1KDC.CONF(5) MIT Kerberos KDC.CONF(5)
2
6 kdc.conf - Kerberos V5 KDC configuration file
7 The kdc.conf file supplements krb5.conf(5) for programs which are typi‐
9 cally only used on a KDC, such as the krb5kdc(8) and kadmind(8) daemons
10 and the kdb5_util(8) program. Relations documented here may also be
11 specified in krb5.conf; for the KDC programs mentioned, krb5.conf and
12 kdc.conf will be merged into a single configuration profile.
13 Normally, the kdc.conf file is found in the KDC state directory,
15 /var/kerberos/krb5kdc. You can override the default location by set‐
16 ting the environment variable KRB5_KDC_PROFILE.
17 Please note that you need to restart the KDC daemon for any configura‐
19 tion changes to take effect.
20
22 The kdc.conf file is set up in the same format as the krb5.conf(5)
23 file.
24
26 The kdc.conf file may contain the following sections:
27 ┌──────────────┬────────────────────────────┐
29 │[kdcdefaults] │ Default values for KDC be‐ │
30 │ │ havior │
31 ├──────────────┼────────────────────────────┤
32 │[realms] │ Realm-specific database │
33 │ │ configuration and settings │
34 ├──────────────┼────────────────────────────┤
35 │[dbdefaults] │ Default database settings │
36 ├──────────────┼────────────────────────────┤
37 │[dbmodules] │ Per-database settings │
38 ├──────────────┼────────────────────────────┤
39 │[logging] │ Controls how Kerberos dae‐ │
40 │ │ mons perform logging │
41 └──────────────┴────────────────────────────┘
42 [kdcdefaults]
44 Some relations in the [kdcdefaults] section specify default values for
45 realm variables, to be used if the [realms] subsection does not contain
46 a relation for the tag. See the [realms] section for the definitions
47 of these relations.
48 • host_based_services
50 • kdc_listen
52 • kdc_ports
54 • kdc_tcp_listen
56 • kdc_tcp_ports
58 • no_host_referral
60 • restrict_anonymous_to_tgt
62 The following [kdcdefaults] variables have no per-realm equivalent:
64 kdc_max_dgram_reply_size
66 Specifies the maximum packet size that can be sent over UDP.
67 The default value is 4096 bytes.
68 kdc_tcp_listen_backlog
70 (Integer.) Set the size of the listen queue length for the KDC
71 daemon. The value may be limited by OS settings. The default
72 value is 5.
73 spake_preauth_kdc_challenge
75 (String.) Specifies the group for a SPAKE optimistic challenge.
76 See the spake_preauth_groups variable in libdefaults for possi‐
77 ble values. The default is not to issue an optimistic chal‐
78 lenge. (New in release 1.17.)
79 [realms]
81 Each tag in the [realms] section is the name of a Kerberos realm. The
82 value of the tag is a subsection where the relations define KDC parame‐
83 ters for that particular realm. The following example shows how to de‐
84 fine one parameter for the ATHENA.MIT.EDU realm:
85 [realms]
87 ATHENA.MIT.EDU = {
88 max_renewable_life = 7d 0h 0m 0s
89 }
90 The following tags may be specified in a [realms] subsection:
92 acl_file
94 (String.) Location of the access control list file that kad‐
95 mind(8) uses to determine which principals are allowed which
96 permissions on the Kerberos database. To operate without an ACL
97 file, set this relation to the empty string with acl_file = "".
98 The default value is /var/kerberos/krb5kdc/kadm5.acl. For more
99 information on Kerberos ACL file see kadm5.acl(5).
100 database_module
102 (String.) This relation indicates the name of the configuration
103 section under [dbmodules] for database-specific parameters used
104 by the loadable database library. The default value is the
105 realm name. If this configuration section does not exist, de‐
106 fault values will be used for all database parameters.
107 database_name
109 (String, deprecated.) This relation specifies the location of
110 the Kerberos database for this realm, if the DB2 module is being
111 used and the [dbmodules] configuration section does not specify
112 a database name. The default value is /var/ker‐
113 beros/krb5kdc/principal.
114 default_principal_expiration
116 (abstime string.) Specifies the default expiration date of
117 principals created in this realm. The default value is 0, which
118 means no expiration date.
119 default_principal_flags
121 (Flag string.) Specifies the default attributes of principals
122 created in this realm. The format for this string is a
123 comma-separated list of flags, with '+' before each flag that
124 should be enabled and '-' before each flag that should be dis‐
125 abled. The postdateable, forwardable, tgt-based, renewable,
126 proxiable, dup-skey, allow-tickets, and service flags default to
127 enabled.
128 There are a number of possible flags:
130 allow-tickets
132 Enabling this flag means that the KDC will issue tickets
133 for this principal. Disabling this flag essentially de‐
134 activates the principal within this realm.
