From e680b22460a9136a7dc1f54105da470ea8f608b7 Mon Sep 17 00:00:00 2001 From: Zhanna Tsitkov Date: Thu, 12 Jan 2012 18:48:57 +0000 Subject: [PATCH] Updated domain_realm section of krb5.conf. Reformated files git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25649 dc483132-0cff-0310-8789-dd5450dbe970 --- .../krb_admins/conf_files/kdc_conf.rst | 274 +++++-- .../krb_admins/conf_files/krb5_conf.rst | 711 ++++++++++++++---- 2 files changed, 747 insertions(+), 238 deletions(-) diff --git a/doc/rst_source/krb_admins/conf_files/kdc_conf.rst b/doc/rst_source/krb_admins/conf_files/kdc_conf.rst index bdf56bf32..8f8550ad5 100644 --- a/doc/rst_source/krb_admins/conf_files/kdc_conf.rst +++ b/doc/rst_source/krb_admins/conf_files/kdc_conf.rst @@ -3,22 +3,28 @@ kdc.conf ============== -The kdc.conf file contains KDC configuration information, including defaults used when issuing Kerberos tickets. Normally, you should install your kdc.conf file in the directory */usr/local/var/krb5kdc*. You can override the default location by setting the environment variable *KRB5_KDC_PROFILE*. +The kdc.conf file contains KDC configuration information, including defaults +used when issuing Kerberos tickets. Normally, you should install your kdc.conf +file in the directory */usr/local/var/krb5kdc*. +You can override the default location by setting the environment variable +*KRB5_KDC_PROFILE*. Structure -------------- -The kdc.conf file is set up in the same format as the :ref:`krb5.conf` file. The kdc.conf file may contain any or all of the following three sections: - -==================== ================================ -:ref:`kdcdefaults` Contains default values for overall behavior of the KDC. -:ref:`kdc_realms` Contains subsections keyed by Kerberos realm names. Each subsection describes realm-specific information, including where to find the Kerberos servers for that realm. -:ref:`kdc_logging` Contains relations which determine how Kerberos programs are to perform logging. -==================== ================================ +The kdc.conf file is set up in the same format as the :ref:`krb5.conf` file. Sections ------------- +The kdc.conf file may contain any or all of the following three sections: + +==================== ================================ +:ref:`kdcdefaults` Contains default values for overall behavior of the KDC. +:ref:`kdc_realms` Contains subsections keyed by Kerberos realm names. Each subsection describes realm-specific information, including where to find the Kerberos servers for that realm. +:ref:`kdc_logging` Contains relations which determine how Kerberos programs are to perform logging. +==================== ================================ + .. _kdcdefaults: @@ -28,19 +34,34 @@ Sections The following relation is defined in the [kdcdefaults] section: **host_based_services** - This relation lists the services that will get host-based referral processing even if the server principal is not marked as host-based by the client. + This relation lists the services that will get host-based referral processing + even if the server principal is not marked as host-based by the client. **kdc_max_dgram_reply_size** - Specifies the maximum packet size that can be sent over UDP. The default value is 4096 bytes. + Specifies the maximum packet size that can be sent over UDP. + The default value is 4096 bytes. **kdc_ports** - This relation lists the ports on which the Kerberos server should listen for UDP requests by default. This list is a comma separated list of integers. If this relation is not specified, the compiled-in default is 88,750, the first being the assigned Kerberos port and the second which was used by Kerberos V4. + This relation lists the ports on which the Kerberos server should listen + for UDP requests by default. This list is a comma separated list of integers. + If this relation is not specified, the compiled-in default is 88,750, + the first being the assigned Kerberos port and the second which was used + by Kerberos V4. **kdc_tcp_ports** - This relation lists the ports on which the Kerberos server should listen for TCP connections by default. This list is a comma separated list of integers. If this relation is not specified, the compiled-in default is not to listen for TCP connections at all. - - If you wish to change this (which we do not recommend, because the current implementation has little protection against denial-of-service attacks), the standard port number assigned for Kerberos TCP traffic is port 88. + This relation lists the ports on which the Kerberos server should listen + for TCP connections by default. This list is a comma separated list of integers. + If this relation is not specified, the compiled-in default is not + to listen for TCP connections at all. + + If you wish to change this (which we do not recommend, because the current + implementation has little protection against denial-of-service attacks), + the standard port number assigned for Kerberos TCP traffic is port 88. **no_host_referral** - This relation blocks the specified services from host-based referral processing, even if the client marks the server principal as host-based or the service is also listed in *host_based_services*. *no_host_referral* = \* will disable referral processing altogether. + This relation blocks the specified services from host-based referral processing, + even if the client marks the server principal as host-based or the service + is also listed in *host_based_services*. *no_host_referral* = \* will disable + referral processing altogether. **restrict_anonymous_to_tgt** - This flag determines the default value of restrict_anonymous_to_tgt for realms. The default value is false. + This flag determines the default value of *restrict_anonymous_to_tgt for realms*. + The default value is false. .. _kdc_realms: @@ -48,104 +69,178 @@ The following relation is defined in the [kdcdefaults] section: **[realms]** ~~~~~~~~~~~~~~~ -Each tag in the [realms] section of the file names a Kerberos realm. The value of the tag is a subsection where the relations in that subsection define KDC parameters for that particular realm. +Each tag in the [realms] section of the file names a Kerberos realm. +The value of the tag is a subsection where the relations in that subsection +define KDC parameters for that particular realm. For each realm, the following tags may be specified in the [realms] subsection: **acl_file** - (String.) Location of the access control list (acl) file that kadmin uses to determine which principals are allowed which permissions on the database. The default is */usr/local/var/krb5kdc/kadm5.acl*. + (String.) Location of the access control list (acl) file that + kadmin uses to determine which principals are allowed which permissions + on the database. The default is */usr/local/var/krb5kdc/kadm5.acl*. **admin_keytab** - (String.) Location of the keytab file that the legacy administration daemons kadmind4 and v5passwdd use to authenticate to the database. The default is */usr/local/var/krb5kdc/kadm5.keytab*. + (String.) Location of the keytab file that the legacy administration + daemons kadmind4 and v5passwdd use to authenticate to the database. + The default is */usr/local/var/krb5kdc/kadm5.keytab*. **database_name** This string specifies the location of the Kerberos database for this realm. **default_principal_expiration** - (Absolute time string.) Specifies the default expiration date of principals created in this realm. The default value for this tag is 0. + (Absolute time string.) Specifies the default expiration date of principals + created in this realm. The default value for this tag is 0. **default_principal_flags** - (Flag string.) Specifies the default attributes of principals created in this realm. The format for this string is a comma-separated list of flags, with '+' before each flag that should be enabled and '-' before each flag that should be disabled. The default is *postdateable, forwardable, tgt-based, renewable, proxiable, dup-skey, allow-tickets*, and *service enabled*. + (Flag string.) Specifies the default attributes of principals created + in this realm. The format for this string is a comma-separated list of flags, + with '+' before each flag that should be enabled and '-' before each flag + that should be disabled. The default is *postdateable, forwardable, tgt-based, + renewable, proxiable, dup-skey, allow-tickets*, and *service enabled*. There are a number of possible flags: *allow-tickets* - Enabling this flag means that the KDC will issue tickets for this principal. Disabling this flag essentially deactivates the principal within this realm. + Enabling this flag means that the KDC will issue tickets for this principal. + Disabling this flag essentially deactivates the principal within this realm. *dup-skey* - Enabling this flag allows the principal to obtain a session key for another user, permitting user-to-user authentication for this principal. + Enabling this flag allows the principal to obtain a session key for another user, + permitting user-to-user authentication for this principal. *forwardable* Enabling this flag allows the principal to obtain forwardable tickets. *hwauth* - If this flag is enabled, then the principal is required to preauthenticate using a hardware device before receiving any tickets. + If this flag is enabled, then the principal is required to preauthenticate + using a hardware device before receiving any tickets. *no-auth-data-required* Enabling this flag prvents PAC data from being added to the service tickets. *ok-as-delegate* - If this flag is enabled, it hints the client that credentials can and should be delegated when authenticating to the service. + If this flag is enabled, it hints the client that credentials can and + should be delegated when authenticating to the service. *ok-to-auth-as-delegate* Enabling this flag allows the principal to use S4USelf ticket. *postdateable* Enabling this flag allows the principal to obtain postdateable tickets. *preauth* - If this flag is enabled on a client principal, then that principal is required to preauthenticate to the KDC before receiving any tickets. On a service principal, enabling this flag means that service tickets for this principal will only be issued to clients with a TGT that has the preauthenticated ticket set. + If this flag is enabled on a client principal, then that principal + is required to preauthenticate to the KDC before receiving any tickets. + On a service principal, enabling this flag means that service tickets + for this principal will only be issued to clients with a TGT that has + the preauthenticated ticket set. *proxiable* Enabling this flag allows the principal to obtain proxy tickets. *pwchange* Enabling this flag forces a password change for this principal. *pwservice* - If this flag is enabled, it marks this principal as a password change service. This should only be used in special cases, for example, if a user's password has expired, then the user has to get tickets for that principal without going through the normal password authentication in order to be able to change the password. + If this flag is enabled, it marks this principal as a password change service. + This should only be used in special cases, for example, + if a user's password has expired, then the user has to get tickets + for that principal without going through the normal password authentication + in order to be able to change the password. *renewable* Enabling this flag allows the principal to obtain renewable tickets. *service* Enabling this flag allows the the KDC to issue service tickets for this principal. *tgt-based* - Enabling this flag allows a principal to obtain tickets based on a ticket-granting-ticket, rather than repeating the authentication process that was used to obtain the TGT. - + Enabling this flag allows a principal to obtain tickets based + on a ticket-granting-ticket, rather than repeating the authentication + process that was used to obtain the TGT. **dict_file** - (String.) Location of the dictionary file containing strings that are not allowed as passwords. If none is specified or if there is no policy assigned to the principal, no dictionary checks of passwords will be performed. + (String.) Location of the dictionary file containing strings that + are not allowed as passwords. If none is specified or if there is + no policy assigned to the principal, no dictionary checks of passwords + will be performed. **host_based_services** - (Whitespace- or comma-separated list) This relation lists the services that will get host-based referral processing even if the server principal is not marked as host-based by the client. + (Whitespace- or comma-separated list) This relation lists the services + that will get host-based referral processing even if the server principal + is not marked as host-based by the client. **iprop_enable** - This boolean ("true" or "false") specifies whether incremental database propagation is enabled. The default is "false". + This boolean ("true" or "false") specifies whether incremental database + propagation is enabled. The default is "false". **iprop_master_ulogsize** - This numeric value specifies the maximum number of log entries to be retained for incremental propagation. The maximum value is 2500; default is 1000. + This