1KRB5.CONF(5) BSD File Formats Manual KRB5.CONF(5)
2
4 krb5.conf — configuration file for Kerberos 5
5
7 #include <krb5.h>
8
10 The krb5.conf file specifies several configuration parameters for the
11 Kerberos 5 library, as well as for some programs.
12
13 The file consists of one or more sections, containing a number of bind‐
14 ings. The value of each binding can be either a string or a list of
15 other bindings. The grammar looks like:
16
17 file:
18 /* empty */
19 sections
20
21 sections:
22 section sections
23 section
24
25 section:
26 '[' section_name ']' bindings
27
28 section_name:
29 STRING
30
31 bindings:
32 binding bindings
33 binding
34
35 binding:
36 name '=' STRING
37 name '=' '{' bindings '}'
38
39 name:
40 STRING
41
42 STRINGs consist of one or more non-whitespace characters.
43
44 STRINGs that are specified later in this man-page use the following
45 notation.
46
47 boolean
48 values can be either yes/true or no/false.
49
50 time
51 values can be a list of year, month, day, hour, min, second.
52 Example: 1 month 2 days 30 min. If no unit is given, seconds
53 is assumed.
54
55 etypes
56 valid encryption types are: des-cbc-crc, des-cbc-md4, des-cbc-
57 md5, des3-cbc-sha1, arcfour-hmac-md5, aes128-cts-hmac-sha1-96,
58 and aes256-cts-hmac-sha1-96.
59
60 address
61 an address can be either an IPv4 or an IPv6 address.
62
63 Currently recognised sections and bindings are:
64
65 [appdefaults]
66 Specifies the default values to be used for Kerberos applica‐
67 tions. You can specify defaults per application, realm, or a
68 combination of these. The preference order is:
69 1. application realm option
70 2. application option
71 3. realm option
72 4. option
73
74 The supported options are:
75
76 forwardable = boolean
77 When obtaining initial credentials, make the cre‐
78 dentials forwardable.
79
80 proxiable = boolean
81 When obtaining initial credentials, make the cre‐
82 dentials proxiable.
83
84 no-addresses = boolean
85 When obtaining initial credentials, request them
86 for an empty set of addresses, making the tickets
87 valid from any address.
88
89 ticket_lifetime = time
90 Default ticket lifetime.
91
92 renew_lifetime = time
93 Default renewable ticket lifetime.
94
95 encrypt = boolean
96 Use encryption, when available.
97
98 forward = boolean
99 Forward credentials to remote host (for rsh(1),
100 telnet(1), etc).
101
102 [libdefaults]
103
104 default_realm = REALM
105 Default realm to use; this is also known as your
106 “local realm”. The default is the result of
107 krb5_get_host_realm(local hostname).
108
109 allow_weak_crypto = boolean
110 whether weak crypto algorithms are allowed to be used;
111 DES, among others, is considered weak.
112
113 clockskew = time
114 Maximum time differential (in seconds) allowed when
115 comparing times. Default is 300 seconds (five min‐
116 utes).
117
118 kdc_timeout = time
119 Maximum time to wait for a reply from the kdc,
120 default is 3 seconds.
121
122 capath = {
123
124 destination-realm = next-hop-realm
125
126 ...
127
128 }
129 This is deprecated, see the capaths section below.
130
131 default_cc_type = cctype
132 sets the default credentials type.
133
134 default_cc_name = ccname
135 the default credentials cache name. If you only want to
136 change the type, use default_cc_type. The
137 string can contain variables that are expanded at
138 runtime. The only supported variable currently is
139 %{uid} which expands to the current user id.
140
141 default_etypes = etypes ...
142 A list of default encryption types to use.
143 (Default: all enctypes if allow_weak_crypto = TRUE,
144 else all enctypes except single DES enctypes.)
145
146 default_as_etypes = etypes ...
147 A list of default encryption types to use in AS
148 requests. (Default: the value of default_etypes.)
149
150 default_tgs_etypes = etypes ...
151 A list of default encryption types to use in TGS
152 requests. (Default: the value of default_etypes.)
153
154 default_etypes_des = etypes ...
155 A list of default encryption types to use when
156 requesting a DES credential.
157
158 default_keytab_name = keytab
159 The keytab to use if no other is specified, default
160 is “FILE:/etc/krb5.keytab”.
