6 The krb5.conf file contains Kerberos configuration information,
7 including the locations of KDCs and admin servers for the Kerberos
8 realms of interest, defaults for the current realm and for Kerberos
9 applications, and mappings of hostnames onto Kerberos realms.
10 Normally, you should install your krb5.conf file in the directory
11 ``/etc``. You can override the default location by setting the
12 environment variable KRB5_CONFIG.
18 The krb5.conf file is set up in the style of a Windows INI file.
19 Sections are headed by the section name, in square brackets. Each
20 section may contain zero or more relations, of the form:
34 Placing a '\*' at the end of a line indicates that this is the *final*
35 value for the tag. This means that neither the remainder of this
36 configuration file nor any other configuration file will be checked
37 for any other values for this tag.
39 For example, if you have the following lines:
45 then the second value of ``foo`` (``baz``) would never be read.
47 The krb5.conf file can include other files using either of the
48 following directives at the beginning of a line:
55 *FILENAME* or *DIRNAME* should be an absolute path. The named file or
56 directory must exist and be readable. Including a directory includes
57 all files within the directory whose names consist solely of
58 alphanumeric characters, dashes, or underscores. Included profile
59 files are syntactically independent of their parents, so each included
60 file must begin with a section header.
62 The krb5.conf file can specify that configuration should be obtained
63 from a loadable module, rather than the file itself, using the
64 following directive at the beginning of a line before any section
69 module MODULEPATH:RESIDUAL
71 *MODULEPATH* may be relative to the library path of the krb5
72 installation, or it may be an absolute path. *RESIDUAL* is provided
73 to the module at initialization time. If krb5.conf uses a module
74 directive, :ref:`kdc.conf(5)` should also use one if it exists.
80 The krb5.conf file may contain any or all of the following sections:
82 ============== =======================================================
83 libdefaults_ Contains default values used by the Kerberos V5 library.
84 realms_ Contains subsections keyed by Kerberos realm names. Each subsection describes realm-specific information, including where to find the Kerberos servers for that realm.
85 domain_realm_ Contains relations which map domain names and subdomains onto Kerberos realm names. This is used by programs to determine what realm a host should be in, given its fully qualified domain name.
86 logging_ Contains relations which determine how Kerberos programs are to perform logging.
87 capaths_ Contains the authentication paths used with direct (nonhierarchical) cross-realm authentication. Entries in this section are used by the client to determine the intermediate realms which may be used in cross-realm authentication. It is also used by the end-service when checking the transited field for trusted intermediate realms.
88 plugins_ Contains tags to register dynamic plugin modules and to turn modules on and off.
89 appdefaults_ Contains default values that can be used by Kerberos V5 applications.
90 ============== =======================================================
98 The libdefaults section may contain any of the following relations:
100 **allow_weak_crypto**
101 If this is set to 0 (for false), then weak encryption types will
102 be filtered out of the previous three lists (as noted in
103 :ref:`Supported_Encryption_Types_and_Salts`). The default value
104 for this tag is false, which may cause authentication failures in
105 existing Kerberos infrastructures that do not support strong
106 crypto. Users in affected environments should set this tag to
107 true until their infrastructure adopts stronger ciphers.
109 **ap_req_checksum_type**
110 An integer which specifies the type of AP-REQ checksum to use in
111 authenticators. This variable should be unset so the appropriate
112 checksum for the encryption key in use will be used. This can be
113 set if backward compatibility requires a specific checksum type.
114 See the **kdc_req_checksum_type** configuration option for the
115 possible values and their meanings.
118 This flag indicates to the KDC that the client is prepared to
119 receive a reply that contains a principal name other than the one
120 requested. The client should expect, when sending names with the
121 "canonicalize" KDC option, that names in the KDC's reply will be
122 different than the name in the request. The default value for
123 this flag is not set.
126 Use this parameter on systems which are DCE clients, to specify
127 the type of cache to be created by :ref:`kinit(1)`, or when
128 forwarded tickets are received. DCE and Kerberos can share the
129 cache, but some versions of DCE do not support the default cache
130 as created by this version of Kerberos. Use a value of 1 on DCE
131 1.0.3a systems, and a value of 2 on DCE 1.1 systems. The default
135 Sets the maximum allowable amount of clockskew in seconds that the
136 library will tolerate before assuming that a Kerberos message is
137 invalid. The default value is 300 seconds, or five minutes.
139 **default_keytab_name**
140 This relation specifies the default keytab name to be used by
141 application servers such as telnetd and rlogind. The default is
142 ``/etc/krb5.keytab``.
145 Identifies the default Kerberos realm for the client. Set its
146 value to your Kerberos realm. If this is not specified and the
147 TXT record lookup is enabled (see :ref:`using_dns`), then that
148 information will be used to determine the default realm. If this
149 tag is not set in this configuration file and there is no DNS
150 information found, then an error will be returned.
