+.TH "KRB5.CONF" "5" " " "0.0.1" "MIT Kerberos"
+.SH NAME
+krb5.conf \- Kerberos configuration file
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.\" Man page generated from reStructeredText.
+.
+.sp
+The krb5.conf file contains Kerberos configuration information,
+including the locations of KDCs and admin servers for the Kerberos
+realms of interest, defaults for the current realm and for Kerberos
+applications, and mappings of hostnames onto Kerberos realms.
+Normally, you should install your krb5.conf file in the directory
+\fB/etc\fP. You can override the default location by setting the
+environment variable \fBKRB5_CONFIG\fP.
+.SH STRUCTURE
+.sp
+The krb5.conf file is set up in the style of a Windows INI file.
+Sections are headed by the section name, in square brackets. Each
+section may contain zero or more relations, of the form:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+foo = bar
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B or
+.sp
+.nf
+.ft C
+fubar = {
+ foo = bar
+ baz = quux
+}
+.ft P
+.fi
+.UNINDENT
+.sp
+Placing a \(aq*\(aq at the end of a line indicates that this is the \fIfinal\fP
+value for the tag. This means that neither the remainder of this
+configuration file nor any other configuration file will be checked
+for any other values for this tag.
+.INDENT 0.0
+.TP
+.B For example, if you have the following lines:
+.sp
+.nf
+.ft C
+foo = bar*
+foo = baz
+.ft P
+.fi
+.UNINDENT
+.sp
+then the second value of \fBfoo\fP (\fBbaz\fP) would never be read.
+.sp
+The krb5.conf file can include other files using either of the
+following directives at the beginning of a line:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+include FILENAME
+includedir DIRNAME
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+\fIFILENAME\fP or \fIDIRNAME\fP should be an absolute path. The named file or
+directory must exist and be readable. Including a directory includes
+all files within the directory whose names consist solely of
+alphanumeric characters, dashes, or underscores. Included profile
+files are syntactically independent of their parents, so each included
+file must begin with a section header.
+.sp
+The krb5.conf file can specify that configuration should be obtained
+from a loadable module, rather than the file itself, using the
+following directive at the beginning of a line before any section
+headers:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+module MODULEPATH:RESIDUAL
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+\fIMODULEPATH\fP may be relative to the library path of the krb5
+installation, or it may be an absolute path. \fIRESIDUAL\fP is provided
+to the module at initialization time. If krb5.conf uses a module
+directive, \fIkdc.conf(5)\fP should also use one if it exists.
+.SH SECTIONS
+.sp
+The krb5.conf file may contain the following sections:
+.TS
+center;
+|l|l|.
+_
+T{
+\fI\%[libdefaults]\fP
+T} T{
+Settings used by the Kerberos V5 library
+T}
+_
+T{
+\fI\%[realms]\fP
+T} T{
+Realm\-specific contact information and settings
+T}
+_
+T{
+\fI\%[domain_realm]\fP
+T} T{
+Maps server hostnames to Kerberos realms
+T}
+_
+T{
+\fI\%[capaths]\fP
+T} T{
+Authentication paths for non\-hierarchical cross\-realm
+T}
+_
+T{
+\fI\%[appdefaults]\fP
+T} T{
+Settings used by some Kerberos V5 applications
+T}
+_
+T{
+\fI\%[plugins]\fP
+T} T{
+Controls plugin module registration
+T}
+_
+.TE
+.SS [libdefaults]
+.sp
+The libdefaults section may contain any of the following relations:
+.INDENT 0.0
+.TP
+.B \fBallow_weak_crypto\fP
+.sp
+If this flag is set to false, then weak encryption types will be
+filtered out of the previous three lists (as noted in
+\fIEncryption_and_salt_types\fP in \fIkdc.conf(5)\fP). The
+default value for this tag is false, which may cause
+authentication failures in existing Kerberos infrastructures that
+do not support strong crypto. Users in affected environments
+should set this tag to true until their infrastructure adopts
+stronger ciphers.
+.TP
+.B \fBap_req_checksum_type\fP
+.sp
+An integer which specifies the type of AP\-REQ checksum to use in
+authenticators. This variable should be unset so the appropriate
+checksum for the encryption key in use will be used. This can be
+set if backward compatibility requires a specific checksum type.
+See the \fBkdc_req_checksum_type\fP configuration option for the
+possible values and their meanings.
+.TP
+.B \fBcanonicalize\fP
+.sp
+If this flag is set to true, initial ticket requests to the KDC
+will request canonicalization of the client principal name, and
+answers with different client principals than the requested
+principal will be accepted. The default value is false.
+.TP
+.B \fBccache_type\fP
+.sp
+This parameter determines the format of credential cache types
+created by \fIkinit(1)\fP or other programs. The default value
+is 4, which represents the most current format. Smaller values
+can be used for compatibility with very old implementations of
+Kerberos which interact with credential caches on the same host.
+.TP
+.B \fBclockskew\fP
+.sp
+Sets the maximum allowable amount of clockskew in seconds that the
+library will tolerate before assuming that a Kerberos message is
+invalid. The default value is 300 seconds, or five minutes.
+.TP
+.B \fBdefault_keytab_name\fP
+.sp
+This relation specifies the default keytab name to be used by
+application servers such as telnetd and rlogind. The default is
+\fB/etc/krb5.keytab\fP.
