1.\" $NetBSD: krb5.conf.5,v 1.2 2011/04/28 14:38:49 wiz Exp $ 2.\" 3.\" Copyright (c) 1999 - 2005 Kungliga Tekniska Högskolan 4.\" (Royal Institute of Technology, Stockholm, Sweden). 5.\" All rights reserved. 6.\" 7.\" Redistribution and use in source and binary forms, with or without 8.\" modification, are permitted provided that the following conditions 9.\" are met: 10.\" 11.\" 1. Redistributions of source code must retain the above copyright 12.\" notice, this list of conditions and the following disclaimer. 13.\" 14.\" 2. Redistributions in binary form must reproduce the above copyright 15.\" notice, this list of conditions and the following disclaimer in the 16.\" documentation and/or other materials provided with the distribution. 17.\" 18.\" 3. Neither the name of the Institute nor the names of its contributors 19.\" may be used to endorse or promote products derived from this software 20.\" without specific prior written permission. 21.\" 22.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 23.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 24.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 25.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 26.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 27.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 28.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 29.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 30.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 31.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 32.\" SUCH DAMAGE. 33.\" 34.\" Id 35.\" 36.Dd May 4, 2005 37.Dt KRB5.CONF 5 38.Os 39.Sh NAME 40.Nm krb5.conf 41.Nd configuration file for Kerberos 5 42.Sh SYNOPSIS 43.In krb5/krb5.h 44.Sh DESCRIPTION 45The 46.Nm 47file specifies several configuration parameters for the Kerberos 5 48library, as well as for some programs. 49.Pp 50The file consists of one or more sections, containing a number of 51bindings. 52The value of each binding can be either a string or a list of other 53bindings. 54The grammar looks like: 55.Bd -literal -offset indent 56file: 57 /* empty */ 58 sections 59 60sections: 61 section sections 62 section 63 64section: 65 '[' section_name ']' bindings 66 67section_name: 68 STRING 69 70bindings: 71 binding bindings 72 binding 73 74binding: 75 name '=' STRING 76 name '=' '{' bindings '}' 77 78name: 79 STRING 80 81.Ed 82.Li STRINGs 83consists of one or more non-whitespace characters. 84.Pp 85STRINGs that are specified later in this man-page uses the following 86notation. 87.Bl -tag -width "xxx" -offset indent 88.It boolean 89values can be either yes/true or no/false. 90.It time 91values can be a list of year, month, day, hour, min, second. 92Example: 1 month 2 days 30 min. 93If no unit is given, seconds is assumed. 94.It etypes 95valid encryption types are: des-cbc-crc, des-cbc-md4, des-cbc-md5, 96des3-cbc-sha1, arcfour-hmac-md5, aes128-cts-hmac-sha1-96, and 97aes256-cts-hmac-sha1-96 . 98.It address 99an address can be either a IPv4 or a IPv6 address. 100.El 101.Pp 102Currently recognised sections and bindings are: 103.Bl -tag -width "xxx" -offset indent 104.It Li [appdefaults] 105Specifies the default values to be used for Kerberos applications. 106You can specify defaults per application, realm, or a combination of 107these. 108The preference order is: 109.Bl -enum -compact 110.It 111.Va application Va realm Va option 112.It 113.Va application Va option 114.It 115.Va realm Va option 116.It 117.Va option 118.El 119.Pp 120The supported options are: 121.Bl -tag -width "xxx" -offset indent 122.It Li forwardable = Va boolean 123When obtaining initial credentials, make the credentials forwardable. 124.It Li proxiable = Va boolean 125When obtaining initial credentials, make the credentials proxiable. 126.It Li no-addresses = Va boolean 127When obtaining initial credentials, request them for an empty set of 128addresses, making the tickets valid from any address. 129.It Li ticket_lifetime = Va time 130Default ticket lifetime. 131.It Li renew_lifetime = Va time 132Default renewable ticket lifetime. 133.It Li encrypt = Va boolean 134Use encryption, when available. 135.It Li forward = Va boolean 136Forward credentials to remote host (for 137.Xr rsh 1 , 138.Xr telnet 1 , 139etc). 140.El 141.It Li [libdefaults] 142.Bl -tag -width "xxx" -offset indent 143.It Li default_realm = Va REALM 144Default realm to use, this is also known as your 145.Dq local realm . 146The default is the result of 147.Fn krb5_get_host_realm "local hostname" . 