1krb5.conf(4) File Formats krb5.conf(4)
2
3
4
6 krb5.conf - Kerberos configuration file
7
9 /etc/krb5/krb5.conf
10
11
13 The krb5.conf file contains Kerberos configuration information, includ‐
14 ing the locations of KDCs and administration daemons for the Kerberos
15 realms of interest, defaults for the current realm and for Kerberos
16 applications, and mappings of host names onto Kerberos realms. This
17 file must reside on all Kerberos clients.
18
19
20 The format of the krb5.conf consists of sections headings in square
21 brackets. Each section can contain zero or more configuration variables
22 (called relations), of the form:
23
24
25 relation= relation-value
26
27
28 or
29
30
31 relation-subsection = {
32 relation= relation-value
33 relation= relation-value
34
35
36 }
37
38
39 The krb5.conf file can contain any or all of the following sections:
40
41 libdefaults
42
43 Contains default values used by the Kerberos V5 library.
44
45
46 appdefaults
47
48 Contains subsections for Kerberos V5 applications, where relation-
49 subsection is the name of an application. Each subsection describes
50 application-specific defaults.
51
52
53 realms
54
55 Contains subsections for Kerberos realms, where relation-subsection
56 is the name of a realm. Each subsection contains relations that
57 define the properties for that particular realm.
58
59
60 domain_realm
61
62 Contains relations which map domain names and subdomains onto Ker‐
63 beros realm names. This is used by programs to determine what realm
64 a host should be in, given its fully qualified domain name.
65
66
67 logging
68
69 Contains relations which determine how Kerberos programs are to
70 perform logging.
71
72
73 capaths
74
75 Contains the authentication paths used with direct (nonhierarchi‐
76 cal) cross-realm authentication. Entries in this section are used
77 by the client to determine the intermediate realms which can be
78 used in cross-realm authentication. It is also used by the end-ser‐
79 vice when checking the transited field for trusted intermediate
80 realms.
81
82
83 dbmodules
84
85 Contains relations for Kerberos database plug-in-specific configu‐
86 ration information.
87
88
89 kdc
90
91 For a Key Distribution Center (KDC), can contain the location of
92 the kdc.conf file.
93
94
95 The [libdefaults] Section
96 The [libdefaults] section can contain any of the following relations:
97
98 database_module
99
100 Selects the dbmodule section entry to use to access the Kerberos
101 database. If this parameter is not present the code uses the stan‐
102 dard db2-based Kerberos database.
103
104
105 default_keytab_name
106
107 Specifies the default keytab name to be used by application servers
108 such as telnetd and rlogind. The default is /etc/krb5/krb5.keytab.
109
110
111 default_realm
112
113 Identifies the default Kerberos realm for the client. Set its value
114 to your Kerberos realm.
115
116
117 default_tgs_enctypes
118
119 Identifies the supported list of session key encryption types that
120 should be returned by the KDC. The list can be delimited with com‐
121 mas or whitespace. The supported encryption types are des3-cbc-
122 sha1-kd, des-cbc-crc, des-cbc-md5, arcfour-hmac-md5, arcfour-hmac-
123 md5-exp, aes128-cts-hmac-sha1-96, and aes256-cts-hmac-sha1-96.
124
125
126 default_tkt_enctypes
127
128 Identifies the supported list of session key encryption types that
129 should be requested by the client. The format is the same as for
130 default_tgs_enctypes. The supported encryption types are des3-cbc-
131 sha1-kd, des-cbc-crc, des-cbc-md5, arcfour-hmac-md5, arcfour-hmac-
132 md5-exp, aes128-cts-hmac-sha1-96, and aes256-cts-hmac-sha1-96.
133
134
135 clockskew
136
137 Sets the maximum allowable amount of clock skew in seconds that the
138 library tolerates before assuming that a Kerberos message is
139 invalid. The default value is 300 seconds, or five minutes.
140
141
142 forwardable = [true | false]
143
144 Sets the "forwardable" flag in all tickets. This allows users to
145 transfer their credentials from one host to another without reau‐
146 thenticating. This option can also be set in the [appdefaults] or
147 [realms] section (see below) to limit its use in particular appli‐
148 cations or just to a specific realm.
149
150
151 permitted_enctypes
152
153 This relation controls the encryption types for session keys per‐
154 mitted by server applications that use Kerberos for authentication.
155 In addition, it controls the encryption types of keys added to a
156 keytab by means of the kadmin(1M) ktadd command. The default is:
157 aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-hmac-
158 sha1-kd, arcfour-hmac-md5, arcfour-hmac-md5-exp, des-cbc-md5, des-
159 cbc-crc.
160
161
162 proxiable = [true | false]
163
164 Sets the proxiable flag in all tickets. This allows users to create
165 a proxy ticket that can be transferred to a kerberized service to
166 allow that service to perform some function on behalf of the origi‐
167 nal user. This option can also be set in the [appdefaults] or
168 [realms] section (see below) to limit its use in particular appli‐
169 cations or just to a specific realm.
