1KRB5.CONF(5) MIT Kerberos KRB5.CONF(5)
2
6 krb5.conf - Kerberos configuration file
7 The krb5.conf file contains Kerberos configuration information, includ‐
9 ing the locations of KDCs and admin servers for the Kerberos realms of
10 interest, defaults for the current realm and for Kerberos applications,
11 and mappings of hostnames onto Kerberos realms. Normally, you should
12 install your krb5.conf file in the directory /etc. You can override
13 the default location by setting the environment variable KRB5_CONFIG.
14 Multiple colon-separated filenames may be specified in KRB5_CONFIG; all
15 files which are present will be read. Starting in release 1.14, direc‐
16 tory names can also be specified in KRB5_CONFIG; all files within the
17 directory whose names consist solely of alphanumeric characters,
18 dashes, or underscores will be read.
19
21 The krb5.conf file is set up in the style of a Windows INI file. Lines
22 beginning with '#' or ';' (possibly after initial whitespace) are
23 ignored as comments. Sections are headed by the section name, in
24 square brackets. Each section may contain zero or more relations, of
25 the form:
26 foo = bar
28 or:
30 fubar = {
32 foo = bar
33 baz = quux
34 }
35 Placing a '*' at the end of a line indicates that this is the final
37 value for the tag. This means that neither the remainder of this con‐
38 figuration file nor any other configuration file will be checked for
39 any other values for this tag.
40 For example, if you have the following lines:
42 foo = bar*
44 foo = baz
45 then the second value of foo (baz) would never be read.
47 The krb5.conf file can include other files using either of the follow‐
49 ing directives at the beginning of a line:
50 include FILENAME
52 includedir DIRNAME
53 FILENAME or DIRNAME should be an absolute path. The named file or
55 directory must exist and be readable. Including a directory includes
56 all files within the directory whose names consist solely of alphanu‐
57 meric characters, dashes, or underscores. Starting in release 1.15,
58 files with names ending in ".conf" are also included, unless the name
59 begins with ".". Included profile files are syntactically independent
60 of their parents, so each included file must begin with a section
61 header. Starting in release 1.17, files are read in alphanumeric
62 order; in previous releases, they may be read in any order.
63 The krb5.conf file can specify that configuration should be obtained
65 from a loadable module, rather than the file itself, using the follow‐
66 ing directive at the beginning of a line before any section headers:
67 module MODULEPATH:RESIDUAL
69 MODULEPATH may be relative to the library path of the krb5 installa‐
71 tion, or it may be an absolute path. RESIDUAL is provided to the mod‐
72 ule at initialization time. If krb5.conf uses a module directive,
73 kdc.conf(5) should also use one if it exists.
74
76 The krb5.conf file may contain the following sections:
77 ┌───────────────┬────────────────────────────┐
79 │[libdefaults] │ Settings used by the Ker‐ │
80 │ │ beros V5 library │
81 ├───────────────┼────────────────────────────┤
82 │[realms] │ Realm-specific contact │
83 │ │ information and settings │
84 ├───────────────┼────────────────────────────┤
85 │[domain_realm] │ Maps server hostnames to │
86 │ │ Kerberos realms │
87 ├───────────────┼────────────────────────────┤
88 │[capaths] │ Authentication paths for │
89 │ │ non-hierarchical │
90 │ │ cross-realm │
91 ├───────────────┼────────────────────────────┤
92 │[appdefaults] │ Settings used by some Ker‐ │
93 │ │ beros V5 applications │
94 ├───────────────┼────────────────────────────┤
95 │[plugins] │ Controls plugin module │
96 │ │ registration │
97 └───────────────┴────────────────────────────┘
98 Additionally, krb5.conf may include any of the relations described in
100 kdc.conf(5), but it is not a recommended practice.
101 [libdefaults]
103 The libdefaults section may contain any of the following relations:
104 allow_weak_crypto
106 If this flag is set to false, then weak encryption types (as
107 noted in Encryption_types in kdc.conf(5)) will be filtered out
108 of the lists default_tgs_enctypes, default_tkt_enctypes, and
109 permitted_enctypes. The default value for this tag is false,
110 which may cause authentication failures in existing Kerberos in‐
111 frastructures that do not support strong crypto. Users in
112 affected environments should set this tag to true until their
113 infrastructure adopts stronger ciphers.
114 ap_req_checksum_type
116 An integer which specifies the type of AP-REQ checksum to use in
117 authenticators. This variable should be unset so the appropri‐
118 ate checksum for the encryption key in use will be used. This
119 can be set if backward compatibility requires a specific check‐
120 sum type. See the kdc_req_checksum_type configuration option
121 for the possible values and their meanings.
122 canonicalize
124 If this flag is set to true, initial ticket requests to the KDC
125 will request canonicalization of the client principal name, and
126 answers with different client principals than the requested
127 principal will be accepted. The default value is false.
128 ccache_type
130 This parameter determines the format of credential cache types
131 created by kinit(1) or other programs. The default value is 4,
132 which represents the most current format. Smaller values can be
133 used for compatibility with very old implementations of Kerberos
134 which interact with credential caches on the same host.
135 clockskew
137 Sets the maximum allowable amount of clockskew in seconds that
138 the library will tolerate before assuming that a Kerberos mes‐
139 sage is invalid. The default value is 300 seconds, or five min‐
140 utes.
141 The clockskew setting is also used when evaluating ticket start
143 and expiration times. For example, tickets that have reached
144 their expiration time can still be used (and renewed if they are
145 renewable tickets) if they have been expired for a shorter dura‐
146 tion than the clockskew setting.
147 default_ccache_name
149 This relation specifies the name of the default credential
150 cache. The default is FILE:/tmp/krb5cc_%{uid}. This relation
151 is subject to parameter expansion (see below). New in release
152 1.11.
