HP-UX Reference (11i v2 07/12) - 4 File Formats (vol 8)
krb5.conf(4) krb5.conf(4)
commas or whitespaces.
default_tkt_enctypes
This relation identifies the supported list of session key encryption types that should
be requested by the client, in the same format.
clockskew This relation sets the maximum allowable amount of clockskew in seconds that the
library will tolerate before assuming that a Kerberos message is invalid. The
default value is 300 seconds, or five minutes.
kdc_timesync If the value of this relation is non-zero, the library will compute the difference
between the system clock and the time returned by the Key Distribution Center.
The difference is computed to correct an inaccurate system clock. This corrective
factor is only used by the Kerberos library.
kdc_req_checksum_type
This relation is used for compatibility with DCE security servers which do not support
the default CKSUMTYPE_RSA_MD5 used by this version of Kerberos. Use a value of 2 to use
the CKSUMTYPE_RSA_MD4 instead. This applies to DCE 1.1 and earlier.
ap_req_checksum_type
This relation allows you to set the checksum type used in the authenticator of
KRB_AP_REQ messages. The default value for this type is CKSUMTYPE_RSA_MD5. For
compatibility with applications linked against DCE Kerberos libraries, use a value of 2
so that CKSUMTYPE_RSA_MD4 is used instead. This applies to DCE 1.1 and earlier.
safe_checksum_type
This relation allows you to set the keyed-checksum type used in KRB_SAFE messages. The
default value for this type is CKSUMTYPE_RSA_MD5_DES. For compatibility with
applications linked against DCE Kerberos libraries, use a value of 3 so that
CKSUMTYPE_RSA_MD4_DES is used instead. This applies to DCE 1.1 and earlier.
ccache_type This relation is used on systems which are DCE clients, to specify the type of cache
to be created by kinit, or when forwarded tickets are received. DCE and Kerberos can
share the cache, but some versions of DCE do not support the default cache as created by
this version of Kerberos. Use a value of 1 on DCE 1.0.3a systems, and use a value of 2
on DCE 1.1 systems.
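The following Python audit is an added example, not part of the HP-UX reference: it parses a krb5.conf and reports where the checksum relations above are set to their DCE compatibility values (which select the older MD4-based checksums) or where clockskew exceeds the 300-second default. It assumes these relations are read from the [libdefaults] section and that lines starting with '#' or ';' are comments; the function names and the EXAMPLE.TEST realm are hypothetical.

```python
import re
# Compatibility values documented on this page: relation -> {value: checksum selected}
DCE_COMPAT = {
    "kdc_req_checksum_type": {"2": "CKSUMTYPE_RSA_MD4"},
    "ap_req_checksum_type": {"2": "CKSUMTYPE_RSA_MD4"},
    "safe_checksum_type": {"3": "CKSUMTYPE_RSA_MD4_DES"},
}
DEFAULT_CLOCKSKEW = 300  # seconds, the documented default

# Constructed sample input, not taken from a real system.
SAMPLE = """\
[libdefaults]
    clockskew = 900
    kdc_req_checksum_type = 2
    safe_checksum_type = 3
[realms]
    EXAMPLE.TEST = {
        kdc = kdc1.example.test
        kdc = kdc2.example.test:88
    }
"""

def parse_krb5_conf(text):
    """Return {section: {tag: [values]}}; a '{ }' subsection (one level) is a dict."""
    conf, section, sub = {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if (header := re.fullmatch(r"\[(\w+)\]", line)):
            section, sub = conf.setdefault(header.group(1), {}), None
        elif line == "}":
            sub = None
        elif section is not None and "=" in line and line[0] not in "#;":
            tag, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                sub = section.setdefault(tag, {})
            else:  # tags may repeat (several kdc relations), so keep every value
                (sub if sub is not None else section).setdefault(tag, []).append(value)
    return conf

def audit_libdefaults(conf):
    """List [libdefaults] values that depart from the documented defaults."""
    lib, findings = conf.get("libdefaults", {}), []
    for rel, compat in DCE_COMPAT.items():
        for val in lib.get(rel, []):
            if val in compat:
                findings.append(f"{rel} = {val}: selects {compat[val]}")
    for skew in lib.get("clockskew", []):
        if skew.isdigit() and int(skew) > DEFAULT_CLOCKSKEW:
            findings.append(f"clockskew = {skew}: above default {DEFAULT_CLOCKSKEW}")
    return findings
```

Calling audit_libdefaults(parse_krb5_conf(SAMPLE)) returns three findings for the constructed sample: the two MD4-based checksum settings and the enlarged clock skew.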
appdefaults Section
Each tag in the [appdefaults] section names a Kerberos V5 application. The value of the tag is a
subsection with relations that define the default behaviors for that application. For example:
    [appdefaults]
        kinit = {
            forwardable = true
        }
The list of specifiable options for each application may be found in the respective application man pages.
The application defaults specified in this section are overridden by those specified in the
[realms] section.
login Section
The [login] section is used to configure the behavior of the Kerberos V5 login program, login.krb5.
realms Section
Each tag in the [realms] section of the file names a Kerberos realm. The value of the tag is a subsection
where the relations in that subsection define the properties of that particular realm. For example:
    [realms]
        ATHENA.MIT.EDU = {
            kdc = KERBEROS.MIT.EDU
            kdc = KERBEROS-1.MIT.EDU:750
            kdc = KERBEROS-2.MIT.EDU:88
            admin_server = KERBEROS.MIT.EDU
178 Hewlett-Packard Company − 2 − HP-UX 11i Version 2: December 2007 Update