summaryrefslogtreecommitdiff
path: root/doc/html/admin/conf_files
diff options
context:
space:
mode:
authorCy Schubert <cy@FreeBSD.org>2023-08-04 17:53:10 +0000
committerCy Schubert <cy@FreeBSD.org>2023-08-04 17:53:10 +0000
commit0320e0d5bb9fbb5da53478b3fd80ad79b110191d (patch)
treee1185f75bd2d3f87b0c17f787debc3ee8648214b /doc/html/admin/conf_files
parentb0e4d68d5124581ae353493d69bea352de4cff8a (diff)
vendor/krb5/1.21.1
Diffstat (limited to 'doc/html/admin/conf_files')
-rw-r--r--doc/html/admin/conf_files/index.html33
-rw-r--r--doc/html/admin/conf_files/kadm5_acl.html99
-rw-r--r--doc/html/admin/conf_files/kdc_conf.html495
-rw-r--r--doc/html/admin/conf_files/krb5_conf.html677
4 files changed, 667 insertions, 637 deletions
diff --git a/doc/html/admin/conf_files/index.html b/doc/html/admin/conf_files/index.html
index 2325611706ae..ed605afccf2c 100644
--- a/doc/html/admin/conf_files/index.html
+++ b/doc/html/admin/conf_files/index.html
@@ -1,33 +1,31 @@
+
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
-
- <title>Configuration Files &mdash; MIT Kerberos Documentation</title>
-
+ <title>Configuration Files &#8212; MIT Kerberos Documentation</title>
<link rel="stylesheet" href="../../_static/agogo.css" type="text/css" />
<link rel="stylesheet" href="../../_static/pygments.css" type="text/css" />
<link rel="stylesheet" href="../../_static/kerb.css" type="text/css" />
-
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: '../../',
- VERSION: '1.16',
+ VERSION: '1.21.1',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
- HAS_SOURCE: true
+ HAS_SOURCE: true,
+ SOURCELINK_SUFFIX: '.txt'
};
</script>
<script type="text/javascript" src="../../_static/jquery.js"></script>
<script type="text/javascript" src="../../_static/underscore.js"></script>
<script type="text/javascript" src="../../_static/doctools.js"></script>
<link rel="author" title="About these documents" href="../../about.html" />
+ <link rel="index" title="Index" href="../../genindex.html" />
+ <link rel="search" title="Search" href="../../search.html" />
<link rel="copyright" title="Copyright" href="../../copyright.html" />
- <link rel="top" title="MIT Kerberos Documentation" href="../../index.html" />
- <link rel="up" title="For administrators" href="../index.html" />
<link rel="next" title="krb5.conf" href="krb5_conf.html" />
<link rel="prev" title="UNIX Application Servers" href="../install_appl_srv.html" />
</head>
@@ -61,16 +59,16 @@
<div class="documentwrapper">
<div class="bodywrapper">
- <div class="body">
+ <div class="body" role="main">
<div class="section" id="configuration-files">
<h1>Configuration Files<a class="headerlink" href="#configuration-files" title="Permalink to this headline">¶</a></h1>
<p>Kerberos uses configuration files to allow administrators to specify
-settings on a per-machine basis. <a class="reference internal" href="krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a> applies to all
+settings on a per-machine basis. <a class="reference internal" href="krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a> applies to all
applications using the Kerboros library, on clients and servers.
For KDC-specific applications, additional settings can be specified in
-<a class="reference internal" href="kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>; the two files are merged into a configuration profile
-used by applications accessing the KDC database directly. <a class="reference internal" href="kadm5_acl.html#kadm5-acl-5"><em>kadm5.acl</em></a>
+<a class="reference internal" href="kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>; the two files are merged into a configuration profile
+used by applications accessing the KDC database directly. <a class="reference internal" href="kadm5_acl.html#kadm5-acl-5"><span class="std std-ref">kadm5.acl</span></a>
is also only used on the KDC, it controls permissions for modifying the
KDC database.</p>
<div class="section" id="contents">
@@ -105,7 +103,7 @@ KDC database.</p>
<li class="toctree-l1"><a class="reference internal" href="../../user/index.html">For users</a></li>
<li class="toctree-l1 current"><a class="reference internal" href="../index.html">For administrators</a><ul class="current">
<li class="toctree-l2"><a class="reference internal" href="../install.html">Installation guide</a></li>
-<li class="toctree-l2 current"><a class="current reference internal" href="">Configuration Files</a><ul>
+<li class="toctree-l2 current"><a class="current reference internal" href="#">Configuration Files</a><ul>
<li class="toctree-l3"><a class="reference internal" href="krb5_conf.html">krb5.conf</a></li>
<li class="toctree-l3"><a class="reference internal" href="kdc_conf.html">kdc.conf</a></li>
<li class="toctree-l3"><a class="reference internal" href="kadm5_acl.html">kadm5.acl</a></li>
@@ -113,6 +111,7 @@ KDC database.</p>
</li>
<li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li>
<li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../dbtypes.html">Database types</a></li>
<li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li>
<li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
<li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li>
@@ -120,6 +119,8 @@ KDC database.</p>
<li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li>
<li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li>
<li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../spake.html">SPAKE Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../dictionary.html">Addressing dictionary attack risks</a></li>
<li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li>
<li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li>
<li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li>
@@ -159,8 +160,8 @@ KDC database.</p>
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.16</i><br />
- &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
+ <div class="right" ><i>Release: 1.21.1</i><br />
+ &copy; <a href="../../copyright.html">Copyright</a> 1985-2023, MIT.
</div>
<div class="left">
diff --git a/doc/html/admin/conf_files/kadm5_acl.html b/doc/html/admin/conf_files/kadm5_acl.html
index 05eab8bbae62..2436e7e23c49 100644
--- a/doc/html/admin/conf_files/kadm5_acl.html
+++ b/doc/html/admin/conf_files/kadm5_acl.html
@@ -1,33 +1,31 @@
+
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
-
- <title>kadm5.acl &mdash; MIT Kerberos Documentation</title>
-
+ <title>kadm5.acl &#8212; MIT Kerberos Documentation</title>
<link rel="stylesheet" href="../../_static/agogo.css" type="text/css" />
<link rel="stylesheet" href="../../_static/pygments.css" type="text/css" />
<link rel="stylesheet" href="../../_static/kerb.css" type="text/css" />
-
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: '../../',
- VERSION: '1.16',
+ VERSION: '1.21.1',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
- HAS_SOURCE: true
+ HAS_SOURCE: true,
+ SOURCELINK_SUFFIX: '.txt'
};
</script>
<script type="text/javascript" src="../../_static/jquery.js"></script>
<script type="text/javascript" src="../../_static/underscore.js"></script>
<script type="text/javascript" src="../../_static/doctools.js"></script>
<link rel="author" title="About these documents" href="../../about.html" />
+ <link rel="index" title="Index" href="../../genindex.html" />
+ <link rel="search" title="Search" href="../../search.html" />
<link rel="copyright" title="Copyright" href="../../copyright.html" />
- <link rel="top" title="MIT Kerberos Documentation" href="../../index.html" />
- <link rel="up" title="Configuration Files" href="index.html" />
<link rel="next" title="Realm configuration decisions" href="../realm_config.html" />
<link rel="prev" title="kdc.conf" href="kdc_conf.html" />
</head>
@@ -61,25 +59,25 @@
<div class="documentwrapper">
<div class="bodywrapper">
- <div class="body">
+ <div class="body" role="main">
<div class="section" id="kadm5-acl">
<span id="kadm5-acl-5"></span><h1>kadm5.acl<a class="headerlink" href="#kadm5-acl" title="Permalink to this headline">¶</a></h1>
<div class="section" id="description">
<h2>DESCRIPTION<a class="headerlink" href="#description" title="Permalink to this headline">¶</a></h2>
-<p>The Kerberos <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a> daemon uses an Access Control List
+<p>The Kerberos <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> daemon uses an Access Control List
(ACL) file to manage access rights to the Kerberos database.
For operations that affect principals, the ACL file also controls
which principals can operate on which other principals.</p>
<p>The default location of the Kerberos ACL file is
-<a class="reference internal" href="../../mitK5defaults.html#paths"><em>LOCALSTATEDIR</em></a><tt class="docutils literal"><span class="pre">/krb5kdc</span></tt><tt class="docutils literal"><span class="pre">/kadm5.acl</span></tt> unless this is overridden by the <em>acl_file</em>
-variable in <a class="reference internal" href="kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>.</p>
+<a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">LOCALSTATEDIR</span></a><code class="docutils literal"><span class="pre">/krb5kdc</span></code><code class="docutils literal"><span class="pre">/kadm5.acl</span></code> unless this is overridden by the <em>acl_file</em>
+variable in <a class="reference internal" href="kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>.</p>
</div>
<div class="section" id="syntax">
<h2>SYNTAX<a class="headerlink" href="#syntax" title="Permalink to this headline">¶</a></h2>
-<p>Empty lines and lines starting with the sharp sign (<tt class="docutils literal"><span class="pre">#</span></tt>) are
+<p>Empty lines and lines starting with the sharp sign (<code class="docutils literal"><span class="pre">#</span></code>) are
ignored. Lines containing ACL entries have the format:</p>
-<div class="highlight-python"><div class="highlight"><pre>principal permissions [target_principal [restrictions] ]
+<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">principal</span> <span class="n">permissions</span> <span class="p">[</span><span class="n">target_principal</span> <span class="p">[</span><span class="n">restrictions</span><span class="p">]</span> <span class="p">]</span>
</pre></div>
</div>
<div class="admonition note">
@@ -91,7 +89,7 @@ will control access for an actor principal on a target principal.</p>
<dt><em>principal</em></dt>
<dd><p class="first">(Partially or fully qualified Kerberos principal name.) Specifies
the principal whose permissions are to be set.</p>
-<p class="last">Each component of the name may be wildcarded using the <tt class="docutils literal"><span class="pre">*</span></tt>
+<p class="last">Each component of the name may be wildcarded using the <code class="docutils literal"><span class="pre">*</span></code>
character.</p>
</dd>
<dt><em>permissions</em></dt>
@@ -129,13 +127,13 @@ is permitted.</p>
<td>[Dis]allows the modification of principals or policies</td>
</tr>
<tr class="row-even"><td>p</td>
-<td>[Dis]allows the propagation of the principal database (used in <a class="reference internal" href="../database.html#incr-db-prop"><em>Incremental database propagation</em></a>)</td>
+<td>[Dis]allows the propagation of the principal database (used in <a class="reference internal" href="../database.html#incr-db-prop"><span class="std std-ref">Incremental database propagation</span></a>)</td>
</tr>
<tr class="row-odd"><td>s</td>
<td>[Dis]allows the explicit setting of the key for a principal</td>
</tr>
<tr class="row-even"><td>x</td>
-<td>Short for admcilsp. All privileges (except <tt class="docutils literal"><span class="pre">e</span></tt>)</td>
+<td>Short for admcilsp. All privileges (except <code class="docutils literal"><span class="pre">e</span></code>)</td>
</tr>
<tr class="row-odd"><td>*</td>
<td>Same as x.</td>
@@ -146,7 +144,7 @@ is permitted.</p>
</dl>
<div class="admonition note">
<p class="first admonition-title">Note</p>
-<p class="last">The <tt class="docutils literal"><span class="pre">extract</span></tt> privilege is not included in the wildcard
+<p class="last">The <code class="docutils literal"><span class="pre">extract</span></code> privilege is not included in the wildcard
privilege; it must be explicitly assigned. This privilege
allows the user to extract keys from the database, and must be
handled with great care to avoid disclosure of important keys
@@ -159,10 +157,10 @@ granted privilege.</p>
<dt><em>target_principal</em></dt>
<dd><p class="first">(Optional. Partially or fully qualified Kerberos principal name.)
Specifies the principal on which <em>permissions</em> may be applied.
-Each component of the name may be wildcarded using the <tt class="docutils literal"><span class="pre">*</span></tt>
+Each component of the name may be wildcarded using the <code class="docutils literal"><span class="pre">*</span></code>
character.</p>
<p class="last"><em>target_principal</em> can also include back-references to <em>principal</em>,
-in which <tt class="docutils literal"><span class="pre">*number</span></tt> matches the corresponding wildcard in
+in which <code class="docutils literal"><span class="pre">*number</span></code> matches the corresponding wildcard in
<em>principal</em>.</p>
</dd>
<dt><em>restrictions</em></dt>
@@ -172,13 +170,13 @@ in which <tt class="docutils literal"><span class="pre">*number</span></tt> matc
<dt>{+|-}<em>flagname</em></dt>
<dd>flag is forced to the indicated value. The permissible flags
are the same as those for the <strong>default_principal_flags</strong>
-variable in <a class="reference internal" href="kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>.</dd>
+variable in <a class="reference internal" href="kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>.</dd>
<dt><em>-clearpolicy</em></dt>
<dd>policy is forced to be empty.</dd>
<dt><em>-policy pol</em></dt>
<dd>policy is forced to be <em>pol</em>.</dd>
<dt>-{<em>expire, pwexpire, maxlife, maxrenewlife</em>} <em>time</em></dt>
-<dd>(<a class="reference internal" href="../../basic/date_format.html#getdate"><em>getdate time</em></a> string) associated value will be forced to
+<dd>(<a class="reference internal" href="../../basic/date_format.html#getdate"><span class="std std-ref">getdate time</span></a> string) associated value will be forced to
MIN(<em>time</em>, requested value).</dd>
</dl>
</div></blockquote>
@@ -195,52 +193,52 @@ restarted for changes to take effect.</p>
<div class="section" id="example">
<h2>EXAMPLE<a class="headerlink" href="#example" title="Permalink to this headline">¶</a></h2>
<p>Here is an example of a kadm5.acl file:</p>
-<div class="highlight-python"><div class="highlight"><pre>*/admin@ATHENA.MIT.EDU * # line 1
-joeadmin@ATHENA.MIT.EDU ADMCIL # line 2
-joeadmin/*@ATHENA.MIT.EDU i */root@ATHENA.MIT.EDU # line 3
-*/root@ATHENA.MIT.EDU ci *1@ATHENA.MIT.EDU # line 4
-*/root@ATHENA.MIT.EDU l * # line 5
-sms@ATHENA.MIT.EDU x * -maxlife 9h -postdateable # line 6
+<div class="highlight-default"><div class="highlight"><pre><span></span><span class="o">*/</span><span class="n">admin</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="o">*</span> <span class="c1"># line 1</span>
+<span class="n">joeadmin</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="n">ADMCIL</span> <span class="c1"># line 2</span>
+<span class="n">joeadmin</span><span class="o">/*</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="n">i</span> <span class="o">*/</span><span class="n">root</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="c1"># line 3</span>
+<span class="o">*/</span><span class="n">root</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="n">ci</span> <span class="o">*</span><span class="mi">1</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="c1"># line 4</span>
+<span class="o">*/</span><span class="n">root</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="n">l</span> <span class="o">*</span> <span class="c1"># line 5</span>
+<span class="n">sms</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="n">x</span> <span class="o">*</span> <span class="o">-</span><span class="n">maxlife</span> <span class="mi">9</span><span class="n">h</span> <span class="o">-</span><span class="n">postdateable</span> <span class="c1"># line 6</span>
</pre></div>
</div>
-<p>(line 1) Any principal in the <tt class="docutils literal"><span class="pre">ATHENA.MIT.EDU</span></tt> realm with an
-<tt class="docutils literal"><span class="pre">admin</span></tt> instance has all administrative privileges except extracting
+<p>(line 1) Any principal in the <code class="docutils literal"><span class="pre">ATHENA.MIT.EDU</span></code> realm with an
+<code class="docutils literal"><span class="pre">admin</span></code> instance has all administrative privileges except extracting
keys.</p>
-<p>(lines 1-3) The user <tt class="docutils literal"><span class="pre">joeadmin</span></tt> has all permissions except
-extracting keys with his <tt class="docutils literal"><span class="pre">admin</span></tt> instance,
-<tt class="docutils literal"><span class="pre">joeadmin/admin&#64;ATHENA.MIT.EDU</span></tt> (matches line 1). He has no
-permissions at all with his null instance, <tt class="docutils literal"><span class="pre">joeadmin&#64;ATHENA.MIT.EDU</span></tt>
-(matches line 2). His <tt class="docutils literal"><span class="pre">root</span></tt> and other non-<tt class="docutils literal"><span class="pre">admin</span></tt>, non-null
-instances (e.g., <tt class="docutils literal"><span class="pre">extra</span></tt> or <tt class="docutils literal"><span class="pre">dbadmin</span></tt>) have inquire permissions
-with any principal that has the instance <tt class="docutils literal"><span class="pre">root</span></tt> (matches line 3).</p>
-<p>(line 4) Any <tt class="docutils literal"><span class="pre">root</span></tt> principal in <tt class="docutils literal"><span class="pre">ATHENA.MIT.EDU</span></tt> can inquire
+<p>(lines 1-3) The user <code class="docutils literal"><span class="pre">joeadmin</span></code> has all permissions except
+extracting keys with his <code class="docutils literal"><span class="pre">admin</span></code> instance,
+<code class="docutils literal"><span class="pre">joeadmin/admin&#64;ATHENA.MIT.EDU</span></code> (matches line 1). He has no
+permissions at all with his null instance, <code class="docutils literal"><span class="pre">joeadmin&#64;ATHENA.MIT.EDU</span></code>
+(matches line 2). His <code class="docutils literal"><span class="pre">root</span></code> and other non-<code class="docutils literal"><span class="pre">admin</span></code>, non-null
+instances (e.g., <code class="docutils literal"><span class="pre">extra</span></code> or <code class="docutils literal"><span class="pre">dbadmin</span></code>) have inquire permissions
+with any principal that has the instance <code class="docutils literal"><span class="pre">root</span></code> (matches line 3).</p>
+<p>(line 4) Any <code class="docutils literal"><span class="pre">root</span></code> principal in <code class="docutils literal"><span class="pre">ATHENA.MIT.EDU</span></code> can inquire
or change the password of their null instance, but not any other
-null instance. (Here, <tt class="docutils literal"><span class="pre">*1</span></tt> denotes a back-reference to the
+null instance. (Here, <code class="docutils literal"><span class="pre">*1</span></code> denotes a back-reference to the
component matching the first wildcard in the actor principal.)</p>
-<p>(line 5) Any <tt class="docutils literal"><span class="pre">root</span></tt> principal in <tt class="docutils literal"><span class="pre">ATHENA.MIT.EDU</span></tt> can generate
+<p>(line 5) Any <code class="docutils literal"><span class="pre">root</span></code> principal in <code class="docutils literal"><span class="pre">ATHENA.MIT.EDU</span></code> can generate
the list of principals in the database, and the list of policies
in the database. This line is separate from line 4, because list
permission can only be granted globally, not to specific target
principals.</p>
<p>(line 6) Finally, the Service Management System principal
-<tt class="docutils literal"><span class="pre">sms&#64;ATHENA.MIT.EDU</span></tt> has all permissions except extracting keys, but
+<code class="docutils literal"><span class="pre">sms&#64;ATHENA.MIT.EDU</span></code> has all permissions except extracting keys, but
any principal that it creates or modifies will not be able to get
postdateable tickets or tickets with a life of longer than 9 hours.</p>
</div>
<div class="section" id="module-behavior">
<h2>MODULE BEHAVIOR<a class="headerlink" href="#module-behavior" title="Permalink to this headline">¶</a></h2>
<p>The ACL file can coexist with other authorization modules in release
-1.16 and later, as configured in the <a class="reference internal" href="krb5_conf.html#kadm5-auth"><em>kadm5_auth interface</em></a> section of
-<a class="reference internal" href="krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a>. The ACL file will positively authorize
+1.16 and later, as configured in the <a class="reference internal" href="krb5_conf.html#kadm5-auth"><span class="std std-ref">kadm5_auth interface</span></a> section of
+<a class="reference internal" href="krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a>. The ACL file will positively authorize
operations according to the rules above, but will never
authoritatively deny an operation, so other modules can authorize
operations in addition to those authorized by the ACL file.</p>
<p>To operate without an ACL file, set the <em>acl_file</em> variable in
-<a class="reference internal" href="kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> to the empty string with <tt class="docutils literal"><span class="pre">acl_file</span> <span class="pre">=</span> <span class="pre">&quot;&quot;</span></tt>.</p>
+<a class="reference internal" href="kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a> to the empty string with <code class="docutils literal"><span class="pre">acl_file</span> <span class="pre">=</span> <span class="pre">&quot;&quot;</span></code>.</p>
</div>
<div class="section" id="see-also">
<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2>
-<p><a class="reference internal" href="kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>, <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a></p>
+<p><a class="reference internal" href="kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>, <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a></p>
</div>
</div>
@@ -271,11 +269,12 @@ operations in addition to those authorized by the ACL file.</p>
<li class="toctree-l2 current"><a class="reference internal" href="index.html">Configuration Files</a><ul class="current">
<li class="toctree-l3"><a class="reference internal" href="krb5_conf.html">krb5.conf</a></li>
<li class="toctree-l3"><a class="reference internal" href="kdc_conf.html">kdc.conf</a></li>
-<li class="toctree-l3 current"><a class="current reference internal" href="">kadm5.acl</a></li>
+<li class="toctree-l3 current"><a class="current reference internal" href="#">kadm5.acl</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li>
<li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../dbtypes.html">Database types</a></li>
<li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li>
<li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
<li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li>
@@ -283,6 +282,8 @@ operations in addition to those authorized by the ACL file.</p>
<li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li>
<li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li>
<li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../spake.html">SPAKE Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../dictionary.html">Addressing dictionary attack risks</a></li>
<li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li>
<li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li>
<li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li>
@@ -322,8 +323,8 @@ operations in addition to those authorized by the ACL file.</p>
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.16</i><br />
- &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
+ <div class="right" ><i>Release: 1.21.1</i><br />
+ &copy; <a href="../../copyright.html">Copyright</a> 1985-2023, MIT.
