Diffstat (limited to 'doc/html/admin/conf_files/kdc_conf.html')
| -rw-r--r-- | doc/html/admin/conf_files/kdc_conf.html | 149 |
1 files changed, 70 insertions, 79 deletions
diff --git a/doc/html/admin/conf_files/kdc_conf.html b/doc/html/admin/conf_files/kdc_conf.html index dc6876d608ec..e6bc02ccbb55 100644 --- a/doc/html/admin/conf_files/kdc_conf.html +++ b/doc/html/admin/conf_files/kdc_conf.html @@ -1,19 +1,17 @@ - <!DOCTYPE html> -<html> +<html lang="en" data-content_root="../../"> <head> <meta charset="utf-8" /> - <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.17.1: http://docutils.sourceforge.net/" /> + <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" /> <title>kdc.conf — MIT Kerberos Documentation</title> - <link rel="stylesheet" type="text/css" href="../../_static/pygments.css" /> - <link rel="stylesheet" type="text/css" href="../../_static/agogo.css" /> - <link rel="stylesheet" type="text/css" href="../../_static/kerb.css" /> - <script data-url_root="../../" id="documentation_options" src="../../_static/documentation_options.js"></script> - <script src="../../_static/jquery.js"></script> - <script src="../../_static/underscore.js"></script> - <script src="../../_static/doctools.js"></script> + <link rel="stylesheet" type="text/css" href="../../_static/pygments.css?v=fa44fd50" /> + <link rel="stylesheet" type="text/css" href="../../_static/agogo.css?v=879f3c71" /> + <link rel="stylesheet" type="text/css" href="../../_static/kerb.css?v=6a0b3979" /> + <script src="../../_static/documentation_options.js?v=236fef3b"></script> + <script src="../../_static/doctools.js?v=888ff710"></script> + <script src="../../_static/sphinx_highlight.js?v=dc90522c"></script> <link rel="author" title="About these documents" href="../../about.html" /> <link rel="index" title="Index" href="../../genindex.html" /> <link rel="search" title="Search" href="../../search.html" /> 
@@ -53,7 +51,7 @@ <div class="body" role="main"> <section id="kdc-conf"> -<span id="kdc-conf-5"></span><h1>kdc.conf<a class="headerlink" href="#kdc-conf" title="Permalink to this headline">¶</a></h1> +<span id="kdc-conf-5"></span><h1>kdc.conf<a class="headerlink" href="#kdc-conf" title="Link to this heading">¶</a></h1> <p>The kdc.conf file supplements <a class="reference internal" href="krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a> for programs which are typically only used on a KDC, such as the <a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a> and <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> daemons and the <a class="reference internal" href="../admin_commands/kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a> program. 
@@ -66,18 +64,14 @@ environment variable <strong>KRB5_KDC_PROFILE</strong>.</p> <p>Please note that you need to restart the KDC daemon for any configuration changes to take effect.</p> <section id="structure"> -<h2>Structure<a class="headerlink" href="#structure" title="Permalink to this headline">¶</a></h2> +<h2>Structure<a class="headerlink" href="#structure" title="Link to this heading">¶</a></h2> <p>The kdc.conf file is set up in the same format as the <a class="reference internal" href="krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a> file.</p> </section> <section id="sections"> -<h2>Sections<a class="headerlink" href="#sections" title="Permalink to this headline">¶</a></h2> +<h2>Sections<a class="headerlink" href="#sections" title="Link to this heading">¶</a></h2> <p>The kdc.conf file may contain the following sections:</p> <table class="docutils align-default"> -<colgroup> -<col style="width: 29%" /> -<col style="width: 71%" /> -</colgroup> <tbody> <tr class="row-odd"><td><p><a class="reference internal" href="#kdcdefaults"><span class="std std-ref">[kdcdefaults]</span></a></p></td> <td><p>Default values for KDC behavior</p></td> @@ -97,7 +91,7 @@ changes to take effect.</p> </tbody> </table> <section id="kdcdefaults"> -<span id="id1"></span><h3>[kdcdefaults]<a class="headerlink" href="#kdcdefaults" title="Permalink to this headline">¶</a></h3> +<span id="id1"></span><h3>[kdcdefaults]<a class="headerlink" href="#kdcdefaults" title="Link to this heading">¶</a></h3> <p>Some relations in the [kdcdefaults] section specify default values for realm variables, to be used if the [realms] subsection does not contain a relation for the tag. See the <a class="reference internal" href="#kdc-realms"><span class="std std-ref">[realms]</span></a> section for 
@@ -128,7 +122,7 @@ challenge. (New in release 1.17.)</p> </dl> </section> <section id="realms"> -<span id="kdc-realms"></span><h3>[realms]<a class="headerlink" href="#realms" title="Permalink to this headline">¶</a></h3> +<span id="kdc-realms"></span><h3>[realms]<a class="headerlink" href="#realms" title="Link to this heading">¶</a></h3> <p>Each tag in the [realms] section is the name of a Kerberos realm. The value of the tag is a subsection where the relations define KDC parameters for that particular realm. The following example shows how 
@@ -306,14 +300,16 @@ default value will not use values from the [dbmodules] section.)</p> </dd> <dt><strong>kadmind_listen</strong></dt><dd><p>(Whitespace- or comma-separated list.) Specifies the kadmin RPC listening addresses and/or ports for the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> daemon. -Each entry may be an interface address, a port number, or an -address and port number separated by a colon. If the address -contains colons, enclose it in square brackets. If no address is -specified, the wildcard address is used. If kadmind fails to bind -to any of the specified addresses, it will fail to start. The -default is to bind to the wildcard address at the port specified -in <strong>kadmind_port</strong>, or the standard kadmin port (749). New in -release 1.15.</p> +Each entry may be an interface address, a port number, an address +and port number separated by a colon, or a UNIX domain socket +pathname. If the address contains colons, enclose it in square +brackets. If no address is specified, the wildcard address is +used. To disable listening for kadmin RPC connections, set this +relation to the empty string with <code class="docutils literal notranslate"><span class="pre">kadmind_listen</span> <span class="pre">=</span> <span class="pre">""</span></code>. If +kadmind fails to bind to any of the specified addresses, it will +fail to start. The default is to bind to the wildcard address at +the port specified in <strong>kadmind_port</strong>, or the standard kadmin +port (749). New in release 1.15.</p> </dd> <dt><strong>kadmind_port</strong></dt><dd><p>(Port number.) Specifies the port on which the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> daemon is to listen for this realm. Port numbers specified in 
@@ -323,16 +319,18 @@ assigned port for kadmind is 749, which is used by default.</p> <dt><strong>key_stash_file</strong></dt><dd><p>(String.) Specifies the location where the master key has been stored (via kdb5_util stash). The default is <a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">LOCALSTATEDIR</span></a><code class="docutils literal notranslate"><span class="pre">/krb5kdc</span></code><code class="docutils literal notranslate"><span class="pre">/.k5.REALM</span></code>, where <em>REALM</em> is the Kerberos realm.</p> </dd> -<dt><strong>kdc_listen</strong></dt><dd><p>(Whitespace- or comma-separated list.) Specifies the UDP -listening addresses and/or ports for the <a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a> daemon. -Each entry may be an interface address, a port number, or an -address and port number separated by a colon. If the address -contains colons, enclose it in square brackets. If no address is -specified, the wildcard address is used. If no port is specified, -the standard port (88) is used. If the KDC daemon fails to bind -to any of the specified addresses, it will fail to start. The -default is to bind to the wildcard address on the standard port. -New in release 1.15.</p> +<dt><strong>kdc_listen</strong></dt><dd><p>(Whitespace- or comma-separated list.) Specifies the listening +addresses and/or ports for the <a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a> daemon. Each +entry may be an interface address, a port number, an address and +port number separated by a colon, or a UNIX domain socket +pathname. If the address contains colons, enclose it in square +brackets. If no address is specified, the wildcard address is +used. If no port is specified, the standard port (88) is used. 
+To disable listening on UDP, set this relation to the empty string +with <code class="docutils literal notranslate"><span class="pre">kdc_listen</span> <span class="pre">=</span> <span class="pre">""</span></code>. If the KDC daemon fails to bind to any +of the specified addresses, it will fail to start. The default is +to bind to the wildcard address on the standard port. New in +release 1.15.</p> </dd> <dt><strong>kdc_ports</strong></dt><dd><p>(Whitespace- or comma-separated list, deprecated.) Prior to release 1.15, this relation lists the ports for the 
@@ -342,15 +340,10 @@ if that relation is not defined.</p> </dd> <dt><strong>kdc_tcp_listen</strong></dt><dd><p>(Whitespace- or comma-separated list.) Specifies the TCP listening addresses and/or ports for the <a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a> daemon. -Each entry may be an interface address, a port number, or an -address and port number separated by a colon. If the address -contains colons, enclose it in square brackets. If no address is -specified, the wildcard address is used. If no port is specified, -the standard port (88) is used. To disable listening on TCP, set -this relation to the empty string with <code class="docutils literal notranslate"><span class="pre">kdc_tcp_listen</span> <span class="pre">=</span> <span class="pre">""</span></code>. -If the KDC daemon fails to bind to any of the specified addresses, -it will fail to start. The default is to bind to the wildcard -address on the standard port. New in release 1.15.</p> +The syntax is identical to that of <strong>kdc_listen</strong>. To disable +listening on TCP, set this relation to the empty string with +<code class="docutils literal notranslate"><span class="pre">kdc_tcp_listen</span> <span class="pre">=</span> <span class="pre">""</span></code>. The default is to bind to the same +addresses and ports as for UDP. New in release 1.15.</p> </dd> <dt><strong>kdc_tcp_ports</strong></dt><dd><p>(Whitespace- or comma-separated list, deprecated.) Prior to release 1.15, this relation lists the ports for the 
@@ -358,15 +351,18 @@ release 1.15, this relation lists the ports for the release 1.15 and later, it has the same meaning as <strong>kdc_tcp_listen</strong> if that relation is not defined.</p> </dd> -<dt><strong>kpasswd_listen</strong></dt><dd><p>(Comma-separated list.) Specifies the kpasswd listening addresses -and/or ports for the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> daemon. Each entry may be -an interface address, a port number, or an address and port number -separated by a colon. If the address contains colons, enclose it -in square brackets. If no address is specified, the wildcard -address is used. If kadmind fails to bind to any of the specified -addresses, it will fail to start. The default is to bind to the -wildcard address at the port specified in <strong>kpasswd_port</strong>, or the -standard kpasswd port (464). New in release 1.15.</p> +<dt><strong>kpasswd_listen</strong></dt><dd><p>(Comma-separated list.) Specifies the kpasswd listening +addresses and/or ports for the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> daemon. Each +entry may be an interface address, a port number, an address and +port number separated by a colon, or a UNIX domain socket +pathname. If the address contains colons, enclose it in square +brackets. If no address is specified, the wildcard address is +used. To disable listening for kpasswd requests, set this +relation to the empty string with <code class="docutils literal notranslate"><span class="pre">kpasswd_listen</span> <span class="pre">=</span> <span class="pre">""</span></code>. If +kadmind fails to bind to any of the specified addresses, it will +fail to start. The default is to bind to the wildcard address at +the port specified in <strong>kpasswd_port</strong>, or the standard kpasswd +port (464). 
New in release 1.15.</p> </dd> <dt><strong>kpasswd_port</strong></dt><dd><p>(Port number.) Specifies the port on which the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> daemon is to listen for password change requests for this realm. @@ -433,7 +429,7 @@ possible values, see <a class="reference internal" href="#keysalt-lists"><span c </dl> </section> <section id="dbdefaults"> -<span id="id2"></span><h3>[dbdefaults]<a class="headerlink" href="#dbdefaults" title="Permalink to this headline">¶</a></h3> +<span id="id2"></span><h3>[dbdefaults]<a class="headerlink" href="#dbdefaults" title="Link to this heading">¶</a></h3> <p>The [dbdefaults] section specifies default values for some database parameters, to be used if the [dbmodules] subsection does not contain a relation for the tag. See the <a class="reference internal" href="#dbmodules"><span class="std std-ref">[dbmodules]</span></a> section for the @@ -455,7 +451,7 @@ definitions of these relations.</p> </ul> </section> <section id="dbmodules"> -<span id="id3"></span><h3>[dbmodules]<a class="headerlink" href="#dbmodules" title="Permalink to this headline">¶</a></h3> +<span id="id3"></span><h3>[dbmodules]<a class="headerlink" href="#dbmodules" title="Link to this heading">¶</a></h3> <p>The [dbmodules] section contains parameters used by the KDC database library and database modules. Each tag in the [dbmodules] section is the name of a Kerberos realm or a section name specified by a realm’s 
@@ -569,7 +565,7 @@ modules. The value should be an absolute path.</p> </dl> </section> <section id="logging"> -<span id="id4"></span><h3>[logging]<a class="headerlink" href="#logging" title="Permalink to this headline">¶</a></h3> +<span id="id4"></span><h3>[logging]<a class="headerlink" href="#logging" title="Link to this heading">¶</a></h3> <p>The [logging] section indicates how <a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a> and <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> perform logging. It may contain the following relations:</p> @@ -631,7 +627,7 @@ to the file <code class="docutils literal notranslate"><span class="pre">/var/ad To disable logging entirely, specify <code class="docutils literal notranslate"><span class="pre">default</span> <span class="pre">=</span> <span class="pre">DEVICE=/dev/null</span></code>.</p> </section> <section id="otp"> -<span id="id5"></span><h3>[otp]<a class="headerlink" href="#otp" title="Permalink to this headline">¶</a></h3> +<span id="id5"></span><h3>[otp]<a class="headerlink" href="#otp" title="Link to this heading">¶</a></h3> <p>Each subsection of [otp] is the name of an OTP token type. The tags within the subsection define the configuration required to forward a One Time Password request to a RADIUS server.</p> @@ -691,7 +687,7 @@ something applicable for your situation:</p> </section> </section> <section id="pkinit-options"> -<h2>PKINIT options<a class="headerlink" href="#pkinit-options" title="Permalink to this headline">¶</a></h2> +<h2>PKINIT options<a class="headerlink" href="#pkinit-options" title="Link to this heading">¶</a></h2> <div class="admonition note"> <p class="admonition-title">Note</p> <p>The following are pkinit-specific options. These values may 
@@ -725,8 +721,11 @@ the KDC trusts to sign client certificates. This option is required if pkinit is to be supported by the KDC. This option may be specified multiple times.</p> </dd> -<dt><strong>pkinit_dh_min_bits</strong></dt><dd><p>Specifies the minimum number of bits the KDC is willing to accept -for a client’s Diffie-Hellman key. The default is 2048.</p> +<dt><strong>pkinit_dh_min_bits</strong></dt><dd><p>Specifies the minimum strength of Diffie-Hellman group the KDC is +willing to accept for key exchange. Valid values in order of +increasing strength are 1024, 2048, P-256, 4096, P-384, and P-521. +The default is 2048. (P-256, P-384, and P-521 are new in release +1.22.)</p> </dd> <dt><strong>pkinit_allow_upn</strong></dt><dd><p>Specifies that the KDC is willing to accept client certificates with the Microsoft UserPrincipalName (UPN) Subject Alternative @@ -734,7 +733,7 @@ Name (SAN). This means the KDC accepts the binding of the UPN in the certificate to the Kerberos principal name. The default value is false.</p> <p>Without this option, the KDC will only accept certificates with -the id-pkinit-san as defined in <span class="target" id="index-0"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc4556.html"><strong>RFC 4556</strong></a>. There is currently +the id-pkinit-san as defined in <span class="target" id="index-0"></span><a class="rfc reference external" href="https://datatracker.ietf.org/doc/html/rfc4556.html"><strong>RFC 4556</strong></a>. There is currently no option to disable SAN checking in the KDC.</p> </dd> <dt><strong>pkinit_eku_checking</strong></dt><dd><p>This option specifies what Extended Key Usage (EKU) values the KDC 
@@ -743,7 +742,7 @@ recognized in the kdc.conf file are:</p> <dl class="simple"> <dt><strong>kpClientAuth</strong></dt><dd><p>This is the default value and specifies that client certificates must have the id-pkinit-KPClientAuth EKU as -defined in <span class="target" id="index-1"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc4556.html"><strong>RFC 4556</strong></a>.</p> +defined in <span class="target" id="index-1"></span><a class="rfc reference external" href="https://datatracker.ietf.org/doc/html/rfc4556.html"><strong>RFC 4556</strong></a>.</p> </dd> <dt><strong>scLogin</strong></dt><dd><p>If scLogin is specified, client certificates with the Microsoft Smart Card Login EKU (id-ms-kp-sc-logon) will be @@ -791,16 +790,12 @@ in PKINIT requests. The default value is false. (New in release </dl> </section> <section id="encryption-types"> -<span id="id6"></span><h2>Encryption types<a class="headerlink" href="#encryption-types" title="Permalink to this headline">¶</a></h2> +<span id="id6"></span><h2>Encryption types<a class="headerlink" href="#encryption-types" title="Link to this heading">¶</a></h2> <p>Any tag in the configuration files which requires a list of encryption types can be set to some combination of the following strings. Encryption types marked as “weak” and “deprecated” are available for compatibility but not recommended for use.</p> <table class="docutils align-default"> -<colgroup> -<col style="width: 30%" /> -<col style="width: 70%" /> -</colgroup> <tbody> <tr class="row-odd"><td><p>des3-cbc-raw</p></td> <td><p>Triple DES cbc mode raw (weak)</p></td> 
@@ -866,7 +861,7 @@ these newer encryption types must not be given keys of these encryption types in the KDC database.</p> </section> <section id="keysalt-lists"> -<span id="id7"></span><h2>Keysalt lists<a class="headerlink" href="#keysalt-lists" title="Permalink to this headline">¶</a></h2> +<span id="id7"></span><h2>Keysalt lists<a class="headerlink" href="#keysalt-lists" title="Link to this heading">¶</a></h2> <p>Kerberos keys for users are usually derived from passwords. Kerberos commands and configuration parameters that affect generation of keys take lists of enctype-salttype (“keysalt”) pairs, known as <em>keysalt @@ -884,10 +879,6 @@ the same key, Kerberos 5 incorporates more information into the key using something called a salt. The supported salt types are as follows:</p> <table class="docutils align-default"> -<colgroup> -<col style="width: 25%" /> -<col style="width: 75%" /> -</colgroup> <tbody> <tr class="row-odd"><td><p>normal</p></td> <td><p>default for Kerberos Version 5</p></td> @@ -905,7 +896,7 @@ follows:</p> </table> </section> <section id="sample-kdc-conf-file"> -<h2>Sample kdc.conf File<a class="headerlink" href="#sample-kdc-conf-file" title="Permalink to this headline">¶</a></h2> +<h2>Sample kdc.conf File<a class="headerlink" href="#sample-kdc-conf-file" title="Link to this heading">¶</a></h2> <p>Here’s an example of a kdc.conf file:</p> <div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">kdcdefaults</span><span class="p">]</span> <span class="n">kdc_listen</span> <span class="o">=</span> <span class="mi">88</span> 
@@ -945,11 +936,11 @@ follows:</p> </div> </section> <section id="files"> -<h2>FILES<a class="headerlink" href="#files" title="Permalink to this headline">¶</a></h2> +<h2>FILES<a class="headerlink" href="#files" title="Link to this heading">¶</a></h2> <p><a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">LOCALSTATEDIR</span></a><code class="docutils literal notranslate"><span class="pre">/krb5kdc</span></code><code class="docutils literal notranslate"><span class="pre">/kdc.conf</span></code></p> </section> <section id="see-also"> -<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2> +<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Link to this heading">¶</a></h2> <p><a class="reference internal" href="krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a>, <a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a>, <a class="reference internal" href="kadm5_acl.html#kadm5-acl-5"><span class="std std-ref">kadm5.acl</span></a></p> </section> </section> @@ -1049,8 +1040,8 @@ follows:</p> <div class="footer-wrapper"> <div class="footer" > - <div class="right" ><i>Release: 1.21.3</i><br /> - © <a href="../../copyright.html">Copyright</a> 1985-2024, MIT. + <div class="right" ><i>Release: 1.22-final</i><br /> + © <a href="../../copyright.html">Copyright</a> 1985-2025, MIT. </div> <div class="left"> |
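Review bot: in the first hunk (the head block), the new line carries two viewport meta elements back to back, `<meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />`; this is generator output, but if the Sphinx template is under the project's control, drop one of them so the page ends up with a single viewport declaration.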
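Review bot: the kadmind_listen hunk adds "or a UNIX domain socket pathname" as an entry type without saying how a pathname entry is distinguished from an address or port, or what ownership and permissions the created socket receives; since those permissions decide who can reach the kadmin RPC service, suggest a sentence on both, plus a note on whether the "wildcard address" and kadmind_port defaults apply at all when only a pathname is given.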
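Review bot: the kdc_listen hunk drops "UDP" from the opening sentence ("Specifies the listening addresses and/or ports"), yet the same paragraph still says "To disable listening on UDP, set this relation to the empty string", and the kdc_tcp_listen text says the TCP default is "the same addresses and ports as for UDP", so a reader cannot tell whether kdc_listen is still the UDP relation or now covers every transport. Suggest keeping the transport in the first sentence, e.g. "Specifies the UDP listening addresses and/or ports, and UNIX domain socket pathnames, for the krb5kdc daemon", and stating whether an empty string also disables any UNIX domain socket entries.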
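Review bot: the kdc_tcp_listen hunk replaces the per-entry description with "The syntax is identical to that of kdc_listen", so UNIX domain socket pathnames are now implicitly allowed here too, but "The default is to bind to the same addresses and ports as for UDP" does not say whether a pathname given in kdc_listen is reused as the TCP default or whether one socket path can serve both. Suggest a sentence on how pathname entries behave under the default, and consider keeping the explicit "If the KDC daemon fails to bind to any of the specified addresses, it will fail to start" consequence, which this hunk removes and now exists only by reference.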
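Review bot: the kpasswd_listen hunk keeps "(Comma-separated list.)" while the sibling relations kadmind_listen, kdc_listen and kdc_tcp_listen touched by the same patch all read "(Whitespace- or comma-separated list.)"; if whitespace separation is accepted here as well, align the type label, otherwise the difference deserves a word of explanation.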
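Review bot: the pkinit_dh_min_bits hunk turns the relation from a bit count into an ordered list of group strengths (1024, 2048, P-256, 4096, P-384, P-521) but does not say what happens when an unlisted value such as 3072 or a misspelled curve name is configured (rejected at startup, or silently mapped to some default). Since the relation name still says "bits" and 1024 sits below the 2048 default, suggest also marking 1024 as compatibility-only, the way the Encryption types section labels entries "weak", so administrators do not read the list as equally acceptable choices.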
