1 '\" te
2 .\" Copyright (c) 2009 Sun Microsystems, Inc. All Rights Reserved.
3 .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License.
4 .\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License.
5 .\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
6 .TH KRB5.CONF 4 "Nov 26, 2017"
7 .SH NAME
8 krb5.conf \- Kerberos configuration file
9 .SH SYNOPSIS
10 .LP
11 .nf
12 /etc/krb5/krb5.conf
13 .fi
14
15 .SH DESCRIPTION
16 .LP
17 The \fBkrb5.conf\fR file contains Kerberos configuration information, including
18 the locations of \fBKDC\fRs and administration daemons for the Kerberos realms
19 of interest, defaults for the current realm and for Kerberos applications, and
20 mappings of host names onto Kerberos realms. This file must reside on all
21 Kerberos clients.
22 .sp
23 .LP
24 The format of the \fBkrb5.conf\fR consists of sections headings in square
25 brackets. Each section can contain zero or more configuration variables (called
26 \fIrelations\fR), of the form:
27 .sp
28 .LP
29 \fIrelation\fR= \fIrelation-value\fR
30 .sp
31 .LP
32 or
33 .sp
34 .LP
35 \fIrelation-subsection\fR = {
36 .br
37 .in +2
38 \fIrelation\fR= \fIrelation-value\fR
39 .in -2
40 .br
41 .in +2
42 \fIrelation\fR= \fIrelation-value\fR
43 .in -2
44 .sp
45 .LP
46 }
47 .sp
48 .LP
49 The \fBkrb5.conf\fR file can contain any or all of the following sections:
50 .sp
51 .ne 2
52 .na
53 \fB\fBlibdefaults\fR\fR
54 .ad
55 .sp .6
56 .RS 4n
57 Contains default values used by the Kerberos V5 library.
58 .RE
59
60 .sp
61 .ne 2
62 .na
63 \fB\fBappdefaults\fR\fR
64 .ad
65 .sp .6
66 .RS 4n
67 Contains subsections for Kerberos V5 applications, where
68 \fIrelation-subsection\fR is the name of an application. Each subsection
69 describes application-specific defaults.
70 .RE
71
72 .sp
73 .ne 2
74 .na
75 \fB\fBrealms\fR\fR
76 .ad
77 .sp .6
78 .RS 4n
79 Contains subsections for Kerberos realms, where \fIrelation-subsection\fR is
80 the name of a realm. Each subsection contains relations that define the
81 properties for that particular realm.
82 .RE
83
84 .sp
85 .ne 2
86 .na
87 \fB\fBdomain_realm\fR\fR
88 .ad
89 .sp .6
90 .RS 4n
91 Contains relations which map domain names and subdomains onto Kerberos realm
92 names. This is used by programs to determine what realm a host should be in,
93 given its fully qualified domain name.
94 .RE
95
96 .sp
97 .ne 2
98 .na
99 \fB\fBlogging\fR\fR
100 .ad
101 .sp .6
102 .RS 4n
103 Contains relations which determine how Kerberos programs are to perform
104 logging.
105 .RE
106
107 .sp
108 .ne 2
109 .na
110 \fB\fBcapaths\fR\fR
111 .ad
112 .sp .6
113 .RS 4n
114 Contains the authentication paths used with direct (nonhierarchical)
115 cross-realm authentication. Entries in this section are used by the client to
116 determine the intermediate realms which can be used in cross-realm
117 authentication. It is also used by the end-service when checking the transited
118 field for trusted intermediate realms.
119 .RE
120
121 .sp
122 .ne 2
123 .na
124 \fB\fBdbmodules\fR\fR
125 .ad
126 .sp .6
127 .RS 4n
128 Contains relations for Kerberos database plug-in-specific configuration
129 information.
130 .RE
131
132 .sp
133 .ne 2
134 .na
135 \fB\fBkdc\fR\fR
136 .ad
137 .sp .6
138 .RS 4n
139 For a Key Distribution Center (\fBKDC\fR), can contain the location of the
140 \fBkdc.conf\fR file.
141 .RE
142
143 .SS "The \fB[libdefaults]\fR Section"
144 .LP
145 The \fB[libdefaults]\fR section can contain any of the following relations:
146 .sp
147 .ne 2
148 .na
149 \fB\fBdatabase_module\fR\fR
150 .ad
151 .sp .6
152 .RS 4n
153 Selects the \fBdbmodule\fR section entry to use to access the Kerberos
154 database. If this parameter is not present the code uses the standard
155 \fBdb2\fR-based Kerberos database.
156 .RE
157
158 .sp
159 .ne 2
160 .na
161 \fB\fBdefault_keytab_name\fR\fR
162 .ad
163 .sp .6
164 .RS 4n
165 Specifies the default keytab name to be used by application servers such as
166 \fBtelnetd\fR and \fBrlogind\fR. The default is \fB/etc/krb5/krb5.keytab\fR.
167 .RE
168
169 .sp
170 .ne 2
171 .na
172 \fB\fBdefault_realm\fR\fR
173 .ad
174 .sp .6
175 .RS 4n
176 Identifies the default Kerberos realm for the client. Set its value to your
177 Kerberos realm.
178 .RE
179
180 .sp
181 .ne 2
182 .na
183 \fB\fBdefault_tgs_enctypes\fR\fR
184 .ad
185 .sp .6
186 .RS 4n
187 Identifies the supported list of session key encryption types that should be
188 returned by the \fBKDC\fR. The list can be delimited with commas or whitespace.
189 The supported encryption types are \fBdes3-cbc-sha1-kd\fR, \fBdes-cbc-crc\fR,
190 \fBdes-cbc-md5\fR, \fBarcfour-hmac-md5\fR, \fBarcfour-hmac-md5-exp\fR,
191 \fBaes128-cts-hmac-sha1-96\fR, and \fBaes256-cts-hmac-sha1-96\fR.
192 .RE
193
194 .sp
195 .ne 2
196 .na
197 \fB\fBdefault_tkt_enctypes\fR\fR
198 .ad
199 .sp .6
200 .RS 4n
201 Identifies the supported list of session key encryption types that should be
202 requested by the client. The format is the same as for
203 \fBdefault_tgs_enctypes\fR. The supported encryption types are
204 \fBdes3-cbc-sha1-kd\fR, \fBdes-cbc-crc\fR, \fBdes-cbc-md5\fR,
205 \fBarcfour-hmac-md5\fR, \fBarcfour-hmac-md5-exp\fR,
206 \fBaes128-cts-hmac-sha1-96\fR, and \fBaes256-cts-hmac-sha1-96\fR.
207 .RE
208
209 .sp
210 .ne 2
211 .na
212 \fB\fBclockskew\fR\fR
213 .ad
214 .sp .6
215 .RS 4n
216 Sets the maximum allowable amount of clock skew in seconds that the library
217 tolerates before assuming that a Kerberos message is invalid. The default value
218 is 300 seconds, or five minutes.
219 .RE
220
221 .sp
222 .ne 2
223 .na
224 \fB\fBforwardable =\fR [\fBtrue\fR | \fBfalse\fR]\fR
225 .ad
226 .sp .6
227 .RS 4n
228 Sets the "\fBforwardable\fR" flag in all tickets. This allows users to transfer
229 their credentials from one host to another without reauthenticating. This
230 option can also be set in the \fB[appdefaults]\fR or \fB[realms]\fR section
231 (see below) to limit its use in particular applications or just to a specific
232 realm.
233 .RE
234
235 .sp
236 .ne 2
237 .na
238 \fB\fBpermitted_enctypes\fR\fR
239 .ad
240 .sp .6
241 .RS 4n
242 This relation controls the encryption types for session keys permitted by
243 server applications that use Kerberos for authentication. In addition, it
244 controls the encryption types of keys added to a \fBkeytab\fR by means of the
245 \fBkadmin\fR(1M) \fBktadd\fR command. The default is:
246 \fBaes256-cts-hmac-sha1-96\fR, \fBaes128-cts-hmac-sha1-96\fR,
247 \fBdes3-hmac-sha1-kd\fR, \fBarcfour-hmac-md5\fR, \fBarcfour-hmac-md5-exp\fR,
248 \fBdes-cbc-md5\fR, \fBdes-cbc-crc\fR.
