1.\" $Id: kdc.8,v 1.17 2002/08/28 21:09:05 joda Exp $
2.\"
3.Dd August 22, 2002
4.Dt KDC 8
5.Os HEIMDAL
6.Sh NAME
7.Nm kdc
8.Nd Kerberos 5 server
9.Sh SYNOPSIS
10.Nm
11.Oo Fl c Ar file \*(Ba Xo
12.Fl -config-file= Ns Ar file
13.Xc
14.Oc
15.Op Fl p | Fl -no-require-preauth
16.Op Fl -max-request= Ns Ar size
17.Op Fl H | Fl -enable-http
18.Oo Fl r Ar string \*(Ba Xo
19.Fl -v4-realm= Ns Ar string
20.Xc
21.Oc
22.Op Fl K | Fl -no-kaserver
23.Op Fl r Ar realm
24.Op Fl -v4-realm= Ns Ar realm
25.Oo Fl P Ar string \*(Ba Xo
26.Fl -ports= Ns Ar string
27.Xc
28.Oc
29.Op Fl -addresses= Ns Ar list of addresses
30.Sh DESCRIPTION
31.Nm
32serves requests for tickets. When it starts, it first checks the flags
33passed, any options that are not specified with a command line flag is
34taken from a config file, or from a default compiled-in value.
35.Pp
36Options supported:
37.Bl -tag -width Ds
38.It Xo
39.Fl c Ar file ,
40.Fl -config-file= Ns Ar file
41.Xc
42Specifies the location of the config file, the default is
43.Pa /var/heimdal/kdc.conf .
44This is the only value that can't be specified in the config file.
45.It Xo
46.Fl p ,
47.Fl -no-require-preauth
48.Xc
49Turn off the requirement for pre-autentication in the initial AS-REQ
50for all principals. The use of pre-authentication makes it more
51difficult to do offline password attacks. You might want to turn it
52off if you have clients that doesn't do pre-authentication. Since the
53version 4 protocol doesn't support any pre-authentication, so serving
54version 4 clients is just about the same as not requiring
55pre-athentication. The default is to require
56pre-authentication. Adding the require-preauth per principal is a more
57flexible way of handling this.
58.It Xo
59.Fl -max-request= Ns Ar size
60.Xc
61Gives an upper limit on the size of the requests that the kdc is
62willing to handle.
63.It Xo
64.Fl H ,
65.Fl -enable-http
66.Xc
67Makes the kdc listen on port 80 and handle requests encapsulated in HTTP.
68.It Xo
69.Fl K ,
70.Fl -no-kaserver
71.Xc
72Disables kaserver emulation (in case it's compiled in).
73.It Xo
74.Fl r Ar realm ,
75.Fl -v4-realm= Ns Ar realm
76.Xc
77What realm this server should act as when dealing with version 4
78requests. The database can contain any number of realms, but since the
79version 4 protocol doesn't contain a realm for the server, it must be
80explicitly specified. The default is whatever is returned by
81.Fn krb_get_lrealm .
82This option is only availabe if the KDC has been compiled with version
834 support.
84.It Xo
85.Fl P Ar string ,
86.Fl -ports= Ns Ar string
87.Xc
88Specifies the set of ports the KDC should listen on. It is given as a
89white-space separated list of services or port numbers.
90.It Fl -addresses= Ns Ar list of addresses
91The list of addresses to listen for requests on. By default, the kdc
92will listen on all the locally configured addresses. If only a subset
93is desired, or the automatic detection fails, this option might be used.
94.El
95.Pp
96All activities , are logged to one or more destinations, see
97.Xr krb5.conf 5 ,
98and
99.Xr krb5_openlog 3 .
100The entity used for logging is
101.Nm kdc .
102.Sh CONFIGURATION FILE
103The configuration file has the same syntax as
104.Xr krb5.conf 5 ,
105but will be read before
106.Pa /etc/krb5.conf ,
107so it may override settings found there. Options specific to the KDC
108only are found in the
109.Dq [kdc]
110section.
