1KRB5.CONF(5)                     MIT Kerberos                     KRB5.CONF(5)
2
3
4

NAME

6       krb5.conf - Kerberos configuration file
7
8       The krb5.conf file contains Kerberos configuration information, includ‐
9       ing the locations of KDCs and admin servers for the Kerberos realms  of
10       interest, defaults for the current realm and for Kerberos applications,
11       and mappings of hostnames onto Kerberos realms.  Normally,  you  should
12       install  your  krb5.conf  file in the directory /etc.  You can override
13       the default location by setting the environment  variable  KRB5_CONFIG.
14       Multiple colon-separated filenames may be specified in KRB5_CONFIG; all
15       files which are present will be read.  Starting in release 1.14, direc‐
16       tory  names  can also be specified in KRB5_CONFIG; all files within the
17       directory  whose  names  consist  solely  of  alphanumeric  characters,
18       dashes, or underscores will be read.
19

STRUCTURE

21       The krb5.conf file is set up in the style of a Windows INI file.  Lines
22       beginning with '#' or ';' (possibly after initial whitespace)  are  ig‐
23       nored  as comments.  Sections are headed by the section name, in square
24       brackets.  Each section may contain zero  or  more  relations,  of  the
25       form:
26
27          foo = bar
28
29       or:
30
31          fubar = {
32              foo = bar
33              baz = quux
34          }
35
36       Placing  a  '*'  after  the closing bracket of a section name indicates
37       that the section is final, meaning that if  the  same  section  appears
38       within  a  later  file specified in KRB5_CONFIG, it will be ignored.  A
39       subsection can be marked as final by placing a '*' after either the tag
40       name or the closing brace.
41
42       The  krb5.conf file can include other files using either of the follow‐
43       ing directives at the beginning of a line:
44
45          include FILENAME
46          includedir DIRNAME
47
48       FILENAME or DIRNAME should be an absolute path. The named file  or  di‐
49       rectory must exist and be readable.  Including a directory includes all
50       files within the directory whose names consist solely  of  alphanumeric
51       characters,  dashes,  or  underscores.  Starting in release 1.15, files
52       with names ending in ".conf" are also included, unless the name  begins
53       with  ".".   Included  profile  files  are syntactically independent of
54       their parents, so each included file must begin with a section  header.
55       Starting in release 1.17, files are read in alphanumeric order; in pre‐
56       vious releases, they may be read in any order.
57
58       The krb5.conf file can specify that configuration  should  be  obtained
59       from  a loadable module, rather than the file itself, using the follow‐
60       ing directive at the beginning of a line before any section headers:
61
62          module MODULEPATH:RESIDUAL
63
64       MODULEPATH may be relative to the library path of  the  krb5  installa‐
65       tion,  or it may be an absolute path.  RESIDUAL is provided to the mod‐
66       ule at initialization time.  If  krb5.conf  uses  a  module  directive,
67       kdc.conf should also use one if it exists.
68

