Diffstat (limited to 'crypto/heimdal/kdc/kdc.cat8')
-rw-r--r-- | crypto/heimdal/kdc/kdc.cat8 | 118 |
1 files changed, 118 insertions, 0 deletions
diff --git a/crypto/heimdal/kdc/kdc.cat8 b/crypto/heimdal/kdc/kdc.cat8 new file mode 100644 index 0000000..234b76d --- /dev/null +++ b/crypto/heimdal/kdc/kdc.cat8 
@@ -0,0 +1,118 @@ + +KDC(8) UNIX System Manager's Manual KDC(8) + +NNAAMMEE + kkddcc - Kerberos 5 server + +SSYYNNOOPPSSIISS + kkddcc [--cc _f_i_l_e | ----ccoonnffiigg--ffiillee==_f_i_l_e] [--pp | ----nnoo--rreeqquuiirree--pprreeaauutthh] + [----mmaaxx--rreeqquueesstt==_s_i_z_e] [--HH | ----eennaabbllee--hhttttpp] [--rr _s_t_r_i_n_g | ----vv44--rreeaallmm==_s_t_r_i_n_g] + [--KK | ----nnoo--kkaasseerrvveerr] [--rr _r_e_a_l_m] [----vv44--rreeaallmm==_r_e_a_l_m] [--PP _s_t_r_i_n_g | + ----ppoorrttss==_s_t_r_i_n_g] [----aaddddrreesssseess==_l_i_s_t _o_f _a_d_d_r_e_s_s_e_s] + +DDEESSCCRRIIPPTTIIOONN + kkddcc serves requests for tickets. When it starts, it first checks the + flags passed, any options that are not specified with a command line flag + is taken from a config file, or from a default compiled-in value. + + Options supported: + + --cc _f_i_l_e + + ----ccoonnffiigg--ffiillee==_f_i_l_e + Specifies the location of the config file, the default is + _/_v_a_r_/_h_e_i_m_d_a_l_/_k_d_c_._c_o_n_f. This is the only value that can't be spec- + ified in the config file. + + --pp + + ----nnoo--rreeqquuiirree--pprreeaauutthh + Turn off the requirement for pre-autentication in the initial AS- + REQ for all principals. The use of pre-authentication makes it + more difficult to do offline password attacks. You might want to + turn it off if you have clients that doesn't do pre-authentica- + tion. Since the version 4 protocol doesn't support any pre-au- + thentication, so serving version 4 clients is just about the same + as not requiring pre-athentication. The default is to require + pre-authentication. Adding the require-preauth per principal is a + more flexible way of handling this. + + ----mmaaxx--rreeqquueesstt==_s_i_z_e + Gives an upper limit on the size of the requests that the kdc is + willing to handle. + + --HH, ----eennaabbllee--hhttttpp + Makes the kdc listen on port 80 and handle requests encapsulated + in HTTP. 
+ + --KK, ----nnoo--kkaasseerrvveerr + Disables kaserver emulation (in case it's compiled in). + + --rr _r_e_a_l_m + + ----vv44--rreeaallmm==_r_e_a_l_m + What realm this server should act as when dealing with version 4 + requests. The database can contain any number of realms, but + since the version 4 protocol doesn't contain a realm for the + server, it must be explicitly specified. The default is whatever + is returned by kkrrbb__ggeett__llrreeaallmm(). This option is only availabe if + the KDC has been compiled with version 4 support. + + --PP _s_t_r_i_n_g, ----ppoorrttss==_s_t_r_i_n_g + Specifies the set of ports the KDC should listen on. It is given + as a white-space separated list of services or port numbers. + + ----aaddddrreesssseess==_l_i_s_t _o_f _a_d_d_r_e_s_s_e_s + The list of addresses to listen for requests on. By default, the + kdc will listen on all the locally configured addresses. If only + a subset is desired, or the automatic detection fails, this op- + tion might be used. + + All activities , are logged to one or more destinations, see + krb5.conf(5), and krb5_openlog(3). The entity used for logging is kkddcc. + +CCOONNFFIIGGUURRAATTIIOONN FFIILLEE + The configuration file has the same syntax as the _k_r_b_5_._c_o_n_f file (you can + actually put the configuration in _/_e_t_c_/_k_r_b_5_._c_o_n_f, and then start the KDC + with ----ccoonnffiigg--ffiillee==_/_e_t_c_/_k_r_b_5_._c_o_n_f). All options should be in a section + called ``kdc''. All the command-line options can preferably be added in + the configuration file. The only difference is the pre-authentication + flag, that has to be specified as: + + require-preauth = no + + (in fact you can specify the option as ----rreeqquuiirree--pprreeaauutthh==nnoo). + + And there are some configuration options which do not have command-line + equivalents: + + check-ticket-addresses = _b_o_o_l_e_a_n + Check the addresses in the ticket when processing TGS re- + quests. The default is FALSE. 
+ + allow-null-ticket-addresses = _b_o_o_l_e_a_n + Permit tickets with no addresses. This option is only rele- + vant when check-ticket-addresses is TRUE. + + allow-anonymous = _b_o_o_l_e_a_n + Permit anonymous tickets with no addresses. + + encode_as_rep_as_tgs_rep = _b_o_o_l_e_a_n + Encode AS-Rep as TGS-Rep to be bug-compatible with old DCE + code. The Heimdal clients allow both. + + kdc_warn_pwexpire = _t_i_m_e + How long before password/principal expiration the KDC should + start sending out warning messages. + + An example of a config file: + + [kdc] + require-preauth = no + v4-realm = FOO.SE + key-file = /key-file + +SSEEEE AALLSSOO + kinit(1) + + HEIMDAL July 27, 1997 2 |
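Review bot: The example config at the end of the CONFIGURATION FILE section sets "require-preauth = no", while the DESCRIPTION says pre-authentication makes offline password attacks more difficult and that requiring it is the default. An administrator who copies the example verbatim turns that protection off for all principals. I would drop that line from the example, or keep the default and point to the per-principal require-preauth flag that the page already calls the more flexible way of handling this. The same example uses "key-file = /key-file", which is not described anywhere in the option list, so it either needs an entry or should be removed. In the SYNOPSIS, -r / --v4-realm appears twice, once with a string argument and once with a realm argument; one of the two should go. Smaller points: "pre-autentication", "pre-athentication" and "availabe" are misspelled, "any options ... is taken" should read "are taken", "clients that doesn't" should read "clients that don't", "All activities , are logged" has a stray comma, and --max-request gives neither a unit nor a default for its size argument.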