Provided by: krb5-doc_1.10.1+dfsg-2_all bug

NAME

       krb5.conf - Kerberos configuration file

DESCRIPTION

       krb5.conf  contains configuration information needed by the Kerberos V5
       library.  This includes information  describing  the  default  Kerberos
       realm,  and  the  location of the Kerberos key distribution centers for
       known realms.

       The krb5.conf file uses an INI-style format.  Sections are delimited by
       square  braces; within each section, there are relations where tags can
       be  assigned  to  have  specific  values.   Tags  can  also  contain  a
       subsection, which contains further relations or subsections.  A tag can
       be assigned to multiple values.  Here is an example  of  the  INI-style
       format used by krb5.conf:

                 [section1]
                      tag1 = value_a
                      tag1 = value_b
                      tag2 = value_c

                 [section 2]
                      tag3 = {
                           subtag1 = subtag_value_a
                           subtag1 = subtag_value_b
                           subtag2 = subtag_value_c
                      }
                      tag4 = {
                           subtag1 = subtag_value_d
                           subtag2 = subtag_value_e
                      }

       krb5.conf  can  include  other  files  using  the  directives  "include
       FILENAME" or "includedir DIRNAME", which must occur at the beginning of
       a  line.   FILENAME  or  DIRNAME should be an absolute path.  The named
       file or directory must exist and be readable.   Including  a  directory
       includes  all  files within the directory whose names consist solely of
       alphanumeric characters,  dashes,  or  underscores.   Included  profile
       files  are syntactically independent of their parents, so each included
       file must begin with a section header.

       krb5.conf can cause  configuration  to  be  obtained  from  a  loadable
       profile module by placing the directive "module MODULEPATH:RESIDUAL" at
       the beginning of a line before any section headers.  MODULEPATH may  be
       relative  to the library path of the krb5 installation, or it may be an
       absolute path.  RESIDUAL is provided to the  module  at  initialization
       time.   If  krb5.conf uses a module directive, kdc.conf should also use
       one if it exists.

       The following sections are currently used in the krb5.conf file:

       [libdefaults]
              Contains various default values used by the Kerberos V5 library.

       [login]
              Contains default values used by the Kerberos V5  login  program,
              login.krb5(8).

       [appdefaults]
              Contains  default  values  that  can  be  used  by  Kerberos  V5
              applications.

       [realms]
              Contains  subsections  keyed  by  Kerberos  realm  names   which
              describe  where  to  find  the Kerberos servers for a particular
              realm, and other realm-specific information.

       [domain_realm]
              Contains relations which map  subdomains  and  domain  names  to
              Kerberos  realm  names.   This  is used by programs to determine
              what realm a host should be in, given its fully qualified domain
              name.

       [logging]
              Contains  relations which determine how Kerberos entities are to
              perform their logging.

       [capaths]
              Contains the authentication  paths  used  with  non-hierarchical
              cross-realm.  Entries  in  the section are used by the client to
              determine the intermediate realms which may be  used  in  cross-
              realm  authentication.  It  is also used by the end-service when
              checking the transited field for trusted intermediate realms.

       [dbdefaults]
              Contains default values for database specific parameters.

       [dbmodules]
              Contains database  specific  parameters  used  by  the  database
              library.

       [plugins]
              Contains plugin module registration and filtering parameters.

       Each of these sections will be covered in more details in the following
       sections.

LIBDEFAULTS SECTION

       The following relations are defined in the [libdefaults] section:

       default_keytab_name
              This relation specifies the default keytab name to  be  used  by
              application  severs such as telnetd and rlogind.  The default is
              "/etc/krb5.keytab".  This formerly defaulted to "/etc/v5srvtab",
              but was changed to the current value.

       default_realm
              This  relation  identifies  the  default  realm  to be used in a
              client host's Kerberos activity.

       default_tgs_enctypes
              This relation identifies  the  supported  list  of  session  key
              encryption  types  that  should be returned by the KDC. The list
              may be delimited with commas or whitespace.

