jpayne@68: .\" Man page generated from reStructuredText. jpayne@68: . jpayne@68: .TH "KRB5.CONF" "5" " " "1.20.1" "MIT Kerberos" jpayne@68: .SH NAME jpayne@68: krb5.conf \- Kerberos configuration file jpayne@68: . jpayne@68: .nr rst2man-indent-level 0 jpayne@68: . jpayne@68: .de1 rstReportMargin jpayne@68: \\$1 \\n[an-margin] jpayne@68: level \\n[rst2man-indent-level] jpayne@68: level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] jpayne@68: - jpayne@68: \\n[rst2man-indent0] jpayne@68: \\n[rst2man-indent1] jpayne@68: \\n[rst2man-indent2] jpayne@68: .. jpayne@68: .de1 INDENT jpayne@68: .\" .rstReportMargin pre: jpayne@68: . RS \\$1 jpayne@68: . nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] jpayne@68: . nr rst2man-indent-level +1 jpayne@68: .\" .rstReportMargin post: jpayne@68: .. jpayne@68: .de UNINDENT jpayne@68: . RE jpayne@68: .\" indent \\n[an-margin] jpayne@68: .\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] jpayne@68: .nr rst2man-indent-level -1 jpayne@68: .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] jpayne@68: .in \\n[rst2man-indent\\n[rst2man-indent-level]]u jpayne@68: .. jpayne@68: .sp jpayne@68: The krb5.conf file contains Kerberos configuration information, jpayne@68: including the locations of KDCs and admin servers for the Kerberos jpayne@68: realms of interest, defaults for the current realm and for Kerberos jpayne@68: applications, and mappings of hostnames onto Kerberos realms. jpayne@68: Normally, you should install your krb5.conf file in the directory jpayne@68: \fB/etc\fP\&. You can override the default location by setting the jpayne@68: environment variable \fBKRB5_CONFIG\fP\&. Multiple colon\-separated jpayne@68: filenames may be specified in \fBKRB5_CONFIG\fP; all files which are jpayne@68: present will be read. Starting in release 1.14, directory names can jpayne@68: also be specified in \fBKRB5_CONFIG\fP; all files within the directory jpayne@68: whose names consist solely of alphanumeric characters, dashes, or jpayne@68: underscores will be read. jpayne@68: .SH STRUCTURE jpayne@68: .sp jpayne@68: The krb5.conf file is set up in the style of a Windows INI file. jpayne@68: Lines beginning with \(aq#\(aq or \(aq;\(aq (possibly after initial whitespace) jpayne@68: are ignored as comments. Sections are headed by the section name, in jpayne@68: square brackets. Each section may contain zero or more relations, of jpayne@68: the form: jpayne@68: .INDENT 0.0 jpayne@68: .INDENT 3.5 jpayne@68: .sp jpayne@68: .nf jpayne@68: .ft C jpayne@68: foo = bar jpayne@68: .ft P jpayne@68: .fi jpayne@68: .UNINDENT jpayne@68: .UNINDENT jpayne@68: .sp jpayne@68: or: jpayne@68: .INDENT 0.0 jpayne@68: .INDENT 3.5 jpayne@68: .sp jpayne@68: .nf jpayne@68: .ft C jpayne@68: fubar = { jpayne@68: foo = bar jpayne@68: baz = quux jpayne@68: } jpayne@68: .ft P jpayne@68: .fi jpayne@68: .UNINDENT jpayne@68: .UNINDENT jpayne@68: .sp jpayne@68: Placing a \(aq*\(aq after the closing bracket of a section name indicates jpayne@68: that the section is \fIfinal\fP, meaning that if the same section appears jpayne@68: within a later file specified in \fBKRB5_CONFIG\fP, it will be ignored. jpayne@68: A subsection can be marked as final by placing a \(aq*\(aq after either the jpayne@68: tag name or the closing brace. jpayne@68: .sp jpayne@68: The krb5.conf file can include other files using either of the jpayne@68: following directives at the beginning of a line: jpayne@68: .INDENT 0.0 jpayne@68: .INDENT 3.5 jpayne@68: .sp jpayne@68: .nf jpayne@68: .ft C jpayne@68: include FILENAME jpayne@68: includedir DIRNAME jpayne@68: .ft P jpayne@68: .fi jpayne@68: .UNINDENT jpayne@68: .UNINDENT jpayne@68: .sp jpayne@68: \fIFILENAME\fP or \fIDIRNAME\fP should be an absolute path. The named file or jpayne@68: directory must exist and be readable. Including a directory includes jpayne@68: all files within the directory whose names consist solely of jpayne@68: alphanumeric characters, dashes, or underscores. Starting in release jpayne@68: 1.15, files with names ending in ".conf" are also included, unless the jpayne@68: name begins with ".". Included profile files are syntactically jpayne@68: independent of their parents, so each included file must begin with a jpayne@68: section header. Starting in release 1.17, files are read in jpayne@68: alphanumeric order; in previous releases, they may be read in any jpayne@68: order. jpayne@68: .sp jpayne@68: The krb5.conf file can specify that configuration should be obtained jpayne@68: from a loadable module, rather than the file itself, using the jpayne@68: following directive at the beginning of a line before any section jpayne@68: headers: jpayne@68: .INDENT 0.0 jpayne@68: .INDENT 3.5 jpayne@68: .sp jpayne@68: .nf jpayne@68: .ft C jpayne@68: module MODULEPATH:RESIDUAL jpayne@68: .ft P jpayne@68: .fi jpayne@68: .UNINDENT jpayne@68: .UNINDENT jpayne@68: .sp jpayne@68: \fIMODULEPATH\fP may be relative to the library path of the krb5 jpayne@68: installation, or it may be an absolute path. \fIRESIDUAL\fP is provided jpayne@68: to the module at initialization time. If krb5.conf uses a module jpayne@68: directive, kdc.conf(5) should also use one if it exists. jpayne@68: .SH SECTIONS jpayne@68: .sp jpayne@68: The krb5.conf file may contain the following sections: jpayne@68: .TS jpayne@68: center; jpayne@68: |l|l|. jpayne@68: _ jpayne@68: T{ jpayne@68: \fI\%[libdefaults]\fP jpayne@68: T} T{ jpayne@68: Settings used by the Kerberos V5 library jpayne@68: T} jpayne@68: _ jpayne@68: T{ jpayne@68: \fI\%[realms]\fP jpayne@68: T} T{ jpayne@68: Realm\-specific contact information and settings jpayne@68: T} jpayne@68: _ jpayne@68: T{ jpayne@68: \fI\%[domain_realm]\fP jpayne@68: T} T{ jpayne@68: Maps server hostnames to Kerberos realms jpayne@68: T} jpayne@68: _ jpayne@68: T{ jpayne@68: \fI\%[capaths]\fP jpayne@68: T} T{ jpayne@68: Authentication paths for non\-hierarchical cross\-realm jpayne@68: T} jpayne@68: _ jpayne@68: T{ jpayne@68: \fI\%[appdefaults]\fP jpayne@68: T} T{ jpayne@68: Settings used by some Kerberos V5 applications jpayne@68: T} jpayne@68: _ jpayne@68: T{ jpayne@68: \fI\%[plugins]\fP jpayne@68: T} T{ jpayne@68: Controls plugin module registration jpayne@68: T} jpayne@68: _ jpayne@68: .TE jpayne@68: .sp jpayne@68: Additionally, krb5.conf may include any of the relations described in jpayne@68: kdc.conf(5), but it is not a recommended practice. jpayne@68: .SS [libdefaults] jpayne@68: .sp jpayne@68: The libdefaults section may contain any of the following relations: jpayne@68: .INDENT 0.0 jpayne@68: .TP jpayne@68: \fBallow_weak_crypto\fP jpayne@68: If this flag is set to false, then weak encryption types (as noted jpayne@68: in Encryption_types in kdc.conf(5)) will be filtered jpayne@68: out of the lists \fBdefault_tgs_enctypes\fP, jpayne@68: \fBdefault_tkt_enctypes\fP, and \fBpermitted_enctypes\fP\&. The default jpayne@68: value for this tag is false. jpayne@68: .TP jpayne@68: \fBcanonicalize\fP jpayne@68: If this flag is set to true, initial ticket requests to the KDC jpayne@68: will request canonicalization of the client principal name, and jpayne@68: answers with different client principals than the requested jpayne@68: principal will be accepted. The default value is false. jpayne@68: .TP jpayne@68: \fBccache_type\fP jpayne@68: This parameter determines the format of credential cache types jpayne@68: created by kinit(1) or other programs. The default value jpayne@68: is 4, which represents the most current format. Smaller values jpayne@68: can be used for compatibility with very old implementations of jpayne@68: Kerberos which interact with credential caches on the same host. jpayne@68: .TP jpayne@68: \fBclockskew\fP jpayne@68: Sets the maximum allowable amount of clockskew in seconds that the jpayne@68: library will tolerate before assuming that a Kerberos message is jpayne@68: invalid. The default value is 300 seconds, or five minutes. jpayne@68: .sp jpayne@68: The clockskew setting is also used when evaluating ticket start jpayne@68: and expiration times. For example, tickets that have reached jpayne@68: their expiration time can still be used (and