manpagez: man pages & more
man kdc.conf(5)
Home | html | info | man
kdc.conf(5)                      MIT Kerberos                      kdc.conf(5)




NAME

       kdc.conf - Kerberos V5 KDC configuration file

       The kdc.conf file supplements krb5.conf(5) for programs which are typi-
       cally only used on a KDC, such as the krb5kdc(8) and kadmind(8) daemons
       and  the  kdb5_util(8)  program.  Relations documented here may also be
       specified in krb5.conf; for the KDC programs mentioned,  krb5.conf  and
       kdc.conf will be merged into a single configuration profile.

       Normally,  the  kdc.conf  file  is  found  in  the KDC state directory,
       /opt/local/var/krb5kdc.  You can override the default location by  set-
       ting the environment variable KRB5_KDC_PROFILE.

       Please  note that you need to restart the KDC daemon for any configura-
       tion changes to take effect.


STRUCTURE

       The kdc.conf file is set up in the  same  format  as  the  krb5.conf(5)
       file.


SECTIONS

       The kdc.conf file may contain the following sections:

                    +--------------+----------------------------+
                    |[kdcdefaults] | Default   values  for  KDC |
                    |              | behavior                   |
                    +--------------+----------------------------+
                    |[realms]      | Realm-specific    database |
                    |              | configuration and settings |
                    +--------------+----------------------------+
                    |[dbdefaults]  | Default database settings  |
                    +--------------+----------------------------+
                    |[dbmodules]   | Per-database settings      |
                    +--------------+----------------------------+
                    |[logging]     | Controls how Kerberos dae- |
                    |              | mons perform logging       |
                    +--------------+----------------------------+

   [kdcdefaults]
       Some  relations in the [kdcdefaults] section specify default values for
       realm variables, to be used if the [realms] subsection does not contain
       a  relation  for the tag.  See the [realms] section for the definitions
       of these relations.

       o host_based_services

       o kdc_listen

       o kdc_ports

       o kdc_tcp_listen

       o kdc_tcp_ports

       o no_host_referral

       o restrict_anonymous_to_tgt

       The following [kdcdefaults] variables have no per-realm equivalent:

       kdc_max_dgram_reply_size
              Specifies the maximum packet size that can  be  sent  over  UDP.
              The default value is 4096 bytes.

       kdc_tcp_listen_backlog
              (Integer.)   Set the size of the listen queue length for the KDC
              daemon.  The value may be limited by OS settings.   The  default
              value is 5.

       spake_preauth_kdc_challenge
              (String.)  Specifies the group for a SPAKE optimistic challenge.
              See the spake_preauth_groups variable in libdefaults for  possi-
              ble  values.   The  default  is not to issue an optimistic chal-
              lenge.  (New in release 1.17.)

   [realms]
       Each tag in the [realms] section is the name of a Kerberos realm.   The
       value of the tag is a subsection where the relations define KDC parame-
       ters for that particular realm.  The following  example  shows  how  to
       define one parameter for the ATHENA.MIT.EDU realm:

          [realms]
              ATHENA.MIT.EDU = {
                  max_renewable_life = 7d 0h 0m 0s
              }

       The following tags may be specified in a [realms] subsection:

       acl_file
              (String.)   Location  of  the access control list file that kad-
              mind(8) uses to determine which  principals  are  allowed  which
              permissions on the Kerberos database.  To operate without an ACL
              file, set this relation to the empty string with acl_file =  "".
              The default value is /opt/local/var/krb5kdc/kadm5.acl.  For more
              information on Kerberos ACL file see kadm5.acl(5).

       database_module
              (String.)  This relation indicates the name of the configuration
              section  under [dbmodules] for database-specific parameters used
              by the loadable database library.   The  default  value  is  the
              realm  name.   If  this  configuration  section  does not exist,
              default values will be used for all database parameters.

       database_name
              (String, deprecated.)  This relation specifies the  location  of
              the Kerberos database for this realm, if the DB2 module is being
              used and the [dbmodules] configuration section does not  specify
              a      database      name.      The     default     value     is
              /opt/local/var/krb5kdc/principal.

       default_principal_expiration
              (abstime string.)  Specifies  the  default  expiration  date  of
              principals created in this realm.  The default value is 0, which
              means no expiration date.

       default_principal_flags
              (Flag string.)  Specifies the default attributes  of  principals
              created  in  this  realm.   The  format  for  this  string  is a
              comma-separated list of flags, with '+' before  each  flag  that
              should  be  enabled and '-' before each flag that should be dis-
              abled.  The  postdateable,  forwardable,  tgt-based,  renewable,
              proxiable, dup-skey, allow-tickets, and service flags default to
              enabled.