135 dup-skey
137 Enabling this flag allows the KDC to issue user-to-user
138 service tickets for this principal.
139 forwardable
141 Enabling this flag allows the principal to obtain for‐
142 wardable tickets.
143 hwauth If this flag is enabled, then the principal is required
145 to preauthenticate using a hardware device before receiv‐
146 ing any tickets.
147 no-auth-data-required
149 Enabling this flag prevents PAC or AD-SIGNEDPATH data
150 from being added to service tickets for the principal.
151 ok-as-delegate
153 If this flag is enabled, it hints the client that creden‐
154 tials can and should be delegated when authenticating to
155 the service.
156 ok-to-auth-as-delegate
158 Enabling this flag allows the principal to use S4USelf
159 tickets.
160 postdateable
162 Enabling this flag allows the principal to obtain post‐
163 dateable tickets.
164 preauth
166 If this flag is enabled on a client principal, then that
167 principal is required to preauthenticate to the KDC be‐
168 fore receiving any tickets. On a service principal, en‐
169 abling this flag means that service tickets for this
170 principal will only be issued to clients with a TGT that
171 has the preauthenticated bit set.
172 proxiable
174 Enabling this flag allows the principal to obtain proxy
175 tickets.
176 pwchange
178 Enabling this flag forces a password change for this
179 principal.
180 pwservice
182 If this flag is enabled, it marks this principal as a
183 password change service. This should only be used in
184 special cases, for example, if a user's password has ex‐
185 pired, then the user has to get tickets for that princi‐
186 pal without going through the normal password authentica‐
187 tion in order to be able to change the password.
188 renewable
190 Enabling this flag allows the principal to obtain renew‐
191 able tickets.
192 service
194 Enabling this flag allows the the KDC to issue service
195 tickets for this principal. In release 1.17 and later,
196 user-to-user service tickets are still allowed if the
197 dup-skey flag is set.
198 tgt-based
200 Enabling this flag allows a principal to obtain tickets
201 based on a ticket-granting-ticket, rather than repeating
202 the authentication process that was used to obtain the
203 TGT.
204 dict_file
206 (String.) Location of the dictionary file containing strings
207 that are not allowed as passwords. The file should contain one
208 string per line, with no additional whitespace. If none is
209 specified or if there is no policy assigned to the principal, no
210 dictionary checks of passwords will be performed.
211 encrypted_challenge_indicator
213 (String.) Specifies the authentication indicator value that the
214 KDC asserts into tickets obtained using FAST encrypted challenge
215 pre-authentication. New in 1.16.
216 host_based_services
218 (Whitespace- or comma-separated list.) Lists services which
219 will get host-based referral processing even if the server prin‐
220 cipal is not marked as host-based by the client.
221 iprop_enable
223 (Boolean value.) Specifies whether incremental database propa‐
224 gation is enabled. The default value is false.
225 iprop_ulogsize
227 (Integer.) Specifies the maximum number of log entries to be
228 retained for incremental propagation. The default value is
229 1000. Prior to release 1.11, the maximum value was 2500. New
230 in release 1.19.
231 iprop_master_ulogsize
233 The name for iprop_ulogsize prior to release 1.19. Its value is
234 used as a fallback if iprop_ulogsize is not specified.
235 iprop_replica_poll
237 (Delta time string.) Specifies how often the replica KDC polls
238 for new updates from the primary. The default value is 2m (that
239 is, two minutes). New in release 1.17.
240 iprop_slave_poll
242 (Delta time string.) The name for iprop_replica_poll prior to
243 release 1.17. Its value is used as a fallback if
244 iprop_replica_poll is not specified.
245 iprop_listen
247 (Whitespace- or comma-separated list.) Specifies the iprop RPC
248 listening addresses and/or ports for the kadmind(8) daemon.
249 Each entry may be an interface address, a port number, or an ad‐
250 dress and port number separated by a colon. If the address con‐
251 tains colons, enclose it in square brackets. If no address is
252 specified, the wildcard address is used. If kadmind fails to
253 bind to any of the specified addresses, it will fail to start.
254 The default (when iprop_enable is true) is to bind to the wild‐
255 card address at the port specified in iprop_port. New in re‐
256 lease 1.15.
257 iprop_port
259 (Port number.) Specifies the port number to be used for incre‐
260 mental propagation. When iprop_enable is true, this relation is
261 required in the replica KDC configuration file, and this rela‐
262 tion or iprop_listen is required in the primary configuration
263 file, as there is no default port number. Port numbers speci‐
264 fied in iprop_listen entries will override this port number for
265 the kadmind(8) daemon.
