1krb5.conf(4)                     File Formats                     krb5.conf(4)
2
3
4

NAME

6       krb5.conf - Kerberos configuration file
7

SYNOPSIS

9       /etc/krb5/krb5.conf
10
11

DESCRIPTION

13       The krb5.conf file contains Kerberos configuration information, includ‐
14       ing the locations of KDCs and administration daemons for  the  Kerberos
15       realms  of  interest,  defaults  for the current realm and for Kerberos
16       applications, and mappings of host names  onto  Kerberos  realms.  This
17       file must reside on all Kerberos clients.
18
19
20       The  format  of  the  krb5.conf consists of sections headings in square
21       brackets. Each section can contain zero or more configuration variables
22       (called relations), of the form:
23
24
25       relation= relation-value
26
27
28       or
29
30
31       relation-subsection = {
32         relation= relation-value
33         relation= relation-value
34
35
36       }
37
38
39       The krb5.conf file can contain any or all of the following sections:
40
41       libdefaults
42
43           Contains default values used by the Kerberos V5 library.
44
45
46       appdefaults
47
48           Contains  subsections for Kerberos V5 applications, where relation-
49           subsection is the name of an application. Each subsection describes
50           application-specific defaults.
51
52
53       realms
54
55           Contains subsections for Kerberos realms, where relation-subsection
56           is the name of a realm. Each  subsection  contains  relations  that
57           define the properties for that particular realm.
58
59
60       domain_realm
61
62           Contains  relations which map domain names and subdomains onto Ker‐
63           beros realm names. This is used by programs to determine what realm
64           a host should be in, given its fully qualified domain name.
65
66
67       logging
68
69           Contains  relations  which  determine  how Kerberos programs are to
70           perform logging.
71
72
73       capaths
74
75           Contains the authentication paths used with  direct  (nonhierarchi‐
76           cal)  cross-realm  authentication. Entries in this section are used
77           by the client to determine the intermediate  realms  which  can  be
78           used in cross-realm authentication. It is also used by the end-ser‐
79           vice when checking the transited  field  for  trusted  intermediate
80           realms.
81
82
83       dbmodules
84
85           Contains  relations for Kerberos database plug-in-specific configu‐
86           ration information.
87
88
89       kdc
90
91           For a Key Distribution Center (KDC), can contain  the  location  of
92           the kdc.conf file.
93
94
95   The [libdefaults] Section
96       The [libdefaults] section can contain any of the following relations:
97
98       database_module
99
100           Selects  the  dbmodule  section entry to use to access the Kerberos
101           database. If this parameter is not present the code uses the  stan‐
102           dard db2-based Kerberos database.
103
104
105       default_keytab_name
106
107           Specifies the default keytab name to be used by application servers
108           such as telnetd and rlogind. The default is /etc/krb5/krb5.keytab.
109
110
111       default_realm
112
113           Identifies the default Kerberos realm for the client. Set its value
114           to your Kerberos realm.
115
116
117       default_tgs_enctypes
118
119           Identifies  the supported list of session key encryption types that
120           should be returned by the KDC. The list can be delimited with  com‐
121           mas  or  whitespace.  The  supported encryption types are des3-cbc-
122           sha1-kd, des-cbc-crc, des-cbc-md5, arcfour-hmac-md5,  arcfour-hmac-
123           md5-exp, aes128-cts-hmac-sha1-96, and aes256-cts-hmac-sha1-96.
124
125
126       default_tkt_enctypes
127
128           Identifies  the supported list of session key encryption types that
129           should be requested by the client. The format is the  same  as  for
130           default_tgs_enctypes.  The supported encryption types are des3-cbc-
131           sha1-kd, des-cbc-crc, des-cbc-md5, arcfour-hmac-md5,  arcfour-hmac-
132           md5-exp, aes128-cts-hmac-sha1-96, and aes256-cts-hmac-sha1-96.
133
134
135       clockskew
136
137           Sets the maximum allowable amount of clock skew in seconds that the
138           library tolerates  before  assuming  that  a  Kerberos  message  is
139           invalid. The default value is 300 seconds, or five minutes.
140
141
142       forwardable = [true | false]
143
144           Sets  the  "forwardable"  flag in all tickets. This allows users to
145           transfer their credentials from one host to another  without  reau‐
146           thenticating.  This  option can also be set in the [appdefaults] or
147           [realms] section (see below) to limit its use in particular  appli‐
148           cations or just to a specific realm.
149
150
151       permitted_enctypes
152
153           This  relation  controls the encryption types for session keys per‐
154           mitted by server applications that use Kerberos for authentication.
155           In  addition,  it  controls the encryption types of keys added to a
156           keytab by means of the kadmin(1M) ktadd command.  The  default  is:
157           aes256-cts-hmac-sha1-96,     aes128-cts-hmac-sha1-96,    des3-hmac-
158           sha1-kd, arcfour-hmac-md5, arcfour-hmac-md5-exp, des-cbc-md5,  des-
159           cbc-crc.
160
161
162       proxiable = [true | false]
163
164           Sets the proxiable flag in all tickets. This allows users to create
165           a proxy ticket that can be transferred to a kerberized  service  to
166           allow that service to perform some function on behalf of the origi‐
167           nal user. This option can also  be  set  in  the  [appdefaults]  or
168           [realms]  section (see below) to limit its use in particular appli‐
169           cations or just to a specific realm.
170
171
172       renew_lifetime =lifetime
173
174           Requests renewable tickets, with a total lifetime of lifetime.  The
175           value  for lifetime must be followed immediately by one of the fol‐
176           lowing delimiters:
177
178           s
179
180               seconds
181
182
183           m
184
185               minutes
186
187
188           h
189
190               hours
191
192
193           d
194
195               days
196
197           Example:
198
199             renew_lifetime = 90m
200
201
202           Do not mix units. A value of "3h30m" results in an error.
203
204
205       max_lifetime =lifetime
206
207           Sets the requested maximum lifetime of the ticket. The  values  for
208           lifetime follow the format described for the renew_lifetime option,
209           above.
210