+.TP
+.B \fBdefault_realm\fP
+.sp
+Identifies the default Kerberos realm for the client. Set its
+value to your Kerberos realm. If this value is not set, then a
+realm must be specified with every Kerberos principal when
+invoking programs such as \fIkinit(1)\fP.
+.TP
+.B \fBdefault_tgs_enctypes\fP
+.sp
+Identifies the supported list of session key encryption types that
+should be returned by the KDC. The list may be delimited with
+commas or whitespace. See \fIEncryption_and_salt_types\fP in
+\fIkdc.conf(5)\fP for a list of the accepted values for this tag.
+The default value is \fBaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 des3\-cbc\-sha1 arcfour\-hmac\-md5 des\-cbc\-crc des\-cbc\-md5 des\-cbc\-md4\fP, but single\-DES encryption types
+will be implicitly removed from this list if the value of
+\fBallow_weak_crypto\fP is false.
+.TP
+.B \fBdefault_tkt_enctypes\fP
+.sp
+Identifies the supported list of session key encryption types that
+should be requested by the client. The format is the same as for
+default_tgs_enctypes. The default value for this tag is
+\fBaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 des3\-cbc\-sha1 arcfour\-hmac\-md5 des\-cbc\-crc des\-cbc\-md5 des\-cbc\-md4\fP, but single\-DES encryption types will be implicitly
+removed from this list if the value of \fBallow_weak_crypto\fP is
+false.
+.TP
+.B \fBdns_lookup_kdc\fP
+.sp
+Indicate whether DNS SRV records should be used to locate the KDCs
+and other servers for a realm, if they are not listed in the
+krb5.conf information for the realm. (Note that the admin_server
+entry must be in the krb5.conf realm information in order to
+contact kadmind, because the DNS implementation for kadmin is
+incomplete.)
+.sp
+Enabling this option does open up a type of denial\-of\-service
+attack, if someone spoofs the DNS records and redirects you to
+another server. However, it\(aqs no worse than a denial of service,
+because that fake KDC will be unable to decode anything you send
+it (besides the initial ticket request, which has no encrypted
+data), and anything the fake KDC sends will not be trusted without
+verification using some secret that it won\(aqt know.
+.TP
+.B \fBextra_addresses\fP
+.sp
+This allows a computer to use multiple local addresses, in order
+to allow Kerberos to work in a network that uses NATs while still
+using address\-restricted tickets. The addresses should be in a
+comma\-separated list. This option has no effect if
+\fBnoaddresses\fP is true.
+.TP
+.B \fBforwardable\fP
+.sp
+If this flag is true, initial tickets will be forwardable by
+default, if allowed by the KDC. The default value is false.
+.TP
+.B \fBignore_acceptor_hostname\fP
+.sp
+When accepting GSSAPI or krb5 security contexts for host\-based
+service principals, ignore any hostname passed by the calling
+application, and allow clients to authenticate to any service
+principal in the keytab matching the service name and realm name
+(if given). This option can improve the administrative
+flexibility of server applications on multihomed hosts, but could
+compromise the security of virtual hosting environments. The
+default value is false.
+.TP
+.B \fBk5login_authoritative\fP
+.sp
+If this flag is true, principals must be listed in a local user\(aqs
+k5login file to be granted login access, if a \fI.k5login(5)\fP
+file exists. If this flag is false, a principal may still be
+granted login access through other mechanisms even if a k5login
+file exists but does not list the principal. The default value is
+true.
+.TP
+.B \fBk5login_directory\fP
+.sp
+If set, the library will look for a local user\(aqs k5login file
+within the named directory, with a filename corresponding to the
+local username. If not set, the library will look for k5login
+files in the user\(aqs home directory, with the filename .k5login.
+For security reasons, .k5login files must be owned by
+the local user or by root.
+.TP
+.B \fBkdc_default_options\fP
+.sp
+Default KDC options (Xored for multiple values) when requesting
+initial tickets. By default it is set to 0x00000010
+(KDC_OPT_RENEWABLE_OK).
+.TP
+.B \fBkdc_timesync\fP
+.sp
+If this flag is true, client machines will compute the difference
+between their time and the time returned by the KDC in the
+timestamps in the tickets and use this value to correct for an
+inaccurate system clock when requesting service tickets or
+authenticating to services. This corrective factor is only used
+by the Kerberos library; it is not used to change the system
+clock. The default value is true.
+.TP
+.B \fBkdc_req_checksum_type\fP
+.sp
+An integer which specifies the type of checksum to use for the KDC
+requests, for compatibility with very old KDC implementations.
+This value is only used for DES keys; other keys use the preferred
+checksum type for those keys.
+.sp
+The possible values and their meanings are as follows.
+.TS
+center;
+|l|l|.
+_
+T{
+1
+T} T{
+CRC32
+T}
+_
+T{
+2
+T} T{
+RSA MD4
+T}
+_
+T{
+3
+T} T{
+RSA MD4 DES
+T}
+_
+T{
+4
+T} T{
+DES CBC
+T}
+_
+T{
+7
+T} T{
+RSA MD5
+T}
+_
+T{
+8
+T} T{
+RSA MD5 DES
+T}
+_
+T{
+9
+T} T{
+NIST SHA
+T}
+_
+T{
+12
+T} T{
+HMAC SHA1 DES3
+T}
+_
+T{
+\-138
+T} T{
+Microsoft MD5 HMAC checksum type
+T}
+_
+.TE
+.TP
+.B \fBnoaddresses\fP
+.sp
+If this flag is true, requests for initial tickets will not be
+made with address restrictions set, allowing the tickets to be
+used across NATs. The default value is true.