266 iprop_resync_timeout
268 (Delta time string.) Specifies the amount of time to wait for a
269 full propagation to complete. This is optional in configuration
270 files, and is used by replica KDCs only. The default value is 5
271 minutes (5m). New in release 1.11.
272 iprop_logfile
274 (File name.) Specifies where the update log file for the realm
275 database is to be stored. The default is to use the data‐
276 base_name entry from the realms section of the krb5 config file,
277 with .ulog appended. (NOTE: If database_name isn't specified in
278 the realms section, perhaps because the LDAP database back end
279 is being used, or the file name is specified in the [dbmodules]
280 section, then the hard-coded default for database_name is used.
281 Determination of the iprop_logfile default value will not use
282 values from the [dbmodules] section.)
283 kadmind_listen
285 (Whitespace- or comma-separated list.) Specifies the kadmin RPC
286 listening addresses and/or ports for the kadmind(8) daemon.
287 Each entry may be an interface address, a port number, or an ad‐
288 dress and port number separated by a colon. If the address con‐
289 tains colons, enclose it in square brackets. If no address is
290 specified, the wildcard address is used. If kadmind fails to
291 bind to any of the specified addresses, it will fail to start.
292 The default is to bind to the wildcard address at the port spec‐
293 ified in kadmind_port, or the standard kadmin port (749). New
294 in release 1.15.
295 kadmind_port
297 (Port number.) Specifies the port on which the kadmind(8) dae‐
298 mon is to listen for this realm. Port numbers specified in kad‐
299 mind_listen entries will override this port number. The as‐
300 signed port for kadmind is 749, which is used by default.
301 key_stash_file
303 (String.) Specifies the location where the master key has been
304 stored (via kdb5_util stash). The default is /var/ker‐
305 beros/krb5kdc/.k5.REALM, where REALM is the Kerberos realm.
306 kdc_listen
308 (Whitespace- or comma-separated list.) Specifies the UDP lis‐
309 tening addresses and/or ports for the krb5kdc(8) daemon. Each
310 entry may be an interface address, a port number, or an address
311 and port number separated by a colon. If the address contains
312 colons, enclose it in square brackets. If no address is speci‐
313 fied, the wildcard address is used. If no port is specified,
314 the standard port (88) is used. If the KDC daemon fails to bind
315 to any of the specified addresses, it will fail to start. The
316 default is to bind to the wildcard address on the standard port.
317 New in release 1.15.
318 kdc_ports
320 (Whitespace- or comma-separated list, deprecated.) Prior to re‐
321 lease 1.15, this relation lists the ports for the krb5kdc(8)
322 daemon to listen on for UDP requests. In release 1.15 and
323 later, it has the same meaning as kdc_listen if that relation is
324 not defined.
325 kdc_tcp_listen
327 (Whitespace- or comma-separated list.) Specifies the TCP lis‐
328 tening addresses and/or ports for the krb5kdc(8) daemon. Each
329 entry may be an interface address, a port number, or an address
330 and port number separated by a colon. If the address contains
331 colons, enclose it in square brackets. If no address is speci‐
332 fied, the wildcard address is used. If no port is specified,
333 the standard port (88) is used. To disable listening on TCP,
334 set this relation to the empty string with kdc_tcp_listen = "".
335 If the KDC daemon fails to bind to any of the specified ad‐
336 dresses, it will fail to start. The default is to bind to the
337 wildcard address on the standard port. New in release 1.15.
338 kdc_tcp_ports
340 (Whitespace- or comma-separated list, deprecated.) Prior to re‐
341 lease 1.15, this relation lists the ports for the krb5kdc(8)
342 daemon to listen on for UDP requests. In release 1.15 and
343 later, it has the same meaning as kdc_tcp_listen if that rela‐
344 tion is not defined.
345 kpasswd_listen
347 (Comma-separated list.) Specifies the kpasswd listening ad‐
348 dresses and/or ports for the kadmind(8) daemon. Each entry may
349 be an interface address, a port number, or an address and port
350 number separated by a colon. If the address contains colons,
351 enclose it in square brackets. If no address is specified, the
352 wildcard address is used. If kadmind fails to bind to any of
353 the specified addresses, it will fail to start. The default is
354 to bind to the wildcard address at the port specified in
355 kpasswd_port, or the standard kpasswd port (464). New in re‐
356 lease 1.15.
357 kpasswd_port
359 (Port number.) Specifies the port on which the kadmind(8) dae‐
360 mon is to listen for password change requests for this realm.
361 Port numbers specified in kpasswd_listen entries will override
362 this port number. The assigned port for password change re‐
363 quests is 464, which is used by default.
364 master_key_name
366 (String.) Specifies the name of the principal associated with
367 the master key. The default is K/M.
368 master_key_type
370 (Key type string.) Specifies the master key's key type. The
371 default value for this is aes256-cts-hmac-sha1-96. For a list
372 of all possible values, see Encryption types.
