Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages


home | help
KRB5.CONF(5)		  FreeBSD File Formats Manual		  KRB5.CONF(5)

     krb5.conf -- configuration	file for Kerberos 5

     #include <krb5/krb5.h>

     The krb5.conf file	specifies several configuration	parameters for the
     Kerberos 5	library, as well as for	some programs.

     The file consists of one or more sections,	containing a number of bind-
     ings.  The	value of each binding can be either a string or	a list of
     other bindings.  The grammar looks	like:

		   /* empty */

		   section sections

		   '[' section_name ']'	bindings


		   binding bindings

		   name	'=' STRING
		   name	'=' '{'	bindings '}'


     STRINGs consists of one or	more non-whitespace characters.

     STRINGs that are specified	later in this man-page uses the	following no-

		values can be either yes/true or no/false.

		values can be a	list of	year, month, day, hour,	min, second.
		Example: 1 month 2 days	30 min.	 If no unit is given, seconds
		is assumed.

		valid encryption types are: des-cbc-crc, des-cbc-md4, des-cbc-
		md5, des3-cbc-sha1, arcfour-hmac-md5, aes128-cts-hmac-sha1-96,
		and aes256-cts-hmac-sha1-96 .

		an address can be either a IPv4	or a IPv6 address.

     Currently recognised sections and bindings	are:

		Specifies the default values to	be used	for Kerberos applica-
		tions.	You can	specify	defaults per application, realm, or a
		combination of these.  The preference order is:
		1.   application realm option
		2.   application option
		3.   realm option
		4.   option

		The supported options are:

		      forwardable = boolean
			   When	obtaining initial credentials, make the	cre-
			   dentials forwardable.

		      proxiable	= boolean
			   When	obtaining initial credentials, make the	cre-
			   dentials proxiable.

		      no-addresses = boolean
			   When	obtaining initial credentials, request them
			   for an empty	set of addresses, making the tickets
			   valid from any address.

		      ticket_lifetime =	time
			   Default ticket lifetime.

		      renew_lifetime = time
			   Default renewable ticket lifetime.

		      encrypt =	boolean
			   Use encryption, when	available.

		      forward =	boolean
			   Forward credentials to remote host (for rsh(1),
			   telnet(1), etc).


		      default_realm = REALM
			   Default realm to use, this is also known as your
			   "local realm".  The default is the result of
			   krb5_get_host_realm(local hostname).

		      allow_weak_crypto	= boolean
			   are weak crypto algorithms allowed to be used,
			   among others, DES is	considered weak.

		      clockskew	= time
			   Maximum time	differential (in seconds) allowed when
			   comparing times.  Default is	300 seconds (five min-

		      kdc_timeout = time
			   Maximum time	to wait	for a reply from the kdc, de-
			   fault is 3 seconds.

		      capath = {

				 destination-realm = next-hop-realm


			   This	is deprecated, see the capaths section below.

		      default_cc_type =	cctype
			   sets	the default credentials	type.

		      default_cc_name =	ccname
			   the default credentials cache name.	If you want to
			   change the type only	use default_cc_type.  The
			   string can contain variables	that are expanded on
			   runtime.  The Only supported	variable currently is
			   %{uid} which	expands	to the current user id.

		      default_etypes = etypes ...
			   A list of default encryption	types to use. (De-
			   fault: all enctypes if allow_weak_crypto = TRUE,
			   else	all enctypes except single DES enctypes.)

		      default_as_etypes	= etypes ...
			   A list of default encryption	types to use in	AS re-
			   quests.  (Default: the value	of default_etypes.)

		      default_tgs_etypes = etypes ...
			   A list of default encryption	types to use in	TGS
			   requests.  (Default:	the value of default_etypes.)

		      default_etypes_des = etypes ...
			   A list of default encryption	types to use when re-
			   questing a DES credential.

		      default_keytab_name = keytab
			   The keytab to use if	no other is specified, default
			   is "FILE:/etc/krb5.keytab".

