1 '\" te
2 .\" Copyright (c) 2009 Sun Microsystems, Inc. All Rights Reserved.
3 .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License.
4 .\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License.
5 .\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
6 .TH KRB5.CONF 4 "May 16, 2020"
7 .SH NAME
8 krb5.conf \- Kerberos configuration file
9 .SH SYNOPSIS
10 .nf
11 /etc/krb5/krb5.conf
12 .fi
13
14 .SH DESCRIPTION
15 The \fBkrb5.conf\fR file contains Kerberos configuration information, including
16 the locations of \fBKDC\fRs and administration daemons for the Kerberos realms
17 of interest, defaults for the current realm and for Kerberos applications, and
18 mappings of host names onto Kerberos realms. This file must reside on all
19 Kerberos clients.
20 .sp
21 .LP
22 The format of the \fBkrb5.conf\fR consists of sections headings in square
23 brackets. Each section can contain zero or more configuration variables (called
24 \fIrelations\fR), of the form:
25 .sp
26 .LP
27 \fIrelation\fR= \fIrelation-value\fR
28 .sp
29 .LP
30 or
31 .sp
32 .LP
33 \fIrelation-subsection\fR = {
34 .br
35 .in +2
36 \fIrelation\fR= \fIrelation-value\fR
37 .in -2
38 .br
39 .in +2
40 \fIrelation\fR= \fIrelation-value\fR
41 .in -2
42 .sp
43 .LP
44 }
45 .sp
46 .LP
47 The \fBkrb5.conf\fR file can contain any or all of the following sections:
48 .sp
49 .ne 2
50 .na
51 \fB\fBlibdefaults\fR\fR
52 .ad
53 .sp .6
54 .RS 4n
55 Contains default values used by the Kerberos V5 library.
56 .RE
57
58 .sp
59 .ne 2
60 .na
61 \fB\fBappdefaults\fR\fR
62 .ad
63 .sp .6
64 .RS 4n
65 Contains subsections for Kerberos V5 applications, where
66 \fIrelation-subsection\fR is the name of an application. Each subsection
67 describes application-specific defaults.
68 .RE
69
70 .sp
71 .ne 2
72 .na
73 \fB\fBrealms\fR\fR
74 .ad
75 .sp .6
76 .RS 4n
77 Contains subsections for Kerberos realms, where \fIrelation-subsection\fR is
78 the name of a realm. Each subsection contains relations that define the
79 properties for that particular realm.
80 .RE
81
82 .sp
83 .ne 2
84 .na
85 \fB\fBdomain_realm\fR\fR
86 .ad
87 .sp .6
88 .RS 4n
89 Contains relations which map domain names and subdomains onto Kerberos realm
90 names. This is used by programs to determine what realm a host should be in,
91 given its fully qualified domain name.
92 .RE
93
94 .sp
95 .ne 2
96 .na
97 \fB\fBlogging\fR\fR
98 .ad
99 .sp .6
100 .RS 4n
101 Contains relations which determine how Kerberos programs are to perform
102 logging.
103 .RE
104
105 .sp
106 .ne 2
107 .na
108 \fB\fBcapaths\fR\fR
109 .ad
110 .sp .6
111 .RS 4n
112 Contains the authentication paths used with direct (nonhierarchical)
113 cross-realm authentication. Entries in this section are used by the client to
114 determine the intermediate realms which can be used in cross-realm
115 authentication. It is also used by the end-service when checking the transited
116 field for trusted intermediate realms.
117 .RE
118
119 .sp
120 .ne 2
121 .na
122 \fB\fBdbmodules\fR\fR
123 .ad
124 .sp .6
125 .RS 4n
126 Contains relations for Kerberos database plug-in-specific configuration
127 information.
128 .RE
129
130 .sp
131 .ne 2
132 .na
133 \fB\fBkdc\fR\fR
134 .ad
135 .sp .6
136 .RS 4n
137 For a Key Distribution Center (\fBKDC\fR), can contain the location of the
138 \fBkdc.conf\fR file.
139 .RE
140
141 .SS "The \fB[libdefaults]\fR Section"
142 The \fB[libdefaults]\fR section can contain any of the following relations:
143 .sp
144 .ne 2
145 .na
146 \fB\fBdatabase_module\fR\fR
147 .ad
148 .sp .6
149 .RS 4n
150 Selects the \fBdbmodule\fR section entry to use to access the Kerberos
151 database. If this parameter is not present the code uses the standard
152 \fBdb2\fR-based Kerberos database.
153 .RE
154
155 .sp
156 .ne 2
157 .na
158 \fB\fBdefault_keytab_name\fR\fR
159 .ad
160 .sp .6
161 .RS 4n
162 Specifies the default keytab name to be used by application servers such as
163 \fBtelnetd\fR and \fBrlogind\fR. The default is \fB/etc/krb5/krb5.keytab\fR.
164 .RE
165
166 .sp
167 .ne 2
168 .na
169 \fB\fBdefault_realm\fR\fR
170 .ad
171 .sp .6
172 .RS 4n
173 Identifies the default Kerberos realm for the client. Set its value to your
174 Kerberos realm.
175 .RE
176
177 .sp
178 .ne 2
179 .na
180 \fB\fBdefault_tgs_enctypes\fR\fR
181 .ad
182 .sp .6
183 .RS 4n
184 Identifies the supported list of session key encryption types that should be
185 returned by the \fBKDC\fR. The list can be delimited with commas or whitespace.
186 The supported encryption types are \fBdes3-cbc-sha1-kd\fR, \fBdes-cbc-crc\fR,
187 \fBdes-cbc-md5\fR, \fBarcfour-hmac-md5\fR, \fBarcfour-hmac-md5-exp\fR,
188 \fBaes128-cts-hmac-sha1-96\fR, and \fBaes256-cts-hmac-sha1-96\fR.
189 .RE
190
191 .sp
192 .ne 2
193 .na
194 \fB\fBdefault_tkt_enctypes\fR\fR
195 .ad
196 .sp .6
197 .RS 4n
198 Identifies the supported list of session key encryption types that should be
199 requested by the client. The format is the same as for
200 \fBdefault_tgs_enctypes\fR. The supported encryption types are
201 \fBdes3-cbc-sha1-kd\fR, \fBdes-cbc-crc\fR, \fBdes-cbc-md5\fR,
202 \fBarcfour-hmac-md5\fR, \fBarcfour-hmac-md5-exp\fR,
203 \fBaes128-cts-hmac-sha1-96\fR, and \fBaes256-cts-hmac-sha1-96\fR.
204 .RE
205
206 .sp
207 .ne 2
208 .na
209 \fB\fBclockskew\fR\fR
210 .ad
211 .sp .6
212 .RS 4n
213 Sets the maximum allowable amount of clock skew in seconds that the library
214 tolerates before assuming that a Kerberos message is invalid. The default value
215 is 300 seconds, or five minutes.
216 .RE
217
218 .sp
219 .ne 2
220 .na
221 \fB\fBforwardable =\fR [\fBtrue\fR | \fBfalse\fR]\fR
222 .ad
223 .sp .6
224 .RS 4n
225 Sets the "\fBforwardable\fR" flag in all tickets. This allows users to transfer
226 their credentials from one host to another without reauthenticating. This
227 option can also be set in the \fB[appdefaults]\fR or \fB[realms]\fR section
228 (see below) to limit its use in particular applications or just to a specific
229 realm.
230 .RE
231
232 .sp
233 .ne 2
234 .na
235 \fB\fBpermitted_enctypes\fR\fR
236 .ad
237 .sp .6
238 .RS 4n
239 This relation controls the encryption types for session keys permitted by
240 server applications that use Kerberos for authentication. In addition, it
241 controls the encryption types of keys added to a \fBkeytab\fR by means of the
242 \fBkadmin\fR(1M) \fBktadd\fR command. The default is:
243 \fBaes256-cts-hmac-sha1-96\fR, \fBaes128-cts-hmac-sha1-96\fR,
244 \fBdes3-hmac-sha1-kd\fR, \fBarcfour-hmac-md5\fR, \fBarcfour-hmac-md5-exp\fR,
245 \fBdes-cbc-md5\fR, \fBdes-cbc-crc\fR.
