BATOSAY Shell
Server IP : 170.10.162.208  /  Your IP : 216.73.216.181
Web Server : LiteSpeed
System : Linux altar19.supremepanel19.com 4.18.0-553.69.1.lve.el8.x86_64 #1 SMP Wed Aug 13 19:53:59 UTC 2025 x86_64
User : deltahospital (1806)
PHP Version : 7.4.33
Disable Function : NONE
MySQL : OFF  |  cURL : ON  |  WGET : ON  |  Perl : ON  |  Python : ON  |  Sudo : OFF  |  Pkexec : OFF
Directory :  /var/tmp/

current_dir [ Writeable ] document_root [ Writeable ]

Current File : /var/tmp/phprqKYAz

Copyright (C) 1985-2019 by the Massachusetts Institute of Technology.

All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are
met:

* Redistributions of source code must retain the above copyright
  notice, this list of conditions and the following disclaimer.

* Redistributions in binary form must reproduce the above copyright
  notice, this list of conditions and the following disclaimer in the
  documentation and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Downloading of this software may constitute an export of cryptographic
software from the United States of America that is subject to the
United States Export Administration Regulations (EAR), 15 CFR 730-774.
Additional laws or regulations may apply.  It is the responsibility of
the person or entity contemplating export to comply with all
applicable export laws and regulations, including obtaining any
required license from the U.S. government.

The U.S. government prohibits export of encryption source code to
certain countries and individuals, including, but not limited to, the
countries of Cuba, Iran, North Korea, Sudan, Syria, and residents and
nationals of those countries.

Documentation components of this software distribution are licensed
under a Creative Commons Attribution-ShareAlike 3.0 Unported License.
(https://creativecommons.org/licenses/by-sa/3.0/)

Individual source code files are copyright MIT, Cygnus Support,
Novell, OpenVision Technologies, Oracle, Red Hat, Sun Microsystems,
FundsXpress, and others.

Project Athena, Athena, Athena MUSE, Discuss, Hesiod, Kerberos, Moira,
and Zephyr are trademarks of the Massachusetts Institute of Technology
(MIT).  No commercial use of these trademarks may be made without
prior written permission of MIT.

"Commercial use" means use of a name in a product or other for-profit
manner.  It does NOT prevent a commercial firm from referring to the
MIT trademarks in order to convey information (although in doing so,
recognition of their trademark status should be given).

======================================================================

The following copyright and permission notice applies to the
OpenVision Kerberos Administration system located in "kadmin/create",
"kadmin/dbutil", "kadmin/passwd", "kadmin/server", "lib/kadm5", and
portions of "lib/rpc":

   Copyright, OpenVision Technologies, Inc., 1993-1996, All Rights
   Reserved

   WARNING:  Retrieving the OpenVision Kerberos Administration system
   source code, as described below, indicates your acceptance of the
   following terms.  If you do not agree to the following terms, do
   not retrieve the OpenVision Kerberos administration system.

   You may freely use and distribute the Source Code and Object Code
   compiled from it, with or without modification, but this Source
   Code is provided to you "AS IS" EXCLUSIVE OF ANY WARRANTY,
   INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY OR
   FITNESS FOR A PARTICULAR PURPOSE, OR ANY OTHER WARRANTY, WHETHER
   EXPRESS OR IMPLIED. IN NO EVENT WILL OPENVISION HAVE ANY LIABILITY
   FOR ANY LOST PROFITS, LOSS OF DATA OR COSTS OF PROCUREMENT OF
   SUBSTITUTE GOODS OR SERVICES, OR FOR ANY SPECIAL, INDIRECT, OR
   CONSEQUENTIAL DAMAGES ARISING OUT OF THIS AGREEMENT, INCLUDING,
   WITHOUT LIMITATION, THOSE RESULTING FROM THE USE OF THE SOURCE
   CODE, OR THE FAILURE OF THE SOURCE CODE TO PERFORM, OR FOR ANY
   OTHER REASON.

   OpenVision retains all copyrights in the donated Source Code.
   OpenVision also retains copyright to derivative works of the Source
   Code, whether created by OpenVision or by a third party. The
   OpenVision copyright notice must be preserved if derivative works
   are made based on the donated Source Code.

   OpenVision Technologies, Inc. has donated this Kerberos
   Administration system to MIT for inclusion in the standard Kerberos
   5 distribution. This donation underscores our commitment to
   continuing Kerberos technology development and our gratitude for
   the valuable work which has been performed by MIT and the Kerberos
   community.

======================================================================

   Portions contributed by Matt Crawford "crawdad@fnal.gov" were work
   performed at Fermi National Accelerator Laboratory, which is
   operated by Universities Research Association, Inc., under contract
   DE-AC02-76CHO3000 with the U.S. Department of Energy.

======================================================================

Portions of "src/lib/crypto" have the following copyright:

   Copyright (C) 1998 by the FundsXpress, INC.

   All rights reserved.

      Export of this software from the United States of America may
      require a specific license from the United States Government.
      It is the responsibility of any person or organization
      contemplating export to obtain such a license before exporting.

   WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
   distribute this software and its documentation for any purpose and
   without fee is hereby granted, provided that the above copyright
   notice appear in all copies and that both that copyright notice and
   this permission notice appear in supporting documentation, and that
   the name of FundsXpress not be used in advertising or publicity
   pertaining to distribution of the software without specific,
   written prior permission.  FundsXpress makes no representations
   about the suitability of this software for any purpose.  It is
   provided "as is" without express or implied warranty.

   THIS SOFTWARE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR
   IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
   WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

======================================================================

The implementation of the AES encryption algorithm in
"src/lib/crypto/builtin/aes" has the following copyright:

      Copyright (C) 2001, Dr Brian Gladman "brg@gladman.uk.net",
      Worcester, UK.
      All rights reserved.

   LICENSE TERMS

   The free distribution and use of this software in both source and
   binary form is allowed (with or without changes) provided that:

   1. distributions of this source code include the above copyright
      notice, this list of conditions and the following disclaimer;

   2. distributions in binary form include the above copyright
      notice, this list of conditions and the following disclaimer in
      the documentation and/or other associated materials;

   3. the copyright holder's name is not used to endorse products
      built using this software without specific written permission.

   DISCLAIMER

   This software is provided 'as is' with no explicit or implied
   warranties in respect of any properties, including, but not limited
   to, correctness and fitness for purpose.

======================================================================

Portions contributed by Red Hat, including the pre-authentication
plug-in framework and the NSS crypto implementation, contain the
following copyright:

      Copyright (C) 2006 Red Hat, Inc.
      Portions copyright (C) 2006 Massachusetts Institute of Technology
      All Rights Reserved.

   Redistribution and use in source and binary forms, with or without
   modification, are permitted provided that the following conditions
   are met:

   * Redistributions of source code must retain the above copyright
     notice, this list of conditions and the following disclaimer.

   * Redistributions in binary form must reproduce the above
     copyright notice, this list of conditions and the following
     disclaimer in the documentation and/or other materials provided
     with the distribution.

   * Neither the name of Red Hat, Inc., nor the names of its
     contributors may be used to endorse or promote products derived
     from this software without specific prior written permission.

   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
   FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
   COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
   INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
   (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
   SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
   HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
   STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
   ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
   OF THE POSSIBILITY OF SUCH DAMAGE.

======================================================================

The bundled verto source code is subject to the following license:

   Copyright 2011 Red Hat, Inc.

   Permission is hereby granted, free of charge, to any person
   obtaining a copy of this software and associated documentation
   files (the "Software"), to deal in the Software without
   restriction, including without limitation the rights to use, copy,
   modify, merge, publish, distribute, sublicense, and/or sell copies
   of the Software, and to permit persons to whom the Software is
   furnished to do so, subject to the following conditions:

   The above copyright notice and this permission notice shall be
   included in all copies or substantial portions of the Software.

   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
   EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
   MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
   NONINFRINGEMENT.  IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
   HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
   WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
   OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
   DEALINGS IN THE SOFTWARE.

======================================================================

The MS-KKDCP client implementation has the following copyright:

   Copyright 2013,2014 Red Hat, Inc.

   Redistribution and use in source and binary forms, with or without
   modification, are permitted provided that the following conditions
   are met:

      1. Redistributions of source code must retain the above
         copyright notice, this list of conditions and the following
         disclaimer.

      2. Redistributions in binary form must reproduce the above
         copyright notice, this list of conditions and the following
         disclaimer in the documentation and/or other materials
         provided with the distribution.

   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
   FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
   COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
   INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
   (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
   SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
   HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
   STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
   ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
   OF THE POSSIBILITY OF SUCH DAMAGE.

======================================================================

The implementations of GSSAPI mechglue in GSSAPI-SPNEGO in
"src/lib/gssapi", including the following files:

   lib/gssapi/generic/gssapi_err_generic.et
   lib/gssapi/mechglue/g_accept_sec_context.c
   lib/gssapi/mechglue/g_acquire_cred.c
   lib/gssapi/mechglue/g_canon_name.c
   lib/gssapi/mechglue/g_compare_name.c
   lib/gssapi/mechglue/g_context_time.c
   lib/gssapi/mechglue/g_delete_sec_context.c
   lib/gssapi/mechglue/g_dsp_name.c
   lib/gssapi/mechglue/g_dsp_status.c
   lib/gssapi/mechglue/g_dup_name.c
   lib/gssapi/mechglue/g_exp_sec_context.c
   lib/gssapi/mechglue/g_export_name.c
   lib/gssapi/mechglue/g_glue.c
   lib/gssapi/mechglue/g_imp_name.c
   lib/gssapi/mechglue/g_imp_sec_context.c
   lib/gssapi/mechglue/g_init_sec_context.c
   lib/gssapi/mechglue/g_initialize.c
   lib/gssapi/mechglue/g_inquire_context.c
   lib/gssapi/mechglue/g_inquire_cred.c
   lib/gssapi/mechglue/g_inquire_names.c
   lib/gssapi/mechglue/g_process_context.c
   lib/gssapi/mechglue/g_rel_buffer.c
   lib/gssapi/mechglue/g_rel_cred.c
   lib/gssapi/mechglue/g_rel_name.c
   lib/gssapi/mechglue/g_rel_oid_set.c
   lib/gssapi/mechglue/g_seal.c
   lib/gssapi/mechglue/g_sign.c
   lib/gssapi/mechglue/g_store_cred.c
   lib/gssapi/mechglue/g_unseal.c
   lib/gssapi/mechglue/g_userok.c
   lib/gssapi/mechglue/g_utils.c
   lib/gssapi/mechglue/g_verify.c
   lib/gssapi/mechglue/gssd_pname_to_uid.c
   lib/gssapi/mechglue/mglueP.h
   lib/gssapi/mechglue/oid_ops.c
   lib/gssapi/spnego/gssapiP_spnego.h
   lib/gssapi/spnego/spnego_mech.c

and the initial implementation of incremental propagation, including
the following new or changed files:

   include/iprop_hdr.h
   kadmin/server/ipropd_svc.c
   lib/kdb/iprop.x
   lib/kdb/kdb_convert.c
   lib/kdb/kdb_log.c
   lib/kdb/kdb_log.h
   lib/krb5/error_tables/kdb5_err.et
   kprop/kpropd_rpc.c
   kprop/kproplog.c

are subject to the following license:

   Copyright (C) 2004 Sun Microsystems, Inc.

   Permission is hereby granted, free of charge, to any person
   obtaining a copy of this software and associated documentation
   files (the "Software"), to deal in the Software without
   restriction, including without limitation the rights to use, copy,
   modify, merge, publish, distribute, sublicense, and/or sell copies
   of the Software, and to permit persons to whom the Software is
   furnished to do so, subject to the following conditions:

   The above copyright notice and this permission notice shall be
   included in all copies or substantial portions of the Software.

   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
   EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
   MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
   NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
   BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
   ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
   CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
   SOFTWARE.

======================================================================

Kerberos V5 includes documentation and software developed at the
University of California at Berkeley, which includes this copyright
notice:

      Copyright (C) 1983 Regents of the University of California.
      All rights reserved.

   Redistribution and use in source and binary forms, with or without
   modification, are permitted provided that the following conditions
   are met:

   1. Redistributions of source code must retain the above
      copyright notice, this list of conditions and the following
      disclaimer.

   2. Redistributions in binary form must reproduce the above
      copyright notice, this list of conditions and the following
      disclaimer in the documentation and/or other materials provided
      with the distribution.

   3. Neither the name of the University nor the names of its
      contributors may be used to endorse or promote products derived
      from this software without specific prior written permission.

   THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS "AS IS"
   AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
   TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
   PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS
   OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
   USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
   ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
   OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
   OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
   SUCH DAMAGE.

======================================================================

Portions contributed by Novell, Inc., including the LDAP database
backend, are subject to the following license:

      Copyright (C) 2004-2005, Novell, Inc.
      All rights reserved.

   Redistribution and use in source and binary forms, with or without
   modification, are permitted provided that the following conditions
   are met:

   * Redistributions of source code must retain the above copyright
     notice, this list of conditions and the following disclaimer.

   * Redistributions in binary form must reproduce the above
     copyright notice, this list of conditions and the following
     disclaimer in the documentation and/or other materials provided
     with the distribution.

   * The copyright holder's name is not used to endorse or promote
     products derived from this software without specific prior
     written permission.

   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
   FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
   COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
   INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
   (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
   SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
   HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
   STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
   ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
   OF THE POSSIBILITY OF SUCH DAMAGE.

======================================================================

Portions funded by Sandia National Laboratory and developed by the
University of Michigan's Center for Information Technology
Integration, including the PKINIT implementation, are subject to the
following license:

      COPYRIGHT (C) 2006-2007
      THE REGENTS OF THE UNIVERSITY OF MICHIGAN
      ALL RIGHTS RESERVED

   Permission is granted to use, copy, create derivative works and
   redistribute this software and such derivative works for any
   purpose, so long as the name of The University of Michigan is not
   used in any advertising or publicity pertaining to the use of
   distribution of this software without specific, written prior
   authorization.  If the above copyright notice or any other
   identification of the University of Michigan is included in any
   copy of any portion of this software, then the disclaimer below
   must also be included.

   THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION FROM THE
   UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY PURPOSE, AND
   WITHOUT WARRANTY BY THE UNIVERSITY OF MICHIGAN OF ANY KIND, EITHER
   EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION THE IMPLIED
   WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
   THE REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE FOR
   ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR
   CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING OUT OF OR
   IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN IF IT HAS BEEN OR
   IS HEREAFTER ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

======================================================================

The pkcs11.h file included in the PKINIT code has the following
license:

      Copyright 2006 g10 Code GmbH
      Copyright 2006 Andreas Jellinghaus

   This file is free software; as a special exception the author gives
   unlimited permission to copy and/or distribute it, with or without
   modifications, as long as this notice is preserved.

   This file is distributed in the hope that it will be useful, but
   WITHOUT ANY WARRANTY, to the extent permitted by law; without even
   the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
   PURPOSE.

======================================================================

Portions contributed by Apple Inc. are subject to the following
license:

   Copyright 2004-2008 Apple Inc.  All Rights Reserved.

      Export of this software from the United States of America may
      require a specific license from the United States Government.
      It is the responsibility of any person or organization
      contemplating export to obtain such a license before exporting.

   WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
   distribute this software and its documentation for any purpose and
   without fee is hereby granted, provided that the above copyright
   notice appear in all copies and that both that copyright notice and
   this permission notice appear in supporting documentation, and that
   the name of Apple Inc. not be used in advertising or publicity
   pertaining to distribution of the software without specific,
   written prior permission.  Apple Inc. makes no representations
   about the suitability of this software for any purpose.  It is
   provided "as is" without express or implied warranty.

   THIS SOFTWARE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR
   IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
   WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

======================================================================

The implementations of UTF-8 string handling in src/util/support and
src/lib/krb5/unicode are subject to the following copyright and
permission notice:

      The OpenLDAP Public License
      Version 2.8, 17 August 2003

   Redistribution and use of this software and associated
   documentation ("Software"), with or without modification, are
   permitted provided that the following conditions are met:

   1. Redistributions in source form must retain copyright
      statements and notices,

   2. Redistributions in binary form must reproduce applicable
      copyright statements and notices, this list of conditions, and
      the following disclaimer in the documentation and/or other
      materials provided with the distribution, and

   3. Redistributions must contain a verbatim copy of this
      document.

   The OpenLDAP Foundation may revise this license from time to time.
   Each revision is distinguished by a version number.  You may use
   this Software under terms of this license revision or under the
   terms of any subsequent revision of the license.

   THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND ITS
   CONTRIBUTORS "AS IS" AND ANY EXPRESSED OR IMPLIED WARRANTIES,
   INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
   MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
   DISCLAIMED.  IN NO EVENT SHALL THE OPENLDAP FOUNDATION, ITS
   CONTRIBUTORS, OR THE AUTHOR(S) OR OWNER(S) OF THE SOFTWARE BE
   LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
   CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
   OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
   BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
   LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
   USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
   DAMAGE.

   The names of the authors and copyright holders must not be used in
   advertising or otherwise to promote the sale, use or other dealing
   in this Software without specific, written prior permission.  Title
   to copyright in this Software shall at all times remain with
   copyright holders.

   OpenLDAP is a registered trademark of the OpenLDAP Foundation.

   Copyright 1999-2003 The OpenLDAP Foundation, Redwood City,
   California, USA.  All Rights Reserved.  Permission to copy and
   distribute verbatim copies of this document is granted.

======================================================================

Marked test programs in src/lib/krb5/krb have the following copyright:

      Copyright (C) 2006 Kungliga Tekniska Högskola
      (Royal Institute of Technology, Stockholm, Sweden).
      All rights reserved.

   Redistribution and use in source and binary forms, with or without
   modification, are permitted provided that the following conditions
   are met:

   1. Redistributions of source code must retain the above
      copyright notice, this list of conditions and the following
      disclaimer.

   2. Redistributions in binary form must reproduce the above
      copyright notice, this list of conditions and the following
      disclaimer in the documentation and/or other materials provided
      with the distribution.

   3. Neither the name of KTH nor the names of its contributors may
      be used to endorse or promote products derived from this
      software without specific prior written permission.

   THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS "AS IS" AND
   ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
   THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
   PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS
   CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
   USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
   ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
   OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
   OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
   SUCH DAMAGE.

======================================================================

The KCM Mach RPC definition file used on macOS has the following
copyright:

      Copyright (C) 2009 Kungliga Tekniska Högskola
      (Royal Institute of Technology, Stockholm, Sweden).
      All rights reserved.

   Portions Copyright (C) 2009 Apple Inc. All rights reserved.

   Redistribution and use in source and binary forms, with or without
   modification, are permitted provided that the following conditions
   are met:

   1. Redistributions of source code must retain the above
      copyright notice, this list of conditions and the following
      disclaimer.

   2. Redistributions in binary form must reproduce the above
      copyright notice, this list of conditions and the following
      disclaimer in the documentation and/or other materials provided
      with the distribution.

   3. Neither the name of the Institute nor the names of its
      contributors may be used to endorse or promote products derived
      from this software without specific prior written permission.

   THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS "AS IS"
   AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
   TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
   PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE
   OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
   USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
   ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
   OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
   OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
   SUCH DAMAGE.

======================================================================

Portions of the RPC implementation in src/lib/rpc and
src/include/gssrpc have the following copyright and permission notice:

   Copyright (C) 2010, Oracle America, Inc.

   All rights reserved.

   Redistribution and use in source and binary forms, with or without
   modification, are permitted provided that the following conditions
   are met:

   1. Redistributions of source code must retain the above
      copyright notice, this list of conditions and the following
      disclaimer.

   2. Redistributions in binary form must reproduce the above
      copyright notice, this list of conditions and the following
      disclaimer in the documentation and/or other materials provided
      with the distribution.

   3. Neither the name of the "Oracle America, Inc." nor the names
      of its contributors may be used to endorse or promote products
      derived from this software without specific prior written
      permission.

   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
   FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
   COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
   INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
   (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
   SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
   HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
   STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
   ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
   OF THE POSSIBILITY OF SUCH DAMAGE.

======================================================================

   Copyright (C) 2006,2007,2009 NTT (Nippon Telegraph and Telephone
   Corporation).  All rights reserved.

   Redistribution and use in source and binary forms, with or without
   modification, are permitted provided that the following conditions
   are met:

   1. Redistributions of source code must retain the above
      copyright notice, this list of conditions and the following
      disclaimer as the first lines of this file unmodified.

   2. Redistributions in binary form must reproduce the above
      copyright notice, this list of conditions and the following
      disclaimer in the documentation and/or other materials provided
      with the distribution.

   THIS SOFTWARE IS PROVIDED BY NTT "AS IS" AND ANY EXPRESS OR IMPLIED
   WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
   OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
   DISCLAIMED. IN NO EVENT SHALL NTT BE LIABLE FOR ANY DIRECT,
   INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
   (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
   SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
   HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
   STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
   ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
   OF THE POSSIBILITY OF SUCH DAMAGE.

======================================================================

   Copyright 2000 by Carnegie Mellon University

   All Rights Reserved

   Permission to use, copy, modify, and distribute this software and
   its documentation for any purpose and without fee is hereby
   granted, provided that the above copyright notice appear in all
   copies and that both that copyright notice and this permission
   notice appear in supporting documentation, and that the name of
   Carnegie Mellon University not be used in advertising or publicity
   pertaining to distribution of the software without specific,
   written prior permission.

   CARNEGIE MELLON UNIVERSITY DISCLAIMS ALL WARRANTIES WITH REGARD TO
   THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
   AND FITNESS, IN NO EVENT SHALL CARNEGIE MELLON UNIVERSITY BE LIABLE
   FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
   WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN
   AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING
   OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
   SOFTWARE.

======================================================================

   Copyright (C) 2002 Naval Research Laboratory (NRL/CCS)

   Permission to use, copy, modify and distribute this software and
   its documentation is hereby granted, provided that both the
   copyright notice and this permission notice appear in all copies of
   the software, derivative works or modified versions, and any
   portions thereof.

   NRL ALLOWS FREE USE OF THIS SOFTWARE IN ITS "AS IS" CONDITION AND
   DISCLAIMS ANY LIABILITY OF ANY KIND FOR ANY DAMAGES WHATSOEVER
   RESULTING FROM THE USE OF THIS SOFTWARE.

======================================================================

   Copyright (C) 1991, 1992, 1994 by Cygnus Support.

   Permission to use, copy, modify, and distribute this software and
   its documentation for any purpose and without fee is hereby
   granted, provided that the above copyright notice appear in all
   copies and that both that copyright notice and this permission
   notice appear in supporting documentation. Cygnus Support makes no
   representations about the suitability of this software for any
   purpose.  It is provided "as is" without express or implied
   warranty.

======================================================================

   Copyright (C) 2006 Secure Endpoints Inc.

   Permission is hereby granted, free of charge, to any person
   obtaining a copy of this software and associated documentation
   files (the "Software"), to deal in the Software without
   restriction, including without limitation the rights to use, copy,
   modify, merge, publish, distribute, sublicense, and/or sell copies
   of the Software, and to permit persons to whom the Software is
   furnished to do so, subject to the following conditions:

   The above copyright notice and this permission notice shall be
   included in all copies or substantial portions of the Software.

   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
   EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
   MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
   NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
   BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
   ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
   CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
   SOFTWARE.

======================================================================

Portions of the implementation of the Fortuna-like PRNG are subject to
the following notice:

      Copyright (C) 2005 Marko Kreen
      All rights reserved.

   Redistribution and use in source and binary forms, with or without
   modification, are permitted provided that the following conditions
   are met:

   1. Redistributions of source code must retain the above
      copyright notice, this list of conditions and the following
      disclaimer.

   2. Redistributions in binary form must reproduce the above
      copyright notice, this list of conditions and the following
      disclaimer in the documentation and/or other materials provided
      with the distribution.

   THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
   AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
   TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
   PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR
   CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
   USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
   ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
   OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
   OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
   SUCH DAMAGE.

   Copyright (C) 1994 by the University of Southern California

      EXPORT OF THIS SOFTWARE from the United States of America may
      require a specific license from the United States Government. It
      is the responsibility of any person or organization
      contemplating export to obtain such a license before exporting.

   WITHIN THAT CONSTRAINT, permission to copy, modify, and distribute
   this software and its documentation in source and binary forms is
   hereby granted, provided that any documentation or other materials
   related to such distribution or use acknowledge that the software
   was developed by the University of Southern California.

   DISCLAIMER OF WARRANTY.  THIS SOFTWARE IS PROVIDED "AS IS".  The
   University of Southern California MAKES NO REPRESENTATIONS OR
   WARRANTIES, EXPRESS OR IMPLIED.  By way of example, but not
   limitation, the University of Southern California MAKES NO
   REPRESENTATIONS OR WARRANTIES OF MERCHANTABILITY OR FITNESS FOR ANY
   PARTICULAR PURPOSE. The University of Southern California shall not
   be held liable for any liability nor for any direct, indirect, or
   consequential damages with respect to any claim by the user or
   distributor of the ksu software.

======================================================================

      Copyright (C) 1995
      The President and Fellows of Harvard University

   This code is derived from software contributed to Harvard by Jeremy
   Rassen.

   Redistribution and use in source and binary forms, with or without
   modification, are permitted provided that the following conditions
   are met:

   1. Redistributions of source code must retain the above
      copyright notice, this list of conditions and the following
      disclaimer.

   2. Redistributions in binary form must reproduce the above
      copyright notice, this list of conditions and the following
      disclaimer in the documentation and/or other materials provided
      with the distribution.

   3. All advertising materials mentioning features or use of this
      software must display the following acknowledgement:

         This product includes software developed by the University of
         California, Berkeley and its contributors.

   4. Neither the name of the University nor the names of its
      contributors may be used to endorse or promote products derived
      from this software without specific prior written permission.

   THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS "AS IS"
   AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
   TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
   PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS
   OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
   USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
   ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
   OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
   OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
   SUCH DAMAGE.

======================================================================

      Copyright (C) 2008 by the Massachusetts Institute of Technology.
      Copyright 1995 by Richard P. Basch.  All Rights Reserved.
      Copyright 1995 by Lehman Brothers, Inc.  All Rights Reserved.

      Export of this software from the United States of America may
      require a specific license from the United States Government. It
      is the responsibility of any person or organization
      contemplating export to obtain such a license before exporting.

   WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
   distribute this software and its documentation for any purpose and
   without fee is hereby granted, provided that the above copyright
   notice appear in all copies and that both that copyright notice and
   this permission notice appear in supporting documentation, and that
   the name of Richard P. Basch, Lehman Brothers and M.I.T. not be
   used in advertising or publicity pertaining to distribution of the
   software without specific, written prior permission.  Richard P.
   Basch, Lehman Brothers and M.I.T. make no representations about the
   suitability of this software for any purpose.  It is provided "as
   is" without express or implied warranty.

======================================================================

The following notice applies to "src/lib/krb5/krb/strptime.c" and
"src/include/k5-queue.h".

      Copyright (C) 1997, 1998 The NetBSD Foundation, Inc.
      All rights reserved.

   This code was contributed to The NetBSD Foundation by Klaus Klein.

   Redistribution and use in source and binary forms, with or without
   modification, are permitted provided that the following conditions
   are met:

   1. Redistributions of source code must retain the above
      copyright notice, this list of conditions and the following
      disclaimer.

   2. Redistributions in binary form must reproduce the above
      copyright notice, this list of conditions and the following
      disclaimer in the documentation and/or other materials provided
      with the distribution.

   3. All advertising materials mentioning features or use of this
      software must display the following acknowledgement:

         This product includes software developed by the NetBSD
         Foundation, Inc. and its contributors.

   4. Neither the name of The NetBSD Foundation nor the names of
      its contributors may be used to endorse or promote products
      derived from this software without specific prior written
      permission.

   THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND
   CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
   INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
   MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
   DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS BE
   LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
   CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
   OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
   BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
   LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
   USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
   DAMAGE.

======================================================================

The following notice applies to Unicode library files in
"src/lib/krb5/unicode":

      Copyright 1997, 1998, 1999 Computing Research Labs,
      New Mexico State University

   Permission is hereby granted, free of charge, to any person
   obtaining a copy of this software and associated documentation
   files (the "Software"), to deal in the Software without
   restriction, including without limitation the rights to use, copy,
   modify, merge, publish, distribute, sublicense, and/or sell copies
   of the Software, and to permit persons to whom the Software is
   furnished to do so, subject to the following conditions:

   The above copyright notice and this permission notice shall be
   included in all copies or substantial portions of the Software.

   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
   EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
   MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
   NONINFRINGEMENT.  IN NO EVENT SHALL THE COMPUTING RESEARCH LAB OR
   NEW MEXICO STATE UNIVERSITY BE LIABLE FOR ANY CLAIM, DAMAGES OR
   OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
   OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE
   OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

======================================================================

The following notice applies to "src/util/support/strlcpy.c":

   Copyright (C) 1998 Todd C. Miller "Todd.Miller@courtesan.com"

   Permission to use, copy, modify, and distribute this software for
   any purpose with or without fee is hereby granted, provided that
   the above copyright notice and this permission notice appear in all
   copies.

   THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL
   WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
   WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE
   AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR
   CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS
   OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
   NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
   CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

======================================================================

The following notice applies to "src/util/profile/argv_parse.c" and
"src/util/profile/argv_parse.h":

   Copyright 1999 by Theodore Ts'o.

   Permission to use, copy, modify, and distribute this software for
   any purpose with or without fee is hereby granted, provided that
   the above copyright notice and this permission notice appear in all
   copies.  THE SOFTWARE IS PROVIDED "AS IS" AND THEODORE TS'O (THE
   AUTHOR) DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
   INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN
   NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,
   INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER
   RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
   OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
   IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.  (Isn't
   it sick that the U.S. culture of lawsuit-happy lawyers requires
   this kind of disclaimer?)

======================================================================

The following notice applies to SWIG-generated code in
"src/util/profile/profile_tcl.c":

   Copyright (C) 1999-2000, The University of Chicago

   This file may be freely redistributed without license or fee
   provided this copyright message remains intact.

======================================================================

The following notice applies to portions of "src/lib/rpc" and
"src/include/gssrpc":

   Copyright (C) 2000 The Regents of the University of Michigan. All
   rights reserved.

   Copyright (C) 2000 Dug Song "dugsong@UMICH.EDU". All rights
   reserved, all wrongs reversed.

   Redistribution and use in source and binary forms, with or without
   modification, are permitted provided that the following conditions
   are met:

   1. Redistributions of source code must retain the above
      copyright notice, this list of conditions and the following
      disclaimer.

   2. Redistributions in binary form must reproduce the above
      copyright notice, this list of conditions and the following
      disclaimer in the documentation and/or other materials provided
      with the distribution.

   3. Neither the name of the University nor the names of its
      contributors may be used to endorse or promote products derived
      from this software without specific prior written permission.

   THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
   WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
   OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
   DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
   FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
   CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
   OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
   BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
   LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
   USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
   DAMAGE.

======================================================================

Implementations of the MD4 algorithm are subject to the following
notice:

   Copyright (C) 1990, RSA Data Security, Inc. All rights reserved.

   License to copy and use this software is granted provided that it
   is identified as the "RSA Data Security, Inc. MD4 Message Digest
   Algorithm" in all material mentioning or referencing this software
   or this function.

   License is also granted to make and use derivative works provided
   that such works are identified as "derived from the RSA Data
   Security, Inc. MD4 Message Digest Algorithm" in all material
   mentioning or referencing the derived work.

   RSA Data Security, Inc. makes no representations concerning either
   the merchantability of this software or the suitability of this
   software for any particular purpose.  It is provided "as is"
   without express or implied warranty of any kind.

   These notices must be retained in any copies of any part of this
   documentation and/or software.

======================================================================

Implementations of the MD5 algorithm are subject to the following
notice:

   Copyright (C) 1990, RSA Data Security, Inc. All rights reserved.

   License to copy and use this software is granted provided that it
   is identified as the "RSA Data Security, Inc. MD5 Message-Digest
   Algorithm" in all material mentioning or referencing this software
   or this function.

   License is also granted to make and use derivative works provided
   that such works are identified as "derived from the RSA Data
   Security, Inc. MD5 Message-Digest Algorithm" in all material
   mentioning or referencing the derived work.

   RSA Data Security, Inc. makes no representations concerning either
   the merchantability of this software or the suitability of this
   software for any particular purpose.  It is provided "as is"
   without express or implied warranty of any kind.

   These notices must be retained in any copies of any part of this
   documentation and/or software.

======================================================================

The following notice applies to
"src/lib/crypto/crypto_tests/t_mddriver.c":

   Copyright (C) 1990-2, RSA Data Security, Inc. Created 1990. All
   rights reserved.

   RSA Data Security, Inc. makes no representations concerning either
   the merchantability of this software or the suitability of this
   software for any particular purpose. It is provided "as is" without
   express or implied warranty of any kind.

   These notices must be retained in any copies of any part of this
   documentation and/or software.

======================================================================

Portions of "src/lib/krb5" are subject to the following notice:

      Copyright (C) 1994 CyberSAFE Corporation.
      Copyright 1990,1991,2007,2008 by the Massachusetts
      Institute of Technology.
      All Rights Reserved.

      Export of this software from the United States of America may
      require a specific license from the United States Government. It
      is the responsibility of any person or organization
      contemplating export to obtain such a license before exporting.

   WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
   distribute this software and its documentation for any purpose and
   without fee is hereby granted, provided that the above copyright
   notice appear in all copies and that both that copyright notice and
   this permission notice appear in supporting documentation, and that
   the name of M.I.T. not be used in advertising or publicity
   pertaining to distribution of the software without specific,
   written prior permission.  Furthermore if you modify this software
   you must label your software as modified software and not
   distribute it in such a fashion that it might be confused with the
   original M.I.T. software. Neither M.I.T., the Open Computing
   Security Group, nor CyberSAFE Corporation make any representations
   about the suitability of this software for any purpose.  It is
   provided "as is" without express or implied warranty.

======================================================================

Portions contributed by PADL Software are subject to the following
license:

   Copyright (c) 2011, PADL Software Pty Ltd. All rights reserved.

   Redistribution and use in source and binary forms, with or without
   modification, are permitted provided that the following conditions
   are met:

   1. Redistributions of source code must retain the above
      copyright notice, this list of conditions and the following
      disclaimer.

   2. Redistributions in binary form must reproduce the above
      copyright notice, this list of conditions and the following
      disclaimer in the documentation and/or other materials provided
      with the distribution.

   3. Neither the name of PADL Software nor the names of its
      contributors may be used to endorse or promote products derived
      from this software without specific prior written permission.

   THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS "AS IS"
   AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
   TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
   PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL PADL SOFTWARE
   OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
   USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
   ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
   OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
   OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
   SUCH DAMAGE.

======================================================================

The bundled libev source code is subject to the following license:

   All files in libev are Copyright (C)2007,2008,2009 Marc Alexander
   Lehmann.

   Redistribution and use in source and binary forms, with or without
   modification, are permitted provided that the following conditions
   are met:

   * Redistributions of source code must retain the above copyright
     notice, this list of conditions and the following disclaimer.

   * Redistributions in binary form must reproduce the above
     copyright notice, this list of conditions and the following
     disclaimer in the documentation and/or other materials provided
     with the distribution.

   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
   FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
   COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
   INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
   (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
   SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
   HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
   STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
   ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
   OF THE POSSIBILITY OF SUCH DAMAGE.

   Alternatively, the contents of this package may be used under the
   terms of the GNU General Public License ("GPL") version 2 or any
   later version, in which case the provisions of the GPL are
   applicable instead of the above. If you wish to allow the use of
   your version of this package only under the terms of the GPL and
   not to allow others to use your version of this file under the BSD
   license, indicate your decision by deleting the provisions above
   and replace them with the notice and other provisions required by
   the GPL in this and the other files of this package. If you do not
   delete the provisions above, a recipient may use your version of
   this file under either the BSD or the GPL.

======================================================================

Files copied from the Intel AESNI Sample Library are subject to the
following license:

   Copyright (C) 2010, Intel Corporation All rights reserved.

   Redistribution and use in source and binary forms, with or without
   modification, are permitted provided that the following conditions
   are met:

      * Redistributions of source code must retain the above
        copyright notice, this list of conditions and the following
        disclaimer.

      * Redistributions in binary form must reproduce the above
        copyright notice, this list of conditions and the following
        disclaimer in the documentation and/or other materials
        provided with the distribution.

      * Neither the name of Intel Corporation nor the names of its
        contributors may be used to endorse or promote products
        derived from this software without specific prior written
        permission.

   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
   FOR A PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE
   COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
   INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
   (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
   SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
   HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
   STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
   ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
   OF THE POSSIBILITY OF SUCH DAMAGE.

======================================================================

The following notice applies to
"src/ccapi/common/win/OldCC/autolock.hxx":

   Copyright (C) 1998 by Danilo Almeida.  All rights reserved.

   Redistribution and use in source and binary forms, with or without
   modification, are permitted provided that the following conditions
   are met:

   * Redistributions of source code must retain the above copyright
     notice, this list of conditions and the following disclaimer.

   * Redistributions in binary form must reproduce the above
     copyright notice, this list of conditions and the following
     disclaimer in the documentation and/or other materials provided
     with the distribution.

   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
   FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
   COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
   INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
   (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
   SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
   HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
   STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
   ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
   OF THE POSSIBILITY OF SUCH DAMAGE.

======================================================================

The following notice applies to portions of
"src/plugins/preauth/spake/edwards25519.c" and
"src/plugins/preauth/spake/edwards25519_tables.h":

The MIT License (MIT)

Copyright (c) 2015-2016 the fiat-crypto authors (see the AUTHORS
file).

Permission is hereby granted, free of charge, to any person obtaining
a copy of this software and associated documentation files (the
"Software"), to deal in the Software without restriction, including
without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to
permit persons to whom the Software is furnished to do so, subject to
the following conditions:

The above copyright notice and this permission notice shall be
included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

======================================================================

The following notice applies to portions of
"src/plugins/preauth/spake/edwards25519.c":

Copyright (c) 2015-2016, Google Inc.

Permission to use, copy, modify, and/or distribute this software for
any purpose with or without fee is hereby granted, provided that the
above copyright notice and this permission notice appear in all
copies.

THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL
WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE
AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER
TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS SOFTWARE.
.\" Man page generated from reStructuredText.
.
.TH "KERBEROS" "7" " " "1.17" "MIT Kerberos"
.SH NAME
kerberos \- Overview of using Kerberos
.
.nr rst2man-indent-level 0
.
.de1 rstReportMargin
\\$1 \\n[an-margin]
level \\n[rst2man-indent-level]
level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
-
\\n[rst2man-indent0]
\\n[rst2man-indent1]
\\n[rst2man-indent2]
..
.de1 INDENT
.\" .rstReportMargin pre:
. RS \\$1
. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
. nr rst2man-indent-level +1
.\" .rstReportMargin post:
..
.de UNINDENT
. RE
.\" indent \\n[an-margin]
.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
.nr rst2man-indent-level -1
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
.SH DESCRIPTION
.sp
The Kerberos system authenticates individual users in a network
environment.  After authenticating yourself to Kerberos, you can use
Kerberos\-enabled programs without having to present passwords or
certificates to those programs.
.sp
If you receive the following response from kinit(1):
.sp
kinit: Client not found in Kerberos database while getting initial
credentials
.sp
you haven\(aqt been registered as a Kerberos user.  See your system
administrator.
.sp
A Kerberos name usually contains three parts.  The first is the
\fBprimary\fP, which is usually a user\(aqs or service\(aqs name.  The second
is the \fBinstance\fP, which in the case of a user is usually null.
Some users may have privileged instances, however, such as \fBroot\fP or
\fBadmin\fP\&.  In the case of a service, the instance is the fully
qualified name of the machine on which it runs; i.e. there can be an
ssh service running on the machine ABC (\fI\%ssh/ABC@REALM\fP), which is
different from the ssh service running on the machine XYZ
(\fI\%ssh/XYZ@REALM\fP).  The third part of a Kerberos name is the \fBrealm\fP\&.
The realm corresponds to the Kerberos service providing authentication
for the principal.  Realms are conventionally all\-uppercase, and often
match the end of hostnames in the realm (for instance, host01.example.com
might be in realm EXAMPLE.COM).
.sp
When writing a Kerberos name, the principal name is separated from the
instance (if not null) by a slash, and the realm (if not the local
realm) follows, preceded by an "@" sign.  The following are examples
of valid Kerberos names:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
david
jennifer/admin
joeuser@BLEEP.COM
cbrown/root@FUBAR.ORG
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
When you authenticate yourself with Kerberos you get an initial
Kerberos \fBticket\fP\&.  (A Kerberos ticket is an encrypted protocol
message that provides authentication.)  Kerberos uses this ticket for
network utilities such as ssh.  The ticket transactions are done
transparently, so you don\(aqt have to worry about their management.
.sp
Note, however, that tickets expire.  Administrators may configure more
privileged tickets, such as those with service or instance of \fBroot\fP
or \fBadmin\fP, to expire in a few minutes, while tickets that carry
more ordinary privileges may be good for several hours or a day.  If
your login session extends beyond the time limit, you will have to
re\-authenticate yourself to Kerberos to get new tickets using the
kinit(1) command.
.sp
Some tickets are \fBrenewable\fP beyond their initial lifetime.  This
means that \fBkinit \-R\fP can extend their lifetime without requiring
you to re\-authenticate.
.sp
If you wish to delete your local tickets, use the kdestroy(1)
command.
.sp
Kerberos tickets can be forwarded.  In order to forward tickets, you
must request \fBforwardable\fP tickets when you kinit.  Once you have
forwardable tickets, most Kerberos programs have a command line option
to forward them to the remote host.  This can be useful for, e.g.,
running kinit on your local machine and then sshing into another to do
work.  Note that this should not be done on untrusted machines since
they will then have your tickets.
.SH ENVIRONMENT VARIABLES
.sp
Several environment variables affect the operation of Kerberos\-enabled
programs.  These include:
.INDENT 0.0
.TP
\fBKRB5CCNAME\fP
Default name for the credentials cache file, in the form
\fITYPE\fP:\fIresidual\fP\&.  The type of the default cache may determine
the availability of a cache collection.  \fBFILE\fP is not a
collection type; \fBKEYRING\fP, \fBDIR\fP, and \fBKCM\fP are.
.sp
If not set, the value of \fBdefault_ccache_name\fP from
configuration files (see \fBKRB5_CONFIG\fP) will be used.  If that
is also not set, the default \fItype\fP is \fBFILE\fP, and the
\fIresidual\fP is the path /tmp/krb5cc_*uid*, where \fIuid\fP is the
decimal user ID of the user.
.TP
\fBKRB5_KTNAME\fP
Specifies the location of the default keytab file, in the form
\fITYPE\fP:\fIresidual\fP\&.  If no \fItype\fP is present, the \fBFILE\fP type is
assumed and \fIresidual\fP is the pathname of the keytab file.  If
unset, \fBFILE:/etc/krb5.keytab\fP will be used.
.TP
\fBKRB5_CONFIG\fP
Specifies the location of the Kerberos configuration file.  The
default is \fB/etc\fP\fB/krb5.conf\fP\&.  Multiple filenames can
be specified, separated by a colon; all files which are present
will be read.
.TP
\fBKRB5_KDC_PROFILE\fP
Specifies the location of the KDC configuration file, which
contains additional configuration directives for the Key
Distribution Center daemon and associated programs.  The default
is \fB/opt/alt/krb5/usr/var/kerberos\fP\fB/krb5kdc\fP\fB/kdc.conf\fP\&.
.TP
\fBKRB5RCACHETYPE\fP
Specifies the default type of replay cache to use for servers.
Valid types include \fBdfl\fP for the normal file type and \fBnone\fP
for no replay cache.  The default is \fBdfl\fP\&.
.TP
\fBKRB5RCACHEDIR\fP
Specifies the default directory for replay caches used by servers.
The default is the value of the \fBTMPDIR\fP environment variable,
or \fB/var/tmp\fP if \fBTMPDIR\fP is not set.
.TP
\fBKRB5_TRACE\fP
Specifies a filename to write trace log output to.  Trace logs can
help illuminate decisions made internally by the Kerberos
libraries.  For example, \fBenv KRB5_TRACE=/dev/stderr kinit\fP
would send tracing information for kinit(1) to
\fB/dev/stderr\fP\&.  The default is not to write trace log output
anywhere.
.TP
\fBKRB5_CLIENT_KTNAME\fP
Default client keytab file name.  If unset, \fBFILE:/opt/alt/krb5/usr/var/kerberos/krb5/user/%{euid}/client.keytab\fP will be
used.
.TP
\fBKPROP_PORT\fP
kprop(8) port to use.  Defaults to 754.
.UNINDENT
.sp
Most environment variables are disabled for certain programs, such as
login system programs and setuid programs, which are designed to be
secure when run within an untrusted process environment.
.SH SEE ALSO
.sp
kdestroy(1), kinit(1), klist(1),
kswitch(1), kpasswd(1), ksu(1),
krb5.conf(5), kdc.conf(5), kadmin(1),
kadmind(8), kdb5_util(8), krb5kdc(8)
.SH BUGS
.SH AUTHORS
.nf
Steve Miller, MIT Project Athena/Digital Equipment Corporation
Clifford Neuman, MIT Project Athena
Greg Hudson, MIT Kerberos Consortium
Robbie Harwood, Red Hat, Inc.
.fi
.sp
.SH HISTORY
.sp
The MIT Kerberos 5 implementation was developed at MIT, with
contributions from many outside parties.  It is currently maintained
by the MIT Kerberos Consortium.
.SH RESTRICTIONS
.sp
Copyright 1985, 1986, 1989\-1996, 2002, 2011, 2018 Massachusetts
Institute of Technology
.SH AUTHOR
MIT
.SH COPYRIGHT
1985-2019, MIT
.\" Generated by docutils manpage writer.
.
.so man5/k5login.5
.\" Man page generated from reStructuredText.
.
.TH "K5LOGIN" "5" " " "1.17" "MIT Kerberos"
.SH NAME
k5login \- Kerberos V5 acl file for host access
.
.nr rst2man-indent-level 0
.
.de1 rstReportMargin
\\$1 \\n[an-margin]
level \\n[rst2man-indent-level]
level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
-
\\n[rst2man-indent0]
\\n[rst2man-indent1]
\\n[rst2man-indent2]
..
.de1 INDENT
.\" .rstReportMargin pre:
. RS \\$1
. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
. nr rst2man-indent-level +1
.\" .rstReportMargin post:
..
.de UNINDENT
. RE
.\" indent \\n[an-margin]
.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
.nr rst2man-indent-level -1
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
.SH DESCRIPTION
.sp
The .k5login file, which resides in a user\(aqs home directory, contains
a list of the Kerberos principals.  Anyone with valid tickets for a
principal in the file is allowed host access with the UID of the user
in whose home directory the file resides.  One common use is to place
a .k5login file in root\(aqs home directory, thereby granting system
administrators remote root access to the host via Kerberos.
.SH EXAMPLES
.sp
Suppose the user \fBalice\fP had a .k5login file in her home directory
containing just the following line:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
bob@FOOBAR.ORG
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
This would allow \fBbob\fP to use Kerberos network applications, such as
ssh(1), to access \fBalice\fP\(aqs account, using \fBbob\fP\(aqs Kerberos
tickets.  In a default configuration (with \fBk5login_authoritative\fP set
to true in krb5.conf(5)), this .k5login file would not let
\fBalice\fP use those network applications to access her account, since
she is not listed!  With no .k5login file, or with \fBk5login_authoritative\fP
set to false, a default rule would permit the principal \fBalice\fP in the
machine\(aqs default realm to access the \fBalice\fP account.
.sp
Let us further suppose that \fBalice\fP is a system administrator.
Alice and the other system administrators would have their principals
in root\(aqs .k5login file on each host:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
alice@BLEEP.COM

joeadmin/root@BLEEP.COM
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
This would allow either system administrator to log in to these hosts
using their Kerberos tickets instead of having to type the root
password.  Note that because \fBbob\fP retains the Kerberos tickets for
his own principal, \fBbob@FOOBAR.ORG\fP, he would not have any of the
privileges that require \fBalice\fP\(aqs tickets, such as root access to
any of the site\(aqs hosts, or the ability to change \fBalice\fP\(aqs
password.
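.sp
The access decision described above, as an added example that is not part of this man page or of the MIT code base.  It models the two .k5login files from the examples, the default rule for a user's own principal, the \fBk5login_authoritative\fP switch from krb5.conf(5), and the requirement that the file be owned by the user or by root.  Users, UIDs, file owners and the default realm BLEEP.COM are constructed; a file with the wrong owner is refused outright, which is this example's conservative choice rather than a behaviour the page documents.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

DEFAULT_REALM = "BLEEP.COM"   # constructed: the host's default realm


@dataclass
class K5LoginFile:
    """Constructed stand-in for a .k5login file plus the ownership
    information a real check would take from stat()."""
    owner_uid: int
    lines: List[str]


@dataclass
class LocalUser:
    name: str
    uid: int
    k5login: Optional[K5LoginFile] = None   # None: no .k5login file


def canonical(principal: str) -> str:
    """Append the default realm when a name omits it; kerberos(7) says
    an unqualified name refers to the local realm."""
    return principal if "@" in principal else f"{principal}@{DEFAULT_REALM}"


def listed_principals(f: K5LoginFile) -> List[str]:
    # One principal per line; blank lines are ignored.
    return [canonical(ln.strip()) for ln in f.lines if ln.strip()]


def k5login_permits(user: LocalUser, principal: str,
                    authoritative: bool = True) -> Tuple[bool, str]:
    """Return (allowed, reason) for `principal` logging in as `user`.

    The .k5login file is consulted first.  A file not owned by the user
    or by root is refused outright (this example's conservative choice;
    krb5.conf(5) only states the ownership requirement).  When the file
    is absent, or present but non-authoritative and silent about the
    principal, the default rule applies: the user's own principal in
    the default realm is allowed."""
    principal = canonical(principal)
    f = user.k5login
    if f is not None:
        if f.owner_uid not in (user.uid, 0):
            return False, ".k5login not owned by the user or root"
        if principal in listed_principals(f):
            return True, "principal listed in .k5login"
        if authoritative:
            return False, "not listed and k5login_authoritative is true"
    if principal == f"{user.name}@{DEFAULT_REALM}":
        return True, "default rule: own principal in the default realm"
    return False, "no rule permits this principal"


# The two .k5login files from the EXAMPLES section above.
ALICE = LocalUser("alice", 1001, K5LoginFile(1001, ["bob@FOOBAR.ORG"]))
ROOT = LocalUser("root", 0, K5LoginFile(0, ["alice@BLEEP.COM", "",
                                           "joeadmin/root@BLEEP.COM"]))
CAROL = LocalUser("carol", 1002)   # no .k5login file at all
# Constructed: a file owned by somebody else, which must not be trusted.
DAVE = LocalUser("dave", 1003, K5LoginFile(1001, ["dave@BLEEP.COM"]))

if __name__ == "__main__":
    for user, who in [(ALICE, "bob@FOOBAR.ORG"), (ALICE, "alice"),
                      (ROOT, "joeadmin/root"), (CAROL, "carol"),
                      (DAVE, "dave")]:
        print(user.name, who, k5login_permits(user, who))
```
.sp
Note that with the authoritative default, alice's own principal is refused on her account exactly as the text above describes, while root's file admits the two administrators and nobody else.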
.SH SEE ALSO
.sp
kerberos(7)
.SH AUTHOR
MIT
.SH COPYRIGHT
1985-2019, MIT
.\" Generated by docutils manpage writer.
.
.\" Man page generated from reStructuredText.
.
.TH "KRB5.CONF" "5" " " "1.17" "MIT Kerberos"
.SH NAME
krb5.conf \- Kerberos configuration file
.
.nr rst2man-indent-level 0
.
.de1 rstReportMargin
\\$1 \\n[an-margin]
level \\n[rst2man-indent-level]
level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
-
\\n[rst2man-indent0]
\\n[rst2man-indent1]
\\n[rst2man-indent2]
..
.de1 INDENT
.\" .rstReportMargin pre:
. RS \\$1
. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
. nr rst2man-indent-level +1
.\" .rstReportMargin post:
..
.de UNINDENT
. RE
.\" indent \\n[an-margin]
.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
.nr rst2man-indent-level -1
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
.sp
The krb5.conf file contains Kerberos configuration information,
including the locations of KDCs and admin servers for the Kerberos
realms of interest, defaults for the current realm and for Kerberos
applications, and mappings of hostnames onto Kerberos realms.
Normally, you should install your krb5.conf file in the directory
\fB/etc\fP\&.  You can override the default location by setting the
environment variable \fBKRB5_CONFIG\fP\&.  Multiple colon\-separated
filenames may be specified in \fBKRB5_CONFIG\fP; all files which are
present will be read.  Starting in release 1.14, directory names can
also be specified in \fBKRB5_CONFIG\fP; all files within the directory
whose names consist solely of alphanumeric characters, dashes, or
underscores will be read.
.SH STRUCTURE
.sp
The krb5.conf file is set up in the style of a Windows INI file.
Lines beginning with \(aq#\(aq or \(aq;\(aq (possibly after initial whitespace)
are ignored as comments.  Sections are headed by the section name, in
square brackets.  Each section may contain zero or more relations, of
the form:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
foo = bar
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
or:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
fubar = {
    foo = bar
    baz = quux
}
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
Placing a \(aq*\(aq at the end of a line indicates that this is the \fIfinal\fP
value for the tag.  This means that neither the remainder of this
configuration file nor any other configuration file will be checked
for any other values for this tag.
.sp
For example, if you have the following lines:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
foo = bar*
foo = baz
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
then the second value of \fBfoo\fP (\fBbaz\fP) would never be read.
.sp
The krb5.conf file can include other files using either of the
following directives at the beginning of a line:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
include FILENAME
includedir DIRNAME
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
\fIFILENAME\fP or \fIDIRNAME\fP should be an absolute path. The named file or
directory must exist and be readable.  Including a directory includes
all files within the directory whose names consist solely of
alphanumeric characters, dashes, or underscores.  Starting in release
1.15, files with names ending in ".conf" are also included, unless the
name begins with ".".  Included profile files are syntactically
independent of their parents, so each included file must begin with a
section header.  Starting in release 1.17, files are read in
alphanumeric order; in previous releases, they may be read in any
order.
.sp
The krb5.conf file can specify that configuration should be obtained
from a loadable module, rather than the file itself, using the
following directive at the beginning of a line before any section
headers:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
module MODULEPATH:RESIDUAL
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
\fIMODULEPATH\fP may be relative to the library path of the krb5
installation, or it may be an absolute path.  \fIRESIDUAL\fP is provided
to the module at initialization time.  If krb5.conf uses a module
directive, kdc.conf(5) should also use one if it exists.
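.sp
The file structure described in this section, as an added example that is not part of this man page or of the libkrb5 profile library.  It is a small Python reader for the INI\-style layout: comment lines, sections, nested \fB{ }\fP subsections, several values for one tag, the trailing \fB*\fP that makes a value final, and \fBinclude\fP/\fBincludedir\fP with the file\-name filter and alphanumeric ordering described above.  All paths and file contents are constructed and are served from an in\-memory dictionary instead of the filesystem; the \fBmodule\fP directive is not handled.

```python
import re
from typing import Dict, List

# Constructed sample: an in-memory "filesystem" stands in for the real
# files so the reader runs offline.  Paths and contents are placeholders.
FILES: Dict[str, str] = {
    "/etc/krb5.conf": """\
# Comment lines start with '#' or ';'.
includedir /etc/krb5.conf.d

[libdefaults]
    default_realm = EXAMPLE.COM*
    default_realm = OTHER.EXAMPLE
    dns_lookup_kdc = false

[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com
        kdc = kdc2.example.com
        admin_server = kdc1.example.com
    }
""",
    "/etc/krb5.conf.d/10-site.conf": "[libdefaults]\n    rdns = false\n",
    "/etc/krb5.conf.d/zz_local": "[libdefaults]\n    forwardable = true\n",
    "/etc/krb5.conf.d/.hidden.conf": "[libdefaults]\n    rdns = true\n",
    "/etc/krb5.conf.d/README.txt": "not a profile file\n",
}

_PLAIN_NAME = re.compile(r"^[A-Za-z0-9_-]+$")
_RELATION = re.compile(r"^(\S+)\s*=\s*(.*)$")


def includable(basename: str) -> bool:
    """Name filter for includedir: alphanumerics, dashes and underscores,
    or (release 1.15+) a name ending in '.conf' that does not start with '.'."""
    if "/" in basename:
        return False
    if _PLAIN_NAME.match(basename):
        return True
    return basename.endswith(".conf") and not basename.startswith(".")


def parse_profile(path: str, files=FILES, tree=None, final=None) -> dict:
    """Read one profile file and everything it includes into a nested dict.
    Each tag maps to a list of values in the order they were read; a
    subsection is a nested dict inside that list.  `final` records the
    tag paths whose value ended in '*', so later values are skipped."""
    tree = {} if tree is None else tree
    final = set() if final is None else final
    stack = []   # (node dict, tag path) for the open section/subsections
    for raw in files[path].splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("include "):
            parse_profile(line[len("include "):].strip(), files, tree, final)
            continue
        if line.startswith("includedir "):
            dirname = line[len("includedir "):].strip().rstrip("/") + "/"
            for name in sorted(files):   # release 1.17+: alphanumeric order
                if name.startswith(dirname) and includable(name[len(dirname):]):
                    parse_profile(name, files, tree, final)
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            stack = [(tree.setdefault(section, {}), (section,))]
            continue
        if line == "}":
            if len(stack) < 2:
                raise ValueError(f"{path}: unbalanced '}}'")
            stack.pop()
            continue
        if not stack:   # included files are syntactically independent
            raise ValueError(f"{path}: relation before any section header")
        m = _RELATION.match(line)
        if m is None:
            raise ValueError(f"{path}: cannot parse {line!r}")
        tag, value = m.group(1), m.group(2).strip()
        node, parent = stack[-1]
        key = parent + (tag,)
        if key in final:
            continue        # an earlier value for this tag ended with '*'
        if value == "{":
            sub = {}
            node.setdefault(tag, []).append(sub)
            stack.append((sub, key))
            continue
        if value.endswith("*"):
            value = value[:-1].rstrip()
            final.add(key)
        node.setdefault(tag, []).append(value)
    return tree


def lookup(tree: dict, section: str, *path: str) -> List[str]:
    """All string values for a tag path, e.g. lookup(t, "realms",
    "EXAMPLE.COM", "kdc").  libkrb5's single-value lookups take the
    first entry; list-valued tags such as kdc use all of them."""
    nodes = [tree.get(section, {})]
    for name in path:
        nodes = [v for n in nodes if isinstance(n, dict) for v in n.get(name, [])]
    return [v for v in nodes if isinstance(v, str)]


if __name__ == "__main__":
    t = parse_profile("/etc/krb5.conf")
    print(lookup(t, "libdefaults", "default_realm"))       # ['EXAMPLE.COM']
    print(lookup(t, "realms", "EXAMPLE.COM", "kdc"))
```
.sp
Because the sorted includedir runs before the main file's own sections, values from the drop\-in files are recorded first; the hidden file and the README are skipped by the name filter, and the second \fBdefault_realm\fP is never recorded because the first one ended in \fB*\fP.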
.SH SECTIONS
.sp
The krb5.conf file may contain the following sections:
.TS
center;
|l|l|.
_
T{
\fI\%[libdefaults]\fP
T}	T{
Settings used by the Kerberos V5 library
T}
_
T{
\fI\%[realms]\fP
T}	T{
Realm\-specific contact information and settings
T}
_
T{
\fI\%[domain_realm]\fP
T}	T{
Maps server hostnames to Kerberos realms
T}
_
T{
\fI\%[capaths]\fP
T}	T{
Authentication paths for non\-hierarchical cross\-realm
T}
_
T{
\fI\%[appdefaults]\fP
T}	T{
Settings used by some Kerberos V5 applications
T}
_
T{
\fI\%[plugins]\fP
T}	T{
Controls plugin module registration
T}
_
.TE
.sp
Additionally, krb5.conf may include any of the relations described in
kdc.conf(5), but it is not a recommended practice.
.SS [libdefaults]
.sp
The libdefaults section may contain any of the following relations:
.INDENT 0.0
.TP
\fBallow_weak_crypto\fP
If this flag is set to false, then weak encryption types (as noted
in Encryption_types in kdc.conf(5)) will be filtered
out of the lists \fBdefault_tgs_enctypes\fP,
\fBdefault_tkt_enctypes\fP, and \fBpermitted_enctypes\fP\&.  The default
value for this tag is false, which may cause authentication
failures in existing Kerberos infrastructures that do not support
strong crypto.  Users in affected environments should set this tag
to true until their infrastructure adopts stronger ciphers.
.TP
\fBap_req_checksum_type\fP
An integer which specifies the type of AP\-REQ checksum to use in
authenticators.  This variable should be unset so the appropriate
checksum for the encryption key in use will be used.  This can be
set if backward compatibility requires a specific checksum type.
See the \fBkdc_req_checksum_type\fP configuration option for the
possible values and their meanings.
.TP
\fBcanonicalize\fP
If this flag is set to true, initial ticket requests to the KDC
will request canonicalization of the client principal name, and
answers with different client principals than the requested
principal will be accepted.  The default value is false.
.TP
\fBccache_type\fP
This parameter determines the format of credential cache types
created by kinit(1) or other programs.  The default value
is 4, which represents the most current format.  Smaller values
can be used for compatibility with very old implementations of
Kerberos which interact with credential caches on the same host.
.TP
\fBclockskew\fP
Sets the maximum allowable amount of clockskew in seconds that the
library will tolerate before assuming that a Kerberos message is
invalid.  The default value is 300 seconds, or five minutes.
.sp
The clockskew setting is also used when evaluating ticket start
and expiration times.  For example, tickets that have reached
their expiration time can still be used (and renewed if they are
renewable tickets) if they have been expired for a shorter
duration than the \fBclockskew\fP setting.
.TP
\fBdefault_ccache_name\fP
This relation specifies the name of the default credential cache.
The default is \fBFILE:/tmp/krb5cc_%{uid}\fP\&.  This relation is subject to parameter
expansion (see below).  New in release 1.11.
.TP
\fBdefault_client_keytab_name\fP
This relation specifies the name of the default keytab for
obtaining client credentials.  The default is \fBFILE:/opt/alt/krb5/usr/var/kerberos/krb5/user/%{euid}/client.keytab\fP\&.  This
relation is subject to parameter expansion (see below).
New in release 1.11.
.TP
\fBdefault_keytab_name\fP
This relation specifies the default keytab name to be used by
application servers such as sshd.  The default is \fBFILE:/etc/krb5.keytab\fP\&.  This
relation is subject to parameter expansion (see below).
.TP
\fBdefault_realm\fP
Identifies the default Kerberos realm for the client.  Set its
value to your Kerberos realm.  If this value is not set, then a
realm must be specified with every Kerberos principal when
invoking programs such as kinit(1)\&.
.TP
\fBdefault_tgs_enctypes\fP
Identifies the supported list of session key encryption types that
the client should request when making a TGS\-REQ, in order of
preference from highest to lowest.  The list may be delimited with
commas or whitespace.  See Encryption_types in
kdc.conf(5) for a list of the accepted values for this tag.
The default value is \fBaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 aes256\-cts\-hmac\-sha384\-192 aes128\-cts\-hmac\-sha256\-128 des3\-cbc\-sha1 arcfour\-hmac\-md5 camellia256\-cts\-cmac camellia128\-cts\-cmac des\-cbc\-crc des\-cbc\-md5 des\-cbc\-md4\fP, but single\-DES encryption types
will be implicitly removed from this list if the value of
\fBallow_weak_crypto\fP is false.
.sp
Do not set this unless required for specific backward
compatibility purposes; stale values of this setting can prevent
clients from taking advantage of new stronger enctypes when the
libraries are upgraded.
.TP
\fBdefault_tkt_enctypes\fP
Identifies the supported list of session key encryption types that
the client should request when making an AS\-REQ, in order of
preference from highest to lowest.  The format is the same as for
default_tgs_enctypes.  The default value for this tag is
\fBaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 aes256\-cts\-hmac\-sha384\-192 aes128\-cts\-hmac\-sha256\-128 des3\-cbc\-sha1 arcfour\-hmac\-md5 camellia256\-cts\-cmac camellia128\-cts\-cmac des\-cbc\-crc des\-cbc\-md5 des\-cbc\-md4\fP, but single\-DES encryption types will be implicitly
removed from this list if the value of \fBallow_weak_crypto\fP is
false.
.sp
Do not set this unless required for specific backward
compatibility purposes; stale values of this setting can prevent
clients from taking advantage of new stronger enctypes when the
libraries are upgraded.
.TP
\fBdns_canonicalize_hostname\fP
Indicate whether name lookups will be used to canonicalize
hostnames for use in service principal names.  Setting this flag
to false can improve security by reducing reliance on DNS, but
means that short hostnames will not be canonicalized to
fully\-qualified hostnames.  The default value is true.
.TP
\fBdns_lookup_kdc\fP
Indicate whether DNS SRV records should be used to locate the KDCs
and other servers for a realm, if they are not listed in the
krb5.conf information for the realm.  (Note that the admin_server
entry must be in the krb5.conf realm information in order to
contact kadmind, because the DNS implementation for kadmin is
incomplete.)
.sp
Enabling this option does open up a type of denial\-of\-service
attack, if someone spoofs the DNS records and redirects you to
another server.  However, it\(aqs no worse than a denial of service,
because that fake KDC will be unable to decode anything you send
it (besides the initial ticket request, which has no encrypted
data), and anything the fake KDC sends will not be trusted without
verification using some secret that it won\(aqt know.
.TP
\fBdns_uri_lookup\fP
Indicate whether DNS URI records should be used to locate the KDCs
and other servers for a realm, if they are not listed in the
krb5.conf information for the realm.  SRV records are used as a
fallback if no URI records were found.  The default value is true.
New in release 1.15.
.TP
\fBerr_fmt\fP
This relation allows for custom error message formatting.  If a
value is set, error messages will be formatted by substituting a
normal error message for %M and an error code for %C in the value.
.TP
\fBextra_addresses\fP
This allows a computer to use multiple local addresses, in order
to allow Kerberos to work in a network that uses NATs while still
using address\-restricted tickets.  The addresses should be in a
comma\-separated list.  This option has no effect if
\fBnoaddresses\fP is true.
.TP
\fBforwardable\fP
If this flag is true, initial tickets will be forwardable by
default, if allowed by the KDC.  The default value is false.
.TP
\fBignore_acceptor_hostname\fP
When accepting GSSAPI or krb5 security contexts for host\-based
service principals, ignore any hostname passed by the calling
application, and allow clients to authenticate to any service
principal in the keytab matching the service name and realm name
(if given).  This option can improve the administrative
flexibility of server applications on multihomed hosts, but could
compromise the security of virtual hosting environments.  The
default value is false.  New in release 1.10.
.TP
\fBk5login_authoritative\fP
If this flag is true, principals must be listed in a local user\(aqs
k5login file to be granted login access, if a \&.k5login(5)
file exists.  If this flag is false, a principal may still be
granted login access through other mechanisms even if a k5login
file exists but does not list the principal.  The default value is
true.
.TP
\fBk5login_directory\fP
If set, the library will look for a local user\(aqs k5login file
within the named directory, with a filename corresponding to the
local username.  If not set, the library will look for k5login
files in the user\(aqs home directory, with the filename .k5login.
For security reasons, .k5login files must be owned by
the local user or by root.
.TP
\fBkcm_mach_service\fP
On macOS only, determines the name of the bootstrap service used to
contact the KCM daemon for the KCM credential cache type.  If the
value is \fB\-\fP, Mach RPC will not be used to contact the KCM
daemon.  The default value is \fBorg.h5l.kcm\fP\&.
.TP
\fBkcm_socket\fP
Determines the path to the Unix domain socket used to access the
KCM daemon for the KCM credential cache type.  If the value is
\fB\-\fP, Unix domain sockets will not be used to contact the KCM
daemon.  The default value is
\fB/var/run/.heim_org.h5l.kcm\-socket\fP\&.
.TP
\fBkdc_default_options\fP
Default KDC options (Xored for multiple values) when requesting
initial tickets.  By default it is set to 0x00000010
(KDC_OPT_RENEWABLE_OK).
.TP
\fBkdc_timesync\fP
Accepted values for this relation are 1 or 0.  If it is nonzero,
client machines will compute the difference between their time and
the time returned by the KDC in the timestamps in the tickets and
use this value to correct for an inaccurate system clock when
requesting service tickets or authenticating to services.  This
corrective factor is only used by the Kerberos library; it is not
used to change the system clock.  The default value is 1.
.TP
\fBkdc_req_checksum_type\fP
An integer which specifies the type of checksum to use for the KDC
requests, for compatibility with very old KDC implementations.
This value is only used for DES keys; other keys use the preferred
checksum type for those keys.
.sp
The possible values and their meanings are as follows.
.TS
center;
|l|l|.
_
T{
1
T}	T{
CRC32
T}
_
T{
2
T}	T{
RSA MD4
T}
_
T{
3
T}	T{
RSA MD4 DES
T}
_
T{
4
T}	T{
DES CBC
T}
_
T{
7
T}	T{
RSA MD5
T}
_
T{
8
T}	T{
RSA MD5 DES
T}
_
T{
9
T}	T{
NIST SHA
T}
_
T{
12
T}	T{
HMAC SHA1 DES3
T}
_
T{
\-138
T}	T{
Microsoft MD5 HMAC checksum type
T}
_
.TE
.TP
\fBnoaddresses\fP
If this flag is true, requests for initial tickets will not be
made with address restrictions set, allowing the tickets to be
used across NATs.  The default value is true.
.TP
\fBpermitted_enctypes\fP
Identifies all encryption types that are permitted for use in
session key encryption.  The default value for this tag is
\fBaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 aes256\-cts\-hmac\-sha384\-192 aes128\-cts\-hmac\-sha256\-128 des3\-cbc\-sha1 arcfour\-hmac\-md5 camellia256\-cts\-cmac camellia128\-cts\-cmac des\-cbc\-crc des\-cbc\-md5 des\-cbc\-md4\fP, but single\-DES encryption types will be implicitly
removed from this list if the value of \fBallow_weak_crypto\fP is
false.
.TP
\fBplugin_base_dir\fP
If set, determines the base directory where krb5 plugins are
located.  The default value is the \fBkrb5/plugins\fP subdirectory
of the krb5 library directory.  This relation is subject to
parameter expansion (see below) in release 1.17 and later.
.TP
\fBpreferred_preauth_types\fP
This allows you to set the preferred preauthentication types which
the client will attempt before others which may be advertised by a
KDC.  The default value for this setting is "17, 16, 15, 14",
which forces libkrb5 to attempt to use PKINIT if it is supported.
.TP
\fBproxiable\fP
If this flag is true, initial tickets will be proxiable by
default, if allowed by the KDC.  The default value is false.
.TP
\fBrdns\fP
If this flag is true, reverse name lookup will be used in addition
to forward name lookup to canonicalize hostnames for use in
service principal names.  If \fBdns_canonicalize_hostname\fP is set
to false, this flag has no effect.  The default value is true.
.TP
\fBrealm_try_domains\fP
Indicate whether a host\(aqs domain components should be used to
determine the Kerberos realm of the host.  The value of this
variable is an integer: \-1 means not to search, 0 means to try the
host\(aqs domain itself, 1 means to also try the domain\(aqs immediate
parent, and so forth.  The library\(aqs usual mechanism for locating
Kerberos realms is used to determine whether a domain is a valid
realm, which may involve consulting DNS if \fBdns_lookup_kdc\fP is
set.  The default is not to search domain components.
.TP
\fBrenew_lifetime\fP
(duration string.)  Sets the default renewable lifetime
for initial ticket requests.  The default value is 0.
.TP
\fBsafe_checksum_type\fP
An integer which specifies the type of checksum to use for the
KRB\-SAFE requests.  By default it is set to 8 (RSA MD5 DES).  For
compatibility with applications linked against DCE version 1.1 or
earlier Kerberos libraries, use a value of 3 to use the RSA MD4
DES instead.  This field is ignored when its value is incompatible
with the session key type.  See the \fBkdc_req_checksum_type\fP
configuration option for the possible values and their meanings.
.TP
\fBspake_preauth_groups\fP
A whitespace or comma\-separated list of words which specifies the
groups allowed for SPAKE preauthentication.  The possible values
are:
.TS
center;
|l|l|.
_
T{
edwards25519
T}	T{
Edwards25519 curve (\fI\%RFC 7748\fP)
T}
_
T{
P\-256
T}	T{
NIST P\-256 curve (\fI\%RFC 5480\fP)
T}
_
T{
P\-384
T}	T{
NIST P\-384 curve (\fI\%RFC 5480\fP)
T}
_
T{
P\-521
T}	T{
NIST P\-521 curve (\fI\%RFC 5480\fP)
T}
_
.TE
.sp
The default value for the client is \fBedwards25519\fP\&.  The default
value for the KDC is empty.  New in release 1.17.
.TP
\fBticket_lifetime\fP
(duration string.)  Sets the default lifetime for initial
ticket requests.  The default value is 1 day.
.TP
\fBudp_preference_limit\fP
When sending a message to the KDC, the library will try using TCP
before UDP if the size of the message is above
\fBudp_preference_limit\fP\&.  If the message is smaller than
\fBudp_preference_limit\fP, then UDP will be tried before TCP.
Regardless of the size, both protocols will be tried if the first
attempt fails.
.TP
\fBverify_ap_req_nofail\fP
If this flag is true, then an attempt to verify initial
credentials will fail if the client machine does not have a
keytab.  The default value is false.
.UNINDENT
.SS [realms]
.sp
Each tag in the [realms] section of the file is the name of a Kerberos
realm.  The value of the tag is a subsection with relations that
define the properties of that particular realm.  For each realm, the
following tags may be specified in the realm\(aqs subsection:
.INDENT 0.0
.TP
\fBadmin_server\fP
Identifies the host where the administration server is running.
Typically, this is the master Kerberos server.  This tag must be
given a value in order to communicate with the kadmind(8)
server for the realm.
.TP
\fBauth_to_local\fP
This tag allows you to set a general rule for mapping principal
names to local user names.  It will be used if there is not an
explicit mapping for the principal name that is being
translated. The possible values are:
.INDENT 7.0
.TP
\fBRULE:\fP\fIexp\fP
The local name will be formulated from \fIexp\fP\&.
.sp
The format for \fIexp\fP is \fB[\fP\fIn\fP\fB:\fP\fIstring\fP\fB](\fP\fIregexp\fP\fB)s/\fP\fIpattern\fP\fB/\fP\fIreplacement\fP\fB/g\fP\&.
The integer \fIn\fP indicates how many components the target
principal should have.  If this matches, then a string will be
formed from \fIstring\fP, substituting the realm of the principal
for \fB$0\fP and the \fIn\fP\(aqth component of the principal for
\fB$n\fP (e.g., if the principal was \fBjohndoe/admin\fP then
\fB[2:$2$1foo]\fP would result in the string
\fBadminjohndoefoo\fP).  If this string matches \fIregexp\fP, then
the \fBs//[g]\fP substitution command will be run over the
string.  The optional \fBg\fP will cause the substitution to be
global over the \fIstring\fP, instead of replacing only the first
match in the \fIstring\fP\&.
.TP
\fBDEFAULT\fP
The principal name will be used as the local user name.  If
the principal has more than one component or is not in the
default realm, this rule is not applicable and the conversion
will fail.
.UNINDENT
.sp
For example:
.INDENT 7.0
.INDENT 3.5
.sp
.nf
.ft C
[realms]
    ATHENA.MIT.EDU = {
        auth_to_local = RULE:[2:$1](johndoe)s/^.*$/guest/
        auth_to_local = RULE:[2:$1;$2](^.*;admin$)s/;admin$//
        auth_to_local = RULE:[2:$2](^.*;root)s/^.*$/root/
        auth_to_local = DEFAULT
    }
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
would result in any principal without \fBroot\fP or \fBadmin\fP as the
second component to be translated with the default rule.  A
principal with a second component of \fBadmin\fP will become its
first component.  \fBroot\fP will be used as the local name for any
principal with a second component of \fBroot\fP\&.  The exception to
these two rules are any principals \fBjohndoe/*\fP, which will
always get the local name \fBguest\fP\&.
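.sp
The \fBRULE:\fP and \fBDEFAULT\fP evaluation described above, as an added example that is not part of this man page or of libkrb5.  The first two rules are those of the example above; the third is a constructed variant of the \fBroot\fP rule that forms the string from \fB$1;$2\fP so that its regexp applies to a two\-component name.  Assumptions: the regexp is searched anywhere in the formed string rather than anchored, the \fBs///\fP command is executed with Python's \fBre.sub\fP (so any backreference syntax is Python's), rules are tried in order with the first applicable one winning, and no backslash escaping of \fB/\fP or \fB@\fP in principal names is handled.

```python
import re
from typing import List, Optional

DEFAULT_REALM = "ATHENA.MIT.EDU"   # the realm of the example above

# Rules 1, 2 and 4 are from the man page example; rule 3 is constructed.
RULES = [
    "RULE:[2:$1](johndoe)s/^.*$/guest/",
    "RULE:[2:$1;$2](^.*;admin$)s/;admin$//",
    "RULE:[2:$1;$2](^.*;root$)s/^.*$/root/",
    "DEFAULT",
]

# [n:string](regexp)s/pattern/replacement/g  (the trailing g is optional)
_RULE_RE = re.compile(
    r"^\[(\d+):([^\]]*)\]\((.*)\)s/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/(g?)$"
)


def split_principal(name: str):
    """Split 'primary/instance@REALM' into (components, realm); a name
    without '@' is taken to be in the default realm."""
    if "@" in name:
        comps, realm = name.rsplit("@", 1)
    else:
        comps, realm = name, DEFAULT_REALM
    return comps.split("/"), realm


def apply_rule(rule: str, principal: str) -> Optional[str]:
    """Return the local name this rule yields, or None if it does not apply."""
    comps, realm = split_principal(principal)
    if rule == "DEFAULT":
        # Only a single-component principal in the default realm maps.
        return comps[0] if len(comps) == 1 and realm == DEFAULT_REALM else None
    if not rule.startswith("RULE:"):
        raise ValueError(f"unsupported auth_to_local value: {rule}")
    m = _RULE_RE.match(rule[len("RULE:"):])
    if m is None:
        raise ValueError(f"malformed RULE: {rule}")
    n, fmt, regexp, pattern, replacement, flag = m.groups()
    if len(comps) != int(n):
        return None                      # component count must match n

    def expand(mm: "re.Match[str]") -> str:
        idx = int(mm.group(1))           # $0 is the realm, $k component k
        return realm if idx == 0 else comps[idx - 1]

    try:
        formed = re.sub(r"\$(\d+)", expand, fmt)
    except IndexError:
        return None                      # $k beyond the principal's components
    if re.search(regexp, formed) is None:
        return None
    # The optional g makes the substitution global; otherwise first match only.
    return re.sub(pattern, replacement, formed, count=0 if flag == "g" else 1)


def aname_to_lname(principal: str, rules: List[str] = RULES) -> Optional[str]:
    """Map a principal to a local user name, or None when no rule applies."""
    for rule in rules:
        name = apply_rule(rule, principal)
        if name is not None:
            return name
    return None


if __name__ == "__main__":
    for p in ["johndoe/admin", "bob/admin", "carol/root", "dave",
              "dave@OTHER.EXAMPLE", "johndoe/root"]:
        print(f"{p:24} -> {aname_to_lname(p)}")
```
.sp
Running it reproduces the outcomes described above: \fBjohndoe/*\fP always becomes \fBguest\fP, a second component of \fBadmin\fP is stripped, the constructed root rule yields \fBroot\fP, single\-component principals in the default realm map to themselves, and anything else (a foreign realm, three components) is refused rather than guessed.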
.TP
\fBauth_to_local_names\fP
This subsection allows you to set explicit mappings from principal
names to local user names.  The tag is the mapping name, and the
value is the corresponding local user name.
.TP
\fBdefault_domain\fP
This tag specifies the domain used to expand hostnames when
translating Kerberos 4 service principals to Kerberos 5 principals
(for example, when converting \fBrcmd.hostname\fP to
\fBhost/hostname.domain\fP).
.TP
\fBdisable_encrypted_timestamp\fP
If this flag is true, the client will not perform encrypted
timestamp preauthentication if requested by the KDC.  Setting this
flag can help to prevent dictionary attacks by active attackers,
if the realm\(aqs KDCs support SPAKE preauthentication or if initial
authentication always uses another mechanism or always uses FAST.
This flag persists across client referrals during initial
authentication.  This flag does not prevent the KDC from offering
encrypted timestamp.  New in release 1.17.
.TP
\fBhttp_anchors\fP
When KDCs and kpasswd servers are accessed through HTTPS proxies, this tag
can be used to specify the location of the CA certificate which should be
trusted to issue the certificate for a proxy server.  If left unspecified,
the system\-wide default set of CA certificates is used.
.sp
The syntax for values is similar to that of values for the
\fBpkinit_anchors\fP tag:
.sp
\fBFILE:\fP \fIfilename\fP
.sp
\fIfilename\fP is assumed to be the name of an OpenSSL\-style ca\-bundle file.
.sp
\fBDIR:\fP \fIdirname\fP
.sp
\fIdirname\fP is assumed to be a directory which contains CA certificates.
All files in the directory will be examined; if they contain certificates
(in PEM format), they will be used.
.sp
\fBENV:\fP \fIenvvar\fP
.sp
\fIenvvar\fP specifies the name of an environment variable which has been set
to a value conforming to one of the previous values.  For example,
\fBENV:X509_PROXY_CA\fP, where environment variable \fBX509_PROXY_CA\fP has
been set to \fBFILE:/tmp/my_proxy.pem\fP\&.
.TP
\fBkdc\fP
The name or address of a host running a KDC for that realm.  An
optional port number, separated from the hostname by a colon, may
be included.  If the name or address contains colons (for example,
if it is an IPv6 address), enclose it in square brackets to
distinguish the colon from a port separator.  For your computer to
be able to communicate with the KDC for each realm, this tag must
be given a value in each realm subsection in the configuration
file, or there must be DNS SRV records specifying the KDCs.
.TP
\fBkpasswd_server\fP
Points to the server where all the password changes are performed.
If there is no such entry, DNS will be queried (unless forbidden
by \fBdns_lookup_kdc\fP).  Finally, port 464 on the \fBadmin_server\fP
host will be tried.
.TP
\fBmaster_kdc\fP
Identifies the master KDC(s).  Currently, this tag is used in only
one case: If an attempt to get credentials fails because of an
invalid password, the client software will attempt to contact the
master KDC, in case the user\(aqs password has just been changed, and
the updated database has not been propagated to the replica
servers yet.
.TP
\fBv4_instance_convert\fP
This subsection allows the administrator to configure exceptions
to the \fBdefault_domain\fP mapping rule.  It contains V4 instances
(the tag name) which should be translated to some specific
hostname (the tag value) as the second component in a Kerberos V5
principal name.
.TP
\fBv4_realm\fP
This relation is used by the krb524 library routines when
converting a V5 principal name to a V4 principal name.  It is used
when the V4 realm name and the V5 realm name are not the same, but
still share the same principal names and passwords. The tag value
is the Kerberos V4 realm name.
.UNINDENT
.SS [domain_realm]
.sp
The [domain_realm] section provides a translation from a domain name
or hostname to a Kerberos realm name.  The tag name can be a host name
or domain name, where domain names are indicated by a prefix of a
period (\fB\&.\fP).  The value of the relation is the Kerberos realm name
for that particular host or domain.  A host name relation implicitly
provides the corresponding domain name relation, unless an explicit domain
name relation is provided.  The Kerberos realm may be
identified either in the \fI\%realms\fP section or using DNS SRV records.
Host names and domain names should be in lower case.  For example:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
[domain_realm]
    crash.mit.edu = TEST.ATHENA.MIT.EDU
    .dev.mit.edu = TEST.ATHENA.MIT.EDU
    mit.edu = ATHENA.MIT.EDU
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
maps the host with the name \fBcrash.mit.edu\fP into the
\fBTEST.ATHENA.MIT.EDU\fP realm.  The second entry maps all hosts under the
domain \fBdev.mit.edu\fP into the \fBTEST.ATHENA.MIT.EDU\fP realm, but not
the host with the name \fBdev.mit.edu\fP\&.  That host is matched
by the third entry, which maps the host \fBmit.edu\fP and all hosts
under the domain \fBmit.edu\fP that do not match a preceding rule
into the realm \fBATHENA.MIT.EDU\fP\&.
.sp
If no translation entry applies to a hostname used for a service
principal for a service ticket request, the library will try to get a
referral to the appropriate realm from the client realm\(aqs KDC.  If
that does not succeed, the host\(aqs realm is considered to be the
hostname\(aqs domain portion converted to uppercase, unless the
\fBrealm_try_domains\fP setting in [libdefaults] causes a different
parent domain to be used.
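.sp
The lookup just described, as an added Python example (not MIT krb5 code)
run over the page\(aqs [domain_realm] entries: exact host name first, then each
parent domain nearest first, where an explicit domain relation takes
precedence and a host relation stands in for a missing domain relation.  The
referral step and \fBrealm_try_domains\fP are not modeled, so an unmapped
host falls straight through to the uppercased domain portion.
.sp
```python
"""Map a hostname to a realm the way [domain_realm] describes.

Added illustration, not MIT krb5 code.  The KDC referral step is not modeled;
the function goes straight from the profile to the uppercased-domain fallback,
and realm_try_domains is not implemented.
"""
from typing import Dict, Optional

# Constructed from the page's [domain_realm] example.
DOMAIN_REALM: Dict[str, str] = {
    "crash.mit.edu": "TEST.ATHENA.MIT.EDU",
    ".dev.mit.edu": "TEST.ATHENA.MIT.EDU",
    "mit.edu": "ATHENA.MIT.EDU",
}


def host_to_realm(hostname: str, mapping: Dict[str, str]) -> Optional[str]:
    """Return the realm for hostname, or None when nothing at all applies."""
    host = hostname.lower().rstrip(".")     # entries are lower case; drop a trailing dot
    if host in mapping:                     # exact host name relation
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):         # each parent domain, nearest first
        parent = ".".join(labels[i:])
        if "." + parent in mapping:         # explicit domain relation wins
            return mapping["." + parent]
        if parent in mapping:               # host relation implies the domain relation
            return mapping[parent]
    # Fallback: uppercased domain portion of the hostname (referrals not modeled).
    return ".".join(labels[1:]).upper() if len(labels) > 1 else None


if __name__ == "__main__":
    for h in ("crash.mit.edu", "foo.dev.mit.edu", "dev.mit.edu", "a.b.mit.edu",
              "x.example.com", "localhost"):
        print(f"{h:20} -> {host_to_realm(h, DOMAIN_REALM)}")
```
.sp
The fallback is the part to watch: a host with no mapping and no referral is
assigned a realm derived purely from its DNS name, which is why the page
recommends keeping the table (or DNS SRV records) authoritative for every
host a client will talk to.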
.SS [capaths]
.sp
In order to perform direct (non\-hierarchical) cross\-realm
authentication, configuration is needed to determine the
authentication paths between realms.
.sp
A client will use this section to find the authentication path between
its realm and the realm of the server.  The server will use this
section to verify the authentication path used by the client, by
checking the transited field of the received ticket.
.sp
There is a tag for each participating client realm, and each tag has
subtags for each of the server realms.  The value of the subtags is an
intermediate realm which may participate in the cross\-realm
authentication.  The subtags may be repeated if there is more than one
intermediate realm.  A value of "." means that the two realms share
keys directly, and no intermediate realms should be allowed to
participate.
.sp
Only those entries which will be needed on the client or the server
need to be present.  A client needs a tag for its local realm with
subtags for all the realms of servers it will need to authenticate to.
A server needs a tag for each realm of the clients it will serve, with
a subtag of the server realm.
.sp
For example, \fBANL.GOV\fP, \fBPNL.GOV\fP, and \fBNERSC.GOV\fP all wish to
use the \fBES.NET\fP realm as an intermediate realm.  ANL has a sub
realm of \fBTEST.ANL.GOV\fP which will authenticate with \fBNERSC.GOV\fP
but not \fBPNL.GOV\fP\&.  The [capaths] section for \fBANL.GOV\fP systems
would look like this:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
[capaths]
    ANL.GOV = {
        TEST.ANL.GOV = .
        PNL.GOV = ES.NET
        NERSC.GOV = ES.NET
        ES.NET = .
    }
    TEST.ANL.GOV = {
        ANL.GOV = .
    }
    PNL.GOV = {
        ANL.GOV = ES.NET
    }
    NERSC.GOV = {
        ANL.GOV = ES.NET
    }
    ES.NET = {
        ANL.GOV = .
    }
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
The [capaths] section of the configuration file used on \fBNERSC.GOV\fP
systems would look like this:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
[capaths]
    NERSC.GOV = {
        ANL.GOV = ES.NET
        TEST.ANL.GOV = ES.NET
        TEST.ANL.GOV = ANL.GOV
        PNL.GOV = ES.NET
        ES.NET = .
    }
    ANL.GOV = {
        NERSC.GOV = ES.NET
    }
    PNL.GOV = {
        NERSC.GOV = ES.NET
    }
    ES.NET = {
        NERSC.GOV = .
    }
    TEST.ANL.GOV = {
        NERSC.GOV = ANL.GOV
        NERSC.GOV = ES.NET
    }
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
When a subtag is used more than once within a tag, clients will use
the order of values to determine the path.  The order of values is not
important to servers.
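.sp
An added Python example (not MIT krb5 code) that reads the NERSC.GOV
[capaths] data above both ways: the client side turns the ordered subtag
values into the chain of intermediate realms, and the server side checks that
every realm in a ticket\(aqs transited field is one of the intermediates
configured for that client realm, ignoring order.  Realm pairs with no entry
would fall back to the hierarchical path, which is not modeled (None or False
is returned).  The parser handles only the shape of text shown on this page.
.sp
```python
"""Cross-realm authentication paths from a [capaths] section.

Added illustration, not MIT krb5 code.  Realm pairs without an entry would use
the hierarchical path, which is not modeled: client_path returns None and
transited_allowed returns False for them.
"""
from typing import Dict, List, Optional

CapathsTable = Dict[str, Dict[str, List[str]]]   # client realm -> server realm -> values

# The page's NERSC.GOV example, embedded as text.
NERSC_CAPATHS_TEXT = """\
[capaths]
    NERSC.GOV = {
        ANL.GOV = ES.NET
        TEST.ANL.GOV = ES.NET
        TEST.ANL.GOV = ANL.GOV
        PNL.GOV = ES.NET
        ES.NET = .
    }
    ANL.GOV = {
        NERSC.GOV = ES.NET
    }
    PNL.GOV = {
        NERSC.GOV = ES.NET
    }
    ES.NET = {
        NERSC.GOV = .
    }
    TEST.ANL.GOV = {
        NERSC.GOV = ANL.GOV
        NERSC.GOV = ES.NET
    }
"""


def parse_capaths(text: str) -> CapathsTable:
    """Minimal parser for a [capaths] body: 'TAG = {', 'SUB = VALUE' lines, '}'.
    Repeated subtags are kept in file order, which is what clients rely on."""
    table: CapathsTable = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("["):
            continue
        if line.endswith("{"):
            current = line[:-1].strip().rstrip("=").strip()
            table.setdefault(current, {})
        elif line == "}":
            current = None
        else:
            if current is None:
                raise ValueError(f"value outside a realm block: {line!r}")
            sub, _, value = line.partition("=")
            table[current].setdefault(sub.strip(), []).append(value.strip())
    return table


def client_path(capaths: CapathsTable, client_realm: str, server_realm: str) -> Optional[List[str]]:
    """Intermediate realms the client crosses, in order; [] means a direct key share."""
    values = capaths.get(client_realm, {}).get(server_realm)
    if values is None:
        return None
    return [r for r in values if r != "."]


def transited_allowed(capaths: CapathsTable, client_realm: str, server_realm: str,
                      transited: List[str]) -> bool:
    """Server-side check of a ticket's transited field: every realm listed must be
    an intermediate configured under the client realm's tag for this server realm."""
    values = capaths.get(client_realm, {}).get(server_realm)
    if values is None:
        return False
    allowed = {r for r in values if r != "."}
    return all(r in allowed for r in transited)


NERSC_CAPATHS = parse_capaths(NERSC_CAPATHS_TEXT)
```
.sp
Because the server only tests set membership, a \fB.\fP entry is the strict
case: with \fBES.NET = { NERSC.GOV = . }\fP a ticket from ES.NET that passed
through any other realm is refused.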
.SS [appdefaults]
.sp
Each tag in the [appdefaults] section names a Kerberos V5 application
or an option that is used by some Kerberos V5 application[s].  The
value of the tag defines the default behaviors for that application.
.sp
For example:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
[appdefaults]
    telnet = {
        ATHENA.MIT.EDU = {
            option1 = false
        }
    }
    telnet = {
        option1 = true
        option2 = true
    }
    ATHENA.MIT.EDU = {
        option2 = false
    }
    option2 = true
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
The above four ways of specifying the value of an option are shown in
order of decreasing precedence. In this example, if telnet is running
in the realm EXAMPLE.COM, it should, by default, have option1 and
option2 set to true.  However, a telnet program in the realm
\fBATHENA.MIT.EDU\fP should have \fBoption1\fP set to false and
\fBoption2\fP set to true.  Any other programs in ATHENA.MIT.EDU should
have \fBoption2\fP set to false by default.  Any programs running in
other realms should have \fBoption2\fP set to true.
.sp
The list of specifiable options for each application may be found in
that application\(aqs man pages.  The application defaults specified here
are overridden by those specified in the \fI\%realms\fP section.
.SS [plugins]
.INDENT 0.0
.INDENT 3.5
.INDENT 0.0
.IP \(bu 2
\fI\%pwqual\fP interface
.IP \(bu 2
\fI\%kadm5_hook\fP interface
.IP \(bu 2
\fI\%clpreauth\fP and \fI\%kdcpreauth\fP interfaces
.UNINDENT
.UNINDENT
.UNINDENT
.sp
Tags in the [plugins] section can be used to register dynamic plugin
modules and to turn modules on and off.  Not every krb5 pluggable
interface uses the [plugins] section; the ones that do are documented
here.
.sp
New in release 1.9.
.sp
Each pluggable interface corresponds to a subsection of [plugins].
All subsections support the same tags:
.INDENT 0.0
.TP
\fBdisable\fP
This tag may have multiple values. If there are values for this
tag, then the named modules will be disabled for the pluggable
interface.
.TP
\fBenable_only\fP
This tag may have multiple values. If there are values for this
tag, then only the named modules will be enabled for the pluggable
interface.
.TP
\fBmodule\fP
This tag may have multiple values.  Each value is a string of the
form \fBmodulename:pathname\fP, which causes the shared object
located at \fIpathname\fP to be registered as a dynamic module named
\fImodulename\fP for the pluggable interface.  If \fIpathname\fP is not an
absolute path, it will be treated as relative to the
\fBplugin_base_dir\fP value from \fI\%[libdefaults]\fP\&.
.UNINDENT
.sp
For pluggable interfaces where module order matters, modules
registered with a \fBmodule\fP tag normally come first, in the order
they are registered, followed by built\-in modules in the order they
are documented below.  If \fBenable_only\fP tags are used, then the
order of those tags overrides the normal module order.
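.sp
The ordering rules above as an added Python example (not MIT krb5 code):
dynamic modules first in registration order, then built\-ins in documented
order, \fBenable_only\fP restricting and reordering the list, and
\fBdisable\fP removing names.  Applying \fBdisable\fP after \fBenable_only\fP
is an assumption; the dynamic module name \fBmypreauth\fP and its path are
made up, and the built\-in names are the clpreauth modules documented on
this page.
.sp
```python
"""Effective module order for one [plugins] subsection.

Added illustration, not MIT krb5 code.  Applying 'disable' after 'enable_only'
is an assumption.  The dynamic module name 'mypreauth' and its path are made
up; the built-in names are the clpreauth modules documented on this page.
"""
import os
from typing import Dict, List, Tuple


def resolve_module(value: str, plugin_base_dir: str) -> Tuple[str, str]:
    """Split a 'modulename:pathname' value, anchoring a relative path at plugin_base_dir."""
    name, sep, path = value.partition(":")
    if not sep or not name or not path:
        raise ValueError(f"module value must be modulename:pathname: {value!r}")
    if not os.path.isabs(path):
        path = os.path.join(plugin_base_dir, path)
    return name, path


def effective_modules(section: Dict[str, List[str]], builtins: List[str],
                      plugin_base_dir: str) -> List[str]:
    """Module names in the order the interface will consult them.

    section maps each tag of the subsection ('module', 'enable_only', 'disable')
    to its list of values, since each tag may appear more than once.
    """
    dynamic = [resolve_module(v, plugin_base_dir)[0] for v in section.get("module", [])]
    order = dynamic + list(builtins)          # registered modules first, then built-ins
    enable_only = section.get("enable_only")
    if enable_only:                           # restricts the set and dictates the order
        order = [m for m in enable_only if m in order]
    disabled = set(section.get("disable", []))
    return [m for m in order if m not in disabled]


# Built-in clpreauth modules, in the order the page documents them.
CLPREAUTH_BUILTINS = ["pkinit", "encrypted_challenge", "encrypted_timestamp"]

if __name__ == "__main__":
    section = {"module": ["mypreauth:mypreauth.so"], "disable": ["pkinit"]}
    print(effective_modules(section, CLPREAUTH_BUILTINS, "/usr/lib/krb5/plugins"))
```
.sp
Feeding the function the tag values from your own krb5.conf shows which
modules actually remain active before you rely on a \fBdisable\fP or
\fBenable_only\fP tag.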
.sp
The following subsections are currently supported within the [plugins]
section:
.SS ccselect interface
.sp
The ccselect subsection controls modules for credential cache
selection within a cache collection.  In addition to any registered
dynamic modules, the following built\-in modules exist (and may be
disabled with the disable tag):
.INDENT 0.0
.TP
\fBk5identity\fP
Uses a .k5identity file in the user\(aqs home directory to select a
client principal
.TP
\fBrealm\fP
Uses the service realm to guess an appropriate cache from the
collection
.TP
\fBhostname\fP
If the service principal is host\-based, uses the service hostname
to guess an appropriate cache from the collection
.UNINDENT
.SS pwqual interface
.sp
The pwqual subsection controls modules for the password quality
interface, which is used to reject weak passwords when passwords are
changed.  The following built\-in modules exist for this interface:
.INDENT 0.0
.TP
\fBdict\fP
Checks against the realm dictionary file
.TP
\fBempty\fP
Rejects empty passwords
.TP
\fBhesiod\fP
Checks against user information stored in Hesiod (only if Kerberos
was built with Hesiod support)
.TP
\fBprinc\fP
Checks against components of the principal name
.UNINDENT
.SS kadm5_hook interface
.sp
The kadm5_hook interface provides plugins with information on
principal creation, modification, password changes and deletion.  This
interface can be used to write a plugin to synchronize MIT Kerberos
with another database such as Active Directory.  No plugins are built
in for this interface.
.SS kadm5_auth interface
.sp
The kadm5_auth section (introduced in release 1.16) controls modules
for the kadmin authorization interface, which determines whether a
client principal is allowed to perform a kadmin operation.  The
following built\-in modules exist for this interface:
.INDENT 0.0
.TP
\fBacl\fP
This module reads the kadm5.acl(5) file, and authorizes
operations which are allowed according to the rules in the file.
.TP
\fBself\fP
This module authorizes self\-service operations including password
changes, creation of new random keys, fetching the client\(aqs
principal record or string attributes, and fetching the policy
record associated with the client principal.
.UNINDENT
.SS clpreauth and kdcpreauth interfaces
.sp
The clpreauth and kdcpreauth interfaces allow plugin modules to
provide client and KDC preauthentication mechanisms.  The following
built\-in modules exist for these interfaces:
.INDENT 0.0
.TP
\fBpkinit\fP
This module implements the PKINIT preauthentication mechanism.
.TP
\fBencrypted_challenge\fP
This module implements the encrypted challenge FAST factor.
.TP
\fBencrypted_timestamp\fP
This module implements the encrypted timestamp mechanism.
.UNINDENT
.SS hostrealm interface
.sp
The hostrealm section (introduced in release 1.12) controls modules
for the host\-to\-realm interface, which affects the local mapping of
hostnames to realm names and the choice of default realm.  The following
built\-in modules exist for this interface:
.INDENT 0.0
.TP
\fBprofile\fP
This module consults the [domain_realm] section of the profile for
authoritative host\-to\-realm mappings, and the \fBdefault_realm\fP
variable for the default realm.
.TP
\fBdns\fP
This module looks for DNS records for fallback host\-to\-realm
mappings and the default realm.  It only operates if the
\fBdns_lookup_realm\fP variable is set to true.
.TP
\fBdomain\fP
This module applies heuristics for fallback host\-to\-realm
mappings.  It implements the \fBrealm_try_domains\fP variable, and
uses the uppercased parent domain of the hostname if that does not
produce a result.
.UNINDENT
.SS localauth interface
.sp
The localauth section (introduced in release 1.12) controls modules
for the local authorization interface, which affects the relationship
between Kerberos principals and local system accounts.  The following
built\-in modules exist for this interface:
.INDENT 0.0
.TP
\fBdefault\fP
This module implements the \fBDEFAULT\fP type for \fBauth_to_local\fP
values.
.TP
\fBrule\fP
This module implements the \fBRULE\fP type for \fBauth_to_local\fP
values.
.TP
\fBnames\fP
This module looks for an \fBauth_to_local_names\fP mapping for the
principal name.
.TP
\fBauth_to_local\fP
This module processes \fBauth_to_local\fP values in the default
realm\(aqs section, and applies the default method if no
\fBauth_to_local\fP values exist.
.TP
\fBk5login\fP
This module authorizes a principal to a local account according to
the account\(aqs \&.k5login(5) file.
.TP
\fBan2ln\fP
This module authorizes a principal to a local account if the
principal name maps to the local account name.
.UNINDENT
.SS certauth interface
.sp
The certauth section (introduced in release 1.16) controls modules for
the certificate authorization interface, which determines whether a
certificate is allowed to preauthenticate a user via PKINIT.  The
following built\-in modules exist for this interface:
.INDENT 0.0
.TP
\fBpkinit_san\fP
This module authorizes the certificate if it contains a PKINIT
Subject Alternative Name for the requested client principal, or a
Microsoft UPN SAN matching the principal if \fBpkinit_allow_upn\fP
is set to true for the realm.
.TP
\fBpkinit_eku\fP
This module rejects the certificate if it does not contain an
Extended Key Usage attribute consistent with the
\fBpkinit_eku_checking\fP value for the realm.
.TP
\fBdbmatch\fP
This module authorizes or rejects the certificate according to
whether it matches the \fBpkinit_cert_match\fP string attribute on
the client principal, if that attribute is present.
.UNINDENT
.SH PKINIT OPTIONS
.sp
\fBNOTE:\fP
.INDENT 0.0
.INDENT 3.5
The following are PKINIT\-specific options.  These values may
be specified in [libdefaults] as global defaults, or within
a realm\-specific subsection of [libdefaults], or may be
specified as realm\-specific values in the [realms] section.
A realm\-specific value overrides, not adds to, a generic
[libdefaults] specification.  The search order is:
.UNINDENT
.UNINDENT
.INDENT 0.0
.IP 1. 3
realm\-specific subsection of [libdefaults]:
.INDENT 3.0
.INDENT 3.5
.sp
.nf
.ft C
[libdefaults]
    EXAMPLE.COM = {
        pkinit_anchors = FILE:/usr/local/example.com.crt
    }
.ft P
.fi
.UNINDENT
.UNINDENT
.IP 2. 3
realm\-specific value in the [realms] section:
.INDENT 3.0
.INDENT 3.5
.sp
.nf
.ft C
[realms]
    OTHERREALM.ORG = {
        pkinit_anchors = FILE:/usr/local/otherrealm.org.crt
    }
.ft P
.fi
.UNINDENT
.UNINDENT
.IP 3. 3
generic value in the [libdefaults] section:
.INDENT 3.0
.INDENT 3.5
.sp
.nf
.ft C
[libdefaults]
    pkinit_anchors = DIR:/usr/local/generic_trusted_cas/
.ft P
.fi
.UNINDENT
.UNINDENT
.UNINDENT
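.sp
An added Python example (not MIT krb5 code) covering both precedence searches
described on this page: the four\-level [appdefaults] lookup (application
plus realm, application, realm, option alone) run over the telnet example in
that section, and the three\-level PKINIT search order (realm subsection of
[libdefaults], [realms] entry, generic [libdefaults]) run over the
\fBpkinit_anchors\fP snippets above.  The profile is a nested dict; the two
telnet blocks are merged into one node, and the generic \fBpkinit_anchors\fP
is given two values (the second constructed) to show that a realm\-specific
value replaces the list rather than extending it.
.sp
```python
"""Option precedence for [appdefaults] and for PKINIT options.

Added illustration, not MIT krb5 code.  The profile is a nested dict built
from the page's examples; the second generic pkinit_anchors value is
constructed.
"""
from typing import Any, Dict, Optional, Sequence

# The page's [appdefaults] example; both "telnet = { }" blocks merged into one node.
APPDEFAULTS: Dict[str, Any] = {
    "telnet": {
        "ATHENA.MIT.EDU": {"option1": "false"},
        "option1": "true",
        "option2": "true",
    },
    "ATHENA.MIT.EDU": {"option2": "false"},
    "option2": "true",
}

# The page's three pkinit_anchors snippets, as one profile.
PKINIT_PROFILE: Dict[str, Any] = {
    "libdefaults": {
        "EXAMPLE.COM": {"pkinit_anchors": ["FILE:/usr/local/example.com.crt"]},
        "pkinit_anchors": ["DIR:/usr/local/generic_trusted_cas/",
                           "FILE:/etc/pki/extra-anchor.pem"],   # second value constructed
    },
    "realms": {
        "OTHERREALM.ORG": {"pkinit_anchors": ["FILE:/usr/local/otherrealm.org.crt"]},
    },
}


def _lookup(node: Any, path: Sequence[str]) -> Optional[Any]:
    """Walk a nested dict; a missing key or a subsection at the end yields None."""
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return None if isinstance(node, dict) else node


def appdefault(profile: Dict[str, Any], app: str, realm: Optional[str],
               option: str) -> Optional[Any]:
    """[appdefaults] search: app+realm, app, realm, then the bare option."""
    candidates = []
    if realm:
        candidates.append((app, realm, option))
    candidates.append((app, option))
    if realm:
        candidates.append((realm, option))
    candidates.append((option,))
    for path in candidates:
        value = _lookup(profile, path)
        if value is not None:
            return value
    return None


def pkinit_option(profile: Dict[str, Any], realm: str, option: str) -> Optional[Any]:
    """PKINIT search: [libdefaults] realm subsection, [realms] entry, generic [libdefaults].
    The first hit is returned whole, so realm-specific lists replace generic ones."""
    for path in (("libdefaults", realm, option), ("realms", realm, option),
                 ("libdefaults", option)):
        value = _lookup(profile, path)
        if value is not None:
            return value
    return None
```
.sp
The replace\-not\-merge behaviour matters for trust anchors: a realm
subsection that lists one CA file silently drops every generic anchor for
that realm, which is usually what you want but is easy to overlook when the
generic list is long.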
.SS Specifying PKINIT identity information
.sp
The syntax for specifying Public Key identity, trust, and revocation
information for PKINIT is as follows:
.INDENT 0.0
.TP
\fBFILE:\fP\fIfilename\fP[\fB,\fP\fIkeyfilename\fP]
This option has context\-specific behavior.
.sp
In \fBpkinit_identity\fP or \fBpkinit_identities\fP, \fIfilename\fP
specifies the name of a PEM\-format file containing the user\(aqs
certificate.  If \fIkeyfilename\fP is not specified, the user\(aqs
private key is expected to be in \fIfilename\fP as well.  Otherwise,
\fIkeyfilename\fP is the name of the file containing the private key.
.sp
In \fBpkinit_anchors\fP or \fBpkinit_pool\fP, \fIfilename\fP is assumed to
be the name of an OpenSSL\-style ca\-bundle file.
.TP
\fBDIR:\fP\fIdirname\fP
This option has context\-specific behavior.
.sp
In \fBpkinit_identity\fP or \fBpkinit_identities\fP, \fIdirname\fP
specifies a directory with files named \fB*.crt\fP and \fB*.key\fP
where the first part of the file name is the same for matching
pairs of certificate and private key files.  When a file with a
name ending with \fB\&.crt\fP is found, a matching file ending with
\fB\&.key\fP is assumed to contain the private key.  If no such file
is found, then the certificate in the \fB\&.crt\fP is not used.
.sp
In \fBpkinit_anchors\fP or \fBpkinit_pool\fP, \fIdirname\fP is assumed to
be an OpenSSL\-style hashed CA directory where each CA cert is
stored in a file named \fBhash\-of\-ca\-cert.#\fP\&.  This infrastructure
is encouraged, but all files in the directory will be examined and
if they contain certificates (in PEM format), they will be used.
.sp
In \fBpkinit_revoke\fP, \fIdirname\fP is assumed to be an OpenSSL\-style
hashed CA directory where each revocation list is stored in a file
named \fBhash\-of\-ca\-cert.r#\fP\&.  This infrastructure is encouraged,
but all files in the directory will be examined and if they
contain a revocation list (in PEM format), they will be used.
.TP
\fBPKCS12:\fP\fIfilename\fP
\fIfilename\fP is the name of a PKCS #12 format file, containing the
user\(aqs certificate and private key.
.TP
\fBPKCS11:\fP[\fBmodule_name=\fP]\fImodname\fP[\fB:slotid=\fP\fIslot\-id\fP][\fB:token=\fP\fItoken\-label\fP][\fB:certid=\fP\fIcert\-id\fP][\fB:certlabel=\fP\fIcert\-label\fP]
All keyword/values are optional.  \fImodname\fP specifies the location
of a library implementing PKCS #11.  If a value is encountered
with no keyword, it is assumed to be the \fImodname\fP\&.  If no
module\-name is specified, the default is \fBopensc\-pkcs11.so\fP\&.
\fBslotid=\fP and/or \fBtoken=\fP may be specified to force the use of
a particular smart card reader or token if there is more than one
available.  \fBcertid=\fP and/or \fBcertlabel=\fP may be specified to
force the selection of a particular certificate on the device.
See the \fBpkinit_cert_match\fP configuration option for more ways
to select a particular certificate to use for PKINIT.
.TP
\fBENV:\fP\fIenvvar\fP
\fIenvvar\fP specifies the name of an environment variable which has
been set to a value conforming to one of the previous values.  For
example, \fBENV:X509_PROXY\fP, where environment variable
\fBX509_PROXY\fP has been set to \fBFILE:/tmp/my_proxy.pem\fP\&.
.UNINDENT
.SS PKINIT krb5.conf options
.INDENT 0.0
.TP
\fBpkinit_anchors\fP
Specifies the location of trusted anchor (root) certificates which
the client trusts to sign KDC certificates.  This option may be
specified multiple times.  These values from the config file are
not used if the user specifies X509_anchors on the command line.
.TP
\fBpkinit_cert_match\fP
Specifies matching rules that the client certificate must match
before it is used to attempt PKINIT authentication.  If a user has
multiple certificates available (on a smart card, or via other
media), there must be exactly one certificate chosen before
attempting PKINIT authentication.  This option may be specified
multiple times.  All the available certificates are checked
against each rule in order until there is a match of exactly one
certificate.
.sp
The Subject and Issuer comparison strings are the \fI\%RFC 2253\fP
string representations from the certificate Subject DN and Issuer
DN values.
.sp
The syntax of the matching rules is:
.INDENT 7.0
.INDENT 3.5
[\fIrelation\-operator\fP]\fIcomponent\-rule\fP ...
.UNINDENT
.UNINDENT
.sp
where:
.INDENT 7.0
.TP
.B \fIrelation\-operator\fP
can be either \fB&&\fP, meaning all component rules must match,
or \fB||\fP, meaning only one component rule must match.  The
default is \fB&&\fP\&.
.TP
.B \fIcomponent\-rule\fP
can be one of the following.  Note that there is no
punctuation or whitespace between component rules.
.INDENT 7.0
.INDENT 3.5
.nf
\fB<SUBJECT>\fP\fIregular\-expression\fP
\fB<ISSUER>\fP\fIregular\-expression\fP
\fB<SAN>\fP\fIregular\-expression\fP
\fB<EKU>\fP\fIextended\-key\-usage\-list\fP
\fB<KU>\fP\fIkey\-usage\-list\fP
.fi
.sp
.UNINDENT
.UNINDENT
.sp
\fIextended\-key\-usage\-list\fP is a comma\-separated list of
required Extended Key Usage values.  All values in the list
must be present in the certificate.  Extended Key Usage values
can be:
.INDENT 7.0
.IP \(bu 2
pkinit
.IP \(bu 2
msScLogin
.IP \(bu 2
clientAuth
.IP \(bu 2
emailProtection
.UNINDENT
.sp
\fIkey\-usage\-list\fP is a comma\-separated list of required Key
Usage values.  All values in the list must be present in the
certificate.  Key Usage values can be:
.INDENT 7.0
.IP \(bu 2
digitalSignature
.IP \(bu 2
keyEncipherment
.UNINDENT
.UNINDENT
.sp
Examples:
.INDENT 7.0
.INDENT 3.5
.sp
.nf
.ft C
pkinit_cert_match = ||<SUBJECT>.*DoE.*<SAN>.*@EXAMPLE.COM
pkinit_cert_match = &&<EKU>msScLogin,clientAuth<ISSUER>.*DoE.*
pkinit_cert_match = <EKU>msScLogin,clientAuth<KU>digitalSignature
.ft P
.fi
.UNINDENT
.UNINDENT
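.sp
An added Python example (not MIT krb5 code) that parses
\fBpkinit_cert_match\fP rules in the syntax above and runs the page\(aqs three
example rules over two constructed certificate records (subject and issuer
as RFC 2253 strings, a SAN list, EKU and KU sets).  SUBJECT, ISSUER and SAN
expressions are applied unanchored with \fBre.search\fP, which is an
assumption about the matching semantics; EKU and KU lists require every
listed value to be present.
.sp
```python
"""Select exactly one client certificate with pkinit_cert_match rules.

Added illustration, not MIT krb5 code.  Certificates are dicts with RFC 2253
subject/issuer strings, a list of SAN values and sets of EKU/KU names.
SUBJECT, ISSUER and SAN regular expressions are applied with re.search
(unanchored), an assumption about the real matching semantics.
"""
import re
from typing import Dict, List, Optional, Tuple

COMPONENT = re.compile(r"<(SUBJECT|ISSUER|SAN|EKU|KU)>")


def parse_rule(rule: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Return (operator, [(tag, argument), ...]) for one pkinit_cert_match value."""
    op = "&&"                                  # default relation operator
    if rule.startswith("&&") or rule.startswith("||"):
        op, rule = rule[:2], rule[2:]
    parts = COMPONENT.split(rule)              # ['', 'SUBJECT', '.*DoE.*', 'SAN', ...]
    if parts[0] != "":
        raise ValueError(f"text before first component rule: {parts[0]!r}")
    components = [(parts[i], parts[i + 1]) for i in range(1, len(parts), 2)]
    if not components:
        raise ValueError("rule has no component rules")
    return op, components


def component_matches(tag: str, arg: str, cert: Dict) -> bool:
    if tag == "SUBJECT":
        return re.search(arg, cert["subject"]) is not None
    if tag == "ISSUER":
        return re.search(arg, cert["issuer"]) is not None
    if tag == "SAN":
        return any(re.search(arg, san) for san in cert["san"])
    if tag == "EKU":                            # every listed value must be present
        return set(arg.split(",")) <= cert["eku"]
    if tag == "KU":
        return set(arg.split(",")) <= cert["ku"]
    raise ValueError(f"unknown component rule {tag!r}")


def rule_matches(rule: str, cert: Dict) -> bool:
    op, components = parse_rule(rule)
    results = (component_matches(tag, arg, cert) for tag, arg in components)
    return all(results) if op == "&&" else any(results)


def select_certificate(rules: List[str], certs: List[Dict]) -> Optional[Dict]:
    """Rules are tried in order; the first that matches exactly one cert wins."""
    for rule in rules:
        hits = [c for c in certs if rule_matches(rule, c)]
        if len(hits) == 1:
            return hits[0]
    return None


# Constructed certificate records (not real certificates).
CERTS = [
    {"name": "smartcard-login",
     "subject": "CN=Alice Example,OU=DoE Staff,O=Example",
     "issuer": "CN=DoE Issuing CA,O=Example",
     "san": ["alice@EXAMPLE.COM"],
     "eku": {"msScLogin", "clientAuth"},
     "ku": {"digitalSignature"}},
    {"name": "email",
     "subject": "CN=Alice Example,OU=DoE Staff,O=Example",
     "issuer": "CN=Mail CA,O=Example",
     "san": ["alice@example.com"],
     "eku": {"emailProtection", "clientAuth"},
     "ku": {"digitalSignature", "keyEncipherment"}},
]

# The page's three example rules, in the order they would be tried.
PAGE_RULES = [
    "||<SUBJECT>.*DoE.*<SAN>.*@EXAMPLE.COM",
    "&&<EKU>msScLogin,clientAuth<ISSUER>.*DoE.*",
    "<EKU>msScLogin,clientAuth<KU>digitalSignature",
]
```
.sp
With these two records the first rule matches both certificates (both
subjects contain \fBDoE\fP), so it is ambiguous and skipped; the second rule
matches only the smart\-card certificate, which is selected.  A rule that
matches zero or several certificates never selects anything, so a loose
SUBJECT expression on a card holding several certificates is a common reason
PKINIT fails to start.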
.TP
\fBpkinit_eku_checking\fP
This option specifies what Extended Key Usage value the KDC
certificate presented to the client must contain.  (Note that if
the KDC certificate has the pkinit SubjectAlternativeName encoded
as the Kerberos TGS name, EKU checking is not necessary since the
issuing CA has certified this as a KDC certificate.)  The values
recognized in the krb5.conf file are:
.INDENT 7.0
.TP
\fBkpKDC\fP
This is the default value and specifies that the KDC must have
the id\-pkinit\-KPKdc EKU as defined in \fI\%RFC 4556\fP\&.
.TP
\fBkpServerAuth\fP
If \fBkpServerAuth\fP is specified, a KDC certificate with the
id\-kp\-serverAuth EKU will be accepted.  This key usage value
is used in most commercially issued server certificates.
.TP
\fBnone\fP
If \fBnone\fP is specified, then the KDC certificate will not be
checked to verify it has an acceptable EKU.  The use of this
option is not recommended.
.UNINDENT
.TP
\fBpkinit_dh_min_bits\fP
Specifies the size of the Diffie\-Hellman key the client will
attempt to use.  The acceptable values are 1024, 2048, and 4096.
The default is 2048.
.TP
\fBpkinit_identities\fP
Specifies the location(s) to be used to find the user\(aqs X.509
identity information.  If this option is specified multiple times,
the first valid value is used; this can be used to specify an
environment variable (with \fBENV:\fP\fIenvvar\fP) followed by a
default value.  Note that these values are not used if the user
specifies \fBX509_user_identity\fP on the command line.
.TP
\fBpkinit_kdc_hostname\fP
The presence of this option indicates that the client is willing
to accept a KDC certificate with a dNSName SAN (Subject
Alternative Name) rather than requiring the id\-pkinit\-san as
defined in \fI\%RFC 4556\fP\&.  This option may be specified multiple
times.  Its value should contain the acceptable hostname for the
KDC (as contained in its certificate).
.TP
\fBpkinit_pool\fP
Specifies the location of intermediate certificates which may be
used by the client to complete the trust chain between a KDC
certificate and a trusted anchor.  This option may be specified
multiple times.
.TP
\fBpkinit_require_crl_checking\fP
The default certificate verification process will always check the
available revocation information to see if a certificate has been
revoked.  If a match is found for the certificate in a CRL,
verification fails.  If the certificate being verified is not
listed in a CRL, or there is no CRL present for its issuing CA,
and \fBpkinit_require_crl_checking\fP is false, then verification
succeeds.
.sp
However, if \fBpkinit_require_crl_checking\fP is true and there is
no CRL information available for the issuing CA, then verification
fails.
.sp
\fBpkinit_require_crl_checking\fP should be set to true if the
policy is such that up\-to\-date CRLs must be present for every CA.
.TP
\fBpkinit_revoke\fP
Specifies the location of Certificate Revocation List (CRL)
information to be used by the client when verifying the validity
of the KDC certificate presented.  This option may be specified
multiple times.
.UNINDENT
.SH PARAMETER EXPANSION
.sp
Starting with release 1.11, several variables, such as
\fBdefault_keytab_name\fP, allow parameters to be expanded.
Valid parameters are:
.INDENT 0.0
.INDENT 3.5
.TS
center;
|l|l|.
_
T{
%{TEMP}
T}	T{
Temporary directory
T}
_
T{
%{uid}
T}	T{
Unix real UID or Windows SID
T}
_
T{
%{euid}
T}	T{
Unix effective user ID or Windows SID
T}
_
T{
%{USERID}
T}	T{
Same as %{uid}
T}
_
T{
%{null}
T}	T{
Empty string
T}
_
T{
%{LIBDIR}
T}	T{
Installation library directory
T}
_
T{
%{BINDIR}
T}	T{
Installation binary directory
T}
_
T{
%{SBINDIR}
T}	T{
Installation admin binary directory
T}
_
T{
%{username}
T}	T{
(Unix) Username of effective user ID
T}
_
T{
%{APPDATA}
T}	T{
(Windows) Roaming application data for current user
T}
_
T{
%{COMMON_APPDATA}
T}	T{
(Windows) Application data for all users
T}
_
T{
%{LOCAL_APPDATA}
T}	T{
(Windows) Local application data for current user
T}
_
T{
%{SYSTEM}
T}	T{
(Windows) Windows system folder
T}
_
T{
%{WINDOWS}
T}	T{
(Windows) Windows folder
T}
_
T{
%{USERCONFIG}
T}	T{
(Windows) Per\-user MIT krb5 config file directory
T}
_
T{
%{COMMONCONFIG}
T}	T{
(Windows) Common MIT krb5 config file directory
T}
_
.TE
.UNINDENT
.UNINDENT
.SH SAMPLE KRB5.CONF FILE
.sp
Here is an example of a generic krb5.conf file:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
[libdefaults]
    default_realm = ATHENA.MIT.EDU
    dns_lookup_kdc = true
    dns_lookup_realm = false

[realms]
    ATHENA.MIT.EDU = {
        kdc = kerberos.mit.edu
        kdc = kerberos\-1.mit.edu
        kdc = kerberos\-2.mit.edu
        admin_server = kerberos.mit.edu
        master_kdc = kerberos.mit.edu
    }
    EXAMPLE.COM = {
        kdc = kerberos.example.com
        kdc = kerberos\-1.example.com
        admin_server = kerberos.example.com
    }

[domain_realm]
    mit.edu = ATHENA.MIT.EDU

[capaths]
    ATHENA.MIT.EDU = {
           EXAMPLE.COM = .
    }
    EXAMPLE.COM = {
           ATHENA.MIT.EDU = .
    }
.ft P
.fi
.UNINDENT
.UNINDENT
.SH FILES
.sp
\fB/etc/krb5.conf\fP
.SH SEE ALSO
.sp
syslog(3)
.SH AUTHOR
MIT
.SH COPYRIGHT
1985-2019, MIT
.\" Generated by docutils manpage writer.
.
.\" Man page generated from reStructuredText.
.
.TH "K5IDENTITY" "5" " " "1.17" "MIT Kerberos"
.SH NAME
k5identity \- Kerberos V5 client principal selection rules
.
.nr rst2man-indent-level 0
.
.de1 rstReportMargin
\\$1 \\n[an-margin]
level \\n[rst2man-indent-level]
level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
-
\\n[rst2man-indent0]
\\n[rst2man-indent1]
\\n[rst2man-indent2]
..
.de1 INDENT
.\" .rstReportMargin pre:
. RS \\$1
. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
. nr rst2man-indent-level +1
.\" .rstReportMargin post:
..
.de UNINDENT
. RE
.\" indent \\n[an-margin]
.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
.nr rst2man-indent-level -1
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
.SH DESCRIPTION
.sp
The .k5identity file, which resides in a user\(aqs home directory,
contains a list of rules for selecting a client principal based on
the server being accessed.  These rules are used to choose a
credential cache within the cache collection when possible.
.sp
Blank lines and lines beginning with \fB#\fP are ignored.  Each line has
the form:
.INDENT 0.0
.INDENT 3.5
\fIprincipal\fP \fIfield\fP=\fIvalue\fP ...
.UNINDENT
.UNINDENT
.sp
If the server principal meets all of the field constraints, then
principal is chosen as the client principal.  The following fields are
recognized:
.INDENT 0.0
.TP
\fBrealm\fP
If the realm of the server principal is known, it is matched
against \fIvalue\fP, which may be a pattern using shell wildcards.
For host\-based server principals, the realm will generally only be
known if there is a domain_realm section in
krb5.conf(5) with a mapping for the hostname.
.TP
\fBservice\fP
If the server principal is a host\-based principal, its service
component is matched against \fIvalue\fP, which may be a pattern using
shell wildcards.
.TP
\fBhost\fP
If the server principal is a host\-based principal, its hostname
component is converted to lower case and matched against \fIvalue\fP,
which may be a pattern using shell wildcards.
.sp
If the server principal matches the constraints of multiple lines
in the .k5identity file, the principal from the first matching
line is used.  If no line matches, credentials will be selected
some other way, such as the realm heuristic or the current primary
cache.
.UNINDENT
.SH EXAMPLE
.sp
The following example .k5identity file selects the client principal
\fBalice@KRBTEST.COM\fP if the server principal is within that realm,
the principal \fBalice/root@EXAMPLE.COM\fP if the server host is within
a servers subdomain, and the principal \fBalice/mail@EXAMPLE.COM\fP when
accessing the IMAP service on \fBmail.example.com\fP:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
alice@KRBTEST.COM       realm=KRBTEST.COM
alice/root@EXAMPLE.COM  host=*.servers.example.com
alice/mail@EXAMPLE.COM  host=mail.example.com service=imap
.ft P
.fi
.UNINDENT
.UNINDENT
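.sp
The selection the example file performs, as an added Python example (not
MIT krb5 code): the file is parsed into (principal, constraints) rules, a
server principal is split into service, host and realm, and the first rule
whose constraints all hold wins.  The realm is taken from the server
principal string when present and treated as unknown otherwise, since the
domain_realm lookup that would supply it is outside this snippet; host values
are lower\-cased before the shell\-wildcard match, as the \fBhost\fP field
description says.
.sp
```python
"""Choose a client principal from .k5identity rules for a server principal.

Added illustration, not MIT krb5 code.  The file body is the page's example
embedded as a string.  The server realm is taken from the server principal
string when present and treated as unknown otherwise.
"""
import fnmatch
from typing import Dict, List, Optional, Tuple

K5IDENTITY = """\
# constructed copy of the page's example .k5identity
alice@KRBTEST.COM       realm=KRBTEST.COM
alice/root@EXAMPLE.COM  host=*.servers.example.com
alice/mail@EXAMPLE.COM  host=mail.example.com service=imap
"""

FIELDS = ("realm", "service", "host")


def parse_k5identity(text: str) -> List[Tuple[str, Dict[str, str]]]:
    """Each non-blank, non-comment line becomes (principal, {field: pattern})."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        principal, *fields = line.split()
        constraints: Dict[str, str] = {}
        for field in fields:
            key, sep, value = field.partition("=")
            if not sep or key not in FIELDS:
                raise ValueError(f"bad field {field!r} in line {line!r}")
            constraints[key] = value
        rules.append((principal, constraints))
    return rules


def select_client_principal(rules: List[Tuple[str, Dict[str, str]]],
                            server_principal: str) -> Optional[str]:
    """First rule whose constraints all hold wins; None means 'select some other way'."""
    if "@" in server_principal:
        name, realm = server_principal.rsplit("@", 1)
    else:
        name, realm = server_principal, None          # realm unknown
    service, sep, host = name.partition("/")
    if not sep:                                       # not host-based
        service, host = None, None
    for principal, constraints in rules:
        ok = True
        for key, pattern in constraints.items():
            if key == "realm":
                ok = realm is not None and fnmatch.fnmatchcase(realm, pattern)
            elif key == "service":
                ok = service is not None and fnmatch.fnmatchcase(service, pattern)
            else:                                     # host: lower-cased before matching
                ok = host is not None and fnmatch.fnmatchcase(host.lower(), pattern)
            if not ok:
                break
        if ok:
            return principal
    return None


RULES = parse_k5identity(K5IDENTITY)

if __name__ == "__main__":
    for sp in ("ldap/dir.krbtest.com@KRBTEST.COM", "host/DB1.servers.example.com@EXAMPLE.COM",
               "imap/mail.example.com@EXAMPLE.COM", "smtp/mail.example.com@EXAMPLE.COM"):
        print(f"{sp:44} -> {select_client_principal(RULES, sp)}")
```
.sp
Note that the first rule only fires when the realm is known: the same
\fBrealm=\fP line does nothing for a host\-based service whose hostname has no
domain_realm mapping, which is the case the \fBrealm\fP field description
warns about.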
.SH SEE ALSO
.sp
kerberos(1), krb5.conf(5)
.SH AUTHOR
MIT
.SH COPYRIGHT
1985-2019, MIT
.\" Generated by docutils manpage writer.
.
.so man5/k5identity.5