152 **default_tgs_enctypes**
153 Identifies the supported list of session key encryption types that
154 should be returned by the KDC. The list may be delimited with
155 commas or whitespace. Kerberos supports many different encryption
156 types, and support for more is planned in the future. (see
157 :ref:`Supported_Encryption_Types_and_Salts` for a list of the
158 accepted values for this tag). The default value is
159 ``aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1
160 arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4``.
162 **default_tkt_enctypes**
163 Identifies the supported list of session key encryption types that
164 should be requested by the client. The format is the same as for
165 default_tgs_enctypes. The default value for this tag is
166 ``aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1
167 arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4``.
170 General flag controlling the use of DNS for Kerberos information.
171 If both of the preceding options are specified, this option has no
175 Indicate whether DNS SRV records should be used to locate the KDCs
176 and other servers for a realm, if they are not listed in the
177 information for the realm. (Note that the admin_server entry must
178 be in the file, because the DNS implementation for it is
181 Enabling this option does open up a type of denial-of-service
182 attack, if someone spoofs the DNS records and redirects you to
183 another server. However, it's no worse than a denial of service,
184 because that fake KDC will be unable to decode anything you send
185 it (besides the initial ticket request, which has no encrypted
186 data), and anything the fake KDC sends will not be trusted without
187 verification using some secret that it won't know.
189 If this option is not specified but dns_fallback is, that value
190 will be used instead. If neither option is specified, the
191 behavior depends on configure-time options; if none were given,
192 the default is to enable this option. If the DNS support is not
193 compiled in, this entry has no effect.
196 Indicate whether DNS TXT records should be used to determine the
197 Kerberos realm of a host.
199 Enabling this option may permit a redirection attack, where
200 spoofed DNS replies persuade a client to authenticate to the wrong
201 realm, when talking to the wrong host (either by spoofing yet more
202 DNS records or by intercepting the net traffic). Depending on how
203 the client software manages hostnames, however, it could already
204 be vulnerable to such attacks. We are looking at possible ways to
205 minimize or eliminate this exposure. For now, we encourage more
206 adventurous sites to try using Secure DNS.
208 If this option is not specified but dns_fallback is, that value
209 will be used instead. If neither option is specified, the
210 behavior depends on configure-time options; if none were given,
211 the default is to disable this option. If the DNS support is not
212 compiled in, this entry has no effect.
215 This allows a computer to use multiple local addresses, in order
216 to allow Kerberos to work in a network that uses NATs. The
217 addresses should be in a comma-separated list.
220 If this flag is set, initial tickets by default will be
221 forwardable. The default value for this flag is not set.
223 **ignore_acceptor_hostname**
224 When accepting GSSAPI or krb5 security contexts for host-based
225 service principals, ignore any hostname passed by the calling
226 application and allow any service principal present in the keytab
227 which matches the service name and realm name (if given). This
228 option can improve the administrative flexibility of server
229 applications on multihomed hosts, but can compromise the security
230 of virtual hosting environments. The default value is false.
232 **k5login_authoritative**
233 If the value of this relation is true (the default), principals
234 must be listed in a local user's k5login file to be granted login
235 access, if a :ref:`.k5login(5)` file exists. If the value of this
236 relation is false, a principal may still be granted login access
237 through other mechanisms even if a k5login file exists but does
238 not list the principal.
240 **k5login_directory**
241 If set, the library will look for a local user's k5login file
242 within the named directory, with a filename corresponding to the
243 local username. If not set, the library will look for k5login
244 files in the user's home directory, with the filename .k5login.
245 For security reasons, .k5login files must be owned by
246 the local user or by root.
248 **kdc_default_options**
249 Default KDC options (Xored for multiple values) when requesting
250 initial credentials. By default it is set to 0x00000010
251 (KDC_OPT_RENEWABLE_OK).
254 If this is set to 1 (for true), then client machines will compute
255 the difference between their time and the time returned by the KDC
256 in the timestamps in the tickets and use this value to correct for
257 an inaccurate system clock. This corrective factor is only used
258 by the Kerberos library. The default is 1.
260 **kdc_req_checksum_type**
261 An integer which specifies the type of checksum to use for the KDC
262 requests for compatibility with DCE security servers which do not
263 support the default RSA MD5 used by Kerberos V5. This applies to
264 DCE 1.1 and earlier. Use a value of 2 to use the RSA MD4 instead.
265 This value is only used for DES keys; other keys use the preferred
266 checksum type for those keys.
268 The possible values and their meanings are as follows.
270 ======== ===============================
279 -138 Microsoft MD5 HMAC checksum type
280 ======== ===============================
283 Setting this flag causes the initial Kerberos ticket to be
284 addressless. The default for the flag is set.
286 **permitted_enctypes**
287 Identifies all encryption types that are permitted for use in
288 session key encryption. The default value for this tag is
289 ``aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1
290 arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4``.
293 If set, determines the base directory where krb5 plugins are
294 located. The default value is the ``krb5/plugins`` subdirectory
295 of the krb5 library directory.
297 **preferred_preauth_types**
298 This allows you to set the preferred preauthentication types which
299 the client will attempt before others which may be advertised by a
300 KDC. The default value for this setting is "17, 16, 15, 14",
301 which forces libkrb5 to attempt to use PKINIT if it is supported.
