KDC(8)                  NetBSD System Manager's Manual                  KDC(8)

     kdc - Kerberos 5 server

     kdc [-c file | --config-file=file] [-p | --no-require-preauth]
     [--max-request=size] [-H | --enable-http] [-D | --no-detach] [-r string |
     --v4-realm=string] [-K | --no-kaserver] [-r realm] [--v4-realm=realm] [-P
     string | --ports=string] [--addresses=list of addresses]

     kdc serves requests for tickets. When it starts, it first checks the
     flags passed, any options that are not specified with a command line flag
     is taken from a config file, or from a default compiled-in value.

     Options supported:

     -c file

             Specifies the location of the config file, the default is
             /var/heimdal/kdc.conf.  This is the only value that can't be
             specified in the config file.


             Turn off the requirement for pre-autentication in the initial AS-
             REQ for all principals. The use of pre-authentication makes it
             more difficult to do offline password attacks. You might want to
             turn it off if you have clients that doesn't do pre-authentica-
             tion. Since the version 4 protocol doesn't support any pre-au-
             thentication, so serving version 4 clients is just about the same
             as not requiring pre-athentication. The default is to require
             pre-authentication. Adding the require-preauth per principal is a
             more flexible way of handling this.

             Gives an upper limit on the size of the requests that the kdc is
             willing to handle.

     -H, --enable-http
             Makes the kdc listen on port 80 and handle requests encapsulated
             in HTTP.

     -D, --no-detach
             Makes the kdc not detach from the tty.  Useful for debugging.

     -K, --no-kaserver
             Disables kaserver emulation (in case it's compiled in).

     -r realm

             What realm this server should act as when dealing with version 4
             requests. The database can contain any number of realms, but
             since the version 4 protocol doesn't contain a realm for the
             server, it must be explicitly specified. The default is whatever
             is returned by krb_get_lrealm().  This option is only availabe if
             the KDC has been compiled with version 4 support.

     -P string, --ports=string
             Specifies the set of ports the KDC should listen on.  It is given
             as a white-space separated list of services or port numbers.

     --addresses=list of addresses
             The list of addresses to listen for requests on.  By default, the
             kdc will listen on all the locally configured addresses.  If only
             a subset is desired, or the automatic detection fails, this op-
             tion might be used.

     All activities , are logged to one or more destinations, see
     krb5.conf(5), and krb5_openlog(3).  The entity used for logging is kdc.

     The configuration file has the same syntax as the krb5.conf file (you can
     actually put the configuration in /etc/krb5.conf, and then start the KDC
     with --config-file=/etc/krb5.conf).  All options should be in a section
     called ``kdc''.  All the command-line options can preferably be added in
     the configuration file.  The only difference is the pre-authentication
     flag, that has to be specified as:

           require-preauth = no

     (in fact you can specify the option as --require-preauth=no).

     And there are some configuration options which do not have command-line

           check-ticket-addresses = boolean
                Check the addresses in the ticket when processing TGS re-
                quests.  The default is FALSE.

           allow-null-ticket-addresses = boolean
                Permit tickets with no addresses.  This option is only rele-
                vant when check-ticket-addresses is TRUE.

           allow-anonymous = boolean
                Permit anonymous tickets with no addresses.

           encode_as_rep_as_tgs_rep = boolean
                Encode AS-Rep as TGS-Rep to be bug-compatible with old DCE
                code.  The Heimdal clients allow both.

           kdc_warn_pwexpire = time
                How long before password/principal expiration the KDC should
                start sending out warning messages.

     An example of a config file:

                   require-preauth = no
                   v4-realm = FOO.SE
                   key-file = /key-file


NetBSD 1.6                       July 27, 1997                               2

You can also request any man page by name and (optionally) by section:


Use the DEFAULT collection to view manual pages for third-party software.

©1994 Man-cgi 1.15, Panagiotis Christias
©1996-2018 Modified for NetBSD by Kimmo Suominen