numeric value specifies the maximum number of log entries to be + retained for incremental propagation. + The maximum value is 2500; default is 1000. **iprop_slave_poll** - This delta time string specfies how often the slave KDC polls for new updates from the master. Default is "2m" (that is, two minutes). + This delta time string specfies how often the slave KDC polls for new + updates from the master. Default is "2m" (that is, two minutes). **iprop_port** - (Port number.) This specifies the port number to be used for incremental propagation. This is required in both master and slave configuration files. + (Port number.) This specifies the port number to be used for incremental + propagation. This is required in both master and slave configuration files. **iprop_logfile** - (File name) This specifies where the update log file for the realm database is to be stored. The default is to use the *database_name* entry from the realms section of the krb5 config file, with *.ulog* appended. (NOTE: If *database_name* isn't specified in the realms section, perhaps because the LDAP database back end is being used, or the file name is specified in the *dbmodules* section, then the hard-coded default for *database_name* is used. Determination of the *iprop_logfile* default value will not use values from the *dbmodules* section.) + (File name) This specifies where the update log file for the realm database + is to be stored. The default is to use the *database_name* entry from the + realms section of the krb5 config file, with *.ulog* appended. + (NOTE: If *database_name* isn't specified in the realms section, + perhaps because the LDAP database back end is being used, or the file name + is specified in the *dbmodules* section, then the hard-coded default for + *database_name* is used. Determination of the *iprop_logfile* default value + will not use values from the *dbmodules* section.) **kadmind_port** - (Port number.) Specifies the port on which the kadmind daemon is to listen for this realm. The assigned port for kadmind is 749. + (Port number.) Specifies the port on which the kadmind daemon is to listen + for this realm. The assigned port for kadmind is 749. **key_stash_file** - (String.) Specifies the location where the master key has been stored (via kdb5_util stash). The default is /usr/local/var/krb5kdc/.k5.REALM, where REALM is the Kerberos realm. + (String.) Specifies the location where the master key has been stored + (via kdb5_util stash). The default is /usr/local/var/krb5kdc/.k5.REALM, + where REALM is the Kerberos realm. **kdc_ports** - (String.) Specifies the list of ports that the KDC is to listen to for UDP requests for this realm. By default, the value of kdc_ports as specified in the [kdcdefaults] section is used. + (String.) Specifies the list of ports that the KDC is to listen to for + UDP requests for this realm. By default, the value of kdc_ports as specified + in the [kdcdefaults] section is used. **kdc_tcp_ports** - (String.) Specifies the list of ports that the KDC is to listen to for TCP requests for this realm. By default, the value of kdc_tcp_ports as specified in the [kdcdefaults] section is used. + (String.) Specifies the list of ports that the KDC is to listen to for TCP + requests for this realm. By default, the value of kdc_tcp_ports as specified + in the [kdcdefaults] section is used. **master_key_name** - (String.) Specifies the name of the principal associated with the master key. The default is K/M. + (String.) Specifies the name of the principal associated with the master key. + The default is K/M. **master_key_type** - (Key type string.) Specifies the master key's key type. The default value for this is des3-cbc-sha1. For a list of all possible values, see :ref:`Supported_Encryption_Types_and_Salts`. + (Key type string.) Specifies the master key's key type. + The default value for this is des3-cbc-sha1. For a list of all possible values, + see :ref:`Supported_Encryption_Types_and_Salts`. **max_life** - (Delta time string.) Specifies the maximum time period for which a ticket may be valid in this realm. The default value is 24 hours. + (Delta time string.) Specifies the maximum time period for which a ticket + may be valid in this realm. The default value is 24 hours. **max_renewable_life** - (Delta time string.) Specifies the maximum time period during which a valid ticket may be renewed in this realm. The default value is 0. + (Delta time string.) Specifies the maximum time period during which a valid + ticket may be renewed in this realm. The default value is 0. **no_host_referral** - (Whitespace- or comma-separated list) This relation blocks the specified services from host-based referral processing, even if the client marks the server principal as host-based or the service is also listed in *host_based_services*. *no_host_referral* = \* will disable referral processing altogether. + (Whitespace- or comma-separated list) This relation blocks the specified + services from host-based referral processing, even if the client marks + the server principal as host-based or the service is also listed in + *host_based_services*. + *no_host_referral* = \* will disable referral processing altogether. **reject_bad_transit** - A boolean value (true, false). If set to true, the KDC will check the list of transited realms for cross-realm tickets against the transit path computed from the realm names and the capaths section of its krb5.conf file; if the path in the ticket to be issued contains any realms not in the computed path, the ticket will not be issued, and an error will be returned to the client instead. If this value is set to false, such tickets will be issued anyways, and it will be left up to the application server to validate the realm transit path. - - If the disable-transited-check flag is set in the incoming request, this check is not performed at all. Having the reject_bad_transit option will cause such ticket requests to be rejected always. + A boolean value (true, false). If set to true, the KDC will check the list + of transited realms for cross-realm tickets against the transit path + computed from the realm names and the capaths section of its krb5.conf file; + if the path in the ticket to be issued contains any realms not in the + computed path, the ticket will not be issued, and an error will be returned + to the client instead. If this value is set to false, such tickets will be + issued anyways, and it will be left up to the application server to validate + the realm transit path. + + If the disable-transited-check flag is set in the incoming request, + this check is not performed at all. Having the reject_bad_transit option + will cause such ticket requests to be rejected always. This transit path checking and config file option currently apply only to TGS requests. - Earlier versions of the MIT release (before 1.2.3) had bugs in the application server support such that the server-side checks may not be performed correctly. We recommend turning this option on, unless you know that all application servers in this realm have been updated to fixed versions of the software, and for whatever reason, you don't want the KDC to do the validation. - - This is a per-realm option so that multiple-realm KDCs may control it separately for each realm, in case (for example) one realm has had the software on its application servers updated but another has not. + This is a per-realm option so that multiple-realm KDCs may control it + separately for each realm, in case (for example) one realm has had the + software on its application servers updated but another has not. This option defaults to true. **restrict_anonymous_to_tgt** - A boolean value (true, false). If set to true, the KDC will reject ticket requests from anonymous principals to service principals other than the realm's ticket-granting service. This option allows anonymous PKINIT to be enabled for use as FAST armor tickets without allowing anonymous authentication to services. By default, the value of restrict_anonymous_to_tgt as specified in the [kdcdefaults] section is used. - + A boolean value (true, false). If set to true, the KDC will reject ticket + requests from anonymous principals to service principals other than + the realm's ticket-granting service. This option allows anonymous PKINIT + to be enabled for use as FAST armor tickets without allowing anonymous + authentication to services. By default, the value of restrict_anonymous_to_tgt + as specified in the [kdcdefaults] section is used. **supported_enctypes** - List of key:salt strings. Specifies the default key/salt combinations of principals for this realm. Any principals created through kadmin will have keys of these types. The default value for this tag is aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal arcfour-hmac-md5:normal. For lists of possible values, see :ref:`Supported_Encryption_Types_and_Salts` - + List of *key:salt* strings. Specifies the default key/salt combinations + of principals for this realm. Any principals created through kadmin will + have keys of these types. + The default value for this tag is aes256-cts-hmac-sha1-96:normal + aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal arcfour-hmac-md5:normal. + For lists of possible values, see :ref:`Supported_Encryption_Types_and_Salts` @@ -160,7 +255,11 @@ See :ref:`logging` section in :ref:`krb5.conf` PKINIT options --------------- -.. note:: The following are pkinit-specific options. Note that these values may be specified in [kdcdefaults] as global defaults, or within a realm-specific subsection of [realms]. Also note that a realm-specific value over-rides, does not add to, a generic [kdcdefaults] specification. The search order is: +.. note:: The following are pkinit-specific options. Note that these values + may be specified in [kdcdefaults] as global defaults, or within + a realm-specific subsection of [realms]. Also note that + a realm-specific value over-rides, does not add to, a generic + [kdcdefaults] specification. The search order is: 1. realm-specific subsection of [realms] @@ -178,52 +277,79 @@ PKINIT options -For information about the syntax of some of these options, see See pkinit identity syntax. +For information about the syntax of some of these options, see pkinit identity syntax. **pkinit_anchors** - Specifies the location of trusted anchor (root) certificates which the KDC trusts to sign client certificates. This option is required if pkinit is to be supported by the KDC. This option may be specified multiple times. + Specifies the location of trusted anchor (root) certificates which the KDC + trusts to sign client certificates. This option is required if pkinit is + to be supported by the KDC. This option may be specified multiple times. **pkinit_dh_min_bits** - Specifies the minimum number of bits the KDC is willing to accept for a client's Diffie-Hellman key. The default is 2048. + Specifies the minimum number of bits the KDC is willing to accept for + a client's Diffie-Hellman key. The default is 2048. **pkinit_allow_upn** - Specifies that the KDC is willing to accept client certificates with the Microsoft UserPrincipalName (UPN) Subject Alternative Name (SAN). This means the KDC accepts the binding of the UPN in the certificate to the Kerberos principal name. + Specifies that the KDC is willing to accept client certificates with + the Microsoft UserPrincipalName (UPN) Subject Alternative Name (SAN). + This means the KDC accepts the binding of the UPN in the certificate + to the Kerberos principal name. The default is *false*. - Without this option, the KDC will only accept certificates with the *id-pkinit-san* as defined in :rfc:`4556`. There is currently no option to disable SAN checking in the KDC. + Without this option, the KDC will only accept certificates with the + *id-pkinit-san* as defined in :rfc:`4556`. There is currently no option + to disable SAN checking in the KDC. **pkinit_eku_checking** - This option specifies what Extended Key Usage (EKU) values the KDC is willing to accept in client certificates. The values recognized in the kdc.conf file are: + This option specifies what Extended Key Usage (EKU) values the KDC is + willing to accept in client certificates. The values recognized in + the kdc.conf file are: *kpClientAuth* - This is the default value and specifies that client certificates must have the id-pkinit-KPClientAuth EKU as defined in :rfc:`4556`. + This is the default value and specifies that client certificates + must have the id-pkinit-KPClientAuth EKU as defined in :rfc:`4556`. *scLogin* - If scLogin is specified, client certificates with the Microsoft Smart Card Login EKU (id-ms-kp-sc-logon) will be accepted. + If scLogin is specified, client certificates with + the Microsoft Smart Card Login EKU (id-ms-kp-sc-logon) will be accepted. *none* - If none is specified, then client certificates will not be checked to verify they have an acceptable EKU. The use of this option is not recommended. + If none is specified, then client certificates will not be checked + to verify they have an acceptable EKU. The use of this option + is not recommended. **pkinit_identity** - Specifies the location of the KDC's X.509 identity information. This option is required if pkinit is to be supported by the KDC. + Specifies the