| author | Cy Schubert <cy@FreeBSD.org> | 2018-04-03 19:36:00 +0000 |
|---|---|---|
| committer | Cy Schubert <cy@FreeBSD.org> | 2018-04-03 19:36:00 +0000 |
| commit | b0e4d68d5124581ae353493d69bea352de4cff8a (patch) | |
| tree | 43300ec43e83eccd367fd76fdfdefba2dcd7d8f4 /doc/html/admin/conf_files | |
| parent | 33a9b234e7087f573ef08cd7318c6497ba08b439 (diff) | |
Diffstat (limited to 'doc/html/admin/conf_files')
| -rw-r--r-- | doc/html/admin/conf_files/index.html | 4 | ||||
| -rw-r--r-- | doc/html/admin/conf_files/kadm5_acl.html | 41 | ||||
| -rw-r--r-- | doc/html/admin/conf_files/kdc_conf.html | 23 | ||||
| -rw-r--r-- | doc/html/admin/conf_files/krb5_conf.html | 63 |
4 files changed, 96 insertions, 35 deletions
diff --git a/doc/html/admin/conf_files/index.html b/doc/html/admin/conf_files/index.html index 8b6207cb6a03..2325611706ae 100644 --- a/doc/html/admin/conf_files/index.html +++ b/doc/html/admin/conf_files/index.html @@ -15,7 +15,7 @@ <script type="text/javascript"> var DOCUMENTATION_OPTIONS = { URL_ROOT: '../../', - VERSION: '1.15.1', + VERSION: '1.16', COLLAPSE_INDEX: false, FILE_SUFFIX: '.html', HAS_SOURCE: true @@ -159,7 +159,7 @@ KDC database.</p> <div class="footer-wrapper"> <div class="footer" > - <div class="right" ><i>Release: 1.15.1</i><br /> + <div class="right" ><i>Release: 1.16</i><br /> © <a href="../../copyright.html">Copyright</a> 1985-2017, MIT. </div> <div class="left"> diff --git a/doc/html/admin/conf_files/kadm5_acl.html b/doc/html/admin/conf_files/kadm5_acl.html index 640fc7bc1c9c..05eab8bbae62 100644 --- a/doc/html/admin/conf_files/kadm5_acl.html +++ b/doc/html/admin/conf_files/kadm5_acl.html @@ -15,7 +15,7 @@ <script type="text/javascript"> var DOCUMENTATION_OPTIONS = { URL_ROOT: '../../', - VERSION: '1.15.1', + VERSION: '1.16', COLLAPSE_INDEX: false, FILE_SUFFIX: '.html', HAS_SOURCE: true 
@@ -203,15 +203,16 @@ joeadmin/*@ATHENA.MIT.EDU i */root@ATHENA.MIT.EDU # line 3 sms@ATHENA.MIT.EDU x * -maxlife 9h -postdateable # line 6 </pre></div> </div> -<p>(line 1) Any principal in the <tt class="docutils literal"><span class="pre">ATHENA.MIT.EDU</span></tt> realm with -an <tt class="docutils literal"><span class="pre">admin</span></tt> instance has all administrative privileges.</p> -<p>(lines 1-3) The user <tt class="docutils literal"><span class="pre">joeadmin</span></tt> has all permissions with his -<tt class="docutils literal"><span class="pre">admin</span></tt> instance, <tt class="docutils literal"><span class="pre">joeadmin/admin@ATHENA.MIT.EDU</span></tt> (matches line -1). He has no permissions at all with his null instance, -<tt class="docutils literal"><span class="pre">joeadmin@ATHENA.MIT.EDU</span></tt> (matches line 2). His <tt class="docutils literal"><span class="pre">root</span></tt> and other -non-<tt class="docutils literal"><span class="pre">admin</span></tt>, non-null instances (e.g., <tt class="docutils literal"><span class="pre">extra</span></tt> or <tt class="docutils literal"><span class="pre">dbadmin</span></tt>) have -inquire permissions with any principal that has the instance <tt class="docutils literal"><span class="pre">root</span></tt> -(matches line 3).</p> +<p>(line 1) Any principal in the <tt class="docutils literal"><span class="pre">ATHENA.MIT.EDU</span></tt> realm with an +<tt class="docutils literal"><span class="pre">admin</span></tt> instance has all administrative privileges except extracting +keys.</p> +<p>(lines 1-3) The user <tt class="docutils literal"><span class="pre">joeadmin</span></tt> has all permissions except +extracting keys with his <tt class="docutils literal"><span class="pre">admin</span></tt> instance, +<tt class="docutils literal"><span class="pre">joeadmin/admin@ATHENA.MIT.EDU</span></tt> (matches line 1). 
He has no +permissions at all with his null instance, <tt class="docutils literal"><span class="pre">joeadmin@ATHENA.MIT.EDU</span></tt> +(matches line 2). His <tt class="docutils literal"><span class="pre">root</span></tt> and other non-<tt class="docutils literal"><span class="pre">admin</span></tt>, non-null +instances (e.g., <tt class="docutils literal"><span class="pre">extra</span></tt> or <tt class="docutils literal"><span class="pre">dbadmin</span></tt>) have inquire permissions +with any principal that has the instance <tt class="docutils literal"><span class="pre">root</span></tt> (matches line 3).</p> <p>(line 4) Any <tt class="docutils literal"><span class="pre">root</span></tt> principal in <tt class="docutils literal"><span class="pre">ATHENA.MIT.EDU</span></tt> can inquire or change the password of their null instance, but not any other null instance. (Here, <tt class="docutils literal"><span class="pre">*1</span></tt> denotes a back-reference to the 
@@ -222,9 +223,20 @@ in the database. This line is separate from line 4, because list permission can only be granted globally, not to specific target principals.</p> <p>(line 6) Finally, the Service Management System principal -<tt class="docutils literal"><span class="pre">sms@ATHENA.MIT.EDU</span></tt> has all permissions, but any principal that it -creates or modifies will not be able to get postdateable tickets or -tickets with a life of longer than 9 hours.</p> +<tt class="docutils literal"><span class="pre">sms@ATHENA.MIT.EDU</span></tt> has all permissions except extracting keys, but +any principal that it creates or modifies will not be able to get +postdateable tickets or tickets with a life of longer than 9 hours.</p> +</div> +<div class="section" id="module-behavior"> +<h2>MODULE BEHAVIOR<a class="headerlink" href="#module-behavior" title="Permalink to this headline">¶</a></h2> +<p>The ACL file can coexist with other authorization modules in release +1.16 and later, as configured in the <a class="reference internal" href="krb5_conf.html#kadm5-auth"><em>kadm5_auth interface</em></a> section of +<a class="reference internal" href="krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a>. The ACL file will positively authorize +operations according to the rules above, but will never +authoritatively deny an operation, so other modules can authorize +operations in addition to those authorized by the ACL file.</p> +<p>To operate without an ACL file, set the <em>acl_file</em> variable in +<a class="reference internal" href="kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> to the empty string with <tt class="docutils literal"><span class="pre">acl_file</span> <span class="pre">=</span> <span class="pre">""</span></tt>.</p> </div> <div class="section" id="see-also"> <h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2> 
@@ -244,6 +256,7 @@ tickets with a life of longer than 9 hours.</p> <li><a class="reference internal" href="#description">DESCRIPTION</a></li> <li><a class="reference internal" href="#syntax">SYNTAX</a></li> <li><a class="reference internal" href="#example">EXAMPLE</a></li> +<li><a class="reference internal" href="#module-behavior">MODULE BEHAVIOR</a></li> <li><a class="reference internal" href="#see-also">SEE ALSO</a></li> </ul> </li> @@ -309,7 +322,7 @@ tickets with a life of longer than 9 hours.</p> <div class="footer-wrapper"> <div class="footer" > - <div class="right" ><i>Release: 1.15.1</i><br /> + <div class="right" ><i>Release: 1.16</i><br /> © <a href="../../copyright.html">Copyright</a> 1985-2017, MIT. </div> <div class="left"> diff --git a/doc/html/admin/conf_files/kdc_conf.html b/doc/html/admin/conf_files/kdc_conf.html index b81a78f740f7..183e63cd26d8 100644 --- a/doc/html/admin/conf_files/kdc_conf.html +++ b/doc/html/admin/conf_files/kdc_conf.html @@ -15,7 +15,7 @@ <script type="text/javascript"> var DOCUMENTATION_OPTIONS = { URL_ROOT: '../../', - VERSION: '1.15.1', + VERSION: '1.16', COLLAPSE_INDEX: false, FILE_SUFFIX: '.html', HAS_SOURCE: true 
@@ -149,9 +149,10 @@ to define one parameter for the ATHENA.MIT.EDU realm:</p> <dt><strong>acl_file</strong></dt> <dd>(String.) Location of the access control list file that <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a> uses to determine which principals are allowed -which permissions on the Kerberos database. The default value is -<a class="reference internal" href="../../mitK5defaults.html#paths"><em>LOCALSTATEDIR</em></a><tt class="docutils literal"><span class="pre">/krb5kdc</span></tt><tt class="docutils literal"><span class="pre">/kadm5.acl</span></tt>. For more information on Kerberos ACL -file see <a class="reference internal" href="kadm5_acl.html#kadm5-acl-5"><em>kadm5.acl</em></a>.</dd> +which permissions on the Kerberos database. To operate without an +ACL file, set this relation to the empty string with <tt class="docutils literal"><span class="pre">acl_file</span> <span class="pre">=</span> +<span class="pre">""</span></tt>. The default value is <a class="reference internal" href="../../mitK5defaults.html#paths"><em>LOCALSTATEDIR</em></a><tt class="docutils literal"><span class="pre">/krb5kdc</span></tt><tt class="docutils literal"><span class="pre">/kadm5.acl</span></tt>. For more +information on Kerberos ACL file see <a class="reference internal" href="kadm5_acl.html#kadm5-acl-5"><em>kadm5.acl</em></a>.</dd> <dt><strong>database_module</strong></dt> <dd>(String.) This relation indicates the name of the configuration section under <a class="reference internal" href="#dbmodules"><em>[dbmodules]</em></a> for database-specific parameters 
@@ -242,6 +243,10 @@ are not allowed as passwords. The file should contain one string per line, with no additional whitespace. If none is specified or if there is no policy assigned to the principal, no dictionary checks of passwords will be performed.</dd> +<dt><strong>encrypted_challenge_indicator</strong></dt> +<dd>(String.) Specifies the authentication indicator value that the KDC +asserts into tickets obtained using FAST encrypted challenge +pre-authentication. New in 1.16.</dd> <dt><strong>host_based_services</strong></dt> <dd>(Whitespace- or comma-separated list.) Lists services which will get host-based referral processing even if the server principal is @@ -741,8 +746,6 @@ This option is required if pkinit is to be supported by the KDC.</dd> <dd>Specifies an authentication indicator to include in the ticket if pkinit is used to authenticate. This option may be specified multiple times. (New in release 1.14.)</dd> -<dt><strong>pkinit_kdc_ocsp</strong></dt> -<dd>Specifies the location of the KDC’s OCSP.</dd> <dt><strong>pkinit_pool</strong></dt> <dd>Specifies the location of intermediate certificates which may be used by the KDC to complete the trust chain between a client’s @@ -776,8 +779,8 @@ Encryption types marked as “weak” are available for compatibility bu not recommended for use.</p> <table border="1" class="docutils"> <colgroup> -<col width="44%" /> -<col width="56%" /> +<col width="30%" /> +<col width="70%" /> </colgroup> <tbody valign="top"> <tr class="row-odd"><td>des-cbc-crc</td> @@ -832,7 +835,7 @@ not recommended for use.</p> <td>The triple DES family: des3-cbc-sha1</td> </tr> <tr class="row-even"><td>aes</td> -<td>The AES family: aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96</td> +<td>The AES family: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha384-192, and aes128-cts-hmac-sha256-128</td> </tr> <tr class="row-odd"><td>rc4</td> <td>The RC4 family: arcfour-hmac</td> 
@@ -1045,7 +1048,7 @@ follows:</p> <div class="footer-wrapper"> <div class="footer" > - <div class="right" ><i>Release: 1.15.1</i><br /> + <div class="right" ><i>Release: 1.16</i><br /> © <a href="../../copyright.html">Copyright</a> 1985-2017, MIT. </div> <div class="left"> diff --git a/doc/html/admin/conf_files/krb5_conf.html b/doc/html/admin/conf_files/krb5_conf.html index ca50e7ad27f1..70144fa0bde9 100644 --- a/doc/html/admin/conf_files/krb5_conf.html +++ b/doc/html/admin/conf_files/krb5_conf.html @@ -15,7 +15,7 @@ <script type="text/javascript"> var DOCUMENTATION_OPTIONS = { URL_ROOT: '../../', - VERSION: '1.15.1', + VERSION: '1.16', COLLAPSE_INDEX: false, FILE_SUFFIX: '.html', HAS_SOURCE: true @@ -112,9 +112,10 @@ includedir DIRNAME directory must exist and be readable. Including a directory includes all files within the directory whose names consist solely of alphanumeric characters, dashes, or underscores. Starting in release -1.15, files with names ending in ”.conf” are also included. Included -profile files are syntactically independent of their parents, so each -included file must begin with a section header.</p> +1.15, files with names ending in ”.conf” are also included, unless the +name begins with ”.”. Included profile files are syntactically +independent of their parents, so each included file must begin with a +section header.</p> <p>The krb5.conf file can specify that configuration should be obtained from a loadable module, rather than the file itself, using the following directive at the beginning of a line before any section 
@@ -223,7 +224,7 @@ the client should request when making a TGS-REQ, in order of preference from highest to lowest. The list may be delimited with commas or whitespace. See <a class="reference internal" href="kdc_conf.html#encryption-types"><em>Encryption types</em></a> in <a class="reference internal" href="kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> for a list of the accepted values for this tag. -The default value is <tt class="docutils literal"><span class="pre">aes256-cts-hmac-sha1-96</span> <span class="pre">aes128-cts-hmac-sha1-96</span> <span class="pre">des3-cbc-sha1</span> <span class="pre">arcfour-hmac-md5</span> <span class="pre">camellia256-cts-cmac</span> <span class="pre">camellia128-cts-cmac</span> <span class="pre">des-cbc-crc</span> <span class="pre">des-cbc-md5</span> <span class="pre">des-cbc-md4</span></tt>, but single-DES encryption types +The default value is <tt class="docutils literal"><span class="pre">aes256-cts-hmac-sha1-96</span> <span class="pre">aes128-cts-hmac-sha1-96</span> <span class="pre">aes256-cts-hmac-sha384-192</span> <span class="pre">aes128-cts-hmac-sha256-128</span> <span class="pre">des3-cbc-sha1</span> <span class="pre">arcfour-hmac-md5</span> <span class="pre">camellia256-cts-cmac</span> <span class="pre">camellia128-cts-cmac</span> <span class="pre">des-cbc-crc</span> <span class="pre">des-cbc-md5</span> <span class="pre">des-cbc-md4</span></tt>, but single-DES encryption types will be implicitly removed from this list if the value of <strong>allow_weak_crypto</strong> is false.</p> <p class="last">Do not set this unless required for specific backward 
@@ -236,7 +237,7 @@ libraries are upgraded.</p> the client should request when making an AS-REQ, in order of preference from highest to lowest. The format is the same as for default_tgs_enctypes. The default value for this tag is -<tt class="docutils literal"><span class="pre">aes256-cts-hmac-sha1-96</span> <span class="pre">aes128-cts-hmac-sha1-96</span> <span class="pre">des3-cbc-sha1</span> <span class="pre">arcfour-hmac-md5</span> <span class="pre">camellia256-cts-cmac</span> <span class="pre">camellia128-cts-cmac</span> <span class="pre">des-cbc-crc</span> <span class="pre">des-cbc-md5</span> <span class="pre">des-cbc-md4</span></tt>, but single-DES encryption types will be implicitly +<tt class="docutils literal"><span class="pre">aes256-cts-hmac-sha1-96</span> <span class="pre">aes128-cts-hmac-sha1-96</span> <span class="pre">aes256-cts-hmac-sha384-192</span> <span class="pre">aes128-cts-hmac-sha256-128</span> <span class="pre">des3-cbc-sha1</span> <span class="pre">arcfour-hmac-md5</span> <span class="pre">camellia256-cts-cmac</span> <span class="pre">camellia128-cts-cmac</span> <span class="pre">des-cbc-crc</span> <span class="pre">des-cbc-md5</span> <span class="pre">des-cbc-md4</span></tt>, but single-DES encryption types will be implicitly removed from this list if the value of <strong>allow_weak_crypto</strong> is false.</p> <p class="last">Do not set this unless required for specific backward 
@@ -308,7 +309,7 @@ files in the user’s home directory, with the filename .k5login. For security reasons, .k5login files must be owned by the local user or by root.</dd> <dt><strong>kcm_mach_service</strong></dt> -<dd>On OS X only, determines the name of the bootstrap service used to +<dd>On macOS only, determines the name of the bootstrap service used to contact the KCM daemon for the KCM credential cache type. If the value is <tt class="docutils literal"><span class="pre">-</span></tt>, Mach RPC will not be used to contact the KCM daemon. The default value is <tt class="docutils literal"><span class="pre">org.h5l.kcm</span></tt>.</dd> 
@@ -379,7 +380,7 @@ used across NATs. The default value is true.</dd> <dt><strong>permitted_enctypes</strong></dt> <dd>Identifies all encryption types that are permitted for use in session key encryption. The default value for this tag is -<tt class="docutils literal"><span class="pre">aes256-cts-hmac-sha1-96</span> <span class="pre">aes128-cts-hmac-sha1-96</span> <span class="pre">des3-cbc-sha1</span> <span class="pre">arcfour-hmac-md5</span> <span class="pre">camellia256-cts-cmac</span> <span class="pre">camellia128-cts-cmac</span> <span class="pre">des-cbc-crc</span> <span class="pre">des-cbc-md5</span> <span class="pre">des-cbc-md4</span></tt>, but single-DES encryption types will be implicitly +<tt class="docutils literal"><span class="pre">aes256-cts-hmac-sha1-96</span> <span class="pre">aes128-cts-hmac-sha1-96</span> <span class="pre">aes256-cts-hmac-sha384-192</span> <span class="pre">aes128-cts-hmac-sha256-128</span> <span class="pre">des3-cbc-sha1</span> <span class="pre">arcfour-hmac-md5</span> <span class="pre">camellia256-cts-cmac</span> <span class="pre">camellia128-cts-cmac</span> <span class="pre">des-cbc-crc</span> <span class="pre">des-cbc-md5</span> <span class="pre">des-cbc-md4</span></tt>, but single-DES encryption types will be implicitly removed from this list if the value of <strong>allow_weak_crypto</strong> is false.</dd> <dt><strong>plugin_base_dir</strong></dt> @@ -749,6 +750,9 @@ client principal</dd> <dt><strong>realm</strong></dt> <dd>Uses the service realm to guess an appropriate cache from the collection</dd> +<dt><strong>hostname</strong></dt> +<dd>If the service principal is host-based, uses the service hostname +to guess an appropriate cache from the collection</dd> </dl> </div> <div class="section" id="pwqual-interface"> 
@@ -776,6 +780,23 @@ interface can be used to write a plugin to synchronize MIT Kerberos with another database such as Active Directory. No plugins are built in for this interface.</p> </div> +<div class="section" id="kadm5-auth-interface"> +<span id="kadm5-auth"></span><h4>kadm5_auth interface<a class="headerlink" href="#kadm5-auth-interface" title="Permalink to this headline">¶</a></h4> +<p>The kadm5_auth section (introduced in release 1.16) controls modules +for the kadmin authorization interface, which determines whether a +client principal is allowed to perform a kadmin operation. The +following built-in modules exist for this interface:</p> +<dl class="docutils"> +<dt><strong>acl</strong></dt> +<dd>This module reads the <a class="reference internal" href="kadm5_acl.html#kadm5-acl-5"><em>kadm5.acl</em></a> file, and authorizes +operations which are allowed according to the rules in the file.</dd> +<dt><strong>self</strong></dt> +<dd>This module authorizes self-service operations including password +changes, creation of new random keys, fetching the client’s +principal record or string attributes, and fetching the policy +record associated with the client principal.</dd> +</dl> +</div> <div class="section" id="clpreauth-and-kdcpreauth-interfaces"> <span id="kdcpreauth"></span><span id="clpreauth"></span><h4>clpreauth and kdcpreauth interfaces<a class="headerlink" href="#clpreauth-and-kdcpreauth-interfaces" title="Permalink to this headline">¶</a></h4> <p>The clpreauth and kdcpreauth interfaces allow plugin modules to 
@@ -840,6 +861,28 @@ the account’s <a class="reference internal" href="../../user/user_config/k principal name maps to the local account name.</dd> </dl> </div> +<div class="section" id="certauth-interface"> +<span id="certauth"></span><h4>certauth interface<a class="headerlink" href="#certauth-interface" title="Permalink to this headline">¶</a></h4> +<p>The certauth section (introduced in release 1.16) controls modules for +the certificate authorization interface, which determines whether a +certificate is allowed to preauthenticate a user via PKINIT. The +following built-in modules exist for this interface:</p> +<dl class="docutils"> +<dt><strong>pkinit_san</strong></dt> +<dd>This module authorizes the certificate if it contains a PKINIT +Subject Alternative Name for the requested client principal, or a +Microsoft UPN SAN matching the principal if <strong>pkinit_allow_upn</strong> +is set to true for the realm.</dd> +<dt><strong>pkinit_eku</strong></dt> +<dd>This module rejects the certificate if it does not contain an +Extended Key Usage attribute consistent with the +<strong>pkinit_eku_checking</strong> value for the realm.</dd> +<dt><strong>dbmatch</strong></dt> +<dd>This module authorizes or rejects the certificate according to +whether it matches the <strong>pkinit_cert_match</strong> string attribute on +the client principal, if that attribute is present.</dd> +</dl> +</div> </div> </div> <div class="section" id="pkinit-options"> 
@@ -1195,9 +1238,11 @@ Valid parameters are:</p> <li><a class="reference internal" href="#ccselect-interface">ccselect interface</a></li> <li><a class="reference internal" href="#pwqual-interface">pwqual interface</a></li> <li><a class="reference internal" href="#kadm5-hook-interface">kadm5_hook interface</a></li> +<li><a class="reference internal" href="#kadm5-auth-interface">kadm5_auth interface</a></li> <li><a class="reference internal" href="#clpreauth-and-kdcpreauth-interfaces">clpreauth and kdcpreauth interfaces</a></li> <li><a class="reference internal" href="#hostrealm-interface">hostrealm interface</a></li> <li><a class="reference internal" href="#localauth-interface">localauth interface</a></li> +<li><a class="reference internal" href="#certauth-interface">certauth interface</a></li> </ul> </li> </ul> @@ -1275,7 +1320,7 @@ Valid parameters are:</p> <div class="footer-wrapper"> <div class="footer" > - <div class="right" ><i>Release: 1.15.1</i><br /> + <div class="right" ><i>Release: 1.16</i><br /> © <a href="../../copyright.html">Copyright</a> 1985-2017, MIT. </div> <div class="left"> |
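Review bot: In the kadm5_acl.html EXAMPLE hunk, the explanations for line 1 and line 6 now carve out "except extracting keys" from the `*` and `x` permissions, but neither paragraph says which permission character does grant extraction, so a reader of this section cannot tell how an administrator who legitimately needs it would be given it. Name the extraction permission here (with a pointer to its entry in the SYNTAX section) instead of only stating the exclusion.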
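Review bot: The new MODULE BEHAVIOR section in kadm5_acl.html tells operators that the ACL file "will never authoritatively deny an operation" and that `acl_file = ""` turns it off, but it does not say what remains authorized once it is off. The same patch documents a built-in `self` module in the kadm5_auth interface section of krb5_conf.html that authorizes password changes, new random keys and reads of the client's own principal record and policy; state here whether the built-in kadm5_auth modules are active by default, so that an operator who empties acl_file can tell whether they have disabled all kadmin authorization or only the ACL-based grants.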
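Review bot: Deleting the `pkinit_kdc_ocsp` entry from kdc_conf.html removes the option from the documentation without recording that it went away, so an operator whose existing kdc.conf still sets it has no way to learn from this page that it is no longer honored. Replace the two deleted lines with a one-line note that the option is obsolete as of 1.16 (and confirm that the KDC warns on the unrecognized relation rather than ignoring it silently) instead of dropping the entry outright.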
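Review bot: The three default enctype lists in krb5_conf.html (default_tgs_enctypes, default_tkt_enctypes and permitted_enctypes) insert `aes256-cts-hmac-sha384-192` and `aes128-cts-hmac-sha256-128` after the SHA-1 AES types, while the unchanged context says the list is "in order of preference from highest to lowest". A reader will expect the SHA-2 types to rank above the SHA-1 ones and may take the ordering for a mistake; add one sentence giving the reason (if it is interoperability with peers that do not yet support the new types, say so) and keep the wording identical across the three entries, since they carry the same list.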
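Review bot: The new certauth interface section in krb5_conf.html describes `pkinit_san` as authorizing, `pkinit_eku` as rejecting, and `dbmatch` as doing either, but never says how the three results are combined into a decision. Since this is the check that decides whether a certificate can preauthenticate a user via PKINIT, state explicitly whether a rejection from any module (for example `pkinit_eku`) is final regardless of what the others return, and whether at least one module must positively authorize before the KDC accepts the certificate.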
