|
Packit |
fd8b60 |
Host configuration
|
|
Packit |
fd8b60 |
==================
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
All hosts running Kerberos software, whether they are clients,
|
|
Packit |
fd8b60 |
application servers, or KDCs, can be configured using
|
|
Packit |
fd8b60 |
:ref:`krb5.conf(5)`. Here we describe some of the behavior changes
|
|
Packit |
fd8b60 |
you might want to make.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
Default realm
|
|
Packit |
fd8b60 |
-------------
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
In the :ref:`libdefaults` section, the **default_realm** realm
|
|
Packit |
fd8b60 |
relation sets the default Kerberos realm. For example::
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
[libdefaults]
|
|
Packit |
fd8b60 |
default_realm = ATHENA.MIT.EDU
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
The default realm affects Kerberos behavior in the following ways:
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
* When a principal name is parsed from text, the default realm is used
|
|
Packit |
fd8b60 |
if no ``@REALM`` component is specified.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
* The default realm affects login authorization as described below.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
* For programs which operate on a Kerberos database, the default realm
|
|
Packit |
fd8b60 |
is used to determine which database to operate on, unless the **-r**
|
|
Packit |
fd8b60 |
parameter is given to specify a realm.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
* A server program may use the default realm when looking up its key
|
|
Packit |
fd8b60 |
in a :ref:`keytab file <keytab_file>`, if its realm is not
|
|
Packit |
fd8b60 |
determined by :ref:`domain_realm` configuration or by the server
|
|
Packit |
fd8b60 |
program itself.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
* If :ref:`kinit(1)` is passed the **-n** flag, it requests anonymous
|
|
Packit |
fd8b60 |
tickets from the default realm.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
In some situations, these uses of the default realm might conflict.
|
|
Packit |
fd8b60 |
For example, it might be desirable for principal name parsing to use
|
|
Packit |
fd8b60 |
one realm by default, but for login authorization to use a second
|
|
Packit |
fd8b60 |
realm. In this situation, the first realm can be configured as the
|
|
Packit |
fd8b60 |
default realm, and **auth_to_local** relations can be used as
|
|
Packit |
fd8b60 |
described below to use the second realm for login authorization.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
.. _login_authorization:
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
Login authorization
|
|
Packit |
fd8b60 |
-------------------
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
If a host runs a Kerberos-enabled login service such as OpenSSH with
|
|
Packit |
fd8b60 |
GSSAPIAuthentication enabled, login authorization rules determine
|
|
Packit |
fd8b60 |
whether a Kerberos principal is allowed to access a local account.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
By default, a Kerberos principal is allowed access to an account if
|
|
Packit |
fd8b60 |
its realm matches the default realm and its name matches the account
|
|
Packit |
fd8b60 |
name. (For historical reasons, access is also granted by default if
|
|
Packit |
fd8b60 |
the name has two components and the second component matches the
|
|
Packit |
fd8b60 |
default realm; for instance, ``alice/ATHENA.MIT.EDU@ATHENA.MIT.EDU``
|
|
Packit |
fd8b60 |
is granted access to the ``alice`` account if ``ATHENA.MIT.EDU`` is
|
|
Packit |
fd8b60 |
the default realm.)
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
The simplest way to control local access is using :ref:`.k5login(5)`
|
|
Packit |
fd8b60 |
files. To use these, place a ``.k5login`` file in the home directory
|
|
Packit |
fd8b60 |
of each account listing the principal names which should have login
|
|
Packit |
fd8b60 |
access to that account. If it is not desirable to use ``.k5login``
|
|
Packit |
fd8b60 |
files located in account home directories, the **k5login_directory**
|
|
Packit |
fd8b60 |
relation in the :ref:`libdefaults` section can specify a directory
|
|
Packit |
fd8b60 |
containing one file per account uname.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
By default, if a ``.k5login`` file is present, it controls
|
|
Packit |
fd8b60 |
authorization both positively and negatively--any principal name
|
|
Packit |
fd8b60 |
contained in the file is granted access and any other principal name
|
|
Packit |
fd8b60 |
is denied access, even if it would have had access if the ``.k5login``
|
|
Packit |
fd8b60 |
file didn't exist. The **k5login_authoritative** relation in the
|
|
Packit |
fd8b60 |
:ref:`libdefaults` section can be set to false to make ``.k5login``
|
|
Packit |
fd8b60 |
files provide positive authorization only.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
The **auth_to_local** relation in the :ref:`realms` section for the
|
|
Packit |
fd8b60 |
default realm can specify pattern-matching rules to control login
|
|
Packit |
fd8b60 |
authorization. For example, the following configuration allows access
|
|
Packit |
fd8b60 |
to principals from a different realm than the default realm::
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
[realms]
