Go to main content

man pages section 5: File Formats

Exit Print View

Updated: Thursday, June 13, 2019
 
 

krb5.conf (5)

Name

krb5.conf - Kerberos configuration file The krb5.conf file contains Kerberos configuration information, includ- ing the locations of KDCs and admin servers for the Kerberos realms of interest, defaults for the current realm and for Kerberos applications, and mappings of hostnames onto Kerberos realms. Normally, you should install your krb5.conf file in the directory /etc. You can override the default location by setting the environment variable KRB5_CONFIG. Multiple colon-separated filenames may be specified in KRB5_CONFIG; all files which are present will be read. Starting in release 1.14, direc- tory names can also be specified in KRB5_CONFIG; all files within the directory whose names consist solely of alphanumeric characters, dashes, or underscores will be read.

Synopsis

Please see following description for synopsis

Description

KRB5.CONF(5)                     MIT Kerberos                     KRB5.CONF(5)



NAME
       krb5.conf - Kerberos configuration file

       The krb5.conf file contains Kerberos configuration information, includ-
       ing the locations of KDCs and admin servers for the Kerberos realms  of
       interest, defaults for the current realm and for Kerberos applications,
       and mappings of hostnames onto Kerberos realms.  Normally,  you  should
       install  your  krb5.conf  file in the directory /etc.  You can override
       the default location by setting the environment  variable  KRB5_CONFIG.
       Multiple colon-separated filenames may be specified in KRB5_CONFIG; all
       files which are present will be read.  Starting in release 1.14, direc-
       tory  names  can also be specified in KRB5_CONFIG; all files within the
       directory  whose  names  consist  solely  of  alphanumeric  characters,
       dashes, or underscores will be read.

STRUCTURE
       The krb5.conf file is set up in the style of a Windows INI file.  Lines
       beginning with '#' or  ';'  (possibly  after  initial  whitespace)  are
       ignored  as  comments.   Sections  are  headed  by the section name, in
       square brackets.  Each section may contain zero or more  relations,  of
       the form:

          foo = bar

       or:

          fubar = {
              foo = bar
              baz = quux
          }

       Placing  a  '*'  at  the end of a line indicates that this is the final
       value for the tag.  This means that neither the remainder of this  con-
       figuration  file  nor  any other configuration file will be checked for
       any other values for this tag.

       For example, if you have the following lines:

          foo = bar*
          foo = baz

       then the second value of foo (baz) would never be read.

       The krb5.conf file can include other files using either of the  follow-
       ing directives at the beginning of a line:

          include FILENAME
          includedir DIRNAME

       FILENAME  or  DIRNAME  should  be  an  absolute path. The named file or
       directory must exist and be readable.  Including a  directory  includes
       all  files  within the directory whose names consist solely of alphanu-
       meric characters, dashes, or underscores.  Starting  in  release  1.15,
       files  with  names ending in ".conf" are also included, unless the name
       begins with ".".  Included profile files are syntactically  independent
       of  their  parents,  so  each  included  file must begin with a section
       header.

       The krb5.conf file can specify that configuration  should  be  obtained
       from  a loadable module, rather than the file itself, using the follow-
       ing directive at the beginning of a line before any section headers:

          module MODULEPATH:RESIDUAL

       MODULEPATH may be relative to the library path of  the  krb5  installa-
       tion,  or it may be an absolute path.  RESIDUAL is provided to the mod-
       ule at initialization time.  If  krb5.conf  uses  a  module  directive,
       kdc.conf(5) should also use one if it exists.

SECTIONS
       The krb5.conf file may contain the following sections:

                    +---------------+----------------------------+
                    |[libdefaults]  | Settings  used by the Ker- |
                    |               | beros V5 library           |
                    +---------------+----------------------------+
                    |[realms]       | Realm-specific     contact |
                    |               | information and settings   |
                    +---------------+----------------------------+
                    |[domain_realm] | Maps  server  hostnames to |
                    |               | Kerberos realms            |
                    +---------------+----------------------------+
                    |[capaths]      | Authentication  paths  for |
                    |               | non-hierarchical           |
                    |               | cross-realm                |
                    +---------------+----------------------------+
                    |[appdefaults]  | Settings used by some Ker- |
                    |               | beros V5 applications      |
                    +---------------+----------------------------+
                    |[plugins]      | Controls   plugin   module |
                    |               | registration               |
                    +---------------+----------------------------+

       Additionally, krb5.conf may include any of the relations  described  in
       kdc.conf(5), but it is not a recommended practice.

   [libdefaults]
       The libdefaults section may contain any of the following relations:

       allow_weak_crypto
              If  this  flag  is  set to false, then weak encryption types (as
              noted in Encryption_types in kdc.conf(5)) will be  filtered  out
              of  the  lists  default_tgs_enctypes,  default_tkt_enctypes, and
              permitted_enctypes.  The default value for this  tag  is  false,
              which may cause authentication failures in existing Kerberos in-
              frastructures that do  not  support  strong  crypto.   Users  in
              affected  environments  should  set this tag to true until their
              infrastructure adopts stronger ciphers.

       ap_req_checksum_type
              An integer which specifies the type of AP-REQ checksum to use in
              authenticators.   This variable should be unset so the appropri-
              ate checksum for the encryption key in use will be  used.   This
              can  be set if backward compatibility requires a specific check-
              sum type.  See the  kdc_req_checksum_type  configuration  option
              for the possible values and their meanings.

       auth_to_local_realm
              For  use in the default realm, non-default realms can be equated
              with the default realm for authenticated name-to-local name map-
              ping.

       canonicalize
              If  this flag is set to true, initial ticket requests to the KDC
              will request canonicalization of the client principal name,  and
              answers  with  different  client  principals  than the requested
              principal will be accepted.  The default value is false.

       ccache_type
              This parameter determines the format of credential  cache  types
              created  by kinit(1) or other programs.  The default value is 4,
              which represents the most current format.  Smaller values can be
              used for compatibility with very old implementations of Kerberos
              which interact with credential caches on the same host.

       clockskew
              Sets the maximum allowable amount of clockskew in  seconds  that
              the  library  will tolerate before assuming that a Kerberos mes-
              sage is invalid.  The default value is 300 seconds, or five min-
              utes.