              There are a number of possible flags:

              allow-tickets
                     Enabling this flag means that the KDC will issue  tickets
                     for  this  principal.   Disabling  this  flag essentially
                     deactivates the principal within this realm.

              dup-skey
                     Enabling this flag allows the KDC to  issue  user-to-user
                     service tickets for this principal.

              forwardable
                     Enabling  this  flag  allows the principal to obtain for-
                     wardable tickets.

              hwauth If this flag is enabled, then the principal  is  required
                     to preauthenticate using a hardware device before receiv-
                     ing any tickets.

              no-auth-data-required
                     Enabling this flag prevents  PAC  or  AD-SIGNEDPATH  data
                     from being added to service tickets for the principal.

              ok-as-delegate
                     If this flag is enabled, it hints the client that creden-
                     tials can and should be delegated when authenticating  to
                     the service.

              ok-to-auth-as-delegate
                     Enabling  this  flag  allows the principal to use S4USelf
                     tickets.

              postdateable
                     Enabling this flag allows the principal to  obtain  post-
                     dateable tickets.

              preauth
                     If  this flag is enabled on a client principal, then that
                     principal is  required  to  preauthenticate  to  the  KDC
                     before  receiving  any  tickets.  On a service principal,
                     enabling this flag means that service  tickets  for  this
                     principal  will only be issued to clients with a TGT that
                     has the preauthenticated bit set.

              proxiable
                     Enabling this flag allows the principal to  obtain  proxy
                     tickets.

              pwchange
                     Enabling  this  flag  forces  a  password change for this
                     principal.

              pwservice
                     If this flag is enabled, it marks  this  principal  as  a
                     password  change  service.   This  should only be used in
                     special cases, for example,  if  a  user's  password  has
                     expired,  then the user has to get tickets for that prin-
                     cipal without going through the normal password authenti-
                     cation in order to be able to change the password.

              renewable
                     Enabling  this flag allows the principal to obtain renew-
                     able tickets.

              service
                     Enabling this flag allows the the KDC  to  issue  service
                     tickets  for  this principal.  In release 1.17 and later,
                     user-to-user service tickets are  still  allowed  if  the
                     dup-skey flag is set.

              tgt-based
                     Enabling  this  flag allows a principal to obtain tickets
                     based on a ticket-granting-ticket, rather than  repeating
                     the  authentication  process  that was used to obtain the
                     TGT.

       dict_file
              (String.)  Location of the dictionary  file  containing  strings
              that  are not allowed as passwords.  The file should contain one
              string per line, with no  additional  whitespace.   If  none  is
              specified or if there is no policy assigned to the principal, no
              dictionary checks of passwords will be performed.

       encrypted_challenge_indicator
              (String.)  Specifies the authentication indicator value that the
              KDC asserts into tickets obtained using FAST encrypted challenge
              pre-authentication.  New in 1.16.

       host_based_services
              (Whitespace- or comma-separated  list.)   Lists  services  which
              will get host-based referral processing even if the server prin-
              cipal is not marked as host-based by the client.

       iprop_enable
              (Boolean value.)  Specifies whether incremental database  propa-
              gation is enabled.  The default value is false.

       iprop_ulogsize
              (Integer.)   Specifies  the  maximum number of log entries to be
              retained for incremental  propagation.   The  default  value  is
              1000.   Prior  to release 1.11, the maximum value was 2500.  New
              in release 1.19.

       iprop_master_ulogsize
              The name for iprop_ulogsize prior to release 1.19.  Its value is
              used as a fallback if iprop_ulogsize is not specified.

       iprop_replica_poll
              (Delta  time string.)  Specifies how often the replica KDC polls
              for new updates from the primary.  The default value is 2m (that
              is, two minutes).  New in release 1.17.

       iprop_slave_poll
              (Delta  time  string.)  The name for iprop_replica_poll prior to
              release  1.17.   Its  value   is   used   as   a   fallback   if
              iprop_replica_poll is not specified.

       iprop_listen
              (Whitespace-  or comma-separated list.)  Specifies the iprop RPC
              listening addresses and/or  ports  for  the  kadmind(8)  daemon.
              Each  entry  may  be  an interface address, a port number, or an
              address and port number separated by a colon.   If  the  address
              contains  colons,  enclose it in square brackets.  If no address
              is specified, the wildcard address is used.  If kadmind fails to
              bind  to  any of the specified addresses, it will fail to start.
              The default (when iprop_enable is true) is to bind to the  wild-
              card  address  at  the  port  specified  in  iprop_port.  New in
              release 1.15.

       iprop_port
              (Port number.)  Specifies the port number to be used for  incre-
              mental propagation.  When iprop_enable is true, this relation is
              required in the replica KDC configuration file, and  this  rela-
              tion  or  iprop_listen  is required in the primary configuration
              file, as there is no default port number.  Port  numbers  speci-
              fied  in iprop_listen entries will override this port number for
              the kadmind(8) daemon.

       iprop_resync_timeout
              (Delta time string.)  Specifies the amount of time to wait for a
              full propagation to complete.  This is optional in configuration
              files, and is used by replica KDCs only.  The default value is 5
              minutes (5m).  New in release 1.11.