location of the KDC's X.509 identity information. + This option is required if pkinit is to be supported by the KDC. **pkinit_kdc_ocsp** Specifies the location of the KDC's OCSP. **pkinit_mapping_file** - Specifies the name of the ACL pkinit mapping file. This file maps principals to the certificates that they can use. + Specifies the name of the ACL pkinit mapping file. + This file maps principals to the certificates that they can use. **pkinit_pool** - Specifies the location of intermediate certificates which may be used by the KDC to complete the trust chain between a client's certificate and a trusted anchor. This option may be specified multiple times. + Specifies the location of intermediate certificates which may be used by + the KDC to complete the trust chain between a client's certificate and + a trusted anchor. This option may be specified multiple times. **pkinit_revoke** - Specifies the location of Certificate Revocation List (CRL) information to be used by the KDC when verifying the validity of client certificates. This option may be specified multiple times. + Specifies the location of Certificate Revocation List (CRL) information + to be used by the KDC when verifying the validity of client certificates. + This option may be specified multiple times. **pkinit_require_crl_checking** - The default certificate verification process will always check the available revocation information to see if a certificate has been revoked. If a match is found for the certificate in a CRL, verification fails. If the certificate being verified is not listed in a CRL, or there is no CRL present for its issuing CA, and pkinit_require_crl_checking is false, then verification succeeds. - - However, if pkinit_require_crl_checking is true and there is no CRL information available for the issuing CA, then verification fails. - - *pkinit_require_crl_checking* should be set to true if the policy is such that up-to-date CRLs must be present for every CA. + The default certificate verification process will always check the available + revocation information to see if a certificate has been revoked. + If a match is found for the certificate in a CRL, verification fails. + If the certificate being verified is not listed in a CRL, or there is no + CRL present for its issuing CA, and pkinit_require_crl_checking is false, + then verification succeeds. + + However, if pkinit_require_crl_checking is true and there is no CRL + information available for the issuing CA, then verification fails. + + *pkinit_require_crl_checking* should be set to true if the policy is such + that up-to-date CRLs must be present for every CA. Sample kdc.conf File diff --git a/doc/rst_source/krb_admins/conf_files/krb5_conf.rst b/doc/rst_source/krb_admins/conf_files/krb5_conf.rst index 09fa12f20..736012560 100644 --- a/doc/rst_source/krb_admins/conf_files/krb5_conf.rst +++ b/doc/rst_source/krb_admins/conf_files/krb5_conf.rst @@ -3,25 +3,32 @@ krb5.conf ========== -The krb5.conf file contains Kerberos configuration information, including the locations of KDCs and admin servers for the Kerberos realms of interest, defaults for the current realm and for Kerberos applications, and mappings of hostnames onto Kerberos realms. Normally, you should install your krb5.conf file in the directory /etc. You can override the default location by setting the environment variable KRB5_CONFIG. +The *krb5.conf* file contains Kerberos configuration information, including +the locations of KDCs and admin servers for the Kerberos realms of interest, +defaults for the current realm and for Kerberos applications, +and mappings of hostnames onto Kerberos realms. +Normally, you should install your krb5.conf file in the directory /etc. +You can override the default location by setting the environment variable KRB5_CONFIG. Structure --------- -The krb5.conf file is set up in the style of a Windows INI file. Sections are headed by the section name, in square brackets. Each section may contain zero or more relations, of the form:: +The krb5.conf file is set up in the style of a Windows INI file. +Sections are headed by the section name, in square brackets. +Each section may contain zero or more relations, of the form:: foo = bar - or :: fubar = { foo = bar baz = quux } - -Placing a '\*' at the end of a line indicates that this is the *final* value for the tag. This means that neither the remainder of this configuration file nor any other configuration file will be checked for any other values for this tag. +Placing a '\*' at the end of a line indicates that this is the *final* value for the tag. +This means that neither the remainder of this configuration file nor any other +configuration file will be checked for any other values for this tag. For example, if you have the following lines:: @@ -31,19 +38,32 @@ For example, if you have the following lines:: then the second value of *foo* (baz) would never be read. -The krb5.conf file can include other files using either of the following directives at the beginning of a line:: +The krb5.conf file can include other files using either of the following +directives at the beginning of a line:: include FILENAME includedir DIRNAME -*FILENAME* or *DIRNAME* should be an absolute path. The named file or directory must exist and be readable. Including a directory includes all files within the directory whose names consist solely of alphanumeric characters, dashes, or underscores. Included profile files are syntactically independent of their parents, so each included file must begin with a section header. +*FILENAME* or *DIRNAME* should be an absolute path. The named file or directory +must exist and be readable. Including a directory includes all files within +the directory whose names consist solely of alphanumeric characters, dashes, +or underscores. Included profile files are syntactically independent of their +parents, so each included file must begin with a section header. -The krb5.conf file can specify that configuration should be obtained from a loadable module, rather than the file itself, using the following directive at the beginning of a line before any section headers:: +The krb5.conf file can specify that configuration should be obtained from +a loadable module, rather than the file itself, using the following directive +at the beginning of a line before any section headers:: module MODULEPATH:RESIDUAL -*MODULEPATH* may be relative to the library path of the krb5 installation, or it may be an absolute path. *RESIDUAL* is provided to the module at initialization time. If krb5.conf uses a module directive, kdc.conf should also use one if it exists. +*MODULEPATH* may be relative to the library path of the krb5 installation, +or it may be an absolute path. *RESIDUAL* is provided to the module at +initialization time. +If krb5.conf uses a module directive, kdc.conf should also use one if it exists. + +Sections +---------- The krb5.conf file may contain any or all of the following sections: @@ -57,9 +77,6 @@ plugins_ Contains tags to register dynamic plugin modules and to turn modu appdefaults_ Contains default values that can be used by Kerberos V5 applications. ============== ======================================================= -Sections ----------- - .. _libdefaults: @@ -69,86 +86,160 @@ Sections The libdefaults section may contain any of the following relations: **allow_weak_crypto** - If this is set to 0 (for false), then weak encryption types will be filtered out of the previous three lists (as noted in :ref:`Supported_Encryption_Types_and_Salts`). The default value for this tag is false, which may cause authentication failures in existing Kerberos infrastructures that do not support strong crypto. Users in affected environments should set this tag to true until their infrastructure adopts stronger ciphers. + If this is set to 0 (for false), then weak encryption types will be + filtered out of the previous three lists (as noted in + :ref:`Supported_Encryption_Types_and_Salts`). + The default value for this tag is false, which may cause authentication + failures in existing Kerberos infrastructures that do not support strong crypto. + Users in affected environments should set this tag to true until their + infrastructure adopts stronger ciphers. **ap_req_checksum_type** An integer which specifies the type of AP-REQ checksum to use in authenticators. - This variable should be unset so the appropriate checksum for the encryption key in use will be used. + This variable should be unset so the appropriate checksum for the encryption + key in use will be used. This can be set if backward compatibility requires a specific checksum type. - See the *kdc_req_checksum_type* configuration option for the possible values and their meanings. + See the *kdc_req_checksum_type* configuration option for the possible values + and their meanings. **canonicalize** - This flag indicates to the KDC that the client is prepared to receive a reply that contains a principal name other than the one requested. + This flag indicates to the KDC that the client is prepared to receive + a reply that contains a principal name other than the one requested. The client should expect, when sending names with the "canonicalize" KDC option, that names in the KDC's reply will be different than the name in the request. The default value for this flag is not set. **ccache_type** - Use this parameter on systems which are DCE clients, to specify the type of cache to be created by kinit, or when forwarded tickets are received. DCE and Kerberos can share the cache, but some versions of DCE do not support the default cache as created by this version of Kerberos. Use a value of 1 on DCE 1.0.3a systems, and a value of 2 on DCE 1.1 systems. The default value is 4. + Use this parameter on systems which are DCE clients, to specify the type + of cache to be created by kinit, or when forwarded tickets are received. + DCE and Kerberos can share the cache, but some versions of DCE do not support + the default cache as created by this version of Kerberos. + Use a value of 1 on DCE 1.0.3a systems, and a value of 2 on DCE 1.1 systems. + The default value is 4. **clockskew** - Sets the maximum allowable amount of clockskew in seconds that the library will tolerate before assuming that a Kerberos message is invalid. The default value is 300 seconds, or five minutes. + Sets the maximum allowable amount of clockskew in seconds that the library + will tolerate before assuming that a Kerberos message is invalid. + The default value is 300 seconds, or five minutes. **default_keytab_name** - This relation specifies the default keytab name to be used by application servers such as telnetd and rlogind. The default is */etc/krb5.keytab*. + This relation specifies the default keytab name to be used by application + servers such as telnetd and rlogind. The default is */etc/krb5.keytab*. **default_realm** - Identifies the default Kerberos realm for the client. Set its value to your Kerberos realm. If this is not specified and the TXT record lookup is enabled (see :ref:`udns_label`), then that information will be used to determine the default realm. If this tag is not set in this configuration file and there is no DNS information found, then an error will be returned. + Identifies the default Kerberos realm for the client. + Set its value to your Kerberos realm. + If this is not specified and the TXT record lookup is enabled + (see :ref:`udns_label`), then that information will be used to determine + the default realm. If this tag is not set in this configuration file and + there is no DNS information found, then an error will be returned. **default_tgs_enctypes** - Identifies the supported list of session key encryption types that should be returned by the KDC. The list may be delimited with commas or whitespace. Kerberos supports many different encryption types, and support for more is planned in the future. (see :ref:`Supported_Encryption_Types_and_Salts` for a list of the accepted values for this tag). The default value is *aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4*. + Identifies the supported list of session key encryption types that should be + returned by the KDC. The list may be delimited with commas or whitespace. + Kerberos supports many different encryption types, and support for more + is planned in the future. (see :ref:`Supported_Encryption_Types_and_Salts` + for a list of the accepted values for this tag). + The default value is *aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 + des3-cbc-sha1 arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4*. **default_tkt_enctypes** - Identifies the supported list of session key encryption types that should be requested by the client. The format is the same as for default_tgs_enctypes. The default value for this tag is *aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4*. + Identifies the supported list of session key encryption types that should be + requested by the client. The format is the same as for default_tgs_enctypes. + The default value for this tag is *aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 + des3-cbc-sha1 arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4*. **dns_fallback** - General flag controlling the use of DNS for Kerberos information. If both of the preceding options