		      dns_lookup_kdc = boolean
			   Use DNS SRV records to lookup KDC services loca-

		      dns_lookup_realm = boolean
			   Use DNS TXT records to lookup domain	to realm map-

		      kdc_timesync = boolean
			   Try to keep track of	the time differential between
			   the local machine and the KDC, and then compensate
			   for that when issuing requests.

		      max_retries = number
			   The max number of times to try to contact each KDC.

		      large_msg_size = number
			   The threshold where protocols with tiny maximum
			   message sizes are not considered usable to send
			   messages to the KDC.

		      ticket_lifetime =	time
			   Default ticket lifetime.

		      renew_lifetime = time
			   Default renewable ticket lifetime.

		      forwardable = boolean
			   When	obtaining initial credentials, make the	cre-
			   dentials forwardable.  This option is also valid in
			   the [realms]	section.

		      proxiable	= boolean
			   When	obtaining initial credentials, make the	cre-
			   dentials proxiable.	This option is also valid in
			   the [realms]	section.

		      verify_ap_req_nofail = boolean
			   If enabled, failure to verify credentials against a
			   local key is	a fatal	error.	The application	has to
			   be able to read the corresponding service key for
			   this	to work.  Some applications, like su(1), en-
			   able	this option unconditionally.

		      warn_pwexpire = time
			   How soon to warn for	expiring password.  Default is
			   seven days.

		      http_proxy = proxy-spec
			   A HTTP-proxy	to use when talking to the KDC via

		      dns_proxy	= proxy-spec
			   Enable using	DNS via	HTTP.

		      extra_addresses =	address	...
			   A list of addresses to get tickets for along	with
			   all local addresses.

		      time_format = string
			   How to print	time strings in	logs, this string is
			   passed to strftime(3).

		      date_format = string
			   How to print	date strings in	logs, this string is
			   passed to strftime(3).

		      log_utc =	boolean
			   Write log-entries using UTC instead of your local
			   time	zone.

		      scan_interfaces =	boolean
			   Scan	all network interfaces for addresses, as op-
			   posed to simply using the address associated	with
			   the system's	host name.

		      fcache_version = int
			   Use file credential cache format version specified.

		      fcc-mit-ticketflags = boolean
			   Use MIT compatible format for file credential
			   cache.  It's	the field ticketflags that is stored
			   in reverse bit order	for older than Heimdal 0.7.
			   Setting this	flag to	TRUE makes it store the	MIT
			   way,	this is	default	for Heimdal 0.7.

			   If set to "ignore", the framework will ignore any
			   of the server input to krb5_rd_req(3), this is very
			   useful when the GSS-API server input	the wrong
			   server name into the	gss_accept_sec_context call.

		      k5login_directory	= directory
			   Alternative location	for user .k5login files. This
			   option is provided for compatibility	with MIT krb5
			   configuration files.

		      k5login_authoritative = boolean
			   If true then	if a principal is not found in k5login
			   files then krb5_userok(3) will not fallback on
			   principal to	username mapping. This option is pro-
			   vided for compatibility with	MIT krb5 configuration

		      kuserok =	rule ...
			   Specifies krb5_userok(3) behavior.  If multiple
			   values are given, then krb5_userok(3) will evaluate
			   them	in order until one succeeds or all fail.
			   Rules are implemented by plugins, with three	built-
			   in plugins described	below. Default:	USER-K5LOGIN

		      kuserok =	DENY
			   If set and evaluated	then krb5_userok(3) will deny
			   access to the given username	no matter what the
			   principal name might	be.

		      kuserok =	SIMPLE
			   If set and evaluated	then krb5_userok(3) will use
			   principal to	username mapping (see auth_to_local
			   below).  If the principal maps to the requested
			   username then access	is allowed.

		      kuserok =	SYSTEM-K5LOGIN[:directory]
			   If set and evaluated	then krb5_userok(3) will use
			   k5login files named after the luser argument	to
			   krb5_userok(3) in the given directory or in
			   /etc/k5login.d/.  K5login files are text files,
			   with	each line containing just a principal name;
			   principals apearing in a user's k5login file	are
			   permitted access to the user's account. Note: this
			   rule	performs no ownership nor permissions checks
			   on k5login files; proper ownership and permis-
			   sions/ACLs are expected due to the k5login location
			   being a system location.

