path: root/src/man/krb5.conf.man
Diffstat (limited to 'src/man/krb5.conf.man')
-rw-r--r--src/man/krb5.conf.man63
1 files changed, 55 insertions, 8 deletions
diff --git a/src/man/krb5.conf.man b/src/man/krb5.conf.man
index 4e350bd72351..3d12254797d3 100644
--- a/src/man/krb5.conf.man
+++ b/src/man/krb5.conf.man
@@ -1,6 +1,6 @@
.\" Man page generated from reStructuredText.
.
-.TH "KRB5.CONF" "5" " " "1.15.1" "MIT Kerberos"
+.TH "KRB5.CONF" "5" " " "1.16" "MIT Kerberos"
.SH NAME
krb5.conf \- Kerberos configuration file
.
@@ -112,9 +112,10 @@ includedir DIRNAME
directory must exist and be readable. Including a directory includes
all files within the directory whose names consist solely of
alphanumeric characters, dashes, or underscores. Starting in release
-1.15, files with names ending in ".conf" are also included. Included
-profile files are syntactically independent of their parents, so each
-included file must begin with a section header.
+1.15, files with names ending in ".conf" are also included, unless the
+name begins with ".". Included profile files are syntactically
+independent of their parents, so each included file must begin with a
+section header.
.sp
The krb5.conf file can specify that configuration should be obtained
from a loadable module, rather than the file itself, using the
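Review bot: the new clause "unless the name begins with "."" in the includedir paragraph reads as though it could qualify both file-name rules, but the first rule (names consisting solely of alphanumeric characters, dashes or underscores) already excludes a leading dot, so the exclusion only changes behaviour for the ".conf" rule. Attach it explicitly to that rule, e.g. "files with names ending in ".conf" are also included, unless the name begins with "." (hidden files)", and since this narrows what an existing includedir picks up, state it as a behaviour change of this release rather than folding it into the sentence about 1.15.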
@@ -257,7 +258,7 @@ the client should request when making a TGS\-REQ, in order of
preference from highest to lowest. The list may be delimited with
commas or whitespace. See \fIEncryption_types\fP in
\fIkdc.conf(5)\fP for a list of the accepted values for this tag.
-The default value is \fBaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 des3\-cbc\-sha1 arcfour\-hmac\-md5 camellia256\-cts\-cmac camellia128\-cts\-cmac des\-cbc\-crc des\-cbc\-md5 des\-cbc\-md4\fP, but single\-DES encryption types
+The default value is \fBaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 aes256\-cts\-hmac\-sha384\-192 aes128\-cts\-hmac\-sha256\-128 des3\-cbc\-sha1 arcfour\-hmac\-md5 camellia256\-cts\-cmac camellia128\-cts\-cmac des\-cbc\-crc des\-cbc\-md5 des\-cbc\-md4\fP, but single\-DES encryption types
will be implicitly removed from this list if the value of
\fBallow_weak_crypto\fP is false.
.sp
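Review bot: the two SHA-2 AES enctypes are inserted after the SHA-1 AES enctypes in a list that the same paragraph describes as ordered "from highest to lowest" preference. If placing aes256-cts-hmac-sha384-192 and aes128-cts-hmac-sha256-128 behind aes256-cts-hmac-sha1-96 is deliberate (for example so that clients keep negotiating AES-SHA1 with KDCs that do not support the newer types), say so in a sentence, otherwise readers will assume the newer types should be listed first. Separately, the same eleven-entry list is now repeated verbatim under default_tgs_enctypes, default_tkt_enctypes and permitted_enctypes; keeping one authoritative copy in the reStructuredText source this page is generated from would stop the three lists drifting apart on the next bump.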
@@ -271,7 +272,7 @@ Identifies the supported list of session key encryption types that
the client should request when making an AS\-REQ, in order of
preference from highest to lowest. The format is the same as for
default_tgs_enctypes. The default value for this tag is
-\fBaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 des3\-cbc\-sha1 arcfour\-hmac\-md5 camellia256\-cts\-cmac camellia128\-cts\-cmac des\-cbc\-crc des\-cbc\-md5 des\-cbc\-md4\fP, but single\-DES encryption types will be implicitly
+\fBaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 aes256\-cts\-hmac\-sha384\-192 aes128\-cts\-hmac\-sha256\-128 des3\-cbc\-sha1 arcfour\-hmac\-md5 camellia256\-cts\-cmac camellia128\-cts\-cmac des\-cbc\-crc des\-cbc\-md5 des\-cbc\-md4\fP, but single\-DES encryption types will be implicitly
removed from this list if the value of \fBallow_weak_crypto\fP is
false.
.sp
@@ -353,7 +354,7 @@ For security reasons, .k5login files must be owned by
the local user or by root.
.TP
.B \fBkcm_mach_service\fP
-On OS X only, determines the name of the bootstrap service used to
+On macOS only, determines the name of the bootstrap service used to
contact the KCM daemon for the KCM credential cache type. If the
value is \fB\-\fP, Mach RPC will not be used to contact the KCM
daemon. The default value is \fBorg.h5l.kcm\fP\&.
@@ -454,7 +455,7 @@ used across NATs. The default value is true.
.B \fBpermitted_enctypes\fP
Identifies all encryption types that are permitted for use in
session key encryption. The default value for this tag is
-\fBaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 des3\-cbc\-sha1 arcfour\-hmac\-md5 camellia256\-cts\-cmac camellia128\-cts\-cmac des\-cbc\-crc des\-cbc\-md5 des\-cbc\-md4\fP, but single\-DES encryption types will be implicitly
+\fBaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 aes256\-cts\-hmac\-sha384\-192 aes128\-cts\-hmac\-sha256\-128 des3\-cbc\-sha1 arcfour\-hmac\-md5 camellia256\-cts\-cmac camellia128\-cts\-cmac des\-cbc\-crc des\-cbc\-md5 des\-cbc\-md4\fP, but single\-DES encryption types will be implicitly
removed from this list if the value of \fBallow_weak_crypto\fP is
false.
.TP
@@ -908,6 +909,10 @@ client principal
.B \fBrealm\fP
Uses the service realm to guess an appropriate cache from the
collection
+.TP
+.B \fBhostname\fP
+If the service principal is host\-based, uses the service hostname
+to guess an appropriate cache from the collection
.UNINDENT
.SS pwqual interface
.sp
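Review bot: the new hostname entry says the module "uses the service hostname to guess an appropriate cache" but not how the guess is made, whereas the neighbouring realm entry at least names what is compared (the service realm). State the matching rule, i.e. what in each cache of the collection is compared against the hostname or its domain part, so an administrator can predict which cache a host-based request will select.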
@@ -936,6 +941,24 @@ principal creation, modification, password changes and deletion. This
interface can be used to write a plugin to synchronize MIT Kerberos
with another database such as Active Directory. No plugins are built
in for this interface.
+.SS kadm5_auth interface
+.sp
+The kadm5_auth section (introduced in release 1.16) controls modules
+for the kadmin authorization interface, which determines whether a
+client principal is allowed to perform a kadmin operation. The
+following built\-in modules exist for this interface:
+.INDENT 0.0
+.TP
+.B \fBacl\fP
+This module reads the \fIkadm5.acl(5)\fP file, and authorizes
+operations which are allowed according to the rules in the file.
+.TP
+.B \fBself\fP
+This module authorizes self\-service operations including password
+changes, creation of new random keys, fetching the client\(aqs
+principal record or string attributes, and fetching the policy
+record associated with the client principal.
+.UNINDENT
.SS clpreauth and kdcpreauth interfaces
.sp
The clpreauth and kdcpreauth interfaces allow plugin modules to
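Review bot: the kadm5_auth section lists two modules that can each authorize an operation but never says how their verdicts are combined, which is the security-relevant fact for this interface: whether one module authorizing is sufficient, whether a module can explicitly deny an operation that another module would allow, and what happens when no module authorizes at all. Add a sentence stating that rule so readers can confirm the interface fails closed. In the self entry, "fetching the client's principal record or string attributes" could also say explicitly that this is read-only access, to avoid a reader assuming self-service extends to modifying those attributes.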
@@ -1009,6 +1032,30 @@ the account\(aqs \fI\&.k5login(5)\fP file.
This module authorizes a principal to a local account if the
principal name maps to the local account name.
.UNINDENT
+.SS certauth interface
+.sp
+The certauth section (introduced in release 1.16) controls modules for
+the certificate authorization interface, which determines whether a
+certificate is allowed to preauthenticate a user via PKINIT. The
+following built\-in modules exist for this interface:
+.INDENT 0.0
+.TP
+.B \fBpkinit_san\fP
+This module authorizes the certificate if it contains a PKINIT
+Subject Alternative Name for the requested client principal, or a
+Microsoft UPN SAN matching the principal if \fBpkinit_allow_upn\fP
+is set to true for the realm.
+.TP
+.B \fBpkinit_eku\fP
+This module rejects the certificate if it does not contain an
+Extended Key Usage attribute consistent with the
+\fBpkinit_eku_checking\fP value for the realm.
+.TP
+.B \fBdbmatch\fP
+This module authorizes or rejects the certificate according to
+whether it matches the \fBpkinit_cert_match\fP string attribute on
+the client principal, if that attribute is present.
+.UNINDENT
.SH PKINIT OPTIONS
.sp
\fBNOTE:\fP
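Review bot: in the certauth section pkinit_san is described as authorizing, pkinit_eku as rejecting and dbmatch as doing either, but the text does not say how conflicting verdicts are resolved: whether a rejection from pkinit_eku or dbmatch overrides an authorization from pkinit_san, and whether a certificate that no module authorizes is refused. Since this interface gates PKINIT preauthentication, state the combination rule explicitly. The dbmatch entry should also say what the module does when the pkinit_cert_match attribute is absent; the trailing "if that attribute is present" leaves it ambiguous whether the module then abstains or rejects.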