       default_tkt_enctypes
              This relation identifies  the  supported  list  of  session  key
              encryption  types that should be requested by the client, in the
              same format.

       permitted_enctypes
              This relation identifies  the  permitted  list  of  session  key
              encryption types.

       allow_weak_crypto
              If this is set to 0 (for false), then weak encryption types will
              be filtered out of the previous three lists.  The default  value
              for  this  tag is false, which may cause authentication failures
              in existing Kerberos infrastructures that do not support  strong
              crypto.   Users  in affected environments should set this tag to
              true until their infrastructure adopts stronger ciphers.

       clockskew
              This relation sets the maximum allowable amount of clockskew  in
              seconds  that  the  library will tolerate before assuming that a
              Kerberos message is invalid.  The default value is 300  seconds,
              or five minutes.

       ignore_acceptor_hostname
              When  accepting  GSSAPI or krb5 security contexts for host-based
              service principals, ignore any hostname passed  by  the  calling
              application  and  allow  any  service  principal  present in the
              keytab which matches the service name and realm name (if given).
              This option can improve the administrative flexibility of server
              applications  on  multi-homed  hosts,  but  can  compromise  the
              security  of virtual hosting environments.  The default value is
              false.

       k5login_authoritative
              If the value of this relation is true (the default),  principals
              must  be  listed  in  a  local user's k5login file to be granted
              login access, if a k5login file exists.  If the  value  of  this
              relation is false, a principal may still be granted login access
              through other mechanisms even if a k5login file exists but  does
              not list the principal.

       k5login_directory
              If  set,  the  library will look for a local user's k5login file
              within the named directory, with a filename corresponding to the
              local  username.   If not set, the library will look for k5login
              files in the user's home directory, with the filename  .k5login.
              For  security  reasons, k5login files must be owned by the local
              user or by root.

       kdc_timesync
              If the value of this relation is  non-zero  (the  default),  the
              library will compute the difference between the system clock and
              the time returned by the KDC and in  order  to  correct  for  an
              inaccurate system clock.  This corrective factor is only used by
              the Kerberos library.

       kdc_req_checksum_type
              For compatibility with DCE security servers which do not support
              the  default CKSUMTYPE_RSA_MD5 used by this version of Kerberos.
              Use a value of 2 to  use  the  CKSUMTYPE_RSA_MD4  instead.  This
              applies to DCE 1.1 and earlier.  This value is only used for DES
              keys; other keys use the preferred checksum type for those keys.

       ap_req_checksum_type
              If set  this variable  controls what  ap-req  checksum  will  be
              used  in   authenticators.  This variable should be unset so the
              appropriate checksum for the encryption key in use will be used.
              This  can  be  set if backward compatibility requires a specific
              checksum type.

       safe_checksum_type
              This allows you to set the preferred keyed-checksum type for use
              in  KRB_SAFE  messages.   The  default  value  for  this type is
              CKSUMTYPE_RSA_MD5_DES.   For  compatibility  with   applications
              linked  against  DCE  version 1.1 or earlier Kerberos libraries,
              use a value of 3 to use the CKSUMTYPE_RSA_MD4_DES instead.  This
              field is ignored when its value is incompatible with the session
              key type.

       preferred_preauth_types
              This allows you to set  the  preferred  preauthentication  types
              which  the  client  will  attempt  before  others  which  may be
              advertised by a KDC.  The default value for this setting is "17,
              16, 15, 14", which forces libkrb5 to attempt to use PKINIT if it
              is supported.

       ccache_type
              User this parameter on systems which are DCE clients, to specify
              the  type  of  cache  to  be created by kinit, or when forwarded
              tickets are received. DCE and Kerberos can share the cache,  but
              some versions of DCE do not support the default cache as created
              by this version of Kerberos. Use a value  of  1  on  DCE  1.0.3a
              systems, and a value of 2 on DCE 1.1 systems.