161
162 dns_lookup_kdc = boolean
163 Use DNS SRV records to look up the location of KDC
164 services.
165
166 dns_lookup_realm = boolean
167 Use DNS TXT records to look up domain-to-realm map‐
168 pings.
169
170 kdc_timesync = boolean
171 Try to keep track of the time differential between
172 the local machine and the KDC, and then compensate
173 for that when issuing requests.
174
175 max_retries = number
176 The max number of times to try to contact each KDC.
177
178 large_msg_size = number
179 The threshold where protocols with tiny maximum
180 message sizes are not considered usable to send
181 messages to the KDC.
182
183 ticket_lifetime = time
184 Default ticket lifetime.
185
186 renew_lifetime = time
187 Default renewable ticket lifetime.
188
189 forwardable = boolean
190 When obtaining initial credentials, make the cre‐
191 dentials forwardable. This option is also valid in
192 the [realms] section.
193
194 proxiable = boolean
195 When obtaining initial credentials, make the cre‐
196 dentials proxiable. This option is also valid in
197 the [realms] section.
198
199 verify_ap_req_nofail = boolean
200 If enabled, failure to verify credentials against a
201 local key is a fatal error. The application has to
202 be able to read the corresponding service key for
203 this to work. Some applications, like su(1),
204 enable this option unconditionally.
205
206 warn_pwexpire = time
207 How soon to warn about an expiring password. Default is
208 seven days.
209
210 http_proxy = proxy-spec
211 An HTTP proxy to use when talking to the KDC via
212 HTTP.
213
214 dns_proxy = proxy-spec
215 Enable using DNS via HTTP.
216
217 extra_addresses = address ...
218 A list of addresses to get tickets for along with
219 all local addresses.
220
221 time_format = string
222 How to print time strings in logs, this string is
223 passed to strftime(3).
224
225 date_format = string
226 How to print date strings in logs, this string is
227 passed to strftime(3).
228
229 log_utc = boolean
230 Write log-entries using UTC instead of your local
231 time zone.
232
233 scan_interfaces = boolean
234 Scan all network interfaces for addresses, as
235 opposed to simply using the address associated with
236 the system's host name.
237
238 fcache_version = int
239 Use file credential cache format version specified.
240
241 fcc-mit-ticketflags = boolean
242 Use MIT compatible format for file credential
243 cache. The ticketflags field was stored in reverse
244 bit order by versions older than Heimdal 0.7.
245 Setting this flag to TRUE makes it store the MIT
246 way; this is the default for Heimdal 0.7.
247
248 check-rd-req-server
249 If set to "ignore", the framework will ignore any
250 of the server input to krb5_rd_req(3); this is very
251 useful when the GSS-API server passes the wrong
252 server name to the gss_accept_sec_context call.
253
254 k5login_directory = directory
255 Alternative location for user .k5login files. This
256 option is provided for compatibility with MIT krb5
257 configuration files.
258
259 k5login_authoritative = boolean
260 If true then if a principal is not found in k5login
261 files then krb5_userok(3) will not fallback on
262 principal to username mapping. This option is pro‐
263 vided for compatibility with MIT krb5 configuration
264 files.
265
266 kuserok = rule ...
267 Specifies krb5_userok(3) behavior. If multiple
268 values are given, then krb5_userok(3) will evaluate
269 them in order until one succeeds or all fail.
270 Rules are implemented by plugins, with three built-
271 in plugins described below. Default: USER-K5LOGIN
272 SIMPLE DENY.
273
274 kuserok = DENY
275 If set and evaluated then krb5_userok(3) will deny
276 access to the given username no matter what the
277 principal name might be.
278
279 kuserok = SIMPLE
280 If set and evaluated then krb5_userok(3) will use
281 principal to username mapping (see auth_to_local
282 below). If the principal maps to the requested
283 username then access is allowed.
284
285 kuserok = SYSTEM-K5LOGIN[:directory]
286 If set and evaluated then krb5_userok(3) will use
287 k5login files named after the luser argument to
288 krb5_userok(3) in the given directory or in
289 /etc/k5login.d/. K5login files are text files,
290 with each line containing just a principal name;
291 principals appearing in a user's k5login file are
292 permitted access to the user's account. Note: this
293 rule performs no ownership nor permissions checks
294 on k5login files; proper ownership and permis‐
295 sions/ACLs are expected due to the k5login location
296 being a system location.
