1KRB5.CONF(5) MIT Kerberos KRB5.CONF(5)
2
6 krb5.conf - Kerberos configuration file
7 The krb5.conf file contains Kerberos configuration information, includ‐
9 ing the locations of KDCs and admin servers for the Kerberos realms of
10 interest, defaults for the current realm and for Kerberos applications,
11 and mappings of hostnames onto Kerberos realms. Normally, you should
12 install your krb5.conf file in the directory /etc. You can override
13 the default location by setting the environment variable KRB5_CONFIG.
14 Multiple colon-separated filenames may be specified in KRB5_CONFIG; all
15 files which are present will be read. Starting in release 1.14, direc‐
16 tory names can also be specified in KRB5_CONFIG; all files within the
17 directory whose names consist solely of alphanumeric characters,
18 dashes, or underscores will be read.
19
21 The krb5.conf file is set up in the style of a Windows INI file. Lines
22 beginning with '#' or ';' (possibly after initial whitespace) are ig‐
23 nored as comments. Sections are headed by the section name, in square
24 brackets. Each section may contain zero or more relations, of the
25 form:
26 foo = bar
28 or:
30 fubar = {
32 foo = bar
33 baz = quux
34 }
35 Placing a '*' after the closing bracket of a section name indicates
37 that the section is final, meaning that if the same section appears
38 within a later file specified in KRB5_CONFIG, it will be ignored. A
39 subsection can be marked as final by placing a '*' after either the tag
40 name or the closing brace.
41 The krb5.conf file can include other files using either of the follow‐
43 ing directives at the beginning of a line:
44 include FILENAME
46 includedir DIRNAME
47 FILENAME or DIRNAME should be an absolute path. The named file or di‐
49 rectory must exist and be readable. Including a directory includes all
50 files within the directory whose names consist solely of alphanumeric
51 characters, dashes, or underscores. Starting in release 1.15, files
52 with names ending in ".conf" are also included, unless the name begins
53 with ".". Included profile files are syntactically independent of
54 their parents, so each included file must begin with a section header.
55 Starting in release 1.17, files are read in alphanumeric order; in pre‐
56 vious releases, they may be read in any order.
57 The krb5.conf file can specify that configuration should be obtained
59 from a loadable module, rather than the file itself, using the follow‐
60 ing directive at the beginning of a line before any section headers:
61 module MODULEPATH:RESIDUAL
63 MODULEPATH may be relative to the library path of the krb5 installa‐
65 tion, or it may be an absolute path. RESIDUAL is provided to the mod‐
66 ule at initialization time. If krb5.conf uses a module directive,
67 kdc.conf should also use one if it exists.
68
70 The krb5.conf file may contain the following sections:
71 ┌───────────────┬────────────────────────────┐
73 │[libdefaults] │ Settings used by the Ker‐ │
74 │ │ beros V5 library │
75 ├───────────────┼────────────────────────────┤
76 │[realms] │ Realm-specific contact in‐ │
77 │ │ formation and settings │
78 ├───────────────┼────────────────────────────┤
79 │[domain_realm] │ Maps server hostnames to │
80 │ │ Kerberos realms │
81 ├───────────────┼────────────────────────────┤
82 │[capaths] │ Authentication paths for │
83 │ │ non-hierarchical │
84 │ │ cross-realm │
85 ├───────────────┼────────────────────────────┤
86 │[appdefaults] │ Settings used by some Ker‐ │
87 │ │ beros V5 applications │
88 ├───────────────┼────────────────────────────┤
89 │[plugins] │ Controls plugin module │
90 │ │ registration │
91 └───────────────┴────────────────────────────┘
92 Additionally, krb5.conf may include any of the relations described in
94 kdc.conf, but it is not a recommended practice.
95 [libdefaults]
97 The libdefaults section may contain any of the following relations:
98 allow_weak_crypto
100 If this flag is set to false, then weak encryption types (as
101 noted in Encryption types in kdc.conf) will be filtered out of
102 the lists default_tgs_enctypes, default_tkt_enctypes, and per‐
103 mitted_enctypes. The default value for this tag is false.
104 canonicalize
106 If this flag is set to true, initial ticket requests to the KDC
107 will request canonicalization of the client principal name, and
108 answers with different client principals than the requested
109 principal will be accepted. The default value is false.
110 ccache_type
112 This parameter determines the format of credential cache types
113 created by kinit or other programs. The default value is 4,
114 which represents the most current format. Smaller values can be
115 used for compatibility with very old implementations of Kerberos
116 which interact with credential caches on the same host.
117 clockskew
119 Sets the maximum allowable amount of clockskew in seconds that
120 the library will tolerate before assuming that a Kerberos mes‐
121 sage is invalid. The default value is 300 seconds, or five min‐
122 utes.
123 The clockskew setting is also used when evaluating ticket start
125 and expiration times. For example, tickets that have reached
126 their expiration time can still be used (and renewed if they are
127 renewable tickets) if they have been expired for a shorter dura‐
128 tion than the clockskew setting.
129 default_ccache_name
131 This relation specifies the name of the default credential
132 cache. The default is FILE:/tmp/krb5cc_%{uid}. This relation
133 is subject to parameter expansion (see below). New in release
134 1.11.
135 default_client_keytab_name
137 This relation specifies the name of the default keytab for ob‐
138 taining client credentials. The default is FILE:/var/ker‐
139 beros/krb5/user/%{euid}/client.keytab. This relation is subject
140 to parameter expansion (see below). New in release 1.11.
141 default_keytab_name
143 This relation specifies the default keytab name to be used by
144 application servers such as sshd. The default is
145 FILE:/etc/krb5.keytab. This relation is subject to parameter
146 expansion (see below).
