KDC(8) | System Manager's Manual | KDC(8) |
kdc
— Kerberos 5
server
kdc |
[-c
file | --config-file= file]
[-p | --no-require-preauth ]
[--max-request= size]
[-H | --enable-http ]
[--no-524 ] [--kerberos4 ]
[--kerberos4-cross-realm ]
[-r string | --v4-realm= string]
[-K | --kaserver ]
[-P portspec | --ports= portspec]
[--detach ] [--disable-des ]
[--addresses= list of addresses] |
kdc
serves requests for tickets. When it
starts, it first checks the flags passed, any options that are not specified
with a command line flag are taken from a config file, or from a default
compiled-in value.
Options supported:
-c
file,
--config-file=
file-p
,
--no-require-preauth
--max-request=
size-H
,
--enable-http
--no-524
--kerberos4
--kerberos4-cross-realm
-r
string,
--v4-realm=
stringkrb_get_lrealm
().
This option is only available if the KDC has been compiled with version 4
support.-K
,
--kaserver
-P
portspec,
--ports=
portspec--addresses=
list
of addresses--detach
--disable-des
All activities are logged to one or more destinations, see
krb5.conf(5), and krb5_openlog(3). The
entity used for logging is kdc
.
The configuration file has the same syntax as krb5.conf(5), but will be read before /etc/krb5.conf, so it may override settings found there. Options specific to the KDC only are found in the “[kdc]” section. All the command-line options can preferably be added in the configuration file. The only difference is the pre-authentication flag, which has to be specified as:
require-preauth = no
(in fact you can specify the option as
--require-preauth=no
).
And there are some configuration options which do not have command-line equivalents:
enable-digest
=
booleancheck-ticket-addresses
=
booleanallow-null-ticket-addresses
=
booleanallow-anonymous
=
booleanmax-kdc-datagram-reply-length
=
numbertransited-policy
=
always-check
|
allow-per-principal
|
always-honour-request
disable-transited-check
flag are handled. It can
be one of:
always-check
allow-per-principal
always-check
.
In a future release, it will be possible to mark a principal as able
to handle unchecked requests.always-honour-request
The configuration file is only read when the
kdc
is started. If changes made to the configuration
file are to take effect, the kdc
needs to be
restarted.
An example of a config file:
[kdc] require-preauth = no v4-realm = FOO.SE
If the machine running the KDC has new addresses added to it, the KDC will have to be restarted to listen to them. The reason it doesn't just listen to wildcarded (like INADDR_ANY) addresses, is that the replies has to come from the same address they were sent to, and most OS:es doesn't pass this information to the application. If your normal mode of operation require that you add and remove addresses, the best option is probably to listen to a wildcarded TCP socket, and make sure your clients use TCP to connect. For instance, this will listen to IPv4 TCP port 88 only:
kdc --addresses=0.0.0.0 --ports="88/tcp"
There should be a way to specify protocol, port, and address triplets, not just addresses and protocol, port tuples.
August 24, 2006 | HEIMDAL |