373 max_life
375 (duration string.) Specifies the maximum time period for which
376 a ticket may be valid in this realm. The default value is 24
377 hours.
378 max_renewable_life
380 (duration string.) Specifies the maximum time period during
381 which a valid ticket may be renewed in this realm. The default
382 value is 0.
383 no_host_referral
385 (Whitespace- or comma-separated list.) Lists services to block
386 from getting host-based referral processing, even if the client
387 marks the server principal as host-based or the service is also
388 listed in host_based_services. no_host_referral = * will dis‐
389 able referral processing altogether.
390 reject_bad_transit
392 (Boolean value.) If set to true, the KDC will check the list of
393 transited realms for cross-realm tickets against the transit
394 path computed from the realm names and the capaths section of
395 its krb5.conf(5) file; if the path in the ticket to be issued
396 contains any realms not in the computed path, the ticket will
397 not be issued, and an error will be returned to the client in‐
398 stead. If this value is set to false, such tickets will be is‐
399 sued anyways, and it will be left up to the application server
400 to validate the realm transit path.
401 If the disable-transited-check flag is set in the incoming re‐
403 quest, this check is not performed at all. Having the re‐
404 ject_bad_transit option will cause such ticket requests to be
405 rejected always.
406 This transit path checking and config file option currently ap‐
408 ply only to TGS requests.
409 The default value is true.
411 restrict_anonymous_to_tgt
413 (Boolean value.) If set to true, the KDC will reject ticket re‐
414 quests from anonymous principals to service principals other
415 than the realm's ticket-granting service. This option allows
416 anonymous PKINIT to be enabled for use as FAST armor tickets
417 without allowing anonymous authentication to services. The de‐
418 fault value is false. New in release 1.9.
419 spake_preauth_indicator
421 (String.) Specifies an authentication indicator value that the
422 KDC asserts into tickets obtained using SPAKE pre-authentica‐
423 tion. The default is not to add any indicators. This option
424 may be specified multiple times. New in release 1.17.
425 supported_enctypes
427 (List of key:salt strings.) Specifies the default key/salt com‐
428 binations of principals for this realm. Any principals created
429 through kadmin(1) will have keys of these types. The default
430 value for this tag is aes256-cts-hmac-sha1-96:normal
431 aes128-cts-hmac-sha1-96:normal. For lists of possible values,
432 see Keysalt lists.
433 [dbdefaults]
435 The [dbdefaults] section specifies default values for some database pa‐
436 rameters, to be used if the [dbmodules] subsection does not contain a
437 relation for the tag. See the [dbmodules] section for the definitions
438 of these relations.
439 • ldap_kerberos_container_dn
441 • ldap_kdc_dn
443 • ldap_kdc_sasl_authcid
445 • ldap_kdc_sasl_authzid
447 • ldap_kdc_sasl_mech
449 • ldap_kdc_sasl_realm
451 • ldap_kadmind_dn
453 • ldap_kadmind_sasl_authcid
455 • ldap_kadmind_sasl_authzid
457 • ldap_kadmind_sasl_mech
459 • ldap_kadmind_sasl_realm
461 • ldap_service_password_file
463 • ldap_conns_per_server
465 [dbmodules]
467 The [dbmodules] section contains parameters used by the KDC database
468 library and database modules. Each tag in the [dbmodules] section is
469 the name of a Kerberos realm or a section name specified by a realm's
470 database_module parameter. The following example shows how to define
471 one database parameter for the ATHENA.MIT.EDU realm:
472 [dbmodules]
474 ATHENA.MIT.EDU = {
475 disable_last_success = true
476 }
477 The following tags may be specified in a [dbmodules] subsection:
479 database_name
481 This DB2-specific tag indicates the location of the database in
482 the filesystem. The default is /var/kerberos/krb5kdc/principal.
483 db_library
485 This tag indicates the name of the loadable database module.
486 The value should be db2 for the DB2 module, klmdb for the LMDB
487 module, or kldap for the LDAP module.
488 disable_last_success
490 If set to true, suppresses KDC updates to the "Last successful
491 authentication" field of principal entries requiring preauthen‐
492 tication. Setting this flag may improve performance. (Princi‐
493 pal entries which do not require preauthentication never update
494 the "Last successful authentication" field.). First introduced
495 in release 1.9.
496 disable_lockout
498 If set to true, suppresses KDC updates to the "Last failed au‐
499 thentication" and "Failed password attempts" fields of principal
500 entries requiring preauthentication. Setting this flag may im‐
501 prove performance, but also disables account lockout. First in‐
502 troduced in release 1.9.
503 ldap_conns_per_server
505 This LDAP-specific tag indicates the number of connections to be
506 maintained per LDAP server.
