6 The krb5.conf file contains Kerberos configuration information,
7 including the locations of KDCs and admin servers for the Kerberos
8 realms of interest, defaults for the current realm and for Kerberos
9 applications, and mappings of hostnames onto Kerberos realms.
10 Normally, you should install your krb5.conf file in the directory
11 ``/etc``. You can override the default location by setting the
12 environment variable **KRB5_CONFIG**.
18 The krb5.conf file is set up in the style of a Windows INI file.
19 Sections are headed by the section name, in square brackets. Each
20 section may contain zero or more relations, of the form:
34 Placing a '\*' at the end of a line indicates that this is the *final*
35 value for the tag. This means that neither the remainder of this
36 configuration file nor any other configuration file will be checked
37 for any other values for this tag.
39 For example, if you have the following lines:
45 then the second value of ``foo`` (``baz``) would never be read.
47 The krb5.conf file can include other files using either of the
48 following directives at the beginning of a line:
55 *FILENAME* or *DIRNAME* should be an absolute path. The named file or
56 directory must exist and be readable. Including a directory includes
57 all files within the directory whose names consist solely of
58 alphanumeric characters, dashes, or underscores. Included profile
59 files are syntactically independent of their parents, so each included
60 file must begin with a section header.
62 The krb5.conf file can specify that configuration should be obtained
63 from a loadable module, rather than the file itself, using the
64 following directive at the beginning of a line before any section
69 module MODULEPATH:RESIDUAL
71 *MODULEPATH* may be relative to the library path of the krb5
72 installation, or it may be an absolute path. *RESIDUAL* is provided
73 to the module at initialization time. If krb5.conf uses a module
74 directive, :ref:`kdc.conf(5)` should also use one if it exists.
80 The krb5.conf file may contain the following sections:
82 =================== =======================================================
83 :ref:`libdefaults` Settings used by the Kerberos V5 library
84 :ref:`realms` Realm-specific contact information and settings
85 :ref:`domain_realm` Maps server hostnames to Kerberos realms
86 :ref:`capaths` Authentication paths for non-hierarchical cross-realm
87 :ref:`appdefaults` Settings used by some Kerberos V5 applications
88 :ref:`plugins` Controls plugin module registration
89 =================== =======================================================
97 The libdefaults section may contain any of the following relations:
100 If this flag is set to false, then weak encryption types will be
101 filtered out of the previous three lists (as noted in
102 :ref:`Supported_Encryption_Types_and_Salts`). The default value
103 for this tag is false, which may cause authentication failures in
104 existing Kerberos infrastructures that do not support strong
105 crypto. Users in affected environments should set this tag to
106 true until their infrastructure adopts stronger ciphers.
108 **ap_req_checksum_type**
109 An integer which specifies the type of AP-REQ checksum to use in
110 authenticators. This variable should be unset so the appropriate
111 checksum for the encryption key in use will be used. This can be
112 set if backward compatibility requires a specific checksum type.
113 See the **kdc_req_checksum_type** configuration option for the
114 possible values and their meanings.
117 If this flag is set to true, initial ticket requests to the KDC
118 will request canonicalization of the client principal name, and
119 answers with different client principals than the requested
120 principal will be accepted. The default value is false.
123 This parameter determines the format of credential cache types
124 created by :ref:`kinit(1)` or other programs. The default value
125 is 4, which represents the most current format. Smaller values
126 can be used for compatibility with very old implementations of
127 Kerberos which interact with credential caches on the same host.
130 Sets the maximum allowable amount of clockskew in seconds that the
131 library will tolerate before assuming that a Kerberos message is
132 invalid. The default value is 300 seconds, or five minutes.
134 **default_keytab_name**
135 This relation specifies the default keytab name to be used by
136 application servers such as telnetd and rlogind. The default is
137 ``/etc/krb5.keytab``.
140 Identifies the default Kerberos realm for the client. Set its
141 value to your Kerberos realm. If this value is not set, then a
142 realm must be specified with every Kerberos principal when
143 invoking programs such as :ref:`kinit(1)`.
145 **default_tgs_enctypes**
146 Identifies the supported list of session key encryption types that
147 should be returned by the KDC. The list may be delimited with
148 commas or whitespace. See
149 :ref:`Supported_Encryption_Types_and_Salts` for a list of the
150 accepted values for this tag. The default value is
151 ``aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1
152 arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4``, but
153 single-DES encryption types will be implicitly removed from this
154 list if the value of **allow_weak_crypto** is false.
