Diffstat (limited to 'crypto/heimdal/kdc/kdc.8')
-rw-r--r--  crypto/heimdal/kdc/kdc.8 | 165
1 files changed, 115 insertions, 50 deletions
diff --git a/crypto/heimdal/kdc/kdc.8 b/crypto/heimdal/kdc/kdc.8 index 20c180a..baae563 100644 --- a/crypto/heimdal/kdc/kdc.8 +++ b/crypto/heimdal/kdc/kdc.8 @@ -1,4 +1,35 @@ -.\" $Id: kdc.8,v 1.17 2002/08/28 21:09:05 joda Exp $ +.\" Copyright (c) 2003 Kungliga Tekniska Högskolan +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $Id: kdc.8,v 1.23 2003/04/06 17:48:40 lha Exp $ .\" .Dd August 22, 2002 .Dt KDC 8 
@@ -15,23 +46,26 @@ .Op Fl p | Fl -no-require-preauth .Op Fl -max-request= Ns Ar size .Op Fl H | Fl -enable-http +.Op Fl -no-524 +.Op Fl -kerberos4 +.Op Fl -kerberos4-cross-realm .Oo Fl r Ar string \*(Ba Xo .Fl -v4-realm= Ns Ar string .Xc .Oc -.Op Fl K | Fl -no-kaserver -.Op Fl r Ar realm -.Op Fl -v4-realm= Ns Ar realm -.Oo Fl P Ar string \*(Ba Xo -.Fl -ports= Ns Ar string +.Op Fl K | Fl -kaserver +.Oo Fl P Ar portspec \*(Ba Xo +.Fl -ports= Ns Ar portspec .Xc .Oc +.Op Fl -detach .Op Fl -addresses= Ns Ar list of addresses .Sh DESCRIPTION .Nm -serves requests for tickets. When it starts, it first checks the flags -passed, any options that are not specified with a command line flag is -taken from a config file, or from a default compiled-in value. +serves requests for tickets. +When it starts, it first checks the flags passed, any options that are +not specified with a command line flag are taken from a config file, +or from a default compiled-in value. .Pp Options supported: .Bl -tag -width Ds 
@@ -47,14 +81,17 @@ This is the only value that can't be specified in the config file. .Fl -no-require-preauth .Xc Turn off the requirement for pre-autentication in the initial AS-REQ -for all principals. The use of pre-authentication makes it more -difficult to do offline password attacks. You might want to turn it -off if you have clients that doesn't do pre-authentication. Since the -version 4 protocol doesn't support any pre-authentication, so serving -version 4 clients is just about the same as not requiring -pre-athentication. The default is to require -pre-authentication. Adding the require-preauth per principal is a more -flexible way of handling this. +for all principals. +The use of pre-authentication makes it more difficult to do offline +password attacks. +You might want to turn it off if you have clients +that don't support pre-authentication. +Since the version 4 protocol doesn't support any pre-authentication, +serving version 4 clients is just about the same as not requiring +pre-athentication. +The default is to require pre-authentication. +Adding the require-preauth per principal is a more flexible way of +handling this. .It Xo .Fl -max-request= Ns Ar size .Xc 
@@ -66,34 +103,53 @@ willing to handle. .Xc Makes the kdc listen on port 80 and handle requests encapsulated in HTTP. .It Xo -.Fl K , -.Fl -no-kaserver +.Fl -no-524 +.Xc +don't respond to 524 requests +.It Xo +.Fl -kerberos4 .Xc -Disables kaserver emulation (in case it's compiled in). +respond to Kerberos 4 requests .It Xo -.Fl r Ar realm , -.Fl -v4-realm= Ns Ar realm +.Fl -kerberos4-cross-realm +.Xc +respond to Kerberos 4 requests from foreign realms. +This is a known security hole and should not be enabled unless you +understand the consequences and are willing to live with them. +.It Xo +.Fl r Ar string , +.Fl -v4-realm= Ns Ar string .Xc What realm this server should act as when dealing with version 4 -requests. The database can contain any number of realms, but since the -version 4 protocol doesn't contain a realm for the server, it must be -explicitly specified. The default is whatever is returned by +requests. +The database can contain any number of realms, but since the version 4 +protocol doesn't contain a realm for the server, it must be explicitly +specified. +The default is whatever is returned by .Fn krb_get_lrealm . This option is only availabe if the KDC has been compiled with version 4 support. .It Xo -.Fl P Ar string , -.Fl -ports= Ns Ar string +.Fl K , +.Fl -kaserver .Xc -Specifies the set of ports the KDC should listen on. It is given as a +Enable kaserver emulation (in case it's compiled in). +.It Xo +.Fl P Ar portspec , +.Fl -ports= Ns Ar portspec +.Xc +Specifies the set of ports the KDC should listen on. +It is given as a white-space separated list of services or port numbers. .It Fl -addresses= Ns Ar list of addresses -The list of addresses to listen for requests on. By default, the kdc -will listen on all the locally configured addresses. If only a subset -is desired, or the automatic detection fails, this option might be used. +The list of addresses to listen for requests on. 
+By default, the kdc will listen on all the locally configured +addresses. +If only a subset is desired, or the automatic detection fails, this +option might be used. .El .Pp -All activities , are logged to one or more destinations, see +All activities are logged to one or more destinations, see .Xr krb5.conf 5 , and .Xr krb5_openlog 3 . @@ -104,13 +160,14 @@ The configuration file has the same syntax as .Xr krb5.conf 5 , but will be read before .Pa /etc/krb5.conf , -so it may override settings found there. Options specific to the KDC -only are found in the +so it may override settings found there. +Options specific to the KDC only are found in the .Dq [kdc] section. All the command-line options can preferably be added in the -configuration file. The only difference is the pre-authentication flag, -that has to be specified as: +configuration file. +The only difference is the pre-authentication flag, which has to be +specified as: .Pp .Dl require-preauth = no .Pp 
@@ -121,21 +178,28 @@ And there are some configuration options which do not have command-line equivalents: .Bl -tag -width "xxx" -offset indent .It Li check-ticket-addresses = Va boolean -Check the addresses in the ticket when processing TGS requests. The -default is FALSE. +Check the addresses in the ticket when processing TGS requests. +The default is FALSE. .It Li allow-null-ticket-addresses = Va boolean -Permit tickets with no addresses. This option is only relevant when -check-ticket-addresses is TRUE. +Permit tickets with no addresses. +This option is only relevant when check-ticket-addresses is TRUE. .It Li allow-anonymous = Va boolean Permit anonymous tickets with no addresses. .It encode_as_rep_as_tgs_rep = Va boolean -Encode AS-Rep as TGS-Rep to be bug-compatible with old DCE code. The -Heimdal clients allow both. +Encode AS-Rep as TGS-Rep to be bug-compatible with old DCE code. +The Heimdal clients allow both. .It kdc_warn_pwexpire = Va time How long before password/principal expiration the KDC should start sending out warning messages. .El .Pp +The configuration file is only read when the +.Nm +is started. +If changes made to the configuration file are to take effect, the +.Nm +needs to be restarted. +.Pp An example of a config file: .Bd -literal -offset indent [kdc] 
@@ -145,14 +209,15 @@ An example of a config file: .Ed .Sh BUGS If the machine running the KDC has new addresses added to it, the KDC -will have to be restarted to listen to them. The reason it doesn't -just listen to wildcarded (like INADDR_ANY) addresses, is that the -replies has to come from the same address they were sent to, and most -OS:es doesn't pass this information to the application. If your normal -mode of operation require that you add and remove addresses, the best -option is probably to listen to a wildcarded TCP socket, and make sure -your clients use TCP to connect. For instance, this will listen to -IPv4 TCP port 88 only: +will have to be restarted to listen to them. +The reason it doesn't just listen to wildcarded (like INADDR_ANY) +addresses, is that the replies has to come from the same address they +were sent to, and most OS:es doesn't pass this information to the +application. +If your normal mode of operation require that you add and remove +addresses, the best option is probably to listen to a wildcarded TCP +socket, and make sure your clients use TCP to connect. +For instance, this will listen to IPv4 TCP port 88 only: .Bd -literal -offset indent kdc --addresses=0.0.0.0 --ports="88/tcp" .Ed |
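Review bot: in the first hunk the `.Dd August 22, 2002` line is left untouched even though the $Id$ line moves to 2003/04/06 and the patch adds four new options (--no-524, --kerberos4, --kerberos4-cross-realm, --detach); bump .Dd to the date of this revision so the rendered page reflects when the content last changed.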
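Review bot: the rewrapped DESCRIPTION sentence in the SYNOPSIS hunk is still a comma splice: "it first checks the flags passed, any options that are not specified with a command line flag are taken from a config file". Split it, e.g. "it first checks the flags passed; any options not specified with a command line flag are taken from a config file, or from a default compiled-in value." Also, `.Op Fl -detach` is added to the SYNOPSIS here but nothing in this patch describes it (there is no `.It` entry for it in the option list), so a reader cannot learn what it does; add the entry.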
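Review bot: the pre-authentication hunk rewraps the paragraph but carries the misspelling "pre-athentication." through unchanged, and the context line above it has "pre-autentication"; since these lines are being touched anyway, fix both to "pre-authentication". Now that --kerberos4 exists as a runtime switch, the paragraph should also state the interaction explicitly: enabling --kerberos4 lets version 4 clients obtain tickets without any pre-authentication regardless of the --require-preauth setting, which is the point the "just about the same as not requiring pre-authentication" sentence is making.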
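Review bot: in the option-description hunk the entries for --no-524 ("don't respond to 524 requests") and --kerberos4 ("respond to Kerberos 4 requests") are lowercase fragments with no terminal period and no statement of the default, unlike every other entry in the list; give each a full sentence, say whether the behaviour is on or off by default, and say what a 524 request is (the krb524 v5-to-v4 ticket conversion). The --kerberos4-cross-realm entry says "known security hole" without saying what the hole is or who can exploit it; one sentence on the consequence is needed for an administrator to weigh it. The --kerberos4 entry should also carry the "only available if the KDC has been compiled with version 4 support" sentence that the -r/--v4-realm entry keeps, and the typo "availabe" in that context line could be fixed while here.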
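Review bot: the configuration-file hunk's rewrapped text, "All the command-line options can preferably be added in the configuration file. The only difference is the pre-authentication flag, which has to be specified as: require-preauth = no", needs rechecking after this patch: with negated flags such as --no-524 now in the option list, the claim that require-preauth is the only option whose configuration-file form differs from its command-line form is unlikely to still hold. Document the configuration-file key for each newly added option. "can preferably be added" is also awkward; "All command-line options can also be set in the configuration file, which is the preferred way" reads better.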
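Review bot: the rewrapped lines in the config-options hunk keep ".It encode_as_rep_as_tgs_rep = Va boolean" and ".It kdc_warn_pwexpire = Va time" without the "Li" that the three entries above them use (".It Li check-ticket-addresses = Va boolean"), so these two render differently from the rest of the list; add "Li" while the lines are being touched. The new "configuration file is only read when the kdc is started" paragraph is a useful operational note; consider placing it before the option list rather than after it, since it applies to every key in this section.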
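Review bot: the BUGS hunk rewraps the paragraph but preserves three grammar errors: "the replies has to come" (have to come), "most OS:es doesn't pass" (most OSes don't pass), and "If your normal mode of operation require" (requires). The example `kdc --addresses=0.0.0.0 --ports="88/tcp"` is correct for what the text describes, but the sentence before it should say outright that with this configuration UDP clients get no answer at all, since "make sure your clients use TCP" is the only hint of that.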