From 5390bd18b6eeb17e45c2b3861002f81494d9b6c8 Mon Sep 17 00:00:00 2001
From: Johan Danielsson
Date: Sun, 27 Jul 1997 05:38:53 +0000
Subject: [PATCH] Manual page.
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@2644 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
kdc/kdc.8 | 96 ++++++++++++++++++++++++++++++++
lib/krb5/krb5.conf.5 | 128 +++++++++++++++++++++++++++++++++++++++++++
2 files changed, 224 insertions(+)
create mode 100644 kdc/kdc.8
create mode 100644 lib/krb5/krb5.conf.5
diff --git a/kdc/kdc.8 b/kdc/kdc.8
new file mode 100644
index 000000000..991d50c20
--- /dev/null
+++ b/kdc/kdc.8
@@ -0,0 +1,96 @@
+.\" $Id$
+.\"
+.Dd July 27, 1997
+.Dt KDC 8
+.Os HEIMDAL
+.Sh NAME
+.Nm kdc
+.Nd
+Kerberos 5 server
+.Sh SYNOPSIS
+.Nm
+.Op Fl c Ar file
+.Op Fl k Ar file
+.Op Fl l Ar file
+.Op Fl p
+.Op Fl r Ar realm
+.Op Fl -config-file= Ns Ar file
+.Op Fl -key-file= Ns Ar file
+.Op Fl -log-file= Ns Ar file
+.Op Fl -log-level= Ns Ar number
+.Op Fl -no-require-preauth
+.Op Fl -v4-realm= Ns Ar realm
+
+.Sh DESCRIPTION
+.Nm
+serves requests for tickets. When it starts, it first checks the flags
+passed, any options that are not specified with a command line flag is
+taken from a config file, or from a default compiled-in value.
+.Pp
+Options supported:
+.Bl -tag -width Ds
+.It Fl c Ar file
+.It Fl -config-file= Ns Ar file
+Specifies the location of the config file, the default is
+.Pa /var/heimdal/kdc.conf .
+This is the only value that can't be specified in the config file.
+.It Fl k Ar file
+.It Fl -key-file= Ns Ar file
+The location of the master-key file. All keys in the database is
+encrypted with this master key. The use of a master key is currently
+optional, so there is no default.
+.Em "Don't specify a master key file if your database is not encrypted."
+.It Fl l Ar file
+.It Fl -log-file= Ns Ar file
+The file where the KDC logs its activities.
+.It Fl -log-level= Ns Ar number
+What level of information you want logged. The default is 0, and logs
+only requests and any errors when parsing them. You can turn off
+logging by specifying -1.
+.It Fl p
+.It Fl -no-require-preauth
+Turn off the requirement for pre-autentication in the initial
+AS-REQ. The use of pre-authentication makes it more difficult to do
+offline password attacks. You might want to turn it off if you have
+clients that doesn't do pre-authentication. Since the version 4
+protocol doesn't support any pre-authentication, so serving version 4
+clients is just about the same as not requiring pre-athentication. The
+default is to require pre-authentication.
+.It Fl r Ar realm
+.It Fl -v4-realm= Ns Ar realm
+What realm this server should act as when dealing with version 4
+requests. The database can contain any number of realms, but since the
+version 4 protocol doesn't contain a realm for the server, it must be
+explicitly specified. The default is whatever is returned by
+.Fn krb_get_lrealm .
+This option is only availabe if the program has been compiled with
+version 4 support.
+.El
+.Sh CONFIGURATION FILE
+The configuration file has the same syntax as the
+.Pa krb5.conf
+file (you can actually put the configuration in
+.Pa /etc/krb5.conf ,
+and then start the KDC with
+.Fl -config-file= Ns Ar /etc/krb5.conf ) .
+All options should be in a section called
+.Dq kdc .
+Options are called the same as the long option name, and takes the
+same arguments. The only difference is the pre-authentication flag,
+that has to be specified as:
+.Pp
+.Dl require-preauth = no
+.Pp
+(in fact you can specify the option as
+.Fl -require-preauth= Ns Ar no
+as well).