304 If this flag is set, initial tickets by default will be proxiable.
305 The default value for this flag is not set.
308 If set to false, prevent the use of reverse DNS resolution when
309 translating hostnames into service principal names. Defaults to
310 true. Setting this flag to false is more secure, but may force
311 users to exclusively use fully qualified domain names when
312 authenticating to services.
314 **realm_try_domains**
315 Indicate whether a host's domain components should be used to
316 determine the Kerberos realm of the host. The value of this
317 variable is an integer: -1 means not to search, 0 means to try the
318 host's domain itself, 1 means to also try the domain's immediate
319 parent, and so forth. The library's usual mechanism for locating
320 Kerberos realms is used to determine whether a domain is a valid
321 realm--which may involve consulting DNS if **dns_lookup_kdc** is
322 set. The default is not to search domain components.
325 The value of this tag is the default renewable lifetime for
326 initial tickets. The default value for the tag is 0.
328 **safe_checksum_type**
329 An integer which specifies the type of checksum to use for the
330 KRB-SAFE requests. By default it is set to 8 (RSA MD5 DES). For
331 compatibility with applications linked against DCE version 1.1 or
332 earlier Kerberos libraries, use a value of 3 to use the RSA MD4
333 DES instead. This field is ignored when its value is incompatible
334 with the session key type. See the **kdc_req_checksum_type**
335 configuration option for the possible values and their meanings.
338 The value of this tag is the default lifetime for initial tickets.
339 The default value for the tag is 1 day.
341 **udp_preference_limit**
342 When sending a message to the KDC, the library will try using TCP
343 before UDP if the size of the message is above
344 **udp_preference_list**. If the message is smaller than
345 **udp_preference_list**, then UDP will be tried before
346 TCP. Regardless of the size, both protocols will be tried if the
349 **verify_ap_req_nofail**
350 If this flag is set, then an attempt to get initial credentials
351 will fail if the client machine does not have a keytab. The
352 default for the flag is not set.
360 Each tag in the [realms] section of the file is the name of a Kerberos
361 realm. The value of the tag is a subsection with relations that
362 define the properties of that particular realm. For each realm, the
363 following tags may be specified in the realm's subsection:
366 Identifies the host where the administration server is running.
367 Typically, this is the master Kerberos server. This tag must be
368 given a value in order to communicate with the :ref:`kadmind(8)`
369 server for the realm.
372 This tag allows you to set a general rule for mapping principal
373 names to local user names. It will be used if there is not an
374 explicit mapping for the principal name that is being
375 translated. The possible values are:
378 The principal will be looked up in the database *filename*.
379 Support for this is not currently compiled in by default.
382 The local name will be formulated from *exp*.
384 The format for *exp* is **[**\ *n*\ **:**\ *string*\ **](**\
385 *regexp*\ **)s/**\ *pattern*\ **/**\ *replacement*\ **/g**.
386 The integer *n* indicates how many components the target
387 principal should have. If this matches, then a string will be
388 formed from *string*, substituting the realm of the principal
389 for ``$0`` and the *n*'th component of the principal for
390 ``$n`` (e.g. if the principal was ``johndoe/admin`` then
391 ``[2:$2$1foo]`` would result in the string
392 ``adminjohndoefoo``). If this string matches *regexp*, then
393 the ``s//[g]`` substitution command will be run over the
394 string. The optional **g** will cause the substitution to be
395 global over the *string*, instead of replacing only the first
396 match in the *string*.
399 The principal name will be used as the local user name. If
400 the principal has more than one component or is not in the
401 default realm, this rule is not applicable and the conversion
409 auth_to_local = RULE:[2:$1](johndoe)s/^.*$/guest/
410 auth_to_local = RULE:[2:$1;$2](^.*;admin$)s/;admin$//
411 auth_to_local = RULE:[2:$2](^.*;root)s/^.*$/root/
412 auto_to_local = DEFAULT
415 would result in any principal without ``root`` or ``admin`` as the
416 second component to be translated with the default rule. A
417 principal with a second component of ``admin`` will become its
418 first component. ``root`` will be used as the local name for any
419 principal with a second component of ``root``. The exception to
420 these two rules are any principals ``johndoe/*``, which will
421 always get the local name ``guest``.
423 **auth_to_local_names**
424 This subsection allows you to set explicit mappings from principal
425 names to local user names. The tag is the mapping name, and the
426 value is the corresponding local user name.
429 This relation indicates the name of the configuration section
430 under dbmodules_ for database specific parameters used by the
431 loadable database library.
434 This tag is used for Kerberos 4 compatibility. Kerberos 4 does not
435 require the entire hostname of a server to be in its principal
436 like Kerberos 5 does. This tag provides the domain name needed to
437 produce a full hostname when translating V4 principal names into
438 V5 principal names. All servers in this realm are assumed to be
439 in the domain given as the value of this tag.