renewed if they are jpayne@68: renewable tickets) if they have been expired for a shorter jpayne@68: duration than the \fBclockskew\fP setting. jpayne@68: .TP jpayne@68: \fBdefault_ccache_name\fP jpayne@68: This relation specifies the name of the default credential cache. jpayne@68: The default is \fBFILE:/tmp/krb5cc_%{uid}\fP\&. This relation is subject to parameter jpayne@68: expansion (see below). New in release 1.11. jpayne@68: .TP jpayne@68: \fBdefault_client_keytab_name\fP jpayne@68: This relation specifies the name of the default keytab for jpayne@68: obtaining client credentials. The default is \fBFILE:/opt/conda/var/krb5/user/%{euid}/client.keytab\fP\&. This jpayne@68: relation is subject to parameter expansion (see below). jpayne@68: New in release 1.11. jpayne@68: .TP jpayne@68: \fBdefault_keytab_name\fP jpayne@68: This relation specifies the default keytab name to be used by jpayne@68: application servers such as sshd. The default is \fBFILE:/etc/krb5.keytab\fP\&. This jpayne@68: relation is subject to parameter expansion (see below). jpayne@68: .TP jpayne@68: \fBdefault_rcache_name\fP jpayne@68: This relation specifies the name of the default replay cache. jpayne@68: The default is \fBdfl:\fP\&. This relation is subject to parameter jpayne@68: expansion (see below). New in release 1.18. jpayne@68: .TP jpayne@68: \fBdefault_realm\fP jpayne@68: Identifies the default Kerberos realm for the client. Set its jpayne@68: value to your Kerberos realm. If this value is not set, then a jpayne@68: realm must be specified with every Kerberos principal when jpayne@68: invoking programs such as kinit(1)\&. jpayne@68: .TP jpayne@68: \fBdefault_tgs_enctypes\fP jpayne@68: Identifies the supported list of session key encryption types that jpayne@68: the client should request when making a TGS\-REQ, in order of jpayne@68: preference from highest to lowest. The list may be delimited with jpayne@68: commas or whitespace. See Encryption_types in jpayne@68: kdc.conf(5) for a list of the accepted values for this tag. jpayne@68: Starting in release 1.18, the default value is the value of jpayne@68: \fBpermitted_enctypes\fP\&. For previous releases or if jpayne@68: \fBpermitted_enctypes\fP is not set, the default value is jpayne@68: \fBaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 aes256\-cts\-hmac\-sha384\-192 aes128\-cts\-hmac\-sha256\-128 des3\-cbc\-sha1 arcfour\-hmac\-md5 camellia256\-cts\-cmac camellia128\-cts\-cmac\fP\&. jpayne@68: .sp jpayne@68: Do not set this unless required for specific backward jpayne@68: compatibility purposes; stale values of this setting can prevent jpayne@68: clients from taking advantage of new stronger enctypes when the jpayne@68: libraries are upgraded. jpayne@68: .TP jpayne@68: \fBdefault_tkt_enctypes\fP jpayne@68: Identifies the supported list of session key encryption types that jpayne@68: the client should request when making an AS\-REQ, in order of jpayne@68: preference from highest to lowest. The format is the same as for jpayne@68: default_tgs_enctypes. Starting in release 1.18, the default jpayne@68: value is the value of \fBpermitted_enctypes\fP\&. For previous jpayne@68: releases or if \fBpermitted_enctypes\fP is not set, the default jpayne@68: value is \fBaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 aes256\-cts\-hmac\-sha384\-192 aes128\-cts\-hmac\-sha256\-128 des3\-cbc\-sha1 arcfour\-hmac\-md5 camellia256\-cts\-cmac camellia128\-cts\-cmac\fP\&. jpayne@68: .sp jpayne@68: Do not set this unless required for specific backward jpayne@68: compatibility purposes; stale values of this setting can prevent jpayne@68: clients from taking advantage of new stronger enctypes when the jpayne@68: libraries are upgraded. jpayne@68: .TP jpayne@68: \fBdns_canonicalize_hostname\fP jpayne@68: Indicate whether name lookups will be used to canonicalize jpayne@68: hostnames for use in service principal names. Setting this flag jpayne@68: to false can improve security by reducing reliance on DNS, but jpayne@68: means that short hostnames will not be canonicalized to jpayne@68: fully\-qualified hostnames. If this option is set to \fBfallback\fP (new jpayne@68: in release 1.18), DNS canonicalization will only be performed the jpayne@68: server hostname is not found with the original name when jpayne@68: requesting credentials. The default value is true. jpayne@68: .TP jpayne@68: \fBdns_lookup_kdc\fP jpayne@68: Indicate whether DNS SRV records should be used to locate the KDCs jpayne@68: and other servers for a realm, if they are not listed in the jpayne@68: krb5.conf information for the realm. (Note that the admin_server jpayne@68: entry must be in the krb5.conf realm information in order to jpayne@68: contact kadmind, because the DNS implementation for kadmin is jpayne@68: incomplete.) jpayne@68: .sp jpayne@68: Enabling this option does open up a type of denial\-of\-service jpayne@68: attack, if someone spoofs the DNS records and redirects you to jpayne@68: another server. However, it\(aqs no worse than a denial of service, jpayne@68: because that fake KDC will be unable to decode anything you send jpayne@68: it (besides the initial ticket request, which has no encrypted jpayne@68: data), and anything the fake KDC sends will not be trusted without jpayne@68: verification using some secret that it won\(aqt know. jpayne@68: .TP jpayne@68: \fBdns_uri_lookup\fP jpayne@68: Indicate whether DNS URI records should be used to locate the KDCs jpayne@68: and other servers for a realm, if they are not listed in the jpayne@68: krb5.conf information for the realm. SRV records are used as a jpayne@68: fallback if no URI records were found. The default value is true. jpayne@68: New in release 1.15. jpayne@68: .TP jpayne@68: \fBenforce_ok_as_delegate\fP jpayne@68: If this flag to true, GSSAPI credential delegation will be jpayne@68: disabled when the \fBok\-as\-delegate\fP flag is not set in the jpayne@68: service ticket. If this flag is false, the \fBok\-as\-delegate\fP jpayne@68: ticket flag is only enforced when an application specifically jpayne@68: requests enforcement. The default value is false. jpayne@68: .TP jpayne@68: \fBerr_fmt\fP jpayne@68: This relation allows for custom error message formatting. If a jpayne@68: value is set, error messages will be formatted by substituting a jpayne@68: normal error message for %M and an error code for %C in the value. jpayne@68: .TP jpayne@68: \fBextra_addresses\fP jpayne@68: This allows a computer to use multiple local addresses, in order jpayne@68: to allow Kerberos to work in a network that uses NATs while still jpayne@68: using address\-restricted tickets. The addresses should be in a jpayne@68: comma\-separated list. This option has no effect if jpayne@68: \fBnoaddresses\fP is true. jpayne@68: .TP jpayne@68: \fBforwardable\fP jpayne@68: If this flag is true, initial tickets will be forwardable by jpayne@68: default, if allowed by the KDC. The default value is false. jpayne@68: .TP jpayne@68: \fBignore_acceptor_hostname\fP jpayne@68: When accepting GSSAPI or krb5 security contexts for host\-based jpayne@68: service principals, ignore any hostname passed by the calling jpayne@68: application, and allow clients to authenticate to any service jpayne@68: principal in the keytab matching the service name and realm name jpayne@68: (if given). This option can improve the administrative jpayne@68: flexibility of server applications on multihomed hosts, but could jpayne@68: compromise the security of virtual hosting environments. The jpayne@68: default value is false. New in release 1.10. jpayne@68: .TP jpayne@68: \fBk5login_authoritative\fP jpayne@68: If this flag is true, principals must be listed in a local user\(aqs jpayne@68: k5login file to be granted login access, if a \&.k5login(5) jpayne@68: file exists. If this flag is false, a principal may still be jpayne@68: granted login access through other mechanisms even if a k5login jpayne@68: file exists but does not list the principal. The default value is jpayne@68: true. jpayne@68: .TP jpayne@68: \fBk5login_directory\fP jpayne@68: If set, the library will look for a local user\(aqs k5login