1KRB5.CONF(5)                     MIT Kerberos                     KRB5.CONF(5)
2
3
4

NAME

6       krb5.conf - Kerberos configuration file
7
8       The krb5.conf file contains Kerberos configuration information, includ‐
9       ing the locations of KDCs and admin servers for the Kerberos realms  of
10       interest, defaults for the current realm and for Kerberos applications,
11       and mappings of hostnames onto Kerberos realms.  Normally,  you  should
12       install  your  krb5.conf  file in the directory /etc.  You can override
13       the default location by setting the environment  variable  KRB5_CONFIG.
14       Multiple colon-separated filenames may be specified in KRB5_CONFIG; all
15       files which are present will be read.  Starting in release 1.14, direc‐
16       tory  names  can also be specified in KRB5_CONFIG; all files within the
17       directory  whose  names  consist  solely  of  alphanumeric  characters,
18       dashes, or underscores will be read.
19

STRUCTURE

21       The krb5.conf file is set up in the style of a Windows INI file.  Lines
22       beginning with '#' or  ';'  (possibly  after  initial  whitespace)  are
23       ignored  as  comments.   Sections  are  headed  by the section name, in
24       square brackets.  Each section may contain zero or more  relations,  of
25       the form:
26
27          foo = bar
28
29       or:
30
31          fubar = {
32              foo = bar
33              baz = quux
34          }
35
36       Placing  a  '*'  after  the closing bracket of a section name indicates
37       that the section is final, meaning that if  the  same  section  appears
38       within  a  later  file specified in KRB5_CONFIG, it will be ignored.  A
39       subsection can be marked as final by placing a '*' after either the tag
40       name or the closing brace.
41
42       The  krb5.conf file can include other files using either of the follow‐
43       ing directives at the beginning of a line:
44
45          include FILENAME
46          includedir DIRNAME
47
48       FILENAME or DIRNAME should be an  absolute  path.  The  named  file  or
49       directory  must  exist and be readable.  Including a directory includes
50       all files within the directory whose names consist solely  of  alphanu‐
51       meric  characters,  dashes,  or underscores.  Starting in release 1.15,
52       files with names ending in ".conf" are also included, unless  the  name
53       begins  with ".".  Included profile files are syntactically independent
54       of their parents, so each included  file  must  begin  with  a  section
55       header.   Starting  in  release  1.17,  files  are read in alphanumeric
56       order; in previous releases, they may be read in any order.
57
58       The krb5.conf file can specify that configuration  should  be  obtained
59       from  a loadable module, rather than the file itself, using the follow‐
60       ing directive at the beginning of a line before any section headers:
61
62          module MODULEPATH:RESIDUAL
63
64       MODULEPATH may be relative to the library path of  the  krb5  installa‐
65       tion,  or it may be an absolute path.  RESIDUAL is provided to the mod‐
66       ule at initialization time.  If  krb5.conf  uses  a  module  directive,
67       kdc.conf(5) should also use one if it exists.
68