</div>
<div class="left">
diff --git a/doc/html/admin/conf_files/kdc_conf.html b/doc/html/admin/conf_files/kdc_conf.html
index 183e63cd26d8..47ed8ef7453d 100644
--- a/doc/html/admin/conf_files/kdc_conf.html
+++ b/doc/html/admin/conf_files/kdc_conf.html
@@ -1,33 +1,31 @@
+
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
-
- <title>kdc.conf &mdash; MIT Kerberos Documentation</title>
-
+ <title>kdc.conf &#8212; MIT Kerberos Documentation</title>
<link rel="stylesheet" href="../../_static/agogo.css" type="text/css" />
<link rel="stylesheet" href="../../_static/pygments.css" type="text/css" />
<link rel="stylesheet" href="../../_static/kerb.css" type="text/css" />
-
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: '../../',
- VERSION: '1.16',
+ VERSION: '1.21.1',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
- HAS_SOURCE: true
+ HAS_SOURCE: true,
+ SOURCELINK_SUFFIX: '.txt'
};
</script>
<script type="text/javascript" src="../../_static/jquery.js"></script>
<script type="text/javascript" src="../../_static/underscore.js"></script>
<script type="text/javascript" src="../../_static/doctools.js"></script>
<link rel="author" title="About these documents" href="../../about.html" />
+ <link rel="index" title="Index" href="../../genindex.html" />
+ <link rel="search" title="Search" href="../../search.html" />
<link rel="copyright" title="Copyright" href="../../copyright.html" />
- <link rel="top" title="MIT Kerberos Documentation" href="../../index.html" />
- <link rel="up" title="Configuration Files" href="index.html" />
<link rel="next" title="kadm5.acl" href="kadm5_acl.html" />
<link rel="prev" title="krb5.conf" href="krb5_conf.html" />
</head>
@@ -61,25 +59,25 @@
<div class="documentwrapper">
<div class="bodywrapper">
- <div class="body">
+ <div class="body" role="main">
<div class="section" id="kdc-conf">
<span id="kdc-conf-5"></span><h1>kdc.conf<a class="headerlink" href="#kdc-conf" title="Permalink to this headline">¶</a></h1>
-<p>The kdc.conf file supplements <a class="reference internal" href="krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a> for programs which
-are typically only used on a KDC, such as the <a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><em>krb5kdc</em></a> and
-<a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a> daemons and the <a class="reference internal" href="../admin_commands/kdb5_util.html#kdb5-util-8"><em>kdb5_util</em></a> program.
+<p>The kdc.conf file supplements <a class="reference internal" href="krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a> for programs which
+are typically only used on a KDC, such as the <a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a> and
+<a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> daemons and the <a class="reference internal" href="../admin_commands/kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a> program.
Relations documented here may also be specified in krb5.conf; for the
KDC programs mentioned, krb5.conf and kdc.conf will be merged into a
single configuration profile.</p>
<p>Normally, the kdc.conf file is found in the KDC state directory,
-<a class="reference internal" href="../../mitK5defaults.html#paths"><em>LOCALSTATEDIR</em></a><tt class="docutils literal"><span class="pre">/krb5kdc</span></tt>. You can override the default location by setting the
+<a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">LOCALSTATEDIR</span></a><code class="docutils literal"><span class="pre">/krb5kdc</span></code>. You can override the default location by setting the
environment variable <strong>KRB5_KDC_PROFILE</strong>.</p>
<p>Please note that you need to restart the KDC daemon for any configuration
changes to take effect.</p>
<div class="section" id="structure">
<h2>Structure<a class="headerlink" href="#structure" title="Permalink to this headline">¶</a></h2>
<p>The kdc.conf file is set up in the same format as the
-<a class="reference internal" href="krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a> file.</p>
+<a class="reference internal" href="krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a> file.</p>
</div>
<div class="section" id="sections">
<h2>Sections<a class="headerlink" href="#sections" title="Permalink to this headline">¶</a></h2>
@@ -90,29 +88,29 @@ changes to take effect.</p>
<col width="71%" />
</colgroup>
<tbody valign="top">
-<tr class="row-odd"><td><a class="reference internal" href="#kdcdefaults"><em>[kdcdefaults]</em></a></td>
+<tr class="row-odd"><td><a class="reference internal" href="#kdcdefaults"><span class="std std-ref">[kdcdefaults]</span></a></td>
<td>Default values for KDC behavior</td>
</tr>
-<tr class="row-even"><td><a class="reference internal" href="#kdc-realms"><em>[realms]</em></a></td>
+<tr class="row-even"><td><a class="reference internal" href="#kdc-realms"><span class="std std-ref">[realms]</span></a></td>
<td>Realm-specific database configuration and settings</td>
</tr>
-<tr class="row-odd"><td><a class="reference internal" href="#dbdefaults"><em>[dbdefaults]</em></a></td>
+<tr class="row-odd"><td><a class="reference internal" href="#dbdefaults"><span class="std std-ref">[dbdefaults]</span></a></td>
<td>Default database settings</td>
</tr>
-<tr class="row-even"><td><a class="reference internal" href="#dbmodules"><em>[dbmodules]</em></a></td>
+<tr class="row-even"><td><a class="reference internal" href="#dbmodules"><span class="std std-ref">[dbmodules]</span></a></td>
<td>Per-database settings</td>
</tr>
-<tr class="row-odd"><td><a class="reference internal" href="#logging"><em>[logging]</em></a></td>
+<tr class="row-odd"><td><a class="reference internal" href="#logging"><span class="std std-ref">[logging]</span></a></td>
<td>Controls how Kerberos daemons perform logging</td>
</tr>
</tbody>
</table>
<div class="section" id="kdcdefaults">
<span id="id1"></span><h3>[kdcdefaults]<a class="headerlink" href="#kdcdefaults" title="Permalink to this headline">¶</a></h3>
-<p>With two exceptions, relations in the [kdcdefaults] section specify
-default values for realm variables, to be used if the [realms]
-subsection does not contain a relation for the tag. See the
-<a class="reference internal" href="#kdc-realms"><em>[realms]</em></a> section for the definitions of these relations.</p>
+<p>Some relations in the [kdcdefaults] section specify default values for
+realm variables, to be used if the [realms] subsection does not
+contain a relation for the tag. See the <a class="reference internal" href="#kdc-realms"><span class="std std-ref">[realms]</span></a> section for
+the definitions of these relations.</p>
<ul class="simple">
<li><strong>host_based_services</strong></li>
<li><strong>kdc_listen</strong></li>
@@ -122,6 +120,7 @@ subsection does not contain a relation for the tag. See the
<li><strong>no_host_referral</strong></li>
<li><strong>restrict_anonymous_to_tgt</strong></li>
</ul>
+<p>The following [kdcdefaults] variables have no per-realm equivalent:</p>
<dl class="docutils">
<dt><strong>kdc_max_dgram_reply_size</strong></dt>
<dd>Specifies the maximum packet size that can be sent over UDP. The
@@ -130,6 +129,11 @@ default value is 4096 bytes.</dd>
<dd>(Integer.) Set the size of the listen queue length for the KDC
daemon. The value may be limited by OS settings. The default
value is 5.</dd>
+<dt><strong>spake_preauth_kdc_challenge</strong></dt>
+<dd>(String.) Specifies the group for a SPAKE optimistic challenge.
+See the <strong>spake_preauth_groups</strong> variable in <a class="reference internal" href="krb5_conf.html#libdefaults"><span class="std std-ref">[libdefaults]</span></a>
+for possible values. The default is not to issue an optimistic
+challenge. (New in release 1.17.)</dd>
</dl>
</div>
<div class="section" id="realms">
@@ -138,41 +142,41 @@ value is 5.</dd>
value of the tag is a subsection where the relations define KDC
parameters for that particular realm. The following example shows how
to define one parameter for the ATHENA.MIT.EDU realm:</p>
-<div class="highlight-python"><div class="highlight"><pre>[realms]
- ATHENA.MIT.EDU = {
- max_renewable_life = 7d 0h 0m 0s
- }
+<div class="highlight-default"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">realms</span><span class="p">]</span>
+ <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="o">=</span> <span class="p">{</span>
+ <span class="n">max_renewable_life</span> <span class="o">=</span> <span class="mi">7</span><span class="n">d</span> <span class="mi">0</span><span class="n">h</span> <span class="mi">0</span><span class="n">m</span> <span class="mi">0</span><span class="n">s</span>
+ <span class="p">}</span>
</pre></div>
</div>
<p>The following tags may be specified in a [realms] subsection:</p>
<dl class="docutils">
<dt><strong>acl_file</strong></dt>
<dd>(String.) Location of the access control list file that
-<a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a> uses to determine which principals are allowed
+<a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> uses to determine which principals are allowed
which permissions on the Kerberos database. To operate without an
-ACL file, set this relation to the empty string with <tt class="docutils literal"><span class="pre">acl_file</span> <span class="pre">=</span>
-<span class="pre">&quot;&quot;</span></tt>. The default value is <a class="reference internal" href="../../mitK5defaults.html#paths"><em>LOCALSTATEDIR</em></a><tt class="docutils literal"><span class="pre">/krb5kdc</span></tt><tt class="docutils literal"><span class="pre">/kadm5.acl</span></tt>. For more
-information on Kerberos ACL file see <a class="reference internal" href="kadm5_acl.html#kadm5-acl-5"><em>kadm5.acl</em></a>.</dd>
+ACL file, set this relation to the empty string with <code class="docutils literal"><span class="pre">acl_file</span> <span class="pre">=</span>
+<span class="pre">&quot;&quot;</span></code>. The default value is <a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">LOCALSTATEDIR</span></a><code class="docutils literal"><span class="pre">/krb5kdc</span></code><code class="docutils literal"><span class="pre">/kadm5.acl</span></code>. For more
+information on Kerberos ACL file see <a class="reference internal" href="kadm5_acl.html#kadm5-acl-5"><span class="std std-ref">kadm5.acl</span></a>.</dd>
<dt><strong>database_module</strong></dt>
<dd>(String.) This relation indicates the name of the configuration
-section under <a class="reference internal" href="#dbmodules"><em>[dbmodules]</em></a> for database-specific parameters
+section under <a class="reference internal" href="#dbmodules"><span class="std std-ref">[dbmodules]</span></a> for database-specific parameters
used by the loadable database library. The default value is the
realm name. If this configuration section does not exist, default
values will be used for all database parameters.</dd>
<dt><strong>database_name</strong></dt>
<dd>(String, deprecated.) This relation specifies the location of the
Kerberos database for this realm, if the DB2 module is being used
-and the <a class="reference internal" href="#dbmodules"><em>[dbmodules]</em></a> configuration section does not specify a
-database name. The default value is <a class="reference internal" href="../../mitK5defaults.html#paths"><em>LOCALSTATEDIR</em></a><tt class="docutils literal"><span class="pre">/krb5kdc</span></tt><tt class="docutils literal"><span class="pre">/principal</span></tt>.</dd>
+and the <a class="reference internal" href="#dbmodules"><span class="std std-ref">[dbmodules]</span></a> configuration section does not specify a
+database name. The default value is <a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">LOCALSTATEDIR</span></a><code class="docutils literal"><span class="pre">/krb5kdc</span></code><code class="docutils literal"><span class="pre">/principal</span></code>.</dd>
<dt><strong>default_principal_expiration</strong></dt>
-<dd>(<a class="reference internal" href="../../basic/date_format.html#abstime"><em>Absolute time</em></a> string.) Specifies the default expiration date of
+<dd>(<a class="reference internal" href="../../basic/date_format.html#abstime"><span class="std std-ref">Absolute time</span></a> string.) Specifies the default expiration date of
principals created in this realm. The default value is 0, which
means no expiration date.</dd>
<dt><strong>default_principal_flags</strong></dt>
<dd><p class="first">(Flag string.) Specifies the default attributes of principals
created in this realm. The format for this string is a
-comma-separated list of flags, with &#8216;+&#8217; before each flag that
-should be enabled and &#8216;-&#8216; before each flag that should be
+comma-separated list of flags, with ‘+’ before each flag that
+should be enabled and ‘-‘ before each flag that should be
disabled. The <strong>postdateable</strong>, <strong>forwardable</strong>, <strong>tgt-based</strong>,
<strong>renewable</strong>, <strong>proxiable</strong>, <strong>dup-skey</strong>, <strong>allow-tickets</strong>, and
<strong>service</strong> flags default to enabled.</p>
@@ -183,9 +187,8 @@ disabled. The <strong>postdateable</strong>, <strong>forwardable</strong>, <str
this principal. Disabling this flag essentially deactivates
the principal within this realm.</dd>
<dt><strong>dup-skey</strong></dt>
-<dd>Enabling this flag allows the principal to obtain a session
-key for another user, permitting user-to-user authentication
-for this principal.</dd>
+<dd>Enabling this flag allows the KDC to issue user-to-user
+service tickets for this principal.</dd>
<dt><strong>forwardable</strong></dt>
<dd>Enabling this flag allows the principal to obtain forwardable
tickets.</dd>
@@ -221,7 +224,7 @@ principal.</dd>
<dt><strong>pwservice</strong></dt>
<dd>If this flag is enabled, it marks this principal as a password
change service. This should only be used in special cases,
-for example, if a user&#8217;s password has expired, then the user
+for example, if a user’s password has expired, then the user
has to get tickets for that principal without going through
the normal password authentication in order to be able to
change the password.</dd>
@@ -230,7 +233,9 @@ change the password.</dd>
tickets.</dd>
<dt><strong>service</strong></dt>
<dd>Enabling this flag allows the the KDC to issue service tickets
-for this principal.</dd>
+for this principal. In release 1.17 and later, user-to-user
+service tickets are still allowed if the <strong>dup-skey</strong> flag is
+set.</dd>
<dt><strong>tgt-based</strong></dt>
<dd>Enabling this flag allows a principal to obtain tickets based
on a ticket-granting-ticket, rather than repeating the
@@ -243,6 +248,11 @@ are not allowed as passwords. The file should contain one string
per line, with no additional whitespace. If none is specified or
if there is no policy assigned to the principal, no dictionary
checks of passwords will be performed.</dd>
+<dt><strong>disable_pac</strong></dt>
+<dd>(Boolean value.) If true, the KDC will not issue PACs for this
+realm, and S4U2Self and S4U2Proxy operations will be disabled.
+The default is false, which will permit the KDC to issue PACs.
+New in release 1.20.</dd>
<dt><strong>encrypted_challenge_indicator</strong></dt>
<dd>(String.) Specifies the authentication indicator value that the KDC
asserts into tickets obtained using FAST encrypted challenge
@@ -254,17 +264,25 @@ not marked as host-based by the client.</dd>
<dt><strong>iprop_enable</strong></dt>
<dd>(Boolean value.) Specifies whether incremental database
propagation is enabled. The default value is false.</dd>
-<dt><strong>iprop_master_ulogsize</strong></dt>
+<dt><strong>iprop_ulogsize</strong></dt>
<dd>(Integer.) Specifies the maximum number of log entries to be
retained for incremental propagation. The default value is 1000.
-Prior to release 1.11, the maximum value was 2500.</dd>
+Prior to release 1.11, the maximum value was 2500. New in release
+1.19.</dd>
+<dt><strong>iprop_master_ulogsize</strong></dt>
+<dd>The name for <strong>iprop_ulogsize</strong> prior to release 1.19. Its value is
+used as a fallback if <strong>iprop_ulogsize</strong> is not specified.</dd>
+<dt><strong>iprop_replica_poll</strong></dt>
+<dd>(Delta time string.) Specifies how often the replica KDC polls
+for new updates from the primary. The default value is <code class="docutils literal"><span class="pre">2m</span></code>
+(that is, two minutes). New in release 1.17.</dd>
<dt><strong>iprop_slave_poll</strong></dt>
-<dd>(Delta time string.) Specifies how often the slave KDC polls for
-new updates from the master. The default value is <tt class="docutils literal"><span class="pre">2m</span></tt> (that
-is, two minutes).</dd>
+<dd>(Delta time string.) The name for <strong>iprop_replica_poll</strong> prior to
+release 1.17. Its value is used as a fallback if
+<strong>iprop_replica_poll</strong> is not specified.</dd>
<dt><strong>iprop_listen</strong></dt>
<dd>(Whitespace- or comma-separated list.) Specifies the iprop RPC
-listening addresses and/or ports for the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a> daemon.
+listening addresses and/or ports for the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> daemon.
Each entry may be an interface address, a port number, or an
address and port number separated by a colon. If the address
contains colons, enclose it in square brackets. If no address is
@@ -276,21 +294,21 @@ address at the port specified in <strong>iprop_port</strong>. New in release
<dt><strong>iprop_port</strong></dt>
<dd>(Port number.) Specifies the port number to be used for
incremental propagation. When <strong>iprop_enable</strong> is true, this
-relation is required in the slave configuration file, and this
-relation or <strong>iprop_listen</strong> is required in the master
+relation is required in the replica KDC configuration file, and
+this relation or <strong>iprop_listen</strong> is required in the primary
configuration file, as there is no default port number. Port
numbers specified in <strong>iprop_listen</strong> entries will override this
-port number for the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a> daemon.</dd>
+port number for the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> daemon.</dd>
<dt><strong>iprop_resync_timeout</strong></dt>
<dd>(Delta time string.) Specifies the amount of time to wait for a
full propagation to complete. This is optional in configuration
-files, and is used by slave KDCs only. The default value is 5
-minutes (<tt class="docutils literal"><span class="pre">5m</span></tt>). New in release 1.11.</dd>
+files, and is used by replica KDCs only. The default value is 5
+minutes (<code class="docutils literal"><span class="pre">5m</span></code>). New in release 1.11.</dd>
<dt><strong>iprop_logfile</strong></dt>
<dd>(File name.) Specifies where the update log file for the realm
database is to be stored. The default is to use the
<strong>database_name</strong> entry from the realms section of the krb5 config
-file, with <tt class="docutils literal"><span class="pre">.ulog</span></tt> appended. (NOTE: If <strong>database_name</strong> isn&#8217;t
+file, with <code class="docutils literal"><span class="pre">.ulog</span></code> appended. (NOTE: If <strong>database_name</strong> isn’t
specified in the realms section, perhaps because the LDAP database
back end is being used, or the file name is specified in the
[dbmodules] section, then the hard-coded default for
@@ -298,7 +316,7 @@ back end is being used, or the file name is specified in the
default value will not use values from the [dbmodules] section.)</dd>
<dt><strong>kadmind_listen</strong></dt>
<dd>(Whitespace- or comma-separated list.) Specifies the kadmin RPC
-listening addresses and/or ports for the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a> daemon.
+listening addresses and/or ports for the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> daemon.
Each entry may be an interface address, a port number, or an
address and port number separated by a colon. If the address
contains colons, enclose it in square brackets. If no address is
@@ -308,16 +326,16 @@ default is to bind to the wildcard address at the port specified
in <strong>kadmind_port</strong>, or the standard kadmin port (749). New in
release 1.15.</dd>
<dt><strong>kadmind_port</strong></dt>
-<dd>(Port number.) Specifies the port on which the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a>
+<dd>(Port number.) Specifies the port on which the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a>
daemon is to listen for this realm. Port numbers specified in
<strong>kadmind_listen</strong> entries will override this port number. The
assigned port for kadmind is 749, which is used by default.</dd>
<dt><strong>key_stash_file</strong></dt>
<dd>(String.) Specifies the location where the master key has been
-stored (via kdb5_util stash). The default is <a class="reference internal" href="../../mitK5defaults.html#paths"><em>LOCALSTATEDIR</em></a><tt class="docutils literal"><span class="pre">/krb5kdc</span></tt><tt class="docutils literal"><span class="pre">/.k5.REALM</span></tt>, where <em>REALM</em> is the Kerberos realm.</dd>
+stored (via kdb5_util stash). The default is <a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">LOCALSTATEDIR</span></a><code class="docutils literal"><span class="pre">/krb5kdc</span></code><code class="docutils literal"><span class="pre">/.k5.REALM</span></code>, where <em>REALM</em> is the Kerberos realm.</dd>
<dt><strong>kdc_listen</strong></dt>
<dd>(Whitespace- or comma-separated list.) Specifies the UDP
-listening addresses and/or ports for the <a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><em>krb5kdc</em></a> daemon.