file jpayne@68: within the named directory, with a filename corresponding to the jpayne@68: local username. If not set, the library will look for k5login jpayne@68: files in the user\(aqs home directory, with the filename .k5login. jpayne@68: For security reasons, .k5login files must be owned by jpayne@68: the local user or by root. jpayne@68: .TP jpayne@68: \fBkcm_mach_service\fP jpayne@68: On macOS only, determines the name of the bootstrap service used to jpayne@68: contact the KCM daemon for the KCM credential cache type. If the jpayne@68: value is \fB\-\fP, Mach RPC will not be used to contact the KCM jpayne@68: daemon. The default value is \fBorg.h5l.kcm\fP\&. jpayne@68: .TP jpayne@68: \fBkcm_socket\fP jpayne@68: Determines the path to the Unix domain socket used to access the jpayne@68: KCM daemon for the KCM credential cache type. If the value is jpayne@68: \fB\-\fP, Unix domain sockets will not be used to contact the KCM jpayne@68: daemon. The default value is jpayne@68: \fB/var/run/.heim_org.h5l.kcm\-socket\fP\&. jpayne@68: .TP jpayne@68: \fBkdc_default_options\fP jpayne@68: Default KDC options (Xored for multiple values) when requesting jpayne@68: initial tickets. By default it is set to 0x00000010 jpayne@68: (KDC_OPT_RENEWABLE_OK). jpayne@68: .TP jpayne@68: \fBkdc_timesync\fP jpayne@68: Accepted values for this relation are 1 or 0. If it is nonzero, jpayne@68: client machines will compute the difference between their time and jpayne@68: the time returned by the KDC in the timestamps in the tickets and jpayne@68: use this value to correct for an inaccurate system clock when jpayne@68: requesting service tickets or authenticating to services. This jpayne@68: corrective factor is only used by the Kerberos library; it is not jpayne@68: used to change the system clock. The default value is 1. jpayne@68: .TP jpayne@68: \fBnoaddresses\fP jpayne@68: If this flag is true, requests for initial tickets will not be jpayne@68: made with address restrictions set, allowing the tickets to be jpayne@68: used across NATs. The default value is true. jpayne@68: .TP jpayne@68: \fBpermitted_enctypes\fP jpayne@68: Identifies the encryption types that servers will permit for jpayne@68: session keys and for ticket and authenticator encryption, ordered jpayne@68: by preference from highest to lowest. Starting in release 1.18, jpayne@68: this tag also acts as the default value for jpayne@68: \fBdefault_tgs_enctypes\fP and \fBdefault_tkt_enctypes\fP\&. The jpayne@68: default value for this tag is \fBaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 aes256\-cts\-hmac\-sha384\-192 aes128\-cts\-hmac\-sha256\-128 des3\-cbc\-sha1 arcfour\-hmac\-md5 camellia256\-cts\-cmac camellia128\-cts\-cmac\fP\&. jpayne@68: .TP jpayne@68: \fBplugin_base_dir\fP jpayne@68: If set, determines the base directory where krb5 plugins are jpayne@68: located. The default value is the \fBkrb5/plugins\fP subdirectory jpayne@68: of the krb5 library directory. This relation is subject to jpayne@68: parameter expansion (see below) in release 1.17 and later. jpayne@68: .TP jpayne@68: \fBpreferred_preauth_types\fP jpayne@68: This allows you to set the preferred preauthentication types which jpayne@68: the client will attempt before others which may be advertised by a jpayne@68: KDC. The default value for this setting is "17, 16, 15, 14", jpayne@68: which forces libkrb5 to attempt to use PKINIT if it is supported. jpayne@68: .TP jpayne@68: \fBproxiable\fP jpayne@68: If this flag is true, initial tickets will be proxiable by jpayne@68: default, if allowed by the KDC. The default value is false. jpayne@68: .TP jpayne@68: \fBqualify_shortname\fP jpayne@68: If this string is set, it determines the domain suffix for jpayne@68: single\-component hostnames when DNS canonicalization is not used jpayne@68: (either because \fBdns_canonicalize_hostname\fP is false or because jpayne@68: forward canonicalization failed). The default value is the first jpayne@68: search domain of the system\(aqs DNS configuration. To disable jpayne@68: qualification of shortnames, set this relation to the empty string jpayne@68: with \fBqualify_shortname = ""\fP\&. (New in release 1.18.) jpayne@68: .TP jpayne@68: \fBrdns\fP jpayne@68: If this flag is true, reverse name lookup will be used in addition jpayne@68: to forward name lookup to canonicalizing hostnames for use in jpayne@68: service principal names. If \fBdns_canonicalize_hostname\fP is set jpayne@68: to false, this flag has no effect. The default value is true. jpayne@68: .TP jpayne@68: \fBrealm_try_domains\fP jpayne@68: Indicate whether a host\(aqs domain components should be used to jpayne@68: determine the Kerberos realm of the host. The value of this jpayne@68: variable is an integer: \-1 means not to search, 0 means to try the jpayne@68: host\(aqs domain itself, 1 means to also try the domain\(aqs immediate jpayne@68: parent, and so forth. The library\(aqs usual mechanism for locating jpayne@68: Kerberos realms is used to determine whether a domain is a valid jpayne@68: realm, which may involve consulting DNS if \fBdns_lookup_kdc\fP is jpayne@68: set. The default is not to search domain components. jpayne@68: .TP jpayne@68: \fBrenew_lifetime\fP jpayne@68: (duration string.) Sets the default renewable lifetime jpayne@68: for initial ticket requests. The default value is 0. jpayne@68: .TP jpayne@68: \fBspake_preauth_groups\fP jpayne@68: A whitespace or comma\-separated list of words which specifies the jpayne@68: groups allowed for SPAKE preauthentication. The possible values jpayne@68: are: jpayne@68: .TS jpayne@68: center; jpayne@68: |l|l|. jpayne@68: _ jpayne@68: T{ jpayne@68: edwards25519 jpayne@68: T} T{ jpayne@68: Edwards25519 curve (\fI\%RFC 7748\fP) jpayne@68: T} jpayne@68: _ jpayne@68: T{ jpayne@68: P\-256 jpayne@68: T} T{ jpayne@68: NIST P\-256 curve (\fI\%RFC 5480\fP) jpayne@68: T} jpayne@68: _ jpayne@68: T{ jpayne@68: P\-384 jpayne@68: T} T{ jpayne@68: NIST P\-384 curve (\fI\%RFC 5480\fP) jpayne@68: T} jpayne@68: _ jpayne@68: T{ jpayne@68: P\-521 jpayne@68: T} T{ jpayne@68: NIST P\-521 curve (\fI\%RFC 5480\fP) jpayne@68: T} jpayne@68: _ jpayne@68: .TE jpayne@68: .sp jpayne@68: The default value for the client is \fBedwards25519\fP\&. The default jpayne@68: value for the KDC is empty. New in release 1.17. jpayne@68: .TP jpayne@68: \fBticket_lifetime\fP jpayne@68: (duration string.) Sets the default lifetime for initial jpayne@68: ticket requests. The default value is 1 day. jpayne@68: .TP jpayne@68: \fBudp_preference_limit\fP jpayne@68: When sending a message to the KDC, the library will try using TCP jpayne@68: before UDP if the size of the message is above jpayne@68: \fBudp_preference_limit\fP\&. If the message is smaller than jpayne@68: \fBudp_preference_limit\fP, then UDP will be tried before TCP. jpayne@68: Regardless of the size, both protocols will be tried if the first jpayne@68: attempt fails. jpayne@68: .TP jpayne@68: \fBverify_ap_req_nofail\fP jpayne@68: If this flag is true, then an attempt to verify initial jpayne@68: credentials will fail if the client machine does not have a jpayne@68: keytab. The default value is false. jpayne@68: .TP jpayne@68: \fBclient_aware_channel_bindings\fP jpayne@68: If this flag is true, then all application protocol authentication jpayne@68: requests will be flagged to indicate that the application supports jpayne@68: channel bindings when operating over a secure channel. The jpayne@68: default value is false. jpayne@68: .UNINDENT jpayne@68: .SS [realms] jpayne@68: .sp jpayne@68: Each tag in the [realms] section of the file is the name of a Kerberos jpayne@68: realm. The value of the tag is a subsection with relations that jpayne@68: define the properties of that particular realm. For each realm, the jpayne@68: following tags may be specified in the realm\(aqs subsection: jpayne@68: .INDENT 0.0 jpayne@68: .TP jpayne@68: \fBadmin_server\fP jpayne@68: Identifies the host where the administration server is running. jpayne@68: Typically, this is the primary Kerberos server. This tag must be jpayne@68: given a value in order to communicate with the kadmind(8) jpayne@68: