HP-UX Reference (11i v1 00/12) - 4 File Formats (vol 8)

krb5.conf(4) krb5.conf(4)
default_tkt_enctypes
This relation identifies the supported list of session key encryption types that
should be requested by the client, in the same format.
clockskew This relation sets the maximum allowable amount of clockskew in seconds that
the library will tolerate before assuming that a Kerberos message is invalid. The
default value is 300 seconds, or five minutes.
kdc_timesync If the value of this relation is non-zero, the library will compute the difference
between the system clock and the time returned by the Key Distribution Center.
The difference is computed to correct an inaccurate system clock. This corrective
factor is only used by the Kerberos library.
kdc_req_checksum_type
This relation is used for compatibility with DCE security servers which do not
support the default CKSUMTYPE_RSA_MD5 used by this version of Kerberos.
Use a value of 2 to use the CKSUMTYPE_RSA_MD4 instead. This applies to
DCE 1.1 and earlier.
ap_req_checksum_type
This relation allows you to set the checksum type used in the authenticator of
KRB_AP_REQ messages. The default value for this type is
CKSUMTYPE_RSA_MD5. For compatibility with applications linked against
DCE Kerberos libraries, use a value of 2 so that CKSUMTYPE_RSA_MD4 is used
instead. This applies to DCE 1.1 and earlier.
safe_checksum_type
This relation allows you to set the keyed-checksum type used in KRB_SAFE
messages. The default value for this type is CKSUMTYPE_RSA_MD5_DES. For
compatibility with applications linked against DCE Kerberos libraries, use a
value of 3 so that CKSUMTYPE_RSA_MD4_DES is used instead. This applies to
DCE 1.1 and earlier.
ccache_type This relation is used on systems which are DCE clients, to specify the type of
cache to be created by kinit, or when forwarded tickets are received. DCE and
Kerberos can share the cache, but some versions of DCE do not support the
default cache as created by this version of Kerberos. Use a value of 1 on DCE
1.0.3a systems, and use a value of 2 on DCE 1.1 systems.
login Section
The [login] section is used to configure the behavior of the Kerberos V5 login program,
login.krb5.
realms Section
Each tag in the [realms] section of the file names a Kerberos realm. The value of the tag is a subsection
where the relations in that subsection define the properties of that particular realm. For example:
    [realms]
        ATHENA.MIT.EDU = {
            kdc = KERBEROS.MIT.EDU
            kdc = KERBEROS-1.MIT.EDU:750
            kdc = KERBEROS-2.MIT.EDU:88
            admin_server = KERBEROS.MIT.EDU
            default_domain = MIT.EDU
            v4_instance_convert = {
                mit = mit.edu
                lithium = lithium.lcs.mit.edu
            }
        }
For each realm, the following tags may be specified in the realm’s subsection:
kdc The value of this relation is the name of a host running a Key Distribution Center for that
realm. An optional port number (preceded by a colon) may be appended to the hostname.
admin_server
This relation identifies the host where the administration server is running. Typically this
is the Master Kerberos server.
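
An added example, not part of the HP-UX manual page: a small Python parser for the section, relation and subsection layout shown in the [realms] example, with an audit that flags the DCE compatibility values documented above (checksum types 2 and 3, which select MD4-based checksums). Assumptions: the function names, the sample file, the placement of those relations under [libdefaults], and the policy of flagging a clockskew above the 300 second default.

```python
import re

# Values this page ties to MD4-based checksums (DCE 1.1 and earlier compatibility).
WEAK = {"kdc_req_checksum_type": "2", "ap_req_checksum_type": "2", "safe_checksum_type": "3"}

# Constructed sample: [libdefaults] values are invented; [realms] is cut down from the page.
SAMPLE = """
[libdefaults]
    clockskew = 900
    kdc_req_checksum_type = 2
[realms]
    ATHENA.MIT.EDU = {
        kdc = KERBEROS.MIT.EDU
        kdc = KERBEROS-1.MIT.EDU:750
        v4_instance_convert = {
            mit = mit.edu
        }
    }
"""

def parse_krb5_conf(text):
    """Return {section: {tag: [values]}}; values are lists because tags such as kdc repeat."""
    root, stack = {}, []
    for line in map(str.strip, text.splitlines()):
        header = re.fullmatch(r"\[(\w+)\]", line)
        if not line or line[0] in "#;":
            continue
        if header:
            stack = [root.setdefault(header.group(1), {})]
        elif line == "}":
            if len(stack) < 2:
                raise ValueError("unbalanced '}'")
            stack.pop()
        else:
            tag, eq, value = map(str.strip, line.partition("="))
            if not stack or not eq:
                raise ValueError(f"unexpected line: {line!r}")
            stack[-1].setdefault(tag, []).append({} if value == "{" else value)
            if value == "{":  # subsection: following lines fill the new dict
                stack.append(stack[-1][tag][-1])
    if len(stack) > 1:
        raise ValueError("unclosed '{'")
    return root

def audit_libdefaults(conf, max_skew=300):
    """Flag the DCE compatibility checksum values and any clockskew above max_skew."""
    lib = conf.get("libdefaults", {})
    hits = [f"{t} = {v}: MD4-based checksum" for t, v in WEAK.items() if v in lib.get(t, [])]
    hits += [f"clockskew = {s}: above {max_skew}s" for s in lib.get("clockskew", []) if int(s) > max_skew]
    return hits
```

Calling `audit_libdefaults(parse_krb5_conf(SAMPLE))` reports both the checksum override and the widened clock skew in the constructed sample.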
HP-UX Release 11i: December 2000 2 Section 4147