4 All hosts running Kerberos software, whether they are clients,
5 application servers, or KDCs, can be configured using
6 :ref:`krb5.conf(5)`. Here we describe some of the behavior changes
7 you might want to make.
13 In the :ref:`libdefaults` section, the **default_realm** realm
14 relation sets the default Kerberos realm. For example::
17 default_realm = ATHENA.MIT.EDU
19 The default realm affects Kerberos behavior in the following ways:
21 * When a principal name is parsed from text, the default realm is used
22 if no ``@REALM`` component is specified.
24 * The default realm affects login authorization as described below.
26 * For programs which operate on a Kerberos database, the default realm
27 is used to determine which database to operate on, unless the **-r**
28 parameter is given to specify a realm.
30 * A server program may use the default realm when looking up its key
31 in a :ref:`keytab file <keytab_file>`, if its realm is not
32 determined by :ref:`domain_realm` configuration or by the server
35 * If :ref:`kinit(1)` is passed the **-n** flag, it requests anonymous
36 tickets from the default realm.
38 In some situations, these uses of the default realm might conflict.
39 For example, it might be desirable for principal name parsing to use
40 one realm by default, but for login authorization to use a second
41 realm. In this situation, the first realm can be configured as the
42 default realm, and **auth_to_local** relations can be used as
43 described below to use the second realm for login authorization.
46 .. _login_authorization:
51 If a host runs a Kerberos-enabled login service such as OpenSSH with
52 GSSAPIAuthentication enabled, login authorization rules determine
53 whether a Kerberos principal is allowed to access a local account.
55 By default, a Kerberos principal is allowed access to an account if
56 its realm matches the default realm and its name matches the account
57 name. (For historical reasons, access is also granted by default if
58 the name has two components and the second component matches the
59 default realm; for instance, ``alice/ATHENA.MIT.EDU@ATHENA.MIT.EDU``
60 is granted access to the ``alice`` account if ``ATHENA.MIT.EDU`` is
63 The simplest way to control local access is using :ref:`.k5login(5)`
64 files. To use these, place a ``.k5login`` file in the home directory
65 of each account listing the principal names which should have login
66 access to that account. If it is not desirable to use ``.k5login``
67 files located in account home directories, the **k5login_directory**
68 relation in the :ref:`libdefaults` section can specify a directory
69 containing one file per account uname.
71 By default, if a ``.k5login`` file is present, it controls
72 authorization both positively and negatively--any principal name
73 contained in the file is granted access and any other principal name
74 is denied access, even if it would have had access if the ``.k5login``
75 file didn't exist. The **k5login_authoritative** relation in the
76 :ref:`libdefaults` section can be set to false to make ``.k5login``
77 files provide positive authorization only.
79 The **auth_to_local** relation in the :ref:`realms` section for the
80 default realm can specify pattern-matching rules to control login
81 authorization. For example, the following configuration allows access
82 to principals from a different realm than the default realm::
86 # Allow access to principals from OTHER.REALM.
88 # [1:$1@$0] matches single-component principal names and creates
89 # a selection string containing the principal name and realm.
91 # (.*@OTHER\.REALM) matches against the selection string, so that
92 # only principals in OTHER.REALM are matched.
94 # s/@OTHER\.REALM$// removes the realm name, leaving behind the
95 # principal name as the acount name.
96 auth_to_local = RULE:[1:$1@$0](.*@OTHER\.REALM)s/@OTHER\.REALM$//
98 # Also allow principals from the default realm. Omit this line
99 # to only allow access to principals in OTHER.REALM.
100 auth_to_local = DEFAULT
103 The **auth_to_local_names** subsection of the :ref:`realms` section
104 for the default realm can specify explicit mappings from principal
105 names to local accounts. The key used in this subsection is the
106 principal name without realm, so it is only safe to use in a Kerberos
107 environment with a single realm or a tightly controlled set of realms.