server for the realm. jpayne@68: .TP jpayne@68: \fBauth_to_local\fP jpayne@68: This tag allows you to set a general rule for mapping principal jpayne@68: names to local user names. It will be used if there is not an jpayne@68: explicit mapping for the principal name that is being jpayne@68: translated. The possible values are: jpayne@68: .INDENT 7.0 jpayne@68: .TP jpayne@68: \fBRULE:\fP\fIexp\fP jpayne@68: The local name will be formulated from \fIexp\fP\&. jpayne@68: .sp jpayne@68: The format for \fIexp\fP is \fB[\fP\fIn\fP\fB:\fP\fIstring\fP\fB](\fP\fIregexp\fP\fB)s/\fP\fIpattern\fP\fB/\fP\fIreplacement\fP\fB/g\fP\&. jpayne@68: The integer \fIn\fP indicates how many components the target jpayne@68: principal should have. If this matches, then a string will be jpayne@68: formed from \fIstring\fP, substituting the realm of the principal jpayne@68: for \fB$0\fP and the \fIn\fP\(aqth component of the principal for jpayne@68: \fB$n\fP (e.g., if the principal was \fBjohndoe/admin\fP then jpayne@68: \fB[2:$2$1foo]\fP would result in the string jpayne@68: \fBadminjohndoefoo\fP). If this string matches \fIregexp\fP, then jpayne@68: the \fBs//[g]\fP substitution command will be run over the jpayne@68: string. The optional \fBg\fP will cause the substitution to be jpayne@68: global over the \fIstring\fP, instead of replacing only the first jpayne@68: match in the \fIstring\fP\&. jpayne@68: .TP jpayne@68: \fBDEFAULT\fP jpayne@68: The principal name will be used as the local user name. If jpayne@68: the principal has more than one component or is not in the jpayne@68: default realm, this rule is not applicable and the conversion jpayne@68: will fail. jpayne@68: .UNINDENT jpayne@68: .sp jpayne@68: For example: jpayne@68: .INDENT 7.0 jpayne@68: .INDENT 3.5 jpayne@68: .sp jpayne@68: .nf jpayne@68: .ft C jpayne@68: [realms] jpayne@68: ATHENA.MIT.EDU = { jpayne@68: auth_to_local = RULE:[2:$1](johndoe)s/^.*$/guest/ jpayne@68: auth_to_local = RULE:[2:$1;$2](^.*;admin$)s/;admin$// jpayne@68: auth_to_local = RULE:[2:$2](^.*;root)s/^.*$/root/ jpayne@68: auth_to_local = DEFAULT jpayne@68: } jpayne@68: .ft P jpayne@68: .fi jpayne@68: .UNINDENT jpayne@68: .UNINDENT jpayne@68: .sp jpayne@68: would result in any principal without \fBroot\fP or \fBadmin\fP as the jpayne@68: second component to be translated with the default rule. A jpayne@68: principal with a second component of \fBadmin\fP will become its jpayne@68: first component. \fBroot\fP will be used as the local name for any jpayne@68: principal with a second component of \fBroot\fP\&. The exception to jpayne@68: these two rules are any principals \fBjohndoe/*\fP, which will jpayne@68: always get the local name \fBguest\fP\&. jpayne@68: .TP jpayne@68: \fBauth_to_local_names\fP jpayne@68: This subsection allows you to set explicit mappings from principal jpayne@68: names to local user names. The tag is the mapping name, and the jpayne@68: value is the corresponding local user name. jpayne@68: .TP jpayne@68: \fBdefault_domain\fP jpayne@68: This tag specifies the domain used to expand hostnames when jpayne@68: translating Kerberos 4 service principals to Kerberos 5 principals jpayne@68: (for example, when converting \fBrcmd.hostname\fP to jpayne@68: \fBhost/hostname.domain\fP). jpayne@68: .TP jpayne@68: \fBdisable_encrypted_timestamp\fP jpayne@68: If this flag is true, the client will not perform encrypted jpayne@68: timestamp preauthentication if requested by the KDC. Setting this jpayne@68: flag can help to prevent dictionary attacks by active attackers, jpayne@68: if the realm\(aqs KDCs support SPAKE preauthentication or if initial jpayne@68: authentication always uses another mechanism or always uses FAST. jpayne@68: This flag persists across client referrals during initial jpayne@68: authentication. This flag does not prevent the KDC from offering jpayne@68: encrypted timestamp. New in release 1.17. jpayne@68: .TP jpayne@68: \fBhttp_anchors\fP jpayne@68: When KDCs and kpasswd servers are accessed through HTTPS proxies, this tag jpayne@68: can be used to specify the location of the CA certificate which should be jpayne@68: trusted to issue the certificate for a proxy server. If left unspecified, jpayne@68: the system\-wide default set of CA certificates is used. jpayne@68: .sp jpayne@68: The syntax for values is similar to that of values for the jpayne@68: \fBpkinit_anchors\fP tag: jpayne@68: .sp jpayne@68: \fBFILE:\fP \fIfilename\fP jpayne@68: .sp jpayne@68: \fIfilename\fP is assumed to be the name of an OpenSSL\-style ca\-bundle file. jpayne@68: .sp jpayne@68: \fBDIR:\fP \fIdirname\fP jpayne@68: .sp jpayne@68: \fIdirname\fP is assumed to be an directory which contains CA certificates. jpayne@68: All files in the directory will be examined; if they contain certificates jpayne@68: (in PEM format), they will be used. jpayne@68: .sp jpayne@68: \fBENV:\fP \fIenvvar\fP jpayne@68: .sp jpayne@68: \fIenvvar\fP specifies the name of an environment variable which has been set jpayne@68: to a value conforming to one of the previous values. For example, jpayne@68: \fBENV:X509_PROXY_CA\fP, where environment variable \fBX509_PROXY_CA\fP has jpayne@68: been set to \fBFILE:/tmp/my_proxy.pem\fP\&. jpayne@68: .TP jpayne@68: \fBkdc\fP jpayne@68: The name or address of a host running a KDC for that realm. An jpayne@68: optional port number, separated from the hostname by a colon, may jpayne@68: be included. If the name or address contains colons (for example, jpayne@68: if it is an IPv6 address), enclose it in square brackets to jpayne@68: distinguish the colon from a port separator. For your computer to jpayne@68: be able to communicate with the KDC for each realm, this tag must jpayne@68: be given a value in each realm subsection in the configuration jpayne@68: file, or there must be DNS SRV records specifying the KDCs. jpayne@68: .TP jpayne@68: \fBkpasswd_server\fP jpayne@68: Points to the server where all the password changes are performed. jpayne@68: If there is no such entry, DNS will be queried (unless forbidden jpayne@68: by \fBdns_lookup_kdc\fP). Finally, port 464 on the \fBadmin_server\fP jpayne@68: host will be tried. jpayne@68: .TP jpayne@68: \fBmaster_kdc\fP jpayne@68: The name for \fBprimary_kdc\fP prior to release 1.19. Its value is jpayne@68: used as a fallback if \fBprimary_kdc\fP is not specified. jpayne@68: .TP jpayne@68: \fBprimary_kdc\fP jpayne@68: Identifies the primary KDC(s). Currently, this tag is used in only jpayne@68: one case: If an attempt to get credentials fails because of an jpayne@68: invalid password, the client software will attempt to contact the jpayne@68: primary KDC, in case the user\(aqs password has just been changed, and jpayne@68: the updated database has not been propagated to the replica jpayne@68: servers yet. New in release 1.19. jpayne@68: .TP jpayne@68: \fBv4_instance_convert\fP jpayne@68: This subsection allows the administrator to configure exceptions jpayne@68: to the \fBdefault_domain\fP mapping rule. It contains V4 instances jpayne@68: (the tag name) which should be translated to some specific jpayne@68: hostname (the tag value) as the second component in a Kerberos V5 jpayne@68: principal name. jpayne@68: .TP jpayne@68: \fBv4_realm\fP jpayne@68: This relation is used by the krb524 library routines when jpayne@68: converting a V5 principal name to a V4 principal name. It is used jpayne@68: when the V4 realm name and the V5 realm name are not the same, but jpayne@68: still share the same principal names and passwords. The tag value jpayne@68: is the Kerberos V4 realm name. jpayne@68: .UNINDENT jpayne@68: .SS [domain_realm] jpayne@68: .sp jpayne@68: The [domain_realm] section provides a translation from hostnames to jpayne@68: Kerberos realms. Each tag is a domain name, providing the mapping for jpayne@68: that domain and all subdomains. If the tag begins with a period jpayne@68: (\fB\&.