211
212       dns_lookup_kdc
213
214           Indicates whether DNS SRV records need to be  used  to  locate  the
215           KDCs  and  the  other servers for a realm, if they have not already
216           been listed in the [realms] section. This option makes the  machine
217           vulnerable to a certain type of DoS attack if somone spoofs the DNS
218           records and does a redirect to another server. This is, however, no
219           worse  than a DoS, since the bogus KDC is unable to decode anything
220           sent (excepting the initial ticket request, which has no  encrypted
221           data).  Also, anything the fake KDC sends out isl not trusted with‐
222           out verification (the local machine is unaware of the secret key to
223           be  used).  If dns_lookup_kdc is not specified but dns_fallback is,
224           then that value  is  used  instead.  In  either  case,  values  (if
225           present)  in  the  [realms] section override DNS. dns_lookup_kdc is
226           enabled by default.
227
228
229       dns_lookup_realm
230
231           Indicates whether DNS TXT records need to be used to determine  the
232           Kerberos  realm  information  and/or  the host/domain name-to-realm
233           mapping of a host, if this information is not  already  present  in
234           the  krb5.conf  file. Enabling this option might make the host vul‐
235           nerable to a redirection attack, wherein spoofed DNS  replies  per‐
236           suade  a client to authenticate to the wrong realm. In a realm with
237           no cross-realm trusts, this a DoS attack.  If  dns_lookup_realm  is
238           not specified but dns_fallback is, then that value is used instead.
239           In either case,  values  (if  present)  in  the  [libdefaults]  and
240           [domain_realm] sections override DNS.
241
242
243       dns_fallback
244
245           Generic  flag  controlling the use of DNS for retrieval of informa‐
246           tion about Kerberos servers and host/domain name-to-realm  mapping.
247           If  both  dns_lookup_kdc  and dns_lookup_realm have been specified,
248           this option has no effect.
249
250
251       verify_ap_req_nofail [true | false]
252
253           If true, the local keytab file (/etc/krb5/krb5.keytab) must contain
254           an   entry   for   the   local   host   principal,   for   example,
255           host/foo.bar.com@FOO.COM. This entry is needed to verify  that  the
256           TGT  requested  was  issued by the same KDC that issued the key for
257           the host principal. If undefined, the behavior is as if this option
258           were  set  to  true.  Setting this value to false leaves the system
259           vulnerable to DNS spoofing attacks. This parameter can  be  in  the
260           [realms]  section  to  set it on a per-realm basis, or it can be in
261           the [libdefaults] section to make it a network-wide setting for all
262           realms.
263
264
265   The [appdefaults] Section
266       This  section  contains subsections for Kerberos V5 applications, where
267       relation-subsection is the name of an application. Each subsection con‐
268       tains relations that define the default behaviors for that application.
269
270
271       The  following  relations  can  be  found in the [appdefaults] section,
272       though not all relations are recognized by all kerberized applications.
273       Some are specific to particular applications.
274
275       autologin = [true | false]
276
277           Forces  the  application  to  attempt automatic login by presenting
278           Kerberos credentials. This is valid for the following applications:
279           rlogin, rsh, rcp, rdist, and telnet.
280
281
282       encrypt = [true | false]
283
284           Forces applications to use encryption by default (after authentica‐
285           tion) to protect the privacy of the sessions. This is valid for the
286           following applications: rlogin, rsh, rcp, rdist, and telnet.
287
288
289       forward = [true | false]
290
291           Forces  applications  to  forward  the  user'ss  credentials (after
292           authentication) to the remote server. This is valid for the follow‐
293           ing applications: rlogin, rsh, rcp, rdist, and telnet.
294
295
296       forwardable = [true | false]
297
298           See  the  description  in  the [libdefaults] section above. This is
299           used by any application that creates a ticket granting  ticket  and
300           also by applications that can forward tickets to a remote server.
301
302
303       proxiable = [true | false]
304
305           See  the  description  in  the [libdefaults] section above. This is
306           used by any application that creates a ticket granting ticket.
307
308
309       renewable = [true | false]
310
311           Creates a TGT that can be renewed (prior to the  ticket  expiration
312           time). This is used by any application that creates a ticket grant‐
313           ing ticket.
314
315
316       no_addresses = [true | false]
317
318           Creates tickets with no address bindings. This is to allow  tickets
319           to be used across a NAT boundary or when using multi-homed systems.
320           This option is valid in the kinit [appdefault] section only.
321
322
323       max_life =lifetime
324
325           Sets the maximum lifetime of the ticket, with a total  lifetime  of
326           lifetime.  The  values  for lifetime follow the format described in
327           the [libdefaults] section above. This option  is  obsolete  and  is
328           removed in a future release of the Solaris operating system.
329
330
331       max_renewable_life =lifetime
332
333           Requests  renewable tickets, with a total lifetime of lifetime. The
334           values for lifetime follow the  format  described  in  the  [libde‐
335           faults]  section above. This option is obsolete and is removed in a
336           future release of the Solaris operating system.
337
338
339       rcmd_protocol = [ rcmdv1 | rcmdv2 ]
340
341           Specifies which Kerberized "rcmd" protocol to use  when  using  the
342           Kerberized  rlogin(1),  rsh(1),  rcp(1),  or rdist(1) programs. The
343           default is to use rcmdv2 by default, as this is the more secure and
344           more  recent update of the protocol. However, when talking to older
345           MIT or SEAM-based "rcmd" servers, it can be necessary to force  the
346           new  clients to use the older rcmdv1 protocol. This option is valid
347           only for the following applications: rlogin, rcp, rsh, and rdist.
348
349
350         gkadmin = {
351               help_url = \
352         http://docs.sun.com/app/docs/doc/816-4557/6maosrjmr?q=gkadmin&a=view
353         }
354
355
356
357
358       The preceding URL is subject to change. On the docs.sun.com  web  site,