153 default_client_keytab_name
155 This relation specifies the name of the default keytab for
156 obtaining client credentials. The default is FILE:/var/ker‐
157 beros/krb5/user/%{euid}/client.keytab. This relation is subject
158 to parameter expansion (see below). New in release 1.11.
159 default_keytab_name
161 This relation specifies the default keytab name to be used by
162 application servers such as sshd. The default is
163 FILE:/etc/krb5.keytab. This relation is subject to parameter
164 expansion (see below).
165 default_realm
167 Identifies the default Kerberos realm for the client. Set its
168 value to your Kerberos realm. If this value is not set, then a
169 realm must be specified with every Kerberos principal when
170 invoking programs such as kinit(1).
171 default_tgs_enctypes
173 Identifies the supported list of session key encryption types
174 that the client should request when making a TGS-REQ, in order
175 of preference from highest to lowest. The list may be delimited
176 with commas or whitespace. See Encryption_types in kdc.conf(5)
177 for a list of the accepted values for this tag. The default
178 value is aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
179 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128
180 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camel‐
181 lia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4, but sin‐
182 gle-DES encryption types will be implicitly removed from this
183 list if the value of allow_weak_crypto is false.
184 Do not set this unless required for specific backward compati‐
186 bility purposes; stale values of this setting can prevent
187 clients from taking advantage of new stronger enctypes when the
188 libraries are upgraded.
189 default_tkt_enctypes
191 Identifies the supported list of session key encryption types
192 that the client should request when making an AS-REQ, in order
193 of preference from highest to lowest. The format is the same as
194 for default_tgs_enctypes. The default value for this tag is
195 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
196 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128
197 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camel‐
198 lia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4, but sin‐
199 gle-DES encryption types will be implicitly removed from this
200 list if the value of allow_weak_crypto is false.
201 Do not set this unless required for specific backward compati‐
203 bility purposes; stale values of this setting can prevent
204 clients from taking advantage of new stronger enctypes when the
205 libraries are upgraded.
206 dns_canonicalize_hostname
208 Indicate whether name lookups will be used to canonicalize host‐
209 names for use in service principal names. Setting this flag to
210 false can improve security by reducing reliance on DNS, but
211 means that short hostnames will not be canonicalized to
212 fully-qualified hostnames. The default value is true.
213 If this option is set to fallback (new in release 1.18), DNS
215 canonicalization will only be performed the server hostname is
216 not found with the original name when requesting credentials.
217 dns_lookup_kdc
219 Indicate whether DNS SRV records should be used to locate the
220 KDCs and other servers for a realm, if they are not listed in
221 the krb5.conf information for the realm. (Note that the
222 admin_server entry must be in the krb5.conf realm information in
223 order to contact kadmind, because the DNS implementation for
224 kadmin is incomplete.)
225 Enabling this option does open up a type of denial-of-service
227 attack, if someone spoofs the DNS records and redirects you to
228 another server. However, it's no worse than a denial of ser‐
229 vice, because that fake KDC will be unable to decode anything
230 you send it (besides the initial ticket request, which has no
231 encrypted data), and anything the fake KDC sends will not be
232 trusted without verification using some secret that it won't
233 know.
234 dns_uri_lookup
236 Indicate whether DNS URI records should be used to locate the
237 KDCs and other servers for a realm, if they are not listed in
238 the krb5.conf information for the realm. SRV records are used
239 as a fallback if no URI records were found. The default value
240 is true. New in release 1.15.
241 err_fmt
243 This relation allows for custom error message formatting. If a
244 value is set, error messages will be formatted by substituting a
245 normal error message for %M and an error code for %C in the
246 value.
247 extra_addresses
249 This allows a computer to use multiple local addresses, in order
250 to allow Kerberos to work in a network that uses NATs while
251 still using address-restricted tickets. The addresses should be
252 in a comma-separated list. This option has no effect if noad‐
253 dresses is true.
254 forwardable
256 If this flag is true, initial tickets will be forwardable by
257 default, if allowed by the KDC. The default value is false.
258 ignore_acceptor_hostname
260 When accepting GSSAPI or krb5 security contexts for host-based
261 service principals, ignore any hostname passed by the calling
262 application, and allow clients to authenticate to any service
263 principal in the keytab matching the service name and realm name
264 (if given). This option can improve the administrative flexi‐
265 bility of server applications on multihomed hosts, but could
266 compromise the security of virtual hosting environments. The
267 default value is false. New in release 1.10.
268 k5login_authoritative
270 If this flag is true, principals must be listed in a local
271 user's k5login file to be granted login access, if a .k5login(5)
272 file exists. If this flag is false, a principal may still be
273 granted login access through other mechanisms even if a k5login
274 file exists but does not list the principal. The default value
275 is true.
276 k5login_directory
278 If set, the library will look for a local user's k5login file
279 within the named directory, with a filename corresponding to the
280 local username. If not set, the library will look for k5login
281 files in the user's home directory, with the filename .k5login.
282 For security reasons, .k5login files must be owned by the local
283 user or by root.
284 kcm_mach_service
286 On macOS only, determines the name of the bootstrap service used
287 to contact the KCM daemon for the KCM credential cache type. If
288 the value is -, Mach RPC will not be used to contact the KCM
289 daemon. The default value is org.h5l.kcm.
290 kcm_socket
292 Determines the path to the Unix domain socket used to access the
293 KCM daemon for the KCM credential cache type. If the value is
294 -, Unix domain sockets will not be used to contact the KCM dae‐
295 mon. The default value is /var/run/.heim_org.h5l.kcm-socket.
296 kdc_default_options
298 Default KDC options (Xored for multiple values) when requesting
299 initial tickets. By default it is set to 0x00000010
300 (KDC_OPT_RENEWABLE_OK).