       iprop_logfile
              (File  name.)  Specifies where the update log file for the realm
              database is to be stored.  The  default  is  to  use  the  data-
              base_name entry from the realms section of the krb5 config file,
              with .ulog appended.  (NOTE: If database_name isn't specified in
              the  realms  section, perhaps because the LDAP database back end
              is being used, or the file name is specified in the  [dbmodules]
              section,  then the hard-coded default for database_name is used.
              Determination of the iprop_logfile default value  will  not  use
              values from the [dbmodules] section.)

       kadmind_listen
              (Whitespace- or comma-separated list.)  Specifies the kadmin RPC
              listening addresses and/or  ports  for  the  kadmind(8)  daemon.
              Each  entry  may  be  an interface address, a port number, or an
              address and port number separated by a colon.   If  the  address
              contains  colons,  enclose it in square brackets.  If no address
              is specified, the wildcard address is used.  If kadmind fails to
              bind  to  any of the specified addresses, it will fail to start.
              The default is to bind to the wildcard address at the port spec-
              ified  in  kadmind_port, or the standard kadmin port (749).  New
              in release 1.15.

       kadmind_port
              (Port number.)  Specifies the port on which the kadmind(8)  dae-
              mon is to listen for this realm.  Port numbers specified in kad-
              mind_listen  entries  will  override  this  port  number.    The
              assigned port for kadmind is 749, which is used by default.

       key_stash_file
              (String.)   Specifies the location where the master key has been
              stored    (via    kdb5_util    stash).     The    default     is
              /opt/local/var/krb5kdc/.k5.REALM,  where  REALM  is the Kerberos
              realm.

       kdc_listen
              (Whitespace- or comma-separated list.)  Specifies the  UDP  lis-
              tening  addresses  and/or ports for the krb5kdc(8) daemon.  Each
              entry may be an interface address, a port number, or an  address
              and  port  number separated by a colon.  If the address contains
              colons, enclose it in square brackets.  If no address is  speci-
              fied,  the  wildcard  address is used.  If no port is specified,
              the standard port (88) is used.  If the KDC daemon fails to bind
              to  any  of the specified addresses, it will fail to start.  The
              default is to bind to the wildcard address on the standard port.
              New in release 1.15.

       kdc_ports
              (Whitespace-  or  comma-separated  list,  deprecated.)  Prior to
              release 1.15, this relation lists the ports for  the  krb5kdc(8)
              daemon  to  listen  on  for  UDP  requests.  In release 1.15 and
              later, it has the same meaning as kdc_listen if that relation is
              not defined.

       kdc_tcp_listen
              (Whitespace-  or  comma-separated list.)  Specifies the TCP lis-
              tening addresses and/or ports for the krb5kdc(8)  daemon.   Each
              entry  may be an interface address, a port number, or an address
              and port number separated by a colon.  If the  address  contains
              colons,  enclose it in square brackets.  If no address is speci-
              fied, the wildcard address is used.  If no  port  is  specified,
              the  standard  port  (88) is used.  To disable listening on TCP,
              set this relation to the empty string with kdc_tcp_listen =  "".
              If  the  KDC  daemon  fails  to  bind  to  any  of the specified
              addresses, it will fail to start.  The default is to bind to the
              wildcard address on the standard port.  New in release 1.15.

       kdc_tcp_ports
              (Whitespace-  or  comma-separated  list,  deprecated.)  Prior to
              release 1.15, this relation lists the ports for  the  krb5kdc(8)
              daemon  to  listen  on  for  UDP  requests.  In release 1.15 and
              later, it has the same meaning as kdc_tcp_listen if  that  rela-
              tion is not defined.

       kpasswd_listen
              (Comma-separated   list.)    Specifies   the  kpasswd  listening
              addresses and/or ports for the kadmind(8)  daemon.   Each  entry
              may  be  an  interface address, a port number, or an address and
              port number separated by  a  colon.   If  the  address  contains
              colons,  enclose it in square brackets.  If no address is speci-
              fied, the wildcard address is used.  If kadmind fails to bind to
              any  of  the  specified  addresses,  it will fail to start.  The
              default is to bind to the wildcard address at the port specified
              in  kpasswd_port,  or  the  standard kpasswd port (464).  New in
              release 1.15.

       kpasswd_port
              (Port number.)  Specifies the port on which the kadmind(8)  dae-
              mon  is  to  listen for password change requests for this realm.
              Port numbers specified in kpasswd_listen entries  will  override
              this  port  number.   The  assigned  port  for  password  change
              requests is 464, which is used by default.

       master_key_name
              (String.)  Specifies the name of the principal  associated  with
              the master key.  The default is K/M.

       master_key_type
              (Key  type  string.)   Specifies the master key's key type.  The
              default value for this is aes256-cts-hmac-sha1-96.  For  a  list
              of all possible values, see Encryption types.