359       view  the  chapter on the Solaris Kerberos implementation in the System
360       Administration Guide: Security Services.
361
362
363       The following application defaults can be set to true or false:
364
365         kinit
366            forwardable = true
367            proxiable = true
368            renewable = true
369            no_addresses = true
370            max_life = delta_time
371            max_renewable_life = delta_time
372
373
374
375
376       See kinit(1) for the valid time duration formats you  can  specify  for
377       delta_time.
378
379
380       In the following example, kinit gets forwardable tickets by default and
381       telnet has three default behaviors specified:
382
383         [appdefaults]
384            kinit = {
385               forwardable = true
386            }
387
388            telnet = {
389               forward = true
390               encrypt = true
391               autologin = true
392            }
393
394
395
396
397       The application defaults specified here are overridden by those  speci‐
398       fied in the [realms] section.
399
400   The [realms] Section
401       This  section contains subsections for Kerberos realms, where relation-
402       subsection is the name of a realm. Each subsection  contains  relations
403       that  define  the  properties  for that particular realm. The following
404       relations can be specified in each [realms] subsection:
405
406       admin_server
407
408           Identifies the host where the Kerberos administration daemon  (kad‐
409           mind) is running. Typically, this is the master KDC.
410
411
412       application defaults
413
414           Application defaults that are specific to a particular realm can be
415           specified within a [realms] subsection. Realm-specific  application
416           defaults  override  the  global  defaults  specified in the [appde‐
417           faults] section.
418
419
420       auth_to_local_realm
421
422           For use in the default realm, non-default  realms  can  be  equated
423           with  the  default  realm for authenticated name-to-local name map‐
424           ping.
425
426
427       auth_to_local_names
428
429           This subsection allows you to set explicit mappings from  principal
430           names  to  local  user  names.  The tag is the mapping name and the
431           value is the corresponding local user name.
432
433
434       auth_to_local
435
436           This tag allows you to set a general  rule  for  mapping  principal
437           names  to  local user names. It is used if there is not an explicit
438           mapping for the principal name that is being translated. The possi‐
439           ble values are:
440
441             RULE:[<ncomps>:<format>](<regex>)s/<regex>/<text>/
442
443           Each rule has three parts:
444
445           First part—Formulate the string on which to perform operations:
446
447               If  not present then the string defaults to the fully flattened
448               principal minus the realm name. Otherwise the syntax is as fol‐
449               lows:
450
451                 "[" <ncomps> ":" <format> "]"
452
453               Where:
454
455               <ncomps> is the number of expected components for this rule. If
456               the particular principal does not have this  number  of  compo‐
457               nents, then this rule does not apply.
458
459               <format>  is  a string of <component> or verbatim characters to
460               be inserted.
461
462               <component> is of the form "$"<number> to select the <number>th
463               component. <number> begins from 1.
464
465
466           Second part—select rule validity:
467
468               If  not  present, this rule can apply to all selections. Other‐
469               wise the syntax is as follows:
470
471                 "(" <regex> ")"
472
473               Where:
474
475               <regex> is a  selector  regular  expression.  If  this  regular
476               expression  matches  the whole pattern generated from the first
477               part, then this rule still applies.
478
479
480           Third part—Transform rule:
481
482               If not present, then the selection string  is  passed  verbatim
483               and is matched. Otherwise, the syntax is as follows:
484
485                 <rule> ...
486
487               Where:
488
489               <rule> is of the form:
490
491                 "s/" <regex> "/" <text> "/" ["g"]
492
493               Regular expressions are defined in regex(5).
494
495               For example:
496
497               auth_to_local = RULE:[1:$1@$0](.*@.*ACME.COM)s/@.*//
498
499               The  preceding  maps  username@ACME.COM  and  all sub-realms of
500               ACME.COM to username.
501
502
503           DEFAULT
504
505               The principal name is used as the local name. If the  principal
506               has  more  than  one  component or is not in the default realm,
507               this rule is not applicable and the conversion fails.
508
509
510
511       database_module
512
513           Selects the dbmodule section entry to use to  access  the  Kerberos
514           database.
515
516
517       extra_addresses...
518
519           This  allows  a  computer to use multiple local addresses, to allow
520           Kerberos to work in a network that uses NATs. The addresses  should
521           be in a comma-separated list.
522
523
524       kdc
525
526           The  name  of a host running a KDC for that realm. An optional port
527           number (separated from the hostname by a colon) can be included.
528
529
530       kpasswd_server
531
532           Identifies the host where the Kerberos password-changing server  is
533           running.  Typically,  this  is  the  same  as host indicated in the
534           admin_server.  If  this  parameter  is   omitted,   the   host   in
535           admin_server  is  used.  You  can also specify a port number if the
536           server indicated by kpasswd_server runs on a port  other  than  464
537           (the default). The format of this parameter is: hostname[:port].
538
539
540       kpasswd_protocol
541
542           Identifies  the  protocol  to  be  used when communicating with the
543           server indicated by kpasswd_server. By default, this  parameter  is
544           defined  to  be  RPCSEC_GSS, which is the protocol used by Solaris-
545           based administration servers. To be able to  change  a  principal's
546           password  stored  on non-Solaris Kerberos server, such as Microsoft
547           Active Directory or MIT Kerberos, this value should be  SET_CHANGE.
548           This  indicates  that a non-RPC- based protocol is used to communi‐
549           cate  the  password  change  request   to   the   server   in   the
550           kpasswd_server entry.
