.\" $Id: kdc.8,v 1.5 2000/02/13 21:04:32 assar Exp $
.\"
.Dd July 27, 1997
.Dt KDC 8
.Os HEIMDAL
.Sh NAME
.Nm kdc
.Nd
Kerberos 5 server
.Sh SYNOPSIS
.Nm
.Op Fl c Ar file
.Op Fl -config-file= Ns Ar file
.Op Fl p | Fl -no-require-preauth
.Op Fl -max-request= Ns Ar size
.Op Fl H | Fl -enable-http
.Op Fl K | Fl -no-kaserver
.Op Fl r Ar realm
.Op Fl -v4-realm= Ns Ar realm
.Oo Fl P Ar string \*(Ba Xo
.Fl -ports= Ns Ar string Oc
.Xc
.Op Fl -addresses= Ns Ar list of addresses
.Sh DESCRIPTION
.Nm
serves requests for tickets. When it starts, it first checks the flags
passed; any options that are not specified with a command line flag are
taken from a config file, or from a default compiled-in value.
.Pp
Options supported:
.Bl -tag -width Ds
.It Fl c Ar file
.It Fl -config-file= Ns Ar file
Specifies the location of the config file, the default is
.Pa /var/heimdal/kdc.conf .
This is the only value that can't be specified in the config file.
.It Fl p
.It Fl -no-require-preauth
Turn off the requirement for pre-authentication in the initial AS-REQ
for all principals. The use of pre-authentication makes it more
difficult to do offline password attacks. You might want to turn it
off if you have clients that don't do pre-authentication. Since the
version 4 protocol doesn't support any pre-authentication, serving
version 4 clients is just about the same as not requiring
pre-authentication. The default is to require
pre-authentication. Adding the require-preauth per principal is a more
flexible way of handling this.
.It Xo
.Fl -max-request= Ns Ar size
.Xc
Gives an upper limit on the size of the requests that the kdc is
willing to handle.
.It Xo
.Fl H Ns ,
.Fl -enable-http
.Xc
Makes the kdc listen on port 80 and handle requests encapsulated in HTTP.
.It Xo
.Fl K Ns ,
.Fl -no-kaserver
.Xc
Disables kaserver emulation (in case it's compiled in).
.It Fl r Ar realm
.It Fl -v4-realm= Ns Ar realm
What realm this server should act as when dealing with version 4
requests. The database can contain any number of realms, but since the
version 4 protocol doesn't contain a realm for the server, it must be
explicitly specified. The default is whatever is returned by
.Fn krb_get_lrealm .
This option is only available if the KDC has been compiled with version
4 support.
.It Xo
.Fl P Ar string Ns ,
.Fl -ports= Ns Ar string
.Xc
Specifies the set of ports the KDC should listen on. It is given as a
white-space separated list of services or port numbers.
.It Xo
.Fl -addresses= Ns Ar list of addresses
.Xc
The list of addresses to listen for requests on. By default, the kdc
will listen on all the locally configured addresses. If only a subset
is desired, or the automatic detection fails, this option might be used.
.El
.Pp
All activities are logged to one or more destinations, see
.Xr krb5.conf 5 ,
and
.Xr krb5_openlog 3 .
The entity used for logging is
.Nm kdc .
.Sh CONFIGURATION FILE
The configuration file has the same syntax as the
.Pa krb5.conf
file (you can actually put the configuration in
.Pa /etc/krb5.conf ,
and then start the KDC with
.Fl -config-file= Ns Ar /etc/krb5.conf ) .
All options should be in a section called
.Dq kdc .
Options have the same names as the long options and take the
same arguments. The only difference is the pre-authentication flag,
which has to be specified as:
.Pp
.Dl require-preauth = no
.Pp
(in fact you can specify the option as
.Fl -require-preauth=no ) .
.Pp
An example of a config file:
.Bd -literal -offset indent
[kdc]
    require-preauth = no
    v4-realm = FOO.SE
    key-file = /key-file
.Ed
.Sh SEE ALSO
.Xr kinit 1
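.Sh EXAMPLES
The following audit script is an added example, not part of the original
manual page or of Heimdal. It parses the kdc section of a configuration file
and reports the settings that DESCRIPTION ties to missing pre-authentication,
plus the HTTP listener. The sample file, the accepted spellings of a false
value and the comment characters are assumptions; nested brace bindings are
not handled.

```python
# Added example: audit the [kdc] section of a kdc.conf / krb5.conf style file.
# SAMPLE is constructed; its [kdc] part mirrors the example config on this page.
# Assumptions: flat "key = value" lines, comment lines start with '#' or ';'.
SAMPLE = """[libdefaults]
    default_realm = FOO.SE
[kdc]
    require-preauth = no
    v4-realm = FOO.SE
    key-file = /key-file
"""

FALSE_WORDS = {"no", "false", "0", "off"}  # assumed spellings of a false value


def parse_kdc_section(text):
    """Return the key/value pairs found in the [kdc] section."""
    options, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "kdc" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            options[key.lower()] = value
    return options


def audit(text):
    """List [kdc] settings that remove pre-authentication or add a listener."""
    opts, findings = parse_kdc_section(text), []
    if opts.get("require-preauth", "yes").lower() in FALSE_WORDS:
        findings.append("require-preauth is off: initial AS-REQs need no "
                        "pre-authentication, easing offline password attacks")
    if "v4-realm" in opts:
        findings.append("v4-realm is set: version 4 has no pre-authentication, "
                        "about the same as not requiring it")
    if opts.get("enable-http", "no").lower() not in FALSE_WORDS:
        findings.append("enable-http is on: the kdc also listens on port 80")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("WARN:", finding)
```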