       max_life
              (duration  string.)  Specifies the maximum time period for which
              a ticket may be valid in this realm.  The default  value  is  24
              hours.

       max_renewable_life
              (duration  string.)   Specifies  the  maximum time period during
              which a valid ticket may be renewed in this realm.  The  default
              value is 0.

       no_host_referral
              (Whitespace-  or comma-separated list.)  Lists services to block
              from getting host-based referral processing, even if the  client
              marks  the server principal as host-based or the service is also
              listed in host_based_services.  no_host_referral = *  will  dis-
              able referral processing altogether.

       reject_bad_transit
              (Boolean value.)  If set to true, the KDC will check the list of
              transited realms for cross-realm  tickets  against  the  transit
              path  computed  from  the realm names and the capaths section of
              its krb5.conf(5) file; if the path in the ticket  to  be  issued
              contains  any  realms  not in the computed path, the ticket will
              not be issued, and an error  will  be  returned  to  the  client
              instead.   If  this  value is set to false, such tickets will be
              issued anyways, and it will be left up to the application server
              to validate the realm transit path.

              If  the  disable-transited-check  flag  is  set  in the incoming
              request, this  check  is  not  performed  at  all.   Having  the
              reject_bad_transit  option will cause such ticket requests to be
              rejected always.

              This transit path checking  and  config  file  option  currently
              apply only to TGS requests.

              The default value is true.

       restrict_anonymous_to_tgt
              (Boolean  value.)   If  set  to true, the KDC will reject ticket
              requests from anonymous principals to service  principals  other
              than  the  realm's  ticket-granting service.  This option allows
              anonymous PKINIT to be enabled for use  as  FAST  armor  tickets
              without  allowing  anonymous  authentication  to  services.  The
              default value is false.  New in release 1.9.

       spake_preauth_indicator
              (String.)  Specifies an authentication indicator value that  the
              KDC  asserts  into  tickets obtained using SPAKE pre-authentica-
              tion.  The default is not to add any  indicators.   This  option
              may be specified multiple times.  New in release 1.17.

       supported_enctypes
              (List of key:salt strings.)  Specifies the default key/salt com-
              binations of principals for this realm.  Any principals  created
              through  kadmin(1)  will  have keys of these types.  The default
              value   for   this   tag    is    aes256-cts-hmac-sha1-96:normal
              aes128-cts-hmac-sha1-96:normal.   For  lists of possible values,
              see Keysalt lists.

   [dbdefaults]
       The [dbdefaults] section specifies default  values  for  some  database
       parameters, to be used if the [dbmodules] subsection does not contain a
       relation for the tag.  See the [dbmodules] section for the  definitions
       of these relations.

       o ldap_kerberos_container_dn

       o ldap_kdc_dn

       o ldap_kdc_sasl_authcid

       o ldap_kdc_sasl_authzid

       o ldap_kdc_sasl_mech

       o ldap_kdc_sasl_realm

       o ldap_kadmind_dn

       o ldap_kadmind_sasl_authcid

       o ldap_kadmind_sasl_authzid

       o ldap_kadmind_sasl_mech

       o ldap_kadmind_sasl_realm

       o ldap_service_password_file

       o ldap_conns_per_server

   [dbmodules]
       The  [dbmodules]  section  contains parameters used by the KDC database
       library and database modules.  Each tag in the [dbmodules]  section  is
       the  name  of a Kerberos realm or a section name specified by a realm's
       database_module parameter.  The following example shows how  to  define
       one database parameter for the ATHENA.MIT.EDU realm:

          [dbmodules]
              ATHENA.MIT.EDU = {
                  disable_last_success = true
              }

       The following tags may be specified in a [dbmodules] subsection:

       database_name
              This  DB2-specific tag indicates the location of the database in
              the filesystem.  The default  is  /opt/local/var/krb5kdc/princi-
              pal.

       db_library
              This  tag  indicates  the  name of the loadable database module.
              The value should be db2 for the DB2 module, klmdb for  the  LMDB
              module, or kldap for the LDAP module.

       disable_last_success
              If  set  to true, suppresses KDC updates to the "Last successful
              authentication" field of principal entries requiring  preauthen-
              tication.   Setting this flag may improve performance.  (Princi-
              pal entries which do not require preauthentication never  update
              the  "Last successful authentication" field.).  First introduced
              in release 1.9.

       disable_lockout
              If set to true, suppresses  KDC  updates  to  the  "Last  failed
              authentication" and "Failed password attempts" fields of princi-
              pal entries requiring preauthentication.  Setting this flag  may
              improve  performance,  but also disables account lockout.  First
              introduced in release 1.9.

       ldap_conns_per_server
              This LDAP-specific tag indicates the number of connections to be
              maintained per LDAP server.