+.TP
+.B \fBpermitted_enctypes\fP
+.sp
+Identifies all encryption types that are permitted for use in
+session key encryption. The default value for this tag is
+\fBaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 des3\-cbc\-sha1 arcfour\-hmac\-md5 des\-cbc\-crc des\-cbc\-md5 des\-cbc\-md4\fP, but single\-DES encryption types will be implicitly
+removed from this list if the value of \fBallow_weak_crypto\fP is
+false.
+.TP
+.B \fBplugin_base_dir\fP
+.sp
+If set, determines the base directory where krb5 plugins are
+located. The default value is the \fBkrb5/plugins\fP subdirectory
+of the krb5 library directory.
+.TP
+.B \fBpreferred_preauth_types\fP
+.sp
+This allows you to set the preferred preauthentication types which
+the client will attempt before others which may be advertised by a
+KDC. The default value for this setting is "17, 16, 15, 14",
+which forces libkrb5 to attempt to use PKINIT if it is supported.
+.TP
+.B \fBproxiable\fP
+.sp
+If this flag is true, initial tickets will be proxiable by
+default, if allowed by the KDC. The default value is false.
+.TP
+.B \fBrdns\fP
+.sp
+If this flag is true, reverse name lookup will be used in addition
+to forward name lookup to canonicalizing hostnames for use in
+service principal names. The default value is true.
+.TP
+.B \fBrealm_try_domains\fP
+.sp
+Indicate whether a host\(aqs domain components should be used to
+determine the Kerberos realm of the host. The value of this
+variable is an integer: \-1 means not to search, 0 means to try the
+host\(aqs domain itself, 1 means to also try the domain\(aqs immediate
+parent, and so forth. The library\(aqs usual mechanism for locating
+Kerberos realms is used to determine whether a domain is a valid
+realm\-\-which may involve consulting DNS if \fBdns_lookup_kdc\fP is
+set. The default is not to search domain components.
+.TP
+.B \fBrenew_lifetime\fP
+.sp
+Sets the default renewable lifetime for initial ticket requests.
+The default value is 0.
+.TP
+.B \fBsafe_checksum_type\fP
+.sp
+An integer which specifies the type of checksum to use for the
+KRB\-SAFE requests. By default it is set to 8 (RSA MD5 DES). For
+compatibility with applications linked against DCE version 1.1 or
+earlier Kerberos libraries, use a value of 3 to use the RSA MD4
+DES instead. This field is ignored when its value is incompatible
+with the session key type. See the \fBkdc_req_checksum_type\fP
+configuration option for the possible values and their meanings.
+.TP
+.B \fBticket_lifetime\fP
+.sp
+Sets the default lifetime for initial ticket requests. The
+default value is 1 day.
+.TP
+.B \fBudp_preference_limit\fP
+.sp
+When sending a message to the KDC, the library will try using TCP
+before UDP if the size of the message is above
+\fBudp_preference_limit\fP. If the message is smaller than
+\fBudp_preference_limit\fP, then UDP will be tried before TCP.
+Regardless of the size, both protocols will be tried if the first
+attempt fails.
+.TP
+.B \fBverify_ap_req_nofail\fP
+.sp
+If this flag is true, then an attempt to verify initial
+credentials will fail if the client machine does not have a
+keytab. The default value is false.
+.UNINDENT
+.SS [realms]
+.sp
+Each tag in the [realms] section of the file is the name of a Kerberos
+realm. The value of the tag is a subsection with relations that
+define the properties of that particular realm. For each realm, the
+following tags may be specified in the realm\(aqs subsection:
+.INDENT 0.0
+.TP
+.B \fBadmin_server\fP
+.sp
+Identifies the host where the administration server is running.
+Typically, this is the master Kerberos server. This tag must be
+given a value in order to communicate with the \fIkadmind(8)\fP
+server for the realm.
+.TP
+.B \fBauth_to_local\fP
+.sp
+This tag allows you to set a general rule for mapping principal
+names to local user names. It will be used if there is not an
+explicit mapping for the principal name that is being
+translated. The possible values are:
+.INDENT 7.0
+.TP
+.B \fBRULE:\fP\fIexp\fP
+.sp
+The local name will be formulated from \fIexp\fP.
+.sp
+The format for \fIexp\fP is \fB[\fP\fIn\fP\fB:\fP\fIstring\fP\fB](\fP\fIregexp\fP\fB)s/\fP\fIpattern\fP\fB/\fP\fIreplacement\fP\fB/g\fP.
+The integer \fIn\fP indicates how many components the target
+principal should have. If this matches, then a string will be
+formed from \fIstring\fP, substituting the realm of the principal
+for \fB$0\fP and the \fIn\fP\(aqth component of the principal for
+\fB$n\fP (e.g. if the principal was \fBjohndoe/admin\fP then
+\fB[2:$2$1foo]\fP would result in the string
+\fBadminjohndoefoo\fP). If this string matches \fIregexp\fP, then
+the \fBs//[g]\fP substitution command will be run over the
+string. The optional \fBg\fP will cause the substitution to be
+global over the \fIstring\fP, instead of replacing only the first
+match in the \fIstring\fP.
+.TP
+.B \fBDEFAULT\fP
+.sp
+The principal name will be used as the local user name. If
+the principal has more than one component or is not in the
+default realm, this rule is not applicable and the conversion
+will fail.