111All the command-line options can preferably be added in the
112configuration file. The only difference is the pre-authentication flag,
113that has to be specified as:
114.Pp
115.Dl require-preauth = no
116.Pp
117(in fact you can specify the option as
118.Fl -require-preauth=no ) .
119.Pp
120And there are some configuration options which do not have
121command-line equivalents:
122.Bl -tag -width "xxx" -offset indent
123.It Li check-ticket-addresses = Va boolean
124Check the addresses in the ticket when processing TGS requests. The
125default is FALSE.
126.It Li allow-null-ticket-addresses = Va boolean
127Permit tickets with no addresses. This option is only relevant when
128check-ticket-addresses is TRUE.
129.It Li allow-anonymous = Va boolean
130Permit anonymous tickets with no addresses.
131.It encode_as_rep_as_tgs_rep = Va boolean
132Encode AS-Rep as TGS-Rep to be bug-compatible with old DCE code. The
133Heimdal clients allow both.
134.It kdc_warn_pwexpire = Va time
135How long before password/principal expiration the KDC should start
136sending out warning messages.
137.El
138.Pp
139An example of a config file:
140.Bd -literal -offset indent
141[kdc]
142 require-preauth = no
143 v4-realm = FOO.SE
144 key-file = /key-file
145.Ed
146.Sh BUGS
147If the machine running the KDC has new addresses added to it, the KDC
148will have to be restarted to listen to them. The reason it doesn't
149just listen to wildcarded (like INADDR_ANY) addresses, is that the
150replies has to come from the same address they were sent to, and most
151OS:es doesn't pass this information to the application. If your normal
152mode of operation require that you add and remove addresses, the best
153option is probably to listen to a wildcarded TCP socket, and make sure
154your clients use TCP to connect. For instance, this will listen to
155IPv4 TCP port 88 only:
156.Bd -literal -offset indent
157kdc --addresses=0.0.0.0 --ports="88/tcp"
158.Ed
159.Pp
160There should be a way to specify protocol, port, and address triplets,
161not just addresses and protocol, port tuples.
162.Sh SEE ALSO
163.Xr kinit 1 ,
164.Xr krb5.conf 5
2.\"
3.Dd August 22, 2002
4.Dt KDC 8
5.Os HEIMDAL
6.Sh NAME
7.Nm kdc
8.Nd Kerberos 5 server
9.Sh SYNOPSIS
10.Nm
11.Oo Fl c Ar file \*(Ba Xo
12.Fl -config-file= Ns Ar file
13.Xc
14.Oc
15.Op Fl p | Fl -no-require-preauth
16.Op Fl -max-request= Ns Ar size
17.Op Fl H | Fl -enable-http
18.Oo Fl r Ar string \*(Ba Xo
19.Fl -v4-realm= Ns Ar string
20.Xc
21.Oc
22.Op Fl K | Fl -no-kaserver
23.Op Fl r Ar realm
24.Op Fl -v4-realm= Ns Ar realm
25.Oo Fl P Ar string \*(Ba Xo
26.Fl -ports= Ns Ar string
27.Xc
28.Oc
29.Op Fl -addresses= Ns Ar list of addresses
30.Sh DESCRIPTION
31.Nm
32serves requests for tickets. When it starts, it first checks the flags
33passed, any options that are not specified with a command line flag is
34taken from a config file, or from a default compiled-in value.
35.Pp
36Options supported:
37.Bl -tag -width Ds
38.It Xo
39.Fl c Ar file ,
40.Fl -config-file= Ns Ar file
41.Xc
42Specifies the location of the config file, the default is
43.Pa /var/heimdal/kdc.conf .
44This is the only value that can't be specified in the config file.
45.It Xo
46.Fl p ,
47.Fl -no-require-preauth
48.Xc
49Turn off the requirement for pre-autentication in the initial AS-REQ
50for all principals. The use of pre-authentication makes it more
51difficult to do offline password attacks. You might want to turn it
52off if you have clients that doesn't do pre-authentication. Since the
53version 4 protocol doesn't support any pre-authentication, so serving
54version 4 clients is just about the same as not requiring
55pre-athentication. The default is to require
56pre-authentication. Adding the require-preauth per principal is a more
57flexible way of handling this.
