JDK-8215950

Default values for krb5.conf as Security properties


    • Type: CSR
    • Resolution: Withdrawn
    • Priority: P4
    • None
    • security-libs
    • None
    • behavioral
    • minimal
    • New feature. No predefined security property.
    • System or security property
    • JDK

      Summary

      Define krb5.conf default values as security properties.

      Problem

      The default values for krb5.conf are hardcoded in source code. It would be useful to have a place to customize them. This is especially useful for an enterprise that wants to deploy its own default settings (for example, a different allow_weak_crypto, default realm, customized host-to-realm mapping, etc.).

      This also provides a central place to document the default values of these settings.

      Solution

      Implement them as security properties. If a setting is not available in the actual krb5.conf file, the default value will be read from the security properties.

      Specification

      #
      # Default krb5.conf settings
      #
      # Kerberos 5 reads its configuration from a krb5.conf file, which is a
      # system-wide INI-style file shared by all Kerberos 5 vendors. If a setting
      # is not defined in this file, a default value can be defined here as a
      # security property. The name of the property is "krb5.conf." followed by
      # the krb5.conf section name, sub-section names (if exist), and key name
      # concatenated with the delimiter character ".".
      #
      # For example, if the "allow_weak_crypto" setting in the [libdefaults] section
      # is missing from the krb5.conf file, value of the security property
      # "krb5.conf.libdefaults.allow_weak_crypto" will be used.
      #
      # If a setting cannot be found in krb5.conf and there is also no default value
      # defined here, it is up to the JDK Kerberos 5 implementation to determine
      # if the setting is undefined or a hardcoded default value is assigned.
      #
      # Below are some examples:
      # krb5.conf.libdefaults.allow_weak_crypto=false
      # krb5.conf.libdefaults.dns_lookup_realm=false
      # krb5.conf.libdefaults.dns_lookup_kdc=true
      # krb5.conf.libdefaults.dns_canonicalize_hostname=true
      # krb5.conf.libdefaults.default_tkt_enctypes=aes256-cts-hmac-sha1-96\
      #  aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128\
      #  des3-cbc-sha1 arcfour-hmac-md5 des-cbc-crc des-cbc-md5
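
      The lookup order in the specification above, as an added Java example; it is not JDK code, and the proposal itself was withdrawn. The class and method names, the krb5.conf sample and the "(implementation default)" fallback string are assumptions made for illustration.

```java
import java.security.Security;
import java.util.HashMap;
import java.util.Map;

public class Krb5DefaultsDemo {
    // Constructed krb5.conf content; allow_weak_crypto is deliberately absent.
    static final String KRB5_CONF = String.join("\n",
        "[libdefaults]",
        "  default_realm = EXAMPLE.COM",
        "  dns_lookup_kdc = false");

    // Parse flat "[section]" and "key = value" lines into "section.key" -> value.
    // Brace-delimited sub-sections are not parsed here.
    static Map<String, String> parse(String text) {
        Map<String, String> out = new HashMap<>();
        String section = "";
        for (String raw : text.split("\n")) {
            String line = raw.trim();
            if (line.isEmpty() || line.startsWith("#")) continue;
            if (line.startsWith("[") && line.endsWith("]")) {
                section = line.substring(1, line.length() - 1);
                continue;
            }
            int eq = line.indexOf('=');
            if (eq > 0) out.put(section + "." + line.substring(0, eq).trim(),
                                line.substring(eq + 1).trim());
        }
        return out;
    }

    // Proposed precedence: krb5.conf file first, then the security property named
    // "krb5.conf." + section[.sub-sections].key, then the implementation's own default.
    static String resolve(Map<String, String> file, String implDefault, String... path) {
        String name = String.join(".", path);
        String value = file.get(name);
        if (value == null) value = Security.getProperty("krb5.conf." + name);
        return value != null ? value : implDefault;
    }

    public static void main(String[] args) {
        Map<String, String> file = parse(KRB5_CONF);
        // Stand-ins for lines an enterprise would place in java.security.
        Security.setProperty("krb5.conf.libdefaults.allow_weak_crypto", "false");
        Security.setProperty("krb5.conf.libdefaults.dns_lookup_kdc", "true");
        for (String key : new String[] {"allow_weak_crypto", "dns_lookup_kdc", "dns_lookup_realm"}) {
            System.out.println(key + " = " + resolve(file, "(implementation default)", "libdefaults", key));
        }
    }
}
```

      Here allow_weak_crypto is taken from the security property because the file omits it, dns_lookup_kdc keeps the file's value even though a property is set, and dns_lookup_realm falls through to the implementation default.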

            weijun Weijun Wang