+.TP
+.B For example:
+.sp
+.nf
+.ft C
+[realms]
+ ATHENA.MIT.EDU = {
+ auth_to_local = RULE:[2:$1](johndoe)s/^.*$/guest/
+ auth_to_local = RULE:[2:$1;$2](^.*;admin$)s/;admin$//
+ auth_to_local = RULE:[2:$2](^.*;root)s/^.*$/root/
+ auto_to_local = DEFAULT
+ }
+.ft P
+.fi
+.UNINDENT
+.sp
+would result in any principal without \fBroot\fP or \fBadmin\fP as the
+second component to be translated with the default rule. A
+principal with a second component of \fBadmin\fP will become its
+first component. \fBroot\fP will be used as the local name for any
+principal with a second component of \fBroot\fP. The exception to
+these two rules are any principals \fBjohndoe/*\fP, which will
+always get the local name \fBguest\fP.
+.TP
+.B \fBauth_to_local_names\fP
+.sp
+This subsection allows you to set explicit mappings from principal
+names to local user names. The tag is the mapping name, and the
+value is the corresponding local user name.
+.TP
+.B \fBdefault_domain\fP
+.sp
+This tag specifies the domain used to expand hostnames when
+translating Kerberos 4 service principals to Kerberos 5 principals
+(for example, when converting \fBrcmd.hostname\fP to
+\fBhost/hostname.domain\fP).
+.TP
+.B \fBkdc\fP
+.sp
+The name or address of a host running a KDC for that realm. An
+optional port number, separated from the hostname by a colon, may
+be included. If the name or address contains colons (for example,
+if it is an IPv6 address), enclose it in square brackets to
+distinguish the colon from a port separator. For your computer to
+be able to communicate with the KDC for each realm, this tag must
+be given a value in each realm subsection in the configuration
+file, or there must be DNS SRV records specifying the KDCs.
+.TP
+.B \fBkpasswd_server\fP
+.sp
+Points to the server where all the password changes are performed.
+If there is no such entry, the port 464 on the \fBadmin_server\fP
+host will be tried.
+.TP
+.B \fBmaster_kdc\fP
+.sp
+Identifies the master KDC(s). Currently, this tag is used in only
+one case: If an attempt to get credentials fails because of an
+invalid password, the client software will attempt to contact the
+master KDC, in case the user\(aqs password has just been changed, and
+the updated database has not been propagated to the slave servers
+yet.
+.TP
+.B \fBv4_instance_convert\fP
+.sp
+This subsection allows the administrator to configure exceptions
+to the \fBdefault_domain\fP mapping rule. It contains V4 instances
+(the tag name) which should be translated to some specific
+hostname (the tag value) as the second component in a Kerberos V5
+principal name.
+.TP
+.B \fBv4_realm\fP
+.sp
+This relation is used by the krb524 library routines when
+converting a V5 principal name to a V4 principal name. It is used
+when the V4 realm name and the V5 realm name are not the same, but
+still share the same principal names and passwords. The tag value
+is the Kerberos V4 realm name.
+.UNINDENT
+.SS [domain_realm]
+.sp
+The [domain_realm] section provides a translation from a domain name
+or hostname to a Kerberos realm name. The tag name can be a host name
+or domain name, where domain names are indicated by a prefix of a
+period (\fB.\fP). The value of the relation is the Kerberos realm name
+for that particular host or domain. The Kerberos realm may be
+identified either in the \fI\%realms\fP section or using DNS SRV records.
+Host names and domain names should be in lower case. For example:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+[domain_realm]
+ crash.mit.edu = TEST.ATHENA.MIT.EDU
+ .mit.edu = ATHENA.MIT.EDU
+ mit.edu = ATHENA.MIT.EDU
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+maps the host with the exact name \fBcrash.mit.edu\fP into the
+TEST.ATHENA.MIT.EDU realm. The period prefix in \fB.mit.edu\fP denotes
+that all systems in the \fBmit.edu\fP domain belong to
+\fBATHENA.MIT.EDU\fP realm. The third entry maps the host \fBmit.edu\fP
+itself to the \fBATHENA.MIT.EDU\fP realm.
+.sp
+If no translation entry applies to a hostname used for a service
+principal for a service ticket request, the library will try to get a
+referral to the appropriate realm from the client realm\(aqs KDC. If
+that does not succeed, the host\(aqs realm is considered to be the
+hostname\(aqs domain portion converted to uppercase, unless the
+\fBrealm_try_domains\fP setting in [libdefaults] causes a different
+parent domain to be used.
+.SS [capaths]
+.sp
+In order to perform direct (non\-hierarchical) cross\-realm
+authentication, configuration is needed to determine the
+authentication paths between realms.
+.sp
+A client will use this section to find the authentication path between
+its realm and the realm of the server. The server will use this
+section to verify the authentication path used by the client, by
+checking the transited field of the received ticket.
+.sp
+There is a tag for each participating client realm, and each tag has
+subtags for each of the server realms. The value of the subtags is an
+intermediate realm which may participate in the cross\-realm
+authentication. The subtags may be repeated if there is more then one
+intermediate realm. A value of "." means that the two realms share
+keys directly, and no intermediate realms should be allowed to
+participate.
+.sp
+Only those entries which will be needed on the client or the server
+need to be present. A client needs a tag for its local realm with
+subtags for all the realms of servers it will need to authenticate to.