147 default_rcache_name
149 This relation specifies the name of the default replay cache.
150 The default is dfl:. This relation is subject to parameter ex‐
151 pansion (see below). New in release 1.18.
152 default_realm
154 Identifies the default Kerberos realm for the client. Set its
155 value to your Kerberos realm. If this value is not set, then a
156 realm must be specified with every Kerberos principal when in‐
157 voking programs such as kinit.
158 default_tgs_enctypes
160 Identifies the supported list of session key encryption types
161 that the client should request when making a TGS-REQ, in order
162 of preference from highest to lowest. The list may be delimited
163 with commas or whitespace. See Encryption types in kdc.conf for
164 a list of the accepted values for this tag. Starting in release
165 1.18, the default value is the value of permitted_enctypes. For
166 previous releases or if permitted_enctypes is not set, the de‐
167 fault value is aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
168 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 arc‐
169 four-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac.
170 Do not set this unless required for specific backward compati‐
172 bility purposes; stale values of this setting can prevent
173 clients from taking advantage of new stronger enctypes when the
174 libraries are upgraded.
175 default_tkt_enctypes
177 Identifies the supported list of session key encryption types
178 that the client should request when making an AS-REQ, in order
179 of preference from highest to lowest. The format is the same as
180 for default_tgs_enctypes. Starting in release 1.18, the default
181 value is the value of permitted_enctypes. For previous releases
182 or if permitted_enctypes is not set, the default value is
183 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
184 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 arc‐
185 four-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac.
186 Do not set this unless required for specific backward compati‐
188 bility purposes; stale values of this setting can prevent
189 clients from taking advantage of new stronger enctypes when the
190 libraries are upgraded.
191 dns_canonicalize_hostname
193 Indicate whether name lookups will be used to canonicalize host‐
194 names for use in service principal names. Setting this flag to
195 false can improve security by reducing reliance on DNS, but
196 means that short hostnames will not be canonicalized to
197 fully-qualified hostnames. If this option is set to fallback
198 (new in release 1.18), DNS canonicalization will only be per‐
199 formed the server hostname is not found with the original name
200 when requesting credentials. The default value is true.
201 dns_lookup_kdc
203 Indicate whether DNS SRV records should be used to locate the
204 KDCs and other servers for a realm, if they are not listed in
205 the krb5.conf information for the realm. (Note that the ad‐
206 min_server entry must be in the krb5.conf realm information in
207 order to contact kadmind, because the DNS implementation for
208 kadmin is incomplete.)
209 Enabling this option does open up a type of denial-of-service
211 attack, if someone spoofs the DNS records and redirects you to
212 another server. However, it's no worse than a denial of ser‐
213 vice, because that fake KDC will be unable to decode anything
214 you send it (besides the initial ticket request, which has no
215 encrypted data), and anything the fake KDC sends will not be
216 trusted without verification using some secret that it won't
217 know.
218 dns_uri_lookup
220 Indicate whether DNS URI records should be used to locate the
221 KDCs and other servers for a realm, if they are not listed in
222 the krb5.conf information for the realm. SRV records are used
223 as a fallback if no URI records were found. The default value
224 is true. New in release 1.15.
225 enforce_ok_as_delegate
227 If this flag to true, GSSAPI credential delegation will be dis‐
228 abled when the ok-as-delegate flag is not set in the service
229 ticket. If this flag is false, the ok-as-delegate ticket flag
230 is only enforced when an application specifically requests en‐
231 forcement. The default value is false.
232 err_fmt
234 This relation allows for custom error message formatting. If a
235 value is set, error messages will be formatted by substituting a
236 normal error message for %M and an error code for %C in the
237 value.
238 extra_addresses
240 This allows a computer to use multiple local addresses, in order
241 to allow Kerberos to work in a network that uses NATs while
242 still using address-restricted tickets. The addresses should be
243 in a comma-separated list. This option has no effect if noad‐
244 dresses is true.
245 forwardable
247 If this flag is true, initial tickets will be forwardable by de‐
248 fault, if allowed by the KDC. The default value is false.
249 ignore_acceptor_hostname
251 When accepting GSSAPI or krb5 security contexts for host-based
252 service principals, ignore any hostname passed by the calling
253 application, and allow clients to authenticate to any service
254 principal in the keytab matching the service name and realm name
255 (if given). This option can improve the administrative flexi‐
256 bility of server applications on multihomed hosts, but could
257 compromise the security of virtual hosting environments. The
258 default value is false. New in release 1.10.
259 k5login_authoritative
261 If this flag is true, principals must be listed in a local
262 user's k5login file to be granted login access, if a .k5login
263 file exists. If this flag is false, a principal may still be
264 granted login access through other mechanisms even if a k5login
265 file exists but does not list the principal. The default value
266 is true.
267 k5login_directory
269 If set, the library will look for a local user's k5login file
270 within the named directory, with a filename corresponding to the
271 local username. If not set, the library will look for k5login
272 files in the user's home directory, with the filename .k5login.
273 For security reasons, .k5login files must be owned by the local
274 user or by root.
275 kcm_mach_service
277 On macOS only, determines the name of the bootstrap service used
278 to contact the KCM daemon for the KCM credential cache type. If
279 the value is -, Mach RPC will not be used to contact the KCM
280 daemon. The default value is org.h5l.kcm.
281 kcm_socket
283 Determines the path to the Unix domain socket used to access the
284 KCM daemon for the KCM credential cache type. If the value is
285 -, Unix domain sockets will not be used to contact the KCM dae‐
286 mon. The default value is /var/run/.heim_org.h5l.kcm-socket.
287 kdc_default_options
289 Default KDC options (Xored for multiple values) when requesting
290 initial tickets. By default it is set to 0x00000010
291 (KDC_OPT_RENEWABLE_OK).
