.\" $Id: kdc.8,v 1.5 2000/02/13 21:04:32 assar Exp $ .\" .Dd July 27, 1997 .Dt KDC 8 .Os HEIMDAL .Sh NAME .Nm kdc .Nd Kerberos 5 server .Sh SYNOPSIS .Nm .Op Fl c Ar file .Op Fl -config-file= Ns Ar file .Op Fl p | Fl -no-require-preauth .Op Fl -max-request= Ns Ar size .Op Fl H | Fl -enable-http .Op Fl K | Fl -no-kaserver .Op Fl r Ar realm .Op Fl -v4-realm= Ns Ar realm .Oo Fl P Ar string \*(Ba Xo .Fl -ports= Ns Ar string Oc .Xc .Op Fl -addresses= Ns Ar list of addresses .Sh DESCRIPTION .Nm serves requests for tickets. When it starts, it first checks the flags passed, any options that are not specified with a command line flag is taken from a config file, or from a default compiled-in value. .Pp Options supported: .Bl -tag -width Ds .It Fl c Ar file .It Fl -config-file= Ns Ar file Specifies the location of the config file, the default is .Pa /var/heimdal/kdc.conf . This is the only value that can't be specified in the config file. .It Fl p .It Fl -no-require-preauth Turn off the requirement for pre-autentication in the initial AS-REQ for all principals. The use of pre-authentication makes it more difficult to do offline password attacks. You might want to turn it off if you have clients that doesn't do pre-authentication. Since the version 4 protocol doesn't support any pre-authentication, so serving version 4 clients is just about the same as not requiring pre-athentication. The default is to require pre-authentication. Adding the require-preauth per principal is a more flexible way of handling this. .It Xo .Fl -max-request= Ns Ar size .Xc Gives an upper limit on the size of the requests that the kdc is willing to handle. .It Xo .Fl H Ns , .Fl -enable-http .Xc Makes the kdc listen on port 80 and handle requests encapsulated in HTTP. .It Xo .Fl K Ns , .Fl -no-kaserver .Xc Disables kaserver emulation (in case it's compiled in). .It Fl r Ar realm .It Fl -v4-realm= Ns Ar realm What realm this server should act as when dealing with version 4 requests. The database can contain any number of realms, but since the version 4 protocol doesn't contain a realm for the server, it must be explicitly specified. The default is whatever is returned by .Fn krb_get_lrealm . This option is only availabe if the KDC has been compiled with version 4 support. .It Xo .Fl P Ar string Ns , .Fl -ports= Ns Ar string .Xc Specifies the set of ports the KDC should listen on. It is given as a white-space separated list of services or port numbers. .It Xo .Fl -addresses= Ns Ar list of addresses .Xc The list of addresses to listen for requests on. By default, the kdc will listen on all the locally configured addresses. If only a subset is desired, or the automatic detection fails, this option might be used. .El .Pp All activities , are logged to one or more destinations, see .Xr krb5.conf 5 , and .Xr krb5_openlog 3 . The entity used for logging is .Nm kdc . .Sh CONFIGURATION FILE The configuration file has the same syntax as the .Pa krb5.conf file (you can actually put the configuration in .Pa /etc/krb5.conf , and then start the KDC with .Fl -config-file= Ns Ar /etc/krb5.conf ) . All options should be in a section called .Dq kdc . Options are called the same as the long option name, and takes the same arguments. The only difference is the pre-authentication flag, that has to be specified as: .Pp .Dl require-preauth = no .Pp (in fact you can specify the option as .Fl -require-preauth=no ) . .Pp An example of a config file: .Bd -literal -offset indent [kdc] require-preauth = no v4-realm = FOO.SE key-file = /key-file .Ed .Sh SEE ALSO .Xr kinit 1