Diffstat (limited to 'crypto/heimdal/kdc/kdc.cat8')
-rw-r--r-- | crypto/heimdal/kdc/kdc.cat8 | 76 |
1 files changed, 42 insertions, 34 deletions
diff --git a/crypto/heimdal/kdc/kdc.cat8 b/crypto/heimdal/kdc/kdc.cat8 index 234b76d..53b173b 100644 --- a/crypto/heimdal/kdc/kdc.cat8 +++ b/crypto/heimdal/kdc/kdc.cat8 @@ -1,14 +1,13 @@ - -KDC(8) UNIX System Manager's Manual KDC(8) +KDC(8) FreeBSD System Manager's Manual KDC(8) NNAAMMEE kkddcc - Kerberos 5 server SSYYNNOOPPSSIISS kkddcc [--cc _f_i_l_e | ----ccoonnffiigg--ffiillee==_f_i_l_e] [--pp | ----nnoo--rreeqquuiirree--pprreeaauutthh] - [----mmaaxx--rreeqquueesstt==_s_i_z_e] [--HH | ----eennaabbllee--hhttttpp] [--rr _s_t_r_i_n_g | ----vv44--rreeaallmm==_s_t_r_i_n_g] - [--KK | ----nnoo--kkaasseerrvveerr] [--rr _r_e_a_l_m] [----vv44--rreeaallmm==_r_e_a_l_m] [--PP _s_t_r_i_n_g | - ----ppoorrttss==_s_t_r_i_n_g] [----aaddddrreesssseess==_l_i_s_t _o_f _a_d_d_r_e_s_s_e_s] + [----mmaaxx--rreeqquueesstt==_s_i_z_e] [--HH | ----eennaabbllee--hhttttpp] [--rr _s_t_r_i_n_g | + ----vv44--rreeaallmm==_s_t_r_i_n_g] [--KK | ----nnoo--kkaasseerrvveerr] [--rr _r_e_a_l_m] [----vv44--rreeaallmm==_r_e_a_l_m] + [--PP _s_t_r_i_n_g | ----ppoorrttss==_s_t_r_i_n_g] [----aaddddrreesssseess==_l_i_s_t _o_f _a_d_d_r_e_s_s_e_s] DDEESSCCRRIIPPTTIIOONN kkddcc serves requests for tickets. When it starts, it first checks the 
@@ -17,25 +16,21 @@ DDEESSCCRRIIPPTTIIOONN Options supported: - --cc _f_i_l_e - - ----ccoonnffiigg--ffiillee==_f_i_l_e + --cc _f_i_l_e, ----ccoonnffiigg--ffiillee==_f_i_l_e Specifies the location of the config file, the default is - _/_v_a_r_/_h_e_i_m_d_a_l_/_k_d_c_._c_o_n_f. This is the only value that can't be spec- - ified in the config file. + _/_v_a_r_/_h_e_i_m_d_a_l_/_k_d_c_._c_o_n_f. This is the only value that can't be + specified in the config file. - --pp - - ----nnoo--rreeqquuiirree--pprreeaauutthh + --pp, ----nnoo--rreeqquuiirree--pprreeaauutthh Turn off the requirement for pre-autentication in the initial AS- REQ for all principals. The use of pre-authentication makes it more difficult to do offline password attacks. You might want to turn it off if you have clients that doesn't do pre-authentica- - tion. Since the version 4 protocol doesn't support any pre-au- - thentication, so serving version 4 clients is just about the same - as not requiring pre-athentication. The default is to require - pre-authentication. Adding the require-preauth per principal is a - more flexible way of handling this. + tion. Since the version 4 protocol doesn't support any pre- + authentication, so serving version 4 clients is just about the + same as not requiring pre-athentication. The default is to + require pre-authentication. Adding the require-preauth per prin- + cipal is a more flexible way of handling this. ----mmaaxx--rreeqquueesstt==_s_i_z_e Gives an upper limit on the size of the requests that the kdc is @@ -48,9 +43,7 @@ DDEESSCCRRIIPPTTIIOONN --KK, ----nnoo--kkaasseerrvveerr Disables kaserver emulation (in case it's compiled in). - --rr _r_e_a_l_m - - ----vv44--rreeaallmm==_r_e_a_l_m + --rr _r_e_a_l_m, ----vv44--rreeaallmm==_r_e_a_l_m What realm this server should act as when dealing with version 4 requests. The database can contain any number of realms, but since the version 4 protocol doesn't contain a realm for the 
@@ -65,19 +58,19 @@ DDEESSCCRRIIPPTTIIOONN ----aaddddrreesssseess==_l_i_s_t _o_f _a_d_d_r_e_s_s_e_s The list of addresses to listen for requests on. By default, the kdc will listen on all the locally configured addresses. If only - a subset is desired, or the automatic detection fails, this op- - tion might be used. + a subset is desired, or the automatic detection fails, this + option might be used. All activities , are logged to one or more destinations, see - krb5.conf(5), and krb5_openlog(3). The entity used for logging is kkddcc. + krb5.conf(5), and krb5_openlog(3). The entity used for logging is kkddcc. CCOONNFFIIGGUURRAATTIIOONN FFIILLEE - The configuration file has the same syntax as the _k_r_b_5_._c_o_n_f file (you can - actually put the configuration in _/_e_t_c_/_k_r_b_5_._c_o_n_f, and then start the KDC - with ----ccoonnffiigg--ffiillee==_/_e_t_c_/_k_r_b_5_._c_o_n_f). All options should be in a section - called ``kdc''. All the command-line options can preferably be added in - the configuration file. The only difference is the pre-authentication - flag, that has to be specified as: + The configuration file has the same syntax as krb5.conf(5), but will be + read before _/_e_t_c_/_k_r_b_5_._c_o_n_f, so it may override settings found there. + Options specific to the KDC only are found in the ``[kdc]'' section. All + the command-line options can preferably be added in the configuration + file. The only difference is the pre-authentication flag, that has to be + specified as: require-preauth = no @@ -87,8 +80,8 @@ CCOONNFFIIGGUURRAATTIIOONN FFIILLEE equivalents: check-ticket-addresses = _b_o_o_l_e_a_n - Check the addresses in the ticket when processing TGS re- - quests. The default is FALSE. + Check the addresses in the ticket when processing TGS + requests. The default is FALSE. allow-null-ticket-addresses = _b_o_o_l_e_a_n Permit tickets with no addresses. This option is only rele- 
@@ -112,7 +105,22 @@ CCOONNFFIIGGUURRAATTIIOONN FFIILLEE v4-realm = FOO.SE key-file = /key-file +BBUUGGSS + If the machine running the KDC has new addresses added to it, the KDC + will have to be restarted to listen to them. The reason it doesn't just + listen to wildcarded (like INADDR_ANY) addresses, is that the replies has + to come from the same address they were sent to, and most OS:es doesn't + pass this information to the application. If your normal mode of opera- + tion require that you add and remove addresses, the best option is proba- + bly to listen to a wildcarded TCP socket, and make sure your clients use + TCP to connect. For instance, this will listen to IPv4 TCP port 88 only: + + kdc --addresses=0.0.0.0 --ports="88/tcp" + + There should be a way to specify protocol, port, and address triplets, + not just addresses and protocol, port tuples. + SSEEEE AALLSSOO - kinit(1) + kinit(1), krb5.conf(5) - HEIMDAL July 27, 1997 2 +HEIMDAL August 22, 2002 HEIMDAL |
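Review bot: In the SYNOPSIS lines of the @@ -1,14 +1,13 @@ hunk, the re-wrapped text still lists the version 4 realm option twice, once as [-r string | --v4-realm=string] and again as [-r realm] [--v4-realm=realm]. The DESCRIPTION documents a single form (-r realm, --v4-realm=realm), so the duplicate entry should be dropped. Because this file is formatted output with overstruck characters, make the correction in the manual page source and regenerate the cat page rather than editing it by hand.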
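Review bot: In the -p, --no-require-preauth paragraph of the @@ -17,25 +16,21 @@ hunk, the re-wrapped added lines keep the misspelling "pre-athentication" and the "Since ... so serving version 4 clients" construction, and the unchanged context just above still reads "pre-autentication" and "clients that doesn't". This is the paragraph that explains why pre-authentication matters against offline password attacks, so it is worth correcting while the lines are being touched. Suggested wording: "Since the version 4 protocol doesn't support pre-authentication, serving version 4 clients is about the same as not requiring pre-authentication."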
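Review bot: In the CONFIGURATION FILE paragraph of the @@ -65,19 +58,19 @@ hunk, "will be read before /etc/krb5.conf, so it may override settings found there" leaves the precedence unclear: being read first does not by itself say which value wins when both files set the same key. Since require-preauth is controlled from this file, the text should state the rule outright, for example that a value set here takes priority over the same value in /etc/krb5.conf, if that is the intended behaviour. The new text also drops the earlier hint about starting the KDC with --config-file=/etc/krb5.conf. Say whether that still works. The unchanged "All activities , are logged" in this hunk has a stray space before the comma.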
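Review bot: In the new BUGS section of the @@ -112,7 +105,22 @@ hunk, the example kdc --addresses=0.0.0.0 --ports="88/tcp" is described as listening on "IPv4 TCP port 88 only", but the text does not spell out the consequences: clients that send requests over UDP are no longer served, and a wildcard listener will also accept connections on any address added to the machine later, including ones the administrator did not intend to serve Kerberos on. Add a sentence on both points so the workaround is not applied blindly. There are also grammar slips to fix in the added lines: "the replies has to come", "most OS:es doesn't pass" and "If your normal mode of operation require".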