SECTIONS

70       The krb5.conf file may contain the following sections:
71
72                    ┌───────────────┬────────────────────────────┐
73[libdefaults]  │ Settings  used by the Ker‐ │
74                    │               │ beros V5 library           │
75                    ├───────────────┼────────────────────────────┤
76[realms]       │ Realm-specific contact in‐ │
77                    │               │ formation and settings     │
78                    ├───────────────┼────────────────────────────┤
79[domain_realm] │ Maps  server  hostnames to │
80                    │               │ Kerberos realms            │
81                    ├───────────────┼────────────────────────────┤
82[capaths]      │ Authentication  paths  for │
83                    │               │ non-hierarchical           │
84                    │               │ cross-realm                │
85                    ├───────────────┼────────────────────────────┤
86[appdefaults]  │ Settings used by some Ker‐ │
87                    │               │ beros V5 applications      │
88                    ├───────────────┼────────────────────────────┤
89[plugins]      │ Controls   plugin   module │
90                    │               │ registration               │
91                    └───────────────┴────────────────────────────┘
92
93       Additionally, krb5.conf may include any of the relations  described  in
94       kdc.conf, but it is not a recommended practice.
95
96   [libdefaults]
97       The libdefaults section may contain any of the following relations:
98
99       allow_weak_crypto
100              If  this  flag  is  set to false, then weak encryption types (as
101              noted in Encryption types in kdc.conf) will be filtered  out  of
102              the  lists  default_tgs_enctypes, default_tkt_enctypes, and per‐
103              mitted_enctypes.  The default value for this tag is false.
104
105       canonicalize
106              If this flag is set to true, initial ticket requests to the  KDC
107              will  request canonicalization of the client principal name, and
108              answers with different  client  principals  than  the  requested
109              principal will be accepted.  The default value is false.
110
111       ccache_type
112              This  parameter  determines the format of credential cache types
113              created by kinit or other programs.  The  default  value  is  4,
114              which represents the most current format.  Smaller values can be
115              used for compatibility with very old implementations of Kerberos
116              which interact with credential caches on the same host.
117
118       clockskew
119              Sets  the  maximum allowable amount of clockskew in seconds that
120              the library will tolerate before assuming that a  Kerberos  mes‐
121              sage is invalid.  The default value is 300 seconds, or five min‐
122              utes.
123
124              The clockskew setting is also used when evaluating ticket  start
125              and  expiration  times.   For example, tickets that have reached
126              their expiration time can still be used (and renewed if they are
127              renewable tickets) if they have been expired for a shorter dura‐
128              tion than the clockskew setting.
129
130       default_ccache_name
131              This relation specifies  the  name  of  the  default  credential
132              cache.   The  default is FILE:/tmp/krb5cc_%{uid}.  This relation
133              is subject to parameter expansion (see below).  New  in  release
134              1.11.
135
136       default_client_keytab_name
137              This  relation  specifies the name of the default keytab for ob‐
138              taining  client  credentials.   The  default  is  FILE:/var/ker‐
139              beros/krb5/user/%{euid}/client.keytab.  This relation is subject
140              to parameter expansion (see below).  New in release 1.11.
141
142       default_keytab_name
143              This relation specifies the default keytab name to  be  used  by
144              application    servers   such   as   sshd.    The   default   is
145              FILE:/etc/krb5.keytab.  This relation is  subject  to  parameter
146              expansion (see below).
147
148       default_rcache_name
149              This  relation  specifies  the name of the default replay cache.
150              The default is dfl:.  This relation is subject to parameter  ex‐
151              pansion (see below).  New in release 1.18.
152
153       default_realm
154              Identifies  the  default Kerberos realm for the client.  Set its
155              value to your Kerberos realm.  If this value is not set, then  a
156              realm  must  be specified with every Kerberos principal when in‐
157              voking programs such as kinit.
158
159       default_tgs_enctypes
160              Identifies the supported list of session  key  encryption  types
161              that  the  client should request when making a TGS-REQ, in order
162              of preference from highest to lowest.  The list may be delimited
163              with commas or whitespace.  See Encryption types in kdc.conf for
164              a list of the accepted values for this tag.  Starting in release
165              1.18, the default value is the value of permitted_enctypes.  For
166              previous releases or if permitted_enctypes is not set,  the  de‐
167              fault  value  is aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
168              aes256-cts-hmac-sha384-192    aes128-cts-hmac-sha256-128    arc‐
169              four-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac.
170
171              Do  not  set this unless required for specific backward compati‐
172              bility purposes;  stale  values  of  this  setting  can  prevent
173              clients  from taking advantage of new stronger enctypes when the
174              libraries are upgraded.
175
176       default_tkt_enctypes
177              Identifies the supported list of session  key  encryption  types
178              that  the  client should request when making an AS-REQ, in order
179              of preference from highest to lowest.  The format is the same as
180              for default_tgs_enctypes.  Starting in release 1.18, the default
181              value is the value of permitted_enctypes.  For previous releases
182              or  if  permitted_enctypes  is  not  set,  the  default value is
183              aes256-cts-hmac-sha1-96                  aes128-cts-hmac-sha1-96
184              aes256-cts-hmac-sha384-192    aes128-cts-hmac-sha256-128    arc‐
185              four-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac.
186
187              Do not set this unless required for specific  backward  compati‐
188              bility  purposes;  stale  values  of  this  setting  can prevent
189              clients from taking advantage of new stronger enctypes when  the
190              libraries are upgraded.
191
192       dns_canonicalize_hostname
193              Indicate whether name lookups will be used to canonicalize host‐
194              names for use in service principal names.  Setting this flag  to
195              false  can  improve  security  by  reducing reliance on DNS, but
196              means  that  short  hostnames  will  not  be  canonicalized   to
197              fully-qualified  hostnames.   If  this option is set to fallback
198              (new in release 1.18), DNS canonicalization will  only  be  per‐
199              formed  the  server hostname is not found with the original name
200              when requesting credentials.  The default value is true.
201
202       dns_lookup_kdc
203              Indicate whether DNS SRV records should be used  to  locate  the
204              KDCs  and  other  servers for a realm, if they are not listed in
205              the krb5.conf information for the realm.   (Note  that  the  ad‐
206              min_server  entry  must be in the krb5.conf realm information in
207              order to contact kadmind, because  the  DNS  implementation  for
208              kadmin is incomplete.)
209
210              Enabling  this  option  does open up a type of denial-of-service
211              attack, if someone spoofs the DNS records and redirects  you  to
212              another  server.   However,  it's no worse than a denial of ser‐
213              vice, because that fake KDC will be unable  to  decode  anything
214              you  send  it  (besides the initial ticket request, which has no