170
171
172 renew_lifetime =lifetime
173
174 Requests renewable tickets, with a total lifetime of lifetime. The
175 value for lifetime must be followed immediately by one of the fol‐
176 lowing delimiters:
177
178 s
179
180 seconds
181
182
183 m
184
185 minutes
186
187
188 h
189
190 hours
191
192
193 d
194
195 days
196
197 Example:
198
199 renew_lifetime = 90m
200
201
202 Do not mix units. A value of "3h30m" results in an error.
203
204
205 max_lifetime =lifetime
206
207 Sets the requested maximum lifetime of the ticket. The values for
208 lifetime follow the format described for the renew_lifetime option,
209 above.
210
211
212 dns_lookup_kdc
213
214 Indicates whether DNS SRV records need to be used to locate the
215 KDCs and the other servers for a realm, if they have not already
216 been listed in the [realms] section. This option makes the machine
217 vulnerable to a certain type of DoS attack if somone spoofs the DNS
218 records and does a redirect to another server. This is, however, no
219 worse than a DoS, since the bogus KDC is unable to decode anything
220 sent (excepting the initial ticket request, which has no encrypted
221 data). Also, anything the fake KDC sends out isl not trusted with‐
222 out verification (the local machine is unaware of the secret key to
223 be used). If dns_lookup_kdc is not specified but dns_fallback is,
224 then that value is used instead. In either case, values (if
225 present) in the [realms] section override DNS. dns_lookup_kdc is
226 enabled by default.
227
228
229 dns_lookup_realm
230
231 Indicates whether DNS TXT records need to be used to determine the
232 Kerberos realm information and/or the host/domain name-to-realm
233 mapping of a host, if this information is not already present in
234 the krb5.conf file. Enabling this option might make the host vul‐
235 nerable to a redirection attack, wherein spoofed DNS replies per‐
236 suade a client to authenticate to the wrong realm. In a realm with
237 no cross-realm trusts, this a DoS attack. If dns_lookup_realm is
238 not specified but dns_fallback is, then that value is used instead.
239 In either case, values (if present) in the [libdefaults] and
240 [domain_realm] sections override DNS.
241
242
243 dns_fallback
244
245 Generic flag controlling the use of DNS for retrieval of informa‐
246 tion about Kerberos servers and host/domain name-to-realm mapping.
247 If both dns_lookup_kdc and dns_lookup_realm have been specified,
248 this option has no effect.
249
250
251 verify_ap_req_nofail [true | false]
252
253 If true, the local keytab file (/etc/krb5/krb5.keytab) must contain
254 an entry for the local host principal, for example,
255 host/foo.bar.com@FOO.COM. This entry is needed to verify that the
256 TGT requested was issued by the same KDC that issued the key for
257 the host principal. If undefined, the behavior is as if this option
258 were set to true. Setting this value to false leaves the system
259 vulnerable to DNS spoofing attacks. This parameter can be in the
260 [realms] section to set it on a per-realm basis, or it can be in
261 the [libdefaults] section to make it a network-wide setting for all
262 realms.
263
264
265 The [appdefaults] Section
266 This section contains subsections for Kerberos V5 applications, where
267 relation-subsection is the name of an application. Each subsection con‐
268 tains relations that define the default behaviors for that application.
269
270
271 The following relations can be found in the [appdefaults] section,
272 though not all relations are recognized by all kerberized applications.
273 Some are specific to particular applications.
274
275 autologin = [true | false]
276
277 Forces the application to attempt automatic login by presenting
278 Kerberos credentials. This is valid for the following applications:
279 rlogin, rsh, rcp, rdist, and telnet.
280
281
282 encrypt = [true | false]
283
284 Forces applications to use encryption by default (after authentica‐
285 tion) to protect the privacy of the sessions. This is valid for the
286 following applications: rlogin, rsh, rcp, rdist, and telnet.
287
288
289 forward = [true | false]
290
291 Forces applications to forward the user'ss credentials (after
292 authentication) to the remote server. This is valid for the follow‐
293 ing applications: rlogin, rsh, rcp, rdist, and telnet.
294
295
296 forwardable = [true | false]
297
298 See the description in the [libdefaults] section above. This is
299 used by any application that creates a ticket granting ticket and
300 also by applications that can forward tickets to a remote server.
301
302
303 proxiable = [true | false]
304
305 See the description in the [libdefaults] section above. This is
306 used by any application that creates a ticket granting ticket.
307
308
309 renewable = [true | false]
310
311 Creates a TGT that can be renewed (prior to the ticket expiration
312 time). This is used by any application that creates a ticket grant‐
313 ing ticket.
314
315
316 no_addresses = [true | false]
317
318 Creates tickets with no address bindings. This is to allow tickets
319 to be used across a NAT boundary or when using multi-homed systems.
320 This option is valid in the kinit [appdefault] section only.
321
322
323 max_life =lifetime
324
325 Sets the maximum lifetime of the ticket, with a total lifetime of
326 lifetime. The values for lifetime follow the format described in
327 the [libdefaults] section above. This option is obsolete and is
328 removed in a future release of the Solaris operating system.
329
330
331 max_renewable_life =lifetime
332
333 Requests renewable tickets, with a total lifetime of lifetime. The
334 values for lifetime follow the format described in the [libde‐
335 faults] section above. This option is obsolete and is removed in a
336 future release of the Solaris operating system.
