Kerberos Administration Guide, Release 1.16.1
clockskew Sets the maximum allowable amount of clockskew in seconds that the library will tolerate before assuming
that a Kerberos message is invalid. The default value is 300 seconds, or five minutes.
The clockskew setting is also used when evaluating ticket start and expiration times. For example, tickets that
have reached their expiration time can still be used (and renewed if they are renewable tickets) if they have been
expired for a shorter duration than the clockskew setting.
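The tolerance described above, modelled in Python as an added example (not code from the krb5 library or this guide). Times are integer epoch seconds; the boundary comparisons are this model's choice, and the renew_till bound in the last function is an assumption beyond what the clockskew entry itself states.

```python
"""Clock-skew tolerant time checks modelled on the clockskew rule (added example)."""

DEFAULT_CLOCKSKEW = 300  # library default: 300 seconds, i.e. five minutes


def message_fresh(now, msg_time, clockskew=DEFAULT_CLOCKSKEW):
    """A timestamped Kerberos message (an authenticator, for instance) is accepted
    only if its timestamp lies within clockskew seconds of the receiver's clock,
    in either direction; otherwise the message is treated as invalid."""
    return abs(now - msg_time) <= clockskew


def ticket_usable(now, starttime, endtime, clockskew=DEFAULT_CLOCKSKEW):
    """Apply clockskew to ticket start and expiration times: a ticket whose
    starttime is at most clockskew seconds ahead of now is accepted, and a
    ticket that expired less than clockskew seconds ago is still accepted."""
    if starttime > now + clockskew:
        return False  # not yet valid, beyond the tolerance
    if now - clockskew > endtime:
        return False  # expired longer ago than the tolerance
    return True


def renewal_allowed(now, endtime, renew_till, clockskew=DEFAULT_CLOCKSKEW):
    """A renewable ticket can be renewed within the same tolerance after expiry.
    The renew_till bound is assumed here (a renewable ticket cannot be renewed
    past its renew_till time); it is not part of the clockskew rule itself."""
    return now - clockskew <= endtime and now <= renew_till


if __name__ == "__main__":
    now = 1_700_000_000  # constructed "current time"
    print(ticket_usable(now, now - 3600, now - 100))  # expired 100 s ago: usable
    print(ticket_usable(now, now - 3600, now - 400))  # expired 400 s ago: rejected
```

A practical consequence: a larger clockskew widens every one of these windows at once, so raising it to paper over unsynchronised clocks also extends the replay window for captured authenticators.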
default_ccache_name This relation specifies the name of the default credential cache. The default is DEFCCNAME.
This relation is subject to parameter expansion (see below). New in release 1.11.
default_client_keytab_name This relation specifies the name of the default keytab for obtaining client credentials.
The default is DEFCKTNAME. This relation is subject to parameter expansion (see below). New in release 1.11.
default_keytab_name This relation specifies the default keytab name to be used by application servers such as sshd.
The default is DEFKTNAME. This relation is subject to parameter expansion (see below).
default_realm Identifies the default Kerberos realm for the client. Set its value to your Kerberos realm. If this value
is not set, then a realm must be specified with every Kerberos principal when invoking programs such as kinit(1).
default_tgs_enctypes Identifies the supported list of session key encryption types that the client should request
when making a TGS-REQ, in order of preference from highest to lowest. The list may be delimited with
commas or whitespace. See Encryption types in kdc.conf for a list of the accepted values for this tag. The
default value is aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 des3-cbc-sha1
arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc
des-cbc-md5 des-cbc-md4, but single-DES encryption types will be implicitly removed from this list if
the value of allow_weak_crypto is false.
Do not set this unless required for specific backward compatibility purposes; stale values of this setting can
prevent clients from taking advantage of new stronger enctypes when the libraries are upgraded.
default_tkt_enctypes Identifies the supported list of session key encryption types that the client should request
when making an AS-REQ, in order of preference from highest to lowest. The format is the same as for
default_tgs_enctypes. The default
value for this tag is aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 des3-cbc-sha1
arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc
des-cbc-md5 des-cbc-md4, but single-DES encryption types will be implicitly removed from this list if
the value of allow_weak_crypto is false.
Do not set this unless required for specific backward compatibility purposes; stale values of this setting can
prevent clients from taking advantage of new stronger enctypes when the libraries are upgraded.
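How the two enctype tags are read and filtered, and how to spot a stale pinned list, as an added Python example (not code from the krb5 library or this guide). It assumes allow_weak_crypto defaults to false when unset, which is the library default, and uses a constructed krb5.conf fragment containing only a [libdefaults] stanza.

```python
"""Model of libdefaults enctype list handling (added example, not krb5 code)."""
import configparser
import re

# Library default list as given above, highest preference first.
DEFAULT_ENCTYPES = (
    "aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 "
    "aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 des3-cbc-sha1 "
    "arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc "
    "des-cbc-md5 des-cbc-md4"
)

# Single-DES types that are implicitly dropped when allow_weak_crypto is false.
SINGLE_DES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4"}

# Constructed krb5.conf fragment: a list pinned years ago "for compatibility".
SAMPLE_KRB5_CONF = """\
[libdefaults]
default_realm = EXAMPLE.COM
default_tkt_enctypes = aes256-cts-hmac-sha1-96, arcfour-hmac-md5, des-cbc-crc
default_tgs_enctypes = aes256-cts-hmac-sha1-96 arcfour-hmac-md5 des-cbc-md5
"""


def parse_enctype_list(value):
    """Split on commas and/or whitespace, keeping order and dropping duplicates."""
    out = []
    for tok in re.split(r"[\s,]+", value.strip()):
        if tok and tok not in out:
            out.append(tok)
    return out


def load_libdefaults(text):
    """Read the [libdefaults] stanza of krb5.conf-style text.
    configparser copes with the flat 'key = value' stanza used here; it does not
    understand the brace-delimited realm subsections of a full krb5.conf."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return dict(cp["libdefaults"]) if cp.has_section("libdefaults") else {}


def effective_enctypes(libdefaults, tag):
    """List the client will actually request for `tag`
    ('default_tkt_enctypes' or 'default_tgs_enctypes'): the configured value,
    or the library default, minus single-DES unless allow_weak_crypto is on."""
    allow_weak = libdefaults.get("allow_weak_crypto", "false").strip().lower() in (
        "true", "yes", "1")
    requested = parse_enctype_list(libdefaults.get(tag, DEFAULT_ENCTYPES))
    return [e for e in requested if allow_weak or e not in SINGLE_DES]


def stale_enctype_warning(libdefaults, tag):
    """AES and Camellia entries of the default list that a pinned `tag` value
    would stop the client from ever requesting; empty when the tag is unset."""
    if tag not in libdefaults:
        return []
    configured = set(parse_enctype_list(libdefaults[tag]))
    return [e for e in parse_enctype_list(DEFAULT_ENCTYPES)
            if e not in configured and e.startswith(("aes", "camellia"))]


if __name__ == "__main__":
    ld = load_libdefaults(SAMPLE_KRB5_CONF)
    for tag in ("default_tkt_enctypes", "default_tgs_enctypes"):
        print(tag, "->", effective_enctypes(ld, tag))
        print("  never requested:", stale_enctype_warning(ld, tag))
```

Running it against the constructed fragment shows the DES entries silently disappearing (so leaving them in buys nothing) while the newer AES-SHA2 and Camellia types are never offered, which is exactly the stale-value problem the text warns about; the usual fix is to delete the tag rather than edit the list.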
dns_canonicalize_hostname Indicate whether name lookups will be used to canonicalize hostnames for use in ser-
vice principal names. Setting this flag to false can improve security by reducing reliance on DNS, but means
that short hostnames will not be canonicalized to fully-qualified hostnames. The default value is true.
dns_lookup_kdc Indicate whether DNS SRV records should be used to locate the KDCs and other servers for a realm,
if they are not listed in the krb5.conf information for the realm. (Note that the admin_server entry must be in
the krb5.conf realm information in order to contact kadmind, because the DNS implementation for kadmin is
incomplete.)
Enabling this option does open up a type of denial-of-service attack, if someone spoofs the DNS records and
redirects you to another server. However, it is no worse than a denial of service, because that fake KDC will
be unable to decode anything you send it (besides the initial ticket request, which has no encrypted data), and
anything the fake KDC sends will not be trusted without verification using some secret that it won't know.
One caveat: if the client performs encrypted-timestamp preauthentication, the initial request does carry a
timestamp encrypted under the client's long-term key, which a fake KDC can collect and attempt to crack offline
when that key is derived from a weak password. Listing the KDCs explicitly in the realm stanza removes the
reliance on DNS altogether, since DNS is consulted only when they are not listed.
dns_uri_lookup Indicate whether DNS URI records should be used to locate the KDCs and other servers for a realm,
if they are not listed in the krb5.conf information for the realm. SRV records are used as a fallback if no URI
records were found. The default value is true. New in release 1.15.