SECTIONS

70       The krb5.conf file may contain the following sections:
71
72                    ┌───────────────┬────────────────────────────┐
73[libdefaults]  │ Settings  used by the Ker‐ │
74                    │               │ beros V5 library           │
75                    ├───────────────┼────────────────────────────┤
76[realms]       │ Realm-specific     contact │
77                    │               │ information and settings   │
78                    ├───────────────┼────────────────────────────┤
79[domain_realm] │ Maps  server  hostnames to │
80                    │               │ Kerberos realms            │
81                    ├───────────────┼────────────────────────────┤
82[capaths]      │ Authentication  paths  for │
83                    │               │ non-hierarchical           │
84                    │               │ cross-realm                │
85                    ├───────────────┼────────────────────────────┤
86[appdefaults]  │ Settings used by some Ker‐ │
87                    │               │ beros V5 applications      │
88                    ├───────────────┼────────────────────────────┤
89[plugins]      │ Controls   plugin   module │
90                    │               │ registration               │
91                    └───────────────┴────────────────────────────┘
92
93       Additionally, krb5.conf may include any of the relations  described  in
94       kdc.conf(5), but it is not a recommended practice.
95
96   [libdefaults]
97       The libdefaults section may contain any of the following relations:
98
99       allow_weak_crypto
100              If  this  flag  is  set to false, then weak encryption types (as
101              noted in Encryption_types in kdc.conf(5)) will be  filtered  out
102              of  the  lists  default_tgs_enctypes,  default_tkt_enctypes, and
103              permitted_enctypes.  The default value for this tag is false.
104
105       canonicalize
106              If this flag is set to true, initial ticket requests to the  KDC
107              will  request canonicalization of the client principal name, and
108              answers with different  client  principals  than  the  requested
109              principal will be accepted.  The default value is false.
110
111       ccache_type
112              This  parameter  determines the format of credential cache types
113              created by kinit(1) or other programs.  The default value is  4,
114              which represents the most current format.  Smaller values can be
115              used for compatibility with very old implementations of Kerberos
116              which interact with credential caches on the same host.
117
118       clockskew
119              Sets  the  maximum allowable amount of clockskew in seconds that
120              the library will tolerate before assuming that a  Kerberos  mes‐
121              sage is invalid.  The default value is 300 seconds, or five min‐
122              utes.
123
124              The clockskew setting is also used when evaluating ticket  start
125              and  expiration  times.   For example, tickets that have reached
126              their expiration time can still be used (and renewed if they are
127              renewable tickets) if they have been expired for a shorter dura‐
128              tion than the clockskew setting.
129
130       default_ccache_name
131              This relation specifies  the  name  of  the  default  credential
132              cache.   The  default is FILE:/tmp/krb5cc_%{uid}.  This relation
133              is subject to parameter expansion (see below).  New  in  release
134              1.11.
135
136       default_client_keytab_name
137              This  relation  specifies  the  name  of  the default keytab for
138              obtaining client credentials.   The  default  is  FILE:/var/ker‐
139              beros/krb5/user/%{euid}/client.keytab.  This relation is subject
140              to parameter expansion (see below).  New in release 1.11.
141
142       default_keytab_name
143              This relation specifies the default keytab name to  be  used  by
144              application    servers   such   as   sshd.    The   default   is
145              FILE:/etc/krb5.keytab.  This relation is  subject  to  parameter
146              expansion (see below).
147
148       default_rcache_name
149              This  relation  specifies  the name of the default replay cache.
150              The default is dfl:.  This  relation  is  subject  to  parameter
151              expansion (see below).  New in release 1.18.
152
153       default_realm
154              Identifies  the  default Kerberos realm for the client.  Set its
155              value to your Kerberos realm.  If this value is not set, then  a
156              realm  must  be  specified  with  every  Kerberos principal when
157              invoking programs such as kinit(1).
158
159       default_tgs_enctypes
160              Identifies the supported list of session  key  encryption  types
161              that  the  client should request when making a TGS-REQ, in order
162              of preference from highest to lowest.  The list may be delimited
163              with  commas or whitespace.  See Encryption_types in kdc.conf(5)
164              for a list of the accepted values for  this  tag.   Starting  in
165              release  1.18,  the default value is the value of permitted_enc‐
166              types.  For previous releases or if  permitted_enctypes  is  not
167              set,    the    default    value    is    aes256-cts-hmac-sha1-96
168              aes128-cts-hmac-sha1-96               aes256-cts-hmac-sha384-192
169              aes128-cts-hmac-sha256-128 arcfour-hmac-md5 camellia256-cts-cmac
170              camellia128-cts-cmac.
171
172              Do not set this unless required for specific  backward  compati‐
173              bility  purposes;  stale  values  of  this  setting  can prevent
174              clients from taking advantage of new stronger enctypes when  the
175              libraries are upgraded.
176
177       default_tkt_enctypes
178              Identifies  the  supported  list of session key encryption types
179              that the client should request when making an AS-REQ,  in  order
180              of preference from highest to lowest.  The format is the same as
181              for default_tgs_enctypes.  Starting in release 1.18, the default
182              value is the value of permitted_enctypes.  For previous releases
183              or if permitted_enctypes  is  not  set,  the  default  value  is
184              aes256-cts-hmac-sha1-96                  aes128-cts-hmac-sha1-96
185              aes256-cts-hmac-sha384-192    aes128-cts-hmac-sha256-128    arc‐
186              four-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac.
187
188              Do  not  set this unless required for specific backward compati‐
189              bility purposes;  stale  values  of  this  setting  can  prevent
190              clients  from taking advantage of new stronger enctypes when the
191              libraries are upgraded.
192
193       dns_canonicalize_hostname
194              Indicate whether name lookups will be used to canonicalize host‐
195              names  for use in service principal names.  Setting this flag to
196              false can improve security by  reducing  reliance  on  DNS,  but
197              means   that  short  hostnames  will  not  be  canonicalized  to
198              fully-qualified hostnames.  The default value is true.
199
200              If this option is set to fallback (new  in  release  1.18),  DNS
201              canonicalization  will  only be performed the server hostname is
202              not found with the original name when requesting credentials.
203
204       dns_lookup_kdc
205              Indicate whether DNS SRV records should be used  to  locate  the
206              KDCs  and  other  servers for a realm, if they are not listed in
207              the  krb5.conf  information  for  the  realm.   (Note  that  the
208              admin_server entry must be in the krb5.conf realm information in
209              order to contact kadmind, because  the  DNS  implementation  for
210              kadmin is incomplete.)
211
212              Enabling  this  option  does open up a type of denial-of-service
213              attack, if someone spoofs the DNS records and redirects  you  to
214              another  server.   However,  it's no worse than a denial of ser‐