442 The name or address of a host running a KDC for that realm. An
443 optional port number, separated from the hostname by a colon, may
444 be included. If the name or address contains colons (for example,
445 if it is an IPv6 address), enclose it in square brackets to
446 distinguish the colon from a port separator. For your computer to
447 be able to communicate with the KDC for each realm, this tag must
448 be given a value in each realm subsection in the configuration
449 file, or there must be DNS SRV records specifying the KDCs (see
453 Points to the server where all the password changes are performed.
454 If there is no such entry, the port 464 on the **admin_server**
458 Points to the server that does 524 conversions. If it is not
459 mentioned, the krb524 port 4444 on the kdc will be tried.
462 Identifies the master KDC(s). Currently, this tag is used in only
463 one case: If an attempt to get credentials fails because of an
464 invalid password, the client software will attempt to contact the
465 master KDC, in case the user's password has just been changed, and
466 the updated database has not been propagated to the slave servers
469 **v4_instance_convert**
470 This subsection allows the administrator to configure exceptions
471 to the **default_domain** mapping rule. It contains V4 instances
472 (the tag name) which should be translated to some specific
473 hostname (the tag value) as the second component in a Kerberos V5
477 This relation is used by the krb524 library routines when
478 converting a V5 principal name to a V4 principal name. It is used
479 when the V4 realm name and the V5 realm name are not the same, but
480 still share the same principal names and passwords. The tag value
481 is the Kerberos V4 realm name.
489 The [domain_realm] section provides a translation from a domain name
490 or hostname to a Kerberos realm name. The tag name can be a host
491 name, or a domain name, where domain names are indicated by a prefix
492 of a period (.). The value of the relation is the Kerberos realm name
493 for that particular host or domain. The Kerberos realm may be
494 identified either in the realms_ section or using DNS SRV records.
495 Host names and domain names should be in lower case.
497 If no translation entry applies, the host's realm is considered to be
498 the hostname's domain portion converted to upper case. For example,
499 the following [domain_realm] section:
504 crash.mit.edu = TEST.ATHENA.MIT.EDU
505 .mit.edu = ATHENA.MIT.EDU
506 mit.edu = ATHENA.MIT.EDU
507 example.com = EXAMPLE.COM
509 maps the host with the *exact* name ``crash.mit.edu`` into the
510 TEST.ATHENA.MIT.EDU realm. The period prefix in ``.mit.edu`` denotes
511 that *all* systems in the ``mit.edu`` domain belong to
512 ``ATHENA.MIT.EDU`` realm. Note the entries for the hosts ``mit.edu``
513 and ``example.com``. Without these entries, these hosts would be
514 mapped into the Kerberos realms EDU and COM, respectively.
521 The [logging] section indicates how a particular entity is to perform
522 its logging. The relations in this section assign one or more values
523 to the entity name. Currently, the following entities are used:
526 These entries specify how the administrative server is to perform
530 These entries specify how to perform logging in the absence of
531 explicit specifications otherwise.
534 These entries specify how the KDC is to perform its logging.
536 Values are of the following forms:
538 **FILE=**\ *filename* or **FILE:**\ *filename*
539 This value causes the entity's logging messages to go to the
540 *filename*. If the = form is used, the file is overwritten. If
541 the \: form is used, the file is appended to.
544 This value causes the entity's logging messages to go to its
545 standard error stream.
548 This value causes the entity's logging messages to go to the
549 console, if the system supports it.
551 **DEVICE=**\ *<devicename>*
552 This causes the entity's logging messages to go to the specified
555 **SYSLOG**\ [\ **:**\ *severity*\ [\ **:**\ *facility*\ ]]
556 This causes the entity's logging messages to go to the system log.
558 The severity argument specifies the default severity of system log
559 messages. This may be any of the following severities supported
560 by the syslog(3) call, minus the LOG\_ prefix: LOG_EMERG,
561 LOG_ALERT, LOG_CRIT, LOG_ERR, LOG_WARNING, LOG_NOTICE, LOG_INFO,
562 and LOG_DEBUG. For example, a value of CRIT would specify
565 The facility argument specifies the facility under which the
566 messages are logged. This may be any of the following facilities
567 supported by the syslog(3) call minus the LOG\_ prefix: LOG_KERN,
568 LOG_USER, LOG_MAIL, LOG_DAEMON, LOG_AUTH, LOG_LPR, LOG_NEWS,
569 LOG_UUCP, LOG_CRON, and LOG_LOCAL0 through LOG_LOCAL7.
571 If no severity is specified, the default is ERR. If no facility
572 is specified, the default is AUTH.
574 In the following example, the logging messages from the KDC will go to
575 the console and to the system log under the facility LOG_DAEMON with
576 default severity of LOG_INFO; and the logging messages from the
577 administrative server will be appended to the file
578 ``/var/adm/kadmin.log`` and sent to the device ``/dev/tty04``.
584 kdc = SYSLOG:INFO:DAEMON
585 admin_server = FILE:/var/adm/kadmin.log
586 admin_server = DEVICE=/dev/tty04
594 In order to perform direct (non-hierarchical) cross-realm
595 authentication, a database is needed to construct the authentication
596 paths between the realms. This section defines that database.