              The  clockskew setting is also used when evaluating ticket start
              and expiration times.  For example, tickets  that  have  reached
              their expiration time can still be used (and renewed if they are
              renewable tickets) if they have been expired for a shorter dura-
              tion than the clockskew setting.

       default_ccache_name
              This  relation  specifies  the  name  of  the default credential
              cache.       The      default       is       FILE:/tmp/volatile-
              user/%{uid}/krb5cc_%{uid}.   This relation is subject to parame-
              ter expansion (see below).  New in release 1.11.

       default_client_keytab_name
              This relation specifies the  name  of  the  default  keytab  for
              obtaining     client     credentials.      The     default    is
              FILE:/var/user/%{username}/client.keytab.  This relation is sub-
              ject to parameter expansion (see below).  New in release 1.11.

       default_keytab_name
              This  relation  specifies  the default keytab name to be used by
              application   servers   such   as   sshd.    The   default    is
              FILE:/etc/krb5/krb5.keytab.  This relation is subject to parame-
              ter expansion (see below).

       default_realm
              Identifies the default Kerberos realm for the client.   Set  its
              value  to your Kerberos realm.  If this value is not set, then a
              realm must be  specified  with  every  Kerberos  principal  when
              invoking programs such as kinit(1).

       default_tgs_enctypes
              Identifies  the  supported  list of session key encryption types
              that the client should request when making a TGS-REQ,  in  order
              of preference from highest to lowest.  The list may be delimited
              with commas or whitespace.  See Encryption_types in  kdc.conf(5)
              for  a  list  of  the accepted values for this tag.  The default
              value   is    aes256-cts-hmac-sha1-96    aes128-cts-hmac-sha1-96
              aes256-cts-hmac-sha384-192            aes128-cts-hmac-sha256-128
              des3-cbc-sha1   arcfour-hmac-md5   camellia256-cts-cmac   camel-
              lia128-cts-cmac  des-cbc-crc  des-cbc-md5  des-cbc-md4, but sin-
              gle-DES encryption types will be implicitly  removed  from  this
              list if the value of allow_weak_crypto is false.

              Do  not  set this unless required for specific backward compati-
              bility purposes;  stale  values  of  this  setting  can  prevent
              clients  from taking advantage of new stronger enctypes when the
              libraries are upgraded.

       default_tkt_enctypes
              Identifies the supported list of session  key  encryption  types
              that  the  client should request when making an AS-REQ, in order
              of preference from highest to lowest.  The format is the same as
              for  default_tgs_enctypes.   The  default  value for this tag is
              aes256-cts-hmac-sha1-96                  aes128-cts-hmac-sha1-96
              aes256-cts-hmac-sha384-192            aes128-cts-hmac-sha256-128
              des3-cbc-sha1   arcfour-hmac-md5   camellia256-cts-cmac   camel-
              lia128-cts-cmac  des-cbc-crc  des-cbc-md5  des-cbc-md4, but sin-
              gle-DES encryption types will be implicitly  removed  from  this
              list if the value of allow_weak_crypto is false.

              Do  not  set this unless required for specific backward compati-
              bility purposes;  stale  values  of  this  setting  can  prevent
              clients  from taking advantage of new stronger enctypes when the
              libraries are upgraded.

       dns_canonicalize_hostname
              Indicate whether name lookups will be used to canonicalize host-
              names  for use in service principal names.  Setting this flag to
              false can improve security by  reducing  reliance  on  DNS,  but
              means   that  short  hostnames  will  not  be  canonicalized  to
              fully-qualified hostnames.  The default value is true.

       dns_lookup_kdc
              Indicate whether DNS SRV records should be used  to  locate  the
              KDCs  and  other  servers for a realm, if they are not listed in
              the  krb5.conf  information  for  the  realm.   (Note  that  the
              admin_server entry must be in the krb5.conf realm information in
              order to contact kadmind, because  the  DNS  implementation  for
              kadmin is incomplete.)

              Enabling  this  option  does open up a type of denial-of-service
              attack, if someone spoofs the DNS records and redirects  you  to
              another  server.   However,  it's no worse than a denial of ser-
              vice, because that fake KDC will be unable  to  decode  anything
              you  send  it  (besides the initial ticket request, which has no
              encrypted data), and anything the fake KDC  sends  will  not  be
              trusted  without  verification  using  some secret that it won't
              know.

       dns_uri_lookup
              Indicate whether DNS URI records should be used  to  locate  the
              KDCs  and  other  servers for a realm, if they are not listed in
              the krb5.conf information for the realm.  SRV records  are  used
              as  a  fallback if no URI records were found.  The default value
              is true.  New in release 1.15.

       err_fmt
              This relation allows for custom error message formatting.  If  a
              value is set, error messages will be formatted by substituting a
              normal error message for %M and an error  code  for  %C  in  the
              value.

       extra_addresses
              This allows a computer to use multiple local addresses, in order
              to allow Kerberos to work in a  network  that  uses  NATs  while
              still using address-restricted tickets.  The addresses should be
              in a comma-separated list.  This option has no effect  if  noad-
              dresses is true.

       forwardable
              If  this  flag  is  true, initial tickets will be forwardable by
              default, if allowed by the KDC.  The default value is false.

       ignore_acceptor_hostname
              When accepting GSSAPI or krb5 security contexts  for  host-based
              service  principals,  ignore  any hostname passed by the calling
              application, and allow clients to authenticate  to  any  service
              principal in the keytab matching the service name and realm name
              (if given).  This option can improve the  administrative  flexi-
              bility  of  server  applications  on multihomed hosts, but could
              compromise the security of virtual  hosting  environments.   The
              default value is false.  New in release 1.10.

       k5login_authoritative
              If  this  flag  is  true,  principals  must be listed in a local
              user's k5login file to be granted login access, if a .k5login(5)
              file  exists.   If  this flag is false, a principal may still be
              granted login access through other mechanisms even if a  k5login
              file  exists but does not list the principal.  The default value
              is true.

