Kerberos V5 System Administrator's Guide

Node:libdefaults, Next:appdefaults, Previous:krb5.conf, Up:krb5.conf

[libdefaults]

The libdefaults section may contain any of the following relations:

default_keytab_name

This relation specifies the default keytab name to be used by application servers such as telnetd and rlogind. The default is /etc/krb5.keytab.

default_realm

Identifies the default Kerberos realm for the client. Set its value to your Kerberos realm. If this is not specified and the TXT record lookup is enabled (see Using DNS), then that information will be used to determine the default realm. If this tag is not set in this configuration file and there is no DNS information found, then an error will be returned.

default_tgs_enctypes

Identifies the supported list of session key encryption types that should be returned by the KDC. The list may be delimited with commas or whitespace. Kerberos supports many different encryption types, and support for more is planned in the future. (see Supported Encryption Types for a list of the accepted values for this tag). The default value is aes256-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4.

default_tkt_enctypes

Identifies the supported list of session key encryption types that should be requested by the client. The format is the same as for default_tgs_enctypes. The default value for this tag is aes256-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4.

permitted_enctypes

Identifies all encryption types that are permitted for use in session key encryption. The default value for this tag is aes256-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4.

clockskew

Sets the maximum allowable amount of clockskew in seconds that the library will tolerate before assuming that a Kerberos message is invalid. The default value is 300 seconds, or five minutes.

kdc_timesync

If this is set to 1 (for true), then client machines will compute the difference between their time and the time returned by the KDC in the timestamps in the tickets and use this value to correct for an inaccurate system clock. This corrective factor is only used by the Kerberos library. The default is 1.

kdc_req_checksum_type

ap_req_checksum_type

safe_checksum_type

An integer which specifies the type of checksum to use. Used for compatability with DCE security servers which do not support the default RSA MD5 used by this version of Kerberos. The possible values and their meanings are as follows.

1: CRC32
2: RSA MD4
3: RSA MD4 DES
4: DES CBC
7: RSA MD5
8: RSA MD5 DES
9: NIST SHA
12: HMAC SHA1 DES3
-138: Microsoft MD5 HMAC checksum type

ccache_type

Use this parameter on systems which are DCE clients, to specify the type of cache to be created by kinit, or when forwarded tickets are received. DCE and Kerberos can share the cache, but some versions of DCE do not support the default cache as created by this version of Kerberos. Use a value of 1 on DCE 1.0.3a systems, and a value of 2 on DCE 1.1 systems. The default value is 4.

krb4_srvtab

Specifies the location of the Kerberos V4 srvtab file. Default is /etc/srvtab.

krb4_config

Specifies the location of hte Kerberos V4 configuration file. Default is /etc/krb.conf.

krb4_realms

Specifies the location of the Kerberos V4 domain/realm translation file. Default is /etc/krb.realms.

dns_lookup_kdc

Indicate whether DNS SRV records should be used to locate the KDCs and other servers for a realm, if they are not listed in the information for the realm. (Note that the admin_server entry must be in the file, because the DNS implementation for it is incomplete.)

Enabling this option does open up a type of denial-of-service attack, if someone spoofs the DNS records and redirects you to another server. However, it's no worse than a denial of service, because that fake KDC will be unable to decode anything you send it (besides the initial ticket request, which has no encrypted data), and anything the fake KDC sends will not be trusted without verification using some secret that it won't know.

If this option is not specified but dns_fallback is, that value will be used instead. If neither option is specified, the behavior depends on configure-time options; if none were given, the default is to enable this option. If the DNS support is not compiled in, this entry has no effect.

dns_lookup_realm

Indicate whether DNS TXT records should be used to determine the Kerberos realm of a host.

Enabling this option may permit a redirection attack, where spoofed DNS replies persuade a client to authenticate to the wrong realm, when talking to the wrong host (either by spoofing yet more DNS records or by intercepting the net traffic). Depending on how the client software manages hostnames, however, it could already be vulnerable to such attacks. We are looking at possible ways to minimize or eliminate this exposure. For now, we encourage more adventurous sites to try using Secure DNS.

If this option is not specified but dns_fallback is, that value will be used instead. If neither option is specified, the behavior depends on configure-time options; if none were given, the default is to disable this option. If the DNS support is not compiled in, this entry has no effect.

dns_fallback

General flag controlling the use of DNS for Kerberos information. If both of the preceding options are specified, this option has no effect.

extra_addresses

This allows a computer to use multiple local addresses, in order to allow Kerberos to work in a network that uses NATs. The addresses should be in a comma-separated list.

udp_preference_limit

When sending a message to the KDC, the library will try using TCP before UDP if the size of the message is above udp_preference_list. If the message is smaller than udp_preference_list, then UDP will be tried before TCP. Regardless of the size, both protocols will be tried if the first attempt fails.

verify_ap_req_nofail

If this flag is set, then an attempt to get initial credentials will fail if the client machine does not have a keytab. The default for the flag is not set.

renew_lifetime

The value of this tag is the default renewable lifetime for initial tickets. The default value for the tag is 0.

noaddresses

Setting this flag causes the initial Kerberos ticket to be addressless. The default for the flag is set.

forwardable

If this flag is set, initial tickets by default will be forwardable. The default value for this flag is not set.

proxiable

If this flag is set, initial tickets by default will be proxiable. The default value for this flag is not set.