Provided by: krb5-doc_1.17-1_all bug

NAME

       krb5.conf - Kerberos configuration file

       The krb5.conf file contains Kerberos configuration information, including the locations of
       KDCs and admin servers for the Kerberos realms of interest, defaults for the current realm
       and  for Kerberos applications, and mappings of hostnames onto Kerberos realms.  Normally,
       you should install your krb5.conf file in  the  directory  /etc.   You  can  override  the
       default   location   by   setting   the   environment   variable   KRB5_CONFIG.   Multiple
       colon-separated filenames may be specified in KRB5_CONFIG; all  files  which  are  present
       will  be  read.   Starting  in  release  1.14,  directory  names  can also be specified in
       KRB5_CONFIG; all files within the directory whose names  consist  solely  of  alphanumeric
       characters, dashes, or underscores will be read.

STRUCTURE

       The krb5.conf file is set up in the style of a Windows INI file.  Lines beginning with '#'
       or ';' (possibly after initial whitespace) are ignored as comments.  Sections  are  headed
       by the section name, in square brackets.  Each section may contain zero or more relations,
       of the form:

          foo = bar

       or:

          fubar = {
              foo = bar
              baz = quux
          }

       Placing a '*' at the end of a line indicates that this is the final  value  for  the  tag.
       This  means  that  neither  the  remainder  of  this  configuration  file  nor  any  other
       configuration file will be checked for any other values for this tag.

       For example, if you have the following lines:

          foo = bar*
          foo = baz

       then the second value of foo (baz) would never be read.

       The krb5.conf file can include other files using either of the following directives at the
       beginning of a line:

          include FILENAME
          includedir DIRNAME

       FILENAME or DIRNAME should be an absolute path. The named file or directory must exist and
       be readable.  Including a directory includes all files within the  directory  whose  names
       consist  solely  of  alphanumeric characters, dashes, or underscores.  Starting in release
       1.15, files with names ending in ".conf" are also included, unless the  name  begins  with
       ".".   Included  profile  files  are  syntactically  independent of their parents, so each
       included file must begin with a section header.  Starting in release 1.17, files are  read
       in alphanumeric order; in previous releases, they may be read in any order.

       The  krb5.conf  file  can  specify  that  configuration should be obtained from a loadable
       module, rather than the file itself, using the following directive at the beginning  of  a
       line before any section headers:

          module MODULEPATH:RESIDUAL

       MODULEPATH  may  be relative to the library path of the krb5 installation, or it may be an
       absolute path.  RESIDUAL is provided to the module at initialization time.   If  krb5.conf
       uses a module directive, kdc.conf(5) should also use one if it exists.

SECTIONS

       The krb5.conf file may contain the following sections:

                          ┌───────────────┬──────────────────────────────────┐
                          │[libdefaults]  │ Settings used by the Kerberos V5 │
                          │               │ library                          │
                          ├───────────────┼──────────────────────────────────┤
                          │[realms]       │ Realm-specific           contact │
                          │               │ information and settings         │
                          ├───────────────┼──────────────────────────────────┤
                          │[domain_realm] │ Maps    server    hostnames   to │
                          │               │ Kerberos realms                  │
                          ├───────────────┼──────────────────────────────────┤
                          │[capaths]      │ Authentication     paths     for │
                          │               │ non-hierarchical cross-realm     │
                          ├───────────────┼──────────────────────────────────┤
                          │[appdefaults]  │ Settings  used  by some Kerberos │
                          │               │ V5 applications                  │
                          ├───────────────┼──────────────────────────────────┤
                          │[plugins]      │ Controls      plugin      module │
                          │               │ registration                     │
                          └───────────────┴──────────────────────────────────┘

       Additionally,  krb5.conf may include any of the relations described in kdc.conf(5), but it
       is not a recommended practice.

   [libdefaults]
       The libdefaults section may contain any of the following relations:

       allow_weak_crypto
              If  this  flag  is  set  to  false,  then  weak  encryption  types  (as  noted   in
              Encryption_types   in   kdc.conf(5))   will   be   filtered   out   of   the  lists
              default_tgs_enctypes, default_tkt_enctypes, and  permitted_enctypes.   The  default
              value  for  this  tag is false, which may cause authentication failures in existing
              Kerberos infrastructures that do not support  strong  crypto.   Users  in  affected
              environments should set this tag to true until their infrastructure adopts stronger
              ciphers.

       ap_req_checksum_type
              An integer which specifies the type of AP-REQ checksum to  use  in  authenticators.
              This variable should be unset so the appropriate checksum for the encryption key in
              use will be used.  This can be set if backward compatibility  requires  a  specific
              checksum type.  See the kdc_req_checksum_type configuration option for the possible
              values and their meanings.

       canonicalize
              If this flag is set to true, initial  ticket  requests  to  the  KDC  will  request
              canonicalization  of  the  client principal name, and answers with different client
              principals than the requested principal will be accepted.   The  default  value  is
              false.

       ccache_type
              This  parameter determines the format of credential cache types created by kinit(1)
              or other programs.  The default value is  4,  which  represents  the  most  current
              format.  Smaller values can be used for compatibility with very old implementations
              of Kerberos which interact with credential caches on the same host.

       clockskew
              Sets the maximum allowable amount of clockskew in seconds  that  the  library  will
              tolerate  before assuming that a Kerberos message is invalid.  The default value is
              300 seconds, or five minutes.