246 .RE
247
248 .sp
249 .ne 2
250 .na
251 \fB\fBproxiable =\fR [\fBtrue\fR | \fBfalse\fR]\fR
252 .ad
253 .sp .6
254 .RS 4n
255 Sets the \fBproxiable\fR flag in all tickets. This allows users to create a
256 proxy ticket that can be transferred to a kerberized service to allow that
257 service to perform some function on behalf of the original user. This option
258 can also be set in the \fB[appdefaults]\fR or \fB[realms]\fR section (see
259 below) to limit its use in particular applications or just to a specific realm.
260 .RE
261
262 .sp
263 .ne 2
264 .na
265 \fB\fBrenew_lifetime =\fR\fIlifetime\fR\fR
266 .ad
267 .sp .6
268 .RS 4n
269 Requests renewable tickets, with a total lifetime of \fIlifetime\fR. The value
270 for \fIlifetime\fR must be followed immediately by one of the following
271 delimiters:
272 .sp
273 .ne 2
274 .na
275 \fB\fBs\fR\fR
276 .ad
277 .sp .6
278 .RS 4n
279 seconds
280 .RE
281
282 .sp
283 .ne 2
284 .na
285 \fB\fBm\fR\fR
286 .ad
287 .sp .6
288 .RS 4n
289 minutes
290 .RE
291
292 .sp
293 .ne 2
294 .na
295 \fB\fBh\fR\fR
296 .ad
297 .sp .6
298 .RS 4n
299 hours
300 .RE
301
302 .sp
303 .ne 2
304 .na
305 \fB\fBd\fR\fR
306 .ad
307 .sp .6
308 .RS 4n
309 days
310 .RE
311
312 Example:
313 .sp
314 .in +2
315 .nf
316 \fBrenew_lifetime = 90m\fR
317 .fi
318 .in -2
319 .sp
320
321 Do not mix units. A value of "\fB3h30m\fR" results in an error.
322 .RE
323
324 .sp
325 .ne 2
326 .na
327 \fB\fBmax_lifetime =\fR\fIlifetime\fR\fR
328 .ad
329 .sp .6
330 .RS 4n
331 Sets the requested maximum lifetime of the ticket. The values for
332 \fIlifetime\fR follow the format described for the \fBrenew_lifetime\fR option,
333 above.
334 .RE
335
336 .sp
337 .ne 2
338 .na
339 \fB\fBdns_lookup_kdc\fR\fR
340 .ad
341 .sp .6
342 .RS 4n
343 Indicates whether DNS SRV records need to be used to locate the KDCs and the
344 other servers for a realm, if they have not already been listed in the
345 \fB[realms]\fR section. This option makes the machine vulnerable to a certain
346 type of DoS attack if someone spoofs the DNS records and does a redirect to
347 another server. This is, however, no worse than a DoS, since the bogus KDC is
348 unable to decode anything sent (excepting the initial ticket request, which has
349 no encrypted data). Also, anything the fake KDC sends out isl not trusted
350 without verification (the local machine is unaware of the secret key to be
351 used). If \fBdns_lookup_kdc\fR is not specified but \fBdns_fallback\fR is, then
352 that value is used instead. In either case, values (if present) in the
353 \fB[realms]\fR section override DNS. \fBdns_lookup_kdc\fR is enabled by
354 default.
355 .RE
356
357 .sp
358 .ne 2
359 .na
360 \fB\fBdns_lookup_realm\fR\fR
361 .ad
362 .sp .6
363 .RS 4n
364 Indicates whether DNS TXT records need to be used to determine the Kerberos
365 realm information and/or the host/domain name-to-realm mapping of a host, if
366 this information is not already present in the \fBkrb5.conf\fR file. Enabling
367 this option might make the host vulnerable to a redirection attack, wherein
368 spoofed DNS replies persuade a client to authenticate to the wrong realm. In a
369 realm with no cross-realm trusts, this a DoS attack. If \fBdns_lookup_realm\fR
370 is not specified but \fBdns_fallback\fR is, then that value is used instead. In
371 either case, values (if present) in the \fB[libdefaults]\fR and
372 \fB[domain_realm]\fR sections override DNS.
373 .RE
374
375 .sp
376 .ne 2
377 .na
378 \fB\fBdns_fallback\fR\fR
379 .ad
380 .sp .6
381 .RS 4n
382 Generic flag controlling the use of DNS for retrieval of information about
383 Kerberos servers and host/domain name-to-realm mapping. If both
384 \fBdns_lookup_kdc\fR and \fBdns_lookup_realm\fR have been specified, this
385 option has no effect.
386 .RE
387
388 .sp
389 .ne 2
390 .na
391 \fB\fBverify_ap_req_nofail [true | false]\fR\fR
392 .ad
393 .sp .6
394 .RS 4n
395 If \fBtrue\fR, the local keytab file (\fB/etc/krb5/krb5.keytab\fR) must contain
396 an entry for the local \fBhost\fR principal, for example,
397 \fBhost/foo.bar.com@FOO.COM\fR. This entry is needed to verify that the
398 \fBTGT\fR requested was issued by the same \fBKDC\fR that issued the key for
399 the host principal. If undefined, the behavior is as if this option were set to
400 \fBtrue\fR. Setting this value to \fBfalse\fR leaves the system vulnerable to
401 \fBDNS\fR spoofing attacks. This parameter can be in the \fB[realms]\fR section
402 to set it on a per-realm basis, or it can be in the \fB[libdefaults]\fR section
403 to make it a network-wide setting for all realms.
404 .RE
405
406 .SS "The \fB[appdefaults]\fR Section"
407 This section contains subsections for Kerberos V5 applications, where
408 \fIrelation-subsection\fR is the name of an application. Each subsection
409 contains relations that define the default behaviors for that application.
410 .sp
411 .LP
412 The following relations can be found in the \fB[appdefaults]\fR section, though
413 not all relations are recognized by all kerberized applications. Some are
414 specific to particular applications.
415 .sp
416 .ne 2
417 .na
418 \fB\fBautologin =\fR [\fBtrue\fR | \fBfalse\fR]\fR
419 .ad
420 .sp .6
421 .RS 4n
422 Forces the application to attempt automatic login by presenting Kerberos
423 credentials. This is valid for the following applications: \fBrlogin\fR,
424 \fBrsh\fR, \fBrcp\fR, \fBrdist\fR, and \fBtelnet\fR.
425 .RE
426
427 .sp
428 .ne 2
429 .na
430 \fB\fBencrypt =\fR [\fBtrue\fR | \fBfalse\fR]\fR
431 .ad
432 .sp .6
433 .RS 4n
434 Forces applications to use encryption by default (after authentication) to
435 protect the privacy of the sessions. This is valid for the following
436 applications: \fBrlogin\fR, \fBrsh\fR, \fBrcp\fR, \fBrdist\fR, and
437 \fBtelnet\fR.
438 .RE
439
440 .sp
441 .ne 2
442 .na
443 \fB\fBforward =\fR [\fBtrue\fR | \fBfalse\fR]\fR
444 .ad
445 .sp .6
446 .RS 4n
447 Forces applications to forward the user'ss credentials (after authentication)
448 to the remote server. This is valid for the following applications:
449 \fBrlogin\fR, \fBrsh\fR, \fBrcp\fR, \fBrdist\fR, and \fBtelnet\fR.
450 .RE
451
452 .sp
453 .ne 2
454 .na
455 \fB\fBforwardable =\fR [\fBtrue\fR | \fBfalse\fR]\fR
456 .ad
457 .sp .6
458 .RS 4n
459 See the description in the \fB[libdefaults]\fR section above. This is used by
460 any application that creates a ticket granting ticket and also by applications
461 that can forward tickets to a remote server.
462 .RE
463
464 .sp
465 .ne 2
466 .na
467 \fB\fBproxiable =\fR [\fBtrue\fR | \fBfalse\fR]\fR
468 .ad
469 .sp .6
470 .RS 4n
471 See the description in the \fB[libdefaults]\fR section above. This is used by
472 any application that creates a ticket granting ticket.
473 .RE
474
475 .sp
476 .ne 2
477 .na
478 \fB\fBrenewable =\fR [\fBtrue\fR | \fBfalse\fR]\fR
479 .ad
480 .sp .6
481 .RS 4n
482 Creates a TGT that can be renewed (prior to the ticket expiration time). This
483 is used by any application that creates a ticket granting ticket.