are specified, this option has no effect. + General flag controlling the use of DNS for Kerberos information. + If both of the preceding options are specified, this option has no effect. **dns_lookup_kdc** - Indicate whether DNS SRV records should be used to locate the KDCs and other servers for a realm, if they are not listed in the information for the realm. (Note that the admin_server entry must be in the file, because the DNS implementation for it is incomplete.) - - Enabling this option does open up a type of denial-of-service attack, if someone spoofs the DNS records and redirects you to another server. However, it's no worse than a denial of service, because that fake KDC will be unable to decode anything you send it (besides the initial ticket request, which has no encrypted data), and anything the fake KDC sends will not be trusted without verification using some secret that it won't know. - - If this option is not specified but dns_fallback is, that value will be used instead. If neither option is specified, the behavior depends on configure-time options; if none were given, the default is to enable this option. If the DNS support is not compiled in, this entry has no effect. + Indicate whether DNS SRV records should be used to locate the KDCs and + other servers for a realm, if they are not listed in the information for the realm. + (Note that the admin_server entry must be in the file, + because the DNS implementation for it is incomplete.) + + Enabling this option does open up a type of denial-of-service attack, + if someone spoofs the DNS records and redirects you to another server. + However, it's no worse than a denial of service, because that fake KDC + will be unable to decode anything you send it + (besides the initial ticket request, which has no encrypted data), + and anything the fake KDC sends will not be trusted without verification + using some secret that it won't know. + + If this option is not specified but dns_fallback is, that value will be used instead. + If neither option is specified, the behavior depends on configure-time options; + if none were given, the default is to enable this option. + If the DNS support is not compiled in, this entry has no effect. **dns_lookup_realm** - Indicate whether DNS TXT records should be used to determine the Kerberos realm of a host. - - Enabling this option may permit a redirection attack, where spoofed DNS replies persuade a client to authenticate to the wrong realm, when talking to the wrong host (either by spoofing yet more DNS records or by intercepting the net traffic). Depending on how the client software manages hostnames, however, it could already be vulnerable to such attacks. We are looking at possible ways to minimize or eliminate this exposure. For now, we encourage more adventurous sites to try using Secure DNS. - - If this option is not specified but dns_fallback is, that value will be used instead. If neither option is specified, the behavior depends on configure-time options; if none were given, the default is to disable this option. If the DNS support is not compiled in, this entry has no effect. + Indicate whether DNS TXT records should be used to determine + the Kerberos realm of a host. + + Enabling this option may permit a redirection attack, where spoofed DNS + replies persuade a client to authenticate to the wrong realm, + when talking to the wrong host (either by spoofing yet more DNS records + or by intercepting the net traffic). Depending on how the client software + manages hostnames, however, it could already be vulnerable to such attacks. + We are looking at possible ways to minimize or eliminate this exposure. + For now, we encourage more adventurous sites to try using Secure DNS. + + If this option is not specified but dns_fallback is, that value will be used instead. + If neither option is specified, the behavior depends on configure-time options; + if none were given, the default is to disable this option. + If the DNS support is not compiled in, this entry has no effect. **extra_addresses** - This allows a computer to use multiple local addresses, in order to allow Kerberos to work in a network that uses NATs. The addresses should be in a comma-separated list. + This allows a computer to use multiple local addresses, in order to allow + Kerberos to work in a network that uses NATs. + The addresses should be in a comma-separated list. **forwardable** - If this flag is set, initial tickets by default will be forwardable. The default value for this flag is not set. + If this flag is set, initial tickets by default will be *forwardable*. + The default value for this flag is not set. **ignore_acceptor_hostname** - When accepting GSSAPI or krb5 security contexts for host-based service principals, - ignore any hostname passed by the calling application and allow any service principal present in the keytab - which matches the service name and realm name (if given). - This option can improve the administrative flexibility of server applications on multihomed hosts, - but can compromise the security of virtual hosting environments. The default value is false. + When accepting GSSAPI or krb5 security contexts for host-based service + principals, ignore any hostname passed by the calling application and + allow any service principal present in the keytab which matches + the service name and realm name (if given). + This option can improve the administrative flexibility of server + applications on multihomed hosts, but can compromise the security of + virtual hosting environments. The default value is false. **k5login_authoritative** - If the value of this relation is true (the default), principals must be listed in a local user's k5login file to be granted login access, if a k5login file exists. If the value of this relation is false, a principal may still be granted login access through other mechanisms even if a k5login file exists but does not list the principal. + If the value of this relation is true (the default), principals must be + listed in a local user's k5login file to be granted login access, + if a *.k5login* file exists. If the value of this relation is false, + a principal may still be granted login access through other mechanisms + even if a k5login file exists but does not list the principal. **k5login_directory** - If set, the library will look for a local user's k5login file within the named directory, with a filename corresponding to the local username. If not set, the library will look for k5login files in the user's home directory, with the filename .k5login. For security reasons, k5login files must be owned by the local user or by root. + If set, the library will look for a local user's k5login file within + the named directory, with a filename corresponding to the local username. + If not set, the library will look for k5login files in the user's home + directory, with the filename .k5login. For security reasons, + *.k5login* files must be owned by the local user or by root. **kdc_default_options** - Default KDC options (Xored for multiple values) when requesting initial credentials. By default it is set to 0x00000010 (KDC_OPT_RENEWABLE_OK). + Default KDC options (Xored for multiple values) when requesting initial credentials. + By default it is set to 0x00000010 (KDC_OPT_RENEWABLE_OK). **kdc_timesync** - If this is set to 1 (for true), then client machines will compute the difference between their time and the time returned by the KDC in the timestamps in the tickets and use this value to correct for an inaccurate system clock. This corrective factor is only used by the Kerberos library. The default is 1. + If this is set to 1 (for true), then client machines will compute + the difference between their time and the time returned by the KDC + in the timestamps in the tickets and use this value to correct for + an inaccurate system clock. This corrective factor is only used by + the Kerberos library. The default is 1. **kdc_req_checksum_type** - An integer which specifies the type of checksum to use for the KDC requests for compatibility with DCE security servers + An integer which specifies the type of checksum to use for + the KDC requests for compatibility with DCE security servers which do not support the default RSA MD5 used by Kerberos V5. This applies to DCE 1.1 and earlier. Use a value of 2 to use the RSA MD4 instead. - This value is only used for DES keys; other keys use the preferred checksum type for those keys. + This value is only used for DES keys; + other keys use the preferred checksum type for those keys. The possible values and their meanings are as follows. @@ -169,68 +260,112 @@ The libdefaults section may contain any of the following relations: Setting this flag causes the initial Kerberos ticket to be addressless. The default for the flag is set. **permitted_enctypes** - Identifies all encryption types that are permitted for use in session key encryption. The default value for this tag is *aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4*. + Identifies all encryption types that are permitted for use in session key encryption. + The default value for this tag is *aes256-cts-hmac-sha1-96 + aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5 + des-cbc-crc des-cbc-md5 des-cbc-md4*. **plugin_base_dir** If set, determines the base directory where krb5 plugins are located. - The default value is the "krb5/plugins" subdirectory of the krb5 library directory. + The default value is the "krb5/plugins" subdirectory of the krb5 library directory. **preferred_preauth_types** - This allows you to set the preferred preauthentication types which the client will attempt before others which may be advertised by a KDC. The default value for this setting is "17, 16, 15, 14", which forces libkrb5 to attempt to use PKINIT if it is supported. + This allows you to set the preferred preauthentication types which + the client will attempt before others which may be advertised by a KDC. + The default value for this setting is "17, 16, 15, 14", + which forces libkrb5 to attempt to use PKINIT if it is supported. **proxiable** - If this flag is set, initial tickets by default will be proxiable. The default value for this flag is not set. + If this flag is set, initial tickets by default will be proxiable. + The default value for this flag is not set. **rdns** - If set to false, prevent the use of reverse DNS resolution when translating hostnames into service principal names. Defaults to true. Setting this flag to false is more secure, but may force users to exclusively use fully qualified domain names when authenticating to services. + If set to false, prevent the use of reverse DNS resolution when translating + hostnames into service principal names. Defaults to true. + Setting this flag to false is more secure, but may force users to exclusively + use fully qualified domain names when authenticating to services. **realm_try_domains** - Indicate whether a host's domain components should be used to determine the Kerberos realm of the host. The value of this variable is an integer: -1 means not to search, 0 means to try the host's domain itself, 1 means to also try the domain's immediate parent, and so forth. The library's usual mechanism for locating Kerberos realms is used to determine whether a domain is a valid realm--which may involve consulting DNS if *dns_lookup_kdc* is set. The default is not to search domain components. + Indicate whether a host's domain components should be used to determine + the Kerberos realm of the host. The value of this variable is + an integer: -1 means not to search, 0 means to try the host's domain itself, + 1 means to also try the domain's immediate parent, and so forth. + The library's usual mechanism for locating Kerberos realms is used + to determine whether a domain is a valid realm--which may involve consulting + DNS if *dns_lookup_kdc* is set. The default is not to search domain components. **renew_lifetime** - The value of this tag is the default renewable lifetime for initial tickets. The default value for the tag is 0. + The value of this tag is the default renewable lifetime for initial tickets. + The default value for the tag is 0. **safe_checksum_type** - An integer which specifies the type of checksum to use for the KRB-SAFE requests. By default it is set to 8 (RSA MD5 DES). - For compatibility with applications linked against DCE version 1.1 or earlier Kerberos libraries, - use a value of 3 to use the RSA MD4 DES instead. + An integer which specifies the type of checksum to use for the KRB-SAFE requests. + By default it is set to 8 (RSA MD5 DES). + For compatibility with applications linked against DCE version 1.1 or + earlier Kerberos libraries, use a value of 3 to use the RSA MD4 DES instead. This field is ignored when its value is incompatible with the session key type. - See the *kdc_req_checksum_type* configuration option for the possible values and their meanings. + See the *kdc_req_checksum_type* configuration option for the possible values + and their meanings. **ticket_lifetime** - The value of this tag is the default lifetime for initial tickets. The default value for the tag is 1 day. + The value of this tag is the default lifetime for initial tickets. + The default value for the tag is 1 day. **udp_preference_limit** - When