              The clockskew setting is also used when  evaluating  ticket  start  and  expiration
              times.   For  example, tickets that have reached their expiration time can still be
              used (and renewed if they are renewable tickets) if they have been  expired  for  a
              shorter duration than the clockskew setting.

       default_ccache_name
              This  relation  specifies the name of the default credential cache.  The default is
              FILE:/tmp/krb5cc_%{uid}.  This relation is  subject  to  parameter  expansion  (see
              below).  New in release 1.11.

       default_client_keytab_name
              This  relation  specifies  the  name  of  the  default  keytab for obtaining client
              credentials.   The  default  is  FILE:/etc/krb5/user/%{euid}/client.keytab.    This
              relation is subject to parameter expansion (see below).  New in release 1.11.

       default_keytab_name
              This  relation  specifies the default keytab name to be used by application servers
              such as sshd.  The default is FILE:/etc/krb5.keytab.  This relation is  subject  to
              parameter expansion (see below).

       default_realm
              Identifies  the  default  Kerberos  realm  for  the  client.  Set its value to your
              Kerberos realm.  If this value is not set, then a  realm  must  be  specified  with
              every Kerberos principal when invoking programs such as kinit(1).

       default_tgs_enctypes
              Identifies  the  supported  list  of  session  key encryption types that the client
              should request when making a TGS-REQ,  in  order  of  preference  from  highest  to
              lowest.  The list may be delimited with commas or whitespace.  See Encryption_types
              in kdc.conf(5) for a list of the accepted values for this tag.  The  default  value
              is   aes256-cts-hmac-sha1-96   aes128-cts-hmac-sha1-96   aes256-cts-hmac-sha384-192
              aes128-cts-hmac-sha256-128  des3-cbc-sha1   arcfour-hmac-md5   camellia256-cts-cmac
              camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4, but single-DES encryption
              types will be implicitly removed from this list if the value  of  allow_weak_crypto
              is false.

              Do not set this unless required for specific backward compatibility purposes; stale
              values of this setting can prevent clients from taking advantage  of  new  stronger
              enctypes when the libraries are upgraded.

       default_tkt_enctypes
              Identifies  the  supported  list  of  session  key encryption types that the client
              should request when making an AS-REQ,  in  order  of  preference  from  highest  to
              lowest.  The format is the same as for default_tgs_enctypes.  The default value for
              this       tag       is       aes256-cts-hmac-sha1-96       aes128-cts-hmac-sha1-96
              aes256-cts-hmac-sha384-192         aes128-cts-hmac-sha256-128         des3-cbc-sha1
              arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc  des-cbc-md5
              des-cbc-md4,  but  single-DES encryption types will be implicitly removed from this
              list if the value of allow_weak_crypto is false.

              Do not set this unless required for specific backward compatibility purposes; stale
              values  of  this  setting can prevent clients from taking advantage of new stronger
              enctypes when the libraries are upgraded.

       dns_canonicalize_hostname
              Indicate whether name lookups will be used to canonicalize  hostnames  for  use  in
              service  principal  names.   Setting  this  flag  to  false can improve security by
              reducing reliance on DNS, but means that short hostnames will not be  canonicalized
              to fully-qualified hostnames.  The default value is true.

       dns_lookup_kdc
              Indicate  whether  DNS  SRV  records  should  be  used to locate the KDCs and other
              servers for a realm, if they are not listed in the krb5.conf  information  for  the
              realm.   (Note  that  the  admin_server  entry  must  be  in  the  krb5.conf  realm
              information in order to contact kadmind, because the DNS implementation for  kadmin
              is incomplete.)

              Enabling  this  option  does open up a type of denial-of-service attack, if someone
              spoofs the DNS records and redirects you to another server.  However, it's no worse
              than  a  denial of service, because that fake KDC will be unable to decode anything
              you send it (besides the initial ticket request, which has no encrypted data),  and
              anything  the  fake  KDC  sends will not be trusted without verification using some
              secret that it won't know.

       dns_uri_lookup
              Indicate whether DNS URI records should be  used  to  locate  the  KDCs  and  other
              servers  for  a  realm, if they are not listed in the krb5.conf information for the
              realm.  SRV records are used as a fallback if  no  URI  records  were  found.   The
              default value is true.  New in release 1.15.

       err_fmt
              This relation allows for custom error message formatting.  If a value is set, error
              messages will be formatted by substituting a normal error message  for  %M  and  an
              error code for %C in the value.

       extra_addresses
              This  allows a computer to use multiple local addresses, in order to allow Kerberos
              to work in a network that uses NATs while still using  address-restricted  tickets.
              The  addresses  should  be in a comma-separated list.  This option has no effect if
              noaddresses is true.

       forwardable
              If this flag is true, initial tickets will be forwardable by default, if allowed by
              the KDC.  The default value is false.

       ignore_acceptor_hostname
              When  accepting GSSAPI or krb5 security contexts for host-based service principals,
              ignore any hostname passed  by  the  calling  application,  and  allow  clients  to
              authenticate  to  any service principal in the keytab matching the service name and
              realm name (if given).  This option can improve the administrative  flexibility  of
              server  applications  on  multihomed  hosts,  but  could compromise the security of
              virtual hosting environments.  The default value is false.  New in release 1.10.

       k5login_authoritative
              If this flag is true, principals must be listed in a local user's k5login  file  to
              be  granted  login  access, if a .k5login(5) file exists.  If this flag is false, a
              principal may still be granted login access through  other  mechanisms  even  if  a
              k5login file exists but does not list the principal.  The default value is true.

       k5login_directory
              If  set,  the  library  will  look for a local user's k5login file within the named
              directory, with a filename corresponding to the local username.  If  not  set,  the
              library will look for k5login files in the user's home directory, with the filename
              .k5login.  For security reasons, .k5login files must be owned by the local user  or
              by root.

       kcm_mach_service
              On macOS only, determines the name of the bootstrap service used to contact the KCM
              daemon for the KCM credential cache type.  If the value is -, Mach RPC will not  be
              used to contact the KCM daemon.  The default value is org.h5l.kcm.

       kcm_socket
              Determines the path to the Unix domain socket used to access the KCM daemon for the
              KCM credential cache type.  If the value is -, Unix domain sockets will not be used
              to contact the KCM daemon.  The default value is /var/run/.heim_org.h5l.kcm-socket.