108 An example use of **auth_to_local_names** might be::
112 auth_to_local_names = {
113 # Careful, these match principals in any realm!
114 host/example.com = hostaccount
119 Local authorization behavior can also be modified using plugin
120 modules; see :ref:`hostrealm_plugin` for details.
125 Plugin module configuration
126 ---------------------------
128 Many aspects of Kerberos behavior, such as client preauthentication
129 and KDC service location, can be modified through the use of plugin
130 modules. For most of these behaviors, you can use the :ref:`plugins`
131 section of krb5.conf to register third-party modules, and to switch
132 off registered or built-in modules.
134 A plugin module takes the form of a Unix shared object
135 (``modname.so``) or Windows DLL (``modname.dll``). If you have
136 installed a third-party plugin module and want to register it, you do
137 so using the **module** relation in the appropriate subsection of the
138 [plugins] section. The value for **module** must give the module name
139 and the path to the module, separated by a colon. The module name
140 will often be the same as the shared object's name, but in unusual
141 cases (such as a shared object which implements multiple modules for
142 the same interface) it might not be. For example, to register a
143 client preauthentication module named ``mypreauth`` installed at
144 ``/path/to/mypreauth.so``, you could write::
148 module = mypreauth:/path/to/mypreauth.so
151 Many of the pluggable behaviors in MIT krb5 contain built-in modules
152 which can be switched off. You can disable a built-in module (or one
153 you have registered) using the **disable** directive in the
154 appropriate subsection of the [plugins] section. For example, to
155 disable the use of .k5identity files to select credential caches, you
163 If you want to disable multiple modules, specify the **disable**
164 directive multiple times, giving one module to disable each time.
166 Alternatively, you can explicitly specify which modules you want to be
167 enabled for that behavior using the **enable_only** directive. For
168 example, to make :ref:`kadmind(8)` check password quality using only a
169 module you have registered, and no other mechanism, you could write::
173 module = mymodule:/path/to/mymodule.so
174 enable_only = mymodule
177 Again, if you want to specify multiple modules, specify the
178 **enable_only** directive multiple times, giving one module to enable
181 Some Kerberos interfaces use different mechanisms to register plugin
188 For historical reasons, modules to control how KDC servers are located
189 are registered simply by placing the shared object or DLL into the
190 "libkrb5" subdirectory of the krb5 plugin directory, which defaults to
191 |libdir|\ ``/krb5/plugins``. For example, Samba's winbind krb5
192 locator plugin would be registered by placing its shared object in
193 |libdir|\ ``/krb5/plugins/libkrb5/winbind_krb5_locator.so``.
196 .. _gssapi_plugin_config:
198 GSSAPI mechanism modules
199 ~~~~~~~~~~~~~~~~~~~~~~~~
201 GSSAPI mechanism modules are registered using the file
202 ``/etc/gss/mech`` or configuration files in the ``/etc/gss/mech.d/``
203 directory. Only files with a ``.conf`` suffix will be read from the
204 ``/etc/gss/mech.d/`` directory. Each line in these files has the
207 oid pathname [options] <type>
209 Only the oid and pathname are required. *oid* is the object
210 identifier of the GSSAPI mechanism to be registered. *pathname* is a
211 path to the module shared object or DLL. *options* (if present) are
212 options provided to the plugin module, surrounded in square brackets.
213 *type* (if present) can be used to indicate a special type of module.
214 Currently the only special module type is "interposer", for a module
215 designed to intercept calls to other mechanisms.
218 .. _profile_plugin_config:
220 Configuration profile modules
221 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
223 A configuration profile module replaces the information source for
224 :ref:`krb5.conf(5)` itself. To use a profile module, begin krb5.conf
227 module PATHNAME:STRING
229 where *PATHNAME* is a path to the module shared object or DLL, and
230 *STRING* is a string to provide to the module. The module will then
231 take over, and the rest of krb5.conf will be ignored.