249 .RE
250
251 .sp
252 .ne 2
253 .na
254 \fB\fBproxiable =\fR [\fBtrue\fR | \fBfalse\fR]\fR
255 .ad
256 .sp .6
257 .RS 4n
258 Sets the \fBproxiable\fR flag in all tickets. This allows users to create a
259 proxy ticket that can be transferred to a kerberized service to allow that
260 service to perform some function on behalf of the original user. This option
261 can also be set in the \fB[appdefaults]\fR or \fB[realms]\fR section (see
262 below) to limit its use in particular applications or just to a specific realm.
263 .RE
264
265 .sp
266 .ne 2
267 .na
268 \fB\fBrenew_lifetime =\fR\fIlifetime\fR\fR
269 .ad
270 .sp .6
271 .RS 4n
272 Requests renewable tickets, with a total lifetime of \fIlifetime\fR. The value
273 for \fIlifetime\fR must be followed immediately by one of the following
274 delimiters:
275 .sp
276 .ne 2
277 .na
278 \fB\fBs\fR\fR
279 .ad
280 .sp .6
281 .RS 4n
282 seconds
283 .RE
284
285 .sp
286 .ne 2
287 .na
288 \fB\fBm\fR\fR
289 .ad
290 .sp .6
291 .RS 4n
292 minutes
293 .RE
294
295 .sp
296 .ne 2
297 .na
298 \fB\fBh\fR\fR
299 .ad
300 .sp .6
301 .RS 4n
302 hours
303 .RE
304
305 .sp
306 .ne 2
307 .na
308 \fB\fBd\fR\fR
309 .ad
310 .sp .6
311 .RS 4n
312 days
313 .RE
314
315 Example:
316 .sp
317 .in +2
318 .nf
319 \fBrenew_lifetime = 90m\fR
320 .fi
321 .in -2
322 .sp
323
324 Do not mix units. A value of "\fB3h30m\fR" results in an error.
325 .RE
326
327 .sp
328 .ne 2
329 .na
330 \fB\fBmax_lifetime =\fR\fIlifetime\fR\fR
331 .ad
332 .sp .6
333 .RS 4n
334 Sets the requested maximum lifetime of the ticket. The values for
335 \fIlifetime\fR follow the format described for the \fBrenew_lifetime\fR option,
336 above.
337 .RE
338
339 .sp
340 .ne 2
341 .na
342 \fB\fBdns_lookup_kdc\fR\fR
343 .ad
344 .sp .6
345 .RS 4n
346 Indicates whether DNS SRV records need to be used to locate the KDCs and the
347 other servers for a realm, if they have not already been listed in the
348 \fB[realms]\fR section. This option makes the machine vulnerable to a certain
349 type of DoS attack if somone spoofs the DNS records and does a redirect to
350 another server. This is, however, no worse than a DoS, since the bogus KDC is
351 unable to decode anything sent (excepting the initial ticket request, which has
352 no encrypted data). Also, anything the fake KDC sends out isl not trusted
353 without verification (the local machine is unaware of the secret key to be
354 used). If \fBdns_lookup_kdc\fR is not specified but \fBdns_fallback\fR is, then
355 that value is used instead. In either case, values (if present) in the
356 \fB[realms]\fR section override DNS. \fBdns_lookup_kdc\fR is enabled by
357 default.
358 .RE
359
360 .sp
361 .ne 2
362 .na
363 \fB\fBdns_lookup_realm\fR\fR
364 .ad
365 .sp .6
366 .RS 4n
367 Indicates whether DNS TXT records need to be used to determine the Kerberos
368 realm information and/or the host/domain name-to-realm mapping of a host, if
369 this information is not already present in the \fBkrb5.conf\fR file. Enabling
370 this option might make the host vulnerable to a redirection attack, wherein
371 spoofed DNS replies persuade a client to authenticate to the wrong realm. In a
372 realm with no cross-realm trusts, this a DoS attack. If \fBdns_lookup_realm\fR
373 is not specified but \fBdns_fallback\fR is, then that value is used instead. In
374 either case, values (if present) in the \fB[libdefaults]\fR and
375 \fB[domain_realm]\fR sections override DNS.
376 .RE
377
378 .sp
379 .ne 2
380 .na
381 \fB\fBdns_fallback\fR\fR
382 .ad
383 .sp .6
384 .RS 4n
385 Generic flag controlling the use of DNS for retrieval of information about
386 Kerberos servers and host/domain name-to-realm mapping. If both
387 \fBdns_lookup_kdc\fR and \fBdns_lookup_realm\fR have been specified, this
388 option has no effect.
389 .RE
390
391 .sp
392 .ne 2
393 .na
394 \fB\fBverify_ap_req_nofail [true | false]\fR\fR
395 .ad
396 .sp .6
397 .RS 4n
398 If \fBtrue\fR, the local keytab file (\fB/etc/krb5/krb5.keytab\fR) must contain
399 an entry for the local \fBhost\fR principal, for example,
400 \fBhost/foo.bar.com@FOO.COM\fR. This entry is needed to verify that the
401 \fBTGT\fR requested was issued by the same \fBKDC\fR that issued the key for
402 the host principal. If undefined, the behavior is as if this option were set to
403 \fBtrue\fR. Setting this value to \fBfalse\fR leaves the system vulnerable to
404 \fBDNS\fR spoofing attacks. This parameter can be in the \fB[realms]\fR section
405 to set it on a per-realm basis, or it can be in the \fB[libdefaults]\fR section
406 to make it a network-wide setting for all realms.
407 .RE
408
409 .SS "The \fB[appdefaults]\fR Section"
410 .LP
411 This section contains subsections for Kerberos V5 applications, where
412 \fIrelation-subsection\fR is the name of an application. Each subsection
413 contains relations that define the default behaviors for that application.
414 .sp
415 .LP
416 The following relations can be found in the \fB[appdefaults]\fR section, though
417 not all relations are recognized by all kerberized applications. Some are
418 specific to particular applications.
419 .sp
420 .ne 2
421 .na
422 \fB\fBautologin =\fR [\fBtrue\fR | \fBfalse\fR]\fR
423 .ad
424 .sp .6
425 .RS 4n
426 Forces the application to attempt automatic login by presenting Kerberos
427 credentials. This is valid for the following applications: \fBrlogin\fR,
428 \fBrsh\fR, \fBrcp\fR, \fBrdist\fR, and \fBtelnet\fR.
429 .RE
430
431 .sp
432 .ne 2
433 .na
434 \fB\fBencrypt =\fR [\fBtrue\fR | \fBfalse\fR]\fR
435 .ad
436 .sp .6
437 .RS 4n
438 Forces applications to use encryption by default (after authentication) to
439 protect the privacy of the sessions. This is valid for the following
440 applications: \fBrlogin\fR, \fBrsh\fR, \fBrcp\fR, \fBrdist\fR, and
441 \fBtelnet\fR.
442 .RE
443
444 .sp
445 .ne 2
446 .na
447 \fB\fBforward =\fR [\fBtrue\fR | \fBfalse\fR]\fR
448 .ad
449 .sp .6
450 .RS 4n
451 Forces applications to forward the user'ss credentials (after authentication)
452 to the remote server. This is valid for the following applications:
453 \fBrlogin\fR, \fBrsh\fR, \fBrcp\fR, \fBrdist\fR, and \fBtelnet\fR.
454 .RE
455
456 .sp
457 .ne 2
458 .na
459 \fB\fBforwardable =\fR [\fBtrue\fR | \fBfalse\fR]\fR
460 .ad
461 .sp .6
462 .RS 4n
463 See the description in the \fB[libdefaults]\fR section above. This is used by
464 any application that creates a ticket granting ticket and also by applications
465 that can forward tickets to a remote server.
466 .RE
467
468 .sp
469 .ne 2
470 .na
471 \fB\fBproxiable =\fR [\fBtrue\fR | \fBfalse\fR]\fR
472 .ad
473 .sp .6
474 .RS 4n
475 See the description in the \fB[libdefaults]\fR section above. This is used by
476 any application that creates a ticket granting ticket.
477 .RE
478
479 .sp
480 .ne 2
481 .na
482 \fB\fBrenewable =\fR [\fBtrue\fR | \fBfalse\fR]\fR
483 .ad
484 .sp .6
485 .RS 4n
486 Creates a TGT that can be renewed (prior to the ticket expiration time). This
487 is used by any application that creates a ticket granting ticket.