292 kdc_timesync
294 Accepted values for this relation are 1 or 0. If it is nonzero,
295 client machines will compute the difference between their time
296 and the time returned by the KDC in the timestamps in the tick‐
297 ets and use this value to correct for an inaccurate system clock
298 when requesting service tickets or authenticating to services.
299 This corrective factor is only used by the Kerberos library; it
300 is not used to change the system clock. The default value is 1.
301 noaddresses
303 If this flag is true, requests for initial tickets will not be
304 made with address restrictions set, allowing the tickets to be
305 used across NATs. The default value is true.
306 permitted_enctypes
308 Identifies the encryption types that servers will permit for
309 session keys and for ticket and authenticator encryption, or‐
310 dered by preference from highest to lowest. Starting in release
311 1.18, this tag also acts as the default value for de‐
312 fault_tgs_enctypes and default_tkt_enctypes. The default value
313 for this tag is aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
314 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 arc‐
315 four-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac.
316 plugin_base_dir
318 If set, determines the base directory where krb5 plugins are lo‐
319 cated. The default value is the krb5/plugins subdirectory of
320 the krb5 library directory. This relation is subject to parame‐
321 ter expansion (see below) in release 1.17 and later.
322 preferred_preauth_types
324 This allows you to set the preferred preauthentication types
325 which the client will attempt before others which may be adver‐
326 tised by a KDC. The default value for this setting is "17, 16,
327 15, 14", which forces libkrb5 to attempt to use PKINIT if it is
328 supported.
329 proxiable
331 If this flag is true, initial tickets will be proxiable by de‐
332 fault, if allowed by the KDC. The default value is false.
333 qualify_shortname
335 If this string is set, it determines the domain suffix for sin‐
336 gle-component hostnames when DNS canonicalization is not used
337 (either because dns_canonicalize_hostname is false or because
338 forward canonicalization failed). The default value is the
339 first search domain of the system's DNS configuration. To dis‐
340 able qualification of shortnames, set this relation to the empty
341 string with qualify_shortname = "". (New in release 1.18.)
342 radius_md5_fips_override
344 Downstream-only option to enable use of MD5 in RADIUS communica‐
345 tion (libkrad). This allows for local (or protected tunnel)
346 communication with a RADIUS server that doesn't use krad (e.g.,
347 freeradius) while in FIPS mode.
348 rdns If this flag is true, reverse name lookup will be used in addi‐
350 tion to forward name lookup to canonicalizing hostnames for use
351 in service principal names. If dns_canonicalize_hostname is set
352 to false, this flag has no effect. The default value is true.
353 realm_try_domains
355 Indicate whether a host's domain components should be used to
356 determine the Kerberos realm of the host. The value of this
357 variable is an integer: -1 means not to search, 0 means to try
358 the host's domain itself, 1 means to also try the domain's imme‐
359 diate parent, and so forth. The library's usual mechanism for
360 locating Kerberos realms is used to determine whether a domain
361 is a valid realm, which may involve consulting DNS if
362 dns_lookup_kdc is set. The default is not to search domain com‐
363 ponents.
364 renew_lifetime
366 (Time duration string.) Sets the default renewable lifetime for
367 initial ticket requests. The default value is 0.
368 spake_preauth_groups
370 A whitespace or comma-separated list of words which specifies
371 the groups allowed for SPAKE preauthentication. The possible
372 values are:
373 ┌─────────────┬────────────────────────────┐
375 │edwards25519 │ Edwards25519 curve (RFC │
376 │ │ 7748) │
377 ├─────────────┼────────────────────────────┤
378 │P-256 │ NIST P-256 curve (RFC │
379 │ │ 5480) │
380 ├─────────────┼────────────────────────────┤
381 │P-384 │ NIST P-384 curve (RFC │
382 │ │ 5480) │
383 ├─────────────┼────────────────────────────┤
384 │P-521 │ NIST P-521 curve (RFC │
385 │ │ 5480) │
386 └─────────────┴────────────────────────────┘
387 The default value for the client is edwards25519. The default
389 value for the KDC is empty. New in release 1.17.
390 ticket_lifetime
392 (Time duration string.) Sets the default lifetime for initial
393 ticket requests. The default value is 1 day.
394 udp_preference_limit
396 When sending a message to the KDC, the library will try using
397 TCP before UDP if the size of the message is above udp_prefer‐
398 ence_limit. If the message is smaller than udp_prefer‐
399 ence_limit, then UDP will be tried before TCP. Regardless of
400 the size, both protocols will be tried if the first attempt
401 fails.
402 verify_ap_req_nofail
404 If this flag is true, then an attempt to verify initial creden‐
405 tials will fail if the client machine does not have a keytab.
406 The default value is false.
407 client_aware_channel_bindings
409 If this flag is true, then all application protocol authentica‐
410 tion requests will be flagged to indicate that the application
411 supports channel bindings when operating over a secure channel.
412 The default value is false.
413 [realms]
415 Each tag in the [realms] section of the file is the name of a Kerberos
416 realm. The value of the tag is a subsection with relations that define
417 the properties of that particular realm. For each realm, the following
418 tags may be specified in the realm's subsection:
419 admin_server
421 Identifies the host where the administration server is running.
422 Typically, this is the primary Kerberos server. This tag must
423 be given a value in order to communicate with the kadmind server
424 for the realm.
425 auth_to_local
427 This tag allows you to set a general rule for mapping principal
428 names to local user names. It will be used if there is not an
429 explicit mapping for the principal name that is being trans‐
430 lated. The possible values are:
431 RULE:exp
433 The local name will be formulated from exp.
434 The format for exp is [n:string](regexp)s/pattern/re‐
436 placement/g. The integer n indicates how many components
437 the target principal should have. If this matches, then
438 a string will be formed from string, substituting the
439 realm of the principal for $0 and the n'th component of
440 the principal for $n (e.g., if the principal was john‐
441 doe/admin then [2:$2$1foo] would result in the string ad‐
442 minjohndoefoo). If this string matches regexp, then the
443 s//[g] substitution command will be run over the string.