       ldap_kdc_dn and ldap_kadmind_dn
              These  LDAP-specific tags indicate the default DN for binding to
              the LDAP server.  The krb5kdc(8) daemon uses ldap_kdc_dn,  while
              the  kadmind(8)  daemon  and  other  administrative programs use
              ldap_kadmind_dn.  The kadmind DN must have the  rights  to  read
              and  write  the  Kerberos data in the LDAP database.  The KDC DN
              must have the  same  rights,  unless  disable_lockout  and  dis-
              able_last_success  are true, in which case it only needs to have
              rights to read the Kerberos data.  These tags are ignored  if  a
              SASL  mechanism  is  set  with  ldap_kdc_sasl_mech  or ldap_kad-
              mind_sasl_mech.

       ldap_kdc_sasl_mech and ldap_kadmind_sasl_mech
              These LDAP-specific tags specify the  SASL  mechanism  (such  as
              EXTERNAL)  to  use  when  binding  to  the  LDAP server.  New in
              release 1.13.

       ldap_kdc_sasl_authcid and ldap_kadmind_sasl_authcid
              These LDAP-specific tags specify the SASL  authentication  iden-
              tity to use when binding to the LDAP server.  Not all SASL mech-
              anisms require an authentication identity.  If the  SASL  mecha-
              nism  requires  a  secret (such as the password for DIGEST-MD5),
              these tags also determine the name within the ldap_service_pass-
              word_file where the secret is stashed.  New in release 1.13.

       ldap_kdc_sasl_authzid and ldap_kadmind_sasl_authzid
              These LDAP-specific tags specify the SASL authorization identity
              to use when binding to the LDAP server.  In  most  circumstances
              they do not need to be specified.  New in release 1.13.

       ldap_kdc_sasl_realm and ldap_kadmind_sasl_realm
              These  LDAP-specific  tags  specify  the  SASL realm to use when
              binding to the LDAP server.  In most circumstances they  do  not
              need to be set.  New in release 1.13.

       ldap_kerberos_container_dn
              This  LDAP-specific tag indicates the DN of the container object
              where the realm objects will be located.

       ldap_servers
              This LDAP-specific tag indicates the list of LDAP  servers  that
              the  Kerberos  servers can connect to.  The list of LDAP servers
              is whitespace-separated.  The LDAP server is specified by a LDAP
              URI.   It is recommended to use ldapi: or ldaps: URLs to connect
              to the LDAP server.

       ldap_service_password_file
              This LDAP-specific tag indicates the file containing the stashed
              passwords   (created   by  kdb5_ldap_util  stashsrvpw)  for  the
              ldap_kdc_dn   and   ldap_kadmind_dn   objects,   or   for    the
              ldap_kdc_sasl_authcid  or  ldap_kadmind_sasl_authcid  names  for
              SASL authentication.  This file must be kept secure.

       mapsize
              This LMDB-specific tag indicates the maximum  size  of  the  two
              database  environments  in megabytes.  The default value is 128.
              Increase  this  value  to  address  "Environment  mapsize  limit
              reached" errors.  New in release 1.17.

       max_readers
              This  LMDB-specific  tag indicates the maximum number of concur-
              rent reading processes for the databases.  The default value  is
              128.  New in release 1.17.

       nosync This  LMDB-specific  tag can be set to improve the throughput of
              kadmind and other administrative agents, at the expense of dura-
              bility  (recent  database changes may not survive a power outage
              or other sudden reboot).  It does not affect the  throughput  of
              the KDC.  The default value is false.  New in release 1.17.

       unlockiter
              If  set  to  true, this DB2-specific tag causes iteration opera-
              tions to release the database lock while processing each princi-
              pal.  Setting this flag to true can prevent extended blocking of
              KDC or kadmin operations when dumps of large  databases  are  in
              progress.  First introduced in release 1.13.

       The  following tag may be specified directly in the [dbmodules] section
       to control where database modules are loaded from:

       db_module_dir
              This tag controls where the plugin  system  looks  for  database
              modules.  The value should be an absolute path.

   [logging]
       The  [logging]  section indicates how krb5kdc(8) and kadmind(8) perform
       logging.  It may contain the following relations:

       admin_server
              Specifies how kadmind(8) performs logging.

       kdc    Specifies how krb5kdc(8) performs logging.

       default
              Specifies how either daemon performs logging in the  absence  of
              relations specific to the daemon.

       debug  (Boolean  value.)   Specifies  whether  debugging  messages  are
              included in log outputs other than SYSLOG.   Debugging  messages
              are always included in the system log output because syslog per-
              forms its own priority filtering.  The default value  is  false.
              New in release 1.15.

       Logging specifications may have the following forms:

       FILE=filename or FILE:filename
              This  value  causes  the  daemon's logging messages to go to the
              filename.  If the = form is used, the file is  overwritten.   If
              the : form is used, the file is appended to.

       STDERR This  value  causes  the  daemon's logging messages to go to its
              standard error stream.

       CONSOLE
              This value causes the daemon's logging messages  to  go  to  the
              console, if the system supports it.