+A server needs a tag for each realm of the clients it will serve, with
+a subtag of the server realm.
+.sp
+For example, \fBANL.GOV\fP, \fBPNL.GOV\fP, and \fBNERSC.GOV\fP all wish to
+use the \fBES.NET\fP realm as an intermediate realm. ANL has a sub
+realm of \fBTEST.ANL.GOV\fP which will authenticate with \fBNERSC.GOV\fP
+but not \fBPNL.GOV\fP. The [capaths] section for \fBANL.GOV\fP systems
+would look like this:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+[capaths]
+ ANL.GOV = {
+ TEST.ANL.GOV = .
+ PNL.GOV = ES.NET
+ NERSC.GOV = ES.NET
+ ES.NET = .
+ }
+ TEST.ANL.GOV = {
+ ANL.GOV = .
+ }
+ PNL.GOV = {
+ ANL.GOV = ES.NET
+ }
+ NERSC.GOV = {
+ ANL.GOV = ES.NET
+ }
+ ES.NET = {
+ ANL.GOV = .
+ }
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+The [capaths] section of the configuration file used on \fBNERSC.GOV\fP
+systems would look like this:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+[capaths]
+ NERSC.GOV = {
+ ANL.GOV = ES.NET
+ TEST.ANL.GOV = ES.NET
+ TEST.ANL.GOV = ANL.GOV
+ PNL.GOV = ES.NET
+ ES.NET = .
+ }
+ ANL.GOV = {
+ NERSC.GOV = ES.NET
+ }
+ PNL.GOV = {
+ NERSC.GOV = ES.NET
+ }
+ ES.NET = {
+ NERSC.GOV = .
+ }
+ TEST.ANL.GOV = {
+ NERSC.GOV = ANL.GOV
+ NERSC.GOV = ES.NET
+ }
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+When a subtag is used more than once within a tag, clients will use
+the order of values to determine the path. The order of values is not
+important to servers.
+.SS [appdefaults]
+.sp
+Each tag in the [appdefaults] section names a Kerberos V5 application
+or an option that is used by some Kerberos V5 application[s]. The
+value of the tag defines the default behaviors for that application.
+.INDENT 0.0
+.TP
+.B For example:
+.sp
+.nf
+.ft C
+[appdefaults]
+ telnet = {
+ ATHENA.MIT.EDU = {
+ option1 = false
+ }
+ }
+ telnet = {
+ option1 = true
+ option2 = true
+ }
+ ATHENA.MIT.EDU = {
+ option2 = false
+ }
+ option2 = true
+.ft P
+.fi
+.UNINDENT
+.sp
+The above four ways of specifying the value of an option are shown in
+order of decreasing precedence. In this example, if telnet is running
+in the realm EXAMPLE.COM, it should, by default, have option1 and
+option2 set to true. However, a telnet program in the realm
+\fBATHENA.MIT.EDU\fP should have \fBoption1\fP set to false and
+\fBoption2\fP set to true. Any other programs in ATHENA.MIT.EDU should
+have \fBoption2\fP set to false by default. Any programs running in
+other realms should have \fBoption2\fP set to true.
+.sp
+The list of specifiable options for each application may be found in
+that application\(aqs man pages. The application defaults specified here
+are overridden by those specified in the \fI\%realms\fP section.
+.SS [plugins]
+.INDENT 0.0
+.INDENT 3.5
+.INDENT 0.0
+.IP \(bu 2
+.
+\fI\%pwqual\fP interface
+.IP \(bu 2
+.
+\fI\%kadm5_hook\fP interface
+.IP \(bu 2
+.
+\fI\%clpreauth\fP and \fI\%kdcpreauth\fP interfaces
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.sp
+Tags in the [plugins] section can be used to register dynamic plugin
+modules and to turn modules on and off. Not every krb5 pluggable
+interface uses the [plugins] section; the ones that do are documented
+here.
+.sp
+Each pluggable interface corresponds to a subsection of [plugins].
+All subsections support the same tags:
+.INDENT 0.0
+.TP
+.B \fBdisable\fP
+.sp
+This tag may have multiple values. If there are values for this
+tag, then the named modules will be disabled for the pluggable
+interface.
+.TP
+.B \fBenable_only\fP
+.sp
+This tag may have multiple values. If there are values for this
+tag, then only the named modules will be enabled for the pluggable
+interface.
+.TP
+.B \fBmodule\fP
+.sp
+This tag may have multiple values. Each value is a string of the
+form \fBmodulename:pathname\fP, which causes the shared object
+located at \fIpathname\fP to be registered as a dynamic module named
+\fImodulename\fP for the pluggable interface. If \fIpathname\fP is not an
+absolute path, it will be treated as relative to the
+\fBplugin_base_dir\fP value from \fI\%[libdefaults]\fP.