       kdc_default_options
              Default  KDC  options  (Xored for multiple values) when requesting initial tickets.
              By default it is set to 0x00000010 (KDC_OPT_RENEWABLE_OK).

       kdc_timesync
              Accepted values for this relation are 1 or 0.  If it is  nonzero,  client  machines
              will  compute the difference between their time and the time returned by the KDC in
              the timestamps in the tickets and use this  value  to  correct  for  an  inaccurate
              system  clock  when requesting service tickets or authenticating to services.  This
              corrective factor is only used by the Kerberos library; it is not  used  to  change
              the system clock.  The default value is 1.

       kdc_req_checksum_type
              An  integer  which  specifies the type of checksum to use for the KDC requests, for
              compatibility with very old KDC implementations.  This value is only used  for  DES
              keys; other keys use the preferred checksum type for those keys.

              The possible values and their meanings are as follows.

                                   ┌─────┬──────────────────────────────────┐
                                   │1    │ CRC32                            │
                                   ├─────┼──────────────────────────────────┤
                                   │2    │ RSA MD4                          │
                                   ├─────┼──────────────────────────────────┤
                                   │3    │ RSA MD4 DES                      │
                                   ├─────┼──────────────────────────────────┤
                                   │4    │ DES CBC                          │
                                   ├─────┼──────────────────────────────────┤
                                   │7    │ RSA MD5                          │
                                   ├─────┼──────────────────────────────────┤
                                   │8    │ RSA MD5 DES                      │
                                   ├─────┼──────────────────────────────────┤
                                   │9    │ NIST SHA                         │
                                   ├─────┼──────────────────────────────────┤
                                   │12   │ HMAC SHA1 DES3                   │
                                   ├─────┼──────────────────────────────────┤
                                   │-138 │ Microsoft MD5 HMAC checksum type │
                                   └─────┴──────────────────────────────────┘

       noaddresses
              If  this  flag  is true, requests for initial tickets will not be made with address
              restrictions set, allowing the tickets to be used across NATs.  The  default  value
              is true.

       permitted_enctypes
              Identifies  all  encryption  types  that  are  permitted  for  use  in  session key
              encryption.   The  default  value   for   this   tag   is   aes256-cts-hmac-sha1-96
              aes128-cts-hmac-sha1-96    aes256-cts-hmac-sha384-192    aes128-cts-hmac-sha256-128
              des3-cbc-sha1    arcfour-hmac-md5     camellia256-cts-cmac     camellia128-cts-cmac
              des-cbc-crc  des-cbc-md5  des-cbc-md4,  but  single-DES  encryption  types  will be
              implicitly removed from this list if the value of allow_weak_crypto is false.

       plugin_base_dir
              If set, determines the base directory where krb5 plugins are located.  The  default
              value  is  the  krb5/plugins  subdirectory  of  the  krb5  library directory.  This
              relation is subject to parameter expansion (see below) in release 1.17 and later.

       preferred_preauth_types
              This allows you to set the preferred preauthentication types which the client  will
              attempt before others which may be advertised by a KDC.  The default value for this
              setting is "17, 16, 15, 14", which forces libkrb5 to attempt to use PKINIT if it is
              supported.

       proxiable
              If  this  flag is true, initial tickets will be proxiable by default, if allowed by
              the KDC.  The default value is false.

       rdns   If this flag is true, reverse name lookup will be used in addition to forward  name
              lookup  to  canonicalizing  hostnames  for  use  in  service  principal  names.  If
              dns_canonicalize_hostname is set to false, this flag has no  effect.   The  default
              value is true.

       realm_try_domains
              Indicate  whether  a  host's  domain  components  should  be  used to determine the
              Kerberos realm of the host.  The value of this variable is an integer: -1 means not
              to  search,  0  means  to  try  the  host's  domain itself, 1 means to also try the
              domain's immediate parent,  and  so  forth.   The  library's  usual  mechanism  for
              locating  Kerberos  realms  is used to determine whether a domain is a valid realm,
              which may involve consulting DNS if dns_lookup_kdc is set.  The default is  not  to
              search domain components.

       renew_lifetime
              (duration  string.)   Sets  the  default  renewable  lifetime  for  initial  ticket
              requests.  The default value is 0.

       safe_checksum_type
              An integer which specifies the type of checksum to use for the  KRB-SAFE  requests.
              By  default  it  is  set  to  8 (RSA MD5 DES).  For compatibility with applications
              linked against DCE version 1.1 or earlier Kerberos libraries, use a value of  3  to
              use  the RSA MD4 DES instead.  This field is ignored when its value is incompatible
              with the session key type.  See the kdc_req_checksum_type configuration option  for
              the possible values and their meanings.

       spake_preauth_groups
              A  whitespace  or  comma-separated list of words which specifies the groups allowed
              for SPAKE preauthentication.  The possible values are:

                                ┌─────────────┬───────────────────────────────┐
                                │edwards25519 │ Edwards25519 curve (RFC 7748) │
                                ├─────────────┼───────────────────────────────┤
                                │P-256        │ NIST P-256 curve (RFC 5480)   │
                                ├─────────────┼───────────────────────────────┤
                                │P-384        │ NIST P-384 curve (RFC 5480)   │
                                ├─────────────┼───────────────────────────────┤
                                │P-521        │ NIST P-521 curve (RFC 5480)   │
                                └─────────────┴───────────────────────────────┘

              The default value for the client is edwards25519.  The default value for the KDC is
              empty.  New in release 1.17.

       ticket_lifetime
              (duration  string.)   Sets  the  default lifetime for initial ticket requests.  The
              default value is 1 day.

       udp_preference_limit
              When sending a message to the KDC, the library will try using TCP before UDP if the
              size  of the message is above udp_preference_limit.  If the message is smaller than
              udp_preference_limit, then UDP will be tried before TCP.  Regardless of  the  size,
              both protocols will be tried if the first attempt fails.

       verify_ap_req_nofail
              If  this  flag  is true, then an attempt to verify initial credentials will fail if
              the client machine does not have a keytab.  The default value is false.

