author: Cy Schubert <cy@FreeBSD.org> 2025-08-06 06:52:23 +0000
committer: Cy Schubert <cy@FreeBSD.org> 2025-08-06 06:54:05 +0000
commit: d82a140dad3a571d66abb2da24acbba90191f168 (patch)
tree: 6b7498b7e81af8f9e6e286c2a42526d63bc94858 /doc/html/admin/conf_files
parent: 8f7d3ef26dec89a92ec0665de84a5936310a5574 (diff)
Diffstat (limited to 'doc/html/admin/conf_files')
-rw-r--r--  doc/html/admin/conf_files/index.html      26
-rw-r--r--  doc/html/admin/conf_files/kadm5_acl.html  38
-rw-r--r--  doc/html/admin/conf_files/kdc_conf.html   149
-rw-r--r--  doc/html/admin/conf_files/krb5_conf.html  156
4 files changed, 181 insertions, 188 deletions
diff --git a/doc/html/admin/conf_files/index.html b/doc/html/admin/conf_files/index.html
index 57c59b1edae7..a309e76072c9 100644
--- a/doc/html/admin/conf_files/index.html
+++ b/doc/html/admin/conf_files/index.html
@@ -1,19 +1,17 @@
-
<!DOCTYPE html>
-<html>
+<html lang="en" data-content_root="../../">
<head>
<meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.17.1: http://docutils.sourceforge.net/" />
+ <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
<title>Configuration Files &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../../_static/pygments.css" />
- <link rel="stylesheet" type="text/css" href="../../_static/agogo.css" />
- <link rel="stylesheet" type="text/css" href="../../_static/kerb.css" />
- <script data-url_root="../../" id="documentation_options" src="../../_static/documentation_options.js"></script>
- <script src="../../_static/jquery.js"></script>
- <script src="../../_static/underscore.js"></script>
- <script src="../../_static/doctools.js"></script>
+ <link rel="stylesheet" type="text/css" href="../../_static/pygments.css?v=fa44fd50" />
+ <link rel="stylesheet" type="text/css" href="../../_static/agogo.css?v=879f3c71" />
+ <link rel="stylesheet" type="text/css" href="../../_static/kerb.css?v=6a0b3979" />
+ <script src="../../_static/documentation_options.js?v=236fef3b"></script>
+ <script src="../../_static/doctools.js?v=888ff710"></script>
+ <script src="../../_static/sphinx_highlight.js?v=dc90522c"></script>
<link rel="author" title="About these documents" href="../../about.html" />
<link rel="index" title="Index" href="../../genindex.html" />
<link rel="search" title="Search" href="../../search.html" />
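Review bot: the new head line emits `<meta name="viewport">` twice on one line (once with `initial-scale=1.0`, once with `initial-scale=1`); the two are redundant and only one should be present. Because these files are generated, the fix belongs in the Sphinx layout/theme template that produced them, not in the HTML itself, so that every page gets a single viewport tag. The dropped `generator` meta and the swap of `jquery.js`/`underscore.js` for `sphinx_highlight.js` are consistent with a Sphinx upgrade and need no change.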
@@ -53,7 +51,7 @@
<div class="body" role="main">
<section id="configuration-files">
-<h1>Configuration Files<a class="headerlink" href="#configuration-files" title="Permalink to this headline">¶</a></h1>
+<h1>Configuration Files<a class="headerlink" href="#configuration-files" title="Link to this heading">¶</a></h1>
<p>Kerberos uses configuration files to allow administrators to specify
settings on a per-machine basis. <a class="reference internal" href="krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a> applies to all
applications using the Kerboros library, on clients and servers.
@@ -63,7 +61,7 @@ used by applications accessing the KDC database directly. <a class="reference i
is also only used on the KDC, it controls permissions for modifying the
KDC database.</p>
<section id="contents">
-<h2>Contents<a class="headerlink" href="#contents" title="Permalink to this headline">¶</a></h2>
+<h2>Contents<a class="headerlink" href="#contents" title="Link to this heading">¶</a></h2>
<div class="toctree-wrapper compound">
<ul>
<li class="toctree-l1"><a class="reference internal" href="krb5_conf.html">krb5.conf</a></li>
@@ -154,8 +152,8 @@ KDC database.</p>
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.21.3</i><br />
- &copy; <a href="../../copyright.html">Copyright</a> 1985-2024, MIT.
+ <div class="right" ><i>Release: 1.22-final</i><br />
+ &copy; <a href="../../copyright.html">Copyright</a> 1985-2025, MIT.
</div>
<div class="left">
diff --git a/doc/html/admin/conf_files/kadm5_acl.html b/doc/html/admin/conf_files/kadm5_acl.html
index 611864b3c535..17e628141aa1 100644
--- a/doc/html/admin/conf_files/kadm5_acl.html
+++ b/doc/html/admin/conf_files/kadm5_acl.html
@@ -1,19 +1,17 @@
-
<!DOCTYPE html>
-<html>
+<html lang="en" data-content_root="../../">
<head>
<meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.17.1: http://docutils.sourceforge.net/" />
+ <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
<title>kadm5.acl &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../../_static/pygments.css" />
- <link rel="stylesheet" type="text/css" href="../../_static/agogo.css" />
- <link rel="stylesheet" type="text/css" href="../../_static/kerb.css" />
- <script data-url_root="../../" id="documentation_options" src="../../_static/documentation_options.js"></script>
- <script src="../../_static/jquery.js"></script>
- <script src="../../_static/underscore.js"></script>
- <script src="../../_static/doctools.js"></script>
+ <link rel="stylesheet" type="text/css" href="../../_static/pygments.css?v=fa44fd50" />
+ <link rel="stylesheet" type="text/css" href="../../_static/agogo.css?v=879f3c71" />
+ <link rel="stylesheet" type="text/css" href="../../_static/kerb.css?v=6a0b3979" />
+ <script src="../../_static/documentation_options.js?v=236fef3b"></script>
+ <script src="../../_static/doctools.js?v=888ff710"></script>
+ <script src="../../_static/sphinx_highlight.js?v=dc90522c"></script>
<link rel="author" title="About these documents" href="../../about.html" />
<link rel="index" title="Index" href="../../genindex.html" />
<link rel="search" title="Search" href="../../search.html" />
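Review bot: the same duplicated `<meta name="viewport">` tag as in index.html appears here; fixing it once in the template will correct this page as well.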
@@ -53,9 +51,9 @@
<div class="body" role="main">
<section id="kadm5-acl">
-<span id="kadm5-acl-5"></span><h1>kadm5.acl<a class="headerlink" href="#kadm5-acl" title="Permalink to this headline">¶</a></h1>
+<span id="kadm5-acl-5"></span><h1>kadm5.acl<a class="headerlink" href="#kadm5-acl" title="Link to this heading">¶</a></h1>
<section id="description">
-<h2>DESCRIPTION<a class="headerlink" href="#description" title="Permalink to this headline">¶</a></h2>
+<h2>DESCRIPTION<a class="headerlink" href="#description" title="Link to this heading">¶</a></h2>
<p>The Kerberos <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> daemon uses an Access Control List
(ACL) file to manage access rights to the Kerberos database.
For operations that affect principals, the ACL file also controls
@@ -65,7 +63,7 @@ which principals can operate on which other principals.</p>
variable in <a class="reference internal" href="kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>.</p>
</section>
<section id="syntax">
-<h2>SYNTAX<a class="headerlink" href="#syntax" title="Permalink to this headline">¶</a></h2>
+<h2>SYNTAX<a class="headerlink" href="#syntax" title="Link to this heading">¶</a></h2>
<p>Empty lines and lines starting with the sharp sign (<code class="docutils literal notranslate"><span class="pre">#</span></code>) are
ignored. Lines containing ACL entries have the format:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">principal</span> <span class="n">permissions</span> <span class="p">[</span><span class="n">target_principal</span> <span class="p">[</span><span class="n">restrictions</span><span class="p">]</span> <span class="p">]</span>
@@ -89,10 +87,6 @@ counterparts. If the character is <em>upper-case</em>, then the operation
is disallowed. If the character is <em>lower-case</em>, then the operation
is permitted.</p>
<table class="docutils align-default">
-<colgroup>
-<col style="width: 2%" />
-<col style="width: 98%" />
-</colgroup>
<tbody>
<tr class="row-odd"><td><p>a</p></td>
<td><p>[Dis]allows the addition of principals or policies</p></td>
@@ -178,7 +172,7 @@ restarted for changes to take effect.</p>
</div>
</section>
<section id="example">
-<h2>EXAMPLE<a class="headerlink" href="#example" title="Permalink to this headline">¶</a></h2>
+<h2>EXAMPLE<a class="headerlink" href="#example" title="Link to this heading">¶</a></h2>
<p>Here is an example of a kadm5.acl file:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="o">*/</span><span class="n">admin</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="o">*</span> <span class="c1"># line 1</span>
<span class="n">joeadmin</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="n">ADMCIL</span> <span class="c1"># line 2</span>
@@ -213,7 +207,7 @@ any principal that it creates or modifies will not be able to get
postdateable tickets or tickets with a life of longer than 9 hours.</p>
</section>
<section id="module-behavior">
-<h2>MODULE BEHAVIOR<a class="headerlink" href="#module-behavior" title="Permalink to this headline">¶</a></h2>
+<h2>MODULE BEHAVIOR<a class="headerlink" href="#module-behavior" title="Link to this heading">¶</a></h2>
<p>The ACL file can coexist with other authorization modules in release
1.16 and later, as configured in the <a class="reference internal" href="krb5_conf.html#kadm5-auth"><span class="std std-ref">kadm5_auth interface</span></a> section of
<a class="reference internal" href="krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a>. The ACL file will positively authorize
@@ -224,7 +218,7 @@ operations in addition to those authorized by the ACL file.</p>
<a class="reference internal" href="kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a> to the empty string with <code class="docutils literal notranslate"><span class="pre">acl_file</span> <span class="pre">=</span> <span class="pre">&quot;&quot;</span></code>.</p>
</section>
<section id="see-also">
-<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2>
+<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Link to this heading">¶</a></h2>
<p><a class="reference internal" href="kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>, <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a></p>
</section>
</section>
@@ -313,8 +307,8 @@ operations in addition to those authorized by the ACL file.</p>
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.21.3</i><br />
- &copy; <a href="../../copyright.html">Copyright</a> 1985-2024, MIT.
+ <div class="right" ><i>Release: 1.22-final</i><br />
+ &copy; <a href="../../copyright.html">Copyright</a> 1985-2025, MIT.
</div>
<div class="left">
diff --git a/doc/html/admin/conf_files/kdc_conf.html b/doc/html/admin/conf_files/kdc_conf.html
index dc6876d608ec..e6bc02ccbb55 100644
--- a/doc/html/admin/conf_files/kdc_conf.html
+++ b/doc/html/admin/conf_files/kdc_conf.html
@@ -1,19 +1,17 @@
-
<!DOCTYPE html>
-<html>
+<html lang="en" data-content_root="../../">
<head>
<meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.17.1: http://docutils.sourceforge.net/" />
+ <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
<title>kdc.conf &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../../_static/pygments.css" />
- <link rel="stylesheet" type="text/css" href="../../_static/agogo.css" />
- <link rel="stylesheet" type="text/css" href="../../_static/kerb.css" />
- <script data-url_root="../../" id="documentation_options" src="../../_static/documentation_options.js"></script>
- <script src="../../_static/jquery.js"></script>
- <script src="../../_static/underscore.js"></script>
- <script src="../../_static/doctools.js"></script>
+ <link rel="stylesheet" type="text/css" href="../../_static/pygments.css?v=fa44fd50" />
+ <link rel="stylesheet" type="text/css" href="../../_static/agogo.css?v=879f3c71" />
+ <link rel="stylesheet" type="text/css" href="../../_static/kerb.css?v=6a0b3979" />
+ <script src="../../_static/documentation_options.js?v=236fef3b"></script>
+ <script src="../../_static/doctools.js?v=888ff710"></script>
+ <script src="../../_static/sphinx_highlight.js?v=dc90522c"></script>
<link rel="author" title="About these documents" href="../../about.html" />
<link rel="index" title="Index" href="../../genindex.html" />
<link rel="search" title="Search" href="../../search.html" />
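Review bot: the duplicated `<meta name="viewport">` tag recurs here too, which confirms it is a template-level artifact rather than a per-page edit; one template fix covers all four files in the diffstat.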
@@ -53,7 +51,7 @@
<div class="body" role="main">
<section id="kdc-conf">
-<span id="kdc-conf-5"></span><h1>kdc.conf<a class="headerlink" href="#kdc-conf" title="Permalink to this headline">¶</a></h1>
+<span id="kdc-conf-5"></span><h1>kdc.conf<a class="headerlink" href="#kdc-conf" title="Link to this heading">¶</a></h1>
<p>The kdc.conf file supplements <a class="reference internal" href="krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a> for programs which
are typically only used on a KDC, such as the <a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a> and
<a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> daemons and the <a class="reference internal" href="../admin_commands/kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a> program.
@@ -66,18 +64,14 @@ environment variable <strong>KRB5_KDC_PROFILE</strong>.</p>
<p>Please note that you need to restart the KDC daemon for any configuration
changes to take effect.</p>
<section id="structure">
-<h2>Structure<a class="headerlink" href="#structure" title="Permalink to this headline">¶</a></h2>
+<h2>Structure<a class="headerlink" href="#structure" title="Link to this heading">¶</a></h2>
<p>The kdc.conf file is set up in the same format as the
<a class="reference internal" href="krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a> file.</p>
</section>
<section id="sections">
-<h2>Sections<a class="headerlink" href="#sections" title="Permalink to this headline">¶</a></h2>
+<h2>Sections<a class="headerlink" href="#sections" title="Link to this heading">¶</a></h2>
<p>The kdc.conf file may contain the following sections:</p>
<table class="docutils align-default">
-<colgroup>
-<col style="width: 29%" />
-<col style="width: 71%" />
-</colgroup>
<tbody>
<tr class="row-odd"><td><p><a class="reference internal" href="#kdcdefaults"><span class="std std-ref">[kdcdefaults]</span></a></p></td>
<td><p>Default values for KDC behavior</p></td>
@@ -97,7 +91,7 @@ changes to take effect.</p>
</tbody>
</table>
<section id="kdcdefaults">
-<span id="id1"></span><h3>[kdcdefaults]<a class="headerlink" href="#kdcdefaults" title="Permalink to this headline">¶</a></h3>
+<span id="id1"></span><h3>[kdcdefaults]<a class="headerlink" href="#kdcdefaults" title="Link to this heading">¶</a></h3>
<p>Some relations in the [kdcdefaults] section specify default values for
realm variables, to be used if the [realms] subsection does not
contain a relation for the tag. See the <a class="reference internal" href="#kdc-realms"><span class="std std-ref">[realms]</span></a> section for
@@ -128,7 +122,7 @@ challenge. (New in release 1.17.)</p>
</dl>
</section>
<section id="realms">
-<span id="kdc-realms"></span><h3>[realms]<a class="headerlink" href="#realms" title="Permalink to this headline">¶</a></h3>
+<span id="kdc-realms"></span><h3>[realms]<a class="headerlink" href="#realms" title="Link to this heading">¶</a></h3>
<p>Each tag in the [realms] section is the name of a Kerberos realm. The
value of the tag is a subsection where the relations define KDC
parameters for that particular realm. The following example shows how
@@ -306,14 +300,16 @@ default value will not use values from the [dbmodules] section.)</p>
</dd>
<dt><strong>kadmind_listen</strong></dt><dd><p>(Whitespace- or comma-separated list.) Specifies the kadmin RPC
listening addresses and/or ports for the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> daemon.
-Each entry may be an interface address, a port number, or an
-address and port number separated by a colon. If the address
-contains colons, enclose it in square brackets. If no address is
-specified, the wildcard address is used. If kadmind fails to bind
-to any of the specified addresses, it will fail to start. The
-default is to bind to the wildcard address at the port specified
-in <strong>kadmind_port</strong>, or the standard kadmin port (749). New in
-release 1.15.</p>
+Each entry may be an interface address, a port number, an address
+and port number separated by a colon, or a UNIX domain socket
+pathname. If the address contains colons, enclose it in square
+brackets. If no address is specified, the wildcard address is
+used. To disable listening for kadmin RPC connections, set this
+relation to the empty string with <code class="docutils literal notranslate"><span class="pre">kadmind_listen</span> <span class="pre">=</span> <span class="pre">&quot;&quot;</span></code>. If
+kadmind fails to bind to any of the specified addresses, it will
+fail to start. The default is to bind to the wildcard address at
+the port specified in <strong>kadmind_port</strong>, or the standard kadmin
+port (749). New in release 1.15.</p>
</dd>
<dt><strong>kadmind_port</strong></dt><dd><p>(Port number.) Specifies the port on which the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a>
daemon is to listen for this realm. Port numbers specified in
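Review bot: the rewritten kadmind_listen text now allows "a UNIX domain socket pathname" as an entry but does not say how a pathname is told apart from an interface address or port (for example by a leading `/`), nor what ownership and mode the socket file is created with; an administrator deciding who may reach the kadmin RPC endpoint locally needs both. Suggest one sentence on the recognition rule and the socket permissions; since the same wording is repeated for kdc_listen and kpasswd_listen in the following hunks, a single shared sentence could serve all three relations.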
@@ -323,16 +319,18 @@ assigned port for kadmind is 749, which is used by default.</p>
<dt><strong>key_stash_file</strong></dt><dd><p>(String.) Specifies the location where the master key has been
stored (via kdb5_util stash). The default is <a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">LOCALSTATEDIR</span></a><code class="docutils literal notranslate"><span class="pre">/krb5kdc</span></code><code class="docutils literal notranslate"><span class="pre">/.k5.REALM</span></code>, where <em>REALM</em> is the Kerberos realm.</p>
</dd>
-<dt><strong>kdc_listen</strong></dt><dd><p>(Whitespace- or comma-separated list.) Specifies the UDP
-listening addresses and/or ports for the <a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a> daemon.
-Each entry may be an interface address, a port number, or an
-address and port number separated by a colon. If the address
-contains colons, enclose it in square brackets. If no address is
-specified, the wildcard address is used. If no port is specified,
-the standard port (88) is used. If the KDC daemon fails to bind
-to any of the specified addresses, it will fail to start. The
-default is to bind to the wildcard address on the standard port.
-New in release 1.15.</p>
+<dt><strong>kdc_listen</strong></dt><dd><p>(Whitespace- or comma-separated list.) Specifies the listening
+addresses and/or ports for the <a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a> daemon. Each
+entry may be an interface address, a port number, an address and
+port number separated by a colon, or a UNIX domain socket
+pathname. If the address contains colons, enclose it in square
+brackets. If no address is specified, the wildcard address is
+used. If no port is specified, the standard port (88) is used.
+To disable listening on UDP, set this relation to the empty string
+with <code class="docutils literal notranslate"><span class="pre">kdc_listen</span> <span class="pre">=</span> <span class="pre">&quot;&quot;</span></code>. If the KDC daemon fails to bind to any
+of the specified addresses, it will fail to start. The default is
+to bind to the wildcard address on the standard port. New in
+release 1.15.</p>
</dd>
<dt><strong>kdc_ports</strong></dt><dd><p>(Whitespace- or comma-separated list, deprecated.) Prior to
release 1.15, this relation lists the ports for the
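Review bot: the first sentence of kdc_listen drops "UDP" ("Specifies the listening addresses and/or ports"), yet the same paragraph still says "To disable listening on UDP, set this relation to the empty string" and the kdc_tcp_listen entry still defaults to "the same addresses and ports as for UDP". If kdc_listen remains the UDP relation, keep "UDP" in the opening sentence; if it now covers something beyond UDP, state what, otherwise the disable sentence reads as if only part of the relation is being switched off.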
@@ -342,15 +340,10 @@ if that relation is not defined.</p>
</dd>
<dt><strong>kdc_tcp_listen</strong></dt><dd><p>(Whitespace- or comma-separated list.) Specifies the TCP
listening addresses and/or ports for the <a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a> daemon.
-Each entry may be an interface address, a port number, or an
-address and port number separated by a colon. If the address
-contains colons, enclose it in square brackets. If no address is
-specified, the wildcard address is used. If no port is specified,
-the standard port (88) is used. To disable listening on TCP, set
-this relation to the empty string with <code class="docutils literal notranslate"><span class="pre">kdc_tcp_listen</span> <span class="pre">=</span> <span class="pre">&quot;&quot;</span></code>.
-If the KDC daemon fails to bind to any of the specified addresses,
-it will fail to start. The default is to bind to the wildcard
-address on the standard port. New in release 1.15.</p>
+The syntax is identical to that of <strong>kdc_listen</strong>. To disable
+listening on TCP, set this relation to the empty string with
+<code class="docutils literal notranslate"><span class="pre">kdc_tcp_listen</span> <span class="pre">=</span> <span class="pre">&quot;&quot;</span></code>. The default is to bind to the same
+addresses and ports as for UDP. New in release 1.15.</p>
</dd>
<dt><strong>kdc_tcp_ports</strong></dt><dd><p>(Whitespace- or comma-separated list, deprecated.) Prior to
release 1.15, this relation lists the ports for the
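Review bot: "The default is to bind to the same addresses and ports as for UDP" leaves the interaction with `kdc_listen = ""` unstated: a reader cannot tell whether disabling UDP also disables TCP when kdc_tcp_listen is unset, or whether TCP then falls back to the wildcard address on port 88. Spelling this out matters because an administrator who intends to expose only one transport needs to know whether the other remains open by default.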
@@ -358,15 +351,18 @@ release 1.15, this relation lists the ports for the
release 1.15 and later, it has the same meaning as
<strong>kdc_tcp_listen</strong> if that relation is not defined.</p>
</dd>
-<dt><strong>kpasswd_listen</strong></dt><dd><p>(Comma-separated list.) Specifies the kpasswd listening addresses
-and/or ports for the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> daemon. Each entry may be
-an interface address, a port number, or an address and port number
-separated by a colon. If the address contains colons, enclose it
-in square brackets. If no address is specified, the wildcard
-address is used. If kadmind fails to bind to any of the specified
-addresses, it will fail to start. The default is to bind to the
-wildcard address at the port specified in <strong>kpasswd_port</strong>, or the
-standard kpasswd port (464). New in release 1.15.</p>
+<dt><strong>kpasswd_listen</strong></dt><dd><p>(Comma-separated list.) Specifies the kpasswd listening
+addresses and/or ports for the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> daemon. Each
+entry may be an interface address, a port number, an address and
+port number separated by a colon, or a UNIX domain socket
+pathname. If the address contains colons, enclose it in square
+brackets. If no address is specified, the wildcard address is
+used. To disable listening for kpasswd requests, set this
+relation to the empty string with <code class="docutils literal notranslate"><span class="pre">kpasswd_listen</span> <span class="pre">=</span> <span class="pre">&quot;&quot;</span></code>. If
+kadmind fails to bind to any of the specified addresses, it will
+fail to start. The default is to bind to the wildcard address at
+the port specified in <strong>kpasswd_port</strong>, or the standard kpasswd
+port (464). New in release 1.15.</p>
</dd>
<dt><strong>kpasswd_port</strong></dt><dd><p>(Port number.) Specifies the port on which the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a>
daemon is to listen for password change requests for this realm.
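Review bot: kpasswd_listen is still described as "(Comma-separated list.)" while kadmind_listen and kdc_listen in this same patch say "(Whitespace- or comma-separated list.)". If all three are parsed the same way, align the wording while the paragraph is being rewritten; if kpasswd_listen really is comma-only, a sentence noting the difference would prevent copy-paste configurations from silently binding fewer addresses than intended.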
@@ -433,7 +429,7 @@ possible values, see <a class="reference internal" href="#keysalt-lists"><span c
</dl>
</section>
<section id="dbdefaults">
-<span id="id2"></span><h3>[dbdefaults]<a class="headerlink" href="#dbdefaults" title="Permalink to this headline">¶</a></h3>
+<span id="id2"></span><h3>[dbdefaults]<a class="headerlink" href="#dbdefaults" title="Link to this heading">¶</a></h3>
<p>The [dbdefaults] section specifies default values for some database
parameters, to be used if the [dbmodules] subsection does not contain
a relation for the tag. See the <a class="reference internal" href="#dbmodules"><span class="std std-ref">[dbmodules]</span></a> section for the
@@ -455,7 +451,7 @@ definitions of these relations.</p>
</ul>
</section>
<section id="dbmodules">
-<span id="id3"></span><h3>[dbmodules]<a class="headerlink" href="#dbmodules" title="Permalink to this headline">¶</a></h3>
+<span id="id3"></span><h3>[dbmodules]<a class="headerlink" href="#dbmodules" title="Link to this heading">¶</a></h3>
<p>The [dbmodules] section contains parameters used by the KDC database
library and database modules. Each tag in the [dbmodules] section is
the name of a Kerberos realm or a section name specified by a realm’s
@@ -569,7 +565,7 @@ modules. The value should be an absolute path.</p>
</dl>
</section>
<section id="logging">
-<span id="id4"></span><h3>[logging]<a class="headerlink" href="#logging" title="Permalink to this headline">¶</a></h3>
+<span id="id4"></span><h3>[logging]<a class="headerlink" href="#logging" title="Link to this heading">¶</a></h3>
<p>The [logging] section indicates how <a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a> and
<a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> perform logging. It may contain the following
relations:</p>
@@ -631,7 +627,7 @@ to the file <code class="docutils literal notranslate"><span class="pre">/var/ad
To disable logging entirely, specify <code class="docutils literal notranslate"><span class="pre">default</span> <span class="pre">=</span> <span class="pre">DEVICE=/dev/null</span></code>.</p>
</section>
<section id="otp">
-<span id="id5"></span><h3>[otp]<a class="headerlink" href="#otp" title="Permalink to this headline">¶</a></h3>
+<span id="id5"></span><h3>[otp]<a class="headerlink" href="#otp" title="Link to this heading">¶</a></h3>
<p>Each subsection of [otp] is the name of an OTP token type. The tags
within the subsection define the configuration required to forward a
One Time Password request to a RADIUS server.</p>
@@ -691,7 +687,7 @@ something applicable for your situation:</p>
</section>
</section>
<section id="pkinit-options">
-<h2>PKINIT options<a class="headerlink" href="#pkinit-options" title="Permalink to this headline">¶</a></h2>
+<h2>PKINIT options<a class="headerlink" href="#pkinit-options" title="Link to this heading">¶</a></h2>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>The following are pkinit-specific options. These values may
@@ -725,8 +721,11 @@ the KDC trusts to sign client certificates. This option is
required if pkinit is to be supported by the KDC. This option may
be specified multiple times.</p>
</dd>
-<dt><strong>pkinit_dh_min_bits</strong></dt><dd><p>Specifies the minimum number of bits the KDC is willing to accept
-for a client’s Diffie-Hellman key. The default is 2048.</p>
+<dt><strong>pkinit_dh_min_bits</strong></dt><dd><p>Specifies the minimum strength of Diffie-Hellman group the KDC is
+willing to accept for key exchange. Valid values in order of
+increasing strength are 1024, 2048, P-256, 4096, P-384, and P-521.
+The default is 2048. (P-256, P-384, and P-521 are new in release
+1.22.)</p>
</dd>
<dt><strong>pkinit_allow_upn</strong></dt><dd><p>Specifies that the KDC is willing to accept client certificates
with the Microsoft UserPrincipalName (UPN) Subject Alternative
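Review bot: the relation keeps the name pkinit_dh_min_bits but now accepts named curves (P-256, P-384, P-521) alongside bit lengths, so the text should say what happens with a value outside the listed set (rejected at startup, or mapped to the nearest listed strength) and confirm that the comparison is "at least this strong" in the stated order. 1024 also remains a valid value; the Encryption types section of this same file labels entries as "weak" or "deprecated" when they are kept only for compatibility, and the same labelling here would stop the lowest setting from reading as a recommended one.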
@@ -734,7 +733,7 @@ Name (SAN). This means the KDC accepts the binding of the UPN in
the certificate to the Kerberos principal name. The default value
is false.</p>
<p>Without this option, the KDC will only accept certificates with
-the id-pkinit-san as defined in <span class="target" id="index-0"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc4556.html"><strong>RFC 4556</strong></a>. There is currently
+the id-pkinit-san as defined in <span class="target" id="index-0"></span><a class="rfc reference external" href="https://datatracker.ietf.org/doc/html/rfc4556.html"><strong>RFC 4556</strong></a>. There is currently
no option to disable SAN checking in the KDC.</p>
</dd>
<dt><strong>pkinit_eku_checking</strong></dt><dd><p>This option specifies what Extended Key Usage (EKU) values the KDC
@@ -743,7 +742,7 @@ recognized in the kdc.conf file are:</p>
<dl class="simple">
<dt><strong>kpClientAuth</strong></dt><dd><p>This is the default value and specifies that client
certificates must have the id-pkinit-KPClientAuth EKU as
-defined in <span class="target" id="index-1"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc4556.html"><strong>RFC 4556</strong></a>.</p>
+defined in <span class="target" id="index-1"></span><a class="rfc reference external" href="https://datatracker.ietf.org/doc/html/rfc4556.html"><strong>RFC 4556</strong></a>.</p>
</dd>
<dt><strong>scLogin</strong></dt><dd><p>If scLogin is specified, client certificates with the
Microsoft Smart Card Login EKU (id-ms-kp-sc-logon) will be
@@ -791,16 +790,12 @@ in PKINIT requests. The default value is false. (New in release
</dl>
</section>
<section id="encryption-types">
-<span id="id6"></span><h2>Encryption types<a class="headerlink" href="#encryption-types" title="Permalink to this headline">¶</a></h2>
+<span id="id6"></span><h2>Encryption types<a class="headerlink" href="#encryption-types" title="Link to this heading">¶</a></h2>
<p>Any tag in the configuration files which requires a list of encryption
types can be set to some combination of the following strings.
Encryption types marked as “weak” and “deprecated” are available for
compatibility but not recommended for use.</p>
<table class="docutils align-default">
-<colgroup>
-<col style="width: 30%" />
-<col style="width: 70%" />
-</colgroup>
<tbody>
<tr class="row-odd"><td><p>des3-cbc-raw</p></td>
<td><p>Triple DES cbc mode raw (weak)</p></td>
@@ -866,7 +861,7 @@ these newer encryption types must not be given keys of these
encryption types in the KDC database.</p>
</section>
<section id="keysalt-lists">
-<span id="id7"></span><h2>Keysalt lists<a class="headerlink" href="#keysalt-lists" title="Permalink to this headline">¶</a></h2>
+<span id="id7"></span><h2>Keysalt lists<a class="headerlink" href="#keysalt-lists" title="Link to this heading">¶</a></h2>
<p>Kerberos keys for users are usually derived from passwords. Kerberos
commands and configuration parameters that affect generation of keys
take lists of enctype-salttype (“keysalt”) pairs, known as <em>keysalt
@@ -884,10 +879,6 @@ the same key, Kerberos 5 incorporates more information into the key
using something called a salt. The supported salt types are as
follows:</p>
<table class="docutils align-default">
-<colgroup>
-<col style="width: 25%" />
-<col style="width: 75%" />
-</colgroup>
<tbody>
<tr class="row-odd"><td><p>normal</p></td>
<td><p>default for Kerberos Version 5</p></td>
@@ -905,7 +896,7 @@ follows:</p>
</table>
</section>
<section id="sample-kdc-conf-file">
-<h2>Sample kdc.conf File<a class="headerlink" href="#sample-kdc-conf-file" title="Permalink to this headline">¶</a></h2>
+<h2>Sample kdc.conf File<a class="headerlink" href="#sample-kdc-conf-file" title="Link to this heading">¶</a></h2>
<p>Here’s an example of a kdc.conf file:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">kdcdefaults</span><span class="p">]</span>
<span class="n">kdc_listen</span> <span class="o">=</span> <span class="mi">88</span>
@@ -945,11 +936,11 @@ follows:</p>
</div>
</section>
<section id="files">
-<h2>FILES<a class="headerlink" href="#files" title="Permalink to this headline">¶</a></h2>
+<h2>FILES<a class="headerlink" href="#files" title="Link to this heading">¶</a></h2>
<p><a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">LOCALSTATEDIR</span></a><code class="docutils literal notranslate"><span class="pre">/krb5kdc</span></code><code class="docutils literal notranslate"><span class="pre">/kdc.conf</span></code></p>
</section>
<section id="see-also">
-<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2>
+<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Link to this heading">¶</a></h2>
<p><a class="reference internal" href="krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a>, <a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a>, <a class="reference internal" href="kadm5_acl.html#kadm5-acl-5"><span class="std std-ref">kadm5.acl</span></a></p>
</section>
</section>
@@ -1049,8 +1040,8 @@ follows:</p>
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.21.3</i><br />
- &copy; <a href="../../copyright.html">Copyright</a> 1985-2024, MIT.
+ <div class="right" ><i>Release: 1.22-final</i><br />
+ &copy; <a href="../../copyright.html">Copyright</a> 1985-2025, MIT.
</div>
<div class="left">
diff --git a/doc/html/admin/conf_files/krb5_conf.html b/doc/html/admin/conf_files/krb5_conf.html
index 7c922675d149..f1438242431d 100644
--- a/doc/html/admin/conf_files/krb5_conf.html
+++ b/doc/html/admin/conf_files/krb5_conf.html
@@ -1,19 +1,17 @@
-
<!DOCTYPE html>
-<html>
+<html lang="en" data-content_root="../../">
<head>
<meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.17.1: http://docutils.sourceforge.net/" />
+ <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
<title>krb5.conf &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../../_static/pygments.css" />
- <link rel="stylesheet" type="text/css" href="../../_static/agogo.css" />
- <link rel="stylesheet" type="text/css" href="../../_static/kerb.css" />
- <script data-url_root="../../" id="documentation_options" src="../../_static/documentation_options.js"></script>
- <script src="../../_static/jquery.js"></script>
- <script src="../../_static/underscore.js"></script>
- <script src="../../_static/doctools.js"></script>
+ <link rel="stylesheet" type="text/css" href="../../_static/pygments.css?v=fa44fd50" />
+ <link rel="stylesheet" type="text/css" href="../../_static/agogo.css?v=879f3c71" />
+ <link rel="stylesheet" type="text/css" href="../../_static/kerb.css?v=6a0b3979" />
+ <script src="../../_static/documentation_options.js?v=236fef3b"></script>
+ <script src="../../_static/doctools.js?v=888ff710"></script>
+ <script src="../../_static/sphinx_highlight.js?v=dc90522c"></script>
<link rel="author" title="About these documents" href="../../about.html" />
<link rel="index" title="Index" href="../../genindex.html" />
<link rel="search" title="Search" href="../../search.html" />
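Review bot: the rewritten head emits `<meta name="viewport">` twice on the same `+` line, once with `initial-scale=1.0` and once with `initial-scale=1`; the duplicate is redundant and the two values disagree, so keep a single tag (the `initial-scale=1` form the new generator produces) or fix the template fragment that prepends the old one. Dropping jquery.js and underscore.js is consistent with the switch to sphinx_highlight.js, but any hand-written script elsewhere on these pages that still expects `$` will now fail silently, so worth a grep before merging.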
@@ -53,7 +51,7 @@
<div class="body" role="main">
<section id="krb5-conf">
-<span id="krb5-conf-5"></span><h1>krb5.conf<a class="headerlink" href="#krb5-conf" title="Permalink to this headline">¶</a></h1>
+<span id="krb5-conf-5"></span><h1>krb5.conf<a class="headerlink" href="#krb5-conf" title="Link to this heading">¶</a></h1>
<p>The krb5.conf file contains Kerberos configuration information,
including the locations of KDCs and admin servers for the Kerberos
realms of interest, defaults for the current realm and for Kerberos
@@ -67,7 +65,7 @@ also be specified in <strong>KRB5_CONFIG</strong>; all files within the director
whose names consist solely of alphanumeric characters, dashes, or
underscores will be read.</p>
<section id="structure">
-<h2>Structure<a class="headerlink" href="#structure" title="Permalink to this headline">¶</a></h2>
+<h2>Structure<a class="headerlink" href="#structure" title="Link to this heading">¶</a></h2>
<p>The krb5.conf file is set up in the style of a Windows INI file.
Lines beginning with ‘#’ or ‘;’ (possibly after initial whitespace)
are ignored as comments. Sections are headed by the section name, in
@@ -83,11 +81,6 @@ the form:</p>
<span class="p">}</span>
</pre></div>
</div>
-<p>Placing a ‘*’ after the closing bracket of a section name indicates
-that the section is <em>final</em>, meaning that if the same section appears
-within a later file specified in <strong>KRB5_CONFIG</strong>, it will be ignored.
-A subsection can be marked as final by placing a ‘*’ after either the
-tag name or the closing brace.</p>
<p>The krb5.conf file can include other files using either of the
following directives at the beginning of a line:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">include</span> <span class="n">FILENAME</span>
@@ -104,6 +97,15 @@ independent of their parents, so each included file must begin with a
section header. Starting in release 1.17, files are read in
alphanumeric order; in previous releases, they may be read in any
order.</p>
+<p>Placing a ‘*’ after the closing bracket of a section name indicates
+that the section is <em>final</em>, meaning that if the same section appears
+again later, it will be ignored. A subsection can be marked as final
+by placing a ‘*’ after either the tag name or the closing brace. A
+relation can be marked as final by placing a ‘*’ after the tag name.
+Prior to release 1.22, only sections and subsections can be marked as
+final, and the flag only causes values to be ignored if they appear in
+later files specified in <strong>KRB5_CONFIG</strong>, not if they appear later
+within the same file or an included file.</p>
<p>The krb5.conf file can specify that configuration should be obtained
from a loadable module, rather than the file itself, using the
following directive at the beginning of a line before any section
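Review bot: the relocated "final" paragraph states the 1.22 scope only by contrast in its last sentence ("Prior to release 1.22 ... not if they appear later within the same file or an included file"); say directly in the first sentence that a final section, subsection or relation now suppresses later occurrences wherever they appear: later in the same file, in an included file, or in a later file named in KRB5_CONFIG. Since the relation form is described only in words ("a '*' after the tag name"), an example such as `tag* = value` beside the existing `[name]*` description would help; that is the form an administrator would use to pin a security-relevant relation so that an included file cannot override it.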
@@ -117,13 +119,9 @@ to the module at initialization time. If krb5.conf uses a module
directive, <a class="reference internal" href="kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a> should also use one if it exists.</p>
</section>
<section id="sections">
-<h2>Sections<a class="headerlink" href="#sections" title="Permalink to this headline">¶</a></h2>
+<h2>Sections<a class="headerlink" href="#sections" title="Link to this heading">¶</a></h2>
<p>The krb5.conf file may contain the following sections:</p>
<table class="docutils align-default">
-<colgroup>
-<col style="width: 26%" />
-<col style="width: 74%" />
-</colgroup>
<tbody>
<tr class="row-odd"><td><p><a class="reference internal" href="#libdefaults"><span class="std std-ref">[libdefaults]</span></a></p></td>
<td><p>Settings used by the Kerberos V5 library</p></td>
@@ -148,7 +146,7 @@ directive, <a class="reference internal" href="kdc_conf.html#kdc-conf-5"><span c
<p>Additionally, krb5.conf may include any of the relations described in
<a class="reference internal" href="kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>, but it is not a recommended practice.</p>
<section id="libdefaults">
-<span id="id1"></span><h3>[libdefaults]<a class="headerlink" href="#libdefaults" title="Permalink to this headline">¶</a></h3>
+<span id="id1"></span><h3>[libdefaults]<a class="headerlink" href="#libdefaults" title="Link to this heading">¶</a></h3>
<p>The libdefaults section may contain any of the following relations:</p>
<dl>
<dt><strong>allow_des3</strong></dt><dd><p>Permit the KDC to issue tickets with des3-cbc-sha1 session keys.
@@ -258,6 +256,11 @@ it (besides the initial ticket request, which has no encrypted
data), and anything the fake KDC sends will not be trusted without
verification using some secret that it won’t know.</p>
</dd>
+<dt><strong>dns_lookup_realm</strong></dt><dd><p>Indicate whether DNS TXT records should be used to map hostnames
+to realm names for hostnames not listed in the [domain_realm]
+section, and to determine the default realm if <strong>default_realm</strong>
+is not set. The default value is false.</p>
+</dd>
<dt><strong>dns_uri_lookup</strong></dt><dd><p>Indicate whether DNS URI records should be used to locate the KDCs
and other servers for a realm, if they are not listed in the
krb5.conf information for the realm. SRV records are used as a
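Review bot: in the new dns_lookup_realm entry, `[domain_realm]` is plain text while neighbouring entries link section names with `<a class="reference internal" href="#domain-realm">`; link it for consistency. The entry should also say whether a hostname-to-realm mapping taken from DNS TXT records is trusted without the verification the preceding entry describes for KDC lookup, because that is what an administrator needs to know before changing the false default.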
@@ -378,26 +381,30 @@ set. The default is not to search domain components.</p>
<dt><strong>renew_lifetime</strong></dt><dd><p>(<a class="reference internal" href="../../basic/date_format.html#duration"><span class="std std-ref">Time duration</span></a> string.) Sets the default renewable lifetime
for initial ticket requests. The default value is 0.</p>
</dd>
+<dt><strong>request_timeout</strong></dt><dd><p>(<a class="reference internal" href="../../basic/date_format.html#duration"><span class="std std-ref">Time duration</span></a> string.) Sets the maximum total time for KDC and
+password change requests. This timeout does not affect the
+intervals between requests, so setting a low timeout may result in
+fewer requests being attempted and/or some servers not being
+contacted. A value of 0 indicates no specific maximum, in which
+case requests will time out if no server responds after several
+tries. The default value is 0. (New in release 1.22.)</p>
+</dd>
<dt><strong>spake_preauth_groups</strong></dt><dd><p>A whitespace or comma-separated list of words which specifies the
groups allowed for SPAKE preauthentication. The possible values
are:</p>
<table class="docutils align-default">
-<colgroup>
-<col style="width: 27%" />
-<col style="width: 73%" />
-</colgroup>
<tbody>
<tr class="row-odd"><td><p>edwards25519</p></td>
-<td><p>Edwards25519 curve (<span class="target" id="index-0"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc7748.html"><strong>RFC 7748</strong></a>)</p></td>
+<td><p>Edwards25519 curve (<span class="target" id="index-0"></span><a class="rfc reference external" href="https://datatracker.ietf.org/doc/html/rfc7748.html"><strong>RFC 7748</strong></a>)</p></td>
</tr>
<tr class="row-even"><td><p>P-256</p></td>
-<td><p>NIST P-256 curve (<span class="target" id="index-1"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc5480.html"><strong>RFC 5480</strong></a>)</p></td>
+<td><p>NIST P-256 curve (<span class="target" id="index-1"></span><a class="rfc reference external" href="https://datatracker.ietf.org/doc/html/rfc5480.html"><strong>RFC 5480</strong></a>)</p></td>
</tr>
<tr class="row-odd"><td><p>P-384</p></td>
-<td><p>NIST P-384 curve (<span class="target" id="index-2"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc5480.html"><strong>RFC 5480</strong></a>)</p></td>
+<td><p>NIST P-384 curve (<span class="target" id="index-2"></span><a class="rfc reference external" href="https://datatracker.ietf.org/doc/html/rfc5480.html"><strong>RFC 5480</strong></a>)</p></td>
</tr>
<tr class="row-even"><td><p>P-521</p></td>
-<td><p>NIST P-521 curve (<span class="target" id="index-3"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc5480.html"><strong>RFC 5480</strong></a>)</p></td>
+<td><p>NIST P-521 curve (<span class="target" id="index-3"></span><a class="rfc reference external" href="https://datatracker.ietf.org/doc/html/rfc5480.html"><strong>RFC 5480</strong></a>)</p></td>
</tr>
</tbody>
</table>
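Review bot: the request_timeout entry says that with a value of 0 "requests will time out if no server responds after several tries" without saying what governs the number of tries or the interval between them; since the same paragraph warns that a low timeout can leave some servers uncontacted, state the default retry behaviour (or link the option that controls it) so administrators can choose a timeout that still reaches every KDC during failover. The RFC link rewrites in the same hunk are fine.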
@@ -426,7 +433,7 @@ default value is false.</p>
</dl>
</section>
<section id="realms">
-<span id="id2"></span><h3>[realms]<a class="headerlink" href="#realms" title="Permalink to this headline">¶</a></h3>
+<span id="id2"></span><h3>[realms]<a class="headerlink" href="#realms" title="Link to this heading">¶</a></h3>
<p>Each tag in the [realms] section of the file is the name of a Kerberos
realm. The value of the tag is a subsection with relations that
define the properties of that particular realm. For each realm, the
@@ -516,19 +523,20 @@ to a value conforming to one of the previous values. For example,
<code class="docutils literal notranslate"><span class="pre">ENV:X509_PROXY_CA</span></code>, where environment variable <code class="docutils literal notranslate"><span class="pre">X509_PROXY_CA</span></code> has
been set to <code class="docutils literal notranslate"><span class="pre">FILE:/tmp/my_proxy.pem</span></code>.</p>
</dd>
-<dt><strong>kdc</strong></dt><dd><p>The name or address of a host running a KDC for that realm. An
-optional port number, separated from the hostname by a colon, may
-be included. If the name or address contains colons (for example,
-if it is an IPv6 address), enclose it in square brackets to
+<dt><strong>kdc</strong></dt><dd><p>The name or address of a host running a KDC for the realm, or a
+UNIX domain socket path of a locally running KDC. An optional
+port number, separated from the hostname by a colon, may be
+included. If the name or address contains colons (for example, if
+it is an IPv6 address), enclose it in square brackets to
distinguish the colon from a port separator. For your computer to
be able to communicate with the KDC for each realm, this tag must
be given a value in each realm subsection in the configuration
file, or there must be DNS SRV records specifying the KDCs.</p>
</dd>
-<dt><strong>kpasswd_server</strong></dt><dd><p>Points to the server where all the password changes are performed.
-If there is no such entry, DNS will be queried (unless forbidden
-by <strong>dns_lookup_kdc</strong>). Finally, port 464 on the <strong>admin_server</strong>
-host will be tried.</p>
+<dt><strong>kpasswd_server</strong></dt><dd><p>The location of the password change server for the realm, using
+the same syntax as <strong>kdc</strong>. If there is no such entry, DNS will
+be queried (unless forbidden by <strong>dns_lookup_kdc</strong>). Finally,
+port 464 on the <strong>admin_server</strong> host will be tried.</p>
</dd>
<dt><strong>master_kdc</strong></dt><dd><p>The name for <strong>primary_kdc</strong> prior to release 1.19. Its value is
used as a fallback if <strong>primary_kdc</strong> is not specified.</p>
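Review bot: the kdc entry now accepts "a UNIX domain socket path of a locally running KDC" but never shows how a path is distinguished from a hostname, and the next sentence still says the optional port is "separated from the hostname by a colon", which cannot apply to a socket path; add the socket syntax with an example value and say that the port and square-bracket rules apply only to host forms. kpasswd_server now defers to "the same syntax as kdc", so it inherits the same gap.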
@@ -540,6 +548,9 @@ primary KDC, in case the user’s password has just been changed, and
the updated database has not been propagated to the replica
servers yet. New in release 1.19.</p>
</dd>
+<dt><strong>sitename</strong></dt><dd><p>Specifies the name of the host’s site for the purpose of DNS-based
+KDC discovery for this realm. New in release 1.22.</p>
+</dd>
<dt><strong>v4_instance_convert</strong></dt><dd><p>This subsection allows the administrator to configure exceptions
to the <strong>default_domain</strong> mapping rule. It contains V4 instances
(the tag name) which should be translated to some specific
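Review bot: the sitename entry does not say how the site name is used in DNS-based KDC discovery, which records are queried first, or what happens when no site-specific records exist; one sentence on the lookup order, or a link to the section that describes site-aware discovery, would make the option usable without reading the source.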
@@ -555,7 +566,7 @@ is the Kerberos V4 realm name.</p>
</dl>
</section>
<section id="domain-realm">
-<span id="id3"></span><h3>[domain_realm]<a class="headerlink" href="#domain-realm" title="Permalink to this headline">¶</a></h3>
+<span id="id3"></span><h3>[domain_realm]<a class="headerlink" href="#domain-realm" title="Link to this heading">¶</a></h3>
<p>The [domain_realm] section provides a translation from hostnames to
Kerberos realms. Each tag is a domain name, providing the mapping for
that domain and all subdomains. If the tag begins with a period
@@ -584,7 +595,7 @@ hostname’s domain portion converted to uppercase, unless the
parent domain to be used.</p>
</section>
<section id="capaths">
-<span id="id4"></span><h3>[capaths]<a class="headerlink" href="#capaths" title="Permalink to this headline">¶</a></h3>
+<span id="id4"></span><h3>[capaths]<a class="headerlink" href="#capaths" title="Link to this heading">¶</a></h3>
<p>In order to perform direct (non-hierarchical) cross-realm
authentication, configuration is needed to determine the
authentication paths between realms.</p>
@@ -660,7 +671,7 @@ the order of values to determine the path. The order of values is not
important to servers.</p>
</section>
<section id="appdefaults">
-<span id="id5"></span><h3>[appdefaults]<a class="headerlink" href="#appdefaults" title="Permalink to this headline">¶</a></h3>
+<span id="id5"></span><h3>[appdefaults]<a class="headerlink" href="#appdefaults" title="Link to this heading">¶</a></h3>
<p>Each tag in the [appdefaults] section names a Kerberos V5 application
or an option that is used by some Kerberos V5 application[s]. The
value of the tag defines the default behaviors for that application.</p>
@@ -694,7 +705,7 @@ that application’s man pages. The application defaults specified here
are overridden by those specified in the <a class="reference internal" href="#realms">realms</a> section.</p>
</section>
<section id="plugins">
-<span id="id6"></span><h3>[plugins]<a class="headerlink" href="#plugins" title="Permalink to this headline">¶</a></h3>
+<span id="id6"></span><h3>[plugins]<a class="headerlink" href="#plugins" title="Link to this heading">¶</a></h3>
<blockquote>
<div><ul class="simple">
<li><p><a class="reference internal" href="#pwqual">pwqual</a> interface</p></li>
@@ -734,7 +745,7 @@ order of those tags overrides the normal module order.</p>
<p>The following subsections are currently supported within the [plugins]
section:</p>
<section id="ccselect-interface">
-<span id="ccselect"></span><h4>ccselect interface<a class="headerlink" href="#ccselect-interface" title="Permalink to this headline">¶</a></h4>
+<span id="ccselect"></span><h4>ccselect interface<a class="headerlink" href="#ccselect-interface" title="Link to this heading">¶</a></h4>
<p>The ccselect subsection controls modules for credential cache
selection within a cache collection. In addition to any registered
dynamic modules, the following built-in modules exist (and may be
@@ -752,7 +763,7 @@ to guess an appropriate cache from the collection</p>
</dl>
</section>
<section id="pwqual-interface">
-<span id="pwqual"></span><h4>pwqual interface<a class="headerlink" href="#pwqual-interface" title="Permalink to this headline">¶</a></h4>
+<span id="pwqual"></span><h4>pwqual interface<a class="headerlink" href="#pwqual-interface" title="Link to this heading">¶</a></h4>
<p>The pwqual subsection controls modules for the password quality
interface, which is used to reject weak passwords when passwords are
changed. The following built-in modules exist for this interface:</p>
@@ -769,7 +780,7 @@ was built with Hesiod support)</p>
</dl>
</section>
<section id="kadm5-hook-interface">
-<span id="kadm5-hook"></span><h4>kadm5_hook interface<a class="headerlink" href="#kadm5-hook-interface" title="Permalink to this headline">¶</a></h4>
+<span id="kadm5-hook"></span><h4>kadm5_hook interface<a class="headerlink" href="#kadm5-hook-interface" title="Link to this heading">¶</a></h4>
<p>The kadm5_hook interface provides plugins with information on
principal creation, modification, password changes and deletion. This
interface can be used to write a plugin to synchronize MIT Kerberos
@@ -777,7 +788,7 @@ with another database such as Active Directory. No plugins are built
in for this interface.</p>
</section>
<section id="kadm5-auth-interface">
-<span id="kadm5-auth"></span><h4>kadm5_auth interface<a class="headerlink" href="#kadm5-auth-interface" title="Permalink to this headline">¶</a></h4>
+<span id="kadm5-auth"></span><h4>kadm5_auth interface<a class="headerlink" href="#kadm5-auth-interface" title="Link to this heading">¶</a></h4>
<p>The kadm5_auth section (introduced in release 1.16) controls modules
for the kadmin authorization interface, which determines whether a
client principal is allowed to perform a kadmin operation. The
@@ -794,7 +805,7 @@ record associated with the client principal.</p>
</dl>
</section>
<section id="clpreauth-and-kdcpreauth-interfaces">
-<span id="kdcpreauth"></span><span id="clpreauth"></span><h4>clpreauth and kdcpreauth interfaces<a class="headerlink" href="#clpreauth-and-kdcpreauth-interfaces" title="Permalink to this headline">¶</a></h4>
+<span id="kdcpreauth"></span><span id="clpreauth"></span><h4>clpreauth and kdcpreauth interfaces<a class="headerlink" href="#clpreauth-and-kdcpreauth-interfaces" title="Link to this heading">¶</a></h4>
<p>The clpreauth and kdcpreauth interfaces allow plugin modules to
provide client and KDC preauthentication mechanisms. The following
built-in modules exist for these interfaces:</p>
@@ -808,7 +819,7 @@ built-in modules exist for these interfaces:</p>
</dl>
</section>
<section id="hostrealm-interface">
-<span id="hostrealm"></span><h4>hostrealm interface<a class="headerlink" href="#hostrealm-interface" title="Permalink to this headline">¶</a></h4>
+<span id="hostrealm"></span><h4>hostrealm interface<a class="headerlink" href="#hostrealm-interface" title="Link to this heading">¶</a></h4>
<p>The hostrealm section (introduced in release 1.12) controls modules
for the host-to-realm interface, which affects the local mapping of
hostnames to realm names and the choice of default realm. The following
@@ -830,7 +841,7 @@ produce a result.</p>
</dl>
</section>
<section id="localauth-interface">
-<span id="localauth"></span><h4>localauth interface<a class="headerlink" href="#localauth-interface" title="Permalink to this headline">¶</a></h4>
+<span id="localauth"></span><h4>localauth interface<a class="headerlink" href="#localauth-interface" title="Link to this heading">¶</a></h4>
<p>The localauth section (introduced in release 1.12) controls modules
for the local authorization interface, which affects the relationship
between Kerberos principals and local system accounts. The following
@@ -858,7 +869,7 @@ principal name maps to the local account name.</p>
</dl>
</section>
<section id="certauth-interface">
-<span id="certauth"></span><h4>certauth interface<a class="headerlink" href="#certauth-interface" title="Permalink to this headline">¶</a></h4>
+<span id="certauth"></span><h4>certauth interface<a class="headerlink" href="#certauth-interface" title="Link to this heading">¶</a></h4>
<p>The certauth section (introduced in release 1.16) controls modules for
the certificate authorization interface, which determines whether a
certificate is allowed to preauthenticate a user via PKINIT. The
@@ -882,7 +893,7 @@ the client principal, if that attribute is present.</p>
</section>
</section>
<section id="pkinit-options">
-<h2>PKINIT options<a class="headerlink" href="#pkinit-options" title="Permalink to this headline">¶</a></h2>
+<h2>PKINIT options<a class="headerlink" href="#pkinit-options" title="Link to this heading">¶</a></h2>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>The following are PKINIT-specific options. These values may
@@ -917,7 +928,7 @@ A realm-specific value overrides, not adds to, a generic
</li>
</ol>
<section id="specifying-pkinit-identity-information">
-<span id="pkinit-identity"></span><h3>Specifying PKINIT identity information<a class="headerlink" href="#specifying-pkinit-identity-information" title="Permalink to this headline">¶</a></h3>
+<span id="pkinit-identity"></span><h3>Specifying PKINIT identity information<a class="headerlink" href="#specifying-pkinit-identity-information" title="Link to this heading">¶</a></h3>
<p>The syntax for specifying Public Key identity, trust, and revocation
information for PKINIT is as follows:</p>
<dl>
@@ -960,8 +971,10 @@ module-name is specified, the default is <a class="reference internal" href="../
a particular smard card reader or token if there is more than one
available. <code class="docutils literal notranslate"><span class="pre">certid=</span></code> and/or <code class="docutils literal notranslate"><span class="pre">certlabel=</span></code> may be specified to
force the selection of a particular certificate on the device.
-See the <strong>pkinit_cert_match</strong> configuration option for more ways
-to select a particular certificate to use for PKINIT.</p>
+Specifier values must not contain colon characters, as colons are
+always treated as separators. See the <strong>pkinit_cert_match</strong>
+configuration option for more ways to select a particular
+certificate to use for PKINIT.</p>
</dd>
<dt><strong>ENV:</strong><em>envvar</em></dt><dd><p><em>envvar</em> specifies the name of an environment variable which has
been set to a value conforming to one of the previous values. For
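Review bot: the new sentence that specifier values "must not contain colon characters" should say what happens when one does, whether the identity string is rejected with an error or silently split at the colon, so that a `certlabel=` containing a colon is not misdiagnosed as a missing certificate.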
@@ -971,7 +984,7 @@ example, <code class="docutils literal notranslate"><span class="pre">ENV:X509_P
</dl>
</section>
<section id="pkinit-krb5-conf-options">
-<h3>PKINIT krb5.conf options<a class="headerlink" href="#pkinit-krb5-conf-options" title="Permalink to this headline">¶</a></h3>
+<h3>PKINIT krb5.conf options<a class="headerlink" href="#pkinit-krb5-conf-options" title="Link to this heading">¶</a></h3>
<dl>
<dt><strong>pkinit_anchors</strong></dt><dd><p>Specifies the location of trusted anchor (root) certificates which
the client trusts to sign KDC certificates. This option may be
@@ -986,7 +999,7 @@ attempting PKINIT authentication. This option may be specified
multiple times. All the available certificates are checked
against each rule in order until there is a match of exactly one
certificate.</p>
-<p>The Subject and Issuer comparison strings are the <span class="target" id="index-4"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc2253.html"><strong>RFC 2253</strong></a>
+<p>The Subject and Issuer comparison strings are the <span class="target" id="index-4"></span><a class="rfc reference external" href="https://datatracker.ietf.org/doc/html/rfc2253.html"><strong>RFC 2253</strong></a>
string representations from the certificate Subject DN and Issuer
DN values.</p>
<p>The syntax of the matching rules is:</p>
@@ -1044,7 +1057,7 @@ issuing CA has certified this as a KDC certificate.) The values
recognized in the krb5.conf file are:</p>
<dl class="simple">
<dt><strong>kpKDC</strong></dt><dd><p>This is the default value and specifies that the KDC must have
-the id-pkinit-KPKdc EKU as defined in <span class="target" id="index-5"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc4556.html"><strong>RFC 4556</strong></a>.</p>
+the id-pkinit-KPKdc EKU as defined in <span class="target" id="index-5"></span><a class="rfc reference external" href="https://datatracker.ietf.org/doc/html/rfc4556.html"><strong>RFC 4556</strong></a>.</p>
</dd>
<dt><strong>kpServerAuth</strong></dt><dd><p>If <strong>kpServerAuth</strong> is specified, a KDC certificate with the
id-kp-serverAuth EKU will be accepted. This key usage value
@@ -1056,9 +1069,10 @@ option is not recommended.</p>
</dd>
</dl>
</dd>
-<dt><strong>pkinit_dh_min_bits</strong></dt><dd><p>Specifies the size of the Diffie-Hellman key the client will
-attempt to use. The acceptable values are 1024, 2048, and 4096.
-The default is 2048.</p>
+<dt><strong>pkinit_dh_min_bits</strong></dt><dd><p>Specifies the group of the Diffie-Hellman key the client will
+attempt to use. The acceptable values are 1024, 2048, P-256,
+4096, P-384, and P-521. The default is 2048. (P-256, P-384, and
+P-521 are new in release 1.22.)</p>
</dd>
<dt><strong>pkinit_identities</strong></dt><dd><p>Specifies the location(s) to be used to find the user’s X.509
identity information. If this option is specified multiple times,
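Review bot: the list "1024, 2048, P-256, 4096, P-384, and P-521" reads as a strength ordering rather than a numeric one, but the entry never says so; because the option is named `pkinit_dh_min_bits`, state explicitly that the values are in increasing strength order and what the client does with groups stronger or weaker than the configured one. Consider also marking 1024 as weak, as the Encryption types table does for legacy enctypes.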
@@ -1069,7 +1083,7 @@ Note that these values are not used if the user specifies
<dt><strong>pkinit_kdc_hostname</strong></dt><dd><p>The presence of this option indicates that the client is willing
to accept a KDC certificate with a dNSName SAN (Subject
Alternative Name) rather than requiring the id-pkinit-san as
-defined in <span class="target" id="index-6"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc4556.html"><strong>RFC 4556</strong></a>. This option may be specified multiple
+defined in <span class="target" id="index-6"></span><a class="rfc reference external" href="https://datatracker.ietf.org/doc/html/rfc4556.html"><strong>RFC 4556</strong></a>. This option may be specified multiple
times. Its value should contain the acceptable hostname for the
KDC (as contained in its certificate).</p>
</dd>
@@ -1100,16 +1114,12 @@ multiple times.</p>
</section>
</section>
<section id="parameter-expansion">
-<span id="id7"></span><h2>Parameter expansion<a class="headerlink" href="#parameter-expansion" title="Permalink to this headline">¶</a></h2>
+<span id="id7"></span><h2>Parameter expansion<a class="headerlink" href="#parameter-expansion" title="Link to this heading">¶</a></h2>
<p>Starting with release 1.11, several variables, such as
<strong>default_keytab_name</strong>, allow parameters to be expanded.
Valid parameters are:</p>
<blockquote>
<div><table class="docutils align-default">
-<colgroup>
-<col style="width: 25%" />
-<col style="width: 75%" />
-</colgroup>
<tbody>
<tr class="row-odd"><td><p>%{TEMP}</p></td>
<td><p>Temporary directory</p></td>
@@ -1164,7 +1174,7 @@ Valid parameters are:</p>
</div></blockquote>
</section>
<section id="sample-krb5-conf-file">
-<h2>Sample krb5.conf file<a class="headerlink" href="#sample-krb5-conf-file" title="Permalink to this headline">¶</a></h2>
+<h2>Sample krb5.conf file<a class="headerlink" href="#sample-krb5-conf-file" title="Link to this heading">¶</a></h2>
<p>Here is an example of a generic krb5.conf file:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">libdefaults</span><span class="p">]</span>
<span class="n">default_realm</span> <span class="o">=</span> <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span>
@@ -1199,11 +1209,11 @@ Valid parameters are:</p>
</div>
</section>
<section id="files">
-<h2>FILES<a class="headerlink" href="#files" title="Permalink to this headline">¶</a></h2>
+<h2>FILES<a class="headerlink" href="#files" title="Link to this heading">¶</a></h2>
<p><code class="docutils literal notranslate"><span class="pre">/etc/krb5.conf</span></code></p>
</section>
<section id="see-also">
-<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2>
+<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Link to this heading">¶</a></h2>
<p>syslog(3)</p>
</section>
</section>
@@ -1316,8 +1326,8 @@ Valid parameters are:</p>
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.21.3</i><br />
- &copy; <a href="../../copyright.html">Copyright</a> 1985-2024, MIT.
+ <div class="right" ><i>Release: 1.22-final</i><br />
+ &copy; <a href="../../copyright.html">Copyright</a> 1985-2025, MIT.
</div>
<div class="left">