diff options
Diffstat (limited to 'crypto/heimdal/kdc/kdc.8')
-rw-r--r-- | crypto/heimdal/kdc/kdc.8 | 229 |
1 files changed, 0 insertions, 229 deletions
diff --git a/crypto/heimdal/kdc/kdc.8 b/crypto/heimdal/kdc/kdc.8 deleted file mode 100644 index baae563d52360..0000000000000 --- a/crypto/heimdal/kdc/kdc.8 +++ /dev/null @@ -1,229 +0,0 @@ -.\" Copyright (c) 2003 Kungliga Tekniska Högskolan -.\" (Royal Institute of Technology, Stockholm, Sweden). -.\" All rights reserved. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. -.\" -.\" 3. Neither the name of the Institute nor the names of its contributors -.\" may be used to endorse or promote products derived from this software -.\" without specific prior written permission. -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. -.\" -.\" $Id: kdc.8,v 1.23 2003/04/06 17:48:40 lha Exp $ -.\" -.Dd August 22, 2002 -.Dt KDC 8 -.Os HEIMDAL -.Sh NAME -.Nm kdc -.Nd Kerberos 5 server -.Sh SYNOPSIS -.Nm -.Oo Fl c Ar file \*(Ba Xo -.Fl -config-file= Ns Ar file -.Xc -.Oc -.Op Fl p | Fl -no-require-preauth -.Op Fl -max-request= Ns Ar size -.Op Fl H | Fl -enable-http -.Op Fl -no-524 -.Op Fl -kerberos4 -.Op Fl -kerberos4-cross-realm -.Oo Fl r Ar string \*(Ba Xo -.Fl -v4-realm= Ns Ar string -.Xc -.Oc -.Op Fl K | Fl -kaserver -.Oo Fl P Ar portspec \*(Ba Xo -.Fl -ports= Ns Ar portspec -.Xc -.Oc -.Op Fl -detach -.Op Fl -addresses= Ns Ar list of addresses -.Sh DESCRIPTION -.Nm -serves requests for tickets. -When it starts, it first checks the flags passed, any options that are -not specified with a command line flag are taken from a config file, -or from a default compiled-in value. -.Pp -Options supported: -.Bl -tag -width Ds -.It Xo -.Fl c Ar file , -.Fl -config-file= Ns Ar file -.Xc -Specifies the location of the config file, the default is -.Pa /var/heimdal/kdc.conf . -This is the only value that can't be specified in the config file. -.It Xo -.Fl p , -.Fl -no-require-preauth -.Xc -Turn off the requirement for pre-autentication in the initial AS-REQ -for all principals. -The use of pre-authentication makes it more difficult to do offline -password attacks. -You might want to turn it off if you have clients -that don't support pre-authentication. -Since the version 4 protocol doesn't support any pre-authentication, -serving version 4 clients is just about the same as not requiring -pre-athentication. -The default is to require pre-authentication. -Adding the require-preauth per principal is a more flexible way of -handling this. -.It Xo -.Fl -max-request= Ns Ar size -.Xc -Gives an upper limit on the size of the requests that the kdc is -willing to handle. -.It Xo -.Fl H , -.Fl -enable-http -.Xc -Makes the kdc listen on port 80 and handle requests encapsulated in HTTP. -.It Xo -.Fl -no-524 -.Xc -don't respond to 524 requests -.It Xo -.Fl -kerberos4 -.Xc -respond to Kerberos 4 requests -.It Xo -.Fl -kerberos4-cross-realm -.Xc -respond to Kerberos 4 requests from foreign realms. -This is a known security hole and should not be enabled unless you -understand the consequences and are willing to live with them. -.It Xo -.Fl r Ar string , -.Fl -v4-realm= Ns Ar string -.Xc -What realm this server should act as when dealing with version 4 -requests. -The database can contain any number of realms, but since the version 4 -protocol doesn't contain a realm for the server, it must be explicitly -specified. -The default is whatever is returned by -.Fn krb_get_lrealm . -This option is only availabe if the KDC has been compiled with version -4 support. -.It Xo -.Fl K , -.Fl -kaserver -.Xc -Enable kaserver emulation (in case it's compiled in). -.It Xo -.Fl P Ar portspec , -.Fl -ports= Ns Ar portspec -.Xc -Specifies the set of ports the KDC should listen on. -It is given as a -white-space separated list of services or port numbers. -.It Fl -addresses= Ns Ar list of addresses -The list of addresses to listen for requests on. -By default, the kdc will listen on all the locally configured -addresses. -If only a subset is desired, or the automatic detection fails, this -option might be used. -.El -.Pp -All activities are logged to one or more destinations, see -.Xr krb5.conf 5 , -and -.Xr krb5_openlog 3 . -The entity used for logging is -.Nm kdc . -.Sh CONFIGURATION FILE -The configuration file has the same syntax as -.Xr krb5.conf 5 , -but will be read before -.Pa /etc/krb5.conf , -so it may override settings found there. -Options specific to the KDC only are found in the -.Dq [kdc] -section. -All the command-line options can preferably be added in the -configuration file. -The only difference is the pre-authentication flag, which has to be -specified as: -.Pp -.Dl require-preauth = no -.Pp -(in fact you can specify the option as -.Fl -require-preauth=no ) . -.Pp -And there are some configuration options which do not have -command-line equivalents: -.Bl -tag -width "xxx" -offset indent -.It Li check-ticket-addresses = Va boolean -Check the addresses in the ticket when processing TGS requests. -The default is FALSE. -.It Li allow-null-ticket-addresses = Va boolean -Permit tickets with no addresses. -This option is only relevant when check-ticket-addresses is TRUE. -.It Li allow-anonymous = Va boolean -Permit anonymous tickets with no addresses. -.It encode_as_rep_as_tgs_rep = Va boolean -Encode AS-Rep as TGS-Rep to be bug-compatible with old DCE code. -The Heimdal clients allow both. -.It kdc_warn_pwexpire = Va time -How long before password/principal expiration the KDC should start -sending out warning messages. -.El -.Pp -The configuration file is only read when the -.Nm -is started. -If changes made to the configuration file are to take effect, the -.Nm -needs to be restarted. -.Pp -An example of a config file: -.Bd -literal -offset indent -[kdc] - require-preauth = no - v4-realm = FOO.SE - key-file = /key-file -.Ed -.Sh BUGS -If the machine running the KDC has new addresses added to it, the KDC -will have to be restarted to listen to them. -The reason it doesn't just listen to wildcarded (like INADDR_ANY) -addresses, is that the replies has to come from the same address they -were sent to, and most OS:es doesn't pass this information to the -application. -If your normal mode of operation require that you add and remove -addresses, the best option is probably to listen to a wildcarded TCP -socket, and make sure your clients use TCP to connect. -For instance, this will listen to IPv4 TCP port 88 only: -.Bd -literal -offset indent -kdc --addresses=0.0.0.0 --ports="88/tcp" -.Ed -.Pp -There should be a way to specify protocol, port, and address triplets, -not just addresses and protocol, port tuples. -.Sh SEE ALSO -.Xr kinit 1 , -.Xr krb5.conf 5 |