1KRB5.CONF(5) MIT Kerberos KRB5.CONF(5)
2
6 krb5.conf - Kerberos configuration file
7 The krb5.conf file contains Kerberos configuration information, includ‐
9 ing the locations of KDCs and admin servers for the Kerberos realms of
10 interest, defaults for the current realm and for Kerberos applications,
11 and mappings of hostnames onto Kerberos realms. Normally, you should
12 install your krb5.conf file in the directory /etc. You can override
13 the default location by setting the environment variable KRB5_CONFIG.
14 Multiple colon-separated filenames may be specified in KRB5_CONFIG; all
15 files which are present will be read. Starting in release 1.14, direc‐
16 tory names can also be specified in KRB5_CONFIG; all files within the
17 directory whose names consist solely of alphanumeric characters,
18 dashes, or underscores will be read.
19
21 The krb5.conf file is set up in the style of a Windows INI file. Lines
22 beginning with '#' or ';' (possibly after initial whitespace) are
23 ignored as comments. Sections are headed by the section name, in
24 square brackets. Each section may contain zero or more relations, of
25 the form:
26 foo = bar
28 or:
30 fubar = {
32 foo = bar
33 baz = quux
34 }
35 Placing a '*' after the closing bracket of a section name indicates
37 that the section is final, meaning that if the same section appears
38 within a later file specified in KRB5_CONFIG, it will be ignored. A
39 subsection can be marked as final by placing a '*' after either the tag
40 name or the closing brace.
41 The krb5.conf file can include other files using either of the follow‐
43 ing directives at the beginning of a line:
44 include FILENAME
46 includedir DIRNAME
47 FILENAME or DIRNAME should be an absolute path. The named file or
49 directory must exist and be readable. Including a directory includes
50 all files within the directory whose names consist solely of alphanu‐
51 meric characters, dashes, or underscores. Starting in release 1.15,
52 files with names ending in ".conf" are also included, unless the name
53 begins with ".". Included profile files are syntactically independent
54 of their parents, so each included file must begin with a section
55 header. Starting in release 1.17, files are read in alphanumeric
56 order; in previous releases, they may be read in any order.
57 The krb5.conf file can specify that configuration should be obtained
59 from a loadable module, rather than the file itself, using the follow‐
60 ing directive at the beginning of a line before any section headers:
61 module MODULEPATH:RESIDUAL
63 MODULEPATH may be relative to the library path of the krb5 installa‐
65 tion, or it may be an absolute path. RESIDUAL is provided to the mod‐
66 ule at initialization time. If krb5.conf uses a module directive,
67 kdc.conf(5) should also use one if it exists.
68
70 The krb5.conf file may contain the following sections:
71 ┌───────────────┬────────────────────────────┐
73 │[libdefaults] │ Settings used by the Ker‐ │
74 │ │ beros V5 library │
75 ├───────────────┼────────────────────────────┤
76 │[realms] │ Realm-specific contact │
77 │ │ information and settings │
78 ├───────────────┼────────────────────────────┤
79 │[domain_realm] │ Maps server hostnames to │
80 │ │ Kerberos realms │
81 ├───────────────┼────────────────────────────┤
82 │[capaths] │ Authentication paths for │
83 │ │ non-hierarchical │
84 │ │ cross-realm │
85 ├───────────────┼────────────────────────────┤
86 │[appdefaults] │ Settings used by some Ker‐ │
87 │ │ beros V5 applications │
88 ├───────────────┼────────────────────────────┤
89 │[plugins] │ Controls plugin module │
90 │ │ registration │
91 └───────────────┴────────────────────────────┘
92 Additionally, krb5.conf may include any of the relations described in
94 kdc.conf(5), but it is not a recommended practice.
95 [libdefaults]
97 The libdefaults section may contain any of the following relations:
98 allow_weak_crypto
100 If this flag is set to false, then weak encryption types (as
101 noted in Encryption_types in kdc.conf(5)) will be filtered out
102 of the lists default_tgs_enctypes, default_tkt_enctypes, and
103 permitted_enctypes. The default value for this tag is false.
104 canonicalize
106 If this flag is set to true, initial ticket requests to the KDC
107 will request canonicalization of the client principal name, and
108 answers with different client principals than the requested
109 principal will be accepted. The default value is false.
110 ccache_type
112 This parameter determines the format of credential cache types
113 created by kinit(1) or other programs. The default value is 4,
114 which represents the most current format. Smaller values can be
115 used for compatibility with very old implementations of Kerberos
116 which interact with credential caches on the same host.
117 clockskew
119 Sets the maximum allowable amount of clockskew in seconds that
120 the library will tolerate before assuming that a Kerberos mes‐
121 sage is invalid. The default value is 300 seconds, or five min‐
122 utes.
123 The clockskew setting is also used when evaluating ticket start
125 and expiration times. For example, tickets that have reached
126 their expiration time can still be used (and renewed if they are
127 renewable tickets) if they have been expired for a shorter dura‐
128 tion than the clockskew setting.
129 default_ccache_name
131 This relation specifies the name of the default credential
132 cache. The default is FILE:/tmp/krb5cc_%{uid}. This relation
133 is subject to parameter expansion (see below). New in release
134 1.11.
135 default_client_keytab_name
137 This relation specifies the name of the default keytab for
138 obtaining client credentials. The default is FILE:/var/ker‐
139 beros/krb5/user/%{euid}/client.keytab. This relation is subject
140 to parameter expansion (see below). New in release 1.11.
141 default_keytab_name
143 This relation specifies the default keytab name to be used by
144 application servers such as sshd. The default is
145 FILE:/etc/krb5.keytab. This relation is subject to parameter
146 expansion (see below).