484 .RE
485
486 .sp
487 .ne 2
488 .na
489 \fB\fBno_addresses =\fR [\fBtrue\fR | \fBfalse\fR]\fR
490 .ad
491 .sp .6
492 .RS 4n
493 Creates tickets with no address bindings. This is to allow tickets to be used
494 across a \fBNAT\fR boundary or when using multi-homed systems. This option is
495 valid in the \fBkinit\fR \fB[appdefault]\fR section only.
496 .RE
497
498 .sp
499 .ne 2
500 .na
501 \fB\fBmax_life =\fR\fIlifetime\fR\fR
502 .ad
503 .sp .6
504 .RS 4n
505 Sets the maximum lifetime of the ticket, with a total lifetime of
506 \fIlifetime\fR. The values for \fIlifetime\fR follow the format described in
507 the \fB[libdefaults]\fR section above. This option is obsolete and is removed
508 in a future release of the Solaris operating system.
509 .RE
510
511 .sp
512 .ne 2
513 .na
514 \fB\fBmax_renewable_life =\fR\fIlifetime\fR\fR
515 .ad
516 .sp .6
517 .RS 4n
518 Requests renewable tickets, with a total lifetime of \fIlifetime\fR. The values
519 for \fIlifetime\fR follow the format described in the \fB[libdefaults]\fR
520 section above. This option is obsolete and is removed in a future release of
521 the Solaris operating system.
522 .RE
523
524 .sp
525 .ne 2
526 .na
527 \fB\fBrcmd_protocol =\fR [ \fBrcmdv1\fR | \fBrcmdv2\fR ]\fR
528 .ad
529 .sp .6
530 .RS 4n
531 Specifies which Kerberized "\fBrcmd\fR" protocol to use when using the
532 Kerberized \fBrlogin\fR(1), \fBrsh\fR(1), \fBrcp\fR(1), or \fBrdist\fR(1)
533 programs. The default is to use \fBrcmdv2\fR by default, as this is the more
534 secure and more recent update of the protocol. However, when talking to older
535 \fBMIT\fR or \fBSEAM\fR-based "\fBrcmd\fR" servers, it can be necessary to
536 force the new clients to use the older \fBrcmdv1\fR protocol. This option is
537 valid only for the following applications: \fBrlogin\fR, \fBrcp\fR, \fBrsh\fR,
538 and \fBrdist\fR.
539 .RE
540
541 .sp
542 .LP
543 The following application defaults can be set to \fBtrue\fR or \fBfalse\fR:
544 .sp
545 .in +2
546 .nf
547 kinit
548 forwardable = true
549 proxiable = true
550 renewable = true
551 no_addresses = true
552 max_life = \fIdelta_time\fR
553 max_renewable_life = \fIdelta_time\fR
554 .fi
555 .in -2
556 .sp
557
558 .sp
559 .LP
560 See \fBkinit\fR(1) for the valid time duration formats you can specify for
561 \fIdelta_time\fR.
562 .sp
563 .LP
564 In the following example, \fBkinit\fR gets forwardable tickets by default and
565 \fBtelnet\fR has three default behaviors specified:
566 .sp
567 .in +2
568 .nf
569 [appdefaults]
570 kinit = {
571 forwardable = true
572 }
573
574 telnet = {
575 forward = true
576 encrypt = true
577 autologin = true
578 }
579 .fi
580 .in -2
581 .sp
582
583 .sp
584 .LP
585 The application defaults specified here are overridden by those specified in
586 the \fB[realms]\fR section.
587 .SS "The \fB[realms]\fR Section"
588 This section contains subsections for Kerberos realms, where
589 \fIrelation-subsection\fR is the name of a realm. Each subsection contains
590 relations that define the properties for that particular realm. The following
591 relations can be specified in each \fB[realms]\fR subsection:
592 .sp
593 .ne 2
594 .na
595 \fB\fBadmin_server\fR\fR
596 .ad
597 .sp .6
598 .RS 4n
599 Identifies the host where the Kerberos administration daemon (\fBkadmind\fR) is
600 running. Typically, this is the master \fBKDC\fR.
601 .RE
602
603 .sp
604 .ne 2
605 .na
606 \fB\fIapplication defaults\fR\fR
607 .ad
608 .sp .6
609 .RS 4n
610 Application defaults that are specific to a particular realm can be specified
611 within a \fB[realms]\fR subsection. Realm-specific application defaults
612 override the global defaults specified in the \fB[appdefaults]\fR section.
613 .RE
614
615 .sp
616 .ne 2
617 .na
618 \fB\fBauth_to_local_realm\fR\fR
619 .ad
620 .sp .6
621 .RS 4n
622 For use in the default realm, non-default realms can be equated with the
623 default realm for authenticated name-to-local name mapping.
624 .RE
625
626 .sp
627 .ne 2
628 .na
629 \fB\fBauth_to_local_names\fR\fR
630 .ad
631 .sp .6
632 .RS 4n
633 This subsection allows you to set explicit mappings from principal names to
634 local user names. The tag is the mapping name and the value is the
635 corresponding local user name.
636 .RE
637
638 .sp
639 .ne 2
640 .na
641 \fB\fBauth_to_local\fR\fR
642 .ad
643 .sp .6
644 .RS 4n
645 This tag allows you to set a general rule for mapping principal names to local
646 user names. It is used if there is not an explicit mapping for the principal
647 name that is being translated. The possible values are:
648 .sp
649 .in +2
650 .nf
651 RULE:[<ncomps>:<format>](<regex>)s/<regex>/<text>/
652 .fi
653 .in -2
654
655 Each rule has three parts:
656 .sp
657 .ne 2
658 .na
659 \fBFirst part\(emFormulate the string on which to perform operations:\fR
660 .ad
661 .sp .6
662 .RS 4n
663 If not present then the string defaults to the fully flattened principal minus
664 the realm name. Otherwise the syntax is as follows:
665 .sp
666 .in +2
667 .nf
668 "[" \fI<ncomps>\fR ":" \fI<format>\fR "]"
669 .fi
670 .in -2
671
672 Where:
673 .sp
674 \fI<ncomps>\fR is the number of expected components for this rule. If the
675 particular principal does not have this number of components, then this rule
676 does not apply.
677 .sp
678 \fI<format>\fR is a string of \fI<component>\fR or verbatim characters to be
679 inserted.
680 .sp
681 \fI<component>\fR is of the form "\fB$\fR"\fI<number>\fR to select the
682 \fI<number>\fRth component. \fI<number>\fR begins from 1.
683 .RE
684
685 .sp
686 .ne 2
687 .na
688 \fBSecond part\(emselect rule validity:\fR
689 .ad
690 .sp .6
691 .RS 4n
692 If not present, this rule can apply to all selections. Otherwise the syntax is
693 as follows:
694 .sp
695 .in +2
696 .nf
697 "(" \fI<regex>\fR ")"
698 .fi
699 .in -2
700
701 Where:
702 .sp
703 \fI<regex>\fR is a selector regular expression. If this regular expression
704 matches the whole pattern generated from the first part, then this rule still
705 applies.
706 .RE
707
708 .sp
709 .ne 2
710 .na
711 \fBThird part\(emTransform rule:\fR
712 .ad
713 .sp .6
714 .RS 4n
715 If not present, then the selection string is passed verbatim and is matched.
716 Otherwise, the syntax is as follows:
717 .sp
718 .in +2
719 .nf
720 \fI<rule>\fR ...
721 .fi
722 .in -2
723
724 Where:
725 .sp
726 \fI<rule>\fR is of the form:
727 .sp
728 .in +2
729 .nf
730 "s/" <regex> "/" <text> "/" ["g"]
731 .fi
732 .in -2
733
734 Regular expressions are defined in \fBregex\fR(5).
735 .sp
736 For example:
737 .sp
738 auth_to_local = RULE:[1:$1@$0](.*@.*ACME\.COM)s/@.*//
739 .sp
740 The preceding maps \fB\fIusername\fR@ACME.COM\fR and all sub-realms of
741 \fBACME.COM\fR to \fIusername\fR.
742 .RE
743
744 .sp
745 .ne 2
746 .na
747 \fBDEFAULT\fR
748 .ad
749 .sp .6
750 .RS 4n
751 The principal name is used as the local name. If the principal has more than
752 one component or is not in the default realm, this rule is not applicable and
753 the conversion fails.
