KDC.CONF(5)                       MIT Kerberos                       KDC.CONF(5)

NAME
       kdc.conf - Kerberos V5 KDC configuration file

       The kdc.conf file supplements krb5.conf for programs which are typically only used on a KDC, such as the krb5kdc and kadmind daemons and the kdb5_util program. Relations documented here may also be specified in krb5.conf; for the KDC programs mentioned, krb5.conf and kdc.conf will be merged into a single configuration profile.

       Normally, the kdc.conf file is found in the KDC state directory, /var/kerberos/krb5kdc. You can override the default location by setting the environment variable KRB5_KDC_PROFILE.

       Please note that you need to restart the KDC daemon for any configuration changes to take effect.

       The kdc.conf file is set up in the same format as the krb5.conf file.

       The kdc.conf file may contain the following sections:

       ┌──────────────┬────────────────────────────────────────────────────┐
       │[kdcdefaults] │ Default values for KDC behavior                    │
       ├──────────────┼────────────────────────────────────────────────────┤
       │[realms]      │ Realm-specific database configuration and settings │
       ├──────────────┼────────────────────────────────────────────────────┤
       │[dbdefaults]  │ Default database settings                          │
       ├──────────────┼────────────────────────────────────────────────────┤
       │[dbmodules]   │ Per-database settings                              │
       ├──────────────┼────────────────────────────────────────────────────┤
       │[logging]     │ Controls how Kerberos daemons perform logging      │
       └──────────────┴────────────────────────────────────────────────────┘

[kdcdefaults]
       Some relations in the [kdcdefaults] section specify default values for realm variables, to be used if the [realms] subsection does not contain a relation for the tag. See the [realms] section for the definitions of these relations.

       • host_based_services

       • kdc_listen

       • kdc_ports

       • kdc_tcp_listen

       • kdc_tcp_ports

       • no_host_referral

       • restrict_anonymous_to_tgt

       The following [kdcdefaults] variables have no per-realm equivalent:

       kdc_max_dgram_reply_size
              Specifies the maximum packet size that can be sent over UDP. The default value is 4096 bytes.

       kdc_tcp_listen_backlog
              (Integer.) Sets the length of the listen queue for the KDC daemon. The value may be limited by OS settings. The default value is 5.

       spake_preauth_kdc_challenge
              (String.) Specifies the group for a SPAKE optimistic challenge. See the spake_preauth_groups variable in [libdefaults] for possible values. The default is not to issue an optimistic challenge. (New in release 1.17.)

[realms]
       Each tag in the [realms] section is the name of a Kerberos realm. The value of the tag is a subsection where the relations define KDC parameters for that particular realm. The following example shows how to define one parameter for the ATHENA.MIT.EDU realm:

          [realms]
              ATHENA.MIT.EDU = {
                  max_renewable_life = 7d 0h 0m 0s
              }

       The following tags may be specified in a [realms] subsection:

       acl_file
              (String.) Location of the access control list file that kadmind uses to determine which principals are allowed which permissions on the Kerberos database. To operate without an ACL file, set this relation to the empty string with acl_file = "". The default value is /var/kerberos/krb5kdc/kadm5.acl. For more information on the Kerberos ACL file, see kadm5.acl.

       database_module
              (String.) This relation indicates the name of the configuration section under [dbmodules] for database-specific parameters used by the loadable database library. The default value is the realm name. If this configuration section does not exist, default values will be used for all database parameters.

       database_name
              (String, deprecated.) This relation specifies the location of the Kerberos database for this realm, if the DB2 module is being used and the [dbmodules] configuration section does not specify a database name. The default value is /var/kerberos/krb5kdc/principal.

       default_principal_expiration
              (Absolute time string.) Specifies the default expiration date of principals created in this realm. The default value is 0, which means no expiration date.

       default_principal_flags
              (Flag string.) Specifies the default attributes of principals created in this realm. The format for this string is a comma-separated list of flags, with '+' before each flag that should be enabled and '-' before each flag that should be disabled. The postdateable, forwardable, tgt-based, renewable, proxiable, dup-skey, allow-tickets, and service flags default to enabled.

              There are a number of possible flags:

              allow-tickets
                     Enabling this flag means that the KDC will issue tickets for this principal. Disabling this flag essentially deactivates the principal within this realm.

              dup-skey
                     Enabling this flag allows the KDC to issue user-to-user service tickets for this principal.

              forwardable
                     Enabling this flag allows the principal to obtain forwardable tickets.

              hwauth
                     If this flag is enabled, then the principal is required to preauthenticate using a hardware device before receiving any tickets.

              no-auth-data-required
                     Enabling this flag prevents PAC or AD-SIGNEDPATH data from being added to service tickets for the principal.

              ok-as-delegate
                     If this flag is enabled, it hints to the client that credentials can and should be delegated when authenticating to the service.

              ok-to-auth-as-delegate
                     Enabling this flag allows the principal to use S4USelf tickets.

              postdateable
                     Enabling this flag allows the principal to obtain postdateable tickets.

              preauth
                     If this flag is enabled on a client principal, then that principal is required to preauthenticate to the KDC before receiving any tickets. On a service principal, enabling this flag means that service tickets for this principal will only be issued to clients with a TGT that has the preauthenticated bit set.

              proxiable
                     Enabling this flag allows the principal to obtain proxy tickets.

              pwchange
                     Enabling this flag forces a password change for this principal.

              pwservice
                     If this flag is enabled, it marks this principal as a password change service. This should only be used in special cases, for example, if a user's password has expired, then the user has to get tickets for that principal without going through the normal password authentication in order to be able to change the password.

              renewable
                     Enabling this flag allows the principal to obtain renewable tickets.

              service
                     Enabling this flag allows the KDC to issue service tickets for this principal. In release 1.17 and later, user-to-user service tickets are still allowed if the dup-skey flag is set.

              tgt-based
                     Enabling this flag allows a principal to obtain tickets based on a ticket-granting-ticket, rather than repeating the authentication process that was used to obtain the TGT.
203
       dict_file
              (String.) Location of the dictionary file containing strings that are not allowed as passwords. The file should contain one string per line, with no additional whitespace. If none is specified or if there is no policy assigned to the principal, no dictionary checks of passwords will be performed.

       encrypted_challenge_indicator
              (String.) Specifies the authentication indicator value that the KDC asserts into tickets obtained using FAST encrypted challenge pre-authentication. New in release 1.16.

       host_based_services
              (Whitespace- or comma-separated list.) Lists services which will get host-based referral processing even if the server principal is not marked as host-based by the client.

       iprop_enable
              (Boolean value.) Specifies whether incremental database propagation is enabled. The default value is false.

       iprop_ulogsize
              (Integer.) Specifies the maximum number of log entries to be retained for incremental propagation. The default value is 1000. Prior to release 1.11, the maximum value was 2500. New in release 1.19.

       iprop_master_ulogsize
              The name for iprop_ulogsize prior to release 1.19. Its value is used as a fallback if iprop_ulogsize is not specified.

       iprop_replica_poll
              (Delta time string.) Specifies how often the replica KDC polls for new updates from the primary. The default value is 2m (that is, two minutes). New in release 1.17.

       iprop_slave_poll
              (Delta time string.) The name for iprop_replica_poll prior to release 1.17. Its value is used as a fallback if iprop_replica_poll is not specified.

       iprop_listen
              (Whitespace- or comma-separated list.) Specifies the iprop RPC listening addresses and/or ports for the kadmind daemon. Each entry may be an interface address, a port number, or an address and port number separated by a colon. If the address contains colons, enclose it in square brackets. If no address is specified, the wildcard address is used. If kadmind fails to bind to any of the specified addresses, it will fail to start. The default (when iprop_enable is true) is to bind to the wildcard address at the port specified in iprop_port. New in release 1.15.

       iprop_port
              (Port number.) Specifies the port number to be used for incremental propagation. When iprop_enable is true, this relation is required in the replica KDC configuration file, and this relation or iprop_listen is required in the primary configuration file, as there is no default port number. Port numbers specified in iprop_listen entries will override this port number for the kadmind daemon.
264
       iprop_resync_timeout
              (Delta time string.) Specifies the amount of time to wait for a full propagation to complete. This is optional in configuration files, and is used by replica KDCs only. The default value is 5 minutes (5m). New in release 1.11.

       iprop_logfile
              (File name.) Specifies where the update log file for the realm database is to be stored. The default is to use the database_name entry from the realms section of the krb5 config file, with .ulog appended. (NOTE: If database_name isn't specified in the realms section, perhaps because the LDAP database back end is being used, or the file name is specified in the [dbmodules] section, then the hard-coded default for database_name is used. Determination of the iprop_logfile default value will not use values from the [dbmodules] section.)

       kadmind_listen
              (Whitespace- or comma-separated list.) Specifies the kadmin RPC listening addresses and/or ports for the kadmind daemon. Each entry may be an interface address, a port number, or an address and port number separated by a colon. If the address contains colons, enclose it in square brackets. If no address is specified, the wildcard address is used. If kadmind fails to bind to any of the specified addresses, it will fail to start. The default is to bind to the wildcard address at the port specified in kadmind_port, or the standard kadmin port (749). New in release 1.15.

       kadmind_port
              (Port number.) Specifies the port on which the kadmind daemon is to listen for this realm. Port numbers specified in kadmind_listen entries will override this port number. The assigned port for kadmind is 749, which is used by default.

       key_stash_file
              (String.) Specifies the location where the master key has been stored (via kdb5_util stash). The default is /var/kerberos/krb5kdc/.k5.REALM, where REALM is the Kerberos realm.

       kdc_listen
              (Whitespace- or comma-separated list.) Specifies the UDP listening addresses and/or ports for the krb5kdc daemon. Each entry may be an interface address, a port number, or an address and port number separated by a colon. If the address contains colons, enclose it in square brackets. If no address is specified, the wildcard address is used. If no port is specified, the standard port (88) is used. If the KDC daemon fails to bind to any of the specified addresses, it will fail to start. The default is to bind to the wildcard address on the standard port. New in release 1.15.

       kdc_ports
              (Whitespace- or comma-separated list, deprecated.) Prior to release 1.15, this relation lists the ports for the krb5kdc daemon to listen on for UDP requests. In release 1.15 and later, it has the same meaning as kdc_listen if that relation is not defined.

       kdc_tcp_listen
              (Whitespace- or comma-separated list.) Specifies the TCP listening addresses and/or ports for the krb5kdc daemon. Each entry may be an interface address, a port number, or an address and port number separated by a colon. If the address contains colons, enclose it in square brackets. If no address is specified, the wildcard address is used. If no port is specified, the standard port (88) is used. To disable listening on TCP, set this relation to the empty string with kdc_tcp_listen = "". If the KDC daemon fails to bind to any of the specified addresses, it will fail to start. The default is to bind to the wildcard address on the standard port. New in release 1.15.

       kdc_tcp_ports
              (Whitespace- or comma-separated list, deprecated.) Prior to release 1.15, this relation lists the ports for the krb5kdc daemon to listen on for UDP requests. In release 1.15 and later, it has the same meaning as kdc_tcp_listen if that relation is not defined.

       kpasswd_listen
              (Comma-separated list.) Specifies the kpasswd listening addresses and/or ports for the kadmind daemon. Each entry may be an interface address, a port number, or an address and port number separated by a colon. If the address contains colons, enclose it in square brackets. If no address is specified, the wildcard address is used. If kadmind fails to bind to any of the specified addresses, it will fail to start. The default is to bind to the wildcard address at the port specified in kpasswd_port, or the standard kpasswd port (464). New in release 1.15.

       kpasswd_port
              (Port number.) Specifies the port on which the kadmind daemon is to listen for password change requests for this realm. Port numbers specified in kpasswd_listen entries will override this port number. The assigned port for password change requests is 464, which is used by default.
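
       The *_listen relations above share one entry syntax, and the *_port relations and the deprecated kdc_ports / kdc_tcp_ports apply only when the corresponding *_listen relation is absent. The following Python is an added example (not MIT Kerberos code) that parses that entry syntax, including the bracketed-IPv6 and empty-string-disables cases, and resolves the endpoints each daemon would bind. It assumes the relations for one realm have already been merged into a single tag-to-value map (realm subsection values overriding [kdcdefaults]) and that addresses are numeric rather than hostnames.

```python
"""Resolve the endpoints krb5kdc and kadmind would bind from the kdc_listen,
kdc_tcp_listen, kadmind_listen and kpasswd_listen relations of kdc.conf(5).
Example code, not part of MIT Kerberos."""
import ipaddress
import re

# Standard ports named in the man page for each listener.
STANDARD_PORTS = {"kdc_udp": 88, "kdc_tcp": 88, "kadmind": 749, "kpasswd": 464}

# Relations consulted in order, plus the *_port relation (if any) that supplies
# the port for entries that give none. kdc_ports and kdc_tcp_ports are the
# deprecated names, used only when the *_listen relation is not defined.
RELATIONS = {
    "kdc_udp": (("kdc_listen", "kdc_ports"), None),
    "kdc_tcp": (("kdc_tcp_listen", "kdc_tcp_ports"), None),
    "kadmind": (("kadmind_listen",), "kadmind_port"),
    "kpasswd": (("kpasswd_listen",), "kpasswd_port"),
}


def _port(text):
    if not text.isdigit() or not 1 <= int(text) <= 65535:
        raise ValueError(f"invalid port {text!r}")
    return int(text)


def parse_listen_entry(entry, default_port):
    """One list entry -> (address, port); address None means the wildcard.
    Accepted forms: port | v4addr | v4addr:port | [v6addr] | [v6addr]:port."""
    entry = entry.strip()
    if entry.startswith("["):                    # IPv6 must be bracketed
        close = entry.find("]")
        if close < 0:
            raise ValueError(f"unterminated '[' in {entry!r}")
        addr, rest = entry[1:close], entry[close + 1:]
        ipaddress.IPv6Address(addr)              # raises on a malformed address
        if rest == "":
            return addr, default_port
        if not rest.startswith(":"):
            raise ValueError(f"unexpected text after ']' in {entry!r}")
        return addr, _port(rest[1:])
    if entry.isdigit():                          # bare port on the wildcard address
        return None, _port(entry)
    if entry.count(":") > 1:                     # unbracketed IPv6 is ambiguous
        raise ValueError(f"enclose the IPv6 address in [] in {entry!r}")
    addr, sep, port_text = entry.partition(":")
    ipaddress.IPv4Address(addr)                  # raises on a malformed address
    return addr, (_port(port_text) if sep else default_port)


def effective_endpoints(relations, service):
    """relations: merged tag -> value map for one realm (assumed already
    merged, realm subsection over [kdcdefaults]). Returns the list of
    (address, port) pairs, or [] when the relation is the empty string."""
    names, port_relation = RELATIONS[service]
    default_port = STANDARD_PORTS[service]
    if port_relation and port_relation in relations:
        default_port = _port(relations[port_relation])
    for name in names:
        if name in relations:
            value = relations[name].strip().strip('"')
            if value == "":                      # e.g. kdc_tcp_listen = ""
                return []
            return [parse_listen_entry(e, default_port)
                    for e in re.split(r"[\s,]+", value) if e]
    return [(None, default_port)]


if __name__ == "__main__":
    # Constructed sample relations, not a real deployment.
    sample = {"kdc_listen": "88, [::1]:8088", "kdc_tcp_listen": "",
              "kadmind_port": "7490", "kpasswd_listen": "127.0.0.1"}
    for service in RELATIONS:
        print(service, effective_endpoints(sample, service))
```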
362
       master_key_name
              (String.) Specifies the name of the principal associated with the master key. The default is K/M.

       master_key_type
              (Key type string.) Specifies the master key's key type. The default value for this is aes256-cts-hmac-sha1-96. For a list of all possible values, see Encryption types.

       max_life
              (Time duration string.) Specifies the maximum time period for which a ticket may be valid in this realm. The default value is 24 hours.

       max_renewable_life
              (Time duration string.) Specifies the maximum time period during which a valid ticket may be renewed in this realm. The default value is 0.

       no_host_referral
              (Whitespace- or comma-separated list.) Lists services to block from getting host-based referral processing, even if the client marks the server principal as host-based or the service is also listed in host_based_services. no_host_referral = * will disable referral processing altogether.

       reject_bad_transit
              (Boolean value.) If set to true, the KDC will check the list of transited realms for cross-realm tickets against the transit path computed from the realm names and the capaths section of its krb5.conf file; if the path in the ticket to be issued contains any realms not in the computed path, the ticket will not be issued, and an error will be returned to the client instead. If this value is set to false, such tickets will be issued anyway, and it will be left up to the application server to validate the realm transit path.

              If the disable-transited-check flag is set in the incoming request, this check is not performed at all. Setting the reject_bad_transit option will cause such ticket requests to always be rejected.

              This transit path checking and config file option currently apply only to TGS requests.

              The default value is true.

       restrict_anonymous_to_tgt
              (Boolean value.) If set to true, the KDC will reject ticket requests from anonymous principals to service principals other than the realm's ticket-granting service. This option allows anonymous PKINIT to be enabled for use as FAST armor tickets without allowing anonymous authentication to services. The default value is false. New in release 1.9.

       spake_preauth_indicator
              (String.) Specifies an authentication indicator value that the KDC asserts into tickets obtained using SPAKE pre-authentication. The default is not to add any indicators. This option may be specified multiple times. New in release 1.17.

       supported_enctypes
              (List of key:salt strings.) Specifies the default key/salt combinations of principals for this realm. Any principals created through kadmin will have keys of these types. The default value for this tag is aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal. For lists of possible values, see Keysalt lists.
431
[dbdefaults]
       The [dbdefaults] section specifies default values for some database parameters, to be used if the [dbmodules] subsection does not contain a relation for the tag. See the [dbmodules] section for the definitions of these relations.

       • ldap_kerberos_container_dn

       • ldap_kdc_dn

       • ldap_kdc_sasl_authcid

       • ldap_kdc_sasl_authzid

       • ldap_kdc_sasl_mech

       • ldap_kdc_sasl_realm

       • ldap_kadmind_dn

       • ldap_kadmind_sasl_authcid

       • ldap_kadmind_sasl_authzid

       • ldap_kadmind_sasl_mech

       • ldap_kadmind_sasl_realm

       • ldap_service_password_file

       • ldap_conns_per_server
463
[dbmodules]
       The [dbmodules] section contains parameters used by the KDC database library and database modules. Each tag in the [dbmodules] section is the name of a Kerberos realm or a section name specified by a realm's database_module parameter. The following example shows how to define one database parameter for the ATHENA.MIT.EDU realm:

          [dbmodules]
              ATHENA.MIT.EDU = {
                  disable_last_success = true
              }

       The following tags may be specified in a [dbmodules] subsection:

       database_name
              This DB2-specific tag indicates the location of the database in the filesystem. The default is /var/kerberos/krb5kdc/principal.

       db_library
              This tag indicates the name of the loadable database module. The value should be db2 for the DB2 module, klmdb for the LMDB module, or kldap for the LDAP module.

       disable_last_success
              If set to true, suppresses KDC updates to the "Last successful authentication" field of principal entries requiring preauthentication. Setting this flag may improve performance. (Principal entries which do not require preauthentication never update the "Last successful authentication" field.) First introduced in release 1.9.

       disable_lockout
              If set to true, suppresses KDC updates to the "Last failed authentication" and "Failed password attempts" fields of principal entries requiring preauthentication. Setting this flag may improve performance, but also disables account lockout. First introduced in release 1.9.

       ldap_conns_per_server
              This LDAP-specific tag indicates the number of connections to be maintained per LDAP server.

       ldap_kdc_dn and ldap_kadmind_dn
              These LDAP-specific tags indicate the default DN for binding to the LDAP server. The krb5kdc daemon uses ldap_kdc_dn, while the kadmind daemon and other administrative programs use ldap_kadmind_dn. The kadmind DN must have the rights to read and write the Kerberos data in the LDAP database. The KDC DN must have the same rights, unless disable_lockout and disable_last_success are true, in which case it only needs to have rights to read the Kerberos data. These tags are ignored if a SASL mechanism is set with ldap_kdc_sasl_mech or ldap_kadmind_sasl_mech.

       ldap_kdc_sasl_mech and ldap_kadmind_sasl_mech
              These LDAP-specific tags specify the SASL mechanism (such as EXTERNAL) to use when binding to the LDAP server. New in release 1.13.

       ldap_kdc_sasl_authcid and ldap_kadmind_sasl_authcid
              These LDAP-specific tags specify the SASL authentication identity to use when binding to the LDAP server. Not all SASL mechanisms require an authentication identity. If the SASL mechanism requires a secret (such as the password for DIGEST-MD5), these tags also determine the name within the ldap_service_password_file where the secret is stashed. New in release 1.13.

       ldap_kdc_sasl_authzid and ldap_kadmind_sasl_authzid
              These LDAP-specific tags specify the SASL authorization identity to use when binding to the LDAP server. In most circumstances they do not need to be specified. New in release 1.13.

       ldap_kdc_sasl_realm and ldap_kadmind_sasl_realm
              These LDAP-specific tags specify the SASL realm to use when binding to the LDAP server. In most circumstances they do not need to be set. New in release 1.13.

       ldap_kerberos_container_dn
              This LDAP-specific tag indicates the DN of the container object where the realm objects will be located.

       ldap_servers
              This LDAP-specific tag indicates the list of LDAP servers that the Kerberos servers can connect to. The list of LDAP servers is whitespace-separated. Each LDAP server is specified by an LDAP URI. It is recommended to use ldapi: or ldaps: URLs to connect to the LDAP server.

       ldap_service_password_file
              This LDAP-specific tag indicates the file containing the stashed passwords (created by kdb5_ldap_util stashsrvpw) for the ldap_kdc_dn and ldap_kadmind_dn objects, or for the ldap_kdc_sasl_authcid or ldap_kadmind_sasl_authcid names for SASL authentication. This file must be kept secure.

       mapsize
              This LMDB-specific tag indicates the maximum size of the two database environments in megabytes. The default value is 128. Increase this value to address "Environment mapsize limit reached" errors. New in release 1.17.

       max_readers
              This LMDB-specific tag indicates the maximum number of concurrent reading processes for the databases. The default value is 128. New in release 1.17.

       nosync
              This LMDB-specific tag can be set to improve the throughput of kadmind and other administrative agents, at the expense of durability (recent database changes may not survive a power outage or other sudden reboot). It does not affect the throughput of the KDC. The default value is false. New in release 1.17.

       unlockiter
              If set to true, this DB2-specific tag causes iteration operations to release the database lock while processing each principal. Setting this flag to true can prevent extended blocking of KDC or kadmin operations when dumps of large databases are in progress. First introduced in release 1.13.

       The following tag may be specified directly in the [dbmodules] section to control where database modules are loaded from:

       db_module_dir
              This tag controls where the plugin system looks for database modules. The value should be an absolute path.
588
[logging]
       The [logging] section indicates how krb5kdc and kadmind perform logging. It may contain the following relations:

       admin_server
              Specifies how kadmind performs logging.

       kdc
              Specifies how krb5kdc performs logging.

       default
              Specifies how either daemon performs logging in the absence of relations specific to the daemon.

       debug
              (Boolean value.) Specifies whether debugging messages are included in log outputs other than SYSLOG. Debugging messages are always included in the system log output because syslog performs its own priority filtering. The default value is false. New in release 1.15.

       Logging specifications may have the following forms:

       FILE=filename or FILE:filename
              This value causes the daemon's logging messages to go to the filename. If the = form is used, the file is overwritten. If the : form is used, the file is appended to.

       STDERR
              This value causes the daemon's logging messages to go to its standard error stream.

       CONSOLE
              This value causes the daemon's logging messages to go to the console, if the system supports it.

       DEVICE=<devicename>
              This causes the daemon's logging messages to go to the specified device.

       SYSLOG[:severity[:facility]]
              This causes the daemon's logging messages to go to the system log.

              For backward compatibility, a severity argument may be specified, and must be specified in order to specify a facility. This argument will be ignored.

              The facility argument specifies the facility under which the messages are logged. This may be any of the following facilities supported by the syslog(3) call minus the LOG_ prefix: KERN, USER, MAIL, DAEMON, AUTH, LPR, NEWS, UUCP, CRON, and LOCAL0 through LOCAL7. If no facility is specified, the default is AUTH.

       In the following example, the logging messages from the KDC will go to the console and to the system log under the facility LOG_DAEMON, and the logging messages from the administrative server will be appended to the file /var/adm/kadmin.log and sent to the device /dev/tty04.

          [logging]
              kdc = CONSOLE
              kdc = SYSLOG:INFO:DAEMON
              admin_server = FILE:/var/adm/kadmin.log
              admin_server = DEVICE=/dev/tty04

       If no logging specification is given, the default is to use syslog. To disable logging entirely, specify default = DEVICE=/dev/null.
654
[otp]
       Each subsection of [otp] is the name of an OTP token type. The tags within the subsection define the configuration required to forward a One Time Password request to a RADIUS server.

       For each token type, the following tags may be specified:

       server
              This is the server to send the RADIUS request to. It can be a hostname with optional port, an IP address with optional port, or a Unix domain socket address. The default is /var/kerberos/krb5kdc/<name>.socket.

       secret
              This tag indicates a filename (which may be relative to /var/kerberos/krb5kdc) containing the secret used to encrypt the RADIUS packets. The secret should appear in the first line of the file by itself; leading and trailing whitespace on the line will be removed. If the value of server is a Unix domain socket address, this tag is optional, and an empty secret will be used if it is not specified. Otherwise, this tag is required.

       timeout
              An integer which specifies the time in seconds during which the KDC should attempt to contact the RADIUS server. This tag is the total time across all retries and should be less than the time for which an OTP value remains valid. The default is 5 seconds.

       retries
              This tag specifies the number of retries to make to the RADIUS server. The default is 3 retries (4 tries).

       strip_realm
              If this tag is true, the principal without the realm will be passed to the RADIUS server. Otherwise, the realm will be included. The default value is true.

       indicator
              This tag specifies an authentication indicator to be included in the ticket if this token type is used to authenticate. This option may be specified multiple times. (New in release 1.14.)

       In the following example, requests are sent to a remote server via UDP:

          [otp]
              MyRemoteTokenType = {
                  server = radius.mydomain.com:1812
                  secret = SEmfiajf42$
                  timeout = 15
                  retries = 5
                  strip_realm = true
              }

       An implicit default token type named DEFAULT is defined for when the per-principal configuration does not specify a token type. Its configuration is shown below. You may override this token type to something applicable for your situation:

          [otp]
              DEFAULT = {
                  strip_realm = false
              }
716
PKINIT OPTIONS
       NOTE:
          The following are pkinit-specific options. These values may be specified in [kdcdefaults] as global defaults, or within a realm-specific subsection of [realms]. Also note that a realm-specific value overrides, and does not add to, a generic [kdcdefaults] specification. The search order is:

          1. realm-specific subsection of [realms]:

                 [realms]
                     EXAMPLE.COM = {
                         pkinit_anchors = FILE:/usr/local/example.com.crt
                     }

          2. generic value in the [kdcdefaults] section:

                 [kdcdefaults]
                     pkinit_anchors = DIR:/usr/local/generic_trusted_cas/

          For information about the syntax of some of these options, see Specifying PKINIT identity information in krb5.conf.

       pkinit_anchors
              Specifies the location of trusted anchor (root) certificates which the KDC trusts to sign client certificates. This option is required if pkinit is to be supported by the KDC. This option may be specified multiple times.

       pkinit_dh_min_bits
              Specifies the minimum number of bits the KDC is willing to accept for a client's Diffie-Hellman key. The default is 2048.

       pkinit_allow_upn
              Specifies that the KDC is willing to accept client certificates with the Microsoft UserPrincipalName (UPN) Subject Alternative Name (SAN). This means the KDC accepts the binding of the UPN in the certificate to the Kerberos principal name. The default value is false.

              Without this option, the KDC will only accept certificates with the id-pkinit-san as defined in RFC 4556. There is currently no option to disable SAN checking in the KDC.

       pkinit_eku_checking
              This option specifies what Extended Key Usage (EKU) values the KDC is willing to accept in client certificates. The values recognized in the kdc.conf file are:

              kpClientAuth
                     This is the default value and specifies that client certificates must have the id-pkinit-KPClientAuth EKU as defined in RFC 4556.

              scLogin
                     If scLogin is specified, client certificates with the Microsoft Smart Card Login EKU (id-ms-kp-sc-logon) will be accepted.

              none
                     If none is specified, then client certificates will not be checked to verify they have an acceptable EKU. The use of this option is not recommended.

       pkinit_identity
              Specifies the location of the KDC's X.509 identity information. This option is required if pkinit is to be supported by the KDC.

       pkinit_indicator
              Specifies an authentication indicator to include in the ticket if pkinit is used to authenticate. This option may be specified multiple times. (New in release 1.14.)

       pkinit_pool
              Specifies the location of intermediate certificates which may be used by the KDC to complete the trust chain between a client's certificate and a trusted anchor. This option may be specified multiple times.

       pkinit_revoke
              Specifies the location of Certificate Revocation List (CRL) information to be used by the KDC when verifying the validity of client certificates. This option may be specified multiple times.

       pkinit_require_crl_checking
              The default certificate verification process will always check the available revocation information to see if a certificate has been revoked. If a match is found for the certificate in a CRL, verification fails. If the certificate being verified is not listed in a CRL, or there is no CRL present for its issuing CA, and pkinit_require_crl_checking is false, then verification succeeds.

              However, if pkinit_require_crl_checking is true and there is no CRL information available for the issuing CA, then verification fails.

              pkinit_require_crl_checking should be set to true if the policy is such that up-to-date CRLs must be present for every CA.

       pkinit_require_freshness
              Specifies whether to require clients to include a freshness token in PKINIT requests. The default value is false. (New in release 1.17.)
821
ENCRYPTION TYPES
   Any tag in the configuration files which requires a list of encryption
   types can be set to some combination of the following strings.
   Encryption types marked as "weak" and "deprecated" are available for
   compatibility but not recommended for use.

   ┌───────────────────────────┬─────────────────────────────┐
   │aes256-cts-hmac-sha1-96    │ AES-256 CTS mode with       │
   │aes256-cts aes256-sha1     │ 96-bit SHA-1 HMAC           │
   ├───────────────────────────┼─────────────────────────────┤
   │aes128-cts-hmac-sha1-96    │ AES-128 CTS mode with       │
   │aes128-cts aes128-sha1     │ 96-bit SHA-1 HMAC           │
   ├───────────────────────────┼─────────────────────────────┤
   │aes256-cts-hmac-sha384-192 │ AES-256 CTS mode with       │
   │aes256-sha2                │ 192-bit SHA-384 HMAC        │
   ├───────────────────────────┼─────────────────────────────┤
   │aes128-cts-hmac-sha256-128 │ AES-128 CTS mode with       │
   │aes128-sha2                │ 128-bit SHA-256 HMAC        │
   ├───────────────────────────┼─────────────────────────────┤
   │arcfour-hmac rc4-hmac      │ RC4 with HMAC/MD5           │
   │arcfour-hmac-md5           │ (deprecated)                │
   ├───────────────────────────┼─────────────────────────────┤
   │arcfour-hmac-exp           │ Exportable RC4 with         │
   │rc4-hmac-exp               │ HMAC/MD5 (weak)             │
   │arcfour-hmac-md5-exp       │                             │
   ├───────────────────────────┼─────────────────────────────┤
   │camellia256-cts-cmac       │ Camellia-256 CTS mode with  │
   │camellia256-cts            │ CMAC                        │
   ├───────────────────────────┼─────────────────────────────┤
   │camellia128-cts-cmac       │ Camellia-128 CTS mode with  │
   │camellia128-cts            │ CMAC                        │
   ├───────────────────────────┼─────────────────────────────┤
   │aes                        │ The AES family:             │
   │                           │ aes256-cts-hmac-sha1-96,    │
   │                           │ aes128-cts-hmac-sha1-96,    │
   │                           │ aes256-cts-hmac-sha384-192, │
   │                           │ and                         │
   │                           │ aes128-cts-hmac-sha256-128  │
   ├───────────────────────────┼─────────────────────────────┤
   │rc4                        │ The RC4 family:             │
   │                           │ arcfour-hmac                │
   ├───────────────────────────┼─────────────────────────────┤
   │camellia                   │ The Camellia family:        │
   │                           │ camellia256-cts-cmac and    │
   │                           │ camellia128-cts-cmac        │
   └───────────────────────────┴─────────────────────────────┘

   The string DEFAULT can be used to refer to the default set of types for
   the variable in question. Types or families can be removed from the
   current list by prefixing them with a minus sign ("-"). Types or
   families can be prefixed with a plus sign ("+") for symmetry; it has
   the same meaning as just listing the type or family. For example,
   "DEFAULT -rc4" would be the default set of encryption types with RC4
   types removed, and "aes128-sha2 DEFAULT" would be the default set of
   encryption types with aes128-sha2 moved to the front.

   While aes128-cts and aes256-cts are supported for all Kerberos
   operations, they are not supported by very old versions of our GSSAPI
   implementation (krb5-1.3.1 and earlier). Services running versions of
   krb5 without AES support must not be given keys of these encryption
   types in the KDC database.

   The aes128-sha2 and aes256-sha2 encryption types are new in release
   1.15. Services running versions of krb5 without support for these
   newer encryption types must not be given keys of these encryption types
   in the KDC database.

KEYSALT LISTS
   Kerberos keys for users are usually derived from passwords. Kerberos
   commands and configuration parameters that affect generation of keys
   take lists of enctype-salttype ("keysalt") pairs, known as keysalt
   lists. Each keysalt pair is an enctype name followed by a salttype
   name, in the format enc:salt. Individual keysalt list members are
   separated by comma (",") characters or space characters. For example:

          kadmin -e aes256-cts:normal,aes128-cts:normal

   would start up kadmin so that by default it would generate
   password-derived keys for the aes256-cts and aes128-cts encryption
   types, using a normal salt.

   To ensure that people who happen to pick the same password do not have
   the same key, Kerberos 5 incorporates more information into the key
   using something called a salt. The supported salt types are as follows:

   ┌──────────┬────────────────────────────┐
   │normal    │ default for Kerberos       │
   │          │ Version 5                  │
   ├──────────┼────────────────────────────┤
   │norealm   │ same as the default,       │
   │          │ without using realm        │
   │          │ information                │
   ├──────────┼────────────────────────────┤
   │onlyrealm │ uses only realm            │
   │          │ information as the salt    │
   ├──────────┼────────────────────────────┤
   │special   │ generate a random salt     │
   └──────────┴────────────────────────────┘

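As an added example, not code from the krb5 sources or this manual, the following Python resolves an encryption-type list using the syntax described above (DEFAULT, families, "+"/"-" prefixes, types moved to the front) and parses a keysalt list of enc:salt pairs. The alias, family and salt tables are transcribed from the tables above; treating an omitted salttype as normal is an assumption.

```python
import re

# Added example (not krb5 code): aliases, families and salt types are
# transcribed from the tables above; DEPRECATED follows their markings.
ENCTYPE_ALIASES = {
    "aes256-cts": "aes256-cts-hmac-sha1-96", "aes256-sha1": "aes256-cts-hmac-sha1-96",
    "aes128-cts": "aes128-cts-hmac-sha1-96", "aes128-sha1": "aes128-cts-hmac-sha1-96",
    "aes256-sha2": "aes256-cts-hmac-sha384-192", "aes128-sha2": "aes128-cts-hmac-sha256-128",
    "rc4-hmac": "arcfour-hmac", "arcfour-hmac-md5": "arcfour-hmac",
    "rc4-hmac-exp": "arcfour-hmac-exp", "arcfour-hmac-md5-exp": "arcfour-hmac-exp",
    "camellia256-cts": "camellia256-cts-cmac", "camellia128-cts": "camellia128-cts-cmac",
}
KNOWN = set(ENCTYPE_ALIASES.values())
FAMILIES = {
    "aes": ["aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96",
            "aes256-cts-hmac-sha384-192", "aes128-cts-hmac-sha256-128"],
    "rc4": ["arcfour-hmac"],
    "camellia": ["camellia256-cts-cmac", "camellia128-cts-cmac"],
}
DEPRECATED = {"arcfour-hmac", "arcfour-hmac-exp"}
SALTTYPES = {"normal", "norealm", "onlyrealm", "special"}

def canonical(name):
    """Map an alias to its canonical enctype name; reject names not in the table."""
    name = ENCTYPE_ALIASES.get(name, name)
    if name not in KNOWN:
        raise ValueError("unknown enctype %r" % name)
    return name

def resolve_enctypes(spec, default):
    """Resolve an enctype list: DEFAULT, families, "+"/"-" prefixes, no duplicates."""
    result = []
    for token in spec.split():
        op, name = (token[0], token[1:]) if token[0] in "+-" else ("+", token)
        names = list(default) if name == "DEFAULT" else FAMILIES.get(name) or [canonical(name)]
        if op == "-":
            result = [e for e in result if e not in names]
        else:  # "+" or bare: append in order, keeping an earlier position if present
            result.extend(e for e in names if e not in result)
    return result

def parse_keysalts(spec):
    """Parse a keysalt list: "enc:salt" pairs separated by commas or spaces."""
    pairs = []
    for item in filter(None, re.split(r"[,\s]+", spec)):
        enc, _, salt = item.partition(":")
        salt = salt or "normal"  # assumption: an omitted salttype means normal
        if salt not in SALTTYPES:
            raise ValueError("unknown salttype %r in %r" % (salt, item))
        pairs.append((canonical(enc), salt))
    return pairs
```

Checking a resolved supported_enctypes list against DEPRECATED is a quick way to audit a realm for RC4 keys before they are written to the KDC database.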
SAMPLE KDC.CONF FILE
   Here's an example of a kdc.conf file:

      [kdcdefaults]
          kdc_listen = 88
          kdc_tcp_listen = 88
      [realms]
          ATHENA.MIT.EDU = {
              kadmind_port = 749
              max_life = 12h 0m 0s
              max_renewable_life = 7d 0h 0m 0s
              master_key_type = aes256-cts-hmac-sha1-96
              supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal
              database_module = openldap_ldapconf
          }

      [logging]
          kdc = FILE:/usr/local/var/krb5kdc/kdc.log
          admin_server = FILE:/usr/local/var/krb5kdc/kadmin.log

      [dbdefaults]
          ldap_kerberos_container_dn = cn=krbcontainer,dc=mit,dc=edu

      [dbmodules]
          openldap_ldapconf = {
              db_library = kldap
              disable_last_success = true
              ldap_kdc_dn = "cn=krbadmin,dc=mit,dc=edu"
              # this object needs to have read rights on
              # the realm container and principal subtrees
              ldap_kadmind_dn = "cn=krbadmin,dc=mit,dc=edu"
              # this object needs to have read and write rights on
              # the realm container and principal subtrees
              ldap_service_password_file = /etc/kerberos/service.keyfile
              ldap_servers = ldaps://kerberos.mit.edu
              ldap_conns_per_server = 5
          }

FILES
   /var/kerberos/krb5kdc/kdc.conf

SEE ALSO
   krb5.conf, krb5kdc, kadm5.acl

AUTHOR
   MIT

COPYRIGHT
   1985-2022, MIT

1.19.2                                                          KDC.CONF(5)