1.\" $NetBSD: kdc.8,v 1.3 2011/04/28 14:16:40 wiz Exp $ 2.\" 3.\" Copyright (c) 2003 - 2004 Kungliga Tekniska Högskolan 4.\" (Royal Institute of Technology, Stockholm, Sweden). 5.\" All rights reserved. 6.\" 7.\" Redistribution and use in source and binary forms, with or without 8.\" modification, are permitted provided that the following conditions 9.\" are met: 10.\" 11.\" 1. Redistributions of source code must retain the above copyright 12.\" notice, this list of conditions and the following disclaimer. 13.\" 14.\" 2. Redistributions in binary form must reproduce the above copyright 15.\" notice, this list of conditions and the following disclaimer in the 16.\" documentation and/or other materials provided with the distribution. 17.\" 18.\" 3. Neither the name of the Institute nor the names of its contributors 19.\" may be used to endorse or promote products derived from this software 20.\" without specific prior written permission. 21.\" 22.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 23.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 24.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 25.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 26.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 27.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 28.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 29.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 30.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 31.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 32.\" SUCH DAMAGE. 33.\" 34.\" Id 35.\" 36.Dd August 24, 2006 37.Dt KDC 8 38.Os 39.Sh NAME 40.Nm kdc 41.Nd Kerberos 5 server 42.Sh SYNOPSIS 43.Nm 44.Bk -words 45.Oo Fl c Ar file \*(Ba Xo 46.Fl -config-file= Ns Ar file 47.Xc 48.Oc 49.Op Fl p | Fl -no-require-preauth 50.Op Fl -max-request= Ns Ar size 51.Op Fl H | Fl -enable-http 52.Op Fl -no-524 53.Op Fl -kerberos4 54.Op Fl -kerberos4-cross-realm 55.Oo Fl r Ar string \*(Ba Xo 56.Fl -v4-realm= Ns Ar string 57.Xc 58.Oc 59.Op Fl K | Fl -kaserver 60.Oo Fl P Ar portspec \*(Ba Xo 61.Fl -ports= Ns Ar portspec 62.Xc 63.Oc 64.Op Fl -detach 65.Op Fl -disable-des 66.Op Fl -addresses= Ns Ar list of addresses 67.Ek 68.Sh DESCRIPTION 69.Nm 70serves requests for tickets. 71When it starts, it first checks the flags passed, any options that are 72not specified with a command line flag are taken from a config file, 73or from a default compiled-in value. 74.Pp 75Options supported: 76.Bl -tag -width Ds 77.It Fl c Ar file , Fl -config-file= Ns Ar file 78Specifies the location of the config file, the default is 79.Pa /var/heimdal/kdc.conf . 80This is the only value that can't be specified in the config file. 81.It Fl p , Fl -no-require-preauth 82Turn off the requirement for pre-autentication in the initial AS-REQ 83for all principals. 84The use of pre-authentication makes it more difficult to do offline 85password attacks. 86You might want to turn it off if you have clients 87that don't support pre-authentication. 88Since the version 4 protocol doesn't support any pre-authentication, 89serving version 4 clients is just about the same as not requiring 90pre-athentication. 91The default is to require pre-authentication. 92Adding the require-preauth per principal is a more flexible way of 93handling this. 94.It Fl -max-request= Ns Ar size 95Gives an upper limit on the size of the requests that the kdc is 96willing to handle. 97.It Fl H , Fl -enable-http 98Makes the kdc listen on port 80 and handle requests encapsulated in HTTP. 99.It Fl -no-524 100don't respond to 524 requests 101.It Fl -kerberos4 102respond to Kerberos 4 requests 103.It Fl -kerberos4-cross-realm 104respond to Kerberos 4 requests from foreign realms. 105This is a known security hole and should not be enabled unless you 106understand the consequences and are willing to live with them. 107.It Fl r Ar string , Fl -v4-realm= Ns Ar string 108What realm this server should act as when dealing with version 4 109requests. 110The database can contain any number of realms, but since the version 4 111protocol doesn't contain a realm for the server, it must be explicitly 112specified. 113The default is whatever is returned by 114.Fn krb_get_lrealm . 115This option is only available if the KDC has been compiled with version 1164 support. 117.It Fl K , Fl -kaserver 118Enable kaserver emulation (in case it's compiled in). 