+listening addresses and/or ports for the <a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a> daemon.
Each entry may be an interface address, a port number, or an
address and port number separated by a colon. If the address
contains colons, enclose it in square brackets. If no address is
@@ -329,30 +347,30 @@ New in release 1.15.</dd>
<dt><strong>kdc_ports</strong></dt>
<dd>(Whitespace- or comma-separated list, deprecated.) Prior to
release 1.15, this relation lists the ports for the
-<a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><em>krb5kdc</em></a> daemon to listen on for UDP requests. In
+<a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a> daemon to listen on for UDP requests. In
release 1.15 and later, it has the same meaning as <strong>kdc_listen</strong>
if that relation is not defined.</dd>
<dt><strong>kdc_tcp_listen</strong></dt>
<dd>(Whitespace- or comma-separated list.) Specifies the TCP
-listening addresses and/or ports for the <a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><em>krb5kdc</em></a> daemon.
+listening addresses and/or ports for the <a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a> daemon.
Each entry may be an interface address, a port number, or an
address and port number separated by a colon. If the address
contains colons, enclose it in square brackets. If no address is
specified, the wildcard address is used. If no port is specified,
the standard port (88) is used. To disable listening on TCP, set
-this relation to the empty string with <tt class="docutils literal"><span class="pre">kdc_tcp_listen</span> <span class="pre">=</span> <span class="pre">&quot;&quot;</span></tt>.
+this relation to the empty string with <code class="docutils literal"><span class="pre">kdc_tcp_listen</span> <span class="pre">=</span> <span class="pre">&quot;&quot;</span></code>.
If the KDC daemon fails to bind to any of the specified addresses,
it will fail to start. The default is to bind to the wildcard
address on the standard port. New in release 1.15.</dd>
<dt><strong>kdc_tcp_ports</strong></dt>
<dd>(Whitespace- or comma-separated list, deprecated.) Prior to
release 1.15, this relation lists the ports for the
-<a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><em>krb5kdc</em></a> daemon to listen on for UDP requests. In
+<a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a> daemon to listen on for UDP requests. In
release 1.15 and later, it has the same meaning as
<strong>kdc_tcp_listen</strong> if that relation is not defined.</dd>
<dt><strong>kpasswd_listen</strong></dt>
<dd>(Comma-separated list.) Specifies the kpasswd listening addresses
-and/or ports for the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a> daemon. Each entry may be
+and/or ports for the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> daemon. Each entry may be
an interface address, a port number, or an address and port number
separated by a colon. If the address contains colons, enclose it
in square brackets. If no address is specified, the wildcard
@@ -361,43 +379,37 @@ addresses, it will fail to start. The default is to bind to the
wildcard address at the port specified in <strong>kpasswd_port</strong>, or the
standard kpasswd port (464). New in release 1.15.</dd>
<dt><strong>kpasswd_port</strong></dt>
-<dd>(Port number.) Specifies the port on which the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a>
+<dd>(Port number.) Specifies the port on which the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a>
daemon is to listen for password change requests for this realm.
Port numbers specified in <strong>kpasswd_listen</strong> entries will override
this port number. The assigned port for password change requests
is 464, which is used by default.</dd>
<dt><strong>master_key_name</strong></dt>
<dd>(String.) Specifies the name of the principal associated with the
-master key. The default is <tt class="docutils literal"><span class="pre">K/M</span></tt>.</dd>
+master key. The default is <code class="docutils literal"><span class="pre">K/M</span></code>.</dd>
<dt><strong>master_key_type</strong></dt>
-<dd>(Key type string.) Specifies the master key&#8217;s key type. The
-default value for this is <tt class="docutils literal"><span class="pre">aes256-cts-hmac-sha1-96</span></tt>. For a list of all possible
-values, see <a class="reference internal" href="#encryption-types"><em>Encryption types</em></a>.</dd>
+<dd>(Key type string.) Specifies the master key’s key type. The
+default value for this is <code class="docutils literal"><span class="pre">aes256-cts-hmac-sha1-96</span></code>. For a list of all possible
+values, see <a class="reference internal" href="#encryption-types"><span class="std std-ref">Encryption types</span></a>.</dd>
<dt><strong>max_life</strong></dt>
-<dd>(<a class="reference internal" href="../../basic/date_format.html#duration"><em>Time duration</em></a> string.) Specifies the maximum time period for
+<dd>(<a class="reference internal" href="../../basic/date_format.html#duration"><span class="std std-ref">Time duration</span></a> string.) Specifies the maximum time period for
which a ticket may be valid in this realm. The default value is
24 hours.</dd>
<dt><strong>max_renewable_life</strong></dt>
-<dd>(<a class="reference internal" href="../../basic/date_format.html#duration"><em>Time duration</em></a> string.) Specifies the maximum time period
+<dd>(<a class="reference internal" href="../../basic/date_format.html#duration"><span class="std std-ref">Time duration</span></a> string.) Specifies the maximum time period
during which a valid ticket may be renewed in this realm.
The default value is 0.</dd>
<dt><strong>no_host_referral</strong></dt>
<dd>(Whitespace- or comma-separated list.) Lists services to block
from getting host-based referral processing, even if the client
marks the server principal as host-based or the service is also
-listed in <strong>host_based_services</strong>. <tt class="docutils literal"><span class="pre">no_host_referral</span> <span class="pre">=</span> <span class="pre">*</span></tt> will
+listed in <strong>host_based_services</strong>. <code class="docutils literal"><span class="pre">no_host_referral</span> <span class="pre">=</span> <span class="pre">*</span></code> will
disable referral processing altogether.</dd>
-<dt><strong>des_crc_session_supported</strong></dt>
-<dd>(Boolean value). If set to true, the KDC will assume that service
-principals support des-cbc-crc for session key enctype negotiation
-purposes. If <strong>allow_weak_crypto</strong> in <a class="reference internal" href="krb5_conf.html#libdefaults"><em>[libdefaults]</em></a> is
-false, or if des-cbc-crc is not a permitted enctype, then this
-variable has no effect. Defaults to true. New in release 1.11.</dd>
<dt><strong>reject_bad_transit</strong></dt>
<dd><p class="first">(Boolean value.) If set to true, the KDC will check the list of
transited realms for cross-realm tickets against the transit path
computed from the realm names and the capaths section of its
-<a class="reference internal" href="krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a> file; if the path in the ticket to be issued
+<a class="reference internal" href="krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a> file; if the path in the ticket to be issued
contains any realms not in the computed path, the ticket will not
be issued, and an error will be returned to the client instead.
If this value is set to false, such tickets will be issued
@@ -414,23 +426,28 @@ only to TGS requests.</p>
<dt><strong>restrict_anonymous_to_tgt</strong></dt>
<dd>(Boolean value.) If set to true, the KDC will reject ticket
requests from anonymous principals to service principals other
-than the realm&#8217;s ticket-granting service. This option allows
+than the realm’s ticket-granting service. This option allows
anonymous PKINIT to be enabled for use as FAST armor tickets
without allowing anonymous authentication to services. The
default value is false. New in release 1.9.</dd>
+<dt><strong>spake_preauth_indicator</strong></dt>
+<dd>(String.) Specifies an authentication indicator value that the
+KDC asserts into tickets obtained using SPAKE pre-authentication.
+The default is not to add any indicators. This option may be
+specified multiple times. New in release 1.17.</dd>
<dt><strong>supported_enctypes</strong></dt>
<dd>(List of <em>key</em>:<em>salt</em> strings.) Specifies the default key/salt
combinations of principals for this realm. Any principals created
-through <a class="reference internal" href="../admin_commands/kadmin_local.html#kadmin-1"><em>kadmin</em></a> will have keys of these types. The
-default value for this tag is <tt class="docutils literal"><span class="pre">aes256-cts-hmac-sha1-96:normal</span> <span class="pre">aes128-cts-hmac-sha1-96:normal</span> <span class="pre">des3-cbc-sha1:normal</span> <span class="pre">arcfour-hmac-md5:normal</span></tt>. For lists of
-possible values, see <a class="reference internal" href="#keysalt-lists"><em>Keysalt lists</em></a>.</dd>
+through <a class="reference internal" href="../admin_commands/kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> will have keys of these types. The
+default value for this tag is <code class="docutils literal"><span class="pre">aes256-cts-hmac-sha1-96:normal</span> <span class="pre">aes128-cts-hmac-sha1-96:normal</span></code>. For lists of
+possible values, see <a class="reference internal" href="#keysalt-lists"><span class="std std-ref">Keysalt lists</span></a>.</dd>
</dl>
</div>
<div class="section" id="dbdefaults">
<span id="id2"></span><h3>[dbdefaults]<a class="headerlink" href="#dbdefaults" title="Permalink to this headline">¶</a></h3>
<p>The [dbdefaults] section specifies default values for some database
parameters, to be used if the [dbmodules] subsection does not contain
-a relation for the tag. See the <a class="reference internal" href="#dbmodules"><em>[dbmodules]</em></a> section for the
+a relation for the tag. See the <a class="reference internal" href="#dbmodules"><span class="std std-ref">[dbmodules]</span></a> section for the
definitions of these relations.</p>
<ul class="simple">
<li><strong>ldap_kerberos_container_dn</strong></li>
@@ -445,7 +462,6 @@ definitions of these relations.</p>
<li><strong>ldap_kadmind_sasl_mech</strong></li>
<li><strong>ldap_kadmind_sasl_realm</strong></li>
<li><strong>ldap_service_password_file</strong></li>
-<li><strong>ldap_servers</strong></li>
<li><strong>ldap_conns_per_server</strong></li>
</ul>
</div>
@@ -453,34 +469,34 @@ definitions of these relations.</p>
<span id="id3"></span><h3>[dbmodules]<a class="headerlink" href="#dbmodules" title="Permalink to this headline">¶</a></h3>
<p>The [dbmodules] section contains parameters used by the KDC database
library and database modules. Each tag in the [dbmodules] section is
-the name of a Kerberos realm or a section name specified by a realm&#8217;s
+the name of a Kerberos realm or a section name specified by a realm’s
<strong>database_module</strong> parameter. The following example shows how to
define one database parameter for the ATHENA.MIT.EDU realm:</p>
-<div class="highlight-python"><div class="highlight"><pre>[dbmodules]
- ATHENA.MIT.EDU = {
- disable_last_success = true
- }
+<div class="highlight-default"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">dbmodules</span><span class="p">]</span>
+ <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="o">=</span> <span class="p">{</span>
+ <span class="n">disable_last_success</span> <span class="o">=</span> <span class="n">true</span>
+ <span class="p">}</span>
</pre></div>
</div>
<p>The following tags may be specified in a [dbmodules] subsection:</p>
<dl class="docutils">
<dt><strong>database_name</strong></dt>
<dd>This DB2-specific tag indicates the location of the database in
-the filesystem. The default is <a class="reference internal" href="../../mitK5defaults.html#paths"><em>LOCALSTATEDIR</em></a><tt class="docutils literal"><span class="pre">/krb5kdc</span></tt><tt class="docutils literal"><span class="pre">/principal</span></tt>.</dd>
+the filesystem. The default is <a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">LOCALSTATEDIR</span></a><code class="docutils literal"><span class="pre">/krb5kdc</span></code><code class="docutils literal"><span class="pre">/principal</span></code>.</dd>
<dt><strong>db_library</strong></dt>
<dd>This tag indicates the name of the loadable database module. The
-value should be <tt class="docutils literal"><span class="pre">db2</span></tt> for the DB2 module and <tt class="docutils literal"><span class="pre">kldap</span></tt> for the
-LDAP module.</dd>
+value should be <code class="docutils literal"><span class="pre">db2</span></code> for the DB2 module, <code class="docutils literal"><span class="pre">klmdb</span></code> for the LMDB
+module, or <code class="docutils literal"><span class="pre">kldap</span></code> for the LDAP module.</dd>
<dt><strong>disable_last_success</strong></dt>
-<dd>If set to <tt class="docutils literal"><span class="pre">true</span></tt>, suppresses KDC updates to the &#8220;Last successful
-authentication&#8221; field of principal entries requiring
+<dd>If set to <code class="docutils literal"><span class="pre">true</span></code>, suppresses KDC updates to the “Last successful
+authentication” field of principal entries requiring
preauthentication. Setting this flag may improve performance.
(Principal entries which do not require preauthentication never
-update the &#8220;Last successful authentication&#8221; field.). First
+update the “Last successful authentication” field.). First
introduced in release 1.9.</dd>
<dt><strong>disable_lockout</strong></dt>
-<dd>If set to <tt class="docutils literal"><span class="pre">true</span></tt>, suppresses KDC updates to the &#8220;Last failed
-authentication&#8221; and &#8220;Failed password attempts&#8221; fields of principal
+<dd>If set to <code class="docutils literal"><span class="pre">true</span></code>, suppresses KDC updates to the “Last failed
+authentication” and “Failed password attempts” fields of principal
entries requiring preauthentication. Setting this flag may
improve performance, but also disables account lockout. First
introduced in release 1.9.</dd>
@@ -489,8 +505,8 @@ introduced in release 1.9.</dd>
maintained per LDAP server.</dd>
<dt><strong>ldap_kdc_dn</strong> and <strong>ldap_kadmind_dn</strong></dt>
<dd>These LDAP-specific tags indicate the default DN for binding to
-the LDAP server. The <a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><em>krb5kdc</em></a> daemon uses
-<strong>ldap_kdc_dn</strong>, while the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a> daemon and other
+the LDAP server. The <a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a> daemon uses
+<strong>ldap_kdc_dn</strong>, while the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> daemon and other
administrative programs use <strong>ldap_kadmind_dn</strong>. The kadmind DN
must have the rights to read and write the Kerberos data in the
LDAP database. The KDC DN must have the same rights, unless
@@ -500,13 +516,13 @@ These tags are ignored if a SASL mechanism is set with
<strong>ldap_kdc_sasl_mech</strong> or <strong>ldap_kadmind_sasl_mech</strong>.</dd>
<dt><strong>ldap_kdc_sasl_mech</strong> and <strong>ldap_kadmind_sasl_mech</strong></dt>
<dd>These LDAP-specific tags specify the SASL mechanism (such as
-<tt class="docutils literal"><span class="pre">EXTERNAL</span></tt>) to use when binding to the LDAP server. New in
+<code class="docutils literal"><span class="pre">EXTERNAL</span></code>) to use when binding to the LDAP server. New in
release 1.13.</dd>
<dt><strong>ldap_kdc_sasl_authcid</strong> and <strong>ldap_kadmind_sasl_authcid</strong></dt>
<dd>These LDAP-specific tags specify the SASL authentication identity
to use when binding to the LDAP server. Not all SASL mechanisms
require an authentication identity. If the SASL mechanism
-requires a secret (such as the password for <tt class="docutils literal"><span class="pre">DIGEST-MD5</span></tt>), these
+requires a secret (such as the password for <code class="docutils literal"><span class="pre">DIGEST-MD5</span></code>), these
tags also determine the name within the
<strong>ldap_service_password_file</strong> where the secret is stashed. New
in release 1.13.</dd>
@@ -525,18 +541,33 @@ where the realm objects will be located.</dd>
<dd>This LDAP-specific tag indicates the list of LDAP servers that the
Kerberos servers can connect to. The list of LDAP servers is
whitespace-separated. The LDAP server is specified by a LDAP URI.
-It is recommended to use <tt class="docutils literal"><span class="pre">ldapi:</span></tt> or <tt class="docutils literal"><span class="pre">ldaps:</span></tt> URLs to connect
+It is recommended to use <code class="docutils literal"><span class="pre">ldapi:</span></code> or <code class="docutils literal"><span class="pre">ldaps:</span></code> URLs to connect
to the LDAP server.</dd>
<dt><strong>ldap_service_password_file</strong></dt>
<dd>This LDAP-specific tag indicates the file containing the stashed
-passwords (created by <tt class="docutils literal"><span class="pre">kdb5_ldap_util</span> <span class="pre">stashsrvpw</span></tt>) for the
+passwords (created by <code class="docutils literal"><span class="pre">kdb5_ldap_util</span> <span class="pre">stashsrvpw</span></code>) for the
<strong>ldap_kdc_dn</strong> and <strong>ldap_kadmind_dn</strong> objects, or for the
<strong>ldap_kdc_sasl_authcid</strong> or <strong>ldap_kadmind_sasl_authcid</strong> names
for SASL authentication. This file must be kept secure.</dd>
+<dt><strong>mapsize</strong></dt>
+<dd>This LMDB-specific tag indicates the maximum size of the two
+database environments in megabytes. The default value is 128.
+Increase this value to address “Environment mapsize limit reached”
+errors. New in release 1.17.</dd>
+<dt><strong>max_readers</strong></dt>
+<dd>This LMDB-specific tag indicates the maximum number of concurrent
+reading processes for the databases. The default value is 128.
+New in release 1.17.</dd>
+<dt><strong>nosync</strong></dt>
+<dd>This LMDB-specific tag can be set to improve the throughput of
+kadmind and other administrative agents, at the expense of
+durability (recent database changes may not survive a power outage
+or other sudden reboot). It does not affect the throughput of the
+KDC. The default value is false. New in release 1.17.</dd>
<dt><strong>unlockiter</strong></dt>
-<dd>If set to <tt class="docutils literal"><span class="pre">true</span></tt>, this DB2-specific tag causes iteration
+<dd>If set to <code class="docutils literal"><span class="pre">true</span></code>, this DB2-specific tag causes iteration
operations to release the database lock while processing each
-principal. Setting this flag to <tt class="docutils literal"><span class="pre">true</span></tt> can prevent extended
+principal. Setting this flag to <code class="docutils literal"><span class="pre">true</span></code> can prevent extended
blocking of KDC or kadmin operations when dumps of large databases
are in progress. First introduced in release 1.13.</dd>
</dl>
@@ -550,14 +581,14 @@ modules. The value should be an absolute path.</dd>
</div>
<div class="section" id="logging">
<span id="id4"></span><h3>[logging]<a class="headerlink" href="#logging" title="Permalink to this headline">¶</a></h3>
-<p>The [logging] section indicates how <a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><em>krb5kdc</em></a> and
-<a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a> perform logging. It may contain the following
+<p>The [logging] section indicates how <a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a> and
+<a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> perform logging. It may contain the following
relations:</p>
<dl class="docutils">
<dt><strong>admin_server</strong></dt>
-<dd>Specifies how <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a> performs logging.</dd>
+<dd>Specifies how <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> performs logging.</dd>
<dt><strong>kdc</strong></dt>
-<dd>Specifies how <a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><em>krb5kdc</em></a> performs logging.</dd>
+<dd>Specifies how <a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a> performs logging.</dd>
<dt><strong>default</strong></dt>
<dd>Specifies how either daemon performs logging in the absence of
relations specific to the daemon.</dd>
@@ -571,46 +602,45 @@ release 1.15.</dd>
<p>Logging specifications may have the following forms:</p>
<dl class="docutils">
<dt><strong>FILE=</strong><em>filename</em> or <strong>FILE:</strong><em>filename</em></dt>
-<dd>This value causes the daemon&#8217;s logging messages to go to the
-<em>filename</em>. If the <tt class="docutils literal"><span class="pre">=</span></tt> form is used, the file is overwritten.
-If the <tt class="docutils literal"><span class="pre">:</span></tt> form is used, the file is appended to.</dd>
+<dd>This value causes the daemon’s logging messages to go to the
+<em>filename</em>. If the <code class="docutils literal"><span class="pre">=</span></code> form is used, the file is overwritten.