sending a message to the KDC, the library will try using TCP before UDP if the size of the message is above *udp_preference_list*. If the message is smaller than *udp_preference_list*, then UDP will be tried before TCP. Regardless of the size, both protocols will be tried if the first attempt fails. + When sending a message to the KDC, the library will try using TCP before UDP + if the size of the message is above *udp_preference_list*. + If the message is smaller than *udp_preference_list*, + then UDP will be tried before TCP. Regardless of the size, + both protocols will be tried if the first attempt fails. + **verify_ap_req_nofail** - If this flag is set, then an attempt to get initial credentials will fail if the client machine does not have a keytab. The default for the flag is not set. + If this flag is set, then an attempt to get initial credentials will fail + if the client machine does not have a keytab. + The default for the flag is not set. .. _realms: **[realms]** ~~~~~~~~~~~~~~~~~ -Each tag in the [realms] section of the file is the name of a Kerberos realm. The value of the tag is a subsection with relations that define the properties of that particular realm. For each realm, the following tags may be specified in the realm's subsection: - +Each tag in the [realms] section of the file is the name of a Kerberos realm. +The value of the tag is a subsection with relations that define the properties +of that particular realm. +For each realm, the following tags may be specified in the realm's subsection: **admin_server** - Identifies the host where the administration server is running. Typically, this is the master Kerberos server. This tag must be given a value in order to communicate with the kadmin server for the realm. + Identifies the host where the administration server is running. + Typically, this is the master Kerberos server. This tag must be given + a value in order to communicate with the kadmin server for the realm. **auth_to_local** - This tag allows you to set a general rule for mapping principal names to local user names. It will be used if there is not an explicit mapping for the principal name that is being translated. The possible values are: - + This tag allows you to set a general rule for mapping principal names + to local user names. It will be used if there is not an explicit mapping + for the principal name that is being translated. The possible values are: DB:filename - The principal will be looked up in the database filename. Support for this is not currently compiled in by default. + The principal will be looked up in the database filename. + Support for this is not currently compiled in by default. RULE:exp The local name will be formulated from exp. - The format for exp is [n:string](regexp)s/pattern/replacement/g. The integer n indicates how many components the target principal should have. If this matches, then a string will be formed from string, substituting the realm of the principal for $0 and the n'th component of the principal for $n (e.g. if the principal was *johndoe/admin* then [2:$2$1foo] would result in the string "adminjohndoefoo"). If this string matches regexp, then the s//[g] substitution command will be run over the string. The optional g will cause the substitution to be global over the string, instead of replacing only the first match in the string. + The format for exp is *[n:string](regexp)s/pattern/replacement/g*. + The integer *n* indicates how many components the target principal should have. + If this matches, then a string will be formed from string, + substituting the realm of the principal for $0 and the n'th component + of the principal for *$n* + (e.g. if the principal was *johndoe/admin* then [2:$2$1foo] would + result in the string "adminjohndoefoo"). If this string matches *regexp*, + then the *s//[g]* substitution command will be run over the string. + The optional *g* will cause the substitution to be global over the *string*, + instead of replacing only the first match in the *string*. DEFAULT - The principal name will be used as the local user name. If the principal has more than one component or is not in the default realm, this rule is not applicable and the conversion will fail. + The principal name will be used as the local user name. + If the principal has more than one component or is not in the default realm, + this rule is not applicable and the conversion will fail. For example:: @@ -243,43 +378,81 @@ Each tag in the [realms] section of the file is the name of a Kerberos realm. Th } - would result in any principal without *root* or *admin* as the second component to be translated with the default rule. A principal with a second component of *admin* will become its first component. *root* will be used as the local name for any principal with a second component of *root*. The exception to these two rules are any principals *johndoe*/\*, which will always get the local name *guest*. + would result in any principal without *root* or *admin* as the second + component to be translated with the default rule. + A principal with a second component of *admin* will become its first component. + *root* will be used as the local name for any principal with a second component of *root*. + The exception to these two rules are any principals *johndoe*/\*, + which will always get the local name *guest*. **auth_to_local_names** - This subsection allows you to set explicit mappings from principal names to local user names. The tag is the mapping name, and the value is the corresponding local user name. + This subsection allows you to set explicit mappings from principal names + to local user names. The tag is the mapping name, and the value + is the corresponding local user name. **database_module** - This relation indicates the name of the configuration section under [dbmodules] for database specific parameters used by the loadable database library. + This relation indicates the name of the configuration section under dbmodules_ + for database specific parameters used by the loadable database library. **default_domain** - This tag is used for Kerberos 4 compatibility. Kerberos 4 does not require the entire hostname of a server to be in its principal like Kerberos 5 does. This tag provides the domain name needed to produce a full hostname when translating V4 principal names into V5 principal names. All servers in this realm are assumed to be in the domain given as the value of this tag + This tag is used for Kerberos 4 compatibility. Kerberos 4 does not require + the entire hostname of a server to be in its principal like Kerberos 5 does. + This tag provides the domain name needed to produce a full hostname when + translating V4 principal names into V5 principal names. All servers in this + realm are assumed to be in the domain given as the value of this tag. **kdc** - The name or address of a host running a KDC for that realm. An optional port number, separated from the hostname by a colon, may be included. If the name or address contains colons (for example, if it is an IPv6 address), enclose it in square brackets to distinguish the colon from a port separator. For your computer to be able to communicate with the KDC for each realm, this tag must be given a value in each realm subsection in the configuration file, or there must be DNS SRV records specifying the KDCs (see :ref:`udns_label`). + The name or address of a host running a KDC for that realm. + An optional port number, separated from the hostname by a colon, may be included. + If the name or address contains colons (for example, if it is an IPv6 address), + enclose it in square brackets to distinguish the colon from a port separator. + For your computer to be able to communicate with the KDC for each realm, + this tag must be given a value in each realm subsection in the configuration file, + or there must be DNS SRV records specifying the KDCs (see :ref:`udns_label`). **kpasswd_server** - Points to the server where all the password changes are performed. If there is no such entry, the port 464 on the *admin_server* host will be tried. + Points to the server where all the password changes are performed. + If there is no such entry, the port 464 on the *admin_server* host will be tried. **krb524_server** - Points to the server that does 524 conversions. If it is not mentioned, the krb524 port 4444 on the kdc will be tried. + Points to the server that does 524 conversions. + If it is not mentioned, the krb524 port 4444 on the kdc will be tried. **master_kdc** - Identifies the master KDC(s). Currently, this tag is used in only one case: If an attempt to get credentials fails because of an invalid password, the client software will attempt to contact the master KDC, in case the user's password has just been changed, and the updated database has not been propagated to the slave servers yet. + Identifies the master KDC(s). Currently, this tag is used in only one case: + If an attempt to get credentials fails because of an invalid password, + the client software will attempt to contact the master KDC, + in case the user's password has just been changed, and the updated database + has not been propagated to the slave servers yet. **v4_instance_convert** - This subsection allows the administrator to configure exceptions to the default_domain mapping rule. It contains V4 instances (the tag name) which should be translated to some specific hostname (the tag value) as the second component in a Kerberos V5 principal name. + This subsection allows the administrator to configure exceptions to the + *default_domain* mapping rule. It contains V4 instances (the tag name) + which should be translated to some specific hostname (the tag value) + as the second component in a Kerberos V5 principal name. **v4_realm** - This relation is used by the krb524 library routines when converting a V5 principal name to a V4 principal name. It is used when the V4 realm name and the V5 realm name are not the same, but still share the same principal names and passwords. The tag value is the Kerberos V4 realm name. + This relation is used by the krb524 library routines when converting + a V5 principal name to a V4 principal name. It is used when the V4 realm name + and the V5 realm name are not the same, but still share the same + principal names and passwords. The tag value is the Kerberos V4 realm name. .. _domain_realm: **[domain_realm]** ~~~~~~~~~~~~~~~~~~~~~ -The [domain_realm] section provides a translation from a domain name or hostname to a Kerberos realm name. The tag name can be a host name, or a domain name, where domain names are indicated by a prefix of a period (.). The value of the relation is the Kerberos realm name for that particular host or domain. Host names and domain names should be in lower case. +The [domain_realm] section provides a translation from a domain name or hostname +to a Kerberos realm name. The tag name can be a host name, or a domain name, +where domain names are indicated by a prefix of a period (.). +The value of the relation is the Kerberos realm name for that particular +host or domain. The Kerberos realm may be identified either in the realms_ +section or using DNS SRV records. +Host names and domain names should be in lower case. -If no translation entry applies, the host's realm is considered to be the hostname's domain portion converted to upper case. For example, the following [domain_realm] section:: +If no translation entry applies, the host's realm is considered to be the +hostname's domain portion converted to upper case. +For example, the following [domain_realm] section:: [domain_realm] crash.mit.edu = TEST.ATHENA.MIT.EDU @@ -288,20 +461,27 @@ If no translation entry applies, the host's realm is considered to be the hostna example.com = EXAMPLE.COM -maps the host with the *exact* name *crash.mit.edu* into the TEST.ATHENA.MIT.EDU realm. The period prefix in *.mit.edu* denotes that *all* systems in the *mit.edu* domain belong to ATHENA.MIT.EDU realm. -Note the entries for the hosts *mit.edu* and *example.com*. Without these entries, these hosts would be mapped into the Kerberos realms EDU and COM, respectively. +maps the host with the *exact* name *crash.mit.edu* into the TEST.ATHENA.MIT.EDU realm. +The period prefix in *.mit.edu* denotes that *all* systems in the *mit.edu* +domain belong to ATHENA.MIT.EDU realm. +Note the entries for the hosts *mit.edu* and *example.com*. +Without these entries, these hosts would be mapped into the Kerberos realms +EDU and COM, respectively. .. _logging: **[logging]** ~~~~~~~~~~~~~~~~~~~~~~~ -The [logging] section indicates how a particular entity is to perform its logging. The relations in this section assign one or more values to the entity name. Currently, the following entities are used: +The [logging] section indicates how a particular entity is to perform its logging. +The relations in this section assign one or more values to the entity name. +Currently, the following entities are used: **admin_server** These entries specify how the administrative server is to perform its logging. **default** - These entries specify how to perform logging in the absence of explicit specifications otherwise. + These entries specify how to perform logging in the absence of explicit + specifications otherwise. **kdc** These