		      kuserok =	USER-K5LOGIN
			   If set and evaluated	then krb5_userok(3) will use
			   ~luser/.k5login and ~luser/.k5login.d/*.  User
			   k5login files and directories must be owned by the
			   user	and must not have world	nor group write	per-

		      aname2lname-text-db = filename
			   The named file must be a sorted (in increasing or-
			   der)	text file where	every line consists of an un-
			   parsed principal name optionally followed by	white-
			   space and a username.  The aname2lname function
			   will	do a binary search on this file, if config-
			   ured, looking for lines that	match the given	prin-
			   cipal name, and if found the	given username will be
			   used, or, if	the username is	missing, an error will
			   be returned.	 If the	file doesn't exist, or if no
			   matching line is found then other plugins will be
			   allowed to run.

			   strict checking in FILE credential caches that
			   owner, no symlink and permissions is	correct.

		      name_canon_rules = rules
			   One or more service principal name canonicalization
			   rules.  Each	rule consists of one or	more tokens
			   separated by	colon (':').  Currently	these rules
			   are used only for hostname canonicalization (usu-
			   ally	when getting a service ticket, from a ccache
			   or a	TGS, but also when acquiring GSS initiator
			   credentials from a keytab).	These rules can	be
			   used	to implement DNS resolver-like search lists
			   without having to use DNS.

			   NOTE: Name canonicalization rules are an experimen-
			   tal feature.

			   The first token is a	rule type, one of: as-is,
			   qualify, or nss.

			   Any remaining tokens	must be	options	tokens:
			   use_fast (use FAST to protect TGS exchanges;	cur-
			   rently not supported), use_dnssec (use DNSSEC to
			   protect hostname lookups; currently not supported),
			   ccache_only , use_referrals,	no_referrals,
			   lookup_realm, mindots=N, maxdots=N, order=N,	do-
			   main= domain, realm=	realm, match_domain= domain,
			   and match_realm= realm.

			   When	trying to obtain a service ticket for a	host-
			   based service principal name, name canonicalization
			   rules are applied to	that name in the order given,
			   one by one, until one succeds (a service ticket is
			   obtained), or all fail.  Similarly when acquiring
			   GSS initiator credentials from a keytab, and	when
			   comparing a non-canonical GSS name to a canonical

			   For each rule the system checks that	the hostname
			   has at least	mindots	periods	(if given) in it, at
			   most	maxdots	periods	(if given), that the hostname
			   ends	in the given match_domain (if given), and that
			   the realm of	the principal matches the match_realm
			   (if given).

			   As-is rules leave the hostname unmodified but may
			   set a realm.	 Qualify rules qualify the hostname
			   with	the given domain and also may set the realm.
			   The nss rule	uses the system	resolver to lookup the
			   host's canonical name and is	usually	not secure.
			   Note	that using the nss rule	type implies having to
			   have	principal aliases in the HDB (though not nec-
			   essarily in keytabs).

			   The empty realm denotes "ask	the client's realm's
			   TGS".  The empty realm may be set as	well as

			   The order in	which rules are	applied	is as follows:
			   first all the rules with explicit order then	all
			   other rules in the order in which they appear.  If
			   any two rules have the same explicit	order, their
			   order of appearance in krb5.conf breaks the tie.
			   Explicitly specifying order can be useful where
			   tools read and write	the configuration file without
			   preserving parameter	order.

			   Malformed rules are ignored.

		      allow_hierarchical_capaths = boolean
			   When	validating cross-realm transit paths, absent
			   any explicit	capath from the	client realm to	the
			   server realm, allow a hierarchical transit path via
			   the common ancestor domain of the two realms.  De-
			   faults to true.  Note, absent an explicit setting,
			   hierarchical	capaths	are always used	by the KDC
			   when	generating a referral to a destination with
			   which is no direct trust.