119.It Fl P Ar portspec , Fl -ports= Ns Ar portspec 120Specifies the set of ports the KDC should listen on. 121It is given as a 122white-space separated list of services or port numbers. 123.It Fl -addresses= Ns Ar list of addresses 124The list of addresses to listen for requests on. 125By default, the kdc will listen on all the locally configured 126addresses. 127If only a subset is desired, or the automatic detection fails, this 128option might be used. 129.It Fl -detach 130detach from pty and run as a daemon. 131.It Fl -disable-des 132disable add des encryption types, makes the kdc not use them. 133.El 134.Pp 135All activities are logged to one or more destinations, see 136.Xr krb5.conf 5 , 137and 138.Xr krb5_openlog 3 . 139The entity used for logging is 140.Nm kdc . 141.Sh CONFIGURATION FILE 142The configuration file has the same syntax as 143.Xr krb5.conf 5 , 144but will be read before 145.Pa /etc/krb5.conf , 146so it may override settings found there. 147Options specific to the KDC only are found in the 148.Dq [kdc] 149section. 150All the command-line options can preferably be added in the 151configuration file. 152The only difference is the pre-authentication flag, which has to be 153specified as: 154.Pp 155.Dl require-preauth = no 156.Pp 157(in fact you can specify the option as 158.Fl -require-preauth=no ) . 159.Pp 160And there are some configuration options which do not have 161command-line equivalents: 162.Bl -tag -width "xxx" -offset indent 163.It Li enable-digest = Va boolean 164turn on support for digest processing in the KDC. 165The default is FALSE. 166.It Li check-ticket-addresses = Va boolean 167Check the addresses in the ticket when processing TGS requests. 168The default is TRUE. 169.It Li allow-null-ticket-addresses = Va boolean 170Permit tickets with no addresses. 171This option is only relevant when check-ticket-addresses is TRUE. 172.It Li allow-anonymous = Va boolean 173Permit anonymous tickets with no addresses. 174.It Li max-kdc-datagram-reply-length = Va number 175Maximum packet size the UDP rely that the KDC will transmit, instead 176the KDC sends back a reply telling the client to use TCP instead. 177.It Li transited-policy = Li always-check \*(Ba \ 178Li allow-per-principal | Li always-honour-request 179This controls how KDC requests with the 180.Li disable-transited-check 181flag are handled. It can be one of: 182.Bl -tag -width "xxx" -offset indent 183.It Li always-check 184Always check transited encoding, this is the default. 185.It Li allow-per-principal 186Currently this is identical to 187.Li always-check . 188In a future release, it will be possible to mark a principal as able 189to handle unchecked requests. 190.It Li always-honour-request 191Always do what the client asked. 192In a future release, it will be possible to force a check per 193principal. 194.El 195.It encode_as_rep_as_tgs_rep = Va boolean 196Encode AS-Rep as TGS-Rep to be bug-compatible with old DCE code. 197The Heimdal clients allow both. 198.It kdc_warn_pwexpire = Va time 199How long before password/principal expiration the KDC should start 200sending out warning messages. 201.El 202.Pp 203The configuration file is only read when the 204.Nm 205is started. 206If changes made to the configuration file are to take effect, the 207.Nm 208needs to be restarted. 209.Pp 210An example of a config file: 211.Bd -literal -offset indent 212[kdc] 213 require-preauth = no 214 v4-realm = FOO.SE 215.Ed 216.Sh BUGS 217If the machine running the KDC has new addresses added to it, the KDC 218will have to be restarted to listen to them. 219The reason it doesn't just listen to wildcarded (like INADDR_ANY) 220addresses, is that the replies has to come from the same address they 221were sent to, and most OS:es doesn't pass this information to the 222application. 223If your normal mode of operation require that you add and remove 224addresses, the best option is probably to listen to a wildcarded TCP 225socket, and make sure your clients use TCP to connect. 226For instance, this will listen to IPv4 TCP port 88 only: 227.Bd -literal -offset indent 228kdc --addresses=0.0.0.0 --ports="88/tcp" 229.Ed 230.Pp 231There should be a way to specify protocol, port, and address triplets, 232not just addresses and protocol, port tuples. 233.Sh SEE ALSO 234.Xr kinit 1 , 235.Xr krb5.conf 5 236