754 .RE
755
756 .RE
757
758 .sp
759 .ne 2
760 .na
761 \fB\fBdatabase_module\fR\fR
762 .ad
763 .sp .6
764 .RS 4n
765 Selects the \fBdbmodule\fR section entry to use to access the Kerberos
766 database.
767 .RE
768
769 .sp
770 .ne 2
771 .na
772 \fB\fBextra_addresses\fR...\fR
773 .ad
774 .sp .6
775 .RS 4n
776 This allows a computer to use multiple local addresses, to allow Kerberos to
777 work in a network that uses NATs. The addresses should be in a comma-separated
778 list.
779 .RE
780
781 .sp
782 .ne 2
783 .na
784 \fB\fBkdc\fR\fR
785 .ad
786 .sp .6
787 .RS 4n
788 The name of a host running a \fBKDC\fR for that realm. An optional port number
789 (separated from the hostname by a colon) can be included.
790 .RE
791
792 .sp
793 .ne 2
794 .na
795 \fB\fBkpasswd_server\fR\fR
796 .ad
797 .sp .6
798 .RS 4n
799 Identifies the host where the Kerberos password-changing server is running.
800 Typically, this is the same as host indicated in the \fBadmin_server\fR. If
801 this parameter is omitted, the host in \fBadmin_server\fR is used. You can also
802 specify a port number if the server indicated by \fBkpasswd_server\fR runs on a
803 port other than 464 (the default). The format of this parameter is:
804 \fIhostname\fR[:\fIport\fR].
805 .RE
806
807 .sp
808 .ne 2
809 .na
810 \fB\fBkpasswd_protocol\fR\fR
811 .ad
812 .sp .6
813 .RS 4n
814 Identifies the protocol to be used when communicating with the server indicated
815 by \fBkpasswd_server\fR. By default, this parameter is defined to be
816 \fBRPCSEC_GSS\fR, which is the protocol used by Solaris-based administration
817 servers. To be able to change a principal's password stored on non-Solaris
818 Kerberos server, such as Microsoft Active Directory or \fBMIT\fR Kerberos, this
819 value should be \fBSET_CHANGE\fR. This indicates that a non-RPC- based protocol
820 is used to communicate the password change request to the server in the
821 \fBkpasswd_server\fR entry.
822 .RE
823
824 .sp
825 .ne 2
826 .na
827 \fB\fBudp_preference_limit\fR\fR
828 .ad
829 .sp .6
830 .RS 4n
831 When sending a message to the KDC, the library tries using TCP before UDP if
832 the size of the message is above \fBudp_preference_limit\fR. If the message is
833 smaller than \fBudp_preference_limit\fR, then UDP is tried before TCP.
834 Regardless of the size, both protocols are tried if the first attempt fails.
835 .RE
836
837 .sp
838 .ne 2
839 .na
840 \fB\fBverify_ap_req_nofail\fR [\fBtrue\fR | \fBfalse\fR]\fR
841 .ad
842 .sp .6
843 .RS 4n
844 If \fBtrue\fR, the local keytab file (\fB/etc/krb5/krb5.keytab\fR) must contain
845 an entry for the local \fBhost\fR principal, for example,
846 \fBhost/foo.bar.com@FOO.COM\fR. This entry is needed to verify that the
847 \fBTGT\fR requested was issued by the same \fBKDC\fR that issued the key for
848 the host principal. If undefined, the behavior is as if this option were set to
849 \fBtrue\fR. Setting this value to \fBfalse\fR leaves the system vulnerable to
850 \fBDNS\fR spoofing attacks. This parameter might be in the \fB[realms]\fR
851 section to set it on a per-realm basis, or it might be in the
852 \fB[libdefaults]\fR section to make it a network-wide setting for all realms.
853 .RE
854
855 .sp
856 .LP
857 The parameters "\fBforwardable\fR", "\fBproxiable\fR", and
858 "\fBrenew_lifetime\fR" as described in the \fB[libdefaults]\fR section (see
859 above) are also valid in the \fB[realms]\fR section.
860 .sp
861 .LP
862 Notice that \fBkpasswd_server\fR and \fBkpasswd_protocol\fR are realm-specific
863 parameters. Most often, you need to specify them only when using a
864 non-Solaris-based Kerberos server. Otherwise, the change request is sent over
865 \fBRPCSEC_GSS\fR to the Solaris Kerberos administration server.
866 .SS "The \fB[domain_realm]\fR Section"
867 This section provides a translation from a domain name or hostname to a
868 Kerberos realm name. The \fIrelation\fR can be a host name, or a domain name,
869 where domain names are indicated by a period (`\fB\&.\fR') prefix.
870 \fIrelation-value\fR is the Kerberos realm name for that particular host or
871 domain. Host names and domain names should be in lower case.
872 .sp
873 .LP
874 If no translation entry applies, the host's realm is considered to be the
875 hostname's domain portion converted to upper case. For example, the following
876 \fB[domain_realm]\fR section maps \fBcrash.mit.edu\fR into the
877 \fBTEST.ATHENA.MIT.EDU\fR realm:
878 .sp
879 .in +2
880 .nf
881 [domain_realm]
882 .mit.edu = ATHENA.MIT.EDU
883 mit.edu = ATHENA.MIT.EDU
884 crash.mit.edu = TEST.ATHENA.MIT.EDU
885 .fubar.org = FUBAR.ORG
886 fubar.org = FUBAR.ORG
887 .fi
888 .in -2
889 .sp
890
891 .sp
892 .LP
893 All other hosts in the \fBmit.edu\fR domain maps by default to the
894 \fBATHENA.MIT.EDU\fR realm, and all hosts in the \fBfubar.org\fR domain maps by
895 default into the \fBFUBAR.ORG\fR realm. The entries for the hosts \fBmit.edu\fR
896 and \fBfubar.org\fR. Without these entries, these hosts would be mapped into
897 the Kerberos realms \fBEDU\fR and \fBORG\fR, respectively.
898 .SS "The \fB[logging]\fR Section"
899 This section indicates how Kerberos programs are to perform logging. There are
900 two types of relations for this section: relations to specify how to log and a
901 relation to specify how to rotate \fBkdc\fR log files.
902 .sp
903 .LP
904 The following relations can be defined to specify how to log. The same relation
905 can be repeated if you want to assign it multiple logging methods.
906 .sp
907 .ne 2
908 .na
909 \fB\fBadmin_server\fR\fR
910 .ad
911 .sp .6
912 .RS 4n
913 Specifies how to log the Kerberos administration daemon (\fBkadmind\fR). The
914 default is \fBFILE:/var/krb5/kadmin.log.\fR
915 .RE
916
917 .sp
918 .ne 2
919 .na
920 \fB\fBdefault\fR\fR
921 .ad
922 .sp .6
923 .RS 4n
924 Specifies how to perform logging in the absence of explicit specifications
925 otherwise.
926 .RE
927
928 .sp
929 .ne 2
930 .na
931 \fB\fBkdc\fR\fR
932 .ad
933 .sp .6
934 .RS 4n
935 Specifies how the \fBKDC\fR is to perform its logging. The default is
936 \fBFILE:/var/krb5/kdc.log\fR.
937 .RE
938
939 .sp
940 .LP
941 The \fBadmin_server\fR, \fBdefault\fR, and \fBkdc\fR relations can have the
942 following values:
943 .sp
944 .ne 2
945 .na
946 \fB\fBFILE:\fR\fIfilename\fR\fR
947 .ad
948 .br
949 .na
950 \fB\fBFILE=\fR\fIfilename\fR\fR
951 .ad
952 .sp .6
953 .RS 4n
954 This value causes the entity's logging messages to go to the specified file. If
955 the `=' form is used, the file is overwritten. If the `:' form is used, the
956 file is appended to.
957 .RE
958
959 .sp
960 .ne 2
961 .na
962 \fB\fBSTDERR\fR\fR
963 .ad
964 .sp .6
965 .RS 4n
966 This value causes the entity's logging messages to go to its standard error
967 stream.
968 .RE
969
970 .sp
971 .ne 2
972 .na
973 \fB\fBCONSOLE\fR\fR
974 .ad
975 .sp .6
976 .RS 4n
977 This value causes the entity's logging messages to go to the console, if the
978 system supports it.
