kdc(8)
- NetBSD Manual Pages
KDC(8) NetBSD System Manager's Manual KDC(8)
NAME
kdc - Kerberos 5 server
SYNOPSIS
kdc [-c file | --config-file=file] [-p | --no-require-preauth]
[--max-request=size] [-H | --enable-http] [-D | --no-detach] [-r string |
--v4-realm=string] [-K | --no-kaserver] [-r realm] [--v4-realm=realm] [-P
string | --ports=string] [--addresses=list of addresses]
DESCRIPTION
kdc serves requests for tickets. When it starts, it first checks the
flags passed. Any options that are not specified with a command line flag
are taken from a config file, or from a default compiled-in value.
Options supported:
-c file
--config-file=file
Specifies the location of the config file; the default is
/var/heimdal/kdc.conf. This is the only value that can't be
specified in the config file.
-p
--no-require-preauth
Turn off the requirement for pre-authentication in the initial
AS-REQ for all principals. The use of pre-authentication makes it
more difficult to do offline password attacks. You might want to
turn it off if you have clients that don't do pre-authentication.
Since the version 4 protocol doesn't support any
pre-authentication, serving version 4 clients is just about the same
as not requiring pre-authentication. The default is to require
pre-authentication. Adding require-preauth per principal is a
more flexible way of handling this.
--max-request=size
Gives an upper limit on the size of the requests that the kdc is
willing to handle.
-H, --enable-http
Makes the kdc listen on port 80 and handle requests encapsulated
in HTTP.
-D, --no-detach
Makes the kdc not detach from the tty. Useful for debugging.
-K, --no-kaserver
Disables kaserver emulation (in case it's compiled in).
-r realm
--v4-realm=realm
What realm this server should act as when dealing with version 4
requests. The database can contain any number of realms, but
since the version 4 protocol doesn't contain a realm for the
server, it must be explicitly specified. The default is whatever
is returned by krb_get_lrealm(). This option is only available if
the KDC has been compiled with version 4 support.
-P string, --ports=string
Specifies the set of ports the KDC should listen on. It is given
as a white-space separated list of services or port numbers.
--addresses=list of addresses
The list of addresses to listen for requests on. By default, the
kdc will listen on all the locally configured addresses. If only
a subset is desired, or the automatic detection fails, this
option might be used.
All activities are logged to one or more destinations; see
krb5.conf(5) and krb5_openlog(3). The entity used for logging is kdc.
CONFIGURATION FILE
The configuration file has the same syntax as the krb5.conf file (you can
actually put the configuration in /etc/krb5.conf, and then start the KDC
with --config-file=/etc/krb5.conf). All options should be in a section
called ``kdc''. All the command-line options can preferably be added in
the configuration file. The only difference is the pre-authentication
flag, which has to be specified as:
require-preauth = no
(in fact you can specify the option as --require-preauth=no).
And there are some configuration options which do not have command-line
equivalents:
check-ticket-addresses = boolean
Check the addresses in the ticket when processing TGS
requests. The default is FALSE.
allow-null-ticket-addresses = boolean
Permit tickets with no addresses. This option is only
relevant when check-ticket-addresses is TRUE.
allow-anonymous = boolean
Permit anonymous tickets with no addresses.
encode_as_rep_as_tgs_rep = boolean
Encode AS-Rep as TGS-Rep to be bug-compatible with old DCE
code. The Heimdal clients allow both.
kdc_warn_pwexpire = time
How long before password/principal expiration the KDC should
start sending out warning messages.
An example of a config file:
[kdc]
require-preauth = no
v4-realm = FOO.SE
key-file = /key-file
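An added example (not part of this manual page or of Heimdal): a small Python check that reads the [kdc] section and reports the settings this page describes as weakening pre-authentication or as having no effect. The function names, the constructed sample text and the simplified flat "key = value" parser are assumptions made for the example.

```python
import re

# Constructed sample: the page's example [kdc] section plus two extra lines.
SAMPLE = """\
[libdefaults]
    default_realm = FOO.SE
[kdc]
    require-preauth = no
    v4-realm = FOO.SE
    key-file = /key-file
    allow-null-ticket-addresses = yes
"""

def parse_kdc_section(text):
    """Return the flat key = value pairs of the [kdc] section (no nested { } blocks)."""
    opts, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:                                    # section header such as [kdc]
            section = m.group(1).strip()
            continue
        if section == "kdc" and "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip()] = value.strip()
    return opts

def is_true(value):
    # Assumption: yes/true/non-zero integers count as true, anything else as false.
    v = value.strip().lower()
    return v in ("yes", "true") or (v.lstrip("-").isdigit() and int(v) != 0)

def audit_kdc(text):
    """Return findings based only on the behaviour described in kdc(8)."""
    opts, findings = parse_kdc_section(text), []
    # Pre-authentication is required by default, so only an explicit false value is flagged.
    if "require-preauth" in opts and not is_true(opts["require-preauth"]):
        findings.append("require-preauth is off: offline password attacks get easier")
    if "v4-realm" in opts:
        findings.append("v4-realm set: version 4 clients cannot pre-authenticate")
    # check-ticket-addresses defaults to FALSE.
    checking = is_true(opts.get("check-ticket-addresses", "no"))
    if "allow-null-ticket-addresses" in opts and not checking:
        findings.append("allow-null-ticket-addresses has no effect: "
                        "check-ticket-addresses is not TRUE")
    return findings

if __name__ == "__main__":
    for finding in audit_kdc(SAMPLE):
        print("WARN:", finding)
```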
SEE ALSO
kinit(1)
NetBSD 1.6 July 27, 1997