|
|
Packit |
fd8b60 |
DEFAULT.REALM = {
|
|
Packit |
fd8b60 |
# Allow access to principals from OTHER.REALM.
|
|
Packit |
fd8b60 |
#
|
|
Packit |
fd8b60 |
# [1:$1@$0] matches single-component principal names and creates
|
|
Packit |
fd8b60 |
# a selection string containing the principal name and realm.
|
|
Packit |
fd8b60 |
#
|
|
Packit |
fd8b60 |
# (.*@OTHER\.REALM) matches against the selection string, so that
|
|
Packit |
fd8b60 |
# only principals in OTHER.REALM are matched.
|
|
Packit |
fd8b60 |
#
|
|
Packit |
fd8b60 |
# s/@OTHER\.REALM$// removes the realm name, leaving behind the
|
|
Packit |
fd8b60 |
# principal name as the account name.
|
|
Packit |
fd8b60 |
auth_to_local = RULE:[1:$1@$0](.*@OTHER\.REALM)s/@OTHER\.REALM$//
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Also allow principals from the default realm. Omit this line
|
|
Packit |
fd8b60 |
# to only allow access to principals in OTHER.REALM.
|
|
Packit |
fd8b60 |
auth_to_local = DEFAULT
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
The **auth_to_local_names** subsection of the :ref:`realms` section
|
|
Packit |
fd8b60 |
for the default realm can specify explicit mappings from principal
|
|
Packit |
fd8b60 |
names to local accounts. The key used in this subsection is the
|
|
Packit |
fd8b60 |
principal name without realm, so it is only safe to use in a Kerberos
|
|
Packit |
fd8b60 |
environment with a single realm or a tightly controlled set of realms.
|
|
Packit |
fd8b60 |
An example use of **auth_to_local_names** might be::
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
[realms]
|
|
Packit |
fd8b60 |
ATHENA.MIT.EDU = {
|
|
Packit |
fd8b60 |
auth_to_local_names = {
|
|
Packit |
fd8b60 |
# Careful, these match principals in any realm!
|
|
Packit |
fd8b60 |
host/example.com = hostaccount
|
|
Packit |
fd8b60 |
fred = localfred
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
Local authorization behavior can also be modified using plugin
|
|
Packit |
fd8b60 |
modules; see :ref:`hostrealm_plugin` for details.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
.. _plugin_config:
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
Plugin module configuration
|
|
Packit |
fd8b60 |
---------------------------
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
Many aspects of Kerberos behavior, such as client preauthentication
|
|
Packit |
fd8b60 |
and KDC service location, can be modified through the use of plugin
|
|
Packit |
fd8b60 |
modules. For most of these behaviors, you can use the :ref:`plugins`
|
|
Packit |
fd8b60 |
section of krb5.conf to register third-party modules, and to switch
|
|
Packit |
fd8b60 |
off registered or built-in modules.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
A plugin module takes the form of a Unix shared object
|
|
Packit |
fd8b60 |
(``modname.so``) or Windows DLL (``modname.dll``). If you have
|
|
Packit |
fd8b60 |
installed a third-party plugin module and want to register it, you do
|
|
Packit |
fd8b60 |
so using the **module** relation in the appropriate subsection of the
|
|
Packit |
fd8b60 |
[plugins] section. The value for **module** must give the module name
|
|
Packit |
fd8b60 |
and the path to the module, separated by a colon. The module name
|
|
Packit |
fd8b60 |
will often be the same as the shared object's name, but in unusual
|
|
Packit |
fd8b60 |
cases (such as a shared object which implements multiple modules for
|
|
Packit |
fd8b60 |
the same interface) it might not be. For example, to register a
|
|
Packit |
fd8b60 |
client preauthentication module named ``mypreauth`` installed at
|
|
Packit |
fd8b60 |
``/path/to/mypreauth.so``, you could write::
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
[plugins]
|
|
Packit |
fd8b60 |
clpreauth = {
|
|
Packit |
fd8b60 |
module = mypreauth:/path/to/mypreauth.so
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
Many of the pluggable behaviors in MIT krb5 contain built-in modules
|
|
Packit |
fd8b60 |
which can be switched off. You can disable a built-in module (or one
|
|
Packit |
fd8b60 |
you have registered) using the **disable** directive in the
|
|
Packit |
fd8b60 |
appropriate subsection of the [plugins] section. For example, to
|
|
Packit |
fd8b60 |
disable the use of .k5identity files to select credential caches, you
|
|
Packit |
fd8b60 |
could write::
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