       k5login_directory
              If set, the library will look for a local  user's  k5login  file
              within the named directory, with a filename corresponding to the
              local username.  If not set, the library will look  for  k5login
              files  in the user's home directory, with the filename .k5login.
              For security reasons, .k5login files must be owned by the  local
              user or by root.

       kcm_mach_service
              On macOS only, determines the name of the bootstrap service used
              to contact the KCM daemon for the KCM credential cache type.  If
              the  value  is  -,  Mach RPC will not be used to contact the KCM
              daemon.  The default value is org.h5l.kcm.

       kcm_socket
              Determines the path to the Unix domain socket used to access the
              KCM  daemon  for the KCM credential cache type.  If the value is
              -, Unix domain sockets will not be used to contact the KCM  dae-
              mon.  The default value is /var/run/.heim_org.h5l.kcm-socket.

       kdc_default_options
              Default  KDC options (Xored for multiple values) when requesting
              initial  tickets.   By  default  it   is   set   to   0x00000010
              (KDC_OPT_RENEWABLE_OK).

       kdc_timesync
              Accepted values for this relation are 1 or 0.  If it is nonzero,
              client machines will compute the difference between  their  time
              and  the time returned by the KDC in the timestamps in the tick-
              ets and use this value to correct for an inaccurate system clock
              when  requesting  service tickets or authenticating to services.
              This corrective factor is only used by the Kerberos library;  it
              is not used to change the system clock.  The default value is 1.

       kdc_req_checksum_type
              An  integer  which specifies the type of checksum to use for the
              KDC requests, for compatibility with very  old  KDC  implementa-
              tions.  This value is only used for DES keys; other keys use the
              preferred checksum type for those keys.

              The possible values and their meanings are as follows.

                            +-----+----------------------------+
                            |1    | CRC32                      |
                            +-----+----------------------------+
                            |2    | RSA MD4                    |
                            +-----+----------------------------+
                            |3    | RSA MD4 DES                |
                            +-----+----------------------------+
                            |4    | DES CBC                    |
                            +-----+----------------------------+
                            |7    | RSA MD5                    |
                            +-----+----------------------------+

                            |8    | RSA MD5 DES                |
                            +-----+----------------------------+
                            |9    | NIST SHA                   |
                            +-----+----------------------------+
                            |12   | HMAC SHA1 DES3             |
                            +-----+----------------------------+
                            |-138 | Microsoft MD5 HMAC  check- |
                            |     | sum type                   |
                            +-----+----------------------------+

       noaddresses
              If  this  flag is true, requests for initial tickets will not be
              made with address restrictions set, allowing the tickets  to  be
              used across NATs.  The default value is true.

       permitted_enctypes
              Identifies  all  encryption  types that are permitted for use in
              session key encryption.  The  default  value  for  this  tag  is
              aes256-cts-hmac-sha1-96                  aes128-cts-hmac-sha1-96
              aes256-cts-hmac-sha384-192            aes128-cts-hmac-sha256-128
              des3-cbc-sha1   arcfour-hmac-md5   camellia256-cts-cmac   camel-
              lia128-cts-cmac des-cbc-crc des-cbc-md5  des-cbc-md4,  but  sin-
              gle-DES  encryption  types  will be implicitly removed from this
              list if the value of allow_weak_crypto is false.

       plugin_base_dir
              If set, determines the base directory  where  krb5  plugins  are
              located.   The default value is the krb5/plugins subdirectory of
              the krb5 library directory.

       preferred_preauth_types
              This allows you to set  the  preferred  preauthentication  types
              which  the client will attempt before others which may be adver-
              tised by a KDC.  The default value for this setting is "17,  16,
              15,  14", which forces libkrb5 to attempt to use PKINIT if it is
              supported.

       proxiable
              If this flag is true,  initial  tickets  will  be  proxiable  by
              default, if allowed by the KDC.  The default value is false.

       rdns   If  this flag is true, reverse name lookup will be used in addi-
              tion to forward name lookup to canonicalizing hostnames for  use
              in service principal names.  If dns_canonicalize_hostname is set
              to false, this flag has no effect.  The default value is false.

       realm_try_domains
              Indicate whether a host's domain components should  be  used  to
              determine  the  Kerberos  realm  of the host.  The value of this
              variable is an integer: -1 means not to search, 0 means  to  try
              the host's domain itself, 1 means to also try the domain's imme-
              diate parent, and so forth.  The library's usual  mechanism  for
              locating  Kerberos  realms is used to determine whether a domain
              is  a  valid  realm,  which  may  involve  consulting   DNS   if
              dns_lookup_kdc is set.  The default is not to search domain com-
              ponents.

       renew_lifetime
              (duration string.)  Sets the default renewable lifetime for ini-
              tial ticket requests.  The default value is 0.

       safe_checksum_type
              An  integer  which specifies the type of checksum to use for the
              KRB-SAFE requests.  By default it is set to  8  (RSA  MD5  DES).
              For  compatibility  with applications linked against DCE version
              1.1 or earlier Kerberos libraries, use a value of 3 to  use  the
              RSA  MD4  DES  instead.  This field is ignored when its value is
              incompatible with the session key type.  See the  kdc_req_check-
              sum_type  configuration option for the possible values and their
              meanings.

       ticket_lifetime
              (duration string.)  Sets the default lifetime for initial ticket
              requests.  The default value is 1 day.

       udp_preference_limit
              When  sending  a  message to the KDC, the library will try using
              TCP before UDP if the size of the message is  above  udp_prefer-
              ence_limit.    If   the  message  is  smaller  than  udp_prefer-
              ence_limit, then UDP will be tried before  TCP.   Regardless  of
              the  size,  both  protocols  will  be tried if the first attempt
              fails.

       verify_ap_req_nofail
              If this flag is true, then an attempt to verify initial  creden-
              tials  will  fail  if the client machine does not have a keytab.
              The default value is true.

   [realms]
       Each tag in the [realms] section of the file is the name of a  Kerberos
       realm.  The value of the tag is a subsection with relations that define
       the properties of that particular realm.  For each realm, the following
       tags may be specified in the realm's subsection:

       admin_server
              Identifies  the host where the administration server is running.
              Typically, this is the master Kerberos server.  This tag must be
              given a value in order to communicate with the kadmind(8) server
              for the realm.

       auth_to_local
              This tag allows you to set a general rule for mapping  principal
              names  to  local user names.  It will be used if there is not an
              explicit mapping for the principal name  that  is  being  trans-
              lated. The possible values are:

              RULE:exp
                     The local name will be formulated from exp.

