krb5.conf.4 (2010 09)

krb5.conf(4) krb5.conf(4)
default_tkt_enctypes
Identifies the supported list of session key encryption types that should be
requested by the client, in the same format. See kerberos(5) for a list of supported
encryption types for this tag.
permitted_enctypes
Identifies the permitted list of session key encryption types. See kerberos(5) for a
list of supported encryption types for this tag.
clockskew Sets the maximum allowable amount of clockskew in seconds that the library will
tolerate before assuming that a Kerberos message is invalid. The default value is
300 seconds, or five minutes.
kpasswd_timeout
Sets the timeout value for the amount of time (in seconds) to wait for a response
from an admin server. This can be any value between 1 and 300; if a value is
specified outside this range, the timeout value will be set to the default value, 10.
kdc_timesync If the value of this relation is non-zero, the library will compute the difference
between the system clock and the time returned by the Key Distribution Center.
The difference is computed to correct an inaccurate system clock. This corrective
factor is only used by the Kerberos library.
kdc_req_checksum_type
This relation is used for compatibility with DCE security servers which do not
support the default CKSUMTYPE_RSA_MD5 used by this version of Kerberos. Use a
value of 2 to use the CKSUMTYPE_RSA_MD4 instead. This applies to DCE 1.1 and
earlier.
ap_req_checksum_type
Allows you to set the checksum type used in the authenticator of KRB_AP_REQ
messages. The default value for this type is CKSUMTYPE_RSA_MD5. For
compatibility with applications linked against DCE Kerberos libraries, use a
value of 2 so that CKSUMTYPE_RSA_MD4 is used instead. This applies to DCE 1.1
and earlier.
safe_checksum_type
Allows you to set the keyed-checksum type used in KRB_SAFE messages. The
default value for this type is CKSUMTYPE_RSA_MD5_DES. For compatibility
with applications linked against DCE Kerberos libraries, use a value of 3 so that
CKSUMTYPE_RSA_MD4_DES is used instead. This applies to DCE 1.1 and earlier.
ccache_type Is used on systems which are DCE clients, to specify the type of cache to be
created by kinit, or when forwarded tickets are received. DCE and Kerberos
can share the cache, but some versions of DCE do not support the default cache
as created by this version of Kerberos. Use a value of 1 on DCE 1.0.3a systems,
and use a value of 2 on DCE 1.1 systems.
ldapux_multidomain
This flag needs to be set to 1 by the administrator if the realm name of the user
needs to be obtained from the W2K multidomain. Refer to the ldapux(5) man
page for more information on configuring the W2K multidomain.
extra_addresses This allows a computer to use multiple local addresses in order to allow Kerberos
to work in a network that uses NATs. The addresses should be in a
comma-separated list.
udp_preference_limit
When sending a message to the Key Distribution Center (KDC), the library will
try using TCP before UDP if the size of the message is above
"udp_preference_limit". If the message is smaller than "udp_preference_limit",
then UDP will be tried before TCP. Regardless of the size, both protocols will be
tried if the first attempt fails.
renew_lifetime The value of this tag is the default renewable lifetime for initial tickets. The
default value for the tag is 0.
noaddresses Setting this flag causes the initial Kerberos ticket to be addressless. The default
for the flag is true.
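
The following is an added example, not part of the HP-UX manual page: a small Python audit of the relations described above, flagging the MD4 compatibility checksum values, a clockskew above the 300 second default, and a kpasswd_timeout outside 1 to 300. It assumes these relations sit in a [libdefaults] section written as tag = value; the function names and the sample file are constructed for illustration.

```python
import re

# Values this page maps to MD4-based checksums (DCE 1.1 and earlier only).
MD4_VALUES = {
    "kdc_req_checksum_type": ("2", "CKSUMTYPE_RSA_MD4"),
    "ap_req_checksum_type": ("2", "CKSUMTYPE_RSA_MD4"),
    "safe_checksum_type": ("3", "CKSUMTYPE_RSA_MD4_DES"),
}

def parse_libdefaults(text):
    """Return {tag: value} for relations in [libdefaults] (assumed location)."""
    section, out = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
        elif section == "libdefaults" and "=" in line:
            tag, value = (part.strip() for part in line.split("=", 1))
            out[tag] = value
    return out

def audit(text):
    """Return warning strings for settings the page marks as compat-only or out of range."""
    conf, findings = parse_libdefaults(text), []
    for tag, (bad, name) in MD4_VALUES.items():
        if conf.get(tag) == bad:
            findings.append(f"{tag} = {bad} selects {name} (DCE compatibility only)")
    if int(conf.get("clockskew", 300)) > 300:
        findings.append(f"clockskew = {conf['clockskew']} exceeds the 300 second default")
    kp = conf.get("kpasswd_timeout")
    if kp is not None and not 1 <= int(kp) <= 300:
        findings.append(f"kpasswd_timeout = {kp} is outside 1-300; the default of 10 applies")
    return findings

# Constructed sample configuration, not taken from any real host.
SAMPLE = """\
[libdefaults]
    clockskew = 900
    ap_req_checksum_type = 2
    safe_checksum_type = 3
    kpasswd_timeout = 0
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("WARN:", finding)
```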
2 Hewlett-Packard Company 2 HP-UX 11i Version 3: September 2010