entries specify how the KDC is to perform its logging. @@ -310,24 +490,38 @@ Values are of the following forms: | FILE= | FILE: - This value causes the entity's logging messages to go to the specified file. If the = form is used, the file is overwritten. If the \: form is used, the file is appended to. + This value causes the entity's logging messages to go to the specified file. + If the = form is used, the file is overwritten. + If the \: form is used, the file is appended to. STDERR This value causes the entity's logging messages to go to its standard error stream. CONSOLE - This value causes the entity's logging messages to go to the console, if the system supports it. + This value causes the entity's logging messages to go to the console, + if the system supports it. DEVICE= This causes the entity's logging messages to go to the specified device. SYSLOG[:[:]] This causes the entity's logging messages to go to the system log. - The severity argument specifies the default severity of system log messages. This may be any of the following severities supported by the syslog(3) call, minus the LOG\_ prefix: LOG_EMERG, LOG_ALERT, LOG_CRIT, LOG_ERR, LOG_WARNING, LOG_NOTICE, LOG_INFO, and LOG_DEBUG. For example, a value of CRIT would specify LOG_CRIT severity. + The severity argument specifies the default severity of system log messages. + This may be any of the following severities supported by the syslog(3) call, + minus the LOG\_ prefix: LOG_EMERG, LOG_ALERT, LOG_CRIT, LOG_ERR, LOG_WARNING, + LOG_NOTICE, LOG_INFO, and LOG_DEBUG. + For example, a value of CRIT would specify LOG_CRIT severity. - The facility argument specifies the facility under which the messages are logged. This may be any of the following facilities supported by the syslog(3) call minus the LOG\_ prefix: LOG_KERN, LOG_USER, LOG_MAIL, LOG_DAEMON, LOG_AUTH, LOG_LPR, LOG_NEWS, LOG_UUCP, LOG_CRON, and LOG_LOCAL0 through LOG_LOCAL7. + The facility argument specifies the facility under which the messages are logged. + This may be any of the following facilities supported by the syslog(3) + call minus the LOG\_ prefix: LOG_KERN, LOG_USER, LOG_MAIL, LOG_DAEMON, + LOG_AUTH, LOG_LPR, LOG_NEWS, LOG_UUCP, LOG_CRON, and LOG_LOCAL0 through LOG_LOCAL7. - If no severity is specified, the default is ERR. If no facility is specified, the default is AUTH. + If no severity is specified, the default is ERR. + If no facility is specified, the default is AUTH. -In the following example, the logging messages from the KDC will go to the console and to the system log under the facility LOG_DAEMON with default severity of LOG_INFO; and the logging messages from the administrative server will be appended to the file */var/adm/kadmin.log* and sent to the device */dev/tty04*.:: +In the following example, the logging messages from the KDC will go to the console +and to the system log under the facility LOG_DAEMON with default severity of LOG_INFO; +and the logging messages from the administrative server will be appended +to the file */var/adm/kadmin.log* and sent to the device */dev/tty04*.:: [logging] kdc = CONSOLE @@ -341,15 +535,32 @@ In the following example, the logging messages from the KDC will go to the conso **[capaths]** ~~~~~~~~~~~~~~~~~~~~~~ -In order to perform direct (non-hierarchical) cross-realm authentication, a database is needed to construct the authentication paths between the realms. This section defines that database. - -A client will use this section to find the authentication path between its realm and the realm of the server. The server will use this section to verify the authentication path used by the client, by checking the transited field of the received ticket. - -There is a tag for each participating realm, and each tag has subtags for each of the realms. The value of the subtags is an intermediate realm which may participate in the cross-realm authentication. The subtags may be repeated if there is more then one intermediate realm. A value of "." means that the two realms share keys directly, and no intermediate realms should be allowed to participate. - -There are n**2 possible entries in this table, but only those entries which will be needed on the client or the server need to be present. The client needs a tag for its local realm, with subtags for all the realms of servers it will need to authenticate with. A server needs a tag for each realm of the clients it will serve. - -For example, *ANL.GOV, PNL.GOV*, and *NERSC.GOV* all wish to use the *ES.NET* realm as an intermediate realm. *ANL* has a sub realm of *TEST.ANL.GOV* which will authenticate with *NERSC.GOV* but not *PNL.GOV*. The [capaths] section for *ANL.GOV* systems would look like this:: +In order to perform direct (non-hierarchical) cross-realm authentication, +a database is needed to construct the authentication paths between the realms. +This section defines that database. + +A client will use this section to find the authentication path between +its realm and the realm of the server. The server will use this section +to verify the authentication path used by the client, +by checking the transited field of the received ticket. + +There is a tag for each participating realm, and each tag has subtags +for each of the realms. The value of the subtags is an intermediate realm +which may participate in the cross-realm authentication. +The subtags may be repeated if there is more then one intermediate realm. +A value of "." means that the two realms share keys directly, +and no intermediate realms should be allowed to participate. + +There are n**2 possible entries in this table, but only those entries which +will be needed on the client or the server need to be present. +The client needs a tag for its local realm, with subtags for all the realms +of servers it will need to authenticate with. +A server needs a tag for each realm of the clients it will serve. + +For example, *ANL.GOV, PNL.GOV*, and *NERSC.GOV* all wish to use the *ES.NET* +realm as an intermediate realm. *ANL* has a sub realm of *TEST.ANL.GOV* +which will authenticate with *NERSC.GOV* but not *PNL.GOV*. +The [capaths] section for *ANL.GOV* systems would look like this:: [capaths] ANL.GOV = { @@ -397,81 +608,139 @@ The [capaths] section of the configuration file used on *NERSC.GOV* systems woul } -In the above examples, the ordering is not important, except when the same subtag name is used more then once. The client will use this to determine the path. (It is not important to the server, since the transited field is not sorted.) +In the above examples, the ordering is not important, except when the same +subtag name is used more then once. +The client will use this to determine the path. +(It is not important to the server, since the transited field is not sorted.) -This feature is not currently supported by DCE. DCE security servers can be used with Kerberized clients and servers, but versions prior to DCE 1.1 did not fill in the transited field, and should be used with caution. +This feature is not currently supported by DCE. +DCE security servers can be used with Kerberized clients and servers, +but versions prior to DCE 1.1 did not fill in the transited field, +and should be used with caution. .. _dbdefaults: **[dbdefaults]** ~~~~~~~~~~~~~~~~~~~~~~~~ -The [dbdefaults] section provides default values for the database specific parameters. It can also specify the configuration section under dbmodules_ section for database specific parameters used by the database library. +The [dbdefaults] section provides default values for the database specific parameters. +It can also specify the configuration section under dbmodules_ section +for database specific parameters used by the database library. The following tags are used in this section: **database_module** - This relation indicates the name of the configuration section under the dbmodules_ for database specific parameters used by the loadable database library. + This relation indicates the name of the configuration section under + the dbmodules_ for database specific parameters used by the + loadable database library. **ldap_kerberos_container_dn** - This LDAP specific tag indicates the DN of the container object where the realm objects will be located. This value is used if the container object is not mentioned in the configuration section under dbmodules_. + This LDAP specific tag indicates the DN of the container object where + the realm objects will be located. This value is used if the container + object is not mentioned in the configuration section under dbmodules_. **ldap_kdc_dn** - This LDAP specific tag indicates the default bind DN for the KDC server. The KDC server does a login to the directory as this object. This object should have the rights to read the Kerberos data in the LDAP database. This value is used if the bind DN for the KDC is not mentioned in the configuration section under dbmodules_. + This LDAP specific tag indicates the default bind DN for the KDC server. + The KDC server does a login to the directory as this object. + This object should have the rights to read the Kerberos data in the LDAP database. + This value is used if the bind DN for the KDC is not mentioned in + the configuration section under dbmodules_. **ldap_kadmind_dn** - This LDAP specific tag indicates the default bind DN for the Administration server. The administration server does a login to the directory as this object. This object should have the rights to read and write the Kerberos data in the LDAP database. This value is used if the bind DN for the Administration server is not mentioned in the configuration section under dbmodules_. + This LDAP specific tag indicates the default bind DN for the Administration server. + The administration server does a login to the directory as this object. + This object should have the rights to read and write the Kerberos data + in the LDAP database. This value is used if the bind DN for + the Administration server is not mentioned in the configuration section under dbmodules_. **ldap_service_password_file** - This LDAP specific tag indicates the file containing the stashed passwords (created by kdb5_ldap_util stashsrvpw) for the objects used by the Kerberos servers to bind to the LDAP server. This file must be kept secure. This value is used if no service password file is mentioned in the configuration section under dbmodules_. + This LDAP specific tag indicates the file containing the stashed passwords + (created by kdb5_ldap_util stashsrvpw) for the objects used by the Kerberos + servers to bind to the LDAP server. This file must be kept secure. + This value is used if no service password file is mentioned + in the configuration section under dbmodules_. **ldap_servers** - This LDAP specific tag indicates the list of LDAP servers that the Kerberos servers can connect to. The list of LDAP servers is whitespace-separated. The LDAP server is specified by a LDAP URI. This value is used if no LDAP servers are mentioned in the configuration section under dbmodules_. It is recommended to use the *ldapi://* or *ldaps://* interface and not to use *ldap://* interface. + This LDAP specific tag indicates the list of LDAP servers that the Kerberos servers + can connect to. The list of LDAP servers is whitespace-separated. + The LDAP server is specified by a LDAP URI. + This value is used if no LDAP servers are mentioned in the configuration section + under dbmodules_. It is recommended to use the *ldapi://* or *ldaps://* interface + and not to use *ldap://* interface. **ldap_conns_per_server** - This LDAP specific tag indicates the number of connections to be maintained per LDAP server. This value is used if the number of connections per LDAP server are not mentioned in the configuration section under dbmodules_. The default value is 5. + This LDAP specific tag indicates the number of connections to be maintained per LDAP server. + This value is used if the number of connections per LDAP server are not mentioned + in the configuration section under dbmodules_. The default value is 5. .. _dbmodules: **[dbmodules]** ~~~~~~~~~~~~~~~~~~ -Contains database specific parameters used by the database library. Each tag in the [dbmodules] section of the file names a configuration section for database specific parameters that can be referred to by a realm. The value of the tag is a subsection where the relations in that subsection define the database specific parameters. +Contains database specific parameters used by the database library. +Each tag in the [dbmodules] section of the file names a configuration section +for database specific parameters that can be referred to by a realm. +The value of the tag is a subsection where the relations in +that subsection define the database specific parameters. For each section, the following tags may be specified in the subsection: **database_name** - This DB2-specific tag indicates the location of the database in the filesystem. The default is */usr/local/var/krb5kdc/principal*. + This DB2-specific tag indicates the location of the database + in the filesystem. The default is */usr/local/var/krb5kdc/principal*. **db_library** - This tag indicates the name of the loadable database library. The value should be *db2* for DB2 database and *kldap* for LDAP database. + This tag indicates the name