   [realms]
       Each tag in the [realms] section of the file is the name of a Kerberos realm.   The  value
       of  the  tag  is a subsection with relations that define the properties of that particular
       realm.  For each realm, the following tags may be specified in the realm's subsection:

       admin_server
              Identifies the host where the administration server is running.  Typically, this is
              the master Kerberos server.  This tag must be given a value in order to communicate
              with the kadmind(8) server for the realm.

       auth_to_local
              This tag allows you to set a general rule for mapping principal names to local user
              names.   It will be used if there is not an explicit mapping for the principal name
              that is being translated. The possible values are:

              RULE:exp
                     The local name will be formulated from exp.

                     The  format  for  exp  is  [n:string](regexp)s/pattern/replacement/g.    The
                     integer  n  indicates  how many components the target principal should have.
                     If this matches, then a string will be formed from string, substituting  the
                     realm of the principal for $0 and the n'th component of the principal for $n
                     (e.g., if the principal was johndoe/admin then [2:$2$1foo] would  result  in
                     the string adminjohndoefoo).  If this string matches regexp, then the s//[g]
                     substitution command will be run over the string.  The optional g will cause
                     the substitution to be global over the string, instead of replacing only the
                     first match in the string.

              DEFAULT
                     The principal name will be used as the local user name.   If  the  principal
                     has more than one component or is not in the default realm, this rule is not
                     applicable and the conversion will fail.

              For example:

                 [realms]
                     ATHENA.MIT.EDU = {
                         auth_to_local = RULE:[2:$1](johndoe)s/^.*$/guest/
                         auth_to_local = RULE:[2:$1;$2](^.*;admin$)s/;admin$//
                         auth_to_local = RULE:[2:$2](^.*;root)s/^.*$/root/
                         auth_to_local = DEFAULT
                     }

              would result in any principal without root or admin as the second component  to  be
              translated  with  the  default  rule.  A principal with a second component of admin
              will become its first component.  root will be used  as  the  local  name  for  any
              principal  with  a  second component of root.  The exception to these two rules are
              any principals johndoe/*, which will always get the local name guest.

       auth_to_local_names
              This subsection allows you to set explicit mappings from principal names  to  local
              user  names.  The tag is the mapping name, and the value is the corresponding local
              user name.

       default_domain
              This tag specifies the domain used to expand hostnames when translating Kerberos  4
              service   principals  to  Kerberos  5  principals  (for  example,  when  converting
              rcmd.hostname to host/hostname.domain).

       disable_encrypted_timestamp
              If  this  flag  is  true,  the  client  will  not   perform   encrypted   timestamp
              preauthentication  if  requested by the KDC.  Setting this flag can help to prevent
              dictionary  attacks  by  active  attackers,  if  the  realm's  KDCs  support  SPAKE
              preauthentication  or  if  initial  authentication always uses another mechanism or
              always uses FAST.  This  flag  persists  across  client  referrals  during  initial
              authentication.   This  flag  does  not  prevent  the  KDC  from offering encrypted
              timestamp.  New in release 1.17.

       http_anchors
              When KDCs and kpasswd servers are accessed through HTTPS proxies, this tag  can  be
              used to specify the location of the CA certificate which should be trusted to issue
              the certificate for a proxy server.  If left unspecified, the  system-wide  default
              set of CA certificates is used.

              The syntax for values is similar to that of values for the pkinit_anchors tag:

              FILE: filename

              filename is assumed to be the name of an OpenSSL-style ca-bundle file.

              DIR: dirname

              dirname is assumed to be an directory which contains CA certificates.  All files in
              the directory will be examined; if they contain certificates (in PEM format),  they
              will be used.

              ENV: envvar

              envvar  specifies the name of an environment variable which has been set to a value
              conforming to one of the previous values.  For  example,  ENV:X509_PROXY_CA,  where
              environment variable X509_PROXY_CA has been set to FILE:/tmp/my_proxy.pem.

       kdc    The  name  or  address  of  a  host running a KDC for that realm.  An optional port
              number, separated from the hostname by a colon, may be included.  If  the  name  or
              address  contains  colons  (for  example,  if it is an IPv6 address), enclose it in
              square brackets to distinguish the colon from a port separator.  For your  computer
              to  be  able  to  communicate with the KDC for each realm, this tag must be given a
              value in each realm subsection in the configuration file, or there must be DNS  SRV
              records specifying the KDCs.

       kpasswd_server
              Points  to the server where all the password changes are performed.  If there is no
              such entry, DNS will be queried (unless  forbidden  by  dns_lookup_kdc).   Finally,
              port 464 on the admin_server host will be tried.

       master_kdc
              Identifies  the master KDC(s).  Currently, this tag is used in only one case: If an
              attempt to get credentials  fails  because  of  an  invalid  password,  the  client
              software  will  attempt  to contact the master KDC, in case the user's password has
              just been changed, and the updated database has not been propagated to the  replica
              servers yet.

       v4_instance_convert
              This   subsection   allows   the  administrator  to  configure  exceptions  to  the
              default_domain mapping rule.  It contains V4 instances (the tag name) which  should
              be  translated to some specific hostname (the tag value) as the second component in
              a Kerberos V5 principal name.

       v4_realm
              This relation is used by the krb524 library routines when converting a V5 principal
              name  to  a  V4 principal name.  It is used when the V4 realm name and the V5 realm
              name are not the same, but still share the same principal names and passwords.  The
              tag value is the Kerberos V4 realm name.

