KDC.CONF(5)                      MIT Kerberos                      KDC.CONF(5)

       kdc.conf - Kerberos V5 KDC configuration file

       The kdc.conf file supplements krb5.conf(5) for programs which are
       typically only used on a KDC, such as the krb5kdc(8) and kadmind(8)
       daemons and the kdb5_util(8) program.  Relations documented here may
       also be specified in krb5.conf; for the KDC programs mentioned,
       krb5.conf and kdc.conf will be merged into a single configuration
       profile.

       Normally, the kdc.conf file is found in the KDC state directory,
       /var/kerberos/krb5kdc.  You can override the default location by
       setting the environment variable KRB5_KDC_PROFILE.

       Please note that you need to restart the KDC daemon for any
       configuration changes to take effect.

       The kdc.conf file is set up in the same format as the krb5.conf(5)
       file.

       The kdc.conf file may contain the following sections:

       ┌──────────────┬────────────────────────────┐
       │[kdcdefaults] │ Default values for KDC     │
       │              │ behavior                   │
       ├──────────────┼────────────────────────────┤
       │[realms]      │ Realm-specific database    │
       │              │ configuration and settings │
       ├──────────────┼────────────────────────────┤
       │[dbdefaults]  │ Default database settings  │
       ├──────────────┼────────────────────────────┤
       │[dbmodules]   │ Per-database settings      │
       ├──────────────┼────────────────────────────┤
       │[logging]     │ Controls how Kerberos      │
       │              │ daemons perform logging    │
       └──────────────┴────────────────────────────┘

   [kdcdefaults]
       Some relations in the [kdcdefaults] section specify default values for
       realm variables, to be used if the [realms] subsection does not contain
       a relation for the tag.  See the [realms] section for the definitions
       of these relations.

       · host_based_services

       · kdc_listen

       · kdc_ports

       · kdc_tcp_listen

       · kdc_tcp_ports

       · no_host_referral

       · restrict_anonymous_to_tgt

       The following [kdcdefaults] variables have no per-realm equivalent:

       kdc_max_dgram_reply_size
              Specifies the maximum packet size that can be sent over UDP.
              The default value is 4096 bytes.

       kdc_tcp_listen_backlog
              (Integer.)  Set the size of the listen queue length for the KDC
              daemon.  The value may be limited by OS settings.  The default
              value is 5.

       spake_preauth_kdc_challenge
              (String.)  Specifies the group for a SPAKE optimistic challenge.
              See the spake_preauth_groups variable in libdefaults for
              possible values.  The default is not to issue an optimistic
              challenge.  (New in release 1.17.)

   [realms]
       Each tag in the [realms] section is the name of a Kerberos realm.  The
       value of the tag is a subsection where the relations define KDC
       parameters for that particular realm.  The following example shows how
       to define one parameter for the ATHENA.MIT.EDU realm:

          [realms]
              ATHENA.MIT.EDU = {
                  max_renewable_life = 7d 0h 0m 0s
              }

       The following tags may be specified in a [realms] subsection:

       acl_file
              (String.)  Location of the access control list file that
              kadmind(8) uses to determine which principals are allowed which
              permissions on the Kerberos database.  To operate without an ACL
              file, set this relation to the empty string with acl_file = "".
              The default value is /var/kerberos/krb5kdc/kadm5.acl.  For more
              information on the Kerberos ACL file see kadm5.acl(5).

       database_module
              (String.)  This relation indicates the name of the configuration
              section under [dbmodules] for database-specific parameters used
              by the loadable database library.  The default value is the
              realm name.  If this configuration section does not exist,
              default values will be used for all database parameters.

       database_name
              (String, deprecated.)  This relation specifies the location of
              the Kerberos database for this realm, if the DB2 module is being
              used and the [dbmodules] configuration section does not specify
              a database name.  The default value is
              /var/kerberos/krb5kdc/principal.

       default_principal_expiration
              (abstime string.)  Specifies the default expiration date of
              principals created in this realm.  The default value is 0, which
              means no expiration date.

       default_principal_flags
              (Flag string.)  Specifies the default attributes of principals
              created in this realm.  The format for this string is a
              comma-separated list of flags, with '+' before each flag that
              should be enabled and '-' before each flag that should be
              disabled.  The postdateable, forwardable, tgt-based, renewable,
              proxiable, dup-skey, allow-tickets, and service flags default to
              enabled.

              There are a number of possible flags:

              allow-tickets
                     Enabling this flag means that the KDC will issue tickets
                     for this principal.  Disabling this flag essentially
                     deactivates the principal within this realm.

              dup-skey
                     Enabling this flag allows the KDC to issue user-to-user
                     service tickets for this principal.

              forwardable
                     Enabling this flag allows the principal to obtain
                     forwardable tickets.

              hwauth If this flag is enabled, then the principal is required
                     to preauthenticate using a hardware device before
                     receiving any tickets.

              no-auth-data-required
                     Enabling this flag prevents PAC or AD-SIGNEDPATH data
                     from being added to service tickets for the principal.

              ok-as-delegate
                     If this flag is enabled, it hints the client that
                     credentials can and should be delegated when
                     authenticating to the service.

              ok-to-auth-as-delegate
                     Enabling this flag allows the principal to use S4USelf
                     tickets.

              postdateable
                     Enabling this flag allows the principal to obtain
                     postdateable tickets.

              preauth
                     If this flag is enabled on a client principal, then that
                     principal is required to preauthenticate to the KDC
                     before receiving any tickets.  On a service principal,
                     enabling this flag means that service tickets for this
                     principal will only be issued to clients with a TGT that
                     has the preauthenticated bit set.

              proxiable
                     Enabling this flag allows the principal to obtain proxy
                     tickets.

              pwchange
                     Enabling this flag forces a password change for this
                     principal.

              pwservice
                     If this flag is enabled, it marks this principal as a
                     password change service.  This should only be used in
                     special cases, for example, if a user's password has
                     expired, then the user has to get tickets for that
                     principal without going through the normal password
                     authentication in order to be able to change the
                     password.

              renewable
                     Enabling this flag allows the principal to obtain
                     renewable tickets.

              service
                     Enabling this flag allows the KDC to issue service
                     tickets for this principal.  In release 1.17 and later,
                     user-to-user service tickets are still allowed if the
                     dup-skey flag is set.

              tgt-based
                     Enabling this flag allows a principal to obtain tickets
                     based on a ticket-granting-ticket, rather than repeating
                     the authentication process that was used to obtain the
                     TGT.

       dict_file
              (String.)  Location of the dictionary file containing strings
              that are not allowed as passwords.  The file should contain one
              string per line, with no additional whitespace.  If none is
              specified or if there is no policy assigned to the principal, no
              dictionary checks of passwords will be performed.

       encrypted_challenge_indicator
              (String.)  Specifies the authentication indicator value that the
              KDC asserts into tickets obtained using FAST encrypted challenge
              pre-authentication.  New in 1.16.

       host_based_services
              (Whitespace- or comma-separated list.)  Lists services which
              will get host-based referral processing even if the server
              principal is not marked as host-based by the client.

       iprop_enable
              (Boolean value.)  Specifies whether incremental database
              propagation is enabled.  The default value is false.

       iprop_master_ulogsize
              (Integer.)  Specifies the maximum number of log entries to be
              retained for incremental propagation.  The default value is
              1000.  Prior to release 1.11, the maximum value was 2500.

       iprop_replica_poll
              (Delta time string.)  Specifies how often the replica KDC polls
              for new updates from the master.  The default value is 2m (that
              is, two minutes).  New in release 1.17.

       iprop_slave_poll
              (Delta time string.)  The name for iprop_replica_poll prior to
              release 1.17.  Its value is used as a fallback if
              iprop_replica_poll is not specified.

       iprop_listen
              (Whitespace- or comma-separated list.)  Specifies the iprop RPC
              listening addresses and/or ports for the kadmind(8) daemon.
              Each entry may be an interface address, a port number, or an
              address and port number separated by a colon.  If the address
              contains colons, enclose it in square brackets.  If no address
              is specified, the wildcard address is used.  If kadmind fails to
              bind to any of the specified addresses, it will fail to start.
              The default (when iprop_enable is true) is to bind to the
              wildcard address at the port specified in iprop_port.  New in
              release 1.15.

       iprop_port
              (Port number.)  Specifies the port number to be used for
              incremental propagation.  When iprop_enable is true, this
              relation is required in the replica KDC configuration file, and
              this relation or iprop_listen is required in the master
              configuration file, as there is no default port number.  Port
              numbers specified in iprop_listen entries will override this
              port number for the kadmind(8) daemon.

       iprop_resync_timeout
              (Delta time string.)  Specifies the amount of time to wait for a
              full propagation to complete.  This is optional in configuration
              files, and is used by replica KDCs only.  The default value is 5
              minutes (5m).  New in release 1.11.

       iprop_logfile
              (File name.)  Specifies where the update log file for the realm
              database is to be stored.  The default is to use the
              database_name entry from the realms section of the krb5 config
              file, with .ulog appended.  (NOTE: If database_name isn't
              specified in the realms section, perhaps because the LDAP
              database back end is being used, or the file name is specified
              in the [dbmodules] section, then the hard-coded default for
              database_name is used.  Determination of the iprop_logfile
              default value will not use values from the [dbmodules]
              section.)

       kadmind_listen
              (Whitespace- or comma-separated list.)  Specifies the kadmin RPC
              listening addresses and/or ports for the kadmind(8) daemon.
              Each entry may be an interface address, a port number, or an
              address and port number separated by a colon.  If the address
              contains colons, enclose it in square brackets.  If no address
              is specified, the wildcard address is used.  If kadmind fails to
              bind to any of the specified addresses, it will fail to start.
              The default is to bind to the wildcard address at the port
              specified in kadmind_port, or the standard kadmin port (749).
              New in release 1.15.

       kadmind_port
              (Port number.)  Specifies the port on which the kadmind(8)
              daemon is to listen for this realm.  Port numbers specified in
              kadmind_listen entries will override this port number.  The
              assigned port for kadmind is 749, which is used by default.

       key_stash_file
              (String.)  Specifies the location where the master key has been
              stored (via kdb5_util stash).  The default is
              /var/kerberos/krb5kdc/.k5.REALM, where REALM is the Kerberos
              realm.

       kdc_listen
              (Whitespace- or comma-separated list.)  Specifies the UDP
              listening addresses and/or ports for the krb5kdc(8) daemon.
              Each entry may be an interface address, a port number, or an
              address and port number separated by a colon.  If the address
              contains colons, enclose it in square brackets.  If no address
              is specified, the wildcard address is used.  If no port is
              specified, the standard port (88) is used.  If the KDC daemon
              fails to bind to any of the specified addresses, it will fail to
              start.  The default is to bind to the wildcard address on the
              standard port.  New in release 1.15.

       kdc_ports
              (Whitespace- or comma-separated list, deprecated.)  Prior to
              release 1.15, this relation lists the ports for the krb5kdc(8)
              daemon to listen on for UDP requests.  In release 1.15 and
              later, it has the same meaning as kdc_listen if that relation is
              not defined.

       kdc_tcp_listen
              (Whitespace- or comma-separated list.)  Specifies the TCP
              listening addresses and/or ports for the krb5kdc(8) daemon.
              Each entry may be an interface address, a port number, or an
              address and port number separated by a colon.  If the address
              contains colons, enclose it in square brackets.  If no address
              is specified, the wildcard address is used.  If no port is
              specified, the standard port (88) is used.  To disable listening
              on TCP, set this relation to the empty string with
              kdc_tcp_listen = "".  If the KDC daemon fails to bind to any of
              the specified addresses, it will fail to start.  The default is
              to bind to the wildcard address on the standard port.  New in
              release 1.15.

       kdc_tcp_ports
              (Whitespace- or comma-separated list, deprecated.)  Prior to
              release 1.15, this relation lists the ports for the krb5kdc(8)
              daemon to listen on for UDP requests.  In release 1.15 and
              later, it has the same meaning as kdc_tcp_listen if that
              relation is not defined.

       kpasswd_listen
              (Comma-separated list.)  Specifies the kpasswd listening
              addresses and/or ports for the kadmind(8) daemon.  Each entry
              may be an interface address, a port number, or an address and
              port number separated by a colon.  If the address contains
              colons, enclose it in square brackets.  If no address is
              specified, the wildcard address is used.  If kadmind fails to
              bind to any of the specified addresses, it will fail to start.
              The default is to bind to the wildcard address at the port
              specified in kpasswd_port, or the standard kpasswd port (464).
              New in release 1.15.
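
       The listen-address syntax shared by iprop_listen, kadmind_listen,
       kdc_listen, kdc_tcp_listen and kpasswd_listen (bare address, bare
       port, address:port, bracketed IPv6, empty string to disable) is the
       part of these relations most often mis-written, and a daemon that
       cannot bind will refuse to start.  The following is an added example,
       not code from MIT krb5, that parses such a value into the
       (address, port) pairs a daemon would bind and applies the documented
       default ports.  The function names, the WILDCARD marker and the
       fallback_port parameter are this example's own; the real daemons may
       accept more forms than shown here.

```python
"""Parse the listen-address lists used by the *_listen relations in
kdc.conf.  Added example; not code from MIT krb5."""

import ipaddress
import re

# Standard ports the man page gives per relation.  iprop_listen has no
# documented default port (it must come from iprop_port), hence None.
DEFAULT_PORTS = {
    "kdc_listen": 88,
    "kdc_tcp_listen": 88,
    "kadmind_listen": 749,
    "kpasswd_listen": 464,
    "iprop_listen": None,
}

WILDCARD = "*"   # constructed marker meaning "bind to the wildcard address"


def _parse_entry(entry, default_port):
    """Return (address, port) for one entry; address is WILDCARD when absent."""
    m = re.fullmatch(r"\[([^\]]+)\](?::(\d+))?", entry)   # [v6] or [v6]:port
    if m:
        addr, port = m.group(1), m.group(2)
    elif entry.isdigit():                                 # bare port number
        addr, port = WILDCARD, entry
    elif entry.count(":") == 1:                           # v4addr:port
        addr, port = entry.split(":")
    elif ":" in entry:                                    # unbracketed IPv6
        raise ValueError(f"IPv6 address must be in square brackets: {entry!r}")
    else:                                                 # bare address
        addr, port = entry, None
    if addr != WILDCARD:
        ipaddress.ip_address(addr)          # raises ValueError if not an IP
    if port is None:
        if default_port is None:
            raise ValueError(f"no port in {entry!r} and no default port")
        port = default_port
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range in {entry!r}")
    return addr, port


def parse_listen(relation, value, fallback_port=None):
    """Return the list of (address, port) pairs a daemon would bind.

    An empty string yields [] (no listeners), which is how kdc_tcp_listen is
    disabled.  fallback_port stands in for the companion *_port relation
    (kadmind_port, kpasswd_port, iprop_port) and takes precedence over the
    standard port when given.
    """
    default_port = fallback_port if fallback_port is not None \
        else DEFAULT_PORTS[relation]
    entries = [e for e in re.split(r"[\s,]+", value.strip()) if e]
    return [_parse_entry(e, default_port) for e in entries]


def is_valid_listen(relation, value, fallback_port=None):
    """True if the value would let the daemon start, False if it would not."""
    try:
        parse_listen(relation, value, fallback_port)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed values: bind UDP on one interface, an IPv6 loopback port
    # and the wildcard address on the standard port.
    print(parse_listen("kdc_listen", "10.0.0.5 [::1]:750, 88"))
```

       Restricting kdc_listen and kadmind_listen to specific interface
       addresses, rather than the wildcard default, is a common way to keep
       the admin and propagation services off untrusted networks; the parser
       makes the resulting bindings explicit before the daemon is restarted.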

       kpasswd_port
              (Port number.)  Specifies the port on which the kadmind(8)
              daemon is to listen for password change requests for this
              realm.  Port numbers specified in kpasswd_listen entries will
              override this port number.  The assigned port for password
              change requests is 464, which is used by default.

       master_key_name
              (String.)  Specifies the name of the principal associated with
              the master key.  The default is K/M.

       master_key_type
              (Key type string.)  Specifies the master key's key type.  The
              default value for this is aes256-cts-hmac-sha1-96.  For a list
              of all possible values, see Encryption types.

       max_life
              (duration string.)  Specifies the maximum time period for which
              a ticket may be valid in this realm.  The default value is 24
              hours.

       max_renewable_life
              (duration string.)  Specifies the maximum time period during
              which a valid ticket may be renewed in this realm.  The default
              value is 0.

       no_host_referral
              (Whitespace- or comma-separated list.)  Lists services to block
              from getting host-based referral processing, even if the client
              marks the server principal as host-based or the service is also
              listed in host_based_services.  no_host_referral = * will
              disable referral processing altogether.

       reject_bad_transit
              (Boolean value.)  If set to true, the KDC will check the list of
              transited realms for cross-realm tickets against the transit
              path computed from the realm names and the capaths section of
              its krb5.conf(5) file; if the path in the ticket to be issued
              contains any realms not in the computed path, the ticket will
              not be issued, and an error will be returned to the client
              instead.  If this value is set to false, such tickets will be
              issued anyway, and it will be left up to the application server
              to validate the realm transit path.

              If the disable-transited-check flag is set in the incoming
              request, this check is not performed at all.  Having the
              reject_bad_transit option will cause such ticket requests to be
              rejected always.

              This transit path checking and config file option currently
              apply only to TGS requests.

              The default value is true.

       restrict_anonymous_to_tgt
              (Boolean value.)  If set to true, the KDC will reject ticket
              requests from anonymous principals to service principals other
              than the realm's ticket-granting service.  This option allows
              anonymous PKINIT to be enabled for use as FAST armor tickets
              without allowing anonymous authentication to services.  The
              default value is false.  New in release 1.9.

       spake_preauth_indicator
              (String.)  Specifies an authentication indicator value that the
              KDC asserts into tickets obtained using SPAKE
              pre-authentication.  The default is not to add any indicators.
              This option may be specified multiple times.  New in release
              1.17.

       supported_enctypes
              (List of key:salt strings.)  Specifies the default key/salt
              combinations of principals for this realm.  Any principals
              created through kadmin(1) will have keys of these types.  The
              default value for this tag is aes256-cts-hmac-sha1-96:normal
              aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal
              arcfour-hmac-md5:normal.  For lists of possible values, see
              Keysalt lists.

   [dbdefaults]
       The [dbdefaults] section specifies default values for some database
       parameters, to be used if the [dbmodules] subsection does not contain a
       relation for the tag.  See the [dbmodules] section for the definitions
       of these relations.

       · ldap_kerberos_container_dn

       · ldap_kdc_dn

       · ldap_kdc_sasl_authcid

       · ldap_kdc_sasl_authzid

       · ldap_kdc_sasl_mech

       · ldap_kdc_sasl_realm

       · ldap_kadmind_dn

       · ldap_kadmind_sasl_authcid

       · ldap_kadmind_sasl_authzid

       · ldap_kadmind_sasl_mech

       · ldap_kadmind_sasl_realm

       · ldap_service_password_file

       · ldap_servers

       · ldap_conns_per_server

   [dbmodules]
       The [dbmodules] section contains parameters used by the KDC database
       library and database modules.  Each tag in the [dbmodules] section is
       the name of a Kerberos realm or a section name specified by a realm's
       database_module parameter.  The following example shows how to define
       one database parameter for the ATHENA.MIT.EDU realm:

          [dbmodules]
              ATHENA.MIT.EDU = {
                  disable_last_success = true
              }

       The following tags may be specified in a [dbmodules] subsection:

       database_name
              This DB2-specific tag indicates the location of the database in
              the filesystem.  The default is /var/kerberos/krb5kdc/principal.

       db_library
              This tag indicates the name of the loadable database module.
              The value should be db2 for the DB2 module, klmdb for the LMDB
              module, or kldap for the LDAP module.

       disable_last_success
              If set to true, suppresses KDC updates to the "Last successful
              authentication" field of principal entries requiring
              preauthentication.  Setting this flag may improve performance.
              (Principal entries which do not require preauthentication never
              update the "Last successful authentication" field.)  First
              introduced in release 1.9.

       disable_lockout
              If set to true, suppresses KDC updates to the "Last failed
              authentication" and "Failed password attempts" fields of
              principal entries requiring preauthentication.  Setting this
              flag may improve performance, but also disables account
              lockout.  First introduced in release 1.9.

       ldap_conns_per_server
              This LDAP-specific tag indicates the number of connections to be
              maintained per LDAP server.

       ldap_kdc_dn and ldap_kadmind_dn
              These LDAP-specific tags indicate the default DN for binding to
              the LDAP server.  The krb5kdc(8) daemon uses ldap_kdc_dn, while
              the kadmind(8) daemon and other administrative programs use
              ldap_kadmind_dn.  The kadmind DN must have the rights to read
              and write the Kerberos data in the LDAP database.  The KDC DN
              must have the same rights, unless disable_lockout and
              disable_last_success are true, in which case it only needs to
              have rights to read the Kerberos data.  These tags are ignored
              if a SASL mechanism is set with ldap_kdc_sasl_mech or
              ldap_kadmind_sasl_mech.

       ldap_kdc_sasl_mech and ldap_kadmind_sasl_mech
              These LDAP-specific tags specify the SASL mechanism (such as
              EXTERNAL) to use when binding to the LDAP server.  New in
              release 1.13.

       ldap_kdc_sasl_authcid and ldap_kadmind_sasl_authcid
              These LDAP-specific tags specify the SASL authentication
              identity to use when binding to the LDAP server.  Not all SASL
              mechanisms require an authentication identity.  If the SASL
              mechanism requires a secret (such as the password for
              DIGEST-MD5), these tags also determine the name within the
              ldap_service_password_file where the secret is stashed.  New in
              release 1.13.

       ldap_kdc_sasl_authzid and ldap_kadmind_sasl_authzid
              These LDAP-specific tags specify the SASL authorization identity
              to use when binding to the LDAP server.  In most circumstances
              they do not need to be specified.  New in release 1.13.

       ldap_kdc_sasl_realm and ldap_kadmind_sasl_realm
              These LDAP-specific tags specify the SASL realm to use when
              binding to the LDAP server.  In most circumstances they do not
              need to be set.  New in release 1.13.

       ldap_kerberos_container_dn
              This LDAP-specific tag indicates the DN of the container object
              where the realm objects will be located.

       ldap_servers
              This LDAP-specific tag indicates the list of LDAP servers that
              the Kerberos servers can connect to.  The list of LDAP servers
              is whitespace-separated.  Each LDAP server is specified by an
              LDAP URI.  It is recommended to use ldapi: or ldaps: URLs to
              connect to the LDAP server.

       ldap_service_password_file
              This LDAP-specific tag indicates the file containing the stashed
              passwords (created by kdb5_ldap_util stashsrvpw) for the
              ldap_kdc_dn and ldap_kadmind_dn objects, or for the
              ldap_kdc_sasl_authcid or ldap_kadmind_sasl_authcid names for
              SASL authentication.  This file must be kept secure.

       mapsize
              This LMDB-specific tag indicates the maximum size of the two
              database environments in megabytes.  The default value is 128.
              Increase this value to address "Environment mapsize limit
              reached" errors.  New in release 1.17.

       max_readers
              This LMDB-specific tag indicates the maximum number of
              concurrent reading processes for the databases.  The default
              value is 128.  New in release 1.17.

       nosync This LMDB-specific tag can be set to improve the throughput of
              kadmind and other administrative agents, at the expense of
              durability (recent database changes may not survive a power
              outage or other sudden reboot).  It does not affect the
              throughput of the KDC.  The default value is false.  New in
              release 1.17.

       unlockiter
              If set to true, this DB2-specific tag causes iteration
              operations to release the database lock while processing each
              principal.  Setting this flag to true can prevent extended
              blocking of KDC or kadmin operations when dumps of large
              databases are in progress.  First introduced in release 1.13.

       The following tag may be specified directly in the [dbmodules] section
       to control where database modules are loaded from:

       db_module_dir
              This tag controls where the plugin system looks for database
              modules.  The value should be an absolute path.

   [logging]
       The [logging] section indicates how krb5kdc(8) and kadmind(8) perform
       logging.  It may contain the following relations:

       admin_server
              Specifies how kadmind(8) performs logging.

       kdc    Specifies how krb5kdc(8) performs logging.

       default
              Specifies how either daemon performs logging in the absence of
              relations specific to the daemon.

       debug  (Boolean value.)  Specifies whether debugging messages are
              included in log outputs other than SYSLOG.  Debugging messages
              are always included in the system log output because syslog
              performs its own priority filtering.  The default value is
              false.  New in release 1.15.

       Logging specifications may have the following forms:

       FILE=filename or FILE:filename
              This value causes the daemon's logging messages to go to the
              filename.  If the = form is used, the file is overwritten.  If
              the : form is used, the file is appended to.

       STDERR This value causes the daemon's logging messages to go to its
              standard error stream.

       CONSOLE
              This value causes the daemon's logging messages to go to the
              console, if the system supports it.

       DEVICE=<devicename>
              This causes the daemon's logging messages to go to the specified
              device.

       SYSLOG[:severity[:facility]]
              This causes the daemon's logging messages to go to the system
              log.

              For backward compatibility, a severity argument may be
              specified, and must be specified in order to specify a
              facility.  This argument will be ignored.

              The facility argument specifies the facility under which the
              messages are logged.  This may be any of the following
              facilities supported by the syslog(3) call minus the LOG_
              prefix: KERN, USER, MAIL, DAEMON, AUTH, LPR, NEWS, UUCP, CRON,
              and LOCAL0 through LOCAL7.  If no facility is specified, the
              default is AUTH.

       In the following example, the logging messages from the KDC will go to
       the console and to the system log under the facility LOG_DAEMON with
       default severity of LOG_INFO; and the logging messages from the
       administrative server will be appended to the file /var/adm/kadmin.log
       and sent to the device /dev/tty04.

          [logging]
              kdc = CONSOLE
              kdc = SYSLOG:INFO:DAEMON
              admin_server = FILE:/var/adm/kadmin.log
              admin_server = DEVICE=/dev/tty04
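
       The forms above differ in small ways that matter for audit trails:
       FILE= truncates the log on every restart while FILE: appends, the
       SYSLOG severity is parsed only for backward compatibility, and a
       daemon without its own relation falls back to default.  The following
       is an added example, not code from MIT krb5, that parses each logging
       specification and resolves per-daemon targets the way the section
       describes.  The function names and the dict layout are this example's
       own; the sample section is constructed from the man page's example.

```python
"""Parse [logging] specifications from kdc.conf and resolve which targets
each daemon would log to.  Added example; not code from MIT krb5."""

import re

# Facilities the man page lists for SYSLOG, minus the LOG_ prefix.
SYSLOG_FACILITIES = {"KERN", "USER", "MAIL", "DAEMON", "AUTH", "LPR", "NEWS",
                     "UUCP", "CRON"} | {f"LOCAL{i}" for i in range(8)}


def parse_log_spec(spec):
    """Return a dict describing one logging target.

    FILE=path truncates, FILE:path appends; SYSLOG takes an optional
    severity (kept only for inspection, since the KDC ignores it) and an
    optional facility (default AUTH).  Unknown forms raise ValueError.
    """
    spec = spec.strip()
    if spec.startswith("FILE=") or spec.startswith("FILE:"):
        return {"sink": "file", "path": spec[5:], "append": spec[4] == ":"}
    if spec == "STDERR":
        return {"sink": "stderr"}
    if spec == "CONSOLE":
        return {"sink": "console"}
    if spec.startswith("DEVICE="):
        return {"sink": "device", "path": spec[7:]}
    # A facility can only follow a severity, so "SYSLOG::DAEMON" is rejected.
    m = re.fullmatch(r"SYSLOG(?::([A-Z]+))?(?::([A-Z0-9]+))?", spec)
    if m:
        severity, facility = m.group(1), m.group(2) or "AUTH"
        if facility not in SYSLOG_FACILITIES:
            raise ValueError(f"unknown syslog facility {facility!r} in {spec!r}")
        return {"sink": "syslog", "facility": facility,
                "ignored_severity": severity}
    raise ValueError(f"unrecognised logging specification: {spec!r}")


def resolve_logging(section):
    """Map each daemon to its list of targets from a [logging] section.

    `section` is {relation: [values...]}, since a relation may be repeated
    to add targets.  A daemon with no relation of its own inherits
    'default'; a daemon with its own relation does not also use 'default'.
    """
    default = [parse_log_spec(s) for s in section.get("default", [])]
    resolved = {}
    for daemon in ("kdc", "admin_server"):
        own = section.get(daemon)
        resolved[daemon] = [parse_log_spec(s) for s in own] if own \
            else list(default)
    return resolved


# Constructed section mirroring the man page's example, plus a default.
EXAMPLE_SECTION = {
    "kdc": ["CONSOLE", "SYSLOG:INFO:DAEMON"],
    "admin_server": ["FILE:/var/adm/kadmin.log", "DEVICE=/dev/tty04"],
    "default": ["SYSLOG"],
}

if __name__ == "__main__":
    for daemon, targets in resolve_logging(EXAMPLE_SECTION).items():
        print(daemon, targets)
```

       For a KDC whose logs feed an incident-response pipeline, the append
       form (FILE:) or SYSLOG is the safer choice: the = form discards the
       previous log on every daemon restart.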

   [otp]
       Each subsection of [otp] is the name of an OTP token type.  The tags
       within the subsection define the configuration required to forward a
       One Time Password request to a RADIUS server.

       For each token type, the following tags may be specified:

       server This is the server to send the RADIUS request to.  It can be a
              hostname with optional port, an IP address with optional port,
              or a Unix domain socket address.  The default is
              /var/kerberos/krb5kdc/<name>.socket.

       secret This tag indicates a filename (which may be relative to
              /var/kerberos/krb5kdc) containing the secret used to encrypt the
              RADIUS packets.  The secret should appear in the first line of
              the file by itself; leading and trailing whitespace on the line
              will be removed.  If the value of server is a Unix domain socket
              address, this tag is optional, and an empty secret will be used
              if it is not specified.  Otherwise, this tag is required.

       timeout
              An integer which specifies the time in seconds during which the
              KDC should attempt to contact the RADIUS server.  This tag is
              the total time across all retries and should be less than the
              time which an OTP value remains valid for.  The default is 5
              seconds.

       retries
              This tag specifies the number of retries to make to the RADIUS
              server.  The default is 3 retries (4 tries).

       strip_realm
              If this tag is true, the principal without the realm will be
              passed to the RADIUS server.  Otherwise, the realm will be
              included.  The default value is true.

       indicator
              This tag specifies an authentication indicator to be included in
              the ticket if this token type is used to authenticate.  This
              option may be specified multiple times.  (New in release 1.14.)

       In the following example, requests are sent to a remote server via UDP:

          [otp]
              MyRemoteTokenType = {
                  server = radius.mydomain.com:1812
                  secret = SEmfiajf42$
                  timeout = 15
                  retries = 5
                  strip_realm = true
              }

       An implicit default token type named DEFAULT is defined for when the
       per-principal configuration does not specify a token type.  Its
       configuration is shown below.  You may override this token type to
       something applicable for your situation:

          [otp]
              DEFAULT = {
                  strip_realm = false
              }

       NOTE:
          The following are pkinit-specific options.  These values may be
          specified in [kdcdefaults] as global defaults, or within a
          realm-specific subsection of [realms].  Also note that a
          realm-specific value overrides, does not add to, a generic
          [kdcdefaults] specification.  The search order is:

          1. realm-specific subsection of [realms]:

                 [realms]
                     EXAMPLE.COM = {
                         pkinit_anchors = FILE:/usr/local/example.com.crt
                     }

          2. generic value in the [kdcdefaults] section:

                 [kdcdefaults]
                     pkinit_anchors = DIR:/usr/local/generic_trusted_cas/

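       The search order just given, and the [kdcdefaults]-to-[realms]
       fallback described at the top of the [kdcdefaults] section, both come
       down to one rule: a tag present in the realm subsection replaces the
       generic value entirely.  The following is an added example, not code
       from MIT krb5 and not its profile library: a deliberately small reader
       for the krb5.conf-style syntax used by kdc.conf, plus a lookup that
       applies that precedence.  The function names and the sample fragment
       are this example's own; the sample is constructed from the man page's
       pkinit_anchors example, and the parser handles only the subset of the
       format that example needs.

```python
"""Look up a KDC relation with the precedence kdc.conf documents: a value
in the realm's [realms] subsection overrides (does not add to) a generic
[kdcdefaults] value.  Added example; not MIT krb5's profile library."""

import re


def parse_profile(text):
    """Parse krb5.conf-style text into {section: {tag: [values] | {subtags}}}.

    Supports section headers, top-level relations, one level of
    `tag = { ... }` subsections, repeated tags (collected into lists) and
    '#' comments.  This is enough for the [kdcdefaults]/[realms] layout
    shown in the man page; the real format allows more than this.
    """
    profile, section, sub = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[([^\]]+)\]", line)
        if m:
            section, sub = profile.setdefault(m.group(1), {}), None
            continue
        if section is None:
            raise ValueError(f"relation before any section header: {line!r}")
        if line == "}":
            sub = None
            continue
        m = re.fullmatch(r"(\S+)\s*=\s*\{", line)
        if m:
            sub = section.setdefault(m.group(1), {})
            continue
        tag, value = (part.strip() for part in line.split("=", 1))
        target = sub if sub is not None else section
        target.setdefault(tag, []).append(value)
    return profile


def kdc_relation(profile, realm, tag):
    """Return the value list for `tag` with realm-over-default precedence.

    If the realm subsection defines the tag, only those values are used,
    even when [kdcdefaults] also defines it; otherwise the [kdcdefaults]
    values apply; otherwise the list is empty.
    """
    realm_values = profile.get("realms", {}).get(realm, {}).get(tag)
    if realm_values:
        return list(realm_values)
    return list(profile.get("kdcdefaults", {}).get(tag, []))


# Constructed kdc.conf fragment based on the man page's search-order example.
SAMPLE = """
[kdcdefaults]
    pkinit_anchors = DIR:/usr/local/generic_trusted_cas/

[realms]
    EXAMPLE.COM = {
        pkinit_anchors = FILE:/usr/local/example.com.crt
        pkinit_anchors = FILE:/usr/local/example.com-2.crt   # repeated tag
    }
    OTHER.EXAMPLE = {
        max_renewable_life = 7d 0h 0m 0s
    }
"""

if __name__ == "__main__":
    profile = parse_profile(SAMPLE)
    for realm in ("EXAMPLE.COM", "OTHER.EXAMPLE"):
        print(realm, kdc_relation(profile, realm, "pkinit_anchors"))
```

       Note what the override rule implies for trust anchors: once a realm
       lists its own pkinit_anchors, the generic DIR: anchors are no longer
       consulted for that realm, so a realm-specific entry narrows the set of
       CAs the KDC trusts for client certificates rather than extending it.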
736 For information about the syntax of some of these options, see Specify‐
737 ing PKINIT identity information in krb5.conf(5).
738
739 pkinit_anchors
740 Specifies the location of trusted anchor (root) certificates
741 which the KDC trusts to sign client certificates. This option
742 is required if pkinit is to be supported by the KDC. This
743 option may be specified multiple times.
744
745 pkinit_dh_min_bits
Specifies the minimum number of bits the KDC is willing to
accept for a client's Diffie-Hellman key. The default is 2048.

pkinit_allow_upn
Specifies that the KDC is willing to accept client certificates
with the Microsoft UserPrincipalName (UPN) Subject Alternative
Name (SAN). This means the KDC accepts the binding of the UPN
in the certificate to the Kerberos principal name. The default
value is false.

Without this option, the KDC will only accept certificates with
the id-pkinit-san as defined in RFC 4556. There is currently no
option to disable SAN checking in the KDC.

pkinit_eku_checking
This option specifies what Extended Key Usage (EKU) values the
KDC is willing to accept in client certificates. The values
recognized in the kdc.conf file are:

kpClientAuth
This is the default value and specifies that client
certificates must have the id-pkinit-KPClientAuth EKU as
defined in RFC 4556.

scLogin
If scLogin is specified, client certificates with the
Microsoft Smart Card Login EKU (id-ms-kp-sc-logon) will be
accepted.

none
If none is specified, then client certificates will not
be checked to verify they have an acceptable EKU. The
use of this option is not recommended.

pkinit_identity
Specifies the location of the KDC's X.509 identity information.
This option is required if pkinit is to be supported by the KDC.

pkinit_indicator
Specifies an authentication indicator to include in the ticket
if pkinit is used to authenticate. This option may be specified
multiple times. (New in release 1.14.)

pkinit_pool
Specifies the location of intermediate certificates which may be
used by the KDC to complete the trust chain between a client's
certificate and a trusted anchor. This option may be specified
multiple times.

pkinit_revoke
Specifies the location of Certificate Revocation List (CRL)
information to be used by the KDC when verifying the validity of
client certificates. This option may be specified multiple
times.

pkinit_require_crl_checking
The default certificate verification process will always check
the available revocation information to see if a certificate has
been revoked. If a match is found for the certificate in a CRL,
verification fails. If the certificate being verified is not
listed in a CRL, or there is no CRL present for its issuing CA,
and pkinit_require_crl_checking is false, then verification
succeeds.

However, if pkinit_require_crl_checking is true and there is no
CRL information available for the issuing CA, then verification
fails.

pkinit_require_crl_checking should be set to true if the policy
is such that up-to-date CRLs must be present for every CA.

pkinit_require_freshness
Specifies whether to require clients to include a freshness
token in PKINIT requests. The default value is false. (New in
release 1.17.)

ENCRYPTION TYPES
Any tag in the configuration files which requires a list of encryption
types can be set to some combination of the following strings.
Encryption types marked as "weak" are available for compatibility but
not recommended for use.

┌───────────────────────────┬─────────────────────────────┐
│aes256-cts-hmac-sha1-96    │ AES-256 CTS mode with       │
│aes256-cts aes256-sha1     │ 96-bit SHA-1 HMAC           │
├───────────────────────────┼─────────────────────────────┤
│aes128-cts-hmac-sha1-96    │ AES-128 CTS mode with       │
│aes128-cts aes128-sha1     │ 96-bit SHA-1 HMAC           │
├───────────────────────────┼─────────────────────────────┤
│aes256-cts-hmac-sha384-192 │ AES-256 CTS mode with       │
│aes256-sha2                │ 192-bit SHA-384 HMAC        │
├───────────────────────────┼─────────────────────────────┤
│aes128-cts-hmac-sha256-128 │ AES-128 CTS mode with       │
│aes128-sha2                │ 128-bit SHA-256 HMAC        │
├───────────────────────────┼─────────────────────────────┤
│arcfour-hmac rc4-hmac      │ RC4 with HMAC/MD5           │
│arcfour-hmac-md5           │                             │
├───────────────────────────┼─────────────────────────────┤
│arcfour-hmac-exp           │ Exportable RC4 with         │
│rc4-hmac-exp               │ HMAC/MD5 (weak)             │
│arcfour-hmac-md5-exp       │                             │
├───────────────────────────┼─────────────────────────────┤
│camellia256-cts-cmac       │ Camellia-256 CTS mode with  │
│camellia256-cts            │ CMAC                        │
├───────────────────────────┼─────────────────────────────┤
│camellia128-cts-cmac       │ Camellia-128 CTS mode with  │
│camellia128-cts            │ CMAC                        │
├───────────────────────────┼─────────────────────────────┤
│aes                        │ The AES family:             │
│                           │ aes256-cts-hmac-sha1-96,    │
│                           │ aes128-cts-hmac-sha1-96,    │
│                           │ aes256-cts-hmac-sha384-192, │
│                           │ and                         │
│                           │ aes128-cts-hmac-sha256-128  │
├───────────────────────────┼─────────────────────────────┤
│rc4                        │ The RC4 family: arcfour-hmac│
├───────────────────────────┼─────────────────────────────┤
│camellia                   │ The Camellia family:        │
│                           │ camellia256-cts-cmac and    │
│                           │ camellia128-cts-cmac        │
└───────────────────────────┴─────────────────────────────┘

The string DEFAULT can be used to refer to the default set of types for
the variable in question. Types or families can be removed from the
current list by prefixing them with a minus sign ("-"). Types or
families can be prefixed with a plus sign ("+") for symmetry; it has the
same meaning as just listing the type or family. For example, "DEFAULT
-rc4" would be the default set of encryption types with RC4 types
removed, and "aes128-sha2 DEFAULT" would be the default set of
encryption types with aes128-sha2 moved to the front.

While aes128-cts and aes256-cts are supported for all Kerberos
operations, they are not supported by very old versions of our GSSAPI
implementation (krb5-1.3.1 and earlier). Services running versions of
krb5 without AES support must not be given keys of these encryption
types in the KDC database.

The aes128-sha2 and aes256-sha2 encryption types are new in release
1.15. Services running versions of krb5 without support for these
newer encryption types must not be given keys of these encryption types
in the KDC database.

KEYSALT LISTS
Kerberos keys for users are usually derived from passwords. Kerberos
commands and configuration parameters that affect generation of keys
take lists of enctype-salttype ("keysalt") pairs, known as keysalt
lists. Each keysalt pair is an enctype name followed by a salttype
name, in the format enc:salt. Individual keysalt list members are
separated by comma (",") characters or space characters. For example:

    kadmin -e aes256-cts:normal,aes128-cts:normal

would start up kadmin so that by default it would generate
password-derived keys for the aes256-cts and aes128-cts encryption
types, using a normal salt.

To ensure that people who happen to pick the same password do not have
the same key, Kerberos 5 incorporates more information into the key
using something called a salt. The supported salt types are as
follows:

┌──────────┬────────────────────────────┐
│normal    │ default for Kerberos       │
│          │ Version 5                  │
├──────────┼────────────────────────────┤
│norealm   │ same as the default,       │
│          │ without using realm        │
│          │ information                │
├──────────┼────────────────────────────┤
│onlyrealm │ uses only realm            │
│          │ information as the salt    │
├──────────┼────────────────────────────┤
│special   │ generate a random salt     │
└──────────┴────────────────────────────┘

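The encryption-type list syntax (DEFAULT, the "-" and "+" prefixes, and the family names) and the keysalt list format both reduce to a small amount of parsing and validation. The following Python is an added example, not MIT krb5 code: it resolves a list string against the manual's tables and parses enc:salt pairs, rejecting names that are not in the tables. DEFAULT_SET is a constructed stand-in, since the real DEFAULT depends on which variable is being configured.

```python
"""Resolve enctype-list strings and keysalt lists as kdc.conf(5) describes.

Added example, not MIT krb5 code.  The enctype, family and salt-type tables
are transcribed from the manual; DEFAULT_SET is a constructed stand-in.
"""
import re

# canonical enctype name -> its aliases (from the encryption types table)
ENCTYPES = {
    "aes256-cts-hmac-sha1-96":    ("aes256-cts", "aes256-sha1"),
    "aes128-cts-hmac-sha1-96":    ("aes128-cts", "aes128-sha1"),
    "aes256-cts-hmac-sha384-192": ("aes256-sha2",),
    "aes128-cts-hmac-sha256-128": ("aes128-sha2",),
    "arcfour-hmac":               ("rc4-hmac", "arcfour-hmac-md5"),
    "arcfour-hmac-exp":           ("rc4-hmac-exp", "arcfour-hmac-md5-exp"),
    "camellia256-cts-cmac":       ("camellia256-cts",),
    "camellia128-cts-cmac":       ("camellia128-cts",),
}
WEAK = {"arcfour-hmac-exp"}          # marked "(weak)" in the table
FAMILIES = {
    "aes": ["aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96",
            "aes256-cts-hmac-sha384-192", "aes128-cts-hmac-sha256-128"],
    "rc4": ["arcfour-hmac"],
    "camellia": ["camellia256-cts-cmac", "camellia128-cts-cmac"],
}
SALTTYPES = ("normal", "norealm", "onlyrealm", "special")
DEFAULT_SET = FAMILIES["aes"] + FAMILIES["rc4"]   # constructed, not krb5's real default

_CANON = {alias: canon for canon, aliases in ENCTYPES.items() for alias in aliases}
_CANON.update({canon: canon for canon in ENCTYPES})


def canonical(name):
    """Map any alias from the table to the canonical enctype name."""
    try:
        return _CANON[name.lower()]
    except KeyError:
        raise ValueError(f"unknown encryption type {name!r}") from None


def expand(token):
    """A family name expands to its members; anything else must be an enctype."""
    token = token.lower()
    return list(FAMILIES[token]) if token in FAMILIES else [canonical(token)]


def resolve_enctypes(spec, default=DEFAULT_SET):
    """Apply the DEFAULT, '-' and '+' rules; the result is ordered and duplicate-free."""
    result = []
    for token in spec.split():
        if token.upper() == "DEFAULT":
            members = list(default)
        elif token.startswith("-"):
            # remove a type or a whole family from the list built so far
            for enctype in expand(token[1:]):
                if enctype in result:
                    result.remove(enctype)
            continue
        else:
            members = expand(token[1:] if token.startswith("+") else token)
        for enctype in members:
            if enctype not in result:
                result.append(enctype)
    return result


def weak_types(enctypes):
    """Members of a resolved list that the manual marks as weak."""
    return [e for e in enctypes if e in WEAK]


def parse_keysalts(spec):
    """Parse 'enc:salt' pairs separated by commas or whitespace into
    (canonical enctype, salttype) tuples, rejecting unknown names."""
    pairs = []
    for item in re.split(r"[,\s]+", spec.strip()):
        if not item:
            continue
        enc, sep, salt = item.partition(":")
        if not sep or salt not in SALTTYPES:
            raise ValueError(f"bad keysalt {item!r}: expected enc:salt with a known salttype")
        pairs.append((canonical(enc), salt))
    return pairs


if __name__ == "__main__":
    print(resolve_enctypes("DEFAULT -rc4"))
    print(resolve_enctypes("aes128-sha2 DEFAULT"))
    print(parse_keysalts("aes256-cts:normal,aes128-cts:normal"))
```

Resolving "aes128-sha2 DEFAULT" returns aes128-cts-hmac-sha256-128 first and the remaining DEFAULT members after it, and "DEFAULT -rc4" drops the RC4 family, matching the two examples in the text; weak_types() is the check a reviewer of a supported_enctypes or permitted_enctypes setting would run on the resolved list.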
SAMPLE KDC.CONF FILE
Here's an example of a kdc.conf file:

    [kdcdefaults]
        kdc_listen = 88
        kdc_tcp_listen = 88
    [realms]
        ATHENA.MIT.EDU = {
            kadmind_port = 749
            max_life = 12h 0m 0s
            max_renewable_life = 7d 0h 0m 0s
            master_key_type = aes256-cts-hmac-sha1-96
            supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal
            database_module = openldap_ldapconf
        }

    [logging]
        kdc = FILE:/usr/local/var/krb5kdc/kdc.log
        admin_server = FILE:/usr/local/var/krb5kdc/kadmin.log

    [dbdefaults]
        ldap_kerberos_container_dn = cn=krbcontainer,dc=mit,dc=edu

    [dbmodules]
        openldap_ldapconf = {
            db_library = kldap
            disable_last_success = true
            ldap_kdc_dn = "cn=krbadmin,dc=mit,dc=edu"
            # this object needs to have read rights on
            # the realm container and principal subtrees
            ldap_kadmind_dn = "cn=krbadmin,dc=mit,dc=edu"
            # this object needs to have read and write rights on
            # the realm container and principal subtrees
            ldap_service_password_file = /etc/kerberos/service.keyfile
            ldap_servers = ldaps://kerberos.mit.edu
            ldap_conns_per_server = 5
        }

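The PKINIT relations described earlier (pkinit_eku_checking, pkinit_require_crl_checking, pkinit_allow_upn, the Diffie-Hellman minimum pkinit_dh_min_bits, and pkinit_identity) and the sample file above are brought together in the following added Python example, which is not part of MIT krb5: a small parser for the profile format the sample uses, and a check that reports, per realm, the PKINIT settings that fall below the documented defaults and advice. The configuration it reads is constructed (realm names, paths and DNs are placeholders); the treatment of a repeated tag (first occurrence wins for a single-valued lookup) is an assumption about the profile library.

```python
"""Parse a kdc.conf-style profile and audit each realm's PKINIT relations.

Added example, not part of MIT krb5.  Assumes the profile format of
krb5.conf(5): [section] headers, `tag = value` relations, `tag = {` ... `}`
subsections and `#`/`;` comment lines.  Relations are stored as lists
because a tag may be repeated (e.g. pkinit_indicator); subsections are
nested dicts.
"""


def parse_profile(text):
    """Return {section: {tag: [values...] or subsection-dict}}."""
    root = {}
    stack = []          # enclosing dicts; stack[-1] receives new relations
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [root.setdefault(line[1:-1], {})]
            continue
        if not stack:
            raise ValueError(f"relation before any section: {line!r}")
        if line == "}":
            if len(stack) == 1:
                raise ValueError("'}' without an open subsection")
            stack.pop()
            continue
        tag, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed relation: {line!r}")
        tag, value = tag.strip(), value.strip()
        if value == "{":
            sub = {}
            stack[-1][tag] = sub
            stack.append(sub)
        else:
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]          # quoted value, as in ldap_kdc_dn
            stack[-1].setdefault(tag, []).append(value)
    if len(stack) > 1:
        raise ValueError("unterminated subsection")
    return root


def parse_bool(value):
    """Spellings the krb5 profile library accepts for boolean relations."""
    v = value.strip().lower()
    if v in ("y", "yes", "true", "t", "1", "on"):
        return True
    if v in ("n", "no", "false", "nil", "0", "off"):
        return False
    raise ValueError(f"not a boolean: {value!r}")


def first(realm, tag, default):
    """Single-valued lookup: first occurrence of a repeated tag (assumption)."""
    values = realm.get(tag)
    return values[0] if isinstance(values, list) and values else default


def audit_pkinit(realm):
    """Map each PKINIT tag whose effective value weakens verification,
    relative to the manual's defaults and advice, to a short explanation."""
    findings = {}
    if "pkinit_identity" not in realm:
        findings["pkinit_identity"] = "not set, so PKINIT cannot be supported for this realm"
        return findings
    if first(realm, "pkinit_eku_checking", "kpClientAuth").lower() == "none":
        findings["pkinit_eku_checking"] = "none: client certificate EKUs are not checked (not recommended)"
    if not parse_bool(first(realm, "pkinit_require_crl_checking", "false")):
        findings["pkinit_require_crl_checking"] = "false: a certificate whose issuing CA has no CRL present still verifies"
    try:
        bits = int(first(realm, "pkinit_dh_min_bits", "2048"))
    except ValueError:
        bits = 0
    if bits < 2048:
        findings["pkinit_dh_min_bits"] = f"{bits}: below the 2048-bit default"
    if parse_bool(first(realm, "pkinit_allow_upn", "false")):
        findings["pkinit_allow_upn"] = "true: UPN SAN bindings are accepted as well as id-pkinit-san"
    return findings


# Constructed sample modelled on the manual's example; names and paths are placeholders.
SAMPLE_KDC_CONF = """
[kdcdefaults]
    kdc_listen = 88
    kdc_tcp_listen = 88

[realms]
    EXAMPLE.COM = {
        kadmind_port = 749
        max_life = 12h 0m 0s
        master_key_type = aes256-cts-hmac-sha1-96
        database_module = openldap_ldapconf
        pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.crt,/var/kerberos/krb5kdc/kdc.key
        pkinit_eku_checking = none
        pkinit_require_crl_checking = no
        pkinit_dh_min_bits = 1024
        pkinit_indicator = pkinit
        pkinit_indicator = smartcard
    }
    OTHER.EXAMPLE = {
        max_life = 8h 0m 0s
    }

[dbmodules]
    openldap_ldapconf = {
        db_library = kldap
        # this object needs read rights on the realm container
        ldap_kdc_dn = "cn=krbadmin,dc=example,dc=com"
    }
"""

if __name__ == "__main__":
    profile = parse_profile(SAMPLE_KDC_CONF)
    for realm, stanza in profile["realms"].items():
        for tag, why in audit_pkinit(stanza).items():
            print(f"{realm}: {tag} {why}")
```

Run against the constructed file, EXAMPLE.COM is reported for pkinit_eku_checking, pkinit_require_crl_checking and pkinit_dh_min_bits, while OTHER.EXAMPLE is reported only for the missing pkinit_identity. Because the KDC merges krb5.conf and kdc.conf into one profile, a real audit would parse both files and check the merged realm stanza.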
FILES
/var/kerberos/krb5kdc/kdc.conf

SEE ALSO
krb5.conf(5), krb5kdc(8), kadm5.acl(5)

AUTHOR
MIT

COPYRIGHT
1985-2019, MIT

1.17                                                           KDC.CONF(5)