1.\" $NetBSD: kdc.8,v 1.6 2023/06/19 21:41:41 christos Exp $ 2.\" 3.\" Copyright (c) 2003 - 2004 Kungliga Tekniska Högskolan 4.\" (Royal Institute of Technology, Stockholm, Sweden). 5.\" All rights reserved. 6.\" 7.\" Redistribution and use in source and binary forms, with or without 8.\" modification, are permitted provided that the following conditions 9.\" are met: 10.\" 11.\" 1. Redistributions of source code must retain the above copyright 12.\" notice, this list of conditions and the following disclaimer. 13.\" 14.\" 2. Redistributions in binary form must reproduce the above copyright 15.\" notice, this list of conditions and the following disclaimer in the 16.\" documentation and/or other materials provided with the distribution. 17.\" 18.\" 3. Neither the name of the Institute nor the names of its contributors 19.\" may be used to endorse or promote products derived from this software 20.\" without specific prior written permission. 21.\" 22.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 23.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 24.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 25.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 26.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 27.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 28.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 29.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 30.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 31.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 32.\" SUCH DAMAGE. 33.\" 34.\" Id 35.\" 36.Dd August 24, 2006 37.Dt KDC 8 38.Os 39.Sh NAME 40.Nm kdc 41.Nd Kerberos 5 server 42.Sh SYNOPSIS 43.Nm 44.Bk -words 45.Oo Fl c Ar file \*(Ba Xo 46.Fl Fl config-file= Ns Ar file 47.Xc 48.Oc 49.Op Fl p | Fl Fl no-require-preauth 50.Op Fl Fl max-request= Ns Ar size 51.Op Fl H | Fl Fl enable-http 52.Oo Fl r Ar string \*(Ba Xo 53.Fl Fl v4-realm= Ns Ar string 54.Xc 55.Oc 56.Oo Fl P Ar portspec \*(Ba Xo 57.Fl Fl ports= Ns Ar portspec 58.Xc 59.Oc 60.Op Fl Fl detach 61.Op Fl Fl disable-des 62.Op Fl Fl addresses= Ns Ar list of addresses 63.Ek 64.Sh DESCRIPTION 65.Nm 66serves requests for tickets. 67When it starts, it first checks the flags passed, any options that are 68not specified with a command line flag are taken from a config file, 69or from a default compiled-in value. 70.Pp 71Options supported: 72.Bl -tag -width Ds 73.It Fl c Ar file , Fl Fl config-file= Ns Ar file 74Specifies the location of the config file, the default is 75.Pa /var/heimdal/kdc.conf . 76This is the only value that can't be specified in the config file. 77.It Fl p , Fl Fl no-require-preauth 78Turn off the requirement for pre-autentication in the initial AS-REQ 79for all principals. 80The use of pre-authentication makes it more difficult to do offline 81password attacks. 82You might want to turn it off if you have clients 83that don't support pre-authentication. 84Since the version 4 protocol doesn't support any pre-authentication, 85serving version 4 clients is just about the same as not requiring 86pre-athentication. 87The default is to require pre-authentication. 88Adding the require-preauth per principal is a more flexible way of 89handling this. 90.It Fl Fl max-request= Ns Ar size 91Gives an upper limit on the size of the requests that the kdc is 92willing to handle. 93.It Fl H , Fl Fl enable-http 94Makes the kdc listen on port 80 and handle requests encapsulated in HTTP. 95.It Fl r Ar string , Fl Fl v4-realm= Ns Ar string 96What realm this server should act as when dealing with version 4 97requests. 98The database can contain any number of realms, but since the version 4 99protocol doesn't contain a realm for the server, it must be explicitly 100specified. 101The default is whatever is returned by 102.Fn krb_get_lrealm . 103This option is only available if the KDC has been compiled with version 1044 support. 105.It Fl P Ar portspec , Fl Fl ports= Ns Ar portspec 106Specifies the set of ports the KDC should listen on. 107It is given as a 108white-space separated list of services or port numbers. 109.It Fl Fl addresses= Ns Ar list of addresses 110The list of addresses to listen for requests on. 111By default, the kdc will listen on all the locally configured 112addresses. 113If only a subset is desired, or the automatic detection fails, this 114option might be used. 115.It Fl Fl detach 116detach from pty and run as a daemon. 