551
552
553       udp_preference_limit
554
555           When  sending  a  message  to  the KDC, the library tries using TCP
556           before UDP  if  the  size  of  the  message  is  above  udp_prefer‐
557           ence_limit.  If  the  message is smaller than udp_preference_limit,
558           then UDP is tried before TCP. Regardless of the size,  both  proto‐
559           cols are tried if the first attempt fails.
560
561
562       verify_ap_req_nofail [true | false]
563
564           If true, the local keytab file (/etc/krb5/krb5.keytab) must contain
565           an   entry   for   the   local   host   principal,   for   example,
566           host/foo.bar.com@FOO.COM.  This  entry is needed to verify that the
567           TGT requested was issued by the same KDC that issued  the  key  for
568           the host principal. If undefined, the behavior is as if this option
569           were set to true. Setting this value to  false  leaves  the  system
570           vulnerable  to DNS spoofing attacks. This parameter might be in the
571           [realms] section to set it on a per-realm basis, or it might be  in
572           the [libdefaults] section to make it a network-wide setting for all
573           realms.
574
575
576
577       The parameters  "forwardable",  "proxiable",  and  "renew_lifetime"  as
578       described  in  the  [libdefaults] section (see above) are also valid in
579       the [realms] section.
580
581
582       Notice that  kpasswd_server  and  kpasswd_protocol  are  realm-specific
583       parameters. Most often, you need to specify them only when using a non-
584       Solaris-based Kerberos server. Otherwise, the change  request  is  sent
585       over RPCSEC_GSS to the Solaris Kerberos administration server.
586
587   The [domain_realm] Section
588       This section provides a translation from a domain name or hostname to a
589       Kerberos realm name. The relation can be a host name, or a domain name,
590       where  domain  names  are indicated by a period (`.') prefix. relation-
591       value is the Kerberos realm name for that particular  host  or  domain.
592       Host names and domain names should be in lower case.
593
594
595       If  no  translation entry applies, the host's realm is considered to be
596       the hostname's domain portion converted to upper case. For example, the
597       following   [domain_realm]   section   maps   crash.mit.edu   into  the
598       TEST.ATHENA.MIT.EDU realm:
599
600         [domain_realm]
601            .mit.edu = ATHENA.MIT.EDU
602            mit.edu = ATHENA.MIT.EDU
603            crash.mit.edu = TEST.ATHENA.MIT.EDU
604            .fubar.org = FUBAR.ORG
605            fubar.org = FUBAR.ORG
606
607
608
609
610       All  other  hosts  in  the  mit.edu  domain  maps  by  default  to  the
611       ATHENA.MIT.EDU  realm,  and  all  hosts in the fubar.org domain maps by
612       default into the FUBAR.ORG realm. The entries for the hosts mit.edu and
613       fubar.org.  Without these entries, these hosts would be mapped into the
614       Kerberos realms EDU and ORG, respectively.
615
616   The [logging] Section
617       This section indicates how Kerberos programs are  to  perform  logging.
618       There are two types of relations for this section: relations to specify
619       how to log and a relation to specify how to rotate kdc log files.
620
621
622       The following relations can be defined to specify how to log. The  same
623       relation  can  be  repeated  if  you want to assign it multiple logging
624       methods.
625
626       admin_server
627
628           Specifies how to log the Kerberos administration daemon  (kadmind).
629           The default is FILE:/var/krb5/kadmin.log.
630
631
632       default
633
634           Specifies  how to perform logging in the absence of explicit speci‐
635           fications otherwise.
636
637
638       kdc
639
640           Specifies how the KDC is to perform its  logging.  The  default  is
641           FILE:/var/krb5/kdc.log.
642
643
644
645       The  admin_server,  default,  and  kdc relations can have the following
646       values:
647
648       FILE:filename
649       FILE=filename
650
651           This value causes the entity's logging messages to go to the speci‐
652           fied file. If the `=' form is used, the file is overwritten. If the
653           `:' form is used, the file is appended to.
654
655
656       STDERR
657
658           This value causes the entity's logging messages to go to its  stan‐
659           dard error stream.
660
661
662       CONSOLE
663
664           This  value  causes the entity's logging messages to go to the con‐
665           sole, if the system supports it.
666
667
668       DEVICE=devicename
669
670           This causes the entity's logging messages to go  to  the  specified
671           device.
672
673
674       SYSLOG[:severity[:facility]]
675
676           This causes the entity's logging messages to go to the system log.
677
678
679
680       The severity argument specifies the default severity of system log mes‐
681       sages. This can be any of the following  severities  supported  by  the
682       syslog(3C) call, minus the LOG_ prefix: LOG_EMERG, LOG_ALERT, LOG_CRIT,
683       LOG_ERR, LOG_WARNING, LOG_NOTICE, LOG_INFO, and LOG_DEBUG. For example,
684       a value of CRIT would specify LOG_CRIT severity.
685
686
687       The  facility  argument specifies the facility under which the messages
688       are logged. This can be any of the following  facilities  supported  by
689       the   syslog(3C)  call  minus  the  LOG_  prefix:  LOG_KERN,  LOG_USER,
690       LOG_MAIL, LOG_DAEMON, LOG_AUTH, LOG_LPR, LOG_NEWS, LOG_UUCP,  LOG_CRON,
691       and LOG_LOCAL0 through LOG_LOCAL7.
692
693
694       If  no  severity  is  specified,  the default is ERR. If no facility is
695       specified, the default is AUTH.
696
697
698       The following relation can be defined to specify how to rotate kdc  log
699       files if the FILE: value is being used to log:
700
701       kdc_rotate
702
703           A  relation  subsection  that  enables kdc logging to be rotated to
704           multiple files based on a time interval. This can be used to  avoid
705           logging  to  one file, which might grow too large and bring the KDC
706           to a halt.
707
708
709
710       The time interval for the rotation is specified by the period relation.
711       The  number  of  log  files  to be rotated is specified by the versions
712       relation. Both the period and  versions  (described  below)  should  be
713       included  in  this subsection. And, this subsection applies only if the
714       kdc relation has a FILE: value.
715
716
717       The following relations can be specified for  the  kdc_rotate  relation
718       subsection:
719
720       period=delta_time
721
722           Specifies  the  time interval before a new log file is created. See
