diff options
Diffstat (limited to 'doc/html/_sources/admin')
| -rw-r--r-- | doc/html/_sources/admin/admin_commands/kadmin_local.txt | 7 | ||||
| -rw-r--r-- | doc/html/_sources/admin/admin_commands/kpropd.txt | 5 | ||||
| -rw-r--r-- | doc/html/_sources/admin/admin_commands/ktutil.txt | 2 | ||||
| -rw-r--r-- | doc/html/_sources/admin/conf_files/kadm5_acl.txt | 40 | ||||
| -rw-r--r-- | doc/html/_sources/admin/conf_files/kdc_conf.txt | 17 | ||||
| -rw-r--r-- | doc/html/_sources/admin/conf_files/krb5_conf.txt | 59 | ||||
| -rw-r--r-- | doc/html/_sources/admin/pkinit.txt | 20 | ||||
| -rw-r--r-- | doc/html/_sources/admin/realm_config.txt | 2 |
8 files changed, 126 insertions, 26 deletions
diff --git a/doc/html/_sources/admin/admin_commands/kadmin_local.txt b/doc/html/_sources/admin/admin_commands/kadmin_local.txt index 50c3b99ea428..9b5ccf4e911a 100644 --- a/doc/html/_sources/admin/admin_commands/kadmin_local.txt +++ b/doc/html/_sources/admin/admin_commands/kadmin_local.txt @@ -661,6 +661,13 @@ KDC: *principal*. The *value* is a JSON string representing an array of objects, each having optional ``type`` and ``username`` fields. +**pkinit_cert_match** + Specifies a matching expression that defines the certificate + attributes required for the client certificate used by the + principal during PKINIT authentication. The matching expression + is in the same format as those used by the **pkinit_cert_match** + option in :ref:`krb5.conf(5)`. (New in release 1.16.) + This command requires the **modify** privilege. Alias: **setstr** diff --git a/doc/html/_sources/admin/admin_commands/kpropd.txt b/doc/html/_sources/admin/admin_commands/kpropd.txt index 5e01e2f14bc1..5468b06754e1 100644 --- a/doc/html/_sources/admin/admin_commands/kpropd.txt +++ b/doc/html/_sources/admin/admin_commands/kpropd.txt @@ -14,6 +14,7 @@ SYNOPSIS [**-F** *principal_database*] [**-p** *kdb5_util_prog*] [**-P** *port*] +[**--pid-file**\ =\ *pid_file*] [**-d**] [**-t**] @@ -104,6 +105,10 @@ OPTIONS Allows the user to specify the path to the kpropd.acl file; by default the path used is |kdcdir|\ ``/kpropd.acl``. +**--pid-file**\ =\ *pid_file* + In standalone mode, write the process ID of the daemon into + *pid_file*. + ENVIRONMENT ----------- diff --git a/doc/html/_sources/admin/admin_commands/ktutil.txt b/doc/html/_sources/admin/admin_commands/ktutil.txt index d55ddc8944c6..2eb19ded2769 100644 --- a/doc/html/_sources/admin/admin_commands/ktutil.txt +++ b/doc/html/_sources/admin/admin_commands/ktutil.txt @@ -87,7 +87,7 @@ add_entry ~~~~~~~~~ **add_entry** {**-key**\|\ **-password**} **-p** *principal* - **-k** *kvno* **-e** *enctype* + **-k** *kvno* **-e** *enctype* [**-s** *salt*] Add *principal* to keylist using key or password. diff --git a/doc/html/_sources/admin/conf_files/kadm5_acl.txt b/doc/html/_sources/admin/conf_files/kadm5_acl.txt index d23fb8a5789e..290bf0e037a7 100644 --- a/doc/html/_sources/admin/conf_files/kadm5_acl.txt +++ b/doc/html/_sources/admin/conf_files/kadm5_acl.txt @@ -116,16 +116,17 @@ Here is an example of a kadm5.acl file:: */root@ATHENA.MIT.EDU l * # line 5 sms@ATHENA.MIT.EDU x * -maxlife 9h -postdateable # line 6 -(line 1) Any principal in the ``ATHENA.MIT.EDU`` realm with -an ``admin`` instance has all administrative privileges. - -(lines 1-3) The user ``joeadmin`` has all permissions with his -``admin`` instance, ``joeadmin/admin@ATHENA.MIT.EDU`` (matches line -1). He has no permissions at all with his null instance, -``joeadmin@ATHENA.MIT.EDU`` (matches line 2). His ``root`` and other -non-``admin``, non-null instances (e.g., ``extra`` or ``dbadmin``) have -inquire permissions with any principal that has the instance ``root`` -(matches line 3). +(line 1) Any principal in the ``ATHENA.MIT.EDU`` realm with an +``admin`` instance has all administrative privileges except extracting +keys. + +(lines 1-3) The user ``joeadmin`` has all permissions except +extracting keys with his ``admin`` instance, +``joeadmin/admin@ATHENA.MIT.EDU`` (matches line 1). He has no +permissions at all with his null instance, ``joeadmin@ATHENA.MIT.EDU`` +(matches line 2). His ``root`` and other non-``admin``, non-null +instances (e.g., ``extra`` or ``dbadmin``) have inquire permissions +with any principal that has the instance ``root`` (matches line 3). (line 4) Any ``root`` principal in ``ATHENA.MIT.EDU`` can inquire or change the password of their null instance, but not any other @@ -139,9 +140,22 @@ permission can only be granted globally, not to specific target principals. (line 6) Finally, the Service Management System principal -``sms@ATHENA.MIT.EDU`` has