147 default_rcache_name
149 This relation specifies the name of the default replay cache.
150 The default is dfl:. This relation is subject to parameter
151 expansion (see below). New in release 1.18.
152 default_realm
154 Identifies the default Kerberos realm for the client. Set its
155 value to your Kerberos realm. If this value is not set, then a
156 realm must be specified with every Kerberos principal when
157 invoking programs such as kinit(1).
158 default_tgs_enctypes
160 Identifies the supported list of session key encryption types
161 that the client should request when making a TGS-REQ, in order
162 of preference from highest to lowest. The list may be delimited
163 with commas or whitespace. See Encryption_types in kdc.conf(5)
164 for a list of the accepted values for this tag. Starting in
165 release 1.18, the default value is the value of permitted_enc‐
166 types. For previous releases or if permitted_enctypes is not
167 set, the default value is aes256-cts-hmac-sha1-96
168 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192
169 aes128-cts-hmac-sha256-128 arcfour-hmac-md5 camellia256-cts-cmac
170 camellia128-cts-cmac.
171 Do not set this unless required for specific backward compati‐
173 bility purposes; stale values of this setting can prevent
174 clients from taking advantage of new stronger enctypes when the
175 libraries are upgraded.
176 default_tkt_enctypes
178 Identifies the supported list of session key encryption types
179 that the client should request when making an AS-REQ, in order
180 of preference from highest to lowest. The format is the same as
181 for default_tgs_enctypes. Starting in release 1.18, the default
182 value is the value of permitted_enctypes. For previous releases
183 or if permitted_enctypes is not set, the default value is
184 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
185 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 arc‐
186 four-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac.
187 Do not set this unless required for specific backward compati‐
189 bility purposes; stale values of this setting can prevent
190 clients from taking advantage of new stronger enctypes when the
191 libraries are upgraded.
192 dns_canonicalize_hostname
194 Indicate whether name lookups will be used to canonicalize host‐
195 names for use in service principal names. Setting this flag to
196 false can improve security by reducing reliance on DNS, but
197 means that short hostnames will not be canonicalized to
198 fully-qualified hostnames. The default value is true.
199 If this option is set to fallback (new in release 1.18), DNS
201 canonicalization will only be performed the server hostname is
202 not found with the original name when requesting credentials.
203 dns_lookup_kdc
205 Indicate whether DNS SRV records should be used to locate the
206 KDCs and other servers for a realm, if they are not listed in
207 the krb5.conf information for the realm. (Note that the
208 admin_server entry must be in the krb5.conf realm information in
209 order to contact kadmind, because the DNS implementation for
210 kadmin is incomplete.)
211 Enabling this option does open up a type of denial-of-service
213 attack, if someone spoofs the DNS records and redirects you to
214 another server. However, it's no worse than a denial of ser‐
215 vice, because that fake KDC will be unable to decode anything
216 you send it (besides the initial ticket request, which has no
217 encrypted data), and anything the fake KDC sends will not be
218 trusted without verification using some secret that it won't
219 know.
220 dns_uri_lookup
222 Indicate whether DNS URI records should be used to locate the
223 KDCs and other servers for a realm, if they are not listed in
224 the krb5.conf information for the realm. SRV records are used
225 as a fallback if no URI records were found. The default value
226 is true. New in release 1.15.
227 enforce_ok_as_delegate
229 If this flag to true, GSSAPI credential delegation will be dis‐
230 abled when the ok-as-delegate flag is not set in the service
231 ticket. If this flag is false, the ok-as-delegate ticket flag
232 is only enforced when an application specifically requests
233 enforcement. The default value is false.
234 err_fmt
236 This relation allows for custom error message formatting. If a
237 value is set, error messages will be formatted by substituting a
238 normal error message for %M and an error code for %C in the
239 value.
240 extra_addresses
242 This allows a computer to use multiple local addresses, in order
243 to allow Kerberos to work in a network that uses NATs while
244 still using address-restricted tickets. The addresses should be
245 in a comma-separated list. This option has no effect if noad‐
246 dresses is true.
247 forwardable
249 If this flag is true, initial tickets will be forwardable by
250 default, if allowed by the KDC. The default value is false.
251 ignore_acceptor_hostname
253 When accepting GSSAPI or krb5 security contexts for host-based
254 service principals, ignore any hostname passed by the calling
255 application, and allow clients to authenticate to any service
256 principal in the keytab matching the service name and realm name
257 (if given). This option can improve the administrative flexi‐
258 bility of server applications on multihomed hosts, but could
259 compromise the security of virtual hosting environments. The
260 default value is false. New in release 1.10.
261 k5login_authoritative
263 If this flag is true, principals must be listed in a local
264 user's k5login file to be granted login access, if a .k5login(5)
265 file exists. If this flag is false, a principal may still be
266 granted login access through other mechanisms even if a k5login
267 file exists but does not list the principal. The default value
268 is true.
269 k5login_directory
271 If set, the library will look for a local user's k5login file
272 within the named directory, with a filename corresponding to the
273 local username. If not set, the library will look for k5login
274 files in the user's home directory, with the filename .k5login.
275 For security reasons, .k5login files must be owned by the local
276 user or by root.
277 kcm_mach_service
279 On macOS only, determines the name of the bootstrap service used
280 to contact the KCM daemon for the KCM credential cache type. If
281 the value is -, Mach RPC will not be used to contact the KCM
282 daemon. The default value is org.h5l.kcm.
283 kcm_socket
285 Determines the path to the Unix domain socket used to access the
286 KCM daemon for the KCM credential cache type. If the value is
287 -, Unix domain sockets will not be used to contact the KCM dae‐
288 mon. The default value is /var/run/.heim_org.h5l.kcm-socket.