156 **default_tkt_enctypes**
157 Identifies the supported list of session key encryption types that
158 should be requested by the client. The format is the same as for
159 default_tgs_enctypes. The default value for this tag is
160 ``aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1
161 arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4``, but
162 single-DES encryption types will be implicitly removed from this
163 list if the value of **allow_weak_crypto** is false.
166 Indicate whether DNS SRV records should be used to locate the KDCs
167 and other servers for a realm, if they are not listed in the
168 krb5.conf information for the realm. (Note that the admin_server
169 entry must be in the krb5.conf realm information in order to
170 contact kadmind, because the DNS implementation for kadmin is
173 Enabling this option does open up a type of denial-of-service
174 attack, if someone spoofs the DNS records and redirects you to
175 another server. However, it's no worse than a denial of service,
176 because that fake KDC will be unable to decode anything you send
177 it (besides the initial ticket request, which has no encrypted
178 data), and anything the fake KDC sends will not be trusted without
179 verification using some secret that it won't know.
182 This allows a computer to use multiple local addresses, in order
183 to allow Kerberos to work in a network that uses NATs while still
184 using address-restricted tickets. The addresses should be in a
185 comma-separated list. This option has no effect if
186 **noaddresses** is true.
189 If this flag is true, initial tickets will be forwardable by
190 default, if allowed by the KDC. The default value is false.
192 **ignore_acceptor_hostname**
193 When accepting GSSAPI or krb5 security contexts for host-based
194 service principals, ignore any hostname passed by the calling
195 application, and allow clients to authenticate to any service
196 principal in the keytab matching the service name and realm name
197 (if given). This option can improve the administrative
198 flexibility of server applications on multihomed hosts, but could
199 compromise the security of virtual hosting environments. The
200 default value is false.
202 **k5login_authoritative**
203 If this flag is true, principals must be listed in a local user's
204 k5login file to be granted login access, if a :ref:`.k5login(5)`
205 file exists. If this flag is false, a principal may still be
206 granted login access through other mechanisms even if a k5login
207 file exists but does not list the principal. The default value is
210 **k5login_directory**
211 If set, the library will look for a local user's k5login file
212 within the named directory, with a filename corresponding to the
213 local username. If not set, the library will look for k5login
214 files in the user's home directory, with the filename .k5login.
215 For security reasons, .k5login files must be owned by
216 the local user or by root.
218 **kdc_default_options**
219 Default KDC options (Xored for multiple values) when requesting
220 initial tickets. By default it is set to 0x00000010
221 (KDC_OPT_RENEWABLE_OK).
224 If this flag is true, client machines will compute the difference
225 between their time and the time returned by the KDC in the
226 timestamps in the tickets and use this value to correct for an
227 inaccurate system clock when requesting service tickets or
228 authenticating to services. This corrective factor is only used
229 by the Kerberos library; it is not used to change the system
230 clock. The default value is true.
232 **kdc_req_checksum_type**
233 An integer which specifies the type of checksum to use for the KDC
234 requests, for compatibility with very old KDC implementations.
235 This value is only used for DES keys; other keys use the preferred
236 checksum type for those keys.
238 The possible values and their meanings are as follows.
240 ======== ===============================
249 -138 Microsoft MD5 HMAC checksum type
250 ======== ===============================
253 If this flag is true, requests for initial tickets will not be
254 made with address restrictions set, allowing the tickets to be
255 used across NATs. The default value is true.
257 **permitted_enctypes**
258 Identifies all encryption types that are permitted for use in
259 session key encryption. The default value for this tag is
260 ``aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1
261 arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4``, but
262 single-DES encryption types will be implicitly removed from this
263 list if the value of **allow_weak_crypto** is false.
266 If set, determines the base directory where krb5 plugins are
267 located. The default value is the ``krb5/plugins`` subdirectory
268 of the krb5 library directory.
270 **preferred_preauth_types**
271 This allows you to set the preferred preauthentication types which
272 the client will attempt before others which may be advertised by a
273 KDC. The default value for this setting is "17, 16, 15, 14",
274 which forces libkrb5 to attempt to use PKINIT if it is supported.
277 If this flag is true, initial tickets will be proxiable by
278 default, if allowed by the KDC. The default value is false.
