197 Example:
198
199 renew_lifetime = 90m
200
201
202 Do not mix units. A value of "3h30m" results in an error.
203
204
205 max_lifetime =lifetime
206
207 Sets the requested maximum lifetime of the ticket. The values for
208 lifetime follow the format described for the renew_lifetime option,
209 above.
210
211
212 dns_lookup_kdc
213
214 Indicates whether DNS SRV records need to be used to locate the
215 KDCs and the other servers for a realm, if they have not already
216 been listed in the [realms] section. This option makes the machine
217 vulnerable to a certain type of DoS attack if somone spoofs the DNS
218 records and does a redirect to another server. This is, however, no
219 worse than a DoS, since the bogus KDC is unable to decode anything
220 sent (excepting the initial ticket request, which has no encrypted
221 data). Also, anything the fake KDC sends out isl not trusted
222 without verification (the local machine is unaware of the secret
223 key to be used). If dns_lookup_kdc is not specified but
224 dns_fallback is, then that value is used instead. In either case,
225 values (if present) in the [realms] section override DNS.
226 dns_lookup_kdc is enabled by default.
227
228
229 dns_lookup_realm
230
231 Indicates whether DNS TXT records need to be used to determine the
232 Kerberos realm information and/or the host/domain name-to-realm
233 mapping of a host, if this information is not already present in
234 the krb5.conf file. Enabling this option might make the host
235 vulnerable to a redirection attack, wherein spoofed DNS replies
236 persuade a client to authenticate to the wrong realm. In a realm
237 with no cross-realm trusts, this a DoS attack. If dns_lookup_realm
238 is not specified but dns_fallback is, then that value is used
239 instead. In either case, values (if present) in the [libdefaults]
240 and [domain_realm] sections override DNS.
241
242
243 dns_fallback
1300 NOTES
1301 If the krb5.conf file is not formatted properly, the telnet command
1302 fails. However, the dtlogin and login commands still succeed, even if
1303 the krb5.conf file is specified as required for the commands. If this
1304 occurs, the following error message is displayed:
1305
1306 Error initializing krb5: Improper format of item
1307
1308
1309
1310
1311 To bypass any other problems that might occur, you should fix the file
1312 as soon as possible.
1313
1314
1315 The max_life and max_renewable_life options are obsolete and is removed
1316 in a future release of the Solaris operating system.
1317
1318
1319
1320 November 26, 2017 KRB5.CONF(4)
|
197 Example:
198
199 renew_lifetime = 90m
200
201
202 Do not mix units. A value of "3h30m" results in an error.
203
204
205 max_lifetime =lifetime
206
207 Sets the requested maximum lifetime of the ticket. The values for
208 lifetime follow the format described for the renew_lifetime option,
209 above.
210
211
212 dns_lookup_kdc
213
214 Indicates whether DNS SRV records need to be used to locate the
215 KDCs and the other servers for a realm, if they have not already
216 been listed in the [realms] section. This option makes the machine
217 vulnerable to a certain type of DoS attack if someone spoofs the
218 DNS records and does a redirect to another server. This is,
219 however, no worse than a DoS, since the bogus KDC is unable to
220 decode anything sent (excepting the initial ticket request, which
221 has no encrypted data). Also, anything the fake KDC sends out isl
222 not trusted without verification (the local machine is unaware of
223 the secret key to be used). If dns_lookup_kdc is not specified but
224 dns_fallback is, then that value is used instead. In either case,
225 values (if present) in the [realms] section override DNS.
226 dns_lookup_kdc is enabled by default.
227
228
229 dns_lookup_realm
230
231 Indicates whether DNS TXT records need to be used to determine the
232 Kerberos realm information and/or the host/domain name-to-realm
233 mapping of a host, if this information is not already present in
234 the krb5.conf file. Enabling this option might make the host
235 vulnerable to a redirection attack, wherein spoofed DNS replies
236 persuade a client to authenticate to the wrong realm. In a realm
237 with no cross-realm trusts, this a DoS attack. If dns_lookup_realm
238 is not specified but dns_fallback is, then that value is used
239 instead. In either case, values (if present) in the [libdefaults]
240 and [domain_realm] sections override DNS.
241
242
243 dns_fallback
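Review bot: The new side corrects "somone" at line 217 but still carries "isl not trusted" at lines 221-222 and "this a DoS attack" at line 237. Since the dns_lookup_kdc paragraph was rewrapped anyway, fix both in the same change ("is not trusted", "this is a DoS attack"). The dns_lookup_realm entry also states no default, while dns_lookup_kdc ends with "dns_lookup_kdc is enabled by default."; given that the entry itself describes a redirection risk when the option is enabled, stating its default there would help administrators judge their exposure.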
1300 NOTES
1301 If the krb5.conf file is not formatted properly, the telnet command
1302 fails. However, the dtlogin and login commands still succeed, even if
1303 the krb5.conf file is specified as required for the commands. If this
1304 occurs, the following error message is displayed:
1305
1306 Error initializing krb5: Improper format of item
1307
1308
1309
1310
1311 To bypass any other problems that might occur, you should fix the file
1312 as soon as possible.
1313
1314
1315 The max_life and max_renewable_life options are obsolete and is removed
1316 in a future release of the Solaris operating system.
1317
1318
1319
1320 May 16, 2020 KRB5.CONF(4)
|
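Review bot: Line 1315 on the new side still reads "are obsolete and is removed", so the footer date moves to May 16, 2020 while the subject-verb disagreement in the NOTES section stays. Make the verbs agree, for example "are obsolete and are to be removed in a future release". The sentence at lines 1311-1312, "To bypass any other problems that might occur", would also read more clearly as "To avoid", since the preceding paragraph describes dtlogin and login still succeeding with a malformed krb5.conf.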