289 kdc_default_options
291 Default KDC options (Xored for multiple values) when requesting
292 initial tickets. By default it is set to 0x00000010
293 (KDC_OPT_RENEWABLE_OK).
294 kdc_timesync
296 Accepted values for this relation are 1 or 0. If it is nonzero,
297 client machines will compute the difference between their time
298 and the time returned by the KDC in the timestamps in the tick‐
299 ets and use this value to correct for an inaccurate system clock
300 when requesting service tickets or authenticating to services.
301 This corrective factor is only used by the Kerberos library; it
302 is not used to change the system clock. The default value is 1.
303 noaddresses
305 If this flag is true, requests for initial tickets will not be
306 made with address restrictions set, allowing the tickets to be
307 used across NATs. The default value is true.
308 permitted_enctypes
310 Identifies the encryption types that servers will permit for
311 session keys and for ticket and authenticator encryption,
312 ordered by preference from highest to lowest. Starting in
313 release 1.18, this tag also acts as the default value for
314 default_tgs_enctypes and default_tkt_enctypes. The default
315 value for this tag is aes256-cts-hmac-sha1-96
316 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192
317 aes128-cts-hmac-sha256-128 arcfour-hmac-md5 camellia256-cts-cmac
318 camellia128-cts-cmac.
319 plugin_base_dir
321 If set, determines the base directory where krb5 plugins are
322 located. The default value is the krb5/plugins subdirectory of
323 the krb5 library directory. This relation is subject to parame‐
324 ter expansion (see below) in release 1.17 and later.
325 preferred_preauth_types
327 This allows you to set the preferred preauthentication types
328 which the client will attempt before others which may be adver‐
329 tised by a KDC. The default value for this setting is "17, 16,
330 15, 14", which forces libkrb5 to attempt to use PKINIT if it is
331 supported.
332 proxiable
334 If this flag is true, initial tickets will be proxiable by
335 default, if allowed by the KDC. The default value is false.
336 qualify_shortname
338 If this string is set, it determines the domain suffix for sin‐
339 gle-component hostnames when DNS canonicalization is not used
340 (either because dns_canonicalize_hostname is false or because
341 forward canonicalization failed). The default value is the
342 first search domain of the system's DNS configuration. To dis‐
343 able qualification of shortnames, set this relation to the empty
344 string with qualify_shortname = "". (New in release 1.18.)
345 rdns If this flag is true, reverse name lookup will be used in addi‐
347 tion to forward name lookup to canonicalizing hostnames for use
348 in service principal names. If dns_canonicalize_hostname is set
349 to false, this flag has no effect. The default value is true.
350 realm_try_domains
352 Indicate whether a host's domain components should be used to
353 determine the Kerberos realm of the host. The value of this
354 variable is an integer: -1 means not to search, 0 means to try
355 the host's domain itself, 1 means to also try the domain's imme‐
356 diate parent, and so forth. The library's usual mechanism for
357 locating Kerberos realms is used to determine whether a domain
358 is a valid realm, which may involve consulting DNS if
359 dns_lookup_kdc is set. The default is not to search domain com‐
360 ponents.
361 renew_lifetime
363 (duration string.) Sets the default renewable lifetime for ini‐
364 tial ticket requests. The default value is 0.
365 spake_preauth_groups
367 A whitespace or comma-separated list of words which specifies
368 the groups allowed for SPAKE preauthentication. The possible
369 values are:
370 ┌─────────────┬────────────────────────────┐
372 │edwards25519 │ Edwards25519 curve (RFC │
373 │ │ 7748) │
374 ├─────────────┼────────────────────────────┤
375 │P-256 │ NIST P-256 curve (RFC │
376 │ │ 5480) │
377 ├─────────────┼────────────────────────────┤
378 │P-384 │ NIST P-384 curve (RFC │
379 │ │ 5480) │
380 ├─────────────┼────────────────────────────┤
381 │P-521 │ NIST P-521 curve (RFC │
382 │ │ 5480) │
383 └─────────────┴────────────────────────────┘
384 The default value for the client is edwards25519. The default
386 value for the KDC is empty. New in release 1.17.
387 ticket_lifetime
389 (duration string.) Sets the default lifetime for initial ticket
390 requests. The default value is 1 day.
391 udp_preference_limit
393 When sending a message to the KDC, the library will try using
394 TCP before UDP if the size of the message is above udp_prefer‐
395 ence_limit. If the message is smaller than udp_prefer‐
396 ence_limit, then UDP will be tried before TCP. Regardless of
397 the size, both protocols will be tried if the first attempt
398 fails.
399 verify_ap_req_nofail
401 If this flag is true, then an attempt to verify initial creden‐
402 tials will fail if the client machine does not have a keytab.
403 The default value is false.
404 [realms]
406 Each tag in the [realms] section of the file is the name of a Kerberos
407 realm. The value of the tag is a subsection with relations that define
408 the properties of that particular realm. For each realm, the following
409 tags may be specified in the realm's subsection:
410 admin_server
412 Identifies the host where the administration server is running.
413 Typically, this is the master Kerberos server. This tag must be
414 given a value in order to communicate with the kadmind(8) server
415 for the realm.
416 auth_to_local
418 This tag allows you to set a general rule for mapping principal
419 names to local user names. It will be used if there is not an
420 explicit mapping for the principal name that is being trans‐
421 lated. The possible values are:
422 RULE:exp
424 The local name will be formulated from exp.
425 The format for exp is [n:string](regexp)s/pat‐
427 tern/replacement/g. The integer n indicates how many
428 components the target principal should have. If this
429 matches, then a string will be formed from string, sub‐
430 stituting the realm of the principal for $0 and the n'th
431 component of the principal for $n (e.g., if the principal
432 was johndoe/admin then [2:$2$1foo] would result in the
433 string adminjohndoefoo). If this string matches regexp,
434 then the s//[g] substitution command will be run over the
435 string. The optional g will cause the substitution to be
436 global over the string, instead of replacing only the
437 first match in the string.