       dns_lookup_kdc
              Indicate  whether  DNS  SRV records should be used to locate the
              KDCs and other servers for a realm, if they are  not  listed  in
              the  information  for  the  realm.   The default is to use these
              records.

       dns_lookup_realm
              Indicate whether DNS TXT records should be used to determine the
              Kerberos  realm  of  a  host.   The  default is not to use these
              records.

       dns_fallback
              General  flag  controlling  the  use   of   DNS   for   Kerberos
              information.   If  both  of the preceding options are specified,
              this option has no effect.

       realm_try_domains
              Indicate whether a host's domain components should  be  used  to
              determine  the  Kerberos  realm  of the host.  The value of this
              variable is an integer: -1 means not to search, 0 means  to  try
              the  host's  domain  itself,  1  means  to also try the domain's
              immediate parent, and so forth.  The library's  usual  mechanism
              for  locating  Kerberos  realms  is  used to determine whether a
              domain is a valid realm--which may  involve  consulting  DNS  if
              dns_lookup_kdc  is  set.   The  default  is not to search domain
              components.

       extra_addresses
              This allows a computer to use multiple local addresses, in order
              to  allow  Kerberos  to  work  in a network that uses NATs.  The
              addresses should be in a comma-separated list.

       udp_preference_limit
              When sending a message to the KDC, the library  will  try  using
              TCP   before   UDP   if   the  size  of  the  message  is  above
              "udp_preference_limit".   If  the  message   is   smaller   than
              "udp_preference_limit",  then  UDP  will  be  tried  before TCP.
              Regardless of the size, both protocols  will  be  tried  if  the
              first attempt fails.

       verify_ap_req_nofail
              If  this flag is set, then an attempt to get initial credentials
              will fail if the client machine does not  have  a  keytab.   The
              default for the flag is false.

       ticket_lifetime
              The  value  of  this  tag  is  the  default lifetime for initial
              tickets.  The default value for the tag is 1 day (1d).

       renew_lifetime
              The value of this tag is  the  default  renewable  lifetime  for
              initial tickets.  The default value for the tag is 0.

       noaddresses
              Setting  this  flag  causes  the  initial  Kerberos ticket to be
              addressless.  The default for the flag is true.

       forwardable
              If this  flag  is  set,  initial  tickets  by  default  will  be
              forwardable.  The default value for this flag is false.

       proxiable
              If  this  flag  is  set,  initial  tickets  by  default  will be
              proxiable.  The default value for this flag is false.

       rdns   If set to false, prevent the use of reverse DNS resolution  when
              translating hostnames into service principal names.  Defaults to
              true.  Setting this flag to false is more secure, but may  force
              users  to  exclusively  use  fully  qualified  domain names when
              authenticating to services.

       plugin_base_dir
              If set, determines the base directory  where  krb5  plugins  are
              located.   The  default value is the "krb5/plugins" subdirectory
              of the krb5 library directory.

APPDEFAULTS SECTION

       Each tag in the [appdefaults] section names a Kerberos  V5  application
       or an option that is used by some Kerberos V5 application[s].  The four
       ways that you can set values for options are as follows, in  decreasing
       order of precedence:

                 #1)
                      application = {
                           realm1 = {
                                option = value
                           }
                           realm2 = {
                                option = value
                           }
                      }
                 #2)
                      application = {
                           option1 = value
                           option2 = value
                      }
                 #3)
                      realm = {
                           option = value
                      }
                 #4)
                      option = value

LOGIN SECTION

       The  [login]  section is used to configure the behavior of the Kerberos
       V5 login  program,  login.krb5(8).   Refer  to  the  manual  entry  for
       login.krb5 for a description of the relations allowed in this section.