979 .RE
980
981 .sp
982 .ne 2
983 .na
984 \fB\fBDEVICE=\fR\fIdevicename\fR\fR
985 .ad
986 .sp .6
987 .RS 4n
988 This causes the entity's logging messages to go to the specified device.
989 .RE
990
991 .sp
992 .ne 2
993 .na
994 \fB\fBSYSLOG[:\fR\fIseverity\fR\fB[:\fR\fIfacility\fR\fB]]\fR\fR
995 .ad
996 .sp .6
997 .RS 4n
998 This causes the entity's logging messages to go to the system log.
999 .RE
1000
1001 .sp
1002 .LP
1003 The \fIseverity\fR argument specifies the default severity of system log
1004 messages. This can be any of the following severities supported by the
1005 \fBsyslog\fR(3C) call, minus the \fBLOG_\fR prefix: \fBLOG_EMERG\fR,
1006 \fBLOG_ALERT\fR, \fBLOG_CRIT\fR, \fBLOG_ERR\fR, \fBLOG_WARNING\fR,
1007 \fBLOG_NOTICE\fR, \fBLOG_INFO\fR, and \fBLOG_DEBUG\fR. For example, a value of
1008 \fBCRIT\fR would specify \fBLOG_CRIT\fR severity.
1009 .sp
1010 .LP
1011 The \fIfacility\fR argument specifies the facility under which the messages are
1012 logged. This can be any of the following facilities supported by the
1013 \fBsyslog\fR(3C) call minus the \fBLOG_\fR prefix: \fBLOG_KERN\fR,
1014 \fBLOG_USER\fR, \fBLOG_MAIL\fR, \fBLOG_DAEMON\fR, \fBLOG_AUTH\fR,
1015 \fBLOG_LPR\fR, \fBLOG_NEWS\fR, \fBLOG_UUCP\fR, \fBLOG_CRON\fR, and
1016 \fBLOG_LOCAL0\fR through \fBLOG_LOCAL7\fR.
1017 .sp
1018 .LP
1019 If no severity is specified, the default is \fBERR\fR. If no facility is
1020 specified, the default is \fBAUTH\fR.
1021 .sp
1022 .LP
1023 The following relation can be defined to specify how to rotate \fBkdc\fR log
1024 files if the \fBFILE:\fR value is being used to log:
1025 .sp
1026 .ne 2
1027 .na
1028 \fB\fBkdc_rotate\fR\fR
1029 .ad
1030 .sp .6
1031 .RS 4n
1032 A relation subsection that enables \fBkdc\fR logging to be rotated to multiple
1033 files based on a time interval. This can be used to avoid logging to one file,
1034 which might grow too large and bring the \fBKDC\fR to a halt.
1035 .RE
1036
1037 .sp
1038 .LP
1039 The time interval for the rotation is specified by the \fBperiod\fR relation.
1040 The number of log files to be rotated is specified by the \fBversions\fR
1041 relation. Both the \fBperiod\fR and \fBversions\fR (described below) should be
1042 included in this subsection. And, this subsection applies only if the \fBkdc\fR
1043 relation has a \fBFILE:\fR value.
1044 .sp
1045 .LP
1046 The following relations can be specified for the \fBkdc_rotate\fR relation
1047 subsection:
1048 .sp
1049 .ne 2
1050 .na
1051 \fB\fB\fR\fBperiod=\fIdelta_time\fR\fR\fR
1052 .ad
1053 .sp .6
1054 .RS 4n
1055 Specifies the time interval before a new log file is created. See the
1056 \fBTime\fR\fBFormats\fR section in \fBkinit\fR(1) for the valid time duration
1057 formats you can specify for \fIdelta_time\fR. If \fBperiod\fR is not specified
1058 or set to \fBnever\fR, no rotation occurs.
1059 .RE
1060
1061 .sp
1062 .LP
1063 Specifying a time interval does not mean that the log files are rotated at the
1064 time interval based on real time. This is because the time interval is checked
1065 at each attempt to write a record to the log, or when logging is actually
1066 occurring. Therefore, rotation occurs only when logging has actually occurred
1067 for the specified time interval.
1068 .sp
1069 .ne 2
1070 .na
1071 \fB\fBversions=\fR\fInumber\fR\fR
1072 .ad
1073 .sp .6
1074 .RS 4n
1075 Specifies how many previous versions are saved before the rotation begins. A
1076 number is appended to the log file, starting with 0 and ending with
1077 (\fInumber\fR - 1). For example, if \fBversions\fR is set to \fB2\fR, up to
1078 three logging files are created (\fIfilename\fR, \fIfilename\fR.0, and
1079 \fIfilename\fR.1) before the first one is overwritten to begin the rotation.
1080 .RE
1081
1082 .sp
1083 .LP
1084 Notice that if \fBversions\fR is not specified or set to \fB0\fR, only one log
1085 file is created, but it is overwritten whenever the time interval is met.
1086 .sp
1087 .LP
1088 In the following example, the logging messages from the Kerberos administration
1089 daemon goes to the console. The logging messages from the \fBKDC\fR is appended
1090 to the \fB/var/krb5/kdc.log\fR, which is rotated between twenty-one log files
1091 with a specified time interval of a day.
1092 .sp
1093 .in +2
1094 .nf
1095 [logging]
1096 admin_server = CONSOLE
1097 kdc = FILE:/export/logging/kadmin.log
1098 kdc_rotate = {
1099 period = 1d
1100 versions = 20
1101 }
1102 .fi
1103 .in -2
1104 .sp
1105
1106 .SS "The \fB[capaths]\fR Section"
1107 In order to perform direct (non-hierarchical) cross-realm authentication, a
1108 database is needed to construct the authentication paths between the realms.
1109 This section defines that database.
1110 .sp
1111 .LP
1112 A client uses this section to find the authentication path between its realm
1113 and the realm of the server. The server uses this section to verify the
1114 authentication path used by the client, by checking the transited field of the
1115 received ticket.
1116 .sp
1117 .LP
1118 There is a subsection for each participating realm, and each subsection has
1119 relations named for each of the realms. The \fIrelation-value\fR is an
1120 intermediate realm which can participate in the cross-realm authentication. The
1121 relations can be repeated if there is more than one intermediate realm. A value
1122 of '.' means that the two realms share keys directly, and no intermediate
1123 realms should be allowed to participate.
1124 .sp
1125 .LP
1126 There are n**2 possible entries in this table, but only those entries which is
1127 needed on the client or the server need to be present. The client needs a
1128 subsection named for its local realm, with relations named for all the realms
1129 of servers it needs to authenticate with. A server needs a subsection named for
1130 each realm of the clients it serves.
1131 .sp
1132 .LP
1133 For example, \fBANL.GOV\fR, \fBPNL.GOV\fR, and \fBNERSC.GOV\fR all wish to use
1134 the \fBES.NET\fR realm as an intermediate realm. \fBANL\fR has a sub realm of
1135 \fBTEST.ANL.GOV\fR, which authenticates with \fBNERSC.GOV\fR but not
1136 \fBPNL.GOV\fR. The \fB[capath]\fR section for \fBANL.GOV\fR systems would look
1137 like this:
1138 .sp
1139 .in +2
1140 .nf
1141 [capaths]
1142 ANL.GOV = {
1143 TEST.ANL.GOV = .
1144 PNL.GOV = ES.NET
1145 NERSC.GOV = ES.NET
1146 ES.NET = .
1147 }
1148
1149 TEST.ANL.GOV = {
1150 ANL.GOV = .
1151 }
1152
1153 PNL.GOV = {
1154 ANL.GOV = ES.NET
1155 }
1156
1157 NERSC.GOV = {
1158 ANL.GOV = ES.NET
1159 }
1160
1161 ES.NET = {
1162 ANL.GOV = .
1163 }
1164 .fi
1165 .in -2
1166 .sp
1167
1168 .sp
1169 .LP
1170 The \fB[capath]\fR section of the configuration file used on \fBNERSC.GOV\fR
1171 systems would look like this:
1172 .sp
1173 .in +2
1174 .nf
1175 [capaths]
1176 NERSC.GOV = {
1177 ANL.GOV = ES.NET
1178 TEST.ANL.GOV = ES.NET
1179 TEST.ANL.GOV = ANL.GOV
1180 PNL.GOV = ES.NET
1181 ES.NET = .
1182 }
1183
1184 ANL.GOV = {
1185 NERSC.GOV = ES.NET
1186 }
1187
1188 PNL.GOV = {
1189 NERSC.GOV = ES.NET
1190 }
1191
1192 ES.NET = {
1193 NERSC.GOV = .
1194 }
1195
1196 TEST.ANL.GOV = {
1197 NERSC.GOV = ANL.GOV
1198 NERSC.GOV = ES.NET
1199 }
1200 .fi
1201 .in -2
1202 .sp
1203
1204 .sp
1205 .LP
1206 In the above examples, the ordering is not important, except when the same
1207 relation is used more than once. The client uses this to determine the path.