488 .RE
489
490 .sp
491 .ne 2
492 .na
493 \fB\fBno_addresses =\fR [\fBtrue\fR | \fBfalse\fR]\fR
494 .ad
495 .sp .6
496 .RS 4n
497 Creates tickets with no address bindings. This is to allow tickets to be used
498 across a \fBNAT\fR boundary or when using multi-homed systems. This option is
499 valid in the \fBkinit\fR \fB[appdefault]\fR section only.
500 .RE
501
502 .sp
503 .ne 2
504 .na
505 \fB\fBmax_life =\fR\fIlifetime\fR\fR
506 .ad
507 .sp .6
508 .RS 4n
509 Sets the maximum lifetime of the ticket, with a total lifetime of
510 \fIlifetime\fR. The values for \fIlifetime\fR follow the format described in
511 the \fB[libdefaults]\fR section above. This option is obsolete and is removed
512 in a future release of the Solaris operating system.
513 .RE
514
515 .sp
516 .ne 2
517 .na
518 \fB\fBmax_renewable_life =\fR\fIlifetime\fR\fR
519 .ad
520 .sp .6
521 .RS 4n
522 Requests renewable tickets, with a total lifetime of \fIlifetime\fR. The values
523 for \fIlifetime\fR follow the format described in the \fB[libdefaults]\fR
524 section above. This option is obsolete and is removed in a future release of
525 the Solaris operating system.
526 .RE
527
528 .sp
529 .ne 2
530 .na
531 \fB\fBrcmd_protocol =\fR [ \fBrcmdv1\fR | \fBrcmdv2\fR ]\fR
532 .ad
533 .sp .6
534 .RS 4n
535 Specifies which Kerberized "\fBrcmd\fR" protocol to use when using the
536 Kerberized \fBrlogin\fR(1), \fBrsh\fR(1), \fBrcp\fR(1), or \fBrdist\fR(1)
537 programs. The default is to use \fBrcmdv2\fR by default, as this is the more
538 secure and more recent update of the protocol. However, when talking to older
539 \fBMIT\fR or \fBSEAM\fR-based "\fBrcmd\fR" servers, it can be necessary to
540 force the new clients to use the older \fBrcmdv1\fR protocol. This option is
541 valid only for the following applications: \fBrlogin\fR, \fBrcp\fR, \fBrsh\fR,
542 and \fBrdist\fR.
543 .RE
544
545 .sp
546 .LP
547 The following application defaults can be set to \fBtrue\fR or \fBfalse\fR:
548 .sp
549 .in +2
550 .nf
551 kinit
552 forwardable = true
553 proxiable = true
554 renewable = true
555 no_addresses = true
556 max_life = \fIdelta_time\fR
557 max_renewable_life = \fIdelta_time\fR
558 .fi
559 .in -2
560 .sp
561
562 .sp
563 .LP
564 See \fBkinit\fR(1) for the valid time duration formats you can specify for
565 \fIdelta_time\fR.
566 .sp
567 .LP
568 In the following example, \fBkinit\fR gets forwardable tickets by default and
569 \fBtelnet\fR has three default behaviors specified:
570 .sp
571 .in +2
572 .nf
573 [appdefaults]
574 kinit = {
575 forwardable = true
576 }
577
578 telnet = {
579 forward = true
580 encrypt = true
581 autologin = true
582 }
583 .fi
584 .in -2
585 .sp
586
587 .sp
588 .LP
589 The application defaults specified here are overridden by those specified in
590 the \fB[realms]\fR section.
591 .SS "The \fB[realms]\fR Section"
592 .LP
593 This section contains subsections for Kerberos realms, where
594 \fIrelation-subsection\fR is the name of a realm. Each subsection contains
595 relations that define the properties for that particular realm. The following
596 relations can be specified in each \fB[realms]\fR subsection:
597 .sp
598 .ne 2
599 .na
600 \fB\fBadmin_server\fR\fR
601 .ad
602 .sp .6
603 .RS 4n
604 Identifies the host where the Kerberos administration daemon (\fBkadmind\fR) is
605 running. Typically, this is the master \fBKDC\fR.
606 .RE
607
608 .sp
609 .ne 2
610 .na
611 \fB\fIapplication defaults\fR\fR
612 .ad
613 .sp .6
614 .RS 4n
615 Application defaults that are specific to a particular realm can be specified
616 within a \fB[realms]\fR subsection. Realm-specific application defaults
617 override the global defaults specified in the \fB[appdefaults]\fR section.
618 .RE
619
620 .sp
621 .ne 2
622 .na
623 \fB\fBauth_to_local_realm\fR\fR
624 .ad
625 .sp .6
626 .RS 4n
627 For use in the default realm, non-default realms can be equated with the
628 default realm for authenticated name-to-local name mapping.
629 .RE
630
631 .sp
632 .ne 2
633 .na
634 \fB\fBauth_to_local_names\fR\fR
635 .ad
636 .sp .6
637 .RS 4n
638 This subsection allows you to set explicit mappings from principal names to
639 local user names. The tag is the mapping name and the value is the
640 corresponding local user name.
641 .RE
642
643 .sp
644 .ne 2
645 .na
646 \fB\fBauth_to_local\fR\fR
647 .ad
648 .sp .6
649 .RS 4n
650 This tag allows you to set a general rule for mapping principal names to local
651 user names. It is used if there is not an explicit mapping for the principal
652 name that is being translated. The possible values are:
653 .sp
654 .in +2
655 .nf
656 RULE:[<ncomps>:<format>](<regex>)s/<regex>/<text>/
657 .fi
658 .in -2
659
660 Each rule has three parts:
661 .sp
662 .ne 2
663 .na
664 \fBFirst part\(emFormulate the string on which to perform operations:\fR
665 .ad
666 .sp .6
667 .RS 4n
668 If not present then the string defaults to the fully flattened principal minus
669 the realm name. Otherwise the syntax is as follows:
670 .sp
671 .in +2
672 .nf
673 "[" \fI<ncomps>\fR ":" \fI<format>\fR "]"
674 .fi
675 .in -2
676
677 Where:
678 .sp
679 \fI<ncomps>\fR is the number of expected components for this rule. If the
680 particular principal does not have this number of components, then this rule
681 does not apply.
682 .sp
683 \fI<format>\fR is a string of \fI<component>\fR or verbatim characters to be
684 inserted.
685 .sp
686 \fI<component>\fR is of the form "\fB$\fR"\fI<number>\fR to select the
687 \fI<number>\fRth component. \fI<number>\fR begins from 1.
688 .RE
689
690 .sp
691 .ne 2
692 .na
693 \fBSecond part\(emselect rule validity:\fR
694 .ad
695 .sp .6
696 .RS 4n
697 If not present, this rule can apply to all selections. Otherwise the syntax is
698 as follows:
699 .sp
700 .in +2
701 .nf
702 "(" \fI<regex>\fR ")"
703 .fi
704 .in -2
705
706 Where:
707 .sp
708 \fI<regex>\fR is a selector regular expression. If this regular expression
709 matches the whole pattern generated from the first part, then this rule still
710 applies.
711 .RE
712
713 .sp
714 .ne 2
715 .na
716 \fBThird part\(emTransform rule:\fR
717 .ad
718 .sp .6
719 .RS 4n
720 If not present, then the selection string is passed verbatim and is matched.
721 Otherwise, the syntax is as follows:
722 .sp
723 .in +2
724 .nf
725 \fI<rule>\fR ...
726 .fi
727 .in -2
728
729 Where:
730 .sp
731 \fI<rule>\fR is of the form:
732 .sp
733 .in +2
734 .nf
735 "s/" <regex> "/" <text> "/" ["g"]
736 .fi
737 .in -2
738
739 Regular expressions are defined in \fBregex\fR(5).
740 .sp
741 For example:
742 .sp
743 auth_to_local = RULE:[1:$1@$0](.*@.*ACME\.COM)s/@.*//
744 .sp
745 The preceding maps \fB\fIusername\fR@ACME.COM\fR and all sub-realms of
746 \fBACME.COM\fR to \fIusername\fR.
747 .RE
748
749 .sp
750 .ne 2
751 .na
752 \fBDEFAULT\fR
753 .ad
754 .sp .6
755 .RS 4n
756 The principal name is used as the local name. If the principal has more than
757 one component or is not in the default realm, this rule is not applicable and
758 the conversion fails.