337
338
339 rcmd_protocol = [ rcmdv1 | rcmdv2 ]
340
341 Specifies which Kerberized "rcmd" protocol to use when using the
342 Kerberized rlogin(1), rsh(1), rcp(1), or rdist(1) programs. The
343 default is to use rcmdv2 by default, as this is the more secure and
344 more recent update of the protocol. However, when talking to older
345 MIT or SEAM-based "rcmd" servers, it can be necessary to force the
346 new clients to use the older rcmdv1 protocol. This option is valid
347 only for the following applications: rlogin, rcp, rsh, and rdist.
348
349
350 gkadmin = {
351 help_url = \
352 http://docs.sun.com/app/docs/doc/816-4557/6maosrjmr?q=gkadmin&a=view
353 }
354
355
356
357
358 The preceding URL is subject to change. On the docs.sun.com web site,
359 view the chapter on the Solaris Kerberos implementation in the System
360 Administration Guide: Security Services.
361
362
363 The following application defaults can be set to true or false:
364
365 kinit
366 forwardable = true
367 proxiable = true
368 renewable = true
369 no_addresses = true
370 max_life = delta_time
371 max_renewable_life = delta_time
372
373
374
375
376 See kinit(1) for the valid time duration formats you can specify for
377 delta_time.
378
379
380 In the following example, kinit gets forwardable tickets by default and
381 telnet has three default behaviors specified:
382
383 [appdefaults]
384 kinit = {
385 forwardable = true
386 }
387
388 telnet = {
389 forward = true
390 encrypt = true
391 autologin = true
392 }
393
394
395
396
397 The application defaults specified here are overridden by those speci‐
398 fied in the [realms] section.
399
400 The [realms] Section
401 This section contains subsections for Kerberos realms, where relation-
402 subsection is the name of a realm. Each subsection contains relations
403 that define the properties for that particular realm. The following
404 relations can be specified in each [realms] subsection:
405
406 admin_server
407
408 Identifies the host where the Kerberos administration daemon (kad‐
409 mind) is running. Typically, this is the master KDC.
410
411
412 application defaults
413
414 Application defaults that are specific to a particular realm can be
415 specified within a [realms] subsection. Realm-specific application
416 defaults override the global defaults specified in the [appde‐
417 faults] section.
418
419
420 auth_to_local_realm
421
422 For use in the default realm, non-default realms can be equated
423 with the default realm for authenticated name-to-local name map‐
424 ping.
425
426
427 auth_to_local_names
428
429 This subsection allows you to set explicit mappings from principal
430 names to local user names. The tag is the mapping name and the
431 value is the corresponding local user name.
432
433
434 auth_to_local
435
436 This tag allows you to set a general rule for mapping principal
437 names to local user names. It is used if there is not an explicit
438 mapping for the principal name that is being translated. The possi‐
439 ble values are:
440
441 RULE:[<ncomps>:<format>](<regex>)s/<regex>/<text>/
442
443 Each rule has three parts:
444
445 First part—Formulate the string on which to perform operations:
446
447 If not present then the string defaults to the fully flattened
448 principal minus the realm name. Otherwise the syntax is as fol‐
449 lows:
450
451 "[" <ncomps> ":" <format> "]"
452
453 Where:
454
455 <ncomps> is the number of expected components for this rule. If
456 the particular principal does not have this number of compo‐
457 nents, then this rule does not apply.
458
459 <format> is a string of <component> or verbatim characters to
460 be inserted.
461
462 <component> is of the form "$"<number> to select the <number>th
463 component. <number> begins from 1.
464
465
466 Second part—select rule validity:
467
468 If not present, this rule can apply to all selections. Other‐
469 wise the syntax is as follows:
470
471 "(" <regex> ")"
472
473 Where:
474
475 <regex> is a selector regular expression. If this regular
476 expression matches the whole pattern generated from the first
477 part, then this rule still applies.
478
479
480 Third part—Transform rule:
481
482 If not present, then the selection string is passed verbatim
483 and is matched. Otherwise, the syntax is as follows:
484
485 <rule> ...
486
487 Where:
488
489 <rule> is of the form:
490
491 "s/" <regex> "/" <text> "/" ["g"]
492
493 Regular expressions are defined in regex(5).
494
495 For example:
496
497 auth_to_local = RULE:[1:$1@$0](.*@.*ACME.COM)s/@.*//
498
499 The preceding maps username@ACME.COM and all sub-realms of
500 ACME.COM to username.
501
502
503 DEFAULT
504
505 The principal name is used as the local name. If the principal
506 has more than one component or is not in the default realm,
507 this rule is not applicable and the conversion fails.
508
509
510
511 database_module
512
513 Selects the dbmodule section entry to use to access the Kerberos
514 database.
515
516
517 extra_addresses...
518
519 This allows a computer to use multiple local addresses, to allow
520 Kerberos to work in a network that uses NATs. The addresses should
521 be in a comma-separated list.
522
523
524 kdc
525
526 The name of a host running a KDC for that realm. An optional port
527 number (separated from the hostname by a colon) can be included.
528
529
530 kpasswd_server
531
532 Identifies the host where the Kerberos password-changing server is
533 running. Typically, this is the same as host indicated in the
534 admin_server. If this parameter is omitted, the host in
535 admin_server is used. You can also specify a port number if the
536 server indicated by kpasswd_server runs on a port other than 464
537 (the default). The format of this parameter is: hostname[:port].