723           the TimeFormats section in kinit(1) for  the  valid  time  duration
724           formats  you can specify for delta_time. If period is not specified
725           or set to never, no rotation occurs.
726
727
728
729       Specifying a time interval does not mean that the log files are rotated
730       at  the  time  interval  based  on  real time. This is because the time
731       interval is checked at each attempt to write a record to  the  log,  or
732       when  logging  is  actually  occurring. Therefore, rotation occurs only
733       when logging has actually occurred for the specified time interval.
734
735       versions=number
736
737           Specifies how many previous versions are saved before the  rotation
738           begins.  A  number is appended to the log file, starting with 0 and
739           ending with (number - 1). For example, if versions is set to 2,  up
740           to three logging files are created (filename, filename.0, and file‐
741           name.1) before the first one is overwritten to begin the rotation.
742
743
744
745       Notice that if versions is not specified or set to 0, only one log file
746       is created, but it is overwritten whenever the time interval is met.
747
748
749       In the following example, the logging messages from the Kerberos admin‐
750       istration daemon goes to the console. The logging messages from the KDC
751       is  appended to the /var/krb5/kdc.log, which is rotated between twenty-
752       one log files with a specified time interval of a day.
753
754         [logging]
755            admin_server = CONSOLE
756            kdc = FILE:/export/logging/kadmin.log
757            kdc_rotate = {
758               period = 1d
759               versions = 20
760            }
761
762
763
764   The [capaths] Section
765       In order to perform direct (non-hierarchical)  cross-realm  authentica‐
766       tion,  a  database  is  needed  to  construct  the authentication paths
767       between the realms. This section defines that database.
768
769
770       A client uses this section to find the authentication path between  its
771       realm and the realm of the server. The server uses this section to ver‐
772       ify the authentication path used by the client, by checking  the  tran‐
773       sited field of the received ticket.
774
775
776       There is a subsection for each participating realm, and each subsection
777       has relations named for each of the realms. The  relation-value  is  an
778       intermediate realm which can participate in the cross-realm authentica‐
779       tion. The relations can be repeated if there is more than one  interme‐
780       diate  realm.  A  value  of  '.'  means  that the two realms share keys
781       directly, and no intermediate realms should be allowed to participate.
782
783
784       There are n**2 possible entries in this table, but only  those  entries
785       which  is  needed  on  the client or the server need to be present. The
786       client needs a subsection named for its  local  realm,  with  relations
787       named  for  all  the realms of servers it needs to authenticate with. A
788       server needs a subsection named  for  each  realm  of  the  clients  it
789       serves.
790
791
792       For example, ANL.GOV, PNL.GOV, and NERSC.GOV all wish to use the ES.NET
793       realm as an intermediate realm. ANL has a sub  realm  of  TEST.ANL.GOV,
794       which  authenticates  with NERSC.GOV but not PNL.GOV. The [capath] sec‐
795       tion for ANL.GOV systems would look like this:
796
797         [capaths]
798            ANL.GOV = {
799                TEST.ANL.GOV = .
800                PNL.GOV = ES.NET
801                NERSC.GOV = ES.NET
802                ES.NET = .
803            }
804
805            TEST.ANL.GOV = {
806                ANL.GOV = .
807            }
808
809            PNL.GOV = {
810                ANL.GOV = ES.NET
811            }
812
813            NERSC.GOV = {
814               ANL.GOV = ES.NET
815            }
816
817            ES.NET = {
818               ANL.GOV = .
819            }
820
821
822
823
824       The [capath] section of the configuration file used on  NERSC.GOV  sys‐
825       tems would look like this:
826
827         [capaths]
828            NERSC.GOV = {
829               ANL.GOV = ES.NET
830               TEST.ANL.GOV = ES.NET
831               TEST.ANL.GOV = ANL.GOV
832               PNL.GOV = ES.NET
833               ES.NET = .
834            }
835
836            ANL.GOV = {
837               NERSC.GOV = ES.NET
838            }
839
840            PNL.GOV = {
841               NERSC.GOV = ES.NET
842            }
843
844            ES.NET = {
845               NERSC.GOV = .
846            }
847
848            TEST.ANL.GOV = {
849               NERSC.GOV = ANL.GOV
850               NERSC.GOV = ES.NET
851            }
852
853
854
855
856       In  the  above examples, the ordering is not important, except when the
857       same relation is used more than once. The client uses this to determine
858       the path. (It is not important to the server, since the transited field
859       is not sorted.)
860
861   PKINIT-specific Options
862       The following are pkinit-specific options. These values can  be  speci‐
863       fied  in  [libdefaults]  as global defaults, or within a realm-specific
864       subsection of [libdefaults], or can be specified as realm-specific val‐
865       ues in the [realms] section. A realm-specific value overrides, does not
866       add to, a generic [libdefaults] specification.
867
868
869       The search order is:
870
871           1.     realm-specific subsection of [libdefaults]
872
873                              [libdefaults]
874                                  EXAMPLE.COM = {
875                                      pkinit_anchors = FILE:/usr/local/example.com.crt
876
877
878           2.     realm-specific value in the [realms] section
879
880                              [realms]
881                                  OTHERREALM.ORG = {
882                                      pkinit_anchors = FILE:/usr/local/otherrealm.org.crt
883
884
885           3.     generic value in the [libdefaults] section
886
887                              [libdefaults]
888                                  pkinit_anchors = DIR:/usr/local/generic_trusted_cas/
889
890
891
892       The syntax for specifying Public Key identity,  trust,  and  revocation
893       information for pkinit is as follows:
894
895       pkinit_identities = URI
896
897           Specifies the location(s) to be used to find the user's X.509 iden‐
898           tity information.  This option can  be  specified  multiple  times.
899           Each  value  is  attempted  in  order until identity information is
900           found and authentication is attempted. These values are not used if
901           the user specifies X509_user_identity on the command line.