759 .RE
760
761 .RE
762
763 .sp
764 .ne 2
765 .na
766 \fB\fBdatabase_module\fR\fR
767 .ad
768 .sp .6
769 .RS 4n
770 Selects the \fBdbmodule\fR section entry to use to access the Kerberos
771 database.
772 .RE
773
774 .sp
775 .ne 2
776 .na
777 \fB\fBextra_addresses\fR...\fR
778 .ad
779 .sp .6
780 .RS 4n
781 This allows a computer to use multiple local addresses, to allow Kerberos to
782 work in a network that uses NATs. The addresses should be in a comma-separated
783 list.
784 .RE
785
786 .sp
787 .ne 2
788 .na
789 \fB\fBkdc\fR\fR
790 .ad
791 .sp .6
792 .RS 4n
793 The name of a host running a \fBKDC\fR for that realm. An optional port number
794 (separated from the hostname by a colon) can be included.
795 .RE
796
797 .sp
798 .ne 2
799 .na
800 \fB\fBkpasswd_server\fR\fR
801 .ad
802 .sp .6
803 .RS 4n
804 Identifies the host where the Kerberos password-changing server is running.
805 Typically, this is the same as host indicated in the \fBadmin_server\fR. If
806 this parameter is omitted, the host in \fBadmin_server\fR is used. You can also
807 specify a port number if the server indicated by \fBkpasswd_server\fR runs on a
808 port other than 464 (the default). The format of this parameter is:
809 \fIhostname\fR[:\fIport\fR].
810 .RE
811
812 .sp
813 .ne 2
814 .na
815 \fB\fBkpasswd_protocol\fR\fR
816 .ad
817 .sp .6
818 .RS 4n
819 Identifies the protocol to be used when communicating with the server indicated
820 by \fBkpasswd_server\fR. By default, this parameter is defined to be
821 \fBRPCSEC_GSS\fR, which is the protocol used by Solaris-based administration
822 servers. To be able to change a principal's password stored on non-Solaris
823 Kerberos server, such as Microsoft Active Directory or \fBMIT\fR Kerberos, this
824 value should be \fBSET_CHANGE\fR. This indicates that a non-RPC- based protocol
825 is used to communicate the password change request to the server in the
826 \fBkpasswd_server\fR entry.
827 .RE
828
829 .sp
830 .ne 2
831 .na
832 \fB\fBudp_preference_limit\fR\fR
833 .ad
834 .sp .6
835 .RS 4n
836 When sending a message to the KDC, the library tries using TCP before UDP if
837 the size of the message is above \fBudp_preference_limit\fR. If the message is
838 smaller than \fBudp_preference_limit\fR, then UDP is tried before TCP.
839 Regardless of the size, both protocols are tried if the first attempt fails.
840 .RE
841
842 .sp
843 .ne 2
844 .na
845 \fB\fBverify_ap_req_nofail\fR [\fBtrue\fR | \fBfalse\fR]\fR
846 .ad
847 .sp .6
848 .RS 4n
849 If \fBtrue\fR, the local keytab file (\fB/etc/krb5/krb5.keytab\fR) must contain
850 an entry for the local \fBhost\fR principal, for example,
851 \fBhost/foo.bar.com@FOO.COM\fR. This entry is needed to verify that the
852 \fBTGT\fR requested was issued by the same \fBKDC\fR that issued the key for
853 the host principal. If undefined, the behavior is as if this option were set to
854 \fBtrue\fR. Setting this value to \fBfalse\fR leaves the system vulnerable to
855 \fBDNS\fR spoofing attacks. This parameter might be in the \fB[realms]\fR
856 section to set it on a per-realm basis, or it might be in the
857 \fB[libdefaults]\fR section to make it a network-wide setting for all realms.
858 .RE
859
860 .sp
861 .LP
862 The parameters "\fBforwardable\fR", "\fBproxiable\fR", and
863 "\fBrenew_lifetime\fR" as described in the \fB[libdefaults]\fR section (see
864 above) are also valid in the \fB[realms]\fR section.
865 .sp
866 .LP
867 Notice that \fBkpasswd_server\fR and \fBkpasswd_protocol\fR are realm-specific
868 parameters. Most often, you need to specify them only when using a
869 non-Solaris-based Kerberos server. Otherwise, the change request is sent over
870 \fBRPCSEC_GSS\fR to the Solaris Kerberos administration server.
871 .SS "The \fB[domain_realm]\fR Section"
872 .LP
873 This section provides a translation from a domain name or hostname to a
874 Kerberos realm name. The \fIrelation\fR can be a host name, or a domain name,
875 where domain names are indicated by a period (`\fB\&.\fR') prefix.
876 \fIrelation-value\fR is the Kerberos realm name for that particular host or
877 domain. Host names and domain names should be in lower case.
878 .sp
879 .LP
880 If no translation entry applies, the host's realm is considered to be the
881 hostname's domain portion converted to upper case. For example, the following
882 \fB[domain_realm]\fR section maps \fBcrash.mit.edu\fR into the
883 \fBTEST.ATHENA.MIT.EDU\fR realm:
884 .sp
885 .in +2
886 .nf
887 [domain_realm]
888 .mit.edu = ATHENA.MIT.EDU
889 mit.edu = ATHENA.MIT.EDU
890 crash.mit.edu = TEST.ATHENA.MIT.EDU
891 .fubar.org = FUBAR.ORG
892 fubar.org = FUBAR.ORG
893 .fi
894 .in -2
895 .sp
896
897 .sp
898 .LP
899 All other hosts in the \fBmit.edu\fR domain maps by default to the
900 \fBATHENA.MIT.EDU\fR realm, and all hosts in the \fBfubar.org\fR domain maps by
901 default into the \fBFUBAR.ORG\fR realm. The entries for the hosts \fBmit.edu\fR
902 and \fBfubar.org\fR. Without these entries, these hosts would be mapped into
903 the Kerberos realms \fBEDU\fR and \fBORG\fR, respectively.
904 .SS "The \fB[logging]\fR Section"
905 .LP
906 This section indicates how Kerberos programs are to perform logging. There are
907 two types of relations for this section: relations to specify how to log and a
908 relation to specify how to rotate \fBkdc\fR log files.
909 .sp
910 .LP
911 The following relations can be defined to specify how to log. The same relation
912 can be repeated if you want to assign it multiple logging methods.
913 .sp
914 .ne 2
915 .na
916 \fB\fBadmin_server\fR\fR
917 .ad
918 .sp .6
919 .RS 4n
920 Specifies how to log the Kerberos administration daemon (\fBkadmind\fR). The
921 default is \fBFILE:/var/krb5/kadmin.log.\fR
922 .RE
923
924 .sp
925 .ne 2
926 .na
927 \fB\fBdefault\fR\fR
928 .ad
929 .sp .6
930 .RS 4n
931 Specifies how to perform logging in the absence of explicit specifications
932 otherwise.
933 .RE
934
935 .sp
936 .ne 2
937 .na
938 \fB\fBkdc\fR\fR
939 .ad
940 .sp .6
941 .RS 4n
942 Specifies how the \fBKDC\fR is to perform its logging. The default is
943 \fBFILE:/var/krb5/kdc.log\fR.
944 .RE
945
946 .sp
947 .LP
948 The \fBadmin_server\fR, \fBdefault\fR, and \fBkdc\fR relations can have the
949 following values:
950 .sp
951 .ne 2
952 .na
953 \fB\fBFILE:\fR\fIfilename\fR\fR
954 .ad
955 .br
956 .na
957 \fB\fBFILE=\fR\fIfilename\fR\fR
958 .ad
959 .sp .6
960 .RS 4n
961 This value causes the entity's logging messages to go to the specified file. If
962 the `=' form is used, the file is overwritten. If the `:' form is used, the
963 file is appended to.
964 .RE
965
966 .sp
967 .ne 2
968 .na
969 \fB\fBSTDERR\fR\fR
970 .ad
971 .sp .6
972 .RS 4n
973 This value causes the entity's logging messages to go to its standard error
974 stream.
975 .RE
976
977 .sp
978 .ne 2
979 .na
980 \fB\fBCONSOLE\fR\fR
981 .ad
982 .sp .6
983 .RS 4n
984 This value causes the entity's logging messages to go to the console, if the
985 system supports it.
