUTH\fP, \fBLPR\fP, \fBNEWS\fP,
\fBUUCP\fP, \fBCRON\fP, and \fBLOCAL0\fP through \fBLOCAL7\fP\&. If no
facility is specified, the default is \fBAUTH\fP\&.
jpayne@68: .UNINDENT jpayne@68: .sp jpayne@68: In the following example, the logging messages from the KDC will go to jpayne@68: the console and to the system log under the facility LOG_DAEMON, and jpayne@68: the logging messages from the administrative server will be appended jpayne@68: to the file \fB/var/adm/kadmin.log\fP and sent to the device jpayne@68: \fB/dev/tty04\fP\&. jpayne@68: .INDENT 0.0 jpayne@68: .INDENT 3.5 jpayne@68: .sp jpayne@68: .nf jpayne@68: .ft C jpayne@68: [logging] jpayne@68: kdc = CONSOLE jpayne@68: kdc = SYSLOG:INFO:DAEMON jpayne@68: admin_server = FILE:/var/adm/kadmin.log jpayne@68: admin_server = DEVICE=/dev/tty04 jpayne@68: .ft P jpayne@68: .fi jpayne@68: .UNINDENT jpayne@68: .UNINDENT jpayne@68: .sp jpayne@68: If no logging specification is given, the default is to use syslog. jpayne@68: To disable logging entirely, specify \fBdefault = DEVICE=/dev/null\fP\&. jpayne@68: .SS [otp] jpayne@68: .sp jpayne@68: Each subsection of [otp] is the name of an OTP token type. The tags jpayne@68: within the subsection define the configuration required to forward a jpayne@68: One Time Password request to a RADIUS server. jpayne@68: .sp jpayne@68: For each token type, the following tags may be specified: jpayne@68: .INDENT 0.0 jpayne@68: .TP jpayne@68: \fBserver\fP jpayne@68: This is the server to send the RADIUS request to. It can be a jpayne@68: hostname with optional port, an ip address with optional port, or jpayne@68: a Unix domain socket address. The default is jpayne@68: \fB/mnt/c/Users/crash/Documents/BobLiterman/CSP2_Galaxy/CSP2/CSP2_env/env-d9b9114564458d9d-741b3de822f2aaca6c6caa4325c4afce/var\fP\fB/krb5kdc\fP\fB/.socket\fP\&. 
jpayne@68: .TP jpayne@68: \fBsecret\fP jpayne@68: This tag indicates a filename (which may be relative to \fB/mnt/c/Users/crash/Documents/BobLiterman/CSP2_Galaxy/CSP2/CSP2_env/env-d9b9114564458d9d-741b3de822f2aaca6c6caa4325c4afce/var\fP\fB/krb5kdc\fP) jpayne@68: containing the secret used to encrypt the RADIUS packets. The jpayne@68: secret should appear in the first line of the file by itself; jpayne@68: leading and trailing whitespace on the line will be removed. If jpayne@68: the value of \fBserver\fP is a Unix domain socket address, this tag jpayne@68: is optional, and an empty secret will be used if it is not jpayne@68: specified. Otherwise, this tag is required. jpayne@68: .TP jpayne@68: \fBtimeout\fP jpayne@68: An integer which specifies the time in seconds during which the jpayne@68: KDC should attempt to contact the RADIUS server. This tag is the jpayne@68: total time across all retries and should be less than the time jpayne@68: which an OTP value remains valid for. The default is 5 seconds. jpayne@68: .TP jpayne@68: \fBretries\fP jpayne@68: This tag specifies the number of retries to make to the RADIUS jpayne@68: server. The default is 3 retries (4 tries). jpayne@68: .TP jpayne@68: \fBstrip_realm\fP jpayne@68: If this tag is \fBtrue\fP, the principal without the realm will be jpayne@68: passed to the RADIUS server. Otherwise, the realm will be jpayne@68: included. The default value is \fBtrue\fP\&. jpayne@68: .TP jpayne@68: \fBindicator\fP jpayne@68: This tag specifies an authentication indicator to be included in jpayne@68: the ticket if this token type is used to authenticate. This jpayne@68: option may be specified multiple times. (New in release 1.14.) 
jpayne@68: .UNINDENT jpayne@68: .sp jpayne@68: In the following example, requests are sent to a remote server via UDP: jpayne@68: .INDENT 0.0 jpayne@68: .INDENT 3.5 jpayne@68: .sp jpayne@68: .nf jpayne@68: .ft C jpayne@68: [otp] jpayne@68: MyRemoteTokenType = { jpayne@68: server = radius.mydomain.com:1812 jpayne@68: secret = SEmfiajf42$ jpayne@68: timeout = 15 jpayne@68: retries = 5 jpayne@68: strip_realm = true jpayne@68: } jpayne@68: .ft P jpayne@68: .fi jpayne@68: .UNINDENT jpayne@68: .UNINDENT jpayne@68: .sp jpayne@68: An implicit default token type named \fBDEFAULT\fP is defined for when jpayne@68: the per\-principal configuration does not specify a token type. Its jpayne@68: configuration is shown below. You may override this token type to jpayne@68: something applicable for your situation: jpayne@68: .INDENT 0.0 jpayne@68: .INDENT 3.5 jpayne@68: .sp jpayne@68: .nf jpayne@68: .ft C jpayne@68: [otp] jpayne@68: DEFAULT = { jpayne@68: strip_realm = false jpayne@68: } jpayne@68: .ft P jpayne@68: .fi jpayne@68: .UNINDENT jpayne@68: .UNINDENT jpayne@68: .SH PKINIT OPTIONS jpayne@68: .sp jpayne@68: \fBNOTE:\fP jpayne@68: .INDENT 0.0 jpayne@68: .INDENT 3.5 jpayne@68: The following are pkinit\-specific options. These values may jpayne@68: be specified in [kdcdefaults] as global defaults, or within jpayne@68: a realm\-specific subsection of [realms]. Also note that a jpayne@68: realm\-specific value over\-rides, does not add to, a generic jpayne@68: [kdcdefaults] specification. The search order is: jpayne@68: .UNINDENT jpayne@68: .UNINDENT jpayne@68: .INDENT 0.0 jpayne@68: .IP 1. 3 jpayne@68: realm\-specific subsection of [realms]: jpayne@68: .INDENT 3.0 jpayne@68: .INDENT 3.5 jpayne@68: .sp jpayne@68: .nf jpayne@68: .ft C jpayne@68: [realms] jpayne@68: EXAMPLE.COM = { jpayne@68: pkinit_anchors = FILE:/usr/local/example.com.crt jpayne@68: } jpayne@68: .ft P jpayne@68: .fi jpayne@68: .UNINDENT jpayne@68: .UNINDENT jpayne@68: .IP 2. 
3 jpayne@68: generic value in the [kdcdefaults] section: jpayne@68: .INDENT 3.0 jpayne@68: .INDENT 3.5 jpayne@68: .sp jpayne@68: .nf jpayne@68: .ft C jpayne@68: [kdcdefaults] jpayne@68: pkinit_anchors = DIR:/usr/local/generic_trusted_cas/ jpayne@68: .ft P jpayne@68: .fi jpayne@68: .UNINDENT jpayne@68: .UNINDENT jpayne@68: .UNINDENT jpayne@68: .sp jpayne@68: For information about the syntax of some of these options, see jpayne@68: Specifying PKINIT identity information in jpayne@68: krb5.conf(5)\&. jpayne@68: .INDENT 0.0 jpayne@68: .TP jpayne@68: \fBpkinit_anchors\fP jpayne@68: Specifies the location of trusted anchor (root) certificates which jpayne@68: the KDC trusts to sign client certificates. This option is jpayne@68: required if pkinit is to be supported by the KDC. This option may jpayne@68: be specified multiple times. jpayne@68: .TP jpayne@68: \fBpkinit_dh_min_bits\fP jpayne@68: Specifies the minimum number of bits the KDC is willing to accept jpayne@68: for a client\(aqs Diffie\-Hellman key. The default is 2048. jpayne@68: .TP jpayne@68: \fBpkinit_allow_upn\fP jpayne@68: Specifies that the KDC is willing to accept client certificates jpayne@68: with the Microsoft UserPrincipalName (UPN) Subject Alternative jpayne@68: Name (SAN). This means the KDC accepts the binding of the UPN in jpayne@68: the certificate to the Kerberos principal name. The default value jpayne@68: is false. jpayne@68: .sp jpayne@68: Without this option, the KDC will only accept certificates with jpayne@68: the id\-pkinit\-san as defined in \fI\%RFC 4556\fP\&. There is currently jpayne@68: no option to disable SAN checking in the KDC. jpayne@68: .TP jpayne@68: \fBpkinit_eku_checking\fP jpayne@68: This option specifies what Extended Key Usage (EKU) values the KDC jpayne@68: is willing to accept in client certificates. 
The values jpayne@68: recognized in the kdc.conf file are: jpayne@68: .INDENT 7.0 jpayne@68: .TP jpayne@68: \fBkpClientAuth\fP jpayne@68: This is the default value and specifies that client jpayne@68: certificates must have the id\-pkinit\-KPClientAuth EKU as jpayne@68: defined in \fI\%RFC 4556\fP\&. jpayne@68: .TP jpayne@68: \fBscLogin\fP jpayne@68: If scLogin is specified, client certificates with the jpayne@68: Microsoft Smart Card Login EKU (id\-ms\-kp\-sc\-logon) will be jpayne@68: accepted. jpayne@68: .TP jpayne@68: \fBnone\fP jpayne@68: If none is specified, then client certificates will not be jpayne@68: checked to verify they have an acceptable EKU. The use of jpayne@68: this option is not recommended. jpayne@68: .UNINDENT jpayne@68: .TP jpayne@68: \fBpkinit_identity\fP jpayne@68: Specifies the location of the KDC\(aqs X.509 identity information. jpayne@68: This option is required if pkinit is to be supported by the KDC. jpayne@68: .TP jpayne@68: \fBpkinit_indicator\fP jpayne@68: Specifies an authentication indicator to include in the ticket if jpayne@68: pkinit is used to authenticate. This option may be specified jpayne@68: multiple times. (New in release 1.14.) jpayne@68: .TP jpayne@68: \fBpkinit_pool\fP jpayne@68: Specifies the location of intermediate certificates which may be jpayne@68: used by the KDC to complete the trust chain between a client\(aqs jpayne@68: certificate and a trusted anchor. This option may be specified jpayne@68: multiple times. jpayne@68: .TP jpayne@68: \fBpkinit_revoke\fP jpayne@68: Specifies the location of Certificate Revocation List (CRL) jpayne@68: information to be used by the KDC when verifying the validity of jpayne@68: client certificates. This option may be specified multiple times. jpayne@68: .TP jpayne@68: \fBpkinit_require_crl_checking\fP jpayne@68: The default certificate verification process will always check the jpayne@68: available revocation information to see if a certificate has been jpayne@68: revoked. 
If a match is found for the certificate in a CRL, jpayne@68: verification fails. If the certificate being verified is not jpayne@68: listed in a CRL, or there is no CRL present for its issuing CA, jpayne@68: and \fBpkinit_require_crl_checking\fP is false, then verification jpayne@68: succeeds. jpayne@68: .sp jpayne@68: However, if \fBpkinit_require_crl_checking\fP is true and there is jpayne@68: no CRL information available for the issuing CA, then verification jpayne@68: fails. jpayne@68: .sp jpayne@68: \fBpkinit_require_crl_checking\fP should be set to true if the jpayne@68: policy is such that up\-to\-date CRLs must be present for every CA. jpayne@68: .TP jpayne@68: \fBpkinit_require_freshness\fP jpayne@68: Specifies whether to require clients to include a freshness token jpayne@68: in PKINIT requests. The default value is false. (New in release jpayne@68: 1.17.) jpayne@68: .UNINDENT jpayne@68: .SH ENCRYPTION TYPES jpayne@68: .sp jpayne@68: Any tag in the configuration files which requires a list of encryption jpayne@68: types can be set to some combination of the following strings. jpayne@68: Encryption types marked as "weak" and "deprecated" are available for jpayne@68: compatibility but not recommended for use. jpayne@68: .TS jpayne@68: center; jpayne@68: |l|l|. 
jpayne@68: _ jpayne@68: T{ jpayne@68: des3\-cbc\-raw jpayne@68: T} T{ jpayne@68: Triple DES cbc mode raw (weak) jpayne@68: T} jpayne@68: _ jpayne@68: T{ jpayne@68: des3\-cbc\-sha1 des3\-hmac\-sha1 des3\-cbc\-sha1\-kd jpayne@68: T} T{ jpayne@68: Triple DES cbc mode with HMAC/sha1 (deprecated) jpayne@68: T} jpayne@68: _ jpayne@68: T{ jpayne@68: aes256\-cts\-hmac\-sha1\-96 aes256\-cts aes256\-sha1 jpayne@68: T} T{ jpayne@68: AES\-256 CTS mode with 96\-bit SHA\-1 HMAC jpayne@68: T} jpayne@68: _ jpayne@68: T{ jpayne@68: aes128\-cts\-hmac\-sha1\-96 aes128\-cts aes128\-sha1 jpayne@68: T} T{ jpayne@68: AES\-128 CTS mode with 96\-bit SHA\-1 HMAC jpayne@68: T} jpayne@68: _ jpayne@68: T{ jpayne@68: aes256\-cts\-hmac\-sha384\-192 aes256\-sha2 jpayne@68: T} T{ jpayne@68: AES\-256 CTS mode with 192\-bit SHA\-384 HMAC jpayne@68: T} jpayne@68: _ jpayne@68: T{ jpayne@68: aes128\-cts\-hmac\-sha256\-128 aes128\-sha2 jpayne@68: T} T{ jpayne@68: AES\-128 CTS mode with 128\-bit SHA\-256 HMAC jpayne@68: T} jpayne@68: _ jpayne@68: T{ jpayne@68: arcfour\-hmac rc4\-hmac arcfour\-hmac\-md5 jpayne@68: T} T{ jpayne@68: RC4 with HMAC/MD5 (deprecated) jpayne@68: T} jpayne@68: _ jpayne@68: T{ jpayne@68: arcfour\-hmac\-exp rc4\-hmac\-exp arcfour\-hmac\-md5\-exp jpayne@68: T} T{ jpayne@68: Exportable RC4 with HMAC/MD5 (weak) jpayne@68: T} jpayne@68: _ jpayne@68: T{ jpayne@68: camellia256\-cts\-cmac camellia256\-cts jpayne@68: T} T{ jpayne@68: Camellia\-256 CTS mode with CMAC jpayne@68: T} jpayne@68: _ jpayne@68: T{ jpayne@68: camellia128\-cts\-cmac camellia128\-cts jpayne@68: T} T{ jpayne@68: Camellia\-128 CTS mode with CMAC jpayne@68: T} jpayne@68: _ jpayne@68: T{ jpayne@68: des3 jpayne@68: T} T{ jpayne@68: The triple DES family: des3\-cbc\-sha1 jpayne@68: T} jpayne@68: _ jpayne@68: T{ jpayne@68: aes jpayne@68: T} T{ jpayne@68: The AES family: aes256\-cts\-hmac\-sha1\-96, aes128\-cts\-hmac\-sha1\-96, aes256\-cts\-hmac\-sha384\-192, and aes128\-cts\-hmac\-sha256\-128 jpayne@68: T} jpayne@68: _ 
jpayne@68: T{ jpayne@68: rc4 jpayne@68: T} T{ jpayne@68: The RC4 family: arcfour\-hmac jpayne@68: T} jpayne@68: _ jpayne@68: T{ jpayne@68: camellia jpayne@68: T} T{ jpayne@68: The Camellia family: camellia256\-cts\-cmac and camellia128\-cts\-cmac jpayne@68: T} jpayne@68: _ jpayne@68: .TE jpayne@68: .sp jpayne@68: The string \fBDEFAULT\fP can be used to refer to the default set of jpayne@68: types for the variable in question. Types or families can be removed jpayne@68: from the current list by prefixing them with a minus sign ("\-"). jpayne@68: Types or families can be prefixed with a plus sign ("+") for symmetry; jpayne@68: it has the same meaning as just listing the type or family. For jpayne@68: example, "\fBDEFAULT \-rc4\fP" would be the default set of encryption jpayne@68: types with RC4 types removed, and "\fBdes3 DEFAULT\fP" would be the jpayne@68: default set of encryption types with triple DES types moved to the jpayne@68: front. jpayne@68: .sp jpayne@68: While \fBaes128\-cts\fP and \fBaes256\-cts\fP are supported for all Kerberos jpayne@68: operations, they are not supported by very old versions of our GSSAPI jpayne@68: implementation (krb5\-1.3.1 and earlier). Services running versions of jpayne@68: krb5 without AES support must not be given keys of these encryption jpayne@68: types in the KDC database. jpayne@68: .sp jpayne@68: The \fBaes128\-sha2\fP and \fBaes256\-sha2\fP encryption types are new in jpayne@68: release 1.15. Services running versions of krb5 without support for jpayne@68: these newer encryption types must not be given keys of these jpayne@68: encryption types in the KDC database. jpayne@68: .SH KEYSALT LISTS jpayne@68: .sp jpayne@68: Kerberos keys for users are usually derived from passwords. Kerberos jpayne@68: commands and configuration parameters that affect generation of keys jpayne@68: take lists of enctype\-salttype ("keysalt") pairs, known as \fIkeysalt jpayne@68: lists\fP\&. 
Each keysalt pair is an enctype name followed by a salttype jpayne@68: name, in the format \fIenc\fP:\fIsalt\fP\&. Individual keysalt list members are jpayne@68: separated by comma (",") characters or space characters. For example: jpayne@68: .INDENT 0.0 jpayne@68: .INDENT 3.5 jpayne@68: .sp jpayne@68: .nf jpayne@68: .ft C jpayne@68: kadmin \-e aes256\-cts:normal,aes128\-cts:normal jpayne@68: .ft P jpayne@68: .fi jpayne@68: .UNINDENT jpayne@68: .UNINDENT jpayne@68: .sp jpayne@68: would start up kadmin so that by default it would generate jpayne@68: password\-derived keys for the \fBaes256\-cts\fP and \fBaes128\-cts\fP jpayne@68: encryption types, using a \fBnormal\fP salt. jpayne@68: .sp jpayne@68: To ensure that people who happen to pick the same password do not have jpayne@68: the same key, Kerberos 5 incorporates more information into the key jpayne@68: using something called a salt. The supported salt types are as jpayne@68: follows: jpayne@68: .TS jpayne@68: center; jpayne@68: |l|l|. 
jpayne@68: _ jpayne@68: T{ jpayne@68: normal jpayne@68: T} T{ jpayne@68: default for Kerberos Version 5 jpayne@68: T} jpayne@68: _ jpayne@68: T{ jpayne@68: norealm jpayne@68: T} T{ jpayne@68: same as the default, without using realm information jpayne@68: T} jpayne@68: _ jpayne@68: T{ jpayne@68: onlyrealm jpayne@68: T} T{ jpayne@68: uses only realm information as the salt jpayne@68: T} jpayne@68: _ jpayne@68: T{ jpayne@68: special jpayne@68: T} T{ jpayne@68: generate a random salt jpayne@68: T} jpayne@68: _ jpayne@68: .TE jpayne@68: .SH SAMPLE KDC.CONF FILE jpayne@68: .sp jpayne@68: Here\(aqs an example of a kdc.conf file: jpayne@68: .INDENT 0.0 jpayne@68: .INDENT 3.5 jpayne@68: .sp jpayne@68: .nf jpayne@68: .ft C jpayne@68: [kdcdefaults] jpayne@68: kdc_listen = 88 jpayne@68: kdc_tcp_listen = 88 jpayne@68: [realms] jpayne@68: ATHENA.MIT.EDU = { jpayne@68: kadmind_port = 749 jpayne@68: max_life = 12h 0m 0s jpayne@68: max_renewable_life = 7d 0h 0m 0s jpayne@68: master_key_type = aes256\-cts\-hmac\-sha1\-96 jpayne@68: supported_enctypes = aes256\-cts\-hmac\-sha1\-96:normal aes128\-cts\-hmac\-sha1\-96:normal jpayne@68: database_module = openldap_ldapconf jpayne@68: } jpayne@68: jpayne@68: [logging] jpayne@68: kdc = FILE:/usr/local/var/krb5kdc/kdc.log jpayne@68: admin_server = FILE:/usr/local/var/krb5kdc/kadmin.log jpayne@68: jpayne@68: [dbdefaults] jpayne@68: ldap_kerberos_container_dn = cn=krbcontainer,dc=mit,dc=edu jpayne@68: jpayne@68: [dbmodules] jpayne@68: openldap_ldapconf = { jpayne@68: db_library = kldap jpayne@68: disable_last_success = true jpayne@68: ldap_kdc_dn = "cn=krbadmin,dc=mit,dc=edu" jpayne@68: # this object needs to have read rights on jpayne@68: # the realm container and principal subtrees jpayne@68: ldap_kadmind_dn = "cn=krbadmin,dc=mit,dc=edu" jpayne@68: # this object needs to have read and write rights on jpayne@68: # the realm container and principal subtrees jpayne@68: ldap_service_password_file = /etc/kerberos/service.keyfile jpayne@68: 
ldap_servers = ldaps://kerberos.mit.edu jpayne@68: ldap_conns_per_server = 5 jpayne@68: } jpayne@68: .ft P jpayne@68: .fi jpayne@68: .UNINDENT jpayne@68: .UNINDENT jpayne@68: .SH FILES jpayne@68: .sp jpayne@68: \fB/mnt/c/Users/crash/Documents/BobLiterman/CSP2_Galaxy/CSP2/CSP2_env/env-d9b9114564458d9d-741b3de822f2aaca6c6caa4325c4afce/var\fP\fB/krb5kdc\fP\fB/kdc.conf\fP jpayne@68: .SH SEE ALSO jpayne@68: .sp jpayne@68: krb5.conf(5), krb5kdc(8), kadm5.acl(5) jpayne@68: .SH AUTHOR jpayne@68: MIT jpayne@68: .SH COPYRIGHT jpayne@68: 1985-2022, MIT jpayne@68: .\" Generated by docutils manpage writer. jpayne@68: .
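As an added worked example (not code from the krb5 project or from this man page), the following Python resolves the enctype list syntax described under ENCRYPTION TYPES (DEFAULT, the des3/aes/rc4/camellia families, the "+" and "\-" prefixes, alias names) and parses the enc:salt syntax described under KEYSALT LISTS, using the alias, family and salt-type tables from this page. It also flags the types the page marks weak or deprecated, which is the check an operator wants before putting such a list into supported_enctypes. The DEFAULT set used here, the comma-or-space splitting of enctype lists, and the names resolve_enctypes, audit_enctypes and parse_keysalt_list are assumptions of the example; in a real deployment DEFAULT depends on which variable is being set.

```python
"""Resolve kdc.conf enctype-list and keysalt-list expressions.

Added illustration for the kdc.conf man page; not krb5 project code.
"""
import re

# One row per enctype from the page's ENCRYPTION TYPES table: all of its
# aliases (first name is treated as canonical) and the table's
# weak/deprecated marking where it has one.
_TABLE = [
    (["des3-cbc-raw"], "weak"),
    (["des3-cbc-sha1", "des3-hmac-sha1", "des3-cbc-sha1-kd"], "deprecated"),
    (["aes256-cts-hmac-sha1-96", "aes256-cts", "aes256-sha1"], None),
    (["aes128-cts-hmac-sha1-96", "aes128-cts", "aes128-sha1"], None),
    (["aes256-cts-hmac-sha384-192", "aes256-sha2"], None),
    (["aes128-cts-hmac-sha256-128", "aes128-sha2"], None),
    (["arcfour-hmac", "rc4-hmac", "arcfour-hmac-md5"], "deprecated"),
    (["arcfour-hmac-exp", "rc4-hmac-exp", "arcfour-hmac-md5-exp"], "weak"),
    (["camellia256-cts-cmac", "camellia256-cts"], None),
    (["camellia128-cts-cmac", "camellia128-cts"], None),
]
_CANONICAL = {alias: names[0] for names, _ in _TABLE for alias in names}
_NOT_RECOMMENDED = {names[0]: mark for names, mark in _TABLE if mark}

# Family names from the same table.
_FAMILIES = {
    "des3": ["des3-cbc-sha1"],
    "aes": ["aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96",
            "aes256-cts-hmac-sha384-192", "aes128-cts-hmac-sha256-128"],
    "rc4": ["arcfour-hmac"],
    "camellia": ["camellia256-cts-cmac", "camellia128-cts-cmac"],
}
# ASSUMPTION for this example: DEFAULT is the AES and Camellia families.
DEFAULT_ENCTYPES = _FAMILIES["aes"] + _FAMILIES["camellia"]
# Salt types from the KEYSALT LISTS table.
SALT_TYPES = {"normal", "norealm", "onlyrealm", "special"}


def _expand(name, default):
    """Map one token (sign already stripped) to canonical enctype names."""
    if name == "DEFAULT":
        return list(default)
    if name in _FAMILIES:
        return list(_FAMILIES[name])
    if name in _CANONICAL:
        return [_CANONICAL[name]]
    raise ValueError("unknown enctype or family: %r" % name)


def resolve_enctypes(expr, default=DEFAULT_ENCTYPES):
    """Evaluate an enctype list left to right.

    "x" and "+x" append x (or every member of family/DEFAULT x) that is
    not already present, keeping order; "-x" removes them.  Tokens are
    split on whitespace or commas (an assumption of this example).
    """
    result = []
    for token in re.split(r"[\s,]+", expr.strip()):
        if not token:
            continue
        remove = token.startswith("-")
        name = token[1:] if token[0] in "+-" else token
        for enctype in _expand(name, default):
            if remove:
                result = [e for e in result if e != enctype]
            elif enctype not in result:
                result.append(enctype)
    return result


def audit_enctypes(enctypes):
    """Return [(enctype, 'weak'|'deprecated')] for the types the page
    says are available only for compatibility."""
    return [(e, _NOT_RECOMMENDED[e]) for e in enctypes if e in _NOT_RECOMMENDED]


def parse_keysalt_list(expr):
    """Parse "enc:salt" members separated by commas or spaces into
    (canonical enctype, salttype) pairs, rejecting unknown names."""
    pairs = []
    for member in re.split(r"[\s,]+", expr.strip()):
        if not member:
            continue
        if ":" not in member:
            raise ValueError("keysalt %r is not in enc:salt form" % member)
        enc, salt = member.split(":", 1)
        if enc not in _CANONICAL:
            raise ValueError("unknown enctype %r" % enc)
        if salt not in SALT_TYPES:
            raise ValueError("unknown salttype %r" % salt)
        pairs.append((_CANONICAL[enc], salt))
    return pairs


if __name__ == "__main__":
    print(resolve_enctypes("DEFAULT -rc4"))
    print(resolve_enctypes("des3 DEFAULT"))
    print(audit_enctypes(resolve_enctypes("des3 DEFAULT")))
    print(parse_keysalt_list("aes256-cts:normal,aes128-cts:normal"))
```

The two examples from the page behave as described: "des3 DEFAULT" yields des3\-cbc\-sha1 followed by the DEFAULT set, and "DEFAULT \-rc4" strips arcfour\-hmac only if the DEFAULT set contains it. Running audit_enctypes over the resolved list before committing a supported_enctypes or permitted_enctypes value makes a deprecated or weak type visible instead of silently accepted.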