		This is	a list of mappings from	DNS domain to Kerberos realm.
		Each binding in	this section looks like:

		      domain = realm

		The domain can be either a full	name of	a host or a trailing
		component, in the latter case the domain-string	should start
		with a period.	The trailing component only matches hosts that
		are in the same	domain,	ie "" matches
		"", but not "".

		The realm may be the token `dns_locate', in which case the ac-
		tual realm will	be determined using DNS	(independently of the
		setting	of the `dns_lookup_realm' option).


		      REALM = {

				 kdc = [service/]host[:port]
				      Specifies	a list of kdcs for this	realm.
				      If the optional port is absent, the de-
				      fault value for the "kerberos/udp"
				      "kerberos/tcp", and "http/tcp" port (de-
				      pending on service) will be used.	 The
				      kdcs will	be used	in the order that they
				      are specified.

				      The optional service specifies over what
				      medium the kdc should be contacted.
				      Possible services	are "udp", "tcp", and
				      "http".  Http can	also be	written	as
				      "http://".  Default service is "udp" and

				 admin_server =	host[:port]
				      Specifies	the admin server for this
				      realm, where all the modifications to
				      the database are performed.

				 kpasswd_server	= host[:port]
				      Points to	the server where all the pass-
				      word changes are performed.  If there is
				      no such entry, the kpasswd port on the
				      admin_server host	will be	tried.

				      a	boolan variable	that defaults to
				      false.  Old DCE secd (pre	1.1) might
				      need this	to be true.

				 auth_to_local_names = {

					    principal_name = username
						 The given principal_name will
						 be mapped to the given
						 username if the REALM is a
						 default realm.


				 auth_to_local = HEIMDAL_DEFAULT
				      Use the Heimdal default principal	to
				      username mapping.	 Applies to principals
				      from the REALM if	and only if REALM is a
				      default realm.

				 auth_to_local = DEFAULT
				      Use the MIT default principal to user-
				      name mapping.  Applies to	principals
				      from the REALM if	and only if REALM is a
				      default realm.

				 auth_to_local = DB:/path/to/db.txt
				      Use a binary search of the given DB.
				      The DB must be a flat-text file sortedf
				      in the "C" locale, with each record be-
				      ing a line (separated by either LF or
				      CRLF) consisting of a principal name
				      followed by whitespace followed by a
				      username.	 Applies to principals from
				      the REALM	if and only if REALM is	a de-
				      fault realm.

				 auth_to_local = DB:/path/to/db
				      Use the given DB,	if there's a plugin
				      for it.  Applies to principals from the
				      REALM if and only	if REALM is a default

				 auth_to_local = RULE:...
				      Use the given rule, if there's a plugin
				      for it.  Applies to principals from the
				      REALM if and only	if REALM is a default

				 auth_to_local = NONE
				      No additional principal to username map-
				      ping is done. Note that
				      auth_to_local_names and any preceding
				      auth_to_local rules have precedence.



		      client-realm = {

				 server-realm =	hop-realm ...
				      This serves two purposes.	First the
				      first listed hop-realm tells a client
				      which realm it should contact in order
				      to ultimately obtain credentials for a
				      service in the server-realm.  Secondly,
				      it tells the KDC (and other servers)
				      which realms are allowed in a multi-hop
				      traversal	from client-realm to
				      server-realm.  Except for	the client
				      case, the	order of the realms are	not



		      entity = destination
			   Specifies that entity should	use the	specified
			   destination for logging.  See the krb5_openlog(3)
			   manual page for a list of defined destinations.


		      database = {

				      Use this database	for this realm.	 The
				      DATABASETYPE should be one of 'lmdb',
				      'db3', 'db1', 'db', 'sqlite', or 'ldap'.
				      See the info documetation	how to config-
				      ure different database backends.

				 realm = REALM
				      Specifies	the realm that will be stored
				      in this database.	 It realm isn't	set,
				      it will used as the default database,
				      there can	only be	one entry that doesn't
				      have a realm stanza.

				 mkey_file = FILENAME
				      Use this keytab file for the master key
				      of this database.	 If not	specified
				      DATABASENAME.mkey	will be	used.