301 kdc_timesync
303 Accepted values for this relation are 1 or 0. If it is nonzero,
304 client machines will compute the difference between their time
305 and the time returned by the KDC in the timestamps in the tick‐
306 ets and use this value to correct for an inaccurate system clock
307 when requesting service tickets or authenticating to services.
308 This corrective factor is only used by the Kerberos library; it
309 is not used to change the system clock. The default value is 1.
310 kdc_req_checksum_type
312 An integer which specifies the type of checksum to use for the
313 KDC requests, for compatibility with very old KDC implementa‐
314 tions. This value is only used for DES keys; other keys use the
315 preferred checksum type for those keys.
316 The possible values and their meanings are as follows.
318 ┌─────┬────────────────────────────┐
320 │1 │ CRC32 │
321 ├─────┼────────────────────────────┤
322 │2 │ RSA MD4 │
323 ├─────┼────────────────────────────┤
324 │3 │ RSA MD4 DES │
325 ├─────┼────────────────────────────┤
326 │4 │ DES CBC │
327 ├─────┼────────────────────────────┤
328 │7 │ RSA MD5 │
329 └─────┴────────────────────────────┘
330 │8 │ RSA MD5 DES │
332 ├─────┼────────────────────────────┤
333 │9 │ NIST SHA │
334 ├─────┼────────────────────────────┤
335 │12 │ HMAC SHA1 DES3 │
336 ├─────┼────────────────────────────┤
337 │-138 │ Microsoft MD5 HMAC check‐ │
338 │ │ sum type │
339 └─────┴────────────────────────────┘
340 noaddresses
342 If this flag is true, requests for initial tickets will not be
343 made with address restrictions set, allowing the tickets to be
344 used across NATs. The default value is true.
345 permitted_enctypes
347 Identifies all encryption types that are permitted for use in
348 session key encryption. The default value for this tag is
349 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
350 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128
351 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camel‐
352 lia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4, but sin‐
353 gle-DES encryption types will be implicitly removed from this
354 list if the value of allow_weak_crypto is false.
355 plugin_base_dir
357 If set, determines the base directory where krb5 plugins are
358 located. The default value is the krb5/plugins subdirectory of
359 the krb5 library directory. This relation is subject to parame‐
360 ter expansion (see below) in release 1.17 and later.
361 preferred_preauth_types
363 This allows you to set the preferred preauthentication types
364 which the client will attempt before others which may be adver‐
365 tised by a KDC. The default value for this setting is "17, 16,
366 15, 14", which forces libkrb5 to attempt to use PKINIT if it is
367 supported.
368 proxiable
370 If this flag is true, initial tickets will be proxiable by
371 default, if allowed by the KDC. The default value is false.
372 rdns If this flag is true, reverse name lookup will be used in addi‐
374 tion to forward name lookup to canonicalizing hostnames for use
375 in service principal names. If dns_canonicalize_hostname is set
376 to false, this flag has no effect. The default value is true.
377 realm_try_domains
379 Indicate whether a host's domain components should be used to
380 determine the Kerberos realm of the host. The value of this
381 variable is an integer: -1 means not to search, 0 means to try
382 the host's domain itself, 1 means to also try the domain's imme‐
383 diate parent, and so forth. The library's usual mechanism for
384 locating Kerberos realms is used to determine whether a domain
385 is a valid realm, which may involve consulting DNS if
386 dns_lookup_kdc is set. The default is not to search domain com‐
387 ponents.
388 renew_lifetime
390 (duration string.) Sets the default renewable lifetime for ini‐
391 tial ticket requests. The default value is 0.
392 safe_checksum_type
394 An integer which specifies the type of checksum to use for the
395 KRB-SAFE requests. By default it is set to 8 (RSA MD5 DES).
396 For compatibility with applications linked against DCE version
397 1.1 or earlier Kerberos libraries, use a value of 3 to use the
398 RSA MD4 DES instead. This field is ignored when its value is
399 incompatible with the session key type. See the kdc_req_check‐
400 sum_type configuration option for the possible values and their
401 meanings.
402 spake_preauth_groups
404 A whitespace or comma-separated list of words which specifies
405 the groups allowed for SPAKE preauthentication. The possible
406 values are:
407 ┌─────────────┬────────────────────────────┐
409 │edwards25519 │ Edwards25519 curve (RFC │
410 │ │ 7748) │
411 ├─────────────┼────────────────────────────┤
412 │P-256 │ NIST P-256 curve (RFC │
413 │ │ 5480) │
414 ├─────────────┼────────────────────────────┤
415 │P-384 │ NIST P-384 curve (RFC │
416 │ │ 5480) │
417 ├─────────────┼────────────────────────────┤
418 │P-521 │ NIST P-521 curve (RFC │
419 │ │ 5480) │
420 └─────────────┴────────────────────────────┘
421 The default value for the client is edwards25519. The default
423 value for the KDC is empty. New in release 1.17.
424 ticket_lifetime
426 (duration string.) Sets the default lifetime for initial ticket
427 requests. The default value is 1 day.
428 udp_preference_limit
430 When sending a message to the KDC, the library will try using
431 TCP before UDP if the size of the message is above udp_prefer‐
432 ence_limit. If the message is smaller than udp_prefer‐
433 ence_limit, then UDP will be tried before TCP. Regardless of
434 the size, both protocols will be tried if the first attempt
435 fails.
436 verify_ap_req_nofail
438 If this flag is true, then an attempt to verify initial creden‐
439 tials will fail if the client machine does not have a keytab.
440 The default value is false.
441 [realms]
443 Each tag in the [realms] section of the file is the name of a Kerberos
444 realm. The value of the tag is a subsection with relations that define
445 the properties of that particular realm. For each realm, the following
446 tags may be specified in the realm's subsection:
447 admin_server
449 Identifies the host where the administration server is running.
450 Typically, this is the master Kerberos server. This tag must be
451 given a value in order to communicate with the kadmind(8) server
452 for the realm.