\fP) then it applies only to subdomains. The Kerberos realm may be jpayne@68: identified either in the \fI\%realms\fP section or using DNS SRV records. jpayne@68: Tag names should be in lower case. For example: jpayne@68: .INDENT 0.0 jpayne@68: .INDENT 3.5 jpayne@68: .sp jpayne@68: .nf jpayne@68: .ft C jpayne@68: [domain_realm] jpayne@68: crash.mit.edu = TEST.ATHENA.MIT.EDU jpayne@68: .dev.mit.edu = TEST.ATHENA.MIT.EDU jpayne@68: mit.edu = ATHENA.MIT.EDU jpayne@68: .ft P jpayne@68: .fi jpayne@68: .UNINDENT jpayne@68: .UNINDENT jpayne@68: .sp jpayne@68: maps the host with the name \fBcrash.mit.edu\fP into the jpayne@68: \fBTEST.ATHENA.MIT.EDU\fP realm. The second entry maps all hosts under the jpayne@68: domain \fBdev.mit.edu\fP into the \fBTEST.ATHENA.MIT.EDU\fP realm, but not jpayne@68: the host with the name \fBdev.mit.edu\fP\&. That host is matched jpayne@68: by the third entry, which maps the host \fBmit.edu\fP and all hosts jpayne@68: under the domain \fBmit.edu\fP that do not match a preceding rule jpayne@68: into the realm \fBATHENA.MIT.EDU\fP\&. jpayne@68: .sp jpayne@68: If no translation entry applies to a hostname used for a service jpayne@68: principal for a service ticket request, the library will try to get a jpayne@68: referral to the appropriate realm from the client realm\(aqs KDC. If jpayne@68: that does not succeed, the host\(aqs realm is considered to be the jpayne@68: hostname\(aqs domain portion converted to uppercase, unless the jpayne@68: \fBrealm_try_domains\fP setting in [libdefaults] causes a different jpayne@68: parent domain to be used. jpayne@68: .SS [capaths] jpayne@68: .sp jpayne@68: In order to perform direct (non\-hierarchical) cross\-realm jpayne@68: authentication, configuration is needed to determine the jpayne@68: authentication paths between realms. jpayne@68: .sp jpayne@68: A client will use this section to find the authentication path between jpayne@68: its realm and the realm of the server. The server will use this jpayne@68: section to verify the authentication path used by the client, by jpayne@68: checking the transited field of the received ticket. jpayne@68: .sp jpayne@68: There is a tag for each participating client realm, and each tag has jpayne@68: subtags for each of the server realms. The value of the subtags is an jpayne@68: intermediate realm which may participate in the cross\-realm jpayne@68: authentication. The subtags may be repeated if there is more then one jpayne@68: intermediate realm. A value of "." means that the two realms share jpayne@68: keys directly, and no intermediate realms should be allowed to jpayne@68: participate. jpayne@68: .sp jpayne@68: Only those entries which will be needed on the client or the server jpayne@68: need to be present. A client needs a tag for its local realm with jpayne@68: subtags for all the realms of servers it will need to authenticate to. jpayne@68: A server needs a tag for each realm of the clients it will serve, with jpayne@68: a subtag of the server realm. jpayne@68: .sp jpayne@68: For example, \fBANL.GOV\fP, \fBPNL.GOV\fP, and \fBNERSC.GOV\fP all wish to jpayne@68: use the \fBES.NET\fP realm as an intermediate realm. ANL has a sub jpayne@68: realm of \fBTEST.ANL.GOV\fP which will authenticate with \fBNERSC.GOV\fP jpayne@68: but not \fBPNL.GOV\fP\&. The [capaths] section for \fBANL.GOV\fP systems jpayne@68: would look like this: jpayne@68: .INDENT 0.0 jpayne@68: .INDENT 3.5 jpayne@68: .sp jpayne@68: .nf jpayne@68: .ft C jpayne@68: [capaths] jpayne@68: ANL.GOV = { jpayne@68: TEST.ANL.GOV = . jpayne@68: PNL.GOV = ES.NET jpayne@68: NERSC.GOV = ES.NET jpayne@68: ES.NET = . jpayne@68: } jpayne@68: TEST.ANL.GOV = { jpayne@68: ANL.GOV = . jpayne@68: } jpayne@68: PNL.GOV = { jpayne@68: ANL.GOV = ES.NET jpayne@68: } jpayne@68: NERSC.GOV = { jpayne@68: ANL.GOV = ES.NET jpayne@68: } jpayne@68: ES.NET = { jpayne@68: ANL.GOV = . jpayne@68: } jpayne@68: .ft P jpayne@68: .fi jpayne@68: .UNINDENT jpayne@68: .UNINDENT jpayne@68: .sp jpayne@68: The [capaths] section of the configuration file used on \fBNERSC.GOV\fP jpayne@68: systems would look like this: jpayne@68: .INDENT 0.0 jpayne@68: .INDENT 3.5 jpayne@68: .sp jpayne@68: .nf jpayne@68: .ft C jpayne@68: [capaths] jpayne@68: NERSC.GOV = { jpayne@68: ANL.GOV = ES.NET jpayne@68: TEST.ANL.GOV = ES.NET jpayne@68: TEST.ANL.GOV = ANL.GOV jpayne@68: PNL.GOV = ES.NET jpayne@68: ES.NET = . jpayne@68: } jpayne@68: ANL.GOV = { jpayne@68: NERSC.GOV = ES.NET jpayne@68: } jpayne@68: PNL.GOV = { jpayne@68: NERSC.GOV = ES.NET jpayne@68: } jpayne@68: ES.NET = { jpayne@68: NERSC.GOV = . jpayne@68: } jpayne@68: TEST.ANL.GOV = { jpayne@68: NERSC.GOV = ANL.GOV jpayne@68: NERSC.GOV = ES.NET jpayne@68: } jpayne@68: .ft P jpayne@68: .fi jpayne@68: .UNINDENT jpayne@68: .UNINDENT jpayne@68: .sp jpayne@68: When a subtag is used more than once within a tag, clients will use jpayne@68: the order of values to determine the path. The order of values is not jpayne@68: important to servers. jpayne@68: .SS [appdefaults] jpayne@68: .sp jpayne@68: Each tag in the [appdefaults] section names a Kerberos V5 application jpayne@68: or an option that is used by some Kerberos V5 application[s]. The jpayne@68: value of the tag defines the default behaviors for that application. jpayne@68: .sp jpayne@68: For example: jpayne@68: .INDENT 0.0 jpayne@68: .INDENT 3.5 jpayne@68: .sp jpayne@68: .nf jpayne@68: .ft C jpayne@68: [appdefaults] jpayne@68: telnet = { jpayne@68: ATHENA.MIT.EDU = { jpayne@68: option1 = false jpayne@68: } jpayne@68: } jpayne@68: telnet = { jpayne@68: option1 = true jpayne@68: option2 = true jpayne@68: } jpayne@68: ATHENA.MIT.EDU = { jpayne@68: option2 = false jpayne@68: } jpayne@68: option2 = true jpayne@68: .ft P jpayne@68: .fi jpayne@68: .UNINDENT jpayne@68: .UNINDENT jpayne@68: .sp jpayne@68: The above four ways of specifying the value of an option are shown in jpayne@68: order of decreasing precedence. In this example, if telnet is running jpayne@68: in the realm EXAMPLE.COM, it should, by default, have option1 and jpayne@68: option2 set to true. However, a telnet program in the realm jpayne@68: \fBATHENA.MIT.EDU\fP should have \fBoption1\fP set to false and jpayne@68: \fBoption2\fP set to true. Any other programs in ATHENA.MIT.EDU should jpayne@68: have \fBoption2\fP set to false by default. Any programs running in jpayne@68: other realms should have \fBoption2\fP set to true. jpayne@68: .sp jpayne@68: The list of specifiable options for each application may be found in jpayne@68: that application\(aqs man pages. The application defaults specified here jpayne@68: are overridden by those specified in the \fI\%realms\fP section. jpayne@68: .SS [plugins] jpayne@68: .INDENT 0.0 jpayne@68: .INDENT 3.5 jpayne@68: .INDENT 0.0 jpayne@68: .IP \(bu 2 jpayne@68: \fI\%pwqual\fP interface jpayne@68: .IP \(bu 2 jpayne@68: \fI\%kadm5_hook\fP interface jpayne@68: .IP \(bu 2 jpayne@68: \fI\%clpreauth\fP and \fI\%kdcpreauth\fP interfaces jpayne@68: .UNINDENT jpayne@68: .UNINDENT jpayne@68: .UNINDENT jpayne@68: .sp jpayne@68: Tags in the [plugins] section can be used to register dynamic plugin jpayne@68: modules and to turn modules on and off. Not every krb5 pluggable jpayne@68: interface uses the [plugins] section; the ones that do are documented jpayne@68: here. jpayne@68: .sp jpayne@68: New in release 1.9. jpayne@68: .sp jpayne@68: Each pluggable interface corresponds to a subsection of [plugins]. jpayne@68: All subsections support the same tags: jpayne@68: .INDENT 0.0 jpayne@68: .TP jpayne@68: \fBdisable\fP jpayne@68: This tag may have multiple values. If there are values for this jpayne@68: tag, then the named modules will be disabled for the pluggable jpayne@68: interface. jpayne@68: .TP jpayne@68: \fBenable_only\fP jpayne@68: This tag may have multiple values. If there are values for this jpayne@68: tag, then only the named modules will be enabled for the pluggable jpayne@68: interface. jpayne@68: .TP jpayne@68: \fBmodule\fP jpayne@68: This tag may have multiple values. Each value is a string of the jpayne@68: form \fBmodulename:pathname\fP, which causes the shared object jpayne@68: located at \fIpathname\fP to be registered as a dynamic module named jpayne@68: \fImodulename\fP for the pluggable interface. If \fIpathname\fP is not an jpayne@68: absolute path, it will be treated as relative to the jpayne@68: \fBplugin_base_dir\fP