538
539
540 kpasswd_protocol
541
542 Identifies the protocol to be used when communicating with the
543 server indicated by kpasswd_server. By default, this parameter is
544 defined to be RPCSEC_GSS, which is the protocol used by Solaris-
545 based administration servers. To be able to change a principal's
546 password stored on non-Solaris Kerberos server, such as Microsoft
547 Active Directory or MIT Kerberos, this value should be SET_CHANGE.
548 This indicates that a non-RPC- based protocol is used to communi‐
549 cate the password change request to the server in the
550 kpasswd_server entry.
551
552
553 udp_preference_limit
554
555 When sending a message to the KDC, the library tries using TCP
556 before UDP if the size of the message is above udp_prefer‐
557 ence_limit. If the message is smaller than udp_preference_limit,
558 then UDP is tried before TCP. Regardless of the size, both proto‐
559 cols are tried if the first attempt fails.
560
561
562 verify_ap_req_nofail [true | false]
563
564 If true, the local keytab file (/etc/krb5/krb5.keytab) must contain
565 an entry for the local host principal, for example,
566 host/foo.bar.com@FOO.COM. This entry is needed to verify that the
567 TGT requested was issued by the same KDC that issued the key for
568 the host principal. If undefined, the behavior is as if this option
569 were set to true. Setting this value to false leaves the system
570 vulnerable to DNS spoofing attacks. This parameter might be in the
571 [realms] section to set it on a per-realm basis, or it might be in
572 the [libdefaults] section to make it a network-wide setting for all
573 realms.
574
575
576
577 The parameters "forwardable", "proxiable", and "renew_lifetime" as
578 described in the [libdefaults] section (see above) are also valid in
579 the [realms] section.
580
581
582 Notice that kpasswd_server and kpasswd_protocol are realm-specific
583 parameters. Most often, you need to specify them only when using a non-
584 Solaris-based Kerberos server. Otherwise, the change request is sent
585 over RPCSEC_GSS to the Solaris Kerberos administration server.
586
587 The [domain_realm] Section
588 This section provides a translation from a domain name or hostname to a
589 Kerberos realm name. The relation can be a host name, or a domain name,
590 where domain names are indicated by a period (`.') prefix. relation-
591 value is the Kerberos realm name for that particular host or domain.
592 Host names and domain names should be in lower case.
593
594
595 If no translation entry applies, the host's realm is considered to be
596 the hostname's domain portion converted to upper case. For example, the
597 following [domain_realm] section maps crash.mit.edu into the
598 TEST.ATHENA.MIT.EDU realm:
599
600 [domain_realm]
601 .mit.edu = ATHENA.MIT.EDU
602 mit.edu = ATHENA.MIT.EDU
603 crash.mit.edu = TEST.ATHENA.MIT.EDU
604 .fubar.org = FUBAR.ORG
605 fubar.org = FUBAR.ORG
606
607
608
609
610 All other hosts in the mit.edu domain maps by default to the
611 ATHENA.MIT.EDU realm, and all hosts in the fubar.org domain maps by
612 default into the FUBAR.ORG realm. The entries for the hosts mit.edu and
613 fubar.org. Without these entries, these hosts would be mapped into the
614 Kerberos realms EDU and ORG, respectively.
615
616 The [logging] Section
617 This section indicates how Kerberos programs are to perform logging.
618 There are two types of relations for this section: relations to specify
619 how to log and a relation to specify how to rotate kdc log files.
620
621
622 The following relations can be defined to specify how to log. The same
623 relation can be repeated if you want to assign it multiple logging
624 methods.
625
626 admin_server
627
628 Specifies how to log the Kerberos administration daemon (kadmind).
629 The default is FILE:/var/krb5/kadmin.log.
630
631
632 default
633
634 Specifies how to perform logging in the absence of explicit speci‐
635 fications otherwise.
636
637
638 kdc
639
640 Specifies how the KDC is to perform its logging. The default is
641 FILE:/var/krb5/kdc.log.
642
643
644
645 The admin_server, default, and kdc relations can have the following
646 values:
647
648 FILE:filename
649 FILE=filename
650
651 This value causes the entity's logging messages to go to the speci‐
652 fied file. If the `=' form is used, the file is overwritten. If the
653 `:' form is used, the file is appended to.
654
655
656 STDERR
657
658 This value causes the entity's logging messages to go to its stan‐
659 dard error stream.
660
661
662 CONSOLE
663
664 This value causes the entity's logging messages to go to the con‐
665 sole, if the system supports it.
666
667
668 DEVICE=devicename
669
670 This causes the entity's logging messages to go to the specified
671 device.
672
673
674 SYSLOG[:severity[:facility]]
675
676 This causes the entity's logging messages to go to the system log.
677
678
679
680 The severity argument specifies the default severity of system log mes‐
681 sages. This can be any of the following severities supported by the
682 syslog(3C) call, minus the LOG_ prefix: LOG_EMERG, LOG_ALERT, LOG_CRIT,
683 LOG_ERR, LOG_WARNING, LOG_NOTICE, LOG_INFO, and LOG_DEBUG. For example,
684 a value of CRIT would specify LOG_CRIT severity.