58.It Xo
59.Fl -max-request= Ns Ar size
60.Xc
61Gives an upper limit on the size of the requests that the kdc is
62willing to handle.
63.It Xo
64.Fl H ,
65.Fl -enable-http
66.Xc
67Makes the kdc listen on port 80 and handle requests encapsulated in HTTP.
68.It Xo
69.Fl K ,
70.Fl -no-kaserver
71.Xc
72Disables kaserver emulation (in case it's compiled in).
73.It Xo
74.Fl r Ar realm ,
75.Fl -v4-realm= Ns Ar realm
76.Xc
77What realm this server should act as when dealing with version 4
78requests. The database can contain any number of realms, but since the
79version 4 protocol doesn't contain a realm for the server, it must be
80explicitly specified. The default is whatever is returned by
81.Fn krb_get_lrealm .
82This option is only availabe if the KDC has been compiled with version
834 support.
84.It Xo
85.Fl P Ar string ,
86.Fl -ports= Ns Ar string
87.Xc
88Specifies the set of ports the KDC should listen on. It is given as a
89white-space separated list of services or port numbers.
90.It Fl -addresses= Ns Ar list of addresses
91The list of addresses to listen for requests on. By default, the kdc
92will listen on all the locally configured addresses. If only a subset
93is desired, or the automatic detection fails, this option might be used.
94.El
95.Pp
96All activities , are logged to one or more destinations, see
97.Xr krb5.conf 5 ,
98and
99.Xr krb5_openlog 3 .
100The entity used for logging is
101.Nm kdc .
102.Sh CONFIGURATION FILE
103The configuration file has the same syntax as
104.Xr krb5.conf 5 ,
105but will be read before
106.Pa /etc/krb5.conf ,
107so it may override settings found there. Options specific to the KDC
108only are found in the
109.Dq [kdc]
110section.
111All the command-line options can preferably be added in the
112configuration file. The only difference is the pre-authentication flag,
113that has to be specified as:
114.Pp
115.Dl require-preauth = no
116.Pp
117(in fact you can specify the option as
118.Fl -require-preauth=no ) .
119.Pp
120And there are some configuration options which do not have
121command-line equivalents:
122.Bl -tag -width "xxx" -offset indent
123.It Li check-ticket-addresses = Va boolean
124Check the addresses in the ticket when processing TGS requests. The
125default is FALSE.
126.It Li allow-null-ticket-addresses = Va boolean
127Permit tickets with no addresses. This option is only relevant when
128check-ticket-addresses is TRUE.
129.It Li allow-anonymous = Va boolean
130Permit anonymous tickets with no addresses.
131.It encode_as_rep_as_tgs_rep = Va boolean
132Encode AS-Rep as TGS-Rep to be bug-compatible with old DCE code. The
133Heimdal clients allow both.
134.It kdc_warn_pwexpire = Va time
135How long before password/principal expiration the KDC should start
136sending out warning messages.
137.El
138.Pp
139An example of a config file:
140.Bd -literal -offset indent
141[kdc]
142 require-preauth = no
143 v4-realm = FOO.SE
144 key-file = /key-file
145.Ed
146.Sh BUGS
147If the machine running the KDC has new addresses added to it, the KDC
148will have to be restarted to listen to them. The reason it doesn't
149just listen to wildcarded (like INADDR_ANY) addresses, is that the
150replies has to come from the same address they were sent to, and most
151OS:es doesn't pass this information to the application. If your normal
152mode of operation require that you add and remove addresses, the best
153option is probably to listen to a wildcarded TCP socket, and make sure
154your clients use TCP to connect. For instance, this will listen to
155IPv4 TCP port 88 only:
156.Bd -literal -offset indent
157kdc --addresses=0.0.0.0 --ports="88/tcp"
158.Ed
159.Pp
160There should be a way to specify protocol, port, and address triplets,
161not just addresses and protocol, port tuples.
162.Sh SEE ALSO
163.Xr kinit 1 ,
164.Xr krb5.conf 5