444 The optional g will cause the substitution to be global
445 over the string, instead of replacing only the first
446 match in the string.
447 DEFAULT
449 The principal name will be used as the local user name.
450 If the principal has more than one component or is not in
451 the default realm, this rule is not applicable and the
452 conversion will fail.
453 For example:
455 [realms]
457 ATHENA.MIT.EDU = {
458 auth_to_local = RULE:[2:$1](johndoe)s/^.*$/guest/
459 auth_to_local = RULE:[2:$1;$2](^.*;admin$)s/;admin$//
460 auth_to_local = RULE:[2:$2](^.*;root)s/^.*$/root/
461 auth_to_local = DEFAULT
462 }
463 would result in any principal without root or admin as the sec‐
465 ond component to be translated with the default rule. A princi‐
466 pal with a second component of admin will become its first com‐
467 ponent. root will be used as the local name for any principal
468 with a second component of root. The exception to these two
469 rules are any principals johndoe/*, which will always get the
470 local name guest.
471 auth_to_local_names
473 This subsection allows you to set explicit mappings from princi‐
474 pal names to local user names. The tag is the mapping name, and
475 the value is the corresponding local user name.
476 default_domain
478 This tag specifies the domain used to expand hostnames when
479 translating Kerberos 4 service principals to Kerberos 5 princi‐
480 pals (for example, when converting rcmd.hostname to host/host‐
481 name.domain).
482 disable_encrypted_timestamp
484 If this flag is true, the client will not perform encrypted
485 timestamp preauthentication if requested by the KDC. Setting
486 this flag can help to prevent dictionary attacks by active at‐
487 tackers, if the realm's KDCs support SPAKE preauthentication or
488 if initial authentication always uses another mechanism or al‐
489 ways uses FAST. This flag persists across client referrals dur‐
490 ing initial authentication. This flag does not prevent the KDC
491 from offering encrypted timestamp. New in release 1.17.
492 http_anchors
494 When KDCs and kpasswd servers are accessed through HTTPS prox‐
495 ies, this tag can be used to specify the location of the CA cer‐
496 tificate which should be trusted to issue the certificate for a
497 proxy server. If left unspecified, the system-wide default set
498 of CA certificates is used.
499 The syntax for values is similar to that of values for the
501 pkinit_anchors tag:
502 FILE: filename
504 filename is assumed to be the name of an OpenSSL-style ca-bundle
506 file.
507 DIR: dirname
509 dirname is assumed to be an directory which contains CA certifi‐
511 cates. All files in the directory will be examined; if they
512 contain certificates (in PEM format), they will be used.
513 ENV: envvar
515 envvar specifies the name of an environment variable which has
517 been set to a value conforming to one of the previous values.
518 For example, ENV:X509_PROXY_CA, where environment variable
519 X509_PROXY_CA has been set to FILE:/tmp/my_proxy.pem.
520 kdc The name or address of a host running a KDC for that realm. An
522 optional port number, separated from the hostname by a colon,
523 may be included. If the name or address contains colons (for
524 example, if it is an IPv6 address), enclose it in square brack‐
525 ets to distinguish the colon from a port separator. For your
526 computer to be able to communicate with the KDC for each realm,
527 this tag must be given a value in each realm subsection in the
528 configuration file, or there must be DNS SRV records specifying
529 the KDCs.
530 kpasswd_server
532 Points to the server where all the password changes are per‐
533 formed. If there is no such entry, DNS will be queried (unless
534 forbidden by dns_lookup_kdc). Finally, port 464 on the ad‐
535 min_server host will be tried.
536 master_kdc
538 The name for primary_kdc prior to release 1.19. Its value is
539 used as a fallback if primary_kdc is not specified.
540 primary_kdc
542 Identifies the primary KDC(s). Currently, this tag is used in
543 only one case: If an attempt to get credentials fails because of
544 an invalid password, the client software will attempt to contact
545 the primary KDC, in case the user's password has just been
546 changed, and the updated database has not been propagated to the
547 replica servers yet. New in release 1.19.
548 v4_instance_convert
550 This subsection allows the administrator to configure exceptions
551 to the default_domain mapping rule. It contains V4 instances
552 (the tag name) which should be translated to some specific host‐
553 name (the tag value) as the second component in a Kerberos V5
554 principal name.
555 v4_realm
557 This relation is used by the krb524 library routines when con‐
558 verting a V5 principal name to a V4 principal name. It is used
559 when the V4 realm name and the V5 realm name are not the same,
560 but still share the same principal names and passwords. The tag
561 value is the Kerberos V4 realm name.
562 [domain_realm]
564 The [domain_realm] section provides a translation from a domain name or
565 hostname to a Kerberos realm name. The tag name can be a host name or
566 domain name, where domain names are indicated by a prefix of a period
567 (.). The value of the relation is the Kerberos realm name for that
568 particular host or domain. A host name relation implicitly provides
569 the corresponding domain name relation, unless an explicit domain name
570 relation is provided. The Kerberos realm may be identified either in
571 the realms section or using DNS SRV records. Host names and domain
572 names should be in lower case. For example:
573 [domain_realm]
575 crash.mit.edu = TEST.ATHENA.MIT.EDU
576 .dev.mit.edu = TEST.ATHENA.MIT.EDU
577 mit.edu = ATHENA.MIT.EDU
578 maps the host with the name crash.mit.edu into the TEST.ATHENA.MIT.EDU
580 realm. The second entry maps all hosts under the domain dev.mit.edu
581 into the TEST.ATHENA.MIT.EDU realm, but not the host with the name
582 dev.mit.edu. That host is matched by the third entry, which maps the
583 host mit.edu and all hosts under the domain mit.edu that do not match a
584 preceding rule into the realm ATHENA.MIT.EDU.