[plugins]
|
|
Packit |
fd8b60 |
ccselect = {
|
|
Packit |
fd8b60 |
disable = k5identity
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
If you want to disable multiple modules, specify the **disable**
|
|
Packit |
fd8b60 |
directive multiple times, giving one module to disable each time.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
Alternatively, you can explicitly specify which modules you want to be
|
|
Packit |
fd8b60 |
enabled for that behavior using the **enable_only** directive. For
|
|
Packit |
fd8b60 |
example, to make :ref:`kadmind(8)` check password quality using only a
|
|
Packit |
fd8b60 |
module you have registered, and no other mechanism, you could write::
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
[plugins]
|
|
Packit |
fd8b60 |
pwqual = {
|
|
Packit |
fd8b60 |
module = mymodule:/path/to/mymodule.so
|
|
Packit |
fd8b60 |
enable_only = mymodule
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
Again, if you want to specify multiple modules, specify the
|
|
Packit |
fd8b60 |
**enable_only** directive multiple times, giving one module to enable
|
|
Packit |
fd8b60 |
each time.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
Some Kerberos interfaces use different mechanisms to register plugin
|
|
Packit |
fd8b60 |
modules.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
KDC location modules
|
|
Packit |
fd8b60 |
~~~~~~~~~~~~~~~~~~~~
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
For historical reasons, modules to control how KDC servers are located
|
|
Packit |
fd8b60 |
are registered simply by placing the shared object or DLL into the
|
|
Packit |
fd8b60 |
"libkrb5" subdirectory of the krb5 plugin directory, which defaults to
|
|
Packit |
fd8b60 |
|libdir|\ ``/krb5/plugins``. For example, Samba's winbind krb5
|
|
Packit |
fd8b60 |
locator plugin would be registered by placing its shared object in
|
|
Packit |
fd8b60 |
|libdir|\ ``/krb5/plugins/libkrb5/winbind_krb5_locator.so``.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
.. _gssapi_plugin_config:
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
GSSAPI mechanism modules
|
|
Packit |
fd8b60 |
~~~~~~~~~~~~~~~~~~~~~~~~
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
GSSAPI mechanism modules are registered using the file
|
|
Packit |
fd8b60 |
|sysconfdir|\ ``/gss/mech`` or configuration files in the
|
|
Packit |
fd8b60 |
|sysconfdir|\ ``/gss/mech.d`` directory with a ``.conf``
|
|
Packit |
fd8b60 |
suffix. Each line in these files has the form::
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
name oid pathname [options] <type>
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
Only the name, oid, and pathname are required. *name* is the
|
|
Packit |
fd8b60 |
mechanism name, which may be used for debugging or logging purposes.
|
|
Packit |
fd8b60 |
*oid* is the object identifier of the GSSAPI mechanism to be
|
|
Packit |
fd8b60 |
registered. *pathname* is a path to the module shared object or DLL.
|
|
Packit |
fd8b60 |
*options* (if present) are options provided to the plugin module,
|
|
Packit |
fd8b60 |
surrounded in square brackets. *type* (if present) can be used to
|
|
Packit |
fd8b60 |
indicate a special type of module. Currently the only special module
|
|
Packit |
fd8b60 |
type is "interposer", for a module designed to intercept calls to
|
|
Packit |
fd8b60 |
other mechanisms.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
If the environment variable **GSS_MECH_CONFIG** is set, its value is
|
|
Packit |
fd8b60 |
used as the sole mechanism configuration filename.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
.. _profile_plugin_config:
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
Configuration profile modules
|
|
Packit |
fd8b60 |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
A configuration profile module replaces the information source for
|
|
Packit |
fd8b60 |
:ref:`krb5.conf(5)` itself. To use a profile module, begin krb5.conf
|
|
Packit |
fd8b60 |
with the line::
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
module PATHNAME:STRING
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
where *PATHNAME* is a path to the module shared object or DLL, and
|
|
Packit |
fd8b60 |
*STRING* is a string to provide to the module. The module will then
|
|
Packit |
fd8b60 |
take over, and the rest of krb5.conf will be ignored.
|