Diffstat (limited to 'doc/html/_sources/admin')
-rw-r--r--doc/html/_sources/admin/admin_commands/kadmin_local.txt7
-rw-r--r--doc/html/_sources/admin/admin_commands/kpropd.txt5
-rw-r--r--doc/html/_sources/admin/admin_commands/ktutil.txt2
-rw-r--r--doc/html/_sources/admin/conf_files/kadm5_acl.txt40
-rw-r--r--doc/html/_sources/admin/conf_files/kdc_conf.txt17
-rw-r--r--doc/html/_sources/admin/conf_files/krb5_conf.txt59
-rw-r--r--doc/html/_sources/admin/pkinit.txt20
-rw-r--r--doc/html/_sources/admin/realm_config.txt2
8 files changed, 126 insertions, 26 deletions
diff --git a/doc/html/_sources/admin/admin_commands/kadmin_local.txt b/doc/html/_sources/admin/admin_commands/kadmin_local.txt
index 50c3b99ea428..9b5ccf4e911a 100644
--- a/doc/html/_sources/admin/admin_commands/kadmin_local.txt
+++ b/doc/html/_sources/admin/admin_commands/kadmin_local.txt
@@ -661,6 +661,13 @@ KDC:
*principal*. The *value* is a JSON string representing an array
of objects, each having optional ``type`` and ``username`` fields.
+**pkinit_cert_match**
+ Specifies a matching expression that defines the certificate
+ attributes required for the client certificate used by the
+ principal during PKINIT authentication. The matching expression
+ is in the same format as those used by the **pkinit_cert_match**
+ option in :ref:`krb5.conf(5)`. (New in release 1.16.)
+
This command requires the **modify** privilege.
Alias: **setstr**
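Review bot: The new **pkinit_cert_match** entry says what the attribute is but not what the KDC does with it: it does not state that a certificate failing the expression is rejected, nor whether a principal with no such attribute falls back to the default PKINIT Subject Alternative Name check. Since this is where an administrator will look when deciding whether to set the attribute, add a sentence on both outcomes and a cross-reference to the certauth interface documentation in :ref:`krb5.conf(5)`, alongside the existing pointer to the **pkinit_cert_match** option syntax.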
diff --git a/doc/html/_sources/admin/admin_commands/kpropd.txt b/doc/html/_sources/admin/admin_commands/kpropd.txt
index 5e01e2f14bc1..5468b06754e1 100644
--- a/doc/html/_sources/admin/admin_commands/kpropd.txt
+++ b/doc/html/_sources/admin/admin_commands/kpropd.txt
@@ -14,6 +14,7 @@ SYNOPSIS
[**-F** *principal_database*]
[**-p** *kdb5_util_prog*]
[**-P** *port*]
+[**--pid-file**\ =\ *pid_file*]
[**-d**]
[**-t**]
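Review bot: The synopsis adds ``[**--pid-file**\ =\ *pid_file*]`` between **-P** and **-d**, but every other entry in this list is a short option; for consistency with the OPTIONS section order and to keep the synopsis scannable, consider placing the long option after the short ones (after **-t**) or matching whatever order the OPTIONS section uses.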
@@ -104,6 +105,10 @@ OPTIONS
Allows the user to specify the path to the kpropd.acl file; by
default the path used is |kdcdir|\ ``/kpropd.acl``.
+**--pid-file**\ =\ *pid_file*
+ In standalone mode, write the process ID of the daemon into
+ *pid_file*.
+
ENVIRONMENT
-----------
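Review bot: The **--pid-file** description only covers standalone mode; it should also say what happens when kpropd is started from inetd (presumably the option is ignored) and whether the file is removed when the daemon exits, since init scripts and monitoring tools that consume the pid file depend on both behaviours. One additional sentence such as "The file is ignored when kpropd is run from inetd" would settle the first point.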
diff --git a/doc/html/_sources/admin/admin_commands/ktutil.txt b/doc/html/_sources/admin/admin_commands/ktutil.txt
index d55ddc8944c6..2eb19ded2769 100644
--- a/doc/html/_sources/admin/admin_commands/ktutil.txt
+++ b/doc/html/_sources/admin/admin_commands/ktutil.txt
@@ -87,7 +87,7 @@ add_entry
~~~~~~~~~
**add_entry** {**-key**\|\ **-password**} **-p** *principal*
- **-k** *kvno* **-e** *enctype*
+ **-k** *kvno* **-e** *enctype* [**-s** *salt*]
Add *principal* to keylist using key or password.
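Review bot: The synopsis for **add_entry** gains ``[**-s** *salt*]`` but this hunk adds no description of the argument; make sure the option text below the synopsis explains what *salt* is (a salt string used when deriving the key from **-password**) and what the default is when it is omitted, otherwise the flag is documented only by its existence in the synopsis.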
diff --git a/doc/html/_sources/admin/conf_files/kadm5_acl.txt b/doc/html/_sources/admin/conf_files/kadm5_acl.txt
index d23fb8a5789e..290bf0e037a7 100644
--- a/doc/html/_sources/admin/conf_files/kadm5_acl.txt
+++ b/doc/html/_sources/admin/conf_files/kadm5_acl.txt
@@ -116,16 +116,17 @@ Here is an example of a kadm5.acl file::
*/root@ATHENA.MIT.EDU l * # line 5
sms@ATHENA.MIT.EDU x * -maxlife 9h -postdateable # line 6
-(line 1) Any principal in the ``ATHENA.MIT.EDU`` realm with
-an ``admin`` instance has all administrative privileges.
-
-(lines 1-3) The user ``joeadmin`` has all permissions with his
-``admin`` instance, ``joeadmin/admin@ATHENA.MIT.EDU`` (matches line
-1). He has no permissions at all with his null instance,
-``joeadmin@ATHENA.MIT.EDU`` (matches line 2). His ``root`` and other
-non-``admin``, non-null instances (e.g., ``extra`` or ``dbadmin``) have
-inquire permissions with any principal that has the instance ``root``
-(matches line 3).
+(line 1) Any principal in the ``ATHENA.MIT.EDU`` realm with an
+``admin`` instance has all administrative privileges except extracting
+keys.
+
+(lines 1-3) The user ``joeadmin`` has all permissions except
+extracting keys with his ``admin`` instance,
+``joeadmin/admin@ATHENA.MIT.EDU`` (matches line 1). He has no
+permissions at all with his null instance, ``joeadmin@ATHENA.MIT.EDU``
+(matches line 2). His ``root`` and other non-``admin``, non-null
+instances (e.g., ``extra`` or ``dbadmin``) have inquire permissions
+with any principal that has the instance ``root`` (matches line 3).
(line 4) Any ``root`` principal in ``ATHENA.MIT.EDU`` can inquire
or change the password of their null instance, but not any other
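Review bot: All three rewritten paragraphs now say "except extracting keys", but nothing in this hunk explains why a ``*`` permission in the example file stops short of key extraction. A reader who has not yet absorbed the permissions table will find this surprising; add a parenthetical such as "(``*`` does not include the extract-keys privilege, which must be granted explicitly)" or cross-reference the permissions table so the reasoning is visible where the example is explained.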
@@ -139,9 +140,22 @@ permission can only be granted globally, not to specific target
principals.
(line 6) Finally, the Service Management System principal
-``sms@ATHENA.MIT.EDU`` has all permissions, but any principal that it
-creates or modifies will not be able to get postdateable tickets or
-tickets with a life of longer than 9 hours.
+``sms@ATHENA.MIT.EDU`` has all permissions except extracting keys, but
+any principal that it creates or modifies will not be able to get
+postdateable tickets or tickets with a life of longer than 9 hours.
+
+MODULE BEHAVIOR
+---------------
+
+The ACL file can coexist with other authorization modules in release
+1.16 and later, as configured in the :ref:`kadm5_auth` section of
+:ref:`krb5.conf(5)`. The ACL file will positively authorize
+operations according to the rules above, but will never
+authoritatively deny an operation, so other modules can authorize
+operations in addition to those authorized by the ACL file.
+
+To operate without an ACL file, set the *acl_file* variable in
+:ref:`kdc.conf(5)` to the empty string with ``acl_file = ""``.
SEE ALSO
--------
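Review bot: The MODULE BEHAVIOR section states that the ACL file "will never authoritatively deny an operation", but it should spell out the consequence for administrators: the effective permission set is the union of what every configured kadm5_auth module grants, so removing or tightening an ACL entry does not revoke an operation that another module (for example the self-service module) authorizes. Also, the ``acl_file = ""`` sentence should say what remains in effect in that configuration, i.e. only the other kadm5_auth modules authorize anything.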
diff --git a/doc/html/_sources/admin/conf_files/kdc_conf.txt b/doc/html/_sources/admin/conf_files/kdc_conf.txt
index 13077ecf4bc2..3af1c3796e6b 100644
--- a/doc/html/_sources/admin/conf_files/kdc_conf.txt
+++ b/doc/html/_sources/admin/conf_files/kdc_conf.txt
@@ -86,9 +86,10 @@ The following tags may be specified in a [realms] subsection:
**acl_file**
(String.) Location of the access control list file that
:ref:`kadmind(8)` uses to determine which principals are allowed
- which permissions on the Kerberos database. The default value is
- |kdcdir|\ ``/kadm5.acl``. For more information on Kerberos ACL
- file see :ref:`kadm5.acl(5)`.
+ which permissions on the Kerberos database. To operate without an
+ ACL file, set this relation to the empty string with ``acl_file =
+ ""``. The default value is |kdcdir|\ ``/kadm5.acl``. For more
+ information on Kerberos ACL file see :ref:`kadm5.acl(5)`.
**database_module**
(String.) This relation indicates the name of the configuration
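Review bot: The new sentence "To operate without an ACL file, set this relation to the empty string" should say what authorization remains when the ACL file is disabled, since an administrator reading only kdc.conf(5) may assume the empty string means no kadmin operations are permitted at all; a pointer to the kadm5_auth interface documentation would cover it. Minor style point in the last sentence: "For more information on Kerberos ACL file" reads better as "on the Kerberos ACL file".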
@@ -198,6 +199,11 @@ The following tags may be specified in a [realms] subsection:
if there is no policy assigned to the principal, no dictionary
checks of passwords will be performed.
+**encrypted_challenge_indicator**
+ (String.) Specifies the authentication indicator value that the KDC
+ asserts into tickets obtained using FAST encrypted challenge
+ pre-authentication. New in 1.16.
+
**host_based_services**
(Whitespace- or comma-separated list.) Lists services which will
get host-based referral processing even if the server principal is
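Review bot: The **encrypted_challenge_indicator** entry ends with "New in 1.16." while the other additions in this patch use the form "(New in release 1.16.)" (see the kadmin_local and pkinit_identities entries); use the same form here. The description would also benefit from stating the default (no indicator asserted when the relation is unset), since an indicator value is consumed by downstream authorization policy.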
@@ -765,9 +771,6 @@ For information about the syntax of some of these options, see
pkinit is used to authenticate. This option may be specified
multiple times. (New in release 1.14.)
-**pkinit_kdc_ocsp**
- Specifies the location of the KDC's OCSP.
-
**pkinit_pool**
Specifies the location of intermediate certificates which may be
used by the KDC to complete the trust chain between a client's
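Review bot: Removing the **pkinit_kdc_ocsp** entry silently drops a documented relation; the text should say whether an existing ``pkinit_kdc_ocsp`` line in kdc.conf is now ignored or treated as an error, otherwise administrators upgrading with that relation present have no way to tell from the documentation what their configuration now does. A one-line note in this section, or in the release notes, would suffice.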
@@ -824,7 +827,7 @@ camellia256-cts-cmac camellia256-cts Camellia-256 CTS mode with
camellia128-cts-cmac camellia128-cts Camellia-128 CTS mode with CMAC
des The DES family: des-cbc-crc, des-cbc-md5, and des-cbc-md4 (weak)
des3 The triple DES family: des3-cbc-sha1
-aes The AES family: aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96
+aes The AES family: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha384-192, and aes128-cts-hmac-sha256-128
rc4 The RC4 family: arcfour-hmac
camellia The Camellia family: camellia256-cts-cmac and camellia128-cts-cmac
==================================================== =========================================================
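Review bot: The **aes** family row now lists aes256-cts-hmac-sha384-192 and aes128-cts-hmac-sha256-128; confirm that the per-enctype rows earlier in this table (not in this hunk) also list those two enctypes, so the family alias and the individual entries stay consistent. The row is far longer than the second column marker in the separator line; this renders in an RST simple table because the last column may extend past the border, but the line is worth wrapping or noting for future editors.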
diff --git a/doc/html/_sources/admin/conf_files/krb5_conf.txt b/doc/html/_sources/admin/conf_files/krb5_conf.txt
index 653aad613cbc..4ed9832c7b17 100644
--- a/doc/html/_sources/admin/conf_files/krb5_conf.txt
+++ b/doc/html/_sources/admin/conf_files/krb5_conf.txt
@@ -55,9 +55,10 @@ following directives at the beginning of a line::
directory must exist and be readable. Including a directory includes
all files within the directory whose names consist solely of
alphanumeric characters, dashes, or underscores. Starting in release
-1.15, files with names ending in ".conf" are also included. Included
-profile files are syntactically independent of their parents, so each
-included file must begin with a section header.
+1.15, files with names ending in ".conf" are also included, unless the
+name begins with ".". Included profile files are syntactically
+independent of their parents, so each included file must begin with a
+section header.
The krb5.conf file can specify that configuration should be obtained
from a loadable module, rather than the file itself, using the
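Review bot: The new clause "unless the name begins with ``.``" is attached only to the ".conf" sentence, which leaves it ambiguous whether hidden files matching the alphanumeric rule are also excluded (they cannot match it, since ``.`` is not alphanumeric, but the reader has to work that out). Rewording to "files with names ending in ".conf" are also included, except those whose names begin with ``.``" makes the scope explicit, and a short rationale (editor backup and hidden files in the directory are skipped) would help administrators understand why a stray ``.foo.conf`` is not picked up.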
@@ -262,7 +263,7 @@ The libdefaults section may contain any of the following relations:
the local user or by root.
**kcm_mach_service**
- On OS X only, determines the name of the bootstrap service used to
+ On macOS only, determines the name of the bootstrap service used to
contact the KCM daemon for the KCM credential cache type. If the
value is ``-``, Mach RPC will not be used to contact the KCM
daemon. The default value is ``org.h5l.kcm``.
@@ -744,6 +745,10 @@ disabled with the disable tag):
Uses the service realm to guess an appropriate cache from the
collection
+**hostname**
+ If the service principal is host-based, uses the service hostname
+ to guess an appropriate cache from the collection
+
.. _pwqual:
pwqual interface
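Review bot: The new **hostname** ccselect module entry lacks the "(New in release 1.16.)" marker that the other additions in this patch carry; add it for consistency. It would also help to state what happens when the service principal is not host-based (the module presumably declines, leaving the decision to the other ccselect modules such as the realm-based one above).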
@@ -777,6 +782,26 @@ interface can be used to write a plugin to synchronize MIT Kerberos
with another database such as Active Directory. No plugins are built
in for this interface.
+.. _kadm5_auth:
+
+kadm5_auth interface
+####################
+
+The kadm5_auth section (introduced in release 1.16) controls modules
+for the kadmin authorization interface, which determines whether a
+client principal is allowed to perform a kadmin operation. The
+following built-in modules exist for this interface:
+
+**acl**
+ This module reads the :ref:`kadm5.acl(5)` file, and authorizes
+ operations which are allowed according to the rules in the file.
+
+**self**
+ This module authorizes self-service operations including password
+ changes, creation of new random keys, fetching the client's
+ principal record or string attributes, and fetching the policy
+ record associated with the client principal.
+
.. _clpreauth:
.. _kdcpreauth:
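Review bot: The kadm5_auth section describes the **acl** and **self** modules but not how their results combine; since the kadm5.acl(5) change in this same patch says the ACL module never denies, state here that an operation is permitted if any module authorizes it, and that the **self** module's grants (password changes, new random keys, fetching the client's own record, string attributes and policy) therefore apply regardless of ACL file contents. Administrators relying on the ACL file to restrict self-service operations need that stated explicitly.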
@@ -858,6 +883,32 @@ built-in modules exist for this interface:
This module authorizes a principal to a local account if the
principal name maps to the local account name.
+.. _certauth:
+
+certauth interface
+##################
+
+The certauth section (introduced in release 1.16) controls modules for
+the certificate authorization interface, which determines whether a
+certificate is allowed to preauthenticate a user via PKINIT. The
+following built-in modules exist for this interface:
+
+**pkinit_san**
+ This module authorizes the certificate if it contains a PKINIT
+ Subject Alternative Name for the requested client principal, or a
+ Microsoft UPN SAN matching the principal if **pkinit_allow_upn**
+ is set to true for the realm.
+
+**pkinit_eku**
+ This module rejects the certificate if it does not contain an
+ Extended Key Usage attribute consistent with the
+ **pkinit_eku_checking** value for the realm.
+
+**dbmatch**
+ This module authorizes or rejects the certificate according to
+ whether it matches the **pkinit_cert_match** string attribute on
+ the client principal, if that attribute is present.
+
PKINIT options
--------------
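Review bot: The certauth section lists modules that "authorize" (pkinit_san), "reject" (pkinit_eku) and "authorize or reject" (dbmatch) but never explains how the verdicts are combined: whether a single rejection is final and whether at least one module must positively authorize the certificate for PKINIT to succeed. Without that, a reader cannot tell whether setting **pkinit_cert_match** on a principal adds a requirement on top of the SAN check or replaces it; add a sentence describing the decision rule before the module list.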
diff --git a/doc/html/_sources/admin/pkinit.txt b/doc/html/_sources/admin/pkinit.txt
index 460d75d1e2be..c601c5c9ebba 100644
--- a/doc/html/_sources/admin/pkinit.txt
+++ b/doc/html/_sources/admin/pkinit.txt
@@ -223,6 +223,26 @@ time as follows::
kadmin -q 'add_principal +requires_preauth -nokey YOUR_PRINCNAME'
+By default, the KDC requires PKINIT client certificates to have the
+standard Extended Key Usage and Subject Alternative Name attributes
+for PKINIT. Starting in release 1.16, it is possible to authorize
+client certificates based on the subject or other criteria instead of
+the standard PKINIT Subject Alternative Name, by setting the
+**pkinit_cert_match** string attribute on each client principal entry.
+For example::
+
+ kadmin set_string user@REALM pkinit_cert_match "<SUBJECT>CN=user@REALM$"
+
+The **pkinit_cert_match** string attribute follows the syntax used by
+the :ref:`krb5.conf(5)` **pkinit_cert_match** relation. To allow the
+use of non-PKINIT client certificates, it will also be necessary to
+disable key usage checking using the **pkinit_eku_checking** relation;
+for example::
+
+ [kdcdefaults]
+ pkinit_eku_checking = none
+
+
Configuring the clients
-----------------------
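Review bot: The example ``"<SUBJECT>CN=user@REALM$"`` is given without stating the matching semantics, so the reader cannot tell whether the subject is compared as a regular expression (as the ``$`` anchor implies) or literally; say so, and point out that the expression should be anchored so that it constrains the whole subject rather than only its tail. The paragraph recommending ``pkinit_eku_checking = none`` should also state the consequence plainly: with key-usage checking disabled, any certificate chaining to a trusted anchor is eligible for PKINIT regardless of its intended purpose, so the **pkinit_cert_match** attribute becomes the only per-principal constraint. Style: the hunk ends with two consecutive blank ``+`` lines before "Configuring the clients"; one is enough.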
diff --git a/doc/html/_sources/admin/realm_config.txt b/doc/html/_sources/admin/realm_config.txt
index c016d720fded..c7d9164f5e78 100644
--- a/doc/html/_sources/admin/realm_config.txt
+++ b/doc/html/_sources/admin/realm_config.txt
@@ -207,7 +207,7 @@ convey more information about a realm's KDCs with a single query.
The client performs a query for the following URI records:
-* ``_kerberos.REALM`` for fiding KDCs.
+* ``_kerberos.REALM`` for finding KDCs.
* ``_kerberos-adm.REALM`` for finding kadmin services.
* ``_kpasswd.REALM`` for finding password services.