453 auth_to_local
455 This tag allows you to set a general rule for mapping principal
456 names to local user names. It will be used if there is not an
457 explicit mapping for the principal name that is being trans‐
458 lated. The possible values are:
459 RULE:exp
461 The local name will be formulated from exp.
462 The format for exp is [n:string](regexp)s/pat‐
464 tern/replacement/g. The integer n indicates how many
465 components the target principal should have. If this
466 matches, then a string will be formed from string, sub‐
467 stituting the realm of the principal for $0 and the n'th
468 component of the principal for $n (e.g., if the principal
469 was johndoe/admin then [2:$2$1foo] would result in the
470 string adminjohndoefoo). If this string matches regexp,
471 then the s//[g] substitution command will be run over the
472 string. The optional g will cause the substitution to be
473 global over the string, instead of replacing only the
474 first match in the string.
475 DEFAULT
477 The principal name will be used as the local user name.
478 If the principal has more than one component or is not in
479 the default realm, this rule is not applicable and the
480 conversion will fail.
481 For example:
483 [realms]
485 ATHENA.MIT.EDU = {
486 auth_to_local = RULE:[2:$1](johndoe)s/^.*$/guest/
487 auth_to_local = RULE:[2:$1;$2](^.*;admin$)s/;admin$//
488 auth_to_local = RULE:[2:$2](^.*;root)s/^.*$/root/
489 auth_to_local = DEFAULT
490 }
491 would result in any principal without root or admin as the sec‐
493 ond component to be translated with the default rule. A princi‐
494 pal with a second component of admin will become its first com‐
495 ponent. root will be used as the local name for any principal
496 with a second component of root. The exception to these two
497 rules are any principals johndoe/*, which will always get the
498 local name guest.
499 auth_to_local_names
501 This subsection allows you to set explicit mappings from princi‐
502 pal names to local user names. The tag is the mapping name, and
503 the value is the corresponding local user name.
504 default_domain
506 This tag specifies the domain used to expand hostnames when
507 translating Kerberos 4 service principals to Kerberos 5 princi‐
508 pals (for example, when converting rcmd.hostname to host/host‐
509 name.domain).
510 disable_encrypted_timestamp
512 If this flag is true, the client will not perform encrypted
513 timestamp preauthentication if requested by the KDC. Setting
514 this flag can help to prevent dictionary attacks by active
515 attackers, if the realm's KDCs support SPAKE preauthentication
516 or if initial authentication always uses another mechanism or
517 always uses FAST. This flag persists across client referrals
518 during initial authentication. This flag does not prevent the
519 KDC from offering encrypted timestamp. New in release 1.17.
520 http_anchors
522 When KDCs and kpasswd servers are accessed through HTTPS prox‐
523 ies, this tag can be used to specify the location of the CA cer‐
524 tificate which should be trusted to issue the certificate for a
525 proxy server. If left unspecified, the system-wide default set
526 of CA certificates is used.
527 The syntax for values is similar to that of values for the
529 pkinit_anchors tag:
530 FILE: filename
532 filename is assumed to be the name of an OpenSSL-style ca-bundle
534 file.
535 DIR: dirname
537 dirname is assumed to be an directory which contains CA certifi‐
539 cates. All files in the directory will be examined; if they
540 contain certificates (in PEM format), they will be used.
541 ENV: envvar
543 envvar specifies the name of an environment variable which has
545 been set to a value conforming to one of the previous values.
546 For example, ENV:X509_PROXY_CA, where environment variable
547 X509_PROXY_CA has been set to FILE:/tmp/my_proxy.pem.
548 kdc The name or address of a host running a KDC for that realm. An
550 optional port number, separated from the hostname by a colon,
551 may be included. If the name or address contains colons (for
552 example, if it is an IPv6 address), enclose it in square brack‐
553 ets to distinguish the colon from a port separator. For your
554 computer to be able to communicate with the KDC for each realm,
555 this tag must be given a value in each realm subsection in the
556 configuration file, or there must be DNS SRV records specifying
557 the KDCs.
558 kpasswd_server
560 Points to the server where all the password changes are per‐
561 formed. If there is no such entry, DNS will be queried (unless
562 forbidden by dns_lookup_kdc). Finally, port 464 on the
563 admin_server host will be tried.
564 master_kdc
566 Identifies the master KDC(s). Currently, this tag is used in
567 only one case: If an attempt to get credentials fails because of
568 an invalid password, the client software will attempt to contact
569 the master KDC, in case the user's password has just been
570 changed, and the updated database has not been propagated to the
571 replica servers yet.
572 v4_instance_convert
574 This subsection allows the administrator to configure exceptions
575 to the default_domain mapping rule. It contains V4 instances
576 (the tag name) which should be translated to some specific host‐
577 name (the tag value) as the second component in a Kerberos V5
578 principal name.
579 v4_realm
581 This relation is used by the krb524 library routines when con‐
582 verting a V5 principal name to a V4 principal name. It is used
583 when the V4 realm name and the V5 realm name are not the same,
584 but still share the same principal names and passwords. The tag
585 value is the Kerberos V4 realm name.
