'\" te
.\" Copyright (c) 2009 Sun Microsystems, Inc. All Rights Reserved.
.\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License.
.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License.
.\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
.TH KRB5.CONF 4 "Nov 26, 2017"
.SH NAME
krb5.conf \- Kerberos configuration file
.SH SYNOPSIS
.LP
.nf
/etc/krb5/krb5.conf
.fi

.SH DESCRIPTION
.LP
The \fBkrb5.conf\fR file contains Kerberos configuration information, including
the locations of \fBKDC\fRs and administration daemons for the Kerberos realms
of interest, defaults for the current realm and for Kerberos applications, and
mappings of host names onto Kerberos realms. This file must reside on all
Kerberos clients.
.sp
.LP
The format of the \fBkrb5.conf\fR file consists of section headings in square
brackets. Each section can contain zero or more configuration variables (called
\fIrelations\fR), of the form:
.sp
.LP
\fIrelation\fR = \fIrelation-value\fR
.sp
.LP
or
.sp
.LP
\fIrelation-subsection\fR = {
.br
\fB\fBdbmodules\fR\fR
.ad
.sp .6
.RS 4n
Contains relations for Kerberos database plug-in-specific configuration
information.
.RE

.sp
.ne 2
.na
\fB\fBkdc\fR\fR
.ad
.sp .6
.RS 4n
For a Key Distribution Center (\fBKDC\fR), can contain the location of the
\fBkdc.conf\fR file.
.RE

.SS "The \fB[libdefaults]\fR Section"
.LP
The \fB[libdefaults]\fR section can contain any of the following relations:
.sp
.ne 2
.na
\fB\fBdatabase_module\fR\fR
.ad
.sp .6
.RS 4n
Selects the \fB[dbmodules]\fR section entry to use to access the Kerberos
database. If this parameter is not present, the standard \fBdb2\fR-based
Kerberos database is used.
.RE

.sp
.ne 2
.na
\fB\fBdefault_keytab_name\fR\fR
.ad
.sp .6
.RS 4n
.na
\fB\fBmax_lifetime =\fR\fIlifetime\fR\fR
.ad
.sp .6
.RS 4n
Sets the requested maximum lifetime of the ticket. The values for
\fIlifetime\fR follow the format described for the \fBrenew_lifetime\fR option,
above.
.RE

.sp
.ne 2
.na
\fB\fBdns_lookup_kdc\fR\fR
.ad
.sp .6
.RS 4n
Indicates whether DNS SRV records should be used to locate the KDCs and the
other servers for a realm, if they have not already been listed in the
\fB[realms]\fR section. This option makes the machine vulnerable to a certain
type of DoS attack if someone spoofs the DNS records and redirects the client
to another server. This is, however, no worse than a DoS, since the bogus KDC is
unable to decode anything sent (excepting the initial ticket request, which has
no encrypted data). Also, anything the fake KDC sends out is not trusted
without verification (the fake KDC does not know the secret key to be used).
If \fBdns_lookup_kdc\fR is not specified but \fBdns_fallback\fR is, then
that value is used instead. In either case, values (if present) in the
\fB[realms]\fR section override DNS. \fBdns_lookup_kdc\fR is enabled by
default.
.RE

.sp
.ne 2
.na
\fB\fBdns_lookup_realm\fR\fR
.ad
.sp .6
.RS 4n
Indicates whether DNS TXT records should be used to determine the Kerberos
realm information and/or the host/domain name-to-realm mapping of a host, if
this information is not already present in the \fBkrb5.conf\fR file. Enabling

.sp
.ne 2
.na
\fB\fBverify_ap_req_nofail [true | false]\fR\fR
.ad
.sp .6
.RS 4n
If \fBtrue\fR, the local keytab file (\fB/etc/krb5/krb5.keytab\fR) must contain
an entry for the local \fBhost\fR principal, for example,
\fBhost/foo.bar.com@FOO.COM\fR. This entry is needed to verify that the
\fBTGT\fR requested was issued by the same \fBKDC\fR that issued the key for
the host principal. If undefined, the behavior is as if this option were set to
\fBtrue\fR. Setting this value to \fBfalse\fR leaves the system vulnerable to
\fBDNS\fR spoofing attacks. This parameter can be in the \fB[realms]\fR section
to set it on a per-realm basis, or it can be in the \fB[libdefaults]\fR section
to make it a network-wide setting for all realms.
.RE

.SS "The \fB[appdefaults]\fR Section"
.LP
This section contains subsections for Kerberos V5 applications, where
\fIrelation-subsection\fR is the name of an application. Each subsection
contains relations that define the default behaviors for that application.
.sp
.LP
The following relations can be found in the \fB[appdefaults]\fR section, though
not all relations are recognized by all kerberized applications. Some are
specific to particular applications.
.sp
.ne 2
.na
\fB\fBautologin =\fR [\fBtrue\fR | \fBfalse\fR]\fR
.ad
.sp .6
.RS 4n
Forces the application to attempt automatic login by presenting Kerberos
credentials. This is valid for the following applications: \fBrlogin\fR,
\fBrsh\fR, \fBrcp\fR, \fBrdist\fR, and \fBtelnet\fR.
.RE

.nf
[appdefaults]
kinit = {
forwardable = true
}

telnet = {
forward = true
encrypt = true
autologin = true
}
.fi
.in -2
.sp

.sp
.LP
The application defaults specified here are overridden by those specified in
the \fB[realms]\fR section.
.SS "The \fB[realms]\fR Section"
.LP
This section contains subsections for Kerberos realms, where
\fIrelation-subsection\fR is the name of a realm. Each subsection contains
relations that define the properties for that particular realm. The following
relations can be specified in each \fB[realms]\fR subsection:
.sp
.ne 2
.na
\fB\fBadmin_server\fR\fR
.ad
.sp .6
.RS 4n
Identifies the host where the Kerberos administration daemon (\fBkadmind\fR) is
running. Typically, this is the master \fBKDC\fR.
.RE

.sp
.ne 2
.na
\fB\fIapplication defaults\fR\fR
.ad
\fBTGT\fR requested was issued by the same \fBKDC\fR that issued the key for
the host principal. If undefined, the behavior is as if this option were set to
\fBtrue\fR. Setting this value to \fBfalse\fR leaves the system vulnerable to
\fBDNS\fR spoofing attacks. This parameter might be in the \fB[realms]\fR
section to set it on a per-realm basis, or it might be in the
\fB[libdefaults]\fR section to make it a network-wide setting for all realms.
.RE

.sp
.LP
The parameters "\fBforwardable\fR", "\fBproxiable\fR", and
"\fBrenew_lifetime\fR" as described in the \fB[libdefaults]\fR section (see
above) are also valid in the \fB[realms]\fR section.
.sp
.LP
Note that \fBkpasswd_server\fR and \fBkpasswd_protocol\fR are realm-specific
parameters. Most often, you need to specify them only when using a
non-Solaris-based Kerberos server. Otherwise, the change request is sent over
\fBRPCSEC_GSS\fR to the Solaris Kerberos administration server.
.SS "The \fB[domain_realm]\fR Section"
.LP
This section provides a translation from a domain name or host name to a
Kerberos realm name. The \fIrelation\fR can be a host name or a domain name,
where domain names are indicated by a period (`\fB\&.\fR') prefix.
\fIrelation-value\fR is the Kerberos realm name for that particular host or
domain. Host names and domain names should be in lower case.
.sp
.LP
If no translation entry applies, the host's realm is considered to be the
hostname's domain portion converted to upper case. For example, the following
\fB[domain_realm]\fR section maps \fBcrash.mit.edu\fR into the
\fBTEST.ATHENA.MIT.EDU\fR realm:
.sp
.in +2
.nf
[domain_realm]
.mit.edu = ATHENA.MIT.EDU
mit.edu = ATHENA.MIT.EDU
crash.mit.edu = TEST.ATHENA.MIT.EDU
.fubar.org = FUBAR.ORG
fubar.org = FUBAR.ORG
.fi
.in -2
.sp

.sp
.LP
All other hosts in the \fBmit.edu\fR domain map by default to the
\fBATHENA.MIT.EDU\fR realm, and all hosts in the \fBfubar.org\fR domain map by
default into the \fBFUBAR.ORG\fR realm. Note the entries for the hosts
\fBmit.edu\fR and \fBfubar.org\fR themselves: without these entries, these
hosts would be mapped into the Kerberos realms \fBEDU\fR and \fBORG\fR,
respectively.
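.sp
.LP
The following Python snippet is an added illustration, not part of this manual page or of the Kerberos implementation: it applies the lookup rules above to the sample table. The table is a constructed dict rather than parsed from \fBkrb5.conf\fR, and the most-specific-match order (exact host, then longest domain suffix, then the upper-cased domain default) is an assumption of the example that the \fBcrash.mit.edu\fR case requires.

```python
"""Host-to-realm mapping as described for the [domain_realm] section."""

# The sample [domain_realm] section from the man page (constructed dict).
DOMAIN_REALM = {
    ".mit.edu": "ATHENA.MIT.EDU",
    "mit.edu": "ATHENA.MIT.EDU",
    "crash.mit.edu": "TEST.ATHENA.MIT.EDU",
    ".fubar.org": "FUBAR.ORG",
    "fubar.org": "FUBAR.ORG",
}


def host_to_realm(mapping, hostname):
    """Return the Kerberos realm for hostname.

    Lookup order (assumption of this example: most specific entry first):
      1. an exact host-name relation,
      2. the longest domain relation (leading '.') that is a suffix of the host,
      3. the default: the host's domain portion converted to upper case.
    Names are compared in lower case, as the man page says they should be written.
    """
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    # Try ".b.c.d", then ".c.d", then ".d": longer suffixes are more specific.
    for i in range(1, len(labels)):
        domain = "." + ".".join(labels[i:])
        if domain in mapping:
            return mapping[domain]
    if len(labels) > 1:
        return ".".join(labels[1:]).upper()
    # A single-label name has no domain portion, so no default realm applies.
    return None


def without_bare_entries(mapping):
    """The same table minus the bare host relations (mit.edu, fubar.org),
    to show why the man page includes them: the default then yields EDU/ORG."""
    return {k: v for k, v in mapping.items() if k.startswith(".")}


if __name__ == "__main__":
    for h in ("crash.mit.edu", "www.mit.edu", "mit.edu", "fubar.org", "host.example.com"):
        print(f"{h:20} -> {host_to_realm(DOMAIN_REALM, h)}")
    print("mit.edu without bare entry ->",
          host_to_realm(without_bare_entries(DOMAIN_REALM), "mit.edu"))
```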
.SS "The \fB[logging]\fR Section"
.LP
This section indicates how Kerberos programs are to perform logging. There are
two types of relations for this section: relations to specify how to log and a
relation to specify how to rotate \fBkdc\fR log files.
.sp
.LP
The following relations can be defined to specify how to log. The same relation
can be repeated if you want to assign it multiple logging methods.
.sp
.ne 2
.na
\fB\fBadmin_server\fR\fR
.ad
.sp .6
.RS 4n
Specifies how to log the Kerberos administration daemon (\fBkadmind\fR). The
default is \fBFILE:/var/krb5/kadmin.log\fR.
.RE

.sp
.ne 2
.LP
In the following example, the logging messages from the Kerberos administration
daemon go to the console. The logging messages from the \fBKDC\fR are appended
to \fB/var/krb5/kdc.log\fR, which is rotated among twenty-one log files
with a specified time interval of a day.
.sp
.in +2
.nf
[logging]
admin_server = CONSOLE
kdc = FILE:/var/krb5/kdc.log
kdc_rotate = {
period = 1d
versions = 20
}
.fi
.in -2
.sp

.SS "The \fB[capaths]\fR Section"
.LP
In order to perform direct (non-hierarchical) cross-realm authentication, a
database is needed to construct the authentication paths between the realms.
This section defines that database.
.sp
.LP
A client uses this section to find the authentication path between its realm
and the realm of the server. The server uses this section to verify the
authentication path used by the client, by checking the transited field of the
received ticket.
.sp
.LP
There is a subsection for each participating realm, and each subsection has
relations named for each of the realms. The \fIrelation-value\fR is an
intermediate realm which can participate in the cross-realm authentication. The
relations can be repeated if there is more than one intermediate realm. A value
of '.' means that the two realms share keys directly, and no intermediate
realms should be allowed to participate.
.sp
.LP
There are n**2 possible entries in this table, but only those entries which are
}

ES.NET = {
NERSC.GOV = .
}

TEST.ANL.GOV = {
NERSC.GOV = ANL.GOV
NERSC.GOV = ES.NET
}
.fi
.in -2
.sp

.sp
.LP
In the above examples, the ordering is not important, except when the same
relation is used more than once. The client uses this to determine the path.
(It is not important to the server, since the transited field is not sorted.)
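.sp
.LP
The following Python snippet is an added illustration, not part of this manual page or of the Kerberos implementation: it shows both uses of the table described above, the client-side path lookup (where repeated relations keep their file order) and the server-side check of a ticket's transited realms. The two subsections are the ones visible in the sample above, held in a constructed dict; modelling the server check as "every transited realm must be a configured intermediate" and not modelling the hierarchical fallback are assumptions of the example.

```python
"""Cross-realm authentication paths as described for the [capaths] section."""

# [capaths] sample (constructed dict): client realm -> server realm -> the
# relation values in file order. "." means the two realms share keys directly.
CAPATHS = {
    "ES.NET": {"NERSC.GOV": ["."]},
    "TEST.ANL.GOV": {"NERSC.GOV": ["ANL.GOV", "ES.NET"]},
}


def client_auth_path(capaths, client_realm, server_realm):
    """Client side: ordered list of intermediate realms to traverse from
    client_realm to server_realm.

    File order is preserved, which is why the man page says ordering matters
    to the client when a relation is repeated. Raises LookupError when the
    table has no entry (this example does not model the hierarchical fallback).
    """
    if client_realm == server_realm:
        return []
    values = capaths.get(client_realm, {}).get(server_realm)
    if values is None:
        raise LookupError(f"no capaths entry for {client_realm} -> {server_realm}")
    if values == ["."]:
        return []  # direct trust, no intermediate realm allowed
    return list(values)


def server_accepts_transited(capaths, client_realm, server_realm, transited):
    """Server side: check the ticket's transited field against the table.

    Assumption of this example: every realm recorded in the transited field
    must be one of the configured intermediates for this client/server pair.
    Order is not checked, matching the man page's remark that it does not
    matter to the server. A ticket that crossed an unlisted realm is refused,
    and so is one from a client realm with no entry at all.
    """
    try:
        allowed = set(client_auth_path(capaths, client_realm, server_realm))
    except LookupError:
        return False
    return all(realm in allowed for realm in transited)


if __name__ == "__main__":
    print(client_auth_path(CAPATHS, "TEST.ANL.GOV", "NERSC.GOV"))
    print(client_auth_path(CAPATHS, "ES.NET", "NERSC.GOV"))
    print(server_accepts_transited(CAPATHS, "TEST.ANL.GOV", "NERSC.GOV",
                                   ["ANL.GOV", "ES.NET"]))
    print(server_accepts_transited(CAPATHS, "TEST.ANL.GOV", "NERSC.GOV",
                                   ["OTHER.EXAMPLE"]))
```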
.SS "PKINIT-specific Options"
.LP
The following are \fBpkinit-specific\fR options. These values can be specified
in \fB[libdefaults]\fR as global defaults, or within a realm-specific
subsection of \fB[libdefaults]\fR, or can be specified as realm-specific values
in the \fB[realms]\fR section. A realm-specific value overrides, does not add
to, a generic \fB[libdefaults]\fR specification.
.sp
.LP
The search order is:
.RS +4
.TP
1.
realm-specific subsection of \fB[libdefaults]\fR
.sp
.in +2
.nf
[libdefaults]
EXAMPLE.COM = {
pkinit_anchors = FILE:/usr/local/example.com.crt
.fi
.in -2
one available. \fBcertid=\fR and/or \fBcertlabel=\fR can be specified to force
the selection of a particular certificate on the device. See the
\fBpkinit_cert_match\fR configuration option for more ways to select a
particular certificate to use for \fBpkinit\fR.
.RE

.sp
.ne 2
.na
\fB\fBENV:\fR\fIenvironment-variable-name\fR\fR
.ad
.sp .6
.RS 4n
\fIenvironment-variable-name\fR specifies the name of an environment variable
which has been set to a value conforming to one of the previous values. For
example, \fBENV:X509_PROXY\fR, where environment variable \fBX509_PROXY\fR has
been set to \fBFILE:/tmp/my_proxy.pem\fR.
.RE

.SS "The \fB[dbmodules]\fR Section"
.LP
This section consists of relations that provide configuration information for
plug-in modules. In particular, the relations describe the configuration for
the LDAP KDB plug-in. Use of the \fBdb2\fR KDB plug-in is the default behavior,
and this section does not need to be filled out in that case.
.sp
.ne 2
.na
\fB\fBdb_library\fR\fR
.ad
.sp .6
.RS 4n
Name of the plug-in library. To use the LDAP KDB plug-in the name must be
\fBkdb_ldap\fR. The default value is \fBdb2\fR.
.RE

.sp
.ne 2
.na
\fB\fBdb_module_dir\fR\fR
.ad
\fB\fBldap_service_password_file\fR\fR
.ad
.sp .6
.RS 4n
File containing stashed passwords used by the KDC when binding to the LDAP
Directory Server. The default is \fB/var/krb5/service_passwd\fR. This file is
created using \fBkdb5_ldap_util\fR(1M).
.RE

.sp
.ne 2
.na
\fB\fBldap_ssl_port\fR\fR
.ad
.sp .6
.RS 4n
Port number for the SSL connection with the directory server. The default is \fB389\fR.
.RE

.SH EXAMPLES
.LP
\fBExample 1 \fRSample File
.sp
.LP
The following is an example of a generic \fBkrb5.conf\fR file:

.sp
.in +2
.nf
[libdefaults]
default_realm = ATHENA.MIT.EDU
default_tkt_enctypes = des-cbc-crc
default_tgs_enctypes = des-cbc-crc

[realms]
ATHENA.MIT.EDU = {
kdc = kerberos.mit.edu
kdc = kerberos-1.mit.edu
kdc = kerberos-2.mit.edu
admin_server = kerberos.mit.edu
auth_to_local_realm = KRBDEV.ATHENA.MIT.EDU
ldap_kdc_dn = "cn=kdc service,ou=profile,dc=mit,dc=edu"
ldap_kadmind_dn = "cn=kadmin service,ou=profile,dc=mit,dc=edu"
ldap_cert_path = /var/ldap
ldap_servers = ldaps://ds.mit.edu
}
.fi
.in -2
.sp

.SH FILES
.ne 2
.na
\fB\fB/var/krb5/kdc.log\fR\fR
.ad
.sp .6
.RS 4n
\fBKDC\fR logging file
.RE

.SH ATTRIBUTES
.LP
See \fBattributes\fR(5) for descriptions of the following attributes:
.sp

.sp
.TS
box;
c | c
l | l .
ATTRIBUTE TYPE	ATTRIBUTE VALUE
_
Interface Stability	See below.
.TE

.sp
.LP
All of the keywords are Committed, except for the \fBPKINIT\fR keywords, which
are Volatile.
.SH SEE ALSO
.LP
\fBkinit\fR(1), \fBrcp\fR(1), \fBrdist\fR(1), \fBrlogin\fR(1), \fBrsh\fR(1),
\fBtelnet\fR(1), \fBsyslog\fR(3C), \fBattributes\fR(5), \fBkerberos\fR(5),
\fBregex\fR(5)
.SH NOTES
.LP
If the \fBkrb5.conf\fR file is not formatted properly, the \fBtelnet\fR command
fails. However, the \fBdtlogin\fR and \fBlogin\fR commands still succeed, even
if the \fBkrb5.conf\fR file is specified as required for the commands. If this
occurs, the following error message is displayed:
.sp
.in +2
.nf
Error initializing krb5: Improper format of \fIitem\fR
.fi
.in -2
.sp

.sp
.LP
To avoid any other problems that might occur, you should fix the file as soon
as possible.
.sp
.LP
The \fBmax_life\fR and \fBmax_renewable_life\fR options are obsolete and will be
removed in a future release of the Solaris operating system.