507 ldap_kdc_dn and ldap_kadmind_dn
509 These LDAP-specific tags indicate the default DN for binding to
510 the LDAP server. The krb5kdc(8) daemon uses ldap_kdc_dn, while
511 the kadmind(8) daemon and other administrative programs use
512 ldap_kadmind_dn. The kadmind DN must have the rights to read
513 and write the Kerberos data in the LDAP database. The KDC DN
514 must have the same rights, unless disable_lockout and dis‐
515 able_last_success are true, in which case it only needs to have
516 rights to read the Kerberos data. These tags are ignored if a
517 SASL mechanism is set with ldap_kdc_sasl_mech or ldap_kad‐
518 mind_sasl_mech.
519 ldap_kdc_sasl_mech and ldap_kadmind_sasl_mech
521 These LDAP-specific tags specify the SASL mechanism (such as EX‐
522 TERNAL) to use when binding to the LDAP server. New in release
523 1.13.
524 ldap_kdc_sasl_authcid and ldap_kadmind_sasl_authcid
526 These LDAP-specific tags specify the SASL authentication iden‐
527 tity to use when binding to the LDAP server. Not all SASL mech‐
528 anisms require an authentication identity. If the SASL mecha‐
529 nism requires a secret (such as the password for DIGEST-MD5),
530 these tags also determine the name within the ldap_service_pass‐
531 word_file where the secret is stashed. New in release 1.13.
532 ldap_kdc_sasl_authzid and ldap_kadmind_sasl_authzid
534 These LDAP-specific tags specify the SASL authorization identity
535 to use when binding to the LDAP server. In most circumstances
536 they do not need to be specified. New in release 1.13.
537 ldap_kdc_sasl_realm and ldap_kadmind_sasl_realm
539 These LDAP-specific tags specify the SASL realm to use when
540 binding to the LDAP server. In most circumstances they do not
541 need to be set. New in release 1.13.
542 ldap_kerberos_container_dn
544 This LDAP-specific tag indicates the DN of the container object
545 where the realm objects will be located.
546 ldap_servers
548 This LDAP-specific tag indicates the list of LDAP servers that
549 the Kerberos servers can connect to. The list of LDAP servers
550 is whitespace-separated. The LDAP server is specified by a LDAP
551 URI. It is recommended to use ldapi: or ldaps: URLs to connect
552 to the LDAP server.
553 ldap_service_password_file
555 This LDAP-specific tag indicates the file containing the stashed
556 passwords (created by kdb5_ldap_util stashsrvpw) for the
557 ldap_kdc_dn and ldap_kadmind_dn objects, or for the
558 ldap_kdc_sasl_authcid or ldap_kadmind_sasl_authcid names for
559 SASL authentication. This file must be kept secure.
560 mapsize
562 This LMDB-specific tag indicates the maximum size of the two
563 database environments in megabytes. The default value is 128.
564 Increase this value to address "Environment mapsize limit
565 reached" errors. New in release 1.17.
566 max_readers
568 This LMDB-specific tag indicates the maximum number of concur‐
569 rent reading processes for the databases. The default value is
570 128. New in release 1.17.
571 nosync This LMDB-specific tag can be set to improve the throughput of
573 kadmind and other administrative agents, at the expense of dura‐
574 bility (recent database changes may not survive a power outage
575 or other sudden reboot). It does not affect the throughput of
576 the KDC. The default value is false. New in release 1.17.
577 unlockiter
579 If set to true, this DB2-specific tag causes iteration opera‐
580 tions to release the database lock while processing each princi‐
581 pal. Setting this flag to true can prevent extended blocking of
582 KDC or kadmin operations when dumps of large databases are in
583 progress. First introduced in release 1.13.
584 The following tag may be specified directly in the [dbmodules] section
586 to control where database modules are loaded from:
587 db_module_dir
589 This tag controls where the plugin system looks for database
590 modules. The value should be an absolute path.
591 [logging]
593 The [logging] section indicates how krb5kdc(8) and kadmind(8) perform
594 logging. It may contain the following relations:
595 admin_server
597 Specifies how kadmind(8) performs logging.
598 kdc Specifies how krb5kdc(8) performs logging.
600 default
602 Specifies how either daemon performs logging in the absence of
603 relations specific to the daemon.
604 debug (Boolean value.) Specifies whether debugging messages are in‐
606 cluded in log outputs other than SYSLOG. Debugging messages are
607 always included in the system log output because syslog performs
608 its own priority filtering. The default value is false. New in
609 release 1.15.
610 Logging specifications may have the following forms:
612 FILE=filename or FILE:filename
614 This value causes the daemon's logging messages to go to the
615 filename. If the = form is used, the file is overwritten. If
616 the : form is used, the file is appended to.