586 [domain_realm]
588 The [domain_realm] section provides a translation from a domain name or
589 hostname to a Kerberos realm name. The tag name can be a host name or
590 domain name, where domain names are indicated by a prefix of a period
591 (.). The value of the relation is the Kerberos realm name for that
592 particular host or domain. A host name relation implicitly provides
593 the corresponding domain name relation, unless an explicit domain name
594 relation is provided. The Kerberos realm may be identified either in
595 the realms section or using DNS SRV records. Host names and domain
596 names should be in lower case. For example:
597 [domain_realm]
599 crash.mit.edu = TEST.ATHENA.MIT.EDU
600 .dev.mit.edu = TEST.ATHENA.MIT.EDU
601 mit.edu = ATHENA.MIT.EDU
602 maps the host with the name crash.mit.edu into the TEST.ATHENA.MIT.EDU
604 realm. The second entry maps all hosts under the domain dev.mit.edu
605 into the TEST.ATHENA.MIT.EDU realm, but not the host with the name
606 dev.mit.edu. That host is matched by the third entry, which maps the
607 host mit.edu and all hosts under the domain mit.edu that do not match a
608 preceding rule into the realm ATHENA.MIT.EDU.
609 If no translation entry applies to a hostname used for a service prin‐
611 cipal for a service ticket request, the library will try to get a
612 referral to the appropriate realm from the client realm's KDC. If that
613 does not succeed, the host's realm is considered to be the hostname's
614 domain portion converted to uppercase, unless the realm_try_domains
615 setting in [libdefaults] causes a different parent domain to be used.
616 [capaths]
618 In order to perform direct (non-hierarchical) cross-realm authentica‐
619 tion, configuration is needed to determine the authentication paths
620 between realms.
621 A client will use this section to find the authentication path between
623 its realm and the realm of the server. The server will use this sec‐
624 tion to verify the authentication path used by the client, by checking
625 the transited field of the received ticket.
626 There is a tag for each participating client realm, and each tag has
628 subtags for each of the server realms. The value of the subtags is an
629 intermediate realm which may participate in the cross-realm authentica‐
630 tion. The subtags may be repeated if there is more then one intermedi‐
631 ate realm. A value of "." means that the two realms share keys
632 directly, and no intermediate realms should be allowed to participate.
633 Only those entries which will be needed on the client or the server
635 need to be present. A client needs a tag for its local realm with sub‐
636 tags for all the realms of servers it will need to authenticate to. A
637 server needs a tag for each realm of the clients it will serve, with a
638 subtag of the server realm.
639 For example, ANL.GOV, PNL.GOV, and NERSC.GOV all wish to use the ES.NET
641 realm as an intermediate realm. ANL has a sub realm of TEST.ANL.GOV
642 which will authenticate with NERSC.GOV but not PNL.GOV. The [capaths]
643 section for ANL.GOV systems would look like this:
644 [capaths]
646 ANL.GOV = {
647 TEST.ANL.GOV = .
648 PNL.GOV = ES.NET
649 NERSC.GOV = ES.NET
650 ES.NET = .
651 }
652 TEST.ANL.GOV = {
653 ANL.GOV = .
654 }
655 PNL.GOV = {
656 ANL.GOV = ES.NET
657 }
658 NERSC.GOV = {
659 ANL.GOV = ES.NET
660 }
661 ES.NET = {
662 ANL.GOV = .
663 }
664 The [capaths] section of the configuration file used on NERSC.GOV sys‐
666 tems would look like this:
667 [capaths]
669 NERSC.GOV = {
670 ANL.GOV = ES.NET
671 TEST.ANL.GOV = ES.NET
672 TEST.ANL.GOV = ANL.GOV
673 PNL.GOV = ES.NET
674 ES.NET = .
675 }
676 ANL.GOV = {
677 NERSC.GOV = ES.NET
678 }
679 PNL.GOV = {
680 NERSC.GOV = ES.NET
681 }
682 ES.NET = {
683 NERSC.GOV = .
684 }
685 TEST.ANL.GOV = {
686 NERSC.GOV = ANL.GOV
687 NERSC.GOV = ES.NET
688 }
689 When a subtag is used more than once within a tag, clients will use the
691 order of values to determine the path. The order of values is not
692 important to servers.
693 [appdefaults]
695 Each tag in the [appdefaults] section names a Kerberos V5 application
696 or an option that is used by some Kerberos V5 application[s]. The
697 value of the tag defines the default behaviors for that application.
698 For example:
700 [appdefaults]
702 telnet = {
703 ATHENA.MIT.EDU = {
704 option1 = false
705 }
706 }
707 telnet = {
708 option1 = true
709 option2 = true
710 }
711 ATHENA.MIT.EDU = {
712 option2 = false
713 }
714 option2 = true
715 The above four ways of specifying the value of an option are shown in
717 order of decreasing precedence. In this example, if telnet is running
718 in the realm EXAMPLE.COM, it should, by default, have option1 and
719 option2 set to true. However, a telnet program in the realm
720 ATHENA.MIT.EDU should have option1 set to false and option2 set to
721 true. Any other programs in ATHENA.MIT.EDU should have option2 set to
722 false by default. Any programs running in other realms should have
723 option2 set to true.
724 The list of specifiable options for each application may be found in
726 that application's man pages. The application defaults specified here
727 are overridden by those specified in the realms section.
728 [plugins]
730 · pwqual interface
731 · kadm5_hook interface
733 · clpreauth and kdcpreauth interfaces
735 Tags in the [plugins] section can be used to register dynamic plugin
737 modules and to turn modules on and off. Not every krb5 pluggable
738 interface uses the [plugins] section; the ones that do are documented
739 here.
740 New in release 1.9.
742 Each pluggable interface corresponds to a subsection of [plugins]. All
744 subsections support the same tags:
745 disable
747 This tag may have multiple values. If there are values for this
748 tag, then the named modules will be disabled for the pluggable
749 interface.
750 enable_only
752 This tag may have multiple values. If there are values for this
753 tag, then only the named modules will be enabled for the plug‐
754 gable interface.
755 module This tag may have multiple values. Each value is a string of
757 the form modulename:pathname, which causes the shared object
758 located at pathname to be registered as a dynamic module named
759 modulename for the pluggable interface. If pathname is not an
760 absolute path, it will be treated as relative to the plug‐
761 in_base_dir value from [libdefaults].