value from \fI\%[libdefaults]\fP\&. jpayne@68: .UNINDENT jpayne@68: .sp jpayne@68: For pluggable interfaces where module order matters, modules jpayne@68: registered with a \fBmodule\fP tag normally come first, in the order jpayne@68: they are registered, followed by built\-in modules in the order they jpayne@68: are documented below. If \fBenable_only\fP tags are used, then the jpayne@68: order of those tags overrides the normal module order. jpayne@68: .sp jpayne@68: The following subsections are currently supported within the [plugins] jpayne@68: section: jpayne@68: .SS ccselect interface jpayne@68: .sp jpayne@68: The ccselect subsection controls modules for credential cache jpayne@68: selection within a cache collection. In addition to any registered jpayne@68: dynamic modules, the following built\-in modules exist (and may be jpayne@68: disabled with the disable tag): jpayne@68: .INDENT 0.0 jpayne@68: .TP jpayne@68: \fBk5identity\fP jpayne@68: Uses a .k5identity file in the user\(aqs home directory to select a jpayne@68: client principal jpayne@68: .TP jpayne@68: \fBrealm\fP jpayne@68: Uses the service realm to guess an appropriate cache from the jpayne@68: collection jpayne@68: .TP jpayne@68: \fBhostname\fP jpayne@68: If the service principal is host\-based, uses the service hostname jpayne@68: to guess an appropriate cache from the collection jpayne@68: .UNINDENT jpayne@68: .SS pwqual interface jpayne@68: .sp jpayne@68: The pwqual subsection controls modules for the password quality jpayne@68: interface, which is used to reject weak passwords when passwords are jpayne@68: changed. The following built\-in modules exist for this interface: jpayne@68: .INDENT 0.0 jpayne@68: .TP jpayne@68: \fBdict\fP jpayne@68: Checks against the realm dictionary file jpayne@68: .TP jpayne@68: \fBempty\fP jpayne@68: Rejects empty passwords jpayne@68: .TP jpayne@68: \fBhesiod\fP jpayne@68: Checks against user information stored in Hesiod (only if Kerberos jpayne@68: was built with Hesiod support) jpayne@68: .TP jpayne@68: \fBprinc\fP jpayne@68: Checks against components of the principal name jpayne@68: .UNINDENT jpayne@68: .SS kadm5_hook interface jpayne@68: .sp jpayne@68: The kadm5_hook interface provides plugins with information on jpayne@68: principal creation, modification, password changes and deletion. This jpayne@68: interface can be used to write a plugin to synchronize MIT Kerberos jpayne@68: with another database such as Active Directory. No plugins are built jpayne@68: in for this interface. jpayne@68: .SS kadm5_auth interface jpayne@68: .sp jpayne@68: The kadm5_auth section (introduced in release 1.16) controls modules jpayne@68: for the kadmin authorization interface, which determines whether a jpayne@68: client principal is allowed to perform a kadmin operation. The jpayne@68: following built\-in modules exist for this interface: jpayne@68: .INDENT 0.0 jpayne@68: .TP jpayne@68: \fBacl\fP jpayne@68: This module reads the kadm5.acl(5) file, and authorizes jpayne@68: operations which are allowed according to the rules in the file. jpayne@68: .TP jpayne@68: \fBself\fP jpayne@68: This module authorizes self\-service operations including password jpayne@68: changes, creation of new random keys, fetching the client\(aqs jpayne@68: principal record or string attributes, and fetching the policy jpayne@68: record associated with the client principal. jpayne@68: .UNINDENT jpayne@68: .SS clpreauth and kdcpreauth interfaces jpayne@68: .sp jpayne@68: The clpreauth and kdcpreauth interfaces allow plugin modules to jpayne@68: provide client and KDC preauthentication mechanisms. The following jpayne@68: built\-in modules exist for these interfaces: jpayne@68: .INDENT 0.0 jpayne@68: .TP jpayne@68: \fBpkinit\fP jpayne@68: This module implements the PKINIT preauthentication mechanism. jpayne@68: .TP jpayne@68: \fBencrypted_challenge\fP jpayne@68: This module implements the encrypted challenge FAST factor. jpayne@68: .TP jpayne@68: \fBencrypted_timestamp\fP jpayne@68: This module implements the encrypted timestamp mechanism. jpayne@68: .UNINDENT jpayne@68: .SS hostrealm interface jpayne@68: .sp jpayne@68: The hostrealm section (introduced in release 1.12) controls modules jpayne@68: for the host\-to\-realm interface, which affects the local mapping of jpayne@68: hostnames to realm names and the choice of default realm. The following jpayne@68: built\-in modules exist for this interface: jpayne@68: .INDENT 0.0 jpayne@68: .TP jpayne@68: \fBprofile\fP jpayne@68: This module consults the [domain_realm] section of the profile for jpayne@68: authoritative host\-to\-realm mappings, and the \fBdefault_realm\fP jpayne@68: variable for the default realm. jpayne@68: .TP jpayne@68: \fBdns\fP jpayne@68: This module looks for DNS records for fallback host\-to\-realm jpayne@68: mappings and the default realm. It only operates if the jpayne@68: \fBdns_lookup_realm\fP variable is set to true. jpayne@68: .TP jpayne@68: \fBdomain\fP jpayne@68: This module applies heuristics for fallback host\-to\-realm jpayne@68: mappings. It implements the \fBrealm_try_domains\fP variable, and jpayne@68: uses the uppercased parent domain of the hostname if that does not jpayne@68: produce a result. jpayne@68: .UNINDENT jpayne@68: .SS localauth interface jpayne@68: .sp jpayne@68: The localauth section (introduced in release 1.12) controls modules jpayne@68: for the local authorization interface, which affects the relationship jpayne@68: between Kerberos principals and local system accounts. The following jpayne@68: built\-in modules exist for this interface: jpayne@68: .INDENT 0.0 jpayne@68: .TP jpayne@68: \fBdefault\fP jpayne@68: This module implements the \fBDEFAULT\fP type for \fBauth_to_local\fP jpayne@68: values. jpayne@68: .TP jpayne@68: \fBrule\fP jpayne@68: This module implements the \fBRULE\fP type for \fBauth_to_local\fP jpayne@68: values. jpayne@68: .TP jpayne@68: \fBnames\fP jpayne@68: This module looks for an \fBauth_to_local_names\fP mapping for the jpayne@68: principal name. jpayne@68: .TP jpayne@68: \fBauth_to_local\fP jpayne@68: This module processes \fBauth_to_local\fP values in the default jpayne@68: realm\(aqs section, and applies the default method if no jpayne@68: \fBauth_to_local\fP values exist. jpayne@68: .TP jpayne@68: \fBk5login\fP jpayne@68: This module authorizes a principal to a local account according to jpayne@68: the account\(aqs \&.k5login(5) file. jpayne@68: .TP jpayne@68: \fBan2ln\fP jpayne@68: This module authorizes a principal to a local account if the jpayne@68: principal name maps to the local account name. jpayne@68: .UNINDENT jpayne@68: .SS certauth interface jpayne@68: .sp jpayne@68: The certauth section (introduced in release 1.16) controls modules for jpayne@68: the certificate authorization interface, which determines whether a jpayne@68: certificate is allowed to preauthenticate a user via PKINIT. The jpayne@68: following built\-in modules exist for this interface: jpayne@68: .INDENT 0.0 jpayne@68: .TP jpayne@68: \fBpkinit_san\fP jpayne@68: This module authorizes the certificate if it contains a PKINIT jpayne@68: Subject Alternative Name for the requested client principal, or a jpayne@68: Microsoft UPN SAN matching the principal if \fBpkinit_allow_upn\fP jpayne@68: is set to true for the realm. jpayne@68: .TP jpayne@68: \fBpkinit_eku\fP jpayne@68: This module rejects the certificate if it does not contain an jpayne@68: Extended Key Usage attribute consistent with the jpayne@68: \fBpkinit_eku_checking\fP value for the realm. jpayne@68: .TP jpayne@68: \fBdbmatch\fP jpayne@68: This module authorizes or rejects the certificate according to jpayne@68: whether it matches the \fBpkinit_cert_match\fP string attribute on jpayne@68: the client principal, if that attribute is present. jpayne@68: .UNINDENT jpayne@68: .SH PKINIT OPTIONS jpayne@68: .sp jpayne@68: \fBNOTE:\fP jpayne@68: .INDENT 0.0 jpayne@68: .INDENT 3.5 jpayne@68: The following are PKINIT\-specific options. These values may jpayne@68: be specified in [libdefaults] as global defaults, or within jpayne@68: a realm\-specific subsection of [libdefaults], or may be jpayne@68: specified as realm\-specific values in the [realms] section. jpayne@68: A realm\-specific value overrides, not adds to, a generic jpayne@68: [libdefaults] specification. The search order is: jpayne@68: .UNINDENT jpayne@68: .UNINDENT jpayne@68: .INDENT 0.0 jpayne@68: .IP 1. 