"Fossies" - the Fresh Open Source Software Archive  

Source code changes of the file "src/man/kdc.conf.man" between
krb5-1.17.1.tar.gz and krb5-1.18.tar.gz

About: Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography (MIT implementation). Current release.

kdc.conf.man (krb5-1.17.1) compared with kdc.conf.man (krb5-1.18)

[...]
max_renewable_life
    (duration string.) Specifies the maximum time period during which a valid ticket may be renewed
    in this realm. The default value is 0.
no_host_referral
    (Whitespace- or comma-separated list.) Lists services to block from getting host-based referral
    processing, even if the client marks the server principal as host-based or the service is also
    listed in host_based_services. no_host_referral = * will disable referral processing altogether.
des_crc_session_supported
    (Boolean value.) If set to true, the KDC will assume that service principals support des-cbc-crc
    for session key enctype negotiation purposes. If allow_weak_crypto in libdefaults is false, or if
    des-cbc-crc is not a permitted enctype, then this variable has no effect. Defaults to true. New
    in release 1.11.
    (This entry appears only in the krb5-1.17.1 text; it is absent from krb5-1.18. It is the only
    content change in the compared region; every other difference is line re-wrapping.)
reject_bad_transit
    (Boolean value.) If set to true, the KDC will check the list of transited realms for cross-realm
    tickets against the transit path computed from the realm names and the capaths section of its
    krb5.conf(5) file; if the path in the ticket to be issued contains any realms not in the computed
    path, the ticket will not be issued, and an error will be returned to the client instead. If this
    value is set to false, such tickets will be issued anyway, and it will be left up to the
    application server to validate the realm transit path.
    If the disable-transited-check flag is set in the incoming request, this check is not performed at
    all. If reject_bad_transit is true, such requests are always rejected.
    This transit path checking and config file option currently apply only to TGS requests.
    The default value is true.
restrict_anonymous_to_tgt
    (Boolean value.) If set to true, the KDC will reject ticket requests from anonymous principals to
    service principals other than the realm's ticket-granting service. This option allows anonymous
    PKINIT to be enabled for use as FAST armor tickets without allowing anonymous authentication to
    services. The default value is false. New in release 1.9.
spake_preauth_indicator
    (String.) Specifies an authentication indicator value that the KDC asserts into tickets obtained
    using SPAKE pre-authentication. The default is not to add any indicators. This option may be
    specified multiple times. New in release 1.17.
supported_enctypes
    (List of key:salt strings.) Specifies the default key/salt combinations of principals for this
    realm. Any principals created through kadmin(1) will have keys of these types. The default value
    for this tag is aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal. For lists of
    possible values, see Keysalt lists.
[dbdefaults]
    The [dbdefaults] section specifies default values for some database parameters, to be used if the
    [dbmodules] subsection does not contain a relation for the tag. See the [dbmodules] section for the
    definitions of these relations.
    · ldap_kerberos_container_dn
    · ldap_kdc_dn
    · ldap_kdc_sasl_authcid
    · ldap_kdc_sasl_authzid
    [...]
    · ldap_kadmind_sasl_mech
    · ldap_kadmind_sasl_realm
    · ldap_service_password_file
    · ldap_conns_per_server
[dbmodules]
    The [dbmodules] section contains parameters used by the KDC database library and database modules.
    Each tag in the [dbmodules] section is the name of a Kerberos realm or a section name specified by a
    realm's database_module parameter. The following example shows how to define one database parameter
    for the ATHENA.MIT.EDU realm:
        [dbmodules]
            ATHENA.MIT.EDU = {
                disable_last_success = true
            }
    The following tags may be specified in a [dbmodules] subsection:
database_name
    This DB2-specific tag indicates the location of the database in the filesystem. The default is
    @LOCALSTATEDIR@/krb5kdc/principal.
db_library
    This tag indicates the name of the loadable database module. The value should be db2 for the DB2
    module, klmdb for the LMDB module, or kldap for the LDAP module.
disable_last_success
    If set to true, suppresses KDC updates to the "Last successful authentication" field of principal
    entries requiring preauthentication. Setting this flag may improve performance. (Principal
    entries which do not require preauthentication never update the "Last successful authentication"
    field.) First introduced in release 1.9.
disable_lockout
    If set to true, suppresses KDC updates to the "Last failed authentication" and "Failed password
    attempts" fields of principal entries requiring preauthentication. Setting this flag may improve
    performance, but also disables account lockout. First introduced in release 1.9.
ldap_conns_per_server
    This LDAP-specific tag indicates the number of connections to be maintained per LDAP server.
ldap_kdc_dn and ldap_kadmind_dn
    These LDAP-specific tags indicate the default DN for binding to the LDAP server. The krb5kdc(8)
    daemon uses ldap_kdc_dn, while the kadmind(8) daemon and other administrative programs use
    ldap_kadmind_dn. The kadmind DN must have the rights to read and write the Kerberos data in the
    LDAP database. The KDC DN must have the same rights, unless disable_lockout and
    disable_last_success are true, in which case it only needs to have rights to read the Kerberos
    data. These tags are ignored if a SASL mechanism is set with ldap_kdc_sasl_mech or
    ldap_kadmind_sasl_mech.
ldap_kdc_sasl_mech and ldap_kadmind_sasl_mech
    These LDAP-specific tags specify the SASL mechanism (such as EXTERNAL) to use when binding to the
    LDAP server. New in release 1.13.
ldap_kdc_sasl_authcid and ldap_kadmind_sasl_authcid
    These LDAP-specific tags specify the SASL authentication identity to use when binding to the LDAP
    server. Not all SASL mechanisms require an authentication identity. If the SASL mechanism
    requires a secret (such as the password for DIGEST-MD5), these tags also determine the name within
    the ldap_service_password_file where the secret is stashed. New in release 1.13.
ldap_kdc_sasl_authzid and ldap_kadmind_sasl_authzid
    These LDAP-specific tags specify the SASL authorization identity to use when binding to the LDAP
    server. In most circumstances they do not need to be specified. New in release 1.13.
ldap_kdc_sasl_realm and ldap_kadmind_sasl_realm
    These LDAP-specific tags specify the SASL realm to use when binding to the LDAP server. In most
    circumstances they do not need to be set. New in release 1.13.
ldap_kerberos_container_dn
    This LDAP-specific tag indicates the DN of the container object where the realm objects will be
    located.
ldap_servers
    This LDAP-specific tag indicates the list of LDAP servers that the Kerberos servers can connect
    to. The list of LDAP servers is whitespace-separated. Each LDAP server is specified by an LDAP
    URI. It is recommended to use ldapi: or ldaps: URLs to connect to the LDAP server.
ldap_service_password_file
    This LDAP-specific tag indicates the file containing the stashed passwords (created by
    kdb5_ldap_util stashsrvpw) for the ldap_kdc_dn and ldap_kadmind_dn objects, or for the
    ldap_kdc_sasl_authcid or ldap_kadmind_sasl_authcid names for SASL authentication. This file must
    be kept secure.
mapsize
    This LMDB-specific tag indicates the maximum size of the two database environments in megabytes.
    The default value is 128. Increase this value to address "Environment mapsize limit reached"
    errors. New in release 1.17.
max_readers
    This LMDB-specific tag indicates the maximum number of concurrent reading processes for the
    databases. The default value is 128. New in release 1.17.
nosync
    This LMDB-specific tag can be set to improve the throughput of kadmind and other administrative
    agents, at the expense of durability (recent database changes may not survive a power outage or
    other sudden reboot). It does not affect the throughput of the KDC. The default value is false.
    New in release 1.17.
unlockiter
    If set to true, this DB2-specific tag causes iteration operations to release the database lock
    while processing each principal. Setting this flag to true can prevent extended blocking of KDC
    or kadmin operations when dumps of large databases are in progress. First introduced in release
    1.13.
The following tag may be specified directly in the [dbmodules] section to control where database modules
are loaded from:
db_module_dir
    This tag controls where the plugin system looks for database modules. The value should be an
    absolute path.
[logging]
    The [logging] section indicates how krb5kdc(8) and kadmind(8) perform logging. It may contain the
    following relations:
admin_server
    Specifies how kadmind(8) performs logging.
kdc
    Specifies how krb5kdc(8) performs logging.
default
    Specifies how either daemon performs logging in the absence of relations specific to the daemon.
debug
    (Boolean value.) Specifies whether debugging messages are included in log outputs other than
    SYSLOG. Debugging messages are always included in the system log output because syslog performs
    its own priority filtering. The default value is false. New in release 1.15.
Logging specifications may have the following forms:
FILE=filename or FILE:filename
    This value causes the daemon's logging messages to go to the filename. If the = form is used, the
    file is overwritten. If the : form is used, the file is appended to.
STDERR
    This value causes the daemon's logging messages to go to its standard error stream.
CONSOLE
    This value causes the daemon's logging messages to go to the console, if the system supports it.
DEVICE=<devicename>
    This causes the daemon's logging messages to go to the specified device.
SYSLOG[:severity[:facility]]
    This causes the daemon's logging messages to go to the system log.
    For backward compatibility, a severity argument may be specified, and must be specified in order
    to specify a facility. This argument will be ignored.
    The facility argument specifies the facility under which the messages are logged. This may be any
    of the following facilities supported by the syslog(3) call minus the LOG_ prefix: KERN, USER,
    MAIL, DAEMON, AUTH, LPR, NEWS, UUCP, CRON, and LOCAL0 through LOCAL7. If no facility is
    specified, the default is AUTH.
In the following example, the logging messages from the KDC will go to the console and to the system log
under the facility LOG_DAEMON, and the logging messages from the administrative server will be appended
to the file /var/adm/kadmin.log and sent to the device /dev/tty04.
    [logging]
        kdc = CONSOLE
        kdc = SYSLOG:INFO:DAEMON
        admin_server = FILE:/var/adm/kadmin.log
        admin_server = DEVICE=/dev/tty04
If no logging specification is given, the default is to use syslog. To disable logging entirely, specify
default = DEVICE=/dev/null.
[otp]
    Each subsection of [otp] is the name of an OTP token type. The tags within the subsection define the
    configuration required to forward a One Time Password request to a RADIUS server.
    For each token type, the following tags may be specified:
server
    This is the server to send the RADIUS request to. It can be a hostname with optional port, an IP
    address with optional port, or a Unix domain socket address. The default is
    @LOCALSTATEDIR@/krb5kdc/<name>.socket.
secret
    This tag indicates a filename (which may be relative to @LOCALSTATEDIR@/krb5kdc) containing the
    secret used to encrypt the RADIUS packets. The secret should appear in the first line of the file
    by itself; leading and trailing whitespace on the line will be removed. If the value of server is
    a Unix domain socket address, this tag is optional, and an empty secret will be used if it is not
    specified. Otherwise, this tag is required.
timeout
    An integer which specifies the time in seconds during which the KDC should attempt to contact the
    RADIUS server. This tag is the total time across all retries and should be less than the time
    which an OTP value remains valid for. The default is 5 seconds.
retries
    This tag specifies the number of retries to make to the RADIUS server. The default is 3 retries
    (4 tries).
strip_realm
    If this tag is true, the principal without the realm will be passed to the RADIUS server.
    Otherwise, the realm will be included. The default value is true.
indicator
    This tag specifies an authentication indicator to be included in the ticket if this token type is
    used to authenticate. This option may be specified multiple times. (New in release 1.14.)
In the following example, requests are sent to a remote server via UDP:
    [otp]
        MyRemoteTokenType = {
            server = radius.mydomain.com:1812
            secret = SEmfiajf42$
            timeout = 15
            retries = 5
            strip_realm = true
        }
An implicit default token type named DEFAULT is defined for when the per-principal configuration does not
specify a token type. Its configuration is shown below. You may override this token type to something
applicable for your situation:
    [otp]
        DEFAULT = {
            strip_realm = false
        }
PKINIT OPTIONS
    NOTE:
        The following are pkinit-specific options. These values may be specified in [kdcdefaults] as
        global defaults, or within a realm-specific subsection of [realms]. Also note that a
        realm-specific value overrides, and does not add to, a generic [kdcdefaults] specification.
        The search order is:
    1. realm-specific subsection of [realms]:
        [realms]
            EXAMPLE.COM = {
                pkinit_anchors = FILE:/usr/local/example.com.crt
            }
    2. generic value in the [kdcdefaults] section:
        [kdcdefaults]
            pkinit_anchors = DIR:/usr/local/generic_trusted_cas/
    For information about the syntax of some of these options, see Specifying PKINIT identity information
    in krb5.conf(5).
pkinit_anchors
    Specifies the location of trusted anchor (root) certificates which the KDC trusts to sign client
    certificates. This option is required if pkinit is to be supported by the KDC. This option may
    be specified multiple times.
pkinit_dh_min_bits
    Specifies the minimum number of bits the KDC is willing to accept for a client's Diffie-Hellman
    key. The default is 2048.
pkinit_allow_upn
    Specifies that the KDC is willing to accept client certificates with the Microsoft
    UserPrincipalName (UPN) Subject Alternative Name (SAN). This means the KDC accepts the binding of
    the UPN in the certificate to the Kerberos principal name. The default value is false.
    Without this option, the KDC will only accept certificates with the id-pkinit-san as defined in
    RFC 4556. There is currently no option to disable SAN checking in the KDC.
pkinit_eku_checking
    This option specifies what Extended Key Usage (EKU) values the KDC is willing to accept in client
    certificates. The values recognized in the kdc.conf file are:
    kpClientAuth
        This is the default value and specifies that client certificates must have the
        id-pkinit-KPClientAuth EKU as defined in RFC 4556.
    scLogin
        If scLogin is specified, client certificates with the Microsoft Smart Card Login EKU
        (id-ms-kp-sc-logon) will be accepted.
    none
        If none is specified, then client certificates will not be checked to verify they have an
        acceptable EKU. The use of this option is not recommended.
pkinit_identity
    Specifies the location of the KDC's X.509 identity information. This option is required if pkinit
    is to be supported by the KDC.
pkinit_indicator
    Specifies an authentication indicator to include in the ticket if pkinit is used to authenticate.
    This option may be specified multiple times. (New in release 1.14.)
pkinit_pool
    Specifies the location of intermediate certificates which may be used by the KDC to complete the
    trust chain between a client's certificate and a trusted anchor. This option may be specified
    multiple times.
pkinit_revoke
    Specifies the location of Certificate Revocation List (CRL) information to be used by the KDC when
    verifying the validity of client certificates. This option may be specified multiple times.
pkinit_require_crl_checking
    The default certificate verification process will always check the available revocation
    information to see if a certificate has been revoked. If a match is found for the certificate in
    a CRL, verification fails. If the certificate being verified is not listed in a CRL, or there is
    no CRL present for its issuing CA, and pkinit_require_crl_checking is false, then verification
    succeeds.
    However, if pkinit_require_crl_checking is true and there is no CRL information available for the
    issuing CA, then verification fails.
    pkinit_require_crl_checking should be set to true if the policy is such that up-to-date CRLs must
    be present for every CA.
pkinit_require_freshness
    Specifies whether to require clients to include a freshness token in PKINIT requests. The default
    value is false. (New in release 1.17.)
ENCRYPTION TYPES ENCRYPTION TYPES
Any tag in the configuration files which requires a list of encryption types can be set to some combination Any tag in the configuration files which requires a list of encryption types can be set to some combination
of the following strings. Encryption types marked as "weak" are available for compatibility but not of the following strings. Encryption types marked as "weak" are available for compatibility but not
recommended for use. recommended for use.
┌──────────────────────────────────────┬───────────────────────────────────────┐ ┌──────────────────────────────────────┬───────────────────────────────────────┐
│des-cbc-crc │ DES cbc mode with CRC-32 (weak) │
├──────────────────────────────────────┼───────────────────────────────────────┤
│des-cbc-md4 │ DES cbc mode with RSA-MD4 (weak) │
├──────────────────────────────────────┼───────────────────────────────────────┤
│des-cbc-md5 │ DES cbc mode with RSA-MD5 (weak) │
├──────────────────────────────────────┼───────────────────────────────────────┤
│des-cbc-raw │ DES cbc mode raw (weak) │
├──────────────────────────────────────┼───────────────────────────────────────┤
│des3-cbc-raw │ Triple DES cbc mode raw (weak) │ │des3-cbc-raw │ Triple DES cbc mode raw (weak) │
├──────────────────────────────────────┼───────────────────────────────────────┤ ├──────────────────────────────────────┼───────────────────────────────────────┤
│des3-cbc-sha1 des3-hmac-sha1 │ Triple DES cbc mode with HMAC/sha1 │ │des3-cbc-sha1 des3-hmac-sha1 │ Triple DES cbc mode with HMAC/sha1 │
│des3-cbc-sha1-kd │ │ │des3-cbc-sha1-kd │ │
├──────────────────────────────────────┼───────────────────────────────────────┤ ├──────────────────────────────────────┼───────────────────────────────────────┤
│des-hmac-sha1 │ DES with HMAC/sha1 (weak) │ │aes256-cts-hmac-sha1-96 aes256-cts │ AES-256 CTS mode with 96-bit SHA-1 │
├──────────────────────────────────────┼───────────────────────────────────────┤
│aes256-cts-hmac-sha1-96 aes256-cts │ AES-256 CTS mode with 96-bit SHA-1 │
│aes256-sha1 │ HMAC │ │aes256-sha1 │ HMAC │
├──────────────────────────────────────┼───────────────────────────────────────┤ ├──────────────────────────────────────┼───────────────────────────────────────┤
│aes128-cts-hmac-sha1-96 aes128-cts │ AES-128 CTS mode with 96-bit SHA-1 │ │aes128-cts-hmac-sha1-96 aes128-cts │ AES-128 CTS mode with 96-bit SHA-1 │
│aes128-sha1 │ HMAC │ │aes128-sha1 │ HMAC │
├──────────────────────────────────────┼───────────────────────────────────────┤ ├──────────────────────────────────────┼───────────────────────────────────────┤
│aes256-cts-hmac-sha384-192 │ AES-256 CTS mode with 192-bit SHA-384 │ │aes256-cts-hmac-sha384-192 │ AES-256 CTS mode with 192-bit SHA-384 │
│aes256-sha2 │ HMAC │ │aes256-sha2 │ HMAC │
├──────────────────────────────────────┼───────────────────────────────────────┤ ├──────────────────────────────────────┼───────────────────────────────────────┤
│aes128-cts-hmac-sha256-128 │ AES-128 CTS mode with 128-bit SHA-256 │ │aes128-cts-hmac-sha256-128 │ AES-128 CTS mode with 128-bit SHA-256 │
│aes128-sha2 │ HMAC │ │aes128-sha2 │ HMAC │
├──────────────────────────────────────┼───────────────────────────────────────┤ ├──────────────────────────────────────┼───────────────────────────────────────┤
│arcfour-hmac rc4-hmac arcfour-hmac-md5 │ RC4 with HMAC/MD5 │ │arcfour-hmac rc4-hmac arcfour-hmac-md5 │ RC4 with HMAC/MD5 │
├──────────────────────────────────────┼───────────────────────────────────────┤ ├──────────────────────────────────────┼───────────────────────────────────────┤
│arcfour-hmac-exp rc4-hmac-exp arcfour-hmac-md5-exp │ Exportable RC4 with HMAC/MD5 (weak) │ │arcfour-hmac-exp rc4-hmac-exp arcfour-hmac-md5-exp │ Exportable RC4 with HMAC/MD5 (weak) │
├──────────────────────────────────────┼───────────────────────────────────────┤ ├──────────────────────────────────────┼───────────────────────────────────────┤
│camellia256-cts-cmac camellia256-cts │ Camellia-256 CTS mode with CMAC │ │camellia256-cts-cmac camellia256-cts │ Camellia-256 CTS mode with CMAC │
├──────────────────────────────────────┼───────────────────────────────────────┤ ├──────────────────────────────────────┼───────────────────────────────────────┤
│camellia128-cts-cmac camellia128-cts │ Camellia-128 CTS mode with CMAC │ │camellia128-cts-cmac camellia128-cts │ Camellia-128 CTS mode with CMAC │
├──────────────────────────────────────┼───────────────────────────────────────┤ ├──────────────────────────────────────┼───────────────────────────────────────┤
│des │ The DES family: des-cbc-crc, des-cbc-md5, and des-cbc-md4 (weak) │
├──────────────────────────────────────┼───────────────────────────────────────┤
│des3 │ The triple DES family: des3-cbc-sha1 │ │des3 │ The triple DES family: des3-cbc-sha1 │
├──────────────────────────────────────┼───────────────────────────────────────┤ ├──────────────────────────────────────┼───────────────────────────────────────┤
│aes │ The AES family: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha384-192, and aes128-cts-hmac-sha256-128 │ │aes │ The AES family: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha384-192, and aes128-cts-hmac-sha256-128 │
├──────────────────────────────────────┼───────────────────────────────────────┤ ├──────────────────────────────────────┼───────────────────────────────────────┤
│rc4 │ The RC4 family: arcfour-hmac │ │rc4 │ The RC4 family: arcfour-hmac │
└──────────────────────────────────────┴───────────────────────────────────────┘ ├──────────────────────────────────────┼───────────────────────────────────────┤
│camellia │ The Camellia family: camellia256-cts-cmac and camellia128-cts-cmac │ │camellia │ The Camellia family: camellia256-cts-cmac and camellia128-cts-cmac │
└──────────────────────────────────────┴───────────────────────────────────────┘ └──────────────────────────────────────┴───────────────────────────────────────┘
The string DEFAULT can be used to refer to the default set of types for the variable in question. Types The string DEFAULT can be used to refer to the default set of types for the variable in question. Types
or families can be removed from the current list by prefixing them with a minus sign ("-"). Types or or families can be removed from the current list by prefixing them with a minus sign ("-"). Types or
families can be prefixed with a plus sign ("+") for symmetry; it has the same meaning as just listing the families can be prefixed with a plus sign ("+") for symmetry; it has the same meaning as just listing the
type or family. For example, "DEFAULT -des" would be the default set of encryption types with DES types type or family. For example, "DEFAULT -rc4" would be the default set of encryption types with RC4 types
removed, and "des3 DEFAULT" would be the default set of encryption types with triple DES types moved to removed, and "des3 DEFAULT" would be the default set of encryption types with triple DES types moved to
the front. the front.
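Review bot: switching the example from "DEFAULT -des" to "DEFAULT -rc4" matches the removal of the `des` family row (and the individual DES types) from the table above, but the paragraph still does not say what happens to a list that names a type or family the table no longer lists, such as a leftover "-des" in an existing kdc.conf; one sentence stating whether such names are ignored or rejected would save administrators a guess when upgrading.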
While aes128-cts and aes256-cts are supported for all Kerberos operations , they are not supported by very While aes128-cts and aes256-cts are supported for all Kerberos operations , they are not supported by very
old versions of our GSSAPI implementation (krb5-1.3.1 and earlier). Services running versions of krb5 old versions of our GSSAPI implementation (krb5-1.3.1 and earlier). Services running versions of krb5
without AES support must not be given keys of these encryption types in the KDC database. without AES support must not be given keys of these encryption types in the KDC database.
The aes128-sha2 and aes256-sha2 encryption types are new in release 1.15. Services running versions of The aes128-sha2 and aes256-sha2 encryption types are new in release 1.15. Services running versions of
krb5 without support for these newer encryption types must not be given keys of these encryption types in krb5 without support for these newer encryption types must not be given keys of these encryption types in
the KDC database. the KDC database.
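As an added illustration of the list syntax described above (DEFAULT, family names, "-" to remove, "+" or a bare name to add), here is a small Python expansion routine built from the families and aliases of the 1.18 table; it is not code from krb5 or its documentation, its DEFAULT set is a constructed stand-in, and its rejection of unknown names is this example's own choice rather than documented krb5 behaviour.

```python
# Added example (not krb5 code): expand an enctype list string using the rules
# above: DEFAULT, family names, "-" removes, "+" or a bare name adds.
# Canonical name -> aliases, and family -> members, as in the 1.18 table.
TYPES = {
    "des3-cbc-raw": (),
    "des3-cbc-sha1": ("des3-hmac-sha1", "des3-cbc-sha1-kd"),
    "aes256-cts-hmac-sha1-96": ("aes256-cts", "aes256-sha1"),
    "aes128-cts-hmac-sha1-96": ("aes128-cts", "aes128-sha1"),
    "aes256-cts-hmac-sha384-192": ("aes256-sha2",),
    "aes128-cts-hmac-sha256-128": ("aes128-sha2",),
    "arcfour-hmac": ("rc4-hmac", "arcfour-hmac-md5"),
    "arcfour-hmac-exp": ("rc4-hmac-exp", "arcfour-hmac-md5-exp"),
    "camellia256-cts-cmac": ("camellia256-cts",),
    "camellia128-cts-cmac": ("camellia128-cts",),
}
CANONICAL = {a: c for c, aliases in TYPES.items() for a in (c, *aliases)}
FAMILIES = {
    "des3": ["des3-cbc-sha1"],
    "aes": ["aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96",
            "aes256-cts-hmac-sha384-192", "aes128-cts-hmac-sha256-128"],
    "rc4": ["arcfour-hmac"],
    "camellia": ["camellia256-cts-cmac", "camellia128-cts-cmac"],
}
WEAK = {"des3-cbc-raw", "arcfour-hmac-exp"}  # entries marked "(weak)" in the table
# Constructed stand-in for a tag's built-in default list (the real default
# depends on the tag and is not given on this page).
DEFAULT = FAMILIES["aes"] + FAMILIES["des3"] + FAMILIES["rc4"] + FAMILIES["camellia"]

def expand(spec, default=DEFAULT):
    """Return the ordered, de-duplicated list of enctypes that `spec` denotes."""
    result = []
    for tok in spec.replace(",", " ").split():  # whitespace/comma separated (assumed)
        remove = tok.startswith("-")
        name = tok.lstrip("+-")
        if name == "DEFAULT":
            members = list(default)
        elif name in FAMILIES:
            members = FAMILIES[name]
        elif name in CANONICAL:
            members = [CANONICAL[name]]
        else:  # this example rejects unknown names; the page does not say what krb5 does
            raise ValueError("unknown encryption type or family: %r" % name)
        if remove:
            result = [e for e in result if e not in members]
        else:  # append new members; an already-present type keeps its earlier position
            result += [e for e in members if e not in result]
    return result

def weak_types(spec):
    """The enctypes in the expanded list that the table marks as weak."""
    return [e for e in expand(spec) if e in WEAK]
```

With the constructed DEFAULT, `expand("DEFAULT -rc4")` drops arcfour-hmac and `expand("des3 DEFAULT")` places des3-cbc-sha1 first, as the text describes; `weak_types` is a quick audit of a list for the "(weak)" entries.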
skipping to change at line 764 skipping to change at line 744
would start up kadmin so that by default it would generate password-derived keys for the aes256-cts and would start up kadmin so that by default it would generate password-derived keys for the aes256-cts and
aes128-cts encryption types, using a normal salt. aes128-cts encryption types, using a normal salt.
To ensure that people who happen to pick the same password do not have the same key, Kerberos 5 incorporates To ensure that people who happen to pick the same password do not have the same key, Kerberos 5 incorporates
more information into the key using something called a salt. The supported salt types are as follows: more information into the key using something called a salt. The supported salt types are as follows:
┌──────────┬───────────────────────────────────────┐ ┌──────────┬───────────────────────────────────────┐
│normal │ default for Kerberos Version 5 │ │normal │ default for Kerberos Version 5 │
├──────────┼───────────────────────────────────────┤ ├──────────┼───────────────────────────────────────┤
│v4 │ the only type used by Kerberos Version 4 (no salt) │ │norealm │ same as the default, without using │
├──────────┼───────────────────────────────────────┤
│norealm │ same as the default, without using │
│ │ realm information │ │ │ realm information │
├──────────┼───────────────────────────────────────┤ ├──────────┼───────────────────────────────────────┤
│onlyrealm │ uses only realm information as the │ │onlyrealm │ uses only realm information as the │
│ │ salt │ │ │ salt │
├──────────┼───────────────────────────────────────┤ ├──────────┼───────────────────────────────────────┤
│afs3 │ AFS version 3, only used for compatibility with Kerberos 4 in AFS │
├──────────┼───────────────────────────────────────┤
│special │ generate a random salt │ │special │ generate a random salt │
└──────────┴───────────────────────────────────────┘ └──────────┴───────────────────────────────────────┘
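An added, constructed illustration of how the salt types in the table change the key derived from one password; it is not krb5 code. The salt-string rules it uses (realm followed by the principal components for "normal", components only for "norealm", realm only for "onlyrealm") and the PBKDF2-HMAC-SHA1 stage of the aes256-cts string-to-key (RFC 3962, 4096 iterations, final DK() step omitted) are stated as assumptions about krb5 behaviour, not text from this page.

```python
# Added, constructed example (not krb5 code) of how the salt types above change
# the key derived from one password.  Assumptions about krb5 behaviour, not text
# from this page: "normal" salt = realm followed by the principal components,
# "norealm" = components only, "onlyrealm" = realm only; the string-to-key step
# shown is the PBKDF2-HMAC-SHA1 (4096 iterations) stage of aes256-cts per RFC
# 3962, without the final DK() step.
import hashlib
import os


def salt_string(principal, salttype):
    """Salt bytes for 'name/instance@REALM' under the given salt type."""
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    if salttype == "normal":
        return (realm + "".join(components)).encode()
    if salttype == "norealm":
        return "".join(components).encode()
    if salttype == "onlyrealm":
        return realm.encode()
    if salttype == "special":
        return os.urandom(16)  # random salt; it must be stored alongside the key
    raise ValueError("unsupported salt type: %r" % salttype)


def string_to_key(password, salt, keylen=32, iterations=4096):
    """PBKDF2 stage of the aes256-cts string-to-key (assumption, see above)."""
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations, keylen)


def keys_for(password, principals, salttype="normal"):
    """Map each principal to its derived key (hex) for one shared password."""
    return {p: string_to_key(password, salt_string(p, salttype)).hex()
            for p in principals}


def distinct_keys(password, principals, salttype="normal"):
    """True if no two principals end up with the same key."""
    keys = keys_for(password, principals, salttype).values()
    return len(set(keys)) == len(principals)


if __name__ == "__main__":
    users = ["alice@EXAMPLE.COM", "bob@EXAMPLE.COM"]
    for st in ("normal", "norealm", "onlyrealm"):
        print(st, "distinct:", distinct_keys("hunter2", users, st))
```

Two principals sharing a password get different keys under "normal" and "norealm" but the same key under "onlyrealm", which is the point the paragraph above makes; "norealm" in turn gives the same key to the same name in two realms.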
SAMPLE KDC.CONF FILE SAMPLE KDC.CONF FILE
Here's an example of a kdc.conf file: Here's an example of a kdc.conf file:
[kdcdefaults] [kdcdefaults]
kdc_listen = 88 kdc_listen = 88
kdc_tcp_listen = 88 kdc_tcp_listen = 88
[realms] [realms]
skipping to change at line 829 skipping to change at line 803
SEE ALSO SEE ALSO
krb5.conf(5), krb5kdc(8), kadm5.acl(5) krb5.conf(5), krb5kdc(8), kadm5.acl(5)
AUTHOR AUTHOR
MIT MIT
COPYRIGHT COPYRIGHT
1985-2019, MIT 1985-2019, MIT
1.17.1 KDC.CONF(5) 1.18 KDC.CONF(5)
 End of changes. 69 change blocks. 
197 lines changed or deleted 149 lines changed or added