215              vice, because that fake KDC will be unable  to  decode  anything
216              you  send  it  (besides the initial ticket request, which has no
217              encrypted data), and anything the fake KDC  sends  will  not  be
218              trusted  without  verification  using  some secret that it won't
219              know.
220
221       dns_uri_lookup
222              Indicate whether DNS URI records should be used  to  locate  the
223              KDCs  and  other  servers for a realm, if they are not listed in
224              the krb5.conf information for the realm.  SRV records  are  used
225              as  a  fallback if no URI records were found.  The default value
226              is true.  New in release 1.15.
227
228       enforce_ok_as_delegate
229              If this flag to true, GSSAPI credential delegation will be  dis‐
230              abled  when  the  ok-as-delegate  flag is not set in the service
231              ticket.  If this flag is false, the ok-as-delegate  ticket  flag
232              is  only  enforced  when  an  application  specifically requests
233              enforcement.  The default value is false.
234
235       err_fmt
236              This relation allows for custom error message formatting.  If  a
237              value is set, error messages will be formatted by substituting a
238              normal error message for %M and an error  code  for  %C  in  the
239              value.
240
241       extra_addresses
242              This allows a computer to use multiple local addresses, in order
243              to allow Kerberos to work in a  network  that  uses  NATs  while
244              still using address-restricted tickets.  The addresses should be
245              in a comma-separated list.  This option has no effect  if  noad‐
246              dresses is true.
247
248       forwardable
249              If  this  flag  is  true, initial tickets will be forwardable by
250              default, if allowed by the KDC.  The default value is false.
251
252       ignore_acceptor_hostname
253              When accepting GSSAPI or krb5 security contexts  for  host-based
254              service  principals,  ignore  any hostname passed by the calling
255              application, and allow clients to authenticate  to  any  service
256              principal in the keytab matching the service name and realm name
257              (if given).  This option can improve the  administrative  flexi‐
258              bility  of  server  applications  on multihomed hosts, but could
259              compromise the security of virtual  hosting  environments.   The
260              default value is false.  New in release 1.10.
261
262       k5login_authoritative
263              If  this  flag  is  true,  principals  must be listed in a local
264              user's k5login file to be granted login access, if a .k5login(5)
265              file  exists.   If  this flag is false, a principal may still be
266              granted login access through other mechanisms even if a  k5login
267              file  exists but does not list the principal.  The default value
268              is true.
269
270       k5login_directory
271              If set, the library will look for a local  user's  k5login  file
272              within the named directory, with a filename corresponding to the
273              local username.  If not set, the library will look  for  k5login
274              files  in the user's home directory, with the filename .k5login.
275              For security reasons, .k5login files must be owned by the  local
276              user or by root.
277
278       kcm_mach_service
279              On macOS only, determines the name of the bootstrap service used
280              to contact the KCM daemon for the KCM credential cache type.  If
281              the  value  is  -,  Mach RPC will not be used to contact the KCM
282              daemon.  The default value is org.h5l.kcm.
283
284       kcm_socket
285              Determines the path to the Unix domain socket used to access the
286              KCM  daemon  for the KCM credential cache type.  If the value is
287              -, Unix domain sockets will not be used to contact the KCM  dae‐
288              mon.  The default value is /var/run/.heim_org.h5l.kcm-socket.
289
290       kdc_default_options
291              Default  KDC options (Xored for multiple values) when requesting
292              initial  tickets.   By  default  it   is   set   to   0x00000010
293              (KDC_OPT_RENEWABLE_OK).
294
295       kdc_timesync
296              Accepted values for this relation are 1 or 0.  If it is nonzero,
297              client machines will compute the difference between  their  time
298              and  the time returned by the KDC in the timestamps in the tick‐
299              ets and use this value to correct for an inaccurate system clock
300              when  requesting  service tickets or authenticating to services.
301              This corrective factor is only used by the Kerberos library;  it
302              is not used to change the system clock.  The default value is 1.
303
304       noaddresses
305              If  this  flag is true, requests for initial tickets will not be
306              made with address restrictions set, allowing the tickets  to  be
307              used across NATs.  The default value is true.
308
309       permitted_enctypes
310              Identifies  the  encryption  types  that servers will permit for
311              session  keys  and  for  ticket  and  authenticator  encryption,
312              ordered  by  preference  from  highest  to  lowest.  Starting in
313              release 1.18, this tag  also  acts  as  the  default  value  for
314              default_tgs_enctypes   and  default_tkt_enctypes.   The  default
315              value    for     this     tag     is     aes256-cts-hmac-sha1-96
316              aes128-cts-hmac-sha1-96               aes256-cts-hmac-sha384-192
317              aes128-cts-hmac-sha256-128 arcfour-hmac-md5 camellia256-cts-cmac
318              camellia128-cts-cmac.
319
320       plugin_base_dir
321              If  set,  determines  the  base directory where krb5 plugins are
322              located.  The default value is the krb5/plugins subdirectory  of
323              the krb5 library directory.  This relation is subject to parame‐
324              ter expansion (see below) in release 1.17 and later.
325
326       preferred_preauth_types
327              This allows you to set  the  preferred  preauthentication  types
328              which  the client will attempt before others which may be adver‐
329              tised by a KDC.  The default value for this setting is "17,  16,
330              15,  14", which forces libkrb5 to attempt to use PKINIT if it is
331              supported.
332
333       proxiable
334              If this flag is true,  initial  tickets  will  be  proxiable  by
335              default, if allowed by the KDC.  The default value is false.
336
337       qualify_shortname
338              If  this string is set, it determines the domain suffix for sin‐
339              gle-component hostnames when DNS canonicalization  is  not  used
340              (either  because  dns_canonicalize_hostname  is false or because
341              forward canonicalization failed).   The  default  value  is  the
342              first  search domain of the system's DNS configuration.  To dis‐
343              able qualification of shortnames, set this relation to the empty
344              string with qualify_shortname = "".  (New in release 1.18.)
345
346       rdns   If  this flag is true, reverse name lookup will be used in addi‐
347              tion to forward name lookup to canonicalizing hostnames for  use
348              in service principal names.  If dns_canonicalize_hostname is set
349              to false, this flag has no effect.  The default value is true.
350
351       realm_try_domains
352              Indicate whether a host's domain components should  be  used  to
353              determine  the  Kerberos  realm  of the host.  The value of this
354              variable is an integer: -1 means not to search, 0 means  to  try
355              the host's domain itself, 1 means to also try the domain's imme‐
356              diate parent, and so forth.  The library's usual  mechanism  for
357              locating  Kerberos  realms is used to determine whether a domain