438 DEFAULT
440 The principal name will be used as the local user name.
441 If the principal has more than one component or is not in
442 the default realm, this rule is not applicable and the
443 conversion will fail.
444 For example:
446 [realms]
448 ATHENA.MIT.EDU = {
449 auth_to_local = RULE:[2:$1](johndoe)s/^.*$/guest/
450 auth_to_local = RULE:[2:$1;$2](^.*;admin$)s/;admin$//
451 auth_to_local = RULE:[2:$2](^.*;root)s/^.*$/root/
452 auth_to_local = DEFAULT
453 }
454 would result in any principal without root or admin as the sec‐
456 ond component to be translated with the default rule. A princi‐
457 pal with a second component of admin will become its first com‐
458 ponent. root will be used as the local name for any principal
459 with a second component of root. The exception to these two
460 rules are any principals johndoe/*, which will always get the
461 local name guest.
462 auth_to_local_names
464 This subsection allows you to set explicit mappings from princi‐
465 pal names to local user names. The tag is the mapping name, and
466 the value is the corresponding local user name.
467 default_domain
469 This tag specifies the domain used to expand hostnames when
470 translating Kerberos 4 service principals to Kerberos 5 princi‐
471 pals (for example, when converting rcmd.hostname to host/host‐
472 name.domain).
473 disable_encrypted_timestamp
475 If this flag is true, the client will not perform encrypted
476 timestamp preauthentication if requested by the KDC. Setting
477 this flag can help to prevent dictionary attacks by active
478 attackers, if the realm's KDCs support SPAKE preauthentication
479 or if initial authentication always uses another mechanism or
480 always uses FAST. This flag persists across client referrals
481 during initial authentication. This flag does not prevent the
482 KDC from offering encrypted timestamp. New in release 1.17.
483 http_anchors
485 When KDCs and kpasswd servers are accessed through HTTPS prox‐
486 ies, this tag can be used to specify the location of the CA cer‐
487 tificate which should be trusted to issue the certificate for a
488 proxy server. If left unspecified, the system-wide default set
489 of CA certificates is used.
490 The syntax for values is similar to that of values for the
492 pkinit_anchors tag:
493 FILE: filename
495 filename is assumed to be the name of an OpenSSL-style ca-bundle
497 file.
498 DIR: dirname
500 dirname is assumed to be an directory which contains CA certifi‐
502 cates. All files in the directory will be examined; if they
503 contain certificates (in PEM format), they will be used.
504 ENV: envvar
506 envvar specifies the name of an environment variable which has
508 been set to a value conforming to one of the previous values.
509 For example, ENV:X509_PROXY_CA, where environment variable
510 X509_PROXY_CA has been set to FILE:/tmp/my_proxy.pem.
511 kdc The name or address of a host running a KDC for that realm. An
513 optional port number, separated from the hostname by a colon,
514 may be included. If the name or address contains colons (for
515 example, if it is an IPv6 address), enclose it in square brack‐
516 ets to distinguish the colon from a port separator. For your
517 computer to be able to communicate with the KDC for each realm,
518 this tag must be given a value in each realm subsection in the
519 configuration file, or there must be DNS SRV records specifying
520 the KDCs.
521 kpasswd_server
523 Points to the server where all the password changes are per‐
524 formed. If there is no such entry, DNS will be queried (unless
525 forbidden by dns_lookup_kdc). Finally, port 464 on the
526 admin_server host will be tried.
527 master_kdc
529 Identifies the master KDC(s). Currently, this tag is used in
530 only one case: If an attempt to get credentials fails because of
531 an invalid password, the client software will attempt to contact
532 the master KDC, in case the user's password has just been
533 changed, and the updated database has not been propagated to the
534 replica servers yet.
535 v4_instance_convert
537 This subsection allows the administrator to configure exceptions
538 to the default_domain mapping rule. It contains V4 instances
539 (the tag name) which should be translated to some specific host‐
540 name (the tag value) as the second component in a Kerberos V5
541 principal name.
542 v4_realm
544 This relation is used by the krb524 library routines when con‐
545 verting a V5 principal name to a V4 principal name. It is used
546 when the V4 realm name and the V5 realm name are not the same,
547 but still share the same principal names and passwords. The tag
548 value is the Kerberos V4 realm name.
549 [domain_realm]
551 The [domain_realm] section provides a translation from a domain name or
552 hostname to a Kerberos realm name. The tag name can be a host name or
553 domain name, where domain names are indicated by a prefix of a period
554 (.). The value of the relation is the Kerberos realm name for that
555 particular host or domain. A host name relation implicitly provides
556 the corresponding domain name relation, unless an explicit domain name
557 relation is provided. The Kerberos realm may be identified either in
558 the realms section or using DNS SRV records. Host names and domain
559 names should be in lower case. For example:
560 [domain_realm]
562 crash.mit.edu = TEST.ATHENA.MIT.EDU
563 .dev.mit.edu = TEST.ATHENA.MIT.EDU
564 mit.edu = ATHENA.MIT.EDU
565 maps the host with the name crash.mit.edu into the TEST.ATHENA.MIT.EDU
567 realm. The second entry maps all hosts under the domain dev.mit.edu
568 into the TEST.ATHENA.MIT.EDU realm, but not the host with the name
569 dev.mit.edu. That host is matched by the third entry, which maps the
570 host mit.edu and all hosts under the domain mit.edu that do not match a
571 preceding rule into the realm ATHENA.MIT.EDU.