+.UNINDENT
+.sp
+The following subsections are currently supported within the [plugins]
+section:
+.SS ccselect interface
+.sp
+The ccselect subsection controls modules for credential cache
+selection within a cache collection. In addition to any registered
+dynamic modules, the following built\-in modules exist (and may be
+disabled with the disable tag):
+.INDENT 0.0
+.TP
+.B \fBk5identity\fP
+.sp
+Uses a .k5identity file in the user\(aqs home directory to select a
+client principal
+.TP
+.B \fBrealm\fP
+.sp
+Uses the service realm to guess an appropriate cache from the
+collection
+.UNINDENT
+.SS pwqual interface
+.sp
+The pwqual subsection controls modules for the password quality
+interface, which is used to reject weak passwords when passwords are
+changed. The following built\-in modules exist for this interface:
+.INDENT 0.0
+.TP
+.B \fBdict\fP
+.sp
+Checks against the realm dictionary file
+.TP
+.B \fBempty\fP
+.sp
+Rejects empty passwords
+.TP
+.B \fBhesiod\fP
+.sp
+Checks against user information stored in Hesiod (only if Kerberos
+was built with Hesiod support)
+.TP
+.B \fBprinc\fP
+.sp
+Checks against components of the principal name
+.UNINDENT
+.SS kadm5_hook interface
+.sp
+The kadm5_hook interface provides plugins with information on
+principal creation, modification, password changes and deletion. This
+interface can be used to write a plugin to synchronize MIT Kerberos
+with another database such as Active Directory. No plugins are built
+in for this interface.
+.SS clpreauth and kdcpreauth interfaces
+.sp
+The clpreauth and kdcpreauth interfaces allow plugin modules to
+provide client and KDC preauthentication mechanisms. The following
+built\-in modules exist for these interfaces:
+.INDENT 0.0
+.TP
+.B \fBpkinit\fP
+.sp
+This module implements the PKINIT preauthentication mechanism.
+.TP
+.B \fBencrypted_challenge\fP
+.sp
+This module implements the encrypted challenge FAST factor.
+.TP
+.B \fBencrypted_timestamp\fP
+.sp
+This module implements the encrypted timestamp mechanism.
+.UNINDENT
+.SH PKINIT OPTIONS
+.IP Note
+.
+The following are PKINIT\-specific options. These values may
+be specified in [libdefaults] as global defaults, or within
+a realm\-specific subsection of [libdefaults], or may be
+specified as realm\-specific values in the [realms] section.
+A realm\-specific value overrides, not adds to, a generic
+[libdefaults] specification. The search order is:
+.RE
+.INDENT 0.0
+.IP 1. 3
+.
+realm\-specific subsection of [libdefaults]:
+.INDENT 3.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+[libdefaults]
+ EXAMPLE.COM = {
+ pkinit_anchors = FILE\e:/usr/local/example.com.crt
+ }
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.IP 2. 3
+.
+realm\-specific value in the [realms] section,
+.INDENT 3.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+[realms]
+ OTHERREALM.ORG = {
+ pkinit_anchors = FILE\e:/usr/local/otherrealm.org.crt
+ }
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.IP 3. 3
+.
+generic value in the [libdefaults] section.
+.INDENT 3.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+[libdefaults]
+ pkinit_anchors = DIR\e:/usr/local/generic_trusted_cas/
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.SS Specifying PKINIT identity information
+.sp
+The syntax for specifying Public Key identity, trust, and revocation
+information for PKINIT is as follows:
+.INDENT 0.0
+.TP
+.B \fBFILE:\fP\fIfilename\fP[\fB,\fP\fIkeyfilename\fP]
+.sp
+This option has context\-specific behavior.
+.sp
+In \fBpkinit_identity\fP or \fBpkinit_identities\fP, \fIfilename\fP
+specifies the name of a PEM\-format file containing the user\(aqs
+certificate. If \fIkeyfilename\fP is not specified, the user\(aqs
+private key is expected to be in \fIfilename\fP as well. Otherwise,
+\fIkeyfilename\fP is the name of the file containing the private key.
+.sp
+In \fBpkinit_anchors\fP or \fBpkinit_pool\fP, \fIfilename\fP is assumed to
+be the name of an OpenSSL\-style ca\-bundle file.
+.TP
+.B \fBDIR:\fP\fIdirname\fP
+.sp
+This option has context\-specific behavior.
+.sp
+In \fBpkinit_identity\fP or \fBpkinit_identities\fP, \fIdirname\fP
+specifies a directory with files named \fB*.crt\fP and \fB*.key\fP
+where the first part of the file name is the same for matching
+pairs of certificate and private key files. When a file with a
+name ending with \fB.crt\fP is found, a matching file ending with
+\fB.key\fP is assumed to contain the private key. If no such file
+is found, then the certificate in the \fB.crt\fP is not used.
+.sp
+In \fBpkinit_anchors\fP or \fBpkinit_pool\fP, \fIdirname\fP is assumed to
+be an OpenSSL\-style hashed CA directory where each CA cert is
+stored in a file named \fBhash\-of\-ca\-cert.#\fP. This infrastructure
+is encouraged, but all files in the directory will be examined and
+if they contain certificates (in PEM format), they will be used.
+.sp
+In \fBpkinit_revoke\fP, \fIdirname\fP is assumed to be an OpenSSL\-style
+hashed CA directory where each revocation list is stored in a file
+named \fBhash\-of\-ca\-cert.r#\fP. This infrastructure is encouraged,
+but all files in the directory will be examined and if they
+contain a revocation list (in PEM format), they will be used.
+.TP
+.B \fBPKCS12:\fP\fIfilename\fP
+.sp
+\fIfilename\fP is the name of a PKCS #12 format file, containing the
+user\(aqs certificate and private key.