281 If this flag is true, reverse name lookup will be used in addition
282 to forward name lookup to canonicalizing hostnames for use in
283 service principal names. The default value is true.
285 **realm_try_domains**
286 Indicate whether a host's domain components should be used to
287 determine the Kerberos realm of the host. The value of this
288 variable is an integer: -1 means not to search, 0 means to try the
289 host's domain itself, 1 means to also try the domain's immediate
290 parent, and so forth. The library's usual mechanism for locating
291 Kerberos realms is used to determine whether a domain is a valid
292 realm--which may involve consulting DNS if **dns_lookup_kdc** is
293 set. The default is not to search domain components.
296 Sets the default renewable lifetime for initial ticket requests.
297 The default value is 0.
299 **safe_checksum_type**
300 An integer which specifies the type of checksum to use for the
301 KRB-SAFE requests. By default it is set to 8 (RSA MD5 DES). For
302 compatibility with applications linked against DCE version 1.1 or
303 earlier Kerberos libraries, use a value of 3 to use the RSA MD4
304 DES instead. This field is ignored when its value is incompatible
305 with the session key type. See the **kdc_req_checksum_type**
306 configuration option for the possible values and their meanings.
309 Sets the default lifetime for initial ticket requests. The
310 default value is 1 day.
312 **udp_preference_limit**
313 When sending a message to the KDC, the library will try using TCP
314 before UDP if the size of the message is above
315 **udp_preference_limit**. If the message is smaller than
316 **udp_preference_limit**, then UDP will be tried before TCP.
317 Regardless of the size, both protocols will be tried if the first
320 **verify_ap_req_nofail**
321 If this flag is true, then an attempt to verify initial
322 credentials will fail if the client machine does not have a
323 keytab. The default value is false.
331 Each tag in the [realms] section of the file is the name of a Kerberos
332 realm. The value of the tag is a subsection with relations that
333 define the properties of that particular realm. For each realm, the
334 following tags may be specified in the realm's subsection:
337 Identifies the host where the administration server is running.
338 Typically, this is the master Kerberos server. This tag must be
339 given a value in order to communicate with the :ref:`kadmind(8)`
340 server for the realm.
343 This tag allows you to set a general rule for mapping principal
344 names to local user names. It will be used if there is not an
345 explicit mapping for the principal name that is being
346 translated. The possible values are:
349 The local name will be formulated from *exp*.
351 The format for *exp* is **[**\ *n*\ **:**\ *string*\ **](**\
352 *regexp*\ **)s/**\ *pattern*\ **/**\ *replacement*\ **/g**.
353 The integer *n* indicates how many components the target
354 principal should have. If this matches, then a string will be
355 formed from *string*, substituting the realm of the principal
356 for ``$0`` and the *n*'th component of the principal for
357 ``$n`` (e.g. if the principal was ``johndoe/admin`` then
358 ``[2:$2$1foo]`` would result in the string
359 ``adminjohndoefoo``). If this string matches *regexp*, then
360 the ``s//[g]`` substitution command will be run over the
361 string. The optional **g** will cause the substitution to be
362 global over the *string*, instead of replacing only the first
363 match in the *string*.
366 The principal name will be used as the local user name. If
367 the principal has more than one component or is not in the
368 default realm, this rule is not applicable and the conversion
376 auth_to_local = RULE:[2:$1](johndoe)s/^.*$/guest/
377 auth_to_local = RULE:[2:$1;$2](^.*;admin$)s/;admin$//
378 auth_to_local = RULE:[2:$2](^.*;root)s/^.*$/root/
379 auto_to_local = DEFAULT
382 would result in any principal without ``root`` or ``admin`` as the
383 second component to be translated with the default rule. A
384 principal with a second component of ``admin`` will become its
385 first component. ``root`` will be used as the local name for any
386 principal with a second component of ``root``. The exception to
387 these two rules are any principals ``johndoe/*``, which will
388 always get the local name ``guest``.
390 **auth_to_local_names**
391 This subsection allows you to set explicit mappings from principal
392 names to local user names. The tag is the mapping name, and the
393 value is the corresponding local user name.
396 This tag specifies the domain used to expand hostnames when
397 translating Kerberos 4 service principals to Kerberos 5 principals
398 (for example, when converting ``rcmd.hostname`` to
399 ``host/hostname.domain``).