+If the <code class="docutils literal"><span class="pre">:</span></code> form is used, the file is appended to.</dd>
<dt><strong>STDERR</strong></dt>
-<dd>This value causes the daemon&#8217;s logging messages to go to its
+<dd>This value causes the daemon’s logging messages to go to its
standard error stream.</dd>
<dt><strong>CONSOLE</strong></dt>
-<dd>This value causes the daemon&#8217;s logging messages to go to the
+<dd>This value causes the daemon’s logging messages to go to the
console, if the system supports it.</dd>
<dt><strong>DEVICE=</strong><em>&lt;devicename&gt;</em></dt>
-<dd>This causes the daemon&#8217;s logging messages to go to the specified
+<dd>This causes the daemon’s logging messages to go to the specified
device.</dd>
<dt><strong>SYSLOG</strong>[<strong>:</strong><em>severity</em>[<strong>:</strong><em>facility</em>]]</dt>
-<dd><p class="first">This causes the daemon&#8217;s logging messages to go to the system log.</p>
-<p>The severity argument specifies the default severity of system log
-messages. This may be any of the following severities supported
-by the syslog(3) call, minus the <tt class="docutils literal"><span class="pre">LOG_</span></tt> prefix: <strong>EMERG</strong>,
-<strong>ALERT</strong>, <strong>CRIT</strong>, <strong>ERR</strong>, <strong>WARNING</strong>, <strong>NOTICE</strong>, <strong>INFO</strong>,
-and <strong>DEBUG</strong>.</p>
-<p>The facility argument specifies the facility under which the
+<dd><p class="first">This causes the daemon’s logging messages to go to the system log.</p>
+<p>For backward compatibility, a severity argument may be specified,
+and must be specified in order to specify a facility. This
+argument will be ignored.</p>
+<p class="last">The facility argument specifies the facility under which the
messages are logged. This may be any of the following facilities
supported by the syslog(3) call minus the LOG_ prefix: <strong>KERN</strong>,
<strong>USER</strong>, <strong>MAIL</strong>, <strong>DAEMON</strong>, <strong>AUTH</strong>, <strong>LPR</strong>, <strong>NEWS</strong>,
-<strong>UUCP</strong>, <strong>CRON</strong>, and <strong>LOCAL0</strong> through <strong>LOCAL7</strong>.</p>
-<p class="last">If no severity is specified, the default is <strong>ERR</strong>. If no
+<strong>UUCP</strong>, <strong>CRON</strong>, and <strong>LOCAL0</strong> through <strong>LOCAL7</strong>. If no
facility is specified, the default is <strong>AUTH</strong>.</p>
</dd>
</dl>
<p>In the following example, the logging messages from the KDC will go to
-the console and to the system log under the facility LOG_DAEMON with
-default severity of LOG_INFO; and the logging messages from the
-administrative server will be appended to the file
-<tt class="docutils literal"><span class="pre">/var/adm/kadmin.log</span></tt> and sent to the device <tt class="docutils literal"><span class="pre">/dev/tty04</span></tt>.</p>
-<div class="highlight-python"><div class="highlight"><pre>[logging]
- kdc = CONSOLE
- kdc = SYSLOG:INFO:DAEMON
- admin_server = FILE:/var/adm/kadmin.log
- admin_server = DEVICE=/dev/tty04
+the console and to the system log under the facility LOG_DAEMON, and
+the logging messages from the administrative server will be appended
+to the file <code class="docutils literal"><span class="pre">/var/adm/kadmin.log</span></code> and sent to the device
+<code class="docutils literal"><span class="pre">/dev/tty04</span></code>.</p>
+<div class="highlight-default"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">logging</span><span class="p">]</span>
+ <span class="n">kdc</span> <span class="o">=</span> <span class="n">CONSOLE</span>
+ <span class="n">kdc</span> <span class="o">=</span> <span class="n">SYSLOG</span><span class="p">:</span><span class="n">INFO</span><span class="p">:</span><span class="n">DAEMON</span>
+ <span class="n">admin_server</span> <span class="o">=</span> <span class="n">FILE</span><span class="p">:</span><span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">adm</span><span class="o">/</span><span class="n">kadmin</span><span class="o">.</span><span class="n">log</span>
+ <span class="n">admin_server</span> <span class="o">=</span> <span class="n">DEVICE</span><span class="o">=/</span><span class="n">dev</span><span class="o">/</span><span class="n">tty04</span>
</pre></div>
</div>
+<p>If no logging specification is given, the default is to use syslog.
+To disable logging entirely, specify <code class="docutils literal"><span class="pre">default</span> <span class="pre">=</span> <span class="pre">DEVICE=/dev/null</span></code>.</p>
</div>
<div class="section" id="otp">
<span id="id5"></span><h3>[otp]<a class="headerlink" href="#otp" title="Permalink to this headline">¶</a></h3>
@@ -623,9 +653,9 @@ One Time Password request to a RADIUS server.</p>
<dd>This is the server to send the RADIUS request to. It can be a
hostname with optional port, an ip address with optional port, or
a Unix domain socket address. The default is
-<a class="reference internal" href="../../mitK5defaults.html#paths"><em>LOCALSTATEDIR</em></a><tt class="docutils literal"><span class="pre">/krb5kdc</span></tt><tt class="docutils literal"><span class="pre">/&lt;name&gt;.socket</span></tt>.</dd>
+<a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">LOCALSTATEDIR</span></a><code class="docutils literal"><span class="pre">/krb5kdc</span></code><code class="docutils literal"><span class="pre">/&lt;name&gt;.socket</span></code>.</dd>
<dt><strong>secret</strong></dt>
-<dd>This tag indicates a filename (which may be relative to <a class="reference internal" href="../../mitK5defaults.html#paths"><em>LOCALSTATEDIR</em></a><tt class="docutils literal"><span class="pre">/krb5kdc</span></tt>)
+<dd>This tag indicates a filename (which may be relative to <a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">LOCALSTATEDIR</span></a><code class="docutils literal"><span class="pre">/krb5kdc</span></code>)
containing the secret used to encrypt the RADIUS packets. The
secret should appear in the first line of the file by itself;
leading and trailing whitespace on the line will be removed. If
@@ -641,16 +671,16 @@ which an OTP value remains valid for. The default is 5 seconds.</dd>
<dd>This tag specifies the number of retries to make to the RADIUS
server. The default is 3 retries (4 tries).</dd>
<dt><strong>strip_realm</strong></dt>
-<dd>If this tag is <tt class="docutils literal"><span class="pre">true</span></tt>, the principal without the realm will be
+<dd>If this tag is <code class="docutils literal"><span class="pre">true</span></code>, the principal without the realm will be
passed to the RADIUS server. Otherwise, the realm will be
-included. The default value is <tt class="docutils literal"><span class="pre">true</span></tt>.</dd>
+included. The default value is <code class="docutils literal"><span class="pre">true</span></code>.</dd>
<dt><strong>indicator</strong></dt>
<dd>This tag specifies an authentication indicator to be included in
the ticket if this token type is used to authenticate. This
option may be specified multiple times. (New in release 1.14.)</dd>
</dl>
<p>In the following example, requests are sent to a remote server via UDP:</p>
-<div class="highlight-python"><div class="highlight"><pre>[otp]
+<div class="highlight-default"><div class="highlight"><pre><span></span>[otp]
MyRemoteTokenType = {
server = radius.mydomain.com:1812
secret = SEmfiajf42$
@@ -660,14 +690,14 @@ option may be specified multiple times. (New in release 1.14.)</dd>
}
</pre></div>
</div>
-<p>An implicit default token type named <tt class="docutils literal"><span class="pre">DEFAULT</span></tt> is defined for when
+<p>An implicit default token type named <code class="docutils literal"><span class="pre">DEFAULT</span></code> is defined for when
the per-principal configuration does not specify a token type. Its
configuration is shown below. You may override this token type to
something applicable for your situation:</p>
-<div class="highlight-python"><div class="highlight"><pre>[otp]
- DEFAULT = {
- strip_realm = false
- }
+<div class="highlight-default"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">otp</span><span class="p">]</span>
+ <span class="n">DEFAULT</span> <span class="o">=</span> <span class="p">{</span>
+ <span class="n">strip_realm</span> <span class="o">=</span> <span class="n">false</span>
+ <span class="p">}</span>
</pre></div>
</div>
</div>
@@ -684,23 +714,23 @@ realm-specific value over-rides, does not add to, a generic
</div>
<ol class="arabic">
<li><p class="first">realm-specific subsection of [realms]:</p>
-<div class="highlight-python"><div class="highlight"><pre>[realms]
- EXAMPLE.COM = {
- pkinit_anchors = FILE:/usr/local/example.com.crt
- }
+<div class="highlight-default"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">realms</span><span class="p">]</span>
+ <span class="n">EXAMPLE</span><span class="o">.</span><span class="n">COM</span> <span class="o">=</span> <span class="p">{</span>
+ <span class="n">pkinit_anchors</span> <span class="o">=</span> <span class="n">FILE</span><span class="p">:</span><span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">local</span><span class="o">/</span><span class="n">example</span><span class="o">.</span><span class="n">com</span><span class="o">.</span><span class="n">crt</span>
+ <span class="p">}</span>
</pre></div>
</div>
</li>
<li><p class="first">generic value in the [kdcdefaults] section:</p>
-<div class="highlight-python"><div class="highlight"><pre>[kdcdefaults]
- pkinit_anchors = DIR:/usr/local/generic_trusted_cas/
+<div class="highlight-default"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">kdcdefaults</span><span class="p">]</span>
+ <span class="n">pkinit_anchors</span> <span class="o">=</span> <span class="n">DIR</span><span class="p">:</span><span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">local</span><span class="o">/</span><span class="n">generic_trusted_cas</span><span class="o">/</span>
</pre></div>
</div>
</li>
</ol>
<p>For information about the syntax of some of these options, see
-<a class="reference internal" href="krb5_conf.html#pkinit-identity"><em>Specifying PKINIT identity information</em></a> in
-<a class="reference internal" href="krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a>.</p>
+<a class="reference internal" href="krb5_conf.html#pkinit-identity"><span class="std std-ref">Specifying PKINIT identity information</span></a> in
+<a class="reference internal" href="krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a>.</p>
<dl class="docutils">
<dt><strong>pkinit_anchors</strong></dt>
<dd>Specifies the location of trusted anchor (root) certificates which
@@ -709,7 +739,7 @@ required if pkinit is to be supported by the KDC. This option may
be specified multiple times.</dd>
<dt><strong>pkinit_dh_min_bits</strong></dt>
<dd>Specifies the minimum number of bits the KDC is willing to accept
-for a client&#8217;s Diffie-Hellman key. The default is 2048.</dd>
+for a client’s Diffie-Hellman key. The default is 2048.</dd>
<dt><strong>pkinit_allow_upn</strong></dt>
<dd><p class="first">Specifies that the KDC is willing to accept client certificates
with the Microsoft UserPrincipalName (UPN) Subject Alternative
@@ -717,7 +747,7 @@ Name (SAN). This means the KDC accepts the binding of the UPN in
the certificate to the Kerberos principal name. The default value
is false.</p>
<p class="last">Without this option, the KDC will only accept certificates with
-the id-pkinit-san as defined in <span class="target" id="index-0"></span><a class="rfc reference external" href="http://tools.ietf.org/html/rfc4556.html"><strong>RFC 4556</strong></a>. There is currently
+the id-pkinit-san as defined in <span class="target" id="index-0"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc4556.html"><strong>RFC 4556</strong></a>. There is currently
no option to disable SAN checking in the KDC.</p>
</dd>
<dt><strong>pkinit_eku_checking</strong></dt>
@@ -728,7 +758,7 @@ recognized in the kdc.conf file are:</p>
<dt><strong>kpClientAuth</strong></dt>
<dd>This is the default value and specifies that client
certificates must have the id-pkinit-KPClientAuth EKU as
-defined in <span class="target" id="index-1"></span><a class="rfc reference external" href="http://tools.ietf.org/html/rfc4556.html"><strong>RFC 4556</strong></a>.</dd>
+defined in <span class="target" id="index-1"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc4556.html"><strong>RFC 4556</strong></a>.</dd>
<dt><strong>scLogin</strong></dt>
<dd>If scLogin is specified, client certificates with the
Microsoft Smart Card Login EKU (id-ms-kp-sc-logon) will be
@@ -740,7 +770,7 @@ this option is not recommended.</dd>
</dl>
</dd>
<dt><strong>pkinit_identity</strong></dt>
-<dd>Specifies the location of the KDC&#8217;s X.509 identity information.
+<dd>Specifies the location of the KDC’s X.509 identity information.
This option is required if pkinit is to be supported by the KDC.</dd>
<dt><strong>pkinit_indicator</strong></dt>
<dd>Specifies an authentication indicator to include in the ticket if
@@ -748,7 +778,7 @@ pkinit is used to authenticate. This option may be specified
multiple times. (New in release 1.14.)</dd>
<dt><strong>pkinit_pool</strong></dt>
<dd>Specifies the location of intermediate certificates which may be
-used by the KDC to complete the trust chain between a client&#8217;s
+used by the KDC to complete the trust chain between a client’s
certificate and a trusted anchor. This option may be specified
multiple times.</dd>
<dt><strong>pkinit_revoke</strong></dt>
@@ -769,68 +799,54 @@ fails.</p>
<p class="last"><strong>pkinit_require_crl_checking</strong> should be set to true if the
policy is such that up-to-date CRLs must be present for every CA.</p>
</dd>
+<dt><strong>pkinit_require_freshness</strong></dt>
+<dd>Specifies whether to require clients to include a freshness token
+in PKINIT requests. The default value is false. (New in release
+1.17.)</dd>
</dl>
</div>
<div class="section" id="encryption-types">
<span id="id6"></span><h2>Encryption types<a class="headerlink" href="#encryption-types" title="Permalink to this headline">¶</a></h2>
<p>Any tag in the configuration files which requires a list of encryption
types can be set to some combination of the following strings.
-Encryption types marked as &#8220;weak&#8221; are available for compatibility but
-not recommended for use.</p>
+Encryption types marked as “weak” and “deprecated” are available for
+compatibility but not recommended for use.</p>
<table border="1" class="docutils">
<colgroup>
<col width="30%" />
<col width="70%" />
</colgroup>
<tbody valign="top">
-<tr class="row-odd"><td>des-cbc-crc</td>
-<td>DES cbc mode with CRC-32 (weak)</td>
-</tr>
-<tr class="row-even"><td>des-cbc-md4</td>
-<td>DES cbc mode with RSA-MD4 (weak)</td>
-</tr>
-<tr class="row-odd"><td>des-cbc-md5</td>
-<td>DES cbc mode with RSA-MD5 (weak)</td>
-</tr>
-<tr class="row-even"><td>des-cbc-raw</td>
-<td>DES cbc mode raw (weak)</td>
-</tr>
<tr class="row-odd"><td>des3-cbc-raw</td>
<td>Triple DES cbc mode raw (weak)</td>
</tr>
<tr class="row-even"><td>des3-cbc-sha1 des3-hmac-sha1 des3-cbc-sha1-kd</td>
-<td>Triple DES cbc mode with HMAC/sha1</td>
+<td>Triple DES cbc mode with HMAC/sha1 (deprecated)</td>
</tr>
-<tr class="row-odd"><td>des-hmac-sha1</td>
-<td>DES with HMAC/sha1 (weak)</td>
-</tr>
-<tr class="row-even"><td>aes256-cts-hmac-sha1-96 aes256-cts aes256-sha1</td>
+<tr class="row-odd"><td>aes256-cts-hmac-sha1-96 aes256-cts aes256-sha1</td>
<td>AES-256 CTS mode with 96-bit SHA-1 HMAC</td>
</tr>
-<tr class="row-odd"><td>aes128-cts-hmac-sha1-96 aes128-cts aes128-sha1</td>
+<tr class="row-even"><td>aes128-cts-hmac-sha1-96 aes128-cts aes128-sha1</td>
<td>AES-128 CTS mode with 96-bit SHA-1 HMAC</td>
</tr>
-<tr class="row-even"><td>aes256-cts-hmac-sha384-192 aes256-sha2</td>
+<tr class="row-odd"><td>aes256-cts-hmac-sha384-192 aes256-sha2</td>
<td>AES-256 CTS mode with 192-bit SHA-384 HMAC</td>
</tr>
-<tr class="row-odd"><td>aes128-cts-hmac-sha256-128 aes128-sha2</td>
+<tr class="row-even"><td>aes128-cts-hmac-sha256-128 aes128-sha2</td>
<td>AES-128 CTS mode with 128-bit SHA-256 HMAC</td>
</tr>
-<tr class="row-even"><td>arcfour-hmac rc4-hmac arcfour-hmac-md5</td>
-<td>RC4 with HMAC/MD5</td>
+<tr class="row-odd"><td>arcfour-hmac rc4-hmac arcfour-hmac-md5</td>
+<td>RC4 with HMAC/MD5 (deprecated)</td>
</tr>
-<tr class="row-odd"><td>arcfour-hmac-exp rc4-hmac-exp arcfour-hmac-md5-exp</td>
+<tr class="row-even"><td>arcfour-hmac-exp rc4-hmac-exp arcfour-hmac-md5-exp</td>
<td>Exportable RC4 with HMAC/MD5 (weak)</td>
</tr>
-<tr class="row-even"><td>camellia256-cts-cmac camellia256-cts</td>
+<tr class="row-odd"><td>camellia256-cts-cmac camellia256-cts</td>
<td>Camellia-256 CTS mode with CMAC</td>
</tr>
-<tr class="row-odd"><td>camellia128-cts-cmac camellia128-cts</td>
+<tr class="row-even"><td>camellia128-cts-cmac camellia128-cts</td>
<td>Camellia-128 CTS mode with CMAC</td>
</tr>
-<tr class="row-even"><td>des</td>
-<td>The DES family: des-cbc-crc, des-cbc-md5, and des-cbc-md4 (weak)</td>
-</tr>
<tr class="row-odd"><td>des3</td>
<td>The triple DES family: des3-cbc-sha1</td>
</tr>
@@ -847,11 +863,11 @@ not recommended for use.</p>
</table>
<p>The string <strong>DEFAULT</strong> can be used to refer to the default set of
types for the variable in question. Types or families can be removed
-from the current list by prefixing them with a minus sign (&#8220;-&#8221;).
-Types or families can be prefixed with a plus sign (&#8220;+&#8221;) for symmetry;
+from the current list by prefixing them with a minus sign (“-“).
