ec620a7765
* implement mdx remote * fix an unfenced code block * fix partials path Co-authored-by: Jim Kalafut <jkalafut@hashicorp.com>
37 lines
1.9 KiB
Plaintext
37 lines
1.9 KiB
Plaintext
---
|
|
layout: 'docs'
|
|
page_title: 'Vault Agent Auto-Auth Kerberos Method'
|
|
sidebar_title: 'Kerberos'
|
|
sidebar_current: 'docs-agent-autoauth-methods-kerberos'
|
|
description: |-
|
|
Kerberos Method for Vault Agent Auto-Auth
|
|
---
|
|
|
|
# Vault Agent Auto-Auth Kerberos Method
|
|
|
|
The `kerberos` agent provides an automated mechanism to retrieve
|
|
a Vault token for Kerberos entities. It reads in configuration and
|
|
identification information from the surrounding environment, and uses
|
|
it to authenticate to Vault.
|
|
|
|
For more on this auth method, see the [Kerberos auth method](/docs/auth/kerberos).
|
|
|
|
## Configuration
|
|
|
|
- `krb5conf_path` `(string: required)` is the path to a valid `krb5.conf` file describing how to
|
|
communicate with the Kerberos environment.
|
|
- `keytab_path` `(string: required)` is the path to the `keytab` in which the entry lives for the
|
|
entity authenticating to Vault. Keytab files should be protected from other
|
|
users on a shared server using appropriate file permissions.
|
|
- `username` `(string: required)` is the username for the entry _within_ the `keytab` to use for
|
|
logging into Kerberos. This username must match a service account in LDAP.
|
|
- `service` `(string: required)` is the service principal name to use in obtaining a service ticket for
|
|
gaining a SPNEGO token. This service must exist in LDAP.
|
|
- `realm` `(string: required)` is the name of the Kerberos realm. This realm must match the UPNDomain
|
|
configured on the LDAP connection. This check is case-sensitive.
|
|
- `disable_fast_negotiation` `(bool: optional)` is for disabling the Kerberos auth method's default
|
|
of using FAST negotiation. FAST is a pre-authentication framework for Kerberos.
|
|
It includes a mechanism for tunneling pre-authentication exchanges using armoured
|
|
KDC messages. FAST provides increased resistance to passive password guessing attacks.
|
|
Some common Kerberos implementations do not support FAST negotiation. The default is false.
|