165 lines
5.1 KiB
Groff
165 lines
5.1 KiB
Groff
.\" $Id: kdc.8,v 1.17 2002/08/28 21:09:05 joda Exp $
|
|
.\"
|
|
.Dd August 22, 2002
|
|
.Dt KDC 8
|
|
.Os HEIMDAL
|
|
.Sh NAME
|
|
.Nm kdc
|
|
.Nd Kerberos 5 server
|
|
.Sh SYNOPSIS
|
|
.Nm
|
|
.Oo Fl c Ar file \*(Ba Xo
|
|
.Fl -config-file= Ns Ar file
|
|
.Xc
|
|
.Oc
|
|
.Op Fl p | Fl -no-require-preauth
|
|
.Op Fl -max-request= Ns Ar size
|
|
.Op Fl H | Fl -enable-http
|
|
.Oo Fl r Ar string \*(Ba Xo
|
|
.Fl -v4-realm= Ns Ar string
|
|
.Xc
|
|
.Oc
|
|
.Op Fl K | Fl -no-kaserver
|
|
.Op Fl r Ar realm
|
|
.Op Fl -v4-realm= Ns Ar realm
|
|
.Oo Fl P Ar string \*(Ba Xo
|
|
.Fl -ports= Ns Ar string
|
|
.Xc
|
|
.Oc
|
|
.Op Fl -addresses= Ns Ar list of addresses
|
|
.Sh DESCRIPTION
|
|
.Nm
|
|
serves requests for tickets. When it starts, it first checks the flags
|
|
passed, any options that are not specified with a command line flag is
|
|
taken from a config file, or from a default compiled-in value.
|
|
.Pp
|
|
Options supported:
|
|
.Bl -tag -width Ds
|
|
.It Xo
|
|
.Fl c Ar file ,
|
|
.Fl -config-file= Ns Ar file
|
|
.Xc
|
|
Specifies the location of the config file, the default is
|
|
.Pa /var/heimdal/kdc.conf .
|
|
This is the only value that can't be specified in the config file.
|
|
.It Xo
|
|
.Fl p ,
|
|
.Fl -no-require-preauth
|
|
.Xc
|
|
Turn off the requirement for pre-autentication in the initial AS-REQ
|
|
for all principals. The use of pre-authentication makes it more
|
|
difficult to do offline password attacks. You might want to turn it
|
|
off if you have clients that doesn't do pre-authentication. Since the
|
|
version 4 protocol doesn't support any pre-authentication, so serving
|
|
version 4 clients is just about the same as not requiring
|
|
pre-athentication. The default is to require
|
|
pre-authentication. Adding the require-preauth per principal is a more
|
|
flexible way of handling this.
|
|
.It Xo
|
|
.Fl -max-request= Ns Ar size
|
|
.Xc
|
|
Gives an upper limit on the size of the requests that the kdc is
|
|
willing to handle.
|
|
.It Xo
|
|
.Fl H ,
|
|
.Fl -enable-http
|
|
.Xc
|
|
Makes the kdc listen on port 80 and handle requests encapsulated in HTTP.
|
|
.It Xo
|
|
.Fl K ,
|
|
.Fl -no-kaserver
|
|
.Xc
|
|
Disables kaserver emulation (in case it's compiled in).
|
|
.It Xo
|
|
.Fl r Ar realm ,
|
|
.Fl -v4-realm= Ns Ar realm
|
|
.Xc
|
|
What realm this server should act as when dealing with version 4
|
|
requests. The database can contain any number of realms, but since the
|
|
version 4 protocol doesn't contain a realm for the server, it must be
|
|
explicitly specified. The default is whatever is returned by
|
|
.Fn krb_get_lrealm .
|
|
This option is only availabe if the KDC has been compiled with version
|
|
4 support.
|
|
.It Xo
|
|
.Fl P Ar string ,
|
|
.Fl -ports= Ns Ar string
|
|
.Xc
|
|
Specifies the set of ports the KDC should listen on. It is given as a
|
|
white-space separated list of services or port numbers.
|
|
.It Fl -addresses= Ns Ar list of addresses
|
|
The list of addresses to listen for requests on. By default, the kdc
|
|
will listen on all the locally configured addresses. If only a subset
|
|
is desired, or the automatic detection fails, this option might be used.
|
|
.El
|
|
.Pp
|
|
All activities , are logged to one or more destinations, see
|
|
.Xr krb5.conf 5 ,
|
|
and
|
|
.Xr krb5_openlog 3 .
|
|
The entity used for logging is
|
|
.Nm kdc .
|
|
.Sh CONFIGURATION FILE
|
|
The configuration file has the same syntax as
|
|
.Xr krb5.conf 5 ,
|
|
but will be read before
|
|
.Pa /etc/krb5.conf ,
|
|
so it may override settings found there. Options specific to the KDC
|
|
only are found in the
|
|
.Dq [kdc]
|
|
section.
|
|
All the command-line options can preferably be added in the
|
|
configuration file. The only difference is the pre-authentication flag,
|
|
that has to be specified as:
|
|
.Pp
|
|
.Dl require-preauth = no
|
|
.Pp
|
|
(in fact you can specify the option as
|
|
.Fl -require-preauth=no ) .
|
|
.Pp
|
|
And there are some configuration options which do not have
|
|
command-line equivalents:
|
|
.Bl -tag -width "xxx" -offset indent
|
|
.It Li check-ticket-addresses = Va boolean
|
|
Check the addresses in the ticket when processing TGS requests. The
|
|
default is FALSE.
|
|
.It Li allow-null-ticket-addresses = Va boolean
|
|
Permit tickets with no addresses. This option is only relevant when
|
|
check-ticket-addresses is TRUE.
|
|
.It Li allow-anonymous = Va boolean
|
|
Permit anonymous tickets with no addresses.
|
|
.It encode_as_rep_as_tgs_rep = Va boolean
|
|
Encode AS-Rep as TGS-Rep to be bug-compatible with old DCE code. The
|
|
Heimdal clients allow both.
|
|
.It kdc_warn_pwexpire = Va time
|
|
How long before password/principal expiration the KDC should start
|
|
sending out warning messages.
|
|
.El
|
|
.Pp
|
|
An example of a config file:
|
|
.Bd -literal -offset indent
|
|
[kdc]
|
|
require-preauth = no
|
|
v4-realm = FOO.SE
|
|
key-file = /key-file
|
|
.Ed
|
|
.Sh BUGS
|
|
If the machine running the KDC has new addresses added to it, the KDC
|
|
will have to be restarted to listen to them. The reason it doesn't
|
|
just listen to wildcarded (like INADDR_ANY) addresses, is that the
|
|
replies has to come from the same address they were sent to, and most
|
|
OS:es doesn't pass this information to the application. If your normal
|
|
mode of operation require that you add and remove addresses, the best
|
|
option is probably to listen to a wildcarded TCP socket, and make sure
|
|
your clients use TCP to connect. For instance, this will listen to
|
|
IPv4 TCP port 88 only:
|
|
.Bd -literal -offset indent
|
|
kdc --addresses=0.0.0.0 --ports="88/tcp"
|
|
.Ed
|
|
.Pp
|
|
There should be a way to specify protocol, port, and address triplets,
|
|
not just addresses and protocol, port tuples.
|
|
.Sh SEE ALSO
|
|
.Xr kinit 1 ,
|
|
.Xr krb5.conf 5
|