402 The name or address of a host running a KDC for that realm. An
403 optional port number, separated from the hostname by a colon, may
404 be included. If the name or address contains colons (for example,
405 if it is an IPv6 address), enclose it in square brackets to
406 distinguish the colon from a port separator. For your computer to
407 be able to communicate with the KDC for each realm, this tag must
408 be given a value in each realm subsection in the configuration
409 file, or there must be DNS SRV records specifying the KDCs.
412 Points to the server where all the password changes are performed.
413 If there is no such entry, the port 464 on the **admin_server**
417 Identifies the master KDC(s). Currently, this tag is used in only
418 one case: If an attempt to get credentials fails because of an
419 invalid password, the client software will attempt to contact the
420 master KDC, in case the user's password has just been changed, and
421 the updated database has not been propagated to the slave servers
424 **v4_instance_convert**
425 This subsection allows the administrator to configure exceptions
426 to the **default_domain** mapping rule. It contains V4 instances
427 (the tag name) which should be translated to some specific
428 hostname (the tag value) as the second component in a Kerberos V5
432 This relation is used by the krb524 library routines when
433 converting a V5 principal name to a V4 principal name. It is used
434 when the V4 realm name and the V5 realm name are not the same, but
435 still share the same principal names and passwords. The tag value
436 is the Kerberos V4 realm name.
444 The [domain_realm] section provides a translation from a domain name
445 or hostname to a Kerberos realm name. The tag name can be a host name
446 or domain name, where domain names are indicated by a prefix of a
447 period (``.``). The value of the relation is the Kerberos realm name
448 for that particular host or domain. The Kerberos realm may be
449 identified either in the realms_ section or using DNS SRV records.
450 Host names and domain names should be in lower case. For example:
455 crash.mit.edu = TEST.ATHENA.MIT.EDU
456 .mit.edu = ATHENA.MIT.EDU
457 mit.edu = ATHENA.MIT.EDU
459 maps the host with the exact name ``crash.mit.edu`` into the
460 TEST.ATHENA.MIT.EDU realm. The period prefix in ``.mit.edu`` denotes
461 that all systems in the ``mit.edu`` domain belong to
462 ``ATHENA.MIT.EDU`` realm. The third entry maps the host ``mit.edu``
463 itself to the ``ATHENA.MIT.EDU`` realm.
465 If no translation entry applies to a hostname used for a service
466 principal for a service ticket request, the library will try to get a
467 referral to the appropriate realm from the client realm's KDC. If
468 that does not succeed, the host's realm is considered to be the
469 hostname's domain portion converted to uppercase, unless the
470 **realm_try_domains** setting in [libdefaults] causes a different
471 parent domain to be used.
479 In order to perform direct (non-hierarchical) cross-realm
480 authentication, configuration is needed to determine the
481 authentication paths between realms.
483 A client will use this section to find the authentication path between
484 its realm and the realm of the server. The server will use this
485 section to verify the authentication path used by the client, by
486 checking the transited field of the received ticket.
488 There is a tag for each participating client realm, and each tag has
489 subtags for each of the server realms. The value of the subtags is an
490 intermediate realm which may participate in the cross-realm
491 authentication. The subtags may be repeated if there is more then one
492 intermediate realm. A value of "." means that the two realms share
493 keys directly, and no intermediate realms should be allowed to
496 Only those entries which will be needed on the client or the server
497 need to be present. A client needs a tag for its local realm with
498 subtags for all the realms of servers it will need to authenticate to.
499 A server needs a tag for each realm of the clients it will serve, with
500 a subtag of the server realm.
502 For example, ``ANL.GOV``, ``PNL.GOV``, and ``NERSC.GOV`` all wish to
503 use the ``ES.NET`` realm as an intermediate realm. ANL has a sub
504 realm of ``TEST.ANL.GOV`` which will authenticate with ``NERSC.GOV``
505 but not ``PNL.GOV``. The [capaths] section for ``ANL.GOV`` systems
506 would look like this:
530 The [capaths] section of the configuration file used on ``NERSC.GOV``
531 systems would look like this:
538 TEST.ANL.GOV = ES.NET
539 TEST.ANL.GOV = ANL.GOV
557 When a subtag is used more than once within a tag, clients will use
558 the order of values to determine the path. The order of values is not
559 important to servers.
567 Each tag in the [appdefaults] section names a Kerberos V5 application
568 or an option that is used by some Kerberos V5 application[s]. The
569 value of the tag defines the default behaviors for that application.