358              is  a  valid  realm,  which  may  involve  consulting   DNS   if
359              dns_lookup_kdc is set.  The default is not to search domain com‐
360              ponents.
361
362       renew_lifetime
363              (duration string.)  Sets the default renewable lifetime for ini‐
364              tial ticket requests.  The default value is 0.
365
366       spake_preauth_groups
367              A  whitespace  or  comma-separated list of words which specifies
368              the groups allowed for SPAKE  preauthentication.   The  possible
369              values are:
370
371                        ┌─────────────┬────────────────────────────┐
372                        │edwards25519 │ Edwards25519   curve  (RFC
373                        │             │ 7748)                      │
374                        ├─────────────┼────────────────────────────┤
375                        │P-256        │ NIST  P-256   curve   (RFC
376                        │             │ 5480)                      │
377                        ├─────────────┼────────────────────────────┤
378                        │P-384        │ NIST   P-384   curve  (RFC
379                        │             │ 5480)                      │
380                        ├─────────────┼────────────────────────────┤
381                        │P-521        │ NIST  P-521   curve   (RFC
382                        │             │ 5480)                      │
383                        └─────────────┴────────────────────────────┘
384
385              The  default  value for the client is edwards25519.  The default
386              value for the KDC is empty.  New in release 1.17.
387
388       ticket_lifetime
389              (duration string.)  Sets the default lifetime for initial ticket
390              requests.  The default value is 1 day.
391
392       udp_preference_limit
393              When  sending  a  message to the KDC, the library will try using
394              TCP before UDP if the size of the message is  above  udp_prefer‐
395              ence_limit.    If   the  message  is  smaller  than  udp_prefer‐
396              ence_limit, then UDP will be tried before  TCP.   Regardless  of
397              the  size,  both  protocols  will  be tried if the first attempt
398              fails.
399
400       verify_ap_req_nofail
401              If this flag is true, then an attempt to verify initial  creden‐
402              tials  will  fail  if the client machine does not have a keytab.
403              The default value is false.
404
405   [realms]
406       Each tag in the [realms] section of the file is the name of a  Kerberos
407       realm.  The value of the tag is a subsection with relations that define
408       the properties of that particular realm.  For each realm, the following
409       tags may be specified in the realm's subsection:
410
411       admin_server
412              Identifies  the host where the administration server is running.
413              Typically, this is the master Kerberos server.  This tag must be
414              given a value in order to communicate with the kadmind(8) server
415              for the realm.
416
417       auth_to_local
418              This tag allows you to set a general rule for mapping  principal
419              names  to  local user names.  It will be used if there is not an
420              explicit mapping for the principal name  that  is  being  trans‐
421              lated. The possible values are:
422
423              RULE:exp
424                     The local name will be formulated from exp.
425
426                     The    format   for   exp   is   [n:string](regexp)s/pat‐
427                     tern/replacement/g.  The integer  n  indicates  how  many
428                     components  the  target  principal  should have.  If this
429                     matches, then a string will be formed from  string,  sub‐
430                     stituting  the realm of the principal for $0 and the n'th
431                     component of the principal for $n (e.g., if the principal
432                     was  johndoe/admin  then  [2:$2$1foo] would result in the
433                     string adminjohndoefoo).  If this string matches  regexp,
434                     then the s//[g] substitution command will be run over the
435                     string.  The optional g will cause the substitution to be
436                     global  over  the  string,  instead of replacing only the
437                     first match in the string.
438
439              DEFAULT
440                     The principal name will be used as the local  user  name.
441                     If the principal has more than one component or is not in
442                     the default realm, this rule is not  applicable  and  the
443                     conversion will fail.
444
445              For example:
446
447                 [realms]
448                     ATHENA.MIT.EDU = {
449                         auth_to_local = RULE:[2:$1](johndoe)s/^.*$/guest/
450                         auth_to_local = RULE:[2:$1;$2](^.*;admin$)s/;admin$//
451                         auth_to_local = RULE:[2:$2](^.*;root)s/^.*$/root/
452                         auth_to_local = DEFAULT
453                     }
454
455              would  result in any principal without root or admin as the sec‐
456              ond component to be translated with the default rule.  A princi‐
457              pal  with a second component of admin will become its first com‐
458              ponent.  root will be used as the local name for  any  principal
459              with  a  second  component  of root.  The exception to these two
460              rules are any principals johndoe/*, which will  always  get  the
461              local name guest.
462
463       auth_to_local_names
464              This subsection allows you to set explicit mappings from princi‐
465              pal names to local user names.  The tag is the mapping name, and
466              the value is the corresponding local user name.
467
468       default_domain
469              This  tag  specifies  the  domain  used to expand hostnames when
470              translating Kerberos 4 service principals to Kerberos 5  princi‐
471              pals  (for  example, when converting rcmd.hostname to host/host‐
472              name.domain).
473
474       disable_encrypted_timestamp
475              If this flag is true, the  client  will  not  perform  encrypted
476              timestamp  preauthentication  if  requested by the KDC.  Setting
477              this flag can help  to  prevent  dictionary  attacks  by  active
478              attackers,  if  the realm's KDCs support SPAKE preauthentication
479              or if initial authentication always uses  another  mechanism  or
480              always  uses  FAST.   This flag persists across client referrals
481              during initial authentication.  This flag does not  prevent  the
482              KDC from offering encrypted timestamp.  New in release 1.17.
483
484       http_anchors
485              When  KDCs  and kpasswd servers are accessed through HTTPS prox‐
486              ies, this tag can be used to specify the location of the CA cer‐
487              tificate  which should be trusted to issue the certificate for a
488              proxy server.  If left unspecified, the system-wide default  set
489              of CA certificates is used.
490
491              The  syntax  for  values  is  similar  to that of values for the
492              pkinit_anchors tag:
493
494              FILE: filename
495
496              filename is assumed to be the name of an OpenSSL-style ca-bundle
497              file.
498
499              DIR: dirname
500
501              dirname is assumed to be an directory which contains CA certifi‐
502              cates.  All files in the directory will  be  examined;  if  they
503              contain certificates (in PEM format), they will be used.
504
505              ENV: envvar
506
507              envvar  specifies  the name of an environment variable which has
508              been set to a value conforming to one of  the  previous  values.
509              For   example,  ENV:X509_PROXY_CA,  where  environment  variable
510              X509_PROXY_CA has been set to FILE:/tmp/my_proxy.pem.
511
512       kdc    The name or address of a host running a KDC for that realm.   An
513              optional  port  number,  separated from the hostname by a colon,
514              may be included.  If the name or address  contains  colons  (for
