xref: /freebsd/crypto/heimdal/kdc/kdc.8 (revision 41466b50c1d5bfd1cf6adaae547a579a75d7c04e)
1.\" $Id: kdc.8,v 1.13 2001/06/08 21:35:32 joda Exp $
2.\"
3.Dd July 27, 1997
4.Dt KDC 8
5.Os HEIMDAL
6.Sh NAME
7.Nm kdc
8.Nd Kerberos 5 server
9.Sh SYNOPSIS
10.Nm
11.Oo Fl c Ar file \*(Ba Xo
12.Fl -config-file= Ns Ar file
13.Xc
14.Oc
15.Op Fl p | Fl -no-require-preauth
16.Op Fl -max-request= Ns Ar size
17.Op Fl H | Fl -enable-http
18.Oo Fl r Ar string \*(Ba Xo
19.Fl -v4-realm= Ns Ar string
20.Xc
21.Oc
22.Op Fl K | Fl -no-kaserver
23.Op Fl r Ar realm
24.Op Fl -v4-realm= Ns Ar realm
25.Oo Fl P Ar string \*(Ba Xo
26.Fl -ports= Ns Ar string
27.Xc
28.Oc
29.Op Fl -addresses= Ns Ar list of addresses
.Sh DESCRIPTION
.Nm
serves requests for tickets. When it starts, it first checks the flags
passed; any options that are not specified with a command line flag are
taken from a config file, or from a default compiled-in value.
.Pp
Options supported:
.Bl -tag -width Ds
.It Fl c Ar file
.It Fl -config-file= Ns Ar file
Specifies the location of the config file, the default is
.Pa /var/heimdal/kdc.conf .
This is the only value that can't be specified in the config file.
.It Fl p
.It Fl -no-require-preauth
Turn off the requirement for pre-authentication in the initial AS-REQ
for all principals. The use of pre-authentication makes it more
difficult to do offline password attacks. You might want to turn it
off if you have clients that don't do pre-authentication. Since the
version 4 protocol doesn't support any pre-authentication, serving
version 4 clients is just about the same as not requiring
pre-authentication. The default is to require
pre-authentication. Setting require-preauth per principal is a more
flexible way of handling this.
.It Xo
.Fl -max-request= Ns Ar size
.Xc
Gives an upper limit on the size of the requests that the kdc is
willing to handle.
.It Xo
.Fl H Ns ,
.Fl -enable-http
.Xc
Makes the kdc listen on port 80 and handle requests encapsulated in HTTP.
.It Xo
.Fl K Ns ,
.Fl -no-kaserver
.Xc
Disables kaserver emulation (in case it's compiled in).
.It Fl r Ar realm
.It Fl -v4-realm= Ns Ar realm
What realm this server should act as when dealing with version 4
requests. The database can contain any number of realms, but since the
version 4 protocol doesn't contain a realm for the server, it must be
explicitly specified. The default is whatever is returned by
.Fn krb_get_lrealm .
This option is only available if the KDC has been compiled with version
4 support.
.It Xo
.Fl P Ar string Ns ,
.Fl -ports= Ns Ar string
.Xc
Specifies the set of ports the KDC should listen on.  It is given as a
white-space separated list of services or port numbers.
.It Xo
.Fl -addresses= Ns Ar list of addresses
.Xc
The list of addresses to listen for requests on.  By default, the kdc
will listen on all the locally configured addresses.  If only a subset
is desired, or the automatic detection fails, this option might be used.
.El
.Pp
All activities are logged to one or more destinations, see
.Xr krb5.conf 5 ,
and
.Xr krb5_openlog 3 .
The entity used for logging is
.Nm kdc .
.Sh CONFIGURATION FILE
The configuration file has the same syntax as the
.Pa krb5.conf
file (you can actually put the configuration in
.Pa /etc/krb5.conf ,
and then start the KDC with
.Fl -config-file= Ns Ar /etc/krb5.conf ) .
All options should be in a section called
.Dq kdc .
All the command-line options can preferably be added in the
configuration file.  The only difference is the pre-authentication flag,
which has to be specified as:
.Pp
.Dl require-preauth = no
.Pp
(in fact you can specify the option as
.Fl -require-preauth=no ) .
.Pp
And there are some configuration options which do not have
command-line equivalents:
.Bl -tag -width "xxx" -offset indent
.It Li check-ticket-addresses = Va boolean
Check the addresses in the ticket when processing TGS requests.  The
default is FALSE.
.It Li allow-null-ticket-addresses = Va boolean
Permit tickets with no addresses.  This option is only relevant when
check-ticket-addresses is TRUE.
.It Li allow-anonymous = Va boolean
Permit anonymous tickets with no addresses.
.It Li encode_as_rep_as_tgs_rep = Va boolean
Encode AS-Rep as TGS-Rep to be bug-compatible with old DCE code.  The
Heimdal clients allow both.
.It Li kdc_warn_pwexpire = Va time
How long before password/principal expiration the KDC should start
sending out warning messages.
.El
.Pp
An example of a config file:
.Bd -literal -offset indent
[kdc]
	require-preauth = no
	v4-realm = FOO.SE
	key-file = /key-file
.Ed
.Sh SEE ALSO
.Xr kinit 1
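.Pp
The following Python script is an added example, not part of Heimdal or of
this manual page.  It parses the
.Dq kdc
section of a krb5.conf-style file (the flat key = value lines used above;
brace-nested blocks such as those under a realms section are skipped) and
reports the settings documented here that weaken the KDC: require-preauth
turned off, HTTP encapsulation enabled, an unresolvable service name in
ports, address checking undermined by allow-null-ticket-addresses, and
anonymous tickets.  The sample configuration is constructed for the example;
the default of require-preauth (yes) and of check-ticket-addresses (FALSE)
come from this page, while the assumed defaults for enable-http,
allow-null-ticket-addresses and allow-anonymous (all off) are the example's
own assumptions.

```python
"""Check the [kdc] section of a krb5.conf-style file against the settings
documented in kdc(8).  Added example, not Heimdal code: the parser handles
only flat "key = value" lines and skips brace-nested blocks."""
import socket

# Constructed sample, modelled on the example config in kdc(8).
SAMPLE_CONF = """\
[kdc]
\trequire-preauth = no
\tv4-realm = FOO.SE
\tkey-file = /key-file
\tenable-http = yes
\tports = 88 750
\tcheck-ticket-addresses = true
\tallow-null-ticket-addresses = true
\tallow-anonymous = no

[realms]
\tFOO.SE = {
\t\tkdc = kdc.foo.se
\t}
"""

TRUE_WORDS = {"yes", "true", "1", "on"}
FALSE_WORDS = {"no", "false", "0", "off"}


def parse_sections(text):
    """Return {section: {key: value}} for flat "key = value" lines.
    Lines inside { } blocks are skipped; '#' starts a comment."""
    sections = {}
    current = None
    depth = 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if depth == 0 and line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        opens, closes = line.count("{"), line.count("}")
        if depth > 0 or opens:
            depth = max(depth + opens - closes, 0)
            continue
        if current is None or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current][key.lower()] = value
    return sections


def to_bool(value):
    """Map the boolean spellings accepted in krb5.conf to True/False/None."""
    word = value.strip().lower()
    if word in TRUE_WORDS:
        return True
    if word in FALSE_WORDS:
        return False
    return None


def resolve_ports(spec):
    """kdc(8): 'ports' is a white-space separated list of services or port
    numbers.  Names are looked up in /etc/services; unknown names map to
    None so the caller can flag them."""
    ports = []
    for item in spec.split():
        if item.isdigit():
            ports.append(int(item))
            continue
        try:
            ports.append(socket.getservbyname(item, "udp"))
        except OSError:
            ports.append(None)
    return ports


def lint_kdc(sections):
    """Return (severity, key, message) findings for the [kdc] section.
    Defaults: require-preauth yes and check-ticket-addresses FALSE per
    kdc(8); enable-http, allow-null-ticket-addresses and allow-anonymous
    off is this example's assumption."""
    kdc = sections.get("kdc", {})
    findings = []
    if to_bool(kdc.get("require-preauth", "yes")) is False:
        findings.append(("high", "require-preauth",
                         "pre-authentication disabled: offline password "
                         "attacks become easier"))
    if to_bool(kdc.get("enable-http", "no")) is True:
        findings.append(("medium", "enable-http",
                         "KDC also answers HTTP-encapsulated requests on port 80"))
    if "ports" in kdc and None in resolve_ports(kdc["ports"]):
        findings.append(("medium", "ports",
                         "a service name in 'ports' is not in /etc/services"))
    if (to_bool(kdc.get("check-ticket-addresses", "no")) is True
            and to_bool(kdc.get("allow-null-ticket-addresses", "no")) is True):
        findings.append(("medium", "allow-null-ticket-addresses",
                         "tickets carrying no addresses bypass the address check"))
    if to_bool(kdc.get("allow-anonymous", "no")) is True:
        findings.append(("low", "allow-anonymous", "anonymous tickets permitted"))
    if "addresses" not in kdc:
        findings.append(("info", "addresses",
                         "no 'addresses' given: KDC listens on every local address"))
    return findings


if __name__ == "__main__":
    for severity, key, message in lint_kdc(parse_sections(SAMPLE_CONF)):
        print(f"[{severity}] {key}: {message}")
```

Run it against a real file by replacing SAMPLE_CONF with the contents of
the file passed to --config-file; the findings are advisory and follow the
option descriptions above rather than any Heimdal policy.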