path: root/crypto/heimdal/kdc/kdc.8
Diffstat (limited to 'crypto/heimdal/kdc/kdc.8')
-rw-r--r--  crypto/heimdal/kdc/kdc.8  165
1 files changed, 115 insertions, 50 deletions
diff --git a/crypto/heimdal/kdc/kdc.8 b/crypto/heimdal/kdc/kdc.8
index 20c180a..baae563 100644
--- a/crypto/heimdal/kdc/kdc.8
+++ b/crypto/heimdal/kdc/kdc.8
@@ -1,4 +1,35 @@
-.\" $Id: kdc.8,v 1.17 2002/08/28 21:09:05 joda Exp $
+.\" Copyright (c) 2003 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\" may be used to endorse or promote products derived from this software
+.\" without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id: kdc.8,v 1.23 2003/04/06 17:48:40 lha Exp $
.\"
.Dd August 22, 2002
.Dt KDC 8
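Review bot: the `.Dd August 22, 2002` date on the unchanged context line is left stale even though this revision adds a license block, bumps `$Id` to 2003/04/06 and, further down, documents several new options (`--no-524`, `--kerberos4`, `--kerberos4-cross-realm`, `--detach`); update `.Dd` to the date of this change so the rendered page's footer reflects its content.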
@@ -15,23 +46,26 @@
.Op Fl p | Fl -no-require-preauth
.Op Fl -max-request= Ns Ar size
.Op Fl H | Fl -enable-http
+.Op Fl -no-524
+.Op Fl -kerberos4
+.Op Fl -kerberos4-cross-realm
.Oo Fl r Ar string \*(Ba Xo
.Fl -v4-realm= Ns Ar string
.Xc
.Oc
-.Op Fl K | Fl -no-kaserver
-.Op Fl r Ar realm
-.Op Fl -v4-realm= Ns Ar realm
-.Oo Fl P Ar string \*(Ba Xo
-.Fl -ports= Ns Ar string
+.Op Fl K | Fl -kaserver
+.Oo Fl P Ar portspec \*(Ba Xo
+.Fl -ports= Ns Ar portspec
.Xc
.Oc
+.Op Fl -detach
.Op Fl -addresses= Ns Ar list of addresses
.Sh DESCRIPTION
.Nm
-serves requests for tickets. When it starts, it first checks the flags
-passed, any options that are not specified with a command line flag is
-taken from a config file, or from a default compiled-in value.
+serves requests for tickets.
+When it starts, it first checks the flags passed, any options that are
+not specified with a command line flag are taken from a config file,
+or from a default compiled-in value.
.Pp
Options supported:
.Bl -tag -width Ds
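Review bot: `-K` flips polarity in this hunk, from `-.Op Fl K | Fl -no-kaserver` to `+.Op Fl K | Fl -kaserver`, so an existing start script that passes `-K` to disable kaserver emulation will silently enable it after this change; a reversal like that needs a clear statement of the new default in the DESCRIPTION, or a differently named short option. Two smaller points: `+.Op Fl -detach` is added to the SYNOPSIS but no matching `.It` entry for it appears anywhere in the options list in this patch, and renaming the `-r`/`--v4-realm` argument from `realm` to `string` makes the synopsis less descriptive than it was.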
@@ -47,14 +81,17 @@ This is the only value that can't be specified in the config file.
.Fl -no-require-preauth
.Xc
Turn off the requirement for pre-autentication in the initial AS-REQ
-for all principals. The use of pre-authentication makes it more
-difficult to do offline password attacks. You might want to turn it
-off if you have clients that doesn't do pre-authentication. Since the
-version 4 protocol doesn't support any pre-authentication, so serving
-version 4 clients is just about the same as not requiring
-pre-athentication. The default is to require
-pre-authentication. Adding the require-preauth per principal is a more
-flexible way of handling this.
+for all principals.
+The use of pre-authentication makes it more difficult to do offline
+password attacks.
+You might want to turn it off if you have clients
+that don't support pre-authentication.
+Since the version 4 protocol doesn't support any pre-authentication,
+serving version 4 clients is just about the same as not requiring
+pre-athentication.
+The default is to require pre-authentication.
+Adding the require-preauth per principal is a more flexible way of
+handling this.
.It Xo
.Fl -max-request= Ns Ar size
.Xc
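Review bot: two misspellings of pre-authentication survive the reflow: `pre-autentication` on the unchanged context line that opens the paragraph and `pre-athentication` on the added line `+pre-athentication.`; since the whole paragraph is being rewritten here anyway, fix both to `pre-authentication` in the same change.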
@@ -66,34 +103,53 @@ willing to handle.
.Xc
Makes the kdc listen on port 80 and handle requests encapsulated in HTTP.
.It Xo
-.Fl K ,
-.Fl -no-kaserver
+.Fl -no-524
+.Xc
+don't respond to 524 requests
+.It Xo
+.Fl -kerberos4
.Xc
-Disables kaserver emulation (in case it's compiled in).
+respond to Kerberos 4 requests
.It Xo
-.Fl r Ar realm ,
-.Fl -v4-realm= Ns Ar realm
+.Fl -kerberos4-cross-realm
+.Xc
+respond to Kerberos 4 requests from foreign realms.
+This is a known security hole and should not be enabled unless you
+understand the consequences and are willing to live with them.
+.It Xo
+.Fl r Ar string ,
+.Fl -v4-realm= Ns Ar string
.Xc
What realm this server should act as when dealing with version 4
-requests. The database can contain any number of realms, but since the
-version 4 protocol doesn't contain a realm for the server, it must be
-explicitly specified. The default is whatever is returned by
+requests.
+The database can contain any number of realms, but since the version 4
+protocol doesn't contain a realm for the server, it must be explicitly
+specified.
+The default is whatever is returned by
.Fn krb_get_lrealm .
This option is only availabe if the KDC has been compiled with version
4 support.
.It Xo
-.Fl P Ar string ,
-.Fl -ports= Ns Ar string
+.Fl K ,
+.Fl -kaserver
.Xc
-Specifies the set of ports the KDC should listen on. It is given as a
+Enable kaserver emulation (in case it's compiled in).
+.It Xo
+.Fl P Ar portspec ,
+.Fl -ports= Ns Ar portspec
+.Xc
+Specifies the set of ports the KDC should listen on.
+It is given as a
white-space separated list of services or port numbers.
.It Fl -addresses= Ns Ar list of addresses
-The list of addresses to listen for requests on. By default, the kdc
-will listen on all the locally configured addresses. If only a subset
-is desired, or the automatic detection fails, this option might be used.
+The list of addresses to listen for requests on.
+By default, the kdc will listen on all the locally configured
+addresses.
+If only a subset is desired, or the automatic detection fails, this
+option might be used.
.El
.Pp
-All activities , are logged to one or more destinations, see
+All activities are logged to one or more destinations, see
.Xr krb5.conf 5 ,
and
.Xr krb5_openlog 3 .
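Review bot: the new `--no-524`, `--kerberos4` and `-K`/`--kaserver` entries state no default, unlike `--kerberos4-cross-realm`, which correctly calls out the risk; because `-K` previously meant `--no-kaserver` (see the SYNOPSIS hunk), the `--kaserver` entry in particular should say what happens when the flag is absent, and `--kerberos4` should say whether version 4 requests are ignored by default. The two fragments `don't respond to 524 requests` and `respond to Kerberos 4 requests` should also be full sentences with capitalisation and a period like the surrounding entries, and `availabe` on the unchanged context line in the `--v4-realm` entry is a typo for `available`.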
@@ -104,13 +160,14 @@ The configuration file has the same syntax as
.Xr krb5.conf 5 ,
but will be read before
.Pa /etc/krb5.conf ,
-so it may override settings found there. Options specific to the KDC
-only are found in the
+so it may override settings found there.
+Options specific to the KDC only are found in the
.Dq [kdc]
section.
All the command-line options can preferably be added in the
-configuration file. The only difference is the pre-authentication flag,
-that has to be specified as:
+configuration file.
+The only difference is the pre-authentication flag, which has to be
+specified as:
.Pp
.Dl require-preauth = no
.Pp
@@ -121,21 +178,28 @@ And there are some configuration options which do not have
command-line equivalents:
.Bl -tag -width "xxx" -offset indent
.It Li check-ticket-addresses = Va boolean
-Check the addresses in the ticket when processing TGS requests. The
-default is FALSE.
+Check the addresses in the ticket when processing TGS requests.
+The default is FALSE.
.It Li allow-null-ticket-addresses = Va boolean
-Permit tickets with no addresses. This option is only relevant when
-check-ticket-addresses is TRUE.
+Permit tickets with no addresses.
+This option is only relevant when check-ticket-addresses is TRUE.
.It Li allow-anonymous = Va boolean
Permit anonymous tickets with no addresses.
.It encode_as_rep_as_tgs_rep = Va boolean
-Encode AS-Rep as TGS-Rep to be bug-compatible with old DCE code. The
-Heimdal clients allow both.
+Encode AS-Rep as TGS-Rep to be bug-compatible with old DCE code.
+The Heimdal clients allow both.
.It kdc_warn_pwexpire = Va time
How long before password/principal expiration the KDC should start
sending out warning messages.
.El
.Pp
+The configuration file is only read when the
+.Nm
+is started.
+If changes made to the configuration file are to take effect, the
+.Nm
+needs to be restarted.
+.Pp
An example of a config file:
.Bd -literal -offset indent
[kdc]
@@ -145,14 +209,15 @@ An example of a config file:
.Ed
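Review bot: the option names in this list use two markups: `check-ticket-addresses`, `allow-null-ticket-addresses` and `allow-anonymous` are wrapped in `.Li`, while the unchanged `encode_as_rep_as_tgs_rep` and `kdc_warn_pwexpire` lines are bare; since the adjacent entries are reflowed here, bring the two bare names into `.Li` as well, and state the default for `allow-anonymous` and `encode_as_rep_as_tgs_rep` the way the first two entries do. The added note that the configuration file is only read at startup is useful and worth keeping.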
.Sh BUGS
If the machine running the KDC has new addresses added to it, the KDC
-will have to be restarted to listen to them. The reason it doesn't
-just listen to wildcarded (like INADDR_ANY) addresses, is that the
-replies has to come from the same address they were sent to, and most
-OS:es doesn't pass this information to the application. If your normal
-mode of operation require that you add and remove addresses, the best
-option is probably to listen to a wildcarded TCP socket, and make sure
-your clients use TCP to connect. For instance, this will listen to
-IPv4 TCP port 88 only:
+will have to be restarted to listen to them.
+The reason it doesn't just listen to wildcarded (like INADDR_ANY)
+addresses, is that the replies has to come from the same address they
+were sent to, and most OS:es doesn't pass this information to the
+application.
+If your normal mode of operation require that you add and remove
+addresses, the best option is probably to listen to a wildcarded TCP
+socket, and make sure your clients use TCP to connect.
+For instance, this will listen to IPv4 TCP port 88 only:
.Bd -literal -offset indent
kdc --addresses=0.0.0.0 --ports="88/tcp"
.Ed
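Review bot: the reflowed BUGS paragraph keeps its grammar errors on the added lines: `the replies has to come` should be `the replies have to come`, `most OS:es doesn't pass` should be `most OSes don't pass`, and `If your normal mode of operation require` should be `requires`; since these lines are being rewritten in this hunk anyway, fix them in the same change rather than carrying the errors into the new text.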