of the loadable database library. + The value should be *db2* for DB2 database and *kldap* for LDAP database. **db_module_dir** - This tag controls where the plugin system looks for modules. The value should be an absolute path. + This tag controls where the plugin system looks for modules. + The value should be an absolute path. **disable_last_success** - If set to *true*, suppresses KDC updates to the *"Last successful authentication"* field of principal entries requiring preauthentication. Setting this flag may improve performance. (Principal entries which do not require preauthentication never update the "Last successful authentication" field.). + If set to *true*, suppresses KDC updates to the + *"Last successful authentication"* field of principal entries requiring + preauthentication. Setting this flag may improve performance. + (Principal entries which do not require preauthentication + never update the "Last successful authentication" field.). **disable_lockout** - If set to *true*, suppresses KDC updates to the *"Last failed authentication"* and *"Failed password attempts"* fields of principal entries requiring preauthentication. Setting this flag may improve performance, but also disables account lockout. + If set to *true*, suppresses KDC updates to the + *"Last failed authentication"* and *"Failed password attempts"* fields + of principal entries requiring preauthentication. + Setting this flag may improve performance, but also disables account lockout. **ldap_conns_per_server** - This LDAP specific tags indicates the number of connections to be maintained per LDAP server. + This LDAP specific tags indicates the number of connections + to be maintained per LDAP server. **ldap_kadmind_dn** - This LDAP specific tag indicates the default bind DN for the Administration server. The administration server does a login to the directory as this object. This object should have the rights to read and write the Kerberos data in the LDAP database. + This LDAP specific tag indicates the default bind DN for the Administration server. + The administration server does a login to the directory as this object. + This object should have the rights to read and write the Kerberos data + in the LDAP database. **ldap_kdc_dn** - This LDAP specific tag indicates the default bind DN for the KDC server. The KDC server does a login to the directory as this object. This object should have the rights to read the Kerberos data in the LDAP database. + This LDAP specific tag indicates the default bind DN for the KDC server. + The KDC server does a login to the directory as this object. + This object should have the rights to read the Kerberos data in the LDAP database. **ldap_kerberos_container_dn** - This LDAP specific tag indicates the DN of the container object where the realm objects will be located. + This LDAP specific tag indicates the DN of the container object where + the realm objects will be located. **ldap_servers** - This LDAP specific tag indicates the list of LDAP servers that the Kerberos servers can connect to. The list of LDAP servers is whitespace-separated. The LDAP server is specified by a LDAP URI. It is recommended to use *ldapi://* or *ldaps://* interface to connect to the LDAP server. + This LDAP specific tag indicates the list of LDAP servers that the + Kerberos servers can connect to. The list of LDAP servers is whitespace-separated. + The LDAP server is specified by a LDAP URI. + It is recommended to use *ldapi://* or *ldaps://* interface + to connect to the LDAP server. **ldap_service_password_file** - This LDAP specific tag indicates the file containing the stashed passwords (created by *kdb5_ldap_util stashsrvpw*) for the objects used by the Kerberos servers to bind to the LDAP server. This file must be kept secure. + This LDAP specific tag indicates the file containing the stashed passwords + (created by *kdb5_ldap_util stashsrvpw*) for the objects used by + the Kerberos servers to bind to the LDAP server. This file must be kept secure. .. _appdefaults: @@ -479,7 +748,9 @@ For each section, the following tags may be specified in the subsection: **[appdefaults]** ~~~~~~~~~~~~~~~~~~~~~~~~~ -Each tag in the [appdefaults] section names a Kerberos V5 application or an option that is used by some Kerberos V5 application[s]. The value of the tag defines the default behaviors for that application. +Each tag in the [appdefaults] section names a Kerberos V5 application +or an option that is used by some Kerberos V5 application[s]. +The value of the tag defines the default behaviors for that application. For example:: @@ -499,9 +770,17 @@ For example:: option2 = true -The above four ways of specifying the value of an option are shown in order of decreasing precedence. In this example, if telnet is running in the realm EXAMPLE.COM, it should, by default, have option1 and option2 set to true. However, a telnet program in the realm ATHENA.MIT.EDU should have option1 set to false and option2 set to true. Any other programs in ATHENA.MIT.EDU should have option2 set to false by default. Any programs running in other realms should have option2 set to true. +The above four ways of specifying the value of an option are shown in order +of decreasing precedence. In this example, if telnet is running in the +realm EXAMPLE.COM, it should, by default, have option1 and option2 set to true. +However, a telnet program in the realm ATHENA.MIT.EDU should have *option1* +set to false and *option2* set to true. +Any other programs in ATHENA.MIT.EDU should have *option2* set to false by default. +Any programs running in other realms should have *option2* set to true. -The list of specifiable options for each application may be found in that application's man pages. The application defaults specified here are overridden by those specified in the realms_ section. +The list of specifiable options for each application may be found in that +application's man pages. The application defaults specified here +are overridden by those specified in the realms_ section. .. _plugins: @@ -512,18 +791,29 @@ Plugins * kadm5_hook_ interface * clpreauth_ and kdcpreauth_ interfaces -Tags in the **[plugins]** section can be used to register dynamic plugin modules and to turn modules on and off. Not every krb5 pluggable interface uses the [plugins] section; the ones that do are documented here. +Tags in the **[plugins]** section can be used to register *dynamic plugin modules* +and to turn modules on and off. +Not every krb5 pluggable interface uses the [plugins] section; +the ones that do are documented here. -Each pluggable interface corresponds to a subsection of [plugins]. All subsections support the same tags: +Each pluggable interface corresponds to a subsection of [plugins]. +All subsections support the same tags: **disable** - This tag may have multiple values. If there are values for this tag, then the named modules will be disabled for the pluggable interface. + This tag may have multiple values. If there are values for this tag, + then the named modules will be disabled for the pluggable interface. **enable_only** - This tag may have multiple values. If there are values for this tag, then only the named modules will be enabled for the pluggable interface. + This tag may have multiple values. If there are values for this tag, + then only the named modules will be enabled for the pluggable interface. **module** - This tag may have multiple values. Each value is a string of the form "modulename:pathname", which causes the shared object located at pathname to be registered as a dynamic module named modulename for the pluggable interface. If pathname is not an absolute path, it will be treated as relative to the "krb5/plugins" subdirectory of the krb5 library directory. + This tag may have multiple values. + Each value is a string of the form "modulename:pathname", + which causes the shared object located at *pathname* to be registered as + a dynamic module named *modulename* for the pluggable interface. + If *pathname* is not an absolute path, it will be treated as relative + to the "krb5/plugins" subdirectory of the krb5 library directory. The following subsections are currently supported within the [plugins] section: @@ -532,7 +822,10 @@ The following subsections are currently supported within the [plugins] section: pwqual interface ~~~~~~~~~~~~~~~~~~~~~~~ -The **pwqual** subsection controls modules for the password quality interface, which is used to reject weak passwords when passwords are changed. In addition to any registered dynamic modules, the following built-in modules exist (and may be disabled with the disable tag): +The **pwqual** subsection controls modules for the password quality interface, +which is used to reject weak passwords when passwords are changed. +In addition to any registered dynamic modules, the following built-in modules +exist (and may be disabled with the disable tag): **dict** Checks against the realm dictionary file @@ -541,7 +834,8 @@ The **pwqual** subsection controls modules for the password quality interface, w Rejects empty passwords **hesiod** - Checks against user information stored in Hesiod (only if Kerberos was built with Hesiod support) + Checks against user information stored in Hesiod + (only if Kerberos was built with Hesiod support) **princ** Checks against components of the principal name @@ -551,7 +845,11 @@ The **pwqual** subsection controls modules for the password quality interface, w kadm5_hook interface ~~~~~~~~~~~~~~~~~~~~~~~~ -The **kadm5_hook** interface provides plugins with information on principal creation, modification, password changes and deletion. This interface can be used to write a plugin to synchronize MIT Kerberos with another database such as Active Directory. No plugins are built in for this interface. +The **kadm5_hook** interface provides plugins with information on principal +creation, modification, password changes and deletion. +This interface can be used to write a plugin to synchronize MIT Kerberos +with another database such as Active Directory. +No plugins are built in for this interface. .. _clpreauth: @@ -560,7 +858,9 @@ The **kadm5_hook** interface provides plugins with information on principal crea clpreauth and kdcpreauth interfaces ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -The **clpreauth** and **kdcpreauth** interfaces allow plugin modules to provide client and KDC preauthentication mechanisms. The following built-in modules exist for these interfaces: +The **clpreauth** and **kdcpreauth** interfaces allow plugin modules to provide +client and KDC preauthentication mechanisms. +The following built-in modules exist for these interfaces: **pkinit** This module implements the PKINIT preauthentication mechanism. @@ -577,7 +877,13 @@ PKINIT options * pkinit identity syntax * pkinit krb5.conf options -.. note:: The following are pkinit-specific options. Note that these values may be specified in *[libdefaults]* as global defaults, or within a realm-specific subsection of *[libdefaults]*, or may be specified as realm-specific values in the *[realms]* section. Also note that a realm-specific value over-rides, does not add to, a generic *[libdefaults]* specification. The search order is: +.. note:: The following are pkinit-specific options. + Note that these values may be specified in *[libdefaults]* as + global defaults, or within a realm-specific subsection of + *[libdefaults]*, or may be specified as realm-specific values + in the *[realms]* section. Also note that a realm-specific value + over-rides, does not add to, a generic *[libdefaults]* specification. + The search order is: 1. realm-specific subsection of [libdefaults] @@ -607,7 +913,8 @@ PKINIT options Specifying pkinit identity information ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -The syntax for specifying Public Key identity, trust, and revocation information for pkinit is as follows: +The syntax for specifying Public Key identity, trust, and revocation information +for pkinit is as follows: FILE\:file-name\[,key-file-name] @@ -616,7 +923,10 @@ FILE\:file-name\[,key-file-name] | pkinit_identity | pkinit_identities - *file-name* specifies the name of a PEM-format file containing the user's certificate. If *key-file-name* is not specified, the user's private key is expected to be in file-name as well. Otherwise, *key-file-name* is the name of the file containing the private key. + *file-name* specifies the name of a PEM-format file containing + the user's certificate. If *key-file-name* is not specified, + the user's private key is expected to be in file-name as well. + Otherwise, *key-file-name* is the name of the file containing the private key. | pkinit_anchors | pkinit_pool @@ -630,23 +940,49 @@ DIR:directory-name | pkinit_identity | pkinit_identities - *directory-name* specifies a directory with files named \*.crt and \*.key, where the first part of the file name is the same for matching pairs of certificate and private key files. When a file with a name ending with .crt is found, a matching file ending with .key is assumed to contain the private key. If no such file is found, then the certificate in the .crt is not used. + *directory-name* specifies a directory with files named \*.crt and \*.key, + where the first part of the file name is the same for matching pairs + of certificate and private key files. When a file with a name ending + with .crt is found, a matching file ending with .key is assumed + to contain the private key. + If no such file is found, then the certificate in the .crt is not used. | pkinit_anchors | pkinit_pool - *directory-name* is assumed to be an OpenSSL-style hashed CA directory where each CA cert is stored in a file named *hash-of-ca-cert.