.\" $NetBSD: krb5.conf.5,v 1.4 2014/04/24 13:45:34 pettai Exp $
.\"
.\" Copyright (c) 1999 - 2005 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\"
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" 3. Neither the name of the Institute nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" Id
.\"
.Dd May 4, 2005
.Dt KRB5.CONF 5
.Os
.Sh NAME
.Nm krb5.conf
.Nd configuration file for Kerberos 5
.Sh SYNOPSIS
.In krb5/krb5.h
.Sh DESCRIPTION
The
.Nm
file specifies several configuration parameters for the Kerberos 5
library, as well as for some programs.
.Pp
The file consists of one or more sections, containing a number of
bindings.
The value of each binding can be either a string or a list of other
bindings.
The grammar looks like:
.Bd -literal -offset indent
file:
    /* empty */
    sections

sections:
    section sections
    section

section:
    '[' section_name ']' bindings

section_name:
    STRING

bindings:
    binding bindings
    binding

binding:
    name '=' STRING
    name '=' '{' bindings '}'

name:
    STRING

.Ed
.Li STRINGs
consist of one or more non-whitespace characters.
.Pp
STRINGs that are specified later in this man-page use the following
notation.
.Bl -tag -width "xxx" -offset indent
.It boolean
values can be either yes/true or no/false.
.It time
values can be a list of year, month, day, hour, min, second.
Example: 1 month 2 days 30 min.
If no unit is given, seconds is assumed.
.It etypes
valid encryption types are: des-cbc-crc, des-cbc-md4, des-cbc-md5,
des3-cbc-sha1, arcfour-hmac-md5, aes128-cts-hmac-sha1-96, and
aes256-cts-hmac-sha1-96.
.It address
an address can be either an IPv4 or an IPv6 address.
.El
.Pp
Currently recognised sections and bindings are:
.Bl -tag -width "xxx" -offset indent
.It Li [appdefaults]
Specifies the default values to be used for Kerberos applications.
You can specify defaults per application, realm, or a combination of
these.
The preference order is:
.Bl -enum -compact
.It
.Va application Va realm Va option
.It
.Va application Va option
.It
.Va realm Va option
.It
.Va option
.El
.Pp
The supported options are:
.Bl -tag -width "xxx" -offset indent
.It Li forwardable = Va boolean
When obtaining initial credentials, make the credentials forwardable.
.It Li proxiable = Va boolean
When obtaining initial credentials, make the credentials proxiable.
.It Li no-addresses = Va boolean
When obtaining initial credentials, request them for an empty set of
addresses, making the tickets valid from any address.
.It Li ticket_lifetime = Va time
Default ticket lifetime.
.It Li renew_lifetime = Va time
Default renewable ticket lifetime.
.It Li encrypt = Va boolean
Use encryption, when available.
.It Li forward = Va boolean
Forward credentials to remote host (for
.Xr rsh 1 ,
.Xr telnet 1 ,
etc).
.El
.It Li [libdefaults]
.Bl -tag -width "xxx" -offset indent
.It Li default_realm = Va REALM
Default realm to use, this is also known as your
.Dq local realm .
The default is the result of
.Fn krb5_get_host_realm "local hostname" .
.It Li allow_weak_crypto = Va boolean
Whether weak crypto algorithms are allowed to be used; among others, DES is
considered weak.
.It Li clockskew = Va time
Maximum time differential (in seconds) allowed when comparing
times.
Default is 300 seconds (five minutes).
.It Li kdc_timeout = Va time
Maximum time to wait for a reply from the kdc, default is 3 seconds.
.It Li v4_name_convert
.It Li v4_instance_resolve
These are described in the
.Xr krb5_425_conv_principal 3
manual page.
.It Li capath = {
.Bl -tag -width "xxx" -offset indent
.It Va destination-realm Li = Va next-hop-realm
.It ...
.It Li }
.El
This is deprecated, see the
.Li capaths
section below.
.It Li default_cc_type = Va cctype
sets the default credentials type.
.It Li default_cc_name = Va ccname
the default credentials cache name.
If you want to change the type only, use
.Li default_cc_type .
The string can contain variables that are expanded at runtime.
The only supported variable at present is
.Li %{uid}
which expands to the current user id.
.It Li default_etypes = Va etypes ...
A list of default encryption types to use. (Default: all enctypes if
allow_weak_crypto = TRUE, else all enctypes except single DES enctypes.)
.It Li default_as_etypes = Va etypes ...
A list of default encryption types to use in AS requests. (Default: the
value of default_etypes.)
.It Li default_tgs_etypes = Va etypes ...
A list of default encryption types to use in TGS requests. (Default:
the value of default_etypes.)
.It Li default_etypes_des = Va etypes ...
A list of default encryption types to use when requesting a DES credential.
.It Li default_keytab_name = Va keytab
The keytab to use if no other is specified, default is
.Dq FILE:/etc/krb5.keytab .
.It Li dns_lookup_kdc = Va boolean
Use DNS SRV records to look up the location of KDC services.
.It Li dns_lookup_realm = Va boolean
Use DNS TXT records to look up domain to realm mappings.
.It Li kdc_timesync = Va boolean
Try to keep track of the time differential between the local machine
and the KDC, and then compensate for that when issuing requests.
.It Li max_retries = Va number
The max number of times to try to contact each KDC.
.It Li large_msg_size = Va number
The threshold where protocols with tiny maximum message sizes are not
considered usable to send messages to the KDC.
.It Li ticket_lifetime = Va time
Default ticket lifetime.
.It Li renew_lifetime = Va time
Default renewable ticket lifetime.
.It Li forwardable = Va boolean
When obtaining initial credentials, make the credentials forwardable.
This option is also valid in the [realms] section.
.It Li proxiable = Va boolean
When obtaining initial credentials, make the credentials proxiable.
This option is also valid in the [realms] section.
.It Li verify_ap_req_nofail = Va boolean
If enabled, failure to verify credentials against a local key is a
fatal error.
The application has to be able to read the corresponding service key
for this to work.
Some applications, like
.Xr su 1 ,
enable this option unconditionally.
.It Li warn_pwexpire = Va time
How soon to warn of an expiring password.
Default is seven days.
.It Li http_proxy = Va proxy-spec
An HTTP proxy to use when talking to the KDC via HTTP.
.It Li dns_proxy = Va proxy-spec
Enable using DNS via HTTP.
.It Li extra_addresses = Va address ...
A list of addresses to get tickets for along with all local addresses.
.It Li time_format = Va string
How to print time strings in logs; this string is passed to
.Xr strftime 3 .
.It Li date_format = Va string
How to print date strings in logs; this string is passed to
.Xr strftime 3 .
.It Li log_utc = Va boolean
Write log entries using UTC instead of your local time zone.
.It Li scan_interfaces = Va boolean
Scan all network interfaces for addresses, as opposed to simply using
the address associated with the system's host name.
.It Li fcache_version = Va int
Use the file credential cache format version specified.
.It Li krb4_get_tickets = Va boolean
Also get Kerberos 4 tickets in
.Nm kinit ,
.Nm login ,
and other programs.
This option is also valid in the [realms] section.
.It Li fcc-mit-ticketflags = Va boolean
Use MIT compatible format for the file credential cache.
It is the ticketflags field that is stored in reverse bit order by
versions older than Heimdal 0.7.
Setting this flag to
.Dv TRUE
makes it store the MIT way; this is the default for Heimdal 0.7.
.It Li check-rd-req-server
If set to "ignore", the framework will ignore any server input to
.Xr krb5_rd_req 3 ,
this is very useful when the GSS-API server inputs the
wrong server name into the gss_accept_sec_context call.
.El
.It Li [domain_realm]
This is a list of mappings from DNS domain to Kerberos realm.
Each binding in this section looks like:
.Pp
.Dl domain = realm
.Pp
The domain can be either a full name of a host or a trailing
component; in the latter case the domain string should start with a
period.
The trailing component only matches hosts that are in the same domain, i.e.
.Dq .example.com
matches
.Dq foo.example.com ,
but not
.Dq foo.test.example.com .
.Pp
The realm may be the token `dns_locate', in which case the actual
realm will be determined using DNS (independently of the setting
of the `dns_lookup_realm' option).
.It Li [realms]
.Bl -tag -width "xxx" -offset indent
.It Va REALM Li = {
.Bl -tag -width "xxx" -offset indent
.It Li kdc = Va [service/]host[:port]
Specifies a list of kdcs for this realm.
If the optional
.Va port
is absent, the
default value for the
.Dq kerberos/udp ,
.Dq kerberos/tcp ,
and
.Dq http/tcp
port (depending on service) will be used.
The kdcs will be used in the order that they are specified.
.Pp
The optional
.Va service
specifies over what medium the kdc should be
contacted.
Possible services are
.Dq udp ,
.Dq tcp ,
and
.Dq http .
Http can also be written as
.Dq http:// .
Default service is
.Dq udp
and
.Dq tcp .
.It Li admin_server = Va host[:port]
Specifies the admin server for this realm, where all the modifications
to the database are performed.
.It Li kpasswd_server = Va host[:port]
Points to the server where all the password changes are performed.
If there is no such entry, the kpasswd port on the admin_server host
will be tried.
.It Li krb524_server = Va host[:port]
Points to the server that does 524 conversions.
If it is not mentioned, the krb524 port on the kdcs will be tried.
.It Li v4_instance_convert
.It Li v4_name_convert
.It Li default_domain
See
.Xr krb5_425_conv_principal 3 .
.It Li tgs_require_subkey
a boolean variable that defaults to false.
Old DCE secd (pre 1.1) might need this to be true.
.El
.It Li }
.El
.It Li [capaths]
.Bl -tag -width "xxx" -offset indent
.It Va client-realm Li = {
.Bl -tag -width "xxx" -offset indent
.It Va server-realm Li = Va hop-realm ...
This serves two purposes.
First, the first listed
.Va hop-realm
tells a client which realm it should contact in order to ultimately
obtain credentials for a service in the
.Va server-realm .
Secondly, it tells the KDC (and other servers) which realms are
allowed in a multi-hop traversal from
.Va client-realm
to
.Va server-realm .
Except for the client case, the order of the realms is not important.
.El
.It Va }
.El
.It Li [logging]
.Bl -tag -width "xxx" -offset indent
.It Va entity Li = Va destination
Specifies that
.Va entity
should use the specified
.Li destination
for logging.
See the
.Xr krb5_openlog 3
manual page for a list of defined destinations.
.El
.It Li [kdc]
.Bl -tag -width "xxx" -offset indent
.It Li database Li = {
.Bl -tag -width "xxx" -offset indent
.It Li dbname Li = Va DATABASENAME
Use this database for this realm.
See the info documentation for how to configure different database backends.
.It Li realm Li = Va REALM
Specifies the realm that will be stored in this database.
If realm isn't set, it will be used as the default database; there can
only be one entry that doesn't have a
.Li realm
stanza.
.It Li mkey_file Li = Pa FILENAME
Use this keytab file for the master key of this database.
If not specified,
.Va DATABASENAME Ns .mkey
will be used.
.It Li acl_file Li = Pa FILENAME
Use this file for the ACL list of this database.
.It Li log_file Li = Pa FILENAME
Use this file as the log of changes performed to the database.
This file is used by
.Nm ipropd-master
for propagating changes to slaves.
.El
.It Li }
.It Li max-request = Va SIZE
Maximum size of a kdc request.
.It Li require-preauth = Va BOOL
If set, pre-authentication is required.
Since krb4 requests are not pre-authenticated they will be rejected.
.It Li ports = Va "list of ports"
List of ports the kdc should listen to.
.It Li addresses = Va "list of interfaces"
List of addresses the kdc should bind to.
.It Li enable-kerberos4 = Va BOOL
Turn on Kerberos 4 support.
.It Li v4-realm = Va REALM
To what realm v4 requests should be mapped.
.It Li enable-524 = Va BOOL
Should the Kerberos 524 converting facility be turned on.
Default is the same as
.Va enable-kerberos4 .
.It Li enable-http = Va BOOL
Should the kdc answer kdc-requests over http.
.It Li enable-kaserver = Va BOOL
If this kdc should emulate the AFS kaserver.
.It Li tgt-use-strongest-session-key = Va BOOL
If this is TRUE then the KDC will prefer the strongest key from the
client's AS-REQ or TGS-REQ enctype list for the ticket session key that
is supported by the KDC and the target principal when the target
principal is a krbtgt principal.
Else it will prefer the first key from
the client's AS-REQ enctype list that is also supported by the KDC and
the target principal.
Defaults to FALSE.
.It Li svc-use-strongest-session-key = Va BOOL
Like tgt-use-strongest-session-key, but applies to the session key
enctype of tickets for services other than krbtgt principals.
Defaults to FALSE.
.It Li preauth-use-strongest-session-key = Va BOOL
If TRUE then select the strongest possible enctype from the client's
AS-REQ for PA-ETYPE-INFO2 (i.e., for password-based pre-authentication).
Else pick the first supported enctype from the client's AS-REQ.
Defaults to FALSE.
.It Li use-strongest-server-key = Va BOOL
If TRUE then the KDC picks, for the ticket encrypted part's key, the
strongest supported enctype from the target service principal's hdb entry's
current keyset.
Else the KDC picks the first supported enctype from the
target service principal's hdb entry's current keyset.
Defaults to TRUE.
.It Li check-ticket-addresses = Va BOOL
Verify the addresses in the tickets used in tgs requests.
.\" XXX
.It Li allow-null-ticket-addresses = Va BOOL
Allow address-less tickets.
.\" XXX
.It Li allow-anonymous = Va BOOL
If the kdc is allowed to hand out anonymous tickets.
.It Li encode_as_rep_as_tgs_rep = Va BOOL
Encode as-rep as tgs-rep to be compatible with mistakes older DCE secd did.
.\" XXX
.It Li kdc_warn_pwexpire = Va TIME
The time before expiration that the user should be warned that her
password is about to expire.
.It Li logging = Va Logging
What type of logging the kdc should use, see also [logging]/kdc.
.It Li use_2b = {
.Bl -tag -width "xxx" -offset indent
.It Va principal Li = Va BOOL
boolean value if the 524 daemon should return AFS 2b tokens for
.Fa principal .
.It ...
.El
.It Li }
.It Li hdb-ldap-structural-object Va structural object
If the LDAP backend is used for storing principals, this is the
structural object that will be used when creating and when reading
objects.
The default value is account.
.It Li hdb-ldap-create-base Va creation dn
is the dn that will be appended to the principal when creating entries.
Default value is the search dn.
.It Li enable-digest = Va BOOL
Should the kdc answer digest requests.
The default is FALSE.
.It Li digests_allowed = Va list of digests
Specifies the digests the kdc will reply to.
The default is
.Li ntlm-v2 .
.El
.It Li [kadmin]
.Bl -tag -width "xxx" -offset indent
.It Li require-preauth = Va BOOL
If pre-authentication is required to talk to the kadmin server.
.It Li password_lifetime = Va time
If a principal already has its password set for expiration, this is
the time it will be valid for after a change.
.It Li default_keys = Va keytypes...
For each entry in
.Va default_keys
try to parse it as a sequence of
.Va etype:salttype:salt
syntax; the syntax of this is something like:
.Pp
[(des|des3|etype):](pw-salt|afs3-salt)[:string]
.Pp
If
.Ar etype
is omitted it means everything, and if string is omitted it means the
default salt string (for that principal and encryption type).
Additional special values of keytypes are:
.Bl -tag -width "xxx" -offset indent
.It Li v5
The Kerberos 5 salt
.Va pw-salt
.It Li v4
The Kerberos 4 salt
.Va des:pw-salt:
.El
.It Li use_v4_salt = Va BOOL
When true, this is the same as
.Pp
.Va default_keys = Va des3:pw-salt Va v4
.Pp
and is only left for backwards compatibility.
.El
.It Li [password_quality]
Check the Password quality assurance section in the info documentation for
more information.
.Bl -tag -width "xxx" -offset indent
.It Li check_library = Va library-name
Library name that contains the password check_function
.It Li check_function = Va function-name
Function name for checking passwords in check_library
.It Li policy_libraries = Va library1 ... libraryN
List of libraries that can do password policy checks
.It Li policies = Va policy1 ... policyN
List of policy names to apply to the password.
Builtin policies are, among others, minimum-length, character-class, external-check.
.El
.El
.Sh ENVIRONMENT
.Ev KRB5_CONFIG
points to the configuration file to read.
.Sh FILES
.Bl -tag -width "/etc/krb5.conf"
.It Pa /etc/krb5.conf
configuration file for Kerberos 5.
.El
.Sh EXAMPLES
.Bd -literal -offset indent
[libdefaults]
    default_realm = FOO.SE
[domain_realm]
    .foo.se = FOO.SE
    .bar.se = FOO.SE
[realms]
    FOO.SE = {
        kdc = kerberos.foo.se
        v4_name_convert = {
            rcmd = host
        }
        v4_instance_convert = {
            xyz = xyz.bar.se
        }
        default_domain = foo.se
    }
[logging]
    kdc = FILE:/var/heimdal/kdc.log
    kdc = SYSLOG:INFO
    default = SYSLOG:INFO:USER
.Ed
.Sh DIAGNOSTICS
Since
.Nm
is read and parsed by the krb5 library, there are not a lot of
opportunities for programs to report parsing errors in any useful
format.
To help overcome this problem, there is a program
.Nm verify_krb5_conf
that reads
.Nm
and tries to emit useful diagnostics from parsing errors.
Note that this program does not have any way of knowing what options
are actually used and thus cannot warn about unknown or misspelled
ones.
.Sh SEE ALSO
.Xr kinit 1 ,
.Xr krb5_425_conv_principal 3 ,
.Xr krb5_openlog 3 ,
.Xr strftime 3 ,
.Xr verify_krb5_conf 8
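The grammar in DESCRIPTION, the boolean and etypes notations, and the allow_weak_crypto and default_etypes bindings, worked through as an added example (this is not Heimdal code and not part of the manual page): a parser for the section/binding grammar, including nested "name = { ... }" blocks and repeated names, followed by a check that flags [libdefaults] settings which admit the single-DES enctypes the page calls weak. The function names parse_krb5_conf and weak_crypto_findings are the example's own, and the sample input is constructed from the EXAMPLES section with two weak settings added.

```python
"""krb5.conf parser following the grammar in krb5.conf(5), plus a weak-crypto check.
Added example, not Heimdal code; a binding maps to a list because names may repeat."""

WEAK_ETYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}  # single DES, per the page

def parse_krb5_conf(text):
    """Return {section: {name: [str | dict, ...]}}; a dict is a '{ ... }' block."""
    sections, stack, cur = {}, [], None
    for lineno, line in enumerate(map(str.strip, text.splitlines()), 1):
        if not line:
            continue
        header = line[1:-1] if line[0] == "[" and line[-1] == "]" else None
        if header and not stack:                 # '[' section_name ']'
            cur = sections.setdefault(header, {})
        elif line == "}" and stack:              # close of 'name = {'
            cur = stack.pop()
        elif cur is not None and "=" in line and header is None:
            name, _, value = (p.strip() for p in line.partition("="))
            if value == "{":                     # name '=' '{' bindings '}'
                stack.append(cur)
                cur = {}
                stack[-1].setdefault(name, []).append(cur)
            else:                                # name '=' STRING
                cur.setdefault(name, []).append(value)
        else:
            raise ValueError(f"line {lineno}: cannot parse {line!r}")
    if stack:
        raise ValueError("end of file inside an unclosed '{' block")
    return sections

def weak_crypto_findings(conf):
    """Flag [libdefaults] settings that admit the single-DES enctypes."""
    lib, out = conf.get("libdefaults", {}), []
    if lib.get("allow_weak_crypto", ["no"])[-1].lower() in ("yes", "true"):
        out.append("allow_weak_crypto is enabled")
    for key in ("default_etypes", "default_as_etypes", "default_tgs_etypes"):
        for value in lib.get(key, []):
            weak = sorted(set(str(value).split()) & WEAK_ETYPES)
            if weak:
                out.append(f"{key} lists weak enctypes: {' '.join(weak)}")
    return out

# Constructed sample: the page's EXAMPLES plus two weak [libdefaults] settings.
SAMPLE = """\
[libdefaults]
    default_realm = FOO.SE
    allow_weak_crypto = true
    default_etypes = aes256-cts-hmac-sha1-96 des-cbc-md5
[realms]
    FOO.SE = {
        kdc = kerberos.foo.se
        v4_name_convert = {
            rcmd = host
        }
    }
[logging]
    kdc = FILE:/var/heimdal/kdc.log
    kdc = SYSLOG:INFO
"""
```

The value of a binding is taken as the rest of the line, so multi-word time values such as "1 month 2 days" survive even though the grammar's STRING is defined as non-whitespace characters.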