+Types or families can be prefixed with a plus sign (“+”) for symmetry;
it has the same meaning as just listing the type or family. For
-example, &#8220;<tt class="docutils literal"><span class="pre">DEFAULT</span> <span class="pre">-des</span></tt>&#8221; would be the default set of encryption
-types with DES types removed, and &#8220;<tt class="docutils literal"><span class="pre">des3</span> <span class="pre">DEFAULT</span></tt>&#8221; would be the
+example, “<code class="docutils literal"><span class="pre">DEFAULT</span> <span class="pre">-rc4</span></code>” would be the default set of encryption
+types with RC4 types removed, and “<code class="docutils literal"><span class="pre">des3</span> <span class="pre">DEFAULT</span></code>” would be the
default set of encryption types with triple DES types moved to the
front.</p>
<p>While <strong>aes128-cts</strong> and <strong>aes256-cts</strong> are supported for all Kerberos
@@ -868,11 +884,11 @@ encryption types in the KDC database.</p>
<span id="id7"></span><h2>Keysalt lists<a class="headerlink" href="#keysalt-lists" title="Permalink to this headline">¶</a></h2>
<p>Kerberos keys for users are usually derived from passwords. Kerberos
commands and configuration parameters that affect generation of keys
-take lists of enctype-salttype (&#8220;keysalt&#8221;) pairs, known as <em>keysalt
+take lists of enctype-salttype (“keysalt”) pairs, known as <em>keysalt
lists</em>. Each keysalt pair is an enctype name followed by a salttype
name, in the format <em>enc</em>:<em>salt</em>. Individual keysalt list members are
-separated by comma (&#8221;,&#8221;) characters or space characters. For example:</p>
-<div class="highlight-python"><div class="highlight"><pre>kadmin -e aes256-cts:normal,aes128-cts:normal
+separated by comma (“,”) characters or space characters. For example:</p>
+<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kadmin</span> <span class="o">-</span><span class="n">e</span> <span class="n">aes256</span><span class="o">-</span><span class="n">cts</span><span class="p">:</span><span class="n">normal</span><span class="p">,</span><span class="n">aes128</span><span class="o">-</span><span class="n">cts</span><span class="p">:</span><span class="n">normal</span>
</pre></div>
</div>
<p>would start up kadmin so that by default it would generate
@@ -884,25 +900,19 @@ using something called a salt. The supported salt types are as
follows:</p>
<table border="1" class="docutils">
<colgroup>
-<col width="21%" />
-<col width="79%" />
+<col width="25%" />
+<col width="75%" />
</colgroup>
<tbody valign="top">
<tr class="row-odd"><td>normal</td>
<td>default for Kerberos Version 5</td>
</tr>
-<tr class="row-even"><td>v4</td>
-<td>the only type used by Kerberos Version 4 (no salt)</td>
-</tr>
-<tr class="row-odd"><td>norealm</td>
+<tr class="row-even"><td>norealm</td>
<td>same as the default, without using realm information</td>
</tr>
-<tr class="row-even"><td>onlyrealm</td>
+<tr class="row-odd"><td>onlyrealm</td>
<td>uses only realm information as the salt</td>
</tr>
-<tr class="row-odd"><td>afs3</td>
-<td>AFS version 3, only used for compatibility with Kerberos 4 in AFS</td>
-</tr>
<tr class="row-even"><td>special</td>
<td>generate a random salt</td>
</tr>
@@ -911,51 +921,51 @@ follows:</p>
</div>
<div class="section" id="sample-kdc-conf-file">
<h2>Sample kdc.conf File<a class="headerlink" href="#sample-kdc-conf-file" title="Permalink to this headline">¶</a></h2>
-<p>Here&#8217;s an example of a kdc.conf file:</p>
-<div class="highlight-python"><div class="highlight"><pre>[kdcdefaults]
- kdc_listen = 88
- kdc_tcp_listen = 88
-[realms]
- ATHENA.MIT.EDU = {
- kadmind_port = 749
- max_life = 12h 0m 0s
- max_renewable_life = 7d 0h 0m 0s
- master_key_type = aes256-cts-hmac-sha1-96
- supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal
- database_module = openldap_ldapconf
- }
+<p>Here’s an example of a kdc.conf file:</p>
+<div class="highlight-default"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">kdcdefaults</span><span class="p">]</span>
+ <span class="n">kdc_listen</span> <span class="o">=</span> <span class="mi">88</span>
+ <span class="n">kdc_tcp_listen</span> <span class="o">=</span> <span class="mi">88</span>
+<span class="p">[</span><span class="n">realms</span><span class="p">]</span>
+ <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="o">=</span> <span class="p">{</span>
+ <span class="n">kadmind_port</span> <span class="o">=</span> <span class="mi">749</span>
+ <span class="n">max_life</span> <span class="o">=</span> <span class="mi">12</span><span class="n">h</span> <span class="mi">0</span><span class="n">m</span> <span class="mi">0</span><span class="n">s</span>
+ <span class="n">max_renewable_life</span> <span class="o">=</span> <span class="mi">7</span><span class="n">d</span> <span class="mi">0</span><span class="n">h</span> <span class="mi">0</span><span class="n">m</span> <span class="mi">0</span><span class="n">s</span>
+ <span class="n">master_key_type</span> <span class="o">=</span> <span class="n">aes256</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span>
+ <span class="n">supported_enctypes</span> <span class="o">=</span> <span class="n">aes256</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span><span class="p">:</span><span class="n">normal</span> <span class="n">aes128</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span><span class="p">:</span><span class="n">normal</span>
+ <span class="n">database_module</span> <span class="o">=</span> <span class="n">openldap_ldapconf</span>
+ <span class="p">}</span>
-[logging]
- kdc = FILE:/usr/local/var/krb5kdc/kdc.log
- admin_server = FILE:/usr/local/var/krb5kdc/kadmin.log
+<span class="p">[</span><span class="n">logging</span><span class="p">]</span>
+ <span class="n">kdc</span> <span class="o">=</span> <span class="n">FILE</span><span class="p">:</span><span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">local</span><span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">krb5kdc</span><span class="o">/</span><span class="n">kdc</span><span class="o">.</span><span class="n">log</span>
+ <span class="n">admin_server</span> <span class="o">=</span> <span class="n">FILE</span><span class="p">:</span><span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">local</span><span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">krb5kdc</span><span class="o">/</span><span class="n">kadmin</span><span class="o">.</span><span class="n">log</span>
-[dbdefaults]
- ldap_kerberos_container_dn = cn=krbcontainer,dc=mit,dc=edu
+<span class="p">[</span><span class="n">dbdefaults</span><span class="p">]</span>
+ <span class="n">ldap_kerberos_container_dn</span> <span class="o">=</span> <span class="n">cn</span><span class="o">=</span><span class="n">krbcontainer</span><span class="p">,</span><span class="n">dc</span><span class="o">=</span><span class="n">mit</span><span class="p">,</span><span class="n">dc</span><span class="o">=</span><span class="n">edu</span>
-[dbmodules]
- openldap_ldapconf = {
- db_library = kldap
- disable_last_success = true
- ldap_kdc_dn = &quot;cn=krbadmin,dc=mit,dc=edu&quot;
- # this object needs to have read rights on
- # the realm container and principal subtrees
- ldap_kadmind_dn = &quot;cn=krbadmin,dc=mit,dc=edu&quot;
- # this object needs to have read and write rights on
- # the realm container and principal subtrees
- ldap_service_password_file = /etc/kerberos/service.keyfile
- ldap_servers = ldaps://kerberos.mit.edu
- ldap_conns_per_server = 5
- }
+<span class="p">[</span><span class="n">dbmodules</span><span class="p">]</span>
+ <span class="n">openldap_ldapconf</span> <span class="o">=</span> <span class="p">{</span>
+ <span class="n">db_library</span> <span class="o">=</span> <span class="n">kldap</span>
+ <span class="n">disable_last_success</span> <span class="o">=</span> <span class="n">true</span>
+ <span class="n">ldap_kdc_dn</span> <span class="o">=</span> <span class="s2">&quot;cn=krbadmin,dc=mit,dc=edu&quot;</span>
+ <span class="c1"># this object needs to have read rights on</span>
+ <span class="c1"># the realm container and principal subtrees</span>
+ <span class="n">ldap_kadmind_dn</span> <span class="o">=</span> <span class="s2">&quot;cn=krbadmin,dc=mit,dc=edu&quot;</span>
+ <span class="c1"># this object needs to have read and write rights on</span>
+ <span class="c1"># the realm container and principal subtrees</span>
+ <span class="n">ldap_service_password_file</span> <span class="o">=</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">kerberos</span><span class="o">/</span><span class="n">service</span><span class="o">.</span><span class="n">keyfile</span>
+ <span class="n">ldap_servers</span> <span class="o">=</span> <span class="n">ldaps</span><span class="p">:</span><span class="o">//</span><span class="n">kerberos</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span>
+ <span class="n">ldap_conns_per_server</span> <span class="o">=</span> <span class="mi">5</span>
+ <span class="p">}</span>
</pre></div>
</div>
</div>
<div class="section" id="files">
<h2>FILES<a class="headerlink" href="#files" title="Permalink to this headline">¶</a></h2>
-<p><a class="reference internal" href="../../mitK5defaults.html#paths"><em>LOCALSTATEDIR</em></a><tt class="docutils literal"><span class="pre">/krb5kdc</span></tt><tt class="docutils literal"><span class="pre">/kdc.conf</span></tt></p>
+<p><a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">LOCALSTATEDIR</span></a><code class="docutils literal"><span class="pre">/krb5kdc</span></code><code class="docutils literal"><span class="pre">/kdc.conf</span></code></p>
</div>
<div class="section" id="see-also">
<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2>
-<p><a class="reference internal" href="krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a>, <a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><em>krb5kdc</em></a>, <a class="reference internal" href="kadm5_acl.html#kadm5-acl-5"><em>kadm5.acl</em></a></p>
+<p><a class="reference internal" href="krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a>, <a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a>, <a class="reference internal" href="kadm5_acl.html#kadm5-acl-5"><span class="std std-ref">kadm5.acl</span></a></p>
</div>
</div>
@@ -996,12 +1006,13 @@ follows:</p>
<li class="toctree-l2"><a class="reference internal" href="../install.html">Installation guide</a></li>
<li class="toctree-l2 current"><a class="reference internal" href="index.html">Configuration Files</a><ul class="current">
<li class="toctree-l3"><a class="reference internal" href="krb5_conf.html">krb5.conf</a></li>
-<li class="toctree-l3 current"><a class="current reference internal" href="">kdc.conf</a></li>
+<li class="toctree-l3 current"><a class="current reference internal" href="#">kdc.conf</a></li>
<li class="toctree-l3"><a class="reference internal" href="kadm5_acl.html">kadm5.acl</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li>
<li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../dbtypes.html">Database types</a></li>
<li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li>
<li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
<li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li>
@@ -1009,6 +1020,8 @@ follows:</p>
<li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li>
<li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li>
<li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../spake.html">SPAKE Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../dictionary.html">Addressing dictionary attack risks</a></li>
<li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li>
<li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li>
<li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li>
@@ -1048,8 +1061,8 @@ follows:</p>
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.16</i><br />
- &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
+ <div class="right" ><i>Release: 1.21.1</i><br />
+ &copy; <a href="../../copyright.html">Copyright</a> 1985-2023, MIT.
</div>
<div class="left">
diff --git a/doc/html/admin/conf_files/krb5_conf.html b/doc/html/admin/conf_files/krb5_conf.html
index 70144fa0bde9..ce99234d2cc8 100644
--- a/doc/html/admin/conf_files/krb5_conf.html
+++ b/doc/html/admin/conf_files/krb5_conf.html
@@ -1,33 +1,31 @@
+
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
-
- <title>krb5.conf &mdash; MIT Kerberos Documentation</title>
-
+ <title>krb5.conf &#8212; MIT Kerberos Documentation</title>
<link rel="stylesheet" href="../../_static/agogo.css" type="text/css" />
<link rel="stylesheet" href="../../_static/pygments.css" type="text/css" />
<link rel="stylesheet" href="../../_static/kerb.css" type="text/css" />
-
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: '../../',
- VERSION: '1.16',
+ VERSION: '1.21.1',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
- HAS_SOURCE: true
+ HAS_SOURCE: true,
+ SOURCELINK_SUFFIX: '.txt'
};
</script>
<script type="text/javascript" src="../../_static/jquery.js"></script>
<script type="text/javascript" src="../../_static/underscore.js"></script>
<script type="text/javascript" src="../../_static/doctools.js"></script>
<link rel="author" title="About these documents" href="../../about.html" />
+ <link rel="index" title="Index" href="../../genindex.html" />
+ <link rel="search" title="Search" href="../../search.html" />
<link rel="copyright" title="Copyright" href="../../copyright.html" />
- <link rel="top" title="MIT Kerberos Documentation" href="../../index.html" />
- <link rel="up" title="Configuration Files" href="index.html" />
<link rel="next" title="kdc.conf" href="kdc_conf.html" />
<link rel="prev" title="Configuration Files" href="index.html" />
</head>
@@ -61,7 +59,7 @@
<div class="documentwrapper">
<div class="bodywrapper">
- <div class="body">
+ <div class="body" role="main">
<div class="section" id="krb5-conf">
<span id="krb5-conf-5"></span><h1>krb5.conf<a class="headerlink" href="#krb5-conf" title="Permalink to this headline">¶</a></h1>
@@ -70,7 +68,7 @@ including the locations of KDCs and admin servers for the Kerberos
realms of interest, defaults for the current realm and for Kerberos
applications, and mappings of hostnames onto Kerberos realms.
Normally, you should install your krb5.conf file in the directory
-<tt class="docutils literal"><span class="pre">/etc</span></tt>. You can override the default location by setting the
+<code class="docutils literal"><span class="pre">/etc</span></code>. You can override the default location by setting the
environment variable <strong>KRB5_CONFIG</strong>. Multiple colon-separated
filenames may be specified in <strong>KRB5_CONFIG</strong>; all files which are
present will be read. Starting in release 1.14, directory names can
@@ -80,53 +78,52 @@ underscores will be read.</p>
<div class="section" id="structure">
<h2>Structure<a class="headerlink" href="#structure" title="Permalink to this headline">¶</a></h2>
<p>The krb5.conf file is set up in the style of a Windows INI file.
-Sections are headed by the section name, in square brackets. Each
-section may contain zero or more relations, of the form:</p>
-<div class="highlight-python"><div class="highlight"><pre><span class="n">foo</span> <span class="o">=</span> <span class="n">bar</span>
+Lines beginning with ‘#’ or ‘;’ (possibly after initial whitespace)
+are ignored as comments. Sections are headed by the section name, in
+square brackets. Each section may contain zero or more relations, of
+the form:</p>
+<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">foo</span> <span class="o">=</span> <span class="n">bar</span>
</pre></div>
</div>
<p>or:</p>
-<div class="highlight-python"><div class="highlight"><pre>fubar = {
- foo = bar
- baz = quux
-}
-</pre></div>
-</div>
-<p>Placing a &#8216;*&#8217; at the end of a line indicates that this is the <em>final</em>
-value for the tag. This means that neither the remainder of this
-configuration file nor any other configuration file will be checked
-for any other values for this tag.</p>
-<p>For example, if you have the following lines:</p>
-<div class="highlight-python"><div class="highlight"><pre>foo = bar*
-foo = baz
+<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">fubar</span> <span class="o">=</span> <span class="p">{</span>
+ <span class="n">foo</span> <span class="o">=</span> <span class="n">bar</span>
+ <span class="n">baz</span> <span class="o">=</span> <span class="n">quux</span>
+<span class="p">}</span>
</pre></div>
</div>
-<p>then the second value of <tt class="docutils literal"><span class="pre">foo</span></tt> (<tt class="docutils literal"><span class="pre">baz</span></tt>) would never be read.</p>
+<p>Placing a ‘*’ after the closing bracket of a section name indicates
+that the section is <em>final</em>, meaning that if the same section appears
+within a later file specified in <strong>KRB5_CONFIG</strong>, it will be ignored.
+A subsection can be marked as final by placing a ‘*’ after either the
+tag name or the closing brace.</p>
<p>The krb5.conf file can include other files using either of the
following directives at the beginning of a line:</p>
-<div class="highlight-python"><div class="highlight"><pre>include FILENAME
-includedir DIRNAME
+<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">include</span> <span class="n">FILENAME</span>
+<span class="n">includedir</span> <span class="n">DIRNAME</span>
</pre></div>
</div>
<p><em>FILENAME</em> or <em>DIRNAME</em> should be an absolute path. The named file or
directory must exist and be readable. Including a directory includes
all files within the directory whose names consist solely of
alphanumeric characters, dashes, or underscores. Starting in release
-1.15, files with names ending in &#8221;.conf&#8221; are also included, unless the
-name begins with &#8221;.&#8221;. Included profile files are syntactically
+1.15, files with names ending in “.conf” are also included, unless the
+name begins with “.”. Included profile files are syntactically
independent of their parents, so each included file must begin with a
-section header.</p>
+section header. Starting in release 1.17, files are read in
+alphanumeric order; in previous releases, they may be read in any
+order.</p>
<p>The krb5.conf file can specify that configuration should be obtained
from a loadable module, rather than the file itself, using the
following directive at the beginning of a line before any section
headers:</p>
-<div class="highlight-python"><div class="highlight"><pre>module MODULEPATH:RESIDUAL
+<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">module</span> <span class="n">MODULEPATH</span><span class="p">:</span><span class="n">RESIDUAL</span>
</pre></div>
</div>
<p><em>MODULEPATH</em> may be relative to the library path of the krb5
installation, or it may be an absolute path. <em>RESIDUAL</em> is provided
to the module at initialization time. If krb5.conf uses a module
-directive, <a class="reference internal" href="kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> should also use one if it exists.</p>
+directive, <a class="reference internal" href="kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a> should also use one if it exists.</p>
</div>
<div class="section" id="sections">
<h2>Sections<a class="headerlink" href="#sections" title="Permalink to this headline">¶</a></h2>
@@ -137,48 +134,48 @@ directive, <a class="reference internal" href="kdc_conf.html#kdc-conf-5"><em>kdc
<col width="74%" />
</colgroup>
<tbody valign="top">
-<tr class="row-odd"><td><a class="reference internal" href="#libdefaults"><em>[libdefaults]</em></a></td>
+<tr class="row-odd"><td><a class="reference internal" href="#libdefaults"><span class="std std-ref">[libdefaults]</span></a></td>
<td>Settings used by the Kerberos V5 library</td>
</tr>
-<tr class="row-even"><td><a class="reference internal" href="#realms"><em>[realms]</em></a></td>
+<tr class="row-even"><td><a class="reference internal" href="#realms"><span class="std std-ref">[realms]</span></a></td>
<td>Realm-specific contact information and settings</td>
</tr>
-<tr class="row-odd"><td><a class="reference internal" href="#domain-realm"><em>[domain_realm]</em></a></td>
+<tr class="row-odd"><td><a class="reference internal" href="#domain-realm"><span class="std std-ref">[domain_realm]</span></a></td>
<td>Maps server hostnames to Kerberos realms</td>
</tr>
-<tr class="row-even"><td><a class="reference internal" href="#capaths"><em>[capaths]</em></a></td>
+<tr class="row-even"><td><a class="reference internal" href="#capaths"><span class="std std-ref">[capaths]</span></a></td>
<td>Authentication paths for non-hierarchical cross-realm</td>
</tr>
-<tr class="row-odd"><td><a class="reference internal" href="#appdefaults"><em>[appdefaults]</em></a></td>
+<tr class="row-odd"><td><a class="reference internal" href="#appdefaults"><span class="std std-ref">[appdefaults]</span></a></td>
<td>Settings used by some Kerberos V5 applications</td>
</tr>
-<tr class="row-even"><td><a class="reference internal" href="#plugins"><em>[plugins]</em></a></td>
+<tr class="row-even"><td><a class="reference internal" href="#plugins"><span class="std std-ref">[plugins]</span></a></td>
<td>Controls plugin module registration</td>
</tr>
</tbody>
</table>
<p>Additionally, krb5.conf may include any of the relations described in
-<a class="reference internal" href="kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>, but it is not a recommended practice.</p>
+<a class="reference internal" href="kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>, but it is not a recommended practice.</p>
<div class="section" id="libdefaults">
<span id="id1"></span><h3>[libdefaults]<a class="headerlink" href="#libdefaults" title="Permalink to this headline">¶</a></h3>
<p>The libdefaults section may contain any of the following relations:</p>
<dl class="docutils">
+<dt><strong>allow_des3</strong></dt>
+<dd>Permit the KDC to issue tickets with des3-cbc-sha1 session keys.
+In future releases, this flag will allow des3-cbc-sha1 to be used
+at all. The default value for this tag is false. (Added in
+release 1.21.)</dd>
+<dt><strong>allow_rc4</strong></dt>
+<dd>Permit the KDC to issue tickets with arcfour-hmac session keys.
+In future releases, this flag will allow arcfour-hmac to be used
+at all. The default value for this tag is false. (Added in
+release 1.21.)</dd>
<dt><strong>allow_weak_crypto</strong></dt>
<dd>If this flag is set to false, then weak encryption types (as noted
-in <a class="reference internal" href="kdc_conf.html#encryption-types"><em>Encryption types</em></a> in <a class="reference internal" href="kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>) will be filtered
+in <a class="reference internal" href="kdc_conf.html#encryption-types"><span class="std std-ref">Encryption types</span></a> in <a class="reference internal" href="kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>) will be filtered
out of the lists <strong>default_tgs_enctypes</strong>,
<strong>default_tkt_enctypes</strong>, and <strong>permitted_enctypes</strong>. The default
-value for this tag is false, which may cause authentication
-failures in existing Kerberos infrastructures that do not support
-strong crypto. Users in affected environments should set this tag
-to true until their infrastructure adopts stronger ciphers.</dd>
-<dt><strong>ap_req_checksum_type</strong></dt>
-<dd>An integer which specifies the type of AP-REQ checksum to use in
-authenticators. This variable should be unset so the appropriate
-checksum for the encryption key in use will be used. This can be
-set if backward compatibility requires a specific checksum type.
-See the <strong>kdc_req_checksum_type</strong> configuration option for the
-possible values and their meanings.</dd>
+value for this tag is false.</dd>
<dt><strong>canonicalize</strong></dt>
<dd>If this flag is set to true, initial ticket requests to the KDC
will request canonicalization of the client principal name, and
@@ -186,7 +183,7 @@ answers with different client principals than the requested
principal will be accepted. The default value is false.</dd>
<dt><strong>ccache_type</strong></dt>
<dd>This parameter determines the format of credential cache types
-created by <a class="reference internal" href="../../user/user_commands/kinit.html#kinit-1"><em>kinit</em></a> or other programs. The default value
+created by <a class="reference internal" href="../../user/user_commands/kinit.html#kinit-1"><span class="std std-ref">kinit</span></a> or other programs. The default value
is 4, which represents the most current format. Smaller values
can be used for compatibility with very old implementations of
Kerberos which interact with credential caches on the same host.</dd>
@@ -202,31 +199,36 @@ duration than the <strong>clockskew</strong> setting.</p>
</dd>
<dt><strong>default_ccache_name</strong></dt>
<dd>This relation specifies the name of the default credential cache.
-The default is <a class="reference internal" href="../../mitK5defaults.html#paths"><em>DEFCCNAME</em></a>. This relation is subject to parameter
+The default is <a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">DEFCCNAME</span></a>. This relation is subject to parameter
expansion (see below). New in release 1.11.</dd>
<dt><strong>default_client_keytab_name</strong></dt>
<dd>This relation specifies the name of the default keytab for
-obtaining client credentials. The default is <a class="reference internal" href="../../mitK5defaults.html#paths"><em>DEFCKTNAME</em></a>. This
+obtaining client credentials. The default is <a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">DEFCKTNAME</span></a>. This
relation is subject to parameter expansion (see below).
New in release 1.11.</dd>
<dt><strong>default_keytab_name</strong></dt>
<dd>This relation specifies the default keytab name to be used by
-application servers such as sshd. The default is <a class="reference internal" href="../../mitK5defaults.html#paths"><em>DEFKTNAME</em></a>. This
+application servers such as sshd. The default is <a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">DEFKTNAME</span></a>. This
relation is subject to parameter expansion (see below).</dd>
+<dt><strong>default_rcache_name</strong></dt>
+<dd>This relation specifies the name of the default replay cache.
+The default is <code class="docutils literal"><span class="pre">dfl:</span></code>. This relation is subject to parameter
+expansion (see below). New in release 1.18.</dd>
<dt><strong>default_realm</strong></dt>
<dd>Identifies the default Kerberos realm for the client. Set its
value to your Kerberos realm. If this value is not set, then a
realm must be specified with every Kerberos principal when
-invoking programs such as <a class="reference internal" href="../../user/user_commands/kinit.html#kinit-1"><em>kinit</em></a>.</dd>
+invoking programs such as <a class="reference internal" href="../../user/user_commands/kinit.html#kinit-1"><span class="std std-ref">kinit</span></a>.</dd>
<dt><strong>default_tgs_enctypes</strong></dt>
<dd><p class="first">Identifies the supported list of session key encryption types that
the client should request when making a TGS-REQ, in order of
preference from highest to lowest. The list may be delimited with
-commas or whitespace. See <a class="reference internal" href="kdc_conf.html#encryption-types"><em>Encryption types</em></a> in
-<a class="reference internal" href="kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> for a list of the accepted values for this tag.
