KADM5.ACL(5)                     MIT Kerberos                     KADM5.ACL(5)

NAME

       kadm5.acl - Kerberos ACL file

DESCRIPTION

       The Kerberos kadmind daemon uses an Access Control List (ACL) file to
       manage access rights to the Kerberos database.  For operations that
       affect principals, the ACL file also controls which principals can
       operate on which other principals.

       The default location of the Kerberos ACL file is
       /var/kerberos/krb5kdc/kadm5.acl unless this is overridden by the
       acl_file variable in kdc.conf.

SYNTAX

       Empty lines and lines starting with the sharp sign (#) are ignored.
       Lines containing ACL entries have the format:

          principal  permissions  [target_principal  [restrictions] ]

       NOTE:
          Line order in the ACL file is important.  The first matching entry
          will control access for an actor principal on a target principal.

       principal
              (Partially or fully qualified Kerberos principal name.)
              Specifies the principal whose permissions are to be set.

              Each component of the name may be wildcarded using the *
              character.

       permissions
              Specifies what operations may or may not be performed by a
              principal matching a particular entry.  This is a string of one
              or more of the following list of characters or their upper-case
              counterparts.  If the character is upper-case, then the
              operation is disallowed.  If the character is lower-case, then
              the operation is permitted.

                              ┌──┬────────────────────────────┐
                              │a │ [Dis]allows the addition   │
                              │  │ of principals or policies  │
                              ├──┼────────────────────────────┤
                              │c │ [Dis]allows the changing   │
                              │  │ of passwords for           │
                              │  │ principals                 │
                              ├──┼────────────────────────────┤
                              │d │ [Dis]allows the deletion   │
                              │  │ of principals or policies  │
                              ├──┼────────────────────────────┤
                              │e │ [Dis]allows the extraction │
                              │  │ of principal keys          │
                              ├──┼────────────────────────────┤
                              │i │ [Dis]allows inquiries      │
                              │  │ about principals or        │
                              │  │ policies                   │
                              ├──┼────────────────────────────┤
                              │l │ [Dis]allows the listing of │
                              │  │ all principals or policies │
                              ├──┼────────────────────────────┤
                              │m │ [Dis]allows the            │
                              │  │ modification of principals │
                              │  │ or policies                │
                              ├──┼────────────────────────────┤
                              │p │ [Dis]allows the            │
                              │  │ propagation of the         │
                              │  │ principal database (used   │
                              │  │ in Incremental database    │
                              │  │ propagation)               │
                              ├──┼────────────────────────────┤
                              │s │ [Dis]allows the explicit   │
                              │  │ setting of the key for a   │
                              │  │ principal                  │
                              ├──┼────────────────────────────┤
                              │x │ Short for admcilsp.  All   │
                              │  │ privileges (except e)      │
                              ├──┼────────────────────────────┤
                              │* │ Same as x.                 │
                              └──┴────────────────────────────┘

       NOTE:
          The extract privilege is not included in the wildcard privilege; it
          must be explicitly assigned.  This privilege allows the user to
          extract keys from the database, and must be handled with great care
          to avoid disclosure of important keys like those of the kadmin/* or
          krbtgt/* principals.  The lockdown_keys principal attribute can be
          used to prevent key extraction from specific principals regardless
          of the granted privilege.

       target_principal
              (Optional.  Partially or fully qualified Kerberos principal
              name.)  Specifies the principal on which permissions may be
              applied.  Each component of the name may be wildcarded using
              the * character.

              target_principal can also include back-references to principal,
              in which *number matches the corresponding wildcard in
              principal.

       restrictions
              (Optional) A string of flags.  Allowed restrictions are:

                 {+|-}flagname
                        flag is forced to the indicated value.  The
                        permissible flags are the same as those for the
                        default_principal_flags variable in kdc.conf.

                 -clearpolicy
                        policy is forced to be empty.

                 -policy pol
                        policy is forced to be pol.

                 -{expire, pwexpire, maxlife, maxrenewlife} time
                        (getdate time string) associated value will be forced
                        to MIN(time, requested value).

              The above flags act as restrictions on any add or modify
              operation which is allowed due to that ACL line.

       WARNING:
          If the kadmind ACL file is modified, the kadmind daemon needs to be
          restarted for changes to take effect.

EXAMPLE

       Here is an example of a kadm5.acl file:

          */admin@ATHENA.MIT.EDU    *                               # line 1
          joeadmin@ATHENA.MIT.EDU   ADMCIL                          # line 2
          joeadmin/*@ATHENA.MIT.EDU i   */root@ATHENA.MIT.EDU       # line 3
          */root@ATHENA.MIT.EDU     ci  *1@ATHENA.MIT.EDU           # line 4
          */root@ATHENA.MIT.EDU     l   *                           # line 5
          sms@ATHENA.MIT.EDU        x   * -maxlife 9h -postdateable # line 6

       (line 1) Any principal in the ATHENA.MIT.EDU realm with an admin
       instance has all administrative privileges except extracting keys.

       (lines 1-3) The user joeadmin has all permissions except extracting
       keys with his admin instance, joeadmin/admin@ATHENA.MIT.EDU (matches
       line 1).  He has no permissions at all with his null instance,
       joeadmin@ATHENA.MIT.EDU (matches line 2).  His root and other
       non-admin, non-null instances (e.g., extra or dbadmin) have inquire
       permissions with any principal that has the instance root (matches
       line 3).

       (line 4) Any root principal in ATHENA.MIT.EDU can inquire or change the
       password of their null instance, but not any other null instance.
       (Here, *1 denotes a back-reference to the component matching the first
       wildcard in the actor principal.)

       (line 5) Any root principal in ATHENA.MIT.EDU can generate the list of
       principals in the database, and the list of policies in the database.
       This line is separate from line 4, because list permission can only be
       granted globally, not to specific target principals.

       (line 6) Finally, the Service Management System principal
       sms@ATHENA.MIT.EDU has all permissions except extracting keys, but any
       principal that it creates or modifies will not be able to get
       postdateable tickets or tickets with a life of longer than 9 hours.
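
       The following Python evaluator is an added example, not part of this
       manual or of MIT's kadmind; it applies the matching and permission
       rules above (first match wins, whole-component * wildcards, *N
       back-references, upper-case letters never grant) to the example file,
       so an administrator can audit who may do what to whom before restarting
       kadmind.  It assumes fully qualified principal names, treats a target
       of exactly * as no target (which lines 5 and 6 of the example rely on)
       and strips trailing # comments so the example can be fed in as printed.

```python
PRIV_ALL = "admcilsp"  # what the x and * permission characters expand to (never e)

def parse_princ(s):  # 'name/inst@REALM' -> (components, realm); assumes an explicit realm
    name, _, realm = s.partition("@")
    return name.split("/"), realm

def match_princ(pattern, princ, backrefs, allow_backref):
    # '*' matches one whole component and is recorded; '*N' (target patterns only)
    # must equal the N-th component recorded so far, counting realm as a component.
    pcomps, prealm = parse_princ(pattern)
    comps, realm = parse_princ(princ)
    if len(pcomps) != len(comps):
        return False
    for p, c in zip(pcomps + [prealm], comps + [realm]):
        if p == "*":
            backrefs.append(c)
        elif allow_backref and len(p) == 2 and p[0] == "*" and p[1] in "123456789":
            if int(p[1]) > len(backrefs) or backrefs[int(p[1]) - 1] != c:
                return False
        elif p != c:
            return False
    return True

def parse_acl(text):
    # Yields (actor, perms, target, restrictions). Text after '#' is dropped so the
    # page's example runs as printed (an assumption; the page promises only whole-line
    # comments); a target of exactly '*' is treated as no target (lines 5 and 6).
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields:
            perms = fields[1].replace("x", PRIV_ALL).replace("*", PRIV_ALL)
            target = fields[2] if len(fields) > 2 and fields[2] != "*" else None
            entries.append((fields[0], perms, target, fields[3:]))
    return entries

def check(entries, actor, op, target=None):
    # First entry whose actor (and, if present, target) pattern matches decides; an
    # upper-case letter never grants; no match denies. Returns (allowed, restrictions).
    for pat_actor, perms, pat_target, restr in entries:
        backrefs = []
        if not match_princ(pat_actor, actor, backrefs, False):
            continue
        if pat_target and (target is None or not match_princ(pat_target, target, backrefs, True)):
            continue
        return op in perms, restr
    return False, []

EXAMPLE_ACL = """*/admin@ATHENA.MIT.EDU    *                               # line 1
joeadmin@ATHENA.MIT.EDU   ADMCIL                          # line 2
joeadmin/*@ATHENA.MIT.EDU i   */root@ATHENA.MIT.EDU       # line 3
*/root@ATHENA.MIT.EDU     ci  *1@ATHENA.MIT.EDU           # line 4
*/root@ATHENA.MIT.EDU     l   *                           # line 5
sms@ATHENA.MIT.EDU        x   * -maxlife 9h -postdateable # line 6"""
ENTRIES = parse_acl(EXAMPLE_ACL)  # constructed input: the man page's own example, as printed
```

       check(ENTRIES, "alice/root@ATHENA.MIT.EDU", "c", "bob@ATHENA.MIT.EDU")
       returns (False, []) because line 5 is the first entry that matches and
       grants only l, while the same actor with target alice@ATHENA.MIT.EDU is
       allowed by line 4 through the *1 back-reference.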

MODULE BEHAVIOR

       The ACL file can coexist with other authorization modules in release
       1.16 and later, as configured in the kadm5_auth interface section of
       krb5.conf.  The ACL file will positively authorize operations according
       to the rules above, but will never authoritatively deny an operation,
       so other modules can authorize operations in addition to those
       authorized by the ACL file.

       To operate without an ACL file, set the acl_file variable in kdc.conf
       to the empty string with acl_file = "".

SEE ALSO

       kdc.conf, kadmind

AUTHOR

       MIT

       1985-2022, MIT

1.19.2                                                            KADM5.ACL(5)