Next: , Previous: Realm and Principal Naming, Up: Reference Manual


4.4 Shishi Configuration

The valid configuration file tokens are described here. The user configuration file is typically located in ~/.shishi/shishi.conf (compare ‘shishi --configuration-file’) and the system configuration is typically located in /usr/local/etc/shishi/shishi.conf (compare ‘shishi --system-configuration-file’). If the first non white space character of a line is a '#', the line is ignored. Empty lines are also ignored.

All tokens are valid in both the system and the user configuration files, and have the same meaning. However, as the system file is supposed to apply to all users on a system, it would not make sense to use some tokens in that file. For example, the ‘default-principal’ is rarely useful in a system configuration file.

4.4.1 ‘default-realm

Specify the default realm, by default the hostname of the host is used. E.g.,

     default-realm JOSEFSSON.ORG

4.4.2 ‘default-principal

Specify the default principal, by default the login username is used. E.g.,

     default-principal jas

4.4.3 ‘client-kdc-etypes

Specify which encryption types client asks server to respond in during AS/TGS exchanges. List valid encryption types, in preference order. Supported algorithms include aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1-kd, des-cbc-md5, des-cbc-md4, des-cbc-crc and null. This option also indicates which encryption types are accepted by the client when receiving the response. Note that the preference order is not cryptographically protected, so a man in the middle can modify the order without being detected. Thus, only specify encryption types you trust completely here. The default only includes aes256-cts-hmac-sha1-96, as suggested by RFC1510bis. E.g.,

     client-kdc-etypes=aes256-cts-hmac-sha1-96 des3-cbc-sha1-kd des-cbc-md5

4.4.4 ‘verbose’, ‘verbose-asn1’, ‘verbose-noise’, ‘verbose-crypto’, ‘verbose-crypto-noise

Enable verbose library messages. E.g.,

     verbose
     verbose-noise

4.4.5 ‘realm-kdc

Specify KDC addresses for realms. Value is ‘REALM,KDCADDRESS[/TRANSPORT][,KDCADDRESS[/TRANSPORT]...]’.

KDCADDRESS is the hostname or IP address of KDC.

Optional TRANSPORT is “udp” for UDP, “tcp” for TCP, and “tls” for TLS connections. By default UDP is tried first, and TCP used as a fallback if the KRB_ERR_RESPONSE_TOO_BIG error is received.

If not specified, Shishi tries to locate the KDC using SRV RRs, which is recommended. This option should normally only be used during experiments, or to access badly maintained realms.

     realm-kdc=JOSEFSSON.ORG,ristretto.josefsson.org

4.4.6 ‘server-realm

Specify realm for servers. Value is ‘REALM,SERVERREGEXP[,SERVERREGEXP...]’.

SERVERREGEXP is a regular expression matching servers in the realm. The first match is used. E.g.,

     server-realm=JOSEFSSON.ORG,.josefsson.org

Note: currently not used.

4.4.7 ‘kdc-timeout’, ‘kdc-retries

How long shishi waits for a response from a KDC before continuing to next KDC for realm. The default is 5 seconds. E.g.,

     kdc-timeout=10

How many times shishi sends a request to a KDC before giving up. The default is 3 times. E.g.,

     kdc-retries=5

4.4.8 ‘stringprocess

How username and passwords entered from the terminal, or taken from the command line, are processed.

"none": no processing is used.

"stringprep": convert from locale charset to UTF-8 and process using experimental RFC 1510 stringprep profile.

It can also be a string indicating a character set supported by iconv via libstringprep, in which case data is converted from locale charset into the indicated character set. E.g., UTF-8, ISO-8859-1, KOI-8, EBCDIC-IS-FRISS are supported on GNU systems. On some systems you can use "locale -m" to list available character sets. By default, the "none" setting is used which is consistent with RFC 1510 that is silent on the issue. In practice, however, converting to UTF-8 improves interoperability.

E.g.,

     stringprocess=UTF-8

4.4.9 ‘ticket-life

Specify default ticket life time.

The string can be in almost any common format. It can contain month names, time zones, `am' and `pm', `yesterday', `ago', `next', etc. See Date input formats, for the long story.

As an extra feature, if the time specified by your string correspond to a time during the last 24 hours, an extra day is added to it. This allows you to specify relative times such as "17:00" to always mean the next 17:00, even if your system clock happens to be 17:30.

The default is 8 hours.

E.g.,

     #ticket-life=8 hours
     #ticket-life=1 day
     ticket-life=17:00

4.4.10 ‘renew-life

Specify how long a renewable ticket should remain renewable.

See ticket-life for the syntax. The extra feature that handles negative values within the last 2 hours is not active here.

The default is 7 days.

E.g.,

     #renew-life=1 week
     #renew-life=friday 17:00
     renew-life=sunday