Diffstat (limited to 'crypto/heimdal/kdc/kdc.8')
-rw-r--r-- | crypto/heimdal/kdc/kdc.8 | 151 |
1 files changed, 61 insertions, 90 deletions
diff --git a/crypto/heimdal/kdc/kdc.8 b/crypto/heimdal/kdc/kdc.8 index 331682f1cd6b..4a69bda06790 100644 --- a/crypto/heimdal/kdc/kdc.8 +++ b/crypto/heimdal/kdc/kdc.8 
@@ -1,35 +1,35 @@ -.\" Copyright (c) 2003 - 2004 Kungliga Tekniska Högskolan -.\" (Royal Institute of Technology, Stockholm, Sweden). -.\" All rights reserved. +.\" Copyright (c) 2003 - 2004 Kungliga Tekniska Högskolan +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. .\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: .\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. .\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. .\" -.\" 3. Neither the name of the Institute nor the names of its contributors -.\" may be used to endorse or promote products derived from this software -.\" without specific prior written permission. +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. 
.\" -.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. .\" -.\" $Id: kdc.8 18419 2006-10-12 10:05:57Z lha $ +.\" $Id$ .\" .Dd August 24, 2006 .Dt KDC 8 
@@ -41,27 +41,27 @@ .Nm .Bk -words .Oo Fl c Ar file \*(Ba Xo -.Fl -config-file= Ns Ar file +.Fl Fl config-file= Ns Ar file .Xc .Oc -.Op Fl p | Fl -no-require-preauth -.Op Fl -max-request= Ns Ar size -.Op Fl H | Fl -enable-http -.Op Fl -no-524 -.Op Fl -kerberos4 -.Op Fl -kerberos4-cross-realm +.Op Fl p | Fl Fl no-require-preauth +.Op Fl Fl max-request= Ns Ar size +.Op Fl H | Fl Fl enable-http +.Op Fl Fl no-524 +.Op Fl Fl kerberos4 +.Op Fl Fl kerberos4-cross-realm .Oo Fl r Ar string \*(Ba Xo -.Fl -v4-realm= Ns Ar string +.Fl Fl v4-realm= Ns Ar string .Xc .Oc -.Op Fl K | Fl -kaserver +.Op Fl K | Fl Fl kaserver .Oo Fl P Ar portspec \*(Ba Xo -.Fl -ports= Ns Ar portspec +.Fl Fl ports= Ns Ar portspec .Xc .Oc -.Op Fl -detach -.Op Fl -disable-DES -.Op Fl -addresses= Ns Ar list of addresses +.Op Fl Fl detach +.Op Fl Fl disable-des +.Op Fl Fl addresses= Ns Ar list of addresses .Ek .Sh DESCRIPTION .Nm @@ -72,17 +72,11 @@ or from a default compiled-in value. .Pp Options supported: .Bl -tag -width Ds -.It Xo -.Fl c Ar file , -.Fl -config-file= Ns Ar file -.Xc +.It Fl c Ar file , Fl Fl config-file= Ns Ar file Specifies the location of the config file, the default is .Pa /var/heimdal/kdc.conf . This is the only value that can't be specified in the config file. -.It Xo -.Fl p , -.Fl -no-require-preauth -.Xc +.It Fl p , Fl Fl no-require-preauth Turn off the requirement for pre-autentication in the initial AS-REQ for all principals. The use of pre-authentication makes it more difficult to do offline 
@@ -95,34 +89,20 @@ pre-athentication. The default is to require pre-authentication. Adding the require-preauth per principal is a more flexible way of handling this. -.It Xo -.Fl -max-request= Ns Ar size -.Xc +.It Fl Fl max-request= Ns Ar size Gives an upper limit on the size of the requests that the kdc is willing to handle. -.It Xo -.Fl H , -.Fl -enable-http -.Xc +.It Fl H , Fl Fl enable-http Makes the kdc listen on port 80 and handle requests encapsulated in HTTP. -.It Xo -.Fl -no-524 -.Xc +.It Fl Fl no-524 don't respond to 524 requests -.It Xo -.Fl -kerberos4 -.Xc +.It Fl Fl kerberos4 respond to Kerberos 4 requests -.It Xo -.Fl -kerberos4-cross-realm -.Xc +.It Fl Fl kerberos4-cross-realm respond to Kerberos 4 requests from foreign realms. This is a known security hole and should not be enabled unless you understand the consequences and are willing to live with them. -.It Xo -.Fl r Ar string , -.Fl -v4-realm= Ns Ar string -.Xc +.It Fl r Ar string , Fl Fl v4-realm= Ns Ar string What realm this server should act as when dealing with version 4 requests. The database can contain any number of realms, but since the version 4 
@@ -130,29 +110,23 @@ protocol doesn't contain a realm for the server, it must be explicitly specified. The default is whatever is returned by .Fn krb_get_lrealm . -This option is only availabe if the KDC has been compiled with version +This option is only available if the KDC has been compiled with version 4 support. -.It Xo -.Fl K , -.Fl -kaserver -.Xc +.It Fl K , Fl Fl kaserver Enable kaserver emulation (in case it's compiled in). -.It Xo -.Fl P Ar portspec , -.Fl -ports= Ns Ar portspec -.Xc +.It Fl P Ar portspec , Fl Fl ports= Ns Ar portspec Specifies the set of ports the KDC should listen on. It is given as a white-space separated list of services or port numbers. -.It Fl -addresses= Ns Ar list of addresses +.It Fl Fl addresses= Ns Ar list of addresses The list of addresses to listen for requests on. By default, the kdc will listen on all the locally configured addresses. If only a subset is desired, or the automatic detection fails, this option might be used. -.It Fl -detach +.It Fl Fl detach detach from pty and run as a daemon. -.It Fl -disable-DES +.It Fl Fl disable-des disable add des encryption types, makes the kdc not use them. .El .Pp @@ -163,13 +137,13 @@ and The entity used for logging is .Nm kdc . .Sh CONFIGURATION FILE -The configuration file has the same syntax as +The configuration file has the same syntax as .Xr krb5.conf 5 , -but will be read before +but will be read before .Pa /etc/krb5.conf , so it may override settings found there. Options specific to the KDC only are found in the -.Dq [kdc] +.Dq [kdc] section. All the command-line options can preferably be added in the configuration file. @@ -179,7 +153,7 @@ specified as: .Dl require-preauth = no .Pp (in fact you can specify the option as -.Fl -require-preauth=no ) . +.Fl Fl require-preauth=no ) . .Pp And there are some configuration options which do not have command-line equivalents: 
@@ -198,11 +172,8 @@ Permit anonymous tickets with no addresses. .It Li max-kdc-datagram-reply-length = Va number Maximum packet size the UDP rely that the KDC will transmit, instead the KDC sends back a reply telling the client to use TCP instead. -.It Li transited-policy = Xo -.Li always-check \*(Ba -.Li allow-per-principal | -.Li always-honour-request -.Xc +.It Li transited-policy = Li always-check \*(Ba \ +Li allow-per-principal | Li always-honour-request This controls how KDC requests with the .Li disable-transited-check flag are handled. It can be one of: @@ -227,7 +198,7 @@ How long before password/principal expiration the KDC should start sending out warning messages. .El .Pp -The configuration file is only read when the +The configuration file is only read when the .Nm is started. If changes made to the configuration file are to take effect, the @@ -252,7 +223,7 @@ addresses, the best option is probably to listen to a wildcarded TCP socket, and make sure your clients use TCP to connect. For instance, this will listen to IPv4 TCP port 88 only: .Bd -literal -offset indent -kdc --addresses=0.0.0.0 --ports="88/tcp" +kdc --addresses=0.0.0.0 --ports="88/tcp" .Ed .Pp There should be a way to specify protocol, port, and address triplets, |
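Review bot: in the @@ -1,35 hunk, every license-comment line from `.\" Copyright (c) 2003 - 2004 Kungliga Tekniska Högskolan` through `.\" SUCH DAMAGE.` is removed and re-added with visibly identical text, so the difference can only be an invisible one (trailing whitespace or similar); a whitespace-only cleanup of this size is easier to review as its own commit, or at least called out in the commit message, so reviewers can confirm that no word of the BSD license text changed. The one substantive edit in the hunk is `-.\" $Id: kdc.8 18419 2006-10-12 10:05:57Z lha $` becoming `+.\" $Id$`, which discards the upstream revision stamp this vendor copy carried; if that is intentional (keyword expansion no longer wanted in the new repository), say so in the message.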
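Review bot: in the @@ -41,27 hunk the synopsis pair `-.Op Fl -disable-DES` / `+.Op Fl Fl disable-des` changes the documented spelling of the flag from `--disable-DES` to `--disable-des`, while every other line in the hunk only swaps the `Fl -foo` idiom for `Fl Fl foo` (the mdoc form that renders a `--` long option). Confirm that the kdc option parser really accepts the lower-case spelling: an administrator who copies the flag from the man page to turn off DES gets a parse failure instead of a DES-free KDC if the documented case is wrong, and the rename should be mentioned in the commit message since it is a behavioural detail hidden in a formatting change.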
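Review bot: in the @@ -72,17 hunk the unchanged context line `Turn off the requirement for pre-autentication in the initial AS-REQ` immediately after the new `+.It Fl p , Fl Fl no-require-preauth` entry misspells pre-authentication; since the hunk already rewrites the entry header, fixing the typo here would be a natural drive-by, in the same way a later hunk corrects `availabe`. Collapsing `.It Xo` / `.Fl c Ar file ,` / `.Fl -config-file= Ns Ar file` / `.Xc` into the single line `.It Fl c Ar file , Fl Fl config-file= Ns Ar file` is valid mdoc and renders the same, so no objection to the mechanical part.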
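Review bot: in the @@ -95,34 hunk the leading context line `pre-athentication. The default is to require pre-authentication.` carries a second misspelling of the same word and could be fixed together with the `.It` rewrites below it. Among the rewritten entries, `+.It Fl Fl no-524` is described as `don't respond to 524 requests` and `+.It Fl Fl kerberos4` as `respond to Kerberos 4 requests`, both lower-case fragments with no terminal period, whereas the neighbouring `--enable-http` and `--kerberos4-cross-realm` descriptions are full sentences; capitalising and punctuating them keeps the option list consistent. The sentence warning that `--kerberos4-cross-realm` is a known security hole survives the reformatting unchanged, which is the part that matters.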
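Review bot: in the @@ -130,29 hunk the `+.It Fl Fl disable-des` entry keeps the old description `disable add des encryption types, makes the kdc not use them.`, where `add` reads as a typo for `all`; as the entry is being touched anyway, `Disable all DES encryption types so the KDC does not use them.` would say what the option does and capitalise `DES` like the rest of the page. The flag's new lower-case spelling must agree with the synopsis and with what the option parser accepts. The `-This option is only availabe` / `+This option is only available` fix in the version 4 paragraph is good.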
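Review bot: in the @@ -198,11 hunk the rebuilt `transited-policy` entry mixes two separator spellings on one logical line: `\*(Ba` between `always-check` and `allow-per-principal`, but a bare `|` between `allow-per-principal` and `always-honour-request` (`+.It Li transited-policy = Li always-check \*(Ba \` continued by `+Li allow-per-principal | Li always-honour-request`). Both render, because mdoc treats a lone `|` as a delimiter, but one form should be used throughout the line. The backslash-continued second line correctly starts with `Li` rather than `.Li`, since it is still part of the same request. The unchanged context sentence above it, `Maximum packet size the UDP rely that the KDC will transmit, instead the KDC sends back a reply telling the client to use TCP instead.`, is garbled (`rely`, doubled `instead`) and is worth fixing in the same pass, given that this option governs when the KDC pushes clients from UDP to TCP.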