       DEVICE=<devicename>
              This causes the daemon's logging messages to go to the specified
              device.

       SYSLOG[:severity[:facility]]
              This causes the daemon's logging messages to go  to  the  system
              log.

              For  backward  compatibility,  a severity argument may be speci-
              fied, and must be specified in  order  to  specify  a  facility.
              This argument will be ignored.

              The  facility  argument  specifies  the facility under which the
              messages are logged.  This may be any of the  following  facili-
              ties  supported  by  the  syslog(3)  call minus the LOG_ prefix:
              KERN, USER, MAIL, DAEMON,  AUTH,  LPR,  NEWS,  UUCP,  CRON,  and
              LOCAL0 through LOCAL7.  If no facility is specified, the default
              is AUTH.

       In the following example, the logging messages from the KDC will go  to
       the  console  and  to the system log under the facility LOG_DAEMON, and
       the logging messages from the administrative server will be appended to
       the file /var/adm/kadmin.log and sent to the device /dev/tty04.

          [logging]
              kdc = CONSOLE
              kdc = SYSLOG:INFO:DAEMON
              admin_server = FILE:/var/adm/kadmin.log
              admin_server = DEVICE=/dev/tty04

       If no logging specification is given, the default is to use syslog.  To
       disable logging entirely, specify default = DEVICE=/dev/null.

   [otp]
       Each subsection of [otp] is the name of an OTP token  type.   The  tags
       within  the  subsection  define the configuration required to forward a
       One Time Password request to a RADIUS server.

       For each token type, the following tags may be specified:

       server This is the server to send the RADIUS request to.  It can  be  a
              hostname  with  optional port, an ip address with optional port,
              or   a   Unix   domain   socket   address.    The   default   is
              /opt/local/var/krb5kdc/<name>.socket.

       secret This  tag  indicates  a  filename  (which  may  be  relative  to
              /opt/local/var/krb5kdc) containing the secret  used  to  encrypt
              the  RADIUS packets.  The secret should appear in the first line
              of the file by itself; leading and trailing  whitespace  on  the
              line  will  be removed.  If the value of server is a Unix domain
              socket address, this tag is optional, and an empty  secret  will
              be  used  if  it  is  not  specified.   Otherwise,  this  tag is
              required.

       timeout
              An integer which specifies the time in seconds during which  the
              KDC  should  attempt  to contact the RADIUS server.  This tag is
              the total time across all retries and should be  less  than  the
              time  which  an  OTP  value remains valid for.  The default is 5
              seconds.

       retries
              This tag specifies the number of retries to make to  the  RADIUS
              server.  The default is 3 retries (4 tries).

       strip_realm
              If  this  tag  is  true, the principal without the realm will be
              passed to the RADIUS  server.   Otherwise,  the  realm  will  be
              included.  The default value is true.

       indicator
              This tag specifies an authentication indicator to be included in
              the ticket if this token type is  used  to  authenticate.   This
              option  may be specified multiple times.  (New in release 1.14.)

       In the following example, requests are sent to a remote server via UDP:

          [otp]
              MyRemoteTokenType = {
                  server = radius.mydomain.com:1812
                  secret = SEmfiajf42$
                  timeout = 15
                  retries = 5
                  strip_realm = true
              }

       An  implicit  default  token type named DEFAULT is defined for when the
       per-principal configuration does not specify a token type.  Its config-
       uration  is shown below.  You may override this token type to something
       applicable for your situation:

          [otp]
              DEFAULT = {
                  strip_realm = false
              }


PKINIT OPTIONS

       NOTE:
          The following are pkinit-specific  options.   These  values  may  be
          specified   in   [kdcdefaults]  as  global  defaults,  or  within  a
          realm-specific subsection of [realms].  Also note that a  realm-spe-
          cific  value  over-rides,  does  not add to, a generic [kdcdefaults]
          specification.  The search order is:

       1. realm-specific subsection of [realms]:

             [realms]
                 EXAMPLE.COM = {
                     pkinit_anchors = FILE:/usr/local/example.com.crt
                 }

       2. generic value in the [kdcdefaults] section:

             [kdcdefaults]
                 pkinit_anchors = DIR:/usr/local/generic_trusted_cas/

       For information about the syntax of some of these options, see Specify-
       ing PKINIT identity information in krb5.conf(5).

       pkinit_anchors
              Specifies  the  location  of  trusted anchor (root) certificates
              which the KDC trusts to sign client certificates.   This  option
              is  required  if  pkinit  is  to  be supported by the KDC.  This
              option may be specified multiple times.

       pkinit_dh_min_bits
              Specifies the minimum number of  bits  the  KDC  is  willing  to
              accept  for a client's Diffie-Hellman key.  The default is 2048.

       pkinit_allow_upn
              Specifies that the KDC is willing to accept client  certificates
              with  the  Microsoft UserPrincipalName (UPN) Subject Alternative
              Name (SAN).  This means the KDC accepts the binding of  the  UPN
              in  the certificate to the Kerberos principal name.  The default
              value is false.