215              encrypted data), and anything the fake KDC  sends  will  not  be
216              trusted  without  verification  using  some secret that it won't
217              know.
218
219       dns_uri_lookup
220              Indicate whether DNS URI records should be used  to  locate  the
221              KDCs  and  other  servers for a realm, if they are not listed in
222              the krb5.conf information for the realm.  SRV records  are  used
223              as  a  fallback if no URI records were found.  The default value
224              is true.  New in release 1.15.
225
226       enforce_ok_as_delegate
227              If this flag to true, GSSAPI credential delegation will be  dis‐
228              abled  when  the  ok-as-delegate  flag is not set in the service
229              ticket.  If this flag is false, the ok-as-delegate  ticket  flag
230              is  only  enforced when an application specifically requests en‐
231              forcement.  The default value is false.
232
233       err_fmt
234              This relation allows for custom error message formatting.  If  a
235              value is set, error messages will be formatted by substituting a
236              normal error message for %M and an error  code  for  %C  in  the
237              value.
238
239       extra_addresses
240              This allows a computer to use multiple local addresses, in order
241              to allow Kerberos to work in a  network  that  uses  NATs  while
242              still using address-restricted tickets.  The addresses should be
243              in a comma-separated list.  This option has no effect  if  noad‐
244              dresses is true.
245
246       forwardable
247              If this flag is true, initial tickets will be forwardable by de‐
248              fault, if allowed by the KDC.  The default value is false.
249
250       ignore_acceptor_hostname
251              When accepting GSSAPI or krb5 security contexts  for  host-based
252              service  principals,  ignore  any hostname passed by the calling
253              application, and allow clients to authenticate  to  any  service
254              principal in the keytab matching the service name and realm name
255              (if given).  This option can improve the  administrative  flexi‐
256              bility  of  server  applications  on multihomed hosts, but could
257              compromise the security of virtual  hosting  environments.   The
258              default value is false.  New in release 1.10.
259
260       k5login_authoritative
261              If  this  flag  is  true,  principals  must be listed in a local
262              user's k5login file to be granted login access,  if  a  .k5login
263              file  exists.   If  this flag is false, a principal may still be
264              granted login access through other mechanisms even if a  k5login
265              file  exists but does not list the principal.  The default value
266              is true.
267
268       k5login_directory
269              If set, the library will look for a local  user's  k5login  file
270              within the named directory, with a filename corresponding to the
271              local username.  If not set, the library will look  for  k5login
272              files  in the user's home directory, with the filename .k5login.
273              For security reasons, .k5login files must be owned by the  local
274              user or by root.
275
276       kcm_mach_service
277              On macOS only, determines the name of the bootstrap service used
278              to contact the KCM daemon for the KCM credential cache type.  If
279              the  value  is  -,  Mach RPC will not be used to contact the KCM
280              daemon.  The default value is org.h5l.kcm.
281
282       kcm_socket
283              Determines the path to the Unix domain socket used to access the
284              KCM  daemon  for the KCM credential cache type.  If the value is
285              -, Unix domain sockets will not be used to contact the KCM  dae‐
286              mon.  The default value is /var/run/.heim_org.h5l.kcm-socket.
287
288       kdc_default_options
289              Default  KDC options (Xored for multiple values) when requesting
290              initial  tickets.   By  default  it   is   set   to   0x00000010
291              (KDC_OPT_RENEWABLE_OK).
292
293       kdc_timesync
294              Accepted values for this relation are 1 or 0.  If it is nonzero,
295              client machines will compute the difference between  their  time
296              and  the time returned by the KDC in the timestamps in the tick‐
297              ets and use this value to correct for an inaccurate system clock
298              when  requesting  service tickets or authenticating to services.
299              This corrective factor is only used by the Kerberos library;  it
300              is not used to change the system clock.  The default value is 1.
301
302       noaddresses
303              If  this  flag is true, requests for initial tickets will not be
304              made with address restrictions set, allowing the tickets  to  be
305              used across NATs.  The default value is true.
306
307       permitted_enctypes
308              Identifies  the  encryption  types  that servers will permit for
309              session keys and for ticket and  authenticator  encryption,  or‐
310              dered by preference from highest to lowest.  Starting in release
311              1.18,  this  tag  also  acts  as  the  default  value  for   de‐
312              fault_tgs_enctypes  and default_tkt_enctypes.  The default value
313              for this tag is aes256-cts-hmac-sha1-96  aes128-cts-hmac-sha1-96
314              aes256-cts-hmac-sha384-192    aes128-cts-hmac-sha256-128    arc‐
315              four-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac.
316
317       plugin_base_dir
318              If set, determines the base directory where krb5 plugins are lo‐
319              cated.   The  default  value is the krb5/plugins subdirectory of
320              the krb5 library directory.  This relation is subject to parame‐
321              ter expansion (see below) in release 1.17 and later.
322
323       preferred_preauth_types
324              This  allows  you  to  set the preferred preauthentication types
325              which the client will attempt before others which may be  adver‐
326              tised  by a KDC.  The default value for this setting is "17, 16,
327              15, 14", which forces libkrb5 to attempt to use PKINIT if it  is
328              supported.
329
330       proxiable
331              If  this  flag is true, initial tickets will be proxiable by de‐
332              fault, if allowed by the KDC.  The default value is false.
333
334       qualify_shortname
335              If this string is set, it determines the domain suffix for  sin‐
336              gle-component  hostnames  when  DNS canonicalization is not used
337              (either because dns_canonicalize_hostname is  false  or  because
338              forward  canonicalization  failed).   The  default  value is the
339              first search domain of the system's DNS configuration.  To  dis‐
340              able qualification of shortnames, set this relation to the empty
341              string with qualify_shortname = "".  (New in release 1.18.)
342
343       radius_md5_fips_override
344              Downstream-only option to enable use of MD5 in RADIUS communica‐
345              tion  (libkrad).   This  allows  for local (or protected tunnel)
346              communication with a RADIUS server that doesn't use krad  (e.g.,
347              freeradius) while in FIPS mode.
348
349       rdns   If  this flag is true, reverse name lookup will be used in addi‐
350              tion to forward name lookup to canonicalizing hostnames for  use
351              in service principal names.  If dns_canonicalize_hostname is set
352              to false, this flag has no effect.  The default value is true.
353
354       realm_try_domains
355              Indicate whether a host's domain components should  be  used  to
356              determine  the  Kerberos  realm  of the host.  The value of this
357              variable is an integer: -1 means not to search, 0 means  to  try
358              the host's domain itself, 1 means to also try the domain's imme‐
359              diate parent, and so forth.  The library's usual  mechanism  for
360              locating  Kerberos  realms is used to determine whether a domain
361              is  a  valid  realm,  which  may  involve  consulting   DNS   if