   [domain_realm]
       The  [domain_realm]  section  provides  a  translation from a domain name or hostname to a
       Kerberos realm name.  The tag name can be a host name or domain name, where  domain  names
       are  indicated  by  a  prefix  of a period (.).  The value of the relation is the Kerberos
       realm name for that particular host or domain.  A host name relation  implicitly  provides
       the  corresponding  domain  name  relation,  unless  an  explicit  domain name relation is
       provided.  The Kerberos realm may be identified either in the realms section or using  DNS
       SRV records.  Host names and domain names should be in lower case.  For example:

          [domain_realm]
              crash.mit.edu = TEST.ATHENA.MIT.EDU
              .dev.mit.edu = TEST.ATHENA.MIT.EDU
              mit.edu = ATHENA.MIT.EDU

       maps  the host with the name crash.mit.edu into the TEST.ATHENA.MIT.EDU realm.  The second
       entry maps all hosts under the domain dev.mit.edu into the TEST.ATHENA.MIT.EDU realm,  but
       not  the  host  with the name dev.mit.edu.  That host is matched by the third entry, which
       maps the host mit.edu and all hosts under the domain mit.edu that do not match a preceding
       rule into the realm ATHENA.MIT.EDU.

       If  no  translation entry applies to a hostname used for a service principal for a service
       ticket request, the library will try to get a referral to the appropriate realm  from  the
       client  realm's  KDC.   If that does not succeed, the host's realm is considered to be the
       hostname's domain portion converted to uppercase, unless the realm_try_domains setting  in
       [libdefaults] causes a different parent domain to be used.

   [capaths]
       In order to perform direct (non-hierarchical) cross-realm authentication, configuration is
       needed to determine the authentication paths between realms.

       A client will use this section to find the authentication path between its realm  and  the
       realm  of  the server.  The server will use this section to verify the authentication path
       used by the client, by checking the transited field of the received ticket.

       There is a tag for each participating client realm, and each tag has subtags for  each  of
       the  server  realms.   The  value  of  the  subtags  is  an  intermediate  realm which may
       participate in the cross-realm authentication.  The subtags may be repeated  if  there  is
       more  then  one  intermediate  realm.  A value of "." means that the two realms share keys
       directly, and no intermediate realms should be allowed to participate.

       Only those entries which will be needed on the client or the server need to be present.  A
       client  needs a tag for its local realm with subtags for all the realms of servers it will
       need to authenticate to.  A server needs a tag for each  realm  of  the  clients  it  will
       serve, with a subtag of the server realm.

       For  example,  ANL.GOV,  PNL.GOV,  and  NERSC.GOV  all  wish to use the ES.NET realm as an
       intermediate realm.  ANL has a sub realm of  TEST.ANL.GOV  which  will  authenticate  with
       NERSC.GOV  but  not  PNL.GOV.   The  [capaths] section for ANL.GOV systems would look like
       this:

          [capaths]
              ANL.GOV = {
                  TEST.ANL.GOV = .
                  PNL.GOV = ES.NET
                  NERSC.GOV = ES.NET
                  ES.NET = .
              }
              TEST.ANL.GOV = {
                  ANL.GOV = .
              }
              PNL.GOV = {
                  ANL.GOV = ES.NET
              }
              NERSC.GOV = {
                  ANL.GOV = ES.NET
              }
              ES.NET = {
                  ANL.GOV = .
              }

       The [capaths] section of the configuration file used on NERSC.GOV systems would look  like
       this:

          [capaths]
              NERSC.GOV = {
                  ANL.GOV = ES.NET
                  TEST.ANL.GOV = ES.NET
                  TEST.ANL.GOV = ANL.GOV
                  PNL.GOV = ES.NET
                  ES.NET = .
              }
              ANL.GOV = {
                  NERSC.GOV = ES.NET
              }
              PNL.GOV = {
                  NERSC.GOV = ES.NET
              }
              ES.NET = {
                  NERSC.GOV = .
              }
              TEST.ANL.GOV = {
                  NERSC.GOV = ANL.GOV
                  NERSC.GOV = ES.NET
              }

       When a subtag is used more than once within a tag, clients will use the order of values to
       determine the path.  The order of values is not important to servers.

   [appdefaults]
       Each tag in the [appdefaults] section names a Kerberos V5 application or an option that is
       used  by  some  Kerberos  V5  application[s].   The  value  of the tag defines the default
       behaviors for that application.

       For example:

          [appdefaults]
              telnet = {
                  ATHENA.MIT.EDU = {
                      option1 = false
                  }
              }
              telnet = {
                  option1 = true
                  option2 = true
              }
              ATHENA.MIT.EDU = {
                  option2 = false
              }
              option2 = true

       The above four ways of specifying the value of an option are shown in order of  decreasing
       precedence.  In this example, if telnet is running in the realm EXAMPLE.COM, it should, by
       default, have option1 and option2 set to true.  However, a telnet  program  in  the  realm
       ATHENA.MIT.EDU  should  have  option1  set  to  false  and option2 set to true.  Any other
       programs in ATHENA.MIT.EDU should have option2 set to  false  by  default.   Any  programs
       running in other realms should have option2 set to true.

       The  list  of  specifiable options for each application may be found in that application's
       man pages.  The application defaults specified here are overridden by those  specified  in
       the realms section.

   [plugins]
          · pwqual interface

          · kadm5_hook interface

          · clpreauth and kdcpreauth interfaces

       Tags  in  the [plugins] section can be used to register dynamic plugin modules and to turn
       modules on and off.  Not every krb5 pluggable interface uses the  [plugins]  section;  the
       ones that do are documented here.

       New in release 1.9.

