
KDC(8)                   UNIX System Manager's Manual                   KDC(8)

NNAAMMEE
     kkddcc - Kerberos 5 server

SSYYNNOOPPSSIISS
     kkddcc [--cc _f_i_l_e | ----ccoonnffiigg--ffiillee==_f_i_l_e] [--pp | ----nnoo--rreeqquuiirree--pprreeaauutthh]
     [----mmaaxx--rreeqquueesstt==_s_i_z_e] [--HH | ----eennaabbllee--hhttttpp] [--rr _s_t_r_i_n_g | ----vv44--rreeaallmm==_s_t_r_i_n_g]
     [--KK | ----nnoo--kkaasseerrvveerr] [--rr _r_e_a_l_m] [----vv44--rreeaallmm==_r_e_a_l_m] [--PP _s_t_r_i_n_g |
     ----ppoorrttss==_s_t_r_i_n_g] [----aaddddrreesssseess==_l_i_s_t _o_f _a_d_d_r_e_s_s_e_s]

DDEESSCCRRIIPPTTIIOONN
     kkddcc serves requests for tickets. When it starts, it first checks the
     flags passed, any options that are not specified with a command line flag
     is taken from a config file, or from a default compiled-in value.

     Options supported:

     --cc _f_i_l_e

     ----ccoonnffiigg--ffiillee==_f_i_l_e
             Specifies the location of the config file, the default is
             _/_v_a_r_/_h_e_i_m_d_a_l_/_k_d_c_._c_o_n_f. This is the only value that can't be spec-
             ified in the config file.

     --pp

     ----nnoo--rreeqquuiirree--pprreeaauutthh
             Turn off the requirement for pre-autentication in the initial AS-
             REQ for all principals. The use of pre-authentication makes it
             more difficult to do offline password attacks. You might want to
             turn it off if you have clients that doesn't do pre-authentica-
             tion. Since the version 4 protocol doesn't support any pre-au-
             thentication, so serving version 4 clients is just about the same
             as not requiring pre-athentication. The default is to require
             pre-authentication. Adding the require-preauth per principal is a
             more flexible way of handling this.

     ----mmaaxx--rreeqquueesstt==_s_i_z_e
             Gives an upper limit on the size of the requests that the kdc is
             willing to handle.

     --HH, ----eennaabbllee--hhttttpp
             Makes the kdc listen on port 80 and handle requests encapsulated
             in HTTP.

     --KK, ----nnoo--kkaasseerrvveerr
             Disables kaserver emulation (in case it's compiled in).

     --rr _r_e_a_l_m

     ----vv44--rreeaallmm==_r_e_a_l_m
             What realm this server should act as when dealing with version 4
             requests. The database can contain any number of realms, but
             since the version 4 protocol doesn't contain a realm for the
             server, it must be explicitly specified. The default is whatever
             is returned by kkrrbb__ggeett__llrreeaallmm().  This option is only availabe if
             the KDC has been compiled with version 4 support.

     --PP _s_t_r_i_n_g, ----ppoorrttss==_s_t_r_i_n_g
             Specifies the set of ports the KDC should listen on.  It is given
             as a white-space separated list of services or port numbers.

     ----aaddddrreesssseess==_l_i_s_t _o_f _a_d_d_r_e_s_s_e_s
             The list of addresses to listen for requests on.  By default, the
             kdc will listen on all the locally configured addresses.  If only
             a subset is desired, or the automatic detection fails, this op-
             tion might be used.

     All activities , are logged to one or more destinations, see
     krb5.conf(5),  and krb5_openlog(3).  The entity used for logging is kkddcc.

CCOONNFFIIGGUURRAATTIIOONN FFIILLEE
     The configuration file has the same syntax as the _k_r_b_5_._c_o_n_f file (you can
     actually put the configuration in _/_e_t_c_/_k_r_b_5_._c_o_n_f, and then start the KDC
     with ----ccoonnffiigg--ffiillee==_/_e_t_c_/_k_r_b_5_._c_o_n_f). All options should be in a section
     called ``kdc''. All the command-line options can preferably be added in
     the configuration file.  The only difference is the pre-authentication
     flag, that has to be specified as:

           require-preauth = no

     (in fact you can specify the option as ----rreeqquuiirree--pprreeaauutthh==nnoo).

     And there are some configuration options which do not have command-line
     equivalents:

           check-ticket-addresses = _b_o_o_l_e_a_n
                Check the addresses in the ticket when processing TGS re-
                quests.  The default is FALSE.

           allow-null-ticket-addresses = _b_o_o_l_e_a_n
                Permit tickets with no addresses.  This option is only rele-
                vant when check-ticket-addresses is TRUE.

           allow-anonymous = _b_o_o_l_e_a_n
                Permit anonymous tickets with no addresses.

           encode_as_rep_as_tgs_rep = _b_o_o_l_e_a_n
                Encode AS-Rep as TGS-Rep to be bug-compatible with old DCE
                code.  The Heimdal clients allow both.

           kdc_warn_pwexpire = _t_i_m_e
                How long before password/principal expiration the KDC should
                start sending out warning messages.

     An example of a config file:

           [kdc]
                   require-preauth = no
                   v4-realm = FOO.SE
                   key-file = /key-file

SSEEEE AALLSSOO
     kinit(1)

 HEIMDAL                         July 27, 1997                               2