148.It Li allow_weak_crypto = Va boolean 149is weaks crypto algorithms allowed to be used, among others, DES is 150considered weak. 151.It Li clockskew = Va time 152Maximum time differential (in seconds) allowed when comparing 153times. 154Default is 300 seconds (five minutes). 155.It Li kdc_timeout = Va time 156Maximum time to wait for a reply from the kdc, default is 3 seconds. 157.It Li v4_name_convert 158.It Li v4_instance_resolve 159These are described in the 160.Xr krb5_425_conv_principal 3 161manual page. 162.It Li capath = { 163.Bl -tag -width "xxx" -offset indent 164.It Va destination-realm Li = Va next-hop-realm 165.It ... 166.It Li } 167.El 168This is deprecated, see the 169.Li capaths 170section below. 171.It Li default_cc_type = Va cctype 172sets the default credentials type. 173.It Li default_cc_name = Va ccname 174the default credentials cache name. 175If you want to change the type only use 176.Li default_cc_type . 177The string can contain variables that are expanded on runtime. 178Only support variable now is 179.Li %{uid} 180that expands to the current user id. 181.It Li default_etypes = Va etypes ... 182A list of default encryption types to use. 183.It Li default_etypes_des = Va etypes ... 184A list of default encryption types to use when requesting a DES credential. 185.It Li default_keytab_name = Va keytab 186The keytab to use if no other is specified, default is 187.Dq FILE:/etc/krb5.keytab . 188.It Li dns_lookup_kdc = Va boolean 189Use DNS SRV records to lookup KDC services location. 190.It Li dns_lookup_realm = Va boolean 191Use DNS TXT records to lookup domain to realm mappings. 192.It Li kdc_timesync = Va boolean 193Try to keep track of the time differential between the local machine 194and the KDC, and then compensate for that when issuing requests. 195.It Li max_retries = Va number 196The max number of times to try to contact each KDC. 197.It Li large_msg_size = Va number 198The threshold where protocols with tiny maximum message sizes are not 199considered usable to send messages to the KDC. 200.It Li ticket_lifetime = Va time 201Default ticket lifetime. 202.It Li renew_lifetime = Va time 203Default renewable ticket lifetime. 204.It Li forwardable = Va boolean 205When obtaining initial credentials, make the credentials forwardable. 206This option is also valid in the [realms] section. 207.It Li proxiable = Va boolean 208When obtaining initial credentials, make the credentials proxiable. 209This option is also valid in the [realms] section. 210.It Li verify_ap_req_nofail = Va boolean 211If enabled, failure to verify credentials against a local key is a 212fatal error. 213The application has to be able to read the corresponding service key 214for this to work. 215Some applications, like 216.Xr su 1 , 217enable this option unconditionally. 218.It Li warn_pwexpire = Va time 219How soon to warn for expiring password. 220Default is seven days. 221.It Li http_proxy = Va proxy-spec 222A HTTP-proxy to use when talking to the KDC via HTTP. 223.It Li dns_proxy = Va proxy-spec 224Enable using DNS via HTTP. 225.It Li extra_addresses = Va address ... 226A list of addresses to get tickets for along with all local addresses. 227.It Li time_format = Va string 228How to print time strings in logs, this string is passed to 229.Xr strftime 3 . 230.It Li date_format = Va string 231How to print date strings in logs, this string is passed to 232.Xr strftime 3 . 233.It Li log_utc = Va boolean 234Write log-entries using UTC instead of your local time zone. 235.It Li scan_interfaces = Va boolean 236Scan all network interfaces for addresses, as opposed to simply using 237the address associated with the system's host name. 238.It Li fcache_version = Va int 239Use file credential cache format version specified. 240.It Li krb4_get_tickets = Va boolean 241Also get Kerberos 4 tickets in 242.Nm kinit , 243.Nm login , 244and other programs. 245This option is also valid in the [realms] section. 246.It Li fcc-mit-ticketflags = Va boolean 247Use MIT compatible format for file credential cache. 248It's the field ticketflags that is stored in reverse bit order for 249older than Heimdal 0.7. 250Setting this flag to 251.Dv TRUE 252make it store the MIT way, this is default for Heimdal 0.7. 253.It Li check-rd-req-server 254If set to "ignore", the framework will ignore any the server input to 255.Xr krb5_rd_req 3, 256this is very useful when the GSS-API server input the 257wrong server name into the gss_accept_sec_context call. 258.El 259.It Li [domain_realm] 260This is a list of mappings from DNS domain to Kerberos realm. 261Each binding in this section looks like: 262.Pp 263.Dl domain = realm 264.Pp 265The domain can be either a full name of a host or a trailing 266component, in the latter case the domain-string should start with a 267period. 