589 The above four ways of specifying the value of an option are shown in
590 order of decreasing precedence. In this example, if telnet is running
591 in the realm EXAMPLE.COM, it should, by default, have option1 and
592 option2 set to true. However, a telnet program in the realm
593 ``ATHENA.MIT.EDU`` should have ``option1`` set to false and
594 ``option2`` set to true. Any other programs in ATHENA.MIT.EDU should
595 have ``option2`` set to false by default. Any programs running in
596 other realms should have ``option2`` set to true.
598 The list of specifiable options for each application may be found in
599 that application's man pages. The application defaults specified here
600 are overridden by those specified in the realms_ section.
609 * kadm5_hook_ interface
610 * clpreauth_ and kdcpreauth_ interfaces
612 Tags in the [plugins] section can be used to register dynamic plugin
613 modules and to turn modules on and off. Not every krb5 pluggable
614 interface uses the [plugins] section; the ones that do are documented
617 Each pluggable interface corresponds to a subsection of [plugins].
618 All subsections support the same tags:
621 This tag may have multiple values. If there are values for this
622 tag, then the named modules will be disabled for the pluggable
626 This tag may have multiple values. If there are values for this
627 tag, then only the named modules will be enabled for the pluggable
631 This tag may have multiple values. Each value is a string of the
632 form ``modulename:pathname``, which causes the shared object
633 located at *pathname* to be registered as a dynamic module named
634 *modulename* for the pluggable interface. If *pathname* is not an
635 absolute path, it will be treated as relative to the
636 **plugin_base_dir** value from :ref:`libdefaults`.
638 The following subsections are currently supported within the [plugins]
646 The pwqual subsection controls modules for the password quality
647 interface, which is used to reject weak passwords when passwords are
648 changed. In addition to any registered dynamic modules, the following
649 built-in modules exist (and may be disabled with the disable tag):
652 Checks against the realm dictionary file
655 Rejects empty passwords
658 Checks against user information stored in Hesiod (only if Kerberos
659 was built with Hesiod support)
662 Checks against components of the principal name
669 The kadm5_hook interface provides plugins with information on
670 principal creation, modification, password changes and deletion. This
671 interface can be used to write a plugin to synchronize MIT Kerberos
672 with another database such as Active Directory. No plugins are built
673 in for this interface.
679 clpreauth and kdcpreauth interfaces
680 ###################################
682 The clpreauth and kdcpreauth interfaces allow plugin modules to
683 provide client and KDC preauthentication mechanisms. The following
684 built-in modules exist for these interfaces:
687 This module implements the PKINIT preauthentication mechanism.
689 **encrypted_challenge**
690 This module implements the encrypted challenge FAST factor.
692 **encrypted_timestamp**
693 This module implements the encrypted timestamp mechanism.
699 .. note:: The following are PKINIT-specific options. These values may
700 be specified in [libdefaults] as global defaults, or within
701 a realm-specific subsection of [libdefaults], or may be
702 specified as realm-specific values in the [realms] section.
703 A realm-specific value overrides, not adds to, a generic
704 [libdefaults] specification. The search order is:
706 1. realm-specific subsection of [libdefaults]:
712 pkinit_anchors = FILE\:/usr/local/example.com.crt
715 2. realm-specific value in the [realms] section,
721 pkinit_anchors = FILE\:/usr/local/otherrealm.org.crt
724 3. generic value in the [libdefaults] section.
729 pkinit_anchors = DIR\:/usr/local/generic_trusted_cas/
734 Specifying PKINIT identity information
735 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
737 The syntax for specifying Public Key identity, trust, and revocation
738 information for PKINIT is as follows:
740 **FILE:**\ *filename*\ [**,**\ *keyfilename*]
741 This option has context-specific behavior.
743 In **pkinit_identity** or **pkinit_identities**, *filename*
744 specifies the name of a PEM-format file containing the user's
745 certificate. If *keyfilename* is not specified, the user's
746 private key is expected to be in *filename* as well. Otherwise,
747 *keyfilename* is the name of the file containing the private key.
749 In **pkinit_anchors** or **pkinit_pool**, *filename* is assumed to
750 be the name of an OpenSSL-style ca-bundle file.