515              example,  if it is an IPv6 address), enclose it in square brack‐
516              ets to distinguish the colon from a port  separator.   For  your
517              computer  to be able to communicate with the KDC for each realm,
518              this tag must be given a value in each realm subsection  in  the
519              configuration  file, or there must be DNS SRV records specifying
520              the KDCs.
521
522       kpasswd_server
523              Points to the server where all the  password  changes  are  per‐
524              formed.   If there is no such entry, DNS will be queried (unless
525              forbidden  by  dns_lookup_kdc).   Finally,  port  464   on   the
526              admin_server host will be tried.
527
528       master_kdc
529              Identifies  the  master  KDC(s).  Currently, this tag is used in
530              only one case: If an attempt to get credentials fails because of
531              an invalid password, the client software will attempt to contact
532              the master KDC, in  case  the  user's  password  has  just  been
533              changed, and the updated database has not been propagated to the
534              replica servers yet.
535
536       v4_instance_convert
537              This subsection allows the administrator to configure exceptions
538              to  the  default_domain  mapping rule.  It contains V4 instances
539              (the tag name) which should be translated to some specific host‐
540              name  (the  tag  value) as the second component in a Kerberos V5
541              principal name.
542
543       v4_realm
544              This relation is used by the krb524 library routines  when  con‐
545              verting  a V5 principal name to a V4 principal name.  It is used
546              when the V4 realm name and the V5 realm name are not  the  same,
547              but  still share the same principal names and passwords. The tag
548              value is the Kerberos V4 realm name.
549
550   [domain_realm]
551       The [domain_realm] section provides a translation from a domain name or
552       hostname  to a Kerberos realm name.  The tag name can be a host name or
553       domain name, where domain names are indicated by a prefix of  a  period
554       (.).   The  value  of  the relation is the Kerberos realm name for that
555       particular host or domain.  A host name  relation  implicitly  provides
556       the  corresponding domain name relation, unless an explicit domain name
557       relation is provided.  The Kerberos realm may be identified  either  in
558       the  realms  section  or  using DNS SRV records.  Host names and domain
559       names should be in lower case.  For example:
560
561          [domain_realm]
562              crash.mit.edu = TEST.ATHENA.MIT.EDU
563              .dev.mit.edu = TEST.ATHENA.MIT.EDU
564              mit.edu = ATHENA.MIT.EDU
565
566       maps the host with the name crash.mit.edu into the  TEST.ATHENA.MIT.EDU
567       realm.   The  second  entry maps all hosts under the domain dev.mit.edu
568       into the TEST.ATHENA.MIT.EDU realm, but not  the  host  with  the  name
569       dev.mit.edu.   That  host is matched by the third entry, which maps the
570       host mit.edu and all hosts under the domain mit.edu that do not match a
571       preceding rule into the realm ATHENA.MIT.EDU.
572
573       If  no translation entry applies to a hostname used for a service prin‐
574       cipal for a service ticket request, the  library  will  try  to  get  a
575       referral to the appropriate realm from the client realm's KDC.  If that
576       does not succeed, the host's realm is considered to be  the  hostname's
577       domain  portion  converted  to  uppercase, unless the realm_try_domains
578       setting in [libdefaults] causes a different parent domain to be used.
579
580   [capaths]
581       In order to perform direct (non-hierarchical)  cross-realm  authentica‐
582       tion,  configuration  is  needed  to determine the authentication paths
583       between realms.
584
585       A client will use this section to find the authentication path  between
586       its  realm  and the realm of the server.  The server will use this sec‐
587       tion to verify the authentication path used by the client, by  checking
588       the transited field of the received ticket.
589
590       There  is  a  tag for each participating client realm, and each tag has
591       subtags for each of the server realms.  The value of the subtags is  an
592       intermediate realm which may participate in the cross-realm authentica‐
593       tion.  The subtags may be repeated if there is more then one intermedi‐
594       ate  realm.   A  value  of  "."  means  that  the two realms share keys
595       directly, and no intermediate realms should be allowed to participate.
596
597       Only those entries which will be needed on the  client  or  the  server
598       need to be present.  A client needs a tag for its local realm with sub‐
599       tags for all the realms of servers it will need to authenticate to.   A
600       server  needs a tag for each realm of the clients it will serve, with a
601       subtag of the server realm.
602
603       For example, ANL.GOV, PNL.GOV, and NERSC.GOV all wish to use the ES.NET
604       realm  as  an  intermediate realm.  ANL has a sub realm of TEST.ANL.GOV
605       which will authenticate with NERSC.GOV but not PNL.GOV.  The  [capaths]
606       section for ANL.GOV systems would look like this:
607
608          [capaths]
609              ANL.GOV = {
610                  TEST.ANL.GOV = .
611                  PNL.GOV = ES.NET
612                  NERSC.GOV = ES.NET
613                  ES.NET = .
614              }
615              TEST.ANL.GOV = {
616                  ANL.GOV = .
617              }
618              PNL.GOV = {
619                  ANL.GOV = ES.NET
620              }
621              NERSC.GOV = {
622                  ANL.GOV = ES.NET
623              }
624              ES.NET = {
625                  ANL.GOV = .
626              }
627
628       The  [capaths] section of the configuration file used on NERSC.GOV sys‐
629       tems would look like this:
630
631          [capaths]
632              NERSC.GOV = {
633                  ANL.GOV = ES.NET
634                  TEST.ANL.GOV = ES.NET
635                  TEST.ANL.GOV = ANL.GOV
636                  PNL.GOV = ES.NET
637                  ES.NET = .
638              }
639              ANL.GOV = {
640                  NERSC.GOV = ES.NET
641              }
642              PNL.GOV = {
643                  NERSC.GOV = ES.NET
644              }
645              ES.NET = {
646                  NERSC.GOV = .
647              }
648              TEST.ANL.GOV = {
649                  NERSC.GOV = ANL.GOV
650                  NERSC.GOV = ES.NET
651              }
652
653       When a subtag is used more than once within a tag, clients will use the
654       order  of  values  to  determine  the path.  The order of values is not
655       important to servers.
656
657   [appdefaults]
658       Each tag in the [appdefaults] section names a Kerberos  V5  application
659       or  an  option  that  is  used by some Kerberos V5 application[s].  The
660       value of the tag defines the default behaviors for that application.
661
662       For example:
663
664          [appdefaults]
665              telnet = {
666                  ATHENA.MIT.EDU = {
667                      option1 = false
668                  }
669              }
670              telnet = {
671                  option1 = true
672                  option2 = true
673              }
674              ATHENA.MIT.EDU = {
675                  option2 = false
676              }
677              option2 = true
678
679       The above four ways of specifying the value of an option are  shown  in
680       order  of  decreasing precedence. In this example, if telnet is running
681       in the realm EXAMPLE.COM, it  should,  by  default,  have  option1  and
682       option2   set  to  true.   However,  a  telnet  program  in  the  realm
683       ATHENA.MIT.EDU should have option1 set to  false  and  option2  set  to
684       true.   Any other programs in ATHENA.MIT.EDU should have option2 set to
685       false by default.  Any programs running in  other  realms  should  have
686       option2 set to true.
687
688       The  list  of  specifiable options for each application may be found in
