mirror of
https://github.com/hashicorp/vault.git
synced 2025-08-24 08:01:07 +02:00
0660ea6fac
* Update README Let contributors know that docs will now be located in UDR * Add comments to each mdx doc Comment has been added to all mdx docs that are not partials * chore: added changelog changelog check failure * wip: removed changelog * Fix content errors * Doc spacing * Update website/content/docs/deploy/kubernetes/vso/helm.mdx Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com> --------- Co-authored-by: jonathanfrappier <92055993+jonathanfrappier@users.noreply.github.com> Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com>
38 lines
2.3 KiB
Plaintext
38 lines
2.3 KiB
Plaintext
---
|
|
layout: docs
|
|
page_title: Auto-auth with Kerberos
|
|
description: >-
|
|
Use Kerberos for auto-authentication with Vault Agent or Vault Proxy.
|
|
---
|
|
|
|
> [!IMPORTANT]
|
|
> **Documentation Update:** Product documentation, which were located in this repository under `/website`, are now located in [`hashicorp/web-unified-docs`](https://github.com/hashicorp/web-unified-docs), colocated with all other product documentation. Contributions to this content should be done in the `web-unified-docs` repo, and not this one. Changes made to `/website` content in this repo will not be reflected on the developer.hashicorp.com website.
|
|
|
|
# Auto-auth method: Kerberos
|
|
|
|
The `kerberos` auto-auth method provides an automated mechanism to retrieve
|
|
a Vault token for Kerberos entities. It reads in configuration and
|
|
identification information from the surrounding environment, and uses
|
|
it to authenticate to Vault.
|
|
|
|
For more on this auth method, see the [Kerberos auth method](/vault/docs/auth/kerberos).
|
|
|
|
## Configuration
|
|
|
|
- `krb5conf_path` `(string: required)` is the path to a valid `krb5.conf` file describing how to
|
|
communicate with the Kerberos environment.
|
|
- `keytab_path` `(string: required)` is the path to the `keytab` in which the entry lives for the
|
|
entity authenticating to Vault. Keytab files should be protected from other
|
|
users on a shared server using appropriate file permissions.
|
|
- `username` `(string: required)` is the username for the entry _within_ the `keytab` to use for
|
|
logging into Kerberos. This username must match a service account in LDAP.
|
|
- `service` `(string: required)` is the service principal name to use in obtaining a service ticket for
|
|
gaining a SPNEGO token. This service must exist in LDAP.
|
|
- `realm` `(string: required)` is the name of the Kerberos realm. This realm must match the UPNDomain
|
|
configured on the LDAP connection. This check is case-sensitive.
|
|
- `disable_fast_negotiation` `(bool: optional)` is for disabling the Kerberos auth method's default
|
|
of using FAST negotiation. FAST is a pre-authentication framework for Kerberos.
|
|
It includes a mechanism for tunneling pre-authentication exchanges using armoured
|
|
KDC messages. FAST provides increased resistance to passive password guessing attacks.
|
|
Some common Kerberos implementations do not support FAST negotiation. The default is false.
|