.\" Copyright (c) 2003 - 2004 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\"
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" 3. Neither the name of the Institute nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $Id: kdc.8 18419 2006-10-12 10:05:57Z lha $
.\"
.Dd August 24, 2006
.Dt KDC 8
.Os HEIMDAL
.Sh NAME
.Nm kdc
.Nd Kerberos 5 server
.Sh SYNOPSIS
.Nm
.Bk -words
.Oo Fl c Ar file \*(Ba Xo
.Fl -config-file= Ns Ar file
.Xc
.Oc
.Op Fl p | Fl -no-require-preauth
.Op Fl -max-request= Ns Ar size
.Op Fl H | Fl -enable-http
.Op Fl -no-524
.Op Fl -kerberos4
.Op Fl -kerberos4-cross-realm
.Oo Fl r Ar string \*(Ba Xo
.Fl -v4-realm= Ns Ar string
.Xc
.Oc
.Op Fl K | Fl -kaserver
.Oo Fl P Ar portspec \*(Ba Xo
.Fl -ports= Ns Ar portspec
.Xc
.Oc
.Op Fl -detach
.Op Fl -disable-DES
.Op Fl -addresses= Ns Ar list of addresses
.Ek
.Sh DESCRIPTION
.Nm
serves requests for tickets.
When it starts, it first checks the flags passed; any option that is
not specified with a command line flag is taken from the config file,
or from a default compiled-in value.
.Pp
Options supported:
.Bl -tag -width Ds
.It Xo
.Fl c Ar file ,
.Fl -config-file= Ns Ar file
.Xc
Specifies the location of the config file; the default is
.Pa /var/heimdal/kdc.conf .
This is the only value that can't be specified in the config file.
.It Xo
.Fl p ,
.Fl -no-require-preauth
.Xc
Turn off the requirement for pre-authentication in the initial AS-REQ
for all principals.
Requiring pre-authentication makes offline password attacks harder,
because the KDC will not hand out a reply encrypted in a principal's
key to a client that has not first proven knowledge of that key.
You might want to turn it off if you have clients
that don't support pre-authentication.
Since the version 4 protocol doesn't support any pre-authentication,
serving version 4 clients is just about the same as not requiring
pre-authentication.
The default is to require pre-authentication.
Setting the require-preauth flag per principal is a more flexible way of
handling this.
.It Xo
.Fl -max-request= Ns Ar size
.Xc
Gives an upper limit on the size of the requests that the KDC is
willing to handle.
.It Xo
.Fl H ,
.Fl -enable-http
.Xc
Makes the KDC also listen on port 80 and handle requests encapsulated in HTTP.
.It Xo
.Fl -no-524
.Xc
Don't respond to 524 requests (conversion of Kerberos 5 tickets to
Kerberos 4 tickets).
.It Xo
.Fl -kerberos4
.Xc
Respond to Kerberos 4 requests.
.It Xo
.Fl -kerberos4-cross-realm
.Xc
Respond to Kerberos 4 requests from foreign realms.
This is a known security hole and should not be enabled unless you
understand the consequences and are willing to live with them.
.It Xo
.Fl r Ar string ,
.Fl -v4-realm= Ns Ar string
.Xc
What realm this server should act as when dealing with version 4
requests.
The database can contain any number of realms, but since the version 4
protocol doesn't contain a realm for the server, it must be explicitly
specified.
The default is whatever is returned by
.Fn krb_get_lrealm .
This option is only available if the KDC has been compiled with version
4 support.
.It Xo
.Fl K ,
.Fl -kaserver
.Xc
Enable kaserver emulation (in case it's compiled in).
.It Xo
.Fl P Ar portspec ,
.Fl -ports= Ns Ar portspec
.Xc
Specifies the set of ports the KDC should listen on.
It is given as a
white-space separated list of services or port numbers.
.It Fl -addresses= Ns Ar list of addresses
The list of addresses to listen for requests on.
By default, the KDC will listen on all the locally configured
addresses.
If only a subset is desired, or the automatic detection fails, this
option might be used.
.It Fl -detach
Detach from the terminal and run as a daemon.
.It Fl -disable-DES
Disable all DES encryption types, so that the KDC will not use them.
.El
.Pp
All activities are logged to one or more destinations, see
.Xr krb5.conf 5 ,
and
.Xr krb5_openlog 3 .
The entity used for logging is
.Nm kdc .
.Sh CONFIGURATION FILE
The configuration file has the same syntax as
.Xr krb5.conf 5 ,
but will be read before
.Pa /etc/krb5.conf ,
so it may override settings found there.
Options specific to the KDC only are found in the
.Dq [kdc]
section.
All the command-line options can preferably be added in the
configuration file.
The only difference is the pre-authentication flag, which has to be
specified as:
.Pp
.Dl require-preauth = no
.Pp
(in fact you can specify the option as
.Fl -require-preauth=no ) .
.Pp
And there are some configuration options which do not have
command-line equivalents:
.Bl -tag -width "xxx" -offset indent
.It Li enable-digest = Va boolean
Turn on support for digest processing in the KDC.
The default is FALSE.
.It Li check-ticket-addresses = Va boolean
Check the addresses in the ticket when processing TGS requests.
The default is TRUE.
.It Li allow-null-ticket-addresses = Va boolean
Permit tickets with no addresses.
This option is only relevant when check-ticket-addresses is TRUE.
.It Li allow-anonymous = Va boolean
Permit anonymous tickets with no addresses.
.It Li max-kdc-datagram-reply-length = Va number
Maximum size of a UDP reply the KDC will transmit.
If a reply would be larger, the KDC instead sends back an error
telling the client to retry over TCP.
.It Li transited-policy = Xo
.Li always-check \*(Ba
.Li allow-per-principal |
.Li always-honour-request
.Xc
This controls how KDC requests with the
.Li disable-transited-check
flag are handled. It can be one of:
.Bl -tag -width "xxx" -offset indent
.It Li always-check
Always check the transited encoding; this is the default.
.It Li allow-per-principal
Currently this is identical to
.Li always-check .
In a future release, it will be possible to mark a principal as able
to handle unchecked requests.
.It Li always-honour-request
Always do what the client asked.
In a future release, it will be possible to force a check per
principal.
.El
.It Li encode_as_rep_as_tgs_rep = Va boolean
Encode AS-REP as TGS-REP to be bug-compatible with old DCE code.
The Heimdal clients allow both.
.It Li kdc_warn_pwexpire = Va time
How long before password/principal expiration the KDC should start
sending out warning messages.
.El
.Pp
The configuration file is only read when the
.Nm
is started.
If changes made to the configuration file are to take effect, the
.Nm
needs to be restarted.
.Pp
An example of a config file:
.Bd -literal -offset indent
[kdc]
	require-preauth = no
	v4-realm = FOO.SE
.Ed
.Sh BUGS
If the machine running the KDC has new addresses added to it, the KDC
will have to be restarted to listen to them.
The reason it doesn't just listen to wildcarded (like INADDR_ANY)
addresses is that the replies have to come from the same address they
were sent to, and most OSes don't pass this information to the
application.
If your normal mode of operation requires that you add and remove
addresses, the best option is probably to listen to a wildcarded TCP
socket, and make sure your clients use TCP to connect.
For instance, this will listen to IPv4 TCP port 88 only:
.Bd -literal -offset indent
kdc --addresses=0.0.0.0 --ports="88/tcp"
.Ed
.Pp
There should be a way to specify protocol, port, and address triplets,
not just addresses and protocol, port tuples.
.Sh SEE ALSO
.Xr kinit 1 ,
.Xr krb5.conf 5
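.Pp
As an added example (not part of this manual page and not Heimdal's own
code), the following Python script parses the krb5.conf(5) syntax used by
kdc.conf (sections, key = value lines and nested key = { ... } blocks) and
flags [kdc] settings that weaken the KDC as described above:
pre-authentication not required, Kerberos 4 and Kerberos 4 cross-realm
service, the HTTP listener, ticket address checks disabled, an
always-honour-request transited policy, and DES left enabled.
It assumes that the command-line switches are spelled in the configuration
file as enable-kerberos4, enable-kerberos4-cross-realm, enable-http and
disable-des; of the keys it checks, only require-preauth, v4-realm,
check-ticket-addresses and transited-policy are confirmed by this page, and
the accepted spellings of boolean values (yes/true/non-zero) are likewise an
assumption.
Both sample configurations are constructed for the example.

```python
"""Audit a Heimdal kdc.conf [kdc] section for weak settings.
Added example, not Heimdal code; keys marked ASSUMED are not confirmed by kdc(8)."""
import re

# Constructed sample of a permissive kdc.conf of the kind kdc(8) warns about.
# The enable-* spellings of --kerberos4, --kerberos4-cross-realm, --enable-http are ASSUMED.
WEAK_CONF = """\
[kdc]
    require-preauth = no
    enable-kerberos4 = yes
    enable-kerberos4-cross-realm = yes
    enable-http = yes
    check-ticket-addresses = false
    transited-policy = always-honour-request
    v4-realm = EXAMPLE.ORG
[realms]
    EXAMPLE.ORG = {
        kdc = kdc.example.org
    }
"""

# Constructed sample with the defaults kdc(8) recommends (disable-des spelling ASSUMED).
HARDENED_CONF = """\
[kdc]
    require-preauth = yes
    check-ticket-addresses = yes
    transited-policy = always-check
    disable-des = yes
    ports = 88/tcp 88/udp
    addresses = 192.0.2.10
"""

_SECTION = re.compile(r"\[([^\]]+)\]")
_BLOCK_OPEN = re.compile(r"([^=\s]+)\s*=\s*\{")
_ASSIGN = re.compile(r"([^=\s]+)\s*=\s*(.*)")

def parse_krb5_conf(text):
    """krb5.conf(5) syntax -> {section: {key: str | dict}}; handles [section]
    headers, key = value, nested key = { ... } blocks and '#' comment lines."""
    sections, stack, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _SECTION.fullmatch(line)
        if m and not stack:
            current = sections.setdefault(m.group(1).strip(), {})
            continue
        if current is None:
            raise ValueError(f"key outside any section: {raw!r}")
        target = stack[-1] if stack else current
        if line == "}" and stack:
            stack.pop()          # close the innermost { ... } block
            continue
        m = _BLOCK_OPEN.fullmatch(line)
        if m:
            target[m.group(1)] = block = {}
            stack.append(block)
            continue
        m = _ASSIGN.fullmatch(line)
        if not m:
            raise ValueError(f"cannot parse: {raw!r}")
        target[m.group(1)] = m.group(2).strip()   # a repeated key overwrites
    if stack:
        raise ValueError("unterminated '{' block")
    return sections

def to_bool(value, default):
    """Config boolean; yes/true/non-zero count as true (accepted spellings ASSUMED)."""
    if value is None:
        return default
    v = str(value).strip().lower()
    return v in ("yes", "true") or (v.isdigit() and int(v) != 0)

# (key, predicate over the [kdc] dict, finding). Defaults follow kdc(8): preauth
# required, addresses checked, transited-policy always-check, HTTP/v4 off, DES on.
RULES = [
    ("require-preauth", lambda k: not to_bool(k.get("require-preauth"), True),
     "pre-authentication not required: any client can fetch an AS-REP encrypted in "
     "the principal's key and attack the password offline"),
    ("enable-kerberos4", lambda k: to_bool(k.get("enable-kerberos4"), False),
     "Kerberos 4 served; v4 has no pre-authentication (ASSUMED key name)"),
    ("enable-kerberos4-cross-realm",
     lambda k: to_bool(k.get("enable-kerberos4-cross-realm"), False),
     "Kerberos 4 cross-realm enabled, a known security hole per kdc(8) (ASSUMED key)"),
    ("enable-http", lambda k: to_bool(k.get("enable-http"), False),
     "extra listener on port 80 for HTTP-encapsulated requests (ASSUMED key name)"),
    ("check-ticket-addresses",
     lambda k: not to_bool(k.get("check-ticket-addresses"), True),
     "ticket addresses not checked on TGS requests"),
    ("transited-policy",
     lambda k: str(k.get("transited-policy", "")).strip() == "always-honour-request",
     "client's disable-transited-check flag honoured; cross-realm path never verified"),
    ("disable-des", lambda k: not to_bool(k.get("disable-des"), False),
     "single-DES encryption types still offered (ASSUMED key name)"),
]

def audit_kdc_conf(text):
    """Return [(key, finding)] for every weak [kdc] setting present in text."""
    kdc = parse_krb5_conf(text).get("kdc", {})
    return [(key, msg) for key, weak, msg in RULES if weak(kdc)]
```

Feed audit_kdc_conf() the text of any kdc.conf: it returns the list of
(key, finding) pairs, all seven rules for the permissive sample and an empty
list for the hardened one.
Settings that are not present are judged by the documented defaults, which
is why DES is reported unless it is explicitly disabled.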