.. _krb5.conf(5):

krb5.conf
=========

The krb5.conf file contains Kerberos configuration information,
including the locations of KDCs and admin servers for the Kerberos
realms of interest, defaults for the current realm and for Kerberos
applications, and mappings of hostnames onto Kerberos realms.
Normally, you should install your krb5.conf file in the directory
``/etc``. You can override the default location by setting the
environment variable **KRB5_CONFIG**. Multiple colon-separated
filenames may be specified in **KRB5_CONFIG**; all files which are
present will be read. Starting in release 1.14, directory names can
also be specified in **KRB5_CONFIG**; all files within the directory
whose names consist solely of alphanumeric characters, dashes, or
underscores will be read.


Structure
---------

The krb5.conf file is set up in the style of a Windows INI file.
Lines beginning with '#' or ';' (possibly after initial whitespace)
are ignored as comments. Sections are headed by the section name, in
square brackets. Each section may contain zero or more relations, of
the form::

    foo = bar

or::

    fubar = {
        foo = bar
        baz = quux
    }

Placing a '\*' after the closing bracket of a section name indicates
that the section is *final*, meaning that if the same section appears
within a later file specified in **KRB5_CONFIG**, it will be ignored.
A subsection can be marked as final by placing a '\*' after either the
tag name or the closing brace.

The krb5.conf file can include other files using either of the
following directives at the beginning of a line::

    include FILENAME
    includedir DIRNAME

*FILENAME* or *DIRNAME* should be an absolute path. The named file or
directory must exist and be readable. Including a directory includes
all files within the directory whose names consist solely of
alphanumeric characters, dashes, or underscores. Starting in release
1.15, files with names ending in ".conf" are also included, unless the
name begins with ".". Included profile files are syntactically
independent of their parents, so each included file must begin with a
section header. Starting in release 1.17, files are read in
alphanumeric order; in previous releases, they may be read in any
order.

The krb5.conf file can specify that configuration should be obtained
from a loadable module, rather than the file itself, using the
following directive at the beginning of a line before any section
headers::

    module MODULEPATH:RESIDUAL

*MODULEPATH* may be relative to the library path of the krb5
installation, or it may be an absolute path. *RESIDUAL* is provided
to the module at initialization time. If krb5.conf uses a module
directive, :ref:`kdc.conf(5)` should also use one if it exists.
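
The relation, subsection and *final* marker rules above, worked through in Python. This is an added example, not code from the krb5 distribution or its profile library: a parser for the INI-style format that records ``[section]*``, ``tag* = {`` and ``}*``, and a merge step that applies the "later file is ignored" rule to several files given in **KRB5_CONFIG** order. The ``include``, ``includedir`` and ``module`` directives are not handled, and the two sample files are constructed.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Node:
    values: dict = field(default_factory=dict)  # tag -> list of str or Node
    final: bool = False       # the '*' marker: later files may not extend it

    def add(self, tag, value):
        self.values.setdefault(tag, []).append(value)

_SECTION = re.compile(r"^\[([^\]]+)\](\*?)$")      # [name]  or  [name]*
_OPEN = re.compile(r"^([^=]+?)\s*(\*?)\s*=\s*\{$")  # tag = {  or  tag* = {
_CLOSE = re.compile(r"^\}(\*?)$")                  # }  or  }*
_RELATION = re.compile(r"^([^=]+?)\s*=\s*(.*)$")    # tag = value

def parse_profile(text):
    """Parse one file into {section_name: Node}; include/module directives are not handled."""
    sections, stack, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":           # blank or comment line
            continue
        m = _SECTION.match(line)
        if m and not stack:
            current = sections.setdefault(m.group(1), Node())
            current.final = current.final or m.group(2) == "*"
            continue
        if current is None:
            raise ValueError("relation before any section header: %r" % raw)
        if m := _CLOSE.match(line):
            node = stack.pop()                    # IndexError if unbalanced
            node.final = node.final or m.group(1) == "*"
            continue
        target = stack[-1] if stack else current
        if m := _OPEN.match(line):
            node = Node(final=m.group(2) == "*")
            target.add(m.group(1), node)
            stack.append(node)
        elif m := _RELATION.match(line):
            target.add(m.group(1), m.group(2))
        else:
            raise ValueError("unparseable line: %r" % raw)
    return sections

def merge_profiles(parsed_files):
    """Merge per-file results in KRB5_CONFIG order; a final (sub)section hides later same-named ones."""
    merged = {}
    for sections in parsed_files:
        for name, node in sections.items():
            if name not in merged:
                merged[name] = node
            elif not merged[name].final:
                _merge_into(merged[name], node)
    return merged

def _merge_into(into, new):
    for tag, vals in new.values.items():
        for v in vals:
            have = into.values.get(tag, [])
            if isinstance(v, Node) and have and isinstance(have[-1], Node):
                if not have[-1].final:            # a final subsection hides v
                    _merge_into(have[-1], v)
                continue
            into.add(tag, v)
    into.final = into.final or new.final

def lookup(sections, section, *path):
    """String values at section/path, e.g. ('realms', 'EXAMPLE.COM', 'kdc')."""
    nodes = [sections[section]] if section in sections else []
    for tag in path[:-1]:
        nodes = [v for n in nodes for v in n.values.get(tag, []) if isinstance(v, Node)]
    return [v for n in nodes for v in n.values.get(path[-1], []) if isinstance(v, str)]

# Constructed samples in KRB5_CONFIG order: SITE_CONF's [libdefaults] is final
# and OTHER.EXAMPLE closes with '}*', so LOCAL_CONF may only extend EXAMPLE.COM.
SITE_CONF = """\
[libdefaults]*
    default_realm = EXAMPLE.COM
[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com
    }
    OTHER.EXAMPLE = {
        kdc = kdc.other.example
    }*
"""
LOCAL_CONF = """\
[libdefaults]
    default_realm = OVERRIDE.EXAMPLE
[realms]
    EXAMPLE.COM = {
        kdc = kdc2.example.com
    }
    OTHER.EXAMPLE = {
        kdc = kdc2.other.example
    }
"""
```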
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
Sections
|
|
Packit |
fd8b60 |
--------
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
The krb5.conf file may contain the following sections:
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
=================== =======================================================
|
|
Packit |
fd8b60 |
:ref:`libdefaults` Settings used by the Kerberos V5 library
|
|
Packit |
fd8b60 |
:ref:`realms` Realm-specific contact information and settings
|
|
Packit |
fd8b60 |
:ref:`domain_realm` Maps server hostnames to Kerberos realms
|
|
Packit |
fd8b60 |
:ref:`capaths` Authentication paths for non-hierarchical cross-realm
|
|
Packit |
fd8b60 |
:ref:`appdefaults` Settings used by some Kerberos V5 applications
|
|
Packit |
fd8b60 |
:ref:`plugins` Controls plugin module registration
|
|
Packit |
fd8b60 |
=================== =======================================================
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
Additionally, krb5.conf may include any of the relations described in
|
|
Packit |
fd8b60 |
:ref:`kdc.conf(5)`, but it is not a recommended practice.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
.. _libdefaults:
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
[libdefaults]
|
|
Packit |
fd8b60 |
~~~~~~~~~~~~~
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
The libdefaults section may contain any of the following relations:
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
**allow_weak_crypto**
|
|
Packit |
fd8b60 |
If this flag is set to false, then weak encryption types (as noted
|
|
Packit |
fd8b60 |
in :ref:`Encryption_types` in :ref:`kdc.conf(5)`) will be filtered
|
|
Packit |
fd8b60 |
out of the lists **default_tgs_enctypes**,
|
|
Packit |
fd8b60 |
**default_tkt_enctypes**, and **permitted_enctypes**. The default
|
|
Packit |
fd8b60 |
value for this tag is false.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
**canonicalize**
|
|
Packit |
fd8b60 |
If this flag is set to true, initial ticket requests to the KDC
|
|
Packit |
fd8b60 |
will request canonicalization of the client principal name, and
|
|
Packit |
fd8b60 |
answers with different client principals than the requested
|
|
Packit |
fd8b60 |
principal will be accepted. The default value is false.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
**ccache_type**
|
|
Packit |
fd8b60 |
This parameter determines the format of credential cache types
|
|
Packit |
fd8b60 |
created by :ref:`kinit(1)` or other programs. The default value
|
|
Packit |
fd8b60 |
is 4, which represents the most current format. Smaller values
|
|
Packit |
fd8b60 |
can be used for compatibility with very old implementations of
|
|
Packit |
fd8b60 |
Kerberos which interact with credential caches on the same host.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
**clockskew**
|
|
Packit |
fd8b60 |
Sets the maximum allowable amount of clockskew in seconds that the
|
|
Packit |
fd8b60 |
library will tolerate before assuming that a Kerberos message is
|
|
Packit |
fd8b60 |
invalid. The default value is 300 seconds, or five minutes.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
The clockskew setting is also used when evaluating ticket start
|
|
Packit |
fd8b60 |
and expiration times. For example, tickets that have reached
|
|
Packit |
fd8b60 |
their expiration time can still be used (and renewed if they are
|
|
Packit |
fd8b60 |
renewable tickets) if they have been expired for a shorter
|
|
Packit |
fd8b60 |
duration than the **clockskew** setting.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
**default_ccache_name**
|
|
Packit |
fd8b60 |
This relation specifies the name of the default credential cache.
|
|
Packit |
fd8b60 |
The default is |ccache|. This relation is subject to parameter
|
|
Packit |
fd8b60 |
expansion (see below). New in release 1.11.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
**default_client_keytab_name**
|
|
Packit |
fd8b60 |
This relation specifies the name of the default keytab for
|
|
Packit |
fd8b60 |
obtaining client credentials. The default is |ckeytab|. This
|
|
Packit |
fd8b60 |
relation is subject to parameter expansion (see below).
|
|
Packit |
fd8b60 |
New in release 1.11.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
**default_keytab_name**
|
|
Packit |
fd8b60 |
This relation specifies the default keytab name to be used by
|
|
Packit |
fd8b60 |
application servers such as sshd. The default is |keytab|. This
|
|
Packit |
fd8b60 |
relation is subject to parameter expansion (see below).
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
**default_rcache_name**
|
|
Packit |
fd8b60 |
This relation specifies the name of the default replay cache.
|
|
Packit |
fd8b60 |
The default is ``dfl:``. This relation is subject to parameter
|
|
Packit |
fd8b60 |
expansion (see below). New in release 1.18.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
**default_realm**
|
|
Packit |
fd8b60 |
Identifies the default Kerberos realm for the client. Set its
|
|
Packit |
fd8b60 |
value to your Kerberos realm. If this value is not set, then a
|
|
Packit |
fd8b60 |
realm must be specified with every Kerberos principal when
|
|
Packit |
fd8b60 |
invoking programs such as :ref:`kinit(1)`.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
**default_tgs_enctypes**
|
|
Packit |
fd8b60 |
Identifies the supported list of session key encryption types that
|
|
Packit |
fd8b60 |
the client should request when making a TGS-REQ, in order of
|
|
Packit |
fd8b60 |
preference from highest to lowest. The list may be delimited with
|
|
Packit |
fd8b60 |
commas or whitespace. See :ref:`Encryption_types` in
|
|
Packit |
fd8b60 |
:ref:`kdc.conf(5)` for a list of the accepted values for this tag.
|
|
Packit |
fd8b60 |
Starting in release 1.18, the default value is the value of
|
|
Packit |
fd8b60 |
**permitted_enctypes**. For previous releases or if
|
|
Packit |
fd8b60 |
**permitted_enctypes** is not set, the default value is
|
|
Packit |
fd8b60 |
|defetypes|.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
Do not set this unless required for specific backward
|
|
Packit |
fd8b60 |
compatibility purposes; stale values of this setting can prevent
|
|
Packit |
fd8b60 |
clients from taking advantage of new stronger enctypes when the
|
|
Packit |
fd8b60 |
libraries are upgraded.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
**default_tkt_enctypes**
|
|
Packit |
fd8b60 |
Identifies the supported list of session key encryption types that
|
|
Packit |
fd8b60 |
the client should request when making an AS-REQ, in order of
|
|
Packit |
fd8b60 |
preference from highest to lowest. The format is the same as for
|
|
Packit |
fd8b60 |
default_tgs_enctypes. Starting in release 1.18, the default
|
|
Packit |
fd8b60 |
value is the value of **permitted_enctypes**. For previous
|
|
Packit |
fd8b60 |
releases or if **permitted_enctypes** is not set, the default
|
|
Packit |
fd8b60 |
value is |defetypes|.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
Do not set this unless required for specific backward
|
|
Packit |
fd8b60 |
compatibility purposes; stale values of this setting can prevent
|
|
Packit |
fd8b60 |
clients from taking advantage of new stronger enctypes when the
|
|
Packit |
fd8b60 |
libraries are upgraded.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
**dns_canonicalize_hostname**
|
|
Packit |
fd8b60 |
Indicate whether name lookups will be used to canonicalize
|
|
Packit |
fd8b60 |
hostnames for use in service principal names. Setting this flag
|
|
Packit |
fd8b60 |
to false can improve security by reducing reliance on DNS, but
|
|
Packit |
fd8b60 |
means that short hostnames will not be canonicalized to
|
|
Packit |
fd8b60 |
fully-qualified hostnames. The default value is true.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
If this option is set to ``fallback`` (new in release 1.18), DNS
|
|
Packit |
fd8b60 |
canonicalization will only be performed the server hostname is not
|
|
Packit |
fd8b60 |
found with the original name when requesting credentials.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
**dns_lookup_kdc**
|
|
Packit |
fd8b60 |
Indicate whether DNS SRV records should be used to locate the KDCs
|
|
Packit |
fd8b60 |
and other servers for a realm, if they are not listed in the
|
|
Packit |
fd8b60 |
krb5.conf information for the realm. (Note that the admin_server
|
|
Packit |
fd8b60 |
entry must be in the krb5.conf realm information in order to
|
|
Packit |
fd8b60 |
contact kadmind, because the DNS implementation for kadmin is
|
|
Packit |
fd8b60 |
incomplete.)
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
Enabling this option does open up a type of denial-of-service
|
|
Packit |
fd8b60 |
attack, if someone spoofs the DNS records and redirects you to
|
|
Packit |
fd8b60 |
another server. However, it's no worse than a denial of service,
|
|
Packit |
fd8b60 |
because that fake KDC will be unable to decode anything you send
|
|
Packit |
fd8b60 |
it (besides the initial ticket request, which has no encrypted
|
|
Packit |
fd8b60 |
data), and anything the fake KDC sends will not be trusted without
|
|
Packit |
fd8b60 |
verification using some secret that it won't know.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
**dns_uri_lookup**
|
|
Packit |
fd8b60 |
Indicate whether DNS URI records should be used to locate the KDCs
|
|
Packit |
fd8b60 |
and other servers for a realm, if they are not listed in the
|
|
Packit |
fd8b60 |
krb5.conf information for the realm. SRV records are used as a
|
|
Packit |
fd8b60 |
fallback if no URI records were found. The default value is true.
|
|
Packit |
fd8b60 |
New in release 1.15.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
**enforce_ok_as_delegate**
|
|
Packit |
fd8b60 |
If this flag to true, GSSAPI credential delegation will be
|
|
Packit |
fd8b60 |
disabled when the ``ok-as-delegate`` flag is not set in the
|
|
Packit |
fd8b60 |
service ticket. If this flag is false, the ``ok-as-delegate``
|
|
Packit |
fd8b60 |
ticket flag is only enforced when an application specifically
|
|
Packit |
fd8b60 |
requests enforcement. The default value is false.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
**err_fmt**
|
|
Packit |
fd8b60 |
This relation allows for custom error message formatting. If a
|
|
Packit |
fd8b60 |
value is set, error messages will be formatted by substituting a
|
|
Packit |
fd8b60 |
normal error message for %M and an error code for %C in the value.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
**extra_addresses**
|
|
Packit |
fd8b60 |
This allows a computer to use multiple local addresses, in order
|
|
Packit |
fd8b60 |
to allow Kerberos to work in a network that uses NATs while still
|
|
Packit |
fd8b60 |
using address-restricted tickets. The addresses should be in a
|
|
Packit |
fd8b60 |
comma-separated list. This option has no effect if
|
|
Packit |
fd8b60 |
**noaddresses** is true.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
**forwardable**
|
|
Packit |
fd8b60 |
If this flag is true, initial tickets will be forwardable by
|
|
Packit |
fd8b60 |
default, if allowed by the KDC. The default value is false.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
**ignore_acceptor_hostname**
|
|
Packit |
fd8b60 |
When accepting GSSAPI or krb5 security contexts for host-based
|
|
Packit |
fd8b60 |
service principals, ignore any hostname passed by the calling
|
|
Packit |
fd8b60 |
application, and allow clients to authenticate to any service
|
|
Packit |
fd8b60 |
principal in the keytab matching the service name and realm name
|
|
Packit |
fd8b60 |
(if given). This option can improve the administrative
|
|
Packit |
fd8b60 |
flexibility of server applications on multihomed hosts, but could
|
|
Packit |
fd8b60 |
compromise the security of virtual hosting environments. The
|
|
Packit |
fd8b60 |
default value is false. New in release 1.10.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
**k5login_authoritative**
|
|
Packit |
fd8b60 |
If this flag is true, principals must be listed in a local user's
|
|
Packit |
fd8b60 |
k5login file to be granted login access, if a :ref:`.k5login(5)`
|
|
Packit |
fd8b60 |
file exists. If this flag is false, a principal may still be
|
|
Packit |
fd8b60 |
granted login access through other mechanisms even if a k5login
|
|
Packit |
fd8b60 |
file exists but does not list the principal. The default value is
|
|
Packit |
fd8b60 |
true.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
**k5login_directory**
|
|
Packit |
fd8b60 |
If set, the library will look for a local user's k5login file
|
|
Packit |
fd8b60 |
within the named directory, with a filename corresponding to the
|
|
Packit |
fd8b60 |
local username. If not set, the library will look for k5login
|
|
Packit |
fd8b60 |
files in the user's home directory, with the filename .k5login.
|
|
Packit |
fd8b60 |
For security reasons, .k5login files must be owned by
|
|
Packit |
fd8b60 |
the local user or by root.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
**kcm_mach_service**
|
|
Packit |
fd8b60 |
On macOS only, determines the name of the bootstrap service used to
|
|
Packit |
fd8b60 |
contact the KCM daemon for the KCM credential cache type. If the
|
|
Packit |
fd8b60 |
value is ``-``, Mach RPC will not be used to contact the KCM
|
|
Packit |
fd8b60 |
daemon. The default value is ``org.h5l.kcm``.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
**kcm_socket**
|
|
Packit |
fd8b60 |
Determines the path to the Unix domain socket used to access the
|
|
Packit |
fd8b60 |
KCM daemon for the KCM credential cache type. If the value is
|
|
Packit |
fd8b60 |
``-``, Unix domain sockets will not be used to contact the KCM
|
|
Packit |
fd8b60 |
daemon. The default value is
|
|
Packit |
fd8b60 |
``/var/run/.heim_org.h5l.kcm-socket``.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
**kdc_default_options**
|
|
Packit |
fd8b60 |
Default KDC options (Xored for multiple values) when requesting
|
|
Packit |
fd8b60 |
initial tickets. By default it is set to 0x00000010
|
|
Packit |
fd8b60 |
(KDC_OPT_RENEWABLE_OK).
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
**kdc_timesync**
|
|
Packit |
fd8b60 |
Accepted values for this relation are 1 or 0. If it is nonzero,
|
|
Packit |
fd8b60 |
client machines will compute the difference between their time and
|
|
Packit |
fd8b60 |
the time returned by the KDC in the timestamps in the tickets and
|
|
Packit |
fd8b60 |
use this value to correct for an inaccurate system clock when
|
|
Packit |
fd8b60 |
requesting service tickets or authenticating to services. This
|
|
Packit |
fd8b60 |
corrective factor is only used by the Kerberos library; it is not
|
|
Packit |
fd8b60 |
used to change the system clock. The default value is 1.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
**noaddresses**
|
|
Packit |
fd8b60 |
If this flag is true, requests for initial tickets will not be
|
|
Packit |
fd8b60 |
made with address restrictions set, allowing the tickets to be
|
|
Packit |
fd8b60 |
used across NATs. The default value is true.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
**permitted_enctypes**
|
|
Packit |
fd8b60 |
Identifies the encryption types that servers will permit for
|
|
Packit |
fd8b60 |
session keys and for ticket and authenticator encryption, ordered
|
|
Packit |
fd8b60 |
by preference from highest to lowest. Starting in release 1.18,
|
|
Packit |
fd8b60 |
this tag also acts as the default value for
|
|
Packit |
fd8b60 |
**default_tgs_enctypes** and **default_tkt_enctypes**. The
|
|
Packit |
fd8b60 |
default value for this tag is |defetypes|.
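
The defaulting rules documented under **allow_weak_crypto**, **default_tgs_enctypes**, **default_tkt_enctypes** and **permitted_enctypes**, carried through in an added example (not the library's own code), followed by a small audit of the other [libdefaults] settings this page marks as security-relevant. It assumes the section has already been parsed into a ``{tag: value}`` dict; the built-in list standing in for ``|defetypes|`` and the weak-type set are assumptions, not values from this page.

```python
import re

# Stand-in for the page's |defetypes| built-in list; the real list depends on
# the krb5 release (assumption, not taken from this page).
BUILTIN_DEFAULT_ENCTYPES = [
    "aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96",
    "aes256-cts-hmac-sha384-192", "aes128-cts-hmac-sha256-128",
    "camellia256-cts-cmac", "camellia128-cts-cmac",
]
# Types treated as weak: the single-DES family plus export RC4 (assumed here;
# the Encryption_types table in kdc.conf(5) is authoritative).
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-cbc-raw",
                 "des3-cbc-raw", "des-hmac-sha1", "arcfour-hmac-exp"}


def split_list(value):
    """Enctype lists may be delimited with commas or whitespace."""
    return [t for t in re.split(r"[\s,]+", value.strip()) if t]


def as_bool(value, default):
    """Profile booleans: y/yes/true/t/1/on are true, anything else is false."""
    if value is None:
        return default
    return value.strip().lower() in ("y", "yes", "true", "t", "1", "on")


def effective_enctypes(libdefaults, release=(1, 18)):
    """Return {'permitted': [...], 'tgs': [...], 'tkt': [...]} as the library
    would use them.  From 1.18 an unset default_tgs/tkt_enctypes inherits an
    explicit permitted_enctypes; unless allow_weak_crypto is true, weak types
    are dropped from all three lists.  libdefaults is a {tag: value} dict."""
    explicit = "permitted_enctypes" in libdefaults
    permitted = (split_list(libdefaults["permitted_enctypes"]) if explicit
                 else list(BUILTIN_DEFAULT_ENCTYPES))
    inherited = permitted if explicit and release >= (1, 18) else list(BUILTIN_DEFAULT_ENCTYPES)
    lists = {"permitted": permitted}
    for key, tag in (("tgs", "default_tgs_enctypes"), ("tkt", "default_tkt_enctypes")):
        lists[key] = split_list(libdefaults[tag]) if tag in libdefaults else list(inherited)
    if not as_bool(libdefaults.get("allow_weak_crypto"), False):
        lists = {k: [e for e in v if e not in WEAK_ENCTYPES] for k, v in lists.items()}
    return lists


def audit_libdefaults(libdefaults, release=(1, 18)):
    """Flag [libdefaults] settings this page documents as security-relevant.
    Returns (tag, finding) pairs; an empty list means nothing was flagged."""
    get, findings = libdefaults.get, []
    if as_bool(get("allow_weak_crypto"), False):
        findings.append(("allow_weak_crypto", "weak enctypes are not filtered out"))
    permitted = effective_enctypes(libdefaults, release)["permitted"]
    for tag in ("default_tgs_enctypes", "default_tkt_enctypes"):
        if tag in libdefaults:
            missing = [e for e in permitted if e not in split_list(libdefaults[tag])]
            if missing:
                findings.append((tag, "omits permitted types %s; a stale list blocks "
                                 "newer enctypes" % ", ".join(missing)))
    if as_bool(get("dns_canonicalize_hostname"), True):
        findings.append(("dns_canonicalize_hostname",
                         "service principal hostnames depend on DNS answers"))
    if as_bool(get("ignore_acceptor_hostname"), False):
        findings.append(("ignore_acceptor_hostname",
                         "any keytab entry for the service name is accepted"))
    if not as_bool(get("enforce_ok_as_delegate"), False):
        findings.append(("enforce_ok_as_delegate",
                         "ok-as-delegate is enforced only when the application asks"))
    skew = int(get("clockskew", "300"))
    if skew > 300:
        findings.append(("clockskew", "%d s exceeds the 300 s default; expired "
                         "tickets stay usable that long" % skew))
    return findings


# Constructed [libdefaults] as a parser would hand it over: one value per tag.
SAMPLE_LIBDEFAULTS = {
    "default_realm": "EXAMPLE.COM",
    "allow_weak_crypto": "false",
    "permitted_enctypes": "aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96, des-cbc-crc",
    "default_tgs_enctypes": "aes256-cts-hmac-sha1-96",
    "dns_canonicalize_hostname": "fallback",
    "enforce_ok_as_delegate": "true",
    "clockskew": "600",
}
```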

**plugin_base_dir**
    If set, determines the base directory where krb5 plugins are
    located. The default value is the ``krb5/plugins`` subdirectory
    of the krb5 library directory. This relation is subject to
    parameter expansion (see below) in release 1.17 and later.

**preferred_preauth_types**
    This allows you to set the preferred preauthentication types which
    the client will attempt before others which may be advertised by a
    KDC. The default value for this setting is "17, 16, 15, 14",
    which forces libkrb5 to attempt to use PKINIT if it is supported.

**proxiable**
    If this flag is true, initial tickets will be proxiable by
    default, if allowed by the KDC. The default value is false.

**qualify_shortname**
    If this string is set, it determines the domain suffix for
    single-component hostnames when DNS canonicalization is not used
    (either because **dns_canonicalize_hostname** is false or because
    forward canonicalization failed). The default value is the first
    search domain of the system's DNS configuration. To disable
    qualification of shortnames, set this relation to the empty string
    with ``qualify_shortname = ""``. (New in release 1.18.)

**rdns**
    If this flag is true, reverse name lookup will be used in addition
    to forward name lookup to canonicalize hostnames for use in
    service principal names. If **dns_canonicalize_hostname** is set
    to false, this flag has no effect. The default value is true.

**realm_try_domains**
    Indicate whether a host's domain components should be used to
    determine the Kerberos realm of the host. The value of this
    variable is an integer: -1 means not to search, 0 means to try the
    host's domain itself, 1 means to also try the domain's immediate
    parent, and so forth. The library's usual mechanism for locating
    Kerberos realms is used to determine whether a domain is a valid
    realm, which may involve consulting DNS if **dns_lookup_kdc** is
    set. The default is not to search domain components.

**renew_lifetime**
    (:ref:`duration` string.) Sets the default renewable lifetime
    for initial ticket requests. The default value is 0.

**spake_preauth_groups**
    A whitespace or comma-separated list of words which specifies the
    groups allowed for SPAKE preauthentication. The possible values
    are:

    ============ ================================
    edwards25519 Edwards25519 curve (:rfc:`7748`)
    P-256        NIST P-256 curve (:rfc:`5480`)
    P-384        NIST P-384 curve (:rfc:`5480`)
    P-521        NIST P-521 curve (:rfc:`5480`)
    ============ ================================

    The default value for the client is ``edwards25519``. The default
    value for the KDC is empty. New in release 1.17.

**ticket_lifetime**
    (:ref:`duration` string.) Sets the default lifetime for initial
    ticket requests. The default value is 1 day.

**udp_preference_limit**
    When sending a message to the KDC, the library will try using TCP
    before UDP if the size of the message is above
    **udp_preference_limit**. If the message is smaller than
    **udp_preference_limit**, then UDP will be tried before TCP.
    Regardless of the size, both protocols will be tried if the first
    attempt fails.

**verify_ap_req_nofail**
    If this flag is true, then an attempt to verify initial
    credentials will fail if the client machine does not have a
    keytab. The default value is false.

.. _realms:

[realms]
~~~~~~~~

Each tag in the [realms] section of the file is the name of a Kerberos
realm. The value of the tag is a subsection with relations that
define the properties of that particular realm. For each realm, the
following tags may be specified in the realm's subsection:

**admin_server**
    Identifies the host where the administration server is running.
    Typically, this is the master Kerberos server. This tag must be
    given a value in order to communicate with the :ref:`kadmind(8)`
    server for the realm.

**auth_to_local**
    This tag allows you to set a general rule for mapping principal
    names to local user names. It will be used if there is not an
    explicit mapping for the principal name that is being
    translated. The possible values are:

    **RULE:**\ *exp*
        The local name will be formulated from *exp*.

        The format for *exp* is **[**\ *n*\ **:**\ *string*\ **](**\
        *regexp*\ **)s/**\ *pattern*\ **/**\ *replacement*\ **/g**.
        The integer *n* indicates how many components the target
        principal should have. If this matches, then a string will be
        formed from *string*, substituting the realm of the principal
        for ``$0`` and the *n*'th component of the principal for
        ``$n`` (e.g., if the principal was ``johndoe/admin`` then
        ``[2:$2$1foo]`` would result in the string
        ``adminjohndoefoo``). If this string matches *regexp*, then
        the ``s//[g]`` substitution command will be run over the
        string. The optional **g** will cause the substitution to be
        global over the *string*, instead of replacing only the first
        match in the *string*.

    **DEFAULT**
        The principal name will be used as the local user name. If
        the principal has more than one component or is not in the
        default realm, this rule is not applicable and the conversion
        will fail.

    For example::

        [realms]
            ATHENA.MIT.EDU = {
                auth_to_local = RULE:[2:$1](johndoe)s/^.*$/guest/
                auth_to_local = RULE:[2:$1;$2](^.*;admin$)s/;admin$//
                auth_to_local = RULE:[2:$2](^.*;root)s/^.*$/root/
                auth_to_local = DEFAULT
            }

    would result in any principal without ``root`` or ``admin`` as the
    second component to be translated with the default rule. A
    principal with a second component of ``admin`` will become its
    first component. ``root`` will be used as the local name for any
    principal with a second component of ``root``. The exception to
    these two rules is any principal ``johndoe/*``, which will
    always get the local name ``guest``.
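
The **RULE** and **DEFAULT** evaluation described above, as an added example rather than the library's own implementation: it forms the string from ``[n:string]``, accepts *regexp* only when it matches the entire formed string (as MIT krb5 requires; it uses POSIX extended regexps, for which Python's ``re`` is assumed to be close enough here), runs the optional ``s///`` substitution and otherwise falls through to the next rule. Escaped ``/`` or ``@`` in principal names are not handled.

```python
import re

# RULE:[n:string](regexp)s/pattern/replacement/g  (the s/// part is optional)
_RULE = re.compile(r"^\[(\d+):([^\]]*)\]\((.*)\)(?:s/(.*?)/(.*?)/(g?))?$")


def apply_rule(rule, principal, default_realm):
    """Apply one auth_to_local value to a principal such as 'user/inst@REALM'.
    Returns the local name, or None when the rule does not apply (the next
    rule in the realm's list is then consulted)."""
    name, sep, realm = principal.rpartition("@")
    if not sep:                                   # no realm given: assume the default
        name, realm = principal, default_realm
    comps = name.split("/")                       # escaped '/' or '@' not handled
    if rule == "DEFAULT":
        # Only a single-component principal in the default realm maps as-is.
        return comps[0] if len(comps) == 1 and realm == default_realm else None
    if not rule.startswith("RULE:"):
        raise ValueError("unsupported auth_to_local value: %r" % rule)
    m = _RULE.match(rule[len("RULE:"):])
    if m is None:
        raise ValueError("malformed RULE: %r" % rule)
    n, template, regexp, pattern, replacement, g = m.groups()
    if len(comps) != int(n):                      # [n:...] selects by component count
        return None
    # $0 is the realm, $1..$n the components (KeyError if a $k exceeds n).
    subs = {"0": realm, **{str(i + 1): c for i, c in enumerate(comps)}}
    formed = re.sub(r"\$(\d)", lambda k: subs[k.group(1)], template)
    # MIT krb5 only accepts a regexp match that covers the whole formed string;
    # it uses POSIX extended regexps, for which Python's re is assumed close enough.
    if re.fullmatch(regexp, formed) is None:
        return None
    if pattern is None:
        return formed
    return re.sub(pattern, replacement, formed, count=0 if g else 1)


def auth_to_local(rules, principal, default_realm):
    """Try a realm's auth_to_local values in order; None means the conversion fails."""
    for rule in rules:
        local = apply_rule(rule, principal, default_realm)
        if local is not None:
            return local
    return None


# The ATHENA.MIT.EDU example from this page, in the order the library tries them.
ATHENA_RULES = [
    "RULE:[2:$1](johndoe)s/^.*$/guest/",
    "RULE:[2:$1;$2](^.*;admin$)s/;admin$//",
    "RULE:[2:$2](^.*;root)s/^.*$/root/",
    "DEFAULT",
]
```

The ``bob/root`` case shows that the page's third rule forms its string from ``$2`` alone, so ``^.*;root`` never matches; ``RULE:[2:$1;$2](^.*;root$)s/^.*$/root/`` is the form that maps such principals to ``root``.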
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
**auth_to_local_names**
|
|
Packit |
fd8b60 |
This subsection allows you to set explicit mappings from principal
|
|
Packit |
fd8b60 |
names to local user names. The tag is the mapping name, and the
|
|
Packit |
fd8b60 |
value is the corresponding local user name.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
**default_domain**
|
|
Packit |
fd8b60 |
This tag specifies the domain used to expand hostnames when
|
|
Packit |
fd8b60 |
translating Kerberos 4 service principals to Kerberos 5 principals
|
|
Packit |
fd8b60 |
(for example, when converting ``rcmd.hostname`` to
|
|
Packit |
fd8b60 |
``host/hostname.domain``).
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
**disable_encrypted_timestamp**
|
|
Packit |
fd8b60 |
If this flag is true, the client will not perform encrypted
|
|
Packit |
fd8b60 |
timestamp preauthentication if requested by the KDC. Setting this
|
|
Packit |
fd8b60 |
flag can help to prevent dictionary attacks by active attackers,
|
|
Packit |
fd8b60 |
if the realm's KDCs support SPAKE preauthentication or if initial
|
|
Packit |
fd8b60 |
authentication always uses another mechanism or always uses FAST.
|
|
Packit |
fd8b60 |
This flag persists across client referrals during initial
|
|
Packit |
fd8b60 |
authentication. This flag does not prevent the KDC from offering
|
|
Packit |
fd8b60 |
encrypted timestamp. New in release 1.17.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
**http_anchors**
|
|
Packit |
fd8b60 |
When KDCs and kpasswd servers are accessed through HTTPS proxies, this tag
|
|
Packit |
fd8b60 |
can be used to specify the location of the CA certificate which should be
|
|
Packit |
fd8b60 |
trusted to issue the certificate for a proxy server. If left unspecified,
|
|
Packit |
fd8b60 |
the system-wide default set of CA certificates is used.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
The syntax for values is similar to that of values for the
|
|
Packit |
fd8b60 |
**pkinit_anchors** tag:
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
**FILE:** *filename*
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
*filename* is assumed to be the name of an OpenSSL-style ca-bundle file.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
**DIR:** *dirname*
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
*dirname* is assumed to be an directory which contains CA certificates.
|
|
Packit |
fd8b60 |
All files in the directory will be examined; if they contain certificates
|
|
Packit |
fd8b60 |
(in PEM format), they will be used.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
**ENV:** *envvar*
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
*envvar* specifies the name of an environment variable which has been set
|
|
Packit |
fd8b60 |
to a value conforming to one of the previous values. For example,
|
|
Packit |
fd8b60 |
``ENV:X509_PROXY_CA``, where environment variable ``X509_PROXY_CA`` has
|
|
Packit |
fd8b60 |
been set to ``FILE:/tmp/my_proxy.pem``.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
**kdc**
|
|
Packit |
fd8b60 |
The name or address of a host running a KDC for that realm. An
|
|
Packit |
fd8b60 |
optional port number, separated from the hostname by a colon, may
|
|
Packit |
fd8b60 |
be included. If the name or address contains colons (for example,
|
|
Packit |
fd8b60 |
if it is an IPv6 address), enclose it in square brackets to
|
|
Packit |
fd8b60 |
distinguish the colon from a port separator. For your computer to
|
|
Packit |
fd8b60 |
be able to communicate with the KDC for each realm, this tag must
|
|
Packit |
fd8b60 |
be given a value in each realm subsection in the configuration
|
|
Packit |
fd8b60 |
file, or there must be DNS SRV records specifying the KDCs.

**kpasswd_server**
    Points to the server where all the password changes are performed.
    If there is no such entry, DNS will be queried (unless forbidden
    by **dns_lookup_kdc**). Finally, port 464 on the **admin_server**
    host will be tried.

**master_kdc**
    Identifies the master KDC(s). Currently, this tag is used in only
    one case: If an attempt to get credentials fails because of an
    invalid password, the client software will attempt to contact the
    master KDC, in case the user's password has just been changed, and
    the updated database has not been propagated to the replica
    servers yet.

**v4_instance_convert**
    This subsection allows the administrator to configure exceptions
    to the **default_domain** mapping rule. It contains V4 instances
    (the tag name) which should be translated to some specific
    hostname (the tag value) as the second component in a Kerberos V5
    principal name.

**v4_realm**
    This relation is used by the krb524 library routines when
    converting a V5 principal name to a V4 principal name. It is used
    when the V4 realm name and the V5 realm name are not the same, but
    still share the same principal names and passwords. The tag value
    is the Kerberos V4 realm name.


.. _domain_realm:

[domain_realm]
~~~~~~~~~~~~~~

The [domain_realm] section provides a translation from a domain name
or hostname to a Kerberos realm name. The tag name can be a host name
or domain name, where domain names are indicated by a prefix of a
period (``.``). The value of the relation is the Kerberos realm name
for that particular host or domain. A host name relation implicitly
provides the corresponding domain name relation, unless an explicit domain
name relation is provided. The Kerberos realm may be
identified either in the realms_ section or using DNS SRV records.
Host names and domain names should be in lower case. For example::

    [domain_realm]
        crash.mit.edu = TEST.ATHENA.MIT.EDU
        .dev.mit.edu = TEST.ATHENA.MIT.EDU
        mit.edu = ATHENA.MIT.EDU

maps the host with the name ``crash.mit.edu`` into the
``TEST.ATHENA.MIT.EDU`` realm. The second entry maps all hosts under the
domain ``dev.mit.edu`` into the ``TEST.ATHENA.MIT.EDU`` realm, but not
the host with the name ``dev.mit.edu``. That host is matched
by the third entry, which maps the host ``mit.edu`` and all hosts
under the domain ``mit.edu`` that do not match a preceding rule
into the realm ``ATHENA.MIT.EDU``.

If no translation entry applies to a hostname used for a service
principal for a service ticket request, the library will try to get a
referral to the appropriate realm from the client realm's KDC. If
that does not succeed, the host's realm is considered to be the
hostname's domain portion converted to uppercase, unless the
**realm_try_domains** setting in [libdefaults] causes a different
parent domain to be used.
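
The lookup order described above, as an added example in Python that is not part of the krb5 documentation or code base. The mapping is the sample ``[domain_realm]`` section from this page; the candidate-key order (full name, then each parent domain with its dot, then the same parent without the dot so that a host relation covers its subdomains) and the final uppercase-domain fallback follow the text, while the KDC referral step between them is deliberately left out. The function names and the ``realm_try_domains`` handling (not modelled) are the example's assumptions.

```python
# Added example, not krb5 code: resolve a hostname to a realm using the
# [domain_realm] lookup order described on this page.  The mapping below
# transcribes the page's sample section; the referral step is omitted.

DOMAIN_REALM = {
    "crash.mit.edu": "TEST.ATHENA.MIT.EDU",
    ".dev.mit.edu": "TEST.ATHENA.MIT.EDU",
    "mit.edu": "ATHENA.MIT.EDU",
}


def candidate_keys(hostname):
    """Yield [domain_realm] keys to try for hostname, most specific first.

    The full name is tried first, then each parent domain.  For every
    parent the dotted form (an explicit domain relation) is tried before
    the undotted form (the domain relation a host relation implies), so an
    explicit domain entry wins over an implicit one.
    """
    host = hostname.lower().rstrip(".")
    yield host
    pos = host.find(".")
    while pos != -1:
        yield host[pos:]        # e.g. ".dev.mit.edu"  (explicit domain relation)
        yield host[pos + 1:]    # e.g. "dev.mit.edu"   (implied by a host relation)
        pos = host.find(".", pos + 1)


def lookup_realm(hostname, mapping=DOMAIN_REALM):
    """Return the configured realm for hostname, or None if no entry applies."""
    for key in candidate_keys(hostname):
        if key in mapping:
            return mapping[key]
    return None


def host_realm(hostname, mapping=DOMAIN_REALM):
    """Client-side mapping without referrals: [domain_realm] first, then the
    fallback of uppercasing the hostname's domain portion.  A single-label
    hostname has no domain portion and yields None."""
    realm = lookup_realm(hostname, mapping)
    if realm is not None:
        return realm
    host = hostname.lower().rstrip(".")
    _, sep, domain = host.partition(".")
    return domain.upper() if sep else None
```

Running ``lookup_realm`` over the page's three cases reproduces its explanation: ``crash.mit.edu`` and anything under ``dev.mit.edu`` land in ``TEST.ATHENA.MIT.EDU``, while ``dev.mit.edu`` itself falls through to the ``mit.edu`` host relation and lands in ``ATHENA.MIT.EDU``.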


.. _capaths:

[capaths]
~~~~~~~~~

In order to perform direct (non-hierarchical) cross-realm
authentication, configuration is needed to determine the
authentication paths between realms.

A client will use this section to find the authentication path between
its realm and the realm of the server. The server will use this
section to verify the authentication path used by the client, by
checking the transited field of the received ticket.

There is a tag for each participating client realm, and each tag has
subtags for each of the server realms. The value of the subtags is an
intermediate realm which may participate in the cross-realm
authentication. The subtags may be repeated if there is more than one
intermediate realm. A value of "." means that the two realms share
keys directly, and no intermediate realms should be allowed to
participate.

Only those entries which will be needed on the client or the server
need to be present. A client needs a tag for its local realm with
subtags for all the realms of servers it will need to authenticate to.
A server needs a tag for each realm of the clients it will serve, with
a subtag of the server realm.

For example, ``ANL.GOV``, ``PNL.GOV``, and ``NERSC.GOV`` all wish to
use the ``ES.NET`` realm as an intermediate realm. ANL has a sub
realm of ``TEST.ANL.GOV`` which will authenticate with ``NERSC.GOV``
but not ``PNL.GOV``. The [capaths] section for ``ANL.GOV`` systems
would look like this::

    [capaths]
        ANL.GOV = {
            TEST.ANL.GOV = .
            PNL.GOV = ES.NET
            NERSC.GOV = ES.NET
            ES.NET = .
        }
        TEST.ANL.GOV = {
            ANL.GOV = .
        }
        PNL.GOV = {
            ANL.GOV = ES.NET
        }
        NERSC.GOV = {
            ANL.GOV = ES.NET
        }
        ES.NET = {
            ANL.GOV = .
        }

The [capaths] section of the configuration file used on ``NERSC.GOV``
systems would look like this::

    [capaths]
        NERSC.GOV = {
            ANL.GOV = ES.NET
            TEST.ANL.GOV = ES.NET
            TEST.ANL.GOV = ANL.GOV
            PNL.GOV = ES.NET
            ES.NET = .
        }
        ANL.GOV = {
            NERSC.GOV = ES.NET
        }
        PNL.GOV = {
            NERSC.GOV = ES.NET
        }
        ES.NET = {
            NERSC.GOV = .
        }
        TEST.ANL.GOV = {
            NERSC.GOV = ANL.GOV
            NERSC.GOV = ES.NET
        }

When a subtag is used more than once within a tag, clients will use
the order of values to determine the path. The order of values is not
important to servers.
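
Both uses of the section, the client's path selection and the server's transited-field check, as an added Python example that is not part of the krb5 documentation or code base. The two dicts transcribe the ``ANL.GOV`` and ``NERSC.GOV`` sections above as client realm, server realm and the values in file order. What happens when no entry exists (krb5 falls back to a hierarchical path, which is not modelled; the example then accepts only an empty transited list) is the example's own simplification.

```python
# Added example, not krb5 code: client-side path selection and server-side
# transited checking over a [capaths] section.  The dicts transcribe the
# two sample sections on this page as client -> server -> values.

ANL_CAPATHS = {
    "ANL.GOV": {"TEST.ANL.GOV": ["."], "PNL.GOV": ["ES.NET"],
                "NERSC.GOV": ["ES.NET"], "ES.NET": ["."]},
    "TEST.ANL.GOV": {"ANL.GOV": ["."]},
    "PNL.GOV": {"ANL.GOV": ["ES.NET"]},
    "NERSC.GOV": {"ANL.GOV": ["ES.NET"]},
    "ES.NET": {"ANL.GOV": ["."]},
}

NERSC_CAPATHS = {
    "NERSC.GOV": {"ANL.GOV": ["ES.NET"], "TEST.ANL.GOV": ["ES.NET", "ANL.GOV"],
                  "PNL.GOV": ["ES.NET"], "ES.NET": ["."]},
    "ANL.GOV": {"NERSC.GOV": ["ES.NET"]},
    "PNL.GOV": {"NERSC.GOV": ["ES.NET"]},
    "ES.NET": {"NERSC.GOV": ["."]},
    "TEST.ANL.GOV": {"NERSC.GOV": ["ANL.GOV", "ES.NET"]},
}


def client_path(capaths, client_realm, server_realm):
    """Intermediate realms a client in client_realm goes through to reach
    server_realm, in the configured order (clients use that order).

    Returns [] for a direct trust ("."), and None when the section has no
    entry for the pair; krb5 would then fall back to a hierarchical path,
    which this example does not model."""
    if client_realm == server_realm:
        return []
    values = capaths.get(client_realm, {}).get(server_realm)
    if values is None:
        return None
    return [v for v in values if v != "."]


def transited_allowed(capaths, client_realm, server_realm, transited):
    """Server-side check of a ticket's transited realms against [capaths].

    Every transited realm must be one of the configured intermediates for
    (client_realm, server_realm); order is not significant to the server.
    A "." entry therefore admits no intermediates at all.  With no entry
    the section vouches for nothing, so only an empty transited list
    (a direct cross-realm ticket) is accepted."""
    allowed = client_path(capaths, client_realm, server_realm)
    if allowed is None:
        return len(transited) == 0
    return set(transited) <= set(allowed)
```

On the ``NERSC.GOV`` configuration, a ``TEST.ANL.GOV`` client is routed through ``ANL.GOV`` and then ``ES.NET``, and a ticket whose transited field names exactly those two realms, in either order, passes the server check; a ticket that transited ``PNL.GOV`` does not.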


.. _appdefaults:

[appdefaults]
~~~~~~~~~~~~~

Each tag in the [appdefaults] section names a Kerberos V5 application
or an option that is used by some Kerberos V5 application[s]. The
value of the tag defines the default behaviors for that application.

For example::

    [appdefaults]
        telnet = {
            ATHENA.MIT.EDU = {
                option1 = false
            }
        }
        telnet = {
            option1 = true
            option2 = true
        }
        ATHENA.MIT.EDU = {
            option2 = false
        }
        option2 = true

The above four ways of specifying the value of an option are shown in
order of decreasing precedence. In this example, if telnet is running
in the realm EXAMPLE.COM, it should, by default, have option1 and
option2 set to true. However, a telnet program in the realm
``ATHENA.MIT.EDU`` should have ``option1`` set to false and
``option2`` set to true. Any other programs in ATHENA.MIT.EDU should
have ``option2`` set to false by default. Any programs running in
other realms should have ``option2`` set to true.

The list of specifiable options for each application may be found in
that application's man pages. The application defaults specified here
are overridden by those specified in the realms_ section.
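
The four-level precedence, as an added Python example that is not part of the krb5 documentation or code base. The section is modelled as a nested dict in which a dict value is a subsection, with the two ``telnet`` subsections of the example merged into one; the boolean spellings accepted (``yes``/``true``/``on``/``1`` and their negatives) are the example's assumption about the profile library's boolean parser, and the function names are the example's own.

```python
# Added example, not krb5 code: resolve an [appdefaults] option using the
# four-level precedence shown on this page.  The dict below transcribes the
# page's example with the two "telnet" subsections merged.

APPDEFAULTS = {
    "telnet": {
        "ATHENA.MIT.EDU": {"option1": "false"},
        "option1": "true",
        "option2": "true",
    },
    "ATHENA.MIT.EDU": {"option2": "false"},
    "option2": "true",
}

# Assumed spellings of profile booleans (not taken from this page).
TRUE_WORDS = ("y", "yes", "true", "t", "1", "on")
FALSE_WORDS = ("n", "no", "false", "nil", "0", "off")


def _subsection(conf, path):
    """Walk conf along path, returning the subsection dict or None."""
    node = conf
    for key in path:
        node = node.get(key)
        if not isinstance(node, dict):
            return None
    return node


def appdefault(conf, app, realm, option, default=None):
    """Return the string value of option, looked up in order of decreasing
    precedence: [app][realm], [app], [realm], then the section itself."""
    for path in ((app, realm), (app,), (realm,), ()):
        section = _subsection(conf, path)
        if section is None:
            continue
        value = section.get(option)
        if isinstance(value, str):      # a dict here would be a subsection, not a value
            return value
    return default


def appdefault_boolean(conf, app, realm, option, default=False):
    """Like appdefault(), interpreting the value as a boolean; a value that
    is neither a true nor a false spelling is an error, not a silent default."""
    value = appdefault(conf, app, realm, option)
    if value is None:
        return default
    word = value.strip().lower()
    if word in TRUE_WORDS:
        return True
    if word in FALSE_WORDS:
        return False
    raise ValueError("%s: not a boolean: %r" % (option, value))
```

The assertions that the page's paragraph makes (telnet in ``EXAMPLE.COM`` gets both options true, telnet in ``ATHENA.MIT.EDU`` gets ``option1`` false and ``option2`` true, other programs in ``ATHENA.MIT.EDU`` get ``option2`` false, and everyone else gets ``option2`` true) all hold for ``appdefault_boolean``.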


.. _plugins:

[plugins]
~~~~~~~~~

    * pwqual_ interface
    * kadm5_hook_ interface
    * clpreauth_ and kdcpreauth_ interfaces

Tags in the [plugins] section can be used to register dynamic plugin
modules and to turn modules on and off. Not every krb5 pluggable
interface uses the [plugins] section; the ones that do are documented
here.

New in release 1.9.

Each pluggable interface corresponds to a subsection of [plugins].
All subsections support the same tags:

**disable**
    This tag may have multiple values. If there are values for this
    tag, then the named modules will be disabled for the pluggable
    interface.

**enable_only**
    This tag may have multiple values. If there are values for this
    tag, then only the named modules will be enabled for the pluggable
    interface.

**module**
    This tag may have multiple values. Each value is a string of the
    form ``modulename:pathname``, which causes the shared object
    located at *pathname* to be registered as a dynamic module named
    *modulename* for the pluggable interface. If *pathname* is not an
    absolute path, it will be treated as relative to the
    **plugin_base_dir** value from :ref:`libdefaults`.

For pluggable interfaces where module order matters, modules
registered with a **module** tag normally come first, in the order
they are registered, followed by built-in modules in the order they
are documented below. If **enable_only** tags are used, then the
order of those tags overrides the normal module order.
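
The interaction of the three tags and the ordering rule, as an added Python example that is not part of the krb5 documentation or code base. The built-in names are those this page documents for the ccselect interface; the dynamic module names and paths, the ``plugin_base_dir`` stand-in value and the function name are constructed for the example.

```python
# Added example, not krb5 code: compute the effective, ordered module list
# for one pluggable interface from its [plugins] subsection using the rules
# on this page.  Module names/paths and the base dir are constructed.

BUILTIN_CCSELECT = ["k5identity", "realm", "hostname"]   # documented order
ASSUMED_PLUGIN_BASE_DIR = "/usr/lib/krb5/plugins"        # stand-in for plugin_base_dir


def effective_modules(builtin, subsection, plugin_base_dir=ASSUMED_PLUGIN_BASE_DIR):
    """Return [(name, path)] in consultation order; path is None for built-ins.

    subsection maps the tags "module", "enable_only" and "disable" to the
    list of their values in file order (each tag may appear many times).
    """
    registered = []
    # Dynamic modules come first, in registration order.
    for value in subsection.get("module", []):
        name, sep, path = value.partition(":")
        if not sep or not name or not path:
            raise ValueError("module value must be modulename:pathname, got %r" % value)
        if not path.startswith("/"):
            # A relative pathname is taken relative to plugin_base_dir.
            path = plugin_base_dir.rstrip("/") + "/" + path
        registered.append((name, path))
    # Then the built-in modules, in their documented order.
    registered.extend((name, None) for name in builtin)

    enable_only = subsection.get("enable_only", [])
    if enable_only:
        # enable_only both restricts the set and dictates the order.
        ordered = []
        for wanted in enable_only:
            for name, path in registered:
                if name == wanted:
                    ordered.append((name, path))
                    break
    else:
        ordered = registered

    # disable removes modules whatever the ordering rule was.
    disabled = set(subsection.get("disable", []))
    return [(name, path) for name, path in ordered if name not in disabled]
```

A name listed in ``enable_only`` that was never registered is silently ignored here; a configuration linter built on this function would want to report it, since a typo in that tag can disable a module you intended to keep.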

The following subsections are currently supported within the [plugins]
section:

.. _ccselect:

ccselect interface
##################

The ccselect subsection controls modules for credential cache
selection within a cache collection. In addition to any registered
dynamic modules, the following built-in modules exist (and may be
disabled with the disable tag):

**k5identity**
    Uses a .k5identity file in the user's home directory to select a
    client principal

**realm**
    Uses the service realm to guess an appropriate cache from the
    collection

**hostname**
    If the service principal is host-based, uses the service hostname
    to guess an appropriate cache from the collection

.. _pwqual:

pwqual interface
################

The pwqual subsection controls modules for the password quality
interface, which is used to reject weak passwords when passwords are
changed. The following built-in modules exist for this interface:

**dict**
    Checks against the realm dictionary file

**empty**
    Rejects empty passwords

**hesiod**
    Checks against user information stored in Hesiod (only if Kerberos
    was built with Hesiod support)

**princ**
    Checks against components of the principal name

.. _kadm5_hook:

kadm5_hook interface
####################

The kadm5_hook interface provides plugins with information on
principal creation, modification, password changes and deletion. This
interface can be used to write a plugin to synchronize MIT Kerberos
with another database such as Active Directory. No plugins are built
in for this interface.

.. _kadm5_auth:

kadm5_auth interface
####################

The kadm5_auth section (introduced in release 1.16) controls modules
for the kadmin authorization interface, which determines whether a
client principal is allowed to perform a kadmin operation. The
following built-in modules exist for this interface:

**acl**
    This module reads the :ref:`kadm5.acl(5)` file, and authorizes
    operations which are allowed according to the rules in the file.

**self**
    This module authorizes self-service operations including password
    changes, creation of new random keys, fetching the client's
    principal record or string attributes, and fetching the policy
    record associated with the client principal.

.. _clpreauth:

.. _kdcpreauth:

clpreauth and kdcpreauth interfaces
###################################

The clpreauth and kdcpreauth interfaces allow plugin modules to
provide client and KDC preauthentication mechanisms. The following
built-in modules exist for these interfaces:

**pkinit**
    This module implements the PKINIT preauthentication mechanism.

**encrypted_challenge**
    This module implements the encrypted challenge FAST factor.

**encrypted_timestamp**
    This module implements the encrypted timestamp mechanism.

.. _hostrealm:

hostrealm interface
###################

The hostrealm section (introduced in release 1.12) controls modules
for the host-to-realm interface, which affects the local mapping of
hostnames to realm names and the choice of default realm. The following
built-in modules exist for this interface:

**profile**
    This module consults the [domain_realm] section of the profile for
    authoritative host-to-realm mappings, and the **default_realm**
    variable for the default realm.

**dns**
    This module looks for DNS records for fallback host-to-realm
    mappings and the default realm. It only operates if the
    **dns_lookup_realm** variable is set to true.

**domain**
    This module applies heuristics for fallback host-to-realm
    mappings. It implements the **realm_try_domains** variable, and
    uses the uppercased parent domain of the hostname if that does not
    produce a result.

.. _localauth:

localauth interface
###################

The localauth section (introduced in release 1.12) controls modules
for the local authorization interface, which affects the relationship
between Kerberos principals and local system accounts. The following
built-in modules exist for this interface:

**default**
    This module implements the **DEFAULT** type for **auth_to_local**
    values.

**rule**
    This module implements the **RULE** type for **auth_to_local**
    values.

**names**
    This module looks for an **auth_to_local_names** mapping for the
    principal name.

**auth_to_local**
    This module processes **auth_to_local** values in the default
    realm's section, and applies the default method if no
    **auth_to_local** values exist.

**k5login**
    This module authorizes a principal to a local account according to
    the account's :ref:`.k5login(5)` file.

**an2ln**
    This module authorizes a principal to a local account if the
    principal name maps to the local account name.

.. _certauth:

certauth interface
##################

The certauth section (introduced in release 1.16) controls modules for
the certificate authorization interface, which determines whether a
certificate is allowed to preauthenticate a user via PKINIT. The
following built-in modules exist for this interface:

**pkinit_san**
    This module authorizes the certificate if it contains a PKINIT
    Subject Alternative Name for the requested client principal, or a
    Microsoft UPN SAN matching the principal if **pkinit_allow_upn**
    is set to true for the realm.

**pkinit_eku**
    This module rejects the certificate if it does not contain an
    Extended Key Usage attribute consistent with the
    **pkinit_eku_checking** value for the realm.

**dbmatch**
    This module authorizes or rejects the certificate according to
    whether it matches the **pkinit_cert_match** string attribute on
    the client principal, if that attribute is present.


PKINIT options
--------------

.. note::

    The following are PKINIT-specific options. These values may
    be specified in [libdefaults] as global defaults, or within
    a realm-specific subsection of [libdefaults], or may be
    specified as realm-specific values in the [realms] section.
    A realm-specific value overrides, not adds to, a generic
    [libdefaults] specification. The search order is:

    1. realm-specific subsection of [libdefaults]::

           [libdefaults]
               EXAMPLE.COM = {
                   pkinit_anchors = FILE:/usr/local/example.com.crt
               }

    2. realm-specific value in the [realms] section::

           [realms]
               OTHERREALM.ORG = {
                   pkinit_anchors = FILE:/usr/local/otherrealm.org.crt
               }

    3. generic value in the [libdefaults] section::

           [libdefaults]
               pkinit_anchors = DIR:/usr/local/generic_trusted_cas/


.. _pkinit_identity:

Specifying PKINIT identity information
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The syntax for specifying Public Key identity, trust, and revocation
information for PKINIT is as follows:

**FILE:**\ *filename*\ [**,**\ *keyfilename*]
    This option has context-specific behavior.

    In **pkinit_identity** or **pkinit_identities**, *filename*
    specifies the name of a PEM-format file containing the user's
    certificate. If *keyfilename* is not specified, the user's
    private key is expected to be in *filename* as well. Otherwise,
    *keyfilename* is the name of the file containing the private key.

    In **pkinit_anchors** or **pkinit_pool**, *filename* is assumed to
    be the name of an OpenSSL-style ca-bundle file.

**DIR:**\ *dirname*
    This option has context-specific behavior.

    In **pkinit_identity** or **pkinit_identities**, *dirname*
    specifies a directory with files named ``*.crt`` and ``*.key``
    where the first part of the file name is the same for matching
    pairs of certificate and private key files. When a file with a
    name ending with ``.crt`` is found, a matching file ending with
    ``.key`` is assumed to contain the private key. If no such file
    is found, then the certificate in the ``.crt`` is not used.

    In **pkinit_anchors** or **pkinit_pool**, *dirname* is assumed to
    be an OpenSSL-style hashed CA directory where each CA cert is
    stored in a file named ``hash-of-ca-cert.#``. This infrastructure
    is encouraged, but all files in the directory will be examined and
    if they contain certificates (in PEM format), they will be used.

    In **pkinit_revoke**, *dirname* is assumed to be an OpenSSL-style
    hashed CA directory where each revocation list is stored in a file
    named ``hash-of-ca-cert.r#``. This infrastructure is encouraged,
    but all files in the directory will be examined and if they
    contain a revocation list (in PEM format), they will be used.

**PKCS12:**\ *filename*
    *filename* is the name of a PKCS #12 format file, containing the
    user's certificate and private key.

**PKCS11:**\ [**module_name=**]\ *modname*\ [**:slotid=**\ *slot-id*][**:token=**\ *token-label*][**:certid=**\ *cert-id*][**:certlabel=**\ *cert-label*]
    All keyword/values are optional. *modname* specifies the location
    of a library implementing PKCS #11. If a value is encountered
    with no keyword, it is assumed to be the *modname*. If no
    module-name is specified, the default is ``opensc-pkcs11.so``.
    ``slotid=`` and/or ``token=`` may be specified to force the use of
    a particular smart card reader or token if there is more than one
    available. ``certid=`` and/or ``certlabel=`` may be specified to
    force the selection of a particular certificate on the device.
    See the **pkinit_cert_match** configuration option for more ways
    to select a particular certificate to use for PKINIT.

**ENV:**\ *envvar*
    *envvar* specifies the name of an environment variable which has
    been set to a value conforming to one of the previous values. For
    example, ``ENV:X509_PROXY``, where environment variable
    ``X509_PROXY`` has been set to ``FILE:/tmp/my_proxy.pem``.
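
A parser for the specification syntax above, as an added Python example that is not part of the krb5 documentation or code base. It covers the five forms, the context-specific reading of ``FILE:`` (a ``,keyfilename`` suffix only means something for identities), the ``PKCS11:`` keyword list with its documented ``opensc-pkcs11.so`` default, and ``ENV:`` indirection through a caller-supplied environment with a depth bound so a self-referencing variable cannot loop forever. The paths, variable names and module file name in the test data, the depth bound, and the function names are constructed for the example.

```python
# Added example, not krb5 code: parse the PKINIT identity/anchor
# specification syntax into a structured form, following ENV: indirection
# through a caller-supplied environment.  Test paths/names are constructed.

import os

PKCS11_DEFAULT_MODULE = "opensc-pkcs11.so"   # documented default module
PKCS11_KEYWORDS = ("module_name", "slotid", "token", "certid", "certlabel")
MAX_ENV_DEPTH = 8   # assumed bound on ENV: chains; stops a self-referencing variable


def parse_pkcs11(text):
    """Parse the keyword=value list of a PKCS11: specification.

    A value without a keyword is the module name; slotid must be numeric;
    unknown keywords are rejected rather than ignored."""
    fields = {"module_name": PKCS11_DEFAULT_MODULE}
    for item in (text.split(":") if text else []):
        key, sep, value = item.partition("=")
        if not sep:
            key, value = "module_name", item
        if key not in PKCS11_KEYWORDS:
            raise ValueError("unknown PKCS11 keyword %r" % key)
        if key == "slotid":
            if not value.isdigit():
                raise ValueError("slotid must be numeric, got %r" % value)
            value = int(value)
        fields[key] = value
    return fields


def parse_pkinit_spec(spec, env=None, for_identity=True, _depth=0):
    """Return a dict describing spec ("type" plus type-specific keys).

    for_identity=True reads FILE: as pkinit_identit(y|ies) does, where a
    ",keyfilename" suffix names a separate private key file; with
    for_identity=False (anchors, pool, revoke) the whole remainder is the
    filename.  ENV: values are looked up in env (default: os.environ)."""
    env = os.environ if env is None else env
    kind, sep, rest = spec.partition(":")
    if not sep:
        raise ValueError("missing ':' in specification %r" % spec)
    if kind != "PKCS11" and not rest:     # PKCS11: alone is legal (all optional)
        raise ValueError("empty %s: specification" % kind)
    if kind == "ENV":
        if _depth >= MAX_ENV_DEPTH:
            raise ValueError("ENV: indirection too deep at %r" % spec)
        value = env.get(rest)
        if value is None:
            raise ValueError("environment variable %s is not set" % rest)
        return parse_pkinit_spec(value, env, for_identity, _depth + 1)
    if kind == "FILE":
        if not for_identity:
            return {"type": "FILE", "file": rest}
        cert, _, key = rest.partition(",")
        return {"type": "FILE", "cert": cert, "key": key or cert}
    if kind == "DIR":
        return {"type": "DIR", "dir": rest}
    if kind == "PKCS12":
        return {"type": "PKCS12", "file": rest}
    if kind == "PKCS11":
        return dict(type="PKCS11", **parse_pkcs11(rest))
    raise ValueError("unknown specification type %r" % kind)


def spec_is_valid(spec, env=None, for_identity=True):
    """True if spec parses (after ENV: resolution); useful for config linting."""
    try:
        parse_pkinit_spec(spec, env, for_identity)
        return True
    except ValueError:
        return False
```

Because ``ENV:`` resolution reads whatever the variable holds, the same value the page uses (``ENV:X509_PROXY`` pointing at ``FILE:/tmp/my_proxy.pem``) parses to the ``FILE`` form; an unset variable, a variable chain that never terminates, a malformed ``slotid`` or an unknown type keyword are all reported instead of being passed on.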


PKINIT krb5.conf options
~~~~~~~~~~~~~~~~~~~~~~~~

**pkinit_anchors**
    Specifies the location of trusted anchor (root) certificates which
    the client trusts to sign KDC certificates. This option may be
    specified multiple times. These values from the config file are
    not used if the user specifies X509_anchors on the command line.

**pkinit_cert_match**
    Specifies matching rules that the client certificate must match
    before it is used to attempt PKINIT authentication. If a user has
    multiple certificates available (on a smart card, or via other
    media), there must be exactly one certificate chosen before
    attempting PKINIT authentication. This option may be specified
    multiple times. All the available certificates are checked
    against each rule in order until there is a match of exactly one
    certificate.

    The Subject and Issuer comparison strings are the :rfc:`2253`
    string representations from the certificate Subject DN and Issuer
    DN values.

    The syntax of the matching rules is:

        [*relation-operator*\ ]\ *component-rule* ...

    where:

    *relation-operator*
        can be either ``&&``, meaning all component rules must match,
        or ``||``, meaning only one component rule must match. The
        default is ``&&``.

    *component-rule*
        can be one of the following. Note that there is no
        punctuation or whitespace between component rules.

        | **<SUBJECT>**\ *regular-expression*
        | **<ISSUER>**\ *regular-expression*
        | **<SAN>**\ *regular-expression*
        | **<EKU>**\ *extended-key-usage-list*
        | **<KU>**\ *key-usage-list*

        *extended-key-usage-list* is a comma-separated list of
        required Extended Key Usage values. All values in the list
        must be present in the certificate. Extended Key Usage values
        can be:

        * pkinit
        * msScLogin
        * clientAuth
        * emailProtection

        *key-usage-list* is a comma-separated list of required Key
        Usage values. All values in the list must be present in the
        certificate. Key Usage values can be:

        * digitalSignature
        * keyEncipherment

    Examples::

        pkinit_cert_match = ||<SUBJECT>.*DoE.*<SAN>.*@EXAMPLE.COM
        pkinit_cert_match = &&<EKU>msScLogin,clientAuth<ISSUER>.*DoE.*
        pkinit_cert_match = <EKU>msScLogin,clientAuth<KU>digitalSignature
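
The rule syntax and the "exactly one certificate" selection loop, as an added Python example that is not part of the krb5 documentation or code base. The rules are the three examples above; the certificates are constructed dicts carrying RFC 2253 Subject and Issuer strings plus SAN, EKU and KU lists (no X.509 parsing is done), and the regular expressions use Python ``re`` search semantics, which is the example's stand-in for whichever regex engine the library uses. Function names are the example's own.

```python
# Added example, not krb5 code: parse pkinit_cert_match rules and apply
# them to candidate certificates, trying rules in order until exactly one
# certificate matches.  Certificates here are constructed dicts.

import re

COMPONENT_TAG = re.compile(r"<(SUBJECT|ISSUER|SAN|EKU|KU)>")
EKU_VALUES = {"pkinit", "msScLogin", "clientAuth", "emailProtection"}
KU_VALUES = {"digitalSignature", "keyEncipherment"}

# Constructed test data: two certificates on one smart card plus an
# unrelated one.  Subject/Issuer are RFC 2253 strings.
CERTS = [
    {"name": "card-login",
     "subject": "CN=Jane Doe,OU=Staff,O=DoE,C=US",
     "issuer": "CN=DoE Issuing CA,O=DoE,C=US",
     "san": ["jdoe@EXAMPLE.COM"],
     "eku": ["msScLogin", "clientAuth"], "ku": ["digitalSignature"]},
    {"name": "card-email",
     "subject": "CN=Jane Doe,OU=Staff,O=DoE,C=US",
     "issuer": "CN=DoE Issuing CA,O=DoE,C=US",
     "san": ["jane.doe@example.com"],
     "eku": ["emailProtection"], "ku": ["keyEncipherment"]},
    {"name": "other",
     "subject": "CN=Someone Else,O=Example,C=US",
     "issuer": "CN=Example CA,O=Example,C=US",
     "san": [], "eku": ["clientAuth"], "ku": ["digitalSignature"]},
]


def parse_cert_match(rule):
    """Return (relation, [(component, argument), ...]) for one rule.

    relation is "&&" (the default) or "||".  Because the syntax has no
    separators, each component's argument runs up to the next <TAG>.
    EKU/KU arguments become lists of names, the others compiled regexes."""
    relation = "&&"
    if rule[:2] in ("&&", "||"):
        relation, rule = rule[:2], rule[2:]
    tags = list(COMPONENT_TAG.finditer(rule))
    if not tags or tags[0].start() != 0:
        raise ValueError("rule must begin with a component tag: %r" % rule)
    components = []
    for i, tag in enumerate(tags):
        end = tags[i + 1].start() if i + 1 < len(tags) else len(rule)
        name, arg = tag.group(1), rule[tag.end():end]
        if name in ("EKU", "KU"):
            names = arg.split(",")
            known = EKU_VALUES if name == "EKU" else KU_VALUES
            unknown = [n for n in names if n not in known]
            if unknown:
                raise ValueError("unknown %s value(s) %s" % (name, unknown))
            components.append((name, names))
        else:
            components.append((name, re.compile(arg)))
    return relation, components


def component_matches(cert, name, arg):
    """Evaluate one component rule against a certificate dict."""
    if name == "SUBJECT":
        return arg.search(cert["subject"]) is not None
    if name == "ISSUER":
        return arg.search(cert["issuer"]) is not None
    if name == "SAN":
        return any(arg.search(san) for san in cert["san"])
    # EKU / KU: every listed usage must be present in the certificate.
    return all(usage in cert[name.lower()] for usage in arg)


def rule_matches(cert, parsed):
    relation, components = parsed
    results = [component_matches(cert, n, a) for n, a in components]
    return all(results) if relation == "&&" else any(results)


def select_certificate(certs, rules):
    """Check every certificate against each rule in order; return the first
    rule's single match, or None if no rule narrows it to exactly one."""
    for rule in rules:
        parsed = parse_cert_match(rule)
        matched = [c for c in certs if rule_matches(c, parsed)]
        if len(matched) == 1:
            return matched[0]
    return None
```

With these certificates the first example rule is too loose: both card certificates carry ``DoE`` in their Subject, so the ``||`` rule matches two and selects nothing, and selection only succeeds once the second rule (smart-card logon EKU and a ``DoE`` issuer) is tried. That is the practical reason to order rules from strictest to loosest when a card holds several certificates.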

**pkinit_eku_checking**
    This option specifies what Extended Key Usage value the KDC
    certificate presented to the client must contain. (Note that if
    the KDC certificate has the pkinit SubjectAlternativeName encoded
    as the Kerberos TGS name, EKU checking is not necessary since the
    issuing CA has certified this as a KDC certificate.) The values
    recognized in the krb5.conf file are:

    **kpKDC**
        This is the default value and specifies that the KDC must have
        the id-pkinit-KPKdc EKU as defined in :rfc:`4556`.

    **kpServerAuth**
        If **kpServerAuth** is specified, a KDC certificate with the
        id-kp-serverAuth EKU will be accepted. This key usage value
        is used in most commercially issued server certificates.

    **none**
        If **none** is specified, then the KDC certificate will not be
        checked to verify it has an acceptable EKU. The use of this
        option is not recommended.

**pkinit_dh_min_bits**
    Specifies the size of the Diffie-Hellman key the client will
    attempt to use. The acceptable values are 1024, 2048, and 4096.
    The default is 2048.

**pkinit_identities**
    Specifies the location(s) to be used to find the user's X.509
    identity information. If this option is specified multiple times,
    the first valid value is used; this can be used to specify an
    environment variable (with **ENV:**\ *envvar*) followed by a
    default value. Note that these values are not used if the user
    specifies **X509_user_identity** on the command line.

**pkinit_kdc_hostname**
    The presence of this option indicates that the client is willing
|
|
Packit |
fd8b60 |
to accept a KDC certificate with a dNSName SAN (Subject
|
|
Packit |
fd8b60 |
Alternative Name) rather than requiring the id-pkinit-san as
|
|
Packit |
fd8b60 |
defined in :rfc:`4556`. This option may be specified multiple
|
|
Packit |
fd8b60 |
times. Its value should contain the acceptable hostname for the
|
|
Packit |
fd8b60 |
KDC (as contained in its certificate).
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
**pkinit_pool**
|
|
Packit |
fd8b60 |
Specifies the location of intermediate certificates which may be
|
|
Packit |
fd8b60 |
used by the client to complete the trust chain between a KDC
|
|
Packit |
fd8b60 |
certificate and a trusted anchor. This option may be specified
|
|
Packit |
fd8b60 |
multiple times.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
**pkinit_require_crl_checking**
|
|
Packit |
fd8b60 |
The default certificate verification process will always check the
|
|
Packit |
fd8b60 |
available revocation information to see if a certificate has been
|
|
Packit |
fd8b60 |
revoked. If a match is found for the certificate in a CRL,
|
|
Packit |
fd8b60 |
verification fails. If the certificate being verified is not
|
|
Packit |
fd8b60 |
listed in a CRL, or there is no CRL present for its issuing CA,
|
|
Packit |
fd8b60 |
and **pkinit_require_crl_checking** is false, then verification
|
|
Packit |
fd8b60 |
succeeds.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
However, if **pkinit_require_crl_checking** is true and there is
|
|
Packit |
fd8b60 |
no CRL information available for the issuing CA, then verification
|
|
Packit |
fd8b60 |
fails.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
**pkinit_require_crl_checking** should be set to true if the
|
|
Packit |
fd8b60 |
policy is such that up-to-date CRLs must be present for every CA.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
**pkinit_revoke**
|
|
Packit |
fd8b60 |
Specifies the location of Certificate Revocation List (CRL)
|
|
Packit |
fd8b60 |
information to be used by the client when verifying the validity
|
|
Packit |
fd8b60 |
of the KDC certificate presented. This option may be specified
|
|
Packit |
fd8b60 |
multiple times.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
.. _parameter_expansion:
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
Parameter expansion
|
|
Packit |
fd8b60 |
-------------------
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
Starting with release 1.11, several variables, such as
|
|
Packit |
fd8b60 |
**default_keytab_name**, allow parameters to be expanded.
|
|
Packit |
fd8b60 |
Valid parameters are:
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
================= ===================================================
|
|
Packit |
fd8b60 |
%{TEMP} Temporary directory
|
|
Packit |
fd8b60 |
%{uid} Unix real UID or Windows SID
|
|
Packit |
fd8b60 |
%{euid} Unix effective user ID or Windows SID
|
|
Packit |
fd8b60 |
%{USERID} Same as %{uid}
|
|
Packit |
fd8b60 |
%{null} Empty string
|
|
Packit |
fd8b60 |
%{LIBDIR} Installation library directory
|
|
Packit |
fd8b60 |
%{BINDIR} Installation binary directory
|
|
Packit |
fd8b60 |
%{SBINDIR} Installation admin binary directory
|
|
Packit |
fd8b60 |
%{username} (Unix) Username of effective user ID
|
|
Packit |
fd8b60 |
%{APPDATA} (Windows) Roaming application data for current user
|
|
Packit |
fd8b60 |
%{COMMON_APPDATA} (Windows) Application data for all users
|
|
Packit |
fd8b60 |
%{LOCAL_APPDATA} (Windows) Local application data for current user
|
|
Packit |
fd8b60 |
%{SYSTEM} (Windows) Windows system folder
|
|
Packit |
fd8b60 |
%{WINDOWS} (Windows) Windows folder
|
|
Packit |
fd8b60 |
%{USERCONFIG} (Windows) Per-user MIT krb5 config file directory
|
|
Packit |
fd8b60 |
%{COMMONCONFIG} (Windows) Common MIT krb5 config file directory
|
|
Packit |
fd8b60 |
================= ===================================================
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
Sample krb5.conf file
|
|
Packit |
fd8b60 |
---------------------
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
Here is an example of a generic krb5.conf file::
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
[libdefaults]
|
|
Packit |
fd8b60 |
default_realm = ATHENA.MIT.EDU
|
|
Packit |
fd8b60 |
dns_lookup_kdc = true
|
|
Packit |
fd8b60 |
dns_lookup_realm = false
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
[realms]
|
|
Packit |
fd8b60 |
ATHENA.MIT.EDU = {
|
|
Packit |
fd8b60 |
kdc = kerberos.mit.edu
|
|
Packit |
fd8b60 |
kdc = kerberos-1.mit.edu
|
|
Packit |
fd8b60 |
kdc = kerberos-2.mit.edu
|
|
Packit |
fd8b60 |
admin_server = kerberos.mit.edu
|
|
Packit |
fd8b60 |
master_kdc = kerberos.mit.edu
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
EXAMPLE.COM = {
|
|
Packit |
fd8b60 |
kdc = kerberos.example.com
|
|
Packit |
fd8b60 |
kdc = kerberos-1.example.com
|
|
Packit |
fd8b60 |
admin_server = kerberos.example.com
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
[domain_realm]
|
|
Packit |
fd8b60 |
mit.edu = ATHENA.MIT.EDU
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
[capaths]
|
|
Packit |
fd8b60 |
ATHENA.MIT.EDU = {
|
|
Packit |
fd8b60 |
EXAMPLE.COM = .
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
EXAMPLE.COM = {
|
|
Packit |
fd8b60 |
ATHENA.MIT.EDU = .
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
FILES
|
|
Packit |
fd8b60 |
-----
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
|krb5conf|
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
SEE ALSO
|
|
Packit |
fd8b60 |
--------
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
syslog(3)
|