685
686
687 The facility argument specifies the facility under which the messages
688 are logged. This can be any of the following facilities supported by
689 the syslog(3C) call minus the LOG_ prefix: LOG_KERN, LOG_USER,
690 LOG_MAIL, LOG_DAEMON, LOG_AUTH, LOG_LPR, LOG_NEWS, LOG_UUCP, LOG_CRON,
691 and LOG_LOCAL0 through LOG_LOCAL7.
692
693
694 If no severity is specified, the default is ERR. If no facility is
695 specified, the default is AUTH.
696
697
698 The following relation can be defined to specify how to rotate kdc log
699 files if the FILE: value is being used to log:
700
701 kdc_rotate
702
703 A relation subsection that enables kdc logging to be rotated to
704 multiple files based on a time interval. This can be used to avoid
705 logging to one file, which might grow too large and bring the KDC
706 to a halt.
707
708
709
710 The time interval for the rotation is specified by the period relation.
711 The number of log files to be rotated is specified by the versions
712 relation. Both the period and versions (described below) should be
713 included in this subsection. And, this subsection applies only if the
714 kdc relation has a FILE: value.
715
716
717 The following relations can be specified for the kdc_rotate relation
718 subsection:
719
720 period=delta_time
721
722 Specifies the time interval before a new log file is created. See
723 the TimeFormats section in kinit(1) for the valid time duration
724 formats you can specify for delta_time. If period is not specified
725 or set to never, no rotation occurs.
726
727
728
729 Specifying a time interval does not mean that the log files are rotated
730 at the time interval based on real time. This is because the time
731 interval is checked at each attempt to write a record to the log, or
732 when logging is actually occurring. Therefore, rotation occurs only
733 when logging has actually occurred for the specified time interval.
734
735 versions=number
736
737 Specifies how many previous versions are saved before the rotation
738 begins. A number is appended to the log file, starting with 0 and
739 ending with (number - 1). For example, if versions is set to 2, up
740 to three logging files are created (filename, filename.0, and file‐
741 name.1) before the first one is overwritten to begin the rotation.
742
743
744
745 Notice that if versions is not specified or set to 0, only one log file
746 is created, but it is overwritten whenever the time interval is met.
747
748
749 In the following example, the logging messages from the Kerberos admin‐
750 istration daemon goes to the console. The logging messages from the KDC
751 is appended to the /var/krb5/kdc.log, which is rotated between twenty-
752 one log files with a specified time interval of a day.
753
754 [logging]
755 admin_server = CONSOLE
756 kdc = FILE:/export/logging/kadmin.log
757 kdc_rotate = {
758 period = 1d
759 versions = 20
760 }
761
762
763
764 The [capaths] Section
765 In order to perform direct (non-hierarchical) cross-realm authentica‐
766 tion, a database is needed to construct the authentication paths
767 between the realms. This section defines that database.
768
769
770 A client uses this section to find the authentication path between its
771 realm and the realm of the server. The server uses this section to ver‐
772 ify the authentication path used by the client, by checking the tran‐
773 sited field of the received ticket.
774
775
776 There is a subsection for each participating realm, and each subsection
777 has relations named for each of the realms. The relation-value is an
778 intermediate realm which can participate in the cross-realm authentica‐
779 tion. The relations can be repeated if there is more than one interme‐
780 diate realm. A value of '.' means that the two realms share keys
781 directly, and no intermediate realms should be allowed to participate.
782
783
784 There are n**2 possible entries in this table, but only those entries
785 which is needed on the client or the server need to be present. The
786 client needs a subsection named for its local realm, with relations
787 named for all the realms of servers it needs to authenticate with. A
788 server needs a subsection named for each realm of the clients it
789 serves.
790
791
792 For example, ANL.GOV, PNL.GOV, and NERSC.GOV all wish to use the ES.NET
793 realm as an intermediate realm. ANL has a sub realm of TEST.ANL.GOV,
794 which authenticates with NERSC.GOV but not PNL.GOV. The [capath] sec‐
795 tion for ANL.GOV systems would look like this:
796
797 [capaths]
798 ANL.GOV = {
799 TEST.ANL.GOV = .
800 PNL.GOV = ES.NET
801 NERSC.GOV = ES.NET
802 ES.NET = .
803 }
804
805 TEST.ANL.GOV = {
806 ANL.GOV = .
807 }
808
809 PNL.GOV = {
810 ANL.GOV = ES.NET
811 }
812
813 NERSC.GOV = {
814 ANL.GOV = ES.NET
815 }
816
817 ES.NET = {
818 ANL.GOV = .
819 }
820
821
822
823
824 The [capath] section of the configuration file used on NERSC.GOV sys‐
825 tems would look like this:
826
827 [capaths]
828 NERSC.GOV = {
829 ANL.GOV = ES.NET
830 TEST.ANL.GOV = ES.NET
831 TEST.ANL.GOV = ANL.GOV
832 PNL.GOV = ES.NET
833 ES.NET = .
834 }
835
836 ANL.GOV = {
837 NERSC.GOV = ES.NET
838 }
839
840 PNL.GOV = {
841 NERSC.GOV = ES.NET
842 }
843
844 ES.NET = {
845 NERSC.GOV = .
846 }
847
848 TEST.ANL.GOV = {
849 NERSC.GOV = ANL.GOV
850 NERSC.GOV = ES.NET
851 }
852
853
854
855
856 In the above examples, the ordering is not important, except when the
857 same relation is used more than once. The client uses this to determine
858 the path. (It is not important to the server, since the transited field
859 is not sorted.)