297
298 kuserok = USER-K5LOGIN
299 If set and evaluated then krb5_userok(3) will use
300 ~luser/.k5login and ~luser/.k5login.d/*. User
301 k5login files and directories must be owned by the
302 user and must not have world nor group write per‐
303 missions.
304
305 aname2lname-text-db = filename
306 The named file must be a sorted (in increasing
307 order) text file where every line consists of an
308 unparsed principal name optionally followed by
309 whitespace and a username. The aname2lname func‐
310 tion will do a binary search on this file, if con‐
311 figured, looking for lines that match the given
312 principal name, and if found the given username
313 will be used, or, if the username is missing, an
314 error will be returned. If the file doesn't exist,
315 or if no matching line is found then other plugins
316 will be allowed to run.
317
318 fcache_strict_checking
319 Strict checking of FILE credential caches: that the
320 owner and permissions are correct and the file is not a symlink.
321
322 name_canon_rules = rules
323 One or more service principal name canonicalization
324 rules. Each rule consists of one or more tokens
325 separated by colon (':'). Currently these rules
326 are used only for hostname canonicalization (usu‐
327 ally when getting a service ticket, from a ccache
328 or a TGS, but also when acquiring GSS initiator
329 credentials from a keytab). These rules can be
330 used to implement DNS resolver-like search lists
331 without having to use DNS.
332
333 NOTE: Name canonicalization rules are an experimen‐
334 tal feature.
335
336 The first token is a rule type, one of: as-is,
337 qualify, or nss.
338
339 Any remaining tokens must be options tokens:
340 use_fast (use FAST to protect TGS exchanges; cur‐
341 rently not supported), use_dnssec (use DNSSEC to
342 protect hostname lookups; currently not supported),
343 ccache_only, use_referrals, no_referrals,
344 lookup_realm, mindots=N, maxdots=N, order=N,
345 domain=domain, realm=realm, match_domain=domain,
346 and match_realm=realm.
347
348 When trying to obtain a service ticket for a host-
349 based service principal name, name canonicalization
350 rules are applied to that name in the order given,
351 one by one, until one succeeds (a service ticket is
352 obtained), or all fail. Similarly when acquiring
353 GSS initiator credentials from a keytab, and when
354 comparing a non-canonical GSS name to a canonical
355 one.
356
357 For each rule the system checks that the hostname
358 has at least mindots periods (if given) in it, at
359 most maxdots periods (if given), that the hostname
360 ends in the given match_domain (if given), and that
361 the realm of the principal matches the match_realm
362 (if given).
363
364 As-is rules leave the hostname unmodified but may
365 set a realm. Qualify rules qualify the hostname
366 with the given domain and also may set the realm.
367 The nss rule uses the system resolver to look up the
368 host's canonical name and is usually not secure.
369 Note that using the nss rule type implies having to
370 have principal aliases in the HDB (though not nec‐
371 essarily in keytabs).
372
373 The empty realm denotes "ask the client's realm's
374 TGS". The empty realm may be set as well as
375 matched.
376
377 The order in which rules are applied is as follows:
378 first all the rules with explicit order then all
379 other rules in the order in which they appear. If
380 any two rules have the same explicit order, their
381 order of appearance in krb5.conf breaks the tie.
382 Explicitly specifying order can be useful where
383 tools read and write the configuration file without
384 preserving parameter order.
385
386 Malformed rules are ignored.
387
388 allow_hierarchical_capaths = boolean
389 When validating cross-realm transit paths, absent
390 any explicit capath from the client realm to the
391 server realm, allow a hierarchical transit path via
392 the common ancestor domain of the two realms.
393 Defaults to true. Note, absent an explicit set‐
394 ting, hierarchical capaths are always used by the
395 KDC when generating a referral to a destination
396 with which there is no direct trust.
397
398 [domain_realm]
399 This is a list of mappings from DNS domain to Kerberos realm.
400 Each binding in this section looks like:
401
402 domain = realm
403
404 The domain can be either a full name of a host or a trailing
405 component, in the latter case the domain-string should start
406 with a period. The trailing component only matches hosts that
407 are in the same domain, i.e. “.example.com” matches
408 “foo.example.com”, but not “foo.test.example.com”.
