author: Sarah Day <sarahday@mit.edu> 2015-12-23 15:01:44 -0500
committer: Greg Hudson <ghudson@mit.edu> 2016-07-18 11:22:48 -0400
commit: 5f53d6cfb2cdc2e666a3fd2fe4f3ef21aa8258ae (patch)
tree: 83a076977a521941a1e1ebfc5ed6ec1420c50c5d /src/man
parent: aa91cb5dbbd4356c7a9069f4f52a10f70d91bc00 (diff)
Allow user to restrict KDC to specific addresses
krb5kdc has always only supported binding to the wildcard addresses. Add two configuration options to allow specifying the address/port that krb5kdc listens on for UDP and TCP connections.

[ghudson@mit.edu: edited documentation; preserved kdc_ports = "" behavior; made kdc_ports and kdc_tcp_ports continue to work in kdcdefaults section]

ticket: 1093
Diffstat (limited to 'src/man')
-rw-r--r-- src/man/kdc.conf.man | 55
1 file changed, 41 insertions, 14 deletions
diff --git a/src/man/kdc.conf.man b/src/man/kdc.conf.man
index dbab0e8..69fde60 100644
--- a/src/man/kdc.conf.man
+++ b/src/man/kdc.conf.man
@@ -96,8 +96,12 @@ subsection does not contain a relation for the tag. See the
.IP \(bu 2
\fBhost_based_services\fP
.IP \(bu 2
+\fBkdc_listen\fP
+.IP \(bu 2
\fBkdc_ports\fP
.IP \(bu 2
+\fBkdc_tcp_listen\fP
+.IP \(bu 2
\fBkdc_tcp_ports\fP
.IP \(bu 2
\fBno_host_referral\fP
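Review bot: the two new entries keep this overview list alphabetical (kdc_listen before kdc_ports, kdc_tcp_listen before kdc_tcp_ports), which is fine; but since the relation descriptions later in this same file now mark kdc_ports and kdc_tcp_ports as deprecated, consider flagging them the same way here (or at least listing the new relations first), so an administrator skimming the list does not pick the deprecated relation over the one that actually supports address restriction.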
@@ -329,21 +333,44 @@ assigned port for kadmind is 749, which is used by default.
(String.) Specifies the location where the master key has been
stored (via kdb5_util stash). The default is \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/.k5.REALM\fP, where \fIREALM\fP is the Kerberos realm.
.TP
+.B \fBkdc_listen\fP
+(Whitespace\- or comma\-separated list.) Specifies the UDP
+listening addresses and/or ports for the \fIkrb5kdc(8)\fP daemon.
+Each entry may be an interface address, a port number, or an
+address and port number separated by a colon. If the address
+contains colons, enclose it in square brackets. If no address is
+specified, the wildcard address is used. If no port is specified,
+the standard port (88) is used. If the KDC daemon fails to bind
+to any of the specified addresses, it will fail to start. The
+default is to bind to the wildcard address on the standard port.
+New in release 1.15.
+.TP
.B \fBkdc_ports\fP
-(Whitespace\- or comma\-separated list.) Lists the ports on which
-the Kerberos server should listen for UDP requests, as a
-comma\-separated list of integers. The default value is
-\fB88,750\fP, which are the assigned Kerberos port and the port
-historically used by Kerberos V4.
+(Whitespace\- or comma\-separated list, deprecated.) Prior to
+release 1.15, this relation lists the ports for the
+\fIkrb5kdc(8)\fP daemon to listen on for UDP requests. In
+release 1.15 and later, it has the same meaning as \fBkdc_listen\fP
+if that relation is not defined.
+.TP
+.B \fBkdc_tcp_listen\fP
+(Whitespace\- or comma\-separated list.) Specifies the TCP
+listening addresses and/or ports for the \fIkrb5kdc(8)\fP daemon.
+Each entry may be an interface address, a port number, or an
+address and port number separated by a colon. If the address
+contains colons, enclose it in square brackets. If no address is
+specified, the wildcard address is used. If no port is specified,
+the standard port (88) is used. To disable listening on TCP, set
+this relation to the empty string with \fBkdc_tcp_listen = ""\fP\&.
+If the KDC daemon fails to bind to any of the specified addresses,
+it will fail to start. The default is to bind to the wildcard
+address on the standard port. New in release 1.15.
.TP
.B \fBkdc_tcp_ports\fP
-(Whitespace\- or comma\-separated list.) Lists the ports on which
-the Kerberos server should listen for TCP connections, as a
-comma\-separated list of integers. To disable listening on TCP,
-set this relation to the empty string with \fBkdc_tcp_ports = ""\fP\&.
-If this relation is not specified, the default is to listen on TCP
-port 88 (the standard port). Prior to release 1.13, the default
-was not to listen for TCP connections at all.
+(Whitespace\- or comma\-separated list, deprecated.) Prior to
+release 1.15, this relation lists the ports for the
+\fIkrb5kdc(8)\fP daemon to listen on for UDP requests. In
+release 1.15 and later, it has the same meaning as
+\fBkdc_tcp_listen\fP if that relation is not defined.
.TP
.B \fBkpasswd_listen\fP
(Comma\-separated list.) Specifies the kpasswd listening addresses
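Review bot: the replacement kdc_tcp_ports text at `+\fIkrb5kdc(8)\fP daemon to listen on for UDP requests. In` says UDP, but this relation governs TCP (the removed text and the new kdc_tcp_listen entry both say TCP); it looks like a copy-paste of the kdc_ports paragraph and should read "listen on for TCP connections". Two further documentation gaps in the same hunk: the old kdc_ports default of \fB88,750\fP is deleted and the new kdc_listen text says the default is the standard port only, so the doc should state that port 750 (the Kerberos V4 port) is no longer bound by default; and kdc_tcp_listen documents the empty-string form for disabling TCP while kdc_listen says nothing about an empty value, although the commit message says the kdc_ports = "" behavior was deliberately preserved, so the UDP entry should say what an empty list means.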
@@ -1096,8 +1123,8 @@ Here\(aqs an example of a kdc.conf file:
.nf
.ft C
[kdcdefaults]
- kdc_ports = 88
-
+ kdc_listen = 88
+ kdc_tcp_listen = 88
[realms]
ATHENA.MIT.EDU = {
kadmind_port = 749
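Review bot: the edited sample drops the blank line that separated the [kdcdefaults] block from [realms]; keeping a blank line before [realms] preserves the readability of the example. Also, since the commit's purpose is to let the KDC be restricted to specific addresses, the sample still shows only port-only entries (kdc_listen = 88, kdc_tcp_listen = 88); adding one address:port entry to the example would demonstrate the new capability and the bracketed form for addresses containing colons that the relation text describes.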