117.It Fl Fl disable-des 118disable all des encryption types, makes the kdc not use them. 119.El 120.Pp 121All activities are logged to one or more destinations, see 122.Xr krb5.conf 5 , 123and 124.Xr krb5_openlog 3 . 125The entity used for logging is 126.Nm kdc . 127.Sh CONFIGURATION FILE 128The configuration file has the same syntax as 129.Xr krb5.conf 5 , 130but will be read before 131.Pa /etc/krb5.conf , 132so it may override settings found there. 133Options specific to the KDC only are found in the 134.Dq [kdc] 135section. 136All the command-line options can preferably be added in the 137configuration file. 138The only difference is the pre-authentication flag, which has to be 139specified as: 140.Pp 141.Dl require-preauth = no 142.Pp 143(in fact you can specify the option as 144.Fl Fl require-preauth=no ) . 145.Pp 146And there are some configuration options which do not have 147command-line equivalents: 148.Bl -tag -width "xxx" -offset indent 149.It Li enable-digest = Va boolean 150turn on support for digest processing in the KDC. 151The default is FALSE. 152.It Li check-ticket-addresses = Va boolean 153Check the addresses in the ticket when processing TGS requests. 154The default is TRUE. 155.It Li allow-null-ticket-addresses = Va boolean 156Permit tickets with no addresses. 157This option is only relevant when check-ticket-addresses is TRUE. 158.It Li allow-anonymous = Va boolean 159Permit anonymous tickets with no addresses. 160.It Li historical_anon_realm = Va boolean 161Enables pre-7.0 non-RFC-comformant KDC behavior. 162With this option set to 163.Li true 164the client realm in anonymous pkinit AS replies will be the requested realm, 165rather than the RFC-conformant 166.Li WELLKNOWN:ANONYMOUS 167realm. 168This can have a security impact on servers that expect to grant access to 169anonymous-but-authenticated to the KDC users of the realm in question: 170they would also grant access to unauthenticated anonymous users. 171As such, it is not recommend to set this option to 172.Li true. 173.It Li max-kdc-datagram-reply-length = Va number 174Maximum packet size the UDP rely that the KDC will transmit, instead 175the KDC sends back a reply telling the client to use TCP instead. 176.It Li transited-policy = Li always-check \*(Ba \ 177Li allow-per-principal | Li always-honour-request 178This controls how KDC requests with the 179.Li disable-transited-check 180flag are handled. It can be one of: 181.Bl -tag -width "xxx" -offset indent 182.It Li always-check 183Always check transited encoding, this is the default. 184.It Li allow-per-principal 185Currently this is identical to 186.Li always-check . 187In a future release, it will be possible to mark a principal as able 188to handle unchecked requests. 189.It Li always-honour-request 190Always do what the client asked. 191In a future release, it will be possible to force a check per 192principal. 193.El 194.It encode_as_rep_as_tgs_rep = Va boolean 195Encode AS-Rep as TGS-Rep to be bug-compatible with old DCE code. 196The Heimdal clients allow both. 197.It kdc_warn_pwexpire = Va time 198How long before password/principal expiration the KDC should start 199sending out warning messages. 200.El 201.Pp 202The configuration file is only read when the 203.Nm 204is started. 205If changes made to the configuration file are to take effect, the 206.Nm 207needs to be restarted. 208.Pp 209An example of a config file: 210.Bd -literal -offset indent 211[kdc] 212 require-preauth = no 213 v4-realm = FOO.SE 214.Ed 215.Sh BUGS 216If the machine running the KDC has new addresses added to it, the KDC 217will have to be restarted to listen to them. 218The reason it doesn't just listen to wildcarded (like INADDR_ANY) 219addresses, is that the replies has to come from the same address they 220were sent to, and most OS:es doesn't pass this information to the 221application. 222If your normal mode of operation require that you add and remove 223addresses, the best option is probably to listen to a wildcarded TCP 224socket, and make sure your clients use TCP to connect. 225For instance, this will listen to IPv4 TCP port 88 only: 226.Bd -literal -offset indent 227kdc --addresses=0.0.0.0 --ports="88/tcp" 228.Ed 229.Pp 230There should be a way to specify protocol, port, and address triplets, 231not just addresses and protocol, port tuples. 232.Sh SEE ALSO 233.Xr kinit 1 , 234.Xr krb5.conf 5 235