       Each  pluggable  interface  corresponds  to  a  subsection  of [plugins].  All subsections
       support the same tags:

       disable
              This tag may have multiple values. If there are values for this tag, then the named
              modules will be disabled for the pluggable interface.

       enable_only
              This  tag may have multiple values. If there are values for this tag, then only the
              named modules will be enabled for the pluggable interface.

       module This  tag  may  have  multiple  values.   Each  value  is  a  string  of  the  form
              modulename:pathname,  which  causes  the  shared  object  located at pathname to be
              registered as a dynamic module named modulename for the  pluggable  interface.   If
              pathname  is  not  an  absolute  path,  it  will  be  treated  as  relative  to the
              plugin_base_dir value from [libdefaults].

       For pluggable interfaces where module order matters, modules registered with a module  tag
       normally come first, in the order they are registered, followed by built-in modules in the
       order they are documented below.  If enable_only tags are used, then the  order  of  those
       tags overrides the normal module order.

       The following subsections are currently supported within the [plugins] section:

   ccselect interface
       The  ccselect  subsection  controls  modules for credential cache selection within a cache
       collection.  In addition to any registered dynamic modules, the following built-in modules
       exist (and may be disabled with the disable tag):

       k5identity
              Uses a .k5identity file in the user's home directory to select a client principal

       realm  Uses the service realm to guess an appropriate cache from the collection

       hostname
              If  the  service  principal  is  host-based,  uses the service hostname to guess an
              appropriate cache from the collection

   pwqual interface
       The pwqual subsection controls modules for the password quality interface, which  is  used
       to reject weak passwords when passwords are changed.  The following built-in modules exist
       for this interface:

       dict   Checks against the realm dictionary file

       empty  Rejects empty passwords

       hesiod Checks against user information stored in Hesiod (only if Kerberos was  built  with
              Hesiod support)

       princ  Checks against components of the principal name

   kadm5_hook interface
       The  kadm5_hook  interface  provides  plugins  with  information  on  principal  creation,
       modification, password changes and deletion.  This interface can be used to write a plugin
       to  synchronize  MIT  Kerberos with another database such as Active Directory.  No plugins
       are built in for this interface.

   kadm5_auth interface
       The kadm5_auth section (introduced in  release  1.16)  controls  modules  for  the  kadmin
       authorization interface, which determines whether a client principal is allowed to perform
       a kadmin operation.  The following built-in modules exist for this interface:

       acl    This module reads the  kadm5.acl(5)  file,  and  authorizes  operations  which  are
              allowed according to the rules in the file.

       self   This module authorizes self-service operations including password changes, creation
              of new random keys, fetching the client's principal record  or  string  attributes,
              and fetching the policy record associated with the client principal.

   clpreauth and kdcpreauth interfaces
       The  clpreauth  and  kdcpreauth  interfaces allow plugin modules to provide client and KDC
       preauthentication mechanisms.  The following built-in modules exist for these interfaces:

       pkinit This module implements the PKINIT preauthentication mechanism.

       encrypted_challenge
              This module implements the encrypted challenge FAST factor.

       encrypted_timestamp
              This module implements the encrypted timestamp mechanism.

   hostrealm interface
       The hostrealm section (introduced in release 1.12) controls modules for the  host-to-realm
       interface,  which  affects the local mapping of hostnames to realm names and the choice of
       default realm.  The following built-in modules exist for this interface:

       profile
              This module consults the [domain_realm] section of the  profile  for  authoritative
              host-to-realm mappings, and the default_realm variable for the default realm.

       dns    This  module  looks  for  DNS  records  for fallback host-to-realm mappings and the
              default realm.  It only operates if the dns_lookup_realm variable is set to true.

       domain This module applies heuristics for fallback host-to-realm mappings.  It  implements
              the  realm_try_domains  variable,  and  uses  the  uppercased  parent domain of the
              hostname if that does not produce a result.

   localauth interface
       The localauth section  (introduced  in  release  1.12)  controls  modules  for  the  local
       authorization  interface,  which  affects the relationship between Kerberos principals and
       local system accounts.  The following built-in modules exist for this interface:

       default
              This module implements the DEFAULT type for auth_to_local values.

       rule   This module implements the RULE type for auth_to_local values.

       names  This module looks for an auth_to_local_names mapping for the principal name.

       auth_to_local
              This module processes auth_to_local values in  the  default  realm's  section,  and
              applies the default method if no auth_to_local values exist.

       k5login
              This  module  authorizes  a principal to a local account according to the account's
              .k5login(5) file.

       an2ln  This module authorizes a principal to a local account if the principal name maps to
              the local account name.

   certauth interface
       The  certauth  section  (introduced  in release 1.16) controls modules for the certificate
       authorization  interface,  which  determines  whether  a   certificate   is   allowed   to
       preauthenticate  a  user  via  PKINIT.   The  following  built-in  modules  exist for this
       interface:

       pkinit_san
              This module authorizes the certificate if it contains a PKINIT Subject  Alternative
              Name  for  the  requested  client  principal,  or  a Microsoft UPN SAN matching the
              principal if pkinit_allow_upn is set to true for the realm.

       pkinit_eku
              This module rejects the certificate if it does not contain an  Extended  Key  Usage
              attribute consistent with the pkinit_eku_checking value for the realm.

       dbmatch
              This  module  authorizes or rejects the certificate according to whether it matches
              the pkinit_cert_match string attribute on the client principal, if  that  attribute
              is present.

PKINIT OPTIONS

       NOTE:
          The   following  are  PKINIT-specific  options.   These  values  may  be  specified  in
          [libdefaults]  as  global  defaults,  or  within   a   realm-specific   subsection   of
          [libdefaults], or may be specified as realm-specific values in the [realms] section.  A
          realm-specific value overrides, not adds to,  a  generic  [libdefaults]  specification.
          The search order is:

       1. realm-specific subsection of [libdefaults]:

             [libdefaults]
                 EXAMPLE.COM = {
                     pkinit_anchors = FILE:/usr/local/example.com.crt
                 }

       2. realm-specific value in the [realms] section:

             [realms]
                 OTHERREALM.ORG = {
                     pkinit_anchors = FILE:/usr/local/otherrealm.org.crt
                 }

       3. generic value in the [libdefaults] section:

             [libdefaults]
                 pkinit_anchors = DIR:/usr/local/generic_trusted_cas/

   Specifying PKINIT identity information
       The  syntax  for  specifying  Public  Key  identity, trust, and revocation information for
       PKINIT is as follows:

       FILE:filename[,keyfilename]
              This option has context-specific behavior.