#*. This infrastructure is encouraged, but all files in the directory will be examined and if they contain certificates (in PEM format), they will be used. + *directory-name* is assumed to be an OpenSSL-style hashed CA directory + where each CA cert is stored in a file named *hash-of-ca-cert.#*. + This infrastructure is encouraged, but all files in the directory + will be examined and if they contain certificates (in PEM format), they will be used. pkinit_revoke - *directory-name* is assumed to be an OpenSSL-style hashed CA directory where each revocation list is stored in a file named *hash-of-ca-cert.r#*. This infrastructure is encouraged, but all files in the directory will be examined and if they contain a revocation list (in PEM format), they will be used. + *directory-name* is assumed to be an OpenSSL-style hashed CA directory + where each revocation list is stored in a file named *hash-of-ca-cert.r#*. + This infrastructure is encouraged, but all files in the directory + will be examined and if they contain a revocation list (in PEM format), + they will be used. PKCS12:pkcs12-file-name - *pkcs12-file-name* is the name of a PKCS #12 format file, containing the user's certificate and private key. + *pkcs12-file-name* is the name of a PKCS #12 format file, + containing the user's certificate and private key. + PKCS11:[module_name=]module-name[:slotid=slot-id][:token=token-label][:certid=cert-id][:certlabel=cert-label] - All keyword/values are optional. module-name specifies the location of a library implementing PKCS #11. If a value is encountered with no keyword, it is assumed to be the *module-name*. If no module-name is specified, the default is *opensc-pkcs11.so*. *slotid=* and/or *token=* may be specified to force the use of a particular smard card reader or token if there is more than one available. *certid=* and/or *certlabel=* may be specified to force the selection of a particular certificate on the device. See the *pkinit_cert_match* configuration option for more ways to select a particular certificate to use for pkinit. + All keyword/values are optional. *module-name* specifies the location + of a library implementing PKCS #11. If a value is encountered with no keyword, + it is assumed to be the *module-name*. If no module-name is specified, + the default is *opensc-pkcs11.so*. *slotid=* and/or *token=* may be + specified to force the use of a particular smard card reader or token + if there is more than one available. *certid=* and/or *certlabel=* may be + specified to force the selection of a particular certificate on the device. + See the *pkinit_cert_match* configuration option for more ways to select + a particular certificate to use for pkinit. + ENV:environment-variable-name - environment-variable-name specifies the name of an environment variable which has been set to a value conforming to one of the previous values. For example, *ENV:X509_PROXY*, where environment variable *X509_PROXY* has been set to *FILE:/tmp/my_proxy.pem*. + *environment-variable-name* specifies the name of an environment variable + which has been set to a value conforming to one of the previous values. + For example, *ENV:X509_PROXY*, where environment variable *X509_PROXY* + has been set to *FILE:/tmp/my_proxy.pem*. @@ -655,12 +991,24 @@ PKINIT krb5.conf options **pkinit_anchors** - Specifies the location of trusted anchor (root) certificates which the client trusts to sign KDC certificates. This option may be specified multiple times. These values from the config file are not used if the user specifies X509_anchors on the command line. + Specifies the location of trusted anchor (root) certificates which + the client trusts to sign KDC certificates. + This option may be specified multiple times. + These values from the config file are not used if the user specifies + X509_anchors on the command line. **pkinit_cert_match** - Specifies matching rules that the client certificate must match before it is used to attempt pkinit authentication. If a user has multiple certificates available (on a smart card, or via other media), there must be exactly one certificate chosen before attempting pkinit authentication. This option may be specified multiple times. All the available certificates are checked against each rule in order until there is a match of exactly one certificate. - - The Subject and Issuer comparison strings are the :rfc:`2253` string representations from the certificate Subject DN and Issuer DN values. + Specifies matching rules that the client certificate must match before + it is used to attempt pkinit authentication. + If a user has multiple certificates available + (on a smart card, or via other media), there must be exactly one certificate + chosen before attempting pkinit authentication. + This option may be specified multiple times. + All the available certificates are checked against each rule in order + until there is a match of exactly one certificate. + + The Subject and Issuer comparison strings are the :rfc:`2253` string + representations from the certificate Subject DN and Issuer DN values. The syntax of the matching rules is:: @@ -670,9 +1018,12 @@ PKINIT krb5.conf options where *relation-operator* - can be either **&&**, meaning all component rules must match, or **||**, meaning only one component rule must match. The default is &&. + can be either **&&**, meaning all component rules must match, + or **||**, meaning only one component rule must match. The default is &&. + *component-rule* - can be one of the following. Note that there is no punctuation or whitespace between component rules. + can be one of the following. + Note that there is no punctuation or whitespace between component rules. *regular-expression* @@ -681,7 +1032,8 @@ PKINIT krb5.conf options *regular-expression* *extended-key-usage-list* - where *extended-key-usage-list* is a comma-separated list of required Extended Key Usage values. All values in the list must be present in the certificate. + where *extended-key-usage-list* is a comma-separated list of required + Extended Key Usage values. All values in the list must be present in the certificate. - pkinit - msScLogin @@ -691,7 +1043,8 @@ PKINIT krb5.conf options *key-usage-list* - where *key-usage-list* is a comma-separated list of required Key Usage values. All values in the list must be present in the certificate. + where *key-usage-list* is a comma-separated list of required Key Usage values. + All values in the list must be present in the certificate. - digitalSignature - keyEncipherment @@ -704,45 +1057,75 @@ PKINIT krb5.conf options pkinit_cert_match = msScLogin,clientAuthdigitalSignature **pkinit_eku_checking** - This option specifies what Extended Key Usage value the KDC certificate presented to the client must contain. (Note that if the KDC certificate has the pkinit SubjectAlternativeName encoded as the Kerberos TGS name, EKU checking is not necessary since the issuing CA has certified this as a KDC certificate.) The values recognized in the krb5.conf file are: + This option specifies what Extended Key Usage value the KDC certificate + presented to the client must contain. (Note that if the KDC certificate + has the pkinit SubjectAlternativeName encoded as the Kerberos TGS name, + EKU checking is not necessary since the issuing CA has certified this + as a KDC certificate.) The values recognized in the krb5.conf file are: *kpKDC* - This is the default value and specifies that the KDC must have the id-pkinit-KPKdc EKU as defined in :rfc:`4556`. + This is the default value and specifies that the KDC must have + the *id-pkinit-KPKdc* EKU as defined in :rfc:`4556`. *kpServerAuth* - If kpServerAuth is specified, a KDC certificate with the id-kp-serverAuth EKU as used by Microsoft will be accepted. + If kpServerAuth is specified, a KDC certificate with + the *id-kp-serverAuth* EKU as used by Microsoft will be accepted. *none* - If none is specified, then the KDC certificate will not be checked to verify it has an acceptable EKU. The use of this option is not recommended. + If none is specified, then the KDC certificate will not be checked to + verify it has an acceptable EKU. The use of this option is not recommended. **pkinit_dh_min_bits** - Specifies the size of the Diffie-Hellman key the client will attempt to use. The acceptable values are currently 1024, 2048, and 4096. The default is 2048. + Specifies the size of the Diffie-Hellman key the client will attempt to use. + The acceptable values are currently 1024, 2048, and 4096. The default is 2048. **pkinit_identities** - Specifies the location(s) to be used to find the user's X.509 identity information. This option may be specified multiple times. Each value is attempted in order until identity information is found and authentication is attempted. Note that these values are not used if the user specifies X509_user_identity on the command line. + Specifies the location(s) to be used to find the user's X.509 identity + information. This option may be specified multiple times. + Each value is attempted in order until identity information is found and + authentication is attempted. Note that these values are not used + if the user specifies X509_user_identity on the command line. **pkinit_kdc_hostname** - The presense of this option indicates that the client is willing to accept a KDC certificate with a dNSName SAN (Subject Alternative Name) rather than requiring the id-pkinit-san as defined in :rfc:`4556`. This option may be specified multiple times. Its value should contain the acceptable hostname for the KDC (as contained in its certificate). + The presense of this option indicates that the client is willing to accept + a KDC certificate with a dNSName SAN (Subject Alternative Name) + rather than requiring the id-pkinit-san as defined in :rfc:`4556`. + This option may be specified multiple times. + Its value should contain the acceptable hostname for the KDC + (as contained in its certificate). **pkinit_longhorn** If this flag is set to true, we are talking to the Longhorn KDC. **pkinit_pool** - Specifies the location of intermediate certificates which may be used by the client to complete the trust chain between a KDC certificate and a trusted anchor. This option may be specified multiple times. + Specifies the location of intermediate certificates which may be used + by the client to complete the trust chain between a KDC certificate + and a trusted anchor. This option may be specified multiple times. **pkinit_require_crl_checking** - The default certificate verification process will always check the available revocation information to see if a certificate has been revoked. If a match is found for the certificate in a CRL, verification fails. If the certificate being verified is not listed in a CRL, or there is no CRL present for its issuing CA, and *pkinit_require_crl_checking* is false, then verification succeeds. + The default certificate verification process will always check the + available revocation information to see if a certificate has been revoked. + If a match is found for the certificate in a CRL, verification fails. + If the certificate being verified is not listed in a CRL, + or there is no CRL present for its issuing CA, and + *pkinit_require_crl_checking* is false, then verification succeeds. - However, if *pkinit_require_crl_checking* is true and there is no CRL information available for the issuing CA, then verification fails. + However, if *pkinit_require_crl_checking* is true and there is no + CRL information available for the issuing CA, then verification fails. - *pkinit_require_crl_checking* should be set to true if the policy is such that up-to-date CRLs must be present for every CA. + *pkinit_require_crl_checking* should be set to true if the policy + is such that up-to-date CRLs must be present for every CA. **pkinit_revoke** - Specifies the location of Certificate Revocation List (CRL) information to be used by the client when verifying the validity of the KDC certificate presented. This option may be specified multiple times. + Specifies the location of Certificate Revocation List (CRL) information + to be used by the client when verifying the validity of the KDC certificate + presented. This option may be specified multiple times. **pkinit_win2k** - This flag specifies whether the target realm is assumed to support only the old, pre-RFC version of the protocol. The default is false. + This flag specifies whether the target realm is assumed to support only + the old, pre-RFC version of the protocol. The default is false. **pkinit_win2k_require_binding** - If this flag is set to true, it expects that the target KDC is patched to return a reply with a checksum rather than a nonce. The default is false. + If this flag is set to true, it expects that the target KDC is patched + to return a reply with a checksum rather than a nonce. The default is false. -- 2.26.2