585 If no translation entry applies to a hostname used for a service prin‐
587 cipal for a service ticket request, the library will try to get a re‐
588 ferral to the appropriate realm from the client realm's KDC. If that
589 does not succeed, the host's realm is considered to be the hostname's
590 domain portion converted to uppercase, unless the realm_try_domains
591 setting in [libdefaults] causes a different parent domain to be used.
592 [capaths]
594 In order to perform direct (non-hierarchical) cross-realm authentica‐
595 tion, configuration is needed to determine the authentication paths be‐
596 tween realms.
597 A client will use this section to find the authentication path between
599 its realm and the realm of the server. The server will use this sec‐
600 tion to verify the authentication path used by the client, by checking
601 the transited field of the received ticket.
602 There is a tag for each participating client realm, and each tag has
604 subtags for each of the server realms. The value of the subtags is an
605 intermediate realm which may participate in the cross-realm authentica‐
606 tion. The subtags may be repeated if there is more then one intermedi‐
607 ate realm. A value of "." means that the two realms share keys di‐
608 rectly, and no intermediate realms should be allowed to participate.
609 Only those entries which will be needed on the client or the server
611 need to be present. A client needs a tag for its local realm with sub‐
612 tags for all the realms of servers it will need to authenticate to. A
613 server needs a tag for each realm of the clients it will serve, with a
614 subtag of the server realm.
615 For example, ANL.GOV, PNL.GOV, and NERSC.GOV all wish to use the ES.NET
617 realm as an intermediate realm. ANL has a sub realm of TEST.ANL.GOV
618 which will authenticate with NERSC.GOV but not PNL.GOV. The [capaths]
619 section for ANL.GOV systems would look like this:
620 [capaths]
622 ANL.GOV = {
623 TEST.ANL.GOV = .
624 PNL.GOV = ES.NET
625 NERSC.GOV = ES.NET
626 ES.NET = .
627 }
628 TEST.ANL.GOV = {
629 ANL.GOV = .
630 }
631 PNL.GOV = {
632 ANL.GOV = ES.NET
633 }
634 NERSC.GOV = {
635 ANL.GOV = ES.NET
636 }
637 ES.NET = {
638 ANL.GOV = .
639 }
640 The [capaths] section of the configuration file used on NERSC.GOV sys‐
642 tems would look like this:
643 [capaths]
645 NERSC.GOV = {
646 ANL.GOV = ES.NET
647 TEST.ANL.GOV = ES.NET
648 TEST.ANL.GOV = ANL.GOV
649 PNL.GOV = ES.NET
650 ES.NET = .
651 }
652 ANL.GOV = {
653 NERSC.GOV = ES.NET
654 }
655 PNL.GOV = {
656 NERSC.GOV = ES.NET
657 }
658 ES.NET = {
659 NERSC.GOV = .
660 }
661 TEST.ANL.GOV = {
662 NERSC.GOV = ANL.GOV
663 NERSC.GOV = ES.NET
664 }
665 When a subtag is used more than once within a tag, clients will use the
667 order of values to determine the path. The order of values is not im‐
668 portant to servers.
669 [appdefaults]
671 Each tag in the [appdefaults] section names a Kerberos V5 application
672 or an option that is used by some Kerberos V5 application[s]. The
673 value of the tag defines the default behaviors for that application.
674 For example:
676 [appdefaults]
678 telnet = {
679 ATHENA.MIT.EDU = {
680 option1 = false
681 }
682 }
683 telnet = {
684 option1 = true
685 option2 = true
686 }
687 ATHENA.MIT.EDU = {
688 option2 = false
689 }
690 option2 = true
691 The above four ways of specifying the value of an option are shown in
693 order of decreasing precedence. In this example, if telnet is running
694 in the realm EXAMPLE.COM, it should, by default, have option1 and op‐
695 tion2 set to true. However, a telnet program in the realm
696 ATHENA.MIT.EDU should have option1 set to false and option2 set to
697 true. Any other programs in ATHENA.MIT.EDU should have option2 set to
698 false by default. Any programs running in other realms should have op‐
699 tion2 set to true.
700 The list of specifiable options for each application may be found in
702 that application's man pages. The application defaults specified here
703 are overridden by those specified in the realms section.
704 [plugins]
706 • pwqual interface
707 • kadm5_hook interface
709 • clpreauth and kdcpreauth interfaces
711 Tags in the [plugins] section can be used to register dynamic plugin
713 modules and to turn modules on and off. Not every krb5 pluggable in‐
714 terface uses the [plugins] section; the ones that do are documented
715 here.
716 New in release 1.9.
718 Each pluggable interface corresponds to a subsection of [plugins]. All
720 subsections support the same tags:
721 disable
723 This tag may have multiple values. If there are values for this
724 tag, then the named modules will be disabled for the pluggable
725 interface.
726 enable_only
728 This tag may have multiple values. If there are values for this
729 tag, then only the named modules will be enabled for the plug‐
730 gable interface.
731 module This tag may have multiple values. Each value is a string of
733 the form modulename:pathname, which causes the shared object lo‐
734 cated at pathname to be registered as a dynamic module named
735 modulename for the pluggable interface. If pathname is not an
736 absolute path, it will be treated as relative to the
737 plugin_base_dir value from [libdefaults].