902
903           Valid  URI  types  are  FILE, DIR, PKCS11, PKCS12, and ENV. See the
904           PKINIT URI Types section for more details.
905
906
907       pkinit_anchors = URI
908
909           Specifies the location of trusted anchor (root) certificates  which
910           the  client  trusts  to  sign  KDC certificates. This option can be
911           specified multiple times.  These values from the  config  file  are
912           not used if the user specifies X509_anchors on the command line.
913
914           Valid  URI types are FILE and DIR. See the PKINIT URI Types section
915           for more details.
916
917
918       pkinit_pool = URI
919
920           Specifies the location of intermediate certificates  which  can  be
921           used  by  the client to complete the trust chain between a KDC cer‐
922           tificate and a trusted anchor.  This option can be specified multi‐
923           ple times.
924
925           Valid  URI  types  are  FILE and DIR.      See the PKINIT URI Types
926           section for more details.
927
928
929       pkinit_revoke = URI
930
931           Specifies the location of Certificate Revocation List (CRL)  infor‐
932           mation  to be used by the client when verifying the validity of the
933           KDC certificate presented. This option can  be  specified  multiple
934           times.
935
936           The  only  valid  URI type is DIR. See the PKINIT URI Types section
937           for more details.
938
939
940       pkinit_require_crl_checking = value
941
942           The default certificate  verification  process  always  checks  the
943           available  revocation  information to see if a certificate has been
944           revoked. If a match is found for the certificate in a CRL,  verifi‐
945           cation  fails. If the certificate being verified is not listed in a
946           CRL,  or  there  is  no  CRL  present  for  its  issuing  CA,   and
947           pkinit_require_crl_checking  is  false, then verification succeeds.
948           However, if pkinit_require_crl_checking is true and there is no CRL
949           information available for the issuing CA, then verification  fails.
950           pkinit_require_crl_checking should be set to true if the policy  is
951           such that up-to-date CRLs must be present for every CA.
952
953
954       pkinit_dh_min_bits = value
955
956           Specifies the size of the Diffie-Hellman key the client attempts to
957           use. The acceptable values are currently 1024, 2048, and 4096.  The
958           default is 2048.
959
960
961       pkinit_win2k = value
962
963           This  flag specifies whether the target realm is assumed to support
964           only the old, pre-RFC version  of  the  protocol.  The  default  is
965           false.
966
967
968       pkinit_win2k_require_binding = value
969
970           If  this  flag  is  set  to true, it expects that the target KDC is
971           patched to return a reply with a checksum rather than a nonce.  The
972           default is false.
973
974
975       pkinit_eku_checking = value
976
977           This  option  specifies  what Extended Key Usage value the KDC cer‐
978           tificate presented to the client must contain. If the KDC  certifi‐
979           cate  has the pkinit SubjectAlternativeName encoded as the Kerberos
980           TGS name, EKU checking is not necessary since the  issuing  CA  has
981           certified  this  as a KDC certificate. The values recognized in the
982           krb5.conf file are:
983
984           kpKDC           This is the default value and  specifies  that  the
985                           KDC must have the id-pkinit-KPKdc EKU as defined in
986                           RFC4556.
987
988
989           kpServerAuth    If kpServerAuth is  specified,  a  KDC  certificate
990                           with  the id-kp-serverAuth EKU as used by Microsoft
991                           is accepted.
992
993
994           none            If none is specified, then the KDC  certificate  is
995                           not checked to verify it has an acceptable EKU. The
996                           use of this option is not recommended.
997
998
999
1000       pkinit_kdc_hostname = value
1001
1002           The presense of this option indicates that the client is willing to
1003           accept  a  KDC  certificate with a dNSName SAN (Subject Alternative
1004           Name)  rather  than  requiring  the  id-pkinit-san  as  defined  in
1005           RFC4556.  This  option  can  be specified multiple times. Its value
1006           should contain the acceptable hostname for the KDC (as contained in
1007           its certificate).
1008
1009
1010       pkinit_cert_match = rule
1011
1012           Specifies  matching  rules  that  the client certificate must match
1013           before it is used to attempt pkinit authentication.  If a user  has
1014           multiple  certificates  available  (on  a  smart card, or by way of
1015           another media), there must be exactly one certificate chosen before
1016           attempting  pkinit  authentication.   This  option can be specified
1017           multiple times.  All the available certificates are checked against
1018           each  rule  in order until there is a match of exactly one certifi‐
1019           cate.
1020
1021           The Subject and Issuer comparison strings are  the  RFC2253  string
1022           representations  from the certificate Subject DN and Issuer DN val‐
1023           ues.
1024
1025           The syntax of the matching rules is:
1026
1027             [relation-operator]component-rule `...'
1028
1029           where
1030
1031           relation-operator    Specify relation-operator as &&,  meaning  all
1032                                component  rules  must  match,  or ||, meaning
1033                                only one component rule must match.  If  rela‐
1034                                tion-operator is not specified, the default is
1035                                &&.
1036
1037
1038           component-rule       There is no punctuation or white space between
1039                                component  rules.Specify component-rule as one
1040                                of the following:
1041
1042                                  `<SUBJECT>'regular-expression
1043
1044                                  `<ISSUER>'regular-expression
1045
1046                                  `<SAN>'regular-expression
1047
1048                                  `<EKU>'extended-key-usage-list
1049                                                 where extended-key-usage-list is a comma-separated list
1050                                                 of required Extended Key Usage values.  All values in
1051                                                 the list must be present in the certificate.