                     The    format   for   exp   is   [n:string](regexp)s/pat-
                     tern/replacement/g.  The integer  n  indicates  how  many
                     components  the  target  principal  should have.  If this
                     matches, then a string will be formed from  string,  sub-
                     stituting  the realm of the principal for $0 and the n'th
                     component of the principal for $n (e.g., if the principal
                     was  johndoe/admin  then  [2:$2$1foo] would result in the
                     string adminjohndoefoo).  If this string matches  regexp,
                     then the s//[g] substitution command will be run over the
                     string.  The optional g will cause the substitution to be
                     global  over  the  string,  instead of replacing only the
                     first match in the string.

              DEFAULT
                     The principal name will be used as the local  user  name.
                     If the principal has more than one component or is not in
                     the default realm, this rule is not  applicable  and  the
                     conversion will fail.

              For example:

                 [realms]
                     ATHENA.MIT.EDU = {
                         auth_to_local = RULE:[2:$1](johndoe)s/^.*$/guest/
                         auth_to_local = RULE:[2:$1;$2](^.*;admin$)s/;admin$//
                         auth_to_local = RULE:[2:$2](^.*;root)s/^.*$/root/
                         auto_to_local = DEFAULT
                     }

              would  result in any principal without root or admin as the sec-
              ond component to be translated with the default rule.  A princi-
              pal  with a second component of admin will become its first com-
              ponent.  root will be used as the local name for  any  principal
              with  a  second  component  of root.  The exception to these two
              rules are any principals johndoe/*, which will  always  get  the
              local name guest.

       auth_to_local_names
              This subsection allows you to set explicit mappings from princi-
              pal names to local user names.  The tag is the mapping name, and
              the value is the corresponding local user name.

       default_domain
              This  tag  specifies  the  domain  used to expand hostnames when
              translating Kerberos 4 service principals to Kerberos 5  princi-
              pals  (for  example, when converting rcmd.hostname to host/host-
              name.domain).

       http_anchors
              When KDCs and kpasswd servers are accessed through  HTTPS  prox-
              ies, this tag can be used to specify the location of the CA cer-
              tificate which should be trusted to issue the certificate for  a
              proxy  server.  If left unspecified, the system-wide default set
              of CA certificates is used.

              The syntax for values is similar  to  that  of  values  for  the
              pkinit_anchors tag:

              FILE: filename

              filename is assumed to be the name of an OpenSSL-style ca-bundle
              file.

              DIR: dirname

              dirname is assumed to be an directory which contains CA certifi-
              cates.   All  files  in  the directory will be examined; if they
              contain certificates (in PEM format), they will be used.

              ENV: envvar

              envvar specifies the name of an environment variable  which  has
              been  set  to  a value conforming to one of the previous values.
              For  example,  ENV:X509_PROXY_CA,  where  environment   variable
              X509_PROXY_CA has been set to FILE:/tmp/my_proxy.pem.

       kdc    The  name or address of a host running a KDC for that realm.  An
              optional port number, separated from the hostname  by  a  colon,
              may  be  included.   If the name or address contains colons (for
              example, if it is an IPv6 address), enclose it in square  brack-
              ets  to  distinguish  the colon from a port separator.  For your
              computer to be able to communicate with the KDC for each  realm,
              this  tag  must be given a value in each realm subsection in the
              configuration file, or there must be DNS SRV records  specifying
              the KDCs.

       kpasswd_server
              Points  to  the  server  where all the password changes are per-
              formed.  If there  is  no  such  entry,  the  port  464  on  the
              admin_server host will be tried.

       master_kdc
              Identifies  the  master  KDC(s).  Currently, this tag is used in
              only one case: If an attempt to get credentials fails because of
              an invalid password, the client software will attempt to contact
              the master KDC, in  case  the  user's  password  has  just  been
              changed, and the updated database has not been propagated to the
              slave servers yet.

       v4_instance_convert
              This subsection allows the administrator to configure exceptions
              to  the  default_domain  mapping rule.  It contains V4 instances
              (the tag name) which should be translated to some specific host-
              name  (the  tag  value) as the second component in a Kerberos V5
              principal name.

       v4_realm
              This relation is used by the krb524 library routines  when  con-
              verting  a V5 principal name to a V4 principal name.  It is used
              when the V4 realm name and the V5 realm name are not  the  same,
              but  still share the same principal names and passwords. The tag
              value is the Kerberos V4 realm name.

   [domain_realm]
       The [domain_realm] section provides a translation from a domain name or
       hostname  to a Kerberos realm name.  The tag name can be a host name or
       domain name, where domain names are indicated by a prefix of  a  period
       (.).   The  value  of  the relation is the Kerberos realm name for that
       particular host or domain.  A host name  relation  implicitly  provides
       the  corresponding domain name relation, unless an explicit domain name
       relation is provided.  The Kerberos realm may be identified  either  in
       the  realms  section  or  using DNS SRV records.  Host names and domain
       names should be in lower case.  For example:

          [domain_realm]
              crash.mit.edu = TEST.ATHENA.MIT.EDU
              .dev.mit.edu = TEST.ATHENA.MIT.EDU
              mit.edu = ATHENA.MIT.EDU

       maps the host with the name crash.mit.edu into the  TEST.ATHENA.MIT.EDU
       realm.   The  second  entry maps all hosts under the domain dev.mit.edu
       into the TEST.ATHENA.MIT.EDU realm, but not  the  host  with  the  name
       dev.mit.edu.   That  host is matched by the third entry, which maps the
       host mit.edu and all hosts under the domain mit.edu that do not match a
       preceding rule into the realm ATHENA.MIT.EDU.

       If  no translation entry applies to a hostname used for a service prin-
       cipal for a service ticket request, the  library  will  try  to  get  a
       referral to the appropriate realm from the client realm's KDC.  If that
       does not succeed, the host's realm is considered to be  the  hostname's
       domain  portion  converted  to  uppercase, unless the realm_try_domains
       setting in [libdefaults] causes a different parent domain to be used.

