Diffstat (limited to 'crypto/heimdal/kdc/kdc.cat8')
-rw-r--r-- crypto/heimdal/kdc/kdc.cat8 118
1 files changed, 118 insertions, 0 deletions
diff --git a/crypto/heimdal/kdc/kdc.cat8 b/crypto/heimdal/kdc/kdc.cat8
new file mode 100644
index 0000000..234b76d
--- /dev/null
+++ b/crypto/heimdal/kdc/kdc.cat8
@@ -0,0 +1,118 @@
+
+KDC(8) UNIX System Manager's Manual KDC(8)
+
+NNAAMMEE
+ kkddcc - Kerberos 5 server
+
+SSYYNNOOPPSSIISS
+ kkddcc [--cc _f_i_l_e | ----ccoonnffiigg--ffiillee==_f_i_l_e] [--pp | ----nnoo--rreeqquuiirree--pprreeaauutthh]
+ [----mmaaxx--rreeqquueesstt==_s_i_z_e] [--HH | ----eennaabbllee--hhttttpp] [--rr _s_t_r_i_n_g | ----vv44--rreeaallmm==_s_t_r_i_n_g]
+ [--KK | ----nnoo--kkaasseerrvveerr] [--rr _r_e_a_l_m] [----vv44--rreeaallmm==_r_e_a_l_m] [--PP _s_t_r_i_n_g |
+ ----ppoorrttss==_s_t_r_i_n_g] [----aaddddrreesssseess==_l_i_s_t _o_f _a_d_d_r_e_s_s_e_s]
+
+DDEESSCCRRIIPPTTIIOONN
+ kkddcc serves requests for tickets. When it starts, it first checks the
+ flags passed, any options that are not specified with a command line flag
+ is taken from a config file, or from a default compiled-in value.
+
+ Options supported:
+
+ --cc _f_i_l_e
+
+ ----ccoonnffiigg--ffiillee==_f_i_l_e
+ Specifies the location of the config file, the default is
+ _/_v_a_r_/_h_e_i_m_d_a_l_/_k_d_c_._c_o_n_f. This is the only value that can't be spec-
+ ified in the config file.
+
+ --pp
+
+ ----nnoo--rreeqquuiirree--pprreeaauutthh
+ Turn off the requirement for pre-autentication in the initial AS-
+ REQ for all principals. The use of pre-authentication makes it
+ more difficult to do offline password attacks. You might want to
+ turn it off if you have clients that doesn't do pre-authentica-
+ tion. Since the version 4 protocol doesn't support any pre-au-
+ thentication, so serving version 4 clients is just about the same
+ as not requiring pre-athentication. The default is to require
+ pre-authentication. Adding the require-preauth per principal is a
+ more flexible way of handling this.
+
+ ----mmaaxx--rreeqquueesstt==_s_i_z_e
+ Gives an upper limit on the size of the requests that the kdc is
+ willing to handle.
+
+ --HH, ----eennaabbllee--hhttttpp
+ Makes the kdc listen on port 80 and handle requests encapsulated
+ in HTTP.
+
+ --KK, ----nnoo--kkaasseerrvveerr
+ Disables kaserver emulation (in case it's compiled in).
+
+ --rr _r_e_a_l_m
+
+ ----vv44--rreeaallmm==_r_e_a_l_m
+ What realm this server should act as when dealing with version 4
+ requests. The database can contain any number of realms, but
+ since the version 4 protocol doesn't contain a realm for the
+ server, it must be explicitly specified. The default is whatever
+ is returned by kkrrbb__ggeett__llrreeaallmm(). This option is only availabe if
+ the KDC has been compiled with version 4 support.
+
+ --PP _s_t_r_i_n_g, ----ppoorrttss==_s_t_r_i_n_g
+ Specifies the set of ports the KDC should listen on. It is given
+ as a white-space separated list of services or port numbers.
+
+ ----aaddddrreesssseess==_l_i_s_t _o_f _a_d_d_r_e_s_s_e_s
+ The list of addresses to listen for requests on. By default, the
+ kdc will listen on all the locally configured addresses. If only
+ a subset is desired, or the automatic detection fails, this op-
+ tion might be used.
+
+ All activities , are logged to one or more destinations, see
+ krb5.conf(5), and krb5_openlog(3). The entity used for logging is kkddcc.
+
+CCOONNFFIIGGUURRAATTIIOONN FFIILLEE
+ The configuration file has the same syntax as the _k_r_b_5_._c_o_n_f file (you can
+ actually put the configuration in _/_e_t_c_/_k_r_b_5_._c_o_n_f, and then start the KDC
+ with ----ccoonnffiigg--ffiillee==_/_e_t_c_/_k_r_b_5_._c_o_n_f). All options should be in a section
+ called ``kdc''. All the command-line options can preferably be added in
+ the configuration file. The only difference is the pre-authentication
+ flag, that has to be specified as:
+
+ require-preauth = no
+
+ (in fact you can specify the option as ----rreeqquuiirree--pprreeaauutthh==nnoo).
+
+ And there are some configuration options which do not have command-line
+ equivalents:
+
+ check-ticket-addresses = _b_o_o_l_e_a_n
+ Check the addresses in the ticket when processing TGS re-
+ quests. The default is FALSE.
+
+ allow-null-ticket-addresses = _b_o_o_l_e_a_n
+ Permit tickets with no addresses. This option is only rele-
+ vant when check-ticket-addresses is TRUE.
+
+ allow-anonymous = _b_o_o_l_e_a_n
+ Permit anonymous tickets with no addresses.
+
+ encode_as_rep_as_tgs_rep = _b_o_o_l_e_a_n
+ Encode AS-Rep as TGS-Rep to be bug-compatible with old DCE
+ code. The Heimdal clients allow both.
+
+ kdc_warn_pwexpire = _t_i_m_e
+ How long before password/principal expiration the KDC should
+ start sending out warning messages.
+
+ An example of a config file:
+
+ [kdc]
+ require-preauth = no
+ v4-realm = FOO.SE
+ key-file = /key-file
+
+SSEEEE AALLSSOO
+ kinit(1)
+
+ HEIMDAL July 27, 1997 2
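Review bot: The example config file at the end of the CONFIGURATION FILE section sets `require-preauth = no`, the setting that the DESCRIPTION text for -p says removes a protection against offline password attacks, and it uses `key-file = /key-file`, which is not documented in either option list. Suggest leaving pre-authentication at its default in the example (or stating that `no` is only for clients that cannot pre-authenticate, with the per-principal require-preauth flag as the preferred route) and adding a `key-file` entry under the options without command-line equivalents. Separately, the SYNOPSIS lists -r and --v4-realm twice, once taking "string" and once taking "realm", while the options list only documents the "realm" form, and the text carries typos ("pre-autentication", "pre-athentication", "availabe", "All activities , are logged"). Since kdc.cat8 is formatted output, these are best corrected in the man page source it is generated from and the cat page regenerated.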