1052                                                      `pkinit'
1053                                                      `msScLogin'
1054                                                      `clientAuth'
1055                                                      `emailProtection'
1056                                  `<KU>'key-usage-list
1057                                                 where key-usage-list is a comma-separated list of
1058                                                 required Key Usage values.  All values in the list must
1059                                                 be present in the certificate.
1060                                                      `digitalSignature'
1061
1062
1063           Examples:
1064
1065             pkinit_cert_match = ||<SUBJECT>.*DoE.*<SAN>.*@EXAMPLE.COM
1066             pkinit_cert_match = &&<EKU>msScLogin,clientAuth<ISSUER>.*DoE.*
1067             pkinit_cert_match = <EKU>msScLogin,clientAuth<KU>digitalSignature
1068
1069
1070
1071   PKINIT URI Types
1072       FILE:file-name[,key-file-name]
1073
1074           This option has context-specific behavior.
1075
1076           pkinit_identities    file-name specifies the name of  a  PEM-format
1077                                file  containing  the  user's certificate.  If
1078                                key-file-name is  not  specified,  the  user's
1079                                private  key is expected to be in file-name as
1080                                well.  Otherwise, key-file-name is the name of
1081                                the file containing the private key.
1082
1083
1084           pkinit_anchors       file-name  is  assumed  to  be  the name of an
1085           pkinit_pool          OpenSSL-style ca-bundle  file.  The  ca-bundle
1086                                file should be base-64 encoded.
1087
1088
1089
1090       DIR:directory-name
1091
1092           This option has context-specific behavior.
1093
1094           pkinit_identities    directory-name   specifies  a  directory  with
1095                                files named *.crt and *.key, where  the  first
1096                                part of the file name is the same for matching
1097                                pairs of certificate and  private  key  files.
1098                                When  a  file  with a name ending with .crt is
1099                                found, a matching file  ending  with  .key  is
1100                                assumed to contain the private key. If no such
1101                                file is found, then  the  certificate  in  the
1102                                .crt is not used.
1103
1104
1105           pkintit_anchors      directory-name  is  assumed  to be an OpenSSL-
1106           pkinit_pool          style hashed CA directory where each  CA  cert
1107                                is  stored  in a file named hash-of-ca-cert.#.
1108                                This infrastructure  is  encouraged,  but  all
1109                                files in the directory is examined and if they
1110                                contain certificates (in PEM format), they are
1111                                used.
1112
1113
1114
1115       PKCS12:pkcs12-file-name
1116
1117           pkcs12-file-name  is the name of a PKCS #12 format file, containing
1118           the user's certificate and private key.
1119
1120
1121       PKCS11:[slotid=slot-id][:token=token-label][:certid=cert-id][:certla‐
1122       bel=cert-label]
1123
1124           All  keyword/values  are  optional.  PKCS11  modules  (for example,
1125           opensc-pkcs11.so) must be installed  as  a  crypto  provider  under
1126           libpkcs11(3LIB).  slotid=  and/or  token= can be specified to force
1127           the use of a particular smart card reader or token if there is more
1128           than  one  available. certid= and/or certlabel= can be specified to
1129           force the selection of a particular certificate on the device.  See
1130           the  pkinit_cert_match configuration option for more ways to select
1131           a particular certificate to use for pkinit.
1132
1133
1134       ENV:environment-variable-name
1135
1136           environment-variable-name specifies  the  name  of  an  environment
1137           variable  which  has  been  set to a value conforming to one of the
1138           previous values. For  example,  ENV:X509_PROXY,  where  environment
1139           variable X509_PROXY has been set to FILE:/tmp/my_proxy.pem.
1140
1141
1142   The [dbmodules] Section
1143       This  section consists of relations that provide configuration informa‐
1144       tion for plug-in modules. In particular,  the  relations  describe  the
1145       configuration  for  LDAP KDB plug-in. Use of the db2 KDB plug-in is the
1146       default behavior and that this section does not need to be  filled  out
1147       in that case.
1148
1149       db_library
1150
1151           Name  of  the plug-in library. To use the LDAP KDB plug-in the name
1152           must be kdb_ldap. The default value is db2.
1153
1154
1155       db_module_dir
1156
1157           Path to the plug-in libraries. The default is /usr/lib/krb5.
1158
1159
1160       ldap_cert_path
1161
1162           Path to the Network Security Services (NSS) trusted database for an
1163           SSL  connection.  This  is a required parameter when using the LDAP
1164           KDB plug-in.
1165
1166
1167       ldap_conns_per_server
1168
1169           Number of connections per LDAP instance. The default is 5.
1170
1171
1172       ldap_kadmind_dn
1173
1174           Bind DN for kadmind. This specifies the DN that the kadmind service
1175           uses  when  binding  to the LDAP Directory Server. The password for
1176           this bind DN should be in the ldap_service_password_file.
1177
1178
1179       ldap_kdc_dn
1180
1181           Bind DN for a Key Distribution Center (KDC). This specifies the  DN
1182           that  the  krb5kdc  service  use when binding to the LDAP Directory
1183           Server. The password for this bind DN should be  in  the  ldap_ser‐
1184           vice_password_file.
1185
1186
1187       ldap_servers
1188
1189           List  of LDAP directory servers in URI format. Use of either of the
1190           following is acceptable.
1191
1192             ldap://<ds hostname>:<SSL port>
1193             ldap://<ds hostname>
1194
1195
1196           Each server URI should be separated by whitespace.
1197
1198
1199       ldap_service_password_file
1200
1201           File containing stashed passwords used by the KDC when  binding  to
1202           the LDAP Directory Server. The default is /var/krb5/service_passwd.
1203           This file is created using kdb5_ldap_util(1M).
1204
1205
1206       ldap_ssl_port
1207
1208           Port number for SSL connection with directory server.  The  default
1209           is 389.
1210
1211