598 A client will use this section to find the authentication path between
599 its realm and the realm of the server. The server will use this
600 section to verify the authentication path used by the client, by
601 checking the transited field of the received ticket.
603 There is a tag for each participating realm, and each tag has subtags
604 for each of the realms. The value of the subtags is an intermediate
605 realm which may participate in the cross-realm authentication. The
606 subtags may be repeated if there is more then one intermediate realm.
607 A value of "." means that the two realms share keys directly, and no
608 intermediate realms should be allowed to participate.
610 There are n**2 possible entries in this table, but only those entries
611 which will be needed on the client or the server need to be present.
612 The client needs a tag for its local realm, with subtags for all the
613 realms of servers it will need to authenticate with. A server needs a
614 tag for each realm of the clients it will serve.
616 For example, ``ANL.GOV``, ``PNL.GOV``, and ``NERSC.GOV`` all wish to
617 use the ``ES.NET`` realm as an intermediate realm. ``ANL`` has a sub
618 realm of ``TEST.ANL.GOV`` which will authenticate with ``NERSC.GOV``
619 but not ``PNL.GOV``. The [capaths] section for ``ANL.GOV`` systems
620 would look like this:
644 The [capaths] section of the configuration file used on ``NERSC.GOV``
645 systems would look like this:
652 TEST.ANL.GOV = ES.NET
653 TEST.ANL.GOV = ANL.GOV
671 In the above examples, the ordering is not important, except when the
672 same subtag name is used more then once. The client will use this to
673 determine the path. (It is not important to the server, since the
674 transited field is not sorted.)
676 This feature is not currently supported by DCE. DCE security servers
677 can be used with Kerberized clients and servers, but versions prior to
678 DCE 1.1 did not fill in the transited field, and should be used with
687 The [dbdefaults] section provides default values for the database
688 specific parameters. It can also specify the configuration section
689 under dbmodules_ section for database specific parameters used by the
692 The following tags are used in this section:
695 This relation indicates the name of the configuration section
696 under the dbmodules_ for database specific parameters used by the
697 loadable database library.
699 **ldap_kerberos_container_dn**
700 This LDAP specific tag indicates the DN of the container object
701 where the realm objects will be located. This value is used if
702 the container object is not mentioned in the configuration section
706 This LDAP specific tag indicates the default bind DN for the KDC
707 server. The KDC server does a login to the directory as this
708 object. This object should have the rights to read the Kerberos
709 data in the LDAP database. This value is used if the bind DN for
710 the KDC is not mentioned in the configuration section under
714 This LDAP specific tag indicates the default bind DN for the
715 Administration server. The administration server does a login to
716 the directory as this object. This object should have the rights
717 to read and write the Kerberos data in the LDAP database. This
718 value is used if the bind DN for the Administration server is not
719 mentioned in the configuration section under dbmodules_.
721 **ldap_service_password_file**
722 This LDAP specific tag indicates the file containing the stashed
723 passwords (created by ``kdb5_ldap_util stashsrvpw``) for the
724 objects used by the Kerberos servers to bind to the LDAP server.
725 This file must be kept secure. This value is used if no service
726 password file is mentioned in the configuration section under
730 This LDAP specific tag indicates the list of LDAP servers that the
731 Kerberos servers can connect to. The list of LDAP servers is
732 whitespace-separated. The LDAP server is specified by a LDAP URI.
733 This value is used if no LDAP servers are mentioned in the
734 configuration section under dbmodules_. It is recommended to use
735 the ``ldapi://`` or ``ldaps://`` interface and not to use
736 ``ldap://`` interface.
738 **ldap_conns_per_server**
739 This LDAP specific tag indicates the number of connections to be
740 maintained per LDAP server. This value is used if the number of
741 connections per LDAP server are not mentioned in the configuration
742 section under dbmodules_. The default value is 5.
750 Contains database specific parameters used by the database library.
751 Each tag in the [dbmodules] section of the file names a configuration
752 section for database specific parameters that can be referred to by a
753 realm. The value of the tag is a subsection where the relations in
754 that subsection define the database specific parameters.
756 For each section, the following tags may be specified in the
760 This DB2-specific tag indicates the location of the database in
761 the filesystem. The default is
762 ``/usr/local/var/krb5kdc/principal``.
765 This tag indicates the name of the loadable database library. The
766 value should be ``db2`` for DB2 database and ``kldap`` for LDAP
770 This tag controls where the plugin system looks for modules. The
771 value should be an absolute path.
773 **disable_last_success**
774 If set to ``true``, suppresses KDC updates to the "Last successful
775 authentication" field of principal entries requiring
776 preauthentication. Setting this flag may improve performance.
777 (Principal entries which do not require preauthentication never
778 update the "Last successful authentication" field.).
781 If set to ``true``, suppresses KDC updates to the "Last failed
782 authentication" and "Failed password attempts" fields of principal
783 entries requiring preauthentication. Setting this flag may
784 improve performance, but also disables account lockout.