986 .RE
987
988 .sp
989 .ne 2
990 .na
991 \fB\fBDEVICE=\fR\fIdevicename\fR\fR
992 .ad
993 .sp .6
994 .RS 4n
995 This causes the entity's logging messages to go to the specified device.
996 .RE
997
998 .sp
999 .ne 2
1000 .na
1001 \fB\fBSYSLOG[:\fR\fIseverity\fR\fB[:\fR\fIfacility\fR\fB]]\fR\fR
1002 .ad
1003 .sp .6
1004 .RS 4n
1005 This causes the entity's logging messages to go to the system log.
1006 .RE
1007
1008 .sp
1009 .LP
1010 The \fIseverity\fR argument specifies the default severity of system log
1011 messages. This can be any of the following severities supported by the
1012 \fBsyslog\fR(3C) call, minus the \fBLOG_\fR prefix: \fBLOG_EMERG\fR,
1013 \fBLOG_ALERT\fR, \fBLOG_CRIT\fR, \fBLOG_ERR\fR, \fBLOG_WARNING\fR,
1014 \fBLOG_NOTICE\fR, \fBLOG_INFO\fR, and \fBLOG_DEBUG\fR. For example, a value of
1015 \fBCRIT\fR would specify \fBLOG_CRIT\fR severity.
1016 .sp
1017 .LP
1018 The \fIfacility\fR argument specifies the facility under which the messages are
1019 logged. This can be any of the following facilities supported by the
1020 \fBsyslog\fR(3C) call minus the \fBLOG_\fR prefix: \fBLOG_KERN\fR,
1021 \fBLOG_USER\fR, \fBLOG_MAIL\fR, \fBLOG_DAEMON\fR, \fBLOG_AUTH\fR,
1022 \fBLOG_LPR\fR, \fBLOG_NEWS\fR, \fBLOG_UUCP\fR, \fBLOG_CRON\fR, and
1023 \fBLOG_LOCAL0\fR through \fBLOG_LOCAL7\fR.
1024 .sp
1025 .LP
1026 If no severity is specified, the default is \fBERR\fR. If no facility is
1027 specified, the default is \fBAUTH\fR.
1028 .sp
1029 .LP
1030 The following relation can be defined to specify how to rotate \fBkdc\fR log
1031 files if the \fBFILE:\fR value is being used to log:
1032 .sp
1033 .ne 2
1034 .na
1035 \fB\fBkdc_rotate\fR\fR
1036 .ad
1037 .sp .6
1038 .RS 4n
1039 A relation subsection that enables \fBkdc\fR logging to be rotated to multiple
1040 files based on a time interval. This can be used to avoid logging to one file,
1041 which might grow too large and bring the \fBKDC\fR to a halt.
1042 .RE
1043
1044 .sp
1045 .LP
1046 The time interval for the rotation is specified by the \fBperiod\fR relation.
1047 The number of log files to be rotated is specified by the \fBversions\fR
1048 relation. Both the \fBperiod\fR and \fBversions\fR (described below) should be
1049 included in this subsection. And, this subsection applies only if the \fBkdc\fR
1050 relation has a \fBFILE:\fR value.
1051 .sp
1052 .LP
1053 The following relations can be specified for the \fBkdc_rotate\fR relation
1054 subsection:
1055 .sp
1056 .ne 2
1057 .na
1058 \fB\fB\fR\fBperiod=\fIdelta_time\fR\fR\fR
1059 .ad
1060 .sp .6
1061 .RS 4n
1062 Specifies the time interval before a new log file is created. See the
1063 \fBTime\fR\fBFormats\fR section in \fBkinit\fR(1) for the valid time duration
1064 formats you can specify for \fIdelta_time\fR. If \fBperiod\fR is not specified
1065 or set to \fBnever\fR, no rotation occurs.
1066 .RE
1067
1068 .sp
1069 .LP
1070 Specifying a time interval does not mean that the log files are rotated at the
1071 time interval based on real time. This is because the time interval is checked
1072 at each attempt to write a record to the log, or when logging is actually
1073 occurring. Therefore, rotation occurs only when logging has actually occurred
1074 for the specified time interval.
1075 .sp
1076 .ne 2
1077 .na
1078 \fB\fBversions=\fR\fInumber\fR\fR
1079 .ad
1080 .sp .6
1081 .RS 4n
1082 Specifies how many previous versions are saved before the rotation begins. A
1083 number is appended to the log file, starting with 0 and ending with
1084 (\fInumber\fR - 1). For example, if \fBversions\fR is set to \fB2\fR, up to
1085 three logging files are created (\fIfilename\fR, \fIfilename\fR.0, and
1086 \fIfilename\fR.1) before the first one is overwritten to begin the rotation.
1087 .RE
1088
1089 .sp
1090 .LP
1091 Notice that if \fBversions\fR is not specified or set to \fB0\fR, only one log
1092 file is created, but it is overwritten whenever the time interval is met.
1093 .sp
1094 .LP
1095 In the following example, the logging messages from the Kerberos administration
1096 daemon goes to the console. The logging messages from the \fBKDC\fR is appended
1097 to the \fB/var/krb5/kdc.log\fR, which is rotated between twenty-one log files
1098 with a specified time interval of a day.
1099 .sp
1100 .in +2
1101 .nf
1102 [logging]
1103 admin_server = CONSOLE
1104 kdc = FILE:/export/logging/kadmin.log
1105 kdc_rotate = {
1106 period = 1d
1107 versions = 20
1108 }
1109 .fi
1110 .in -2
1111 .sp
1112
1113 .SS "The \fB[capaths]\fR Section"
1114 .LP
1115 In order to perform direct (non-hierarchical) cross-realm authentication, a
1116 database is needed to construct the authentication paths between the realms.
1117 This section defines that database.
1118 .sp
1119 .LP
1120 A client uses this section to find the authentication path between its realm
1121 and the realm of the server. The server uses this section to verify the
1122 authentication path used by the client, by checking the transited field of the
1123 received ticket.
1124 .sp
1125 .LP
1126 There is a subsection for each participating realm, and each subsection has
1127 relations named for each of the realms. The \fIrelation-value\fR is an
1128 intermediate realm which can participate in the cross-realm authentication. The
1129 relations can be repeated if there is more than one intermediate realm. A value
1130 of '.' means that the two realms share keys directly, and no intermediate
1131 realms should be allowed to participate.
1132 .sp
1133 .LP
1134 There are n**2 possible entries in this table, but only those entries which is
1135 needed on the client or the server need to be present. The client needs a
1136 subsection named for its local realm, with relations named for all the realms
1137 of servers it needs to authenticate with. A server needs a subsection named for
1138 each realm of the clients it serves.
1139 .sp
1140 .LP
1141 For example, \fBANL.GOV\fR, \fBPNL.GOV\fR, and \fBNERSC.GOV\fR all wish to use
1142 the \fBES.NET\fR realm as an intermediate realm. \fBANL\fR has a sub realm of
1143 \fBTEST.ANL.GOV\fR, which authenticates with \fBNERSC.GOV\fR but not
1144 \fBPNL.GOV\fR. The \fB[capath]\fR section for \fBANL.GOV\fR systems would look
1145 like this:
1146 .sp
1147 .in +2
1148 .nf
1149 [capaths]
1150 ANL.GOV = {
1151 TEST.ANL.GOV = .
1152 PNL.GOV = ES.NET
1153 NERSC.GOV = ES.NET
1154 ES.NET = .
1155 }
1156
1157 TEST.ANL.GOV = {
1158 ANL.GOV = .
1159 }
1160
1161 PNL.GOV = {
1162 ANL.GOV = ES.NET
1163 }
1164
1165 NERSC.GOV = {
1166 ANL.GOV = ES.NET
1167 }
1168
1169 ES.NET = {
1170 ANL.GOV = .
1171 }
1172 .fi
1173 .in -2
1174 .sp
1175
1176 .sp
1177 .LP
1178 The \fB[capath]\fR section of the configuration file used on \fBNERSC.GOV\fR
1179 systems would look like this:
1180 .sp
1181 .in +2
1182 .nf
1183 [capaths]
1184 NERSC.GOV = {
1185 ANL.GOV = ES.NET
1186 TEST.ANL.GOV = ES.NET
1187 TEST.ANL.GOV = ANL.GOV
1188 PNL.GOV = ES.NET
1189 ES.NET = .
1190 }
1191
1192 ANL.GOV = {
1193 NERSC.GOV = ES.NET
1194 }
1195
1196 PNL.GOV = {
1197 NERSC.GOV = ES.NET
1198 }
1199
1200 ES.NET = {
1201 NERSC.GOV = .
1202 }
1203
1204 TEST.ANL.GOV = {
1205 NERSC.GOV = ANL.GOV
1206 NERSC.GOV = ES.NET
1207 }
1208 .fi
1209 .in -2
1210 .sp
1211
1212 .sp
1213 .LP
1214 In the above examples, the ordering is not important, except when the same
1215 relation is used more than once. The client uses this to determine the path.
