.\" Copyright (c) 1999 - 2004 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of the Institute nor the names of its contributors
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" $Id: krb5.conf.5,v 1.35.2.2 2004/03/09 19:52:07 lha Exp $
.Nd configuration file for Kerberos 5
file specifies several configuration parameters for the Kerberos 5
library, as well as for some programs.
The file consists of one or more sections, containing a number of
The value of each binding can be either a string or a list of other
The grammar looks like:
.Bd -literal -offset indent
'[' section_name ']' bindings
name '=' '{' bindings '}'
consists of one or more non-whitespace characters.
STRINGs that are specified later in this man-page use the following
.Bl -tag -width "xxx" -offset indent
values can be either yes/true or no/false.
values can be a list of year, month, day, hour, min, second.
Example: 1 month 2 days 30 min.
valid encryption types are: des-cbc-crc, des-cbc-md4, des-cbc-md5,
des3-cbc-sha1, arcfour-hmac-md5, aes128-cts-hmac-sha1-96, and
aes256-cts-hmac-sha1-96.
an address can be either an IPv4 or an IPv6 address.
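The following Python program is an added example, not part of this manual page or of Heimdal: it parses the section/binding grammar above into nested dictionaries (repeated bindings such as several kdc lines are kept as a list) and converts the time notation to seconds. It assumes that lines starting with '#' are comments and that a month is 30 days and a year 365 days; the sample configuration is constructed for the example.

```python
import re

SAMPLE = """\
# constructed sample, not from the man page; '#' starts a comment (assumed)
[libdefaults]
    default_realm = FOO.SE
    clockskew = 5 min
[realms]
    FOO.SE = {
        kdc = kerberos.foo.se
        kdc = kerberos-1.foo.se:88
    }
"""

def parse_krb5_conf(text):
    """Return {section: bindings}; a binding maps a name to the list of its
    values (strings or nested bindings dicts), so repeated names keep every value."""
    root, section, stack = {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):     # comment syntax is assumed
            continue
        if not stack and line.startswith('[') and line.endswith(']'):
            section = root.setdefault(line[1:-1], {})
        elif line == '}':
            stack.pop()                          # IndexError on a stray '}'
        else:
            name, eq, value = (s.strip() for s in line.partition('='))
            target = stack[-1] if stack else section
            if not eq or not name or target is None:
                raise ValueError('bad binding: %r' % raw)
            if value == '{':                     # name = { bindings }
                stack.append({})
                value = stack[-1]
            target.setdefault(name, []).append(value)
    if stack:
        raise ValueError("unterminated '{' block")
    return root

# Time STRING units in seconds; the 30-day month and 365-day year are assumptions.
_UNITS = {'year': 31536000, 'month': 2592000, 'day': 86400, 'hour': 3600, 'min': 60, 'second': 1}

def parse_time(s):
    """Time STRING such as '1 month 2 days 30 min' -> seconds; a bare number is seconds."""
    total = 0
    for num, unit in re.findall(r'(\d+)\s*([a-z]*)', s.lower()):
        unit = unit.rstrip('s')                  # accept plurals ('days')
        if unit and unit not in _UNITS:
            raise ValueError('unknown time unit: %r' % unit)
        total += int(num) * _UNITS.get(unit, 1)
    return total
```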
Currently recognised sections and bindings are:
.Bl -tag -width "xxx" -offset indent
Specifies the default values to be used for Kerberos applications.
You can specify defaults per application, realm, or a combination of
The preference order is:
.Va application Va realm Va option
.Va application Va option
The supported options are:
.Bl -tag -width "xxx" -offset indent
.It Li forwardable = Va boolean
When obtaining initial credentials, make the credentials forwardable.
.It Li proxiable = Va boolean
When obtaining initial credentials, make the credentials proxiable.
.It Li no-addresses = Va boolean
When obtaining initial credentials, request them for an empty set of
addresses, making the tickets valid from any address.
.It Li ticket_lifetime = Va time
Default ticket lifetime.
.It Li renew_lifetime = Va time
Default renewable ticket lifetime.
.It Li encrypt = Va boolean
Use encryption, when available.
.It Li forward = Va boolean
Forward credentials to remote host (for
.Bl -tag -width "xxx" -offset indent
.It Li default_realm = Va REALM
Default realm to use; this is also known as your
The default is the result of
.Fn krb5_get_host_realm "local hostname" .
.It Li clockskew = Va time
Maximum time differential (in seconds) allowed when comparing
Default is 300 seconds (five minutes).
.It Li kdc_timeout = Va time
Maximum time to wait for a reply from the kdc; the default is 3 seconds.
.It v4_instance_resolve
These are described in the
.Xr krb5_425_conv_principal 3
.Bl -tag -width "xxx" -offset indent
.It Va destination-realm Li = Va next-hop-realm
This is deprecated; see the
.It Li default_etypes = Va etypes ...
A list of default encryption types to use.
.It Li default_etypes_des = Va etypes ...
A list of default encryption types to use when requesting a DES credential.
.It Li default_keytab_name = Va keytab
The keytab to use if no other is specified; the default is
.Dq FILE:/etc/krb5.keytab .
.It Li dns_lookup_kdc = Va boolean
Use DNS SRV records to look up the location of KDC services.
.It Li dns_lookup_realm = Va boolean
Use DNS TXT records to look up domain-to-realm mappings.
.It Li kdc_timesync = Va boolean
Try to keep track of the time differential between the local machine
and the KDC, and then compensate for that when issuing requests.
.It Li max_retries = Va number
The maximum number of times to try to contact each KDC.
.It Li ticket_lifetime = Va time
Default ticket lifetime.
.It Li renew_lifetime = Va time
Default renewable ticket lifetime.
.It Li forwardable = Va boolean
When obtaining initial credentials, make the credentials forwardable.
This option is also valid in the [realms] section.
.It Li proxiable = Va boolean
When obtaining initial credentials, make the credentials proxiable.
This option is also valid in the [realms] section.
.It Li verify_ap_req_nofail = Va boolean
If enabled, failure to verify credentials against a local key is a
The application has to be able to read the corresponding service key
Some applications, like
enable this option unconditionally.
.It Li warn_pwexpire = Va time
How soon to warn of an expiring password.
Default is seven days.
.It Li http_proxy = Va proxy-spec
An HTTP proxy to use when talking to the KDC via HTTP.
.It Li dns_proxy = Va proxy-spec
Enable using DNS via HTTP.
.It Li extra_addresses = Va address ...
A list of addresses to get tickets for along with all local addresses.
.It Li time_format = Va string
How to print time strings in logs; this string is passed to
.It Li date_format = Va string
How to print date strings in logs; this string is passed to
.It Li log_utc = Va boolean
Write log entries using UTC instead of your local time zone.
.It Li scan_interfaces = Va boolean
Scan all network interfaces for addresses, as opposed to simply using
the address associated with the system's host name.
.It Li fcache_version = Va int
Use the file credential cache format version specified.
.It Li krb4_get_tickets = Va boolean
Also get Kerberos 4 tickets in
This option is also valid in the [realms] section.
.It Li fcc-mit-ticketflags = Va boolean
Use MIT compatible format for the file credential cache.
The ticketflags field is stored in reverse bit order by versions
older than Heimdal 0.7.
makes it store the MIT way; this is the default for Heimdal 0.7.
.It Li [domain_realm]
This is a list of mappings from DNS domain to Kerberos realm.
Each binding in this section looks like:
The domain can be either a full name of a host or a trailing
component; in the latter case the domain-string should start with a
The realm may be the token `dns_locate', in which case the actual
realm will be determined using DNS (independently of the setting
of the `dns_lookup_realm' option).
.Bl -tag -width "xxx" -offset indent
.Bl -tag -width "xxx" -offset indent
.It Li kdc = Va [service/]host[:port]
Specifies a list of kdcs for this realm.
default value for the
port (depending on service) will be used.
The kdcs will be used in the order that they are specified.
specifies over what medium the kdc should be
Possible services are
Http can also be written as
.It Li admin_server = Va host[:port]
Specifies the admin server for this realm, where all the modifications
to the database are performed.
.It Li kpasswd_server = Va host[:port]
Points to the server where all the password changes are performed.
If there is no such entry, the kpasswd port on the admin_server host
.It Li krb524_server = Va host[:port]
Points to the server that does 524 conversions.
If it is not mentioned, the krb524 port on the kdcs will be tried.
.It Li v4_instance_convert
.It Li v4_name_convert
.It Li default_domain
.Xr krb5_425_conv_principal 3 .
.It Li tgs_require_subkey
A boolean variable that defaults to false.
Old DCE secd (pre 1.1) might need this to be true.
.Bl -tag -width "xxx" -offset indent
.It Va client-realm Li = {
.Bl -tag -width "xxx" -offset indent
.It Va server-realm Li = Va hop-realm ...
This serves two purposes.
First, the first listed
tells a client which realm it should contact in order to ultimately
obtain credentials for a service in the
Secondly, it tells the KDC (and other servers) which realms are
allowed in a multi-hop traversal from
Except for the client case, the order of the realms is not important.
.Bl -tag -width "xxx" -offset indent
.It Va entity Li = Va destination
should use the specified
manual page for a list of defined destinations.
.Bl -tag -width "xxx" -offset indent
.Bl -tag -width "xxx" -offset indent
.It dbname Li = Va DATABASENAME
Use this database for this realm.
.It realm Li = Va REALM
Specifies the realm that will be stored in this database.
.It mkey_file Li = Pa FILENAME
Use this keytab file for the master key of this database.
.Va DATABASENAME Ns .mkey
.It acl_file Li = Pa FILENAME
Use this file for the ACL list of this database.
.It log_file Li = Pa FILENAME
Use this file as the log of changes performed to the database.
for propagating changes to slaves.
.It max-request = Va SIZE
Maximum size of a kdc request.
.It require-preauth = Va BOOL
If set, pre-authentication is required.
Since krb4 requests are not pre-authenticated they will be rejected.
.It ports = Va "list of ports"
List of ports the kdc should listen to.
.It addresses = Va "list of interfaces"
List of addresses the kdc should bind to.
.It enable-kerberos4 = Va BOOL
Turn on Kerberos 4 support.
.It v4-realm = Va REALM
To what realm v4 requests should be mapped.
.It enable-524 = Va BOOL
Whether the Kerberos 524 conversion facility should be turned on.
.Va enable-kerberos4 .
.It enable-http = Va BOOL
Whether the kdc should answer kdc requests over HTTP.
.It enable-kaserver = Va BOOL
If this kdc should emulate the AFS kaserver.
.It check-ticket-addresses = Va BOOL
Verify the addresses in the tickets used in tgs requests.
.It allow-null-ticket-addresses = Va BOOL
Allow address-less tickets.
.It allow-anonymous = Va BOOL
If the kdc is allowed to hand out anonymous tickets.
.It encode_as_rep_as_tgs_rep = Va BOOL
Encode AS-REP as TGS-REP to be compatible with mistakes older DCE secd made.
.It kdc_warn_pwexpire = Va TIME
The time before expiration that the user should be warned that her
password is about to expire.
.It logging = Va Logging
What type of logging the kdc should use; see also [logging]/kdc.
.It use_2b = Va principal list
List of principals to use AFS 2b tokens for.
.Bl -tag -width "xxx" -offset indent
.It require-preauth = Va BOOL
If pre-authentication is required to talk to the kadmin server.
.It default_keys = Va keytypes...
try to parse it as a sequence of
.Va etype:salttype:salt
The syntax of this is something like:
[(des|des3|etype):](pw-salt|afs3-salt)[:string]
is omitted it means everything, and if string is omitted it means the
default salt string (for that principal and encryption type).
Additional special values of keytypes are:
.Bl -tag -width "xxx" -offset indent
.It use_v4_salt = Va BOOL
When true, this is the same as
.Va default_keys = Va des3:pw-salt Va v4
and is only left for backwards compatibility.
points to the configuration file to read.
.Bl -tag -width "/etc/krb5.conf"
.It Pa /etc/krb5.conf
configuration file for Kerberos 5.
.Bd -literal -offset indent
default_realm = FOO.SE
kdc = kerberos.foo.se
v4_instance_convert = {
default_domain = foo.se
kdc = FILE:/var/heimdal/kdc.log
default = SYSLOG:INFO:USER
is read and parsed by the krb5 library, there are not many
opportunities for programs to report parsing errors in any useful
To help overcome this problem, there is a program
and tries to emit useful diagnostics from parsing errors.
Note that this program does not have any way of knowing what options
are actually used and thus cannot warn about unknown or misspelled
.Xr krb5_425_conv_principal 3 ,
.Xr verify_krb5_conf 8