kdc.8 (72445) kdc.8 (76371)
1.\" $Id: kdc.8,v 1.11 2001/01/26 22:46:28 assar Exp $
2.\"
3.Dd July 27, 1997
4.Dt KDC 8
5.Os HEIMDAL
6.Sh NAME
7.Nm kdc
1.\" $Id: kdc.8,v 1.11 2001/01/26 22:46:28 assar Exp $
2.\"
3.Dd July 27, 1997
4.Dt KDC 8
5.Os HEIMDAL
6.Sh NAME
7.Nm kdc
8.Nd
9Kerberos 5 server
8.Nd Kerberos 5 server
10.Sh SYNOPSIS
11.Nm
12.Oo Fl c Ar file \*(Ba Xo
13.Fl -config-file= Ns Ar file Oc
14.Xc
15.Op Fl p | Fl -no-require-preauth
16.Op Fl -max-request= Ns Ar size
17.Op Fl H | Fl -enable-http
18.Oo Fl r Ar string \*(Ba Xo
19.Fl -v4-realm= Ns Ar string Oc
20.Xc
21.Op Fl K | Fl -no-kaserver
22.Op Fl r Ar realm
23.Op Fl -v4-realm= Ns Ar realm
24.Oo Fl P Ar string \*(Ba Xo
25.Fl -ports= Ns Ar string Oc
26.Xc
27.Op Fl -addresses= Ns Ar list of addresses
28.Sh DESCRIPTION
29.Nm
30serves requests for tickets. When it starts, it first checks the flags
31passed, any options that are not specified with a command line flag is
32taken from a config file, or from a default compiled-in value.
33.Pp
34Options supported:
35.Bl -tag -width Ds
36.It Fl c Ar file
37.It Fl -config-file= Ns Ar file
38Specifies the location of the config file, the default is
39.Pa /var/heimdal/kdc.conf .
40This is the only value that can't be specified in the config file.
41.It Fl p
42.It Fl -no-require-preauth
43Turn off the requirement for pre-autentication in the initial AS-REQ
44for all principals. The use of pre-authentication makes it more
45difficult to do offline password attacks. You might want to turn it
46off if you have clients that doesn't do pre-authentication. Since the
47version 4 protocol doesn't support any pre-authentication, so serving
48version 4 clients is just about the same as not requiring
49pre-athentication. The default is to require
50pre-authentication. Adding the require-preauth per principal is a more
51flexible way of handling this.
52.It Xo
53.Fl -max-request= Ns Ar size
54.Xc
55Gives an upper limit on the size of the requests that the kdc is
56willing to handle.
57.It Xo
58.Fl H Ns ,
59.Fl -enable-http
60.Xc
61Makes the kdc listen on port 80 and handle requests encapsulated in HTTP.
62.It Xo
63.Fl K Ns ,
64.Fl -no-kaserver
65.Xc
66Disables kaserver emulation (in case it's compiled in).
67.It Fl r Ar realm
68.It Fl -v4-realm= Ns Ar realm
69What realm this server should act as when dealing with version 4
70requests. The database can contain any number of realms, but since the
71version 4 protocol doesn't contain a realm for the server, it must be
72explicitly specified. The default is whatever is returned by
73.Fn krb_get_lrealm .
74This option is only availabe if the KDC has been compiled with version
754 support.
76.It Xo
77.Fl P Ar string Ns ,
78.Fl -ports= Ns Ar string
79.Xc
80Specifies the set of ports the KDC should listen on. It is given as a
81white-space separated list of services or port numbers.
82.It Xo
83.Fl -addresses= Ns Ar list of addresses
84.Xc
85The list of addresses to listen for requests on. By default, the kdc
86will listen on all the locally configured addresses. If only a subset
87is desired, or the automatic detection fails, this option might be used.
88.El
89.Pp
90All activities , are logged to one or more destinations, see
91.Xr krb5.conf 5 ,
92and
93.Xr krb5_openlog 3 .
94The entity used for logging is
95.Nm kdc .
96.Sh CONFIGURATION FILE
97The configuration file has the same syntax as the
98.Pa krb5.conf
99file (you can actually put the configuration in
100.Pa /etc/krb5.conf ,
101and then start the KDC with
102.Fl -config-file= Ns Ar /etc/krb5.conf ) .
103All options should be in a section called
104.Dq kdc .
105All the command-line options can preferably be added in the
106configuration file. The only difference is the pre-authentication flag,
107that has to be specified as:
108.Pp
109.Dl require-preauth = no
110.Pp
111(in fact you can specify the option as
112.Fl -require-preauth=no ) .
113.Pp
114And there are some configuration options which do not have
115command-line equivalents:
116.Bl -tag -width "xxx" -offset indent
117.It Li check-ticket-addresses = Va boolean
118Check the addresses in the ticket when processing TGS requests. The
119default is FALSE.
120.It Li allow-null-ticket-addresses = Va boolean
121Permit tickets with no addresses. This option is only relevant when
122check-ticket-addresses is TRUE.
123.It Li allow-anonymous = Va boolean
124Permit anonymous tickets with no addresses.
125.It encode_as_rep_as_tgs_rep = Va boolean
126Encode AS-Rep as TGS-Rep to be bug-compatible with old DCE code. The
127Heimdal clients allow both.
128.It kdc_warn_pwexpire = Va time
129How long before password/principal expiration the KDC should start
130sending out warning messages.
131.El
132.Pp
133An example of a config file:
134.Bd -literal -offset indent
135[kdc]
136 require-preauth = no
137 v4-realm = FOO.SE
138 key-file = /key-file
139.Ed
140.Sh SEE ALSO
141.Xr kinit 1
9.Sh SYNOPSIS
10.Nm
11.Oo Fl c Ar file \*(Ba Xo
12.Fl -config-file= Ns Ar file Oc
13.Xc
14.Op Fl p | Fl -no-require-preauth
15.Op Fl -max-request= Ns Ar size
16.Op Fl H | Fl -enable-http
17.Oo Fl r Ar string \*(Ba Xo
18.Fl -v4-realm= Ns Ar string Oc
19.Xc
20.Op Fl K | Fl -no-kaserver
21.Op Fl r Ar realm
22.Op Fl -v4-realm= Ns Ar realm
23.Oo Fl P Ar string \*(Ba Xo
24.Fl -ports= Ns Ar string Oc
25.Xc
26.Op Fl -addresses= Ns Ar list of addresses
27.Sh DESCRIPTION
28.Nm
29serves requests for tickets. When it starts, it first checks the flags
30passed, any options that are not specified with a command line flag is
31taken from a config file, or from a default compiled-in value.
32.Pp
33Options supported:
34.Bl -tag -width Ds
35.It Fl c Ar file
36.It Fl -config-file= Ns Ar file
37Specifies the location of the config file, the default is
38.Pa /var/heimdal/kdc.conf .
39This is the only value that can't be specified in the config file.
40.It Fl p
41.It Fl -no-require-preauth
42Turn off the requirement for pre-autentication in the initial AS-REQ
43for all principals. The use of pre-authentication makes it more
44difficult to do offline password attacks. You might want to turn it
45off if you have clients that doesn't do pre-authentication. Since the
46version 4 protocol doesn't support any pre-authentication, so serving
47version 4 clients is just about the same as not requiring
48pre-athentication. The default is to require
49pre-authentication. Adding the require-preauth per principal is a more
50flexible way of handling this.
51.It Xo
52.Fl -max-request= Ns Ar size
53.Xc
54Gives an upper limit on the size of the requests that the kdc is
55willing to handle.
56.It Xo
57.Fl H Ns ,
58.Fl -enable-http
59.Xc
60Makes the kdc listen on port 80 and handle requests encapsulated in HTTP.
61.It Xo
62.Fl K Ns ,
63.Fl -no-kaserver
64.Xc
65Disables kaserver emulation (in case it's compiled in).
66.It Fl r Ar realm
67.It Fl -v4-realm= Ns Ar realm
68What realm this server should act as when dealing with version 4
69requests. The database can contain any number of realms, but since the
70version 4 protocol doesn't contain a realm for the server, it must be
71explicitly specified. The default is whatever is returned by
72.Fn krb_get_lrealm .
73This option is only availabe if the KDC has been compiled with version
744 support.
75.It Xo
76.Fl P Ar string Ns ,
77.Fl -ports= Ns Ar string
78.Xc
79Specifies the set of ports the KDC should listen on. It is given as a
80white-space separated list of services or port numbers.
81.It Xo
82.Fl -addresses= Ns Ar list of addresses
83.Xc
84The list of addresses to listen for requests on. By default, the kdc
85will listen on all the locally configured addresses. If only a subset
86is desired, or the automatic detection fails, this option might be used.
87.El
88.Pp
89All activities , are logged to one or more destinations, see
90.Xr krb5.conf 5 ,
91and
92.Xr krb5_openlog 3 .
93The entity used for logging is
94.Nm kdc .
95.Sh CONFIGURATION FILE
96The configuration file has the same syntax as the
97.Pa krb5.conf
98file (you can actually put the configuration in
99.Pa /etc/krb5.conf ,
100and then start the KDC with
101.Fl -config-file= Ns Ar /etc/krb5.conf ) .
102All options should be in a section called
103.Dq kdc .
104All the command-line options can preferably be added in the
105configuration file. The only difference is the pre-authentication flag,
106that has to be specified as:
107.Pp
108.Dl require-preauth = no
109.Pp
110(in fact you can specify the option as
111.Fl -require-preauth=no ) .
112.Pp
113And there are some configuration options which do not have
114command-line equivalents:
115.Bl -tag -width "xxx" -offset indent
116.It Li check-ticket-addresses = Va boolean
117Check the addresses in the ticket when processing TGS requests. The
118default is FALSE.
119.It Li allow-null-ticket-addresses = Va boolean
120Permit tickets with no addresses. This option is only relevant when
121check-ticket-addresses is TRUE.
122.It Li allow-anonymous = Va boolean
123Permit anonymous tickets with no addresses.
124.It encode_as_rep_as_tgs_rep = Va boolean
125Encode AS-Rep as TGS-Rep to be bug-compatible with old DCE code. The
126Heimdal clients allow both.
127.It kdc_warn_pwexpire = Va time
128How long before password/principal expiration the KDC should start
129sending out warning messages.
130.El
131.Pp
132An example of a config file:
133.Bd -literal -offset indent
134[kdc]
135 require-preauth = no
136 v4-realm = FOO.SE
137 key-file = /key-file
138.Ed
139.Sh SEE ALSO
140.Xr kinit 1
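Review bot: while `.Nd` is being fixed, the same revision should also drop the duplicated `-r`/`--v4-realm` entry in SYNOPSIS: the option appears once as `.Oo Fl r Ar string \*(Ba Xo` / `.Fl -v4-realm= Ns Ar string Oc` and again as `.Op Fl r Ar realm` / `.Op Fl -v4-realm= Ns Ar realm`; keep the second form, since `realm` is the argument name the DESCRIPTION entry for `-r` uses. The `.Nd` change itself is right: mdoc(7) defines `.Nd` as taking the one-line description as its argument, so the old bare `.Nd` with `Kerberos 5 server` on the following line relied on output filling to produce a correct NAME line. Two other things deserve attention while the page is open. The example configuration sets `require-preauth = no` and `key-file = /key-file`: the first contradicts the `-p` entry on the same page, which says pre-authentication makes offline password attacks harder and that requiring it is the default, so the example should show the secure default or state that it is shown only for version 4 interoperability; the second is not among the options this page documents, so it should either be described in the CONFIGURATION FILE section or removed from the example. Finally, spelling and grammar in the `-p` and `-r` entries and the logging paragraph: `pre-autentication`, `pre-athentication`, `availabe`, `clients that doesn't`, and the stray comma in `All activities , are logged`.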