				 acl_file = PA FILENAME
				      Use this file for	the ACL	list of	this

				 log_file = FILENAME
				      Use this file as the log of changes per-
				      formed to	the database.  This file is
				      used by ipropd-master for	propagating
				      changes to slaves.  It is	also used by
				      kadmind and kadmin (when used with the
				      -l option), and by all applications us-
				      ing libkadm5 with	the local backend, for
				      two-phase	commit functionality.  Slaves
				      also use this.  Setting this to
				      /dev/null	disables two-phase commit and
				      incremental propagation.	Use iprop-log
				      to show the contents of this log file.

				 log-max-size =	number
				      When the log reaches this	size (in
				      bytes), the log will be truncated, sav-
				      ing some entries,	and keeping the	latest
				      version number so	as to not disrupt in-
				      cremental	propagation.  If set to	a neg-
				      ative value then automatic log trunca-
				      tion will	be disabled.  Defaults to
				      52428800 (50MB).


		      max-request = SIZE
			   Maximum size	of a kdc request.

		      require-preauth =	BOOL
			   If set pre-authentication is	required.

		      ports = list of ports
			   List	of ports the kdc should	listen to.

		      addresses	= list of interfaces
			   List	of addresses the kdc should bind to.

		      enable-http = BOOL
			   Should the kdc answer kdc-requests over http.

		      tgt-use-strongest-session-key = BOOL
			   If this is TRUE then	the KDC	will prefer the
			   strongest key from the client's AS-REQ or TGS-REQ
			   enctype list	for the	ticket session key that	is
			   supported by	the KDC	and the	target principal when
			   the target principal	is a krbtgt principal.	Else
			   it will prefer the first key	from the client's AS-
			   REQ enctype list that is also supported by the KDC
			   and the target principal.  Defaults to FALSE.

		      svc-use-strongest-session-key = BOOL
			   Like	tgt-use-strongest-session-key, but applies to
			   the session key enctype of tickets for services
			   other than krbtgt principals. Defaults to FALSE.

		      preauth-use-strongest-session-key	= BOOL
			   If TRUE then	select the strongest possible enctype
			   from	the client's AS-REQ for	PA-ETYPE-INFO2 (i.e.,
			   for password-based pre-authentication).  Else pick
			   the first supported enctype from the	client's AS-
			   REQ.	 Defaults to FALSE.

		      use-strongest-server-key = BOOL
			   If TRUE then	the KDC	picks, for the ticket en-
			   crypted part's key, the first supported enctype
			   from	the target service principal's hdb entry's
			   current keyset. Else	the KDC	picks the first	sup-
			   ported enctype from the target service principal's
			   hdb entry's current keyset.	Defaults to TRUE.

		      check-ticket-addresses = BOOL
			   Verify the addresses	in the tickets used in tgs re-

		      allow-null-ticket-addresses = BOOL
			   Allow address-less tickets.

		      allow-anonymous =	BOOL
			   If the kdc is allowed to hand out anonymous tick-

		      encode_as_rep_as_tgs_rep = BOOL
			   Encode as-rep as tgs-rep tobe compatible with mis-
			   takes older DCE secd	did.

		      kdc_warn_pwexpire	= TIME
			   The time before expiration that the user should be
			   warned that her password is about to	expire.

		      logging =	Logging
			   What	type of	logging	the kdc	should use, see	also

		      hdb-ldap-structural-object structural object
			   If the LDAP backend is used for storing principals,
			   this	is the structural object that will be used
			   when	creating and when reading objects.  The	de-
			   fault value is account .

		      hdb-ldap-create-base creation dn
			   is the dn that will be appended to the principal
			   when	creating entries.  Default value is the	search

		      enable-digest = BOOL
			   Should the kdc answer digest	requests. The default
			   is FALSE.

		      digests_allowed =	list of	digests
			   Specifies the digests the kdc will reply to.	The
			   default is ntlm-v2.

		      kx509_ca = file
			   Specifies the PEM credentials for the kx509 certi-
			   fication authority.

