KDC(8) NetBSD System Manager's Manual KDC(8)
NAME
kdc - Kerberos 5 server
SYNOPSIS
kdc [-c file | --config-file=file] [-p | --no-require-preauth] [--max-request=size] [-H | --enable-http] [-D | --no-detach] [-r string | --v4-realm=string] [--kerberos4-cross-realm] [-K | --no-kaserver] [-r realm] [--v4-realm=realm] [-P string | --ports=string] [--addresses=list of addresses]
DESCRIPTION
     kdc serves requests for tickets.  When it starts, it first checks the
     flags passed; any option that is not specified with a command-line flag
     is taken from a config file, or from a default compiled-in value.

     Options supported:

     -c file, --config-file=file
             Specifies the location of the config file; the default is
             /var/heimdal/kdc.conf.  This is the only value that can't be
             specified in the config file.

     -p, --no-require-preauth
             Turn off the requirement for pre-authentication in the initial
             AS-REQ for all principals.  The use of pre-authentication makes
             it more difficult to do offline password attacks.  You might
             want to turn it off if you have clients that don't do
             pre-authentication.  Since the version 4 protocol doesn't
             support any pre-authentication, serving version 4 clients is
             just about the same as not requiring pre-authentication.  The
             default is to require pre-authentication.  Adding the
             require-preauth flag per principal is a more flexible way of
             handling this.

     --max-request=size
             Gives an upper limit on the size of the requests that the kdc
             is willing to handle.

     --kerberos4-cross-realm
             Respond to Kerberos 4 requests from foreign realms.  This is a
             known security hole and should not be enabled unless you
             understand the consequences and are willing to live with them.

     -H, --enable-http
             Makes the kdc listen on port 80 and handle requests
             encapsulated in HTTP.

     -D, --no-detach
             Makes the kdc not detach from the tty.  Useful for debugging.

     -K, --no-kaserver
             Disables kaserver emulation (in case it's compiled in).

     -r realm, --v4-realm=realm
             What realm this server should act as when dealing with version
             4 requests.  The database can contain any number of realms,
             but since the version 4 protocol doesn't contain a realm for
             the server, it must be explicitly specified.  The default is
             whatever is returned by krb_get_lrealm().  This option is only
             available if the KDC has been compiled with version 4 support.

     -P string, --ports=string
             Specifies the set of ports the KDC should listen on.  It is
             given as a white-space separated list of services or port
             numbers.

     --addresses=list of addresses
             The list of addresses to listen for requests on.  By default,
             the kdc will listen on all the locally configured addresses.
             If only a subset is desired, or the automatic detection fails,
             this option might be used.

     All activities are logged to one or more destinations, see
     krb5.conf(5) and krb5_openlog(3).  The entity used for logging is kdc.
CONFIGURATION FILE
     The configuration file has the same syntax as the krb5.conf file (you
     can actually put the configuration in /etc/krb5.conf, and then start
     the KDC with --config-file=/etc/krb5.conf).  All options should be in
     a section called ``kdc''.  All the command-line options can preferably
     be added in the configuration file.  The only difference is the
     pre-authentication flag, that has to be specified as:

           require-preauth = no

     (in fact you can specify the option as --require-preauth=no).

     And there are some configuration options which do not have
     command-line equivalents:

     check-ticket-addresses = boolean
             Check the addresses in the ticket when processing TGS
             requests.  The default is FALSE.

     allow-null-ticket-addresses = boolean
             Permit tickets with no addresses.  This option is only
             relevant when check-ticket-addresses is TRUE.

     allow-anonymous = boolean
             Permit anonymous tickets with no addresses.

     encode_as_rep_as_tgs_rep = boolean
             Encode AS-Rep as TGS-Rep to be bug-compatible with old DCE
             code.  The Heimdal clients allow both.

     kdc_warn_pwexpire = time
             How long before password/principal expiration the KDC should
             start sending out warning messages.

     An example of a config file:

           [kdc]
                   require-preauth = no
                   v4-realm = FOO.SE
                   key-file = /key-file
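     The option semantics described under DESCRIPTION and CONFIGURATION
     FILE can be checked mechanically before a KDC is started.  The
     following Python script is an added example, not part of this manual
     page or of Heimdal: it parses the ``kdc'' section of a krb5.conf-style
     file (sections in square brackets, key = value relations, nested
     { } blocks flattened to dotted keys) and reports the settings this page
     describes as weakening the KDC: require-preauth turned off, Kerberos 4
     cross-realm answering enabled, ticket addresses left unchecked, and
     anonymous tickets permitted.  The sample configuration, the realm
     EXAMPLE.TEST, and the treatment of yes/true and no/false as boolean
     values are assumptions of the example.

```python
"""Audit the [kdc] section of a Heimdal-style kdc.conf / krb5.conf.

Added example, not Heimdal code.  Assumes the krb5.conf syntax described
on the manual page: [section] headers, key = value relations, optional
nested `name = { ... }` blocks, and '#' comments.
"""
import re

# Constructed sample config: the manual page's example plus a few of the
# documented options.  Realm EXAMPLE.TEST and the file contents are made up.
SAMPLE_KDC_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.TEST

[kdc]
    require-preauth = no            # weak: AS-REQ needs no pre-auth
    v4-realm = FOO.SE
    key-file = /key-file
    check-ticket-addresses = false  # the documented default
    allow-anonymous = yes
    kerberos4-cross-realm = yes     # documented as a known security hole
    kdc_warn_pwexpire = 7d
"""

_SECTION_RE = re.compile(r"\[([^\]]+)\]")


def parse_sections(text):
    """Return {section: {key: value}} for krb5.conf-style text.

    Keys inside nested `name = { ... }` blocks are flattened to
    "name.key".  Lines after '#' are treated as comments.
    """
    sections = {}
    current = None
    prefix = []          # names of the enclosing nested blocks
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _SECTION_RE.fullmatch(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            prefix = []
            continue
        if line == "}":
            if prefix:
                prefix.pop()
            continue
        if current is None:
            raise ValueError("relation outside any section: %r" % raw)
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("malformed relation: %r" % raw)
        key, value = key.strip(), value.strip()
        if value == "{":
            prefix.append(key)
            continue
        sections[current][".".join(prefix + [key])] = value
    return sections


# Assumed boolean spellings; Heimdal accepts yes/true and no/false.
_TRUE = {"yes", "true", "on", "1"}
_FALSE = {"no", "false", "off", "0"}


def as_bool(value, default):
    """Map a config boolean to True/False, falling back to `default`."""
    v = value.strip().lower()
    if v in _TRUE:
        return True
    if v in _FALSE:
        return False
    return default


def audit_kdc(sections):
    """Return (option, finding) pairs for settings the manual page flags.

    Defaults follow the page: pre-authentication required unless turned
    off, Kerberos 4 cross-realm off unless enabled, ticket addresses not
    checked unless check-ticket-addresses is TRUE.
    """
    kdc = sections.get("kdc", {})
    findings = []
    if not as_bool(kdc.get("require-preauth", "yes"), True):
        findings.append(("require-preauth",
                         "pre-authentication disabled for all principals; "
                         "offline password attacks become easier"))
    if as_bool(kdc.get("kerberos4-cross-realm", "no"), False):
        findings.append(("kerberos4-cross-realm",
                         "answering Kerberos 4 requests from foreign realms "
                         "is documented as a known security hole"))
    if not as_bool(kdc.get("check-ticket-addresses", "false"), False):
        findings.append(("check-ticket-addresses",
                         "ticket addresses are not checked on TGS requests "
                         "(the documented default)"))
    if as_bool(kdc.get("allow-anonymous", "no"), False):
        findings.append(("allow-anonymous",
                         "anonymous tickets with no addresses are permitted"))
    return findings


if __name__ == "__main__":
    for option, finding in audit_kdc(parse_sections(SAMPLE_KDC_CONF)):
        print("%-24s %s" % (option, finding))
```

     Run against the embedded sample, the script reports all four findings;
     a section with require-preauth = yes and check-ticket-addresses = true
     and neither Kerberos 4 cross-realm nor anonymous tickets enabled
     produces none.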
SEE ALSO
     kinit(1)

NetBSD 1.6.2                     July 27, 1997