copyright/license


git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@11716 ec53bebd-3082-4978-b11e-865c3cabbd6b
Love Hörnquist Åstrand
2003-03-14 14:11:46 +00:00
parent 88d0cbb1b2
commit 5612c9889e

kdc/kdc.8

@@ -1,3 +1,34 @@
.\" Copyright (c) 2003 Kungliga Tekniska H<>gskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\"
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" 3. Neither the name of the Institute nor the names of its contributors
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $Id$ .\" $Id$
.\" .\"
.Dd August 22, 2002 .Dd August 22, 2002
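Review bot: the first line of the new license header renders as `.\" Copyright (c) 2003 Kungliga Tekniska H<>gskolan`, which looks like the non-ASCII character in "Högskolan" was lost or stored as a replacement marker; check that the file is written in the same encoding the other Heimdal man pages use for this header so the institution name survives intact. The remainder of the added three-clause BSD text and the `$Id$` keyword line look correct.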
@@ -29,9 +60,10 @@
.Op Fl -addresses= Ns Ar list of addresses .Op Fl -addresses= Ns Ar list of addresses
.Sh DESCRIPTION .Sh DESCRIPTION
.Nm .Nm
serves requests for tickets. When it starts, it first checks the flags serves requests for tickets.
passed, any options that are not specified with a command line flag are When it starts, it first checks the flags passed, any options that are
taken from a config file, or from a default compiled-in value. not specified with a command line flag are taken from a config file,
or from a default compiled-in value.
.Pp .Pp
Options supported: Options supported:
.Bl -tag -width Ds .Bl -tag -width Ds
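Review bot: the reflow to one sentence per line follows mdoc convention, but the second sentence is still a comma splice: `When it starts, it first checks the flags passed, any options that are` followed by `not specified with a command line flag are taken from a config file,`. Suggest "When it starts, it first checks the flags passed; any options that are not specified with a command line flag are taken from a config file, or from a default compiled-in value."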
@@ -47,14 +79,17 @@ This is the only value that can't be specified in the config file.
.Fl -no-require-preauth .Fl -no-require-preauth
.Xc .Xc
Turn off the requirement for pre-autentication in the initial AS-REQ Turn off the requirement for pre-autentication in the initial AS-REQ
for all principals. The use of pre-authentication makes it more for all principals.
difficult to do offline password attacks. You might want to turn it The use of pre-authentication makes it more difficult to do offline
off if you have clients that don't support pre-authentication. Since the password attacks.
version 4 protocol doesn't support any pre-authentication, serving You might want to turn it off if you have clients
version 4 clients is just about the same as not requiring that don't support pre-authentication.
pre-athentication. The default is to require Since the version 4 protocol doesn't support any pre-authentication,
pre-authentication. Adding the require-preauth per principal is a more serving version 4 clients is just about the same as not requiring
flexible way of handling this. pre-athentication.
The default is to require pre-authentication.
Adding the require-preauth per principal is a more flexible way of
handling this.
.It Xo .It Xo
.Fl -max-request= Ns Ar size .Fl -max-request= Ns Ar size
.Xc .Xc
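Review bot: two misspellings survive the reflow in this hunk, `pre-autentication` in `Turn off the requirement for pre-autentication in the initial AS-REQ` and `pre-athentication` in the line ending `pre-athentication.`; since these lines are being rewritten anyway, spell both as "pre-authentication". Also consider moving `Adding the require-preauth per principal is a more flexible way of` / `handling this.` up to directly follow the sentence that says you might want to turn pre-authentication off, so the safer per-principal alternative is presented next to the global switch it replaces.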
@@ -75,9 +110,11 @@ Disables kaserver emulation (in case it's compiled in).
.Fl -v4-realm= Ns Ar realm .Fl -v4-realm= Ns Ar realm
.Xc .Xc
What realm this server should act as when dealing with version 4 What realm this server should act as when dealing with version 4
requests. The database can contain any number of realms, but since the requests.
version 4 protocol doesn't contain a realm for the server, it must be The database can contain any number of realms, but since the version 4
explicitly specified. The default is whatever is returned by protocol doesn't contain a realm for the server, it must be explicitly
specified.
The default is whatever is returned by
.Fn krb_get_lrealm . .Fn krb_get_lrealm .
This option is only availabe if the KDC has been compiled with version This option is only availabe if the KDC has been compiled with version
4 support. 4 support.
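Review bot: `availabe` in the trailing context line `This option is only availabe if the KDC has been compiled with version` is misspelled; the hunk does not touch that line, but since the surrounding paragraph is being reflowed this is the natural place to correct it to "available".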
@@ -85,12 +122,15 @@ This option is only availabe if the KDC has been compiled with version
.Fl P Ar string , .Fl P Ar string ,
.Fl -ports= Ns Ar string .Fl -ports= Ns Ar string
.Xc .Xc
Specifies the set of ports the KDC should listen on. It is given as a Specifies the set of ports the KDC should listen on.
It is given as a
white-space separated list of services or port numbers. white-space separated list of services or port numbers.
.It Fl -addresses= Ns Ar list of addresses .It Fl -addresses= Ns Ar list of addresses
The list of addresses to listen for requests on. By default, the kdc The list of addresses to listen for requests on.
will listen on all the locally configured addresses. If only a subset By default, the kdc will listen on all the locally configured
is desired, or the automatic detection fails, this option might be used. addresses.
If only a subset is desired, or the automatic detection fails, this
option might be used.
.El .El
.Pp .Pp
All activities are logged to one or more destinations, see All activities are logged to one or more destinations, see
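Review bot: `By default, the kdc will listen on all the locally configured` names the program literally where the rest of the page uses the `.Nm` macro (compare the `.Nm` line at the top of DESCRIPTION); use `.Nm` here too so the name renders consistently. Also, `white-space separated list of services or port numbers.` now sits mid-sentence after `It is given as a`, which is fine for mdoc as long as the break is not mistaken for a sentence boundary; keep it, but the comma-free sentence is easier to read if "It is given as a white-space separated list" stays on one line.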
@@ -104,13 +144,14 @@ The configuration file has the same syntax as
.Xr krb5.conf 5 , .Xr krb5.conf 5 ,
but will be read before but will be read before
.Pa /etc/krb5.conf , .Pa /etc/krb5.conf ,
so it may override settings found there. Options specific to the KDC so it may override settings found there.
only are found in the Options specific to the KDC only are found in the
.Dq [kdc] .Dq [kdc]
section. section.
All the command-line options can preferably be added in the All the command-line options can preferably be added in the
configuration file. The only difference is the pre-authentication flag, configuration file.
which has to be specified as: The only difference is the pre-authentication flag, which has to be
specified as:
.Pp .Pp
.Dl require-preauth = no .Dl require-preauth = no
.Pp .Pp
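Review bot: `All the command-line options can preferably be added in the` / `configuration file.` reads oddly; "All the command-line options can also be set in the configuration file" says what is meant. The following sentence correctly singles out the pre-authentication flag as the one whose configuration-file spelling differs (`.Dl require-preauth = no` rather than a `no-` prefixed option name), so keep that.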
@@ -121,16 +162,16 @@ And there are some configuration options which do not have
command-line equivalents: command-line equivalents:
.Bl -tag -width "xxx" -offset indent .Bl -tag -width "xxx" -offset indent
.It Li check-ticket-addresses = Va boolean .It Li check-ticket-addresses = Va boolean
Check the addresses in the ticket when processing TGS requests. The Check the addresses in the ticket when processing TGS requests.
default is FALSE. The default is FALSE.
.It Li allow-null-ticket-addresses = Va boolean .It Li allow-null-ticket-addresses = Va boolean
Permit tickets with no addresses. This option is only relevant when Permit tickets with no addresses.
check-ticket-addresses is TRUE. This option is only relevant when check-ticket-addresses is TRUE.
.It Li allow-anonymous = Va boolean .It Li allow-anonymous = Va boolean
Permit anonymous tickets with no addresses. Permit anonymous tickets with no addresses.
.It encode_as_rep_as_tgs_rep = Va boolean .It encode_as_rep_as_tgs_rep = Va boolean
Encode AS-Rep as TGS-Rep to be bug-compatible with old DCE code. The Encode AS-Rep as TGS-Rep to be bug-compatible with old DCE code.
Heimdal clients allow both. The Heimdal clients allow both.
.It kdc_warn_pwexpire = Va time .It kdc_warn_pwexpire = Va time
How long before password/principal expiration the KDC should start How long before password/principal expiration the KDC should start
sending out warning messages. sending out warning messages.
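Review bot: the last two list items are formatted inconsistently with the first three: `.It Li check-ticket-addresses = Va boolean` marks the option name with `Li`, but `.It encode_as_rep_as_tgs_rep = Va boolean` and `.It kdc_warn_pwexpire = Va time` omit it, so those two names will not render in literal font. Add `Li` to both while the block is being touched. Since the hunk reflows `The default is FALSE.` for check-ticket-addresses, it could also say plainly that with the default the addresses in a ticket are not compared against the TGS request at all, which is the behaviour an administrator enabling the option is changing.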
@@ -152,14 +193,15 @@ An example of a config file:
.Ed .Ed
.Sh BUGS .Sh BUGS
If the machine running the KDC has new addresses added to it, the KDC If the machine running the KDC has new addresses added to it, the KDC
will have to be restarted to listen to them. The reason it doesn't will have to be restarted to listen to them.
just listen to wildcarded (like INADDR_ANY) addresses, is that the The reason it doesn't just listen to wildcarded (like INADDR_ANY)
replies has to come from the same address they were sent to, and most addresses, is that the replies has to come from the same address they
OS:es doesn't pass this information to the application. If your normal were sent to, and most OS:es doesn't pass this information to the
mode of operation require that you add and remove addresses, the best application.
option is probably to listen to a wildcarded TCP socket, and make sure If your normal mode of operation require that you add and remove
your clients use TCP to connect. For instance, this will listen to addresses, the best option is probably to listen to a wildcarded TCP
IPv4 TCP port 88 only: socket, and make sure your clients use TCP to connect.
For instance, this will listen to IPv4 TCP port 88 only:
.Bd -literal -offset indent .Bd -literal -offset indent
kdc --addresses=0.0.0.0 --ports="88/tcp" kdc --addresses=0.0.0.0 --ports="88/tcp"
.Ed .Ed
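Review bot: several grammar slips survive the reflow in this hunk: `addresses, is that the replies has to come from the same address they` ("have to come"), `were sent to, and most OS:es doesn't pass this information to the` ("most OSes don't pass"), and `If your normal mode of operation require that you add and remove` ("requires"). Fix them while these lines are being rewritten. The example `kdc --addresses=0.0.0.0 --ports="88/tcp"` is consistent with the text: it binds a wildcard IPv4 TCP socket only, so UDP clients are not served, which the sentence ending "make sure your clients use TCP to connect" already warns about.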