//proc/self/root/usr/share/doc/pkinit-nss-0.7.6/CONFIGURATION
In appdefaults:

allow_pkinit - Enable or disable the module.  Default is "yes".

allow_pkinit_server - Enable or disable the module for KDCs.  Default is to
    take the value of the "allow_pkinit" option.  Overrides "allow_pkinit".

allow_pkinit_client - Enable or disable the module for clients.  Default is
    to take the value of the "allow_pkinit" option.  Overrides "allow_pkinit".

trusted_guid - GUID extension value which the client will trust if the KDC's
    cert has no subjectAltName value which can be used.  No default.

pkinit_signed_data_version - The version number which should be used when
    creating SignedData items to send to a KDC as part of an RFC4556-style
    request.  Some server implementations will only accept version 1 (MIT
    Kerberos 1.6.3's default plugin), some will only accept version 3
    (Windows Server 2008).  Default is 3.  Requests which follow the draft
    version of the specification always use version 1.

pkinit_kdc_signed_data_version - The version number which should be used
    when creating SignedData items to send to a client.  Some client
    implementations will only accept version 1 (MIT Kerberos 1.6.3's default
    plugin).  Default is to use the version that the client used in its
    request.

pkinit_kdc_hostname - In combination with "pkinit_eku_checking", a DNS SAN
    which would be acceptable for a KDC.  No default.

pkinit_eku_checking - In combination with "pkinit_kdc_hostname", an EKU
    value which would be acceptable for a KDC.  Recognized values include
    "kpKDC", "kpServerAuth", and "none".  Default is "kpServerAuth".

pkinit_cert_match - Alternate combinations of client certificate
    characteristics which would cause it to be deemed sufficient for use.
    Rules are specified as combinations of fields and specifications in the
    form

        [&&]<FIELD1>spec1[,<FIELD2>spec2[,...]] [...]
            <FIELD1>spec1[,<FIELD2>spec2[,...]] [...]
        [||]<FIELD1>spec1[,<FIELD2>spec2[,...]] [...]

    Recognized fields and the types of specifications to be used include

        <SUBJECT>  Regular expression.
        <ISSUER>   Regular expression.
        <SAN>      Regular expression.
        <EKU>      List of zero or more values, possibly including "pkinit",
                   "msScLogin", "clientAuth", and "emailProtection".
        <KU>       List of zero or more values, possibly including
                   "digitalSignature" and "keyEncipherment".

    There is no default.

ocsp_checking - Enable or disable OCSP checking.  Default is "yes" for KDCs,
    "no" for clients.  Also recognized by the name
    "pkinit_require_ocsp_checking".

is_hw - Assume that a PKINIT client also satisfies requires_hwauth
    requirements.  Default is "no".

try_dh - Enable DH instead of enckey-based kinit.  Default is "yes".

minimum_dh_prime_size - Minimum acceptable size for DH primes.  Default
    1024.  Also recognized by the name "pkinit_dh_min_bits".

preferred_group - Preferred Oakley group when using DH.  The default moduli
    included with Heimdal correspond to 14.  Default is "2".  Valid values
    include 1, 2, 5, 14, 15, 16.

mappings_file - Name of a principal-name-to-subject-DN mapping file.  No
    default setting.

trust_pkinit_san - Whether or not to trust PKINIT-style subjectAltName
    values in certificates.  Default is "yes".

trust_upn_san - Whether or not to trust userPrincipalName subjectAltName
    values in certificates.  Default is "yes".

client_database - Location of the certificate/key/token database used by
    the client.  Default is set at compile-time.

client_certificate - Location of the certificate used by the client.  No
    default.

client_private_key - Location of the private key used by the client.  No
    default.

client_certificate_pool - Location of the directory which holds
    intermediate certificates for use by the client.  No default.

client_ca_certificate - Location of the client's CA's certificate.  No
    default.

client_ca_certificate_pool - Location of the directory which holds
    certificates of CAs which are trusted by the client.  No default.

server_database - Location of the certificate/key/token database used by
    the KDC.  Default is set at compile-time.

server_certificate - Location of the certificate used by the KDC.  No
    default.

server_private_key - Location of the private key used by the KDC.  No
    default.

server_certificate_pool - Location of the directory which holds
    intermediate certificates for use by the KDC.  No default.

server_ca_certificate - Location of the KDC's CA's certificate.  No default.

server_ca_certificate_pool - Location of the directory which holds
    certificates of CAs which are trusted by the KDC.  No default.

server_pin_file - Location of a file which contains a PIN which might be
    needed to log into the server database.  Default is "pin.txt" in the
    default server database directory.

debug_level - Logging level.  Default is "0".

debug_syslog - Whether or not to send debug messages to syslog.  Default is
    "yes".

debug_stdout - Whether or not to send debug messages to stdout if stdout is
    a terminal device.  Default is "no".

debug_stderr - Whether or not to send debug messages to stderr if stderr is
    a terminal device.  Default is "no".

trusted_servers - DNS names which, if found in a KDC's certificate, will
    make it acceptable as an alternate to having a matching principal name
    or GUID.

    [appdefaults]
        allow_pkinit = no
        pkinit = {
            BOSTON.REDHAT.COM = {
                trusted_guid = 9a:37:dd:c9:ad:15:34:4e:9d:36:b4:9f:fd:91:b8:74
            }
        }

At the command line (for example, kinit -X):

certificate_file - Location of the certificate file.

private_key_file - Location of the private key file.

certificate_pool - Location of the directory which holds intermediate
    certificates.

ca_certificate_file - Location of the CA's certificate.

ca_certificate_pool - Location of the directory which holds CA certificates.

debug - Comma-separated list of "stdout", "stderr", "syslog", or debug log
    level.

minimum_dh_prime_size - Minimum acceptable size for DH primes.  Default
    1024.

This is planned to line up with Heimdal and the CITI implementation, so it's
very much subject to change.
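The defaulting rules the file describes (allow_pkinit_client/allow_pkinit_server inheriting from and overriding allow_pkinit, the role-dependent ocsp_checking default, the pkinit_dh_min_bits alias), worked through as an added Python example that is not pkinit-nss code. The sample [appdefaults] block and the EXAMPLE.COM realm are constructed, and the scope precedence (realm block, then the "pkinit" block, then a bare key) is an assumption modelled on krb5.conf appdefaults lookup.

```python
# Added example (not pkinit-nss code): resolve effective pkinit-nss settings for
# one realm and role from an [appdefaults] block, using the defaults and overrides
# the CONFIGURATION file documents.  Scope precedence is an assumption (see below).
SAMPLE_CONF = """\
[appdefaults]
    allow_pkinit = yes
    pkinit = {
        EXAMPLE.COM = {
            allow_pkinit_client = no
            pkinit_dh_min_bits = 2048
        }
    }
"""  # constructed sample; EXAMPLE.COM is a placeholder realm

def parse_appdefaults(text):
    """Flatten "key = value" lines; "key = {" opens a scope, prefixing nested keys."""
    settings, scope = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("["):
            continue
        if line == "}":
            scope.pop()
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if value == "{":
            scope.append(key)
        else:
            settings[".".join(scope + [key])] = value
    return settings

def lookup(settings, realm, names, default=None):
    """Try each option name (the doc lists aliases), most specific scope first
    (realm block, then "pkinit" block, then bare key; assumed krb5.conf order)."""
    for name in names:
        for key in (f"pkinit.{realm}.{name}", f"pkinit.{name}", name):
            if key in settings:
                return settings[key]
    return default

def effective(settings, realm, role):
    """Effective values for role "client" or "server" (the KDC side)."""
    allow = lookup(settings, realm, ["allow_pkinit"], "yes")
    ocsp = lookup(settings, realm, ["ocsp_checking", "pkinit_require_ocsp_checking"],
                  "yes" if role == "server" else "no")  # KDC default yes, client no
    dh = lookup(settings, realm, ["minimum_dh_prime_size", "pkinit_dh_min_bits"], "1024")
    return {  # allow_pkinit_<role> overrides allow_pkinit, else inherits its value
        "allow_pkinit": lookup(settings, realm, [f"allow_pkinit_{role}"], allow),
        "ocsp_checking": ocsp,
        "minimum_dh_prime_size": int(dh),
    }
```

Running `effective(parse_appdefaults(SAMPLE_CONF), "EXAMPLE.COM", "client")` shows PKINIT disabled for clients of that realm only, while the same config still enables it for the KDC side.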