.. _kdc.conf(5):

kdc.conf
========

The kdc.conf file supplements :ref:`krb5.conf(5)` for programs which
are typically only used on a KDC, such as the :ref:`krb5kdc(8)` and
:ref:`kadmind(8)` daemons and the :ref:`kdb5_util(8)` program.
Relations documented here may also be specified in krb5.conf; for the
KDC programs mentioned, krb5.conf and kdc.conf will be merged into a
single configuration profile.

Normally, the kdc.conf file is found in the KDC state directory,
|kdcdir|. You can override the default location by setting the
environment variable **KRB5_KDC_PROFILE**.

Please note that you need to restart the KDC daemon for any configuration
changes to take effect.

Structure
---------

The kdc.conf file is set up in the same format as the
:ref:`krb5.conf(5)` file.


Sections
--------

The kdc.conf file may contain the following sections:

==================== =================================================
:ref:`kdcdefaults`   Default values for KDC behavior
:ref:`kdc_realms`    Realm-specific database configuration and settings
:ref:`dbdefaults`    Default database settings
:ref:`dbmodules`     Per-database settings
:ref:`logging`       Controls how Kerberos daemons perform logging
==================== =================================================


.. _kdcdefaults:

[kdcdefaults]
~~~~~~~~~~~~~

Some relations in the [kdcdefaults] section specify default values for
realm variables, to be used if the [realms] subsection does not
contain a relation for the tag. See the :ref:`kdc_realms` section for
the definitions of these relations.

* **host_based_services**
* **kdc_listen**
* **kdc_ports**
* **kdc_tcp_listen**
* **kdc_tcp_ports**
* **no_host_referral**
* **restrict_anonymous_to_tgt**

The following [kdcdefaults] variables have no per-realm equivalent:

**kdc_max_dgram_reply_size**
    Specifies the maximum packet size that can be sent over UDP. The
    default value is 4096 bytes. A reply larger than this is not sent
    over UDP; the client instead receives a KRB_ERR_RESPONSE_TOO_BIG
    error and retries over TCP, so lowering this value only works if
    the KDC still listens on TCP.

**kdc_tcp_listen_backlog**
    (Integer.) Sets the length of the TCP listen queue for the KDC
    daemon. The value may be limited by OS settings. The default
    value is 5.

**spake_preauth_kdc_challenge**
    (String.) Specifies the group for a SPAKE optimistic challenge.
    See the **spake_preauth_groups** variable in :ref:`libdefaults`
    for possible values. The default is not to issue an optimistic
    challenge. (New in release 1.17.)
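
As an added example (not code from the MIT krb5 documentation or source tree), the following Python resolves a realm relation the way the text above describes: the tag is looked up in the realm's [realms] subsection first and, for the seven tags listed above, falls back to [kdcdefaults]. The minimal parser of the krb5.conf/kdc.conf profile format, the ``kdc_relation`` helper and the sample configuration are all constructed here for illustration; MIT krb5's real profile library also handles multi-valued relations, ``include`` directives and the merging of krb5.conf with kdc.conf, none of which this toy models.

```python
"""Resolve KDC realm relations with [kdcdefaults] fallback (illustrative)."""

# Tags the kdc.conf man page lists as having a [kdcdefaults] fallback.
KDCDEFAULTS_FALLBACK_TAGS = {
    "host_based_services", "kdc_listen", "kdc_ports", "kdc_tcp_listen",
    "kdc_tcp_ports", "no_host_referral", "restrict_anonymous_to_tgt",
}


def parse_profile(text):
    """Parse the krb5.conf/kdc.conf profile format into nested dicts.

    Sections are '[name]', relations are 'tag = value', and a value of
    '{' opens a subsection closed by a line containing only '}'.  Comment
    lines start with '#' or ';'.  A double-quoted value is unquoted, so
    'kdc_tcp_listen = ""' yields the empty string.  Simplifications made
    here: the first definition of a tag wins, and multi-valued relations
    and 'include' directives are not supported.
    """
    profile = {}
    stack = []          # dicts enclosing the current scope
    current = None      # dict receiving relations right now
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            if stack:
                raise ValueError("section header inside a subsection")
            current = profile.setdefault(line[1:-1], {})
            continue
        if current is None:
            raise ValueError("relation outside any section: %r" % line)
        if line == "}":
            if not stack:
                raise ValueError("unbalanced '}'")
            current = stack.pop()
            continue
        tag, sep, value = line.partition("=")
        if not sep:
            raise ValueError("malformed relation: %r" % line)
        tag, value = tag.strip(), value.strip()
        if value == "{":
            stack.append(current)
            current = current.setdefault(tag, {})
            continue
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        if tag not in current:
            current[tag] = value
    if stack:
        raise ValueError("unterminated subsection")
    return profile


def kdc_relation(profile, realm, tag, default=None):
    """Look tag up for realm: its [realms] subsection, then [kdcdefaults]."""
    realm_section = profile.get("realms", {}).get(realm, {})
    if tag in realm_section:
        return realm_section[tag]
    if tag in KDCDEFAULTS_FALLBACK_TAGS:
        return profile.get("kdcdefaults", {}).get(tag, default)
    return default


# Constructed sample kdc.conf; EXAMPLE.COM and primary_db are made up.
SAMPLE_KDC_CONF = """
[kdcdefaults]
    kdc_listen = 88
    kdc_tcp_listen = 88
    restrict_anonymous_to_tgt = true

[realms]
    EXAMPLE.COM = {
        # An explicit empty string is a definition: no fallback happens.
        kdc_tcp_listen = ""
        max_life = 10h 0m 0s
        database_module = primary_db
    }

[dbmodules]
    primary_db = {
        db_library = klmdb
        disable_lockout = false
    }
"""

if __name__ == "__main__":
    prof = parse_profile(SAMPLE_KDC_CONF)
    for t in ("kdc_listen", "kdc_tcp_listen", "restrict_anonymous_to_tgt",
              "max_life", "max_renewable_life"):
        print("%-26s -> %r" % (t, kdc_relation(prof, "EXAMPLE.COM", t)))
```

The ``kdc_tcp_listen = ""`` line in the sample is the interesting case: because the realm subsection defines the tag, the [kdcdefaults] value of ``88`` is not consulted and TCP listening stays disabled for that realm.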


.. _kdc_realms:

[realms]
~~~~~~~~

Each tag in the [realms] section is the name of a Kerberos realm. The
value of the tag is a subsection where the relations define KDC
parameters for that particular realm. The following example shows how
to define one parameter for the ATHENA.MIT.EDU realm::

    [realms]
        ATHENA.MIT.EDU = {
            max_renewable_life = 7d 0h 0m 0s
        }

The following tags may be specified in a [realms] subsection:

**acl_file**
    (String.) Location of the access control list file that
    :ref:`kadmind(8)` uses to determine which principals are allowed
    which permissions on the Kerberos database. To operate without an
    ACL file, set this relation to the empty string with ``acl_file =
    ""``. The default value is |kdcdir|\ ``/kadm5.acl``. For more
    information on the Kerberos ACL file, see :ref:`kadm5.acl(5)`.

**database_module**
    (String.) This relation indicates the name of the configuration
    section under :ref:`dbmodules` for database-specific parameters
    used by the loadable database library. The default value is the
    realm name. If this configuration section does not exist, default
    values will be used for all database parameters.

**database_name**
    (String, deprecated.) This relation specifies the location of the
    Kerberos database for this realm, if the DB2 module is being used
    and the :ref:`dbmodules` configuration section does not specify a
    database name. The default value is |kdcdir|\ ``/principal``.

**default_principal_expiration**
    (:ref:`abstime` string.) Specifies the default expiration date of
    principals created in this realm. The default value is 0, which
    means no expiration date.

**default_principal_flags**
    (Flag string.) Specifies the default attributes of principals
    created in this realm. The format for this string is a
    comma-separated list of flags, with '+' before each flag that
    should be enabled and '-' before each flag that should be
    disabled. The **postdateable**, **forwardable**, **tgt-based**,
    **renewable**, **proxiable**, **dup-skey**, **allow-tickets**, and
    **service** flags default to enabled.

    There are a number of possible flags:

    **allow-tickets**
        Enabling this flag means that the KDC will issue tickets for
        this principal. Disabling this flag essentially deactivates
        the principal within this realm.

    **dup-skey**
        Enabling this flag allows the KDC to issue user-to-user
        service tickets for this principal.

    **forwardable**
        Enabling this flag allows the principal to obtain forwardable
        tickets.

    **hwauth**
        If this flag is enabled, then the principal is required to
        preauthenticate using a hardware device before receiving any
        tickets.

    **no-auth-data-required**
        Enabling this flag prevents PAC or AD-SIGNEDPATH data from
        being added to service tickets for the principal.

    **ok-as-delegate**
        If this flag is enabled, it hints to the client that credentials
        can and should be delegated when authenticating to the
        service.

    **ok-to-auth-as-delegate**
        Enabling this flag allows the principal to use S4U2Self tickets.

    **postdateable**
        Enabling this flag allows the principal to obtain postdateable
        tickets.

    **preauth**
        If this flag is enabled on a client principal, then that
        principal is required to preauthenticate to the KDC before
        receiving any tickets. On a service principal, enabling this
        flag means that service tickets for this principal will only
        be issued to clients with a TGT that has the preauthenticated
        bit set.

    **proxiable**
        Enabling this flag allows the principal to obtain proxy
        tickets.

    **pwchange**
        Enabling this flag forces a password change for this
        principal.

    **pwservice**
        If this flag is enabled, it marks this principal as a password
        change service. This should only be used in special cases,
        for example, if a user's password has expired, then the user
        has to get tickets for that principal without going through
        the normal password authentication in order to be able to
        change the password.

    **renewable**
        Enabling this flag allows the principal to obtain renewable
        tickets.

    **service**
        Enabling this flag allows the KDC to issue service tickets
        for this principal. In release 1.17 and later, user-to-user
        service tickets are still allowed if the **dup-skey** flag is
        set.

    **tgt-based**
        Enabling this flag allows a principal to obtain tickets based
        on a ticket-granting-ticket, rather than repeating the
        authentication process that was used to obtain the TGT.
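
As an added example (not part of the krb5 documentation or code base), the following Python applies a **default_principal_flags** string to the documented defaults and reports the effective attribute set a new principal would get. The flag table and defaults are exactly those listed above; the ``risky_defaults`` helper, the treatment of whitespace around items, and the decision to reject unknown or unsigned items instead of ignoring them are assumptions of this example, not documented krb5 behaviour.

```python
"""Compute the effective principal attribute set from a
default_principal_flags string (illustrative, not krb5 code)."""

# Every flag named in the kdc.conf description of default_principal_flags.
KNOWN_FLAGS = frozenset({
    "allow-tickets", "dup-skey", "forwardable", "hwauth",
    "no-auth-data-required", "ok-as-delegate", "ok-to-auth-as-delegate",
    "postdateable", "preauth", "proxiable", "pwchange", "pwservice",
    "renewable", "service", "tgt-based",
})

# Flags the documentation says default to enabled.
DEFAULT_ENABLED = frozenset({
    "postdateable", "forwardable", "tgt-based", "renewable",
    "proxiable", "dup-skey", "allow-tickets", "service",
})


def parse_default_principal_flags(spec):
    """Return the set of enabled flags after applying spec to the defaults.

    spec uses the documented format: a comma-separated list of flag names,
    each prefixed with '+' (enable) or '-' (disable).  Assumptions made
    here: whitespace around an item is ignored, names are case-insensitive,
    and an unknown or unsigned item is an error rather than being skipped.
    """
    enabled = set(DEFAULT_ENABLED)
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        sign, name = item[0], item[1:].strip().lower()
        if sign not in "+-":
            raise ValueError("flag %r needs a leading '+' or '-'" % item)
        if name not in KNOWN_FLAGS:
            raise ValueError("unknown principal flag %r" % name)
        if sign == "+":
            enabled.add(name)
        else:
            enabled.discard(name)
    return frozenset(enabled)


def risky_defaults(enabled):
    """Name the defaults a hardening review usually questions.

    Returns the sorted subset of 'forwardable', 'proxiable' and
    'postdateable' still enabled, and whether 'preauth' is absent, i.e.
    whether the KDC would answer an AS-REQ for a newly created principal
    without requiring pre-authentication.
    """
    delegation_flags = sorted(enabled & {"forwardable", "proxiable",
                                         "postdateable"})
    return delegation_flags, "preauth" not in enabled


if __name__ == "__main__":
    # Constructed example of a hardened realm default.
    spec = "+preauth, -forwardable, -proxiable, -postdateable"
    flags = parse_default_principal_flags(spec)
    print(sorted(flags))
    print(risky_defaults(flags))
```

Note that the string only adjusts defaults for principals created afterwards; existing principals keep the attributes they already have.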

**dict_file**
    (String.) Location of the dictionary file containing strings that
    are not allowed as passwords. The file should contain one string
    per line, with no additional whitespace. If none is specified or
    if there is no policy assigned to the principal, no dictionary
    checks of passwords will be performed.

**encrypted_challenge_indicator**
    (String.) Specifies the authentication indicator value that the KDC
    asserts into tickets obtained using FAST encrypted challenge
    pre-authentication. New in 1.16.

**host_based_services**
    (Whitespace- or comma-separated list.) Lists services which will
    get host-based referral processing even if the server principal is
    not marked as host-based by the client.

**iprop_enable**
    (Boolean value.) Specifies whether incremental database
    propagation is enabled. The default value is false.

**iprop_master_ulogsize**
    (Integer.) Specifies the maximum number of log entries to be
    retained for incremental propagation. The default value is 1000.
    Prior to release 1.11, the maximum value was 2500.

**iprop_replica_poll**
    (Delta time string.) Specifies how often the replica KDC polls
    for new updates from the master. The default value is ``2m``
    (that is, two minutes). New in release 1.17.

**iprop_slave_poll**
    (Delta time string.) The name for **iprop_replica_poll** prior to
    release 1.17. Its value is used as a fallback if
    **iprop_replica_poll** is not specified.

**iprop_listen**
    (Whitespace- or comma-separated list.) Specifies the iprop RPC
    listening addresses and/or ports for the :ref:`kadmind(8)` daemon.
    Each entry may be an interface address, a port number, or an
    address and port number separated by a colon. If the address
    contains colons, enclose it in square brackets. If no address is
    specified, the wildcard address is used. If kadmind fails to bind
    to any of the specified addresses, it will fail to start. The
    default (when **iprop_enable** is true) is to bind to the wildcard
    address at the port specified in **iprop_port**. New in release
    1.15.

**iprop_port**
    (Port number.) Specifies the port number to be used for
    incremental propagation. When **iprop_enable** is true, this
    relation is required in the replica KDC configuration file, and
    this relation or **iprop_listen** is required in the master
    configuration file, as there is no default port number. Port
    numbers specified in **iprop_listen** entries will override this
    port number for the :ref:`kadmind(8)` daemon.

**iprop_resync_timeout**
    (Delta time string.) Specifies the amount of time to wait for a
    full propagation to complete. This is optional in configuration
    files, and is used by replica KDCs only. The default value is 5
    minutes (``5m``). New in release 1.11.

**iprop_logfile**
    (File name.) Specifies where the update log file for the realm
    database is to be stored. The default is to use the
    **database_name** entry from the realms section of the krb5 config
    file, with ``.ulog`` appended. (NOTE: If **database_name** isn't
    specified in the realms section, perhaps because the LDAP database
    back end is being used, or the file name is specified in the
    [dbmodules] section, then the hard-coded default for
    **database_name** is used. Determination of the **iprop_logfile**
    default value will not use values from the [dbmodules] section.)

**kadmind_listen**
    (Whitespace- or comma-separated list.) Specifies the kadmin RPC
    listening addresses and/or ports for the :ref:`kadmind(8)` daemon.
    Each entry may be an interface address, a port number, or an
    address and port number separated by a colon. If the address
    contains colons, enclose it in square brackets. If no address is
    specified, the wildcard address is used. If kadmind fails to bind
    to any of the specified addresses, it will fail to start. The
    default is to bind to the wildcard address at the port specified
    in **kadmind_port**, or the standard kadmin port (749). New in
    release 1.15.

**kadmind_port**
    (Port number.) Specifies the port on which the :ref:`kadmind(8)`
    daemon is to listen for this realm. Port numbers specified in
    **kadmind_listen** entries will override this port number. The
    assigned port for kadmind is 749, which is used by default.

**key_stash_file**
    (String.) Specifies the location where the master key has been
    stored (via kdb5_util stash). The default is |kdcdir|\
    ``/.k5.REALM``, where *REALM* is the Kerberos realm. The stash
    file holds the master key unencrypted, so it must be readable only
    by the KDC programs that need it.

**kdc_listen**
    (Whitespace- or comma-separated list.) Specifies the UDP
    listening addresses and/or ports for the :ref:`krb5kdc(8)` daemon.
    Each entry may be an interface address, a port number, or an
    address and port number separated by a colon. If the address
    contains colons, enclose it in square brackets. If no address is
    specified, the wildcard address is used. If no port is specified,
    the standard port (88) is used. If the KDC daemon fails to bind
    to any of the specified addresses, it will fail to start. The
    default is to bind to the wildcard address on the standard port.
    New in release 1.15.

**kdc_ports**
    (Whitespace- or comma-separated list, deprecated.) Prior to
    release 1.15, this relation lists the ports for the
    :ref:`krb5kdc(8)` daemon to listen on for UDP requests. In
    release 1.15 and later, it has the same meaning as **kdc_listen**
    if that relation is not defined.

**kdc_tcp_listen**
    (Whitespace- or comma-separated list.) Specifies the TCP
    listening addresses and/or ports for the :ref:`krb5kdc(8)` daemon.
    Each entry may be an interface address, a port number, or an
    address and port number separated by a colon. If the address
    contains colons, enclose it in square brackets. If no address is
    specified, the wildcard address is used. If no port is specified,
    the standard port (88) is used. To disable listening on TCP, set
    this relation to the empty string with ``kdc_tcp_listen = ""``.
    If the KDC daemon fails to bind to any of the specified addresses,
    it will fail to start. The default is to bind to the wildcard
    address on the standard port. New in release 1.15.

**kdc_tcp_ports**
    (Whitespace- or comma-separated list, deprecated.) Prior to
    release 1.15, this relation lists the ports for the
    :ref:`krb5kdc(8)` daemon to listen on for TCP requests. In
    release 1.15 and later, it has the same meaning as
    **kdc_tcp_listen** if that relation is not defined.

**kpasswd_listen**
    (Comma-separated list.) Specifies the kpasswd listening addresses
    and/or ports for the :ref:`kadmind(8)` daemon. Each entry may be
    an interface address, a port number, or an address and port number
    separated by a colon. If the address contains colons, enclose it
    in square brackets. If no address is specified, the wildcard
    address is used. If kadmind fails to bind to any of the specified
    addresses, it will fail to start. The default is to bind to the
    wildcard address at the port specified in **kpasswd_port**, or the
    standard kpasswd port (464). New in release 1.15.

**kpasswd_port**
    (Port number.) Specifies the port on which the :ref:`kadmind(8)`
    daemon is to listen for password change requests for this realm.
    Port numbers specified in **kpasswd_listen** entries will override
    this port number. The assigned port for password change requests
    is 464, which is used by default.
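
The ``*_listen`` relations above (**iprop_listen**, **kadmind_listen**, **kdc_listen**, **kdc_tcp_listen**, **kpasswd_listen**) all share one entry syntax, and the ``*_port`` relations supply the default port when an entry omits one. As an added example, not the krb5 implementation, the following Python turns a relation's value into the list of (address, port) pairs a daemon would bind, including the empty-string case that disables a listener. It assumes entries are IP literals (the text says "interface address"; hostnames are not accepted here), represents the wildcard address as the string ``"*"``, and splits on whitespace as well as commas for every relation, which is more permissive than the "comma-separated" wording of **kpasswd_listen**.

```python
"""Parse the *_listen / *_port relations of kdc.conf into bind addresses
(illustrative code, not the krb5 implementation)."""

import ipaddress

# Standard ports the documentation gives for each listener.  iprop_listen is
# absent on purpose: the page says iprop_port has no default.
STANDARD_PORTS = {
    "kdc_listen": 88, "kdc_tcp_listen": 88,
    "kadmind_listen": 749, "kpasswd_listen": 464,
}
WILDCARD = "*"   # stands for "no address given": bind the wildcard address


def _split_entry(entry):
    """Split one entry into (address or None, port string or None).

    Accepted forms, as documented: 'PORT', 'ADDR', 'ADDR:PORT', and
    '[V6ADDR]' or '[V6ADDR]:PORT' when the address itself has colons.
    """
    if entry.startswith("["):
        close = entry.find("]")
        if close < 0:
            raise ValueError("unterminated '[' in %r" % entry)
        addr, rest = entry[1:close], entry[close + 1:]
        if rest == "":
            return addr, None
        if not rest.startswith(":"):
            raise ValueError("junk after ']' in %r" % entry)
        return addr, rest[1:]
    if entry.count(":") > 1:
        raise ValueError("IPv6 address must be bracketed: %r" % entry)
    if entry.isdigit():
        return None, entry
    addr, _, port = entry.partition(":")
    return addr, (port or None)


def parse_listen(relation, value, port_relation_value=None):
    """Return [(address, port), ...] for a listen relation.

    value is the relation text; an empty string means "do not listen" (the
    documented way to disable kdc_tcp_listen).  port_relation_value is the
    matching *_port relation (kadmind_port, kpasswd_port, iprop_port); it
    supplies the default port, otherwise the standard port does.  A port
    given inside an entry overrides both, as the page states.
    """
    if port_relation_value:
        default_port = int(port_relation_value)
    else:
        default_port = STANDARD_PORTS.get(relation)
    listeners = []
    for entry in value.replace(",", " ").split():
        addr, port = _split_entry(entry)
        if port is None and default_port is None:
            raise ValueError("%s entry %r needs a port: no default exists"
                             % (relation, entry))
        port = int(port) if port is not None else default_port
        if not 0 < port < 65536:
            raise ValueError("port out of range in %r" % entry)
        if addr is not None:
            ipaddress.ip_address(addr)      # reject anything but IP literals
        listeners.append((addr if addr is not None else WILDCARD, port))
    return listeners


if __name__ == "__main__":
    # Constructed example: KDC on loopback and one IPv6 address only.
    print(parse_listen("kdc_listen", "127.0.0.1 [2001:db8::10]:88 750"))
    print(parse_listen("kdc_tcp_listen", ""))             # TCP disabled
    print(parse_listen("kadmind_listen", "10.0.0.5", "750"))
```

Binding only to specific addresses rather than the wildcard is the practical use: on a multi-homed KDC it keeps kadmind and the iprop RPC service off interfaces that face clients.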

**master_key_name**
    (String.) Specifies the name of the principal associated with the
    master key. The default is ``K/M``.

**master_key_type**
    (Key type string.) Specifies the master key's key type. The
    default value for this is |defmkey|. For a list of all possible
    values, see :ref:`Encryption_types`.

**max_life**
    (:ref:`duration` string.) Specifies the maximum time period for
    which a ticket may be valid in this realm. The default value is
    24 hours.

**max_renewable_life**
    (:ref:`duration` string.) Specifies the maximum time period
    during which a valid ticket may be renewed in this realm.
    The default value is 0.

**no_host_referral**
    (Whitespace- or comma-separated list.) Lists services to block
    from getting host-based referral processing, even if the client
    marks the server principal as host-based or the service is also
    listed in **host_based_services**. ``no_host_referral = *`` will
    disable referral processing altogether.

**reject_bad_transit**
    (Boolean value.) If set to true, the KDC will check the list of
    transited realms for cross-realm tickets against the transit path
    computed from the realm names and the capaths section of its
    :ref:`krb5.conf(5)` file; if the path in the ticket to be issued
    contains any realms not in the computed path, the ticket will not
    be issued, and an error will be returned to the client instead.
    If this value is set to false, such tickets will be issued
    anyway, and it will be left up to the application server to
    validate the realm transit path.

    If the disable-transited-check flag is set in the incoming
    request, this check is not performed at all. Setting
    **reject_bad_transit** to true will cause such ticket requests to
    be rejected always.

    This transit path checking and config file option currently apply
    only to TGS requests.

    The default value is true.
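
As an added example (written for this page, not taken from the krb5 KDC), the following Python models the **reject_bad_transit** decision described above for a TGS request. The allowed path is taken from an explicit [capaths] entry when one exists and otherwise from the hierarchical walk through the realms' shared parent; ``transit_check`` then rejects or issues according to the setting and to the request's disable-transited-check flag. Assumptions of the example: [capaths] is modelled as a dict of client realm to server realm to list of intermediate realms (``"."`` meaning a direct trust), the ticket's transited field is a plain list of realm names rather than the compressed encoding used on the wire, and two realms with no shared parent raise an error instead of guessing a path. The second return value records whether the KDC itself verified the path, which is what the application server has to know when the check was left to it.

```python
"""Model the reject_bad_transit decision for a TGS request (illustrative
code written for this page, not the krb5 KDC's implementation)."""


def hierarchical_intermediates(client_realm, server_realm):
    """Parent realms between two realms when [capaths] says nothing.

    Both names are split on '.', the longest shared suffix is taken as the
    common parent, and the path climbs from the client realm to that parent
    and then descends to the server realm.  Realms with no shared parent
    need a [capaths] entry; this example raises rather than guessing.
    """
    c, s = client_realm.split("."), server_realm.split(".")
    common = 0
    while common < min(len(c), len(s)) and c[-1 - common] == s[-1 - common]:
        common += 1
    if common == 0:
        raise ValueError("no shared parent realm; configure [capaths]")
    up = [".".join(c[i:]) for i in range(1, len(c) - common + 1)]
    down = [".".join(s[i:]) for i in range(len(s) - common - 1, 0, -1)]
    return [r for r in up + down if r not in (client_realm, server_realm)]


def compute_transit_path(capaths, client_realm, server_realm):
    """Realms allowed in the transited field, client and server included.

    An explicit [capaths] entry (client -> server -> intermediates) wins;
    otherwise the hierarchical path is used, as the kdc.conf text states.
    """
    entry = capaths.get(client_realm, {}).get(server_realm)
    if entry is not None:
        intermediates = [r for r in entry if r != "."]
    else:
        intermediates = hierarchical_intermediates(client_realm, server_realm)
    return [client_realm] + intermediates + [server_realm]


def transit_check(transited, client_realm, server_realm, capaths,
                  reject_bad_transit=True, disable_transited_check=False):
    """Decide whether the KDC issues the ticket.

    Returns (issue_ticket, kdc_verified_path).  When the KDC did not verify
    the path (check skipped by the client, or a bad path tolerated because
    reject_bad_transit is false), validation is left to the service.
    """
    if disable_transited_check:
        # Client asked the KDC not to check; with reject_bad_transit the
        # request is refused outright.
        return (not reject_bad_transit), False
    path = compute_transit_path(capaths, client_realm, server_realm)
    unexpected = [r for r in transited if r not in path]
    if not unexpected:
        return True, True
    return (not reject_bad_transit), False


# Constructed [capaths]: EXAMPLE.COM trusts PARTNER.ORG directly, and the
# child realm reaches PARTNER.ORG through its parent.
CAPATHS = {
    "EXAMPLE.COM": {"PARTNER.ORG": ["."]},
    "ENG.EXAMPLE.COM": {"PARTNER.ORG": ["EXAMPLE.COM"]},
}

if __name__ == "__main__":
    print(compute_transit_path(CAPATHS, "ENG.EXAMPLE.COM", "SALES.EXAMPLE.COM"))
    print(transit_check(["EXAMPLE.COM"], "ENG.EXAMPLE.COM", "SALES.EXAMPLE.COM",
                        CAPATHS))
    # A ticket claiming to have transited an unrelated realm is refused.
    print(transit_check(["EVIL.NET"], "ENG.EXAMPLE.COM", "SALES.EXAMPLE.COM",
                        CAPATHS))
```

The unrelated-realm case is the one the option exists for: with ``reject_bad_transit = false`` the same request yields ``(True, False)``, and every application server in the realm must then perform the transit check itself or accept tickets that crossed a realm the administrator never configured a trust path through.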

**restrict_anonymous_to_tgt**
    (Boolean value.) If set to true, the KDC will reject ticket
    requests from anonymous principals to service principals other
    than the realm's ticket-granting service. This option allows
    anonymous PKINIT to be enabled for use as FAST armor tickets
    without allowing anonymous authentication to services. The
    default value is false. New in release 1.9.

**spake_preauth_indicator**
    (String.) Specifies an authentication indicator value that the
    KDC asserts into tickets obtained using SPAKE pre-authentication.
    The default is not to add any indicators. This option may be
    specified multiple times. New in release 1.17.

**supported_enctypes**
    (List of *key*:*salt* strings.) Specifies the default key/salt
    combinations of principals for this realm. Any principals created
    through :ref:`kadmin(1)` will have keys of these types. The
    default value for this tag is |defkeysalts|. For lists of
    possible values, see :ref:`Keysalt_lists`.


.. _dbdefaults:

[dbdefaults]
~~~~~~~~~~~~

The [dbdefaults] section specifies default values for some database
parameters, to be used if the [dbmodules] subsection does not contain
a relation for the tag. See the :ref:`dbmodules` section for the
definitions of these relations.

* **ldap_kerberos_container_dn**
* **ldap_kdc_dn**
* **ldap_kdc_sasl_authcid**
* **ldap_kdc_sasl_authzid**
* **ldap_kdc_sasl_mech**
* **ldap_kdc_sasl_realm**
* **ldap_kadmind_dn**
* **ldap_kadmind_sasl_authcid**
* **ldap_kadmind_sasl_authzid**
* **ldap_kadmind_sasl_mech**
* **ldap_kadmind_sasl_realm**
* **ldap_service_password_file**
* **ldap_conns_per_server**


.. _dbmodules:

[dbmodules]
~~~~~~~~~~~

The [dbmodules] section contains parameters used by the KDC database
library and database modules. Each tag in the [dbmodules] section is
the name of a Kerberos realm or a section name specified by a realm's
**database_module** parameter. The following example shows how to
define one database parameter for the ATHENA.MIT.EDU realm::

    [dbmodules]
        ATHENA.MIT.EDU = {
            disable_last_success = true
        }

The following tags may be specified in a [dbmodules] subsection:

**database_name**
    This DB2-specific tag indicates the location of the database in
    the filesystem. The default is |kdcdir|\ ``/principal``.

**db_library**
    This tag indicates the name of the loadable database module. The
    value should be ``db2`` for the DB2 module, ``klmdb`` for the LMDB
    module, or ``kldap`` for the LDAP module.

**disable_last_success**
    If set to ``true``, suppresses KDC updates to the "Last successful
    authentication" field of principal entries requiring
    preauthentication. Setting this flag may improve performance.
    (Principal entries which do not require preauthentication never
    update the "Last successful authentication" field.) First
    introduced in release 1.9.

**disable_lockout**
    If set to ``true``, suppresses KDC updates to the "Last failed
    authentication" and "Failed password attempts" fields of principal
    entries requiring preauthentication. Setting this flag may
    improve performance, but also disables account lockout. First
    introduced in release 1.9.

**ldap_conns_per_server**
    This LDAP-specific tag indicates the number of connections to be
    maintained per LDAP server.

**ldap_kdc_dn** and **ldap_kadmind_dn**
    These LDAP-specific tags indicate the default DN for binding to
    the LDAP server. The :ref:`krb5kdc(8)` daemon uses
    **ldap_kdc_dn**, while the :ref:`kadmind(8)` daemon and other
    administrative programs use **ldap_kadmind_dn**. The kadmind DN
    must have the rights to read and write the Kerberos data in the
    LDAP database. The KDC DN must have the same rights, unless
    **disable_lockout** and **disable_last_success** are true, in
    which case it only needs to have rights to read the Kerberos data.
    These tags are ignored if a SASL mechanism is set with
    **ldap_kdc_sasl_mech** or **ldap_kadmind_sasl_mech**.

**ldap_kdc_sasl_mech** and **ldap_kadmind_sasl_mech**
    These LDAP-specific tags specify the SASL mechanism (such as
    ``EXTERNAL``) to use when binding to the LDAP server. New in
    release 1.13.

**ldap_kdc_sasl_authcid** and **ldap_kadmind_sasl_authcid**
    These LDAP-specific tags specify the SASL authentication identity
    to use when binding to the LDAP server. Not all SASL mechanisms
    require an authentication identity. If the SASL mechanism
    requires a secret (such as the password for ``DIGEST-MD5``), these
    tags also determine the name within the
    **ldap_service_password_file** where the secret is stashed. New
    in release 1.13.

**ldap_kdc_sasl_authzid** and **ldap_kadmind_sasl_authzid**
    These LDAP-specific tags specify the SASL authorization identity
    to use when binding to the LDAP server. In most circumstances
    they do not need to be specified. New in release 1.13.

**ldap_kdc_sasl_realm** and **ldap_kadmind_sasl_realm**
    These LDAP-specific tags specify the SASL realm to use when
    binding to the LDAP server. In most circumstances they do not
    need to be set. New in release 1.13.

**ldap_kerberos_container_dn**
    This LDAP-specific tag indicates the DN of the container object
    where the realm objects will be located.

**ldap_servers**
    This LDAP-specific tag indicates the list of LDAP servers that the
    Kerberos servers can connect to. The list of LDAP servers is
    whitespace-separated. Each LDAP server is specified by an LDAP URI.
    It is recommended to use ``ldapi:`` or ``ldaps:`` URLs to connect
    to the LDAP server.

**ldap_service_password_file**
    This LDAP-specific tag indicates the file containing the stashed
    passwords (created by ``kdb5_ldap_util stashsrvpw``) for the
    **ldap_kdc_dn** and **ldap_kadmind_dn** objects, or for the
    **ldap_kdc_sasl_authcid** or **ldap_kadmind_sasl_authcid** names
    for SASL authentication. This file must be kept secure.

**mapsize**
    This LMDB-specific tag indicates the maximum size of the two
    database environments in megabytes. The default value is 128.
    Increase this value to address "Environment mapsize limit reached"
    errors. New in release 1.17.

**max_readers**
    This LMDB-specific tag indicates the maximum number of concurrent
    reading processes for the databases. The default value is 128.
    New in release 1.17.

**nosync**
|
|
Packit |
fd8b60 |
This LMDB-specific tag can be set to improve the throughput of
|
|
Packit |
fd8b60 |
kadmind and other administrative agents, at the expense of
|
|
Packit |
fd8b60 |
durability (recent database changes may not survive a power outage
|
|
Packit |
fd8b60 |
or other sudden reboot). It does not affect the throughput of the
|
|
Packit |
fd8b60 |
KDC. The default value is false. New in release 1.17.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
**unlockiter**
|
|
Packit |
fd8b60 |
If set to ``true``, this DB2-specific tag causes iteration
|
|
Packit |
fd8b60 |
operations to release the database lock while processing each
|
|
Packit |
fd8b60 |
principal. Setting this flag to ``true`` can prevent extended
|
|
Packit |
fd8b60 |
blocking of KDC or kadmin operations when dumps of large databases
|
|
Packit |
fd8b60 |
are in progress. First introduced in release 1.13.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
The following tag may be specified directly in the [dbmodules]
|
|
Packit |
fd8b60 |
section to control where database modules are loaded from:
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
**db_module_dir**
|
|
Packit |
fd8b60 |
This tag controls where the plugin system looks for database
|
|
Packit |
fd8b60 |
modules. The value should be an absolute path.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
.. _logging:

[logging]
~~~~~~~~~

The [logging] section indicates how :ref:`krb5kdc(8)` and
:ref:`kadmind(8)` perform logging. It may contain the following
relations:

**admin_server**
    Specifies how :ref:`kadmind(8)` performs logging.

**kdc**
    Specifies how :ref:`krb5kdc(8)` performs logging.

**default**
    Specifies how either daemon performs logging in the absence of
    relations specific to the daemon.

**debug**
    (Boolean value.) Specifies whether debugging messages are
    included in log outputs other than SYSLOG. Debugging messages are
    always included in the system log output because syslog performs
    its own priority filtering. The default value is false. New in
    release 1.15.

Logging specifications may have the following forms:

**FILE=**\ *filename* or **FILE:**\ *filename*
    This value causes the daemon's logging messages to go to the
    *filename*. If the ``=`` form is used, the file is overwritten.
    If the ``:`` form is used, the file is appended to.

**STDERR**
    This value causes the daemon's logging messages to go to its
    standard error stream.

**CONSOLE**
    This value causes the daemon's logging messages to go to the
    console, if the system supports it.

**DEVICE=**\ *<devicename>*
    This causes the daemon's logging messages to go to the specified
    device.

**SYSLOG**\ [\ **:**\ *severity*\ [\ **:**\ *facility*\ ]]
    This causes the daemon's logging messages to go to the system log.

    For backward compatibility, a severity argument may be specified,
    and must be specified in order to specify a facility. This
    argument will be ignored.

    The facility argument specifies the facility under which the
    messages are logged. This may be any of the following facilities
    supported by the syslog(3) call minus the LOG\_ prefix: **KERN**,
    **USER**, **MAIL**, **DAEMON**, **AUTH**, **LPR**, **NEWS**,
    **UUCP**, **CRON**, and **LOCAL0** through **LOCAL7**. If no
    facility is specified, the default is **AUTH**.

In the following example, the logging messages from the KDC will go to
the console and to the system log under the facility LOG_DAEMON, and
the logging messages from the administrative server will be appended
to the file ``/var/adm/kadmin.log`` and sent to the device
``/dev/tty04``. ::

    [logging]
        kdc = CONSOLE
        kdc = SYSLOG:INFO:DAEMON
        admin_server = FILE:/var/adm/kadmin.log
        admin_server = DEVICE=/dev/tty04

If no logging specification is given, the default is to use syslog.
To disable logging entirely, specify ``default = DEVICE=/dev/null``.
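
As an added Python example (not code from the krb5 project), the following
parses the logging specification forms above and resolves which
destinations each daemon ends up with, including the **default** and
syslog fallbacks; upper-casing the facility name and the embedded copy of
the [logging] stanza are this example's own choices.

```python
from dataclasses import dataclass
from typing import Optional

# Facilities listed in this section (syslog(3) names without the LOG_ prefix).
SYSLOG_FACILITIES = frozenset(
    ["KERN", "USER", "MAIL", "DAEMON", "AUTH", "LPR", "NEWS", "UUCP", "CRON"]
    + [f"LOCAL{i}" for i in range(8)]
)


@dataclass(frozen=True)
class LogDest:
    kind: str                       # FILE, STDERR, CONSOLE, DEVICE or SYSLOG
    target: Optional[str] = None    # file name or device path
    append: bool = True             # FILE only: ':' appends, '=' overwrites
    facility: Optional[str] = None  # SYSLOG only


def parse_logging_spec(spec: str) -> LogDest:
    """Turn one relation value such as 'SYSLOG:INFO:DAEMON' into a LogDest."""
    spec = spec.strip()
    if spec in ("STDERR", "CONSOLE"):
        return LogDest(kind=spec)
    if spec.startswith(("FILE=", "FILE:")):
        if len(spec) == 5:
            raise ValueError("FILE specification needs a filename")
        return LogDest(kind="FILE", target=spec[5:], append=(spec[4] == ":"))
    if spec.startswith("DEVICE=") and len(spec) > 7:
        return LogDest(kind="DEVICE", target=spec[7:])
    if spec == "SYSLOG" or spec.startswith("SYSLOG:"):
        parts = spec.split(":")
        # parts[1], the severity, exists only for backward compatibility and
        # is ignored; a facility can only follow it and defaults to AUTH.
        facility = "AUTH"
        if len(parts) == 3:
            facility = parts[2].upper()  # case folding is this example's choice
            if facility not in SYSLOG_FACILITIES:
                raise ValueError(f"unknown syslog facility {parts[2]!r}")
        elif len(parts) > 3:
            raise ValueError(f"malformed SYSLOG specification {spec!r}")
        return LogDest(kind="SYSLOG", facility=facility)
    raise ValueError(f"unrecognized logging specification {spec!r}")


def parse_logging_section(text: str) -> list:
    """Collect (relation, value) pairs in order; a relation may repeat."""
    relations = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "[")):
            continue
        key, sep, value = line.partition("=")  # split at the first '=' only
        if not sep:
            raise ValueError(f"not a relation: {line!r}")
        relations.append((key.strip(), value.strip()))
    return relations


def destinations_for(relations: list, daemon: str) -> list:
    """Resolve where 'kdc' or 'admin_server' logs, applying the fallbacks."""
    specs = [v for k, v in relations if k == daemon]
    if not specs:
        specs = [v for k, v in relations if k == "default"]
    if not specs:
        specs = ["SYSLOG"]  # no specification at all: syslog, facility AUTH
    return [parse_logging_spec(v) for v in specs]


# The [logging] stanza from the example above, embedded as sample input.
EXAMPLE_LOGGING = """
[logging]
    kdc = CONSOLE
    kdc = SYSLOG:INFO:DAEMON
    admin_server = FILE:/var/adm/kadmin.log
    admin_server = DEVICE=/dev/tty04
"""
```
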


.. _otp:

[otp]
~~~~~

Each subsection of [otp] is the name of an OTP token type. The tags
within the subsection define the configuration required to forward a
One Time Password request to a RADIUS server.

For each token type, the following tags may be specified:

**server**
    This is the server to send the RADIUS request to. It can be a
    hostname with optional port, an IP address with optional port, or
    a Unix domain socket address. The default is
    |kdcdir|\ ``/<name>.socket``.

**secret**
    This tag indicates a filename (which may be relative to |kdcdir|)
    containing the secret used to encrypt the RADIUS packets. The
    secret should appear in the first line of the file by itself;
    leading and trailing whitespace on the line will be removed. If
    the value of **server** is a Unix domain socket address, this tag
    is optional, and an empty secret will be used if it is not
    specified. Otherwise, this tag is required.

**timeout**
    An integer which specifies the time in seconds during which the
    KDC should attempt to contact the RADIUS server. This tag is the
    total time across all retries and should be less than the time
    for which an OTP value remains valid. The default is 5 seconds.

**retries**
    This tag specifies the number of retries to make to the RADIUS
    server. The default is 3 retries (4 tries).

**strip_realm**
    If this tag is ``true``, the principal without the realm will be
    passed to the RADIUS server. Otherwise, the realm will be
    included. The default value is ``true``.

**indicator**
    This tag specifies an authentication indicator to be included in
    the ticket if this token type is used to authenticate. This
    option may be specified multiple times. (New in release 1.14.)

In the following example, requests are sent to a remote server via UDP::

    [otp]
        MyRemoteTokenType = {
            server = radius.mydomain.com:1812
            secret = SEmfiajf42$
            timeout = 15
            retries = 5
            strip_realm = true
        }

An implicit default token type named ``DEFAULT`` is defined for when
the per-principal configuration does not specify a token type. Its
configuration is shown below. You may override this token type to
something applicable for your situation::

    [otp]
        DEFAULT = {
            strip_realm = false
        }


PKINIT options
--------------

.. note::

    The following are pkinit-specific options. These values may
    be specified in [kdcdefaults] as global defaults, or within
    a realm-specific subsection of [realms]. Also note that a
    realm-specific value overrides, rather than adds to, a generic
    [kdcdefaults] specification. The search order is:

    1. realm-specific subsection of [realms]::

           [realms]
               EXAMPLE.COM = {
                   pkinit_anchors = FILE:/usr/local/example.com.crt
               }

    2. generic value in the [kdcdefaults] section::

           [kdcdefaults]
               pkinit_anchors = DIR:/usr/local/generic_trusted_cas/

For information about the syntax of some of these options, see
:ref:`Specifying PKINIT identity information <pkinit_identity>` in
:ref:`krb5.conf(5)`.

**pkinit_anchors**
    Specifies the location of trusted anchor (root) certificates which
    the KDC trusts to sign client certificates. This option is
    required if pkinit is to be supported by the KDC. This option may
    be specified multiple times.

**pkinit_dh_min_bits**
    Specifies the minimum number of bits the KDC is willing to accept
    for a client's Diffie-Hellman key. The default is 2048.

**pkinit_allow_upn**
    Specifies that the KDC is willing to accept client certificates
    with the Microsoft UserPrincipalName (UPN) Subject Alternative
    Name (SAN). This means the KDC accepts the binding of the UPN in
    the certificate to the Kerberos principal name. The default value
    is false.

    Without this option, the KDC will only accept certificates with
    the id-pkinit-san as defined in :rfc:`4556`. There is currently
    no option to disable SAN checking in the KDC.

**pkinit_eku_checking**
    This option specifies what Extended Key Usage (EKU) values the KDC
    is willing to accept in client certificates. The values
    recognized in the kdc.conf file are:

    **kpClientAuth**
        This is the default value and specifies that client
        certificates must have the id-pkinit-KPClientAuth EKU as
        defined in :rfc:`4556`.

    **scLogin**
        If scLogin is specified, client certificates with the
        Microsoft Smart Card Login EKU (id-ms-kp-sc-logon) will be
        accepted.

    **none**
        If none is specified, then client certificates will not be
        checked to verify they have an acceptable EKU. The use of
        this option is not recommended.

**pkinit_identity**
    Specifies the location of the KDC's X.509 identity information.
    This option is required if pkinit is to be supported by the KDC.

**pkinit_indicator**
    Specifies an authentication indicator to include in the ticket if
    pkinit is used to authenticate. This option may be specified
    multiple times. (New in release 1.14.)

**pkinit_pool**
    Specifies the location of intermediate certificates which may be
    used by the KDC to complete the trust chain between a client's
    certificate and a trusted anchor. This option may be specified
    multiple times.

**pkinit_revoke**
    Specifies the location of Certificate Revocation List (CRL)
    information to be used by the KDC when verifying the validity of
    client certificates. This option may be specified multiple times.

**pkinit_require_crl_checking**
    The default certificate verification process will always check the
    available revocation information to see if a certificate has been
    revoked. If a match is found for the certificate in a CRL,
    verification fails. If the certificate being verified is not
    listed in a CRL, or there is no CRL present for its issuing CA,
    and **pkinit_require_crl_checking** is false, then verification
    succeeds.

    However, if **pkinit_require_crl_checking** is true and there is
    no CRL information available for the issuing CA, then verification
    fails.

    **pkinit_require_crl_checking** should be set to true if the
    policy is such that up-to-date CRLs must be present for every CA.
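
To see how **pkinit_eku_checking**, **pkinit_allow_upn** and
**pkinit_require_crl_checking** combine, here is an added Python example
(not krb5 code) that evaluates constructed certificate descriptors against
those options. The symbolic EKU/SAN names, exact-match name comparison,
the ordering of the checks and the treatment of scLogin as additive are
this example's assumptions; chain building to the anchors is out of scope.

```python
from dataclasses import dataclass

# Identifiers the options above refer to (OIDs from RFC 4556 and Microsoft's
# PKINIT extensions); the symbolic strings are this example's dictionary keys.
EKU_KPCLIENTAUTH = "id-pkinit-KPClientAuth"  # 1.3.6.1.5.2.3.4
EKU_SC_LOGON = "id-ms-kp-sc-logon"           # 1.3.6.1.4.1.311.20.2.2
SAN_PKINIT = "id-pkinit-san"                 # 1.3.6.1.5.2.2
SAN_UPN = "msUPN"                            # 1.3.6.1.4.1.311.20.2.3


@dataclass
class ClientCert:
    """Constructed stand-in for a parsed client certificate."""
    issuer: str
    ekus: frozenset
    sans: dict             # SAN type -> name carried in that SAN
    revoked: bool = False  # listed in the issuer's CRL, when one exists


@dataclass
class PkinitOptions:
    pkinit_eku_checking: str = "kpClientAuth"  # kpClientAuth | scLogin | none
    pkinit_allow_upn: bool = False
    pkinit_require_crl_checking: bool = False


def eku_acceptable(cert: ClientCert, opts: PkinitOptions) -> bool:
    mode = opts.pkinit_eku_checking
    if mode == "none":
        return True  # no EKU check at all; the text recommends against it
    if mode == "kpClientAuth":
        return EKU_KPCLIENTAUTH in cert.ekus
    if mode == "scLogin":
        # Assumption of this example: scLogin adds the Smart Card Logon EKU
        # to the accepted set rather than replacing id-pkinit-KPClientAuth.
        return EKU_SC_LOGON in cert.ekus or EKU_KPCLIENTAUTH in cert.ekus
    raise ValueError(f"unrecognized pkinit_eku_checking value {mode!r}")


def san_binds_principal(cert: ClientCert, opts: PkinitOptions, principal: str) -> bool:
    """SAN checking cannot be turned off; a UPN SAN only counts with allow_upn.

    Names are compared by exact string equality, a simplification."""
    if cert.sans.get(SAN_PKINIT) == principal:
        return True
    return opts.pkinit_allow_upn and cert.sans.get(SAN_UPN) == principal


def revocation_acceptable(cert: ClientCert, opts: PkinitOptions, crl_issuers) -> bool:
    """crl_issuers: the CAs for which CRL information is available to the KDC."""
    if cert.issuer in crl_issuers:
        return not cert.revoked  # a CRL match always fails verification
    # No CRL for the issuing CA: fails only when CRL checking is required.
    return not opts.pkinit_require_crl_checking


def accept_client_cert(cert, opts, principal, crl_issuers=frozenset()):
    """Combine the three checks; returns (accepted, reason). The ordering of
    the checks is this example's, not necessarily the KDC's."""
    if not eku_acceptable(cert, opts):
        return False, "eku"
    if not san_binds_principal(cert, opts, principal):
        return False, "san"
    if not revocation_acceptable(cert, opts, crl_issuers):
        return False, "revocation"
    return True, "ok"
```
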

**pkinit_require_freshness**
    Specifies whether to require clients to include a freshness token
    in PKINIT requests. The default value is false. (New in release
    1.17.)


.. _Encryption_types:

Encryption types
----------------

Any tag in the configuration files which requires a list of encryption
types can be set to some combination of the following strings.
Encryption types marked as "weak" are available for compatibility but
not recommended for use.

==================================================== =========================================================
des3-cbc-raw                                         Triple DES cbc mode raw (weak)
des3-cbc-sha1 des3-hmac-sha1 des3-cbc-sha1-kd        Triple DES cbc mode with HMAC/sha1
aes256-cts-hmac-sha1-96 aes256-cts aes256-sha1       AES-256 CTS mode with 96-bit SHA-1 HMAC
aes128-cts-hmac-sha1-96 aes128-cts aes128-sha1       AES-128 CTS mode with 96-bit SHA-1 HMAC
aes256-cts-hmac-sha384-192 aes256-sha2               AES-256 CTS mode with 192-bit SHA-384 HMAC
aes128-cts-hmac-sha256-128 aes128-sha2               AES-128 CTS mode with 128-bit SHA-256 HMAC
arcfour-hmac rc4-hmac arcfour-hmac-md5               RC4 with HMAC/MD5
arcfour-hmac-exp rc4-hmac-exp arcfour-hmac-md5-exp   Exportable RC4 with HMAC/MD5 (weak)
camellia256-cts-cmac camellia256-cts                 Camellia-256 CTS mode with CMAC
camellia128-cts-cmac camellia128-cts                 Camellia-128 CTS mode with CMAC
des3                                                 The triple DES family: des3-cbc-sha1
aes                                                  The AES family: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha384-192, and aes128-cts-hmac-sha256-128
rc4                                                  The RC4 family: arcfour-hmac
camellia                                             The Camellia family: camellia256-cts-cmac and camellia128-cts-cmac
==================================================== =========================================================

The string **DEFAULT** can be used to refer to the default set of
types for the variable in question. Types or families can be removed
from the current list by prefixing them with a minus sign ("-").
Types or families can be prefixed with a plus sign ("+") for symmetry;
it has the same meaning as just listing the type or family. For
example, "``DEFAULT -rc4``" would be the default set of encryption
types with RC4 types removed, and "``des3 DEFAULT``" would be the
default set of encryption types with triple DES types moved to the
front.

While **aes128-cts** and **aes256-cts** are supported for all Kerberos
operations, they are not supported by very old versions of our GSSAPI
implementation (krb5-1.3.1 and earlier). Services running versions of
krb5 without AES support must not be given keys of these encryption
types in the KDC database.

The **aes128-sha2** and **aes256-sha2** encryption types are new in
release 1.15. Services running versions of krb5 without support for
these newer encryption types must not be given keys of these
encryption types in the KDC database.


.. _Keysalt_lists:

Keysalt lists
-------------

Kerberos keys for users are usually derived from passwords. Kerberos
commands and configuration parameters that affect generation of keys
take lists of enctype-salttype ("keysalt") pairs, known as *keysalt
lists*. Each keysalt pair is an enctype name followed by a salttype
name, in the format *enc*:*salt*. Individual keysalt list members are
separated by comma (",") characters or space characters. For example::

    kadmin -e aes256-cts:normal,aes128-cts:normal

would start up kadmin so that by default it would generate
password-derived keys for the **aes256-cts** and **aes128-cts**
encryption types, using a **normal** salt.

To ensure that people who happen to pick the same password do not have
the same key, Kerberos 5 incorporates more information into the key
using something called a salt. The supported salt types are as
follows:

================= ============================================
normal            default for Kerberos Version 5
norealm           same as the default, without using realm information
onlyrealm         uses only realm information as the salt
special           generate a random salt
================= ============================================
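
The keysalt list format described in this section and the enctype list
syntax from the Encryption types section above, as one added Python example
that is not code from the krb5 project: the alias and family tables are
transcribed from the encryption types table, and ``SAMPLE_DEFAULT`` is a
constructed stand-in for ``DEFAULT``, whose real contents depend on the
variable being set.

```python
# Alias rows transcribed from the encryption type table above; the first
# name in each row is used as the canonical name.
_ALIAS_ROWS = [
    ("des3-cbc-raw",),
    ("des3-cbc-sha1", "des3-hmac-sha1", "des3-cbc-sha1-kd"),
    ("aes256-cts-hmac-sha1-96", "aes256-cts", "aes256-sha1"),
    ("aes128-cts-hmac-sha1-96", "aes128-cts", "aes128-sha1"),
    ("aes256-cts-hmac-sha384-192", "aes256-sha2"),
    ("aes128-cts-hmac-sha256-128", "aes128-sha2"),
    ("arcfour-hmac", "rc4-hmac", "arcfour-hmac-md5"),
    ("arcfour-hmac-exp", "rc4-hmac-exp", "arcfour-hmac-md5-exp"),
    ("camellia256-cts-cmac", "camellia256-cts"),
    ("camellia128-cts-cmac", "camellia128-cts"),
]
CANONICAL = {alias: row[0] for row in _ALIAS_ROWS for alias in row}

# Family names and their members, as listed in the table.
FAMILIES = {
    "des3": ["des3-cbc-sha1"],
    "aes": ["aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96",
            "aes256-cts-hmac-sha384-192", "aes128-cts-hmac-sha256-128"],
    "rc4": ["arcfour-hmac"],
    "camellia": ["camellia256-cts-cmac", "camellia128-cts-cmac"],
}
WEAK = frozenset({"des3-cbc-raw", "arcfour-hmac-exp"})  # marked "(weak)" above
SALT_TYPES = frozenset({"normal", "norealm", "onlyrealm", "special"})

# Constructed stand-in for DEFAULT; the real default set depends on the
# variable being configured and on the krb5 release.
SAMPLE_DEFAULT = FAMILIES["aes"] + FAMILIES["camellia"] + FAMILIES["rc4"]


def canonical_enctype(name: str) -> str:
    """Map any alias from the table to its canonical name (case-insensitive)."""
    try:
        return CANONICAL[name.lower()]
    except KeyError:
        raise ValueError(f"unknown encryption type {name!r}") from None


def expand_enctypes(spec: str, default: list) -> list:
    """Expand a list such as 'DEFAULT -rc4' or 'des3 DEFAULT'.

    Tokens are processed left to right: DEFAULT and family names expand to
    their members, '-' removes from the list built so far, and '+' (or no
    prefix) appends what is not already present."""
    result = []
    for token in spec.split():
        op, name = "+", token
        if token[0] in "+-":
            op, name = token[0], token[1:]
        if name == "DEFAULT":
            members = list(default)
        elif name.lower() in FAMILIES:
            members = FAMILIES[name.lower()]
        else:
            members = [canonical_enctype(name)]
        if op == "-":
            result = [e for e in result if e not in members]
        else:
            for e in members:
                if e not in result:
                    result.append(e)
    return result


def weak_enctypes(enctypes: list) -> list:
    """Return the members of an expanded list that the table marks weak."""
    return [e for e in enctypes if e in WEAK]


def parse_keysalt_list(spec: str) -> list:
    """Parse 'enc:salt' pairs separated by commas or spaces into tuples."""
    pairs = []
    for item in spec.replace(",", " ").split():
        enc, sep, salt = item.partition(":")
        if not sep or salt not in SALT_TYPES:
            raise ValueError(f"bad keysalt pair {item!r}")
        pairs.append((canonical_enctype(enc), salt))
    return pairs
```
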


Sample kdc.conf File
--------------------

Here's an example of a kdc.conf file::

    [kdcdefaults]
        kdc_listen = 88
        kdc_tcp_listen = 88
    [realms]
        ATHENA.MIT.EDU = {
            kadmind_port = 749
            max_life = 12h 0m 0s
            max_renewable_life = 7d 0h 0m 0s
            master_key_type = aes256-cts-hmac-sha1-96
            supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal
            database_module = openldap_ldapconf
        }

    [logging]
        kdc = FILE:/usr/local/var/krb5kdc/kdc.log
        admin_server = FILE:/usr/local/var/krb5kdc/kadmin.log

    [dbdefaults]
        ldap_kerberos_container_dn = cn=krbcontainer,dc=mit,dc=edu

    [dbmodules]
        openldap_ldapconf = {
            db_library = kldap
            disable_last_success = true
            ldap_kdc_dn = "cn=krbadmin,dc=mit,dc=edu"
                # this object needs to have read rights on
                # the realm container and principal subtrees
            ldap_kadmind_dn = "cn=krbadmin,dc=mit,dc=edu"
                # this object needs to have read and write rights on
                # the realm container and principal subtrees
            ldap_service_password_file = /etc/kerberos/service.keyfile
            ldap_servers = ldaps://kerberos.mit.edu
            ldap_conns_per_server = 5
        }


FILES
------

|kdcdir|\ ``/kdc.conf``


SEE ALSO
---------

:ref:`krb5.conf(5)`, :ref:`krb5kdc(8)`, :ref:`kadm5.acl(5)`