   [capaths]
       In order to perform direct (non-hierarchical)  cross-realm  authentica-
       tion,  configuration  is  needed  to determine the authentication paths
       between realms.

       A client will use this section to find the authentication path  between
       its  realm  and the realm of the server.  The server will use this sec-
       tion to verify the authentication path used by the client, by  checking
       the transited field of the received ticket.

       There  is  a  tag for each participating client realm, and each tag has
       subtags for each of the server realms.  The value of the subtags is  an
       intermediate realm which may participate in the cross-realm authentica-
       tion.  The subtags may be repeated if there is more then one intermedi-
       ate  realm.   A  value  of  "."  means  that  the two realms share keys
       directly, and no intermediate realms should be allowed to participate.

       Only those entries which will be needed on the  client  or  the  server
       need to be present.  A client needs a tag for its local realm with sub-
       tags for all the realms of servers it will need to authenticate to.   A
       server  needs a tag for each realm of the clients it will serve, with a
       subtag of the server realm.

       For example, ANL.GOV, PNL.GOV, and NERSC.GOV all wish to use the ES.NET
       realm  as  an  intermediate realm.  ANL has a sub realm of TEST.ANL.GOV
       which will authenticate with NERSC.GOV but not PNL.GOV.  The  [capaths]
       section for ANL.GOV systems would look like this:

          [capaths]
              ANL.GOV = {
                  TEST.ANL.GOV = .
                  PNL.GOV = ES.NET
                  NERSC.GOV = ES.NET
                  ES.NET = .
              }
              TEST.ANL.GOV = {
                  ANL.GOV = .
              }
              PNL.GOV = {
                  ANL.GOV = ES.NET
              }
              NERSC.GOV = {
                  ANL.GOV = ES.NET
              }
              ES.NET = {
                  ANL.GOV = .
              }

       The  [capaths] section of the configuration file used on NERSC.GOV sys-
       tems would look like this:

          [capaths]
              NERSC.GOV = {
                  ANL.GOV = ES.NET
                  TEST.ANL.GOV = ES.NET
                  TEST.ANL.GOV = ANL.GOV
                  PNL.GOV = ES.NET
                  ES.NET = .
              }
              ANL.GOV = {
                  NERSC.GOV = ES.NET
              }
              PNL.GOV = {
                  NERSC.GOV = ES.NET
              }
              ES.NET = {
                  NERSC.GOV = .
              }
              TEST.ANL.GOV = {
                  NERSC.GOV = ANL.GOV
                  NERSC.GOV = ES.NET
              }

       When a subtag is used more than once within a tag, clients will use the
       order  of  values  to  determine  the path.  The order of values is not
       important to servers.

   [appdefaults]
       Each tag in the [appdefaults] section names a Kerberos  V5  application
       or  an  option  that  is  used by some Kerberos V5 application[s].  The
       value of the tag defines the default behaviors for that application.

       For example:

          [appdefaults]
              telnet = {
                  ATHENA.MIT.EDU = {
                      option1 = false
                  }
              }
              telnet = {
                  option1 = true
                  option2 = true
              }
              ATHENA.MIT.EDU = {
                  option2 = false
              }
              option2 = true

       The above four ways of specifying the value of an option are  shown  in
       order  of  decreasing precedence. In this example, if telnet is running
       in the realm EXAMPLE.COM, it  should,  by  default,  have  option1  and
       option2   set  to  true.   However,  a  telnet  program  in  the  realm
       ATHENA.MIT.EDU should have option1 set to  false  and  option2  set  to
       true.   Any other programs in ATHENA.MIT.EDU should have option2 set to
       false by default.  Any programs running in  other  realms  should  have
       option2 set to true.

       The  list  of  specifiable options for each application may be found in
       that application's man pages.  The application defaults specified  here
       are overridden by those specified in the realms section.

       The  following  relations  can  be  found in the [appdefaults] section,
       though not all relations are recognized by all kerberized applications.
       Some are specific to particular applications.

       autologin = [true | false]
              Forces  the  application  to attempt  automatic  login  by  pre-
              senting Kerberos credentials. This is valid  for  the  following
              applications: rlogin, rsh, rcp, and telnet.

       encrypt = [true | false]
              Forces  applications to use encryption by default (after authen-
              tication) to protect the privacy of the sessions. This is  valid
              for the following applications: rlogin, rsh, rcp, and telnet.

       forward = [true | false]
              Forces  applications  to  forward  the user's credentials (after
              authentication) to the remote server. This is valid for the fol-
              lowing applications: rlogin, rsh, rcp, and telnet.

       forwardable = [true | false]
              See the description in the [libdefaults] section above.  This is
              used by any application that creates a  ticket  granting  ticket
              and  also  by  applications that can forward tickets to a remote
              server.

       proxiable = [true | false]
              See the description in the [libdefaults] section above. This  is
              used by any application that creates a ticket granting ticket.

       renewable = [true | false]
              Creates  a  TGT that can be renewed (prior to the ticket expira-
              tion time). This is used  by  any  application  that  creates  a
              ticket granting ticket.

       noaddresses = [true | false]
              Creates tickets with no address bindings. This is to allow tick-
              ets to be used across a NAT boundary or when  using  multi-homed
              systems.  This option is valid in the kinit [appdefault] section
              only.

       rcmd_protocol = [ rcmdv1 | rcmdv2 ]
              Specifies which Kerberized "rcmd" protocol to use when using the
              Kerberized rlogin(1), rsh(1), or rcp(1) programs. The default is
              to use rcmdv2 by default, as this is the more  secure  and  more
              recent  update  of  the protocol. However, when talking to older
              MIT or SEAM- based "rcmd" servers, it can be necessary to  force
              the new clients to use the older rcmdv1 protocol. This option is
              valid only for the following applications: rlogin, rcp, and rsh.

   [plugins]
          o pwqual interface

          o kadm5_hook interface

          o clpreauth and kdcpreauth interfaces

       Tags in the [plugins] section can be used to  register  dynamic  plugin
       modules  and  to  turn  modules  on  and off.  Not every krb5 pluggable
       interface uses the [plugins] section; the ones that do  are  documented
       here.