362              dns_lookup_kdc is set.  The default is not to search domain com‐
363              ponents.
364
365       renew_lifetime
366              (Time duration string.)  Sets the default renewable lifetime for
367              initial ticket requests.  The default value is 0.
368
369       spake_preauth_groups
370              A  whitespace  or  comma-separated list of words which specifies
371              the groups allowed for SPAKE  preauthentication.   The  possible
372              values are:
373
374                        ┌─────────────┬────────────────────────────┐
375                        │edwards25519 │ Edwards25519   curve  (RFC
376                        │             │ 7748)                      │
377                        ├─────────────┼────────────────────────────┤
378                        │P-256        │ NIST  P-256   curve   (RFC
379                        │             │ 5480)                      │
380                        ├─────────────┼────────────────────────────┤
381                        │P-384        │ NIST   P-384   curve  (RFC
382                        │             │ 5480)                      │
383                        ├─────────────┼────────────────────────────┤
384                        │P-521        │ NIST  P-521   curve   (RFC
385                        │             │ 5480)                      │
386                        └─────────────┴────────────────────────────┘
387
388              The  default  value for the client is edwards25519.  The default
389              value for the KDC is empty.  New in release 1.17.
390
391       ticket_lifetime
392              (Time duration string.)  Sets the default lifetime  for  initial
393              ticket requests.  The default value is 1 day.
394
395       udp_preference_limit
396              When  sending  a  message to the KDC, the library will try using
397              TCP before UDP if the size of the message is  above  udp_prefer‐
398              ence_limit.    If   the  message  is  smaller  than  udp_prefer‐
399              ence_limit, then UDP will be tried before  TCP.   Regardless  of
400              the  size,  both  protocols  will  be tried if the first attempt
401              fails.
402
403       verify_ap_req_nofail
404              If this flag is true, then an attempt to verify initial  creden‐
405              tials  will  fail  if the client machine does not have a keytab.
406              The default value is false.
407
408       client_aware_channel_bindings
409              If this flag is true, then all application protocol  authentica‐
410              tion  requests  will be flagged to indicate that the application
411              supports channel bindings when operating over a secure  channel.
412              The default value is false.
413
414   [realms]
415       Each  tag in the [realms] section of the file is the name of a Kerberos
416       realm.  The value of the tag is a subsection with relations that define
417       the properties of that particular realm.  For each realm, the following
418       tags may be specified in the realm's subsection:
419
420       admin_server
421              Identifies the host where the administration server is  running.
422              Typically,  this  is the primary Kerberos server.  This tag must
423              be given a value in order to communicate with the kadmind server
424              for the realm.
425
426       auth_to_local
427              This  tag allows you to set a general rule for mapping principal
428              names to local user names.  It will be used if there is  not  an
429              explicit  mapping  for  the  principal name that is being trans‐
430              lated. The possible values are:
431
432              RULE:exp
433                     The local name will be formulated from exp.
434
435                     The format  for  exp  is  [n:string](regexp)s/pattern/re‐
436                     placement/g.  The integer n indicates how many components
437                     the target principal should have.  If this matches,  then
438                     a  string  will  be  formed from string, substituting the
439                     realm of the principal for $0 and the n'th  component  of
440                     the  principal  for  $n (e.g., if the principal was john‐
441                     doe/admin then [2:$2$1foo] would result in the string ad‐
442                     minjohndoefoo).   If this string matches regexp, then the
443                     s//[g] substitution command will be run over the  string.
444                     The  optional  g will cause the substitution to be global
445                     over the string, instead  of  replacing  only  the  first
446                     match in the string.
447
448              DEFAULT
449                     The  principal  name will be used as the local user name.
450                     If the principal has more than one component or is not in
451                     the  default  realm,  this rule is not applicable and the
452                     conversion will fail.
453
454              For example:
455
456                 [realms]
457                     ATHENA.MIT.EDU = {
458                         auth_to_local = RULE:[2:$1](johndoe)s/^.*$/guest/
459                         auth_to_local = RULE:[2:$1;$2](^.*;admin$)s/;admin$//
460                         auth_to_local = RULE:[2:$2](^.*;root)s/^.*$/root/
461                         auth_to_local = DEFAULT
462                     }
463
464              would result in any principal without root or admin as the  sec‐
465              ond component to be translated with the default rule.  A princi‐
466              pal with a second component of admin will become its first  com‐
467              ponent.   root  will be used as the local name for any principal
468              with a second component of root.  The  exception  to  these  two
469              rules  are  any  principals johndoe/*, which will always get the
470              local name guest.
471
472       auth_to_local_names
473              This subsection allows you to set explicit mappings from princi‐
474              pal names to local user names.  The tag is the mapping name, and
475              the value is the corresponding local user name.
476
477       default_domain
478              This tag specifies the domain  used  to  expand  hostnames  when
479              translating  Kerberos 4 service principals to Kerberos 5 princi‐
480              pals (for example, when converting rcmd.hostname  to  host/host‐
481              name.domain).
482
483       disable_encrypted_timestamp
484              If  this  flag  is  true,  the client will not perform encrypted
485              timestamp preauthentication if requested by  the  KDC.   Setting
486              this  flag  can help to prevent dictionary attacks by active at‐
487              tackers, if the realm's KDCs support SPAKE preauthentication  or
488              if  initial  authentication always uses another mechanism or al‐
489              ways uses FAST.  This flag persists across client referrals dur‐
490              ing  initial authentication.  This flag does not prevent the KDC
491              from offering encrypted timestamp.  New in release 1.17.
492
493       http_anchors
494              When KDCs and kpasswd servers are accessed through  HTTPS  prox‐
495              ies, this tag can be used to specify the location of the CA cer‐
496              tificate which should be trusted to issue the certificate for  a
497              proxy  server.  If left unspecified, the system-wide default set
498              of CA certificates is used.
499
500              The syntax for values is similar  to  that  of  values  for  the
501              pkinit_anchors tag:
502
503              FILE: filename
504
505              filename is assumed to be the name of an OpenSSL-style ca-bundle
506              file.
507
508              DIR: dirname
509
510              dirname is assumed to be an directory which contains CA certifi‐
511              cates.   All  files  in  the directory will be examined; if they
512              contain certificates (in PEM format), they will be used.
513
514              ENV: envvar
515
516              envvar specifies the name of an environment variable  which  has
517              been  set  to  a value conforming to one of the previous values.
518              For  example,  ENV:X509_PROXY_CA,  where  environment   variable
519              X509_PROXY_CA has been set to FILE:/tmp/my_proxy.pem.
520
521       kdc    The  name or address of a host running a KDC for that realm.  An