-The default value is <tt class="docutils literal"><span class="pre">aes256-cts-hmac-sha1-96</span> <span class="pre">aes128-cts-hmac-sha1-96</span> <span class="pre">aes256-cts-hmac-sha384-192</span> <span class="pre">aes128-cts-hmac-sha256-128</span> <span class="pre">des3-cbc-sha1</span> <span class="pre">arcfour-hmac-md5</span> <span class="pre">camellia256-cts-cmac</span> <span class="pre">camellia128-cts-cmac</span> <span class="pre">des-cbc-crc</span> <span class="pre">des-cbc-md5</span> <span class="pre">des-cbc-md4</span></tt>, but single-DES encryption types
-will be implicitly removed from this list if the value of
-<strong>allow_weak_crypto</strong> is false.</p>
+commas or whitespace. See <a class="reference internal" href="kdc_conf.html#encryption-types"><span class="std std-ref">Encryption types</span></a> in
+<a class="reference internal" href="kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a> for a list of the accepted values for this tag.
+Starting in release 1.18, the default value is the value of
+<strong>permitted_enctypes</strong>. For previous releases or if
+<strong>permitted_enctypes</strong> is not set, the default value is
+<code class="docutils literal"><span class="pre">aes256-cts-hmac-sha1-96</span> <span class="pre">aes128-cts-hmac-sha1-96</span> <span class="pre">aes256-cts-hmac-sha384-192</span> <span class="pre">aes128-cts-hmac-sha256-128</span> <span class="pre">des3-cbc-sha1</span> <span class="pre">arcfour-hmac-md5</span> <span class="pre">camellia256-cts-cmac</span> <span class="pre">camellia128-cts-cmac</span></code>.</p>
<p class="last">Do not set this unless required for specific backward
compatibility purposes; stale values of this setting can prevent
clients from taking advantage of new stronger enctypes when the
@@ -236,10 +238,10 @@ libraries are upgraded.</p>
<dd><p class="first">Identifies the supported list of session key encryption types that
the client should request when making an AS-REQ, in order of
preference from highest to lowest. The format is the same as for
-default_tgs_enctypes. The default value for this tag is
-<tt class="docutils literal"><span class="pre">aes256-cts-hmac-sha1-96</span> <span class="pre">aes128-cts-hmac-sha1-96</span> <span class="pre">aes256-cts-hmac-sha384-192</span> <span class="pre">aes128-cts-hmac-sha256-128</span> <span class="pre">des3-cbc-sha1</span> <span class="pre">arcfour-hmac-md5</span> <span class="pre">camellia256-cts-cmac</span> <span class="pre">camellia128-cts-cmac</span> <span class="pre">des-cbc-crc</span> <span class="pre">des-cbc-md5</span> <span class="pre">des-cbc-md4</span></tt>, but single-DES encryption types will be implicitly
-removed from this list if the value of <strong>allow_weak_crypto</strong> is
-false.</p>
+default_tgs_enctypes. Starting in release 1.18, the default
+value is the value of <strong>permitted_enctypes</strong>. For previous
+releases or if <strong>permitted_enctypes</strong> is not set, the default
+value is <code class="docutils literal"><span class="pre">aes256-cts-hmac-sha1-96</span> <span class="pre">aes128-cts-hmac-sha1-96</span> <span class="pre">aes256-cts-hmac-sha384-192</span> <span class="pre">aes128-cts-hmac-sha256-128</span> <span class="pre">des3-cbc-sha1</span> <span class="pre">arcfour-hmac-md5</span> <span class="pre">camellia256-cts-cmac</span> <span class="pre">camellia128-cts-cmac</span></code>.</p>
<p class="last">Do not set this unless required for specific backward
compatibility purposes; stale values of this setting can prevent
clients from taking advantage of new stronger enctypes when the
@@ -250,7 +252,10 @@ libraries are upgraded.</p>
hostnames for use in service principal names. Setting this flag
to false can improve security by reducing reliance on DNS, but
means that short hostnames will not be canonicalized to
-fully-qualified hostnames. The default value is true.</dd>
+fully-qualified hostnames. If this option is set to <code class="docutils literal"><span class="pre">fallback</span></code> (new
+in release 1.18), DNS canonicalization will only be performed the
+server hostname is not found with the original name when
+requesting credentials. The default value is true.</dd>
<dt><strong>dns_lookup_kdc</strong></dt>
<dd><p class="first">Indicate whether DNS SRV records should be used to locate the KDCs
and other servers for a realm, if they are not listed in the
@@ -260,11 +265,11 @@ contact kadmind, because the DNS implementation for kadmin is
incomplete.)</p>
<p class="last">Enabling this option does open up a type of denial-of-service
attack, if someone spoofs the DNS records and redirects you to
-another server. However, it&#8217;s no worse than a denial of service,
+another server. However, it’s no worse than a denial of service,
because that fake KDC will be unable to decode anything you send
it (besides the initial ticket request, which has no encrypted
data), and anything the fake KDC sends will not be trusted without
-verification using some secret that it won&#8217;t know.</p>
+verification using some secret that it won’t know.</p>
</dd>
<dt><strong>dns_uri_lookup</strong></dt>
<dd>Indicate whether DNS URI records should be used to locate the KDCs
@@ -272,6 +277,12 @@ and other servers for a realm, if they are not listed in the
krb5.conf information for the realm. SRV records are used as a
fallback if no URI records were found. The default value is true.
New in release 1.15.</dd>
+<dt><strong>enforce_ok_as_delegate</strong></dt>
+<dd>If this flag to true, GSSAPI credential delegation will be
+disabled when the <code class="docutils literal"><span class="pre">ok-as-delegate</span></code> flag is not set in the
+service ticket. If this flag is false, the <code class="docutils literal"><span class="pre">ok-as-delegate</span></code>
+ticket flag is only enforced when an application specifically
+requests enforcement. The default value is false.</dd>
<dt><strong>err_fmt</strong></dt>
<dd>This relation allows for custom error message formatting. If a
value is set, error messages will be formatted by substituting a
@@ -295,30 +306,30 @@ flexibility of server applications on multihomed hosts, but could
compromise the security of virtual hosting environments. The
default value is false. New in release 1.10.</dd>
<dt><strong>k5login_authoritative</strong></dt>
-<dd>If this flag is true, principals must be listed in a local user&#8217;s
-k5login file to be granted login access, if a <a class="reference internal" href="../../user/user_config/k5login.html#k5login-5"><em>.k5login</em></a>
+<dd>If this flag is true, principals must be listed in a local user’s
+k5login file to be granted login access, if a <a class="reference internal" href="../../user/user_config/k5login.html#k5login-5"><span class="std std-ref">.k5login</span></a>
file exists. If this flag is false, a principal may still be
granted login access through other mechanisms even if a k5login
file exists but does not list the principal. The default value is
true.</dd>
<dt><strong>k5login_directory</strong></dt>
-<dd>If set, the library will look for a local user&#8217;s k5login file
+<dd>If set, the library will look for a local user’s k5login file
within the named directory, with a filename corresponding to the
local username. If not set, the library will look for k5login
-files in the user&#8217;s home directory, with the filename .k5login.
+files in the user’s home directory, with the filename .k5login.
For security reasons, .k5login files must be owned by
the local user or by root.</dd>
<dt><strong>kcm_mach_service</strong></dt>
<dd>On macOS only, determines the name of the bootstrap service used to
contact the KCM daemon for the KCM credential cache type. If the
-value is <tt class="docutils literal"><span class="pre">-</span></tt>, Mach RPC will not be used to contact the KCM
-daemon. The default value is <tt class="docutils literal"><span class="pre">org.h5l.kcm</span></tt>.</dd>
+value is <code class="docutils literal"><span class="pre">-</span></code>, Mach RPC will not be used to contact the KCM
+daemon. The default value is <code class="docutils literal"><span class="pre">org.h5l.kcm</span></code>.</dd>
<dt><strong>kcm_socket</strong></dt>
<dd>Determines the path to the Unix domain socket used to access the
KCM daemon for the KCM credential cache type. If the value is
-<tt class="docutils literal"><span class="pre">-</span></tt>, Unix domain sockets will not be used to contact the KCM
+<code class="docutils literal"><span class="pre">-</span></code>, Unix domain sockets will not be used to contact the KCM
daemon. The default value is
-<tt class="docutils literal"><span class="pre">/var/run/.heim_org.h5l.kcm-socket</span></tt>.</dd>
+<code class="docutils literal"><span class="pre">/var/run/.heim_org.h5l.kcm-socket</span></code>.</dd>
<dt><strong>kdc_default_options</strong></dt>
<dd>Default KDC options (Xored for multiple values) when requesting
initial tickets. By default it is set to 0x00000010
@@ -331,97 +342,84 @@ use this value to correct for an inaccurate system clock when
requesting service tickets or authenticating to services. This
corrective factor is only used by the Kerberos library; it is not
used to change the system clock. The default value is 1.</dd>
-<dt><strong>kdc_req_checksum_type</strong></dt>
-<dd><p class="first">An integer which specifies the type of checksum to use for the KDC
-requests, for compatibility with very old KDC implementations.
-This value is only used for DES keys; other keys use the preferred
-checksum type for those keys.</p>
-<p>The possible values and their meanings are as follows.</p>
-<table border="1" class="last docutils">
-<colgroup>
-<col width="20%" />
-<col width="80%" />
-</colgroup>
-<tbody valign="top">
-<tr class="row-odd"><td>1</td>
-<td>CRC32</td>
-</tr>
-<tr class="row-even"><td>2</td>
-<td>RSA MD4</td>
-</tr>
-<tr class="row-odd"><td>3</td>
-<td>RSA MD4 DES</td>
-</tr>
-<tr class="row-even"><td>4</td>
-<td>DES CBC</td>
-</tr>
-<tr class="row-odd"><td>7</td>
-<td>RSA MD5</td>
-</tr>
-<tr class="row-even"><td>8</td>
-<td>RSA MD5 DES</td>
-</tr>
-<tr class="row-odd"><td>9</td>
-<td>NIST SHA</td>
-</tr>
-<tr class="row-even"><td>12</td>
-<td>HMAC SHA1 DES3</td>
-</tr>
-<tr class="row-odd"><td>-138</td>
-<td>Microsoft MD5 HMAC checksum type</td>
-</tr>
-</tbody>
-</table>
-</dd>
<dt><strong>noaddresses</strong></dt>
<dd>If this flag is true, requests for initial tickets will not be
made with address restrictions set, allowing the tickets to be
used across NATs. The default value is true.</dd>
<dt><strong>permitted_enctypes</strong></dt>
-<dd>Identifies all encryption types that are permitted for use in
-session key encryption. The default value for this tag is
-<tt class="docutils literal"><span class="pre">aes256-cts-hmac-sha1-96</span> <span class="pre">aes128-cts-hmac-sha1-96</span> <span class="pre">aes256-cts-hmac-sha384-192</span> <span class="pre">aes128-cts-hmac-sha256-128</span> <span class="pre">des3-cbc-sha1</span> <span class="pre">arcfour-hmac-md5</span> <span class="pre">camellia256-cts-cmac</span> <span class="pre">camellia128-cts-cmac</span> <span class="pre">des-cbc-crc</span> <span class="pre">des-cbc-md5</span> <span class="pre">des-cbc-md4</span></tt>, but single-DES encryption types will be implicitly
-removed from this list if the value of <strong>allow_weak_crypto</strong> is
-false.</dd>
+<dd>Identifies the encryption types that servers will permit for
+session keys and for ticket and authenticator encryption, ordered
+by preference from highest to lowest. Starting in release 1.18,
+this tag also acts as the default value for
+<strong>default_tgs_enctypes</strong> and <strong>default_tkt_enctypes</strong>. The
+default value for this tag is <code class="docutils literal"><span class="pre">aes256-cts-hmac-sha1-96</span> <span class="pre">aes128-cts-hmac-sha1-96</span> <span class="pre">aes256-cts-hmac-sha384-192</span> <span class="pre">aes128-cts-hmac-sha256-128</span> <span class="pre">des3-cbc-sha1</span> <span class="pre">arcfour-hmac-md5</span> <span class="pre">camellia256-cts-cmac</span> <span class="pre">camellia128-cts-cmac</span></code>.</dd>
<dt><strong>plugin_base_dir</strong></dt>
<dd>If set, determines the base directory where krb5 plugins are
-located. The default value is the <tt class="docutils literal"><span class="pre">krb5/plugins</span></tt> subdirectory
-of the krb5 library directory.</dd>
+located. The default value is the <code class="docutils literal"><span class="pre">krb5/plugins</span></code> subdirectory
+of the krb5 library directory. This relation is subject to
+parameter expansion (see below) in release 1.17 and later.</dd>
<dt><strong>preferred_preauth_types</strong></dt>
<dd>This allows you to set the preferred preauthentication types which
the client will attempt before others which may be advertised by a
-KDC. The default value for this setting is &#8220;17, 16, 15, 14&#8221;,
+KDC. The default value for this setting is “17, 16, 15, 14”,
which forces libkrb5 to attempt to use PKINIT if it is supported.</dd>
<dt><strong>proxiable</strong></dt>
<dd>If this flag is true, initial tickets will be proxiable by
default, if allowed by the KDC. The default value is false.</dd>
+<dt><strong>qualify_shortname</strong></dt>
+<dd>If this string is set, it determines the domain suffix for
+single-component hostnames when DNS canonicalization is not used
+(either because <strong>dns_canonicalize_hostname</strong> is false or because
+forward canonicalization failed). The default value is the first
+search domain of the system’s DNS configuration. To disable
+qualification of shortnames, set this relation to the empty string
+with <code class="docutils literal"><span class="pre">qualify_shortname</span> <span class="pre">=</span> <span class="pre">&quot;&quot;</span></code>. (New in release 1.18.)</dd>
<dt><strong>rdns</strong></dt>
<dd>If this flag is true, reverse name lookup will be used in addition
to forward name lookup to canonicalizing hostnames for use in
service principal names. If <strong>dns_canonicalize_hostname</strong> is set
to false, this flag has no effect. The default value is true.</dd>
<dt><strong>realm_try_domains</strong></dt>
-<dd>Indicate whether a host&#8217;s domain components should be used to
+<dd>Indicate whether a host’s domain components should be used to
determine the Kerberos realm of the host. The value of this
variable is an integer: -1 means not to search, 0 means to try the
-host&#8217;s domain itself, 1 means to also try the domain&#8217;s immediate
-parent, and so forth. The library&#8217;s usual mechanism for locating
+host’s domain itself, 1 means to also try the domain’s immediate
+parent, and so forth. The library’s usual mechanism for locating
Kerberos realms is used to determine whether a domain is a valid
realm, which may involve consulting DNS if <strong>dns_lookup_kdc</strong> is
set. The default is not to search domain components.</dd>
<dt><strong>renew_lifetime</strong></dt>
-<dd>(<a class="reference internal" href="../../basic/date_format.html#duration"><em>Time duration</em></a> string.) Sets the default renewable lifetime
+<dd>(<a class="reference internal" href="../../basic/date_format.html#duration"><span class="std std-ref">Time duration</span></a> string.) Sets the default renewable lifetime
for initial ticket requests. The default value is 0.</dd>
-<dt><strong>safe_checksum_type</strong></dt>
-<dd>An integer which specifies the type of checksum to use for the
-KRB-SAFE requests. By default it is set to 8 (RSA MD5 DES). For
-compatibility with applications linked against DCE version 1.1 or
-earlier Kerberos libraries, use a value of 3 to use the RSA MD4
-DES instead. This field is ignored when its value is incompatible
-with the session key type. See the <strong>kdc_req_checksum_type</strong>
-configuration option for the possible values and their meanings.</dd>
+<dt><strong>spake_preauth_groups</strong></dt>
+<dd><p class="first">A whitespace or comma-separated list of words which specifies the
+groups allowed for SPAKE preauthentication. The possible values
+are:</p>
+<table border="1" class="docutils">
+<colgroup>
+<col width="27%" />
+<col width="73%" />
+</colgroup>
+<tbody valign="top">
+<tr class="row-odd"><td>edwards25519</td>
+<td>Edwards25519 curve (<span class="target" id="index-0"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc7748.html"><strong>RFC 7748</strong></a>)</td>
+</tr>
+<tr class="row-even"><td>P-256</td>
+<td>NIST P-256 curve (<span class="target" id="index-1"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc5480.html"><strong>RFC 5480</strong></a>)</td>
+</tr>
+<tr class="row-odd"><td>P-384</td>
+<td>NIST P-384 curve (<span class="target" id="index-2"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc5480.html"><strong>RFC 5480</strong></a>)</td>
+</tr>
+<tr class="row-even"><td>P-521</td>
+<td>NIST P-521 curve (<span class="target" id="index-3"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc5480.html"><strong>RFC 5480</strong></a>)</td>
+</tr>
+</tbody>
+</table>
+<p class="last">The default value for the client is <code class="docutils literal"><span class="pre">edwards25519</span></code>. The default
+value for the KDC is empty. New in release 1.17.</p>
+</dd>
<dt><strong>ticket_lifetime</strong></dt>
-<dd>(<a class="reference internal" href="../../basic/date_format.html#duration"><em>Time duration</em></a> string.) Sets the default lifetime for initial
+<dd>(<a class="reference internal" href="../../basic/date_format.html#duration"><span class="std std-ref">Time duration</span></a> string.) Sets the default lifetime for initial
ticket requests. The default value is 1 day.</dd>
<dt><strong>udp_preference_limit</strong></dt>
<dd>When sending a message to the KDC, the library will try using TCP
@@ -434,6 +432,11 @@ attempt fails.</dd>
<dd>If this flag is true, then an attempt to verify initial
credentials will fail if the client machine does not have a
keytab. The default value is false.</dd>
+<dt><strong>client_aware_channel_bindings</strong></dt>
+<dd>If this flag is true, then all application protocol authentication
+requests will be flagged to indicate that the application supports
+channel bindings when operating over a secure channel. The
+default value is false.</dd>
</dl>
</div>
<div class="section" id="realms">
@@ -441,12 +444,12 @@ keytab. The default value is false.</dd>
<p>Each tag in the [realms] section of the file is the name of a Kerberos
realm. The value of the tag is a subsection with relations that
define the properties of that particular realm. For each realm, the
-following tags may be specified in the realm&#8217;s subsection:</p>
+following tags may be specified in the realm’s subsection:</p>
<dl class="docutils">
<dt><strong>admin_server</strong></dt>
<dd>Identifies the host where the administration server is running.