1208 (It is not important to the server, since the transited field is not sorted.)
1209 .SS "PKINIT-specific Options"
1210 The following are \fBpkinit-specific\fR options. These values can be specified
1211 in \fB[libdefaults]\fR as global defaults, or within a realm-specific
1212 subsection of \fB[libdefaults]\fR, or can be specified as realm-specific values
1213 in the \fB[realms]\fR section. A realm-specific value overrides, does not add
1214 to, a generic \fB[libdefaults]\fR specification.
1215 .sp
1216 .LP
1217 The search order is:
1218 .RS +4
1219 .TP
1220 1.
1221 realm-specific subsection of \fB[libdefaults]\fR
1222 .sp
1223 .in +2
1224 .nf
1225 [libdefaults]
1226 EXAMPLE.COM = {
1227 pkinit_anchors = FILE:/usr/local/example.com.crt
1228 .fi
1229 .in -2
1230
1231 .RE
1232 .RS +4
1233 .TP
1234 2.
1235 realm-specific value in the \fB[realms]\fR section
1236 .sp
1237 .in +2
1238 .nf
1239 [realms]
1240 OTHERREALM.ORG = {
1241 pkinit_anchors = FILE:/usr/local/otherrealm.org.crt
1242 .fi
1243 .in -2
1244
1245 .RE
1246 .RS +4
1247 .TP
1248 3.
1249 generic value in the \fB[libdefaults]\fR section
1250 .sp
1251 .in +2
1252 .nf
1253 [libdefaults]
1254 pkinit_anchors = DIR:/usr/local/generic_trusted_cas/
1255 .fi
1256 .in -2
1257
1258 .RE
1259 .sp
1260 .LP
1261 The syntax for specifying Public Key identity, trust, and revocation
1262 information for \fBpkinit\fR is as follows:
1263 .sp
1264 .ne 2
1265 .na
1266 \fB\fBpkinit_identities\fR \fB=\fR \fIURI\fR\fR
1267 .ad
1268 .sp .6
1269 .RS 4n
1270 Specifies the location(s) to be used to find the user's X.509 identity
1271 information. This option can be specified multiple times. Each value is
1272 attempted in order until identity information is found and authentication is
1273 attempted. These values are not used if the user specifies
1274 \fBX509_user_identity\fR on the command line.
1275 .sp
1276 Valid \fIURI\fR types are \fBFILE\fR, \fBDIR\fR, \fBPKCS11\fR, \fBPKCS12\fR,
1277 and \fBENV\fR. See the \fBPKINIT URI Types\fR section for more details.
1278 .RE
1279
1280 .sp
1281 .ne 2
1282 .na
1283 \fB\fBpkinit_anchors\fR \fB=\fR \fIURI\fR\fR
1284 .ad
1285 .sp .6
1286 .RS 4n
1287 Specifies the location of trusted anchor (root) certificates which the client
1288 trusts to sign KDC certificates. This option can be specified multiple times.
1289 These values from the \fBconfig\fR file are not used if the user specifies
1290 \fBX509_anchors\fR on the command line.
1291 .sp
1292 Valid \fIURI\fR types are \fBFILE\fR and \fBDIR\fR. See the \fBPKINIT URI
1293 Types\fR section for more details.
1294 .RE
1295
1296 .sp
1297 .ne 2
1298 .na
1299 \fB\fBpkinit_pool\fR \fB=\fR \fIURI\fR\fR
1300 .ad
1301 .sp .6
1302 .RS 4n
1303 Specifies the location of intermediate certificates which can be used by the
1304 client to complete the trust chain between a KDC certificate and a trusted
1305 anchor. This option can be specified multiple times.
1306 .sp
1307 Valid \fIURI\fR types are \fBFILE\fR and \fBDIR\fR. See the \fBPKINIT URI
1308 Types\fR section for more details.
1309 .RE
1310
1311 .sp
1312 .ne 2
1313 .na
1314 \fB\fBpkinit_revoke\fR \fB=\fR \fIURI\fR\fR
1315 .ad
1316 .sp .6
1317 .RS 4n
1318 Specifies the location of Certificate Revocation List (CRL) information to be
1319 used by the client when verifying the validity of the KDC certificate
1320 presented. This option can be specified multiple times.
1321 .sp
1322 The only valid \fIURI\fR type is \fBDIR\fR. See the \fBPKINIT URI Types\fR
1323 section for more details.
1324 .RE
1325
1326 .sp
1327 .ne 2
1328 .na
1329 \fB\fBpkinit_require_crl_checking\fR \fB=\fR \fIvalue\fR\fR
1330 .ad
1331 .sp .6
1332 .RS 4n
1333 The default certificate verification process always checks the available
1334 revocation information to see if a certificate has been revoked. If a match is
1335 found for the certificate in a CRL, verification fails. If the certificate
1336 being verified is not listed in a CRL, or there is no CRL present for its
1337 issuing CA, and \fBpkinit_require_crl_checking\fR is \fBfalse\fR, then
1338 verification succeeds. However, if \fBpkinit_require_crl_checking\fR is
1339 \fBtrue\fR and there is no CRL information available for the issuing CA, then
1340 verification fails. \fBpkinit_require_crl_checking\fR should be set to
1341 \fBtrue\fR if the policy is such that up-to-date CRLs must be present for every
1342 CA.
1343 .RE
1344
1345 .sp
1346 .ne 2
1347 .na
1348 \fB\fBpkinit_dh_min_bits\fR \fB=\fR \fIvalue\fR\fR
1349 .ad
1350 .sp .6
1351 .RS 4n
1352 Specifies the size of the Diffie-Hellman key the client attempts to use. The
1353 acceptable values are currently 1024, 2048, and 4096. The default is 2048.
1354 .RE
1355
1356 .sp
1357 .ne 2
1358 .na
1359 \fB\fBpkinit_win2k\fR \fB=\fR \fIvalue\fR\fR
1360 .ad
1361 .sp .6
1362 .RS 4n
1363 This flag specifies whether the target realm is assumed to support only the
1364 old, pre-RFC version of the protocol. The default is \fBfalse\fR.
1365 .RE
1366
1367 .sp
1368 .ne 2
1369 .na
1370 \fB\fBpkinit_win2k_require_binding\fR \fB=\fR \fIvalue\fR\fR
1371 .ad
1372 .sp .6
1373 .RS 4n
1374 If this flag is set to \fBtrue\fR, it expects that the target KDC is patched to
1375 return a reply with a checksum rather than a nonce. The default is \fBfalse\fR.
1376 .RE
1377
1378 .sp
1379 .ne 2
1380 .na
1381 \fB\fBpkinit_eku_checking\fR \fB=\fR \fIvalue\fR\fR
1382 .ad
1383 .sp .6
1384 .RS 4n
1385 This option specifies what Extended Key Usage value the KDC certificate
1386 presented to the client must contain. If the KDC certificate has the \fBpkinit
1387 SubjectAlternativeName\fR encoded as the Kerberos TGS name, EKU checking is not
1388 necessary since the issuing CA has certified this as a KDC certificate. The
1389 values recognized in the \fBkrb5.conf\fR file are:
1390 .sp
1391 .ne 2
1392 .na
1393 \fB\fBkpKDC\fR\fR
1394 .ad
1395 .RS 16n
1396 This is the default value and specifies that the KDC must have the
1397 \fBid-pkinit-KPKdc EKU\fR as defined in RFC4556.
1398 .RE
1399
1400 .sp
1401 .ne 2
1402 .na
1403 \fB\fBkpServerAuth\fR\fR
1404 .ad
1405 .RS 16n
1406 If \fBkpServerAuth\fR is specified, a KDC certificate with the
1407 \fBid-kp-serverAuth EKU\fR as used by Microsoft is accepted.
