. -> .\n
copyright/license git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@11716 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Love Hörnquist Åstrand
114
kdc/kdc.8
114
kdc/kdc.8
@@ -1,3 +1,34 @@
|
||||
.\" Copyright (c) 2003 Kungliga Tekniska H<>gskolan
|
||||
.\" (Royal Institute of Technology, Stockholm, Sweden).
|
||||
.\" All rights reserved.
|
||||
.\"
|
||||
.\" Redistribution and use in source and binary forms, with or without
|
||||
.\" modification, are permitted provided that the following conditions
|
||||
.\" are met:
|
||||
.\"
|
||||
.\" 1. Redistributions of source code must retain the above copyright
|
||||
.\" notice, this list of conditions and the following disclaimer.
|
||||
.\"
|
||||
.\" 2. Redistributions in binary form must reproduce the above copyright
|
||||
.\" notice, this list of conditions and the following disclaimer in the
|
||||
.\" documentation and/or other materials provided with the distribution.
|
||||
.\"
|
||||
.\" 3. Neither the name of the Institute nor the names of its contributors
|
||||
.\" may be used to endorse or promote products derived from this software
|
||||
.\" without specific prior written permission.
|
||||
.\"
|
||||
.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
|
||||
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
|
||||
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||||
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||||
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
.\" SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $Id$
|
||||
.\"
|
||||
.Dd August 22, 2002
|
||||
@@ -29,9 +60,10 @@
|
||||
.Op Fl -addresses= Ns Ar list of addresses
|
||||
.Sh DESCRIPTION
|
||||
.Nm
|
||||
serves requests for tickets. When it starts, it first checks the flags
|
||||
passed, any options that are not specified with a command line flag are
|
||||
taken from a config file, or from a default compiled-in value.
|
||||
serves requests for tickets.
|
||||
When it starts, it first checks the flags passed, any options that are
|
||||
not specified with a command line flag are taken from a config file,
|
||||
or from a default compiled-in value.
|
||||
.Pp
|
||||
Options supported:
|
||||
.Bl -tag -width Ds
|
||||
@@ -47,14 +79,17 @@ This is the only value that can't be specified in the config file.
|
||||
.Fl -no-require-preauth
|
||||
.Xc
|
||||
Turn off the requirement for pre-autentication in the initial AS-REQ
|
||||
for all principals. The use of pre-authentication makes it more
|
||||
difficult to do offline password attacks. You might want to turn it
|
||||
off if you have clients that don't support pre-authentication. Since the
|
||||
version 4 protocol doesn't support any pre-authentication, serving
|
||||
version 4 clients is just about the same as not requiring
|
||||
pre-athentication. The default is to require
|
||||
pre-authentication. Adding the require-preauth per principal is a more
|
||||
flexible way of handling this.
|
||||
for all principals.
|
||||
The use of pre-authentication makes it more difficult to do offline
|
||||
password attacks.
|
||||
You might want to turn it off if you have clients
|
||||
that don't support pre-authentication.
|
||||
Since the version 4 protocol doesn't support any pre-authentication,
|
||||
serving version 4 clients is just about the same as not requiring
|
||||
pre-athentication.
|
||||
The default is to require pre-authentication.
|
||||
Adding the require-preauth per principal is a more flexible way of
|
||||
handling this.
|
||||
.It Xo
|
||||
.Fl -max-request= Ns Ar size
|
||||
.Xc
|
||||
@@ -75,9 +110,11 @@ Disables kaserver emulation (in case it's compiled in).
|
||||
.Fl -v4-realm= Ns Ar realm
|
||||
.Xc
|
||||
What realm this server should act as when dealing with version 4
|
||||
requests. The database can contain any number of realms, but since the
|
||||
version 4 protocol doesn't contain a realm for the server, it must be
|
||||
explicitly specified. The default is whatever is returned by
|
||||
requests.
|
||||
The database can contain any number of realms, but since the version 4
|
||||
protocol doesn't contain a realm for the server, it must be explicitly
|
||||
specified.
|
||||
The default is whatever is returned by
|
||||
.Fn krb_get_lrealm .
|
||||
This option is only availabe if the KDC has been compiled with version
|
||||
4 support.
|
||||
@@ -85,12 +122,15 @@ This option is only availabe if the KDC has been compiled with version
|
||||
.Fl P Ar string ,
|
||||
.Fl -ports= Ns Ar string
|
||||
.Xc
|
||||
Specifies the set of ports the KDC should listen on. It is given as a
|
||||
Specifies the set of ports the KDC should listen on.