REALMS SECTION

       Each  tag  in  the [realms] section of the file names a Kerberos realm.
       The value of the tag is  a  subsection  where  the  relations  in  that
       subsection  define  the  properties  of  that  particular  realm.   For
       example:

                 [realms]
                      ATHENA.MIT.EDU = {
                           admin_server = KERBEROS.MIT.EDU
                           default_domain = MIT.EDU
                           database_module = ldapconf
                           v4_instance_convert = {
                                mit = mit.edu
                                lithium = lithium.lcs.mit.edu
                           }
                           v4_realm = LCS.MIT.EDU
                      }

       For each realm, the following tags may  be  specified  in  the  realm's
       subsection:

       kdc    The  value  of this relation is the name of a host running a KDC
              for that realm.  An optional port number (preceded by  a  colon)
              may  be  appended to the hostname.  This tag should generally be
              used  only  if  the  realm  administrator  has  not   made   the
              information available through DNS.

       admin_server
              This  relation  identifies  the  host  where  the administration
              server is  running.   Typically  this  is  the  Master  Kerberos
              server.

       database_module
              This  relation  indicates  the name of the configuration section
              under dbmodules for database specific  parameters  used  by  the
              loadable database library.

       default_domain
              This  relation  identifies the default domain for which hosts in
              this realm are assumed to be in.  This is needed for translating
              V4  principal  names  (which do not contain a domain name) to V5
              principal names (which do).

       v4_instance_convert
              This subsection allows the administrator to configure exceptions
              to  the  default_domain  mapping rule.  It contains V4 instances
              (the tag name) which  should  be  translated  to  some  specific
              hostname  (the  tag value) as the second component in a Kerberos
              V5 principal name.

       v4_realm
              This relation is  used  by  the  krb524  library  routines  when
              converting  a  V5  principal  name to a V4 principal name. It is
              used when V4 realm name and the V5 realm are not the  same,  but
              still  share  the  same  principal  names and passwords. The tag
              value is the Kerberos V4 realm name.

       auth_to_local_names
              This  subsection  allows  you  to  set  explicit  mappings  from
              principal  names  to  local  user names.  The tag is the mapping
              name, and the value is the corresponding local user name.

       auth_to_local
              This tag allows you to set a general rule for mapping  principal
              names  to  local user names.  It will be used if there is not an
              explicit  mapping  for  the  principal  name   that   is   being
              translated.  The possible values are:

                   DB:<filename>
                        The  principal  will  be  looked  up  in  the database
                        <filename>.   Support  for  this  is   not   currently
                        compiled in by default.
                   RULE:<exp>
                        The local name will be formulated from <exp>.
                   DEFAULT
                        The principal name will be used as the local name.  If
                        the principal has more than one component or is not in
                        the default realm, this rule is not applicable and the
                        conversion will fail.

DOMAIN_REALM SECTION

       The [domain_realm] section provides a translation from  a  hostname  to
       the Kerberos realm name for the services provided by that host.

       The  tag  name  can be a hostname, or a domain name, where domain names
       are indicated by a prefix of a period ('.') character.   The  value  of
       the  relation  is  the  Kerberos realm name for that particular host or
       domain.  Host names and domain names should be in lower case.

       If no translation entry applies, the host's realm is considered  to  be
       the  hostname's  domain  portion converted to upper case.  For example,
       the following [domain_realm] section:

                 [domain_realm]
                      .mit.edu = ATHENA.MIT.EDU
                      mit.edu = ATHENA.MIT.EDU
                      dodo.mit.edu = SMS_TEST.MIT.EDU
                      .ucsc.edu = CATS.UCSC.EDU

       maps dodo.mit.edu into the SMS_TEST.MIT.EDU realm, all other  hosts  in
       the  MIT.EDU  domain  to the ATHENA.MIT.EDU realm, and all hosts in the
       UCSC.EDU domain  into  the  CATS.UCSC.EDU  realm.   ucbvax.berkeley.edu
       would  be  mapped by the default rules to the BERKELEY.EDU realm, while
       sage.lcs.mit.edu would be mapped to the LCS.MIT.EDU realm.

LOGGING SECTION

       The [logging] section indicates how a particular entity is  to  perform
       its  logging.   The  relations  specified in this section assign one or
       more values to the entity name.