786 **ldap_conns_per_server**
787 This LDAP specific tags indicates the number of connections to be
788 maintained per LDAP server.
791 This LDAP specific tag indicates the default bind DN for the
792 Administration server. The administration server does a login to
793 the directory as this object. This object should have the rights
794 to read and write the Kerberos data in the LDAP database.
797 This LDAP specific tag indicates the default bind DN for the KDC
798 server. The KDC server does a login to the directory as this
799 object. This object should have the rights to read the Kerberos
800 data in the LDAP database.
802 **ldap_kerberos_container_dn**
803 This LDAP specific tag indicates the DN of the container object
804 where the realm objects will be located.
807 This LDAP specific tag indicates the list of LDAP servers that the
808 Kerberos servers can connect to. The list of LDAP servers is
809 whitespace-separated. The LDAP server is specified by a LDAP URI.
810 It is recommended to use ``ldapi://`` or ``ldaps://`` interface to
811 connect to the LDAP server.
813 **ldap_service_password_file**
814 This LDAP specific tag indicates the file containing the stashed
815 passwords (created by ``kdb5_ldap_util stashsrvpw``) for the
816 objects used by the Kerberos servers to bind to the LDAP server.
817 This file must be kept secure.
825 Each tag in the [appdefaults] section names a Kerberos V5 application
826 or an option that is used by some Kerberos V5 application[s]. The
827 value of the tag defines the default behaviors for that application.
847 The above four ways of specifying the value of an option are shown in
848 order of decreasing precedence. In this example, if telnet is running
849 in the realm EXAMPLE.COM, it should, by default, have option1 and
850 option2 set to true. However, a telnet program in the realm
851 ``ATHENA.MIT.EDU`` should have ``option1`` set to false and
852 ``option2`` set to true. Any other programs in ATHENA.MIT.EDU should
853 have ``option2`` set to false by default. Any programs running in
854 other realms should have ``option2`` set to true.
856 The list of specifiable options for each application may be found in
857 that application's man pages. The application defaults specified here
858 are overridden by those specified in the realms_ section.
867 * kadm5_hook_ interface
868 * clpreauth_ and kdcpreauth_ interfaces
870 Tags in the [plugins] section can be used to register dynamic plugin
871 modules and to turn modules on and off. Not every krb5 pluggable
872 interface uses the [plugins] section; the ones that do are documented
875 Each pluggable interface corresponds to a subsection of [plugins].
876 All subsections support the same tags:
879 This tag may have multiple values. If there are values for this
880 tag, then the named modules will be disabled for the pluggable
884 This tag may have multiple values. If there are values for this
885 tag, then only the named modules will be enabled for the pluggable
889 This tag may have multiple values. Each value is a string of the
890 form ``modulename:pathname``, which causes the shared object
891 located at *pathname* to be registered as a dynamic module named
892 *modulename* for the pluggable interface. If *pathname* is not an
893 absolute path, it will be treated as relative to the
894 ``krb5/plugins`` subdirectory of the krb5 library directory.
896 The following subsections are currently supported within the [plugins]
904 The pwqual subsection controls modules for the password quality
905 interface, which is used to reject weak passwords when passwords are
906 changed. In addition to any registered dynamic modules, the following
907 built-in modules exist (and may be disabled with the disable tag):
910 Checks against the realm dictionary file
913 Rejects empty passwords
916 Checks against user information stored in Hesiod (only if Kerberos
917 was built with Hesiod support)
920 Checks against components of the principal name
927 The kadm5_hook interface provides plugins with information on
928 principal creation, modification, password changes and deletion. This
929 interface can be used to write a plugin to synchronize MIT Kerberos
930 with another database such as Active Directory. No plugins are built
931 in for this interface.
937 clpreauth and kdcpreauth interfaces
938 ###################################
940 The clpreauth and kdcpreauth interfaces allow plugin modules to
941 provide client and KDC preauthentication mechanisms. The following
942 built-in modules exist for these interfaces:
945 This module implements the PKINIT preauthentication mechanism.
947 **encrypted_challenge**
948 This module implements the encrypted challenge FAST factor.
950 **encrypted_timestamp**
951 This module implements the encrypted timestamp mechanism.
957 * pkinit identity syntax
958 * pkinit krb5.conf options
960 .. note:: The following are pkinit-specific options. Note that these
961 values may be specified in [libdefaults] as global defaults,
962 or within a realm-specific subsection of [libdefaults], or
963 may be specified as realm-specific values in the [realms]
964 section. Also note that a realm-specific value over-rides,
965 does not add to, a generic [libdefaults] specification. The
968 1. realm-specific subsection of [libdefaults] :
973 pkinit_anchors = FILE\:/usr/local/example.com.crt
976 2. realm-specific value in the [realms] section,
981 pkinit_anchors = FILE\:/usr/local/otherrealm.org.crt
984 3. generic value in the [libdefaults] section.
