.\" ldap.conf.5
.TH LDAP.CONF 5 "2018/03/22" "OpenLDAP 2.4.46"
.\" $OpenLDAP$
.\" Copyright 1998-2018 The OpenLDAP Foundation All Rights Reserved.
.\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
.SH NAME
ldap.conf, .ldaprc \- LDAP configuration file/environment variables
.SH SYNOPSIS
/opt/alt/openldap11/etc/openldap/ldap.conf, ldaprc, .ldaprc, $LDAP
.SH DESCRIPTION
If the environment variable \fBLDAPNOINIT\fP is defined, all defaulting
is disabled.
.LP
The
.I ldap.conf
configuration file is used to set system-wide defaults to be applied when
running
.I ldap
clients.
.LP
Users may create an optional configuration file,
.I ldaprc
or
.IR .ldaprc ,
in their home directory which will be used to override the system-wide
defaults file.
The file
.I ldaprc
in the current working directory is also used.
.LP
Additional configuration files can be specified using
the \fBLDAPCONF\fP and \fBLDAPRC\fP environment variables.
\fBLDAPCONF\fP may be set to the path of a configuration file.  This
path can be absolute or relative to the current working directory.
The \fBLDAPRC\fP, if defined, should be the basename of a file
in the current working directory or in the user's home directory.
.LP
Environmental variables may also be used to augment the file based defaults.
The name of the variable is the option name with an added prefix of \fBLDAP\fP.
For example, to define \fBBASE\fP via the environment, set the variable
\fBLDAPBASE\fP to the desired value.
.LP
Some options are user-only.  Such options are ignored if present
in the
.I ldap.conf
(or file specified by
.BR LDAPCONF ).
.LP
Thus the following files and variables are read, in order:
.nf
	variable     $LDAPNOINIT, and if that is not set:
	system file  /opt/alt/openldap11/etc/openldap/ldap.conf,
	user files   $HOME/ldaprc,  $HOME/.ldaprc,  ./ldaprc,
	system file  $LDAPCONF,
	user files   $HOME/$LDAPRC, $HOME/.$LDAPRC, ./$LDAPRC,
	variables    $LDAP.
.fi
Settings late in the list override earlier ones.
.SH SYNTAX
The configuration options are case-insensitive;
their value, on a case by case basis, may be case-sensitive.
.LP
Blank lines are ignored.
.br
Lines beginning with a hash mark (`#') are comments, and ignored.
.LP
Valid lines are made of an option's name (a sequence of non-blanks,
conventionally written in uppercase, although not required),
followed by a value.
The value starts with the first non-blank character after the
option's name, and terminates at the end of the line, or at the last
sequence of blanks before the end of the line.
The tokenization of the value, if any, is delegated to the handler(s)
for that option, if any.
Quoting values that contain blanks may be incorrect, as the quotes
would become part of the value.
For example,
.nf
	# Wrong - erroneous quotes:
	URI	"ldap:// ldaps://"

	# Right - space-separated list of URIs, without quotes:
	URI	ldap:// ldaps://

	# Right - DN syntax needs quoting for Example, Inc:
	BASE	ou=IT staff,o="Example, Inc",c=US
	# or:
	BASE	ou=IT staff,o=Example\e2C Inc,c=US

	# Wrong - comment on same line as option:
	DEREF	never # Never follow aliases
.fi
.LP
A line cannot be longer than LINE_MAX, which should be more than 2000 bytes
on all platforms.
There is no mechanism to split a long line on multiple lines, either for
beautification or to overcome the above limit.
.SH OPTIONS
The different configuration options are:
.TP
.B URI
Specifies the URI(s) of an LDAP server(s) to which the
.I LDAP
library should connect.  The URI scheme may be any of
.BR ldap ,
.B ldaps
or
.BR ldapi ,
which refer to LDAP over TCP, LDAP over SSL (TLS) and LDAP
over IPC (UNIX domain sockets), respectively.
Each server's name can be specified as a
domain-style name or an IP address literal.  Optionally, the
server's name can be followed by a ':' and the port number the LDAP
server is listening on.  If no port number is provided, the default
port for the scheme is used (389 for ldap://, 636 for ldaps://).
For LDAP over IPC,
.B name
is the name of the socket, and no
.B port
is required, nor allowed; note that directory separators must be
URL-encoded, like any other characters that are special to URLs;
so the socket
/usr/local/var/ldapi
must be specified as
ldapi://%2Fusr%2Flocal%2Fvar%2Fldapi
A space separated list of URIs may be provided.
.TP
.B BASE
Specifies the default base DN to use when performing ldap operations.
The base must be specified as a Distinguished Name in LDAP format.
.TP
.B BINDDN
Specifies the default bind DN to use when performing ldap operations.
The bind DN must be specified as a Distinguished Name in LDAP format.
.B This is a user-only option.
.TP
.B DEREF
Specifies how alias dereferencing is done when performing a search.
The value can be specified as one of the following keywords:
.RS
.TP
.B never
Aliases are never dereferenced. This is the default.
.TP
.B searching
Aliases are dereferenced in subordinates of the base object, but
not in locating the base object of the search.
.TP
.B finding
Aliases are only dereferenced when locating the base object of the search.
.TP
.B always
Aliases are dereferenced both in searching and in locating the base object
of the search.
.RE
.TP
.B HOST
Specifies the name(s) of an LDAP server(s) to which the
.I LDAP
library should connect.  Each server's name can be specified as a
domain-style name or an IP address and optionally followed by a ':' and
the port number the ldap server is listening on.  A space separated
list of hosts may be provided.
.B HOST
is deprecated in favor of
.BR URI .
.TP
.B NETWORK_TIMEOUT
Specifies the timeout (in seconds) after which the poll(2)/select(2)
following a connect(2) returns in case of no activity.
.TP
.B PORT
Specifies the default port used when connecting to LDAP servers(s).
The port may be specified as a number.
.B PORT
is deprecated in favor of
.BR URI .
.TP
.B REFERRALS
Specifies if the client should automatically follow referrals returned
by LDAP servers.
The default is on.
Note that the command line tools
.BR ldapsearch (1)
&co always override this option.
.\" This should only be allowed via ldap_set_option(3)
.\".TP
.\".B RESTART
.\"Determines whether the library should implicitly restart connections (FIXME).
.TP
.B SIZELIMIT
Specifies a size limit (number of entries) to use when performing searches.
The number should be a non-negative integer.
\fISIZELIMIT\fP of zero (0) specifies a request for unlimited search size.
Please note that the server may still apply any server-side limit on the
amount of entries that can be returned by a search operation.
.TP
.B TIMELIMIT
Specifies a time limit (in seconds) to use when performing searches.
The number should be a non-negative integer.
\fITIMELIMIT\fP of zero (0) specifies unlimited search time to be used.
Please note that the server may still apply any server-side limit on the
duration of a search operation.
.TP
.B VERSION {2|3}
Specifies what version of the LDAP protocol should be used.
.TP
.B TIMEOUT
Specifies a timeout (in seconds) after which calls to synchronous LDAP
APIs will abort if no response is received.  Also used for any
.BR ldap_result (3)
calls where a NULL timeout parameter is supplied.
.SH SASL OPTIONS
If OpenLDAP is built with Simple Authentication and Security Layer support,
there are more options you can specify.
.TP
.B SASL_MECH
Specifies the SASL mechanism to use.
.TP
.B SASL_REALM
Specifies the SASL realm.
.TP
.B SASL_AUTHCID
Specifies the authentication identity.
.B This is a user-only option.
.TP
.B SASL_AUTHZID
Specifies the proxy authorization identity.
.B This is a user-only option.
.TP
.B SASL_SECPROPS
Specifies Cyrus SASL security properties.
The value can be specified as a comma-separated list of the following:
.RS
.TP
.B none
(without any other properties) causes the properties
defaults ("noanonymous,noplain") to be cleared.
.TP
.B noplain
disables mechanisms susceptible to simple passive attacks.
.TP
.B noactive
disables mechanisms susceptible to active attacks.
.TP
.B nodict
disables mechanisms susceptible to passive dictionary attacks.
.TP
.B noanonymous
disables mechanisms which support anonymous login.
.TP
.B forwardsec
requires forward secrecy between sessions.
.TP
.B passcred
requires mechanisms which pass client credentials (and allows
mechanisms which can pass credentials to do so).
.TP
.B minssf=
specifies the minimum acceptable
.I security strength factor
as an integer approximating the effective key length used for
encryption.  0 (zero) implies no protection, 1 implies integrity
protection only, 56 allows DES or other weak ciphers, 112
allows triple DES and other strong ciphers, 128 allows RC4,
Blowfish and other modern strong ciphers.  The default is 0.
.TP
.B maxssf=
specifies the maximum acceptable
.I security strength factor
as an integer (see
.B minssf
description).  The default is
.BR INT_MAX .
.TP
.B maxbufsize=
specifies the maximum security layer receive buffer
size allowed.  0 disables security layers.  The default is 65536.
.RE
.TP
.B SASL_NOCANON
Do not perform reverse DNS lookups to canonicalize SASL host names.
The default is off.
.SH GSSAPI OPTIONS
If OpenLDAP is built with Generic Security Services Application Programming
Interface support, there are more options you can specify.
.TP
.B GSSAPI_SIGN
Specifies if GSSAPI signing (GSS_C_INTEG_FLAG) should be used.
The default is off.
.TP
.B GSSAPI_ENCRYPT
Specifies if GSSAPI encryption (GSS_C_INTEG_FLAG and GSS_C_CONF_FLAG)
should be used. The default is off.
.TP
.B GSSAPI_ALLOW_REMOTE_PRINCIPAL
Specifies if GSSAPI based authentication should try to form the
target principal name out of the ldapServiceName or dnsHostName
attribute of the target's RootDSE entry. The default is off.
.SH TLS OPTIONS
If OpenLDAP is built with Transport Layer Security support, there
are more options you can specify.
These options are used when an
.B ldaps://
URI is selected (by default or otherwise) or when the application
negotiates TLS by issuing the LDAP StartTLS operation.
.LP
When using OpenSSL, if neither \fBTLS_CACERT\fP nor \fBTLS_CACERTDIR\fP
is set, the system-wide default set of CA certificates is used.
.TP
.B TLS_CACERT
Specifies the file that contains certificates for all of the Certificate
Authorities the client will recognize.
.TP
.B TLS_CACERTDIR
Specifies the path of a directory that contains Certificate Authority
certificates in separate individual files. The
.B TLS_CACERT
is always used before
.BR TLS_CACERTDIR .
The specified directory must be managed with the OpenSSL c_rehash utility.
This parameter is ignored with GnuTLS.
When using Mozilla NSS, may contain a Mozilla NSS cert/key database.
If contains a Mozilla NSS cert/key database and
CA cert files, OpenLDAP will use the cert/key database and will
ignore the CA cert files.
.TP
.B TLS_CERT
Specifies the file that contains the client certificate.
.B This is a user-only option.
When using Mozilla NSS, if using a cert/key database (specified with
TLS_CACERTDIR), TLS_CERT specifies the name of the certificate to use:
.nf
	TLS_CERT Certificate for Sam Carter
.fi
If using a token other than the internal built in token, specify the
token name first, followed by a colon:
.nf
	TLS_CERT my hardware device:Certificate for Sam Carter
.fi
Use certutil \-L to list the certificates by name:
.nf
	certutil \-d /path/to/certdbdir \-L
.fi
.TP
.B TLS_KEY
Specifies the file that contains the private key that matches the certificate
stored in the
.B TLS_CERT
file. Currently, the private key must not be protected with a password, so
it is of critical importance that the key file is protected carefully.
.B This is a user-only option.
When using Mozilla NSS, TLS_KEY specifies the name of a file that contains
the password for the key for the certificate specified with TLS_CERT.
The modutil command can be used to turn off password protection for the
cert/key database.  For example, if TLS_CACERTDIR specifies /home/scarter/.moznss
as the location of the cert/key database, use modutil to change the password
to the empty string:
.nf
	modutil \-dbdir ~/.moznss \-changepw 'NSS Certificate DB'
.fi
You must have the old password, if any.  Ignore the WARNING about the running
browser.  Press 'Enter' for the new password.
.TP
.B TLS_CIPHER_SUITE
Specifies acceptable cipher suite and preference order.
should be a cipher specification for the TLS library in use (OpenSSL,
GnuTLS, or Mozilla NSS).
Example:
.RS
.RS
.TP
.I OpenSSL:
TLS_CIPHER_SUITE HIGH:MEDIUM:+SSLv2
.TP
.I GnuTLS:
TLS_CIPHER_SUITE SECURE256:!AES-128-CBC
.RE
To check what ciphers a given spec selects in OpenSSL, use:
.nf
	openssl ciphers \-v
.fi
With GnuTLS the available specs can be found in the manual page of
.BR gnutls\-cli (1)
(see the description of the
option
.BR \-\-priority ).
In older versions of GnuTLS, where gnutls\-cli does not support the option \-\-priority,
you can obtain the \(em more limited \(em list of ciphers by calling:
.nf
	gnutls\-cli \-l
.fi
When using Mozilla NSS, the OpenSSL cipher suite specifications are used and
translated into the format used internally by Mozilla NSS.  There isn't an easy
way to list the cipher suites from the command line.  The authoritative list
is in the source code for Mozilla NSS in the file sslinfo.c in the structure
.nf
	static const SSLCipherSuiteInfo suiteInfo[]
.fi
.RE
.TP
.B TLS_PROTOCOL_MIN [.]
Specifies minimum SSL/TLS protocol version that will be negotiated.
If the server doesn't support at least that version,
the SSL handshake will fail.
To require TLS 1.x or higher, set this option to 3.(x+1), e.g.,
.nf
	TLS_PROTOCOL_MIN 3.2
.fi
would require TLS 1.1.
Specifying a minimum that is higher than that supported by the
OpenLDAP implementation will result in it requiring the
highest level that it does support.
This parameter is ignored with GnuTLS.
.TP
.B TLS_RANDFILE
Specifies the file to obtain random bits from when /dev/[u]random is
not available. Generally set to the name of the EGD/PRNGD socket.
The environment variable RANDFILE can also be used to specify the filename.
This parameter is ignored with GnuTLS and Mozilla NSS.
.TP
.B TLS_REQCERT
Specifies what checks to perform on server certificates in a TLS session,
if any. The value can be specified as one of the following keywords:
.RS
.TP
.B never
The client will not request or check any server certificate.
.TP
.B allow
The server certificate is requested. If no certificate is provided,
the session proceeds normally. If a bad certificate is provided, it will
be ignored and the session proceeds normally.
.TP
.B try
The server certificate is requested. If no certificate is provided,
the session proceeds normally. If a bad certificate is provided,
the session is immediately terminated.
.TP
.B demand | hard
These keywords are equivalent. The server certificate is requested. If no
certificate is provided, or a bad certificate is provided, the session
is immediately terminated. This is the default setting.
.RE
.TP
.B TLS_CRLCHECK
Specifies if the Certificate Revocation List (CRL) of the CA should be
used to verify if the server certificates have not been revoked. This
requires the
.B TLS_CACERTDIR
parameter to be set. This parameter is ignored with GnuTLS and Mozilla NSS.
The value can be specified as one of the following keywords:
.RS
.TP
.B none
No CRL checks are performed
.TP
.B peer
Check the CRL of the peer certificate
.TP
.B all
Check the CRL for a whole certificate chain
.RE
.TP
.B TLS_CRLFILE
Specifies the file containing a Certificate Revocation List to be used
to verify if the server certificates have not been revoked. This
parameter is only supported with GnuTLS and Mozilla NSS.
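Added example, not part of the OpenLDAP man page: a Python script that applies the lookup order from DESCRIPTION (system file, then user files, then LDAP* variables), the line syntax from SYNTAX (no quoting, no inline comments, user-only options ignored in the system file) and the TLS_REQCERT, TLS_PROTOCOL_MIN and SASL_SECPROPS semantics above to constructed sample files, then reports the settings a reviewer would want changed. It assumes file contents and environment are passed in as strings, the hostnames are placeholders, and the thresholds it flags (TLS_REQCERT never or allow, TLS_PROTOCOL_MIN below 3.3, minssf=0, the deprecated HOST and PORT) are the example's own policy derived from the descriptions given here.

```python
"""Resolve effective ldap.conf settings and flag weak ones (added example;
the sample file contents below are constructed, not taken from a system)."""
import os

# Options the man page marks "user-only": ignored in ldap.conf / $LDAPCONF.
USER_ONLY = {"BINDDN", "SASL_AUTHCID", "SASL_AUTHZID", "TLS_CERT", "TLS_KEY"}

# Keyword-valued options and the keywords the man page documents for them.
KEYWORDS = {
    "DEREF": {"never", "searching", "finding", "always"},
    "TLS_REQCERT": {"never", "allow", "try", "demand", "hard"},
    "TLS_CRLCHECK": {"none", "peer", "all"},
}

# LDAP-prefixed variables that select files rather than set an option.
CONTROL_VARS = {"LDAPNOINIT", "LDAPCONF", "LDAPRC"}


def parse_ldap_conf(text, system_file=False):
    """Blank and '#' lines are ignored; the option name is case-insensitive;
    the value runs from the first non-blank after the name to the end of the
    line.  There is no quoting and no inline comment, so both leak into it."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        name = parts[0].upper()
        value = parts[1].rstrip() if len(parts) > 1 else ""
        if system_file and name in USER_ONLY:
            continue  # user-only options are ignored in the system-wide file
        settings[name] = value  # a later line overrides an earlier one
    return settings


def resolve(system_text, user_texts=(), environ=None):
    """Precedence: system file, user files in order, then LDAP<OPTION> vars."""
    environ = dict(os.environ) if environ is None else environ
    if "LDAPNOINIT" in environ:
        return {}  # all defaulting is disabled
    effective = parse_ldap_conf(system_text, system_file=True)
    for text in user_texts:
        effective.update(parse_ldap_conf(text))
    for key, value in environ.items():
        if key.startswith("LDAP") and key not in CONTROL_VARS:
            effective[key[len("LDAP"):].upper()] = value
    return effective


def version_tuple(text):
    """'3.2' -> (3, 2); a bare major such as '3' -> (3,)."""
    return tuple(int(part) for part in text.split("."))


def audit(effective):
    """Findings for settings that weaken peer verification or encryption."""
    findings = []
    for option, allowed in KEYWORDS.items():
        value = effective.get(option)
        if value is not None and value.lower() not in allowed:
            findings.append(f"{option} {value!r}: not a documented keyword; "
                            "an inline comment or quotes have leaked into the value")
    reqcert = effective.get("TLS_REQCERT", "demand").lower()
    if reqcert in ("never", "allow"):
        findings.append(f"TLS_REQCERT {reqcert}: a missing or bad server "
                        "certificate does not terminate the session")
    proto = effective.get("TLS_PROTOCOL_MIN")
    if proto is None:
        findings.append("TLS_PROTOCOL_MIN unset: no minimum protocol version is enforced")
    elif version_tuple(proto) < (3, 3):
        findings.append(f"TLS_PROTOCOL_MIN {proto}: allows versions below TLS 1.2 (3.3)")
    props = [p.strip().lower() for p in effective.get("SASL_SECPROPS", "").split(",")]
    if "none" in props or "minssf=0" in props:
        findings.append("SASL_SECPROPS: minimum security strength factor is 0")
    for legacy in ("HOST", "PORT"):
        if legacy in effective:
            findings.append(f"{legacy} is deprecated in favor of URI")
    return findings


# Constructed sample files with deliberate mistakes (hostnames are placeholders).
SYSTEM_CONF = """\
# constructed /opt/alt/openldap11/etc/openldap/ldap.conf
URI         ldaps://ldap.example.test ldap://ldap.example.test
BASE        dc=example,dc=test
BINDDN      cn=ignored-here,dc=example,dc=test
TLS_CACERT  /etc/ssl/certs/ca.pem
TLS_REQCERT allow
DEREF       never # Never follow aliases
"""

USER_RC = """\
# constructed ~/.ldaprc
tls_reqcert      demand
TLS_PROTOCOL_MIN 3.2
SASL_SECPROPS    minssf=0,noplain
"""

if __name__ == "__main__":
    for finding in audit(resolve(SYSTEM_CONF, [USER_RC], {"LDAPTLS_REQCERT": "never"})):
        print(finding)
```

Running the script shows the user file repairing the system file's `TLS_REQCERT allow`, the `LDAPTLS_REQCERT` variable overriding both, and the `DEREF` line whose trailing comment has become part of its value.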
.SH "ENVIRONMENT VARIABLES"
.TP
LDAPNOINIT
disable all defaulting
.TP
LDAPCONF
path of a configuration file
.TP
LDAPRC
basename of ldaprc file in $HOME or $CWD
.TP
LDAP
Set as from ldap.conf
.SH FILES
.TP
.I /opt/alt/openldap11/etc/openldap/ldap.conf
system-wide ldap configuration file
.TP
.I $HOME/ldaprc, $HOME/.ldaprc
user ldap configuration file
.TP
.I $CWD/ldaprc
local ldap configuration file
.SH "SEE ALSO"
.BR ldap (3),
.BR ldap_set_option (3),
.BR ldap_result (3),
.BR openssl (1),
.BR sasl (3)
.SH AUTHOR
Kurt Zeilenga, The OpenLDAP Project
.SH ACKNOWLEDGEMENTS
.\" Shared Project Acknowledgement Text
.B "OpenLDAP Software"
is developed and maintained by The OpenLDAP Project .
.B "OpenLDAP Software"
is derived from the University of Michigan LDAP 3.3 Release.
.\" ldif.5
.TH LDIF 5 "2018/03/22" "OpenLDAP 2.4.46"
.\" $OpenLDAP$
.\" Copyright 1998-2018 The OpenLDAP Foundation All Rights Reserved.
.\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
.SH NAME
ldif \- LDAP Data Interchange Format
.SH DESCRIPTION
The LDAP Data Interchange Format (LDIF) is used to represent LDAP
entries and change records in text form. LDAP tools, such as
.BR ldapadd (1)
and
.BR ldapsearch (1),
read and write LDIF entry records.
.BR ldapmodify (1)
reads LDIF change records.
.LP
This manual page provides a basic description of LDIF.  A formal
specification of LDIF is published in RFC 2849.
.SH ENTRY RECORDS
.LP
LDIF entry records are used to represent directory entries.
The basic form of an entry record is:
.LP
.nf
.ft tt
	dn:
	:
	:
	::
	:<
	...
.ft
.fi
.LP
The value may be specified as UTF-8 text or as base64 encoded data,
or a URI may be provided to the location of the attribute value.
.LP
A line may be continued by starting the next line with a single space
or tab, e.g.,
.LP
.nf
.ft tt
	dn: cn=Barbara J Jensen,dc=exam
	 ple,dc=com
.ft
.fi
.LP
Lines beginning with a sharp sign ('#') are ignored.
.LP
Multiple attribute values are specified on separate lines, e.g.,
.LP
.nf
.ft tt
	cn: Barbara J Jensen
	cn: Babs Jensen
.ft
.fi
.LP
If a value contains a non-printing character, or begins with a space
or a colon ':', the attribute description is followed by a double colon
and the value is encoded in base 64 notation.  e.g., the value
" begins with a space" would be encoded like this:
.LP
.nf
.ft tt
	cn:: IGJlZ2lucyB3aXRoIGEgc3BhY2U=
.ft
.fi
.LP
If the attribute value is located in a file, the attribute description
is followed by a ':<' and a file: URI.  e.g., the value contained in
the file /tmp/value would be listed like this:
.LP
.nf
.ft tt
	cn:< file:///tmp/value
.ft
.fi
Other URI schemes (ftp,http) may be supported as well.
.LP
Multiple entries within the same LDIF file are separated by blank lines.
.SH ENTRY RECORD EXAMPLE
Here is an example of an LDIF file containing three entries.
.LP
.nf
.ft tt
	dn: cn=Barbara J Jensen,dc=example,dc=com
	cn: Barbara J Jensen
	cn: Babs Jensen
	objectclass: person
	description:< file:///tmp/babs
	sn: Jensen

	dn: cn=Bjorn J Jensen,dc=example,dc=com
	cn: Bjorn J Jensen
	cn: Bjorn Jensen
	objectclass: person
	sn: Jensen

	dn: cn=Jennifer J Jensen,dc=example,dc=com
	cn: Jennifer J Jensen
	cn: Jennifer Jensen
	objectclass: person
	sn: Jensen
	jpegPhoto:: /9j/4AAQSkZJRgABAAAAAQABAAD/2wBDABALD
	 A4MChAODQ4SERATGCgaGBYWGDEjJR0oOjM9PDkzODdASFxOQ
	 ERXRTc4UG1RV19iZ2hnPk1xeXBkeFxlZ2P/2wBDARESEhgVG
	 ...
.ft
.fi
.LP
Note that the description in Barbara Jensen's entry is
read from file:///tmp/babs and the jpegPhoto in Jennifer Jensen's entry is
encoded using base 64.
.SH CHANGE RECORDS
LDIF change records are used to represent directory change requests.
Each change record starts with a line indicating the distinguished name
of the entry being changed:
.LP
.nf
	dn:
.fi
.LP
.nf
	changetype: <[modify|add|delete|modrdn]>
.fi
.LP
Finally, the change information itself is given, the format of which
depends on what kind of change was specified above.
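Added example, not part of the OpenLDAP man page: a Python parser for the entry-record rules above (continuation lines, '#' comments, '::' base64 values, ':<' URI references, multi-valued attributes, blank-line separators) and for the dn/changetype framing of change records just introduced, including the '-' separator used by modify records. The sample LDIF is constructed from the entries shown on this page. The `is_allowed_file_url` check is the example's own policy, not an LDIF rule: a tool that honours ':<' reads whatever local path the file names, so the parser records such references and leaves the decision to read them to the caller.

```python
"""Parse LDIF entry and change records (added example; SAMPLE_LDIF is
constructed from the entries shown on this page)."""
import base64
import os
from urllib.parse import unquote, urlparse


def unfold(text):
    """Join continuation lines (a leading space or tab) onto the preceding
    line and drop '#' comments together with any continuation of a comment."""
    lines, in_comment = [], False
    for raw in text.splitlines():
        if raw[:1] in (" ", "\t"):
            if not in_comment and lines:
                lines[-1] += raw[1:]  # exactly one leading blank is the fold marker
            continue
        in_comment = raw.startswith("#")
        if not in_comment:
            lines.append(raw)
    return lines


def split_records(lines):
    """Records are separated by one or more blank lines."""
    records, current = [], []
    for line in lines:
        if line.strip():
            current.append(line)
        elif current:
            records.append(current)
            current = []
    if current:
        records.append(current)
    return records


def parse_line(line):
    """Return (attr, value, kind); kind is 'text', 'base64' (bytes) or 'url'.
    A URL value is returned unresolved: reading it is the caller's decision."""
    attr, sep, rest = line.partition(":")
    if not sep:
        raise ValueError(f"malformed LDIF line: {line!r}")
    if rest.startswith(":"):
        return attr, base64.b64decode(rest[1:].strip()), "base64"
    if rest.startswith("<"):
        return attr, rest[1:].strip(), "url"
    return attr, rest.lstrip(" "), "text"


def parse_record(lines):
    """dn, optional changetype, plain attrs and, for changetype modify,
    a list of {'op', 'attr', 'values'} modifications delimited by '-'."""
    rec = {"dn": None, "changetype": None, "attrs": [], "mods": []}
    mod = None
    for line in lines:
        if line == "-":
            if mod is not None:
                rec["mods"].append(mod)
                mod = None
            continue
        attr, value, kind = parse_line(line)
        key = attr.lower()
        if key == "dn":
            rec["dn"] = value.decode("utf-8") if isinstance(value, bytes) else value
        elif key == "changetype":
            rec["changetype"] = value
        elif rec["changetype"] == "modify" and mod is None and key in ("add", "replace", "delete"):
            mod = {"op": key, "attr": value, "values": []}
        elif mod is not None:
            mod["values"].append((attr, value, kind))
        else:
            rec["attrs"].append((attr, value, kind))
    if mod is not None:  # modify record without a trailing '-'
        rec["mods"].append(mod)
    return rec


def parse_ldif(text):
    return [parse_record(r) for r in split_records(unfold(text))]


def url_references(records):
    """Every ':<' reference in the file, listed before anything is read."""
    return [v for rec in records for _, v, kind in rec["attrs"] if kind == "url"]


def is_allowed_file_url(url, allowed_dir):
    """Example policy: only file: URLs whose resolved path stays inside allowed_dir."""
    parts = urlparse(url)
    if parts.scheme != "file" or parts.netloc not in ("", "localhost"):
        return False
    path = os.path.realpath(unquote(parts.path))
    root = os.path.realpath(allowed_dir)
    return os.path.commonpath([path, root]) == root


SAMPLE_LDIF = """\
# constructed sample modelled on the entries above
dn: cn=Barbara J Jensen,dc=exam
 ple,dc=com
cn: Barbara J Jensen
cn: Babs Jensen
objectclass: person
description:< file:///tmp/babs
sn: Jensen

dn: cn=Bjorn J Jensen,dc=example,dc=com
cn:: IGJlZ2lucyB3aXRoIGEgc3BhY2U=

dn: cn=Babs Jensen,dc=example,dc=com
changetype: modify
add: givenName
givenName: Barbara
-
replace: description
description: the fabulous babs
-
"""

if __name__ == "__main__":
    records = parse_ldif(SAMPLE_LDIF)
    for rec in records:
        print(rec["dn"], rec["changetype"] or "entry", rec["attrs"], rec["mods"])
    print("file references:", url_references(records))
```

The folded `dn:` line is reassembled before parsing, the `cn::` value decodes to the string " begins with a space" from the page, and the `description:< file:///tmp/babs` reference is surfaced by `url_references` rather than opened.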
For a \fIchangetype\fP of \fImodify\fP, the format is one or more
of the following:
.LP
.nf
	add:
	:
	:
	...
	\-
.fi
.LP
Or, for a replace modification:
.LP
.nf
	replace:
	:
	:
	...
	\-
.fi
.LP
If no \fIattributetype\fP lines are given to replace,
the entire attribute is to be deleted (if present).
.LP
Or, for a delete modification:
.LP
.nf
	delete:
	:
	:
	...
	\-
.fi
.LP
If no \fIattributetype\fP lines are given to delete,
the entire attribute is to be deleted.
.LP
For a \fIchangetype\fP of \fIadd\fP, the format is:
.LP
.nf
	:
	:
	...
	:
	:
.fi
.LP
For a \fIchangetype\fP of \fImodrdn\fP or \fImoddn\fP, the format is:
.LP
.nf
	newrdn:
	deleteoldrdn: 0 | 1
	newsuperior:
.fi
.LP
where a value of 1 for deleteoldrdn means to delete the values
forming the old rdn from the entry, and a value of 0 means to
leave the values as non-distinguished attributes in the entry.
The newsuperior line is optional and, if present, specifies the new
superior to move the entry to.
.LP
For a \fIchangetype\fP of \fIdelete\fP, no additional information
is needed in the record.
.LP
Note that attribute values may be presented using base64 or in files
as described for entry records.  Lines in change records may be
continued in the manner described for entry records as well.
.SH CHANGE RECORD EXAMPLE
The following sample LDIF file contains a change record of each type of change.
.LP
.nf
	dn: cn=Babs Jensen,dc=example,dc=com
	changetype: add
	objectclass: person
	objectclass: extensibleObject
	cn: babs
	cn: babs jensen
	sn: jensen

	dn: cn=Babs Jensen,dc=example,dc=com
	changetype: modify
	add: givenName
	givenName: Barbara
	givenName: babs
	\-
	replace: description
	description: the fabulous babs
	\-
	delete: sn
	sn: jensen
	\-

	dn: cn=Babs Jensen,dc=example,dc=com
	changetype: modrdn
	newrdn: cn=Barbara J Jensen
	deleteoldrdn: 0
	newsuperior: ou=People,dc=example,dc=com

	dn: cn=Barbara J Jensen,ou=People,dc=example,dc=com
	changetype: delete
.fi
.SH INCLUDE STATEMENT
The LDIF parser has been extended to support an
.B include
statement for referencing other LDIF files. The
.B include
statement must be separated from other records by a blank line. The
referenced file is specified using a file: URI and all of its contents
are incorporated as if they were part of the original LDIF file. As
above, other URI schemes may be supported. For example:
.LP
.nf
	dn: dc=example,dc=com
	objectclass: domain
	dc: example

	include: file:///tmp/example.com.ldif

	dn: dc=example,dc=org
	objectclass: domain
	dc: example
.fi
This feature is not part of the LDIF specification in RFC 2849 but is
expected to appear in a future revision of this spec. It is supported by the
.BR ldapadd (1),
.BR ldapmodify (1),
and
.BR slapadd (8)
commands.
.SH SEE ALSO
.BR ldap (3),
.BR ldapsearch (1),
.BR ldapadd (1),
.BR ldapmodify (1),
.BR slapadd (8),
.BR slapcat (8),
.BR slapd\-ldif (5).
.LP
"LDAP Data Interchange Format," Good, G., RFC 2849.
.SH ACKNOWLEDGEMENTS
.\" Shared Project Acknowledgement Text
.B "OpenLDAP Software"
is developed and maintained by The OpenLDAP Project .
.B "OpenLDAP Software"
is derived from the University of Michigan LDAP 3.3 Release.
.\" freetds.conf.5
.Dd May 2, 2017
.Os FreeTDS 1.5.16
.Dt FREETDS.CONF "FreeTDS 5" "FreeTDS Reference Manual"
.
.Sh NAME
.Nm freetds.conf
.Nd configuration file for FreeTDS
.
.Sh SYNOPSIS
The
.Pa freetds.conf
file describes Sybase and Microsoft database servers to the FreeTDS library.
It comprises sections headed by a servername, followed by a list of connection
properties denoted as name-value pairs.
Defaults are defined via a
.Bq global
section.
This file supersedes the
.Pa interfaces
file that Sybase defines for the same purpose, although the latter is still
supported.
.
.Sh DESCRIPTION
A section begins with a servername \(em the name of the server \(em in square
brackets.
The servername is chosen at the client's discretion.
(One exception: with Sybase ASA the servername must match the database name to
be used.)
.Pp
Sections contain properties, one per line, in the form
.Pp
.Dl name = value
.Pp
where
.Ar name
is the connection property to be described.
Servernames and properties are not case sensitive.
Values are case-preserving i.e., copied literally.
Comments begin with either a semicolon
.Pq So ; Sc
or pound sign
.Pq So # Sc
and continue to end of line.
Blank lines are ignored.
Whitespace surrounding the
.So = Sc
is ignored.
.
.Sh PROPERTIES
.Bl -tag -width "emulate little endian" -compact
.
.It client charset
encoding of client data; overrides locale(1) settings
.Bl -tag -width "default:" -compact
.It Domain:
iconv character set names
.It Default:
ISO-8859-1
.El
.
.It connect timeout
seconds to wait for response from connect request
.Bl -tag -width "default:" -compact
.It Domain:
0 to MAX_INT
.It Default:
none
.El
.
.It debug flags
logging granularity
.Bl -tag -width "default:" -compact
.It Domain:
32-bit integer
.It Default:
0x4fff
.El
.
.It dump file
specifies location of a logfile and turns on logging
.Bl -tag -width "default:" -compact
.It Domain:
valid file name
.It Default:
none
.El
.
.It dump file append
log data appended to file instead of re-writing for each connection
.Bl -tag -width "default:" -compact
.It Domain:
yes/no
.It Default:
no
.El
.
.It emulate little endian
forces big endian machines to act as little endian to communicate with
Microsoft Servers
.Bl -tag -width "default:" -compact
.It Domain:
yes/no
.It Default:
no
.El
.
.It encryption
.Bl -tag -compact
.It Em off
disables encryption
.It Em request
use if available (default when tds version greater than 7.0)
.It Em required
allow encrypted connections only
.El
.
.It host
Name of the host the server is running on.
.Bl -tag -width "default:" -compact
.It Domain:
host name or IP address
.It Default:
SYBASE
.El
.
.It initial block size
maximum size of a protocol block
.Bl -tag -width "default:" -compact
.It Domain:
multiple of 512
.It Default:
512
.El
.
.It instance
name of Microsoft SQL Server instance to connect to (supersedes
.Em port )
.Bl -tag -width "default:" -compact
.It Domain:
instance name
.It Default:
none
.El
.
.It port
port number that the server is listening to
.Bl -tag -width "default:" -compact
.It Domain:
any valid port
.It Default:
TDS 5.0, 5000; TDS 7.0 and up, 1433
.El
.
.It tds version
TDS protocol version to use
.Bl -tag -width "default:" -compact
.It Domain:
4.2, 5.0, 7.0, 7.1, 7.2
.It Default:
.Fl -with-tdsver
value (5.0 if unspecified)
.El
.
.It text size
default value of TEXTSIZE, in bytes
.Bl -tag -width "default:" -compact
.It Domain:
0 to 4,294,967,295
.It Default:
4,294,967,295
.El
.
.It timeout
seconds to wait for response to a query
.Bl -tag -width "default:" -compact
.It Domain:
0 to MAX_INT
.It Default:
none (wait forever)
.El
.
.El
.Pp
Do not define both
.Fa port
and
.Fa instance Ns \&.
One implies the other.
.Pp
Boolean property values may be denoted as on/off, true/false, or 1/0.
.
.Ss DEBUG FLAGS
The log's granularity can be controlled with the
.Em debug flags
property.
.Bl -column -offset indent ".Sy 0x8000" ".Sy show source level info (source file and line)"
.It Sy Value Ta Sy Meaning
.It Li \ \ 0x02 Ta severe error
.It Li \ \ 0x04 Ta error
.It Li \ \ 0x08 Ta warning
.It Li \ \ 0x10 Ta network
.It Li \ \ 0x20 Ta information level 1
.It Li \ \ 0x40 Ta information level 2
.It Li \ \ 0x80 Ta function trace and info
.It Li 0x1000 Ta show pid
.It Li 0x2000 Ta show time
.It Li 0x4000 Ta show source level info (source file and line)
.It Li 0x8000 Ta thread id (not implemented).
.El
.
.Sh NAMES AND LOCATIONS
The file is normally named
.Pa /etc/freetds.conf
or
.Pa ${HOME}/.freetds.conf .
That name can be overridden with the FREETDSCONF environment variable.
.Pp
FreeTDS will search conf files for a servername in the following order:
.Bl -enum -offset indent -compact
.It
a filename set programmatically via dbsetifile() that is in .conf format
.It
a filename in the environment variable FREETDSCONF that is in .conf format
.It
.Pa ${HOME}/.freetds.conf
if extant
.It
.Pa /opt/alt/freetds11/etc/freetds.conf
.El
.Pp
The search stops with the first file containing the servername.
.Pp
If no conf file is found, FreeTDS searches for an
.Pa interfaces
file in the following order:
.Bl -enum -offset indent -compact
.It
a filename set programmatically via dbsetifile() that is in
.Pa interfaces
format
.It
.Pa ${HOME}/.interfaces
.It
.Pa $SYBASE/interfaces
(where
.Ev $SYBASE
is an environment variable)
.El
.Pp
If the requested servername is not found in any configuration file, the
fallback mechanism is:
.Bl -enum -offset indent -compact
.It
attempt to convert the name to an IP address with inet_addr(3), else
.It
attempt to convert the name to an IP address with gethostbyname(3), else
.It
attempt to look up the literal name
.Dq SYBASE
.El
.
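.Pp
The Ruby script below is an added example; it is not part of FreeTDS and does
not call the FreeTDS library.
It parses the name = value syntax described above (comments, case-insensitive
section and property names, case-preserved values, the boolean spellings),
merges the
.Bq global
defaults into a server section, decodes a
.Em debug flags
value against the table above, and reports the settings a reviewer should look
at before the file ships: both
.Em port
and
.Em instance
set, encryption off or left unset, and a
.Em dump file
that switches protocol logging on.
The configuration text, server name, host and paths in it are constructed for
the example, and the function names are the example's own.

```ruby
# Added example, not FreeTDS code: parse freetds.conf syntax as freetds.conf(5)
# describes it and audit the result. Function names are this example's own.

# Constructed sample; server name, host and paths are invented.
SAMPLE_CONF = <<~CONF
  ; [global] supplies defaults for every server section
  [global]
      tds version = 7.2
      encryption = request
      text size = 64512        # inline comment

  [Payroll]
      host = payroll-db.example.internal
      port = 1433
      instance = MSSQLSERVER   ; conflicts with port: one implies the other
      encryption = off
      dump file = /tmp/freetds.log
      debug flags = 0x4fff
      Emulate Little Endian = on
CONF

# Bit values from the DEBUG FLAGS table.
DEBUG_FLAG_NAMES = {
  0x02 => "severe error", 0x04 => "error", 0x08 => "warning", 0x10 => "network",
  0x20 => "information level 1", 0x40 => "information level 2",
  0x80 => "function trace and info", 0x1000 => "show pid", 0x2000 => "show time",
  0x4000 => "show source level info (source file and line)",
  0x8000 => "thread id (not implemented)",
}.freeze

# Returns { "global" => { "tds version" => "7.2", ... }, "payroll" => { ... } }.
# Section and property names are lower-cased (they are not case sensitive);
# values keep their case because they are copied literally.
def parse_freetds_conf(text)
  sections = {}
  current = nil
  text.each_line do |raw|
    line = raw.strip.sub(/[;#].*\z/, "").strip   # ';' and '#' comments run to end of line
    next if line.empty?                          # blank and comment-only lines are ignored
    if (m = line.match(/\A\[(.+)\]\z/))
      current = sections[m[1].strip.downcase] ||= {}
    elsif (m = line.match(/\A([^=]+?)\s*=\s*(.*)\z/))   # whitespace around '=' is ignored
      raise "property outside any [section]: #{line}" unless current
      current[m[1].downcase] = m[2]
    else
      raise "unparseable line: #{line}"
    end
  end
  sections
end

# Properties for one server: the [global] defaults overridden by its own section.
def effective_properties(sections, servername)
  section = sections[servername.downcase] or return nil
  (sections["global"] || {}).merge(section)
end

# Boolean values may be written on/off, true/false, 1/0 or yes/no.
def boolean?(value)
  case value.strip.downcase
  when "on", "true", "1", "yes" then true
  when "off", "false", "0", "no" then false
  else raise ArgumentError, "not a boolean: #{value.inspect}"
  end
end

# Expand a debug flags value (decimal or 0x-prefixed hex) into the table's names.
def decode_debug_flags(value)
  v = value.strip
  bits = v.match?(/\A0[xX]/) ? Integer(v, 16) : Integer(v, 10)
  DEBUG_FLAG_NAMES.select { |bit, _| (bits & bit) != 0 }.values
end

# Review findings for one server; an empty array means nothing to report.
def audit_server(sections, servername)
  props = effective_properties(sections, servername) or return ["no section [#{servername}]"]
  findings = []
  if props.key?("port") && props.key?("instance")
    findings << "both 'port' and 'instance' are set; one implies the other"
  end
  case props["encryption"]&.strip&.downcase
  when nil
    findings << "encryption not set: 'request' is the default only above tds version 7.0"
  when "off"
    findings << "encryption = off: the connection is sent in clear"
  when "request"
    findings << "encryption = request: encrypted only if the server offers it"
  end
  if props.key?("dump file")
    findings << "dump file = #{props["dump file"]}: protocol logging is on"
  end
  findings
end
```

Calling
.Fn audit_server
on the sample's Payroll section returns three findings (port and instance both
set, encryption off, dump file present); the effective
.Em tds version
is the 7.2 inherited from the global section.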
.Sh ENVIRONMENT
.Bl -tag -width "TDSDUMPCONFIG" -compact
.It Ev FREETDSCONF
overrides name and location of the system-wide conf file
.It Ev TDSDUMP
overrides the name and location of the FreeTDS log file
.It Ev TDSDUMPCONFIG
specifies a name and location of a file that logs the search of configuration
files
.It Ev TDSHOST
overrides the host property
.It Ev TDSPORT
overrides the port property
.It Ev TDSQUERY
synonym for DSQUERY, the default servername
.It Ev TDSVER
overrides the version specified in the freetds.conf
.El
.Pp
The environment variables
.Ev TDSVER , Ev TDSDUMP , Ev TDSPORT , Ev TDSQUERY ,
and
.Ev TDSHOST
override values set by a .conf or
.Pa interfaces
file.
.
.Sh FILES
.Pa /opt/alt/freetds11/etc/freetds.conf , ${HOME}/.freetds.conf .
.Sh SEE ALSO
.%B FreeTDS User Guide .
.Sh HISTORY
\&.conf files first appeared with version 0.53 of FreeTDS.
.\" generated with Ronn/v0.7.3
.\" http://github.com/rtomayko/ronn/tree/0.7.3
.
.TH "GEMFILE" "5" "November 2018" "" ""
.
.SH "NAME"
\fBGemfile\fR \- A format for describing gem dependencies for Ruby programs
.
.SH "SYNOPSIS"
A \fBGemfile\fR describes the gem dependencies required to execute associated Ruby code\.
.
.P
Place the \fBGemfile\fR in the root of the directory containing the associated code\. For instance, in a Rails application, place the \fBGemfile\fR in the same directory as the \fBRakefile\fR\.
.
.SH "SYNTAX"
A \fBGemfile\fR is evaluated as Ruby code, in a context which makes available a number of methods used to describe the gem requirements\.
.
.SH "GLOBAL SOURCES"
At the top of the \fBGemfile\fR, add a line for the \fBRubygems\fR source that contains the gems listed in the \fBGemfile\fR\.
.
.IP "" 4
.
.nf
source "https://rubygems\.org"
.
.fi
.
.IP "" 0
.
.P
It is possible, but not recommended as of Bundler 1\.7, to add multiple global \fBsource\fR lines\. Each of these \fBsource\fRs \fBMUST\fR be a valid Rubygems repository\.
.
.P
Sources are checked for gems following the heuristics described in \fISOURCE PRIORITY\fR\.
If a gem is found in more than one global source, Bundler will print a warning after installing the gem indicating which source was used, and listing the other sources where the gem is available\. A specific source can be selected for gems that need to use a non\-standard repository, suppressing this warning, by using the \fI\fB:source\fR option\fR or a \fI\fBsource\fR block\fR\.
.
.SS "CREDENTIALS"
Some gem sources require a username and password\. Use bundle config(1) \fIbundle\-config\.1\.html\fR to set the username and password for any of the sources that need it\. The command must be run once on each computer that will install the Gemfile, but this keeps the credentials from being stored in plain text in version control\.
.
.IP "" 4
.
.nf
bundle config gems\.example\.com user:password
.
.fi
.
.IP "" 0
.
.P
For some sources, like a company Gemfury account, it may be easier to include the credentials in the Gemfile as part of the source URL\.
.
.IP "" 4
.
.nf
source "https://user:password@gems\.example\.com"
.
.fi
.
.IP "" 0
.
.P
Credentials in the source URL will take precedence over credentials set using \fBconfig\fR\.
.
.SH "RUBY"
If your application requires a specific Ruby version or engine, specify your requirements using the \fBruby\fR method, with the following arguments\. All parameters are \fBOPTIONAL\fR unless otherwise specified\.
.
.SS "VERSION (required)"
The version of Ruby that your application requires\. If your application requires an alternate Ruby engine, such as JRuby, Rubinius or TruffleRuby, this should be the Ruby version that the engine is compatible with\.
.
.IP "" 4
.
.nf
ruby "1\.9\.3"
.
.fi
.
.IP "" 0
.
.SS "ENGINE"
Each application \fImay\fR specify a Ruby engine\. If an engine is specified, an engine version \fImust\fR also be specified\.
.
.P
What exactly is an Engine? \- A Ruby engine is an implementation of the Ruby language\.
.
.IP "\(bu" 4
For background: the reference or original implementation of the Ruby programming language is called Matz\'s Ruby Interpreter \fIhttps://en\.wikipedia\.org/wiki/Ruby_MRI\fR, or MRI for short\. This is named after Ruby creator Yukihiro Matsumoto, also known as Matz\. MRI is also known as CRuby, because it is written in C\. MRI is the most widely used Ruby engine\.
.
.IP "\(bu" 4
Other implementations \fIhttps://www\.ruby\-lang\.org/en/about/\fR of Ruby exist\. Some of the more well\-known implementations include Rubinius \fIhttps://rubinius\.com/\fR, and JRuby \fIhttp://jruby\.org/\fR\. Rubinius is an alternative implementation of Ruby written in Ruby\. JRuby is an implementation of Ruby on the JVM, short for Java Virtual Machine\.
.
.IP "" 0
.
.SS "ENGINE VERSION"
Each application \fImay\fR specify a Ruby engine version\. If an engine version is specified, an engine \fImust\fR also be specified\. If the engine is "ruby" the engine version specified \fImust\fR match the Ruby version\.
.
.IP "" 4
.
.nf
ruby "1\.8\.7", :engine => "jruby", :engine_version => "1\.6\.7"
.
.fi
.
.IP "" 0
.
.SS "PATCHLEVEL"
Each application \fImay\fR specify a Ruby patchlevel\.
.
.IP "" 4
.
.nf
ruby "2\.0\.0", :patchlevel => "247"
.
.fi
.
.IP "" 0
.
.SH "GEMS"
Specify gem requirements using the \fBgem\fR method, with the following arguments\. All parameters are \fBOPTIONAL\fR unless otherwise specified\.
.
.SS "NAME (required)"
For each gem requirement, list a single \fIgem\fR line\.
.
.IP "" 4
.
.nf
gem "nokogiri"
.
.fi
.
.IP "" 0
.
.SS "VERSION"
Each \fIgem\fR \fBMAY\fR have one or more version specifiers\.
.
.IP "" 4
.
.nf
gem "nokogiri", ">= 1\.4\.2"
gem "RedCloth", ">= 4\.1\.0", "< 4\.2\.0"
.
.fi
.
.IP "" 0
.
.SS "REQUIRE AS"
Each \fIgem\fR \fBMAY\fR specify files that should be used when autorequiring via \fBBundler\.require\fR\.
You may pass an array with multiple files, \fBtrue\fR if the file you want \fBrequired\fR has the same name as the \fIgem\fR, or \fBfalse\fR to prevent any file from being autorequired\.
.
.IP "" 4
.
.nf
gem "redis", :require => ["redis/connection/hiredis", "redis"]
gem "webmock", :require => false
gem "debugger", :require => true
.
.fi
.
.IP "" 0
.
.P
The argument defaults to the name of the gem\. For example, these are identical:
.
.IP "" 4
.
.nf
gem "nokogiri"
gem "nokogiri", :require => "nokogiri"
gem "nokogiri", :require => true
.
.fi
.
.IP "" 0
.
.SS "GROUPS"
Each \fIgem\fR \fBMAY\fR specify membership in one or more groups\. Any \fIgem\fR that does not specify membership in any group is placed in the \fBdefault\fR group\.
.
.IP "" 4
.
.nf
gem "rspec", :group => :test
gem "wirble", :groups => [:development, :test]
.
.fi
.
.IP "" 0
.
.P
The Bundler runtime allows its two main methods, \fBBundler\.setup\fR and \fBBundler\.require\fR, to limit their impact to particular groups\.
.
.IP "" 4
.
.nf
# setup adds gems to Ruby\'s load path
Bundler\.setup                    # defaults to all groups
require "bundler/setup"          # same as Bundler\.setup
Bundler\.setup(:default)          # only set up the _default_ group
Bundler\.setup(:test)             # only set up the _test_ group (but `not` _default_)
Bundler\.setup(:default, :test)   # set up the _default_ and _test_ groups, but no others

# require requires all of the gems in the specified groups
Bundler\.require                  # defaults to the _default_ group
Bundler\.require(:default)        # identical
Bundler\.require(:default, :test) # requires the _default_ and _test_ groups
Bundler\.require(:test)           # requires the _test_ group
.
.fi
.
.IP "" 0
.
.P
The Bundler CLI allows you to specify a list of groups whose gems \fBbundle install\fR should not install with the \fB\-\-without\fR option\. To specify multiple groups to ignore, specify a list of groups separated by spaces\.
.
.IP "" 4
.
.nf
bundle install \-\-without test
bundle install \-\-without development test
.
.fi
.
.IP "" 0
.
.P
After running \fBbundle install \-\-without test\fR, bundler will remember that you excluded the test group in the last installation\. The next time you run \fBbundle install\fR, without any \fB\-\-without option\fR, bundler will recall it\.
.
.P
Also, calling \fBBundler\.setup\fR with no parameters, or calling \fBrequire "bundler/setup"\fR will set up all groups except for the ones you excluded via \fB\-\-without\fR (since they are not available)\.
.
.P
Note that on \fBbundle install\fR, bundler downloads and evaluates all gems, in order to create a single canonical list of all of the required gems and their dependencies\. This means that you cannot list different versions of the same gems in different groups\. For more details, see Understanding Bundler \fIhttp://bundler\.io/rationale\.html\fR\.
.
.SS "PLATFORMS"
If a gem should only be used in a particular platform or set of platforms, you can specify them\. Platforms are essentially identical to groups, except that you do not need to use the \fB\-\-without\fR install\-time flag to exclude groups of gems for other platforms\.
.
.P
There are a number of \fBGemfile\fR platforms:
.
.TP
\fBruby\fR
C Ruby (MRI), Rubinius or TruffleRuby, but \fBNOT\fR Windows
.
.TP
\fBmri\fR
Same as \fIruby\fR, but only C Ruby (MRI)
.
.TP
\fBmingw\fR
Windows 32 bit \'mingw32\' platform (aka RubyInstaller)
.
.TP
\fBx64_mingw\fR
Windows 64 bit \'mingw32\' platform (aka RubyInstaller x64)
.
.TP
\fBrbx\fR
Rubinius
.
.TP
\fBjruby\fR
JRuby
.
.TP
\fBtruffleruby\fR
TruffleRuby
.
.TP
\fBmswin\fR
Windows
.
.P
You can restrict further by platform and version for all platforms \fIexcept\fR for \fBrbx\fR, \fBjruby\fR, \fBtruffleruby\fR and \fBmswin\fR\.
.
.P
To specify a version in addition to a platform, append the version number without the delimiter to the platform\. For example, to specify that a gem should only be used on platforms with Ruby 2\.3, use:
.
.IP "" 4
.
.nf
ruby_23
.
.fi
.
.IP "" 0
.
.P
The full list of platforms and supported versions includes:
.
.TP
\fBruby\fR
1\.8, 1\.9, 2\.0, 2\.1, 2\.2, 2\.3, 2\.4, 2\.5
.
.TP
\fBmri\fR
1\.8, 1\.9, 2\.0, 2\.1, 2\.2, 2\.3, 2\.4, 2\.5
.
.TP
\fBmingw\fR
1\.8, 1\.9, 2\.0, 2\.1, 2\.2, 2\.3, 2\.4, 2\.5
.
.TP
\fBx64_mingw\fR
2\.0, 2\.1, 2\.2, 2\.3, 2\.4, 2\.5
.
.P
As with groups, you can specify one or more platforms:
.
.IP "" 4
.
.nf
gem "weakling", :platforms => :jruby
gem "ruby\-debug", :platforms => :mri_18
gem "nokogiri", :platforms => [:mri_18, :jruby]
.
.fi
.
.IP "" 0
.
.P
All operations involving groups (\fBbundle install\fR \fIbundle\-install\.1\.html\fR, \fBBundler\.setup\fR, \fBBundler\.require\fR) behave exactly the same as if any groups not matching the current platform were explicitly excluded\.
.
.SS "SOURCE"
You can select an alternate Rubygems repository for a gem using the \':source\' option\.
.
.IP "" 4
.
.nf
gem "some_internal_gem", :source => "https://gems\.example\.com"
.
.fi
.
.IP "" 0
.
.P
This forces the gem to be loaded from this source and ignores any global sources declared at the top level of the file\. If the gem does not exist in this source, it will not be installed\.
.
.P
Bundler will search for child dependencies of this gem by first looking in the source selected for the parent, but if they are not found there, it will fall back on global sources using the ordering described in \fISOURCE PRIORITY\fR\.
.
.P
Selecting a specific source repository this way also suppresses the ambiguous gem warning described above in \fIGLOBAL SOURCES (#source)\fR\.
.
.P
Using the \fB:source\fR option for an individual gem will also make that source available as a possible global source for any other gems which do not specify explicit sources\. Thus, when adding gems with explicit sources, it is recommended that you also ensure all other gems in the Gemfile are using explicit sources\.
.
.SS "GIT"
If necessary, you can specify that a gem is located at a particular git repository using the \fB:git\fR parameter\. The repository can be accessed via several protocols:
.
.TP
\fBHTTP(S)\fR
gem "rails", :git => "https://github\.com/rails/rails\.git"
.
.TP
\fBSSH\fR
gem "rails", :git => "git@github\.com:rails/rails\.git"
.
.TP
\fBgit\fR
gem "rails", :git => "git://github\.com/rails/rails\.git"
.
.P
If using SSH, the user that you use to run \fBbundle install\fR \fBMUST\fR have the appropriate keys available in their \fB$HOME/\.ssh\fR\.
.
.P
\fBNOTE\fR: \fBhttp://\fR and \fBgit://\fR URLs should be avoided if at all possible\. These protocols are unauthenticated, so a man\-in\-the\-middle attacker can deliver malicious code and compromise your system\. HTTPS and SSH are strongly preferred\.
.
.P
The \fBgroup\fR, \fBplatforms\fR, and \fBrequire\fR options are available and behave exactly the same as they would for a normal gem\.
.
.P
A git repository \fBSHOULD\fR have at least one file, at the root of the directory containing the gem, with the extension \fB\.gemspec\fR\. This file \fBMUST\fR contain a valid gem specification, as expected by the \fBgem build\fR command\.
.
.P
If a git repository does not have a \fB\.gemspec\fR, bundler will attempt to create one, but it will not contain any dependencies, executables, or C extension compilation instructions\. As a result, it may fail to properly integrate into your application\.
.
.P
If a git repository does have a \fB\.gemspec\fR for the gem you attached it to, a version specifier, if provided, means that the git repository is only valid if the \fB\.gemspec\fR specifies a version matching the version specifier\. If not, bundler will print a warning\.
.
.IP "" 4
.
.nf
gem "rails", "2\.3\.8", :git => "https://github\.com/rails/rails\.git"
# bundle install will fail, because the \.gemspec in the rails
# repository\'s master branch specifies version 3\.0\.0
.
.fi
.
.IP "" 0
.
.P
If a git repository does \fBnot\fR have a \fB\.gemspec\fR for the gem you attached it to, a version specifier \fBMUST\fR be provided\. Bundler will use this version in the simple \fB\.gemspec\fR it creates\.
.
.P
Git repositories support a number of additional options\.
.
.TP
\fBbranch\fR, \fBtag\fR, and \fBref\fR
You \fBMUST\fR only specify at most one of these options\. The default is \fB:branch => "master"\fR
.
.TP
For example:
.
.IP
git "https://github\.com/rails/rails\.git", :branch => "5\-0\-stable" do
.
.IP
git "https://github\.com/rails/rails\.git", :tag => "v5\.0\.0" do
.
.IP
git "https://github\.com/rails/rails\.git", :ref => "4aded" do
.
.TP
\fBsubmodules\fR
For reference, a git submodule \fIhttps://git\-scm\.com/book/en/v2/Git\-Tools\-Submodules\fR lets you have another git repository within a subfolder of your repository\. Specify \fB:submodules => true\fR to cause bundler to expand any submodules included in the git repository\.
.
.P
If a git repository contains multiple \fB\.gemspecs\fR, each \fB\.gemspec\fR represents a gem located at the same place in the file system as the \fB\.gemspec\fR\.
.
.IP "" 4
.
.nf
|~rails                    [git root]
| |\-rails\.gemspec          [rails gem located here]
|~actionpack
| |\-actionpack\.gemspec     [actionpack gem located here]
|~activesupport
| |\-activesupport\.gemspec  [activesupport gem located here]
|\.\.\.
.
.fi
.
.IP "" 0
.
.P
To install a gem located in a git repository, bundler changes to the directory containing the gemspec, runs \fBgem build name\.gemspec\fR and then installs the resulting gem\. The \fBgem build\fR command, which comes standard with Rubygems, evaluates the \fB\.gemspec\fR in the context of the directory in which it is located\.
.
.SS "GIT SOURCE"
A custom git source can be defined via the \fBgit_source\fR method\. Provide the source\'s name as an argument, and a block which receives a single argument and interpolates it into a string to return the full repo address:
.
.IP "" 4
.
.nf
git_source(:stash){ |repo_name| "https://stash\.corp\.acme\.pl/#{repo_name}\.git" }
gem \'rails\', :stash => \'forks/rails\'
.
.fi
.
.IP "" 0
.
.P
In addition, if you wish to choose a specific branch:
.
.IP "" 4
.
.nf
gem "rails", :stash => "forks/rails", :branch => "branch_name"
.
.fi
.
.IP "" 0
.
.SS "GITHUB"
\fBNOTE\fR: This shorthand should be avoided until Bundler 2\.0, since it currently expands to an insecure \fBgit://\fR URL\. This allows a man\-in\-the\-middle attacker to compromise your system\.
.
.P
If the git repository you want to use is hosted on GitHub and is public, you can use the :github shorthand to specify the github username and repository name (without the trailing "\.git"), separated by a slash\. If both the username and repository name are the same, you can omit one\.
.
.IP "" 4
.
.nf
gem "rails", :github => "rails/rails"
gem "rails", :github => "rails"
.
.fi
.
.IP "" 0
.
.P
Are both equivalent to
.
.IP "" 4
.
.nf
gem "rails", :git => "git://github\.com/rails/rails\.git"
.
.fi
.
.IP "" 0
.
.P
Since the \fBgithub\fR method is a specialization of \fBgit_source\fR, it accepts a \fB:branch\fR named argument\.
.
.SS "GIST"
If the git repository you want to use is hosted as a Github Gist and is public, you can use the :gist shorthand to specify the gist identifier (without the trailing "\.git")\.
.
.IP "" 4
.
.nf
gem "the_hatch", :gist => "4815162342"
.
.fi
.
.IP "" 0
.
.P
Is equivalent to:
.
.IP "" 4
.
.nf
gem "the_hatch", :git => "https://gist\.github\.com/4815162342\.git"
.
.fi
.
.IP "" 0
.
.P
Since the \fBgist\fR method is a specialization of \fBgit_source\fR, it accepts a \fB:branch\fR named argument\.
.
.SS "BITBUCKET"
If the git repository you want to use is hosted on Bitbucket and is public, you can use the :bitbucket shorthand to specify the bitbucket username and repository name (without the trailing "\.git"), separated by a slash\. If both the username and repository name are the same, you can omit one\.
.
.IP "" 4
.
.nf
gem "rails", :bitbucket => "rails/rails"
gem "rails", :bitbucket => "rails"
.
.fi
.
.IP "" 0
.
.P
Are both equivalent to
.
.IP "" 4
.
.nf
gem "rails", :git => "https://rails@bitbucket\.org/rails/rails\.git"
.
.fi
.
.IP "" 0
.
.P
Since the \fBbitbucket\fR method is a specialization of \fBgit_source\fR, it accepts a \fB:branch\fR named argument\.
.
.SS "PATH"
You can specify that a gem is located in a particular location on the file system\. Relative paths are resolved relative to the directory containing the \fBGemfile\fR\.
.
.P
Similar to the semantics of the \fB:git\fR option, the \fB:path\fR option requires that the directory in question either contains a \fB\.gemspec\fR for the gem, or that you specify an explicit version that bundler should use\.
.
.P
Unlike \fB:git\fR, bundler does not compile C extensions for gems specified as paths\.
.
.IP "" 4
.
.nf
gem "rails", :path => "vendor/rails"
.
.fi
.
.IP "" 0
.
.P
If you would like to use multiple local gems directly from the filesystem, you can set a global \fBpath\fR option to the path containing the gem\'s files\. This will automatically load gemspec files from subdirectories\.
.
.IP "" 4
.
.nf
path \'components\' do
  gem \'admin_ui\'
  gem \'public_ui\'
end
.
.fi
.
.IP "" 0
.
.SH "BLOCK FORM OF SOURCE, GIT, PATH, GROUP and PLATFORMS"
The \fB:source\fR, \fB:git\fR, \fB:path\fR, \fB:group\fR, and \fB:platforms\fR options may be applied to a group of gems by using block form\.
.
.IP "" 4
.
.nf
source "https://gems\.example\.com" do
  gem "some_internal_gem"
  gem "another_internal_gem"
end

git "https://github\.com/rails/rails\.git" do
  gem "activesupport"
  gem "actionpack"
end

platforms :ruby do
  gem "ruby\-debug"
  gem "sqlite3"
end

group :development, :optional => true do
  gem "wirble"
  gem "faker"
end
.
.fi
.
.IP "" 0
.
.P
In the case of the group block form the :optional option can be given to prevent a group from being installed unless listed in the \fB\-\-with\fR option given to the \fBbundle install\fR command\.
.
.P
In the case of the \fBgit\fR block form, the \fB:ref\fR, \fB:branch\fR, \fB:tag\fR, and \fB:submodules\fR options may be passed to the \fBgit\fR method, and all gems in the block will inherit those options\.
.
.P
The presence of a \fBsource\fR block in a Gemfile also makes that source available as a possible global source for any other gems which do not specify explicit sources\. Thus, when defining source blocks, it is recommended that you also ensure all other gems in the Gemfile are using explicit sources, either via source blocks or \fB:source\fR directives on individual gems\.
.
.SH "INSTALL_IF"
The \fBinstall_if\fR method allows gems to be installed based on a proc or lambda\. This is especially useful for optional gems that can only be used if certain software is installed or some other conditions are met\.
.
.IP "" 4
.
.nf
install_if \-> { RUBY_PLATFORM =~ /darwin/ } do
  gem "pasteboard"
end
.
.fi
.
.IP "" 0
.
.SH "GEMSPEC"
The \fB\.gemspec\fR \fIhttp://guides\.rubygems\.org/specification\-reference/\fR file is where you provide metadata about your gem to Rubygems\. Some required Gemspec attributes include the name, description, and homepage of your gem\. This is also where you specify the dependencies your gem needs to run\.
.
.P
If you wish to use Bundler to help install dependencies for a gem while it is being developed, use the \fBgemspec\fR method to pull in the dependencies listed in the \fB\.gemspec\fR file\.
.
.P
The \fBgemspec\fR method adds any runtime dependencies as gem requirements in the default group\. It also adds development dependencies as gem requirements in the \fBdevelopment\fR group\. Finally, it adds a gem requirement on your project (\fB:path => \'\.\'\fR)\. In conjunction with \fBBundler\.setup\fR, this allows you to require project files in your test code as you would if the project were installed as a gem; you need not manipulate the load path manually or require project files via relative paths\.
.
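.P
The Ruby script below is an added example and is not part of Bundler\. It evaluates a small Gemfile with a stand\-in for the DSL described in the GLOBAL SOURCES, GIT, GIT SOURCE, GITHUB, GIST, BITBUCKET and block\-form sections above: it records global \fBsource\fR lines, expands the \fB:github\fR, \fB:gist\fR and \fB:bitbucket\fR shorthands and any \fBgit_source\fR block exactly as those sections describe them, scopes gems declared inside \fBsource\fR and \fBgit\fR blocks, reports the two risks this page calls out (unauthenticated \fBgit://\fR and \fBhttp://\fR transports, and credentials embedded in a source URL), and lists the candidate sources for a gem in the order given under \fISOURCE PRIORITY\fR\. The Gemfile text, host names and the credential in it are constructed for the example; \fBGemfileAudit\fR and its methods are the example\'s own names, not Bundler\'s\.

```ruby
# Added example, not Bundler's code: a stand-in evaluator for the Gemfile
# directives documented on this page. Names below are this example's own.
require "uri"

# Constructed sample Gemfile. Single-quoted heredoc so "#{repo}" reaches the git_source block untouched.
SAMPLE_GEMFILE = <<~'GEMFILE'
  source "https://rubygems.org"
  source "https://user:s3cret@gems.example.com"   # credentials in the URL
  git_source(:stash) { |repo| "https://stash.example.com/#{repo}.git" }
  gem "nokogiri", ">= 1.4.2"
  gem "rails", github: "rails/rails"               # shorthand expands to git://
  gem "the_hatch", gist: "4815162342"
  gem "internal", source: "https://gems.example.com"
  gem "forked", stash: "forks/forked", branch: "main"
  gem "legacy", git: "http://example.com/legacy.git"
  source "https://gems.other.example" do
    gem "grouped"
  end
GEMFILE

class GemfileAudit
  Dependency = Struct.new(:name, :requirements, :source, :options)
  attr_reader :global_sources, :dependencies, :findings

  def initialize
    @global_sources = []   # top-level `source` lines, in Gemfile order
    @extra_sources = []    # sources that :source options and source blocks also expose
    @dependencies, @findings, @git_sources = [], [], {}
    @current_source = nil  # set while inside a source/git block
    # The shorthands exactly as the page expands them (github still uses git://).
    git_source(:github) do |repo|
      repo = "#{repo}/#{repo}" unless repo.include?("/")
      "git://github.com/#{repo}.git"
    end
    git_source(:gist) { |id| "https://gist.github.com/#{id}.git" }
    git_source(:bitbucket) do |repo|
      repo = "#{repo}/#{repo}" unless repo.include?("/")
      "https://#{repo.split('/').first}@bitbucket.org/#{repo}.git"
    end
  end

  def evaluate(text)
    instance_eval(text, "Gemfile", 1)
    self
  end

  # `source url` adds a global source; `source url do ... end` scopes the gems in the block.
  def source(url, &block)
    check_transport(url, "source")
    return @global_sources << url unless block
    @extra_sources << url
    with_source(url, &block)
  end
  def git_source(name, &block)
    @git_sources[name] = block
  end
  def git(url, **_opts, &block)
    with_source(url, &block)
  end
  def gem(name, *requirements, **opts)
    src = explicit_source(opts) || @current_source
    check_transport(src, "gem #{name}") if src
    @extra_sources << opts[:source] if opts[:source]
    @dependencies << Dependency.new(name, requirements, src, opts)
  end

  # SOURCE PRIORITY: an explicit source wins outright; an implicit dependency tries its
  # parent's source, then the global lines last added first. The page does not order the
  # "also available" extra sources, so they are assumed here to come last.
  def candidate_sources(name, parent: nil)
    dep = @dependencies.find { |d| d.name == name }
    return [dep.source] if dep&.source
    pdep = parent && @dependencies.find { |d| d.name == parent }
    ([pdep&.source].compact + @global_sources.reverse + @extra_sources).uniq
  end

  private

  def with_source(url)
    previous, @current_source = @current_source, url
    yield
  ensure
    @current_source = previous
  end
  def explicit_source(opts)
    return opts[:git] if opts[:git]
    return opts[:source] if opts[:source]
    return "path:#{opts[:path]}" if opts[:path]
    key = (@git_sources.keys & opts.keys).first
    key && @git_sources[key].call(opts[key])
  end
  # The page's two warnings: git:// and http:// are unauthenticated, and a password in a
  # source URL is committed along with the Gemfile.
  def check_transport(url, where)
    uri = URI.parse(url) rescue nil
    return unless uri&.scheme
    @findings << "#{where}: #{uri.scheme}:// is unauthenticated (#{url})" if %w[git http].include?(uri.scheme)
    @findings << "#{where}: credentials embedded in source URL" if uri.password
  end
end
```

Evaluating the sample yields three findings, in Gemfile order: the second global source carries a password, \fBrails\fR resolves to a \fBgit://\fR URL through the \fB:github\fR shorthand, and \fBlegacy\fR is fetched over \fBhttp://\fR\. \fBcandidate_sources("activesupport", parent: "rails")\fR lists the Rails git repository before any global source, which is the ActiveSupport case SOURCE PRIORITY describes; \fBcandidate_sources("internal")\fR returns only the gem\'s own \fB:source\fR\.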
.P
The \fBgemspec\fR method supports optional \fB:path\fR, \fB:glob\fR, \fB:name\fR, and \fB:development_group\fR options, which control where bundler looks for the \fB\.gemspec\fR, the glob it uses to look for the gemspec (defaults to: "{,*,*/*}\.gemspec"), what named \fB\.gemspec\fR it uses (if more than one is present), and which group development dependencies are included in\.
.P
When a \fBgemspec\fR dependency encounters version conflicts during resolution, the local version under development will always be selected \-\- even if there are remote versions that better match other requirements for the \fBgemspec\fR gem\.
.SH "SOURCE PRIORITY"
When attempting to locate a gem to satisfy a gem requirement, bundler uses the following priority order:
.IP "1." 4
The source explicitly attached to the gem (using \fB:source\fR, \fB:path\fR, or \fB:git\fR)
.IP "2." 4
For implicit gems (dependencies of explicit gems), any source, git, or path repository declared on the parent\. This results in bundler prioritizing the ActiveSupport gem from the Rails git repository over ones from \fBrubygems\.org\fR
.IP "3." 4
The sources specified via global \fBsource\fR lines, searching each source in your \fBGemfile\fR from last added to first added\.
.IP "" 0
.\" Automatically generated by Pod::Man 4.11 (Pod::Simple 3.35)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.de IX
..
.IX Title "X509V3_CONFIG 5"
.TH X509V3_CONFIG 5 "2023-09-11" "1.1.1w" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
x509v3_config \- X509 V3 certificate extension configuration format
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
Several of the OpenSSL utilities can add extensions to a certificate or
certificate request based on the contents of a configuration file.
.PP
Typically the application will contain an option to point to an extension
section. Each line of the extension section takes the form:
.PP
.Vb 1
\& extension_name=[critical,] extension_options
.Ve
.PP
If \fBcritical\fR is present then the extension will be critical.
.PP
The format of \fBextension_options\fR depends on the value of \fBextension_name\fR.
.PP
There are four main types of extension: \fIstring\fR extensions, \fImulti-valued\fR
extensions, \fIraw\fR and \fIarbitrary\fR extensions.
.PP
String extensions simply have a string which contains either the value itself
or how it is obtained.
.PP
For example:
.PP
.Vb 1
\& nsComment="This is a Comment"
.Ve
.PP
Multi-valued extensions have a short form and a long form. The short form
is a list of names and values:
.PP
.Vb 1
\& basicConstraints=critical,CA:true,pathlen:1
.Ve
.PP
The long form allows the values to be placed in a separate section:
.PP
.Vb 1
\& basicConstraints=critical,@bs_section
\&
\& [bs_section]
\&
\& CA=true
\& pathlen=1
.Ve
.PP
Both forms are equivalent.
.PP
The syntax of raw extensions is governed by the extension code: it can
for example contain data in multiple sections. The correct syntax to
use is defined by the extension code itself: check out the certificate
policies extension for an example.
.PP
If an extension type is unsupported then the \fIarbitrary\fR extension syntax
must be used, see the \s-1ARBITRARY EXTENSIONS\s0 section for more details.
.SH "STANDARD EXTENSIONS"
.IX Header "STANDARD EXTENSIONS"
The following sections describe each supported extension in detail.
.SS "Basic Constraints."
.IX Subsection "Basic Constraints."
This is a multi valued extension which indicates whether a certificate is
a \s-1CA\s0 certificate. The first (mandatory) name is \fB\s-1CA\s0\fR followed by \fB\s-1TRUE\s0\fR or
\&\fB\s-1FALSE\s0\fR. If \fB\s-1CA\s0\fR is \fB\s-1TRUE\s0\fR then an optional \fBpathlen\fR name followed by a
nonnegative value can be included.
.PP
For example:
.PP
.Vb 1
\& basicConstraints=CA:TRUE
\&
\& basicConstraints=CA:FALSE
\&
\& basicConstraints=critical,CA:TRUE, pathlen:0
.Ve
.PP
A \s-1CA\s0 certificate \fBmust\fR include the basicConstraints value with the \s-1CA\s0 field
set to \s-1TRUE.\s0 An end user certificate must either set \s-1CA\s0 to \s-1FALSE\s0 or exclude the
extension entirely.
Some software may require the inclusion of basicConstraints with \s-1CA\s0 set to
\&\s-1FALSE\s0 for end entity certificates.
.PP
The pathlen parameter indicates the maximum number of CAs that can appear
below this one in a chain. So if you have a \s-1CA\s0 with a pathlen of zero it can
only be used to sign end user certificates and not further CAs.
.SS "Key Usage."
.IX Subsection "Key Usage."
Key usage is a multi valued extension consisting of a list of names of the
permitted key usages.
.PP
The supported names are: digitalSignature, nonRepudiation, keyEncipherment,
dataEncipherment, keyAgreement, keyCertSign, cRLSign, encipherOnly
and decipherOnly.
.PP
Examples:
.PP
.Vb 1
\& keyUsage=digitalSignature, nonRepudiation
\&
\& keyUsage=critical, keyCertSign
.Ve
.SS "Extended Key Usage."
.IX Subsection "Extended Key Usage."
This extension consists of a list of usages indicating the purposes for which
the certificate public key can be used.
.PP
These can either be object short names or the dotted numerical form of OIDs.
While any \s-1OID\s0 can be used only certain values make sense. In particular the
following \s-1PKIX, NS\s0 and \s-1MS\s0 values are meaningful:
.PP
.Vb 10
\& Value                  Meaning
\& \-\-\-\-\-                  \-\-\-\-\-\-\-
\& serverAuth             SSL/TLS Web Server Authentication.
\& clientAuth             SSL/TLS Web Client Authentication.
\& codeSigning            Code signing.
\& emailProtection        E\-mail Protection (S/MIME).
\& timeStamping           Trusted Timestamping
\& OCSPSigning            OCSP Signing
\& ipsecIKE               ipsec Internet Key Exchange
\& msCodeInd              Microsoft Individual Code Signing (authenticode)
\& msCodeCom              Microsoft Commercial Code Signing (authenticode)
\& msCTLSign              Microsoft Trust List Signing
\& msEFS                  Microsoft Encrypted File System
.Ve
.PP
Examples:
.PP
.Vb 2
\& extendedKeyUsage=critical,codeSigning,1.2.3.4
\& extendedKeyUsage=serverAuth,clientAuth
.Ve
.SS "Subject Key Identifier."
.IX Subsection "Subject Key Identifier."
This is really a string extension and can take two possible values.
Either the word \fBhash\fR which will automatically follow the guidelines in \s-1RFC3280\s0
or a hex string giving the extension value to include. The use of the hex
string is strongly discouraged.
.PP
Example:
.PP
.Vb 1
\& subjectKeyIdentifier=hash
.Ve
.SS "Authority Key Identifier."
.IX Subsection "Authority Key Identifier."
The authority key identifier extension permits two options, keyid and issuer:
both can take the optional value "always".
.PP
If the keyid option is present an attempt is made to copy the subject key
identifier from the parent certificate. If the value "always" is present
then an error is returned if the option fails.
.PP
The issuer option copies the issuer and serial number from the issuer
certificate. This will only be done if the keyid option fails or is not
included, unless the "always" flag is given, in which case the value is
always included.
.PP
Example:
.PP
.Vb 1
\& authorityKeyIdentifier=keyid,issuer
.Ve
.SS "Subject Alternative Name."
.IX Subsection "Subject Alternative Name."
The subject alternative name extension allows various literal values to be
included in the configuration file. These include \fBemail\fR (an email address),
\&\fB\s-1URI\s0\fR (a uniform resource identifier), \fB\s-1DNS\s0\fR (a \s-1DNS\s0 domain name), \fB\s-1RID\s0\fR (a
registered \s-1ID: OBJECT IDENTIFIER\s0), \fB\s-1IP\s0\fR (an \s-1IP\s0 address), \fBdirName\fR
(a distinguished name) and otherName.
.PP
The email option includes a special 'copy' value. This will automatically
include any email addresses contained in the certificate subject name in
the extension.
.PP
The \s-1IP\s0 address used in the \fB\s-1IP\s0\fR option can be in either IPv4 or IPv6 format.
.PP
The value of \fBdirName\fR should point to a section containing the distinguished
name to use as a set of name value pairs. Multi-valued AVAs can be formed by
prefacing the name with a \fB+\fR character.
.PP
otherName can include arbitrary data associated with an \s-1OID:\s0 the value
should be the \s-1OID\s0 followed by a semicolon and the content in standard
\&\fBASN1_generate_nconf\fR\|(3) format.
.PP
Examples:
.PP
.Vb 5
\& subjectAltName=email:copy,email:my@other.address,URI:http://my.url.here/
\& subjectAltName=IP:192.168.7.1
\& subjectAltName=IP:13::17
\& subjectAltName=email:my@other.address,RID:1.2.3.4
\& subjectAltName=otherName:1.2.3.4;UTF8:some other identifier
\&
\& subjectAltName=dirName:dir_sect
\&
\& [dir_sect]
\& C=UK
\& O=My Organization
\& OU=My Unit
\& CN=My Name
.Ve
.SS "Issuer Alternative Name."
.IX Subsection "Issuer Alternative Name."
The issuer alternative name option supports all the literal options of
subject alternative name. It does \fBnot\fR support the email:copy option because
that would not make sense. It does support an additional issuer:copy option
that will copy all the subject alternative name values from the issuer
certificate (if possible).
.PP
Example:
.PP
.Vb 1
\& issuerAltName = issuer:copy
.Ve
.SS "Authority Info Access."
.IX Subsection "Authority Info Access."
The authority information access extension gives details about how to access
certain information relating to the \s-1CA.\s0 Its syntax is accessOID;location
where \fIlocation\fR has the same syntax as subject alternative name (except
that email:copy is not supported). accessOID can be any valid \s-1OID\s0 but only
certain values are meaningful, for example \s-1OCSP\s0 and caIssuers.
.PP
Example:
.PP
.Vb 2
\& authorityInfoAccess = OCSP;URI:http://ocsp.my.host/
\& authorityInfoAccess = caIssuers;URI:http://my.ca/ca.html
.Ve
.SS "\s-1CRL\s0 distribution points"
.IX Subsection "CRL distribution points"
This is a multi-valued extension whose options can be either in name:value pair
using the same form as subject alternative name or a single value representing
a section name containing all the distribution point fields.
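.PP
Both value forms of this extension, as an added Python example that is not OpenSSL code: the \fBsections\fR mapping and \fBSAMPLE_SECTIONS\fR are constructed stand-ins for the already-parsed configuration file, and the class and function names are the example's own. It also shows why a comma inside a URI breaks the name:value form, the case the NOTES section describes.

```python
"""Parser for the crlDistributionPoints value forms described above.
Added example for this page, not OpenSSL code. `sections` stands in for the
already-parsed configuration file ({section: [(name, value), ...]}); the
sample sections below are constructed for illustration."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# "reasons" names accepted above; anything else is rejected.
VALID_REASONS = {
    "keyCompromise", "CACompromise", "affiliationChanged", "superseded",
    "cessationOfOperation", "certificateHold", "privilegeWithdrawn",
    "AACompromise",
}
# GeneralName literal types shared with subjectAltName.
GENERAL_NAME_TYPES = {"email", "URI", "DNS", "RID", "IP", "dirName", "otherName"}


@dataclass
class DistributionPoint:
    full_name: List[Tuple[str, object]] = field(default_factory=list)
    relative_name: Optional[List[Tuple[str, str]]] = None
    crl_issuer: List[Tuple[str, object]] = field(default_factory=list)
    reasons: List[str] = field(default_factory=list)


def parse_general_name(sections, literal):
    """'URI:http://h/x' -> ('URI', 'http://h/x'); dirName resolves its section."""
    gn_type, sep, value = literal.strip().partition(":")
    if not sep or gn_type not in GENERAL_NAME_TYPES:
        raise ValueError(f"unsupported GeneralName literal: {literal!r}")
    if gn_type == "email" and value == "copy":
        raise ValueError("email:copy is not supported in a distribution point")
    if gn_type == "dirName":
        if value not in sections:
            raise ValueError(f"missing dirName section {value!r}")
        return gn_type, list(sections[value])     # DN as name/value pairs
    return gn_type, value


def parse_general_names(sections, value):
    # The name:value form is split on commas, so a comma inside a URI is
    # broken apart here: that is the case NOTES says needs the long form.
    return [parse_general_name(sections, item) for item in value.split(",")]


def parse_crl_distribution_points(sections, value):
    """Return the DistributionPoint list for one crlDistributionPoints line."""
    value = value.strip()
    if ":" in value.split(",", 1)[0]:
        # name:value pairs: one DistributionPoint per pair with only fullName
        # set; cRLIssuer and reasons are omitted.
        return [DistributionPoint(full_name=[gn])
                for gn in parse_general_names(sections, value)]
    # Single bare value: a section holding the distribution point fields.
    if value not in sections:
        raise ValueError(f"missing section {value!r}")
    entries = dict(sections[value])
    dp = DistributionPoint()
    if "fullname" in entries:
        dp.full_name = parse_general_names(sections, entries["fullname"])
    if "relativename" in entries:
        rel = entries["relativename"]
        if rel not in sections:
            raise ValueError(f"missing relativename section {rel!r}")
        dp.relative_name = list(sections[rel])
    if "CRLissuer" in entries:
        dp.crl_issuer = parse_general_names(sections, entries["CRLissuer"])
    if "reasons" in entries:
        reasons = [r.strip() for r in entries["reasons"].split(",")]
        bad = sorted(set(reasons) - VALID_REASONS)
        if bad:
            raise ValueError(f"invalid reasons: {bad}")
        dp.reasons = reasons
    if not dp.full_name and dp.relative_name is None:
        raise ValueError("a distribution point needs fullname or relativename")
    return [dp]


# Constructed sections mirroring the full distribution point example above.
SAMPLE_SECTIONS = {
    "crldp1_section": [
        ("fullname", "URI:http://myhost.com/myca.crl"),
        ("CRLissuer", "dirName:issuer_sect"),
        ("reasons", "keyCompromise, CACompromise"),
    ],
    "issuer_sect": [("C", "UK"), ("O", "Organisation"), ("CN", "Some Name")],
}
```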
.PP
For a name:value pair a new DistributionPoint is created with the fullName field
set to the given value; both the cRLissuer and reasons fields are omitted in this
case.
.PP
In the single option case the section indicated contains values for each
field. In this section:
.PP
If the name is "fullname" the value field should contain the full name
of the distribution point in the same format as subject alternative name.
.PP
If the name is "relativename" then the value field should contain a section
name whose contents represent a \s-1DN\s0 fragment to be placed in this field.
.PP
The name "CRLissuer" if present should contain a value for this field in
subject alternative name format.
.PP
If the name is "reasons" the value field should consist of a comma
separated field containing the reasons. Valid reasons are: "keyCompromise",
\&"CACompromise", "affiliationChanged", "superseded", "cessationOfOperation",
\&"certificateHold", "privilegeWithdrawn" and "AACompromise".
.PP
Simple examples:
.PP
.Vb 2
\& crlDistributionPoints=URI:http://myhost.com/myca.crl
\& crlDistributionPoints=URI:http://my.com/my.crl,URI:http://oth.com/my.crl
.Ve
.PP
Full distribution point example:
.PP
.Vb 1
\& crlDistributionPoints=crldp1_section
\&
\& [crldp1_section]
\&
\& fullname=URI:http://myhost.com/myca.crl
\& CRLissuer=dirName:issuer_sect
\& reasons=keyCompromise, CACompromise
\&
\& [issuer_sect]
\& C=UK
\& O=Organisation
\& CN=Some Name
.Ve
.SS "Issuing Distribution Point"
.IX Subsection "Issuing Distribution Point"
This extension should only appear in CRLs. It is a multi valued extension
whose syntax is similar to the "section" pointed to by the \s-1CRL\s0 distribution
points extension with a few differences.
.PP
The names "reasons" and "CRLissuer" are not recognized.
.PP
The name "onlysomereasons" is accepted which sets this field.
The value is in the same format as the \s-1CRL\s0 distribution point "reasons"
field.
.PP
The names "onlyuser", "onlyCA", "onlyAA" and "indirectCRL" are also
accepted; the values should be a boolean value (\s-1TRUE\s0 or \s-1FALSE\s0) to indicate
the value of the corresponding field.
.PP
Example:
.PP
.Vb 1
\& issuingDistributionPoint=critical, @idp_section
\&
\& [idp_section]
\&
\& fullname=URI:http://myhost.com/myca.crl
\& indirectCRL=TRUE
\& onlysomereasons=keyCompromise, CACompromise
\&
\& [issuer_sect]
\& C=UK
\& O=Organisation
\& CN=Some Name
.Ve
.SS "Certificate Policies."
.IX Subsection "Certificate Policies."
This is a \fIraw\fR extension. All the fields of this extension can be set by
using the appropriate syntax.
.PP
If you follow the \s-1PKIX\s0 recommendations and use just one \s-1OID\s0 then you just
include the value of that \s-1OID.\s0 Multiple OIDs can be set separated by commas,
for example:
.PP
.Vb 1
\& certificatePolicies= 1.2.4.5, 1.1.3.4
.Ve
.PP
If you wish to include qualifiers then the policy \s-1OID\s0 and qualifiers need to
be specified in a separate section: this is done by using the \f(CW@section\fR
syntax instead of a literal \s-1OID\s0 value.
.PP
The section referred to must include the policy \s-1OID\s0 using the name
policyIdentifier; cPSuri qualifiers can be included using the syntax:
.PP
.Vb 1
\& CPS.nnn=value
.Ve
.PP
userNotice qualifiers can be set using the syntax:
.PP
.Vb 1
\& userNotice.nnn=@notice
.Ve
.PP
The value of the userNotice qualifier is specified in the relevant section.
This section can include explicitText, organization and noticeNumbers
options. explicitText and organization are text strings, noticeNumbers is a
comma separated list of numbers. The organization and noticeNumbers options
(if included) must \s-1BOTH\s0 be present.
If you use the userNotice option with \s-1IE5\s0 then you need the 'ia5org' option at
the top level to modify the encoding: otherwise it will not be interpreted
properly.
.PP
Example:
.PP
.Vb 1
\& certificatePolicies=ia5org,1.2.3.4,1.5.6.7.8,@polsect
\&
\& [polsect]
\&
\& policyIdentifier = 1.3.5.8
\& CPS.1="http://my.host.name/"
\& CPS.2="http://my.your.name/"
\& userNotice.1=@notice
\&
\& [notice]
\&
\& explicitText="Explicit Text Here"
\& organization="Organisation Name"
\& noticeNumbers=1,2,3,4
.Ve
.PP
The \fBia5org\fR option changes the type of the \fIorganization\fR field. In \s-1RFC2459\s0 it
can only be of type DisplayText. In \s-1RFC3280\s0 IA5String is also permissible. Some
software (for example some versions of \s-1MSIE\s0) may require ia5org.
.PP
The \s-1ASN1\s0 type of explicitText can be specified by prepending a \fB\s-1UTF8\s0\fR,
\&\fB\s-1BMP\s0\fR or \fB\s-1VISIBLE\s0\fR prefix followed by a colon. For example:
.PP
.Vb 2
\& [notice]
\& explicitText="UTF8:Explicit Text Here"
.Ve
.SS "Policy Constraints"
.IX Subsection "Policy Constraints"
This is a multi-valued extension which consists of the names
\&\fBrequireExplicitPolicy\fR or \fBinhibitPolicyMapping\fR and a non negative integer
value. At least one component must be present.
.PP
Example:
.PP
.Vb 1
\& policyConstraints = requireExplicitPolicy:3
.Ve
.SS "Inhibit Any Policy"
.IX Subsection "Inhibit Any Policy"
This is a string extension whose value must be a non negative integer.
.PP
Example:
.PP
.Vb 1
\& inhibitAnyPolicy = 2
.Ve
.SS "Name Constraints"
.IX Subsection "Name Constraints"
The name constraints extension is a multi-valued extension. The name should
begin with the word \fBpermitted\fR or \fBexcluded\fR followed by a \fB;\fR. The rest of
the name and the value follows the syntax of subjectAltName except email:copy
is not supported and the \fB\s-1IP\s0\fR form should consist of an \s-1IP\s0 address and
subnet mask separated by a \fB/\fR.
.PP
Examples:
.PP
.Vb 1
\& nameConstraints=permitted;IP:192.168.0.0/255.255.0.0
\&
\& nameConstraints=permitted;email:.somedomain.com
\&
\& nameConstraints=excluded;email:.com
.Ve
.SS "\s-1OCSP\s0 No Check"
.IX Subsection "OCSP No Check"
The \s-1OCSP\s0 No Check extension is a string extension but its value is ignored.
.PP
Example:
.PP
.Vb 1
\& noCheck = ignored
.Ve
.SS "\s-1TLS\s0 Feature (aka Must Staple)"
.IX Subsection "TLS Feature (aka Must Staple)"
This is a multi-valued extension consisting of a list of \s-1TLS\s0 extension
identifiers. Each identifier may be a number (0..65535) or a supported name.
When a \s-1TLS\s0 client sends a listed extension, the \s-1TLS\s0 server is expected to
include that extension in its reply.
.PP
The supported names are: \fBstatus_request\fR and \fBstatus_request_v2\fR.
.PP
Example:
.PP
.Vb 1
\& tlsfeature = status_request
.Ve
.SH "DEPRECATED EXTENSIONS"
.IX Header "DEPRECATED EXTENSIONS"
The following extensions are non standard, Netscape specific and largely
obsolete. Their use in new applications is discouraged.
.SS "Netscape String extensions."
.IX Subsection "Netscape String extensions."
Netscape Comment (\fBnsComment\fR) is a string extension containing a comment
which will be displayed when the certificate is viewed in some browsers.
.PP
Example:
.PP
.Vb 1
\& nsComment = "Some Random Comment"
.Ve
.PP
Other supported extensions in this category are: \fBnsBaseUrl\fR,
\&\fBnsRevocationUrl\fR, \fBnsCaRevocationUrl\fR, \fBnsRenewalUrl\fR, \fBnsCaPolicyUrl\fR
and \fBnsSslServerName\fR.
.SS "Netscape Certificate Type"
.IX Subsection "Netscape Certificate Type"
This is a multi-valued extension which consists of a list of flags to be
included. It was used to indicate the purposes for which a certificate could
be used. The basicConstraints, keyUsage and extended key usage extensions are
now used instead.
.PP
Acceptable values for nsCertType are: \fBclient\fR, \fBserver\fR, \fBemail\fR,
\&\fBobjsign\fR, \fBreserved\fR, \fBsslCA\fR, \fBemailCA\fR, \fBobjCA\fR.
.SH "ARBITRARY EXTENSIONS"
.IX Header "ARBITRARY EXTENSIONS"
If an extension is not supported by the OpenSSL code then it must be encoded
using the arbitrary extension format. It is also possible to use the
arbitrary format for supported extensions. Extreme care should be taken to
ensure that the data is formatted correctly for the given extension type.
.PP
There are two ways to encode arbitrary extensions.
.PP
The first way is to use the word \s-1ASN1\s0 followed by the extension content
using the same syntax as \fBASN1_generate_nconf\fR\|(3).
For example:
.PP
.Vb 1
\& 1.2.3.4=critical,ASN1:UTF8String:Some random data
\&
\& 1.2.3.4=ASN1:SEQUENCE:seq_sect
\&
\& [seq_sect]
\&
\& field1 = UTF8:field1
\& field2 = UTF8:field2
.Ve
.PP
It is also possible to use the word \s-1DER\s0 to include the raw encoded data in any
extension.
.PP
.Vb 2
\& 1.2.3.4=critical,DER:01:02:03:04
\& 1.2.3.4=DER:01020304
.Ve
.PP
The value following \s-1DER\s0 is a hex dump of the \s-1DER\s0 encoding of the extension.
Any extension can be placed in this form to override the default behaviour.
For example:
.PP
.Vb 1
\& basicConstraints=critical,DER:00:01:02:03
.Ve
.SH "WARNINGS"
.IX Header "WARNINGS"
There is no guarantee that a specific implementation will process a given
extension. It may therefore be sometimes possible to use certificates for
purposes prohibited by their extensions because a specific application does
not recognize or honour the values of the relevant extensions.
.PP
The \s-1DER\s0 and \s-1ASN1\s0 options should be used with caution. It is possible to
create totally invalid extensions if they are not used carefully.
.SH "NOTES"
.IX Header "NOTES"
If an extension is multi-value and a field value must contain a comma the long
form must be used otherwise the comma would be misinterpreted as a field
separator.
For example:
.PP
.Vb 1
\& subjectAltName=URI:ldap://somehost.com/CN=foo,OU=bar
.Ve
.PP
will produce an error but the equivalent form:
.PP
.Vb 1
\& subjectAltName=@subject_alt_section
\&
\& [subject_alt_section]
\& subjectAltName=URI:ldap://somehost.com/CN=foo,OU=bar
.Ve
.PP
is valid.
.PP
Due to the behaviour of the OpenSSL \fBconf\fR library the same field name
can only occur once in a section. This means that:
.PP
.Vb 1
\& subjectAltName=@alt_section
\&
\& [alt_section]
\&
\& email=steve@here
\& email=steve@there
.Ve
.PP
will only recognize the last value. This can be worked around by using the form:
.PP
.Vb 1
\& [alt_section]
\&
\& email.1=steve@here
\& email.2=steve@there
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBreq\fR\|(1), \fBca\fR\|(1), \fBx509\fR\|(1),
\&\fBASN1_generate_nconf\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2004\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at .
.\" Automatically generated by Pod::Man 4.11 (Pod::Simple 3.35)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.de IX
..
.IX Title "CONFIG 5"
.TH CONFIG 5 "2023-09-11" "1.1.1w" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
config \- OpenSSL CONF library configuration files
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The OpenSSL \s-1CONF\s0 library can be used to read configuration files.
It is used for the OpenSSL master configuration file \fBopenssl.cnf\fR
and in a few other places like \fB\s-1SPKAC\s0\fR files and certificate extension
files for the \fBx509\fR utility. OpenSSL applications can also use the
\&\s-1CONF\s0 library for their own purposes.
.PP
A configuration file is divided into a number of sections. Each section
starts with a line \fB[ section_name ]\fR and ends when a new section is
started or end of file is reached. A section name can consist of
alphanumeric characters and underscores.
.PP
The first section of a configuration file is special and is referred to
as the \fBdefault\fR section. This section is usually unnamed and spans from the
start of file until the first named section. When a name is being looked up
it is first looked up in a named section (if any) and then the
default section.
.PP
The environment is mapped onto a section called \fB\s-1ENV\s0\fR.
.PP
Comments can be included by preceding them with the \fB#\fR character.
.PP
Other files can be included using the \fB.include\fR directive followed
by a path. If the path points to a directory all files with
names ending with \fB.cnf\fR or \fB.conf\fR are included from the directory.
Recursive inclusion of directories from files in such directory is not
supported. That means the files in the included directory can also contain
\&\fB.include\fR directives but only inclusion of regular files is supported
there. The inclusion of directories is not supported on systems without
\&\s-1POSIX IO\s0 support.
.PP
It is strongly recommended to use absolute paths with the \fB.include\fR
directive. Relative paths are evaluated based on the application current
working directory so unless the configuration file containing the
\&\fB.include\fR directive is application specific the inclusion will not
work as expected.
.PP
There can be an optional \fB=\fR character and whitespace characters between
the \fB.include\fR directive and the path, which can be useful in cases where the
configuration file needs to be loaded by old OpenSSL versions which do
not support the \fB.include\fR syntax. They would bail out with an error if the
\&\fB=\fR character is not present but with it they just ignore the include.
.PP
Each section in a configuration file consists of a number of name and
value pairs of the form \fBname=value\fR.
.PP
The \fBname\fR string can contain any alphanumeric characters as well as
a few punctuation symbols such as \fB.\fR \fB,\fR \fB;\fR and \fB_\fR.
.PP
The \fBvalue\fR string consists of the string following the \fB=\fR character
until end of line with any leading and trailing white space removed.
.PP
The value string undergoes variable expansion. This can be done by
including the form \fB\f(CB$var\fB\fR or \fB${var}\fR: this will substitute the value of
the named variable in the current section. It is also possible to
substitute a value from another section using the syntax \fB\f(CB$section::name\fB\fR
or \fB${section::name}\fR. By using the form \fB\f(CB$ENV::name\fB\fR environment
variables can be substituted. It is also possible to assign values to
environment variables by using the name \fBENV::name\fR, this will work
if the program looks up environment variables using the \fB\s-1CONF\s0\fR library
instead of calling \fBgetenv()\fR directly. The value string must not exceed 64k in
length after variable expansion. Otherwise an error will occur.
.PP
It is possible to escape certain characters by using any kind of quote
or the \fB\e\fR character. By making the last character of a line a \fB\e\fR
a \fBvalue\fR string can be spread across multiple lines. In addition
the sequences \fB\en\fR, \fB\er\fR, \fB\eb\fR and \fB\et\fR are recognized.
.PP
All expansion and escape rules as described above that apply to \fBvalue\fR
also apply to the path of the \fB.include\fR directive.
.SH "OPENSSL LIBRARY CONFIGURATION"
.IX Header "OPENSSL LIBRARY CONFIGURATION"
Applications can automatically configure certain aspects of OpenSSL using the
master OpenSSL configuration file, or optionally an alternative configuration
file. The \fBopenssl\fR utility includes this functionality: any sub command uses
the master OpenSSL configuration file unless an option is used in the sub
command to use an alternative configuration file.
.PP
To enable library configuration the default section needs to contain an
appropriate line which points to the main configuration section.
The default name is \fBopenssl_conf\fR which is used by the \fBopenssl\fR utility. Other applications may use an alternative name such as \fBmyapplication_conf\fR. All library configuration lines appear in the default section at the start of the configuration file.
.PP
The configuration section should consist of a set of name value pairs which contain specific module configuration information. The \fBname\fR represents the name of the \fIconfiguration module\fR. The meaning of the \fBvalue\fR is module specific: it may, for example, represent a further configuration section containing configuration module specific information. E.g.:
.PP
.Vb 2
\& # This must be in the default section
\& openssl_conf = openssl_init
\&
\& [openssl_init]
\&
\& oid_section = new_oids
\& engines = engine_section
\&
\& [new_oids]
\&
\& ... new oids here ...
\&
\& [engine_section]
\&
\& ... engine stuff here ...
.Ve
.PP
The features of each configuration module are described below.
.SS "\s-1ASN1\s0 Object Configuration Module"
.IX Subsection "ASN1 Object Configuration Module"
This module has the name \fBoid_section\fR. The value of this variable points to a section containing name value pairs of OIDs: the name is the \s-1OID\s0 short and long name, the value is the numerical form of the \s-1OID.\s0 Although some of the \fBopenssl\fR utility sub commands already have their own \s-1ASN1 OBJECT\s0 section functionality not all do. By using the \s-1ASN1 OBJECT\s0 configuration module \&\fBall\fR the \fBopenssl\fR utility sub commands can see the new objects as well as any compliant applications. For example:
.PP
.Vb 1
\& [new_oids]
\&
\& some_new_oid = 1.2.3.4
\& some_other_oid = 1.2.3.5
.Ve
.PP
It is also possible to set the value to the long name followed by a comma and the numerical \s-1OID\s0 form.
For example:
.PP
.Vb 1
\& shortName = some object long name, 1.2.3.4
.Ve
.SS "Engine Configuration Module"
.IX Subsection "Engine Configuration Module"
This \s-1ENGINE\s0 configuration module has the name \fBengines\fR. The value of this variable points to a section containing further \s-1ENGINE\s0 configuration information.
.PP
The section pointed to by \fBengines\fR is a table of engine names (though see \&\fBengine_id\fR below) and further sections containing configuration information specific to each \s-1ENGINE.\s0
.PP
Each \s-1ENGINE\s0 specific section is used to set default algorithms, load dynamic \s-1ENGINE\s0s, perform initialization and send ctrls. The actual operation performed depends on the \fIcommand\fR name which is the name of the name value pair. The currently supported commands are listed below.
.PP
For example:
.PP
.Vb 1
\& [engine_section]
\&
\& # Configure ENGINE named "foo"
\& foo = foo_section
\& # Configure ENGINE named "bar"
\& bar = bar_section
\&
\& [foo_section]
\& ... foo ENGINE specific commands ...
\&
\& [bar_section]
\& ... "bar" ENGINE specific commands ...
.Ve
.PP
The command \fBengine_id\fR is used to give the \s-1ENGINE\s0 name. If used, this command must be first. For example:
.PP
.Vb 3
\& [engine_section]
\& # This would normally handle an ENGINE named "foo"
\& foo = foo_section
\&
\& [foo_section]
\& # Override default name and use "myfoo" instead.
\& engine_id = myfoo
.Ve
.PP
The command \fBdynamic_path\fR loads and adds an \s-1ENGINE\s0 from the given path. It is equivalent to sending the ctrls \fB\s-1SO_PATH\s0\fR with the path argument followed by \fB\s-1LIST_ADD\s0\fR with value 2 and \fB\s-1LOAD\s0\fR to the dynamic \s-1ENGINE.\s0 If this is not the required behaviour then alternative ctrls can be sent directly to the dynamic \s-1ENGINE\s0 using ctrl commands.
.PP
The command \fBinit\fR determines whether to initialize the \s-1ENGINE.\s0 If the value is \fB0\fR the \s-1ENGINE\s0 will not be initialized; if it is \fB1\fR an attempt is made to initialize the \s-1ENGINE\s0 immediately. If the \fBinit\fR command is not present then an attempt will be made to initialize the \s-1ENGINE\s0 after all commands in its section have been processed.
.PP
The command \fBdefault_algorithms\fR sets the default algorithms an \s-1ENGINE\s0 will supply using the function \fBENGINE_set_default_string()\fR.
.PP
If the name matches none of the above command names it is assumed to be a ctrl command which is sent to the \s-1ENGINE.\s0 The value of the command is the argument to the ctrl command. If the value is the string \fB\s-1EMPTY\s0\fR then no value is sent to the command.
.PP
For example:
.PP
.Vb 1
\& [engine_section]
\&
\& # Configure ENGINE named "foo"
\& foo = foo_section
\&
\& [foo_section]
\& # Load engine from DSO
\& dynamic_path = /some/path/fooengine.so
\& # A foo specific ctrl.
\& some_ctrl = some_value
\& # Another ctrl that doesn\*(Aqt take a value.
\& other_ctrl = EMPTY
\& # Supply all default algorithms
\& default_algorithms = ALL
.Ve
.SS "\s-1EVP\s0 Configuration Module"
.IX Subsection "EVP Configuration Module"
This module has the name \fBalg_section\fR which points to a section containing algorithm commands.
.PP
Currently the only algorithm command supported is \fBfips_mode\fR whose value can only be the boolean string \fBoff\fR. If \fBfips_mode\fR is set to \fBon\fR, an error occurs as this library version is not \s-1FIPS\s0 capable.
.SS "\s-1SSL\s0 Configuration Module"
.IX Subsection "SSL Configuration Module"
This module has the name \fBssl_conf\fR which points to a section containing \&\s-1SSL\s0 configurations.
.PP
Each line in the \s-1SSL\s0 configuration section contains the name of the configuration and the section containing it.
.PP
Each configuration section consists of command value pairs for \fB\s-1SSL_CONF\s0\fR. Each pair will be passed to an \fB\s-1SSL_CTX\s0\fR or \fB\s-1SSL\s0\fR structure when the application calls \&\fBSSL_CTX_config()\fR or \fBSSL_config()\fR with the appropriate configuration name.
.PP
Note: any characters before an initial dot in the configuration section are ignored so the same command can be used multiple times.
.PP
For example:
.PP
.Vb 1
\& ssl_conf = ssl_sect
\&
\& [ssl_sect]
\&
\& server = server_section
\&
\& [server_section]
\&
\& RSA.Certificate = server\-rsa.pem
\& ECDSA.Certificate = server\-ecdsa.pem
\& Ciphers = ALL:!RC4
.Ve
.PP
The system default configuration with name \fBsystem_default\fR if present will be applied during any creation of the \fB\s-1SSL_CTX\s0\fR structure.
.PP
Example of a configuration with the system default:
.PP
.Vb 1
\& ssl_conf = ssl_sect
\&
\& [ssl_sect]
\& system_default = system_default_sect
\&
\& [system_default_sect]
\& MinProtocol = TLSv1.2
\& MinProtocol = DTLSv1.2
.Ve
.SH "NOTES"
.IX Header "NOTES"
If a configuration file attempts to expand a variable that doesn't exist then an error is flagged and the file will not load. This can happen if an attempt is made to expand an environment variable that doesn't exist. For example in a previous version of OpenSSL the default OpenSSL master configuration file used the value of \fB\s-1HOME\s0\fR which may not be defined on non-Unix systems and would cause an error.
.PP
This can be worked around by including a \fBdefault\fR section to provide a default value: then if the environment lookup fails the default value will be used instead. For this to work properly the default value must be defined earlier in the configuration file than the expansion. See the \fB\s-1EXAMPLES\s0\fR section for an example of how to do this.
.PP
If the same name is assigned more than once in the same section then all but the last value will be silently ignored.
In certain circumstances such as with DNs the same field may occur multiple times. This is usually worked around by ignoring any characters before an initial \fB.\fR e.g.
.PP
.Vb 2
\& 1.OU="My first OU"
\& 2.OU="My Second OU"
.Ve
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Here is a sample configuration file using some of the features mentioned above.
.PP
.Vb 1
\& # This is the default section.
\&
\& HOME=/temp
\& RANDFILE= ${ENV::HOME}/.rnd
\& configdir=$ENV::HOME/config
\&
\& [ section_one ]
\&
\& # We are now in section one.
\&
\& # Quotes permit leading and trailing whitespace
\& any = " any variable name "
\&
\& other = A string that can \e
\& cover several lines \e
\& by including \e\e characters
\&
\& message = Hello World\en
\&
\& [ section_two ]
\&
\& greeting = $section_one::message
.Ve
.PP
This next example shows how to expand environment variables safely.
.PP
Suppose you want a variable called \fBtmpfile\fR to refer to a temporary filename. The directory it is placed in can be determined by the \fB\s-1TEMP\s0\fR or \fB\s-1TMP\s0\fR environment variables but they may not be set to any value at all. If you just include the environment variable names and the variable doesn't exist then this will cause an error when an attempt is made to load the configuration file. By making use of the default section both values can be looked up with \fB\s-1TEMP\s0\fR taking priority and \fB/tmp\fR used if neither is defined:
.PP
.Vb 5
\& TMP=/tmp
\& # The above value is used if TMP isn\*(Aqt in the environment
\& TEMP=$ENV::TMP
\& # The above value is used if TEMP isn\*(Aqt in the environment
\& tmpfile=${ENV::TEMP}/tmp.filename
.Ve
.PP
Simple OpenSSL library configuration example to enter \s-1FIPS\s0 mode:
.PP
.Vb 3
\& # Default appname: should match "appname" parameter (if any)
\& # supplied to CONF_modules_load_file et al.
\& openssl_conf = openssl_conf_section
\&
\& [openssl_conf_section]
\& # Configuration module list
\& alg_section = evp_sect
\&
\& [evp_sect]
\& # Set to "yes" to enter FIPS mode if supported
\& fips_mode = yes
.Ve
.PP
Note: in the above example you will get an error in non-\s-1FIPS\s0 capable versions of OpenSSL.
.PP
Simple OpenSSL library configuration to make \s-1TLS 1.2\s0 and \s-1DTLS 1.2\s0 the system-default minimum \s-1TLS\s0 and \s-1DTLS\s0 versions, respectively:
.PP
.Vb 2
\& # Toplevel section for openssl (including libssl)
\& openssl_conf = default_conf_section
\&
\& [default_conf_section]
\& # We only specify configuration for the "ssl module"
\& ssl_conf = ssl_section
\&
\& [ssl_section]
\& system_default = system_default_section
\&
\& [system_default_section]
\& MinProtocol = TLSv1.2
\& MinProtocol = DTLSv1.2
.Ve
.PP
The minimum \s-1TLS\s0 protocol is applied to \fB\s-1SSL_CTX\s0\fR objects that are TLS-based, and the minimum \s-1DTLS\s0 protocol to those that are DTLS-based. The same applies also to maximum versions set with \fBMaxProtocol\fR.
.PP
A more complex OpenSSL library configuration: add an \s-1OID\s0 and don't enter \s-1FIPS\s0 mode:
.PP
.Vb 3
\& # Default appname: should match "appname" parameter (if any)
\& # supplied to CONF_modules_load_file et al.
\& openssl_conf = openssl_conf_section
\&
\& [openssl_conf_section]
\& # Configuration module list
\& alg_section = evp_sect
\& oid_section = new_oids
\&
\& [evp_sect]
\& # This will have no effect as FIPS mode is off by default.
\& # Set to "yes" to enter FIPS mode, if supported
\& fips_mode = no
\&
\& [new_oids]
\& # New OID, just short name
\& newoid1 = 1.2.3.4.1
\& # New OID shortname and long name
\& newoid2 = New OID 2 long name, 1.2.3.4.2
.Ve
.PP
The above examples can be used with any application supporting library configuration if \*(L"openssl_conf\*(R" is modified to match the appropriate \*(L"appname\*(R".
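.PP
As an added illustration (not part of this manual page or of OpenSSL's own \s-1CONF\s0 code), the following Python models the expansion rules described above: lookup in the current section and then the default section, \fB$ENV::name\fR with default-section fallback, quoting, backslash escapes, line continuation and the 64k limit, run over the first two sample files of this section. The names \fBparse\fR, \fBlookup\fR, \fBexpand\fR and \fBSAMPLE_CNF\fR are invented here, and a backslash inside quotes is taken as literal text rather than as an escape.

```python
"""Model of the config(5) rules described above: default section, [sections],
$var / ${section::name} / $ENV::name expansion with default-section fallback,
quoting, escapes, line continuation and the 64k limit.  Not OpenSSL's parser."""
import os
import re

DEFAULT = "default"        # OpenSSL's internal name for the unnamed first section
MAX_VALUE_LEN = 64 * 1024  # config(5): a value must not exceed 64k after expansion
ESCAPES = {"n": "\n", "r": "\r", "b": "\b", "t": "\t"}
# ${...}, or a bare name / section::name, directly after a '$'
REF = re.compile(r"\{([^}]*)\}|([A-Za-z0-9_]+(?:::[A-Za-z0-9_]+)?)")
# the part of a line before the first '#' that is neither escaped nor quoted
COMMENT = re.compile(r'''(?:[^#\\"']|\\.?|"[^"]*(?:"|$)|'[^']*(?:'|$))*''')

class ConfError(Exception):
    """Raised where the CONF library would refuse to load the file."""

def lookup(sections, section, name, env):
    """config(5) order: the named section (where an ENV::name assignment lives),
    then the real environment if the section is ENV, then the default section."""
    if name in sections.get(section, {}):
        return sections[section][name]
    if section == "ENV" and name in env:
        return env[name]
    if name in sections[DEFAULT]:
        return sections[DEFAULT][name]
    raise ConfError(f"undefined variable {section}::{name}")  # fatal, as in OpenSSL

def expand(raw, sections, current, env):
    """Apply quoting, backslash escapes and $-expansion to a raw value string."""
    out, i, n = [], 0, len(raw)
    while i < n:
        c = raw[i]
        if c in "'\"":                    # quoted text is kept literally
            j = raw.find(c, i + 1)
            if j < 0:
                raise ConfError("unterminated quote")
            out.append(raw[i + 1:j])
            i = j + 1
        elif c == "\\" and i + 1 < n:     # \n \r \b \t; any other character is literal
            out.append(ESCAPES.get(raw[i + 1], raw[i + 1]))
            i += 2
        elif c == "$":                    # $var, ${var}, $section::name, $ENV::name
            m = REF.match(raw, i + 1)
            if not m:
                raise ConfError(f"bad variable reference in {raw!r}")
            section, _, name = m.group(m.lastindex).rpartition("::")
            out.append(lookup(sections, section or current, name, env))
            i = m.end()
        else:
            out.append(c)
            i += 1
    value = "".join(out)
    if len(value) > MAX_VALUE_LEN:
        raise ConfError("value exceeds 64k after expansion")
    return value

def parse(text, env=None):
    """Single-pass parse into {section: {name: value}}.  'env' is the mapping seen
    as the ENV section (os.environ by default).  Expansion happens as each line is
    read, so a variable must be defined earlier in the file than its first use."""
    env = os.environ if env is None else env
    sections, current = {DEFAULT: {}}, DEFAULT
    lines, i = text.splitlines(), 0
    while i < len(lines):
        line, i = lines[i], i + 1
        # a trailing unescaped backslash continues the value on the next line
        while line.endswith("\\") and not line.endswith("\\\\") and i < len(lines):
            line, i = line[:-1] + lines[i], i + 1
        line = COMMENT.match(line).group().strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        name, sep, raw = line.partition("=")
        if not sep:
            raise ConfError(f"missing '=': {line!r}")
        section, _, name = name.strip().rpartition("::")   # handles ENV::name
        value = expand(raw.strip(), sections, current, env)
        sections.setdefault(section or current, {})[name] = value  # a repeat wins
    return sections

# Constructed input: the first two sample files of the EXAMPLES section, merged.
SAMPLE_CNF = r"""HOME=/temp
RANDFILE= ${ENV::HOME}/.rnd
configdir=$ENV::HOME/config
TMP=/tmp
TEMP=$ENV::TMP          # used if TMP isn't in the environment
tmpfile=${ENV::TEMP}/tmp.filename
[ section_one ]
any = " any variable name "
other = A string that can \
cover several lines \
by including \\ characters
message = Hello World\n
[ section_two ]
greeting = $section_one::message
"""
```

Passing an empty mapping as \fBenv\fR shows the default-section fallback; passing one with \fBTEMP\fR or \fBTMP\fR set shows \fBTEMP\fR taking priority, as the text above describes.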
.PP
For example if the second sample file above is saved to \*(L"example.cnf\*(R" then the command line:
.PP
.Vb 1
\& OPENSSL_CONF=example.cnf openssl asn1parse \-genstr OID:1.2.3.4.1
.Ve
.PP
will output:
.PP
.Vb 1
\& 0:d=0 hl=2 l= 4 prim: OBJECT :newoid1
.Ve
.PP
showing that the \s-1OID\s0 \*(L"newoid1\*(R" has been added as \*(L"1.2.3.4.1\*(R".
.SH "ENVIRONMENT"
.IX Header "ENVIRONMENT"
.IP "\fB\s-1OPENSSL_CONF\s0\fR" 4
.IX Item "OPENSSL_CONF"
The path to the config file. Ignored in set-user-ID and set-group-ID programs.
.IP "\fB\s-1OPENSSL_ENGINES\s0\fR" 4
.IX Item "OPENSSL_ENGINES"
The path to the engines directory. Ignored in set-user-ID and set-group-ID programs.
.SH "BUGS"
.IX Header "BUGS"
Currently there is no way to include characters using the octal \fB\ennn\fR form. Strings are all null terminated so nulls cannot form part of the value.
.PP
The escaping isn't quite right: if you want to use sequences like \fB\en\fR you can't use any quote escaping on the same line.
.PP
Files are loaded in a single pass. This means that a variable expansion will only work if the variables referenced are defined earlier in the file.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBx509\fR\|(1), \fBreq\fR\|(1), \fBca\fR\|(1)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use this file except in compliance with the License. You can obtain a copy in the file \s-1LICENSE\s0 in the source distribution or at .
\*(-- will .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left .\" double quote, and \*(R" will give a right double quote. \*(C+ will .\" give a nicer C++. Capital omega is used to do unbreakable dashes and .\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, .\" nothing in troff, for use with C<>. .tr \(*W- .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' .ie n \{\ . ds -- \(*W- . ds PI pi . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch . ds L" "" . ds R" "" . ds C` "" . ds C' "" 'br\} .el\{\ . ds -- \|\(em\| . ds PI \(*p . ds L" `` . ds R" '' . ds C` . ds C' 'br\} .\" .\" Escape single quotes in literal strings from groff's Unicode transform. .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" .\" If the F register is >0, we'll generate index entries on stderr for .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index .\" entries marked with X<> in POD. Of course, you'll have to process the .\" output yourself in some meaningful fashion. .\" .\" Avoid warning from groff about undefined register 'F'. .de IX .. .nr rF 0 .if \n(.g .if rF .nr rF 1 .if (\n(rF:(\n(.g==0)) \{\ . if \nF \{\ . de IX . tm Index:\\$1\t\\n%\t"\\$2" .. . if !\nF==2 \{\ . nr % 0 . nr F 2 . \} . \} .\} .rr rF .\" .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). .\" Fear. Run. Save yourself. No user-serviceable parts. . \" fudge factors for nroff and troff .if n \{\ . ds #H 0 . ds #V .8m . ds #F .3m . ds #[ \f1 . ds #] \fP .\} .if t \{\ . ds #H ((1u-(\\\\n(.fu%2u))*.13m) . ds #V .6m . ds #F 0 . ds #[ \& . ds #] \& .\} . \" simple accents for nroff and troff .if n \{\ . ds ' \& . ds ` \& . ds ^ \& . ds , \& . ds ~ ~ . ds / .\} .if t \{\ . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' . 
ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' .\} . \" troff and (daisy-wheel) nroff accents .ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' .ds 8 \h'\*(#H'\(*b\h'-\*(#H' .ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] .ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' .ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' .ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] .ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] .ds ae a\h'-(\w'a'u*4/10)'e .ds Ae A\h'-(\w'A'u*4/10)'E . \" corrections for vroff .if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' .if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' . \" for low resolution devices (crt and lpr) .if \n(.H>23 .if \n(.V>19 \ \{\ . ds : e . ds 8 ss . ds o a . ds d- d\h'-1'\(ga . ds D- D\h'-1'\(hy . ds th \o'bp' . ds Th \o'LP' . ds ae ae . ds Ae AE .\} .rm #[ #] #H #V #F C .\" ======================================================================== .\" .IX Title "CONFIG 5" .TH CONFIG 5 "2023-09-11" "1.1.1w" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" config \- OpenSSL CONF library configuration files .SH "DESCRIPTION" .IX Header "DESCRIPTION" The OpenSSL \s-1CONF\s0 library can be used to read configuration files. It is used for the OpenSSL master configuration file \fBopenssl.cnf\fR and in a few other places like \fB\s-1SPKAC\s0\fR files and certificate extension files for the \fBx509\fR utility. OpenSSL applications can also use the \&\s-1CONF\s0 library for their own purposes. .PP A configuration file is divided into a number of sections. 
Each section starts with a line \fB[ section_name ]\fR and ends when a new section is started or end of file is reached. A section name can consist of alphanumeric characters and underscores. .PP The first section of a configuration file is special and is referred to as the \fBdefault\fR section. This section is usually unnamed and spans from the start of file until the first named section. When a name is being looked up it is first looked up in a named section (if any) and then the default section. .PP The environment is mapped onto a section called \fB\s-1ENV\s0\fR. .PP Comments can be included by preceding them with the \fB#\fR character .PP Other files can be included using the \fB.include\fR directive followed by a path. If the path points to a directory all files with names ending with \fB.cnf\fR or \fB.conf\fR are included from the directory. Recursive inclusion of directories from files in such directory is not supported. That means the files in the included directory can also contain \&\fB.include\fR directives but only inclusion of regular files is supported there. The inclusion of directories is not supported on systems without \&\s-1POSIX IO\s0 support. .PP It is strongly recommended to use absolute paths with the \fB.include\fR directive. Relative paths are evaluated based on the application current working directory so unless the configuration file containing the \&\fB.include\fR directive is application specific the inclusion will not work as expected. .PP There can be optional \fB=\fR character and whitespace characters between \&\fB.include\fR directive and the path which can be useful in cases the configuration file needs to be loaded by old OpenSSL versions which do not support the \fB.include\fR syntax. They would bail out with error if the \fB=\fR character is not present but with it they just ignore the include. 
.PP Each section in a configuration file consists of a number of name and value pairs of the form \fBname=value\fR .PP The \fBname\fR string can contain any alphanumeric characters as well as a few punctuation symbols such as \fB.\fR \fB,\fR \fB;\fR and \fB_\fR. .PP The \fBvalue\fR string consists of the string following the \fB=\fR character until end of line with any leading and trailing white space removed. .PP The value string undergoes variable expansion. This can be done by including the form \fB\f(CB$var\fB\fR or \fB${var}\fR: this will substitute the value of the named variable in the current section. It is also possible to substitute a value from another section using the syntax \fB\f(CB$section::name\fB\fR or \fB${section::name}\fR. By using the form \fB\f(CB$ENV::name\fB\fR environment variables can be substituted. It is also possible to assign values to environment variables by using the name \fBENV::name\fR, this will work if the program looks up environment variables using the \fB\s-1CONF\s0\fR library instead of calling \fBgetenv()\fR directly. The value string must not exceed 64k in length after variable expansion. Otherwise an error will occur. .PP It is possible to escape certain characters by using any kind of quote or the \fB\e\fR character. By making the last character of a line a \fB\e\fR a \fBvalue\fR string can be spread across multiple lines. In addition the sequences \fB\en\fR, \fB\er\fR, \fB\eb\fR and \fB\et\fR are recognized. .PP All expansion and escape rules as described above that apply to \fBvalue\fR also apply to the path of the \fB.include\fR directive. .SH "OPENSSL LIBRARY CONFIGURATION" .IX Header "OPENSSL LIBRARY CONFIGURATION" Applications can automatically configure certain aspects of OpenSSL using the master OpenSSL configuration file, or optionally an alternative configuration file. 
The \fBopenssl\fR utility includes this functionality: any sub command uses the master OpenSSL configuration file unless an option is used in the sub command to use an alternative configuration file. .PP To enable library configuration the default section needs to contain an appropriate line which points to the main configuration section. The default name is \fBopenssl_conf\fR which is used by the \fBopenssl\fR utility. Other applications may use an alternative name such as \fBmyapplication_conf\fR. All library configuration lines appear in the default section at the start of the configuration file. .PP The configuration section should consist of a set of name value pairs which contain specific module configuration information. The \fBname\fR represents the name of the \fIconfiguration module\fR. The meaning of the \fBvalue\fR is module specific: it may, for example, represent a further configuration section containing configuration module specific information. E.g.: .PP .Vb 2 \& # This must be in the default section \& openssl_conf = openssl_init \& \& [openssl_init] \& \& oid_section = new_oids \& engines = engine_section \& \& [new_oids] \& \& ... new oids here ... \& \& [engine_section] \& \& ... engine stuff here ... .Ve .PP The features of each configuration module are described below. .SS "\s-1ASN1\s0 Object Configuration Module" .IX Subsection "ASN1 Object Configuration Module" This module has the name \fBoid_section\fR. The value of this variable points to a section containing name value pairs of OIDs: the name is the \s-1OID\s0 short and long name, the value is the numerical form of the \s-1OID.\s0 Although some of the \fBopenssl\fR utility sub commands already have their own \s-1ASN1 OBJECT\s0 section functionality not all do. By using the \s-1ASN1 OBJECT\s0 configuration module \&\fBall\fR the \fBopenssl\fR utility sub commands can see the new objects as well as any compliant applications. 
For example: .PP .Vb 1 \& [new_oids] \& \& some_new_oid = 1.2.3.4 \& some_other_oid = 1.2.3.5 .Ve .PP It is also possible to set the value to the long name followed by a comma and the numerical \s-1OID\s0 form. For example: .PP .Vb 1 \& shortName = some object long name, 1.2.3.4 .Ve .SS "Engine Configuration Module" .IX Subsection "Engine Configuration Module" This \s-1ENGINE\s0 configuration module has the name \fBengines\fR. The value of this variable points to a section containing further \s-1ENGINE\s0 configuration information. .PP The section pointed to by \fBengines\fR is a table of engine names (though see \&\fBengine_id\fR below) and further sections containing configuration information specific to each \s-1ENGINE.\s0 .PP Each \s-1ENGINE\s0 specific section is used to set default algorithms, load dynamic, perform initialization and send ctrls. The actual operation performed depends on the \fIcommand\fR name which is the name of the name value pair. The currently supported commands are listed below. .PP For example: .PP .Vb 1 \& [engine_section] \& \& # Configure ENGINE named "foo" \& foo = foo_section \& # Configure ENGINE named "bar" \& bar = bar_section \& \& [foo_section] \& ... foo ENGINE specific commands ... \& \& [bar_section] \& ... "bar" ENGINE specific commands ... .Ve .PP The command \fBengine_id\fR is used to give the \s-1ENGINE\s0 name. If used this command must be first. For example: .PP .Vb 3 \& [engine_section] \& # This would normally handle an ENGINE named "foo" \& foo = foo_section \& \& [foo_section] \& # Override default name and use "myfoo" instead. \& engine_id = myfoo .Ve .PP The command \fBdynamic_path\fR loads and adds an \s-1ENGINE\s0 from the given path. 
It is equivalent to sending the ctrls \fB\s-1SO_PATH\s0\fR with the path argument followed by \fB\s-1LIST_ADD\s0\fR with value 2 and \fB\s-1LOAD\s0\fR to the dynamic \s-1ENGINE.\s0 If this is not the required behaviour then alternative ctrls can be sent directly to the dynamic \s-1ENGINE\s0 using ctrl commands. .PP The command \fBinit\fR determines whether to initialize the \s-1ENGINE.\s0 If the value is \fB0\fR the \s-1ENGINE\s0 will not be initialized, if \fB1\fR and attempt it made to initialized the \s-1ENGINE\s0 immediately. If the \fBinit\fR command is not present then an attempt will be made to initialize the \s-1ENGINE\s0 after all commands in its section have been processed. .PP The command \fBdefault_algorithms\fR sets the default algorithms an \s-1ENGINE\s0 will supply using the functions \fBENGINE_set_default_string()\fR. .PP If the name matches none of the above command names it is assumed to be a ctrl command which is sent to the \s-1ENGINE.\s0 The value of the command is the argument to the ctrl command. If the value is the string \fB\s-1EMPTY\s0\fR then no value is sent to the command. .PP For example: .PP .Vb 1 \& [engine_section] \& \& # Configure ENGINE named "foo" \& foo = foo_section \& \& [foo_section] \& # Load engine from DSO \& dynamic_path = /some/path/fooengine.so \& # A foo specific ctrl. \& some_ctrl = some_value \& # Another ctrl that doesn\*(Aqt take a value. \& other_ctrl = EMPTY \& # Supply all default algorithms \& default_algorithms = ALL .Ve .SS "\s-1EVP\s0 Configuration Module" .IX Subsection "EVP Configuration Module" This modules has the name \fBalg_section\fR which points to a section containing algorithm commands. .PP Currently the only algorithm command supported is \fBfips_mode\fR whose value can only be the boolean string \fBoff\fR. If \fBfips_mode\fR is set to \fBon\fR, an error occurs as this library version is not \s-1FIPS\s0 capable. 
.SS "\s-1SSL\s0 Configuration Module" .IX Subsection "SSL Configuration Module" This module has the name \fBssl_conf\fR which points to a section containing \&\s-1SSL\s0 configurations. .PP Each line in the \s-1SSL\s0 configuration section contains the name of the configuration and the section containing it. .PP Each configuration section consists of command value pairs for \fB\s-1SSL_CONF\s0\fR. Each pair will be passed to a \fB\s-1SSL_CTX\s0\fR or \fB\s-1SSL\s0\fR structure if it calls \&\fBSSL_CTX_config()\fR or \fBSSL_config()\fR with the appropriate configuration name. .PP Note: any characters before an initial dot in the configuration section are ignored so the same command can be used multiple times. .PP For example: .PP .Vb 1 \& ssl_conf = ssl_sect \& \& [ssl_sect] \& \& server = server_section \& \& [server_section] \& \& RSA.Certificate = server\-rsa.pem \& ECDSA.Certificate = server\-ecdsa.pem \& Ciphers = ALL:!RC4 .Ve .PP The system default configuration with name \fBsystem_default\fR if present will be applied during any creation of the \fB\s-1SSL_CTX\s0\fR structure. .PP Example of a configuration with the system default: .PP .Vb 1 \& ssl_conf = ssl_sect \& \& [ssl_sect] \& system_default = system_default_sect \& \& [system_default_sect] \& MinProtocol = TLSv1.2 \& MinProtocol = DTLSv1.2 .Ve .SH "NOTES" .IX Header "NOTES" If a configuration file attempts to expand a variable that doesn't exist then an error is flagged and the file will not load. This can happen if an attempt is made to expand an environment variable that doesn't exist. For example in a previous version of OpenSSL the default OpenSSL master configuration file used the value of \fB\s-1HOME\s0\fR which may not be defined on non Unix systems and would cause an error. .PP This can be worked around by including a \fBdefault\fR section to provide a default value: then if the environment lookup fails the default value will be used instead. 
For this to work properly the default value must be defined earlier in the configuration file than the expansion. See the \fB\s-1EXAMPLES\s0\fR section for an example of how to do this. .PP If the same variable exists in the same section then all but the last value will be silently ignored. In certain circumstances such as with DNs the same field may occur multiple times. This is usually worked around by ignoring any characters before an initial \fB.\fR e.g. .PP .Vb 2 \& 1.OU="My first OU" \& 2.OU="My Second OU" .Ve .SH "EXAMPLES" .IX Header "EXAMPLES" Here is a sample configuration file using some of the features mentioned above. .PP .Vb 1 \& # This is the default section. \& \& HOME=/temp \& RANDFILE= ${ENV::HOME}/.rnd \& configdir=$ENV::HOME/config \& \& [ section_one ] \& \& # We are now in section one. \& \& # Quotes permit leading and trailing whitespace \& any = " any variable name " \& \& other = A string that can \e \& cover several lines \e \& by including \e\e characters \& \& message = Hello World\en \& \& [ section_two ] \& \& greeting = $section_one::message .Ve .PP This next example shows how to expand environment variables safely. .PP Suppose you want a variable called \fBtmpfile\fR to refer to a temporary filename. The directory it is placed in can determined by the \fB\s-1TEMP\s0\fR or \fB\s-1TMP\s0\fR environment variables but they may not be set to any value at all. If you just include the environment variable names and the variable doesn't exist then this will cause an error when an attempt is made to load the configuration file. 
By making use of the default section both values can be looked up with \fB\s-1TEMP\s0\fR taking priority and \fB/tmp\fR used if neither is defined: .PP .Vb 5 \& TMP=/tmp \& # The above value is used if TMP isn\*(Aqt in the environment \& TEMP=$ENV::TMP \& # The above value is used if TEMP isn\*(Aqt in the environment \& tmpfile=${ENV::TEMP}/tmp.filename .Ve .PP Simple OpenSSL library configuration example to enter \s-1FIPS\s0 mode: .PP .Vb 3 \& # Default appname: should match "appname" parameter (if any) \& # supplied to CONF_modules_load_file et al. \& openssl_conf = openssl_conf_section \& \& [openssl_conf_section] \& # Configuration module list \& alg_section = evp_sect \& \& [evp_sect] \& # Set to "yes" to enter FIPS mode if supported \& fips_mode = yes .Ve .PP Note: in the above example you will get an error in non \s-1FIPS\s0 capable versions of OpenSSL. .PP Simple OpenSSL library configuration to make \s-1TLS 1.2\s0 and \s-1DTLS 1.2\s0 the system-default minimum \s-1TLS\s0 and \s-1DTLS\s0 versions, respectively: .PP .Vb 2 \& # Toplevel section for openssl (including libssl) \& openssl_conf = default_conf_section \& \& [default_conf_section] \& # We only specify configuration for the "ssl module" \& ssl_conf = ssl_section \& \& [ssl_section] \& system_default = system_default_section \& \& [system_default_section] \& MinProtocol = TLSv1.2 \& MinProtocol = DTLSv1.2 .Ve .PP The minimum \s-1TLS\s0 protocol is applied to \fB\s-1SSL_CTX\s0\fR objects that are TLS-based, and the minimum \s-1DTLS\s0 protocol to those are DTLS-based. The same applies also to maximum versions set with \fBMaxProtocol\fR. .PP More complex OpenSSL library configuration. Add \s-1OID\s0 and don't enter \s-1FIPS\s0 mode: .PP .Vb 3 \& # Default appname: should match "appname" parameter (if any) \& # supplied to CONF_modules_load_file et al. 
\& openssl_conf = openssl_conf_section \& \& [openssl_conf_section] \& # Configuration module list \& alg_section = evp_sect \& oid_section = new_oids \& \& [evp_sect] \& # This will have no effect as FIPS mode is off by default. \& # Set to "yes" to enter FIPS mode, if supported \& fips_mode = no \& \& [new_oids] \& # New OID, just short name \& newoid1 = 1.2.3.4.1 \& # New OID shortname and long name \& newoid2 = New OID 2 long name, 1.2.3.4.2 .Ve .PP The above examples can be used with any application supporting library configuration if \*(L"openssl_conf\*(R" is modified to match the appropriate \*(L"appname\*(R". .PP For example if the second sample file above is saved to \*(L"example.cnf\*(R" then the command line: .PP .Vb 1 \& OPENSSL_CONF=example.cnf openssl asn1parse \-genstr OID:1.2.3.4.1 .Ve .PP will output: .PP .Vb 1 \& 0:d=0 hl=2 l= 4 prim: OBJECT :newoid1 .Ve .PP showing that the \s-1OID\s0 \*(L"newoid1\*(R" has been added as \*(L"1.2.3.4.1\*(R". .SH "ENVIRONMENT" .IX Header "ENVIRONMENT" .IP "\fB\s-1OPENSSL_CONF\s0\fR" 4 .IX Item "OPENSSL_CONF" The path to the config file. Ignored in set-user-ID and set-group-ID programs. .IP "\fB\s-1OPENSSL_ENGINES\s0\fR" 4 .IX Item "OPENSSL_ENGINES" The path to the engines directory. Ignored in set-user-ID and set-group-ID programs. .SH "BUGS" .IX Header "BUGS" Currently there is no way to include characters using the octal \fB\ennn\fR form. Strings are all null terminated so nulls cannot form part of the value. .PP The escaping isn't quite right: if you want to use sequences like \fB\en\fR you can't use any quote escaping on the same line. .PP Files are loaded in a single pass. This means that a variable expansion will only work if the variables referenced are defined earlier in the file. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fBx509\fR\|(1), \fBreq\fR\|(1), \fBca\fR\|(1) .SH "COPYRIGHT" .IX Header "COPYRIGHT" Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved. 
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R").  You may not use
this file except in compliance with the License.  You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at .
.\" ========================================================================
.\"
.IX Title "X509V3_CONFIG 5"
.TH X509V3_CONFIG 5 "2023-09-11" "1.1.1w" "OpenSSL"
.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l .nh .SH "NAME" x509v3_config \- X509 V3 certificate extension configuration format .SH "DESCRIPTION" .IX Header "DESCRIPTION" Several of the OpenSSL utilities can add extensions to a certificate or certificate request based on the contents of a configuration file. .PP Typically the application will contain an option to point to an extension section. Each line of the extension section takes the form: .PP .Vb 1 \& extension_name=[critical,] extension_options .Ve .PP If \fBcritical\fR is present then the extension will be critical. .PP The format of \fBextension_options\fR depends on the value of \fBextension_name\fR. .PP There are four main types of extension: \fIstring\fR extensions, \fImulti-valued\fR extensions, \fIraw\fR and \fIarbitrary\fR extensions. .PP String extensions simply have a string which contains either the value itself or how it is obtained. .PP For example: .PP .Vb 1 \& nsComment="This is a Comment" .Ve .PP Multi-valued extensions have a short form and a long form. The short form is a list of names and values: .PP .Vb 1 \& basicConstraints=critical,CA:true,pathlen:1 .Ve .PP The long form allows the values to be placed in a separate section: .PP .Vb 1 \& basicConstraints=critical,@bs_section \& \& [bs_section] \& \& CA=true \& pathlen=1 .Ve .PP Both forms are equivalent. .PP The syntax of raw extensions is governed by the extension code: it can for example contain data in multiple sections. The correct syntax to use is defined by the extension code itself: check out the certificate policies extension for an example. .PP If an extension type is unsupported then the \fIarbitrary\fR extension syntax must be used, see the \s-1ARBITRARY EXTENSIONS\s0 section for more details. .SH "STANDARD EXTENSIONS" .IX Header "STANDARD EXTENSIONS" The following sections describe each supported extension in detail. .SS "Basic Constraints." .IX Subsection "Basic Constraints." 
This is a multi valued extension which indicates whether a certificate is
a \s-1CA\s0 certificate. The first (mandatory) name is \fB\s-1CA\s0\fR followed by \fB\s-1TRUE\s0\fR or
\&\fB\s-1FALSE\s0\fR. If \fB\s-1CA\s0\fR is \fB\s-1TRUE\s0\fR then an optional \fBpathlen\fR name followed by a
nonnegative value can be included.
.PP
For example:
.PP
.Vb 1
\&        basicConstraints=CA:TRUE
\&
\&        basicConstraints=CA:FALSE
\&
\&        basicConstraints=critical,CA:TRUE, pathlen:0
.Ve
.PP
A \s-1CA\s0 certificate \fBmust\fR include the basicConstraints value with the \s-1CA\s0
field set to \s-1TRUE.\s0 An end user certificate must either set \s-1CA\s0 to \s-1FALSE\s0 or
exclude the extension entirely. Some software may require the inclusion
of basicConstraints with \s-1CA\s0 set to \s-1FALSE\s0 for end entity certificates.
.PP
The pathlen parameter indicates the maximum number of CAs that can appear
below this one in a chain. So if you have a \s-1CA\s0 with a pathlen of zero it can
only be used to sign end user certificates and not further CAs.
.SS "Key Usage."
.IX Subsection "Key Usage."
Key usage is a multi valued extension consisting of a list of names of
the permitted key usages.
.PP
The supported names are: digitalSignature, nonRepudiation, keyEncipherment,
dataEncipherment, keyAgreement, keyCertSign, cRLSign, encipherOnly
and decipherOnly.
.PP
Examples:
.PP
.Vb 1
\&        keyUsage=digitalSignature, nonRepudiation
\&
\&        keyUsage=critical, keyCertSign
.Ve
.SS "Extended Key Usage."
.IX Subsection "Extended Key Usage."
This extension consists of a list of usages indicating the purposes for
which the certificate public key can be used.
.PP
These can either be object short names or the dotted numerical form of OIDs.
While any \s-1OID\s0 can be used only certain values make sense. In particular the
following \s-1PKIX, NS\s0 and \s-1MS\s0 values are meaningful:
.PP
.Vb 10
\&        Value                  Meaning
\&        \-\-\-\-\-                  \-\-\-\-\-\-\-
\&        serverAuth             SSL/TLS Web Server Authentication.
\& clientAuth SSL/TLS Web Client Authentication. \& codeSigning Code signing. \& emailProtection E\-mail Protection (S/MIME). \& timeStamping Trusted Timestamping \& OCSPSigning OCSP Signing \& ipsecIKE ipsec Internet Key Exchange \& msCodeInd Microsoft Individual Code Signing (authenticode) \& msCodeCom Microsoft Commercial Code Signing (authenticode) \& msCTLSign Microsoft Trust List Signing \& msEFS Microsoft Encrypted File System .Ve .PP Examples: .PP .Vb 2 \& extendedKeyUsage=critical,codeSigning,1.2.3.4 \& extendedKeyUsage=serverAuth,clientAuth .Ve .SS "Subject Key Identifier." .IX Subsection "Subject Key Identifier." This is really a string extension and can take two possible values. Either the word \fBhash\fR which will automatically follow the guidelines in \s-1RFC3280\s0 or a hex string giving the extension value to include. The use of the hex string is strongly discouraged. .PP Example: .PP .Vb 1 \& subjectKeyIdentifier=hash .Ve .SS "Authority Key Identifier." .IX Subsection "Authority Key Identifier." The authority key identifier extension permits two options. keyid and issuer: both can take the optional value \*(L"always\*(R". .PP If the keyid option is present an attempt is made to copy the subject key identifier from the parent certificate. If the value \*(L"always\*(R" is present then an error is returned if the option fails. .PP The issuer option copies the issuer and serial number from the issuer certificate. This will only be done if the keyid option fails or is not included unless the \*(L"always\*(R" flag will always include the value. .PP Example: .PP .Vb 1 \& authorityKeyIdentifier=keyid,issuer .Ve .SS "Subject Alternative Name." .IX Subsection "Subject Alternative Name." The subject alternative name extension allows various literal values to be included in the configuration file. 
These include \fBemail\fR (an email address),
\&\fB\s-1URI\s0\fR (a uniform resource indicator), \fB\s-1DNS\s0\fR (a \s-1DNS\s0 domain name), \fB\s-1RID\s0\fR (a
registered \s-1ID: OBJECT IDENTIFIER\s0), \fB\s-1IP\s0\fR (an \s-1IP\s0 address), \fBdirName\fR
(a distinguished name) and otherName.
.PP
The email option includes a special 'copy' value. This will automatically
include any email addresses contained in the certificate subject name in
the extension.
.PP
The \s-1IP\s0 address used in the \fB\s-1IP\s0\fR options can be in either IPv4 or IPv6 format.
.PP
The value of \fBdirName\fR should point to a section containing the distinguished
name to use as a set of name value pairs. Multi-valued AVAs can be formed by
prefacing the name with a \fB+\fR character.
.PP
otherName can include arbitrary data associated with an \s-1OID:\s0 the value
should be the \s-1OID\s0 followed by a semicolon and the content in standard
\&\fBASN1_generate_nconf\fR\|(3) format.
.PP
Examples:
.PP
.Vb 5
\&        subjectAltName=email:copy,email:my@other.address,URI:http://my.url.here/
\&        subjectAltName=IP:192.168.7.1
\&        subjectAltName=IP:13::17
\&        subjectAltName=email:my@other.address,RID:1.2.3.4
\&        subjectAltName=otherName:1.2.3.4;UTF8:some other identifier
\&
\&        subjectAltName=dirName:dir_sect
\&
\&        [dir_sect]
\&        C=UK
\&        O=My Organization
\&        OU=My Unit
\&        CN=My Name
.Ve
.SS "Issuer Alternative Name."
.IX Subsection "Issuer Alternative Name."
The issuer alternative name option supports all the literal options of
subject alternative name. It does \fBnot\fR support the email:copy option because
that would not make sense. It does support an additional issuer:copy option
that will copy all the subject alternative name values from the issuer
certificate (if possible).
.PP
Example:
.PP
.Vb 1
\&        issuerAltName = issuer:copy
.Ve
.SS "Authority Info Access."
.IX Subsection "Authority Info Access."
The authority information access extension gives details about how to access
certain information relating to the \s-1CA.\s0 Its syntax is accessOID;location
where \fIlocation\fR has the same syntax as subject alternative name (except
that email:copy is not supported). accessOID can be any valid \s-1OID\s0 but only
certain values are meaningful, for example \s-1OCSP\s0 and caIssuers.
.PP
Example:
.PP
.Vb 2
\&        authorityInfoAccess = OCSP;URI:http://ocsp.my.host/
\&        authorityInfoAccess = caIssuers;URI:http://my.ca/ca.html
.Ve
.SS "\s-1CRL\s0 distribution points"
.IX Subsection "CRL distribution points"
This is a multi-valued extension whose options can be either in name:value pair
using the same form as subject alternative name or a single value representing
a section name containing all the distribution point fields.
.PP
For a name:value pair a new DistributionPoint is created with the fullName
field set to the given value; both the cRLissuer and reasons fields are
omitted in this case.
.PP
In the single option case the section indicated contains values for each
field. In this section:
.PP
If the name is \*(L"fullname\*(R" the value field should contain the full name
of the distribution point in the same format as subject alternative name.
.PP
If the name is \*(L"relativename\*(R" then the value field should contain a section
name whose contents represent a \s-1DN\s0 fragment to be placed in this field.
.PP
The name \*(L"CRLIssuer\*(R" if present should contain a value for this field in
subject alternative name format.
.PP
If the name is \*(L"reasons\*(R" the value field should consist of a comma
separated field containing the reasons. Valid reasons are: \*(L"keyCompromise\*(R",
\&\*(L"CACompromise\*(R", \*(L"affiliationChanged\*(R", \*(L"superseded\*(R", \*(L"cessationOfOperation\*(R",
\&\*(L"certificateHold\*(R", \*(L"privilegeWithdrawn\*(R" and \*(L"AACompromise\*(R".
.PP Simple examples: .PP .Vb 2 \& crlDistributionPoints=URI:http://myhost.com/myca.crl \& crlDistributionPoints=URI:http://my.com/my.crl,URI:http://oth.com/my.crl .Ve .PP Full distribution point example: .PP .Vb 1 \& crlDistributionPoints=crldp1_section \& \& [crldp1_section] \& \& fullname=URI:http://myhost.com/myca.crl \& CRLissuer=dirName:issuer_sect \& reasons=keyCompromise, CACompromise \& \& [issuer_sect] \& C=UK \& O=Organisation \& CN=Some Name .Ve .SS "Issuing Distribution Point" .IX Subsection "Issuing Distribution Point" This extension should only appear in CRLs. It is a multi valued extension whose syntax is similar to the \*(L"section\*(R" pointed to by the \s-1CRL\s0 distribution points extension with a few differences. .PP The names \*(L"reasons\*(R" and \*(L"CRLissuer\*(R" are not recognized. .PP The name \*(L"onlysomereasons\*(R" is accepted which sets this field. The value is in the same format as the \s-1CRL\s0 distribution point \*(L"reasons\*(R" field. .PP The names \*(L"onlyuser\*(R", \*(L"onlyCA\*(R", \*(L"onlyAA\*(R" and \*(L"indirectCRL\*(R" are also accepted the values should be a boolean value (\s-1TRUE\s0 or \s-1FALSE\s0) to indicate the value of the corresponding field. .PP Example: .PP .Vb 1 \& issuingDistributionPoint=critical, @idp_section \& \& [idp_section] \& \& fullname=URI:http://myhost.com/myca.crl \& indirectCRL=TRUE \& onlysomereasons=keyCompromise, CACompromise \& \& [issuer_sect] \& C=UK \& O=Organisation \& CN=Some Name .Ve .SS "Certificate Policies." .IX Subsection "Certificate Policies." This is a \fIraw\fR extension. All the fields of this extension can be set by using the appropriate syntax. 
.PP
If you follow the \s-1PKIX\s0 recommendations and just use one \s-1OID\s0 then you just
include the value of that \s-1OID.\s0 Multiple OIDs can be set separated by
commas, for example:
.PP
.Vb 1
\&        certificatePolicies= 1.2.4.5, 1.1.3.4
.Ve
.PP
If you wish to include qualifiers then the policy \s-1OID\s0 and qualifiers need to
be specified in a separate section: this is done by using the \f(CW@section\fR
syntax instead of a literal \s-1OID\s0 value.
.PP
The section referred to must include the policy \s-1OID\s0 using the name
policyIdentifier, cPSuri qualifiers can be included using the syntax:
.PP
.Vb 1
\&        CPS.nnn=value
.Ve
.PP
userNotice qualifiers can be set using the syntax:
.PP
.Vb 1
\&        userNotice.nnn=@notice
.Ve
.PP
The value of the userNotice qualifier is specified in the relevant section.
This section can include explicitText, organization and noticeNumbers
options. explicitText and organization are text strings, noticeNumbers is a
comma separated list of numbers. The organization and noticeNumbers options
(if included) must \s-1BOTH\s0 be present. If you use the userNotice option with \s-1IE5\s0
then you need the 'ia5org' option at the top level to modify the encoding:
otherwise it will not be interpreted properly.
.PP
Example:
.PP
.Vb 1
\&        certificatePolicies=ia5org,1.2.3.4,1.5.6.7.8,@polsect
\&
\&        [polsect]
\&
\&        policyIdentifier = 1.3.5.8
\&        CPS.1="http://my.host.name/"
\&        CPS.2="http://my.your.name/"
\&        userNotice.1=@notice
\&
\&        [notice]
\&
\&        explicitText="Explicit Text Here"
\&        organization="Organisation Name"
\&        noticeNumbers=1,2,3,4
.Ve
.PP
The \fBia5org\fR option changes the type of the \fIorganization\fR field. In \s-1RFC2459\s0 it
can only be of type DisplayText. In \s-1RFC3280\s0 IA5String is also permissible.
Some software (for example some versions of \s-1MSIE\s0) may require ia5org.
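An added example (illustrative code written for this page, not OpenSSL's own implementation) covering the extension-line grammar from the DESCRIPTION, the Basic Constraints rules, and the certificatePolicies section syntax just described: it parses `name=[critical,] options`, resolves the short form `name:value,...` and the long form `@section` of a multi-valued extension, and applies the checks the page states (CA mandatory, pathlen only with CA:TRUE and nonnegative, organization and noticeNumbers both present or both absent). Sections are passed in as a dict, as a config parser would deliver them with the quotes already stripped; the `SECTIONS` values are constructed from the examples on this page, with `half_notice` and `badpol` added as a deliberately malformed notice. DER encoding is left to OpenSSL.

```python
"""Parser for x509v3_config(5) extension lines (added example, not OpenSSL code)."""
from typing import Dict, List, Tuple

Sections = Dict[str, Dict[str, str]]

# boolean spellings accepted by OpenSSL's X509V3_get_value_bool
_TRUE = {"TRUE", "true", "Y", "y", "YES", "yes"}
_FALSE = {"FALSE", "false", "N", "n", "NO", "no"}


def split_extension(line: str) -> Tuple[str, bool, List[str]]:
    """'name=[critical,]a,b,c' -> (name, critical, ['a', 'b', 'c'])."""
    name, sep, rhs = line.partition("=")
    if not sep:
        raise ValueError(f"expected extension_name=options: {line!r}")
    items = [i.strip() for i in rhs.split(",") if i.strip()]
    critical = bool(items) and items[0] == "critical"
    return name.strip(), critical, items[1:] if critical else items


def multi_values(items: List[str], sections: Sections) -> List[Tuple[str, str]]:
    """Pairs of a multi-valued extension: short-form `name:value` items (a bare
    name gets an empty value) or `@section` whose name=value lines supply the
    same pairs.  Only the long form keeps a comma inside a value, because the
    short form has already been split on commas by split_extension."""
    pairs: List[Tuple[str, str]] = []
    for item in items:
        if item.startswith("@"):
            if item[1:] not in sections:
                raise ValueError(f"section {item[1:]} not found")
            pairs.extend(sections[item[1:]].items())
        else:
            name, _, value = item.partition(":")
            pairs.append((name.strip(), value.strip()))
    return pairs


def basic_constraints(line: str, sections: Sections) -> dict:
    """CA is mandatory; pathlen is only allowed with CA:TRUE and must be >= 0."""
    name, critical, items = split_extension(line)
    if name != "basicConstraints":
        raise ValueError(f"not a basicConstraints line: {name}")
    fields = dict(multi_values(items, sections))
    unknown = set(fields) - {"CA", "pathlen"}
    if unknown:
        raise ValueError(f"unknown basicConstraints field(s): {sorted(unknown)}")
    if "CA" not in fields:
        raise ValueError("CA is mandatory")
    if fields["CA"] in _TRUE:
        ca = True
    elif fields["CA"] in _FALSE:
        ca = False
    else:
        raise ValueError(f"CA must be TRUE or FALSE, got {fields['CA']!r}")
    pathlen = None
    if "pathlen" in fields:
        if not ca:
            raise ValueError("pathlen is only allowed when CA is TRUE")
        pathlen = int(fields["pathlen"])
        if pathlen < 0:
            raise ValueError("pathlen must be nonnegative")
    return {"critical": critical, "ca": ca, "pathlen": pathlen}


def certificate_policies(line: str, sections: Sections) -> dict:
    """Raw certificatePolicies syntax: bare OIDs, the ia5org flag, and @section
    policies carrying policyIdentifier, CPS.nnn and userNotice.nnn=@notice."""
    name, critical, items = split_extension(line)
    if name != "certificatePolicies":
        raise ValueError(f"not a certificatePolicies line: {name}")
    ia5org, policies = False, []
    for item in items:
        if item == "ia5org":
            ia5org = True
        elif item.startswith("@"):
            policies.append(_policy_section(sections[item[1:]], sections))
        else:
            policies.append({"oid": item, "cps": [], "notices": []})
    return {"critical": critical, "ia5org": ia5org, "policies": policies}


def _policy_section(sect: Dict[str, str], sections: Sections) -> dict:
    if "policyIdentifier" not in sect:
        raise ValueError("policy section must name a policyIdentifier")
    policy = {"oid": sect["policyIdentifier"], "cps": [], "notices": []}
    for key, value in sect.items():
        kind = key.split(".", 1)[0]          # CPS.1 -> CPS, userNotice.1 -> userNotice
        if kind == "CPS":
            policy["cps"].append(value)
        elif kind == "userNotice":
            if not value.startswith("@"):
                raise ValueError("userNotice.nnn must reference a @section")
            policy["notices"].append(_user_notice(sections[value[1:]]))
    return policy


def _user_notice(sect: Dict[str, str]) -> dict:
    """organization and noticeNumbers must BOTH be present, or both absent."""
    has_org, has_nums = "organization" in sect, "noticeNumbers" in sect
    if has_org != has_nums:
        raise ValueError("organization and noticeNumbers must both be present")
    notice = {"explicitText": sect.get("explicitText")}
    if has_org:
        notice["organization"] = sect["organization"]
        notice["noticeNumbers"] = [int(n) for n in sect["noticeNumbers"].split(",")]
    return notice


def rejects(func, *args) -> bool:
    """True if the configuration is refused (exercises the error paths)."""
    try:
        func(*args)
    except (ValueError, KeyError):
        return True
    return False


# Constructed sections mirroring the long-form examples on this page.
SECTIONS: Sections = {
    "bs_section": {"CA": "true", "pathlen": "1"},
    "polsect": {"policyIdentifier": "1.3.5.8", "CPS.1": "http://my.host.name/",
                "CPS.2": "http://my.your.name/", "userNotice.1": "@notice"},
    "notice": {"explicitText": "Explicit Text Here",
               "organization": "Organisation Name", "noticeNumbers": "1,2,3,4"},
    "half_notice": {"explicitText": "organization without noticeNumbers",
                    "organization": "Organisation Name"},
    "badpol": {"policyIdentifier": "1.3.5.9", "userNotice.1": "@half_notice"},
}
```

`basic_constraints("basicConstraints=critical,@bs_section", SECTIONS)` and the short form `basicConstraints=critical,CA:true,pathlen:1` produce the same result, which is the equivalence the DESCRIPTION states; `rejects(certificate_policies, "certificatePolicies=@badpol", SECTIONS)` shows the BOTH rule being enforced.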
.PP
\&\s-1ASN1\s0 type of explicitText can be specified by prepending \fB\s-1UTF8\s0\fR,
\&\fB\s-1BMP\s0\fR or \fB\s-1VISIBLE\s0\fR prefix followed by colon. For example:
.PP
.Vb 2
\&        [notice]
\&        explicitText="UTF8:Explicit Text Here"
.Ve
.SS "Policy Constraints"
.IX Subsection "Policy Constraints"
This is a multi-valued extension consisting of the names
\&\fBrequireExplicitPolicy\fR or \fBinhibitPolicyMapping\fR and a non negative integer
value. At least one component must be present.
.PP
Example:
.PP
.Vb 1
\&        policyConstraints = requireExplicitPolicy:3
.Ve
.SS "Inhibit Any Policy"
.IX Subsection "Inhibit Any Policy"
This is a string extension whose value must be a non negative integer.
.PP
Example:
.PP
.Vb 1
\&        inhibitAnyPolicy = 2
.Ve
.SS "Name Constraints"
.IX Subsection "Name Constraints"
The name constraints extension is a multi-valued extension. The name should
begin with the word \fBpermitted\fR or \fBexcluded\fR followed by a \fB;\fR. The rest of
the name and the value follows the syntax of subjectAltName except email:copy
is not supported and the \fB\s-1IP\s0\fR form should consist of an \s-1IP\s0 address and
subnet mask separated by a \fB/\fR.
.PP
Examples:
.PP
.Vb 1
\&        nameConstraints=permitted;IP:192.168.0.0/255.255.0.0
\&
\&        nameConstraints=permitted;email:.somedomain.com
\&
\&        nameConstraints=excluded;email:.com
.Ve
.SS "\s-1OCSP\s0 No Check"
.IX Subsection "OCSP No Check"
The \s-1OCSP\s0 No Check extension is a string extension but its value is ignored.
.PP
Example:
.PP
.Vb 1
\&        noCheck = ignored
.Ve
.SS "\s-1TLS\s0 Feature (aka Must Staple)"
.IX Subsection "TLS Feature (aka Must Staple)"
This is a multi-valued extension consisting of a list of \s-1TLS\s0 extension
identifiers. Each identifier may be a number (0..65535) or a supported name.
When a \s-1TLS\s0 client sends a listed extension, the \s-1TLS\s0 server is expected to
include that extension in its reply.
.PP
The supported names are: \fBstatus_request\fR and \fBstatus_request_v2\fR.
.PP
Example:
.PP
.Vb 1
\&        tlsfeature = status_request
.Ve
.SH "DEPRECATED EXTENSIONS"
.IX Header "DEPRECATED EXTENSIONS"
The following extensions are non standard, Netscape specific and largely
obsolete. Their use in new applications is discouraged.
.SS "Netscape String extensions."
.IX Subsection "Netscape String extensions."
Netscape Comment (\fBnsComment\fR) is a string extension containing a comment
which will be displayed when the certificate is viewed in some browsers.
.PP
Example:
.PP
.Vb 1
\&        nsComment = "Some Random Comment"
.Ve
.PP
Other supported extensions in this category are: \fBnsBaseUrl\fR,
\&\fBnsRevocationUrl\fR, \fBnsCaRevocationUrl\fR, \fBnsRenewalUrl\fR, \fBnsCaPolicyUrl\fR
and \fBnsSslServerName\fR.
.SS "Netscape Certificate Type"
.IX Subsection "Netscape Certificate Type"
This is a multi-valued extension which consists of a list of flags to be
included. It was used to indicate the purposes for which a certificate could
be used. The basicConstraints, keyUsage and extended key usage extensions are
now used instead.
.PP
Acceptable values for nsCertType are: \fBclient\fR, \fBserver\fR, \fBemail\fR,
\&\fBobjsign\fR, \fBreserved\fR, \fBsslCA\fR, \fBemailCA\fR, \fBobjCA\fR.
.SH "ARBITRARY EXTENSIONS"
.IX Header "ARBITRARY EXTENSIONS"
If an extension is not supported by the OpenSSL code then it must be encoded
using the arbitr
ary extension format. It is also possible to use the
arbitrary format for supported extensions. Extreme care should be taken to
ensure that the data is formatted correctly for the given extension type.
.PP
There are two ways to encode arbitrary extensions.
.PP
The first way is to use the word \s-1ASN1\s0 followed by the extension content
using the same syntax as \fBASN1_generate_nconf\fR\|(3).
For example:
.PP
.Vb 1
\&        1.2.3.4=critical,ASN1:UTF8String:Some random data
\&
\&        1.2.3.4=ASN1:SEQUENCE:seq_sect
\&
\&        [seq_sect]
\&
\&        field1 = UTF8:field1
\&        field2 = UTF8:field2
.Ve
.PP
It is also possible to use the word \s-1DER\s0 to include the raw encoded data in
any extension.
.PP
.Vb 2
\&        1.2.3.4=critical,DER:01:02:03:04
\&        1.2.3.4=DER:01020304
.Ve
.PP
The value following \s-1DER\s0 is a hex dump of the \s-1DER\s0 encoding of the extension.
Any extension can be placed in this form to override the default behaviour.
For example:
.PP
.Vb 1
\&        basicConstraints=critical,DER:00:01:02:03
.Ve
.SH "WARNINGS"
.IX Header "WARNINGS"
There is no guarantee that a specific implementation will process a given
extension. It may therefore be sometimes possible to use certificates for
purposes prohibited by their extensions because a specific application does
not recognize or honour the values of the relevant extensions.
.PP
The \s-1DER\s0 and \s-1ASN1\s0 options should be used with caution. It is possible to
create totally invalid extensions if they are not used carefully.
.SH "NOTES"
.IX Header "NOTES"
If an extension is multi-value and a field value must contain a comma the
long form must be used otherwise the comma would be misinterpreted as a
field separator. For example:
.PP
.Vb 1
\&        subjectAltName=URI:ldap://somehost.com/CN=foo,OU=bar
.Ve
.PP
will produce an error but the equivalent form:
.PP
.Vb 1
\&        subjectAltName=@subject_alt_section
\&
\&        [subject_alt_section]
\&        subjectAltName=URI:ldap://somehost.com/CN=foo,OU=bar
.Ve
.PP
is valid.
.PP
Due to the behaviour of the OpenSSL \fBconf\fR library the same field name
can only occur once in a section. This means that:
.PP
.Vb 1
\&        subjectAltName=@alt_section
\&
\&        [alt_section]
\&
\&        email=steve@here
\&        email=steve@there
.Ve
.PP
will only recognize the last value.
This can be worked around by using the form:
.PP
.Vb 1
\&        [alt_section]
\&
\&        email.1=steve@here
\&        email.2=steve@there
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBreq\fR\|(1), \fBca\fR\|(1), \fBx509\fR\|(1),
\&\fBASN1_generate_nconf\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2004\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R").  You may not use
this file except in compliance with the License.  You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at .
.\" Man page generated from reStructuredText.
.
.TH "K5LOGIN" "5" " " "1.17" "MIT Kerberos"
.SH NAME
k5login \- Kerberos V5 acl file for host access
.
.nr rst2man-indent-level 0
.
.de1 rstReportMargin
\\$1 \\n[an-margin]
level \\n[rst2man-indent-level]
level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
-
\\n[rst2man-indent0]
\\n[rst2man-indent1]
\\n[rst2man-indent2]
..
.de1 INDENT
.\" .rstReportMargin pre:
. RS \\$1
. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
. nr rst2man-indent-level +1
.\" .rstReportMargin post:
..
.de UNINDENT
. RE
.\" indent \\n[an-margin]
.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
.nr rst2man-indent-level -1
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
.SH DESCRIPTION
.sp
The .k5login file, which resides in a user\(aqs home directory, contains a
list of the Kerberos principals.  Anyone with valid tickets for a principal
in the file is allowed host access with the UID of the user in whose home
directory the file resides.  One common use is to place a .k5login file in
root\(aqs home directory, thereby granting system administrators remote root
access to the host via Kerberos.
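The access decision just described, as an added example (illustrative code for this page, not MIT Kerberos code): `k5login_permits` grants access when the authenticated principal is listed in the target account's .k5login, and otherwise falls back to the default rule (the account's own principal in the machine's default realm) only when there is no file or `k5login_authoritative` is false, which is the krb5.conf(5) flag the EXAMPLES section refers to. Principals are compared as plain strings, `BLEEP.COM` is assumed to be the machine's default realm, and the file contents are constructed from the alice/bob scenario.

```python
"""Model of the .k5login access decision (added example, not MIT Kerberos code)."""
from typing import List, Optional


def parse_k5login(text: str) -> List[str]:
    """One principal name per line; blank lines are ignored."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def k5login_permits(client: str, account: str, k5login: Optional[str],
                    default_realm: str, authoritative: bool = True) -> bool:
    """May `client` (an authenticated Kerberos principal) log in as the local
    `account`?  k5login is the file's text, or None when no .k5login exists;
    `authoritative` models k5login_authoritative from krb5.conf(5)."""
    if k5login is not None:
        if client in parse_k5login(k5login):
            return True
        if authoritative:
            return False            # the file is the only source of truth
    # default rule: the account's own principal in the machine's realm
    return client == f"{account}@{default_realm}"


# Constructed from the manual's scenario.
ALICE_K5LOGIN = "bob@FOOBAR.ORG\n"
ROOT_K5LOGIN = "alice@BLEEP.COM\njoeadmin/root@BLEEP.COM\n"
DEFAULT_REALM = "BLEEP.COM"     # assumed for the example


def scenario() -> dict:
    """The outcomes the EXAMPLES section walks through."""
    return {
        "bob_as_alice": k5login_permits("bob@FOOBAR.ORG", "alice", ALICE_K5LOGIN, DEFAULT_REALM),
        "alice_as_alice": k5login_permits("alice@BLEEP.COM", "alice", ALICE_K5LOGIN, DEFAULT_REALM),
        "alice_as_alice_nonauth": k5login_permits("alice@BLEEP.COM", "alice", ALICE_K5LOGIN,
                                                  DEFAULT_REALM, authoritative=False),
        "alice_as_alice_nofile": k5login_permits("alice@BLEEP.COM", "alice", None, DEFAULT_REALM),
        "alice_as_root": k5login_permits("alice@BLEEP.COM", "root", ROOT_K5LOGIN, DEFAULT_REALM),
        "joeadmin_as_root": k5login_permits("joeadmin/root@BLEEP.COM", "root", ROOT_K5LOGIN, DEFAULT_REALM),
        "bob_as_root": k5login_permits("bob@FOOBAR.ORG", "root", ROOT_K5LOGIN, DEFAULT_REALM),
    }


if __name__ == "__main__":
    for case, allowed in scenario().items():
        print(f"{case:24s} {'allowed' if allowed else 'denied'}")
```

The `alice_as_alice` case is the one the page calls out: with the default authoritative setting, creating a .k5login that lists only `bob@FOOBAR.ORG` locks alice's own principal out of her account, while `alice_as_alice_nofile` and `alice_as_alice_nonauth` are the two ways the default rule comes back into effect.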
.SH EXAMPLES
.sp
Suppose the user \fBalice\fP had a .k5login file in her home directory
containing just the following line:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
bob@FOOBAR.ORG
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
This would allow \fBbob\fP to use Kerberos network applications, such as
ssh(1), to access \fBalice\fP\(aqs account, using \fBbob\fP\(aqs Kerberos tickets.  In a
default configuration (with \fBk5login_authoritative\fP set to true in
krb5.conf(5)), this .k5login file would not let \fBalice\fP use those network
applications to access her account, since she is not listed!  With no .k5login
file, or with \fBk5login_authoritative\fP set to false, a default rule would
permit the principal \fBalice\fP in the machine\(aqs default realm to access the
\fBalice\fP account.
.sp
Let us further suppose that \fBalice\fP is a system administrator.  Alice and
the other system administrators would have their principals in root\(aqs .k5login
file on each host:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
alice@BLEEP.COM
joeadmin/root@BLEEP.COM
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
This would allow either system administrator to log in to these hosts
using their Kerberos tickets instead of having to type the root password.
Note that because \fBbob\fP retains the Kerberos tickets for his own
principal, \fBbob@FOOBAR.ORG\fP, he would not have any of the privileges
that require \fBalice\fP\(aqs tickets, such as root access to any of the site\(aqs
hosts, or the ability to change \fBalice\fP\(aqs password.
.SH SEE ALSO
.sp
kerberos(1)
.SH AUTHOR
MIT
.SH COPYRIGHT
1985-2019, MIT
.\" Generated by docutils manpage writer.
.
.\" Man page generated from reStructuredText.
.
.TH "K5IDENTITY" "5" " " "1.17" "MIT Kerberos"
.SH NAME
k5identity \- Kerberos V5 client principal selection rules
.SH DESCRIPTION
.sp
The .k5identity file, which resides in a user\(aqs home directory, contains
a list of rules for selecting a client principal based on the server being
accessed.  These rules are used to choose a credential cache within the
cache collection when possible.
.sp
Blank lines and lines beginning with \fB#\fP are ignored.  Each line has the
form:
.INDENT 0.0
.INDENT 3.5
\fIprincipal\fP \fIfield\fP=\fIvalue\fP ...
.UNINDENT
.UNINDENT
.sp
If the server principal meets all of the field constraints, then principal
is chosen as the client principal.  The following fields are recognized:
.INDENT 0.0
.TP
\fBrealm\fP
If the realm of the server principal is known, it is matched against
\fIvalue\fP, which may be a pattern using shell wildcards.  For host\-based
server principals, the realm will generally only be known if there is a
domain_realm section in krb5.conf(5) with a mapping for the hostname.
.TP
\fBservice\fP
If the server principal is a host\-based principal, its service component
is matched against \fIvalue\fP, which may be a pattern using shell wildcards.
.TP
\fBhost\fP
If the server principal is a host\-based principal, its hostname component
is converted to lower case and matched against \fIvalue\fP, which may be a
pattern using shell wildcards.
.sp
If the server principal matches the constraints of multiple lines in the
\&.k5identity file, the principal from the first matching line is used.  If
no line matches, credentials will be selected some other way, such as the
realm heuristic or the current primary cache.
.UNINDENT
.SH EXAMPLE
.sp
The following example .k5identity file selects the client principal
\fBalice@KRBTEST.COM\fP if the server principal is within that realm, the
principal \fBalice/root@EXAMPLE.COM\fP if the server host is within a servers
subdomain, and the principal \fBalice/mail@EXAMPLE.COM\fP when accessing the
IMAP service on \fBmail.example.com\fP:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
alice@KRBTEST.COM       realm=KRBTEST.COM
alice/root@EXAMPLE.COM  host=*.servers.example.com
alice/mail@EXAMPLE.COM  host=mail.example.com service=imap
.ft P
.fi
.UNINDENT
.UNINDENT
.SH SEE ALSO
.sp
kerberos(1), krb5.conf(5)
.SH AUTHOR
MIT
.SH COPYRIGHT
1985-2019, MIT
.\" Generated by docutils manpage writer.
.
.\" Man page generated from reStructuredText.
.
.TH "KRB5.CONF" "5" " " "1.17" "MIT Kerberos"
.SH NAME
krb5.conf \- Kerberos configuration file
.SH DESCRIPTION
.sp The krb5.conf file contains Kerberos configuration information, including the locations of KDCs and admin servers for the Kerberos realms of interest, defaults for the current realm and for Kerberos applications, and mappings of hostnames onto Kerberos realms. Normally, you should install your krb5.conf file in the directory \fB/etc\fP\&. You can override the default location by setting the environment variable \fBKRB5_CONFIG\fP\&. Multiple colon\-separated filenames may be specified in \fBKRB5_CONFIG\fP; all files which are present will be read. Starting in release 1.14, directory names can also be specified in \fBKRB5_CONFIG\fP; all files within the directory whose names consist solely of alphanumeric characters, dashes, or underscores will be read. .SH STRUCTURE .sp The krb5.conf file is set up in the style of a Windows INI file. Lines beginning with \(aq#\(aq or \(aq;\(aq (possibly after initial whitespace) are ignored as comments. Sections are headed by the section name, in square brackets. Each section may contain zero or more relations, of the form: .INDENT 0.0 .INDENT 3.5 .sp .nf .ft C foo = bar .ft P .fi .UNINDENT .UNINDENT .sp or: .INDENT 0.0 .INDENT 3.5 .sp .nf .ft C fubar = { foo = bar baz = quux } .ft P .fi .UNINDENT .UNINDENT .sp Placing a \(aq*\(aq at the end of a line indicates that this is the \fIfinal\fP value for the tag. This means that neither the remainder of this configuration file nor any other configuration file will be checked for any other values for this tag. .sp For example, if you have the following lines: .INDENT 0.0 .INDENT 3.5 .sp .nf .ft C foo = bar* foo = baz .ft P .fi .UNINDENT .UNINDENT .sp then the second value of \fBfoo\fP (\fBbaz\fP) would never be read. 
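The STRUCTURE rules above, as an added example (illustrative code for this page, not the MIT Kerberos profile library): a parser for `[section]` headers, `tag = value` relations, nested `tag = { ... }` groups, `#`/`;` comments, the trailing `*` that makes a value final across this and every later file, and several files read in KRB5_CONFIG order. It also resolves `include FILE` from an in-memory dict and enforces the rule, stated in the next paragraph of this page, that an included file must begin with a section header. A tag repeated in a section accumulates into a list, which is how the real profile library exposes repeated relations; `}*`, marking a whole group final, follows the profile library's syntax rather than anything on this page. `kdc`, `clockskew`, `default_realm` and `dns_lookup_kdc` are real krb5.conf relation names, but all file contents and paths below are constructed.

```python
"""Parser for the krb5.conf profile syntax (added example, not MIT Kerberos code)."""
from typing import Dict, List, Optional, Set, Tuple

Profile = Dict[str, dict]   # section -> {tag: [str or nested dict, ...]}
Path = Tuple[str, ...]


def parse_profile(sources: List[str], files: Optional[Dict[str, str]] = None) -> Profile:
    """Merge `sources` (file texts in KRB5_CONFIG order) into one profile."""
    profile: Profile = {}
    final: Set[Path] = set()        # (section, tag, ...) paths marked with '*'
    for text in sources:
        _parse_one(text, profile, final, files or {})
    return profile


def _parse_one(text: str, profile: Profile, final: Set[Path], files: Dict[str, str]) -> None:
    section = None
    stack: List[Tuple[dict, Path]] = []     # (container, path) of the open groups
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("include ") and len(stack) <= 1:
            name = line.split(None, 1)[1]
            if name not in files:
                raise ValueError(f"line {lineno}: include {name}: no such file")
            _parse_one(files[name], profile, final, files)   # independent file: needs its own header
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            profile.setdefault(section, {})
            stack = [(profile[section], (section,))]
            continue
        if section is None:
            raise ValueError(f"line {lineno}: relation before any section header")
        if line in ("}", "}*"):
            if len(stack) < 2:
                raise ValueError(f"line {lineno}: unmatched '}}'")
            _, path = stack.pop()
            if line == "}*":
                final.add(path)
            continue
        tag, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"line {lineno}: expected 'tag = value'")
        tag, value = tag.strip(), value.strip()
        container, path = stack[-1]
        key = path + (tag,)
        if value == "{":
            group: dict = {}
            if key not in final:
                container.setdefault(tag, []).append(group)
            stack.append((group, key))      # parsed either way, kept only if not final
            continue
        if key in final:
            continue                        # a '*' value shadows every later one
        if value.endswith("*"):
            final.add(key)
            value = value[:-1].rstrip()
        container.setdefault(tag, []).append(value)


def get_values(profile: Profile, section: str, *path: str) -> List[str]:
    """All string values at section/path..., looking in every group of that name."""
    nodes = [profile.get(section, {})]
    for tag in path[:-1]:
        nodes = [g for n in nodes for g in n.get(tag, []) if isinstance(g, dict)]
    return [v for n in nodes for v in n.get(path[-1], []) if isinstance(v, str)]


def parse_error(sources: List[str], files: Optional[Dict[str, str]] = None) -> Optional[str]:
    """The rejection message, or None if the profile parses."""
    try:
        parse_profile(sources, files)
    except ValueError as err:
        return str(err)
    return None


# Constructed files: a main krb5.conf, a fragment it includes, and a second
# file as KRB5_CONFIG=/etc/krb5.conf:/etc/krb5-site.conf would add after it.
MAIN_CONF = """[libdefaults]
    default_realm = EXAMPLE.COM
    foo = bar*
    foo = baz
include /etc/krb5.conf.d/extra
[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com
        kdc = kdc2.example.com
    }
"""
EXTRA_CONF = """[libdefaults]
    clockskew = 300
"""
SITE_CONF = """[libdefaults]
    foo = qux
    dns_lookup_kdc = false
"""
FILES = {"/etc/krb5.conf.d/extra": EXTRA_CONF}

if __name__ == "__main__":
    prof = parse_profile([MAIN_CONF, SITE_CONF], FILES)
    print(get_values(prof, "libdefaults", "foo"))            # ['bar']: 'baz' and 'qux' never read
    print(get_values(prof, "realms", "EXAMPLE.COM", "kdc"))
```

`foo = bar*` in the first file wins over `foo = baz` on the next line and over `foo = qux` in the later file, which is the page's "neither the remainder of this configuration file nor any other configuration file" rule; `parse_error` returns a message for an include whose text starts with a relation instead of a section header.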
.sp The krb5.conf file can include other files using either of the following directives at the beginning of a line: .INDENT 0.0 .INDENT 3.5 .sp .nf .ft C include FILENAME includedir DIRNAME .ft P .fi .UNINDENT .UNINDENT .sp \fIFILENAME\fP or \fIDIRNAME\fP should be an absolute path. The named file or directory must exist and be readable. Including a directory includes all files within the directory whose names consist solely of alphanumeric characters, dashes, or underscores. Starting in release 1.15, files with names ending in ".conf" are also included, unless the name begins with ".". Included profile files are syntactically independent of their parents, so each included file must begin with a section header. Starting in release 1.17, files are read in alphanumeric order; in previous releases, they may be read in any order. .sp The krb5.conf file can specify that configuration should be obtained from a loadable module, rather than the file itself, using the following directive at the beginning of a line before any section headers: .INDENT 0.0 .INDENT 3.5 .sp .nf .ft C module MODULEPATH:RESIDUAL .ft P .fi .UNINDENT .UNINDENT .sp \fIMODULEPATH\fP may be relative to the library path of the krb5 installation, or it may be an absolute path. \fIRESIDUAL\fP is provided to the module at initialization time. If krb5.conf uses a module directive, kdc.conf(5) should also use one if it exists. .SH SECTIONS .sp The krb5.conf file may contain the following sections: .TS center; |l|l|. 
_
T{
\fI\%[libdefaults]\fP
T}	T{
Settings used by the Kerberos V5 library
T}
_
T{
\fI\%[realms]\fP
T}	T{
Realm\-specific contact information and settings
T}
_
T{
\fI\%[domain_realm]\fP
T}	T{
Maps server hostnames to Kerberos realms
T}
_
T{
\fI\%[capaths]\fP
T}	T{
Authentication paths for non\-hierarchical cross\-realm
T}
_
T{
\fI\%[appdefaults]\fP
T}	T{
Settings used by some Kerberos V5 applications
T}
_
T{
\fI\%[plugins]\fP
T}	T{
Controls plugin module registration
T}
_
.TE
.sp
Additionally, krb5.conf may include any of the relations described in kdc.conf(5), but it is not a recommended practice.
.SS [libdefaults]
.sp
The libdefaults section may contain any of the following relations:
.INDENT 0.0
.TP
\fBallow_weak_crypto\fP
If this flag is set to false, then weak encryption types (as noted in Encryption_types in kdc.conf(5)) will be filtered out of the lists \fBdefault_tgs_enctypes\fP, \fBdefault_tkt_enctypes\fP, and \fBpermitted_enctypes\fP\&. The default value for this tag is false, which may cause authentication failures in existing Kerberos infrastructures that do not support strong crypto. Users in affected environments should set this tag to true until their infrastructure adopts stronger ciphers.
.TP
\fBap_req_checksum_type\fP
An integer which specifies the type of AP\-REQ checksum to use in authenticators. This variable should be unset so the appropriate checksum for the encryption key in use will be used. This can be set if backward compatibility requires a specific checksum type. See the \fBkdc_req_checksum_type\fP configuration option for the possible values and their meanings.
.TP
\fBcanonicalize\fP
If this flag is set to true, initial ticket requests to the KDC will request canonicalization of the client principal name, and answers with different client principals than the requested principal will be accepted. The default value is false.
.TP
\fBccache_type\fP
This parameter determines the format of credential cache types created by kinit(1) or other programs. The default value is 4, which represents the most current format. Smaller values can be used for compatibility with very old implementations of Kerberos which interact with credential caches on the same host.
.TP
\fBclockskew\fP
Sets the maximum allowable amount of clockskew in seconds that the library will tolerate before assuming that a Kerberos message is invalid. The default value is 300 seconds, or five minutes.
.sp
The clockskew setting is also used when evaluating ticket start and expiration times. For example, tickets that have reached their expiration time can still be used (and renewed if they are renewable tickets) if they have been expired for a shorter duration than the \fBclockskew\fP setting.
.TP
\fBdefault_ccache_name\fP
This relation specifies the name of the default credential cache. The default is \fBFILE:/tmp/krb5cc_%{uid}\fP\&. This relation is subject to parameter expansion (see below). New in release 1.11.
.TP
\fBdefault_client_keytab_name\fP
This relation specifies the name of the default keytab for obtaining client credentials. The default is \fBFILE:/opt/alt/krb5/usr/var/krb5/user/%{euid}/client.keytab\fP\&. This relation is subject to parameter expansion (see below). New in release 1.11.
.TP
\fBdefault_keytab_name\fP
This relation specifies the default keytab name to be used by application servers such as sshd. The default is \fBFILE:/etc/krb5.keytab\fP\&. This relation is subject to parameter expansion (see below).
.TP
\fBdefault_realm\fP
Identifies the default Kerberos realm for the client. Set its value to your Kerberos realm. If this value is not set, then a realm must be specified with every Kerberos principal when invoking programs such as kinit(1)\&.
.TP
\fBdefault_tgs_enctypes\fP
Identifies the supported list of session key encryption types that the client should request when making a TGS\-REQ, in order of preference from highest to lowest. The list may be delimited with commas or whitespace. See Encryption_types in kdc.conf(5) for a list of the accepted values for this tag. The default value is \fBaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 aes256\-cts\-hmac\-sha384\-192 aes128\-cts\-hmac\-sha256\-128 des3\-cbc\-sha1 arcfour\-hmac\-md5 camellia256\-cts\-cmac camellia128\-cts\-cmac des\-cbc\-crc des\-cbc\-md5 des\-cbc\-md4\fP, but single\-DES encryption types will be implicitly removed from this list if the value of \fBallow_weak_crypto\fP is false.
.sp
Do not set this unless required for specific backward compatibility purposes; stale values of this setting can prevent clients from taking advantage of new stronger enctypes when the libraries are upgraded.
.TP
\fBdefault_tkt_enctypes\fP
Identifies the supported list of session key encryption types that the client should request when making an AS\-REQ, in order of preference from highest to lowest. The format is the same as for default_tgs_enctypes. The default value for this tag is \fBaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 aes256\-cts\-hmac\-sha384\-192 aes128\-cts\-hmac\-sha256\-128 des3\-cbc\-sha1 arcfour\-hmac\-md5 camellia256\-cts\-cmac camellia128\-cts\-cmac des\-cbc\-crc des\-cbc\-md5 des\-cbc\-md4\fP, but single\-DES encryption types will be implicitly removed from this list if the value of \fBallow_weak_crypto\fP is false.
.sp
Do not set this unless required for specific backward compatibility purposes; stale values of this setting can prevent clients from taking advantage of new stronger enctypes when the libraries are upgraded.
.TP
\fBdns_canonicalize_hostname\fP
Indicate whether name lookups will be used to canonicalize hostnames for use in service principal names.
Setting this flag to false can improve security by reducing reliance on DNS, but means that short hostnames will not be canonicalized to fully\-qualified hostnames. The default value is true.
.TP
\fBdns_lookup_kdc\fP
Indicate whether DNS SRV records should be used to locate the KDCs and other servers for a realm, if they are not listed in the krb5.conf information for the realm. (Note that the admin_server entry must be in the krb5.conf realm information in order to contact kadmind, because the DNS implementation for kadmin is incomplete.)
.sp
Enabling this option does open up a type of denial\-of\-service attack, if someone spoofs the DNS records and redirects you to another server. However, it\(aqs no worse than a denial of service, because that fake KDC will be unable to decode anything you send it (besides the initial ticket request, which has no encrypted data), and anything the fake KDC sends will not be trusted without verification using some secret that it won\(aqt know.
.TP
\fBdns_uri_lookup\fP
Indicate whether DNS URI records should be used to locate the KDCs and other servers for a realm, if they are not listed in the krb5.conf information for the realm. SRV records are used as a fallback if no URI records were found. The default value is true. New in release 1.15.
.TP
\fBerr_fmt\fP
This relation allows for custom error message formatting. If a value is set, error messages will be formatted by substituting a normal error message for %M and an error code for %C in the value.
.TP
\fBextra_addresses\fP
This allows a computer to use multiple local addresses, in order to allow Kerberos to work in a network that uses NATs while still using address\-restricted tickets. The addresses should be in a comma\-separated list. This option has no effect if \fBnoaddresses\fP is true.
.TP
\fBforwardable\fP
If this flag is true, initial tickets will be forwardable by default, if allowed by the KDC. The default value is false.
.TP
\fBignore_acceptor_hostname\fP
When accepting GSSAPI or krb5 security contexts for host\-based service principals, ignore any hostname passed by the calling application, and allow clients to authenticate to any service principal in the keytab matching the service name and realm name (if given). This option can improve the administrative flexibility of server applications on multihomed hosts, but could compromise the security of virtual hosting environments. The default value is false. New in release 1.10.
.TP
\fBk5login_authoritative\fP
If this flag is true, principals must be listed in a local user\(aqs k5login file to be granted login access, if a \&.k5login(5) file exists. If this flag is false, a principal may still be granted login access through other mechanisms even if a k5login file exists but does not list the principal. The default value is true.
.TP
\fBk5login_directory\fP
If set, the library will look for a local user\(aqs k5login file within the named directory, with a filename corresponding to the local username. If not set, the library will look for k5login files in the user\(aqs home directory, with the filename .k5login. For security reasons, .k5login files must be owned by the local user or by root.
.TP
\fBkcm_mach_service\fP
On macOS only, determines the name of the bootstrap service used to contact the KCM daemon for the KCM credential cache type. If the value is \fB\-\fP, Mach RPC will not be used to contact the KCM daemon. The default value is \fBorg.h5l.kcm\fP\&.
.TP
\fBkcm_socket\fP
Determines the path to the Unix domain socket used to access the KCM daemon for the KCM credential cache type. If the value is \fB\-\fP, Unix domain sockets will not be used to contact the KCM daemon. The default value is \fB/var/run/.heim_org.h5l.kcm\-socket\fP\&.
.TP
\fBkdc_default_options\fP
Default KDC options (Xored for multiple values) when requesting initial tickets. By default it is set to 0x00000010 (KDC_OPT_RENEWABLE_OK).
.TP
\fBkdc_timesync\fP
Accepted values for this relation are 1 or 0. If it is nonzero, client machines will compute the difference between their time and the time returned by the KDC in the timestamps in the tickets and use this value to correct for an inaccurate system clock when requesting service tickets or authenticating to services. This corrective factor is only used by the Kerberos library; it is not used to change the system clock. The default value is 1.
.TP
\fBkdc_req_checksum_type\fP
An integer which specifies the type of checksum to use for the KDC requests, for compatibility with very old KDC implementations. This value is only used for DES keys; other keys use the preferred checksum type for those keys.
.sp
The possible values and their meanings are as follows.
.TS
center;
|l|l|.
_
T{
1
T}	T{
CRC32
T}
_
T{
2
T}	T{
RSA MD4
T}
_
T{
3
T}	T{
RSA MD4 DES
T}
_
T{
4
T}	T{
DES CBC
T}
_
T{
7
T}	T{
RSA MD5
T}
_
T{
8
T}	T{
RSA MD5 DES
T}
_
T{
9
T}	T{
NIST SHA
T}
_
T{
12
T}	T{
HMAC SHA1 DES3
T}
_
T{
\-138
T}	T{
Microsoft MD5 HMAC checksum type
T}
_
.TE
.TP
\fBnoaddresses\fP
If this flag is true, requests for initial tickets will not be made with address restrictions set, allowing the tickets to be used across NATs. The default value is true.
.TP
\fBpermitted_enctypes\fP
Identifies all encryption types that are permitted for use in session key encryption. The default value for this tag is \fBaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 aes256\-cts\-hmac\-sha384\-192 aes128\-cts\-hmac\-sha256\-128 des3\-cbc\-sha1 arcfour\-hmac\-md5 camellia256\-cts\-cmac camellia128\-cts\-cmac des\-cbc\-crc des\-cbc\-md5 des\-cbc\-md4\fP, but single\-DES encryption types will be implicitly removed from this list if the value of \fBallow_weak_crypto\fP is false.
.TP
\fBplugin_base_dir\fP
If set, determines the base directory where krb5 plugins are located. The default value is the \fBkrb5/plugins\fP subdirectory of the krb5 library directory.
This relation is subject to parameter expansion (see below) in release 1.17 and later.
.TP
\fBpreferred_preauth_types\fP
This allows you to set the preferred preauthentication types which the client will attempt before others which may be advertised by a KDC. The default value for this setting is "17, 16, 15, 14", which forces libkrb5 to attempt to use PKINIT if it is supported.
.TP
\fBproxiable\fP
If this flag is true, initial tickets will be proxiable by default, if allowed by the KDC. The default value is false.
.TP
\fBrdns\fP
If this flag is true, reverse name lookup will be used in addition to forward name lookup to canonicalize hostnames for use in service principal names. If \fBdns_canonicalize_hostname\fP is set to false, this flag has no effect. The default value is true.
.TP
\fBrealm_try_domains\fP
Indicate whether a host\(aqs domain components should be used to determine the Kerberos realm of the host. The value of this variable is an integer: \-1 means not to search, 0 means to try the host\(aqs domain itself, 1 means to also try the domain\(aqs immediate parent, and so forth. The library\(aqs usual mechanism for locating Kerberos realms is used to determine whether a domain is a valid realm, which may involve consulting DNS if \fBdns_lookup_kdc\fP is set. The default is not to search domain components.
.TP
\fBrenew_lifetime\fP
(duration string.) Sets the default renewable lifetime for initial ticket requests. The default value is 0.
.TP
\fBsafe_checksum_type\fP
An integer which specifies the type of checksum to use for the KRB\-SAFE requests. By default it is set to 8 (RSA MD5 DES). For compatibility with applications linked against DCE version 1.1 or earlier Kerberos libraries, use a value of 3 to use the RSA MD4 DES instead. This field is ignored when its value is incompatible with the session key type. See the \fBkdc_req_checksum_type\fP configuration option for the possible values and their meanings.
.TP
\fBspake_preauth_groups\fP
A whitespace or comma\-separated list of words which specifies the groups allowed for SPAKE preauthentication. The possible values are:
.TS
center;
|l|l|.
_
T{
edwards25519
T}	T{
Edwards25519 curve (\fI\%RFC 7748\fP)
T}
_
T{
P\-256
T}	T{
NIST P\-256 curve (\fI\%RFC 5480\fP)
T}
_
T{
P\-384
T}	T{
NIST P\-384 curve (\fI\%RFC 5480\fP)
T}
_
T{
P\-521
T}	T{
NIST P\-521 curve (\fI\%RFC 5480\fP)
T}
_
.TE
.sp
The default value for the client is \fBedwards25519\fP\&. The default value for the KDC is empty. New in release 1.17.
.TP
\fBticket_lifetime\fP
(duration string.) Sets the default lifetime for initial ticket requests. The default value is 1 day.
.TP
\fBudp_preference_limit\fP
When sending a message to the KDC, the library will try using TCP before UDP if the size of the message is above \fBudp_preference_limit\fP\&. If the message is smaller than \fBudp_preference_limit\fP, then UDP will be tried before TCP. Regardless of the size, both protocols will be tried if the first attempt fails.
.TP
\fBverify_ap_req_nofail\fP
If this flag is true, then an attempt to verify initial credentials will fail if the client machine does not have a keytab. The default value is false.
.UNINDENT
.SS [realms]
.sp
Each tag in the [realms] section of the file is the name of a Kerberos realm. The value of the tag is a subsection with relations that define the properties of that particular realm. For each realm, the following tags may be specified in the realm\(aqs subsection:
.INDENT 0.0
.TP
\fBadmin_server\fP
Identifies the host where the administration server is running. Typically, this is the master Kerberos server. This tag must be given a value in order to communicate with the kadmind(8) server for the realm.
.TP
\fBauth_to_local\fP
This tag allows you to set a general rule for mapping principal names to local user names. It will be used if there is not an explicit mapping for the principal name that is being translated.
The possible values are:
.INDENT 7.0
.TP
\fBRULE:\fP\fIexp\fP
The local name will be formulated from \fIexp\fP\&.
.sp
The format for \fIexp\fP is \fB[\fP\fIn\fP\fB:\fP\fIstring\fP\fB](\fP\fIregexp\fP\fB)s/\fP\fIpattern\fP\fB/\fP\fIreplacement\fP\fB/g\fP\&. The integer \fIn\fP indicates how many components the target principal should have. If this matches, then a string will be formed from \fIstring\fP, substituting the realm of the principal for \fB$0\fP and the \fIn\fP\(aqth component of the principal for \fB$n\fP (e.g., if the principal was \fBjohndoe/admin\fP then \fB[2:$2$1foo]\fP would result in the string \fBadminjohndoefoo\fP). If this string matches \fIregexp\fP, then the \fBs//[g]\fP substitution command will be run over the string. The optional \fBg\fP will cause the substitution to be global over the \fIstring\fP, instead of replacing only the first match in the \fIstring\fP\&.
.TP
\fBDEFAULT\fP
The principal name will be used as the local user name. If the principal has more than one component or is not in the default realm, this rule is not applicable and the conversion will fail.
.UNINDENT
.sp
For example:
.INDENT 7.0
.INDENT 3.5
.sp
.nf
.ft C
[realms]
    ATHENA.MIT.EDU = {
        auth_to_local = RULE:[2:$1](johndoe)s/^.*$/guest/
        auth_to_local = RULE:[2:$1;$2](^.*;admin$)s/;admin$//
        auth_to_local = RULE:[2:$2](^.*;root)s/^.*$/root/
        auth_to_local = DEFAULT
    }
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
would result in any principal without \fBroot\fP or \fBadmin\fP as the second component being translated with the default rule. A principal with a second component of \fBadmin\fP will become its first component. \fBroot\fP will be used as the local name for any principal with a second component of \fBroot\fP\&. The exception to these two rules is any principal \fBjohndoe/*\fP, which will always get the local name \fBguest\fP\&.
.TP
\fBauth_to_local_names\fP
This subsection allows you to set explicit mappings from principal names to local user names.
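.sp
The RULE and DEFAULT processing described above, as an added Python example that is not part of this man page or of MIT krb5: it parses the \fIexp\fP syntax and walks a list of auth_to_local values in order, using the first two example rules and DEFAULT. It assumes principals without escaped separators, a regexp that contains no closing parenthesis, substitution parts that contain no slash, and literal replacement text.

```python
import re

# Added example, not MIT krb5's own code: an evaluator for auth_to_local
# values of the forms RULE:exp and DEFAULT as described in krb5.conf(5).
# Assumptions: principals contain no escaped '/' or '@', the (regexp) part
# contains no ')', the s/pattern/replacement/ parts contain no '/', and the
# replacement text is literal (no sed-style backreferences).

_SUB_RE = re.compile(r"s/([^/]*)/([^/]*)/(g?)")


def parse_principal(principal):
    """Split 'name/inst@REALM' into (['name', 'inst'], 'REALM')."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not realm:
        raise ValueError("principal has no realm: %r" % principal)
    return name.split("/"), realm


def parse_rule(exp):
    """Parse [n:string](regexp)s/pattern/replacement/g; every part is optional."""
    n = fmt = regexp = None
    pos = 0
    if exp.startswith("["):
        end = exp.index("]")
        n_text, _, fmt = exp[1:end].partition(":")
        n = int(n_text)
        pos = end + 1
    if exp.startswith("(", pos):
        end = exp.index(")", pos)
        regexp = exp[pos + 1:end]
        pos = end + 1
    subs = []
    while pos < len(exp):
        m = _SUB_RE.match(exp, pos)
        if m is None:
            raise ValueError("bad substitution command: %r" % exp[pos:])
        subs.append((m.group(1), m.group(2), m.group(3) == "g"))
        pos = m.end()
    return n, fmt, regexp, subs


def apply_rule(exp, principal):
    """Local name produced by one RULE, or None when the rule does not apply."""
    n, fmt, regexp, subs = parse_rule(exp)
    comps, realm = parse_principal(principal)
    if fmt is None:
        text = principal          # no [n:string]: work on the whole principal
    else:
        if len(comps) != n:       # the component count must match exactly
            return None

        def component(m):         # $0 is the realm, $i the i'th component
            i = int(m.group(1))
            if i > len(comps):
                raise ValueError("$%d exceeds the %d components" % (i, n))
            return realm if i == 0 else comps[i - 1]

        text = re.sub(r"\$(\d+)", component, fmt)
    if regexp is not None and re.fullmatch(regexp, text) is None:
        return None               # the formed string must match (regexp)
    for pattern, replacement, is_global in subs:
        text = re.sub(pattern, lambda _m: replacement, text,
                      count=0 if is_global else 1)
    return text


def auth_to_local(values, principal, default_realm):
    """Try each auth_to_local value in order; the first one that applies wins."""
    for value in values:
        if value == "DEFAULT":
            comps, realm = parse_principal(principal)
            if len(comps) == 1 and realm == default_realm:
                return comps[0]
        elif value.startswith("RULE:"):
            name = apply_rule(value[len("RULE:"):], principal)
            if name is not None:
                return name
        else:
            raise ValueError("unsupported auth_to_local value: %r" % value)
    return None                   # nothing applied: the conversion fails


# The first two RULE values and DEFAULT from the ATHENA.MIT.EDU example.
ATHENA_RULES = [
    "RULE:[2:$1](johndoe)s/^.*$/guest/",
    "RULE:[2:$1;$2](^.*;admin$)s/;admin$//",
    "DEFAULT",
]

if __name__ == "__main__":
    for p in ("johndoe/admin@ATHENA.MIT.EDU", "bob/admin@ATHENA.MIT.EDU",
              "alice@ATHENA.MIT.EDU", "alice@EXAMPLE.COM"):
        print(p, "->", auth_to_local(ATHENA_RULES, p, "ATHENA.MIT.EDU"))
```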
The tag is the mapping name, and the value is the corresponding local user name.
.TP
\fBdefault_domain\fP
This tag specifies the domain used to expand hostnames when translating Kerberos 4 service principals to Kerberos 5 principals (for example, when converting \fBrcmd.hostname\fP to \fBhost/hostname.domain\fP).
.TP
\fBdisable_encrypted_timestamp\fP
If this flag is true, the client will not perform encrypted timestamp preauthentication if requested by the KDC. Setting this flag can help to prevent dictionary attacks by active attackers, if the realm\(aqs KDCs support SPAKE preauthentication or if initial authentication always uses another mechanism or always uses FAST. This flag persists across client referrals during initial authentication. This flag does not prevent the KDC from offering encrypted timestamp. New in release 1.17.
.TP
\fBhttp_anchors\fP
When KDCs and kpasswd servers are accessed through HTTPS proxies, this tag can be used to specify the location of the CA certificate which should be trusted to issue the certificate for a proxy server. If left unspecified, the system\-wide default set of CA certificates is used.
.sp
The syntax for values is similar to that of values for the \fBpkinit_anchors\fP tag:
.sp
\fBFILE:\fP \fIfilename\fP
.sp
\fIfilename\fP is assumed to be the name of an OpenSSL\-style ca\-bundle file.
.sp
\fBDIR:\fP \fIdirname\fP
.sp
\fIdirname\fP is assumed to be a directory which contains CA certificates. All files in the directory will be examined; if they contain certificates (in PEM format), they will be used.
.sp
\fBENV:\fP \fIenvvar\fP
.sp
\fIenvvar\fP specifies the name of an environment variable which has been set to a value conforming to one of the previous values. For example, \fBENV:X509_PROXY_CA\fP, where environment variable \fBX509_PROXY_CA\fP has been set to \fBFILE:/tmp/my_proxy.pem\fP\&.
.TP
\fBkdc\fP
The name or address of a host running a KDC for that realm.
An optional port number, separated from the hostname by a colon, may be included. If the name or address contains colons (for example, if it is an IPv6 address), enclose it in square brackets to distinguish the colon from a port separator. For your computer to be able to communicate with the KDC for each realm, this tag must be given a value in each realm subsection in the configuration file, or there must be DNS SRV records specifying the KDCs.
.TP
\fBkpasswd_server\fP
Points to the server where all the password changes are performed. If there is no such entry, DNS will be queried (unless forbidden by \fBdns_lookup_kdc\fP). Finally, port 464 on the \fBadmin_server\fP host will be tried.
.TP
\fBmaster_kdc\fP
Identifies the master KDC(s). Currently, this tag is used in only one case: If an attempt to get credentials fails because of an invalid password, the client software will attempt to contact the master KDC, in case the user\(aqs password has just been changed, and the updated database has not been propagated to the replica servers yet.
.TP
\fBv4_instance_convert\fP
This subsection allows the administrator to configure exceptions to the \fBdefault_domain\fP mapping rule. It contains V4 instances (the tag name) which should be translated to some specific hostname (the tag value) as the second component in a Kerberos V5 principal name.
.TP
\fBv4_realm\fP
This relation is used by the krb524 library routines when converting a V5 principal name to a V4 principal name. It is used when the V4 realm name and the V5 realm name are not the same, but still share the same principal names and passwords. The tag value is the Kerberos V4 realm name.
.UNINDENT
.SS [domain_realm]
.sp
The [domain_realm] section provides a translation from a domain name or hostname to a Kerberos realm name. The tag name can be a host name or domain name, where domain names are indicated by a prefix of a period (\fB\&.\fP).
The value of the relation is the Kerberos realm name for that particular host or domain. A host name relation implicitly provides the corresponding domain name relation, unless an explicit domain name relation is provided. The Kerberos realm may be identified either in the \fI\%realms\fP section or using DNS SRV records. Host names and domain names should be in lower case. For example:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
[domain_realm]
    crash.mit.edu = TEST.ATHENA.MIT.EDU
    .dev.mit.edu = TEST.ATHENA.MIT.EDU
    mit.edu = ATHENA.MIT.EDU
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
maps the host with the name \fBcrash.mit.edu\fP into the \fBTEST.ATHENA.MIT.EDU\fP realm. The second entry maps all hosts under the domain \fBdev.mit.edu\fP into the \fBTEST.ATHENA.MIT.EDU\fP realm, but not the host with the name \fBdev.mit.edu\fP\&. That host is matched by the third entry, which maps the host \fBmit.edu\fP and all hosts under the domain \fBmit.edu\fP that do not match a preceding rule into the realm \fBATHENA.MIT.EDU\fP\&.
.sp
If no translation entry applies to a hostname used for a service principal for a service ticket request, the library will try to get a referral to the appropriate realm from the client realm\(aqs KDC. If that does not succeed, the host\(aqs realm is considered to be the hostname\(aqs domain portion converted to uppercase, unless the \fBrealm_try_domains\fP setting in [libdefaults] causes a different parent domain to be used.
.SS [capaths]
.sp
In order to perform direct (non\-hierarchical) cross\-realm authentication, configuration is needed to determine the authentication paths between realms.
.sp
A client will use this section to find the authentication path between its realm and the realm of the server. The server will use this section to verify the authentication path used by the client, by checking the transited field of the received ticket.
.sp
There is a tag for each participating client realm, and each tag has subtags for each of the server realms.
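.sp
The profile syntax from STRUCTURE and the [domain_realm] lookup just described, as an added Python example that is not part of this man page or of MIT krb5: it parses sections, nested relations and the trailing * final marker across several files (as with a colon\-separated \fBKRB5_CONFIG\fP), then resolves hostnames against the example entries above. It assumes no include, includedir or module directives and no quoted values; the KDC referral step is not modelled, and the sample files and the kdc1.example.com host are constructed.

```python
# Added example, not MIT krb5's own code: a parser for the profile syntax
# described under STRUCTURE (sections, nested relations, '#'/';' comments,
# the trailing '*' final marker, files merged in KRB5_CONFIG order) plus the
# [domain_realm] lookup described in krb5.conf(5).  Not handled: include,
# includedir and module directives, and quoted values.


def parse_profile(text, tree=None, final=None):
    """Parse one file into tree; final collects tag paths closed by a '*'."""
    tree = {} if tree is None else tree
    final = set() if final is None else final
    stack = []      # open (node, path) pairs; relations go into stack[-1]
    skip = 0        # > 0 while inside a subsection that a '*' made final
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if skip:                              # swallow a finalized subsection
            if line.endswith("{"):
                skip += 1
            elif line in ("}", "}*"):
                skip -= 1
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            stack = [(tree.setdefault(name, {}), (name,))]
            continue
        if not stack:
            raise ValueError("relation before any section header: %r" % raw)
        node, path = stack[-1]
        if line in ("}", "}*"):
            if line == "}*":                  # '}*' finalizes the subsection
                final.add(path)
            stack.pop()
            continue
        tag, _, value = (part.strip() for part in line.partition("="))
        key = path + (tag,)
        if key in final:                      # an earlier '*' closed this tag
            skip = 1 if value == "{" else 0
            continue
        if value == "{":
            child = {}
            node.setdefault(tag, []).append(child)
            stack.append((child, key))
        else:
            if value.endswith("*"):
                value = value[:-1].rstrip()
                final.add(key)
            node.setdefault(tag, []).append(value)
    return tree, final


def load_profile(*texts):
    """Merge files in KRB5_CONFIG order; later files lose to '*'-final tags."""
    tree, final = {}, set()
    for text in texts:
        parse_profile(text, tree, final)
    return tree


def host_realm(tree, hostname):
    """Exact host entry first, then per parent domain the '.domain' entry and
    the 'domain' host entry (which implicitly supplies the domain entry);
    the KDC referral step is not modelled, so the uppercased domain is last."""
    section = tree.get("domain_realm", {})
    labels = hostname.lower().rstrip(".").split(".")
    candidates = [".".join(labels)]
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        candidates += ["." + parent, parent]
    for name in candidates:
        if name in section:
            return section[name][0]
    return ".".join(labels[1:]).upper() if len(labels) > 1 else None


# Constructed sample files: a system file and a later KRB5_CONFIG file whose
# default_realm loses to the '*' in the first (kdc1.example.com is made up).
SYSTEM_CONF = """\
[libdefaults]
    default_realm = ATHENA.MIT.EDU*
    dns_lookup_kdc = false
[realms]
    ATHENA.MIT.EDU = {
        kdc = kdc1.example.com
        admin_server = kdc1.example.com
    }
[domain_realm]
    crash.mit.edu = TEST.ATHENA.MIT.EDU
    .dev.mit.edu = TEST.ATHENA.MIT.EDU
    mit.edu = ATHENA.MIT.EDU
"""

SITE_CONF = """\
; later file: default_realm is ignored, dns_lookup_kdc is appended
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = true
"""
```

`load_profile(SYSTEM_CONF, SITE_CONF)` keeps the starred default_realm and both dns_lookup_kdc values, and `host_realm` on the merged tree reproduces the three cases the text walks through.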
The value of the subtags is an intermediate realm which may participate in the cross\-realm authentication. The subtags may be repeated if there is more than one intermediate realm. A value of "." means that the two realms share keys directly, and no intermediate realms should be allowed to participate.
.sp
Only those entries which will be needed on the client or the server need to be present. A client needs a tag for its local realm with subtags for all the realms of servers it will need to authenticate to. A server needs a tag for each realm of the clients it will serve, with a subtag of the server realm.
.sp
For example, \fBANL.GOV\fP, \fBPNL.GOV\fP, and \fBNERSC.GOV\fP all wish to use the \fBES.NET\fP realm as an intermediate realm. ANL has a sub realm of \fBTEST.ANL.GOV\fP which will authenticate with \fBNERSC.GOV\fP but not \fBPNL.GOV\fP\&. The [capaths] section for \fBANL.GOV\fP systems would look like this:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
[capaths]
    ANL.GOV = {
        TEST.ANL.GOV = .
        PNL.GOV = ES.NET
        NERSC.GOV = ES.NET
        ES.NET = .
    }
    TEST.ANL.GOV = {
        ANL.GOV = .
    }
    PNL.GOV = {
        ANL.GOV = ES.NET
    }
    NERSC.GOV = {
        ANL.GOV = ES.NET
    }
    ES.NET = {
        ANL.GOV = .
    }
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
The [capaths] section of the configuration file used on \fBNERSC.GOV\fP systems would look like this:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
[capaths]
    NERSC.GOV = {
        ANL.GOV = ES.NET
        TEST.ANL.GOV = ES.NET
        TEST.ANL.GOV = ANL.GOV
        PNL.GOV = ES.NET
        ES.NET = .
    }
    ANL.GOV = {
        NERSC.GOV = ES.NET
    }
    PNL.GOV = {
        NERSC.GOV = ES.NET
    }
    ES.NET = {
        NERSC.GOV = .
    }
    TEST.ANL.GOV = {
        NERSC.GOV = ANL.GOV
        NERSC.GOV = ES.NET
    }
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
When a subtag is used more than once within a tag, clients will use the order of values to determine the path. The order of values is not important to servers.
.SS [appdefaults]
.sp
Each tag in the [appdefaults] section names a Kerberos V5 application or an option that is used by some Kerberos V5 application[s].
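.sp
The client and server uses of [capaths] described above, as an added Python example that is not part of this man page or of MIT krb5: it computes the ordered intermediate realms from the NERSC.GOV section and checks a ticket\(aqs transited realms against it. Transited realms are assumed to be a plain list of realm names, and realms absent from [capaths] return None instead of falling back to hierarchical paths.

```python
# Added example, not MIT krb5's own code: the two uses of [capaths] described
# in krb5.conf(5).  A client derives the ordered list of intermediate realms
# to a server realm; a server checks the transited realms of a received
# ticket against the same section.  Transited realms are modelled as a plain
# list (the ticket's compressed transited encoding is not handled) and realms
# missing from [capaths] yield None rather than the hierarchical default.

# The NERSC.GOV [capaths] section from the man page, as
# client realm -> server realm -> the subtag values in file order.
NERSC_CAPATHS = {
    "NERSC.GOV": {
        "ANL.GOV": ["ES.NET"],
        "TEST.ANL.GOV": ["ES.NET", "ANL.GOV"],
        "PNL.GOV": ["ES.NET"],
        "ES.NET": ["."],
    },
    "ANL.GOV": {"NERSC.GOV": ["ES.NET"]},
    "PNL.GOV": {"NERSC.GOV": ["ES.NET"]},
    "ES.NET": {"NERSC.GOV": ["."]},
    "TEST.ANL.GOV": {"NERSC.GOV": ["ANL.GOV", "ES.NET"]},
}


def client_path(capaths, client_realm, server_realm):
    """Ordered intermediate realms a client crosses; '.' means a direct key."""
    if client_realm == server_realm:
        return []
    values = capaths.get(client_realm, {}).get(server_realm)
    if values is None:
        return None
    return [realm for realm in values if realm != "."]


def server_accepts(capaths, client_realm, server_realm, transited):
    """True if every transited realm is one the server's [capaths] allows.

    Order does not matter to the server; a '.' entry allows no intermediates
    at all, and an unknown client realm is rejected."""
    allowed = client_path(capaths, client_realm, server_realm)
    if allowed is None:
        return False
    return set(transited) <= set(allowed)


if __name__ == "__main__":
    print(client_path(NERSC_CAPATHS, "TEST.ANL.GOV", "NERSC.GOV"))
    print(server_accepts(NERSC_CAPATHS, "ANL.GOV", "NERSC.GOV", ["ES.NET"]))
    print(server_accepts(NERSC_CAPATHS, "ES.NET", "NERSC.GOV", ["ANL.GOV"]))
```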
The value of the tag defines the default behaviors for that application.
.sp
For example:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
[appdefaults]
    telnet = {
        ATHENA.MIT.EDU = {
            option1 = false
        }
    }
    telnet = {
        option1 = true
        option2 = true
    }
    ATHENA.MIT.EDU = {
        option2 = false
    }
    option2 = true
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
The above four ways of specifying the value of an option are shown in order of decreasing precedence. In this example, if telnet is running in the realm EXAMPLE.COM, it should, by default, have option1 and option2 set to true. However, a telnet program in the realm \fBATHENA.MIT.EDU\fP should have \fBoption1\fP set to false and \fBoption2\fP set to true. Any other programs in ATHENA.MIT.EDU should have \fBoption2\fP set to false by default. Any programs running in other realms should have \fBoption2\fP set to true.
.sp
The list of specifiable options for each application may be found in that application\(aqs man pages. The application defaults specified here are overridden by those specified in the \fI\%realms\fP section.
.SS [plugins]
.INDENT 0.0
.INDENT 3.5
.INDENT 0.0
.IP \(bu 2
\fI\%pwqual\fP interface
.IP \(bu 2
\fI\%kadm5_hook\fP interface
.IP \(bu 2
\fI\%clpreauth\fP and \fI\%kdcpreauth\fP interfaces
.UNINDENT
.UNINDENT
.UNINDENT
.sp
Tags in the [plugins] section can be used to register dynamic plugin modules and to turn modules on and off. Not every krb5 pluggable interface uses the [plugins] section; the ones that do are documented here.
.sp
New in release 1.9.
.sp
Each pluggable interface corresponds to a subsection of [plugins]. All subsections support the same tags:
.INDENT 0.0
.TP
\fBdisable\fP
This tag may have multiple values. If there are values for this tag, then the named modules will be disabled for the pluggable interface.
.TP
\fBenable_only\fP
This tag may have multiple values. If there are values for this tag, then only the named modules will be enabled for the pluggable interface.
.TP
\fBmodule\fP
This tag may have multiple values. Each value is a string of the form \fBmodulename:pathname\fP, which causes the shared object located at \fIpathname\fP to be registered as a dynamic module named \fImodulename\fP for the pluggable interface. If \fIpathname\fP is not an absolute path, it will be treated as relative to the \fBplugin_base_dir\fP value from \fI\%[libdefaults]\fP\&.
.UNINDENT
.sp
For pluggable interfaces where module order matters, modules registered with a \fBmodule\fP tag normally come first, in the order they are registered, followed by built\-in modules in the order they are documented below. If \fBenable_only\fP tags are used, then the order of those tags overrides the normal module order.
.sp
The following subsections are currently supported within the [plugins] section:
.SS ccselect interface
.sp
The ccselect subsection controls modules for credential cache selection within a cache collection. In addition to any registered dynamic modules, the following built\-in modules exist (and may be disabled with the disable tag):
.INDENT 0.0
.TP
\fBk5identity\fP
Uses a .k5identity file in the user\(aqs home directory to select a client principal
.TP
\fBrealm\fP
Uses the service realm to guess an appropriate cache from the collection
.TP
\fBhostname\fP
If the service principal is host\-based, uses the service hostname to guess an appropriate cache from the collection
.UNINDENT
.SS pwqual interface
.sp
The pwqual subsection controls modules for the password quality interface, which is used to reject weak passwords when passwords are changed.
The following built\-in modules exist for this interface:
.INDENT 0.0
.TP
\fBdict\fP
Checks against the realm dictionary file
.TP
\fBempty\fP
Rejects empty passwords
.TP
\fBhesiod\fP
Checks against user information stored in Hesiod (only if Kerberos was built with Hesiod support)
.TP
\fBprinc\fP
Checks against components of the principal name
.UNINDENT
.SS kadm5_hook interface
.sp
The kadm5_hook interface provides plugins with information on principal creation, modification, password changes and deletion. This interface can be used to write a plugin to synchronize MIT Kerberos with another database such as Active Directory. No plugins are built in for this interface.
.SS kadm5_auth interface
.sp
The kadm5_auth section (introduced in release 1.16) controls modules for the kadmin authorization interface, which determines whether a client principal is allowed to perform a kadmin operation. The following built\-in modules exist for this interface:
.INDENT 0.0
.TP
\fBacl\fP
This module reads the kadm5.acl(5) file, and authorizes operations which are allowed according to the rules in the file.
.TP
\fBself\fP
This module authorizes self\-service operations including password changes, creation of new random keys, fetching the client\(aqs principal record or string attributes, and fetching the policy record associated with the client principal.
.UNINDENT
.SS clpreauth and kdcpreauth interfaces
.sp
The clpreauth and kdcpreauth interfaces allow plugin modules to provide client and KDC preauthentication mechanisms. The following built\-in modules exist for these interfaces:
.INDENT 0.0
.TP
\fBpkinit\fP
This module implements the PKINIT preauthentication mechanism.
.TP
\fBencrypted_challenge\fP
This module implements the encrypted challenge FAST factor.
.TP
\fBencrypted_timestamp\fP
This module implements the encrypted timestamp mechanism.
.UNINDENT
.SS hostrealm interface
.sp
The hostrealm section (introduced in release 1.12) controls modules for the host\-to\-realm interface, which affects the local mapping of hostnames to realm names and the choice of default realm. The following built\-in modules exist for this interface:
.INDENT 0.0
.TP
\fBprofile\fP
This module consults the [domain_realm] section of the profile for authoritative host\-to\-realm mappings, and the \fBdefault_realm\fP variable for the default realm.
.TP
\fBdns\fP
This module looks for DNS records for fallback host\-to\-realm mappings and the default realm. It only operates if the \fBdns_lookup_realm\fP variable is set to true.
.TP
\fBdomain\fP
This module applies heuristics for fallback host\-to\-realm mappings. It implements the \fBrealm_try_domains\fP variable, and uses the uppercased parent domain of the hostname if that does not produce a result.
.UNINDENT
.SS localauth interface
.sp
The localauth section (introduced in release 1.12) controls modules for the local authorization interface, which affects the relationship between Kerberos principals and local system accounts. The following built\-in modules exist for this interface:
.INDENT 0.0
.TP
\fBdefault\fP
This module implements the \fBDEFAULT\fP type for \fBauth_to_local\fP values.
.TP
\fBrule\fP
This module implements the \fBRULE\fP type for \fBauth_to_local\fP values.
.TP
\fBnames\fP
This module looks for an \fBauth_to_local_names\fP mapping for the principal name.
.TP
\fBauth_to_local\fP
This module processes \fBauth_to_local\fP values in the default realm\(aqs section, and applies the default method if no \fBauth_to_local\fP values exist.
.TP
\fBk5login\fP
This module authorizes a principal to a local account according to the account\(aqs \&.k5login(5) file.
.TP
\fBan2ln\fP
This module authorizes a principal to a local account if the principal name maps to the local account name.
.UNINDENT
.SS certauth interface
.sp
The certauth section (introduced in release 1.16) controls modules for the certificate authorization interface, which determines whether a certificate is allowed to preauthenticate a user via PKINIT.  The following built\-in modules exist for this interface:
.INDENT 0.0
.TP
\fBpkinit_san\fP
This module authorizes the certificate if it contains a PKINIT Subject Alternative Name for the requested client principal, or a Microsoft UPN SAN matching the principal if \fBpkinit_allow_upn\fP is set to true for the realm.
.TP
\fBpkinit_eku\fP
This module rejects the certificate if it does not contain an Extended Key Usage attribute consistent with the \fBpkinit_eku_checking\fP value for the realm.
.TP
\fBdbmatch\fP
This module authorizes or rejects the certificate according to whether it matches the \fBpkinit_cert_match\fP string attribute on the client principal, if that attribute is present.
.UNINDENT
.SH PKINIT OPTIONS
.sp
\fBNOTE:\fP
.INDENT 0.0
.INDENT 3.5
The following are PKINIT\-specific options.  These values may be specified in [libdefaults] as global defaults, or within a realm\-specific subsection of [libdefaults], or may be specified as realm\-specific values in the [realms] section.  A realm\-specific value overrides, not adds to, a generic [libdefaults] specification.  The search order is:
.UNINDENT
.UNINDENT
.INDENT 0.0
.IP 1. 3
realm\-specific subsection of [libdefaults]:
.INDENT 3.0
.INDENT 3.5
.sp
.nf
.ft C
[libdefaults]
    EXAMPLE.COM = {
        pkinit_anchors = FILE:/usr/local/example.com.crt
    }
.ft P
.fi
.UNINDENT
.UNINDENT
.IP 2. 3
realm\-specific value in the [realms] section:
.INDENT 3.0
.INDENT 3.5
.sp
.nf
.ft C
[realms]
    OTHERREALM.ORG = {
        pkinit_anchors = FILE:/usr/local/otherrealm.org.crt
    }
.ft P
.fi
.UNINDENT
.UNINDENT
.IP 3. 3
generic value in the [libdefaults] section:
.INDENT 3.0
.INDENT 3.5
.sp
.nf
.ft C
[libdefaults]
    pkinit_anchors = DIR:/usr/local/generic_trusted_cas/
.ft P
.fi
.UNINDENT
.UNINDENT
.UNINDENT
.SS Specifying PKINIT identity information
.sp
The syntax for specifying Public Key identity, trust, and revocation information for PKINIT is as follows:
.INDENT 0.0
.TP
\fBFILE:\fP\fIfilename\fP[\fB,\fP\fIkeyfilename\fP]
This option has context\-specific behavior.
.sp
In \fBpkinit_identity\fP or \fBpkinit_identities\fP, \fIfilename\fP specifies the name of a PEM\-format file containing the user\(aqs certificate.  If \fIkeyfilename\fP is not specified, the user\(aqs private key is expected to be in \fIfilename\fP as well.  Otherwise, \fIkeyfilename\fP is the name of the file containing the private key.
.sp
In \fBpkinit_anchors\fP or \fBpkinit_pool\fP, \fIfilename\fP is assumed to be the name of an OpenSSL\-style ca\-bundle file.
.TP
\fBDIR:\fP\fIdirname\fP
This option has context\-specific behavior.
.sp
In \fBpkinit_identity\fP or \fBpkinit_identities\fP, \fIdirname\fP specifies a directory with files named \fB*.crt\fP and \fB*.key\fP where the first part of the file name is the same for matching pairs of certificate and private key files.  When a file with a name ending with \fB\&.crt\fP is found, a matching file ending with \fB\&.key\fP is assumed to contain the private key.  If no such file is found, then the certificate in the \fB\&.crt\fP is not used.
.sp
In \fBpkinit_anchors\fP or \fBpkinit_pool\fP, \fIdirname\fP is assumed to be an OpenSSL\-style hashed CA directory where each CA cert is stored in a file named \fBhash\-of\-ca\-cert.#\fP\&.  This infrastructure is encouraged, but all files in the directory will be examined and if they contain certificates (in PEM format), they will be used.
.sp
In \fBpkinit_revoke\fP, \fIdirname\fP is assumed to be an OpenSSL\-style hashed CA directory where each revocation list is stored in a file named \fBhash\-of\-ca\-cert.r#\fP\&.
This infrastructure is encouraged, but all files in the directory will be examined and if they contain a revocation list (in PEM format), they will be used.
.TP
\fBPKCS12:\fP\fIfilename\fP
\fIfilename\fP is the name of a PKCS #12 format file, containing the user\(aqs certificate and private key.
.TP
\fBPKCS11:\fP[\fBmodule_name=\fP]\fImodname\fP[\fB:slotid=\fP\fIslot\-id\fP][\fB:token=\fP\fItoken\-label\fP][\fB:certid=\fP\fIcert\-id\fP][\fB:certlabel=\fP\fIcert\-label\fP]
All keyword/values are optional.  \fImodname\fP specifies the location of a library implementing PKCS #11.  If a value is encountered with no keyword, it is assumed to be the \fImodname\fP\&.  If no module\-name is specified, the default is \fBopensc\-pkcs11.so\fP\&.  \fBslotid=\fP and/or \fBtoken=\fP may be specified to force the use of a particular smart card reader or token if there is more than one available.  \fBcertid=\fP and/or \fBcertlabel=\fP may be specified to force the selection of a particular certificate on the device.  See the \fBpkinit_cert_match\fP configuration option for more ways to select a particular certificate to use for PKINIT.
.TP
\fBENV:\fP\fIenvvar\fP
\fIenvvar\fP specifies the name of an environment variable which has been set to a value conforming to one of the previous values.  For example, \fBENV:X509_PROXY\fP, where environment variable \fBX509_PROXY\fP has been set to \fBFILE:/tmp/my_proxy.pem\fP\&.
.UNINDENT
.SS PKINIT krb5.conf options
.INDENT 0.0
.TP
\fBpkinit_anchors\fP
Specifies the location of trusted anchor (root) certificates which the client trusts to sign KDC certificates.  This option may be specified multiple times.  These values from the config file are not used if the user specifies X509_anchors on the command line.
.TP
\fBpkinit_cert_match\fP
Specifies matching rules that the client certificate must match before it is used to attempt PKINIT authentication.
If a user has multiple certificates available (on a smart card, or via other media), there must be exactly one certificate chosen before attempting PKINIT authentication.  This option may be specified multiple times.  All the available certificates are checked against each rule in order until there is a match of exactly one certificate.
.sp
The Subject and Issuer comparison strings are the \fI\%RFC 2253\fP string representations from the certificate Subject DN and Issuer DN values.
.sp
The syntax of the matching rules is:
.INDENT 7.0
.INDENT 3.5
[\fIrelation\-operator\fP]\fIcomponent\-rule\fP ...
.UNINDENT
.UNINDENT
.sp
where:
.INDENT 7.0
.TP
.B \fIrelation\-operator\fP
can be either \fB&&\fP, meaning all component rules must match, or \fB||\fP, meaning only one component rule must match.  The default is \fB&&\fP\&.
.TP
.B \fIcomponent\-rule\fP
can be one of the following.  Note that there is no punctuation or whitespace between component rules.
.INDENT 7.0
.INDENT 3.5
.nf
\fB<SUBJECT>\fP\fIregular\-expression\fP
\fB<ISSUER>\fP\fIregular\-expression\fP
\fB<SAN>\fP\fIregular\-expression\fP
\fB<EKU>\fP\fIextended\-key\-usage\-list\fP
\fB<KU>\fP\fIkey\-usage\-list\fP
.fi
.sp
.UNINDENT
.UNINDENT
.sp
\fIextended\-key\-usage\-list\fP is a comma\-separated list of required Extended Key Usage values.  All values in the list must be present in the certificate.  Extended Key Usage values can be:
.INDENT 7.0
.IP \(bu 2
pkinit
.IP \(bu 2
msScLogin
.IP \(bu 2
clientAuth
.IP \(bu 2
emailProtection
.UNINDENT
.sp
\fIkey\-usage\-list\fP is a comma\-separated list of required Key Usage values.  All values in the list must be present in the certificate.
Key Usage values can be:
.INDENT 7.0
.IP \(bu 2
digitalSignature
.IP \(bu 2
keyEncipherment
.UNINDENT
.UNINDENT
.sp
Examples:
.INDENT 7.0
.INDENT 3.5
.sp
.nf
.ft C
pkinit_cert_match = ||<SUBJECT>.*DoE.*<SAN>.*@EXAMPLE.COM
pkinit_cert_match = &&<EKU>msScLogin,clientAuth<ISSUER>.*DoE.*
pkinit_cert_match = <EKU>msScLogin,clientAuth<KU>digitalSignature
.ft P
.fi
.UNINDENT
.UNINDENT
.TP
\fBpkinit_eku_checking\fP
This option specifies what Extended Key Usage value the KDC certificate presented to the client must contain.  (Note that if the KDC certificate has the pkinit SubjectAlternativeName encoded as the Kerberos TGS name, EKU checking is not necessary since the issuing CA has certified this as a KDC certificate.)  The values recognized in the krb5.conf file are:
.INDENT 7.0
.TP
\fBkpKDC\fP
This is the default value and specifies that the KDC must have the id\-pkinit\-KPKdc EKU as defined in \fI\%RFC 4556\fP\&.
.TP
\fBkpServerAuth\fP
If \fBkpServerAuth\fP is specified, a KDC certificate with the id\-kp\-serverAuth EKU will be accepted.  This key usage value is used in most commercially issued server certificates.
.TP
\fBnone\fP
If \fBnone\fP is specified, then the KDC certificate will not be checked to verify it has an acceptable EKU.  The use of this option is not recommended.
.UNINDENT
.TP
\fBpkinit_dh_min_bits\fP
Specifies the size of the Diffie\-Hellman key the client will attempt to use.  The acceptable values are 1024, 2048, and 4096.  The default is 2048.
.TP
\fBpkinit_identities\fP
Specifies the location(s) to be used to find the user\(aqs X.509 identity information.  If this option is specified multiple times, the first valid value is used; this can be used to specify an environment variable (with \fBENV:\fP\fIenvvar\fP) followed by a default value.  Note that these values are not used if the user specifies \fBX509_user_identity\fP on the command line.
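.sp
The \fBpkinit_cert_match\fP selection procedure described above (rules tried in order, each component rule joined by \fB&&\fP or \fB||\fP, and a rule only "winning" when it matches exactly one certificate), as an added Python example.  This is not code from MIT krb5 or from this manual: certificates are stand\-in records constructed for the example rather than real X.509 objects, the regular expressions use Python's default flags (whether krb5 matches case\-insensitively is not stated on this page, so that is an assumption), and the behaviour when no rule selects exactly one certificate (here: return nothing) is likewise an assumption.

```python
import re
from dataclasses import dataclass


# Constructed stand-in for the certificate fields pkinit_cert_match inspects.
# A real implementation would read these from the X.509 certificate; the
# Subject/Issuer strings are in RFC 2253 form, as the man page requires.
@dataclass(frozen=True)
class Cert:
    name: str        # label used only by this example
    subject: str     # RFC 2253 Subject DN
    issuer: str      # RFC 2253 Issuer DN
    sans: tuple      # Subject Alternative Name values, as strings
    eku: frozenset   # Extended Key Usage names present in the certificate
    ku: frozenset    # Key Usage names present in the certificate


# The value names the man page allows inside <EKU> and <KU> lists.
EKU_NAMES = {"pkinit", "msScLogin", "clientAuth", "emailProtection"}
KU_NAMES = {"digitalSignature", "keyEncipherment"}

COMPONENT_TAG = re.compile(r"<(SUBJECT|ISSUER|SAN|EKU|KU)>")


def parse_rule(rule):
    """Split one pkinit_cert_match value into (operator, [(tag, value), ...]).

    Regex components are compiled with Python's default flags (assumption:
    the page does not say whether krb5 matches case-insensitively).
    """
    op = "&&"                          # the page says && is the default
    if rule[:2] in ("&&", "||"):
        op, rule = rule[:2], rule[2:]
    parts = COMPONENT_TAG.split(rule)
    # e.g. ['', 'SUBJECT', '.*DoE.*', 'SAN', '.*@EXAMPLE.COM']
    if parts[0] != "" or len(parts) < 3:
        raise ValueError("rule must start with a <COMPONENT> tag: %r" % rule)
    components = []
    for tag, value in zip(parts[1::2], parts[2::2]):
        if tag in ("EKU", "KU"):
            allowed = EKU_NAMES if tag == "EKU" else KU_NAMES
            names = set(value.split(","))
            if not names <= allowed:
                raise ValueError("unknown %s value in %r" % (tag, value))
            components.append((tag, frozenset(names)))
        else:
            components.append((tag, re.compile(value)))
    return op, components


def component_matches(cert, tag, value):
    """Evaluate one <TAG>value component against a single certificate."""
    if tag == "SUBJECT":
        return value.search(cert.subject) is not None
    if tag == "ISSUER":
        return value.search(cert.issuer) is not None
    if tag == "SAN":
        return any(value.search(san) for san in cert.sans)
    # <EKU> / <KU>: every listed value must be present in the certificate.
    present = cert.eku if tag == "EKU" else cert.ku
    return value <= present


def rule_matches(cert, op, components):
    results = [component_matches(cert, tag, value) for tag, value in components]
    return all(results) if op == "&&" else any(results)


def select_cert(certs, rules):
    """Return the single certificate chosen by the rules, or None.

    Rules are tried in order; the first rule matching exactly one certificate
    wins.  A rule that matches zero or several certificates is skipped.
    """
    for rule in rules:
        op, components = parse_rule(rule)
        hits = [c for c in certs if rule_matches(c, op, components)]
        if len(hits) == 1:
            return hits[0]
    return None                        # assumption: nothing selected


# Constructed sample certificates (no real identities or keys).
CERTS = (
    Cert("smartcard", "CN=Jane Smith,OU=Staff,O=Example",
         "CN=Example Issuing CA,O=Example", ("jane@EXAMPLE.COM",),
         frozenset({"clientAuth", "msScLogin"}), frozenset({"digitalSignature"})),
    Cert("email", "CN=Jane Smith,OU=Staff,O=Example",
         "CN=Example Issuing CA,O=Example", ("jane.smith@example.org",),
         frozenset({"clientAuth", "emailProtection"}),
         frozenset({"digitalSignature", "keyEncipherment"})),
    Cert("department", "CN=DoE Test Account,O=Example", "CN=DoE CA,O=Example",
         (), frozenset({"clientAuth", "msScLogin"}),
         frozenset({"digitalSignature", "keyEncipherment"})),
)

# The three example rules from the man page, in the order krb5 would try them.
RULES = (
    "||<SUBJECT>.*DoE.*<SAN>.*@EXAMPLE.COM",
    "&&<EKU>msScLogin,clientAuth<ISSUER>.*DoE.*",
    "<EKU>msScLogin,clientAuth<KU>digitalSignature",
)


def chosen_name(certs=CERTS, rules=RULES):
    chosen = select_cert(certs, rules)
    return chosen.name if chosen else None


if __name__ == "__main__":
    for rule in RULES:
        op, comps = parse_rule(rule)
        print("%-52s -> %s" % (rule, [c.name for c in CERTS if rule_matches(c, op, comps)]))
    print("selected:", chosen_name())
```

With the sample certificates the first rule matches two certificates (one through the \fB<SAN>\fP alternative, one through \fB<SUBJECT>\fP) and is therefore skipped; the second rule matches only the "department" certificate, so that one is selected.  Run with only the third rule, two certificates satisfy both the EKU and KU lists and no certificate is chosen, which is exactly the situation the "exactly one certificate" requirement is meant to surface.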
.TP
\fBpkinit_kdc_hostname\fP
The presence of this option indicates that the client is willing to accept a KDC certificate with a dNSName SAN (Subject Alternative Name) rather than requiring the id\-pkinit\-san as defined in \fI\%RFC 4556\fP\&.  This option may be specified multiple times.  Its value should contain the acceptable hostname for the KDC (as contained in its certificate).
.TP
\fBpkinit_pool\fP
Specifies the location of intermediate certificates which may be used by the client to complete the trust chain between a KDC certificate and a trusted anchor.  This option may be specified multiple times.
.TP
\fBpkinit_require_crl_checking\fP
The default certificate verification process will always check the available revocation information to see if a certificate has been revoked.  If a match is found for the certificate in a CRL, verification fails.  If the certificate being verified is not listed in a CRL, or there is no CRL present for its issuing CA, and \fBpkinit_require_crl_checking\fP is false, then verification succeeds.
.sp
However, if \fBpkinit_require_crl_checking\fP is true and there is no CRL information available for the issuing CA, then verification fails.
.sp
\fBpkinit_require_crl_checking\fP should be set to true if the policy is such that up\-to\-date CRLs must be present for every CA.
.TP
\fBpkinit_revoke\fP
Specifies the location of Certificate Revocation List (CRL) information to be used by the client when verifying the validity of the KDC certificate presented.  This option may be specified multiple times.
.UNINDENT
.SH PARAMETER EXPANSION
.sp
Starting with release 1.11, several variables, such as \fBdefault_keytab_name\fP, allow parameters to be expanded.  Valid parameters are:
.INDENT 0.0
.INDENT 3.5
.TS
center;
|l|l|.
_
T{
%{TEMP}
T}	T{
Temporary directory
T}
_
T{
%{uid}
T}	T{
Unix real UID or Windows SID
T}
_
T{
%{euid}
T}	T{
Unix effective user ID or Windows SID
T}
_
T{
%{USERID}
T}	T{
Same as %{uid}
T}
_
T{
%{null}
T}	T{
Empty string
T}
_
T{
%{LIBDIR}
T}	T{
Installation library directory
T}
_
T{
%{BINDIR}
T}	T{
Installation binary directory
T}
_
T{
%{SBINDIR}
T}	T{
Installation admin binary directory
T}
_
T{
%{username}
T}	T{
(Unix) Username of effective user ID
T}
_
T{
%{APPDATA}
T}	T{
(Windows) Roaming application data for current user
T}
_
T{
%{COMMON_APPDATA}
T}	T{
(Windows) Application data for all users
T}
_
T{
%{LOCAL_APPDATA}
T}	T{
(Windows) Local application data for current user
T}
_
T{
%{SYSTEM}
T}	T{
(Windows) Windows system folder
T}
_
T{
%{WINDOWS}
T}	T{
(Windows) Windows folder
T}
_
T{
%{USERCONFIG}
T}	T{
(Windows) Per\-user MIT krb5 config file directory
T}
_
T{
%{COMMONCONFIG}
T}	T{
(Windows) Common MIT krb5 config file directory
T}
_
.TE
.UNINDENT
.UNINDENT
.SH SAMPLE KRB5.CONF FILE
.sp
Here is an example of a generic krb5.conf file:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
[libdefaults]
    default_realm = ATHENA.MIT.EDU
    dns_lookup_kdc = true
    dns_lookup_realm = false

[realms]
    ATHENA.MIT.EDU = {
        kdc = kerberos.mit.edu
        kdc = kerberos\-1.mit.edu
        kdc = kerberos\-2.mit.edu
        admin_server = kerberos.mit.edu
        master_kdc = kerberos.mit.edu
    }
    EXAMPLE.COM = {
        kdc = kerberos.example.com
        kdc = kerberos\-1.example.com
        admin_server = kerberos.example.com
    }

[domain_realm]
    mit.edu = ATHENA.MIT.EDU

[capaths]
    ATHENA.MIT.EDU = {
        EXAMPLE.COM = .
    }
    EXAMPLE.COM = {
        ATHENA.MIT.EDU = .
    }
.ft P
.fi
.UNINDENT
.UNINDENT
.SH FILES
.sp
\fB/etc/krb5.conf\fP
.SH SEE ALSO
.sp
syslog(3)
.SH AUTHOR
MIT
.SH COPYRIGHT
1985-2019, MIT
.\" Generated by docutils manpage writer.
.
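.sp
The three\-level search order for PKINIT options given under PKINIT OPTIONS above (realm\-specific subsection of [libdefaults], then the realm's entry in [realms], then the generic [libdefaults] value, with a realm\-specific value replacing rather than extending the generic one), as an added Python example.  It is not krb5's profile library and not code from this manual: it includes a small parser for the brace syntax shown in the sample file above, and the configuration it parses is constructed for the example (the realm names and certificate paths are illustrative).  The parser ignores krb5 features the page does not describe, such as the trailing \fB*\fP "final" marker.

```python
import re

SECTION_HEADER = re.compile(r"^\[([A-Za-z_]+)\]$")


def parse_krb5_conf(text):
    """Parse the krb5.conf brace syntax into {section: {key: value}}.

    A value is a string, a list of strings when the key is repeated (as
    pkinit_anchors may be), or a dict for a 'key = { ... }' subsection.
    Lines starting with '#' or ';' are comments.  Teaching parser only:
    it is not the krb5 profile library and skips the trailing '*' marker.
    """
    sections = {}
    section = None          # dict for the current [section]
    stack = []              # dicts for the '{' subsections currently open
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = SECTION_HEADER.match(line)
        if header and not stack:
            section = sections.setdefault(header.group(1), {})
            continue
        if section is None:
            raise ValueError("line %d: value before any [section]" % lineno)
        if line == "}":
            if not stack:
                raise ValueError("line %d: unbalanced '}'" % lineno)
            stack.pop()
            continue
        key, sep, value = (part.strip() for part in line.partition("="))
        if not sep or not key:
            raise ValueError("line %d: expected 'key = value'" % lineno)
        target = stack[-1] if stack else section
        if value == "{":
            sub = {}
            _store(target, key, sub)
            stack.append(sub)
        else:
            _store(target, key, value)
    if stack:
        raise ValueError("unclosed '{' at end of file")
    return sections


def _store(table, key, value):
    """Keep every value of a repeated key, in file order."""
    if key not in table:
        table[key] = value
    elif isinstance(table[key], list):
        table[key].append(value)
    else:
        table[key] = [table[key], value]


def pkinit_option(conf, realm, name):
    """Resolve a PKINIT option for `realm` in the man page's search order:

    1. realm-specific subsection of [libdefaults]
    2. realm-specific value in [realms]
    3. generic value in [libdefaults]

    The first scope that defines the option wins outright, so a realm-specific
    value overrides (does not add to) the generic one.  A list is returned
    because options such as pkinit_anchors may be given multiple times.
    """
    libdefaults = conf.get("libdefaults", {})
    realms = conf.get("realms", {})
    for scope in (libdefaults.get(realm), realms.get(realm), libdefaults):
        if isinstance(scope, dict) and name in scope:
            value = scope[name]
            return list(value) if isinstance(value, list) else [value]
    return []


# Constructed sample configuration; realm names and paths are illustrative.
SAMPLE_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM
    pkinit_anchors = DIR:/usr/local/generic_trusted_cas/
    pkinit_eku_checking = kpKDC
    EXAMPLE.COM = {
        pkinit_anchors = FILE:/usr/local/example.com.crt
    }

[realms]
    EXAMPLE.COM = {
        kdc = kerberos.example.com
        # never consulted for pkinit_anchors: the [libdefaults] subsection wins
        pkinit_anchors = FILE:/etc/krb5/example.com-realms.crt
    }
    OTHERREALM.ORG = {
        kdc = kerberos.otherrealm.org
        pkinit_anchors = FILE:/usr/local/otherrealm.org.crt
        pkinit_anchors = FILE:/usr/local/otherrealm.org-2.crt
    }
"""


def resolve_sample(realm, name):
    return pkinit_option(parse_krb5_conf(SAMPLE_CONF), realm, name)


if __name__ == "__main__":
    for realm in ("EXAMPLE.COM", "OTHERREALM.ORG", "THIRD.NET"):
        print(realm, resolve_sample(realm, "pkinit_anchors"),
              resolve_sample(realm, "pkinit_eku_checking"))
```

For EXAMPLE.COM the anchor from the [libdefaults] subsection is returned and the one in [realms] is ignored; OTHERREALM.ORG gets both of its [realms] anchors; a realm with no realm\-specific setting, such as THIRD.NET here, falls through to the generic DIR: value.  Note that an option resolved at a realm\-specific level does not inherit anything from the generic level, which is why the generic \fBpkinit_anchors\fP directory is absent from the EXAMPLE.COM result while the generic \fBpkinit_eku_checking\fP still applies to every realm.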