689       that application's man pages.  The application defaults specified  here
690       are overridden by those specified in the realms section.
691
692   [plugins]
693          · pwqual interface
694
695          · kadm5_hook interface
696
697          · clpreauth and kdcpreauth interfaces
698
699       Tags  in  the  [plugins] section can be used to register dynamic plugin
700       modules and to turn modules on  and  off.   Not  every  krb5  pluggable
701       interface  uses  the [plugins] section; the ones that do are documented
702       here.
703
704       New in release 1.9.
705
706       Each pluggable interface corresponds to a subsection of [plugins].  All
707       subsections support the same tags:
708
709       disable
710              This  tag may have multiple values. If there are values for this
711              tag, then the named modules will be disabled for  the  pluggable
712              interface.
713
714       enable_only
715              This  tag may have multiple values. If there are values for this
716              tag, then only the named modules will be enabled for  the  plug‐
717              gable interface.
718
719       module This  tag  may  have multiple values.  Each value is a string of
720              the form modulename:pathname, which  causes  the  shared  object
721              located  at  pathname to be registered as a dynamic module named
722              modulename for the pluggable interface.  If pathname is  not  an
723              absolute  path,  it  will  be  treated  as relative to the plug‐
724              in_base_dir value from [libdefaults].
725
726       For pluggable interfaces where module order matters, modules registered
727       with  a  module  tag  normally come first, in the order they are regis‐
728       tered, followed by built-in modules in the order  they  are  documented
729       below.   If  enable_only  tags  are  used, then the order of those tags
730       overrides the normal module order.
731
732       The following subsections are currently supported within the  [plugins]
733       section:
734
735   ccselect interface
736       The ccselect subsection controls modules for credential cache selection
737       within a cache collection.  In addition to any registered dynamic  mod‐
738       ules,  the  following  built-in modules exist (and may be disabled with
739       the disable tag):
740
741       k5identity
742              Uses a .k5identity file in the user's home directory to select a
743              client principal
744
745       realm  Uses  the  service  realm to guess an appropriate cache from the
746              collection
747
748       hostname
749              If the service principal is host-based, uses the  service  host‐
750              name to guess an appropriate cache from the collection
751
752   pwqual interface
753       The  pwqual subsection controls modules for the password quality inter‐
754       face, which is  used  to  reject  weak  passwords  when  passwords  are
755       changed.  The following built-in modules exist for this interface:
756
757       dict   Checks against the realm dictionary file
758
759       empty  Rejects empty passwords
760
761       hesiod Checks  against  user information stored in Hesiod (only if Ker‐
762              beros was built with Hesiod support)
763
764       princ  Checks against components of the principal name
765
766   kadm5_hook interface
767       The kadm5_hook interface provides plugins with information on principal
768       creation,  modification, password changes and deletion.  This interface
769       can be used to write a plugin to synchronize MIT Kerberos with  another
770       database  such  as  Active Directory.  No plugins are built in for this
771       interface.
772
773   kadm5_auth interface
774       The kadm5_auth section (introduced in release  1.16)  controls  modules
775       for  the  kadmin  authorization  interface,  which determines whether a
776       client principal is allowed to perform a kadmin operation.  The follow‐
777       ing built-in modules exist for this interface:
778
779       acl    This  module  reads the kadm5.acl(5) file, and authorizes opera‐
780              tions which are allowed according to the rules in the file.
781
782       self   This module authorizes self-service operations  including  pass‐
783              word changes, creation of new random keys, fetching the client's
784              principal record or string attributes, and fetching  the  policy
785              record associated with the client principal.
786
787   clpreauth and kdcpreauth interfaces
788       The clpreauth and kdcpreauth interfaces allow plugin modules to provide
789       client and KDC preauthentication mechanisms.   The  following  built-in
790       modules exist for these interfaces:
791
792       pkinit This module implements the PKINIT preauthentication mechanism.
793
794       encrypted_challenge
795              This module implements the encrypted challenge FAST factor.
796
797       encrypted_timestamp
798              This module implements the encrypted timestamp mechanism.
799
800   hostrealm interface
801       The hostrealm section (introduced in release 1.12) controls modules for
802       the host-to-realm interface, which affects the local mapping  of  host‐
803       names  to  realm  names and the choice of default realm.  The following
804       built-in modules exist for this interface:
805
806       profile
807              This module consults the [domain_realm] section of  the  profile
808              for  authoritative host-to-realm mappings, and the default_realm
809              variable for the default realm.
810
811       dns    This module looks for DNS  records  for  fallback  host-to-realm
812              mappings  and  the  default  realm.   It  only  operates  if the
813              dns_lookup_realm variable is set to true.
814
815       domain This module applies heuristics for fallback  host-to-realm  map‐
816              pings.   It  implements the realm_try_domains variable, and uses
817              the uppercased parent domain of the hostname if  that  does  not
818              produce a result.
819
820   localauth interface
821       The localauth section (introduced in release 1.12) controls modules for
822       the local  authorization  interface,  which  affects  the  relationship
823       between  Kerberos  principals and local system accounts.  The following
824       built-in modules exist for this interface:
825
826       default
827              This module implements the DEFAULT type for  auth_to_local  val‐
828              ues.
829
830       rule   This module implements the RULE type for auth_to_local values.
831
832       names  This  module  looks  for  an auth_to_local_names mapping for the
833              principal name.
834
835       auth_to_local
836              This  module  processes  auth_to_local  values  in  the  default
837              realm's   section,   and   applies  the  default  method  if  no
838              auth_to_local values exist.
839
840       k5login
841              This module authorizes a principal to a local account  according
842              to the account's .k5login(5) file.
843
844       an2ln  This  module  authorizes  a  principal to a local account if the
845              principal name maps to the local account name.
846
847   certauth interface
848       The certauth section (introduced in release 1.16) controls modules  for
849       the  certificate  authorization  interface,  which determines whether a
850       certificate is allowed to preauthenticate a user via PKINIT.  The  fol‐
851       lowing built-in modules exist for this interface:
852
853       pkinit_san
854              This  module  authorizes the certificate if it contains a PKINIT
855              Subject Alternative Name for the requested client principal,  or
856              a  Microsoft  UPN SAN matching the principal if pkinit_allow_upn
857              is set to true for the realm.
858
859       pkinit_eku
860              This module rejects the certificate if it does  not  contain  an
861              Extended    Key    Usage    attribute    consistent   with   the
862              pkinit_eku_checking value for the realm.
863
864       dbmatch
865              This module authorizes or rejects the certificate  according  to
866              whether it matches the pkinit_cert_match string attribute on the
867              client principal, if that attribute is present.
868