860
861 PKINIT-specific Options
862 The following are pkinit-specific options. These values can be speci‐
863 fied in [libdefaults] as global defaults, or within a realm-specific
864 subsection of [libdefaults], or can be specified as realm-specific val‐
865 ues in the [realms] section. A realm-specific value overrides, does not
866 add to, a generic [libdefaults] specification.
867
868
869 The search order is:
870
871 1. realm-specific subsection of [libdefaults]
872
873 [libdefaults]
874 EXAMPLE.COM = {
875 pkinit_anchors = FILE:/usr/local/example.com.crt
876
877
878 2. realm-specific value in the [realms] section
879
880 [realms]
881 OTHERREALM.ORG = {
882 pkinit_anchors = FILE:/usr/local/otherrealm.org.crt
883
884
885 3. generic value in the [libdefaults] section
886
887 [libdefaults]
888 pkinit_anchors = DIR:/usr/local/generic_trusted_cas/
889
890
891
892 The syntax for specifying Public Key identity, trust, and revocation
893 information for pkinit is as follows:
894
895 pkinit_identities = URI
896
897 Specifies the location(s) to be used to find the user's X.509 iden‐
898 tity information. This option can be specified multiple times.
899 Each value is attempted in order until identity information is
900 found and authentication is attempted. These values are not used if
901 the user specifies X509_user_identity on the command line.
902
903 Valid URI types are FILE, DIR, PKCS11, PKCS12, and ENV. See the
904 PKINIT URI Types section for more details.
905
906
907 pkinit_anchors = URI
908
909 Specifies the location of trusted anchor (root) certificates which
910 the client trusts to sign KDC certificates. This option can be
911 specified multiple times. These values from the config file are
912 not used if the user specifies X509_anchors on the command line.
913
914 Valid URI types are FILE and DIR. See the PKINIT URI Types section
915 for more details.
916
917
918 pkinit_pool = URI
919
920 Specifies the location of intermediate certificates which can be
921 used by the client to complete the trust chain between a KDC cer‐
922 tificate and a trusted anchor. This option can be specified multi‐
923 ple times.
924
925 Valid URI types are FILE and DIR. See the PKINIT URI Types
926 section for more details.
927
928
929 pkinit_revoke = URI
930
931 Specifies the location of Certificate Revocation List (CRL) infor‐
932 mation to be used by the client when verifying the validity of the
933 KDC certificate presented. This option can be specified multiple
934 times.
935
936 The only valid URI type is DIR. See the PKINIT URI Types section
937 for more details.
938
939
940 pkinit_require_crl_checking = value
941
942 The default certificate verification process always checks the
943 available revocation information to see if a certificate has been
944 revoked. If a match is found for the certificate in a CRL, verifi‐
945 cation fails. If the certificate being verified is not listed in a
946 CRL, or there is no CRL present for its issuing CA, and
947 pkinit_require_crl_checking is false, then verification succeeds.
948 However, if pkinit_require_crl_checking is true and there is no CRL
949 information available for the issuing CA, then verification fails.
950 pkinit_require_crl_checking should be set to true if the policy is
951 such that up-to-date CRLs must be present for every CA.
952
953
954 pkinit_dh_min_bits = value
955
956 Specifies the size of the Diffie-Hellman key the client attempts to
957 use. The acceptable values are currently 1024, 2048, and 4096. The
958 default is 2048.
959
960
961 pkinit_win2k = value
962
963 This flag specifies whether the target realm is assumed to support
964 only the old, pre-RFC version of the protocol. The default is
965 false.
966
967
968 pkinit_win2k_require_binding = value
969
970 If this flag is set to true, it expects that the target KDC is
971 patched to return a reply with a checksum rather than a nonce. The
972 default is false.
973
974
975 pkinit_eku_checking = value
976
977 This option specifies what Extended Key Usage value the KDC cer‐
978 tificate presented to the client must contain. If the KDC certifi‐
979 cate has the pkinit SubjectAlternativeName encoded as the Kerberos
980 TGS name, EKU checking is not necessary since the issuing CA has
981 certified this as a KDC certificate. The values recognized in the
982 krb5.conf file are:
983
984 kpKDC This is the default value and specifies that the
985 KDC must have the id-pkinit-KPKdc EKU as defined in
986 RFC4556.
987
988
989 kpServerAuth If kpServerAuth is specified, a KDC certificate
990 with the id-kp-serverAuth EKU as used by Microsoft
991 is accepted.
992
993
994 none If none is specified, then the KDC certificate is
995 not checked to verify it has an acceptable EKU. The
996 use of this option is not recommended.
997
998
999
1000 pkinit_kdc_hostname = value
1001
1002 The presense of this option indicates that the client is willing to
1003 accept a KDC certificate with a dNSName SAN (Subject Alternative
1004 Name) rather than requiring the id-pkinit-san as defined in
1005 RFC4556. This option can be specified multiple times. Its value
1006 should contain the acceptable hostname for the KDC (as contained in
1007 its certificate).
