1c1,3
< .\" $Id: kdc.8,v 1.17 2002/08/28 21:09:05 joda Exp $
---
> .\" Copyright (c) 2003 Kungliga Tekniska H�gskolan
> .\" (Royal Institute of Technology, Stockholm, Sweden).
> .\" All rights reserved.
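Review bot: the first copyright line in this hunk carries a raw non-ASCII byte in "Högskolan" that has already been mangled once in transit. It sits in a roff comment (`.\"`), so the rendered page is unaffected, but writing it with the roff escape `H\(:ogskolan`, or pinning the file to a declared Latin-1 encoding, avoids this corruption whenever the file crosses an encoding boundary.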
2a5,33
> .\" Redistribution and use in source and binary forms, with or without
> .\" modification, are permitted provided that the following conditions
> .\" are met:
> .\"
> .\" 1. Redistributions of source code must retain the above copyright
> .\" notice, this list of conditions and the following disclaimer.
> .\"
> .\" 2. Redistributions in binary form must reproduce the above copyright
> .\" notice, this list of conditions and the following disclaimer in the
> .\" documentation and/or other materials provided with the distribution.
> .\"
> .\" 3. Neither the name of the Institute nor the names of its contributors
> .\" may be used to endorse or promote products derived from this software
> .\" without specific prior written permission.
> .\"
> .\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
> .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
> .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
> .\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
> .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
> .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
> .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
> .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
> .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
> .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
> .\" SUCH DAMAGE.
> .\"
> .\" $Id: kdc.8,v 1.23 2003/04/06 17:48:40 lha Exp $
> .\"
17a49,51
> .Op Fl -no-524
> .Op Fl -kerberos4
> .Op Fl -kerberos4-cross-realm
22,26c56,58
< .Op Fl K | Fl -no-kaserver
< .Op Fl r Ar realm
< .Op Fl -v4-realm= Ns Ar realm
< .Oo Fl P Ar string \*(Ba Xo
< .Fl -ports= Ns Ar string
---
> .Op Fl K | Fl -kaserver
> .Oo Fl P Ar portspec \*(Ba Xo
> .Fl -ports= Ns Ar portspec
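Review bot: the `-K` short option flips meaning in this hunk, from `--no-kaserver` (disable) to `--kaserver` (enable), so an existing start script that passes `-K` to turn kaserver emulation off will now turn it on; confirm the code changed the same way and call the inversion out in the release notes. Also, `-r realm` and `--v4-realm=realm` are dropped from the SYNOPSIS here while the later option-list hunk still documents them (as `-r string` / `--v4-realm=string`); either restore `.Op Fl r Ar realm` and `.Op Fl -v4-realm= Ns Ar realm` here or remove the description. Renaming the `--ports` argument from `string` to `portspec` is an improvement.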
28a61
> .Op Fl -detach
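Review bot: `--detach` is added to the SYNOPSIS but no matching `.It` entry appears in the option list anywhere in this diff; if the option is not already described in unchanged text, add an entry saying what detaching does and how it interacts with the logging destinations described further down.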
32,34c65,68
< serves requests for tickets. When it starts, it first checks the flags
< passed, any options that are not specified with a command line flag is
< taken from a config file, or from a default compiled-in value.
---
> serves requests for tickets.
> When it starts, it first checks the flags passed, any options that are
> not specified with a command line flag are taken from a config file,
> or from a default compiled-in value.
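Review bot: the reflow keeps the comma splice in "it first checks the flags passed, any options that are not specified ..."; split it into two sentences ("... the flags passed. Any options that are not specified ... are taken from ...") or use a semicolon, which also fits the one-sentence-per-line mdoc convention the rest of this change adopts.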
50,57c84,94
< for all principals. The use of pre-authentication makes it more
< difficult to do offline password attacks. You might want to turn it
< off if you have clients that doesn't do pre-authentication. Since the
< version 4 protocol doesn't support any pre-authentication, so serving
< version 4 clients is just about the same as not requiring
< pre-athentication. The default is to require
< pre-authentication. Adding the require-preauth per principal is a more
< flexible way of handling this.
---
> for all principals.
> The use of pre-authentication makes it more difficult to do offline
> password attacks.
> You might want to turn it off if you have clients
> that don't support pre-authentication.
> Since the version 4 protocol doesn't support any pre-authentication,
> serving version 4 clients is just about the same as not requiring
> pre-athentication.
> The default is to require pre-authentication.
> Adding the require-preauth per principal is a more flexible way of
> handling this.
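Review bot: the typo "pre-athentication" on the third-to-last added line survives the reflow and should read "pre-authentication". Since this paragraph argues that serving Kerberos 4 clients is equivalent to not requiring pre-authentication, consider cross-referencing the new `--kerberos4` option here, so a reader understands that enabling it reopens offline password guessing against v4 AS requests even with `--require-preauth` set.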
69,70c106
< .Fl K ,
< .Fl -no-kaserver
---
> .Fl -no-524
72c108
< Disables kaserver emulation (in case it's compiled in).
---
> don't respond to 524 requests
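Review bot: "don't respond to 524 requests" breaks the list's style (the neighbouring entries are capitalised full sentences such as "Specifies the set of ports ...") and assumes the reader knows what a 524 request is; suggest "Do not answer krb524 requests (conversion of Kerberos 5 tickets into Kerberos 4 tickets)." and stating explicitly that such requests are answered by default, which the `--no-` prefix implies but the text never says.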
74,75c110
< .Fl r Ar realm ,
< .Fl -v4-realm= Ns Ar realm
---
> .Fl -kerberos4
76a112,122
> respond to Kerberos 4 requests
> .It Xo
> .Fl -kerberos4-cross-realm
> .Xc
> respond to Kerberos 4 requests from foreign realms.
> This is a known security hole and should not be enabled unless you
> understand the consequences and are willing to live with them.
> .It Xo
> .Fl r Ar string ,
> .Fl -v4-realm= Ns Ar string
> .Xc
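Review bot: `--kerberos4-cross-realm` is labelled "a known security hole" without saying what the hole is; a one-line pointer (that a foreign realm holding a v4 cross-realm key can forge Kerberos 4 tickets for principals in the local realm, the weakness described in MIT's March 2003 Kerberos 4 advisory) lets an administrator judge the risk instead of guessing. The `--kerberos4` entry should also state whether Kerberos 4 service is off unless the flag is given, as its name suggests. Finally, the argument of `-r` / `--v4-realm=` is renamed from `Ar realm` to `Ar string`, which is less informative than the original; keep `realm`.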
78,80c124,128
< requests. The database can contain any number of realms, but since the
< version 4 protocol doesn't contain a realm for the server, it must be
< explicitly specified. The default is whatever is returned by
---
> requests.
> The database can contain any number of realms, but since the version 4
> protocol doesn't contain a realm for the server, it must be explicitly
> specified.
> The default is whatever is returned by
85,86c133,134
< .Fl P Ar string ,
< .Fl -ports= Ns Ar string
---
> .Fl K ,
> .Fl -kaserver
88c136,142
< Specifies the set of ports the KDC should listen on. It is given as a
---
> Enable kaserver emulation (in case it's compiled in).
> .It Xo
> .Fl P Ar portspec ,
> .Fl -ports= Ns Ar portspec
> .Xc
> Specifies the set of ports the KDC should listen on.
> It is given as a
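Review bot: the new `--kaserver` description "Enable kaserver emulation (in case it's compiled in)." should also say that emulation is off unless the flag is given, because the previous page documented the opposite switch (`--no-kaserver`) and a reader of the old page will assume emulation is still on by default; the sense of the `-K` alias has inverted along with it, and this is the place to say so.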
91,93c145,149
< The list of addresses to listen for requests on. By default, the kdc
< will listen on all the locally configured addresses. If only a subset
< is desired, or the automatic detection fails, this option might be used.
---
> The list of addresses to listen for requests on.
> By default, the kdc will listen on all the locally configured
> addresses.
> If only a subset is desired, or the automatic detection fails, this
> option might be used.
96c152
< All activities , are logged to one or more destinations, see
---
> All activities are logged to one or more destinations, see
107,108c163,164
< so it may override settings found there. Options specific to the KDC
< only are found in the
---
> so it may override settings found there.
> Options specific to the KDC only are found in the
112,113c168,170
< configuration file. The only difference is the pre-authentication flag,
< that has to be specified as:
---
> configuration file.
> The only difference is the pre-authentication flag, which has to be
> specified as:
124,125c181,182
< Check the addresses in the ticket when processing TGS requests. The
< default is FALSE.
---
> Check the addresses in the ticket when processing TGS requests.
> The default is FALSE.
127,128c184,185
< Permit tickets with no addresses. This option is only relevant when
< check-ticket-addresses is TRUE.
---
> Permit tickets with no addresses.
> This option is only relevant when check-ticket-addresses is TRUE.
132,133c189,190
< Encode AS-Rep as TGS-Rep to be bug-compatible with old DCE code. The
< Heimdal clients allow both.
---
> Encode AS-Rep as TGS-Rep to be bug-compatible with old DCE code.
> The Heimdal clients allow both.
138a196,202
> The configuration file is only read when the
> .Nm
> is started.
> If changes made to the configuration file are to take effect, the
> .Nm
> needs to be restarted.
> .Pp
148,155c212,220
< will have to be restarted to listen to them. The reason it doesn't
< just listen to wildcarded (like INADDR_ANY) addresses, is that the
< replies has to come from the same address they were sent to, and most
< OS:es doesn't pass this information to the application. If your normal
< mode of operation require that you add and remove addresses, the best
< option is probably to listen to a wildcarded TCP socket, and make sure
< your clients use TCP to connect. For instance, this will listen to
< IPv4 TCP port 88 only:
---
> will have to be restarted to listen to them.
> The reason it doesn't just listen to wildcarded (like INADDR_ANY)
> addresses, is that the replies has to come from the same address they
> were sent to, and most OS:es doesn't pass this information to the
> application.
> If your normal mode of operation require that you add and remove
> addresses, the best option is probably to listen to a wildcarded TCP
> socket, and make sure your clients use TCP to connect.
> For instance, this will listen to IPv4 TCP port 88 only:
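Review bot: the reflow leaves several grammatical errors in this paragraph: "the replies has to come" should be "have to come", "most OS:es doesn't pass" should be "most OSes don't pass", and "If your normal mode of operation require" should be "requires". The technical point is sound and worth keeping: a UDP socket bound to a wildcard address does not, on most systems of that era, tell the application which local address a datagram arrived on (IP_PKTINFO-style ancillary data fills that gap only where available), whereas an accepted TCP connection is already bound to the local address the connection arrived on, so the TCP workaround given here is correct.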