572 If no translation entry applies to a hostname used for a service prin‐
574 cipal for a service ticket request, the library will try to get a
575 referral to the appropriate realm from the client realm's KDC. If that
576 does not succeed, the host's realm is considered to be the hostname's
577 domain portion converted to uppercase, unless the realm_try_domains
578 setting in [libdefaults] causes a different parent domain to be used.
579 [capaths]
581 In order to perform direct (non-hierarchical) cross-realm authentica‐
582 tion, configuration is needed to determine the authentication paths
583 between realms.
584 A client will use this section to find the authentication path between
586 its realm and the realm of the server. The server will use this sec‐
587 tion to verify the authentication path used by the client, by checking
588 the transited field of the received ticket.
589 There is a tag for each participating client realm, and each tag has
591 subtags for each of the server realms. The value of the subtags is an
592 intermediate realm which may participate in the cross-realm authentica‐
593 tion. The subtags may be repeated if there is more then one intermedi‐
594 ate realm. A value of "." means that the two realms share keys
595 directly, and no intermediate realms should be allowed to participate.
596 Only those entries which will be needed on the client or the server
598 need to be present. A client needs a tag for its local realm with sub‐
599 tags for all the realms of servers it will need to authenticate to. A
600 server needs a tag for each realm of the clients it will serve, with a
601 subtag of the server realm.
602 For example, ANL.GOV, PNL.GOV, and NERSC.GOV all wish to use the ES.NET
604 realm as an intermediate realm. ANL has a sub realm of TEST.ANL.GOV
605 which will authenticate with NERSC.GOV but not PNL.GOV. The [capaths]
606 section for ANL.GOV systems would look like this:
607 [capaths]
609 ANL.GOV = {
610 TEST.ANL.GOV = .
611 PNL.GOV = ES.NET
612 NERSC.GOV = ES.NET
613 ES.NET = .
614 }
615 TEST.ANL.GOV = {
616 ANL.GOV = .
617 }
618 PNL.GOV = {
619 ANL.GOV = ES.NET
620 }
621 NERSC.GOV = {
622 ANL.GOV = ES.NET
623 }
624 ES.NET = {
625 ANL.GOV = .
626 }
627 The [capaths] section of the configuration file used on NERSC.GOV sys‐
629 tems would look like this:
630 [capaths]
632 NERSC.GOV = {
633 ANL.GOV = ES.NET
634 TEST.ANL.GOV = ES.NET
635 TEST.ANL.GOV = ANL.GOV
636 PNL.GOV = ES.NET
637 ES.NET = .
638 }
639 ANL.GOV = {
640 NERSC.GOV = ES.NET
641 }
642 PNL.GOV = {
643 NERSC.GOV = ES.NET
644 }
645 ES.NET = {
646 NERSC.GOV = .
647 }
648 TEST.ANL.GOV = {
649 NERSC.GOV = ANL.GOV
650 NERSC.GOV = ES.NET
651 }
652 When a subtag is used more than once within a tag, clients will use the
654 order of values to determine the path. The order of values is not
655 important to servers.
656 [appdefaults]
658 Each tag in the [appdefaults] section names a Kerberos V5 application
659 or an option that is used by some Kerberos V5 application[s]. The
660 value of the tag defines the default behaviors for that application.
661 For example:
663 [appdefaults]
665 telnet = {
666 ATHENA.MIT.EDU = {
667 option1 = false
668 }
669 }
670 telnet = {
671 option1 = true
672 option2 = true
673 }
674 ATHENA.MIT.EDU = {
675 option2 = false
676 }
677 option2 = true
678 The above four ways of specifying the value of an option are shown in
680 order of decreasing precedence. In this example, if telnet is running
681 in the realm EXAMPLE.COM, it should, by default, have option1 and
682 option2 set to true. However, a telnet program in the realm
683 ATHENA.MIT.EDU should have option1 set to false and option2 set to
684 true. Any other programs in ATHENA.MIT.EDU should have option2 set to
685 false by default. Any programs running in other realms should have
686 option2 set to true.
687 The list of specifiable options for each application may be found in
689 that application's man pages. The application defaults specified here
690 are overridden by those specified in the realms section.
691 [plugins]
693 · pwqual interface
694 · kadm5_hook interface
696 · clpreauth and kdcpreauth interfaces
698 Tags in the [plugins] section can be used to register dynamic plugin
700 modules and to turn modules on and off. Not every krb5 pluggable
701 interface uses the [plugins] section; the ones that do are documented
702 here.
703 New in release 1.9.
705 Each pluggable interface corresponds to a subsection of [plugins]. All
707 subsections support the same tags:
708 disable
710 This tag may have multiple values. If there are values for this
711 tag, then the named modules will be disabled for the pluggable
712 interface.
713 enable_only
715 This tag may have multiple values. If there are values for this
716 tag, then only the named modules will be enabled for the plug‐
717 gable interface.
718 module This tag may have multiple values. Each value is a string of
720 the form modulename:pathname, which causes the shared object
721 located at pathname to be registered as a dynamic module named
722 modulename for the pluggable interface. If pathname is not an
723 absolute path, it will be treated as relative to the plug‐
724 in_base_dir value from [libdefaults].
725 For pluggable interfaces where module order matters, modules registered
727 with a module tag normally come first, in the order they are regis‐
728 tered, followed by built-in modules in the order they are documented
729 below. If enable_only tags are used, then the order of those tags
730 overrides the normal module order.
