KDC.CONF(5)                      MIT Kerberos                      KDC.CONF(5)

NAME
       kdc.conf - Kerberos V5 KDC configuration file

DESCRIPTION
       The kdc.conf file supplements krb5.conf(5) for programs which are
       typically only used on a KDC, such as the krb5kdc(8) and kadmind(8)
       daemons and the kdb5_util(8) program.  Relations documented here may
       also be specified in krb5.conf; for the KDC programs mentioned,
       krb5.conf and kdc.conf will be merged into a single configuration
       profile.

       Normally, the kdc.conf file is found in the KDC state directory,
       /var/kerberos/krb5kdc.  You can override the default location by
       setting the environment variable KRB5_KDC_PROFILE.

       Please note that you need to restart the KDC daemon for any
       configuration changes to take effect.

STRUCTURE
       The kdc.conf file is set up in the same format as the krb5.conf(5)
       file.

SECTIONS
       The kdc.conf file may contain the following sections:

                    ┌──────────────┬────────────────────────────┐
                    │[kdcdefaults] │ Default values for KDC     │
                    │              │ behavior                   │
                    ├──────────────┼────────────────────────────┤
                    │[realms]      │ Realm-specific database    │
                    │              │ configuration and settings │
                    ├──────────────┼────────────────────────────┤
                    │[dbdefaults]  │ Default database settings  │
                    ├──────────────┼────────────────────────────┤
                    │[dbmodules]   │ Per-database settings      │
                    ├──────────────┼────────────────────────────┤
                    │[logging]     │ Controls how Kerberos      │
                    │              │ daemons perform logging    │
                    └──────────────┴────────────────────────────┘

   [kdcdefaults]
       Some relations in the [kdcdefaults] section specify default values
       for realm variables, to be used if the [realms] subsection does not
       contain a relation for the tag.  See the [realms] section for the
       definitions of these relations.

       · host_based_services

       · kdc_listen

       · kdc_ports

       · kdc_tcp_listen

       · kdc_tcp_ports

       · no_host_referral

       · restrict_anonymous_to_tgt

       The following [kdcdefaults] variables have no per-realm equivalent:

       kdc_max_dgram_reply_size
              Specifies the maximum packet size that can be sent over UDP.
              The default value is 4096 bytes.

       kdc_tcp_listen_backlog
              (Integer.)  Set the size of the listen queue length for the
              KDC daemon.  The value may be limited by OS settings.  The
              default value is 5.

       spake_preauth_kdc_challenge
              (String.)  Specifies the group for a SPAKE optimistic
              challenge.  See the spake_preauth_groups variable in
              libdefaults for possible values.  The default is not to issue
              an optimistic challenge.  (New in release 1.17.)

   [realms]
       Each tag in the [realms] section is the name of a Kerberos realm.
       The value of the tag is a subsection where the relations define KDC
       parameters for that particular realm.  The following example shows
       how to define one parameter for the ATHENA.MIT.EDU realm:

          [realms]
              ATHENA.MIT.EDU = {
                  max_renewable_life = 7d 0h 0m 0s
              }

       The following tags may be specified in a [realms] subsection:

       acl_file
              (String.)  Location of the access control list file that
              kadmind(8) uses to determine which principals are allowed
              which permissions on the Kerberos database.  To operate
              without an ACL file, set this relation to the empty string
              with acl_file = "".  The default value is
              /var/kerberos/krb5kdc/kadm5.acl.  For more information on the
              Kerberos ACL file, see kadm5.acl(5).

       database_module
              (String.)  This relation indicates the name of the
              configuration section under [dbmodules] for database-specific
              parameters used by the loadable database library.  The
              default value is the realm name.  If this configuration
              section does not exist, default values will be used for all
              database parameters.

       database_name
              (String, deprecated.)  This relation specifies the location
              of the Kerberos database for this realm, if the DB2 module is
              being used and the [dbmodules] configuration section does not
              specify a database name.  The default value is
              /var/kerberos/krb5kdc/principal.

       default_principal_expiration
              (abstime string.)  Specifies the default expiration date of
              principals created in this realm.  The default value is 0,
              which means no expiration date.

       default_principal_flags
              (Flag string.)  Specifies the default attributes of
              principals created in this realm.  The format for this string
              is a comma-separated list of flags, with '+' before each flag
              that should be enabled and '-' before each flag that should
              be disabled.  The postdateable, forwardable, tgt-based,
              renewable, proxiable, dup-skey, allow-tickets, and service
              flags default to enabled.

              There are a number of possible flags:

              allow-tickets
                     Enabling this flag means that the KDC will issue
                     tickets for this principal.  Disabling this flag
                     essentially deactivates the principal within this
                     realm.

              dup-skey
                     Enabling this flag allows the principal to obtain a
                     session key for another user, permitting user-to-user
                     authentication for this principal.

              forwardable
                     Enabling this flag allows the principal to obtain
                     forwardable tickets.

              hwauth If this flag is enabled, then the principal is required
                     to preauthenticate using a hardware device before
                     receiving any tickets.

              no-auth-data-required
                     Enabling this flag prevents PAC or AD-SIGNEDPATH data
                     from being added to service tickets for the principal.

              ok-as-delegate
                     If this flag is enabled, it hints the client that
                     credentials can and should be delegated when
                     authenticating to the service.

              ok-to-auth-as-delegate
                     Enabling this flag allows the principal to use S4USelf
                     tickets.

              postdateable
                     Enabling this flag allows the principal to obtain
                     postdateable tickets.

              preauth
                     If this flag is enabled on a client principal, then
                     that principal is required to preauthenticate to the
                     KDC before receiving any tickets.  On a service
                     principal, enabling this flag means that service
                     tickets for this principal will only be issued to
                     clients with a TGT that has the preauthenticated bit
                     set.

              proxiable
                     Enabling this flag allows the principal to obtain proxy
                     tickets.

              pwchange
                     Enabling this flag forces a password change for this
                     principal.

              pwservice
                     If this flag is enabled, it marks this principal as a
                     password change service.  This should only be used in
                     special cases, for example, if a user's password has
                     expired, then the user has to get tickets for that
                     principal without going through the normal password
                     authentication in order to be able to change the
                     password.

              renewable
                     Enabling this flag allows the principal to obtain
                     renewable tickets.

              service
                     Enabling this flag allows the KDC to issue service
                     tickets for this principal.

              tgt-based
                     Enabling this flag allows a principal to obtain tickets
                     based on a ticket-granting-ticket, rather than
                     repeating the authentication process that was used to
                     obtain the TGT.

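       The flag-string rules above, as an added example in Python (not part
       of this man page and not MIT Kerberos code): the resolver starts from
       the flags the page says default to enabled, applies a '+'/'-' flag
       string exactly as described, rejects unknown names, and then reports
       properties of the resulting default attribute set that an
       administrator would want to review before principals are created
       with them.  The sample flag string and the finding texts are
       constructed for this example.

```python
# Added example: resolve a default_principal_flags value into the attribute
# set a newly created principal would receive.  Not part of the kdc.conf
# man page or of MIT Kerberos; the flag names and defaults are taken from
# the page text, the sample value and finding texts are constructed.

# Every flag name the page documents.
FLAG_NAMES = {
    "allow-tickets", "dup-skey", "forwardable", "hwauth",
    "no-auth-data-required", "ok-as-delegate", "ok-to-auth-as-delegate",
    "postdateable", "preauth", "proxiable", "pwchange", "pwservice",
    "renewable", "service", "tgt-based",
}

# Flags the page says default to enabled when nothing is configured.
DEFAULT_ENABLED = {
    "postdateable", "forwardable", "tgt-based", "renewable",
    "proxiable", "dup-skey", "allow-tickets", "service",
}


def resolve_principal_flags(flag_string):
    """Return the set of enabled flags after applying a +/- flag string.

    Starts from the documented defaults.  Each comma-separated item must be
    a known flag name prefixed with '+' (enable) or '-' (disable); anything
    else is rejected so a typo cannot silently leave a flag at its default.
    """
    enabled = set(DEFAULT_ENABLED)
    for item in flag_string.split(","):
        item = item.strip()
        if not item:
            continue
        sign, name = item[0], item[1:]
        if sign not in "+-" or name not in FLAG_NAMES:
            raise ValueError(f"bad flag entry: {item!r}")
        if sign == "+":
            enabled.add(name)
        else:
            enabled.discard(name)
    return enabled


def hardening_findings(enabled):
    """List properties of a resolved flag set worth reviewing (constructed
    wording; the conditions follow the flag descriptions on the page)."""
    findings = []
    if "preauth" not in enabled:
        findings.append("preauth not required for new principals")
    if "ok-to-auth-as-delegate" in enabled:
        findings.append("ok-to-auth-as-delegate enabled for new principals")
    if "allow-tickets" not in enabled:
        findings.append("new principals are created deactivated")
    return findings


if __name__ == "__main__":
    # Constructed sample value, as it might appear in a [realms] subsection:
    #   default_principal_flags = +preauth,-postdateable,-proxiable
    flags = resolve_principal_flags("+preauth,-postdateable,-proxiable")
    print(sorted(flags))
    print(hardening_findings(flags))
```

       The resolver deliberately refuses bare names without a sign, because
       the page defines the format as '+' or '-' before every flag; an
       unsigned entry would otherwise be a guess about which way it should
       apply.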
       dict_file
              (String.)  Location of the dictionary file containing strings
              that are not allowed as passwords.  The file should contain
              one string per line, with no additional whitespace.  If none
              is specified or if there is no policy assigned to the
              principal, no dictionary checks of passwords will be
              performed.

       encrypted_challenge_indicator
              (String.)  Specifies the authentication indicator value that
              the KDC asserts into tickets obtained using FAST encrypted
              challenge pre-authentication.  New in 1.16.

       host_based_services
              (Whitespace- or comma-separated list.)  Lists services which
              will get host-based referral processing even if the server
              principal is not marked as host-based by the client.

       iprop_enable
              (Boolean value.)  Specifies whether incremental database
              propagation is enabled.  The default value is false.

       iprop_master_ulogsize
              (Integer.)  Specifies the maximum number of log entries to be
              retained for incremental propagation.  The default value is
              1000.  Prior to release 1.11, the maximum value was 2500.

       iprop_slave_poll
              (Delta time string.)  Specifies how often the slave KDC polls
              for new updates from the master.  The default value is 2m
              (that is, two minutes).

       iprop_listen
              (Whitespace- or comma-separated list.)  Specifies the iprop
              RPC listening addresses and/or ports for the kadmind(8)
              daemon.  Each entry may be an interface address, a port
              number, or an address and port number separated by a colon.
              If the address contains colons, enclose it in square
              brackets.  If no address is specified, the wildcard address
              is used.  If kadmind fails to bind to any of the specified
              addresses, it will fail to start.  The default (when
              iprop_enable is true) is to bind to the wildcard address at
              the port specified in iprop_port.  New in release 1.15.

       iprop_port
              (Port number.)  Specifies the port number to be used for
              incremental propagation.  When iprop_enable is true, this
              relation is required in the slave configuration file, and
              this relation or iprop_listen is required in the master
              configuration file, as there is no default port number.  Port
              numbers specified in iprop_listen entries will override this
              port number for the kadmind(8) daemon.

       iprop_resync_timeout
              (Delta time string.)  Specifies the amount of time to wait
              for a full propagation to complete.  This is optional in
              configuration files, and is used by slave KDCs only.  The
              default value is 5 minutes (5m).  New in release 1.11.

       iprop_logfile
              (File name.)  Specifies where the update log file for the
              realm database is to be stored.  The default is to use the
              database_name entry from the realms section of the krb5
              config file, with .ulog appended.  (NOTE: If database_name
              isn't specified in the realms section, perhaps because the
              LDAP database back end is being used, or the file name is
              specified in the [dbmodules] section, then the hard-coded
              default for database_name is used.  Determination of the
              iprop_logfile default value will not use values from the
              [dbmodules] section.)

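       The iprop requirements stated in the relations above, as an added
       Python example (not part of this man page and not MIT Kerberos
       code): given the relations of one [realms] subsection as a dict, it
       reports the configuration errors the page describes (iprop_port
       missing on a slave; neither iprop_port nor iprop_listen on the
       master) and derives the iprop_logfile default from the [realms]
       database_name only, ignoring [dbmodules], as the NOTE above says.
       The sample relations, the role names and the port value 754 are
       constructed for this example.

```python
# Added example: consistency check for the iprop relations of one realm.
# Not part of the kdc.conf man page or of MIT Kerberos; the rules follow
# the page text, the sample configurations below are constructed.

# Hard-coded default for database_name given on the page.
HARD_CODED_DATABASE_NAME = "/var/kerberos/krb5kdc/principal"


def iprop_logfile_default(realm_section):
    """Derive the iprop_logfile default from the [realms] subsection only.

    database_name from [realms] with '.ulog' appended; a database name set
    under [dbmodules] is deliberately not consulted, matching the page.
    """
    name = realm_section.get("database_name", HARD_CODED_DATABASE_NAME)
    return name + ".ulog"


def _is_true(section, tag):
    return str(section.get(tag, "false")).strip().lower() == "true"


def check_iprop(realm_section, role):
    """Return a list of problems for a 'master' or 'slave' KDC.

    realm_section is a dict of the relations in one [realms] subsection,
    with string values as they appear in kdc.conf.
    """
    if role not in ("master", "slave"):
        raise ValueError("role must be 'master' or 'slave'")
    problems = []
    if not _is_true(realm_section, "iprop_enable"):
        return problems                       # iprop is off; nothing to check
    has_port = "iprop_port" in realm_section
    has_listen = "iprop_listen" in realm_section
    if role == "slave" and not has_port:
        problems.append("iprop_enable is true but iprop_port is not set "
                        "(required on a slave; there is no default port)")
    if role == "master" and not (has_port or has_listen):
        problems.append("iprop_enable is true but neither iprop_port nor "
                        "iprop_listen is set (one is required on the master)")
    return problems


def effective_iprop_settings(realm_section):
    """Fill in the page's defaults for the relations that have one."""
    return {
        "iprop_master_ulogsize": int(realm_section.get("iprop_master_ulogsize", 1000)),
        "iprop_slave_poll": realm_section.get("iprop_slave_poll", "2m"),
        "iprop_resync_timeout": realm_section.get("iprop_resync_timeout", "5m"),
        "iprop_logfile": realm_section.get("iprop_logfile",
                                           iprop_logfile_default(realm_section)),
    }


if __name__ == "__main__":
    # Constructed sample subsections (port 754 is a constructed choice).
    master = {"iprop_enable": "true", "iprop_listen": "[::1]:754"}
    slave = {"iprop_enable": "true"}        # missing iprop_port on purpose
    print(check_iprop(master, "master"))
    print(check_iprop(slave, "slave"))
    print(effective_iprop_settings(master))
```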
       kadmind_listen
              (Whitespace- or comma-separated list.)  Specifies the kadmin
              RPC listening addresses and/or ports for the kadmind(8)
              daemon.  Each entry may be an interface address, a port
              number, or an address and port number separated by a colon.
              If the address contains colons, enclose it in square
              brackets.  If no address is specified, the wildcard address
              is used.  If kadmind fails to bind to any of the specified
              addresses, it will fail to start.  The default is to bind to
              the wildcard address at the port specified in kadmind_port,
              or the standard kadmin port (749).  New in release 1.15.

       kadmind_port
              (Port number.)  Specifies the port on which the kadmind(8)
              daemon is to listen for this realm.  Port numbers specified
              in kadmind_listen entries will override this port number.
              The assigned port for kadmind is 749, which is used by
              default.

       key_stash_file
              (String.)  Specifies the location where the master key has
              been stored (via kdb5_util stash).  The default is
              /var/kerberos/krb5kdc/.k5.REALM, where REALM is the Kerberos
              realm.

       kdc_listen
              (Whitespace- or comma-separated list.)  Specifies the UDP
              listening addresses and/or ports for the krb5kdc(8) daemon.
              Each entry may be an interface address, a port number, or an
              address and port number separated by a colon.  If the address
              contains colons, enclose it in square brackets.  If no
              address is specified, the wildcard address is used.  If no
              port is specified, the standard port (88) is used.  If the
              KDC daemon fails to bind to any of the specified addresses,
              it will fail to start.  The default is to bind to the
              wildcard address on the standard port.  New in release 1.15.

       kdc_ports
              (Whitespace- or comma-separated list, deprecated.)  Prior to
              release 1.15, this relation lists the ports for the
              krb5kdc(8) daemon to listen on for UDP requests.  In release
              1.15 and later, it has the same meaning as kdc_listen if that
              relation is not defined.

       kdc_tcp_listen
              (Whitespace- or comma-separated list.)  Specifies the TCP
              listening addresses and/or ports for the krb5kdc(8) daemon.
              Each entry may be an interface address, a port number, or an
              address and port number separated by a colon.  If the address
              contains colons, enclose it in square brackets.  If no
              address is specified, the wildcard address is used.  If no
              port is specified, the standard port (88) is used.  To
              disable listening on TCP, set this relation to the empty
              string with kdc_tcp_listen = "".  If the KDC daemon fails to
              bind to any of the specified addresses, it will fail to
              start.  The default is to bind to the wildcard address on the
              standard port.  New in release 1.15.

       kdc_tcp_ports
              (Whitespace- or comma-separated list, deprecated.)  Prior to
              release 1.15, this relation lists the ports for the
              krb5kdc(8) daemon to listen on for TCP requests.  In release
              1.15 and later, it has the same meaning as kdc_tcp_listen if
              that relation is not defined.

       kpasswd_listen
              (Comma-separated list.)  Specifies the kpasswd listening
              addresses and/or ports for the kadmind(8) daemon.  Each entry
              may be an interface address, a port number, or an address and
              port number separated by a colon.  If the address contains
              colons, enclose it in square brackets.  If no address is
              specified, the wildcard address is used.  If kadmind fails to
              bind to any of the specified addresses, it will fail to
              start.  The default is to bind to the wildcard address at the
              port specified in kpasswd_port, or the standard kpasswd port
              (464).  New in release 1.15.

       kpasswd_port
              (Port number.)  Specifies the port on which the kadmind(8)
              daemon is to listen for password change requests for this
              realm.  Port numbers specified in kpasswd_listen entries will
              override this port number.  The assigned port for password
              change requests is 464, which is used by default.

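       The entry syntax shared by iprop_listen, kadmind_listen, kdc_listen,
       kdc_tcp_listen and kpasswd_listen above, as one added Python example
       (not part of this man page and not MIT Kerberos code): it splits a
       relation value on whitespace or commas, accepts an address, a port,
       or address:port with IPv6 addresses in square brackets, substitutes
       the wildcard address and the relation's standard port (88, 749 or
       464; none for iprop) where they are omitted, and treats the empty
       string as "do not listen", which the page documents for
       kdc_tcp_listen.  The wildcard marker "*" and the sample values are
       constructed for this example; the kadmind_port or kpasswd_port value
       can be passed in as default_port when one is configured.

```python
# Added example: parser for the *_listen relations as the page describes
# them.  Not part of the kdc.conf man page or of MIT Kerberos; the
# standard ports come from the page, the sample values are constructed.

import re

WILDCARD = "*"   # constructed marker for "the wildcard address"

# Standard ports given on the page; iprop has no default port.
STANDARD_PORTS = {
    "kdc_listen": 88,
    "kdc_tcp_listen": 88,
    "kadmind_listen": 749,
    "kpasswd_listen": 464,
}


def parse_listen_entry(entry, default_port):
    """Return (address, port) for one entry; address is WILDCARD if absent."""
    m = re.fullmatch(r"\[([^\]]+)\](?::(\d+))?", entry)   # [v6addr][:port]
    if m:
        addr, port = m.group(1), m.group(2)
    elif entry.isdigit():                                 # bare port
        addr, port = None, entry
    elif ":" in entry:                                    # addr:port
        if entry.count(":") > 1:
            raise ValueError(f"{entry!r}: addresses containing colons "
                             "must be enclosed in square brackets")
        addr, port = entry.rsplit(":", 1)
        if not port.isdigit():
            raise ValueError(f"bad port in entry {entry!r}")
    else:                                                 # bare address
        addr, port = entry, None
    if port is None:
        if default_port is None:
            raise ValueError(f"{entry!r}: no port given and this relation "
                             "has no default port")
        port = default_port
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range in entry {entry!r}")
    return (addr or WILDCARD, port)


def parse_listen_relation(relation, value, default_port=None):
    """Parse a whole relation value into a list of (address, port).

    default_port overrides the relation's standard port, e.g. when
    kadmind_port or kpasswd_port is configured, or to supply iprop_port
    for iprop_listen.  An empty string yields [] (listening disabled).
    """
    if default_port is None:
        default_port = STANDARD_PORTS.get(relation)
    value = value.strip().strip('"')
    if value == "":
        return []
    entries = [e for e in re.split(r"[\s,]+", value) if e]
    return [parse_listen_entry(e, default_port) for e in entries]


if __name__ == "__main__":
    # Constructed sample values.
    print(parse_listen_relation("kdc_listen", "127.0.0.1 [::1]:1088 88"))
    print(parse_listen_relation("kdc_tcp_listen", '""'))     # TCP disabled
    print(parse_listen_relation("kpasswd_listen", "10.0.0.5:4464,10.0.0.6"))
    print(parse_listen_relation("iprop_listen", "754", default_port=754))
```

       Binding only the addresses you intend to expose is the point of
       these relations; the parser makes the effective (address, port) list
       explicit so it can be compared with what a host firewall or the
       daemon's own startup log reports.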
       master_key_name
              (String.)  Specifies the name of the principal associated
              with the master key.  The default is K/M.

       master_key_type
              (Key type string.)  Specifies the master key's key type.  The
              default value for this is aes256-cts-hmac-sha1-96.  For a
              list of all possible values, see Encryption types.

       max_life
              (duration string.)  Specifies the maximum time period for
              which a ticket may be valid in this realm.  The default value
              is 24 hours.

       max_renewable_life
              (duration string.)  Specifies the maximum time period during
              which a valid ticket may be renewed in this realm.  The
              default value is 0.

       no_host_referral
              (Whitespace- or comma-separated list.)  Lists services to
              block from getting host-based referral processing, even if
              the client marks the server principal as host-based or the
              service is also listed in host_based_services.
              no_host_referral = * will disable referral processing
              altogether.

       des_crc_session_supported
              (Boolean value.)  If set to true, the KDC will assume that
              service principals support des-cbc-crc for session key
              enctype negotiation purposes.  If allow_weak_crypto in
              libdefaults is false, or if des-cbc-crc is not a permitted
              enctype, then this variable has no effect.  Defaults to true.
              New in release 1.11.

       reject_bad_transit
              (Boolean value.)  If set to true, the KDC will check the list
              of transited realms for cross-realm tickets against the
              transit path computed from the realm names and the capaths
              section of its krb5.conf(5) file; if the path in the ticket
              to be issued contains any realms not in the computed path,
              the ticket will not be issued, and an error will be returned
              to the client instead.  If this value is set to false, such
              tickets will be issued anyway, and it will be left up to the
              application server to validate the realm transit path.

              If the disable-transited-check flag is set in the incoming
              request, this check is not performed at all.  Having the
              reject_bad_transit option will cause such ticket requests to
              be rejected always.

              This transit path checking and config file option currently
              apply only to TGS requests.

              The default value is true.

       restrict_anonymous_to_tgt
              (Boolean value.)  If set to true, the KDC will reject ticket
              requests from anonymous principals to service principals
              other than the realm's ticket-granting service.  This option
              allows anonymous PKINIT to be enabled for use as FAST armor
              tickets without allowing anonymous authentication to
              services.  The default value is false.  New in release 1.9.

       spake_preauth_indicator
              (String.)  Specifies an authentication indicator value that
              the KDC asserts into tickets obtained using SPAKE
              pre-authentication.  The default is not to add any
              indicators.  This option may be specified multiple times.
              New in release 1.17.

       supported_enctypes
              (List of key:salt strings.)  Specifies the default key/salt
              combinations of principals for this realm.  Any principals
              created through kadmin(1) will have keys of these types.  The
              default value for this tag is aes256-cts-hmac-sha1-96:normal
              aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal
              arcfour-hmac-md5:normal.  For lists of possible values, see
              Keysalt lists.

   [dbdefaults]
       The [dbdefaults] section specifies default values for some database
       parameters, to be used if the [dbmodules] subsection does not
       contain a relation for the tag.  See the [dbmodules] section for the
       definitions of these relations.

       · ldap_kerberos_container_dn

       · ldap_kdc_dn

       · ldap_kdc_sasl_authcid

       · ldap_kdc_sasl_authzid

       · ldap_kdc_sasl_mech

       · ldap_kdc_sasl_realm

       · ldap_kadmind_dn

       · ldap_kadmind_sasl_authcid

       · ldap_kadmind_sasl_authzid

       · ldap_kadmind_sasl_mech

       · ldap_kadmind_sasl_realm

       · ldap_service_password_file

       · ldap_servers

       · ldap_conns_per_server

   [dbmodules]
       The [dbmodules] section contains parameters used by the KDC database
       library and database modules.  Each tag in the [dbmodules] section
       is the name of a Kerberos realm or a section name specified by a
       realm's database_module parameter.  The following example shows how
       to define one database parameter for the ATHENA.MIT.EDU realm:

          [dbmodules]
              ATHENA.MIT.EDU = {
                  disable_last_success = true
              }

       The following tags may be specified in a [dbmodules] subsection:

       database_name
              This DB2-specific tag indicates the location of the database
              in the filesystem.  The default is
              /var/kerberos/krb5kdc/principal.

       db_library
              This tag indicates the name of the loadable database module.
              The value should be db2 for the DB2 module and kldap for the
              LDAP module.

       disable_last_success
              If set to true, suppresses KDC updates to the "Last
              successful authentication" field of principal entries
              requiring preauthentication.  Setting this flag may improve
              performance.  (Principal entries which do not require
              preauthentication never update the "Last successful
              authentication" field.)  First introduced in release 1.9.

       disable_lockout
              If set to true, suppresses KDC updates to the "Last failed
              authentication" and "Failed password attempts" fields of
              principal entries requiring preauthentication.  Setting this
              flag may improve performance, but also disables account
              lockout.  First introduced in release 1.9.

       ldap_conns_per_server
              This LDAP-specific tag indicates the number of connections to
              be maintained per LDAP server.

       ldap_kdc_dn and ldap_kadmind_dn
              These LDAP-specific tags indicate the default DN for binding
              to the LDAP server.  The krb5kdc(8) daemon uses ldap_kdc_dn,
              while the kadmind(8) daemon and other administrative programs
              use ldap_kadmind_dn.  The kadmind DN must have the rights to
              read and write the Kerberos data in the LDAP database.  The
              KDC DN must have the same rights, unless disable_lockout and
              disable_last_success are true, in which case it only needs to
              have rights to read the Kerberos data.  These tags are
              ignored if a SASL mechanism is set with ldap_kdc_sasl_mech or
              ldap_kadmind_sasl_mech.

       ldap_kdc_sasl_mech and ldap_kadmind_sasl_mech
              These LDAP-specific tags specify the SASL mechanism (such as
              EXTERNAL) to use when binding to the LDAP server.  New in
              release 1.13.

       ldap_kdc_sasl_authcid and ldap_kadmind_sasl_authcid
              These LDAP-specific tags specify the SASL authentication
              identity to use when binding to the LDAP server.  Not all
              SASL mechanisms require an authentication identity.  If the
              SASL mechanism requires a secret (such as the password for
              DIGEST-MD5), these tags also determine the name within the
              ldap_service_password_file where the secret is stashed.  New
              in release 1.13.

       ldap_kdc_sasl_authzid and ldap_kadmind_sasl_authzid
              These LDAP-specific tags specify the SASL authorization
              identity to use when binding to the LDAP server.  In most
              circumstances they do not need to be specified.  New in
              release 1.13.

       ldap_kdc_sasl_realm and ldap_kadmind_sasl_realm
              These LDAP-specific tags specify the SASL realm to use when
              binding to the LDAP server.  In most circumstances they do
              not need to be set.  New in release 1.13.

       ldap_kerberos_container_dn
              This LDAP-specific tag indicates the DN of the container
              object where the realm objects will be located.

       ldap_servers
              This LDAP-specific tag indicates the list of LDAP servers
              that the Kerberos servers can connect to.  The list of LDAP
              servers is whitespace-separated.  Each LDAP server is
              specified by an LDAP URI.  It is recommended to use ldapi: or
              ldaps: URLs to connect to the LDAP server.

       ldap_service_password_file
              This LDAP-specific tag indicates the file containing the
              stashed passwords (created by kdb5_ldap_util stashsrvpw) for
              the ldap_kdc_dn and ldap_kadmind_dn objects, or for the
              ldap_kdc_sasl_authcid or ldap_kadmind_sasl_authcid names for
              SASL authentication.  This file must be kept secure.

       unlockiter
              If set to true, this DB2-specific tag causes iteration
              operations to release the database lock while processing
              each principal.  Setting this flag to true can prevent
              extended blocking of KDC or kadmin operations when dumps of
              large databases are in progress.  First introduced in release
              1.13.

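       The LDAP bind rules in the [dbmodules] tags above, as an added
       Python example (not part of this man page and not MIT Kerberos
       code): for one subsection given as a dict it works out which
       identity krb5kdc binds with (a SASL mechanism takes precedence over
       ldap_kdc_dn, as the page says), whether that identity needs write
       rights or only read rights (read-only only when both disable_lockout
       and disable_last_success are true), flags ldap_servers entries that
       are not ldapi: or ldaps: URIs, and points out that disable_lockout
       turns account lockout off.  The sample DNs, hostnames, file path and
       finding texts are constructed for this example.

```python
# Added example: review of one LDAP [dbmodules] subsection against the
# rules stated on the page.  Not part of the kdc.conf man page or of MIT
# Kerberos; the sample subsection and finding texts are constructed.


def _is_true(section, tag):
    return str(section.get(tag, "false")).strip().lower() == "true"


def kdc_bind_identity(section):
    """Identity krb5kdc binds with: a SASL mechanism wins over ldap_kdc_dn."""
    if "ldap_kdc_sasl_mech" in section:
        return ("sasl", section["ldap_kdc_sasl_mech"],
                section.get("ldap_kdc_sasl_authcid"))
    return ("simple", section.get("ldap_kdc_dn"))


def kdc_needs_write_access(section):
    """The KDC identity needs read and write rights unless both the
    last-success and lockout updates are suppressed."""
    return not (_is_true(section, "disable_lockout")
                and _is_true(section, "disable_last_success"))


def review_ldap_module(section):
    """Return a list of findings (constructed wording) for the subsection."""
    if section.get("db_library") != "kldap":
        return ["db_library is not kldap; LDAP tags do not apply"]
    findings = []
    for uri in section.get("ldap_servers", "").split():
        if not (uri.startswith("ldapi:") or uri.startswith("ldaps:")):
            findings.append(f"{uri}: use an ldapi: or ldaps: URI as recommended")
    if "ldap_kdc_sasl_mech" in section and "ldap_kdc_dn" in section:
        findings.append("ldap_kdc_dn is ignored because ldap_kdc_sasl_mech is set")
    if _is_true(section, "disable_lockout"):
        findings.append("disable_lockout=true: account lockout is disabled")
    rights = "read and write" if kdc_needs_write_access(section) else "read-only"
    findings.append(f"KDC bind identity needs {rights} rights to the Kerberos data")
    if "ldap_service_password_file" in section:
        findings.append("keep " + section["ldap_service_password_file"]
                        + " secure: it holds the stashed bind secrets")
    return findings


# Constructed sample subsection (all names and paths are made up).
SAMPLE_LDAP_MODULE = {
    "db_library": "kldap",
    "ldap_servers": "ldap://ldap.example.com ldapi:///",
    "ldap_kdc_dn": "cn=kdc-service,dc=example,dc=com",
    "ldap_kadmind_dn": "cn=kadmin-service,dc=example,dc=com",
    "ldap_kerberos_container_dn": "cn=krbContainer,dc=example,dc=com",
    "ldap_service_password_file": "/var/kerberos/krb5kdc/service.keyfile",
    "disable_lockout": "true",
}

if __name__ == "__main__":
    print(kdc_bind_identity(SAMPLE_LDAP_MODULE))
    for finding in review_ldap_module(SAMPLE_LDAP_MODULE):
        print("-", finding)
```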
       The following tag may be specified directly in the [dbmodules]
       section to control where database modules are loaded from:

       db_module_dir
              This tag controls where the plugin system looks for database
              modules.  The value should be an absolute path.

574   [logging]
575       The  [logging]  section indicates how krb5kdc(8) and kadmind(8) perform
       logging.  It may contain the following relations:

       admin_server
              Specifies how kadmind(8) performs logging.

       kdc    Specifies how krb5kdc(8) performs logging.

       default
              Specifies how either daemon performs logging in the absence of
              relations specific to the daemon.

       debug  (Boolean value.)  Specifies whether debugging messages are
              included in log outputs other than SYSLOG.  Debugging messages
              are always included in the system log output because syslog
              performs its own priority filtering.  The default value is
              false.  New in release 1.15.

       Logging specifications may have the following forms:

       FILE=filename or FILE:filename
              This value causes the daemon's logging messages to go to the
              filename.  If the = form is used, the file is overwritten.  If
              the : form is used, the file is appended to.

       STDERR This value causes the daemon's logging messages to go to its
              standard error stream.

       CONSOLE
              This value causes the daemon's logging messages to go to the
              console, if the system supports it.

       DEVICE=<devicename>
              This causes the daemon's logging messages to go to the specified
              device.

       SYSLOG[:severity[:facility]]
              This causes the daemon's logging messages to go to the system
              log.

              The severity argument specifies the default severity of system
              log messages.  This may be any of the following severities
              supported by the syslog(3) call, minus the LOG_ prefix: EMERG,
              ALERT, CRIT, ERR, WARNING, NOTICE, INFO, and DEBUG.

              The facility argument specifies the facility under which the
              messages are logged.  This may be any of the following
              facilities supported by the syslog(3) call, minus the LOG_
              prefix: KERN, USER, MAIL, DAEMON, AUTH, LPR, NEWS, UUCP, CRON,
              and LOCAL0 through LOCAL7.

              If no severity is specified, the default is ERR.  If no facility
              is specified, the default is AUTH.

       In the following example, the logging messages from the KDC will go to
       the console and to the system log under the facility LOG_DAEMON with a
       default severity of LOG_INFO; and the logging messages from the
       administrative server will be appended to the file /var/adm/kadmin.log
       and sent to the device /dev/tty04.

          [logging]
              kdc = CONSOLE
              kdc = SYSLOG:INFO:DAEMON
              admin_server = FILE:/var/adm/kadmin.log
              admin_server = DEVICE=/dev/tty04

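       As an added example (not code from MIT krb5), the following Python
       parses the logging value forms listed above and applies the documented
       fallback from the kdc and admin_server relations to default.  The
       SAMPLE_LOGGING data is constructed from the example above; treating an
       empty SYSLOG component as absent is this example's own assumption.

```python
SYSLOG_SEVERITIES = ("EMERG", "ALERT", "CRIT", "ERR", "WARNING",
                     "NOTICE", "INFO", "DEBUG")
SYSLOG_FACILITIES = ("KERN", "USER", "MAIL", "DAEMON", "AUTH", "LPR",
                     "NEWS", "UUCP", "CRON") + tuple(f"LOCAL{i}" for i in range(8))


def parse_log_spec(spec):
    """Return a dict describing one logging value; ValueError if malformed."""
    spec = spec.strip()
    if spec in ("STDERR", "CONSOLE"):
        return {"target": spec.lower()}
    if spec[:5] in ("FILE=", "FILE:"):
        path = spec[5:]
        if not path:
            raise ValueError(f"FILE requires a filename: {spec!r}")
        # FILE= truncates the file at startup; FILE: appends to it
        return {"target": "file", "path": path, "append": spec[4] == ":"}
    if spec.startswith("DEVICE="):
        device = spec[7:]
        if not device:
            raise ValueError(f"DEVICE requires a device name: {spec!r}")
        return {"target": "device", "path": device}
    if spec == "SYSLOG" or spec.startswith("SYSLOG:"):
        parts = spec.split(":")
        if len(parts) > 3:
            raise ValueError(f"too many SYSLOG components: {spec!r}")
        # Documented defaults: severity ERR, facility AUTH.  An empty
        # component is treated as absent (this example's assumption).
        severity = parts[1] if len(parts) > 1 and parts[1] else "ERR"
        facility = parts[2] if len(parts) > 2 and parts[2] else "AUTH"
        if severity not in SYSLOG_SEVERITIES:
            raise ValueError(f"unknown syslog severity {severity!r}")
        if facility not in SYSLOG_FACILITIES:
            raise ValueError(f"unknown syslog facility {facility!r}")
        return {"target": "syslog", "severity": severity, "facility": facility}
    raise ValueError(f"unrecognized logging specification: {spec!r}")


def resolve_logging(relations, daemon):
    """relations: (tag, value) pairs from [logging] in file order.

    Returns the parsed specs for `daemon` ("kdc" or "admin_server"); when the
    section has no relation for that daemon, the "default" relations apply.
    """
    values = [v for tag, v in relations if tag == daemon]
    if not values:
        values = [v for tag, v in relations if tag == "default"]
    return [parse_log_spec(v) for v in values]


# Constructed sample: the [logging] example from this man page, plus a
# second section with only a "default" relation so the fallback is exercised.
SAMPLE_LOGGING = [
    ("kdc", "CONSOLE"),
    ("kdc", "SYSLOG:INFO:DAEMON"),
    ("admin_server", "FILE:/var/adm/kadmin.log"),
    ("admin_server", "DEVICE=/dev/tty04"),
]
FALLBACK_ONLY = [("default", "SYSLOG")]

if __name__ == "__main__":
    for daemon in ("kdc", "admin_server"):
        print(daemon, resolve_logging(SAMPLE_LOGGING, daemon))
        print(daemon, resolve_logging(FALLBACK_ONLY, daemon))
```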
   [otp]
       Each subsection of [otp] is the name of an OTP token type.  The tags
       within the subsection define the configuration required to forward a
       One Time Password request to a RADIUS server.

       For each token type, the following tags may be specified:

       server This is the server to send the RADIUS request to.  It can be a
              hostname with optional port, an IP address with optional port,
              or a Unix domain socket address.  The default is
              /var/kerberos/krb5kdc/<name>.socket.

       secret This tag indicates a filename (which may be relative to
              /var/kerberos/krb5kdc) containing the secret used to encrypt the
              RADIUS packets.  The secret should appear in the first line of
              the file by itself; leading and trailing whitespace on the line
              will be removed.  If the value of server is a Unix domain socket
              address, this tag is optional, and an empty secret will be used
              if it is not specified.  Otherwise, this tag is required.

       timeout
              An integer which specifies the time in seconds during which the
              KDC should attempt to contact the RADIUS server.  This tag is
              the total time across all retries and should be less than the
              time for which an OTP value remains valid.  The default is 5
              seconds.

       retries
              This tag specifies the number of retries to make to the RADIUS
              server.  The default is 3 retries (4 tries).

       strip_realm
              If this tag is true, the principal without the realm will be
              passed to the RADIUS server.  Otherwise, the realm will be
              included.  The default value is true.

       indicator
              This tag specifies an authentication indicator to be included in
              the ticket if this token type is used to authenticate.  This
              option may be specified multiple times.  (New in release 1.14.)

       In the following example, requests are sent to a remote server via UDP:

          [otp]
              MyRemoteTokenType = {
                  server = radius.mydomain.com:1812
                  secret = SEmfiajf42$
                  timeout = 15
                  retries = 5
                  strip_realm = true
              }

       An implicit default token type named DEFAULT is defined for when the
       per-principal configuration does not specify a token type.  Its
       configuration is shown below.  You may override this token type to
       something applicable for your situation:

          [otp]
              DEFAULT = {
                  strip_realm = false
              }

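       The following Python, added here and not part of MIT krb5, normalises
       one [otp] token-type subsection according to the rules above (server
       default, secret file handling, timeout and retry defaults).  The
       read_first_line callable and the in-memory SECRET_FILES table stand in
       for the KDC's files, and otp_valid_seconds is a caller-supplied figure
       used only to warn when the total timeout is not below it.

```python
KDC_DIR = "/var/kerberos/krb5kdc"


def _profile_bool(value):
    """true/false as in this man page's examples; yes/no also accepted here."""
    text = str(value).strip().lower()
    if text in ("true", "yes"):
        return True
    if text in ("false", "no"):
        return False
    raise ValueError(f"not a boolean value: {value!r}")


def resolve_token_type(name, tags, read_first_line, otp_valid_seconds=None):
    """Return (config, warnings) for the [otp] subsection `name`.

    tags: relation -> string value (indicator may be a list of strings).
    read_first_line: callable returning the first line of a named file.
    """
    warnings = []
    server = tags.get("server", f"{KDC_DIR}/{name}.socket")
    unix_socket = server.startswith("/")  # a socket address is a path

    secret_file = tags.get("secret")
    if secret_file is None:
        if not unix_socket:
            raise ValueError(f"{name}: 'secret' is required for server {server}")
        secret = ""  # documented: empty secret for a Unix domain socket
    else:
        if not secret_file.startswith("/"):
            secret_file = f"{KDC_DIR}/{secret_file}"  # relative to the KDC dir
        secret = read_first_line(secret_file).strip()  # first line, trimmed
        if not secret:
            warnings.append(f"{name}: secret file {secret_file} is empty")

    timeout = int(tags.get("timeout", 5))
    retries = int(tags.get("retries", 3))
    if timeout <= 0 or retries < 0:
        raise ValueError(f"{name}: timeout must be positive and retries >= 0")
    # timeout is the total across all retries and should stay below the
    # time an OTP value remains valid.
    if otp_valid_seconds is not None and timeout >= otp_valid_seconds:
        warnings.append(f"{name}: total timeout {timeout}s is not below the "
                        f"OTP validity window of {otp_valid_seconds}s")

    indicators = tags.get("indicator", [])
    config = {
        "server": server, "unix_socket": unix_socket, "secret": secret,
        "timeout": timeout, "retries": retries, "tries": retries + 1,
        "strip_realm": _profile_bool(tags.get("strip_realm", "true")),
        "indicators": [indicators] if isinstance(indicators, str)
        else list(indicators),
    }
    return config, warnings


# Constructed in-memory stand-in for secret files on the KDC's disk.
SECRET_FILES = {f"{KDC_DIR}/radius.secret": "  SEmfiajf42$  \n"}


def read_secret_file(path):
    lines = SECRET_FILES[path].splitlines()  # KeyError stands for ENOENT
    return lines[0] if lines else ""


# Constructed tags mirroring the MyRemoteTokenType example above, with the
# secret placed in a file as the 'secret' tag is documented to require.
SAMPLE_TAGS = {"server": "radius.mydomain.com:1812", "secret": "radius.secret",
               "timeout": "15", "retries": "5", "strip_realm": "true"}
```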

PKINIT OPTIONS

       NOTE:
          The following are pkinit-specific options.  These values may be
          specified in [kdcdefaults] as global defaults, or within a
          realm-specific subsection of [realms].  Also note that a
          realm-specific value overrides, and does not add to, a generic
          [kdcdefaults] specification.  The search order is:

       1. realm-specific subsection of [realms]:

             [realms]
                 EXAMPLE.COM = {
                     pkinit_anchors = FILE:/usr/local/example.com.crt
                 }

       2. generic value in the [kdcdefaults] section:

             [kdcdefaults]
                 pkinit_anchors = DIR:/usr/local/generic_trusted_cas/

       For information about the syntax of some of these options, see
       Specifying PKINIT identity information in krb5.conf(5).

       pkinit_anchors
              Specifies the location of trusted anchor (root) certificates
              which the KDC trusts to sign client certificates.  This option
              is required if pkinit is to be supported by the KDC.  This
              option may be specified multiple times.

       pkinit_dh_min_bits
              Specifies the minimum number of bits the KDC is willing to
              accept for a client's Diffie-Hellman key.  The default is 2048.

       pkinit_allow_upn
              Specifies that the KDC is willing to accept client certificates
              with the Microsoft UserPrincipalName (UPN) Subject Alternative
              Name (SAN).  This means the KDC accepts the binding of the UPN
              in the certificate to the Kerberos principal name.  The default
              value is false.

              Without this option, the KDC will only accept certificates with
              the id-pkinit-san as defined in RFC 4556.  There is currently no
              option to disable SAN checking in the KDC.

       pkinit_eku_checking
              This option specifies what Extended Key Usage (EKU) values the
              KDC is willing to accept in client certificates.  The values
              recognized in the kdc.conf file are:

              kpClientAuth
                     This is the default value and specifies that client
                     certificates must have the id-pkinit-KPClientAuth EKU as
                     defined in RFC 4556.

              scLogin
                     If scLogin is specified, client certificates with the
                     Microsoft Smart Card Login EKU (id-ms-kp-sc-logon) will
                     be accepted.

              none   If none is specified, then client certificates will not
                     be checked to verify they have an acceptable EKU.  The
                     use of this option is not recommended.

       pkinit_identity
              Specifies the location of the KDC's X.509 identity information.
              This option is required if pkinit is to be supported by the KDC.

       pkinit_indicator
              Specifies an authentication indicator to include in the ticket
              if pkinit is used to authenticate.  This option may be specified
              multiple times.  (New in release 1.14.)

       pkinit_pool
              Specifies the location of intermediate certificates which may be
              used by the KDC to complete the trust chain between a client's
              certificate and a trusted anchor.  This option may be specified
              multiple times.

       pkinit_revoke
              Specifies the location of Certificate Revocation List (CRL)
              information to be used by the KDC when verifying the validity of
              client certificates.  This option may be specified multiple
              times.

       pkinit_require_crl_checking
              The default certificate verification process will always check
              the available revocation information to see if a certificate has
              been revoked.  If a match is found for the certificate in a CRL,
              verification fails.  If the certificate being verified is not
              listed in a CRL, or there is no CRL present for its issuing CA,
              and pkinit_require_crl_checking is false, then verification
              succeeds.

              However, if pkinit_require_crl_checking is true and there is no
              CRL information available for the issuing CA, then verification
              fails.

              pkinit_require_crl_checking should be set to true if the policy
              is such that up-to-date CRLs must be present for every CA.

       pkinit_require_freshness
              Specifies whether to require clients to include a freshness
              token in PKINIT requests.  The default value is false.  (New in
              release 1.17.)


ENCRYPTION TYPES

       Any tag in the configuration files which requires a list of encryption
       types can be set to some combination of the following strings.
       Encryption types marked as "weak" are available for compatibility but
       not recommended for use.

             ┌────────────────────────────┬──────────────────────────────────────┐
             │des-cbc-crc                 │ DES cbc mode with CRC-32 (weak)      │
             ├────────────────────────────┼──────────────────────────────────────┤
             │des-cbc-md4                 │ DES cbc mode with RSA-MD4 (weak)     │
             ├────────────────────────────┼──────────────────────────────────────┤
             │des-cbc-md5                 │ DES cbc mode with RSA-MD5 (weak)     │
             ├────────────────────────────┼──────────────────────────────────────┤
             │des-cbc-raw                 │ DES cbc mode raw (weak)              │
             ├────────────────────────────┼──────────────────────────────────────┤
             │des3-cbc-raw                │ Triple DES cbc mode raw (weak)       │
             ├────────────────────────────┼──────────────────────────────────────┤
             │des3-cbc-sha1               │ Triple DES cbc mode with HMAC/sha1   │
             │des3-hmac-sha1              │                                      │
             │des3-cbc-sha1-kd            │                                      │
             ├────────────────────────────┼──────────────────────────────────────┤
             │des-hmac-sha1               │ DES with HMAC/sha1 (weak)            │
             ├────────────────────────────┼──────────────────────────────────────┤
             │aes256-cts-hmac-sha1-96     │ AES-256 CTS mode with 96-bit SHA-1   │
             │aes256-cts                  │ HMAC                                 │
             │aes256-sha1                 │                                      │
             ├────────────────────────────┼──────────────────────────────────────┤
             │aes128-cts-hmac-sha1-96     │ AES-128 CTS mode with 96-bit SHA-1   │
             │aes128-cts                  │ HMAC                                 │
             │aes128-sha1                 │                                      │
             ├────────────────────────────┼──────────────────────────────────────┤
             │aes256-cts-hmac-sha384-192  │ AES-256 CTS mode with 192-bit        │
             │aes256-sha2                 │ SHA-384 HMAC                         │
             ├────────────────────────────┼──────────────────────────────────────┤
             │aes128-cts-hmac-sha256-128  │ AES-128 CTS mode with 128-bit        │
             │aes128-sha2                 │ SHA-256 HMAC                         │
             ├────────────────────────────┼──────────────────────────────────────┤
             │arcfour-hmac                │ RC4 with HMAC/MD5                    │
             │rc4-hmac                    │                                      │
             │arcfour-hmac-md5            │                                      │
             ├────────────────────────────┼──────────────────────────────────────┤
             │arcfour-hmac-exp            │ Exportable RC4 with HMAC/MD5 (weak)  │
             │rc4-hmac-exp                │                                      │
             │arcfour-hmac-md5-exp        │                                      │
             ├────────────────────────────┼──────────────────────────────────────┤
             │camellia256-cts-cmac        │ Camellia-256 CTS mode with CMAC      │
             │camellia256-cts             │                                      │
             ├────────────────────────────┼──────────────────────────────────────┤
             │camellia128-cts-cmac        │ Camellia-128 CTS mode with CMAC      │
             │camellia128-cts             │                                      │
             ├────────────────────────────┼──────────────────────────────────────┤
             │des                         │ The DES family: des-cbc-crc,         │
             │                            │ des-cbc-md5, and des-cbc-md4 (weak)  │
             ├────────────────────────────┼──────────────────────────────────────┤
             │des3                        │ The triple DES family: des3-cbc-sha1 │
             ├────────────────────────────┼──────────────────────────────────────┤
             │aes                         │ The AES family:                      │
             │                            │ aes256-cts-hmac-sha1-96,             │
             │                            │ aes128-cts-hmac-sha1-96,             │
             │                            │ aes256-cts-hmac-sha384-192, and      │
             │                            │ aes128-cts-hmac-sha256-128           │
             ├────────────────────────────┼──────────────────────────────────────┤
             │rc4                         │ The RC4 family: arcfour-hmac         │
             ├────────────────────────────┼──────────────────────────────────────┤
             │camellia                    │ The Camellia family:                 │
             │                            │ camellia256-cts-cmac and             │
             │                            │ camellia128-cts-cmac                 │
             └────────────────────────────┴──────────────────────────────────────┘

       The string DEFAULT can be used to refer to the default set of types for
       the variable in question.  Types or families can be removed from the
       current list by prefixing them with a minus sign ("-").  Types or
       families can be prefixed with a plus sign ("+") for symmetry; it has
       the same meaning as just listing the type or family.  For example,
       "DEFAULT -des" would be the default set of encryption types with DES
       types removed, and "des3 DEFAULT" would be the default set of
       encryption types with triple DES types moved to the front.

       While aes128-cts and aes256-cts are supported for all Kerberos
       operations, they are not supported by very old versions of our GSSAPI
       implementation (krb5-1.3.1 and earlier).  Services running versions of
       krb5 without AES support must not be given keys of these encryption
       types in the KDC database.

       The aes128-sha2 and aes256-sha2 encryption types are new in release
       1.15.  Services running versions of krb5 without support for these
       newer encryption types must not be given keys of these encryption types
       in the KDC database.


KEYSALT LISTS

       Kerberos keys for users are usually derived from passwords.  Kerberos
       commands and configuration parameters that affect generation of keys
       take lists of enctype-salttype ("keysalt") pairs, known as keysalt
       lists.  Each keysalt pair is an enctype name followed by a salttype
       name, in the format enc:salt.  Individual keysalt list members are
       separated by comma (",") characters or space characters.  For example:

          kadmin -e aes256-cts:normal,aes128-cts:normal

       would start up kadmin so that by default it would generate
       password-derived keys for the aes256-cts and aes128-cts encryption
       types, using a normal salt.

       To ensure that people who happen to pick the same password do not have
       the same key, Kerberos 5 incorporates more information into the key
       using something called a salt.  The supported salt types are as
       follows:

                      ┌──────────┬───────────────────────────────────────┐
                      │normal    │ default for Kerberos Version 5        │
                      ├──────────┼───────────────────────────────────────┤
                      │v4        │ the only type used by Kerberos        │
                      │          │ Version 4 (no salt)                   │
                      ├──────────┼───────────────────────────────────────┤
                      │norealm   │ same as the default, without using    │
                      │          │ realm information                     │
                      ├──────────┼───────────────────────────────────────┤
                      │onlyrealm │ uses only realm information as the    │
                      │          │ salt                                  │
                      ├──────────┼───────────────────────────────────────┤
                      │afs3      │ AFS version 3, only used for          │
                      │          │ compatibility with Kerberos 4 in AFS  │
                      ├──────────┼───────────────────────────────────────┤
                      │special   │ generate a random salt                │
                      └──────────┴───────────────────────────────────────┘

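       The following Python, an added example rather than MIT krb5 code,
       implements the enctype-list rules from ENCRYPTION TYPES (aliases,
       families, DEFAULT, "-" removal and the "+" prefix) and the enc:salt
       keysalt list format described above.  The alias and family tables are
       transcribed from the ENCRYPTION TYPES table; SAMPLE_DEFAULT is a
       constructed DEFAULT set, since the real one depends on the variable in
       question.

```python
FAMILIES = {
    "des": ["des-cbc-crc", "des-cbc-md5", "des-cbc-md4"],
    "des3": ["des3-cbc-sha1"],
    "aes": ["aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96",
            "aes256-cts-hmac-sha384-192", "aes128-cts-hmac-sha256-128"],
    "rc4": ["arcfour-hmac"],
    "camellia": ["camellia256-cts-cmac", "camellia128-cts-cmac"],
}
ALIASES = {  # alternative spellings -> canonical enctype name
    "des3-hmac-sha1": "des3-cbc-sha1", "des3-cbc-sha1-kd": "des3-cbc-sha1",
    "aes256-cts": "aes256-cts-hmac-sha1-96", "aes256-sha1": "aes256-cts-hmac-sha1-96",
    "aes128-cts": "aes128-cts-hmac-sha1-96", "aes128-sha1": "aes128-cts-hmac-sha1-96",
    "aes256-sha2": "aes256-cts-hmac-sha384-192",
    "aes128-sha2": "aes128-cts-hmac-sha256-128",
    "rc4-hmac": "arcfour-hmac", "arcfour-hmac-md5": "arcfour-hmac",
    "rc4-hmac-exp": "arcfour-hmac-exp", "arcfour-hmac-md5-exp": "arcfour-hmac-exp",
    "camellia256-cts": "camellia256-cts-cmac", "camellia128-cts": "camellia128-cts-cmac",
}
WEAK = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-cbc-raw",
        "des3-cbc-raw", "des-hmac-sha1", "arcfour-hmac-exp"}
KNOWN = WEAK | set(ALIASES.values()) | {t for ts in FAMILIES.values() for t in ts}
SALTTYPES = ("normal", "v4", "norealm", "onlyrealm", "afs3", "special")


def _expand(token):
    """Map one name to the list of canonical enctypes it denotes."""
    token = ALIASES.get(token, token)
    if token in FAMILIES:
        return list(FAMILIES[token])
    if token not in KNOWN:
        raise ValueError(f"unknown encryption type {token!r}")
    return [token]


def resolve_enctypes(spec, default):
    """Resolve an enctype list; `default` is the variable's DEFAULT set."""
    result = []
    for token in spec.replace(",", " ").split():
        remove = token.startswith("-")
        if token[0] in "+-":  # "+" means the same as the bare name
            token = token[1:]
        members = list(default) if token == "DEFAULT" else _expand(token)
        if remove:
            result = [t for t in result if t not in members]
        else:
            result.extend(t for t in members if t not in result)
    return result


def weak_types(enctypes):
    """Return the entries of a resolved list that the table marks as weak."""
    return [t for t in enctypes if t in WEAK]


def parse_keysalts(spec):
    """Parse enc:salt pairs separated by commas or spaces."""
    pairs = []
    for item in spec.replace(",", " ").split():
        enc, sep, salt = item.partition(":")
        if not sep or salt not in SALTTYPES:
            raise ValueError(f"bad keysalt pair {item!r}")
        canonical = _expand(enc)
        if len(canonical) != 1:  # a family is not a single enctype
            raise ValueError(f"keysalt needs one enctype, not family {enc!r}")
        pairs.append((canonical[0], salt))
    return pairs


# Constructed DEFAULT set for demonstration only.
SAMPLE_DEFAULT = ["aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96",
                  "des3-cbc-sha1", "arcfour-hmac", "des-cbc-crc", "des-cbc-md5"]
```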

SAMPLE KDC.CONF FILE

       Here's an example of a kdc.conf file:

          [kdcdefaults]
              kdc_listen = 88
              kdc_tcp_listen = 88
          [realms]
              ATHENA.MIT.EDU = {
                  kadmind_port = 749
                  max_life = 12h 0m 0s
                  max_renewable_life = 7d 0h 0m 0s
                  master_key_type = aes256-cts-hmac-sha1-96
                  supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal
                  database_module = openldap_ldapconf
              }

          [logging]
              kdc = FILE:/usr/local/var/krb5kdc/kdc.log
              admin_server = FILE:/usr/local/var/krb5kdc/kadmin.log

          [dbdefaults]
              ldap_kerberos_container_dn = cn=krbcontainer,dc=mit,dc=edu

          [dbmodules]
              openldap_ldapconf = {
                  db_library = kldap
                  disable_last_success = true
                  ldap_kdc_dn = "cn=krbadmin,dc=mit,dc=edu"
                      # this object needs to have read rights on
                      # the realm container and principal subtrees
                  ldap_kadmind_dn = "cn=krbadmin,dc=mit,dc=edu"
                      # this object needs to have read and write rights on
                      # the realm container and principal subtrees
                  ldap_service_password_file = /etc/kerberos/service.keyfile
                  ldap_servers = ldaps://kerberos.mit.edu
                  ldap_conns_per_server = 5
              }


FILES

       /var/kerberos/krb5kdc/kdc.conf


SEE ALSO

       krb5.conf(5), krb5kdc(8), kadm5.acl(5)


AUTHOR

       MIT


COPYRIGHT

       1985-2018, MIT



1.16.1                                                             KDC.CONF(5)