              Without this option, the KDC will only accept certificates  with
              the id-pkinit-san as defined in RFC 4556.  There is currently no
              option to disable SAN checking in the KDC.

       pkinit_eku_checking
              This option specifies what Extended Key Usage (EKU)  values  the
              KDC  is  willing  to  accept in client certificates.  The values
              recognized in the kdc.conf file are:

              kpClientAuth
                     This is the default value and specifies that client  cer-
                     tificates  must  have  the  id-pkinit-KPClientAuth EKU as
                     defined in RFC 4556.

              scLogin
                     If scLogin is specified,  client  certificates  with  the
                     Microsoft  Smart  Card Login EKU (id-ms-kp-sc-logon) will
                     be accepted.

              none   If none is specified, then client certificates  will  not
                     be  checked  to  verify they have an acceptable EKU.  The
                     use of this option is not recommended.

       pkinit_identity
              Specifies the location of the KDC's X.509 identity  information.
              This option is required if pkinit is to be supported by the KDC.

       pkinit_indicator
              Specifies an authentication indicator to include in  the  ticket
              if pkinit is used to authenticate.  This option may be specified
              multiple times.  (New in release 1.14.)

       pkinit_pool
              Specifies the location of intermediate certificates which may be
              used  by  the KDC to complete the trust chain between a client's
              certificate and a trusted anchor.  This option may be  specified
              multiple times.

       pkinit_revoke
              Specifies  the  location  of  Certificate  Revocation List (CRL)
              information to be used by the KDC when verifying the validity of
              client  certificates.   This  option  may  be specified multiple
              times.

       pkinit_require_crl_checking
              The default certificate verification process will  always  check
              the available revocation information to see if a certificate has
              been revoked.  If a match is found for the certificate in a CRL,
              verification  fails.   If  the certificate being verified is not
              listed in a CRL, or there is no CRL present for its issuing  CA,
              and pkinit_require_crl_checking is false, then verification suc-
              ceeds.

              However, if pkinit_require_crl_checking is true and there is  no
              CRL  information available for the issuing CA, then verification
              fails.

              pkinit_require_crl_checking should be set to true if the  policy
              is such that up-to-date CRLs must be present for every CA.

       pkinit_require_freshness
              Specifies  whether  to  require  clients  to include a freshness
              token in PKINIT requests.  The default value is false.  (New  in
              release 1.17.)


ENCRYPTION TYPES

       Any  tag in the configuration files which requires a list of encryption
       types can be set to some combination of the following strings.  Encryp-
       tion types marked as "weak" and "deprecated" are available for compati-
       bility but not recommended for use.

             +---------------------------+-----------------------------+
             |des3-cbc-raw               | Triple DES  cbc  mode  raw  |
             |                           | (weak)                      |
             +---------------------------+-----------------------------+
             |des3-cbc-sha1              | Triple  DES  cbc mode with  |
             |des3-hmac-sha1             | HMAC/sha1 (deprecated)      |
             |des3-cbc-sha1-kd           |                             |
             +---------------------------+-----------------------------+
             |aes256-cts-hmac-sha1-96    | AES-256   CTS   mode  with  |
             |aes256-cts aes256-sha1     | 96-bit SHA-1 HMAC           |
             +---------------------------+-----------------------------+
             |aes128-cts-hmac-sha1-96    | AES-128   CTS   mode  with  |
             |aes128-cts aes128-sha1     | 96-bit SHA-1 HMAC           |
             +---------------------------+-----------------------------+
             |aes256-cts-hmac-sha384-192 | AES-256   CTS   mode  with  |
             |aes256-sha2                | 192-bit SHA-384 HMAC        |
             +---------------------------+-----------------------------+
             |aes128-cts-hmac-sha256-128 | AES-128   CTS   mode  with  |
             |aes128-sha2                | 128-bit SHA-256 HMAC        |
             +---------------------------+-----------------------------+
             |arcfour-hmac rc4-hmac arc- | RC4  with HMAC/MD5 (depre-  |
             |four-hmac-md5              | cated)                      |
             +---------------------------+-----------------------------+
             |arcfour-hmac-exp           | Exportable    RC4     with  |
             |rc4-hmac-exp          arc- | HMAC/MD5 (weak)             |
             |four-hmac-md5-exp          |                             |
             +---------------------------+-----------------------------+
             |camellia256-cts-cmac       | Camellia-256 CTS mode with  |
             |camellia256-cts            | CMAC                        |
             +---------------------------+-----------------------------+
             |camellia128-cts-cmac       | Camellia-128 CTS mode with  |
             |camellia128-cts            | CMAC                        |
             +---------------------------+-----------------------------+
             |des3                       | The   triple  DES  family:  |
             |                           | des3-cbc-sha1               |
             +---------------------------+-----------------------------+
             |aes                        | The      AES       family:  |
             |                           | aes256-cts-hmac-sha1-96,    |
             |                           | aes128-cts-hmac-sha1-96,    |
             |                           | aes256-cts-hmac-sha384-192, |
             |                           | and                         |
             |                           | aes128-cts-hmac-sha256-128  |
             +---------------------------+-----------------------------+
             |rc4                        | The   RC4   family:    arc- |
             |                           | four-hmac                   |
             +---------------------------+-----------------------------+
             |camellia                   | The Camellia family: camel- |
             |                           | lia256-cts-cmac and  camel- |
             |                           | lia128-cts-cmac             |
             +---------------------------+-----------------------------+

