From 33814e962a0af9fcdfc0c120d593684302324f30 Mon Sep 17 00:00:00 2001 From: Jen Selby Date: Mon, 22 Jul 2002 17:11:31 +0000 Subject: [PATCH] * kdc.conf.M: added descriptions of some tags * krb5.conf.M: added a description of the [login] section and some tags. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@14664 dc483132-0cff-0310-8789-dd5450dbe970 --- src/config-files/ChangeLog | 6 ++ src/config-files/kdc.conf.M | 142 +++++++++++++++++++++++++++++------ src/config-files/krb5.conf.M | 88 ++++++++++++++++++++++ 3 files changed, 213 insertions(+), 23 deletions(-) diff --git a/src/config-files/ChangeLog b/src/config-files/ChangeLog index 9dc91f27b..9ee2c3af7 100644 --- a/src/config-files/ChangeLog +++ b/src/config-files/ChangeLog @@ -1,3 +1,9 @@ +2002-07-22 Jen Selby + + * kdc.conf.M: added descriptions of some tags + * krb5.conf.M: added a description of the [login] section and some + tags. + 2001-04-04 Tom Yu * krb5.conf.M: Update description of safe_checksum_type for recent diff --git a/src/config-files/kdc.conf.M b/src/config-files/kdc.conf.M index 81ce6047a..103be2a0f 100644 --- a/src/config-files/kdc.conf.M +++ b/src/config-files/kdc.conf.M 
@@ -72,25 +72,114 @@ that particular realm. For each realm, the following tags may be specified in the .I [realms] subsection: + +.IP acl_file +This +.B string +specifies the location of the access control list (acl) file that +kadmin uses to determine which principals are allowed which permissions +on the database. The default value is @LOCALSTATEDIR/krb5kdc/kadm5.acl. + +.IP admin_keytab +This +.B string +Specifies the location of the keytab file that kadmin uses to +authenticate to the database. The default value is +@LOCALSTATEDIR/krb5kdc/kadm5.keytab. + .IP database_name This .B string specifies the location of the Kerberos database for this realm. -.IP master_key_name +.IP default_principal_expiration +This +.B absolute time string +specifies the default expiration date of principals created in this realm. + +.IP default_principal_flags +This +.B flag string +specifies the default attributes of principals created in this realm. +The format for the string is a comma-separated list of flags, with '+' +before each flag to be enabled and '-' before each flag to be +disabled. The default is for postdateable, forwardable, tgt-based, +renewable, proxiable, dup-skey, allow-tickets, and service to be +enabled, and all others to be disabled. + +There are a number of possible flags: +.RS +.TP +.B postdateable +Enabling this flag allows the principal to obtain postdateable tickets. +.TP +.B forwardable +Enabling this flag allows the principal to obtain forwardable tickets. +.TP +.B tgt-based +Enabling this flag allows a principal to obtain tickets based on a +ticket-granting-ticket, rather than repeating the authentication +process that was used to obtain the TGT. +.TP +.B renewable +Enabling this flag allows the principal to obtain renewable tickets. +.TP +.B proxiable +Enabling this flag allows the principal to obtain proxy tickets. 
+.TP +.B dup-skey +Enabling this flag allows the principal to obtain a session key for +another user, permitting user-to-user authentication for this principal. +.TP +.B allow-tickets +Enabling this flag means that the KDC will issue tickets for this +principal. Disabling this flag essentially deactivates the principal +within this realm. +.TP +.B preauth +If this flag is enabled on a client principal, then that principal is +required to preauthenticate to the KDC before receiving any tickets. +On a service principal, enabling this flag means that service tickets +for this principal will only be issued to clients with a TGT that has +the preauthenticated ticket set. +.TP +.B hwauth +If this flag is enabled, then the principal is required to +preauthenticate using a hardware device before receiving any tickets. +.TP +.B pwchange +Enabling this flag forces a password change for this principal. +.TP +.B service +Enabling this flag allows the the KDC to issue service tickets for this +principal. +.TP +.B pwservice +If this flag is enabled, it marks this principal as a password change +service. This should only be used in special cases, for example, if a +user's password has expired, the user has to get tickets for that +principal to be able to change it without going through the normal +password authentication. +.RE + +.IP dict_file This .B string -specifies the name of the master key. +location of the dictionary file containing strings that are not allowed +as passwords. If this tag is not set or if there is no policy assigned +to the principal, then no check will be done. -.IP master_key_type +.IP kadmind_port This -.B key type string -represents the master key's key type. +.B port number +specifies the port on which the kadmind daemon is to listen for this +realm. -.IP encryption_type +.IP kpasswd_port This -.B encryption type string -represents the encryption type used for this realm. 
+.B port number +specifies the port on which the kadmind daemon is to listen for this +realm. .IP key_stash_file This @@ -108,6 +197,17 @@ as specified in the .I [kdcdefaults] section is used. +.IP master_key_name +This +.B string +specifies the name of the principal associated with the master key. +The default value is K/M. + +.IP master_key_type +This +.B key type string +represents the master key's key type. + .IP max_life This .B delta time string @@ -120,23 +220,19 @@ This specifies the maximum time period that a ticket may be renewed for in this realm. -.IP default_principal_expiration -This -.B absolute time string -specifies the default expiration date of principals created in this realm. +.IP supported_enctypes +list of key:salt strings that specifies the default key/salt +combinations of principals for this realm -.IP default_principal_flags -This -.B flag string -specifies the default attributes of principals created in this realm. +.IP kdc_supported_enctypes +specifies the permitted key-salt combinations of principals for this realm -.IP supported_keytypes -This list of -.B key -: -.B salt -strings specifies the default key/salt combinations of principals for this -realm. +.IP reject_bad_transit +this +.B boolean +specifies whether or not the list of transited realms for cross-realm +tickets should be checked against the transit path computed from the +realm names and the [capaths] section of its krb5.conf file .SH FILES /usr/local/lib/krb5kdc/kdc.conf diff --git a/src/config-files/krb5.conf.M b/src/config-files/krb5.conf.M index 3ca1a6ade..61545f302 100644 --- a/src/config-files/krb5.conf.M +++ b/src/config-files/krb5.conf.M 
@@ -70,6 +70,9 @@ Contains various default values used by the Kerberos V5 library. Contains default values used by the Kerberos V5 login program, .IR login.krb5 (8). +.IP [appdefaults] +Contains default values that can be used by Kerberos V5 applications. + .IP [realms] Contains subsections keyed by Kerberos realm names which describe where to find the Kerberos servers for a particular realm, and other @@ -115,6 +118,10 @@ commas or whitespace. This relation identifies the supported list of session key encryption types that should be requested by the client, in the same format. +.IP permitted_enctypes +This relation identifies the permitted list of session key encryption +types. + .IP clockskew This relation sets the maximum allowable amount of clockskew in seconds that the library will tolerate before assuming that a Kerberos message 
@@ -156,6 +163,59 @@ received. DCE and Kerberos can share the cache, but some versions of DCE do not support the default cache as created by this version of Kerberos. Use a value of 1 on DCE 1.0.3a systems, and a value of 2 on DCE 1.1 systems. + +.IP dns_lookup_kdc +Indicate whether DNS SRV records shoud be used to locate the KDCs and +other servers for a realm, if they are not listed in the information +for the realm. The default is to use these records. + +.IP dns_lookup_realm +Indicate whether DNS TXT records should be used to determine the Kerberos +realm of a host. The default is not to use these records. + +.IP dns_fallback +General flag controlling the use of DNS for Kerberos information. If both +of the preceding options are specified, this option has no effect. + +.IP extra_addresses +This allows a computer to use multiple local addresses, in order to +allow Kerberos to work in a network that uses NATs. The addresses should +be in a comma-separated list. + +.SH APPDEFAULTS SECTION + +Each tag in the [appdefaults] section names a Kerberos V5 application +or an option that is used by some Kerberos V5 application[s]. The +four ways that you can set values for options are as follows, in +decreasing order of precedence: + +.sp +.nf +.in +1i +#1) + application = { + realm1 = { + option = value + } + realm2 = { + option = value + } + } +#2) + application = { + option1 = value + option2 = value + } +#3) + realm = { + option = value + } +#4) + option = value +.in -1in +.fi +.sp + .SH LOGIN SECTION The [login] section is used to configure the behavior of the Kerberos V5 login program, 
@@ -219,6 +279,34 @@ name and the V5 realm are not the same, but still share the same principal names and passwords. The tag value is the Kerberos V4 realm name. +.IP auth_to_local_names +This subsection allows you to set explicit mappings from principal +names to local user names. The tag is the mapping name, and the value +is the corresponding local user name. + +.IP auth_to_local +This tag allows you to set a general rule for mapping principal names +to local user names. It will be used if there is not an explicit +mapping for the principal name that is being translated. The possible +values are: + +.in +.5i +DB: +.in +.5i +The principal will be looked up in the database . +Support for this is not currently compiled in by default. +.in -.5in +RULE: +.in +.5i +The local name will be formulated from . +.in -.5i +DEFAULT +.in +.5i +The principal name will be used as the local name. If the +principal has more than one component or is not in the default +realm, this rule is not applicable and the conversion will fail. +.in -1i + .SH DOMAIN_REALM SECTION The [domain_realm] section provides a translation from a hostname to the -- 2.26.2
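Review bot: In the kdc.conf.M hunk at @@ -72,25 +72,114 @@, the kpasswd_port entry is a verbatim copy of the kadmind_port text ("specifies the port on which the kadmind daemon is to listen for this realm"), so the two tags read as identical; kpasswd_port should say it is the port on which password-change (kpasswd) requests are accepted. The same hunk also drops the `encryption_type` entry ("-represents the encryption type used for this realm.") without a replacement anywhere in the patch or a mention in the ChangeLog; either it is intentionally removed as obsolete, in which case the ChangeLog should say so, or the description should be kept. Smaller fixes: dict_file is missing its verb ("This .B string location of the dictionary file" should read "specifies the location of the dictionary file"), admin_keytab has "Specifies" capitalized mid-sentence, and the service flag text has "allows the the KDC".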
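Review bot: In the kdc.conf.M hunk at @@ -108,6 +197,17 @@, master_key_name now states its default (K/M) but master_key_type, added right beside it, gives none; the two entries should be consistent, so either state the default key type or say explicitly that the tag must be set.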
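Review bot: In the kdc.conf.M hunk at @@ -120,23 +220,19 @@, supported_keytypes is renamed to supported_enctypes with no statement of whether the old tag name is still honored in existing kdc.conf files; a sentence either way would save administrators a surprise. The new supported_enctypes and kdc_supported_enctypes descriptions differ only in "default" versus "permitted" key/salt combinations and should spell out the distinction (the combinations given to newly created keys versus the combinations the KDC will accept). reject_bad_transit is a boolean whose default is not stated, and since it controls whether cross-realm transit paths are checked against [capaths], the default matters; please add it. Style: these three entries do not follow the "This .B type specifies ... ." convention used by every other tag in the file, start with lowercase "list"/"specifies"/"this", and lack terminating periods.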
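Review bot: In the krb5.conf.M hunk at @@ -115,6 +118,10 @@, permitted_enctypes is described only as "the permitted list of session key encryption types", while the two tags above it say which side uses them ("requested by the client"); say who enforces this list and what happens to a session key of a type not on it, add "in the same format" as the neighbouring entries do, and state the default.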
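Review bot: In the krb5.conf.M hunk at @@ -156,6 +163,59 @@, dns_fallback says only that it has no effect when both dns_lookup_kdc and dns_lookup_realm are specified; it should also say what it does when one or both are unspecified and what its default is, otherwise the tag cannot be used deliberately. The two lookup tags have opposite defaults (KDC lookup on, realm lookup off) with no rationale given; one sentence on why realm lookup is off by default would help an administrator decide whether to enable it. Typo: "shoud" in dns_lookup_kdc. Style: the APPDEFAULTS block indents with `.in +1i` and undoes it with `.in -1in`; the troff scale indicator is the single letter `i`, so use `.in -1i`.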
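Review bot: In the krb5.conf.M hunk at @@ -219,6 +279,34 @@, the DB: and RULE: descriptions are missing their arguments ("The principal will be looked up in the database ." and "The local name will be formulated from ."); each should name what follows the colon (the database identifier and the rule expression respectively) and RULE: needs a description of the rule syntax, since a wrong rule silently maps a principal to the wrong local account. The section should also state the default when auth_to_local is absent, and whether the tag may be given more than once and in what order the values are tried. In auth_to_local_names, "The tag is the mapping name" is unclear; the tag is the principal name being mapped, as the preceding sentence implies. Smaller fixes: stray space before the period in "database .", and `.in -.5in` should be `.in -.5i` to match the other indent directives in the block.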