1216 (It is not important to the server, since the transited field is not sorted.)
1217 .SS "PKINIT-specific Options"
1218 .LP
1219 The following are \fBpkinit-specific\fR options. These values can be specified
1220 in \fB[libdefaults]\fR as global defaults, or within a realm-specific
1221 subsection of \fB[libdefaults]\fR, or can be specified as realm-specific values
1222 in the \fB[realms]\fR section. A realm-specific value overrides, does not add
1223 to, a generic \fB[libdefaults]\fR specification.
1224 .sp
1225 .LP
1226 The search order is:
1227 .RS +4
1228 .TP
1229 1.
1230 realm-specific subsection of \fB[libdefaults]\fR
1231 .sp
1232 .in +2
1233 .nf
1234 [libdefaults]
1235 EXAMPLE.COM = {
1236 pkinit_anchors = FILE:/usr/local/example.com.crt
1237 .fi
1238 .in -2
1239
1240 .RE
1241 .RS +4
1242 .TP
1243 2.
1244 realm-specific value in the \fB[realms]\fR section
1245 .sp
1246 .in +2
1247 .nf
1248 [realms]
1249 OTHERREALM.ORG = {
1250 pkinit_anchors = FILE:/usr/local/otherrealm.org.crt
1251 .fi
1252 .in -2
1253
1254 .RE
1255 .RS +4
1256 .TP
1257 3.
1258 generic value in the \fB[libdefaults]\fR section
1259 .sp
1260 .in +2
1261 .nf
1262 [libdefaults]
1263 pkinit_anchors = DIR:/usr/local/generic_trusted_cas/
1264 .fi
1265 .in -2
1266
1267 .RE
1268 .sp
1269 .LP
1270 The syntax for specifying Public Key identity, trust, and revocation
1271 information for \fBpkinit\fR is as follows:
1272 .sp
1273 .ne 2
1274 .na
1275 \fB\fBpkinit_identities\fR \fB=\fR \fIURI\fR\fR
1276 .ad
1277 .sp .6
1278 .RS 4n
1279 Specifies the location(s) to be used to find the user's X.509 identity
1280 information. This option can be specified multiple times. Each value is
1281 attempted in order until identity information is found and authentication is
1282 attempted. These values are not used if the user specifies
1283 \fBX509_user_identity\fR on the command line.
1284 .sp
1285 Valid \fIURI\fR types are \fBFILE\fR, \fBDIR\fR, \fBPKCS11\fR, \fBPKCS12\fR,
1286 and \fBENV\fR. See the \fBPKINIT URI Types\fR section for more details.
1287 .RE
1288
1289 .sp
1290 .ne 2
1291 .na
1292 \fB\fBpkinit_anchors\fR \fB=\fR \fIURI\fR\fR
1293 .ad
1294 .sp .6
1295 .RS 4n
1296 Specifies the location of trusted anchor (root) certificates which the client
1297 trusts to sign KDC certificates. This option can be specified multiple times.
1298 These values from the \fBconfig\fR file are not used if the user specifies
1299 \fBX509_anchors\fR on the command line.
1300 .sp
1301 Valid \fIURI\fR types are \fBFILE\fR and \fBDIR\fR. See the \fBPKINIT URI
1302 Types\fR section for more details.
1303 .RE
1304
1305 .sp
1306 .ne 2
1307 .na
1308 \fB\fBpkinit_pool\fR \fB=\fR \fIURI\fR\fR
1309 .ad
1310 .sp .6
1311 .RS 4n
1312 Specifies the location of intermediate certificates which can be used by the
1313 client to complete the trust chain between a KDC certificate and a trusted
1314 anchor. This option can be specified multiple times.
1315 .sp
1316 Valid \fIURI\fR types are \fBFILE\fR and \fBDIR\fR. See the \fBPKINIT URI
1317 Types\fR section for more details.
1318 .RE
1319
1320 .sp
1321 .ne 2
1322 .na
1323 \fB\fBpkinit_revoke\fR \fB=\fR \fIURI\fR\fR
1324 .ad
1325 .sp .6
1326 .RS 4n
1327 Specifies the location of Certificate Revocation List (CRL) information to be
1328 used by the client when verifying the validity of the KDC certificate
1329 presented. This option can be specified multiple times.
1330 .sp
1331 The only valid \fIURI\fR type is \fBDIR\fR. See the \fBPKINIT URI Types\fR
1332 section for more details.
1333 .RE
1334
1335 .sp
1336 .ne 2
1337 .na
1338 \fB\fBpkinit_require_crl_checking\fR \fB=\fR \fIvalue\fR\fR
1339 .ad
1340 .sp .6
1341 .RS 4n
1342 The default certificate verification process always checks the available
1343 revocation information to see if a certificate has been revoked. If a match is
1344 found for the certificate in a CRL, verification fails. If the certificate
1345 being verified is not listed in a CRL, or there is no CRL present for its
1346 issuing CA, and \fBpkinit_require_crl_checking\fR is \fBfalse\fR, then
1347 verification succeeds. However, if \fBpkinit_require_crl_checking\fR is
1348 \fBtrue\fR and there is no CRL information available for the issuing CA, then
1349 verification fails. \fBpkinit_require_crl_checking\fR should be set to
1350 \fBtrue\fR if the policy is such that up-to-date CRLs must be present for every
1351 CA.
1352 .RE
1353
1354 .sp
1355 .ne 2
1356 .na
1357 \fB\fBpkinit_dh_min_bits\fR \fB=\fR \fIvalue\fR\fR
1358 .ad
1359 .sp .6
1360 .RS 4n
1361 Specifies the size of the Diffie-Hellman key the client attempts to use. The
1362 acceptable values are currently 1024, 2048, and 4096. The default is 2048.
1363 .RE
1364
1365 .sp
1366 .ne 2
1367 .na
1368 \fB\fBpkinit_win2k\fR \fB=\fR \fIvalue\fR\fR
1369 .ad
1370 .sp .6
1371 .RS 4n
1372 This flag specifies whether the target realm is assumed to support only the
1373 old, pre-RFC version of the protocol. The default is \fBfalse\fR.
1374 .RE
1375
1376 .sp
1377 .ne 2
1378 .na
1379 \fB\fBpkinit_win2k_require_binding\fR \fB=\fR \fIvalue\fR\fR
1380 .ad
1381 .sp .6
1382 .RS 4n
1383 If this flag is set to \fBtrue\fR, it expects that the target KDC is patched to
1384 return a reply with a checksum rather than a nonce. The default is \fBfalse\fR.
1385 .RE
1386
1387 .sp
1388 .ne 2
1389 .na
1390 \fB\fBpkinit_eku_checking\fR \fB=\fR \fIvalue\fR\fR
1391 .ad
1392 .sp .6
1393 .RS 4n
1394 This option specifies what Extended Key Usage value the KDC certificate
1395 presented to the client must contain. If the KDC certificate has the \fBpkinit
1396 SubjectAlternativeName\fR encoded as the Kerberos TGS name, EKU checking is not
1397 necessary since the issuing CA has certified this as a KDC certificate. The
1398 values recognized in the \fBkrb5.conf\fR file are:
1399 .sp
1400 .ne 2
1401 .na
1402 \fB\fBkpKDC\fR\fR
1403 .ad
1404 .RS 16n
1405 This is the default value and specifies that the KDC must have the
1406 \fBid-pkinit-KPKdc EKU\fR as defined in RFC4556.
1407 .RE
1408
1409 .sp
1410 .ne 2
1411 .na
1412 \fB\fBkpServerAuth\fR\fR
1413 .ad
1414 .RS 16n
1415 If \fBkpServerAuth\fR is specified, a KDC certificate with the
1416 \fBid-kp-serverAuth EKU\fR as used by Microsoft is accepted.
1417 .RE
1418
1419 .sp
1420 .ne 2
1421 .na
1422 \fB\fBnone\fR\fR
1423 .ad
1424 .RS 16n
1425 If \fBnone\fR is specified, then the KDC certificate is not checked to verify
1426 it has an acceptable EKU. The use of this option is not recommended.