762 For pluggable interfaces where module order matters, modules registered
764 with a module tag normally come first, in the order they are regis‐
765 tered, followed by built-in modules in the order they are documented
766 below. If enable_only tags are used, then the order of those tags
767 overrides the normal module order.
768 The following subsections are currently supported within the [plugins]
770 section:
771 ccselect interface
773 The ccselect subsection controls modules for credential cache selection
774 within a cache collection. In addition to any registered dynamic mod‐
775 ules, the following built-in modules exist (and may be disabled with
776 the disable tag):
777 k5identity
779 Uses a .k5identity file in the user's home directory to select a
780 client principal
781 realm Uses the service realm to guess an appropriate cache from the
783 collection
784 hostname
786 If the service principal is host-based, uses the service host‐
787 name to guess an appropriate cache from the collection
788 pwqual interface
790 The pwqual subsection controls modules for the password quality inter‐
791 face, which is used to reject weak passwords when passwords are
792 changed. The following built-in modules exist for this interface:
793 dict Checks against the realm dictionary file
795 empty Rejects empty passwords
797 hesiod Checks against user information stored in Hesiod (only if Ker‐
799 beros was built with Hesiod support)
800 princ Checks against components of the principal name
802 kadm5_hook interface
804 The kadm5_hook interface provides plugins with information on principal
805 creation, modification, password changes and deletion. This interface
806 can be used to write a plugin to synchronize MIT Kerberos with another
807 database such as Active Directory. No plugins are built in for this
808 interface.
809 kadm5_auth interface
811 The kadm5_auth section (introduced in release 1.16) controls modules
812 for the kadmin authorization interface, which determines whether a
813 client principal is allowed to perform a kadmin operation. The follow‐
814 ing built-in modules exist for this interface:
815 acl This module reads the kadm5.acl(5) file, and authorizes opera‐
817 tions which are allowed according to the rules in the file.
818 self This module authorizes self-service operations including pass‐
820 word changes, creation of new random keys, fetching the client's
821 principal record or string attributes, and fetching the policy
822 record associated with the client principal.
823 clpreauth and kdcpreauth interfaces
825 The clpreauth and kdcpreauth interfaces allow plugin modules to provide
826 client and KDC preauthentication mechanisms. The following built-in
827 modules exist for these interfaces:
828 pkinit This module implements the PKINIT preauthentication mechanism.
830 encrypted_challenge
832 This module implements the encrypted challenge FAST factor.
833 encrypted_timestamp
835 This module implements the encrypted timestamp mechanism.
836 hostrealm interface
838 The hostrealm section (introduced in release 1.12) controls modules for
839 the host-to-realm interface, which affects the local mapping of host‐
840 names to realm names and the choice of default realm. The following
841 built-in modules exist for this interface:
842 profile
844 This module consults the [domain_realm] section of the profile
845 for authoritative host-to-realm mappings, and the default_realm
846 variable for the default realm.
847 dns This module looks for DNS records for fallback host-to-realm
849 mappings and the default realm. It only operates if the
850 dns_lookup_realm variable is set to true.
851 domain This module applies heuristics for fallback host-to-realm map‐
853 pings. It implements the realm_try_domains variable, and uses
854 the uppercased parent domain of the hostname if that does not
855 produce a result.
856 localauth interface
858 The localauth section (introduced in release 1.12) controls modules for
859 the local authorization interface, which affects the relationship
860 between Kerberos principals and local system accounts. The following
861 built-in modules exist for this interface:
862 default
864 This module implements the DEFAULT type for auth_to_local val‐
865 ues.
866 rule This module implements the RULE type for auth_to_local values.
868 names This module looks for an auth_to_local_names mapping for the
870 principal name.
871 auth_to_local
873 This module processes auth_to_local values in the default
874 realm's section, and applies the default method if no
875 auth_to_local values exist.
876 k5login
878 This module authorizes a principal to a local account according
879 to the account's .k5login(5) file.
880 an2ln This module authorizes a principal to a local account if the
882 principal name maps to the local account name.
883 certauth interface
885 The certauth section (introduced in release 1.16) controls modules for
886 the certificate authorization interface, which determines whether a
887 certificate is allowed to preauthenticate a user via PKINIT. The fol‐
888 lowing built-in modules exist for this interface:
889 pkinit_san
891 This module authorizes the certificate if it contains a PKINIT
892 Subject Alternative Name for the requested client principal, or
893 a Microsoft UPN SAN matching the principal if pkinit_allow_upn
894 is set to true for the realm.
895 pkinit_eku
897 This module rejects the certificate if it does not contain an
898 Extended Key Usage attribute consistent with the
899 pkinit_eku_checking value for the realm.
900 dbmatch
902 This module authorizes or rejects the certificate according to
903 whether it matches the pkinit_cert_match string attribute on the
904 client principal, if that attribute is present.
905
907 NOTE:
908 The following are PKINIT-specific options. These values may be
909 specified in [libdefaults] as global defaults, or within a
910 realm-specific subsection of [libdefaults], or may be specified as
911 realm-specific values in the [realms] section. A realm-specific
912 value overrides, not adds to, a generic [libdefaults] specification.
913 The search order is:
914 1. realm-specific subsection of [libdefaults]:
916 [libdefaults]
918 EXAMPLE.COM = {
919 pkinit_anchors = FILE:/usr/local/example.com.crt
920 }
921 2. realm-specific value in the [realms] section:
923 [realms]
925 OTHERREALM.ORG = {
926 pkinit_anchors = FILE:/usr/local/otherrealm.org.crt
927 }
928 3. generic value in the [libdefaults] section:
930 [libdefaults]
932 pkinit_anchors = DIR:/usr/local/generic_trusted_cas/
933 Specifying PKINIT identity information
935 The syntax for specifying Public Key identity, trust, and revocation
936 information for PKINIT is as follows:
937 FILE:filename[,keyfilename]
939 This option has context-specific behavior.
940 In pkinit_identity or pkinit_identities, filename specifies the
942 name of a PEM-format file containing the user's certificate. If
943 keyfilename is not specified, the user's private key is expected
944 to be in filename as well. Otherwise, keyfilename is the name
945 of the file containing the private key.