|
||||
It is given as a
|
||||
white-space separated list of services or port numbers.
|
||||
.It Fl -addresses= Ns Ar list of addresses
|
||||
The list of addresses to listen for requests on. By default, the kdc
|
||||
will listen on all the locally configured addresses. If only a subset
|
||||
is desired, or the automatic detection fails, this option might be used.
|
||||
The list of addresses to listen for requests on.
|
||||
By default, the kdc will listen on all the locally configured
|
||||
addresses.
|
||||
If only a subset is desired, or the automatic detection fails, this
|
||||
option might be used.
|
||||
.El
|
||||
.Pp
|
||||
All activities are logged to one or more destinations, see
|
||||
@@ -104,13 +144,14 @@ The configuration file has the same syntax as
|
||||
.Xr krb5.conf 5 ,
|
||||
but will be read before
|
||||
.Pa /etc/krb5.conf ,
|
||||
so it may override settings found there. Options specific to the KDC
|
||||
only are found in the
|
||||
so it may override settings found there.
|
||||
Options specific to the KDC only are found in the
|
||||
.Dq [kdc]
|
||||
section.
|
||||
All the command-line options can preferably be added in the
|
||||
configuration file. The only difference is the pre-authentication flag,
|
||||
which has to be specified as:
|
||||
configuration file.
|
||||
The only difference is the pre-authentication flag, which has to be
|
||||
specified as:
|
||||
.Pp
|
||||
.Dl require-preauth = no
|
||||
.Pp
|
||||
@@ -121,16 +162,16 @@ And there are some configuration options which do not have
|
||||
command-line equivalents:
|
||||
.Bl -tag -width "xxx" -offset indent
|
||||
.It Li check-ticket-addresses = Va boolean
|
||||
Check the addresses in the ticket when processing TGS requests. The
|
||||
default is FALSE.
|
||||
Check the addresses in the ticket when processing TGS requests.
|
||||
The default is FALSE.
|
||||
.It Li allow-null-ticket-addresses = Va boolean
|
||||
Permit tickets with no addresses. This option is only relevant when
|
||||
check-ticket-addresses is TRUE.
|
||||
Permit tickets with no addresses.
|
||||
This option is only relevant when check-ticket-addresses is TRUE.
|
||||
.It Li allow-anonymous = Va boolean
|
||||
Permit anonymous tickets with no addresses.
|
||||
.It encode_as_rep_as_tgs_rep = Va boolean
|
||||
Encode AS-Rep as TGS-Rep to be bug-compatible with old DCE code. The
|
||||
Heimdal clients allow both.
|
||||
Encode AS-Rep as TGS-Rep to be bug-compatible with old DCE code.
|
||||
The Heimdal clients allow both.
|
||||
.It kdc_warn_pwexpire = Va time
|
||||
How long before password/principal expiration the KDC should start
|
||||
sending out warning messages.
|
||||
@@ -152,14 +193,15 @@ An example of a config file:
|
||||
.Ed
|
||||
.Sh BUGS
|
||||
If the machine running the KDC has new addresses added to it, the KDC
|
||||
will have to be restarted to listen to them. The reason it doesn't
|
||||
just listen to wildcarded (like INADDR_ANY) addresses, is that the
|
||||
replies has to come from the same address they were sent to, and most
|
||||
OS:es doesn't pass this information to the application. If your normal
|
||||
mode of operation require that you add and remove addresses, the best
|
||||
option is probably to listen to a wildcarded TCP socket, and make sure
|
||||
your clients use TCP to connect. For instance, this will listen to
|
||||
IPv4 TCP port 88 only:
|
||||
will have to be restarted to listen to them.
|
||||
The reason it doesn't just listen to wildcarded (like INADDR_ANY)
|
||||
addresses, is that the replies has to come from the same address they
|
||||
were sent to, and most OS:es doesn't pass this information to the
|
||||
application.
|
||||
If your normal mode of operation require that you add and remove
|
||||
addresses, the best option is probably to listen to a wildcarded TCP
|
||||
socket, and make sure your clients use TCP to connect.
|
||||
For instance, this will listen to IPv4 TCP port 88 only:
|
||||
.Bd -literal -offset indent
|
||||
kdc --addresses=0.0.0.0 --ports="88/tcp"
|
||||
.Ed
|
||||
|
||||
Reference in New Issue
Block a user