1427 .RE
1428
1429 .RE
1430
1431 .sp
1432 .ne 2
1433 .na
1434 \fB\fBpkinit_kdc_hostname\fR \fB=\fR \fIvalue\fR\fR
1435 .ad
1436 .sp .6
1437 .RS 4n
1438 The presence of this option indicates that the client is willing to accept a
1439 KDC certificate with a \fBdNSName\fR SAN (Subject Alternative Name) rather than
1440 requiring the \fBid-pkinit-san\fR as defined in RFC4556. This option can be
1441 specified multiple times. Its value should contain the acceptable hostname for
1442 the KDC (as contained in its certificate).
1443 .RE
1444
1445 .sp
1446 .ne 2
1447 .na
1448 \fB\fBpkinit_cert_match\fR \fB=\fR \fIrule\fR\fR
1449 .ad
1450 .sp .6
1451 .RS 4n
1452 Specifies matching rules that the client certificate must match before it is
1453 used to attempt \fBpkinit\fR authentication. If a user has multiple
1454 certificates available (on a smart card, or by way of another media), there
1455 must be exactly one certificate chosen before attempting \fBpkinit\fR
1456 authentication. This option can be specified multiple times. All the
1457 available certificates are checked against each rule in order until there is a
1458 match of exactly one certificate.
1459 .sp
1460 The Subject and Issuer comparison strings are the RFC2253 string
1461 representations from the certificate Subject DN and Issuer DN values.
1462 .sp
1463 The syntax of the matching rules is:
1464 .sp
1465 .in +2
1466 .nf
1467 [relation-operator]component-rule `...'
1468 .fi
1469 .in -2
1470
1471 where
1472 .sp
1473 .ne 2
1474 .na
1475 \fB\fIrelation-operator\fR\fR
1476 .ad
1477 .RS 21n
1478 Specify \fIrelation-operator\fR as \fB&&\fR, meaning all component rules must
1479 match, or \fB||\fR, meaning only one component rule must match. If
1480 \fIrelation-operator\fR is not specified, the default is \fB&&\fR\&.
1481 .RE
1482
1483 .sp
1484 .ne 2
1485 .na
1486 \fB\fIcomponent-rule\fR\fR
1487 .ad
1488 .RS 21n
1489 There is no punctuation or white space between component rules.Specify
1490 \fIcomponent-rule\fR as one of the following:
1491 .sp
1492 .in +2
1493 .nf
1494 `<SUBJECT>'regular-expression
1495
1496 `<ISSUER>'regular-expression
1497
1498 `<SAN>'regular-expression
1499
1500 `<EKU>'extended-key-usage-list
1501 where extended-key-usage-list is a comma-separated list
1502 of required Extended Key Usage values. All values in
1503 the list must be present in the certificate.
1504 `pkinit'
1505 `msScLogin'
1506 `clientAuth'
1507 `emailProtection'
1508 `<KU>'key-usage-list
1509 where key-usage-list is a comma-separated list of
1510 required Key Usage values. All values in the list must
1511 be present in the certificate.
1512 `digitalSignature'
1513 .fi
1514 .in -2
1515
1516 .RE
1517
1518 Examples:
1519 .sp
1520 .in +2
1521 .nf
1522 pkinit_cert_match = ||<SUBJECT>.*DoE.*<SAN>.*@EXAMPLE.COM
1523 pkinit_cert_match = &&<EKU>msScLogin,clientAuth<ISSUER>.*DoE.*
1524 pkinit_cert_match = <EKU>msScLogin,clientAuth<KU>digitalSignature
1525 .fi
1526 .in -2
1527
1528 .RE
1529
1530 .SS "PKINIT URI Types"
1531 .ne 2
1532 .na
1533 \fB\fBFILE:\fR\fIfile-name[,key-file-name]\fR\fR
1534 .ad
1535 .sp .6
1536 .RS 4n
1537 This option has context-specific behavior.
1538 .sp
1539 .ne 2
1540 .na
1541 \fB\fBpkinit_identities\fR\fR
1542 .ad
1543 .RS 21n
1544 \fIfile-name\fR specifies the name of a PEM-format file containing the user's
1545 certificate. If \fIkey-file-name\fR is not specified, the user's private key
1546 is expected to be in \fIfile-name\fR as well. Otherwise, \fIkey-file-name\fR
1547 is the name of the file containing the private key.
1548 .RE
1549
1550 .sp
1551 .ne 2
1552 .na
1553 \fB\fBpkinit_anchors\fR\fR
1554 .ad
1555 .br
1556 .na
1557 \fB\fBpkinit_pool\fR\fR
1558 .ad
1559 .RS 21n
1560 \fIfile-name\fR is assumed to be the name of an \fBOpenSSL-style ca-bundle\fR
1561 file. The \fBca-bundle\fR file should be base-64 encoded.
1562 .RE
1563
1564 .RE
1565
1566 .sp
1567 .ne 2
1568 .na
1569 \fB\fBDIR:\fR\fIdirectory-name\fR\fR
1570 .ad
1571 .sp .6
1572 .RS 4n
1573 This option has context-specific behavior.
1574 .sp
1575 .ne 2
1576 .na
1577 \fB\fBpkinit_identities\fR\fR
1578 .ad
1579 .RS 21n
1580 \fIdirectory-name\fR specifies a directory with files named \fB*.crt\fR and
1581 \fB*.key\fR, where the first part of the file name is the same for matching
1582 pairs of certificate and private key files. When a file with a name ending with
1583 \&.\fBcrt\fR is found, a matching file ending with \fB\&.key\fR is assumed to
1584 contain the private key. If no such file is found, then the certificate in the
1585 \fB\&.crt\fR is not used.
1586 .RE
1587
1588 .sp
1589 .ne 2
1590 .na
1591 \fB\fBpkinit_anchors\fR\fR
1592 .ad
1593 .br
1594 .na
1595 \fB\fBpkinit_pool\fR\fR
1596 .ad
1597 .RS 21n
1598 \fIdirectory-name\fR is assumed to be an OpenSSL-style hashed CA directory
1599 where each CA cert is stored in a file named \fBhash-of-ca-cert\fR.\fI#\fR.
1600 This infrastructure is encouraged, but all files in the directory are examined
1601 and if they contain certificates (in PEM format), they are used.
1602 .RE
1603
1604 .RE
1605
1606 .sp
1607 .ne 2
1608 .na
1609 \fB\fBPKCS12:\fR\fIpkcs12-file-name\fR\fR
1610 .ad
1611 .sp .6
1612 .RS 4n
1613 \fIpkcs12-file-name\fR is the name of a \fBPKCS #12\fR format file, containing
1614 the user's certificate and private key.
1615 .RE
1616
1617 .sp
1618 .ne 2
1619 .na
1620 \fB\fBPKCS11:[slotid=\fR\fIslot-id\fR\fB][:token=\fR\fItoken-label\fR\fB][:cert
1621 id=\fR\fIcert-id\fR\fB][:certlabel=\fR\fIcert-label\fR\fB]\fR\fR
1622 .ad
1623 .sp .6
1624 .RS 4n
1625 All keyword/values are optional. PKCS11 modules (for example,
1626 \fBopensc-pkcs11.so\fR) must be installed as a \fBcrypto\fR provider under
1627 \fBlibpkcs11\fR(3LIB). \fBslotid=\fR and/or \fBtoken=\fR can be specified to
1628 force the use of a particular smart card reader or token if there is more than
1629 one available. \fBcertid=\fR and/or \fBcertlabel=\fR can be specified to force
1630 the selection of a particular certificate on the device. See the
1631 \fBpkinit_cert_match\fR configuration option for more ways to select a
1632 particular certificate to use for \fBpkinit\fR.
1633 .RE
1634
1635 .sp
1636 .ne 2
1637 .na
1638 \fB\fBENV:\fR\fIenvironment-variable-name\fR\fR
1639 .ad
1640 .sp .6
1641 .RS 4n
1642 \fIenvironment-variable-name\fR specifies the name of an environment variable
1643 which has been set to a value conforming to one of the previous values. For
1644 example, \fBENV:X509_PROXY\fR, where environment variable \fBX509_PROXY\fR has
1645 been set to \fBFILE:/tmp/my_proxy.pem\fR.