       The string DEFAULT can be used to refer to the default set of types for
       the variable in question.  Types or families can be  removed  from  the
       current list by prefixing them with a minus sign ("-").  Types or fami-
       lies can be prefixed with a plus sign ("+") for symmetry;  it  has  the
       same meaning as just listing the type or family.  For example, "DEFAULT
       -rc4" would be the default set  of  encryption  types  with  RC4  types
       removed,  and  "des3  DEFAULT"  would  be the default set of encryption
       types with triple DES types moved to the front.

       While aes128-cts and aes256-cts are supported for all  Kerberos  opera-
       tions, they are not supported by very old versions of our GSSAPI imple-
       mentation (krb5-1.3.1 and earlier).  Services running versions of  krb5
       without AES support must not be given keys of these encryption types in
       the KDC database.

       The aes128-sha2 and aes256-sha2 encryption types  are  new  in  release
       1.15.   Services  running  versions  of  krb5 without support for these
       newer encryption types must not be given keys of these encryption types
       in the KDC database.


KEYSALT LISTS

       Kerberos  keys  for users are usually derived from passwords.  Kerberos
       commands and configuration parameters that affect  generation  of  keys
       take  lists  of  enctype-salttype  ("keysalt")  pairs, known as keysalt
       lists.  Each keysalt pair is an enctype name  followed  by  a  salttype
       name, in the format enc:salt.  Individual keysalt list members are sep-
       arated by comma (",") characters or space characters.  For example:

          kadmin -e aes256-cts:normal,aes128-cts:normal

       would start up kadmin so  that  by  default  it  would  generate  pass-
       word-derived  keys  for the aes256-cts and aes128-cts encryption types,
       using a normal salt.

       To ensure that people who happen to pick the same password do not  have
       the  same  key,  Kerberos  5 incorporates more information into the key
       using something called a salt.  The supported salt types  are  as  fol-
       lows:

                      +----------+----------------------------+
                      |normal    | default  for Kerberos Ver- |
                      |          | sion 5                     |
                      +----------+----------------------------+
                      |norealm   | same as the default, with- |
                      |          | out  using  realm informa- |
                      |          | tion                       |
                      +----------+----------------------------+
                      |onlyrealm | uses only  realm  informa- |
                      |          | tion as the salt           |
                      +----------+----------------------------+
                      |special   | generate a random salt     |
                      +----------+----------------------------+


SAMPLE KDC.CONF FILE

       Here's an example of a kdc.conf file:

          [kdcdefaults]
              kdc_listen = 88
              kdc_tcp_listen = 88
          [realms]
              ATHENA.MIT.EDU = {
                  kadmind_port = 749
                  max_life = 12h 0m 0s
                  max_renewable_life = 7d 0h 0m 0s
                  master_key_type = aes256-cts-hmac-sha1-96
                  supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal
                  database_module = openldap_ldapconf
              }

          [logging]
              kdc = FILE:/usr/local/var/krb5kdc/kdc.log
              admin_server = FILE:/usr/local/var/krb5kdc/kadmin.log

          [dbdefaults]
              ldap_kerberos_container_dn = cn=krbcontainer,dc=mit,dc=edu

          [dbmodules]
              openldap_ldapconf = {
                  db_library = kldap
                  disable_last_success = true
                  ldap_kdc_dn = "cn=krbadmin,dc=mit,dc=edu"
                      # this object needs to have read rights on
                      # the realm container and principal subtrees
                  ldap_kadmind_dn = "cn=krbadmin,dc=mit,dc=edu"
                      # this object needs to have read and write rights on
                      # the realm container and principal subtrees
                  ldap_service_password_file = /etc/kerberos/service.keyfile
                  ldap_servers = ldaps://kerberos.mit.edu
                  ldap_conns_per_server = 5
              }


FILES

       /opt/local/var/krb5kdc/kdc.conf


SEE ALSO

       krb5.conf(5), krb5kdc(8), kadm5.acl(5)


AUTHOR

       MIT


COPYRIGHT

       1985-2021, MIT



1.19                                                               kdc.conf(5)

kerberos5 1.19 - Generated Thu Feb 11 15:32:45 CST 2021
© manpagez.com 2000-2021
Individual documents may contain additional copyright information.