268The trailing component only matches hosts that are in the same domain, ie 269.Dq .example.com 270matches 271.Dq foo.example.com , 272but not 273.Dq foo.test.example.com . 274.Pp 275The realm may be the token `dns_locate', in which case the actual 276realm will be determined using DNS (independently of the setting 277of the `dns_lookup_realm' option). 278.It Li [realms] 279.Bl -tag -width "xxx" -offset indent 280.It Va REALM Li = { 281.Bl -tag -width "xxx" -offset indent 282.It Li kdc = Va [service/]host[:port] 283Specifies a list of kdcs for this realm. 284If the optional 285.Va port 286is absent, the 287default value for the 288.Dq kerberos/udp 289.Dq kerberos/tcp , 290and 291.Dq http/tcp 292port (depending on service) will be used. 293The kdcs will be used in the order that they are specified. 294.Pp 295The optional 296.Va service 297specifies over what medium the kdc should be 298contacted. 299Possible services are 300.Dq udp , 301.Dq tcp , 302and 303.Dq http . 304Http can also be written as 305.Dq http:// . 306Default service is 307.Dq udp 308and 309.Dq tcp . 310.It Li admin_server = Va host[:port] 311Specifies the admin server for this realm, where all the modifications 312to the database are performed. 313.It Li kpasswd_server = Va host[:port] 314Points to the server where all the password changes are performed. 315If there is no such entry, the kpasswd port on the admin_server host 316will be tried. 317.It Li krb524_server = Va host[:port] 318Points to the server that does 524 conversions. 319If it is not mentioned, the krb524 port on the kdcs will be tried. 320.It Li v4_instance_convert 321.It Li v4_name_convert 322.It Li default_domain 323See 324.Xr krb5_425_conv_principal 3 . 325.It Li tgs_require_subkey 326a boolan variable that defaults to false. 327Old DCE secd (pre 1.1) might need this to be true. 328.El 329.It Li } 330.El 331.It Li [capaths] 332.Bl -tag -width "xxx" -offset indent 333.It Va client-realm Li = { 334.Bl -tag -width "xxx" -offset indent 335.It Va server-realm Li = Va hop-realm ... 336This serves two purposes. First the first listed 337.Va hop-realm 338tells a client which realm it should contact in order to ultimately 339obtain credentials for a service in the 340.Va server-realm . 341Secondly, it tells the KDC (and other servers) which realms are 342allowed in a multi-hop traversal from 343.Va client-realm 344to 345.Va server-realm . 346Except for the client case, the order of the realms are not important. 347.El 348.It Va } 349.El 350.It Li [logging] 351.Bl -tag -width "xxx" -offset indent 352.It Va entity Li = Va destination 353Specifies that 354.Va entity 355should use the specified 356.Li destination 357for logging. 358See the 359.Xr krb5_openlog 3 360manual page for a list of defined destinations. 361.El 362.It Li [kdc] 363.Bl -tag -width "xxx" -offset indent 364.It Li database Li = { 365.Bl -tag -width "xxx" -offset indent 366.It Li dbname Li = Va DATABASENAME 367Use this database for this realm. 368See the info documetation how to configure different database backends. 369.It Li realm Li = Va REALM 370Specifies the realm that will be stored in this database. 371It realm isn't set, it will used as the default database, there can 372only be one entry that doesn't have a 373.Li realm 374stanza. 375.It Li mkey_file Li = Pa FILENAME 376Use this keytab file for the master key of this database. 377If not specified 378.Va DATABASENAME Ns .mkey 379will be used. 380.It Li acl_file Li = PA FILENAME 381Use this file for the ACL list of this database. 382.It Li log_file Li = Pa FILENAME 383Use this file as the log of changes performed to the database. 384This file is used by 385.Nm ipropd-master 386for propagating changes to slaves. 387.El 388.It Li } 389.It Li max-request = Va SIZE 390Maximum size of a kdc request. 391.It Li require-preauth = Va BOOL 392If set pre-authentication is required. 393Since krb4 requests are not pre-authenticated they will be rejected. 394.It Li ports = Va "list of ports" 395List of ports the kdc should listen to. 396.It Li addresses = Va "list of interfaces" 397List of addresses the kdc should bind to. 398.It Li enable-kerberos4 = Va BOOL 399Turn on Kerberos 4 support. 400.It Li v4-realm = Va REALM 401To what realm v4 requests should be mapped. 402.It Li enable-524 = Va BOOL 403Should the Kerberos 524 converting facility be turned on. 404Default is the same as 405.Va enable-kerberos4 . 406.It Li enable-http = Va BOOL 407Should the kdc answer kdc-requests over http. 408.It Li enable-kaserver = Va BOOL 409If this kdc should emulate the AFS kaserver. 