EXAMPLES

1213       Example 1 Sample File
1214
1215
1216       The following is an example of a generic krb5.conf file:
1217
1218
1219         [libdefaults]
1220            default_realm = ATHENA.MIT.EDU
1221            default_tkt_enctypes = des-cbc-crc
1222            default_tgs_enctypes = des-cbc-crc
1223
1224         [realms]
1225            ATHENA.MIT.EDU = {
1226               kdc = kerberos.mit.edu
1227               kdc = kerberos-1.mit.edu
1228               kdc = kerberos-2.mit.edu
1229               admin_server = kerberos.mit.edu
1230               auth_to_local_realm = KRBDEV.ATHENA.MIT.EDU
1231            }
1232
1233            FUBAR.ORG = {
1234               kdc = kerberos.fubar.org
1235               kdc = kerberos-1.fubar.org
1236               admin_server = kerberos.fubar.org
1237           }
1238
1239         [domain_realm]
1240            .mit.edu = ATHENA.MIT.EDU
1241            mit.edu = ATHENA.MIT.EDU
1242
1243
1244
1245       Example 2 KDC Using the LDAP KDB plug-in, realms and dbmodules Sections
1246
1247
1248       The  following  is an example of the realms and dbmodules sections of a
1249       Kerberos configuration file when the KDC is using the LDAP KDB plug-in.
1250
1251
1252         [realms]
1253             SUN.COM = {
1254                 kdc = kc-umpk-01.athena.mit.edu
1255                 kdc = kc-umpk-02.athena.mit.edu
1256                 admin_server = kc-umpk-01.athena.mit.edu
1257                 database_module = LDAP
1258             }
1259
1260         [dbmodules]
1261             LDAP = {
1262                 db_library = kdb_ldap
1263                 ldap_kerberos_container_dn = "cn=krbcontainer,dc=mit,dc=edu"
1264                 ldap_kdc_dn = "cn=kdc service,ou=profile,dc=mit,dc=edu"
1265                 ldap_kadmind_dn = "cn=kadmin service,ou=profile,dc=mit,dc=edu"
1266                 ldap_cert_path = /var/ldap
1267                 ldap_servers = ldaps://ds.mit.edu
1268             }
1269
1270
1271

FILES

1273       /var/krb5/kdc.log
1274
1275           KDC logging file
1276
1277

ATTRIBUTES

1279       See attributes(5) for descriptions of the following attributes:
1280
1281
1282
1283
1284       ┌─────────────────────────────┬─────────────────────────────┐
1285       │      ATTRIBUTE TYPE         │      ATTRIBUTE VALUE        │
1286       ├─────────────────────────────┼─────────────────────────────┤
1287       │Interface Stability          │See below.                   │
1288       └─────────────────────────────┴─────────────────────────────┘
1289
1290
1291       All of the keywords are Committed,  except  for  the  PKINIT  keywords,
1292       which are Volatile.
1293

SEE ALSO

1295       kinit(1),  rcp(1),  rdist(1), rlogin(1), rsh(1), telnet(1), syslog(3C),
1296       attributes(5), kerberos(5), regex(5)
1297

NOTES

1299       If the krb5.conf file is not formatted  properly,  the  telnet  command
1300       fails.  However,  the dtlogin and login commands still succeed, even if
1301       the krb5.conf file is specified as required for the commands.  If  this
1302       occurs, the following error message is displayed:
1303
1304         Error initializing krb5: Improper format of item
1305
1306
1307
1308
1309       To  bypass any other problems that might occur, you should fix the file
1310       as soon as possible.
1311
1312
1313       The max_life and max_renewable_life options are obsolete and is removed
1314       in a future release of the Solaris operating system.
1315
1316
1317
1318SunOS 5.11                        5 Jan 2009                      krb5.conf(4)
Impressum