all permissions, but any principal that it -creates or modifies will not be able to get postdateable tickets or -tickets with a life of longer than 9 hours. +``sms@ATHENA.MIT.EDU`` has all permissions except extracting keys, but +any principal that it creates or modifies will not be able to get +postdateable tickets or tickets with a life of longer than 9 hours. + +MODULE BEHAVIOR +--------------- + +The ACL file can coexist with other authorization modules in release +1.16 and later, as configured in the :ref:`kadm5_auth` section of +:ref:`krb5.conf(5)`. The ACL file will positively authorize +operations according to the rules above, but will never +authoritatively deny an operation, so other modules can authorize +operations in addition to those authorized by the ACL file. + +To operate without an ACL file, set the *acl_file* variable in +:ref:`kdc.conf(5)` to the empty string with ``acl_file = ""``. SEE ALSO -------- diff --git a/doc/html/_sources/admin/conf_files/kdc_conf.txt b/doc/html/_sources/admin/conf_files/kdc_conf.txt index 13077ecf4bc2..3af1c3796e6b 100644 --- a/doc/html/_sources/admin/conf_files/kdc_conf.txt +++ b/doc/html/_sources/admin/conf_files/kdc_conf.txt @@ -86,9 +86,10 @@ The following tags may be specified in a [realms] subsection: **acl_file** (String.) Location of the access control list file that :ref:`kadmind(8)` uses to determine which principals are allowed - which permissions on the Kerberos database. The default value is - |kdcdir|\ ``/kadm5.acl``. For more information on Kerberos ACL - file see :ref:`kadm5.acl(5)`. + which permissions on the Kerberos database. To operate without an + ACL file, set this relation to the empty string with ``acl_file = + ""``. The default value is |kdcdir|\ ``/kadm5.acl``. For more + information on Kerberos ACL file see :ref:`kadm5.acl(5)`. **database_module** (String.) This relation indicates the name of the configuration @@ -198,6 +199,11 @@ The following tags may be specified in a [realms] subsection: if there is no policy assigned to the principal, no dictionary checks of passwords will be performed. +**encrypted_challenge_indicator** + (String.) Specifies the authentication indicator value that the KDC + asserts into tickets obtained using FAST encrypted challenge + pre-authentication. New in 1.16. + **host_based_services** (Whitespace- or comma-separated list.) Lists services which will get host-based referral processing even if the server principal is @@ -765,9 +771,6 @@ For information about the syntax of some of these options, see pkinit is used to authenticate. This option may be specified multiple times. (New in release 1.14.) -**pkinit_kdc_ocsp** - Specifies the location of the KDC's OCSP. - **pkinit_pool** Specifies the location of intermediate certificates which may be used by the KDC to complete the trust chain between a client's @@ -824,7 +827,7 @@ camellia256-cts-cmac camellia256-cts Camellia-256 CTS mode with camellia128-cts-cmac camellia128-cts Camellia-128 CTS mode with CMAC des The DES family: des-cbc-crc, des-cbc-md5, and des-cbc-md4 (weak) des3 The triple DES family: des3-cbc-sha1 -aes The AES family: aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96 +aes The AES family: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha384-192, and aes128-cts-hmac-sha256-128 rc4 The RC4 family: arcfour-hmac camellia The Camellia family: camellia256-cts-cmac and camellia128-cts-cmac ==================================================== ========================================================= diff --git a/doc/html/_sources/admin/conf_files/krb5_conf.txt b/doc/html/_sources/admin/conf_files/krb5_conf.txt index 653aad613cbc..4ed9832c7b17 100644 --- a/doc/html/_sources/admin/conf_files/krb5_conf.txt +++ b/doc/html/_sources/admin/conf_files/krb5_conf.txt @@ -55,9 +55,10 @@ following directives at the beginning of a line:: directory must exist and be readable. Including a directory includes all files within the directory whose names consist solely of alphanumeric characters, dashes, or underscores. Starting in release -1.15, files with names ending in ".conf" are also included. Included -profile files are syntactically independent of their parents, so each -included file must begin with a section header. +1.15, files with names ending in ".conf" are also included, unless the +name begins with ".". Included profile files are syntactically +independent of their parents, so each included file must begin with a +section header. The krb5.conf file can specify that configuration should be obtained from a loadable module, rather than the file itself, using