731 The following subsections are currently supported within the [plugins]
733 section:
734 ccselect interface
736 The ccselect subsection controls modules for credential cache selection
737 within a cache collection. In addition to any registered dynamic mod‐
738 ules, the following built-in modules exist (and may be disabled with
739 the disable tag):
740 k5identity
742 Uses a .k5identity file in the user's home directory to select a
743 client principal
744 realm Uses the service realm to guess an appropriate cache from the
746 collection
747 hostname
749 If the service principal is host-based, uses the service host‐
750 name to guess an appropriate cache from the collection
751 pwqual interface
753 The pwqual subsection controls modules for the password quality inter‐
754 face, which is used to reject weak passwords when passwords are
755 changed. The following built-in modules exist for this interface:
756 dict Checks against the realm dictionary file
758 empty Rejects empty passwords
760 hesiod Checks against user information stored in Hesiod (only if Ker‐
762 beros was built with Hesiod support)
763 princ Checks against components of the principal name
765 kadm5_hook interface
767 The kadm5_hook interface provides plugins with information on principal
768 creation, modification, password changes and deletion. This interface
769 can be used to write a plugin to synchronize MIT Kerberos with another
770 database such as Active Directory. No plugins are built in for this
771 interface.
772 kadm5_auth interface
774 The kadm5_auth section (introduced in release 1.16) controls modules
775 for the kadmin authorization interface, which determines whether a
776 client principal is allowed to perform a kadmin operation. The follow‐
777 ing built-in modules exist for this interface:
778 acl This module reads the kadm5.acl(5) file, and authorizes opera‐
780 tions which are allowed according to the rules in the file.
781 self This module authorizes self-service operations including pass‐
783 word changes, creation of new random keys, fetching the client's
784 principal record or string attributes, and fetching the policy
785 record associated with the client principal.
786 clpreauth and kdcpreauth interfaces
788 The clpreauth and kdcpreauth interfaces allow plugin modules to provide
789 client and KDC preauthentication mechanisms. The following built-in
790 modules exist for these interfaces:
791 pkinit This module implements the PKINIT preauthentication mechanism.
793 encrypted_challenge
795 This module implements the encrypted challenge FAST factor.
796 encrypted_timestamp
798 This module implements the encrypted timestamp mechanism.
799 hostrealm interface
801 The hostrealm section (introduced in release 1.12) controls modules for
802 the host-to-realm interface, which affects the local mapping of host‐
803 names to realm names and the choice of default realm. The following
804 built-in modules exist for this interface:
805 profile
807 This module consults the [domain_realm] section of the profile
808 for authoritative host-to-realm mappings, and the default_realm
809 variable for the default realm.
810 dns This module looks for DNS records for fallback host-to-realm
812 mappings and the default realm. It only operates if the
813 dns_lookup_realm variable is set to true.
814 domain This module applies heuristics for fallback host-to-realm map‐
816 pings. It implements the realm_try_domains variable, and uses
817 the uppercased parent domain of the hostname if that does not
818 produce a result.
819 localauth interface
821 The localauth section (introduced in release 1.12) controls modules for
822 the local authorization interface, which affects the relationship
823 between Kerberos principals and local system accounts. The following
824 built-in modules exist for this interface:
825 default
827 This module implements the DEFAULT type for auth_to_local val‐
828 ues.
829 rule This module implements the RULE type for auth_to_local values.
831 names This module looks for an auth_to_local_names mapping for the
833 principal name.
834 auth_to_local
836 This module processes auth_to_local values in the default
837 realm's section, and applies the default method if no
838 auth_to_local values exist.
839 k5login
841 This module authorizes a principal to a local account according
842 to the account's .k5login(5) file.
843 an2ln This module authorizes a principal to a local account if the
845 principal name maps to the local account name.
846 certauth interface
848 The certauth section (introduced in release 1.16) controls modules for
849 the certificate authorization interface, which determines whether a
850 certificate is allowed to preauthenticate a user via PKINIT. The fol‐
851 lowing built-in modules exist for this interface:
852 pkinit_san
854 This module authorizes the certificate if it contains a PKINIT
855 Subject Alternative Name for the requested client principal, or
856 a Microsoft UPN SAN matching the principal if pkinit_allow_upn
857 is set to true for the realm.
858 pkinit_eku
860 This module rejects the certificate if it does not contain an
861 Extended Key Usage attribute consistent with the
862 pkinit_eku_checking value for the realm.
863 dbmatch
865 This module authorizes or rejects the certificate according to
866 whether it matches the pkinit_cert_match string attribute on the
867 client principal, if that attribute is present.
868
870 NOTE:
871 The following are PKINIT-specific options. These values may be
872 specified in [libdefaults] as global defaults, or within a
873 realm-specific subsection of [libdefaults], or may be specified as
874 realm-specific values in the [realms] section. A realm-specific
875 value overrides, not adds to, a generic [libdefaults] specification.
876 The search order is:
877 1. realm-specific subsection of [libdefaults]:
879 [libdefaults]
881 EXAMPLE.COM = {
882 pkinit_anchors = FILE:/usr/local/example.com.crt
883 }
884 2. realm-specific value in the [realms] section:
886 [realms]
888 OTHERREALM.ORG = {
889 pkinit_anchors = FILE:/usr/local/otherrealm.org.crt
890 }
891 3. generic value in the [libdefaults] section:
893 [libdefaults]
895 pkinit_anchors = DIR:/usr/local/generic_trusted_cas/
896 Specifying PKINIT identity information
898 The syntax for specifying Public Key identity, trust, and revocation
899 information for PKINIT is as follows:
900 FILE:filename[,keyfilename]
902 This option has context-specific behavior.
903 In pkinit_identity or pkinit_identities, filename specifies the
905 name of a PEM-format file containing the user's certificate. If
906 keyfilename is not specified, the user's private key is expected
907 to be in filename as well. Otherwise, keyfilename is the name
908 of the file containing the private key.