3 jpayne@68: realm\-specific subsection of [libdefaults]: jpayne@68: .INDENT 3.0 jpayne@68: .INDENT 3.5 jpayne@68: .sp jpayne@68: .nf jpayne@68: .ft C jpayne@68: [libdefaults] jpayne@68: EXAMPLE.COM = { jpayne@68: pkinit_anchors = FILE:/usr/local/example.com.crt jpayne@68: } jpayne@68: .ft P jpayne@68: .fi jpayne@68: .UNINDENT jpayne@68: .UNINDENT jpayne@68: .IP 2. 3 jpayne@68: realm\-specific value in the [realms] section: jpayne@68: .INDENT 3.0 jpayne@68: .INDENT 3.5 jpayne@68: .sp jpayne@68: .nf jpayne@68: .ft C jpayne@68: [realms] jpayne@68: OTHERREALM.ORG = { jpayne@68: pkinit_anchors = FILE:/usr/local/otherrealm.org.crt jpayne@68: } jpayne@68: .ft P jpayne@68: .fi jpayne@68: .UNINDENT jpayne@68: .UNINDENT jpayne@68: .IP 3. 3 jpayne@68: generic value in the [libdefaults] section: jpayne@68: .INDENT 3.0 jpayne@68: .INDENT 3.5 jpayne@68: .sp jpayne@68: .nf jpayne@68: .ft C jpayne@68: [libdefaults] jpayne@68: pkinit_anchors = DIR:/usr/local/generic_trusted_cas/ jpayne@68: .ft P jpayne@68: .fi jpayne@68: .UNINDENT jpayne@68: .UNINDENT jpayne@68: .UNINDENT jpayne@68: .SS Specifying PKINIT identity information jpayne@68: .sp jpayne@68: The syntax for specifying Public Key identity, trust, and revocation jpayne@68: information for PKINIT is as follows: jpayne@68: .INDENT 0.0 jpayne@68: .TP jpayne@68: \fBFILE:\fP\fIfilename\fP[\fB,\fP\fIkeyfilename\fP] jpayne@68: This option has context\-specific behavior. jpayne@68: .sp jpayne@68: In \fBpkinit_identity\fP or \fBpkinit_identities\fP, \fIfilename\fP jpayne@68: specifies the name of a PEM\-format file containing the user\(aqs jpayne@68: certificate. If \fIkeyfilename\fP is not specified, the user\(aqs jpayne@68: private key is expected to be in \fIfilename\fP as well. Otherwise, jpayne@68: \fIkeyfilename\fP is the name of the file containing the private key. jpayne@68: .sp jpayne@68: In \fBpkinit_anchors\fP or \fBpkinit_pool\fP, \fIfilename\fP is assumed to jpayne@68: be the name of an OpenSSL\-style ca\-bundle file. jpayne@68: .TP jpayne@68: \fBDIR:\fP\fIdirname\fP jpayne@68: This option has context\-specific behavior. jpayne@68: .sp jpayne@68: In \fBpkinit_identity\fP or \fBpkinit_identities\fP, \fIdirname\fP jpayne@68: specifies a directory with files named \fB*.crt\fP and \fB*.key\fP jpayne@68: where the first part of the file name is the same for matching jpayne@68: pairs of certificate and private key files. When a file with a jpayne@68: name ending with \fB\&.crt\fP is found, a matching file ending with jpayne@68: \fB\&.key\fP is assumed to contain the private key. If no such file jpayne@68: is found, then the certificate in the \fB\&.crt\fP is not used. jpayne@68: .sp jpayne@68: In \fBpkinit_anchors\fP or \fBpkinit_pool\fP, \fIdirname\fP is assumed to jpayne@68: be an OpenSSL\-style hashed CA directory where each CA cert is jpayne@68: stored in a file named \fBhash\-of\-ca\-cert.#\fP\&. This infrastructure jpayne@68: is encouraged, but all files in the directory will be examined and jpayne@68: if they contain certificates (in PEM format), they will be used. jpayne@68: .sp jpayne@68: In \fBpkinit_revoke\fP, \fIdirname\fP is assumed to be an OpenSSL\-style jpayne@68: hashed CA directory where each revocation list is stored in a file jpayne@68: named \fBhash\-of\-ca\-cert.r#\fP\&. This infrastructure is encouraged, jpayne@68: but all files in the directory will be examined and if they jpayne@68: contain a revocation list (in PEM format), they will be used. jpayne@68: .TP jpayne@68: \fBPKCS12:\fP\fIfilename\fP jpayne@68: \fIfilename\fP is the name of a PKCS #12 format file, containing the jpayne@68: user\(aqs certificate and private key. jpayne@68: .TP jpayne@68: \fBPKCS11:\fP[\fBmodule_name=\fP]\fImodname\fP[\fB:slotid=\fP\fIslot\-id\fP][\fB:token=\fP\fItoken\-label\fP][\fB:certid=\fP\fIcert\-id\fP][\fB:certlabel=\fP\fIcert\-label\fP] jpayne@68: All keyword/values are optional. \fImodname\fP specifies the location jpayne@68: of a library implementing PKCS #11. If a value is encountered jpayne@68: with no keyword, it is assumed to be the \fImodname\fP\&. If no jpayne@68: module\-name is specified, the default is \fBopensc\-pkcs11.so\fP\&. jpayne@68: \fBslotid=\fP and/or \fBtoken=\fP may be specified to force the use of jpayne@68: a particular smard card reader or token if there is more than one jpayne@68: available. \fBcertid=\fP and/or \fBcertlabel=\fP may be specified to jpayne@68: force the selection of a particular certificate on the device. jpayne@68: See the \fBpkinit_cert_match\fP configuration option for more ways jpayne@68: to select a particular certificate to use for PKINIT. jpayne@68: .TP jpayne@68: \fBENV:\fP\fIenvvar\fP jpayne@68: \fIenvvar\fP specifies the name of an environment variable which has jpayne@68: been set to a value conforming to one of the previous values. For jpayne@68: example, \fBENV:X509_PROXY\fP, where environment variable jpayne@68: \fBX509_PROXY\fP has been set to \fBFILE:/tmp/my_proxy.pem\fP\&. jpayne@68: .UNINDENT jpayne@68: .SS PKINIT krb5.conf options jpayne@68: .INDENT 0.0 jpayne@68: .TP jpayne@68: \fBpkinit_anchors\fP jpayne@68: Specifies the location of trusted anchor (root) certificates which jpayne@68: the client trusts to sign KDC certificates. This option may be jpayne@68: specified multiple times. These values from the config file are jpayne@68: not used if the user specifies X509_anchors on the command line. jpayne@68: .TP jpayne@68: \fBpkinit_cert_match\fP jpayne@68: Specifies matching rules that the client certificate must match jpayne@68: before it is used to attempt PKINIT authentication. If a user has jpayne@68: multiple certificates available (on a smart card, or via other jpayne@68: media), there must be exactly one certificate chosen before jpayne@68: attempting PKINIT authentication. This option may be specified jpayne@68: multiple times. All the available certificates are checked jpayne@68: against each rule in order until there is a match of exactly one jpayne@68: certificate. jpayne@68: .sp jpayne@68: The Subject and Issuer comparison strings are the \fI\%RFC 2253\fP jpayne@68: string representations from the certificate Subject DN and Issuer jpayne@68: DN values. jpayne@68: .sp jpayne@68: The syntax of the matching rules is: jpayne@68: .INDENT 7.0 jpayne@68: .INDENT 3.5 jpayne@68: [\fIrelation\-operator\fP]\fIcomponent\-rule\fP ... jpayne@68: .UNINDENT jpayne@68: .UNINDENT jpayne@68: .sp jpayne@68: where: jpayne@68: .INDENT 7.0 jpayne@68: .TP jpayne@68: .B \fIrelation\-operator\fP jpayne@68: can be either \fB&&\fP, meaning all component rules must match, jpayne@68: or \fB||\fP, meaning only one component rule must match. The jpayne@68: default is \fB&&\fP\&. jpayne@68: .TP jpayne@68: .B \fIcomponent\-rule\fP jpayne@68: can be one of the following. Note that there is no jpayne@68: punctuation or whitespace between component rules. jpayne@68: .INDENT 7.0 jpayne@68: .INDENT 3.5 jpayne@68: .nf jpayne@68: \fB\fP\fIregular\-expression\fP jpayne@68: \fB\fP\fIregular\-expression\fP jpayne@68: \fB\fP\fIregular\-expression\fP jpayne@68: \fB\fP\fIextended\-key\-usage\-list\fP jpayne@68: \fB\fP\fIkey\-usage\-list\fP jpayne@68: .fi jpayne@68: .sp jpayne@68: .UNINDENT jpayne@68: .UNINDENT jpayne@68: .sp jpayne@68: \fIextended\-key\-usage\-list\fP is a comma\-separated list of jpayne@68: required Extended Key Usage values. All values in the list jpayne@68: must be present in the certificate. Extended Key Usage values jpayne@68: can be: jpayne@68: .INDENT 7.0 jpayne@68: .IP \(bu 2 jpayne@68: pkinit jpayne@68: .IP \(bu 2 jpayne@68: msScLogin jpayne@68: .IP \(bu 2 jpayne@68: clientAuth jpayne@68: .IP \(bu 2 jpayne@68: emailProtection jpayne@68: .UNINDENT jpayne@68: .sp jpayne@68: \fIkey\-usage\-list\fP is a comma\-separated list of required Key jpayne@68: Usage values. All values in the list must be present in the jpayne@68: certificate. Key Usage values can be: jpayne@68: .INDENT 7.0 jpayne@68: .IP \(bu 2 jpayne@68: digitalSignature jpayne@68: .IP \(bu 2 jpayne@68: keyEncipherment jpayne@68: .UNINDENT jpayne@68: .UNINDENT jpayne@68: .sp jpayne@68: Examples: jpayne@68: .INDENT 7.0 jpayne@68: .INDENT 3.5 jpayne@68: .sp jpayne@68: .nf jpayne@68: .ft C jpayne@68: pkinit_cert_match = ||.