988 pkinit_anchors = DIR\:/usr/local/generic_trusted_cas/
991 Specifying pkinit identity information
992 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
994 The syntax for specifying Public Key identity, trust, and revocation
995 information for pkinit is as follows:
997 **FILE:**\ *filename*\ [**,**\ *keyfilename*]
998 This option has context-specific behavior.
1000 In **pkinit_identity** or **pkinit_identities**, *filename*
1001 specifies the name of a PEM-format file containing the user's
1002 certificate. If *keyfilename* is not specified, the user's
1003 private key is expected to be in file-name as well. Otherwise,
1004 *keyfilename* is the name of the file containing the private key.
1006 In **pkinit_anchors** or **pkinit_pool**, *filename* is assumed to
1007 be the name of an OpenSSL-style ca-bundle file.
1010 This option has context-specific behavior.
1012 In **pkinit_identity** or **pkinit_identities**, *directory-name*
1013 specifies a directory with files named ``*.crt`` and ``*.key``
1014 where the first part of the file name is the same for matching
1015 pairs of certificate and private key files. When a file with a
1016 name ending with ``.crt`` is found, a matching file ending with
1017 ``.key`` is assumed to contain the private key. If no such file
1018 is found, then the certificate in the ``.crt`` is not used.
1020 In **pkinit_anchors** or **pkinit_pool**, *directory-name* is
1021 assumed to be an OpenSSL-style hashed CA directory where each CA
1022 cert is stored in a file named ``hash-of-ca-cert.#``. This
1023 infrastructure is encouraged, but all files in the directory will
1024 be examined and if they contain certificates (in PEM format), they
1027 In **pkinit_revoke**, *directory-name* is assumed to be an
1028 OpenSSL-style hashed CA directory where each revocation list is
1029 stored in a file named ``hash-of-ca-cert.r#``. This
1030 infrastructure is encouraged, but all files in the directory will
1031 be examined and if they contain a revocation list (in PEM format),
1034 **PKCS12:**\ *pkcs12-file-name*
1035 *pkcs12-file-name* is the name of a PKCS #12 format file,
1036 containing the user's certificate and private key.
1038 **PKCS11:**\ [**module_name=**]\ *module-name*\ [**:slotid=**\ *slot-id*][**:token=**\ *token-label*][**:certid=**\ *cert-id*][**:certlabel=**\ *cert-label*]
1039 All keyword/values are optional. *module-name* specifies the
1040 location of a library implementing PKCS #11. If a value is
1041 encountered with no keyword, it is assumed to be the
1042 *module-name*. If no module-name is specified, the default is
1043 ``opensc-pkcs11.so``. ``slotid=`` and/or ``token=`` may be
1044 specified to force the use of a particular smard card reader or
1045 token if there is more than one available. ``certid=`` and/or
1046 ``certlabel=`` may be specified to force the selection of a
1047 particular certificate on the device. See the
1048 **pkinit_cert_match** configuration option for more ways to select
1049 a particular certificate to use for pkinit.
1052 *envvar* specifies the name of an environment variable which has
1053 been set to a value conforming to one of the previous values. For
1054 example, ``ENV:X509_PROXY``, where environment variable
1055 ``X509_PROXY`` has been set to ``FILE:/tmp/my_proxy.pem``.
1058 PKINIT krb5.conf options
1059 ~~~~~~~~~~~~~~~~~~~~~~~~
1062 Specifies the location of trusted anchor (root) certificates which
1063 the client trusts to sign KDC certificates. This option may be
1064 specified multiple times. These values from the config file are
1065 not used if the user specifies X509_anchors on the command line.
1067 **pkinit_cert_match**
1068 Specifies matching rules that the client certificate must match
1069 before it is used to attempt pkinit authentication. If a user has
1070 multiple certificates available (on a smart card, or via other
1071 media), there must be exactly one certificate chosen before
1072 attempting pkinit authentication. This option may be specified
1073 multiple times. All the available certificates are checked
1074 against each rule in order until there is a match of exactly one
1077 The Subject and Issuer comparison strings are the :rfc:`2253`
1078 string representations from the certificate Subject DN and Issuer
1081 The syntax of the matching rules is:
1083 [*relation-operator*\ ]\ *component-rule* ...
1088 can be either ``&&``, meaning all component rules must match,
1089 or ``||``, meaning only one component rule must match. The
1093 can be one of the following. Note that there is no
1094 punctuation or whitespace between component rules.
1096 | **<SUBJECT>**\ *regular-expression*
1097 | **<ISSUER>**\ *regular-expression*
1098 | **<SAN>**\ *regular-expression*
1099 | **<EKU>**\ *extended-key-usage-list*
1100 | **<KU>**\ *key-usage-list*
1102 *extended-key-usage-list* is a comma-separated list of
1103 required Extended Key Usage values. All values in the list
1104 must be present in the certificate. Extended Key Usage values
1112 *key-usage-list* is a comma-separated list of required Key
1113 Usage values. All values in the list must be present in the
1114 certificate. Key Usage values can be:
1122 pkinit_cert_match = ||<SUBJECT>.*DoE.*<SAN>.*@EXAMPLE.COM
1123 pkinit_cert_match = &&<EKU>msScLogin,clientAuth<ISSUER>.*DoE.*
1124 pkinit_cert_match = <EKU>msScLogin,clientAuth<KU>digitalSignature
1126 **pkinit_eku_checking**
1127 This option specifies what Extended Key Usage value the KDC
1128 certificate presented to the client must contain. (Note that if
1129 the KDC certificate has the pkinit SubjectAlternativeName encoded
1130 as the Kerberos TGS name, EKU checking is not necessary since the
1131 issuing CA has certified this as a KDC certificate.) The values
1132 recognized in the krb5.conf file are:
1135 This is the default value and specifies that the KDC must have
1136 the id-pkinit-KPKdc EKU as defined in :rfc:`4556`.
