path: root/crypto/heimdal/kdc/kdc.cat8
blob: 234b76dc97b5041667b156ea17a2beb3c37a0486 (plain)

KDC(8)                   UNIX System Manager's Manual                   KDC(8)

NAME
     kdc - Kerberos 5 server

SYNOPSIS
     kdc [-c file | --config-file=file] [-p | --no-require-preauth]
     [--max-request=size] [-H | --enable-http] [-r string | --v4-realm=string]
     [-K | --no-kaserver] [-r realm] [--v4-realm=realm] [-P string |
     --ports=string] [--addresses=list of addresses]

DESCRIPTION
     kdc serves requests for tickets. When it starts, it first checks the
     flags passed; any options that are not specified with a command line flag
     are taken from a config file, or from a default compiled-in value.

     Options supported:

     -c file

     --config-file=file
             Specifies the location of the config file, the default is
             /var/heimdal/kdc.conf. This is the only value that can't be
             specified in the config file.

     -p

     --no-require-preauth
             Turn off the requirement for pre-authentication in the initial
             AS-REQ for all principals. The use of pre-authentication makes it
             more difficult to do offline password attacks. You might want to
             turn it off if you have clients that don't do pre-authentication.
             Since the version 4 protocol doesn't support any
             pre-authentication, serving version 4 clients is just about the
             same as not requiring pre-authentication. The default is to
             require pre-authentication. Adding require-preauth per principal
             is a more flexible way of handling this.

     --max-request=size
             Gives an upper limit on the size of the requests that the kdc is
             willing to handle.

     -H, --enable-http
             Makes the kdc listen on port 80 and handle requests encapsulated
             in HTTP.

     -K, --no-kaserver
             Disables kaserver emulation (in case it's compiled in).

     -r realm

     --v4-realm=realm
             What realm this server should act as when dealing with version 4
             requests. The database can contain any number of realms, but
             since the version 4 protocol doesn't contain a realm for the
             server, it must be explicitly specified. The default is whatever
             is returned by krb_get_lrealm().  This option is only available
             if the KDC has been compiled with version 4 support.

     -P string, --ports=string
             Specifies the set of ports the KDC should listen on.  It is given
             as a white-space separated list of services or port numbers.

     --addresses=list of addresses
             The list of addresses to listen for requests on.  By default, the
             kdc will listen on all the locally configured addresses.  If only
             a subset is desired, or the automatic detection fails, this
             option might be used.

     All activities are logged to one or more destinations, see
     krb5.conf(5) and krb5_openlog(3).  The entity used for logging is kdc.

CONFIGURATION FILE
     The configuration file has the same syntax as the krb5.conf file (you can
     actually put the configuration in /etc/krb5.conf, and then start the KDC
     with --config-file=/etc/krb5.conf). All options should be in a section
     called ``kdc''. All the command-line options can preferably be added in
     the configuration file.  The only difference is the pre-authentication
     flag, which has to be specified as:

           require-preauth = no

     (in fact you can specify the option as --require-preauth=no).

     And there are some configuration options which do not have command-line
     equivalents:

           check-ticket-addresses = boolean
                Check the addresses in the ticket when processing TGS
                requests.  The default is FALSE.

           allow-null-ticket-addresses = boolean
                Permit tickets with no addresses.  This option is only
                relevant when check-ticket-addresses is TRUE.

           allow-anonymous = boolean
                Permit anonymous tickets with no addresses.

           encode_as_rep_as_tgs_rep = boolean
                Encode AS-Rep as TGS-Rep to be bug-compatible with old DCE
                code.  The Heimdal clients allow both.

           kdc_warn_pwexpire = time
                How long before password/principal expiration the KDC should
                start sending out warning messages.

     An example of a config file:

           [kdc]
                   require-preauth = no
                   v4-realm = FOO.SE
                   key-file = /key-file
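
     The following Python sketch is an added example, not part of the Heimdal
     manual or source: it reads the ``kdc'' section of a krb5.conf-style file
     and reports the two settings this page ties to missing
     pre-authentication. The function names, the sample text and the boolean
     parsing rule are assumptions.

```python
import re

# Constructed sample: the example [kdc] section from this page plus an
# unrelated section, to show that only [kdc] is inspected.
SAMPLE = """\
[libdefaults]
        default_realm = FOO.SE
[kdc]
        require-preauth = no
        v4-realm = FOO.SE
        key-file = /key-file
"""

def parse_section(text, section="kdc"):
    """Return the key/value pairs of one [section] of a krb5.conf-style file."""
    opts, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).strip()     # entering a new section
        elif current == section and "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip()] = value.strip()
    return opts

def as_bool(value):
    # Assumption: "yes", "true" or a non-zero number mean TRUE, all else FALSE.
    v = value.lower()
    return v in ("yes", "true") or (v.lstrip("-").isdigit() and int(v) != 0)

def audit_kdc(text):
    """List findings for options this page ties to missing pre-authentication."""
    opts, findings = parse_section(text), []
    # Default per this page: pre-authentication is required.
    if not as_bool(opts.get("require-preauth", "yes")):
        findings.append("require-preauth is off: offline password attacks get easier")
    # Version 4 has no pre-authentication; an explicit v4-realm suggests v4 is served.
    if "v4-realm" in opts:
        findings.append("v4-realm = %s: version 4 clients bypass pre-authentication"
                        % opts["v4-realm"])
    return findings

if __name__ == "__main__":
    for finding in audit_kdc(SAMPLE):
        print("WARN:", finding)
```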

SEE ALSO
     kinit(1)

 HEIMDAL                         July 27, 1997                               2