-Typically, this is the master Kerberos server. This tag must be
-given a value in order to communicate with the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a>
+Typically, this is the primary Kerberos server. This tag must be
+given a value in order to communicate with the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a>
server for the realm.</dd>
<dt><strong>auth_to_local</strong></dt>
<dd><p class="first">This tag allows you to set a general rule for mapping principal
@@ -460,11 +463,11 @@ translated. The possible values are:</p>
The integer <em>n</em> indicates how many components the target
principal should have. If this matches, then a string will be
formed from <em>string</em>, substituting the realm of the principal
-for <tt class="docutils literal"><span class="pre">$0</span></tt> and the <em>n</em>&#8216;th component of the principal for
-<tt class="docutils literal"><span class="pre">$n</span></tt> (e.g., if the principal was <tt class="docutils literal"><span class="pre">johndoe/admin</span></tt> then
-<tt class="docutils literal"><span class="pre">[2:$2$1foo]</span></tt> would result in the string
-<tt class="docutils literal"><span class="pre">adminjohndoefoo</span></tt>). If this string matches <em>regexp</em>, then
-the <tt class="docutils literal"><span class="pre">s//[g]</span></tt> substitution command will be run over the
+for <code class="docutils literal"><span class="pre">$0</span></code> and the <em>n</em>’th component of the principal for
+<code class="docutils literal"><span class="pre">$n</span></code> (e.g., if the principal was <code class="docutils literal"><span class="pre">johndoe/admin</span></code> then
+<code class="docutils literal"><span class="pre">[2:$2$1foo]</span></code> would result in the string
+<code class="docutils literal"><span class="pre">adminjohndoefoo</span></code>). If this string matches <em>regexp</em>, then
+the <code class="docutils literal"><span class="pre">s//[g]</span></code> substitution command will be run over the
string. The optional <strong>g</strong> will cause the substitution to be
global over the <em>string</em>, instead of replacing only the first
match in the <em>string</em>.</p>
@@ -476,22 +479,22 @@ default realm, this rule is not applicable and the conversion
will fail.</dd>
</dl>
<p>For example:</p>
-<div class="highlight-python"><div class="highlight"><pre>[realms]
+<div class="highlight-default"><div class="highlight"><pre><span></span>[realms]
ATHENA.MIT.EDU = {
auth_to_local = RULE:[2:$1](johndoe)s/^.*$/guest/
auth_to_local = RULE:[2:$1;$2](^.*;admin$)s/;admin$//
auth_to_local = RULE:[2:$2](^.*;root)s/^.*$/root/
- auto_to_local = DEFAULT
+ auth_to_local = DEFAULT
}
</pre></div>
</div>
-<p class="last">would result in any principal without <tt class="docutils literal"><span class="pre">root</span></tt> or <tt class="docutils literal"><span class="pre">admin</span></tt> as the
+<p class="last">would result in any principal without <code class="docutils literal"><span class="pre">root</span></code> or <code class="docutils literal"><span class="pre">admin</span></code> as the
second component to be translated with the default rule. A
-principal with a second component of <tt class="docutils literal"><span class="pre">admin</span></tt> will become its
-first component. <tt class="docutils literal"><span class="pre">root</span></tt> will be used as the local name for any
-principal with a second component of <tt class="docutils literal"><span class="pre">root</span></tt>. The exception to
-these two rules are any principals <tt class="docutils literal"><span class="pre">johndoe/*</span></tt>, which will
-always get the local name <tt class="docutils literal"><span class="pre">guest</span></tt>.</p>
+principal with a second component of <code class="docutils literal"><span class="pre">admin</span></code> will become its
+first component. <code class="docutils literal"><span class="pre">root</span></code> will be used as the local name for any
+principal with a second component of <code class="docutils literal"><span class="pre">root</span></code>. The exception to
+these two rules are any principals <code class="docutils literal"><span class="pre">johndoe/*</span></code>, which will
+always get the local name <code class="docutils literal"><span class="pre">guest</span></code>.</p>
</dd>
<dt><strong>auth_to_local_names</strong></dt>
<dd>This subsection allows you to set explicit mappings from principal
@@ -500,8 +503,17 @@ value is the corresponding local user name.</dd>
<dt><strong>default_domain</strong></dt>
<dd>This tag specifies the domain used to expand hostnames when
translating Kerberos 4 service principals to Kerberos 5 principals
-(for example, when converting <tt class="docutils literal"><span class="pre">rcmd.hostname</span></tt> to
-<tt class="docutils literal"><span class="pre">host/hostname.domain</span></tt>).</dd>
+(for example, when converting <code class="docutils literal"><span class="pre">rcmd.hostname</span></code> to
+<code class="docutils literal"><span class="pre">host/hostname.domain</span></code>).</dd>
+<dt><strong>disable_encrypted_timestamp</strong></dt>
+<dd>If this flag is true, the client will not perform encrypted
+timestamp preauthentication if requested by the KDC. Setting this
+flag can help to prevent dictionary attacks by active attackers,
+if the realm’s KDCs support SPAKE preauthentication or if initial
+authentication always uses another mechanism or always uses FAST.
+This flag persists across client referrals during initial
+authentication. This flag does not prevent the KDC from offering
+encrypted timestamp. New in release 1.17.</dd>
<dt><strong>http_anchors</strong></dt>
<dd><p class="first">When KDCs and kpasswd servers are accessed through HTTPS proxies, this tag
can be used to specify the location of the CA certificate which should be
@@ -518,8 +530,8 @@ All files in the directory will be examined; if they contain certificates
<p><strong>ENV:</strong> <em>envvar</em></p>
<p class="last"><em>envvar</em> specifies the name of an environment variable which has been set
to a value conforming to one of the previous values. For example,
-<tt class="docutils literal"><span class="pre">ENV:X509_PROXY_CA</span></tt>, where environment variable <tt class="docutils literal"><span class="pre">X509_PROXY_CA</span></tt> has
-been set to <tt class="docutils literal"><span class="pre">FILE:/tmp/my_proxy.pem</span></tt>.</p>
+<code class="docutils literal"><span class="pre">ENV:X509_PROXY_CA</span></code>, where environment variable <code class="docutils literal"><span class="pre">X509_PROXY_CA</span></code> has
+been set to <code class="docutils literal"><span class="pre">FILE:/tmp/my_proxy.pem</span></code>.</p>
</dd>
<dt><strong>kdc</strong></dt>
<dd>The name or address of a host running a KDC for that realm. An
@@ -532,15 +544,19 @@ be given a value in each realm subsection in the configuration
file, or there must be DNS SRV records specifying the KDCs.</dd>
<dt><strong>kpasswd_server</strong></dt>
<dd>Points to the server where all the password changes are performed.
-If there is no such entry, the port 464 on the <strong>admin_server</strong>
+If there is no such entry, DNS will be queried (unless forbidden
+by <strong>dns_lookup_kdc</strong>). Finally, port 464 on the <strong>admin_server</strong>
host will be tried.</dd>
<dt><strong>master_kdc</strong></dt>
-<dd>Identifies the master KDC(s). Currently, this tag is used in only
+<dd>The name for <strong>primary_kdc</strong> prior to release 1.19. Its value is
+used as a fallback if <strong>primary_kdc</strong> is not specified.</dd>
+<dt><strong>primary_kdc</strong></dt>
+<dd>Identifies the primary KDC(s). Currently, this tag is used in only
one case: If an attempt to get credentials fails because of an
invalid password, the client software will attempt to contact the
-master KDC, in case the user&#8217;s password has just been changed, and
-the updated database has not been propagated to the slave servers
-yet.</dd>
+primary KDC, in case the user’s password has just been changed, and
+the updated database has not been propagated to the replica
+servers yet. New in release 1.19.</dd>
<dt><strong>v4_instance_convert</strong></dt>
<dd>This subsection allows the administrator to configure exceptions
to the <strong>default_domain</strong> mapping rule. It contains V4 instances
@@ -557,33 +573,30 @@ is the Kerberos V4 realm name.</dd>
</div>
<div class="section" id="domain-realm">
<span id="id3"></span><h3>[domain_realm]<a class="headerlink" href="#domain-realm" title="Permalink to this headline">¶</a></h3>
-<p>The [domain_realm] section provides a translation from a domain name
-or hostname to a Kerberos realm name. The tag name can be a host name
-or domain name, where domain names are indicated by a prefix of a
-period (<tt class="docutils literal"><span class="pre">.</span></tt>). The value of the relation is the Kerberos realm name
-for that particular host or domain. A host name relation implicitly
-provides the corresponding domain name relation, unless an explicit domain
-name relation is provided. The Kerberos realm may be
+<p>The [domain_realm] section provides a translation from hostnames to
+Kerberos realms. Each tag is a domain name, providing the mapping for
+that domain and all subdomains. If the tag begins with a period
+(<code class="docutils literal"><span class="pre">.</span></code>) then it applies only to subdomains. The Kerberos realm may be
identified either in the <a class="reference internal" href="#realms">realms</a> section or using DNS SRV records.
-Host names and domain names should be in lower case. For example:</p>
-<div class="highlight-python"><div class="highlight"><pre>[domain_realm]
- crash.mit.edu = TEST.ATHENA.MIT.EDU
- .dev.mit.edu = TEST.ATHENA.MIT.EDU
- mit.edu = ATHENA.MIT.EDU
+Tag names should be in lower case. For example:</p>
+<div class="highlight-default"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">domain_realm</span><span class="p">]</span>
+ <span class="n">crash</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> <span class="o">=</span> <span class="n">TEST</span><span class="o">.</span><span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span>
+ <span class="o">.</span><span class="n">dev</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> <span class="o">=</span> <span class="n">TEST</span><span class="o">.</span><span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span>
+ <span class="n">mit</span><span class="o">.</span><span class="n">edu</span> <span class="o">=</span> <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span>
</pre></div>
</div>
-<p>maps the host with the name <tt class="docutils literal"><span class="pre">crash.mit.edu</span></tt> into the
-<tt class="docutils literal"><span class="pre">TEST.ATHENA.MIT.EDU</span></tt> realm. The second entry maps all hosts under the
-domain <tt class="docutils literal"><span class="pre">dev.mit.edu</span></tt> into the <tt class="docutils literal"><span class="pre">TEST.ATHENA.MIT.EDU</span></tt> realm, but not
-the host with the name <tt class="docutils literal"><span class="pre">dev.mit.edu</span></tt>. That host is matched
-by the third entry, which maps the host <tt class="docutils literal"><span class="pre">mit.edu</span></tt> and all hosts
-under the domain <tt class="docutils literal"><span class="pre">mit.edu</span></tt> that do not match a preceding rule
-into the realm <tt class="docutils literal"><span class="pre">ATHENA.MIT.EDU</span></tt>.</p>
+<p>maps the host with the name <code class="docutils literal"><span class="pre">crash.mit.edu</span></code> into the
+<code class="docutils literal"><span class="pre">TEST.ATHENA.MIT.EDU</span></code> realm. The second entry maps all hosts under the
+domain <code class="docutils literal"><span class="pre">dev.mit.edu</span></code> into the <code class="docutils literal"><span class="pre">TEST.ATHENA.MIT.EDU</span></code> realm, but not
+the host with the name <code class="docutils literal"><span class="pre">dev.mit.edu</span></code>. That host is matched
+by the third entry, which maps the host <code class="docutils literal"><span class="pre">mit.edu</span></code> and all hosts
+under the domain <code class="docutils literal"><span class="pre">mit.edu</span></code> that do not match a preceding rule
+into the realm <code class="docutils literal"><span class="pre">ATHENA.MIT.EDU</span></code>.</p>
<p>If no translation entry applies to a hostname used for a service
principal for a service ticket request, the library will try to get a
-referral to the appropriate realm from the client realm&#8217;s KDC. If
-that does not succeed, the host&#8217;s realm is considered to be the
-hostname&#8217;s domain portion converted to uppercase, unless the
+referral to the appropriate realm from the client realm’s KDC. If
+that does not succeed, the host’s realm is considered to be the
+hostname’s domain portion converted to uppercase, unless the
<strong>realm_try_domains</strong> setting in [libdefaults] causes a different
parent domain to be used.</p>
</div>
@@ -600,7 +613,7 @@ checking the transited field of the received ticket.</p>
subtags for each of the server realms. The value of the subtags is an
intermediate realm which may participate in the cross-realm
authentication. The subtags may be repeated if there is more then one
-intermediate realm. A value of &#8221;.&#8221; means that the two realms share
+intermediate realm. A value of “.” means that the two realms share
keys directly, and no intermediate realms should be allowed to
participate.</p>
<p>Only those entries which will be needed on the client or the server
@@ -608,55 +621,55 @@ need to be present. A client needs a tag for its local realm with
subtags for all the realms of servers it will need to authenticate to.
A server needs a tag for each realm of the clients it will serve, with
a subtag of the server realm.</p>
-<p>For example, <tt class="docutils literal"><span class="pre">ANL.GOV</span></tt>, <tt class="docutils literal"><span class="pre">PNL.GOV</span></tt>, and <tt class="docutils literal"><span class="pre">NERSC.GOV</span></tt> all wish to
-use the <tt class="docutils literal"><span class="pre">ES.NET</span></tt> realm as an intermediate realm. ANL has a sub
-realm of <tt class="docutils literal"><span class="pre">TEST.ANL.GOV</span></tt> which will authenticate with <tt class="docutils literal"><span class="pre">NERSC.GOV</span></tt>
-but not <tt class="docutils literal"><span class="pre">PNL.GOV</span></tt>. The [capaths] section for <tt class="docutils literal"><span class="pre">ANL.GOV</span></tt> systems
+<p>For example, <code class="docutils literal"><span class="pre">ANL.GOV</span></code>, <code class="docutils literal"><span class="pre">PNL.GOV</span></code>, and <code class="docutils literal"><span class="pre">NERSC.GOV</span></code> all wish to
+use the <code class="docutils literal"><span class="pre">ES.NET</span></code> realm as an intermediate realm. ANL has a sub
+realm of <code class="docutils literal"><span class="pre">TEST.ANL.GOV</span></code> which will authenticate with <code class="docutils literal"><span class="pre">NERSC.GOV</span></code>
+but not <code class="docutils literal"><span class="pre">PNL.GOV</span></code>. The [capaths] section for <code class="docutils literal"><span class="pre">ANL.GOV</span></code> systems
would look like this:</p>
-<div class="highlight-python"><div class="highlight"><pre>[capaths]
- ANL.GOV = {
- TEST.ANL.GOV = .
- PNL.GOV = ES.NET
- NERSC.GOV = ES.NET
- ES.NET = .
- }
- TEST.ANL.GOV = {
- ANL.GOV = .
- }
- PNL.GOV = {
- ANL.GOV = ES.NET
- }
- NERSC.GOV = {
- ANL.GOV = ES.NET
- }
- ES.NET = {
- ANL.GOV = .
- }
+<div class="highlight-default"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">capaths</span><span class="p">]</span>
+ <span class="n">ANL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="p">{</span>
+ <span class="n">TEST</span><span class="o">.</span><span class="n">ANL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="o">.</span>
+ <span class="n">PNL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="n">ES</span><span class="o">.</span><span class="n">NET</span>
+ <span class="n">NERSC</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="n">ES</span><span class="o">.</span><span class="n">NET</span>
+ <span class="n">ES</span><span class="o">.</span><span class="n">NET</span> <span class="o">=</span> <span class="o">.</span>
+ <span class="p">}</span>
+ <span class="n">TEST</span><span class="o">.</span><span class="n">ANL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="p">{</span>
+ <span class="n">ANL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="o">.</span>
+ <span class="p">}</span>
+ <span class="n">PNL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="p">{</span>
+ <span class="n">ANL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="n">ES</span><span class="o">.</span><span class="n">NET</span>
+ <span class="p">}</span>
+ <span class="n">NERSC</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="p">{</span>
+ <span class="n">ANL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="n">ES</span><span class="o">.</span><span class="n">NET</span>
+ <span class="p">}</span>
+ <span class="n">ES</span><span class="o">.</span><span class="n">NET</span> <span class="o">=</span> <span class="p">{</span>
+ <span class="n">ANL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="o">.</span>
+ <span class="p">}</span>
</pre></div>
</div>
-<p>The [capaths] section of the configuration file used on <tt class="docutils literal"><span class="pre">NERSC.GOV</span></tt>
+<p>The [capaths] section of the configuration file used on <code class="docutils literal"><span class="pre">NERSC.GOV</span></code>
systems would look like this:</p>
-<div class="highlight-python"><div class="highlight"><pre>[capaths]
- NERSC.GOV = {
- ANL.GOV = ES.NET
- TEST.ANL.GOV = ES.NET
- TEST.ANL.GOV = ANL.GOV
- PNL.GOV = ES.NET
- ES.NET = .
- }
- ANL.GOV = {
- NERSC.GOV = ES.NET
- }
- PNL.GOV = {
- NERSC.GOV = ES.NET
- }
- ES.NET = {
- NERSC.GOV = .
- }
- TEST.ANL.GOV = {
- NERSC.GOV = ANL.GOV
- NERSC.GOV = ES.NET
- }
+<div class="highlight-default"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">capaths</span><span class="p">]</span>
+ <span class="n">NERSC</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="p">{</span>
+ <span class="n">ANL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="n">ES</span><span class="o">.</span><span class="n">NET</span>
+ <span class="n">TEST</span><span class="o">.</span><span class="n">ANL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="n">ES</span><span class="o">.</span><span class="n">NET</span>
+ <span class="n">TEST</span><span class="o">.</span><span class="n">ANL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="n">ANL</span><span class="o">.</span><span class="n">GOV</span>
+ <span class="n">PNL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="n">ES</span><span class="o">.</span><span class="n">NET</span>
+ <span class="n">ES</span><span class="o">.</span><span class="n">NET</span> <span class="o">=</span> <span class="o">.</span>
+ <span class="p">}</span>
+ <span class="n">ANL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="p">{</span>
+ <span class="n">NERSC</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="n">ES</span><span class="o">.</span><span class="n">NET</span>
+ <span class="p">}</span>
+ <span class="n">PNL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="p">{</span>
+ <span class="n">NERSC</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="n">ES</span><span class="o">.</span><span class="n">NET</span>
+ <span class="p">}</span>
+ <span class="n">ES</span><span class="o">.</span><span class="n">NET</span> <span class="o">=</span> <span class="p">{</span>
+ <span class="n">NERSC</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="o">.</span>
+ <span class="p">}</span>
+ <span class="n">TEST</span><span class="o">.</span><span class="n">ANL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="p">{</span>
+ <span class="n">NERSC</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="n">ANL</span><span class="o">.</span><span class="n">GOV</span>
+ <span class="n">NERSC</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="n">ES</span><span class="o">.</span><span class="n">NET</span>
+ <span class="p">}</span>
</pre></div>
</div>
<p>When a subtag is used more than once within a tag, clients will use
@@ -669,32 +682,32 @@ important to servers.</p>
or an option that is used by some Kerberos V5 application[s]. The
value of the tag defines the default behaviors for that application.</p>
<p>For example:</p>
-<div class="highlight-python"><div class="highlight"><pre>[appdefaults]
- telnet = {
- ATHENA.MIT.EDU = {
- option1 = false
- }
- }
- telnet = {
- option1 = true
- option2 = true
- }
- ATHENA.MIT.EDU = {
- option2 = false
- }
- option2 = true
+<div class="highlight-default"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">appdefaults</span><span class="p">]</span>
+ <span class="n">telnet</span> <span class="o">=</span> <span class="p">{</span>
+ <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="o">=</span> <span class="p">{</span>
+ <span class="n">option1</span> <span class="o">=</span> <span class="n">false</span>
+ <span class="p">}</span>
+ <span class="p">}</span>
+ <span class="n">telnet</span> <span class="o">=</span> <span class="p">{</span>
+ <span class="n">option1</span> <span class="o">=</span> <span class="n">true</span>
+ <span class="n">option2</span> <span class="o">=</span> <span class="n">true</span>
+ <span class="p">}</span>
+ <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="o">=</span> <span class="p">{</span>
+ <span class="n">option2</span> <span class="o">=</span> <span class="n">false</span>
+ <span class="p">}</span>
+ <span class="n">option2</span> <span class="o">=</span> <span class="n">true</span>
</pre></div>
</div>
<p>The above four ways of specifying the value of an option are shown in
order of decreasing precedence. In this example, if telnet is running
in the realm EXAMPLE.COM, it should, by default, have option1 and
option2 set to true. However, a telnet program in the realm
-<tt class="docutils literal"><span class="pre">ATHENA.MIT.EDU</span></tt> should have <tt class="docutils literal"><span class="pre">option1</span></tt> set to false and
-<tt class="docutils literal"><span class="pre">option2</span></tt> set to true. Any other programs in ATHENA.MIT.EDU should
-have <tt class="docutils literal"><span class="pre">option2</span></tt> set to false by default. Any programs running in
-other realms should have <tt class="docutils literal"><span class="pre">option2</span></tt> set to true.</p>
+<code class="docutils literal"><span class="pre">ATHENA.MIT.EDU</span></code> should have <code class="docutils literal"><span class="pre">option1</span></code> set to false and
+<code class="docutils literal"><span class="pre">option2</span></code> set to true. Any other programs in ATHENA.MIT.EDU should
+have <code class="docutils literal"><span class="pre">option2</span></code> set to false by default. Any programs running in
+other realms should have <code class="docutils literal"><span class="pre">option2</span></code> set to true.</p>
<p>The list of specifiable options for each application may be found in
-that application&#8217;s man pages. The application defaults specified here
+that application’s man pages. The application defaults specified here
are overridden by those specified in the <a class="reference internal" href="#realms">realms</a> section.</p>
</div>
<div class="section" id="plugins">
@@ -724,11 +737,11 @@ tag, then only the named modules will be enabled for the pluggable
interface.</dd>
<dt><strong>module</strong></dt>
<dd>This tag may have multiple values. Each value is a string of the