738 For pluggable interfaces where module order matters, modules registered
740 with a module tag normally come first, in the order they are regis‐
741 tered, followed by built-in modules in the order they are documented
742 below. If enable_only tags are used, then the order of those tags
743 overrides the normal module order.
744 The following subsections are currently supported within the [plugins]
746 section:
747 ccselect interface
749 The ccselect subsection controls modules for credential cache selection
750 within a cache collection. In addition to any registered dynamic mod‐
751 ules, the following built-in modules exist (and may be disabled with
752 the disable tag):
753 k5identity
755 Uses a .k5identity file in the user's home directory to select a
756 client principal
757 realm Uses the service realm to guess an appropriate cache from the
759 collection
760 hostname
762 If the service principal is host-based, uses the service host‐
763 name to guess an appropriate cache from the collection
764 pwqual interface
766 The pwqual subsection controls modules for the password quality inter‐
767 face, which is used to reject weak passwords when passwords are
768 changed. The following built-in modules exist for this interface:
769 dict Checks against the realm dictionary file
771 empty Rejects empty passwords
773 hesiod Checks against user information stored in Hesiod (only if Ker‐
775 beros was built with Hesiod support)
776 princ Checks against components of the principal name
778 kadm5_hook interface
780 The kadm5_hook interface provides plugins with information on principal
781 creation, modification, password changes and deletion. This interface
782 can be used to write a plugin to synchronize MIT Kerberos with another
783 database such as Active Directory. No plugins are built in for this
784 interface.
785 kadm5_auth interface
787 The kadm5_auth section (introduced in release 1.16) controls modules
788 for the kadmin authorization interface, which determines whether a
789 client principal is allowed to perform a kadmin operation. The follow‐
790 ing built-in modules exist for this interface:
791 acl This module reads the kadm5.acl file, and authorizes operations
793 which are allowed according to the rules in the file.
794 self This module authorizes self-service operations including pass‐
796 word changes, creation of new random keys, fetching the client's
797 principal record or string attributes, and fetching the policy
798 record associated with the client principal.
799 clpreauth and kdcpreauth interfaces
801 The clpreauth and kdcpreauth interfaces allow plugin modules to provide
802 client and KDC preauthentication mechanisms. The following built-in
803 modules exist for these interfaces:
804 pkinit This module implements the PKINIT preauthentication mechanism.
806 encrypted_challenge
808 This module implements the encrypted challenge FAST factor.
809 encrypted_timestamp
811 This module implements the encrypted timestamp mechanism.
812 hostrealm interface
814 The hostrealm section (introduced in release 1.12) controls modules for
815 the host-to-realm interface, which affects the local mapping of host‐
816 names to realm names and the choice of default realm. The following
817 built-in modules exist for this interface:
818 profile
820 This module consults the [domain_realm] section of the profile
821 for authoritative host-to-realm mappings, and the default_realm
822 variable for the default realm.
823 dns This module looks for DNS records for fallback host-to-realm
825 mappings and the default realm. It only operates if the
826 dns_lookup_realm variable is set to true.
827 domain This module applies heuristics for fallback host-to-realm map‐
829 pings. It implements the realm_try_domains variable, and uses
830 the uppercased parent domain of the hostname if that does not
831 produce a result.
832 localauth interface
834 The localauth section (introduced in release 1.12) controls modules for
835 the local authorization interface, which affects the relationship be‐
836 tween Kerberos principals and local system accounts. The following
837 built-in modules exist for this interface:
838 default
840 This module implements the DEFAULT type for auth_to_local val‐
841 ues.
842 rule This module implements the RULE type for auth_to_local values.
844 names This module looks for an auth_to_local_names mapping for the
846 principal name.
847 auth_to_local
849 This module processes auth_to_local values in the default
850 realm's section, and applies the default method if no
851 auth_to_local values exist.
852 k5login
854 This module authorizes a principal to a local account according
855 to the account's .k5login file.
856 an2ln This module authorizes a principal to a local account if the
858 principal name maps to the local account name.
859 certauth interface
861 The certauth section (introduced in release 1.16) controls modules for
862 the certificate authorization interface, which determines whether a
863 certificate is allowed to preauthenticate a user via PKINIT. The fol‐
864 lowing built-in modules exist for this interface:
865 pkinit_san
867 This module authorizes the certificate if it contains a PKINIT
868 Subject Alternative Name for the requested client principal, or
869 a Microsoft UPN SAN matching the principal if pkinit_allow_upn
870 is set to true for the realm.
871 pkinit_eku
873 This module rejects the certificate if it does not contain an
874 Extended Key Usage attribute consistent with the
875 pkinit_eku_checking value for the realm.
876 dbmatch
878 This module authorizes or rejects the certificate according to
879 whether it matches the pkinit_cert_match string attribute on the
880 client principal, if that attribute is present.
881
883 NOTE:
884 The following are PKINIT-specific options. These values may be
885 specified in [libdefaults] as global defaults, or within a
886 realm-specific subsection of [libdefaults], or may be specified as
887 realm-specific values in the [realms] section. A realm-specific
888 value overrides, not adds to, a generic [libdefaults] specification.
889 The search order is:
890 1. realm-specific subsection of [libdefaults]:
892 [libdefaults]
894 EXAMPLE.COM = {
895 pkinit_anchors = FILE:/usr/local/example.com.crt
896 }
897 2. realm-specific value in the [realms] section:
899 [realms]
901 OTHERREALM.ORG = {
902 pkinit_anchors = FILE:/usr/local/otherrealm.org.crt
903 }
904 3. generic value in the [libdefaults] section:
906 [libdefaults]
908 pkinit_anchors = DIR:/usr/local/generic_trusted_cas/
909 Specifying PKINIT identity information
911 The syntax for specifying Public Key identity, trust, and revocation
912 information for PKINIT is as follows:
913 FILE:filename[,keyfilename]
915 This option has context-specific behavior.
916 In pkinit_identity or pkinit_identities, filename specifies the
918 name of a PEM-format file containing the user's certificate. If
919 keyfilename is not specified, the user's private key is expected
920 to be in filename as well. Otherwise, keyfilename is the name
921 of the file containing the private key.