		      require_initial_kca_tickets = boolean
			   Specified whether to	require	that tickets for the
			   kca_service service principal be INITIAL.  This may
			   be set on a per-realm basis as well as globally.
			   Defaults to true for	the global setting.

		      kx509_include_pkinit_san = boolean
			   If true then	the kx509 client principal's name and
			   realm will be included in an	id-pkinit-san certifi-
			   cate	extension.  This can be	set on a per-realm ba-
			   sis as well as globally.  Defaults to true for the
			   global setting.

		      kx509_template = file
			   Specifies the PEM file with a template for the cer-
			   tificates to	be issued.  The	following variables
			   can be interpolated in the subject name using
			   ${variable} syntax:

				      The full name of the kx509 client	prin-

				      The full name of the kx509 client	prin-
				      cipal, excluding the realm name.

				      The name of the client principal's
		The kx509, kx509_template, kx509_include_pkinit_san, and
		require_initial_kca_tickets parameters may be set on a per-
		realm basis as well.


		      password_lifetime	= time
			   If a	principal already have its password set	for
			   expiration, this is the time	it will	be valid for
			   after a change.

		      default_keys = keytypes...
			   For each entry in default_keys try to parse it as a
			   sequence of etype:salttype:salt syntax of this if
			   something like:


			   If etype is omitted it means	everything, and	if
			   string is omitted it	means the default salt string
			   (for	that principal and encryption type).  Addi-
			   tional special values of keytypes are:

				 v5   The Kerberos 5 salt pw-salt

		      default_key_rules	= {

				 globing-rule =	keytypes...
				      a	globbing rule to matching a principal,
				      and when true, use the keytypes as spec-
				      ified the	same format as [kadmin]de-
				      fault_keys .


		      prune-key-history	= BOOL
			   When	adding keys to the key history,	drop keys that
			   are too old to match	unexpired tickets (based on
			   the principal's maximum ticket lifetime).  If the
			   KDC keystore	is later compromised traffic protected
			   with	the discarded older keys may remain protected.
			   This	also keeps the HDB records for principals with
			   key history from growing without bound.  The	de-
			   fault (backwards compatible)	value is "false".

		      use_v4_salt = BOOL
			   When	true, this is the same as

			   default_keys	= des3:pw-salt v4

			   and is only left for	backwards compatibility.

			   Check the Password quality assurance	in the info
			   documentation for more information.

				 check_library = library-name
				      Library name that	contains the password

				 check_function	= function-name
				      Function name for	checking passwords in

				 policy_libraries = library1 ... libraryN
				      List of libraries	that can do password
				      policy checks

				 policies = policy1 ...	policyN
				      List of policy names to apply to the
				      password.	Builtin	policies are among
				      other minimum-length, character-class,

     KRB5_CONFIG points	to the configuration file to read.

     /etc/krb5.conf  configuration file	for Kerberos 5.

		   default_realm = FOO.SE
		   name_canon_rules = as-is:realm=FOO.SE
		   name_canon_rules =
		   name_canon_rules =
		   name_canon_rules = nss
	   [domain_realm] = FOO.SE = FOO.SE
		   FOO.SE = {
			   kdc =
			   default_domain =
		   kdc = FILE:/var/heimdal/kdc.log
		   kdc = SYSLOG:INFO
		   default = SYSLOG:INFO:USER
		   default_key_rules = {
			   */ppp@* = arcfour-hmac-md5:pw-salt

     Since krb5.conf is	read and parsed	by the krb5 library, there is not a
     lot of opportunities for programs to report parsing errors	in any useful
     format.  To help overcome this problem, there is a	program
     verify_krb5_conf that reads krb5.conf and tries to	emit useful diagnos-
     tics from parsing errors.	Note that this program does not	have any way
     of	knowing	what options are actually used and thus	cannot warn about un-
     known or misspelled ones.

     kinit(1), krb5_openlog(3),	strftime(3), verify_krb5_conf(8)

FreeBSD	13.0			  May 4, 2005			  FreeBSD 13.0


Want to link to this manual page? Use this URL:

home | help