909 In pkinit_anchors or pkinit_pool, filename is assumed to be the
911 name of an OpenSSL-style ca-bundle file.
912 DIR:dirname
914 This option has context-specific behavior.
915 In pkinit_identity or pkinit_identities, dirname specifies a
917 directory with files named *.crt and *.key where the first part
918 of the file name is the same for matching pairs of certificate
919 and private key files. When a file with a name ending with .crt
920 is found, a matching file ending with .key is assumed to contain
921 the private key. If no such file is found, then the certificate
922 in the .crt is not used.
923 In pkinit_anchors or pkinit_pool, dirname is assumed to be an
925 OpenSSL-style hashed CA directory where each CA cert is stored
926 in a file named hash-of-ca-cert.#. This infrastructure is
927 encouraged, but all files in the directory will be examined and
928 if they contain certificates (in PEM format), they will be used.
929 In pkinit_revoke, dirname is assumed to be an OpenSSL-style
931 hashed CA directory where each revocation list is stored in a
932 file named hash-of-ca-cert.r#. This infrastructure is encour‐
933 aged, but all files in the directory will be examined and if
934 they contain a revocation list (in PEM format), they will be
935 used.
936 PKCS12:filename
938 filename is the name of a PKCS #12 format file, containing the
939 user's certificate and private key.
940 PKCS11:[module_name=]modname[:slotid=slot-id][:token=token-label][:cer‐
942 tid=cert-id][:certlabel=cert-label]
943 All keyword/values are optional. modname specifies the location
944 of a library implementing PKCS #11. If a value is encountered
945 with no keyword, it is assumed to be the modname. If no mod‐
946 ule-name is specified, the default is opensc-pkcs11.so. slotid=
947 and/or token= may be specified to force the use of a particular
948 smard card reader or token if there is more than one available.
949 certid= and/or certlabel= may be specified to force the selec‐
950 tion of a particular certificate on the device. See the
951 pkinit_cert_match configuration option for more ways to select a
952 particular certificate to use for PKINIT.
953 ENV:envvar
955 envvar specifies the name of an environment variable which has
956 been set to a value conforming to one of the previous values.
957 For example, ENV:X509_PROXY, where environment variable
958 X509_PROXY has been set to FILE:/tmp/my_proxy.pem.
959 PKINIT krb5.conf options
961 pkinit_anchors
962 Specifies the location of trusted anchor (root) certificates
963 which the client trusts to sign KDC certificates. This option
964 may be specified multiple times. These values from the config
965 file are not used if the user specifies X509_anchors on the com‐
966 mand line.
967 pkinit_cert_match
969 Specifies matching rules that the client certificate must match
970 before it is used to attempt PKINIT authentication. If a user
971 has multiple certificates available (on a smart card, or via
972 other media), there must be exactly one certificate chosen
973 before attempting PKINIT authentication. This option may be
974 specified multiple times. All the available certificates are
975 checked against each rule in order until there is a match of
976 exactly one certificate.
977 The Subject and Issuer comparison strings are the RFC 2253
979 string representations from the certificate Subject DN and
980 Issuer DN values.
981 The syntax of the matching rules is:
983 [relation-operator]component-rule ...
984 where:
986 relation-operator
988 can be either &&, meaning all component rules must match,
989 or ||, meaning only one component rule must match. The
990 default is &&.
991 component-rule
993 can be one of the following. Note that there is no punc‐
994 tuation or whitespace between component rules.
995 <SUBJECT>regular-expression
996 <ISSUER>regular-expression
997 <SAN>regular-expression
998 <EKU>extended-key-usage-list
999 <KU>key-usage-list
1000 extended-key-usage-list is a comma-separated list of
1003 required Extended Key Usage values. All values in the
1004 list must be present in the certificate. Extended Key
1005 Usage values can be:
1006 · pkinit
1008 · msScLogin
1010 · clientAuth
1012 · emailProtection
1014 key-usage-list is a comma-separated list of required Key
1016 Usage values. All values in the list must be present in
1017 the certificate. Key Usage values can be:
1018 · digitalSignature
1020 · keyEncipherment
1022 Examples:
1024 pkinit_cert_match = ||<SUBJECT>.*DoE.*<SAN>.*@EXAMPLE.COM
1026 pkinit_cert_match = &&<EKU>msScLogin,clientAuth<ISSUER>.*DoE.*
1027 pkinit_cert_match = <EKU>msScLogin,clientAuth<KU>digitalSignature
1028 pkinit_eku_checking
1030 This option specifies what Extended Key Usage value the KDC cer‐
1031 tificate presented to the client must contain. (Note that if
1032 the KDC certificate has the pkinit SubjectAlternativeName
1033 encoded as the Kerberos TGS name, EKU checking is not necessary
1034 since the issuing CA has certified this as a KDC certificate.)
1035 The values recognized in the krb5.conf file are:
1036 kpKDC This is the default value and specifies that the KDC must
1038 have the id-pkinit-KPKdc EKU as defined in RFC 4556.
1039 kpServerAuth
1041 If kpServerAuth is specified, a KDC certificate with the
1042 id-kp-serverAuth EKU will be accepted. This key usage
1043 value is used in most commercially issued server certifi‐
1044 cates.
1045 none If none is specified, then the KDC certificate will not
1047 be checked to verify it has an acceptable EKU. The use
1048 of this option is not recommended.