922 In pkinit_anchors or pkinit_pool, filename is assumed to be the
924 name of an OpenSSL-style ca-bundle file.
925 DIR:dirname
927 This option has context-specific behavior.
928 In pkinit_identity or pkinit_identities, dirname specifies a di‐
930 rectory with files named *.crt and *.key where the first part of
931 the file name is the same for matching pairs of certificate and
932 private key files. When a file with a name ending with .crt is
933 found, a matching file ending with .key is assumed to contain
934 the private key. If no such file is found, then the certificate
935 in the .crt is not used.
936 In pkinit_anchors or pkinit_pool, dirname is assumed to be an
938 OpenSSL-style hashed CA directory where each CA cert is stored
939 in a file named hash-of-ca-cert.#. This infrastructure is en‐
940 couraged, but all files in the directory will be examined and if
941 they contain certificates (in PEM format), they will be used.
942 In pkinit_revoke, dirname is assumed to be an OpenSSL-style
944 hashed CA directory where each revocation list is stored in a
945 file named hash-of-ca-cert.r#. This infrastructure is encour‐
946 aged, but all files in the directory will be examined and if
947 they contain a revocation list (in PEM format), they will be
948 used.
949 PKCS12:filename
951 filename is the name of a PKCS #12 format file, containing the
952 user's certificate and private key.
953 PKCS11:[module_name=]modname[:slotid=slot-id][:token=token-label][:cer‐
955 tid=cert-id][:certlabel=cert-label]
956 All keyword/values are optional. modname specifies the location
957 of a library implementing PKCS #11. If a value is encountered
958 with no keyword, it is assumed to be the modname. If no mod‐
959 ule-name is specified, the default is p11-kit-proxy.so. slotid=
960 and/or token= may be specified to force the use of a particular
961 smard card reader or token if there is more than one available.
962 certid= and/or certlabel= may be specified to force the selec‐
963 tion of a particular certificate on the device. See the
964 pkinit_cert_match configuration option for more ways to select a
965 particular certificate to use for PKINIT.
966 ENV:envvar
968 envvar specifies the name of an environment variable which has
969 been set to a value conforming to one of the previous values.
970 For example, ENV:X509_PROXY, where environment variable
971 X509_PROXY has been set to FILE:/tmp/my_proxy.pem.
972 PKINIT krb5.conf options
974 pkinit_anchors
975 Specifies the location of trusted anchor (root) certificates
976 which the client trusts to sign KDC certificates. This option
977 may be specified multiple times. These values from the config
978 file are not used if the user specifies X509_anchors on the com‐
979 mand line.
980 pkinit_cert_match
982 Specifies matching rules that the client certificate must match
983 before it is used to attempt PKINIT authentication. If a user
984 has multiple certificates available (on a smart card, or via
985 other media), there must be exactly one certificate chosen be‐
986 fore attempting PKINIT authentication. This option may be spec‐
987 ified multiple times. All the available certificates are
988 checked against each rule in order until there is a match of ex‐
989 actly one certificate.
990 The Subject and Issuer comparison strings are the RFC 2253
992 string representations from the certificate Subject DN and Is‐
993 suer DN values.
994 The syntax of the matching rules is:
996 [relation-operator]component-rule ...
997 where:
999 relation-operator
1001 can be either &&, meaning all component rules must match,
1002 or ||, meaning only one component rule must match. The
1003 default is &&.
1004 component-rule
1006 can be one of the following. Note that there is no punc‐
1007 tuation or whitespace between component rules.
1008 <SUBJECT>regular-expression
1009 <ISSUER>regular-expression
1010 <SAN>regular-expression
1011 <EKU>extended-key-usage-list
1012 <KU>key-usage-list
1013 extended-key-usage-list is a comma-separated list of re‐
1016 quired Extended Key Usage values. All values in the list
1017 must be present in the certificate. Extended Key Usage
1018 values can be:
1019 • pkinit
1021 • msScLogin
1023 • clientAuth
1025 • emailProtection
1027 key-usage-list is a comma-separated list of required Key
1029 Usage values. All values in the list must be present in
1030 the certificate. Key Usage values can be:
1031 • digitalSignature
1033 • keyEncipherment
1035 Examples:
1037 pkinit_cert_match = ||<SUBJECT>.*DoE.*<SAN>.*@EXAMPLE.COM
1039 pkinit_cert_match = &&<EKU>msScLogin,clientAuth<ISSUER>.*DoE.*
1040 pkinit_cert_match = <EKU>msScLogin,clientAuth<KU>digitalSignature
1041 pkinit_eku_checking
1043 This option specifies what Extended Key Usage value the KDC cer‐
1044 tificate presented to the client must contain. (Note that if
1045 the KDC certificate has the pkinit SubjectAlternativeName en‐
1046 coded as the Kerberos TGS name, EKU checking is not necessary
1047 since the issuing CA has certified this as a KDC certificate.)
1048 The values recognized in the krb5.conf file are:
1049 kpKDC This is the default value and specifies that the KDC must
1051 have the id-pkinit-KPKdc EKU as defined in RFC 4556.
1052 kpServerAuth
1054 If kpServerAuth is specified, a KDC certificate with the
1055 id-kp-serverAuth EKU will be accepted. This key usage
1056 value is used in most commercially issued server certifi‐
1057 cates.
1058 none If none is specified, then the KDC certificate will not
1060 be checked to verify it has an acceptable EKU. The use
1061 of this option is not recommended.