409
410 The realm may be the token `dns_locate', in which case the
411 actual realm will be determined using DNS (independently of
412 the setting of the `dns_lookup_realm' option).
413
414 [realms]
415
416 REALM = {
417
418 kdc = [service/]host[:port]
419 Specifies a list of kdcs for this realm.
420 If the optional port is absent, the
421 default value for the “kerberos/udp”
422 “kerberos/tcp”, and “http/tcp” port
423 (depending on service) will be used.
424 The kdcs will be used in the order that
425 they are specified.
426
427 The optional service specifies over what
428 medium the kdc should be contacted.
429 Possible services are “udp”, “tcp”, and
430 “http”. Http can also be written as
431 “http://”. Default service is “udp” and
432 “tcp”.
433
434 admin_server = host[:port]
435 Specifies the admin server for this
436 realm, where all the modifications to
437 the database are performed.
438
439 kpasswd_server = host[:port]
440 Points to the server where all the pass‐
441 word changes are performed. If there is
442 no such entry, the kpasswd port on the
443 admin_server host will be tried.
444
445 tgs_require_subkey
446 a boolean variable that defaults to
447 false. Old DCE secd (pre 1.1) might
448 need this to be true.
449
450 auth_to_local_names = {
451
452 principal_name = username
453 The given principal_name will
454 be mapped to the given
455 username if the REALM is a
456 default realm.
457
458 }
459
460 auth_to_local = HEIMDAL_DEFAULT
461 Use the Heimdal default principal to
462 username mapping. Applies to principals
463 from the REALM if and only if REALM is a
464 default realm.
465
466 auth_to_local = DEFAULT
467 Use the MIT default principal to user‐
468 name mapping. Applies to principals
469 from the REALM if and only if REALM is a
470 default realm.
471
472 auth_to_local = DB:/path/to/db.txt
473 Use a binary search of the given DB.
474 The DB must be a flat-text file sorted
475 in the "C" locale, with each record
476 being a line (separated by either LF or
477 CRLF) consisting of a principal name
478 followed by whitespace followed by a
479 username. Applies to principals from
480 the REALM if and only if REALM is a
481 default realm.
482
483 auth_to_local = DB:/path/to/db
484 Use the given DB, if there's a plugin
485 for it. Applies to principals from the
486 REALM if and only if REALM is a default
487 realm.
488
489 auth_to_local = RULE:...
490 Use the given rule, if there's a plugin
491 for it. Applies to principals from the
492 REALM if and only if REALM is a default
493 realm.
494
495 auth_to_local = NONE
496 No additional principal to username map‐
497 ping is done. Note that
498 auth_to_local_names and any preceding
499 auth_to_local rules have precedence.
500
501 }
502
503 [capaths]
504
505 client-realm = {
506
507 server-realm = hop-realm ...
508 This serves two purposes. First, the
509 first listed hop-realm tells a client
510 which realm it should contact in order
511 to ultimately obtain credentials for a
512 service in the server-realm. Secondly,
513 it tells the KDC (and other servers)
514 which realms are allowed in a multi-hop
515 traversal from client-realm to
516 server-realm. Except for the client
517 case, the order of the realms is not
518 important.
519
520 }
521
522 [logging]
523
524 entity = destination
525 Specifies that entity should use the specified
526 destination for logging. See the krb5_openlog(3)
527 manual page for a list of defined destinations.
528
529 [kdc]
530
531 database = {
532
533 dbname = [DATABASETYPE:]DATABASENAME
534 Use this database for this realm. The
535 DATABASETYPE should be one of 'lmdb',
536 'db3', 'db1', 'db', 'sqlite', or 'ldap'.
537 See the info documentation for how to config‐
538 ure different database backends.
539
540 realm = REALM
541 Specifies the realm that will be stored
542 in this database. If realm isn't set,
543 it will be used as the default database;
544 there can only be one entry that doesn't
545 have a realm stanza.
546
547 mkey_file = FILENAME
548 Use this keytab file for the master key
549 of this database. If not specified
550 DATABASENAME.mkey will be used.
551
552 acl_file = FILENAME
553 Use this file for the ACL list of this
554 database.
