FreeBSD Manual Pages
KDC(8)			  BSD System Manager's Manual			KDC(8)

NAME
     kdc -- Kerberos 5 server

SYNOPSIS
     kdc [-c file | --config-file=file] [-p | --no-require-preauth]
         [--max-request=size] [-H | --enable-http] [-r string |
         --v4-realm=string] [-K | --no-kaserver] [-r realm] [--v4-realm=realm]
         [-P string | --ports=string] [--addresses=list of addresses]

DESCRIPTION
     kdc serves requests for tickets. When it starts, it first checks the
     flags passed; any option that is not specified with a command-line flag
     is taken from the config file, or from a default compiled-in value.

     Options supported:

     -c	file, --config-file=file
	     Specifies the location of the config file,	the default is
	     /var/heimdal/kdc.conf.  This is the only value that can't be
	     specified in the config file.

     -p, --no-require-preauth
             Turn off the requirement for pre-authentication in the initial
             AS-REQ for all principals. The use of pre-authentication makes
             it more difficult to do offline password attacks. You might want
             to turn it off if you have clients that don't do
             pre-authentication. Since the version 4 protocol doesn't support
             any pre-authentication, serving version 4 clients is just about
             the same as not requiring pre-authentication. The default is to
             require pre-authentication. Setting require-preauth per
             principal is a more flexible way of handling this.

     --max-request=size
             Gives an upper limit on the size of the requests that the kdc is
             willing to handle.

     -H, --enable-http
	     Makes the kdc listen on port 80 and handle	requests encapsulated
	     in	HTTP.

     -K, --no-kaserver
	     Disables kaserver emulation (in case it's compiled	in).

     -r	realm, --v4-realm=realm
	     What realm	this server should act as when dealing with version 4
	     requests. The database can	contain	any number of realms, but
	     since the version 4 protocol doesn't contain a realm for the
	     server, it	must be	explicitly specified. The default is whatever
             is returned by krb_get_lrealm().  This option is only available
             if the KDC has been compiled with version 4 support.

     -P	string,	--ports=string
	     Specifies the set of ports	the KDC	should listen on.  It is given
	     as	a white-space separated	list of	services or port numbers.

     --addresses=list of addresses
	     The list of addresses to listen for requests on.  By default, the
	     kdc will listen on	all the	locally	configured addresses.  If only
	     a subset is desired, or the automatic detection fails, this op-
	     tion might	be used.

     All activities are logged to one or more destinations; see krb5.conf(5)
     and krb5_openlog(3).  The entity used for logging is kdc.

     The configuration file has the same syntax as krb5.conf(5), but is read
     before /etc/krb5.conf, so it may override settings found there. Options
     specific to the KDC are found in the "[kdc]" section.  All the
     command-line options can also be set in the configuration file.  The
     only difference is the pre-authentication flag, which has to be
     specified as:

	   require-preauth = no

     (in fact you can specify the option as --require-preauth=no).

     And there are some	configuration options which do not have	command-line

	   check-ticket-addresses = boolean
		Check the addresses in the ticket when processing TGS re-
		quests.	 The default is	FALSE.

	   allow-null-ticket-addresses = boolean
		Permit tickets with no addresses.  This	option is only rele-
		vant when check-ticket-addresses is TRUE.

	   allow-anonymous = boolean
		Permit anonymous tickets with no addresses.

	   encode_as_rep_as_tgs_rep = boolean
		Encode AS-Rep as TGS-Rep to be bug-compatible with old DCE
		code.  The Heimdal clients allow both.

	   kdc_warn_pwexpire = time
		How long before	password/principal expiration the KDC should
		start sending out warning messages.

     An	example	of a config file:

		   require-preauth = no
		   v4-realm = FOO.SE
		   key-file = /key-file

     If the machine running the KDC has new addresses added to it, the KDC
     will have to be restarted to listen on them. The reason it doesn't just
     listen on wildcarded (like INADDR_ANY) addresses is that the replies
     have to come from the same address they were sent to, and most
     operating systems don't pass this information to the application. If
     your normal mode of operation requires that you add and remove
     addresses, the best option is probably to listen on a wildcarded TCP
     socket and make sure your clients use TCP to connect. For instance,
     this will listen on IPv4 TCP port 88 only:

	   kdc --addresses= --ports="88/tcp"
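     As an added example (not part of this manual or of Heimdal's own code),
     the following Python script reads the "[kdc]" section of a config file
     in the format described above, expands a ports value such as "88/tcp"
     into (port, protocol) pairs, and flags the settings this page warns
     about (require-preauth off, ticket addresses unchecked). The minimal
     parser, the boolean parsing rules and the treatment of an untagged port
     entry as both tcp and udp are assumptions; the sample config is
     constructed.

```python
import re
# Constructed sample kdc.conf using directives this manual page documents.
SAMPLE_KDC_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.ORG
[kdc]
    require-preauth = no
    check-ticket-addresses = false
    allow-null-ticket-addresses = true
    ports = 88/tcp 750/udp 88
"""
def parse_kdc_section(text):
    """Top-level key = value pairs of the [kdc] section.  Minimal krb5.conf-style
    parser (an assumption): '#'/';' comment lines, nested { } blocks not handled."""
    settings, in_kdc = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(\S+)\]$", line)
        if m:
            in_kdc = m.group(1) == "kdc"
        elif in_kdc and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def kdc_bool(value):
    """Heimdal-style boolean: yes/true or a nonzero integer (assumption)."""
    return value.lower() in ("yes", "true") or (value.isdigit() and int(value) != 0)

def parse_ports(spec):
    """(port, protocol) pairs from a 'ports' value; untagged entries assumed tcp+udp."""
    pairs = []
    for entry in spec.split():
        port, _, proto = entry.partition("/")
        pairs += [(port, proto)] if proto else [(port, "tcp"), (port, "udp")]
    return pairs

def audit(settings):
    """Flag [kdc] settings that weaken the checks the manual describes;
    defaults are the ones the manual states (preauth required, no address check)."""
    findings = []
    if not kdc_bool(settings.get("require-preauth", "yes")):
        findings.append("require-preauth = no: eases offline password attacks")
    if not kdc_bool(settings.get("check-ticket-addresses", "no")):
        findings.append("check-ticket-addresses off: ticket addresses unchecked")
    elif kdc_bool(settings.get("allow-null-ticket-addresses", "no")):
        findings.append("allow-null-ticket-addresses = yes: addressless tickets allowed")
    return findings
```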

BUGS
     There should be a way to specify protocol, port, and address triplets,
     not just addresses and protocol, port tuples.

SEE ALSO
     kinit(1), krb5.conf(5)

HEIMDAL				August 22, 2002			       HEIMDAL