              In  pkinit_identity  or  pkinit_identities,  filename  specifies  the  name  of   a
              PEM-format   file  containing  the  user's  certificate.   If  keyfilename  is  not
              specified, the  user's  private  key  is  expected  to  be  in  filename  as  well.
              Otherwise, keyfilename is the name of the file containing the private key.

              In  pkinit_anchors  or  pkinit_pool,  filename  is  assumed  to  be  the name of an
              OpenSSL-style ca-bundle file.

       DIR:dirname
              This option has context-specific behavior.

              In pkinit_identity or pkinit_identities, dirname specifies a directory  with  files
              named  *.crt  and  *.key  where  the  first  part  of the file name is the same for
              matching pairs of certificate and private key files.   When  a  file  with  a  name
              ending  with  .crt is found, a matching file ending with .key is assumed to contain
              the private key.  If no such file is found, then the certificate in the .crt is not
              used.

              In  pkinit_anchors or pkinit_pool, dirname is assumed to be an OpenSSL-style hashed
              CA directory where each CA cert is stored in a file named hash-of-ca-cert.#.   This
              infrastructure  is  encouraged, but all files in the directory will be examined and
              if they contain certificates (in PEM format), they will be used.

              In pkinit_revoke, dirname is assumed to be an  OpenSSL-style  hashed  CA  directory
              where  each  revocation  list  is  stored in a file named hash-of-ca-cert.r#.  This
              infrastructure is encouraged, but all files in the directory will be  examined  and
              if they contain a revocation list (in PEM format), they will be used.

       PKCS12:filename
              filename  is  the name of a PKCS #12 format file, containing the user's certificate
              and private key.

       PKCS11:[module_name=]modname[:slotid=slot-id][:token=token-label][:certid=cert-id][:certlabel=cert-label]
              All  keyword/values  are  optional.   modname  specifies  the location of a library
              implementing PKCS #11.  If a value is encountered with no keyword, it is assumed to
              be  the  modname.  If no module-name is specified, the default is opensc-pkcs11.so.
              slotid= and/or token= may be specified to force the use of a particular smard  card
              reader or token if there is more than one available.  certid= and/or certlabel= may
              be specified to force the selection of a particular certificate on the device.  See
              the  pkinit_cert_match  configuration  option  for more ways to select a particular
              certificate to use for PKINIT.

       ENV:envvar
              envvar specifies the name of an environment variable which has been set to a  value
              conforming  to  one  of  the  previous  values.  For example, ENV:X509_PROXY, where
              environment variable X509_PROXY has been set to FILE:/tmp/my_proxy.pem.

   PKINIT krb5.conf options
       pkinit_anchors
              Specifies the location of trusted  anchor  (root)  certificates  which  the  client
              trusts  to  sign  KDC  certificates.   This option may be specified multiple times.
              These values from the config file are not used if the user  specifies  X509_anchors
              on the command line.

       pkinit_cert_match
              Specifies  matching  rules that the client certificate must match before it is used
              to attempt PKINIT authentication.  If a user has  multiple  certificates  available
              (on a smart card, or via other media), there must be exactly one certificate chosen
              before attempting PKINIT authentication.  This option  may  be  specified  multiple
              times.  All the available certificates are checked against each rule in order until
              there is a match of exactly one certificate.

              The Subject and Issuer comparison strings are the RFC 2253  string  representations
              from the certificate Subject DN and Issuer DN values.

              The syntax of the matching rules is:
                 [relation-operator]component-rule ...

              where:

              relation-operator
                     can  be  either  &&,  meaning all component rules must match, or ||, meaning
                     only one component rule must match.  The default is &&.

              component-rule
                     can be one  of  the  following.   Note  that  there  is  no  punctuation  or
                     whitespace between component rules.
                        <SUBJECT>regular-expression
                        <ISSUER>regular-expression
                        <SAN>regular-expression
                        <EKU>extended-key-usage-list
                        <KU>key-usage-list

                     extended-key-usage-list  is  a comma-separated list of required Extended Key
                     Usage values.  All values in the list must be present  in  the  certificate.
                     Extended Key Usage values can be:

                     · pkinit

                     · msScLogin

                     · clientAuth

                     · emailProtection

                     key-usage-list  is a comma-separated list of required Key Usage values.  All
                     values in the list must be present in the certificate.  Key Usage values can
                     be:

                     · digitalSignature

                     · keyEncipherment

              Examples:

                 pkinit_cert_match = ||<SUBJECT>.*DoE.*<SAN>.*@EXAMPLE.COM
                 pkinit_cert_match = &&<EKU>msScLogin,clientAuth<ISSUER>.*DoE.*
                 pkinit_cert_match = <EKU>msScLogin,clientAuth<KU>digitalSignature

       pkinit_eku_checking
              This  option  specifies what Extended Key Usage value the KDC certificate presented
              to the client must contain.  (Note that if  the  KDC  certificate  has  the  pkinit
              SubjectAlternativeName  encoded  as  the  Kerberos  TGS  name,  EKU checking is not
              necessary since the issuing CA has certified  this  as  a  KDC  certificate.)   The
              values recognized in the krb5.conf file are:

              kpKDC  This  is  the  default  value  and  specifies  that  the  KDC  must have the
                     id-pkinit-KPKdc EKU as defined in RFC 4556.