+.TP
+.B \fBPKCS11:\fP[\fBmodule_name=\fP]\fImodname\fP[\fB:slotid=\fP\fIslot\-id\fP][\fB:token=\fP\fItoken\-label\fP][\fB:certid=\fP\fIcert\-id\fP][\fB:certlabel=\fP\fIcert\-label\fP]
+.sp
+All keyword/values are optional. \fImodname\fP specifies the location
+of a library implementing PKCS #11. If a value is encountered
+with no keyword, it is assumed to be the \fImodname\fP. If no
+module\-name is specified, the default is \fBopensc\-pkcs11.so\fP.
+\fBslotid=\fP and/or \fBtoken=\fP may be specified to force the use of
+a particular smard card reader or token if there is more than one
+available. \fBcertid=\fP and/or \fBcertlabel=\fP may be specified to
+force the selection of a particular certificate on the device.
+See the \fBpkinit_cert_match\fP configuration option for more ways
+to select a particular certificate to use for PKINIT.
+.TP
+.B \fBENV:\fP\fIenvvar\fP
+.sp
+\fIenvvar\fP specifies the name of an environment variable which has
+been set to a value conforming to one of the previous values. For
+example, \fBENV:X509_PROXY\fP, where environment variable
+\fBX509_PROXY\fP has been set to \fBFILE:/tmp/my_proxy.pem\fP.
+.UNINDENT
+.SS PKINIT krb5.conf options
+.INDENT 0.0
+.TP
+.B \fBpkinit_anchors\fP
+.sp
+Specifies the location of trusted anchor (root) certificates which
+the client trusts to sign KDC certificates. This option may be
+specified multiple times. These values from the config file are
+not used if the user specifies X509_anchors on the command line.
+.TP
+.B \fBpkinit_cert_match\fP
+.sp
+Specifies matching rules that the client certificate must match
+before it is used to attempt PKINIT authentication. If a user has
+multiple certificates available (on a smart card, or via other
+media), there must be exactly one certificate chosen before
+attempting PKINIT authentication. This option may be specified
+multiple times. All the available certificates are checked
+against each rule in order until there is a match of exactly one
+certificate.
+.sp
+The Subject and Issuer comparison strings are the \fI\%RFC 2253\fP
+string representations from the certificate Subject DN and Issuer
+DN values.
+.sp
+The syntax of the matching rules is:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+[\fIrelation\-operator\fP]\fIcomponent\-rule\fP ...
+.UNINDENT
+.UNINDENT
+.sp
+where:
+.INDENT 7.0
+.TP
+.B \fIrelation\-operator\fP
+.sp
+can be either \fB&&\fP, meaning all component rules must match,
+or \fB||\fP, meaning only one component rule must match. The
+default is \fB&&\fP.
+.TP
+.B \fIcomponent\-rule\fP
+.sp
+can be one of the following. Note that there is no
+punctuation or whitespace between component rules.
+.INDENT 7.0
+.INDENT 3.5
+.nf
+\fB<SUBJECT>\fP\fIregular\-expression\fP
+\fB<ISSUER>\fP\fIregular\-expression\fP
+\fB<SAN>\fP\fIregular\-expression\fP
+\fB<EKU>\fP\fIextended\-key\-usage\-list\fP
+\fB<KU>\fP\fIkey\-usage\-list\fP
+.fi
+.sp
+.UNINDENT
+.UNINDENT
+.sp
+\fIextended\-key\-usage\-list\fP is a comma\-separated list of
+required Extended Key Usage values. All values in the list
+must be present in the certificate. Extended Key Usage values
+can be:
+.INDENT 7.0
+.IP \(bu 2
+.
+pkinit
+.IP \(bu 2
+.
+msScLogin
+.IP \(bu 2
+.
+clientAuth
+.IP \(bu 2
+.
+emailProtection
+.UNINDENT
+.sp
+\fIkey\-usage\-list\fP is a comma\-separated list of required Key
+Usage values. All values in the list must be present in the
+certificate. Key Usage values can be:
+.INDENT 7.0
+.IP \(bu 2
+.
+digitalSignature
+.IP \(bu 2
+.
+keyEncipherment
+.UNINDENT
+.UNINDENT
+.sp
+Examples:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+pkinit_cert_match = ||<SUBJECT>.*DoE.*<SAN>.*@EXAMPLE.COM
+pkinit_cert_match = &&<EKU>msScLogin,clientAuth<ISSUER>.*DoE.*
+pkinit_cert_match = <EKU>msScLogin,clientAuth<KU>digitalSignature
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.TP
+.B \fBpkinit_eku_checking\fP
+.sp
+This option specifies what Extended Key Usage value the KDC
+certificate presented to the client must contain. (Note that if
+the KDC certificate has the pkinit SubjectAlternativeName encoded
+as the Kerberos TGS name, EKU checking is not necessary since the
+issuing CA has certified this as a KDC certificate.) The values
+recognized in the krb5.conf file are:
+.INDENT 7.0
+.TP
+.B \fBkpKDC\fP
+.sp
+This is the default value and specifies that the KDC must have
+the id\-pkinit\-KPKdc EKU as defined in \fI\%RFC 4556\fP.
+.TP
+.B \fBkpServerAuth\fP
+.sp
+If \fBkpServerAuth\fP is specified, a KDC certificate with the
+id\-kp\-serverAuth EKU as used by Microsoft will be accepted.
+.TP
+.B \fBnone\fP
+.sp
+If \fBnone\fP is specified, then the KDC certificate will not be
+checked to verify it has an acceptable EKU. The use of this
+option is not recommended.