-form <tt class="docutils literal"><span class="pre">modulename:pathname</span></tt>, which causes the shared object
+form <code class="docutils literal"><span class="pre">modulename:pathname</span></code>, which causes the shared object
located at <em>pathname</em> to be registered as a dynamic module named
<em>modulename</em> for the pluggable interface. If <em>pathname</em> is not an
absolute path, it will be treated as relative to the
-<strong>plugin_base_dir</strong> value from <a class="reference internal" href="#libdefaults"><em>[libdefaults]</em></a>.</dd>
+<strong>plugin_base_dir</strong> value from <a class="reference internal" href="#libdefaults"><span class="std std-ref">[libdefaults]</span></a>.</dd>
</dl>
<p>For pluggable interfaces where module order matters, modules
registered with a <strong>module</strong> tag normally come first, in the order
@@ -745,7 +758,7 @@ dynamic modules, the following built-in modules exist (and may be
disabled with the disable tag):</p>
<dl class="docutils">
<dt><strong>k5identity</strong></dt>
-<dd>Uses a .k5identity file in the user&#8217;s home directory to select a
+<dd>Uses a .k5identity file in the user’s home directory to select a
client principal</dd>
<dt><strong>realm</strong></dt>
<dd>Uses the service realm to guess an appropriate cache from the
@@ -788,11 +801,11 @@ client principal is allowed to perform a kadmin operation. The
following built-in modules exist for this interface:</p>
<dl class="docutils">
<dt><strong>acl</strong></dt>
-<dd>This module reads the <a class="reference internal" href="kadm5_acl.html#kadm5-acl-5"><em>kadm5.acl</em></a> file, and authorizes
+<dd>This module reads the <a class="reference internal" href="kadm5_acl.html#kadm5-acl-5"><span class="std std-ref">kadm5.acl</span></a> file, and authorizes
operations which are allowed according to the rules in the file.</dd>
<dt><strong>self</strong></dt>
<dd>This module authorizes self-service operations including password
-changes, creation of new random keys, fetching the client&#8217;s
+changes, creation of new random keys, fetching the client’s
principal record or string attributes, and fetching the policy
record associated with the client principal.</dd>
</dl>
@@ -851,11 +864,11 @@ values.</dd>
principal name.</dd>
<dt><strong>auth_to_local</strong></dt>
<dd>This module processes <strong>auth_to_local</strong> values in the default
-realm&#8217;s section, and applies the default method if no
+realm’s section, and applies the default method if no
<strong>auth_to_local</strong> values exist.</dd>
<dt><strong>k5login</strong></dt>
<dd>This module authorizes a principal to a local account according to
-the account&#8217;s <a class="reference internal" href="../../user/user_config/k5login.html#k5login-5"><em>.k5login</em></a> file.</dd>
+the account’s <a class="reference internal" href="../../user/user_config/k5login.html#k5login-5"><span class="std std-ref">.k5login</span></a> file.</dd>
<dt><strong>an2ln</strong></dt>
<dd>This module authorizes a principal to a local account if the
principal name maps to the local account name.</dd>
@@ -898,24 +911,24 @@ A realm-specific value overrides, not adds to, a generic
</div>
<ol class="arabic">
<li><p class="first">realm-specific subsection of [libdefaults]:</p>
-<div class="highlight-python"><div class="highlight"><pre>[libdefaults]
- EXAMPLE.COM = {
- pkinit_anchors = FILE:/usr/local/example.com.crt
- }
+<div class="highlight-default"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">libdefaults</span><span class="p">]</span>
+ <span class="n">EXAMPLE</span><span class="o">.</span><span class="n">COM</span> <span class="o">=</span> <span class="p">{</span>
+ <span class="n">pkinit_anchors</span> <span class="o">=</span> <span class="n">FILE</span><span class="p">:</span><span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">local</span><span class="o">/</span><span class="n">example</span><span class="o">.</span><span class="n">com</span><span class="o">.</span><span class="n">crt</span>
+ <span class="p">}</span>
</pre></div>
</div>
</li>
<li><p class="first">realm-specific value in the [realms] section:</p>
-<div class="highlight-python"><div class="highlight"><pre>[realms]
- OTHERREALM.ORG = {
- pkinit_anchors = FILE:/usr/local/otherrealm.org.crt
- }
+<div class="highlight-default"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">realms</span><span class="p">]</span>
+ <span class="n">OTHERREALM</span><span class="o">.</span><span class="n">ORG</span> <span class="o">=</span> <span class="p">{</span>
+ <span class="n">pkinit_anchors</span> <span class="o">=</span> <span class="n">FILE</span><span class="p">:</span><span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">local</span><span class="o">/</span><span class="n">otherrealm</span><span class="o">.</span><span class="n">org</span><span class="o">.</span><span class="n">crt</span>
+ <span class="p">}</span>
</pre></div>
</div>
</li>
<li><p class="first">generic value in the [libdefaults] section:</p>
-<div class="highlight-python"><div class="highlight"><pre>[libdefaults]
- pkinit_anchors = DIR:/usr/local/generic_trusted_cas/
+<div class="highlight-default"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">libdefaults</span><span class="p">]</span>
+ <span class="n">pkinit_anchors</span> <span class="o">=</span> <span class="n">DIR</span><span class="p">:</span><span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">local</span><span class="o">/</span><span class="n">generic_trusted_cas</span><span class="o">/</span>
</pre></div>
</div>
</li>
@@ -928,8 +941,8 @@ information for PKINIT is as follows:</p>
<dt><strong>FILE:</strong><em>filename</em>[<strong>,</strong><em>keyfilename</em>]</dt>
<dd><p class="first">This option has context-specific behavior.</p>
<p>In <strong>pkinit_identity</strong> or <strong>pkinit_identities</strong>, <em>filename</em>
-specifies the name of a PEM-format file containing the user&#8217;s
-certificate. If <em>keyfilename</em> is not specified, the user&#8217;s
+specifies the name of a PEM-format file containing the user’s
+certificate. If <em>keyfilename</em> is not specified, the user’s
private key is expected to be in <em>filename</em> as well. Otherwise,
<em>keyfilename</em> is the name of the file containing the private key.</p>
<p class="last">In <strong>pkinit_anchors</strong> or <strong>pkinit_pool</strong>, <em>filename</em> is assumed to
@@ -938,42 +951,42 @@ be the name of an OpenSSL-style ca-bundle file.</p>
<dt><strong>DIR:</strong><em>dirname</em></dt>
<dd><p class="first">This option has context-specific behavior.</p>
<p>In <strong>pkinit_identity</strong> or <strong>pkinit_identities</strong>, <em>dirname</em>
-specifies a directory with files named <tt class="docutils literal"><span class="pre">*.crt</span></tt> and <tt class="docutils literal"><span class="pre">*.key</span></tt>
+specifies a directory with files named <code class="docutils literal"><span class="pre">*.crt</span></code> and <code class="docutils literal"><span class="pre">*.key</span></code>
where the first part of the file name is the same for matching
pairs of certificate and private key files. When a file with a
-name ending with <tt class="docutils literal"><span class="pre">.crt</span></tt> is found, a matching file ending with
-<tt class="docutils literal"><span class="pre">.key</span></tt> is assumed to contain the private key. If no such file
-is found, then the certificate in the <tt class="docutils literal"><span class="pre">.crt</span></tt> is not used.</p>
+name ending with <code class="docutils literal"><span class="pre">.crt</span></code> is found, a matching file ending with
+<code class="docutils literal"><span class="pre">.key</span></code> is assumed to contain the private key. If no such file
+is found, then the certificate in the <code class="docutils literal"><span class="pre">.crt</span></code> is not used.</p>
<p>In <strong>pkinit_anchors</strong> or <strong>pkinit_pool</strong>, <em>dirname</em> is assumed to
be an OpenSSL-style hashed CA directory where each CA cert is
-stored in a file named <tt class="docutils literal"><span class="pre">hash-of-ca-cert.#</span></tt>. This infrastructure
+stored in a file named <code class="docutils literal"><span class="pre">hash-of-ca-cert.#</span></code>. This infrastructure
is encouraged, but all files in the directory will be examined and
if they contain certificates (in PEM format), they will be used.</p>
<p class="last">In <strong>pkinit_revoke</strong>, <em>dirname</em> is assumed to be an OpenSSL-style
hashed CA directory where each revocation list is stored in a file
-named <tt class="docutils literal"><span class="pre">hash-of-ca-cert.r#</span></tt>. This infrastructure is encouraged,
+named <code class="docutils literal"><span class="pre">hash-of-ca-cert.r#</span></code>. This infrastructure is encouraged,
but all files in the directory will be examined and if they
contain a revocation list (in PEM format), they will be used.</p>
</dd>
<dt><strong>PKCS12:</strong><em>filename</em></dt>
<dd><em>filename</em> is the name of a PKCS #12 format file, containing the
-user&#8217;s certificate and private key.</dd>
+user’s certificate and private key.</dd>
<dt><strong>PKCS11:</strong>[<strong>module_name=</strong>]<em>modname</em>[<strong>:slotid=</strong><em>slot-id</em>][<strong>:token=</strong><em>token-label</em>][<strong>:certid=</strong><em>cert-id</em>][<strong>:certlabel=</strong><em>cert-label</em>]</dt>
<dd>All keyword/values are optional. <em>modname</em> specifies the location
of a library implementing PKCS #11. If a value is encountered
with no keyword, it is assumed to be the <em>modname</em>. If no
-module-name is specified, the default is <tt class="docutils literal"><span class="pre">opensc-pkcs11.so</span></tt>.
-<tt class="docutils literal"><span class="pre">slotid=</span></tt> and/or <tt class="docutils literal"><span class="pre">token=</span></tt> may be specified to force the use of
+module-name is specified, the default is <a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">PKCS11_MODNAME</span></a>.
+<code class="docutils literal"><span class="pre">slotid=</span></code> and/or <code class="docutils literal"><span class="pre">token=</span></code> may be specified to force the use of
a particular smard card reader or token if there is more than one
-available. <tt class="docutils literal"><span class="pre">certid=</span></tt> and/or <tt class="docutils literal"><span class="pre">certlabel=</span></tt> may be specified to
+available. <code class="docutils literal"><span class="pre">certid=</span></code> and/or <code class="docutils literal"><span class="pre">certlabel=</span></code> may be specified to
force the selection of a particular certificate on the device.
See the <strong>pkinit_cert_match</strong> configuration option for more ways
to select a particular certificate to use for PKINIT.</dd>
<dt><strong>ENV:</strong><em>envvar</em></dt>
<dd><em>envvar</em> specifies the name of an environment variable which has
been set to a value conforming to one of the previous values. For
-example, <tt class="docutils literal"><span class="pre">ENV:X509_PROXY</span></tt>, where environment variable
-<tt class="docutils literal"><span class="pre">X509_PROXY</span></tt> has been set to <tt class="docutils literal"><span class="pre">FILE:/tmp/my_proxy.pem</span></tt>.</dd>
+example, <code class="docutils literal"><span class="pre">ENV:X509_PROXY</span></code>, where environment variable
+<code class="docutils literal"><span class="pre">X509_PROXY</span></code> has been set to <code class="docutils literal"><span class="pre">FILE:/tmp/my_proxy.pem</span></code>.</dd>
</dl>
</div>
<div class="section" id="pkinit-krb5-conf-options">
@@ -993,18 +1006,18 @@ attempting PKINIT authentication. This option may be specified
multiple times. All the available certificates are checked
against each rule in order until there is a match of exactly one
certificate.</p>
-<p>The Subject and Issuer comparison strings are the <span class="target" id="index-0"></span><a class="rfc reference external" href="http://tools.ietf.org/html/rfc2253.html"><strong>RFC 2253</strong></a>
+<p>The Subject and Issuer comparison strings are the <span class="target" id="index-4"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc2253.html"><strong>RFC 2253</strong></a>
string representations from the certificate Subject DN and Issuer
DN values.</p>
<p>The syntax of the matching rules is:</p>
<blockquote>
-<div>[<em>relation-operator</em>]<em>component-rule</em> ...</div></blockquote>
+<div>[<em>relation-operator</em>]<em>component-rule</em> …</div></blockquote>
<p>where:</p>
<dl class="docutils">
<dt><em>relation-operator</em></dt>
-<dd>can be either <tt class="docutils literal"><span class="pre">&amp;&amp;</span></tt>, meaning all component rules must match,
-or <tt class="docutils literal"><span class="pre">||</span></tt>, meaning only one component rule must match. The
-default is <tt class="docutils literal"><span class="pre">&amp;&amp;</span></tt>.</dd>
+<dd>can be either <code class="docutils literal"><span class="pre">&amp;&amp;</span></code>, meaning all component rules must match,
+or <code class="docutils literal"><span class="pre">||</span></code>, meaning only one component rule must match. The
+default is <code class="docutils literal"><span class="pre">&amp;&amp;</span></code>.</dd>
<dt><em>component-rule</em></dt>
<dd><p class="first">can be one of the following. Note that there is no
punctuation or whitespace between component rules.</p>
@@ -1037,9 +1050,9 @@ certificate. Key Usage values can be:</p>
</dd>
</dl>
<p>Examples:</p>
-<div class="last highlight-python"><div class="highlight"><pre>pkinit_cert_match = ||&lt;SUBJECT&gt;.*DoE.*&lt;SAN&gt;.*@EXAMPLE.COM
-pkinit_cert_match = &amp;&amp;&lt;EKU&gt;msScLogin,clientAuth&lt;ISSUER&gt;.*DoE.*
-pkinit_cert_match = &lt;EKU&gt;msScLogin,clientAuth&lt;KU&gt;digitalSignature
+<div class="last highlight-default"><div class="highlight"><pre><span></span><span class="n">pkinit_cert_match</span> <span class="o">=</span> <span class="o">||&lt;</span><span class="n">SUBJECT</span><span class="o">&gt;.*</span><span class="n">DoE</span><span class="o">.*&lt;</span><span class="n">SAN</span><span class="o">&gt;.*</span><span class="nd">@EXAMPLE</span><span class="o">.</span><span class="n">COM</span>
+<span class="n">pkinit_cert_match</span> <span class="o">=</span> <span class="o">&amp;&amp;&lt;</span><span class="n">EKU</span><span class="o">&gt;</span><span class="n">msScLogin</span><span class="p">,</span><span class="n">clientAuth</span><span class="o">&lt;</span><span class="n">ISSUER</span><span class="o">&gt;.*</span><span class="n">DoE</span><span class="o">.*</span>
+<span class="n">pkinit_cert_match</span> <span class="o">=</span> <span class="o">&lt;</span><span class="n">EKU</span><span class="o">&gt;</span><span class="n">msScLogin</span><span class="p">,</span><span class="n">clientAuth</span><span class="o">&lt;</span><span class="n">KU</span><span class="o">&gt;</span><span class="n">digitalSignature</span>
</pre></div>
</div>
</dd>
@@ -1053,7 +1066,7 @@ recognized in the krb5.conf file are:</p>
<dl class="last docutils">
<dt><strong>kpKDC</strong></dt>
<dd>This is the default value and specifies that the KDC must have
-the id-pkinit-KPKdc EKU as defined in <span class="target" id="index-1"></span><a class="rfc reference external" href="http://tools.ietf.org/html/rfc4556.html"><strong>RFC 4556</strong></a>.</dd>
+the id-pkinit-KPKdc EKU as defined in <span class="target" id="index-5"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc4556.html"><strong>RFC 4556</strong></a>.</dd>
<dt><strong>kpServerAuth</strong></dt>
<dd>If <strong>kpServerAuth</strong> is specified, a KDC certificate with the
id-kp-serverAuth EKU will be accepted. This key usage value
@@ -1069,17 +1082,16 @@ option is not recommended.</dd>
attempt to use. The acceptable values are 1024, 2048, and 4096.
The default is 2048.</dd>
<dt><strong>pkinit_identities</strong></dt>
-<dd>Specifies the location(s) to be used to find the user&#8217;s X.509
-identity information. This option may be specified multiple
-times. Each value is attempted in order until identity
-information is found and authentication is attempted. Note that
-these values are not used if the user specifies
+<dd>Specifies the location(s) to be used to find the user’s X.509
+identity information. If this option is specified multiple times,
+each value is attempted in order until certificates are found.
+Note that these values are not used if the user specifies
<strong>X509_user_identity</strong> on the command line.</dd>
<dt><strong>pkinit_kdc_hostname</strong></dt>
-<dd>The presense of this option indicates that the client is willing
+<dd>The presence of this option indicates that the client is willing
to accept a KDC certificate with a dNSName SAN (Subject
Alternative Name) rather than requiring the id-pkinit-san as
-defined in <span class="target" id="index-2"></span><a class="rfc reference external" href="http://tools.ietf.org/html/rfc4556.html"><strong>RFC 4556</strong></a>. This option may be specified multiple
+defined in <span class="target" id="index-6"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc4556.html"><strong>RFC 4556</strong></a>. This option may be specified multiple
times. Its value should contain the acceptable hostname for the
KDC (as contained in its certificate).</dd>
<dt><strong>pkinit_pool</strong></dt>
@@ -1176,41 +1188,41 @@ Valid parameters are:</p>
<div class="section" id="sample-krb5-conf-file">
<h2>Sample krb5.conf file<a class="headerlink" href="#sample-krb5-conf-file" title="Permalink to this headline">¶</a></h2>
<p>Here is an example of a generic krb5.conf file:</p>
-<div class="highlight-python"><div class="highlight"><pre>[libdefaults]
- default_realm = ATHENA.MIT.EDU
- dns_lookup_kdc = true
- dns_lookup_realm = false
+<div class="highlight-default"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">libdefaults</span><span class="p">]</span>
+ <span class="n">default_realm</span> <span class="o">=</span> <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span>
+ <span class="n">dns_lookup_kdc</span> <span class="o">=</span> <span class="n">true</span>
+ <span class="n">dns_lookup_realm</span> <span class="o">=</span> <span class="n">false</span>
-[realms]
- ATHENA.MIT.EDU = {
- kdc = kerberos.mit.edu
- kdc = kerberos-1.mit.edu
- kdc = kerberos-2.mit.edu
- admin_server = kerberos.mit.edu
- master_kdc = kerberos.mit.edu
- }
- EXAMPLE.COM = {
- kdc = kerberos.example.com
- kdc = kerberos-1.example.com
- admin_server = kerberos.example.com
- }
+<span class="p">[</span><span class="n">realms</span><span class="p">]</span>
+ <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="o">=</span> <span class="p">{</span>
+ <span class="n">kdc</span> <span class="o">=</span> <span class="n">kerberos</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span>
+ <span class="n">kdc</span> <span class="o">=</span> <span class="n">kerberos</span><span class="o">-</span><span class="mf">1.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span>
+ <span class="n">kdc</span> <span class="o">=</span> <span class="n">kerberos</span><span class="o">-</span><span class="mf">2.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span>
+ <span class="n">admin_server</span> <span class="o">=</span> <span class="n">kerberos</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span>
+ <span class="n">primary_kdc</span> <span class="o">=</span> <span class="n">kerberos</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span>
+ <span class="p">}</span>
+ <span class="n">EXAMPLE</span><span class="o">.</span><span class="n">COM</span> <span class="o">=</span> <span class="p">{</span>
+ <span class="n">kdc</span> <span class="o">=</span> <span class="n">kerberos</span><span class="o">.</span><span class="n">example</span><span class="o">.</span><span class="n">com</span>
+ <span class="n">kdc</span> <span class="o">=</span> <span class="n">kerberos</span><span class="o">-</span><span class="mf">1.</span><span class="n">example</span><span class="o">.</span><span class="n">com</span>
+ <span class="n">admin_server</span> <span class="o">=</span> <span class="n">kerberos</span><span class="o">.</span><span class="n">example</span><span class="o">.</span><span class="n">com</span>
+ <span class="p">}</span>
-[domain_realm]
- mit.edu = ATHENA.MIT.EDU
+<span class="p">[</span><span class="n">domain_realm</span><span class="p">]</span>
+ <span class="n">mit</span><span class="o">.</span><span class="n">edu</span> <span class="o">=</span> <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span>
-[capaths]
- ATHENA.MIT.EDU = {
- EXAMPLE.COM = .
- }
- EXAMPLE.COM = {
- ATHENA.MIT.EDU = .
- }
+<span class="p">[</span><span class="n">capaths</span><span class="p">]</span>
+ <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="o">=</span> <span class="p">{</span>
+ <span class="n">EXAMPLE</span><span class="o">.</span><span class="n">COM</span> <span class="o">=</span> <span class="o">.</span>
+ <span class="p">}</span>
+ <span class="n">EXAMPLE</span><span class="o">.</span><span class="n">COM</span> <span class="o">=</span> <span class="p">{</span>
+ <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="o">=</span> <span class="o">.</span>
+ <span class="p">}</span>
</pre></div>
</div>
</div>
<div class="section" id="files">
<h2>FILES<a class="headerlink" href="#files" title="Permalink to this headline">¶</a></h2>
-<p><tt class="docutils literal"><span class="pre">/etc/krb5.conf</span></tt></p>
+<p><code class="docutils literal"><span class="pre">/etc/krb5.conf</span></code></p>
</div>
<div class="section" id="see-also">
<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2>
@@ -1267,13 +1279,14 @@ Valid parameters are:</p>
<li class="toctree-l1 current"><a class="reference internal" href="../index.html">For administrators</a><ul class="current">
<li class="toctree-l2"><a class="reference internal" href="../install.html">Installation guide</a></li>
<li class="toctree-l2 current"><a class="reference internal" href="index.html">Configuration Files</a><ul class="current">
-<li class="toctree-l3 current"><a class="current reference internal" href="">krb5.conf</a></li>
+<li class="toctree-l3 current"><a class="current reference internal" href="#">krb5.conf</a></li>
<li class="toctree-l3"><a class="reference internal" href="kdc_conf.html">kdc.conf</a></li>
<li class="toctree-l3"><a class="reference internal" href="kadm5_acl.html">kadm5.acl</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li>
<li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../dbtypes.html">Database types</a></li>
<li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li>
<li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
<li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li>
@@ -1281,6 +1294,8 @@ Valid parameters are:</p>
<li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li>
<li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li>
<li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../spake.html">SPAKE Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../dictionary.html">Addressing dictionary attack risks</a></li>
<li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li>
<li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li>
<li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li>
@@ -1320,8 +1335,8 @@ Valid parameters are:</p>
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.16</i><br />
- &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
+ <div class="right" ><i>Release: 1.21.1</i><br />
+ &copy; <a href="../../copyright.html">Copyright</a> 1985-2023, MIT.
</div>
<div class="left">
generated by cgit v1.3 (git 2.53.0) at 2026-04-29 01:27:14 +0000