blob: 859133f2cb39f63bcda1567df809e0dab6f18625 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
|
[kdc]
# See allowed values in krb5_openlog(3) man page.
logging = FILE:/var/log/heimdal-kdc.log
# detach = boolean
# Gives an upper limit on the size of the requests that the kdc is
# willing to handle.
# max-request = integer
# Turn off the requirement for pre-autentication in the initial AS-
# REQ for all principals. The use of pre-authentication makes it
# more difficult to do offline password attacks. You might want to
# turn it off if you have clients that don't support pre-authenti-
# cation. Since the version 4 protocol doesn't support any pre-
# authentication, serving version 4 clients is just about the same
# as not requiring pre-athentication. The default is to require
# pre-authentication. Adding the require-preauth per principal is
# a more flexible way of handling this.
# require-preauth = boolean
# Specifies the set of ports the KDC should listen on. It is given
# as a white-space separated list of services or port numbers.
# ports = 88,750
# The list of addresses to listen for requests on. By default, the
# kdc will listen on all the locally configured addresses. If only
# a subset is desired, or the automatic detection fails, this
# option might be used.
# addresses = list of ip addresses
# respond to Kerberos 4 requests
# enable-kerberos4 = false
# respond to Kerberos 4 requests from foreign realms. This is a
# known security hole and should not be enabled unless you under-
# stand the consequences and are willing to live with them.
# enable-kerberos4-cross-realm = false
# respond to 524 requests
# enable-524 = value of enable-kerberos4
# Makes the kdc listen on port 80 and handle requests encapsulated
# in HTTP.
# enable-http = boolean
# What realm this server should act as when dealing with version 4
# requests. The database can contain any number of realms, but
# since the version 4 protocol doesn't contain a realm for the
# server, it must be explicitly specified. The default is whatever
# is returned by krb_get_lrealm(). This option is only availabe if
# the KDC has been compiled with version 4 support.
# v4-realm = string
# Enable kaserver emulation (in case it's compiled in).
# enable-kaserver = false
# Check the addresses in the ticket when processing TGS requests.
# check-ticket-addresses = true
# Permit tickets with no addresses. This option is only
# relevent when check-ticket-addresses is TRUE.
# allow-null-ticket-addresses = true
# Permit anonymous tickets with no addresses.
# allow-anonymous = boolean
# Always verify the transited policy, ignoring the
# disable-transited-check flag if set in the KDC client request.
# transited-policy = {always-check,allow-per-principal,always-honour-request}
# Encode AS-Rep as TGS-Rep to be bug-compatible with old DCE
# code. The Heimdal clients allow both.
# encode_as_rep_as_tgs_rep = boolean
# How long before password/principal expiration the KDC should
# start sending out warning messages.
# kdc_warn_pwexpire = time
# Specifies the set of ports the KDC should listen on. It is given
# as a white-space separated list of services or port numbers.
# kdc_ports = 88,750
# [password_quality]
# check_library = LIBRARY
# check_function = FUNCTION
# min_length = value
# [kadmin]
# default_keys = list of strings
# use_v4_salt = boolean
|