       New in release 1.9.

       Each pluggable interface corresponds to a subsection of [plugins].  All
       subsections support the same tags:

       disable
              This tag may have multiple values. If there are values for  this
              tag,  then  the named modules will be disabled for the pluggable
              interface.

       enable_only
              This tag may have multiple values. If there are values for  this
              tag,  then  only the named modules will be enabled for the plug-
              gable interface.

       module This tag may have multiple values.  Each value is  a  string  of
              the  form  modulename:pathname,  which  causes the shared object
              located at pathname to be registered as a dynamic  module  named
              modulename  for  the pluggable interface.  If pathname is not an
              absolute path, it will be  treated  as  relative  to  the  plug-
              in_base_dir value from [libdefaults].

       For pluggable interfaces where module order matters, modules registered
       with a module tag normally come first, in the  order  they  are  regis-
       tered,  followed  by  built-in modules in the order they are documented
       below.  If enable_only tags are used, then  the  order  of  those  tags
       overrides the normal module order.

       The  following subsections are currently supported within the [plugins]
       section:

   ccselect interface
       The ccselect subsection controls modules for credential cache selection
       within  a cache collection.  In addition to any registered dynamic mod-
       ules, the following built-in modules exist (and may  be  disabled  with
       the disable tag):

       realm  Uses  the  service  realm to guess an appropriate cache from the
              collection

       hostname
              If the service principal is host-based, uses the  service  host-
              name to guess an appropriate cache from the collection

   pwqual interface
       The  pwqual subsection controls modules for the password quality inter-
       face, which is  used  to  reject  weak  passwords  when  passwords  are
       changed.  The following built-in modules exist for this interface:

       dict   Checks against the realm dictionary file

       empty  Rejects empty passwords

       hesiod Checks  against  user information stored in Hesiod (only if Ker-
              beros was built with Hesiod support)

       princ  Checks against components of the principal name

   kadm5_hook interface
       The kadm5_hook interface provides plugins with information on principal
       creation,  modification, password changes and deletion.  This interface
       can be used to write a plugin to synchronize MIT Kerberos with  another
       database  such  as  Active Directory.  No plugins are built in for this
       interface.

   kadm5_auth interface
       The kadm5_auth section (introduced in release  1.16)  controls  modules
       for  the  kadmin  authorization  interface,  which determines whether a
       client principal is allowed to perform a kadmin operation.  The follow-
       ing built-in modules exist for this interface:

       acl    This  module  reads the kadm5.acl(5) file, and authorizes opera-
              tions which are allowed according to the rules in the file.

       self   This module authorizes self-service operations  including  pass-
              word changes, creation of new random keys, fetching the client's
              principal record or string attributes, and fetching  the  policy
              record associated with the client principal.

   clpreauth and kdcpreauth interfaces
       The clpreauth and kdcpreauth interfaces allow plugin modules to provide
       client and KDC preauthentication mechanisms.   The  following  built-in
       modules exist for these interfaces:

       pkinit This module implements the PKINIT preauthentication mechanism.

       encrypted_challenge
              This module implements the encrypted challenge FAST factor.

       encrypted_timestamp
              This module implements the encrypted timestamp mechanism.

   hostrealm interface
       The hostrealm section (introduced in release 1.12) controls modules for
       the host-to-realm interface, which affects the local mapping  of  host-
       names  to  realm  names and the choice of default realm.  The following
       built-in modules exist for this interface:

       profile
              This module consults the [domain_realm] section of  the  profile
              for  authoritative host-to-realm mappings, and the default_realm
              variable for the default realm.

       dns    This module looks for DNS  records  for  fallback  host-to-realm
              mappings  and  the  default  realm.   It  only  operates  if the
              dns_lookup_realm variable is set to true.

       domain This module applies heuristics for fallback  host-to-realm  map-
              pings.   It  implements the realm_try_domains variable, and uses
              the uppercased parent domain of the hostname if  that  does  not
              produce a result.

   localauth interface
       The localauth section (introduced in release 1.12) controls modules for
       the local  authorization  interface,  which  affects  the  relationship
       between  Kerberos  principals and local system accounts.  The following
       built-in modules exist for this interface:

       default
              This module implements the DEFAULT type for  auth_to_local  val-
              ues.

       rule   This module implements the RULE type for auth_to_local values.

       names  This  module  looks  for  an auth_to_local_names mapping for the
              principal name.

       auth_to_local
              This  module  processes  auth_to_local  values  in  the  default
              realm's   section,   and   applies  the  default  method  if  no
              auth_to_local values exist.

       k5login
              This module authorizes a principal to a local account  according
              to the account's .k5login(5) file.

       an2ln  This  module  authorizes  a  principal to a local account if the
              principal name maps to the local account name.

   certauth interface
       The certauth section (introduced in release 1.16) controls modules  for
       the  certificate  authorization  interface,  which determines whether a
       certificate is allowed to preauthenticate a user via PKINIT.  The  fol-
       lowing built-in modules exist for this interface:

       pkinit_san
              This  module  authorizes the certificate if it contains a PKINIT
              Subject Alternative Name for the requested client principal,  or
              a  Microsoft  UPN SAN matching the principal if pkinit_allow_upn
              is set to true for the realm.

       pkinit_eku
              This module rejects the certificate if it does  not  contain  an
              Extended    Key    Usage    attribute    consistent   with   the
              pkinit_eku_checking value for the realm.

       dbmatch
              This module authorizes or rejects the certificate  according  to
              whether it matches the pkinit_cert_match string attribute on the
              client principal, if that attribute is present.