+.UNINDENT
+.TP
+.B \fBpkinit_dh_min_bits\fP
+.sp
+Specifies the size of the Diffie\-Hellman key the client will
+attempt to use. The acceptable values are 1024, 2048, and 4096.
+The default is 2048.
+.TP
+.B \fBpkinit_identities\fP
+.sp
+Specifies the location(s) to be used to find the user\(aqs X.509
+identity information. This option may be specified multiple
+times. Each value is attempted in order until identity
+information is found and authentication is attempted. Note that
+these values are not used if the user specifies
+\fBX509_user_identity\fP on the command line.
+.TP
+.B \fBpkinit_kdc_hostname\fP
+.sp
+The presense of this option indicates that the client is willing
+to accept a KDC certificate with a dNSName SAN (Subject
+Alternative Name) rather than requiring the id\-pkinit\-san as
+defined in \fI\%RFC 4556\fP. This option may be specified multiple
+times. Its value should contain the acceptable hostname for the
+KDC (as contained in its certificate).
+.TP
+.B \fBpkinit_longhorn\fP
+.sp
+If this flag is set to true, we are talking to the Longhorn KDC.
+.TP
+.B \fBpkinit_pool\fP
+.sp
+Specifies the location of intermediate certificates which may be
+used by the client to complete the trust chain between a KDC
+certificate and a trusted anchor. This option may be specified
+multiple times.
+.TP
+.B \fBpkinit_require_crl_checking\fP
+.sp
+The default certificate verification process will always check the
+available revocation information to see if a certificate has been
+revoked. If a match is found for the certificate in a CRL,
+verification fails. If the certificate being verified is not
+listed in a CRL, or there is no CRL present for its issuing CA,
+and \fBpkinit_require_crl_checking\fP is false, then verification
+succeeds.
+.sp
+However, if \fBpkinit_require_crl_checking\fP is true and there is
+no CRL information available for the issuing CA, then verification
+fails.
+.sp
+\fBpkinit_require_crl_checking\fP should be set to true if the
+policy is such that up\-to\-date CRLs must be present for every CA.
+.TP
+.B \fBpkinit_revoke\fP
+.sp
+Specifies the location of Certificate Revocation List (CRL)
+information to be used by the client when verifying the validity
+of the KDC certificate presented. This option may be specified
+multiple times.
+.TP
+.B \fBpkinit_win2k\fP
+.sp
+This flag specifies whether the target realm is assumed to support
+only the old, pre\-RFC version of the protocol. The default is
+false.
+.TP
+.B \fBpkinit_win2k_require_binding\fP
+.sp
+If this flag is set to true, it expects that the target KDC is
+patched to return a reply with a checksum rather than a nonce.
+The default is false.
+.UNINDENT
+.SH SAMPLE KRB5.CONF FILE
+.sp
+Here is an example of a generic krb5.conf file:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+[libdefaults]
+ default_realm = ATHENA.MIT.EDU
+ default_tkt_enctypes = des3\-hmac\-sha1 des\-cbc\-crc
+ default_tgs_enctypes = des3\-hmac\-sha1 des\-cbc\-crc
+ dns_lookup_kdc = true
+ dns_lookup_realm = false
+
+[realms]
+ ATHENA.MIT.EDU = {
+ kdc = kerberos.mit.edu
+ kdc = kerberos\-1.mit.edu
+ kdc = kerberos\-2.mit.edu:750
+ admin_server = kerberos.mit.edu
+ master_kdc = kerberos.mit.edu
+ default_domain = mit.edu
+ }
+ EXAMPLE.COM = {
+ kdc = kerberos.example.com
+ kdc = kerberos\-1.example.com
+ admin_server = kerberos.example.com
+ }
+ OPENLDAP.MIT.EDU = {
+ kdc = kerberos.mit.edu
+ admin_server = kerberos.mit.edu
+ database_module = openldap_ldapconf
+ }
+
+[domain_realm]
+ .mit.edu = ATHENA.MIT.EDU
+ mit.edu = ATHENA.MIT.EDU
+
+[capaths]
+ ATHENA.MIT.EDU = {
+ EXAMPLE.COM = .
+ }
+ EXAMPLE.COM = {
+ ATHENA.MIT.EDU = .
+ }
+
+[logging]
+ kdc = SYSLOG:INFO
+ admin_server = FILE=/var/kadm5.log
+[dbdefaults]
+ ldap_kerberos_container_dn = cn=krbcontainer,dc=example,dc=com
+[dbmodules]
+ openldap_ldapconf = {
+ db_library = kldap
+ disable_last_success = true
+ ldap_kerberos_container_dn = cn=krbcontainer,dc=example,dc=com
+ ldap_kdc_dn = "cn=krbadmin,dc=example,dc=com"
+ # this object needs to have read rights on
+ # the realm container and principal subtrees
+ ldap_kadmind_dn = "cn=krbadmin,dc=example,dc=com"
+ # this object needs to have read and write rights on
+ # the realm container and principal subtrees
+ ldap_service_password_file = /etc/kerberos/service.keyfile
+ ldap_servers = ldaps://kerberos.mit.edu
+ ldap_conns_per_server = 5
+}
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SH FILES
+.sp
+\fB/etc/krb5.conf\fP
+.SH SEE ALSO
+.sp
+syslog(3)
+.SH AUTHOR
+MIT
+.SH COPYRIGHT
+2011, MIT
+.\" Generated by docutils manpage writer.
+.