522              optional port number, separated from the hostname  by  a  colon,
523              may  be  included.   If the name or address contains colons (for
524              example, if it is an IPv6 address), enclose it in square  brack‐
525              ets  to  distinguish  the colon from a port separator.  For your
526              computer to be able to communicate with the KDC for each  realm,
527              this  tag  must be given a value in each realm subsection in the
528              configuration file, or there must be DNS SRV records  specifying
529              the KDCs.
530
531       kpasswd_server
532              Points  to  the  server  where all the password changes are per‐
533              formed.  If there is no such entry, DNS will be queried  (unless
534              forbidden  by  dns_lookup_kdc).   Finally,  port  464 on the ad‐
535              min_server host will be tried.
536
537       master_kdc
538              The name for primary_kdc prior to release 1.19.   Its  value  is
539              used as a fallback if primary_kdc is not specified.
540
541       primary_kdc
542              Identifies  the  primary KDC(s).  Currently, this tag is used in
543              only one case: If an attempt to get credentials fails because of
544              an invalid password, the client software will attempt to contact
545              the primary KDC, in case  the  user's  password  has  just  been
546              changed, and the updated database has not been propagated to the
547              replica servers yet.  New in release 1.19.
548
549       v4_instance_convert
550              This subsection allows the administrator to configure exceptions
551              to  the  default_domain  mapping rule.  It contains V4 instances
552              (the tag name) which should be translated to some specific host‐
553              name  (the  tag  value) as the second component in a Kerberos V5
554              principal name.
555
556       v4_realm
557              This relation is used by the krb524 library routines  when  con‐
558              verting  a V5 principal name to a V4 principal name.  It is used
559              when the V4 realm name and the V5 realm name are not  the  same,
560              but  still share the same principal names and passwords. The tag
561              value is the Kerberos V4 realm name.
562
563   [domain_realm]
564       The [domain_realm] section provides a translation from a domain name or
565       hostname  to a Kerberos realm name.  The tag name can be a host name or
566       domain name, where domain names are indicated by a prefix of  a  period
567       (.).   The  value  of  the relation is the Kerberos realm name for that
568       particular host or domain.  A host name  relation  implicitly  provides
569       the  corresponding domain name relation, unless an explicit domain name
570       relation is provided.  The Kerberos realm may be identified  either  in
571       the  realms  section  or  using DNS SRV records.  Host names and domain
572       names should be in lower case.  For example:
573
574          [domain_realm]
575              crash.mit.edu = TEST.ATHENA.MIT.EDU
576              .dev.mit.edu = TEST.ATHENA.MIT.EDU
577              mit.edu = ATHENA.MIT.EDU
578
579       maps the host with the name crash.mit.edu into the  TEST.ATHENA.MIT.EDU
580       realm.   The  second  entry maps all hosts under the domain dev.mit.edu
581       into the TEST.ATHENA.MIT.EDU realm, but not  the  host  with  the  name
582       dev.mit.edu.   That  host is matched by the third entry, which maps the
583       host mit.edu and all hosts under the domain mit.edu that do not match a
584       preceding rule into the realm ATHENA.MIT.EDU.
585
586       If  no translation entry applies to a hostname used for a service prin‐
587       cipal for a service ticket request, the library will try to get  a  re‐
588       ferral  to  the appropriate realm from the client realm's KDC.  If that
589       does not succeed, the host's realm is considered to be  the  hostname's
590       domain  portion  converted  to  uppercase, unless the realm_try_domains
591       setting in [libdefaults] causes a different parent domain to be used.
592
593   [capaths]
594       In order to perform direct (non-hierarchical)  cross-realm  authentica‐
595       tion, configuration is needed to determine the authentication paths be‐
596       tween realms.
597
598       A client will use this section to find the authentication path  between
599       its  realm  and the realm of the server.  The server will use this sec‐
600       tion to verify the authentication path used by the client, by  checking
601       the transited field of the received ticket.
602
603       There  is  a  tag for each participating client realm, and each tag has
604       subtags for each of the server realms.  The value of the subtags is  an
605       intermediate realm which may participate in the cross-realm authentica‐
606       tion.  The subtags may be repeated if there is more then one intermedi‐
607       ate  realm.   A  value  of "." means that the two realms share keys di‐
608       rectly, and no intermediate realms should be allowed to participate.
609
610       Only those entries which will be needed on the  client  or  the  server
611       need to be present.  A client needs a tag for its local realm with sub‐
612       tags for all the realms of servers it will need to authenticate to.   A
613       server  needs a tag for each realm of the clients it will serve, with a
614       subtag of the server realm.
615
616       For example, ANL.GOV, PNL.GOV, and NERSC.GOV all wish to use the ES.NET
617       realm  as  an  intermediate realm.  ANL has a sub realm of TEST.ANL.GOV
618       which will authenticate with NERSC.GOV but not PNL.GOV.  The  [capaths]
619       section for ANL.GOV systems would look like this:
620
621          [capaths]
622              ANL.GOV = {
623                  TEST.ANL.GOV = .
624                  PNL.GOV = ES.NET
625                  NERSC.GOV = ES.NET
626                  ES.NET = .
627              }
628              TEST.ANL.GOV = {
629                  ANL.GOV = .
630              }
631              PNL.GOV = {
632                  ANL.GOV = ES.NET
633              }
634              NERSC.GOV = {
635                  ANL.GOV = ES.NET
636              }
637              ES.NET = {
638                  ANL.GOV = .
639              }
640
641       The  [capaths] section of the configuration file used on NERSC.GOV sys‐
642       tems would look like this:
643
644          [capaths]
645              NERSC.GOV = {
646                  ANL.GOV = ES.NET
647                  TEST.ANL.GOV = ES.NET
648                  TEST.ANL.GOV = ANL.GOV
649                  PNL.GOV = ES.NET
650                  ES.NET = .
651              }
652              ANL.GOV = {
653                  NERSC.GOV = ES.NET
654              }
655              PNL.GOV = {
656                  NERSC.GOV = ES.NET
657              }
658              ES.NET = {
659                  NERSC.GOV = .
660              }
661              TEST.ANL.GOV = {
662                  NERSC.GOV = ANL.GOV
663                  NERSC.GOV = ES.NET
664              }
665
666       When a subtag is used more than once within a tag, clients will use the
667       order  of values to determine the path.  The order of values is not im‐
668       portant to servers.
669
670   [appdefaults]
671       Each tag in the [appdefaults] section names a Kerberos  V5  application
672       or  an  option  that  is  used by some Kerberos V5 application[s].  The
673       value of the tag defines the default behaviors for that application.
674
675       For example:
676
677          [appdefaults]
678              telnet = {
679                  ATHENA.MIT.EDU = {
680                      option1 = false
681                  }
682              }
683              telnet = {
684                  option1 = true
685                  option2 = true
686              }
687              ATHENA.MIT.EDU = {
688                  option2 = false
689              }
690              option2 = true
691
692       The above four ways of specifying the value of an option are  shown  in
693       order  of  decreasing precedence. In this example, if telnet is running
694       in the realm EXAMPLE.COM, it should, by default, have option1  and  op‐
695       tion2   set   to   true.   However,  a  telnet  program  in  the  realm
696       ATHENA.MIT.EDU should have option1 set to  false  and  option2  set  to
697       true.   Any other programs in ATHENA.MIT.EDU should have option2 set to