617 STDERR This value causes the daemon's logging messages to go to its
619 standard error stream.
620 CONSOLE
622 This value causes the daemon's logging messages to go to the
623 console, if the system supports it.
624 DEVICE=<devicename>
626 This causes the daemon's logging messages to go to the specified
627 device.
628 SYSLOG[:severity[:facility]]
630 This causes the daemon's logging messages to go to the system
631 log.
632 For backward compatibility, a severity argument may be speci‐
634 fied, and must be specified in order to specify a facility.
635 This argument will be ignored.
636 The facility argument specifies the facility under which the
638 messages are logged. This may be any of the following facili‐
639 ties supported by the syslog(3) call minus the LOG_ prefix:
640 KERN, USER, MAIL, DAEMON, AUTH, LPR, NEWS, UUCP, CRON, and LO‐
641 CAL0 through LOCAL7. If no facility is specified, the default
642 is AUTH.
643 In the following example, the logging messages from the KDC will go to
645 the console and to the system log under the facility LOG_DAEMON, and
646 the logging messages from the administrative server will be appended to
647 the file /var/adm/kadmin.log and sent to the device /dev/tty04.
648 [logging]
650 kdc = CONSOLE
651 kdc = SYSLOG:INFO:DAEMON
652 admin_server = FILE:/var/adm/kadmin.log
653 admin_server = DEVICE=/dev/tty04
654 If no logging specification is given, the default is to use syslog. To
656 disable logging entirely, specify default = DEVICE=/dev/null.
657 [otp]
659 Each subsection of [otp] is the name of an OTP token type. The tags
660 within the subsection define the configuration required to forward a
661 One Time Password request to a RADIUS server.
662 For each token type, the following tags may be specified:
664 server This is the server to send the RADIUS request to. It can be a
666 hostname with optional port, an ip address with optional port,
667 or a Unix domain socket address. The default is /var/ker‐
668 beros/krb5kdc/<name>.socket.
669 secret This tag indicates a filename (which may be relative to
671 /var/kerberos/krb5kdc) containing the secret used to encrypt the
672 RADIUS packets. The secret should appear in the first line of
673 the file by itself; leading and trailing whitespace on the line
674 will be removed. If the value of server is a Unix domain socket
675 address, this tag is optional, and an empty secret will be used
676 if it is not specified. Otherwise, this tag is required.
677 timeout
679 An integer which specifies the time in seconds during which the
680 KDC should attempt to contact the RADIUS server. This tag is
681 the total time across all retries and should be less than the
682 time which an OTP value remains valid for. The default is 5
683 seconds.
684 retries
686 This tag specifies the number of retries to make to the RADIUS
687 server. The default is 3 retries (4 tries).
688 strip_realm
690 If this tag is true, the principal without the realm will be
691 passed to the RADIUS server. Otherwise, the realm will be in‐
692 cluded. The default value is true.
693 indicator
695 This tag specifies an authentication indicator to be included in
696 the ticket if this token type is used to authenticate. This op‐
697 tion may be specified multiple times. (New in release 1.14.)
698 In the following example, requests are sent to a remote server via UDP:
700 [otp]
702 MyRemoteTokenType = {
703 server = radius.mydomain.com:1812
704 secret = SEmfiajf42$
705 timeout = 15
706 retries = 5
707 strip_realm = true
708 }
709 An implicit default token type named DEFAULT is defined for when the
711 per-principal configuration does not specify a token type. Its config‐
712 uration is shown below. You may override this token type to something
713 applicable for your situation:
714 [otp]
716 DEFAULT = {
717 strip_realm = false
718 }
719
721 NOTE:
722 The following are pkinit-specific options. These values may be
723 specified in [kdcdefaults] as global defaults, or within a
724 realm-specific subsection of [realms]. Also note that a realm-spe‐
725 cific value over-rides, does not add to, a generic [kdcdefaults]
726 specification. The search order is:
727 1. realm-specific subsection of [realms]:
729 [realms]
731 EXAMPLE.COM = {
732 pkinit_anchors = FILE:/usr/local/example.com.crt
733 }
734 2. generic value in the [kdcdefaults] section:
736 [kdcdefaults]
738 pkinit_anchors = DIR:/usr/local/generic_trusted_cas/
739 For information about the syntax of some of these options, see Specify‐
741 ing PKINIT identity information in krb5.conf(5).
742 pkinit_anchors
744 Specifies the location of trusted anchor (root) certificates
745 which the KDC trusts to sign client certificates. This option
746 is required if pkinit is to be supported by the KDC. This op‐
747 tion may be specified multiple times.
748 pkinit_dh_min_bits
750 Specifies the minimum number of bits the KDC is willing to ac‐
751 cept for a client's Diffie-Hellman key. The default is 2048.