555
556 log_file = FILENAME
557 Use this file as the log of changes per‐
558 formed to the database. This file is
559 used by ipropd-master for propagating
560 changes to slaves. It is also used by
561 kadmind and kadmin (when used with the
562 -l option), and by all applications
563 using libkadm5 with the local backend,
564 for two-phase commit functionality.
565 Slaves also use this. Setting this to
566 /dev/null disables two-phase commit and
567 incremental propagation. Use iprop-log
568 to show the contents of this log file.
569
570 log-max-size = number
571 When the log reaches this size (in
572 bytes), the log will be truncated, sav‐
573 ing some entries, and keeping the latest
574 version number so as to not disrupt
575 incremental propagation. If set to a
576 negative value then automatic log trun‐
577 cation will be disabled. Defaults to
578 52428800 (50MB).
579
580 }
581
582 max-request = SIZE
583 Maximum size of a kdc request.
584
585 require-preauth = BOOL
586 If set pre-authentication is required.
587
588 ports = list of ports
589 List of ports the kdc should listen to.
590
591 addresses = list of interfaces
592 List of addresses the kdc should bind to.
593
594 enable-http = BOOL
595 Should the kdc answer kdc-requests over http.
596
597 tgt-use-strongest-session-key = BOOL
598 If this is TRUE then the KDC will prefer the
599 strongest key from the client's AS-REQ or TGS-REQ
600 enctype list for the ticket session key that is
601 supported by the KDC and the target principal when
602 the target principal is a krbtgt principal. Else
603 it will prefer the first key from the client's AS-
604 REQ enctype list that is also supported by the KDC
605 and the target principal. Defaults to FALSE.
606
607 svc-use-strongest-session-key = BOOL
608 Like tgt-use-strongest-session-key, but applies to
609 the session key enctype of tickets for services
610 other than krbtgt principals. Defaults to FALSE.
611
612 preauth-use-strongest-session-key = BOOL
613 If TRUE then select the strongest possible enctype
614 from the client's AS-REQ for PA-ETYPE-INFO2 (i.e.,
615 for password-based pre-authentication). Else pick
616 the first supported enctype from the client's AS-
617 REQ. Defaults to FALSE.
618
619 use-strongest-server-key = BOOL
620 If TRUE then the KDC picks, for the ticket
621 encrypted part's key, the strongest supported enctype
622 from the target service principal's hdb entry's
623 current keyset. Else the KDC picks the first sup‐
624 ported enctype from the target service principal's
625 hdb entry's current keyset. Defaults to TRUE.
626
627 check-ticket-addresses = BOOL
628 Verify the addresses in the tickets used in tgs
629 requests.
630
631 allow-null-ticket-addresses = BOOL
632 Allow address-less tickets.
633
634 allow-anonymous = BOOL
635 If the kdc is allowed to hand out anonymous tick‐
636 ets.
637
638 encode_as_rep_as_tgs_rep = BOOL
639 Encode as-rep as tgs-rep to be compatible with mis‐
640 takes older DCE secd did.
641
642 kdc_warn_pwexpire = TIME
643 The time before expiration that the user should be
644 warned that her password is about to expire.
645
646 logging = Logging
647 What type of logging the kdc should use, see also
648 [logging]/kdc.
649
650 hdb-ldap-structural-object = structural-object
651 If the LDAP backend is used for storing principals,
652 this is the structural object that will be used
653 when creating and when reading objects. The
654 default value is account.
655
656 hdb-ldap-create-base = creation-dn
657 The dn that will be appended to the principal
658 when creating entries. Default value is the search
659 dn.
660
661 enable-digest = BOOL
662 Should the kdc answer digest requests. The default
663 is FALSE.
664
665 digests_allowed = list of digests
666 Specifies the digests the kdc will reply to. The
667 default is ntlm-v2.
668
669 kx509_ca = file
670 Specifies the PEM credentials for the kx509 certi‐
671 fication authority.
672
673 require_initial_kca_tickets = boolean
674 Specifies whether to require that tickets for the
675 kca_service service principal be INITIAL. This may
676 be set on a per-realm basis as well as globally.