410.It Li check-ticket-addresses = Va BOOL 411Verify the addresses in the tickets used in tgs requests. 412.\" XXX 413.It Li allow-null-ticket-addresses = Va BOOL 414Allow address-less tickets. 415.\" XXX 416.It Li allow-anonymous = Va BOOL 417If the kdc is allowed to hand out anonymous tickets. 418.It Li encode_as_rep_as_tgs_rep = Va BOOL 419Encode as-rep as tgs-rep tobe compatible with mistakes older DCE secd did. 420.\" XXX 421.It Li kdc_warn_pwexpire = Va TIME 422The time before expiration that the user should be warned that her 423password is about to expire. 424.It Li logging = Va Logging 425What type of logging the kdc should use, see also [logging]/kdc. 426.It Li use_2b = { 427.Bl -tag -width "xxx" -offset indent 428.It Va principal Li = Va BOOL 429boolean value if the 524 daemon should return AFS 2b tokens for 430.Fa principal . 431.It ... 432.El 433.It Li } 434.It Li hdb-ldap-structural-object Va structural object 435If the LDAP backend is used for storing principals, this is the 436structural object that will be used when creating and when reading 437objects. 438The default value is account . 439.It Li hdb-ldap-create-base Va creation dn 440is the dn that will be appended to the principal when creating entries. 441Default value is the search dn. 442.It Li enable-digest = Va BOOL 443Should the kdc answer digest requests. The default is FALSE. 444.It Li digests_allowed = Va list of digests 445Specifies the digests the kdc will reply to. The default is 446.Li ntlm-v2 . 447.El 448.It Li [kadmin] 449.Bl -tag -width "xxx" -offset indent 450.It Li require-preauth = Va BOOL 451If pre-authentication is required to talk to the kadmin server. 452.It Li password_lifetime = Va time 453If a principal already have its password set for expiration, this is 454the time it will be valid for after a change. 455.It Li default_keys = Va keytypes... 456For each entry in 457.Va default_keys 458try to parse it as a sequence of 459.Va etype:salttype:salt 460syntax of this if something like: 461.Pp 462[(des|des3|etype):](pw-salt|afs3-salt)[:string] 463.Pp 464If 465.Ar etype 466is omitted it means everything, and if string is omitted it means the 467default salt string (for that principal and encryption type). 468Additional special values of keytypes are: 469.Bl -tag -width "xxx" -offset indent 470.It Li v5 471The Kerberos 5 salt 472.Va pw-salt 473.It Li v4 474The Kerberos 4 salt 475.Va des:pw-salt: 476.El 477.It Li use_v4_salt = Va BOOL 478When true, this is the same as 479.Pp 480.Va default_keys = Va des3:pw-salt Va v4 481.Pp 482and is only left for backwards compatibility. 483.El 484.It Li [password_quality] 485Check the Password quality assurance in the info documentation for 486more information. 487.Bl -tag -width "xxx" -offset indent 488.It Li check_library = Va library-name 489Library name that contains the password check_function 490.It Li check_function = Va function-name 491Function name for checking passwords in check_library 492.It Li policy_libraries = Va library1 ... libraryN 493List of libraries that can do password policy checks 494.It Li policies = Va policy1 ... policyN 495List of policy names to apply to the password. Builtin policies are 496among other minimum-length, character-class, external-check. 497.El 498.El 499.Sh ENVIRONMENT 500.Ev KRB5_CONFIG 501points to the configuration file to read. 502.Sh FILES 503.Bl -tag -width "/etc/krb5.conf" 504.It Pa /etc/krb5.conf 505configuration file for Kerberos 5. 506.El 507.Sh EXAMPLES 508.Bd -literal -offset indent 509[libdefaults] 510 default_realm = FOO.SE 511[domain_realm] 512 .foo.se = FOO.SE 513 .bar.se = FOO.SE 514[realms] 515 FOO.SE = { 516 kdc = kerberos.foo.se 517 v4_name_convert = { 518 rcmd = host 519 } 520 v4_instance_convert = { 521 xyz = xyz.bar.se 522 } 523 default_domain = foo.se 524 } 525[logging] 526 kdc = FILE:/var/heimdal/kdc.log 527 kdc = SYSLOG:INFO 528 default = SYSLOG:INFO:USER 529.Ed 530.Sh DIAGNOSTICS 531Since 532.Nm 533is read and parsed by the krb5 library, there is not a lot of 534opportunities for programs to report parsing errors in any useful 535format. 536To help overcome this problem, there is a program 537.Nm verify_krb5_conf 538that reads 539.Nm 540and tries to emit useful diagnostics from parsing errors. 541Note that this program does not have any way of knowing what options 542are actually used and thus cannot warn about unknown or misspelled 543ones. 544.Sh SEE ALSO 545.Xr kinit 1 , 546.Xr krb5_425_conv_principal 3 , 547.Xr krb5_openlog 3 , 548.Xr strftime 3 , 549.Xr verify_krb5_conf 8 550