PKINIT OPTIONS
       NOTE:
          The following are PKINIT-specific  options.   These  values  may  be
          specified   in   [libdefaults]  as  global  defaults,  or  within  a
          realm-specific subsection of [libdefaults], or may be  specified  as
          realm-specific  values  in  the  [realms] section.  A realm-specific
          value overrides, not adds to, a generic [libdefaults] specification.
          The search order is:

       1. realm-specific subsection of [libdefaults]:

             [libdefaults]
                 EXAMPLE.COM = {
                     pkinit_anchors = FILE:/usr/local/example.com.crt
                 }

       2. realm-specific value in the [realms] section:

             [realms]
                 OTHERREALM.ORG = {
                     pkinit_anchors = FILE:/usr/local/otherrealm.org.crt
                 }

       3. generic value in the [libdefaults] section:

             [libdefaults]
                 pkinit_anchors = DIR:/usr/local/generic_trusted_cas/

   Specifying PKINIT identity information
       The  syntax  for  specifying Public Key identity, trust, and revocation
       information for PKINIT is as follows:

       FILE:filename[,keyfilename]
              This option has context-specific behavior.

              In pkinit_identity or pkinit_identities, filename specifies  the
              name of a PEM-format file containing the user's certificate.  If
              keyfilename is not specified, the user's private key is expected
              to  be  in filename as well.  Otherwise, keyfilename is the name
              of the file containing the private key.

              In pkinit_anchors or pkinit_pool, filename is assumed to be  the
              name of an OpenSSL-style ca-bundle file.

       DIR:dirname
              This option has context-specific behavior.

              In  pkinit_identity  or  pkinit_identities,  dirname specifies a
              directory with files named *.crt and *.key where the first  part
              of  the  file name is the same for matching pairs of certificate
              and private key files.  When a file with a name ending with .crt
              is found, a matching file ending with .key is assumed to contain
              the private key.  If no such file is found, then the certificate
              in the .crt is not used.

              In  pkinit_anchors  or  pkinit_pool, dirname is assumed to be an
              OpenSSL-style hashed CA directory where each CA cert  is  stored
              in  a  file  named  hash-of-ca-cert.#.   This  infrastructure is
              encouraged, but all files in the directory will be examined  and
              if they contain certificates (in PEM format), they will be used.

              In  pkinit_revoke,  dirname  is  assumed  to be an OpenSSL-style
              hashed CA directory where each revocation list is  stored  in  a
              file  named  hash-of-ca-cert.r#.  This infrastructure is encour-
              aged, but all files in the directory will  be  examined  and  if
              they  contain  a  revocation  list (in PEM format), they will be
              used.

       PKCS12:filename
              filename is the name of a PKCS #12 format file,  containing  the
              user's certificate and private key.

       PKCS11:[module_name=]modname[:slotid=slot-id][:token=token-label][:cer-
       tid=cert-id][:certlabel=cert-label]
              All keyword/values are optional.  modname specifies the location
              of  a  library implementing PKCS #11.  If a value is encountered
              with no keyword, it is assumed to be the modname.   If  no  mod-
              ule-name is specified, the default is opensc-pkcs11.so.  slotid=
              and/or token= may be specified to force the use of a  particular
              smard  card reader or token if there is more than one available.
              certid= and/or certlabel= may be specified to force  the  selec-
              tion  of  a  particular  certificate  on  the  device.   See the
              pkinit_cert_match configuration option for more ways to select a
              particular certificate to use for PKINIT.

       ENV:envvar
              envvar  specifies  the name of an environment variable which has
              been set to a value conforming to one of  the  previous  values.
              For   example,   ENV:X509_PROXY,   where   environment  variable
              X509_PROXY has been set to FILE:/tmp/my_proxy.pem.

   PKINIT krb5.conf options
       pkinit_anchors
              Specifies the location of  trusted  anchor  (root)  certificates
              which  the  client trusts to sign KDC certificates.  This option
              may be specified multiple times.  These values from  the  config
              file are not used if the user specifies X509_anchors on the com-
              mand line.

       pkinit_cert_match
              Specifies matching rules that the client certificate must  match
              before  it  is used to attempt PKINIT authentication.  If a user
              has multiple certificates available (on a  smart  card,  or  via
              other  media),  there  must  be  exactly  one certificate chosen
              before attempting PKINIT authentication.   This  option  may  be
              specified  multiple  times.   All the available certificates are
              checked against each rule in order until there  is  a  match  of
              exactly one certificate.

              The  Subject  and  Issuer  comparison  strings  are the RFC 2253
              string representations  from  the  certificate  Subject  DN  and
              Issuer DN values.

              The syntax of the matching rules is:
                 [relation-operator]component-rule ...

              where:

              relation-operator
                     can be either &&, meaning all component rules must match,
                     or ||, meaning only one component rule must  match.   The
                     default is &&.

              component-rule
                     can be one of the following.  Note that there is no punc-
                     tuation or whitespace between component rules.
                        <SUBJECT>regular-expression
                        <ISSUER>regular-expression
                        <SAN>regular-expression
                        <EKU>extended-key-usage-list
                        <KU>key-usage-list


                     extended-key-usage-list  is  a  comma-separated  list  of
                     required  Extended  Key  Usage values.  All values in the
                     list must be present in the  certificate.   Extended  Key
                     Usage values can be:

                     o pkinit

                     o msScLogin

                     o clientAuth

                     o emailProtection

                     key-usage-list  is a comma-separated list of required Key
                     Usage values.  All values in the list must be present  in
                     the certificate.  Key Usage values can be:

                     o digitalSignature

                     o keyEncipherment

              Examples:

                 pkinit_cert_match = ||<SUBJECT>.*DoE.*<SAN>.*@EXAMPLE.COM
                 pkinit_cert_match = &&<EKU>msScLogin,clientAuth<ISSUER>.*DoE.*
                 pkinit_cert_match = <EKU>msScLogin,clientAuth<KU>digitalSignature

       pkinit_eku_checking
              This option specifies what Extended Key Usage value the KDC cer-
              tificate presented to the client must contain.   (Note  that  if
              the   KDC  certificate  has  the  pkinit  SubjectAlternativeName
              encoded as the Kerberos TGS name, EKU checking is not  necessary
              since  the  issuing CA has certified this as a KDC certificate.)
              The values recognized in the krb5.conf file are:

              kpKDC  This is the default value and specifies that the KDC must
                     have the id-pkinit-KPKdc EKU as defined in RFC 4556.

              kpServerAuth
                     If  kpServerAuth is specified, a KDC certificate with the
                     id-kp-serverAuth EKU will be accepted.   This  key  usage
                     value is used in most commercially issued server certifi-
                     cates.