677 Defaults to true for the global setting.
678
679 kx509_include_pkinit_san = boolean
680 If true then the kx509 client principal's name and
681 realm will be included in an id-pkinit-san certifi‐
682 cate extension. This can be set on a per-realm
683 basis as well as globally. Defaults to true for
684 the global setting.
685
686 kx509_template = file
687 Specifies the PEM file with a template for the cer‐
688 tificates to be issued. The following variables
689 can be interpolated in the subject name using
690 ${variable} syntax:
691
692 principal-name
693 The full name of the kx509 client prin‐
694 cipal.
695
696 principal-name-without-realm
697 The full name of the kx509 client prin‐
698 cipal, excluding the realm name.
699
700 principal-name-realm
701 The name of the client principal's
702 realm.
703 The kx509, kx509_template, kx509_include_pkinit_san, and
704 require_initial_kca_tickets parameters may be set on a per-
705 realm basis as well.
706
707 [kadmin]
708
709 password_lifetime = time
710 If a principal already has its password set for
711 expiration, this is the time it will be valid for
712 after a change.
713
714 default_keys = keytypes...
715 For each entry in default_keys, try to parse it as a
716 sequence in etype:salttype:salt syntax. The syntax is
717 something like:
718
719 [(des|des3|etype):](pw-salt|afs3-salt)[:string]
720
721 If etype is omitted it means everything, and if
722 string is omitted it means the default salt string
723 (for that principal and encryption type). Addi‐
724 tional special values of keytypes are:
725
726 v5 The Kerberos 5 salt pw-salt
727
728 default_key_rules = {
729
730 globing-rule = keytypes...
731 a globbing rule for matching a principal;
732 when it matches, use the keytypes, spec‐
733 ified in the same format as [kad‐
734 min]default_keys.
735
736 }
737
738 prune-key-history = BOOL
739 When adding keys to the key history, drop keys that
740 are too old to match unexpired tickets (based on
741 the principal's maximum ticket lifetime). If the
742 KDC keystore is later compromised traffic protected
743 with the discarded older keys may remain protected.
744 This also keeps the HDB records for principals with
745 key history from growing without bound. The
746 default (backwards compatible) value is "false".
747
748 use_v4_salt = BOOL
749 When true, this is the same as
750
751 default_keys = des3:pw-salt v4
752
753 and is only left for backwards compatibility.
754
755 [password_quality]
756 See the Password quality assurance section in the info
757 documentation for more information.
758
759 check_library = library-name
760 Library name that contains the password
761 check_function
762
763 check_function = function-name
764 Function name for checking passwords in
765 check_library
766
767 policy_libraries = library1 ... libraryN
768 List of libraries that can do password
769 policy checks
770
771 policies = policy1 ... policyN
772 List of policy names to apply to the
773 password. Builtin policies are among
774 other minimum-length, character-class,
775 external-check.
776
778 KRB5_CONFIG points to the configuration file to read.
779
781 /etc/krb5.conf configuration file for Kerberos 5.
782
784 [libdefaults]
785 default_realm = FOO.SE
786 name_canon_rules = as-is:realm=FOO.SE
787 name_canon_rules = qualify:domain=foo.se:realm=FOO.SE
788 name_canon_rules = qualify:domain=bar.se:realm=FOO.SE
789 name_canon_rules = nss
790 [domain_realm]
791 .foo.se = FOO.SE
792 .bar.se = FOO.SE
793 [realms]
794 FOO.SE = {
795 kdc = kerberos.foo.se
796 default_domain = foo.se
797 }
798 [logging]
799 kdc = FILE:/var/heimdal/kdc.log
800 kdc = SYSLOG:INFO
801 default = SYSLOG:INFO:USER
802 [kadmin]
803 default_key_rules = {
804 */ppp@* = arcfour-hmac-md5:pw-salt
805 }
806
808 Since krb5.conf is read and parsed by the krb5 library, there are not a
809 lot of opportunities for programs to report parsing errors in any useful
810 format. To help overcome this problem, there is a program
811 verify_krb5_conf that reads krb5.conf and tries to emit useful diagnos‐
812 tics from parsing errors. Note that this program does not have any way
813 of knowing what options are actually used and thus cannot warn about
814 unknown or misspelled ones.
815
817 kinit(1), krb5_openlog(3), strftime(3), verify_krb5_conf(8)
818
819HEIMDAL May 4, 2005 HEIMDAL