1049 pkinit_dh_min_bits
1051 Specifies the size of the Diffie-Hellman key the client will
1052 attempt to use. The acceptable values are 1024, 2048, and 4096.
1053 The default is 2048.
1054 pkinit_identities
1056 Specifies the location(s) to be used to find the user's X.509
1057 identity information. If this option is specified multiple
1058 times, the first valid value is used; this can be used to spec‐
1059 ify an environment variable (with ENV:envvar) followed by a
1060 default value. Note that these values are not used if the user
1061 specifies X509_user_identity on the command line.
1062 pkinit_kdc_hostname
1064 The presense of this option indicates that the client is willing
1065 to accept a KDC certificate with a dNSName SAN (Subject Alterna‐
1066 tive Name) rather than requiring the id-pkinit-san as defined in
1067 RFC 4556. This option may be specified multiple times. Its
1068 value should contain the acceptable hostname for the KDC (as
1069 contained in its certificate).
1070 pkinit_pool
1072 Specifies the location of intermediate certificates which may be
1073 used by the client to complete the trust chain between a KDC
1074 certificate and a trusted anchor. This option may be specified
1075 multiple times.
1076 pkinit_require_crl_checking
1078 The default certificate verification process will always check
1079 the available revocation information to see if a certificate has
1080 been revoked. If a match is found for the certificate in a CRL,
1081 verification fails. If the certificate being verified is not
1082 listed in a CRL, or there is no CRL present for its issuing CA,
1083 and pkinit_require_crl_checking is false, then verification suc‐
1084 ceeds.
1085 However, if pkinit_require_crl_checking is true and there is no
1087 CRL information available for the issuing CA, then verification
1088 fails.
1089 pkinit_require_crl_checking should be set to true if the policy
1091 is such that up-to-date CRLs must be present for every CA.
1092 pkinit_revoke
1094 Specifies the location of Certificate Revocation List (CRL)
1095 information to be used by the client when verifying the validity
1096 of the KDC certificate presented. This option may be specified
1097 multiple times.
1098
1100 Starting with release 1.11, several variables, such as
1101 default_keytab_name, allow parameters to be expanded. Valid parameters
1102 are:
1103 ┌──────────────────┬────────────────────────────┐
1105 │%{TEMP} │ Temporary directory │
1106 ├──────────────────┼────────────────────────────┤
1107 │%{uid} │ Unix real UID or Windows │
1108 │ │ SID │
1109 ├──────────────────┼────────────────────────────┤
1110 │%{euid} │ Unix effective user ID or │
1111 │ │ Windows SID │
1112 ├──────────────────┼────────────────────────────┤
1113 │%{USERID} │ Same as %{uid} │
1114 ├──────────────────┼────────────────────────────┤
1115 │%{null} │ Empty string │
1116 ├──────────────────┼────────────────────────────┤
1117 │%{LIBDIR} │ Installation library │
1118 │ │ directory │
1119 ├──────────────────┼────────────────────────────┤
1120 │%{BINDIR} │ Installation binary direc‐ │
1121 │ │ tory │
1122 ├──────────────────┼────────────────────────────┤
1123 │%{SBINDIR} │ Installation admin binary │
1124 │ │ directory │
1125 ├──────────────────┼────────────────────────────┤
1126 │%{username} │ (Unix) Username of effec‐ │
1127 │ │ tive user ID │
1128 ├──────────────────┼────────────────────────────┤
1129 │%{APPDATA} │ (Windows) Roaming applica‐ │
1130 │ │ tion data for current user │
1131 ├──────────────────┼────────────────────────────┤
1132 │%{COMMON_APPDATA} │ (Windows) Application data │
1133 │ │ for all users │
1134 ├──────────────────┼────────────────────────────┤
1135 │%{LOCAL_APPDATA} │ (Windows) Local applica‐ │
1136 │ │ tion data for current user │
1137 ├──────────────────┼────────────────────────────┤
1138 │%{SYSTEM} │ (Windows) Windows system │
1139 │ │ folder │
1140 ├──────────────────┼────────────────────────────┤
1141 │%{WINDOWS} │ (Windows) Windows folder │
1142 ├──────────────────┼────────────────────────────┤
1143 │%{USERCONFIG} │ (Windows) Per-user MIT │
1144 │ │ krb5 config file directory │
1145 ├──────────────────┼────────────────────────────┤
1146 │%{COMMONCONFIG} │ (Windows) Common MIT krb5 │
1147 │ │ config file directory │
1148 └──────────────────┴────────────────────────────┘
1149
1151 Here is an example of a generic krb5.conf file:
1152 [libdefaults]
1154 default_realm = ATHENA.MIT.EDU
1155 dns_lookup_kdc = true
1156 dns_lookup_realm = false
1157 [realms]
1159 ATHENA.MIT.EDU = {
1160 kdc = kerberos.mit.edu
1161 kdc = kerberos-1.mit.edu
1162 kdc = kerberos-2.mit.edu
1163 admin_server = kerberos.mit.edu
1164 master_kdc = kerberos.mit.edu
1165 }
1166 EXAMPLE.COM = {
1167 kdc = kerberos.example.com
1168 kdc = kerberos-1.example.com
1169 admin_server = kerberos.example.com
1170 }
1171 [domain_realm]
1173 mit.edu = ATHENA.MIT.EDU
1174 [capaths]
1176 ATHENA.MIT.EDU = {
1177 EXAMPLE.COM = .
1178 }
1179 EXAMPLE.COM = {
1180 ATHENA.MIT.EDU = .
1181 }
1182
1184 /etc/krb5.conf
1185
1187 syslog(3)
1188
1190 MIT
1191
1193 1985-2020, MIT
11941.18 KRB5.CONF(5)