753 This option has context-specific behavior.
755 In **pkinit_identity** or **pkinit_identities**, *dirname*
756 specifies a directory with files named ``*.crt`` and ``*.key``
757 where the first part of the file name is the same for matching
758 pairs of certificate and private key files. When a file with a
759 name ending with ``.crt`` is found, a matching file ending with
760 ``.key`` is assumed to contain the private key. If no such file
761 is found, then the certificate in the ``.crt`` is not used.
763 In **pkinit_anchors** or **pkinit_pool**, *dirname* is assumed to
764 be an OpenSSL-style hashed CA directory where each CA cert is
765 stored in a file named ``hash-of-ca-cert.#``. This infrastructure
766 is encouraged, but all files in the directory will be examined and
767 if they contain certificates (in PEM format), they will be used.
769 In **pkinit_revoke**, *dirname* is assumed to be an OpenSSL-style
770 hashed CA directory where each revocation list is stored in a file
771 named ``hash-of-ca-cert.r#``. This infrastructure is encouraged,
772 but all files in the directory will be examined and if they
773 contain a revocation list (in PEM format), they will be used.
775 **PKCS12:**\ *filename*
776 *filename* is the name of a PKCS #12 format file, containing the
777 user's certificate and private key.
779 **PKCS11:**\ [**module_name=**]\ *modname*\ [**:slotid=**\ *slot-id*][**:token=**\ *token-label*][**:certid=**\ *cert-id*][**:certlabel=**\ *cert-label*]
780 All keyword/values are optional. *modname* specifies the location
781 of a library implementing PKCS #11. If a value is encountered
782 with no keyword, it is assumed to be the *modname*. If no
783 module-name is specified, the default is ``opensc-pkcs11.so``.
784 ``slotid=`` and/or ``token=`` may be specified to force the use of
785 a particular smard card reader or token if there is more than one
786 available. ``certid=`` and/or ``certlabel=`` may be specified to
787 force the selection of a particular certificate on the device.
788 See the **pkinit_cert_match** configuration option for more ways
789 to select a particular certificate to use for PKINIT.
792 *envvar* specifies the name of an environment variable which has
793 been set to a value conforming to one of the previous values. For
794 example, ``ENV:X509_PROXY``, where environment variable
795 ``X509_PROXY`` has been set to ``FILE:/tmp/my_proxy.pem``.
798 PKINIT krb5.conf options
799 ~~~~~~~~~~~~~~~~~~~~~~~~
802 Specifies the location of trusted anchor (root) certificates which
803 the client trusts to sign KDC certificates. This option may be
804 specified multiple times. These values from the config file are
805 not used if the user specifies X509_anchors on the command line.
807 **pkinit_cert_match**
808 Specifies matching rules that the client certificate must match
809 before it is used to attempt PKINIT authentication. If a user has
810 multiple certificates available (on a smart card, or via other
811 media), there must be exactly one certificate chosen before
812 attempting PKINIT authentication. This option may be specified
813 multiple times. All the available certificates are checked
814 against each rule in order until there is a match of exactly one
817 The Subject and Issuer comparison strings are the :rfc:`2253`
818 string representations from the certificate Subject DN and Issuer
821 The syntax of the matching rules is:
823 [*relation-operator*\ ]\ *component-rule* ...
828 can be either ``&&``, meaning all component rules must match,
829 or ``||``, meaning only one component rule must match. The
833 can be one of the following. Note that there is no
834 punctuation or whitespace between component rules.
836 | **<SUBJECT>**\ *regular-expression*
837 | **<ISSUER>**\ *regular-expression*
838 | **<SAN>**\ *regular-expression*
839 | **<EKU>**\ *extended-key-usage-list*
840 | **<KU>**\ *key-usage-list*
842 *extended-key-usage-list* is a comma-separated list of
843 required Extended Key Usage values. All values in the list
844 must be present in the certificate. Extended Key Usage values
852 *key-usage-list* is a comma-separated list of required Key
853 Usage values. All values in the list must be present in the
854 certificate. Key Usage values can be:
863 pkinit_cert_match = ||<SUBJECT>.*DoE.*<SAN>.*@EXAMPLE.COM
864 pkinit_cert_match = &&<EKU>msScLogin,clientAuth<ISSUER>.*DoE.*
865 pkinit_cert_match = <EKU>msScLogin,clientAuth<KU>digitalSignature
867 **pkinit_eku_checking**
868 This option specifies what Extended Key Usage value the KDC
869 certificate presented to the client must contain. (Note that if
870 the KDC certificate has the pkinit SubjectAlternativeName encoded
871 as the Kerberos TGS name, EKU checking is not necessary since the
872 issuing CA has certified this as a KDC certificate.) The values
873 recognized in the krb5.conf file are:
876 This is the default value and specifies that the KDC must have
877 the id-pkinit-KPKdc EKU as defined in :rfc:`4556`.