              none   If none is specified, then the KDC certificate  will  not
                     be  checked  to verify it has an acceptable EKU.  The use
                     of this option is not recommended.

       pkinit_dh_min_bits
              Specifies the size of the Diffie-Hellman  key  the  client  will
              attempt to use.  The acceptable values are 1024, 2048, and 4096.
              The default is 2048.

       pkinit_identities
              Specifies the location(s) to be used to find  the  user's  X.509
              identity  information.   This  option  may be specified multiple
              times.  Each value is attempted in order until identity informa-
              tion  is found and authentication is attempted.  Note that these
              values are not used if the user specifies X509_user_identity  on
              the command line.

       pkinit_kdc_hostname
              The presense of this option indicates that the client is willing
              to accept a KDC certificate with a dNSName SAN (Subject Alterna-
              tive Name) rather than requiring the id-pkinit-san as defined in
              RFC 4556.  This option may be  specified  multiple  times.   Its
              value  should  contain  the  acceptable hostname for the KDC (as
              contained in its certificate).

       pkinit_pool
              Specifies the location of intermediate certificates which may be
              used  by  the  client  to complete the trust chain between a KDC
              certificate and a trusted anchor.  This option may be  specified
              multiple times.

       pkinit_require_crl_checking
              The  default  certificate verification process will always check
              the available revocation information to see if a certificate has
              been revoked.  If a match is found for the certificate in a CRL,
              verification fails.  If the certificate being  verified  is  not
              listed  in a CRL, or there is no CRL present for its issuing CA,
              and pkinit_require_crl_checking is false, then verification suc-
              ceeds.

              However,  if pkinit_require_crl_checking is true and there is no
              CRL information available for the issuing CA, then  verification
              fails.

              pkinit_require_crl_checking  should be set to true if the policy
              is such that up-to-date CRLs must be present for every CA.

       pkinit_revoke
              Specifies the location  of  Certificate  Revocation  List  (CRL)
              information to be used by the client when verifying the validity
              of the KDC certificate presented.  This option may be  specified
              multiple times.

PARAMETER EXPANSION
       Starting    with    release    1.11,   several   variables,   such   as
       default_keytab_name, allow parameters to be expanded.  Valid parameters
       are:

                    +------------------+----------------------------+
                    |%{TEMP}           | Temporary directory        |
                    +------------------+----------------------------+



                    |%{uid}            | Unix  real  UID or Windows |
                    |                  | SID                        |
                    +------------------+----------------------------+
                    |%{euid}           | Unix effective user ID  or |
                    |                  | Windows SID                |
                    +------------------+----------------------------+
                    |%{USERID}         | Same as %{uid}             |
                    +------------------+----------------------------+
                    |%{null}           | Empty string               |
                    +------------------+----------------------------+
                    |%{LIBDIR}         | Installation       library |
                    |                  | directory                  |
                    +------------------+----------------------------+
                    |%{BINDIR}         | Installation binary direc- |
                    |                  | tory                       |
                    +------------------+----------------------------+
                    |%{SBINDIR}        | Installation  admin binary |
                    |                  | directory                  |
                    +------------------+----------------------------+
                    |%{username}       | (Unix) Username of  effec- |
                    |                  | tive user ID               |
                    +------------------+----------------------------+
                    |%{APPDATA}        | (Windows) Roaming applica- |
                    |                  | tion data for current user |
                    +------------------+----------------------------+
                    |%{COMMON_APPDATA} | (Windows) Application data |
                    |                  | for all users              |
                    +------------------+----------------------------+
                    |%{LOCAL_APPDATA}  | (Windows)  Local  applica- |
                    |                  | tion data for current user |
                    +------------------+----------------------------+
                    |%{SYSTEM}         | (Windows)  Windows  system |
                    |                  | folder                     |
                    +------------------+----------------------------+
                    |%{WINDOWS}        | (Windows) Windows folder   |
                    +------------------+----------------------------+
                    |%{USERCONFIG}     | (Windows)   Per-user   MIT |
                    |                  | krb5 config file directory |
                    +------------------+----------------------------+
                    |%{COMMONCONFIG}   | (Windows) Common MIT  krb5 |
                    |                  | config file directory      |
                    +------------------+----------------------------+

SAMPLE KRB5.CONF FILE
       Here is an example of a generic krb5.conf file:

          [libdefaults]
              default_realm = ATHENA.MIT.EDU
              dns_lookup_kdc = true
              dns_lookup_realm = false

          [realms]
              ATHENA.MIT.EDU = {
                  kdc = kerberos.mit.edu
                  kdc = kerberos-1.mit.edu
                  kdc = kerberos-2.mit.edu
                  admin_server = kerberos.mit.edu
                  master_kdc = kerberos.mit.edu
              }
              EXAMPLE.COM = {
                  kdc = kerberos.example.com
                  kdc = kerberos-1.example.com
                  admin_server = kerberos.example.com
              }

          [domain_realm]
              mit.edu = ATHENA.MIT.EDU

          [capaths]
              ATHENA.MIT.EDU = {
                     EXAMPLE.COM = .
              }
              EXAMPLE.COM = {
                     ATHENA.MIT.EDU = .
              }

FILES
       /etc/krb5.conf


ATTRIBUTES
       See attributes(7) for descriptions of the following attributes:


       +---------------+------------------------+
       |ATTRIBUTE TYPE |    ATTRIBUTE VALUE     |
       +---------------+------------------------+
       |Availability   | security/kerberos-5    |
       +---------------+------------------------+
       |Stability      | Pass-through committed |
       +---------------+------------------------+
SEE ALSO
       syslog(3)

AUTHOR
       MIT

COPYRIGHT
       1985-2018, MIT



NOTES
       This     software     was    built    from    source    available    at
       https://github.com/oracle/solaris-userland.   The  original   community
       source      was      downloaded      from      https://web.mit.edu/ker-
       beros/dist/krb5/1.16/krb5-1.16.1.tar.gz

       Further information about this software can be found on the open source
       community website at https://web.mit.edu/kerberos/.



1.16.1                                                            KRB5.CONF(5)