1408 .RE
1409
1410 .sp
1411 .ne 2
1412 .na
1413 \fB\fBnone\fR\fR
1414 .ad
1415 .RS 16n
1416 If \fBnone\fR is specified, then the KDC certificate is not checked to verify
1417 it has an acceptable EKU. The use of this option is not recommended.
1418 .RE
1419
1420 .RE
1421
1422 .sp
1423 .ne 2
1424 .na
1425 \fB\fBpkinit_kdc_hostname\fR \fB=\fR \fIvalue\fR\fR
1426 .ad
1427 .sp .6
1428 .RS 4n
1429 The presence of this option indicates that the client is willing to accept a
1430 KDC certificate with a \fBdNSName\fR SAN (Subject Alternative Name) rather than
1431 requiring the \fBid-pkinit-san\fR as defined in RFC4556. This option can be
1432 specified multiple times. Its value should contain the acceptable hostname for
1433 the KDC (as contained in its certificate).
1434 .RE
1435
1436 .sp
1437 .ne 2
1438 .na
1439 \fB\fBpkinit_cert_match\fR \fB=\fR \fIrule\fR\fR
1440 .ad
1441 .sp .6
1442 .RS 4n
1443 Specifies matching rules that the client certificate must match before it is
1444 used to attempt \fBpkinit\fR authentication. If a user has multiple
1445 certificates available (on a smart card, or by way of another media), there
1446 must be exactly one certificate chosen before attempting \fBpkinit\fR
1447 authentication. This option can be specified multiple times. All the
1448 available certificates are checked against each rule in order until there is a
1449 match of exactly one certificate.
1450 .sp
1451 The Subject and Issuer comparison strings are the RFC2253 string
1452 representations from the certificate Subject DN and Issuer DN values.
1453 .sp
1454 The syntax of the matching rules is:
1455 .sp
1456 .in +2
1457 .nf
1458 [relation-operator]component-rule `...'
1459 .fi
1460 .in -2
1461
1462 where
1463 .sp
1464 .ne 2
1465 .na
1466 \fB\fIrelation-operator\fR\fR
1467 .ad
1468 .RS 21n
1469 Specify \fIrelation-operator\fR as \fB&&\fR, meaning all component rules must
1470 match, or \fB||\fR, meaning only one component rule must match. If
1471 \fIrelation-operator\fR is not specified, the default is \fB&&\fR\&.
1472 .RE
1473
1474 .sp
1475 .ne 2
1476 .na
1477 \fB\fIcomponent-rule\fR\fR
1478 .ad
1479 .RS 21n
1480 There is no punctuation or white space between component rules.Specify
1481 \fIcomponent-rule\fR as one of the following:
1482 .sp
1483 .in +2
1484 .nf
1485 `<SUBJECT>'regular-expression
1486
1487 `<ISSUER>'regular-expression
1488
1489 `<SAN>'regular-expression
1490
1491 `<EKU>'extended-key-usage-list
1492 where extended-key-usage-list is a comma-separated list
1493 of required Extended Key Usage values. All values in
1494 the list must be present in the certificate.
1495 `pkinit'
1496 `msScLogin'
1497 `clientAuth'
1498 `emailProtection'
1499 `<KU>'key-usage-list
1500 where key-usage-list is a comma-separated list of
1501 required Key Usage values. All values in the list must
1502 be present in the certificate.
1503 `digitalSignature'
1504 .fi
1505 .in -2
1506
1507 .RE
1508
1509 Examples:
1510 .sp
1511 .in +2
1512 .nf
1513 pkinit_cert_match = ||<SUBJECT>.*DoE.*<SAN>.*@EXAMPLE.COM
1514 pkinit_cert_match = &&<EKU>msScLogin,clientAuth<ISSUER>.*DoE.*
1515 pkinit_cert_match = <EKU>msScLogin,clientAuth<KU>digitalSignature
1516 .fi
1517 .in -2
1518
1519 .RE
1520
1521 .SS "PKINIT URI Types"
1522 .ne 2
1523 .na
1524 \fB\fBFILE:\fR\fIfile-name[,key-file-name]\fR\fR
1525 .ad
1526 .sp .6
1527 .RS 4n
1528 This option has context-specific behavior.
1529 .sp
1530 .ne 2
1531 .na
1532 \fB\fBpkinit_identities\fR\fR
1533 .ad
1534 .RS 21n
1535 \fIfile-name\fR specifies the name of a PEM-format file containing the user's
1536 certificate. If \fIkey-file-name\fR is not specified, the user's private key
1537 is expected to be in \fIfile-name\fR as well. Otherwise, \fIkey-file-name\fR
1538 is the name of the file containing the private key.
1539 .RE
1540
1541 .sp
1542 .ne 2
1543 .na
1544 \fB\fBpkinit_anchors\fR\fR
1545 .ad
1546 .br
1547 .na
1548 \fB\fBpkinit_pool\fR\fR
1549 .ad
1550 .RS 21n
1551 \fIfile-name\fR is assumed to be the name of an \fBOpenSSL-style ca-bundle\fR
1552 file. The \fBca-bundle\fR file should be base-64 encoded.
1553 .RE
1554
1555 .RE
1556
1557 .sp
1558 .ne 2
1559 .na
1560 \fB\fBDIR:\fR\fIdirectory-name\fR\fR
1561 .ad
1562 .sp .6
1563 .RS 4n
1564 This option has context-specific behavior.
1565 .sp
1566 .ne 2
1567 .na
1568 \fB\fBpkinit_identities\fR\fR
1569 .ad
1570 .RS 21n
1571 \fIdirectory-name\fR specifies a directory with files named \fB*.crt\fR and
1572 \fB*.key\fR, where the first part of the file name is the same for matching
1573 pairs of certificate and private key files. When a file with a name ending with
1574 \&.\fBcrt\fR is found, a matching file ending with \fB\&.key\fR is assumed to
1575 contain the private key. If no such file is found, then the certificate in the
1576 \fB\&.crt\fR is not used.
1577 .RE
1578
1579 .sp
1580 .ne 2
1581 .na
1582 \fB\fBpkinit_anchors\fR\fR
1583 .ad
1584 .br
1585 .na
1586 \fB\fBpkinit_pool\fR\fR
1587 .ad
1588 .RS 21n
1589 \fIdirectory-name\fR is assumed to be an OpenSSL-style hashed CA directory
1590 where each CA cert is stored in a file named \fBhash-of-ca-cert\fR.\fI#\fR.
1591 This infrastructure is encouraged, but all files in the directory are examined
1592 and if they contain certificates (in PEM format), they are used.
1593 .RE
1594
1595 .RE
1596
1597 .sp
1598 .ne 2
1599 .na
1600 \fB\fBPKCS12:\fR\fIpkcs12-file-name\fR\fR
1601 .ad
1602 .sp .6
1603 .RS 4n
1604 \fIpkcs12-file-name\fR is the name of a \fBPKCS #12\fR format file, containing
1605 the user's certificate and private key.
1606 .RE
1607
1608 .sp
1609 .ne 2
1610 .na
1611 \fB\fBPKCS11:[slotid=\fR\fIslot-id\fR\fB][:token=\fR\fItoken-label\fR\fB][:cert
1612 id=\fR\fIcert-id\fR\fB][:certlabel=\fR\fIcert-label\fR\fB]\fR\fR
1613 .ad
1614 .sp .6
1615 .RS 4n
1616 All keyword/values are optional. PKCS11 modules (for example,
1617 \fBopensc-pkcs11.so\fR) must be installed as a \fBcrypto\fR provider under
1618 \fBlibpkcs11\fR(3LIB). \fBslotid=\fR and/or \fBtoken=\fR can be specified to
1619 force the use of a particular smart card reader or token if there is more than
1620 one available. \fBcertid=\fR and/or \fBcertlabel=\fR can be specified to force
1621 the selection of a particular certificate on the device. See the
1622 \fBpkinit_cert_match\fR configuration option for more ways to select a
1623 particular certificate to use for \fBpkinit\fR.
1624 .RE
1625
1626 .sp
1627 .ne 2
1628 .na
1629 \fB\fBENV:\fR\fIenvironment-variable-name\fR\fR
1630 .ad
1631 .sp .6
1632 .RS 4n
1633 \fIenvironment-variable-name\fR specifies the name of an environment variable
1634 which has been set to a value conforming to one of the previous values. For
1635 example, \fBENV:X509_PROXY\fR, where environment variable \fBX509_PROXY\fR has
1636 been set to \fBFILE:/tmp/my_proxy.pem\fR.
