KDC(8) UNIX System Manager's Manual KDC(8)
NAME
     kdc - Kerberos 5 server

SYNOPSIS
     kdc [-c file | --config-file=file] [-p | --no-require-preauth]
         [--max-request=size] [-H | --enable-http] [-r string | --v4-realm=string]
         [-K | --no-kaserver] [-r realm] [--v4-realm=realm] [-P string |
         --ports=string] [--addresses=list of addresses]
DESCRIPTION
     kdc serves requests for tickets.  When it starts, it first checks the
     flags passed; any option that is not specified with a command line flag
     is taken from the config file, or from a compiled-in default value.

     Options supported:
     -c file
     --config-file=file
             Specifies the location of the config file; the default is
             /var/heimdal/kdc.conf.  This is the only value that can't be
             specified in the config file.
     -p
     --no-require-preauth
             Turn off the requirement for pre-authentication in the initial
             AS-REQ for all principals.  The use of pre-authentication makes
             it more difficult to do offline password attacks.  You might
             want to turn it off if you have clients that don't do
             pre-authentication.  Since the version 4 protocol doesn't
             support any pre-authentication, serving version 4 clients is
             just about the same as not requiring pre-authentication.  The
             default is to require pre-authentication.  Adding the
             require-preauth per principal is a more flexible way of
             handling this.
     --max-request=size
             Gives an upper limit on the size of the requests that the kdc
             is willing to handle.

     -H, --enable-http
             Makes the kdc listen on port 80 and handle requests
             encapsulated in HTTP.

     -K, --no-kaserver
             Disables kaserver emulation (in case it's compiled in).
     -r realm
     --v4-realm=realm
             What realm this server should act as when dealing with version
             4 requests.  The database can contain any number of realms, but
             since the version 4 protocol doesn't contain a realm for the
             server, it must be explicitly specified.  The default is
             whatever is returned by krb_get_lrealm().  This option is only
             available if the KDC has been compiled with version 4 support.
     -P string, --ports=string
             Specifies the set of ports the KDC should listen on.  It is
             given as a white-space separated list of services or port
             numbers.

     --addresses=list of addresses
             The list of addresses to listen for requests on.  By default,
             the kdc will listen on all the locally configured addresses.
             If only a subset is desired, or the automatic detection fails,
             this option might be used.
     All activities are logged to one or more destinations, see
     krb5.conf(5), and krb5_openlog(3).  The entity used for logging is
     kdc.
CONFIGURATION FILE
     The configuration file has the same syntax as the krb5.conf file (you
     can actually put the configuration in /etc/krb5.conf, and then start
     the KDC with --config-file=/etc/krb5.conf).  All options should be in
     a section called ``kdc''.  All the command-line options can preferably
     be added in the configuration file.  The only difference is the
     pre-authentication flag, that has to be specified as:

           require-preauth = no

     (in fact you can specify the option as --require-preauth=no).

     And there are some configuration options which do not have
     command-line equivalents:
     check-ticket-addresses = boolean
             Check the addresses in the ticket when processing TGS
             requests.  The default is FALSE.

     allow-null-ticket-addresses = boolean
             Permit tickets with no addresses.  This option is only
             relevant when check-ticket-addresses is TRUE.

     allow-anonymous = boolean
             Permit anonymous tickets with no addresses.

     encode_as_rep_as_tgs_rep = boolean
             Encode AS-Rep as TGS-Rep to be bug-compatible with old DCE
             code.  The Heimdal clients allow both.

     kdc_warn_pwexpire = time
             How long before password/principal expiration the KDC should
             start sending out warning messages.
     An example of a config file:

           [kdc]
                   require-preauth = no
                   v4-realm = FOO.SE
                   key-file = /key-file
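     The following audit script is an added example, not code from Heimdal
     or from this manual.  It reads a constructed file in the krb5.conf
     syntax described above, extracts the [kdc] section, and reports the
     settings this manual describes as weakening (pre-authentication off,
     version 4 service, ticket addresses unchecked).  The sample
     configuration, the realm name and the finding texts are constructed
     here; the option names and their defaults are the ones documented
     above, and '#' is assumed to start a comment.

```python
import re
# Constructed sample, modelled on the example in this manual; not a real site's file.
SAMPLE_CONF = """\
[realms]
    EXAMPLE.ORG = {
        kdc = kdc.example.org
    }
[kdc]
    require-preauth = no          # turns pre-authentication off for all principals
    v4-realm = EXAMPLE.ORG
    check-ticket-addresses = false
    key-file = /key-file
"""
def parse_sections(text):
    """Return {section: {key: value}}; nested 'key = { ... }' blocks are skipped."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()       # '#' starts a comment
        if not line:
            continue
        if depth:                                  # still inside a nested block
            depth += line.count('{') - line.count('}')
            continue
        m = re.fullmatch(r'\[(\S+)\]', line)
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        if current is not None and '=' in line:
            key, value = (s.strip() for s in line.split('=', 1))
            if value == '{':
                depth = 1                          # skip until the matching '}'
            else:
                current[key] = value
    return sections

def is_true(value):
    return value.strip().lower() in ('yes', 'true', 'on', '1')

def audit_kdc(text):
    """Return findings for [kdc] settings this manual describes as weakening."""
    kdc = parse_sections(text).get('kdc', {})
    findings = []
    if not is_true(kdc.get('require-preauth', 'yes')):           # default: required
        findings.append('require-preauth off: initial AS-REQs need no pre-authentication')
    if 'v4-realm' in kdc:
        findings.append('v4-realm set: version 4 requests carry no pre-authentication')
    if not is_true(kdc.get('check-ticket-addresses', 'false')):  # default: FALSE
        findings.append('check-ticket-addresses off: TGS requests not checked against ticket addresses')
    return findings
```

     Running audit_kdc(SAMPLE_CONF) reports all three findings; an empty
     [kdc] section still reports the unchecked ticket addresses, since that
     is the documented default.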
SEE ALSO
     kinit(1)
HEIMDAL July 27, 1997 2