752 pkinit_allow_upn
754 Specifies that the KDC is willing to accept client certificates
755 with the Microsoft UserPrincipalName (UPN) Subject Alternative
756 Name (SAN). This means the KDC accepts the binding of the UPN
757 in the certificate to the Kerberos principal name. The default
758 value is false.
759 Without this option, the KDC will only accept certificates with
761 the id-pkinit-san as defined in RFC 4556. There is currently no
762 option to disable SAN checking in the KDC.
763 pkinit_eku_checking
765 This option specifies what Extended Key Usage (EKU) values the
766 KDC is willing to accept in client certificates. The values
767 recognized in the kdc.conf file are:
768 kpClientAuth
770 This is the default value and specifies that client cer‐
771 tificates must have the id-pkinit-KPClientAuth EKU as de‐
772 fined in RFC 4556.
773 scLogin
775 If scLogin is specified, client certificates with the Mi‐
776 crosoft Smart Card Login EKU (id-ms-kp-sc-logon) will be
777 accepted.
778 none If none is specified, then client certificates will not
780 be checked to verify they have an acceptable EKU. The
781 use of this option is not recommended.
782 pkinit_identity
784 Specifies the location of the KDC's X.509 identity information.
785 This option is required if pkinit is to be supported by the KDC.
786 pkinit_indicator
788 Specifies an authentication indicator to include in the ticket
789 if pkinit is used to authenticate. This option may be specified
790 multiple times. (New in release 1.14.)
791 pkinit_pool
793 Specifies the location of intermediate certificates which may be
794 used by the KDC to complete the trust chain between a client's
795 certificate and a trusted anchor. This option may be specified
796 multiple times.
797 pkinit_revoke
799 Specifies the location of Certificate Revocation List (CRL) in‐
800 formation to be used by the KDC when verifying the validity of
801 client certificates. This option may be specified multiple
802 times.
803 pkinit_require_crl_checking
805 The default certificate verification process will always check
806 the available revocation information to see if a certificate has
807 been revoked. If a match is found for the certificate in a CRL,
808 verification fails. If the certificate being verified is not
809 listed in a CRL, or there is no CRL present for its issuing CA,
810 and pkinit_require_crl_checking is false, then verification suc‐
811 ceeds.
812 However, if pkinit_require_crl_checking is true and there is no
814 CRL information available for the issuing CA, then verification
815 fails.
816 pkinit_require_crl_checking should be set to true if the policy
818 is such that up-to-date CRLs must be present for every CA.
819 pkinit_require_freshness
821 Specifies whether to require clients to include a freshness to‐
822 ken in PKINIT requests. The default value is false. (New in
823 release 1.17.)
824
826 Any tag in the configuration files which requires a list of encryption
827 types can be set to some combination of the following strings. Encryp‐
828 tion types marked as "weak" and "deprecated" are available for compati‐
829 bility but not recommended for use.
830 ┌───────────────────────────┬─────────────────────────────┐
832 │aes256-cts-hmac-sha1-96 │ AES-256 CTS mode with │
833 │aes256-cts aes256-sha1 │ 96-bit SHA-1 HMAC │
834 ├───────────────────────────┼─────────────────────────────┤
835 │aes128-cts-hmac-sha1-96 │ AES-128 CTS mode with │
836 │aes128-cts aes128-sha1 │ 96-bit SHA-1 HMAC │
837 ├───────────────────────────┼─────────────────────────────┤
838 │aes256-cts-hmac-sha384-192 │ AES-256 CTS mode with │
839 │aes256-sha2 │ 192-bit SHA-384 HMAC │
840 ├───────────────────────────┼─────────────────────────────┤
841 │aes128-cts-hmac-sha256-128 │ AES-128 CTS mode with │
842 │aes128-sha2 │ 128-bit SHA-256 HMAC │
843 ├───────────────────────────┼─────────────────────────────┤
844 │arcfour-hmac rc4-hmac arc‐ │ RC4 with HMAC/MD5 (depre‐ │
845 │four-hmac-md5 │ cated) │
846 ├───────────────────────────┼─────────────────────────────┤
847 │arcfour-hmac-exp │ Exportable RC4 with │
848 │rc4-hmac-exp arc‐ │ HMAC/MD5 (weak) │
849 │four-hmac-md5-exp │ │
850 ├───────────────────────────┼─────────────────────────────┤
851 │camellia256-cts-cmac │ Camellia-256 CTS mode with │
852 │camellia256-cts │ CMAC │
853 ├───────────────────────────┼─────────────────────────────┤
854 │camellia128-cts-cmac │ Camellia-128 CTS mode with │
855 │camellia128-cts │ CMAC │
856 ├───────────────────────────┼─────────────────────────────┤
857 │aes │ The AES family: │
858 │ │ aes256-cts-hmac-sha1-96, │
859 │ │ aes128-cts-hmac-sha1-96, │
860 │ │ aes256-cts-hmac-sha384-192, │
861 │ │ and │
862 │ │ aes128-cts-hmac-sha256-128 │
863 ├───────────────────────────┼─────────────────────────────┤
864 │rc4 │ The RC4 family: arc‐ │
865 │ │ four-hmac │
866 ├───────────────────────────┼─────────────────────────────┤
867 │camellia │ The Camellia family: camel‐ │
868 │ │ lia256-cts-cmac and camel‐ │
869 │ │ lia128-cts-cmac │
870 └───────────────────────────┴─────────────────────────────┘
871 The string DEFAULT can be used to refer to the default set of types for
873 the variable in question. Types or families can be removed from the
874 current list by prefixing them with a minus sign ("-"). Types or fami‐
875 lies can be prefixed with a plus sign ("+") for symmetry; it has the
876 same meaning as just listing the type or family. For example, "DEFAULT
877 -rc4" would be the default set of encryption types with RC4 types re‐
878 moved, and "aes128-sha2 DEFAULT" would be the default set of encryption
879 types with aes128-sha2 moved to the front.
