| author | Cy Schubert <cy@FreeBSD.org> | 2023-08-04 17:53:10 +0000 |
|---|---|---|
| committer | Cy Schubert <cy@FreeBSD.org> | 2023-08-04 17:53:10 +0000 |
| commit | 0320e0d5bb9fbb5da53478b3fd80ad79b110191d (patch) | |
| tree | e1185f75bd2d3f87b0c17f787debc3ee8648214b /doc/html/admin | |
| parent | b0e4d68d5124581ae353493d69bea352de4cff8a (diff) | |
Diffstat (limited to 'doc/html/admin')
43 files changed, 3865 insertions, 4535 deletions
diff --git a/doc/html/admin/admin_commands/index.html b/doc/html/admin/admin_commands/index.html index 70300c8e3886..804e7e7568ae 100644 --- a/doc/html/admin/admin_commands/index.html +++ b/doc/html/admin/admin_commands/index.html @@ -1,33 +1,31 @@ + <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> - <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> - - <title>Administration programs — MIT Kerberos Documentation</title> - + <title>Administration programs — MIT Kerberos Documentation</title> <link rel="stylesheet" href="../../_static/agogo.css" type="text/css" /> <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" /> <link rel="stylesheet" href="../../_static/kerb.css" type="text/css" /> - <script type="text/javascript"> var DOCUMENTATION_OPTIONS = { URL_ROOT: '../../', - VERSION: '1.16', + VERSION: '1.21.1', COLLAPSE_INDEX: false, FILE_SUFFIX: '.html', - HAS_SOURCE: true + HAS_SOURCE: true, + SOURCELINK_SUFFIX: '.txt' }; </script> <script type="text/javascript" src="../../_static/jquery.js"></script> <script type="text/javascript" src="../../_static/underscore.js"></script> <script type="text/javascript" src="../../_static/doctools.js"></script> <link rel="author" title="About these documents" href="../../about.html" /> + <link rel="index" title="Index" href="../../genindex.html" /> + <link rel="search" title="Search" href="../../search.html" /> <link rel="copyright" title="Copyright" href="../../copyright.html" /> - <link rel="top" title="MIT Kerberos Documentation" href="../../index.html" /> - <link rel="up" title="For administrators" href="../index.html" /> <link rel="next" title="kadmin" href="kadmin_local.html" /> <link rel="prev" title="Authentication indicators" href="../auth_indicator.html" /> </head> 
@@ -61,7 +59,7 @@ <div class="documentwrapper"> <div class="bodywrapper"> - <div class="body"> + <div class="body" role="main"> <div class="section" id="administration-programs"> <h1>Administration programs<a class="headerlink" href="#administration-programs" title="Permalink to this headline">¶</a></h1> @@ -102,6 +100,7 @@ <li class="toctree-l2"><a class="reference internal" href="../conf_files/index.html">Configuration Files</a></li> <li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li> <li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li> +<li class="toctree-l2"><a class="reference internal" href="../dbtypes.html">Database types</a></li> <li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li> <li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li> <li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li> 
@@ -109,11 +108,13 @@ <li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li> <li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li> <li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li> +<li class="toctree-l2"><a class="reference internal" href="../spake.html">SPAKE Preauthentication</a></li> +<li class="toctree-l2"><a class="reference internal" href="../dictionary.html">Addressing dictionary attack risks</a></li> <li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li> <li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li> <li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li> <li class="toctree-l2"><a class="reference internal" href="../auth_indicator.html">Authentication indicators</a></li> -<li class="toctree-l2 current"><a class="current reference internal" href="">Administration programs</a><ul> +<li class="toctree-l2 current"><a class="current reference internal" href="#">Administration programs</a><ul> <li class="toctree-l3"><a class="reference internal" href="kadmin_local.html">kadmin</a></li> <li class="toctree-l3"><a class="reference internal" href="kadmind.html">kadmind</a></li> <li class="toctree-l3"><a class="reference internal" href="kdb5_util.html">kdb5_util</a></li> @@ -161,8 +162,8 @@ <div class="footer-wrapper"> <div class="footer" > - <div class="right" ><i>Release: 1.16</i><br /> - © <a href="../../copyright.html">Copyright</a> 1985-2017, MIT. + <div class="right" ><i>Release: 1.21.1</i><br /> + © <a href="../../copyright.html">Copyright</a> 1985-2023, MIT. </div> <div class="left"> diff --git a/doc/html/admin/admin_commands/k5srvutil.html b/doc/html/admin/admin_commands/k5srvutil.html index 6b2b3304c936..d43e43b16bec 100644 
--- a/doc/html/admin/admin_commands/k5srvutil.html +++ b/doc/html/admin/admin_commands/k5srvutil.html @@ -1,33 +1,31 @@ + <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> - <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> - - <title>k5srvutil — MIT Kerberos Documentation</title> - + <title>k5srvutil — MIT Kerberos Documentation</title> <link rel="stylesheet" href="../../_static/agogo.css" type="text/css" /> <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" /> <link rel="stylesheet" href="../../_static/kerb.css" type="text/css" /> - <script type="text/javascript"> var DOCUMENTATION_OPTIONS = { URL_ROOT: '../../', - VERSION: '1.16', + VERSION: '1.21.1', COLLAPSE_INDEX: false, FILE_SUFFIX: '.html', - HAS_SOURCE: true + HAS_SOURCE: true, + SOURCELINK_SUFFIX: '.txt' }; </script> <script type="text/javascript" src="../../_static/jquery.js"></script> <script type="text/javascript" src="../../_static/underscore.js"></script> <script type="text/javascript" src="../../_static/doctools.js"></script> <link rel="author" title="About these documents" href="../../about.html" /> + <link rel="index" title="Index" href="../../genindex.html" /> + <link rel="search" title="Search" href="../../search.html" /> <link rel="copyright" title="Copyright" href="../../copyright.html" /> - <link rel="top" title="MIT Kerberos Documentation" href="../../index.html" /> - <link rel="up" title="Administration programs" href="index.html" /> <link rel="next" title="sserver" href="sserver.html" /> <link rel="prev" title="ktutil" href="ktutil.html" /> </head> 
@@ -61,7 +59,7 @@ <div class="documentwrapper"> <div class="bodywrapper"> - <div class="body"> + <div class="body" role="main"> <div class="section" id="k5srvutil"> <span id="k5srvutil-1"></span><h1>k5srvutil<a class="headerlink" href="#k5srvutil" title="Permalink to this headline">¶</a></h1> @@ -85,8 +83,8 @@ name.</dd> <dt><strong>change</strong></dt> <dd>Uses the kadmin protocol to update the keys in the Kerberos database to new randomly-generated keys, and updates the keys in -the keytab to match. If a key’s version number doesn’t match the -version number stored in the Kerberos server’s database, then the +the keytab to match. If a key’s version number doesn’t match the +version number stored in the Kerberos server’s database, then the operation will fail. If the <strong>-i</strong> flag is given, k5srvutil will prompt for confirmation before changing each key. If the <strong>-k</strong> option is given, the old and new keys will be displayed. 
@@ -107,12 +105,17 @@ each key.</dd> </dl> <p>In all cases, the default keytab is used unless this is overridden by the <strong>-f</strong> option.</p> -<p>k5srvutil uses the <a class="reference internal" href="kadmin_local.html#kadmin-1"><em>kadmin</em></a> program to edit the keytab in +<p>k5srvutil uses the <a class="reference internal" href="kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> program to edit the keytab in place.</p> </div> +<div class="section" id="environment"> +<h2>ENVIRONMENT<a class="headerlink" href="#environment" title="Permalink to this headline">¶</a></h2> +<p>See <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a> for a description of Kerberos environment +variables.</p> +</div> <div class="section" id="see-also"> <h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2> -<p><a class="reference internal" href="kadmin_local.html#kadmin-1"><em>kadmin</em></a>, <a class="reference internal" href="ktutil.html#ktutil-1"><em>ktutil</em></a></p> +<p><a class="reference internal" href="kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a>, <a class="reference internal" href="ktutil.html#ktutil-1"><span class="std std-ref">ktutil</span></a>, <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a></p> </div> </div> @@ -127,6 +130,7 @@ place.</p> <li><a class="reference internal" href="#">k5srvutil</a><ul> <li><a class="reference internal" href="#synopsis">SYNOPSIS</a></li> <li><a class="reference internal" href="#description">DESCRIPTION</a></li> +<li><a class="reference internal" href="#environment">ENVIRONMENT</a></li> <li><a class="reference internal" href="#see-also">SEE ALSO</a></li> </ul> </li> 
@@ -141,6 +145,7 @@ place.</p> <li class="toctree-l2"><a class="reference internal" href="../conf_files/index.html">Configuration Files</a></li> <li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li> <li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li> +<li class="toctree-l2"><a class="reference internal" href="../dbtypes.html">Database types</a></li> <li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li> <li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li> <li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li> @@ -148,6 +153,8 @@ place.</p> <li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li> <li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li> <li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li> +<li class="toctree-l2"><a class="reference internal" href="../spake.html">SPAKE Preauthentication</a></li> +<li class="toctree-l2"><a class="reference internal" href="../dictionary.html">Addressing dictionary attack risks</a></li> <li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li> <li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li> <li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li> 
@@ -162,7 +169,7 @@ place.</p> <li class="toctree-l3"><a class="reference internal" href="kpropd.html">kpropd</a></li> <li class="toctree-l3"><a class="reference internal" href="kproplog.html">kproplog</a></li> <li class="toctree-l3"><a class="reference internal" href="ktutil.html">ktutil</a></li> -<li class="toctree-l3 current"><a class="current reference internal" href="">k5srvutil</a></li> +<li class="toctree-l3 current"><a class="current reference internal" href="#">k5srvutil</a></li> <li class="toctree-l3"><a class="reference internal" href="sserver.html">sserver</a></li> </ul> </li> @@ -200,8 +207,8 @@ place.</p> <div class="footer-wrapper"> <div class="footer" > - <div class="right" ><i>Release: 1.16</i><br /> - © <a href="../../copyright.html">Copyright</a> 1985-2017, MIT. + <div class="right" ><i>Release: 1.21.1</i><br /> + © <a href="../../copyright.html">Copyright</a> 1985-2023, MIT. </div> <div class="left"> diff --git a/doc/html/admin/admin_commands/kadmin_local.html b/doc/html/admin/admin_commands/kadmin_local.html index 270fc9376f04..6cca1815ffd9 100644 --- a/doc/html/admin/admin_commands/kadmin_local.html +++ b/doc/html/admin/admin_commands/kadmin_local.html 
@@ -1,33 +1,31 @@ + <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> - <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> - - <title>kadmin — MIT Kerberos Documentation</title> - + <title>kadmin — MIT Kerberos Documentation</title> <link rel="stylesheet" href="../../_static/agogo.css" type="text/css" /> <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" /> <link rel="stylesheet" href="../../_static/kerb.css" type="text/css" /> - <script type="text/javascript"> var DOCUMENTATION_OPTIONS = { URL_ROOT: '../../', - VERSION: '1.16', + VERSION: '1.21.1', COLLAPSE_INDEX: false, FILE_SUFFIX: '.html', - HAS_SOURCE: true + HAS_SOURCE: true, + SOURCELINK_SUFFIX: '.txt' }; </script> <script type="text/javascript" src="../../_static/jquery.js"></script> <script type="text/javascript" src="../../_static/underscore.js"></script> <script type="text/javascript" src="../../_static/doctools.js"></script> <link rel="author" title="About these documents" href="../../about.html" /> + <link rel="index" title="Index" href="../../genindex.html" /> + <link rel="search" title="Search" href="../../search.html" /> <link rel="copyright" title="Copyright" href="../../copyright.html" /> - <link rel="top" title="MIT Kerberos Documentation" href="../../index.html" /> - <link rel="up" title="Administration programs" href="index.html" /> <link rel="next" title="kadmind" href="kadmind.html" /> <link rel="prev" title="Administration programs" href="index.html" /> </head> @@ -61,7 +59,7 @@ <div class="documentwrapper"> <div class="bodywrapper"> - <div class="body"> + <div class="body" role="main"> <div class="section" id="kadmin"> <span id="kadmin-1"></span><h1>kadmin<a class="headerlink" href="#kadmin" title="Permalink to this headline">¶</a></h1> 
@@ -75,31 +73,31 @@ [[<strong>-c</strong> <em>cache_name</em>]|[<strong>-k</strong> [<strong>-t</strong> <em>keytab</em>]]|<strong>-n</strong>] [<strong>-w</strong> <em>password</em>] [<strong>-s</strong> <em>admin_server</em>[:<em>port</em>]] -[command args...]</p> +[command args…]</p> <p><strong>kadmin.local</strong> [<strong>-r</strong> <em>realm</em>] [<strong>-p</strong> <em>principal</em>] [<strong>-q</strong> <em>query</em>] [<strong>-d</strong> <em>dbname</em>] -[<strong>-e</strong> <em>enc</em>:<em>salt</em> ...] +[<strong>-e</strong> <em>enc</em>:<em>salt</em> …] [<strong>-m</strong>] [<strong>-x</strong> <em>db_args</em>] -[command args...]</p> +[command args…]</p> </div> <div class="section" id="description"> -<span id="kadmin-synopsis-end"></span><h2>DESCRIPTION<a class="headerlink" href="#description" title="Permalink to this headline">¶</a></h2> +<h2>DESCRIPTION<a class="headerlink" href="#description" title="Permalink to this headline">¶</a></h2> <p>kadmin and kadmin.local are command-line interfaces to the Kerberos V5 administration system. They provide nearly identical functionalities; the difference is that kadmin.local directly accesses the KDC -database, while kadmin performs operations using <a class="reference internal" href="kadmind.html#kadmind-8"><em>kadmind</em></a>. -Except as explicitly noted otherwise, this man page will use “kadmin” +database, while kadmin performs operations using <a class="reference internal" href="kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a>. +Except as explicitly noted otherwise, this man page will use “kadmin” to refer to both versions. 
kadmin provides for the maintenance of Kerberos principals, password policies, and service key tables (keytabs).</p> <p>The remote kadmin client uses Kerberos to authenticate to kadmind -using the service principal <tt class="docutils literal"><span class="pre">kadmin/ADMINHOST</span></tt> (where <em>ADMINHOST</em> is -the fully-qualified hostname of the admin server) or <tt class="docutils literal"><span class="pre">kadmin/admin</span></tt>. -If the credentials cache contains a ticket for one of these +using the service principal <code class="docutils literal"><span class="pre">kadmin/admin</span></code> or <code class="docutils literal"><span class="pre">kadmin/ADMINHOST</span></code> +(where <em>ADMINHOST</em> is the fully-qualified hostname of the admin +server). If the credentials cache contains a ticket for one of these principals, and the <strong>-c</strong> credentials_cache option is specified, that ticket is used to authenticate to kadmind. Otherwise, the <strong>-p</strong> and <strong>-k</strong> options are used to specify the client Kerberos principal name @@ -107,7 +105,7 @@ used to authenticate. Once kadmin has determined the principal name, it requests a service ticket from the KDC, and uses that service ticket to authenticate to kadmind.</p> <p>Since kadmin.local directly accesses the KDC database, it usually must -be run directly on the master KDC with sufficient permissions to read +be run directly on the primary KDC with sufficient permissions to read the KDC database. If the KDC database uses the LDAP database module, kadmin.local can be run on any host which can access the LDAP server.</p> </div> 
@@ -118,13 +116,13 @@ kadmin.local can be run on any host which can access the LDAP server.</p> <dd>Use <em>realm</em> as the default database realm.</dd> <dt><strong>-p</strong> <em>principal</em></dt> <dd>Use <em>principal</em> to authenticate. Otherwise, kadmin will append -<tt class="docutils literal"><span class="pre">/admin</span></tt> to the primary principal name of the default ccache, +<code class="docutils literal"><span class="pre">/admin</span></code> to the primary principal name of the default ccache, the value of the <strong>USER</strong> environment variable, or the username as obtained with getpwuid, in order of preference.</dd> <dt><strong>-k</strong></dt> <dd>Use a keytab to decrypt the KDC response instead of prompting for a password. In this case, the default principal will be -<tt class="docutils literal"><span class="pre">host/hostname</span></tt>. If there is no keytab specified with the +<code class="docutils literal"><span class="pre">host/hostname</span></code>. If there is no keytab specified with the <strong>-t</strong> option, then the default keytab will be used.</dd> <dt><strong>-t</strong> <em>keytab</em></dt> <dd>Use <em>keytab</em> to decrypt the KDC response. This can only be used 
@@ -132,23 +130,23 @@ with the <strong>-k</strong> option.</dd> <dt><strong>-n</strong></dt> <dd>Requests anonymous processing. Two types of anonymous principals are supported. For fully anonymous Kerberos, configure PKINIT on -the KDC and configure <strong>pkinit_anchors</strong> in the client’s -<a class="reference internal" href="../conf_files/krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a>. Then use the <strong>-n</strong> option with a principal -of the form <tt class="docutils literal"><span class="pre">@REALM</span></tt> (an empty principal name followed by the +the KDC and configure <strong>pkinit_anchors</strong> in the client’s +<a class="reference internal" href="../conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a>. Then use the <strong>-n</strong> option with a principal +of the form <code class="docutils literal"><span class="pre">@REALM</span></code> (an empty principal name followed by the at-sign and a realm name). If permitted by the KDC, an anonymous ticket will be returned. A second form of anonymous tickets is supported; these realm-exposed tickets hide the identity of the -client but not the client’s realm. For this mode, use <tt class="docutils literal"><span class="pre">kinit</span> -<span class="pre">-n</span></tt> with a normal principal name. If supported by the KDC, the +client but not the client’s realm. For this mode, use <code class="docutils literal"><span class="pre">kinit</span> +<span class="pre">-n</span></code> with a normal principal name. If supported by the KDC, the principal (but not realm) will be replaced by the anonymous principal. As of release 1.8, the MIT Kerberos KDC only supports fully anonymous operation.</dd> <dt><strong>-c</strong> <em>credentials_cache</em></dt> -<dd>Use <em>credentials_cache</em> as the credentials cache. 
The -cache should contain a service ticket for the <tt class="docutils literal"><span class="pre">kadmin/ADMINHOST</span></tt> -(where <em>ADMINHOST</em> is the fully-qualified hostname of the admin -server) or <tt class="docutils literal"><span class="pre">kadmin/admin</span></tt> service; it can be acquired with the -<a class="reference internal" href="../../user/user_commands/kinit.html#kinit-1"><em>kinit</em></a> program. If this option is not specified, kadmin +<dd>Use <em>credentials_cache</em> as the credentials cache. The cache +should contain a service ticket for the <code class="docutils literal"><span class="pre">kadmin/admin</span></code> or +<code class="docutils literal"><span class="pre">kadmin/ADMINHOST</span></code> (where <em>ADMINHOST</em> is the fully-qualified +hostname of the admin server) service; it can be acquired with the +<a class="reference internal" href="../../user/user_commands/kinit.html#kinit-1"><span class="std std-ref">kinit</span></a> program. If this option is not specified, kadmin requests a new service ticket from the KDC, and stores it in its own temporary ccache.</dd> <dt><strong>-w</strong> <em>password</em></dt> 
@@ -165,9 +163,9 @@ apply to the LDAP database module.</dd> <dt><strong>-m</strong></dt> <dd>If using kadmin.local, prompt for the database master password instead of reading it from a stash file.</dd> -<dt><strong>-e</strong> “<em>enc</em>:<em>salt</em> ...”</dt> +<dt><strong>-e</strong> “<em>enc</em>:<em>salt</em> …”</dt> <dd>Sets the keysalt list to be used for any new keys created. See -<a class="reference internal" href="../conf_files/kdc_conf.html#keysalt-lists"><em>Keysalt lists</em></a> in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> for a list of possible +<a class="reference internal" href="../conf_files/kdc_conf.html#keysalt-lists"><span class="std std-ref">Keysalt lists</span></a> in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a> for a list of possible values.</dd> <dt><strong>-O</strong></dt> <dd>Force use of old AUTH_GSSAPI authentication flavor.</dd> @@ -177,7 +175,7 @@ values.</dd> <dd>Specifies the database specific arguments. See the next section for supported options.</dd> </dl> -<p id="kadmin-options-end">Starting with release 1.14, if any command-line arguments remain after +<p>Starting with release 1.14, if any command-line arguments remain after the options, they will be treated as a single query to be executed. This mode of operation is intended for scripts and behaves differently from the interactive mode in several respects:</p> 
@@ -228,7 +226,7 @@ entire operation. First introduced in release 1.13.</dd> server. Using this option may expose the password to other users on the system via the process list; to avoid this, instead stash the password using the <strong>stashsrvpw</strong> command of -<a class="reference internal" href="kdb5_ldap_util.html#kdb5-ldap-util-8"><em>kdb5_ldap_util</em></a>.</dd> +<a class="reference internal" href="kdb5_ldap_util.html#kdb5-ldap-util-8"><span class="std std-ref">kdb5_ldap_util</span></a>.</dd> <dt><strong>-x sasl_mech=</strong><em>mechanism</em></dt> <dd>Specifies the SASL mechanism used to bind to the LDAP server. The bind DN is ignored if a SASL mechanism is used. New in @@ -254,7 +252,7 @@ are printed to standard error. New in release 1.12.</dd> <div class="section" id="commands"> <h2>COMMANDS<a class="headerlink" href="#commands" title="Permalink to this headline">¶</a></h2> <p>When using the remote client, available commands may be restricted -according to the privileges specified in the <a class="reference internal" href="../conf_files/kadm5_acl.html#kadm5-acl-5"><em>kadm5.acl</em></a> file +according to the privileges specified in the <a class="reference internal" href="../conf_files/kadm5_acl.html#kadm5-acl-5"><span class="std std-ref">kadm5.acl</span></a> file on the admin server.</p> <div class="section" id="add-principal"> <span id="id1"></span><h3>add_principal<a class="headerlink" href="#add-principal" title="Permalink to this headline">¶</a></h3> 
@@ -262,8 +260,8 @@ on the admin server.</p> <div><strong>add_principal</strong> [<em>options</em>] <em>newprinc</em></div></blockquote> <p>Creates the principal <em>newprinc</em>, prompting twice for a password. If no password policy is specified with the <strong>-policy</strong> option, and the -policy named <tt class="docutils literal"><span class="pre">default</span></tt> is assigned to the principal if it exists. -However, creating a policy named <tt class="docutils literal"><span class="pre">default</span></tt> will not automatically +policy named <code class="docutils literal"><span class="pre">default</span></code> is assigned to the principal if it exists. +However, creating a policy named <code class="docutils literal"><span class="pre">default</span></code> will not automatically assign this policy to previously existing principals. This policy assignment can be suppressed with the <strong>-clearpolicy</strong> option.</p> <p>This command requires the <strong>add</strong> privilege.</p> 
@@ -271,20 +269,20 @@ assignment can be suppressed with the <strong>-clearpolicy</strong> option.</p> <p>Options:</p> <dl class="docutils"> <dt><strong>-expire</strong> <em>expdate</em></dt> -<dd>(<a class="reference internal" href="../../basic/date_format.html#getdate"><em>getdate time</em></a> string) The expiration date of the principal.</dd> +<dd>(<a class="reference internal" href="../../basic/date_format.html#getdate"><span class="std std-ref">getdate time</span></a> string) The expiration date of the principal.</dd> <dt><strong>-pwexpire</strong> <em>pwexpdate</em></dt> -<dd>(<a class="reference internal" href="../../basic/date_format.html#getdate"><em>getdate time</em></a> string) The password expiration date.</dd> +<dd>(<a class="reference internal" href="../../basic/date_format.html#getdate"><span class="std std-ref">getdate time</span></a> string) The password expiration date.</dd> <dt><strong>-maxlife</strong> <em>maxlife</em></dt> -<dd>(<a class="reference internal" href="../../basic/date_format.html#duration"><em>Time duration</em></a> or <a class="reference internal" href="../../basic/date_format.html#getdate"><em>getdate time</em></a> string) The maximum ticket life +<dd>(<a class="reference internal" href="../../basic/date_format.html#duration"><span class="std std-ref">Time duration</span></a> or <a class="reference internal" href="../../basic/date_format.html#getdate"><span class="std std-ref">getdate time</span></a> string) The maximum ticket life for the principal.</dd> <dt><strong>-maxrenewlife</strong> <em>maxrenewlife</em></dt> -<dd>(<a class="reference internal" href="../../basic/date_format.html#duration"><em>Time duration</em></a> or <a class="reference internal" href="../../basic/date_format.html#getdate"><em>getdate time</em></a> string) The maximum renewable +<dd>(<a class="reference internal" href="../../basic/date_format.html#duration"><span class="std std-ref">Time duration</span></a> or <a class="reference internal" 
href="../../basic/date_format.html#getdate"><span class="std std-ref">getdate time</span></a> string) The maximum renewable life of tickets for the principal.</dd> <dt><strong>-kvno</strong> <em>kvno</em></dt> <dd>The initial key version number.</dd> <dt><strong>-policy</strong> <em>policy</em></dt> <dd>The password policy used by this principal. If not specified, the -policy <tt class="docutils literal"><span class="pre">default</span></tt> is used if it exists (unless <strong>-clearpolicy</strong> +policy <code class="docutils literal"><span class="pre">default</span></code> is used if it exists (unless <strong>-clearpolicy</strong> is specified).</dd> <dt><strong>-clearpolicy</strong></dt> <dd>Prevents any policy from being assigned when <strong>-policy</strong> is not 
@@ -303,21 +301,22 @@ renewable tickets. <strong>+allow_renewable</strong> clears this flag.</dd> proxiable tickets. <strong>+allow_proxiable</strong> clears this flag.</dd> <dt>{-|+}<strong>allow_dup_skey</strong></dt> <dd><strong>-allow_dup_skey</strong> disables user-to-user authentication for this -principal by prohibiting this principal from obtaining a session -key for another user. <strong>+allow_dup_skey</strong> clears this flag.</dd> +principal by prohibiting others from obtaining a service ticket +encrypted in this principal’s TGT session key. +<strong>+allow_dup_skey</strong> clears this flag.</dd> <dt>{-|+}<strong>requires_preauth</strong></dt> <dd><strong>+requires_preauth</strong> requires this principal to preauthenticate before being allowed to kinit. <strong>-requires_preauth</strong> clears this flag. When <strong>+requires_preauth</strong> is set on a service principal, the KDC will only issue service tickets for that service principal -if the client’s initial authentication was performed using +if the client’s initial authentication was performed using preauthentication.</dd> <dt>{-|+}<strong>requires_hwauth</strong></dt> <dd><strong>+requires_hwauth</strong> requires this principal to preauthenticate using a hardware device before being allowed to kinit. <strong>-requires_hwauth</strong> clears this flag. When <strong>+requires_hwauth</strong> is set on a service principal, the KDC will only issue service tickets -for that service principal if the client’s initial authentication was +for that service principal if the client’s initial authentication was performed using a hardware device to preauthenticate.</dd> <dt>{-|+}<strong>ok_as_delegate</strong></dt> <dd><strong>+ok_as_delegate</strong> sets the <strong>okay as delegate</strong> flag on tickets 
@@ -327,7 +326,9 @@ authenticating to the service. <strong>-ok_as_delegate</strong> clears this flag.</dd> <dt>{-|+}<strong>allow_svr</strong></dt> <dd><strong>-allow_svr</strong> prohibits the issuance of service tickets for this -principal. <strong>+allow_svr</strong> clears this flag.</dd> +principal. In release 1.17 and later, user-to-user service +tickets are still allowed unless the <strong>-allow_dup_skey</strong> flag is +also set. <strong>+allow_svr</strong> clears this flag.</dd> <dt>{-|+}<strong>allow_tgs_req</strong></dt> <dd><strong>-allow_tgs_req</strong> specifies that a Ticket-Granting Service (TGS) request for a service ticket for this principal is not permitted. @@ -369,9 +370,9 @@ be removed using kadmin.local.</dd> does not prompt for a password. Note: using this option in a shell script may expose the password to other users on the system via the process list.</dd> -<dt><strong>-e</strong> <em>enc</em>:<em>salt</em>,...</dt> +<dt><strong>-e</strong> <em>enc</em>:<em>salt</em>,…</dt> <dd>Uses the specified keysalt list for setting the keys of the -principal. See <a class="reference internal" href="../conf_files/kdc_conf.html#keysalt-lists"><em>Keysalt lists</em></a> in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> for a +principal. See <a class="reference internal" href="../conf_files/kdc_conf.html#keysalt-lists"><span class="std std-ref">Keysalt lists</span></a> in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a> for a list of possible values.</dd> <dt><strong>-x</strong> <em>db_princ_args</em></dt> <dd><p class="first">Indicates database-specific options. The options for the LDAP 
@@ -405,18 +406,18 @@ principal container configured in the realm.</li>
 </dd>
 </dl>
 <p>Example:</p>
-<div class="highlight-python"><div class="highlight"><pre>kadmin: addprinc jennifer
-WARNING: no policy specified for "jennifer@ATHENA.MIT.EDU";
-defaulting to no policy.
-Enter password for principal jennifer@ATHENA.MIT.EDU:
-Re-enter password for principal jennifer@ATHENA.MIT.EDU:
-Principal "jennifer@ATHENA.MIT.EDU" created.
-kadmin:
+<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">addprinc</span> <span class="n">jennifer</span>
+<span class="n">No</span> <span class="n">policy</span> <span class="n">specified</span> <span class="k">for</span> <span class="s2">"jennifer@ATHENA.MIT.EDU"</span><span class="p">;</span>
+<span class="n">defaulting</span> <span class="n">to</span> <span class="n">no</span> <span class="n">policy</span><span class="o">.</span>
+<span class="n">Enter</span> <span class="n">password</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">jennifer</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span><span class="p">:</span>
+<span class="n">Re</span><span class="o">-</span><span class="n">enter</span> <span class="n">password</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">jennifer</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span><span class="p">:</span>
+<span class="n">Principal</span> <span class="s2">"jennifer@ATHENA.MIT.EDU"</span> <span class="n">created</span><span class="o">.</span>
+<span class="n">kadmin</span><span class="p">:</span>
 </pre></div>
 </div>
 </div>
 <div class="section" id="modify-principal">
-<span id="add-principal-end"></span><span id="id2"></span><h3>modify_principal<a class="headerlink" href="#modify-principal" title="Permalink to this headline">¶</a></h3>
+<span id="id2"></span><h3>modify_principal<a class="headerlink" href="#modify-principal" title="Permalink to this headline">¶</a></h3>
 <blockquote>
 <div><strong>modify_principal</strong> [<em>options</em>] <em>principal</em></div></blockquote>
 <p>Modifies the specified principal, changing the fields as specified.
@@ -434,7 +435,7 @@ to its password policy) so that it can successfully authenticate.</dd>
 </dl>
 </div>
 <div class="section" id="rename-principal">
-<span id="modify-principal-end"></span><span id="id3"></span><h3>rename_principal<a class="headerlink" href="#rename-principal" title="Permalink to this headline">¶</a></h3>
+<span id="id3"></span><h3>rename_principal<a class="headerlink" href="#rename-principal" title="Permalink to this headline">¶</a></h3>
 <blockquote>
 <div><strong>rename_principal</strong> [<strong>-force</strong>] <em>old_principal</em> <em>new_principal</em></div></blockquote>
 <p>Renames the specified <em>old_principal</em> to <em>new_principal</em>. This
@@ -444,7 +445,7 @@ given.</p>
 <p>Alias: <strong>renprinc</strong></p>
 </div>
 <div class="section" id="delete-principal">
-<span id="rename-principal-end"></span><span id="id4"></span><h3>delete_principal<a class="headerlink" href="#delete-principal" title="Permalink to this headline">¶</a></h3>
+<span id="id4"></span><h3>delete_principal<a class="headerlink" href="#delete-principal" title="Permalink to this headline">¶</a></h3>
 <blockquote>
 <div><strong>delete_principal</strong> [<strong>-force</strong>] <em>principal</em></div></blockquote>
 <p>Deletes the specified <em>principal</em> from the database. This command
@@ -453,7 +454,7 @@ prompts for deletion, unless the <strong>-force</strong> option is given.</p>
 <p>Alias: <strong>delprinc</strong></p>
 </div>
 <div class="section" id="change-password">
-<span id="delete-principal-end"></span><span id="id5"></span><h3>change_password<a class="headerlink" href="#change-password" title="Permalink to this headline">¶</a></h3>
+<span id="id5"></span><h3>change_password<a class="headerlink" href="#change-password" title="Permalink to this headline">¶</a></h3>
 <blockquote>
 <div><strong>change_password</strong> [<em>options</em>] <em>principal</em></div></blockquote>
 <p>Changes the password of <em>principal</em>. Prompts for a new password if
@@ -470,25 +471,25 @@ changed.</p> <dd>Set the password to the specified string. Using this option in a script may expose the password to other users on the system via the process list.</dd> -<dt><strong>-e</strong> <em>enc</em>:<em>salt</em>,...</dt> +<dt><strong>-e</strong> <em>enc</em>:<em>salt</em>,…</dt> <dd>Uses the specified keysalt list for setting the keys of the -principal. See <a class="reference internal" href="../conf_files/kdc_conf.html#keysalt-lists"><em>Keysalt lists</em></a> in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> for a +principal. See <a class="reference internal" href="../conf_files/kdc_conf.html#keysalt-lists"><span class="std std-ref">Keysalt lists</span></a> in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a> for a list of possible values.</dd> <dt><strong>-keepold</strong></dt> <dd>Keeps the existing keys in the database. This flag is usually not -necessary except perhaps for <tt class="docutils literal"><span class="pre">krbtgt</span></tt> principals.</dd> +necessary except perhaps for <code class="docutils literal"><span class="pre">krbtgt</span></code> principals.</dd> </dl> <p>Example:</p> -<div class="highlight-python"><div class="highlight"><pre>kadmin: cpw systest -Enter password for principal systest@BLEEP.COM: -Re-enter password for principal systest@BLEEP.COM: -Password for systest@BLEEP.COM changed. 
-kadmin: +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">cpw</span> <span class="n">systest</span> +<span class="n">Enter</span> <span class="n">password</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">systest</span><span class="nd">@BLEEP</span><span class="o">.</span><span class="n">COM</span><span class="p">:</span> +<span class="n">Re</span><span class="o">-</span><span class="n">enter</span> <span class="n">password</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">systest</span><span class="nd">@BLEEP</span><span class="o">.</span><span class="n">COM</span><span class="p">:</span> +<span class="n">Password</span> <span class="k">for</span> <span class="n">systest</span><span class="nd">@BLEEP</span><span class="o">.</span><span class="n">COM</span> <span class="n">changed</span><span class="o">.</span> +<span class="n">kadmin</span><span class="p">:</span> </pre></div> </div> </div> <div class="section" id="purgekeys"> -<span id="change-password-end"></span><span id="id6"></span><h3>purgekeys<a class="headerlink" href="#purgekeys" title="Permalink to this headline">¶</a></h3> +<span id="id6"></span><h3>purgekeys<a class="headerlink" href="#purgekeys" title="Permalink to this headline">¶</a></h3> <blockquote> <div><strong>purgekeys</strong> [<strong>-all</strong>|<strong>-keepkvno</strong> <em>oldest_kvno_to_keep</em>] <em>principal</em></div></blockquote> <p>Purges previously retained old keys (e.g., from <strong>change_password 
@@ -499,7 +500,7 @@ is new in release 1.12.</p>
 <p>This command requires the <strong>modify</strong> privilege.</p>
 </div>
 <div class="section" id="get-principal">
-<span id="purgekeys-end"></span><span id="id7"></span><h3>get_principal<a class="headerlink" href="#get-principal" title="Permalink to this headline">¶</a></h3>
+<span id="id7"></span><h3>get_principal<a class="headerlink" href="#get-principal" title="Permalink to this headline">¶</a></h3>
 <blockquote>
 <div><strong>get_principal</strong> [<strong>-terse</strong>] <em>principal</em></div></blockquote>
 <p>Gets the attributes of principal. With the <strong>-terse</strong> option, outputs
@@ -508,64 +509,64 @@ fields as quoted tab-separated strings.</p>
 running the the program to be the same as the one being listed.</p>
 <p>Alias: <strong>getprinc</strong></p>
 <p>Examples:</p>
-<div class="highlight-python"><div class="highlight"><pre>kadmin: getprinc tlyu/admin
-Principal: tlyu/admin@BLEEP.COM
-Expiration date: [never]
-Last password change: Mon Aug 12 14:16:47 EDT 1996
-Password expiration date: [none]
-Maximum ticket life: 0 days 10:00:00
-Maximum renewable life: 7 days 00:00:00
-Last modified: Mon Aug 12 14:16:47 EDT 1996 (bjaspan/admin@BLEEP.COM)
-Last successful authentication: [never]
-Last failed authentication: [never]
-Failed password attempts: 0
-Number of keys: 2
-Key: vno 1, des-cbc-crc
-Key: vno 1, des-cbc-crc:v4
-Attributes:
-Policy: [none]
+<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">getprinc</span> <span class="n">tlyu</span><span class="o">/</span><span class="n">admin</span>
+<span class="n">Principal</span><span class="p">:</span> <span class="n">tlyu</span><span class="o">/</span><span class="n">admin</span><span class="nd">@BLEEP</span><span class="o">.</span><span class="n">COM</span>
+<span class="n">Expiration</span> <span class="n">date</span><span class="p">:</span> <span class="p">[</span><span class="n">never</span><span class="p">]</span>
+<span class="n">Last</span> <span class="n">password</span> <span class="n">change</span><span class="p">:</span> <span class="n">Mon</span> <span class="n">Aug</span> <span class="mi">12</span> <span class="mi">14</span><span class="p">:</span><span class="mi">16</span><span class="p">:</span><span class="mi">47</span> <span class="n">EDT</span> <span class="mi">1996</span>
+<span class="n">Password</span> <span class="n">expiration</span> <span class="n">date</span><span class="p">:</span> <span class="p">[</span><span class="n">never</span><span class="p">]</span>
+<span class="n">Maximum</span> <span class="n">ticket</span> <span class="n">life</span><span class="p">:</span> <span class="mi">0</span> <span class="n">days</span> <span class="mi">10</span><span class="p">:</span><span class="mi">00</span><span class="p">:</span><span class="mi">00</span>
+<span class="n">Maximum</span> <span class="n">renewable</span> <span class="n">life</span><span class="p">:</span> <span class="mi">7</span> <span class="n">days</span> <span class="mi">00</span><span class="p">:</span><span class="mi">00</span><span class="p">:</span><span class="mi">00</span>
+<span class="n">Last</span> <span class="n">modified</span><span class="p">:</span> <span class="n">Mon</span> <span class="n">Aug</span> <span class="mi">12</span> <span class="mi">14</span><span class="p">:</span><span class="mi">16</span><span class="p">:</span><span class="mi">47</span> <span class="n">EDT</span> <span class="mi">1996</span> <span class="p">(</span><span class="n">bjaspan</span><span class="o">/</span><span class="n">admin</span><span class="nd">@BLEEP</span><span class="o">.</span><span class="n">COM</span><span class="p">)</span>
+<span class="n">Last</span> <span class="n">successful</span> <span class="n">authentication</span><span class="p">:</span> <span class="p">[</span><span class="n">never</span><span class="p">]</span>
+<span class="n">Last</span> <span class="n">failed</span> <span class="n">authentication</span><span class="p">:</span> <span class="p">[</span><span class="n">never</span><span class="p">]</span>
+<span class="n">Failed</span> <span class="n">password</span> <span class="n">attempts</span><span class="p">:</span> <span class="mi">0</span>
+<span class="n">Number</span> <span class="n">of</span> <span class="n">keys</span><span class="p">:</span> <span class="mi">1</span>
+<span class="n">Key</span><span class="p">:</span> <span class="n">vno</span> <span class="mi">1</span><span class="p">,</span> <span class="n">aes256</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha384</span><span class="o">-</span><span class="mi">192</span>
+<span class="n">MKey</span><span class="p">:</span> <span class="n">vno</span> <span class="mi">1</span>
+<span class="n">Attributes</span><span class="p">:</span>
+<span class="n">Policy</span><span class="p">:</span> <span class="p">[</span><span class="n">none</span><span class="p">]</span>
 
-kadmin: getprinc -terse systest
-systest@BLEEP.COM 3 86400 604800 1
-785926535 753241234 785900000
-tlyu/admin@BLEEP.COM 786100034 0 0
-kadmin:
+<span class="n">kadmin</span><span class="p">:</span> <span class="n">getprinc</span> <span class="o">-</span><span class="n">terse</span> <span class="n">systest</span>
+<span class="n">systest</span><span class="nd">@BLEEP</span><span class="o">.</span><span class="n">COM</span> <span class="mi">3</span> <span class="mi">86400</span> <span class="mi">604800</span> <span class="mi">1</span>
+<span class="mi">785926535</span> <span class="mi">753241234</span> <span class="mi">785900000</span>
+<span class="n">tlyu</span><span class="o">/</span><span class="n">admin</span><span class="nd">@BLEEP</span><span class="o">.</span><span class="n">COM</span> <span class="mi">786100034</span> <span class="mi">0</span> <span class="mi">0</span>
+<span class="n">kadmin</span><span class="p">:</span>
 </pre></div>
 </div>
 </div>
 <div class="section" id="list-principals">
-<span id="get-principal-end"></span><span id="id8"></span><h3>list_principals<a class="headerlink" href="#list-principals" title="Permalink to this headline">¶</a></h3>
+<span id="id8"></span><h3>list_principals<a class="headerlink" href="#list-principals" title="Permalink to this headline">¶</a></h3>
 <blockquote>
 <div><strong>list_principals</strong> [<em>expression</em>]</div></blockquote>
 <p>Retrieves all or some principal names. <em>expression</em> is a shell-style
-glob expression that can contain the wild-card characters <tt class="docutils literal"><span class="pre">?</span></tt>,
-<tt class="docutils literal"><span class="pre">*</span></tt>, and <tt class="docutils literal"><span class="pre">[]</span></tt>. All principal names matching the expression are
+glob expression that can contain the wild-card characters <code class="docutils literal"><span class="pre">?</span></code>,
+<code class="docutils literal"><span class="pre">*</span></code>, and <code class="docutils literal"><span class="pre">[]</span></code>. All principal names matching the expression are
 printed. If no expression is provided, all principal names are
-printed. If the expression does not contain an <tt class="docutils literal"><span class="pre">@</span></tt> character, an
-<tt class="docutils literal"><span class="pre">@</span></tt> character followed by the local realm is appended to the
+printed. If the expression does not contain an <code class="docutils literal"><span class="pre">@</span></code> character, an
+<code class="docutils literal"><span class="pre">@</span></code> character followed by the local realm is appended to the
 expression.</p>
 <p>This command requires the <strong>list</strong> privilege.</p>
-<p>Alias: <strong>listprincs</strong>, <strong>get_principals</strong>, <strong>get_princs</strong></p>
+<p>Alias: <strong>listprincs</strong>, <strong>get_principals</strong>, <strong>getprincs</strong></p>
 <p>Example:</p>
-<div class="highlight-python"><div class="highlight"><pre>kadmin: listprincs test*
-test3@SECURE-TEST.OV.COM
-test2@SECURE-TEST.OV.COM
-test1@SECURE-TEST.OV.COM
-testuser@SECURE-TEST.OV.COM
-kadmin:
+<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">listprincs</span> <span class="n">test</span><span class="o">*</span>
+<span class="n">test3</span><span class="nd">@SECURE</span><span class="o">-</span><span class="n">TEST</span><span class="o">.</span><span class="n">OV</span><span class="o">.</span><span class="n">COM</span>
+<span class="n">test2</span><span class="nd">@SECURE</span><span class="o">-</span><span class="n">TEST</span><span class="o">.</span><span class="n">OV</span><span class="o">.</span><span class="n">COM</span>
+<span class="n">test1</span><span class="nd">@SECURE</span><span class="o">-</span><span class="n">TEST</span><span class="o">.</span><span class="n">OV</span><span class="o">.</span><span class="n">COM</span>
+<span class="n">testuser</span><span class="nd">@SECURE</span><span class="o">-</span><span class="n">TEST</span><span class="o">.</span><span class="n">OV</span><span class="o">.</span><span class="n">COM</span>
+<span class="n">kadmin</span><span class="p">:</span>
 </pre></div>
 </div>
 </div>
 <div class="section" id="get-strings">
-<span id="list-principals-end"></span><span id="id9"></span><h3>get_strings<a class="headerlink" href="#get-strings" title="Permalink to this headline">¶</a></h3>
+<span id="id9"></span><h3>get_strings<a class="headerlink" href="#get-strings" title="Permalink to this headline">¶</a></h3>
 <blockquote>
 <div><strong>get_strings</strong> <em>principal</em></div></blockquote>
 <p>Displays string attributes on <em>principal</em>.</p>
 <p>This command requires the <strong>inquire</strong> privilege.</p>
-<p>Alias: <strong>getstr</strong></p>
+<p>Alias: <strong>getstrs</strong></p>
 </div>
 <div class="section" id="set-string">
-<span id="get-strings-end"></span><span id="id10"></span><h3>set_string<a class="headerlink" href="#set-string" title="Permalink to this headline">¶</a></h3>
+<span id="id10"></span><h3>set_string<a class="headerlink" href="#set-string" title="Permalink to this headline">¶</a></h3>
 <blockquote>
 <div><strong>set_string</strong> <em>principal</em> <em>name</em> <em>value</em></div></blockquote>
 <p>Sets a string attribute on <em>principal</em>. String attributes are used to
@@ -581,29 +582,37 @@ specified indicators will be accepted. (New in release 1.14.)</dd> <dt><strong>session_enctypes</strong></dt> <dd>Specifies the encryption types supported for session keys when the principal is authenticated to as a server. See -<a class="reference internal" href="../conf_files/kdc_conf.html#encryption-types"><em>Encryption types</em></a> in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> for a list of the +<a class="reference internal" href="../conf_files/kdc_conf.html#encryption-types"><span class="std std-ref">Encryption types</span></a> in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a> for a list of the accepted values.</dd> <dt><strong>otp</strong></dt> <dd>Enables One Time Passwords (OTP) preauthentication for a client <em>principal</em>. The <em>value</em> is a JSON string representing an array -of objects, each having optional <tt class="docutils literal"><span class="pre">type</span></tt> and <tt class="docutils literal"><span class="pre">username</span></tt> fields.</dd> +of objects, each having optional <code class="docutils literal"><span class="pre">type</span></code> and <code class="docutils literal"><span class="pre">username</span></code> fields.</dd> <dt><strong>pkinit_cert_match</strong></dt> <dd>Specifies a matching expression that defines the certificate attributes required for the client certificate used by the principal during PKINIT authentication. The matching expression is in the same format as those used by the <strong>pkinit_cert_match</strong> -option in <a class="reference internal" href="../conf_files/krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a>. (New in release 1.16.)</dd> +option in <a class="reference internal" href="../conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a>. 
(New in release 1.16.)</dd> +<dt><strong>pac_privsvr_enctype</strong></dt> +<dd>Forces the encryption type of the PAC KDC checksum buffers to the +specified encryption type for tickets issued to this server, by +deriving a key from the local krbtgt key if it is of a different +encryption type. It may be necessary to set this value to +“aes256-sha1” on the cross-realm krbtgt entry for an Active +Directory realm when using aes-sha2 keys on the local krbtgt +entry.</dd> </dl> <p>This command requires the <strong>modify</strong> privilege.</p> <p>Alias: <strong>setstr</strong></p> <p>Example:</p> -<div class="highlight-python"><div class="highlight"><pre>set_string host/foo.mit.edu session_enctypes aes128-cts -set_string user@FOO.COM otp "[{""type"":""hotp"",""username"":""al""}]" +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">set_string</span> <span class="n">host</span><span class="o">/</span><span class="n">foo</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> <span class="n">session_enctypes</span> <span class="n">aes128</span><span class="o">-</span><span class="n">cts</span> +<span class="n">set_string</span> <span class="n">user</span><span class="nd">@FOO</span><span class="o">.</span><span class="n">COM</span> <span class="n">otp</span> <span class="s2">"[{""type"":""hotp"",""username"":""al""}]"</span> </pre></div> </div> </div> <div class="section" id="del-string"> -<span id="set-string-end"></span><span id="id11"></span><h3>del_string<a class="headerlink" href="#del-string" title="Permalink to this headline">¶</a></h3> +<span id="id11"></span><h3>del_string<a class="headerlink" href="#del-string" title="Permalink to this headline">¶</a></h3> <blockquote> <div><strong>del_string</strong> <em>principal</em> <em>key</em></div></blockquote> <p>Deletes a string attribute from <em>principal</em>.</p> 
@@ -611,7 +620,7 @@ set_string user@FOO.COM otp "[{""type"":""hot
 <p>Alias: <strong>delstr</strong></p>
 </div>
 <div class="section" id="add-policy">
-<span id="del-string-end"></span><span id="id12"></span><h3>add_policy<a class="headerlink" href="#add-policy" title="Permalink to this headline">¶</a></h3>
+<span id="id12"></span><h3>add_policy<a class="headerlink" href="#add-policy" title="Permalink to this headline">¶</a></h3>
 <blockquote>
 <div><strong>add_policy</strong> [<em>options</em>] <em>policy</em></div></blockquote>
 <p>Adds a password policy named <em>policy</em> to the database.</p>
@@ -620,10 +629,10 @@ set_string user@FOO.COM otp "[{""type"":""hot
 <p>The following options are available:</p>
 <dl class="docutils">
 <dt><strong>-maxlife</strong> <em>time</em></dt>
-<dd>(<a class="reference internal" href="../../basic/date_format.html#duration"><em>Time duration</em></a> or <a class="reference internal" href="../../basic/date_format.html#getdate"><em>getdate time</em></a> string) Sets the maximum
+<dd>(<a class="reference internal" href="../../basic/date_format.html#duration"><span class="std std-ref">Time duration</span></a> or <a class="reference internal" href="../../basic/date_format.html#getdate"><span class="std std-ref">getdate time</span></a> string) Sets the maximum
 lifetime of a password.</dd>
 <dt><strong>-minlife</strong> <em>time</em></dt>
-<dd>(<a class="reference internal" href="../../basic/date_format.html#duration"><em>Time duration</em></a> or <a class="reference internal" href="../../basic/date_format.html#getdate"><em>getdate time</em></a> string) Sets the minimum
+<dd>(<a class="reference internal" href="../../basic/date_format.html#duration"><span class="std std-ref">Time duration</span></a> or <a class="reference internal" href="../../basic/date_format.html#getdate"><span class="std std-ref">getdate time</span></a> string) Sets the minimum
 lifetime of a password.</dd>
 <dt><strong>-minlength</strong> <em>length</em></dt>
 <dd>Sets the minimum length of a password.</dd>
@@ -645,7 +654,7 @@ resets to 0 after a successful attempt to authenticate. A </dl> <dl class="docutils" id="policy-failurecountinterval"> <dt><strong>-failurecountinterval</strong> <em>failuretime</em></dt> -<dd>(<a class="reference internal" href="../../basic/date_format.html#duration"><em>Time duration</em></a> or <a class="reference internal" href="../../basic/date_format.html#getdate"><em>getdate time</em></a> string) Sets the allowable time +<dd>(<a class="reference internal" href="../../basic/date_format.html#duration"><span class="std std-ref">Time duration</span></a> or <a class="reference internal" href="../../basic/date_format.html#getdate"><span class="std std-ref">getdate time</span></a> string) Sets the allowable time between authentication failures. If an authentication failure happens after <em>failuretime</em> has elapsed since the previous failure, the number of authentication failures is reset to 1. A 
@@ -653,28 +662,28 @@ failure, the number of authentication failures is reset to 1. A </dl> <dl class="docutils" id="policy-lockoutduration"> <dt><strong>-lockoutduration</strong> <em>lockouttime</em></dt> -<dd>(<a class="reference internal" href="../../basic/date_format.html#duration"><em>Time duration</em></a> or <a class="reference internal" href="../../basic/date_format.html#getdate"><em>getdate time</em></a> string) Sets the duration for +<dd>(<a class="reference internal" href="../../basic/date_format.html#duration"><span class="std std-ref">Time duration</span></a> or <a class="reference internal" href="../../basic/date_format.html#getdate"><span class="std std-ref">getdate time</span></a> string) Sets the duration for which the principal is locked from authenticating if too many authentication failures occur without the specified failure count interval elapsing. A duration of 0 (the default) means the principal remains locked out until it is administratively unlocked -with <tt class="docutils literal"><span class="pre">modprinc</span> <span class="pre">-unlock</span></tt>.</dd> +with <code class="docutils literal"><span class="pre">modprinc</span> <span class="pre">-unlock</span></code>.</dd> <dt><strong>-allowedkeysalts</strong></dt> <dd>Specifies the key/salt tuples supported for long-term keys when -setting or changing a principal’s password/keys. See -<a class="reference internal" href="../conf_files/kdc_conf.html#keysalt-lists"><em>Keysalt lists</em></a> in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> for a list of the +setting or changing a principal’s password/keys. 
See +<a class="reference internal" href="../conf_files/kdc_conf.html#keysalt-lists"><span class="std std-ref">Keysalt lists</span></a> in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a> for a list of the accepted values, but note that key/salt tuples must be separated -with commas (‘,’) only. To clear the allowed key/salt policy use -a value of ‘-‘.</dd> +with commas (‘,’) only. To clear the allowed key/salt policy use +a value of ‘-‘.</dd> </dl> <p>Example:</p> -<div class="highlight-python"><div class="highlight"><pre>kadmin: add_policy -maxlife "2 days" -minlength 5 guests -kadmin: +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">add_policy</span> <span class="o">-</span><span class="n">maxlife</span> <span class="s2">"2 days"</span> <span class="o">-</span><span class="n">minlength</span> <span class="mi">5</span> <span class="n">guests</span> +<span class="n">kadmin</span><span class="p">:</span> </pre></div> </div> </div> <div class="section" id="modify-policy"> -<span id="add-policy-end"></span><span id="id13"></span><h3>modify_policy<a class="headerlink" href="#modify-policy" title="Permalink to this headline">¶</a></h3> +<span id="id13"></span><h3>modify_policy<a class="headerlink" href="#modify-policy" title="Permalink to this headline">¶</a></h3> <blockquote> <div><strong>modify_policy</strong> [<em>options</em>] <em>policy</em></div></blockquote> <p>Modifies the password policy named <em>policy</em>. Options are as described 
@@ -683,7 +692,7 @@ for <strong>add_policy</strong>.</p> <p>Alias: <strong>modpol</strong></p> </div> <div class="section" id="delete-policy"> -<span id="modify-policy-end"></span><span id="id14"></span><h3>delete_policy<a class="headerlink" href="#delete-policy" title="Permalink to this headline">¶</a></h3> +<span id="id14"></span><h3>delete_policy<a class="headerlink" href="#delete-policy" title="Permalink to this headline">¶</a></h3> <blockquote> <div><strong>delete_policy</strong> [<strong>-force</strong>] <em>policy</em></div></blockquote> <p>Deletes the password policy named <em>policy</em>. Prompts for confirmation @@ -692,7 +701,7 @@ principals.</p> <p>This command requires the <strong>delete</strong> privilege.</p> <p>Alias: <strong>delpol</strong></p> <p>Example:</p> -<div class="highlight-python"><div class="highlight"><pre>kadmin: del_policy guests +<div class="highlight-default"><div class="highlight"><pre><span></span>kadmin: del_policy guests Are you sure you want to delete the policy "guests"? (yes/no): yes kadmin: 
@@ -700,60 +709,60 @@ kadmin: </div> </div> <div class="section" id="get-policy"> -<span id="delete-policy-end"></span><span id="id15"></span><h3>get_policy<a class="headerlink" href="#get-policy" title="Permalink to this headline">¶</a></h3> +<span id="id15"></span><h3>get_policy<a class="headerlink" href="#get-policy" title="Permalink to this headline">¶</a></h3> <blockquote> <div><strong>get_policy</strong> [ <strong>-terse</strong> ] <em>policy</em></div></blockquote> <p>Displays the values of the password policy named <em>policy</em>. With the <strong>-terse</strong> flag, outputs the fields as quoted strings separated by tabs.</p> <p>This command requires the <strong>inquire</strong> privilege.</p> -<p>Alias: getpol</p> +<p>Alias: <strong>getpol</strong></p> <p>Examples:</p> -<div class="highlight-python"><div class="highlight"><pre>kadmin: get_policy admin -Policy: admin -Maximum password life: 180 days 00:00:00 -Minimum password life: 00:00:00 -Minimum password length: 6 -Minimum number of password character classes: 2 -Number of old keys kept: 5 -Reference count: 17 +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">get_policy</span> <span class="n">admin</span> +<span class="n">Policy</span><span class="p">:</span> <span class="n">admin</span> +<span class="n">Maximum</span> <span class="n">password</span> <span class="n">life</span><span class="p">:</span> <span class="mi">180</span> <span class="n">days</span> <span class="mi">00</span><span class="p">:</span><span class="mi">00</span><span class="p">:</span><span class="mi">00</span> +<span class="n">Minimum</span> <span class="n">password</span> <span class="n">life</span><span class="p">:</span> <span class="mi">00</span><span class="p">:</span><span class="mi">00</span><span class="p">:</span><span class="mi">00</span> +<span class="n">Minimum</span> <span class="n">password</span> <span 
class="n">length</span><span class="p">:</span> <span class="mi">6</span> +<span class="n">Minimum</span> <span class="n">number</span> <span class="n">of</span> <span class="n">password</span> <span class="n">character</span> <span class="n">classes</span><span class="p">:</span> <span class="mi">2</span> +<span class="n">Number</span> <span class="n">of</span> <span class="n">old</span> <span class="n">keys</span> <span class="n">kept</span><span class="p">:</span> <span class="mi">5</span> +<span class="n">Reference</span> <span class="n">count</span><span class="p">:</span> <span class="mi">17</span> -kadmin: get_policy -terse admin -admin 15552000 0 6 2 5 17 -kadmin: +<span class="n">kadmin</span><span class="p">:</span> <span class="n">get_policy</span> <span class="o">-</span><span class="n">terse</span> <span class="n">admin</span> +<span class="n">admin</span> <span class="mi">15552000</span> <span class="mi">0</span> <span class="mi">6</span> <span class="mi">2</span> <span class="mi">5</span> <span class="mi">17</span> +<span class="n">kadmin</span><span class="p">:</span> </pre></div> </div> -<p>The “Reference count” is the number of principals using that policy. +<p>The “Reference count” is the number of principals using that policy. With the LDAP KDC database module, the reference count field is not meaningful.</p> </div> <div class="section" id="list-policies"> -<span id="get-policy-end"></span><span id="id16"></span><h3>list_policies<a class="headerlink" href="#list-policies" title="Permalink to this headline">¶</a></h3> +<span id="id16"></span><h3>list_policies<a class="headerlink" href="#list-policies" title="Permalink to this headline">¶</a></h3> <blockquote> <div><strong>list_policies</strong> [<em>expression</em>]</div></blockquote> <p>Retrieves all or some policy names. 
<em>expression</em> is a shell-style -glob expression that can contain the wild-card characters <tt class="docutils literal"><span class="pre">?</span></tt>, -<tt class="docutils literal"><span class="pre">*</span></tt>, and <tt class="docutils literal"><span class="pre">[]</span></tt>. All policy names matching the expression are +glob expression that can contain the wild-card characters <code class="docutils literal"><span class="pre">?</span></code>, +<code class="docutils literal"><span class="pre">*</span></code>, and <code class="docutils literal"><span class="pre">[]</span></code>. All policy names matching the expression are printed. If no expression is provided, all existing policy names are printed.</p> <p>This command requires the <strong>list</strong> privilege.</p> <p>Aliases: <strong>listpols</strong>, <strong>get_policies</strong>, <strong>getpols</strong>.</p> <p>Examples:</p> -<div class="highlight-python"><div class="highlight"><pre>kadmin: listpols -test-pol -dict-only -once-a-min -test-pol-nopw +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">listpols</span> +<span class="n">test</span><span class="o">-</span><span class="n">pol</span> +<span class="nb">dict</span><span class="o">-</span><span class="n">only</span> +<span class="n">once</span><span class="o">-</span><span class="n">a</span><span class="o">-</span><span class="nb">min</span> +<span class="n">test</span><span class="o">-</span><span class="n">pol</span><span class="o">-</span><span class="n">nopw</span> -kadmin: listpols t* -test-pol -test-pol-nopw -kadmin: +<span class="n">kadmin</span><span class="p">:</span> <span class="n">listpols</span> <span class="n">t</span><span class="o">*</span> +<span class="n">test</span><span class="o">-</span><span class="n">pol</span> +<span class="n">test</span><span class="o">-</span><span class="n">pol</span><span class="o">-</span><span 
class="n">nopw</span> +<span class="n">kadmin</span><span class="p">:</span> </pre></div> </div> </div> <div class="section" id="ktadd"> -<span id="list-policies-end"></span><span id="id17"></span><h3>ktadd<a class="headerlink" href="#ktadd" title="Permalink to this headline">¶</a></h3> +<span id="id17"></span><h3>ktadd<a class="headerlink" href="#ktadd" title="Permalink to this headline">¶</a></h3> <blockquote> <div><div class="line-block"> <div class="line"><strong>ktadd</strong> [options] <em>principal</em></div> @@ -761,7 +770,7 @@ kadmin: </div> </div></blockquote> <p>Adds a <em>principal</em>, or all principals matching <em>princ-exp</em>, to a -keytab file. Each principal’s keys are randomized in the process. +keytab file. Each principal’s keys are randomized in the process. The rules for <em>princ-exp</em> are described in the <strong>list_principals</strong> command.</p> <p>This command requires the <strong>inquire</strong> and <strong>changepw</strong> privileges. 
@@ -771,9 +780,9 @@ With the <strong>-glob</strong> form, it also requires the <strong>list</strong> <dt><strong>-k[eytab]</strong> <em>keytab</em></dt> <dd>Use <em>keytab</em> as the keytab file. Otherwise, the default keytab is used.</dd> -<dt><strong>-e</strong> <em>enc</em>:<em>salt</em>,...</dt> +<dt><strong>-e</strong> <em>enc</em>:<em>salt</em>,…</dt> <dd>Uses the specified keysalt list for setting the new keys of the -principal. See <a class="reference internal" href="../conf_files/kdc_conf.html#keysalt-lists"><em>Keysalt lists</em></a> in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> for a +principal. See <a class="reference internal" href="../conf_files/kdc_conf.html#keysalt-lists"><span class="std std-ref">Keysalt lists</span></a> in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a> for a list of possible values.</dd> <dt><strong>-q</strong></dt> <dd>Display less verbose information.</dd> 
@@ -782,26 +791,27 @@ list of possible values.</dd> unchanged. This option cannot be specified in combination with the <strong>-e</strong> option.</dd> </dl> -<p>An entry for each of the principal’s unique encryption types is added, +<p>An entry for each of the principal’s unique encryption types is added, ignoring multiple keys with the same encryption type but different salt types.</p> +<p>Alias: <strong>xst</strong></p> <p>Example:</p> -<div class="highlight-python"><div class="highlight"><pre>kadmin: ktadd -k /tmp/foo-new-keytab host/foo.mit.edu -Entry for principal host/foo.mit.edu@ATHENA.MIT.EDU with kvno 3, - encryption type aes256-cts-hmac-sha1-96 added to keytab - FILE:/tmp/foo-new-keytab -kadmin: +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">ktadd</span> <span class="o">-</span><span class="n">k</span> <span class="o">/</span><span class="n">tmp</span><span class="o">/</span><span class="n">foo</span><span class="o">-</span><span class="n">new</span><span class="o">-</span><span class="n">keytab</span> <span class="n">host</span><span class="o">/</span><span class="n">foo</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> +<span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">host</span><span class="o">/</span><span class="n">foo</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">3</span><span class="p">,</span> + <span class="n">encryption</span> <span class="nb">type</span> <span class="n">aes256</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span 
class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span> <span class="n">added</span> <span class="n">to</span> <span class="n">keytab</span> + <span class="n">FILE</span><span class="p">:</span><span class="o">/</span><span class="n">tmp</span><span class="o">/</span><span class="n">foo</span><span class="o">-</span><span class="n">new</span><span class="o">-</span><span class="n">keytab</span> +<span class="n">kadmin</span><span class="p">:</span> </pre></div> </div> </div> <div class="section" id="ktremove"> -<span id="ktadd-end"></span><span id="id18"></span><h3>ktremove<a class="headerlink" href="#ktremove" title="Permalink to this headline">¶</a></h3> +<span id="id18"></span><h3>ktremove<a class="headerlink" href="#ktremove" title="Permalink to this headline">¶</a></h3> <blockquote> <div><strong>ktremove</strong> [options] <em>principal</em> [<em>kvno</em> | <em>all</em> | <em>old</em>]</div></blockquote> <p>Removes entries for the specified <em>principal</em> from a keytab. Requires no permissions, since this does not require database access.</p> -<p>If the string “all” is specified, all entries for that principal are -removed; if the string “old” is specified, all entries for that +<p>If the string “all” is specified, all entries for that principal are +removed; if the string “old” is specified, all entries for that principal except those with the highest kvno are removed. Otherwise, the value specified is parsed as an integer, and all entries whose kvno match that integer are removed.</p> 
@@ -813,16 +823,17 @@ used.</dd> <dt><strong>-q</strong></dt> <dd>Display less verbose information.</dd> </dl> +<p>Alias: <strong>ktrem</strong></p> <p>Example:</p> -<div class="highlight-python"><div class="highlight"><pre>kadmin: ktremove kadmin/admin all -Entry for principal kadmin/admin with kvno 3 removed from keytab - FILE:/etc/krb5.keytab -kadmin: +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">ktremove</span> <span class="n">kadmin</span><span class="o">/</span><span class="n">admin</span> <span class="nb">all</span> +<span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">kadmin</span><span class="o">/</span><span class="n">admin</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">3</span> <span class="n">removed</span> <span class="kn">from</span> <span class="nn">keytab</span> + <span class="n">FILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">krb5</span><span class="o">.</span><span class="n">keytab</span> +<span class="n">kadmin</span><span class="p">:</span> </pre></div> </div> </div> <div class="section" id="lock"> -<span id="ktremove-end"></span><h3>lock<a class="headerlink" href="#lock" title="Permalink to this headline">¶</a></h3> +<h3>lock<a class="headerlink" href="#lock" title="Permalink to this headline">¶</a></h3> <p>Lock database exclusively. Use with extreme caution! This command only works with the DB2 KDC database module.</p> </div> 
@@ -846,9 +857,14 @@ only works with the DB2 KDC database module.</p> <p>The kadmin program was originally written by Tom Yu at MIT, as an interface to the OpenVision Kerberos administration program.</p> </div> +<div class="section" id="environment"> +<h2>ENVIRONMENT<a class="headerlink" href="#environment" title="Permalink to this headline">¶</a></h2> +<p>See <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a> for a description of Kerberos environment +variables.</p> +</div> <div class="section" id="see-also"> <h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2> -<p><a class="reference internal" href="../../user/user_commands/kpasswd.html#kpasswd-1"><em>kpasswd</em></a>, <a class="reference internal" href="kadmind.html#kadmind-8"><em>kadmind</em></a></p> +<p><a class="reference internal" href="../../user/user_commands/kpasswd.html#kpasswd-1"><span class="std std-ref">kpasswd</span></a>, <a class="reference internal" href="kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a>, <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a></p> </div> </div> @@ -891,6 +907,7 @@ interface to the OpenVision Kerberos administration program.</p> </ul> </li> <li><a class="reference internal" href="#history">HISTORY</a></li> +<li><a class="reference internal" href="#environment">ENVIRONMENT</a></li> <li><a class="reference internal" href="#see-also">SEE ALSO</a></li> </ul> </li> 
@@ -905,6 +922,7 @@ interface to the OpenVision Kerberos administration program.</p> <li class="toctree-l2"><a class="reference internal" href="../conf_files/index.html">Configuration Files</a></li> <li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li> <li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li> +<li class="toctree-l2"><a class="reference internal" href="../dbtypes.html">Database types</a></li> <li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li> <li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li> <li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li> 
@@ -912,12 +930,14 @@ interface to the OpenVision Kerberos administration program.</p> <li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li> <li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li> <li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li> +<li class="toctree-l2"><a class="reference internal" href="../spake.html">SPAKE Preauthentication</a></li> +<li class="toctree-l2"><a class="reference internal" href="../dictionary.html">Addressing dictionary attack risks</a></li> <li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li> <li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li> <li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li> <li class="toctree-l2"><a class="reference internal" href="../auth_indicator.html">Authentication indicators</a></li> <li class="toctree-l2 current"><a class="reference internal" href="index.html">Administration programs</a><ul class="current"> -<li class="toctree-l3 current"><a class="current reference internal" href="">kadmin</a></li> +<li class="toctree-l3 current"><a class="current reference internal" href="#">kadmin</a></li> <li class="toctree-l3"><a class="reference internal" href="kadmind.html">kadmind</a></li> <li class="toctree-l3"><a class="reference internal" href="kdb5_util.html">kdb5_util</a></li> <li class="toctree-l3"><a class="reference internal" href="kdb5_ldap_util.html">kdb5_ldap_util</a></li> 
@@ -964,8 +984,8 @@ interface to the OpenVision Kerberos administration program.</p> <div class="footer-wrapper"> <div class="footer" > - <div class="right" ><i>Release: 1.16</i><br /> - © <a href="../../copyright.html">Copyright</a> 1985-2017, MIT. + <div class="right" ><i>Release: 1.21.1</i><br /> + © <a href="../../copyright.html">Copyright</a> 1985-2023, MIT. </div> <div class="left"> diff --git a/doc/html/admin/admin_commands/kadmind.html b/doc/html/admin/admin_commands/kadmind.html index d30f4cede9e9..7d66d2b83bf3 100644 --- a/doc/html/admin/admin_commands/kadmind.html +++ b/doc/html/admin/admin_commands/kadmind.html 
@@ -1,33 +1,31 @@ + <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> - <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> - - <title>kadmind — MIT Kerberos Documentation</title> - + <title>kadmind — MIT Kerberos Documentation</title> <link rel="stylesheet" href="../../_static/agogo.css" type="text/css" /> <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" /> <link rel="stylesheet" href="../../_static/kerb.css" type="text/css" /> - <script type="text/javascript"> var DOCUMENTATION_OPTIONS = { URL_ROOT: '../../', - VERSION: '1.16', + VERSION: '1.21.1', COLLAPSE_INDEX: false, FILE_SUFFIX: '.html', - HAS_SOURCE: true + HAS_SOURCE: true, + SOURCELINK_SUFFIX: '.txt' }; </script> <script type="text/javascript" src="../../_static/jquery.js"></script> <script type="text/javascript" src="../../_static/underscore.js"></script> <script type="text/javascript" src="../../_static/doctools.js"></script> <link rel="author" title="About these documents" href="../../about.html" /> + <link rel="index" title="Index" href="../../genindex.html" /> + <link rel="search" title="Search" href="../../search.html" /> <link rel="copyright" title="Copyright" href="../../copyright.html" /> - <link rel="top" title="MIT Kerberos Documentation" href="../../index.html" /> - <link rel="up" title="Administration programs" href="index.html" /> <link rel="next" title="kdb5_util" href="kdb5_util.html" /> <link rel="prev" title="kadmin" href="kadmin_local.html" /> </head> @@ -61,7 +59,7 @@ <div class="documentwrapper"> <div class="bodywrapper"> - <div class="body"> + <div class="body" role="main"> <div class="section" id="kadmind"> <span id="kadmind-8"></span><h1>kadmind<a class="headerlink" href="#kadmind" title="Permalink to this headline">¶</a></h1> 
@@ -83,37 +81,37 @@ <div class="section" id="description"> <h2>DESCRIPTION<a class="headerlink" href="#description" title="Permalink to this headline">¶</a></h2> <p>kadmind starts the Kerberos administration server. kadmind typically -runs on the master Kerberos server, which stores the KDC database. If -the KDC database uses the LDAP module, the administration server and -the KDC server need not run on the same machine. kadmind accepts -remote requests from programs such as <a class="reference internal" href="kadmin_local.html#kadmin-1"><em>kadmin</em></a> and -<a class="reference internal" href="../../user/user_commands/kpasswd.html#kpasswd-1"><em>kpasswd</em></a> to administer the information in these database.</p> +runs on the primary Kerberos server, which stores the KDC database. +If the KDC database uses the LDAP module, the administration server +and the KDC server need not run on the same machine. kadmind accepts +remote requests from programs such as <a class="reference internal" href="kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> and +<a class="reference internal" href="../../user/user_commands/kpasswd.html#kpasswd-1"><span class="std std-ref">kpasswd</span></a> to administer the information in these database.</p> <p>kadmind requires a number of configuration files to be set up in order for it to work:</p> <dl class="docutils"> -<dt><a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a></dt> +<dt><a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a></dt> <dd>The KDC configuration file contains configuration information for the KDC and admin servers. 
kadmind uses settings in this file to locate the Kerberos database, and is also affected by the <strong>acl_file</strong>, <strong>dict_file</strong>, <strong>kadmind_port</strong>, and iprop-related settings.</dd> -<dt><a class="reference internal" href="../conf_files/kadm5_acl.html#kadm5-acl-5"><em>kadm5.acl</em></a></dt> -<dd>kadmind’s ACL (access control list) tells it which principals are +<dt><a class="reference internal" href="../conf_files/kadm5_acl.html#kadm5-acl-5"><span class="std std-ref">kadm5.acl</span></a></dt> +<dd>kadmind’s ACL (access control list) tells it which principals are allowed to perform administration actions. The pathname to the -ACL file can be specified with the <strong>acl_file</strong> <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> -variable; by default, it is <a class="reference internal" href="../../mitK5defaults.html#paths"><em>LOCALSTATEDIR</em></a><tt class="docutils literal"><span class="pre">/krb5kdc</span></tt><tt class="docutils literal"><span class="pre">/kadm5.acl</span></tt>.</dd> +ACL file can be specified with the <strong>acl_file</strong> <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a> +variable; by default, it is <a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">LOCALSTATEDIR</span></a><code class="docutils literal"><span class="pre">/krb5kdc</span></code><code class="docutils literal"><span class="pre">/kadm5.acl</span></code>.</dd> </dl> <p>After the server begins running, it puts itself in the background and disassociates itself from its controlling terminal.</p> <p>kadmind can be configured for incremental database propagation. -Incremental propagation allows slave KDC servers to receive principal -and policy updates incrementally instead of receiving full dumps of -the database. 
This facility can be enabled in the <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> -file with the <strong>iprop_enable</strong> option. Incremental propagation -requires the principal <tt class="docutils literal"><span class="pre">kiprop/MASTER\@REALM</span></tt> (where MASTER is the -master KDC’s canonical host name, and REALM the realm name). In -release 1.13, this principal is automatically created and registered -into the datebase.</p> +Incremental propagation allows replica KDC servers to receive +principal and policy updates incrementally instead of receiving full +dumps of the database. This facility can be enabled in the +<a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a> file with the <strong>iprop_enable</strong> option. Incremental +propagation requires the principal <code class="docutils literal"><span class="pre">kiprop/PRIMARY\@REALM</span></code> (where +PRIMARY is the primary KDC’s canonical host name, and REALM the realm +name). In release 1.13, this principal is automatically created and +registered into the datebase.</p> </div> <div class="section" id="options"> <h2>OPTIONS<a class="headerlink" href="#options" title="Permalink to this headline">¶</a></h2> 
@@ -128,17 +126,16 @@ invoked with the <strong>-nofork</strong> option) rather than from a file on disk.</dd> <dt><strong>-nofork</strong></dt> <dd>causes the server to remain in the foreground and remain -associated to the terminal. In normal operation, you should allow -the server to place itself in the background.</dd> +associated to the terminal.</dd> <dt><strong>-proponly</strong></dt> -<dd>causes the server to only listen and respond to Kerberos slave +<dd>causes the server to only listen and respond to Kerberos replica incremental propagation polling requests. This option can be used -to set up a hierarchical propagation topology where a slave KDC -provides incremental updates to other Kerberos slaves.</dd> +to set up a hierarchical propagation topology where a replica KDC +provides incremental updates to other Kerberos replicas.</dd> <dt><strong>-port</strong> <em>port-number</em></dt> <dd>specifies the port on which the administration server listens for connections. The default port is determined by the -<strong>kadmind_port</strong> configuration variable in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>.</dd> +<strong>kadmind_port</strong> configuration variable in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>.</dd> <dt><strong>-P</strong> <em>pid_file</em></dt> <dd>specifies the file to which the PID of kadmind process should be written after it starts up. This file can be used to identify 
@@ -149,22 +146,27 @@ the correct process.</dd> KDB in response to full resync requests when iprop is enabled.</dd> <dt><strong>-K</strong> <em>kprop_path</em></dt> <dd>specifies the path to the kprop command to use to send full dumps -to slaves in response to full resync requests.</dd> +to replicas in response to full resync requests.</dd> <dt><strong>-k</strong> <em>kprop_port</em></dt> -<dd>specifies the port by which the kprop process that is spawned by kadmind -connects to the slave kpropd, in order to transfer the dump file during -an iprop full resync request.</dd> +<dd>specifies the port by which the kprop process that is spawned by +kadmind connects to the replica kpropd, in order to transfer the +dump file during an iprop full resync request.</dd> <dt><strong>-F</strong> <em>dump_file</em></dt> <dd>specifies the file path to be used for dumping the KDB in response to full resync requests when iprop is enabled.</dd> <dt><strong>-x</strong> <em>db_args</em></dt> -<dd>specifies database-specific arguments. See <a class="reference internal" href="kadmin_local.html#dboptions"><em>Database Options</em></a> in <a class="reference internal" href="kadmin_local.html#kadmin-1"><em>kadmin</em></a> for supported arguments.</dd> +<dd>specifies database-specific arguments. 
See <a class="reference internal" href="kadmin_local.html#dboptions"><span class="std std-ref">Database Options</span></a> in <a class="reference internal" href="kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> for supported arguments.</dd> </dl> </div> +<div class="section" id="environment"> +<h2>ENVIRONMENT<a class="headerlink" href="#environment" title="Permalink to this headline">¶</a></h2> +<p>See <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a> for a description of Kerberos environment +variables.</p> +</div> <div class="section" id="see-also"> <h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2> -<p><a class="reference internal" href="../../user/user_commands/kpasswd.html#kpasswd-1"><em>kpasswd</em></a>, <a class="reference internal" href="kadmin_local.html#kadmin-1"><em>kadmin</em></a>, <a class="reference internal" href="kdb5_util.html#kdb5-util-8"><em>kdb5_util</em></a>, -<a class="reference internal" href="kdb5_ldap_util.html#kdb5-ldap-util-8"><em>kdb5_ldap_util</em></a>, <a class="reference internal" href="../conf_files/kadm5_acl.html#kadm5-acl-5"><em>kadm5.acl</em></a></p> +<p><a class="reference internal" href="../../user/user_commands/kpasswd.html#kpasswd-1"><span class="std std-ref">kpasswd</span></a>, <a class="reference internal" href="kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a>, <a class="reference internal" href="kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a>, +<a class="reference internal" href="kdb5_ldap_util.html#kdb5-ldap-util-8"><span class="std std-ref">kdb5_ldap_util</span></a>, <a class="reference internal" href="../conf_files/kadm5_acl.html#kadm5-acl-5"><span class="std std-ref">kadm5.acl</span></a>, <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a></p> 
</div> </div> @@ -180,6 +182,7 @@ to full resync requests when iprop is enabled.</dd> <li><a class="reference internal" href="#synopsis">SYNOPSIS</a></li> <li><a class="reference internal" href="#description">DESCRIPTION</a></li> <li><a class="reference internal" href="#options">OPTIONS</a></li> +<li><a class="reference internal" href="#environment">ENVIRONMENT</a></li> <li><a class="reference internal" href="#see-also">SEE ALSO</a></li> </ul> </li> @@ -194,6 +197,7 @@ to full resync requests when iprop is enabled.</dd> <li class="toctree-l2"><a class="reference internal" href="../conf_files/index.html">Configuration Files</a></li> <li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li> <li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li> +<li class="toctree-l2"><a class="reference internal" href="../dbtypes.html">Database types</a></li> <li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li> <li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li> <li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li> 
@@ -201,13 +205,15 @@ to full resync requests when iprop is enabled.</dd> <li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li> <li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li> <li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li> +<li class="toctree-l2"><a class="reference internal" href="../spake.html">SPAKE Preauthentication</a></li> +<li class="toctree-l2"><a class="reference internal" href="../dictionary.html">Addressing dictionary attack risks</a></li> <li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li> <li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li> <li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li> <li class="toctree-l2"><a class="reference internal" href="../auth_indicator.html">Authentication indicators</a></li> <li class="toctree-l2 current"><a class="reference internal" href="index.html">Administration programs</a><ul class="current"> <li class="toctree-l3"><a class="reference internal" href="kadmin_local.html">kadmin</a></li> -<li class="toctree-l3 current"><a class="current reference internal" href="">kadmind</a></li> +<li class="toctree-l3 current"><a class="current reference internal" href="#">kadmind</a></li> <li class="toctree-l3"><a class="reference internal" href="kdb5_util.html">kdb5_util</a></li> <li class="toctree-l3"><a class="reference internal" href="kdb5_ldap_util.html">kdb5_ldap_util</a></li> <li class="toctree-l3"><a class="reference internal" href="krb5kdc.html">krb5kdc</a></li> 
@@ -253,8 +259,8 @@ to full resync requests when iprop is enabled.</dd> <div class="footer-wrapper"> <div class="footer" > - <div class="right" ><i>Release: 1.16</i><br /> - © <a href="../../copyright.html">Copyright</a> 1985-2017, MIT. + <div class="right" ><i>Release: 1.21.1</i><br /> + © <a href="../../copyright.html">Copyright</a> 1985-2023, MIT. </div> <div class="left"> diff --git a/doc/html/admin/admin_commands/kdb5_ldap_util.html b/doc/html/admin/admin_commands/kdb5_ldap_util.html index b47450502a01..90632d0a66a6 100644 --- a/doc/html/admin/admin_commands/kdb5_ldap_util.html +++ b/doc/html/admin/admin_commands/kdb5_ldap_util.html 
@@ -1,33 +1,31 @@ + <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> - <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> - - <title>kdb5_ldap_util — MIT Kerberos Documentation</title> - + <title>kdb5_ldap_util — MIT Kerberos Documentation</title> <link rel="stylesheet" href="../../_static/agogo.css" type="text/css" /> <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" /> <link rel="stylesheet" href="../../_static/kerb.css" type="text/css" /> - <script type="text/javascript"> var DOCUMENTATION_OPTIONS = { URL_ROOT: '../../', - VERSION: '1.16', + VERSION: '1.21.1', COLLAPSE_INDEX: false, FILE_SUFFIX: '.html', - HAS_SOURCE: true + HAS_SOURCE: true, + SOURCELINK_SUFFIX: '.txt' }; </script> <script type="text/javascript" src="../../_static/jquery.js"></script> <script type="text/javascript" src="../../_static/underscore.js"></script> <script type="text/javascript" src="../../_static/doctools.js"></script> <link rel="author" title="About these documents" href="../../about.html" /> + <link rel="index" title="Index" href="../../genindex.html" /> + <link rel="search" title="Search" href="../../search.html" /> <link rel="copyright" title="Copyright" href="../../copyright.html" /> - <link rel="top" title="MIT Kerberos Documentation" href="../../index.html" /> - <link rel="up" title="Administration programs" href="index.html" /> <link rel="next" title="krb5kdc" href="krb5kdc.html" /> <link rel="prev" title="kdb5_util" href="kdb5_util.html" /> </head> @@ -61,7 +59,7 @@ <div class="documentwrapper"> <div class="bodywrapper"> - <div class="body"> + <div class="body" role="main"> <div class="section" id="kdb5-ldap-util"> <span id="kdb5-ldap-util-8"></span><h1>kdb5_ldap_util<a class="headerlink" href="#kdb5-ldap-util" title="Permalink to this headline">¶</a></h1> 
@@ -81,6 +79,8 @@ services and ticket policies.</p> <div class="section" id="command-line-options"> <h2>COMMAND-LINE OPTIONS<a class="headerlink" href="#command-line-options" title="Permalink to this headline">¶</a></h2> <dl class="docutils" id="kdb5-ldap-util-options"> +<dt><strong>-r</strong> <em>realm</em></dt> +<dd>Specifies the realm to be operated on.</dd> <dt><strong>-D</strong> <em>user_dn</em></dt> <dd>Specifies the Distinguished Name (DN) of the user who has sufficient rights to perform the operation on the LDAP server.</dd> @@ -88,9 +88,12 @@ sufficient rights to perform the operation on the LDAP server.</dd> <dd>Specifies the password of <em>user_dn</em>. This option is not recommended.</dd> <dt><strong>-H</strong> <em>ldapuri</em></dt> -<dd>Specifies the URI of the LDAP server. It is recommended to use -<tt class="docutils literal"><span class="pre">ldapi://</span></tt> or <tt class="docutils literal"><span class="pre">ldaps://</span></tt> to connect to the LDAP server.</dd> +<dd>Specifies the URI of the LDAP server.</dd> </dl> +<p>By default, kdb5_ldap_util operates on the default realm (as specified +in <a class="reference internal" href="../conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a>) and connects and authenticates to the LDAP +server in the same manner as :ref:kadmind(8)` would given the +parameters in <a class="reference internal" href="../conf_files/kdc_conf.html#dbdefaults"><span class="std std-ref">[dbdefaults]</span></a> in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>.</p> </div> <div class="section" id="commands"> <span id="kdb5-ldap-util-options-end"></span><h2>COMMANDS<a class="headerlink" href="#commands" title="Permalink to this headline">¶</a></h2> 
@@ -103,9 +106,9 @@ recommended.</dd> [<strong>-containerref</strong> <em>container_reference_dn</em>] [<strong>-k</strong> <em>mkeytype</em>] [<strong>-kv</strong> <em>mkeyVNO</em>] +[<strong>-M</strong> <em>mkeyname</em>] [<strong>-m|-P</strong> <em>password</em>|<strong>-sf</strong> <em>stashfilename</em>] [<strong>-s</strong>] -[<strong>-r</strong> <em>realm</em>] [<strong>-maxtktlife</strong> <em>max_ticket_life</em>] [<strong>-maxrenewlife</strong> <em>max_renewable_ticket_life</em>] [<em>ticket_flags</em>]</div></blockquote> @@ -114,7 +117,7 @@ recommended.</dd> <dt><strong>-subtrees</strong> <em>subtree_dn_list</em></dt> <dd>Specifies the list of subtrees containing the principals of a realm. The list contains the DNs of the subtree objects separated -by colon (<tt class="docutils literal"><span class="pre">:</span></tt>).</dd> +by colon (<code class="docutils literal"><span class="pre">:</span></code>).</dd> <dt><strong>-sscope</strong> <em>search_scope</em></dt> <dd>Specifies the scope for searching the principals under the subtree. The possible values are 1 or one (one level), 2 or sub 
@@ -127,42 +130,44 @@ realm container.</dd> <dt><strong>-k</strong> <em>mkeytype</em></dt> <dd>Specifies the key type of the master key in the database. The default is given by the <strong>master_key_type</strong> variable in -<a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>.</dd> +<a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>.</dd> <dt><strong>-kv</strong> <em>mkeyVNO</em></dt> <dd>Specifies the version number of the master key in the database; the default is 1. Note that 0 is not allowed.</dd> +<dt><strong>-M</strong> <em>mkeyname</em></dt> +<dd>Specifies the principal name for the master key in the database. +If not specified, the name is determined by the +<strong>master_key_name</strong> variable in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>.</dd> <dt><strong>-m</strong></dt> <dd>Specifies that the master database password should be read from the TTY rather than fetched from a file on the disk.</dd> <dt><strong>-P</strong> <em>password</em></dt> <dd>Specifies the master database password. 
This option is not recommended.</dd> -<dt><strong>-r</strong> <em>realm</em></dt> -<dd>Specifies the Kerberos realm of the database.</dd> <dt><strong>-sf</strong> <em>stashfilename</em></dt> <dd>Specifies the stash file of the master database password.</dd> <dt><strong>-s</strong></dt> <dd>Specifies that the stash file is to be created.</dd> <dt><strong>-maxtktlife</strong> <em>max_ticket_life</em></dt> -<dd>(<a class="reference internal" href="../../basic/date_format.html#getdate"><em>getdate time</em></a> string) Specifies maximum ticket life for +<dd>(<a class="reference internal" href="../../basic/date_format.html#getdate"><span class="std std-ref">getdate time</span></a> string) Specifies maximum ticket life for principals in this realm.</dd> <dt><strong>-maxrenewlife</strong> <em>max_renewable_ticket_life</em></dt> -<dd>(<a class="reference internal" href="../../basic/date_format.html#getdate"><em>getdate time</em></a> string) Specifies maximum renewable life of +<dd>(<a class="reference internal" href="../../basic/date_format.html#getdate"><span class="std std-ref">getdate time</span></a> string) Specifies maximum renewable life of tickets for principals in this realm.</dd> <dt><em>ticket_flags</em></dt> <dd>Specifies global ticket flags for the realm. Allowable flags are documented in the description of the <strong>add_principal</strong> command in -<a class="reference internal" href="kadmin_local.html#kadmin-1"><em>kadmin</em></a>.</dd> +<a class="reference internal" href="kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a>.</dd> </dl> <p>Example:</p> -<div class="highlight-python"><div class="highlight"><pre>kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu - create -subtrees o=org -sscope SUB -r ATHENA.MIT.EDU -Password for "cn=admin,o=org": -Initializing database for realm 'ATHENA.MIT.EDU' -You will be prompted for the database Master Password. -It is important that you NOT FORGET this password. 
-Enter KDC database master key: -Re-enter KDC database master key to verify: +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kdb5_ldap_util</span> <span class="o">-</span><span class="n">D</span> <span class="n">cn</span><span class="o">=</span><span class="n">admin</span><span class="p">,</span><span class="n">o</span><span class="o">=</span><span class="n">org</span> <span class="o">-</span><span class="n">H</span> <span class="n">ldaps</span><span class="p">:</span><span class="o">//</span><span class="n">ldap</span><span class="o">-</span><span class="n">server1</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> + <span class="o">-</span><span class="n">r</span> <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="n">create</span> <span class="o">-</span><span class="n">subtrees</span> <span class="n">o</span><span class="o">=</span><span class="n">org</span> <span class="o">-</span><span class="n">sscope</span> <span class="n">SUB</span> +<span class="n">Password</span> <span class="k">for</span> <span class="s2">"cn=admin,o=org"</span><span class="p">:</span> +<span class="n">Initializing</span> <span class="n">database</span> <span class="k">for</span> <span class="n">realm</span> <span class="s1">'ATHENA.MIT.EDU'</span> +<span class="n">You</span> <span class="n">will</span> <span class="n">be</span> <span class="n">prompted</span> <span class="k">for</span> <span class="n">the</span> <span class="n">database</span> <span class="n">Master</span> <span class="n">Password</span><span class="o">.</span> +<span class="n">It</span> <span class="ow">is</span> <span class="n">important</span> <span class="n">that</span> <span class="n">you</span> <span class="n">NOT</span> <span class="n">FORGET</span> <span class="n">this</span> <span class="n">password</span><span 
class="o">.</span> +<span class="n">Enter</span> <span class="n">KDC</span> <span class="n">database</span> <span class="n">master</span> <span class="n">key</span><span class="p">:</span> +<span class="n">Re</span><span class="o">-</span><span class="n">enter</span> <span class="n">KDC</span> <span class="n">database</span> <span class="n">master</span> <span class="n">key</span> <span class="n">to</span> <span class="n">verify</span><span class="p">:</span> </pre></div> </div> </div> @@ -173,7 +178,6 @@ Re-enter KDC database master key to verify: [<strong>-subtrees</strong> <em>subtree_dn_list</em>] [<strong>-sscope</strong> <em>search_scope</em>] [<strong>-containerref</strong> <em>container_reference_dn</em>] -[<strong>-r</strong> <em>realm</em>] [<strong>-maxtktlife</strong> <em>max_ticket_life</em>] [<strong>-maxrenewlife</strong> <em>max_renewable_ticket_life</em>] [<em>ticket_flags</em>]</div></blockquote> @@ -182,7 +186,7 @@ Re-enter KDC database master key to verify: <dt><strong>-subtrees</strong> <em>subtree_dn_list</em></dt> <dd>Specifies the list of subtrees containing the principals of a realm. The list contains the DNs of the subtree objects separated -by colon (<tt class="docutils literal"><span class="pre">:</span></tt>). This list replaces the existing list.</dd> +by colon (<code class="docutils literal"><span class="pre">:</span></code>). This list replaces the existing list.</dd> <dt><strong>-sscope</strong> <em>search_scope</em></dt> <dd>Specifies the scope for searching the principals under the subtrees. The possible values are 1 or one (one level), 2 or sub 
@@ -190,65 +194,56 @@ subtrees. The possible values are 1 or one (one level), 2 or sub <dt><strong>-containerref</strong> <em>container_reference_dn</em> Specifies the DN of the</dt> <dd>container object in which the principals of a realm will be created.</dd> -<dt><strong>-r</strong> <em>realm</em></dt> -<dd>Specifies the Kerberos realm of the database.</dd> <dt><strong>-maxtktlife</strong> <em>max_ticket_life</em></dt> -<dd>(<a class="reference internal" href="../../basic/date_format.html#getdate"><em>getdate time</em></a> string) Specifies maximum ticket life for +<dd>(<a class="reference internal" href="../../basic/date_format.html#getdate"><span class="std std-ref">getdate time</span></a> string) Specifies maximum ticket life for principals in this realm.</dd> <dt><strong>-maxrenewlife</strong> <em>max_renewable_ticket_life</em></dt> -<dd>(<a class="reference internal" href="../../basic/date_format.html#getdate"><em>getdate time</em></a> string) Specifies maximum renewable life of +<dd>(<a class="reference internal" href="../../basic/date_format.html#getdate"><span class="std std-ref">getdate time</span></a> string) Specifies maximum renewable life of tickets for principals in this realm.</dd> <dt><em>ticket_flags</em></dt> <dd>Specifies global ticket flags for the realm. 
Allowable flags are documented in the description of the <strong>add_principal</strong> command in -<a class="reference internal" href="kadmin_local.html#kadmin-1"><em>kadmin</em></a>.</dd> +<a class="reference internal" href="kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a>.</dd> </dl> <p>Example:</p> -<div class="highlight-python"><div class="highlight"><pre>shell% kdb5_ldap_util -D cn=admin,o=org -H - ldaps://ldap-server1.mit.edu modify +requires_preauth -r - ATHENA.MIT.EDU -Password for "cn=admin,o=org": -shell% +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">shell</span><span class="o">%</span> <span class="n">kdb5_ldap_util</span> <span class="o">-</span><span class="n">r</span> <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="o">-</span><span class="n">D</span> <span class="n">cn</span><span class="o">=</span><span class="n">admin</span><span class="p">,</span><span class="n">o</span><span class="o">=</span><span class="n">org</span> <span class="o">-</span><span class="n">H</span> + <span class="n">ldaps</span><span class="p">:</span><span class="o">//</span><span class="n">ldap</span><span class="o">-</span><span class="n">server1</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> <span class="n">modify</span> <span class="o">+</span><span class="n">requires_preauth</span> +<span class="n">Password</span> <span class="k">for</span> <span class="s2">"cn=admin,o=org"</span><span class="p">:</span> +<span class="n">shell</span><span class="o">%</span> </pre></div> </div> </div> <div class="section" id="view"> <span id="kdb5-ldap-util-modify-end"></span><h3>view<a class="headerlink" href="#view" title="Permalink to this headline">¶</a></h3> <blockquote id="kdb5-ldap-util-view"> -<div><strong>view</strong> [<strong>-r</strong> 
<em>realm</em>]</div></blockquote> -<p>Displays the attributes of a realm. Options:</p> -<dl class="docutils"> -<dt><strong>-r</strong> <em>realm</em></dt> -<dd>Specifies the Kerberos realm of the database.</dd> -</dl> +<div><strong>view</strong></div></blockquote> +<p>Displays the attributes of a realm.</p> <p>Example:</p> -<div class="highlight-python"><div class="highlight"><pre>kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu - view -r ATHENA.MIT.EDU -Password for "cn=admin,o=org": -Realm Name: ATHENA.MIT.EDU -Subtree: ou=users,o=org -Subtree: ou=servers,o=org -SearchScope: ONE -Maximum ticket life: 0 days 01:00:00 -Maximum renewable life: 0 days 10:00:00 -Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kdb5_ldap_util</span> <span class="o">-</span><span class="n">D</span> <span class="n">cn</span><span class="o">=</span><span class="n">admin</span><span class="p">,</span><span class="n">o</span><span class="o">=</span><span class="n">org</span> <span class="o">-</span><span class="n">H</span> <span class="n">ldaps</span><span class="p">:</span><span class="o">//</span><span class="n">ldap</span><span class="o">-</span><span class="n">server1</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> + <span class="o">-</span><span class="n">r</span> <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="n">view</span> +<span class="n">Password</span> <span class="k">for</span> <span class="s2">"cn=admin,o=org"</span><span class="p">:</span> +<span class="n">Realm</span> <span class="n">Name</span><span class="p">:</span> <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> +<span class="n">Subtree</span><span class="p">:</span> <span 
class="n">ou</span><span class="o">=</span><span class="n">users</span><span class="p">,</span><span class="n">o</span><span class="o">=</span><span class="n">org</span> +<span class="n">Subtree</span><span class="p">:</span> <span class="n">ou</span><span class="o">=</span><span class="n">servers</span><span class="p">,</span><span class="n">o</span><span class="o">=</span><span class="n">org</span> +<span class="n">SearchScope</span><span class="p">:</span> <span class="n">ONE</span> +<span class="n">Maximum</span> <span class="n">ticket</span> <span class="n">life</span><span class="p">:</span> <span class="mi">0</span> <span class="n">days</span> <span class="mi">01</span><span class="p">:</span><span class="mi">00</span><span class="p">:</span><span class="mi">00</span> +<span class="n">Maximum</span> <span class="n">renewable</span> <span class="n">life</span><span class="p">:</span> <span class="mi">0</span> <span class="n">days</span> <span class="mi">10</span><span class="p">:</span><span class="mi">00</span><span class="p">:</span><span class="mi">00</span> +<span class="n">Ticket</span> <span class="n">flags</span><span class="p">:</span> <span class="n">DISALLOW_FORWARDABLE</span> <span class="n">REQUIRES_PWCHANGE</span> </pre></div> </div> </div> <div class="section" id="destroy"> <span id="kdb5-ldap-util-view-end"></span><h3>destroy<a class="headerlink" href="#destroy" title="Permalink to this headline">¶</a></h3> <blockquote id="kdb5-ldap-util-destroy"> -<div><strong>destroy</strong> [<strong>-f</strong>] [<strong>-r</strong> <em>realm</em>]</div></blockquote> +<div><strong>destroy</strong> [<strong>-f</strong>]</div></blockquote> <p>Destroys an existing realm. 
Options:</p> <dl class="docutils"> <dt><strong>-f</strong></dt> <dd>If specified, will not prompt the user for confirmation.</dd> -<dt><strong>-r</strong> <em>realm</em></dt> -<dd>Specifies the Kerberos realm of the database.</dd> </dl> <p>Example:</p> -<div class="highlight-python"><div class="highlight"><pre>shell% kdb5_ldap_util -D cn=admin,o=org -H - ldaps://ldap-server1.mit.edu destroy -r ATHENA.MIT.EDU +<div class="highlight-default"><div class="highlight"><pre><span></span>shell% kdb5_ldap_util -r ATHENA.MIT.EDU -D cn=admin,o=org -H + ldaps://ldap-server1.mit.edu destroy Password for "cn=admin,o=org": Deleting KDC database of 'ATHENA.MIT.EDU', are you sure? (type 'yes' to confirm)? yes 
@@ -261,15 +256,15 @@ shell% <span id="kdb5-ldap-util-destroy-end"></span><h3>list<a class="headerlink" href="#list" title="Permalink to this headline">¶</a></h3> <blockquote id="kdb5-ldap-util-list"> <div><strong>list</strong></div></blockquote> -<p>Lists the name of realms.</p> +<p>Lists the names of realms under the container.</p> <p>Example:</p> -<div class="highlight-python"><div class="highlight"><pre>shell% kdb5_ldap_util -D cn=admin,o=org -H - ldaps://ldap-server1.mit.edu list -Password for "cn=admin,o=org": -ATHENA.MIT.EDU -OPENLDAP.MIT.EDU -MEDIA-LAB.MIT.EDU -shell% +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">shell</span><span class="o">%</span> <span class="n">kdb5_ldap_util</span> <span class="o">-</span><span class="n">D</span> <span class="n">cn</span><span class="o">=</span><span class="n">admin</span><span class="p">,</span><span class="n">o</span><span class="o">=</span><span class="n">org</span> <span class="o">-</span><span class="n">H</span> + <span class="n">ldaps</span><span class="p">:</span><span class="o">//</span><span class="n">ldap</span><span class="o">-</span><span class="n">server1</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> <span class="nb">list</span> +<span class="n">Password</span> <span class="k">for</span> <span class="s2">"cn=admin,o=org"</span><span class="p">:</span> +<span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> +<span class="n">OPENLDAP</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> +<span class="n">MEDIA</span><span class="o">-</span><span class="n">LAB</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> +<span class="n">shell</span><span class="o">%</span> </pre></div> </div> </div> 
@@ -285,22 +280,22 @@ to the LDAP server. Options:</p> <dl class="docutils"> <dt><strong>-f</strong> <em>filename</em></dt> <dd>Specifies the complete path of the service password file. By -default, <tt class="docutils literal"><span class="pre">/usr/local/var/service_passwd</span></tt> is used.</dd> +default, <code class="docutils literal"><span class="pre">/usr/local/var/service_passwd</span></code> is used.</dd> <dt><em>name</em></dt> <dd>Specifies the name of the object whose password is to be stored. -If <a class="reference internal" href="krb5kdc.html#krb5kdc-8"><em>krb5kdc</em></a> or <a class="reference internal" href="kadmind.html#kadmind-8"><em>kadmind</em></a> are configured for +If <a class="reference internal" href="krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a> or <a class="reference internal" href="kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> are configured for simple binding, this should be the distinguished name it will use as given by the <strong>ldap_kdc_dn</strong> or <strong>ldap_kadmind_dn</strong> -variable in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>. If the KDC or kadmind is +variable in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>. 
If the KDC or kadmind is configured for SASL binding, this should be the authentication name it will use as given by the <strong>ldap_kdc_sasl_authcid</strong> or <strong>ldap_kadmind_sasl_authcid</strong> variable.</dd> </dl> <p>Example:</p> -<div class="highlight-python"><div class="highlight"><pre>kdb5_ldap_util stashsrvpw -f /home/andrew/conf_keyfile - cn=service-kdc,o=org -Password for "cn=service-kdc,o=org": -Re-enter password for "cn=service-kdc,o=org": +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kdb5_ldap_util</span> <span class="n">stashsrvpw</span> <span class="o">-</span><span class="n">f</span> <span class="o">/</span><span class="n">home</span><span class="o">/</span><span class="n">andrew</span><span class="o">/</span><span class="n">conf_keyfile</span> + <span class="n">cn</span><span class="o">=</span><span class="n">service</span><span class="o">-</span><span class="n">kdc</span><span class="p">,</span><span class="n">o</span><span class="o">=</span><span class="n">org</span> +<span class="n">Password</span> <span class="k">for</span> <span class="s2">"cn=service-kdc,o=org"</span><span class="p">:</span> +<span class="n">Re</span><span class="o">-</span><span class="n">enter</span> <span class="n">password</span> <span class="k">for</span> <span class="s2">"cn=service-kdc,o=org"</span><span class="p">:</span> </pre></div> </div> </div> 
@@ -308,35 +303,32 @@ Re-enter password for "cn=service-kdc,o=org": <span id="kdb5-ldap-util-stashsrvpw-end"></span><h3>create_policy<a class="headerlink" href="#create-policy" title="Permalink to this headline">¶</a></h3> <blockquote id="kdb5-ldap-util-create-policy"> <div><strong>create_policy</strong> -[<strong>-r</strong> <em>realm</em>] [<strong>-maxtktlife</strong> <em>max_ticket_life</em>] [<strong>-maxrenewlife</strong> <em>max_renewable_ticket_life</em>] [<em>ticket_flags</em>] <em>policy_name</em></div></blockquote> <p>Creates a ticket policy in the directory. Options:</p> <dl class="docutils"> -<dt><strong>-r</strong> <em>realm</em></dt> -<dd>Specifies the Kerberos realm of the database.</dd> <dt><strong>-maxtktlife</strong> <em>max_ticket_life</em></dt> -<dd>(<a class="reference internal" href="../../basic/date_format.html#getdate"><em>getdate time</em></a> string) Specifies maximum ticket life for +<dd>(<a class="reference internal" href="../../basic/date_format.html#getdate"><span class="std std-ref">getdate time</span></a> string) Specifies maximum ticket life for principals.</dd> <dt><strong>-maxrenewlife</strong> <em>max_renewable_ticket_life</em></dt> -<dd>(<a class="reference internal" href="../../basic/date_format.html#getdate"><em>getdate time</em></a> string) Specifies maximum renewable life of +<dd>(<a class="reference internal" href="../../basic/date_format.html#getdate"><span class="std std-ref">getdate time</span></a> string) Specifies maximum renewable life of tickets for principals.</dd> <dt><em>ticket_flags</em></dt> <dd>Specifies the ticket flags. If this option is not specified, by default, no restriction will be set by the policy. 
Allowable flags are documented in the description of the <strong>add_principal</strong> -command in <a class="reference internal" href="kadmin_local.html#kadmin-1"><em>kadmin</em></a>.</dd> +command in <a class="reference internal" href="kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a>.</dd> <dt><em>policy_name</em></dt> <dd>Specifies the name of the ticket policy.</dd> </dl> <p>Example:</p> -<div class="highlight-python"><div class="highlight"><pre>kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu - create_policy -r ATHENA.MIT.EDU -maxtktlife "1 day" - -maxrenewlife "1 week" -allow_postdated +needchange - -allow_forwardable tktpolicy -Password for "cn=admin,o=org": +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kdb5_ldap_util</span> <span class="o">-</span><span class="n">D</span> <span class="n">cn</span><span class="o">=</span><span class="n">admin</span><span class="p">,</span><span class="n">o</span><span class="o">=</span><span class="n">org</span> <span class="o">-</span><span class="n">H</span> <span class="n">ldaps</span><span class="p">:</span><span class="o">//</span><span class="n">ldap</span><span class="o">-</span><span class="n">server1</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> + <span class="o">-</span><span class="n">r</span> <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="n">create_policy</span> <span class="o">-</span><span class="n">maxtktlife</span> <span class="s2">"1 day"</span> + <span class="o">-</span><span class="n">maxrenewlife</span> <span class="s2">"1 week"</span> <span class="o">-</span><span class="n">allow_postdated</span> <span class="o">+</span><span class="n">needchange</span> + <span class="o">-</span><span class="n">allow_forwardable</span> <span class="n">tktpolicy</span> +<span 
class="n">Password</span> <span class="k">for</span> <span class="s2">"cn=admin,o=org"</span><span class="p">:</span> </pre></div> </div> </div> @@ -344,7 +336,6 @@ Password for "cn=admin,o=org": <span id="kdb5-ldap-util-create-policy-end"></span><h3>modify_policy<a class="headerlink" href="#modify-policy" title="Permalink to this headline">¶</a></h3> <blockquote id="kdb5-ldap-util-modify-policy"> <div><strong>modify_policy</strong> -[<strong>-r</strong> <em>realm</em>] [<strong>-maxtktlife</strong> <em>max_ticket_life</em>] [<strong>-maxrenewlife</strong> <em>max_renewable_ticket_life</em>] [<em>ticket_flags</em>] 
@@ -352,11 +343,11 @@ Password for "cn=admin,o=org": <p>Modifies the attributes of a ticket policy. Options are same as for <strong>create_policy</strong>.</p> <p>Example:</p> -<div class="highlight-python"><div class="highlight"><pre>kdb5_ldap_util -D cn=admin,o=org -H - ldaps://ldap-server1.mit.edu modify_policy -r ATHENA.MIT.EDU - -maxtktlife "60 minutes" -maxrenewlife "10 hours" - +allow_postdated -requires_preauth tktpolicy -Password for "cn=admin,o=org": +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kdb5_ldap_util</span> <span class="o">-</span><span class="n">D</span> <span class="n">cn</span><span class="o">=</span><span class="n">admin</span><span class="p">,</span><span class="n">o</span><span class="o">=</span><span class="n">org</span> <span class="o">-</span><span class="n">H</span> + <span class="n">ldaps</span><span class="p">:</span><span class="o">//</span><span class="n">ldap</span><span class="o">-</span><span class="n">server1</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> <span class="o">-</span><span class="n">r</span> <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="n">modify_policy</span> + <span class="o">-</span><span class="n">maxtktlife</span> <span class="s2">"60 minutes"</span> <span class="o">-</span><span class="n">maxrenewlife</span> <span class="s2">"10 hours"</span> + <span class="o">+</span><span class="n">allow_postdated</span> <span class="o">-</span><span class="n">requires_preauth</span> <span class="n">tktpolicy</span> +<span class="n">Password</span> <span class="k">for</span> <span class="s2">"cn=admin,o=org"</span><span class="p">:</span> </pre></div> </div> </div> 
@@ -364,21 +355,16 @@ Password for "cn=admin,o=org": <span id="kdb5-ldap-util-modify-policy-end"></span><h3>view_policy<a class="headerlink" href="#view-policy" title="Permalink to this headline">¶</a></h3> <blockquote id="kdb5-ldap-util-view-policy"> <div><strong>view_policy</strong> -[<strong>-r</strong> <em>realm</em>] <em>policy_name</em></div></blockquote> -<p>Displays the attributes of a ticket policy. Options:</p> -<dl class="docutils"> -<dt><em>policy_name</em></dt> -<dd>Specifies the name of the ticket policy.</dd> -</dl> +<p>Displays the attributes of the named ticket policy.</p> <p>Example:</p> -<div class="highlight-python"><div class="highlight"><pre>kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu - view_policy -r ATHENA.MIT.EDU tktpolicy -Password for "cn=admin,o=org": -Ticket policy: tktpolicy -Maximum ticket life: 0 days 01:00:00 -Maximum renewable life: 0 days 10:00:00 -Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kdb5_ldap_util</span> <span class="o">-</span><span class="n">D</span> <span class="n">cn</span><span class="o">=</span><span class="n">admin</span><span class="p">,</span><span class="n">o</span><span class="o">=</span><span class="n">org</span> <span class="o">-</span><span class="n">H</span> <span class="n">ldaps</span><span class="p">:</span><span class="o">//</span><span class="n">ldap</span><span class="o">-</span><span class="n">server1</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> + <span class="o">-</span><span class="n">r</span> <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="n">view_policy</span> <span class="n">tktpolicy</span> +<span class="n">Password</span> <span class="k">for</span> <span class="s2">"cn=admin,o=org"</span><span class="p">:</span> +<span 
class="n">Ticket</span> <span class="n">policy</span><span class="p">:</span> <span class="n">tktpolicy</span> +<span class="n">Maximum</span> <span class="n">ticket</span> <span class="n">life</span><span class="p">:</span> <span class="mi">0</span> <span class="n">days</span> <span class="mi">01</span><span class="p">:</span><span class="mi">00</span><span class="p">:</span><span class="mi">00</span> +<span class="n">Maximum</span> <span class="n">renewable</span> <span class="n">life</span><span class="p">:</span> <span class="mi">0</span> <span class="n">days</span> <span class="mi">10</span><span class="p">:</span><span class="mi">00</span><span class="p">:</span><span class="mi">00</span> +<span class="n">Ticket</span> <span class="n">flags</span><span class="p">:</span> <span class="n">DISALLOW_FORWARDABLE</span> <span class="n">REQUIRES_PWCHANGE</span> </pre></div> </div> </div> @@ -386,13 +372,10 @@ Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE <span id="kdb5-ldap-util-view-policy-end"></span><h3>destroy_policy<a class="headerlink" href="#destroy-policy" title="Permalink to this headline">¶</a></h3> <blockquote id="kdb5-ldap-util-destroy-policy"> <div><strong>destroy_policy</strong> -[<strong>-r</strong> <em>realm</em>] [<strong>-force</strong>] <em>policy_name</em></div></blockquote> <p>Destroys an existing ticket policy. Options:</p> <dl class="docutils"> -<dt><strong>-r</strong> <em>realm</em></dt> -<dd>Specifies the Kerberos realm of the database.</dd> <dt><strong>-force</strong></dt> <dd>Forces the deletion of the policy object. If not specified, the user will be prompted for confirmation before deleting the policy.</dd> 
@@ -400,8 +383,8 @@ user will be prompted for confirmation before deleting the policy.</dd> <dd>Specifies the name of the ticket policy.</dd> </dl> <p>Example:</p> -<div class="highlight-python"><div class="highlight"><pre>kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu - destroy_policy -r ATHENA.MIT.EDU tktpolicy +<div class="highlight-default"><div class="highlight"><pre><span></span>kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu + -r ATHENA.MIT.EDU destroy_policy tktpolicy Password for "cn=admin,o=org": This will delete the policy object 'tktpolicy', are you sure? (type 'yes' to confirm)? yes 
@@ -412,28 +395,27 @@ This will delete the policy object 'tktpolicy', are you sure? <div class="section" id="list-policy"> <span id="kdb5-ldap-util-destroy-policy-end"></span><h3>list_policy<a class="headerlink" href="#list-policy" title="Permalink to this headline">¶</a></h3> <blockquote id="kdb5-ldap-util-list-policy"> -<div><strong>list_policy</strong> -[<strong>-r</strong> <em>realm</em>]</div></blockquote> -<p>Lists the ticket policies in realm if specified or in the default -realm. Options:</p> -<dl class="docutils"> -<dt><strong>-r</strong> <em>realm</em></dt> -<dd>Specifies the Kerberos realm of the database.</dd> -</dl> +<div><strong>list_policy</strong></div></blockquote> +<p>Lists ticket policies.</p> <p>Example:</p> -<div class="highlight-python"><div class="highlight"><pre>kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu - list_policy -r ATHENA.MIT.EDU -Password for "cn=admin,o=org": -tktpolicy -tmppolicy -userpolicy +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kdb5_ldap_util</span> <span class="o">-</span><span class="n">D</span> <span class="n">cn</span><span class="o">=</span><span class="n">admin</span><span class="p">,</span><span class="n">o</span><span class="o">=</span><span class="n">org</span> <span class="o">-</span><span class="n">H</span> <span class="n">ldaps</span><span class="p">:</span><span class="o">//</span><span class="n">ldap</span><span class="o">-</span><span class="n">server1</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> + <span class="o">-</span><span class="n">r</span> <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="n">list_policy</span> +<span class="n">Password</span> <span class="k">for</span> <span class="s2">"cn=admin,o=org"</span><span class="p">:</span> +<span class="n">tktpolicy</span> +<span 
class="n">tmppolicy</span> +<span class="n">userpolicy</span> </pre></div> </div> </div> </div> +<div class="section" id="environment"> +<span id="kdb5-ldap-util-list-policy-end"></span><h2>ENVIRONMENT<a class="headerlink" href="#environment" title="Permalink to this headline">¶</a></h2> +<p>See <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a> for a description of Kerberos environment +variables.</p> +</div> <div class="section" id="see-also"> -<span id="kdb5-ldap-util-list-policy-end"></span><h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2> -<p><a class="reference internal" href="kadmin_local.html#kadmin-1"><em>kadmin</em></a></p> +<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2> +<p><a class="reference internal" href="kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a>, <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a></p> </div> </div> @@ -463,6 +445,7 @@ userpolicy <li><a class="reference internal" href="#list-policy">list_policy</a></li> </ul> </li> +<li><a class="reference internal" href="#environment">ENVIRONMENT</a></li> <li><a class="reference internal" href="#see-also">SEE ALSO</a></li> </ul> </li> 
@@ -477,6 +460,7 @@ userpolicy <li class="toctree-l2"><a class="reference internal" href="../conf_files/index.html">Configuration Files</a></li> <li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li> <li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li> +<li class="toctree-l2"><a class="reference internal" href="../dbtypes.html">Database types</a></li> <li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li> <li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li> <li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li> @@ -484,6 +468,8 @@ userpolicy <li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li> <li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li> <li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li> +<li class="toctree-l2"><a class="reference internal" href="../spake.html">SPAKE Preauthentication</a></li> +<li class="toctree-l2"><a class="reference internal" href="../dictionary.html">Addressing dictionary attack risks</a></li> <li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li> <li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li> <li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li> 
@@ -492,7 +478,7 @@ userpolicy <li class="toctree-l3"><a class="reference internal" href="kadmin_local.html">kadmin</a></li> <li class="toctree-l3"><a class="reference internal" href="kadmind.html">kadmind</a></li> <li class="toctree-l3"><a class="reference internal" href="kdb5_util.html">kdb5_util</a></li> -<li class="toctree-l3 current"><a class="current reference internal" href="">kdb5_ldap_util</a></li> +<li class="toctree-l3 current"><a class="current reference internal" href="#">kdb5_ldap_util</a></li> <li class="toctree-l3"><a class="reference internal" href="krb5kdc.html">krb5kdc</a></li> <li class="toctree-l3"><a class="reference internal" href="kprop.html">kprop</a></li> <li class="toctree-l3"><a class="reference internal" href="kpropd.html">kpropd</a></li> @@ -536,8 +522,8 @@ userpolicy <div class="footer-wrapper"> <div class="footer" > - <div class="right" ><i>Release: 1.16</i><br /> - © <a href="../../copyright.html">Copyright</a> 1985-2017, MIT. + <div class="right" ><i>Release: 1.21.1</i><br /> + © <a href="../../copyright.html">Copyright</a> 1985-2023, MIT. </div> <div class="left"> diff --git a/doc/html/admin/admin_commands/kdb5_util.html b/doc/html/admin/admin_commands/kdb5_util.html index 87493732a708..dcd33e4f9fe4 100644 --- a/doc/html/admin/admin_commands/kdb5_util.html +++ b/doc/html/admin/admin_commands/kdb5_util.html 
@@ -1,33 +1,31 @@ + <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> - <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> - - <title>kdb5_util — MIT Kerberos Documentation</title> - + <title>kdb5_util — MIT Kerberos Documentation</title> <link rel="stylesheet" href="../../_static/agogo.css" type="text/css" /> <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" /> <link rel="stylesheet" href="../../_static/kerb.css" type="text/css" /> - <script type="text/javascript"> var DOCUMENTATION_OPTIONS = { URL_ROOT: '../../', - VERSION: '1.16', + VERSION: '1.21.1', COLLAPSE_INDEX: false, FILE_SUFFIX: '.html', - HAS_SOURCE: true + HAS_SOURCE: true, + SOURCELINK_SUFFIX: '.txt' }; </script> <script type="text/javascript" src="../../_static/jquery.js"></script> <script type="text/javascript" src="../../_static/underscore.js"></script> <script type="text/javascript" src="../../_static/doctools.js"></script> <link rel="author" title="About these documents" href="../../about.html" /> + <link rel="index" title="Index" href="../../genindex.html" /> + <link rel="search" title="Search" href="../../search.html" /> <link rel="copyright" title="Copyright" href="../../copyright.html" /> - <link rel="top" title="MIT Kerberos Documentation" href="../../index.html" /> - <link rel="up" title="Administration programs" href="index.html" /> <link rel="next" title="kdb5_ldap_util" href="kdb5_ldap_util.html" /> <link rel="prev" title="kadmind" href="kadmind.html" /> </head> @@ -61,7 +59,7 @@ <div class="documentwrapper"> <div class="bodywrapper"> - <div class="body"> + <div class="body" role="main"> <div class="section" id="kdb5-util"> <span id="kdb5-util-8"></span><h1>kdb5_util<a class="headerlink" href="#kdb5-util" title="Permalink to this headline">¶</a></h1> 
@@ -71,10 +69,12 @@ [<strong>-r</strong> <em>realm</em>] [<strong>-d</strong> <em>dbname</em>] [<strong>-k</strong> <em>mkeytype</em>] -[<strong>-M</strong> <em>mkeyname</em>] [<strong>-kv</strong> <em>mkeyVNO</em>] -[<strong>-sf</strong> <em>stashfilename</em>] +[<strong>-M</strong> <em>mkeyname</em>] [<strong>-m</strong>] +[<strong>-sf</strong> <em>stashfilename</em>] +[<strong>-P</strong> <em>password</em>] +[<strong>-x</strong> <em>db_args</em>] <em>command</em> [<em>command_options</em>]</p> </div> <div class="section" id="description"> 
@@ -97,31 +97,34 @@ commands.</p> <dd>specifies the Kerberos realm of the database.</dd> <dt><strong>-d</strong> <em>dbname</em></dt> <dd>specifies the name under which the principal database is stored; -by default the database is that listed in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>. The +by default the database is that listed in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>. The password policy database and lock files are also derived from this value.</dd> <dt><strong>-k</strong> <em>mkeytype</em></dt> <dd>specifies the key type of the master key in the database. The default is given by the <strong>master_key_type</strong> variable in -<a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>.</dd> +<a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>.</dd> <dt><strong>-kv</strong> <em>mkeyVNO</em></dt> <dd>Specifies the version number of the master key in the database; the default is 1. Note that 0 is not allowed.</dd> <dt><strong>-M</strong> <em>mkeyname</em></dt> <dd>principal name for the master key in the database. If not specified, the name is determined by the <strong>master_key_name</strong> -variable in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>.</dd> +variable in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>.</dd> <dt><strong>-m</strong></dt> <dd>specifies that the master database password should be read from the keyboard rather than fetched from a file on disk.</dd> <dt><strong>-sf</strong> <em>stash_file</em></dt> <dd>specifies the stash filename of the master database password. 
If not specified, the filename is determined by the -<strong>key_stash_file</strong> variable in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>.</dd> +<strong>key_stash_file</strong> variable in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>.</dd> <dt><strong>-P</strong> <em>password</em></dt> <dd>specifies the master database password. Using this option may expose the password to other users on the system via the process list.</dd> +<dt><strong>-x</strong> <em>db_args</em></dt> +<dd>specifies database-specific options. See <a class="reference internal" href="kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> for +supported options.</dd> </dl> </div> <div class="section" id="commands"> 
@@ -147,34 +150,33 @@ the <strong>-f</strong> argument, does not prompt the user.</p> <span id="kdb5-util-destroy-end"></span><h3>stash<a class="headerlink" href="#stash" title="Permalink to this headline">¶</a></h3> <blockquote id="kdb5-util-stash"> <div><strong>stash</strong> [<strong>-f</strong> <em>keyfile</em>]</div></blockquote> -<p>Stores the master principal’s keys in a stash file. The <strong>-f</strong> +<p>Stores the master principal’s keys in a stash file. The <strong>-f</strong> argument can be used to override the <em>keyfile</em> specified in -<a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>.</p> +<a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>.</p> </div> <div class="section" id="dump"> <span id="kdb5-util-stash-end"></span><h3>dump<a class="headerlink" href="#dump" title="Permalink to this headline">¶</a></h3> <blockquote id="kdb5-util-dump"> -<div><strong>dump</strong> [<strong>-b7</strong>|<strong>-ov</strong>|<strong>-r13</strong>] [<strong>-verbose</strong>] -[<strong>-mkey_convert</strong>] [<strong>-new_mkey_file</strong> <em>mkey_file</em>] [<strong>-rev</strong>] -[<strong>-recurse</strong>] [<em>filename</em> [<em>principals</em>...]]</div></blockquote> +<div><strong>dump</strong> [<strong>-b7</strong>|<strong>-r13</strong>|<strong>-r18</strong>] +[<strong>-verbose</strong>] [<strong>-mkey_convert</strong>] [<strong>-new_mkey_file</strong> +<em>mkey_file</em>] [<strong>-rev</strong>] [<strong>-recurse</strong>] [<em>filename</em> +[<em>principals</em>…]]</div></blockquote> <p>Dumps the current Kerberos and KADM5 database into an ASCII file. By -default, the database is dumped in current format, “kdb5_util -load_dump version 7”. If filename is not specified, or is the string -“-”, the dump is sent to standard output. Options:</p> +default, the database is dumped in current format, “kdb5_util +load_dump version 7”. 
If filename is not specified, or is the string +“-“, the dump is sent to standard output. Options:</p> <dl class="docutils"> <dt><strong>-b7</strong></dt> -<dd>causes the dump to be in the Kerberos 5 Beta 7 format (“kdb5_util -load_dump version 4”). This was the dump format produced on +<dd>causes the dump to be in the Kerberos 5 Beta 7 format (“kdb5_util +load_dump version 4”). This was the dump format produced on releases prior to 1.2.2.</dd> -<dt><strong>-ov</strong></dt> -<dd>causes the dump to be in “ovsec_adm_export” format.</dd> <dt><strong>-r13</strong></dt> -<dd>causes the dump to be in the Kerberos 5 1.3 format (“kdb5_util -load_dump version 5”). This was the dump format produced on +<dd>causes the dump to be in the Kerberos 5 1.3 format (“kdb5_util +load_dump version 5”). This was the dump format produced on releases prior to 1.8.</dd> <dt><strong>-r18</strong></dt> -<dd>causes the dump to be in the Kerberos 5 1.8 format (“kdb5_util -load_dump version 6”). This was the dump format produced on +<dd>causes the dump to be in the Kerberos 5 1.8 format (“kdb5_util +load_dump version 6”). This was the dump format produced on releases prior to 1.11.</dd> <dt><strong>-verbose</strong></dt> <dd>causes the name of each principal and policy to be printed as it 
@@ -210,8 +212,8 @@ doing a normal dump instead of a recursive traversal.</p> <div class="section" id="load"> <span id="kdb5-util-dump-end"></span><h3>load<a class="headerlink" href="#load" title="Permalink to this headline">¶</a></h3> <blockquote id="kdb5-util-load"> -<div><strong>load</strong> [<strong>-b7</strong>|<strong>-ov</strong>|<strong>-r13</strong>] [<strong>-hash</strong>] -[<strong>-verbose</strong>] [<strong>-update</strong>] <em>filename</em> [<em>dbname</em>]</div></blockquote> +<div><strong>load</strong> [<strong>-b7</strong>|<strong>-r13</strong>|<strong>-r18</strong>] [<strong>-hash</strong>] +[<strong>-verbose</strong>] [<strong>-update</strong>] <em>filename</em></div></blockquote> <p>Loads a database dump from the named file into the named database. If no option is given to determine the format of the dump file, the format is detected automatically and handled as appropriate. Unless 
@@ -223,24 +225,22 @@ database module, the <strong>-update</strong> flag is required.</p> <dl class="docutils"> <dt><strong>-b7</strong></dt> <dd>requires the database to be in the Kerberos 5 Beta 7 format -(“kdb5_util load_dump version 4”). This was the dump format +(“kdb5_util load_dump version 4”). This was the dump format produced on releases prior to 1.2.2.</dd> -<dt><strong>-ov</strong></dt> -<dd>requires the database to be in “ovsec_adm_import” format. Must be -used with the <strong>-update</strong> option.</dd> <dt><strong>-r13</strong></dt> -<dd>requires the database to be in Kerberos 5 1.3 format (“kdb5_util -load_dump version 5”). This was the dump format produced on +<dd>requires the database to be in Kerberos 5 1.3 format (“kdb5_util +load_dump version 5”). This was the dump format produced on releases prior to 1.8.</dd> <dt><strong>-r18</strong></dt> -<dd>requires the database to be in Kerberos 5 1.8 format (“kdb5_util -load_dump version 6”). This was the dump format produced on +<dd>requires the database to be in Kerberos 5 1.8 format (“kdb5_util +load_dump version 6”). This was the dump format produced on releases prior to 1.11.</dd> <dt><strong>-hash</strong></dt> -<dd>requires the database to be stored as a hash. If this option is -not specified, the database will be stored as a btree. This -option is not recommended, as databases stored in hash format are -known to corrupt data and lose principals.</dd> +<dd>stores the database in hash format, if using the DB2 database +type. If this option is not specified, the database will be +stored in btree format. This option is not recommended, as +databases stored in hash format are known to corrupt data and lose +principals.</dd> <dt><strong>-verbose</strong></dt> <dd>causes the name of each principal and policy to be printed as it is dumped.</dd> 
@@ -250,13 +250,11 @@ database. Otherwise, a new database is created containing only what is in the dump file and the old one destroyed upon successful completion.</dd> </dl> -<p>If specified, <em>dbname</em> overrides the value specified on the command -line or the default.</p> </div> <div class="section" id="ark"> <span id="kdb5-util-load-end"></span><h3>ark<a class="headerlink" href="#ark" title="Permalink to this headline">¶</a></h3> <blockquote> -<div><strong>ark</strong> [<strong>-e</strong> <em>enc</em>:<em>salt</em>,...] <em>principal</em></div></blockquote> +<div><strong>ark</strong> [<strong>-e</strong> <em>enc</em>:<em>salt</em>,…] <em>principal</em></div></blockquote> <p>Adds new random keys to <em>principal</em> at the next available key version number. Keys for the current highest key version number will be preserved. The <strong>-e</strong> option specifies the list of encryption and 
@@ -269,12 +267,12 @@ salt types to be used for the new keys.</p> <p>Adds a new master key to the master key principal, but does not mark it as active. Existing master keys will remain. The <strong>-e</strong> option specifies the encryption type of the new master key; see -<a class="reference internal" href="../conf_files/kdc_conf.html#encryption-types"><em>Encryption types</em></a> in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> for a list of possible +<a class="reference internal" href="../conf_files/kdc_conf.html#encryption-types"><span class="std std-ref">Encryption types</span></a> in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a> for a list of possible values. The <strong>-s</strong> option stashes the new master key in the stash -file, which will be created if it doesn’t already exist.</p> -<p>After a new master key is added, it should be propagated to slave -servers via a manual or periodic invocation of <a class="reference internal" href="kprop.html#kprop-8"><em>kprop</em></a>. Then, -the stash files on the slave servers should be updated with the +file, which will be created if it doesn’t already exist.</p> +<p>After a new master key is added, it should be propagated to replica +servers via a manual or periodic invocation of <a class="reference internal" href="kprop.html#kprop-8"><span class="std std-ref">kprop</span></a>. Then, +the stash files on the replica servers should be updated with the kdb5_util <strong>stash</strong> command. Once those steps are complete, the key is ready to be marked active with the kdb5_util <strong>use_mkey</strong> command.</p> </div> 
@@ -286,7 +284,7 @@ is ready to be marked active with the kdb5_util <strong>use_mkey</strong> comman Once a master key becomes active, it will be used to encrypt newly created principal keys. If no <em>time</em> argument is given, the current time is used, causing the specified master key version to become -active immediately. The format for <em>time</em> is <a class="reference internal" href="../../basic/date_format.html#getdate"><em>getdate time</em></a> string.</p> +active immediately. The format for <em>time</em> is <a class="reference internal" href="../../basic/date_format.html#getdate"><span class="std std-ref">getdate time</span></a> string.</p> <p>After a new master key becomes active, the kdb5_util <strong>update_princ_encryption</strong> command can be used to update all principal keys to be encrypted in the new master key.</p> @@ -297,8 +295,8 @@ principal keys to be encrypted in the new master key.</p> <div><strong>list_mkeys</strong></div></blockquote> <p>List all master keys, from most recent to earliest, in the master key principal. The output will show the kvno, enctype, and salt type for -each mkey, similar to the output of <a class="reference internal" href="kadmin_local.html#kadmin-1"><em>kadmin</em></a> <strong>getprinc</strong>. A -<tt class="docutils literal"><span class="pre">*</span></tt> following an mkey denotes the currently active master key.</p> +each mkey, similar to the output of <a class="reference internal" href="kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> <strong>getprinc</strong>. A +<code class="docutils literal"><span class="pre">*</span></code> following an mkey denotes the currently active master key.</p> </div> <div class="section" id="purge-mkeys"> <h3>purge_mkeys<a class="headerlink" href="#purge-mkeys" title="Permalink to this headline">¶</a></h3> 
@@ -354,7 +352,7 @@ below).</p> instead of the default tab-separated (unquoted, unescaped) format</dd> <dt><strong>-e</strong></dt> <dd>write empty hexadecimal string fields as empty fields instead of -as “-1”.</dd> +as “-1”.</dd> <dt><strong>-n</strong></dt> <dd>produce numeric output for fields that normally have symbolic output, such as enctypes and flag names. Also requests output of @@ -372,7 +370,7 @@ output</dd> <dt><strong>name</strong></dt> <dd>principal name</dd> <dt><strong>keyindex</strong></dt> -<dd>index of this key in the principal’s key list</dd> +<dd>index of this key in the principal’s key list</dd> <dt><strong>kvno</strong></dt> <dd>key version number</dd> <dt><strong>enctype</strong></dt> @@ -432,7 +430,7 @@ set.</p> <dd>policy object name</dd> <dt><strong>mkvno</strong></dt> <dd>key version number of the master key that encrypts this -principal’s key data</dd> +principal’s key data</dd> <dt><strong>hist_kvno</strong></dt> <dd>key version number of the history key that encrypts the key history data for this principal</dd> 
@@ -467,27 +465,32 @@ lifetimes</p> </dd> </dl> <p>Examples:</p> -<div class="highlight-python"><div class="highlight"><pre>$ kdb5_util tabdump -o keyinfo.txt keyinfo +<div class="highlight-default"><div class="highlight"><pre><span></span>$ kdb5_util tabdump -o keyinfo.txt keyinfo $ cat keyinfo.txt name keyindex kvno enctype salttype salt +K/M@EXAMPLE.COM 0 1 aes256-cts-hmac-sha384-192 normal -1 foo@EXAMPLE.COM 0 1 aes128-cts-hmac-sha1-96 normal -1 bar@EXAMPLE.COM 0 1 aes128-cts-hmac-sha1-96 normal -1 -bar@EXAMPLE.COM 1 1 des-cbc-crc normal -1 $ sqlite3 sqlite> .mode tabs sqlite> .import keyinfo.txt keyinfo -sqlite> select * from keyinfo where enctype like 'des-cbc-%'; -bar@EXAMPLE.COM 1 1 des-cbc-crc normal -1 +sqlite> select * from keyinfo where enctype like 'aes256-%'; +K/M@EXAMPLE.COM 1 1 aes256-cts-hmac-sha384-192 normal -1 sqlite> .quit -$ awk -F'\t' '$4 ~ /des-cbc-/ { print }' keyinfo.txt -bar@EXAMPLE.COM 1 1 des-cbc-crc normal -1 +$ awk -F'\t' '$4 ~ /aes256-/ { print }' keyinfo.txt +K/M@EXAMPLE.COM 1 1 aes256-cts-hmac-sha384-192 normal -1 </pre></div> </div> </div> </div> +<div class="section" id="environment"> +<h2>ENVIRONMENT<a class="headerlink" href="#environment" title="Permalink to this headline">¶</a></h2> +<p>See <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a> for a description of Kerberos environment +variables.</p> +</div> <div class="section" id="see-also"> <h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2> -<p><a class="reference internal" href="kadmin_local.html#kadmin-1"><em>kadmin</em></a></p> +<p><a class="reference internal" href="kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a>, <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a></p> </div> </div> 
@@ -518,6 +521,7 @@ bar@EXAMPLE.COM 1 1 des-cbc-crc normal -1 <li><a class="reference internal" href="#tabdump">tabdump</a></li> </ul> </li> +<li><a class="reference internal" href="#environment">ENVIRONMENT</a></li> <li><a class="reference internal" href="#see-also">SEE ALSO</a></li> </ul> </li> @@ -532,6 +536,7 @@ bar@EXAMPLE.COM 1 1 des-cbc-crc normal -1 <li class="toctree-l2"><a class="reference internal" href="../conf_files/index.html">Configuration Files</a></li> <li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li> <li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li> +<li class="toctree-l2"><a class="reference internal" href="../dbtypes.html">Database types</a></li> <li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li> <li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li> <li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li> 
@@ -539,6 +544,8 @@ bar@EXAMPLE.COM 1 1 des-cbc-crc normal -1 <li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li> <li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li> <li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li> +<li class="toctree-l2"><a class="reference internal" href="../spake.html">SPAKE Preauthentication</a></li> +<li class="toctree-l2"><a class="reference internal" href="../dictionary.html">Addressing dictionary attack risks</a></li> <li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li> <li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li> <li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li> @@ -546,7 +553,7 @@ bar@EXAMPLE.COM 1 1 des-cbc-crc normal -1 <li class="toctree-l2 current"><a class="reference internal" href="index.html">Administration programs</a><ul class="current"> <li class="toctree-l3"><a class="reference internal" href="kadmin_local.html">kadmin</a></li> <li class="toctree-l3"><a class="reference internal" href="kadmind.html">kadmind</a></li> -<li class="toctree-l3 current"><a class="current reference internal" href="">kdb5_util</a></li> +<li class="toctree-l3 current"><a class="current reference internal" href="#">kdb5_util</a></li> <li class="toctree-l3"><a class="reference internal" href="kdb5_ldap_util.html">kdb5_ldap_util</a></li> <li class="toctree-l3"><a class="reference internal" href="krb5kdc.html">krb5kdc</a></li> <li class="toctree-l3"><a class="reference internal" href="kprop.html">kprop</a></li> 
@@ -591,8 +598,8 @@ bar@EXAMPLE.COM 1 1 des-cbc-crc normal -1 <div class="footer-wrapper"> <div class="footer" > - <div class="right" ><i>Release: 1.16</i><br /> - © <a href="../../copyright.html">Copyright</a> 1985-2017, MIT. + <div class="right" ><i>Release: 1.21.1</i><br /> + © <a href="../../copyright.html">Copyright</a> 1985-2023, MIT. </div> <div class="left"> diff --git a/doc/html/admin/admin_commands/kprop.html b/doc/html/admin/admin_commands/kprop.html index 73939b48421a..a4fe1a8fef3b 100644 --- a/doc/html/admin/admin_commands/kprop.html +++ b/doc/html/admin/admin_commands/kprop.html 
@@ -1,33 +1,31 @@ + <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> - <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> - - <title>kprop — MIT Kerberos Documentation</title> - + <title>kprop — MIT Kerberos Documentation</title> <link rel="stylesheet" href="../../_static/agogo.css" type="text/css" /> <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" /> <link rel="stylesheet" href="../../_static/kerb.css" type="text/css" /> - <script type="text/javascript"> var DOCUMENTATION_OPTIONS = { URL_ROOT: '../../', - VERSION: '1.16', + VERSION: '1.21.1', COLLAPSE_INDEX: false, FILE_SUFFIX: '.html', - HAS_SOURCE: true + HAS_SOURCE: true, + SOURCELINK_SUFFIX: '.txt' }; </script> <script type="text/javascript" src="../../_static/jquery.js"></script> <script type="text/javascript" src="../../_static/underscore.js"></script> <script type="text/javascript" src="../../_static/doctools.js"></script> <link rel="author" title="About these documents" href="../../about.html" /> + <link rel="index" title="Index" href="../../genindex.html" /> + <link rel="search" title="Search" href="../../search.html" /> <link rel="copyright" title="Copyright" href="../../copyright.html" /> - <link rel="top" title="MIT Kerberos Documentation" href="../../index.html" /> - <link rel="up" title="Administration programs" href="index.html" /> <link rel="next" title="kpropd" href="kpropd.html" /> <link rel="prev" title="krb5kdc" href="krb5kdc.html" /> </head> @@ -61,7 +59,7 @@ <div class="documentwrapper"> <div class="bodywrapper"> - <div class="body"> + <div class="body" role="main"> <div class="section" id="kprop"> <span id="kprop-8"></span><h1>kprop<a class="headerlink" href="#kprop" title="Permalink to this headline">¶</a></h1> 
@@ -73,26 +71,26 @@ [<strong>-d</strong>] [<strong>-P</strong> <em>port</em>] [<strong>-s</strong> <em>keytab</em>] -<em>slave_host</em></p> +<em>replica_host</em></p> </div> <div class="section" id="description"> <h2>DESCRIPTION<a class="headerlink" href="#description" title="Permalink to this headline">¶</a></h2> <p>kprop is used to securely propagate a Kerberos V5 database dump file -from the master Kerberos server to a slave Kerberos server, which is -specified by <em>slave_host</em>. The dump file must be created by -<a class="reference internal" href="kdb5_util.html#kdb5-util-8"><em>kdb5_util</em></a>.</p> +from the primary Kerberos server to a replica Kerberos server, which is +specified by <em>replica_host</em>. The dump file must be created by +<a class="reference internal" href="kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a>.</p> </div> <div class="section" id="options"> <h2>OPTIONS<a class="headerlink" href="#options" title="Permalink to this headline">¶</a></h2> <dl class="docutils"> <dt><strong>-r</strong> <em>realm</em></dt> -<dd>Specifies the realm of the master server.</dd> +<dd>Specifies the realm of the primary server.</dd> <dt><strong>-f</strong> <em>file</em></dt> <dd>Specifies the filename where the dumped principal database file is to be found; by default the dumped database file is normally -<a class="reference internal" href="../../mitK5defaults.html#paths"><em>LOCALSTATEDIR</em></a><tt class="docutils literal"><span class="pre">/krb5kdc</span></tt><tt class="docutils literal"><span class="pre">/slave_datatrans</span></tt>.</dd> +<a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">LOCALSTATEDIR</span></a><code class="docutils literal"><span class="pre">/krb5kdc</span></code><code class="docutils literal"><span class="pre">/replica_datatrans</span></code>.</dd> <dt><strong>-P</strong> <em>port</em></dt> -<dd>Specifies the port to use to contact the <a class="reference 
internal" href="kpropd.html#kpropd-8"><em>kpropd</em></a> server +<dd>Specifies the port to use to contact the <a class="reference internal" href="kpropd.html#kpropd-8"><span class="std std-ref">kpropd</span></a> server on the remote host.</dd> <dt><strong>-d</strong></dt> <dd>Prints debugging information.</dd> @@ -102,14 +100,13 @@ on the remote host.</dd> </div> <div class="section" id="environment"> <h2>ENVIRONMENT<a class="headerlink" href="#environment" title="Permalink to this headline">¶</a></h2> -<p><em>kprop</em> uses the following environment variable:</p> -<ul class="simple"> -<li><strong>KRB5_CONFIG</strong></li> -</ul> +<p>See <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a> for a description of Kerberos environment +variables.</p> </div> <div class="section" id="see-also"> <h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2> -<p><a class="reference internal" href="kpropd.html#kpropd-8"><em>kpropd</em></a>, <a class="reference internal" href="kdb5_util.html#kdb5-util-8"><em>kdb5_util</em></a>, <a class="reference internal" href="krb5kdc.html#krb5kdc-8"><em>krb5kdc</em></a></p> +<p><a class="reference internal" href="kpropd.html#kpropd-8"><span class="std std-ref">kpropd</span></a>, <a class="reference internal" href="kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a>, <a class="reference internal" href="krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a>, +<a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a></p> </div> </div> 
@@ -140,6 +137,7 @@ on the remote host.</dd> <li class="toctree-l2"><a class="reference internal" href="../conf_files/index.html">Configuration Files</a></li> <li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li> <li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li> +<li class="toctree-l2"><a class="reference internal" href="../dbtypes.html">Database types</a></li> <li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li> <li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li> <li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li> @@ -147,6 +145,8 @@ on the remote host.</dd> <li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li> <li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li> <li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li> +<li class="toctree-l2"><a class="reference internal" href="../spake.html">SPAKE Preauthentication</a></li> +<li class="toctree-l2"><a class="reference internal" href="../dictionary.html">Addressing dictionary attack risks</a></li> <li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li> <li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li> <li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li> 
@@ -157,7 +157,7 @@ on the remote host.</dd> <li class="toctree-l3"><a class="reference internal" href="kdb5_util.html">kdb5_util</a></li> <li class="toctree-l3"><a class="reference internal" href="kdb5_ldap_util.html">kdb5_ldap_util</a></li> <li class="toctree-l3"><a class="reference internal" href="krb5kdc.html">krb5kdc</a></li> -<li class="toctree-l3 current"><a class="current reference internal" href="">kprop</a></li> +<li class="toctree-l3 current"><a class="current reference internal" href="#">kprop</a></li> <li class="toctree-l3"><a class="reference internal" href="kpropd.html">kpropd</a></li> <li class="toctree-l3"><a class="reference internal" href="kproplog.html">kproplog</a></li> <li class="toctree-l3"><a class="reference internal" href="ktutil.html">ktutil</a></li> @@ -199,8 +199,8 @@ on the remote host.</dd> <div class="footer-wrapper"> <div class="footer" > - <div class="right" ><i>Release: 1.16</i><br /> - © <a href="../../copyright.html">Copyright</a> 1985-2017, MIT. + <div class="right" ><i>Release: 1.21.1</i><br /> + © <a href="../../copyright.html">Copyright</a> 1985-2023, MIT. </div> <div class="left"> diff --git a/doc/html/admin/admin_commands/kpropd.html b/doc/html/admin/admin_commands/kpropd.html index 163f4ac8cd75..2bd16d7d043b 100644 --- a/doc/html/admin/admin_commands/kpropd.html +++ b/doc/html/admin/admin_commands/kpropd.html 
@@ -1,33 +1,31 @@ + <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> - <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> - - <title>kpropd — MIT Kerberos Documentation</title> - + <title>kpropd — MIT Kerberos Documentation</title> <link rel="stylesheet" href="../../_static/agogo.css" type="text/css" /> <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" /> <link rel="stylesheet" href="../../_static/kerb.css" type="text/css" /> - <script type="text/javascript"> var DOCUMENTATION_OPTIONS = { URL_ROOT: '../../', - VERSION: '1.16', + VERSION: '1.21.1', COLLAPSE_INDEX: false, FILE_SUFFIX: '.html', - HAS_SOURCE: true + HAS_SOURCE: true, + SOURCELINK_SUFFIX: '.txt' }; </script> <script type="text/javascript" src="../../_static/jquery.js"></script> <script type="text/javascript" src="../../_static/underscore.js"></script> <script type="text/javascript" src="../../_static/doctools.js"></script> <link rel="author" title="About these documents" href="../../about.html" /> + <link rel="index" title="Index" href="../../genindex.html" /> + <link rel="search" title="Search" href="../../search.html" /> <link rel="copyright" title="Copyright" href="../../copyright.html" /> - <link rel="top" title="MIT Kerberos Documentation" href="../../index.html" /> - <link rel="up" title="Administration programs" href="index.html" /> <link rel="next" title="kproplog" href="kproplog.html" /> <link rel="prev" title="kprop" href="kprop.html" /> </head> @@ -61,7 +59,7 @@ <div class="documentwrapper"> <div class="bodywrapper"> - <div class="body"> + <div class="body" role="main"> <div class="section" id="kpropd"> <span id="kpropd-8"></span><h1>kpropd<a class="headerlink" href="#kpropd" title="Permalink to this headline">¶</a></h1> 
@@ -71,31 +69,33 @@ [<strong>-r</strong> <em>realm</em>] [<strong>-A</strong> <em>admin_server</em>] [<strong>-a</strong> <em>acl_file</em>] -[<strong>-f</strong> <em>slave_dumpfile</em>] +[<strong>-f</strong> <em>replica_dumpfile</em>] [<strong>-F</strong> <em>principal_database</em>] [<strong>-p</strong> <em>kdb5_util_prog</em>] [<strong>-P</strong> <em>port</em>] -[<strong>–pid-file</strong>=<em>pid_file</em>] +[<strong>–pid-file</strong>=<em>pid_file</em>] +[<strong>-D</strong>] [<strong>-d</strong>] -[<strong>-t</strong>]</p> +[<strong>-s</strong> <em>keytab_file</em>]</p> </div> <div class="section" id="description"> <h2>DESCRIPTION<a class="headerlink" href="#description" title="Permalink to this headline">¶</a></h2> -<p>The <em>kpropd</em> command runs on the slave KDC server. It listens for -update requests made by the <a class="reference internal" href="kprop.html#kprop-8"><em>kprop</em></a> program. If incremental +<p>The <em>kpropd</em> command runs on the replica KDC server. It listens for +update requests made by the <a class="reference internal" href="kprop.html#kprop-8"><span class="std std-ref">kprop</span></a> program. If incremental propagation is enabled, it periodically requests incremental updates -from the master KDC.</p> -<p>When the slave receives a kprop request from the master, kpropd +from the primary KDC.</p> +<p>When the replica receives a kprop request from the primary, kpropd accepts the dumped KDC database and places it in a file, and then runs -<a class="reference internal" href="kdb5_util.html#kdb5-util-8"><em>kdb5_util</em></a> to load the dumped database into the active -database which is used by <a class="reference internal" href="krb5kdc.html#krb5kdc-8"><em>krb5kdc</em></a>. This allows the master -Kerberos server to use <a class="reference internal" href="kprop.html#kprop-8"><em>kprop</em></a> to propagate its database to -the slave servers. 
Upon a successful download of the KDC database -file, the slave Kerberos server will have an up-to-date KDC database.</p> +<a class="reference internal" href="kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a> to load the dumped database into the active +database which is used by <a class="reference internal" href="krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a>. This allows the primary +Kerberos server to use <a class="reference internal" href="kprop.html#kprop-8"><span class="std std-ref">kprop</span></a> to propagate its database to +the replica servers. Upon a successful download of the KDC database +file, the replica Kerberos server will have an up-to-date KDC +database.</p> <p>Where incremental propagation is not used, kpropd is commonly invoked out of inetd(8) as a nowait service. This is done by adding a line to -the <tt class="docutils literal"><span class="pre">/etc/inetd.conf</span></tt> file which looks like this:</p> -<div class="highlight-python"><div class="highlight"><pre>kprop stream tcp nowait root /usr/local/sbin/kpropd kpropd +the <code class="docutils literal"><span class="pre">/etc/inetd.conf</span></code> file which looks like this:</p> +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kprop</span> <span class="n">stream</span> <span class="n">tcp</span> <span class="n">nowait</span> <span class="n">root</span> <span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">local</span><span class="o">/</span><span class="n">sbin</span><span class="o">/</span><span class="n">kpropd</span> <span class="n">kpropd</span> </pre></div> </div> <p>kpropd can also run as a standalone daemon, backgrounding itself and 
@@ -107,75 +107,77 @@ not. Prior to release 1.11, the <strong>-S</strong> option is required to run kpropd in standalone mode; this option is now accepted for backward compatibility but does nothing.</p> <p>Incremental propagation may be enabled with the <strong>iprop_enable</strong> -variable in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>. If incremental propagation is -enabled, the slave periodically polls the master KDC for updates, at -an interval determined by the <strong>iprop_slave_poll</strong> variable. If the -slave receives updates, kpropd updates its log file with any updates -from the master. <a class="reference internal" href="kproplog.html#kproplog-8"><em>kproplog</em></a> can be used to view a summary of -the update entry log on the slave KDC. If incremental propagation is -enabled, the principal <tt class="docutils literal"><span class="pre">kiprop/slavehostname@REALM</span></tt> (where -<em>slavehostname</em> is the name of the slave KDC host, and <em>REALM</em> is the -name of the Kerberos realm) must be present in the slave’s keytab -file.</p> -<p><a class="reference internal" href="kproplog.html#kproplog-8"><em>kproplog</em></a> can be used to force full replication when iprop is +variable in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>. If incremental propagation is +enabled, the replica periodically polls the primary KDC for updates, at +an interval determined by the <strong>iprop_replica_poll</strong> variable. If the +replica receives updates, kpropd updates its log file with any updates +from the primary. <a class="reference internal" href="kproplog.html#kproplog-8"><span class="std std-ref">kproplog</span></a> can be used to view a summary of +the update entry log on the replica KDC. 
If incremental propagation +is enabled, the principal <code class="docutils literal"><span class="pre">kiprop/replicahostname@REALM</span></code> (where +<em>replicahostname</em> is the name of the replica KDC host, and <em>REALM</em> is +the name of the Kerberos realm) must be present in the replica’s +keytab file.</p> +<p><a class="reference internal" href="kproplog.html#kproplog-8"><span class="std std-ref">kproplog</span></a> can be used to force full replication when iprop is enabled.</p> </div> <div class="section" id="options"> <h2>OPTIONS<a class="headerlink" href="#options" title="Permalink to this headline">¶</a></h2> <dl class="docutils"> <dt><strong>-r</strong> <em>realm</em></dt> -<dd>Specifies the realm of the master server.</dd> +<dd>Specifies the realm of the primary server.</dd> <dt><strong>-A</strong> <em>admin_server</em></dt> <dd>Specifies the server to be contacted for incremental updates; by -default, the master admin server is contacted.</dd> +default, the primary admin server is contacted.</dd> <dt><strong>-f</strong> <em>file</em></dt> <dd>Specifies the filename where the dumped principal database file is -to be stored; by default the dumped database file is <a class="reference internal" href="../../mitK5defaults.html#paths"><em>LOCALSTATEDIR</em></a><tt class="docutils literal"><span class="pre">/krb5kdc</span></tt><tt class="docutils literal"><span class="pre">/from_master</span></tt>.</dd> +to be stored; by default the dumped database file is <a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">LOCALSTATEDIR</span></a><code class="docutils literal"><span class="pre">/krb5kdc</span></code><code class="docutils literal"><span class="pre">/from_master</span></code>.</dd> +<dt><strong>-F</strong> <em>kerberos_db</em></dt> +<dd>Path to the Kerberos database file, if not the default.</dd> <dt><strong>-p</strong></dt> -<dd>Allows the user to specify the pathname to the <a class="reference internal" 
href="kdb5_util.html#kdb5-util-8"><em>kdb5_util</em></a> -program; by default the pathname used is <a class="reference internal" href="../../mitK5defaults.html#paths"><em>SBINDIR</em></a><tt class="docutils literal"><span class="pre">/kdb5_util</span></tt>.</dd> +<dd>Allows the user to specify the pathname to the <a class="reference internal" href="kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a> +program; by default the pathname used is <a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">SBINDIR</span></a><code class="docutils literal"><span class="pre">/kdb5_util</span></code>.</dd> +<dt><strong>-D</strong></dt> +<dd>In this mode, kpropd will not detach itself from the current job +and run in the background. Instead, it will run in the +foreground.</dd> <dt><strong>-d</strong></dt> -<dd>Turn on debug mode. In this mode, kpropd will not detach -itself from the current job and run in the background. Instead, -it will run in the foreground and print out debugging messages -during the database propagation.</dd> -<dt><strong>-t</strong></dt> -<dd>In standalone mode without incremental propagation, exit after one -dump file is received. In incremental propagation mode, exit as -soon as the database is up to date, or if the master returns an -error.</dd> +<dd>Turn on debug mode. kpropd will print out debugging messages +during the database propogation and will run in the foreground +(implies <strong>-D</strong>).</dd> <dt><strong>-P</strong></dt> <dd>Allow for an alternate port number for kpropd to listen on. 
This is only useful in combination with the <strong>-S</strong> option.</dd> <dt><strong>-a</strong> <em>acl_file</em></dt> <dd>Allows the user to specify the path to the kpropd.acl file; by -default the path used is <a class="reference internal" href="../../mitK5defaults.html#paths"><em>LOCALSTATEDIR</em></a><tt class="docutils literal"><span class="pre">/krb5kdc</span></tt><tt class="docutils literal"><span class="pre">/kpropd.acl</span></tt>.</dd> -<dt><strong>–pid-file</strong>=<em>pid_file</em></dt> +default the path used is <a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">LOCALSTATEDIR</span></a><code class="docutils literal"><span class="pre">/krb5kdc</span></code><code class="docutils literal"><span class="pre">/kpropd.acl</span></code>.</dd> +<dt><strong>–pid-file</strong>=<em>pid_file</em></dt> <dd>In standalone mode, write the process ID of the daemon into <em>pid_file</em>.</dd> +<dt><strong>-s</strong> <em>keytab_file</em></dt> +<dd>Path to a keytab to use for acquiring acceptor credentials.</dd> +<dt><strong>-x</strong> <em>db_args</em></dt> +<dd>Database-specific arguments. 
See <a class="reference internal" href="kadmin_local.html#dboptions"><span class="std std-ref">Database Options</span></a> in <a class="reference internal" href="kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> for supported arguments.</dd> </dl> </div> -<div class="section" id="environment"> -<h2>ENVIRONMENT<a class="headerlink" href="#environment" title="Permalink to this headline">¶</a></h2> -<p>kpropd uses the following environment variables:</p> -<ul class="simple"> -<li><strong>KRB5_CONFIG</strong></li> -<li><strong>KRB5_KDC_PROFILE</strong></li> -</ul> -</div> <div class="section" id="files"> <h2>FILES<a class="headerlink" href="#files" title="Permalink to this headline">¶</a></h2> <dl class="docutils"> <dt>kpropd.acl</dt> <dd>Access file for kpropd; the default location is -<tt class="docutils literal"><span class="pre">/usr/local/var/krb5kdc/kpropd.acl</span></tt>. Each entry is a line +<code class="docutils literal"><span class="pre">/usr/local/var/krb5kdc/kpropd.acl</span></code>. 
Each entry is a line containing the principal of a host from which the local machine -will allow Kerberos database propagation via <a class="reference internal" href="kprop.html#kprop-8"><em>kprop</em></a>.</dd> +will allow Kerberos database propagation via <a class="reference internal" href="kprop.html#kprop-8"><span class="std std-ref">kprop</span></a>.</dd> </dl> </div> +<div class="section" id="environment"> +<h2>ENVIRONMENT<a class="headerlink" href="#environment" title="Permalink to this headline">¶</a></h2> +<p>See <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a> for a description of Kerberos environment +variables.</p> +</div> <div class="section" id="see-also"> <h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2> -<p><a class="reference internal" href="kprop.html#kprop-8"><em>kprop</em></a>, <a class="reference internal" href="kdb5_util.html#kdb5-util-8"><em>kdb5_util</em></a>, <a class="reference internal" href="krb5kdc.html#krb5kdc-8"><em>krb5kdc</em></a>, inetd(8)</p> +<p><a class="reference internal" href="kprop.html#kprop-8"><span class="std std-ref">kprop</span></a>, <a class="reference internal" href="kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a>, <a class="reference internal" href="krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a>, +<a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a>, inetd(8)</p> </div> </div> 
@@ -191,8 +193,8 @@ will allow Kerberos database propagation via <a class="reference internal" href= <li><a class="reference internal" href="#synopsis">SYNOPSIS</a></li> <li><a class="reference internal" href="#description">DESCRIPTION</a></li> <li><a class="reference internal" href="#options">OPTIONS</a></li> -<li><a class="reference internal" href="#environment">ENVIRONMENT</a></li> <li><a class="reference internal" href="#files">FILES</a></li> +<li><a class="reference internal" href="#environment">ENVIRONMENT</a></li> <li><a class="reference internal" href="#see-also">SEE ALSO</a></li> </ul> </li> @@ -207,6 +209,7 @@ will allow Kerberos database propagation via <a class="reference internal" href= <li class="toctree-l2"><a class="reference internal" href="../conf_files/index.html">Configuration Files</a></li> <li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li> <li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li> +<li class="toctree-l2"><a class="reference internal" href="../dbtypes.html">Database types</a></li> <li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li> <li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li> <li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li> 
@@ -214,6 +217,8 @@ will allow Kerberos database propagation via <a class="reference internal" href= <li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li> <li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li> <li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li> +<li class="toctree-l2"><a class="reference internal" href="../spake.html">SPAKE Preauthentication</a></li> +<li class="toctree-l2"><a class="reference internal" href="../dictionary.html">Addressing dictionary attack risks</a></li> <li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li> <li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li> <li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li> @@ -225,7 +230,7 @@ will allow Kerberos database propagation via <a class="reference internal" href= <li class="toctree-l3"><a class="reference internal" href="kdb5_ldap_util.html">kdb5_ldap_util</a></li> <li class="toctree-l3"><a class="reference internal" href="krb5kdc.html">krb5kdc</a></li> <li class="toctree-l3"><a class="reference internal" href="kprop.html">kprop</a></li> -<li class="toctree-l3 current"><a class="current reference internal" href="">kpropd</a></li> +<li class="toctree-l3 current"><a class="current reference internal" href="#">kpropd</a></li> <li class="toctree-l3"><a class="reference internal" href="kproplog.html">kproplog</a></li> <li class="toctree-l3"><a class="reference internal" href="ktutil.html">ktutil</a></li> <li class="toctree-l3"><a class="reference internal" href="k5srvutil.html">k5srvutil</a></li> 
@@ -266,8 +271,8 @@ will allow Kerberos database propagation via <a class="reference internal" href= <div class="footer-wrapper"> <div class="footer" > - <div class="right" ><i>Release: 1.16</i><br /> - © <a href="../../copyright.html">Copyright</a> 1985-2017, MIT. + <div class="right" ><i>Release: 1.21.1</i><br /> + © <a href="../../copyright.html">Copyright</a> 1985-2023, MIT. </div> <div class="left"> diff --git a/doc/html/admin/admin_commands/kproplog.html b/doc/html/admin/admin_commands/kproplog.html index 50b7c7e4d35a..b3785e701002 100644 --- a/doc/html/admin/admin_commands/kproplog.html +++ b/doc/html/admin/admin_commands/kproplog.html 
@@ -1,33 +1,31 @@ + <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> - <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> - - <title>kproplog — MIT Kerberos Documentation</title> - + <title>kproplog — MIT Kerberos Documentation</title> <link rel="stylesheet" href="../../_static/agogo.css" type="text/css" /> <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" /> <link rel="stylesheet" href="../../_static/kerb.css" type="text/css" /> - <script type="text/javascript"> var DOCUMENTATION_OPTIONS = { URL_ROOT: '../../', - VERSION: '1.16', + VERSION: '1.21.1', COLLAPSE_INDEX: false, FILE_SUFFIX: '.html', - HAS_SOURCE: true + HAS_SOURCE: true, + SOURCELINK_SUFFIX: '.txt' }; </script> <script type="text/javascript" src="../../_static/jquery.js"></script> <script type="text/javascript" src="../../_static/underscore.js"></script> <script type="text/javascript" src="../../_static/doctools.js"></script> <link rel="author" title="About these documents" href="../../about.html" /> + <link rel="index" title="Index" href="../../genindex.html" /> + <link rel="search" title="Search" href="../../search.html" /> <link rel="copyright" title="Copyright" href="../../copyright.html" /> - <link rel="top" title="MIT Kerberos Documentation" href="../../index.html" /> - <link rel="up" title="Administration programs" href="index.html" /> <link rel="next" title="ktutil" href="ktutil.html" /> <link rel="prev" title="kpropd" href="kpropd.html" /> </head> @@ -61,7 +59,7 @@ <div class="documentwrapper"> <div class="bodywrapper"> - <div class="body"> + <div class="body" role="main"> <div class="section" id="kproplog"> <span id="kproplog-8"></span><h1>kproplog<a class="headerlink" href="#kproplog" title="Permalink to this headline">¶</a></h1> 
@@ -75,17 +73,17 @@ <p>The kproplog command displays the contents of the KDC database update log to standard output. It can be used to keep track of incremental updates to the principal database. The update log file contains the -update log maintained by the <a class="reference internal" href="kadmind.html#kadmind-8"><em>kadmind</em></a> process on the master -KDC server and the <a class="reference internal" href="kpropd.html#kpropd-8"><em>kpropd</em></a> process on the slave KDC servers. -When updates occur, they are logged to this file. Subsequently any -KDC slave configured for incremental updates will request the current -data from the master KDC and update their log file with any updates -returned.</p> +update log maintained by the <a class="reference internal" href="kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> process on the primary +KDC server and the <a class="reference internal" href="kpropd.html#kpropd-8"><span class="std std-ref">kpropd</span></a> process on the replica KDC +servers. When updates occur, they are logged to this file. +Subsequently any KDC replica configured for incremental updates will +request the current data from the primary KDC and update their log +file with any updates returned.</p> <p>The kproplog command requires read access to the update log file. It will display update entries only for the KDC it runs on.</p> <p>If no options are specified, kproplog displays a summary of the update -log. If invoked on the master, kproplog also displays all of the -update entries. If invoked on a slave KDC server, kproplog displays +log. If invoked on the primary, kproplog also displays all of the +update entries. If invoked on a replica KDC server, kproplog displays only a summary of the updates, which includes the serial number of the last update received and the associated time stamp of the last update.</p> </div> 
@@ -93,9 +91,10 @@ last update received and the associated time stamp of the last update.</p> <h2>OPTIONS<a class="headerlink" href="#options" title="Permalink to this headline">¶</a></h2> <dl class="docutils"> <dt><strong>-R</strong></dt> -<dd>Reset the update log. This forces full resynchronization. If used -on a slave then that slave will request a full resync. If used on -the master then all slaves will request full resyncs.</dd> +<dd>Reset the update log. This forces full resynchronization. If +used on a replica then that replica will request a full resync. +If used on the primary then all replicas will request full +resyncs.</dd> <dt><strong>-h</strong></dt> <dd>Display a summary of the update log. This information includes the database version number, state of the database, the number of 
@@ -107,20 +106,20 @@ when debugging synchronization between KDC servers.</dd> <dt><strong>-v</strong></dt> <dd><p class="first">Display individual attributes per update. An example of the output generated for one entry:</p> -<div class="last highlight-python"><div class="highlight"><pre>Update Entry - Update serial # : 4 - Update operation : Add - Update principal : test@EXAMPLE.COM - Update size : 424 - Update committed : True - Update time stamp : Fri Feb 20 23:37:42 2004 - Attributes changed : 6 - Principal - Key data - Password last changed - Modifying principal - Modification time - TL data +<div class="last highlight-default"><div class="highlight"><pre><span></span><span class="n">Update</span> <span class="n">Entry</span> + <span class="n">Update</span> <span class="n">serial</span> <span class="c1"># : 4</span> + <span class="n">Update</span> <span class="n">operation</span> <span class="p">:</span> <span class="n">Add</span> + <span class="n">Update</span> <span class="n">principal</span> <span class="p">:</span> <span class="n">test</span><span class="nd">@EXAMPLE</span><span class="o">.</span><span class="n">COM</span> + <span class="n">Update</span> <span class="n">size</span> <span class="p">:</span> <span class="mi">424</span> + <span class="n">Update</span> <span class="n">committed</span> <span class="p">:</span> <span class="kc">True</span> + <span class="n">Update</span> <span class="n">time</span> <span class="n">stamp</span> <span class="p">:</span> <span class="n">Fri</span> <span class="n">Feb</span> <span class="mi">20</span> <span class="mi">23</span><span class="p">:</span><span class="mi">37</span><span class="p">:</span><span class="mi">42</span> <span class="mi">2004</span> + <span class="n">Attributes</span> <span class="n">changed</span> <span class="p">:</span> <span class="mi">6</span> + <span class="n">Principal</span> + <span class="n">Key</span> <span class="n">data</span> + <span class="n">Password</span> <span 
class="n">last</span> <span class="n">changed</span> + <span class="n">Modifying</span> <span class="n">principal</span> + <span class="n">Modification</span> <span class="n">time</span> + <span class="n">TL</span> <span class="n">data</span> </pre></div> </div> </dd> @@ -128,14 +127,12 @@ output generated for one entry:</p> </div> <div class="section" id="environment"> <h2>ENVIRONMENT<a class="headerlink" href="#environment" title="Permalink to this headline">¶</a></h2> -<p>kproplog uses the following environment variables:</p> -<ul class="simple"> -<li><strong>KRB5_KDC_PROFILE</strong></li> -</ul> +<p>See <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a> for a description of Kerberos environment +variables.</p> </div> <div class="section" id="see-also"> <h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2> -<p><a class="reference internal" href="kpropd.html#kpropd-8"><em>kpropd</em></a></p> +<p><a class="reference internal" href="kpropd.html#kpropd-8"><span class="std std-ref">kpropd</span></a>, <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a></p> </div> </div> 
@@ -166,6 +163,7 @@ output generated for one entry:</p> <li class="toctree-l2"><a class="reference internal" href="../conf_files/index.html">Configuration Files</a></li> <li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li> <li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li> +<li class="toctree-l2"><a class="reference internal" href="../dbtypes.html">Database types</a></li> <li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li> <li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li> <li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li> @@ -173,6 +171,8 @@ output generated for one entry:</p> <li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li> <li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li> <li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li> +<li class="toctree-l2"><a class="reference internal" href="../spake.html">SPAKE Preauthentication</a></li> +<li class="toctree-l2"><a class="reference internal" href="../dictionary.html">Addressing dictionary attack risks</a></li> <li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li> <li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li> <li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li> 
@@ -185,7 +185,7 @@ output generated for one entry:</p> <li class="toctree-l3"><a class="reference internal" href="krb5kdc.html">krb5kdc</a></li> <li class="toctree-l3"><a class="reference internal" href="kprop.html">kprop</a></li> <li class="toctree-l3"><a class="reference internal" href="kpropd.html">kpropd</a></li> -<li class="toctree-l3 current"><a class="current reference internal" href="">kproplog</a></li> +<li class="toctree-l3 current"><a class="current reference internal" href="#">kproplog</a></li> <li class="toctree-l3"><a class="reference internal" href="ktutil.html">ktutil</a></li> <li class="toctree-l3"><a class="reference internal" href="k5srvutil.html">k5srvutil</a></li> <li class="toctree-l3"><a class="reference internal" href="sserver.html">sserver</a></li> @@ -225,8 +225,8 @@ output generated for one entry:</p> <div class="footer-wrapper"> <div class="footer" > - <div class="right" ><i>Release: 1.16</i><br /> - © <a href="../../copyright.html">Copyright</a> 1985-2017, MIT. + <div class="right" ><i>Release: 1.21.1</i><br /> + © <a href="../../copyright.html">Copyright</a> 1985-2023, MIT. </div> <div class="left"> diff --git a/doc/html/admin/admin_commands/krb5kdc.html b/doc/html/admin/admin_commands/krb5kdc.html index f39779bf4f0e..5cf520b145bf 100644 --- a/doc/html/admin/admin_commands/krb5kdc.html +++ b/doc/html/admin/admin_commands/krb5kdc.html 
@@ -1,33 +1,31 @@ + <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> - <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> - - <title>krb5kdc — MIT Kerberos Documentation</title> - + <title>krb5kdc — MIT Kerberos Documentation</title> <link rel="stylesheet" href="../../_static/agogo.css" type="text/css" /> <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" /> <link rel="stylesheet" href="../../_static/kerb.css" type="text/css" /> - <script type="text/javascript"> var DOCUMENTATION_OPTIONS = { URL_ROOT: '../../', - VERSION: '1.16', + VERSION: '1.21.1', COLLAPSE_INDEX: false, FILE_SUFFIX: '.html', - HAS_SOURCE: true + HAS_SOURCE: true, + SOURCELINK_SUFFIX: '.txt' }; </script> <script type="text/javascript" src="../../_static/jquery.js"></script> <script type="text/javascript" src="../../_static/underscore.js"></script> <script type="text/javascript" src="../../_static/doctools.js"></script> <link rel="author" title="About these documents" href="../../about.html" /> + <link rel="index" title="Index" href="../../genindex.html" /> + <link rel="search" title="Search" href="../../search.html" /> <link rel="copyright" title="Copyright" href="../../copyright.html" /> - <link rel="top" title="MIT Kerberos Documentation" href="../../index.html" /> - <link rel="up" title="Administration programs" href="index.html" /> <link rel="next" title="kprop" href="kprop.html" /> <link rel="prev" title="kdb5_ldap_util" href="kdb5_ldap_util.html" /> </head> @@ -61,7 +59,7 @@ <div class="documentwrapper"> <div class="bodywrapper"> - <div class="body"> + <div class="body" role="main"> <div class="section" id="krb5kdc"> <span id="krb5kdc-8"></span><h1>krb5kdc<a class="headerlink" href="#krb5kdc" title="Permalink to this headline">¶</a></h1> 
@@ -88,31 +86,31 @@ Distribution Center (AS/KDC).</p> <div class="section" id="options"> <h2>OPTIONS<a class="headerlink" href="#options" title="Permalink to this headline">¶</a></h2> <p>The <strong>-r</strong> <em>realm</em> option specifies the realm for which the server -should provide service.</p> +should provide service. This option may be specified multiple times +to serve multiple realms. If no <strong>-r</strong> option is given, the default +realm (as specified in <a class="reference internal" href="../conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a>) will be served.</p> <p>The <strong>-d</strong> <em>dbname</em> option specifies the name under which the principal database can be found. This option does not apply to the LDAP database.</p> <p>The <strong>-k</strong> <em>keytype</em> option specifies the key type of the master key to be entered manually as a password when <strong>-m</strong> is given; the default -is <tt class="docutils literal"><span class="pre">des-cbc-crc</span></tt>.</p> +is <code class="docutils literal"><span class="pre">aes256-cts-hmac-sha1-96</span></code>.</p> <p>The <strong>-M</strong> <em>mkeyname</em> option specifies the principal name for the -master key in the database (usually <tt class="docutils literal"><span class="pre">K/M</span></tt> in the KDC’s realm).</p> +master key in the database (usually <code class="docutils literal"><span class="pre">K/M</span></code> in the KDC’s realm).</p> <p>The <strong>-m</strong> option specifies that the master database password should be fetched from the keyboard rather than from a stash file.</p> <p>The <strong>-n</strong> option specifies that the KDC does not put itself in the -background and does not disassociate itself from the terminal. 
In -normal operation, you should always allow the KDC to place itself in -the background.</p> +background and does not disassociate itself from the terminal.</p> <p>The <strong>-P</strong> <em>pid_file</em> option tells the KDC to write its PID into <em>pid_file</em> after it starts up. This can be used to identify whether the KDC is still running and to allow init scripts to stop the correct process.</p> -<p>The <strong>-p</strong> <em>portnum</em> option specifies the default UDP port numbers -which the KDC should listen on for Kerberos version 5 requests, as a -comma-separated list. This value overrides the UDP port numbers -specified in the <a class="reference internal" href="../conf_files/kdc_conf.html#kdcdefaults"><em>[kdcdefaults]</em></a> section of <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>, but -may be overridden by realm-specific values. If no value is given from -any source, the default port is 88.</p> +<p>The <strong>-p</strong> <em>portnum</em> option specifies the default UDP and TCP port +numbers which the KDC should listen on for Kerberos version 5 +requests, as a comma-separated list. This value overrides the port +numbers specified in the <a class="reference internal" href="../conf_files/kdc_conf.html#kdcdefaults"><span class="std std-ref">[kdcdefaults]</span></a> section of +<a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>, but may be overridden by realm-specific values. +If no value is given from any source, the default port is 88.</p> <p>The <strong>-w</strong> <em>numworkers</em> option tells the KDC to fork <em>numworkers</em> processes to listen to the KDC ports and process requests in parallel. The top level KDC process (whose pid is recorded in the pid file if 
@@ -120,15 +118,8 @@ the <strong>-P</strong> option is also given) acts as a supervisor. The supervi will relay SIGHUP signals to the worker subprocesses, and will terminate the worker subprocess if the it is itself terminated or if any other worker process exits.</p> -<div class="admonition note"> -<p class="first admonition-title">Note</p> -<p class="last">On operating systems which do not have <em>pktinfo</em> support, -using worker processes will prevent the KDC from listening -for UDP packets on network interfaces created after the KDC -starts.</p> -</div> <p>The <strong>-x</strong> <em>db_args</em> option specifies database-specific arguments. -See <a class="reference internal" href="kadmin_local.html#dboptions"><em>Database Options</em></a> in <a class="reference internal" href="kadmin_local.html#kadmin-1"><em>kadmin</em></a> for +See <a class="reference internal" href="kadmin_local.html#dboptions"><span class="std std-ref">Database Options</span></a> in <a class="reference internal" href="kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> for supported arguments.</p> <p>The <strong>-T</strong> <em>offset</em> option specifies a time offset, in seconds, which the KDC will operate under. It is intended only for testing purposes.</p> 
@@ -140,29 +131,26 @@ The realms are listed on the command line. Per-realm options that can be specified on the command line pertain for each realm that follows it and are superseded by subsequent definitions of the same option.</p> <p>For example:</p> -<div class="highlight-python"><div class="highlight"><pre>krb5kdc -p 2001 -r REALM1 -p 2002 -r REALM2 -r REALM3 +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">krb5kdc</span> <span class="o">-</span><span class="n">p</span> <span class="mi">2001</span> <span class="o">-</span><span class="n">r</span> <span class="n">REALM1</span> <span class="o">-</span><span class="n">p</span> <span class="mi">2002</span> <span class="o">-</span><span class="n">r</span> <span class="n">REALM2</span> <span class="o">-</span><span class="n">r</span> <span class="n">REALM3</span> </pre></div> </div> <p>specifies that the KDC listen on port 2001 for REALM1 and on port 2002 for REALM2 and REALM3. Additionally, per-realm parameters may be -specified in the <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> file. The location of this file +specified in the <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a> file. The location of this file may be specified by the <strong>KRB5_KDC_PROFILE</strong> environment variable. Per-realm parameters specified in this file take precedence over -options specified on the command line. See the <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> +options specified on the command line. 
See the <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a> description for further details.</p> </div> <div class="section" id="environment"> <h2>ENVIRONMENT<a class="headerlink" href="#environment" title="Permalink to this headline">¶</a></h2> -<p>krb5kdc uses the following environment variables:</p> -<ul class="simple"> -<li><strong>KRB5_CONFIG</strong></li> -<li><strong>KRB5_KDC_PROFILE</strong></li> -</ul> +<p>See <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a> for a description of Kerberos environment +variables.</p> </div> <div class="section" id="see-also"> <h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2> -<p><a class="reference internal" href="kdb5_util.html#kdb5-util-8"><em>kdb5_util</em></a>, <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>, <a class="reference internal" href="../conf_files/krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a>, -<a class="reference internal" href="kdb5_ldap_util.html#kdb5-ldap-util-8"><em>kdb5_ldap_util</em></a></p> +<p><a class="reference internal" href="kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a>, <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>, <a class="reference internal" href="../conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a>, +<a class="reference internal" href="kdb5_ldap_util.html#kdb5-ldap-util-8"><span class="std std-ref">kdb5_ldap_util</span></a>, <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a></p> </div> </div> 
@@ -194,6 +182,7 @@ description for further details.</p> <li class="toctree-l2"><a class="reference internal" href="../conf_files/index.html">Configuration Files</a></li> <li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li> <li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li> +<li class="toctree-l2"><a class="reference internal" href="../dbtypes.html">Database types</a></li> <li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li> <li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li> <li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li> @@ -201,6 +190,8 @@ description for further details.</p> <li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li> <li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li> <li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li> +<li class="toctree-l2"><a class="reference internal" href="../spake.html">SPAKE Preauthentication</a></li> +<li class="toctree-l2"><a class="reference internal" href="../dictionary.html">Addressing dictionary attack risks</a></li> <li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li> <li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li> <li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li> 
@@ -210,7 +201,7 @@ description for further details.</p> <li class="toctree-l3"><a class="reference internal" href="kadmind.html">kadmind</a></li> <li class="toctree-l3"><a class="reference internal" href="kdb5_util.html">kdb5_util</a></li> <li class="toctree-l3"><a class="reference internal" href="kdb5_ldap_util.html">kdb5_ldap_util</a></li> -<li class="toctree-l3 current"><a class="current reference internal" href="">krb5kdc</a></li> +<li class="toctree-l3 current"><a class="current reference internal" href="#">krb5kdc</a></li> <li class="toctree-l3"><a class="reference internal" href="kprop.html">kprop</a></li> <li class="toctree-l3"><a class="reference internal" href="kpropd.html">kpropd</a></li> <li class="toctree-l3"><a class="reference internal" href="kproplog.html">kproplog</a></li> @@ -253,8 +244,8 @@ description for further details.</p> <div class="footer-wrapper"> <div class="footer" > - <div class="right" ><i>Release: 1.16</i><br /> - © <a href="../../copyright.html">Copyright</a> 1985-2017, MIT. + <div class="right" ><i>Release: 1.21.1</i><br /> + © <a href="../../copyright.html">Copyright</a> 1985-2023, MIT. </div> <div class="left"> diff --git a/doc/html/admin/admin_commands/ktutil.html b/doc/html/admin/admin_commands/ktutil.html index ba95ebbe71ff..03d052c15b88 100644 --- a/doc/html/admin/admin_commands/ktutil.html +++ b/doc/html/admin/admin_commands/ktutil.html 
@@ -1,33 +1,31 @@ + <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> - <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> - - <title>ktutil — MIT Kerberos Documentation</title> - + <title>ktutil — MIT Kerberos Documentation</title> <link rel="stylesheet" href="../../_static/agogo.css" type="text/css" /> <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" /> <link rel="stylesheet" href="../../_static/kerb.css" type="text/css" /> - <script type="text/javascript"> var DOCUMENTATION_OPTIONS = { URL_ROOT: '../../', - VERSION: '1.16', + VERSION: '1.21.1', COLLAPSE_INDEX: false, FILE_SUFFIX: '.html', - HAS_SOURCE: true + HAS_SOURCE: true, + SOURCELINK_SUFFIX: '.txt' }; </script> <script type="text/javascript" src="../../_static/jquery.js"></script> <script type="text/javascript" src="../../_static/underscore.js"></script> <script type="text/javascript" src="../../_static/doctools.js"></script> <link rel="author" title="About these documents" href="../../about.html" /> + <link rel="index" title="Index" href="../../genindex.html" /> + <link rel="search" title="Search" href="../../search.html" /> <link rel="copyright" title="Copyright" href="../../copyright.html" /> - <link rel="top" title="MIT Kerberos Documentation" href="../../index.html" /> - <link rel="up" title="Administration programs" href="index.html" /> <link rel="next" title="k5srvutil" href="k5srvutil.html" /> <link rel="prev" title="kproplog" href="kproplog.html" /> </head> @@ -61,7 +59,7 @@ <div class="documentwrapper"> <div class="bodywrapper"> - <div class="body"> + <div class="body" role="main"> <div class="section" id="ktutil"> <span id="ktutil-1"></span><h1>ktutil<a class="headerlink" href="#ktutil" title="Permalink to this headline">¶</a></h1> 
@@ -72,16 +70,18 @@ <div class="section" id="description"> <h2>DESCRIPTION<a class="headerlink" href="#description" title="Permalink to this headline">¶</a></h2> <p>The ktutil command invokes a command interface from which an -administrator can read, write, or edit entries in a keytab or Kerberos -V4 srvtab file.</p> +administrator can read, write, or edit entries in a keytab. (Kerberos +V4 srvtab files are no longer supported.)</p> </div> <div class="section" id="commands"> <h2>COMMANDS<a class="headerlink" href="#commands" title="Permalink to this headline">¶</a></h2> <div class="section" id="list"> <h3>list<a class="headerlink" href="#list" title="Permalink to this headline">¶</a></h3> <blockquote> -<div><strong>list</strong></div></blockquote> -<p>Displays the current keylist.</p> +<div><strong>list</strong> [<strong>-t</strong>] [<strong>-k</strong>] [<strong>-e</strong>]</div></blockquote> +<p>Displays the current keylist. If <strong>-t</strong>, <strong>-k</strong>, and/or <strong>-e</strong> are +specified, also display the timestamp, key contents, or enctype +(respectively).</p> <p>Alias: <strong>l</strong></p> </div> <div class="section" id="read-kt"> @@ -91,13 +91,6 @@ V4 srvtab file.</p> <p>Read the Kerberos V5 keytab file <em>keytab</em> into the current keylist.</p> <p>Alias: <strong>rkt</strong></p> </div> -<div class="section" id="read-st"> -<h3>read_st<a class="headerlink" href="#read-st" title="Permalink to this headline">¶</a></h3> -<blockquote> -<div><strong>read_st</strong> <em>srvtab</em></div></blockquote> -<p>Read the Kerberos V4 srvtab file <em>srvtab</em> into the current keylist.</p> -<p>Alias: <strong>rst</strong></p> -</div> <div class="section" id="write-kt"> <h3>write_kt<a class="headerlink" href="#write-kt" title="Permalink to this headline">¶</a></h3> <blockquote> 
@@ -105,13 +98,6 @@ V4 srvtab file.</p> <p>Write the current keylist into the Kerberos V5 keytab file <em>keytab</em>.</p> <p>Alias: <strong>wkt</strong></p> </div> -<div class="section" id="write-st"> -<h3>write_st<a class="headerlink" href="#write-st" title="Permalink to this headline">¶</a></h3> -<blockquote> -<div><strong>write_st</strong> <em>srvtab</em></div></blockquote> -<p>Write the current keylist into the Kerberos V4 srvtab file <em>srvtab</em>.</p> -<p>Alias: <strong>wst</strong></p> -</div> <div class="section" id="clear-list"> <h3>clear_list<a class="headerlink" href="#clear-list" title="Permalink to this headline">¶</a></h3> <blockquote> @@ -130,8 +116,13 @@ V4 srvtab file.</p> <h3>add_entry<a class="headerlink" href="#add-entry" title="Permalink to this headline">¶</a></h3> <blockquote> <div><strong>add_entry</strong> {<strong>-key</strong>|<strong>-password</strong>} <strong>-p</strong> <em>principal</em> -<strong>-k</strong> <em>kvno</em> <strong>-e</strong> <em>enctype</em> [<strong>-s</strong> <em>salt</em>]</div></blockquote> -<p>Add <em>principal</em> to keylist using key or password.</p> +<strong>-k</strong> <em>kvno</em> [<strong>-e</strong> <em>enctype</em>] [<strong>-f</strong>|<strong>-s</strong> <em>salt</em>]</div></blockquote> +<p>Add <em>principal</em> to keylist using key or password. If the <strong>-f</strong> flag +is specified, salt information will be fetched from the KDC; in this +case the <strong>-e</strong> flag may be omitted, or it may be supplied to force a +particular enctype. If the <strong>-f</strong> flag is not specified, the <strong>-e</strong> +flag must be specified, and the default salt will be used unless +overridden with the <strong>-s</strong> option.</p> <p>Alias: <strong>addent</strong></p> </div> <div class="section" id="list-requests"> 
@@ -152,21 +143,26 @@ V4 srvtab file.</p> <div class="section" id="example"> <h2>EXAMPLE<a class="headerlink" href="#example" title="Permalink to this headline">¶</a></h2> <blockquote> -<div><div class="highlight-python"><div class="highlight"><pre>ktutil: add_entry -password -p alice@BLEEP.COM -k 1 -e - aes128-cts-hmac-sha1-96 -Password for alice@BLEEP.COM: -ktutil: add_entry -password -p alice@BLEEP.COM -k 1 -e - aes256-cts-hmac-sha1-96 -Password for alice@BLEEP.COM: -ktutil: write_kt keytab -ktutil: +<div><div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">ktutil</span><span class="p">:</span> <span class="n">add_entry</span> <span class="o">-</span><span class="n">password</span> <span class="o">-</span><span class="n">p</span> <span class="n">alice</span><span class="nd">@BLEEP</span><span class="o">.</span><span class="n">COM</span> <span class="o">-</span><span class="n">k</span> <span class="mi">1</span> <span class="o">-</span><span class="n">e</span> + <span class="n">aes128</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span> +<span class="n">Password</span> <span class="k">for</span> <span class="n">alice</span><span class="nd">@BLEEP</span><span class="o">.</span><span class="n">COM</span><span class="p">:</span> +<span class="n">ktutil</span><span class="p">:</span> <span class="n">add_entry</span> <span class="o">-</span><span class="n">password</span> <span class="o">-</span><span class="n">p</span> <span class="n">alice</span><span class="nd">@BLEEP</span><span class="o">.</span><span class="n">COM</span> <span class="o">-</span><span class="n">k</span> <span class="mi">1</span> <span class="o">-</span><span class="n">e</span> + <span class="n">aes256</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span 
class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span> +<span class="n">Password</span> <span class="k">for</span> <span class="n">alice</span><span class="nd">@BLEEP</span><span class="o">.</span><span class="n">COM</span><span class="p">:</span> +<span class="n">ktutil</span><span class="p">:</span> <span class="n">write_kt</span> <span class="n">alice</span><span class="o">.</span><span class="n">keytab</span> +<span class="n">ktutil</span><span class="p">:</span> </pre></div> </div> </div></blockquote> </div> +<div class="section" id="environment"> +<h2>ENVIRONMENT<a class="headerlink" href="#environment" title="Permalink to this headline">¶</a></h2> +<p>See <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a> for a description of Kerberos environment +variables.</p> +</div> <div class="section" id="see-also"> <h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2> -<p><a class="reference internal" href="kadmin_local.html#kadmin-1"><em>kadmin</em></a>, <a class="reference internal" href="kdb5_util.html#kdb5-util-8"><em>kdb5_util</em></a></p> +<p><a class="reference internal" href="kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a>, <a class="reference internal" href="kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a>, <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a></p> </div> </div> 
@@ -184,9 +180,7 @@ ktutil: <li><a class="reference internal" href="#commands">COMMANDS</a><ul> <li><a class="reference internal" href="#list">list</a></li> <li><a class="reference internal" href="#read-kt">read_kt</a></li> -<li><a class="reference internal" href="#read-st">read_st</a></li> <li><a class="reference internal" href="#write-kt">write_kt</a></li> -<li><a class="reference internal" href="#write-st">write_st</a></li> <li><a class="reference internal" href="#clear-list">clear_list</a></li> <li><a class="reference internal" href="#delete-entry">delete_entry</a></li> <li><a class="reference internal" href="#add-entry">add_entry</a></li> @@ -195,6 +189,7 @@ ktutil: </ul> </li> <li><a class="reference internal" href="#example">EXAMPLE</a></li> +<li><a class="reference internal" href="#environment">ENVIRONMENT</a></li> <li><a class="reference internal" href="#see-also">SEE ALSO</a></li> </ul> </li> @@ -209,6 +204,7 @@ ktutil: <li class="toctree-l2"><a class="reference internal" href="../conf_files/index.html">Configuration Files</a></li> <li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li> <li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li> +<li class="toctree-l2"><a class="reference internal" href="../dbtypes.html">Database types</a></li> <li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li> <li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li> <li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li> 
@@ -216,6 +212,8 @@ ktutil: <li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li> <li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li> <li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li> +<li class="toctree-l2"><a class="reference internal" href="../spake.html">SPAKE Preauthentication</a></li> +<li class="toctree-l2"><a class="reference internal" href="../dictionary.html">Addressing dictionary attack risks</a></li> <li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li> <li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li> <li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li> @@ -229,7 +227,7 @@ ktutil: <li class="toctree-l3"><a class="reference internal" href="kprop.html">kprop</a></li> <li class="toctree-l3"><a class="reference internal" href="kpropd.html">kpropd</a></li> <li class="toctree-l3"><a class="reference internal" href="kproplog.html">kproplog</a></li> -<li class="toctree-l3 current"><a class="current reference internal" href="">ktutil</a></li> +<li class="toctree-l3 current"><a class="current reference internal" href="#">ktutil</a></li> <li class="toctree-l3"><a class="reference internal" href="k5srvutil.html">k5srvutil</a></li> <li class="toctree-l3"><a class="reference internal" href="sserver.html">sserver</a></li> </ul> @@ -268,8 +266,8 @@ ktutil: <div class="footer-wrapper"> <div class="footer" > - <div class="right" ><i>Release: 1.16</i><br /> - © <a href="../../copyright.html">Copyright</a> 1985-2017, MIT. + <div class="right" ><i>Release: 1.21.1</i><br /> + © <a href="../../copyright.html">Copyright</a> 1985-2023, MIT. </div> <div class="left"> 
diff --git a/doc/html/admin/admin_commands/sserver.html b/doc/html/admin/admin_commands/sserver.html index 1e5e1941f991..0d7ba0aa6c74 100644 --- a/doc/html/admin/admin_commands/sserver.html +++ b/doc/html/admin/admin_commands/sserver.html @@ -1,33 +1,31 @@ + <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> - <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> - - <title>sserver — MIT Kerberos Documentation</title> - + <title>sserver — MIT Kerberos Documentation</title> <link rel="stylesheet" href="../../_static/agogo.css" type="text/css" /> <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" /> <link rel="stylesheet" href="../../_static/kerb.css" type="text/css" /> - <script type="text/javascript"> var DOCUMENTATION_OPTIONS = { URL_ROOT: '../../', - VERSION: '1.16', + VERSION: '1.21.1', COLLAPSE_INDEX: false, FILE_SUFFIX: '.html', - HAS_SOURCE: true + HAS_SOURCE: true, + SOURCELINK_SUFFIX: '.txt' }; </script> <script type="text/javascript" src="../../_static/jquery.js"></script> <script type="text/javascript" src="../../_static/underscore.js"></script> <script type="text/javascript" src="../../_static/doctools.js"></script> <link rel="author" title="About these documents" href="../../about.html" /> + <link rel="index" title="Index" href="../../genindex.html" /> + <link rel="search" title="Search" href="../../search.html" /> <link rel="copyright" title="Copyright" href="../../copyright.html" /> - <link rel="top" title="MIT Kerberos Documentation" href="../../index.html" /> - <link rel="up" title="Administration programs" href="index.html" /> <link rel="next" title="MIT Kerberos defaults" href="../../mitK5defaults.html" /> <link rel="prev" title="k5srvutil" href="k5srvutil.html" /> </head> 
@@ -61,7 +59,7 @@ <div class="documentwrapper"> <div class="bodywrapper"> - <div class="body"> + <div class="body" role="main"> <div class="section" id="sserver"> <span id="sserver-8"></span><h1>sserver<a class="headerlink" href="#sserver" title="Permalink to this headline">¶</a></h1> 
@@ -74,39 +72,39 @@ </div> <div class="section" id="description"> <h2>DESCRIPTION<a class="headerlink" href="#description" title="Permalink to this headline">¶</a></h2> -<p>sserver and <a class="reference internal" href="../../user/user_commands/sclient.html#sclient-1"><em>sclient</em></a> are a simple demonstration client/server +<p>sserver and <a class="reference internal" href="../../user/user_commands/sclient.html#sclient-1"><span class="std std-ref">sclient</span></a> are a simple demonstration client/server application. When sclient connects to sserver, it performs a Kerberos authentication, and then sserver returns to sclient the Kerberos principal which was used for the Kerberos authentication. It makes a good test that Kerberos has been successfully installed on a machine.</p> <p>The service name used by sserver and sclient is sample. Hence, sserver will require that there be a keytab entry for the service -<tt class="docutils literal"><span class="pre">sample/hostname.domain.name@REALM.NAME</span></tt>. This keytab is generated -using the <a class="reference internal" href="kadmin_local.html#kadmin-1"><em>kadmin</em></a> program. The keytab file is usually -installed as <a class="reference internal" href="../../mitK5defaults.html#paths"><em>DEFKTNAME</em></a>.</p> +<code class="docutils literal"><span class="pre">sample/hostname.domain.name@REALM.NAME</span></code>. This keytab is generated +using the <a class="reference internal" href="kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> program. 
The keytab file is usually +installed as <a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">DEFKTNAME</span></a>.</p> <p>The <strong>-S</strong> option allows for a different keytab than the default.</p> <p>sserver is normally invoked out of inetd(8), using a line in -<tt class="docutils literal"><span class="pre">/etc/inetd.conf</span></tt> that looks like this:</p> -<div class="highlight-python"><div class="highlight"><pre>sample stream tcp nowait root /usr/local/sbin/sserver sserver +<code class="docutils literal"><span class="pre">/etc/inetd.conf</span></code> that looks like this:</p> +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">sample</span> <span class="n">stream</span> <span class="n">tcp</span> <span class="n">nowait</span> <span class="n">root</span> <span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">local</span><span class="o">/</span><span class="n">sbin</span><span class="o">/</span><span class="n">sserver</span> <span class="n">sserver</span> </pre></div> </div> -<p>Since <tt class="docutils literal"><span class="pre">sample</span></tt> is normally not a port defined in <tt class="docutils literal"><span class="pre">/etc/services</span></tt>, -you will usually have to add a line to <tt class="docutils literal"><span class="pre">/etc/services</span></tt> which looks +<p>Since <code class="docutils literal"><span class="pre">sample</span></code> is normally not a port defined in <code class="docutils literal"><span class="pre">/etc/services</span></code>, +you will usually have to add a line to <code class="docutils literal"><span class="pre">/etc/services</span></code> which looks like this:</p> -<div class="highlight-python"><div class="highlight"><pre>sample 13135/tcp +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">sample</span> <span class="mi">13135</span><span class="o">/</span><span 
class="n">tcp</span> </pre></div> </div> <p>When using sclient, you will first have to have an entry in the -Kerberos database, by using <a class="reference internal" href="kadmin_local.html#kadmin-1"><em>kadmin</em></a>, and then you have to get -Kerberos tickets, by using <a class="reference internal" href="../../user/user_commands/kinit.html#kinit-1"><em>kinit</em></a>. Also, if you are running +Kerberos database, by using <a class="reference internal" href="kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a>, and then you have to get +Kerberos tickets, by using <a class="reference internal" href="../../user/user_commands/kinit.html#kinit-1"><span class="std std-ref">kinit</span></a>. Also, if you are running the sclient program on a different host than the sserver it will be connecting to, be sure that both hosts have an entry in /etc/services for the sample tcp port, and that the same port number is in both files.</p> <p>When you run sclient you should see something like this:</p> -<div class="highlight-python"><div class="highlight"><pre>sendauth succeeded, reply is: -reply len 32, contents: -You are nlgilman@JIMI.MIT.EDU +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">sendauth</span> <span class="n">succeeded</span><span class="p">,</span> <span class="n">reply</span> <span class="ow">is</span><span class="p">:</span> +<span class="n">reply</span> <span class="nb">len</span> <span class="mi">32</span><span class="p">,</span> <span class="n">contents</span><span class="p">:</span> +<span class="n">You</span> <span class="n">are</span> <span class="n">nlgilman</span><span class="nd">@JIMI</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> </pre></div> </div> </div> 
@@ -114,50 +112,55 @@ You are nlgilman@JIMI.MIT.EDU <h2>COMMON ERROR MESSAGES<a class="headerlink" href="#common-error-messages" title="Permalink to this headline">¶</a></h2> <ol class="arabic"> <li><p class="first">kinit returns the error:</p> -<div class="highlight-python"><div class="highlight"><pre>kinit: Client not found in Kerberos database while getting - initial credentials +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kinit</span><span class="p">:</span> <span class="n">Client</span> <span class="ow">not</span> <span class="n">found</span> <span class="ow">in</span> <span class="n">Kerberos</span> <span class="n">database</span> <span class="k">while</span> <span class="n">getting</span> + <span class="n">initial</span> <span class="n">credentials</span> </pre></div> </div> -<p>This means that you didn’t create an entry for your username in the +<p>This means that you didn’t create an entry for your username in the Kerberos database.</p> </li> <li><p class="first">sclient returns the error:</p> -<div class="highlight-python"><div class="highlight"><pre>unknown service sample/tcp; check /etc/services +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">unknown</span> <span class="n">service</span> <span class="n">sample</span><span class="o">/</span><span class="n">tcp</span><span class="p">;</span> <span class="n">check</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">services</span> </pre></div> </div> -<p>This means that you don’t have an entry in /etc/services for the +<p>This means that you don’t have an entry in /etc/services for the sample tcp port.</p> </li> <li><p class="first">sclient returns the error:</p> -<div class="highlight-python"><div class="highlight"><pre>connect: Connection refused +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">connect</span><span class="p">:</span> 
<span class="n">Connection</span> <span class="n">refused</span> </pre></div> </div> -<p>This probably means you didn’t edit /etc/inetd.conf correctly, or -you didn’t restart inetd after editing inetd.conf.</p> +<p>This probably means you didn’t edit /etc/inetd.conf correctly, or +you didn’t restart inetd after editing inetd.conf.</p> </li> <li><p class="first">sclient returns the error:</p> -<div class="highlight-python"><div class="highlight"><pre>sclient: Server not found in Kerberos database while using - sendauth +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">sclient</span><span class="p">:</span> <span class="n">Server</span> <span class="ow">not</span> <span class="n">found</span> <span class="ow">in</span> <span class="n">Kerberos</span> <span class="n">database</span> <span class="k">while</span> <span class="n">using</span> + <span class="n">sendauth</span> </pre></div> </div> -<p>This means that the <tt class="docutils literal"><span class="pre">sample/hostname@LOCAL.REALM</span></tt> service was not +<p>This means that the <code class="docutils literal"><span class="pre">sample/hostname@LOCAL.REALM</span></code> service was not defined in the Kerberos database; it should be created using -<a class="reference internal" href="kadmin_local.html#kadmin-1"><em>kadmin</em></a>, and a keytab file needs to be generated to make +<a class="reference internal" href="kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a>, and a keytab file needs to be generated to make the key for that service principal available for sclient.</p> </li> <li><p class="first">sclient returns the error:</p> -<div class="highlight-python"><div class="highlight"><pre>sendauth rejected, error reply is: - "No such file or directory" +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">sendauth</span> <span class="n">rejected</span><span class="p">,</span> <span class="n">error</span> <span 
class="n">reply</span> <span class="ow">is</span><span class="p">:</span> + <span class="s2">"No such file or directory"</span> </pre></div> </div> -<p>This probably means sserver couldn’t find the keytab file. It was +<p>This probably means sserver couldn’t find the keytab file. It was probably not installed in the proper directory.</p> </li> </ol> </div> +<div class="section" id="environment"> +<h2>ENVIRONMENT<a class="headerlink" href="#environment" title="Permalink to this headline">¶</a></h2> +<p>See <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a> for a description of Kerberos environment +variables.</p> +</div> <div class="section" id="see-also"> <h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2> -<p><a class="reference internal" href="../../user/user_commands/sclient.html#sclient-1"><em>sclient</em></a>, services(5), inetd(8)</p> +<p><a class="reference internal" href="../../user/user_commands/sclient.html#sclient-1"><span class="std std-ref">sclient</span></a>, <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a>, services(5), inetd(8)</p> </div> </div> @@ -173,6 +176,7 @@ probably not installed in the proper directory.</p> <li><a class="reference internal" href="#synopsis">SYNOPSIS</a></li> <li><a class="reference internal" href="#description">DESCRIPTION</a></li> <li><a class="reference internal" href="#common-error-messages">COMMON ERROR MESSAGES</a></li> +<li><a class="reference internal" href="#environment">ENVIRONMENT</a></li> <li><a class="reference internal" href="#see-also">SEE ALSO</a></li> </ul> </li> 
@@ -187,6 +191,7 @@ probably not installed in the proper directory.</p> <li class="toctree-l2"><a class="reference internal" href="../conf_files/index.html">Configuration Files</a></li> <li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li> <li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li> +<li class="toctree-l2"><a class="reference internal" href="../dbtypes.html">Database types</a></li> <li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li> <li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li> <li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li> @@ -194,6 +199,8 @@ probably not installed in the proper directory.</p> <li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li> <li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li> <li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li> +<li class="toctree-l2"><a class="reference internal" href="../spake.html">SPAKE Preauthentication</a></li> +<li class="toctree-l2"><a class="reference internal" href="../dictionary.html">Addressing dictionary attack risks</a></li> <li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li> <li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li> <li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li> 
@@ -209,7 +216,7 @@ probably not installed in the proper directory.</p> <li class="toctree-l3"><a class="reference internal" href="kproplog.html">kproplog</a></li> <li class="toctree-l3"><a class="reference internal" href="ktutil.html">ktutil</a></li> <li class="toctree-l3"><a class="reference internal" href="k5srvutil.html">k5srvutil</a></li> -<li class="toctree-l3 current"><a class="current reference internal" href="">sserver</a></li> +<li class="toctree-l3 current"><a class="current reference internal" href="#">sserver</a></li> </ul> </li> <li class="toctree-l2"><a class="reference internal" href="../../mitK5defaults.html">MIT Kerberos defaults</a></li> @@ -246,8 +253,8 @@ probably not installed in the proper directory.</p> <div class="footer-wrapper"> <div class="footer" > - <div class="right" ><i>Release: 1.16</i><br /> - © <a href="../../copyright.html">Copyright</a> 1985-2017, MIT. + <div class="right" ><i>Release: 1.21.1</i><br /> + © <a href="../../copyright.html">Copyright</a> 1985-2023, MIT. </div> <div class="left"> diff --git a/doc/html/admin/advanced/index.html b/doc/html/admin/advanced/index.html index 603f95e2ecd8..47cfe47f0c82 100644 --- a/doc/html/admin/advanced/index.html +++ b/doc/html/admin/advanced/index.html 
@@ -1,34 +1,32 @@ + <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> - <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> - - <title>Advanced topics — MIT Kerberos Documentation</title> - + <title>Advanced topics — MIT Kerberos Documentation</title> <link rel="stylesheet" href="../../_static/agogo.css" type="text/css" /> <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" /> <link rel="stylesheet" href="../../_static/kerb.css" type="text/css" /> - <script type="text/javascript"> var DOCUMENTATION_OPTIONS = { URL_ROOT: '../../', - VERSION: '1.16', + VERSION: '1.21.1', COLLAPSE_INDEX: false, FILE_SUFFIX: '.html', - HAS_SOURCE: true + HAS_SOURCE: true, + SOURCELINK_SUFFIX: '.txt' }; </script> <script type="text/javascript" src="../../_static/jquery.js"></script> <script type="text/javascript" src="../../_static/underscore.js"></script> <script type="text/javascript" src="../../_static/doctools.js"></script> <link rel="author" title="About these documents" href="../../about.html" /> + <link rel="index" title="Index" href="../../genindex.html" /> + <link rel="search" title="Search" href="../../search.html" /> <link rel="copyright" title="Copyright" href="../../copyright.html" /> - <link rel="top" title="MIT Kerberos Documentation" href="../../index.html" /> - <link rel="up" title="For administrators" href="../index.html" /> - <link rel="next" title="LDAP backend on Ubuntu 10.4 (lucid)" href="ldapbackend.html" /> + <link rel="next" title="Retiring DES" href="retiring-des.html" /> <link rel="prev" title="Troubleshooting" href="../troubleshoot.html" /> </head> <body> 
@@ -44,7 +42,7 @@ accesskey="C">Contents</a> | <a href="../troubleshoot.html" title="Troubleshooting" accesskey="P">previous</a> | - <a href="ldapbackend.html" title="LDAP backend on Ubuntu 10.4 (lucid)" + <a href="retiring-des.html" title="Retiring DES" accesskey="N">next</a> | <a href="../../genindex.html" title="General Index" accesskey="I">index</a> | @@ -61,13 +59,12 @@ <div class="documentwrapper"> <div class="bodywrapper"> - <div class="body"> + <div class="body" role="main"> <div class="section" id="advanced-topics"> <h1>Advanced topics<a class="headerlink" href="#advanced-topics" title="Permalink to this headline">¶</a></h1> <div class="toctree-wrapper compound"> <ul> -<li class="toctree-l1"><a class="reference internal" href="ldapbackend.html">LDAP backend on Ubuntu 10.4 (lucid)</a></li> <li class="toctree-l1"><a class="reference internal" href="retiring-des.html">Retiring DES</a></li> </ul> </div> @@ -93,6 +90,7 @@ <li class="toctree-l2"><a class="reference internal" href="../conf_files/index.html">Configuration Files</a></li> <li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li> <li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li> +<li class="toctree-l2"><a class="reference internal" href="../dbtypes.html">Database types</a></li> <li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li> <li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li> <li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li> 
@@ -100,6 +98,8 @@ <li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li> <li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li> <li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li> +<li class="toctree-l2"><a class="reference internal" href="../spake.html">SPAKE Preauthentication</a></li> +<li class="toctree-l2"><a class="reference internal" href="../dictionary.html">Addressing dictionary attack risks</a></li> <li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li> <li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li> <li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li> @@ -108,8 +108,7 @@ <li class="toctree-l2"><a class="reference internal" href="../../mitK5defaults.html">MIT Kerberos defaults</a></li> <li class="toctree-l2"><a class="reference internal" href="../env_variables.html">Environment variables</a></li> <li class="toctree-l2"><a class="reference internal" href="../troubleshoot.html">Troubleshooting</a></li> -<li class="toctree-l2 current"><a class="current reference internal" href="">Advanced topics</a><ul> -<li class="toctree-l3"><a class="reference internal" href="ldapbackend.html">LDAP backend on Ubuntu 10.4 (lucid)</a></li> +<li class="toctree-l2 current"><a class="current reference internal" href="#">Advanced topics</a><ul> <li class="toctree-l3"><a class="reference internal" href="retiring-des.html">Retiring DES</a></li> </ul> </li> 
@@ -143,8 +142,8 @@ <div class="footer-wrapper"> <div class="footer" > - <div class="right" ><i>Release: 1.16</i><br /> - © <a href="../../copyright.html">Copyright</a> 1985-2017, MIT. + <div class="right" ><i>Release: 1.21.1</i><br /> + © <a href="../../copyright.html">Copyright</a> 1985-2023, MIT. </div> <div class="left"> @@ -152,7 +151,7 @@ >Contents</a> | <a href="../troubleshoot.html" title="Troubleshooting" >previous</a> | - <a href="ldapbackend.html" title="LDAP backend on Ubuntu 10.4 (lucid)" + <a href="retiring-des.html" title="Retiring DES" >next</a> | <a href="../../genindex.html" title="General Index" >index</a> | diff --git a/doc/html/admin/advanced/ldapbackend.html b/doc/html/admin/advanced/ldapbackend.html deleted file mode 100644 index 662067e84ff6..000000000000 --- a/doc/html/admin/advanced/ldapbackend.html +++ /dev/null 
@@ -1,304 +0,0 @@ -<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" - "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> - - -<html xmlns="http://www.w3.org/1999/xhtml"> - <head> - <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> - - <title>LDAP backend on Ubuntu 10.4 (lucid) — MIT Kerberos Documentation</title> - - <link rel="stylesheet" href="../../_static/agogo.css" type="text/css" /> - <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" /> - <link rel="stylesheet" href="../../_static/kerb.css" type="text/css" /> - - <script type="text/javascript"> - var DOCUMENTATION_OPTIONS = { - URL_ROOT: '../../', - VERSION: '1.16', - COLLAPSE_INDEX: false, - FILE_SUFFIX: '.html', - HAS_SOURCE: true - }; - </script> - <script type="text/javascript" src="../../_static/jquery.js"></script> - <script type="text/javascript" src="../../_static/underscore.js"></script> - <script type="text/javascript" src="../../_static/doctools.js"></script> - <link rel="author" title="About these documents" href="../../about.html" /> - <link rel="copyright" title="Copyright" href="../../copyright.html" /> - <link rel="top" title="MIT Kerberos Documentation" href="../../index.html" /> - <link rel="up" title="Advanced topics" href="index.html" /> - <link rel="next" title="Retiring DES" href="retiring-des.html" /> - <link rel="prev" title="Advanced topics" href="index.html" /> - </head> - <body> - <div class="header-wrapper"> - <div class="header"> - - - <h1><a href="../../index.html">MIT Kerberos Documentation</a></h1> - - <div class="rel"> - - <a href="../../index.html" title="Full Table of Contents" - accesskey="C">Contents</a> | - <a href="index.html" title="Advanced topics" - accesskey="P">previous</a> | - <a href="retiring-des.html" title="Retiring DES" - accesskey="N">next</a> | - <a href="../../genindex.html" title="General Index" - accesskey="I">index</a> | - <a href="../../search.html" title="Enter search criteria" - 
accesskey="S">Search</a> | - <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__LDAP backend on Ubuntu 10.4 (lucid)">feedback</a> - </div> - </div> - </div> - - <div class="content-wrapper"> - <div class="content"> - <div class="document"> - - <div class="documentwrapper"> - <div class="bodywrapper"> - <div class="body"> - - <div class="section" id="ldap-backend-on-ubuntu-10-4-lucid"> -<span id="ldap-be-ubuntu"></span><h1>LDAP backend on Ubuntu 10.4 (lucid)<a class="headerlink" href="#ldap-backend-on-ubuntu-10-4-lucid" title="Permalink to this headline">¶</a></h1> -<p>Setting up Kerberos v1.9 with LDAP backend on Ubuntu 10.4 (Lucid Lynx)</p> -<div class="section" id="prerequisites"> -<h2>Prerequisites<a class="headerlink" href="#prerequisites" title="Permalink to this headline">¶</a></h2> -<p>Install the following packages: <em>slapd, ldap-utils</em> and <em>libldap2-dev</em></p> -<p>You can install the necessary packages with these commands:</p> -<div class="highlight-python"><div class="highlight"><pre>sudo apt-get install slapd -sudo apt-get install ldap-utils -sudo apt-get install libldap2-dev -</pre></div> -</div> -<p>Extend the user schema using schemas from standart OpenLDAP -distribution: <em>cosine, mics, nis, inetcomperson</em></p> -<div class="highlight-python"><div class="highlight"><pre>ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif -ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/mics.ldif -ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif -ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetcomperson.ldif -</pre></div> -</div> -</div> -<div class="section" id="building-kerberos-from-source"> -<h2>Building Kerberos from source<a class="headerlink" href="#building-kerberos-from-source" title="Permalink to this headline">¶</a></h2> -<div class="highlight-python"><div class="highlight"><pre>./configure --with-ldap -make -sudo make install -</pre></div> -</div> -</div> -<div class="section" 
id="setting-up-kerberos"> -<h2>Setting up Kerberos<a class="headerlink" href="#setting-up-kerberos" title="Permalink to this headline">¶</a></h2> -<div class="section" id="configuration"> -<h3>Configuration<a class="headerlink" href="#configuration" title="Permalink to this headline">¶</a></h3> -<p>Update kdc.conf with the LDAP back-end information:</p> -<div class="highlight-python"><div class="highlight"><pre>[realms] - EXAMPLE.COM = { - database_module = LDAP - } - -[dbmodules] - LDAP = { - db_library = kldap - ldap_kerberos_container_dn = cn=krbContainer,dc=example,dc=com - ldap_kdc_dn = cn=admin,dc=example,dc=com - ldap_kadmind_dn = cn=admin,dc=example,dc=com - ldap_service_password_file = /usr/local/var/krb5kdc/admin.stash - ldap_servers = ldapi:/// - } -</pre></div> -</div> -</div> -<div class="section" id="schema"> -<h3>Schema<a class="headerlink" href="#schema" title="Permalink to this headline">¶</a></h3> -<p>From the source tree copy -<tt class="docutils literal"><span class="pre">src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema</span></tt> into -<tt class="docutils literal"><span class="pre">/etc/ldap/schema</span></tt></p> -<p>Warning: this step should be done after slapd is installed to avoid -problems with slapd installation.</p> -<p>To convert kerberos.schema to run-time configuration (<tt class="docutils literal"><span class="pre">cn=config</span></tt>) -do the following:</p> -<ol class="arabic"> -<li><p class="first">Create a temporary file <tt class="docutils literal"><span class="pre">/tmp/schema_convert.conf</span></tt> with the -following content:</p> -<div class="highlight-python"><div class="highlight"><pre><span class="n">include</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">ldap</span><span class="o">/</span><span class="n">schema</span><span class="o">/</span><span class="n">kerberos</span><span class="o">.</span><span class="n">schema</span> -</pre></div> -</div> -</li> -<li><p 
class="first">Create a temporary directory <tt class="docutils literal"><span class="pre">/tmp/krb5_ldif</span></tt>.</p> -</li> -<li><p class="first">Run:</p> -<div class="highlight-python"><div class="highlight"><pre><span class="n">slaptest</span> <span class="o">-</span><span class="n">f</span> <span class="o">/</span><span class="n">tmp</span><span class="o">/</span><span class="n">schema_convert</span><span class="o">.</span><span class="n">conf</span> <span class="o">-</span><span class="n">F</span> <span class="o">/</span><span class="n">tmp</span><span class="o">/</span><span class="n">krb5_ldif</span> -</pre></div> -</div> -<p>This should in a new file named -<tt class="docutils literal"><span class="pre">/tmp/krb5_ldif/cn=config/cn=schema/cn={0}kerberos.ldif</span></tt>.</p> -</li> -<li><p class="first">Edit <tt class="docutils literal"><span class="pre">/tmp/krb5_ldif/cn=config/cn=schema/cn={0}kerberos.ldif</span></tt> by -replacing the lines:</p> -<div class="highlight-python"><div class="highlight"><pre>dn: cn={0}kerberos -cn: {0}kerberos -</pre></div> -</div> -<p>with</p> -<blockquote> -<div><p>dn: cn=kerberos,cn=schema,cn=config -cn: kerberos</p> -</div></blockquote> -<p>Also, remove following attribute-value pairs:</p> -<div class="highlight-python"><div class="highlight"><pre>structuralObjectClass: olcSchemaConfig -entryUUID: ... -creatorsName: cn=config -createTimestamp: ... -entryCSN: ... -modifiersName: cn=config -modifyTimestamp: ... 
-</pre></div> -</div> -</li> -<li><p class="first">Load the new schema with ldapadd (with the proper authentication):</p> -<div class="highlight-python"><div class="highlight"><pre>ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/krb5_ldif/cn=config/cn=schema/cn={0}kerberos.ldif -</pre></div> -</div> -<p>which should result the message <tt class="docutils literal"><span class="pre">adding</span> <span class="pre">new</span> <span class="pre">entry</span> -<span class="pre">"cn=kerberos,cn=schema,cn=config"</span></tt>.</p> -</li> -</ol> -</div> -</div> -<div class="section" id="create-kerberos-database"> -<h2>Create Kerberos database<a class="headerlink" href="#create-kerberos-database" title="Permalink to this headline">¶</a></h2> -<p>Using LDAP administrator credentials, create Kerberos database and -master key stash:</p> -<div class="highlight-python"><div class="highlight"><pre>kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldapi:/// create -s -</pre></div> -</div> -<p>Stash the LDAP administrative passwords:</p> -<div class="highlight-python"><div class="highlight"><pre>kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=com -</pre></div> -</div> -<p>Start <a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><em>krb5kdc</em></a>:</p> -<div class="highlight-python"><div class="highlight"><pre><span class="n">krb5kdc</span> -</pre></div> -</div> -<p>To destroy database run:</p> -<div class="highlight-python"><div class="highlight"><pre>kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldapi:/// destroy -f -</pre></div> -</div> -</div> -<div class="section" id="useful-references"> -<h2>Useful references<a class="headerlink" href="#useful-references" title="Permalink to this headline">¶</a></h2> -<ul class="simple"> -<li><a class="reference external" href="https://help.ubuntu.com/10.04/serverguide/C/kerberos-ldap.html">Kerberos and LDAP</a></li> -</ul> -</div> -</div> - - - </div> - </div> - </div> - </div> - 
<div class="sidebar"> - <h2>On this page</h2> - <ul> -<li><a class="reference internal" href="#">LDAP backend on Ubuntu 10.4 (lucid)</a><ul> -<li><a class="reference internal" href="#prerequisites">Prerequisites</a></li> -<li><a class="reference internal" href="#building-kerberos-from-source">Building Kerberos from source</a></li> -<li><a class="reference internal" href="#setting-up-kerberos">Setting up Kerberos</a><ul> -<li><a class="reference internal" href="#configuration">Configuration</a></li> -<li><a class="reference internal" href="#schema">Schema</a></li> -</ul> -</li> -<li><a class="reference internal" href="#create-kerberos-database">Create Kerberos database</a></li> -<li><a class="reference internal" href="#useful-references">Useful references</a></li> -</ul> -</li> -</ul> - - <br/> - <h2>Table of contents</h2> - <ul class="current"> -<li class="toctree-l1"><a class="reference internal" href="../../user/index.html">For users</a></li> -<li class="toctree-l1 current"><a class="reference internal" href="../index.html">For administrators</a><ul class="current"> -<li class="toctree-l2"><a class="reference internal" href="../install.html">Installation guide</a></li> -<li class="toctree-l2"><a class="reference internal" href="../conf_files/index.html">Configuration Files</a></li> -<li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li> -<li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li> -<li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li> -<li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li> -<li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li> -<li class="toctree-l2"><a class="reference internal" href="../host_config.html">Host configuration</a></li> -<li 
class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li> -<li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li> -<li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li> -<li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li> -<li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li> -<li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li> -<li class="toctree-l2"><a class="reference internal" href="../auth_indicator.html">Authentication indicators</a></li> -<li class="toctree-l2"><a class="reference internal" href="../admin_commands/index.html">Administration programs</a></li> -<li class="toctree-l2"><a class="reference internal" href="../../mitK5defaults.html">MIT Kerberos defaults</a></li> -<li class="toctree-l2"><a class="reference internal" href="../env_variables.html">Environment variables</a></li> -<li class="toctree-l2"><a class="reference internal" href="../troubleshoot.html">Troubleshooting</a></li> -<li class="toctree-l2 current"><a class="reference internal" href="index.html">Advanced topics</a><ul class="current"> -<li class="toctree-l3 current"><a class="current reference internal" href="">LDAP backend on Ubuntu 10.4 (lucid)</a></li> -<li class="toctree-l3"><a class="reference internal" href="retiring-des.html">Retiring DES</a></li> -</ul> -</li> -<li class="toctree-l2"><a class="reference internal" href="../various_envs.html">Various links</a></li> -</ul> -</li> -<li class="toctree-l1"><a class="reference internal" href="../../appdev/index.html">For application developers</a></li> -<li class="toctree-l1"><a class="reference internal" href="../../plugindev/index.html">For plugin module developers</a></li> -<li class="toctree-l1"><a class="reference 
internal" href="../../build/index.html">Building Kerberos V5</a></li> -<li class="toctree-l1"><a class="reference internal" href="../../basic/index.html">Kerberos V5 concepts</a></li> -<li class="toctree-l1"><a class="reference internal" href="../../formats/index.html">Protocols and file formats</a></li> -<li class="toctree-l1"><a class="reference internal" href="../../mitK5features.html">MIT Kerberos features</a></li> -<li class="toctree-l1"><a class="reference internal" href="../../build_this.html">How to build this documentation from the source</a></li> -<li class="toctree-l1"><a class="reference internal" href="../../about.html">Contributing to the MIT Kerberos Documentation</a></li> -<li class="toctree-l1"><a class="reference internal" href="../../resources.html">Resources</a></li> -</ul> - - <br/> - <h4><a href="../../index.html">Full Table of Contents</a></h4> - <h4>Search</h4> - <form class="search" action="../../search.html" method="get"> - <input type="text" name="q" size="18" /> - <input type="submit" value="Go" /> - <input type="hidden" name="check_keywords" value="yes" /> - <input type="hidden" name="area" value="default" /> - </form> - </div> - <div class="clearer"></div> - </div> - </div> - - <div class="footer-wrapper"> - <div class="footer" > - <div class="right" ><i>Release: 1.16</i><br /> - © <a href="../../copyright.html">Copyright</a> 1985-2017, MIT. - </div> - <div class="left"> - - <a href="../../index.html" title="Full Table of Contents" - >Contents</a> | - <a href="index.html" title="Advanced topics" - >previous</a> | - <a href="retiring-des.html" title="Retiring DES" - >next</a> | - <a href="../../genindex.html" title="General Index" - >index</a> | - <a href="../../search.html" title="Enter search criteria" - >Search</a> | - <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__LDAP backend on Ubuntu 10.4 (lucid)">feedback</a> - </div> - </div> - </div> - - </body> -</html>
\ No newline at end of file diff --git a/doc/html/admin/advanced/retiring-des.html b/doc/html/admin/advanced/retiring-des.html index 8ac29b3dca51..49dfaaa786b5 100644 --- a/doc/html/admin/advanced/retiring-des.html +++ b/doc/html/admin/advanced/retiring-des.html 
@@ -1,35 +1,33 @@ + <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> - <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> - - <title>Retiring DES — MIT Kerberos Documentation</title> - + <title>Retiring DES — MIT Kerberos Documentation</title> <link rel="stylesheet" href="../../_static/agogo.css" type="text/css" /> <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" /> <link rel="stylesheet" href="../../_static/kerb.css" type="text/css" /> - <script type="text/javascript"> var DOCUMENTATION_OPTIONS = { URL_ROOT: '../../', - VERSION: '1.16', + VERSION: '1.21.1', COLLAPSE_INDEX: false, FILE_SUFFIX: '.html', - HAS_SOURCE: true + HAS_SOURCE: true, + SOURCELINK_SUFFIX: '.txt' }; </script> <script type="text/javascript" src="../../_static/jquery.js"></script> <script type="text/javascript" src="../../_static/underscore.js"></script> <script type="text/javascript" src="../../_static/doctools.js"></script> <link rel="author" title="About these documents" href="../../about.html" /> + <link rel="index" title="Index" href="../../genindex.html" /> + <link rel="search" title="Search" href="../../search.html" /> <link rel="copyright" title="Copyright" href="../../copyright.html" /> - <link rel="top" title="MIT Kerberos Documentation" href="../../index.html" /> - <link rel="up" title="Advanced topics" href="index.html" /> <link rel="next" title="Various links" href="../various_envs.html" /> - <link rel="prev" title="LDAP backend on Ubuntu 10.4 (lucid)" href="ldapbackend.html" /> + <link rel="prev" title="Advanced topics" href="index.html" /> </head> <body> <div class="header-wrapper"> 
@@ -42,7 +40,7 @@ <a href="../../index.html" title="Full Table of Contents" accesskey="C">Contents</a> | - <a href="ldapbackend.html" title="LDAP backend on Ubuntu 10.4 (lucid)" + <a href="index.html" title="Advanced topics" accesskey="P">previous</a> | <a href="../various_envs.html" title="Various links" accesskey="N">next</a> | @@ -61,7 +59,7 @@ <div class="documentwrapper"> <div class="bodywrapper"> - <div class="body"> + <div class="body" role="main"> <div class="section" id="retiring-des"> <span id="id1"></span><h1>Retiring DES<a class="headerlink" href="#retiring-des" title="Permalink to this headline">¶</a></h1> @@ -70,7 +68,7 @@ the Data Encryption Standard (DES) as a block cipher for encryption. While it was considered secure at the time, advancements in computational ability have rendered DES vulnerable to brute force attacks on its 56-bit keyspace. As such, it is now considered insecure and should not be -used (<span class="target" id="index-0"></span><a class="rfc reference external" href="http://tools.ietf.org/html/rfc6649.html"><strong>RFC 6649</strong></a>).</p> +used (<span class="target" id="index-0"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc6649.html"><strong>RFC 6649</strong></a>).</p> <div class="section" id="history"> <h2>History<a class="headerlink" href="#history" title="Permalink to this headline">¶</a></h2> <p>DES was used in the original Kerberos implementation, and was the 
@@ -81,13 +79,17 @@ partial support in version 1.3.0 of krb5 and full support in version 1.3.2. However, deployments of krb5 using Kerberos databases created with older versions of krb5 will not necessarily start using strong crypto for ordinary operation without administrator intervention.</p> +<p>MIT krb5 began flagging deprecated encryption types with release 1.17, +and removed DES (single-DES) support in release 1.18. As a +consequence, a release prior to 1.18 is required to perform these +migrations.</p> </div> <div class="section" id="types-of-keys"> <h2>Types of keys<a class="headerlink" href="#types-of-keys" title="Permalink to this headline">¶</a></h2> <ul class="simple"> <li>The database master key: This key is not exposed to user requests, but is used to encrypt other key material stored in the kerberos -database. The database master key is currently stored as <tt class="docutils literal"><span class="pre">K/M</span></tt> +database. The database master key is currently stored as <code class="docutils literal"><span class="pre">K/M</span></code> by default.</li> <li>Password-derived keys: User principals frequently have keys derived from a password. When a new password is set, the KDC 
@@ -102,8 +104,8 @@ and stored in a keytab.</li> processing client requests, with an enctype selected by the KDC.</li> </ul> <p>For details on the various enctypes and how enctypes are selected by the KDC -for session keys and client/server long-term keys, see <a class="reference internal" href="../enctypes.html#enctypes"><em>Encryption types</em></a>. -When using the <a class="reference internal" href="../admin_commands/kadmin_local.html#kadmin-1"><em>kadmin</em></a> interface to generate new long-term keys, +for session keys and client/server long-term keys, see <a class="reference internal" href="../enctypes.html#enctypes"><span class="std std-ref">Encryption types</span></a>. +When using the <a class="reference internal" href="../admin_commands/kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> interface to generate new long-term keys, the <strong>-e</strong> argument can be used to force a particular set of enctypes, overriding the KDC default values.</p> <div class="admonition note"> 
@@ -126,45 +128,45 @@ only remaining task is to update the actual keys used to service requests. The realm used for demonstrating this procedure, ZONE.MIT.EDU, is an example of the worst-case scenario, where all keys in the realm are DES. The realm was initially created with a very old version of krb5, -and <strong>supported_enctypes</strong> in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> was set to a value +and <strong>supported_enctypes</strong> in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a> was set to a value appropriate when the KDC was installed, but was not updated as the KDC was upgraded:</p> -<div class="highlight-python"><div class="highlight"><pre>[realms] - ZONE.MIT.EDU = { - [...] - master_key_type = des-cbc-crc - supported_enctypes = des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3 - } +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">realms</span><span class="p">]</span> + <span class="n">ZONE</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="o">=</span> <span class="p">{</span> + <span class="p">[</span><span class="o">...</span><span class="p">]</span> + <span class="n">master_key_type</span> <span class="o">=</span> <span class="n">des</span><span class="o">-</span><span class="n">cbc</span><span class="o">-</span><span class="n">crc</span> + <span class="n">supported_enctypes</span> <span class="o">=</span> <span class="n">des</span><span class="o">-</span><span class="n">cbc</span><span class="o">-</span><span class="n">crc</span><span class="p">:</span><span class="n">normal</span> <span class="n">des</span><span class="p">:</span><span class="n">normal</span> <span class="n">des</span><span class="p">:</span><span class="n">v4</span> <span 
class="n">des</span><span class="p">:</span><span class="n">norealm</span> <span class="n">des</span><span class="p">:</span><span class="n">onlyrealm</span> <span class="n">des</span><span class="p">:</span><span class="n">afs3</span> + <span class="p">}</span> </pre></div> </div> <p>This resulted in the keys for all principals in the realm being forced -to DES-only, unless specifically requested using <a class="reference internal" href="../admin_commands/kadmin_local.html#kadmin-1"><em>kadmin</em></a>.</p> +to DES-only, unless specifically requested using <a class="reference internal" href="../admin_commands/kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a>.</p> <p>Before starting the upgrade, all KDCs were running krb5 1.11, -and the database entries for some “high-value” principals were:</p> -<div class="highlight-python"><div class="highlight"><pre>[root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q 'getprinc krbtgt/ZONE.MIT.EDU' -[...] -Number of keys: 1 -Key: vno 1, des-cbc-crc:v4 -[...] -[root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q 'getprinc kadmin/admin' -[...] -Number of keys: 1 -Key: vno 15, des-cbc-crc -[...] -[root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q 'getprinc kadmin/changepw' -[...] -Number of keys: 1 -Key: vno 14, des-cbc-crc -[...] 
+and the database entries for some “high-value” principals were:</p> +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">root</span><span class="nd">@casio</span> <span class="n">krb5kdc</span><span class="p">]</span><span class="c1"># kadmin.local -r ZONE.MIT.EDU -q 'getprinc krbtgt/ZONE.MIT.EDU'</span> +<span class="p">[</span><span class="o">...</span><span class="p">]</span> +<span class="n">Number</span> <span class="n">of</span> <span class="n">keys</span><span class="p">:</span> <span class="mi">1</span> +<span class="n">Key</span><span class="p">:</span> <span class="n">vno</span> <span class="mi">1</span><span class="p">,</span> <span class="n">des</span><span class="o">-</span><span class="n">cbc</span><span class="o">-</span><span class="n">crc</span><span class="p">:</span><span class="n">v4</span> +<span class="p">[</span><span class="o">...</span><span class="p">]</span> +<span class="p">[</span><span class="n">root</span><span class="nd">@casio</span> <span class="n">krb5kdc</span><span class="p">]</span><span class="c1"># kadmin.local -r ZONE.MIT.EDU -q 'getprinc kadmin/admin'</span> +<span class="p">[</span><span class="o">...</span><span class="p">]</span> +<span class="n">Number</span> <span class="n">of</span> <span class="n">keys</span><span class="p">:</span> <span class="mi">1</span> +<span class="n">Key</span><span class="p">:</span> <span class="n">vno</span> <span class="mi">15</span><span class="p">,</span> <span class="n">des</span><span class="o">-</span><span class="n">cbc</span><span class="o">-</span><span class="n">crc</span> +<span class="p">[</span><span class="o">...</span><span class="p">]</span> +<span class="p">[</span><span class="n">root</span><span class="nd">@casio</span> <span class="n">krb5kdc</span><span class="p">]</span><span class="c1"># kadmin.local -r ZONE.MIT.EDU -q 'getprinc kadmin/changepw'</span> +<span class="p">[</span><span 
class="o">...</span><span class="p">]</span> +<span class="n">Number</span> <span class="n">of</span> <span class="n">keys</span><span class="p">:</span> <span class="mi">1</span> +<span class="n">Key</span><span class="p">:</span> <span class="n">vno</span> <span class="mi">14</span><span class="p">,</span> <span class="n">des</span><span class="o">-</span><span class="n">cbc</span><span class="o">-</span><span class="n">crc</span> +<span class="p">[</span><span class="o">...</span><span class="p">]</span> </pre></div> </div> -<p>The <tt class="docutils literal"><span class="pre">krbtgt/REALM</span></tt> key appears to have never been changed since creation +<p>The <code class="docutils literal"><span class="pre">krbtgt/REALM</span></code> key appears to have never been changed since creation (its kvno is 1), and all three database entries have only a des-cbc-crc key.</p> <div class="section" id="the-krbtgt-key-and-kdc-keys"> <h3>The krbtgt key and KDC keys<a class="headerlink" href="#the-krbtgt-key-and-kdc-keys" title="Permalink to this headline">¶</a></h3> <p>Perhaps the biggest single-step improvement in the security of the cell is gained by strengthening the key of the ticket-granting service principal, -<tt class="docutils literal"><span class="pre">krbtgt/REALM</span></tt>—if this principal’s key is compromised, so is the +<code class="docutils literal"><span class="pre">krbtgt/REALM</span></code>—if this principal’s key is compromised, so is the entire realm. Since the server that will handle service tickets for this principal is the KDC itself, it is easy to guarantee that it will be configured to support any encryption types which might be 
@@ -173,22 +175,22 @@ remove the old keys, which would invalidate all existing tickets issued against that principal, rendering the TGTs cached by clients useless. Instead, a new key can be created with the old key retained, so that existing tickets will still function until their scheduled expiry -(see <a class="reference internal" href="../database.html#changing-krbtgt-key"><em>Changing the krbtgt key</em></a>).</p> -<div class="highlight-python"><div class="highlight"><pre>[root@casio krb5kdc]# enctypes=aes256-cts-hmac-sha1-96:normal,\ -> aes128-cts-hmac-sha1-96:normal,des3-hmac-sha1:normal,des-cbc-crc:normal -[root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q "cpw -e ${enctypes} -randkey \ -> -keepold krbtgt/ZONE.MIT.EDU" -Authenticating as principal root/admin@ZONE.MIT.EDU with password. -Key for "krbtgt/ZONE.MIT.EDU@ZONE.MIT.EDU" randomized. +(see <a class="reference internal" href="../database.html#changing-krbtgt-key"><span class="std std-ref">Changing the krbtgt key</span></a>).</p> +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">root</span><span class="nd">@casio</span> <span class="n">krb5kdc</span><span class="p">]</span><span class="c1"># enctypes=aes256-cts-hmac-sha1-96:normal,\</span> +<span class="o">></span> <span class="n">aes128</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span><span class="p">:</span><span class="n">normal</span><span class="p">,</span><span class="n">des3</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="p">:</span><span class="n">normal</span><span class="p">,</span><span class="n">des</span><span class="o">-</span><span class="n">cbc</span><span class="o">-</span><span class="n">crc</span><span class="p">:</span><span 
class="n">normal</span> +<span class="p">[</span><span class="n">root</span><span class="nd">@casio</span> <span class="n">krb5kdc</span><span class="p">]</span><span class="c1"># kadmin.local -r ZONE.MIT.EDU -q "cpw -e ${enctypes} -randkey \</span> +<span class="o">></span> <span class="o">-</span><span class="n">keepold</span> <span class="n">krbtgt</span><span class="o">/</span><span class="n">ZONE</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span><span class="s2">"</span> +<span class="n">Authenticating</span> <span class="k">as</span> <span class="n">principal</span> <span class="n">root</span><span class="o">/</span><span class="n">admin</span><span class="nd">@ZONE</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="k">with</span> <span class="n">password</span><span class="o">.</span> +<span class="n">Key</span> <span class="k">for</span> <span class="s2">"krbtgt/ZONE.MIT.EDU@ZONE.MIT.EDU"</span> <span class="n">randomized</span><span class="o">.</span> </pre></div> </div> <div class="admonition note"> <p class="first admonition-title">Note</p> -<p class="last">The new <tt class="docutils literal"><span class="pre">krbtgt@REALM</span></tt> key should be propagated to slave KDCs -immediately so that TGTs issued by the master KDC can be used to -issue service tickets on slave KDCs. Slave KDCs will refuse requests -using the new TGT kvno until the new krbtgt entry has been propagated -to them.</p> +<p class="last">The new <code class="docutils literal"><span class="pre">krbtgt@REALM</span></code> key should be propagated to replica KDCs +immediately so that TGTs issued by the primary KDC can be used to +issue service tickets on replica KDCs. 
Replica KDCs will refuse +requests using the new TGT kvno until the new krbtgt entry has +been propagated to them.</p> </div> <p>It is necessary to explicitly specify the enctypes for the new database entry, since <strong>supported_enctypes</strong> has not been changed. Leaving 
@@ -198,44 +200,44 @@ administrator action and can be easily enumerated. Upgrading the krbtgt key should have minimal user-visible disruption other than that described in the note above, since only clients which list the new enctypes as supported will use them, per the procedure -in <a class="reference internal" href="../enctypes.html#session-key-selection"><em>Session key selection</em></a>. +in <a class="reference internal" href="../enctypes.html#session-key-selection"><span class="std std-ref">Session key selection</span></a>. Once the krbtgt key is updated, the session and ticket keys for user TGTs will be strong keys, but subsequent requests for service tickets will still get DES keys until the service principals have new keys generated. Application service remains uninterrupted due to the key-selection procedure on the KDC.</p> <p>After the change, the database entry is now:</p> -<div class="highlight-python"><div class="highlight"><pre>[root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q 'getprinc krbtgt/ZONE.MIT.EDU' -[...] -Number of keys: 5 -Key: vno 2, aes256-cts-hmac-sha1-96 -Key: vno 2, aes128-cts-hmac-sha1-96 -Key: vno 2, des3-cbc-sha1 -Key: vno 2, des-cbc-crc -Key: vno 1, des-cbc-crc:v4 -[...] 
+<div class="highlight-default"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">root</span><span class="nd">@casio</span> <span class="n">krb5kdc</span><span class="p">]</span><span class="c1"># kadmin.local -r ZONE.MIT.EDU -q 'getprinc krbtgt/ZONE.MIT.EDU'</span> +<span class="p">[</span><span class="o">...</span><span class="p">]</span> +<span class="n">Number</span> <span class="n">of</span> <span class="n">keys</span><span class="p">:</span> <span class="mi">5</span> +<span class="n">Key</span><span class="p">:</span> <span class="n">vno</span> <span class="mi">2</span><span class="p">,</span> <span class="n">aes256</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span> +<span class="n">Key</span><span class="p">:</span> <span class="n">vno</span> <span class="mi">2</span><span class="p">,</span> <span class="n">aes128</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span> +<span class="n">Key</span><span class="p">:</span> <span class="n">vno</span> <span class="mi">2</span><span class="p">,</span> <span class="n">des3</span><span class="o">-</span><span class="n">cbc</span><span class="o">-</span><span class="n">sha1</span> +<span class="n">Key</span><span class="p">:</span> <span class="n">vno</span> <span class="mi">2</span><span class="p">,</span> <span class="n">des</span><span class="o">-</span><span class="n">cbc</span><span class="o">-</span><span class="n">crc</span> +<span class="n">Key</span><span class="p">:</span> <span class="n">vno</span> <span class="mi">1</span><span class="p">,</span> <span class="n">des</span><span class="o">-</span><span class="n">cbc</span><span class="o">-</span><span 
class="n">crc</span><span class="p">:</span><span class="n">v4</span> +<span class="p">[</span><span class="o">...</span><span class="p">]</span> </pre></div> </div> <p>Since the expected disruptions from rekeying the krbtgt principal are minor, after a short testing period, it is -appropriate to rekey the other high-value principals, <tt class="docutils literal"><span class="pre">kadmin/admin@REALM</span></tt> -and <tt class="docutils literal"><span class="pre">kadmin/changepw@REALM</span></tt>. These are the service principals used for +appropriate to rekey the other high-value principals, <code class="docutils literal"><span class="pre">kadmin/admin@REALM</span></code> +and <code class="docutils literal"><span class="pre">kadmin/changepw@REALM</span></code>. These are the service principals used for changing user passwords and updating application keytabs. The kadmin and password-changing services are regular kerberized services, so the -session-key-selection algorithm described in <a class="reference internal" href="../enctypes.html#session-key-selection"><em>Session key selection</em></a> +session-key-selection algorithm described in <a class="reference internal" href="../enctypes.html#session-key-selection"><span class="std std-ref">Session key selection</span></a> applies. It is particularly important to have strong session keys for these services, since user passwords and new long-term keys are conveyed over the encrypted channel.</p> -<div class="highlight-python"><div class="highlight"><pre>[root@casio krb5kdc]# enctypes=aes256-cts-hmac-sha1-96:normal,\ -> aes128-cts-hmac-sha1-96:normal,des3-hmac-sha1:normal -[root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q "cpw -e ${enctypes} -randkey \ -> kadmin/admin" -Authenticating as principal root/admin@ZONE.MIT.EDU with password. -Key for "kadmin/admin@ZONE.MIT.EDU" randomized. 
-[root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q "cpw -e ${enctypes} -randkey \ -> kadmin/changepw" -Authenticating as principal root/admin@ZONE.MIT.EDU with password. -Key for "kadmin/changepw@ZONE.MIT.EDU" randomized. +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">root</span><span class="nd">@casio</span> <span class="n">krb5kdc</span><span class="p">]</span><span class="c1"># enctypes=aes256-cts-hmac-sha1-96:normal,\</span> +<span class="o">></span> <span class="n">aes128</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span><span class="p">:</span><span class="n">normal</span><span class="p">,</span><span class="n">des3</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="p">:</span><span class="n">normal</span> +<span class="p">[</span><span class="n">root</span><span class="nd">@casio</span> <span class="n">krb5kdc</span><span class="p">]</span><span class="c1"># kadmin.local -r ZONE.MIT.EDU -q "cpw -e ${enctypes} -randkey \</span> +<span class="o">></span> <span class="n">kadmin</span><span class="o">/</span><span class="n">admin</span><span class="s2">"</span> +<span class="n">Authenticating</span> <span class="k">as</span> <span class="n">principal</span> <span class="n">root</span><span class="o">/</span><span class="n">admin</span><span class="nd">@ZONE</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="k">with</span> <span class="n">password</span><span class="o">.</span> +<span class="n">Key</span> <span class="k">for</span> <span class="s2">"kadmin/admin@ZONE.MIT.EDU"</span> <span class="n">randomized</span><span class="o">.</span> +<span class="p">[</span><span class="n">root</span><span 
class="nd">@casio</span> <span class="n">krb5kdc</span><span class="p">]</span><span class="c1"># kadmin.local -r ZONE.MIT.EDU -q "cpw -e ${enctypes} -randkey \</span> +<span class="o">></span> <span class="n">kadmin</span><span class="o">/</span><span class="n">changepw</span><span class="s2">"</span> +<span class="n">Authenticating</span> <span class="k">as</span> <span class="n">principal</span> <span class="n">root</span><span class="o">/</span><span class="n">admin</span><span class="nd">@ZONE</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="k">with</span> <span class="n">password</span><span class="o">.</span> +<span class="n">Key</span> <span class="k">for</span> <span class="s2">"kadmin/changepw@ZONE.MIT.EDU"</span> <span class="n">randomized</span><span class="o">.</span> </pre></div> </div> <p>It is not necessary to retain a single-DES key for these services, since 
@@ -251,43 +253,43 @@ at this stage, giving more time for corrective action.</p> <p>Before switching the default enctypes for new keys over to strong enctypes, it may be desired to test upgrading a handful of services with the new configuration before flipping the switch for the defaults. This -still requires using the <strong>-e</strong> argument in <a class="reference internal" href="../admin_commands/kadmin_local.html#kadmin-1"><em>kadmin</em></a> to get non-default +still requires using the <strong>-e</strong> argument in <a class="reference internal" href="../admin_commands/kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> to get non-default enctypes:</p> -<div class="highlight-python"><div class="highlight"><pre>[root@casio krb5kdc]# enctypes=aes256-cts-hmac-sha1-96:normal,\ -> aes128-cts-hmac-sha1-96:normal,des3-cbc-sha1:normal,des-cbc-crc:normal -[root@casio krb5kdc]# kadmin -r ZONE.MIT.EDU -p zephyr/zephyr@ZONE.MIT.EDU -k -t \ -> /etc/zephyr/krb5.keytab -q "ktadd -e ${enctypes} \ -> -k /etc/zephyr/krb5.keytab zephyr/zephyr@ZONE.MIT.EDU" -Authenticating as principal zephyr/zephyr@ZONE.MIT.EDU with keytab /etc/zephyr/krb5.keytab. -Entry for principal zephyr/zephyr@ZONE.MIT.EDU with kvno 4, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/zephyr/krb5.keytab. -Entry for principal zephyr/zephyr@ZONE.MIT.EDU with kvno 4, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/zephyr/krb5.keytab. -Entry for principal zephyr/zephyr@ZONE.MIT.EDU with kvno 4, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/zephyr/krb5.keytab. -Entry for principal zephyr/zephyr@ZONE.MIT.EDU with kvno 4, encryption type des-cbc-crc added to keytab WRFILE:/etc/zephyr/krb5.keytab. 
+<div class="highlight-default"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">root</span><span class="nd">@casio</span> <span class="n">krb5kdc</span><span class="p">]</span><span class="c1"># enctypes=aes256-cts-hmac-sha1-96:normal,\</span> +<span class="o">></span> <span class="n">aes128</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span><span class="p">:</span><span class="n">normal</span><span class="p">,</span><span class="n">des3</span><span class="o">-</span><span class="n">cbc</span><span class="o">-</span><span class="n">sha1</span><span class="p">:</span><span class="n">normal</span><span class="p">,</span><span class="n">des</span><span class="o">-</span><span class="n">cbc</span><span class="o">-</span><span class="n">crc</span><span class="p">:</span><span class="n">normal</span> +<span class="p">[</span><span class="n">root</span><span class="nd">@casio</span> <span class="n">krb5kdc</span><span class="p">]</span><span class="c1"># kadmin -r ZONE.MIT.EDU -p zephyr/zephyr@ZONE.MIT.EDU -k -t \</span> +<span class="o">></span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">zephyr</span><span class="o">/</span><span class="n">krb5</span><span class="o">.</span><span class="n">keytab</span> <span class="o">-</span><span class="n">q</span> <span class="s2">"ktadd -e $</span><span class="si">{enctypes}</span><span class="s2"> </span><span class="se">\</span> +<span class="s2">> -k /etc/zephyr/krb5.keytab zephyr/zephyr@ZONE.MIT.EDU"</span> +<span class="n">Authenticating</span> <span class="k">as</span> <span class="n">principal</span> <span class="n">zephyr</span><span class="o">/</span><span class="n">zephyr</span><span class="nd">@ZONE</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span 
class="n">EDU</span> <span class="k">with</span> <span class="n">keytab</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">zephyr</span><span class="o">/</span><span class="n">krb5</span><span class="o">.</span><span class="n">keytab</span><span class="o">.</span> +<span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">zephyr</span><span class="o">/</span><span class="n">zephyr</span><span class="nd">@ZONE</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">4</span><span class="p">,</span> <span class="n">encryption</span> <span class="nb">type</span> <span class="n">aes256</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span> <span class="n">added</span> <span class="n">to</span> <span class="n">keytab</span> <span class="n">WRFILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">zephyr</span><span class="o">/</span><span class="n">krb5</span><span class="o">.</span><span class="n">keytab</span><span class="o">.</span> +<span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">zephyr</span><span class="o">/</span><span class="n">zephyr</span><span class="nd">@ZONE</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">4</span><span class="p">,</span> <span class="n">encryption</span> <span class="nb">type</span> <span class="n">aes128</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span 
class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span> <span class="n">added</span> <span class="n">to</span> <span class="n">keytab</span> <span class="n">WRFILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">zephyr</span><span class="o">/</span><span class="n">krb5</span><span class="o">.</span><span class="n">keytab</span><span class="o">.</span> +<span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">zephyr</span><span class="o">/</span><span class="n">zephyr</span><span class="nd">@ZONE</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">4</span><span class="p">,</span> <span class="n">encryption</span> <span class="nb">type</span> <span class="n">des3</span><span class="o">-</span><span class="n">cbc</span><span class="o">-</span><span class="n">sha1</span> <span class="n">added</span> <span class="n">to</span> <span class="n">keytab</span> <span class="n">WRFILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">zephyr</span><span class="o">/</span><span class="n">krb5</span><span class="o">.</span><span class="n">keytab</span><span class="o">.</span> +<span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">zephyr</span><span class="o">/</span><span class="n">zephyr</span><span class="nd">@ZONE</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">4</span><span class="p">,</span> <span class="n">encryption</span> <span class="nb">type</span> <span class="n">des</span><span class="o">-</span><span class="n">cbc</span><span 
class="o">-</span><span class="n">crc</span> <span class="n">added</span> <span class="n">to</span> <span class="n">keytab</span> <span class="n">WRFILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">zephyr</span><span class="o">/</span><span class="n">krb5</span><span class="o">.</span><span class="n">keytab</span><span class="o">.</span> </pre></div> </div> <p>Be sure to remove the old keys from the application keytab, per best practice.</p> -<div class="highlight-python"><div class="highlight"><pre>[root@casio krb5kdc]# k5srvutil -f /etc/zephyr/krb5.keytab delold -Authenticating as principal zephyr/zephyr@ZONE.MIT.EDU with keytab /etc/zephyr/krb5.keytab. -Entry for principal zephyr/zephyr@ZONE.MIT.EDU with kvno 3 removed from keytab WRFILE:/etc/zephyr/krb5.keytab. +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">root</span><span class="nd">@casio</span> <span class="n">krb5kdc</span><span class="p">]</span><span class="c1"># k5srvutil -f /etc/zephyr/krb5.keytab delold</span> +<span class="n">Authenticating</span> <span class="k">as</span> <span class="n">principal</span> <span class="n">zephyr</span><span class="o">/</span><span class="n">zephyr</span><span class="nd">@ZONE</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="k">with</span> <span class="n">keytab</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">zephyr</span><span class="o">/</span><span class="n">krb5</span><span class="o">.</span><span class="n">keytab</span><span class="o">.</span> +<span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">zephyr</span><span class="o">/</span><span class="n">zephyr</span><span class="nd">@ZONE</span><span class="o">.</span><span class="n">MIT</span><span 
class="o">.</span><span class="n">EDU</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">3</span> <span class="n">removed</span> <span class="kn">from</span> <span class="nn">keytab</span> <span class="n">WRFILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">zephyr</span><span class="o">/</span><span class="n">krb5</span><span class="o">.</span><span class="n">keytab</span><span class="o">.</span> </pre></div> </div> </div> <div class="section" id="adding-strong-keys-by-default"> <h3>Adding strong keys by default<a class="headerlink" href="#adding-strong-keys-by-default" title="Permalink to this headline">¶</a></h3> <p>Once the high-visibility services have been rekeyed, it is probably -appropriate to change <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> to generate keys with the new +appropriate to change <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a> to generate keys with the new encryption types by default. This enables server administrators to generate -new enctypes with the <strong>change</strong> subcommand of <a class="reference internal" href="../admin_commands/k5srvutil.html#k5srvutil-1"><em>k5srvutil</em></a>, +new enctypes with the <strong>change</strong> subcommand of <a class="reference internal" href="../admin_commands/k5srvutil.html#k5srvutil-1"><span class="std std-ref">k5srvutil</span></a>, and causes user password changes to add new encryption types for their entries. 
It will probably be necessary to implement administrative controls to cause all user principal keys to be updated in a reasonable period of time, whether by forcing password changes or a password synchronization service that has access to the current password and can add the new keys.</p> -<div class="highlight-python"><div class="highlight"><pre>[realms] - ZONE.MIT.EDU = { - supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal des3-hmac-sha1:normal des-cbc-crc:normal +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">realms</span><span class="p">]</span> + <span class="n">ZONE</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="o">=</span> <span class="p">{</span> + <span class="n">supported_enctypes</span> <span class="o">=</span> <span class="n">aes256</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span><span class="p">:</span><span class="n">normal</span> <span class="n">aes128</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span><span class="p">:</span><span class="n">normal</span> <span class="n">des3</span><span class="o">-</span><span class="n">cbc</span><span class="o">-</span><span class="n">sha1</span><span class="p">:</span><span class="n">normal</span> <span class="n">des3</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="p">:</span><span class="n">normal</span> <span class="n">des</span><span class="o">-</span><span class="n">cbc</span><span class="o">-</span><span class="n">crc</span><span 
class="p">:</span><span class="n">normal</span> </pre></div> </div> <div class="admonition note"> 
@@ -296,30 +298,30 @@ has access to the current password and can add the new keys.</p> </div> <p>At this point, all service administrators can update their services and the servers behind them to take advantage of strong cryptography. -If necessary, the server’s krb5 installation should be configured and/or -upgraded to a version supporting non-DES keys. See <a class="reference internal" href="../enctypes.html#enctypes"><em>Encryption types</em></a> for +If necessary, the server’s krb5 installation should be configured and/or +upgraded to a version supporting non-DES keys. See <a class="reference internal" href="../enctypes.html#enctypes"><span class="std std-ref">Encryption types</span></a> for krb5 version and configuration settings. Only when the service is configured to accept non-DES keys should the key version number be incremented and new keys generated -(<tt class="docutils literal"><span class="pre">k5srvutil</span> <span class="pre">change</span> <span class="pre">&&</span> <span class="pre">k5srvutil</span> <span class="pre">delold</span></tt>).</p> -<div class="highlight-python"><div class="highlight"><pre>root@dr-willy:~# k5srvutil change -Authenticating as principal host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU with keytab /etc/krb5.keytab. -Entry for principal host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5.keytab. -Entry for principal host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5.keytab. -Entry for principal host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab. -Entry for principal host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab. 
-root@dr-willy:~# klist -e -k -t /etc/krb5.keytab -Keytab name: WRFILE:/etc/krb5.keytab -KVNO Timestamp Principal ----- ----------------- -------------------------------------------------------- - 2 10/10/12 17:03:59 host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU (DES cbc mode with CRC-32) - 3 12/12/12 15:31:19 host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU (AES-256 CTS mode with 96-bit SHA-1 HMAC) - 3 12/12/12 15:31:19 host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU (AES-128 CTS mode with 96-bit SHA-1 HMAC) - 3 12/12/12 15:31:19 host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU (Triple DES cbc mode with HMAC/sha1) - 3 12/12/12 15:31:19 host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU (DES cbc mode with CRC-32) -root@dr-willy:~# k5srvutil delold -Authenticating as principal host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU with keytab /etc/krb5.keytab. -Entry for principal host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU with kvno 2 removed from keytab WRFILE:/etc/krb5.keytab. +(<code class="docutils literal"><span class="pre">k5srvutil</span> <span class="pre">change</span> <span class="pre">&&</span> <span class="pre">k5srvutil</span> <span class="pre">delold</span></code>).</p> +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">root</span><span class="nd">@dr</span><span class="o">-</span><span class="n">willy</span><span class="p">:</span><span class="o">~</span><span class="c1"># k5srvutil change</span> +<span class="n">Authenticating</span> <span class="k">as</span> <span class="n">principal</span> <span class="n">host</span><span class="o">/</span><span class="n">dr</span><span class="o">-</span><span class="n">willy</span><span class="o">.</span><span class="n">xvm</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span><span class="nd">@ZONE</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="k">with</span> <span class="n">keytab</span> <span class="o">/</span><span 
class="n">etc</span><span class="o">/</span><span class="n">krb5</span><span class="o">.</span><span class="n">keytab</span><span class="o">.</span> +<span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">host</span><span class="o">/</span><span class="n">dr</span><span class="o">-</span><span class="n">willy</span><span class="o">.</span><span class="n">xvm</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span><span class="nd">@ZONE</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">3</span><span class="p">,</span> <span class="n">encryption</span> <span class="nb">type</span> <span class="n">AES</span><span class="o">-</span><span class="mi">256</span> <span class="n">CTS</span> <span class="n">mode</span> <span class="k">with</span> <span class="mi">96</span><span class="o">-</span><span class="n">bit</span> <span class="n">SHA</span><span class="o">-</span><span class="mi">1</span> <span class="n">HMAC</span> <span class="n">added</span> <span class="n">to</span> <span class="n">keytab</span> <span class="n">WRFILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">krb5</span><span class="o">.</span><span class="n">keytab</span><span class="o">.</span> +<span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">host</span><span class="o">/</span><span class="n">dr</span><span class="o">-</span><span class="n">willy</span><span class="o">.</span><span class="n">xvm</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span><span class="nd">@ZONE</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span 
class="k">with</span> <span class="n">kvno</span> <span class="mi">3</span><span class="p">,</span> <span class="n">encryption</span> <span class="nb">type</span> <span class="n">AES</span><span class="o">-</span><span class="mi">128</span> <span class="n">CTS</span> <span class="n">mode</span> <span class="k">with</span> <span class="mi">96</span><span class="o">-</span><span class="n">bit</span> <span class="n">SHA</span><span class="o">-</span><span class="mi">1</span> <span class="n">HMAC</span> <span class="n">added</span> <span class="n">to</span> <span class="n">keytab</span> <span class="n">WRFILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">krb5</span><span class="o">.</span><span class="n">keytab</span><span class="o">.</span> +<span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">host</span><span class="o">/</span><span class="n">dr</span><span class="o">-</span><span class="n">willy</span><span class="o">.</span><span class="n">xvm</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span><span class="nd">@ZONE</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">3</span><span class="p">,</span> <span class="n">encryption</span> <span class="nb">type</span> <span class="n">Triple</span> <span class="n">DES</span> <span class="n">cbc</span> <span class="n">mode</span> <span class="k">with</span> <span class="n">HMAC</span><span class="o">/</span><span class="n">sha1</span> <span class="n">added</span> <span class="n">to</span> <span class="n">keytab</span> <span class="n">WRFILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">krb5</span><span class="o">.</span><span 
class="n">keytab</span><span class="o">.</span> +<span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">host</span><span class="o">/</span><span class="n">dr</span><span class="o">-</span><span class="n">willy</span><span class="o">.</span><span class="n">xvm</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span><span class="nd">@ZONE</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">3</span><span class="p">,</span> <span class="n">encryption</span> <span class="nb">type</span> <span class="n">DES</span> <span class="n">cbc</span> <span class="n">mode</span> <span class="k">with</span> <span class="n">CRC</span><span class="o">-</span><span class="mi">32</span> <span class="n">added</span> <span class="n">to</span> <span class="n">keytab</span> <span class="n">WRFILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">krb5</span><span class="o">.</span><span class="n">keytab</span><span class="o">.</span> +<span class="n">root</span><span class="nd">@dr</span><span class="o">-</span><span class="n">willy</span><span class="p">:</span><span class="o">~</span><span class="c1"># klist -e -k -t /etc/krb5.keytab</span> +<span class="n">Keytab</span> <span class="n">name</span><span class="p">:</span> <span class="n">WRFILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">krb5</span><span class="o">.</span><span class="n">keytab</span> +<span class="n">KVNO</span> <span class="n">Timestamp</span> <span class="n">Principal</span> +<span class="o">----</span> <span class="o">-----------------</span> <span class="o">--------------------------------------------------------</span> + <span class="mi">2</span> 
<span class="mi">10</span><span class="o">/</span><span class="mi">10</span><span class="o">/</span><span class="mi">12</span> <span class="mi">17</span><span class="p">:</span><span class="mi">03</span><span class="p">:</span><span class="mi">59</span> <span class="n">host</span><span class="o">/</span><span class="n">dr</span><span class="o">-</span><span class="n">willy</span><span class="o">.</span><span class="n">xvm</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span><span class="nd">@ZONE</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="p">(</span><span class="n">DES</span> <span class="n">cbc</span> <span class="n">mode</span> <span class="k">with</span> <span class="n">CRC</span><span class="o">-</span><span class="mi">32</span><span class="p">)</span> + <span class="mi">3</span> <span class="mi">12</span><span class="o">/</span><span class="mi">12</span><span class="o">/</span><span class="mi">12</span> <span class="mi">15</span><span class="p">:</span><span class="mi">31</span><span class="p">:</span><span class="mi">19</span> <span class="n">host</span><span class="o">/</span><span class="n">dr</span><span class="o">-</span><span class="n">willy</span><span class="o">.</span><span class="n">xvm</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span><span class="nd">@ZONE</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="p">(</span><span class="n">AES</span><span class="o">-</span><span class="mi">256</span> <span class="n">CTS</span> <span class="n">mode</span> <span class="k">with</span> <span class="mi">96</span><span class="o">-</span><span class="n">bit</span> <span class="n">SHA</span><span class="o">-</span><span class="mi">1</span> <span class="n">HMAC</span><span class="p">)</span> + <span 
class="mi">3</span> <span class="mi">12</span><span class="o">/</span><span class="mi">12</span><span class="o">/</span><span class="mi">12</span> <span class="mi">15</span><span class="p">:</span><span class="mi">31</span><span class="p">:</span><span class="mi">19</span> <span class="n">host</span><span class="o">/</span><span class="n">dr</span><span class="o">-</span><span class="n">willy</span><span class="o">.</span><span class="n">xvm</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span><span class="nd">@ZONE</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="p">(</span><span class="n">AES</span><span class="o">-</span><span class="mi">128</span> <span class="n">CTS</span> <span class="n">mode</span> <span class="k">with</span> <span class="mi">96</span><span class="o">-</span><span class="n">bit</span> <span class="n">SHA</span><span class="o">-</span><span class="mi">1</span> <span class="n">HMAC</span><span class="p">)</span> + <span class="mi">3</span> <span class="mi">12</span><span class="o">/</span><span class="mi">12</span><span class="o">/</span><span class="mi">12</span> <span class="mi">15</span><span class="p">:</span><span class="mi">31</span><span class="p">:</span><span class="mi">19</span> <span class="n">host</span><span class="o">/</span><span class="n">dr</span><span class="o">-</span><span class="n">willy</span><span class="o">.</span><span class="n">xvm</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span><span class="nd">@ZONE</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="p">(</span><span class="n">Triple</span> <span class="n">DES</span> <span class="n">cbc</span> <span class="n">mode</span> <span class="k">with</span> <span class="n">HMAC</span><span class="o">/</span><span 
class="n">sha1</span><span class="p">)</span> + <span class="mi">3</span> <span class="mi">12</span><span class="o">/</span><span class="mi">12</span><span class="o">/</span><span class="mi">12</span> <span class="mi">15</span><span class="p">:</span><span class="mi">31</span><span class="p">:</span><span class="mi">19</span> <span class="n">host</span><span class="o">/</span><span class="n">dr</span><span class="o">-</span><span class="n">willy</span><span class="o">.</span><span class="n">xvm</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span><span class="nd">@ZONE</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="p">(</span><span class="n">DES</span> <span class="n">cbc</span> <span class="n">mode</span> <span class="k">with</span> <span class="n">CRC</span><span class="o">-</span><span class="mi">32</span><span class="p">)</span> +<span class="n">root</span><span class="nd">@dr</span><span class="o">-</span><span class="n">willy</span><span class="p">:</span><span class="o">~</span><span class="c1"># k5srvutil delold</span> +<span class="n">Authenticating</span> <span class="k">as</span> <span class="n">principal</span> <span class="n">host</span><span class="o">/</span><span class="n">dr</span><span class="o">-</span><span class="n">willy</span><span class="o">.</span><span class="n">xvm</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span><span class="nd">@ZONE</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="k">with</span> <span class="n">keytab</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">krb5</span><span class="o">.</span><span class="n">keytab</span><span class="o">.</span> +<span class="n">Entry</span> <span class="k">for</span> <span 
class="n">principal</span> <span class="n">host</span><span class="o">/</span><span class="n">dr</span><span class="o">-</span><span class="n">willy</span><span class="o">.</span><span class="n">xvm</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span><span class="nd">@ZONE</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">2</span> <span class="n">removed</span> <span class="kn">from</span> <span class="nn">keytab</span> <span class="n">WRFILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">krb5</span><span class="o">.</span><span class="n">keytab</span><span class="o">.</span> </pre></div> </div> <p>When a single service principal is shared by multiple backend servers in 
@@ -342,40 +344,40 @@ is enabled on the KDC. Setting the <strong>+requires_preauth</strong> flag on a principal forces this attack to be an online attack, much slower than the offline attack otherwise available to the attacker. However, setting this flag on a service principal is not always advisable; see the entry in -<a class="reference internal" href="../admin_commands/kadmin_local.html#add-principal"><em>add_principal</em></a> for details.</p> +<a class="reference internal" href="../admin_commands/kadmin_local.html#add-principal"><span class="std std-ref">add_principal</span></a> for details.</p> </div> <p>The following KDC configuration will not generate DES keys by default:</p> -<div class="highlight-python"><div class="highlight"><pre>[realms] - ZONE.MIT.EDU = { - supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal des3-hmac-sha1:normal +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">realms</span><span class="p">]</span> + <span class="n">ZONE</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="o">=</span> <span class="p">{</span> + <span class="n">supported_enctypes</span> <span class="o">=</span> <span class="n">aes256</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span><span class="p">:</span><span class="n">normal</span> <span class="n">aes128</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span><span class="p">:</span><span class="n">normal</span> <span class="n">des3</span><span class="o">-</span><span class="n">cbc</span><span class="o">-</span><span 
class="n">sha1</span><span class="p">:</span><span class="n">normal</span> <span class="n">des3</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="p">:</span><span class="n">normal</span> </pre></div> </div> <div class="admonition note"> <p class="first admonition-title">Note</p> <p class="last">As before, the KDC process must be restarted for this change to take effect. It is best practice to update kdc.conf on all KDCs, not just the -master, to avoid unpleasant surprises should the master fail and a slave -need to be promoted.</p> +primary, to avoid unpleasant surprises should the primary fail and a +replica need to be promoted.</p> </div> <p>It is now appropriate to remove the legacy single-DES key from the -<tt class="docutils literal"><span class="pre">krbtgt/REALM</span></tt> entry:</p> -<div class="highlight-python"><div class="highlight"><pre>[root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q "cpw -randkey -keepold \ -> krbtgt/ZONE.MIT.EDU" -Authenticating as principal host/admin@ATHENA.MIT.EDU with password. -Key for "krbtgt/ZONE.MIT.EDU@ZONE.MIT.EDU" randomized. 
+<code class="docutils literal"><span class="pre">krbtgt/REALM</span></code> entry:</p> +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">root</span><span class="nd">@casio</span> <span class="n">krb5kdc</span><span class="p">]</span><span class="c1"># kadmin.local -r ZONE.MIT.EDU -q "cpw -randkey -keepold \</span> +<span class="o">></span> <span class="n">krbtgt</span><span class="o">/</span><span class="n">ZONE</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span><span class="s2">"</span> +<span class="n">Authenticating</span> <span class="k">as</span> <span class="n">principal</span> <span class="n">host</span><span class="o">/</span><span class="n">admin</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="k">with</span> <span class="n">password</span><span class="o">.</span> +<span class="n">Key</span> <span class="k">for</span> <span class="s2">"krbtgt/ZONE.MIT.EDU@ZONE.MIT.EDU"</span> <span class="n">randomized</span><span class="o">.</span> </pre></div> </div> <p>After the maximum ticket lifetime has passed, the old database entry should be removed.</p> -<div class="highlight-python"><div class="highlight"><pre>[root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q 'purgekeys krbtgt/ZONE.MIT.EDU' -Authenticating as principal root/admin@ZONE.MIT.EDU with password. -Old keys for principal "krbtgt/ZONE.MIT.EDU@ZONE.MIT.EDU" purged. 
+<div class="highlight-default"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">root</span><span class="nd">@casio</span> <span class="n">krb5kdc</span><span class="p">]</span><span class="c1"># kadmin.local -r ZONE.MIT.EDU -q 'purgekeys krbtgt/ZONE.MIT.EDU'</span> +<span class="n">Authenticating</span> <span class="k">as</span> <span class="n">principal</span> <span class="n">root</span><span class="o">/</span><span class="n">admin</span><span class="nd">@ZONE</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="k">with</span> <span class="n">password</span><span class="o">.</span> +<span class="n">Old</span> <span class="n">keys</span> <span class="k">for</span> <span class="n">principal</span> <span class="s2">"krbtgt/ZONE.MIT.EDU@ZONE.MIT.EDU"</span> <span class="n">purged</span><span class="o">.</span> </pre></div> </div> <p>After the KDC is restarted with the new <strong>supported_enctypes</strong>, all user password changes and application keytab updates will not generate DES keys by default.</p> -<div class="highlight-python"><div class="highlight"><pre>contents-vnder-pressvre:~> kpasswd zonetest@ZONE.MIT.EDU +<div class="highlight-default"><div class="highlight"><pre><span></span>contents-vnder-pressvre:~> kpasswd zonetest@ZONE.MIT.EDU Password for zonetest@ZONE.MIT.EDU: [enter old password] Enter new password: [enter new password] Enter it again: [enter new password] 
@@ -398,7 +400,7 @@ Entry for principal kaduk@ZONE.MIT.EDU with kvno 3, encryption type des3-cbc-sha </div> <p>Once all principals have been re-keyed, DES support can be disabled on the KDC (<strong>allow_weak_crypto = false</strong>), and client machines can remove -<strong>allow_weak_crypto = true</strong> from their <a class="reference internal" href="../conf_files/krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a> configuration +<strong>allow_weak_crypto = true</strong> from their <a class="reference internal" href="../conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a> configuration files, completing the migration. <strong>allow_weak_crypto</strong> takes precedence over all places where DES enctypes could be explicitly configured. DES keys will not be used, even if they are present, when <strong>allow_weak_crypto = false</strong>.</p> @@ -408,7 +410,7 @@ not be used, even if they are present, when <strong>allow_weak_crypto = false</s <p>If there remain legacy services which do not support non-DES enctypes (such as older versions of AFS), <strong>allow_weak_crypto</strong> must remain enabled on the KDC. Client machines need not have this setting, -though—applications which require DES can use API calls to allow +though—applications which require DES can use API calls to allow weak crypto on a per-request basis, overriding the system krb5.conf. However, having <strong>allow_weak_crypto</strong> set on the KDC means that any principals which have a DES key in the database could still use those 
@@ -426,17 +428,17 @@ user to contact the helpdesk for access.</p> </div> <div class="section" id="the-database-master-key"> <h2>The Database Master Key<a class="headerlink" href="#the-database-master-key" title="Permalink to this headline">¶</a></h2> -<p>This procedure does not alter <tt class="docutils literal"><span class="pre">K/M@REALM</span></tt>, the key used to encrypt key +<p>This procedure does not alter <code class="docutils literal"><span class="pre">K/M@REALM</span></code>, the key used to encrypt key material in the Kerberos database. (This is the key stored in the stash file on the KDC if stash files are used.) However, the security risk of -a single-DES key for <tt class="docutils literal"><span class="pre">K/M</span></tt> is minimal, given that access to material -encrypted in <tt class="docutils literal"><span class="pre">K/M</span></tt> (the Kerberos database) is generally tightly controlled. +a single-DES key for <code class="docutils literal"><span class="pre">K/M</span></code> is minimal, given that access to material +encrypted in <code class="docutils literal"><span class="pre">K/M</span></code> (the Kerberos database) is generally tightly controlled. If an attacker can gain access to the encrypted database, they likely have access to the stash file as well, rendering the weak cryptography -broken by non-cryptographic means. As such, upgrading <tt class="docutils literal"><span class="pre">K/M</span></tt> to a stronger +broken by non-cryptographic means. As such, upgrading <code class="docutils literal"><span class="pre">K/M</span></code> to a stronger encryption type is unlikely to be a high-priority task.</p> <p>Is is possible to upgrade the master key used for the database, if -desired. Using <a class="reference internal" href="../admin_commands/kdb5_util.html#kdb5-util-8"><em>kdb5_util</em></a>‘s <strong>add_mkey</strong>, <strong>use_mkey</strong>, and +desired. 
Using <a class="reference internal" href="../admin_commands/kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a>’s <strong>add_mkey</strong>, <strong>use_mkey</strong>, and <strong>update_princ_encryption</strong> commands, a new master key can be added and activated for use on new key material, and the existing entries converted to the new master key.</p> @@ -476,6 +478,7 @@ converted to the new master key.</p> <li class="toctree-l2"><a class="reference internal" href="../conf_files/index.html">Configuration Files</a></li> <li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li> <li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li> +<li class="toctree-l2"><a class="reference internal" href="../dbtypes.html">Database types</a></li> <li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li> <li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li> <li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li> 
@@ -483,6 +486,8 @@ converted to the new master key.</p> <li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li> <li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li> <li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li> +<li class="toctree-l2"><a class="reference internal" href="../spake.html">SPAKE Preauthentication</a></li> +<li class="toctree-l2"><a class="reference internal" href="../dictionary.html">Addressing dictionary attack risks</a></li> <li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li> <li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li> <li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li> @@ -492,8 +497,7 @@ converted to the new master key.</p> <li class="toctree-l2"><a class="reference internal" href="../env_variables.html">Environment variables</a></li> <li class="toctree-l2"><a class="reference internal" href="../troubleshoot.html">Troubleshooting</a></li> <li class="toctree-l2 current"><a class="reference internal" href="index.html">Advanced topics</a><ul class="current"> -<li class="toctree-l3"><a class="reference internal" href="ldapbackend.html">LDAP backend on Ubuntu 10.4 (lucid)</a></li> -<li class="toctree-l3 current"><a class="current reference internal" href="">Retiring DES</a></li> +<li class="toctree-l3 current"><a class="current reference internal" href="#">Retiring DES</a></li> </ul> </li> <li class="toctree-l2"><a class="reference internal" href="../various_envs.html">Various links</a></li> 
@@ -526,14 +530,14 @@ converted to the new master key.</p> <div class="footer-wrapper"> <div class="footer" > - <div class="right" ><i>Release: 1.16</i><br /> - © <a href="../../copyright.html">Copyright</a> 1985-2017, MIT. + <div class="right" ><i>Release: 1.21.1</i><br /> + © <a href="../../copyright.html">Copyright</a> 1985-2023, MIT. </div> <div class="left"> <a href="../../index.html" title="Full Table of Contents" >Contents</a> | - <a href="ldapbackend.html" title="LDAP backend on Ubuntu 10.4 (lucid)" + <a href="index.html" title="Advanced topics" >previous</a> | <a href="../various_envs.html" title="Various links" >next</a> | diff --git a/doc/html/admin/appl_servers.html b/doc/html/admin/appl_servers.html index 09dea1613c52..b67d84c522be 100644 --- a/doc/html/admin/appl_servers.html +++ b/doc/html/admin/appl_servers.html 
@@ -1,33 +1,31 @@ + <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> - <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> - - <title>Application servers — MIT Kerberos Documentation</title> - + <title>Application servers — MIT Kerberos Documentation</title> <link rel="stylesheet" href="../_static/agogo.css" type="text/css" /> <link rel="stylesheet" href="../_static/pygments.css" type="text/css" /> <link rel="stylesheet" href="../_static/kerb.css" type="text/css" /> - <script type="text/javascript"> var DOCUMENTATION_OPTIONS = { URL_ROOT: '../', - VERSION: '1.16', + VERSION: '1.21.1', COLLAPSE_INDEX: false, FILE_SUFFIX: '.html', - HAS_SOURCE: true + HAS_SOURCE: true, + SOURCELINK_SUFFIX: '.txt' }; </script> <script type="text/javascript" src="../_static/jquery.js"></script> <script type="text/javascript" src="../_static/underscore.js"></script> <script type="text/javascript" src="../_static/doctools.js"></script> <link rel="author" title="About these documents" href="../about.html" /> + <link rel="index" title="Index" href="../genindex.html" /> + <link rel="search" title="Search" href="../search.html" /> <link rel="copyright" title="Copyright" href="../copyright.html" /> - <link rel="top" title="MIT Kerberos Documentation" href="../index.html" /> - <link rel="up" title="For administrators" href="index.html" /> <link rel="next" title="Host configuration" href="host_config.html" /> <link rel="prev" title="Configuring Kerberos with OpenLDAP back-end" href="conf_ldap.html" /> </head> 
@@ -61,118 +59,80 @@ <div class="documentwrapper"> <div class="bodywrapper"> - <div class="body"> + <div class="body" role="main"> <div class="section" id="application-servers"> <h1>Application servers<a class="headerlink" href="#application-servers" title="Permalink to this headline">¶</a></h1> <p>If you need to install the Kerberos V5 programs on an application server, please refer to the Kerberos V5 Installation Guide. Once you have installed the software, you need to add that host to the Kerberos -database (see <a class="reference internal" href="database.html#add-mod-del-princs"><em>Adding, modifying and deleting principals</em></a>), and generate a keytab for -that host, that contains the host’s key. You also need to make sure -the host’s clock is within your maximum clock skew of the KDCs.</p> +database (see <a class="reference internal" href="database.html#principals"><span class="std std-ref">Principals</span></a>), and generate a keytab for that host, +that contains the host’s key. You also need to make sure the host’s +clock is within your maximum clock skew of the KDCs.</p> <div class="section" id="keytabs"> <h2>Keytabs<a class="headerlink" href="#keytabs" title="Permalink to this headline">¶</a></h2> -<p>A keytab is a host’s copy of its own keylist, which is analogous to a -user’s password. An application server that needs to authenticate +<p>A keytab is a host’s copy of its own keylist, which is analogous to a +user’s password. An application server that needs to authenticate itself to the KDC has to have a keytab that contains its own principal and key. Just as it is important for users to protect their passwords, it is equally important for hosts to protect their keytabs. You should always store keytab files on local disk, and make them readable only by root, and you should never send a keytab file over a -network in the clear. 
Ideally, you should run the <a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><em>kadmin</em></a> +network in the clear. Ideally, you should run the <a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> command to extract a keytab on the host on which the keytab is to reside.</p> <div class="section" id="adding-principals-to-keytabs"> <span id="add-princ-kt"></span><h3>Adding principals to keytabs<a class="headerlink" href="#adding-principals-to-keytabs" title="Permalink to this headline">¶</a></h3> <p>To generate a keytab, or to add a principal to an existing keytab, use -the <strong>ktadd</strong> command from kadmin.</p> -</div> -<div class="section" id="ktadd"> -<h3>ktadd<a class="headerlink" href="#ktadd" title="Permalink to this headline">¶</a></h3> -<blockquote> -<div><div class="line-block"> -<div class="line"><strong>ktadd</strong> [options] <em>principal</em></div> -<div class="line"><strong>ktadd</strong> [options] <strong>-glob</strong> <em>princ-exp</em></div> -</div> -</div></blockquote> -<p>Adds a <em>principal</em>, or all principals matching <em>princ-exp</em>, to a -keytab file. Each principal’s keys are randomized in the process. -The rules for <em>princ-exp</em> are described in the <strong>list_principals</strong> -command.</p> -<p>This command requires the <strong>inquire</strong> and <strong>changepw</strong> privileges. -With the <strong>-glob</strong> form, it also requires the <strong>list</strong> privilege.</p> -<p>The options are:</p> -<dl class="docutils"> -<dt><strong>-k[eytab]</strong> <em>keytab</em></dt> -<dd>Use <em>keytab</em> as the keytab file. Otherwise, the default keytab is -used.</dd> -<dt><strong>-e</strong> <em>enc</em>:<em>salt</em>,...</dt> -<dd>Uses the specified keysalt list for setting the new keys of the -principal. 
See <a class="reference internal" href="conf_files/kdc_conf.html#keysalt-lists"><em>Keysalt lists</em></a> in <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> for a -list of possible values.</dd> -<dt><strong>-q</strong></dt> -<dd>Display less verbose information.</dd> -<dt><strong>-norandkey</strong></dt> -<dd>Do not randomize the keys. The keys and their version numbers stay -unchanged. This option cannot be specified in combination with the -<strong>-e</strong> option.</dd> -</dl> -<p>An entry for each of the principal’s unique encryption types is added, -ignoring multiple keys with the same encryption type but different -salt types.</p> -<p>Example:</p> -<div class="highlight-python"><div class="highlight"><pre>kadmin: ktadd -k /tmp/foo-new-keytab host/foo.mit.edu -Entry for principal host/foo.mit.edu@ATHENA.MIT.EDU with kvno 3, - encryption type aes256-cts-hmac-sha1-96 added to keytab - FILE:/tmp/foo-new-keytab -kadmin: +the <strong>ktadd</strong> command from kadmin. 
Here is a sample session, using +configuration files that enable only AES encryption:</p> +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">ktadd</span> <span class="n">host</span><span class="o">/</span><span class="n">daffodil</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> +<span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">host</span><span class="o">/</span><span class="n">daffodil</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">2</span><span class="p">,</span> <span class="n">encryption</span> <span class="nb">type</span> <span class="n">aes256</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span> <span class="n">added</span> <span class="n">to</span> <span class="n">keytab</span> <span class="n">FILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">krb5</span><span class="o">.</span><span class="n">keytab</span> +<span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">host</span><span class="o">/</span><span class="n">daffodil</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">2</span><span class="p">,</span> <span class="n">encryption</span> <span class="nb">type</span> <span 
class="n">aes128</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span> <span class="n">added</span> <span class="n">to</span> <span class="n">keytab</span> <span class="n">FILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">krb5</span><span class="o">.</span><span class="n">keytab</span> </pre></div> </div> -<div class="section" id="examples"> -<h4>Examples<a class="headerlink" href="#examples" title="Permalink to this headline">¶</a></h4> -<p>Here is a sample session, using configuration files that enable only -AES encryption:</p> -<div class="highlight-python"><div class="highlight"><pre>kadmin: ktadd host/daffodil.mit.edu@ATHENA.MIT.EDU -Entry for principal host/daffodil.mit.edu with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab -Entry for principal host/daffodil.mit.edu with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab -kadmin: -</pre></div> -</div> -</div> </div> <div class="section" id="removing-principals-from-keytabs"> <h3>Removing principals from keytabs<a class="headerlink" href="#removing-principals-from-keytabs" title="Permalink to this headline">¶</a></h3> <p>To remove a principal from an existing keytab, use the kadmin -<strong>ktremove</strong> command.</p> -</div> -<div class="section" id="ktremove"> -<h3>ktremove<a class="headerlink" href="#ktremove" title="Permalink to this headline">¶</a></h3> -<blockquote> -<div><strong>ktremove</strong> [options] <em>principal</em> [<em>kvno</em> | <em>all</em> | <em>old</em>]</div></blockquote> -<p>Removes entries for the specified <em>principal</em> from a keytab. 
Requires -no permissions, since this does not require database access.</p> -<p>If the string “all” is specified, all entries for that principal are -removed; if the string “old” is specified, all entries for that -principal except those with the highest kvno are removed. Otherwise, -the value specified is parsed as an integer, and all entries whose -kvno match that integer are removed.</p> -<p>The options are:</p> -<dl class="docutils"> -<dt><strong>-k[eytab]</strong> <em>keytab</em></dt> -<dd>Use <em>keytab</em> as the keytab file. Otherwise, the default keytab is -used.</dd> -<dt><strong>-q</strong></dt> -<dd>Display less verbose information.</dd> -</dl> -<p>Example:</p> -<div class="highlight-python"><div class="highlight"><pre>kadmin: ktremove kadmin/admin all -Entry for principal kadmin/admin with kvno 3 removed from keytab - FILE:/etc/krb5.keytab -kadmin: +<strong>ktremove</strong> command:</p> +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">ktremove</span> <span class="n">host</span><span class="o">/</span><span class="n">daffodil</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> +<span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">host</span><span class="o">/</span><span class="n">daffodil</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">2</span> <span class="n">removed</span> <span class="kn">from</span> <span class="nn">keytab</span> <span class="n">FILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">krb5</span><span 
class="o">.</span><span class="n">keytab</span><span class="o">.</span> +<span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">host</span><span class="o">/</span><span class="n">daffodil</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">2</span> <span class="n">removed</span> <span class="kn">from</span> <span class="nn">keytab</span> <span class="n">FILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">krb5</span><span class="o">.</span><span class="n">keytab</span><span class="o">.</span> </pre></div> </div> </div> +<div class="section" id="using-a-keytab-to-acquire-client-credentials"> +<h3>Using a keytab to acquire client credentials<a class="headerlink" href="#using-a-keytab-to-acquire-client-credentials" title="Permalink to this headline">¶</a></h3> +<p>While keytabs are ordinarily used to accept credentials from clients, +they can also be used to acquire initial credentials, allowing one +service to authenticate to another.</p> +<p>To manually obtain credentials using a keytab, use the <a class="reference internal" href="../user/user_commands/kinit.html#kinit-1"><span class="std std-ref">kinit</span></a> +<strong>-k</strong> option, together with the <strong>-t</strong> option if the keytab is not in +the default location.</p> +<p>Beginning with release 1.11, GSSAPI applications can be configured to +automatically obtain initial credentials from a keytab as needed. The +recommended configuration is as follows:</p> +<ol class="arabic simple"> +<li>Create a keytab containing a single entry for the desired client +identity.</li> +<li>Place the keytab in a location readable by the service, and set the +<strong>KRB5_CLIENT_KTNAME</strong> environment variable to its filename. 
+Alternatively, use the <strong>default_client_keytab_name</strong> profile +variable in <a class="reference internal" href="conf_files/krb5_conf.html#libdefaults"><span class="std std-ref">[libdefaults]</span></a>, or use the default location of +<a class="reference internal" href="../mitK5defaults.html#paths"><span class="std std-ref">DEFCKTNAME</span></a>.</li> +<li>Set <strong>KRB5CCNAME</strong> to a filename writable by the service, which +will not be used for any other purpose. Do not manually obtain +credentials at this location. (Another credential cache type +besides <strong>FILE</strong> can be used if desired, as long the cache will not +conflict with another use. A <strong>MEMORY</strong> cache can be used if the +service runs as a long-lived process. See <a class="reference internal" href="../basic/ccache_def.html#ccache-definition"><span class="std std-ref">Credential cache</span></a> +for details.)</li> +<li>Start the service. When it authenticates using GSSAPI, it will +automatically obtain credentials from the client keytab into the +specified credential cache, and refresh them before they expire.</li> +</ol> +</div> </div> <div class="section" id="clock-skew"> <h2>Clock Skew<a class="headerlink" href="#clock-skew" title="Permalink to this headline">¶</a></h2> 
@@ -183,58 +143,57 @@ make sure it is enabled. This is especially important on virtual machines, where clocks tend to drift more rapidly than normal machine clocks.</p> <p>The default allowable clock skew is controlled by the <strong>clockskew</strong> -variable in <a class="reference internal" href="conf_files/krb5_conf.html#libdefaults"><em>[libdefaults]</em></a>.</p> +variable in <a class="reference internal" href="conf_files/krb5_conf.html#libdefaults"><span class="std std-ref">[libdefaults]</span></a>.</p> </div> <div class="section" id="getting-dns-information-correct"> <h2>Getting DNS information correct<a class="headerlink" href="#getting-dns-information-correct" title="Permalink to this headline">¶</a></h2> <p>Several aspects of Kerberos rely on name service. When a hostname is -used to name a service, the Kerberos library canonicalizes the -hostname using forward and reverse name resolution. (The reverse name -resolution step can be turned off using the <strong>rdns</strong> variable in -<a class="reference internal" href="conf_files/krb5_conf.html#libdefaults"><em>[libdefaults]</em></a>.) The result of this canonicalization must match -the principal entry in the host’s keytab, or authentication will fail.</p> -<p>Each host’s canonical name must be the fully-qualified host name -(including the domain), and each host’s IP address must +used to name a service, clients may canonicalize the hostname using +forward and possibly reverse name resolution. The result of this +canonicalization must match the principal entry in the host’s keytab, +or authentication will fail. To work with all client canonicalization +configurations, each host’s canonical name must be the fully-qualified +host name (including the domain), and each host’s IP address must reverse-resolve to the canonical name.</p> <p>Configuration of hostnames varies by operating system. 
On the application server itself, canonicalization will typically use the -<tt class="docutils literal"><span class="pre">/etc/hosts</span></tt> file rather than the DNS. Ensure that the line for the -server’s hostname is in the following form:</p> -<div class="highlight-python"><div class="highlight"><pre>IP address fully-qualified hostname aliases +<code class="docutils literal"><span class="pre">/etc/hosts</span></code> file rather than the DNS. Ensure that the line for the +server’s hostname is in the following form:</p> +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">IP</span> <span class="n">address</span> <span class="n">fully</span><span class="o">-</span><span class="n">qualified</span> <span class="n">hostname</span> <span class="n">aliases</span> </pre></div> </div> -<p>Here is a sample <tt class="docutils literal"><span class="pre">/etc/hosts</span></tt> file:</p> -<div class="highlight-python"><div class="highlight"><pre># this is a comment -127.0.0.1 localhost localhost.mit.edu -10.0.0.6 daffodil.mit.edu daffodil trillium wake-robin +<p>Here is a sample <code class="docutils literal"><span class="pre">/etc/hosts</span></code> file:</p> +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="c1"># this is a comment</span> +<span class="mf">127.0</span><span class="o">.</span><span class="mf">0.1</span> <span class="n">localhost</span> <span class="n">localhost</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> +<span class="mf">10.0</span><span class="o">.</span><span class="mf">0.6</span> <span class="n">daffodil</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> <span class="n">daffodil</span> <span class="n">trillium</span> <span class="n">wake</span><span class="o">-</span><span class="n">robin</span> </pre></div> </div> -<p>The output of <tt class="docutils 
literal"><span class="pre">klist</span> <span class="pre">-k</span></tt> for this example host should look like:</p> -<div class="highlight-python"><div class="highlight"><pre>viola# klist -k -Keytab name: /etc/krb5.keytab -KVNO Principal ----- ------------------------------------------------------------ - 2 host/daffodil.mit.edu@ATHENA.MIT.EDU +<p>The output of <code class="docutils literal"><span class="pre">klist</span> <span class="pre">-k</span></code> for this example host should look like:</p> +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">viola</span><span class="c1"># klist -k</span> +<span class="n">Keytab</span> <span class="n">name</span><span class="p">:</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">krb5</span><span class="o">.</span><span class="n">keytab</span> +<span class="n">KVNO</span> <span class="n">Principal</span> +<span class="o">----</span> <span class="o">------------------------------------------------------------</span> + <span class="mi">2</span> <span class="n">host</span><span class="o">/</span><span class="n">daffodil</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> </pre></div> </div> <p>If you were to ssh to this host with a fresh credentials cache (ticket -file), and then <a class="reference internal" href="../user/user_commands/klist.html#klist-1"><em>klist</em></a>, the output should list a service -principal of <tt class="docutils literal"><span class="pre">host/daffodil.mit.edu@ATHENA.MIT.EDU</span></tt>.</p> +file), and then <a class="reference internal" href="../user/user_commands/klist.html#klist-1"><span class="std std-ref">klist</span></a>, the output should list a service +principal of <code class="docutils literal"><span 
class="pre">host/daffodil.mit.edu@ATHENA.MIT.EDU</span></code>.</p> </div> <div class="section" id="configuring-your-firewall-to-work-with-kerberos-v5"> <span id="conf-firewall"></span><h2>Configuring your firewall to work with Kerberos V5<a class="headerlink" href="#configuring-your-firewall-to-work-with-kerberos-v5" title="Permalink to this headline">¶</a></h2> <p>If you need off-site users to be able to get Kerberos tickets in your realm, they must be able to get to your KDC. This requires either -that you have a slave KDC outside your firewall, or that you configure -your firewall to allow UDP requests into at least one of your KDCs, on -whichever port the KDC is running. (The default is port 88; other -ports may be specified in the KDC’s <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> file.) -Similarly, if you need off-site users to be able to change their -passwords in your realm, they must be able to get to your Kerberos -admin server on the kpasswd port (which defaults to 464). If you need -off-site users to be able to administer your Kerberos realm, they must -be able to get to your Kerberos admin server on the administrative -port (which defaults to 749).</p> +that you have a replica KDC outside your firewall, or that you +configure your firewall to allow UDP requests into at least one of +your KDCs, on whichever port the KDC is running. (The default is port +88; other ports may be specified in the KDC’s <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a> +file.) Similarly, if you need off-site users to be able to change +their passwords in your realm, they must be able to get to your +Kerberos admin server on the kpasswd port (which defaults to 464). 
If +you need off-site users to be able to administer your Kerberos realm, +they must be able to get to your Kerberos admin server on the +administrative port (which defaults to 749).</p> <p>If your on-site users inside your firewall will need to get to KDCs in other realms, you will also need to configure your firewall to allow outgoing TCP and UDP requests to port 88, and to port 464 to allow @@ -242,8 +201,8 @@ password changes. If your on-site users inside your firewall will need to get to Kerberos admin servers in other realms, you will also need to allow outgoing TCP and UDP requests to port 749.</p> <p>If any of your KDCs are outside your firewall, you will need to allow -kprop requests to get through to the remote KDC. <a class="reference internal" href="admin_commands/kprop.html#kprop-8"><em>kprop</em></a> uses -the <tt class="docutils literal"><span class="pre">krb5_prop</span></tt> service on port 754 (tcp).</p> +kprop requests to get through to the remote KDC. <a class="reference internal" href="admin_commands/kprop.html#kprop-8"><span class="std std-ref">kprop</span></a> uses +the <code class="docutils literal"><span class="pre">krb5_prop</span></code> service on port 754 (tcp).</p> <p>The book <em>UNIX System Security</em>, by David Curry, is a good starting point for learning to configure firewalls.</p> </div> 
@@ -260,12 +219,8 @@ point for learning to configure firewalls.</p> <li><a class="reference internal" href="#">Application servers</a><ul> <li><a class="reference internal" href="#keytabs">Keytabs</a><ul> <li><a class="reference internal" href="#adding-principals-to-keytabs">Adding principals to keytabs</a></li> -<li><a class="reference internal" href="#ktadd">ktadd</a><ul> -<li><a class="reference internal" href="#examples">Examples</a></li> -</ul> -</li> <li><a class="reference internal" href="#removing-principals-from-keytabs">Removing principals from keytabs</a></li> -<li><a class="reference internal" href="#ktremove">ktremove</a></li> +<li><a class="reference internal" href="#using-a-keytab-to-acquire-client-credentials">Using a keytab to acquire client credentials</a></li> </ul> </li> <li><a class="reference internal" href="#clock-skew">Clock Skew</a></li> 
@@ -284,15 +239,16 @@ point for learning to configure firewalls.</p> <li class="toctree-l2"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li> <li class="toctree-l2"><a class="reference internal" href="realm_config.html">Realm configuration decisions</a></li> <li class="toctree-l2"><a class="reference internal" href="database.html">Database administration</a></li> +<li class="toctree-l2"><a class="reference internal" href="dbtypes.html">Database types</a></li> <li class="toctree-l2"><a class="reference internal" href="lockout.html">Account lockout</a></li> <li class="toctree-l2"><a class="reference internal" href="conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li> -<li class="toctree-l2 current"><a class="current reference internal" href="">Application servers</a><ul class="simple"> -</ul> -</li> +<li class="toctree-l2 current"><a class="current reference internal" href="#">Application servers</a></li> <li class="toctree-l2"><a class="reference internal" href="host_config.html">Host configuration</a></li> <li class="toctree-l2"><a class="reference internal" href="backup_host.html">Backups of secure hosts</a></li> <li class="toctree-l2"><a class="reference internal" href="pkinit.html">PKINIT configuration</a></li> <li class="toctree-l2"><a class="reference internal" href="otp.html">OTP Preauthentication</a></li> +<li class="toctree-l2"><a class="reference internal" href="spake.html">SPAKE Preauthentication</a></li> +<li class="toctree-l2"><a class="reference internal" href="dictionary.html">Addressing dictionary attack risks</a></li> <li class="toctree-l2"><a class="reference internal" href="princ_dns.html">Principal names and DNS</a></li> <li class="toctree-l2"><a class="reference internal" href="enctypes.html">Encryption types</a></li> <li class="toctree-l2"><a class="reference internal" href="https.html">HTTPS proxy configuration</a></li> 
@@ -332,8 +288,8 @@ point for learning to configure firewalls.</p> <div class="footer-wrapper"> <div class="footer" > - <div class="right" ><i>Release: 1.16</i><br /> - © <a href="../copyright.html">Copyright</a> 1985-2017, MIT. + <div class="right" ><i>Release: 1.21.1</i><br /> + © <a href="../copyright.html">Copyright</a> 1985-2023, MIT. </div> <div class="left"> diff --git a/doc/html/admin/auth_indicator.html b/doc/html/admin/auth_indicator.html index 25f97cfe94b5..75d0ca84e200 100644 --- a/doc/html/admin/auth_indicator.html +++ b/doc/html/admin/auth_indicator.html 
@@ -1,33 +1,31 @@ + <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> - <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> - - <title>Authentication indicators — MIT Kerberos Documentation</title> - + <title>Authentication indicators — MIT Kerberos Documentation</title> <link rel="stylesheet" href="../_static/agogo.css" type="text/css" /> <link rel="stylesheet" href="../_static/pygments.css" type="text/css" /> <link rel="stylesheet" href="../_static/kerb.css" type="text/css" /> - <script type="text/javascript"> var DOCUMENTATION_OPTIONS = { URL_ROOT: '../', - VERSION: '1.16', + VERSION: '1.21.1', COLLAPSE_INDEX: false, FILE_SUFFIX: '.html', - HAS_SOURCE: true + HAS_SOURCE: true, + SOURCELINK_SUFFIX: '.txt' }; </script> <script type="text/javascript" src="../_static/jquery.js"></script> <script type="text/javascript" src="../_static/underscore.js"></script> <script type="text/javascript" src="../_static/doctools.js"></script> <link rel="author" title="About these documents" href="../about.html" /> + <link rel="index" title="Index" href="../genindex.html" /> + <link rel="search" title="Search" href="../search.html" /> <link rel="copyright" title="Copyright" href="../copyright.html" /> - <link rel="top" title="MIT Kerberos Documentation" href="../index.html" /> - <link rel="up" title="For administrators" href="index.html" /> <link rel="next" title="Administration programs" href="admin_commands/index.html" /> <link rel="prev" title="HTTPS proxy configuration" href="https.html" /> </head> 
@@ -61,14 +59,14 @@ <div class="documentwrapper"> <div class="bodywrapper"> - <div class="body"> + <div class="body" role="main"> <div class="section" id="authentication-indicators"> <span id="auth-indicator"></span><h1>Authentication indicators<a class="headerlink" href="#authentication-indicators" title="Permalink to this headline">¶</a></h1> <p>As of release 1.14, the KDC can be configured to annotate tickets if the client authenticated using a stronger preauthentication mechanism -such as <a class="reference internal" href="pkinit.html#pkinit"><em>PKINIT</em></a> or <a class="reference internal" href="otp.html#otp-preauth"><em>OTP</em></a>. These -annotations are called “authentication indicators.” Service +such as <a class="reference internal" href="pkinit.html#pkinit"><span class="std std-ref">PKINIT</span></a> or <a class="reference internal" href="otp.html#otp-preauth"><span class="std std-ref">OTP</span></a>. These +annotations are called “authentication indicators.” Service principals can be configured to require particular authentication indicators in order to authenticate to that service. An authentication indicator value can be any string chosen by the KDC 
@@ -76,35 +74,35 @@ administrator; there are no pre-set values.</p> <p>To use authentication indicators with PKINIT or OTP, first configure the KDC to include an indicator when that preauthentication mechanism is used. For PKINIT, use the <strong>pkinit_indicator</strong> variable in -<a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>. For OTP, use the <strong>indicator</strong> variable in the +<a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>. For OTP, use the <strong>indicator</strong> variable in the token type definition, or specify the indicators in the <strong>otp</strong> user -string as described in <a class="reference internal" href="otp.html#otp-preauth"><em>OTP Preauthentication</em></a>.</p> +string as described in <a class="reference internal" href="otp.html#otp-preauth"><span class="std std-ref">OTP Preauthentication</span></a>.</p> <p>To require an indicator to be present in order to authenticate to a service principal, set the <strong>require_auth</strong> string attribute on the principal to the indicator value to be required. 
If you wish to allow one of several indicators to be accepted, you can specify multiple indicator values separated by spaces.</p> <p>For example, a realm could be configured to set the authentication -indicator value “strong” when PKINIT is used to authenticate, using a -setting in the <a class="reference internal" href="conf_files/kdc_conf.html#kdc-realms"><em>[realms]</em></a> subsection:</p> -<div class="highlight-python"><div class="highlight"><pre><span class="n">pkinit_indicator</span> <span class="o">=</span> <span class="n">strong</span> +indicator value “strong” when PKINIT is used to authenticate, using a +setting in the <a class="reference internal" href="conf_files/kdc_conf.html#kdc-realms"><span class="std std-ref">[realms]</span></a> subsection:</p> +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">pkinit_indicator</span> <span class="o">=</span> <span class="n">strong</span> </pre></div> </div> -<p>A service principal could be configured to require the “strong” +<p>A service principal could be configured to require the “strong” authentication indicator value:</p> -<div class="highlight-python"><div class="highlight"><pre>$ kadmin setstr host/high.value.server require_auth strong +<div class="highlight-default"><div class="highlight"><pre><span></span>$ kadmin setstr host/high.value.server require_auth strong Password for user/admin@KRBTEST.COM: </pre></div> </div> <p>A user who authenticates with PKINIT would be able to obtain a ticket for the service principal:</p> -<div class="highlight-python"><div class="highlight"><pre>$ kinit -X X509_user_identity=FILE:/my/cert.pem,/my/key.pem user +<div class="highlight-default"><div class="highlight"><pre><span></span>$ kinit -X X509_user_identity=FILE:/my/cert.pem,/my/key.pem user $ kvno host/high.value.server host/high.value.server@KRBTEST.COM: kvno = 1 </pre></div> </div> <p>but a user who authenticates with a password would not:</p> -<div 
class="highlight-python"><div class="highlight"><pre>$ kinit user +<div class="highlight-default"><div class="highlight"><pre><span></span>$ kinit user Password for user@KRBTEST.COM: $ kvno host/high.value.server kvno: KDC policy rejects request while getting credentials for @@ -112,7 +110,7 @@ kvno: KDC policy rejects request while getting credentials for </pre></div> </div> <p>GSSAPI server applications can inspect authentication indicators -through the <a class="reference internal" href="../appdev/gssapi.html#gssapi-authind-attr"><em>auth-indicators</em></a> name +through the <a class="reference internal" href="../appdev/gssapi.html#gssapi-authind-attr"><span class="std std-ref">auth-indicators</span></a> name attribute.</p> </div> @@ -136,6 +134,7 @@ attribute.</p> <li class="toctree-l2"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li> <li class="toctree-l2"><a class="reference internal" href="realm_config.html">Realm configuration decisions</a></li> <li class="toctree-l2"><a class="reference internal" href="database.html">Database administration</a></li> +<li class="toctree-l2"><a class="reference internal" href="dbtypes.html">Database types</a></li> <li class="toctree-l2"><a class="reference internal" href="lockout.html">Account lockout</a></li> <li class="toctree-l2"><a class="reference internal" href="conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li> <li class="toctree-l2"><a class="reference internal" href="appl_servers.html">Application servers</a></li> 
@@ -143,10 +142,12 @@ attribute.</p> <li class="toctree-l2"><a class="reference internal" href="backup_host.html">Backups of secure hosts</a></li> <li class="toctree-l2"><a class="reference internal" href="pkinit.html">PKINIT configuration</a></li> <li class="toctree-l2"><a class="reference internal" href="otp.html">OTP Preauthentication</a></li> +<li class="toctree-l2"><a class="reference internal" href="spake.html">SPAKE Preauthentication</a></li> +<li class="toctree-l2"><a class="reference internal" href="dictionary.html">Addressing dictionary attack risks</a></li> <li class="toctree-l2"><a class="reference internal" href="princ_dns.html">Principal names and DNS</a></li> <li class="toctree-l2"><a class="reference internal" href="enctypes.html">Encryption types</a></li> <li class="toctree-l2"><a class="reference internal" href="https.html">HTTPS proxy configuration</a></li> -<li class="toctree-l2 current"><a class="current reference internal" href="">Authentication indicators</a></li> +<li class="toctree-l2 current"><a class="current reference internal" href="#">Authentication indicators</a></li> <li class="toctree-l2"><a class="reference internal" href="admin_commands/index.html">Administration programs</a></li> <li class="toctree-l2"><a class="reference internal" href="../mitK5defaults.html">MIT Kerberos defaults</a></li> <li class="toctree-l2"><a class="reference internal" href="env_variables.html">Environment variables</a></li> @@ -182,8 +183,8 @@ attribute.</p> <div class="footer-wrapper"> <div class="footer" > - <div class="right" ><i>Release: 1.16</i><br /> - © <a href="../copyright.html">Copyright</a> 1985-2017, MIT. + <div class="right" ><i>Release: 1.21.1</i><br /> + © <a href="../copyright.html">Copyright</a> 1985-2023, MIT. </div> <div class="left"> diff --git a/doc/html/admin/backup_host.html b/doc/html/admin/backup_host.html index 9e005ec8557a..73e959e4bc57 100644 --- a/doc/html/admin/backup_host.html +++ b/doc/html/admin/backup_host.html 
@@ -1,33 +1,31 @@ + <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> - <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> - - <title>Backups of secure hosts — MIT Kerberos Documentation</title> - + <title>Backups of secure hosts — MIT Kerberos Documentation</title> <link rel="stylesheet" href="../_static/agogo.css" type="text/css" /> <link rel="stylesheet" href="../_static/pygments.css" type="text/css" /> <link rel="stylesheet" href="../_static/kerb.css" type="text/css" /> - <script type="text/javascript"> var DOCUMENTATION_OPTIONS = { URL_ROOT: '../', - VERSION: '1.16', + VERSION: '1.21.1', COLLAPSE_INDEX: false, FILE_SUFFIX: '.html', - HAS_SOURCE: true + HAS_SOURCE: true, + SOURCELINK_SUFFIX: '.txt' }; </script> <script type="text/javascript" src="../_static/jquery.js"></script> <script type="text/javascript" src="../_static/underscore.js"></script> <script type="text/javascript" src="../_static/doctools.js"></script> <link rel="author" title="About these documents" href="../about.html" /> + <link rel="index" title="Index" href="../genindex.html" /> + <link rel="search" title="Search" href="../search.html" /> <link rel="copyright" title="Copyright" href="../copyright.html" /> - <link rel="top" title="MIT Kerberos Documentation" href="../index.html" /> - <link rel="up" title="For administrators" href="index.html" /> <link rel="next" title="PKINIT configuration" href="pkinit.html" /> <link rel="prev" title="Host configuration" href="host_config.html" /> </head> 
@@ -61,38 +59,38 @@ <div class="documentwrapper"> <div class="bodywrapper"> - <div class="body"> + <div class="body" role="main"> <div class="section" id="backups-of-secure-hosts"> <h1>Backups of secure hosts<a class="headerlink" href="#backups-of-secure-hosts" title="Permalink to this headline">¶</a></h1> -<p>When you back up a secure host, you should exclude the host’s keytab +<p>When you back up a secure host, you should exclude the host’s keytab file from the backup. If someone obtained a copy of the keytab from a backup, that person could make any host masquerade as the host whose keytab was compromised. In many configurations, knowledge of the -host’s keytab also allows root access to the host. This could be +host’s keytab also allows root access to the host. This could be particularly dangerous if the compromised keytab was from one of your KDCs. If the machine has a disk crash and the keytab file is lost, it -is easy to generate another keytab file. (See <a class="reference internal" href="appl_servers.html#add-princ-kt"><em>Adding principals to keytabs</em></a>.) +is easy to generate another keytab file. (See <a class="reference internal" href="appl_servers.html#add-princ-kt"><span class="std std-ref">Adding principals to keytabs</span></a>.) If you are unable to exclude particular files from backups, you should -ensure that the backups are kept as secure as the host’s root +ensure that the backups are kept as secure as the host’s root password.</p> <div class="section" id="backing-up-the-kerberos-database"> <h2>Backing up the Kerberos database<a class="headerlink" href="#backing-up-the-kerberos-database" title="Permalink to this headline">¶</a></h2> <p>As with any file, it is possible that your Kerberos database could -become corrupted. If this happens on one of the slave KDCs, you might -never notice, since the next automatic propagation of the database -would install a fresh copy. 
However, if it happens to the master KDC, -the corrupted database would be propagated to all of the slaves during -the next propagation. For this reason, MIT recommends that you back -up your Kerberos database regularly. Because the master KDC is -continuously dumping the database to a file in order to propagate it -to the slave KDCs, it is a simple matter to have a cron job -periodically copy the dump file to a secure machine elsewhere on your -network. (Of course, it is important to make the host where these -backups are stored as secure as your KDCs, and to encrypt its +become corrupted. If this happens on one of the replica KDCs, you +might never notice, since the next automatic propagation of the +database would install a fresh copy. However, if it happens to the +primary KDC, the corrupted database would be propagated to all of the +replicas during the next propagation. For this reason, MIT recommends +that you back up your Kerberos database regularly. Because the primary +KDC is continuously dumping the database to a file in order to +propagate it to the replica KDCs, it is a simple matter to have a cron +job periodically copy the dump file to a secure machine elsewhere on +your network. (Of course, it is important to make the host where +these backups are stored as secure as your KDCs, and to encrypt its transmission across your network.) Then if your database becomes -corrupted, you can load the most recent dump onto the master KDC. -(See <a class="reference internal" href="database.html#restore-from-dump"><em>Restoring a Kerberos database from a dump file</em></a>.)</p> +corrupted, you can load the most recent dump onto the primary KDC. +(See <a class="reference internal" href="database.html#restore-from-dump"><span class="std std-ref">Dumping and loading a Kerberos database</span></a>.)</p> </div> </div> 
@@ -119,15 +117,16 @@ corrupted, you can load the most recent dump onto the master KDC. <li class="toctree-l2"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li> <li class="toctree-l2"><a class="reference internal" href="realm_config.html">Realm configuration decisions</a></li> <li class="toctree-l2"><a class="reference internal" href="database.html">Database administration</a></li> +<li class="toctree-l2"><a class="reference internal" href="dbtypes.html">Database types</a></li> <li class="toctree-l2"><a class="reference internal" href="lockout.html">Account lockout</a></li> <li class="toctree-l2"><a class="reference internal" href="conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li> <li class="toctree-l2"><a class="reference internal" href="appl_servers.html">Application servers</a></li> <li class="toctree-l2"><a class="reference internal" href="host_config.html">Host configuration</a></li> -<li class="toctree-l2 current"><a class="current reference internal" href="">Backups of secure hosts</a><ul class="simple"> -</ul> -</li> +<li class="toctree-l2 current"><a class="current reference internal" href="#">Backups of secure hosts</a></li> <li class="toctree-l2"><a class="reference internal" href="pkinit.html">PKINIT configuration</a></li> <li class="toctree-l2"><a class="reference internal" href="otp.html">OTP Preauthentication</a></li> +<li class="toctree-l2"><a class="reference internal" href="spake.html">SPAKE Preauthentication</a></li> +<li class="toctree-l2"><a class="reference internal" href="dictionary.html">Addressing dictionary attack risks</a></li> <li class="toctree-l2"><a class="reference internal" href="princ_dns.html">Principal names and DNS</a></li> <li class="toctree-l2"><a class="reference internal" href="enctypes.html">Encryption types</a></li> <li class="toctree-l2"><a class="reference internal" href="https.html">HTTPS proxy configuration</a></li> 
@@ -167,8 +166,8 @@ corrupted, you can load the most recent dump onto the master KDC. <div class="footer-wrapper"> <div class="footer" > - <div class="right" ><i>Release: 1.16</i><br /> - © <a href="../copyright.html">Copyright</a> 1985-2017, MIT. + <div class="right" ><i>Release: 1.21.1</i><br /> + © <a href="../copyright.html">Copyright</a> 1985-2023, MIT. </div> <div class="left"> diff --git a/doc/html/admin/conf_files/index.html b/doc/html/admin/conf_files/index.html index 2325611706ae..ed605afccf2c 100644 --- a/doc/html/admin/conf_files/index.html +++ b/doc/html/admin/conf_files/index.html 
@@ -1,33 +1,31 @@ + <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> - <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> - - <title>Configuration Files — MIT Kerberos Documentation</title> - + <title>Configuration Files — MIT Kerberos Documentation</title> <link rel="stylesheet" href="../../_static/agogo.css" type="text/css" /> <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" /> <link rel="stylesheet" href="../../_static/kerb.css" type="text/css" /> - <script type="text/javascript"> var DOCUMENTATION_OPTIONS = { URL_ROOT: '../../', - VERSION: '1.16', + VERSION: '1.21.1', COLLAPSE_INDEX: false, FILE_SUFFIX: '.html', - HAS_SOURCE: true + HAS_SOURCE: true, + SOURCELINK_SUFFIX: '.txt' }; </script> <script type="text/javascript" src="../../_static/jquery.js"></script> <script type="text/javascript" src="../../_static/underscore.js"></script> <script type="text/javascript" src="../../_static/doctools.js"></script> <link rel="author" title="About these documents" href="../../about.html" /> + <link rel="index" title="Index" href="../../genindex.html" /> + <link rel="search" title="Search" href="../../search.html" /> <link rel="copyright" title="Copyright" href="../../copyright.html" /> - <link rel="top" title="MIT Kerberos Documentation" href="../../index.html" /> - <link rel="up" title="For administrators" href="../index.html" /> <link rel="next" title="krb5.conf" href="krb5_conf.html" /> <link rel="prev" title="UNIX Application Servers" href="../install_appl_srv.html" /> </head> 
@@ -61,16 +59,16 @@ <div class="documentwrapper"> <div class="bodywrapper"> - <div class="body"> + <div class="body" role="main"> <div class="section" id="configuration-files"> <h1>Configuration Files<a class="headerlink" href="#configuration-files" title="Permalink to this headline">¶</a></h1> <p>Kerberos uses configuration files to allow administrators to specify -settings on a per-machine basis. <a class="reference internal" href="krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a> applies to all +settings on a per-machine basis. <a class="reference internal" href="krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a> applies to all applications using the Kerboros library, on clients and servers. For KDC-specific applications, additional settings can be specified in -<a class="reference internal" href="kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>; the two files are merged into a configuration profile -used by applications accessing the KDC database directly. <a class="reference internal" href="kadm5_acl.html#kadm5-acl-5"><em>kadm5.acl</em></a> +<a class="reference internal" href="kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>; the two files are merged into a configuration profile +used by applications accessing the KDC database directly. <a class="reference internal" href="kadm5_acl.html#kadm5-acl-5"><span class="std std-ref">kadm5.acl</span></a> is also only used on the KDC, it controls permissions for modifying the KDC database.</p> <div class="section" id="contents"> 
@@ -105,7 +103,7 @@ KDC database.</p> <li class="toctree-l1"><a class="reference internal" href="../../user/index.html">For users</a></li> <li class="toctree-l1 current"><a class="reference internal" href="../index.html">For administrators</a><ul class="current"> <li class="toctree-l2"><a class="reference internal" href="../install.html">Installation guide</a></li> -<li class="toctree-l2 current"><a class="current reference internal" href="">Configuration Files</a><ul> +<li class="toctree-l2 current"><a class="current reference internal" href="#">Configuration Files</a><ul> <li class="toctree-l3"><a class="reference internal" href="krb5_conf.html">krb5.conf</a></li> <li class="toctree-l3"><a class="reference internal" href="kdc_conf.html">kdc.conf</a></li> <li class="toctree-l3"><a class="reference internal" href="kadm5_acl.html">kadm5.acl</a></li> @@ -113,6 +111,7 @@ KDC database.</p> </li> <li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li> <li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li> +<li class="toctree-l2"><a class="reference internal" href="../dbtypes.html">Database types</a></li> <li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li> <li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li> <li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li> 
@@ -120,6 +119,8 @@ KDC database.</p> <li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li> <li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li> <li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li> +<li class="toctree-l2"><a class="reference internal" href="../spake.html">SPAKE Preauthentication</a></li> +<li class="toctree-l2"><a class="reference internal" href="../dictionary.html">Addressing dictionary attack risks</a></li> <li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li> <li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li> <li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li> @@ -159,8 +160,8 @@ KDC database.</p> <div class="footer-wrapper"> <div class="footer" > - <div class="right" ><i>Release: 1.16</i><br /> - © <a href="../../copyright.html">Copyright</a> 1985-2017, MIT. + <div class="right" ><i>Release: 1.21.1</i><br /> + © <a href="../../copyright.html">Copyright</a> 1985-2023, MIT. </div> <div class="left"> diff --git a/doc/html/admin/conf_files/kadm5_acl.html b/doc/html/admin/conf_files/kadm5_acl.html index 05eab8bbae62..2436e7e23c49 100644 --- a/doc/html/admin/conf_files/kadm5_acl.html +++ b/doc/html/admin/conf_files/kadm5_acl.html 
@@ -1,33 +1,31 @@ + <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> - <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> - - <title>kadm5.acl — MIT Kerberos Documentation</title> - + <title>kadm5.acl — MIT Kerberos Documentation</title> <link rel="stylesheet" href="../../_static/agogo.css" type="text/css" /> <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" /> <link rel="stylesheet" href="../../_static/kerb.css" type="text/css" /> - <script type="text/javascript"> var DOCUMENTATION_OPTIONS = { URL_ROOT: '../../', - VERSION: '1.16', + VERSION: '1.21.1', COLLAPSE_INDEX: false, FILE_SUFFIX: '.html', - HAS_SOURCE: true + HAS_SOURCE: true, + SOURCELINK_SUFFIX: '.txt' }; </script> <script type="text/javascript" src="../../_static/jquery.js"></script> <script type="text/javascript" src="../../_static/underscore.js"></script> <script type="text/javascript" src="../../_static/doctools.js"></script> <link rel="author" title="About these documents" href="../../about.html" /> + <link rel="index" title="Index" href="../../genindex.html" /> + <link rel="search" title="Search" href="../../search.html" /> <link rel="copyright" title="Copyright" href="../../copyright.html" /> - <link rel="top" title="MIT Kerberos Documentation" href="../../index.html" /> - <link rel="up" title="Configuration Files" href="index.html" /> <link rel="next" title="Realm configuration decisions" href="../realm_config.html" /> <link rel="prev" title="kdc.conf" href="kdc_conf.html" /> </head> 
@@ -61,25 +59,25 @@ <div class="documentwrapper"> <div class="bodywrapper"> - <div class="body"> + <div class="body" role="main"> <div class="section" id="kadm5-acl"> <span id="kadm5-acl-5"></span><h1>kadm5.acl<a class="headerlink" href="#kadm5-acl" title="Permalink to this headline">¶</a></h1> <div class="section" id="description"> <h2>DESCRIPTION<a class="headerlink" href="#description" title="Permalink to this headline">¶</a></h2> -<p>The Kerberos <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a> daemon uses an Access Control List +<p>The Kerberos <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> daemon uses an Access Control List (ACL) file to manage access rights to the Kerberos database. For operations that affect principals, the ACL file also controls which principals can operate on which other principals.</p> <p>The default location of the Kerberos ACL file is -<a class="reference internal" href="../../mitK5defaults.html#paths"><em>LOCALSTATEDIR</em></a><tt class="docutils literal"><span class="pre">/krb5kdc</span></tt><tt class="docutils literal"><span class="pre">/kadm5.acl</span></tt> unless this is overridden by the <em>acl_file</em> -variable in <a class="reference internal" href="kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>.</p> +<a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">LOCALSTATEDIR</span></a><code class="docutils literal"><span class="pre">/krb5kdc</span></code><code class="docutils literal"><span class="pre">/kadm5.acl</span></code> unless this is overridden by the <em>acl_file</em> +variable in <a class="reference internal" href="kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>.</p> </div> <div class="section" id="syntax"> <h2>SYNTAX<a class="headerlink" href="#syntax" title="Permalink to this headline">¶</a></h2> -<p>Empty lines and lines starting 
with the sharp sign (<tt class="docutils literal"><span class="pre">#</span></tt>) are +<p>Empty lines and lines starting with the sharp sign (<code class="docutils literal"><span class="pre">#</span></code>) are ignored. Lines containing ACL entries have the format:</p> -<div class="highlight-python"><div class="highlight"><pre>principal permissions [target_principal [restrictions] ] +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">principal</span> <span class="n">permissions</span> <span class="p">[</span><span class="n">target_principal</span> <span class="p">[</span><span class="n">restrictions</span><span class="p">]</span> <span class="p">]</span> </pre></div> </div> <div class="admonition note"> @@ -91,7 +89,7 @@ will control access for an actor principal on a target principal.</p> <dt><em>principal</em></dt> <dd><p class="first">(Partially or fully qualified Kerberos principal name.) Specifies the principal whose permissions are to be set.</p> -<p class="last">Each component of the name may be wildcarded using the <tt class="docutils literal"><span class="pre">*</span></tt> +<p class="last">Each component of the name may be wildcarded using the <code class="docutils literal"><span class="pre">*</span></code> character.</p> </dd> <dt><em>permissions</em></dt> 
@@ -129,13 +127,13 @@ is permitted.</p> <td>[Dis]allows the modification of principals or policies</td> </tr> <tr class="row-even"><td>p</td> -<td>[Dis]allows the propagation of the principal database (used in <a class="reference internal" href="../database.html#incr-db-prop"><em>Incremental database propagation</em></a>)</td> +<td>[Dis]allows the propagation of the principal database (used in <a class="reference internal" href="../database.html#incr-db-prop"><span class="std std-ref">Incremental database propagation</span></a>)</td> </tr> <tr class="row-odd"><td>s</td> <td>[Dis]allows the explicit setting of the key for a principal</td> </tr> <tr class="row-even"><td>x</td> -<td>Short for admcilsp. All privileges (except <tt class="docutils literal"><span class="pre">e</span></tt>)</td> +<td>Short for admcilsp. All privileges (except <code class="docutils literal"><span class="pre">e</span></code>)</td> </tr> <tr class="row-odd"><td>*</td> <td>Same as x.</td> @@ -146,7 +144,7 @@ is permitted.</p> </dl> <div class="admonition note"> <p class="first admonition-title">Note</p> -<p class="last">The <tt class="docutils literal"><span class="pre">extract</span></tt> privilege is not included in the wildcard +<p class="last">The <code class="docutils literal"><span class="pre">extract</span></code> privilege is not included in the wildcard privilege; it must be explicitly assigned. This privilege allows the user to extract keys from the database, and must be handled with great care to avoid disclosure of important keys 
@@ -159,10 +157,10 @@ granted privilege.</p> <dt><em>target_principal</em></dt> <dd><p class="first">(Optional. Partially or fully qualified Kerberos principal name.) Specifies the principal on which <em>permissions</em> may be applied. -Each component of the name may be wildcarded using the <tt class="docutils literal"><span class="pre">*</span></tt> +Each component of the name may be wildcarded using the <code class="docutils literal"><span class="pre">*</span></code> character.</p> <p class="last"><em>target_principal</em> can also include back-references to <em>principal</em>, -in which <tt class="docutils literal"><span class="pre">*number</span></tt> matches the corresponding wildcard in +in which <code class="docutils literal"><span class="pre">*number</span></code> matches the corresponding wildcard in <em>principal</em>.</p> </dd> <dt><em>restrictions</em></dt> @@ -172,13 +170,13 @@ in which <tt class="docutils literal"><span class="pre">*number</span></tt> matc <dt>{+|-}<em>flagname</em></dt> <dd>flag is forced to the indicated value. The permissible flags are the same as those for the <strong>default_principal_flags</strong> -variable in <a class="reference internal" href="kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>.</dd> +variable in <a class="reference internal" href="kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>.</dd> <dt><em>-clearpolicy</em></dt> <dd>policy is forced to be empty.</dd> <dt><em>-policy pol</em></dt> <dd>policy is forced to be <em>pol</em>.</dd> <dt>-{<em>expire, pwexpire, maxlife, maxrenewlife</em>} <em>time</em></dt> -<dd>(<a class="reference internal" href="../../basic/date_format.html#getdate"><em>getdate time</em></a> string) associated value will be forced to +<dd>(<a class="reference internal" href="../../basic/date_format.html#getdate"><span class="std std-ref">getdate time</span></a> string) associated value will be forced to MIN(<em>time</em>, requested value).</dd> </dl> </div></blockquote> 
@@ -195,52 +193,52 @@ restarted for changes to take effect.</p> <div class="section" id="example"> <h2>EXAMPLE<a class="headerlink" href="#example" title="Permalink to this headline">¶</a></h2> <p>Here is an example of a kadm5.acl file:</p> -<div class="highlight-python"><div class="highlight"><pre>*/admin@ATHENA.MIT.EDU * # line 1 -joeadmin@ATHENA.MIT.EDU ADMCIL # line 2 -joeadmin/*@ATHENA.MIT.EDU i */root@ATHENA.MIT.EDU # line 3 -*/root@ATHENA.MIT.EDU ci *1@ATHENA.MIT.EDU # line 4 -*/root@ATHENA.MIT.EDU l * # line 5 -sms@ATHENA.MIT.EDU x * -maxlife 9h -postdateable # line 6 +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="o">*/</span><span class="n">admin</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="o">*</span> <span class="c1"># line 1</span> +<span class="n">joeadmin</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="n">ADMCIL</span> <span class="c1"># line 2</span> +<span class="n">joeadmin</span><span class="o">/*</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="n">i</span> <span class="o">*/</span><span class="n">root</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="c1"># line 3</span> +<span class="o">*/</span><span class="n">root</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="n">ci</span> <span class="o">*</span><span class="mi">1</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="c1"># line 4</span> +<span 
class="o">*/</span><span class="n">root</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="n">l</span> <span class="o">*</span> <span class="c1"># line 5</span> +<span class="n">sms</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="n">x</span> <span class="o">*</span> <span class="o">-</span><span class="n">maxlife</span> <span class="mi">9</span><span class="n">h</span> <span class="o">-</span><span class="n">postdateable</span> <span class="c1"># line 6</span> </pre></div> </div> -<p>(line 1) Any principal in the <tt class="docutils literal"><span class="pre">ATHENA.MIT.EDU</span></tt> realm with an -<tt class="docutils literal"><span class="pre">admin</span></tt> instance has all administrative privileges except extracting +<p>(line 1) Any principal in the <code class="docutils literal"><span class="pre">ATHENA.MIT.EDU</span></code> realm with an +<code class="docutils literal"><span class="pre">admin</span></code> instance has all administrative privileges except extracting keys.</p> -<p>(lines 1-3) The user <tt class="docutils literal"><span class="pre">joeadmin</span></tt> has all permissions except -extracting keys with his <tt class="docutils literal"><span class="pre">admin</span></tt> instance, -<tt class="docutils literal"><span class="pre">joeadmin/admin@ATHENA.MIT.EDU</span></tt> (matches line 1). He has no -permissions at all with his null instance, <tt class="docutils literal"><span class="pre">joeadmin@ATHENA.MIT.EDU</span></tt> -(matches line 2). 
His <tt class="docutils literal"><span class="pre">root</span></tt> and other non-<tt class="docutils literal"><span class="pre">admin</span></tt>, non-null -instances (e.g., <tt class="docutils literal"><span class="pre">extra</span></tt> or <tt class="docutils literal"><span class="pre">dbadmin</span></tt>) have inquire permissions -with any principal that has the instance <tt class="docutils literal"><span class="pre">root</span></tt> (matches line 3).</p> -<p>(line 4) Any <tt class="docutils literal"><span class="pre">root</span></tt> principal in <tt class="docutils literal"><span class="pre">ATHENA.MIT.EDU</span></tt> can inquire +<p>(lines 1-3) The user <code class="docutils literal"><span class="pre">joeadmin</span></code> has all permissions except +extracting keys with his <code class="docutils literal"><span class="pre">admin</span></code> instance, +<code class="docutils literal"><span class="pre">joeadmin/admin@ATHENA.MIT.EDU</span></code> (matches line 1). He has no +permissions at all with his null instance, <code class="docutils literal"><span class="pre">joeadmin@ATHENA.MIT.EDU</span></code> +(matches line 2). His <code class="docutils literal"><span class="pre">root</span></code> and other non-<code class="docutils literal"><span class="pre">admin</span></code>, non-null +instances (e.g., <code class="docutils literal"><span class="pre">extra</span></code> or <code class="docutils literal"><span class="pre">dbadmin</span></code>) have inquire permissions +with any principal that has the instance <code class="docutils literal"><span class="pre">root</span></code> (matches line 3).</p> +<p>(line 4) Any <code class="docutils literal"><span class="pre">root</span></code> principal in <code class="docutils literal"><span class="pre">ATHENA.MIT.EDU</span></code> can inquire or change the password of their null instance, but not any other -null instance. 
(Here, <tt class="docutils literal"><span class="pre">*1</span></tt> denotes a back-reference to the +null instance. (Here, <code class="docutils literal"><span class="pre">*1</span></code> denotes a back-reference to the component matching the first wildcard in the actor principal.)</p> -<p>(line 5) Any <tt class="docutils literal"><span class="pre">root</span></tt> principal in <tt class="docutils literal"><span class="pre">ATHENA.MIT.EDU</span></tt> can generate +<p>(line 5) Any <code class="docutils literal"><span class="pre">root</span></code> principal in <code class="docutils literal"><span class="pre">ATHENA.MIT.EDU</span></code> can generate the list of principals in the database, and the list of policies in the database. This line is separate from line 4, because list permission can only be granted globally, not to specific target principals.</p> <p>(line 6) Finally, the Service Management System principal -<tt class="docutils literal"><span class="pre">sms@ATHENA.MIT.EDU</span></tt> has all permissions except extracting keys, but +<code class="docutils literal"><span class="pre">sms@ATHENA.MIT.EDU</span></code> has all permissions except extracting keys, but any principal that it creates or modifies will not be able to get postdateable tickets or tickets with a life of longer than 9 hours.</p> </div> <div class="section" id="module-behavior"> <h2>MODULE BEHAVIOR<a class="headerlink" href="#module-behavior" title="Permalink to this headline">¶</a></h2> <p>The ACL file can coexist with other authorization modules in release -1.16 and later, as configured in the <a class="reference internal" href="krb5_conf.html#kadm5-auth"><em>kadm5_auth interface</em></a> section of -<a class="reference internal" href="krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a>. 
The ACL file will positively authorize +1.16 and later, as configured in the <a class="reference internal" href="krb5_conf.html#kadm5-auth"><span class="std std-ref">kadm5_auth interface</span></a> section of +<a class="reference internal" href="krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a>. The ACL file will positively authorize operations according to the rules above, but will never authoritatively deny an operation, so other modules can authorize operations in addition to those authorized by the ACL file.</p> <p>To operate without an ACL file, set the <em>acl_file</em> variable in -<a class="reference internal" href="kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> to the empty string with <tt class="docutils literal"><span class="pre">acl_file</span> <span class="pre">=</span> <span class="pre">""</span></tt>.</p> +<a class="reference internal" href="kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a> to the empty string with <code class="docutils literal"><span class="pre">acl_file</span> <span class="pre">=</span> <span class="pre">""</span></code>.</p> </div> <div class="section" id="see-also"> <h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2> -<p><a class="reference internal" href="kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>, <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a></p> +<p><a class="reference internal" href="kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>, <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a></p> </div> </div> 
@@ -271,11 +269,12 @@ operations in addition to those authorized by the ACL file.</p> <li class="toctree-l2 current"><a class="reference internal" href="index.html">Configuration Files</a><ul class="current"> <li class="toctree-l3"><a class="reference internal" href="krb5_conf.html">krb5.conf</a></li> <li class="toctree-l3"><a class="reference internal" href="kdc_conf.html">kdc.conf</a></li> -<li class="toctree-l3 current"><a class="current reference internal" href="">kadm5.acl</a></li> +<li class="toctree-l3 current"><a class="current reference internal" href="#">kadm5.acl</a></li> </ul> </li> <li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li> <li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li> +<li class="toctree-l2"><a class="reference internal" href="../dbtypes.html">Database types</a></li> <li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li> <li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li> <li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li> 
@@ -283,6 +282,8 @@ operations in addition to those authorized by the ACL file.</p> <li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li> <li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li> <li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li> +<li class="toctree-l2"><a class="reference internal" href="../spake.html">SPAKE Preauthentication</a></li> +<li class="toctree-l2"><a class="reference internal" href="../dictionary.html">Addressing dictionary attack risks</a></li> <li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li> <li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li> <li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li> @@ -322,8 +323,8 @@ operations in addition to those authorized by the ACL file.</p> <div class="footer-wrapper"> <div class="footer" > - <div class="right" ><i>Release: 1.16</i><br /> - © <a href="../../copyright.html">Copyright</a> 1985-2017, MIT. + <div class="right" ><i>Release: 1.21.1</i><br /> + © <a href="../../copyright.html">Copyright</a> 1985-2023, MIT. </div> <div class="left"> diff --git a/doc/html/admin/conf_files/kdc_conf.html b/doc/html/admin/conf_files/kdc_conf.html index 183e63cd26d8..47ed8ef7453d 100644 --- a/doc/html/admin/conf_files/kdc_conf.html +++ b/doc/html/admin/conf_files/kdc_conf.html 
@@ -1,33 +1,31 @@ + <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> - <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> - - <title>kdc.conf — MIT Kerberos Documentation</title> - + <title>kdc.conf — MIT Kerberos Documentation</title> <link rel="stylesheet" href="../../_static/agogo.css" type="text/css" /> <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" /> <link rel="stylesheet" href="../../_static/kerb.css" type="text/css" /> - <script type="text/javascript"> var DOCUMENTATION_OPTIONS = { URL_ROOT: '../../', - VERSION: '1.16', + VERSION: '1.21.1', COLLAPSE_INDEX: false, FILE_SUFFIX: '.html', - HAS_SOURCE: true + HAS_SOURCE: true, + SOURCELINK_SUFFIX: '.txt' }; </script> <script type="text/javascript" src="../../_static/jquery.js"></script> <script type="text/javascript" src="../../_static/underscore.js"></script> <script type="text/javascript" src="../../_static/doctools.js"></script> <link rel="author" title="About these documents" href="../../about.html" /> + <link rel="index" title="Index" href="../../genindex.html" /> + <link rel="search" title="Search" href="../../search.html" /> <link rel="copyright" title="Copyright" href="../../copyright.html" /> - <link rel="top" title="MIT Kerberos Documentation" href="../../index.html" /> - <link rel="up" title="Configuration Files" href="index.html" /> <link rel="next" title="kadm5.acl" href="kadm5_acl.html" /> <link rel="prev" title="krb5.conf" href="krb5_conf.html" /> </head> 
@@ -61,25 +59,25 @@ <div class="documentwrapper"> <div class="bodywrapper"> - <div class="body"> + <div class="body" role="main"> <div class="section" id="kdc-conf"> <span id="kdc-conf-5"></span><h1>kdc.conf<a class="headerlink" href="#kdc-conf" title="Permalink to this headline">¶</a></h1> -<p>The kdc.conf file supplements <a class="reference internal" href="krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a> for programs which -are typically only used on a KDC, such as the <a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><em>krb5kdc</em></a> and -<a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a> daemons and the <a class="reference internal" href="../admin_commands/kdb5_util.html#kdb5-util-8"><em>kdb5_util</em></a> program. +<p>The kdc.conf file supplements <a class="reference internal" href="krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a> for programs which +are typically only used on a KDC, such as the <a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a> and +<a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> daemons and the <a class="reference internal" href="../admin_commands/kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a> program. Relations documented here may also be specified in krb5.conf; for the KDC programs mentioned, krb5.conf and kdc.conf will be merged into a single configuration profile.</p> <p>Normally, the kdc.conf file is found in the KDC state directory, -<a class="reference internal" href="../../mitK5defaults.html#paths"><em>LOCALSTATEDIR</em></a><tt class="docutils literal"><span class="pre">/krb5kdc</span></tt>. 
You can override the default location by setting the +<a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">LOCALSTATEDIR</span></a><code class="docutils literal"><span class="pre">/krb5kdc</span></code>. You can override the default location by setting the environment variable <strong>KRB5_KDC_PROFILE</strong>.</p> <p>Please note that you need to restart the KDC daemon for any configuration changes to take effect.</p> <div class="section" id="structure"> <h2>Structure<a class="headerlink" href="#structure" title="Permalink to this headline">¶</a></h2> <p>The kdc.conf file is set up in the same format as the -<a class="reference internal" href="krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a> file.</p> +<a class="reference internal" href="krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a> file.</p> </div> <div class="section" id="sections"> <h2>Sections<a class="headerlink" href="#sections" title="Permalink to this headline">¶</a></h2> 
@@ -90,29 +88,29 @@ changes to take effect.</p> <col width="71%" /> </colgroup> <tbody valign="top"> -<tr class="row-odd"><td><a class="reference internal" href="#kdcdefaults"><em>[kdcdefaults]</em></a></td> +<tr class="row-odd"><td><a class="reference internal" href="#kdcdefaults"><span class="std std-ref">[kdcdefaults]</span></a></td> <td>Default values for KDC behavior</td> </tr> -<tr class="row-even"><td><a class="reference internal" href="#kdc-realms"><em>[realms]</em></a></td> +<tr class="row-even"><td><a class="reference internal" href="#kdc-realms"><span class="std std-ref">[realms]</span></a></td> <td>Realm-specific database configuration and settings</td> </tr> -<tr class="row-odd"><td><a class="reference internal" href="#dbdefaults"><em>[dbdefaults]</em></a></td> +<tr class="row-odd"><td><a class="reference internal" href="#dbdefaults"><span class="std std-ref">[dbdefaults]</span></a></td> <td>Default database settings</td> </tr> -<tr class="row-even"><td><a class="reference internal" href="#dbmodules"><em>[dbmodules]</em></a></td> +<tr class="row-even"><td><a class="reference internal" href="#dbmodules"><span class="std std-ref">[dbmodules]</span></a></td> <td>Per-database settings</td> </tr> -<tr class="row-odd"><td><a class="reference internal" href="#logging"><em>[logging]</em></a></td> +<tr class="row-odd"><td><a class="reference internal" href="#logging"><span class="std std-ref">[logging]</span></a></td> <td>Controls how Kerberos daemons perform logging</td> </tr> </tbody> </table> <div class="section" id="kdcdefaults"> <span id="id1"></span><h3>[kdcdefaults]<a class="headerlink" href="#kdcdefaults" title="Permalink to this headline">¶</a></h3> -<p>With two exceptions, relations in the [kdcdefaults] section specify -default values for realm variables, to be used if the [realms] -subsection does not contain a relation for the tag. 
See the -<a class="reference internal" href="#kdc-realms"><em>[realms]</em></a> section for the definitions of these relations.</p> +<p>Some relations in the [kdcdefaults] section specify default values for +realm variables, to be used if the [realms] subsection does not +contain a relation for the tag. See the <a class="reference internal" href="#kdc-realms"><span class="std std-ref">[realms]</span></a> section for +the definitions of these relations.</p> <ul class="simple"> <li><strong>host_based_services</strong></li> <li><strong>kdc_listen</strong></li> @@ -122,6 +120,7 @@ subsection does not contain a relation for the tag. See the <li><strong>no_host_referral</strong></li> <li><strong>restrict_anonymous_to_tgt</strong></li> </ul> +<p>The following [kdcdefaults] variables have no per-realm equivalent:</p> <dl class="docutils"> <dt><strong>kdc_max_dgram_reply_size</strong></dt> <dd>Specifies the maximum packet size that can be sent over UDP. The @@ -130,6 +129,11 @@ default value is 4096 bytes.</dd> <dd>(Integer.) Set the size of the listen queue length for the KDC daemon. The value may be limited by OS settings. The default value is 5.</dd> +<dt><strong>spake_preauth_kdc_challenge</strong></dt> +<dd>(String.) Specifies the group for a SPAKE optimistic challenge. +See the <strong>spake_preauth_groups</strong> variable in <a class="reference internal" href="krb5_conf.html#libdefaults"><span class="std std-ref">[libdefaults]</span></a> +for possible values. The default is not to issue an optimistic +challenge. (New in release 1.17.)</dd> </dl> </div> <div class="section" id="realms"> 
@@ -138,41 +142,41 @@ value is 5.</dd> value of the tag is a subsection where the relations define KDC parameters for that particular realm. The following example shows how to define one parameter for the ATHENA.MIT.EDU realm:</p> -<div class="highlight-python"><div class="highlight"><pre>[realms] - ATHENA.MIT.EDU = { - max_renewable_life = 7d 0h 0m 0s - } +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">realms</span><span class="p">]</span> + <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="o">=</span> <span class="p">{</span> + <span class="n">max_renewable_life</span> <span class="o">=</span> <span class="mi">7</span><span class="n">d</span> <span class="mi">0</span><span class="n">h</span> <span class="mi">0</span><span class="n">m</span> <span class="mi">0</span><span class="n">s</span> + <span class="p">}</span> </pre></div> </div> <p>The following tags may be specified in a [realms] subsection:</p> <dl class="docutils"> <dt><strong>acl_file</strong></dt> <dd>(String.) Location of the access control list file that -<a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a> uses to determine which principals are allowed +<a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> uses to determine which principals are allowed which permissions on the Kerberos database. To operate without an -ACL file, set this relation to the empty string with <tt class="docutils literal"><span class="pre">acl_file</span> <span class="pre">=</span> -<span class="pre">""</span></tt>. 
The default value is <a class="reference internal" href="../../mitK5defaults.html#paths"><em>LOCALSTATEDIR</em></a><tt class="docutils literal"><span class="pre">/krb5kdc</span></tt><tt class="docutils literal"><span class="pre">/kadm5.acl</span></tt>. For more -information on Kerberos ACL file see <a class="reference internal" href="kadm5_acl.html#kadm5-acl-5"><em>kadm5.acl</em></a>.</dd> +ACL file, set this relation to the empty string with <code class="docutils literal"><span class="pre">acl_file</span> <span class="pre">=</span> +<span class="pre">""</span></code>. The default value is <a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">LOCALSTATEDIR</span></a><code class="docutils literal"><span class="pre">/krb5kdc</span></code><code class="docutils literal"><span class="pre">/kadm5.acl</span></code>. For more +information on Kerberos ACL file see <a class="reference internal" href="kadm5_acl.html#kadm5-acl-5"><span class="std std-ref">kadm5.acl</span></a>.</dd> <dt><strong>database_module</strong></dt> <dd>(String.) This relation indicates the name of the configuration -section under <a class="reference internal" href="#dbmodules"><em>[dbmodules]</em></a> for database-specific parameters +section under <a class="reference internal" href="#dbmodules"><span class="std std-ref">[dbmodules]</span></a> for database-specific parameters used by the loadable database library. The default value is the realm name. If this configuration section does not exist, default values will be used for all database parameters.</dd> <dt><strong>database_name</strong></dt> <dd>(String, deprecated.) This relation specifies the location of the Kerberos database for this realm, if the DB2 module is being used -and the <a class="reference internal" href="#dbmodules"><em>[dbmodules]</em></a> configuration section does not specify a -database name. 
The default value is <a class="reference internal" href="../../mitK5defaults.html#paths"><em>LOCALSTATEDIR</em></a><tt class="docutils literal"><span class="pre">/krb5kdc</span></tt><tt class="docutils literal"><span class="pre">/principal</span></tt>.</dd> +and the <a class="reference internal" href="#dbmodules"><span class="std std-ref">[dbmodules]</span></a> configuration section does not specify a +database name. The default value is <a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">LOCALSTATEDIR</span></a><code class="docutils literal"><span class="pre">/krb5kdc</span></code><code class="docutils literal"><span class="pre">/principal</span></code>.</dd> <dt><strong>default_principal_expiration</strong></dt> -<dd>(<a class="reference internal" href="../../basic/date_format.html#abstime"><em>Absolute time</em></a> string.) Specifies the default expiration date of +<dd>(<a class="reference internal" href="../../basic/date_format.html#abstime"><span class="std std-ref">Absolute time</span></a> string.) Specifies the default expiration date of principals created in this realm. The default value is 0, which means no expiration date.</dd> <dt><strong>default_principal_flags</strong></dt> <dd><p class="first">(Flag string.) Specifies the default attributes of principals created in this realm. The format for this string is a -comma-separated list of flags, with ‘+’ before each flag that -should be enabled and ‘-‘ before each flag that should be +comma-separated list of flags, with ‘+’ before each flag that +should be enabled and ‘-‘ before each flag that should be disabled. The <strong>postdateable</strong>, <strong>forwardable</strong>, <strong>tgt-based</strong>, <strong>renewable</strong>, <strong>proxiable</strong>, <strong>dup-skey</strong>, <strong>allow-tickets</strong>, and <strong>service</strong> flags default to enabled.</p> 
@@ -183,9 +187,8 @@ disabled. The <strong>postdateable</strong>, <strong>forwardable</strong>, <str
 this principal. Disabling this flag essentially deactivates the principal within this realm.</dd>
 <dt><strong>dup-skey</strong></dt>
-<dd>Enabling this flag allows the principal to obtain a session
-key for another user, permitting user-to-user authentication
-for this principal.</dd>
+<dd>Enabling this flag allows the KDC to issue user-to-user
+service tickets for this principal.</dd>
 <dt><strong>forwardable</strong></dt>
 <dd>Enabling this flag allows the principal to obtain forwardable tickets.</dd>
@@ -221,7 +224,7 @@ principal.</dd>
 <dt><strong>pwservice</strong></dt>
 <dd>If this flag is enabled, it marks this principal as a password change service. This should only be used in special cases,
-for example, if a user’s password has expired, then the user
+for example, if a user’s password has expired, then the user
 has to get tickets for that principal without going through the normal password authentication in order to be able to change the password.</dd>
@@ -230,7 +233,9 @@ change the password.</dd>
 tickets.</dd>
 <dt><strong>service</strong></dt>
 <dd>Enabling this flag allows the the KDC to issue service tickets
-for this principal.</dd>
+for this principal. In release 1.17 and later, user-to-user
+service tickets are still allowed if the <strong>dup-skey</strong> flag is
+set.</dd>
 <dt><strong>tgt-based</strong></dt>
 <dd>Enabling this flag allows a principal to obtain tickets based on a ticket-granting-ticket, rather than repeating the 
@@ -243,6 +248,11 @@ are not allowed as passwords. The file should contain one string per line, with no additional whitespace. If none is specified or if there is no policy assigned to the principal, no dictionary checks of passwords will be performed.</dd>
+<dt><strong>disable_pac</strong></dt>
+<dd>(Boolean value.) If true, the KDC will not issue PACs for this
+realm, and S4U2Self and S4U2Proxy operations will be disabled.
+The default is false, which will permit the KDC to issue PACs.
+New in release 1.20.</dd>
 <dt><strong>encrypted_challenge_indicator</strong></dt>
 <dd>(String.) Specifies the authentication indicator value that the KDC asserts into tickets obtained using FAST encrypted challenge 
@@ -254,17 +264,25 @@ not marked as host-based by the client.</dd> <dt><strong>iprop_enable</strong></dt> <dd>(Boolean value.) Specifies whether incremental database propagation is enabled. The default value is false.</dd> -<dt><strong>iprop_master_ulogsize</strong></dt> +<dt><strong>iprop_ulogsize</strong></dt> <dd>(Integer.) Specifies the maximum number of log entries to be retained for incremental propagation. The default value is 1000. -Prior to release 1.11, the maximum value was 2500.</dd> +Prior to release 1.11, the maximum value was 2500. New in release +1.19.</dd> +<dt><strong>iprop_master_ulogsize</strong></dt> +<dd>The name for <strong>iprop_ulogsize</strong> prior to release 1.19. Its value is +used as a fallback if <strong>iprop_ulogsize</strong> is not specified.</dd> +<dt><strong>iprop_replica_poll</strong></dt> +<dd>(Delta time string.) Specifies how often the replica KDC polls +for new updates from the primary. The default value is <code class="docutils literal"><span class="pre">2m</span></code> +(that is, two minutes). New in release 1.17.</dd> <dt><strong>iprop_slave_poll</strong></dt> -<dd>(Delta time string.) Specifies how often the slave KDC polls for -new updates from the master. The default value is <tt class="docutils literal"><span class="pre">2m</span></tt> (that -is, two minutes).</dd> +<dd>(Delta time string.) The name for <strong>iprop_replica_poll</strong> prior to +release 1.17. Its value is used as a fallback if +<strong>iprop_replica_poll</strong> is not specified.</dd> <dt><strong>iprop_listen</strong></dt> <dd>(Whitespace- or comma-separated list.) Specifies the iprop RPC -listening addresses and/or ports for the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a> daemon. +listening addresses and/or ports for the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> daemon. 
Each entry may be an interface address, a port number, or an address and port number separated by a colon. If the address contains colons, enclose it in square brackets. If no address is 
@@ -276,21 +294,21 @@ address at the port specified in <strong>iprop_port</strong>. New in release <dt><strong>iprop_port</strong></dt> <dd>(Port number.) Specifies the port number to be used for incremental propagation. When <strong>iprop_enable</strong> is true, this -relation is required in the slave configuration file, and this -relation or <strong>iprop_listen</strong> is required in the master +relation is required in the replica KDC configuration file, and +this relation or <strong>iprop_listen</strong> is required in the primary configuration file, as there is no default port number. Port numbers specified in <strong>iprop_listen</strong> entries will override this -port number for the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a> daemon.</dd> +port number for the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> daemon.</dd> <dt><strong>iprop_resync_timeout</strong></dt> <dd>(Delta time string.) Specifies the amount of time to wait for a full propagation to complete. This is optional in configuration -files, and is used by slave KDCs only. The default value is 5 -minutes (<tt class="docutils literal"><span class="pre">5m</span></tt>). New in release 1.11.</dd> +files, and is used by replica KDCs only. The default value is 5 +minutes (<code class="docutils literal"><span class="pre">5m</span></code>). New in release 1.11.</dd> <dt><strong>iprop_logfile</strong></dt> <dd>(File name.) Specifies where the update log file for the realm database is to be stored. The default is to use the <strong>database_name</strong> entry from the realms section of the krb5 config -file, with <tt class="docutils literal"><span class="pre">.ulog</span></tt> appended. (NOTE: If <strong>database_name</strong> isn’t +file, with <code class="docutils literal"><span class="pre">.ulog</span></code> appended. 
(NOTE: If <strong>database_name</strong> isn’t specified in the realms section, perhaps because the LDAP database back end is being used, or the file name is specified in the [dbmodules] section, then the hard-coded default for @@ -298,7 +316,7 @@ back end is being used, or the file name is specified in the default value will not use values from the [dbmodules] section.)</dd> <dt><strong>kadmind_listen</strong></dt> <dd>(Whitespace- or comma-separated list.) Specifies the kadmin RPC -listening addresses and/or ports for the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a> daemon. +listening addresses and/or ports for the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> daemon. Each entry may be an interface address, a port number, or an address and port number separated by a colon. If the address contains colons, enclose it in square brackets. If no address is 
@@ -308,16 +326,16 @@ default is to bind to the wildcard address at the port specified in <strong>kadmind_port</strong>, or the standard kadmin port (749). New in release 1.15.</dd> <dt><strong>kadmind_port</strong></dt> -<dd>(Port number.) Specifies the port on which the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a> +<dd>(Port number.) Specifies the port on which the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> daemon is to listen for this realm. Port numbers specified in <strong>kadmind_listen</strong> entries will override this port number. The assigned port for kadmind is 749, which is used by default.</dd> <dt><strong>key_stash_file</strong></dt> <dd>(String.) Specifies the location where the master key has been -stored (via kdb5_util stash). The default is <a class="reference internal" href="../../mitK5defaults.html#paths"><em>LOCALSTATEDIR</em></a><tt class="docutils literal"><span class="pre">/krb5kdc</span></tt><tt class="docutils literal"><span class="pre">/.k5.REALM</span></tt>, where <em>REALM</em> is the Kerberos realm.</dd> +stored (via kdb5_util stash). The default is <a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">LOCALSTATEDIR</span></a><code class="docutils literal"><span class="pre">/krb5kdc</span></code><code class="docutils literal"><span class="pre">/.k5.REALM</span></code>, where <em>REALM</em> is the Kerberos realm.</dd> <dt><strong>kdc_listen</strong></dt> <dd>(Whitespace- or comma-separated list.) Specifies the UDP -listening addresses and/or ports for the <a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><em>krb5kdc</em></a> daemon. +listening addresses and/or ports for the <a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a> daemon. 
Each entry may be an interface address, a port number, or an address and port number separated by a colon. If the address contains colons, enclose it in square brackets. If no address is 
@@ -329,30 +347,30 @@ New in release 1.15.</dd> <dt><strong>kdc_ports</strong></dt> <dd>(Whitespace- or comma-separated list, deprecated.) Prior to release 1.15, this relation lists the ports for the -<a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><em>krb5kdc</em></a> daemon to listen on for UDP requests. In +<a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a> daemon to listen on for UDP requests. In release 1.15 and later, it has the same meaning as <strong>kdc_listen</strong> if that relation is not defined.</dd> <dt><strong>kdc_tcp_listen</strong></dt> <dd>(Whitespace- or comma-separated list.) Specifies the TCP -listening addresses and/or ports for the <a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><em>krb5kdc</em></a> daemon. +listening addresses and/or ports for the <a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a> daemon. Each entry may be an interface address, a port number, or an address and port number separated by a colon. If the address contains colons, enclose it in square brackets. If no address is specified, the wildcard address is used. If no port is specified, the standard port (88) is used. To disable listening on TCP, set -this relation to the empty string with <tt class="docutils literal"><span class="pre">kdc_tcp_listen</span> <span class="pre">=</span> <span class="pre">""</span></tt>. +this relation to the empty string with <code class="docutils literal"><span class="pre">kdc_tcp_listen</span> <span class="pre">=</span> <span class="pre">""</span></code>. If the KDC daemon fails to bind to any of the specified addresses, it will fail to start. The default is to bind to the wildcard address on the standard port. New in release 1.15.</dd> <dt><strong>kdc_tcp_ports</strong></dt> <dd>(Whitespace- or comma-separated list, deprecated.) 
Prior to release 1.15, this relation lists the ports for the -<a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><em>krb5kdc</em></a> daemon to listen on for UDP requests. In +<a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a> daemon to listen on for UDP requests. In release 1.15 and later, it has the same meaning as <strong>kdc_tcp_listen</strong> if that relation is not defined.</dd> <dt><strong>kpasswd_listen</strong></dt> <dd>(Comma-separated list.) Specifies the kpasswd listening addresses -and/or ports for the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a> daemon. Each entry may be +and/or ports for the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> daemon. Each entry may be an interface address, a port number, or an address and port number separated by a colon. If the address contains colons, enclose it in square brackets. If no address is specified, the wildcard 
@@ -361,43 +379,37 @@ addresses, it will fail to start. The default is to bind to the wildcard address at the port specified in <strong>kpasswd_port</strong>, or the standard kpasswd port (464). New in release 1.15.</dd> <dt><strong>kpasswd_port</strong></dt> -<dd>(Port number.) Specifies the port on which the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a> +<dd>(Port number.) Specifies the port on which the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> daemon is to listen for password change requests for this realm. Port numbers specified in <strong>kpasswd_listen</strong> entries will override this port number. The assigned port for password change requests is 464, which is used by default.</dd> <dt><strong>master_key_name</strong></dt> <dd>(String.) Specifies the name of the principal associated with the -master key. The default is <tt class="docutils literal"><span class="pre">K/M</span></tt>.</dd> +master key. The default is <code class="docutils literal"><span class="pre">K/M</span></code>.</dd> <dt><strong>master_key_type</strong></dt> -<dd>(Key type string.) Specifies the master key’s key type. The -default value for this is <tt class="docutils literal"><span class="pre">aes256-cts-hmac-sha1-96</span></tt>. For a list of all possible -values, see <a class="reference internal" href="#encryption-types"><em>Encryption types</em></a>.</dd> +<dd>(Key type string.) Specifies the master key’s key type. The +default value for this is <code class="docutils literal"><span class="pre">aes256-cts-hmac-sha1-96</span></code>. For a list of all possible +values, see <a class="reference internal" href="#encryption-types"><span class="std std-ref">Encryption types</span></a>.</dd> <dt><strong>max_life</strong></dt> -<dd>(<a class="reference internal" href="../../basic/date_format.html#duration"><em>Time duration</em></a> string.) 
Specifies the maximum time period for +<dd>(<a class="reference internal" href="../../basic/date_format.html#duration"><span class="std std-ref">Time duration</span></a> string.) Specifies the maximum time period for which a ticket may be valid in this realm. The default value is 24 hours.</dd> <dt><strong>max_renewable_life</strong></dt> -<dd>(<a class="reference internal" href="../../basic/date_format.html#duration"><em>Time duration</em></a> string.) Specifies the maximum time period +<dd>(<a class="reference internal" href="../../basic/date_format.html#duration"><span class="std std-ref">Time duration</span></a> string.) Specifies the maximum time period during which a valid ticket may be renewed in this realm. The default value is 0.</dd> <dt><strong>no_host_referral</strong></dt> <dd>(Whitespace- or comma-separated list.) Lists services to block from getting host-based referral processing, even if the client marks the server principal as host-based or the service is also -listed in <strong>host_based_services</strong>. <tt class="docutils literal"><span class="pre">no_host_referral</span> <span class="pre">=</span> <span class="pre">*</span></tt> will +listed in <strong>host_based_services</strong>. <code class="docutils literal"><span class="pre">no_host_referral</span> <span class="pre">=</span> <span class="pre">*</span></code> will disable referral processing altogether.</dd> -<dt><strong>des_crc_session_supported</strong></dt> -<dd>(Boolean value). If set to true, the KDC will assume that service -principals support des-cbc-crc for session key enctype negotiation -purposes. If <strong>allow_weak_crypto</strong> in <a class="reference internal" href="krb5_conf.html#libdefaults"><em>[libdefaults]</em></a> is -false, or if des-cbc-crc is not a permitted enctype, then this -variable has no effect. Defaults to true. New in release 1.11.</dd> <dt><strong>reject_bad_transit</strong></dt> <dd><p class="first">(Boolean value.) 
If set to true, the KDC will check the list of transited realms for cross-realm tickets against the transit path computed from the realm names and the capaths section of its -<a class="reference internal" href="krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a> file; if the path in the ticket to be issued +<a class="reference internal" href="krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a> file; if the path in the ticket to be issued contains any realms not in the computed path, the ticket will not be issued, and an error will be returned to the client instead. If this value is set to false, such tickets will be issued 
@@ -414,23 +426,28 @@ only to TGS requests.</p> <dt><strong>restrict_anonymous_to_tgt</strong></dt> <dd>(Boolean value.) If set to true, the KDC will reject ticket requests from anonymous principals to service principals other -than the realm’s ticket-granting service. This option allows +than the realm’s ticket-granting service. This option allows anonymous PKINIT to be enabled for use as FAST armor tickets without allowing anonymous authentication to services. The default value is false. New in release 1.9.</dd> +<dt><strong>spake_preauth_indicator</strong></dt> +<dd>(String.) Specifies an authentication indicator value that the +KDC asserts into tickets obtained using SPAKE pre-authentication. +The default is not to add any indicators. This option may be +specified multiple times. New in release 1.17.</dd> <dt><strong>supported_enctypes</strong></dt> <dd>(List of <em>key</em>:<em>salt</em> strings.) Specifies the default key/salt combinations of principals for this realm. Any principals created -through <a class="reference internal" href="../admin_commands/kadmin_local.html#kadmin-1"><em>kadmin</em></a> will have keys of these types. The -default value for this tag is <tt class="docutils literal"><span class="pre">aes256-cts-hmac-sha1-96:normal</span> <span class="pre">aes128-cts-hmac-sha1-96:normal</span> <span class="pre">des3-cbc-sha1:normal</span> <span class="pre">arcfour-hmac-md5:normal</span></tt>. For lists of -possible values, see <a class="reference internal" href="#keysalt-lists"><em>Keysalt lists</em></a>.</dd> +through <a class="reference internal" href="../admin_commands/kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> will have keys of these types. The +default value for this tag is <code class="docutils literal"><span class="pre">aes256-cts-hmac-sha1-96:normal</span> <span class="pre">aes128-cts-hmac-sha1-96:normal</span></code>. 
For lists of +possible values, see <a class="reference internal" href="#keysalt-lists"><span class="std std-ref">Keysalt lists</span></a>.</dd> </dl> </div> <div class="section" id="dbdefaults"> <span id="id2"></span><h3>[dbdefaults]<a class="headerlink" href="#dbdefaults" title="Permalink to this headline">¶</a></h3> <p>The [dbdefaults] section specifies default values for some database parameters, to be used if the [dbmodules] subsection does not contain -a relation for the tag. See the <a class="reference internal" href="#dbmodules"><em>[dbmodules]</em></a> section for the +a relation for the tag. See the <a class="reference internal" href="#dbmodules"><span class="std std-ref">[dbmodules]</span></a> section for the definitions of these relations.</p> <ul class="simple"> <li><strong>ldap_kerberos_container_dn</strong></li> @@ -445,7 +462,6 @@ definitions of these relations.</p> <li><strong>ldap_kadmind_sasl_mech</strong></li> <li><strong>ldap_kadmind_sasl_realm</strong></li> <li><strong>ldap_service_password_file</strong></li> -<li><strong>ldap_servers</strong></li> <li><strong>ldap_conns_per_server</strong></li> </ul> </div> 
@@ -453,34 +469,34 @@ definitions of these relations.</p> <span id="id3"></span><h3>[dbmodules]<a class="headerlink" href="#dbmodules" title="Permalink to this headline">¶</a></h3> <p>The [dbmodules] section contains parameters used by the KDC database library and database modules. Each tag in the [dbmodules] section is -the name of a Kerberos realm or a section name specified by a realm’s +the name of a Kerberos realm or a section name specified by a realm’s <strong>database_module</strong> parameter. The following example shows how to define one database parameter for the ATHENA.MIT.EDU realm:</p> -<div class="highlight-python"><div class="highlight"><pre>[dbmodules] - ATHENA.MIT.EDU = { - disable_last_success = true - } +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">dbmodules</span><span class="p">]</span> + <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="o">=</span> <span class="p">{</span> + <span class="n">disable_last_success</span> <span class="o">=</span> <span class="n">true</span> + <span class="p">}</span> </pre></div> </div> <p>The following tags may be specified in a [dbmodules] subsection:</p> <dl class="docutils"> <dt><strong>database_name</strong></dt> <dd>This DB2-specific tag indicates the location of the database in -the filesystem. The default is <a class="reference internal" href="../../mitK5defaults.html#paths"><em>LOCALSTATEDIR</em></a><tt class="docutils literal"><span class="pre">/krb5kdc</span></tt><tt class="docutils literal"><span class="pre">/principal</span></tt>.</dd> +the filesystem. 
The default is <a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">LOCALSTATEDIR</span></a><code class="docutils literal"><span class="pre">/krb5kdc</span></code><code class="docutils literal"><span class="pre">/principal</span></code>.</dd> <dt><strong>db_library</strong></dt> <dd>This tag indicates the name of the loadable database module. The -value should be <tt class="docutils literal"><span class="pre">db2</span></tt> for the DB2 module and <tt class="docutils literal"><span class="pre">kldap</span></tt> for the -LDAP module.</dd> +value should be <code class="docutils literal"><span class="pre">db2</span></code> for the DB2 module, <code class="docutils literal"><span class="pre">klmdb</span></code> for the LMDB +module, or <code class="docutils literal"><span class="pre">kldap</span></code> for the LDAP module.</dd> <dt><strong>disable_last_success</strong></dt> -<dd>If set to <tt class="docutils literal"><span class="pre">true</span></tt>, suppresses KDC updates to the “Last successful -authentication” field of principal entries requiring +<dd>If set to <code class="docutils literal"><span class="pre">true</span></code>, suppresses KDC updates to the “Last successful +authentication” field of principal entries requiring preauthentication. Setting this flag may improve performance. (Principal entries which do not require preauthentication never -update the “Last successful authentication” field.). First +update the “Last successful authentication” field.). 
First introduced in release 1.9.</dd> <dt><strong>disable_lockout</strong></dt> -<dd>If set to <tt class="docutils literal"><span class="pre">true</span></tt>, suppresses KDC updates to the “Last failed -authentication” and “Failed password attempts” fields of principal +<dd>If set to <code class="docutils literal"><span class="pre">true</span></code>, suppresses KDC updates to the “Last failed +authentication” and “Failed password attempts” fields of principal entries requiring preauthentication. Setting this flag may improve performance, but also disables account lockout. First introduced in release 1.9.</dd> @@ -489,8 +505,8 @@ introduced in release 1.9.</dd> maintained per LDAP server.</dd> <dt><strong>ldap_kdc_dn</strong> and <strong>ldap_kadmind_dn</strong></dt> <dd>These LDAP-specific tags indicate the default DN for binding to -the LDAP server. The <a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><em>krb5kdc</em></a> daemon uses -<strong>ldap_kdc_dn</strong>, while the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a> daemon and other +the LDAP server. The <a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a> daemon uses +<strong>ldap_kdc_dn</strong>, while the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> daemon and other administrative programs use <strong>ldap_kadmind_dn</strong>. The kadmind DN must have the rights to read and write the Kerberos data in the LDAP database. The KDC DN must have the same rights, unless 
@@ -500,13 +516,13 @@ These tags are ignored if a SASL mechanism is set with <strong>ldap_kdc_sasl_mech</strong> or <strong>ldap_kadmind_sasl_mech</strong>.</dd>
 <dt><strong>ldap_kdc_sasl_mech</strong> and <strong>ldap_kadmind_sasl_mech</strong></dt>
 <dd>These LDAP-specific tags specify the SASL mechanism (such as
-<tt class="docutils literal"><span class="pre">EXTERNAL</span></tt>) to use when binding to the LDAP server. New in
+<code class="docutils literal"><span class="pre">EXTERNAL</span></code>) to use when binding to the LDAP server. New in
 release 1.13.</dd>
 <dt><strong>ldap_kdc_sasl_authcid</strong> and <strong>ldap_kadmind_sasl_authcid</strong></dt>
 <dd>These LDAP-specific tags specify the SASL authentication identity to use when binding to the LDAP server. Not all SASL mechanisms require an authentication identity. If the SASL mechanism
-requires a secret (such as the password for <tt class="docutils literal"><span class="pre">DIGEST-MD5</span></tt>), these
+requires a secret (such as the password for <code class="docutils literal"><span class="pre">DIGEST-MD5</span></code>), these
 tags also determine the name within the <strong>ldap_service_password_file</strong> where the secret is stashed. New in release 1.13.</dd>
@@ -525,18 +541,33 @@ where the realm objects will be located.</dd> <dd>This LDAP-specific tag indicates the list of LDAP servers that the Kerberos servers can connect to. The list of LDAP servers is whitespace-separated. The LDAP server is specified by a LDAP URI. -It is recommended to use <tt class="docutils literal"><span class="pre">ldapi:</span></tt> or <tt class="docutils literal"><span class="pre">ldaps:</span></tt> URLs to connect +It is recommended to use <code class="docutils literal"><span class="pre">ldapi:</span></code> or <code class="docutils literal"><span class="pre">ldaps:</span></code> URLs to connect to the LDAP server.</dd> <dt><strong>ldap_service_password_file</strong></dt> <dd>This LDAP-specific tag indicates the file containing the stashed -passwords (created by <tt class="docutils literal"><span class="pre">kdb5_ldap_util</span> <span class="pre">stashsrvpw</span></tt>) for the +passwords (created by <code class="docutils literal"><span class="pre">kdb5_ldap_util</span> <span class="pre">stashsrvpw</span></code>) for the <strong>ldap_kdc_dn</strong> and <strong>ldap_kadmind_dn</strong> objects, or for the <strong>ldap_kdc_sasl_authcid</strong> or <strong>ldap_kadmind_sasl_authcid</strong> names for SASL authentication. This file must be kept secure.</dd> +<dt><strong>mapsize</strong></dt> +<dd>This LMDB-specific tag indicates the maximum size of the two +database environments in megabytes. The default value is 128. +Increase this value to address “Environment mapsize limit reached” +errors. New in release 1.17.</dd> +<dt><strong>max_readers</strong></dt> +<dd>This LMDB-specific tag indicates the maximum number of concurrent +reading processes for the databases. The default value is 128. 
+New in release 1.17.</dd> +<dt><strong>nosync</strong></dt> +<dd>This LMDB-specific tag can be set to improve the throughput of +kadmind and other administrative agents, at the expense of +durability (recent database changes may not survive a power outage +or other sudden reboot). It does not affect the throughput of the +KDC. The default value is false. New in release 1.17.</dd> <dt><strong>unlockiter</strong></dt> -<dd>If set to <tt class="docutils literal"><span class="pre">true</span></tt>, this DB2-specific tag causes iteration +<dd>If set to <code class="docutils literal"><span class="pre">true</span></code>, this DB2-specific tag causes iteration operations to release the database lock while processing each -principal. Setting this flag to <tt class="docutils literal"><span class="pre">true</span></tt> can prevent extended +principal. Setting this flag to <code class="docutils literal"><span class="pre">true</span></code> can prevent extended blocking of KDC or kadmin operations when dumps of large databases are in progress. First introduced in release 1.13.</dd> </dl> 
@@ -550,14 +581,14 @@ modules. The value should be an absolute path.</dd> </div> <div class="section" id="logging"> <span id="id4"></span><h3>[logging]<a class="headerlink" href="#logging" title="Permalink to this headline">¶</a></h3> -<p>The [logging] section indicates how <a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><em>krb5kdc</em></a> and -<a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a> perform logging. It may contain the following +<p>The [logging] section indicates how <a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a> and +<a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> perform logging. It may contain the following relations:</p> <dl class="docutils"> <dt><strong>admin_server</strong></dt> -<dd>Specifies how <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a> performs logging.</dd> +<dd>Specifies how <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> performs logging.</dd> <dt><strong>kdc</strong></dt> -<dd>Specifies how <a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><em>krb5kdc</em></a> performs logging.</dd> +<dd>Specifies how <a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a> performs logging.</dd> <dt><strong>default</strong></dt> <dd>Specifies how either daemon performs logging in the absence of relations specific to the daemon.</dd> 
@@ -571,46 +602,45 @@ release 1.15.</dd> <p>Logging specifications may have the following forms:</p> <dl class="docutils"> <dt><strong>FILE=</strong><em>filename</em> or <strong>FILE:</strong><em>filename</em></dt> -<dd>This value causes the daemon’s logging messages to go to the -<em>filename</em>. If the <tt class="docutils literal"><span class="pre">=</span></tt> form is used, the file is overwritten. -If the <tt class="docutils literal"><span class="pre">:</span></tt> form is used, the file is appended to.</dd> +<dd>This value causes the daemon’s logging messages to go to the +<em>filename</em>. If the <code class="docutils literal"><span class="pre">=</span></code> form is used, the file is overwritten. +If the <code class="docutils literal"><span class="pre">:</span></code> form is used, the file is appended to.</dd> <dt><strong>STDERR</strong></dt> -<dd>This value causes the daemon’s logging messages to go to its +<dd>This value causes the daemon’s logging messages to go to its standard error stream.</dd> <dt><strong>CONSOLE</strong></dt> -<dd>This value causes the daemon’s logging messages to go to the +<dd>This value causes the daemon’s logging messages to go to the console, if the system supports it.</dd> <dt><strong>DEVICE=</strong><em><devicename></em></dt> -<dd>This causes the daemon’s logging messages to go to the specified +<dd>This causes the daemon’s logging messages to go to the specified device.</dd> <dt><strong>SYSLOG</strong>[<strong>:</strong><em>severity</em>[<strong>:</strong><em>facility</em>]]</dt> -<dd><p class="first">This causes the daemon’s logging messages to go to the system log.</p> -<p>The severity argument specifies the default severity of system log -messages. 
This may be any of the following severities supported -by the syslog(3) call, minus the <tt class="docutils literal"><span class="pre">LOG_</span></tt> prefix: <strong>EMERG</strong>, -<strong>ALERT</strong>, <strong>CRIT</strong>, <strong>ERR</strong>, <strong>WARNING</strong>, <strong>NOTICE</strong>, <strong>INFO</strong>, -and <strong>DEBUG</strong>.</p> -<p>The facility argument specifies the facility under which the +<dd><p class="first">This causes the daemon’s logging messages to go to the system log.</p> +<p>For backward compatibility, a severity argument may be specified, +and must be specified in order to specify a facility. This +argument will be ignored.</p> +<p class="last">The facility argument specifies the facility under which the messages are logged. This may be any of the following facilities supported by the syslog(3) call minus the LOG_ prefix: <strong>KERN</strong>, <strong>USER</strong>, <strong>MAIL</strong>, <strong>DAEMON</strong>, <strong>AUTH</strong>, <strong>LPR</strong>, <strong>NEWS</strong>, -<strong>UUCP</strong>, <strong>CRON</strong>, and <strong>LOCAL0</strong> through <strong>LOCAL7</strong>.</p> -<p class="last">If no severity is specified, the default is <strong>ERR</strong>. If no +<strong>UUCP</strong>, <strong>CRON</strong>, and <strong>LOCAL0</strong> through <strong>LOCAL7</strong>. 
If no facility is specified, the default is <strong>AUTH</strong>.</p> </dd> </dl> <p>In the following example, the logging messages from the KDC will go to -the console and to the system log under the facility LOG_DAEMON with -default severity of LOG_INFO; and the logging messages from the -administrative server will be appended to the file -<tt class="docutils literal"><span class="pre">/var/adm/kadmin.log</span></tt> and sent to the device <tt class="docutils literal"><span class="pre">/dev/tty04</span></tt>.</p> -<div class="highlight-python"><div class="highlight"><pre>[logging] - kdc = CONSOLE - kdc = SYSLOG:INFO:DAEMON - admin_server = FILE:/var/adm/kadmin.log - admin_server = DEVICE=/dev/tty04 +the console and to the system log under the facility LOG_DAEMON, and +the logging messages from the administrative server will be appended +to the file <code class="docutils literal"><span class="pre">/var/adm/kadmin.log</span></code> and sent to the device +<code class="docutils literal"><span class="pre">/dev/tty04</span></code>.</p> +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">logging</span><span class="p">]</span> + <span class="n">kdc</span> <span class="o">=</span> <span class="n">CONSOLE</span> + <span class="n">kdc</span> <span class="o">=</span> <span class="n">SYSLOG</span><span class="p">:</span><span class="n">INFO</span><span class="p">:</span><span class="n">DAEMON</span> + <span class="n">admin_server</span> <span class="o">=</span> <span class="n">FILE</span><span class="p">:</span><span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">adm</span><span class="o">/</span><span class="n">kadmin</span><span class="o">.</span><span class="n">log</span> + <span class="n">admin_server</span> <span class="o">=</span> <span class="n">DEVICE</span><span class="o">=/</span><span class="n">dev</span><span class="o">/</span><span class="n">tty04</span> 
</pre></div> </div> +<p>If no logging specification is given, the default is to use syslog. +To disable logging entirely, specify <code class="docutils literal"><span class="pre">default</span> <span class="pre">=</span> <span class="pre">DEVICE=/dev/null</span></code>.</p> </div> <div class="section" id="otp"> <span id="id5"></span><h3>[otp]<a class="headerlink" href="#otp" title="Permalink to this headline">¶</a></h3> @@ -623,9 +653,9 @@ One Time Password request to a RADIUS server.</p> <dd>This is the server to send the RADIUS request to. It can be a hostname with optional port, an ip address with optional port, or a Unix domain socket address. The default is -<a class="reference internal" href="../../mitK5defaults.html#paths"><em>LOCALSTATEDIR</em></a><tt class="docutils literal"><span class="pre">/krb5kdc</span></tt><tt class="docutils literal"><span class="pre">/<name>.socket</span></tt>.</dd> +<a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">LOCALSTATEDIR</span></a><code class="docutils literal"><span class="pre">/krb5kdc</span></code><code class="docutils literal"><span class="pre">/<name>.socket</span></code>.</dd> <dt><strong>secret</strong></dt> -<dd>This tag indicates a filename (which may be relative to <a class="reference internal" href="../../mitK5defaults.html#paths"><em>LOCALSTATEDIR</em></a><tt class="docutils literal"><span class="pre">/krb5kdc</span></tt>) +<dd>This tag indicates a filename (which may be relative to <a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">LOCALSTATEDIR</span></a><code class="docutils literal"><span class="pre">/krb5kdc</span></code>) containing the secret used to encrypt the RADIUS packets. The secret should appear in the first line of the file by itself; leading and trailing whitespace on the line will be removed. If 
@@ -641,16 +671,16 @@ which an OTP value remains valid for. The default is 5 seconds.</dd> <dd>This tag specifies the number of retries to make to the RADIUS server. The default is 3 retries (4 tries).</dd> <dt><strong>strip_realm</strong></dt> -<dd>If this tag is <tt class="docutils literal"><span class="pre">true</span></tt>, the principal without the realm will be +<dd>If this tag is <code class="docutils literal"><span class="pre">true</span></code>, the principal without the realm will be passed to the RADIUS server. Otherwise, the realm will be -included. The default value is <tt class="docutils literal"><span class="pre">true</span></tt>.</dd> +included. The default value is <code class="docutils literal"><span class="pre">true</span></code>.</dd> <dt><strong>indicator</strong></dt> <dd>This tag specifies an authentication indicator to be included in the ticket if this token type is used to authenticate. This option may be specified multiple times. (New in release 1.14.)</dd> </dl> <p>In the following example, requests are sent to a remote server via UDP:</p> -<div class="highlight-python"><div class="highlight"><pre>[otp] +<div class="highlight-default"><div class="highlight"><pre><span></span>[otp] MyRemoteTokenType = { server = radius.mydomain.com:1812 secret = SEmfiajf42$ 
@@ -660,14 +690,14 @@ option may be specified multiple times. (New in release 1.14.)</dd> } </pre></div> </div> -<p>An implicit default token type named <tt class="docutils literal"><span class="pre">DEFAULT</span></tt> is defined for when +<p>An implicit default token type named <code class="docutils literal"><span class="pre">DEFAULT</span></code> is defined for when the per-principal configuration does not specify a token type. Its configuration is shown below. You may override this token type to something applicable for your situation:</p> -<div class="highlight-python"><div class="highlight"><pre>[otp] - DEFAULT = { - strip_realm = false - } +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">otp</span><span class="p">]</span> + <span class="n">DEFAULT</span> <span class="o">=</span> <span class="p">{</span> + <span class="n">strip_realm</span> <span class="o">=</span> <span class="n">false</span> + <span class="p">}</span> </pre></div> </div> </div> 
@@ -684,23 +714,23 @@ realm-specific value over-rides, does not add to, a generic </div> <ol class="arabic"> <li><p class="first">realm-specific subsection of [realms]:</p> -<div class="highlight-python"><div class="highlight"><pre>[realms] - EXAMPLE.COM = { - pkinit_anchors = FILE:/usr/local/example.com.crt - } +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">realms</span><span class="p">]</span> + <span class="n">EXAMPLE</span><span class="o">.</span><span class="n">COM</span> <span class="o">=</span> <span class="p">{</span> + <span class="n">pkinit_anchors</span> <span class="o">=</span> <span class="n">FILE</span><span class="p">:</span><span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">local</span><span class="o">/</span><span class="n">example</span><span class="o">.</span><span class="n">com</span><span class="o">.</span><span class="n">crt</span> + <span class="p">}</span> </pre></div> </div> </li> <li><p class="first">generic value in the [kdcdefaults] section:</p> -<div class="highlight-python"><div class="highlight"><pre>[kdcdefaults] - pkinit_anchors = DIR:/usr/local/generic_trusted_cas/ +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">kdcdefaults</span><span class="p">]</span> + <span class="n">pkinit_anchors</span> <span class="o">=</span> <span class="n">DIR</span><span class="p">:</span><span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">local</span><span class="o">/</span><span class="n">generic_trusted_cas</span><span class="o">/</span> </pre></div> </div> </li> </ol> <p>For information about the syntax of some of these options, see -<a class="reference internal" href="krb5_conf.html#pkinit-identity"><em>Specifying PKINIT identity information</em></a> in -<a class="reference internal" href="krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a>.</p> 
+<a class="reference internal" href="krb5_conf.html#pkinit-identity"><span class="std std-ref">Specifying PKINIT identity information</span></a> in +<a class="reference internal" href="krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a>.</p> <dl class="docutils"> <dt><strong>pkinit_anchors</strong></dt> <dd>Specifies the location of trusted anchor (root) certificates which @@ -709,7 +739,7 @@ required if pkinit is to be supported by the KDC. This option may be specified multiple times.</dd> <dt><strong>pkinit_dh_min_bits</strong></dt> <dd>Specifies the minimum number of bits the KDC is willing to accept -for a client’s Diffie-Hellman key. The default is 2048.</dd> +for a client’s Diffie-Hellman key. The default is 2048.</dd> <dt><strong>pkinit_allow_upn</strong></dt> <dd><p class="first">Specifies that the KDC is willing to accept client certificates with the Microsoft UserPrincipalName (UPN) Subject Alternative @@ -717,7 +747,7 @@ Name (SAN). This means the KDC accepts the binding of the UPN in the certificate to the Kerberos principal name. The default value is false.</p> <p class="last">Without this option, the KDC will only accept certificates with -the id-pkinit-san as defined in <span class="target" id="index-0"></span><a class="rfc reference external" href="http://tools.ietf.org/html/rfc4556.html"><strong>RFC 4556</strong></a>. There is currently +the id-pkinit-san as defined in <span class="target" id="index-0"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc4556.html"><strong>RFC 4556</strong></a>. There is currently no option to disable SAN checking in the KDC.</p> </dd> <dt><strong>pkinit_eku_checking</strong></dt> 
@@ -728,7 +758,7 @@ recognized in the kdc.conf file are:</p> <dt><strong>kpClientAuth</strong></dt> <dd>This is the default value and specifies that client certificates must have the id-pkinit-KPClientAuth EKU as -defined in <span class="target" id="index-1"></span><a class="rfc reference external" href="http://tools.ietf.org/html/rfc4556.html"><strong>RFC 4556</strong></a>.</dd> +defined in <span class="target" id="index-1"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc4556.html"><strong>RFC 4556</strong></a>.</dd> <dt><strong>scLogin</strong></dt> <dd>If scLogin is specified, client certificates with the Microsoft Smart Card Login EKU (id-ms-kp-sc-logon) will be @@ -740,7 +770,7 @@ this option is not recommended.</dd> </dl> </dd> <dt><strong>pkinit_identity</strong></dt> -<dd>Specifies the location of the KDC’s X.509 identity information. +<dd>Specifies the location of the KDC’s X.509 identity information. This option is required if pkinit is to be supported by the KDC.</dd> <dt><strong>pkinit_indicator</strong></dt> <dd>Specifies an authentication indicator to include in the ticket if @@ -748,7 +778,7 @@ pkinit is used to authenticate. This option may be specified multiple times. (New in release 1.14.)</dd> <dt><strong>pkinit_pool</strong></dt> <dd>Specifies the location of intermediate certificates which may be -used by the KDC to complete the trust chain between a client’s +used by the KDC to complete the trust chain between a client’s certificate and a trusted anchor. This option may be specified multiple times.</dd> <dt><strong>pkinit_revoke</strong></dt> 
@@ -769,68 +799,54 @@ fails.</p> <p class="last"><strong>pkinit_require_crl_checking</strong> should be set to true if the policy is such that up-to-date CRLs must be present for every CA.</p> </dd> +<dt><strong>pkinit_require_freshness</strong></dt> +<dd>Specifies whether to require clients to include a freshness token +in PKINIT requests. The default value is false. (New in release +1.17.)</dd> </dl> </div> <div class="section" id="encryption-types"> <span id="id6"></span><h2>Encryption types<a class="headerlink" href="#encryption-types" title="Permalink to this headline">¶</a></h2> <p>Any tag in the configuration files which requires a list of encryption types can be set to some combination of the following strings. -Encryption types marked as “weak” are available for compatibility but -not recommended for use.</p> +Encryption types marked as “weak” and “deprecated” are available for +compatibility but not recommended for use.</p> <table border="1" class="docutils"> <colgroup> <col width="30%" /> <col width="70%" /> </colgroup> <tbody valign="top"> -<tr class="row-odd"><td>des-cbc-crc</td> -<td>DES cbc mode with CRC-32 (weak)</td> -</tr> -<tr class="row-even"><td>des-cbc-md4</td> -<td>DES cbc mode with RSA-MD4 (weak)</td> -</tr> -<tr class="row-odd"><td>des-cbc-md5</td> -<td>DES cbc mode with RSA-MD5 (weak)</td> -</tr> -<tr class="row-even"><td>des-cbc-raw</td> -<td>DES cbc mode raw (weak)</td> -</tr> <tr class="row-odd"><td>des3-cbc-raw</td> <td>Triple DES cbc mode raw (weak)</td> </tr> <tr class="row-even"><td>des3-cbc-sha1 des3-hmac-sha1 des3-cbc-sha1-kd</td> -<td>Triple DES cbc mode with HMAC/sha1</td> +<td>Triple DES cbc mode with HMAC/sha1 (deprecated)</td> </tr> -<tr class="row-odd"><td>des-hmac-sha1</td> -<td>DES with HMAC/sha1 (weak)</td> -</tr> -<tr class="row-even"><td>aes256-cts-hmac-sha1-96 aes256-cts aes256-sha1</td> +<tr class="row-odd"><td>aes256-cts-hmac-sha1-96 aes256-cts aes256-sha1</td> <td>AES-256 CTS mode with 96-bit SHA-1 HMAC</td> </tr> 
-<tr class="row-odd"><td>aes128-cts-hmac-sha1-96 aes128-cts aes128-sha1</td> +<tr class="row-even"><td>aes128-cts-hmac-sha1-96 aes128-cts aes128-sha1</td> <td>AES-128 CTS mode with 96-bit SHA-1 HMAC</td> </tr> -<tr class="row-even"><td>aes256-cts-hmac-sha384-192 aes256-sha2</td> +<tr class="row-odd"><td>aes256-cts-hmac-sha384-192 aes256-sha2</td> <td>AES-256 CTS mode with 192-bit SHA-384 HMAC</td> </tr> -<tr class="row-odd"><td>aes128-cts-hmac-sha256-128 aes128-sha2</td> +<tr class="row-even"><td>aes128-cts-hmac-sha256-128 aes128-sha2</td> <td>AES-128 CTS mode with 128-bit SHA-256 HMAC</td> </tr> -<tr class="row-even"><td>arcfour-hmac rc4-hmac arcfour-hmac-md5</td> -<td>RC4 with HMAC/MD5</td> +<tr class="row-odd"><td>arcfour-hmac rc4-hmac arcfour-hmac-md5</td> +<td>RC4 with HMAC/MD5 (deprecated)</td> </tr> -<tr class="row-odd"><td>arcfour-hmac-exp rc4-hmac-exp arcfour-hmac-md5-exp</td> +<tr class="row-even"><td>arcfour-hmac-exp rc4-hmac-exp arcfour-hmac-md5-exp</td> <td>Exportable RC4 with HMAC/MD5 (weak)</td> </tr> -<tr class="row-even"><td>camellia256-cts-cmac camellia256-cts</td> +<tr class="row-odd"><td>camellia256-cts-cmac camellia256-cts</td> <td>Camellia-256 CTS mode with CMAC</td> </tr> -<tr class="row-odd"><td>camellia128-cts-cmac camellia128-cts</td> +<tr class="row-even"><td>camellia128-cts-cmac camellia128-cts</td> <td>Camellia-128 CTS mode with CMAC</td> </tr> -<tr class="row-even"><td>des</td> -<td>The DES family: des-cbc-crc, des-cbc-md5, and des-cbc-md4 (weak)</td> -</tr> <tr class="row-odd"><td>des3</td> <td>The triple DES family: des3-cbc-sha1</td> </tr> 
@@ -847,11 +863,11 @@ not recommended for use.</p> </table> <p>The string <strong>DEFAULT</strong> can be used to refer to the default set of types for the variable in question. Types or families can be removed -from the current list by prefixing them with a minus sign (“-”). -Types or families can be prefixed with a plus sign (“+”) for symmetry; +from the current list by prefixing them with a minus sign (“-“). +Types or families can be prefixed with a plus sign (“+”) for symmetry; it has the same meaning as just listing the type or family. For -example, “<tt class="docutils literal"><span class="pre">DEFAULT</span> <span class="pre">-des</span></tt>” would be the default set of encryption -types with DES types removed, and “<tt class="docutils literal"><span class="pre">des3</span> <span class="pre">DEFAULT</span></tt>” would be the +example, “<code class="docutils literal"><span class="pre">DEFAULT</span> <span class="pre">-rc4</span></code>” would be the default set of encryption +types with RC4 types removed, and “<code class="docutils literal"><span class="pre">des3</span> <span class="pre">DEFAULT</span></code>” would be the default set of encryption types with triple DES types moved to the front.</p> <p>While <strong>aes128-cts</strong> and <strong>aes256-cts</strong> are supported for all Kerberos 
@@ -868,11 +884,11 @@ encryption types in the KDC database.</p> <span id="id7"></span><h2>Keysalt lists<a class="headerlink" href="#keysalt-lists" title="Permalink to this headline">¶</a></h2> <p>Kerberos keys for users are usually derived from passwords. Kerberos commands and configuration parameters that affect generation of keys -take lists of enctype-salttype (“keysalt”) pairs, known as <em>keysalt +take lists of enctype-salttype (“keysalt”) pairs, known as <em>keysalt lists</em>. Each keysalt pair is an enctype name followed by a salttype name, in the format <em>enc</em>:<em>salt</em>. Individual keysalt list members are -separated by comma (”,”) characters or space characters. For example:</p> -<div class="highlight-python"><div class="highlight"><pre>kadmin -e aes256-cts:normal,aes128-cts:normal +separated by comma (“,”) characters or space characters. For example:</p> +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kadmin</span> <span class="o">-</span><span class="n">e</span> <span class="n">aes256</span><span class="o">-</span><span class="n">cts</span><span class="p">:</span><span class="n">normal</span><span class="p">,</span><span class="n">aes128</span><span class="o">-</span><span class="n">cts</span><span class="p">:</span><span class="n">normal</span> </pre></div> </div> <p>would start up kadmin so that by default it would generate 
@@ -884,25 +900,19 @@ using something called a salt. The supported salt types are as follows:</p> <table border="1" class="docutils"> <colgroup> -<col width="21%" /> -<col width="79%" /> +<col width="25%" /> +<col width="75%" /> </colgroup> <tbody valign="top"> <tr class="row-odd"><td>normal</td> <td>default for Kerberos Version 5</td> </tr> -<tr class="row-even"><td>v4</td> -<td>the only type used by Kerberos Version 4 (no salt)</td> -</tr> -<tr class="row-odd"><td>norealm</td> +<tr class="row-even"><td>norealm</td> <td>same as the default, without using realm information</td> </tr> -<tr class="row-even"><td>onlyrealm</td> +<tr class="row-odd"><td>onlyrealm</td> <td>uses only realm information as the salt</td> </tr> -<tr class="row-odd"><td>afs3</td> -<td>AFS version 3, only used for compatibility with Kerberos 4 in AFS</td> -</tr> <tr class="row-even"><td>special</td> <td>generate a random salt</td> </tr> 
@@ -911,51 +921,51 @@ follows:</p> </div> <div class="section" id="sample-kdc-conf-file"> <h2>Sample kdc.conf File<a class="headerlink" href="#sample-kdc-conf-file" title="Permalink to this headline">¶</a></h2> -<p>Here’s an example of a kdc.conf file:</p> -<div class="highlight-python"><div class="highlight"><pre>[kdcdefaults] - kdc_listen = 88 - kdc_tcp_listen = 88 -[realms] - ATHENA.MIT.EDU = { - kadmind_port = 749 - max_life = 12h 0m 0s - max_renewable_life = 7d 0h 0m 0s - master_key_type = aes256-cts-hmac-sha1-96 - supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal - database_module = openldap_ldapconf - } +<p>Here’s an example of a kdc.conf file:</p> +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">kdcdefaults</span><span class="p">]</span> + <span class="n">kdc_listen</span> <span class="o">=</span> <span class="mi">88</span> + <span class="n">kdc_tcp_listen</span> <span class="o">=</span> <span class="mi">88</span> +<span class="p">[</span><span class="n">realms</span><span class="p">]</span> + <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="o">=</span> <span class="p">{</span> + <span class="n">kadmind_port</span> <span class="o">=</span> <span class="mi">749</span> + <span class="n">max_life</span> <span class="o">=</span> <span class="mi">12</span><span class="n">h</span> <span class="mi">0</span><span class="n">m</span> <span class="mi">0</span><span class="n">s</span> + <span class="n">max_renewable_life</span> <span class="o">=</span> <span class="mi">7</span><span class="n">d</span> <span class="mi">0</span><span class="n">h</span> <span class="mi">0</span><span class="n">m</span> <span class="mi">0</span><span class="n">s</span> + <span class="n">master_key_type</span> <span class="o">=</span> <span class="n">aes256</span><span class="o">-</span><span 
class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span> + <span class="n">supported_enctypes</span> <span class="o">=</span> <span class="n">aes256</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span><span class="p">:</span><span class="n">normal</span> <span class="n">aes128</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span><span class="p">:</span><span class="n">normal</span> + <span class="n">database_module</span> <span class="o">=</span> <span class="n">openldap_ldapconf</span> + <span class="p">}</span> -[logging] - kdc = FILE:/usr/local/var/krb5kdc/kdc.log - admin_server = FILE:/usr/local/var/krb5kdc/kadmin.log +<span class="p">[</span><span class="n">logging</span><span class="p">]</span> + <span class="n">kdc</span> <span class="o">=</span> <span class="n">FILE</span><span class="p">:</span><span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">local</span><span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">krb5kdc</span><span class="o">/</span><span class="n">kdc</span><span class="o">.</span><span class="n">log</span> + <span class="n">admin_server</span> <span class="o">=</span> <span class="n">FILE</span><span class="p">:</span><span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">local</span><span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">krb5kdc</span><span class="o">/</span><span class="n">kadmin</span><span class="o">.</span><span class="n">log</span> -[dbdefaults] - 
ldap_kerberos_container_dn = cn=krbcontainer,dc=mit,dc=edu +<span class="p">[</span><span class="n">dbdefaults</span><span class="p">]</span> + <span class="n">ldap_kerberos_container_dn</span> <span class="o">=</span> <span class="n">cn</span><span class="o">=</span><span class="n">krbcontainer</span><span class="p">,</span><span class="n">dc</span><span class="o">=</span><span class="n">mit</span><span class="p">,</span><span class="n">dc</span><span class="o">=</span><span class="n">edu</span> -[dbmodules] - openldap_ldapconf = { - db_library = kldap - disable_last_success = true - ldap_kdc_dn = "cn=krbadmin,dc=mit,dc=edu" - # this object needs to have read rights on - # the realm container and principal subtrees - ldap_kadmind_dn = "cn=krbadmin,dc=mit,dc=edu" - # this object needs to have read and write rights on - # the realm container and principal subtrees - ldap_service_password_file = /etc/kerberos/service.keyfile - ldap_servers = ldaps://kerberos.mit.edu - ldap_conns_per_server = 5 - } +<span class="p">[</span><span class="n">dbmodules</span><span class="p">]</span> + <span class="n">openldap_ldapconf</span> <span class="o">=</span> <span class="p">{</span> + <span class="n">db_library</span> <span class="o">=</span> <span class="n">kldap</span> + <span class="n">disable_last_success</span> <span class="o">=</span> <span class="n">true</span> + <span class="n">ldap_kdc_dn</span> <span class="o">=</span> <span class="s2">"cn=krbadmin,dc=mit,dc=edu"</span> + <span class="c1"># this object needs to have read rights on</span> + <span class="c1"># the realm container and principal subtrees</span> + <span class="n">ldap_kadmind_dn</span> <span class="o">=</span> <span class="s2">"cn=krbadmin,dc=mit,dc=edu"</span> + <span class="c1"># this object needs to have read and write rights on</span> + <span class="c1"># the realm container and principal subtrees</span> + <span class="n">ldap_service_password_file</span> <span class="o">=</span> <span 
class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">kerberos</span><span class="o">/</span><span class="n">service</span><span class="o">.</span><span class="n">keyfile</span> + <span class="n">ldap_servers</span> <span class="o">=</span> <span class="n">ldaps</span><span class="p">:</span><span class="o">//</span><span class="n">kerberos</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> + <span class="n">ldap_conns_per_server</span> <span class="o">=</span> <span class="mi">5</span> + <span class="p">}</span> </pre></div> </div> </div> <div class="section" id="files"> <h2>FILES<a class="headerlink" href="#files" title="Permalink to this headline">¶</a></h2> -<p><a class="reference internal" href="../../mitK5defaults.html#paths"><em>LOCALSTATEDIR</em></a><tt class="docutils literal"><span class="pre">/krb5kdc</span></tt><tt class="docutils literal"><span class="pre">/kdc.conf</span></tt></p> +<p><a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">LOCALSTATEDIR</span></a><code class="docutils literal"><span class="pre">/krb5kdc</span></code><code class="docutils literal"><span class="pre">/kdc.conf</span></code></p> </div> <div class="section" id="see-also"> <h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2> -<p><a class="reference internal" href="krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a>, <a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><em>krb5kdc</em></a>, <a class="reference internal" href="kadm5_acl.html#kadm5-acl-5"><em>kadm5.acl</em></a></p> +<p><a class="reference internal" href="krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a>, <a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a>, <a class="reference internal" href="kadm5_acl.html#kadm5-acl-5"><span 
class="std std-ref">kadm5.acl</span></a></p> </div> </div> @@ -996,12 +1006,13 @@ follows:</p> <li class="toctree-l2"><a class="reference internal" href="../install.html">Installation guide</a></li> <li class="toctree-l2 current"><a class="reference internal" href="index.html">Configuration Files</a><ul class="current"> <li class="toctree-l3"><a class="reference internal" href="krb5_conf.html">krb5.conf</a></li> -<li class="toctree-l3 current"><a class="current reference internal" href="">kdc.conf</a></li> +<li class="toctree-l3 current"><a class="current reference internal" href="#">kdc.conf</a></li> <li class="toctree-l3"><a class="reference internal" href="kadm5_acl.html">kadm5.acl</a></li> </ul> </li> <li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li> <li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li> +<li class="toctree-l2"><a class="reference internal" href="../dbtypes.html">Database types</a></li> <li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li> <li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li> <li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li> 
@@ -1009,6 +1020,8 @@ follows:</p> <li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li> <li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li> <li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li> +<li class="toctree-l2"><a class="reference internal" href="../spake.html">SPAKE Preauthentication</a></li> +<li class="toctree-l2"><a class="reference internal" href="../dictionary.html">Addressing dictionary attack risks</a></li> <li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li> <li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li> <li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li> @@ -1048,8 +1061,8 @@ follows:</p> <div class="footer-wrapper"> <div class="footer" > - <div class="right" ><i>Release: 1.16</i><br /> - © <a href="../../copyright.html">Copyright</a> 1985-2017, MIT. + <div class="right" ><i>Release: 1.21.1</i><br /> + © <a href="../../copyright.html">Copyright</a> 1985-2023, MIT. </div> <div class="left"> diff --git a/doc/html/admin/conf_files/krb5_conf.html b/doc/html/admin/conf_files/krb5_conf.html index 70144fa0bde9..ce99234d2cc8 100644 --- a/doc/html/admin/conf_files/krb5_conf.html +++ b/doc/html/admin/conf_files/krb5_conf.html 
@@ -1,33 +1,31 @@ + <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> - <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> - - <title>krb5.conf — MIT Kerberos Documentation</title> - + <title>krb5.conf — MIT Kerberos Documentation</title> <link rel="stylesheet" href="../../_static/agogo.css" type="text/css" /> <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" /> <link rel="stylesheet" href="../../_static/kerb.css" type="text/css" /> - <script type="text/javascript"> var DOCUMENTATION_OPTIONS = { URL_ROOT: '../../', - VERSION: '1.16', + VERSION: '1.21.1', COLLAPSE_INDEX: false, FILE_SUFFIX: '.html', - HAS_SOURCE: true + HAS_SOURCE: true, + SOURCELINK_SUFFIX: '.txt' }; </script> <script type="text/javascript" src="../../_static/jquery.js"></script> <script type="text/javascript" src="../../_static/underscore.js"></script> <script type="text/javascript" src="../../_static/doctools.js"></script> <link rel="author" title="About these documents" href="../../about.html" /> + <link rel="index" title="Index" href="../../genindex.html" /> + <link rel="search" title="Search" href="../../search.html" /> <link rel="copyright" title="Copyright" href="../../copyright.html" /> - <link rel="top" title="MIT Kerberos Documentation" href="../../index.html" /> - <link rel="up" title="Configuration Files" href="index.html" /> <link rel="next" title="kdc.conf" href="kdc_conf.html" /> <link rel="prev" title="Configuration Files" href="index.html" /> </head> @@ -61,7 +59,7 @@ <div class="documentwrapper"> <div class="bodywrapper"> - <div class="body"> + <div class="body" role="main"> <div class="section" id="krb5-conf"> <span id="krb5-conf-5"></span><h1>krb5.conf<a class="headerlink" href="#krb5-conf" title="Permalink to this headline">¶</a></h1> 
@@ -70,7 +68,7 @@ including the locations of KDCs and admin servers for the Kerberos realms of interest, defaults for the current realm and for Kerberos applications, and mappings of hostnames onto Kerberos realms. Normally, you should install your krb5.conf file in the directory -<tt class="docutils literal"><span class="pre">/etc</span></tt>. You can override the default location by setting the +<code class="docutils literal"><span class="pre">/etc</span></code>. You can override the default location by setting the environment variable <strong>KRB5_CONFIG</strong>. Multiple colon-separated filenames may be specified in <strong>KRB5_CONFIG</strong>; all files which are present will be read. Starting in release 1.14, directory names can 
@@ -80,53 +78,52 @@ underscores will be read.</p> <div class="section" id="structure"> <h2>Structure<a class="headerlink" href="#structure" title="Permalink to this headline">¶</a></h2> <p>The krb5.conf file is set up in the style of a Windows INI file. -Sections are headed by the section name, in square brackets. Each -section may contain zero or more relations, of the form:</p> -<div class="highlight-python"><div class="highlight"><pre><span class="n">foo</span> <span class="o">=</span> <span class="n">bar</span> +Lines beginning with ‘#’ or ‘;’ (possibly after initial whitespace) +are ignored as comments. Sections are headed by the section name, in +square brackets. Each section may contain zero or more relations, of +the form:</p> +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">foo</span> <span class="o">=</span> <span class="n">bar</span> </pre></div> </div> <p>or:</p> -<div class="highlight-python"><div class="highlight"><pre>fubar = { - foo = bar - baz = quux -} -</pre></div> -</div> -<p>Placing a ‘*’ at the end of a line indicates that this is the <em>final</em> -value for the tag. 
This means that neither the remainder of this -configuration file nor any other configuration file will be checked -for any other values for this tag.</p> -<p>For example, if you have the following lines:</p> -<div class="highlight-python"><div class="highlight"><pre>foo = bar* -foo = baz +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">fubar</span> <span class="o">=</span> <span class="p">{</span> + <span class="n">foo</span> <span class="o">=</span> <span class="n">bar</span> + <span class="n">baz</span> <span class="o">=</span> <span class="n">quux</span> +<span class="p">}</span> </pre></div> </div> -<p>then the second value of <tt class="docutils literal"><span class="pre">foo</span></tt> (<tt class="docutils literal"><span class="pre">baz</span></tt>) would never be read.</p> +<p>Placing a ‘*’ after the closing bracket of a section name indicates +that the section is <em>final</em>, meaning that if the same section appears +within a later file specified in <strong>KRB5_CONFIG</strong>, it will be ignored. +A subsection can be marked as final by placing a ‘*’ after either the +tag name or the closing brace.</p> <p>The krb5.conf file can include other files using either of the following directives at the beginning of a line:</p> -<div class="highlight-python"><div class="highlight"><pre>include FILENAME -includedir DIRNAME +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">include</span> <span class="n">FILENAME</span> +<span class="n">includedir</span> <span class="n">DIRNAME</span> </pre></div> </div> <p><em>FILENAME</em> or <em>DIRNAME</em> should be an absolute path. The named file or directory must exist and be readable. Including a directory includes all files within the directory whose names consist solely of alphanumeric characters, dashes, or underscores. Starting in release -1.15, files with names ending in ”.conf” are also included, unless the -name begins with ”.”. 
Included profile files are syntactically +1.15, files with names ending in “.conf” are also included, unless the +name begins with “.”. Included profile files are syntactically independent of their parents, so each included file must begin with a -section header.</p> +section header. Starting in release 1.17, files are read in +alphanumeric order; in previous releases, they may be read in any +order.</p> <p>The krb5.conf file can specify that configuration should be obtained from a loadable module, rather than the file itself, using the following directive at the beginning of a line before any section headers:</p> -<div class="highlight-python"><div class="highlight"><pre>module MODULEPATH:RESIDUAL +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">module</span> <span class="n">MODULEPATH</span><span class="p">:</span><span class="n">RESIDUAL</span> </pre></div> </div> <p><em>MODULEPATH</em> may be relative to the library path of the krb5 installation, or it may be an absolute path. <em>RESIDUAL</em> is provided to the module at initialization time. If krb5.conf uses a module -directive, <a class="reference internal" href="kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> should also use one if it exists.</p> +directive, <a class="reference internal" href="kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a> should also use one if it exists.</p> </div> <div class="section" id="sections"> <h2>Sections<a class="headerlink" href="#sections" title="Permalink to this headline">¶</a></h2> 
@@ -137,48 +134,48 @@ directive, <a class="reference internal" href="kdc_conf.html#kdc-conf-5"><em>kdc <col width="74%" /> </colgroup> <tbody valign="top"> -<tr class="row-odd"><td><a class="reference internal" href="#libdefaults"><em>[libdefaults]</em></a></td> +<tr class="row-odd"><td><a class="reference internal" href="#libdefaults"><span class="std std-ref">[libdefaults]</span></a></td> <td>Settings used by the Kerberos V5 library</td> </tr> -<tr class="row-even"><td><a class="reference internal" href="#realms"><em>[realms]</em></a></td> +<tr class="row-even"><td><a class="reference internal" href="#realms"><span class="std std-ref">[realms]</span></a></td> <td>Realm-specific contact information and settings</td> </tr> -<tr class="row-odd"><td><a class="reference internal" href="#domain-realm"><em>[domain_realm]</em></a></td> +<tr class="row-odd"><td><a class="reference internal" href="#domain-realm"><span class="std std-ref">[domain_realm]</span></a></td> <td>Maps server hostnames to Kerberos realms</td> </tr> -<tr class="row-even"><td><a class="reference internal" href="#capaths"><em>[capaths]</em></a></td> +<tr class="row-even"><td><a class="reference internal" href="#capaths"><span class="std std-ref">[capaths]</span></a></td> <td>Authentication paths for non-hierarchical cross-realm</td> </tr> -<tr class="row-odd"><td><a class="reference internal" href="#appdefaults"><em>[appdefaults]</em></a></td> +<tr class="row-odd"><td><a class="reference internal" href="#appdefaults"><span class="std std-ref">[appdefaults]</span></a></td> <td>Settings used by some Kerberos V5 applications</td> </tr> -<tr class="row-even"><td><a class="reference internal" href="#plugins"><em>[plugins]</em></a></td> +<tr class="row-even"><td><a class="reference internal" href="#plugins"><span class="std std-ref">[plugins]</span></a></td> <td>Controls plugin module registration</td> </tr> </tbody> </table> <p>Additionally, krb5.conf may include any of the relations described in -<a 
class="reference internal" href="kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>, but it is not a recommended practice.</p> +<a class="reference internal" href="kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>, but it is not a recommended practice.</p> <div class="section" id="libdefaults"> <span id="id1"></span><h3>[libdefaults]<a class="headerlink" href="#libdefaults" title="Permalink to this headline">¶</a></h3> <p>The libdefaults section may contain any of the following relations:</p> <dl class="docutils"> +<dt><strong>allow_des3</strong></dt> +<dd>Permit the KDC to issue tickets with des3-cbc-sha1 session keys. +In future releases, this flag will allow des3-cbc-sha1 to be used +at all. The default value for this tag is false. (Added in +release 1.21.)</dd> +<dt><strong>allow_rc4</strong></dt> +<dd>Permit the KDC to issue tickets with arcfour-hmac session keys. +In future releases, this flag will allow arcfour-hmac to be used +at all. The default value for this tag is false. (Added in +release 1.21.)</dd> <dt><strong>allow_weak_crypto</strong></dt> <dd>If this flag is set to false, then weak encryption types (as noted -in <a class="reference internal" href="kdc_conf.html#encryption-types"><em>Encryption types</em></a> in <a class="reference internal" href="kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>) will be filtered +in <a class="reference internal" href="kdc_conf.html#encryption-types"><span class="std std-ref">Encryption types</span></a> in <a class="reference internal" href="kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>) will be filtered out of the lists <strong>default_tgs_enctypes</strong>, <strong>default_tkt_enctypes</strong>, and <strong>permitted_enctypes</strong>. The default -value for this tag is false, which may cause authentication -failures in existing Kerberos infrastructures that do not support -strong crypto. 
Users in affected environments should set this tag -to true until their infrastructure adopts stronger ciphers.</dd> -<dt><strong>ap_req_checksum_type</strong></dt> -<dd>An integer which specifies the type of AP-REQ checksum to use in -authenticators. This variable should be unset so the appropriate -checksum for the encryption key in use will be used. This can be -set if backward compatibility requires a specific checksum type. -See the <strong>kdc_req_checksum_type</strong> configuration option for the -possible values and their meanings.</dd> +value for this tag is false.</dd> <dt><strong>canonicalize</strong></dt> <dd>If this flag is set to true, initial ticket requests to the KDC will request canonicalization of the client principal name, and @@ -186,7 +183,7 @@ answers with different client principals than the requested principal will be accepted. The default value is false.</dd> <dt><strong>ccache_type</strong></dt> <dd>This parameter determines the format of credential cache types -created by <a class="reference internal" href="../../user/user_commands/kinit.html#kinit-1"><em>kinit</em></a> or other programs. The default value +created by <a class="reference internal" href="../../user/user_commands/kinit.html#kinit-1"><span class="std std-ref">kinit</span></a> or other programs. The default value is 4, which represents the most current format. Smaller values can be used for compatibility with very old implementations of Kerberos which interact with credential caches on the same host.</dd> 
@@ -202,31 +199,36 @@ duration than the <strong>clockskew</strong> setting.</p> </dd> <dt><strong>default_ccache_name</strong></dt> <dd>This relation specifies the name of the default credential cache. -The default is <a class="reference internal" href="../../mitK5defaults.html#paths"><em>DEFCCNAME</em></a>. This relation is subject to parameter +The default is <a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">DEFCCNAME</span></a>. This relation is subject to parameter expansion (see below). New in release 1.11.</dd> <dt><strong>default_client_keytab_name</strong></dt> <dd>This relation specifies the name of the default keytab for -obtaining client credentials. The default is <a class="reference internal" href="../../mitK5defaults.html#paths"><em>DEFCKTNAME</em></a>. This +obtaining client credentials. The default is <a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">DEFCKTNAME</span></a>. This relation is subject to parameter expansion (see below). New in release 1.11.</dd> <dt><strong>default_keytab_name</strong></dt> <dd>This relation specifies the default keytab name to be used by -application servers such as sshd. The default is <a class="reference internal" href="../../mitK5defaults.html#paths"><em>DEFKTNAME</em></a>. This +application servers such as sshd. The default is <a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">DEFKTNAME</span></a>. This relation is subject to parameter expansion (see below).</dd> +<dt><strong>default_rcache_name</strong></dt> +<dd>This relation specifies the name of the default replay cache. +The default is <code class="docutils literal"><span class="pre">dfl:</span></code>. This relation is subject to parameter +expansion (see below). New in release 1.18.</dd> <dt><strong>default_realm</strong></dt> <dd>Identifies the default Kerberos realm for the client. Set its value to your Kerberos realm. 
If this value is not set, then a realm must be specified with every Kerberos principal when -invoking programs such as <a class="reference internal" href="../../user/user_commands/kinit.html#kinit-1"><em>kinit</em></a>.</dd> +invoking programs such as <a class="reference internal" href="../../user/user_commands/kinit.html#kinit-1"><span class="std std-ref">kinit</span></a>.</dd> <dt><strong>default_tgs_enctypes</strong></dt> <dd><p class="first">Identifies the supported list of session key encryption types that the client should request when making a TGS-REQ, in order of preference from highest to lowest. The list may be delimited with -commas or whitespace. See <a class="reference internal" href="kdc_conf.html#encryption-types"><em>Encryption types</em></a> in -<a class="reference internal" href="kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> for a list of the accepted values for this tag. -The default value is <tt class="docutils literal"><span class="pre">aes256-cts-hmac-sha1-96</span> <span class="pre">aes128-cts-hmac-sha1-96</span> <span class="pre">aes256-cts-hmac-sha384-192</span> <span class="pre">aes128-cts-hmac-sha256-128</span> <span class="pre">des3-cbc-sha1</span> <span class="pre">arcfour-hmac-md5</span> <span class="pre">camellia256-cts-cmac</span> <span class="pre">camellia128-cts-cmac</span> <span class="pre">des-cbc-crc</span> <span class="pre">des-cbc-md5</span> <span class="pre">des-cbc-md4</span></tt>, but single-DES encryption types -will be implicitly removed from this list if the value of -<strong>allow_weak_crypto</strong> is false.</p> +commas or whitespace. See <a class="reference internal" href="kdc_conf.html#encryption-types"><span class="std std-ref">Encryption types</span></a> in +<a class="reference internal" href="kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a> for a list of the accepted values for this tag. +Starting in release 1.18, the default value is the value of +<strong>permitted_enctypes</strong>. 
For previous releases or if +<strong>permitted_enctypes</strong> is not set, the default value is +<code class="docutils literal"><span class="pre">aes256-cts-hmac-sha1-96</span> <span class="pre">aes128-cts-hmac-sha1-96</span> <span class="pre">aes256-cts-hmac-sha384-192</span> <span class="pre">aes128-cts-hmac-sha256-128</span> <span class="pre">des3-cbc-sha1</span> <span class="pre">arcfour-hmac-md5</span> <span class="pre">camellia256-cts-cmac</span> <span class="pre">camellia128-cts-cmac</span></code>.</p> <p class="last">Do not set this unless required for specific backward compatibility purposes; stale values of this setting can prevent clients from taking advantage of new stronger enctypes when the 
@@ -236,10 +238,10 @@ libraries are upgraded.</p> <dd><p class="first">Identifies the supported list of session key encryption types that the client should request when making an AS-REQ, in order of preference from highest to lowest. The format is the same as for -default_tgs_enctypes. The default value for this tag is -<tt class="docutils literal"><span class="pre">aes256-cts-hmac-sha1-96</span> <span class="pre">aes128-cts-hmac-sha1-96</span> <span class="pre">aes256-cts-hmac-sha384-192</span> <span class="pre">aes128-cts-hmac-sha256-128</span> <span class="pre">des3-cbc-sha1</span> <span class="pre">arcfour-hmac-md5</span> <span class="pre">camellia256-cts-cmac</span> <span class="pre">camellia128-cts-cmac</span> <span class="pre">des-cbc-crc</span> <span class="pre">des-cbc-md5</span> <span class="pre">des-cbc-md4</span></tt>, but single-DES encryption types will be implicitly -removed from this list if the value of <strong>allow_weak_crypto</strong> is -false.</p> +default_tgs_enctypes. Starting in release 1.18, the default +value is the value of <strong>permitted_enctypes</strong>. For previous +releases or if <strong>permitted_enctypes</strong> is not set, the default +value is <code class="docutils literal"><span class="pre">aes256-cts-hmac-sha1-96</span> <span class="pre">aes128-cts-hmac-sha1-96</span> <span class="pre">aes256-cts-hmac-sha384-192</span> <span class="pre">aes128-cts-hmac-sha256-128</span> <span class="pre">des3-cbc-sha1</span> <span class="pre">arcfour-hmac-md5</span> <span class="pre">camellia256-cts-cmac</span> <span class="pre">camellia128-cts-cmac</span></code>.</p> <p class="last">Do not set this unless required for specific backward compatibility purposes; stale values of this setting can prevent clients from taking advantage of new stronger enctypes when the 
@@ -250,7 +252,10 @@ libraries are upgraded.</p> hostnames for use in service principal names. Setting this flag to false can improve security by reducing reliance on DNS, but means that short hostnames will not be canonicalized to -fully-qualified hostnames. The default value is true.</dd> +fully-qualified hostnames. If this option is set to <code class="docutils literal"><span class="pre">fallback</span></code> (new +in release 1.18), DNS canonicalization will only be performed the +server hostname is not found with the original name when +requesting credentials. The default value is true.</dd> <dt><strong>dns_lookup_kdc</strong></dt> <dd><p class="first">Indicate whether DNS SRV records should be used to locate the KDCs and other servers for a realm, if they are not listed in the @@ -260,11 +265,11 @@ contact kadmind, because the DNS implementation for kadmin is incomplete.)</p> <p class="last">Enabling this option does open up a type of denial-of-service attack, if someone spoofs the DNS records and redirects you to -another server. However, it’s no worse than a denial of service, +another server. However, it’s no worse than a denial of service, because that fake KDC will be unable to decode anything you send it (besides the initial ticket request, which has no encrypted data), and anything the fake KDC sends will not be trusted without -verification using some secret that it won’t know.</p> +verification using some secret that it won’t know.</p> </dd> <dt><strong>dns_uri_lookup</strong></dt> <dd>Indicate whether DNS URI records should be used to locate the KDCs 
@@ -272,6 +277,12 @@ and other servers for a realm, if they are not listed in the krb5.conf information for the realm. SRV records are used as a fallback if no URI records were found. The default value is true. New in release 1.15.</dd> +<dt><strong>enforce_ok_as_delegate</strong></dt> +<dd>If this flag to true, GSSAPI credential delegation will be +disabled when the <code class="docutils literal"><span class="pre">ok-as-delegate</span></code> flag is not set in the +service ticket. If this flag is false, the <code class="docutils literal"><span class="pre">ok-as-delegate</span></code> +ticket flag is only enforced when an application specifically +requests enforcement. The default value is false.</dd> <dt><strong>err_fmt</strong></dt> <dd>This relation allows for custom error message formatting. If a value is set, error messages will be formatted by substituting a 
@@ -295,30 +306,30 @@ flexibility of server applications on multihomed hosts, but could compromise the security of virtual hosting environments. The default value is false. New in release 1.10.</dd> <dt><strong>k5login_authoritative</strong></dt> -<dd>If this flag is true, principals must be listed in a local user’s -k5login file to be granted login access, if a <a class="reference internal" href="../../user/user_config/k5login.html#k5login-5"><em>.k5login</em></a> +<dd>If this flag is true, principals must be listed in a local user’s +k5login file to be granted login access, if a <a class="reference internal" href="../../user/user_config/k5login.html#k5login-5"><span class="std std-ref">.k5login</span></a> file exists. If this flag is false, a principal may still be granted login access through other mechanisms even if a k5login file exists but does not list the principal. The default value is true.</dd> <dt><strong>k5login_directory</strong></dt> -<dd>If set, the library will look for a local user’s k5login file +<dd>If set, the library will look for a local user’s k5login file within the named directory, with a filename corresponding to the local username. If not set, the library will look for k5login -files in the user’s home directory, with the filename .k5login. +files in the user’s home directory, with the filename .k5login. For security reasons, .k5login files must be owned by the local user or by root.</dd> <dt><strong>kcm_mach_service</strong></dt> <dd>On macOS only, determines the name of the bootstrap service used to contact the KCM daemon for the KCM credential cache type. If the -value is <tt class="docutils literal"><span class="pre">-</span></tt>, Mach RPC will not be used to contact the KCM -daemon. The default value is <tt class="docutils literal"><span class="pre">org.h5l.kcm</span></tt>.</dd> +value is <code class="docutils literal"><span class="pre">-</span></code>, Mach RPC will not be used to contact the KCM +daemon. 
The default value is <code class="docutils literal"><span class="pre">org.h5l.kcm</span></code>.</dd> <dt><strong>kcm_socket</strong></dt> <dd>Determines the path to the Unix domain socket used to access the KCM daemon for the KCM credential cache type. If the value is -<tt class="docutils literal"><span class="pre">-</span></tt>, Unix domain sockets will not be used to contact the KCM +<code class="docutils literal"><span class="pre">-</span></code>, Unix domain sockets will not be used to contact the KCM daemon. The default value is -<tt class="docutils literal"><span class="pre">/var/run/.heim_org.h5l.kcm-socket</span></tt>.</dd> +<code class="docutils literal"><span class="pre">/var/run/.heim_org.h5l.kcm-socket</span></code>.</dd> <dt><strong>kdc_default_options</strong></dt> <dd>Default KDC options (Xored for multiple values) when requesting initial tickets. By default it is set to 0x00000010 
@@ -331,97 +342,84 @@ use this value to correct for an inaccurate system clock when requesting service tickets or authenticating to services. This corrective factor is only used by the Kerberos library; it is not used to change the system clock. The default value is 1.</dd> -<dt><strong>kdc_req_checksum_type</strong></dt> -<dd><p class="first">An integer which specifies the type of checksum to use for the KDC -requests, for compatibility with very old KDC implementations. -This value is only used for DES keys; other keys use the preferred -checksum type for those keys.</p> -<p>The possible values and their meanings are as follows.</p> -<table border="1" class="last docutils"> -<colgroup> -<col width="20%" /> -<col width="80%" /> -</colgroup> -<tbody valign="top"> -<tr class="row-odd"><td>1</td> -<td>CRC32</td> -</tr> -<tr class="row-even"><td>2</td> -<td>RSA MD4</td> -</tr> -<tr class="row-odd"><td>3</td> -<td>RSA MD4 DES</td> -</tr> -<tr class="row-even"><td>4</td> -<td>DES CBC</td> -</tr> -<tr class="row-odd"><td>7</td> -<td>RSA MD5</td> -</tr> -<tr class="row-even"><td>8</td> -<td>RSA MD5 DES</td> -</tr> -<tr class="row-odd"><td>9</td> -<td>NIST SHA</td> -</tr> -<tr class="row-even"><td>12</td> -<td>HMAC SHA1 DES3</td> -</tr> -<tr class="row-odd"><td>-138</td> -<td>Microsoft MD5 HMAC checksum type</td> -</tr> -</tbody> -</table> -</dd> <dt><strong>noaddresses</strong></dt> <dd>If this flag is true, requests for initial tickets will not be made with address restrictions set, allowing the tickets to be used across NATs. The default value is true.</dd> <dt><strong>permitted_enctypes</strong></dt> -<dd>Identifies all encryption types that are permitted for use in -session key encryption. 
The default value for this tag is -<tt class="docutils literal"><span class="pre">aes256-cts-hmac-sha1-96</span> <span class="pre">aes128-cts-hmac-sha1-96</span> <span class="pre">aes256-cts-hmac-sha384-192</span> <span class="pre">aes128-cts-hmac-sha256-128</span> <span class="pre">des3-cbc-sha1</span> <span class="pre">arcfour-hmac-md5</span> <span class="pre">camellia256-cts-cmac</span> <span class="pre">camellia128-cts-cmac</span> <span class="pre">des-cbc-crc</span> <span class="pre">des-cbc-md5</span> <span class="pre">des-cbc-md4</span></tt>, but single-DES encryption types will be implicitly -removed from this list if the value of <strong>allow_weak_crypto</strong> is -false.</dd> +<dd>Identifies the encryption types that servers will permit for +session keys and for ticket and authenticator encryption, ordered +by preference from highest to lowest. Starting in release 1.18, +this tag also acts as the default value for +<strong>default_tgs_enctypes</strong> and <strong>default_tkt_enctypes</strong>. The +default value for this tag is <code class="docutils literal"><span class="pre">aes256-cts-hmac-sha1-96</span> <span class="pre">aes128-cts-hmac-sha1-96</span> <span class="pre">aes256-cts-hmac-sha384-192</span> <span class="pre">aes128-cts-hmac-sha256-128</span> <span class="pre">des3-cbc-sha1</span> <span class="pre">arcfour-hmac-md5</span> <span class="pre">camellia256-cts-cmac</span> <span class="pre">camellia128-cts-cmac</span></code>.</dd> <dt><strong>plugin_base_dir</strong></dt> <dd>If set, determines the base directory where krb5 plugins are -located. The default value is the <tt class="docutils literal"><span class="pre">krb5/plugins</span></tt> subdirectory -of the krb5 library directory.</dd> +located. The default value is the <code class="docutils literal"><span class="pre">krb5/plugins</span></code> subdirectory +of the krb5 library directory. 
This relation is subject to +parameter expansion (see below) in release 1.17 and later.</dd> <dt><strong>preferred_preauth_types</strong></dt> <dd>This allows you to set the preferred preauthentication types which the client will attempt before others which may be advertised by a -KDC. The default value for this setting is “17, 16, 15, 14”, +KDC. The default value for this setting is “17, 16, 15, 14”, which forces libkrb5 to attempt to use PKINIT if it is supported.</dd> <dt><strong>proxiable</strong></dt> <dd>If this flag is true, initial tickets will be proxiable by default, if allowed by the KDC. The default value is false.</dd> +<dt><strong>qualify_shortname</strong></dt> +<dd>If this string is set, it determines the domain suffix for +single-component hostnames when DNS canonicalization is not used +(either because <strong>dns_canonicalize_hostname</strong> is false or because +forward canonicalization failed). The default value is the first +search domain of the system’s DNS configuration. To disable +qualification of shortnames, set this relation to the empty string +with <code class="docutils literal"><span class="pre">qualify_shortname</span> <span class="pre">=</span> <span class="pre">""</span></code>. (New in release 1.18.)</dd> <dt><strong>rdns</strong></dt> <dd>If this flag is true, reverse name lookup will be used in addition to forward name lookup to canonicalizing hostnames for use in service principal names. If <strong>dns_canonicalize_hostname</strong> is set to false, this flag has no effect. The default value is true.</dd> <dt><strong>realm_try_domains</strong></dt> -<dd>Indicate whether a host’s domain components should be used to +<dd>Indicate whether a host’s domain components should be used to determine the Kerberos realm of the host. The value of this variable is an integer: -1 means not to search, 0 means to try the -host’s domain itself, 1 means to also try the domain’s immediate -parent, and so forth. 
The library’s usual mechanism for locating +host’s domain itself, 1 means to also try the domain’s immediate +parent, and so forth. The library’s usual mechanism for locating Kerberos realms is used to determine whether a domain is a valid realm, which may involve consulting DNS if <strong>dns_lookup_kdc</strong> is set. The default is not to search domain components.</dd> <dt><strong>renew_lifetime</strong></dt> -<dd>(<a class="reference internal" href="../../basic/date_format.html#duration"><em>Time duration</em></a> string.) Sets the default renewable lifetime +<dd>(<a class="reference internal" href="../../basic/date_format.html#duration"><span class="std std-ref">Time duration</span></a> string.) Sets the default renewable lifetime for initial ticket requests. The default value is 0.</dd> -<dt><strong>safe_checksum_type</strong></dt> -<dd>An integer which specifies the type of checksum to use for the -KRB-SAFE requests. By default it is set to 8 (RSA MD5 DES). For -compatibility with applications linked against DCE version 1.1 or -earlier Kerberos libraries, use a value of 3 to use the RSA MD4 -DES instead. This field is ignored when its value is incompatible -with the session key type. See the <strong>kdc_req_checksum_type</strong> -configuration option for the possible values and their meanings.</dd> +<dt><strong>spake_preauth_groups</strong></dt> +<dd><p class="first">A whitespace or comma-separated list of words which specifies the +groups allowed for SPAKE preauthentication. 
The possible values +are:</p> +<table border="1" class="docutils"> +<colgroup> +<col width="27%" /> +<col width="73%" /> +</colgroup> +<tbody valign="top"> +<tr class="row-odd"><td>edwards25519</td> +<td>Edwards25519 curve (<span class="target" id="index-0"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc7748.html"><strong>RFC 7748</strong></a>)</td> +</tr> +<tr class="row-even"><td>P-256</td> +<td>NIST P-256 curve (<span class="target" id="index-1"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc5480.html"><strong>RFC 5480</strong></a>)</td> +</tr> +<tr class="row-odd"><td>P-384</td> +<td>NIST P-384 curve (<span class="target" id="index-2"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc5480.html"><strong>RFC 5480</strong></a>)</td> +</tr> +<tr class="row-even"><td>P-521</td> +<td>NIST P-521 curve (<span class="target" id="index-3"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc5480.html"><strong>RFC 5480</strong></a>)</td> +</tr> +</tbody> +</table> +<p class="last">The default value for the client is <code class="docutils literal"><span class="pre">edwards25519</span></code>. The default +value for the KDC is empty. New in release 1.17.</p> +</dd> <dt><strong>ticket_lifetime</strong></dt> -<dd>(<a class="reference internal" href="../../basic/date_format.html#duration"><em>Time duration</em></a> string.) Sets the default lifetime for initial +<dd>(<a class="reference internal" href="../../basic/date_format.html#duration"><span class="std std-ref">Time duration</span></a> string.) Sets the default lifetime for initial ticket requests. The default value is 1 day.</dd> <dt><strong>udp_preference_limit</strong></dt> <dd>When sending a message to the KDC, the library will try using TCP 
@@ -434,6 +432,11 @@ attempt fails.</dd> <dd>If this flag is true, then an attempt to verify initial credentials will fail if the client machine does not have a keytab. The default value is false.</dd> +<dt><strong>client_aware_channel_bindings</strong></dt> +<dd>If this flag is true, then all application protocol authentication +requests will be flagged to indicate that the application supports +channel bindings when operating over a secure channel. The +default value is false.</dd> </dl> </div> <div class="section" id="realms"> @@ -441,12 +444,12 @@ keytab. The default value is false.</dd> <p>Each tag in the [realms] section of the file is the name of a Kerberos realm. The value of the tag is a subsection with relations that define the properties of that particular realm. For each realm, the -following tags may be specified in the realm’s subsection:</p> +following tags may be specified in the realm’s subsection:</p> <dl class="docutils"> <dt><strong>admin_server</strong></dt> <dd>Identifies the host where the administration server is running. -Typically, this is the master Kerberos server. This tag must be -given a value in order to communicate with the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a> +Typically, this is the primary Kerberos server. This tag must be +given a value in order to communicate with the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> server for the realm.</dd> <dt><strong>auth_to_local</strong></dt> <dd><p class="first">This tag allows you to set a general rule for mapping principal 
@@ -460,11 +463,11 @@ translated. The possible values are:</p> The integer <em>n</em> indicates how many components the target principal should have. If this matches, then a string will be formed from <em>string</em>, substituting the realm of the principal -for <tt class="docutils literal"><span class="pre">$0</span></tt> and the <em>n</em>‘th component of the principal for -<tt class="docutils literal"><span class="pre">$n</span></tt> (e.g., if the principal was <tt class="docutils literal"><span class="pre">johndoe/admin</span></tt> then -<tt class="docutils literal"><span class="pre">[2:$2$1foo]</span></tt> would result in the string -<tt class="docutils literal"><span class="pre">adminjohndoefoo</span></tt>). If this string matches <em>regexp</em>, then -the <tt class="docutils literal"><span class="pre">s//[g]</span></tt> substitution command will be run over the +for <code class="docutils literal"><span class="pre">$0</span></code> and the <em>n</em>’th component of the principal for +<code class="docutils literal"><span class="pre">$n</span></code> (e.g., if the principal was <code class="docutils literal"><span class="pre">johndoe/admin</span></code> then +<code class="docutils literal"><span class="pre">[2:$2$1foo]</span></code> would result in the string +<code class="docutils literal"><span class="pre">adminjohndoefoo</span></code>). If this string matches <em>regexp</em>, then +the <code class="docutils literal"><span class="pre">s//[g]</span></code> substitution command will be run over the string. The optional <strong>g</strong> will cause the substitution to be global over the <em>string</em>, instead of replacing only the first match in the <em>string</em>.</p> 
@@ -476,22 +479,22 @@ default realm, this rule is not applicable and the conversion will fail.</dd> </dl> <p>For example:</p> -<div class="highlight-python"><div class="highlight"><pre>[realms] +<div class="highlight-default"><div class="highlight"><pre><span></span>[realms] ATHENA.MIT.EDU = { auth_to_local = RULE:[2:$1](johndoe)s/^.*$/guest/ auth_to_local = RULE:[2:$1;$2](^.*;admin$)s/;admin$// auth_to_local = RULE:[2:$2](^.*;root)s/^.*$/root/ - auto_to_local = DEFAULT + auth_to_local = DEFAULT } </pre></div> </div> -<p class="last">would result in any principal without <tt class="docutils literal"><span class="pre">root</span></tt> or <tt class="docutils literal"><span class="pre">admin</span></tt> as the +<p class="last">would result in any principal without <code class="docutils literal"><span class="pre">root</span></code> or <code class="docutils literal"><span class="pre">admin</span></code> as the second component to be translated with the default rule. A -principal with a second component of <tt class="docutils literal"><span class="pre">admin</span></tt> will become its -first component. <tt class="docutils literal"><span class="pre">root</span></tt> will be used as the local name for any -principal with a second component of <tt class="docutils literal"><span class="pre">root</span></tt>. The exception to -these two rules are any principals <tt class="docutils literal"><span class="pre">johndoe/*</span></tt>, which will -always get the local name <tt class="docutils literal"><span class="pre">guest</span></tt>.</p> +principal with a second component of <code class="docutils literal"><span class="pre">admin</span></code> will become its +first component. <code class="docutils literal"><span class="pre">root</span></code> will be used as the local name for any +principal with a second component of <code class="docutils literal"><span class="pre">root</span></code>. 
The exception to +these two rules are any principals <code class="docutils literal"><span class="pre">johndoe/*</span></code>, which will +always get the local name <code class="docutils literal"><span class="pre">guest</span></code>.</p> </dd> <dt><strong>auth_to_local_names</strong></dt> <dd>This subsection allows you to set explicit mappings from principal @@ -500,8 +503,17 @@ value is the corresponding local user name.</dd> <dt><strong>default_domain</strong></dt> <dd>This tag specifies the domain used to expand hostnames when translating Kerberos 4 service principals to Kerberos 5 principals -(for example, when converting <tt class="docutils literal"><span class="pre">rcmd.hostname</span></tt> to -<tt class="docutils literal"><span class="pre">host/hostname.domain</span></tt>).</dd> +(for example, when converting <code class="docutils literal"><span class="pre">rcmd.hostname</span></code> to +<code class="docutils literal"><span class="pre">host/hostname.domain</span></code>).</dd> +<dt><strong>disable_encrypted_timestamp</strong></dt> +<dd>If this flag is true, the client will not perform encrypted +timestamp preauthentication if requested by the KDC. Setting this +flag can help to prevent dictionary attacks by active attackers, +if the realm’s KDCs support SPAKE preauthentication or if initial +authentication always uses another mechanism or always uses FAST. +This flag persists across client referrals during initial +authentication. This flag does not prevent the KDC from offering +encrypted timestamp. New in release 1.17.</dd> <dt><strong>http_anchors</strong></dt> <dd><p class="first">When KDCs and kpasswd servers are accessed through HTTPS proxies, this tag can be used to specify the location of the CA certificate which should be 
@@ -518,8 +530,8 @@ All files in the directory will be examined; if they contain certificates <p><strong>ENV:</strong> <em>envvar</em></p> <p class="last"><em>envvar</em> specifies the name of an environment variable which has been set to a value conforming to one of the previous values. For example, -<tt class="docutils literal"><span class="pre">ENV:X509_PROXY_CA</span></tt>, where environment variable <tt class="docutils literal"><span class="pre">X509_PROXY_CA</span></tt> has -been set to <tt class="docutils literal"><span class="pre">FILE:/tmp/my_proxy.pem</span></tt>.</p> +<code class="docutils literal"><span class="pre">ENV:X509_PROXY_CA</span></code>, where environment variable <code class="docutils literal"><span class="pre">X509_PROXY_CA</span></code> has +been set to <code class="docutils literal"><span class="pre">FILE:/tmp/my_proxy.pem</span></code>.</p> </dd> <dt><strong>kdc</strong></dt> <dd>The name or address of a host running a KDC for that realm. An 
@@ -532,15 +544,19 @@ be given a value in each realm subsection in the configuration file, or there must be DNS SRV records specifying the KDCs.</dd> <dt><strong>kpasswd_server</strong></dt> <dd>Points to the server where all the password changes are performed. -If there is no such entry, the port 464 on the <strong>admin_server</strong> +If there is no such entry, DNS will be queried (unless forbidden +by <strong>dns_lookup_kdc</strong>). Finally, port 464 on the <strong>admin_server</strong> host will be tried.</dd> <dt><strong>master_kdc</strong></dt> -<dd>Identifies the master KDC(s). Currently, this tag is used in only +<dd>The name for <strong>primary_kdc</strong> prior to release 1.19. Its value is +used as a fallback if <strong>primary_kdc</strong> is not specified.</dd> +<dt><strong>primary_kdc</strong></dt> +<dd>Identifies the primary KDC(s). Currently, this tag is used in only one case: If an attempt to get credentials fails because of an invalid password, the client software will attempt to contact the -master KDC, in case the user’s password has just been changed, and -the updated database has not been propagated to the slave servers -yet.</dd> +primary KDC, in case the user’s password has just been changed, and +the updated database has not been propagated to the replica +servers yet. New in release 1.19.</dd> <dt><strong>v4_instance_convert</strong></dt> <dd>This subsection allows the administrator to configure exceptions to the <strong>default_domain</strong> mapping rule. It contains V4 instances 
@@ -557,33 +573,30 @@ is the Kerberos V4 realm name.</dd> </div> <div class="section" id="domain-realm"> <span id="id3"></span><h3>[domain_realm]<a class="headerlink" href="#domain-realm" title="Permalink to this headline">¶</a></h3> -<p>The [domain_realm] section provides a translation from a domain name -or hostname to a Kerberos realm name. The tag name can be a host name -or domain name, where domain names are indicated by a prefix of a -period (<tt class="docutils literal"><span class="pre">.</span></tt>). The value of the relation is the Kerberos realm name -for that particular host or domain. A host name relation implicitly -provides the corresponding domain name relation, unless an explicit domain -name relation is provided. The Kerberos realm may be +<p>The [domain_realm] section provides a translation from hostnames to +Kerberos realms. Each tag is a domain name, providing the mapping for +that domain and all subdomains. If the tag begins with a period +(<code class="docutils literal"><span class="pre">.</span></code>) then it applies only to subdomains. The Kerberos realm may be identified either in the <a class="reference internal" href="#realms">realms</a> section or using DNS SRV records. -Host names and domain names should be in lower case. For example:</p> -<div class="highlight-python"><div class="highlight"><pre>[domain_realm] - crash.mit.edu = TEST.ATHENA.MIT.EDU - .dev.mit.edu = TEST.ATHENA.MIT.EDU - mit.edu = ATHENA.MIT.EDU +Tag names should be in lower case. 
For example:</p> +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">domain_realm</span><span class="p">]</span> + <span class="n">crash</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> <span class="o">=</span> <span class="n">TEST</span><span class="o">.</span><span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> + <span class="o">.</span><span class="n">dev</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> <span class="o">=</span> <span class="n">TEST</span><span class="o">.</span><span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> + <span class="n">mit</span><span class="o">.</span><span class="n">edu</span> <span class="o">=</span> <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> </pre></div> </div> -<p>maps the host with the name <tt class="docutils literal"><span class="pre">crash.mit.edu</span></tt> into the -<tt class="docutils literal"><span class="pre">TEST.ATHENA.MIT.EDU</span></tt> realm. The second entry maps all hosts under the -domain <tt class="docutils literal"><span class="pre">dev.mit.edu</span></tt> into the <tt class="docutils literal"><span class="pre">TEST.ATHENA.MIT.EDU</span></tt> realm, but not -the host with the name <tt class="docutils literal"><span class="pre">dev.mit.edu</span></tt>. 
That host is matched -by the third entry, which maps the host <tt class="docutils literal"><span class="pre">mit.edu</span></tt> and all hosts -under the domain <tt class="docutils literal"><span class="pre">mit.edu</span></tt> that do not match a preceding rule -into the realm <tt class="docutils literal"><span class="pre">ATHENA.MIT.EDU</span></tt>.</p> +<p>maps the host with the name <code class="docutils literal"><span class="pre">crash.mit.edu</span></code> into the +<code class="docutils literal"><span class="pre">TEST.ATHENA.MIT.EDU</span></code> realm. The second entry maps all hosts under the +domain <code class="docutils literal"><span class="pre">dev.mit.edu</span></code> into the <code class="docutils literal"><span class="pre">TEST.ATHENA.MIT.EDU</span></code> realm, but not +the host with the name <code class="docutils literal"><span class="pre">dev.mit.edu</span></code>. That host is matched +by the third entry, which maps the host <code class="docutils literal"><span class="pre">mit.edu</span></code> and all hosts +under the domain <code class="docutils literal"><span class="pre">mit.edu</span></code> that do not match a preceding rule +into the realm <code class="docutils literal"><span class="pre">ATHENA.MIT.EDU</span></code>.</p> <p>If no translation entry applies to a hostname used for a service principal for a service ticket request, the library will try to get a -referral to the appropriate realm from the client realm’s KDC. If -that does not succeed, the host’s realm is considered to be the -hostname’s domain portion converted to uppercase, unless the +referral to the appropriate realm from the client realm’s KDC. If +that does not succeed, the host’s realm is considered to be the +hostname’s domain portion converted to uppercase, unless the <strong>realm_try_domains</strong> setting in [libdefaults] causes a different parent domain to be used.</p> </div> 
@@ -600,7 +613,7 @@ checking the transited field of the received ticket.</p> subtags for each of the server realms. The value of the subtags is an intermediate realm which may participate in the cross-realm authentication. The subtags may be repeated if there is more then one -intermediate realm. A value of ”.” means that the two realms share +intermediate realm. A value of “.” means that the two realms share keys directly, and no intermediate realms should be allowed to participate.</p> <p>Only those entries which will be needed on the client or the server 
@@ -608,55 +621,55 @@ need to be present. A client needs a tag for its local realm with subtags for all the realms of servers it will need to authenticate to. A server needs a tag for each realm of the clients it will serve, with a subtag of the server realm.</p> -<p>For example, <tt class="docutils literal"><span class="pre">ANL.GOV</span></tt>, <tt class="docutils literal"><span class="pre">PNL.GOV</span></tt>, and <tt class="docutils literal"><span class="pre">NERSC.GOV</span></tt> all wish to -use the <tt class="docutils literal"><span class="pre">ES.NET</span></tt> realm as an intermediate realm. ANL has a sub -realm of <tt class="docutils literal"><span class="pre">TEST.ANL.GOV</span></tt> which will authenticate with <tt class="docutils literal"><span class="pre">NERSC.GOV</span></tt> -but not <tt class="docutils literal"><span class="pre">PNL.GOV</span></tt>. The [capaths] section for <tt class="docutils literal"><span class="pre">ANL.GOV</span></tt> systems +<p>For example, <code class="docutils literal"><span class="pre">ANL.GOV</span></code>, <code class="docutils literal"><span class="pre">PNL.GOV</span></code>, and <code class="docutils literal"><span class="pre">NERSC.GOV</span></code> all wish to +use the <code class="docutils literal"><span class="pre">ES.NET</span></code> realm as an intermediate realm. ANL has a sub +realm of <code class="docutils literal"><span class="pre">TEST.ANL.GOV</span></code> which will authenticate with <code class="docutils literal"><span class="pre">NERSC.GOV</span></code> +but not <code class="docutils literal"><span class="pre">PNL.GOV</span></code>. The [capaths] section for <code class="docutils literal"><span class="pre">ANL.GOV</span></code> systems would look like this:</p> -<div class="highlight-python"><div class="highlight"><pre>[capaths] - ANL.GOV = { - TEST.ANL.GOV = . - PNL.GOV = ES.NET - NERSC.GOV = ES.NET - ES.NET = . - } - TEST.ANL.GOV = { - ANL.GOV = . 
- } - PNL.GOV = { - ANL.GOV = ES.NET - } - NERSC.GOV = { - ANL.GOV = ES.NET - } - ES.NET = { - ANL.GOV = . - } +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">capaths</span><span class="p">]</span> + <span class="n">ANL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="p">{</span> + <span class="n">TEST</span><span class="o">.</span><span class="n">ANL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="o">.</span> + <span class="n">PNL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="n">ES</span><span class="o">.</span><span class="n">NET</span> + <span class="n">NERSC</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="n">ES</span><span class="o">.</span><span class="n">NET</span> + <span class="n">ES</span><span class="o">.</span><span class="n">NET</span> <span class="o">=</span> <span class="o">.</span> + <span class="p">}</span> + <span class="n">TEST</span><span class="o">.</span><span class="n">ANL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="p">{</span> + <span class="n">ANL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="o">.</span> + <span class="p">}</span> + <span class="n">PNL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="p">{</span> + <span class="n">ANL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="n">ES</span><span class="o">.</span><span class="n">NET</span> + <span class="p">}</span> + <span class="n">NERSC</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="p">{</span> + <span class="n">ANL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> 
<span class="n">ES</span><span class="o">.</span><span class="n">NET</span> + <span class="p">}</span> + <span class="n">ES</span><span class="o">.</span><span class="n">NET</span> <span class="o">=</span> <span class="p">{</span> + <span class="n">ANL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="o">.</span> + <span class="p">}</span> </pre></div> </div> -<p>The [capaths] section of the configuration file used on <tt class="docutils literal"><span class="pre">NERSC.GOV</span></tt> +<p>The [capaths] section of the configuration file used on <code class="docutils literal"><span class="pre">NERSC.GOV</span></code> systems would look like this:</p> -<div class="highlight-python"><div class="highlight"><pre>[capaths] - NERSC.GOV = { - ANL.GOV = ES.NET - TEST.ANL.GOV = ES.NET - TEST.ANL.GOV = ANL.GOV - PNL.GOV = ES.NET - ES.NET = . - } - ANL.GOV = { - NERSC.GOV = ES.NET - } - PNL.GOV = { - NERSC.GOV = ES.NET - } - ES.NET = { - NERSC.GOV = . - } - TEST.ANL.GOV = { - NERSC.GOV = ANL.GOV - NERSC.GOV = ES.NET - } +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">capaths</span><span class="p">]</span> + <span class="n">NERSC</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="p">{</span> + <span class="n">ANL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="n">ES</span><span class="o">.</span><span class="n">NET</span> + <span class="n">TEST</span><span class="o">.</span><span class="n">ANL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="n">ES</span><span class="o">.</span><span class="n">NET</span> + <span class="n">TEST</span><span class="o">.</span><span class="n">ANL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="n">ANL</span><span class="o">.</span><span class="n">GOV</span> + 
<span class="n">PNL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="n">ES</span><span class="o">.</span><span class="n">NET</span> + <span class="n">ES</span><span class="o">.</span><span class="n">NET</span> <span class="o">=</span> <span class="o">.</span> + <span class="p">}</span> + <span class="n">ANL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="p">{</span> + <span class="n">NERSC</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="n">ES</span><span class="o">.</span><span class="n">NET</span> + <span class="p">}</span> + <span class="n">PNL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="p">{</span> + <span class="n">NERSC</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="n">ES</span><span class="o">.</span><span class="n">NET</span> + <span class="p">}</span> + <span class="n">ES</span><span class="o">.</span><span class="n">NET</span> <span class="o">=</span> <span class="p">{</span> + <span class="n">NERSC</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="o">.</span> + <span class="p">}</span> + <span class="n">TEST</span><span class="o">.</span><span class="n">ANL</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="p">{</span> + <span class="n">NERSC</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="n">ANL</span><span class="o">.</span><span class="n">GOV</span> + <span class="n">NERSC</span><span class="o">.</span><span class="n">GOV</span> <span class="o">=</span> <span class="n">ES</span><span class="o">.</span><span class="n">NET</span> + <span class="p">}</span> </pre></div> </div> <p>When a subtag is used more than once within a tag, clients will use 
@@ -669,32 +682,32 @@ important to servers.</p> or an option that is used by some Kerberos V5 application[s]. The value of the tag defines the default behaviors for that application.</p> <p>For example:</p> -<div class="highlight-python"><div class="highlight"><pre>[appdefaults] - telnet = { - ATHENA.MIT.EDU = { - option1 = false - } - } - telnet = { - option1 = true - option2 = true - } - ATHENA.MIT.EDU = { - option2 = false - } - option2 = true +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">appdefaults</span><span class="p">]</span> + <span class="n">telnet</span> <span class="o">=</span> <span class="p">{</span> + <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="o">=</span> <span class="p">{</span> + <span class="n">option1</span> <span class="o">=</span> <span class="n">false</span> + <span class="p">}</span> + <span class="p">}</span> + <span class="n">telnet</span> <span class="o">=</span> <span class="p">{</span> + <span class="n">option1</span> <span class="o">=</span> <span class="n">true</span> + <span class="n">option2</span> <span class="o">=</span> <span class="n">true</span> + <span class="p">}</span> + <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="o">=</span> <span class="p">{</span> + <span class="n">option2</span> <span class="o">=</span> <span class="n">false</span> + <span class="p">}</span> + <span class="n">option2</span> <span class="o">=</span> <span class="n">true</span> </pre></div> </div> <p>The above four ways of specifying the value of an option are shown in order of decreasing precedence. In this example, if telnet is running in the realm EXAMPLE.COM, it should, by default, have option1 and option2 set to true. 
However, a telnet program in the realm -<tt class="docutils literal"><span class="pre">ATHENA.MIT.EDU</span></tt> should have <tt class="docutils literal"><span class="pre">option1</span></tt> set to false and -<tt class="docutils literal"><span class="pre">option2</span></tt> set to true. Any other programs in ATHENA.MIT.EDU should -have <tt class="docutils literal"><span class="pre">option2</span></tt> set to false by default. Any programs running in -other realms should have <tt class="docutils literal"><span class="pre">option2</span></tt> set to true.</p> +<code class="docutils literal"><span class="pre">ATHENA.MIT.EDU</span></code> should have <code class="docutils literal"><span class="pre">option1</span></code> set to false and +<code class="docutils literal"><span class="pre">option2</span></code> set to true. Any other programs in ATHENA.MIT.EDU should +have <code class="docutils literal"><span class="pre">option2</span></code> set to false by default. Any programs running in +other realms should have <code class="docutils literal"><span class="pre">option2</span></code> set to true.</p> <p>The list of specifiable options for each application may be found in -that application’s man pages. The application defaults specified here +that application’s man pages. The application defaults specified here are overridden by those specified in the <a class="reference internal" href="#realms">realms</a> section.</p> </div> <div class="section" id="plugins"> 
@@ -724,11 +737,11 @@ tag, then only the named modules will be enabled for the pluggable interface.</dd> <dt><strong>module</strong></dt> <dd>This tag may have multiple values. Each value is a string of the -form <tt class="docutils literal"><span class="pre">modulename:pathname</span></tt>, which causes the shared object +form <code class="docutils literal"><span class="pre">modulename:pathname</span></code>, which causes the shared object located at <em>pathname</em> to be registered as a dynamic module named <em>modulename</em> for the pluggable interface. If <em>pathname</em> is not an absolute path, it will be treated as relative to the -<strong>plugin_base_dir</strong> value from <a class="reference internal" href="#libdefaults"><em>[libdefaults]</em></a>.</dd> +<strong>plugin_base_dir</strong> value from <a class="reference internal" href="#libdefaults"><span class="std std-ref">[libdefaults]</span></a>.</dd> </dl> <p>For pluggable interfaces where module order matters, modules registered with a <strong>module</strong> tag normally come first, in the order @@ -745,7 +758,7 @@ dynamic modules, the following built-in modules exist (and may be disabled with the disable tag):</p> <dl class="docutils"> <dt><strong>k5identity</strong></dt> -<dd>Uses a .k5identity file in the user’s home directory to select a +<dd>Uses a .k5identity file in the user’s home directory to select a client principal</dd> <dt><strong>realm</strong></dt> <dd>Uses the service realm to guess an appropriate cache from the 
@@ -788,11 +801,11 @@ client principal is allowed to perform a kadmin operation. The following built-in modules exist for this interface:</p> <dl class="docutils"> <dt><strong>acl</strong></dt> -<dd>This module reads the <a class="reference internal" href="kadm5_acl.html#kadm5-acl-5"><em>kadm5.acl</em></a> file, and authorizes +<dd>This module reads the <a class="reference internal" href="kadm5_acl.html#kadm5-acl-5"><span class="std std-ref">kadm5.acl</span></a> file, and authorizes operations which are allowed according to the rules in the file.</dd> <dt><strong>self</strong></dt> <dd>This module authorizes self-service operations including password -changes, creation of new random keys, fetching the client’s +changes, creation of new random keys, fetching the client’s principal record or string attributes, and fetching the policy record associated with the client principal.</dd> </dl> @@ -851,11 +864,11 @@ values.</dd> principal name.</dd> <dt><strong>auth_to_local</strong></dt> <dd>This module processes <strong>auth_to_local</strong> values in the default -realm’s section, and applies the default method if no +realm’s section, and applies the default method if no <strong>auth_to_local</strong> values exist.</dd> <dt><strong>k5login</strong></dt> <dd>This module authorizes a principal to a local account according to -the account’s <a class="reference internal" href="../../user/user_config/k5login.html#k5login-5"><em>.k5login</em></a> file.</dd> +the account’s <a class="reference internal" href="../../user/user_config/k5login.html#k5login-5"><span class="std std-ref">.k5login</span></a> file.</dd> <dt><strong>an2ln</strong></dt> <dd>This module authorizes a principal to a local account if the principal name maps to the local account name.</dd> 
@@ -898,24 +911,24 @@ A realm-specific value overrides, not adds to, a generic </div> <ol class="arabic"> <li><p class="first">realm-specific subsection of [libdefaults]:</p> -<div class="highlight-python"><div class="highlight"><pre>[libdefaults] - EXAMPLE.COM = { - pkinit_anchors = FILE:/usr/local/example.com.crt - } +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">libdefaults</span><span class="p">]</span> + <span class="n">EXAMPLE</span><span class="o">.</span><span class="n">COM</span> <span class="o">=</span> <span class="p">{</span> + <span class="n">pkinit_anchors</span> <span class="o">=</span> <span class="n">FILE</span><span class="p">:</span><span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">local</span><span class="o">/</span><span class="n">example</span><span class="o">.</span><span class="n">com</span><span class="o">.</span><span class="n">crt</span> + <span class="p">}</span> </pre></div> </div> </li> <li><p class="first">realm-specific value in the [realms] section:</p> -<div class="highlight-python"><div class="highlight"><pre>[realms] - OTHERREALM.ORG = { - pkinit_anchors = FILE:/usr/local/otherrealm.org.crt - } +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">realms</span><span class="p">]</span> + <span class="n">OTHERREALM</span><span class="o">.</span><span class="n">ORG</span> <span class="o">=</span> <span class="p">{</span> + <span class="n">pkinit_anchors</span> <span class="o">=</span> <span class="n">FILE</span><span class="p">:</span><span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">local</span><span class="o">/</span><span class="n">otherrealm</span><span class="o">.</span><span class="n">org</span><span class="o">.</span><span class="n">crt</span> + <span class="p">}</span> </pre></div> </div> </li> <li><p class="first">generic 
value in the [libdefaults] section:</p> -<div class="highlight-python"><div class="highlight"><pre>[libdefaults] - pkinit_anchors = DIR:/usr/local/generic_trusted_cas/ +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">libdefaults</span><span class="p">]</span> + <span class="n">pkinit_anchors</span> <span class="o">=</span> <span class="n">DIR</span><span class="p">:</span><span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">local</span><span class="o">/</span><span class="n">generic_trusted_cas</span><span class="o">/</span> </pre></div> </div> </li> @@ -928,8 +941,8 @@ information for PKINIT is as follows:</p> <dt><strong>FILE:</strong><em>filename</em>[<strong>,</strong><em>keyfilename</em>]</dt> <dd><p class="first">This option has context-specific behavior.</p> <p>In <strong>pkinit_identity</strong> or <strong>pkinit_identities</strong>, <em>filename</em> -specifies the name of a PEM-format file containing the user’s -certificate. If <em>keyfilename</em> is not specified, the user’s +specifies the name of a PEM-format file containing the user’s +certificate. If <em>keyfilename</em> is not specified, the user’s private key is expected to be in <em>filename</em> as well. Otherwise, <em>keyfilename</em> is the name of the file containing the private key.</p> <p class="last">In <strong>pkinit_anchors</strong> or <strong>pkinit_pool</strong>, <em>filename</em> is assumed to 
@@ -938,42 +951,42 @@ be the name of an OpenSSL-style ca-bundle file.</p> <dt><strong>DIR:</strong><em>dirname</em></dt> <dd><p class="first">This option has context-specific behavior.</p> <p>In <strong>pkinit_identity</strong> or <strong>pkinit_identities</strong>, <em>dirname</em> -specifies a directory with files named <tt class="docutils literal"><span class="pre">*.crt</span></tt> and <tt class="docutils literal"><span class="pre">*.key</span></tt> +specifies a directory with files named <code class="docutils literal"><span class="pre">*.crt</span></code> and <code class="docutils literal"><span class="pre">*.key</span></code> where the first part of the file name is the same for matching pairs of certificate and private key files. When a file with a -name ending with <tt class="docutils literal"><span class="pre">.crt</span></tt> is found, a matching file ending with -<tt class="docutils literal"><span class="pre">.key</span></tt> is assumed to contain the private key. If no such file -is found, then the certificate in the <tt class="docutils literal"><span class="pre">.crt</span></tt> is not used.</p> +name ending with <code class="docutils literal"><span class="pre">.crt</span></code> is found, a matching file ending with +<code class="docutils literal"><span class="pre">.key</span></code> is assumed to contain the private key. If no such file +is found, then the certificate in the <code class="docutils literal"><span class="pre">.crt</span></code> is not used.</p> <p>In <strong>pkinit_anchors</strong> or <strong>pkinit_pool</strong>, <em>dirname</em> is assumed to be an OpenSSL-style hashed CA directory where each CA cert is -stored in a file named <tt class="docutils literal"><span class="pre">hash-of-ca-cert.#</span></tt>. This infrastructure +stored in a file named <code class="docutils literal"><span class="pre">hash-of-ca-cert.#</span></code>. 
This infrastructure is encouraged, but all files in the directory will be examined and if they contain certificates (in PEM format), they will be used.</p> <p class="last">In <strong>pkinit_revoke</strong>, <em>dirname</em> is assumed to be an OpenSSL-style hashed CA directory where each revocation list is stored in a file -named <tt class="docutils literal"><span class="pre">hash-of-ca-cert.r#</span></tt>. This infrastructure is encouraged, +named <code class="docutils literal"><span class="pre">hash-of-ca-cert.r#</span></code>. This infrastructure is encouraged, but all files in the directory will be examined and if they contain a revocation list (in PEM format), they will be used.</p> </dd> <dt><strong>PKCS12:</strong><em>filename</em></dt> <dd><em>filename</em> is the name of a PKCS #12 format file, containing the -user’s certificate and private key.</dd> +user’s certificate and private key.</dd> <dt><strong>PKCS11:</strong>[<strong>module_name=</strong>]<em>modname</em>[<strong>:slotid=</strong><em>slot-id</em>][<strong>:token=</strong><em>token-label</em>][<strong>:certid=</strong><em>cert-id</em>][<strong>:certlabel=</strong><em>cert-label</em>]</dt> <dd>All keyword/values are optional. <em>modname</em> specifies the location of a library implementing PKCS #11. If a value is encountered with no keyword, it is assumed to be the <em>modname</em>. If no -module-name is specified, the default is <tt class="docutils literal"><span class="pre">opensc-pkcs11.so</span></tt>. -<tt class="docutils literal"><span class="pre">slotid=</span></tt> and/or <tt class="docutils literal"><span class="pre">token=</span></tt> may be specified to force the use of +module-name is specified, the default is <a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">PKCS11_MODNAME</span></a>. 
+<code class="docutils literal"><span class="pre">slotid=</span></code> and/or <code class="docutils literal"><span class="pre">token=</span></code> may be specified to force the use of a particular smard card reader or token if there is more than one -available. <tt class="docutils literal"><span class="pre">certid=</span></tt> and/or <tt class="docutils literal"><span class="pre">certlabel=</span></tt> may be specified to +available. <code class="docutils literal"><span class="pre">certid=</span></code> and/or <code class="docutils literal"><span class="pre">certlabel=</span></code> may be specified to force the selection of a particular certificate on the device. See the <strong>pkinit_cert_match</strong> configuration option for more ways to select a particular certificate to use for PKINIT.</dd> <dt><strong>ENV:</strong><em>envvar</em></dt> <dd><em>envvar</em> specifies the name of an environment variable which has been set to a value conforming to one of the previous values. For -example, <tt class="docutils literal"><span class="pre">ENV:X509_PROXY</span></tt>, where environment variable -<tt class="docutils literal"><span class="pre">X509_PROXY</span></tt> has been set to <tt class="docutils literal"><span class="pre">FILE:/tmp/my_proxy.pem</span></tt>.</dd> +example, <code class="docutils literal"><span class="pre">ENV:X509_PROXY</span></code>, where environment variable +<code class="docutils literal"><span class="pre">X509_PROXY</span></code> has been set to <code class="docutils literal"><span class="pre">FILE:/tmp/my_proxy.pem</span></code>.</dd> </dl> </div> <div class="section" id="pkinit-krb5-conf-options"> 
@@ -993,18 +1006,18 @@ attempting PKINIT authentication. This option may be specified multiple times. All the available certificates are checked against each rule in order until there is a match of exactly one certificate.</p> -<p>The Subject and Issuer comparison strings are the <span class="target" id="index-0"></span><a class="rfc reference external" href="http://tools.ietf.org/html/rfc2253.html"><strong>RFC 2253</strong></a> +<p>The Subject and Issuer comparison strings are the <span class="target" id="index-4"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc2253.html"><strong>RFC 2253</strong></a> string representations from the certificate Subject DN and Issuer DN values.</p> <p>The syntax of the matching rules is:</p> <blockquote> -<div>[<em>relation-operator</em>]<em>component-rule</em> ...</div></blockquote> +<div>[<em>relation-operator</em>]<em>component-rule</em> …</div></blockquote> <p>where:</p> <dl class="docutils"> <dt><em>relation-operator</em></dt> -<dd>can be either <tt class="docutils literal"><span class="pre">&&</span></tt>, meaning all component rules must match, -or <tt class="docutils literal"><span class="pre">||</span></tt>, meaning only one component rule must match. The -default is <tt class="docutils literal"><span class="pre">&&</span></tt>.</dd> +<dd>can be either <code class="docutils literal"><span class="pre">&&</span></code>, meaning all component rules must match, +or <code class="docutils literal"><span class="pre">||</span></code>, meaning only one component rule must match. The +default is <code class="docutils literal"><span class="pre">&&</span></code>.</dd> <dt><em>component-rule</em></dt> <dd><p class="first">can be one of the following. Note that there is no punctuation or whitespace between component rules.</p> 
@@ -1037,9 +1050,9 @@ certificate. Key Usage values can be:</p>
 </dd>
 </dl>
 <p>Examples:</p>
-<div class="last highlight-python"><div class="highlight"><pre>pkinit_cert_match = ||<SUBJECT>.*DoE.*<SAN>.*@EXAMPLE.COM
-pkinit_cert_match = &&<EKU>msScLogin,clientAuth<ISSUER>.*DoE.*
-pkinit_cert_match = <EKU>msScLogin,clientAuth<KU>digitalSignature
+<div class="last highlight-default"><div class="highlight"><pre><span></span><span class="n">pkinit_cert_match</span> <span class="o">=</span> <span class="o">||<</span><span class="n">SUBJECT</span><span class="o">>.*</span><span class="n">DoE</span><span class="o">.*<</span><span class="n">SAN</span><span class="o">>.*</span><span class="nd">@EXAMPLE</span><span class="o">.</span><span class="n">COM</span>
+<span class="n">pkinit_cert_match</span> <span class="o">=</span> <span class="o">&&<</span><span class="n">EKU</span><span class="o">></span><span class="n">msScLogin</span><span class="p">,</span><span class="n">clientAuth</span><span class="o"><</span><span class="n">ISSUER</span><span class="o">>.*</span><span class="n">DoE</span><span class="o">.*</span>
+<span class="n">pkinit_cert_match</span> <span class="o">=</span> <span class="o"><</span><span class="n">EKU</span><span class="o">></span><span class="n">msScLogin</span><span class="p">,</span><span class="n">clientAuth</span><span class="o"><</span><span class="n">KU</span><span class="o">></span><span class="n">digitalSignature</span>
 </pre></div>
 </div>
 </dd>
@@ -1053,7 +1066,7 @@ recognized in the krb5.conf file are:</p> <dl class="last docutils"> <dt><strong>kpKDC</strong></dt> <dd>This is the default value and specifies that the KDC must have -the id-pkinit-KPKdc EKU as defined in <span class="target" id="index-1"></span><a class="rfc reference external" href="http://tools.ietf.org/html/rfc4556.html"><strong>RFC 4556</strong></a>.</dd> +the id-pkinit-KPKdc EKU as defined in <span class="target" id="index-5"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc4556.html"><strong>RFC 4556</strong></a>.</dd> <dt><strong>kpServerAuth</strong></dt> <dd>If <strong>kpServerAuth</strong> is specified, a KDC certificate with the id-kp-serverAuth EKU will be accepted. This key usage value 
@@ -1069,17 +1082,16 @@ option is not recommended.</dd> attempt to use. The acceptable values are 1024, 2048, and 4096. The default is 2048.</dd> <dt><strong>pkinit_identities</strong></dt> -<dd>Specifies the location(s) to be used to find the user’s X.509 -identity information. This option may be specified multiple -times. Each value is attempted in order until identity -information is found and authentication is attempted. Note that -these values are not used if the user specifies +<dd>Specifies the location(s) to be used to find the user’s X.509 +identity information. If this option is specified multiple times, +each value is attempted in order until certificates are found. +Note that these values are not used if the user specifies <strong>X509_user_identity</strong> on the command line.</dd> <dt><strong>pkinit_kdc_hostname</strong></dt> -<dd>The presense of this option indicates that the client is willing +<dd>The presence of this option indicates that the client is willing to accept a KDC certificate with a dNSName SAN (Subject Alternative Name) rather than requiring the id-pkinit-san as -defined in <span class="target" id="index-2"></span><a class="rfc reference external" href="http://tools.ietf.org/html/rfc4556.html"><strong>RFC 4556</strong></a>. This option may be specified multiple +defined in <span class="target" id="index-6"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc4556.html"><strong>RFC 4556</strong></a>. This option may be specified multiple times. Its value should contain the acceptable hostname for the KDC (as contained in its certificate).</dd> <dt><strong>pkinit_pool</strong></dt> 
@@ -1176,41 +1188,41 @@ Valid parameters are:</p> <div class="section" id="sample-krb5-conf-file"> <h2>Sample krb5.conf file<a class="headerlink" href="#sample-krb5-conf-file" title="Permalink to this headline">¶</a></h2> <p>Here is an example of a generic krb5.conf file:</p> -<div class="highlight-python"><div class="highlight"><pre>[libdefaults] - default_realm = ATHENA.MIT.EDU - dns_lookup_kdc = true - dns_lookup_realm = false +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">libdefaults</span><span class="p">]</span> + <span class="n">default_realm</span> <span class="o">=</span> <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> + <span class="n">dns_lookup_kdc</span> <span class="o">=</span> <span class="n">true</span> + <span class="n">dns_lookup_realm</span> <span class="o">=</span> <span class="n">false</span> -[realms] - ATHENA.MIT.EDU = { - kdc = kerberos.mit.edu - kdc = kerberos-1.mit.edu - kdc = kerberos-2.mit.edu - admin_server = kerberos.mit.edu - master_kdc = kerberos.mit.edu - } - EXAMPLE.COM = { - kdc = kerberos.example.com - kdc = kerberos-1.example.com - admin_server = kerberos.example.com - } +<span class="p">[</span><span class="n">realms</span><span class="p">]</span> + <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="o">=</span> <span class="p">{</span> + <span class="n">kdc</span> <span class="o">=</span> <span class="n">kerberos</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> + <span class="n">kdc</span> <span class="o">=</span> <span class="n">kerberos</span><span class="o">-</span><span class="mf">1.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> + <span class="n">kdc</span> <span class="o">=</span> <span 
class="n">kerberos</span><span class="o">-</span><span class="mf">2.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> + <span class="n">admin_server</span> <span class="o">=</span> <span class="n">kerberos</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> + <span class="n">primary_kdc</span> <span class="o">=</span> <span class="n">kerberos</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> + <span class="p">}</span> + <span class="n">EXAMPLE</span><span class="o">.</span><span class="n">COM</span> <span class="o">=</span> <span class="p">{</span> + <span class="n">kdc</span> <span class="o">=</span> <span class="n">kerberos</span><span class="o">.</span><span class="n">example</span><span class="o">.</span><span class="n">com</span> + <span class="n">kdc</span> <span class="o">=</span> <span class="n">kerberos</span><span class="o">-</span><span class="mf">1.</span><span class="n">example</span><span class="o">.</span><span class="n">com</span> + <span class="n">admin_server</span> <span class="o">=</span> <span class="n">kerberos</span><span class="o">.</span><span class="n">example</span><span class="o">.</span><span class="n">com</span> + <span class="p">}</span> -[domain_realm] - mit.edu = ATHENA.MIT.EDU +<span class="p">[</span><span class="n">domain_realm</span><span class="p">]</span> + <span class="n">mit</span><span class="o">.</span><span class="n">edu</span> <span class="o">=</span> <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> -[capaths] - ATHENA.MIT.EDU = { - EXAMPLE.COM = . - } - EXAMPLE.COM = { - ATHENA.MIT.EDU = . 
- } +<span class="p">[</span><span class="n">capaths</span><span class="p">]</span> + <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="o">=</span> <span class="p">{</span> + <span class="n">EXAMPLE</span><span class="o">.</span><span class="n">COM</span> <span class="o">=</span> <span class="o">.</span> + <span class="p">}</span> + <span class="n">EXAMPLE</span><span class="o">.</span><span class="n">COM</span> <span class="o">=</span> <span class="p">{</span> + <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="o">=</span> <span class="o">.</span> + <span class="p">}</span> </pre></div> </div> </div> <div class="section" id="files"> <h2>FILES<a class="headerlink" href="#files" title="Permalink to this headline">¶</a></h2> -<p><tt class="docutils literal"><span class="pre">/etc/krb5.conf</span></tt></p> +<p><code class="docutils literal"><span class="pre">/etc/krb5.conf</span></code></p> </div> <div class="section" id="see-also"> <h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2> 
@@ -1267,13 +1279,14 @@ Valid parameters are:</p>
 <li class="toctree-l1 current"><a class="reference internal" href="../index.html">For administrators</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../install.html">Installation guide</a></li>
 <li class="toctree-l2 current"><a class="reference internal" href="index.html">Configuration Files</a><ul class="current">
-<li class="toctree-l3 current"><a class="current reference internal" href="">krb5.conf</a></li>
+<li class="toctree-l3 current"><a class="current reference internal" href="#">krb5.conf</a></li>
 <li class="toctree-l3"><a class="reference internal" href="kdc_conf.html">kdc.conf</a></li>
 <li class="toctree-l3"><a class="reference internal" href="kadm5_acl.html">kadm5.acl</a></li>
 </ul>
 </li>
 <li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../dbtypes.html">Database types</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li>
@@ -1281,6 +1294,8 @@ Valid parameters are:</p>
 <li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../spake.html">SPAKE Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../dictionary.html">Addressing dictionary attack risks</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li>
@@ -1320,8 +1335,8 @@ Valid parameters are:</p>
 <div class="footer-wrapper">
 <div class="footer" >
- <div class="right" ><i>Release: 1.16</i><br />
- © <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
+ <div class="right" ><i>Release: 1.21.1</i><br />
+ © <a href="../../copyright.html">Copyright</a> 1985-2023, MIT.
 </div>
 <div class="left">
diff --git a/doc/html/admin/conf_ldap.html b/doc/html/admin/conf_ldap.html
index 2a9b830ca2a7..13b7bf3680e5 100644
--- a/doc/html/admin/conf_ldap.html
+++ b/doc/html/admin/conf_ldap.html
@@ -1,33 +1,31 @@ + <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> - <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> - - <title>Configuring Kerberos with OpenLDAP back-end — MIT Kerberos Documentation</title> - + <title>Configuring Kerberos with OpenLDAP back-end — MIT Kerberos Documentation</title> <link rel="stylesheet" href="../_static/agogo.css" type="text/css" /> <link rel="stylesheet" href="../_static/pygments.css" type="text/css" /> <link rel="stylesheet" href="../_static/kerb.css" type="text/css" /> - <script type="text/javascript"> var DOCUMENTATION_OPTIONS = { URL_ROOT: '../', - VERSION: '1.16', + VERSION: '1.21.1', COLLAPSE_INDEX: false, FILE_SUFFIX: '.html', - HAS_SOURCE: true + HAS_SOURCE: true, + SOURCELINK_SUFFIX: '.txt' }; </script> <script type="text/javascript" src="../_static/jquery.js"></script> <script type="text/javascript" src="../_static/underscore.js"></script> <script type="text/javascript" src="../_static/doctools.js"></script> <link rel="author" title="About these documents" href="../about.html" /> + <link rel="index" title="Index" href="../genindex.html" /> + <link rel="search" title="Search" href="../search.html" /> <link rel="copyright" title="Copyright" href="../copyright.html" /> - <link rel="top" title="MIT Kerberos Documentation" href="../index.html" /> - <link rel="up" title="For administrators" href="index.html" /> <link rel="next" title="Application servers" href="appl_servers.html" /> <link rel="prev" title="Account lockout" href="lockout.html" /> </head> 
@@ -61,61 +59,47 @@ <div class="documentwrapper"> <div class="bodywrapper"> - <div class="body"> + <div class="body" role="main"> <div class="section" id="configuring-kerberos-with-openldap-back-end"> -<h1>Configuring Kerberos with OpenLDAP back-end<a class="headerlink" href="#configuring-kerberos-with-openldap-back-end" title="Permalink to this headline">¶</a></h1> +<span id="conf-ldap"></span><h1>Configuring Kerberos with OpenLDAP back-end<a class="headerlink" href="#configuring-kerberos-with-openldap-back-end" title="Permalink to this headline">¶</a></h1> <blockquote> <div><ol class="arabic"> -<li><p class="first">Set up SSL on the OpenLDAP server and client to ensure secure -communication when the KDC service and LDAP server are on different -machines. <tt class="docutils literal"><span class="pre">ldapi://</span></tt> can be used if the LDAP server and KDC -service are running on the same machine.</p> -<ol class="upperalpha simple"> -<li>Setting up SSL on the OpenLDAP server:</li> -</ol> -<blockquote> -<div><ol class="lowerroman"> -<li><p class="first">Get a CA certificate using OpenSSL tools</p> +<li><p class="first">Make sure the LDAP server is using local authentication +(<code class="docutils literal"><span class="pre">ldapi://</span></code>) or TLS (<code class="docutils literal"><span class="pre">ldaps</span></code>). 
See +<a class="reference external" href="https://www.openldap.org/doc/admin/tls.html">https://www.openldap.org/doc/admin/tls.html</a> for instructions on +configuring TLS support in OpenLDAP.</p> </li> -<li><p class="first">Configure OpenLDAP server for using SSL/TLS</p> -<p>For the latter, you need to specify the location of CA -certificate location in <em>slapd.conf</em> file.</p> -<p>Refer to the following link for more information: -<a class="reference external" href="http://www.openldap.org/doc/admin23/tls.html">http://www.openldap.org/doc/admin23/tls.html</a></p> -</li> -</ol> -</div></blockquote> -<ol class="upperalpha" start="2"> -<li><p class="first">Setting up SSL on OpenLDAP client:</p> -<ol class="lowerroman"> -<li><p class="first">For the KDC and Admin Server, you need to do the client-side -configuration in ldap.conf. For example:</p> -<div class="highlight-python"><div class="highlight"><pre><span class="n">TLS_CACERT</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">openldap</span><span class="o">/</span><span class="n">certs</span><span class="o">/</span><span class="n">cacert</span><span class="o">.</span><span class="n">pem</span> +<li><p class="first">Add the Kerberos schema file to the LDAP Server using the OpenLDAP +LDIF file from the krb5 source directory +(<code class="docutils literal"><span class="pre">src/plugins/kdb/ldap/libkdb_ldap/kerberos.openldap.ldif</span></code>). 
+The following example uses local authentication:</p> +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">ldapadd</span> <span class="o">-</span><span class="n">Y</span> <span class="n">EXTERNAL</span> <span class="o">-</span><span class="n">H</span> <span class="n">ldapi</span><span class="p">:</span><span class="o">///</span> <span class="o">-</span><span class="n">f</span> <span class="o">/</span><span class="n">path</span><span class="o">/</span><span class="n">to</span><span class="o">/</span><span class="n">kerberos</span><span class="o">.</span><span class="n">openldap</span><span class="o">.</span><span class="n">ldif</span> </pre></div> </div> </li> -</ol> -</li> -</ol> +<li><p class="first">Choose DNs for the <a class="reference internal" href="admin_commands/krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a> and <a class="reference internal" href="admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> servers +to bind to the LDAP server, and create them if necessary. Specify +these DNs with the <strong>ldap_kdc_dn</strong> and <strong>ldap_kadmind_dn</strong> +directives in <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>. 
The kadmind DN will also be +used for administrative commands such as <a class="reference internal" href="admin_commands/kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a>.</p> +<p>Alternatively, you may configure krb5kdc and kadmind to use SASL +authentication to access the LDAP server; see the <a class="reference internal" href="conf_files/kdc_conf.html#dbmodules"><span class="std std-ref">[dbmodules]</span></a> +relations <strong>ldap_kdc_sasl_mech</strong> and similar.</p> </li> -<li><p class="first">Include the Kerberos schema file (kerberos.schema) in the -configuration file (slapd.conf) on the LDAP Server, by providing -the location where it is stored:</p> -<div class="highlight-python"><div class="highlight"><pre><span class="n">include</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">openldap</span><span class="o">/</span><span class="n">schema</span><span class="o">/</span><span class="n">kerberos</span><span class="o">.</span><span class="n">schema</span> +<li><p class="first">Specify a location for the LDAP service password file by setting +<strong>ldap_service_password_file</strong>. Use <code class="docutils literal"><span class="pre">kdb5_ldap_util</span> <span class="pre">stashsrvpw</span></code> +to stash passwords for the KDC and kadmind DNs chosen above. 
For +example:</p> +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kdb5_ldap_util</span> <span class="n">stashsrvpw</span> <span class="o">-</span><span class="n">f</span> <span class="o">/</span><span class="n">path</span><span class="o">/</span><span class="n">to</span><span class="o">/</span><span class="n">service</span><span class="o">.</span><span class="n">keyfile</span> <span class="n">cn</span><span class="o">=</span><span class="n">krbadmin</span><span class="p">,</span><span class="n">dc</span><span class="o">=</span><span class="n">example</span><span class="p">,</span><span class="n">dc</span><span class="o">=</span><span class="n">com</span> </pre></div> </div> -</li> -<li><p class="first">Choose DNs for the <a class="reference internal" href="admin_commands/krb5kdc.html#krb5kdc-8"><em>krb5kdc</em></a> and <a class="reference internal" href="admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a> servers -to bind to the LDAP server, and create them if necessary. These DNs -will be specified with the <strong>ldap_kdc_dn</strong> and <strong>ldap_kadmind_dn</strong> -directives in <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>; their passwords can be stashed -with “<tt class="docutils literal"><span class="pre">kdb5_ldap_util</span> <span class="pre">stashsrvpw</span></tt>” and the resulting file -specified with the <strong>ldap_service_password_file</strong> directive.</p> +<p>Skip this step if you are using SASL authentication and the +mechanism does not require a password.</p> </li> <li><p class="first">Choose a DN for the global Kerberos container entry (but do not -create the entry at this time). This DN will be specified with the -<strong>ldap_kerberos_container_dn</strong> directive in <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>. +create the entry at this time). 
Specify this DN with the +<strong>ldap_kerberos_container_dn</strong> directive in <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>. Realm container entries will be created underneath this DN. Principal entries may exist either underneath the realm container (the default) or in separate trees referenced from the realm 
@@ -124,101 +108,74 @@ container.</p> <li><p class="first">Configure the LDAP server ACLs to enable the KDC and kadmin server DNs to read and write the Kerberos data. If <strong>disable_last_success</strong> and <strong>disable_lockout</strong> are both set to -true in the <a class="reference internal" href="conf_files/kdc_conf.html#dbmodules"><em>[dbmodules]</em></a> subsection for the realm, then the +true in the <a class="reference internal" href="conf_files/kdc_conf.html#dbmodules"><span class="std std-ref">[dbmodules]</span></a> subsection for the realm, then the KDC DN only requires read access to the Kerberos data.</p> <p>Sample access control information:</p> -<div class="highlight-python"><div class="highlight"><pre>access to dn.base="" - by * read - -access to dn.base="cn=Subschema" - by * read - -access to attrs=userPassword,userPKCS12 - by self write - by * auth +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">access</span> <span class="n">to</span> <span class="n">dn</span><span class="o">.</span><span class="n">base</span><span class="o">=</span><span class="s2">""</span> + <span class="n">by</span> <span class="o">*</span> <span class="n">read</span> -access to attrs=shadowLastChange - by self write - by * read +<span class="n">access</span> <span class="n">to</span> <span class="n">dn</span><span class="o">.</span><span class="n">base</span><span class="o">=</span><span class="s2">"cn=Subschema"</span> + <span class="n">by</span> <span class="o">*</span> <span class="n">read</span> -# Providing access to realm container -access to dn.subtree= "cn=EXAMPLE.COM,cn=krbcontainer,dc=example,dc=com" - by dn.exact="cn=kdc-service,dc=example,dc=com" write - by dn.exact="cn=adm-service,dc=example,dc=com" write - by * none +<span class="c1"># Provide access to the realm container.</span> +<span class="n">access</span> <span class="n">to</span> <span class="n">dn</span><span class="o">.</span><span 
class="n">subtree</span><span class="o">=</span> <span class="s2">"cn=EXAMPLE.COM,cn=krbcontainer,dc=example,dc=com"</span> + <span class="n">by</span> <span class="n">dn</span><span class="o">.</span><span class="n">exact</span><span class="o">=</span><span class="s2">"cn=kdc-service,dc=example,dc=com"</span> <span class="n">write</span> + <span class="n">by</span> <span class="n">dn</span><span class="o">.</span><span class="n">exact</span><span class="o">=</span><span class="s2">"cn=adm-service,dc=example,dc=com"</span> <span class="n">write</span> + <span class="n">by</span> <span class="o">*</span> <span class="n">none</span> -# Providing access to principals, if not underneath realm container -access to dn.subtree= "ou=users,dc=example,dc=com" - by dn.exact="cn=kdc-service,dc=example,dc=com" write - by dn.exact="cn=adm-service,dc=example,dc=com" write - by * none +<span class="c1"># Provide access to principals, if not underneath the realm container.</span> +<span class="n">access</span> <span class="n">to</span> <span class="n">dn</span><span class="o">.</span><span class="n">subtree</span><span class="o">=</span> <span class="s2">"ou=users,dc=example,dc=com"</span> + <span class="n">by</span> <span class="n">dn</span><span class="o">.</span><span class="n">exact</span><span class="o">=</span><span class="s2">"cn=kdc-service,dc=example,dc=com"</span> <span class="n">write</span> + <span class="n">by</span> <span class="n">dn</span><span class="o">.</span><span class="n">exact</span><span class="o">=</span><span class="s2">"cn=adm-service,dc=example,dc=com"</span> <span class="n">write</span> + <span class="n">by</span> <span class="o">*</span> <span class="n">none</span> -access to * - by * read +<span class="n">access</span> <span class="n">to</span> <span class="o">*</span> + <span class="n">by</span> <span class="o">*</span> <span class="n">read</span> </pre></div> </div> -<p>If the locations of the container and principals or the DNs of -the service 
objects for a realm are changed then this -information should be updated.</p> +<p>If the locations of the container and principals or the DNs of the +service objects for a realm are changed then this information +should be updated.</p> </li> -<li><p class="first">Start the LDAP server as follows:</p> -<div class="highlight-python"><div class="highlight"><pre>slapd -h "ldapi:/// ldaps:///" +<li><p class="first">In <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>, make sure the following relations are set +in the <a class="reference internal" href="conf_files/kdc_conf.html#dbmodules"><span class="std std-ref">[dbmodules]</span></a> subsection for the realm:</p> +<div class="highlight-default"><div class="highlight"><pre><span></span>db_library (set to ``kldap``) +ldap_kerberos_container_dn +ldap_kdc_dn +ldap_kadmind_dn +ldap_service_password_file +ldap_servers </pre></div> </div> </li> -<li><p class="first">Modify the <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> file to include LDAP specific items -listed below:</p> -<div class="highlight-python"><div class="highlight"><pre>realms - database_module - -dbmodules - db_library - db_module_dir - ldap_kdc_dn - ldap_kadmind_dn - ldap_service_password_file - ldap_servers - ldap_conns_per_server -</pre></div> -</div> -</li> -<li><p class="first">Create the realm using <a class="reference internal" href="admin_commands/kdb5_ldap_util.html#kdb5-ldap-util-8"><em>kdb5_ldap_util</em></a> (see -<a class="reference internal" href="database.html#ldap-create-realm"><em>Creating a Kerberos realm</em></a>):</p> -<div class="highlight-python"><div class="highlight"><pre>kdb5_ldap_util -D cn=admin,dc=example,dc=com create -subtrees ou=users,dc=example,dc=com -r EXAMPLE.COM -s -</pre></div> -</div> +<li><p class="first">Create the realm using <a class="reference internal" 
href="admin_commands/kdb5_ldap_util.html#kdb5-ldap-util-8"><span class="std std-ref">kdb5_ldap_util</span></a>:</p> +<blockquote> +<div><p>kdb5_ldap_util create -subtrees ou=users,dc=example,dc=com -s</p> +</div></blockquote> <p>Use the <strong>-subtrees</strong> option if the principals are to exist in a separate subtree from the realm container. Before executing the command, make sure that the subtree mentioned above -<tt class="docutils literal"><span class="pre">(ou=users,dc=example,dc=com)</span></tt> exists. If the principals will +<code class="docutils literal"><span class="pre">(ou=users,dc=example,dc=com)</span></code> exists. If the principals will exist underneath the realm container, omit the <strong>-subtrees</strong> option and do not worry about creating the principal subtree.</p> -<p>For more information, refer to the section <a class="reference internal" href="database.html#ops-on-ldap"><em>Operations on the LDAP database</em></a>.</p> +<p>For more information, refer to the section <a class="reference internal" href="database.html#ops-on-ldap"><span class="std std-ref">Operations on the LDAP database</span></a>.</p> <p>The realm object is created under the -<strong>ldap_kerberos_container_dn</strong> specified in the configuration file. -This operation will also create the Kerberos container, if not -present already. This will be used to store information related to -all realms.</p> -</li> -<li><p class="first">Stash the password of the service object used by the KDC and -Administration service to bind to the LDAP server using the -<a class="reference internal" href="admin_commands/kdb5_ldap_util.html#kdb5-ldap-util-8"><em>kdb5_ldap_util</em></a> <strong>stashsrvpw</strong> command (see -<a class="reference internal" href="database.html#stash-ldap"><em>Stashing service object’s password</em></a>). 
The object DN should be the same as -<strong>ldap_kdc_dn</strong> and <strong>ldap_kadmind_dn</strong> values specified in the -<a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> file:</p> -<div class="highlight-python"><div class="highlight"><pre>kdb5_ldap_util -D cn=admin,dc=example,dc=com stashsrvpw -f /etc/kerberos/service.keyfile cn=krbadmin,dc=example,dc=com -</pre></div> -</div> +<strong>ldap_kerberos_container_dn</strong> specified in the configuration +file. This operation will also create the Kerberos container, if +not present already. This container can be used to store +information related to multiple realms.</p> </li> -<li><p class="first">Add <tt class="docutils literal"><span class="pre">krbPrincipalName</span></tt> to the indexes in slapd.conf to speed up -the access.</p> +<li><p class="first">Add an <code class="docutils literal"><span class="pre">eq</span></code> index for <code class="docutils literal"><span class="pre">krbPrincipalName</span></code> to speed up principal +lookup operations. See +<a class="reference external" href="https://www.openldap.org/doc/admin/tuning.html#Indexes">https://www.openldap.org/doc/admin/tuning.html#Indexes</a> for +details.</p> </li> </ol> </div></blockquote> <p>With the LDAP back end it is possible to provide aliases for principal -entries. Currently we provide no mechanism provided for creating -aliases, so it must be done by direct manipulation of the LDAP -entries.</p> +entries. Currently we provide no administrative utilities for +creating aliases, so it must be done by direct manipulation of the +LDAP entries.</p> <p>An entry with aliases contains multiple values of the <em>krbPrincipalName</em> attribute. Since LDAP attribute values are not ordered, it is necessary to specify which principal name is canonical, 
@@ -230,12 +187,8 @@ to the pre-existing <em>krbPrincipalName</em> value), and then add additional <p>Principal aliases are only returned by the KDC when the client requests canonicalization. Canonicalization is normally requested for service principals; for client principals, an explicit flag is often -required (e.g., <tt class="docutils literal"><span class="pre">kinit</span> <span class="pre">-C</span></tt>) and canonicalization is only performed +required (e.g., <code class="docutils literal"><span class="pre">kinit</span> <span class="pre">-C</span></code>) and canonicalization is only performed for initial ticket requests.</p> -<div class="admonition seealso"> -<p class="first admonition-title">See also</p> -<p class="last"><a class="reference internal" href="advanced/ldapbackend.html#ldap-be-ubuntu"><em>LDAP backend on Ubuntu 10.4 (lucid)</em></a></p> -</div> </div> 
@@ -258,13 +211,16 @@ for initial ticket requests.</p> <li class="toctree-l2"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li> <li class="toctree-l2"><a class="reference internal" href="realm_config.html">Realm configuration decisions</a></li> <li class="toctree-l2"><a class="reference internal" href="database.html">Database administration</a></li> +<li class="toctree-l2"><a class="reference internal" href="dbtypes.html">Database types</a></li> <li class="toctree-l2"><a class="reference internal" href="lockout.html">Account lockout</a></li> -<li class="toctree-l2 current"><a class="current reference internal" href="">Configuring Kerberos with OpenLDAP back-end</a></li> +<li class="toctree-l2 current"><a class="current reference internal" href="#">Configuring Kerberos with OpenLDAP back-end</a></li> <li class="toctree-l2"><a class="reference internal" href="appl_servers.html">Application servers</a></li> <li class="toctree-l2"><a class="reference internal" href="host_config.html">Host configuration</a></li> <li class="toctree-l2"><a class="reference internal" href="backup_host.html">Backups of secure hosts</a></li> <li class="toctree-l2"><a class="reference internal" href="pkinit.html">PKINIT configuration</a></li> <li class="toctree-l2"><a class="reference internal" href="otp.html">OTP Preauthentication</a></li> +<li class="toctree-l2"><a class="reference internal" href="spake.html">SPAKE Preauthentication</a></li> +<li class="toctree-l2"><a class="reference internal" href="dictionary.html">Addressing dictionary attack risks</a></li> <li class="toctree-l2"><a class="reference internal" href="princ_dns.html">Principal names and DNS</a></li> <li class="toctree-l2"><a class="reference internal" href="enctypes.html">Encryption types</a></li> <li class="toctree-l2"><a class="reference internal" href="https.html">HTTPS proxy configuration</a></li> 
@@ -304,8 +260,8 @@ for initial ticket requests.</p> <div class="footer-wrapper"> <div class="footer" >
- <div class="right" ><i>Release: 1.16</i><br />
- © <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
+ <div class="right" ><i>Release: 1.21.1</i><br />
+ © <a href="../copyright.html">Copyright</a> 1985-2023, MIT.
 </div> <div class="left">
diff --git a/doc/html/admin/database.html b/doc/html/admin/database.html
index 3b52d123088c..4ab619f37c8e 100644
--- a/doc/html/admin/database.html
+++ b/doc/html/admin/database.html
@@ -1,34 +1,32 @@ + <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> - <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> - - <title>Database administration — MIT Kerberos Documentation</title> - + <title>Database administration — MIT Kerberos Documentation</title> <link rel="stylesheet" href="../_static/agogo.css" type="text/css" /> <link rel="stylesheet" href="../_static/pygments.css" type="text/css" /> <link rel="stylesheet" href="../_static/kerb.css" type="text/css" /> - <script type="text/javascript"> var DOCUMENTATION_OPTIONS = { URL_ROOT: '../', - VERSION: '1.16', + VERSION: '1.21.1', COLLAPSE_INDEX: false, FILE_SUFFIX: '.html', - HAS_SOURCE: true + HAS_SOURCE: true, + SOURCELINK_SUFFIX: '.txt' }; </script> <script type="text/javascript" src="../_static/jquery.js"></script> <script type="text/javascript" src="../_static/underscore.js"></script> <script type="text/javascript" src="../_static/doctools.js"></script> <link rel="author" title="About these documents" href="../about.html" /> + <link rel="index" title="Index" href="../genindex.html" /> + <link rel="search" title="Search" href="../search.html" /> <link rel="copyright" title="Copyright" href="../copyright.html" /> - <link rel="top" title="MIT Kerberos Documentation" href="../index.html" /> - <link rel="up" title="For administrators" href="index.html" /> - <link rel="next" title="Account lockout" href="lockout.html" /> + <link rel="next" title="Database types" href="dbtypes.html" /> <link rel="prev" title="Realm configuration decisions" href="realm_config.html" /> </head> <body> 
@@ -44,7 +42,7 @@ accesskey="C">Contents</a> | <a href="realm_config.html" title="Realm configuration decisions" accesskey="P">previous</a> |
- <a href="lockout.html" title="Account lockout"
+ <a href="dbtypes.html" title="Database types"
 accesskey="N">next</a> | <a href="../genindex.html" title="General Index" accesskey="I">index</a> |
@@ -61,683 +59,122 @@ <div class="documentwrapper"> <div class="bodywrapper"> - <div class="body"> + <div class="body" role="main"> <div class="section" id="database-administration"> <h1>Database administration<a class="headerlink" href="#database-administration" title="Permalink to this headline">¶</a></h1> -<p>A Kerberos database contains all of a realm’s Kerberos principals, +<p>A Kerberos database contains all of a realm’s Kerberos principals, their passwords, and other administrative information about each -principal. For the most part, you will use the <a class="reference internal" href="admin_commands/kdb5_util.html#kdb5-util-8"><em>kdb5_util</em></a> +principal. For the most part, you will use the <a class="reference internal" href="admin_commands/kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a> program to manipulate the Kerberos database as a whole, and the -<a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><em>kadmin</em></a> program to make changes to the entries in the +<a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> program to make changes to the entries in the database. (One notable exception is that users will use the -<a class="reference internal" href="../user/user_commands/kpasswd.html#kpasswd-1"><em>kpasswd</em></a> program to change their own passwords.) The kadmin +<a class="reference internal" href="../user/user_commands/kpasswd.html#kpasswd-1"><span class="std std-ref">kpasswd</span></a> program to change their own passwords.) 
The kadmin program has its own command-line interface, to which you type the database administrating commands.</p> -<p><a class="reference internal" href="admin_commands/kdb5_util.html#kdb5-util-8"><em>kdb5_util</em></a> provides a means to create, delete, load, or dump +<p><a class="reference internal" href="admin_commands/kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a> provides a means to create, delete, load, or dump a Kerberos database. It also contains commands to roll over the database master key, and to stash a copy of the key so that the -<a class="reference internal" href="admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a> and <a class="reference internal" href="admin_commands/krb5kdc.html#krb5kdc-8"><em>krb5kdc</em></a> daemons can use the database +<a class="reference internal" href="admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> and <a class="reference internal" href="admin_commands/krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a> daemons can use the database without manual input.</p> -<p><a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><em>kadmin</em></a> provides for the maintenance of Kerberos principals, +<p><a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> provides for the maintenance of Kerberos principals, password policies, and service key tables (keytabs). Normally it operates as a network client using Kerberos authentication to -communicate with <a class="reference internal" href="admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a>, but there is also a variant, named +communicate with <a class="reference internal" href="admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a>, but there is also a variant, named kadmin.local, which directly accesses the Kerberos database on the local filesystem (or through LDAP). 
kadmin.local is necessary to set up enough of the database to be able to use the remote version.</p> <p>kadmin can authenticate to the admin server using the service -principal <tt class="docutils literal"><span class="pre">kadmin/HOST</span></tt> (where <em>HOST</em> is the hostname of the admin -server) or <tt class="docutils literal"><span class="pre">kadmin/admin</span></tt>. If the credentials cache contains a +principal <code class="docutils literal"><span class="pre">kadmin/admin</span></code> or <code class="docutils literal"><span class="pre">kadmin/HOST</span></code> (where <em>HOST</em> is the +hostname of the admin server). If the credentials cache contains a ticket for either service principal and the <strong>-c</strong> ccache option is specified, that ticket is used to authenticate to KADM5. Otherwise, the <strong>-p</strong> and <strong>-k</strong> options are used to specify the client Kerberos principal name used to authenticate. Once kadmin has determined the -principal name, it requests a <tt class="docutils literal"><span class="pre">kadmin/admin</span></tt> Kerberos service ticket +principal name, it requests a <code class="docutils literal"><span class="pre">kadmin/admin</span></code> Kerberos service ticket from the KDC, and uses that service ticket to authenticate to KADM5.</p> -<p>See <a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><em>kadmin</em></a> for the available kadmin and kadmin.local +<p>See <a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> for the available kadmin and kadmin.local commands and options.</p> -<div class="section" id="kadmin-options"> -<h2>kadmin options<a class="headerlink" href="#kadmin-options" title="Permalink to this headline">¶</a></h2> -<p>You can invoke <a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><em>kadmin</em></a> or kadmin.local with any of the -following options:</p> 
-<p><strong>kadmin</strong> -[<strong>-O</strong>|<strong>-N</strong>] -[<strong>-r</strong> <em>realm</em>] -[<strong>-p</strong> <em>principal</em>] -[<strong>-q</strong> <em>query</em>] -[[<strong>-c</strong> <em>cache_name</em>]|[<strong>-k</strong> [<strong>-t</strong> <em>keytab</em>]]|<strong>-n</strong>] -[<strong>-w</strong> <em>password</em>] -[<strong>-s</strong> <em>admin_server</em>[:<em>port</em>]] -[command args...]</p> -<p><strong>kadmin.local</strong> -[<strong>-r</strong> <em>realm</em>] -[<strong>-p</strong> <em>principal</em>] -[<strong>-q</strong> <em>query</em>] -[<strong>-d</strong> <em>dbname</em>] -[<strong>-e</strong> <em>enc</em>:<em>salt</em> ...] -[<strong>-m</strong>] -[<strong>-x</strong> <em>db_args</em>] -[command args...]</p> -<p><strong>OPTIONS</strong></p> -<dl class="docutils"> -<dt><strong>-r</strong> <em>realm</em></dt> -<dd>Use <em>realm</em> as the default database realm.</dd> -<dt><strong>-p</strong> <em>principal</em></dt> -<dd>Use <em>principal</em> to authenticate. Otherwise, kadmin will append -<tt class="docutils literal"><span class="pre">/admin</span></tt> to the primary principal name of the default ccache, -the value of the <strong>USER</strong> environment variable, or the username as -obtained with getpwuid, in order of preference.</dd> -<dt><strong>-k</strong></dt> -<dd>Use a keytab to decrypt the KDC response instead of prompting for -a password. In this case, the default principal will be -<tt class="docutils literal"><span class="pre">host/hostname</span></tt>. If there is no keytab specified with the -<strong>-t</strong> option, then the default keytab will be used.</dd> -<dt><strong>-t</strong> <em>keytab</em></dt> -<dd>Use <em>keytab</em> to decrypt the KDC response. This can only be used -with the <strong>-k</strong> option.</dd> -<dt><strong>-n</strong></dt> -<dd>Requests anonymous processing. Two types of anonymous principals -are supported. 
For fully anonymous Kerberos, configure PKINIT on -the KDC and configure <strong>pkinit_anchors</strong> in the client’s -<a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a>. Then use the <strong>-n</strong> option with a principal -of the form <tt class="docutils literal"><span class="pre">@REALM</span></tt> (an empty principal name followed by the -at-sign and a realm name). If permitted by the KDC, an anonymous -ticket will be returned. A second form of anonymous tickets is -supported; these realm-exposed tickets hide the identity of the -client but not the client’s realm. For this mode, use <tt class="docutils literal"><span class="pre">kinit</span> -<span class="pre">-n</span></tt> with a normal principal name. If supported by the KDC, the -principal (but not realm) will be replaced by the anonymous -principal. As of release 1.8, the MIT Kerberos KDC only supports -fully anonymous operation.</dd> -<dt><strong>-c</strong> <em>credentials_cache</em></dt> -<dd>Use <em>credentials_cache</em> as the credentials cache. The -cache should contain a service ticket for the <tt class="docutils literal"><span class="pre">kadmin/ADMINHOST</span></tt> -(where <em>ADMINHOST</em> is the fully-qualified hostname of the admin -server) or <tt class="docutils literal"><span class="pre">kadmin/admin</span></tt> service; it can be acquired with the -<a class="reference internal" href="../user/user_commands/kinit.html#kinit-1"><em>kinit</em></a> program. If this option is not specified, kadmin -requests a new service ticket from the KDC, and stores it in its -own temporary ccache.</dd> -<dt><strong>-w</strong> <em>password</em></dt> -<dd>Use <em>password</em> instead of prompting for one. 
Use this option with -care, as it may expose the password to other users on the system -via the process list.</dd> -<dt><strong>-q</strong> <em>query</em></dt> -<dd>Perform the specified query and then exit.</dd> -<dt><strong>-d</strong> <em>dbname</em></dt> -<dd>Specifies the name of the KDC database. This option does not -apply to the LDAP database module.</dd> -<dt><strong>-s</strong> <em>admin_server</em>[:<em>port</em>]</dt> -<dd>Specifies the admin server which kadmin should contact.</dd> -<dt><strong>-m</strong></dt> -<dd>If using kadmin.local, prompt for the database master password -instead of reading it from a stash file.</dd> -<dt><strong>-e</strong> “<em>enc</em>:<em>salt</em> ...”</dt> -<dd>Sets the keysalt list to be used for any new keys created. See -<a class="reference internal" href="conf_files/kdc_conf.html#keysalt-lists"><em>Keysalt lists</em></a> in <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> for a list of possible -values.</dd> -<dt><strong>-O</strong></dt> -<dd>Force use of old AUTH_GSSAPI authentication flavor.</dd> -<dt><strong>-N</strong></dt> -<dd>Prevent fallback to AUTH_GSSAPI authentication flavor.</dd> -<dt><strong>-x</strong> <em>db_args</em></dt> -<dd>Specifies the database specific arguments. 
See the next section -for supported options.</dd> -</dl> -</div> -<div class="section" id="date-format"> -<h2>Date Format<a class="headerlink" href="#date-format" title="Permalink to this headline">¶</a></h2> -<p>For the supported date-time formats see <a class="reference internal" href="../basic/date_format.html#getdate"><em>getdate time</em></a> section -in <a class="reference internal" href="../basic/date_format.html#datetime"><em>Supported date and time formats</em></a>.</p> -</div> <div class="section" id="principals"> -<h2>Principals<a class="headerlink" href="#principals" title="Permalink to this headline">¶</a></h2> +<span id="id1"></span><h2>Principals<a class="headerlink" href="#principals" title="Permalink to this headline">¶</a></h2> <p>Each entry in the Kerberos database contains a Kerberos principal and the attributes and policies associated with that principal.</p> -<div class="section" id="adding-modifying-and-deleting-principals"> -<span id="add-mod-del-princs"></span><h3>Adding, modifying and deleting principals<a class="headerlink" href="#adding-modifying-and-deleting-principals" title="Permalink to this headline">¶</a></h3> -<p>To add a principal to the database, use the <a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><em>kadmin</em></a> -<strong>add_principal</strong> command.</p> -<p>To modify attributes of a principal, use the kadmin -<strong>modify_principal</strong> command.</p> -<p>To delete a principal, use the kadmin <strong>delete_principal</strong> command.</p> -</div> -<div class="section" id="add-principal"> -<h3>add_principal<a class="headerlink" href="#add-principal" title="Permalink to this headline">¶</a></h3> -<blockquote> -<div><strong>add_principal</strong> [<em>options</em>] <em>newprinc</em></div></blockquote> -<p>Creates the principal <em>newprinc</em>, prompting twice for a password. 
If -no password policy is specified with the <strong>-policy</strong> option, and the -policy named <tt class="docutils literal"><span class="pre">default</span></tt> is assigned to the principal if it exists. -However, creating a policy named <tt class="docutils literal"><span class="pre">default</span></tt> will not automatically -assign this policy to previously existing principals. This policy -assignment can be suppressed with the <strong>-clearpolicy</strong> option.</p> -<p>This command requires the <strong>add</strong> privilege.</p> -<p>Aliases: <strong>addprinc</strong>, <strong>ank</strong></p> -<p>Options:</p> -<dl class="docutils"> -<dt><strong>-expire</strong> <em>expdate</em></dt> -<dd>(<a class="reference internal" href="../basic/date_format.html#getdate"><em>getdate time</em></a> string) The expiration date of the principal.</dd> -<dt><strong>-pwexpire</strong> <em>pwexpdate</em></dt> -<dd>(<a class="reference internal" href="../basic/date_format.html#getdate"><em>getdate time</em></a> string) The password expiration date.</dd> -<dt><strong>-maxlife</strong> <em>maxlife</em></dt> -<dd>(<a class="reference internal" href="../basic/date_format.html#duration"><em>Time duration</em></a> or <a class="reference internal" href="../basic/date_format.html#getdate"><em>getdate time</em></a> string) The maximum ticket life -for the principal.</dd> -<dt><strong>-maxrenewlife</strong> <em>maxrenewlife</em></dt> -<dd>(<a class="reference internal" href="../basic/date_format.html#duration"><em>Time duration</em></a> or <a class="reference internal" href="../basic/date_format.html#getdate"><em>getdate time</em></a> string) The maximum renewable -life of tickets for the principal.</dd> -<dt><strong>-kvno</strong> <em>kvno</em></dt> -<dd>The initial key version number.</dd> -<dt><strong>-policy</strong> <em>policy</em></dt> -<dd>The password policy used by this principal. 
If not specified, the -policy <tt class="docutils literal"><span class="pre">default</span></tt> is used if it exists (unless <strong>-clearpolicy</strong> -is specified).</dd> -<dt><strong>-clearpolicy</strong></dt> -<dd>Prevents any policy from being assigned when <strong>-policy</strong> is not -specified.</dd> -<dt>{-|+}<strong>allow_postdated</strong></dt> -<dd><strong>-allow_postdated</strong> prohibits this principal from obtaining -postdated tickets. <strong>+allow_postdated</strong> clears this flag.</dd> -<dt>{-|+}<strong>allow_forwardable</strong></dt> -<dd><strong>-allow_forwardable</strong> prohibits this principal from obtaining -forwardable tickets. <strong>+allow_forwardable</strong> clears this flag.</dd> -<dt>{-|+}<strong>allow_renewable</strong></dt> -<dd><strong>-allow_renewable</strong> prohibits this principal from obtaining -renewable tickets. <strong>+allow_renewable</strong> clears this flag.</dd> -<dt>{-|+}<strong>allow_proxiable</strong></dt> -<dd><strong>-allow_proxiable</strong> prohibits this principal from obtaining -proxiable tickets. <strong>+allow_proxiable</strong> clears this flag.</dd> -<dt>{-|+}<strong>allow_dup_skey</strong></dt> -<dd><strong>-allow_dup_skey</strong> disables user-to-user authentication for this -principal by prohibiting this principal from obtaining a session -key for another user. <strong>+allow_dup_skey</strong> clears this flag.</dd> -<dt>{-|+}<strong>requires_preauth</strong></dt> -<dd><strong>+requires_preauth</strong> requires this principal to preauthenticate -before being allowed to kinit. <strong>-requires_preauth</strong> clears this -flag. 
When <strong>+requires_preauth</strong> is set on a service principal, -the KDC will only issue service tickets for that service principal -if the client’s initial authentication was performed using -preauthentication.</dd> -<dt>{-|+}<strong>requires_hwauth</strong></dt> -<dd><strong>+requires_hwauth</strong> requires this principal to preauthenticate -using a hardware device before being allowed to kinit. -<strong>-requires_hwauth</strong> clears this flag. When <strong>+requires_hwauth</strong> is -set on a service principal, the KDC will only issue service tickets -for that service principal if the client’s initial authentication was -performed using a hardware device to preauthenticate.</dd> -<dt>{-|+}<strong>ok_as_delegate</strong></dt> -<dd><strong>+ok_as_delegate</strong> sets the <strong>okay as delegate</strong> flag on tickets -issued with this principal as the service. Clients may use this -flag as a hint that credentials should be delegated when -authenticating to the service. <strong>-ok_as_delegate</strong> clears this -flag.</dd> -<dt>{-|+}<strong>allow_svr</strong></dt> -<dd><strong>-allow_svr</strong> prohibits the issuance of service tickets for this -principal. <strong>+allow_svr</strong> clears this flag.</dd> -<dt>{-|+}<strong>allow_tgs_req</strong></dt> -<dd><strong>-allow_tgs_req</strong> specifies that a Ticket-Granting Service (TGS) -request for a service ticket for this principal is not permitted. -<strong>+allow_tgs_req</strong> clears this flag.</dd> -<dt>{-|+}<strong>allow_tix</strong></dt> -<dd><strong>-allow_tix</strong> forbids the issuance of any tickets for this -principal. <strong>+allow_tix</strong> clears this flag.</dd> -<dt>{-|+}<strong>needchange</strong></dt> -<dd><strong>+needchange</strong> forces a password change on the next initial -authentication to this principal. 
<strong>-needchange</strong> clears this -flag.</dd> -<dt>{-|+}<strong>password_changing_service</strong></dt> -<dd><strong>+password_changing_service</strong> marks this principal as a password -change service principal.</dd> -<dt>{-|+}<strong>ok_to_auth_as_delegate</strong></dt> -<dd><strong>+ok_to_auth_as_delegate</strong> allows this principal to acquire -forwardable tickets to itself from arbitrary users, for use with -constrained delegation.</dd> -<dt>{-|+}<strong>no_auth_data_required</strong></dt> -<dd><strong>+no_auth_data_required</strong> prevents PAC or AD-SIGNEDPATH data from -being added to service tickets for the principal.</dd> -<dt>{-|+}<strong>lockdown_keys</strong></dt> -<dd><strong>+lockdown_keys</strong> prevents keys for this principal from leaving -the KDC via kadmind. The chpass and extract operations are denied -for a principal with this attribute. The chrand operation is -allowed, but will not return the new keys. The delete and rename -operations are also denied if this attribute is set, in order to -prevent a malicious administrator from replacing principals like -krbtgt/* or kadmin/* with new principals without the attribute. -This attribute can be set via the network protocol, but can only -be removed using kadmin.local.</dd> -<dt><strong>-randkey</strong></dt> -<dd>Sets the key of the principal to a random value.</dd> -<dt><strong>-nokey</strong></dt> -<dd>Causes the principal to be created with no key. New in release -1.12.</dd> -<dt><strong>-pw</strong> <em>password</em></dt> -<dd>Sets the password of the principal to the specified string and -does not prompt for a password. Note: using this option in a -shell script may expose the password to other users on the system -via the process list.</dd> -<dt><strong>-e</strong> <em>enc</em>:<em>salt</em>,...</dt> -<dd>Uses the specified keysalt list for setting the keys of the -principal. 
See <a class="reference internal" href="conf_files/kdc_conf.html#keysalt-lists"><em>Keysalt lists</em></a> in <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> for a -list of possible values.</dd> -<dt><strong>-x</strong> <em>db_princ_args</em></dt> -<dd><p class="first">Indicates database-specific options. The options for the LDAP -database module are:</p> -<dl class="docutils"> -<dt><strong>-x dn=</strong><em>dn</em></dt> -<dd>Specifies the LDAP object that will contain the Kerberos -principal being created.</dd> -<dt><strong>-x linkdn=</strong><em>dn</em></dt> -<dd>Specifies the LDAP object to which the newly created Kerberos -principal object will point.</dd> -<dt><strong>-x containerdn=</strong><em>container_dn</em></dt> -<dd>Specifies the container object under which the Kerberos -principal is to be created.</dd> -<dt><strong>-x tktpolicy=</strong><em>policy</em></dt> -<dd>Associates a ticket policy to the Kerberos principal.</dd> -</dl> -<div class="last admonition note"> -<p class="first admonition-title">Note</p> -<ul class="last simple"> -<li>The <strong>containerdn</strong> and <strong>linkdn</strong> options cannot be -specified with the <strong>dn</strong> option.</li> -<li>If the <em>dn</em> or <em>containerdn</em> options are not specified while -adding the principal, the principals are created under the -principal container configured in the realm or the realm -container.</li> -<li><em>dn</em> and <em>containerdn</em> should be within the subtrees or -principal container configured in the realm.</li> -</ul> -</div> -</dd> -</dl> -<p>Example:</p> -<div class="highlight-python"><div class="highlight"><pre>kadmin: addprinc jennifer -WARNING: no policy specified for "jennifer@ATHENA.MIT.EDU"; -defaulting to no policy. -Enter password for principal jennifer@ATHENA.MIT.EDU: -Re-enter password for principal jennifer@ATHENA.MIT.EDU: -Principal "jennifer@ATHENA.MIT.EDU" created. 
-kadmin: +<p>To add a principal to the database, use the <a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> +<strong>add_principal</strong> command. User principals should usually be created +with the <code class="docutils literal"><span class="pre">+requires_preauth</span> <span class="pre">-allow_svr</span></code> options to help mitigate +dictionary attacks (see <a class="reference internal" href="dictionary.html#dictionary"><span class="std std-ref">Addressing dictionary attack risks</span></a>):</p> +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">addprinc</span> <span class="o">+</span><span class="n">requires_preauth</span> <span class="o">-</span><span class="n">allow_svr</span> <span class="n">alice</span> +<span class="n">Enter</span> <span class="n">password</span> <span class="k">for</span> <span class="n">principal</span> <span class="s2">"alice@KRBTEST.COM"</span><span class="p">:</span> +<span class="n">Re</span><span class="o">-</span><span class="n">enter</span> <span class="n">password</span> <span class="k">for</span> <span class="n">principal</span> <span class="s2">"alice@KRBTEST.COM"</span><span class="p">:</span> </pre></div> </div> -</div> -<div class="section" id="modify-principal"> -<h3>modify_principal<a class="headerlink" href="#modify-principal" title="Permalink to this headline">¶</a></h3> -<blockquote> -<div><strong>modify_principal</strong> [<em>options</em>] <em>principal</em></div></blockquote> -<p>Modifies the specified principal, changing the fields as specified. -The options to <strong>add_principal</strong> also apply to this command, except -for the <strong>-randkey</strong>, <strong>-pw</strong>, and <strong>-e</strong> options. 
In addition, the -option <strong>-clearpolicy</strong> will clear the current policy of a principal.</p> -<p>This command requires the <em>modify</em> privilege.</p> -<p>Alias: <strong>modprinc</strong></p> -<p>Options (in addition to the <strong>addprinc</strong> options):</p> -<dl class="docutils"> -<dt><strong>-unlock</strong></dt> -<dd>Unlocks a locked principal (one which has received too many failed -authentication attempts without enough time between them according -to its password policy) so that it can successfully authenticate.</dd> -</dl> -</div> -<div class="section" id="delete-principal"> -<h3>delete_principal<a class="headerlink" href="#delete-principal" title="Permalink to this headline">¶</a></h3> +<p>User principals which will authenticate with <a class="reference internal" href="pkinit.html#pkinit"><span class="std std-ref">PKINIT configuration</span></a> should +instead by created with the <code class="docutils literal"><span class="pre">-nokey</span></code> option:</p> <blockquote> -<div><strong>delete_principal</strong> [<strong>-force</strong>] <em>principal</em></div></blockquote> -<p>Deletes the specified <em>principal</em> from the database. This command -prompts for deletion, unless the <strong>-force</strong> option is given.</p> -<p>This command requires the <strong>delete</strong> privilege.</p> -<p>Alias: <strong>delprinc</strong></p> -<div class="section" id="examples"> -<h4>Examples<a class="headerlink" href="#examples" title="Permalink to this headline">¶</a></h4> -<p>If you want to create a principal which is contained by a LDAP object, -all you need to do is:</p> -<div class="highlight-python"><div class="highlight"><pre>kadmin: addprinc -x dn=cn=jennifer,dc=example,dc=com jennifer -WARNING: no policy specified for "jennifer@ATHENA.MIT.EDU"; -defaulting to no policy. -Enter password for principal jennifer@ATHENA.MIT.EDU: <= Type the password. -Re-enter password for principal jennifer@ATHENA.MIT.EDU: <=Type it again. 
-Principal "jennifer@ATHENA.MIT.EDU" created. -kadmin: -</pre></div> -</div> -<p>If you want to create a principal under a specific LDAP container and -link to an existing LDAP object, all you need to do is:</p> -<div class="highlight-python"><div class="highlight"><pre>kadmin: addprinc -x containerdn=dc=example,dc=com -x linkdn=cn=david,dc=example,dc=com david -WARNING: no policy specified for "david@ATHENA.MIT.EDU"; -defaulting to no policy. -Enter password for principal david@ATHENA.MIT.EDU: <= Type the password. -Re-enter password for principal david@ATHENA.MIT.EDU: <=Type it again. -Principal "david@ATHENA.MIT.EDU" created. -kadmin: +<div>kadmin: addprinc -nokey alice</div></blockquote> +<p>Service principals can be created with the <code class="docutils literal"><span class="pre">-nokey</span></code> option; +long-term keys will be added when a keytab is generated:</p> +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">addprinc</span> <span class="o">-</span><span class="n">nokey</span> <span class="n">host</span><span class="o">/</span><span class="n">foo</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> +<span class="n">kadmin</span><span class="p">:</span> <span class="n">ktadd</span> <span class="o">-</span><span class="n">k</span> <span class="n">foo</span><span class="o">.</span><span class="n">keytab</span> <span class="n">host</span><span class="o">/</span><span class="n">foo</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> +<span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">host</span><span class="o">/</span><span class="n">foo</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> <span class="k">with</span> <span class="n">kvno</span> <span 
class="mi">1</span><span class="p">,</span> <span class="n">encryption</span> <span class="nb">type</span> <span class="n">aes256</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span> <span class="n">added</span> <span class="n">to</span> <span class="n">keytab</span> <span class="n">WRFILE</span><span class="p">:</span><span class="n">foo</span><span class="o">.</span><span class="n">keytab</span><span class="o">.</span> +<span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">host</span><span class="o">/</span><span class="n">foo</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">1</span><span class="p">,</span> <span class="n">encryption</span> <span class="nb">type</span> <span class="n">aes128</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span> <span class="n">added</span> <span class="n">to</span> <span class="n">keytab</span> <span class="n">WRFILE</span><span class="p">:</span><span class="n">foo</span><span class="o">.</span><span class="n">keytab</span><span class="o">.</span> </pre></div> </div> -<p>If you want to associate a ticket policy to a principal, all you need -to do is:</p> -<div class="highlight-python"><div class="highlight"><pre>kadmin: modprinc -x tktpolicy=userpolicy david -Principal "david@ATHENA.MIT.EDU" modified. 
-kadmin: +<p>To modify attributes of an existing principal, use the kadmin +<strong>modify_principal</strong> command:</p> +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">modprinc</span> <span class="o">-</span><span class="n">expire</span> <span class="n">tomorrow</span> <span class="n">alice</span> +<span class="n">Principal</span> <span class="s2">"alice@KRBTEST.COM"</span> <span class="n">modified</span><span class="o">.</span> </pre></div> </div> -<p>If, on the other hand, you want to set up an account that expires on -January 1, 2000, that uses a policy called “stduser”, with a temporary -password (which you want the user to change immediately), you would -type the following:</p> -<div class="highlight-python"><div class="highlight"><pre>kadmin: addprinc david -expire "1/1/2000 12:01am EST" -policy stduser +needchange -Enter password for principal david@ATHENA.MIT.EDU: <= Type the password. -Re-enter password for principal -david@ATHENA.MIT.EDU: <= Type it again. -Principal "david@ATHENA.MIT.EDU" created. -kadmin: +<p>To delete a principal, use the kadmin <strong>delete_principal</strong> command:</p> +<div class="highlight-default"><div class="highlight"><pre><span></span>kadmin: delprinc alice +Are you sure you want to delete the principal "alice@KRBTEST.COM"? (yes/no): yes +Principal "alice@KRBTEST.COM" deleted. +Make sure that you have removed this principal from all ACLs before reusing. </pre></div> </div> -<p>If you want to delete a principal:</p> -<div class="highlight-python"><div class="highlight"><pre>kadmin: delprinc jennifer -Are you sure you want to delete the principal -"jennifer@ATHENA.MIT.EDU"? (yes/no): yes -Principal "jennifer@ATHENA.MIT.EDU" deleted. -Make sure that you have removed this principal from -all ACLs before reusing. 
-kadmin: -</pre></div> -</div> -</div> -</div> -<div class="section" id="retrieving-information-about-a-principal"> -<h3>Retrieving information about a principal<a class="headerlink" href="#retrieving-information-about-a-principal" title="Permalink to this headline">¶</a></h3> -<p>To retrieve a listing of the attributes and/or policies associated -with a principal, use the <a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><em>kadmin</em></a> <strong>get_principal</strong> command.</p> +<p>To change a principal’s password, use the kadmin <strong>change_password</strong> +command. Password changes made through kadmin are subject to the same +password policies as would apply to password changes made through +<a class="reference internal" href="../user/user_commands/kpasswd.html#kpasswd-1"><span class="std std-ref">kpasswd</span></a>.</p> +<p>To view the attributes of a principal, use the kadmin` +<strong>get_principal</strong> command.</p> <p>To generate a listing of principals, use the kadmin <strong>list_principals</strong> command.</p> </div> -<div class="section" id="get-principal"> -<h3>get_principal<a class="headerlink" href="#get-principal" title="Permalink to this headline">¶</a></h3> -<blockquote> -<div><strong>get_principal</strong> [<strong>-terse</strong>] <em>principal</em></div></blockquote> -<p>Gets the attributes of principal. 
With the <strong>-terse</strong> option, outputs -fields as quoted tab-separated strings.</p> -<p>This command requires the <strong>inquire</strong> privilege, or that the principal -running the the program to be the same as the one being listed.</p> -<p>Alias: <strong>getprinc</strong></p> -<p>Examples:</p> -<div class="highlight-python"><div class="highlight"><pre>kadmin: getprinc tlyu/admin -Principal: tlyu/admin@BLEEP.COM -Expiration date: [never] -Last password change: Mon Aug 12 14:16:47 EDT 1996 -Password expiration date: [none] -Maximum ticket life: 0 days 10:00:00 -Maximum renewable life: 7 days 00:00:00 -Last modified: Mon Aug 12 14:16:47 EDT 1996 (bjaspan/admin@BLEEP.COM) -Last successful authentication: [never] -Last failed authentication: [never] -Failed password attempts: 0 -Number of keys: 2 -Key: vno 1, des-cbc-crc -Key: vno 1, des-cbc-crc:v4 -Attributes: -Policy: [none] - -kadmin: getprinc -terse systest -systest@BLEEP.COM 3 86400 604800 1 -785926535 753241234 785900000 -tlyu/admin@BLEEP.COM 786100034 0 0 -kadmin: -</pre></div> -</div> -</div> -<div class="section" id="list-principals"> -<h3>list_principals<a class="headerlink" href="#list-principals" title="Permalink to this headline">¶</a></h3> -<blockquote> -<div><strong>list_principals</strong> [<em>expression</em>]</div></blockquote> -<p>Retrieves all or some principal names. <em>expression</em> is a shell-style -glob expression that can contain the wild-card characters <tt class="docutils literal"><span class="pre">?</span></tt>, -<tt class="docutils literal"><span class="pre">*</span></tt>, and <tt class="docutils literal"><span class="pre">[]</span></tt>. All principal names matching the expression are -printed. If no expression is provided, all principal names are -printed. 
If the expression does not contain an <tt class="docutils literal"><span class="pre">@</span></tt> character, an -<tt class="docutils literal"><span class="pre">@</span></tt> character followed by the local realm is appended to the -expression.</p> -<p>This command requires the <strong>list</strong> privilege.</p> -<p>Alias: <strong>listprincs</strong>, <strong>get_principals</strong>, <strong>get_princs</strong></p> -<p>Example:</p> -<div class="highlight-python"><div class="highlight"><pre>kadmin: listprincs test* -test3@SECURE-TEST.OV.COM -test2@SECURE-TEST.OV.COM -test1@SECURE-TEST.OV.COM -testuser@SECURE-TEST.OV.COM -kadmin: -</pre></div> -</div> -</div> -<div class="section" id="changing-passwords"> -<h3>Changing passwords<a class="headerlink" href="#changing-passwords" title="Permalink to this headline">¶</a></h3> -<p>To change a principal’s password use the <a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><em>kadmin</em></a> -<strong>change_password</strong> command.</p> -</div> -<div class="section" id="change-password"> -<h3>change_password<a class="headerlink" href="#change-password" title="Permalink to this headline">¶</a></h3> -<blockquote> -<div><strong>change_password</strong> [<em>options</em>] <em>principal</em></div></blockquote> -<p>Changes the password of <em>principal</em>. Prompts for a new password if -neither <strong>-randkey</strong> or <strong>-pw</strong> is specified.</p> -<p>This command requires the <strong>changepw</strong> privilege, or that the -principal running the program is the same as the principal being -changed.</p> -<p>Alias: <strong>cpw</strong></p> -<p>The following options are available:</p> -<dl class="docutils"> -<dt><strong>-randkey</strong></dt> -<dd>Sets the key of the principal to a random value.</dd> -<dt><strong>-pw</strong> <em>password</em></dt> -<dd>Set the password to the specified string. 
Using this option in a -script may expose the password to other users on the system via -the process list.</dd> -<dt><strong>-e</strong> <em>enc</em>:<em>salt</em>,...</dt> -<dd>Uses the specified keysalt list for setting the keys of the -principal. See <a class="reference internal" href="conf_files/kdc_conf.html#keysalt-lists"><em>Keysalt lists</em></a> in <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> for a -list of possible values.</dd> -<dt><strong>-keepold</strong></dt> -<dd>Keeps the existing keys in the database. This flag is usually not -necessary except perhaps for <tt class="docutils literal"><span class="pre">krbtgt</span></tt> principals.</dd> -</dl> -<p>Example:</p> -<div class="highlight-python"><div class="highlight"><pre>kadmin: cpw systest -Enter password for principal systest@BLEEP.COM: -Re-enter password for principal systest@BLEEP.COM: -Password for systest@BLEEP.COM changed. -kadmin: -</pre></div> -</div> -<div class="admonition note"> -<p class="first admonition-title">Note</p> -<p class="last">Password changes through kadmin are subject to the same -password policies as would apply to password changes through -<a class="reference internal" href="../user/user_commands/kpasswd.html#kpasswd-1"><em>kpasswd</em></a>.</p> -</div> -</div> -</div> <div class="section" id="policies"> -<span id="id1"></span><h2>Policies<a class="headerlink" href="#policies" title="Permalink to this headline">¶</a></h2> +<span id="id2"></span><h2>Policies<a class="headerlink" href="#policies" title="Permalink to this headline">¶</a></h2> <p>A policy is a set of rules governing passwords. 
Policies can dictate minimum and maximum password lifetimes, minimum number of characters and character classes a password must contain, and the number of old passwords kept in the database.</p> -<div class="section" id="adding-modifying-and-deleting-policies"> -<h3>Adding, modifying and deleting policies<a class="headerlink" href="#adding-modifying-and-deleting-policies" title="Permalink to this headline">¶</a></h3> -<p>To add a new policy, use the <a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><em>kadmin</em></a> <strong>add_policy</strong> command.</p> -<p>To modify attributes of a principal, use the kadmin <strong>modify_policy</strong> -command.</p> -<p>To delete a policy, use the kadmin <strong>delete_policy</strong> command.</p> -</div> -<div class="section" id="add-policy"> -<h3>add_policy<a class="headerlink" href="#add-policy" title="Permalink to this headline">¶</a></h3> -<blockquote> -<div><strong>add_policy</strong> [<em>options</em>] <em>policy</em></div></blockquote> -<p>Adds a password policy named <em>policy</em> to the database.</p> -<p>This command requires the <strong>add</strong> privilege.</p> -<p>Alias: <strong>addpol</strong></p> -<p>The following options are available:</p> -<dl class="docutils"> -<dt><strong>-maxlife</strong> <em>time</em></dt> -<dd>(<a class="reference internal" href="../basic/date_format.html#duration"><em>Time duration</em></a> or <a class="reference internal" href="../basic/date_format.html#getdate"><em>getdate time</em></a> string) Sets the maximum -lifetime of a password.</dd> -<dt><strong>-minlife</strong> <em>time</em></dt> -<dd>(<a class="reference internal" href="../basic/date_format.html#duration"><em>Time duration</em></a> or <a class="reference internal" href="../basic/date_format.html#getdate"><em>getdate time</em></a> string) Sets the minimum -lifetime of a password.</dd> -<dt><strong>-minlength</strong> <em>length</em></dt> -<dd>Sets the minimum length of a password.</dd> 
-<dt><strong>-minclasses</strong> <em>number</em></dt> -<dd>Sets the minimum number of character classes required in a -password. The five character classes are lower case, upper case, -numbers, punctuation, and whitespace/unprintable characters.</dd> -<dt><strong>-history</strong> <em>number</em></dt> -<dd>Sets the number of past keys kept for a principal. This option is -not supported with the LDAP KDC database module.</dd> -</dl> -<dl class="docutils" id="policy-maxfailure"> -<dt><strong>-maxfailure</strong> <em>maxnumber</em></dt> -<dd>Sets the number of authentication failures before the principal is -locked. Authentication failures are only tracked for principals -which require preauthentication. The counter of failed attempts -resets to 0 after a successful attempt to authenticate. A -<em>maxnumber</em> value of 0 (the default) disables lockout.</dd> -</dl> -<dl class="docutils" id="policy-failurecountinterval"> -<dt><strong>-failurecountinterval</strong> <em>failuretime</em></dt> -<dd>(<a class="reference internal" href="../basic/date_format.html#duration"><em>Time duration</em></a> or <a class="reference internal" href="../basic/date_format.html#getdate"><em>getdate time</em></a> string) Sets the allowable time -between authentication failures. If an authentication failure -happens after <em>failuretime</em> has elapsed since the previous -failure, the number of authentication failures is reset to 1. 
A -<em>failuretime</em> value of 0 (the default) means forever.</dd> -</dl> -<dl class="docutils" id="policy-lockoutduration"> -<dt><strong>-lockoutduration</strong> <em>lockouttime</em></dt> -<dd>(<a class="reference internal" href="../basic/date_format.html#duration"><em>Time duration</em></a> or <a class="reference internal" href="../basic/date_format.html#getdate"><em>getdate time</em></a> string) Sets the duration for -which the principal is locked from authenticating if too many -authentication failures occur without the specified failure count -interval elapsing. A duration of 0 (the default) means the -principal remains locked out until it is administratively unlocked -with <tt class="docutils literal"><span class="pre">modprinc</span> <span class="pre">-unlock</span></tt>.</dd> -<dt><strong>-allowedkeysalts</strong></dt> -<dd>Specifies the key/salt tuples supported for long-term keys when -setting or changing a principal’s password/keys. See -<a class="reference internal" href="conf_files/kdc_conf.html#keysalt-lists"><em>Keysalt lists</em></a> in <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> for a list of the -accepted values, but note that key/salt tuples must be separated -with commas (‘,’) only. To clear the allowed key/salt policy use -a value of ‘-‘.</dd> -</dl> -<p>Example:</p> -<div class="highlight-python"><div class="highlight"><pre>kadmin: add_policy -maxlife "2 days" -minlength 5 guests -kadmin: -</pre></div> -</div> -</div> -<div class="section" id="modify-policy"> -<h3>modify_policy<a class="headerlink" href="#modify-policy" title="Permalink to this headline">¶</a></h3> -<blockquote> -<div><strong>modify_policy</strong> [<em>options</em>] <em>policy</em></div></blockquote> -<p>Modifies the password policy named <em>policy</em>. 
Options are as described -for <strong>add_policy</strong>.</p> -<p>This command requires the <strong>modify</strong> privilege.</p> -<p>Alias: <strong>modpol</strong></p> -</div> -<div class="section" id="delete-policy"> -<h3>delete_policy<a class="headerlink" href="#delete-policy" title="Permalink to this headline">¶</a></h3> -<blockquote> -<div><strong>delete_policy</strong> [<strong>-force</strong>] <em>policy</em></div></blockquote> -<p>Deletes the password policy named <em>policy</em>. Prompts for confirmation -before deletion. The command will fail if the policy is in use by any -principals.</p> -<p>This command requires the <strong>delete</strong> privilege.</p> -<p>Alias: <strong>delpol</strong></p> -<p>Example:</p> -<div class="highlight-python"><div class="highlight"><pre>kadmin: del_policy guests -Are you sure you want to delete the policy "guests"? -(yes/no): yes -kadmin: -</pre></div> -</div> -<div class="admonition note"> -<p class="first admonition-title">Note</p> -<p class="last">You must cancel the policy from <em>all</em> principals before -deleting it. The <em>delete_policy</em> command will fail if the policy -is in use by any principals.</p> -</div> -</div> -<div class="section" id="retrieving-policies"> -<h3>Retrieving policies<a class="headerlink" href="#retrieving-policies" title="Permalink to this headline">¶</a></h3> -<p>To retrieve a policy, use the <a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><em>kadmin</em></a> <strong>get_policy</strong> command.</p> -<p>You can retrieve the list of policies with the kadmin -<strong>list_policies</strong> command.</p> -</div> -<div class="section" id="get-policy"> -<h3>get_policy<a class="headerlink" href="#get-policy" title="Permalink to this headline">¶</a></h3> -<blockquote> -<div><strong>get_policy</strong> [ <strong>-terse</strong> ] <em>policy</em></div></blockquote> -<p>Displays the values of the password policy named <em>policy</em>. 
With the -<strong>-terse</strong> flag, outputs the fields as quoted strings separated by -tabs.</p> -<p>This command requires the <strong>inquire</strong> privilege.</p> -<p>Alias: getpol</p> -<p>Examples:</p> -<div class="highlight-python"><div class="highlight"><pre>kadmin: get_policy admin -Policy: admin -Maximum password life: 180 days 00:00:00 -Minimum password life: 00:00:00 -Minimum password length: 6 -Minimum number of password character classes: 2 -Number of old keys kept: 5 -Reference count: 17 - -kadmin: get_policy -terse admin -admin 15552000 0 6 2 5 17 -kadmin: +<p>To add a new policy, use the <a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> <strong>add_policy</strong> command:</p> +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">addpol</span> <span class="o">-</span><span class="n">maxlife</span> <span class="s2">"1 year"</span> <span class="o">-</span><span class="n">history</span> <span class="mi">3</span> <span class="n">stduser</span> </pre></div> </div> -<p>The “Reference count” is the number of principals using that policy. -With the LDAP KDC database module, the reference count field is not -meaningful.</p> -</div> -<div class="section" id="list-policies"> -<h3>list_policies<a class="headerlink" href="#list-policies" title="Permalink to this headline">¶</a></h3> +<p>To modify attributes of a principal, use the kadmin <strong>modify_policy</strong> +command. To delete a policy, use the kadmin <strong>delete_policy</strong> +command.</p> +<p>To associate a policy with a principal, use the kadmin +<strong>modify_principal</strong> command with the <strong>-policy</strong> option:</p> <blockquote> -<div><strong>list_policies</strong> [<em>expression</em>]</div></blockquote> -<p>Retrieves all or some policy names. 
<em>expression</em> is a shell-style -glob expression that can contain the wild-card characters <tt class="docutils literal"><span class="pre">?</span></tt>, -<tt class="docutils literal"><span class="pre">*</span></tt>, and <tt class="docutils literal"><span class="pre">[]</span></tt>. All policy names matching the expression are -printed. If no expression is provided, all existing policy names are -printed.</p> -<p>This command requires the <strong>list</strong> privilege.</p> -<p>Aliases: <strong>listpols</strong>, <strong>get_policies</strong>, <strong>getpols</strong>.</p> -<p>Examples:</p> -<div class="highlight-python"><div class="highlight"><pre>kadmin: listpols -test-pol -dict-only -once-a-min -test-pol-nopw - -kadmin: listpols t* -test-pol -test-pol-nopw -kadmin: -</pre></div> -</div> -</div> -<div class="section" id="policies-and-principals"> -<h3>Policies and principals<a class="headerlink" href="#policies-and-principals" title="Permalink to this headline">¶</a></h3> -<p>Policies can be applied to principals as they are created by using -the <strong>-policy</strong> flag to <a class="reference internal" href="admin_commands/kadmin_local.html#add-principal"><em>add_principal</em></a>. Existing principals can -be modified by using the <strong>-policy</strong> or <strong>-clearpolicy</strong> flag to -<a class="reference internal" href="admin_commands/kadmin_local.html#modify-principal"><em>modify_principal</em></a>.</p> -</div> +<div>kadmin: modprinc -policy stduser alice +Principal “<a class="reference external" href="mailto:alice%40KRBTEST.COM">alice<span>@</span>KRBTEST<span>.</span>COM</a>” modified.</div></blockquote> +<p>A principal entry may be associated with a nonexistent policy, either +because the policy did not exist at the time of associated or was +deleted afterwards. 
kadmin will warn when associated a principal with +a nonexistent policy, and will annotate the policy name with “[does +not exist]” in the <strong>get_principal</strong> output.</p> <div class="section" id="updating-the-history-key"> -<h3>Updating the history key<a class="headerlink" href="#updating-the-history-key" title="Permalink to this headline">¶</a></h3> +<span id="updating-history-key"></span><h3>Updating the history key<a class="headerlink" href="#updating-the-history-key" title="Permalink to this headline">¶</a></h3> <p>If a policy specifies a number of old keys kept of two or more, the stored old keys are encrypted in a history key, which is found in the -key data of the <tt class="docutils literal"><span class="pre">kadmin/history</span></tt> principal.</p> +key data of the <code class="docutils literal"><span class="pre">kadmin/history</span></code> principal.</p> <p>Currently there is no support for proper rollover of the history key, but you can change the history key (for example, to use a better encryption type) at the cost of invalidating currently stored old keys. To change the history key, run:</p> -<div class="highlight-python"><div class="highlight"><pre>kadmin: change_password -randkey kadmin/history +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">change_password</span> <span class="o">-</span><span class="n">randkey</span> <span class="n">kadmin</span><span class="o">/</span><span class="n">history</span> </pre></div> </div> <p>This command will fail if you specify the <strong>-keepold</strong> flag. Only one 
@@ -749,213 +186,74 @@ rollover support for stored old keys.</p> </div> </div> <div class="section" id="privileges"> -<span id="id2"></span><h2>Privileges<a class="headerlink" href="#privileges" title="Permalink to this headline">¶</a></h2> +<span id="id3"></span><h2>Privileges<a class="headerlink" href="#privileges" title="Permalink to this headline">¶</a></h2> <p>Administrative privileges for the Kerberos database are stored in the -file <a class="reference internal" href="conf_files/kadm5_acl.html#kadm5-acl-5"><em>kadm5.acl</em></a>.</p> +file <a class="reference internal" href="conf_files/kadm5_acl.html#kadm5-acl-5"><span class="std std-ref">kadm5.acl</span></a>.</p> <div class="admonition note"> <p class="first admonition-title">Note</p> <p class="last">A common use of an admin instance is so you can grant separate permissions (such as administrator access to the Kerberos database) to a separate Kerberos principal. For -example, the user <tt class="docutils literal"><span class="pre">joeadmin</span></tt> might have a principal for -his administrative use, called <tt class="docutils literal"><span class="pre">joeadmin/admin</span></tt>. This -way, <tt class="docutils literal"><span class="pre">joeadmin</span></tt> would obtain <tt class="docutils literal"><span class="pre">joeadmin/admin</span></tt> tickets +example, the user <code class="docutils literal"><span class="pre">joeadmin</span></code> might have a principal for +his administrative use, called <code class="docutils literal"><span class="pre">joeadmin/admin</span></code>. 
This +way, <code class="docutils literal"><span class="pre">joeadmin</span></code> would obtain <code class="docutils literal"><span class="pre">joeadmin/admin</span></code> tickets only when he actually needs to use those permissions.</p> </div> </div> <div class="section" id="operations-on-the-kerberos-database"> <span id="db-operations"></span><h2>Operations on the Kerberos database<a class="headerlink" href="#operations-on-the-kerberos-database" title="Permalink to this headline">¶</a></h2> -<p>The <a class="reference internal" href="admin_commands/kdb5_util.html#kdb5-util-8"><em>kdb5_util</em></a> command is the primary tool for administrating -the Kerberos database.</p> -<p><strong>kdb5_util</strong> -[<strong>-r</strong> <em>realm</em>] -[<strong>-d</strong> <em>dbname</em>] -[<strong>-k</strong> <em>mkeytype</em>] -[<strong>-M</strong> <em>mkeyname</em>] -[<strong>-kv</strong> <em>mkeyVNO</em>] -[<strong>-sf</strong> <em>stashfilename</em>] -[<strong>-m</strong>] -<em>command</em> [<em>command_options</em>]</p> -<p><strong>OPTIONS</strong></p> -<dl class="docutils"> -<dt><strong>-r</strong> <em>realm</em></dt> -<dd>specifies the Kerberos realm of the database.</dd> -<dt><strong>-d</strong> <em>dbname</em></dt> -<dd>specifies the name under which the principal database is stored; -by default the database is that listed in <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>. The -password policy database and lock files are also derived from this -value.</dd> -<dt><strong>-k</strong> <em>mkeytype</em></dt> -<dd>specifies the key type of the master key in the database. The -default is given by the <strong>master_key_type</strong> variable in -<a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>.</dd> -<dt><strong>-kv</strong> <em>mkeyVNO</em></dt> -<dd>Specifies the version number of the master key in the database; -the default is 1. 
Note that 0 is not allowed.</dd> -<dt><strong>-M</strong> <em>mkeyname</em></dt> -<dd>principal name for the master key in the database. If not -specified, the name is determined by the <strong>master_key_name</strong> -variable in <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>.</dd> -<dt><strong>-m</strong></dt> -<dd>specifies that the master database password should be read from -the keyboard rather than fetched from a file on disk.</dd> -<dt><strong>-sf</strong> <em>stash_file</em></dt> -<dd>specifies the stash filename of the master database password. If -not specified, the filename is determined by the -<strong>key_stash_file</strong> variable in <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>.</dd> -<dt><strong>-P</strong> <em>password</em></dt> -<dd>specifies the master database password. Using this option may -expose the password to other users on the system via the process -list.</dd> -</dl> -<div class="toctree-wrapper compound"> -<ul class="simple"> -</ul> -</div> -<div class="section" id="dumping-a-kerberos-database-to-a-file"> -<h3>Dumping a Kerberos database to a file<a class="headerlink" href="#dumping-a-kerberos-database-to-a-file" title="Permalink to this headline">¶</a></h3> -<p>To dump a Kerberos database into a file, use the <a class="reference internal" href="admin_commands/kdb5_util.html#kdb5-util-8"><em>kdb5_util</em></a> -<strong>dump</strong> command on one of the KDCs.</p> -<blockquote> -<div><strong>dump</strong> [<strong>-b7</strong>|<strong>-ov</strong>|<strong>-r13</strong>] [<strong>-verbose</strong>] -[<strong>-mkey_convert</strong>] [<strong>-new_mkey_file</strong> <em>mkey_file</em>] [<strong>-rev</strong>] -[<strong>-recurse</strong>] [<em>filename</em> [<em>principals</em>...]]</div></blockquote> -<p>Dumps the current Kerberos and KADM5 database into an ASCII file. 
By -default, the database is dumped in current format, “kdb5_util -load_dump version 7”. If filename is not specified, or is the string -“-”, the dump is sent to standard output. Options:</p> -<dl class="docutils"> -<dt><strong>-b7</strong></dt> -<dd>causes the dump to be in the Kerberos 5 Beta 7 format (“kdb5_util -load_dump version 4”). This was the dump format produced on -releases prior to 1.2.2.</dd> -<dt><strong>-ov</strong></dt> -<dd>causes the dump to be in “ovsec_adm_export” format.</dd> -<dt><strong>-r13</strong></dt> -<dd>causes the dump to be in the Kerberos 5 1.3 format (“kdb5_util -load_dump version 5”). This was the dump format produced on -releases prior to 1.8.</dd> -<dt><strong>-r18</strong></dt> -<dd>causes the dump to be in the Kerberos 5 1.8 format (“kdb5_util -load_dump version 6”). This was the dump format produced on -releases prior to 1.11.</dd> -<dt><strong>-verbose</strong></dt> -<dd>causes the name of each principal and policy to be printed as it -is dumped.</dd> -<dt><strong>-mkey_convert</strong></dt> -<dd>prompts for a new master key. This new master key will be used to -re-encrypt principal key data in the dumpfile. The principal keys -themselves will not be changed.</dd> -<dt><strong>-new_mkey_file</strong> <em>mkey_file</em></dt> -<dd>the filename of a stash file. The master key in this stash file -will be used to re-encrypt the key data in the dumpfile. The key -data in the database will not be changed.</dd> -<dt><strong>-rev</strong></dt> -<dd>dumps in reverse order. This may recover principals that do not -dump normally, in cases where database corruption has occurred.</dd> -<dt><strong>-recurse</strong></dt> -<dd><p class="first">causes the dump to walk the database recursively (btree only). -This may recover principals that do not dump normally, in cases -where database corruption has occurred. 
In cases of such -corruption, this option will probably retrieve more principals -than the <strong>-rev</strong> option will.</p> -<div class="versionchanged"> -<p><span class="versionmodified">Changed in version 1.15: </span>Release 1.15 restored the functionality of the <strong>-recurse</strong> -option.</p> +<p>The <a class="reference internal" href="admin_commands/kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a> command is the primary tool for administrating +the Kerberos database when using the DB2 or LMDB modules (see +<a class="reference internal" href="dbtypes.html#dbtypes"><span class="std std-ref">Database types</span></a>). Creating a database is described in +<a class="reference internal" href="install_kdc.html#create-db"><span class="std std-ref">Create the KDC database</span></a>.</p> +<p>To create a stash file using the master password (because the database +was not created with one using the <code class="docutils literal"><span class="pre">create</span> <span class="pre">-s</span></code> flag, or after +restoring from a backup which did not contain the stash file), use the +kdb5_util <strong>stash</strong> command:</p> +<div class="highlight-default"><div class="highlight"><pre><span></span>$ kdb5_util stash +kdb5_util: Cannot find/read stored master key while reading master key +kdb5_util: Warning: proceeding without master key +Enter KDC database master key: <= Type the KDC database master password. +</pre></div> </div> -<div class="last versionchanged"> -<p><span class="versionmodified">Changed in version 1.5: </span>The <strong>-recurse</strong> option ceased working until release 1.15, -doing a normal dump instead of a recursive traversal.</p> +<p>To destroy a database, use the kdb5_util destroy command:</p> +<div class="highlight-default"><div class="highlight"><pre><span></span>$ kdb5_util destroy +Deleting KDC database stored in '/var/krb5kdc/principal', are you sure? +(type 'yes' to confirm)? 
yes +OK, deleting database '/var/krb5kdc/principal'... +** Database '/var/krb5kdc/principal' destroyed. +</pre></div> </div> -</dd> -</dl> -<div class="section" id="id3"> -<h4>Examples<a class="headerlink" href="#id3" title="Permalink to this headline">¶</a></h4> -<div class="highlight-python"><div class="highlight"><pre>shell% kdb5_util dump dumpfile -shell% +<div class="section" id="dumping-and-loading-a-kerberos-database"> +<span id="restore-from-dump"></span><h3>Dumping and loading a Kerberos database<a class="headerlink" href="#dumping-and-loading-a-kerberos-database" title="Permalink to this headline">¶</a></h3> +<p>To dump a Kerberos database into a text file for backup or transfer +purposes, use the <a class="reference internal" href="admin_commands/kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a> <strong>dump</strong> command on one of the +KDCs:</p> +<div class="highlight-default"><div class="highlight"><pre><span></span>$ kdb5_util dump dumpfile -shell% kbd5_util dump -verbose dumpfile +$ kbd5_util dump -verbose dumpfile kadmin/admin@ATHENA.MIT.EDU krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU kadmin/history@ATHENA.MIT.EDU K/M@ATHENA.MIT.EDU kadmin/changepw@ATHENA.MIT.EDU -shell% </pre></div> </div> -<p>If you specify which principals to dump, you must use the full -principal, as in the following example:</p> -<div class="highlight-python"><div class="highlight"><pre>shell% kdb5_util dump -verbose dumpfile K/M@ATHENA.MIT.EDU kadmin/admin@ATHENA.MIT.EDU +<p>You may specify which principals to dump, using full principal names +including realm:</p> +<div class="highlight-default"><div class="highlight"><pre><span></span>$ kdb5_util dump -verbose someprincs K/M@ATHENA.MIT.EDU kadmin/admin@ATHENA.MIT.EDU kadmin/admin@ATHENA.MIT.EDU K/M@ATHENA.MIT.EDU -shell% </pre></div> </div> -<p>Otherwise, the principals will not match those in the database and -will not be dumped:</p> -<div class="highlight-python"><div class="highlight"><pre>shell% 
kdb5_util dump -verbose dumpfile K/M kadmin/admin -shell% +<p>To restore a Kerberos database dump from a file, use the +<a class="reference internal" href="admin_commands/kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a> <strong>load</strong> command:</p> +<div class="highlight-default"><div class="highlight"><pre><span></span>$ kdb5_util load dumpfile </pre></div> </div> -<p>If you do not specify a dump file, kdb5_util will dump the database to -the standard output.</p> -</div> -</div> -<div class="section" id="restoring-a-kerberos-database-from-a-dump-file"> -<span id="restore-from-dump"></span><h3>Restoring a Kerberos database from a dump file<a class="headerlink" href="#restoring-a-kerberos-database-from-a-dump-file" title="Permalink to this headline">¶</a></h3> -<p>To restore a Kerberos database dump from a file, use the -<a class="reference internal" href="admin_commands/kdb5_util.html#kdb5-util-8"><em>kdb5_util</em></a> <strong>load</strong> command on one of the KDCs.</p> -<blockquote> -<div><strong>load</strong> [<strong>-b7</strong>|<strong>-ov</strong>|<strong>-r13</strong>] [<strong>-hash</strong>] -[<strong>-verbose</strong>] [<strong>-update</strong>] <em>filename</em> [<em>dbname</em>]</div></blockquote> -<p>Loads a database dump from the named file into the named database. If -no option is given to determine the format of the dump file, the -format is detected automatically and handled as appropriate. Unless -the <strong>-update</strong> option is given, <strong>load</strong> creates a new database -containing only the data in the dump file, overwriting the contents of -any previously existing database. Note that when using the LDAP KDC -database module, the <strong>-update</strong> flag is required.</p> -<p>Options:</p> -<dl class="docutils"> -<dt><strong>-b7</strong></dt> -<dd>requires the database to be in the Kerberos 5 Beta 7 format -(“kdb5_util load_dump version 4”). 
This was the dump format -produced on releases prior to 1.2.2.</dd> -<dt><strong>-ov</strong></dt> -<dd>requires the database to be in “ovsec_adm_import” format. Must be -used with the <strong>-update</strong> option.</dd> -<dt><strong>-r13</strong></dt> -<dd>requires the database to be in Kerberos 5 1.3 format (“kdb5_util -load_dump version 5”). This was the dump format produced on -releases prior to 1.8.</dd> -<dt><strong>-r18</strong></dt> -<dd>requires the database to be in Kerberos 5 1.8 format (“kdb5_util -load_dump version 6”). This was the dump format produced on -releases prior to 1.11.</dd> -<dt><strong>-hash</strong></dt> -<dd>requires the database to be stored as a hash. If this option is -not specified, the database will be stored as a btree. This -option is not recommended, as databases stored in hash format are -known to corrupt data and lose principals.</dd> -<dt><strong>-verbose</strong></dt> -<dd>causes the name of each principal and policy to be printed as it -is dumped.</dd> -<dt><strong>-update</strong></dt> -<dd>records from the dump file are added to or updated in the existing -database. 
Otherwise, a new database is created containing only -what is in the dump file and the old one destroyed upon successful -completion.</dd> -</dl> -<p>If specified, <em>dbname</em> overrides the value specified on the command -line or the default.</p> -<div class="section" id="id4"> -<h4>Examples<a class="headerlink" href="#id4" title="Permalink to this headline">¶</a></h4> -<p>To load a single principal, either replacing or updating the database:</p> -<div class="highlight-python"><div class="highlight"><pre>shell% kdb5_util load dumpfile principal -shell% - -shell% kdb5_util load -update dumpfile principal -shell% +<p>To update an existing database with a partial dump file containing +only some principals, use the <code class="docutils literal"><span class="pre">-update</span></code> flag:</p> +<div class="highlight-default"><div class="highlight"><pre><span></span>$ kdb5_util load -update someprincs </pre></div> </div> <div class="admonition note"> 
@@ -963,139 +261,63 @@ shell% <p class="last">If the database file exists, and the <em>-update</em> flag was not given, <em>kdb5_util</em> will overwrite the existing database.</p> </div> -<p>Using kdb5_util to upgrade a master KDC from krb5 1.1.x:</p> -<div class="highlight-python"><div class="highlight"><pre>shell% kdb5_util dump old-kdb-dump -shell% kdb5_util dump -ov old-kdb-dump.ov - [Create a new KDC installation, using the old stash file/master password] -shell% kdb5_util load old-kdb-dump -shell% kdb5_util load -update old-kdb-dump.ov -</pre></div> -</div> -<p>The use of old-kdb-dump.ov for an extra dump and load is necessary -to preserve per-principal policy information, which is not included in -the default dump format of krb5 1.1.x.</p> -<div class="admonition note"> -<p class="first admonition-title">Note</p> -<p class="last">Using kdb5_util to dump and reload the principal database is -only necessary when upgrading from versions of krb5 prior -to 1.2.0—newer versions will use the existing database as-is.</p> -</div> -</div> -</div> -<div class="section" id="creating-a-stash-file"> -<span id="create-stash"></span><h3>Creating a stash file<a class="headerlink" href="#creating-a-stash-file" title="Permalink to this headline">¶</a></h3> -<p>A stash file allows a KDC to authenticate itself to the database -utilities, such as <a class="reference internal" href="admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a>, <a class="reference internal" href="admin_commands/krb5kdc.html#krb5kdc-8"><em>krb5kdc</em></a>, and -<a class="reference internal" href="admin_commands/kdb5_util.html#kdb5-util-8"><em>kdb5_util</em></a>.</p> -<p>To create a stash file, use the <a class="reference internal" href="admin_commands/kdb5_util.html#kdb5-util-8"><em>kdb5_util</em></a> <strong>stash</strong> command.</p> -<blockquote> -<div><strong>stash</strong> [<strong>-f</strong> <em>keyfile</em>]</div></blockquote> -<p>Stores the master principal’s keys in a stash file. 
The <strong>-f</strong> -argument can be used to override the <em>keyfile</em> specified in -<a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>.</p> -<div class="section" id="example"> -<h4>Example<a class="headerlink" href="#example" title="Permalink to this headline">¶</a></h4> -<blockquote> -<div>shell% kdb5_util stash -kdb5_util: Cannot find/read stored master key while reading master key -kdb5_util: Warning: proceeding without master key -Enter KDC database master key: <= Type the KDC database master password. -shell%</div></blockquote> -<p>If you do not specify a stash file, kdb5_util will stash the key in -the file specified in your <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> file.</p> -</div> -</div> -<div class="section" id="creating-and-destroying-a-kerberos-database"> -<h3>Creating and destroying a Kerberos database<a class="headerlink" href="#creating-and-destroying-a-kerberos-database" title="Permalink to this headline">¶</a></h3> -<p>If you need to create a new Kerberos database, use the -<a class="reference internal" href="admin_commands/kdb5_util.html#kdb5-util-8"><em>kdb5_util</em></a> <strong>create</strong> command.</p> -<blockquote> -<div><strong>create</strong> [<strong>-s</strong>]</div></blockquote> -<p>Creates a new database. If the <strong>-s</strong> option is specified, the stash -file is also created. This command fails if the database already -exists. 
If the command is successful, the database is opened just as -if it had already existed when the program was first run.</p> -<p>If you need to destroy the current Kerberos database, use the -<a class="reference internal" href="admin_commands/kdb5_util.html#kdb5-util-8"><em>kdb5_util</em></a> <strong>destroy</strong> command.</p> -<blockquote> -<div><strong>destroy</strong> [<strong>-f</strong>]</div></blockquote> -<p>Destroys the database, first overwriting the disk sectors and then -unlinking the files, after prompting the user for confirmation. With -the <strong>-f</strong> argument, does not prompt the user.</p> -<div class="section" id="id5"> -<h4>Examples<a class="headerlink" href="#id5" title="Permalink to this headline">¶</a></h4> -<div class="highlight-python"><div class="highlight"><pre>shell% kdb5_util -r ATHENA.MIT.EDU create -s -Loading random data -Initializing database '/usr/local/var/krb5kdc/principal' for realm 'ATHENA.MIT.EDU', -master key name 'K/M@ATHENA.MIT.EDU' -You will be prompted for the database Master Password. -It is important that you NOT FORGET this password. -Enter KDC database master key: <= Type the master password. -Re-enter KDC database master key to verify: <= Type it again. -shell% - -shell% kdb5_util -r ATHENA.MIT.EDU destroy -Deleting KDC database stored in '/usr/local/var/krb5kdc/principal', are you sure? -(type 'yes' to confirm)? <= yes -OK, deleting database '/usr/local/var/krb5kdc/principal'... -** Database '/usr/local/var/krb5kdc/principal' destroyed. 
-shell% -</pre></div> -</div> -</div> </div> <div class="section" id="updating-the-master-key"> -<h3>Updating the master key<a class="headerlink" href="#updating-the-master-key" title="Permalink to this headline">¶</a></h3> -<p>Starting with release 1.7, <a class="reference internal" href="admin_commands/kdb5_util.html#kdb5-util-8"><em>kdb5_util</em></a> allows the master key +<span id="updating-master-key"></span><h3>Updating the master key<a class="headerlink" href="#updating-the-master-key" title="Permalink to this headline">¶</a></h3> +<p>Starting with release 1.7, <a class="reference internal" href="admin_commands/kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a> allows the master key to be changed using a rollover process, with minimal loss of availability. To roll over the master key, follow these steps:</p> <ol class="arabic"> -<li><p class="first">On the master KDC, run <tt class="docutils literal"><span class="pre">kdb5_util</span> <span class="pre">list_mkeys</span></tt> to view the current -master key version number (KVNO). If you have never rolled over -the master key before, this will likely be version 1:</p> -<div class="highlight-python"><div class="highlight"><pre>$ kdb5_util list_mkeys +<li><p class="first">On the primary KDC, run <code class="docutils literal"><span class="pre">kdb5_util</span> <span class="pre">list_mkeys</span></code> to view the +current master key version number (KVNO). 
If you have never rolled +over the master key before, this will likely be version 1:</p> +<div class="highlight-default"><div class="highlight"><pre><span></span>$ kdb5_util list_mkeys Master keys for Principal: K/M@KRBTEST.COM -KVNO: 1, Enctype: des-cbc-crc, Active on: Wed Dec 31 19:00:00 EST 1969 * +KVNO: 1, Enctype: aes256-cts-hmac-sha384-192, Active on: Thu Jan 01 00:00:00 UTC 1970 * </pre></div> </div> </li> -<li><p class="first">On the master KDC, run <tt class="docutils literal"><span class="pre">kdb5_util</span> <span class="pre">use_mkey</span> <span class="pre">1</span></tt> to ensure that a +<li><p class="first">On the primary KDC, run <code class="docutils literal"><span class="pre">kdb5_util</span> <span class="pre">use_mkey</span> <span class="pre">1</span></code> to ensure that a master key activation list is present in the database. This step is unnecessary in release 1.11.4 or later, or if the database was initially created with release 1.7 or later.</p> </li> -<li><p class="first">On the master KDC, run <tt class="docutils literal"><span class="pre">kdb5_util</span> <span class="pre">add_mkey</span> <span class="pre">-s</span></tt> to create a new +<li><p class="first">On the primary KDC, run <code class="docutils literal"><span class="pre">kdb5_util</span> <span class="pre">add_mkey</span> <span class="pre">-s</span></code> to create a new master key and write it to the stash file. Enter a secure password when prompted. If this is the first time you are changing the master key, the new key will have version 2. The new master key will not be used until you make it active.</p> </li> -<li><p class="first">Propagate the database to all slave KDCs, either manually or by +<li><p class="first">Propagate the database to all replica KDCs, either manually or by waiting until the next scheduled propagation. 
If you do not have -any slave KDCs, you can skip this and the next step.</p> +any replica KDCs, you can skip this and the next step.</p> </li> -<li><p class="first">On each slave KDC, run <tt class="docutils literal"><span class="pre">kdb5_util</span> <span class="pre">list_mkeys</span></tt> to verify that the -new master key is present, and then <tt class="docutils literal"><span class="pre">kdb5_util</span> <span class="pre">stash</span></tt> to write -the new master key to the slave KDC’s stash file.</p> +<li><p class="first">On each replica KDC, run <code class="docutils literal"><span class="pre">kdb5_util</span> <span class="pre">list_mkeys</span></code> to verify that +the new master key is present, and then <code class="docutils literal"><span class="pre">kdb5_util</span> <span class="pre">stash</span></code> to +write the new master key to the replica KDC’s stash file.</p> </li> -<li><p class="first">On the master KDC, run <tt class="docutils literal"><span class="pre">kdb5_util</span> <span class="pre">use_mkey</span> <span class="pre">2</span></tt> to begin using the -new master key. Replace <tt class="docutils literal"><span class="pre">2</span></tt> with the version of the new master +<li><p class="first">On the primary KDC, run <code class="docutils literal"><span class="pre">kdb5_util</span> <span class="pre">use_mkey</span> <span class="pre">2</span></code> to begin using the +new master key. Replace <code class="docutils literal"><span class="pre">2</span></code> with the version of the new master key, as appropriate. You can optionally specify a date for the new master key to become active; by default, it will become active -immediately. Prior to release 1.12, <a class="reference internal" href="admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a> must be +immediately. 
Prior to release 1.12, <a class="reference internal" href="admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> must be restarted for this change to take full effect.</p> </li> -<li><p class="first">On the master KDC, run <tt class="docutils literal"><span class="pre">kdb5_util</span> <span class="pre">update_princ_encryption</span></tt>. This -command will iterate over the database and re-encrypt all keys in -the new master key. If the database is large and uses DB2, the -master KDC will become unavailable while this command runs, but -clients should fail over to slave KDCs (if any are present) during -this time period. In release 1.13 and later, you can instead run -<tt class="docutils literal"><span class="pre">kdb5_util</span> <span class="pre">-x</span> <span class="pre">unlockiter</span> <span class="pre">update_princ_encryption</span></tt> to use unlocked -iteration; this variant will take longer, but will keep the -database available to the KDC and kadmind while it runs.</p> +<li><p class="first">On the primary KDC, run <code class="docutils literal"><span class="pre">kdb5_util</span> <span class="pre">update_princ_encryption</span></code>. +This command will iterate over the database and re-encrypt all keys +in the new master key. If the database is large and uses DB2, the +primary KDC will become unavailable while this command runs, but +clients should fail over to replica KDCs (if any are present) +during this time period. 
In release 1.13 and later, you can +instead run <code class="docutils literal"><span class="pre">kdb5_util</span> <span class="pre">-x</span> <span class="pre">unlockiter</span> <span class="pre">update_princ_encryption</span></code> to +use unlocked iteration; this variant will take longer, but will +keep the database available to the KDC and kadmind while it runs.</p> </li> -<li><p class="first">On the master KDC, run <tt class="docutils literal"><span class="pre">kdb5_util</span> <span class="pre">purge_mkeys</span></tt> to clean up the +<li><p class="first">Wait until the above changes have propagated to all replica KDCs +and until all running KDC and kadmind processes have serviced +requests using updated principal entries.</p> +</li> +<li><p class="first">On the primary KDC, run <code class="docutils literal"><span class="pre">kdb5_util</span> <span class="pre">purge_mkeys</span></code> to clean up the old master key.</p> </li> </ol> 
@@ -1103,413 +325,111 @@ old master key.</p> </div> <div class="section" id="operations-on-the-ldap-database"> <span id="ops-on-ldap"></span><h2>Operations on the LDAP database<a class="headerlink" href="#operations-on-the-ldap-database" title="Permalink to this headline">¶</a></h2> -<p>The <a class="reference internal" href="admin_commands/kdb5_ldap_util.html#kdb5-ldap-util-8"><em>kdb5_ldap_util</em></a> is the primary tool for administrating -the Kerberos LDAP database. It allows an administrator to manage -realms, Kerberos services (KDC and Admin Server) and ticket policies.</p> -<p><strong>kdb5_ldap_util</strong> -[<strong>-D</strong> <em>user_dn</em> [<strong>-w</strong> <em>passwd</em>]] -[<strong>-H</strong> <em>ldapuri</em>] -<strong>command</strong> -[<em>command_options</em>]</p> -<p><strong>OPTIONS</strong></p> -<dl class="docutils"> -<dt><strong>-D</strong> <em>user_dn</em></dt> -<dd>Specifies the Distinguished Name (DN) of the user who has -sufficient rights to perform the operation on the LDAP server.</dd> -<dt><strong>-w</strong> <em>passwd</em></dt> -<dd>Specifies the password of <em>user_dn</em>. This option is not -recommended.</dd> -<dt><strong>-H</strong> <em>ldapuri</em></dt> -<dd>Specifies the URI of the LDAP server. 
It is recommended to use -<tt class="docutils literal"><span class="pre">ldapi://</span></tt> or <tt class="docutils literal"><span class="pre">ldaps://</span></tt> to connect to the LDAP server.</dd> -</dl> -<div class="section" id="creating-a-kerberos-realm"> -<span id="ldap-create-realm"></span><h3>Creating a Kerberos realm<a class="headerlink" href="#creating-a-kerberos-realm" title="Permalink to this headline">¶</a></h3> -<p>If you need to create a new realm, use the <a class="reference internal" href="admin_commands/kdb5_ldap_util.html#kdb5-ldap-util-8"><em>kdb5_ldap_util</em></a> -<strong>create</strong> command as follows.</p> -<blockquote> -<div><strong>create</strong> -[<strong>-subtrees</strong> <em>subtree_dn_list</em>] -[<strong>-sscope</strong> <em>search_scope</em>] -[<strong>-containerref</strong> <em>container_reference_dn</em>] -[<strong>-k</strong> <em>mkeytype</em>] -[<strong>-kv</strong> <em>mkeyVNO</em>] -[<strong>-m|-P</strong> <em>password</em>|<strong>-sf</strong> <em>stashfilename</em>] -[<strong>-s</strong>] -[<strong>-r</strong> <em>realm</em>] -[<strong>-maxtktlife</strong> <em>max_ticket_life</em>] -[<strong>-maxrenewlife</strong> <em>max_renewable_ticket_life</em>] -[<em>ticket_flags</em>]</div></blockquote> -<p>Creates realm in directory. Options:</p> -<dl class="docutils"> -<dt><strong>-subtrees</strong> <em>subtree_dn_list</em></dt> -<dd>Specifies the list of subtrees containing the principals of a -realm. The list contains the DNs of the subtree objects separated -by colon (<tt class="docutils literal"><span class="pre">:</span></tt>).</dd> -<dt><strong>-sscope</strong> <em>search_scope</em></dt> -<dd>Specifies the scope for searching the principals under the -subtree. The possible values are 1 or one (one level), 2 or sub -(subtrees).</dd> -<dt><strong>-containerref</strong> <em>container_reference_dn</em></dt> -<dd>Specifies the DN of the container object in which the principals -of a realm will be created. 
If the container reference is not -configured for a realm, the principals will be created in the -realm container.</dd> -<dt><strong>-k</strong> <em>mkeytype</em></dt> -<dd>Specifies the key type of the master key in the database. The -default is given by the <strong>master_key_type</strong> variable in -<a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>.</dd> -<dt><strong>-kv</strong> <em>mkeyVNO</em></dt> -<dd>Specifies the version number of the master key in the database; -the default is 1. Note that 0 is not allowed.</dd> -<dt><strong>-m</strong></dt> -<dd>Specifies that the master database password should be read from -the TTY rather than fetched from a file on the disk.</dd> -<dt><strong>-P</strong> <em>password</em></dt> -<dd>Specifies the master database password. This option is not -recommended.</dd> -<dt><strong>-r</strong> <em>realm</em></dt> -<dd>Specifies the Kerberos realm of the database.</dd> -<dt><strong>-sf</strong> <em>stashfilename</em></dt> -<dd>Specifies the stash file of the master database password.</dd> -<dt><strong>-s</strong></dt> -<dd>Specifies that the stash file is to be created.</dd> -<dt><strong>-maxtktlife</strong> <em>max_ticket_life</em></dt> -<dd>(<a class="reference internal" href="../basic/date_format.html#getdate"><em>getdate time</em></a> string) Specifies maximum ticket life for -principals in this realm.</dd> -<dt><strong>-maxrenewlife</strong> <em>max_renewable_ticket_life</em></dt> -<dd>(<a class="reference internal" href="../basic/date_format.html#getdate"><em>getdate time</em></a> string) Specifies maximum renewable life of -tickets for principals in this realm.</dd> -<dt><em>ticket_flags</em></dt> -<dd>Specifies global ticket flags for the realm. 
Allowable flags are -documented in the description of the <strong>add_principal</strong> command in -<a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><em>kadmin</em></a>.</dd> -</dl> -<p>Example:</p> -<div class="highlight-python"><div class="highlight"><pre>kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu - create -subtrees o=org -sscope SUB -r ATHENA.MIT.EDU -Password for "cn=admin,o=org": -Initializing database for realm 'ATHENA.MIT.EDU' -You will be prompted for the database Master Password. -It is important that you NOT FORGET this password. -Enter KDC database master key: -Re-enter KDC database master key to verify: +<p>The <a class="reference internal" href="admin_commands/kdb5_ldap_util.html#kdb5-ldap-util-8"><span class="std std-ref">kdb5_ldap_util</span></a> command is the primary tool for +administrating the Kerberos database when using the LDAP module. +Creating an LDAP Kerberos database is describe in <a class="reference internal" href="conf_ldap.html#conf-ldap"><span class="std std-ref">Configuring Kerberos with OpenLDAP back-end</span></a>.</p> +<p>To view a list of realms in the LDAP database, use the kdb5_ldap_util +<strong>list</strong> command:</p> +<div class="highlight-default"><div class="highlight"><pre><span></span>$ kdb5_ldap_util list +KRBTEST.COM </pre></div> </div> -</div> -<div class="section" id="modifying-a-kerberos-realm"> -<span id="ldap-mod-realm"></span><h3>Modifying a Kerberos realm<a class="headerlink" href="#modifying-a-kerberos-realm" title="Permalink to this headline">¶</a></h3> -<p>If you need to modify a realm, use the <a class="reference internal" href="admin_commands/kdb5_ldap_util.html#kdb5-ldap-util-8"><em>kdb5_ldap_util</em></a> -<strong>modify</strong> command as follows.</p> -<blockquote> -<div><strong>modify</strong> -[<strong>-subtrees</strong> <em>subtree_dn_list</em>] -[<strong>-sscope</strong> <em>search_scope</em>] -[<strong>-containerref</strong> 
<em>container_reference_dn</em>] -[<strong>-r</strong> <em>realm</em>] -[<strong>-maxtktlife</strong> <em>max_ticket_life</em>] -[<strong>-maxrenewlife</strong> <em>max_renewable_ticket_life</em>] -[<em>ticket_flags</em>]</div></blockquote> -<p>Modifies the attributes of a realm. Options:</p> -<dl class="docutils"> -<dt><strong>-subtrees</strong> <em>subtree_dn_list</em></dt> -<dd>Specifies the list of subtrees containing the principals of a -realm. The list contains the DNs of the subtree objects separated -by colon (<tt class="docutils literal"><span class="pre">:</span></tt>). This list replaces the existing list.</dd> -<dt><strong>-sscope</strong> <em>search_scope</em></dt> -<dd>Specifies the scope for searching the principals under the -subtrees. The possible values are 1 or one (one level), 2 or sub -(subtrees).</dd> -<dt><strong>-containerref</strong> <em>container_reference_dn</em> Specifies the DN of the</dt> -<dd>container object in which the principals of a realm will be -created.</dd> -<dt><strong>-r</strong> <em>realm</em></dt> -<dd>Specifies the Kerberos realm of the database.</dd> -<dt><strong>-maxtktlife</strong> <em>max_ticket_life</em></dt> -<dd>(<a class="reference internal" href="../basic/date_format.html#getdate"><em>getdate time</em></a> string) Specifies maximum ticket life for -principals in this realm.</dd> -<dt><strong>-maxrenewlife</strong> <em>max_renewable_ticket_life</em></dt> -<dd>(<a class="reference internal" href="../basic/date_format.html#getdate"><em>getdate time</em></a> string) Specifies maximum renewable life of -tickets for principals in this realm.</dd> -<dt><em>ticket_flags</em></dt> -<dd>Specifies global ticket flags for the realm. 
Allowable flags are -documented in the description of the <strong>add_principal</strong> command in -<a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><em>kadmin</em></a>.</dd> -</dl> -<p>Example:</p> -<div class="highlight-python"><div class="highlight"><pre>shell% kdb5_ldap_util -D cn=admin,o=org -H - ldaps://ldap-server1.mit.edu modify +requires_preauth -r - ATHENA.MIT.EDU -Password for "cn=admin,o=org": -shell% +<p>To modify the attributes of a realm, use the kdb5_ldap_util <strong>modify</strong> +command. For example, to change the default realm’s maximum ticket +life:</p> +<div class="highlight-default"><div class="highlight"><pre><span></span>$ kdb5_ldap_util modify -maxtktlife "10 hours" </pre></div> </div> +<p>To display the attributes of a realm, use the kdb5_ldap_util <strong>view</strong> +command:</p> +<div class="highlight-default"><div class="highlight"><pre><span></span>$ kdb5_ldap_util view + Realm Name: KRBTEST.COM + Maximum Ticket Life: 0 days 00:10:00 +</pre></div> </div> -<div class="section" id="destroying-a-kerberos-realm"> -<h3>Destroying a Kerberos realm<a class="headerlink" href="#destroying-a-kerberos-realm" title="Permalink to this headline">¶</a></h3> -<p>If you need to destroy a Kerberos realm, use the -<a class="reference internal" href="admin_commands/kdb5_ldap_util.html#kdb5-ldap-util-8"><em>kdb5_ldap_util</em></a> <strong>destroy</strong> command as follows.</p> -<blockquote> -<div><strong>destroy</strong> [<strong>-f</strong>] [<strong>-r</strong> <em>realm</em>]</div></blockquote> -<p>Destroys an existing realm. 
Options:</p> -<dl class="docutils"> -<dt><strong>-f</strong></dt> -<dd>If specified, will not prompt the user for confirmation.</dd> -<dt><strong>-r</strong> <em>realm</em></dt> -<dd>Specifies the Kerberos realm of the database.</dd> -</dl> -<p>Example:</p> -<div class="highlight-python"><div class="highlight"><pre>shell% kdb5_ldap_util -D cn=admin,o=org -H - ldaps://ldap-server1.mit.edu destroy -r ATHENA.MIT.EDU -Password for "cn=admin,o=org": -Deleting KDC database of 'ATHENA.MIT.EDU', are you sure? +<p>To remove a realm from the LDAP database, destroying its contents, use +the kdb5_ldap_util <strong>destroy</strong> command:</p> +<div class="highlight-default"><div class="highlight"><pre><span></span>$ kdb5_ldap_util destroy +Deleting KDC database of 'KRBTEST.COM', are you sure? (type 'yes' to confirm)? yes -OK, deleting database of 'ATHENA.MIT.EDU'... -shell% +OK, deleting database of 'KRBTEST.COM'... +** Database of 'KRBTEST.COM' destroyed. </pre></div> </div> -</div> -<div class="section" id="retrieving-information-about-a-kerberos-realm"> -<h3>Retrieving information about a Kerberos realm<a class="headerlink" href="#retrieving-information-about-a-kerberos-realm" title="Permalink to this headline">¶</a></h3> -<p>If you need to display the attributes of a realm, use the -<a class="reference internal" href="admin_commands/kdb5_ldap_util.html#kdb5-ldap-util-8"><em>kdb5_ldap_util</em></a> <strong>view</strong> command as follows.</p> -<blockquote> -<div><strong>view</strong> [<strong>-r</strong> <em>realm</em>]</div></blockquote> -<p>Displays the attributes of a realm. 
Options:</p> -<dl class="docutils"> -<dt><strong>-r</strong> <em>realm</em></dt> -<dd>Specifies the Kerberos realm of the database.</dd> -</dl> -<p>Example:</p> -<div class="highlight-python"><div class="highlight"><pre>kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu - view -r ATHENA.MIT.EDU -Password for "cn=admin,o=org": -Realm Name: ATHENA.MIT.EDU -Subtree: ou=users,o=org -Subtree: ou=servers,o=org -SearchScope: ONE -Maximum ticket life: 0 days 01:00:00 -Maximum renewable life: 0 days 10:00:00 -Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE +<div class="section" id="ticket-policy-operations"> +<h3>Ticket Policy operations<a class="headerlink" href="#ticket-policy-operations" title="Permalink to this headline">¶</a></h3> +<p>Unlike the DB2 and LMDB modules, the LDAP module supports ticket +policy objects, which can be associated with principals to restrict +maximum ticket lifetimes and set mandatory principal flags. Ticket +policy objects are distinct from the password policies described +earlier on this page, and are chiefly managed through kdb5_ldap_util +rather than kadmin. 
To create a new ticket policy, use the +kdb5_ldap_util <strong>create_policy</strong> command:</p> +<div class="highlight-default"><div class="highlight"><pre><span></span>$ kdb5_ldap_util create_policy -maxrenewlife "2 days" users </pre></div> </div> -</div> -<div class="section" id="listing-available-kerberos-realms"> -<h3>Listing available Kerberos realms<a class="headerlink" href="#listing-available-kerberos-realms" title="Permalink to this headline">¶</a></h3> -<p>If you need to display the list of the realms, use the -<a class="reference internal" href="admin_commands/kdb5_ldap_util.html#kdb5-ldap-util-8"><em>kdb5_ldap_util</em></a> <strong>list</strong> command as follows.</p> -<blockquote> -<div><strong>list</strong></div></blockquote> -<p>Lists the name of realms.</p> -<p>Example:</p> -<div class="highlight-python"><div class="highlight"><pre>shell% kdb5_ldap_util -D cn=admin,o=org -H - ldaps://ldap-server1.mit.edu list -Password for "cn=admin,o=org": -ATHENA.MIT.EDU -OPENLDAP.MIT.EDU -MEDIA-LAB.MIT.EDU -shell% +<p>To associate a ticket policy with a principal, use the +<a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> <strong>modify_principal</strong> (or <strong>add_principal</strong>) command +with the <strong>-x tktpolicy=</strong><em>policy</em> option:</p> +<div class="highlight-default"><div class="highlight"><pre><span></span>$ kadmin.local modprinc -x tktpolicy=users alice </pre></div> </div> -</div> -<div class="section" id="stashing-service-object-s-password"> -<span id="stash-ldap"></span><h3>Stashing service object’s password<a class="headerlink" href="#stashing-service-object-s-password" title="Permalink to this headline">¶</a></h3> -<p>The <a class="reference internal" href="admin_commands/kdb5_ldap_util.html#kdb5-ldap-util-8"><em>kdb5_ldap_util</em></a> <strong>stashsrvpw</strong> command allows an -administrator to store the password of service object in a file. 
The -KDC and Administration server uses this password to authenticate to -the LDAP server.</p> -<blockquote> -<div><strong>stashsrvpw</strong> -[<strong>-f</strong> <em>filename</em>] -<em>name</em></div></blockquote> -<p>Allows an administrator to store the password for service object in a -file so that KDC and Administration server can use it to authenticate -to the LDAP server. Options:</p> -<dl class="docutils"> -<dt><strong>-f</strong> <em>filename</em></dt> -<dd>Specifies the complete path of the service password file. By -default, <tt class="docutils literal"><span class="pre">/usr/local/var/service_passwd</span></tt> is used.</dd> -<dt><em>name</em></dt> -<dd>Specifies the name of the object whose password is to be stored. -If <a class="reference internal" href="admin_commands/krb5kdc.html#krb5kdc-8"><em>krb5kdc</em></a> or <a class="reference internal" href="admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a> are configured for -simple binding, this should be the distinguished name it will -use as given by the <strong>ldap_kdc_dn</strong> or <strong>ldap_kadmind_dn</strong> -variable in <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>. 
If the KDC or kadmind is -configured for SASL binding, this should be the authentication -name it will use as given by the <strong>ldap_kdc_sasl_authcid</strong> or -<strong>ldap_kadmind_sasl_authcid</strong> variable.</dd> -</dl> -<p>Example:</p> -<div class="highlight-python"><div class="highlight"><pre>kdb5_ldap_util stashsrvpw -f /home/andrew/conf_keyfile - cn=service-kdc,o=org -Password for "cn=service-kdc,o=org": -Re-enter password for "cn=service-kdc,o=org": +<p>To remove a ticket policy reference from a principal, use the same +command with an empty <em>policy</em>:</p> +<div class="highlight-default"><div class="highlight"><pre><span></span>$ kadmin.local modprinc -x tktpolicy= alice </pre></div> </div> -</div> -<div class="section" id="ticket-policy-operations"> -<h3>Ticket Policy operations<a class="headerlink" href="#ticket-policy-operations" title="Permalink to this headline">¶</a></h3> -<div class="section" id="creating-a-ticket-policy"> -<h4>Creating a Ticket Policy<a class="headerlink" href="#creating-a-ticket-policy" title="Permalink to this headline">¶</a></h4> -<p>To create a new ticket policy in directory , use the -<a class="reference internal" href="admin_commands/kdb5_ldap_util.html#kdb5-ldap-util-8"><em>kdb5_ldap_util</em></a> <strong>create_policy</strong> command. Ticket policy -objects are created under the realm container.</p> -<blockquote> -<div><strong>create_policy</strong> -[<strong>-r</strong> <em>realm</em>] -[<strong>-maxtktlife</strong> <em>max_ticket_life</em>] -[<strong>-maxrenewlife</strong> <em>max_renewable_ticket_life</em>] -[<em>ticket_flags</em>] -<em>policy_name</em></div></blockquote> -<p>Creates a ticket policy in the directory. 
Options:</p> -<dl class="docutils"> -<dt><strong>-r</strong> <em>realm</em></dt> -<dd>Specifies the Kerberos realm of the database.</dd> -<dt><strong>-maxtktlife</strong> <em>max_ticket_life</em></dt> -<dd>(<a class="reference internal" href="../basic/date_format.html#getdate"><em>getdate time</em></a> string) Specifies maximum ticket life for -principals.</dd> -<dt><strong>-maxrenewlife</strong> <em>max_renewable_ticket_life</em></dt> -<dd>(<a class="reference internal" href="../basic/date_format.html#getdate"><em>getdate time</em></a> string) Specifies maximum renewable life of -tickets for principals.</dd> -<dt><em>ticket_flags</em></dt> -<dd>Specifies the ticket flags. If this option is not specified, by -default, no restriction will be set by the policy. Allowable -flags are documented in the description of the <strong>add_principal</strong> -command in <a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><em>kadmin</em></a>.</dd> -<dt><em>policy_name</em></dt> -<dd>Specifies the name of the ticket policy.</dd> -</dl> -<p>Example:</p> -<div class="highlight-python"><div class="highlight"><pre>kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu - create_policy -r ATHENA.MIT.EDU -maxtktlife "1 day" - -maxrenewlife "1 week" -allow_postdated +needchange - -allow_forwardable tktpolicy -Password for "cn=admin,o=org": +<p>To list the existing ticket policy objects, use the kdb5_ldap_util +<strong>list_policy</strong> command:</p> +<div class="highlight-default"><div class="highlight"><pre><span></span>$ kdb5_ldap_util list_policy +users </pre></div> </div> -</div> -<div class="section" id="modifying-a-ticket-policy"> -<h4>Modifying a Ticket Policy<a class="headerlink" href="#modifying-a-ticket-policy" title="Permalink to this headline">¶</a></h4> -<p>To modify a ticket policy in directory, use the -<a class="reference internal" href="admin_commands/kdb5_ldap_util.html#kdb5-ldap-util-8"><em>kdb5_ldap_util</em></a> 
<strong>modify_policy</strong> command.</p> -<blockquote> -<div><strong>modify_policy</strong> -[<strong>-r</strong> <em>realm</em>] -[<strong>-maxtktlife</strong> <em>max_ticket_life</em>] -[<strong>-maxrenewlife</strong> <em>max_renewable_ticket_life</em>] -[<em>ticket_flags</em>] -<em>policy_name</em></div></blockquote> -<p>Modifies the attributes of a ticket policy. Options are same as for -<strong>create_policy</strong>.</p> -<p>Example:</p> -<div class="highlight-python"><div class="highlight"><pre>kdb5_ldap_util -D cn=admin,o=org -H - ldaps://ldap-server1.mit.edu modify_policy -r ATHENA.MIT.EDU - -maxtktlife "60 minutes" -maxrenewlife "10 hours" - +allow_postdated -requires_preauth tktpolicy -Password for "cn=admin,o=org": +<p>To modify the attributes of a ticket policy object, use the +kdb5_ldap_util <strong>modify_policy</strong> command:</p> +<div class="highlight-default"><div class="highlight"><pre><span></span>$ kdb5_ldap_util modify_policy -allow_svr +requires_preauth users </pre></div> </div> -</div> -<div class="section" id="retrieving-information-about-a-ticket-policy"> -<h4>Retrieving Information About a Ticket Policy<a class="headerlink" href="#retrieving-information-about-a-ticket-policy" title="Permalink to this headline">¶</a></h4> -<p>To display the attributes of a ticket policy, use the -<a class="reference internal" href="admin_commands/kdb5_ldap_util.html#kdb5-ldap-util-8"><em>kdb5_ldap_util</em></a> <strong>view_policy</strong> command.</p> -<blockquote> -<div><strong>view_policy</strong> -[<strong>-r</strong> <em>realm</em>] -<em>policy_name</em></div></blockquote> -<p>Displays the attributes of a ticket policy. 
Options:</p> -<dl class="docutils"> -<dt><em>policy_name</em></dt> -<dd>Specifies the name of the ticket policy.</dd> -</dl> -<p>Example:</p> -<div class="highlight-python"><div class="highlight"><pre>kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu - view_policy -r ATHENA.MIT.EDU tktpolicy -Password for "cn=admin,o=org": -Ticket policy: tktpolicy -Maximum ticket life: 0 days 01:00:00 -Maximum renewable life: 0 days 10:00:00 -Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE +<p>To view the attributes of a ticket policy object, use the +kdb5_ldap_util <strong>view_policy</strong> command:</p> +<div class="highlight-default"><div class="highlight"><pre><span></span>$ kdb5_ldap_util view_policy users + Ticket policy: users + Maximum renewable life: 2 days 00:00:00 + Ticket flags: REQUIRES_PRE_AUTH DISALLOW_SVR </pre></div> </div> -</div> -<div class="section" id="destroying-a-ticket-policy"> -<h4>Destroying a Ticket Policy<a class="headerlink" href="#destroying-a-ticket-policy" title="Permalink to this headline">¶</a></h4> -<p>To destroy an existing ticket policy, use the <a class="reference internal" href="admin_commands/kdb5_ldap_util.html#kdb5-ldap-util-8"><em>kdb5_ldap_util</em></a> -<strong>destroy_policy</strong> command.</p> -<blockquote> -<div><strong>destroy_policy</strong> -[<strong>-r</strong> <em>realm</em>] -[<strong>-force</strong>] -<em>policy_name</em></div></blockquote> -<p>Destroys an existing ticket policy. Options:</p> -<dl class="docutils"> -<dt><strong>-r</strong> <em>realm</em></dt> -<dd>Specifies the Kerberos realm of the database.</dd> -<dt><strong>-force</strong></dt> -<dd>Forces the deletion of the policy object. 
If not specified, the -user will be prompted for confirmation before deleting the policy.</dd> -<dt><em>policy_name</em></dt> -<dd>Specifies the name of the ticket policy.</dd> -</dl> -<p>Example:</p> -<div class="highlight-python"><div class="highlight"><pre>kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu - destroy_policy -r ATHENA.MIT.EDU tktpolicy -Password for "cn=admin,o=org": -This will delete the policy object 'tktpolicy', are you sure? +<p>To destroy an ticket policy object, use the kdb5_ldap_util +<strong>destroy_policy</strong> command:</p> +<div class="highlight-default"><div class="highlight"><pre><span></span>$ kdb5_ldap_util destroy_policy users +This will delete the policy object 'users', are you sure? (type 'yes' to confirm)? yes -** policy object 'tktpolicy' deleted. -</pre></div> -</div> -</div> -<div class="section" id="listing-available-ticket-policies"> -<h4>Listing available Ticket Policies<a class="headerlink" href="#listing-available-ticket-policies" title="Permalink to this headline">¶</a></h4> -<p>To list the name of ticket policies in a realm, use the -<a class="reference internal" href="admin_commands/kdb5_ldap_util.html#kdb5-ldap-util-8"><em>kdb5_ldap_util</em></a> <strong>list_policy</strong> command.</p> -<blockquote> -<div><strong>list_policy</strong> -[<strong>-r</strong> <em>realm</em>]</div></blockquote> -<p>Lists the ticket policies in realm if specified or in the default -realm. Options:</p> -<dl class="docutils"> -<dt><strong>-r</strong> <em>realm</em></dt> -<dd>Specifies the Kerberos realm of the database.</dd> -</dl> -<p>Example:</p> -<div class="highlight-python"><div class="highlight"><pre>kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu - list_policy -r ATHENA.MIT.EDU -Password for "cn=admin,o=org": -tktpolicy -tmppolicy -userpolicy +** policy object 'users' deleted. 
</pre></div> </div> </div> </div> -</div> <div class="section" id="cross-realm-authentication"> <span id="xrealm-authn"></span><h2>Cross-realm authentication<a class="headerlink" href="#cross-realm-authentication" title="Permalink to this headline">¶</a></h2> <p>In order for a KDC in one realm to authenticate Kerberos users in a different realm, it must share a key with the KDC in the other realm. In both databases, there must be krbtgt service principals for both realms. For example, if you need to do cross-realm authentication between the realms -<tt class="docutils literal"><span class="pre">ATHENA.MIT.EDU</span></tt> and <tt class="docutils literal"><span class="pre">EXAMPLE.COM</span></tt>, you would need to add the -principals <tt class="docutils literal"><span class="pre">krbtgt/EXAMPLE.COM@ATHENA.MIT.EDU</span></tt> and -<tt class="docutils literal"><span class="pre">krbtgt/ATHENA.MIT.EDU@EXAMPLE.COM</span></tt> to both databases. +<code class="docutils literal"><span class="pre">ATHENA.MIT.EDU</span></code> and <code class="docutils literal"><span class="pre">EXAMPLE.COM</span></code>, you would need to add the +principals <code class="docutils literal"><span class="pre">krbtgt/EXAMPLE.COM@ATHENA.MIT.EDU</span></code> and +<code class="docutils literal"><span class="pre">krbtgt/ATHENA.MIT.EDU@EXAMPLE.COM</span></code> to both databases. 
These principals must all have the same passwords, key version numbers, and encryption types; this may require explicitly setting the key version number with the <strong>-kvno</strong> option.</p> <p>In the ATHENA.MIT.EDU and EXAMPLE.COM cross-realm case, the administrators would run the following commands on the KDCs in both realms:</p> -<div class="highlight-python"><div class="highlight"><pre>shell%: kadmin.local -e "aes256-cts:normal" -kadmin: addprinc -requires_preauth krbtgt/ATHENA.MIT.EDU@EXAMPLE.COM -Enter password for principal krbtgt/ATHENA.MIT.EDU@EXAMPLE.COM: -Re-enter password for principal krbtgt/ATHENA.MIT.EDU@EXAMPLE.COM: -kadmin: addprinc -requires_preauth krbtgt/EXAMPLE.COM@ATHENA.MIT.EDU -Enter password for principal krbtgt/EXAMPLE.COM@ATHENA.MIT.EDU: -Enter password for principal krbtgt/EXAMPLE.COM@ATHENA.MIT.EDU: -kadmin: +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">shell</span><span class="o">%</span><span class="p">:</span> <span class="n">kadmin</span><span class="o">.</span><span class="n">local</span> <span class="o">-</span><span class="n">e</span> <span class="s2">"aes256-cts:normal"</span> +<span class="n">kadmin</span><span class="p">:</span> <span class="n">addprinc</span> <span class="o">-</span><span class="n">requires_preauth</span> <span class="n">krbtgt</span><span class="o">/</span><span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span><span class="nd">@EXAMPLE</span><span class="o">.</span><span class="n">COM</span> +<span class="n">Enter</span> <span class="n">password</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">krbtgt</span><span class="o">/</span><span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span><span class="nd">@EXAMPLE</span><span class="o">.</span><span class="n">COM</span><span 
class="p">:</span> +<span class="n">Re</span><span class="o">-</span><span class="n">enter</span> <span class="n">password</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">krbtgt</span><span class="o">/</span><span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span><span class="nd">@EXAMPLE</span><span class="o">.</span><span class="n">COM</span><span class="p">:</span> +<span class="n">kadmin</span><span class="p">:</span> <span class="n">addprinc</span> <span class="o">-</span><span class="n">requires_preauth</span> <span class="n">krbtgt</span><span class="o">/</span><span class="n">EXAMPLE</span><span class="o">.</span><span class="n">COM</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> +<span class="n">Enter</span> <span class="n">password</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">krbtgt</span><span class="o">/</span><span class="n">EXAMPLE</span><span class="o">.</span><span class="n">COM</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span><span class="p">:</span> +<span class="n">Enter</span> <span class="n">password</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">krbtgt</span><span class="o">/</span><span class="n">EXAMPLE</span><span class="o">.</span><span class="n">COM</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span><span class="p">:</span> +<span class="n">kadmin</span><span class="p">:</span> </pre></div> </div> <div class="admonition note"> 
@@ -1531,17 +451,17 @@ at least 26 characters of random ASCII text.</p> <div class="section" id="changing-the-krbtgt-key"> <span id="changing-krbtgt-key"></span><h2>Changing the krbtgt key<a class="headerlink" href="#changing-the-krbtgt-key" title="Permalink to this headline">¶</a></h2> <p>A Kerberos Ticket Granting Ticket (TGT) is a service ticket for the -principal <tt class="docutils literal"><span class="pre">krbtgt/REALM</span></tt>. The key for this principal is created +principal <code class="docutils literal"><span class="pre">krbtgt/REALM</span></code>. The key for this principal is created when the Kerberos database is initialized and need not be changed. However, it will only have the encryption types supported by the KDC at the time of the initial database creation. To allow use of newer encryption types for the TGT, this key has to be changed.</p> -<p>Changing this key using the normal <a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><em>kadmin</em></a> +<p>Changing this key using the normal <a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> <strong>change_password</strong> command would invalidate any previously issued TGTs. Therefore, when changing this key, normally one should use the <strong>-keepold</strong> flag to change_password to retain the previous key in the database as well as the new key. 
For example:</p> -<div class="highlight-python"><div class="highlight"><pre>kadmin: change_password -randkey -keepold krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">change_password</span> <span class="o">-</span><span class="n">randkey</span> <span class="o">-</span><span class="n">keepold</span> <span class="n">krbtgt</span><span class="o">/</span><span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> </pre></div> </div> <div class="admonition warning"> 
@@ -1557,14 +477,14 @@ tickets issued with the old keys have expired.</p> ticket-granting tickets. However, the set of encryption types present in the krbtgt keys is used by default to determine the session key types supported by the krbtgt service (see -<a class="reference internal" href="enctypes.html#session-key-selection"><em>Session key selection</em></a>). Because non-MIT Kerberos clients +<a class="reference internal" href="enctypes.html#session-key-selection"><span class="std std-ref">Session key selection</span></a>). Because non-MIT Kerberos clients sometimes send a limited set of encryption types when making AS -requests, it can be important to for the krbtgt service to support +requests, it can be important for the krbtgt service to support multiple encryption types. This can be accomplished by giving the krbtgt principal multiple keys, which is usually as simple as not specifying any <strong>-e</strong> option when changing the krbtgt key, or by setting the <strong>session_enctypes</strong> string attribute on the krbtgt -principal (see <a class="reference internal" href="admin_commands/kadmin_local.html#set-string"><em>set_string</em></a>).</p> +principal (see <a class="reference internal" href="admin_commands/kadmin_local.html#set-string"><span class="std std-ref">set_string</span></a>).</p> <p>Due to a bug in releases 1.8 through 1.13, renewed and forwarded tickets may not work if the original ticket was obtained prior to a krbtgt key change and the modified ticket is obtained afterwards. 
@@ -1576,23 +496,17 @@ Upgrading the KDC to release 1.14 or later will correct this bug.</p> <h3>Overview<a class="headerlink" href="#overview" title="Permalink to this headline">¶</a></h3> <p>At some very large sites, dumping and transmitting the database can take more time than is desirable for changes to propagate from the -master KDC to the slave KDCs. The incremental propagation support +primary KDC to the replica KDCs. The incremental propagation support added in the 1.7 release is intended to address this.</p> -<p>With incremental propagation enabled, all programs on the master KDC +<p>With incremental propagation enabled, all programs on the primary KDC that change the database also write information about the changes to -an “update log” file, maintained as a circular buffer of a certain -size. A process on each slave KDC connects to a service on the master -KDC (currently implemented in the <a class="reference internal" href="admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a> server) and +an “update log” file, maintained as a circular buffer of a certain +size. A process on each replica KDC connects to a service on the +primary KDC (currently implemented in the <a class="reference internal" href="admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> server) and periodically requests the changes that have been made since the last -check. By default, this check is done every two minutes. If the -database has just been modified in the previous several seconds -(currently the threshold is hard-coded at 10 seconds), the slave will -not retrieve updates, but instead will pause and try again soon after. -This reduces the likelihood that incremental update queries will cause -delays for an administrator trying to make a bunch of changes to the -database at the same time.</p> +check. 
By default, this check is done every two minutes.</p> <p>Incremental propagation uses the following entries in the per-realm -data in the KDC config file (See <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>):</p> +data in the KDC config file (See <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>):</p> <table border="1" class="docutils"> <colgroup> <col width="4%" /> 
@@ -1608,60 +522,61 @@ data in the KDC config file (See <a class="reference internal" href="conf_files/ <td><em>integer</em></td> <td>Indicates the number of entries that should be retained in the update log. The default is 1000; the maximum number is 2500.</td> </tr> -<tr class="row-odd"><td>iprop_slave_poll</td> +<tr class="row-odd"><td>iprop_replica_poll</td> <td><em>time interval</em></td> -<td>Indicates how often the slave should poll the master KDC for changes to the database. The default is two minutes.</td> +<td>Indicates how often the replica should poll the primary KDC for changes to the database. The default is two minutes.</td> </tr> <tr class="row-even"><td>iprop_port</td> <td><em>integer</em></td> -<td>Specifies the port number to be used for incremental propagation. This is required in both master and slave configuration files.</td> +<td>Specifies the port number to be used for incremental propagation. This is required in both primary and replica configuration files.</td> </tr> <tr class="row-odd"><td>iprop_resync_timeout</td> <td><em>integer</em></td> -<td>Specifies the number of seconds to wait for a full propagation to complete. This is optional on slave configurations. Defaults to 300 seconds (5 minutes).</td> +<td>Specifies the number of seconds to wait for a full propagation to complete. This is optional on replica configurations. Defaults to 300 seconds (5 minutes).</td> </tr> <tr class="row-even"><td>iprop_logfile</td> <td><em>file name</em></td> -<td>Specifies where the update log file for the realm database is to be stored. The default is to use the <em>database_name</em> entry from the realms section of the config file <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>, with <em>.ulog</em> appended. 
(NOTE: If database_name isn’t specified in the realms section, perhaps because the LDAP database back end is being used, or the file name is specified in the <em>dbmodules</em> section, then the hard-coded default for <em>database_name</em> is used. Determination of the <em>iprop_logfile</em> default value will not use values from the <em>dbmodules</em> section.)</td> +<td>Specifies where the update log file for the realm database is to be stored. The default is to use the <em>database_name</em> entry from the realms section of the config file <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>, with <em>.ulog</em> appended. (NOTE: If database_name isn’t specified in the realms section, perhaps because the LDAP database back end is being used, or the file name is specified in the <em>dbmodules</em> section, then the hard-coded default for <em>database_name</em> is used. Determination of the <em>iprop_logfile</em> default value will not use values from the <em>dbmodules</em> section.)</td> </tr> </tbody> </table> -<p>Both master and slave sides must have a principal named -<tt class="docutils literal"><span class="pre">kiprop/hostname</span></tt> (where <em>hostname</em> is the lowercase, +<p>Both primary and replica sides must have a principal named +<code class="docutils literal"><span class="pre">kiprop/hostname</span></code> (where <em>hostname</em> is the lowercase, fully-qualified, canonical name for the host) registered in the Kerberos database, and have keys for that principal stored in the -default keytab file (<a class="reference internal" href="../mitK5defaults.html#paths"><em>DEFKTNAME</em></a>). 
In release 1.13, the -<tt class="docutils literal"><span class="pre">kiprop/hostname</span></tt> principal is created automatically for the master -KDC, but it must still be created for slave KDCs.</p> -<p>On the master KDC side, the <tt class="docutils literal"><span class="pre">kiprop/hostname</span></tt> principal must be -listed in the kadmind ACL file <a class="reference internal" href="conf_files/kadm5_acl.html#kadm5-acl-5"><em>kadm5.acl</em></a>, and given the -<strong>p</strong> privilege (see <a class="reference internal" href="#privileges"><em>Privileges</em></a>).</p> -<p>On the slave KDC side, <a class="reference internal" href="admin_commands/kpropd.html#kpropd-8"><em>kpropd</em></a> should be run. When +default keytab file (<a class="reference internal" href="../mitK5defaults.html#paths"><span class="std std-ref">DEFKTNAME</span></a>). The <code class="docutils literal"><span class="pre">kiprop/hostname</span></code> principal may +have been created automatically for the primary KDC, but it must +always be created for replica KDCs.</p> +<p>On the primary KDC side, the <code class="docutils literal"><span class="pre">kiprop/hostname</span></code> principal must be +listed in the kadmind ACL file <a class="reference internal" href="conf_files/kadm5_acl.html#kadm5-acl-5"><span class="std std-ref">kadm5.acl</span></a>, and given the +<strong>p</strong> privilege (see <a class="reference internal" href="#privileges"><span class="std std-ref">Privileges</span></a>).</p> +<p>On the replica KDC side, <a class="reference internal" href="admin_commands/kpropd.html#kpropd-8"><span class="std std-ref">kpropd</span></a> should be run. When incremental propagation is enabled, it will connect to the kadmind on -the master KDC and start requesting updates.</p> +the primary KDC and start requesting updates.</p> <p>The normal kprop mechanism is disabled by the incremental propagation -support. 
However, if the slave has been unable to fetch changes from -the master KDC for too long (network problems, perhaps), the log on -the master may wrap around and overwrite some of the updates that the -slave has not yet retrieved. In this case, the slave will instruct -the master KDC to dump the current database out to a file and invoke a -one-time kprop propagation, with special options to also convey the -point in the update log at which the slave should resume fetching -incremental updates. Thus, all the keytab and ACL setup previously -described for kprop propagation is still needed.</p> -<p>If an environment has a large number of slaves, it may be desirable to -arrange them in a hierarchy instead of having the master serve updates -to every slave. To do this, run <tt class="docutils literal"><span class="pre">kadmind</span> <span class="pre">-proponly</span></tt> on each -intermediate slave, and <tt class="docutils literal"><span class="pre">kpropd</span> <span class="pre">-A</span> <span class="pre">upstreamhostname</span></tt> on downstream -slaves to direct each one to the appropriate upstream slave.</p> +support. However, if the replica has been unable to fetch changes +from the primary KDC for too long (network problems, perhaps), the log +on the primary may wrap around and overwrite some of the updates that +the replica has not yet retrieved. In this case, the replica will +instruct the primary KDC to dump the current database out to a file +and invoke a one-time kprop propagation, with special options to also +convey the point in the update log at which the replica should resume +fetching incremental updates. Thus, all the keytab and ACL setup +previously described for kprop propagation is still needed.</p> +<p>If an environment has a large number of replicas, it may be desirable +to arrange them in a hierarchy instead of having the primary serve +updates to every replica. 
To do this, run <code class="docutils literal"><span class="pre">kadmind</span> <span class="pre">-proponly</span></code> on +each intermediate replica, and <code class="docutils literal"><span class="pre">kpropd</span> <span class="pre">-A</span> <span class="pre">upstreamhostname</span></code> on +downstream replicas to direct each one to the appropriate upstream +replica.</p> <p>There are several known restrictions in the current implementation:</p> <ul class="simple"> <li>The incremental update protocol does not transport changes to policy -objects. Any policy changes on the master will result in full -resyncs to all slaves.</li> -<li>The slave’s KDB module must support locking; it cannot be using the +objects. Any policy changes on the primary will result in full +resyncs to all replicas.</li> +<li>The replica’s KDB module must support locking; it cannot be using the LDAP KDB module.</li> -<li>The master and slave must be able to initiate TCP connections in +<li>The primary and replica must be able to initiate TCP connections in both directions, without an intervening NAT.</li> </ul> </div> 
@@ -1670,22 +585,22 @@ both directions, without an intervening NAT.</li> <p>Sun donated the original code for supporting incremental database propagation to MIT. Some changes have been made in the MIT source tree that will be visible to administrators. (These notes are based -on Sun’s patches. Changes to Sun’s implementation since then may not +on Sun’s patches. Changes to Sun’s implementation since then may not be reflected here.)</p> -<p>The Sun config file support looks for <tt class="docutils literal"><span class="pre">sunw_dbprop_enable</span></tt>, -<tt class="docutils literal"><span class="pre">sunw_dbprop_master_ulogsize</span></tt>, and <tt class="docutils literal"><span class="pre">sunw_dbprop_slave_poll</span></tt>.</p> +<p>The Sun config file support looks for <code class="docutils literal"><span class="pre">sunw_dbprop_enable</span></code>, +<code class="docutils literal"><span class="pre">sunw_dbprop_master_ulogsize</span></code>, and <code class="docutils literal"><span class="pre">sunw_dbprop_slave_poll</span></code>.</p> <p>The incremental propagation service is implemented as an ONC RPC service. In the Sun implementation, the service is registered with rpcbind (also known as portmapper) and the client looks up the port number to contact. In the MIT implementation, where interaction with -some modern versions of rpcbind doesn’t always work well, the port -number must be specified in the config file on both the master and -slave sides.</p> -<p>The Sun implementation hard-codes pathnames in <tt class="docutils literal"><span class="pre">/var/krb5</span></tt> for the -update log and the per-slave kprop dump files. 
In the MIT +some modern versions of rpcbind doesn’t always work well, the port +number must be specified in the config file on both the primary and +replica sides.</p> +<p>The Sun implementation hard-codes pathnames in <code class="docutils literal"><span class="pre">/var/krb5</span></code> for the +update log and the per-replica kprop dump files. In the MIT implementation, the pathname for the update log is specified in the -config file, and the per-slave dump files are stored in -<a class="reference internal" href="../mitK5defaults.html#paths"><em>LOCALSTATEDIR</em></a><tt class="docutils literal"><span class="pre">/krb5kdc</span></tt><tt class="docutils literal"><span class="pre">/slave_datatrans_hostname</span></tt>.</p> +config file, and the per-replica dump files are stored in +<a class="reference internal" href="../mitK5defaults.html#paths"><span class="std std-ref">LOCALSTATEDIR</span></a><code class="docutils literal"><span class="pre">/krb5kdc</span></code><code class="docutils literal"><span class="pre">/replica_datatrans_hostname</span></code>.</p> </div> </div> </div> 
@@ -1699,71 +614,19 @@ config file, and the per-slave dump files are stored in <h2>On this page</h2> <ul> <li><a class="reference internal" href="#">Database administration</a><ul> -<li><a class="reference internal" href="#kadmin-options">kadmin options</a></li> -<li><a class="reference internal" href="#date-format">Date Format</a></li> -<li><a class="reference internal" href="#principals">Principals</a><ul> -<li><a class="reference internal" href="#adding-modifying-and-deleting-principals">Adding, modifying and deleting principals</a></li> -<li><a class="reference internal" href="#add-principal">add_principal</a></li> -<li><a class="reference internal" href="#modify-principal">modify_principal</a></li> -<li><a class="reference internal" href="#delete-principal">delete_principal</a><ul> -<li><a class="reference internal" href="#examples">Examples</a></li> -</ul> -</li> -<li><a class="reference internal" href="#retrieving-information-about-a-principal">Retrieving information about a principal</a></li> -<li><a class="reference internal" href="#get-principal">get_principal</a></li> -<li><a class="reference internal" href="#list-principals">list_principals</a></li> -<li><a class="reference internal" href="#changing-passwords">Changing passwords</a></li> -<li><a class="reference internal" href="#change-password">change_password</a></li> -</ul> -</li> +<li><a class="reference internal" href="#principals">Principals</a></li> <li><a class="reference internal" href="#policies">Policies</a><ul> -<li><a class="reference internal" href="#adding-modifying-and-deleting-policies">Adding, modifying and deleting policies</a></li> -<li><a class="reference internal" href="#add-policy">add_policy</a></li> -<li><a class="reference internal" href="#modify-policy">modify_policy</a></li> -<li><a class="reference internal" href="#delete-policy">delete_policy</a></li> -<li><a class="reference internal" href="#retrieving-policies">Retrieving policies</a></li> -<li><a class="reference 
internal" href="#get-policy">get_policy</a></li> -<li><a class="reference internal" href="#list-policies">list_policies</a></li> -<li><a class="reference internal" href="#policies-and-principals">Policies and principals</a></li> <li><a class="reference internal" href="#updating-the-history-key">Updating the history key</a></li> </ul> </li> <li><a class="reference internal" href="#privileges">Privileges</a></li> <li><a class="reference internal" href="#operations-on-the-kerberos-database">Operations on the Kerberos database</a><ul> -<li><a class="reference internal" href="#dumping-a-kerberos-database-to-a-file">Dumping a Kerberos database to a file</a><ul> -<li><a class="reference internal" href="#id3">Examples</a></li> -</ul> -</li> -<li><a class="reference internal" href="#restoring-a-kerberos-database-from-a-dump-file">Restoring a Kerberos database from a dump file</a><ul> -<li><a class="reference internal" href="#id4">Examples</a></li> -</ul> -</li> -<li><a class="reference internal" href="#creating-a-stash-file">Creating a stash file</a><ul> -<li><a class="reference internal" href="#example">Example</a></li> -</ul> -</li> -<li><a class="reference internal" href="#creating-and-destroying-a-kerberos-database">Creating and destroying a Kerberos database</a><ul> -<li><a class="reference internal" href="#id5">Examples</a></li> -</ul> -</li> +<li><a class="reference internal" href="#dumping-and-loading-a-kerberos-database">Dumping and loading a Kerberos database</a></li> <li><a class="reference internal" href="#updating-the-master-key">Updating the master key</a></li> </ul> </li> <li><a class="reference internal" href="#operations-on-the-ldap-database">Operations on the LDAP database</a><ul> -<li><a class="reference internal" href="#creating-a-kerberos-realm">Creating a Kerberos realm</a></li> -<li><a class="reference internal" href="#modifying-a-kerberos-realm">Modifying a Kerberos realm</a></li> -<li><a class="reference internal" 
href="#destroying-a-kerberos-realm">Destroying a Kerberos realm</a></li> -<li><a class="reference internal" href="#retrieving-information-about-a-kerberos-realm">Retrieving information about a Kerberos realm</a></li> -<li><a class="reference internal" href="#listing-available-kerberos-realms">Listing available Kerberos realms</a></li> -<li><a class="reference internal" href="#stashing-service-object-s-password">Stashing service object’s password</a></li> -<li><a class="reference internal" href="#ticket-policy-operations">Ticket Policy operations</a><ul> -<li><a class="reference internal" href="#creating-a-ticket-policy">Creating a Ticket Policy</a></li> -<li><a class="reference internal" href="#modifying-a-ticket-policy">Modifying a Ticket Policy</a></li> -<li><a class="reference internal" href="#retrieving-information-about-a-ticket-policy">Retrieving Information About a Ticket Policy</a></li> -<li><a class="reference internal" href="#destroying-a-ticket-policy">Destroying a Ticket Policy</a></li> -<li><a class="reference internal" href="#listing-available-ticket-policies">Listing available Ticket Policies</a></li> -</ul> -</li> +<li><a class="reference internal" href="#ticket-policy-operations">Ticket Policy operations</a></li> </ul> </li> <li><a class="reference internal" href="#cross-realm-authentication">Cross-realm authentication</a></li> 
@@ -1785,9 +648,8 @@ config file, and the per-slave dump files are stored in <li class="toctree-l2"><a class="reference internal" href="install.html">Installation guide</a></li> <li class="toctree-l2"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li> <li class="toctree-l2"><a class="reference internal" href="realm_config.html">Realm configuration decisions</a></li> -<li class="toctree-l2 current"><a class="current reference internal" href="">Database administration</a><ul class="simple"> -</ul> -</li> +<li class="toctree-l2 current"><a class="current reference internal" href="#">Database administration</a></li> +<li class="toctree-l2"><a class="reference internal" href="dbtypes.html">Database types</a></li> <li class="toctree-l2"><a class="reference internal" href="lockout.html">Account lockout</a></li> <li class="toctree-l2"><a class="reference internal" href="conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li> <li class="toctree-l2"><a class="reference internal" href="appl_servers.html">Application servers</a></li> 
@@ -1795,6 +657,8 @@ config file, and the per-slave dump files are stored in <li class="toctree-l2"><a class="reference internal" href="backup_host.html">Backups of secure hosts</a></li> <li class="toctree-l2"><a class="reference internal" href="pkinit.html">PKINIT configuration</a></li> <li class="toctree-l2"><a class="reference internal" href="otp.html">OTP Preauthentication</a></li> +<li class="toctree-l2"><a class="reference internal" href="spake.html">SPAKE Preauthentication</a></li> +<li class="toctree-l2"><a class="reference internal" href="dictionary.html">Addressing dictionary attack risks</a></li> <li class="toctree-l2"><a class="reference internal" href="princ_dns.html">Principal names and DNS</a></li> <li class="toctree-l2"><a class="reference internal" href="enctypes.html">Encryption types</a></li> <li class="toctree-l2"><a class="reference internal" href="https.html">HTTPS proxy configuration</a></li> @@ -1834,8 +698,8 @@ config file, and the per-slave dump files are stored in <div class="footer-wrapper"> <div class="footer" > - <div class="right" ><i>Release: 1.16</i><br /> - © <a href="../copyright.html">Copyright</a> 1985-2017, MIT. + <div class="right" ><i>Release: 1.21.1</i><br /> + © <a href="../copyright.html">Copyright</a> 1985-2023, MIT. </div> <div class="left"> @@ -1843,7 +707,7 @@ config file, and the per-slave dump files are stored in >Contents</a> | <a href="realm_config.html" title="Realm configuration decisions" >previous</a> | - <a href="lockout.html" title="Account lockout" + <a href="dbtypes.html" title="Database types" >next</a> | <a href="../genindex.html" title="General Index" >index</a> | diff --git a/doc/html/admin/dbtypes.html b/doc/html/admin/dbtypes.html new file mode 100644 index 000000000000..9794a7528d88 --- /dev/null +++ b/doc/html/admin/dbtypes.html 
@@ -0,0 +1,294 @@ + +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> + +<html xmlns="http://www.w3.org/1999/xhtml"> + <head> + <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> + <title>Database types — MIT Kerberos Documentation</title> + <link rel="stylesheet" href="../_static/agogo.css" type="text/css" /> + <link rel="stylesheet" href="../_static/pygments.css" type="text/css" /> + <link rel="stylesheet" href="../_static/kerb.css" type="text/css" /> + <script type="text/javascript"> + var DOCUMENTATION_OPTIONS = { + URL_ROOT: '../', + VERSION: '1.21.1', + COLLAPSE_INDEX: false, + FILE_SUFFIX: '.html', + HAS_SOURCE: true, + SOURCELINK_SUFFIX: '.txt' + }; + </script> + <script type="text/javascript" src="../_static/jquery.js"></script> + <script type="text/javascript" src="../_static/underscore.js"></script> + <script type="text/javascript" src="../_static/doctools.js"></script> + <link rel="author" title="About these documents" href="../about.html" /> + <link rel="index" title="Index" href="../genindex.html" /> + <link rel="search" title="Search" href="../search.html" /> + <link rel="copyright" title="Copyright" href="../copyright.html" /> + <link rel="next" title="Account lockout" href="lockout.html" /> + <link rel="prev" title="Database administration" href="database.html" /> + </head> + <body> + <div class="header-wrapper"> + <div class="header"> + + + <h1><a href="../index.html">MIT Kerberos Documentation</a></h1> + + <div class="rel"> + + <a href="../index.html" title="Full Table of Contents" + accesskey="C">Contents</a> | + <a href="database.html" title="Database administration" + accesskey="P">previous</a> | + <a href="lockout.html" title="Account lockout" + accesskey="N">next</a> | + <a href="../genindex.html" title="General Index" + accesskey="I">index</a> | + <a href="../search.html" title="Enter search criteria" + accesskey="S">Search</a> | + <a 
href="mailto:krb5-bugs@mit.edu?subject=Documentation__Database types">feedback</a> + </div> + </div> + </div> + + <div class="content-wrapper"> + <div class="content"> + <div class="document"> + + <div class="documentwrapper"> + <div class="bodywrapper"> + <div class="body" role="main"> + + <div class="section" id="database-types"> +<span id="dbtypes"></span><h1>Database types<a class="headerlink" href="#database-types" title="Permalink to this headline">¶</a></h1> +<p>A Kerberos database can be implemented with one of three built-in +database providers, called KDB modules. Software which incorporates +the MIT krb5 KDC may also provide its own KDB module. The following +subsections describe the three built-in KDB modules and the +configuration specific to them.</p> +<p>The database type can be configured with the <strong>db_library</strong> variable +in the <a class="reference internal" href="conf_files/kdc_conf.html#dbmodules"><span class="std std-ref">[dbmodules]</span></a> subsection for the realm. 
For example:</p> +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">dbmodules</span><span class="p">]</span> + <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="o">=</span> <span class="p">{</span> + <span class="n">db_library</span> <span class="o">=</span> <span class="n">db2</span> + <span class="p">}</span> +</pre></div> +</div> +<p>If the <code class="docutils literal"><span class="pre">ATHENA.MIT.EDU</span></code> realm subsection contains a +<strong>database_module</strong> setting, then the subsection within +<code class="docutils literal"><span class="pre">[dbmodules]</span></code> should use that name instead of <code class="docutils literal"><span class="pre">ATHENA.MIT.EDU</span></code>.</p> +<p>To transition from one database type to another, stop the +<a class="reference internal" href="admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> service, use <code class="docutils literal"><span class="pre">kdb5_util</span> <span class="pre">dump</span></code> to create a dump +file, change the <strong>db_library</strong> value and set any appropriate +configuration for the new database type, and use <code class="docutils literal"><span class="pre">kdb5_util</span> <span class="pre">load</span></code> to +create and populate the new database. If the new database type is +LDAP, create the new database using <code class="docutils literal"><span class="pre">kdb5_ldap_util</span></code> and populate it +from the dump file using <code class="docutils literal"><span class="pre">kdb5_util</span> <span class="pre">load</span> <span class="pre">-update</span></code>. 
Then restart the +<a class="reference internal" href="admin_commands/krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a> and <a class="reference internal" href="admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> services.</p> +<div class="section" id="berkeley-database-module-db2"> +<h2>Berkeley database module (db2)<a class="headerlink" href="#berkeley-database-module-db2" title="Permalink to this headline">¶</a></h2> +<p>The default KDB module is <code class="docutils literal"><span class="pre">db2</span></code>, which uses a version of the +Berkeley DB library. It creates four files based on the database +pathname. If the pathname ends with <code class="docutils literal"><span class="pre">principal</span></code> then the four files +are:</p> +<ul class="simple"> +<li><code class="docutils literal"><span class="pre">principal</span></code>, containing principal entry data</li> +<li><code class="docutils literal"><span class="pre">principal.ok</span></code>, a lock file for the principal database</li> +<li><code class="docutils literal"><span class="pre">principal.kadm5</span></code>, containing policy object data</li> +<li><code class="docutils literal"><span class="pre">principal.kadm5.lock</span></code>, a lock file for the policy database</li> +</ul> +<p>For large databases, the <a class="reference internal" href="admin_commands/kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a> <strong>dump</strong> command (perhaps +invoked by <a class="reference internal" href="admin_commands/kprop.html#kprop-8"><span class="std std-ref">kprop</span></a> or by <a class="reference internal" href="admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> for incremental +propagation) may cause <a class="reference internal" href="admin_commands/krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a> to stop for a noticeable +period of time while it iterates over the 
database. This delay can be +avoided by disabling account lockout features so that the KDC does not +perform database writes (see <a class="reference internal" href="lockout.html#disable-lockout"><span class="std std-ref">KDC performance and account lockout</span></a>). Alternatively, +a slower form of iteration can be enabled by setting the +<strong>unlockiter</strong> variable to <code class="docutils literal"><span class="pre">true</span></code>. For example:</p> +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">dbmodules</span><span class="p">]</span> + <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="o">=</span> <span class="p">{</span> + <span class="n">db_library</span> <span class="o">=</span> <span class="n">db2</span> + <span class="n">unlockiter</span> <span class="o">=</span> <span class="n">true</span> + <span class="p">}</span> +</pre></div> +</div> +<p>In rare cases, a power failure or other unclean system shutdown may +cause inconsistencies in the internal pointers within a database file, +such that <code class="docutils literal"><span class="pre">kdb5_util</span> <span class="pre">dump</span></code> cannot retrieve all principal entries in +the database. In this situation, it may be possible to retrieve all +of the principal data by running <code class="docutils literal"><span class="pre">kdb5_util</span> <span class="pre">dump</span> <span class="pre">-recurse</span></code> to +iterate over the database using the tree pointers instead of the +iteration pointers. 
Running <code class="docutils literal"><span class="pre">kdb5_util</span> <span class="pre">dump</span> <span class="pre">-rev</span></code> to iterate over +the database backwards may also retrieve some of the data which is not +retrieved by a normal dump operation.</p> +</div> +<div class="section" id="lightning-memory-mapped-database-module-klmdb"> +<h2>Lightning Memory-Mapped Database module (klmdb)<a class="headerlink" href="#lightning-memory-mapped-database-module-klmdb" title="Permalink to this headline">¶</a></h2> +<p>The klmdb module was added in release 1.17. It uses the LMDB library, +and may offer better performance and reliability than the db2 module. +It creates four files based on the database pathname. If the pathname +ends with <code class="docutils literal"><span class="pre">principal</span></code>, then the four files are:</p> +<ul class="simple"> +<li><code class="docutils literal"><span class="pre">principal.mdb</span></code>, containing policy object data and most principal +entry data</li> +<li><code class="docutils literal"><span class="pre">principal.mdb-lock</span></code>, a lock file for the primary database</li> +<li><code class="docutils literal"><span class="pre">principal.lockout.mdb</span></code>, containing the account lockout attributes +(last successful authentication time, last failed authentication +time, and number of failed attempts) for each principal entry</li> +<li><code class="docutils literal"><span class="pre">principal.lockout.mdb-lock</span></code>, a lock file for the lockout database</li> +</ul> +<p>Separating out the lockout attributes ensures that the KDC will never +block on an administrative operation such as a database dump or load. +It also allows the KDC to operate without write access to the primary +database. 
If both account lockout features are disabled (see +<a class="reference internal" href="lockout.html#disable-lockout"><span class="std std-ref">KDC performance and account lockout</span></a>), the lockout database files will be created +but will not subsequently be opened, and the account lockout +attributes will always have zero values.</p> +<p>Because LMDB creates a memory map to the database files, it requires a +configured memory map size which also determines the maximum size of +the database. This size is applied equally to the two databases, so +twice the configured size will be consumed in the process address +space; this is primarily a limitation on 32-bit platforms. The +default value of 128 megabytes should be sufficient for several +hundred thousand principal entries. If the limit is reached, kadmin +operations will fail and the error message “Environment mapsize limit +reached” will appear in the kadmind log file. In this case, the +<strong>mapsize</strong> variable can be used to increase the map size. The +following example sets the map size to 512 megabytes:</p> +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">dbmodules</span><span class="p">]</span> + <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="o">=</span> <span class="p">{</span> + <span class="n">db_library</span> <span class="o">=</span> <span class="n">klmdb</span> + <span class="n">mapsize</span> <span class="o">=</span> <span class="mi">512</span> + <span class="p">}</span> +</pre></div> +</div> +<p>LMDB has a configurable maximum number of readers. The default value +of 128 should be sufficient for most deployments. 
If you are going to +use a large number of KDC worker processes, it may be necessary to set +the <strong>max_readers</strong> variable to a larger number.</p> +<p>By default, LMDB synchronizes database files to disk after each write +transaction to ensure durability in the case of an unclean system +shutdown. The klmdb module always turns synchronization off for the +lockout database to ensure reasonable KDC performance, but leaves it +on for the primary database. If high throughput for administrative +operations (including password changes) is required, the <strong>nosync</strong> +variable can be set to “true” to disable synchronization for the +primary database.</p> +<p>The klmdb module does not support explicit locking with the +<a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> <strong>lock</strong> command.</p> +</div> +<div class="section" id="ldap-module-kldap"> +<h2>LDAP module (kldap)<a class="headerlink" href="#ldap-module-kldap" title="Permalink to this headline">¶</a></h2> +<p>The kldap module stores principal and policy data using an LDAP +server. To use it you must configure an LDAP server to use the +Kerberos schema. See <a class="reference internal" href="conf_ldap.html#conf-ldap"><span class="std std-ref">Configuring Kerberos with OpenLDAP back-end</span></a> for details.</p> +<p>Because <a class="reference internal" href="admin_commands/krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a> is single-threaded, latency in LDAP database +accesses may limit KDC operation throughput. If the LDAP server is +located on the same server host as the KDC and accessed through an +<code class="docutils literal"><span class="pre">ldapi://</span></code> URL, latency should be minimal. 
If this is not possible, +consider starting multiple KDC worker processes with the +<a class="reference internal" href="admin_commands/krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a> <strong>-w</strong> option to enable concurrent processing of KDC +requests.</p> +<p>The kldap module does not support explicit locking with the +<a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> <strong>lock</strong> command.</p> +</div> +</div> + + + </div> + </div> + </div> + </div> + <div class="sidebar"> + <h2>On this page</h2> + <ul> +<li><a class="reference internal" href="#">Database types</a><ul> +<li><a class="reference internal" href="#berkeley-database-module-db2">Berkeley database module (db2)</a></li> +<li><a class="reference internal" href="#lightning-memory-mapped-database-module-klmdb">Lightning Memory-Mapped Database module (klmdb)</a></li> +<li><a class="reference internal" href="#ldap-module-kldap">LDAP module (kldap)</a></li> +</ul> +</li> +</ul> + + <br/> + <h2>Table of contents</h2> + <ul class="current"> +<li class="toctree-l1"><a class="reference internal" href="../user/index.html">For users</a></li> +<li class="toctree-l1 current"><a class="reference internal" href="index.html">For administrators</a><ul class="current"> +<li class="toctree-l2"><a class="reference internal" href="install.html">Installation guide</a></li> +<li class="toctree-l2"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li> +<li class="toctree-l2"><a class="reference internal" href="realm_config.html">Realm configuration decisions</a></li> +<li class="toctree-l2"><a class="reference internal" href="database.html">Database administration</a></li> +<li class="toctree-l2 current"><a class="current reference internal" href="#">Database types</a></li> +<li class="toctree-l2"><a class="reference internal" href="lockout.html">Account lockout</a></li> +<li 
class="toctree-l2"><a class="reference internal" href="conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li> +<li class="toctree-l2"><a class="reference internal" href="appl_servers.html">Application servers</a></li> +<li class="toctree-l2"><a class="reference internal" href="host_config.html">Host configuration</a></li> +<li class="toctree-l2"><a class="reference internal" href="backup_host.html">Backups of secure hosts</a></li> +<li class="toctree-l2"><a class="reference internal" href="pkinit.html">PKINIT configuration</a></li> +<li class="toctree-l2"><a class="reference internal" href="otp.html">OTP Preauthentication</a></li> +<li class="toctree-l2"><a class="reference internal" href="spake.html">SPAKE Preauthentication</a></li> +<li class="toctree-l2"><a class="reference internal" href="dictionary.html">Addressing dictionary attack risks</a></li> +<li class="toctree-l2"><a class="reference internal" href="princ_dns.html">Principal names and DNS</a></li> +<li class="toctree-l2"><a class="reference internal" href="enctypes.html">Encryption types</a></li> +<li class="toctree-l2"><a class="reference internal" href="https.html">HTTPS proxy configuration</a></li> +<li class="toctree-l2"><a class="reference internal" href="auth_indicator.html">Authentication indicators</a></li> +<li class="toctree-l2"><a class="reference internal" href="admin_commands/index.html">Administration programs</a></li> +<li class="toctree-l2"><a class="reference internal" href="../mitK5defaults.html">MIT Kerberos defaults</a></li> +<li class="toctree-l2"><a class="reference internal" href="env_variables.html">Environment variables</a></li> +<li class="toctree-l2"><a class="reference internal" href="troubleshoot.html">Troubleshooting</a></li> +<li class="toctree-l2"><a class="reference internal" href="advanced/index.html">Advanced topics</a></li> +<li class="toctree-l2"><a class="reference internal" href="various_envs.html">Various links</a></li> +</ul> +</li> +<li 
class="toctree-l1"><a class="reference internal" href="../appdev/index.html">For application developers</a></li> +<li class="toctree-l1"><a class="reference internal" href="../plugindev/index.html">For plugin module developers</a></li> +<li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li> +<li class="toctree-l1"><a class="reference internal" href="../basic/index.html">Kerberos V5 concepts</a></li> +<li class="toctree-l1"><a class="reference internal" href="../formats/index.html">Protocols and file formats</a></li> +<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li> +<li class="toctree-l1"><a class="reference internal" href="../build_this.html">How to build this documentation from the source</a></li> +<li class="toctree-l1"><a class="reference internal" href="../about.html">Contributing to the MIT Kerberos Documentation</a></li> +<li class="toctree-l1"><a class="reference internal" href="../resources.html">Resources</a></li> +</ul> + + <br/> + <h4><a href="../index.html">Full Table of Contents</a></h4> + <h4>Search</h4> + <form class="search" action="../search.html" method="get"> + <input type="text" name="q" size="18" /> + <input type="submit" value="Go" /> + <input type="hidden" name="check_keywords" value="yes" /> + <input type="hidden" name="area" value="default" /> + </form> + </div> + <div class="clearer"></div> + </div> + </div> + + <div class="footer-wrapper"> + <div class="footer" > + <div class="right" ><i>Release: 1.21.1</i><br /> + © <a href="../copyright.html">Copyright</a> 1985-2023, MIT. 
+ </div> + <div class="left"> + + <a href="../index.html" title="Full Table of Contents" + >Contents</a> | + <a href="database.html" title="Database administration" + >previous</a> | + <a href="lockout.html" title="Account lockout" + >next</a> | + <a href="../genindex.html" title="General Index" + >index</a> | + <a href="../search.html" title="Enter search criteria" + >Search</a> | + <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Database types">feedback</a> + </div> + </div> + </div> + + </body> +</html>
\ No newline at end of file diff --git a/doc/html/admin/dictionary.html b/doc/html/admin/dictionary.html new file mode 100644 index 000000000000..eee254bae404 --- /dev/null +++ b/doc/html/admin/dictionary.html 
@@ -0,0 +1,232 @@ + +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> + +<html xmlns="http://www.w3.org/1999/xhtml"> + <head> + <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> + <title>Addressing dictionary attack risks — MIT Kerberos Documentation</title> + <link rel="stylesheet" href="../_static/agogo.css" type="text/css" /> + <link rel="stylesheet" href="../_static/pygments.css" type="text/css" /> + <link rel="stylesheet" href="../_static/kerb.css" type="text/css" /> + <script type="text/javascript"> + var DOCUMENTATION_OPTIONS = { + URL_ROOT: '../', + VERSION: '1.21.1', + COLLAPSE_INDEX: false, + FILE_SUFFIX: '.html', + HAS_SOURCE: true, + SOURCELINK_SUFFIX: '.txt' + }; + </script> + <script type="text/javascript" src="../_static/jquery.js"></script> + <script type="text/javascript" src="../_static/underscore.js"></script> + <script type="text/javascript" src="../_static/doctools.js"></script> + <link rel="author" title="About these documents" href="../about.html" /> + <link rel="index" title="Index" href="../genindex.html" /> + <link rel="search" title="Search" href="../search.html" /> + <link rel="copyright" title="Copyright" href="../copyright.html" /> + <link rel="next" title="Principal names and DNS" href="princ_dns.html" /> + <link rel="prev" title="SPAKE Preauthentication" href="spake.html" /> + </head> + <body> + <div class="header-wrapper"> + <div class="header"> + + + <h1><a href="../index.html">MIT Kerberos Documentation</a></h1> + + <div class="rel"> + + <a href="../index.html" title="Full Table of Contents" + accesskey="C">Contents</a> | + <a href="spake.html" title="SPAKE Preauthentication" + accesskey="P">previous</a> | + <a href="princ_dns.html" title="Principal names and DNS" + accesskey="N">next</a> | + <a href="../genindex.html" title="General Index" + accesskey="I">index</a> | + <a href="../search.html" title="Enter search criteria" + 
accesskey="S">Search</a> | + <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Addressing dictionary attack risks">feedback</a> + </div> + </div> + </div> + + <div class="content-wrapper"> + <div class="content"> + <div class="document"> + + <div class="documentwrapper"> + <div class="bodywrapper"> + <div class="body" role="main"> + + <div class="section" id="addressing-dictionary-attack-risks"> +<span id="dictionary"></span><h1>Addressing dictionary attack risks<a class="headerlink" href="#addressing-dictionary-attack-risks" title="Permalink to this headline">¶</a></h1> +<p>Kerberos initial authentication is normally secured using the client +principal’s long-term key, which for users is generally derived from a +password. Using a pasword-derived long-term key carries the risk of a +dictionary attack, where an attacker tries a sequence of possible +passwords, possibly requiring much less effort than would be required +to try all possible values of the key. Even if <a class="reference internal" href="database.html#policies"><span class="std std-ref">password policy +objects</span></a> are used to force users not to pick trivial +passwords, dictionary attacks can sometimes be successful against a +significant fraction of the users in a realm. Dictionary attacks are +not a concern for principals using random keys.</p> +<p>A dictionary attack may be online or offline. An online dictionary +attack is performed by trying each password in a separate request to +the KDC, and is therefore visible to the KDC and also limited in speed +by the KDC’s processing power and the network capacity between the +client and the KDC. Online dictionary attacks can be mitigated using +<a class="reference internal" href="lockout.html#lockout"><span class="std std-ref">account lockout</span></a>. 
This measure is not totally +satisfactory, as it makes it easy for an attacker to deny access to a +client principal.</p> +<p>An offline dictionary attack is performed by obtaining a ciphertext +generated using the password-derived key, and trying each password +against the ciphertext. This category of attack is invisible to the +KDC and can be performed much faster than an online attack. The +attack will generally take much longer with more recent encryption +types (particularly the ones based on AES), because those encryption +types use a much more expensive string-to-key function. However, the +best defense is to deny the attacker access to a useful ciphertext. +The required defensive measures depend on the attacker’s level of +network access.</p> +<p>An off-path attacker has no access to packets sent between legitimate +users and the KDC. An off-path attacker could gain access to an +attackable ciphertext either by making an AS request for a client +principal which does not have the <strong>+requires_preauth</strong> flag, or by +making a TGS request (after authenticating as a different user) for a +server principal which does not have the <strong>-allow_svr</strong> flag. To +address off-path attackers, a KDC administrator should set those flags +on principals with password-derived keys:</p> +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">add_principal</span> <span class="o">+</span><span class="n">requires_preauth</span> <span class="o">-</span><span class="n">allow_svr</span> <span class="n">princname</span> +</pre></div> +</div> +<p>An attacker with passive network access (one who can monitor packets +sent between legitimate users and the KDC, but cannot change them or +insert their own packets) can gain access to an attackable ciphertext +by observing an authentication by a user using the most common form of +preauthentication, encrypted timestamp. 
Any of the following methods +can prevent dictionary attacks by attackers with passive network +access:</p> +<ul class="simple"> +<li>Enabling <a class="reference internal" href="spake.html#spake"><span class="std std-ref">SPAKE preauthentication</span></a> (added in release +1.17) on the KDC, and ensuring that all clients are able to support +it.</li> +<li>Using an <a class="reference internal" href="https.html#https"><span class="std std-ref">HTTPS proxy</span></a> for communication with the KDC, +if the attacker cannot monitor communication between the proxy +server and the KDC.</li> +<li>Using FAST, protecting the initial authentication with either a +random key (such as a host key) or with <a class="reference internal" href="pkinit.html#anonymous-pkinit"><span class="std std-ref">anonymous PKINIT</span></a>.</li> +</ul> +<p>An attacker with active network access (one who can inject or modify +packets sent between legitimate users and the KDC) can try to fool the +client software into sending an attackable ciphertext using an +encryption type and salt string of the attacker’s choosing. Any of the +following methods can prevent dictionary attacks by active attackers:</p> +<ul class="simple"> +<li>Enabling SPAKE preauthentication and setting the +<strong>disable_encrypted_timestamp</strong> variable to <code class="docutils literal"><span class="pre">true</span></code> in the +<a class="reference internal" href="conf_files/krb5_conf.html#realms"><span class="std std-ref">[realms]</span></a> subsection of the client configuration.</li> +<li>Using an HTTPS proxy as described above, configured in the client’s +krb5.conf realm configuration. 
If <a class="reference internal" href="realm_config.html#kdc-discovery"><span class="std std-ref">KDC discovery</span></a> is used to locate a proxy server, an active +attacker may be able to use DNS spoofing to cause the client to use +a different HTTPS server or to not use HTTPS.</li> +<li>Using FAST as described above.</li> +</ul> +<p>If <a class="reference internal" href="pkinit.html#pkinit"><span class="std std-ref">PKINIT</span></a> or <a class="reference internal" href="otp.html#otp-preauth"><span class="std std-ref">OTP</span></a> are used for +initial authentication, the principal’s long-term keys are not used +and dictionary attacks are usually not a concern.</p> +</div> + + + </div> + </div> + </div> + </div> + <div class="sidebar"> + <h2>On this page</h2> + <ul> +<li><a class="reference internal" href="#">Addressing dictionary attack risks</a></li> +</ul> + + <br/> + <h2>Table of contents</h2> + <ul class="current"> +<li class="toctree-l1"><a class="reference internal" href="../user/index.html">For users</a></li> +<li class="toctree-l1 current"><a class="reference internal" href="index.html">For administrators</a><ul class="current"> +<li class="toctree-l2"><a class="reference internal" href="install.html">Installation guide</a></li> +<li class="toctree-l2"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li> +<li class="toctree-l2"><a class="reference internal" href="realm_config.html">Realm configuration decisions</a></li> +<li class="toctree-l2"><a class="reference internal" href="database.html">Database administration</a></li> +<li class="toctree-l2"><a class="reference internal" href="dbtypes.html">Database types</a></li> +<li class="toctree-l2"><a class="reference internal" href="lockout.html">Account lockout</a></li> +<li class="toctree-l2"><a class="reference internal" href="conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li> +<li class="toctree-l2"><a class="reference internal" 
href="appl_servers.html">Application servers</a></li> +<li class="toctree-l2"><a class="reference internal" href="host_config.html">Host configuration</a></li> +<li class="toctree-l2"><a class="reference internal" href="backup_host.html">Backups of secure hosts</a></li> +<li class="toctree-l2"><a class="reference internal" href="pkinit.html">PKINIT configuration</a></li> +<li class="toctree-l2"><a class="reference internal" href="otp.html">OTP Preauthentication</a></li> +<li class="toctree-l2"><a class="reference internal" href="spake.html">SPAKE Preauthentication</a></li> +<li class="toctree-l2 current"><a class="current reference internal" href="#">Addressing dictionary attack risks</a></li> +<li class="toctree-l2"><a class="reference internal" href="princ_dns.html">Principal names and DNS</a></li> +<li class="toctree-l2"><a class="reference internal" href="enctypes.html">Encryption types</a></li> +<li class="toctree-l2"><a class="reference internal" href="https.html">HTTPS proxy configuration</a></li> +<li class="toctree-l2"><a class="reference internal" href="auth_indicator.html">Authentication indicators</a></li> +<li class="toctree-l2"><a class="reference internal" href="admin_commands/index.html">Administration programs</a></li> +<li class="toctree-l2"><a class="reference internal" href="../mitK5defaults.html">MIT Kerberos defaults</a></li> +<li class="toctree-l2"><a class="reference internal" href="env_variables.html">Environment variables</a></li> +<li class="toctree-l2"><a class="reference internal" href="troubleshoot.html">Troubleshooting</a></li> +<li class="toctree-l2"><a class="reference internal" href="advanced/index.html">Advanced topics</a></li> +<li class="toctree-l2"><a class="reference internal" href="various_envs.html">Various links</a></li> +</ul> +</li> +<li class="toctree-l1"><a class="reference internal" href="../appdev/index.html">For application developers</a></li> +<li class="toctree-l1"><a class="reference internal" 
href="../plugindev/index.html">For plugin module developers</a></li> +<li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li> +<li class="toctree-l1"><a class="reference internal" href="../basic/index.html">Kerberos V5 concepts</a></li> +<li class="toctree-l1"><a class="reference internal" href="../formats/index.html">Protocols and file formats</a></li> +<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li> +<li class="toctree-l1"><a class="reference internal" href="../build_this.html">How to build this documentation from the source</a></li> +<li class="toctree-l1"><a class="reference internal" href="../about.html">Contributing to the MIT Kerberos Documentation</a></li> +<li class="toctree-l1"><a class="reference internal" href="../resources.html">Resources</a></li> +</ul> + + <br/> + <h4><a href="../index.html">Full Table of Contents</a></h4> + <h4>Search</h4> + <form class="search" action="../search.html" method="get"> + <input type="text" name="q" size="18" /> + <input type="submit" value="Go" /> + <input type="hidden" name="check_keywords" value="yes" /> + <input type="hidden" name="area" value="default" /> + </form> + </div> + <div class="clearer"></div> + </div> + </div> + + <div class="footer-wrapper"> + <div class="footer" > + <div class="right" ><i>Release: 1.21.1</i><br /> + © <a href="../copyright.html">Copyright</a> 1985-2023, MIT. 
+ </div> + <div class="left"> + + <a href="../index.html" title="Full Table of Contents" + >Contents</a> | + <a href="spake.html" title="SPAKE Preauthentication" + >previous</a> | + <a href="princ_dns.html" title="Principal names and DNS" + >next</a> | + <a href="../genindex.html" title="General Index" + >index</a> | + <a href="../search.html" title="Enter search criteria" + >Search</a> | + <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Addressing dictionary attack risks">feedback</a> + </div> + </div> + </div> + + </body> +</html>
\ No newline at end of file diff --git a/doc/html/admin/enctypes.html b/doc/html/admin/enctypes.html index 56e5b6be0ae2..419e7246f443 100644 --- a/doc/html/admin/enctypes.html +++ b/doc/html/admin/enctypes.html @@ -1,33 +1,31 @@ + <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> - <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> - - <title>Encryption types — MIT Kerberos Documentation</title> - + <title>Encryption types — MIT Kerberos Documentation</title> <link rel="stylesheet" href="../_static/agogo.css" type="text/css" /> <link rel="stylesheet" href="../_static/pygments.css" type="text/css" /> <link rel="stylesheet" href="../_static/kerb.css" type="text/css" /> - <script type="text/javascript"> var DOCUMENTATION_OPTIONS = { URL_ROOT: '../', - VERSION: '1.16', + VERSION: '1.21.1', COLLAPSE_INDEX: false, FILE_SUFFIX: '.html', - HAS_SOURCE: true + HAS_SOURCE: true, + SOURCELINK_SUFFIX: '.txt' }; </script> <script type="text/javascript" src="../_static/jquery.js"></script> <script type="text/javascript" src="../_static/underscore.js"></script> <script type="text/javascript" src="../_static/doctools.js"></script> <link rel="author" title="About these documents" href="../about.html" /> + <link rel="index" title="Index" href="../genindex.html" /> + <link rel="search" title="Search" href="../search.html" /> <link rel="copyright" title="Copyright" href="../copyright.html" /> - <link rel="top" title="MIT Kerberos Documentation" href="../index.html" /> - <link rel="up" title="For administrators" href="index.html" /> <link rel="next" title="HTTPS proxy configuration" href="https.html" /> <link rel="prev" title="Principal names and DNS" href="princ_dns.html" /> </head> 
@@ -61,7 +59,7 @@ <div class="documentwrapper"> <div class="bodywrapper"> - <div class="body"> + <div class="body" role="main"> <div class="section" id="encryption-types"> <span id="enctypes"></span><h1>Encryption types<a class="headerlink" href="#encryption-types" title="Permalink to this headline">¶</a></h1> 
@@ -98,16 +96,15 @@ TGS-REQ, this list only affects the session key selection.</p> <span id="id1"></span><h2>Session key selection<a class="headerlink" href="#session-key-selection" title="Permalink to this headline">¶</a></h2> <p>The KDC chooses the session key enctype by taking the intersection of its <strong>permitted_enctypes</strong> list, the list of long-term keys for the -most recent kvno of the service, and the client’s requested list of -enctypes. If <strong>allow_weak_crypto</strong> is true, all services are assumed -to support des-cbc-crc.</p> -<p>Starting in krb5-1.11, <strong>des_crc_session_supported</strong> in -<a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> allows additional control over whether the KDC -issues des-cbc-crc session keys.</p> -<p>Also starting in krb5-1.11, it is possible to set a string attribute -on a service principal to control what session key enctypes the KDC -may issue for service tickets for that principal. See -<a class="reference internal" href="admin_commands/kadmin_local.html#set-string"><em>set_string</em></a> in <a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><em>kadmin</em></a> for details.</p> +most recent kvno of the service, and the client’s requested list of +enctypes. Starting in krb5-1.21, all services are assumed to support +aes256-cts-hmac-sha1-96; also, des3-cbc-sha1 and arcfour-hmac session +keys will not be issued by default.</p> +<p>Starting in krb5-1.11, it is possible to set a string attribute on a +service principal to control what session key enctypes the KDC may +issue for service tickets for that principal, overriding the service’s +long-term keys and the assumption of aes256-cts-hmac-sha1-96 support. 
+See <a class="reference internal" href="admin_commands/kadmin_local.html#set-string"><span class="std std-ref">set_string</span></a> in <a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> for details.</p> </div> <div class="section" id="choosing-enctypes-for-a-service"> <h2>Choosing enctypes for a service<a class="headerlink" href="#choosing-enctypes-for-a-service" title="Permalink to this headline">¶</a></h2> 
@@ -125,19 +122,35 @@ a service principal.</p> </div> <div class="section" id="configuration-variables"> <h2>Configuration variables<a class="headerlink" href="#configuration-variables" title="Permalink to this headline">¶</a></h2> -<p>The following <tt class="docutils literal"><span class="pre">[libdefaults]</span></tt> settings in <a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a> will +<p>The following <code class="docutils literal"><span class="pre">[libdefaults]</span></code> settings in <a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a> will affect how enctypes are chosen.</p> <dl class="docutils"> <dt><strong>allow_weak_crypto</strong></dt> <dd>defaults to <em>false</em> starting with krb5-1.8. When <em>false</em>, removes -single-DES enctypes (and other weak enctypes) from -<strong>permitted_enctypes</strong>, <strong>default_tkt_enctypes</strong>, and -<strong>default_tgs_enctypes</strong>. Do not set this to <em>true</em> unless the -use of weak enctypes is an acceptable risk for your environment -and the weak enctypes are required for backward compatibility.</dd> +weak enctypes from <strong>permitted_enctypes</strong>, +<strong>default_tkt_enctypes</strong>, and <strong>default_tgs_enctypes</strong>. Do not +set this to <em>true</em> unless the use of weak enctypes is an +acceptable risk for your environment and the weak enctypes are +required for backward compatibility.</dd> +<dt><strong>allow_des3</strong></dt> +<dd>was added in release 1.21 and defaults to <em>false</em>. Unless this +flag is set to <em>true</em>, the KDC will not issue tickets with +des3-cbc-sha1 session keys. In a future release, this flag will +control whether des3-cbc-sha1 is permitted in similar fashion to +weak enctypes.</dd> +<dt><strong>allow_rc4</strong></dt> +<dd>was added in release 1.21 and defaults to <em>false</em>. 
Unless this +flag is set to <em>true</em>, the KDC will not issue tickets with +arcfour-hmac session keys. In a future release, this flag will +control whether arcfour-hmac is permitted in similar fashion to +weak enctypes.</dd> <dt><strong>permitted_enctypes</strong></dt> -<dd>controls the set of enctypes that a service will accept as session -keys.</dd> +<dd>controls the set of enctypes that a service will permit for +session keys and for ticket and authenticator encryption. The KDC +and other programs that access the Kerberos database will ignore +keys of non-permitted enctypes. Starting in release 1.18, this +setting also acts as the default for <strong>default_tkt_enctypes</strong> and +<strong>default_tgs_enctypes</strong>.</dd> <dt><strong>default_tkt_enctypes</strong></dt> <dd>controls the default set of enctypes that the Kerberos client library requests when making an AS-REQ. Do not set this unless 
@@ -151,24 +164,24 @@ required for specific backward compatibility purposes; stale values of this setting can prevent clients from taking advantage of new stronger enctypes when the libraries are upgraded.</dd> </dl> -<p>The following per-realm setting in <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> affects the +<p>The following per-realm setting in <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a> affects the generation of long-term keys.</p> <dl class="docutils"> <dt><strong>supported_enctypes</strong></dt> -<dd>controls the default set of enctype-salttype pairs that <a class="reference internal" href="admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a> +<dd>controls the default set of enctype-salttype pairs that <a class="reference internal" href="admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> will use for generating long-term keys, either randomly or from passwords</dd> </dl> </div> <div class="section" id="enctype-compatibility"> <h2>Enctype compatibility<a class="headerlink" href="#enctype-compatibility" title="Permalink to this headline">¶</a></h2> -<p>See <a class="reference internal" href="conf_files/kdc_conf.html#encryption-types"><em>Encryption types</em></a> for additional information about enctypes.</p> +<p>See <a class="reference internal" href="conf_files/kdc_conf.html#encryption-types"><span class="std std-ref">Encryption types</span></a> for additional information about enctypes.</p> <table border="1" class="docutils"> <colgroup> -<col width="57%" /> -<col width="11%" /> -<col width="17%" /> -<col width="15%" /> +<col width="51%" /> +<col width="20%" /> +<col width="16%" /> +<col width="14%" /> </colgroup> <thead valign="bottom"> <tr class="row-odd"><th class="head">enctype</th> 
@@ -180,26 +193,26 @@ passwords</dd> <tbody valign="top"> <tr class="row-even"><td>des-cbc-crc</td> <td>weak</td> -<td>all</td> +<td><1.18</td> <td>>=2000</td> </tr> <tr class="row-odd"><td>des-cbc-md4</td> <td>weak</td> -<td>all</td> +<td><1.18</td> <td>?</td> </tr> <tr class="row-even"><td>des-cbc-md5</td> <td>weak</td> -<td>all</td> +<td><1.18</td> <td>>=2000</td> </tr> <tr class="row-odd"><td>des3-cbc-sha1</td> -<td> </td> +<td>deprecated</td> <td>>=1.1</td> <td>none</td> </tr> <tr class="row-even"><td>arcfour-hmac</td> -<td> </td> +<td>deprecated</td> <td>>=1.3</td> <td>>=2000</td> </tr> 
@@ -209,40 +222,88 @@ passwords</dd> <td>>=2000</td> </tr> <tr class="row-even"><td>aes128-cts-hmac-sha1-96</td> -<td> </td> +<td> </td> <td>>=1.3</td> <td>>=Vista</td> </tr> <tr class="row-odd"><td>aes256-cts-hmac-sha1-96</td> -<td> </td> +<td> </td> <td>>=1.3</td> <td>>=Vista</td> </tr> <tr class="row-even"><td>aes128-cts-hmac-sha256-128</td> -<td> </td> +<td> </td> <td>>=1.15</td> <td>none</td> </tr> <tr class="row-odd"><td>aes256-cts-hmac-sha384-192</td> -<td> </td> +<td> </td> <td>>=1.15</td> <td>none</td> </tr> <tr class="row-even"><td>camellia128-cts-cmac</td> -<td> </td> +<td> </td> <td>>=1.9</td> <td>none</td> </tr> <tr class="row-odd"><td>camellia256-cts-cmac</td> -<td> </td> +<td> </td> <td>>=1.9</td> <td>none</td> </tr> </tbody> </table> -<p>krb5 releases 1.8 and later disable the single-DES enctypes by -default. Microsoft Windows releases Windows 7 and later disable -single-DES enctypes by default.</p> +<p>krb5 releases 1.18 and later do not support single-DES. krb5 releases +1.8 and later disable the single-DES enctypes by default. Microsoft +Windows releases Windows 7 and later disable single-DES enctypes by +default.</p> +<p>krb5 releases 1.17 and later flag deprecated encryption types +(including <code class="docutils literal"><span class="pre">des3-cbc-sha1</span></code> and <code class="docutils literal"><span class="pre">arcfour-hmac</span></code>) in KDC logs and +kadmin output. krb5 release 1.19 issues a warning during initial +authentication if <code class="docutils literal"><span class="pre">des3-cbc-sha1</span></code> is used. 
Future releases will +disable <code class="docutils literal"><span class="pre">des3-cbc-sha1</span></code> by default and eventually remove support for +it.</p> +</div> +<div class="section" id="migrating-away-from-older-encryption-types"> +<h2>Migrating away from older encryption types<a class="headerlink" href="#migrating-away-from-older-encryption-types" title="Permalink to this headline">¶</a></h2> +<p>Administrator intervention may be required to migrate a realm away +from legacy encryption types, especially if the realm was created +using krb5 release 1.2 or earlier. This migration should be performed +before upgrading to krb5 versions which disable or remove support for +legacy encryption types.</p> +<p>If there is a <strong>supported_enctypes</strong> setting in <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a> on +the KDC, make sure that it does not include weak or deprecated +encryption types. This will ensure that newly created keys do not use +those encryption types by default.</p> +<p>Check the <code class="docutils literal"><span class="pre">krbtgt/REALM</span></code> principal using the <a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> +<strong>getprinc</strong> command. If it lists a weak or deprecated encryption +type as the first key, it must be migrated using the procedure in +<a class="reference internal" href="database.html#changing-krbtgt-key"><span class="std std-ref">Changing the krbtgt key</span></a>.</p> +<p>Check the <code class="docutils literal"><span class="pre">kadmin/history</span></code> principal, which should have only one key +entry. 
If it uses a weak or deprecated encryption type, it should be +upgraded following the notes in <a class="reference internal" href="database.html#updating-history-key"><span class="std std-ref">Updating the history key</span></a>.</p> +<p>Check the other kadmin principals: kadmin/changepw, kadmin/admin, and +any kadmin/hostname principals that may exist. These principals can +be upgraded with <strong>change_password -randkey</strong> in kadmin.</p> +<p>Check the <code class="docutils literal"><span class="pre">K/M</span></code> entry. If it uses a weak or deprecated encryption +type, it should be upgraded following the procedure in +<a class="reference internal" href="database.html#updating-master-key"><span class="std std-ref">Updating the master key</span></a>.</p> +<p>User and service principals using legacy encryption types can be +enumerated with the <a class="reference internal" href="admin_commands/kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a> <strong>tabdump keyinfo</strong> command.</p> +<p>Service principals can be migrated with a keytab rotation on the +service host, which can be accomplished using the <a class="reference internal" href="admin_commands/k5srvutil.html#k5srvutil-1"><span class="std std-ref">k5srvutil</span></a> +<strong>change</strong> and <strong>delold</strong> commands. Allow enough time for existing +tickets to expire between the change and delold operations.</p> +<p>User principals with password-based keys can be migrated with a +password change. 
The realm administrator can set a password +expiration date using the <a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> <strong>modify_principal +-pwexpire</strong> command to force a password change.</p> +<p>If a legacy encryption type has not yet been disabled by default in +the version of krb5 running on the KDC, it can be disabled +administratively with the <strong>permitted_enctypes</strong> variable. For +example, setting <strong>permitted_enctypes</strong> to <code class="docutils literal"><span class="pre">DEFAULT</span> <span class="pre">-des3</span> <span class="pre">-rc4</span></code> will +cause any database keys of the triple-DES and RC4 encryption types to +be ignored.</p> </div> </div> @@ -260,6 +321,7 @@ single-DES enctypes by default.</p> <li><a class="reference internal" href="#choosing-enctypes-for-a-service">Choosing enctypes for a service</a></li> <li><a class="reference internal" href="#configuration-variables">Configuration variables</a></li> <li><a class="reference internal" href="#enctype-compatibility">Enctype compatibility</a></li> +<li><a class="reference internal" href="#migrating-away-from-older-encryption-types">Migrating away from older encryption types</a></li> </ul> </li> </ul> 
@@ -273,6 +335,7 @@ single-DES enctypes by default.</p> <li class="toctree-l2"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li> <li class="toctree-l2"><a class="reference internal" href="realm_config.html">Realm configuration decisions</a></li> <li class="toctree-l2"><a class="reference internal" href="database.html">Database administration</a></li> +<li class="toctree-l2"><a class="reference internal" href="dbtypes.html">Database types</a></li> <li class="toctree-l2"><a class="reference internal" href="lockout.html">Account lockout</a></li> <li class="toctree-l2"><a class="reference internal" href="conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li> <li class="toctree-l2"><a class="reference internal" href="appl_servers.html">Application servers</a></li> 
@@ -280,10 +343,10 @@ single-DES enctypes by default.</p> <li class="toctree-l2"><a class="reference internal" href="backup_host.html">Backups of secure hosts</a></li> <li class="toctree-l2"><a class="reference internal" href="pkinit.html">PKINIT configuration</a></li> <li class="toctree-l2"><a class="reference internal" href="otp.html">OTP Preauthentication</a></li> +<li class="toctree-l2"><a class="reference internal" href="spake.html">SPAKE Preauthentication</a></li> +<li class="toctree-l2"><a class="reference internal" href="dictionary.html">Addressing dictionary attack risks</a></li> <li class="toctree-l2"><a class="reference internal" href="princ_dns.html">Principal names and DNS</a></li> -<li class="toctree-l2 current"><a class="current reference internal" href="">Encryption types</a><ul class="simple"> -</ul> -</li> +<li class="toctree-l2 current"><a class="current reference internal" href="#">Encryption types</a></li> <li class="toctree-l2"><a class="reference internal" href="https.html">HTTPS proxy configuration</a></li> <li class="toctree-l2"><a class="reference internal" href="auth_indicator.html">Authentication indicators</a></li> <li class="toctree-l2"><a class="reference internal" href="admin_commands/index.html">Administration programs</a></li> @@ -321,8 +384,8 @@ single-DES enctypes by default.</p> <div class="footer-wrapper"> <div class="footer" > - <div class="right" ><i>Release: 1.16</i><br /> - © <a href="../copyright.html">Copyright</a> 1985-2017, MIT. + <div class="right" ><i>Release: 1.21.1</i><br /> + © <a href="../copyright.html">Copyright</a> 1985-2023, MIT. </div> <div class="left"> diff --git a/doc/html/admin/env_variables.html b/doc/html/admin/env_variables.html index a5a6c8ae1109..0a9d61d7ad36 100644 --- a/doc/html/admin/env_variables.html +++ b/doc/html/admin/env_variables.html 
@@ -1,33 +1,31 @@ + <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> - <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> - - <title>Environment variables — MIT Kerberos Documentation</title> - + <title>Environment variables — MIT Kerberos Documentation</title> <link rel="stylesheet" href="../_static/agogo.css" type="text/css" /> <link rel="stylesheet" href="../_static/pygments.css" type="text/css" /> <link rel="stylesheet" href="../_static/kerb.css" type="text/css" /> - <script type="text/javascript"> var DOCUMENTATION_OPTIONS = { URL_ROOT: '../', - VERSION: '1.16', + VERSION: '1.21.1', COLLAPSE_INDEX: false, FILE_SUFFIX: '.html', - HAS_SOURCE: true + HAS_SOURCE: true, + SOURCELINK_SUFFIX: '.txt' }; </script> <script type="text/javascript" src="../_static/jquery.js"></script> <script type="text/javascript" src="../_static/underscore.js"></script> <script type="text/javascript" src="../_static/doctools.js"></script> <link rel="author" title="About these documents" href="../about.html" /> + <link rel="index" title="Index" href="../genindex.html" /> + <link rel="search" title="Search" href="../search.html" /> <link rel="copyright" title="Copyright" href="../copyright.html" /> - <link rel="top" title="MIT Kerberos Documentation" href="../index.html" /> - <link rel="up" title="For administrators" href="index.html" /> <link rel="next" title="Troubleshooting" href="troubleshoot.html" /> <link rel="prev" title="MIT Kerberos defaults" href="../mitK5defaults.html" /> </head> 
@@ -61,45 +59,11 @@ <div class="documentwrapper"> <div class="bodywrapper"> - <div class="body"> + <div class="body" role="main"> <div class="section" id="environment-variables"> <h1>Environment variables<a class="headerlink" href="#environment-variables" title="Permalink to this headline">¶</a></h1> -<p>The following environment variables can be used during runtime:</p> -<dl class="docutils"> -<dt><strong>KRB5_CONFIG</strong></dt> -<dd>Main Kerberos configuration file. Multiple filenames can be -specified, separated by a colon; all files which are present will -be read. (See <a class="reference internal" href="../mitK5defaults.html#mitk5defaults"><em>MIT Kerberos defaults</em></a> for the default path.)</dd> -<dt><strong>KRB5_KDC_PROFILE</strong></dt> -<dd>KDC configuration file. (See <a class="reference internal" href="../mitK5defaults.html#mitk5defaults"><em>MIT Kerberos defaults</em></a> for the default -name.)</dd> -<dt><strong>KRB5_KTNAME</strong></dt> -<dd>Default keytab file name. (See <a class="reference internal" href="../mitK5defaults.html#mitk5defaults"><em>MIT Kerberos defaults</em></a> for the -default name.)</dd> -<dt><strong>KRB5_CLIENT_KTNAME</strong></dt> -<dd>Default client keytab file name. (See <a class="reference internal" href="../mitK5defaults.html#mitk5defaults"><em>MIT Kerberos defaults</em></a> for -the default name.)</dd> -<dt><strong>KRB5CCNAME</strong></dt> -<dd>Default name for the credentials cache file, in the form <em>type</em>:<em>residual</em>. The type of the default cache may determine the -availability of a cache collection. For instance, a default cache -of type <tt class="docutils literal"><span class="pre">DIR</span></tt> causes caches within the directory to be present -in the global cache collection.</dd> -<dt><strong>KRB5RCACHETYPE</strong></dt> -<dd>Default replay cache type. Defaults to <tt class="docutils literal"><span class="pre">dfl</span></tt>. 
A value of -<tt class="docutils literal"><span class="pre">none</span></tt> disables the replay cache.</dd> -<dt><strong>KRB5RCACHEDIR</strong></dt> -<dd>Default replay cache directory. (See <a class="reference internal" href="../mitK5defaults.html#mitk5defaults"><em>MIT Kerberos defaults</em></a> for the -default location.)</dd> -<dt><strong>KPROP_PORT</strong></dt> -<dd><a class="reference internal" href="admin_commands/kprop.html#kprop-8"><em>kprop</em></a> port to use. Defaults to 754.</dd> -<dt><strong>KRB5_TRACE</strong></dt> -<dd>Filename for trace-logging output (introduced in release 1.9). -For example, <tt class="docutils literal"><span class="pre">env</span> <span class="pre">KRB5_TRACE=/dev/stdout</span> <span class="pre">kinit</span></tt> would send -tracing information for kinit to <tt class="docutils literal"><span class="pre">/dev/stdout</span></tt>. Some programs -may ignore this variable (particularly setuid or login system -programs).</dd> -</dl> +<p>This content has moved to <a class="reference internal" href="../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a>.</p> </div> @@ -122,6 +86,7 @@ programs).</dd> <li class="toctree-l2"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li> <li class="toctree-l2"><a class="reference internal" href="realm_config.html">Realm configuration decisions</a></li> <li class="toctree-l2"><a class="reference internal" href="database.html">Database administration</a></li> +<li class="toctree-l2"><a class="reference internal" href="dbtypes.html">Database types</a></li> <li class="toctree-l2"><a class="reference internal" href="lockout.html">Account lockout</a></li> <li class="toctree-l2"><a class="reference internal" href="conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li> <li class="toctree-l2"><a class="reference internal" href="appl_servers.html">Application servers</a></li> 
@@ -129,13 +94,15 @@ programs).</dd> <li class="toctree-l2"><a class="reference internal" href="backup_host.html">Backups of secure hosts</a></li> <li class="toctree-l2"><a class="reference internal" href="pkinit.html">PKINIT configuration</a></li> <li class="toctree-l2"><a class="reference internal" href="otp.html">OTP Preauthentication</a></li> +<li class="toctree-l2"><a class="reference internal" href="spake.html">SPAKE Preauthentication</a></li> +<li class="toctree-l2"><a class="reference internal" href="dictionary.html">Addressing dictionary attack risks</a></li> <li class="toctree-l2"><a class="reference internal" href="princ_dns.html">Principal names and DNS</a></li> <li class="toctree-l2"><a class="reference internal" href="enctypes.html">Encryption types</a></li> <li class="toctree-l2"><a class="reference internal" href="https.html">HTTPS proxy configuration</a></li> <li class="toctree-l2"><a class="reference internal" href="auth_indicator.html">Authentication indicators</a></li> <li class="toctree-l2"><a class="reference internal" href="admin_commands/index.html">Administration programs</a></li> <li class="toctree-l2"><a class="reference internal" href="../mitK5defaults.html">MIT Kerberos defaults</a></li> -<li class="toctree-l2 current"><a class="current reference internal" href="">Environment variables</a></li> +<li class="toctree-l2 current"><a class="current reference internal" href="#">Environment variables</a></li> <li class="toctree-l2"><a class="reference internal" href="troubleshoot.html">Troubleshooting</a></li> <li class="toctree-l2"><a class="reference internal" href="advanced/index.html">Advanced topics</a></li> <li class="toctree-l2"><a class="reference internal" href="various_envs.html">Various links</a></li> 
@@ -168,8 +135,8 @@ programs).</dd> <div class="footer-wrapper"> <div class="footer" > - <div class="right" ><i>Release: 1.16</i><br /> - © <a href="../copyright.html">Copyright</a> 1985-2017, MIT. + <div class="right" ><i>Release: 1.21.1</i><br /> + © <a href="../copyright.html">Copyright</a> 1985-2023, MIT. </div> <div class="left"> diff --git a/doc/html/admin/host_config.html b/doc/html/admin/host_config.html index 3c0dbaa87656..21a8f2c7d23b 100644 --- a/doc/html/admin/host_config.html +++ b/doc/html/admin/host_config.html 
@@ -1,33 +1,31 @@ + <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> - <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> - - <title>Host configuration — MIT Kerberos Documentation</title> - + <title>Host configuration — MIT Kerberos Documentation</title> <link rel="stylesheet" href="../_static/agogo.css" type="text/css" /> <link rel="stylesheet" href="../_static/pygments.css" type="text/css" /> <link rel="stylesheet" href="../_static/kerb.css" type="text/css" /> - <script type="text/javascript"> var DOCUMENTATION_OPTIONS = { URL_ROOT: '../', - VERSION: '1.16', + VERSION: '1.21.1', COLLAPSE_INDEX: false, FILE_SUFFIX: '.html', - HAS_SOURCE: true + HAS_SOURCE: true, + SOURCELINK_SUFFIX: '.txt' }; </script> <script type="text/javascript" src="../_static/jquery.js"></script> <script type="text/javascript" src="../_static/underscore.js"></script> <script type="text/javascript" src="../_static/doctools.js"></script> <link rel="author" title="About these documents" href="../about.html" /> + <link rel="index" title="Index" href="../genindex.html" /> + <link rel="search" title="Search" href="../search.html" /> <link rel="copyright" title="Copyright" href="../copyright.html" /> - <link rel="top" title="MIT Kerberos Documentation" href="../index.html" /> - <link rel="up" title="For administrators" href="index.html" /> <link rel="next" title="Backups of secure hosts" href="backup_host.html" /> <link rel="prev" title="Application servers" href="appl_servers.html" /> </head> 
@@ -61,35 +59,35 @@ <div class="documentwrapper"> <div class="bodywrapper"> - <div class="body"> + <div class="body" role="main"> <div class="section" id="host-configuration"> <h1>Host configuration<a class="headerlink" href="#host-configuration" title="Permalink to this headline">¶</a></h1> <p>All hosts running Kerberos software, whether they are clients, application servers, or KDCs, can be configured using -<a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a>. Here we describe some of the behavior changes +<a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a>. Here we describe some of the behavior changes you might want to make.</p> <div class="section" id="default-realm"> <h2>Default realm<a class="headerlink" href="#default-realm" title="Permalink to this headline">¶</a></h2> -<p>In the <a class="reference internal" href="conf_files/krb5_conf.html#libdefaults"><em>[libdefaults]</em></a> section, the <strong>default_realm</strong> realm +<p>In the <a class="reference internal" href="conf_files/krb5_conf.html#libdefaults"><span class="std std-ref">[libdefaults]</span></a> section, the <strong>default_realm</strong> realm relation sets the default Kerberos realm. 
For example:</p> -<div class="highlight-python"><div class="highlight"><pre>[libdefaults] - default_realm = ATHENA.MIT.EDU +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">libdefaults</span><span class="p">]</span> + <span class="n">default_realm</span> <span class="o">=</span> <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> </pre></div> </div> <p>The default realm affects Kerberos behavior in the following ways:</p> <ul class="simple"> <li>When a principal name is parsed from text, the default realm is used -if no <tt class="docutils literal"><span class="pre">@REALM</span></tt> component is specified.</li> +if no <code class="docutils literal"><span class="pre">@REALM</span></code> component is specified.</li> <li>The default realm affects login authorization as described below.</li> <li>For programs which operate on a Kerberos database, the default realm is used to determine which database to operate on, unless the <strong>-r</strong> parameter is given to specify a realm.</li> <li>A server program may use the default realm when looking up its key -in a <a class="reference internal" href="install_appl_srv.html#keytab-file"><em>keytab file</em></a>, if its realm is not -determined by <a class="reference internal" href="conf_files/krb5_conf.html#domain-realm"><em>[domain_realm]</em></a> configuration or by the server +in a <a class="reference internal" href="install_appl_srv.html#keytab-file"><span class="std std-ref">keytab file</span></a>, if its realm is not +determined by <a class="reference internal" href="conf_files/krb5_conf.html#domain-realm"><span class="std std-ref">[domain_realm]</span></a> configuration or by the server program itself.</li> -<li>If <a class="reference internal" href="../user/user_commands/kinit.html#kinit-1"><em>kinit</em></a> is passed the <strong>-n</strong> flag, it requests anonymous 
+<li>If <a class="reference internal" href="../user/user_commands/kinit.html#kinit-1"><span class="std std-ref">kinit</span></a> is passed the <strong>-n</strong> flag, it requests anonymous tickets from the default realm.</li> </ul> <p>In some situations, these uses of the default realm might conflict. 
@@ -108,28 +106,28 @@ whether a Kerberos principal is allowed to access a local account.</p> its realm matches the default realm and its name matches the account name. (For historical reasons, access is also granted by default if the name has two components and the second component matches the -default realm; for instance, <tt class="docutils literal"><span class="pre">alice/ATHENA.MIT.EDU@ATHENA.MIT.EDU</span></tt> -is granted access to the <tt class="docutils literal"><span class="pre">alice</span></tt> account if <tt class="docutils literal"><span class="pre">ATHENA.MIT.EDU</span></tt> is +default realm; for instance, <code class="docutils literal"><span class="pre">alice/ATHENA.MIT.EDU@ATHENA.MIT.EDU</span></code> +is granted access to the <code class="docutils literal"><span class="pre">alice</span></code> account if <code class="docutils literal"><span class="pre">ATHENA.MIT.EDU</span></code> is the default realm.)</p> -<p>The simplest way to control local access is using <a class="reference internal" href="../user/user_config/k5login.html#k5login-5"><em>.k5login</em></a> -files. To use these, place a <tt class="docutils literal"><span class="pre">.k5login</span></tt> file in the home directory +<p>The simplest way to control local access is using <a class="reference internal" href="../user/user_config/k5login.html#k5login-5"><span class="std std-ref">.k5login</span></a> +files. To use these, place a <code class="docutils literal"><span class="pre">.k5login</span></code> file in the home directory of each account listing the principal names which should have login -access to that account. If it is not desirable to use <tt class="docutils literal"><span class="pre">.k5login</span></tt> +access to that account. 
If it is not desirable to use <code class="docutils literal"><span class="pre">.k5login</span></code> files located in account home directories, the <strong>k5login_directory</strong> -relation in the <a class="reference internal" href="conf_files/krb5_conf.html#libdefaults"><em>[libdefaults]</em></a> section can specify a directory +relation in the <a class="reference internal" href="conf_files/krb5_conf.html#libdefaults"><span class="std std-ref">[libdefaults]</span></a> section can specify a directory containing one file per account uname.</p> -<p>By default, if a <tt class="docutils literal"><span class="pre">.k5login</span></tt> file is present, it controls -authorization both positively and negatively–any principal name +<p>By default, if a <code class="docutils literal"><span class="pre">.k5login</span></code> file is present, it controls +authorization both positively and negatively–any principal name contained in the file is granted access and any other principal name -is denied access, even if it would have had access if the <tt class="docutils literal"><span class="pre">.k5login</span></tt> -file didn’t exist. The <strong>k5login_authoritative</strong> relation in the -<a class="reference internal" href="conf_files/krb5_conf.html#libdefaults"><em>[libdefaults]</em></a> section can be set to false to make <tt class="docutils literal"><span class="pre">.k5login</span></tt> +is denied access, even if it would have had access if the <code class="docutils literal"><span class="pre">.k5login</span></code> +file didn’t exist. 
The <strong>k5login_authoritative</strong> relation in the +<a class="reference internal" href="conf_files/krb5_conf.html#libdefaults"><span class="std std-ref">[libdefaults]</span></a> section can be set to false to make <code class="docutils literal"><span class="pre">.k5login</span></code> files provide positive authorization only.</p> -<p>The <strong>auth_to_local</strong> relation in the <a class="reference internal" href="conf_files/krb5_conf.html#realms"><em>[realms]</em></a> section for the +<p>The <strong>auth_to_local</strong> relation in the <a class="reference internal" href="conf_files/krb5_conf.html#realms"><span class="std std-ref">[realms]</span></a> section for the default realm can specify pattern-matching rules to control login authorization. For example, the following configuration allows access to principals from a different realm than the default realm:</p> -<div class="highlight-python"><div class="highlight"><pre>[realms] +<div class="highlight-default"><div class="highlight"><pre><span></span>[realms] DEFAULT.REALM = { # Allow access to principals from OTHER.REALM. # @@ -140,7 +138,7 @@ to principals from a different realm than the default realm:</p> # only principals in OTHER.REALM are matched. # # s/@OTHER\.REALM$// removes the realm name, leaving behind the - # principal name as the acount name. + # principal name as the account name. auth_to_local = RULE:[1:$1@$0](.*@OTHER\.REALM)s/@OTHER\.REALM$// # Also allow principals from the default realm. Omit this line 
@@ -149,47 +147,47 @@ to principals from a different realm than the default realm:</p> } </pre></div> </div> -<p>The <strong>auth_to_local_names</strong> subsection of the <a class="reference internal" href="conf_files/krb5_conf.html#realms"><em>[realms]</em></a> section +<p>The <strong>auth_to_local_names</strong> subsection of the <a class="reference internal" href="conf_files/krb5_conf.html#realms"><span class="std std-ref">[realms]</span></a> section for the default realm can specify explicit mappings from principal names to local accounts. The key used in this subsection is the principal name without realm, so it is only safe to use in a Kerberos environment with a single realm or a tightly controlled set of realms. An example use of <strong>auth_to_local_names</strong> might be:</p> -<div class="highlight-python"><div class="highlight"><pre>[realms] - ATHENA.MIT.EDU = { - auth_to_local_names = { - # Careful, these match principals in any realm! - host/example.com = hostaccount - fred = localfred - } - } +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">realms</span><span class="p">]</span> + <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="o">=</span> <span class="p">{</span> + <span class="n">auth_to_local_names</span> <span class="o">=</span> <span class="p">{</span> + <span class="c1"># Careful, these match principals in any realm!</span> + <span class="n">host</span><span class="o">/</span><span class="n">example</span><span class="o">.</span><span class="n">com</span> <span class="o">=</span> <span class="n">hostaccount</span> + <span class="n">fred</span> <span class="o">=</span> <span class="n">localfred</span> + <span class="p">}</span> + <span class="p">}</span> </pre></div> </div> <p>Local authorization behavior can also be modified using plugin -modules; see <a class="reference internal" 
href="../plugindev/hostrealm.html#hostrealm-plugin"><em>Host-to-realm interface (hostrealm)</em></a> for details.</p> +modules; see <a class="reference internal" href="../plugindev/hostrealm.html#hostrealm-plugin"><span class="std std-ref">Host-to-realm interface (hostrealm)</span></a> for details.</p> </div> <div class="section" id="plugin-module-configuration"> <span id="plugin-config"></span><h2>Plugin module configuration<a class="headerlink" href="#plugin-module-configuration" title="Permalink to this headline">¶</a></h2> <p>Many aspects of Kerberos behavior, such as client preauthentication and KDC service location, can be modified through the use of plugin -modules. For most of these behaviors, you can use the <a class="reference internal" href="conf_files/krb5_conf.html#plugins"><em>[plugins]</em></a> +modules. For most of these behaviors, you can use the <a class="reference internal" href="conf_files/krb5_conf.html#plugins"><span class="std std-ref">[plugins]</span></a> section of krb5.conf to register third-party modules, and to switch off registered or built-in modules.</p> <p>A plugin module takes the form of a Unix shared object -(<tt class="docutils literal"><span class="pre">modname.so</span></tt>) or Windows DLL (<tt class="docutils literal"><span class="pre">modname.dll</span></tt>). If you have +(<code class="docutils literal"><span class="pre">modname.so</span></code>) or Windows DLL (<code class="docutils literal"><span class="pre">modname.dll</span></code>). If you have installed a third-party plugin module and want to register it, you do so using the <strong>module</strong> relation in the appropriate subsection of the [plugins] section. The value for <strong>module</strong> must give the module name and the path to the module, separated by a colon. 
The module name -will often be the same as the shared object’s name, but in unusual +will often be the same as the shared object’s name, but in unusual cases (such as a shared object which implements multiple modules for the same interface) it might not be. For example, to register a -client preauthentication module named <tt class="docutils literal"><span class="pre">mypreauth</span></tt> installed at -<tt class="docutils literal"><span class="pre">/path/to/mypreauth.so</span></tt>, you could write:</p> -<div class="highlight-python"><div class="highlight"><pre>[plugins] - clpreauth = { - module = mypreauth:/path/to/mypreauth.so - } +client preauthentication module named <code class="docutils literal"><span class="pre">mypreauth</span></code> installed at +<code class="docutils literal"><span class="pre">/path/to/mypreauth.so</span></code>, you could write:</p> +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">plugins</span><span class="p">]</span> + <span class="n">clpreauth</span> <span class="o">=</span> <span class="p">{</span> + <span class="n">module</span> <span class="o">=</span> <span class="n">mypreauth</span><span class="p">:</span><span class="o">/</span><span class="n">path</span><span class="o">/</span><span class="n">to</span><span class="o">/</span><span class="n">mypreauth</span><span class="o">.</span><span class="n">so</span> + <span class="p">}</span> </pre></div> </div> <p>Many of the pluggable behaviors in MIT krb5 contain built-in modules 
@@ -198,23 +196,23 @@ you have registered) using the <strong>disable</strong> directive in the appropriate subsection of the [plugins] section. For example, to disable the use of .k5identity files to select credential caches, you could write:</p> -<div class="highlight-python"><div class="highlight"><pre>[plugins] - ccselect = { - disable = k5identity - } +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">plugins</span><span class="p">]</span> + <span class="n">ccselect</span> <span class="o">=</span> <span class="p">{</span> + <span class="n">disable</span> <span class="o">=</span> <span class="n">k5identity</span> + <span class="p">}</span> </pre></div> </div> <p>If you want to disable multiple modules, specify the <strong>disable</strong> directive multiple times, giving one module to disable each time.</p> <p>Alternatively, you can explicitly specify which modules you want to be enabled for that behavior using the <strong>enable_only</strong> directive. 
For -example, to make <a class="reference internal" href="admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a> check password quality using only a +example, to make <a class="reference internal" href="admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> check password quality using only a module you have registered, and no other mechanism, you could write:</p> -<div class="highlight-python"><div class="highlight"><pre>[plugins] - pwqual = { - module = mymodule:/path/to/mymodule.so - enable_only = mymodule - } +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">plugins</span><span class="p">]</span> + <span class="n">pwqual</span> <span class="o">=</span> <span class="p">{</span> + <span class="n">module</span> <span class="o">=</span> <span class="n">mymodule</span><span class="p">:</span><span class="o">/</span><span class="n">path</span><span class="o">/</span><span class="n">to</span><span class="o">/</span><span class="n">mymodule</span><span class="o">.</span><span class="n">so</span> + <span class="n">enable_only</span> <span class="o">=</span> <span class="n">mymodule</span> + <span class="p">}</span> </pre></div> </div> <p>Again, if you want to specify multiple modules, specify the 
@@ -226,35 +224,38 @@ modules.</p> <h3>KDC location modules<a class="headerlink" href="#kdc-location-modules" title="Permalink to this headline">¶</a></h3> <p>For historical reasons, modules to control how KDC servers are located are registered simply by placing the shared object or DLL into the -“libkrb5” subdirectory of the krb5 plugin directory, which defaults to -<a class="reference internal" href="../mitK5defaults.html#paths"><em>LIBDIR</em></a><tt class="docutils literal"><span class="pre">/krb5/plugins</span></tt>. For example, Samba’s winbind krb5 +“libkrb5” subdirectory of the krb5 plugin directory, which defaults to +<a class="reference internal" href="../mitK5defaults.html#paths"><span class="std std-ref">LIBDIR</span></a><code class="docutils literal"><span class="pre">/krb5/plugins</span></code>. For example, Samba’s winbind krb5 locator plugin would be registered by placing its shared object in -<a class="reference internal" href="../mitK5defaults.html#paths"><em>LIBDIR</em></a><tt class="docutils literal"><span class="pre">/krb5/plugins/libkrb5/winbind_krb5_locator.so</span></tt>.</p> +<a class="reference internal" href="../mitK5defaults.html#paths"><span class="std std-ref">LIBDIR</span></a><code class="docutils literal"><span class="pre">/krb5/plugins/libkrb5/winbind_krb5_locator.so</span></code>.</p> </div> <div class="section" id="gssapi-mechanism-modules"> <span id="gssapi-plugin-config"></span><h3>GSSAPI mechanism modules<a class="headerlink" href="#gssapi-mechanism-modules" title="Permalink to this headline">¶</a></h3> <p>GSSAPI mechanism modules are registered using the file -<tt class="docutils literal"><span class="pre">/etc/gss/mech</span></tt> or configuration files in the <tt class="docutils literal"><span class="pre">/etc/gss/mech.d/</span></tt> -directory. 
Only files with a <tt class="docutils literal"><span class="pre">.conf</span></tt> suffix will be read from the -<tt class="docutils literal"><span class="pre">/etc/gss/mech.d/</span></tt> directory. Each line in these files has the -form:</p> -<div class="highlight-python"><div class="highlight"><pre>oid pathname [options] <type> +<a class="reference internal" href="../mitK5defaults.html#paths"><span class="std std-ref">SYSCONFDIR</span></a><code class="docutils literal"><span class="pre">/gss/mech</span></code> or configuration files in the +<a class="reference internal" href="../mitK5defaults.html#paths"><span class="std std-ref">SYSCONFDIR</span></a><code class="docutils literal"><span class="pre">/gss/mech.d</span></code> directory with a <code class="docutils literal"><span class="pre">.conf</span></code> +suffix. Each line in these files has the form:</p> +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">name</span> <span class="n">oid</span> <span class="n">pathname</span> <span class="p">[</span><span class="n">options</span><span class="p">]</span> <span class="o"><</span><span class="nb">type</span><span class="o">></span> </pre></div> </div> -<p>Only the oid and pathname are required. <em>oid</em> is the object -identifier of the GSSAPI mechanism to be registered. <em>pathname</em> is a -path to the module shared object or DLL. <em>options</em> (if present) are -options provided to the plugin module, surrounded in square brackets. -<em>type</em> (if present) can be used to indicate a special type of module. -Currently the only special module type is “interposer”, for a module -designed to intercept calls to other mechanisms.</p> +<p>Only the name, oid, and pathname are required. <em>name</em> is the +mechanism name, which may be used for debugging or logging purposes. +<em>oid</em> is the object identifier of the GSSAPI mechanism to be +registered. <em>pathname</em> is a path to the module shared object or DLL. 
+<em>options</em> (if present) are options provided to the plugin module, +surrounded in square brackets. <em>type</em> (if present) can be used to +indicate a special type of module. Currently the only special module +type is “interposer”, for a module designed to intercept calls to +other mechanisms.</p> +<p>If the environment variable <strong>GSS_MECH_CONFIG</strong> is set, its value is +used as the sole mechanism configuration filename.</p> </div> <div class="section" id="configuration-profile-modules"> <span id="profile-plugin-config"></span><h3>Configuration profile modules<a class="headerlink" href="#configuration-profile-modules" title="Permalink to this headline">¶</a></h3> <p>A configuration profile module replaces the information source for -<a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a> itself. To use a profile module, begin krb5.conf +<a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a> itself. To use a profile module, begin krb5.conf with the line:</p> -<div class="highlight-python"><div class="highlight"><pre>module PATHNAME:STRING +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">module</span> <span class="n">PATHNAME</span><span class="p">:</span><span class="n">STRING</span> </pre></div> </div> <p>where <em>PATHNAME</em> is a path to the module shared object or DLL, and 
@@ -294,15 +295,16 @@ take over, and the rest of krb5.conf will be ignored.</p> <li class="toctree-l2"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li> <li class="toctree-l2"><a class="reference internal" href="realm_config.html">Realm configuration decisions</a></li> <li class="toctree-l2"><a class="reference internal" href="database.html">Database administration</a></li> +<li class="toctree-l2"><a class="reference internal" href="dbtypes.html">Database types</a></li> <li class="toctree-l2"><a class="reference internal" href="lockout.html">Account lockout</a></li> <li class="toctree-l2"><a class="reference internal" href="conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li> <li class="toctree-l2"><a class="reference internal" href="appl_servers.html">Application servers</a></li> -<li class="toctree-l2 current"><a class="current reference internal" href="">Host configuration</a><ul class="simple"> -</ul> -</li> +<li class="toctree-l2 current"><a class="current reference internal" href="#">Host configuration</a></li> <li class="toctree-l2"><a class="reference internal" href="backup_host.html">Backups of secure hosts</a></li> <li class="toctree-l2"><a class="reference internal" href="pkinit.html">PKINIT configuration</a></li> <li class="toctree-l2"><a class="reference internal" href="otp.html">OTP Preauthentication</a></li> +<li class="toctree-l2"><a class="reference internal" href="spake.html">SPAKE Preauthentication</a></li> +<li class="toctree-l2"><a class="reference internal" href="dictionary.html">Addressing dictionary attack risks</a></li> <li class="toctree-l2"><a class="reference internal" href="princ_dns.html">Principal names and DNS</a></li> <li class="toctree-l2"><a class="reference internal" href="enctypes.html">Encryption types</a></li> <li class="toctree-l2"><a class="reference internal" href="https.html">HTTPS proxy configuration</a></li> 
@@ -342,8 +344,8 @@ take over, and the rest of krb5.conf will be ignored.</p> <div class="footer-wrapper"> <div class="footer" > - <div class="right" ><i>Release: 1.16</i><br /> - © <a href="../copyright.html">Copyright</a> 1985-2017, MIT. + <div class="right" ><i>Release: 1.21.1</i><br /> + © <a href="../copyright.html">Copyright</a> 1985-2023, MIT. </div> <div class="left"> diff --git a/doc/html/admin/https.html b/doc/html/admin/https.html index 7429ffb922ee..0e787e90fb74 100644 --- a/doc/html/admin/https.html +++ b/doc/html/admin/https.html 
@@ -1,33 +1,31 @@ + <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> - <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> - - <title>HTTPS proxy configuration — MIT Kerberos Documentation</title> - + <title>HTTPS proxy configuration — MIT Kerberos Documentation</title> <link rel="stylesheet" href="../_static/agogo.css" type="text/css" /> <link rel="stylesheet" href="../_static/pygments.css" type="text/css" /> <link rel="stylesheet" href="../_static/kerb.css" type="text/css" /> - <script type="text/javascript"> var DOCUMENTATION_OPTIONS = { URL_ROOT: '../', - VERSION: '1.16', + VERSION: '1.21.1', COLLAPSE_INDEX: false, FILE_SUFFIX: '.html', - HAS_SOURCE: true + HAS_SOURCE: true, + SOURCELINK_SUFFIX: '.txt' }; </script> <script type="text/javascript" src="../_static/jquery.js"></script> <script type="text/javascript" src="../_static/underscore.js"></script> <script type="text/javascript" src="../_static/doctools.js"></script> <link rel="author" title="About these documents" href="../about.html" /> + <link rel="index" title="Index" href="../genindex.html" /> + <link rel="search" title="Search" href="../search.html" /> <link rel="copyright" title="Copyright" href="../copyright.html" /> - <link rel="top" title="MIT Kerberos Documentation" href="../index.html" /> - <link rel="up" title="For administrators" href="index.html" /> <link rel="next" title="Authentication indicators" href="auth_indicator.html" /> <link rel="prev" title="Encryption types" href="enctypes.html" /> </head> @@ -61,7 +59,7 @@ <div class="documentwrapper"> <div class="bodywrapper"> - <div class="body"> + <div class="body" role="main"> <div class="section" id="https-proxy-configuration"> <span id="https"></span><h1>HTTPS proxy configuration<a class="headerlink" href="#https-proxy-configuration" title="Permalink to this headline">¶</a></h1> 
@@ -83,25 +81,25 @@ is available in the python package index.</p> <div class="section" id="configuring-the-clients"> <h2>Configuring the clients<a class="headerlink" href="#configuring-the-clients" title="Permalink to this headline">¶</a></h2> <p>To use an HTTPS proxy, a client host must trust the CA which issued -that proxy’s SSL certificate. If that CA’s certificate is not in the +that proxy’s SSL certificate. If that CA’s certificate is not in the system-wide default set of trusted certificates, configure the -following relation in the client host’s <a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a> file in -the appropriate <a class="reference internal" href="conf_files/krb5_conf.html#realms"><em>[realms]</em></a> subsection:</p> -<div class="highlight-python"><div class="highlight"><pre>http_anchors = FILE:/etc/krb5/cacert.pem +following relation in the client host’s <a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a> file in +the appropriate <a class="reference internal" href="conf_files/krb5_conf.html#realms"><span class="std std-ref">[realms]</span></a> subsection:</p> +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">http_anchors</span> <span class="o">=</span> <span class="n">FILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">krb5</span><span class="o">/</span><span class="n">cacert</span><span class="o">.</span><span class="n">pem</span> </pre></div> </div> <p>Adjust the pathname to match the path of the file which contains a -copy of the CA’s certificate. The <cite>http_anchors</cite> option is documented -more fully in <a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a>.</p> +copy of the CA’s certificate. 
The <cite>http_anchors</cite> option is documented +more fully in <a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a>.</p> <p>Configure the client to access the KDC and kpasswd service by -specifying their locations in its <a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a> file in the form +specifying their locations in its <a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a> file in the form of HTTPS URLs for the proxy server:</p> -<div class="highlight-python"><div class="highlight"><pre>kdc = https://server.fqdn/KdcProxy -kpasswd_server = https://server.fqdn/KdcProxy +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kdc</span> <span class="o">=</span> <span class="n">https</span><span class="p">:</span><span class="o">//</span><span class="n">server</span><span class="o">.</span><span class="n">fqdn</span><span class="o">/</span><span class="n">KdcProxy</span> +<span class="n">kpasswd_server</span> <span class="o">=</span> <span class="n">https</span><span class="p">:</span><span class="o">//</span><span class="n">server</span><span class="o">.</span><span class="n">fqdn</span><span class="o">/</span><span class="n">KdcProxy</span> </pre></div> </div> <p>If the proxy and client are properly configured, client commands such -as <tt class="docutils literal"><span class="pre">kinit</span></tt>, <tt class="docutils literal"><span class="pre">kvno</span></tt>, and <tt class="docutils literal"><span class="pre">kpasswd</span></tt> should all function normally.</p> +as <code class="docutils literal"><span class="pre">kinit</span></code>, <code class="docutils literal"><span class="pre">kvno</span></code>, and <code class="docutils literal"><span class="pre">kpasswd</span></code> should all function normally.</p> </div> </div> 
@@ -128,6 +126,7 @@ as <tt class="docutils literal"><span class="pre">kinit</span></tt>, <tt class=" <li class="toctree-l2"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li> <li class="toctree-l2"><a class="reference internal" href="realm_config.html">Realm configuration decisions</a></li> <li class="toctree-l2"><a class="reference internal" href="database.html">Database administration</a></li> +<li class="toctree-l2"><a class="reference internal" href="dbtypes.html">Database types</a></li> <li class="toctree-l2"><a class="reference internal" href="lockout.html">Account lockout</a></li> <li class="toctree-l2"><a class="reference internal" href="conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li> <li class="toctree-l2"><a class="reference internal" href="appl_servers.html">Application servers</a></li> 
@@ -135,11 +134,11 @@ as <tt class="docutils literal"><span class="pre">kinit</span></tt>, <tt class=" <li class="toctree-l2"><a class="reference internal" href="backup_host.html">Backups of secure hosts</a></li> <li class="toctree-l2"><a class="reference internal" href="pkinit.html">PKINIT configuration</a></li> <li class="toctree-l2"><a class="reference internal" href="otp.html">OTP Preauthentication</a></li> +<li class="toctree-l2"><a class="reference internal" href="spake.html">SPAKE Preauthentication</a></li> +<li class="toctree-l2"><a class="reference internal" href="dictionary.html">Addressing dictionary attack risks</a></li> <li class="toctree-l2"><a class="reference internal" href="princ_dns.html">Principal names and DNS</a></li> <li class="toctree-l2"><a class="reference internal" href="enctypes.html">Encryption types</a></li> -<li class="toctree-l2 current"><a class="current reference internal" href="">HTTPS proxy configuration</a><ul class="simple"> -</ul> -</li> +<li class="toctree-l2 current"><a class="current reference internal" href="#">HTTPS proxy configuration</a></li> <li class="toctree-l2"><a class="reference internal" href="auth_indicator.html">Authentication indicators</a></li> <li class="toctree-l2"><a class="reference internal" href="admin_commands/index.html">Administration programs</a></li> <li class="toctree-l2"><a class="reference internal" href="../mitK5defaults.html">MIT Kerberos defaults</a></li> @@ -176,8 +175,8 @@ as <tt class="docutils literal"><span class="pre">kinit</span></tt>, <tt class=" <div class="footer-wrapper"> <div class="footer" > - <div class="right" ><i>Release: 1.16</i><br /> - © <a href="../copyright.html">Copyright</a> 1985-2017, MIT. + <div class="right" ><i>Release: 1.21.1</i><br /> + © <a href="../copyright.html">Copyright</a> 1985-2023, MIT. </div> <div class="left"> diff --git a/doc/html/admin/index.html b/doc/html/admin/index.html index 54fffddfba05..d6f9f7263031 100644 --- a/doc/html/admin/index.html 
+++ b/doc/html/admin/index.html @@ -1,32 +1,31 @@ + <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> - <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> - - <title>For administrators — MIT Kerberos Documentation</title> - + <title>For administrators — MIT Kerberos Documentation</title> <link rel="stylesheet" href="../_static/agogo.css" type="text/css" /> <link rel="stylesheet" href="../_static/pygments.css" type="text/css" /> <link rel="stylesheet" href="../_static/kerb.css" type="text/css" /> - <script type="text/javascript"> var DOCUMENTATION_OPTIONS = { URL_ROOT: '../', - VERSION: '1.16', + VERSION: '1.21.1', COLLAPSE_INDEX: false, FILE_SUFFIX: '.html', - HAS_SOURCE: true + HAS_SOURCE: true, + SOURCELINK_SUFFIX: '.txt' }; </script> <script type="text/javascript" src="../_static/jquery.js"></script> <script type="text/javascript" src="../_static/underscore.js"></script> <script type="text/javascript" src="../_static/doctools.js"></script> <link rel="author" title="About these documents" href="../about.html" /> + <link rel="index" title="Index" href="../genindex.html" /> + <link rel="search" title="Search" href="../search.html" /> <link rel="copyright" title="Copyright" href="../copyright.html" /> - <link rel="top" title="MIT Kerberos Documentation" href="../index.html" /> <link rel="next" title="Installation guide" href="install.html" /> <link rel="prev" title="sclient" href="../user/user_commands/sclient.html" /> </head> @@ -60,7 +59,7 @@ <div class="documentwrapper"> <div class="bodywrapper"> - <div class="body"> + <div class="body" role="main"> <div class="section" id="for-administrators"> <h1>For administrators<a class="headerlink" href="#for-administrators" title="Permalink to this headline">¶</a></h1> 
@@ -70,6 +69,7 @@ <li class="toctree-l1"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li> <li class="toctree-l1"><a class="reference internal" href="realm_config.html">Realm configuration decisions</a></li> <li class="toctree-l1"><a class="reference internal" href="database.html">Database administration</a></li> +<li class="toctree-l1"><a class="reference internal" href="dbtypes.html">Database types</a></li> <li class="toctree-l1"><a class="reference internal" href="lockout.html">Account lockout</a></li> <li class="toctree-l1"><a class="reference internal" href="conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li> <li class="toctree-l1"><a class="reference internal" href="appl_servers.html">Application servers</a></li> @@ -77,6 +77,8 @@ <li class="toctree-l1"><a class="reference internal" href="backup_host.html">Backups of secure hosts</a></li> <li class="toctree-l1"><a class="reference internal" href="pkinit.html">PKINIT configuration</a></li> <li class="toctree-l1"><a class="reference internal" href="otp.html">OTP Preauthentication</a></li> +<li class="toctree-l1"><a class="reference internal" href="spake.html">SPAKE Preauthentication</a></li> +<li class="toctree-l1"><a class="reference internal" href="dictionary.html">Addressing dictionary attack risks</a></li> <li class="toctree-l1"><a class="reference internal" href="princ_dns.html">Principal names and DNS</a></li> <li class="toctree-l1"><a class="reference internal" href="enctypes.html">Encryption types</a></li> <li class="toctree-l1"><a class="reference internal" href="https.html">HTTPS proxy configuration</a></li> 
@@ -112,11 +114,12 @@ <h2>Table of contents</h2> <ul class="current"> <li class="toctree-l1"><a class="reference internal" href="../user/index.html">For users</a></li> -<li class="toctree-l1 current"><a class="current reference internal" href="">For administrators</a><ul> +<li class="toctree-l1 current"><a class="current reference internal" href="#">For administrators</a><ul> <li class="toctree-l2"><a class="reference internal" href="install.html">Installation guide</a></li> <li class="toctree-l2"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li> <li class="toctree-l2"><a class="reference internal" href="realm_config.html">Realm configuration decisions</a></li> <li class="toctree-l2"><a class="reference internal" href="database.html">Database administration</a></li> +<li class="toctree-l2"><a class="reference internal" href="dbtypes.html">Database types</a></li> <li class="toctree-l2"><a class="reference internal" href="lockout.html">Account lockout</a></li> <li class="toctree-l2"><a class="reference internal" href="conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li> <li class="toctree-l2"><a class="reference internal" href="appl_servers.html">Application servers</a></li> 
@@ -124,6 +127,8 @@ <li class="toctree-l2"><a class="reference internal" href="backup_host.html">Backups of secure hosts</a></li> <li class="toctree-l2"><a class="reference internal" href="pkinit.html">PKINIT configuration</a></li> <li class="toctree-l2"><a class="reference internal" href="otp.html">OTP Preauthentication</a></li> +<li class="toctree-l2"><a class="reference internal" href="spake.html">SPAKE Preauthentication</a></li> +<li class="toctree-l2"><a class="reference internal" href="dictionary.html">Addressing dictionary attack risks</a></li> <li class="toctree-l2"><a class="reference internal" href="princ_dns.html">Principal names and DNS</a></li> <li class="toctree-l2"><a class="reference internal" href="enctypes.html">Encryption types</a></li> <li class="toctree-l2"><a class="reference internal" href="https.html">HTTPS proxy configuration</a></li> @@ -163,8 +168,8 @@ <div class="footer-wrapper"> <div class="footer" > - <div class="right" ><i>Release: 1.16</i><br /> - © <a href="../copyright.html">Copyright</a> 1985-2017, MIT. + <div class="right" ><i>Release: 1.21.1</i><br /> + © <a href="../copyright.html">Copyright</a> 1985-2023, MIT. </div> <div class="left"> diff --git a/doc/html/admin/install.html b/doc/html/admin/install.html index 9c321e46a69f..715b58fa2767 100644 --- a/doc/html/admin/install.html +++ b/doc/html/admin/install.html 
@@ -1,33 +1,31 @@ + <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> - <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> - - <title>Installation guide — MIT Kerberos Documentation</title> - + <title>Installation guide — MIT Kerberos Documentation</title> <link rel="stylesheet" href="../_static/agogo.css" type="text/css" /> <link rel="stylesheet" href="../_static/pygments.css" type="text/css" /> <link rel="stylesheet" href="../_static/kerb.css" type="text/css" /> - <script type="text/javascript"> var DOCUMENTATION_OPTIONS = { URL_ROOT: '../', - VERSION: '1.16', + VERSION: '1.21.1', COLLAPSE_INDEX: false, FILE_SUFFIX: '.html', - HAS_SOURCE: true + HAS_SOURCE: true, + SOURCELINK_SUFFIX: '.txt' }; </script> <script type="text/javascript" src="../_static/jquery.js"></script> <script type="text/javascript" src="../_static/underscore.js"></script> <script type="text/javascript" src="../_static/doctools.js"></script> <link rel="author" title="About these documents" href="../about.html" /> + <link rel="index" title="Index" href="../genindex.html" /> + <link rel="search" title="Search" href="../search.html" /> <link rel="copyright" title="Copyright" href="../copyright.html" /> - <link rel="top" title="MIT Kerberos Documentation" href="../index.html" /> - <link rel="up" title="For administrators" href="index.html" /> <link rel="next" title="Installing KDCs" href="install_kdc.html" /> <link rel="prev" title="For administrators" href="index.html" /> </head> @@ -61,7 +59,7 @@ <div class="documentwrapper"> <div class="bodywrapper"> - <div class="body"> + <div class="body" role="main"> <div class="section" id="installation-guide"> <h1>Installation guide<a class="headerlink" href="#installation-guide" title="Permalink to this headline">¶</a></h1> 
@@ -70,15 +68,15 @@ <div class="toctree-wrapper compound"> <ul> <li class="toctree-l1"><a class="reference internal" href="install_kdc.html">Installing KDCs</a><ul> -<li class="toctree-l2"><a class="reference internal" href="install_kdc.html#install-and-configure-the-master-kdc">Install and configure the master KDC</a></li> +<li class="toctree-l2"><a class="reference internal" href="install_kdc.html#install-and-configure-the-primary-kdc">Install and configure the primary KDC</a></li> <li class="toctree-l2"><a class="reference internal" href="install_kdc.html#edit-kdc-configuration-files">Edit KDC configuration files</a></li> <li class="toctree-l2"><a class="reference internal" href="install_kdc.html#create-the-kdc-database">Create the KDC database</a></li> <li class="toctree-l2"><a class="reference internal" href="install_kdc.html#add-administrators-to-the-acl-file">Add administrators to the ACL file</a></li> <li class="toctree-l2"><a class="reference internal" href="install_kdc.html#add-administrators-to-the-kerberos-database">Add administrators to the Kerberos database</a></li> -<li class="toctree-l2"><a class="reference internal" href="install_kdc.html#start-the-kerberos-daemons-on-the-master-kdc">Start the Kerberos daemons on the master KDC</a></li> -<li class="toctree-l2"><a class="reference internal" href="install_kdc.html#install-the-slave-kdcs">Install the slave KDCs</a></li> +<li class="toctree-l2"><a class="reference internal" href="install_kdc.html#start-the-kerberos-daemons-on-the-primary-kdc">Start the Kerberos daemons on the primary KDC</a></li> +<li class="toctree-l2"><a class="reference internal" href="install_kdc.html#install-the-replica-kdcs">Install the replica KDCs</a></li> <li class="toctree-l2"><a class="reference internal" href="install_kdc.html#add-kerberos-principals-to-the-database">Add Kerberos principals to the database</a></li> -<li class="toctree-l2"><a class="reference internal" 
href="install_kdc.html#switching-master-and-slave-kdcs">Switching master and slave KDCs</a></li> +<li class="toctree-l2"><a class="reference internal" href="install_kdc.html#switching-primary-and-replica-kdcs">Switching primary and replica KDCs</a></li> <li class="toctree-l2"><a class="reference internal" href="install_kdc.html#incremental-database-propagation">Incremental database propagation</a></li> </ul> </li> @@ -98,7 +96,7 @@ <h2>Additional references<a class="headerlink" href="#additional-references" title="Permalink to this headline">¶</a></h2> <ol class="arabic simple"> <li>Debian: <a class="reference external" href="http://techpubs.spinlocksolutions.com/dklar/kerberos.html">Setting up MIT Kerberos 5</a></li> -<li>Solaris: <a class="reference external" href="http://download.oracle.com/docs/cd/E19253-01/816-4557/6maosrjv2/index.html">Configuring the Kerberos Service</a></li> +<li>Solaris: <a class="reference external" href="https://docs.oracle.com/cd/E19253-01/816-4557/6maosrjv2/index.html">Configuring the Kerberos Service</a></li> </ol> </div> </div> @@ -123,7 +121,7 @@ <ul class="current"> <li class="toctree-l1"><a class="reference internal" href="../user/index.html">For users</a></li> <li class="toctree-l1 current"><a class="reference internal" href="index.html">For administrators</a><ul class="current"> -<li class="toctree-l2 current"><a class="current reference internal" href="">Installation guide</a><ul> +<li class="toctree-l2 current"><a class="current reference internal" href="#">Installation guide</a><ul> <li class="toctree-l3"><a class="reference internal" href="install_kdc.html">Installing KDCs</a></li> <li class="toctree-l3"><a class="reference internal" href="install_clients.html">Installing and configuring UNIX client machines</a></li> <li class="toctree-l3"><a class="reference internal" href="install_appl_srv.html">UNIX Application Servers</a></li> 
@@ -132,6 +130,7 @@ <li class="toctree-l2"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li> <li class="toctree-l2"><a class="reference internal" href="realm_config.html">Realm configuration decisions</a></li> <li class="toctree-l2"><a class="reference internal" href="database.html">Database administration</a></li> +<li class="toctree-l2"><a class="reference internal" href="dbtypes.html">Database types</a></li> <li class="toctree-l2"><a class="reference internal" href="lockout.html">Account lockout</a></li> <li class="toctree-l2"><a class="reference internal" href="conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li> <li class="toctree-l2"><a class="reference internal" href="appl_servers.html">Application servers</a></li> @@ -139,6 +138,8 @@ <li class="toctree-l2"><a class="reference internal" href="backup_host.html">Backups of secure hosts</a></li> <li class="toctree-l2"><a class="reference internal" href="pkinit.html">PKINIT configuration</a></li> <li class="toctree-l2"><a class="reference internal" href="otp.html">OTP Preauthentication</a></li> +<li class="toctree-l2"><a class="reference internal" href="spake.html">SPAKE Preauthentication</a></li> +<li class="toctree-l2"><a class="reference internal" href="dictionary.html">Addressing dictionary attack risks</a></li> <li class="toctree-l2"><a class="reference internal" href="princ_dns.html">Principal names and DNS</a></li> <li class="toctree-l2"><a class="reference internal" href="enctypes.html">Encryption types</a></li> <li class="toctree-l2"><a class="reference internal" href="https.html">HTTPS proxy configuration</a></li> @@ -178,8 +179,8 @@ <div class="footer-wrapper"> <div class="footer" > - <div class="right" ><i>Release: 1.16</i><br /> - © <a href="../copyright.html">Copyright</a> 1985-2017, MIT. + <div class="right" ><i>Release: 1.21.1</i><br /> + © <a href="../copyright.html">Copyright</a> 1985-2023, MIT. </div> <div class="left"> 
diff --git a/doc/html/admin/install_appl_srv.html b/doc/html/admin/install_appl_srv.html index 753e53d0f1cb..ba75eae8a2ea 100644 --- a/doc/html/admin/install_appl_srv.html +++ b/doc/html/admin/install_appl_srv.html @@ -1,33 +1,31 @@ + <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> - <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> - - <title>UNIX Application Servers — MIT Kerberos Documentation</title> - + <title>UNIX Application Servers — MIT Kerberos Documentation</title> <link rel="stylesheet" href="../_static/agogo.css" type="text/css" /> <link rel="stylesheet" href="../_static/pygments.css" type="text/css" /> <link rel="stylesheet" href="../_static/kerb.css" type="text/css" /> - <script type="text/javascript"> var DOCUMENTATION_OPTIONS = { URL_ROOT: '../', - VERSION: '1.16', + VERSION: '1.21.1', COLLAPSE_INDEX: false, FILE_SUFFIX: '.html', - HAS_SOURCE: true + HAS_SOURCE: true, + SOURCELINK_SUFFIX: '.txt' }; </script> <script type="text/javascript" src="../_static/jquery.js"></script> <script type="text/javascript" src="../_static/underscore.js"></script> <script type="text/javascript" src="../_static/doctools.js"></script> <link rel="author" title="About these documents" href="../about.html" /> + <link rel="index" title="Index" href="../genindex.html" /> + <link rel="search" title="Search" href="../search.html" /> <link rel="copyright" title="Copyright" href="../copyright.html" /> - <link rel="top" title="MIT Kerberos Documentation" href="../index.html" /> - <link rel="up" title="Installation guide" href="install.html" /> <link rel="next" title="Configuration Files" href="conf_files/index.html" /> <link rel="prev" title="Installing and configuring UNIX client machines" href="install_clients.html" /> </head> 
@@ -61,61 +59,56 @@ <div class="documentwrapper"> <div class="bodywrapper"> - <div class="body"> + <div class="body" role="main"> <div class="section" id="unix-application-servers"> <h1>UNIX Application Servers<a class="headerlink" href="#unix-application-servers" title="Permalink to this headline">¶</a></h1> <p>An application server is a host that provides one or more services -over the network. Application servers can be “secure” or “insecure.” -A “secure” host is set up to require authentication from every client -connecting to it. An “insecure” host will still provide Kerberos +over the network. Application servers can be “secure” or “insecure.” +A “secure” host is set up to require authentication from every client +connecting to it. An “insecure” host will still provide Kerberos authentication, but will also allow unauthenticated clients to connect.</p> <p>If you have Kerberos V5 installed on all of your client machines, MIT recommends that you make your hosts secure, to take advantage of the security that Kerberos authentication affords. However, if you have some clients that do not have Kerberos V5 installed, you can run an -insecure server, and still take advantage of Kerberos V5’s single +insecure server, and still take advantage of Kerberos V5’s single sign-on capability.</p> <div class="section" id="the-keytab-file"> <span id="keytab-file"></span><h2>The keytab file<a class="headerlink" href="#the-keytab-file" title="Permalink to this headline">¶</a></h2> <p>All Kerberos server machines need a keytab file to authenticate to the -KDC. By default on UNIX-like systems this file is named <a class="reference internal" href="../mitK5defaults.html#paths"><em>DEFKTNAME</em></a>. -The keytab file is an local copy of the host’s key. The keytab file +KDC. By default on UNIX-like systems this file is named <a class="reference internal" href="../mitK5defaults.html#paths"><span class="std std-ref">DEFKTNAME</span></a>. 
+The keytab file is an local copy of the host’s key. The keytab file is a potential point of entry for a break-in, and if compromised, would allow unrestricted access to its host. The keytab file should -be readable only by root, and should exist only on the machine’s local +be readable only by root, and should exist only on the machine’s local disk. The file should not be part of any backup of the machine, unless access to the backup data is secured as tightly as access to -the machine’s root password.</p> +the machine’s root password.</p> <p>In order to generate a keytab for a host, the host must have a principal in the Kerberos database. The procedure for adding hosts to -the database is described fully in <a class="reference internal" href="database.html#add-mod-del-princs"><em>Adding, modifying and deleting principals</em></a>. (See -<a class="reference internal" href="install_kdc.html#slave-host-key"><em>Create host keytabs for slave KDCs</em></a> for a brief description.) The keytab is -generated by running <a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><em>kadmin</em></a> and issuing the <a class="reference internal" href="admin_commands/kadmin_local.html#ktadd"><em>ktadd</em></a> +the database is described fully in <a class="reference internal" href="database.html#principals"><span class="std std-ref">Principals</span></a>. (See +<a class="reference internal" href="install_kdc.html#replica-host-key"><span class="std std-ref">Create host keytabs for replica KDCs</span></a> for a brief description.) 
The keytab is +generated by running <a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> and issuing the <a class="reference internal" href="admin_commands/kadmin_local.html#ktadd"><span class="std std-ref">ktadd</span></a> command.</p> <p>For example, to generate a keytab file to allow the host -<tt class="docutils literal"><span class="pre">trillium.mit.edu</span></tt> to authenticate for the services host, ftp, and -pop, the administrator <tt class="docutils literal"><span class="pre">joeadmin</span></tt> would issue the command (on -<tt class="docutils literal"><span class="pre">trillium.mit.edu</span></tt>):</p> -<div class="highlight-python"><div class="highlight"><pre>trillium% kadmin -kadmin5: ktadd host/trillium.mit.edu ftp/trillium.mit.edu - pop/trillium.mit.edu -kadmin: Entry for principal host/trillium.mit.edu@ATHENA.MIT.EDU with - kvno 3, encryption type DES-CBC-CRC added to keytab - FILE:/etc/krb5.keytab. -kadmin: Entry for principal ftp/trillium.mit.edu@ATHENA.MIT.EDU with - kvno 3, encryption type DES-CBC-CRC added to keytab - FILE:/etc/krb5.keytab. -kadmin: Entry for principal pop/trillium.mit.edu@ATHENA.MIT.EDU with - kvno 3, encryption type DES-CBC-CRC added to keytab - FILE:/etc/krb5.keytab. 
-kadmin5: quit -trillium% +<code class="docutils literal"><span class="pre">trillium.mit.edu</span></code> to authenticate for the services host, ftp, and +pop, the administrator <code class="docutils literal"><span class="pre">joeadmin</span></code> would issue the command (on +<code class="docutils literal"><span class="pre">trillium.mit.edu</span></code>):</p> +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">trillium</span><span class="o">%</span> <span class="n">kadmin</span> +<span class="n">Authenticating</span> <span class="k">as</span> <span class="n">principal</span> <span class="n">root</span><span class="o">/</span><span class="n">admin</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="k">with</span> <span class="n">password</span><span class="o">.</span> +<span class="n">Password</span> <span class="k">for</span> <span class="n">root</span><span class="o">/</span><span class="n">admin</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span><span class="p">:</span> +<span class="n">kadmin</span><span class="p">:</span> <span class="n">ktadd</span> <span class="n">host</span><span class="o">/</span><span class="n">trillium</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> <span class="n">ftp</span><span class="o">/</span><span class="n">trillium</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> <span class="n">pop</span><span class="o">/</span><span class="n">trillium</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> +<span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">host</span><span class="o">/</span><span 
class="n">trillium</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">3</span><span class="p">,</span> <span class="n">encryption</span> <span class="nb">type</span> <span class="n">aes256</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha384</span><span class="o">-</span><span class="mi">192</span> <span class="n">added</span> <span class="n">to</span> <span class="n">keytab</span> <span class="n">FILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">krb5</span><span class="o">.</span><span class="n">keytab</span><span class="o">.</span> +<span class="n">kadmin</span><span class="p">:</span> <span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">ftp</span><span class="o">/</span><span class="n">trillium</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">3</span><span class="p">,</span> <span class="n">encryption</span> <span class="nb">type</span> <span class="n">aes256</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha384</span><span class="o">-</span><span class="mi">192</span> <span class="n">added</span> <span class="n">to</span> <span class="n">keytab</span> <span class="n">FILE</span><span class="p">:</span><span 
class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">krb5</span><span class="o">.</span><span class="n">keytab</span><span class="o">.</span> +<span class="n">kadmin</span><span class="p">:</span> <span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">pop</span><span class="o">/</span><span class="n">trillium</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">3</span><span class="p">,</span> <span class="n">encryption</span> <span class="nb">type</span> <span class="n">aes256</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha384</span><span class="o">-</span><span class="mi">192</span> <span class="n">added</span> <span class="n">to</span> <span class="n">keytab</span> <span class="n">FILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">krb5</span><span class="o">.</span><span class="n">keytab</span><span class="o">.</span> +<span class="n">kadmin</span><span class="p">:</span> <span class="n">quit</span> +<span class="n">trillium</span><span class="o">%</span> </pre></div> </div> <p>If you generate the keytab file on another host, you need to get a -copy of the keytab file onto the destination host (<tt class="docutils literal"><span class="pre">trillium</span></tt>, in +copy of the keytab file onto the destination host (<code class="docutils literal"><span class="pre">trillium</span></code>, in the above example) without sending it unencrypted over the network.</p> </div> <div class="section" id="some-advice-about-secure-hosts"> 
@@ -127,7 +120,7 @@ place to try to include an exhaustive list of countermeasures for every possible attack, but it is worth noting some of the larger holes and how to close them.</p> <p>We recommend that backups of secure machines exclude the keytab file -(<a class="reference internal" href="../mitK5defaults.html#paths"><em>DEFKTNAME</em></a>). If this is not possible, the backups should at least be +(<a class="reference internal" href="../mitK5defaults.html#paths"><span class="std std-ref">DEFKTNAME</span></a>). If this is not possible, the backups should at least be done locally, rather than over a network, and the backup tapes should be physically secured.</p> <p>The keytab file and any programs run by root, including the Kerberos 
@@ -159,12 +152,13 @@ readable only by root.</p> <li class="toctree-l2 current"><a class="reference internal" href="install.html">Installation guide</a><ul class="current"> <li class="toctree-l3"><a class="reference internal" href="install_kdc.html">Installing KDCs</a></li> <li class="toctree-l3"><a class="reference internal" href="install_clients.html">Installing and configuring UNIX client machines</a></li> -<li class="toctree-l3 current"><a class="current reference internal" href="">UNIX Application Servers</a></li> +<li class="toctree-l3 current"><a class="current reference internal" href="#">UNIX Application Servers</a></li> </ul> </li> <li class="toctree-l2"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li> <li class="toctree-l2"><a class="reference internal" href="realm_config.html">Realm configuration decisions</a></li> <li class="toctree-l2"><a class="reference internal" href="database.html">Database administration</a></li> +<li class="toctree-l2"><a class="reference internal" href="dbtypes.html">Database types</a></li> <li class="toctree-l2"><a class="reference internal" href="lockout.html">Account lockout</a></li> <li class="toctree-l2"><a class="reference internal" href="conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li> <li class="toctree-l2"><a class="reference internal" href="appl_servers.html">Application servers</a></li> 
@@ -172,6 +166,8 @@ readable only by root.</p> <li class="toctree-l2"><a class="reference internal" href="backup_host.html">Backups of secure hosts</a></li> <li class="toctree-l2"><a class="reference internal" href="pkinit.html">PKINIT configuration</a></li> <li class="toctree-l2"><a class="reference internal" href="otp.html">OTP Preauthentication</a></li> +<li class="toctree-l2"><a class="reference internal" href="spake.html">SPAKE Preauthentication</a></li> +<li class="toctree-l2"><a class="reference internal" href="dictionary.html">Addressing dictionary attack risks</a></li> <li class="toctree-l2"><a class="reference internal" href="princ_dns.html">Principal names and DNS</a></li> <li class="toctree-l2"><a class="reference internal" href="enctypes.html">Encryption types</a></li> <li class="toctree-l2"><a class="reference internal" href="https.html">HTTPS proxy configuration</a></li> @@ -211,8 +207,8 @@ readable only by root.</p> <div class="footer-wrapper"> <div class="footer" > - <div class="right" ><i>Release: 1.16</i><br /> - © <a href="../copyright.html">Copyright</a> 1985-2017, MIT. + <div class="right" ><i>Release: 1.21.1</i><br /> + © <a href="../copyright.html">Copyright</a> 1985-2023, MIT. </div> <div class="left"> diff --git a/doc/html/admin/install_clients.html b/doc/html/admin/install_clients.html index 9c4fabbd0f03..86f472039879 100644 --- a/doc/html/admin/install_clients.html +++ b/doc/html/admin/install_clients.html 
@@ -1,33 +1,31 @@ + <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> - <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> - - <title>Installing and configuring UNIX client machines — MIT Kerberos Documentation</title> - + <title>Installing and configuring UNIX client machines — MIT Kerberos Documentation</title> <link rel="stylesheet" href="../_static/agogo.css" type="text/css" /> <link rel="stylesheet" href="../_static/pygments.css" type="text/css" /> <link rel="stylesheet" href="../_static/kerb.css" type="text/css" /> - <script type="text/javascript"> var DOCUMENTATION_OPTIONS = { URL_ROOT: '../', - VERSION: '1.16', + VERSION: '1.21.1', COLLAPSE_INDEX: false, FILE_SUFFIX: '.html', - HAS_SOURCE: true + HAS_SOURCE: true, + SOURCELINK_SUFFIX: '.txt' }; </script> <script type="text/javascript" src="../_static/jquery.js"></script> <script type="text/javascript" src="../_static/underscore.js"></script> <script type="text/javascript" src="../_static/doctools.js"></script> <link rel="author" title="About these documents" href="../about.html" /> + <link rel="index" title="Index" href="../genindex.html" /> + <link rel="search" title="Search" href="../search.html" /> <link rel="copyright" title="Copyright" href="../copyright.html" /> - <link rel="top" title="MIT Kerberos Documentation" href="../index.html" /> - <link rel="up" title="Installation guide" href="install.html" /> <link rel="next" title="UNIX Application Servers" href="install_appl_srv.html" /> <link rel="prev" title="Installing KDCs" href="install_kdc.html" /> </head> 
@@ -61,16 +59,16 @@ <div class="documentwrapper"> <div class="bodywrapper"> - <div class="body"> + <div class="body" role="main"> <div class="section" id="installing-and-configuring-unix-client-machines"> <h1>Installing and configuring UNIX client machines<a class="headerlink" href="#installing-and-configuring-unix-client-machines" title="Permalink to this headline">¶</a></h1> -<p>The Kerberized client programs include <a class="reference internal" href="../user/user_commands/kinit.html#kinit-1"><em>kinit</em></a>, -<a class="reference internal" href="../user/user_commands/klist.html#klist-1"><em>klist</em></a>, <a class="reference internal" href="../user/user_commands/kdestroy.html#kdestroy-1"><em>kdestroy</em></a>, and <a class="reference internal" href="../user/user_commands/kpasswd.html#kpasswd-1"><em>kpasswd</em></a>. All of -these programs are in the directory <a class="reference internal" href="../mitK5defaults.html#paths"><em>BINDIR</em></a>.</p> +<p>The Kerberized client programs include <a class="reference internal" href="../user/user_commands/kinit.html#kinit-1"><span class="std std-ref">kinit</span></a>, +<a class="reference internal" href="../user/user_commands/klist.html#klist-1"><span class="std std-ref">klist</span></a>, <a class="reference internal" href="../user/user_commands/kdestroy.html#kdestroy-1"><span class="std std-ref">kdestroy</span></a>, and <a class="reference internal" href="../user/user_commands/kpasswd.html#kpasswd-1"><span class="std std-ref">kpasswd</span></a>. All of +these programs are in the directory <a class="reference internal" href="../mitK5defaults.html#paths"><span class="std std-ref">BINDIR</span></a>.</p> <p>You can often integrate Kerberos with the login system on client machines, typically through the use of PAM. The details vary by -operating system, and should be covered in your operating system’s +operating system, and should be covered in your operating system’s documentation. 
If you do this, you will need to make sure your users know to use their Kerberos passwords when they log in.</p> <p>You will also need to educate your users to use the ticket management 
@@ -80,12 +78,12 @@ typically through PAM), you will need to educate users to use kpasswd in place of its non-Kerberos counterparts passwd.</p> <div class="section" id="client-machine-configuration-files"> <h2>Client machine configuration files<a class="headerlink" href="#client-machine-configuration-files" title="Permalink to this headline">¶</a></h2> -<p>Each machine running Kerberos should have a <a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a> file. +<p>Each machine running Kerberos should have a <a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a> file. At a minimum, it should define a <strong>default_realm</strong> setting in -<a class="reference internal" href="conf_files/krb5_conf.html#libdefaults"><em>[libdefaults]</em></a>. If you are not using DNS SRV records -(<a class="reference internal" href="realm_config.html#kdc-hostnames"><em>Hostnames for KDCs</em></a>) or URI records (<a class="reference internal" href="realm_config.html#kdc-discovery"><em>KDC Discovery</em></a>), it must -also contain a <a class="reference internal" href="conf_files/krb5_conf.html#realms"><em>[realms]</em></a> section containing information for your -realm’s KDCs.</p> +<a class="reference internal" href="conf_files/krb5_conf.html#libdefaults"><span class="std std-ref">[libdefaults]</span></a>. 
If you are not using DNS SRV records +(<a class="reference internal" href="realm_config.html#kdc-hostnames"><span class="std std-ref">Hostnames for KDCs</span></a>) or URI records (<a class="reference internal" href="realm_config.html#kdc-discovery"><span class="std std-ref">KDC Discovery</span></a>), it must +also contain a <a class="reference internal" href="conf_files/krb5_conf.html#realms"><span class="std std-ref">[realms]</span></a> section containing information for your +realm’s KDCs.</p> <p>Consider setting <strong>rdns</strong> to false in order to reduce your dependence on precisely correct DNS information for service hostnames. Turning this flag off means that service hostnames will be canonicalized @@ -96,7 +94,7 @@ true for historical reasons only.</p> <p>If you anticipate users frequently logging into remote hosts (e.g., using ssh) using forwardable credentials, consider setting <strong>forwardable</strong> to true so that users obtain forwardable tickets by -default. Otherwise users will need to use <tt class="docutils literal"><span class="pre">kinit</span> <span class="pre">-f</span></tt> to get +default. Otherwise users will need to use <code class="docutils literal"><span class="pre">kinit</span> <span class="pre">-f</span></code> to get forwardable tickets.</p> <p>Consider adjusting the <strong>ticket_lifetime</strong> setting to match the likely length of sessions for your users. For instance, if most of your 
@@ -104,12 +102,12 @@ users will be logging in for an eight-hour workday, you could set the default to ten hours so that tickets obtained in the morning expire shortly after the end of the workday. Users can still manually request longer tickets when necessary, up to the maximum allowed by -each user’s principal record on the KDC.</p> +each user’s principal record on the KDC.</p> <p>If a client host may access services in different realms, it may be -useful to define a <a class="reference internal" href="conf_files/krb5_conf.html#domain-realm"><em>[domain_realm]</em></a> mapping so that clients know +useful to define a <a class="reference internal" href="conf_files/krb5_conf.html#domain-realm"><span class="std std-ref">[domain_realm]</span></a> mapping so that clients know which hosts belong to which realms. However, if your clients and KDC are running release 1.7 or later, it is also reasonable to leave this -section out on client machines and just define it in the KDC’s +section out on client machines and just define it in the KDC’s krb5.conf.</p> </div> </div> 
@@ -135,13 +133,14 @@ krb5.conf.</p> <li class="toctree-l1 current"><a class="reference internal" href="index.html">For administrators</a><ul class="current"> <li class="toctree-l2 current"><a class="reference internal" href="install.html">Installation guide</a><ul class="current"> <li class="toctree-l3"><a class="reference internal" href="install_kdc.html">Installing KDCs</a></li> -<li class="toctree-l3 current"><a class="current reference internal" href="">Installing and configuring UNIX client machines</a></li> +<li class="toctree-l3 current"><a class="current reference internal" href="#">Installing and configuring UNIX client machines</a></li> <li class="toctree-l3"><a class="reference internal" href="install_appl_srv.html">UNIX Application Servers</a></li> </ul> </li> <li class="toctree-l2"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li> <li class="toctree-l2"><a class="reference internal" href="realm_config.html">Realm configuration decisions</a></li> <li class="toctree-l2"><a class="reference internal" href="database.html">Database administration</a></li> +<li class="toctree-l2"><a class="reference internal" href="dbtypes.html">Database types</a></li> <li class="toctree-l2"><a class="reference internal" href="lockout.html">Account lockout</a></li> <li class="toctree-l2"><a class="reference internal" href="conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li> <li class="toctree-l2"><a class="reference internal" href="appl_servers.html">Application servers</a></li> 
@@ -149,6 +148,8 @@ krb5.conf.</p> <li class="toctree-l2"><a class="reference internal" href="backup_host.html">Backups of secure hosts</a></li> <li class="toctree-l2"><a class="reference internal" href="pkinit.html">PKINIT configuration</a></li> <li class="toctree-l2"><a class="reference internal" href="otp.html">OTP Preauthentication</a></li> +<li class="toctree-l2"><a class="reference internal" href="spake.html">SPAKE Preauthentication</a></li> +<li class="toctree-l2"><a class="reference internal" href="dictionary.html">Addressing dictionary attack risks</a></li> <li class="toctree-l2"><a class="reference internal" href="princ_dns.html">Principal names and DNS</a></li> <li class="toctree-l2"><a class="reference internal" href="enctypes.html">Encryption types</a></li> <li class="toctree-l2"><a class="reference internal" href="https.html">HTTPS proxy configuration</a></li> @@ -188,8 +189,8 @@ krb5.conf.</p> <div class="footer-wrapper"> <div class="footer" > - <div class="right" ><i>Release: 1.16</i><br /> - © <a href="../copyright.html">Copyright</a> 1985-2017, MIT. + <div class="right" ><i>Release: 1.21.1</i><br /> + © <a href="../copyright.html">Copyright</a> 1985-2023, MIT. </div> <div class="left"> diff --git a/doc/html/admin/install_kdc.html b/doc/html/admin/install_kdc.html index b3984a5ed599..9667adda8228 100644 --- a/doc/html/admin/install_kdc.html +++ b/doc/html/admin/install_kdc.html 
@@ -1,33 +1,31 @@ + <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> - <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> - - <title>Installing KDCs — MIT Kerberos Documentation</title> - + <title>Installing KDCs — MIT Kerberos Documentation</title> <link rel="stylesheet" href="../_static/agogo.css" type="text/css" /> <link rel="stylesheet" href="../_static/pygments.css" type="text/css" /> <link rel="stylesheet" href="../_static/kerb.css" type="text/css" /> - <script type="text/javascript"> var DOCUMENTATION_OPTIONS = { URL_ROOT: '../', - VERSION: '1.16', + VERSION: '1.21.1', COLLAPSE_INDEX: false, FILE_SUFFIX: '.html', - HAS_SOURCE: true + HAS_SOURCE: true, + SOURCELINK_SUFFIX: '.txt' }; </script> <script type="text/javascript" src="../_static/jquery.js"></script> <script type="text/javascript" src="../_static/underscore.js"></script> <script type="text/javascript" src="../_static/doctools.js"></script> <link rel="author" title="About these documents" href="../about.html" /> + <link rel="index" title="Index" href="../genindex.html" /> + <link rel="search" title="Search" href="../search.html" /> <link rel="copyright" title="Copyright" href="../copyright.html" /> - <link rel="top" title="MIT Kerberos Documentation" href="../index.html" /> - <link rel="up" title="Installation guide" href="install.html" /> <link rel="next" title="Installing and configuring UNIX client machines" href="install_clients.html" /> <link rel="prev" title="Installation guide" href="install.html" /> </head> 
@@ -61,28 +59,29 @@ <div class="documentwrapper"> <div class="bodywrapper"> - <div class="body"> + <div class="body" role="main"> <div class="section" id="installing-kdcs"> <h1>Installing KDCs<a class="headerlink" href="#installing-kdcs" title="Permalink to this headline">¶</a></h1> <p>When setting up Kerberos in a production environment, it is best to -have multiple slave KDCs alongside with a master KDC to ensure the +have multiple replica KDCs alongside with a primary KDC to ensure the continued availability of the Kerberized services. Each KDC contains -a copy of the Kerberos database. The master KDC contains the writable -copy of the realm database, which it replicates to the slave KDCs at -regular intervals. All database changes (such as password changes) -are made on the master KDC. Slave KDCs provide Kerberos -ticket-granting services, but not database administration, when the -master KDC is unavailable. MIT recommends that you install all of -your KDCs to be able to function as either the master or one of the -slaves. This will enable you to easily switch your master KDC with -one of the slaves if necessary (see <a class="reference internal" href="#switch-master-slave"><em>Switching master and slave KDCs</em></a>). This -installation procedure is based on that recommendation.</p> +a copy of the Kerberos database. The primary KDC contains the +writable copy of the realm database, which it replicates to the +replica KDCs at regular intervals. All database changes (such as +password changes) are made on the primary KDC. Replica KDCs provide +Kerberos ticket-granting services, but not database administration, +when the primary KDC is unavailable. MIT recommends that you install +all of your KDCs to be able to function as either the primary or one +of the replicas. 
This will enable you to easily switch your primary +KDC with one of the replicas if necessary (see +<a class="reference internal" href="#switch-primary-replica"><span class="std std-ref">Switching primary and replica KDCs</span></a>). This installation procedure is based +on that recommendation.</p> <div class="admonition warning"> <p class="first admonition-title">Warning</p> <ul class="last simple"> <li>The Kerberos system relies on the availability of correct time -information. Ensure that the master and all slave KDCs have +information. Ensure that the primary and all replica KDCs have properly synchronized clocks.</li> <li>It is best to install and run KDCs on secured and dedicated hardware with limited access. If your KDC is also a file 
@@ -92,65 +91,65 @@ of those areas could potentially gain access to the Kerberos database.</li> </ul> </div> -<div class="section" id="install-and-configure-the-master-kdc"> -<h2>Install and configure the master KDC<a class="headerlink" href="#install-and-configure-the-master-kdc" title="Permalink to this headline">¶</a></h2> +<div class="section" id="install-and-configure-the-primary-kdc"> +<h2>Install and configure the primary KDC<a class="headerlink" href="#install-and-configure-the-primary-kdc" title="Permalink to this headline">¶</a></h2> <p>Install Kerberos either from the OS-provided packages or from the -source (See <a class="reference internal" href="../build/doing_build.html#do-build"><em>Building within a single tree</em></a>).</p> +source (See <a class="reference internal" href="../build/doing_build.html#do-build"><span class="std std-ref">Building within a single tree</span></a>).</p> <div class="admonition note"> <p class="first admonition-title">Note</p> <p>For the purpose of this document we will use the following names:</p> -<div class="highlight-python"><div class="highlight"><pre>kerberos.mit.edu - master KDC -kerberos-1.mit.edu - slave KDC -ATHENA.MIT.EDU - realm name -.k5.ATHENA.MIT.EDU - stash file -admin/admin - admin principal +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kerberos</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> <span class="o">-</span> <span class="n">primary</span> <span class="n">KDC</span> +<span class="n">kerberos</span><span class="o">-</span><span class="mf">1.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> <span class="o">-</span> <span class="n">replica</span> <span class="n">KDC</span> +<span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="o">-</span> <span class="n">realm</span> <span 
class="n">name</span> +<span class="o">.</span><span class="n">k5</span><span class="o">.</span><span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="o">-</span> <span class="n">stash</span> <span class="n">file</span> +<span class="n">admin</span><span class="o">/</span><span class="n">admin</span> <span class="o">-</span> <span class="n">admin</span> <span class="n">principal</span> </pre></div> </div> -<p class="last">See <a class="reference internal" href="../mitK5defaults.html#mitk5defaults"><em>MIT Kerberos defaults</em></a> for the default names and locations +<p class="last">See <a class="reference internal" href="../mitK5defaults.html#mitk5defaults"><span class="std std-ref">MIT Kerberos defaults</span></a> for the default names and locations of the relevant to this topic files. Adjust the names and paths to your system environment.</p> </div> </div> <div class="section" id="edit-kdc-configuration-files"> <h2>Edit KDC configuration files<a class="headerlink" href="#edit-kdc-configuration-files" title="Permalink to this headline">¶</a></h2> -<p>Modify the configuration files, <a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a> and -<a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>, to reflect the correct information (such as +<p>Modify the configuration files, <a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a> and +<a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>, to reflect the correct information (such as domain-realm mappings and Kerberos servers names) for your realm. 
-(See <a class="reference internal" href="../mitK5defaults.html#mitk5defaults"><em>MIT Kerberos defaults</em></a> for the recommended default locations for +(See <a class="reference internal" href="../mitK5defaults.html#mitk5defaults"><span class="std std-ref">MIT Kerberos defaults</span></a> for the recommended default locations for these files).</p> <p>Most of the tags in the configuration have default values that will work well for most sites. There are some tags in the -<a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a> file whose values must be specified, and this +<a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a> file whose values must be specified, and this section will explain those.</p> <p>If the locations for these configuration files differs from the default ones, set <strong>KRB5_CONFIG</strong> and <strong>KRB5_KDC_PROFILE</strong> environment variables to point to the krb5.conf and kdc.conf respectively. 
For example:</p> -<div class="highlight-python"><div class="highlight"><pre>export KRB5_CONFIG=/yourdir/krb5.conf -export KRB5_KDC_PROFILE=/yourdir/kdc.conf +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">export</span> <span class="n">KRB5_CONFIG</span><span class="o">=/</span><span class="n">yourdir</span><span class="o">/</span><span class="n">krb5</span><span class="o">.</span><span class="n">conf</span> +<span class="n">export</span> <span class="n">KRB5_KDC_PROFILE</span><span class="o">=/</span><span class="n">yourdir</span><span class="o">/</span><span class="n">kdc</span><span class="o">.</span><span class="n">conf</span> </pre></div> </div> <div class="section" id="krb5-conf"> <h3>krb5.conf<a class="headerlink" href="#krb5-conf" title="Permalink to this headline">¶</a></h3> -<p>If you are not using DNS TXT records (see <a class="reference internal" href="realm_config.html#mapping-hostnames"><em>Mapping hostnames onto Kerberos realms</em></a>), -you must specify the <strong>default_realm</strong> in the <a class="reference internal" href="conf_files/krb5_conf.html#libdefaults"><em>[libdefaults]</em></a> +<p>If you are not using DNS TXT records (see <a class="reference internal" href="realm_config.html#mapping-hostnames"><span class="std std-ref">Mapping hostnames onto Kerberos realms</span></a>), +you must specify the <strong>default_realm</strong> in the <a class="reference internal" href="conf_files/krb5_conf.html#libdefaults"><span class="std std-ref">[libdefaults]</span></a> section. If you are not using DNS URI or SRV records (see -<a class="reference internal" href="realm_config.html#kdc-hostnames"><em>Hostnames for KDCs</em></a> and <a class="reference internal" href="realm_config.html#kdc-discovery"><em>KDC Discovery</em></a>), you must include the -<strong>kdc</strong> tag for each <em>realm</em> in the <a class="reference internal" href="conf_files/krb5_conf.html#realms"><em>[realms]</em></a> section. 
To +<a class="reference internal" href="realm_config.html#kdc-hostnames"><span class="std std-ref">Hostnames for KDCs</span></a> and <a class="reference internal" href="realm_config.html#kdc-discovery"><span class="std std-ref">KDC Discovery</span></a>), you must include the +<strong>kdc</strong> tag for each <em>realm</em> in the <a class="reference internal" href="conf_files/krb5_conf.html#realms"><span class="std std-ref">[realms]</span></a> section. To communicate with the kadmin server in each realm, the <strong>admin_server</strong> tag must be set in the -<a class="reference internal" href="conf_files/krb5_conf.html#realms"><em>[realms]</em></a> section.</p> +<a class="reference internal" href="conf_files/krb5_conf.html#realms"><span class="std std-ref">[realms]</span></a> section.</p> <p>An example krb5.conf file:</p> -<div class="highlight-python"><div class="highlight"><pre>[libdefaults] - default_realm = ATHENA.MIT.EDU +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">libdefaults</span><span class="p">]</span> + <span class="n">default_realm</span> <span class="o">=</span> <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> -[realms] - ATHENA.MIT.EDU = { - kdc = kerberos.mit.edu - kdc = kerberos-1.mit.edu - admin_server = kerberos.mit.edu - } +<span class="p">[</span><span class="n">realms</span><span class="p">]</span> + <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="o">=</span> <span class="p">{</span> + <span class="n">kdc</span> <span class="o">=</span> <span class="n">kerberos</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> + <span class="n">kdc</span> <span class="o">=</span> <span class="n">kerberos</span><span class="o">-</span><span 
class="mf">1.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> + <span class="n">admin_server</span> <span class="o">=</span> <span class="n">kerberos</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> + <span class="p">}</span> </pre></div> </div> </div> 
@@ -160,33 +159,33 @@ tag must be set in the KDC and kadmind, as well as realm-specific defaults, the database type and location, and logging.</p> <p>An example kdc.conf file:</p> -<div class="highlight-python"><div class="highlight"><pre>[kdcdefaults] - kdc_listen = 88 - kdc_tcp_listen = 88 +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">kdcdefaults</span><span class="p">]</span> + <span class="n">kdc_listen</span> <span class="o">=</span> <span class="mi">88</span> + <span class="n">kdc_tcp_listen</span> <span class="o">=</span> <span class="mi">88</span> -[realms] - ATHENA.MIT.EDU = { - kadmind_port = 749 - max_life = 12h 0m 0s - max_renewable_life = 7d 0h 0m 0s - master_key_type = aes256-cts - supported_enctypes = aes256-cts:normal aes128-cts:normal - # If the default location does not suit your setup, - # explicitly configure the following values: - # database_name = /var/krb5kdc/principal - # key_stash_file = /var/krb5kdc/.k5.ATHENA.MIT.EDU - # acl_file = /var/krb5kdc/kadm5.acl - } +<span class="p">[</span><span class="n">realms</span><span class="p">]</span> + <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="o">=</span> <span class="p">{</span> + <span class="n">kadmind_port</span> <span class="o">=</span> <span class="mi">749</span> + <span class="n">max_life</span> <span class="o">=</span> <span class="mi">12</span><span class="n">h</span> <span class="mi">0</span><span class="n">m</span> <span class="mi">0</span><span class="n">s</span> + <span class="n">max_renewable_life</span> <span class="o">=</span> <span class="mi">7</span><span class="n">d</span> <span class="mi">0</span><span class="n">h</span> <span class="mi">0</span><span class="n">m</span> <span class="mi">0</span><span class="n">s</span> + <span class="n">master_key_type</span> <span class="o">=</span> <span class="n">aes256</span><span 
class="o">-</span><span class="n">cts</span> + <span class="n">supported_enctypes</span> <span class="o">=</span> <span class="n">aes256</span><span class="o">-</span><span class="n">cts</span><span class="p">:</span><span class="n">normal</span> <span class="n">aes128</span><span class="o">-</span><span class="n">cts</span><span class="p">:</span><span class="n">normal</span> + <span class="c1"># If the default location does not suit your setup,</span> + <span class="c1"># explicitly configure the following values:</span> + <span class="c1"># database_name = /var/krb5kdc/principal</span> + <span class="c1"># key_stash_file = /var/krb5kdc/.k5.ATHENA.MIT.EDU</span> + <span class="c1"># acl_file = /var/krb5kdc/kadm5.acl</span> + <span class="p">}</span> -[logging] - # By default, the KDC and kadmind will log output using - # syslog. You can instead send log output to files like this: - kdc = FILE:/var/log/krb5kdc.log - admin_server = FILE:/var/log/kadmin.log - default = FILE:/var/log/krb5lib.log +<span class="p">[</span><span class="n">logging</span><span class="p">]</span> + <span class="c1"># By default, the KDC and kadmind will log output using</span> + <span class="c1"># syslog. 
You can instead send log output to files like this:</span> + <span class="n">kdc</span> <span class="o">=</span> <span class="n">FILE</span><span class="p">:</span><span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">log</span><span class="o">/</span><span class="n">krb5kdc</span><span class="o">.</span><span class="n">log</span> + <span class="n">admin_server</span> <span class="o">=</span> <span class="n">FILE</span><span class="p">:</span><span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">log</span><span class="o">/</span><span class="n">kadmin</span><span class="o">.</span><span class="n">log</span> + <span class="n">default</span> <span class="o">=</span> <span class="n">FILE</span><span class="p">:</span><span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">log</span><span class="o">/</span><span class="n">krb5lib</span><span class="o">.</span><span class="n">log</span> </pre></div> </div> -<p>Replace <tt class="docutils literal"><span class="pre">ATHENA.MIT.EDU</span></tt> and <tt class="docutils literal"><span class="pre">kerberos.mit.edu</span></tt> with the name of +<p>Replace <code class="docutils literal"><span class="pre">ATHENA.MIT.EDU</span></code> and <code class="docutils literal"><span class="pre">kerberos.mit.edu</span></code> with the name of your Kerberos realm and server respectively.</p> <div class="admonition note"> <p class="first admonition-title">Note</p> 
@@ -198,8 +197,8 @@ your Kerberos realm and server respectively.</p> </div> <div class="section" id="create-the-kdc-database"> <span id="create-db"></span><h2>Create the KDC database<a class="headerlink" href="#create-the-kdc-database" title="Permalink to this headline">¶</a></h2> -<p>You will use the <a class="reference internal" href="admin_commands/kdb5_util.html#kdb5-util-8"><em>kdb5_util</em></a> command on the master KDC to -create the Kerberos database and the optional <a class="reference internal" href="../basic/stash_file_def.html#stash-definition"><em>stash file</em></a>.</p> +<p>You will use the <a class="reference internal" href="admin_commands/kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a> command on the primary KDC to +create the Kerberos database and the optional <a class="reference internal" href="../basic/stash_file_def.html#stash-definition"><span class="std std-ref">stash file</span></a>.</p> <div class="admonition note"> <p class="first admonition-title">Note</p> <p class="last">If you choose not to install a stash file, the KDC will @@ -207,7 +206,7 @@ prompt you for the master key each time it starts up. This means that the KDC will not be able to start automatically, such as after a system reboot.</p> </div> -<p><a class="reference internal" href="admin_commands/kdb5_util.html#kdb5-util-8"><em>kdb5_util</em></a> will prompt you for the master password for the +<p><a class="reference internal" href="admin_commands/kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a> will prompt you for the master password for the Kerberos database. This password can be any string. A good password is one you can remember, but that no one else can guess. Examples of bad passwords are words that can be found in a dictionary, any common 
@@ -215,46 +214,46 @@ or popular name, especially a famous person (or cartoon character), your username in any form (e.g., forward, backward, repeated twice, etc.), and any of the sample passwords that appear in this manual. One example of a password which might be good if it did not appear in -this manual is “MITiys4K5!”, which represents the sentence “MIT is -your source for Kerberos 5!” (It’s the first letter of each word, -substituting the numeral “4” for the word “for”, and includes the +this manual is “MITiys4K5!”, which represents the sentence “MIT is +your source for Kerberos 5!” (It’s the first letter of each word, +substituting the numeral “4” for the word “for”, and includes the punctuation mark at the end.)</p> <p>The following is an example of how to create a Kerberos database and -stash file on the master KDC, using the <a class="reference internal" href="admin_commands/kdb5_util.html#kdb5-util-8"><em>kdb5_util</em></a> command. -Replace <tt class="docutils literal"><span class="pre">ATHENA.MIT.EDU</span></tt> with the name of your Kerberos realm:</p> -<div class="highlight-python"><div class="highlight"><pre>shell% kdb5_util create -r ATHENA.MIT.EDU -s +stash file on the primary KDC, using the <a class="reference internal" href="admin_commands/kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a> command. 
+Replace <code class="docutils literal"><span class="pre">ATHENA.MIT.EDU</span></code> with the name of your Kerberos realm:</p> +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">shell</span><span class="o">%</span> <span class="n">kdb5_util</span> <span class="n">create</span> <span class="o">-</span><span class="n">r</span> <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="o">-</span><span class="n">s</span> -Initializing database '/usr/local/var/krb5kdc/principal' for realm 'ATHENA.MIT.EDU', -master key name 'K/M@ATHENA.MIT.EDU' -You will be prompted for the database Master Password. -It is important that you NOT FORGET this password. -Enter KDC database master key: <= Type the master password. -Re-enter KDC database master key to verify: <= Type it again. -shell% +<span class="n">Initializing</span> <span class="n">database</span> <span class="s1">'/usr/local/var/krb5kdc/principal'</span> <span class="k">for</span> <span class="n">realm</span> <span class="s1">'ATHENA.MIT.EDU'</span><span class="p">,</span> +<span class="n">master</span> <span class="n">key</span> <span class="n">name</span> <span class="s1">'K/M@ATHENA.MIT.EDU'</span> +<span class="n">You</span> <span class="n">will</span> <span class="n">be</span> <span class="n">prompted</span> <span class="k">for</span> <span class="n">the</span> <span class="n">database</span> <span class="n">Master</span> <span class="n">Password</span><span class="o">.</span> +<span class="n">It</span> <span class="ow">is</span> <span class="n">important</span> <span class="n">that</span> <span class="n">you</span> <span class="n">NOT</span> <span class="n">FORGET</span> <span class="n">this</span> <span class="n">password</span><span class="o">.</span> +<span class="n">Enter</span> <span class="n">KDC</span> <span class="n">database</span> <span class="n">master</span> <span 
class="n">key</span><span class="p">:</span> <span class="o"><=</span> <span class="n">Type</span> <span class="n">the</span> <span class="n">master</span> <span class="n">password</span><span class="o">.</span> +<span class="n">Re</span><span class="o">-</span><span class="n">enter</span> <span class="n">KDC</span> <span class="n">database</span> <span class="n">master</span> <span class="n">key</span> <span class="n">to</span> <span class="n">verify</span><span class="p">:</span> <span class="o"><=</span> <span class="n">Type</span> <span class="n">it</span> <span class="n">again</span><span class="o">.</span> +<span class="n">shell</span><span class="o">%</span> </pre></div> </div> -<p>This will create five files in <a class="reference internal" href="../mitK5defaults.html#paths"><em>LOCALSTATEDIR</em></a><tt class="docutils literal"><span class="pre">/krb5kdc</span></tt> (or at the locations specified -in <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>):</p> +<p>This will create five files in <a class="reference internal" href="../mitK5defaults.html#paths"><span class="std std-ref">LOCALSTATEDIR</span></a><code class="docutils literal"><span class="pre">/krb5kdc</span></code> (or at the locations specified +in <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>):</p> <ul class="simple"> -<li>two Kerberos database files, <tt class="docutils literal"><span class="pre">principal</span></tt>, and <tt class="docutils literal"><span class="pre">principal.ok</span></tt></li> -<li>the Kerberos administrative database file, <tt class="docutils literal"><span class="pre">principal.kadm5</span></tt></li> -<li>the administrative database lock file, <tt class="docutils literal"><span class="pre">principal.kadm5.lock</span></tt></li> -<li>the stash file, in this example <tt class="docutils literal"><span class="pre">.k5.ATHENA.MIT.EDU</span></tt>. 
If you do +<li>two Kerberos database files, <code class="docutils literal"><span class="pre">principal</span></code>, and <code class="docutils literal"><span class="pre">principal.ok</span></code></li> +<li>the Kerberos administrative database file, <code class="docutils literal"><span class="pre">principal.kadm5</span></code></li> +<li>the administrative database lock file, <code class="docutils literal"><span class="pre">principal.kadm5.lock</span></code></li> +<li>the stash file, in this example <code class="docutils literal"><span class="pre">.k5.ATHENA.MIT.EDU</span></code>. If you do not want a stash file, run the above command without the <strong>-s</strong> option.</li> </ul> <p>For more information on administrating Kerberos database see -<a class="reference internal" href="database.html#db-operations"><em>Operations on the Kerberos database</em></a>.</p> +<a class="reference internal" href="database.html#db-operations"><span class="std std-ref">Operations on the Kerberos database</span></a>.</p> </div> <div class="section" id="add-administrators-to-the-acl-file"> <span id="admin-acl"></span><h2>Add administrators to the ACL file<a class="headerlink" href="#add-administrators-to-the-acl-file" title="Permalink to this headline">¶</a></h2> <p>Next, you need create an Access Control List (ACL) file and put the Kerberos principal of at least one of the administrators into it. -This file is used by the <a class="reference internal" href="admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a> daemon to control which +This file is used by the <a class="reference internal" href="admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> daemon to control which principals may view and make privileged modifications to the Kerberos database files. 
The ACL filename is determined by the <strong>acl_file</strong> -variable in <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>; the default is <a class="reference internal" href="../mitK5defaults.html#paths"><em>LOCALSTATEDIR</em></a><tt class="docutils literal"><span class="pre">/krb5kdc</span></tt><tt class="docutils literal"><span class="pre">/kadm5.acl</span></tt>.</p> -<p>For more information on Kerberos ACL file see <a class="reference internal" href="conf_files/kadm5_acl.html#kadm5-acl-5"><em>kadm5.acl</em></a>.</p> +variable in <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>; the default is <a class="reference internal" href="../mitK5defaults.html#paths"><span class="std std-ref">LOCALSTATEDIR</span></a><code class="docutils literal"><span class="pre">/krb5kdc</span></code><code class="docutils literal"><span class="pre">/kadm5.acl</span></code>.</p> +<p>For more information on Kerberos ACL file see <a class="reference internal" href="conf_files/kadm5_acl.html#kadm5-acl-5"><span class="std std-ref">kadm5.acl</span></a>.</p> </div> <div class="section" id="add-administrators-to-the-kerberos-database"> <span id="addadmin-kdb"></span><h2>Add administrators to the Kerberos database<a class="headerlink" href="#add-administrators-to-the-kerberos-database" title="Permalink to this headline">¶</a></h2> 
@@ -263,33 +262,33 @@ are allowed to administer Kerberos database) to the Kerberos database. You <em>must</em> add at least one principal now to allow communication between the Kerberos administration daemon kadmind and the kadmin program over the network for further administration. To do this, use -the kadmin.local utility on the master KDC. kadmin.local is designed -to be run on the master KDC host without using Kerberos authentication -to an admin server; instead, it must have read and write access to the -Kerberos database on the local filesystem.</p> +the kadmin.local utility on the primary KDC. kadmin.local is designed +to be run on the primary KDC host without using Kerberos +authentication to an admin server; instead, it must have read and +write access to the Kerberos database on the local filesystem.</p> <p>The administrative principals you create should be the ones you added -to the ACL file (see <a class="reference internal" href="#admin-acl"><em>Add administrators to the ACL file</em></a>).</p> -<p>In the following example, the administrative principal <tt class="docutils literal"><span class="pre">admin/admin</span></tt> +to the ACL file (see <a class="reference internal" href="#admin-acl"><span class="std std-ref">Add administrators to the ACL file</span></a>).</p> +<p>In the following example, the administrative principal <code class="docutils literal"><span class="pre">admin/admin</span></code> is created:</p> -<div class="highlight-python"><div class="highlight"><pre>shell% kadmin.local +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">shell</span><span class="o">%</span> <span class="n">kadmin</span><span class="o">.</span><span class="n">local</span> -kadmin.local: addprinc admin/admin@ATHENA.MIT.EDU +<span class="n">kadmin</span><span class="o">.</span><span class="n">local</span><span class="p">:</span> <span class="n">addprinc</span> <span class="n">admin</span><span class="o">/</span><span 
class="n">admin</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> -WARNING: no policy specified for "admin/admin@ATHENA.MIT.EDU"; -assigning "default". -Enter password for principal admin/admin@ATHENA.MIT.EDU: <= Enter a password. -Re-enter password for principal admin/admin@ATHENA.MIT.EDU: <= Type it again. -Principal "admin/admin@ATHENA.MIT.EDU" created. -kadmin.local: +<span class="n">No</span> <span class="n">policy</span> <span class="n">specified</span> <span class="k">for</span> <span class="s2">"admin/admin@ATHENA.MIT.EDU"</span><span class="p">;</span> +<span class="n">assigning</span> <span class="s2">"default"</span><span class="o">.</span> +<span class="n">Enter</span> <span class="n">password</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">admin</span><span class="o">/</span><span class="n">admin</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span><span class="p">:</span> <span class="o"><=</span> <span class="n">Enter</span> <span class="n">a</span> <span class="n">password</span><span class="o">.</span> +<span class="n">Re</span><span class="o">-</span><span class="n">enter</span> <span class="n">password</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">admin</span><span class="o">/</span><span class="n">admin</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span><span class="p">:</span> <span class="o"><=</span> <span class="n">Type</span> <span class="n">it</span> <span class="n">again</span><span class="o">.</span> +<span class="n">Principal</span> <span class="s2">"admin/admin@ATHENA.MIT.EDU"</span> <span class="n">created</span><span class="o">.</span> +<span class="n">kadmin</span><span class="o">.</span><span 
class="n">local</span><span class="p">:</span> </pre></div> </div> </div> -<div class="section" id="start-the-kerberos-daemons-on-the-master-kdc"> -<span id="start-kdc-daemons"></span><h2>Start the Kerberos daemons on the master KDC<a class="headerlink" href="#start-the-kerberos-daemons-on-the-master-kdc" title="Permalink to this headline">¶</a></h2> +<div class="section" id="start-the-kerberos-daemons-on-the-primary-kdc"> +<span id="start-kdc-daemons"></span><h2>Start the Kerberos daemons on the primary KDC<a class="headerlink" href="#start-the-kerberos-daemons-on-the-primary-kdc" title="Permalink to this headline">¶</a></h2> <p>At this point, you are ready to start the Kerberos KDC -(<a class="reference internal" href="admin_commands/krb5kdc.html#krb5kdc-8"><em>krb5kdc</em></a>) and administrative daemons on the Master KDC. To +(<a class="reference internal" href="admin_commands/krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a>) and administrative daemons on the primary KDC. To do so, type:</p> -<div class="highlight-python"><div class="highlight"><pre><span class="n">shell</span><span class="o">%</span> <span class="n">krb5kdc</span> +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">shell</span><span class="o">%</span> <span class="n">krb5kdc</span> <span class="n">shell</span><span class="o">%</span> <span class="n">kadmind</span> </pre></div> </div> 
@@ -297,96 +296,98 @@ do so, type:</p> <div class="admonition note"> <p class="first admonition-title">Note</p> <p class="last">Assuming you want these daemons to start up automatically at -boot time, you can add them to the KDC’s <tt class="docutils literal"><span class="pre">/etc/rc</span></tt> or -<tt class="docutils literal"><span class="pre">/etc/inittab</span></tt> file. You need to have a -<a class="reference internal" href="../basic/stash_file_def.html#stash-definition"><em>stash file</em></a> in order to do this.</p> +boot time, you can add them to the KDC’s <code class="docutils literal"><span class="pre">/etc/rc</span></code> or +<code class="docutils literal"><span class="pre">/etc/inittab</span></code> file. You need to have a +<a class="reference internal" href="../basic/stash_file_def.html#stash-definition"><span class="std std-ref">stash file</span></a> in order to do this.</p> </div> <p>You can verify that they started properly by checking for their startup messages in the logging locations you defined in -<a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a> (see <a class="reference internal" href="conf_files/kdc_conf.html#logging"><em>[logging]</em></a>). For example:</p> -<div class="highlight-python"><div class="highlight"><pre>shell% tail /var/log/krb5kdc.log -Dec 02 12:35:47 beeblebrox krb5kdc[3187](info): commencing operation -shell% tail /var/log/kadmin.log -Dec 02 12:35:52 beeblebrox kadmind[3189](info): starting +<a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a> (see <a class="reference internal" href="conf_files/kdc_conf.html#logging"><span class="std std-ref">[logging]</span></a>). 
For example:</p> +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">shell</span><span class="o">%</span> <span class="n">tail</span> <span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">log</span><span class="o">/</span><span class="n">krb5kdc</span><span class="o">.</span><span class="n">log</span> +<span class="n">Dec</span> <span class="mi">02</span> <span class="mi">12</span><span class="p">:</span><span class="mi">35</span><span class="p">:</span><span class="mi">47</span> <span class="n">beeblebrox</span> <span class="n">krb5kdc</span><span class="p">[</span><span class="mi">3187</span><span class="p">](</span><span class="n">info</span><span class="p">):</span> <span class="n">commencing</span> <span class="n">operation</span> +<span class="n">shell</span><span class="o">%</span> <span class="n">tail</span> <span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">log</span><span class="o">/</span><span class="n">kadmin</span><span class="o">.</span><span class="n">log</span> +<span class="n">Dec</span> <span class="mi">02</span> <span class="mi">12</span><span class="p">:</span><span class="mi">35</span><span class="p">:</span><span class="mi">52</span> <span class="n">beeblebrox</span> <span class="n">kadmind</span><span class="p">[</span><span class="mi">3189</span><span class="p">](</span><span class="n">info</span><span class="p">):</span> <span class="n">starting</span> </pre></div> </div> <p>Any errors the daemons encounter while starting will also be listed in the logging output.</p> -<p>As an additional verification, check if <a class="reference internal" href="../user/user_commands/kinit.html#kinit-1"><em>kinit</em></a> succeeds +<p>As an additional verification, check if <a class="reference internal" href="../user/user_commands/kinit.html#kinit-1"><span class="std std-ref">kinit</span></a> succeeds against the principals that you have created 
on the previous step -(<a class="reference internal" href="#addadmin-kdb"><em>Add administrators to the Kerberos database</em></a>). Run:</p> -<div class="highlight-python"><div class="highlight"><pre>shell% kinit admin/admin@ATHENA.MIT.EDU +(<a class="reference internal" href="#addadmin-kdb"><span class="std std-ref">Add administrators to the Kerberos database</span></a>). Run:</p> +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">shell</span><span class="o">%</span> <span class="n">kinit</span> <span class="n">admin</span><span class="o">/</span><span class="n">admin</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> </pre></div> </div> </div> -<div class="section" id="install-the-slave-kdcs"> -<h2>Install the slave KDCs<a class="headerlink" href="#install-the-slave-kdcs" title="Permalink to this headline">¶</a></h2> -<p>You are now ready to start configuring the slave KDCs.</p> +<div class="section" id="install-the-replica-kdcs"> +<h2>Install the replica KDCs<a class="headerlink" href="#install-the-replica-kdcs" title="Permalink to this headline">¶</a></h2> +<p>You are now ready to start configuring the replica KDCs.</p> <div class="admonition note"> <p class="first admonition-title">Note</p> <p class="last">Assuming you are setting the KDCs up so that you can easily -switch the master KDC with one of the slaves, you should -perform each of these steps on the master KDC as well as the -slave KDCs, unless these instructions specify otherwise.</p> +switch the primary KDC with one of the replicas, you should +perform each of these steps on the primary KDC as well as +the replica KDCs, unless these instructions specify +otherwise.</p> </div> -<div class="section" id="create-host-keytabs-for-slave-kdcs"> -<span id="slave-host-key"></span><h3>Create host keytabs for slave KDCs<a class="headerlink" href="#create-host-keytabs-for-slave-kdcs" 
title="Permalink to this headline">¶</a></h3> -<p>Each KDC needs a <tt class="docutils literal"><span class="pre">host</span></tt> key in the Kerberos database. These keys +<div class="section" id="create-host-keytabs-for-replica-kdcs"> +<span id="replica-host-key"></span><h3>Create host keytabs for replica KDCs<a class="headerlink" href="#create-host-keytabs-for-replica-kdcs" title="Permalink to this headline">¶</a></h3> +<p>Each KDC needs a <code class="docutils literal"><span class="pre">host</span></code> key in the Kerberos database. These keys are used for mutual authentication when propagating the database dump -file from the master KDC to the secondary KDC servers.</p> -<p>On the master KDC, connect to administrative interface and create the -host principal for each of the KDCs’ <tt class="docutils literal"><span class="pre">host</span></tt> services. For example, -if the master KDC were called <tt class="docutils literal"><span class="pre">kerberos.mit.edu</span></tt>, and you had a -slave KDC named <tt class="docutils literal"><span class="pre">kerberos-1.mit.edu</span></tt>, you would type the following:</p> -<div class="highlight-python"><div class="highlight"><pre>shell% kadmin -kadmin: addprinc -randkey host/kerberos.mit.edu -NOTICE: no policy specified for "host/kerberos.mit.edu@ATHENA.MIT.EDU"; assigning "default" -Principal "host/kerberos.mit.edu@ATHENA.MIT.EDU" created. +file from the primary KDC to the secondary KDC servers.</p> +<p>On the primary KDC, connect to administrative interface and create the +host principal for each of the KDCs’ <code class="docutils literal"><span class="pre">host</span></code> services. 
For example, +if the primary KDC were called <code class="docutils literal"><span class="pre">kerberos.mit.edu</span></code>, and you had a +replica KDC named <code class="docutils literal"><span class="pre">kerberos-1.mit.edu</span></code>, you would type the +following:</p> +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">shell</span><span class="o">%</span> <span class="n">kadmin</span> +<span class="n">kadmin</span><span class="p">:</span> <span class="n">addprinc</span> <span class="o">-</span><span class="n">randkey</span> <span class="n">host</span><span class="o">/</span><span class="n">kerberos</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> +<span class="n">No</span> <span class="n">policy</span> <span class="n">specified</span> <span class="k">for</span> <span class="s2">"host/kerberos.mit.edu@ATHENA.MIT.EDU"</span><span class="p">;</span> <span class="n">assigning</span> <span class="s2">"default"</span> +<span class="n">Principal</span> <span class="s2">"host/kerberos.mit.edu@ATHENA.MIT.EDU"</span> <span class="n">created</span><span class="o">.</span> -kadmin: addprinc -randkey host/kerberos-1.mit.edu -NOTICE: no policy specified for "host/kerberos-1.mit.edu@ATHENA.MIT.EDU"; assigning "default" -Principal "host/kerberos-1.mit.edu@ATHENA.MIT.EDU" created. 
+<span class="n">kadmin</span><span class="p">:</span> <span class="n">addprinc</span> <span class="o">-</span><span class="n">randkey</span> <span class="n">host</span><span class="o">/</span><span class="n">kerberos</span><span class="o">-</span><span class="mf">1.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> +<span class="n">No</span> <span class="n">policy</span> <span class="n">specified</span> <span class="k">for</span> <span class="s2">"host/kerberos-1.mit.edu@ATHENA.MIT.EDU"</span><span class="p">;</span> <span class="n">assigning</span> <span class="s2">"default"</span> +<span class="n">Principal</span> <span class="s2">"host/kerberos-1.mit.edu@ATHENA.MIT.EDU"</span> <span class="n">created</span><span class="o">.</span> </pre></div> </div> -<p>It is not strictly necessary to have the master KDC server in the +<p>It is not strictly necessary to have the primary KDC server in the Kerberos database, but it can be handy if you want to be able to swap -the master KDC with one of the slaves.</p> -<p>Next, extract <tt class="docutils literal"><span class="pre">host</span></tt> random keys for all participating KDCs and -store them in each host’s default keytab file. Ideally, you should +the primary KDC with one of the replicas.</p> +<p>Next, extract <code class="docutils literal"><span class="pre">host</span></code> random keys for all participating KDCs and +store them in each host’s default keytab file. Ideally, you should extract each keytab locally on its own KDC. If this is not feasible, you should use an encrypted session to send them across the network. 
-To extract a keytab directly on a slave KDC called -<tt class="docutils literal"><span class="pre">kerberos-1.mit.edu</span></tt>, you would execute the following command:</p> -<div class="highlight-python"><div class="highlight"><pre>kadmin: ktadd host/kerberos-1.mit.edu -Entry for principal host/kerberos-1.mit.edu with kvno 2, encryption - type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab. -Entry for principal host/kerberos-1.mit.edu with kvno 2, encryption - type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab. -Entry for principal host/kerberos-1.mit.edu with kvno 2, encryption - type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab. -Entry for principal host/kerberos-1.mit.edu with kvno 2, encryption - type arcfour-hmac added to keytab FILE:/etc/krb5.keytab. +To extract a keytab directly on a replica KDC called +<code class="docutils literal"><span class="pre">kerberos-1.mit.edu</span></code>, you would execute the following command:</p> +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">ktadd</span> <span class="n">host</span><span class="o">/</span><span class="n">kerberos</span><span class="o">-</span><span class="mf">1.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> +<span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">host</span><span class="o">/</span><span class="n">kerberos</span><span class="o">-</span><span class="mf">1.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">2</span><span class="p">,</span> <span class="n">encryption</span> + <span class="nb">type</span> <span class="n">aes256</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span 
class="n">sha1</span><span class="o">-</span><span class="mi">96</span> <span class="n">added</span> <span class="n">to</span> <span class="n">keytab</span> <span class="n">FILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">krb5</span><span class="o">.</span><span class="n">keytab</span><span class="o">.</span> +<span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">host</span><span class="o">/</span><span class="n">kerberos</span><span class="o">-</span><span class="mf">1.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">2</span><span class="p">,</span> <span class="n">encryption</span> + <span class="nb">type</span> <span class="n">aes128</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span> <span class="n">added</span> <span class="n">to</span> <span class="n">keytab</span> <span class="n">FILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">krb5</span><span class="o">.</span><span class="n">keytab</span><span class="o">.</span> +<span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">host</span><span class="o">/</span><span class="n">kerberos</span><span class="o">-</span><span class="mf">1.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">2</span><span class="p">,</span> <span class="n">encryption</span> + <span class="nb">type</span> <span class="n">aes256</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span 
class="n">hmac</span><span class="o">-</span><span class="n">sha384</span><span class="o">-</span><span class="mi">192</span> <span class="n">added</span> <span class="n">to</span> <span class="n">keytab</span> <span class="n">FILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">krb5</span><span class="o">.</span><span class="n">keytab</span><span class="o">.</span> +<span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">host</span><span class="o">/</span><span class="n">kerberos</span><span class="o">-</span><span class="mf">1.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">2</span><span class="p">,</span> <span class="n">encryption</span> + <span class="nb">type</span> <span class="n">arcfour</span><span class="o">-</span><span class="n">hmac</span> <span class="n">added</span> <span class="n">to</span> <span class="n">keytab</span> <span class="n">FILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">krb5</span><span class="o">.</span><span class="n">keytab</span><span class="o">.</span> </pre></div> </div> -<p>If you are instead extracting a keytab for the slave KDC called -<tt class="docutils literal"><span class="pre">kerberos-1.mit.edu</span></tt> on the master KDC, you should use a dedicated -temporary keytab file for that machine’s keytab:</p> -<div class="highlight-python"><div class="highlight"><pre>kadmin: ktadd -k /tmp/kerberos-1.keytab host/kerberos-1.mit.edu -Entry for principal host/kerberos-1.mit.edu with kvno 2, encryption - type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab. -Entry for principal host/kerberos-1.mit.edu with kvno 2, encryption - type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab. 
+<p>If you are instead extracting a keytab for the replica KDC called +<code class="docutils literal"><span class="pre">kerberos-1.mit.edu</span></code> on the primary KDC, you should use a dedicated +temporary keytab file for that machine’s keytab:</p> +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">ktadd</span> <span class="o">-</span><span class="n">k</span> <span class="o">/</span><span class="n">tmp</span><span class="o">/</span><span class="n">kerberos</span><span class="o">-</span><span class="mf">1.</span><span class="n">keytab</span> <span class="n">host</span><span class="o">/</span><span class="n">kerberos</span><span class="o">-</span><span class="mf">1.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> +<span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">host</span><span class="o">/</span><span class="n">kerberos</span><span class="o">-</span><span class="mf">1.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">2</span><span class="p">,</span> <span class="n">encryption</span> + <span class="nb">type</span> <span class="n">aes256</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span> <span class="n">added</span> <span class="n">to</span> <span class="n">keytab</span> <span class="n">FILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">krb5</span><span class="o">.</span><span class="n">keytab</span><span class="o">.</span> +<span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">host</span><span 
class="o">/</span><span class="n">kerberos</span><span class="o">-</span><span class="mf">1.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">2</span><span class="p">,</span> <span class="n">encryption</span> + <span class="nb">type</span> <span class="n">aes128</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span> <span class="n">added</span> <span class="n">to</span> <span class="n">keytab</span> <span class="n">FILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">krb5</span><span class="o">.</span><span class="n">keytab</span><span class="o">.</span> </pre></div> </div> -<p>The file <tt class="docutils literal"><span class="pre">/tmp/kerberos-1.keytab</span></tt> can then be installed as -<tt class="docutils literal"><span class="pre">/etc/krb5.keytab</span></tt> on the host <tt class="docutils literal"><span class="pre">kerberos-1.mit.edu</span></tt>.</p> +<p>The file <code class="docutils literal"><span class="pre">/tmp/kerberos-1.keytab</span></code> can then be installed as +<code class="docutils literal"><span class="pre">/etc/krb5.keytab</span></code> on the host <code class="docutils literal"><span class="pre">kerberos-1.mit.edu</span></code>.</p> </div> -<div class="section" id="configure-slave-kdcs"> -<h3>Configure slave KDCs<a class="headerlink" href="#configure-slave-kdcs" title="Permalink to this headline">¶</a></h3> -<p>Database propagation copies the contents of the master’s database, but -does not propagate configuration files, stash files, or the kadm5 ACL -file. 
The following files must be copied by hand to each slave (see -<a class="reference internal" href="../mitK5defaults.html#mitk5defaults"><em>MIT Kerberos defaults</em></a> for the default locations for these files):</p> +<div class="section" id="configure-replica-kdcs"> +<h3>Configure replica KDCs<a class="headerlink" href="#configure-replica-kdcs" title="Permalink to this headline">¶</a></h3> +<p>Database propagation copies the contents of the primary’s database, +but does not propagate configuration files, stash files, or the kadm5 +ACL file. The following files must be copied by hand to each replica +(see <a class="reference internal" href="../mitK5defaults.html#mitk5defaults"><span class="std std-ref">MIT Kerberos defaults</span></a> for the default locations for these files):</p> <ul class="simple"> <li>krb5.conf</li> <li>kdc.conf</li> 
@@ -394,98 +395,98 @@ file. The following files must be copied by hand to each slave (see <li>master key stash file</li> </ul> <p>Move the copied files into their appropriate directories, exactly as -on the master KDC. kadm5.acl is only needed to allow a slave to swap -with the master KDC.</p> -<p>The database is propagated from the master KDC to the slave KDCs via -the <a class="reference internal" href="admin_commands/kpropd.html#kpropd-8"><em>kpropd</em></a> daemon. You must explicitly specify the +on the primary KDC. kadm5.acl is only needed to allow a replica to +swap with the primary KDC.</p> +<p>The database is propagated from the primary KDC to the replica KDCs +via the <a class="reference internal" href="admin_commands/kpropd.html#kpropd-8"><span class="std std-ref">kpropd</span></a> daemon. You must explicitly specify the principals which are allowed to provide Kerberos dump updates on the -slave machine with a new database. Create a file named kpropd.acl in -the KDC state directory containing the <tt class="docutils literal"><span class="pre">host</span></tt> principals for each of -the KDCs:</p> -<div class="highlight-python"><div class="highlight"><pre>host/kerberos.mit.edu@ATHENA.MIT.EDU -host/kerberos-1.mit.edu@ATHENA.MIT.EDU +replica machine with a new database. 
Create a file named kpropd.acl +in the KDC state directory containing the <code class="docutils literal"><span class="pre">host</span></code> principals for each +of the KDCs:</p> +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">host</span><span class="o">/</span><span class="n">kerberos</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> +<span class="n">host</span><span class="o">/</span><span class="n">kerberos</span><span class="o">-</span><span class="mf">1.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> </pre></div> </div> <div class="admonition note"> <p class="first admonition-title">Note</p> -<p class="last">If you expect that the master and slave KDCs will be +<p class="last">If you expect that the primary and replica KDCs will be switched at some point of time, list the host principals from all participating KDC servers in kpropd.acl files on all of the KDCs. 
Otherwise, you only need to list the -master KDC’s host principal in the kpropd.acl files of the -slave KDCs.</p> +primary KDC’s host principal in the kpropd.acl files of the +replica KDCs.</p> </div> -<p>Then, add the following line to <tt class="docutils literal"><span class="pre">/etc/inetd.conf</span></tt> on each KDC +<p>Then, add the following line to <code class="docutils literal"><span class="pre">/etc/inetd.conf</span></code> on each KDC (adjust the path to kpropd):</p> -<div class="highlight-python"><div class="highlight"><pre>krb5_prop stream tcp nowait root /usr/local/sbin/kpropd kpropd +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">krb5_prop</span> <span class="n">stream</span> <span class="n">tcp</span> <span class="n">nowait</span> <span class="n">root</span> <span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">local</span><span class="o">/</span><span class="n">sbin</span><span class="o">/</span><span class="n">kpropd</span> <span class="n">kpropd</span> </pre></div> </div> -<p>You also need to add the following line to <tt class="docutils literal"><span class="pre">/etc/services</span></tt> on each +<p>You also need to add the following line to <code class="docutils literal"><span class="pre">/etc/services</span></code> on each KDC, if it is not already present (assuming that the default port is used):</p> -<div class="highlight-python"><div class="highlight"><pre>krb5_prop 754/tcp # Kerberos slave propagation +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">krb5_prop</span> <span class="mi">754</span><span class="o">/</span><span class="n">tcp</span> <span class="c1"># Kerberos replica propagation</span> </pre></div> </div> <p>Restart inetd daemon.</p> -<p>Alternatively, start <a class="reference internal" href="admin_commands/kpropd.html#kpropd-8"><em>kpropd</em></a> as a stand-alone daemon. 
This is +<p>Alternatively, start <a class="reference internal" href="admin_commands/kpropd.html#kpropd-8"><span class="std std-ref">kpropd</span></a> as a stand-alone daemon. This is required when incremental propagation is enabled.</p> -<p>Now that the slave KDC is able to accept database propagation, you’ll -need to propagate the database from the master server.</p> -<p>NOTE: Do not start the slave KDC yet; you still do not have a copy of -the master’s database.</p> +<p>Now that the replica KDC is able to accept database propagation, +you’ll need to propagate the database from the primary server.</p> +<p>NOTE: Do not start the replica KDC yet; you still do not have a copy +of the primary’s database.</p> </div> -<div class="section" id="propagate-the-database-to-each-slave-kdc"> -<span id="kprop-to-slaves"></span><h3>Propagate the database to each slave KDC<a class="headerlink" href="#propagate-the-database-to-each-slave-kdc" title="Permalink to this headline">¶</a></h3> -<p>First, create a dump file of the database on the master KDC, as +<div class="section" id="propagate-the-database-to-each-replica-kdc"> +<span id="kprop-to-replicas"></span><h3>Propagate the database to each replica KDC<a class="headerlink" href="#propagate-the-database-to-each-replica-kdc" title="Permalink to this headline">¶</a></h3> +<p>First, create a dump file of the database on the primary KDC, as follows:</p> -<div class="highlight-python"><div class="highlight"><pre>shell% kdb5_util dump /usr/local/var/krb5kdc/slave_datatrans +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">shell</span><span class="o">%</span> <span class="n">kdb5_util</span> <span class="n">dump</span> <span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">local</span><span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">krb5kdc</span><span class="o">/</span><span class="n">replica_datatrans</span> 
</pre></div> </div> -<p>Then, manually propagate the database to each slave KDC, as in the +<p>Then, manually propagate the database to each replica KDC, as in the following example:</p> -<div class="highlight-python"><div class="highlight"><pre>shell% kprop -f /usr/local/var/krb5kdc/slave_datatrans kerberos-1.mit.edu +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">shell</span><span class="o">%</span> <span class="n">kprop</span> <span class="o">-</span><span class="n">f</span> <span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">local</span><span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">krb5kdc</span><span class="o">/</span><span class="n">replica_datatrans</span> <span class="n">kerberos</span><span class="o">-</span><span class="mf">1.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> -Database propagation to kerberos-1.mit.edu: SUCCEEDED +<span class="n">Database</span> <span class="n">propagation</span> <span class="n">to</span> <span class="n">kerberos</span><span class="o">-</span><span class="mf">1.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span><span class="p">:</span> <span class="n">SUCCEEDED</span> </pre></div> </div> <p>You will need a script to dump and propagate the database. 
The following is an example of a Bourne shell script that will do this.</p> <div class="admonition note"> <p class="first admonition-title">Note</p> -<p class="last">Remember that you need to replace <tt class="docutils literal"><span class="pre">/usr/local/var/krb5kdc</span></tt> +<p class="last">Remember that you need to replace <code class="docutils literal"><span class="pre">/usr/local/var/krb5kdc</span></code> with the name of the KDC state directory.</p> </div> -<div class="highlight-python"><div class="highlight"><pre>#!/bin/sh +<div class="highlight-default"><div class="highlight"><pre><span></span>#!/bin/sh kdclist = "kerberos-1.mit.edu kerberos-2.mit.edu" -kdb5_util dump /usr/local/var/krb5kdc/slave_datatrans +kdb5_util dump /usr/local/var/krb5kdc/replica_datatrans for kdc in $kdclist do - kprop -f /usr/local/var/krb5kdc/slave_datatrans $kdc + kprop -f /usr/local/var/krb5kdc/replica_datatrans $kdc done </pre></div> </div> <p>You will need to set up a cron job to run this script at the intervals -you decided on earlier (see <a class="reference internal" href="realm_config.html#db-prop"><em>Database propagation</em></a>).</p> -<p>Now that the slave KDC has a copy of the Kerberos database, you can +you decided on earlier (see <a class="reference internal" href="realm_config.html#db-prop"><span class="std std-ref">Database propagation</span></a>).</p> +<p>Now that the replica KDC has a copy of the Kerberos database, you can start the krb5kdc daemon:</p> -<div class="highlight-python"><div class="highlight"><pre><span class="n">shell</span><span class="o">%</span> <span class="n">krb5kdc</span> +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">shell</span><span class="o">%</span> <span class="n">krb5kdc</span> </pre></div> </div> -<p>As with the master KDC, you will probably want to add this command to -the KDCs’ <tt class="docutils literal"><span class="pre">/etc/rc</span></tt> or <tt class="docutils literal"><span 
class="pre">/etc/inittab</span></tt> files, so they will start +<p>As with the primary KDC, you will probably want to add this command to +the KDCs’ <code class="docutils literal"><span class="pre">/etc/rc</span></code> or <code class="docutils literal"><span class="pre">/etc/inittab</span></code> files, so they will start the krb5kdc daemon automatically at boot time.</p> <div class="section" id="propagation-failed"> <h4>Propagation failed?<a class="headerlink" href="#propagation-failed" title="Permalink to this headline">¶</a></h4> <p>You may encounter the following error messages. For a more detailed discussion on possible causes and solutions click on the error link -to be redirected to <a class="reference internal" href="troubleshoot.html#troubleshoot"><em>Troubleshooting</em></a> section.</p> +to be redirected to <a class="reference internal" href="troubleshoot.html#troubleshoot"><span class="std std-ref">Troubleshooting</span></a> section.</p> <ol class="arabic simple"> -<li><a class="reference internal" href="troubleshoot.html#kprop-no-route"><em>kprop: No route to host while connecting to server</em></a></li> -<li><a class="reference internal" href="troubleshoot.html#kprop-con-refused"><em>kprop: Connection refused while connecting to server</em></a></li> -<li><a class="reference internal" href="troubleshoot.html#kprop-sendauth-exchange"><em>kprop: Server rejected authentication (during sendauth exchange) while authenticating to server</em></a></li> +<li><a class="reference internal" href="troubleshoot.html#kprop-no-route"><span class="std std-ref">kprop: No route to host while connecting to server</span></a></li> +<li><a class="reference internal" href="troubleshoot.html#kprop-con-refused"><span class="std std-ref">kprop: Connection refused while connecting to server</span></a></li> +<li><a class="reference internal" href="troubleshoot.html#kprop-sendauth-exchange"><span class="std std-ref">kprop: Server rejected authentication (during sendauth exchange) 
while authenticating to server</span></a></li> </ol> </div> </div> 
@@ -493,46 +494,46 @@ to be redirected to <a class="reference internal" href="troubleshoot.html#troubl <div class="section" id="add-kerberos-principals-to-the-database"> <h2>Add Kerberos principals to the database<a class="headerlink" href="#add-kerberos-principals-to-the-database" title="Permalink to this headline">¶</a></h2> <p>Once your KDCs are set up and running, you are ready to use -<a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><em>kadmin</em></a> to load principals for your users, hosts, and other +<a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> to load principals for your users, hosts, and other services into the Kerberos database. This procedure is described -fully in <a class="reference internal" href="database.html#add-mod-del-princs"><em>Adding, modifying and deleting principals</em></a>.</p> -<p>You may occasionally want to use one of your slave KDCs as the master. -This might happen if you are upgrading the master KDC, or if your -master KDC has a disk crash. See the following section for the -instructions.</p> +fully in <a class="reference internal" href="database.html#principals"><span class="std std-ref">Principals</span></a>.</p> +<p>You may occasionally want to use one of your replica KDCs as the +primary. This might happen if you are upgrading the primary KDC, or +if your primary KDC has a disk crash. See the following section for +the instructions.</p> </div> -<div class="section" id="switching-master-and-slave-kdcs"> -<span id="switch-master-slave"></span><h2>Switching master and slave KDCs<a class="headerlink" href="#switching-master-and-slave-kdcs" title="Permalink to this headline">¶</a></h2> -<p>You may occasionally want to use one of your slave KDCs as the master. 
-This might happen if you are upgrading the master KDC, or if your -master KDC has a disk crash.</p> +<div class="section" id="switching-primary-and-replica-kdcs"> +<span id="switch-primary-replica"></span><h2>Switching primary and replica KDCs<a class="headerlink" href="#switching-primary-and-replica-kdcs" title="Permalink to this headline">¶</a></h2> +<p>You may occasionally want to use one of your replica KDCs as the +primary. This might happen if you are upgrading the primary KDC, or +if your primary KDC has a disk crash.</p> <p>Assuming you have configured all of your KDCs to be able to function -as either the master KDC or a slave KDC (as this document recommends), -all you need to do to make the changeover is:</p> -<p>If the master KDC is still running, do the following on the <em>old</em> -master KDC:</p> +as either the primary KDC or a replica KDC (as this document +recommends), all you need to do to make the changeover is:</p> +<p>If the primary KDC is still running, do the following on the <em>old</em> +primary KDC:</p> <ol class="arabic simple"> <li>Kill the kadmind process.</li> <li>Disable the cron job that propagates the database.</li> <li>Run your database propagation script manually, to ensure that the -slaves all have the latest copy of the database (see -<a class="reference internal" href="#kprop-to-slaves"><em>Propagate the database to each slave KDC</em></a>).</li> +replicas all have the latest copy of the database (see +<a class="reference internal" href="#kprop-to-replicas"><span class="std std-ref">Propagate the database to each replica KDC</span></a>).</li> </ol> -<p>On the <em>new</em> master KDC:</p> +<p>On the <em>new</em> primary KDC:</p> <ol class="arabic simple"> -<li>Start the <a class="reference internal" href="admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a> daemon (see <a class="reference internal" href="#start-kdc-daemons"><em>Start the Kerberos daemons on the master KDC</em></a>).</li> +<li>Start the <a 
class="reference internal" href="admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> daemon (see <a class="reference internal" href="#start-kdc-daemons"><span class="std std-ref">Start the Kerberos daemons on the primary KDC</span></a>).</li> <li>Set up the cron job to propagate the database (see -<a class="reference internal" href="#kprop-to-slaves"><em>Propagate the database to each slave KDC</em></a>).</li> -<li>Switch the CNAMEs of the old and new master KDCs. If you can’t do -this, you’ll need to change the <a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a> file on every +<a class="reference internal" href="#kprop-to-replicas"><span class="std std-ref">Propagate the database to each replica KDC</span></a>).</li> +<li>Switch the CNAMEs of the old and new primary KDCs. If you can’t do +this, you’ll need to change the <a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a> file on every client machine in your Kerberos realm.</li> </ol> </div> <div class="section" id="incremental-database-propagation"> <h2>Incremental database propagation<a class="headerlink" href="#incremental-database-propagation" title="Permalink to this headline">¶</a></h2> <p>If you expect your Kerberos database to become large, you may wish to -set up incremental propagation to slave KDCs. See <a class="reference internal" href="database.html#incr-db-prop"><em>Incremental database propagation</em></a> -for details.</p> +set up incremental propagation to replica KDCs. See +<a class="reference internal" href="database.html#incr-db-prop"><span class="std std-ref">Incremental database propagation</span></a> for details.</p> </div> </div> 
@@ -545,7 +546,7 @@ for details.</p> <h2>On this page</h2> <ul> <li><a class="reference internal" href="#">Installing KDCs</a><ul> -<li><a class="reference internal" href="#install-and-configure-the-master-kdc">Install and configure the master KDC</a></li> +<li><a class="reference internal" href="#install-and-configure-the-primary-kdc">Install and configure the primary KDC</a></li> <li><a class="reference internal" href="#edit-kdc-configuration-files">Edit KDC configuration files</a><ul> <li><a class="reference internal" href="#krb5-conf">krb5.conf</a></li> <li><a class="reference internal" href="#kdc-conf">kdc.conf</a></li> 
@@ -554,18 +555,18 @@ for details.</p> <li><a class="reference internal" href="#create-the-kdc-database">Create the KDC database</a></li> <li><a class="reference internal" href="#add-administrators-to-the-acl-file">Add administrators to the ACL file</a></li> <li><a class="reference internal" href="#add-administrators-to-the-kerberos-database">Add administrators to the Kerberos database</a></li> -<li><a class="reference internal" href="#start-the-kerberos-daemons-on-the-master-kdc">Start the Kerberos daemons on the master KDC</a></li> -<li><a class="reference internal" href="#install-the-slave-kdcs">Install the slave KDCs</a><ul> -<li><a class="reference internal" href="#create-host-keytabs-for-slave-kdcs">Create host keytabs for slave KDCs</a></li> -<li><a class="reference internal" href="#configure-slave-kdcs">Configure slave KDCs</a></li> -<li><a class="reference internal" href="#propagate-the-database-to-each-slave-kdc">Propagate the database to each slave KDC</a><ul> +<li><a class="reference internal" href="#start-the-kerberos-daemons-on-the-primary-kdc">Start the Kerberos daemons on the primary KDC</a></li> +<li><a class="reference internal" href="#install-the-replica-kdcs">Install the replica KDCs</a><ul> +<li><a class="reference internal" href="#create-host-keytabs-for-replica-kdcs">Create host keytabs for replica KDCs</a></li> +<li><a class="reference internal" href="#configure-replica-kdcs">Configure replica KDCs</a></li> +<li><a class="reference internal" href="#propagate-the-database-to-each-replica-kdc">Propagate the database to each replica KDC</a><ul> <li><a class="reference internal" href="#propagation-failed">Propagation failed?</a></li> </ul> </li> </ul> </li> <li><a class="reference internal" href="#add-kerberos-principals-to-the-database">Add Kerberos principals to the database</a></li> -<li><a class="reference internal" href="#switching-master-and-slave-kdcs">Switching master and slave KDCs</a></li> +<li><a class="reference internal" 
href="#switching-primary-and-replica-kdcs">Switching primary and replica KDCs</a></li> <li><a class="reference internal" href="#incremental-database-propagation">Incremental database propagation</a></li> </ul> </li> @@ -577,7 +578,7 @@ for details.</p> <li class="toctree-l1"><a class="reference internal" href="../user/index.html">For users</a></li> <li class="toctree-l1 current"><a class="reference internal" href="index.html">For administrators</a><ul class="current"> <li class="toctree-l2 current"><a class="reference internal" href="install.html">Installation guide</a><ul class="current"> -<li class="toctree-l3 current"><a class="current reference internal" href="">Installing KDCs</a></li> +<li class="toctree-l3 current"><a class="current reference internal" href="#">Installing KDCs</a></li> <li class="toctree-l3"><a class="reference internal" href="install_clients.html">Installing and configuring UNIX client machines</a></li> <li class="toctree-l3"><a class="reference internal" href="install_appl_srv.html">UNIX Application Servers</a></li> </ul> @@ -585,6 +586,7 @@ for details.</p> <li class="toctree-l2"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li> <li class="toctree-l2"><a class="reference internal" href="realm_config.html">Realm configuration decisions</a></li> <li class="toctree-l2"><a class="reference internal" href="database.html">Database administration</a></li> +<li class="toctree-l2"><a class="reference internal" href="dbtypes.html">Database types</a></li> <li class="toctree-l2"><a class="reference internal" href="lockout.html">Account lockout</a></li> <li class="toctree-l2"><a class="reference internal" href="conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li> <li class="toctree-l2"><a class="reference internal" href="appl_servers.html">Application servers</a></li> 
@@ -592,6 +594,8 @@ for details.</p> <li class="toctree-l2"><a class="reference internal" href="backup_host.html">Backups of secure hosts</a></li> <li class="toctree-l2"><a class="reference internal" href="pkinit.html">PKINIT configuration</a></li> <li class="toctree-l2"><a class="reference internal" href="otp.html">OTP Preauthentication</a></li> +<li class="toctree-l2"><a class="reference internal" href="spake.html">SPAKE Preauthentication</a></li> +<li class="toctree-l2"><a class="reference internal" href="dictionary.html">Addressing dictionary attack risks</a></li> <li class="toctree-l2"><a class="reference internal" href="princ_dns.html">Principal names and DNS</a></li> <li class="toctree-l2"><a class="reference internal" href="enctypes.html">Encryption types</a></li> <li class="toctree-l2"><a class="reference internal" href="https.html">HTTPS proxy configuration</a></li> @@ -631,8 +635,8 @@ for details.</p> <div class="footer-wrapper"> <div class="footer" > - <div class="right" ><i>Release: 1.16</i><br /> - © <a href="../copyright.html">Copyright</a> 1985-2017, MIT. + <div class="right" ><i>Release: 1.21.1</i><br /> + © <a href="../copyright.html">Copyright</a> 1985-2023, MIT. </div> <div class="left"> diff --git a/doc/html/admin/lockout.html b/doc/html/admin/lockout.html index ad1b66e5458c..f9c33d949ad0 100644 --- a/doc/html/admin/lockout.html +++ b/doc/html/admin/lockout.html 
@@ -1,35 +1,33 @@ + <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> - <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> - - <title>Account lockout — MIT Kerberos Documentation</title> - + <title>Account lockout — MIT Kerberos Documentation</title> <link rel="stylesheet" href="../_static/agogo.css" type="text/css" /> <link rel="stylesheet" href="../_static/pygments.css" type="text/css" /> <link rel="stylesheet" href="../_static/kerb.css" type="text/css" /> - <script type="text/javascript"> var DOCUMENTATION_OPTIONS = { URL_ROOT: '../', - VERSION: '1.16', + VERSION: '1.21.1', COLLAPSE_INDEX: false, FILE_SUFFIX: '.html', - HAS_SOURCE: true + HAS_SOURCE: true, + SOURCELINK_SUFFIX: '.txt' }; </script> <script type="text/javascript" src="../_static/jquery.js"></script> <script type="text/javascript" src="../_static/underscore.js"></script> <script type="text/javascript" src="../_static/doctools.js"></script> <link rel="author" title="About these documents" href="../about.html" /> + <link rel="index" title="Index" href="../genindex.html" /> + <link rel="search" title="Search" href="../search.html" /> <link rel="copyright" title="Copyright" href="../copyright.html" /> - <link rel="top" title="MIT Kerberos Documentation" href="../index.html" /> - <link rel="up" title="For administrators" href="index.html" /> <link rel="next" title="Configuring Kerberos with OpenLDAP back-end" href="conf_ldap.html" /> - <link rel="prev" title="Database administration" href="database.html" /> + <link rel="prev" title="Database types" href="dbtypes.html" /> </head> <body> <div class="header-wrapper"> 
@@ -42,7 +40,7 @@ <a href="../index.html" title="Full Table of Contents" accesskey="C">Contents</a> | - <a href="database.html" title="Database administration" + <a href="dbtypes.html" title="Database types" accesskey="P">previous</a> | <a href="conf_ldap.html" title="Configuring Kerberos with OpenLDAP back-end" accesskey="N">next</a> | @@ -61,14 +59,14 @@ <div class="documentwrapper"> <div class="bodywrapper"> - <div class="body"> + <div class="body" role="main"> <div class="section" id="account-lockout"> -<h1>Account lockout<a class="headerlink" href="#account-lockout" title="Permalink to this headline">¶</a></h1> +<span id="lockout"></span><h1>Account lockout<a class="headerlink" href="#account-lockout" title="Permalink to this headline">¶</a></h1> <p>As of release 1.8, the KDC can be configured to lock out principals after a number of failed authentication attempts within a period of time. Account lockout can make it more difficult to attack a -principal’s password by brute force, but also makes it easy for an +principal’s password by brute force, but also makes it easy for an attacker to deny access to a principal.</p> <div class="section" id="configuring-account-lockout"> <h2>Configuring account lockout<a class="headerlink" href="#configuring-account-lockout" title="Permalink to this headline">¶</a></h2> 
@@ -78,27 +76,27 @@ know whether or not a client successfully decrypted the ticket it issued. It is also important to set the <strong>-allow_svr</strong> flag on a principal to protect its password from an off-line dictionary attack through a TGS request. You can set these flags on a principal with -<a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><em>kadmin</em></a> as follows:</p> -<div class="highlight-python"><div class="highlight"><pre>kadmin: modprinc +requires_preauth -allow_svr PRINCNAME +<a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> as follows:</p> +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">modprinc</span> <span class="o">+</span><span class="n">requires_preauth</span> <span class="o">-</span><span class="n">allow_svr</span> <span class="n">PRINCNAME</span> </pre></div> </div> -<p>Account lockout parameters are configured via <a class="reference internal" href="database.html#policies"><em>policy objects</em></a>. There may be an existing policy associated with user -principals (such as the “default” policy), or you may need to create a +<p>Account lockout parameters are configured via <a class="reference internal" href="database.html#policies"><span class="std std-ref">policy objects</span></a>. 
There may be an existing policy associated with user +principals (such as the “default” policy), or you may need to create a new one and associate it with each user principal.</p> <p>The policy parameters related to account lockout are:</p> <ul class="simple"> -<li><a class="reference internal" href="database.html#policy-maxfailure"><em>maxfailure</em></a>: the number of failed attempts +<li><a class="reference internal" href="admin_commands/kadmin_local.html#policy-maxfailure"><span class="std std-ref">maxfailure</span></a>: the number of failed attempts before the principal is locked out</li> -<li><a class="reference internal" href="database.html#policy-failurecountinterval"><em>failurecountinterval</em></a>: the +<li><a class="reference internal" href="admin_commands/kadmin_local.html#policy-failurecountinterval"><span class="std std-ref">failurecountinterval</span></a>: the allowable interval between failed attempts</li> -<li><a class="reference internal" href="database.html#policy-lockoutduration"><em>lockoutduration</em></a>: the amount of time +<li><a class="reference internal" href="admin_commands/kadmin_local.html#policy-lockoutduration"><span class="std std-ref">lockoutduration</span></a>: the amount of time a principal is locked out for</li> </ul> <p>Here is an example of setting these parameters on a new policy and associating it with a principal:</p> -<div class="highlight-python"><div class="highlight"><pre>kadmin: addpol -maxfailure 10 -failurecountinterval 180 - -lockoutduration 60 lockout_policy -kadmin: modprinc -policy lockout_policy PRINCNAME +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">addpol</span> <span class="o">-</span><span class="n">maxfailure</span> <span class="mi">10</span> <span class="o">-</span><span class="n">failurecountinterval</span> <span class="mi">180</span> + <span class="o">-</span><span class="n">lockoutduration</span> <span 
class="mi">60</span> <span class="n">lockout_policy</span> +<span class="n">kadmin</span><span class="p">:</span> <span class="n">modprinc</span> <span class="o">-</span><span class="n">policy</span> <span class="n">lockout_policy</span> <span class="n">PRINCNAME</span> </pre></div> </div> </div> @@ -108,7 +106,7 @@ kadmin: modprinc -policy lockout_policy PRINCNAME principal (hopefully not one that might be in use) multiple times with the wrong password. For instance, if <strong>maxfailure</strong> is set to 2, you might see:</p> -<div class="highlight-python"><div class="highlight"><pre>$ kinit user +<div class="highlight-default"><div class="highlight"><pre><span></span>$ kinit user Password for user@KRBTEST.COM: kinit: Password incorrect while getting initial credentials $ kinit user 
@@ -132,18 +130,18 @@ lockout:</p> the account lockout system to function, but may be of administrative interest. These fields can be observed with the <strong>getprinc</strong> kadmin command. For example:</p> -<div class="highlight-python"><div class="highlight"><pre>kadmin: getprinc user -Principal: user@KRBTEST.COM -... -Last successful authentication: [never] -Last failed authentication: Mon Dec 03 12:30:33 EST 2012 -Failed password attempts: 2 -... +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">getprinc</span> <span class="n">user</span> +<span class="n">Principal</span><span class="p">:</span> <span class="n">user</span><span class="nd">@KRBTEST</span><span class="o">.</span><span class="n">COM</span> +<span class="o">...</span> +<span class="n">Last</span> <span class="n">successful</span> <span class="n">authentication</span><span class="p">:</span> <span class="p">[</span><span class="n">never</span><span class="p">]</span> +<span class="n">Last</span> <span class="n">failed</span> <span class="n">authentication</span><span class="p">:</span> <span class="n">Mon</span> <span class="n">Dec</span> <span class="mi">03</span> <span class="mi">12</span><span class="p">:</span><span class="mi">30</span><span class="p">:</span><span class="mi">33</span> <span class="n">EST</span> <span class="mi">2012</span> +<span class="n">Failed</span> <span class="n">password</span> <span class="n">attempts</span><span class="p">:</span> <span class="mi">2</span> +<span class="o">...</span> </pre></div> </div> <p>A principal which has been locked out can be administratively unlocked with the <strong>-unlock</strong> option to the <strong>modprinc</strong> kadmin command:</p> -<div class="highlight-python"><div class="highlight"><pre>kadmin: modprinc -unlock PRINCNAME +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span 
class="p">:</span> <span class="n">modprinc</span> <span class="o">-</span><span class="n">unlock</span> <span class="n">PRINCNAME</span> </pre></div> </div> <p>This command will reset the number of failed attempts to 0.</p> @@ -151,16 +149,16 @@ with the <strong>-unlock</strong> option to the <strong>modprinc</strong> kadmin <div class="section" id="kdc-replication-and-account-lockout"> <h2>KDC replication and account lockout<a class="headerlink" href="#kdc-replication-and-account-lockout" title="Permalink to this headline">¶</a></h2> <p>The account lockout state of a principal is not replicated by either -traditional <a class="reference internal" href="admin_commands/kprop.html#kprop-8"><em>kprop</em></a> or incremental propagation. Because of +traditional <a class="reference internal" href="admin_commands/kprop.html#kprop-8"><span class="std std-ref">kprop</span></a> or incremental propagation. Because of this, the number of attempts an attacker can make within a time period is multiplied by the number of KDCs. For instance, if the <strong>maxfailure</strong> parameter on a policy is 10 and there are four KDCs in -the environment (a master and three slaves), an attacker could make as -many as 40 attempts before the principal is locked out on all four +the environment (a primary and three replicas), an attacker could make +as many as 40 attempts before the principal is locked out on all four KDCs.</p> -<p>An administrative unlock is propagated from the master to the slave +<p>An administrative unlock is propagated from the primary to the replica KDCs during the next propagation. Propagation of an administrative -unlock will cause the counter of failed attempts on each slave to +unlock will cause the counter of failed attempts on each replica to reset to 1 on the next failure.</p> <p>If a KDC environment uses a replication strategy other than kprop or incremental propagation, such as the LDAP KDB module with multi-master 
@@ -168,7 +166,7 @@ LDAP replication, then account lockout state may be replicated between KDCs and the concerns of this section may not apply.</p> </div> <div class="section" id="kdc-performance-and-account-lockout"> -<h2>KDC performance and account lockout<a class="headerlink" href="#kdc-performance-and-account-lockout" title="Permalink to this headline">¶</a></h2> +<span id="disable-lockout"></span><h2>KDC performance and account lockout<a class="headerlink" href="#kdc-performance-and-account-lockout" title="Permalink to this headline">¶</a></h2> <p>In order to fully track account lockout state, the KDC must write to the the database on each successful and failed authentication. Writing to the database is generally more expensive than reading from 
@@ -176,12 +174,12 @@ it, so these writes may have a significant impact on KDC performance. As of release 1.9, it is possible to turn off account lockout state tracking in order to improve performance, by setting the <strong>disable_last_success</strong> and <strong>disable_lockout</strong> variables in the -database module subsection of <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>. For example:</p> -<div class="highlight-python"><div class="highlight"><pre>[dbmodules] - DB = { - disable_last_success = true - disable_lockout = true - } +database module subsection of <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>. For example:</p> +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">dbmodules</span><span class="p">]</span> + <span class="n">DB</span> <span class="o">=</span> <span class="p">{</span> + <span class="n">disable_last_success</span> <span class="o">=</span> <span class="n">true</span> + <span class="n">disable_lockout</span> <span class="o">=</span> <span class="n">true</span> + <span class="p">}</span> </pre></div> </div> <p>Of the two variables, setting <strong>disable_last_success</strong> will usually 
@@ -228,15 +226,16 @@ read access, account lockout will not function.</p> <li class="toctree-l2"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li> <li class="toctree-l2"><a class="reference internal" href="realm_config.html">Realm configuration decisions</a></li> <li class="toctree-l2"><a class="reference internal" href="database.html">Database administration</a></li> -<li class="toctree-l2 current"><a class="current reference internal" href="">Account lockout</a><ul class="simple"> -</ul> -</li> +<li class="toctree-l2"><a class="reference internal" href="dbtypes.html">Database types</a></li> +<li class="toctree-l2 current"><a class="current reference internal" href="#">Account lockout</a></li> <li class="toctree-l2"><a class="reference internal" href="conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li> <li class="toctree-l2"><a class="reference internal" href="appl_servers.html">Application servers</a></li> <li class="toctree-l2"><a class="reference internal" href="host_config.html">Host configuration</a></li> <li class="toctree-l2"><a class="reference internal" href="backup_host.html">Backups of secure hosts</a></li> <li class="toctree-l2"><a class="reference internal" href="pkinit.html">PKINIT configuration</a></li> <li class="toctree-l2"><a class="reference internal" href="otp.html">OTP Preauthentication</a></li> +<li class="toctree-l2"><a class="reference internal" href="spake.html">SPAKE Preauthentication</a></li> +<li class="toctree-l2"><a class="reference internal" href="dictionary.html">Addressing dictionary attack risks</a></li> <li class="toctree-l2"><a class="reference internal" href="princ_dns.html">Principal names and DNS</a></li> <li class="toctree-l2"><a class="reference internal" href="enctypes.html">Encryption types</a></li> <li class="toctree-l2"><a class="reference internal" href="https.html">HTTPS proxy configuration</a></li> 
@@ -276,14 +275,14 @@ read access, account lockout will not function.</p> <div class="footer-wrapper"> <div class="footer" > - <div class="right" ><i>Release: 1.16</i><br /> - © <a href="../copyright.html">Copyright</a> 1985-2017, MIT. + <div class="right" ><i>Release: 1.21.1</i><br /> + © <a href="../copyright.html">Copyright</a> 1985-2023, MIT. </div> <div class="left"> <a href="../index.html" title="Full Table of Contents" >Contents</a> | - <a href="database.html" title="Database administration" + <a href="dbtypes.html" title="Database types" >previous</a> | <a href="conf_ldap.html" title="Configuring Kerberos with OpenLDAP back-end" >next</a> | diff --git a/doc/html/admin/otp.html b/doc/html/admin/otp.html index 4375c3ff6bbb..d0da95f192b1 100644 --- a/doc/html/admin/otp.html +++ b/doc/html/admin/otp.html 
@@ -1,34 +1,32 @@ + <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> - <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> - - <title>OTP Preauthentication — MIT Kerberos Documentation</title> - + <title>OTP Preauthentication — MIT Kerberos Documentation</title> <link rel="stylesheet" href="../_static/agogo.css" type="text/css" /> <link rel="stylesheet" href="../_static/pygments.css" type="text/css" /> <link rel="stylesheet" href="../_static/kerb.css" type="text/css" /> - <script type="text/javascript"> var DOCUMENTATION_OPTIONS = { URL_ROOT: '../', - VERSION: '1.16', + VERSION: '1.21.1', COLLAPSE_INDEX: false, FILE_SUFFIX: '.html', - HAS_SOURCE: true + HAS_SOURCE: true, + SOURCELINK_SUFFIX: '.txt' }; </script> <script type="text/javascript" src="../_static/jquery.js"></script> <script type="text/javascript" src="../_static/underscore.js"></script> <script type="text/javascript" src="../_static/doctools.js"></script> <link rel="author" title="About these documents" href="../about.html" /> + <link rel="index" title="Index" href="../genindex.html" /> + <link rel="search" title="Search" href="../search.html" /> <link rel="copyright" title="Copyright" href="../copyright.html" /> - <link rel="top" title="MIT Kerberos Documentation" href="../index.html" /> - <link rel="up" title="For administrators" href="index.html" /> - <link rel="next" title="Principal names and DNS" href="princ_dns.html" /> + <link rel="next" title="SPAKE Preauthentication" href="spake.html" /> <link rel="prev" title="PKINIT configuration" href="pkinit.html" /> </head> <body> 
@@ -44,7 +42,7 @@ accesskey="C">Contents</a> | <a href="pkinit.html" title="PKINIT configuration" accesskey="P">previous</a> | - <a href="princ_dns.html" title="Principal names and DNS" + <a href="spake.html" title="SPAKE Preauthentication" accesskey="N">next</a> | <a href="../genindex.html" title="General Index" accesskey="I">index</a> | @@ -61,7 +59,7 @@ <div class="documentwrapper"> <div class="bodywrapper"> - <div class="body"> + <div class="body" role="main"> <div class="section" id="otp-preauthentication"> <span id="otp-preauth"></span><h1>OTP Preauthentication<a class="headerlink" href="#otp-preauthentication" title="Permalink to this headline">¶</a></h1> 
@@ -78,53 +76,53 @@ permits the use of a local companion daemon which can handle the details of authentication.</p> <div class="section" id="defining-token-types"> <h2>Defining token types<a class="headerlink" href="#defining-token-types" title="Permalink to this headline">¶</a></h2> -<p>Token types are defined in either <a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a> or -<a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> according to the following format:</p> -<div class="highlight-python"><div class="highlight"><pre>[otp] - <name> = { - server = <host:port or filename> (default: see below) - secret = <filename> - timeout = <integer> (default: 5 [seconds]) - retries = <integer> (default: 3) - strip_realm = <boolean> (default: true) - indicator = <string> (default: none) - } +<p>Token types are defined in either <a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a> or +<a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a> according to the following format:</p> +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">otp</span><span class="p">]</span> + <span class="o"><</span><span class="n">name</span><span class="o">></span> <span class="o">=</span> <span class="p">{</span> + <span class="n">server</span> <span class="o">=</span> <span class="o"><</span><span class="n">host</span><span class="p">:</span><span class="n">port</span> <span class="ow">or</span> <span class="n">filename</span><span class="o">></span> <span class="p">(</span><span class="n">default</span><span class="p">:</span> <span class="n">see</span> <span class="n">below</span><span class="p">)</span> + <span class="n">secret</span> <span class="o">=</span> <span class="o"><</span><span class="n">filename</span><span 
class="o">></span> + <span class="n">timeout</span> <span class="o">=</span> <span class="o"><</span><span class="n">integer</span><span class="o">></span> <span class="p">(</span><span class="n">default</span><span class="p">:</span> <span class="mi">5</span> <span class="p">[</span><span class="n">seconds</span><span class="p">])</span> + <span class="n">retries</span> <span class="o">=</span> <span class="o"><</span><span class="n">integer</span><span class="o">></span> <span class="p">(</span><span class="n">default</span><span class="p">:</span> <span class="mi">3</span><span class="p">)</span> + <span class="n">strip_realm</span> <span class="o">=</span> <span class="o"><</span><span class="n">boolean</span><span class="o">></span> <span class="p">(</span><span class="n">default</span><span class="p">:</span> <span class="n">true</span><span class="p">)</span> + <span class="n">indicator</span> <span class="o">=</span> <span class="o"><</span><span class="n">string</span><span class="o">></span> <span class="p">(</span><span class="n">default</span><span class="p">:</span> <span class="n">none</span><span class="p">)</span> + <span class="p">}</span> </pre></div> </div> -<p>If the server field begins with ‘/’, it will be interpreted as a UNIX +<p>If the server field begins with ‘/’, it will be interpreted as a UNIX socket. Otherwise, it is assumed to be in the format host:port. When a UNIX domain socket is specified, the secret field is optional and an empty secret is used by default. 
If the server field is not -specified, it defaults to <a class="reference internal" href="../mitK5defaults.html#paths"><em>RUNSTATEDIR</em></a><tt class="docutils literal"><span class="pre">/krb5kdc</span></tt><tt class="docutils literal"><span class="pre">/<name>.socket</span></tt>.</p> +specified, it defaults to <a class="reference internal" href="../mitK5defaults.html#paths"><span class="std std-ref">RUNSTATEDIR</span></a><code class="docutils literal"><span class="pre">/krb5kdc</span></code><code class="docutils literal"><span class="pre">/<name>.socket</span></code>.</p> <p>When forwarding the request over RADIUS, by default the principal is used in the User-Name attribute of the RADIUS packet. The strip_realm parameter controls whether the principal is forwarded with or without the realm portion.</p> <p>If an indicator field is present, tickets issued using this token type will be annotated with the specified authentication indicator (see -<a class="reference internal" href="auth_indicator.html#auth-indicator"><em>Authentication indicators</em></a>). This key may be specified multiple times to +<a class="reference internal" href="auth_indicator.html#auth-indicator"><span class="std std-ref">Authentication indicators</span></a>). This key may be specified multiple times to add multiple indicators.</p> </div> <div class="section" id="the-default-token-type"> <h2>The default token type<a class="headerlink" href="#the-default-token-type" title="Permalink to this headline">¶</a></h2> <p>A default token type is used internally when no token type is specified for a given user. 
It is defined as follows:</p> -<div class="highlight-python"><div class="highlight"><pre>[otp] - DEFAULT = { - strip_realm = false - } +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">otp</span><span class="p">]</span> + <span class="n">DEFAULT</span> <span class="o">=</span> <span class="p">{</span> + <span class="n">strip_realm</span> <span class="o">=</span> <span class="n">false</span> + <span class="p">}</span> </pre></div> </div> -<p>The administrator may override the internal <tt class="docutils literal"><span class="pre">DEFAULT</span></tt> token type +<p>The administrator may override the internal <code class="docutils literal"><span class="pre">DEFAULT</span></code> token type simply by defining a configuration with the same name.</p> </div> <div class="section" id="token-instance-configuration"> <h2>Token instance configuration<a class="headerlink" href="#token-instance-configuration" title="Permalink to this headline">¶</a></h2> <p>To enable OTP for a client principal, the administrator must define the <strong>otp</strong> string attribute for that principal. (See -<a class="reference internal" href="admin_commands/kadmin_local.html#set-string"><em>set_string</em></a>.) The <strong>otp</strong> user string is a JSON string of the +<a class="reference internal" href="admin_commands/kadmin_local.html#set-string"><span class="std std-ref">set_string</span></a>.) The <strong>otp</strong> user string is a JSON string of the format:</p> -<div class="highlight-xml"><div class="highlight"><pre>[{ +<div class="highlight-xml"><div class="highlight"><pre><span></span>[{ "type": <span class="nt"><string></span>, "username": <span class="nt"><string></span>, "indicators": [<span class="nt"><string></span>, ...] 
@@ -133,14 +131,14 @@ format:</p> </div> <p>This is an array of token objects. Both fields of token objects are optional. The <strong>type</strong> field names the token type of this token; if -not specified, it defaults to <tt class="docutils literal"><span class="pre">DEFAULT</span></tt>. The <strong>username</strong> field +not specified, it defaults to <code class="docutils literal"><span class="pre">DEFAULT</span></code>. The <strong>username</strong> field specifies the value to be sent in the User-Name RADIUS attribute. If not specified, the principal name is sent, with or without realm as defined in the token type. The <strong>indicators</strong> field specifies a list of authentication indicators to annotate tickets with, overriding any indicators specified in the token type.</p> -<p>For ease of configuration, an empty array (<tt class="docutils literal"><span class="pre">[]</span></tt>) is treated as -equivalent to one DEFAULT token (<tt class="docutils literal"><span class="pre">[{}]</span></tt>).</p> +<p>For ease of configuration, an empty array (<code class="docutils literal"><span class="pre">[]</span></code>) is treated as +equivalent to one DEFAULT token (<code class="docutils literal"><span class="pre">[{}]</span></code>).</p> </div> <div class="section" id="other-considerations"> <h2>Other considerations<a class="headerlink" href="#other-considerations" title="Permalink to this headline">¶</a></h2> 
@@ -176,15 +174,16 @@ equivalent to one DEFAULT token (<tt class="docutils literal"><span class="pre"> <li class="toctree-l2"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li> <li class="toctree-l2"><a class="reference internal" href="realm_config.html">Realm configuration decisions</a></li> <li class="toctree-l2"><a class="reference internal" href="database.html">Database administration</a></li> +<li class="toctree-l2"><a class="reference internal" href="dbtypes.html">Database types</a></li> <li class="toctree-l2"><a class="reference internal" href="lockout.html">Account lockout</a></li> <li class="toctree-l2"><a class="reference internal" href="conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li> <li class="toctree-l2"><a class="reference internal" href="appl_servers.html">Application servers</a></li> <li class="toctree-l2"><a class="reference internal" href="host_config.html">Host configuration</a></li> <li class="toctree-l2"><a class="reference internal" href="backup_host.html">Backups of secure hosts</a></li> <li class="toctree-l2"><a class="reference internal" href="pkinit.html">PKINIT configuration</a></li> -<li class="toctree-l2 current"><a class="current reference internal" href="">OTP Preauthentication</a><ul class="simple"> -</ul> -</li> +<li class="toctree-l2 current"><a class="current reference internal" href="#">OTP Preauthentication</a></li> +<li class="toctree-l2"><a class="reference internal" href="spake.html">SPAKE Preauthentication</a></li> +<li class="toctree-l2"><a class="reference internal" href="dictionary.html">Addressing dictionary attack risks</a></li> <li class="toctree-l2"><a class="reference internal" href="princ_dns.html">Principal names and DNS</a></li> <li class="toctree-l2"><a class="reference internal" href="enctypes.html">Encryption types</a></li> <li class="toctree-l2"><a class="reference internal" href="https.html">HTTPS proxy configuration</a></li> 
@@ -224,8 +223,8 @@ equivalent to one DEFAULT token (<tt class="docutils literal"><span class="pre"> <div class="footer-wrapper"> <div class="footer" > - <div class="right" ><i>Release: 1.16</i><br /> - © <a href="../copyright.html">Copyright</a> 1985-2017, MIT. + <div class="right" ><i>Release: 1.21.1</i><br /> + © <a href="../copyright.html">Copyright</a> 1985-2023, MIT. </div> <div class="left"> @@ -233,7 +232,7 @@ equivalent to one DEFAULT token (<tt class="docutils literal"><span class="pre"> >Contents</a> | <a href="pkinit.html" title="PKINIT configuration" >previous</a> | - <a href="princ_dns.html" title="Principal names and DNS" + <a href="spake.html" title="SPAKE Preauthentication" >next</a> | <a href="../genindex.html" title="General Index" >index</a> | diff --git a/doc/html/admin/pkinit.html b/doc/html/admin/pkinit.html index 50e073c82f0f..bbbee70777e5 100644 --- a/doc/html/admin/pkinit.html +++ b/doc/html/admin/pkinit.html 
@@ -1,33 +1,31 @@ + <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> - <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> - - <title>PKINIT configuration — MIT Kerberos Documentation</title> - + <title>PKINIT configuration — MIT Kerberos Documentation</title> <link rel="stylesheet" href="../_static/agogo.css" type="text/css" /> <link rel="stylesheet" href="../_static/pygments.css" type="text/css" /> <link rel="stylesheet" href="../_static/kerb.css" type="text/css" /> - <script type="text/javascript"> var DOCUMENTATION_OPTIONS = { URL_ROOT: '../', - VERSION: '1.16', + VERSION: '1.21.1', COLLAPSE_INDEX: false, FILE_SUFFIX: '.html', - HAS_SOURCE: true + HAS_SOURCE: true, + SOURCELINK_SUFFIX: '.txt' }; </script> <script type="text/javascript" src="../_static/jquery.js"></script> <script type="text/javascript" src="../_static/underscore.js"></script> <script type="text/javascript" src="../_static/doctools.js"></script> <link rel="author" title="About these documents" href="../about.html" /> + <link rel="index" title="Index" href="../genindex.html" /> + <link rel="search" title="Search" href="../search.html" /> <link rel="copyright" title="Copyright" href="../copyright.html" /> - <link rel="top" title="MIT Kerberos Documentation" href="../index.html" /> - <link rel="up" title="For administrators" href="index.html" /> <link rel="next" title="OTP Preauthentication" href="otp.html" /> <link rel="prev" title="Backups of secure hosts" href="backup_host.html" /> </head> @@ -61,7 +59,7 @@ <div class="documentwrapper"> <div class="bodywrapper"> - <div class="body"> + <div class="body" role="main"> <div class="section" id="pkinit-configuration"> <span id="pkinit"></span><h1>PKINIT configuration<a class="headerlink" href="#pkinit-configuration" title="Permalink to this headline">¶</a></h1> 
@@ -86,21 +84,21 @@ a client to use an Active Directory KDC.</p> <h3>Generating a certificate authority certificate<a class="headerlink" href="#generating-a-certificate-authority-certificate" title="Permalink to this headline">¶</a></h3> <p>You can establish a new certificate authority (CA) for use with a PKINIT deployment with the commands:</p> -<div class="highlight-python"><div class="highlight"><pre>openssl genrsa -out cakey.pem 2048 -openssl req -key cakey.pem -new -x509 -out cacert.pem -days 3650 +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">openssl</span> <span class="n">genrsa</span> <span class="o">-</span><span class="n">out</span> <span class="n">cakey</span><span class="o">.</span><span class="n">pem</span> <span class="mi">2048</span> +<span class="n">openssl</span> <span class="n">req</span> <span class="o">-</span><span class="n">key</span> <span class="n">cakey</span><span class="o">.</span><span class="n">pem</span> <span class="o">-</span><span class="n">new</span> <span class="o">-</span><span class="n">x509</span> <span class="o">-</span><span class="n">out</span> <span class="n">cacert</span><span class="o">.</span><span class="n">pem</span> <span class="o">-</span><span class="n">days</span> <span class="mi">3650</span> </pre></div> </div> <p>The second command will ask for the values of several certificate fields. These fields can be set to any values. You can adjust the expiration time of the CA certificate by changing the number after -<tt class="docutils literal"><span class="pre">-days</span></tt>. Since the CA certificate must be deployed to client +<code class="docutils literal"><span class="pre">-days</span></code>. 
Since the CA certificate must be deployed to client machines each time it changes, it should normally have an expiration time far in the future; however, expiration times after 2037 may cause interoperability issues in rare circumstances.</p> <p>The result of these commands will be two files, cakey.pem and cacert.pem. cakey.pem will contain a 2048-bit RSA private key, which must be carefully protected. cacert.pem will contain the CA -certificate, which must be placed in the filesytems of the KDC and +certificate, which must be placed in the filesystems of the KDC and each client host. cakey.pem will be required to create KDC and client certificates.</p> </div> @@ -109,7 +107,7 @@ certificates.</p> <p>A KDC certificate for use with PKINIT is required to have some unusual fields, which makes generating them with OpenSSL somewhat complicated. First, you will need a file containing the following:</p> -<div class="highlight-python"><div class="highlight"><pre>[kdc_cert] +<div class="highlight-default"><div class="highlight"><pre><span></span>[kdc_cert] basicConstraints=CA:FALSE keyUsage=nonRepudiation,digitalSignature,keyEncipherment,keyAgreement extendedKeyUsage=1.3.6.1.5.2.3.5 @@ -123,7 +121,7 @@ realm=EXP:0,GeneralString:${ENV::REALM} principal_name=EXP:1,SEQUENCE:kdc_principal_seq [kdc_principal_seq] -name_type=EXP:0,INTEGER:1 +name_type=EXP:0,INTEGER:2 name_string=EXP:1,SEQUENCE:kdc_principals [kdc_principals] 
@@ -133,27 +131,27 @@ princ2=GeneralString:${ENV::REALM} </div> <p>If the above contents are placed in extensions.kdc, you can generate and sign a KDC certificate with the following commands:</p> -<div class="highlight-python"><div class="highlight"><pre>openssl genrsa -out kdckey.pem 2048 -openssl req -new -out kdc.req -key kdckey.pem -env REALM=YOUR_REALMNAME openssl x509 -req -in kdc.req \ - -CAkey cakey.pem -CA cacert.pem -out kdc.pem -days 365 \ - -extfile extensions.kdc -extensions kdc_cert -CAcreateserial -rm kdc.req +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">openssl</span> <span class="n">genrsa</span> <span class="o">-</span><span class="n">out</span> <span class="n">kdckey</span><span class="o">.</span><span class="n">pem</span> <span class="mi">2048</span> +<span class="n">openssl</span> <span class="n">req</span> <span class="o">-</span><span class="n">new</span> <span class="o">-</span><span class="n">out</span> <span class="n">kdc</span><span class="o">.</span><span class="n">req</span> <span class="o">-</span><span class="n">key</span> <span class="n">kdckey</span><span class="o">.</span><span class="n">pem</span> +<span class="n">env</span> <span class="n">REALM</span><span class="o">=</span><span class="n">YOUR_REALMNAME</span> <span class="n">openssl</span> <span class="n">x509</span> <span class="o">-</span><span class="n">req</span> <span class="o">-</span><span class="ow">in</span> <span class="n">kdc</span><span class="o">.</span><span class="n">req</span> \ + <span class="o">-</span><span class="n">CAkey</span> <span class="n">cakey</span><span class="o">.</span><span class="n">pem</span> <span class="o">-</span><span class="n">CA</span> <span class="n">cacert</span><span class="o">.</span><span class="n">pem</span> <span class="o">-</span><span class="n">out</span> <span class="n">kdc</span><span class="o">.</span><span class="n">pem</span> <span class="o">-</span><span class="n">days</span> 
<span class="mi">365</span> \ + <span class="o">-</span><span class="n">extfile</span> <span class="n">extensions</span><span class="o">.</span><span class="n">kdc</span> <span class="o">-</span><span class="n">extensions</span> <span class="n">kdc_cert</span> <span class="o">-</span><span class="n">CAcreateserial</span> +<span class="n">rm</span> <span class="n">kdc</span><span class="o">.</span><span class="n">req</span> </pre></div> </div> <p>The second command will ask for the values of certificate fields, which can be set to any values. In the third command, substitute your -KDC’s realm name for YOUR_REALMNAME. You can adjust the certificate’s -expiration date by changing the number after <tt class="docutils literal"><span class="pre">-days</span></tt>. Remember to +KDC’s realm name for YOUR_REALMNAME. You can adjust the certificate’s +expiration date by changing the number after <code class="docutils literal"><span class="pre">-days</span></code>. Remember to create a new KDC certificate before the old one expires.</p> <p>The result of this operation will be in two files, kdckey.pem and -kdc.pem. Both files must be placed in the KDC’s filesystem. -kdckey.pem, which contains the KDC’s private key, must be carefully +kdc.pem. Both files must be placed in the KDC’s filesystem. 
+kdckey.pem, which contains the KDC’s private key, must be carefully protected.</p> -<p>If you examine the KDC certificate with <tt class="docutils literal"><span class="pre">openssl</span> <span class="pre">x509</span> <span class="pre">-in</span> <span class="pre">kdc.pem</span> -<span class="pre">-text</span> <span class="pre">-noout</span></tt>, OpenSSL will not know how to display the KDC principal +<p>If you examine the KDC certificate with <code class="docutils literal"><span class="pre">openssl</span> <span class="pre">x509</span> <span class="pre">-in</span> <span class="pre">kdc.pem</span> +<span class="pre">-text</span> <span class="pre">-noout</span></code>, OpenSSL will not know how to display the KDC principal name in the Subject Alternative Name extension, so it will appear as -<tt class="docutils literal"><span class="pre">othername:<unsupported></span></tt>. This is normal and does not mean +<code class="docutils literal"><span class="pre">othername:<unsupported></span></code>. This is normal and does not mean anything is wrong with the KDC certificate.</p> </div> <div class="section" id="generating-client-certificates"> @@ -162,7 +160,7 @@ anything is wrong with the KDC certificate.</p> fields. To generate a client certificate with OpenSSL for a single-component principal name, you will need an extensions file (different from the KDC extensions file above) containing:</p> -<div class="highlight-python"><div class="highlight"><pre>[client_cert] +<div class="highlight-default"><div class="highlight"><pre><span></span>[client_cert] basicConstraints=CA:FALSE keyUsage=digitalSignature,keyEncipherment,keyAgreement extendedKeyUsage=1.3.6.1.5.2.3.4 
@@ -185,85 +183,85 @@ princ1=GeneralString:${ENV::CLIENT} </div> <p>If the above contents are placed in extensions.client, you can generate and sign a client certificate with the following commands:</p> -<div class="highlight-python"><div class="highlight"><pre>openssl genrsa -out clientkey.pem 2048 -openssl req -new -key clientkey.pem -out client.req -env REALM=YOUR_REALMNAME CLIENT=YOUR_PRINCNAME openssl x509 \ - -CAkey cakey.pem -CA cacert.pem -req -in client.req \ - -extensions client_cert -extfile extensions.client \ - -days 365 -out client.pem -rm client.req +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">openssl</span> <span class="n">genrsa</span> <span class="o">-</span><span class="n">out</span> <span class="n">clientkey</span><span class="o">.</span><span class="n">pem</span> <span class="mi">2048</span> +<span class="n">openssl</span> <span class="n">req</span> <span class="o">-</span><span class="n">new</span> <span class="o">-</span><span class="n">key</span> <span class="n">clientkey</span><span class="o">.</span><span class="n">pem</span> <span class="o">-</span><span class="n">out</span> <span class="n">client</span><span class="o">.</span><span class="n">req</span> +<span class="n">env</span> <span class="n">REALM</span><span class="o">=</span><span class="n">YOUR_REALMNAME</span> <span class="n">CLIENT</span><span class="o">=</span><span class="n">YOUR_PRINCNAME</span> <span class="n">openssl</span> <span class="n">x509</span> \ + <span class="o">-</span><span class="n">CAkey</span> <span class="n">cakey</span><span class="o">.</span><span class="n">pem</span> <span class="o">-</span><span class="n">CA</span> <span class="n">cacert</span><span class="o">.</span><span class="n">pem</span> <span class="o">-</span><span class="n">req</span> <span class="o">-</span><span class="ow">in</span> <span class="n">client</span><span class="o">.</span><span class="n">req</span> \ + <span class="o">-</span><span 
class="n">extensions</span> <span class="n">client_cert</span> <span class="o">-</span><span class="n">extfile</span> <span class="n">extensions</span><span class="o">.</span><span class="n">client</span> \ + <span class="o">-</span><span class="n">days</span> <span class="mi">365</span> <span class="o">-</span><span class="n">out</span> <span class="n">client</span><span class="o">.</span><span class="n">pem</span> +<span class="n">rm</span> <span class="n">client</span><span class="o">.</span><span class="n">req</span> </pre></div> </div> <p>Normally, the first two commands should be run on the client host, and the resulting client.req file transferred to the certificate authority host for the third command. As in the previous steps, the second command will ask for the values of certificate fields, which can be -set to any values. In the third command, substitute your realm’s name -for YOUR_REALMNAME and the client’s principal name (without realm) for -YOUR_PRINCNAME. You can adjust the certificate’s expiration date by -changing the number after <tt class="docutils literal"><span class="pre">-days</span></tt>.</p> +set to any values. In the third command, substitute your realm’s name +for YOUR_REALMNAME and the client’s principal name (without realm) for +YOUR_PRINCNAME. You can adjust the certificate’s expiration date by +changing the number after <code class="docutils literal"><span class="pre">-days</span></code>.</p> <p>The result of this operation will be two files, clientkey.pem and -client.pem. Both files must be present on the client’s host; -clientkey.pem, which contains the client’s private key, must be +client.pem. 
Both files must be present on the client’s host; +clientkey.pem, which contains the client’s private key, must be protected from access by others.</p> <p>As in the KDC certificate, OpenSSL will display the client principal -name as <tt class="docutils literal"><span class="pre">othername:<unsupported></span></tt> in the Subject Alternative Name +name as <code class="docutils literal"><span class="pre">othername:<unsupported></span></code> in the Subject Alternative Name extension of a PKINIT client certificate.</p> <p>If the client principal name contains more than one component -(e.g. <tt class="docutils literal"><span class="pre">host/example.com@REALM</span></tt>), the <tt class="docutils literal"><span class="pre">[principals]</span></tt> section of -<tt class="docutils literal"><span class="pre">extensions.client</span></tt> must be altered to contain multiple entries. -(Simply setting <tt class="docutils literal"><span class="pre">CLIENT</span></tt> to <tt class="docutils literal"><span class="pre">host/example.com</span></tt> would generate a -certificate for <tt class="docutils literal"><span class="pre">host\/example.com@REALM</span></tt> which would not match the +(e.g. <code class="docutils literal"><span class="pre">host/example.com@REALM</span></code>), the <code class="docutils literal"><span class="pre">[principals]</span></code> section of +<code class="docutils literal"><span class="pre">extensions.client</span></code> must be altered to contain multiple entries. +(Simply setting <code class="docutils literal"><span class="pre">CLIENT</span></code> to <code class="docutils literal"><span class="pre">host/example.com</span></code> would generate a +certificate for <code class="docutils literal"><span class="pre">host\/example.com@REALM</span></code> which would not match the multi-component principal name.) 
For a two-component principal, the section should read:</p> -<div class="highlight-python"><div class="highlight"><pre>[principals] +<div class="highlight-default"><div class="highlight"><pre><span></span>[principals] princ1=GeneralString:${ENV::CLIENT1} princ2=GeneralString:${ENV::CLIENT2} </pre></div> </div> -<p>The environment variables <tt class="docutils literal"><span class="pre">CLIENT1</span></tt> and <tt class="docutils literal"><span class="pre">CLIENT2</span></tt> must then be set -to the first and second components when running <tt class="docutils literal"><span class="pre">openssl</span> <span class="pre">x509</span></tt>.</p> +<p>The environment variables <code class="docutils literal"><span class="pre">CLIENT1</span></code> and <code class="docutils literal"><span class="pre">CLIENT2</span></code> must then be set +to the first and second components when running <code class="docutils literal"><span class="pre">openssl</span> <span class="pre">x509</span></code>.</p> </div> </div> <div class="section" id="configuring-the-kdc"> <h2>Configuring the KDC<a class="headerlink" href="#configuring-the-kdc" title="Permalink to this headline">¶</a></h2> <p>The KDC must have filesystem access to the KDC certificate (kdc.pem) and the KDC private key (kdckey.pem). 
Configure the following -relation in the KDC’s <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> file, either in the -<a class="reference internal" href="conf_files/kdc_conf.html#kdcdefaults"><em>[kdcdefaults]</em></a> section or in a <a class="reference internal" href="conf_files/kdc_conf.html#kdc-realms"><em>[realms]</em></a> subsection (with +relation in the KDC’s <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a> file, either in the +<a class="reference internal" href="conf_files/kdc_conf.html#kdcdefaults"><span class="std std-ref">[kdcdefaults]</span></a> section or in a <a class="reference internal" href="conf_files/kdc_conf.html#kdc-realms"><span class="std std-ref">[realms]</span></a> subsection (with appropriate pathnames):</p> -<div class="highlight-python"><div class="highlight"><pre>pkinit_identity = FILE:/var/lib/krb5kdc/kdc.pem,/var/lib/krb5kdc/kdckey.pem +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">pkinit_identity</span> <span class="o">=</span> <span class="n">FILE</span><span class="p">:</span><span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">lib</span><span class="o">/</span><span class="n">krb5kdc</span><span class="o">/</span><span class="n">kdc</span><span class="o">.</span><span class="n">pem</span><span class="p">,</span><span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">lib</span><span class="o">/</span><span class="n">krb5kdc</span><span class="o">/</span><span class="n">kdckey</span><span class="o">.</span><span class="n">pem</span> </pre></div> </div> <p>If any clients will authenticate using regular (as opposed to anonymous) PKINIT, the KDC must also have filesystem access to the CA certificate (cacert.pem), and the following configuration (with the appropriate pathname):</p> -<div 
class="highlight-python"><div class="highlight"><pre>pkinit_anchors = FILE:/var/lib/krb5kdc/cacert.pem +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">pkinit_anchors</span> <span class="o">=</span> <span class="n">FILE</span><span class="p">:</span><span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">lib</span><span class="o">/</span><span class="n">krb5kdc</span><span class="o">/</span><span class="n">cacert</span><span class="o">.</span><span class="n">pem</span> </pre></div> </div> <p>Because of the larger size of requests and responses using PKINIT, you may also need to allow TCP access to the KDC:</p> -<div class="highlight-python"><div class="highlight"><pre><span class="n">kdc_tcp_listen</span> <span class="o">=</span> <span class="mi">88</span> +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kdc_tcp_listen</span> <span class="o">=</span> <span class="mi">88</span> </pre></div> </div> -<p>Restart the <a class="reference internal" href="admin_commands/krb5kdc.html#krb5kdc-8"><em>krb5kdc</em></a> daemon to pick up the configuration +<p>Restart the <a class="reference internal" href="admin_commands/krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a> daemon to pick up the configuration changes.</p> <p>The principal entry for each PKINIT-using client must be configured to require preauthentication. 
Ensure this with the command:</p> -<div class="highlight-python"><div class="highlight"><pre>kadmin -q 'modprinc +requires_preauth YOUR_PRINCNAME' +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kadmin</span> <span class="o">-</span><span class="n">q</span> <span class="s1">'modprinc +requires_preauth YOUR_PRINCNAME'</span> </pre></div> </div> <p>Starting with release 1.12, it is possible to remove the long-term keys of a principal entry, which can save some space in the database and help to clarify some PKINIT-related error conditions by not asking for a password:</p> -<div class="highlight-python"><div class="highlight"><pre>kadmin -q 'purgekeys -all YOUR_PRINCNAME' +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kadmin</span> <span class="o">-</span><span class="n">q</span> <span class="s1">'purgekeys -all YOUR_PRINCNAME'</span> </pre></div> </div> <p>These principal options can also be specified at principal creation time as follows:</p> -<div class="highlight-python"><div class="highlight"><pre>kadmin -q 'add_principal +requires_preauth -nokey YOUR_PRINCNAME' +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kadmin</span> <span class="o">-</span><span class="n">q</span> <span class="s1">'add_principal +requires_preauth -nokey YOUR_PRINCNAME'</span> </pre></div> </div> <p>By default, the KDC requires PKINIT client certificates to have the 
@@ -273,16 +271,16 @@ client certificates based on the subject or other criteria instead of the standard PKINIT Subject Alternative Name, by setting the <strong>pkinit_cert_match</strong> string attribute on each client principal entry. For example:</p> -<div class="highlight-python"><div class="highlight"><pre>kadmin set_string user@REALM pkinit_cert_match "<SUBJECT>CN=user@REALM$" +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kadmin</span> <span class="n">set_string</span> <span class="n">user</span><span class="nd">@REALM</span> <span class="n">pkinit_cert_match</span> <span class="s2">"<SUBJECT>CN=user@REALM$"</span> </pre></div> </div> <p>The <strong>pkinit_cert_match</strong> string attribute follows the syntax used by -the <a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a> <strong>pkinit_cert_match</strong> relation. To allow the +the <a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a> <strong>pkinit_cert_match</strong> relation. To allow the use of non-PKINIT client certificates, it will also be necessary to disable key usage checking using the <strong>pkinit_eku_checking</strong> relation; for example:</p> -<div class="highlight-python"><div class="highlight"><pre>[kdcdefaults] - pkinit_eku_checking = none +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">kdcdefaults</span><span class="p">]</span> + <span class="n">pkinit_eku_checking</span> <span class="o">=</span> <span class="n">none</span> </pre></div> </div> </div> 
@@ -291,22 +289,22 @@ for example:</p> <p>Client hosts must be configured to trust the issuing authority for the KDC certificate. For a newly established certificate authority, the client host must have filesystem access to the CA certificate -(cacert.pem) and the following relation in <a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a> in the -appropriate <a class="reference internal" href="conf_files/krb5_conf.html#realms"><em>[realms]</em></a> subsection (with appropriate pathnames):</p> -<div class="highlight-python"><div class="highlight"><pre>pkinit_anchors = FILE:/etc/krb5/cacert.pem +(cacert.pem) and the following relation in <a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a> in the +appropriate <a class="reference internal" href="conf_files/krb5_conf.html#realms"><span class="std std-ref">[realms]</span></a> subsection (with appropriate pathnames):</p> +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">pkinit_anchors</span> <span class="o">=</span> <span class="n">FILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">krb5</span><span class="o">/</span><span class="n">cacert</span><span class="o">.</span><span class="n">pem</span> </pre></div> </div> <p>If the KDC certificate is a commercially issued server certificate, the issuing certificate is most likely included in a system directory. 
You can specify it by filename as above, or specify the whole directory like so:</p> -<div class="highlight-python"><div class="highlight"><pre>pkinit_anchors = DIR:/etc/ssl/certs +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">pkinit_anchors</span> <span class="o">=</span> <span class="n">DIR</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">ssl</span><span class="o">/</span><span class="n">certs</span> </pre></div> </div> <p>A commercially issued server certificate will usually not have the standard PKINIT principal name or Extended Key Usage extensions, so the following additional configuration is required:</p> -<div class="highlight-python"><div class="highlight"><pre><span class="n">pkinit_eku_checking</span> <span class="o">=</span> <span class="n">kpServerAuth</span> +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">pkinit_eku_checking</span> <span class="o">=</span> <span class="n">kpServerAuth</span> <span class="n">pkinit_kdc_hostname</span> <span class="o">=</span> <span class="n">hostname</span><span class="o">.</span><span class="n">of</span><span class="o">.</span><span class="n">kdc</span><span class="o">.</span><span class="n">certificate</span> </pre></div> </div> 
@@ -318,14 +316,14 @@ necessary, but it should not be necessary to set <p>To perform regular (as opposed to anonymous) PKINIT authentication, a client host must have filesystem access to a client certificate (client.pem), and the corresponding private key (clientkey.pem). -Configure the following relations in the client host’s -<a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a> file in the appropriate <a class="reference internal" href="conf_files/krb5_conf.html#realms"><em>[realms]</em></a> subsection +Configure the following relations in the client host’s +<a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a> file in the appropriate <a class="reference internal" href="conf_files/krb5_conf.html#realms"><span class="std std-ref">[realms]</span></a> subsection (with appropriate pathnames):</p> -<div class="highlight-python"><div class="highlight"><pre>pkinit_identities = FILE:/etc/krb5/client.pem,/etc/krb5/clientkey.pem +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">pkinit_identities</span> <span class="o">=</span> <span class="n">FILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">krb5</span><span class="o">/</span><span class="n">client</span><span class="o">.</span><span class="n">pem</span><span class="p">,</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">krb5</span><span class="o">/</span><span class="n">clientkey</span><span class="o">.</span><span class="n">pem</span> </pre></div> </div> <p>If the KDC and client are properly configured, it should now be -possible to run <tt class="docutils literal"><span class="pre">kinit</span> <span class="pre">username</span></tt> without entering a password.</p> +possible to run <code class="docutils literal"><span class="pre">kinit</span> <span 
class="pre">username</span></code> without entering a password.</p> </div> <div class="section" id="anonymous-pkinit"> <span id="id1"></span><h2>Anonymous PKINIT<a class="headerlink" href="#anonymous-pkinit" title="Permalink to this headline">¶</a></h2> @@ -338,14 +336,14 @@ a KDC certificate and configure the KDC host, but you do not need to generate any client certificates. On the KDC, you must set the <strong>pkinit_identity</strong> variable to provide the KDC certificate, but do not need to set the <strong>pkinit_anchors</strong> variable or store the issuing -certificate if you won’t have any client certificates to verify. On +certificate if you won’t have any client certificates to verify. On client hosts, you must set the <strong>pkinit_anchors</strong> variable (and possibly <strong>pkinit_kdc_hostname</strong> and <strong>pkinit_eku_checking</strong>) in order to trust the issuing authority for the KDC certificate, but do not need to set the <strong>pkinit_identities</strong> variable.</p> <p>Anonymity support is not enabled by default. To enable it, you must -create the principal <tt class="docutils literal"><span class="pre">WELLKNOWN/ANONYMOUS</span></tt> using the command:</p> -<div class="highlight-python"><div class="highlight"><pre>kadmin -q 'addprinc -randkey WELLKNOWN/ANONYMOUS' +create the principal <code class="docutils literal"><span class="pre">WELLKNOWN/ANONYMOUS</span></code> using the command:</p> +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kadmin</span> <span class="o">-</span><span class="n">q</span> <span class="s1">'addprinc -randkey WELLKNOWN/ANONYMOUS'</span> </pre></div> </div> <p>Some Kerberos deployments include application servers which lack 
@@ -354,12 +352,34 @@ can authenticate. In such an environment, enabling anonymity support on the KDC would present a security issue. If you need to enable anonymity support for TGTs (for use as FAST armor tickets) without enabling anonymous authentication to application servers, you can set -the variable <strong>restrict_anonymous_to_tgt</strong> to <tt class="docutils literal"><span class="pre">true</span></tt> in the -appropriate <a class="reference internal" href="conf_files/kdc_conf.html#kdc-realms"><em>[realms]</em></a> subsection of the KDC’s -<a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> file.</p> -<p>To obtain anonymous credentials on a client, run <tt class="docutils literal"><span class="pre">kinit</span> <span class="pre">-n</span></tt>, or -<tt class="docutils literal"><span class="pre">kinit</span> <span class="pre">-n</span> <span class="pre">@REALMNAME</span></tt> to specify a realm. The resulting tickets -will have the client name <tt class="docutils literal"><span class="pre">WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS</span></tt>.</p> +the variable <strong>restrict_anonymous_to_tgt</strong> to <code class="docutils literal"><span class="pre">true</span></code> in the +appropriate <a class="reference internal" href="conf_files/kdc_conf.html#kdc-realms"><span class="std std-ref">[realms]</span></a> subsection of the KDC’s +<a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a> file.</p> +<p>To obtain anonymous credentials on a client, run <code class="docutils literal"><span class="pre">kinit</span> <span class="pre">-n</span></code>, or +<code class="docutils literal"><span class="pre">kinit</span> <span class="pre">-n</span> <span class="pre">@REALMNAME</span></code> to specify a realm. 
The resulting tickets +will have the client name <code class="docutils literal"><span class="pre">WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS</span></code>.</p> +</div> +<div class="section" id="freshness-tokens"> +<h2>Freshness tokens<a class="headerlink" href="#freshness-tokens" title="Permalink to this headline">¶</a></h2> +<p>Freshness tokens can ensure that the client has recently had access to +its certificate private key. If freshness tokens are not required by +the KDC, a client program with temporary possession of the private key +can compose requests for future timestamps and use them later.</p> +<p>In release 1.17 and later, freshness tokens are supported by the +client and are sent by the KDC when the client indicates support for +them. Because not all clients support freshness tokens yet, they are +not required by default. To check if freshness tokens are supported +by a realm’s clients, look in the KDC logs for the lines:</p> +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">PKINIT</span><span class="p">:</span> <span class="n">freshness</span> <span class="n">token</span> <span class="n">received</span> <span class="kn">from</span> <span class="o"><</span><span class="n">client</span> <span class="n">principal</span><span class="o">></span> +<span class="n">PKINIT</span><span class="p">:</span> <span class="n">no</span> <span class="n">freshness</span> <span class="n">token</span> <span class="n">received</span> <span class="kn">from</span> <span class="o"><</span><span class="n">client</span> <span class="n">principal</span><span class="o">></span> +</pre></div> +</div> +<p>To require freshness tokens for all clients in a realm (except for +clients authenticating anonymously), set the +<strong>pkinit_require_freshness</strong> variable to <code class="docutils literal"><span class="pre">true</span></code> in the appropriate +<a class="reference internal" href="conf_files/kdc_conf.html#kdc-realms"><span class="std 
std-ref">[realms]</span></a> subsection of the KDC’s <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a> file. To +test that this option is in effect, run <code class="docutils literal"><span class="pre">kinit</span> <span class="pre">-X</span> <span class="pre">disable_freshness</span></code> +and verify that authentication is unsuccessful.</p> </div> </div> @@ -381,6 +401,7 @@ will have the client name <tt class="docutils literal"><span class="pre">WELLKNO <li><a class="reference internal" href="#configuring-the-kdc">Configuring the KDC</a></li> <li><a class="reference internal" href="#configuring-the-clients">Configuring the clients</a></li> <li><a class="reference internal" href="#anonymous-pkinit">Anonymous PKINIT</a></li> +<li><a class="reference internal" href="#freshness-tokens">Freshness tokens</a></li> </ul> </li> </ul> 
@@ -394,15 +415,16 @@ will have the client name <tt class="docutils literal"><span class="pre">WELLKNO <li class="toctree-l2"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li> <li class="toctree-l2"><a class="reference internal" href="realm_config.html">Realm configuration decisions</a></li> <li class="toctree-l2"><a class="reference internal" href="database.html">Database administration</a></li> +<li class="toctree-l2"><a class="reference internal" href="dbtypes.html">Database types</a></li> <li class="toctree-l2"><a class="reference internal" href="lockout.html">Account lockout</a></li> <li class="toctree-l2"><a class="reference internal" href="conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li> <li class="toctree-l2"><a class="reference internal" href="appl_servers.html">Application servers</a></li> <li class="toctree-l2"><a class="reference internal" href="host_config.html">Host configuration</a></li> <li class="toctree-l2"><a class="reference internal" href="backup_host.html">Backups of secure hosts</a></li> -<li class="toctree-l2 current"><a class="current reference internal" href="">PKINIT configuration</a><ul class="simple"> -</ul> -</li> +<li class="toctree-l2 current"><a class="current reference internal" href="#">PKINIT configuration</a></li> <li class="toctree-l2"><a class="reference internal" href="otp.html">OTP Preauthentication</a></li> +<li class="toctree-l2"><a class="reference internal" href="spake.html">SPAKE Preauthentication</a></li> +<li class="toctree-l2"><a class="reference internal" href="dictionary.html">Addressing dictionary attack risks</a></li> <li class="toctree-l2"><a class="reference internal" href="princ_dns.html">Principal names and DNS</a></li> <li class="toctree-l2"><a class="reference internal" href="enctypes.html">Encryption types</a></li> <li class="toctree-l2"><a class="reference internal" href="https.html">HTTPS proxy configuration</a></li> 
@@ -442,8 +464,8 @@ will have the client name <tt class="docutils literal"><span class="pre">WELLKNO <div class="footer-wrapper"> <div class="footer" > - <div class="right" ><i>Release: 1.16</i><br /> - © <a href="../copyright.html">Copyright</a> 1985-2017, MIT. + <div class="right" ><i>Release: 1.21.1</i><br /> + © <a href="../copyright.html">Copyright</a> 1985-2023, MIT. </div> <div class="left"> diff --git a/doc/html/admin/princ_dns.html b/doc/html/admin/princ_dns.html index ecf6c969c612..87715a2cfc52 100644 --- a/doc/html/admin/princ_dns.html +++ b/doc/html/admin/princ_dns.html 
@@ -1,35 +1,33 @@ + <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> - <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> - - <title>Principal names and DNS — MIT Kerberos Documentation</title> - + <title>Principal names and DNS — MIT Kerberos Documentation</title> <link rel="stylesheet" href="../_static/agogo.css" type="text/css" /> <link rel="stylesheet" href="../_static/pygments.css" type="text/css" /> <link rel="stylesheet" href="../_static/kerb.css" type="text/css" /> - <script type="text/javascript"> var DOCUMENTATION_OPTIONS = { URL_ROOT: '../', - VERSION: '1.16', + VERSION: '1.21.1', COLLAPSE_INDEX: false, FILE_SUFFIX: '.html', - HAS_SOURCE: true + HAS_SOURCE: true, + SOURCELINK_SUFFIX: '.txt' }; </script> <script type="text/javascript" src="../_static/jquery.js"></script> <script type="text/javascript" src="../_static/underscore.js"></script> <script type="text/javascript" src="../_static/doctools.js"></script> <link rel="author" title="About these documents" href="../about.html" /> + <link rel="index" title="Index" href="../genindex.html" /> + <link rel="search" title="Search" href="../search.html" /> <link rel="copyright" title="Copyright" href="../copyright.html" /> - <link rel="top" title="MIT Kerberos Documentation" href="../index.html" /> - <link rel="up" title="For administrators" href="index.html" /> <link rel="next" title="Encryption types" href="enctypes.html" /> - <link rel="prev" title="OTP Preauthentication" href="otp.html" /> + <link rel="prev" title="Addressing dictionary attack risks" href="dictionary.html" /> </head> <body> <div class="header-wrapper"> 
@@ -42,7 +40,7 @@ <a href="../index.html" title="Full Table of Contents" accesskey="C">Contents</a> | - <a href="otp.html" title="OTP Preauthentication" + <a href="dictionary.html" title="Addressing dictionary attack risks" accesskey="P">previous</a> | <a href="enctypes.html" title="Encryption types" accesskey="N">next</a> | 
@@ -61,54 +59,58 @@ <div class="documentwrapper"> <div class="bodywrapper"> - <div class="body"> + <div class="body" role="main"> <div class="section" id="principal-names-and-dns"> <h1>Principal names and DNS<a class="headerlink" href="#principal-names-and-dns" title="Permalink to this headline">¶</a></h1> <p>Kerberos clients can do DNS lookups to canonicalize service principal names. This can cause difficulties when setting up Kerberos -application servers, especially when the client’s name for the service +application servers, especially when the client’s name for the service is different from what the service thinks its name is.</p> <div class="section" id="service-principal-names"> <h2>Service principal names<a class="headerlink" href="#service-principal-names" title="Permalink to this headline">¶</a></h2> <p>A frequently used kind of principal name is the host-based service principal name. This kind of principal name has two components: a -service name and a hostname. For example, <tt class="docutils literal"><span class="pre">imap/imap.example.com</span></tt> -is the principal name of the “imap” service on the host -“imap.example.com”. Other possible service names for the first -component include “host” (remote login services such as ssh), “HTTP”, -and “nfs” (Network File System).</p> +service name and a hostname. For example, <code class="docutils literal"><span class="pre">imap/imap.example.com</span></code> +is the principal name of the “imap” service on the host +“imap.example.com”. Other possible service names for the first +component include “host” (remote login services such as ssh), “HTTP”, +and “nfs” (Network File System).</p> <p>Service administrators often publish well-known hostname aliases that they would prefer users to use instead of the canonical name of the service host. This gives service administrators more flexibility in deploying services. 
For example, a shell login server might be named -“long-vanity-hostname.example.com”, but users will naturally prefer to -type something like “login.example.com”. Hostname aliases also allow +“long-vanity-hostname.example.com”, but users will naturally prefer to +type something like “login.example.com”. Hostname aliases also allow for administrators to set up load balancing for some sorts of services -based on rotating <tt class="docutils literal"><span class="pre">CNAME</span></tt> records in DNS.</p> +based on rotating <code class="docutils literal"><span class="pre">CNAME</span></code> records in DNS.</p> </div> <div class="section" id="service-principal-canonicalization"> <h2>Service principal canonicalization<a class="headerlink" href="#service-principal-canonicalization" title="Permalink to this headline">¶</a></h2> -<p>MIT Kerberos clients currently always do forward resolution (looking -up the IPv4 and possibly IPv6 addresses using <tt class="docutils literal"><span class="pre">getaddrinfo()</span></tt>) of -the hostname part of a host-based service principal to canonicalize -the hostname. They obtain the “canonical” name of the host when doing -so. By default, MIT Kerberos clients will also then do reverse DNS -resolution (looking up the hostname associated with the IPv4 or IPv6 -address using <tt class="docutils literal"><span class="pre">getnameinfo()</span></tt>) of the hostname. Using the -<a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a> setting:</p> -<div class="highlight-python"><div class="highlight"><pre>[libdefaults] - rdns = false -</pre></div> -</div> -<p>will disable reverse DNS lookup on clients. The default setting is -“true”.</p> -<p>Operating system bugs may prevent a setting of <tt class="docutils literal"><span class="pre">rdns</span> <span class="pre">=</span> <span class="pre">false</span></tt> from -disabling reverse DNS lookup. 
Some versions of GNU libc have a bug in -<tt class="docutils literal"><span class="pre">getaddrinfo()</span></tt> that cause them to look up <tt class="docutils literal"><span class="pre">PTR</span></tt> records even when -not required. MIT Kerberos releases krb5-1.10.2 and newer have a -workaround for this problem, as does the krb5-1.9.x series as of -release krb5-1.9.4.</p> +<p>In the MIT krb5 client library, canonicalization of host-based service +principals is controlled by the <strong>dns_canonicalize_hostname</strong>, +<strong>rnds</strong>, and <strong>qualify_shortname</strong> variables in <a class="reference internal" href="conf_files/krb5_conf.html#libdefaults"><span class="std std-ref">[libdefaults]</span></a>.</p> +<p>If <strong>dns_canonicalize_hostname</strong> is set to <code class="docutils literal"><span class="pre">true</span></code> (the default +value), the client performs forward resolution by looking up the IPv4 +and/or IPv6 addresses of the hostname using <code class="docutils literal"><span class="pre">getaddrinfo()</span></code>. This +process will typically add a domain suffix to the hostname if needed, +and follow CNAME records in the DNS. If <strong>rdns</strong> is also set to +<code class="docutils literal"><span class="pre">true</span></code> (the default), the client will then perform a reverse lookup +of the first returned Internet address using <code class="docutils literal"><span class="pre">getnameinfo()</span></code>, +finding the name associated with the PTR record.</p> +<p>If <strong>dns_canonicalize_hostname</strong> is set to <code class="docutils literal"><span class="pre">false</span></code>, the hostname is +not canonicalized using DNS. If the hostname has only one component +(i.e. it contains no “.” characters), the host’s primary DNS search +domain will be appended, if there is one. 
The <strong>qualify_shortname</strong> +variable can be used to override or disable this suffix.</p> +<p>If <strong>dns_canonicalize_hostname</strong> is set to <code class="docutils literal"><span class="pre">fallback</span></code> (added in +release 1.18), the hostname is initially treated according to the +rules for <code class="docutils literal"><span class="pre">dns_canonicalize_hostname=false</span></code>. If a ticket request +fails because the service principal is unknown, the hostname will be +canonicalized according to the rules for +<code class="docutils literal"><span class="pre">dns_canonicalize_hostname=true</span></code> and the request will be retried.</p> +<p>In all cases, the hostname is converted to lowercase, and any trailing +dot is removed.</p> </div> <div class="section" id="reverse-dns-mismatches"> <h2>Reverse DNS mismatches<a class="headerlink" href="#reverse-dns-mismatches" title="Permalink to this headline">¶</a></h2> @@ -117,7 +119,7 @@ not its reverse DNS. The reverse DNS is sometimes under the control of the Internet service provider of the enterprise, and the enterprise may not have much influence in setting up reverse DNS records for its address space. If there are difficulties with getting forward and -reverse DNS to match, it is best to set <tt class="docutils literal"><span class="pre">rdns</span> <span class="pre">=</span> <span class="pre">false</span></tt> on client +reverse DNS to match, it is best to set <code class="docutils literal"><span class="pre">rdns</span> <span class="pre">=</span> <span class="pre">false</span></code> on client machines.</p> </div> <div class="section" id="overriding-application-behavior"> 
@@ -125,22 +127,22 @@ machines.</p> <p>Applications can choose to use a default hostname component in their service principal name when accepting authentication, which avoids some sorts of hostname mismatches. Because not all relevant -applications do this yet, using the <a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a> setting:</p> -<div class="highlight-python"><div class="highlight"><pre>[libdefaults] - ignore_acceptor_hostname = true +applications do this yet, using the <a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a> setting:</p> +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">libdefaults</span><span class="p">]</span> + <span class="n">ignore_acceptor_hostname</span> <span class="o">=</span> <span class="n">true</span> </pre></div> </div> -<p>will allow the Kerberos library to override the application’s choice +<p>will allow the Kerberos library to override the application’s choice of service principal hostname and will allow a server program to accept incoming authentications using any key in its keytab that matches the service name and realm name (if given). This setting -defaults to “false” and is available in releases krb5-1.10 and later.</p> +defaults to “false” and is available in releases krb5-1.10 and later.</p> </div> <div class="section" id="provisioning-keytabs"> <h2>Provisioning keytabs<a class="headerlink" href="#provisioning-keytabs" title="Permalink to this headline">¶</a></h2> <p>One service principal entry that should be in the keytab is a principal whose hostname component is the canonical hostname that -<tt class="docutils literal"><span class="pre">getaddrinfo()</span></tt> reports for all known aliases for the host. If the +<code class="docutils literal"><span class="pre">getaddrinfo()</span></code> reports for all known aliases for the host. 
If the reverse DNS information does not match this canonical hostname, an additional service principal entry should be in the keytab for this different hostname.</p> 
@@ -149,13 +151,21 @@ different hostname.</p> <h2>Specific application advice<a class="headerlink" href="#specific-application-advice" title="Permalink to this headline">¶</a></h2> <div class="section" id="secure-shell-ssh"> <h3>Secure shell (ssh)<a class="headerlink" href="#secure-shell-ssh" title="Permalink to this headline">¶</a></h3> -<p>Setting <tt class="docutils literal"><span class="pre">GSSAPIStrictAcceptorCheck</span> <span class="pre">=</span> <span class="pre">no</span></tt> in the configuration file +<p>Setting <code class="docutils literal"><span class="pre">GSSAPIStrictAcceptorCheck</span> <span class="pre">=</span> <span class="pre">no</span></code> in the configuration file of modern versions of the openssh daemon will allow the daemon to try any key in its keytab when accepting a connection, rather than looking -for the keytab entry that matches the host’s own idea of its name -(typically the name that <tt class="docutils literal"><span class="pre">gethostname()</span></tt> returns). This requires +for the keytab entry that matches the host’s own idea of its name +(typically the name that <code class="docutils literal"><span class="pre">gethostname()</span></code> returns). This requires krb5-1.10 or later.</p> </div> +<div class="section" id="openldap-ldapsearch-etc"> +<h3>OpenLDAP (ldapsearch, etc.)<a class="headerlink" href="#openldap-ldapsearch-etc" title="Permalink to this headline">¶</a></h3> +<p>OpenLDAP’s SASL implementation performs reverse DNS lookup in order to +canonicalize service principal names, even if <strong>rdns</strong> is set to +<code class="docutils literal"><span class="pre">false</span></code> in the Kerberos configuration. 
To disable this behavior, +add <code class="docutils literal"><span class="pre">SASL_NOCANON</span> <span class="pre">on</span></code> to <code class="docutils literal"><span class="pre">ldap.conf</span></code>, or set the +<code class="docutils literal"><span class="pre">LDAPSASL_NOCANON</span></code> environment variable.</p> +</div> </div> </div> @@ -175,6 +185,7 @@ krb5-1.10 or later.</p> <li><a class="reference internal" href="#provisioning-keytabs">Provisioning keytabs</a></li> <li><a class="reference internal" href="#specific-application-advice">Specific application advice</a><ul> <li><a class="reference internal" href="#secure-shell-ssh">Secure shell (ssh)</a></li> +<li><a class="reference internal" href="#openldap-ldapsearch-etc">OpenLDAP (ldapsearch, etc.)</a></li> </ul> </li> </ul> @@ -190,6 +201,7 @@ krb5-1.10 or later.</p> <li class="toctree-l2"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li> <li class="toctree-l2"><a class="reference internal" href="realm_config.html">Realm configuration decisions</a></li> <li class="toctree-l2"><a class="reference internal" href="database.html">Database administration</a></li> +<li class="toctree-l2"><a class="reference internal" href="dbtypes.html">Database types</a></li> <li class="toctree-l2"><a class="reference internal" href="lockout.html">Account lockout</a></li> <li class="toctree-l2"><a class="reference internal" href="conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li> <li class="toctree-l2"><a class="reference internal" href="appl_servers.html">Application servers</a></li> 
@@ -197,9 +209,9 @@ krb5-1.10 or later.</p> <li class="toctree-l2"><a class="reference internal" href="backup_host.html">Backups of secure hosts</a></li> <li class="toctree-l2"><a class="reference internal" href="pkinit.html">PKINIT configuration</a></li> <li class="toctree-l2"><a class="reference internal" href="otp.html">OTP Preauthentication</a></li> -<li class="toctree-l2 current"><a class="current reference internal" href="">Principal names and DNS</a><ul class="simple"> -</ul> -</li> +<li class="toctree-l2"><a class="reference internal" href="spake.html">SPAKE Preauthentication</a></li> +<li class="toctree-l2"><a class="reference internal" href="dictionary.html">Addressing dictionary attack risks</a></li> +<li class="toctree-l2 current"><a class="current reference internal" href="#">Principal names and DNS</a></li> <li class="toctree-l2"><a class="reference internal" href="enctypes.html">Encryption types</a></li> <li class="toctree-l2"><a class="reference internal" href="https.html">HTTPS proxy configuration</a></li> <li class="toctree-l2"><a class="reference internal" href="auth_indicator.html">Authentication indicators</a></li> @@ -238,14 +250,14 @@ krb5-1.10 or later.</p> <div class="footer-wrapper"> <div class="footer" > - <div class="right" ><i>Release: 1.16</i><br /> - © <a href="../copyright.html">Copyright</a> 1985-2017, MIT. + <div class="right" ><i>Release: 1.21.1</i><br /> + © <a href="../copyright.html">Copyright</a> 1985-2023, MIT. </div> <div class="left"> <a href="../index.html" title="Full Table of Contents" >Contents</a> | - <a href="otp.html" title="OTP Preauthentication" + <a href="dictionary.html" title="Addressing dictionary attack risks" >previous</a> | <a href="enctypes.html" title="Encryption types" >next</a> | diff --git a/doc/html/admin/realm_config.html b/doc/html/admin/realm_config.html index 2d5ca3ae7918..cec418366e0a 100644 --- a/doc/html/admin/realm_config.html +++ b/doc/html/admin/realm_config.html 
@@ -1,33 +1,31 @@ + <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> - <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> - - <title>Realm configuration decisions — MIT Kerberos Documentation</title> - + <title>Realm configuration decisions — MIT Kerberos Documentation</title> <link rel="stylesheet" href="../_static/agogo.css" type="text/css" /> <link rel="stylesheet" href="../_static/pygments.css" type="text/css" /> <link rel="stylesheet" href="../_static/kerb.css" type="text/css" /> - <script type="text/javascript"> var DOCUMENTATION_OPTIONS = { URL_ROOT: '../', - VERSION: '1.16', + VERSION: '1.21.1', COLLAPSE_INDEX: false, FILE_SUFFIX: '.html', - HAS_SOURCE: true + HAS_SOURCE: true, + SOURCELINK_SUFFIX: '.txt' }; </script> <script type="text/javascript" src="../_static/jquery.js"></script> <script type="text/javascript" src="../_static/underscore.js"></script> <script type="text/javascript" src="../_static/doctools.js"></script> <link rel="author" title="About these documents" href="../about.html" /> + <link rel="index" title="Index" href="../genindex.html" /> + <link rel="search" title="Search" href="../search.html" /> <link rel="copyright" title="Copyright" href="../copyright.html" /> - <link rel="top" title="MIT Kerberos Documentation" href="../index.html" /> - <link rel="up" title="For administrators" href="index.html" /> <link rel="next" title="Database administration" href="database.html" /> <link rel="prev" title="kadm5.acl" href="conf_files/kadm5_acl.html" /> </head> @@ -61,7 +59,7 @@ <div class="documentwrapper"> <div class="bodywrapper"> - <div class="body"> + <div class="body" role="main"> <div class="section" id="realm-configuration-decisions"> <h1>Realm configuration decisions<a class="headerlink" href="#realm-configuration-decisions" title="Permalink to this headline">¶</a></h1> 
@@ -73,23 +71,23 @@ need more than one).</li> <li>How you will assign your hostnames to Kerberos realms.</li> <li>Which ports your KDC and and kadmind services will use, if they will not be using the default ports.</li> -<li>How many slave KDCs you need and where they should be located.</li> -<li>The hostnames of your master and slave KDCs.</li> -<li>How frequently you will propagate the database from the master KDC -to the slave KDCs.</li> +<li>How many replica KDCs you need and where they should be located.</li> +<li>The hostnames of your primary and replica KDCs.</li> +<li>How frequently you will propagate the database from the primary KDC +to the replica KDCs.</li> </ul> <div class="section" id="realm-name"> <h2>Realm name<a class="headerlink" href="#realm-name" title="Permalink to this headline">¶</a></h2> <p>Although your Kerberos realm can be any ASCII string, convention is to make it the same as your domain name, in upper-case letters.</p> -<p>For example, hosts in the domain <tt class="docutils literal"><span class="pre">example.com</span></tt> would be in the +<p>For example, hosts in the domain <code class="docutils literal"><span class="pre">example.com</span></code> would be in the Kerberos realm:</p> -<div class="highlight-python"><div class="highlight"><pre><span class="n">EXAMPLE</span><span class="o">.</span><span class="n">COM</span> +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">EXAMPLE</span><span class="o">.</span><span class="n">COM</span> </pre></div> </div> <p>If you need multiple Kerberos realms, MIT recommends that you use descriptive names which end with your domain name, such as:</p> -<div class="highlight-python"><div class="highlight"><pre><span class="n">BOSTON</span><span class="o">.</span><span class="n">EXAMPLE</span><span class="o">.</span><span class="n">COM</span> +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">BOSTON</span><span 
class="o">.</span><span class="n">EXAMPLE</span><span class="o">.</span><span class="n">COM</span> <span class="n">HOUSTON</span><span class="o">.</span><span class="n">EXAMPLE</span><span class="o">.</span><span class="n">COM</span> </pre></div> </div> 
@@ -98,33 +96,33 @@ descriptive names which end with your domain name, such as:</p> <span id="mapping-hostnames"></span><h2>Mapping hostnames onto Kerberos realms<a class="headerlink" href="#mapping-hostnames-onto-kerberos-realms" title="Permalink to this headline">¶</a></h2> <p>Mapping hostnames onto Kerberos realms is done in one of three ways.</p> <p>The first mechanism works through a set of rules in the -<a class="reference internal" href="conf_files/krb5_conf.html#domain-realm"><em>[domain_realm]</em></a> section of <a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a>. You can specify +<a class="reference internal" href="conf_files/krb5_conf.html#domain-realm"><span class="std std-ref">[domain_realm]</span></a> section of <a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a>. You can specify mappings for an entire domain or on a per-hostname basis. Typically you would do this by specifying the mappings for a given domain or subdomain and listing the exceptions.</p> <p>The second mechanism is to use KDC host-based service referrals. With -this method, the KDC’s krb5.conf has a full [domain_realm] mapping for +this method, the KDC’s krb5.conf has a full [domain_realm] mapping for hosts, but the clients do not, or have mappings for only a subset of the hosts they might contact. When a client needs to contact a server -host for which it has no mapping, it will ask the client realm’s KDC +host for which it has no mapping, it will ask the client realm’s KDC for the service ticket, and will receive a referral to the appropriate service realm.</p> <p>To use referrals, clients must be running MIT krb5 1.6 or later, and the KDC must be running MIT krb5 1.7 or later. 
The <strong>host_based_services</strong> and <strong>no_host_referral</strong> variables in the -<a class="reference internal" href="conf_files/kdc_conf.html#kdc-realms"><em>[realms]</em></a> section of <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> can be used to +<a class="reference internal" href="conf_files/kdc_conf.html#kdc-realms"><span class="std std-ref">[realms]</span></a> section of <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a> can be used to fine-tune referral behavior on the KDC.</p> <p>It is also possible for clients to use DNS TXT records, if -<strong>dns_lookup_realm</strong> is enabled in <a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a>. Such lookups +<strong>dns_lookup_realm</strong> is enabled in <a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a>. Such lookups are disabled by default because DNS is an insecure protocol and security holes could result if DNS records are spoofed. If enabled, the client will try to look up a TXT record formed by prepending the prefix -<tt class="docutils literal"><span class="pre">_kerberos</span></tt> to the hostname in question. If that record is not -found, the client will attempt a lookup by prepending <tt class="docutils literal"><span class="pre">_kerberos</span></tt> to the -host’s domain name, then its parent domain, up to the top-level domain. -For the hostname <tt class="docutils literal"><span class="pre">boston.engineering.example.com</span></tt>, the names looked up +<code class="docutils literal"><span class="pre">_kerberos</span></code> to the hostname in question. 
If that record is not +found, the client will attempt a lookup by prepending <code class="docutils literal"><span class="pre">_kerberos</span></code> to the +host’s domain name, then its parent domain, up to the top-level domain. +For the hostname <code class="docutils literal"><span class="pre">boston.engineering.example.com</span></code>, the names looked up would be:</p> -<div class="highlight-python"><div class="highlight"><pre><span class="n">_kerberos</span><span class="o">.</span><span class="n">boston</span><span class="o">.</span><span class="n">engineering</span><span class="o">.</span><span class="n">example</span><span class="o">.</span><span class="n">com</span> +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">_kerberos</span><span class="o">.</span><span class="n">boston</span><span class="o">.</span><span class="n">engineering</span><span class="o">.</span><span class="n">example</span><span class="o">.</span><span class="n">com</span> <span class="n">_kerberos</span><span class="o">.</span><span class="n">engineering</span><span class="o">.</span><span class="n">example</span><span class="o">.</span><span class="n">com</span> <span class="n">_kerberos</span><span class="o">.</span><span class="n">example</span><span class="o">.</span><span class="n">com</span> <span class="n">_kerberos</span><span class="o">.</span><span class="n">com</span> 
@@ -138,44 +136,44 @@ you may wish to set it up anyway, for use when interacting with other sites.</p> <h2>Ports for the KDC and admin services<a class="headerlink" href="#ports-for-the-kdc-and-admin-services" title="Permalink to this headline">¶</a></h2> <p>The default ports used by Kerberos are port 88 for the KDC and port 749 for the admin server. You can, however, choose to run on other -ports, as long as they are specified in each host’s -<a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a> files or in DNS SRV records, and the -<a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> file on each KDC. For a more thorough treatment of +ports, as long as they are specified in each host’s +<a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a> files or in DNS SRV records, and the +<a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a> file on each KDC. For a more thorough treatment of port numbers used by the Kerberos V5 programs, refer to the -<a class="reference internal" href="appl_servers.html#conf-firewall"><em>Configuring your firewall to work with Kerberos V5</em></a>.</p> +<a class="reference internal" href="appl_servers.html#conf-firewall"><span class="std std-ref">Configuring your firewall to work with Kerberos V5</span></a>.</p> </div> -<div class="section" id="slave-kdcs"> -<h2>Slave KDCs<a class="headerlink" href="#slave-kdcs" title="Permalink to this headline">¶</a></h2> -<p>Slave KDCs provide an additional source of Kerberos ticket-granting -services in the event of inaccessibility of the master KDC. 
The -number of slave KDCs you need and the decision of where to place them, +<div class="section" id="replica-kdcs"> +<h2>Replica KDCs<a class="headerlink" href="#replica-kdcs" title="Permalink to this headline">¶</a></h2> +<p>Replica KDCs provide an additional source of Kerberos ticket-granting +services in the event of inaccessibility of the primary KDC. The +number of replica KDCs you need and the decision of where to place them, both physically and logically, depends on the specifics of your network.</p> <p>Kerberos authentication requires that each client be able to contact a KDC. Therefore, you need to anticipate any likely reason a KDC might -be unavailable and have a slave KDC to take up the slack.</p> +be unavailable and have a replica KDC to take up the slack.</p> <p>Some considerations include:</p> <ul class="simple"> -<li>Have at least one slave KDC as a backup, for when the master KDC is -down, is being upgraded, or is otherwise unavailable.</li> +<li>Have at least one replica KDC as a backup, for when the primary KDC +is down, is being upgraded, or is otherwise unavailable.</li> <li>If your network is split such that a network outage is likely to cause a network partition (some segment or segments of the network -to become cut off or isolated from other segments), have a slave KDC -accessible to each segment.</li> -<li>If possible, have at least one slave KDC in a different building -from the master, in case of power outages, fires, or other localized -disasters.</li> +to become cut off or isolated from other segments), have a replica +KDC accessible to each segment.</li> +<li>If possible, have at least one replica KDC in a different building +from the primary, in case of power outages, fires, or other +localized disasters.</li> </ul> </div> <div class="section" id="hostnames-for-kdcs"> <span id="kdc-hostnames"></span><h2>Hostnames for KDCs<a class="headerlink" href="#hostnames-for-kdcs" title="Permalink to this headline">¶</a></h2> <p>MIT recommends 
that your KDCs have a predefined set of CNAME records -(DNS hostname aliases), such as <tt class="docutils literal"><span class="pre">kerberos</span></tt> for the master KDC and -<tt class="docutils literal"><span class="pre">kerberos-1</span></tt>, <tt class="docutils literal"><span class="pre">kerberos-2</span></tt>, ... for the slave KDCs. This way, if -you need to swap a machine, you only need to change a DNS entry, +(DNS hostname aliases), such as <code class="docutils literal"><span class="pre">kerberos</span></code> for the primary KDC and +<code class="docutils literal"><span class="pre">kerberos-1</span></code>, <code class="docutils literal"><span class="pre">kerberos-2</span></code>, … for the replica KDCs. This way, +if you need to swap a machine, you only need to change a DNS entry, rather than having to change hostnames.</p> -<p>As of MIT krb5 1.4, clients can locate a realm’s KDCs through DNS -using SRV records (<span class="target" id="index-0"></span><a class="rfc reference external" href="http://tools.ietf.org/html/rfc2782.html"><strong>RFC 2782</strong></a>), assuming the Kerberos realm name is +<p>As of MIT krb5 1.4, clients can locate a realm’s KDCs through DNS +using SRV records (<span class="target" id="index-0"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc2782.html"><strong>RFC 2782</strong></a>), assuming the Kerberos realm name is also a DNS domain name. These records indicate the hostname and port number to contact for that service, optionally with weighting and prioritization. The domain name used in the SRV record name is the 
@@ -187,36 +185,38 @@ used:</p> the most often. Normally you should list port 88 on each of your KDCs.</dd> <dt>_kerberos._tcp</dt> -<dd>This is for contacting any KDC by TCP. The MIT KDC by default -will not listen on any TCP ports, so unless you’ve changed the -configuration or you’re running another KDC implementation, you -should leave this unspecified. If you do enable TCP support, -normally you should use port 88.</dd> +<dd>This is for contacting any KDC by TCP. Normally you should use +port 88. This entry should be omitted if the KDC does not listen +on TCP ports, as was the default prior to release 1.13.</dd> <dt>_kerberos-master._udp</dt> <dd><p class="first">This entry should refer to those KDCs, if any, that will immediately see password changes to the Kerberos database. If a user is logging in and the password appears to be incorrect, the -client will retry with the master KDC before failing with an -“incorrect password” error given.</p> +client will retry with the primary KDC before failing with an +“incorrect password” error given.</p> <p class="last">If you have only one KDC, or for whatever reason there is no accessible KDC that would get database changes faster than the -others, you do not need to define this entry.</p> -</dd> -<dt>_kerberos-adm._tcp</dt> -<dd>This should list port 749 on your master KDC. Support for it is +others, you do not need to define this entry. _kerberos-adm._tcp +This should list port 749 on your primary KDC. Support for it is not complete at this time, but it will eventually be used by the -<a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><em>kadmin</em></a> program and related utilities. 
For now, you will -also need the <strong>admin_server</strong> variable in <a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a>.</dd> +<a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> program and related utilities. For now, you will +also need the <strong>admin_server</strong> variable in <a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a>.</p> +</dd> +<dt>_kerberos-master._tcp</dt> +<dd>The corresponding TCP port for _kerberos-master._udp, assuming the +primary KDC listens on a TCP port.</dd> <dt>_kpasswd._udp</dt> -<dd>This should list port 464 on your master KDC. It is used when a -user changes her password. If this entry is not defined but a -_kerberos-adm._tcp entry is defined, the client will use the -_kerberos-adm._tcp entry with the port number changed to 749.</dd> +<dd>This entry should list port 464 on your primary KDC. It is used +when a user changes her password. If this entry is not defined +but a _kerberos-adm._tcp entry is defined, the client will use the +_kerberos-adm._tcp entry with the port number changed to 464.</dd> +<dt>_kpasswd._tcp</dt> +<dd>The corresponding TCP port for _kpasswd._udp.</dd> </dl> <p>The DNS SRV specification requires that the hostnames listed be the canonical names, not aliases. So, for example, you might include the following records in your (BIND-style) zone file:</p> -<div class="highlight-python"><div class="highlight"><pre>$ORIGIN foobar.com. +<div class="highlight-default"><div class="highlight"><pre><span></span>$ORIGIN foobar.com. _kerberos TXT "FOOBAR.COM" kerberos CNAME daisy kerberos-1 CNAME use-the-force-luke 
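Review bot: On the new side of this hunk the `_kerberos-adm._tcp` record loses its `<dt>`: the old `</dd><dt>_kerberos-adm._tcp</dt><dd>` is replaced by running text inside the `_kerberos-master._udp` description ("…you do not need to define this entry. _kerberos-adm._tcp This should list port 749 on your primary KDC…"), so the kadmin port guidance now reads as part of the `_kerberos-master._udp` entry and the term that the later `_kpasswd._udp` paragraph refers back to is no longer defined anywhere in the list. The intended markup is `</p></dd>` closing the `_kerberos-master._udp` item, then `<dt>_kerberos-adm._tcp</dt>` and `<dd>This should list port 749 on your primary KDC. …</dd>` around the existing sentences. Since this file is Sphinx output, the fix presumably belongs in the reStructuredText source it is generated from (the definition-list indentation of that entry) followed by a regeneration rather than a hand edit of the HTML, which the next rebuild would undo.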
@@ -231,35 +231,35 @@ _kpasswd._udp SRV 0 0 464 daisy </div> <p>Clients can also be configured with the explicit location of services using the <strong>kdc</strong>, <strong>master_kdc</strong>, <strong>admin_server</strong>, and -<strong>kpasswd_server</strong> variables in the <a class="reference internal" href="conf_files/krb5_conf.html#realms"><em>[realms]</em></a> section of -<a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a>. Even if some clients will be configured with +<strong>kpasswd_server</strong> variables in the <a class="reference internal" href="conf_files/krb5_conf.html#realms"><span class="std std-ref">[realms]</span></a> section of +<a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a>. Even if some clients will be configured with explicit server locations, providing SRV records will still benefit unconfigured clients, and be useful for other sites.</p> </div> <div class="section" id="kdc-discovery"> <span id="id1"></span><h2>KDC Discovery<a class="headerlink" href="#kdc-discovery" title="Permalink to this headline">¶</a></h2> <p>As of MIT krb5 1.15, clients can also locate KDCs in DNS through URI -records (<span class="target" id="index-1"></span><a class="rfc reference external" href="http://tools.ietf.org/html/rfc7553.html"><strong>RFC 7553</strong></a>). Limitations with the SRV record format may +records (<span class="target" id="index-1"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc7553.html"><strong>RFC 7553</strong></a>). Limitations with the SRV record format may result in extra DNS queries in situations where a client must failover -to other transport types, or find a master server. The URI record can -convey more information about a realm’s KDCs with a single query.</p> +to other transport types, or find a primary server. 
The URI record +can convey more information about a realm’s KDCs with a single query.</p> <p>The client performs a query for the following URI records:</p> <ul class="simple"> -<li><tt class="docutils literal"><span class="pre">_kerberos.REALM</span></tt> for finding KDCs.</li> -<li><tt class="docutils literal"><span class="pre">_kerberos-adm.REALM</span></tt> for finding kadmin services.</li> -<li><tt class="docutils literal"><span class="pre">_kpasswd.REALM</span></tt> for finding password services.</li> +<li><code class="docutils literal"><span class="pre">_kerberos.REALM</span></code> for finding KDCs.</li> +<li><code class="docutils literal"><span class="pre">_kerberos-adm.REALM</span></code> for finding kadmin services.</li> +<li><code class="docutils literal"><span class="pre">_kpasswd.REALM</span></code> for finding password services.</li> </ul> <p>The URI record includes a priority, weight, and a URI string that consists of case-insensitive colon separated fields, in the form -<tt class="docutils literal"><span class="pre">scheme:[flags]:transport:residual</span></tt>.</p> +<code class="docutils literal"><span class="pre">scheme:[flags]:transport:residual</span></code>.</p> <ul class="simple"> <li><em>scheme</em> defines the registered URI type. It should always be -<tt class="docutils literal"><span class="pre">krb5srv</span></tt>.</li> +<code class="docutils literal"><span class="pre">krb5srv</span></code>.</li> <li><em>flags</em> contains zero or more flag characters. Currently the only -valid flag is <tt class="docutils literal"><span class="pre">m</span></tt>, which indicates that the record is for a master -server.</li> +valid flag is <code class="docutils literal"><span class="pre">m</span></code>, which indicates that the record is for a +primary server.</li> <li><em>transport</em> defines the transport type of the residual URL or -address. 
Accepted values are <tt class="docutils literal"><span class="pre">tcp</span></tt>, <tt class="docutils literal"><span class="pre">udp</span></tt>, or <tt class="docutils literal"><span class="pre">kkdcp</span></tt> for the +address. Accepted values are <code class="docutils literal"><span class="pre">tcp</span></code>, <code class="docutils literal"><span class="pre">udp</span></code>, or <code class="docutils literal"><span class="pre">kkdcp</span></code> for the MS-KKDCP type.</li> <li><em>residual</em> contains the hostname, IP address, or URL to be contacted using the specified transport, with an optional port 
@@ -267,34 +267,34 @@ extension. The MS-KKDCP transport type uses a HTTPS URL, and can include a port and/or path extension.</li> </ul> <p>An example of URI records in a zone file:</p> -<div class="highlight-python"><div class="highlight"><pre>_kerberos.EXAMPLE.COM URI 10 1 krb5srv:m:tcp:kdc1.example.com - URI 20 1 krb5srv:m:udp:kdc2.example.com:89 - URI 40 1 krb5srv::udp:10.10.0.23 - URI 30 1 krb5srv::kkdcp:https://proxy:89/auth +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">_kerberos</span><span class="o">.</span><span class="n">EXAMPLE</span><span class="o">.</span><span class="n">COM</span> <span class="n">URI</span> <span class="mi">10</span> <span class="mi">1</span> <span class="n">krb5srv</span><span class="p">:</span><span class="n">m</span><span class="p">:</span><span class="n">tcp</span><span class="p">:</span><span class="n">kdc1</span><span class="o">.</span><span class="n">example</span><span class="o">.</span><span class="n">com</span> + <span class="n">URI</span> <span class="mi">20</span> <span class="mi">1</span> <span class="n">krb5srv</span><span class="p">:</span><span class="n">m</span><span class="p">:</span><span class="n">udp</span><span class="p">:</span><span class="n">kdc2</span><span class="o">.</span><span class="n">example</span><span class="o">.</span><span class="n">com</span><span class="p">:</span><span class="mi">89</span> + <span class="n">URI</span> <span class="mi">40</span> <span class="mi">1</span> <span class="n">krb5srv</span><span class="p">::</span><span class="n">udp</span><span class="p">:</span><span class="mf">10.10</span><span class="o">.</span><span class="mf">0.23</span> + <span class="n">URI</span> <span class="mi">30</span> <span class="mi">1</span> <span class="n">krb5srv</span><span class="p">::</span><span class="n">kkdcp</span><span class="p">:</span><span class="n">https</span><span class="p">:</span><span class="o">//</span><span class="n">proxy</span><span 
class="p">:</span><span class="mi">89</span><span class="o">/</span><span class="n">auth</span> </pre></div> </div> <p>URI lookups are enabled by default, and can be disabled by setting -<strong>dns_uri_lookup</strong> in the <a class="reference internal" href="conf_files/krb5_conf.html#libdefaults"><em>[libdefaults]</em></a> section of -<a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a> to False. When enabled, URI lookups take +<strong>dns_uri_lookup</strong> in the <a class="reference internal" href="conf_files/krb5_conf.html#libdefaults"><span class="std std-ref">[libdefaults]</span></a> section of +<a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a> to False. When enabled, URI lookups take precedence over SRV lookups, falling back to SRV lookups if no URI records are found.</p> </div> <div class="section" id="database-propagation"> <span id="db-prop"></span><h2>Database propagation<a class="headerlink" href="#database-propagation" title="Permalink to this headline">¶</a></h2> -<p>The Kerberos database resides on the master KDC, and must be -propagated regularly (usually by a cron job) to the slave KDCs. In +<p>The Kerberos database resides on the primary KDC, and must be +propagated regularly (usually by a cron job) to the replica KDCs. In deciding how frequently the propagation should happen, you will need to balance the amount of time the propagation takes against the maximum reasonable amount of time a user should have to wait for a password change to take effect.</p> <p>If the propagation time is longer than this maximum reasonable time (e.g., you have a particularly large database, you have a lot of -slaves, or you experience frequent network delays), you may wish to +replicas, or you experience frequent network delays), you may wish to cut down on your propagation delay by performing the propagation in -parallel. 
To do this, have the master KDC propagate the database to -one set of slaves, and then have each of these slaves propagate the -database to additional slaves.</p> -<p>See also <a class="reference internal" href="database.html#incr-db-prop"><em>Incremental database propagation</em></a></p> +parallel. To do this, have the primary KDC propagate the database to +one set of replicas, and then have each of these replicas propagate +the database to additional replicas.</p> +<p>See also <a class="reference internal" href="database.html#incr-db-prop"><span class="std std-ref">Incremental database propagation</span></a></p> </div> </div> @@ -310,7 +310,7 @@ database to additional slaves.</p> <li><a class="reference internal" href="#realm-name">Realm name</a></li> <li><a class="reference internal" href="#mapping-hostnames-onto-kerberos-realms">Mapping hostnames onto Kerberos realms</a></li> <li><a class="reference internal" href="#ports-for-the-kdc-and-admin-services">Ports for the KDC and admin services</a></li> -<li><a class="reference internal" href="#slave-kdcs">Slave KDCs</a></li> +<li><a class="reference internal" href="#replica-kdcs">Replica KDCs</a></li> <li><a class="reference internal" href="#hostnames-for-kdcs">Hostnames for KDCs</a></li> <li><a class="reference internal" href="#kdc-discovery">KDC Discovery</a></li> <li><a class="reference internal" href="#database-propagation">Database propagation</a></li> 
@@ -325,10 +325,9 @@ database to additional slaves.</p> <li class="toctree-l1 current"><a class="reference internal" href="index.html">For administrators</a><ul class="current"> <li class="toctree-l2"><a class="reference internal" href="install.html">Installation guide</a></li> <li class="toctree-l2"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li> -<li class="toctree-l2 current"><a class="current reference internal" href="">Realm configuration decisions</a><ul class="simple"> -</ul> -</li> +<li class="toctree-l2 current"><a class="current reference internal" href="#">Realm configuration decisions</a></li> <li class="toctree-l2"><a class="reference internal" href="database.html">Database administration</a></li> +<li class="toctree-l2"><a class="reference internal" href="dbtypes.html">Database types</a></li> <li class="toctree-l2"><a class="reference internal" href="lockout.html">Account lockout</a></li> <li class="toctree-l2"><a class="reference internal" href="conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li> <li class="toctree-l2"><a class="reference internal" href="appl_servers.html">Application servers</a></li> 
@@ -336,6 +335,8 @@ database to additional slaves.</p> <li class="toctree-l2"><a class="reference internal" href="backup_host.html">Backups of secure hosts</a></li> <li class="toctree-l2"><a class="reference internal" href="pkinit.html">PKINIT configuration</a></li> <li class="toctree-l2"><a class="reference internal" href="otp.html">OTP Preauthentication</a></li> +<li class="toctree-l2"><a class="reference internal" href="spake.html">SPAKE Preauthentication</a></li> +<li class="toctree-l2"><a class="reference internal" href="dictionary.html">Addressing dictionary attack risks</a></li> <li class="toctree-l2"><a class="reference internal" href="princ_dns.html">Principal names and DNS</a></li> <li class="toctree-l2"><a class="reference internal" href="enctypes.html">Encryption types</a></li> <li class="toctree-l2"><a class="reference internal" href="https.html">HTTPS proxy configuration</a></li> @@ -375,8 +376,8 @@ database to additional slaves.</p> <div class="footer-wrapper"> <div class="footer" > - <div class="right" ><i>Release: 1.16</i><br /> - © <a href="../copyright.html">Copyright</a> 1985-2017, MIT. + <div class="right" ><i>Release: 1.21.1</i><br /> + © <a href="../copyright.html">Copyright</a> 1985-2023, MIT. </div> <div class="left"> diff --git a/doc/html/admin/spake.html b/doc/html/admin/spake.html new file mode 100644 index 000000000000..49de9936fefe --- /dev/null +++ b/doc/html/admin/spake.html 
@@ -0,0 +1,205 @@ + +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> + +<html xmlns="http://www.w3.org/1999/xhtml"> + <head> + <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> + <title>SPAKE Preauthentication — MIT Kerberos Documentation</title> + <link rel="stylesheet" href="../_static/agogo.css" type="text/css" /> + <link rel="stylesheet" href="../_static/pygments.css" type="text/css" /> + <link rel="stylesheet" href="../_static/kerb.css" type="text/css" /> + <script type="text/javascript"> + var DOCUMENTATION_OPTIONS = { + URL_ROOT: '../', + VERSION: '1.21.1', + COLLAPSE_INDEX: false, + FILE_SUFFIX: '.html', + HAS_SOURCE: true, + SOURCELINK_SUFFIX: '.txt' + }; + </script> + <script type="text/javascript" src="../_static/jquery.js"></script> + <script type="text/javascript" src="../_static/underscore.js"></script> + <script type="text/javascript" src="../_static/doctools.js"></script> + <link rel="author" title="About these documents" href="../about.html" /> + <link rel="index" title="Index" href="../genindex.html" /> + <link rel="search" title="Search" href="../search.html" /> + <link rel="copyright" title="Copyright" href="../copyright.html" /> + <link rel="next" title="Addressing dictionary attack risks" href="dictionary.html" /> + <link rel="prev" title="OTP Preauthentication" href="otp.html" /> + </head> + <body> + <div class="header-wrapper"> + <div class="header"> + + + <h1><a href="../index.html">MIT Kerberos Documentation</a></h1> + + <div class="rel"> + + <a href="../index.html" title="Full Table of Contents" + accesskey="C">Contents</a> | + <a href="otp.html" title="OTP Preauthentication" + accesskey="P">previous</a> | + <a href="dictionary.html" title="Addressing dictionary attack risks" + accesskey="N">next</a> | + <a href="../genindex.html" title="General Index" + accesskey="I">index</a> | + <a href="../search.html" title="Enter search criteria" + 
accesskey="S">Search</a> | + <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__SPAKE Preauthentication">feedback</a> + </div> + </div> + </div> + + <div class="content-wrapper"> + <div class="content"> + <div class="document"> + + <div class="documentwrapper"> + <div class="bodywrapper"> + <div class="body" role="main"> + + <div class="section" id="spake-preauthentication"> +<span id="spake"></span><h1>SPAKE Preauthentication<a class="headerlink" href="#spake-preauthentication" title="Permalink to this headline">¶</a></h1> +<p>SPAKE preauthentication (added in release 1.17) uses public key +cryptography techniques to protect against <a class="reference internal" href="dictionary.html#dictionary"><span class="std std-ref">password dictionary +attacks</span></a>. Unlike <a class="reference internal" href="pkinit.html#pkinit"><span class="std std-ref">PKINIT</span></a>, it does not +require any additional infrastructure such as certificates; it simply +needs to be turned on. Using SPAKE preauthentication may modestly +increase the CPU and network load on the KDC.</p> +<p>SPAKE preauthentication can use one of four elliptic curve groups for +its password-authenticated key exchange. The recommended group is +<code class="docutils literal"><span class="pre">edwards25519</span></code>; three NIST curves (<code class="docutils literal"><span class="pre">P-256</span></code>, <code class="docutils literal"><span class="pre">P-384</span></code>, and +<code class="docutils literal"><span class="pre">P-521</span></code>) are also supported.</p> +<p>By default, SPAKE with the <code class="docutils literal"><span class="pre">edwards25519</span></code> group is enabled on +clients, but the KDC does not offer SPAKE by default. To turn it on, +set the <strong>spake_preauth_groups</strong> variable in <a class="reference internal" href="conf_files/krb5_conf.html#libdefaults"><span class="std std-ref">[libdefaults]</span></a> to a +list of allowed groups. 
This variable affects both the client and the +KDC. Simply setting it to <code class="docutils literal"><span class="pre">edwards25519</span></code> is recommended:</p> +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">libdefaults</span><span class="p">]</span> + <span class="n">spake_preauth_groups</span> <span class="o">=</span> <span class="n">edwards25519</span> +</pre></div> +</div> +<p>Set the <strong>+requires_preauth</strong> and <strong>-allow_svr</strong> flags on client +principal entries, as you would for any preauthentication mechanism:</p> +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">modprinc</span> <span class="o">+</span><span class="n">requires_preauth</span> <span class="o">-</span><span class="n">allow_svr</span> <span class="n">PRINCNAME</span> +</pre></div> +</div> +<p>Clients which do not implement SPAKE preauthentication will fall back +to encrypted timestamp.</p> +<p>An active attacker can force a fallback to encrypted timestamp by +modifying the initial KDC response, defeating the protection against +dictionary attacks. To prevent this fallback on clients which do +implement SPAKE preauthentication, set the +<strong>disable_encrypted_timestamp</strong> variable to <code class="docutils literal"><span class="pre">true</span></code> in the +<a class="reference internal" href="conf_files/krb5_conf.html#realms"><span class="std std-ref">[realms]</span></a> subsection for realms whose KDCs offer SPAKE +preauthentication.</p> +<p>By default, SPAKE preauthentication requires an extra network round +trip to the KDC during initial authentication. 
If most of the clients +in a realm support SPAKE, this extra round trip can be eliminated +using an optimistic challenge, by setting the +<strong>spake_preauth_kdc_challenge</strong> variable in <a class="reference internal" href="conf_files/kdc_conf.html#kdcdefaults"><span class="std std-ref">[kdcdefaults]</span></a> to a +single group name:</p> +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">kdcdefaults</span><span class="p">]</span> + <span class="n">spake_preauth_kdc_challenge</span> <span class="o">=</span> <span class="n">edwards25519</span> +</pre></div> +</div> +<p>Using optimistic challenge will cause the KDC to do extra work for +initial authentication requests that do not result in SPAKE +preauthentication, but will save work when SPAKE preauthentication is +used.</p> +</div> + + + </div> + </div> + </div> + </div> + <div class="sidebar"> + <h2>On this page</h2> + <ul> +<li><a class="reference internal" href="#">SPAKE Preauthentication</a></li> +</ul> + + <br/> + <h2>Table of contents</h2> + <ul class="current"> +<li class="toctree-l1"><a class="reference internal" href="../user/index.html">For users</a></li> +<li class="toctree-l1 current"><a class="reference internal" href="index.html">For administrators</a><ul class="current"> +<li class="toctree-l2"><a class="reference internal" href="install.html">Installation guide</a></li> +<li class="toctree-l2"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li> +<li class="toctree-l2"><a class="reference internal" href="realm_config.html">Realm configuration decisions</a></li> +<li class="toctree-l2"><a class="reference internal" href="database.html">Database administration</a></li> +<li class="toctree-l2"><a class="reference internal" href="dbtypes.html">Database types</a></li> +<li class="toctree-l2"><a class="reference internal" href="lockout.html">Account lockout</a></li> +<li class="toctree-l2"><a 
class="reference internal" href="conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li> +<li class="toctree-l2"><a class="reference internal" href="appl_servers.html">Application servers</a></li> +<li class="toctree-l2"><a class="reference internal" href="host_config.html">Host configuration</a></li> +<li class="toctree-l2"><a class="reference internal" href="backup_host.html">Backups of secure hosts</a></li> +<li class="toctree-l2"><a class="reference internal" href="pkinit.html">PKINIT configuration</a></li> +<li class="toctree-l2"><a class="reference internal" href="otp.html">OTP Preauthentication</a></li> +<li class="toctree-l2 current"><a class="current reference internal" href="#">SPAKE Preauthentication</a></li> +<li class="toctree-l2"><a class="reference internal" href="dictionary.html">Addressing dictionary attack risks</a></li> +<li class="toctree-l2"><a class="reference internal" href="princ_dns.html">Principal names and DNS</a></li> +<li class="toctree-l2"><a class="reference internal" href="enctypes.html">Encryption types</a></li> +<li class="toctree-l2"><a class="reference internal" href="https.html">HTTPS proxy configuration</a></li> +<li class="toctree-l2"><a class="reference internal" href="auth_indicator.html">Authentication indicators</a></li> +<li class="toctree-l2"><a class="reference internal" href="admin_commands/index.html">Administration programs</a></li> +<li class="toctree-l2"><a class="reference internal" href="../mitK5defaults.html">MIT Kerberos defaults</a></li> +<li class="toctree-l2"><a class="reference internal" href="env_variables.html">Environment variables</a></li> +<li class="toctree-l2"><a class="reference internal" href="troubleshoot.html">Troubleshooting</a></li> +<li class="toctree-l2"><a class="reference internal" href="advanced/index.html">Advanced topics</a></li> +<li class="toctree-l2"><a class="reference internal" href="various_envs.html">Various links</a></li> +</ul> +</li> +<li class="toctree-l1"><a 
class="reference internal" href="../appdev/index.html">For application developers</a></li> +<li class="toctree-l1"><a class="reference internal" href="../plugindev/index.html">For plugin module developers</a></li> +<li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li> +<li class="toctree-l1"><a class="reference internal" href="../basic/index.html">Kerberos V5 concepts</a></li> +<li class="toctree-l1"><a class="reference internal" href="../formats/index.html">Protocols and file formats</a></li> +<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li> +<li class="toctree-l1"><a class="reference internal" href="../build_this.html">How to build this documentation from the source</a></li> +<li class="toctree-l1"><a class="reference internal" href="../about.html">Contributing to the MIT Kerberos Documentation</a></li> +<li class="toctree-l1"><a class="reference internal" href="../resources.html">Resources</a></li> +</ul> + + <br/> + <h4><a href="../index.html">Full Table of Contents</a></h4> + <h4>Search</h4> + <form class="search" action="../search.html" method="get"> + <input type="text" name="q" size="18" /> + <input type="submit" value="Go" /> + <input type="hidden" name="check_keywords" value="yes" /> + <input type="hidden" name="area" value="default" /> + </form> + </div> + <div class="clearer"></div> + </div> + </div> + + <div class="footer-wrapper"> + <div class="footer" > + <div class="right" ><i>Release: 1.21.1</i><br /> + © <a href="../copyright.html">Copyright</a> 1985-2023, MIT. 
+ </div> + <div class="left"> + + <a href="../index.html" title="Full Table of Contents" + >Contents</a> | + <a href="otp.html" title="OTP Preauthentication" + >previous</a> | + <a href="dictionary.html" title="Addressing dictionary attack risks" + >next</a> | + <a href="../genindex.html" title="General Index" + >index</a> | + <a href="../search.html" title="Enter search criteria" + >Search</a> | + <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__SPAKE Preauthentication">feedback</a> + </div> + </div> + </div> + + </body> +</html>
\ No newline at end of file
diff --git a/doc/html/admin/troubleshoot.html b/doc/html/admin/troubleshoot.html
index 96d17b09d369..4d93b0d9beaf 100644
--- a/doc/html/admin/troubleshoot.html
+++ b/doc/html/admin/troubleshoot.html
@@ -1,33 +1,31 @@
+
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-
 <html xmlns="http://www.w3.org/1999/xhtml">
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
-
- <title>Troubleshooting — MIT Kerberos Documentation</title>
-
+ <title>Troubleshooting — MIT Kerberos Documentation</title>
 <link rel="stylesheet" href="../_static/agogo.css" type="text/css" />
 <link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
 <link rel="stylesheet" href="../_static/kerb.css" type="text/css" />
-
 <script type="text/javascript">
 var DOCUMENTATION_OPTIONS = {
 URL_ROOT: '../',
- VERSION: '1.16',
+ VERSION: '1.21.1',
 COLLAPSE_INDEX: false,
 FILE_SUFFIX: '.html',
- HAS_SOURCE: true
+ HAS_SOURCE: true,
+ SOURCELINK_SUFFIX: '.txt'
 };
 </script>
 <script type="text/javascript" src="../_static/jquery.js"></script>
 <script type="text/javascript" src="../_static/underscore.js"></script>
 <script type="text/javascript" src="../_static/doctools.js"></script>
 <link rel="author" title="About these documents" href="../about.html" />
+ <link rel="index" title="Index" href="../genindex.html" />
+ <link rel="search" title="Search" href="../search.html" />
 <link rel="copyright" title="Copyright" href="../copyright.html" />
- <link rel="top" title="MIT Kerberos Documentation" href="../index.html" />
- <link rel="up" title="For administrators" href="index.html" />
 <link rel="next" title="Advanced topics" href="advanced/index.html" />
 <link rel="prev" title="Environment variables" href="env_variables.html" />
 </head>
@@ -61,7 +59,7 @@
 <div class="documentwrapper">
 <div class="bodywrapper">
- <div class="body">
+ <div class="body" role="main">
 <div class="section" id="troubleshooting">
 <span id="troubleshoot"></span><h1>Troubleshooting<a class="headerlink" href="#troubleshooting" title="Permalink to this headline">¶</a></h1>
@@ -71,22 +69,22 @@ information about internal krb5 library operations using trace logging. To enable this, set the <strong>KRB5_TRACE</strong> environment variable to a filename before running the program. On many operating systems, -the filename <tt class="docutils literal"><span class="pre">/dev/stdout</span></tt> can be used to send trace logging output +the filename <code class="docutils literal"><span class="pre">/dev/stdout</span></code> can be used to send trace logging output to standard output.</p> <p>Some programs do not honor <strong>KRB5_TRACE</strong>, either because they use secure library contexts (this generally applies to setuid programs and parts of the login system) or because they take direct control of the trace logging system using the API.</p> <p>Here is a short example showing trace logging output for an invocation -of the <a class="reference internal" href="../user/user_commands/kvno.html#kvno-1"><em>kvno</em></a> command:</p> -<div class="highlight-python"><div class="highlight"><pre>shell% env KRB5_TRACE=/dev/stdout kvno krbtgt/KRBTEST.COM -[9138] 1332348778.823276: Getting credentials user@KRBTEST.COM -> - krbtgt/KRBTEST.COM@KRBTEST.COM using ccache - FILE:/me/krb5/build/testdir/ccache -[9138] 1332348778.823381: Retrieving user@KRBTEST.COM -> - krbtgt/KRBTEST.COM@KRBTEST.COM from - FILE:/me/krb5/build/testdir/ccache with result: 0/Unknown code 0 -krbtgt/KRBTEST.COM@KRBTEST.COM: kvno = 1 +of the <a class="reference internal" href="../user/user_commands/kvno.html#kvno-1"><span class="std std-ref">kvno</span></a> command:</p> +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">shell</span><span class="o">%</span> <span class="n">env</span> <span class="n">KRB5_TRACE</span><span class="o">=/</span><span class="n">dev</span><span class="o">/</span><span class="n">stdout</span> <span class="n">kvno</span> <span class="n">krbtgt</span><span class="o">/</span><span class="n">KRBTEST</span><span 
class="o">.</span><span class="n">COM</span> +<span class="p">[</span><span class="mi">9138</span><span class="p">]</span> <span class="mf">1332348778.823276</span><span class="p">:</span> <span class="n">Getting</span> <span class="n">credentials</span> <span class="n">user</span><span class="nd">@KRBTEST</span><span class="o">.</span><span class="n">COM</span> <span class="o">-></span> + <span class="n">krbtgt</span><span class="o">/</span><span class="n">KRBTEST</span><span class="o">.</span><span class="n">COM</span><span class="nd">@KRBTEST</span><span class="o">.</span><span class="n">COM</span> <span class="n">using</span> <span class="n">ccache</span> + <span class="n">FILE</span><span class="p">:</span><span class="o">/</span><span class="n">me</span><span class="o">/</span><span class="n">krb5</span><span class="o">/</span><span class="n">build</span><span class="o">/</span><span class="n">testdir</span><span class="o">/</span><span class="n">ccache</span> +<span class="p">[</span><span class="mi">9138</span><span class="p">]</span> <span class="mf">1332348778.823381</span><span class="p">:</span> <span class="n">Retrieving</span> <span class="n">user</span><span class="nd">@KRBTEST</span><span class="o">.</span><span class="n">COM</span> <span class="o">-></span> + <span class="n">krbtgt</span><span class="o">/</span><span class="n">KRBTEST</span><span class="o">.</span><span class="n">COM</span><span class="nd">@KRBTEST</span><span class="o">.</span><span class="n">COM</span> <span class="kn">from</span> + <span class="nn">FILE</span><span class="p">:</span><span class="o">/</span><span class="n">me</span><span class="o">/</span><span class="n">krb5</span><span class="o">/</span><span class="n">build</span><span class="o">/</span><span class="n">testdir</span><span class="o">/</span><span class="n">ccache</span> <span class="k">with</span> <span class="n">result</span><span class="p">:</span> <span class="mi">0</span><span class="o">/</span><span 
class="n">Unknown</span> <span class="n">code</span> <span class="mi">0</span> +<span class="n">krbtgt</span><span class="o">/</span><span class="n">KRBTEST</span><span class="o">.</span><span class="n">COM</span><span class="nd">@KRBTEST</span><span class="o">.</span><span class="n">COM</span><span class="p">:</span> <span class="n">kvno</span> <span class="o">=</span> <span class="mi">1</span> </pre></div> </div> </div> 
@@ -95,17 +93,17 @@ krbtgt/KRBTEST.COM@KRBTEST.COM: kvno = 1
 <div class="section" id="frequently-seen-errors">
 <h3>Frequently seen errors<a class="headerlink" href="#frequently-seen-errors" title="Permalink to this headline">¶</a></h3>
 <ol class="arabic simple">
-<li><a class="reference internal" href="#init-creds-etype-nosupp"><em>KDC has no support for encryption type while getting initial credentials</em></a></li>
-<li><a class="reference internal" href="#cert-chain-etype-nosupp"><em>credential verification failed: KDC has no support for encryption type</em></a></li>
-<li><a class="reference internal" href="#err-cert-chain-cert-expired"><em>Cannot create cert chain: certificate has expired</em></a></li>
+<li><a class="reference internal" href="#init-creds-etype-nosupp"><span class="std std-ref">KDC has no support for encryption type while getting initial credentials</span></a></li>
+<li><a class="reference internal" href="#cert-chain-etype-nosupp"><span class="std std-ref">credential verification failed: KDC has no support for encryption type</span></a></li>
+<li><a class="reference internal" href="#err-cert-chain-cert-expired"><span class="std std-ref">Cannot create cert chain: certificate has expired</span></a></li>
 </ol>
 </div>
 <div class="section" id="errors-seen-by-admins">
 <h3>Errors seen by admins<a class="headerlink" href="#errors-seen-by-admins" title="Permalink to this headline">¶</a></h3>
 <ol class="arabic simple" id="prop-failed-start">
-<li><a class="reference internal" href="#kprop-no-route"><em>kprop: No route to host while connecting to server</em></a></li>
-<li><a class="reference internal" href="#kprop-con-refused"><em>kprop: Connection refused while connecting to server</em></a></li>
-<li><a class="reference internal" href="#kprop-sendauth-exchange"><em>kprop: Server rejected authentication (during sendauth exchange) while authenticating to server</em></a></li>
+<li><a class="reference internal" href="#kprop-no-route"><span class="std std-ref">kprop: No route to host while connecting to server</span></a></li>
+<li><a class="reference internal" href="#kprop-con-refused"><span class="std std-ref">kprop: Connection refused while connecting to server</span></a></li>
+<li><a class="reference internal" href="#kprop-sendauth-exchange"><span class="std std-ref">kprop: Server rejected authentication (during sendauth exchange) while authenticating to server</span></a></li>
 </ol>
 <hr class="docutils" id="prop-failed-end" />
 <div class="section" id="kdc-has-no-support-for-encryption-type-while-getting-initial-credentials">
@@ -117,8 +115,8 @@ krbtgt/KRBTEST.COM@KRBTEST.COM: kvno = 1
 DES keys, in a release (MIT krb5 1.7 or later) which disables DES by default. DES encryption is considered weak due to its inadequate key size. If you cannot migrate away from its use, you can re-enable DES
-by adding <tt class="docutils literal"><span class="pre">allow_weak_crypto</span> <span class="pre">=</span> <span class="pre">true</span></tt> to the <a class="reference internal" href="conf_files/krb5_conf.html#libdefaults"><em>[libdefaults]</em></a>
-section of <a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a>.</p>
+by adding <code class="docutils literal"><span class="pre">allow_weak_crypto</span> <span class="pre">=</span> <span class="pre">true</span></code> to the <a class="reference internal" href="conf_files/krb5_conf.html#libdefaults"><span class="std std-ref">[libdefaults]</span></a>
+section of <a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a>.</p>
 </div>
 <div class="section" id="cannot-create-cert-chain-certificate-has-expired">
 <span id="err-cert-chain-cert-expired"></span><h4>Cannot create cert chain: certificate has expired<a class="headerlink" href="#cannot-create-cert-chain-certificate-has-expired" title="Permalink to this headline">¶</a></h4>
@@ -126,39 +124,39 @@ section of <a class="reference internal" href="conf_files/krb5_conf.html#krb5-co the client certificate, KDC certificate, or one of the certificates in the signing chain above them has expired.</p> <p>If the KDC certificate has expired, this message appears in the KDC -log file, and the client will receive a “Preauthentication failed” +log file, and the client will receive a “Preauthentication failed” error. (Prior to release 1.11, the KDC log file message erroneously -appears as “Out of memory”. Prior to release 1.12, the client will -receive a “Generic error”.)</p> +appears as “Out of memory”. Prior to release 1.12, the client will +receive a “Generic error”.)</p> <p>If the client or a signing certificate has expired, this message may -appear in <a class="reference internal" href="#trace-logging">trace_logging</a> output from <a class="reference internal" href="../user/user_commands/kinit.html#kinit-1"><em>kinit</em></a> or, starting in +appear in <a class="reference internal" href="#trace-logging">trace_logging</a> output from <a class="reference internal" href="../user/user_commands/kinit.html#kinit-1"><span class="std std-ref">kinit</span></a> or, starting in release 1.12, as an error message from kinit or another program which gets initial tickets. 
The error message is more likely to appear properly on the client if the principal entry has no long-term keys.</p> </div> <div class="section" id="kprop-no-route-to-host-while-connecting-to-server"> <span id="kprop-no-route"></span><h4>kprop: No route to host while connecting to server<a class="headerlink" href="#kprop-no-route-to-host-while-connecting-to-server" title="Permalink to this headline">¶</a></h4> -<p>Make sure that the hostname of the slave (as given to kprop) is -correct, and that any firewalls between the master and the slave allow -a connection on port 754.</p> +<p>Make sure that the hostname of the replica KDC (as given to kprop) is +correct, and that any firewalls between the primary and the replica +allow a connection on port 754.</p> </div> <div class="section" id="kprop-connection-refused-while-connecting-to-server"> <span id="kprop-con-refused"></span><h4>kprop: Connection refused while connecting to server<a class="headerlink" href="#kprop-connection-refused-while-connecting-to-server" title="Permalink to this headline">¶</a></h4> -<p>If the slave is intended to run kpropd out of inetd, make sure that -inetd is configured to accept krb5_prop connections. inetd may need -to be restarted or sent a SIGHUP to recognize the new configuration. -If the slave is intended to run kpropd in standalone mode, make sure -that it is running.</p> +<p>If the replica KDC is intended to run kpropd out of inetd, make sure +that inetd is configured to accept krb5_prop connections. inetd may +need to be restarted or sent a SIGHUP to recognize the new +configuration. 
If the replica is intended to run kpropd in standalone
+mode, make sure that it is running.</p>
 </div>
 <div class="section" id="kprop-server-rejected-authentication-during-sendauth-exchange-while-authenticating-to-server">
 <span id="kprop-sendauth-exchange"></span><h4>kprop: Server rejected authentication (during sendauth exchange) while authenticating to server<a class="headerlink" href="#kprop-server-rejected-authentication-during-sendauth-exchange-while-authenticating-to-server" title="Permalink to this headline">¶</a></h4>
 <p>Make sure that:</p>
 <ol class="arabic simple">
-<li>The time is synchronized between the master and slave KDCs.</li>
-<li>The master stash file was copied from the master to the expected
-location on the slave.</li>
-<li>The slave has a keytab file in the default location containing a
-<tt class="docutils literal"><span class="pre">host</span></tt> principal for the slave’s hostname.</li>
+<li>The time is synchronized between the primary and replica KDCs.</li>
+<li>The master stash file was copied from the primary to the expected
+location on the replica.</li>
+<li>The replica has a keytab file in the default location containing a
+<code class="docutils literal"><span class="pre">host</span></code> principal for the replica’s hostname.</li>
 </ol>
 </div>
 </div>
@@ -201,6 +199,7 @@ location on the slave.</li>
 <li class="toctree-l2"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li>
 <li class="toctree-l2"><a class="reference internal" href="realm_config.html">Realm configuration decisions</a></li>
 <li class="toctree-l2"><a class="reference internal" href="database.html">Database administration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="dbtypes.html">Database types</a></li>
 <li class="toctree-l2"><a class="reference internal" href="lockout.html">Account lockout</a></li>
 <li class="toctree-l2"><a class="reference internal" href="conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
 <li class="toctree-l2"><a class="reference internal" href="appl_servers.html">Application servers</a></li>
@@ -208,6 +207,8 @@ location on the slave.</li>
 <li class="toctree-l2"><a class="reference internal" href="backup_host.html">Backups of secure hosts</a></li>
 <li class="toctree-l2"><a class="reference internal" href="pkinit.html">PKINIT configuration</a></li>
 <li class="toctree-l2"><a class="reference internal" href="otp.html">OTP Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="spake.html">SPAKE Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="dictionary.html">Addressing dictionary attack risks</a></li>
 <li class="toctree-l2"><a class="reference internal" href="princ_dns.html">Principal names and DNS</a></li>
 <li class="toctree-l2"><a class="reference internal" href="enctypes.html">Encryption types</a></li>
 <li class="toctree-l2"><a class="reference internal" href="https.html">HTTPS proxy configuration</a></li>
@@ -215,9 +216,7 @@ location on the slave.</li>
 <li class="toctree-l2"><a class="reference internal" href="admin_commands/index.html">Administration programs</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../mitK5defaults.html">MIT Kerberos defaults</a></li>
 <li class="toctree-l2"><a class="reference internal" href="env_variables.html">Environment variables</a></li>
-<li class="toctree-l2 current"><a class="current reference internal" href="">Troubleshooting</a><ul class="simple">
-</ul>
-</li>
+<li class="toctree-l2 current"><a class="current reference internal" href="#">Troubleshooting</a></li>
 <li class="toctree-l2"><a class="reference internal" href="advanced/index.html">Advanced topics</a></li>
 <li class="toctree-l2"><a class="reference internal" href="various_envs.html">Various links</a></li>
 </ul>
@@ -249,8 +248,8 @@ location on the slave.</li>
 <div class="footer-wrapper">
 <div class="footer" >
- <div class="right" ><i>Release: 1.16</i><br />
- © <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
+ <div class="right" ><i>Release: 1.21.1</i><br />
+ © <a href="../copyright.html">Copyright</a> 1985-2023, MIT.
 </div>
 <div class="left">
diff --git a/doc/html/admin/various_envs.html b/doc/html/admin/various_envs.html
index 7dfb6478b4e0..f2b6b573b193 100644
--- a/doc/html/admin/various_envs.html
+++ b/doc/html/admin/various_envs.html
@@ -1,33 +1,31 @@
+
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-
 <html xmlns="http://www.w3.org/1999/xhtml">
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
-
- <title>Various links — MIT Kerberos Documentation</title>
-
+ <title>Various links — MIT Kerberos Documentation</title>
 <link rel="stylesheet" href="../_static/agogo.css" type="text/css" />
 <link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
 <link rel="stylesheet" href="../_static/kerb.css" type="text/css" />
-
 <script type="text/javascript">
 var DOCUMENTATION_OPTIONS = {
 URL_ROOT: '../',
- VERSION: '1.16',
+ VERSION: '1.21.1',
 COLLAPSE_INDEX: false,
 FILE_SUFFIX: '.html',
- HAS_SOURCE: true
+ HAS_SOURCE: true,
+ SOURCELINK_SUFFIX: '.txt'
 };
 </script>
 <script type="text/javascript" src="../_static/jquery.js"></script>
 <script type="text/javascript" src="../_static/underscore.js"></script>
 <script type="text/javascript" src="../_static/doctools.js"></script>
 <link rel="author" title="About these documents" href="../about.html" />
+ <link rel="index" title="Index" href="../genindex.html" />
+ <link rel="search" title="Search" href="../search.html" />
 <link rel="copyright" title="Copyright" href="../copyright.html" />
- <link rel="top" title="MIT Kerberos Documentation" href="../index.html" />
- <link rel="up" title="For administrators" href="index.html" />
 <link rel="next" title="For application developers" href="../appdev/index.html" />
 <link rel="prev" title="Retiring DES" href="advanced/retiring-des.html" />
 </head>
@@ -61,33 +59,30 @@ <div class="documentwrapper"> <div class="bodywrapper"> - <div class="body"> + <div class="body" role="main"> <div class="section" id="various-links"> <h1>Various links<a class="headerlink" href="#various-links" title="Permalink to this headline">¶</a></h1> <div class="section" id="whitepapers"> <h2>Whitepapers<a class="headerlink" href="#whitepapers" title="Permalink to this headline">¶</a></h2> <ol class="arabic simple"> -<li><a class="reference external" href="http://kerberos.org/software/whitepapers.html">http://kerberos.org/software/whitepapers.html</a></li> +<li><a class="reference external" href="https://kerberos.org/software/whitepapers.html">https://kerberos.org/software/whitepapers.html</a></li> </ol> </div> <div class="section" id="tutorials"> <h2>Tutorials<a class="headerlink" href="#tutorials" title="Permalink to this headline">¶</a></h2> <ol class="arabic simple"> -<li>Fulvio Ricciardi <<a class="reference external" href="http://www.kerberos.org/software/tutorial.html">http://www.kerberos.org/software/tutorial.html</a>>_</li> +<li>Fulvio Ricciardi <<a class="reference external" href="https://www.kerberos.org/software/tutorial.html">https://www.kerberos.org/software/tutorial.html</a>>_</li> </ol> </div> <div class="section" id="troubleshooting"> <h2>Troubleshooting<a class="headerlink" href="#troubleshooting" title="Permalink to this headline">¶</a></h2> <ol class="arabic simple"> -<li><a class="reference external" href="http://www.ncsa.illinois.edu/UserInfo/Resources/Software/kerberos/troubleshooting.html">http://www.ncsa.illinois.edu/UserInfo/Resources/Software/kerberos/troubleshooting.html</a></li> -<li><a class="reference external" href="http://nfsv4.bullopensource.org/doc/kerberosnfs/krbnfs_howto_v3.pdf">http://nfsv4.bullopensource.org/doc/kerberosnfs/krbnfs_howto_v3.pdf</a></li> -<li><a class="reference external" href="http://sysdoc.doors.ch/HP/T1417-90005.pdf">http://sysdoc.doors.ch/HP/T1417-90005.pdf</a></li> -<li><a 
class="reference external" href="http://www.shrubbery.net/solaris9ab/SUNWaadm/SYSADV6/p27.html">http://www.shrubbery.net/solaris9ab/SUNWaadm/SYSADV6/p27.html</a></li> -<li><a class="reference external" href="http://download.oracle.com/docs/cd/E19253-01/816-4557/trouble-1/index.html">http://download.oracle.com/docs/cd/E19253-01/816-4557/trouble-1/index.html</a></li> -<li><a class="reference external" href="http://technet.microsoft.com/en-us/library/bb463167.aspx#EBAA">http://technet.microsoft.com/en-us/library/bb463167.aspx#EBAA</a></li> +<li><a class="reference external" href="https://wiki.ncsa.illinois.edu/display/ITS/Windows+Kerberos+Troubleshooting">https://wiki.ncsa.illinois.edu/display/ITS/Windows+Kerberos+Troubleshooting</a></li> +<li><a class="reference external" href="https://www.shrubbery.net/solaris9ab/SUNWaadm/SYSADV6/p27.html">https://www.shrubbery.net/solaris9ab/SUNWaadm/SYSADV6/p27.html</a></li> +<li><a class="reference external" href="https://docs.oracle.com/cd/E19253-01/816-4557/trouble-1/index.html">https://docs.oracle.com/cd/E19253-01/816-4557/trouble-1/index.html</a></li> +<li><a class="reference external" href="https://docs.microsoft.com/en-us/previous-versions/tn-archive/bb463167(v=technet.10">https://docs.microsoft.com/en-us/previous-versions/tn-archive/bb463167(v=technet.10</a>)#EBAA</li> <li><a class="reference external" href="https://bugs.launchpad.net/ubuntu/+source/libpam-heimdal/+bug/86528">https://bugs.launchpad.net/ubuntu/+source/libpam-heimdal/+bug/86528</a></li> -<li><a class="reference external" href="http://h71000.www7.hp.com/doc/83final/ba548_90007/ch06s05.html">http://h71000.www7.hp.com/doc/83final/ba548_90007/ch06s05.html</a></li> </ol> </div> </div> 
@@ -117,6 +112,7 @@ <li class="toctree-l2"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li> <li class="toctree-l2"><a class="reference internal" href="realm_config.html">Realm configuration decisions</a></li> <li class="toctree-l2"><a class="reference internal" href="database.html">Database administration</a></li> +<li class="toctree-l2"><a class="reference internal" href="dbtypes.html">Database types</a></li> <li class="toctree-l2"><a class="reference internal" href="lockout.html">Account lockout</a></li> <li class="toctree-l2"><a class="reference internal" href="conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li> <li class="toctree-l2"><a class="reference internal" href="appl_servers.html">Application servers</a></li> @@ -124,6 +120,8 @@ <li class="toctree-l2"><a class="reference internal" href="backup_host.html">Backups of secure hosts</a></li> <li class="toctree-l2"><a class="reference internal" href="pkinit.html">PKINIT configuration</a></li> <li class="toctree-l2"><a class="reference internal" href="otp.html">OTP Preauthentication</a></li> +<li class="toctree-l2"><a class="reference internal" href="spake.html">SPAKE Preauthentication</a></li> +<li class="toctree-l2"><a class="reference internal" href="dictionary.html">Addressing dictionary attack risks</a></li> <li class="toctree-l2"><a class="reference internal" href="princ_dns.html">Principal names and DNS</a></li> <li class="toctree-l2"><a class="reference internal" href="enctypes.html">Encryption types</a></li> <li class="toctree-l2"><a class="reference internal" href="https.html">HTTPS proxy configuration</a></li> 
@@ -133,9 +131,7 @@ <li class="toctree-l2"><a class="reference internal" href="env_variables.html">Environment variables</a></li> <li class="toctree-l2"><a class="reference internal" href="troubleshoot.html">Troubleshooting</a></li> <li class="toctree-l2"><a class="reference internal" href="advanced/index.html">Advanced topics</a></li> -<li class="toctree-l2 current"><a class="current reference internal" href="">Various links</a><ul class="simple"> -</ul> -</li> +<li class="toctree-l2 current"><a class="current reference internal" href="#">Various links</a></li> </ul> </li> <li class="toctree-l1"><a class="reference internal" href="../appdev/index.html">For application developers</a></li> @@ -165,8 +161,8 @@ <div class="footer-wrapper"> <div class="footer" > - <div class="right" ><i>Release: 1.16</i><br /> - © <a href="../copyright.html">Copyright</a> 1985-2017, MIT. + <div class="right" ><i>Release: 1.21.1</i><br /> + © <a href="../copyright.html">Copyright</a> 1985-2023, MIT. </div> <div class="left"> |