880 If **kpServerAuth** is specified, a KDC certificate with the
881 id-kp-serverAuth EKU as used by Microsoft will be accepted.
884 If **none** is specified, then the KDC certificate will not be
885 checked to verify it has an acceptable EKU. The use of this
886 option is not recommended.
888 **pkinit_dh_min_bits**
889 Specifies the size of the Diffie-Hellman key the client will
890 attempt to use. The acceptable values are 1024, 2048, and 4096.
893 **pkinit_identities**
894 Specifies the location(s) to be used to find the user's X.509
895 identity information. This option may be specified multiple
896 times. Each value is attempted in order until identity
897 information is found and authentication is attempted. Note that
898 these values are not used if the user specifies
899 **X509_user_identity** on the command line.
901 **pkinit_kdc_hostname**
902 The presense of this option indicates that the client is willing
903 to accept a KDC certificate with a dNSName SAN (Subject
904 Alternative Name) rather than requiring the id-pkinit-san as
905 defined in :rfc:`4556`. This option may be specified multiple
906 times. Its value should contain the acceptable hostname for the
907 KDC (as contained in its certificate).
910 If this flag is set to true, we are talking to the Longhorn KDC.
913 Specifies the location of intermediate certificates which may be
914 used by the client to complete the trust chain between a KDC
915 certificate and a trusted anchor. This option may be specified
918 **pkinit_require_crl_checking**
919 The default certificate verification process will always check the
920 available revocation information to see if a certificate has been
921 revoked. If a match is found for the certificate in a CRL,
922 verification fails. If the certificate being verified is not
923 listed in a CRL, or there is no CRL present for its issuing CA,
924 and **pkinit_require_crl_checking** is false, then verification
927 However, if **pkinit_require_crl_checking** is true and there is
928 no CRL information available for the issuing CA, then verification
931 **pkinit_require_crl_checking** should be set to true if the
932 policy is such that up-to-date CRLs must be present for every CA.
935 Specifies the location of Certificate Revocation List (CRL)
936 information to be used by the client when verifying the validity
937 of the KDC certificate presented. This option may be specified
941 This flag specifies whether the target realm is assumed to support
942 only the old, pre-RFC version of the protocol. The default is
945 **pkinit_win2k_require_binding**
946 If this flag is set to true, it expects that the target KDC is
947 patched to return a reply with a checksum rather than a nonce.
948 The default is false.
951 Sample krb5.conf file
952 ---------------------
954 Here is an example of a generic krb5.conf file:
959 default_realm = ATHENA.MIT.EDU
960 default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
961 default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
962 dns_lookup_kdc = true
963 dns_lookup_realm = false
967 kdc = kerberos.mit.edu
968 kdc = kerberos-1.mit.edu
969 kdc = kerberos-2.mit.edu:750
970 admin_server = kerberos.mit.edu
971 master_kdc = kerberos.mit.edu
972 default_domain = mit.edu
975 kdc = kerberos.example.com
976 kdc = kerberos-1.example.com
977 admin_server = kerberos.example.com
980 kdc = kerberos.mit.edu
981 admin_server = kerberos.mit.edu
982 database_module = openldap_ldapconf
986 .mit.edu = ATHENA.MIT.EDU
987 mit.edu = ATHENA.MIT.EDU
999 admin_server = FILE=/var/kadm5.log
1001 ldap_kerberos_container_dn = cn=krbcontainer,dc=example,dc=com
1003 openldap_ldapconf = {
1005 disable_last_success = true
1006 ldap_kerberos_container_dn = cn=krbcontainer,dc=example,dc=com
1007 ldap_kdc_dn = "cn=krbadmin,dc=example,dc=com"
1008 # this object needs to have read rights on
1009 # the realm container and principal subtrees
1010 ldap_kadmind_dn = "cn=krbadmin,dc=example,dc=com"
1011 # this object needs to have read and write rights on
1012 # the realm container and principal subtrees
1013 ldap_service_password_file = /etc/kerberos/service.keyfile
1014 ldap_servers = ldaps://kerberos.mit.edu
1015 ldap_conns_per_server = 5