880 While aes128-cts and aes256-cts are supported for all Kerberos opera‐
882 tions, they are not supported by very old versions of our GSSAPI imple‐
883 mentation (krb5-1.3.1 and earlier). Services running versions of krb5
884 without AES support must not be given keys of these encryption types in
885 the KDC database.
886 The aes128-sha2 and aes256-sha2 encryption types are new in release
888 1.15. Services running versions of krb5 without support for these
889 newer encryption types must not be given keys of these encryption types
890 in the KDC database.
891
893 Kerberos keys for users are usually derived from passwords. Kerberos
894 commands and configuration parameters that affect generation of keys
895 take lists of enctype-salttype ("keysalt") pairs, known as keysalt
896 lists. Each keysalt pair is an enctype name followed by a salttype
897 name, in the format enc:salt. Individual keysalt list members are sep‐
898 arated by comma (",") characters or space characters. For example:
899 kadmin -e aes256-cts:normal,aes128-cts:normal
901 would start up kadmin so that by default it would generate password-de‐
903 rived keys for the aes256-cts and aes128-cts encryption types, using a
904 normal salt.
905 To ensure that people who happen to pick the same password do not have
907 the same key, Kerberos 5 incorporates more information into the key us‐
908 ing something called a salt. The supported salt types are as follows:
909 ┌──────────┬────────────────────────────┐
911 │normal │ default for Kerberos Ver‐ │
912 │ │ sion 5 │
913 ├──────────┼────────────────────────────┤
914 │norealm │ same as the default, with‐ │
915 │ │ out using realm informa‐ │
916 │ │ tion │
917 ├──────────┼────────────────────────────┤
918 │onlyrealm │ uses only realm informa‐ │
919 │ │ tion as the salt │
920 ├──────────┼────────────────────────────┤
921 │special │ generate a random salt │
922 └──────────┴────────────────────────────┘
923
925 Here's an example of a kdc.conf file:
926 [kdcdefaults]
928 kdc_listen = 88
929 kdc_tcp_listen = 88
930 [realms]
931 ATHENA.MIT.EDU = {
932 kadmind_port = 749
933 max_life = 12h 0m 0s
934 max_renewable_life = 7d 0h 0m 0s
935 master_key_type = aes256-cts-hmac-sha1-96
936 supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal
937 database_module = openldap_ldapconf
938 }
939 [logging]
941 kdc = FILE:/usr/local/var/krb5kdc/kdc.log
942 admin_server = FILE:/usr/local/var/krb5kdc/kadmin.log
943 [dbdefaults]
945 ldap_kerberos_container_dn = cn=krbcontainer,dc=mit,dc=edu
946 [dbmodules]
948 openldap_ldapconf = {
949 db_library = kldap
950 disable_last_success = true
951 ldap_kdc_dn = "cn=krbadmin,dc=mit,dc=edu"
952 # this object needs to have read rights on
953 # the realm container and principal subtrees
954 ldap_kadmind_dn = "cn=krbadmin,dc=mit,dc=edu"
955 # this object needs to have read and write rights on
956 # the realm container and principal subtrees
957 ldap_service_password_file = /etc/kerberos/service.keyfile
958 ldap_servers = ldaps://kerberos.mit.edu
959 ldap_conns_per_server = 5
960 }
961
963 /var/kerberos/krb5kdc/kdc.conf
964
966 krb5.conf(5), krb5kdc(8), kadm5.acl(5)
967
969 MIT
970
972 1985-2022, MIT
9731.19.2 KDC.CONF(5)