       Currently, the following entities are used:

       kdc    These entries specify how the KDC is to perform its logging.

       admin_server
              These entries  specify  how  the  administrative  server  is  to
              perform its logging.

       default
              These  entries  specify how to perform logging in the absence of
              explicit specifications otherwise.

       Values are of the following forms:

       FILE=<filename>

       FILE:<filename>
              This value causes the entity's logging messages  to  go  to  the
              specified  file.   If  the  =  form  is  used,  then the file is
              overwritten.  Otherwise, the file is appended to.

       STDERR This value causes the entity's logging messages  to  go  to  its
              standard error stream.

       CONSOLE
              This  value  causes  the  entity's logging messages to go to the
              console, if the system supports it.

       DEVICE=<devicename>
              This causes the entity's logging messages to go to the specified
              device.

       SYSLOG[:<severity>[:<facility>]]
              This  causes  the  entity's logging messages to go to the system
              log.

              The severity argument specifies the default severity  of  system
              log  messages.   This  may  be  any  of the following severities
              supported  by  the  syslog(3)  call  minus  the   LOG_   prefix:
              LOG_EMERG,    LOG_ALERT,    LOG_CRIT,    LOG_ERR,   LOG_WARNING,
              LOG_NOTICE, LOG_INFO, and LOG_DEBUG.  For  example,  to  specify
              LOG_CRIT severity, one would use CRIT for severity.

              The  facility  argument  specifies  the facility under which the
              messages  are  logged.   This  may  be  any  of  the   following
              facilities  supported  by  the  syslog(3)  call  minus  the LOG_
              prefix:  LOG_KERN,  LOG_USER,  LOG_MAIL,  LOG_DAEMON,  LOG_AUTH,
              LOG_LPR,  LOG_NEWS,  LOG_UUCP,  LOG_CRON, and LOG_LOCAL0 through
              LOG_LOCAL7.

              If no severity is specified, the  default  is  ERR,  and  if  no
              facility is specified, the default is AUTH.

       In  the following example, the logging messages from the KDC will go to
       the console and to the system log under the  facility  LOG_DAEMON  with
       default  severity  of  LOG_INFO;  and  the  logging  messages  from the
       administrative server will be appended to the file  /var/log/kadmin.log
       and sent to the device /dev/tty04.

                 [logging]
                      kdc = CONSOLE
                      kdc = SYSLOG:INFO:DAEMON
                      admin_server = FILE:/var/log/kadmin.log
                      admin_server = DEVICE=/dev/tty04

CAPATHS SECTION

       Cross-realm authentication is typically organized hierarchically.  This
       hierarchy is based on  the  name  of  the  realm,  which  thus  imposes
       restrictions  on  the choice of realm names, and on who may participate
       in a cross-realm authentication. A non hierarchical organization may be
       used,  but  requires  a  database to construct the authentication paths
       between the realms. This section defines that database.

       A client will use this section to find the authentication path  between
       its realm and the realm of the server. The server will use this section
       to verify the authentication path used be the client, by  checking  the
       transited field of the received ticket.

       There  is  a  tag  name  for each participating realm, and each tag has
       subtags for each of  the  realms.  The  value  of  the  subtags  is  an
       intermediate   realm   which   may   participate   in  the  cross-realm
       authentication. The subtags may be repeated if there is more  then  one
       intermediate realm. A value of "." means that the two realms share keys
       directly, and no intermediate realms should be allowed to participate.

       There are n**2 possible entries in this table, but only  those  entries
       which  will  be  needed on the client or the server need to be present.
       The client needs a tag for its local realm, with subtags  for  all  the
       realms  of servers it will need to authenticate with.  A server needs a
       tag for each realm of the clients it will serve.