1646 .RE
1647
1648 .SS "The \fB[dbmodules]\fR Section"
1649 .LP
1650 This section consists of relations that provide configuration information for
1651 plug-in modules. In particular, the relations describe the configuration for
1652 LDAP KDB plug-in. Use of the \fBdb2\fR KDB plug-in is the default behavior and
1653 that this section does not need to be filled out in that case.
1654 .sp
1655 .ne 2
1656 .na
1657 \fB\fBdb_library\fR\fR
1658 .ad
1659 .sp .6
1660 .RS 4n
1661 Name of the plug-in library. To use the LDAP KDB plug-in the name must be
1662 \fBkdb_ldap\fR. The default value is \fBdb2\fR.
1663 .RE
1664
1665 .sp
1666 .ne 2
1667 .na
1668 \fB\fBdb_module_dir\fR\fR
1669 .ad
1670 .sp .6
1671 .RS 4n
1672 Path to the plug-in libraries. The default is \fB/usr/lib/krb5\fR.
1673 .RE
1674
1675 .sp
1676 .ne 2
1677 .na
1678 \fB\fBldap_cert_path\fR\fR
1679 .ad
1680 .sp .6
1681 .RS 4n
1682 Path to the Network Security Services (NSS) trusted database for an SSL
1683 connection. This is a required parameter when using the LDAP KDB plug-in.
1684 .RE
1685
1686 .sp
1687 .ne 2
1688 .na
1689 \fB\fBldap_conns_per_server\fR\fR
1690 .ad
1691 .sp .6
1692 .RS 4n
1693 Number of connections per LDAP instance. The default is \fB5\fR.
1694 .RE
1695
1696 .sp
1697 .ne 2
1698 .na
1699 \fB\fBldap_kadmind_dn\fR\fR
1700 .ad
1701 .sp .6
1702 .RS 4n
1703 Bind DN for \fBkadmind\fR. This specifies the DN that the \fBkadmind\fR service
1704 uses when binding to the LDAP Directory Server. The password for this bind DN
1705 should be in the \fBldap_service_password_file\fR.
1706 .RE
1707
1708 .sp
1709 .ne 2
1710 .na
1711 \fB\fBldap_kdc_dn\fR\fR
1712 .ad
1713 .sp .6
1714 .RS 4n
1715 Bind DN for a Key Distribution Center (KDC). This specifies the DN that the
1716 \fBkrb5kdc\fR service use when binding to the LDAP Directory Server. The
1717 password for this bind DN should be in the \fBldap_service_password_file\fR.
1718 .RE
1719
1720 .sp
1721 .ne 2
1722 .na
1723 \fB\fBldap_servers\fR\fR
1724 .ad
1725 .sp .6
1726 .RS 4n
1727 List of LDAP directory servers in URI format. Use of either of the following is
1728 acceptable.
1729 .sp
1730 .in +2
1731 .nf
1732 ldap://\fI<ds hostname>\fR:\fI<SSL port>\fR
1733 ldap://\fI<ds hostname>\fR
1734 .fi
1735 .in -2
1736 .sp
1737
1738 Each server URI should be separated by whitespace.
1739 .RE
1740
1741 .sp
1742 .ne 2
1743 .na
1744 \fB\fBldap_service_password_file\fR\fR
1745 .ad
1746 .sp .6
1747 .RS 4n
1748 File containing stashed passwords used by the KDC when binding to the LDAP
1749 Directory Server. The default is \fB/var/krb5/service_passwd\fR. This file is
1750 created using \fBkdb5_ldap_util\fR(1M).
1751 .RE
1752
1753 .sp
1754 .ne 2
1755 .na
1756 \fB\fBldap_ssl_port\fR\fR
1757 .ad
1758 .sp .6
1759 .RS 4n
1760 Port number for SSL connection with directory server. The default is \fB389\fR.
1761 .RE
1762
1763 .SH EXAMPLES
1764 .LP
1765 \fBExample 1 \fRSample File
1766 .sp
1767 .LP
1768 The following is an example of a generic \fBkrb5.conf\fR file:
1769
1770 .sp
1771 .in +2
1772 .nf
1773 [libdefaults]
1774 default_realm = ATHENA.MIT.EDU
1775 default_tkt_enctypes = des-cbc-crc
1776 default_tgs_enctypes = des-cbc-crc
1777
1778 [realms]
1779 ATHENA.MIT.EDU = {
1780 kdc = kerberos.mit.edu
1781 kdc = kerberos-1.mit.edu
1782 kdc = kerberos-2.mit.edu
1783 admin_server = kerberos.mit.edu
1784 auth_to_local_realm = KRBDEV.ATHENA.MIT.EDU
1785 }
1786
1787 FUBAR.ORG = {
1788 kdc = kerberos.fubar.org
1789 kdc = kerberos-1.fubar.org
1790 admin_server = kerberos.fubar.org
1791 }
1792
1793 [domain_realm]
1794 .mit.edu = ATHENA.MIT.EDU
1795 mit.edu = ATHENA.MIT.EDU
1796 .fi
1797 .in -2
1798 .sp
1799
1800 .LP
1801 \fBExample 2 \fRKDC Using the LDAP KDB plug-in, \fBrealms\fR and
1802 \fBdbmodules\fR Sections
1803 .sp
1804 .LP
1805 The following is an example of the \fBrealms\fR and \fBdbmodules\fR sections of
1806 a Kerberos configuration file when the KDC is using the LDAP KDB plug-in.
1807
1808 .sp
1809 .in +2
1810 .nf
1811 [realms]
1812 SUN.COM = {
1813 kdc = kc-umpk-01.athena.mit.edu
1814 kdc = kc-umpk-02.athena.mit.edu
1815 admin_server = kc-umpk-01.athena.mit.edu
1816 database_module = LDAP
1817 }
1818
1819 [dbmodules]
1820 LDAP = {
1821 db_library = kdb_ldap
1822 ldap_kerberos_container_dn = "cn=krbcontainer,dc=mit,dc=edu"
1823 ldap_kdc_dn = "cn=kdc service,ou=profile,dc=mit,dc=edu"
1824 ldap_kadmind_dn = "cn=kadmin service,ou=profile,dc=mit,dc=edu"
1825 ldap_cert_path = /var/ldap
1826 ldap_servers = ldaps://ds.mit.edu
1827 }
1828 .fi
1829 .in -2
1830 .sp
1831
1832 .SH FILES
1833 .ne 2
1834 .na
1835 \fB\fB/var/krb5/kdc.log\fR\fR
1836 .ad
1837 .sp .6
1838 .RS 4n
1839 \fBKDC\fR logging file
1840 .RE
1841
1842 .SH ATTRIBUTES
1843 .LP
1844 See \fBattributes\fR(5) for descriptions of the following attributes:
1845 .sp
1846
1847 .sp
1848 .TS
1849 box;
1850 c | c
1851 l | l .
1852 ATTRIBUTE TYPE ATTRIBUTE VALUE
1853 _
1854 Interface Stability See below.
1855 .TE
1856
1857 .sp
1858 .LP
1859 All of the keywords are Committed, except for the \fBPKINIT\fR keywords, which
1860 are Volatile.
1861 .SH SEE ALSO
1862 .LP
1863 \fBkinit\fR(1), \fBrcp\fR(1), \fBrdist\fR(1), \fBrlogin\fR(1), \fBrsh\fR(1),
1864 \fBtelnet\fR(1), \fBsyslog\fR(3C), \fBattributes\fR(5), \fBkerberos\fR(5),
1865 \fBregex\fR(5)
1866 .SH NOTES
1867 .LP
1868 If the \fBkrb5.conf\fR file is not formatted properly, the \fBtelnet\fR command
1869 fails. However, the \fBdtlogin\fR and \fBlogin\fR commands still succeed, even
1870 if the \fBkrb5.conf\fR file is specified as required for the commands. If this
1871 occurs, the following error message is displayed:
1872 .sp
1873 .in +2
1874 .nf
1875 Error initializing krb5: Improper format of \fIitem\fR
1876 .fi
1877 .in -2
1878 .sp
1879
1880 .sp
1881 .LP
1882 To bypass any other problems that might occur, you should fix the file as soon
1883 as possible.
1884 .sp
1885 .LP
1886 The \fBmax_life\fR and \fBmax_renewable_life\fR options are obsolete and is
1887 removed in a future release of the Solaris operating system.