KDC.CONF(5)                      MIT Kerberos                      KDC.CONF(5)



NAME
       kdc.conf - Kerberos V5 KDC configuration file

       The kdc.conf file supplements krb5.conf(5) for programs which are
       typically only used on a KDC, such as the krb5kdc(8) and kadmind(8)
       daemons and the kdb5_util(8) program.  Relations documented here may
       also be specified in krb5.conf; for the KDC programs mentioned,
       krb5.conf and kdc.conf will be merged into a single configuration
       profile.

       Normally, the kdc.conf file is found in the KDC state directory,
       /var/kerberos/krb5kdc.  You can override the default location by
       setting the environment variable KRB5_KDC_PROFILE.

       Please note that you need to restart the KDC daemon for any
       configuration changes to take effect.

STRUCTURE
       The kdc.conf file is set up in the same format as the krb5.conf(5)
       file.

SECTIONS
       The kdc.conf file may contain the following sections:

                    ┌──────────────┬────────────────────────────┐
                    │[kdcdefaults] │ Default values for KDC     │
                    │              │ behavior                   │
                    ├──────────────┼────────────────────────────┤
                    │[realms]      │ Realm-specific database    │
                    │              │ configuration and settings │
                    ├──────────────┼────────────────────────────┤
                    │[dbdefaults]  │ Default database settings  │
                    ├──────────────┼────────────────────────────┤
                    │[dbmodules]   │ Per-database settings      │
                    ├──────────────┼────────────────────────────┤
                    │[logging]     │ Controls how Kerberos      │
                    │              │ daemons perform logging    │
                    └──────────────┴────────────────────────────┘

   [kdcdefaults]
       Some relations in the [kdcdefaults] section specify default values for
       realm variables, to be used if the [realms] subsection does not contain
       a relation for the tag.  See the [realms] section for the definitions
       of these relations.

       · host_based_services

       · kdc_listen

       · kdc_ports

       · kdc_tcp_listen

       · kdc_tcp_ports

       · no_host_referral

       · restrict_anonymous_to_tgt

       The following [kdcdefaults] variables have no per-realm equivalent:

       kdc_max_dgram_reply_size
              Specifies the maximum packet size that can be sent over UDP.
              The default value is 4096 bytes.

       kdc_tcp_listen_backlog
              (Integer.)  Set the size of the listen queue length for the KDC
              daemon.  The value may be limited by OS settings.  The default
              value is 5.

       spake_preauth_kdc_challenge
              (String.)  Specifies the group for a SPAKE optimistic challenge.
              See the spake_preauth_groups variable in libdefaults for
              possible values.  The default is not to issue an optimistic
              challenge.  (New in release 1.17.)

   [realms]
       Each tag in the [realms] section is the name of a Kerberos realm.  The
       value of the tag is a subsection where the relations define KDC
       parameters for that particular realm.  The following example shows how
       to define one parameter for the ATHENA.MIT.EDU realm:

          [realms]
              ATHENA.MIT.EDU = {
                  max_renewable_life = 7d 0h 0m 0s
              }

       The following tags may be specified in a [realms] subsection:

       acl_file
              (String.)  Location of the access control list file that
              kadmind(8) uses to determine which principals are allowed which
              permissions on the Kerberos database.  To operate without an ACL
              file, set this relation to the empty string with acl_file = "".
              The default value is /var/kerberos/krb5kdc/kadm5.acl.  For more
              information on the Kerberos ACL file see kadm5.acl(5).

       database_module
              (String.)  This relation indicates the name of the configuration
              section under [dbmodules] for database-specific parameters used
              by the loadable database library.  The default value is the
              realm name.  If this configuration section does not exist,
              default values will be used for all database parameters.

       database_name
              (String, deprecated.)  This relation specifies the location of
              the Kerberos database for this realm, if the DB2 module is being
              used and the [dbmodules] configuration section does not specify
              a database name.  The default value is
              /var/kerberos/krb5kdc/principal.

       default_principal_expiration
              (abstime string.)  Specifies the default expiration date of
              principals created in this realm.  The default value is 0, which
              means no expiration date.

       default_principal_flags
              (Flag string.)  Specifies the default attributes of principals
              created in this realm.  The format for this string is a
              comma-separated list of flags, with '+' before each flag that
              should be enabled and '-' before each flag that should be
              disabled.  The postdateable, forwardable, tgt-based, renewable,
              proxiable, dup-skey, allow-tickets, and service flags default to
              enabled.

              There are a number of possible flags:

              allow-tickets
                     Enabling this flag means that the KDC will issue tickets
                     for this principal.  Disabling this flag essentially
                     deactivates the principal within this realm.

              dup-skey
                     Enabling this flag allows the KDC to issue user-to-user
                     service tickets for this principal.

              forwardable
                     Enabling this flag allows the principal to obtain
                     forwardable tickets.

              hwauth If this flag is enabled, then the principal is required
                     to preauthenticate using a hardware device before
                     receiving any tickets.

              no-auth-data-required
                     Enabling this flag prevents PAC or AD-SIGNEDPATH data
                     from being added to service tickets for the principal.

              ok-as-delegate
                     If this flag is enabled, it hints to the client that
                     credentials can and should be delegated when
                     authenticating to the service.

              ok-to-auth-as-delegate
                     Enabling this flag allows the principal to use S4USelf
                     tickets.

              postdateable
                     Enabling this flag allows the principal to obtain
                     postdateable tickets.

              preauth
                     If this flag is enabled on a client principal, then that
                     principal is required to preauthenticate to the KDC
                     before receiving any tickets.  On a service principal,
                     enabling this flag means that service tickets for this
                     principal will only be issued to clients with a TGT that
                     has the preauthenticated bit set.

              proxiable
                     Enabling this flag allows the principal to obtain proxy
                     tickets.

              pwchange
                     Enabling this flag forces a password change for this
                     principal.

              pwservice
                     If this flag is enabled, it marks this principal as a
                     password change service.  This should only be used in
                     special cases, for example, if a user's password has
                     expired, then the user has to get tickets for that
                     principal without going through the normal password
                     authentication in order to be able to change the
                     password.

              renewable
                     Enabling this flag allows the principal to obtain
                     renewable tickets.

              service
                     Enabling this flag allows the KDC to issue service
                     tickets for this principal.  In release 1.17 and later,
                     user-to-user service tickets are still allowed if the
                     dup-skey flag is set.

              tgt-based
                     Enabling this flag allows a principal to obtain tickets
                     based on a ticket-granting-ticket, rather than repeating
                     the authentication process that was used to obtain the
                     TGT.
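
       The following is an added example, not part of the kdc.conf(5) text or
       of MIT krb5: it computes the attribute set a principal created under a
       given default_principal_flags string would receive, starting from the
       default-enabled flags listed above and applying each '+'/'-' entry.
       Requiring a prefix on every entry and rejecting unknown flag names is
       this example's own strictness, not a description of krb5's parser.

```python
"""Effective attributes of a new principal from default_principal_flags.

Added example, not MIT krb5 code.  Implements the rule stated in
kdc.conf(5): start from the flags that default to enabled, then apply
each '+flag' / '-flag' entry of the comma-separated string.
"""

# Flag names documented for default_principal_flags.
KNOWN_FLAGS = frozenset({
    "allow-tickets", "dup-skey", "forwardable", "hwauth",
    "no-auth-data-required", "ok-as-delegate", "ok-to-auth-as-delegate",
    "postdateable", "preauth", "proxiable", "pwchange", "pwservice",
    "renewable", "service", "tgt-based",
})

# Flags that are enabled unless the string turns them off.
DEFAULT_ENABLED = frozenset({
    "postdateable", "forwardable", "tgt-based", "renewable",
    "proxiable", "dup-skey", "allow-tickets", "service",
})


def parse_flag_string(spec):
    """Split '+a,-b' into (to_enable, to_disable) sets.

    Every entry must carry a '+' or '-' prefix and name a documented flag;
    anything else raises ValueError.  That strictness is this example's
    choice (an assumption), not a statement about krb5's own parser.
    """
    to_enable, to_disable = set(), set()
    for raw in spec.split(","):
        item = raw.strip()
        if not item:                 # tolerate an empty string or trailing comma
            continue
        sign, name = item[0], item[1:].strip()
        if sign not in "+-" or name not in KNOWN_FLAGS:
            raise ValueError("bad default_principal_flags entry: %r" % item)
        (to_enable if sign == "+" else to_disable).add(name)
    clash = to_enable & to_disable
    if clash:
        raise ValueError("flag both enabled and disabled: %s" % sorted(clash))
    return to_enable, to_disable


def flag_string_error(spec):
    """Return the parse error message for spec, or None if it is well formed."""
    try:
        parse_flag_string(spec)
    except ValueError as exc:
        return str(exc)
    return None


def effective_flags(spec):
    """Return the attribute set a principal created under this string gets."""
    to_enable, to_disable = parse_flag_string(spec)
    return frozenset((DEFAULT_ENABLED | to_enable) - to_disable)


def review_notes(spec):
    """Settings in the effective set that a KDC reviewer would want to see."""
    flags = effective_flags(spec)
    notes = []
    if "preauth" not in flags:
        notes.append("preauth disabled: new principals need not preauthenticate")
    if "forwardable" in flags:
        notes.append("forwardable enabled: forwardable tickets issued by default")
    if "ok-to-auth-as-delegate" in flags:
        notes.append("ok-to-auth-as-delegate enabled: S4USelf tickets allowed")
    return notes
```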

       dict_file
              (String.)  Location of the dictionary file containing strings
              that are not allowed as passwords.  The file should contain one
              string per line, with no additional whitespace.  If none is
              specified or if there is no policy assigned to the principal, no
              dictionary checks of passwords will be performed.

       encrypted_challenge_indicator
              (String.)  Specifies the authentication indicator value that the
              KDC asserts into tickets obtained using FAST encrypted challenge
              pre-authentication.  New in 1.16.

       host_based_services
              (Whitespace- or comma-separated list.)  Lists services which
              will get host-based referral processing even if the server
              principal is not marked as host-based by the client.

       iprop_enable
              (Boolean value.)  Specifies whether incremental database
              propagation is enabled.  The default value is false.

       iprop_master_ulogsize
              (Integer.)  Specifies the maximum number of log entries to be
              retained for incremental propagation.  The default value is
              1000.  Prior to release 1.11, the maximum value was 2500.

       iprop_replica_poll
              (Delta time string.)  Specifies how often the replica KDC polls
              for new updates from the master.  The default value is 2m (that
              is, two minutes).  New in release 1.17.

       iprop_slave_poll
              (Delta time string.)  The name for iprop_replica_poll prior to
              release 1.17.  Its value is used as a fallback if
              iprop_replica_poll is not specified.

       iprop_listen
              (Whitespace- or comma-separated list.)  Specifies the iprop RPC
              listening addresses and/or ports for the kadmind(8) daemon.
              Each entry may be an interface address, a port number, or an
              address and port number separated by a colon.  If the address
              contains colons, enclose it in square brackets.  If no address
              is specified, the wildcard address is used.  If kadmind fails to
              bind to any of the specified addresses, it will fail to start.
              The default (when iprop_enable is true) is to bind to the
              wildcard address at the port specified in iprop_port.  New in
              release 1.15.

       iprop_port
              (Port number.)  Specifies the port number to be used for
              incremental propagation.  When iprop_enable is true, this
              relation is required in the replica KDC configuration file, and
              this relation or iprop_listen is required in the master
              configuration file, as there is no default port number.  Port
              numbers specified in iprop_listen entries will override this
              port number for the kadmind(8) daemon.

       iprop_resync_timeout
              (Delta time string.)  Specifies the amount of time to wait for a
              full propagation to complete.  This is optional in configuration
              files, and is used by replica KDCs only.  The default value is 5
              minutes (5m).  New in release 1.11.

       iprop_logfile
              (File name.)  Specifies where the update log file for the realm
              database is to be stored.  The default is to use the
              database_name entry from the realms section of the krb5 config
              file, with .ulog appended.  (NOTE: If database_name isn't
              specified in the realms section, perhaps because the LDAP
              database back end is being used, or the file name is specified
              in the [dbmodules] section, then the hard-coded default for
              database_name is used.  Determination of the iprop_logfile
              default value will not use values from the [dbmodules]
              section.)

       kadmind_listen
              (Whitespace- or comma-separated list.)  Specifies the kadmin RPC
              listening addresses and/or ports for the kadmind(8) daemon.
              Each entry may be an interface address, a port number, or an
              address and port number separated by a colon.  If the address
              contains colons, enclose it in square brackets.  If no address
              is specified, the wildcard address is used.  If kadmind fails to
              bind to any of the specified addresses, it will fail to start.
              The default is to bind to the wildcard address at the port
              specified in kadmind_port, or the standard kadmin port (749).
              New in release 1.15.

       kadmind_port
              (Port number.)  Specifies the port on which the kadmind(8)
              daemon is to listen for this realm.  Port numbers specified in
              kadmind_listen entries will override this port number.  The
              assigned port for kadmind is 749, which is used by default.

       key_stash_file
              (String.)  Specifies the location where the master key has been
              stored (via kdb5_util stash).  The default is
              /var/kerberos/krb5kdc/.k5.REALM, where REALM is the Kerberos
              realm.

       kdc_listen
              (Whitespace- or comma-separated list.)  Specifies the UDP
              listening addresses and/or ports for the krb5kdc(8) daemon.
              Each entry may be an interface address, a port number, or an
              address and port number separated by a colon.  If the address
              contains colons, enclose it in square brackets.  If no address
              is specified, the wildcard address is used.  If no port is
              specified, the standard port (88) is used.  If the KDC daemon
              fails to bind to any of the specified addresses, it will fail
              to start.  The default is to bind to the wildcard address on
              the standard port.  New in release 1.15.

       kdc_ports
              (Whitespace- or comma-separated list, deprecated.)  Prior to
              release 1.15, this relation lists the ports for the krb5kdc(8)
              daemon to listen on for UDP requests.  In release 1.15 and
              later, it has the same meaning as kdc_listen if that relation is
              not defined.

       kdc_tcp_listen
              (Whitespace- or comma-separated list.)  Specifies the TCP
              listening addresses and/or ports for the krb5kdc(8) daemon.
              Each entry may be an interface address, a port number, or an
              address and port number separated by a colon.  If the address
              contains colons, enclose it in square brackets.  If no address
              is specified, the wildcard address is used.  If no port is
              specified, the standard port (88) is used.  To disable
              listening on TCP, set this relation to the empty string with
              kdc_tcp_listen = "".  If the KDC daemon fails to bind to any of
              the specified addresses, it will fail to start.  The default is
              to bind to the wildcard address on the standard port.  New in
              release 1.15.

       kdc_tcp_ports
              (Whitespace- or comma-separated list, deprecated.)  Prior to
              release 1.15, this relation lists the ports for the krb5kdc(8)
              daemon to listen on for UDP requests.  In release 1.15 and
              later, it has the same meaning as kdc_tcp_listen if that
              relation is not defined.

       kpasswd_listen
              (Comma-separated list.)  Specifies the kpasswd listening
              addresses and/or ports for the kadmind(8) daemon.  Each entry
              may be an interface address, a port number, or an address and
              port number separated by a colon.  If the address contains
              colons, enclose it in square brackets.  If no address is
              specified, the wildcard address is used.  If kadmind fails to
              bind to any of the specified addresses, it will fail to start.
              The default is to bind to the wildcard address at the port
              specified in kpasswd_port, or the standard kpasswd port (464).
              New in release 1.15.
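
       The listening-address syntax shared by iprop_listen, kadmind_listen,
       kdc_listen, kdc_tcp_listen and kpasswd_listen above, as an added
       example that is not part of the kdc.conf(5) text or of MIT krb5: it
       parses one such list into (address, port) pairs, applies the wildcard
       address and the relation's default port, rejects malformed entries the
       way the daemons refuse to start on one, and shows the kdc_listen over
       kdc_ports precedence.  The WILDCARD marker, the DEFAULT_PORTS table and
       the realm dict are this example's own conventions.

```python
"""Parse kdc.conf listening-address lists (kdc_listen and friends).

Added example, not MIT krb5 code.  Entry forms per kdc.conf(5): an
address, a port number, or address:port, with a colon-containing (IPv6)
address enclosed in square brackets.  Missing address -> wildcard;
missing port -> the relation's default port.
"""

import re

WILDCARD = "*"   # this example's marker for the wildcard address

# Default ports documented for the listen relations (this example's table).
DEFAULT_PORTS = {
    "kdc_listen": 88,
    "kdc_tcp_listen": 88,
    "kadmind_listen": 749,
    "kpasswd_listen": 464,
    "iprop_listen": None,      # no default: the port comes from iprop_port
}


def parse_listen_entry(entry, default_port):
    """Return (address, port) for one entry, or raise ValueError."""
    entry = entry.strip()
    if entry.startswith("["):                        # [v6addr] or [v6addr]:port
        m = re.fullmatch(r"\[([^\]]+)\](?::(\d+))?", entry)
        if m is None:
            raise ValueError("malformed bracketed address: %r" % entry)
        addr, port = m.group(1), m.group(2)
    elif entry.isdigit():                            # bare port number
        addr, port = None, entry
    elif entry.count(":") == 1:                      # addr:port
        addr, port = entry.split(":")
        if not port.isdigit():
            raise ValueError("bad port in %r" % entry)
    elif ":" in entry:                               # unbracketed IPv6: ambiguous
        raise ValueError("IPv6 address must be bracketed: %r" % entry)
    else:                                            # bare address
        addr, port = entry, None
    if port is None:
        if default_port is None:
            raise ValueError("no port in %r and no default port" % entry)
        port = default_port
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError("port out of range in %r" % entry)
    return (addr or WILDCARD, port)


def parse_listen_list(value, default_port):
    """Split a whitespace- or comma-separated list into (address, port) pairs.

    The empty string yields no listeners (how kdc_tcp_listen = "" disables
    TCP).  A single malformed entry raises: the daemons fail to start rather
    than listen on a subset, and a configuration check should be as strict.
    """
    entries = [e for e in re.split(r"[\s,]+", value.strip()) if e]
    return [parse_listen_entry(e, default_port) for e in entries]


def listen_list_error(value, default_port):
    """Return the parse error for a list value, or None if it is well formed."""
    try:
        parse_listen_list(value, default_port)
    except ValueError as exc:
        return str(exc)
    return None


def kdc_udp_listeners(realm):
    """UDP listeners for krb5kdc from a realm's relations (a plain dict).

    kdc_listen wins; the deprecated kdc_ports is used only when kdc_listen
    is absent; with neither, the wildcard address on the standard port.
    """
    for relation in ("kdc_listen", "kdc_ports"):
        if relation in realm:
            return parse_listen_list(realm[relation], DEFAULT_PORTS["kdc_listen"])
    return [(WILDCARD, DEFAULT_PORTS["kdc_listen"])]
```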

       kpasswd_port
              (Port number.)  Specifies the port on which the kadmind(8)
              daemon is to listen for password change requests for this realm.
              Port numbers specified in kpasswd_listen entries will override
              this port number.  The assigned port for password change
              requests is 464, which is used by default.

       master_key_name
              (String.)  Specifies the name of the principal associated with
              the master key.  The default is K/M.

       master_key_type
              (Key type string.)  Specifies the master key's key type.  The
              default value for this is aes256-cts-hmac-sha1-96.  For a list
              of all possible values, see Encryption types.

       max_life
              (duration string.)  Specifies the maximum time period for which
              a ticket may be valid in this realm.  The default value is 24
              hours.

       max_renewable_life
              (duration string.)  Specifies the maximum time period during
              which a valid ticket may be renewed in this realm.  The default
              value is 0.

       no_host_referral
              (Whitespace- or comma-separated list.)  Lists services to block
              from getting host-based referral processing, even if the client
              marks the server principal as host-based or the service is also
              listed in host_based_services.  no_host_referral = * will
              disable referral processing altogether.

       reject_bad_transit
              (Boolean value.)  If set to true, the KDC will check the list of
              transited realms for cross-realm tickets against the transit
              path computed from the realm names and the capaths section of
              its krb5.conf(5) file; if the path in the ticket to be issued
              contains any realms not in the computed path, the ticket will
              not be issued, and an error will be returned to the client
              instead.  If this value is set to false, such tickets will be
              issued anyway, and it will be left up to the application server
              to validate the realm transit path.

              If the disable-transited-check flag is set in the incoming
              request, this check is not performed at all.  If
              reject_bad_transit is set, such ticket requests will always be
              rejected.

              This transit path checking and config file option currently
              apply only to TGS requests.

              The default value is true.

       restrict_anonymous_to_tgt
              (Boolean value.)  If set to true, the KDC will reject ticket
              requests from anonymous principals to service principals other
              than the realm's ticket-granting service.  This option allows
              anonymous PKINIT to be enabled for use as FAST armor tickets
              without allowing anonymous authentication to services.  The
              default value is false.  New in release 1.9.

       spake_preauth_indicator
              (String.)  Specifies an authentication indicator value that the
              KDC asserts into tickets obtained using SPAKE pre-authentication.
              The default is not to add any indicators.  This option may be
              specified multiple times.  New in release 1.17.

       supported_enctypes
              (List of key:salt strings.)  Specifies the default key/salt
              combinations of principals for this realm.  Any principals
              created through kadmin(1) will have keys of these types.  The
              default value for this tag is aes256-cts-hmac-sha1-96:normal
              aes128-cts-hmac-sha1-96:normal.  For lists of possible values,
              see Keysalt lists.

   [dbdefaults]
       The [dbdefaults] section specifies default values for some database
       parameters, to be used if the [dbmodules] subsection does not contain a
       relation for the tag.  See the [dbmodules] section for the definitions
       of these relations.

       · ldap_kerberos_container_dn

       · ldap_kdc_dn

       · ldap_kdc_sasl_authcid

       · ldap_kdc_sasl_authzid

       · ldap_kdc_sasl_mech

       · ldap_kdc_sasl_realm

       · ldap_kadmind_dn

       · ldap_kadmind_sasl_authcid

       · ldap_kadmind_sasl_authzid

       · ldap_kadmind_sasl_mech

       · ldap_kadmind_sasl_realm

       · ldap_service_password_file

       · ldap_conns_per_server

   [dbmodules]
       The [dbmodules] section contains parameters used by the KDC database
       library and database modules.  Each tag in the [dbmodules] section is
       the name of a Kerberos realm or a section name specified by a realm's
       database_module parameter.  The following example shows how to define
       one database parameter for the ATHENA.MIT.EDU realm:

          [dbmodules]
              ATHENA.MIT.EDU = {
                  disable_last_success = true
              }

       The following tags may be specified in a [dbmodules] subsection:

       database_name
              This DB2-specific tag indicates the location of the database in
              the filesystem.  The default is /var/kerberos/krb5kdc/principal.

       db_library
              This tag indicates the name of the loadable database module.
              The value should be db2 for the DB2 module, klmdb for the LMDB
              module, or kldap for the LDAP module.

       disable_last_success
              If set to true, suppresses KDC updates to the "Last successful
              authentication" field of principal entries requiring
              preauthentication.  Setting this flag may improve performance.
              (Principal entries which do not require preauthentication never
              update the "Last successful authentication" field.)  First
              introduced in release 1.9.

       disable_lockout
              If set to true, suppresses KDC updates to the "Last failed
              authentication" and "Failed password attempts" fields of
              principal entries requiring preauthentication.  Setting this
              flag may improve performance, but also disables account
              lockout.  First introduced in release 1.9.

       ldap_conns_per_server
              This LDAP-specific tag indicates the number of connections to be
              maintained per LDAP server.

       ldap_kdc_dn and ldap_kadmind_dn
              These LDAP-specific tags indicate the default DN for binding to
              the LDAP server.  The krb5kdc(8) daemon uses ldap_kdc_dn, while
              the kadmind(8) daemon and other administrative programs use
              ldap_kadmind_dn.  The kadmind DN must have the rights to read
              and write the Kerberos data in the LDAP database.  The KDC DN
              must have the same rights, unless disable_lockout and
              disable_last_success are true, in which case it only needs to
              have rights to read the Kerberos data.  These tags are ignored
              if a SASL mechanism is set with ldap_kdc_sasl_mech or
              ldap_kadmind_sasl_mech.

       ldap_kdc_sasl_mech and ldap_kadmind_sasl_mech
              These LDAP-specific tags specify the SASL mechanism (such as
              EXTERNAL) to use when binding to the LDAP server.  New in
              release 1.13.

       ldap_kdc_sasl_authcid and ldap_kadmind_sasl_authcid
              These LDAP-specific tags specify the SASL authentication
              identity to use when binding to the LDAP server.  Not all SASL
              mechanisms require an authentication identity.  If the SASL
              mechanism requires a secret (such as the password for
              DIGEST-MD5), these tags also determine the name within the
              ldap_service_password_file where the secret is stashed.  New in
              release 1.13.

       ldap_kdc_sasl_authzid and ldap_kadmind_sasl_authzid
              These LDAP-specific tags specify the SASL authorization identity
              to use when binding to the LDAP server.  In most circumstances
              they do not need to be specified.  New in release 1.13.

       ldap_kdc_sasl_realm and ldap_kadmind_sasl_realm
              These LDAP-specific tags specify the SASL realm to use when
              binding to the LDAP server.  In most circumstances they do not
              need to be set.  New in release 1.13.

       ldap_kerberos_container_dn
              This LDAP-specific tag indicates the DN of the container object
              where the realm objects will be located.

       ldap_servers
              This LDAP-specific tag indicates the list of LDAP servers that
              the Kerberos servers can connect to.  The list of LDAP servers
              is whitespace-separated.  Each LDAP server is specified by an
              LDAP URI.  It is recommended to use ldapi: or ldaps: URLs to
              connect to the LDAP server.

       ldap_service_password_file
              This LDAP-specific tag indicates the file containing the stashed
              passwords (created by kdb5_ldap_util stashsrvpw) for the
              ldap_kdc_dn and ldap_kadmind_dn objects, or for the
              ldap_kdc_sasl_authcid or ldap_kadmind_sasl_authcid names for
              SASL authentication.  This file must be kept secure.

       mapsize
              This LMDB-specific tag indicates the maximum size of the two
              database environments in megabytes.  The default value is 128.
              Increase this value to address "Environment mapsize limit
              reached" errors.  New in release 1.17.

       max_readers
              This LMDB-specific tag indicates the maximum number of
              concurrent reading processes for the databases.  The default
              value is 128.  New in release 1.17.

       nosync This LMDB-specific tag can be set to improve the throughput of
              kadmind and other administrative agents, at the expense of
              durability (recent database changes may not survive a power
              outage or other sudden reboot).  It does not affect the
              throughput of the KDC.  The default value is false.  New in
              release 1.17.

       unlockiter
              If set to true, this DB2-specific tag causes iteration
              operations to release the database lock while processing each
              principal.  Setting this flag to true can prevent extended
              blocking of KDC or kadmin operations when dumps of large
              databases are in progress.  First introduced in release 1.13.

       The following tag may be specified directly in the [dbmodules] section
       to control where database modules are loaded from:

       db_module_dir
              This tag controls where the plugin system looks for database
              modules.  The value should be an absolute path.

587   [logging]
588       The [logging] section indicates how krb5kdc(8) and  kadmind(8)  perform
589       logging.  It may contain the following relations:
590
591       admin_server
592              Specifies how kadmind(8) performs logging.
593
594       kdc    Specifies how krb5kdc(8) performs logging.
595
596       default
597              Specifies  how  either daemon performs logging in the absence of
598              relations specific to the daemon.
599
600       debug  (Boolean  value.)   Specifies  whether  debugging  messages  are
601              included  in  log outputs other than SYSLOG.  Debugging messages
602              are always included in the system log output because syslog per‐
603              forms  its  own priority filtering.  The default value is false.
604              New in release 1.15.
605
606       Logging specifications may have the following forms:
607
608       FILE=filename or FILE:filename
609              This value causes the daemon's logging messages  to  go  to  the
610              filename.   If  the = form is used, the file is overwritten.  If
611              the : form is used, the file is appended to.
612
613       STDERR This value causes the daemon's logging messages  to  go  to  its
614              standard error stream.
615
616       CONSOLE
617              This  value  causes  the  daemon's logging messages to go to the
618              console, if the system supports it.
619
620       DEVICE=<devicename>
621              This causes the daemon's logging messages to go to the specified
622              device.
623
624       SYSLOG[:severity[:facility]]
625              This  causes  the  daemon's logging messages to go to the system
626              log.
627
628              For backward compatibility, a severity argument  may  be  speci‐
629              fied,  and  must  be  specified  in order to specify a facility.
630              This argument will be ignored.
631
632              The facility argument specifies the  facility  under  which  the
633              messages  are  logged.  This may be any of the following facili‐
634              ties supported by the syslog(3)  call  minus  the  LOG_  prefix:
635              KERN,  USER,  MAIL,  DAEMON,  AUTH,  LPR,  NEWS, UUCP, CRON, and
636              LOCAL0 through LOCAL7.  If no facility is specified, the default
637              is AUTH.
638
639       In  the following example, the logging messages from the KDC will go to
640       the console and to the system log under the  facility  LOG_DAEMON,  and
641       the logging messages from the administrative server will be appended to
642       the file /var/adm/kadmin.log and sent to the device /dev/tty04.
643
644          [logging]
645              kdc = CONSOLE
646              kdc = SYSLOG:INFO:DAEMON
647              admin_server = FILE:/var/adm/kadmin.log
648              admin_server = DEVICE=/dev/tty04
649
       If no logging specification is given, the default is to use syslog.  To
       disable logging entirely, specify default = DEVICE=/dev/null and give no
       kdc or admin_server relation (either of those would take precedence
       over default for its daemon).  Doing so discards the record of every
       authentication the KDC performs, so it is not appropriate for a
       production realm.
652
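       The following program, added here as an example and not part of MIT
       Kerberos, parses the logging specification forms listed above and
       lints a [logging] section for settings that weaken the audit trail
       (FILE= truncation, DEVICE=/dev/null, a default relation shadowed by a
       daemon-specific one, a severity field that is silently ignored).  The
       relations it operates on are constructed; the first set reproduces the
       example above.

```python
"""Parse and lint the [logging] relations of a kdc.conf file.

Added example, not MIT Kerberos code.  It accepts the specification forms
documented in kdc.conf(5) (FILE=/FILE:, STDERR, CONSOLE, DEVICE=,
SYSLOG[:severity[:facility]]) and flags settings that silently weaken
the authentication audit trail.  The sample relations at the bottom are
constructed for illustration.
"""

SYSLOG_FACILITIES = {"KERN", "USER", "MAIL", "DAEMON", "AUTH", "LPR", "NEWS",
                     "UUCP", "CRON"} | {"LOCAL%d" % i for i in range(8)}


def parse_logging_spec(spec):
    """Return (kind, detail, warnings) for one logging specification value."""
    spec = spec.strip()
    warnings = []
    if spec[:5] in ("FILE=", "FILE:"):
        path = spec[5:]
        if not path:
            raise ValueError("FILE specification without a filename")
        mode = "truncate" if spec[4] == "=" else "append"
        if mode == "truncate":
            warnings.append("FILE= truncates %s at every daemon start; "
                            "use FILE: to keep history" % path)
        return "FILE", {"path": path, "mode": mode}, warnings
    if spec in ("STDERR", "CONSOLE"):
        return spec, {}, warnings
    if spec.startswith("DEVICE="):
        device = spec[7:]
        if not device:
            raise ValueError("DEVICE specification without a device name")
        if device == "/dev/null":
            warnings.append("DEVICE=/dev/null discards all log output")
        return "DEVICE", {"device": device}, warnings
    if spec == "SYSLOG" or spec.startswith("SYSLOG:"):
        parts = spec.split(":")
        if len(parts) > 3:
            raise ValueError("too many fields in %r" % spec)
        if len(parts) >= 2:
            warnings.append("severity %r is ignored; syslog does its own "
                            "priority filtering" % parts[1])
        facility = parts[2].upper() if len(parts) == 3 else "AUTH"
        if facility not in SYSLOG_FACILITIES:
            raise ValueError("unknown syslog facility %r" % parts[2])
        return "SYSLOG", {"facility": facility}, warnings
    raise ValueError("unrecognised logging specification %r" % spec)


def lint_logging(relations):
    """relations: (tag, value) pairs in file order, since tags may repeat.

    Returns ({daemon: [(kind, detail), ...]}, warnings).  A daemon-specific
    relation replaces 'default' for that daemon, and a daemon with no
    specification at all logs to syslog.
    """
    sinks = {"kdc": [], "admin_server": [], "default": []}
    warnings = []
    for tag, value in relations:
        if tag == "debug":
            continue
        if tag not in sinks:
            warnings.append("unknown [logging] relation %r" % tag)
            continue
        kind, detail, w = parse_logging_spec(value)
        sinks[tag].append((kind, detail))
        warnings.extend("%s: %s" % (tag, msg) for msg in w)
    effective = {}
    for daemon in ("kdc", "admin_server"):
        chosen = sinks[daemon] or sinks["default"] or [("SYSLOG", {"facility": "AUTH"})]
        if sinks[daemon] and sinks["default"]:
            warnings.append("%s: 'default' is ignored because a daemon-specific "
                            "relation is present" % daemon)
        if all(k == "DEVICE" and d["device"] == "/dev/null" for k, d in chosen):
            warnings.append("%s: logging is effectively disabled" % daemon)
        effective[daemon] = chosen
    return effective, warnings


# Constructed samples: the manual's example plus a disabled-logging variant.
MANUAL_EXAMPLE = [
    ("kdc", "CONSOLE"),
    ("kdc", "SYSLOG:INFO:DAEMON"),
    ("admin_server", "FILE:/var/adm/kadmin.log"),
    ("admin_server", "DEVICE=/dev/tty04"),
]
DISABLED_EXAMPLE = [("default", "DEVICE=/dev/null")]

if __name__ == "__main__":
    for name, rel in (("manual", MANUAL_EXAMPLE), ("disabled", DISABLED_EXAMPLE)):
        effective, warnings = lint_logging(rel)
        print(name, effective)
        for w in warnings:
            print("  warning:", w)
```

       Run it on the relations extracted from a real kdc.conf (for instance
       with the profile-dumping tools shipped with the distribution) before
       a restart; the FILE= and /dev/null findings are the ones that are
       usually only noticed after an incident.
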
653   [otp]
654       Each  subsection  of  [otp] is the name of an OTP token type.  The tags
655       within the subsection define the configuration required  to  forward  a
656       One Time Password request to a RADIUS server.
657
658       For each token type, the following tags may be specified:
659
       server This is the server to send the RADIUS request to.  It can be a
              hostname with optional port, an IP address with optional port,
              or a Unix domain socket address.  The default is
              /var/kerberos/krb5kdc/<name>.socket.

       secret This tag indicates a filename (which may be relative to
              /var/kerberos/krb5kdc) containing the RADIUS shared secret,
              which authenticates the packets exchanged with the server and
              hides the password attribute in them.  The secret should
              appear in the first line of the file by itself; leading and
              trailing whitespace on the line will be removed.  If the value
              of server is a Unix domain socket address, this tag is
              optional, and an empty secret will be used if it is not
              specified.  Otherwise, this tag is required.  Keep the file
              readable only by the user the KDC runs as: anyone who can read
              it and see the traffic can forge RADIUS responses, and
              therefore OTP approvals, to the KDC.

       timeout
              An integer which specifies the time in seconds during which the
              KDC should attempt to contact the RADIUS server.  This tag is
              the total time across all retries and should be less than the
              time for which an OTP value remains valid.  The default is 5
              seconds.

       retries
              This tag specifies the number of retries to make to the RADIUS
              server.  The default is 3 retries (4 tries).
683
684       strip_realm
685              If  this  tag  is  true, the principal without the realm will be
686              passed to the RADIUS  server.   Otherwise,  the  realm  will  be
687              included.  The default value is true.
688
689       indicator
690              This tag specifies an authentication indicator to be included in
691              the ticket if this token type is  used  to  authenticate.   This
692              option may be specified multiple times.  (New in release 1.14.)
693
       In the following example, requests are sent to a remote server via UDP,
       using the shared secret stored in /var/kerberos/krb5kdc/radius.secret
       (the secret tag names that file, not the secret itself):

          [otp]
              MyRemoteTokenType = {
                  server = radius.mydomain.com:1812
                  secret = radius.secret
                  timeout = 15
                  retries = 5
                  strip_realm = true
              }
704
705       An  implicit  default  token type named DEFAULT is defined for when the
706       per-principal configuration does not specify a token type.  Its config‐
707       uration  is shown below.  You may override this token type to something
708       applicable for your situation:
709
710          [otp]
711              DEFAULT = {
712                  strip_realm = false
713              }
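
       The following program, added here as an example and not part of MIT
       Kerberos, resolves one [otp] token-type subsection the way the rules
       above describe: the default socket path, the secret file, the
       empty-secret exception for Unix domain sockets, the retry budget, and
       the User-Name produced by strip_realm.  The state directory it creates
       (demo_state_dir) and its radius.secret file are constructed; the
       RADIUS port 1812, the even split of timeout across tries and the
       30-second OTP validity window used by its check are assumptions of
       this example, not statements from the manual.

```python
"""Resolve an [otp] token-type subsection as the KDC would use it.

Added example, not MIT Kerberos code.  Documented rules applied here:
the default server is <KDC state dir>/<name>.socket; 'secret' names a
file whose first line holds the RADIUS shared secret; an empty secret is
allowed only for a Unix domain socket; 'timeout' is the total budget
across retries + 1 tries; strip_realm controls the User-Name sent.
Assumptions not stated in the manual: RADIUS port 1812 when none is
given, an even split of the timeout across tries, and a 30-second OTP
validity window for the sanity check.
"""
import os
import stat
import tempfile

KDC_STATE_DIR = "/var/kerberos/krb5kdc"
RADIUS_AUTH_PORT = 1812          # assumption: standard RADIUS auth port
OTP_VALIDITY_SECONDS = 30        # assumption: typical TOTP step


def parse_server(value, token_name, kdc_dir=KDC_STATE_DIR):
    """Return ("unix", path) or ("udp", host, port)."""
    if value is None:
        return ("unix", os.path.join(kdc_dir, token_name + ".socket"))
    if value.startswith("/"):
        return ("unix", value)
    if value.startswith("["):                      # [ipv6]:port or [ipv6]
        host, _, rest = value[1:].partition("]")
        port = int(rest[1:]) if rest.startswith(":") else RADIUS_AUTH_PORT
        return ("udp", host, port)
    host, sep, port = value.partition(":")
    return ("udp", host, int(port) if sep else RADIUS_AUTH_PORT)


def read_secret(filename, kdc_dir=KDC_STATE_DIR):
    """Read the shared secret: first line of the file, whitespace stripped."""
    path = filename if os.path.isabs(filename) else os.path.join(kdc_dir, filename)
    warnings = []
    if os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        warnings.append("%s is readable by group or others; anyone who can "
                        "read it can forge RADIUS responses" % path)
    with open(path) as f:
        return f.readline().strip(), warnings


def resolve_token_type(name, cfg, kdc_dir=KDC_STATE_DIR):
    """cfg: the tags of one [otp] subsection, as strings."""
    defaults = {"timeout": "5", "retries": "3", "strip_realm": "true"}
    if name == "DEFAULT":
        defaults["strip_realm"] = "false"   # implicit DEFAULT shown in the manual
    merged = {**defaults, **cfg}
    warnings = []
    server = parse_server(merged.get("server"), name, kdc_dir)
    if "secret" in merged:
        secret, w = read_secret(merged["secret"], kdc_dir)
        warnings += w
    elif server[0] == "unix":
        secret = ""
    else:
        raise ValueError("%s: 'secret' is required unless server is a Unix "
                         "domain socket" % name)
    timeout, retries = int(merged["timeout"]), int(merged["retries"])
    if timeout >= OTP_VALIDITY_SECONDS:
        warnings.append("%s: timeout %ds is not below the OTP validity window "
                        "(%ds)" % (name, timeout, OTP_VALIDITY_SECONDS))
    return {
        "server": server,
        "secret": secret,
        "timeout": timeout,
        "tries": retries + 1,
        "per_try_timeout": timeout / (retries + 1),
        "strip_realm": merged["strip_realm"].lower() == "true",
        "warnings": warnings,
    }


def radius_user_name(principal, strip_realm):
    """User-Name attribute sent to RADIUS: drop @REALM when strip_realm is true."""
    if strip_realm and "@" in principal:
        return principal.rsplit("@", 1)[0]
    return principal


def demo_state_dir():
    """Constructed stand-in for the KDC state directory, holding radius.secret."""
    d = tempfile.mkdtemp()
    path = os.path.join(d, "radius.secret")
    with open(path, "w") as f:
        f.write("  SEmfiajf42$  \n")
    os.chmod(path, 0o600)
    return d


if __name__ == "__main__":
    d = demo_state_dir()
    cfg = {"server": "radius.mydomain.com:1812", "secret": "radius.secret",
           "timeout": "15", "retries": "5", "strip_realm": "true"}
    r = resolve_token_type("MyRemoteTokenType", cfg, kdc_dir=d)
    print(r, radius_user_name("alice@EXAMPLE.COM", r["strip_realm"]))
    print(resolve_token_type("DEFAULT", {}, kdc_dir=d))
```

       The permission check in read_secret is the one worth keeping: a
       world-readable secret file turns every local account into a RADIUS
       server as far as the KDC is concerned.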
714

PKINIT OPTIONS

       NOTE:
          The following are pkinit-specific options.  These values may be
          specified in [kdcdefaults] as global defaults, or within a
          realm-specific subsection of [realms].  Also note that a
          realm-specific value overrides, rather than adds to, a generic
          [kdcdefaults] specification, even for options that may be given
          multiple times.  The search order is:
722
723       1. realm-specific subsection of [realms]:
724
725             [realms]
726                 EXAMPLE.COM = {
727                     pkinit_anchors = FILE:/usr/local/example.com.crt
728                 }
729
730       2. generic value in the [kdcdefaults] section:
731
732             [kdcdefaults]
733                 pkinit_anchors = DIR:/usr/local/generic_trusted_cas/
734
735       For information about the syntax of some of these options, see Specify‐
736       ing PKINIT identity information in krb5.conf(5).
737
738       pkinit_anchors
739              Specifies  the  location  of  trusted anchor (root) certificates
740              which the KDC trusts to sign client certificates.   This  option
741              is  required  if  pkinit  is  to  be supported by the KDC.  This
742              option may be specified multiple times.
743
744       pkinit_dh_min_bits
745              Specifies the minimum number of  bits  the  KDC  is  willing  to
746              accept for a client's Diffie-Hellman key.  The default is 2048.
747
748       pkinit_allow_upn
749              Specifies  that the KDC is willing to accept client certificates
750              with the Microsoft UserPrincipalName (UPN)  Subject  Alternative
751              Name  (SAN).   This means the KDC accepts the binding of the UPN
752              in the certificate to the Kerberos principal name.  The  default
753              value is false.
754
755              Without  this option, the KDC will only accept certificates with
756              the id-pkinit-san as defined in RFC 4556.  There is currently no
757              option to disable SAN checking in the KDC.
758
759       pkinit_eku_checking
760              This  option  specifies what Extended Key Usage (EKU) values the
761              KDC is willing to accept in  client  certificates.   The  values
762              recognized in the kdc.conf file are:
763
764              kpClientAuth
765                     This  is the default value and specifies that client cer‐
766                     tificates must have  the  id-pkinit-KPClientAuth  EKU  as
767                     defined in RFC 4556.
768
769              scLogin
770                     If scLogin is specified, client certificates with the Mi‐
771                     crosoft Smart Card Login EKU (id-ms-kp-sc-logon) will  be
772                     accepted.
773
              none   If none is specified, then client certificates will not
                     be checked to verify they have an acceptable EKU.  The
                     use of this option is not recommended: any certificate
                     chaining to a trusted anchor, including ones issued for
                     unrelated purposes such as TLS client authentication,
                     could then be used to authenticate as the principal
                     named in its SAN.
777
778       pkinit_identity
779              Specifies  the location of the KDC's X.509 identity information.
780              This option is required if pkinit is to be supported by the KDC.
781
782       pkinit_indicator
783              Specifies an authentication indicator to include in  the  ticket
784              if pkinit is used to authenticate.  This option may be specified
785              multiple times.  (New in release 1.14.)
786
787       pkinit_pool
788              Specifies the location of intermediate certificates which may be
789              used  by  the KDC to complete the trust chain between a client's
790              certificate and a trusted anchor.  This option may be  specified
791              multiple times.
792
793       pkinit_revoke
794              Specifies  the  location  of  Certificate  Revocation List (CRL)
795              information to be used by the KDC when verifying the validity of
796              client  certificates.   This  option  may  be specified multiple
797              times.
798
799       pkinit_require_crl_checking
800              The default certificate verification process will  always  check
801              the available revocation information to see if a certificate has
802              been revoked.  If a match is found for the certificate in a CRL,
803              verification  fails.   If  the certificate being verified is not
804              listed in a CRL, or there is no CRL present for its issuing  CA,
805              and pkinit_require_crl_checking is false, then verification suc‐
806              ceeds.
807
808              However, if pkinit_require_crl_checking is true and there is  no
809              CRL  information available for the issuing CA, then verification
810              fails.
811
812              pkinit_require_crl_checking should be set to true if the  policy
813              is such that up-to-date CRLs must be present for every CA.
814
815       pkinit_require_freshness
816              Specifies  whether  to  require  clients  to include a freshness
817              token in PKINIT requests.  The default value is false.  (New  in
818              release 1.17.)
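
       The following program, added here as an example and not part of MIT
       Kerberos, shows the realm-overrides-kdcdefaults lookup from the search
       order above and the decisions that pkinit_eku_checking,
       pkinit_allow_upn and pkinit_require_crl_checking make on a client
       certificate.  The certificates are constructed and reduced to the
       fields those options act on (no X.509 parsing); the principal and UPN
       comparison is a plain string match, a simplification of the library's
       principal comparison.

```python
"""Apply the KDC-side PKINIT client-certificate policy from kdc.conf(5).

Added example, not MIT Kerberos code.  A certificate is reduced to the
fields the options act on (EKU OIDs, SAN otherName values, revocation
state); X.509 parsing and chain building are out of scope.  The
id-pkinit-KPClientAuth and id-pkinit-san OIDs are from RFC 4556; the
Smart Card Logon EKU and UPN SAN OIDs are Microsoft's published values.
Principal/UPN comparison is a plain string match, a simplification.
The certificates and profile fragments at the bottom are constructed.
"""
from dataclasses import dataclass

ID_PKINIT_KPCLIENTAUTH = "1.3.6.1.5.2.3.4"
ID_MS_KP_SC_LOGON = "1.3.6.1.4.1.311.20.2.2"
ID_PKINIT_SAN = "1.3.6.1.5.2.2"
ID_MS_UPN_SAN = "1.3.6.1.4.1.311.20.2.3"
ID_KP_CLIENTAUTH = "1.3.6.1.5.5.7.3.2"        # ordinary TLS client-auth EKU


@dataclass
class ClientCert:
    eku: tuple              # EKU OIDs present
    sans: dict              # otherName OID -> name
    crl_present: bool       # a CRL for the issuing CA was loaded (pkinit_revoke)
    revoked: bool = False   # serial is listed in that CRL


@dataclass
class PkinitPolicy:
    pkinit_eku_checking: str = "kpClientAuth"
    pkinit_allow_upn: bool = False
    pkinit_require_crl_checking: bool = False


def pkinit_option(kdcdefaults, realms, realm, tag):
    """Realm-specific values replace, not extend, [kdcdefaults] values."""
    values = realms.get(realm, {}).get(tag)
    return list(values if values is not None else kdcdefaults.get(tag, []))


def check_revocation(cert, policy):
    if cert.revoked:
        return False
    return cert.crl_present or not policy.pkinit_require_crl_checking


def check_eku(cert, policy):
    mode = policy.pkinit_eku_checking
    if mode == "none":
        return True
    accepted = {ID_PKINIT_KPCLIENTAUTH}
    if mode == "scLogin":
        accepted.add(ID_MS_KP_SC_LOGON)
    elif mode != "kpClientAuth":
        raise ValueError("bad pkinit_eku_checking value %r" % mode)
    return bool(accepted & set(cert.eku))


def check_san(cert, policy, client_principal):
    """There is no option to disable SAN checking: one SAN form must match."""
    if cert.sans.get(ID_PKINIT_SAN) == client_principal:
        return True
    return policy.pkinit_allow_upn and cert.sans.get(ID_MS_UPN_SAN) == client_principal


def verify_client_cert(cert, policy, client_principal):
    """Return (accepted, reason), checking revocation, then EKU, then SAN."""
    if not check_revocation(cert, policy):
        return False, "revoked or no CRL available while one is required"
    if not check_eku(cert, policy):
        return False, "no acceptable EKU"
    if not check_san(cert, policy, client_principal):
        return False, "no SAN binds the certificate to " + client_principal
    return True, "ok"


# Constructed certificates: a smart-card logon cert and a plain TLS client cert.
SMARTCARD_CERT = ClientCert(eku=(ID_MS_KP_SC_LOGON, ID_KP_CLIENTAUTH),
                            sans={ID_MS_UPN_SAN: "alice@EXAMPLE.COM"},
                            crl_present=False)
TLS_CLIENT_CERT = ClientCert(eku=(ID_KP_CLIENTAUTH,),
                             sans={ID_PKINIT_SAN: "bob@EXAMPLE.COM"},
                             crl_present=True)

# Constructed profile fragments mirroring the search-order example.
KDCDEFAULTS = {"pkinit_anchors": ["DIR:/usr/local/generic_trusted_cas/"]}
REALMS = {"EXAMPLE.COM": {"pkinit_anchors": ["FILE:/usr/local/example.com.crt"]}}

if __name__ == "__main__":
    print(pkinit_option(KDCDEFAULTS, REALMS, "EXAMPLE.COM", "pkinit_anchors"))
    for policy in (PkinitPolicy(),
                   PkinitPolicy("scLogin", pkinit_allow_upn=True),
                   PkinitPolicy("none")):
        print(policy,
              verify_client_cert(SMARTCARD_CERT, policy, "alice@EXAMPLE.COM"),
              verify_client_cert(TLS_CLIENT_CERT, policy, "bob@EXAMPLE.COM"))
```

       Two results are the ones to notice: with pkinit_eku_checking = none
       the TLS-only certificate is accepted for bob, and even then the
       smart-card certificate is still rejected until pkinit_allow_upn is set,
       because SAN checking cannot be turned off.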
819

ENCRYPTION TYPES

821       Any  tag in the configuration files which requires a list of encryption
822       types can be set to some combination of the following strings.  Encryp‐
823       tion  types  marked  as  "weak" are available for compatibility but not
824       recommended for use.
825
             ┌───────────────────────────┬─────────────────────────────┐
             │aes256-cts-hmac-sha1-96    │ AES-256 CTS mode with       │
             │aes256-cts aes256-sha1     │ 96-bit SHA-1 HMAC           │
             ├───────────────────────────┼─────────────────────────────┤
             │aes128-cts-hmac-sha1-96    │ AES-128 CTS mode with       │
             │aes128-cts aes128-sha1     │ 96-bit SHA-1 HMAC           │
             ├───────────────────────────┼─────────────────────────────┤
             │aes256-cts-hmac-sha384-192 │ AES-256 CTS mode with       │
             │aes256-sha2                │ 192-bit SHA-384 HMAC        │
             ├───────────────────────────┼─────────────────────────────┤
             │aes128-cts-hmac-sha256-128 │ AES-128 CTS mode with       │
             │aes128-sha2                │ 128-bit SHA-256 HMAC        │
             ├───────────────────────────┼─────────────────────────────┤
             │arcfour-hmac rc4-hmac      │ RC4 with HMAC/MD5           │
             │arcfour-hmac-md5           │                             │
             ├───────────────────────────┼─────────────────────────────┤
             │arcfour-hmac-exp           │ Exportable RC4 with         │
             │rc4-hmac-exp               │ HMAC/MD5 (weak)             │
             │arcfour-hmac-md5-exp       │                             │
             ├───────────────────────────┼─────────────────────────────┤
             │camellia256-cts-cmac       │ Camellia-256 CTS mode with  │
             │camellia256-cts            │ CMAC                        │
             ├───────────────────────────┼─────────────────────────────┤
             │camellia128-cts-cmac       │ Camellia-128 CTS mode with  │
             │camellia128-cts            │ CMAC                        │
             ├───────────────────────────┼─────────────────────────────┤
             │aes                        │ The AES family:             │
             │                           │ aes256-cts-hmac-sha1-96,    │
             │                           │ aes128-cts-hmac-sha1-96,    │
             │                           │ aes256-cts-hmac-sha384-192, │
             │                           │ and                         │
             │                           │ aes128-cts-hmac-sha256-128  │
             ├───────────────────────────┼─────────────────────────────┤
             │rc4                        │ The RC4 family:             │
             │                           │ arcfour-hmac                │
             ├───────────────────────────┼─────────────────────────────┤
             │camellia                   │ The Camellia family:        │
             │                           │ camellia256-cts-cmac and    │
             │                           │ camellia128-cts-cmac        │
             └───────────────────────────┴─────────────────────────────┘
870
871       The string DEFAULT can be used to refer to the default set of types for
872       the  variable  in  question.  Types or families can be removed from the
873       current list by prefixing them with a minus sign ("-").  Types or fami‐
874       lies  can  be  prefixed with a plus sign ("+") for symmetry; it has the
875       same meaning as just listing the type or family.  For example, "DEFAULT
876       -rc4"  would  be  the  default  set  of encryption types with RC4 types
877       removed, and "aes128-sha2 DEFAULT" would be the default set of  encryp‐
878       tion types with aes128-sha2 moved to the front.
879
880       While  aes128-cts  and aes256-cts are supported for all Kerberos opera‐
881       tions, they are not supported by very old versions of our GSSAPI imple‐
882       mentation  (krb5-1.3.1 and earlier).  Services running versions of krb5
883       without AES support must not be given keys of these encryption types in
884       the KDC database.
885
886       The  aes128-sha2  and  aes256-sha2  encryption types are new in release
887       1.15.  Services running versions of  krb5  without  support  for  these
888       newer encryption types must not be given keys of these encryption types
889       in the KDC database.
890

KEYSALT LISTS

892       Kerberos keys for users are usually derived from  passwords.   Kerberos
893       commands  and  configuration  parameters that affect generation of keys
894       take lists of enctype-salttype  ("keysalt")  pairs,  known  as  keysalt
895       lists.   Each  keysalt  pair  is an enctype name followed by a salttype
896       name, in the format enc:salt.  Individual keysalt list members are sep‐
897       arated by comma (",") characters or space characters.  For example:
898
899          kadmin -e aes256-cts:normal,aes128-cts:normal
900
901       would  start  up  kadmin  so  that  by  default it would generate pass‐
902       word-derived keys for the aes256-cts and aes128-cts  encryption  types,
903       using a normal salt.
904
905       To  ensure that people who happen to pick the same password do not have
906       the same key, Kerberos 5 incorporates more  information  into  the  key
907       using  something  called  a salt.  The supported salt types are as fol‐
908       lows:
909
                      ┌──────────┬────────────────────────────┐
                      │normal    │ default for Kerberos       │
                      │          │ Version 5                  │
                      ├──────────┼────────────────────────────┤
                      │norealm   │ same as the default,       │
                      │          │ without using realm        │
                      │          │ information                │
                      ├──────────┼────────────────────────────┤
                      │onlyrealm │ uses only realm            │
                      │          │ information as the salt    │
                      ├──────────┼────────────────────────────┤
                      │special   │ generate a random salt     │
                      └──────────┴────────────────────────────┘
924
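       The following program, added here as an example and not part of MIT
       Kerberos, implements the list rules from the ENCRYPTION TYPES section
       above (aliases, families, DEFAULT, removal with "-", the optional "+",
       duplicate suppression and first-mention ordering) and the enc:salt
       keysalt lists described in this section, sharing one alias table
       between the two.  The DEFAULT set it expands (EXAMPLE_DEFAULT) is
       constructed for illustration and is not the library's built-in default
       for any tag; giving a bare enctype in a keysalt list the normal salt is
       this example's choice.

```python
"""Expand encryption-type lists and parse keysalt lists per kdc.conf(5).

Added example, not MIT Kerberos code.  Documented rules implemented: alias
and family names, DEFAULT, removal with '-', the optional '+', duplicate
suppression and first-mention ordering (so "aes128-sha2 DEFAULT" moves
that type to the front).  EXAMPLE_DEFAULT is constructed for illustration;
the library's built-in default differs per tag and release.  A keysalt
token without ':' gets the normal salt here, which is this example's choice.
"""

# Canonical enctype -> aliases, from the ENCRYPTION TYPES table.
ENCTYPES = {
    "aes256-cts-hmac-sha1-96": ("aes256-cts", "aes256-sha1"),
    "aes128-cts-hmac-sha1-96": ("aes128-cts", "aes128-sha1"),
    "aes256-cts-hmac-sha384-192": ("aes256-sha2",),
    "aes128-cts-hmac-sha256-128": ("aes128-sha2",),
    "arcfour-hmac": ("rc4-hmac", "arcfour-hmac-md5"),
    "arcfour-hmac-exp": ("rc4-hmac-exp", "arcfour-hmac-md5-exp"),
    "camellia256-cts-cmac": ("camellia256-cts",),
    "camellia128-cts-cmac": ("camellia128-cts",),
}
FAMILIES = {
    "aes": ("aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96",
            "aes256-cts-hmac-sha384-192", "aes128-cts-hmac-sha256-128"),
    "rc4": ("arcfour-hmac",),
    "camellia": ("camellia256-cts-cmac", "camellia128-cts-cmac"),
}
WEAK = {"arcfour-hmac-exp"}                     # marked weak in the table
SALTTYPES = {"normal", "norealm", "onlyrealm", "special"}

CANONICAL = {alias: canon for canon, aliases in ENCTYPES.items() for alias in aliases}
CANONICAL.update((canon, canon) for canon in ENCTYPES)


def canonical_enctype(name):
    """Canonical name for a single enctype or alias (families not allowed)."""
    try:
        return CANONICAL[name.lower()]
    except KeyError:
        raise ValueError("unknown encryption type %r" % name) from None


def resolve_enctype(name):
    """Canonical enctypes named by one list token: a type, alias, or family."""
    if name.lower() in FAMILIES:
        return list(FAMILIES[name.lower()])
    return [canonical_enctype(name)]


def parse_enctype_list(spec, default):
    """Expand a list such as "DEFAULT -rc4"; 'default' is the tag's default set."""
    result = []
    for token in spec.replace(",", " ").split():
        sign, name = (token[0], token[1:]) if token[0] in "+-" else ("+", token)
        if not name:
            raise ValueError("bare sign in enctype list %r" % spec)
        types = list(default) if name.upper() == "DEFAULT" else resolve_enctype(name)
        if sign == "-":
            result = [t for t in result if t not in types]
        else:
            for t in types:                     # keep first mention, drop dups
                if t not in result:
                    result.append(t)
    return result


def weak_types(types):
    """Members of an expanded list that the table marks as weak."""
    return [t for t in types if t in WEAK]


def parse_keysalt_list(spec):
    """Parse "enc:salt" pairs separated by commas or spaces into canonical pairs."""
    pairs = []
    for token in spec.replace(",", " ").split():
        enc, sep, salt = token.partition(":")
        salt = salt if sep else "normal"        # example's choice for a bare enctype
        if salt not in SALTTYPES:
            raise ValueError("unknown salt type %r" % salt)
        pair = (canonical_enctype(enc), salt)
        if pair not in pairs:
            pairs.append(pair)
    return pairs


# Constructed default set for the examples; not the library's built-in list.
EXAMPLE_DEFAULT = ("aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96",
                   "aes256-cts-hmac-sha384-192", "aes128-cts-hmac-sha256-128",
                   "arcfour-hmac")

if __name__ == "__main__":
    print(parse_enctype_list("DEFAULT -rc4", EXAMPLE_DEFAULT))
    print(parse_enctype_list("aes128-sha2 DEFAULT", EXAMPLE_DEFAULT))
    print(parse_keysalt_list("aes256-cts:normal,aes128-cts:normal"))
```

       Feeding a realm's supported_enctypes through parse_keysalt_list and a
       client's or tag's list through parse_enctype_list, then checking
       weak_types on the result, is a quick way to confirm that "DEFAULT -rc4"
       really removed what was intended before the change reaches the KDC.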

SAMPLE KDC.CONF FILE

926       Here's an example of a kdc.conf file:
927
928          [kdcdefaults]
929              kdc_listen = 88
930              kdc_tcp_listen = 88
931          [realms]
932              ATHENA.MIT.EDU = {
933                  kadmind_port = 749
934                  max_life = 12h 0m 0s
935                  max_renewable_life = 7d 0h 0m 0s
936                  master_key_type = aes256-cts-hmac-sha1-96
937                  supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal
938                  database_module = openldap_ldapconf
939              }
940
941          [logging]
942              kdc = FILE:/usr/local/var/krb5kdc/kdc.log
943              admin_server = FILE:/usr/local/var/krb5kdc/kadmin.log
944
945          [dbdefaults]
946              ldap_kerberos_container_dn = cn=krbcontainer,dc=mit,dc=edu
947
948          [dbmodules]
949              openldap_ldapconf = {
950                  db_library = kldap
951                  disable_last_success = true
952                  ldap_kdc_dn = "cn=krbadmin,dc=mit,dc=edu"
953                      # this object needs to have read rights on
954                      # the realm container and principal subtrees
955                  ldap_kadmind_dn = "cn=krbadmin,dc=mit,dc=edu"
956                      # this object needs to have read and write rights on
957                      # the realm container and principal subtrees
958                  ldap_service_password_file = /etc/kerberos/service.keyfile
959                  ldap_servers = ldaps://kerberos.mit.edu
960                  ldap_conns_per_server = 5
961              }
962

FILES

964       /var/kerberos/krb5kdc/kdc.conf
965

SEE ALSO

967       krb5.conf(5), krb5kdc(8), kadm5.acl(5)
968

AUTHOR

970       MIT

COPYRIGHT

       1985-2020, MIT



1.18.2                                                             KDC.CONF(5)