path: root/crypto/heimdal/kdc/kdc.cat8
Diffstat (limited to 'crypto/heimdal/kdc/kdc.cat8')
-rw-r--r-- crypto/heimdal/kdc/kdc.cat8 76
1 files changed, 42 insertions, 34 deletions
diff --git a/crypto/heimdal/kdc/kdc.cat8 b/crypto/heimdal/kdc/kdc.cat8
index 234b76d..53b173b 100644
--- a/crypto/heimdal/kdc/kdc.cat8
+++ b/crypto/heimdal/kdc/kdc.cat8
@@ -1,14 +1,13 @@
-
-KDC(8) UNIX System Manager's Manual KDC(8)
+KDC(8) FreeBSD System Manager's Manual KDC(8)
NNAAMMEE
kkddcc - Kerberos 5 server
SSYYNNOOPPSSIISS
kkddcc [--cc _f_i_l_e | ----ccoonnffiigg--ffiillee==_f_i_l_e] [--pp | ----nnoo--rreeqquuiirree--pprreeaauutthh]
- [----mmaaxx--rreeqquueesstt==_s_i_z_e] [--HH | ----eennaabbllee--hhttttpp] [--rr _s_t_r_i_n_g | ----vv44--rreeaallmm==_s_t_r_i_n_g]
- [--KK | ----nnoo--kkaasseerrvveerr] [--rr _r_e_a_l_m] [----vv44--rreeaallmm==_r_e_a_l_m] [--PP _s_t_r_i_n_g |
- ----ppoorrttss==_s_t_r_i_n_g] [----aaddddrreesssseess==_l_i_s_t _o_f _a_d_d_r_e_s_s_e_s]
+ [----mmaaxx--rreeqquueesstt==_s_i_z_e] [--HH | ----eennaabbllee--hhttttpp] [--rr _s_t_r_i_n_g |
+ ----vv44--rreeaallmm==_s_t_r_i_n_g] [--KK | ----nnoo--kkaasseerrvveerr] [--rr _r_e_a_l_m] [----vv44--rreeaallmm==_r_e_a_l_m]
+ [--PP _s_t_r_i_n_g | ----ppoorrttss==_s_t_r_i_n_g] [----aaddddrreesssseess==_l_i_s_t _o_f _a_d_d_r_e_s_s_e_s]
DDEESSCCRRIIPPTTIIOONN
kkddcc serves requests for tickets. When it starts, it first checks the
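Review bot: The synopsis still lists -r and --v4-realm twice, once as "[-r string | --v4-realm=string]" and again as "[-r realm] [--v4-realm=realm]"; the rewrap carries the duplicate over unchanged. The options section documents only the realm form, so the string entry should be dropped. Because this file is the formatted cat page, make the correction in the manual source it is generated from so that it survives the next regeneration.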
@@ -17,25 +16,21 @@ DDEESSCCRRIIPPTTIIOONN
Options supported:
- --cc _f_i_l_e
-
- ----ccoonnffiigg--ffiillee==_f_i_l_e
+ --cc _f_i_l_e, ----ccoonnffiigg--ffiillee==_f_i_l_e
Specifies the location of the config file, the default is
- _/_v_a_r_/_h_e_i_m_d_a_l_/_k_d_c_._c_o_n_f. This is the only value that can't be spec-
- ified in the config file.
+ _/_v_a_r_/_h_e_i_m_d_a_l_/_k_d_c_._c_o_n_f. This is the only value that can't be
+ specified in the config file.
- --pp
-
- ----nnoo--rreeqquuiirree--pprreeaauutthh
+ --pp, ----nnoo--rreeqquuiirree--pprreeaauutthh
Turn off the requirement for pre-autentication in the initial AS-
REQ for all principals. The use of pre-authentication makes it
more difficult to do offline password attacks. You might want to
turn it off if you have clients that doesn't do pre-authentica-
- tion. Since the version 4 protocol doesn't support any pre-au-
- thentication, so serving version 4 clients is just about the same
- as not requiring pre-athentication. The default is to require
- pre-authentication. Adding the require-preauth per principal is a
- more flexible way of handling this.
+ tion. Since the version 4 protocol doesn't support any pre-
+ authentication, so serving version 4 clients is just about the
+ same as not requiring pre-athentication. The default is to
+ require pre-authentication. Adding the require-preauth per prin-
+ cipal is a more flexible way of handling this.
----mmaaxx--rreeqquueesstt==_s_i_z_e
Gives an upper limit on the size of the requests that the kdc is
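Review bot: The rewrapped -p paragraph keeps its spelling and grammar errors: "pre-autentication" in the unchanged first line, "pre-athentication" on the added line beginning "same as not requiring", "clients that doesn't", and the "Since ... so" construction. These lines are being touched anyway, so fix them in the same change. Since the flag turns pre-authentication off for all principals, it would also help to say next to the last sentence that the per-principal require-preauth setting is the preferred way to accommodate a few clients that cannot pre-authenticate.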
@@ -48,9 +43,7 @@ DDEESSCCRRIIPPTTIIOONN
--KK, ----nnoo--kkaasseerrvveerr
Disables kaserver emulation (in case it's compiled in).
- --rr _r_e_a_l_m
-
- ----vv44--rreeaallmm==_r_e_a_l_m
+ --rr _r_e_a_l_m, ----vv44--rreeaallmm==_r_e_a_l_m
What realm this server should act as when dealing with version 4
requests. The database can contain any number of realms, but
since the version 4 protocol doesn't contain a realm for the
@@ -65,19 +58,19 @@ DDEESSCCRRIIPPTTIIOONN
----aaddddrreesssseess==_l_i_s_t _o_f _a_d_d_r_e_s_s_e_s
The list of addresses to listen for requests on. By default, the
kdc will listen on all the locally configured addresses. If only
- a subset is desired, or the automatic detection fails, this op-
- tion might be used.
+ a subset is desired, or the automatic detection fails, this
+ option might be used.
All activities , are logged to one or more destinations, see
- krb5.conf(5), and krb5_openlog(3). The entity used for logging is kkddcc.
+ krb5.conf(5), and krb5_openlog(3). The entity used for logging is kkddcc.
CCOONNFFIIGGUURRAATTIIOONN FFIILLEE
- The configuration file has the same syntax as the _k_r_b_5_._c_o_n_f file (you can
- actually put the configuration in _/_e_t_c_/_k_r_b_5_._c_o_n_f, and then start the KDC
- with ----ccoonnffiigg--ffiillee==_/_e_t_c_/_k_r_b_5_._c_o_n_f). All options should be in a section
- called ``kdc''. All the command-line options can preferably be added in
- the configuration file. The only difference is the pre-authentication
- flag, that has to be specified as:
+ The configuration file has the same syntax as krb5.conf(5), but will be
+ read before _/_e_t_c_/_k_r_b_5_._c_o_n_f, so it may override settings found there.
+ Options specific to the KDC only are found in the ``[kdc]'' section. All
+ the command-line options can preferably be added in the configuration
+ file. The only difference is the pre-authentication flag, that has to be
+ specified as:
require-preauth = no
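Review bot: The new CONFIGURATION FILE paragraph says this file is read before /etc/krb5.conf and "may override settings found there", but it does not say which sections other than [kdc] are honoured from it. That leaves an administrator unable to tell which krb5.conf settings can be silently superseded on the KDC host. Suggest one sentence stating the scope of the override. Separately, the removed and added lines for "krb5.conf(5), and krb5_openlog(3)" appear to differ only in whitespace, and the context line "All activities , are logged" has a stray space before the comma that could be fixed here.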
@@ -87,8 +80,8 @@ CCOONNFFIIGGUURRAATTIIOONN FFIILLEE
equivalents:
check-ticket-addresses = _b_o_o_l_e_a_n
- Check the addresses in the ticket when processing TGS re-
- quests. The default is FALSE.
+ Check the addresses in the ticket when processing TGS
+ requests. The default is FALSE.
allow-null-ticket-addresses = _b_o_o_l_e_a_n
Permit tickets with no addresses. This option is only rele-
@@ -112,7 +105,22 @@ CCOONNFFIIGGUURRAATTIIOONN FFIILLEE
v4-realm = FOO.SE
key-file = /key-file
+BBUUGGSS
+ If the machine running the KDC has new addresses added to it, the KDC
+ will have to be restarted to listen to them. The reason it doesn't just
+ listen to wildcarded (like INADDR_ANY) addresses, is that the replies has
+ to come from the same address they were sent to, and most OS:es doesn't
+ pass this information to the application. If your normal mode of opera-
+ tion require that you add and remove addresses, the best option is proba-
+ bly to listen to a wildcarded TCP socket, and make sure your clients use
+ TCP to connect. For instance, this will listen to IPv4 TCP port 88 only:
+
+ kdc --addresses=0.0.0.0 --ports="88/tcp"
+
+ There should be a way to specify protocol, port, and address triplets,
+ not just addresses and protocol, port tuples.
+
SSEEEE AALLSSOO
- kinit(1)
+ kinit(1), krb5.conf(5)
- HEIMDAL July 27, 1997 2
+HEIMDAL August 22, 2002 HEIMDAL
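Review bot: The added BUGS section has agreement errors that should be fixed before it lands: "the replies has to come", "most OS:es doesn't pass", and "mode of operation require". On content, the suggested workaround "kdc --addresses=0.0.0.0 --ports="88/tcp"" makes the KDC accept connections on every IPv4 address of the host, including addresses added later. That is the opposite of the "only a subset is desired" case described under --addresses, so the text should say so and note that any restriction to particular interfaces then has to be enforced outside the KDC. The last sentence about protocol, port, and address triplets reads as a to-do item; phrase it as a known limitation.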