698       false by default.  Any programs running in other realms should have op‐
699       tion2 set to true.
700
701       The  list  of  specifiable options for each application may be found in
702       that application's man pages.  The application defaults specified  here
703       are overridden by those specified in the realms section.
704
705   [plugins]
706pwqual interface
707
708kadm5_hook interface
709
710clpreauth and kdcpreauth interfaces
711
712       Tags  in  the  [plugins] section can be used to register dynamic plugin
713       modules and to turn modules on and off.  Not every krb5  pluggable  in‐
714       terface  uses  the  [plugins]  section; the ones that do are documented
715       here.
716
717       New in release 1.9.
718
719       Each pluggable interface corresponds to a subsection of [plugins].  All
720       subsections support the same tags:
721
722       disable
723              This  tag may have multiple values. If there are values for this
724              tag, then the named modules will be disabled for  the  pluggable
725              interface.
726
727       enable_only
728              This  tag may have multiple values. If there are values for this
729              tag, then only the named modules will be enabled for  the  plug‐
730              gable interface.
731
732       module This  tag  may  have multiple values.  Each value is a string of
733              the form modulename:pathname, which causes the shared object lo‐
734              cated  at  pathname  to  be registered as a dynamic module named
735              modulename for the pluggable interface.  If pathname is  not  an
736              absolute   path,   it   will  be  treated  as  relative  to  the
737              plugin_base_dir value from [libdefaults].
738
739       For pluggable interfaces where module order matters, modules registered
740       with  a  module  tag  normally come first, in the order they are regis‐
741       tered, followed by built-in modules in the order  they  are  documented
742       below.   If  enable_only  tags  are  used, then the order of those tags
743       overrides the normal module order.
744
745       The following subsections are currently supported within the  [plugins]
746       section:
747
748   ccselect interface
749       The ccselect subsection controls modules for credential cache selection
750       within a cache collection.  In addition to any registered dynamic  mod‐
751       ules,  the  following  built-in modules exist (and may be disabled with
752       the disable tag):
753
754       k5identity
755              Uses a .k5identity file in the user's home directory to select a
756              client principal
757
758       realm  Uses  the  service  realm to guess an appropriate cache from the
759              collection
760
761       hostname
762              If the service principal is host-based, uses the  service  host‐
763              name to guess an appropriate cache from the collection
764
765   pwqual interface
766       The  pwqual subsection controls modules for the password quality inter‐
767       face, which is  used  to  reject  weak  passwords  when  passwords  are
768       changed.  The following built-in modules exist for this interface:
769
770       dict   Checks against the realm dictionary file
771
772       empty  Rejects empty passwords
773
774       hesiod Checks  against  user information stored in Hesiod (only if Ker‐
775              beros was built with Hesiod support)
776
777       princ  Checks against components of the principal name
778
779   kadm5_hook interface
780       The kadm5_hook interface provides plugins with information on principal
781       creation,  modification, password changes and deletion.  This interface
782       can be used to write a plugin to synchronize MIT Kerberos with  another
783       database  such  as  Active Directory.  No plugins are built in for this
784       interface.
785
786   kadm5_auth interface
787       The kadm5_auth section (introduced in release  1.16)  controls  modules
788       for  the  kadmin  authorization  interface,  which determines whether a
789       client principal is allowed to perform a kadmin operation.  The follow‐
790       ing built-in modules exist for this interface:
791
792       acl    This  module reads the kadm5.acl file, and authorizes operations
793              which are allowed according to the rules in the file.
794
795       self   This module authorizes self-service operations  including  pass‐
796              word changes, creation of new random keys, fetching the client's
797              principal record or string attributes, and fetching  the  policy
798              record associated with the client principal.
799
800   clpreauth and kdcpreauth interfaces
801       The clpreauth and kdcpreauth interfaces allow plugin modules to provide
802       client and KDC preauthentication mechanisms.   The  following  built-in
803       modules exist for these interfaces:
804
805       pkinit This module implements the PKINIT preauthentication mechanism.
806
807       encrypted_challenge
808              This module implements the encrypted challenge FAST factor.
809
810       encrypted_timestamp
811              This module implements the encrypted timestamp mechanism.
812
813   hostrealm interface
814       The hostrealm section (introduced in release 1.12) controls modules for
815       the host-to-realm interface, which affects the local mapping  of  host‐
816       names  to  realm  names and the choice of default realm.  The following
817       built-in modules exist for this interface:
818
819       profile
820              This module consults the [domain_realm] section of  the  profile
821              for  authoritative host-to-realm mappings, and the default_realm
822              variable for the default realm.
823
824       dns    This module looks for DNS  records  for  fallback  host-to-realm
825              mappings  and  the  default  realm.   It  only  operates  if the
826              dns_lookup_realm variable is set to true.
827
828       domain This module applies heuristics for fallback  host-to-realm  map‐
829              pings.   It  implements the realm_try_domains variable, and uses
830              the uppercased parent domain of the hostname if  that  does  not
831              produce a result.
832
833   localauth interface
834       The localauth section (introduced in release 1.12) controls modules for
835       the local authorization interface, which affects the  relationship  be‐
836       tween  Kerberos  principals  and  local system accounts.  The following
837       built-in modules exist for this interface:
838
839       default
840              This module implements the DEFAULT type for  auth_to_local  val‐
841              ues.
842
843       rule   This module implements the RULE type for auth_to_local values.
844
845       names  This  module  looks  for  an auth_to_local_names mapping for the
846              principal name.
847
848       auth_to_local
849              This  module  processes  auth_to_local  values  in  the  default
850              realm's   section,   and   applies  the  default  method  if  no
851              auth_to_local values exist.
852
853       k5login
854              This module authorizes a principal to a local account  according
855              to the account's .k5login file.
856
857       an2ln  This  module  authorizes  a  principal to a local account if the
858              principal name maps to the local account name.
859
860   certauth interface
861       The certauth section (introduced in release 1.16) controls modules  for
862       the  certificate  authorization  interface,  which determines whether a
863       certificate is allowed to preauthenticate a user via PKINIT.  The  fol‐
864       lowing built-in modules exist for this interface:
865
866       pkinit_san
867              This  module  authorizes the certificate if it contains a PKINIT
868              Subject Alternative Name for the requested client principal,  or
869              a  Microsoft  UPN SAN matching the principal if pkinit_allow_upn
870              is set to true for the realm.
871
872       pkinit_eku
873              This module rejects the certificate if it does  not  contain  an
874              Extended    Key    Usage    attribute    consistent   with   the
875              pkinit_eku_checking value for the realm.
876
877       dbmatch
878              This module authorizes or rejects the certificate  according  to
879              whether it matches the pkinit_cert_match string attribute on the
880              client principal, if that attribute is present.
881