1139 If **kpServerAuth** is specified, a KDC certificate with the
1140 id-kp-serverAuth EKU as used by Microsoft will be accepted.
1143 If **none** is specified, then the KDC certificate will not be
1144 checked to verify it has an acceptable EKU. The use of this
1145 option is not recommended.
1147 **pkinit_dh_min_bits**
1148 Specifies the size of the Diffie-Hellman key the client will
1149 attempt to use. The acceptable values are currently 1024, 2048,
1150 and 4096. The default is 2048.
1152 **pkinit_identities**
1153 Specifies the location(s) to be used to find the user's X.509
1154 identity information. This option may be specified multiple
1155 times. Each value is attempted in order until identity
1156 information is found and authentication is attempted. Note that
1157 these values are not used if the user specifies
1158 **X509_user_identity** on the command line.
1160 **pkinit_kdc_hostname**
1161 The presense of this option indicates that the client is willing
1162 to accept a KDC certificate with a dNSName SAN (Subject
1163 Alternative Name) rather than requiring the id-pkinit-san as
1164 defined in :rfc:`4556`. This option may be specified multiple
1165 times. Its value should contain the acceptable hostname for the
1166 KDC (as contained in its certificate).
1169 If this flag is set to true, we are talking to the Longhorn KDC.
1172 Specifies the location of intermediate certificates which may be
1173 used by the client to complete the trust chain between a KDC
1174 certificate and a trusted anchor. This option may be specified
1177 **pkinit_require_crl_checking**
1178 The default certificate verification process will always check the
1179 available revocation information to see if a certificate has been
1180 revoked. If a match is found for the certificate in a CRL,
1181 verification fails. If the certificate being verified is not
1182 listed in a CRL, or there is no CRL present for its issuing CA,
1183 and **pkinit_require_crl_checking** is false, then verification
1186 However, if **pkinit_require_crl_checking** is true and there is
1187 no CRL information available for the issuing CA, then verification
1190 **pkinit_require_crl_checking** should be set to true if the
1191 policy is such that up-to-date CRLs must be present for every CA.
1194 Specifies the location of Certificate Revocation List (CRL)
1195 information to be used by the client when verifying the validity
1196 of the KDC certificate presented. This option may be specified
1200 This flag specifies whether the target realm is assumed to support
1201 only the old, pre-RFC version of the protocol. The default is
1204 **pkinit_win2k_require_binding**
1205 If this flag is set to true, it expects that the target KDC is
1206 patched to return a reply with a checksum rather than a nonce.
1207 The default is false.
1210 Sample krb5.conf file
1211 ---------------------
1213 Here is an example of a generic krb5.conf file:
1217 default_realm = ATHENA.MIT.EDU
1218 default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
1219 default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
1220 dns_lookup_kdc = true
1221 dns_lookup_realm = false
1225 kdc = kerberos.mit.edu
1226 kdc = kerberos-1.mit.edu
1227 kdc = kerberos-2.mit.edu:750
1228 admin_server = kerberos.mit.edu
1229 master_kdc = kerberos.mit.edu
1230 default_domain = mit.edu
1233 kdc = kerberos.example.com
1234 kdc = kerberos-1.example.com
1235 admin_server = kerberos.example.com
1237 OPENLDAP.MIT.EDU = {
1238 kdc = kerberos.mit.edu
1239 admin_server = kerberos.mit.edu
1240 database_module = openldap_ldapconf
1244 .mit.edu = ATHENA.MIT.EDU
1245 mit.edu = ATHENA.MIT.EDU
1257 admin_server = FILE=/var/kadm5.log
1259 ldap_kerberos_container_dn = cn=krbcontainer,dc=example,dc=com
1261 openldap_ldapconf = {
1263 disable_last_success = true
1264 ldap_kerberos_container_dn = cn=krbcontainer,dc=example,dc=com
1265 ldap_kdc_dn = "cn=krbadmin,dc=example,dc=com"
1266 # this object needs to have read rights on
1267 # the realm container and principal subtrees
1268 ldap_kadmind_dn = "cn=krbadmin,dc=example,dc=com"
1269 # this object needs to have read and write rights on
1270 # the realm container and principal subtrees
1271 ldap_service_password_file = /etc/kerberos/service.keyfile
1272 ldap_servers = ldaps://kerberos.mit.edu
1273 ldap_conns_per_server = 5