<!DOCTYPE html>

<html>
  <head>
    <meta charset="utf-8" />
    <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.17.1: http://docutils.sourceforge.net/" />

    <title>krb5.conf — MIT Kerberos Documentation</title>
    <link rel="stylesheet" type="text/css" href="../../_static/pygments.css" />
    <link rel="stylesheet" type="text/css" href="../../_static/agogo.css" />
    <link rel="stylesheet" type="text/css" href="../../_static/kerb.css" />
    <script data-url_root="../../" id="documentation_options" src="../../_static/documentation_options.js"></script>
    <script src="../../_static/jquery.js"></script>
    <script src="../../_static/underscore.js"></script>
    <script src="../../_static/doctools.js"></script>
    <link rel="author" title="About these documents" href="../../about.html" />
    <link rel="index" title="Index" href="../../genindex.html" />
    <link rel="search" title="Search" href="../../search.html" />
    <link rel="copyright" title="Copyright" href="../../copyright.html" />
    <link rel="next" title="kdc.conf" href="kdc_conf.html" />
    <link rel="prev" title="Configuration Files" href="index.html" />
  </head><body>
    <div class="header-wrapper">
      <div class="header">

        <h1><a href="../../index.html">MIT Kerberos Documentation</a></h1>

      </div>
    </div>

    <div class="content-wrapper">
      <div class="content">
        <div
class="document">

<div class="documentwrapper">
<div class="bodywrapper">
<div class="body" role="main">

<section id="krb5-conf">
<span id="krb5-conf-5"></span><h1>krb5.conf</h1>
<p>The krb5.conf file contains Kerberos configuration information,
including the locations of KDCs and admin servers for the Kerberos
realms of interest, defaults for the current realm and for Kerberos
applications, and mappings of hostnames onto Kerberos realms.
Normally, you should install your krb5.conf file in the directory
<code class="docutils literal notranslate"><span class="pre">/etc</span></code>. You can override the default location by setting the
environment variable <strong>KRB5_CONFIG</strong>. Multiple colon-separated
filenames may be specified in <strong>KRB5_CONFIG</strong>; all files which are
present will be read. Starting in release 1.14, directory names can
also be specified in <strong>KRB5_CONFIG</strong>; all files within the directory
whose names consist solely of alphanumeric characters, dashes, or
underscores will be read.</p>
<section id="structure">
<h2>Structure</h2>
<p>The krb5.conf file is set up in the style of a Windows INI file.
Lines beginning with ‘#’ or ‘;’ (possibly after initial whitespace)
are ignored as comments. Sections are headed by the section name, in
square brackets.
Each section may contain zero or more relations, of
the form:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">foo</span> <span class="o">=</span> <span class="n">bar</span>
</pre></div>
</div>
<p>or:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">fubar</span> <span class="o">=</span> <span class="p">{</span>
    <span class="n">foo</span> <span class="o">=</span> <span class="n">bar</span>
    <span class="n">baz</span> <span class="o">=</span> <span class="n">quux</span>
<span class="p">}</span>
</pre></div>
</div>
<p>Placing a ‘*’ after the closing bracket of a section name indicates
that the section is <em>final</em>, meaning that if the same section appears
within a later file specified in <strong>KRB5_CONFIG</strong>, it will be ignored.
A subsection can be marked as final by placing a ‘*’ after either the
tag name or the closing brace.</p>
<p>The krb5.conf file can include other files using either of the
following directives at the beginning of a line:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">include</span> <span class="n">FILENAME</span>
<span class="n">includedir</span> <span class="n">DIRNAME</span>
</pre></div>
</div>
<p><em>FILENAME</em> or <em>DIRNAME</em> should be an absolute path. The named file or
directory must exist and be readable. Including a directory includes
all files within the directory whose names consist solely of
alphanumeric characters, dashes, or underscores. Starting in release
1.15, files with names ending in “.conf” are also included, unless the
name begins with “.”. Included profile files are syntactically
independent of their parents, so each included file must begin with a
section header.
Starting in release 1.17, files are read in
alphanumeric order; in previous releases, they may be read in any
order.</p>
<p>The krb5.conf file can specify that configuration should be obtained
from a loadable module, rather than the file itself, using the
following directive at the beginning of a line before any section
headers:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">module</span> <span class="n">MODULEPATH</span><span class="p">:</span><span class="n">RESIDUAL</span>
</pre></div>
</div>
<p><em>MODULEPATH</em> may be relative to the library path of the krb5
installation, or it may be an absolute path. <em>RESIDUAL</em> is provided
to the module at initialization time. If krb5.conf uses a module
directive, <a class="reference internal" href="kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a> should also use one if it exists.</p>
</section>
<section id="sections">
<h2>Sections</h2>
<p>The krb5.conf file may contain the following sections:</p>
<table class="docutils align-default">
<colgroup>
<col style="width: 26%" />
<col style="width: 74%" />
</colgroup>
<tbody>
<tr class="row-odd"><td><p><a class="reference internal" href="#libdefaults"><span class="std std-ref">[libdefaults]</span></a></p></td>
<td><p>Settings used by the Kerberos V5 library</p></td>
</tr>
<tr class="row-even"><td><p><a class="reference internal" href="#realms"><span class="std std-ref">[realms]</span></a></p></td>
<td><p>Realm-specific contact information and settings</p></td>
</tr>
<tr class="row-odd"><td><p><a class="reference internal" href="#domain-realm"><span class="std std-ref">[domain_realm]</span></a></p></td>
<td><p>Maps server hostnames to Kerberos realms</p></td>
</tr>
<tr class="row-even"><td><p><a class="reference
internal" href="#capaths"><span class="std std-ref">[capaths]</span></a></p></td>
<td><p>Authentication paths for non-hierarchical cross-realm</p></td>
</tr>
<tr class="row-odd"><td><p><a class="reference internal" href="#appdefaults"><span class="std std-ref">[appdefaults]</span></a></p></td>
<td><p>Settings used by some Kerberos V5 applications</p></td>
</tr>
<tr class="row-even"><td><p><a class="reference internal" href="#plugins"><span class="std std-ref">[plugins]</span></a></p></td>
<td><p>Controls plugin module registration</p></td>
</tr>
</tbody>
</table>
<p>Additionally, krb5.conf may include any of the relations described in
<a class="reference internal" href="kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>, but it is not a recommended practice.</p>
<section id="libdefaults">
<span id="id1"></span><h3>[libdefaults]</h3>
<p>The libdefaults section may contain any of the following relations:</p>
<dl>
<dt><strong>allow_des3</strong></dt><dd><p>Permit the KDC to issue tickets with des3-cbc-sha1 session keys.
In future releases, this flag will allow des3-cbc-sha1 to be used
at all. The default value for this tag is false. (Added in
release 1.21.)</p>
</dd>
<dt><strong>allow_rc4</strong></dt><dd><p>Permit the KDC to issue tickets with arcfour-hmac session keys.
In future releases, this flag will allow arcfour-hmac to be used
at all. The default value for this tag is false.
(Added in
release 1.21.)</p>
</dd>
<dt><strong>allow_weak_crypto</strong></dt><dd><p>If this flag is set to false, then weak encryption types (as noted
in <a class="reference internal" href="kdc_conf.html#encryption-types"><span class="std std-ref">Encryption types</span></a> in <a class="reference internal" href="kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>) will be filtered
out of the lists <strong>default_tgs_enctypes</strong>,
<strong>default_tkt_enctypes</strong>, and <strong>permitted_enctypes</strong>. The default
value for this tag is false.</p>
</dd>
<dt><strong>canonicalize</strong></dt><dd><p>If this flag is set to true, initial ticket requests to the KDC
will request canonicalization of the client principal name, and
answers with different client principals than the requested
principal will be accepted. The default value is false.</p>
</dd>
<dt><strong>ccache_type</strong></dt><dd><p>This parameter determines the format of credential caches
created by <a class="reference internal" href="../../user/user_commands/kinit.html#kinit-1"><span class="std std-ref">kinit</span></a> or other programs. The default value
is 4, which represents the most current format. Smaller values
can be used for compatibility with very old implementations of
Kerberos which interact with credential caches on the same host.</p>
</dd>
<dt><strong>clockskew</strong></dt><dd><p>Sets the maximum allowable amount of clock skew in seconds that the
library will tolerate before assuming that a Kerberos message is
invalid. The default value is 300 seconds, or five minutes.</p>
<p>The clockskew setting is also used when evaluating ticket start
and expiration times.
For example, tickets that have reached
their expiration time can still be used (and renewed if they are
renewable tickets) if they have been expired for a shorter
duration than the <strong>clockskew</strong> setting.</p>
</dd>
<dt><strong>default_ccache_name</strong></dt><dd><p>This relation specifies the name of the default credential cache.
The default is <a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">DEFCCNAME</span></a>. This relation is subject to parameter
expansion (see below). New in release 1.11.</p>
</dd>
<dt><strong>default_client_keytab_name</strong></dt><dd><p>This relation specifies the name of the default keytab for
obtaining client credentials. The default is <a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">DEFCKTNAME</span></a>. This
relation is subject to parameter expansion (see below).
New in release 1.11.</p>
</dd>
<dt><strong>default_keytab_name</strong></dt><dd><p>This relation specifies the default keytab name to be used by
application servers such as sshd. The default is <a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">DEFKTNAME</span></a>. This
relation is subject to parameter expansion (see below).</p>
</dd>
<dt><strong>default_rcache_name</strong></dt><dd><p>This relation specifies the name of the default replay cache.
The default is <code class="docutils literal notranslate"><span class="pre">dfl:</span></code>. This relation is subject to parameter
expansion (see below). New in release 1.18.</p>
</dd>
<dt><strong>default_realm</strong></dt><dd><p>Identifies the default Kerberos realm for the client. Set its
value to your Kerberos realm.
If this value is not set, then a
realm must be specified with every Kerberos principal when
invoking programs such as <a class="reference internal" href="../../user/user_commands/kinit.html#kinit-1"><span class="std std-ref">kinit</span></a>.</p>
</dd>
<dt><strong>default_tgs_enctypes</strong></dt><dd><p>Identifies the supported list of session key encryption types that
the client should request when making a TGS-REQ, in order of
preference from highest to lowest. The list may be delimited with
commas or whitespace. See <a class="reference internal" href="kdc_conf.html#encryption-types"><span class="std std-ref">Encryption types</span></a> in
<a class="reference internal" href="kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a> for a list of the accepted values for this tag.
Starting in release 1.18, the default value is the value of
<strong>permitted_enctypes</strong>. For previous releases or if
<strong>permitted_enctypes</strong> is not set, the default value is
<code class="docutils literal notranslate"><span class="pre">aes256-cts-hmac-sha1-96</span> <span class="pre">aes128-cts-hmac-sha1-96</span> <span class="pre">aes256-cts-hmac-sha384-192</span> <span class="pre">aes128-cts-hmac-sha256-128</span> <span class="pre">des3-cbc-sha1</span> <span class="pre">arcfour-hmac-md5</span> <span class="pre">camellia256-cts-cmac</span> <span class="pre">camellia128-cts-cmac</span></code>.</p>
<p>Do not set this unless required for specific backward
compatibility purposes; stale values of this setting can prevent
clients from taking advantage of new stronger enctypes when the
libraries are upgraded.</p>
</dd>
<dt><strong>default_tkt_enctypes</strong></dt><dd><p>Identifies the supported list of session key encryption types that
the client should request when making an AS-REQ, in order of
preference from highest to lowest. The format is the same as for
default_tgs_enctypes.
Starting in release 1.18, the default
value is the value of <strong>permitted_enctypes</strong>. For previous
releases or if <strong>permitted_enctypes</strong> is not set, the default
value is <code class="docutils literal notranslate"><span class="pre">aes256-cts-hmac-sha1-96</span> <span class="pre">aes128-cts-hmac-sha1-96</span> <span class="pre">aes256-cts-hmac-sha384-192</span> <span class="pre">aes128-cts-hmac-sha256-128</span> <span class="pre">des3-cbc-sha1</span> <span class="pre">arcfour-hmac-md5</span> <span class="pre">camellia256-cts-cmac</span> <span class="pre">camellia128-cts-cmac</span></code>.</p>
<p>Do not set this unless required for specific backward
compatibility purposes; stale values of this setting can prevent
clients from taking advantage of new stronger enctypes when the
libraries are upgraded.</p>
</dd>
<dt><strong>dns_canonicalize_hostname</strong></dt><dd><p>Indicate whether name lookups will be used to canonicalize
hostnames for use in service principal names. Setting this flag
to false can improve security by reducing reliance on DNS, but
means that short hostnames will not be canonicalized to
fully-qualified hostnames. If this option is set to <code class="docutils literal notranslate"><span class="pre">fallback</span></code> (new
in release 1.18), DNS canonicalization will only be performed if the
server hostname is not found with the original name when
requesting credentials. The default value is true.</p>
</dd>
<dt><strong>dns_lookup_kdc</strong></dt><dd><p>Indicate whether DNS SRV records should be used to locate the KDCs
and other servers for a realm, if they are not listed in the
krb5.conf information for the realm.
(Note that the admin_server
entry must be in the krb5.conf realm information in order to
contact kadmind, because the DNS implementation for kadmin is
incomplete.)</p>
<p>Enabling this option does open up a type of denial-of-service
attack, if someone spoofs the DNS records and redirects you to
another server. However, it’s no worse than a denial of service,
because that fake KDC will be unable to decode anything you send
it (besides the initial ticket request, which has no encrypted
data), and anything the fake KDC sends will not be trusted without
verification using some secret that it won’t know.</p>
</dd>
<dt><strong>dns_uri_lookup</strong></dt><dd><p>Indicate whether DNS URI records should be used to locate the KDCs
and other servers for a realm, if they are not listed in the
krb5.conf information for the realm. SRV records are used as a
fallback if no URI records were found. The default value is true.
New in release 1.15.</p>
</dd>
<dt><strong>enforce_ok_as_delegate</strong></dt><dd><p>If this flag is set to true, GSSAPI credential delegation will be
disabled when the <code class="docutils literal notranslate"><span class="pre">ok-as-delegate</span></code> flag is not set in the
service ticket. If this flag is false, the <code class="docutils literal notranslate"><span class="pre">ok-as-delegate</span></code>
ticket flag is only enforced when an application specifically
requests enforcement. The default value is false.</p>
</dd>
<dt><strong>err_fmt</strong></dt><dd><p>This relation allows for custom error message formatting. If a
value is set, error messages will be formatted by substituting a
normal error message for %M and an error code for %C in the value.</p>
</dd>
<dt><strong>extra_addresses</strong></dt><dd><p>This allows a computer to use multiple local addresses, in order
to allow Kerberos to work in a network that uses NATs while still
using address-restricted tickets.
The addresses should be in a
comma-separated list. This option has no effect if
<strong>noaddresses</strong> is true.</p>
</dd>
<dt><strong>forwardable</strong></dt><dd><p>If this flag is true, initial tickets will be forwardable by
default, if allowed by the KDC. The default value is false.</p>
</dd>
<dt><strong>ignore_acceptor_hostname</strong></dt><dd><p>When accepting GSSAPI or krb5 security contexts for host-based
service principals, ignore any hostname passed by the calling
application, and allow clients to authenticate to any service
principal in the keytab matching the service name and realm name
(if given). This option can improve the administrative
flexibility of server applications on multihomed hosts, but could
compromise the security of virtual hosting environments. The
default value is false. New in release 1.10.</p>
</dd>
<dt><strong>k5login_authoritative</strong></dt><dd><p>If this flag is true, principals must be listed in a local user’s
k5login file to be granted login access, if a <a class="reference internal" href="../../user/user_config/k5login.html#k5login-5"><span class="std std-ref">.k5login</span></a>
file exists. If this flag is false, a principal may still be
granted login access through other mechanisms even if a k5login
file exists but does not list the principal. The default value is
true.</p>
</dd>
<dt><strong>k5login_directory</strong></dt><dd><p>If set, the library will look for a local user’s k5login file
within the named directory, with a filename corresponding to the
local username. If not set, the library will look for k5login
files in the user’s home directory, with the filename .k5login.
For security reasons, .k5login files must be owned by
the local user or by root.</p>
</dd>
<dt><strong>kcm_mach_service</strong></dt><dd><p>On macOS only, determines the name of the bootstrap service used to
contact the KCM daemon for the KCM credential cache type. If the
value is <code class="docutils literal notranslate"><span class="pre">-</span></code>, Mach RPC will not be used to contact the KCM
daemon. The default value is <code class="docutils literal notranslate"><span class="pre">org.h5l.kcm</span></code>.</p>
</dd>
<dt><strong>kcm_socket</strong></dt><dd><p>Determines the path to the Unix domain socket used to access the
KCM daemon for the KCM credential cache type. If the value is
<code class="docutils literal notranslate"><span class="pre">-</span></code>, Unix domain sockets will not be used to contact the KCM
daemon. The default value is
<code class="docutils literal notranslate"><span class="pre">/var/run/.heim_org.h5l.kcm-socket</span></code>.</p>
</dd>
<dt><strong>kdc_default_options</strong></dt><dd><p>Default KDC options (XORed together when multiple values are given) when requesting
initial tickets. By default it is set to 0x00000010
(KDC_OPT_RENEWABLE_OK).</p>
</dd>
<dt><strong>kdc_timesync</strong></dt><dd><p>Accepted values for this relation are 1 or 0. If it is nonzero,
client machines will compute the difference between their time and
the time returned by the KDC in the timestamps in the tickets and
use this value to correct for an inaccurate system clock when
requesting service tickets or authenticating to services. This
corrective factor is only used by the Kerberos library; it is not
used to change the system clock. The default value is 1.</p>
</dd>
<dt><strong>noaddresses</strong></dt><dd><p>If this flag is true, requests for initial tickets will not be
made with address restrictions set, allowing the tickets to be
used across NATs.
The default value is true.</p>
</dd>
<dt><strong>permitted_enctypes</strong></dt><dd><p>Identifies the encryption types that servers will permit for
session keys and for ticket and authenticator encryption, ordered
by preference from highest to lowest. Starting in release 1.18,
this tag also acts as the default value for
<strong>default_tgs_enctypes</strong> and <strong>default_tkt_enctypes</strong>. The
default value for this tag is <code class="docutils literal notranslate"><span class="pre">aes256-cts-hmac-sha1-96</span> <span class="pre">aes128-cts-hmac-sha1-96</span> <span class="pre">aes256-cts-hmac-sha384-192</span> <span class="pre">aes128-cts-hmac-sha256-128</span> <span class="pre">des3-cbc-sha1</span> <span class="pre">arcfour-hmac-md5</span> <span class="pre">camellia256-cts-cmac</span> <span class="pre">camellia128-cts-cmac</span></code>.</p>
</dd>
<dt><strong>plugin_base_dir</strong></dt><dd><p>If set, determines the base directory where krb5 plugins are
located. The default value is the <code class="docutils literal notranslate"><span class="pre">krb5/plugins</span></code> subdirectory
of the krb5 library directory. This relation is subject to
parameter expansion (see below) in release 1.17 and later.</p>
</dd>
<dt><strong>preferred_preauth_types</strong></dt><dd><p>This allows you to set the preferred preauthentication types which
the client will attempt before others which may be advertised by a
KDC. The default value for this setting is “17, 16, 15, 14”,
which forces libkrb5 to attempt to use PKINIT if it is supported.</p>
</dd>
<dt><strong>proxiable</strong></dt><dd><p>If this flag is true, initial tickets will be proxiable by
default, if allowed by the KDC.
The default value is false.</p>
</dd>
<dt><strong>qualify_shortname</strong></dt><dd><p>If this string is set, it determines the domain suffix for
single-component hostnames when DNS canonicalization is not used
(either because <strong>dns_canonicalize_hostname</strong> is false or because
forward canonicalization failed). The default value is the first
search domain of the system’s DNS configuration. To disable
qualification of shortnames, set this relation to the empty string
with <code class="docutils literal notranslate"><span class="pre">qualify_shortname</span> <span class="pre">=</span> <span class="pre">""</span></code>. (New in release 1.18.)</p>
</dd>
<dt><strong>rdns</strong></dt><dd><p>If this flag is true, reverse name lookup will be used in addition
to forward name lookup to canonicalize hostnames for use in
service principal names. If <strong>dns_canonicalize_hostname</strong> is set
to false, this flag has no effect. The default value is true.</p>
</dd>
<dt><strong>realm_try_domains</strong></dt><dd><p>Indicate whether a host’s domain components should be used to
determine the Kerberos realm of the host. The value of this
variable is an integer: -1 means not to search, 0 means to try the
host’s domain itself, 1 means to also try the domain’s immediate
parent, and so forth. The library’s usual mechanism for locating
Kerberos realms is used to determine whether a domain is a valid
realm, which may involve consulting DNS if <strong>dns_lookup_kdc</strong> is
set. The default is not to search domain components.</p>
</dd>
<dt><strong>renew_lifetime</strong></dt><dd><p>(<a class="reference internal" href="../../basic/date_format.html#duration"><span class="std std-ref">Time duration</span></a> string.) Sets the default renewable lifetime
for initial ticket requests.
The default value is 0.</p>
</dd>
<dt><strong>spake_preauth_groups</strong></dt><dd><p>A whitespace- or comma-separated list of words which specifies the
groups allowed for SPAKE preauthentication. The possible values
are:</p>
<table class="docutils align-default">
<colgroup>
<col style="width: 27%" />
<col style="width: 73%" />
</colgroup>
<tbody>
<tr class="row-odd"><td><p>edwards25519</p></td>
<td><p>Edwards25519 curve (<span class="target" id="index-0"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc7748.html"><strong>RFC 7748</strong></a>)</p></td>
</tr>
<tr class="row-even"><td><p>P-256</p></td>
<td><p>NIST P-256 curve (<span class="target" id="index-1"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc5480.html"><strong>RFC 5480</strong></a>)</p></td>
</tr>
<tr class="row-odd"><td><p>P-384</p></td>
<td><p>NIST P-384 curve (<span class="target" id="index-2"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc5480.html"><strong>RFC 5480</strong></a>)</p></td>
</tr>
<tr class="row-even"><td><p>P-521</p></td>
<td><p>NIST P-521 curve (<span class="target" id="index-3"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc5480.html"><strong>RFC 5480</strong></a>)</p></td>
</tr>
</tbody>
</table>
<p>The default value for the client is <code class="docutils literal notranslate"><span class="pre">edwards25519</span></code>. The default
value for the KDC is empty. New in release 1.17.</p>
</dd>
<dt><strong>ticket_lifetime</strong></dt><dd><p>(<a class="reference internal" href="../../basic/date_format.html#duration"><span class="std std-ref">Time duration</span></a> string.) Sets the default lifetime for initial
ticket requests.
The default value is 1 day.</p>
</dd>
<dt><strong>udp_preference_limit</strong></dt><dd><p>When sending a message to the KDC, the library will try using TCP
before UDP if the size of the message is above
<strong>udp_preference_limit</strong>. If the message is smaller than
<strong>udp_preference_limit</strong>, then UDP will be tried before TCP.
Regardless of the size, both protocols will be tried if the first
attempt fails.</p>
</dd>
<dt><strong>verify_ap_req_nofail</strong></dt><dd><p>If this flag is true, then an attempt to verify initial
credentials will fail if the client machine does not have a
keytab. The default value is false.</p>
</dd>
<dt><strong>client_aware_channel_bindings</strong></dt><dd><p>If this flag is true, then all application protocol authentication
requests will be flagged to indicate that the application supports
channel bindings when operating over a secure channel. The
default value is false.</p>
</dd>
</dl>
</section>
<section id="realms">
<span id="id2"></span><h3>[realms]</h3>
<p>Each tag in the [realms] section of the file is the name of a Kerberos
realm. The value of the tag is a subsection with relations that
define the properties of that particular realm. For each realm, the
following tags may be specified in the realm’s subsection:</p>
<dl>
<dt><strong>admin_server</strong></dt><dd><p>Identifies the host where the administration server is running.
Typically, this is the primary Kerberos server. This tag must be
given a value in order to communicate with the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a>
server for the realm.</p>
</dd>
<dt><strong>auth_to_local</strong></dt><dd><p>This tag allows you to set a general rule for mapping principal
names to local user names.
It will be used if there is not an
explicit mapping for the principal name that is being
translated. The possible values are:</p>
<dl>
<dt><strong>RULE:</strong><em>exp</em></dt><dd><p>The local name will be formulated from <em>exp</em>.</p>
<p>The format for <em>exp</em> is <strong>[</strong><em>n</em><strong>:</strong><em>string</em><strong>](</strong><em>regexp</em><strong>)s/</strong><em>pattern</em><strong>/</strong><em>replacement</em><strong>/g</strong>.
The integer <em>n</em> indicates how many components the target
principal should have. If this matches, then a string will be
formed from <em>string</em>, substituting the realm of the principal
for <code class="docutils literal notranslate"><span class="pre">$0</span></code> and the <em>n</em>’th component of the principal for
<code class="docutils literal notranslate"><span class="pre">$n</span></code> (e.g., if the principal was <code class="docutils literal notranslate"><span class="pre">johndoe/admin</span></code> then
<code class="docutils literal notranslate"><span class="pre">[2:$2$1foo]</span></code> would result in the string
<code class="docutils literal notranslate"><span class="pre">adminjohndoefoo</span></code>). If this string matches <em>regexp</em>, then
the <code class="docutils literal notranslate"><span class="pre">s//[g]</span></code> substitution command will be run over the
string. The optional <strong>g</strong> will cause the substitution to be
global over the <em>string</em>, instead of replacing only the first
match in the <em>string</em>.</p>
</dd>
<dt><strong>DEFAULT</strong></dt><dd><p>The principal name will be used as the local user name.
If
the principal has more than one component or is not in the
default realm, this rule is not applicable and the conversion
will fail.</p>
</dd>
</dl>
<p>For example:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>[realms]
    ATHENA.MIT.EDU = {
        auth_to_local = RULE:[2:$1](johndoe)s/^.*$/guest/
        auth_to_local = RULE:[2:$1;$2](^.*;admin$)s/;admin$//
        auth_to_local = RULE:[2:$1;$2](^.*;root$)s/^.*$/root/
        auth_to_local = DEFAULT
    }
</pre></div>
</div>
<p>would result in any principal without <code class="docutils literal notranslate"><span class="pre">root</span></code> or <code class="docutils literal notranslate"><span class="pre">admin</span></code> as the
second component being translated with the default rule. A
principal with a second component of <code class="docutils literal notranslate"><span class="pre">admin</span></code> will become its
first component. <code class="docutils literal notranslate"><span class="pre">root</span></code> will be used as the local name for any
principal with a second component of <code class="docutils literal notranslate"><span class="pre">root</span></code>. The exception to
these two rules is any principal <code class="docutils literal notranslate"><span class="pre">johndoe/*</span></code>, which will
always get the local name <code class="docutils literal notranslate"><span class="pre">guest</span></code>.</p>
</dd>
<dt><strong>auth_to_local_names</strong></dt><dd><p>This subsection allows you to set explicit mappings from principal
names to local user names.
The tag is the mapping name, and the 485value is the corresponding local user name.</p> 486</dd> 487<dt><strong>default_domain</strong></dt><dd><p>This tag specifies the domain used to expand hostnames when 488translating Kerberos 4 service principals to Kerberos 5 principals 489(for example, when converting <code class="docutils literal notranslate"><span class="pre">rcmd.hostname</span></code> to 490<code class="docutils literal notranslate"><span class="pre">host/hostname.domain</span></code>).</p> 491</dd> 492<dt><strong>disable_encrypted_timestamp</strong></dt><dd><p>If this flag is true, the client will not perform encrypted 493timestamp preauthentication if requested by the KDC. Setting this 494flag can help to prevent dictionary attacks by active attackers, 495if the realm’s KDCs support SPAKE preauthentication or if initial 496authentication always uses another mechanism or always uses FAST. 497This flag persists across client referrals during initial 498authentication. This flag does not prevent the KDC from offering 499encrypted timestamp. New in release 1.17.</p> 500</dd> 501<dt><strong>http_anchors</strong></dt><dd><p>When KDCs and kpasswd servers are accessed through HTTPS proxies, this tag 502can be used to specify the location of the CA certificate which should be 503trusted to issue the certificate for a proxy server. If left unspecified, 504the system-wide default set of CA certificates is used.</p> 505<p>The syntax for values is similar to that of values for the 506<strong>pkinit_anchors</strong> tag:</p> 507<p><strong>FILE:</strong> <em>filename</em></p> 508<p><em>filename</em> is assumed to be the name of an OpenSSL-style ca-bundle file.</p> 509<p><strong>DIR:</strong> <em>dirname</em></p> 510<p><em>dirname</em> is assumed to be a directory which contains CA certificates. 
511All files in the directory will be examined; if they contain certificates 512(in PEM format), they will be used.</p> 513<p><strong>ENV:</strong> <em>envvar</em></p> 514<p><em>envvar</em> specifies the name of an environment variable which has been set 515to a value conforming to one of the previous values. For example, 516<code class="docutils literal notranslate"><span class="pre">ENV:X509_PROXY_CA</span></code>, where environment variable <code class="docutils literal notranslate"><span class="pre">X509_PROXY_CA</span></code> has 517been set to <code class="docutils literal notranslate"><span class="pre">FILE:/tmp/my_proxy.pem</span></code>.</p> 518</dd> 519<dt><strong>kdc</strong></dt><dd><p>The name or address of a host running a KDC for that realm. An 520optional port number, separated from the hostname by a colon, may 521be included. If the name or address contains colons (for example, 522if it is an IPv6 address), enclose it in square brackets to 523distinguish the colon from a port separator. For your computer to 524be able to communicate with the KDC for each realm, this tag must 525be given a value in each realm subsection in the configuration 526file, or there must be DNS SRV records specifying the KDCs.</p> 527</dd> 528<dt><strong>kpasswd_server</strong></dt><dd><p>Points to the server where all the password changes are performed. 529If there is no such entry, DNS will be queried (unless forbidden 530by <strong>dns_lookup_kdc</strong>). Finally, port 464 on the <strong>admin_server</strong> 531host will be tried.</p> 532</dd> 533<dt><strong>master_kdc</strong></dt><dd><p>The name for <strong>primary_kdc</strong> prior to release 1.19. Its value is 534used as a fallback if <strong>primary_kdc</strong> is not specified.</p> 535</dd> 536<dt><strong>primary_kdc</strong></dt><dd><p>Identifies the primary KDC(s). 
Currently, this tag is used in only 537one case: If an attempt to get credentials fails because of an 538invalid password, the client software will attempt to contact the 539primary KDC, in case the user’s password has just been changed, and 540the updated database has not been propagated to the replica 541servers yet. New in release 1.19.</p> 542</dd> 543<dt><strong>v4_instance_convert</strong></dt><dd><p>This subsection allows the administrator to configure exceptions 544to the <strong>default_domain</strong> mapping rule. It contains V4 instances 545(the tag name) which should be translated to some specific 546hostname (the tag value) as the second component in a Kerberos V5 547principal name.</p> 548</dd> 549<dt><strong>v4_realm</strong></dt><dd><p>This relation is used by the krb524 library routines when 550converting a V5 principal name to a V4 principal name. It is used 551when the V4 realm name and the V5 realm name are not the same, but 552still share the same principal names and passwords. The tag value 553is the Kerberos V4 realm name.</p> 554</dd> 555</dl> 556</section> 557<section id="domain-realm"> 558<span id="id3"></span><h3>[domain_realm]<a class="headerlink" href="#domain-realm" title="Permalink to this headline">¶</a></h3> 559<p>The [domain_realm] section provides a translation from hostnames to 560Kerberos realms. Each tag is a domain name, providing the mapping for 561that domain and all subdomains. If the tag begins with a period 562(<code class="docutils literal notranslate"><span class="pre">.</span></code>) then it applies only to subdomains. The Kerberos realm may be 563identified either in the <a class="reference internal" href="#realms">realms</a> section or using DNS SRV records. 564Tag names should be in lower case. 
For example:</p> 565<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">domain_realm</span><span class="p">]</span> 566 <span class="n">crash</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> <span class="o">=</span> <span class="n">TEST</span><span class="o">.</span><span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> 567 <span class="o">.</span><span class="n">dev</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> <span class="o">=</span> <span class="n">TEST</span><span class="o">.</span><span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> 568 <span class="n">mit</span><span class="o">.</span><span class="n">edu</span> <span class="o">=</span> <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> 569</pre></div> 570</div> 571<p>maps the host with the name <code class="docutils literal notranslate"><span class="pre">crash.mit.edu</span></code> into the 572<code class="docutils literal notranslate"><span class="pre">TEST.ATHENA.MIT.EDU</span></code> realm. The second entry maps all hosts under the 573domain <code class="docutils literal notranslate"><span class="pre">dev.mit.edu</span></code> into the <code class="docutils literal notranslate"><span class="pre">TEST.ATHENA.MIT.EDU</span></code> realm, but not 574the host with the name <code class="docutils literal notranslate"><span class="pre">dev.mit.edu</span></code>. 
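</p>
<p>The lookup just described, as an added example that is not libkrb5 code: the exact hostname first, then each parent domain with a leading dot (subdomains only) before the same domain without one (domain and subdomains), then the uppercase-domain fallback. The KDC referral and DNS steps libkrb5 tries in between, and <code>realm_try_domains</code>, are not modelled; the input is the <code>[domain_realm]</code> example from this page plus a constructed unmapped host.</p>

```python
"""Host-to-realm lookup following the [domain_realm] rules on this page.
Added example, not libkrb5 code.  Modelled: exact host, then each parent
domain with and without a leading dot, then the uppercase-domain fallback.
Not modelled: the KDC referral, DNS lookups and realm_try_domains."""
from typing import Dict


def host_to_realm(hostname: str, domain_realm: Dict[str, str]) -> str:
    host = hostname.lower().rstrip(".")       # tags are lower case; drop a trailing dot
    # 1. An entry for the full hostname wins.
    if host in domain_realm:
        return domain_realm[host]
    # 2. Each parent domain, longest first: ".dom" (subdomains only) is
    #    consulted before "dom" (the domain itself and its subdomains).
    dot = host.find(".")
    while dot != -1:
        for tag in (host[dot:], host[dot + 1:]):
            if tag in domain_realm:
                return domain_realm[tag]
        dot = host.find(".", dot + 1)
    # 3. Fallback: the hostname's domain portion converted to uppercase.
    if "." not in host:
        raise LookupError("no realm mapping for unqualified host " + hostname)
    return host.split(".", 1)[1].upper()


# The [domain_realm] example from this page.
DOMAIN_REALM = {
    "crash.mit.edu": "TEST.ATHENA.MIT.EDU",
    ".dev.mit.edu": "TEST.ATHENA.MIT.EDU",
    "mit.edu": "ATHENA.MIT.EDU",
}

if __name__ == "__main__":
    for h in ("crash.mit.edu", "build.dev.mit.edu", "dev.mit.edu",
              "www.mit.edu", "host.example.org"):      # last one is constructed
        print(h, "->", host_to_realm(h, DOMAIN_REALM))
```

<p>The fallback in step 3 is the part to keep in mind when reviewing a configuration: a host outside every mapped domain is assigned a realm derived from its own DNS name, so domains whose hosts must land in a particular realm need an explicit entry rather than relying on the default.</p>
<p>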
That host is matched 575by the third entry, which maps the host <code class="docutils literal notranslate"><span class="pre">mit.edu</span></code> and all hosts 576under the domain <code class="docutils literal notranslate"><span class="pre">mit.edu</span></code> that do not match a preceding rule 577into the realm <code class="docutils literal notranslate"><span class="pre">ATHENA.MIT.EDU</span></code>.</p> 578<p>If no translation entry applies to a hostname used for a service 579principal for a service ticket request, the library will try to get a 580referral to the appropriate realm from the client realm’s KDC. If 581that does not succeed, the host’s realm is considered to be the 582hostname’s domain portion converted to uppercase, unless the 583<strong>realm_try_domains</strong> setting in [libdefaults] causes a different 584parent domain to be used.</p> 585</section> 586<section id="capaths"> 587<span id="id4"></span><h3>[capaths]<a class="headerlink" href="#capaths" title="Permalink to this headline">¶</a></h3> 588<p>In order to perform direct (non-hierarchical) cross-realm 589authentication, configuration is needed to determine the 590authentication paths between realms.</p> 591<p>A client will use this section to find the authentication path between 592its realm and the realm of the server. The server will use this 593section to verify the authentication path used by the client, by 594checking the transited field of the received ticket.</p> 595<p>There is a tag for each participating client realm, and each tag has 596subtags for each of the server realms. The value of the subtags is an 597intermediate realm which may participate in the cross-realm 598authentication. The subtags may be repeated if there is more than one 599intermediate realm. 
A value of “.” means that the two realms share 600keys directly, and no intermediate realms should be allowed to 601participate.</p> 602<p>Only those entries which will be needed on the client or the server 603need to be present. A client needs a tag for its local realm with 604subtags for all the realms of servers it will need to authenticate to. 605A server needs a tag for each realm of the clients it will serve, with 606a subtag of the server realm.</p> 607<p>For example, <code class="docutils literal notranslate"><span class="pre">ANL.GOV</span></code>, <code class="docutils literal notranslate"><span class="pre">PNL.GOV</span></code>, and <code class="docutils literal notranslate"><span class="pre">NERSC.GOV</span></code> all wish to 608use the <code class="docutils literal notranslate"><span class="pre">ES.NET</span></code> realm as an intermediate realm. ANL has a sub 609realm of <code class="docutils literal notranslate"><span class="pre">TEST.ANL.GOV</span></code> which will authenticate with <code class="docutils literal notranslate"><span class="pre">NERSC.GOV</span></code> 610but not <code class="docutils literal notranslate"><span class="pre">PNL.GOV</span></code>. 
The [capaths] section for <code class="docutils literal notranslate"><span class="pre">ANL.GOV</span></code> systems 611would look like this:</p> 612<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">capaths</span><span class="p">]</span> 613 <span class="n">ANL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="p">{</span> 614 <span class="n">TEST</span><span class="o">.</span><span class="n">ANL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="o">.</span> 615 <span class="n">PNL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="n">ES</span><span class="o">.</span><span class="n">NET</span> 616 <span class="n">NERSC</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="n">ES</span><span class="o">.</span><span class="n">NET</span> 617 <span class="n">ES</span><span class="o">.</span><span class="n">NET</span> <span class="o">=</span> <span class="o">.</span> 618 <span class="p">}</span> 619 <span class="n">TEST</span><span class="o">.</span><span class="n">ANL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="p">{</span> 620 <span class="n">ANL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="o">.</span> 621 <span class="p">}</span> 622 <span class="n">PNL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="p">{</span> 623 <span class="n">ANL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="n">ES</span><span class="o">.</span><span class="n">NET</span> 624 <span class="p">}</span> 625 <span class="n">NERSC</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="p">{</span> 626 <span 
class="n">ANL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="n">ES</span><span class="o">.</span><span class="n">NET</span> 627 <span class="p">}</span> 628 <span class="n">ES</span><span class="o">.</span><span class="n">NET</span> <span class="o">=</span> <span class="p">{</span> 629 <span class="n">ANL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="o">.</span> 630 <span class="p">}</span> 631</pre></div> 632</div> 633<p>The [capaths] section of the configuration file used on <code class="docutils literal notranslate"><span class="pre">NERSC.GOV</span></code> 634systems would look like this:</p> 635<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">capaths</span><span class="p">]</span> 636 <span class="n">NERSC</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="p">{</span> 637 <span class="n">ANL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="n">ES</span><span class="o">.</span><span class="n">NET</span> 638 <span class="n">TEST</span><span class="o">.</span><span class="n">ANL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="n">ES</span><span class="o">.</span><span class="n">NET</span> 639 <span class="n">TEST</span><span class="o">.</span><span class="n">ANL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="n">ANL</span><span class="o">.</span><span class="n">GOV</span> 640 <span class="n">PNL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="n">ES</span><span class="o">.</span><span class="n">NET</span> 641 <span class="n">ES</span><span class="o">.</span><span class="n">NET</span> <span class="o">=</span> <span class="o">.</span> 642 <span class="p">}</span> 643 <span 
class="n">ANL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="p">{</span> 644 <span class="n">NERSC</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="n">ES</span><span class="o">.</span><span class="n">NET</span> 645 <span class="p">}</span> 646 <span class="n">PNL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="p">{</span> 647 <span class="n">NERSC</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="n">ES</span><span class="o">.</span><span class="n">NET</span> 648 <span class="p">}</span> 649 <span class="n">ES</span><span class="o">.</span><span class="n">NET</span> <span class="o">=</span> <span class="p">{</span> 650 <span class="n">NERSC</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="o">.</span> 651 <span class="p">}</span> 652 <span class="n">TEST</span><span class="o">.</span><span class="n">ANL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="p">{</span> 653 <span class="n">NERSC</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="n">ANL</span><span class="o">.</span><span class="n">GOV</span> 654 <span class="n">NERSC</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="n">ES</span><span class="o">.</span><span class="n">NET</span> 655 <span class="p">}</span> 656</pre></div> 657</div> 658<p>When a subtag is used more than once within a tag, clients will use 659the order of values to determine the path. 
The order of values is not 660important to servers.</p> 661</section> 662<section id="appdefaults"> 663<span id="id5"></span><h3>[appdefaults]<a class="headerlink" href="#appdefaults" title="Permalink to this headline">¶</a></h3> 664<p>Each tag in the [appdefaults] section names a Kerberos V5 application 665or an option that is used by some Kerberos V5 application[s]. The 666value of the tag defines the default behaviors for that application.</p> 667<p>For example:</p> 668<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">appdefaults</span><span class="p">]</span> 669 <span class="n">telnet</span> <span class="o">=</span> <span class="p">{</span> 670 <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="o">=</span> <span class="p">{</span> 671 <span class="n">option1</span> <span class="o">=</span> <span class="n">false</span> 672 <span class="p">}</span> 673 <span class="p">}</span> 674 <span class="n">telnet</span> <span class="o">=</span> <span class="p">{</span> 675 <span class="n">option1</span> <span class="o">=</span> <span class="n">true</span> 676 <span class="n">option2</span> <span class="o">=</span> <span class="n">true</span> 677 <span class="p">}</span> 678 <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="o">=</span> <span class="p">{</span> 679 <span class="n">option2</span> <span class="o">=</span> <span class="n">false</span> 680 <span class="p">}</span> 681 <span class="n">option2</span> <span class="o">=</span> <span class="n">true</span> 682</pre></div> 683</div> 684<p>The above four ways of specifying the value of an option are shown in 685order of decreasing precedence. 
In this example, if telnet is running 686in the realm EXAMPLE.COM, it should, by default, have option1 and 687option2 set to true. However, a telnet program in the realm 688<code class="docutils literal notranslate"><span class="pre">ATHENA.MIT.EDU</span></code> should have <code class="docutils literal notranslate"><span class="pre">option1</span></code> set to false and 689<code class="docutils literal notranslate"><span class="pre">option2</span></code> set to true. Any other programs in ATHENA.MIT.EDU should 690have <code class="docutils literal notranslate"><span class="pre">option2</span></code> set to false by default. Any programs running in 691other realms should have <code class="docutils literal notranslate"><span class="pre">option2</span></code> set to true.</p> 692<p>The list of specifiable options for each application may be found in 693that application’s man pages. The application defaults specified here 694are overridden by those specified in the <a class="reference internal" href="#realms">realms</a> section.</p> 695</section> 696<section id="plugins"> 697<span id="id6"></span><h3>[plugins]<a class="headerlink" href="#plugins" title="Permalink to this headline">¶</a></h3> 698<blockquote> 699<div><ul class="simple"> 700<li><p><a class="reference internal" href="#pwqual">pwqual</a> interface</p></li> 701<li><p><a class="reference internal" href="#kadm5-hook">kadm5_hook</a> interface</p></li> 702<li><p><a class="reference internal" href="#clpreauth">clpreauth</a> and <a class="reference internal" href="#kdcpreauth">kdcpreauth</a> interfaces</p></li> 703</ul> 704</div></blockquote> 705<p>Tags in the [plugins] section can be used to register dynamic plugin 706modules and to turn modules on and off. Not every krb5 pluggable 707interface uses the [plugins] section; the ones that do are documented 708here.</p> 709<p>New in release 1.9.</p> 710<p>Each pluggable interface corresponds to a subsection of [plugins]. 
711All subsections support the same tags:</p> 712<dl class="simple"> 713<dt><strong>disable</strong></dt><dd><p>This tag may have multiple values. If there are values for this 714tag, then the named modules will be disabled for the pluggable 715interface.</p> 716</dd> 717<dt><strong>enable_only</strong></dt><dd><p>This tag may have multiple values. If there are values for this 718tag, then only the named modules will be enabled for the pluggable 719interface.</p> 720</dd> 721<dt><strong>module</strong></dt><dd><p>This tag may have multiple values. Each value is a string of the 722form <code class="docutils literal notranslate"><span class="pre">modulename:pathname</span></code>, which causes the shared object 723located at <em>pathname</em> to be registered as a dynamic module named 724<em>modulename</em> for the pluggable interface. If <em>pathname</em> is not an 725absolute path, it will be treated as relative to the 726<strong>plugin_base_dir</strong> value from <a class="reference internal" href="#libdefaults"><span class="std std-ref">[libdefaults]</span></a>.</p> 727</dd> 728</dl> 729<p>For pluggable interfaces where module order matters, modules 730registered with a <strong>module</strong> tag normally come first, in the order 731they are registered, followed by built-in modules in the order they 732are documented below. If <strong>enable_only</strong> tags are used, then the 733order of those tags overrides the normal module order.</p> 734<p>The following subsections are currently supported within the [plugins] 735section:</p> 736<section id="ccselect-interface"> 737<span id="ccselect"></span><h4>ccselect interface<a class="headerlink" href="#ccselect-interface" title="Permalink to this headline">¶</a></h4> 738<p>The ccselect subsection controls modules for credential cache 739selection within a cache collection. 
In addition to any registered 740dynamic modules, the following built-in modules exist (and may be 741disabled with the disable tag):</p> 742<dl class="simple"> 743<dt><strong>k5identity</strong></dt><dd><p>Uses a .k5identity file in the user’s home directory to select a 744client principal</p> 745</dd> 746<dt><strong>realm</strong></dt><dd><p>Uses the service realm to guess an appropriate cache from the 747collection</p> 748</dd> 749<dt><strong>hostname</strong></dt><dd><p>If the service principal is host-based, uses the service hostname 750to guess an appropriate cache from the collection</p> 751</dd> 752</dl> 753</section> 754<section id="pwqual-interface"> 755<span id="pwqual"></span><h4>pwqual interface<a class="headerlink" href="#pwqual-interface" title="Permalink to this headline">¶</a></h4> 756<p>The pwqual subsection controls modules for the password quality 757interface, which is used to reject weak passwords when passwords are 758changed. The following built-in modules exist for this interface:</p> 759<dl class="simple"> 760<dt><strong>dict</strong></dt><dd><p>Checks against the realm dictionary file</p> 761</dd> 762<dt><strong>empty</strong></dt><dd><p>Rejects empty passwords</p> 763</dd> 764<dt><strong>hesiod</strong></dt><dd><p>Checks against user information stored in Hesiod (only if Kerberos 765was built with Hesiod support)</p> 766</dd> 767<dt><strong>princ</strong></dt><dd><p>Checks against components of the principal name</p> 768</dd> 769</dl> 770</section> 771<section id="kadm5-hook-interface"> 772<span id="kadm5-hook"></span><h4>kadm5_hook interface<a class="headerlink" href="#kadm5-hook-interface" title="Permalink to this headline">¶</a></h4> 773<p>The kadm5_hook interface provides plugins with information on 774principal creation, modification, password changes and deletion. This 775interface can be used to write a plugin to synchronize MIT Kerberos 776with another database such as Active Directory. 
No plugins are built 777in for this interface.</p> 778</section> 779<section id="kadm5-auth-interface"> 780<span id="kadm5-auth"></span><h4>kadm5_auth interface<a class="headerlink" href="#kadm5-auth-interface" title="Permalink to this headline">¶</a></h4> 781<p>The kadm5_auth section (introduced in release 1.16) controls modules 782for the kadmin authorization interface, which determines whether a 783client principal is allowed to perform a kadmin operation. The 784following built-in modules exist for this interface:</p> 785<dl class="simple"> 786<dt><strong>acl</strong></dt><dd><p>This module reads the <a class="reference internal" href="kadm5_acl.html#kadm5-acl-5"><span class="std std-ref">kadm5.acl</span></a> file, and authorizes 787operations which are allowed according to the rules in the file.</p> 788</dd> 789<dt><strong>self</strong></dt><dd><p>This module authorizes self-service operations including password 790changes, creation of new random keys, fetching the client’s 791principal record or string attributes, and fetching the policy 792record associated with the client principal.</p> 793</dd> 794</dl> 795</section> 796<section id="clpreauth-and-kdcpreauth-interfaces"> 797<span id="kdcpreauth"></span><span id="clpreauth"></span><h4>clpreauth and kdcpreauth interfaces<a class="headerlink" href="#clpreauth-and-kdcpreauth-interfaces" title="Permalink to this headline">¶</a></h4> 798<p>The clpreauth and kdcpreauth interfaces allow plugin modules to 799provide client and KDC preauthentication mechanisms. 
The following 800built-in modules exist for these interfaces:</p> 801<dl class="simple"> 802<dt><strong>pkinit</strong></dt><dd><p>This module implements the PKINIT preauthentication mechanism.</p> 803</dd> 804<dt><strong>encrypted_challenge</strong></dt><dd><p>This module implements the encrypted challenge FAST factor.</p> 805</dd> 806<dt><strong>encrypted_timestamp</strong></dt><dd><p>This module implements the encrypted timestamp mechanism.</p> 807</dd> 808</dl> 809</section> 810<section id="hostrealm-interface"> 811<span id="hostrealm"></span><h4>hostrealm interface<a class="headerlink" href="#hostrealm-interface" title="Permalink to this headline">¶</a></h4> 812<p>The hostrealm section (introduced in release 1.12) controls modules 813for the host-to-realm interface, which affects the local mapping of 814hostnames to realm names and the choice of default realm. The following 815built-in modules exist for this interface:</p> 816<dl class="simple"> 817<dt><strong>profile</strong></dt><dd><p>This module consults the [domain_realm] section of the profile for 818authoritative host-to-realm mappings, and the <strong>default_realm</strong> 819variable for the default realm.</p> 820</dd> 821<dt><strong>dns</strong></dt><dd><p>This module looks for DNS records for fallback host-to-realm 822mappings and the default realm. It only operates if the 823<strong>dns_lookup_realm</strong> variable is set to true.</p> 824</dd> 825<dt><strong>domain</strong></dt><dd><p>This module applies heuristics for fallback host-to-realm 826mappings. 
It implements the <strong>realm_try_domains</strong> variable, and 827uses the uppercased parent domain of the hostname if that does not 828produce a result.</p> 829</dd> 830</dl> 831</section> 832<section id="localauth-interface"> 833<span id="localauth"></span><h4>localauth interface<a class="headerlink" href="#localauth-interface" title="Permalink to this headline">¶</a></h4> 834<p>The localauth section (introduced in release 1.12) controls modules 835for the local authorization interface, which affects the relationship 836between Kerberos principals and local system accounts. The following 837built-in modules exist for this interface:</p> 838<dl class="simple"> 839<dt><strong>default</strong></dt><dd><p>This module implements the <strong>DEFAULT</strong> type for <strong>auth_to_local</strong> 840values.</p> 841</dd> 842<dt><strong>rule</strong></dt><dd><p>This module implements the <strong>RULE</strong> type for <strong>auth_to_local</strong> 843values.</p> 844</dd> 845<dt><strong>names</strong></dt><dd><p>This module looks for an <strong>auth_to_local_names</strong> mapping for the 846principal name.</p> 847</dd> 848<dt><strong>auth_to_local</strong></dt><dd><p>This module processes <strong>auth_to_local</strong> values in the default 849realm’s section, and applies the default method if no 850<strong>auth_to_local</strong> values exist.</p> 851</dd> 852<dt><strong>k5login</strong></dt><dd><p>This module authorizes a principal to a local account according to 853the account’s <a class="reference internal" href="../../user/user_config/k5login.html#k5login-5"><span class="std std-ref">.k5login</span></a> file.</p> 854</dd> 855<dt><strong>an2ln</strong></dt><dd><p>This module authorizes a principal to a local account if the 856principal name maps to the local account name.</p> 857</dd> 858</dl> 859</section> 860<section id="certauth-interface"> 861<span id="certauth"></span><h4>certauth interface<a class="headerlink" href="#certauth-interface" title="Permalink to 
this headline">¶</a></h4> 862<p>The certauth section (introduced in release 1.16) controls modules for 863the certificate authorization interface, which determines whether a 864certificate is allowed to preauthenticate a user via PKINIT. The 865following built-in modules exist for this interface:</p> 866<dl class="simple"> 867<dt><strong>pkinit_san</strong></dt><dd><p>This module authorizes the certificate if it contains a PKINIT 868Subject Alternative Name for the requested client principal, or a 869Microsoft UPN SAN matching the principal if <strong>pkinit_allow_upn</strong> 870is set to true for the realm.</p> 871</dd> 872<dt><strong>pkinit_eku</strong></dt><dd><p>This module rejects the certificate if it does not contain an 873Extended Key Usage attribute consistent with the 874<strong>pkinit_eku_checking</strong> value for the realm.</p> 875</dd> 876<dt><strong>dbmatch</strong></dt><dd><p>This module authorizes or rejects the certificate according to 877whether it matches the <strong>pkinit_cert_match</strong> string attribute on 878the client principal, if that attribute is present.</p> 879</dd> 880</dl> 881</section> 882</section> 883</section> 884<section id="pkinit-options"> 885<h2>PKINIT options<a class="headerlink" href="#pkinit-options" title="Permalink to this headline">¶</a></h2> 886<div class="admonition note"> 887<p class="admonition-title">Note</p> 888<p>The following are PKINIT-specific options. These values may 889be specified in [libdefaults] as global defaults, or within 890a realm-specific subsection of [libdefaults], or may be 891specified as realm-specific values in the [realms] section. 892A realm-specific value overrides, not adds to, a generic 893[libdefaults] specification. 
The search order is:</p>
</div>
<ol class="arabic">
<li><p>realm-specific subsection of [libdefaults]:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre>[libdefaults]
    EXAMPLE.COM = {
        pkinit_anchors = FILE:/usr/local/example.com.crt
    }
</pre></div>
</div>
</li>
<li><p>realm-specific value in the [realms] section:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre>[realms]
    OTHERREALM.ORG = {
        pkinit_anchors = FILE:/usr/local/otherrealm.org.crt
    }
</pre></div>
</div>
</li>
<li><p>generic value in the [libdefaults] section:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre>[libdefaults]
    pkinit_anchors = DIR:/usr/local/generic_trusted_cas/
</pre></div>
</div>
</li>
</ol>
<section id="specifying-pkinit-identity-information">
<span id="pkinit-identity"></span><h3>Specifying PKINIT identity information<a class="headerlink" href="#specifying-pkinit-identity-information" title="Permalink to this headline">¶</a></h3>
<p>The syntax for specifying Public Key identity, trust, and revocation
information for PKINIT is as follows:</p>
<dl>
<dt><strong>FILE:</strong><em>filename</em>[<strong>,</strong><em>keyfilename</em>]</dt><dd><p>This option has context-specific behavior.</p>
<p>In <strong>pkinit_identity</strong> or <strong>pkinit_identities</strong>, <em>filename</em>
specifies the name of a PEM-format file containing the user’s
certificate. If <em>keyfilename</em> is not specified, the user’s
private key is expected to be in <em>filename</em> as well. Otherwise,
<em>keyfilename</em> is the name of the file containing the private key.</p>
<p>In <strong>pkinit_anchors</strong> or <strong>pkinit_pool</strong>, <em>filename</em> is assumed to
be the name of an OpenSSL-style ca-bundle file.</p>
</dd>
<dt><strong>DIR:</strong><em>dirname</em></dt><dd><p>This option has context-specific behavior.</p>
<p>In <strong>pkinit_identity</strong> or <strong>pkinit_identities</strong>, <em>dirname</em>
specifies a directory with files named <code class="docutils literal notranslate"><span class="pre">*.crt</span></code> and <code class="docutils literal notranslate"><span class="pre">*.key</span></code>
where the first part of the file name is the same for matching
pairs of certificate and private key files.
When a file with a
name ending with <code class="docutils literal notranslate"><span class="pre">.crt</span></code> is found, a matching file ending with
<code class="docutils literal notranslate"><span class="pre">.key</span></code> is assumed to contain the private key. If no such file
is found, then the certificate in the <code class="docutils literal notranslate"><span class="pre">.crt</span></code> is not used.</p>
<p>In <strong>pkinit_anchors</strong> or <strong>pkinit_pool</strong>, <em>dirname</em> is assumed to
be an OpenSSL-style hashed CA directory where each CA cert is
stored in a file named <code class="docutils literal notranslate"><span class="pre">hash-of-ca-cert.#</span></code>. This infrastructure
is encouraged, but all files in the directory will be examined and
if they contain certificates (in PEM format), they will be used.</p>
<p>In <strong>pkinit_revoke</strong>, <em>dirname</em> is assumed to be an OpenSSL-style
hashed CA directory where each revocation list is stored in a file
named <code class="docutils literal notranslate"><span class="pre">hash-of-ca-cert.r#</span></code>. This infrastructure is encouraged,
but all files in the directory will be examined and if they
contain a revocation list (in PEM format), they will be used.</p>
</dd>
<dt><strong>PKCS12:</strong><em>filename</em></dt><dd><p><em>filename</em> is the name of a PKCS #12 format file, containing the
user’s certificate and private key.</p>
</dd>
<dt><strong>PKCS11:</strong>[<strong>module_name=</strong>]<em>modname</em>[<strong>:slotid=</strong><em>slot-id</em>][<strong>:token=</strong><em>token-label</em>][<strong>:certid=</strong><em>cert-id</em>][<strong>:certlabel=</strong><em>cert-label</em>]</dt><dd><p>All keyword/values are optional. <em>modname</em> specifies the location
of a library implementing PKCS #11. If a value is encountered
with no keyword, it is assumed to be the <em>modname</em>. If no
module-name is specified, the default is <a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">PKCS11_MODNAME</span></a>.
<code class="docutils literal notranslate"><span class="pre">slotid=</span></code> and/or <code class="docutils literal notranslate"><span class="pre">token=</span></code> may be specified to force the use of
a particular smart card reader or token if there is more than one
available. <code class="docutils literal notranslate"><span class="pre">certid=</span></code> and/or <code class="docutils literal notranslate"><span class="pre">certlabel=</span></code> may be specified to
force the selection of a particular certificate on the device.
See the <strong>pkinit_cert_match</strong> configuration option for more ways
to select a particular certificate to use for PKINIT.</p>
</dd>
<dt><strong>ENV:</strong><em>envvar</em></dt><dd><p><em>envvar</em> specifies the name of an environment variable which has
been set to a value conforming to one of the previous values. For
example, <code class="docutils literal notranslate"><span class="pre">ENV:X509_PROXY</span></code>, where environment variable
<code class="docutils literal notranslate"><span class="pre">X509_PROXY</span></code> has been set to <code class="docutils literal notranslate"><span class="pre">FILE:/tmp/my_proxy.pem</span></code>.</p>
</dd>
</dl>
</section>
<section id="pkinit-krb5-conf-options">
<h3>PKINIT krb5.conf options<a class="headerlink" href="#pkinit-krb5-conf-options" title="Permalink to this headline">¶</a></h3>
<dl>
<dt><strong>pkinit_anchors</strong></dt><dd><p>Specifies the location of trusted anchor (root) certificates which
the client trusts to sign KDC certificates. This option may be
specified multiple times.
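The location syntax from the previous section, which pkinit_anchors and the other PKINIT location options accept, as an added Python parser that is not MIT Kerberos code: it applies the DIR: rule that a .crt without a matching .key is not used and the PKCS11: rule that a bare value is the modname. The PKCS11_MODNAME default is a labelled placeholder, and the directory listing and environment mapping are constructed inputs.

```python
"""Parse the PKINIT location syntax (FILE:, DIR:, PKCS12:, PKCS11:, ENV:).

Added demonstration, not krb5 code. Directory listings are passed in as
plain name lists so the DIR: pairing rule can be shown offline.
"""
import os
from typing import Optional

# Placeholder for the build-time default the docs call PKCS11_MODNAME.
DEFAULT_PKCS11_MODNAME = "<PKCS11_MODNAME>"
PKCS11_KEYWORDS = ("module_name", "slotid", "token", "certid", "certlabel")
CONTEXTS = ("identities", "anchors")


def parse_pkcs11(spec: str) -> dict:
    """[module_name=]modname[:slotid=..][:token=..][:certid=..][:certlabel=..]"""
    result = {"type": "PKCS11", "module_name": None}
    for field in spec.split(":"):
        if not field:
            continue
        key, sep, value = field.partition("=")
        if not sep:
            result["module_name"] = key      # bare value is the modname
        elif key in PKCS11_KEYWORDS:
            result[key] = value
        else:
            raise ValueError(f"unknown PKCS11 keyword {key!r}")
    if result["module_name"] is None:
        result["module_name"] = DEFAULT_PKCS11_MODNAME
    return result


def parse_location(spec: str, context: str = "identities",
                   env: Optional[dict] = None, _via_env: bool = False) -> dict:
    """Parse one location value.

    context is "identities" (pkinit_identities) or "anchors" (pkinit_anchors,
    pkinit_pool, pkinit_revoke); FILE: and DIR: mean different things in each.
    env is the mapping consulted for ENV: (os.environ when None).
    """
    if context not in CONTEXTS:
        raise ValueError(f"unknown context {context!r}")
    kind, sep, rest = spec.partition(":")
    if not sep or not rest:
        raise ValueError(f"missing type prefix or value in {spec!r}")
    if kind == "FILE":
        if context == "anchors":
            return {"type": "FILE", "bundle": rest}    # OpenSSL ca-bundle
        filename, _, keyfilename = rest.partition(",")
        # Without keyfilename, the private key is expected in filename too.
        return {"type": "FILE", "cert": filename, "key": keyfilename or filename}
    if kind == "DIR":
        layout = "crt-key pairs" if context == "identities" else "hashed"
        return {"type": "DIR", "dir": rest, "layout": layout}
    if kind == "PKCS12":
        return {"type": "PKCS12", "file": rest}
    if kind == "PKCS11":
        return parse_pkcs11(rest)
    if kind == "ENV":
        # The variable must hold one of the previous forms, so an ENV:
        # value may not point at another ENV: value.
        if _via_env:
            raise ValueError("ENV: value may not refer to another ENV:")
        value = (os.environ if env is None else env).get(rest)
        if not value:
            raise ValueError(f"environment variable {rest} is not set")
        return parse_location(value, context, env, _via_env=True)
    raise ValueError(f"unknown location type {kind!r}")


def pair_crt_key(names) -> list:
    """DIR: in pkinit_identities: each X.crt is usable only if X.key exists."""
    present = set(names)
    pairs = []
    for name in sorted(present):
        if name.endswith(".crt"):
            key = name[:-len(".crt")] + ".key"
            if key in present:
                pairs.append((name, key))
            # A .crt without a matching .key is not used at all.
    return pairs


# Constructed sample inputs.
SAMPLE_DIR = ["alice.crt", "alice.key", "bob.crt", "carol.key", "README"]
SAMPLE_ENV = {"X509_PROXY": "FILE:/tmp/my_proxy.pem"}

if __name__ == "__main__":
    print(parse_location("ENV:X509_PROXY", env=SAMPLE_ENV))
    print(parse_location("PKCS11:/usr/lib/pkcs11.so:slotid=1:certlabel=auth"))
    print(pair_crt_key(SAMPLE_DIR))
```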
These values from the config file are
not used if the user specifies X509_anchors on the command line.</p>
</dd>
<dt><strong>pkinit_cert_match</strong></dt><dd><p>Specifies matching rules that the client certificate must match
before it is used to attempt PKINIT authentication. If a user has
multiple certificates available (on a smart card, or via other
media), there must be exactly one certificate chosen before
attempting PKINIT authentication. This option may be specified
multiple times. All the available certificates are checked
against each rule in order until there is a match of exactly one
certificate.</p>
<p>The Subject and Issuer comparison strings are the <span class="target" id="index-4"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc2253.html"><strong>RFC 2253</strong></a>
string representations from the certificate Subject DN and Issuer
DN values.</p>
<p>The syntax of the matching rules is:</p>
<blockquote>
<div><p>[<em>relation-operator</em>]<em>component-rule</em> …</p>
</div></blockquote>
<p>where:</p>
<dl>
<dt><em>relation-operator</em></dt><dd><p>can be either <code class="docutils literal notranslate"><span class="pre">&&</span></code>, meaning all component rules must match,
or <code class="docutils literal notranslate"><span class="pre">||</span></code>, meaning only one component rule must match. The
default is <code class="docutils literal notranslate"><span class="pre">&&</span></code>.</p>
</dd>
<dt><em>component-rule</em></dt><dd><p>can be one of the following.
Note that there is no
punctuation or whitespace between component rules.</p>
<blockquote>
<div><div class="line-block">
<div class="line"><strong><SUBJECT></strong><em>regular-expression</em></div>
<div class="line"><strong><ISSUER></strong><em>regular-expression</em></div>
<div class="line"><strong><SAN></strong><em>regular-expression</em></div>
<div class="line"><strong><EKU></strong><em>extended-key-usage-list</em></div>
<div class="line"><strong><KU></strong><em>key-usage-list</em></div>
</div>
</div></blockquote>
<p><em>extended-key-usage-list</em> is a comma-separated list of
required Extended Key Usage values. All values in the list
must be present in the certificate. Extended Key Usage values
can be:</p>
<ul class="simple">
<li><p>pkinit</p></li>
<li><p>msScLogin</p></li>
<li><p>clientAuth</p></li>
<li><p>emailProtection</p></li>
</ul>
<p><em>key-usage-list</em> is a comma-separated list of required Key
Usage values. All values in the list must be present in the
certificate. Key Usage values can be:</p>
<ul class="simple">
<li><p>digitalSignature</p></li>
<li><p>keyEncipherment</p></li>
</ul>
</dd>
</dl>
<p>Examples:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre>pkinit_cert_match = ||<SUBJECT>.*DoE.*<SAN>.*@EXAMPLE.COM
pkinit_cert_match = &&<EKU>msScLogin,clientAuth<ISSUER>.*DoE.*
pkinit_cert_match = <EKU>msScLogin,clientAuth<KU>digitalSignature
</pre></div>
</div>
</dd>
<dt><strong>pkinit_eku_checking</strong></dt><dd><p>This option specifies what Extended Key Usage value the KDC
certificate presented to the client must contain. (Note that if
the KDC certificate has the pkinit SubjectAlternativeName encoded
as the Kerberos TGS name, EKU checking is not necessary since the
issuing CA has certified this as a KDC certificate.)
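The pkinit_cert_match rule syntax and the three example rules above, as an added Python evaluator rather than krb5's own matcher: it splits a rule into component rules, applies the && / || relation, and walks the rules in order until exactly one candidate matches. The certificate dict layout, unanchored case-sensitive regex matching and the sample certificates are assumptions of this example.

```python
"""Evaluate pkinit_cert_match rules against candidate client certificates.

Added demonstration of the documented syntax [relation-operator]component-rule...
Certificates are dicts with RFC 2253 subject/issuer strings, a list of SAN
strings and sets of EKU/KU names (constructed here, not parsed X.509).
"""
import re
from typing import Optional

EKU_VALUES = {"pkinit", "msScLogin", "clientAuth", "emailProtection"}
KU_VALUES = {"digitalSignature", "keyEncipherment"}
# Component rules carry no separators, so split just before each <TAG>.
_SPLIT = re.compile(r"(?=<(?:SUBJECT|ISSUER|SAN|EKU|KU)>)")
_COMPONENT = re.compile(r"<(SUBJECT|ISSUER|SAN|EKU|KU)>(.*)", re.S)


def parse_rule(rule: str):
    """Return (relation, [(component, compiled regex or frozenset), ...])."""
    rule = rule.strip()
    relation = "&&"                      # the documented default
    if rule[:2] in ("&&", "||"):
        relation, rule = rule[:2], rule[2:]
    components = []
    for part in filter(None, _SPLIT.split(rule)):
        m = _COMPONENT.fullmatch(part)
        if m is None:
            raise ValueError(f"malformed component rule {part!r}")
        name, value = m.group(1), m.group(2)
        if name in ("EKU", "KU"):
            allowed = EKU_VALUES if name == "EKU" else KU_VALUES
            wanted = frozenset(v.strip() for v in value.split(","))
            if not wanted or not wanted <= allowed:
                raise ValueError(f"unknown {name} value in {value!r}")
            components.append((name, wanted))
        else:
            components.append((name, re.compile(value)))   # search, not match
    if not components:
        raise ValueError("rule contains no component rules")
    return relation, components


def component_matches(name: str, value, cert: dict) -> bool:
    if name == "SUBJECT":
        return value.search(cert["subject"]) is not None
    if name == "ISSUER":
        return value.search(cert["issuer"]) is not None
    if name == "SAN":
        return any(value.search(san) for san in cert.get("san", ()))
    # EKU / KU: every listed value must be present in the certificate.
    field = "eku" if name == "EKU" else "ku"
    return value <= set(cert.get(field, ()))


def rule_matches(parsed, cert: dict) -> bool:
    relation, components = parsed
    checks = [component_matches(n, v, cert) for n, v in components]
    return all(checks) if relation == "&&" else any(checks)


def select_certificate(rules, certs) -> Optional[dict]:
    """Try rules in order; stop at the first rule matching exactly one cert.

    A rule matching zero or several candidates selects nothing and the next
    rule is tried; None means no rule singled out one certificate, so the
    client has nothing it may use for PKINIT.
    """
    for rule in rules:
        parsed = parse_rule(rule)
        hits = [c for c in certs if rule_matches(parsed, c)]
        if len(hits) == 1:
            return hits[0]
    return None


# The three example rules from the krb5.conf documentation.
PAGE_RULES = [
    "||<SUBJECT>.*DoE.*<SAN>.*@EXAMPLE.COM",
    "&&<EKU>msScLogin,clientAuth<ISSUER>.*DoE.*",
    "<EKU>msScLogin,clientAuth<KU>digitalSignature",
]
# Constructed candidates, as several certificates on one smart card.
CERTS = [
    {"subject": "CN=John DoE,O=Example", "issuer": "CN=DoE CA,O=Example",
     "san": ["john@EXAMPLE.COM"], "eku": {"msScLogin", "clientAuth"},
     "ku": {"digitalSignature"}},
    {"subject": "CN=Jane Roe,O=Example", "issuer": "CN=Mail CA,O=Example",
     "san": ["jane@EXAMPLE.COM"], "eku": {"clientAuth", "emailProtection"},
     "ku": {"digitalSignature", "keyEncipherment"}},
    {"subject": "CN=Build Bot,O=Example", "issuer": "CN=DoE CA,O=Example",
     "san": [], "eku": {"clientAuth"}, "ku": {"keyEncipherment"}},
]

if __name__ == "__main__":
    chosen = select_certificate(PAGE_RULES, CERTS)
    print(chosen["subject"] if chosen else "no unique match")
```

With these candidates the first rule matches two certificates and is skipped; the second narrows the set to one.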
The values
recognized in the krb5.conf file are:</p>
<dl class="simple">
<dt><strong>kpKDC</strong></dt><dd><p>This is the default value and specifies that the KDC must have
the id-pkinit-KPKdc EKU as defined in <span class="target" id="index-5"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc4556.html"><strong>RFC 4556</strong></a>.</p>
</dd>
<dt><strong>kpServerAuth</strong></dt><dd><p>If <strong>kpServerAuth</strong> is specified, a KDC certificate with the
id-kp-serverAuth EKU will be accepted. This key usage value
is used in most commercially issued server certificates.</p>
</dd>
<dt><strong>none</strong></dt><dd><p>If <strong>none</strong> is specified, then the KDC certificate will not be
checked to verify it has an acceptable EKU. The use of this
option is not recommended.</p>
</dd>
</dl>
</dd>
<dt><strong>pkinit_dh_min_bits</strong></dt><dd><p>Specifies the size of the Diffie-Hellman key the client will
attempt to use. The acceptable values are 1024, 2048, and 4096.
The default is 2048.</p>
</dd>
<dt><strong>pkinit_identities</strong></dt><dd><p>Specifies the location(s) to be used to find the user’s X.509
identity information. If this option is specified multiple times,
each value is attempted in order until certificates are found.
Note that these values are not used if the user specifies
<strong>X509_user_identity</strong> on the command line.</p>
</dd>
<dt><strong>pkinit_kdc_hostname</strong></dt><dd><p>The presence of this option indicates that the client is willing
to accept a KDC certificate with a dNSName SAN (Subject
Alternative Name) rather than requiring the id-pkinit-san as
defined in <span class="target" id="index-6"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc4556.html"><strong>RFC 4556</strong></a>. This option may be specified multiple
times.
Its value should contain the acceptable hostname for the
KDC (as contained in its certificate).</p>
</dd>
<dt><strong>pkinit_pool</strong></dt><dd><p>Specifies the location of intermediate certificates which may be
used by the client to complete the trust chain between a KDC
certificate and a trusted anchor. This option may be specified
multiple times.</p>
</dd>
<dt><strong>pkinit_require_crl_checking</strong></dt><dd><p>The default certificate verification process will always check the
available revocation information to see if a certificate has been
revoked. If a match is found for the certificate in a CRL,
verification fails. If the certificate being verified is not
listed in a CRL, or there is no CRL present for its issuing CA,
and <strong>pkinit_require_crl_checking</strong> is false, then verification
succeeds.</p>
<p>However, if <strong>pkinit_require_crl_checking</strong> is true and there is
no CRL information available for the issuing CA, then verification
fails.</p>
<p><strong>pkinit_require_crl_checking</strong> should be set to true if the
policy is such that up-to-date CRLs must be present for every CA.</p>
</dd>
<dt><strong>pkinit_revoke</strong></dt><dd><p>Specifies the location of Certificate Revocation List (CRL)
information to be used by the client when verifying the validity
of the KDC certificate presented. This option may be specified
multiple times.</p>
</dd>
</dl>
</section>
</section>
<section id="parameter-expansion">
<span id="id7"></span><h2>Parameter expansion<a class="headerlink" href="#parameter-expansion" title="Permalink to this headline">¶</a></h2>
<p>Starting with release 1.11, several variables, such as
<strong>default_keytab_name</strong>, allow parameters to be expanded.
Valid parameters are:</p>
<blockquote>
<div><table class="docutils align-default">
<colgroup>
<col style="width: 25%" />
<col style="width: 75%" />
</colgroup>
<tbody>
<tr class="row-odd"><td><p>%{TEMP}</p></td>
<td><p>Temporary directory</p></td>
</tr>
<tr class="row-even"><td><p>%{uid}</p></td>
<td><p>Unix real UID or Windows SID</p></td>
</tr>
<tr class="row-odd"><td><p>%{euid}</p></td>
<td><p>Unix effective user ID or Windows SID</p></td>
</tr>
<tr class="row-even"><td><p>%{USERID}</p></td>
<td><p>Same as %{uid}</p></td>
</tr>
<tr class="row-odd"><td><p>%{null}</p></td>
<td><p>Empty string</p></td>
</tr>
<tr class="row-even"><td><p>%{LIBDIR}</p></td>
<td><p>Installation library directory</p></td>
</tr>
<tr class="row-odd"><td><p>%{BINDIR}</p></td>
<td><p>Installation binary directory</p></td>
</tr>
<tr class="row-even"><td><p>%{SBINDIR}</p></td>
<td><p>Installation admin binary directory</p></td>
</tr>
<tr class="row-odd"><td><p>%{username}</p></td>
<td><p>(Unix) Username of effective user ID</p></td>
</tr>
<tr class="row-even"><td><p>%{APPDATA}</p></td>
<td><p>(Windows) Roaming application data for current user</p></td>
</tr>
<tr class="row-odd"><td><p>%{COMMON_APPDATA}</p></td>
<td><p>(Windows) Application data for all users</p></td>
</tr>
<tr class="row-even"><td><p>%{LOCAL_APPDATA}</p></td>
<td><p>(Windows) Local application data for current user</p></td>
</tr>
<tr class="row-odd"><td><p>%{SYSTEM}</p></td>
<td><p>(Windows) Windows system folder</p></td>
</tr>
<tr class="row-even"><td><p>%{WINDOWS}</p></td>
<td><p>(Windows) Windows folder</p></td>
</tr>
<tr class="row-odd"><td><p>%{USERCONFIG}</p></td>
<td><p>(Windows) Per-user MIT krb5 config file directory</p></td>
</tr>
<tr class="row-even"><td><p>%{COMMONCONFIG}</p></td>
<td><p>(Windows)
Common MIT krb5 config file directory</p></td>
</tr>
</tbody>
</table>
</div></blockquote>
</section>
<section id="sample-krb5-conf-file">
<h2>Sample krb5.conf file<a class="headerlink" href="#sample-krb5-conf-file" title="Permalink to this headline">¶</a></h2>
<p>Here is an example of a generic krb5.conf file:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre>[libdefaults]
    default_realm = ATHENA.MIT.EDU
    dns_lookup_kdc = true
    dns_lookup_realm = false

[realms]
    ATHENA.MIT.EDU = {
        kdc = kerberos.mit.edu
        kdc = kerberos-1.mit.edu
        kdc = kerberos-2.mit.edu
        admin_server = kerberos.mit.edu
        primary_kdc = kerberos.mit.edu
    }
    EXAMPLE.COM = {
        kdc = kerberos.example.com
        kdc = kerberos-1.example.com
        admin_server = kerberos.example.com
    }

[domain_realm]
    mit.edu = ATHENA.MIT.EDU

[capaths]
    ATHENA.MIT.EDU = {
        EXAMPLE.COM = .
    }
    EXAMPLE.COM = {
        ATHENA.MIT.EDU = .
    }
</pre></div>
</div>
</section>
<section id="files">
<h2>FILES<a class="headerlink" href="#files" title="Permalink to this headline">¶</a></h2>
<p><code class="docutils literal notranslate"><span class="pre">/etc/krb5.conf</span></code></p>
</section>
<section id="see-also">
<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2>
<p>syslog(3)</p>
</section>
</section>

<div class="clearer"></div>
</div>
</div>
</div>
</div>
<div class="sidebar">
</div>
<div class="clearer"></div>
</div>
</div>

<div class="footer-wrapper">
<div class="footer" >
<div class="right" ><i>Release: 1.21.3</i><br />
© <a href="../../copyright.html">Copyright</a> 1985-2024, MIT.
</div>
</div>
</div>

</body>
</html>