Diffstat (limited to 'crypto/heimdal/lib/krb5/krb5.conf.5')
-rw-r--r-- | crypto/heimdal/lib/krb5/krb5.conf.5 | 133 |
1 files changed, 84 insertions, 49 deletions
diff --git a/crypto/heimdal/lib/krb5/krb5.conf.5 b/crypto/heimdal/lib/krb5/krb5.conf.5
index 9ee85aa..c9f8771 100644
--- a/crypto/heimdal/lib/krb5/krb5.conf.5
+++ b/crypto/heimdal/lib/krb5/krb5.conf.5
@@ -1,42 +1,44 @@
-.\" Copyright (c) 1999 - 2003 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
+.\" Copyright (c) 1999 - 2004 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
 .\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
 .\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
 .\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
 .\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\" may be used to endorse or promote products derived from this software
+.\" without specific prior written permission.
 .\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
 .\"
-.\" $Id: krb5.conf.5,v 1.35 2003/04/16 13:26:13 lha Exp $
+.\" $Id: krb5.conf.5,v 1.35.2.2 2004/03/09 19:52:07 lha Exp $
 .\"
-.Dd April 11, 1999
+.Dd March 9, 2004
 .Dt KRB5.CONF 5
 .Os HEIMDAL
 .Sh NAME
-.Nm /etc/krb5.conf
+.Nm krb5.conf
 .Nd configuration file for Kerberos 5
+.Sh SYNOPSIS
+.In krb5.h
 .Sh DESCRIPTION
 The
 .Nm
@@ -88,7 +90,8 @@ values can be a list of year, month, day, hour, min, second.
 Example: 1 month 2 days 30 min.
 .It etypes
 valid encryption types are: des-cbc-crc, des-cbc-md4, des-cbc-md5,
-des3-cbc-sha1.
+des3-cbc-sha1, arcfour-hmac-md5, aes128-cts-hmac-sha1-96, and
+aes256-cts-hmac-sha1-96 .
 .It address
 an address can be either a IPv4 or a IPv6 address.
 .El
@@ -124,6 +127,13 @@ addresses, making the tickets valid from any address.
 Default ticket lifetime.
 .It Li renew_lifetime = Va time
 Default renewable ticket lifetime.
+.It Li encrypt = Va boolean
+Use encryption, when available.
+.It Li forward = Va boolean
+Forward credentials to remote host (for
+.Xr rsh 1 ,
+.Xr telnet 1 ,
+etc).
 .El
 .It Li [libdefaults]
 .Bl -tag -width "xxx" -offset indent
@@ -147,23 +157,14 @@ manual page.
 .Bl -tag -width "xxx" -offset indent
 .It Va destination-realm Li = Va next-hop-realm
 .It ...
-.El
-Normally, all requests to realms different from the one of the current
-client are sent to this KDC to get cross-realm tickets.
-If this KDC does not have a cross-realm key with the desired realm and
-the hierarchical path to that realm does not work, a path can be
-configured using this directive.
-The text shown above instructs the KDC to try to obtain a cross-realm
-ticket to
-.Va next-hop-realm
-when the desired realm is
-.Va destination-realm .
-This configuration should preferably be done on the KDC where it will
-help all its clients but can also be done on the client itself.
 .It Li }
-.It Li default_etypes = Va etypes...
+.El
+This is deprecated, see the
+.Li capaths
+section below.
+.It Li default_etypes = Va etypes ...
 A list of default encryption types to use.
-.It Li default_etypes_des = Va etypes...
+.It Li default_etypes_des = Va etypes ...
 A list of default encryption types to use when requesting a DES credential.
 .It Li default_keytab_name = Va keytab
 The keytab to use if no other is specified, default is
@@ -193,7 +194,7 @@ fatal error.
 The application has to be able to read the corresponding service key
 for this to work.
 Some applications, like
-.Xr su 8 ,
+.Xr su 1 ,
 enable this option unconditionally.
 .It Li warn_pwexpire = Va time
 How soon to warn for expiring password.
@@ -202,7 +203,7 @@ Default is seven days.
 A HTTP-proxy to use when talking to the KDC via HTTP.
 .It Li dns_proxy = Va proxy-spec
 Enable using DNS via HTTP.
-.It Li extra_addresses = Va address...
+.It Li extra_addresses = Va address ...
 A list of addresses to get tickets for along with all local addresses.
 .It Li time_format = Va string
 How to print time strings in logs, this string is passed to
@@ -223,6 +224,13 @@ Also get Kerberos 4 tickets in
 .Nm login ,
 and other programs.
 This option is also valid in the [realms] section.
+.It Li fcc-mit-ticketflags = Va boolean
+Use MIT compatible format for file credential cache.
+It's the field ticketflags that is stored in reverse bit order for
+older than Heimdal 0.7.
+Setting this flag to
+.Dv TRUE
+make it store the MIT way, this is default for Heimdal 0.7.
 .El
 .It Li [domain_realm]
 This is a list of mappings from DNS domain to Kerberos realm.
@@ -259,13 +267,13 @@ specifies over what medium the kdc should be contacted.
 Possible services are
 .Dq udp ,
-.Dq tcp ,
+.Dq tcp , and
 .Dq http .
 Http can also be written as
 .Dq http:// .
 Default service is
-.Dq udp
+.Dq udp and
 .Dq tcp .
 .It Li admin_server = Va host[:port]
@@ -283,9 +291,31 @@ If it is not mentioned, the krb524 port on the kdcs will be tried.
 .It Li default_domain
 See
 .Xr krb5_425_conv_principal 3 .
+.It Li tgs_require_subkey
+a boolan variable that defaults to false.
+Old DCE secd (pre 1.1) might need this to be true.
 .El
 .It Li }
 .El
+.It Li [capaths]
+.Bl -tag -width "xxx" -offset indent
+.It Va client-realm Li = {
+.Bl -tag -width "xxx" -offset indent
+.It Va server-realm Li = Va hop-realm ...
+This serves two purposes. First the first listed
+.Va hop-realm
+tells a client which realm it should contact in order to ultimately
+obtain credentials for a service in the
+.Va server-realm .
+Secondly, it tells the KDC (and other servers) which realms are
+allowed in a multi-hop traversal from
+.Va client-realm
+to
+.Va server-realm .
+Except for the client case, the order of the realms are not important.
+.El
+.It Va }
+.El
 .It Li [logging]
 .Bl -tag -width "xxx" -offset indent
 .It Va entity Li = Va destination
@@ -397,7 +427,12 @@ and is only left for backwards compatibility.
 .Sh ENVIRONMENT
 .Ev KRB5_CONFIG
 points to the configuration file to read.
-.Sh EXAMPLE
+.Sh FILES
+.Bl -tag -width "/etc/krb5.conf"
+.It Pa /etc/krb5.conf
+configuration file for Kerberos 5.
+.El
+.Sh EXAMPLES
 .Bd -literal -offset indent
 [libdefaults]
 default_realm = FOO.SE
|