Chapter 5. Reference Manual

This chapter describes in detail all parameters, configuration file verbs, etc.

5.1. Configuration file

The valid configuration file tokens are described here. The user configuration file is typically located in ~/.shishi/shishi.conf (compare shishi --configuration-file) and the system configuration is typically located in /usr/local/etc/shishi.conf. All tokens are valid in both files, and have the same meaning. However, as the system file is supposed to apply to all users on a system, it would not make sense to use some tokens in both files. For example, default-principal is rarely useful in a system configuration file.

5.1.1. default-realm

Specify the default realm; by default the hostname of the host is used. E.g.,

default-realm JOSEFSSON.ORG

5.1.2. default-principal

Specify the default principal; by default the login username is used. E.g.,

default-principal jas

5.1.3. client-kdc-etypes

Specify which encryption types the client asks the server to respond in during AS/TGS exchanges. List valid encryption types, in preference order. Supported algorithms include aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1-kd, des-cbc-md5, des-cbc-md4, des-cbc-crc and null. This option also indicates which encryption types are accepted by the client when receiving the response. Note that the preference order is not cryptographically protected, so a man in the middle can modify the order without being detected. Thus, only specify encryption types you trust completely here. The default only includes aes256-cts-hmac-sha1-96, as suggested by RFC1510bis. E.g.,

client-kdc-etypes=aes256-cts-hmac-sha1-96 des3-cbc-sha1-kd des-cbc-md5

5.1.4. verbose, verbose-asn1, verbose-noice, verbose-crypto

Enable verbose library messages. E.g.,

verbose
verbose-noice

5.1.5. realm-kdc

Specify KDC addresses for realms. Value is REALM,KDCADDRESS[/PROTOCOL][,KDCADDRESS[/PROTOCOL]...].

KDCADDRESS is the hostname or IP address of KDC.

Optional PROTOCOL is udp for UDP, tcp for TCP, and TLS for TLS connections. By default UDP is tried first, and TCP used as a fallback if the KRB_ERR_RESPONSE_TOO_BIG error is received.

If not specified, Shishi tries to locate the KDC using SRV RRs, which is the recommended setup. This option should normally only be used during experiments, or to access badly maintained realms. E.g.,

realm-kdc=JOSEFSSON.ORG,ristretto.josefsson.org

5.1.6. server-realm

Specify realm for servers. Value is REALM,SERVERREGEXP[,SERVERREGEXP...].

SERVERREGEXP is a regular expression matching servers in the realm. The first match is used. E.g.,

server-realm=JOSEFSSON.ORG,.josefsson.org

Note: currently not used.
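The following is an added example, not code from Shishi itself, that parses the token formats described in the client-kdc-etypes, realm-kdc and server-realm sections above: it splits a small constructed configuration into tokens, decodes the REALM,KDCADDRESS[/PROTOCOL] list, applies the "first SERVERREGEXP match wins" rule, and flags encryption types that are unsupported or that a careful administrator would not want in a list whose order a man in the middle can reorder. The classification of DES and null as weak, the protocol names being case-insensitive, and all hostnames in the sample are assumptions made for the example.

```python
import re

# Encryption types the manual lists as supported.
SUPPORTED_ETYPES = {
    "aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96", "des3-cbc-sha1-kd",
    "des-cbc-md5", "des-cbc-md4", "des-cbc-crc", "null",
}
# Assumption for this example: single DES and null offer no real protection, and
# since the preference list is not integrity-protected, listing them at all lets a
# man in the middle push the exchange down to them.
WEAK_ETYPES = {"des-cbc-md5", "des-cbc-md4", "des-cbc-crc", "null"}

# Constructed sample configuration (hostnames are illustrative).
SAMPLE_CONF = """\
# constructed sample shishi.conf
default-realm JOSEFSSON.ORG
client-kdc-etypes=aes256-cts-hmac-sha1-96 des3-cbc-sha1-kd des-cbc-md5
realm-kdc=JOSEFSSON.ORG,ristretto.josefsson.org,kdc2.josefsson.org/tcp
server-realm=JOSEFSSON.ORG,.josefsson.org
verbose
"""


def parse_conf(text):
    """Split lines into (token, value); 'name value' and 'name=value' are both accepted,
    bare tokens such as 'verbose' get value None, '#' lines are comments."""
    tokens = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^([A-Za-z0-9-]+)(?:\s*=\s*|\s+)?(.*)$", line)
        tokens.append((m.group(1), m.group(2).strip() or None))
    return tokens


def parse_realm_kdc(value):
    """REALM,KDCADDRESS[/PROTOCOL][,KDCADDRESS[/PROTOCOL]...] -> (realm, [(addr, proto)]).
    proto None means the default: UDP first, TCP as fallback on KRB_ERR_RESPONSE_TOO_BIG."""
    parts = value.split(",")
    if len(parts) < 2:
        raise ValueError("realm-kdc needs a realm and at least one KDC address")
    realm, kdcs = parts[0], []
    for entry in parts[1:]:
        addr, _, proto = entry.partition("/")
        proto = proto.lower() if proto else None  # case-insensitive is an assumption
        if proto not in (None, "udp", "tcp", "tls"):
            raise ValueError(f"unknown protocol {proto!r} for KDC {addr}")
        kdcs.append((addr, proto))
    return realm, kdcs


def parse_server_realm(value):
    """REALM,SERVERREGEXP[,SERVERREGEXP...] -> (realm, [compiled regexps]).
    Note that '.josefsson.org' is a regular expression: the leading dot matches any character."""
    realm, *patterns = value.split(",")
    return realm, [re.compile(p) for p in patterns]


def realm_for_server(rules, hostname):
    """Return the realm of the first server-realm rule whose regexp matches, else None."""
    for realm, patterns in rules:
        if any(p.search(hostname) for p in patterns):
            return realm
    return None


def check_etypes(value):
    """Validate a client-kdc-etypes preference list; keep order, report problems."""
    etypes = value.split()
    unsupported = [e for e in etypes if e not in SUPPORTED_ETYPES]
    weak = [e for e in etypes if e in WEAK_ETYPES]
    return etypes, unsupported, weak


def load(text):
    """Assemble the tokens this example understands; other tokens are kept verbatim."""
    conf = {"realm_kdc": {}, "server_realm": [], "etypes": None, "other": {}, "warnings": []}
    for name, value in parse_conf(text):
        if name == "realm-kdc":
            realm, kdcs = parse_realm_kdc(value)
            conf["realm_kdc"][realm] = kdcs
        elif name == "server-realm":
            conf["server_realm"].append(parse_server_realm(value))
        elif name == "client-kdc-etypes":
            conf["etypes"], unsupported, weak = check_etypes(value)
            conf["warnings"] += [f"unsupported etype {e}" for e in unsupported]
            conf["warnings"] += [f"weak etype {e} listed; preference order is not protected" for e in weak]
        else:
            conf["other"][name] = value
    return conf


if __name__ == "__main__":
    c = load(SAMPLE_CONF)
    print(c["realm_kdc"], c["etypes"], c["warnings"], sep="\n")
    print(realm_for_server(c["server_realm"], "mail.josefsson.org"))
```

Run on the sample, the loader reports the trailing des-cbc-md5 as a weak entry even though it is last in the list, which is the point of the manual's warning: a downgrade does not need the weak type to be first, only present.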

5.1.7. kdc-timeout, kdc-retries

How long shishi waits for a response from a KDC before continuing to the next KDC for the realm. The default is 5 seconds. E.g.,

kdc-timeout=10

How many times shishi sends a request to a KDC before giving up. The default is 3 times. E.g.,

kdc-retries=5

5.1.8. stringprocess

How usernames and passwords entered from the terminal, or taken from the command line, are processed.

"none": no processing is used.

"stringprep": convert from locale charset to UTF-8 and process using experimental RFC 1510 stringprep profile.

It can also be a string indicating a character set supported by iconv via libstringprep, in which case data is converted from locale charset into the indicated character set. E.g., UTF-8, ISO-8859-1, KOI-8, EBCDIC-IS-FRISS are supported on GNU systems. On some systems you can use "locale -m" to list available character sets. By default, the "none" setting is used which is consistent with RFC 1510 that is silent on the issue. In practice, however, converting to UTF-8 improves interoperability.

E.g.,

stringprocess=UTF-8

5.1.9. ticket-life

Specify default ticket life time.

The string can be in almost any common format. It can contain month names, time zones, `am' and `pm', `yesterday', `ago', `next', etc. Refer to "Date input formats" in the GNU CoreUtils documentation for the entire story. As an extra feature, if the time you specify resolves to a moment that has expired within the last 24 hours, an extra day is added to it. This allows you to specify "17:00" to always mean the next 17:00, even if your system clock happens to be 17:30.

The default is 8 hours.

E.g.,

#ticket-life=8 hours
#ticket-life=1 day
ticket-life=17:00

5.1.10. renew-life

Specify how long a renewable ticket should remain renewable.

See ticket-life for the syntax. The extra feature that handles negative values within the last 2 hours is not active here.

The default is 7 days.

E.g.,

#renew-life=1 week
#renew-life=friday 17:00
renew-life=sunday
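As an added example (not Shishi code), the following resolves a lifetime string the way the ticket-life and renew-life sections describe, for a small subset of the GNU date syntax: relative spans such as "8 hours", "1 day" or "1 week", a clock time such as "17:00", and a bare weekday name such as "sunday". The ticket-life extra feature is implemented as stated in the manual: if the result lies within the 24 hours before "now", one day is added; renew-life calls the same function with that adjustment switched off. The weekday rule (forward to that day only if necessary, at 00:00) and the fixed "now" used in the sample are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Relative units this example understands (a subset of GNU "Date input formats").
UNITS = {
    "minute": "minutes", "minutes": "minutes",
    "hour": "hours", "hours": "hours",
    "day": "days", "days": "days",
    "week": "weeks", "weeks": "weeks",
}
WEEKDAYS = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]


def parse_lifetime(spec, now):
    """Turn a lifetime string into an absolute datetime relative to `now`.
    Supports 'N unit', 'HH:MM' (today at that time) and a weekday name
    (assumed: forward to that weekday only if necessary, at 00:00)."""
    spec = spec.strip().lower()
    m = re.fullmatch(r"(\d+)\s+([a-z]+)", spec)
    if m:
        n, unit = int(m.group(1)), m.group(2)
        if unit not in UNITS:
            raise ValueError(f"unknown unit {unit!r}")
        return now + timedelta(**{UNITS[unit]: n})
    m = re.fullmatch(r"(\d{1,2}):(\d{2})", spec)
    if m:
        return now.replace(hour=int(m.group(1)), minute=int(m.group(2)), second=0, microsecond=0)
    if spec in WEEKDAYS:
        ahead = (WEEKDAYS.index(spec) - now.weekday()) % 7
        return now.replace(hour=0, minute=0, second=0, microsecond=0) + timedelta(days=ahead)
    raise ValueError(f"unsupported date spec {spec!r}")


def resolve_expiry(spec, now, bump_recently_expired=True):
    """ticket-life semantics: a result that expired within the last 24 hours gets an
    extra day, so '17:00' at 17:30 means tomorrow 17:00. renew-life passes
    bump_recently_expired=False, because the manual says that feature is not active there."""
    when = parse_lifetime(spec, now)
    if bump_recently_expired and now - timedelta(hours=24) <= when < now:
        when += timedelta(days=1)
    return when


if __name__ == "__main__":
    # Constructed clock: Wednesday 2024-01-10 at 17:30, as in the manual's 17:30 illustration.
    now = datetime(2024, 1, 10, 17, 30)
    for spec in ("8 hours", "1 day", "17:00", "18:00"):
        print(f"ticket-life={spec!r:10} -> {resolve_expiry(spec, now)}")
    for spec in ("1 week", "sunday"):
        print(f"renew-life={spec!r:10} -> {resolve_expiry(spec, now, bump_recently_expired=False)}")
```

With the clock at 17:30, ticket-life=17:00 yields tomorrow's 17:00 while 18:00 stays today, which is exactly the behaviour the manual describes; the same "17:00" under renew-life resolves to the already-passed time, since the adjustment does not apply there.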