1008
1009
1010 pkinit_cert_match = rule
1011
1012 Specifies matching rules that the client certificate must match
1013 before it is used to attempt pkinit authentication. If a user has
1014 multiple certificates available (on a smart card, or by way of
1015 another media), there must be exactly one certificate chosen before
1016 attempting pkinit authentication. This option can be specified
1017 multiple times. All the available certificates are checked against
1018 each rule in order until there is a match of exactly one certifi‐
1019 cate.
1020
1021 The Subject and Issuer comparison strings are the RFC2253 string
1022 representations from the certificate Subject DN and Issuer DN val‐
1023 ues.
1024
1025 The syntax of the matching rules is:
1026
1027 [relation-operator]component-rule `...'
1028
1029 where
1030
1031 relation-operator Specify relation-operator as &&, meaning all
1032 component rules must match, or ||, meaning
1033 only one component rule must match. If rela‐
1034 tion-operator is not specified, the default is
1035 &&.
1036
1037
1038 component-rule There is no punctuation or white space between
1039 component rules.Specify component-rule as one
1040 of the following:
1041
1042 `<SUBJECT>'regular-expression
1043
1044 `<ISSUER>'regular-expression
1045
1046 `<SAN>'regular-expression
1047
1048 `<EKU>'extended-key-usage-list
1049 where extended-key-usage-list is a comma-separated list
1050 of required Extended Key Usage values. All values in
1051 the list must be present in the certificate.
1052 `pkinit'
1053 `msScLogin'
1054 `clientAuth'
1055 `emailProtection'
1056 `<KU>'key-usage-list
1057 where key-usage-list is a comma-separated list of
1058 required Key Usage values. All values in the list must
1059 be present in the certificate.
1060 `digitalSignature'
1061
1062
1063 Examples:
1064
1065 pkinit_cert_match = ||<SUBJECT>.*DoE.*<SAN>.*@EXAMPLE.COM
1066 pkinit_cert_match = &&<EKU>msScLogin,clientAuth<ISSUER>.*DoE.*
1067 pkinit_cert_match = <EKU>msScLogin,clientAuth<KU>digitalSignature
1068
1069
1070
1071 PKINIT URI Types
1072 FILE:file-name[,key-file-name]
1073
1074 This option has context-specific behavior.
1075
1076 pkinit_identities file-name specifies the name of a PEM-format
1077 file containing the user's certificate. If
1078 key-file-name is not specified, the user's
1079 private key is expected to be in file-name as
1080 well. Otherwise, key-file-name is the name of
1081 the file containing the private key.
1082
1083
1084 pkinit_anchors file-name is assumed to be the name of an
1085 pkinit_pool OpenSSL-style ca-bundle file. The ca-bundle
1086 file should be base-64 encoded.
1087
1088
1089
1090 DIR:directory-name
1091
1092 This option has context-specific behavior.
1093
1094 pkinit_identities directory-name specifies a directory with
1095 files named *.crt and *.key, where the first
1096 part of the file name is the same for matching
1097 pairs of certificate and private key files.
1098 When a file with a name ending with .crt is
1099 found, a matching file ending with .key is
1100 assumed to contain the private key. If no such
1101 file is found, then the certificate in the
1102 .crt is not used.
1103
1104
1105 pkintit_anchors directory-name is assumed to be an OpenSSL-
1106 pkinit_pool style hashed CA directory where each CA cert
1107 is stored in a file named hash-of-ca-cert.#.
1108 This infrastructure is encouraged, but all
1109 files in the directory is examined and if they
1110 contain certificates (in PEM format), they are
1111 used.
1112
1113
1114
1115 PKCS12:pkcs12-file-name
1116
1117 pkcs12-file-name is the name of a PKCS #12 format file, containing
1118 the user's certificate and private key.
1119
1120
1121 PKCS11:[slotid=slot-id][:token=token-label][:certid=cert-id][:certla‐
1122 bel=cert-label]
1123
1124 All keyword/values are optional. PKCS11 modules (for example,
1125 opensc-pkcs11.so) must be installed as a crypto provider under
1126 libpkcs11(3LIB). slotid= and/or token= can be specified to force
1127 the use of a particular smart card reader or token if there is more
1128 than one available. certid= and/or certlabel= can be specified to
1129 force the selection of a particular certificate on the device. See
1130 the pkinit_cert_match configuration option for more ways to select
1131 a particular certificate to use for pkinit.
1132
1133
1134 ENV:environment-variable-name
1135
1136 environment-variable-name specifies the name of an environment
1137 variable which has been set to a value conforming to one of the
1138 previous values. For example, ENV:X509_PROXY, where environment
1139 variable X509_PROXY has been set to FILE:/tmp/my_proxy.pem.
1140
1141
1142 The [dbmodules] Section
1143 This section consists of relations that provide configuration informa‐
1144 tion for plug-in modules. In particular, the relations describe the
1145 configuration for LDAP KDB plug-in. Use of the db2 KDB plug-in is the
1146 default behavior and that this section does not need to be filled out
1147 in that case.
1148
1149 db_library
1150
1151 Name of the plug-in library. To use the LDAP KDB plug-in the name
1152 must be kdb_ldap. The default value is db2.