PKINIT OPTIONS

883       NOTE:
884          The following are PKINIT-specific  options.   These  values  may  be
885          specified   in   [libdefaults]  as  global  defaults,  or  within  a
886          realm-specific subsection of [libdefaults], or may be  specified  as
887          realm-specific  values  in  the  [realms] section.  A realm-specific
888          value overrides, not adds to, a generic [libdefaults] specification.
889          The search order is:
890
891       1. realm-specific subsection of [libdefaults]:
892
893             [libdefaults]
894                 EXAMPLE.COM = {
895                     pkinit_anchors = FILE:/usr/local/example.com.crt
896                 }
897
898       2. realm-specific value in the [realms] section:
899
900             [realms]
901                 OTHERREALM.ORG = {
902                     pkinit_anchors = FILE:/usr/local/otherrealm.org.crt
903                 }
904
905       3. generic value in the [libdefaults] section:
906
907             [libdefaults]
908                 pkinit_anchors = DIR:/usr/local/generic_trusted_cas/
909
910   Specifying PKINIT identity information
911       The  syntax  for  specifying Public Key identity, trust, and revocation
912       information for PKINIT is as follows:
913
914       FILE:filename[,keyfilename]
915              This option has context-specific behavior.
916
917              In pkinit_identity or pkinit_identities, filename specifies  the
918              name of a PEM-format file containing the user's certificate.  If
919              keyfilename is not specified, the user's private key is expected
920              to  be  in filename as well.  Otherwise, keyfilename is the name
921              of the file containing the private key.
922
923              In pkinit_anchors or pkinit_pool, filename is assumed to be  the
924              name of an OpenSSL-style ca-bundle file.
925
926       DIR:dirname
927              This option has context-specific behavior.
928
929              In pkinit_identity or pkinit_identities, dirname specifies a di‐
930              rectory with files named *.crt and *.key where the first part of
931              the  file name is the same for matching pairs of certificate and
932              private key files.  When a file with a name ending with .crt  is
933              found,  a  matching  file ending with .key is assumed to contain
934              the private key.  If no such file is found, then the certificate
935              in the .crt is not used.
936
937              In  pkinit_anchors  or  pkinit_pool, dirname is assumed to be an
938              OpenSSL-style hashed CA directory where each CA cert  is  stored
939              in  a  file named hash-of-ca-cert.#.  This infrastructure is en‐
940              couraged, but all files in the directory will be examined and if
941              they contain certificates (in PEM format), they will be used.
942
943              In  pkinit_revoke,  dirname  is  assumed  to be an OpenSSL-style
944              hashed CA directory where each revocation list is  stored  in  a
945              file  named  hash-of-ca-cert.r#.  This infrastructure is encour‐
946              aged, but all files in the directory will  be  examined  and  if
947              they  contain  a  revocation  list (in PEM format), they will be
948              used.
949
950       PKCS12:filename
951              filename is the name of a PKCS #12 format file,  containing  the
952              user's certificate and private key.
953
954       PKCS11:[module_name=]modname[:slotid=slot-id][:token=token-label][:cer‐
955       tid=cert-id][:certlabel=cert-label]
956              All keyword/values are optional.  modname specifies the location
957              of  a  library implementing PKCS #11.  If a value is encountered
958              with no keyword, it is assumed to be the modname.   If  no  mod‐
959              ule-name is specified, the default is p11-kit-proxy.so.  slotid=
960              and/or token= may be specified to force the use of a  particular
961              smard  card reader or token if there is more than one available.
962              certid= and/or certlabel= may be specified to force  the  selec‐
963              tion  of  a  particular  certificate  on  the  device.   See the
964              pkinit_cert_match configuration option for more ways to select a
965              particular certificate to use for PKINIT.
966
967       ENV:envvar
968              envvar  specifies  the name of an environment variable which has
969              been set to a value conforming to one of  the  previous  values.
970              For   example,   ENV:X509_PROXY,   where   environment  variable
971              X509_PROXY has been set to FILE:/tmp/my_proxy.pem.
972
973   PKINIT krb5.conf options
974       pkinit_anchors
975              Specifies the location of  trusted  anchor  (root)  certificates
976              which  the  client trusts to sign KDC certificates.  This option
977              may be specified multiple times.  These values from  the  config
978              file are not used if the user specifies X509_anchors on the com‐
979              mand line.
980
981       pkinit_cert_match
982              Specifies matching rules that the client certificate must  match
983              before  it  is used to attempt PKINIT authentication.  If a user
984              has multiple certificates available (on a  smart  card,  or  via
985              other  media),  there must be exactly one certificate chosen be‐
986              fore attempting PKINIT authentication.  This option may be spec‐
987              ified  multiple  times.   All  the  available  certificates  are
988              checked against each rule in order until there is a match of ex‐
989              actly one certificate.
990
991              The  Subject  and  Issuer  comparison  strings  are the RFC 2253
992              string representations from the certificate Subject DN  and  Is‐
993              suer DN values.
994
995              The syntax of the matching rules is:
996                 [relation-operator]component-rule ...
997
998              where:
999
1000              relation-operator
1001                     can be either &&, meaning all component rules must match,
1002                     or ||, meaning only one component rule must  match.   The
1003                     default is &&.
1004
1005              component-rule
1006                     can be one of the following.  Note that there is no punc‐
1007                     tuation or whitespace between component rules.
1008                        <SUBJECT>regular-expression
1009                        <ISSUER>regular-expression
1010                        <SAN>regular-expression
1011                        <EKU>extended-key-usage-list
1012                        <KU>key-usage-list
1013
1014
1015                     extended-key-usage-list is a comma-separated list of  re‐
1016                     quired Extended Key Usage values.  All values in the list
1017                     must be present in the certificate.  Extended  Key  Usage
1018                     values can be:
1019
1020                     • pkinit
1021
1022                     • msScLogin
1023
1024                     • clientAuth
1025
1026                     • emailProtection
1027
1028                     key-usage-list  is a comma-separated list of required Key
1029                     Usage values.  All values in the list must be present  in
1030                     the certificate.  Key Usage values can be:
1031
1032                     • digitalSignature
1033
1034                     • keyEncipherment
1035
1036              Examples:
1037
1038                 pkinit_cert_match = ||<SUBJECT>.*DoE.*<SAN>.*@EXAMPLE.COM
1039                 pkinit_cert_match = &&<EKU>msScLogin,clientAuth<ISSUER>.*DoE.*
1040                 pkinit_cert_match = <EKU>msScLogin,clientAuth<KU>digitalSignature
1041
1042       pkinit_eku_checking
1043              This option specifies what Extended Key Usage value the KDC cer‐
1044              tificate presented to the client must contain.   (Note  that  if
1045              the  KDC  certificate  has the pkinit SubjectAlternativeName en‐
1046              coded as the Kerberos TGS name, EKU checking  is  not  necessary
1047              since  the  issuing CA has certified this as a KDC certificate.)
1048              The values recognized in the krb5.conf file are:
1049
1050              kpKDC  This is the default value and specifies that the KDC must
1051                     have the id-pkinit-KPKdc EKU as defined in RFC 4556.
1052
1053              kpServerAuth
1054                     If  kpServerAuth is specified, a KDC certificate with the
1055                     id-kp-serverAuth EKU will be accepted.   This  key  usage
1056                     value is used in most commercially issued server certifi‐
1057                     cates.
1058
1059              none   If none is specified, then the KDC certificate  will  not
1060                     be  checked  to verify it has an acceptable EKU.  The use
1061                     of this option is not recommended.
1062
1063       pkinit_dh_min_bits
1064              Specifies the size of the Diffie-Hellman key the client will at‐
1065              tempt  to  use.  The acceptable values are 1024, 2048, and 4096.
1066              The default is 2048.
1067
1068       pkinit_identities
1069              Specifies the location(s) to be used to find  the  user's  X.509
1070              identity  information.   If  this  option  is specified multiple
1071              times, each value is attempted in order until  certificates  are
1072              found.   Note  that these values are not used if the user speci‐
1073              fies X509_user_identity on the command line.
1074
1075       pkinit_kdc_hostname
1076              The presence of this option indicates that the client is willing
1077              to accept a KDC certificate with a dNSName SAN (Subject Alterna‐
1078              tive Name) rather than requiring the id-pkinit-san as defined in
1079              RFC  4556.   This  option  may be specified multiple times.  Its
1080              value should contain the acceptable hostname  for  the  KDC  (as
1081              contained in its certificate).
1082
1083       pkinit_pool
1084              Specifies the location of intermediate certificates which may be
1085              used by the client to complete the trust  chain  between  a  KDC
1086              certificate  and a trusted anchor.  This option may be specified
1087              multiple times.
1088
1089       pkinit_require_crl_checking
1090              The default certificate verification process will  always  check
1091              the available revocation information to see if a certificate has
1092              been revoked.  If a match is found for the certificate in a CRL,
1093              verification  fails.   If  the certificate being verified is not
1094              listed in a CRL, or there is no CRL present for its issuing  CA,
1095              and pkinit_require_crl_checking is false, then verification suc‐
1096              ceeds.
1097
1098              However, if pkinit_require_crl_checking is true and there is  no
1099              CRL  information available for the issuing CA, then verification
1100              fails.
1101
1102              pkinit_require_crl_checking should be set to true if the  policy
1103              is such that up-to-date CRLs must be present for every CA.
1104
1105       pkinit_revoke
1106              Specifies  the location of Certificate Revocation List (CRL) in‐
1107              formation to be used by the client when verifying  the  validity
1108              of  the KDC certificate presented.  This option may be specified
1109              multiple times.
1110