*DoE.*.*@EXAMPLE.COM jpayne@68: pkinit_cert_match = &&msScLogin,clientAuth.*DoE.* jpayne@68: pkinit_cert_match = msScLogin,clientAuthdigitalSignature jpayne@68: .ft P jpayne@68: .fi jpayne@68: .UNINDENT jpayne@68: .UNINDENT jpayne@68: .TP jpayne@68: \fBpkinit_eku_checking\fP jpayne@68: This option specifies what Extended Key Usage value the KDC jpayne@68: certificate presented to the client must contain. (Note that if jpayne@68: the KDC certificate has the pkinit SubjectAlternativeName encoded jpayne@68: as the Kerberos TGS name, EKU checking is not necessary since the jpayne@68: issuing CA has certified this as a KDC certificate.) The values jpayne@68: recognized in the krb5.conf file are: jpayne@68: .INDENT 7.0 jpayne@68: .TP jpayne@68: \fBkpKDC\fP jpayne@68: This is the default value and specifies that the KDC must have jpayne@68: the id\-pkinit\-KPKdc EKU as defined in \fI\%RFC 4556\fP\&. jpayne@68: .TP jpayne@68: \fBkpServerAuth\fP jpayne@68: If \fBkpServerAuth\fP is specified, a KDC certificate with the jpayne@68: id\-kp\-serverAuth EKU will be accepted. This key usage value jpayne@68: is used in most commercially issued server certificates. jpayne@68: .TP jpayne@68: \fBnone\fP jpayne@68: If \fBnone\fP is specified, then the KDC certificate will not be jpayne@68: checked to verify it has an acceptable EKU. The use of this jpayne@68: option is not recommended. jpayne@68: .UNINDENT jpayne@68: .TP jpayne@68: \fBpkinit_dh_min_bits\fP jpayne@68: Specifies the size of the Diffie\-Hellman key the client will jpayne@68: attempt to use. The acceptable values are 1024, 2048, and 4096. jpayne@68: The default is 2048. jpayne@68: .TP jpayne@68: \fBpkinit_identities\fP jpayne@68: Specifies the location(s) to be used to find the user\(aqs X.509 jpayne@68: identity information. If this option is specified multiple times, jpayne@68: each value is attempted in order until certificates are found. jpayne@68: Note that these values are not used if the user specifies jpayne@68: \fBX509_user_identity\fP on the command line. jpayne@68: .TP jpayne@68: \fBpkinit_kdc_hostname\fP jpayne@68: The presence of this option indicates that the client is willing jpayne@68: to accept a KDC certificate with a dNSName SAN (Subject jpayne@68: Alternative Name) rather than requiring the id\-pkinit\-san as jpayne@68: defined in \fI\%RFC 4556\fP\&. This option may be specified multiple jpayne@68: times. Its value should contain the acceptable hostname for the jpayne@68: KDC (as contained in its certificate). jpayne@68: .TP jpayne@68: \fBpkinit_pool\fP jpayne@68: Specifies the location of intermediate certificates which may be jpayne@68: used by the client to complete the trust chain between a KDC jpayne@68: certificate and a trusted anchor. This option may be specified jpayne@68: multiple times. jpayne@68: .TP jpayne@68: \fBpkinit_require_crl_checking\fP jpayne@68: The default certificate verification process will always check the jpayne@68: available revocation information to see if a certificate has been jpayne@68: revoked. If a match is found for the certificate in a CRL, jpayne@68: verification fails. If the certificate being verified is not jpayne@68: listed in a CRL, or there is no CRL present for its issuing CA, jpayne@68: and \fBpkinit_require_crl_checking\fP is false, then verification jpayne@68: succeeds. jpayne@68: .sp jpayne@68: However, if \fBpkinit_require_crl_checking\fP is true and there is jpayne@68: no CRL information available for the issuing CA, then verification jpayne@68: fails. jpayne@68: .sp jpayne@68: \fBpkinit_require_crl_checking\fP should be set to true if the jpayne@68: policy is such that up\-to\-date CRLs must be present for every CA. jpayne@68: .TP jpayne@68: \fBpkinit_revoke\fP jpayne@68: Specifies the location of Certificate Revocation List (CRL) jpayne@68: information to be used by the client when verifying the validity jpayne@68: of the KDC certificate presented. This option may be specified jpayne@68: multiple times. jpayne@68: .UNINDENT jpayne@68: .SH PARAMETER EXPANSION jpayne@68: .sp jpayne@68: Starting with release 1.11, several variables, such as jpayne@68: \fBdefault_keytab_name\fP, allow parameters to be expanded. jpayne@68: Valid parameters are: jpayne@68: .INDENT 0.0 jpayne@68: .INDENT 3.5 jpayne@68: .TS jpayne@68: center; jpayne@68: |l|l|. jpayne@68: _ jpayne@68: T{ jpayne@68: %{TEMP} jpayne@68: T} T{ jpayne@68: Temporary directory jpayne@68: T} jpayne@68: _ jpayne@68: T{ jpayne@68: %{uid} jpayne@68: T} T{ jpayne@68: Unix real UID or Windows SID jpayne@68: T} jpayne@68: _ jpayne@68: T{ jpayne@68: %{euid} jpayne@68: T} T{ jpayne@68: Unix effective user ID or Windows SID jpayne@68: T} jpayne@68: _ jpayne@68: T{ jpayne@68: %{USERID} jpayne@68: T} T{ jpayne@68: Same as %{uid} jpayne@68: T} jpayne@68: _ jpayne@68: T{ jpayne@68: %{null} jpayne@68: T} T{ jpayne@68: Empty string jpayne@68: T} jpayne@68: _ jpayne@68: T{ jpayne@68: %{LIBDIR} jpayne@68: T} T{ jpayne@68: Installation library directory jpayne@68: T} jpayne@68: _ jpayne@68: T{ jpayne@68: %{BINDIR} jpayne@68: T} T{ jpayne@68: Installation binary directory jpayne@68: T} jpayne@68: _ jpayne@68: T{ jpayne@68: %{SBINDIR} jpayne@68: T} T{ jpayne@68: Installation admin binary directory jpayne@68: T} jpayne@68: _ jpayne@68: T{ jpayne@68: %{username} jpayne@68: T} T{ jpayne@68: (Unix) Username of effective user ID jpayne@68: T} jpayne@68: _ jpayne@68: T{ jpayne@68: %{APPDATA} jpayne@68: T} T{ jpayne@68: (Windows) Roaming application data for current user jpayne@68: T} jpayne@68: _ jpayne@68: T{ jpayne@68: %{COMMON_APPDATA} jpayne@68: T} T{ jpayne@68: (Windows) Application data for all users jpayne@68: T} jpayne@68: _ jpayne@68: T{ jpayne@68: %{LOCAL_APPDATA} jpayne@68: T} T{ jpayne@68: (Windows) Local application data for current user jpayne@68: T} jpayne@68: _ jpayne@68: T{ jpayne@68: %{SYSTEM} jpayne@68: T} T{ jpayne@68: (Windows) Windows system folder jpayne@68: T} jpayne@68: _ jpayne@68: T{ jpayne@68: %{WINDOWS} jpayne@68: T} T{ jpayne@68: (Windows) Windows folder jpayne@68: T} jpayne@68: _ jpayne@68: T{ jpayne@68: %{USERCONFIG} jpayne@68: T} T{ jpayne@68: (Windows) Per\-user MIT krb5 config file directory jpayne@68: T} jpayne@68: _ jpayne@68: T{ jpayne@68: %{COMMONCONFIG} jpayne@68: T} T{ jpayne@68: (Windows) Common MIT krb5 config file directory jpayne@68: T} jpayne@68: _ jpayne@68: .TE jpayne@68: .UNINDENT jpayne@68: .UNINDENT jpayne@68: .SH SAMPLE KRB5.CONF FILE jpayne@68: .sp jpayne@68: Here is an example of a generic krb5.conf file: jpayne@68: .INDENT 0.0 jpayne@68: .INDENT 3.5 jpayne@68: .sp jpayne@68: .nf jpayne@68: .ft C jpayne@68: [libdefaults] jpayne@68: default_realm = ATHENA.MIT.EDU jpayne@68: dns_lookup_kdc = true jpayne@68: dns_lookup_realm = false jpayne@68: jpayne@68: [realms] jpayne@68: ATHENA.MIT.EDU = { jpayne@68: kdc = kerberos.mit.edu jpayne@68: kdc = kerberos\-1.mit.edu jpayne@68: kdc = kerberos\-2.mit.edu jpayne@68: admin_server = kerberos.mit.edu jpayne@68: primary_kdc = kerberos.mit.edu jpayne@68: } jpayne@68: EXAMPLE.COM = { jpayne@68: kdc = kerberos.example.com jpayne@68: kdc = kerberos\-1.example.com jpayne@68: admin_server = kerberos.example.com jpayne@68: } jpayne@68: jpayne@68: [domain_realm] jpayne@68: mit.edu = ATHENA.MIT.EDU jpayne@68: jpayne@68: [capaths] jpayne@68: ATHENA.MIT.EDU = { jpayne@68: EXAMPLE.COM = . jpayne@68: } jpayne@68: EXAMPLE.COM = { jpayne@68: ATHENA.MIT.EDU = . jpayne@68: } jpayne@68: .ft P jpayne@68: .fi jpayne@68: .UNINDENT jpayne@68: .UNINDENT jpayne@68: .SH FILES jpayne@68: .sp jpayne@68: \fB/etc/krb5.conf\fP jpayne@68: .SH SEE ALSO jpayne@68: .sp jpayne@68: syslog(3) jpayne@68: .SH AUTHOR jpayne@68: MIT jpayne@68: .SH COPYRIGHT jpayne@68: 1985-2022, MIT jpayne@68: .\" Generated by docutils manpage writer. jpayne@68: .