.\" $Id: kdc.8,v 1.3 1997/08/09 00:20:38 joda Exp $
.\"
.Dd July 27, 1997
.Dt KDC 8
.Os HEIMDAL
.Sh NAME
.Nm kdc
.Nd
Kerberos 5 server
.Sh SYNOPSIS
.Nm
.Op Fl c Ar file
.Op Fl -config-file= Ns Ar file
.Op Fl k Ar file
.Op Fl -key-file= Ns Ar file
.Op Fl p
.Op Fl -no-require-preauth
.Op Fl r Ar realm
.Op Fl -v4-realm= Ns Ar realm
.Sh DESCRIPTION
.Nm
serves requests for tickets. When it starts, it first checks the flags
passed; any options that are not specified with a command line flag are
taken from a config file, or from a default compiled-in value.
.Pp
Options supported:
.Bl -tag -width Ds
.It Fl c Ar file
.It Fl -config-file= Ns Ar file
Specifies the location of the config file; the default is
.Pa /var/heimdal/kdc.conf .
This is the only value that can't be specified in the config file.
.It Fl k Ar file
.It Fl -key-file= Ns Ar file
The location of the master-key file. All keys in the database are
encrypted with this master key. The use of a master key is currently
optional, so there is no default.
.Em "Don't specify a master key file if your database is not encrypted."
.It Fl p
.It Fl -no-require-preauth
Turn off the requirement for pre-authentication in the initial
AS-REQ. The use of pre-authentication makes it more difficult to do
offline password attacks. You might want to turn it off if you have
clients that don't do pre-authentication. Since the version 4
protocol doesn't support any pre-authentication, serving version 4
clients is just about the same as not requiring pre-authentication. The
default is to require pre-authentication.
.It Fl r Ar realm
.It Fl -v4-realm= Ns Ar realm
What realm this server should act as when dealing with version 4
requests. The database can contain any number of realms, but since the
version 4 protocol doesn't contain a realm for the server, it must be
explicitly specified. The default is whatever is returned by
.Fn krb_get_lrealm .
This option is only available if the KDC has been compiled with version
4 support.
.El
.Pp
All activities are logged to one or more destinations, see
.Xr krb5.conf 5 ,
and
.Xr krb5_openlog 3 .
The entity used for logging is
.Nm kdc .
.Sh CONFIGURATION FILE
The configuration file has the same syntax as the
.Pa krb5.conf
file (you can actually put the configuration in
.Pa /etc/krb5.conf ,
and then start the KDC with
.Fl -config-file= Ns Ar /etc/krb5.conf ) .
All options should be in a section called
.Dq kdc .
Options are called the same as the long option name, and take the
same arguments. The only difference is the pre-authentication flag,
which has to be specified as:
.Pp
.Dl require-preauth = no
.Pp
(in fact you can specify the option as
.Fl -require-preauth=no ) .
.Pp
An example of a config file:
.Bd -literal -offset indent
[kdc]
require-preauth = no
v4-realm = FOO.SE
key-file = /key-file
.Ed
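.Pp
As an added example (not part of the Heimdal sources), the Python code below audits a configuration in the format shown above for the settings this page describes as weakening the KDC. The sample input is constructed, the accepted spellings of a false value are an assumption, and only flat key = value lines are parsed.

```python
# Added example: audit the [kdc] section described on this page.
# SAMPLE_CONF is constructed input; nested "{ }" bindings are not handled.
SAMPLE_CONF = """\
[libdefaults]
default_realm = FOO.SE
[kdc]
require-preauth = no
v4-realm = FOO.SE
key-file = /key-file
"""
FALSE_VALUES = {"no", "false", "0"}  # assumed spellings of a false boolean


def parse_section(text, wanted="kdc"):
    """Return the key/value pairs of one [section] as a dict."""
    section, options = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()     # entering a new section
            continue
        if section == wanted and "=" in line:
            key, value = line.split("=", 1)
            options[key.strip()] = value.strip()
    return options


def audit_kdc(text):
    """List settings that weaken the KDC, following the man page's reasoning."""
    opts = parse_section(text)
    findings = []
    if opts.get("require-preauth", "yes").lower() in FALSE_VALUES:
        findings.append("require-preauth is off: initial AS-REQs need no "
                        "pre-authentication, easing offline password attacks")
    if "v4-realm" in opts:
        findings.append("v4-realm = %s: version 4 clients are served, and "
                        "version 4 has no pre-authentication" % opts["v4-realm"])
    if "key-file" not in opts:
        findings.append("no key-file in config: database keys are not "
                        "encrypted with a master key")
    return findings


if __name__ == "__main__":
    for finding in audit_kdc(SAMPLE_CONF):
        print("WARN:", finding)
```

A missing v4-realm does not show that version 4 is disabled, because the compiled-in default applies when the KDC is built with version 4 support. Command line flags also take precedence over the file, so the running process should be checked as well.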
.Sh SEE ALSO
.Xr kinit 1