the @@ -262,7 +263,7 @@ The libdefaults section may contain any of the following relations: the local user or by root. **kcm_mach_service** - On OS X only, determines the name of the bootstrap service used to + On macOS only, determines the name of the bootstrap service used to contact the KCM daemon for the KCM credential cache type. If the value is ``-``, Mach RPC will not be used to contact the KCM daemon. The default value is ``org.h5l.kcm``. @@ -744,6 +745,10 @@ disabled with the disable tag): Uses the service realm to guess an appropriate cache from the collection +**hostname** + If the service principal is host-based, uses the service hostname + to guess an appropriate cache from the collection + .. _pwqual: pwqual interface @@ -777,6 +782,26 @@ interface can be used to write a plugin to synchronize MIT Kerberos with another database such as Active Directory. No plugins are built in for this interface. +.. _kadm5_auth: + +kadm5_auth interface +#################### + +The kadm5_auth section (introduced in release 1.16) controls modules +for the kadmin authorization interface, which determines whether a +client principal is allowed to perform a kadmin operation. The +following built-in modules exist for this interface: + +**acl** + This module reads the :ref:`kadm5.acl(5)` file, and authorizes + operations which are allowed according to the rules in the file. + +**self** + This module authorizes self-service operations including password + changes, creation of new random keys, fetching the client's + principal record or string attributes, and fetching the policy + record associated with the client principal. + .. _clpreauth: .. _kdcpreauth: @@ -858,6 +883,32 @@ built-in modules exist for this interface: This module authorizes a principal to a local account if the principal name maps to the local account name. +.. _certauth: + +certauth interface +################## + +The certauth section (introduced in release 1.16) controls modules for +the certificate authorization interface, which determines whether a +certificate is allowed to preauthenticate a user via PKINIT. The +following built-in modules exist for this interface: + +**pkinit_san** + This module authorizes the certificate if it contains a PKINIT + Subject Alternative Name for the requested client principal, or a + Microsoft UPN SAN matching the principal if **pkinit_allow_upn** + is set to true for the realm. + +**pkinit_eku** + This module rejects the certificate if it does not contain an + Extended Key Usage attribute consistent with the + **pkinit_eku_checking** value for the realm. + +**dbmatch** + This module authorizes or rejects the certificate according to + whether it matches the **pkinit_cert_match** string attribute on + the client principal, if that attribute is present. + PKINIT options -------------- diff --git a/doc/html/_sources/admin/pkinit.txt b/doc/html/_sources/admin/pkinit.txt index 460d75d1e2be..c601c5c9ebba 100644 --- a/doc/html/_sources/admin/pkinit.txt +++ b/doc/html/_sources/admin/pkinit.txt @@ -223,6 +223,26 @@ time as follows:: kadmin -q 'add_principal +requires_preauth -nokey YOUR_PRINCNAME' +By default, the KDC requires PKINIT client certificates to have the +standard Extended Key Usage and Subject Alternative Name attributes +for PKINIT. Starting in release 1.16, it is possible to authorize +client certificates based on the subject or other criteria instead of +the standard PKINIT Subject Alternative Name, by setting the +**pkinit_cert_match** string attribute on each client principal entry. +For example:: + + kadmin set_string user@REALM pkinit_cert_match "<SUBJECT>CN=user@REALM$" + +The **pkinit_cert_match** string attribute follows the syntax used by +the :ref:`krb5.conf(5)` **pkinit_cert_match** relation. To allow the +use of non-PKINIT client certificates, it will also be necessary to +disable key usage checking using the **pkinit_eku_checking** relation; +for example:: + + [kdcdefaults] + pkinit_eku_checking = none + + Configuring the clients ----------------------- diff --git a/doc/html/_sources/admin/realm_config.txt b/doc/html/_sources/admin/realm_config.txt index c016d720fded..c7d9164f5e78 100644 --- a/doc/html/_sources/admin/realm_config.txt +++ b/doc/html/_sources/admin/realm_config.txt @@ -207,7 +207,7 @@ convey more information about a realm's KDCs with a single query. The client performs a query for the following URI records: -* ``_kerberos.REALM`` for fiding KDCs. +* ``_kerberos.REALM`` for finding KDCs. * ``_kerberos-adm.REALM`` for finding kadmin services. * ``_kpasswd.REALM`` for finding password services. |