PARAMETER EXPANSION

1112       Starting  with  release  1.11,   several   variables,   such   as   de‐
1113       fault_keytab_name,  allow  parameters to be expanded.  Valid parameters
1114       are:
1115
1116                    ┌──────────────────┬────────────────────────────┐
1117                    │%{TEMP}           │ Temporary directory        │
1118                    ├──────────────────┼────────────────────────────┤
1119                    │%{uid}            │ Unix real UID  or  Windows │
1120                    │                  │ SID                        │
1121                    ├──────────────────┼────────────────────────────┤
1122                    │%{euid}           │ Unix  effective user ID or │
1123                    │                  │ Windows SID                │
1124                    ├──────────────────┼────────────────────────────┤
1125                    │%{USERID}         │ Same as %{uid}             │
1126                    ├──────────────────┼────────────────────────────┤
1127                    │%{null}           │ Empty string               │
1128                    ├──────────────────┼────────────────────────────┤
1129                    │%{LIBDIR}         │ Installation  library  di‐ │
1130                    │                  │ rectory                    │
1131                    ├──────────────────┼────────────────────────────┤
1132                    │%{BINDIR}         │ Installation binary direc‐ │
1133                    │                  │ tory                       │
1134                    ├──────────────────┼────────────────────────────┤
1135                    │%{SBINDIR}        │ Installation admin  binary │
1136                    │                  │ directory                  │
1137                    ├──────────────────┼────────────────────────────┤
1138                    │%{username}       │ (Unix)  Username of effec‐ │
1139                    │                  │ tive user ID               │
1140                    ├──────────────────┼────────────────────────────┤
1141                    │%{APPDATA}        │ (Windows) Roaming applica‐ │
1142                    │                  │ tion data for current user │
1143                    ├──────────────────┼────────────────────────────┤
1144                    │%{COMMON_APPDATA} │ (Windows) Application data │
1145                    │                  │ for all users              │
1146                    ├──────────────────┼────────────────────────────┤
1147                    │%{LOCAL_APPDATA}  │ (Windows)  Local  applica‐ │
1148                    │                  │ tion data for current user │
1149                    ├──────────────────┼────────────────────────────┤
1150                    │%{SYSTEM}         │ (Windows)  Windows  system │
1151                    │                  │ folder                     │
1152                    ├──────────────────┼────────────────────────────┤
1153                    │%{WINDOWS}        │ (Windows) Windows folder   │
1154                    ├──────────────────┼────────────────────────────┤
1155                    │%{USERCONFIG}     │ (Windows)   Per-user   MIT │
1156                    │                  │ krb5 config file directory │
1157                    ├──────────────────┼────────────────────────────┤
1158                    │%{COMMONCONFIG}   │ (Windows)  Common MIT krb5 │
1159                    │                  │ config file directory      │
1160                    └──────────────────┴────────────────────────────┘
1161

SAMPLE KRB5.CONF FILE

1163       Here is an example of a generic krb5.conf file:
1164
1165          [libdefaults]
1166              default_realm = ATHENA.MIT.EDU
1167              dns_lookup_kdc = true
1168              dns_lookup_realm = false
1169
1170          [realms]
1171              ATHENA.MIT.EDU = {
1172                  kdc = kerberos.mit.edu
1173                  kdc = kerberos-1.mit.edu
1174                  kdc = kerberos-2.mit.edu
1175                  admin_server = kerberos.mit.edu
1176                  primary_kdc = kerberos.mit.edu
1177              }
1178              EXAMPLE.COM = {
1179                  kdc = kerberos.example.com
1180                  kdc = kerberos-1.example.com
1181                  admin_server = kerberos.example.com
1182              }
1183
1184          [domain_realm]
1185              mit.edu = ATHENA.MIT.EDU
1186
1187          [capaths]
1188              ATHENA.MIT.EDU = {
1189                     EXAMPLE.COM = .
1190              }
1191              EXAMPLE.COM = {
1192                     ATHENA.MIT.EDU = .
1193              }
1194

FILES

1196       /etc/krb5.conf
1197

SEE ALSO

1199       syslog(3)
1200

AUTHOR

1202       MIT
1203
1205       1985-2022, MIT
1206
1207
1208
1209
12101.19.2                                                            KRB5.CONF(5)
Impressum