              kpServerAuth
                     If kpServerAuth is specified, a KDC certificate  with  the  id-kp-serverAuth
                     EKU  will  be  accepted.   This key usage value is used in most commercially
                     issued server certificates.

              none   If none is specified, then the KDC certificate will not be checked to verify
                     it has an acceptable EKU.  The use of this option is not recommended.

       pkinit_dh_min_bits
              Specifies  the  size of the Diffie-Hellman key the client will attempt to use.  The
              acceptable values are 1024, 2048, and 4096.  The default is 2048.

       pkinit_identities
              Specifies the location(s) to be used to find the user's X.509 identity information.
              If this option is specified multiple times, the first valid value is used; this can
              be used to specify an environment variable (with ENV:envvar) followed by a  default
              value.    Note   that   these   values   are   not   used  if  the  user  specifies
              X509_user_identity on the command line.

       pkinit_kdc_hostname
              The presense of this option indicates that the client is willing to  accept  a  KDC
              certificate with a dNSName SAN (Subject Alternative Name) rather than requiring the
              id-pkinit-san as defined in RFC 4556.  This option may be specified multiple times.
              Its  value  should contain the acceptable hostname for the KDC (as contained in its
              certificate).

       pkinit_pool
              Specifies the location of intermediate certificates which may be used by the client
              to  complete  the trust chain between a KDC certificate and a trusted anchor.  This
              option may be specified multiple times.

       pkinit_require_crl_checking
              The default certificate  verification  process  will  always  check  the  available
              revocation  information  to  see  if a certificate has been revoked.  If a match is
              found for the certificate in a CRL, verification fails.  If the  certificate  being
              verified is not listed in a CRL, or there is no CRL present for its issuing CA, and
              pkinit_require_crl_checking is false, then verification succeeds.

              However, if pkinit_require_crl_checking is true and there  is  no  CRL  information
              available for the issuing CA, then verification fails.

              pkinit_require_crl_checking  should  be  set  to  true  if  the policy is such that
              up-to-date CRLs must be present for every CA.

       pkinit_revoke
              Specifies the location of Certificate Revocation List (CRL) information to be  used
              by  the  client when verifying the validity of the KDC certificate presented.  This
              option may be specified multiple times.

PARAMETER EXPANSION

       Starting  with  release  1.11,  several  variables,  such  as  default_keytab_name,  allow
       parameters to be expanded.  Valid parameters are:

                          ┌──────────────────┬──────────────────────────────────┐
                          │%{TEMP}           │ Temporary directory              │
                          ├──────────────────┼──────────────────────────────────┤
                          │%{uid}            │ Unix real UID or Windows SID     │
                          ├──────────────────┼──────────────────────────────────┤
                          │%{euid}           │ Unix   effective   user   ID  or │
                          │                  │ Windows SID                      │
                          ├──────────────────┼──────────────────────────────────┤
                          │%{USERID}         │ Same as %{uid}                   │
                          ├──────────────────┼──────────────────────────────────┤
                          │%{null}           │ Empty string                     │
                          ├──────────────────┼──────────────────────────────────┤
                          │%{LIBDIR}         │ Installation library directory   │
                          ├──────────────────┼──────────────────────────────────┤
                          │%{BINDIR}         │ Installation binary directory    │
                          ├──────────────────┼──────────────────────────────────┤
                          │%{SBINDIR}        │ Installation    admin     binary │
                          │                  │ directory                        │
                          └──────────────────┴──────────────────────────────────┘

                          │%{username}       │ (Unix)   Username  of  effective │
                          │                  │ user ID                          │
                          ├──────────────────┼──────────────────────────────────┤
                          │%{APPDATA}        │ (Windows)  Roaming   application │
                          │                  │ data for current user            │
                          ├──────────────────┼──────────────────────────────────┤
                          │%{COMMON_APPDATA} │ (Windows)  Application  data for │
                          │                  │ all users                        │
                          ├──────────────────┼──────────────────────────────────┤
                          │%{LOCAL_APPDATA}  │ (Windows) Local application data │
                          │                  │ for current user                 │
                          ├──────────────────┼──────────────────────────────────┤
                          │%{SYSTEM}         │ (Windows) Windows system folder  │
                          ├──────────────────┼──────────────────────────────────┤
                          │%{WINDOWS}        │ (Windows) Windows folder         │
                          ├──────────────────┼──────────────────────────────────┤
                          │%{USERCONFIG}     │ (Windows)   Per-user   MIT  krb5 │
                          │                  │ config file directory            │
                          ├──────────────────┼──────────────────────────────────┤
                          │%{COMMONCONFIG}   │ (Windows) Common MIT krb5 config │
                          │                  │ file directory                   │
                          └──────────────────┴──────────────────────────────────┘

SAMPLE KRB5.CONF FILE

       Here is an example of a generic krb5.conf file:

          [libdefaults]
              default_realm = ATHENA.MIT.EDU
              dns_lookup_kdc = true
              dns_lookup_realm = false

          [realms]
              ATHENA.MIT.EDU = {
                  kdc = kerberos.mit.edu
                  kdc = kerberos-1.mit.edu
                  kdc = kerberos-2.mit.edu
                  admin_server = kerberos.mit.edu
                  master_kdc = kerberos.mit.edu
              }
              EXAMPLE.COM = {
                  kdc = kerberos.example.com
                  kdc = kerberos-1.example.com
                  admin_server = kerberos.example.com
              }

          [domain_realm]
              mit.edu = ATHENA.MIT.EDU

          [capaths]
              ATHENA.MIT.EDU = {
                     EXAMPLE.COM = .
              }
              EXAMPLE.COM = {
                     ATHENA.MIT.EDU = .
              }

FILES

       /etc/krb5.conf

SEE ALSO

       syslog(3)

AUTHOR

       MIT

COPYRIGHT

       1985-2019, MIT