freebsd-dev/crypto/heimdal/kdc/kdc.8

.\" $Id: kdc.8,v 1.11 2001/01/26 22:46:28 assar Exp $
.\"
.Dd July 27, 1997
.Dt KDC 8
.Os HEIMDAL
.Sh NAME
.Nm kdc
.Nd Kerberos 5 server
.Sh SYNOPSIS
.Nm
.Oo Fl c Ar file \*(Ba Xo
.Fl -config-file= Ns Ar file Oc
.Xc
.Op Fl p | Fl -no-require-preauth
.Op Fl -max-request= Ns Ar size
.Op Fl H | Fl -enable-http
.Oo Fl r Ar string \*(Ba Xo
.Fl -v4-realm= Ns Ar string Oc
.Xc
.Op Fl K | Fl -no-kaserver
.Op Fl r Ar realm
.Op Fl -v4-realm= Ns Ar realm
.Oo Fl P Ar string \*(Ba Xo
.Fl -ports= Ns Ar string Oc
.Xc
.Op Fl -addresses= Ns Ar list of addresses
.Sh DESCRIPTION
.Nm
serves requests for tickets. When it starts, it first checks the flags
passed, any options that are not specified with a command line flag is
taken from a config file, or from a default compiled-in value.
.Pp
Options supported:
.Bl -tag -width Ds
.It Fl c Ar file
.It Fl -config-file= Ns Ar file
Specifies the location of the config file, the default is
.Pa /var/heimdal/kdc.conf .
This is the only value that can't be specified in the config file.
.It Fl p
.It Fl -no-require-preauth
Turn off the requirement for pre-autentication in the initial AS-REQ
for all principals. The use of pre-authentication makes it more
difficult to do offline password attacks. You might want to turn it
off if you have clients that doesn't do pre-authentication. Since the
version 4 protocol doesn't support any pre-authentication, so serving
version 4 clients is just about the same as not requiring
pre-athentication. The default is to require
pre-authentication. Adding the require-preauth per principal is a more
flexible way of handling this.
.It Xo
.Fl -max-request= Ns Ar size
.Xc
Gives an upper limit on the size of the requests that the kdc is
willing to handle.
.It Xo
.Fl H Ns ,
.Fl -enable-http
.Xc
Makes the kdc listen on port 80 and handle requests encapsulated in HTTP.
.It Xo
.Fl K Ns ,
.Fl -no-kaserver
.Xc
Disables kaserver emulation (in case it's compiled in).
.It Fl r Ar realm
.It Fl -v4-realm= Ns Ar realm
What realm this server should act as when dealing with version 4
requests. The database can contain any number of realms, but since the
version 4 protocol doesn't contain a realm for the server, it must be
explicitly specified. The default is whatever is returned by
.Fn krb_get_lrealm .
This option is only availabe if the KDC has been compiled with version
4 support.
.It Xo
.Fl P Ar string Ns ,
.Fl -ports= Ns Ar string
.Xc
Specifies the set of ports the KDC should listen on.  It is given as a
white-space separated list of services or port numbers.
.It Xo
.Fl -addresses= Ns Ar list of addresses
.Xc
The list of addresses to listen for requests on.  By default, the kdc
will listen on all the locally configured addresses.  If only a subset
is desired, or the automatic detection fails, this option might be used.
.El
.Pp
All activities , are logged to one or more destinations, see 
.Xr krb5.conf 5 ,
and
.Xr krb5_openlog 3 .
The entity used for logging is
.Nm kdc .
.Sh CONFIGURATION FILE
The configuration file has the same syntax as the 
.Pa krb5.conf
file (you can actually put the configuration in
.Pa /etc/krb5.conf ,
and then start the KDC with
.Fl -config-file= Ns Ar /etc/krb5.conf ) .
All options should be in a section called
.Dq kdc .
All the command-line options can preferably be added in the
configuration file.  The only difference is the pre-authentication flag,
that has to be specified as:
.Pp
.Dl require-preauth = no
.Pp
(in fact you can specify the option as
.Fl -require-preauth=no ) .
.Pp
And there are some configuration options which do not have
command-line equivalents:
.Bl -tag -width "xxx" -offset indent
.It Li check-ticket-addresses = Va boolean
Check the addresses in the ticket when processing TGS requests.  The
default is FALSE.
.It Li allow-null-ticket-addresses = Va boolean
Permit tickets with no addresses.  This option is only relevant when
check-ticket-addresses is TRUE.
.It Li allow-anonymous = Va boolean
Permit anonymous tickets with no addresses.
.It encode_as_rep_as_tgs_rep = Va boolean
Encode AS-Rep as TGS-Rep to be bug-compatible with old DCE code.  The
Heimdal clients allow both.
.It kdc_warn_pwexpire = Va time
How long before password/principal expiration the KDC should start
sending out warning messages.
.El
.Pp
An example of a config file:
.Bd -literal -offset indent
[kdc]
	require-preauth = no
	v4-realm = FOO.SE
	key-file = /key-file
.Ed
.Sh SEE ALSO
.Xr kinit 1