1637 .RE
1638
1639 .SS "The \fB[dbmodules]\fR Section"
1640 This section consists of relations that provide configuration information for
1641 plug-in modules. In particular, the relations describe the configuration for
1642 LDAP KDB plug-in. Use of the \fBdb2\fR KDB plug-in is the default behavior and
1643 that this section does not need to be filled out in that case.
1644 .sp
1645 .ne 2
1646 .na
1647 \fB\fBdb_library\fR\fR
1648 .ad
1649 .sp .6
1650 .RS 4n
1651 Name of the plug-in library. To use the LDAP KDB plug-in the name must be
1652 \fBkdb_ldap\fR. The default value is \fBdb2\fR.
1653 .RE
1654
1655 .sp
1656 .ne 2
1657 .na
1658 \fB\fBdb_module_dir\fR\fR
1659 .ad
1660 .sp .6
1661 .RS 4n
1662 Path to the plug-in libraries. The default is \fB/usr/lib/krb5\fR.
1663 .RE
1664
1665 .sp
1666 .ne 2
1667 .na
1668 \fB\fBldap_cert_path\fR\fR
1669 .ad
1670 .sp .6
1671 .RS 4n
1672 Path to the Network Security Services (NSS) trusted database for an SSL
1673 connection. This is a required parameter when using the LDAP KDB plug-in.
1674 .RE
1675
1676 .sp
1677 .ne 2
1678 .na
1679 \fB\fBldap_conns_per_server\fR\fR
1680 .ad
1681 .sp .6
1682 .RS 4n
1683 Number of connections per LDAP instance. The default is \fB5\fR.
1684 .RE
1685
1686 .sp
1687 .ne 2
1688 .na
1689 \fB\fBldap_kadmind_dn\fR\fR
1690 .ad
1691 .sp .6
1692 .RS 4n
1693 Bind DN for \fBkadmind\fR. This specifies the DN that the \fBkadmind\fR service
1694 uses when binding to the LDAP Directory Server. The password for this bind DN
1695 should be in the \fBldap_service_password_file\fR.
1696 .RE
1697
1698 .sp
1699 .ne 2
1700 .na
1701 \fB\fBldap_kdc_dn\fR\fR
1702 .ad
1703 .sp .6
1704 .RS 4n
1705 Bind DN for a Key Distribution Center (KDC). This specifies the DN that the
1706 \fBkrb5kdc\fR service use when binding to the LDAP Directory Server. The
1707 password for this bind DN should be in the \fBldap_service_password_file\fR.
1708 .RE
1709
1710 .sp
1711 .ne 2
1712 .na
1713 \fB\fBldap_servers\fR\fR
1714 .ad
1715 .sp .6
1716 .RS 4n
1717 List of LDAP directory servers in URI format. Use of either of the following is
1718 acceptable.
1719 .sp
1720 .in +2
1721 .nf
1722 ldap://\fI<ds hostname>\fR:\fI<SSL port>\fR
1723 ldap://\fI<ds hostname>\fR
1724 .fi
1725 .in -2
1726 .sp
1727
1728 Each server URI should be separated by whitespace.
1729 .RE
1730
1731 .sp
1732 .ne 2
1733 .na
1734 \fB\fBldap_service_password_file\fR\fR
1735 .ad
1736 .sp .6
1737 .RS 4n
1738 File containing stashed passwords used by the KDC when binding to the LDAP
1739 Directory Server. The default is \fB/var/krb5/service_passwd\fR. This file is
1740 created using \fBkdb5_ldap_util\fR(1M).
1741 .RE
1742
1743 .sp
1744 .ne 2
1745 .na
1746 \fB\fBldap_ssl_port\fR\fR
1747 .ad
1748 .sp .6
1749 .RS 4n
1750 Port number for SSL connection with directory server. The default is \fB389\fR.
1751 .RE
1752
1753 .SH EXAMPLES
1754 \fBExample 1 \fRSample File
1755 .sp
1756 .LP
1757 The following is an example of a generic \fBkrb5.conf\fR file:
1758
1759 .sp
1760 .in +2
1761 .nf
1762 [libdefaults]
1763 default_realm = ATHENA.MIT.EDU
1764 default_tkt_enctypes = des-cbc-crc
1765 default_tgs_enctypes = des-cbc-crc
1766
1767 [realms]
1768 ATHENA.MIT.EDU = {
1769 kdc = kerberos.mit.edu
1770 kdc = kerberos-1.mit.edu
1771 kdc = kerberos-2.mit.edu
1772 admin_server = kerberos.mit.edu
1773 auth_to_local_realm = KRBDEV.ATHENA.MIT.EDU
1774 }
1775
1776 FUBAR.ORG = {
1777 kdc = kerberos.fubar.org
1778 kdc = kerberos-1.fubar.org
1779 admin_server = kerberos.fubar.org
1780 }
1781
1782 [domain_realm]
1783 .mit.edu = ATHENA.MIT.EDU
1784 mit.edu = ATHENA.MIT.EDU
1785 .fi
1786 .in -2
1787 .sp
1788
1789 .LP
1790 \fBExample 2 \fRKDC Using the LDAP KDB plug-in, \fBrealms\fR and
1791 \fBdbmodules\fR Sections
1792 .sp
1793 .LP
1794 The following is an example of the \fBrealms\fR and \fBdbmodules\fR sections of
1795 a Kerberos configuration file when the KDC is using the LDAP KDB plug-in.
1796
1797 .sp
1798 .in +2
1799 .nf
1800 [realms]
1801 SUN.COM = {
1802 kdc = kc-umpk-01.athena.mit.edu
1803 kdc = kc-umpk-02.athena.mit.edu
1804 admin_server = kc-umpk-01.athena.mit.edu
1805 database_module = LDAP
1806 }
1807
1808 [dbmodules]
1809 LDAP = {
1810 db_library = kdb_ldap
1811 ldap_kerberos_container_dn = "cn=krbcontainer,dc=mit,dc=edu"
1812 ldap_kdc_dn = "cn=kdc service,ou=profile,dc=mit,dc=edu"
1813 ldap_kadmind_dn = "cn=kadmin service,ou=profile,dc=mit,dc=edu"
1814 ldap_cert_path = /var/ldap
1815 ldap_servers = ldaps://ds.mit.edu
1816 }
1817 .fi
1818 .in -2
1819 .sp
1820
1821 .SH FILES
1822 .ne 2
1823 .na
1824 \fB\fB/var/krb5/kdc.log\fR\fR
1825 .ad
1826 .sp .6
1827 .RS 4n
1828 \fBKDC\fR logging file
1829 .RE
1830
1831 .SH ATTRIBUTES
1832 See \fBattributes\fR(5) for descriptions of the following attributes:
1833 .sp
1834
1835 .sp
1836 .TS
1837 box;
1838 c | c
1839 l | l .
1840 ATTRIBUTE TYPE ATTRIBUTE VALUE
1841 _
1842 Interface Stability See below.
1843 .TE
1844
1845 .sp
1846 .LP
1847 All of the keywords are Committed, except for the \fBPKINIT\fR keywords, which
1848 are Volatile.
1849 .SH SEE ALSO
1850 \fBkinit\fR(1), \fBrcp\fR(1), \fBrdist\fR(1), \fBrlogin\fR(1), \fBrsh\fR(1),
1851 \fBtelnet\fR(1), \fBsyslog\fR(3C), \fBattributes\fR(5), \fBkerberos\fR(5),
1852 \fBregex\fR(5)
1853 .SH NOTES
1854 If the \fBkrb5.conf\fR file is not formatted properly, the \fBtelnet\fR command
1855 fails. However, the \fBdtlogin\fR and \fBlogin\fR commands still succeed, even
1856 if the \fBkrb5.conf\fR file is specified as required for the commands. If this
1857 occurs, the following error message is displayed:
1858 .sp
1859 .in +2
1860 .nf
1861 Error initializing krb5: Improper format of \fIitem\fR
1862 .fi
1863 .in -2
1864 .sp
1865
1866 .sp
1867 .LP
1868 To bypass any other problems that might occur, you should fix the file as soon
1869 as possible.
1870 .sp
1871 .LP
1872 The \fBmax_life\fR and \fBmax_renewable_life\fR options are obsolete and is
1873 removed in a future release of the Solaris operating system.