1062 pkinit_dh_min_bits
1064 Specifies the size of the Diffie-Hellman key the client will at‐
1065 tempt to use. The acceptable values are 1024, 2048, and 4096.
1066 The default is 2048.
1067 pkinit_identities
1069 Specifies the location(s) to be used to find the user's X.509
1070 identity information. If this option is specified multiple
1071 times, each value is attempted in order until certificates are
1072 found. Note that these values are not used if the user speci‐
1073 fies X509_user_identity on the command line.
1074 pkinit_kdc_hostname
1076 The presence of this option indicates that the client is willing
1077 to accept a KDC certificate with a dNSName SAN (Subject Alterna‐
1078 tive Name) rather than requiring the id-pkinit-san as defined in
1079 RFC 4556. This option may be specified multiple times. Its
1080 value should contain the acceptable hostname for the KDC (as
1081 contained in its certificate).
1082 pkinit_pool
1084 Specifies the location of intermediate certificates which may be
1085 used by the client to complete the trust chain between a KDC
1086 certificate and a trusted anchor. This option may be specified
1087 multiple times.
1088 pkinit_require_crl_checking
1090 The default certificate verification process will always check
1091 the available revocation information to see if a certificate has
1092 been revoked. If a match is found for the certificate in a CRL,
1093 verification fails. If the certificate being verified is not
1094 listed in a CRL, or there is no CRL present for its issuing CA,
1095 and pkinit_require_crl_checking is false, then verification suc‐
1096 ceeds.
1097 However, if pkinit_require_crl_checking is true and there is no
1099 CRL information available for the issuing CA, then verification
1100 fails.
1101 pkinit_require_crl_checking should be set to true if the policy
1103 is such that up-to-date CRLs must be present for every CA.
1104 pkinit_revoke
1106 Specifies the location of Certificate Revocation List (CRL) in‐
1107 formation to be used by the client when verifying the validity
1108 of the KDC certificate presented. This option may be specified
1109 multiple times.
1110
1112 Starting with release 1.11, several variables, such as de‐
1113 fault_keytab_name, allow parameters to be expanded. Valid parameters
1114 are:
1115 ┌──────────────────┬────────────────────────────┐
1117 │%{TEMP} │ Temporary directory │
1118 ├──────────────────┼────────────────────────────┤
1119 │%{uid} │ Unix real UID or Windows │
1120 │ │ SID │
1121 ├──────────────────┼────────────────────────────┤
1122 │%{euid} │ Unix effective user ID or │
1123 │ │ Windows SID │
1124 ├──────────────────┼────────────────────────────┤
1125 │%{USERID} │ Same as %{uid} │
1126 ├──────────────────┼────────────────────────────┤
1127 │%{null} │ Empty string │
1128 ├──────────────────┼────────────────────────────┤
1129 │%{LIBDIR} │ Installation library di‐ │
1130 │ │ rectory │
1131 ├──────────────────┼────────────────────────────┤
1132 │%{BINDIR} │ Installation binary direc‐ │
1133 │ │ tory │
1134 ├──────────────────┼────────────────────────────┤
1135 │%{SBINDIR} │ Installation admin binary │
1136 │ │ directory │
1137 ├──────────────────┼────────────────────────────┤
1138 │%{username} │ (Unix) Username of effec‐ │
1139 │ │ tive user ID │
1140 ├──────────────────┼────────────────────────────┤
1141 │%{APPDATA} │ (Windows) Roaming applica‐ │
1142 │ │ tion data for current user │
1143 ├──────────────────┼────────────────────────────┤
1144 │%{COMMON_APPDATA} │ (Windows) Application data │
1145 │ │ for all users │
1146 ├──────────────────┼────────────────────────────┤
1147 │%{LOCAL_APPDATA} │ (Windows) Local applica‐ │
1148 │ │ tion data for current user │
1149 ├──────────────────┼────────────────────────────┤
1150 │%{SYSTEM} │ (Windows) Windows system │
1151 │ │ folder │
1152 ├──────────────────┼────────────────────────────┤
1153 │%{WINDOWS} │ (Windows) Windows folder │
1154 ├──────────────────┼────────────────────────────┤
1155 │%{USERCONFIG} │ (Windows) Per-user MIT │
1156 │ │ krb5 config file directory │
1157 ├──────────────────┼────────────────────────────┤
1158 │%{COMMONCONFIG} │ (Windows) Common MIT krb5 │
1159 │ │ config file directory │
1160 └──────────────────┴────────────────────────────┘
1161
1163 Here is an example of a generic krb5.conf file:
1164 [libdefaults]
1166 default_realm = ATHENA.MIT.EDU
1167 dns_lookup_kdc = true
1168 dns_lookup_realm = false
1169 [realms]
1171 ATHENA.MIT.EDU = {
1172 kdc = kerberos.mit.edu
1173 kdc = kerberos-1.mit.edu
1174 kdc = kerberos-2.mit.edu
1175 admin_server = kerberos.mit.edu
1176 primary_kdc = kerberos.mit.edu
1177 }
1178 EXAMPLE.COM = {
1179 kdc = kerberos.example.com
1180 kdc = kerberos-1.example.com
1181 admin_server = kerberos.example.com
1182 }
1183 [domain_realm]
1185 mit.edu = ATHENA.MIT.EDU
1186 [capaths]
1188 ATHENA.MIT.EDU = {
1189 EXAMPLE.COM = .
1190 }
1191 EXAMPLE.COM = {
1192 ATHENA.MIT.EDU = .
1193 }
1194
1196 /etc/krb5.conf
1197
1199 syslog(3)
1200
1202 MIT
1203
1205 1985-2022, MIT
12061.19.2 KRB5.CONF(5)