summaryrefslogtreecommitdiff
path: root/crypto/heimdal/kdc/kdc.8
diff options
context:
space:
mode:
Diffstat (limited to 'crypto/heimdal/kdc/kdc.8')
-rw-r--r--crypto/heimdal/kdc/kdc.8229
1 files changed, 0 insertions, 229 deletions
diff --git a/crypto/heimdal/kdc/kdc.8 b/crypto/heimdal/kdc/kdc.8
deleted file mode 100644
index baae563d52360..0000000000000
--- a/crypto/heimdal/kdc/kdc.8
+++ /dev/null
@@ -1,229 +0,0 @@
-.\" Copyright (c) 2003 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\"
-.\" $Id: kdc.8,v 1.23 2003/04/06 17:48:40 lha Exp $
-.\"
-.Dd August 22, 2002
-.Dt KDC 8
-.Os HEIMDAL
-.Sh NAME
-.Nm kdc
-.Nd Kerberos 5 server
-.Sh SYNOPSIS
-.Nm
-.Oo Fl c Ar file \*(Ba Xo
-.Fl -config-file= Ns Ar file
-.Xc
-.Oc
-.Op Fl p | Fl -no-require-preauth
-.Op Fl -max-request= Ns Ar size
-.Op Fl H | Fl -enable-http
-.Op Fl -no-524
-.Op Fl -kerberos4
-.Op Fl -kerberos4-cross-realm
-.Oo Fl r Ar string \*(Ba Xo
-.Fl -v4-realm= Ns Ar string
-.Xc
-.Oc
-.Op Fl K | Fl -kaserver
-.Oo Fl P Ar portspec \*(Ba Xo
-.Fl -ports= Ns Ar portspec
-.Xc
-.Oc
-.Op Fl -detach
-.Op Fl -addresses= Ns Ar list of addresses
-.Sh DESCRIPTION
-.Nm
-serves requests for tickets.
-When it starts, it first checks the flags passed, any options that are
-not specified with a command line flag are taken from a config file,
-or from a default compiled-in value.
-.Pp
-Options supported:
-.Bl -tag -width Ds
-.It Xo
-.Fl c Ar file ,
-.Fl -config-file= Ns Ar file
-.Xc
-Specifies the location of the config file, the default is
-.Pa /var/heimdal/kdc.conf .
-This is the only value that can't be specified in the config file.
-.It Xo
-.Fl p ,
-.Fl -no-require-preauth
-.Xc
-Turn off the requirement for pre-autentication in the initial AS-REQ
-for all principals.
-The use of pre-authentication makes it more difficult to do offline
-password attacks.
-You might want to turn it off if you have clients
-that don't support pre-authentication.
-Since the version 4 protocol doesn't support any pre-authentication,
-serving version 4 clients is just about the same as not requiring
-pre-athentication.
-The default is to require pre-authentication.
-Adding the require-preauth per principal is a more flexible way of
-handling this.
-.It Xo
-.Fl -max-request= Ns Ar size
-.Xc
-Gives an upper limit on the size of the requests that the kdc is
-willing to handle.
-.It Xo
-.Fl H ,
-.Fl -enable-http
-.Xc
-Makes the kdc listen on port 80 and handle requests encapsulated in HTTP.
-.It Xo
-.Fl -no-524
-.Xc
-don't respond to 524 requests
-.It Xo
-.Fl -kerberos4
-.Xc
-respond to Kerberos 4 requests
-.It Xo
-.Fl -kerberos4-cross-realm
-.Xc
-respond to Kerberos 4 requests from foreign realms.
-This is a known security hole and should not be enabled unless you
-understand the consequences and are willing to live with them.
-.It Xo
-.Fl r Ar string ,
-.Fl -v4-realm= Ns Ar string
-.Xc
-What realm this server should act as when dealing with version 4
-requests.
-The database can contain any number of realms, but since the version 4
-protocol doesn't contain a realm for the server, it must be explicitly
-specified.
-The default is whatever is returned by
-.Fn krb_get_lrealm .
-This option is only availabe if the KDC has been compiled with version
-4 support.
-.It Xo
-.Fl K ,
-.Fl -kaserver
-.Xc
-Enable kaserver emulation (in case it's compiled in).
-.It Xo
-.Fl P Ar portspec ,
-.Fl -ports= Ns Ar portspec
-.Xc
-Specifies the set of ports the KDC should listen on.
-It is given as a
-white-space separated list of services or port numbers.
-.It Fl -addresses= Ns Ar list of addresses
-The list of addresses to listen for requests on.
-By default, the kdc will listen on all the locally configured
-addresses.
-If only a subset is desired, or the automatic detection fails, this
-option might be used.
-.El
-.Pp
-All activities are logged to one or more destinations, see
-.Xr krb5.conf 5 ,
-and
-.Xr krb5_openlog 3 .
-The entity used for logging is
-.Nm kdc .
-.Sh CONFIGURATION FILE
-The configuration file has the same syntax as
-.Xr krb5.conf 5 ,
-but will be read before
-.Pa /etc/krb5.conf ,
-so it may override settings found there.
-Options specific to the KDC only are found in the
-.Dq [kdc]
-section.
-All the command-line options can preferably be added in the
-configuration file.
-The only difference is the pre-authentication flag, which has to be
-specified as:
-.Pp
-.Dl require-preauth = no
-.Pp
-(in fact you can specify the option as
-.Fl -require-preauth=no ) .
-.Pp
-And there are some configuration options which do not have
-command-line equivalents:
-.Bl -tag -width "xxx" -offset indent
-.It Li check-ticket-addresses = Va boolean
-Check the addresses in the ticket when processing TGS requests.
-The default is FALSE.
-.It Li allow-null-ticket-addresses = Va boolean
-Permit tickets with no addresses.
-This option is only relevant when check-ticket-addresses is TRUE.
-.It Li allow-anonymous = Va boolean
-Permit anonymous tickets with no addresses.
-.It encode_as_rep_as_tgs_rep = Va boolean
-Encode AS-Rep as TGS-Rep to be bug-compatible with old DCE code.
-The Heimdal clients allow both.
-.It kdc_warn_pwexpire = Va time
-How long before password/principal expiration the KDC should start
-sending out warning messages.
-.El
-.Pp
-The configuration file is only read when the
-.Nm
-is started.
-If changes made to the configuration file are to take effect, the
-.Nm
-needs to be restarted.
-.Pp
-An example of a config file:
-.Bd -literal -offset indent
-[kdc]
- require-preauth = no
- v4-realm = FOO.SE
- key-file = /key-file
-.Ed
-.Sh BUGS
-If the machine running the KDC has new addresses added to it, the KDC
-will have to be restarted to listen to them.
-The reason it doesn't just listen to wildcarded (like INADDR_ANY)
-addresses, is that the replies has to come from the same address they
-were sent to, and most OS:es doesn't pass this information to the
-application.
-If your normal mode of operation require that you add and remove
-addresses, the best option is probably to listen to a wildcarded TCP
-socket, and make sure your clients use TCP to connect.
-For instance, this will listen to IPv4 TCP port 88 only:
-.Bd -literal -offset indent
-kdc --addresses=0.0.0.0 --ports="88/tcp"
-.Ed
-.Pp
-There should be a way to specify protocol, port, and address triplets,
-not just addresses and protocol, port tuples.
-.Sh SEE ALSO
-.Xr kinit 1 ,
-.Xr krb5.conf 5