PKINIT OPTIONS

870       NOTE:
871          The following are PKINIT-specific  options.   These  values  may  be
872          specified   in   [libdefaults]  as  global  defaults,  or  within  a
873          realm-specific subsection of [libdefaults], or may be  specified  as
874          realm-specific  values  in  the  [realms] section.  A realm-specific
875          value overrides, not adds to, a generic [libdefaults] specification.
876          The search order is:
877
878       1. realm-specific subsection of [libdefaults]:
879
880             [libdefaults]
881                 EXAMPLE.COM = {
882                     pkinit_anchors = FILE:/usr/local/example.com.crt
883                 }
884
885       2. realm-specific value in the [realms] section:
886
887             [realms]
888                 OTHERREALM.ORG = {
889                     pkinit_anchors = FILE:/usr/local/otherrealm.org.crt
890                 }
891
892       3. generic value in the [libdefaults] section:
893
894             [libdefaults]
895                 pkinit_anchors = DIR:/usr/local/generic_trusted_cas/
896
897   Specifying PKINIT identity information
898       The  syntax  for  specifying Public Key identity, trust, and revocation
899       information for PKINIT is as follows:
900
901       FILE:filename[,keyfilename]
902              This option has context-specific behavior.
903
904              In pkinit_identity or pkinit_identities, filename specifies  the
905              name of a PEM-format file containing the user's certificate.  If
906              keyfilename is not specified, the user's private key is expected
907              to  be  in filename as well.  Otherwise, keyfilename is the name
908              of the file containing the private key.
909
910              In pkinit_anchors or pkinit_pool, filename is assumed to be  the
911              name of an OpenSSL-style ca-bundle file.
912
913       DIR:dirname
914              This option has context-specific behavior.
915
916              In  pkinit_identity  or  pkinit_identities,  dirname specifies a
917              directory with files named *.crt and *.key where the first  part
918              of  the  file name is the same for matching pairs of certificate
919              and private key files.  When a file with a name ending with .crt
920              is found, a matching file ending with .key is assumed to contain
921              the private key.  If no such file is found, then the certificate
922              in the .crt is not used.
923
924              In  pkinit_anchors  or  pkinit_pool, dirname is assumed to be an
925              OpenSSL-style hashed CA directory where each CA cert  is  stored
926              in  a  file  named  hash-of-ca-cert.#.   This  infrastructure is
927              encouraged, but all files in the directory will be examined  and
928              if they contain certificates (in PEM format), they will be used.
929
930              In  pkinit_revoke,  dirname  is  assumed  to be an OpenSSL-style
931              hashed CA directory where each revocation list is  stored  in  a
932              file  named  hash-of-ca-cert.r#.  This infrastructure is encour‐
933              aged, but all files in the directory will  be  examined  and  if
934              they  contain  a  revocation  list (in PEM format), they will be
935              used.
936
937       PKCS12:filename
938              filename is the name of a PKCS #12 format file,  containing  the
939              user's certificate and private key.
940
941       PKCS11:[module_name=]modname[:slotid=slot-id][:token=token-label][:cer‐
942       tid=cert-id][:certlabel=cert-label]
943              All keyword/values are optional.  modname specifies the location
944              of  a  library implementing PKCS #11.  If a value is encountered
945              with no keyword, it is assumed to be the modname.   If  no  mod‐
946              ule-name is specified, the default is opensc-pkcs11.so.  slotid=
947              and/or token= may be specified to force the use of a  particular
948              smard  card reader or token if there is more than one available.
949              certid= and/or certlabel= may be specified to force  the  selec‐
950              tion  of  a  particular  certificate  on  the  device.   See the
951              pkinit_cert_match configuration option for more ways to select a
952              particular certificate to use for PKINIT.
953
954       ENV:envvar
955              envvar  specifies  the name of an environment variable which has
956              been set to a value conforming to one of  the  previous  values.
957              For   example,   ENV:X509_PROXY,   where   environment  variable
958              X509_PROXY has been set to FILE:/tmp/my_proxy.pem.
959
960   PKINIT krb5.conf options
961       pkinit_anchors
962              Specifies the location of  trusted  anchor  (root)  certificates
963              which  the  client trusts to sign KDC certificates.  This option
964              may be specified multiple times.  These values from  the  config
965              file are not used if the user specifies X509_anchors on the com‐
966              mand line.
967
968       pkinit_cert_match
969              Specifies matching rules that the client certificate must  match
970              before  it  is used to attempt PKINIT authentication.  If a user
971              has multiple certificates available (on a  smart  card,  or  via
972              other  media),  there  must  be  exactly  one certificate chosen
973              before attempting PKINIT authentication.   This  option  may  be
974              specified  multiple  times.   All the available certificates are
975              checked against each rule in order until there  is  a  match  of
976              exactly one certificate.
977
978              The  Subject  and  Issuer  comparison  strings  are the RFC 2253
979              string representations  from  the  certificate  Subject  DN  and
980              Issuer DN values.
981
982              The syntax of the matching rules is:
983                 [relation-operator]component-rule ...
984
985              where:
986
987              relation-operator
988                     can be either &&, meaning all component rules must match,
989                     or ||, meaning only one component rule must  match.   The
990                     default is &&.
991
992              component-rule
993                     can be one of the following.  Note that there is no punc‐
994                     tuation or whitespace between component rules.
995                        <SUBJECT>regular-expression
996                        <ISSUER>regular-expression
997                        <SAN>regular-expression
998                        <EKU>extended-key-usage-list
999                        <KU>key-usage-list
1000
1001
1002                     extended-key-usage-list  is  a  comma-separated  list  of
1003                     required  Extended  Key  Usage values.  All values in the
1004                     list must be present in the  certificate.   Extended  Key
1005                     Usage values can be:
1006
1007                     · pkinit
1008
1009                     · msScLogin
1010
1011                     · clientAuth
1012
1013                     · emailProtection
1014
1015                     key-usage-list  is a comma-separated list of required Key
1016                     Usage values.  All values in the list must be present  in
1017                     the certificate.  Key Usage values can be:
1018
1019                     · digitalSignature
1020
1021                     · keyEncipherment
1022
1023              Examples:
1024
1025                 pkinit_cert_match = ||<SUBJECT>.*DoE.*<SAN>.*@EXAMPLE.COM
1026                 pkinit_cert_match = &&<EKU>msScLogin,clientAuth<ISSUER>.*DoE.*
1027                 pkinit_cert_match = <EKU>msScLogin,clientAuth<KU>digitalSignature
1028
1029       pkinit_eku_checking
1030              This option specifies what Extended Key Usage value the KDC cer‐
1031              tificate presented to the client must contain.   (Note  that  if
1032              the   KDC  certificate  has  the  pkinit  SubjectAlternativeName
1033              encoded as the Kerberos TGS name, EKU checking is not  necessary
1034              since  the  issuing CA has certified this as a KDC certificate.)
1035              The values recognized in the krb5.conf file are:
1036
1037              kpKDC  This is the default value and specifies that the KDC must
1038                     have the id-pkinit-KPKdc EKU as defined in RFC 4556.
1039
1040              kpServerAuth
1041                     If  kpServerAuth is specified, a KDC certificate with the
1042                     id-kp-serverAuth EKU will be accepted.   This  key  usage
1043                     value is used in most commercially issued server certifi‐
1044                     cates.
1045
1046              none   If none is specified, then the KDC certificate  will  not
1047                     be  checked  to verify it has an acceptable EKU.  The use
1048                     of this option is not recommended.
1049
1050       pkinit_dh_min_bits
1051              Specifies the size of the Diffie-Hellman  key  the  client  will
1052              attempt to use.  The acceptable values are 1024, 2048, and 4096.
1053              The default is 2048.
1054
1055       pkinit_identities
1056              Specifies the location(s) to be used to find  the  user's  X.509
1057              identity  information.   If  this  option  is specified multiple
1058              times, the first valid value is used; this can be used to  spec‐
1059              ify  an  environment  variable  (with  ENV:envvar) followed by a
1060              default value.  Note that these values are not used if the  user
1061              specifies X509_user_identity on the command line.
1062
1063       pkinit_kdc_hostname
1064              The presense of this option indicates that the client is willing
1065              to accept a KDC certificate with a dNSName SAN (Subject Alterna‐
1066              tive Name) rather than requiring the id-pkinit-san as defined in
1067              RFC 4556.  This option may be  specified  multiple  times.   Its
1068              value  should  contain  the  acceptable hostname for the KDC (as
1069              contained in its certificate).
1070
1071       pkinit_pool
1072              Specifies the location of intermediate certificates which may be
1073              used  by  the  client  to complete the trust chain between a KDC
1074              certificate and a trusted anchor.  This option may be  specified
1075              multiple times.
1076
1077       pkinit_require_crl_checking
1078              The  default  certificate verification process will always check
1079              the available revocation information to see if a certificate has
1080              been revoked.  If a match is found for the certificate in a CRL,
1081              verification fails.  If the certificate being  verified  is  not
1082              listed  in a CRL, or there is no CRL present for its issuing CA,
1083              and pkinit_require_crl_checking is false, then verification suc‐
1084              ceeds.
1085
1086              However,  if pkinit_require_crl_checking is true and there is no
1087              CRL information available for the issuing CA, then  verification
1088              fails.
1089
1090              pkinit_require_crl_checking  should be set to true if the policy
1091              is such that up-to-date CRLs must be present for every CA.
1092
1093       pkinit_revoke
1094              Specifies the location  of  Certificate  Revocation  List  (CRL)
1095              information to be used by the client when verifying the validity
1096              of the KDC certificate presented.  This option may be  specified
1097              multiple times.
1098