+.Pp
+An example of a config file:
+.Bd -literal -offset indent
+[kdc]
+ require-preauth = no
+ v4-realm = FOO.SE
+ log-file = /var/log/kdc.log
+.Ed
+.Sh SEE ALSO
+.Xr kinit 1
diff --git a/lib/krb5/krb5.conf.5 b/lib/krb5/krb5.conf.5
new file mode 100644
index 000000000..45dcb6aed
--- /dev/null
+++ b/lib/krb5/krb5.conf.5
@@ -0,0 +1,128 @@
+.\" $Id$
+.\"
+.Dd July 27, 1997
+.Dt KRB5.CONF 5
+.Os HEIMDAL
+.Sh NAME
+.Nm /etc/krb5.conf
+.Nd
+Configuration file for Kerberos 5
+.Sh DESCRIPTION
+The
+.Nm
+file specifies several configuration parameters for the Kerberos 5
+library, as well as some programs.
+.Pp
+The file consists of one or more sections, containing a number of
+bindings. The value of each binding can be either a string or a list
+of other bindings. The grammar looks like:
+.Bd -literal -offset indent
+file:
+ /* empty */
+ sections
+
+sections:
+ section sections
+ section
+
+section:
+ '[' section_name ']' bindings
+
+section_name:
+ STRING
+
+bindings:
+ binding bindings
+ binding
+
+binding:
+ name '=' STRING
+ name '=' '{' bindings '}'
+
+name:
+ STRING
+
+.Ed
+.Li STRINGs
+consists of one or more non-white space characters.
+Currently recognised sections and bindings are:
+
+.Bl -tag -width "xxxxxx" -offset indent
+.It Li libdefaults
+.Bl -tag -width "xxxxxx" -offset indent
+.It Li default_realm = Va REALM
+Default realm to use, this is also known as your
+.Dq local realm .
+The default is the result of
+.Fn krb5_get_host_realm "local host name" .
+.It Li clockskew = time
+Maximum time differential (in seconds) allowed when comparing
+times. Default is 300 seconds (five minutes).
+.It Li kdc_timeout = time
+Maximum time to wait for a reply from the kdc, default is 3 seconds.
+.El
+.It Li domain_realm
+This is a list of mappings from DNS domain to Kerberos realm. Each
+binding in this section looks like:
+.Pp
+.Dl domain = realm
+.Pp
+The domain can be either a full name of a host or a trailing
+component, in the latter case the domain-string should start with a
+perid.
+.It Li realms
+.Bl -tag -offset indent
+.It Va REALM Li = {
+.Bl -tag -offset indent
+.It Li kdc = Va host[:port]
+Specifies a kdc for this realm. If the optional port is absent, the
+default value for the
+.Dq kerberos/udp
+service will be used.
+.It Li v4_instance_convert = {
+This specifies a list of version 4 instance to version 5 component
+conversions that should be made when converting a version 4 principal
+to a version 5 ditto. Since version 4 host instances only contains the
+first part of the domain name, this section is sometimes
+necessary. See also
+.Li default_domain .
+.It }
+.It Li v4_name_convert = {
+Similar to
+.Li v4_instance_convert ,
+but converts the version 4 name, rather than the instance. This is not
+used by the MIT libkrb5, but before someone thinks up something better
+you will have to have a binding looking like:
+.Pp
+.Dl rcmd = host
+.Pp
+here.
+.It }
+.It Li default_domain = Va domain
+The default domain to use when converting version 4 instances to
+version 5 principals.
+.El
+.It Li }
+.El
+.El
+.Sh EXAMPLE
+.Bd -literal -offset indent
+[lib_defaults]
+ default_domain = FOO.SE
+[domain_realm]
+ .foo.se = FOO.SE
+ .bar.se = FOO.SE
+[realms]
+ FOO.SE = {
+ kdc = kerberos.foo.se
+ v4_name_convert = {
+ rcmd = host
+ }
+ v4_instance_convert = {
+ xyz = xyz.bar.se
+ }
+ default_domain = foo.se
+ }
+.Ed
+.Sh SEE ALSO
+.Xr Source tm