An Example
Subject: An Example
Author: eLDAP
In response to: What's inside krb5.conf? -- The [libdefaults] section
Posted on: 02/10/2010 08:34:53 PM
[libdefaults]
default_realm = ATHENA.MIT.EDU
default_tkt_enctypes = des-cbc-crc
default_tgs_enctypes = des-cbc-crc
>
> On 02/10/2010 08:32:54 PM eLDAP wrote:
> The [libdefaults] section defines default values used by the Kerberos V5 library, which can contain any of the following relations:
> database_module Selects the dbmodule section entry to use to access the Kerberos database. If this parameter is not present, the code will use the standard db2-based Kerberos database.
> default_keytab_name Specifies the default keytab name to be used by application servers such as telnetd and rlogind. The default is /etc/krb5/krb5.keytab.
> default_realm Identifies the default Kerberos realm for the client. Set its value to your Kerberos realm.
> default_tgs_enctypes Identifies the supported list of session key encryption types that should be returned by the KDC. The list can be delimited with commas or whitespace. The supported encryption types are des3-cbc-sha1-kd, des-cbc-crc, des-cbc-md5, arcfour-hmac-md5, arcfour-hmac-md5-exp, aes128-cts-hmac-sha1-96, and aes256-cts-hmac-sha1-96.
> default_tkt_enctypes Identifies the supported list of session key encryption types that should be requested by the client. The format is the same as for default_tgs_enctypes. The supported encryption types are des3-cbc-sha1-kd, des-cbc-crc, des-cbc-md5, arcfour-hmac-md5, arcfour-hmac-md5-exp, aes128-cts-hmac-sha1-96, and aes256-cts-hmac-sha1-96.
> clockskew Sets the maximum allowable amount of clock skew in seconds that the library tolerates before assuming that a Kerberos message is invalid. The default value is 300 seconds, or five minutes.
> forwardable = [true | false] Sets the forwardable flag in all tickets. This allows users to transfer their credentials from one host to another without reauthenticating. This option can also be set in the [appdefaults] or [realms] section (see below) to limit its use to particular applications or just to a specific realm.
> permitted_enctypes This relation controls the encryption types for session keys permitted by server applications that use Kerberos for authentication. In addition, it controls the encryption types of keys added to a keytab by means of the kadmin(1M) ktadd command. The default is: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-hmac-sha1-kd, arcfour-hmac-md5, arcfour-hmac-md5-exp, des-cbc-md5, des-cbc-crc.
> proxiable = [true | false] Sets the proxiable flag in all tickets. This allows users to create a proxy ticket that can be transferred to a kerberized service to allow that service to perform some function on behalf of the original user. This option can also be set in the [appdefaults] or [realms] section (see below) to limit its use to particular applications or just to a specific realm.
> renew_lifetime = lifetime Requests renewable tickets, with a total lifetime of lifetime. The value for lifetime must be followed immediately by one of the following delimiters:
> Example: renew_lifetime = 90m
> max_lifetime = lifetime Sets the requested maximum lifetime of the ticket. The values for lifetime follow the format described for the renew_lifetime option, above.
> dns_lookup_kdc Indicates whether DNS SRV records need to be used to locate the KDCs and the other servers for a realm, if they have not already been listed in the [realms] section. This option makes the machine vulnerable to a certain type of DoS attack if someone spoofs the DNS records and does a redirect to another server. This is, however, no worse than a DoS, since the bogus KDC is unable to decode anything sent (excepting the initial ticket request, which has no encrypted data). Also, anything the fake KDC sends out is not trusted without verification (the local machine is unaware of the secret key to be used). If dns_lookup_kdc is not specified but dns_fallback is, then that value is used instead. In either case, values (if present) in the [realms] section override DNS. dns_lookup_kdc is enabled by default.
> dns_lookup_realm Indicates whether DNS TXT records need to be used to determine the Kerberos realm information and/or the host/domain name-to-realm mapping of a host, if this information is not already present in the krb5.conf file. Enabling this option might make the host vulnerable to a redirection attack, wherein spoofed DNS replies persuade a client to authenticate to the wrong realm. In a realm with no cross-realm trusts, this is a DoS attack. If dns_lookup_realm is not specified but dns_fallback is, then that value is used instead. In either case, values (if present) in the [libdefaults] and [domain_realm] sections override DNS.
> dns_fallback Generic flag controlling the use of DNS for retrieval of information about Kerberos servers and host/domain name-to-realm mapping. If both dns_lookup_kdc and dns_lookup_realm have been specified, this option has no effect.
> verify_ap_req_nofail = [true | false] If true, the local keytab file (/etc/krb5/krb5.keytab) must contain an entry for the local host principal, for example, host/foo.bar.com@FOO.COM. This entry is needed to verify that the TGT requested was issued by the same KDC that issued the key for the host principal. If undefined, the behavior is as if this option were set to true. Setting this value to false leaves the system vulnerable to DNS spoofing attacks. This parameter can be in the [realms] section to set it on a per-realm basis, or it can be in the [libdefaults] section to make it a network-wide setting for all realms.
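As an added example (not code from this thread, from eLDAP, or from MIT Kerberos), here is a small Python audit that parses a krb5.conf and flags the [libdefaults] settings the quoted text warns about: single-DES and export-RC4 enctypes in default_tkt_enctypes / default_tgs_enctypes / permitted_enctypes, verify_ap_req_nofail = false, KDC discovery left to DNS SRV records when [realms] lists no kdc for the default realm, dns_lookup_realm, a clockskew above the 300 s default, and forwardable tickets. parse_lifetime handles the renew_lifetime / max_lifetime delta-time formats (the post's "90m" among them). Assumptions: the parser is a simplified reading of the krb5.conf syntax (sections, key = value, key = { ... } blocks, # and ; comments); both sample configs are constructed here, the weak one being the poster's [libdefaults] with verify_ap_req_nofail = false added; kdc.example.com is a placeholder host name; the broken/deprecated enctype split follows RFC 6649 (DES) and RFC 8429 (RC4, 3DES).

```python
"""Audit the [libdefaults] section of a krb5.conf for weak settings.

Added example, not code from the thread or from MIT Kerberos. The parser is a
simplified reading of the krb5.conf syntax ("[section]", "key = value",
"key = { ... }" blocks, '#' and ';' comments); the sample configs are constructed.
"""
import re

# Single DES and export RC4 are broken (RFC 6649); RC4 and 3DES are deprecated (RFC 8429).
BROKEN_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "arcfour-hmac-md5-exp"}
DEPRECATED_ENCTYPES = {"des3-cbc-sha1-kd", "des3-hmac-sha1-kd", "des3-cbc-sha1",
                       "arcfour-hmac-md5", "arcfour-hmac"}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")
TRUE_WORDS = {"true", "yes", "y", "on", "1"}


def parse_krb5_conf(text):
    """Return {section: {key: value}}; a 'key = { ... }' block becomes a nested dict."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [conf.setdefault(line[1:-1], {})]
            continue
        if line == "}":
            stack.pop()
            continue
        key, _, value = (s.strip() for s in line.partition("="))
        if not stack:
            continue                       # relation outside any section: ignore
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1][key] = value
    return conf


def parse_lifetime(value):
    """Seconds for a krb5 delta-time string: '36000', '90m', '1h30m', '7d', '10:00:00'."""
    value = value.strip()
    if value.isdigit():
        return int(value)
    if ":" in value:                       # h:m or h:m:s
        h, m, s = ([int(p) for p in value.split(":")] + [0, 0])[:3]
        return h * 3600 + m * 60 + s
    match = re.fullmatch(r"(?:(\d+)d)?\s*(?:(\d+)h)?\s*(?:(\d+)m)?\s*(?:(\d+)s)?", value)
    if not match or not any(match.groups()):
        raise ValueError("unrecognised lifetime: %r" % value)
    units = {"d": 86400, "h": 3600, "m": 60, "s": 1}
    return sum(int(n) * units[u] for n, u in zip(match.groups(), "dhms") if n)


def _flag(ld, key, default, fallback=None):
    """Boolean relation lookup; 'fallback' models the dns_fallback rule in the text."""
    value = ld.get(key, ld.get(fallback, default) if fallback else default)
    return value.strip().lower() in TRUE_WORDS


def audit_libdefaults(conf):
    """Return (relation, problem) findings for the [libdefaults] section of a parsed config."""
    ld = conf.get("libdefaults", {})
    findings = []
    for key in ENCTYPE_KEYS:
        for enctype in re.split(r"[\s,]+", ld.get(key, "").strip()):
            if enctype in BROKEN_ENCTYPES:
                findings.append((key, "broken enctype " + enctype))
            elif enctype in DEPRECATED_ENCTYPES:
                findings.append((key, "deprecated enctype " + enctype))
    if not _flag(ld, "verify_ap_req_nofail", "true"):
        findings.append(("verify_ap_req_nofail", "false: TGT not checked against the host keytab"))
    realm = ld.get("default_realm")
    realm_block = conf.get("realms", {}).get(realm)
    has_kdc = isinstance(realm_block, dict) and "kdc" in realm_block
    if _flag(ld, "dns_lookup_kdc", "true", "dns_fallback") and not has_kdc:
        findings.append(("dns_lookup_kdc", "KDC for %s found only via spoofable DNS SRV" % realm))
    if _flag(ld, "dns_lookup_realm", "false", "dns_fallback"):
        findings.append(("dns_lookup_realm", "realm mapping taken from spoofable DNS TXT"))
    if int(ld.get("clockskew", "300")) > 300:
        findings.append(("clockskew", ld["clockskew"] + " s exceeds the 300 s default"))
    if _flag(ld, "forwardable", "false"):
        findings.append(("forwardable", "every TGT forwardable: full delegation to any host"))
    return findings


# Constructed for this example: the poster's [libdefaults] plus verify_ap_req_nofail = false.
WEAK_CONF = """\
[libdefaults]
    default_realm = ATHENA.MIT.EDU
    default_tkt_enctypes = des-cbc-crc
    default_tgs_enctypes = des-cbc-crc
    verify_ap_req_nofail = false
"""

# Constructed hardened counterpart; kdc.example.com is a placeholder host name.
HARDENED_CONF = """\
[libdefaults]
    default_realm = ATHENA.MIT.EDU
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    dns_lookup_kdc = false
    dns_lookup_realm = false
    clockskew = 300
    renew_lifetime = 7d
[realms]
    ATHENA.MIT.EDU = {
        kdc = kdc.example.com      # placeholder
    }
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_libdefaults(parse_krb5_conf(text)))
```

Run against the weak config it reports the two des-cbc-crc relations, the disabled AP-REQ verification and the fact that, with no kdc listed under [realms], the KDC would be located purely from DNS SRV answers; the hardened config yields no findings. Values in [realms] override DNS, as the quoted text says, so pinning the KDC there is what silences the dns_lookup_kdc finding, not the flag alone.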