PARAMETER EXPANSION

1100       Starting    with    release    1.11,   several   variables,   such   as
1101       default_keytab_name, allow parameters to be expanded.  Valid parameters
1102       are:
1103
1104                    ┌──────────────────┬────────────────────────────┐
1105                    │%{TEMP}           │ Temporary directory        │
1106                    ├──────────────────┼────────────────────────────┤
1107                    │%{uid}            │ Unix  real  UID or Windows │
1108                    │                  │ SID                        │
1109                    ├──────────────────┼────────────────────────────┤
1110                    │%{euid}           │ Unix effective user ID  or │
1111                    │                  │ Windows SID                │
1112                    ├──────────────────┼────────────────────────────┤
1113                    │%{USERID}         │ Same as %{uid}             │
1114                    ├──────────────────┼────────────────────────────┤
1115                    │%{null}           │ Empty string               │
1116                    ├──────────────────┼────────────────────────────┤
1117                    │%{LIBDIR}         │ Installation       library │
1118                    │                  │ directory                  │
1119                    ├──────────────────┼────────────────────────────┤
1120                    │%{BINDIR}         │ Installation binary direc‐ │
1121                    │                  │ tory                       │
1122                    ├──────────────────┼────────────────────────────┤
1123                    │%{SBINDIR}        │ Installation  admin binary │
1124                    │                  │ directory                  │
1125                    ├──────────────────┼────────────────────────────┤
1126                    │%{username}       │ (Unix) Username of  effec‐ │
1127                    │                  │ tive user ID               │
1128                    ├──────────────────┼────────────────────────────┤
1129                    │%{APPDATA}        │ (Windows) Roaming applica‐ │
1130                    │                  │ tion data for current user │
1131                    ├──────────────────┼────────────────────────────┤
1132                    │%{COMMON_APPDATA} │ (Windows) Application data │
1133                    │                  │ for all users              │
1134                    ├──────────────────┼────────────────────────────┤
1135                    │%{LOCAL_APPDATA}  │ (Windows)  Local  applica‐ │
1136                    │                  │ tion data for current user │
1137                    ├──────────────────┼────────────────────────────┤
1138                    │%{SYSTEM}         │ (Windows)  Windows  system │
1139                    │                  │ folder                     │
1140                    ├──────────────────┼────────────────────────────┤
1141                    │%{WINDOWS}        │ (Windows) Windows folder   │
1142                    ├──────────────────┼────────────────────────────┤
1143                    │%{USERCONFIG}     │ (Windows)   Per-user   MIT │
1144                    │                  │ krb5 config file directory │
1145                    ├──────────────────┼────────────────────────────┤
1146                    │%{COMMONCONFIG}   │ (Windows) Common MIT  krb5 │
1147                    │                  │ config file directory      │
1148                    └──────────────────┴────────────────────────────┘
1149

SAMPLE KRB5.CONF FILE

1151       Here is an example of a generic krb5.conf file:
1152
1153          [libdefaults]
1154              default_realm = ATHENA.MIT.EDU
1155              dns_lookup_kdc = true
1156              dns_lookup_realm = false
1157
1158          [realms]
1159              ATHENA.MIT.EDU = {
1160                  kdc = kerberos.mit.edu
1161                  kdc = kerberos-1.mit.edu
1162                  kdc = kerberos-2.mit.edu
1163                  admin_server = kerberos.mit.edu
1164                  master_kdc = kerberos.mit.edu
1165              }
1166              EXAMPLE.COM = {
1167                  kdc = kerberos.example.com
1168                  kdc = kerberos-1.example.com
1169                  admin_server = kerberos.example.com
1170              }
1171
1172          [domain_realm]
1173              mit.edu = ATHENA.MIT.EDU
1174
1175          [capaths]
1176              ATHENA.MIT.EDU = {
1177                     EXAMPLE.COM = .
1178              }
1179              EXAMPLE.COM = {
1180                     ATHENA.MIT.EDU = .
1181              }
1182

FILES

1184       /etc/krb5.conf
1185

SEE ALSO

1187       syslog(3)
1188

AUTHOR

1190       MIT
1191
1193       1985-2020, MIT
1194
1195
1196
1197
11981.18                                                              KRB5.CONF(5)
Impressum