


NAME

     kdc - Kerberos 5 server

SYNOPSIS

     kdc [-c file | --config-file=file] [-p |
         [--max-request=size] [-H | --enable-http] [--no-524]
         [--kerberos4-cross-realm] [-r string |
         [-K | --kaserver] [-P portspec | --ports=portspec]
         [--addresses=list of addresses]

DESCRIPTION

     kdc serves requests for tickets.  When it starts, it first checks the
     flags passed, any options that are not specified with a command line flag
     are taken from a config file, or from a default compiled-in

     Options supported:

     -c file, --config-file=file
             Specifies the location of the config file, the default is
             /var/heimdal/kdc.conf.  This is the only value that can't be
             specified in the config file.

     -p, --no-require-preauth
             Turn off the requirement for pre-authentication in the initial
             AS-REQ for all principals.  The use of pre-authentication makes it
             more difficult to do offline password attacks.  You might want to
             turn it off if you have clients that don't support
             Since the version 4 protocol doesn't support any
             pre-authentication, serving version 4 clients is just about the
             same as not requiring pre-authentication.  The default is to
             require pre-authentication.  Adding the require-preauth per
             principal is a more flexible way of handling this.

             Gives an upper limit on the size of the requests that the kdc is
             willing to handle.

             respond to kerberos 4 requests from foreign realms.  This is a
             known security hole and should not be enabled unless you
             understand the consequences and are willing to live with

     -H, --enable-http
             Makes the kdc listen on port 80 and handle requests in HTTP.

             don't respond to 524 requests

             respond to Kerberos 4 requests

             respond to Kerberos 4 requests from foreign realms.  This is a
             known security hole and should not be enabled unless you
             understand the consequences and are willing to live with

     -r string, --v4-realm=string
             What realm this server should act as when dealing with version 4
             requests.  The database can contain any number of realms, but
             since the version 4 protocol doesn't contain a realm for the
             server, it must be explicitly specified.  The default is whatever
             is returned by krb_get_lrealm().  This option is only available if
             the KDC has been compiled with version 4 support.

     -K, --kaserver
             Enable kaserver emulation (in case it's compiled

     -P portspec, --ports=portspec
             Specifies the set of ports the KDC should listen on.  It is given
             as a white-space separated list of services or port

     --addresses=list of addresses
             The list of addresses to listen for requests on.  By default, the
             kdc will listen on all the locally configured addresses.  If only
             a subset is desired, or the automatic detection fails, this
             option might be used.

     All activities are logged to one or more destinations, see
     and krb5_openlog(3).  The entity used for logging is kdc.


     The configuration file has the same syntax as krb5.conf(5), but will be
     read before /etc/kerberosV/krb5.conf, so it may override settings found
     there.  Options specific to the KDC only are found in the ``[kdc]''
     section.  All the command-line options can preferably be added in the
     configuration file.  The only difference is the pre-authentication flag,
     which has to be specified as:

           require-preauth = no

     (in fact you can specify the option as

     And there are some configuration options which do not have

           check-ticket-addresses = boolean
                Check the addresses in the ticket when processing TGS
                requests.  The default is FALSE.

           allow-null-ticket-addresses = boolean
                Permit tickets with no addresses.  This option is only
                relevant when check-ticket-addresses is TRUE.

           allow-anonymous = boolean
                Permit anonymous tickets with no addresses.

           transited-policy = always-check | allow-per-principal | always-honour-request

                This controls how KDC requests with the
                disable-transited-check flag are handled.  It can be one of:

                           Always check transited encoding, this is the
                           default.

                           Currently this is identical to always-check.  In a
                           future release, it will be possible to mark a
                           principal as able to handle unchecked requests.

                           Always do what the client asked.  In a future
                           release, it will be possible to force a check per

           encode_as_rep_as_tgs_rep = boolean
                Encode AS-Rep as TGS-Rep to be bug-compatible with old DCE
                code.  The Heimdal clients allow both.

           kdc_warn_pwexpire = time
                How long before password/principal expiration the KDC should
                start sending out warning messages.

     The configuration file is only read when the kdc is started.  If changes
     made to the configuration file are to take effect, the kdc needs to be

     An example of a config file:

           [kdc]
                   require-preauth = no
                   v4-realm = FOO.SE
                   key-file = /key-file
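
     An added example, not part of the Heimdal manual page: a Python check
     that reads the ``[kdc]'' section of a configuration file and reports the
     settings described above that weaken the KDC.  It assumes flat
     key = value lines and that yes/true/1 mean true; the function names and
     the sample file are constructed for illustration.

```python
import re

TRUE_WORDS = {"yes", "true", "1"}  # assumption: spellings accepted as boolean true

def parse_kdc_section(text):
    """Collect flat 'key = value' lines from the [kdc] section only."""
    section, settings = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip()
        elif section == "kdc" and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def is_true(settings, key, default=False):
    """Boolean value of a key; absent keys fall back to the given default."""
    value = settings.get(key)
    return default if value is None else value.lower() in TRUE_WORDS

def audit(text):
    """Return (key, message) findings for settings that are explicitly weakened."""
    s = parse_kdc_section(text)
    findings = []
    if not is_true(s, "require-preauth", default=True):
        findings.append(("require-preauth", "pre-authentication disabled for all principals"))
    if is_true(s, "allow-anonymous"):
        findings.append(("allow-anonymous", "anonymous tickets permitted"))
    if s.get("transited-policy", "always-check") == "always-honour-request":
        findings.append(("transited-policy", "clients may switch off the transited check"))
    if is_true(s, "check-ticket-addresses") and is_true(s, "allow-null-ticket-addresses"):
        findings.append(("allow-null-ticket-addresses", "address check on, but address-less tickets pass"))
    return findings

# Constructed sample: the page's example file plus one extra setting.
SAMPLE = """[kdc]
    require-preauth = no
    v4-realm = FOO.SE
    key-file = /key-file
    transited-policy = always-honour-request
"""

if __name__ == "__main__":
    for key, message in audit(SAMPLE):
        print(f"{key}: {message}")
```

     Only keys set explicitly in the file are reported; defaults this page
     does not state are not assumed.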

BUGS

     If the machine running the KDC has new addresses added to it, the KDC
     will have to be restarted to listen to them.  The reason it doesn't just
     listen to wildcarded (like INADDR_ANY) addresses is that the replies
     have to come from the same address they were sent to, and most OSes
     don't pass this information to the application.  If your normal mode of
     operation requires that you add and remove addresses, the best option is
     probably to listen to a wildcarded TCP socket, and make sure your
     clients use TCP to connect.  For instance, this will listen to IPv4 TCP
     port 88 only:

           kdc --addresses=0.0.0.0 --ports="88/tcp"

     There should be a way to specify protocol, port, and address
     not just addresses and protocol, port tuples.

SEE ALSO

     kinit(1), krb5.conf(5)

     HEIMDAL                        October 22, 2003