       For example, ANL.GOV, PNL.GOV, and NERSC.GOV all wish to use the ES.NET
       realm  as  an  intermediate  realm. ANL has a sub realm of TEST.ANL.GOV
       which will authenticate with NERSC.GOV but not PNL.GOV.   The  [capath]
       section for ANL.GOV systems would look like this:

                 [capaths]
                      ANL.GOV = {
                           TEST.ANL.GOV = .
                           PNL.GOV = ES.NET
                           NERSC.GOV = ES.NET
                           ES.NET = .
                      }
                      TEST.ANL.GOV = {
                           ANL.GOV = .
                      }
                      PNL.GOV = {
                           ANL.GOV = ES.NET
                      }
                      NERSC.GOV = {
                           ANL.GOV = ES.NET
                      }
                      ES.NET = {
                           ANL.GOV = .
                      }

       The  [capath]  section  of  the  configuration  file  used on NERSC.GOV
       systems would look like this:

                 [capaths]
                      NERSC.GOV = {
                           ANL.GOV = ES.NET
                           TEST.ANL.GOV = ES.NET
                           TEST.ANL.GOV = ANL.GOV
                           PNL.GOV = ES.NET
                           ES.NET = .
                      }
                      ANL.GOV = {
                           NERSC.GOV = ES.NET
                      }
                      PNL.GOV = {
                           NERSC.GOV = ES.NET
                      }
                      ES.NET = {
                           NERSC.GOV = .
                      }
                      TEST.ANL.GOV = {
                           NERSC.GOV = ANL.GOV
                           NERSC.GOV = ES.NET
                      }

       In the above examples, the ordering is not important, except  when  the
       same  subtag  name  is used more then once. The client will use this to
       determine the path. (It is not  important  to  the  server,  since  the
       transited field is not sorted.)

       If  this section is not present, or if the client or server cannot find
       a client/server path, then normal hierarchical organization is assumed.

       This feature is not currently supported by DCE.  DCE  security  servers
       can  be used with Kerberized clients and servers, but versions prior to
       DCE 1.1 did not fill in the transited field, and should  be  used  with
       caution.

DATABASE DEFAULT SECTION

       The  [dbdefaults]  section  indicates  default  values for the database
       specific parameters.  It can also  specify  the  configuration  section
       under  dbmodules  for database specific parameters used by the loadable
       database library.

       The following tags are used in this section:

       database_module
              This relation indicates the name of  the  configuration  section
              under  dbmodules  for  database  specific parameters used by the
              loadable database library.

       ldap_kerberos_container_dn
              This LDAP specific tag indicates the DN of the container  object
              where  the  realm objects will be located. This value is used if
              no object DN is mentioned in  the  configuration  section  under
              dbmodules.

       ldap_kdc_dn
              This LDAP specific tag indicates the default bind DN for the KDC
              server.  The KDC server does a login to the  directory  as  this
              object.  This  value is used if no object DN is mentioned in the
              configuration section under dbmodules.

       ldap_kadmind_dn
              This LDAP specific tag indicates the default  bind  DN  for  the
              Administration server. The Administration server does a login to
              the directory as this object. This value is used if no object DN
              is mentioned in the configuration section under dbmodules.

       ldap_service_password_file
              This LDAP specific tag indicates the file containing the stashed
              passwords  for  the  objects  used  for  starting  the  Kerberos
              servers.  This  value  is  used  if  no service password file is
              mentioned in the configuration section under dbmodules.

       ldap_servers
              This LDAP specific tag indicates the list of LDAP  servers.  The
              list of LDAP servers is whitespace-separated. The LDAP server is
              specified by a LDAP URI.  This value is used if no LDAP  servers
              are mentioned in the configuration section under dbmodules.

       ldap_conns_per_server
              This LDAP specific tag indicates the number of connections to be
              maintained per LDAP server. This value is used if the number  of
              connections   per   LDAP   server   are  not  mentioned  in  the
              configuration section under dbmodules. The default value is 5.

DATABASE MODULE SECTION

       Each tag in the [dbmodules] section of the file names  a  configuration
       section  for  database specific parameters that can be referred to by a
       realm.  The value of the tag is a subsection  where  the  relations  in
       that subsection define the database specific parameters.

