The Kerberos Configuration File: krb5.conf
About krb5.conf
- A /etc/krb5.conf file must exist on each node that is running Kerberos.
- A template file is provided in the krb5conf product (under ftp://ftp.fnal.gov/products/krb5conf/vx_y ).
- Installing Fermi Kerberos via UPS/UPD or RPM installs krb5.conf for you automatically.
- New versions are announced on the kerberos-users@fnal.gov mailing list.
- See Chapter 17: The Kerberos Configuration File: krb5.conf .
What does krb5.conf control?
- [libdefaults]
- sets defaults for Kerberos on your system, e.g., default realm, default ticket lifetime
- [realms]
- tells the Kerberos libraries where to find the KDCs (and the admin server) for each realm
- [instancemapping]
- maps client principal properly (for things like cron jobs which require a special principal)
- [domain_realm]
- maps domains to realms
- [logging]
- tells Kerberos where and how to log errors
- [appdefaults]
- lists default settings for the Kerberized network applications (outgoing connections) and for incoming portal-mode connections (see below)
Let's look at [appdefaults]
Default values it sets include:
- default flags for tickets that application requests
- connection encryption on/off
- for AFS, path to aklog program
The initial list contains default settings for supported network connection programs:
Next it lists application-specific default settings; each of these overrides the corresponding value in the list above for that application only:
The login entry applies to the server side of a connection: login is invoked for incoming connections by telnetd (not telnet), by sshd (not ssh), and for CRYPTOCard logins. It may also be invoked by the OS for a local (console) login.
A number of applications on Linux authenticate via the PAM libraries. To let them use Kerberos, you need to include the following pam entry:
The ticket lifetime listed under ftpd applies only to incoming CRYPTOCard (non-Kerberized) FTP access.
Command line arguments can be used to override default values set in [appdefaults].
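To make the section layout and the override rules above concrete, here is an added example (not Fermilab's krb5conf product or MIT libkrb5 code) that parses a krb5.conf and performs the two lookups the [domain_realm] and [appdefaults] sections exist for: mapping a host name to its realm by longest matching domain suffix, and resolving an application setting with the per-application block taking precedence over the general list. The realm EXAMPLE.COM, the KDC and host names, and the per-application values are constructed for illustration; the fallback to default_realm for an unmatched host is a simplification of what the library does.

```python
"""Minimal krb5.conf parser plus the [domain_realm] and [appdefaults]
lookups. Added example, not Fermilab's krb5conf product or MIT libkrb5
code; the realm EXAMPLE.COM and every host name below are constructed."""
import re

# Constructed sample krb5.conf (hypothetical realm and hosts).
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM
[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com
        kdc = kdc2.example.com
    }
[domain_realm]
    example.com = EXAMPLE.COM
    .example.com = EXAMPLE.COM
    .lab.example.com = LAB.EXAMPLE.COM
[appdefaults]
    # settings every Kerberized program starts from
    forwardable = true
    encrypt = true
    ticket_lifetime = 26h
    # per-application blocks override the defaults above
    ftpd = {
        ticket_lifetime = 48h
    }
    telnet = {
        encrypt = false
    }
"""

def parse_krb5_conf(text):
    """Return {section: {key: ...}}: repeated keys (e.g. kdc) collect into a
    list, `key = { ... }` blocks become nested dicts."""
    config, stack = {}, []                 # stack: dicts currently being filled
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            stack = [config.setdefault(m.group(1), {})]
            continue
        if not stack:
            raise ValueError(f"directive outside any section: {line!r}")
        if line == "}":
            if len(stack) < 2:
                raise ValueError("unbalanced '}'")
            stack.pop()
            continue
        key, sep, value = (p.strip() for p in line.partition("="))
        if not sep or not key:
            raise ValueError(f"malformed line: {raw!r}")
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1].setdefault(key, []).append(value)
    if len(stack) > 1:
        raise ValueError("unterminated '{' block")
    return config

def realm_for_host(config, hostname):
    """Walk [domain_realm] as libkrb5 does: exact host first, then each parent
    domain with a leading dot, longest first. Unmatched hosts fall back to
    default_realm here (libkrb5 may also consult DNS; this example does not)."""
    host = hostname.lower().rstrip(".")
    mapping = config.get("domain_realm", {})
    labels = host.split(".")
    candidates = [host] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    for cand in candidates:
        if cand in mapping:
            return mapping[cand][0]
    return config["libdefaults"]["default_realm"][0]

def appdefault(config, appname, option, realm=None, default=None):
    """Resolve an [appdefaults] option with krb5_appdefault_* precedence:
    appname+realm block, appname block, realm block, then the bare option."""
    section = config.get("appdefaults", {})
    app = section.get(appname, {})
    scopes = []
    if isinstance(app, dict):
        if realm:
            scopes.append(app.get(realm, {}))
        scopes.append(app)
    if realm:
        scopes.append(section.get(realm, {}))
    scopes.append(section)
    for scope in scopes:
        val = scope.get(option) if isinstance(scope, dict) else None
        if isinstance(val, list):          # a nested block of that name is not a value
            return val[0]
    return default

if __name__ == "__main__":
    cfg = parse_krb5_conf(SAMPLE_KRB5_CONF)
    print(realm_for_host(cfg, "ws1.lab.example.com"))   # LAB.EXAMPLE.COM
    print(appdefault(cfg, "ftpd", "ticket_lifetime"))    # 48h, from the ftpd block
    print(appdefault(cfg, "ftpd", "encrypt"))            # true, inherited default
```

Point the parser at /etc/krb5.conf on a node to see which realm a given host will be mapped to and which value an application will actually start from before any command-line override. A host under .lab.example.com resolves to LAB.EXAMPLE.COM even though .example.com also matches, because the longer suffix is tried first; ftpd gets its own 48h lifetime but inherits encrypt from the general list, which is exactly the override relationship the two lists in [appdefaults] describe.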