946 In pkinit_anchors or pkinit_pool, filename is assumed to be the
948 name of an OpenSSL-style ca-bundle file.
949 DIR:dirname
951 This option has context-specific behavior.
952 In pkinit_identity or pkinit_identities, dirname specifies a
954 directory with files named *.crt and *.key where the first part
955 of the file name is the same for matching pairs of certificate
956 and private key files. When a file with a name ending with .crt
957 is found, a matching file ending with .key is assumed to contain
958 the private key. If no such file is found, then the certificate
959 in the .crt is not used.
960 In pkinit_anchors or pkinit_pool, dirname is assumed to be an
962 OpenSSL-style hashed CA directory where each CA cert is stored
963 in a file named hash-of-ca-cert.#. This infrastructure is
964 encouraged, but all files in the directory will be examined and
965 if they contain certificates (in PEM format), they will be used.
966 In pkinit_revoke, dirname is assumed to be an OpenSSL-style
968 hashed CA directory where each revocation list is stored in a
969 file named hash-of-ca-cert.r#. This infrastructure is encour‐
970 aged, but all files in the directory will be examined and if
971 they contain a revocation list (in PEM format), they will be
972 used.
973 PKCS12:filename
975 filename is the name of a PKCS #12 format file, containing the
976 user's certificate and private key.
977 PKCS11:[module_name=]modname[:slotid=slot-id][:token=token-label][:cer‐
979 tid=cert-id][:certlabel=cert-label]
980 All keyword/values are optional. modname specifies the location
981 of a library implementing PKCS #11. If a value is encountered
982 with no keyword, it is assumed to be the modname. If no mod‐
983 ule-name is specified, the default is opensc-pkcs11.so. slotid=
984 and/or token= may be specified to force the use of a particular
985 smard card reader or token if there is more than one available.
986 certid= and/or certlabel= may be specified to force the selec‐
987 tion of a particular certificate on the device. See the
988 pkinit_cert_match configuration option for more ways to select a
989 particular certificate to use for PKINIT.
990 ENV:envvar
992 envvar specifies the name of an environment variable which has
993 been set to a value conforming to one of the previous values.
994 For example, ENV:X509_PROXY, where environment variable
995 X509_PROXY has been set to FILE:/tmp/my_proxy.pem.
996 PKINIT krb5.conf options
998 pkinit_anchors
999 Specifies the location of trusted anchor (root) certificates
1000 which the client trusts to sign KDC certificates. This option
1001 may be specified multiple times. These values from the config
1002 file are not used if the user specifies X509_anchors on the com‐
1003 mand line.
1004 pkinit_cert_match
1006 Specifies matching rules that the client certificate must match
1007 before it is used to attempt PKINIT authentication. If a user
1008 has multiple certificates available (on a smart card, or via
1009 other media), there must be exactly one certificate chosen
1010 before attempting PKINIT authentication. This option may be
1011 specified multiple times. All the available certificates are
1012 checked against each rule in order until there is a match of
1013 exactly one certificate.
1014 The Subject and Issuer comparison strings are the RFC 2253
1016 string representations from the certificate Subject DN and
1017 Issuer DN values.
1018 The syntax of the matching rules is:
1020 [relation-operator]component-rule ...
1021 where:
1023 relation-operator
1025 can be either &&, meaning all component rules must match,
1026 or ||, meaning only one component rule must match. The
1027 default is &&.
1028 component-rule
1030 can be one of the following. Note that there is no punc‐
1031 tuation or whitespace between component rules.
1032 <SUBJECT>regular-expression
1033 <ISSUER>regular-expression
1034 <SAN>regular-expression
1035 <EKU>extended-key-usage-list
1036 <KU>key-usage-list
1037 extended-key-usage-list is a comma-separated list of
1040 required Extended Key Usage values. All values in the
1041 list must be present in the certificate. Extended Key
1042 Usage values can be:
1043 · pkinit
1045 · msScLogin
1047 · clientAuth
1049 · emailProtection
1051 key-usage-list is a comma-separated list of required Key
1053 Usage values. All values in the list must be present in
1054 the certificate. Key Usage values can be:
1055 · digitalSignature
1057 · keyEncipherment
1059 Examples:
1061 pkinit_cert_match = ||<SUBJECT>.*DoE.*<SAN>.*@EXAMPLE.COM
1063 pkinit_cert_match = &&<EKU>msScLogin,clientAuth<ISSUER>.*DoE.*
1064 pkinit_cert_match = <EKU>msScLogin,clientAuth<KU>digitalSignature
1065 pkinit_eku_checking
1067 This option specifies what Extended Key Usage value the KDC cer‐
1068 tificate presented to the client must contain. (Note that if
1069 the KDC certificate has the pkinit SubjectAlternativeName
1070 encoded as the Kerberos TGS name, EKU checking is not necessary
1071 since the issuing CA has certified this as a KDC certificate.)
1072 The values recognized in the krb5.conf file are:
1073 kpKDC This is the default value and specifies that the KDC must
1075 have the id-pkinit-KPKdc EKU as defined in RFC 4556.
1076 kpServerAuth
1078 If kpServerAuth is specified, a KDC certificate with the
1079 id-kp-serverAuth EKU will be accepted. This key usage
1080 value is used in most commercially issued server certifi‐
1081 cates.
