In appdefaults:

  allow_pkinit - Enable or disable the module. Default is "yes".
  allow_pkinit_server - Enable or disable the module for KDCs. Default is to take the value of the "allow_pkinit" option. Overrides "allow_pkinit".
  allow_pkinit_client - Enable or disable the module for clients. Default is to take the value of the "allow_pkinit" option. Overrides "allow_pkinit".
  trusted_guid - GUID extension value which the client will trust if the KDC's cert has no subjectAltName value which can be used. No default.
  pkinit_signed_data_version - The version number which should be used when creating SignedData items to send to a KDC as part of an RFC4556-style request. Some server implementations will only accept version 1 (MIT Kerberos 1.6.3's default plugin), some will only accept version 3 (Windows Server 2008). Default is 3. Requests which follow the draft version of the specification always use version 1.
  pkinit_kdc_signed_data_version - The version number which should be used when creating SignedData items to send to a client. Some client implementations will only accept version 1 (MIT Kerberos 1.6.3's default plugin). Default is to use the version that the client used in its request.
  pkinit_kdc_hostname - In combination with "pkinit_eku_checking", a DNS SAN which would be acceptable for a KDC. No default.
  pkinit_eku_checking - In combination with "pkinit_kdc_hostname", an EKU value which would be acceptable for a KDC. Recognized values include "kpKDC", "kpServerAuth", and "none". Default is "kpServerAuth".
  pkinit_cert_match - Alternate combinations of client certificate characteristics which would cause it to be deemed sufficient for use. Rules are specified as combinations of fields and specifications in the form
        [&&]<FIELD1>spec1[,<FIELD2>spec2[,...]] [...]
          <FIELD1>spec1[,<FIELD2>spec2[,...]] [...]
        [||]<FIELD1>spec1[,<FIELD2>spec2[,...]] [...]
      Recognized fields and the types of specifications to be used include
        <SUBJECT>  Regular expression.
        <ISSUER>   Regular expression.
        <SAN>      Regular expression.
        <EKU>      List of zero or more values, possibly including "pkinit", "msScLogin", "clientAuth", and "emailProtection".
        <KU>       List of zero or more values, possibly including "digitalSignature" and "keyEncipherment".
      There is no default.
  ocsp_checking - Enable or disable OCSP checking. Default is "yes" for KDCs, "no" for clients. Also recognized by the name "pkinit_require_ocsp_checking".
  is_hw - Assume that a PKINIT client also satisfies requires_hwauth requirements. Default is "no".
  try_dh - Enable DH instead of enckey-based kinit. Default is "yes".
  minimum_dh_prime_size - Minimum acceptable size for DH primes. Default 1024. Also recognized by the name "pkinit_dh_min_bits".
  preferred_group - Preferred Oakley group when using DH. The default moduli included with Heimdal correspond to 14. Default is "2". Valid values include 1, 2, 5, 14, 15, 16.
  mappings_file - Name of a principal-name-to-subject-DN mapping file. No default setting.
  trust_pkinit_san - Whether or not to trust PKINIT-style subjectAltName values in certificates. Default is "yes".
  trust_upn_san - Whether or not to trust userPrincipalName subjectAltName values in certificates. Default is "yes".
  client_database - Location of the certificate/key/token database used by the client. Default is set at compile-time.
  client_certificate - Location of the certificate used by the client. No default.
  client_private_key - Location of the private key used by the client. No default.
  client_certificate_pool - Location of the directory which holds intermediate certificates for use by the client. No default.
  client_ca_certificate - Location of the client's CA's certificate. No default.
  client_ca_certificate_pool - Location of the directory which holds certificates of CAs which are trusted by the client. No default.
  server_database - Location of the certificate/key/token database used by the KDC. Default is set at compile-time.
  server_certificate - Location of the certificate used by the KDC. No default.
  server_private_key - Location of the private key used by the KDC. No default.
  server_certificate_pool - Location of the directory which holds intermediate certificates for use by the KDC. No default.
  server_ca_certificate - Location of the KDC's CA's certificate. No default.
  server_ca_certificate_pool - Location of the directory which holds certificates of CAs which are trusted by the KDC. No default.
  server_pin_file - Location of a file which contains a PIN which might be needed to log into the server database. Default is "pin.txt" in the default server database directory.
  debug_level - Logging level. Default is "0".
  debug_syslog - Whether or not to send debug messages to syslog. Default is "yes".
  debug_stdout - Whether or not to send debug messages to stdout if stdout is a terminal device. Default is "no".
  debug_stderr - Whether or not to send debug messages to stderr if stderr is a terminal device. Default is "no".
  trusted_servers - DNS names which, if found in a KDC's certificate, will make it acceptable as an alternate to having a matching principal name or GUID.
  [appdefaults]
      allow_pkinit = no
      pkinit = {
          BOSTON.REDHAT.COM = {
              trusted_guid = 9a:37:dd:c9:ad:15:34:4e:9d:36:b4:9f:fd:91:b8:74
          }
      }
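As an added illustration (not part of the pkinit-nss README or its code), a small Python evaluator for rules written in the pkinit_cert_match format described above. It assumes the semantics the text leaves implicit: a leading "&&" (taken as the default) requires every listed field to match, a leading "||" requires any one of them, regular-expression fields match anywhere in the value, and an <EKU> or <KU> list requires each listed value to be present; the certificate attributes are constructed sample data, not a parsed certificate.

```python
import re
from dataclasses import dataclass

@dataclass
class CertAttrs:           # constructed, pre-extracted attributes, not a parsed X.509 cert
    subject: str
    issuer: str
    san: list              # subjectAltName values
    eku: set               # extendedKeyUsage names
    ku: set                # keyUsage names

def parse_rule(rule):
    """Split '[&&|||]<FIELD>spec[,<FIELD>spec...]' into (mode, [(field, spec), ...]).
    A comma separates components only when a <FIELD> follows it, so '<EKU>pkinit,clientAuth' stays intact."""
    mode = "&&"                      # assumed default when no prefix is given
    if rule.startswith(("&&", "||")):
        mode, rule = rule[:2], rule[2:]
    parts = []
    for item in re.split(r",(?=<)", rule.strip()):
        m = re.fullmatch(r"<(SUBJECT|ISSUER|SAN|EKU|KU)>(.*)", item)
        if not m:
            raise ValueError("bad rule component: %r" % item)
        parts.append((m.group(1), m.group(2)))
    return mode, parts

def component_matches(cert, fld, spec):
    if fld == "SUBJECT":
        return re.search(spec, cert.subject) is not None
    if fld == "ISSUER":
        return re.search(spec, cert.issuer) is not None
    if fld == "SAN":
        return any(re.search(spec, s) for s in cert.san)
    wanted = {v for v in spec.split(",") if v}
    have = cert.eku if fld == "EKU" else cert.ku
    return wanted <= have            # every listed EKU/KU value must be present (assumption)

def rule_matches(cert, rule):
    mode, parts = parse_rule(rule)
    results = [component_matches(cert, f, s) for f, s in parts]
    return all(results) if mode == "&&" else any(results)

def cert_acceptable(cert, rules):
    """Rules are alternatives: the certificate is acceptable if any one rule matches."""
    return any(rule_matches(cert, r) for r in rules)

# Constructed sample cert and policy: realm SAN, pkinit EKU and signing KU all required.
SMARTCARD = CertAttrs("CN=alice,OU=Users,O=Example Corp", "CN=Example Corp Logon CA,O=Example Corp",
                      ["alice@EXAMPLE.COM"], {"pkinit", "clientAuth"}, {"digitalSignature"})
RULES = [r"&&<SAN>@EXAMPLE\.COM$,<EKU>pkinit,clientAuth,<KU>digitalSignature",
         r"||<ISSUER>Logon CA,<SUBJECT>^CN=kdc"]
```

A certificate that carries the right SAN but lacks the "pkinit" EKU fails the first rule, which is the check a KDC operator usually wants when the alternative is accepting any cert the CA happens to issue.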
At the command line (for example, kinit -X):

  certificate_file - Location of the certificate file.
  private_key_file - Location of the private key file.
  certificate_pool - Location of the directory which holds intermediate certificates.
  ca_certificate_file - Location of the CA's certificate.
  ca_certificate_pool - Location of the directory which holds CA certificates.
  debug - Comma-separated list of "stdout", "stderr", "syslog", or debug log level.
  minimum_dh_prime_size - Minimum acceptable size for DH primes. Default 1024.

This is planned to line up with Heimdal and the CITI implementation, so it's very much subject to change.