1153
1154
1155 db_module_dir
1156
1157 Path to the plug-in libraries. The default is /usr/lib/krb5.
1158
1159
1160 ldap_cert_path
1161
1162 Path to the Network Security Services (NSS) trusted database for an
1163 SSL connection. This is a required parameter when using the LDAP
1164 KDB plug-in.
1165
1166
1167 ldap_conns_per_server
1168
1169 Number of connections per LDAP instance. The default is 5.
1170
1171
1172 ldap_kadmind_dn
1173
1174 Bind DN for kadmind. This specifies the DN that the kadmind service
1175 uses when binding to the LDAP Directory Server. The password for
1176 this bind DN should be in the ldap_service_password_file.
1177
1178
1179 ldap_kdc_dn
1180
1181 Bind DN for a Key Distribution Center (KDC). This specifies the DN
1182 that the krb5kdc service use when binding to the LDAP Directory
1183 Server. The password for this bind DN should be in the ldap_ser‐
1184 vice_password_file.
1185
1186
1187 ldap_servers
1188
1189 List of LDAP directory servers in URI format. Use of either of the
1190 following is acceptable.
1191
1192 ldap://<ds hostname>:<SSL port>
1193 ldap://<ds hostname>
1194
1195
1196 Each server URI should be separated by whitespace.
1197
1198
1199 ldap_service_password_file
1200
1201 File containing stashed passwords used by the KDC when binding to
1202 the LDAP Directory Server. The default is /var/krb5/service_passwd.
1203 This file is created using kdb5_ldap_util(1M).
1204
1205
1206 ldap_ssl_port
1207
1208 Port number for SSL connection with directory server. The default
1209 is 389.
1210
1211
1213 Example 1 Sample File
1214
1215
1216 The following is an example of a generic krb5.conf file:
1217
1218
1219 [libdefaults]
1220 default_realm = ATHENA.MIT.EDU
1221 default_tkt_enctypes = des-cbc-crc
1222 default_tgs_enctypes = des-cbc-crc
1223
1224 [realms]
1225 ATHENA.MIT.EDU = {
1226 kdc = kerberos.mit.edu
1227 kdc = kerberos-1.mit.edu
1228 kdc = kerberos-2.mit.edu
1229 admin_server = kerberos.mit.edu
1230 auth_to_local_realm = KRBDEV.ATHENA.MIT.EDU
1231 }
1232
1233 FUBAR.ORG = {
1234 kdc = kerberos.fubar.org
1235 kdc = kerberos-1.fubar.org
1236 admin_server = kerberos.fubar.org
1237 }
1238
1239 [domain_realm]
1240 .mit.edu = ATHENA.MIT.EDU
1241 mit.edu = ATHENA.MIT.EDU
1242
1243
1244
1245 Example 2 KDC Using the LDAP KDB plug-in, realms and dbmodules Sections
1246
1247
1248 The following is an example of the realms and dbmodules sections of a
1249 Kerberos configuration file when the KDC is using the LDAP KDB plug-in.
1250
1251
1252 [realms]
1253 SUN.COM = {
1254 kdc = kc-umpk-01.athena.mit.edu
1255 kdc = kc-umpk-02.athena.mit.edu
1256 admin_server = kc-umpk-01.athena.mit.edu
1257 database_module = LDAP
1258 }
1259
1260 [dbmodules]
1261 LDAP = {
1262 db_library = kdb_ldap
1263 ldap_kerberos_container_dn = "cn=krbcontainer,dc=mit,dc=edu"
1264 ldap_kdc_dn = "cn=kdc service,ou=profile,dc=mit,dc=edu"
1265 ldap_kadmind_dn = "cn=kadmin service,ou=profile,dc=mit,dc=edu"
1266 ldap_cert_path = /var/ldap
1267 ldap_servers = ldaps://ds.mit.edu
1268 }
1269
1270
1271
1273 /var/krb5/kdc.log
1274
1275 KDC logging file
1276
1277
1279 See attributes(5) for descriptions of the following attributes:
1280
1281
1282
1283
1284 ┌─────────────────────────────┬─────────────────────────────┐
1285 │ ATTRIBUTE TYPE │ ATTRIBUTE VALUE │
1286 ├─────────────────────────────┼─────────────────────────────┤
1287 │Interface Stability │See below. │
1288 └─────────────────────────────┴─────────────────────────────┘
1289
1290
1291 All of the keywords are Committed, except for the PKINIT keywords,
1292 which are Volatile.
1293
1295 kinit(1), rcp(1), rdist(1), rlogin(1), rsh(1), telnet(1), syslog(3C),
1296 attributes(5), kerberos(5), regex(5)
1297
1299 If the krb5.conf file is not formatted properly, the telnet command
1300 fails. However, the dtlogin and login commands still succeed, even if
1301 the krb5.conf file is specified as required for the commands. If this
1302 occurs, the following error message is displayed:
1303
1304 Error initializing krb5: Improper format of item
1305
1306
1307
1308
1309 To bypass any other problems that might occur, you should fix the file
1310 as soon as possible.
1311
1312
1313 The max_life and max_renewable_life options are obsolete and is removed
1314 in a future release of the Solaris operating system.
1315
1316
1317
1318SunOS 5.11 5 Jan 2009 krb5.conf(4)