1082 none If none is specified, then the KDC certificate will not
1084 be checked to verify it has an acceptable EKU. The use
1085 of this option is not recommended.
1086 pkinit_dh_min_bits
1088 Specifies the size of the Diffie-Hellman key the client will
1089 attempt to use. The acceptable values are 1024, 2048, and 4096.
1090 The default is 2048.
1091 pkinit_identities
1093 Specifies the location(s) to be used to find the user's X.509
1094 identity information. If this option is specified multiple
1095 times, the first valid value is used; this can be used to spec‐
1096 ify an environment variable (with ENV:envvar) followed by a
1097 default value. Note that these values are not used if the user
1098 specifies X509_user_identity on the command line.
1099 pkinit_kdc_hostname
1101 The presense of this option indicates that the client is willing
1102 to accept a KDC certificate with a dNSName SAN (Subject Alterna‐
1103 tive Name) rather than requiring the id-pkinit-san as defined in
1104 RFC 4556. This option may be specified multiple times. Its
1105 value should contain the acceptable hostname for the KDC (as
1106 contained in its certificate).
1107 pkinit_pool
1109 Specifies the location of intermediate certificates which may be
1110 used by the client to complete the trust chain between a KDC
1111 certificate and a trusted anchor. This option may be specified
1112 multiple times.
1113 pkinit_require_crl_checking
1115 The default certificate verification process will always check
1116 the available revocation information to see if a certificate has
1117 been revoked. If a match is found for the certificate in a CRL,
1118 verification fails. If the certificate being verified is not
1119 listed in a CRL, or there is no CRL present for its issuing CA,
1120 and pkinit_require_crl_checking is false, then verification suc‐
1121 ceeds.
1122 However, if pkinit_require_crl_checking is true and there is no
1124 CRL information available for the issuing CA, then verification
1125 fails.
1126 pkinit_require_crl_checking should be set to true if the policy
1128 is such that up-to-date CRLs must be present for every CA.
1129 pkinit_revoke
1131 Specifies the location of Certificate Revocation List (CRL)
1132 information to be used by the client when verifying the validity
1133 of the KDC certificate presented. This option may be specified
1134 multiple times.
1135
1137 Starting with release 1.11, several variables, such as
1138 default_keytab_name, allow parameters to be expanded. Valid parameters
1139 are:
1140 ┌──────────────────┬────────────────────────────┐
1142 │%{TEMP} │ Temporary directory │
1143 ├──────────────────┼────────────────────────────┤
1144 │%{uid} │ Unix real UID or Windows │
1145 │ │ SID │
1146 ├──────────────────┼────────────────────────────┤
1147 │%{euid} │ Unix effective user ID or │
1148 │ │ Windows SID │
1149 ├──────────────────┼────────────────────────────┤
1150 │%{USERID} │ Same as %{uid} │
1151 ├──────────────────┼────────────────────────────┤
1152 │%{null} │ Empty string │
1153 ├──────────────────┼────────────────────────────┤
1154 │%{LIBDIR} │ Installation library │
1155 │ │ directory │
1156 ├──────────────────┼────────────────────────────┤
1157 │%{BINDIR} │ Installation binary direc‐ │
1158 │ │ tory │
1159 ├──────────────────┼────────────────────────────┤
1160 │%{SBINDIR} │ Installation admin binary │
1161 │ │ directory │
1162 ├──────────────────┼────────────────────────────┤
1163 │%{username} │ (Unix) Username of effec‐ │
1164 │ │ tive user ID │
1165 ├──────────────────┼────────────────────────────┤
1166 │%{APPDATA} │ (Windows) Roaming applica‐ │
1167 │ │ tion data for current user │
1168 ├──────────────────┼────────────────────────────┤
1169 │%{COMMON_APPDATA} │ (Windows) Application data │
1170 │ │ for all users │
1171 ├──────────────────┼────────────────────────────┤
1172 │%{LOCAL_APPDATA} │ (Windows) Local applica‐ │
1173 │ │ tion data for current user │
1174 ├──────────────────┼────────────────────────────┤
1175 │%{SYSTEM} │ (Windows) Windows system │
1176 │ │ folder │
1177 ├──────────────────┼────────────────────────────┤
1178 │%{WINDOWS} │ (Windows) Windows folder │
1179 ├──────────────────┼────────────────────────────┤
1180 │%{USERCONFIG} │ (Windows) Per-user MIT │
1181 │ │ krb5 config file directory │
1182 ├──────────────────┼────────────────────────────┤
1183 │%{COMMONCONFIG} │ (Windows) Common MIT krb5 │
1184 │ │ config file directory │
1185 └──────────────────┴────────────────────────────┘
1186
1188 Here is an example of a generic krb5.conf file:
1189 [libdefaults]
1191 default_realm = ATHENA.MIT.EDU
1192 dns_lookup_kdc = true
1193 dns_lookup_realm = false
1194 [realms]
1196 ATHENA.MIT.EDU = {
1197 kdc = kerberos.mit.edu
1198 kdc = kerberos-1.mit.edu
1199 kdc = kerberos-2.mit.edu
1200 admin_server = kerberos.mit.edu
1201 master_kdc = kerberos.mit.edu
1202 }
1203 EXAMPLE.COM = {
1204 kdc = kerberos.example.com
1205 kdc = kerberos-1.example.com
1206 admin_server = kerberos.example.com
1207 }
1208 [domain_realm]
1210 mit.edu = ATHENA.MIT.EDU
1211 [capaths]
1213 ATHENA.MIT.EDU = {
1214 EXAMPLE.COM = .
1215 }
1216 EXAMPLE.COM = {
1217 ATHENA.MIT.EDU = .
1218 }
1219
1221 /etc/krb5.conf
1222
1224 syslog(3)
1225
1227 MIT
1228
1230 1985-2019, MIT
12311.17 KRB5.CONF(5)