       For   each  section,  the  following  tags  may  be  specified  in  the
       subsection:

       database_name
              This DB2-specific tag indicates the location of the database  in
              the filesystem.

       db_library
              This  tag  indicates  the name of the loadable database library.
              The value should be db2 for db2  database  and  kldap  for  LDAP
              database.

       disable_last_success
              If  set  to true, suppresses KDC updates to the "Last successful
              authentication"   field   of   principal    entries    requiring
              preauthentication.   Setting  this flag may improve performance.
              (Principal entries which do not require preauthentication  never
              update the "Last successful authentication" field.)

       disable_lockout
              If  set  to  true,  suppresses  KDC  updates to the "Last failed
              authentication"  and  "Failed  password  attempts"   fields   of
              principal  entries  requiring  preauthentication.   Setting this
              flag may improve performance, but also disables account lockout.

       ldap_kerberos_container_dn
              This LDAP specific tag indicates the DN of the container  object
              where the realm objects will be located.

       ldap_kdc_dn
              This LDAP specific tag indicates the bind DN for the KDC server.
              The KDC does a login to the directory as this object.

       ldap_kadmind_dn
              This  LDAP  specific  tag  indicates  the  bind   DN   for   the
              Administration  server.   The Administration server does a login
              to the directory as this object.

       ldap_service_password_file
              This LDAP specific tag indicates the file containing the stashed
              passwords  for  the  objects  used  for  starting  the  Kerberos
              servers.

       ldap_servers
              This LDAP specific tag indicates the list of LDAP  servers.  The
              list of LDAP servers is whitespace-separated. The LDAP server is
              specified by a LDAP URI.

       ldap_conns_per_server
              This LDAP specific tag indicates the number of connections to be
              maintained per LDAP server.

PLUGINS SECTION

       Tags  in  the  [plugins] section can be used to register dynamic plugin
       modules and to turn modules on  and  off.   Not  every  krb5  pluggable
       interface  uses  the [plugins] section; the ones that do are documented
       here.

       Each pluggable interface corresponds to a subsection of [plugins].  All
       subsections support the same tags:

       module This  tag  may  have multiple values.  Each value is a string of
              the form "modulename:pathname", which causes the  shared  object
              located  at  pathname to be registered as a dynamic module named
              modulename for the pluggable interface.  If pathname is  not  an
              absolute path, it will be treated as relative to the plugin base
              directory.

       enable_only
              This tag may have multiple values.  If there are values for this
              tag,  then  only  the  named  modules  will  be  enabled for the
              pluggable interface.

       disable
              This tag may have multiple values.  If there are values for this
              tag,  then  the named modules will be disabled for the pluggable
              interface.

       The following subsections are currently supported within the  [plugins]
       section:

   pwqual interface
       The  pwqual  subsection  controls  modules  for  the  password  quality
       interface, which is used to reject weak passwords  when  passwords  are
       changed.   In addition to any registered dynamic modules, the following
       built-in modules exist (and may be disabled with the disable tag):

       dict   Checks against the realm dictionary file

       empty  Rejects empty passwords

       hesiod Checks against  user  information  stored  in  Hesiod  (only  if
              Kerberos was built with Hesiod support)

       princ  Checks against components of the principal name

   kadm5_hook interface
       The kadm5_hook interface provides plugins with information on principal
       creation, modification, password changes and deletion.  This  interface
       can  be used to write a plugin to synchronize MIT Kerberos with another
       database such as Active Directory. No plugins are  built  in  for  this
       interface.

   clpreauth and kdcpreauth interfaces
       The clpreauth and kdcpreauth interfaces allow plugin modules to provide
       client and KDC preauthentication mechanisms.   The  following  built-in
       modules exist for these interfaces:

       pkinit This module implements the PKINIT preauthentication mechanism.

       encrypted_challenge
              This module implements the encrypted challenge FAST factor.

       encrypted_timestamp
              This module implements the encrypted timestamp mechanism.

FILES

       /etc/krb5.conf

SEE ALSO

       syslog(3)

                                                                  KRB5.CONF(5)