From: Ken Raeburn Date: Fri, 20 Sep 2002 20:47:43 +0000 (+0000) Subject: * admin.texinfo, dnssrv.texinfo: Documented config file variables and SRV X-Git-Tag: krb5-1.3-alpha1~359 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=c83ff74a790a8668513e7f89b53cadff401b2c69;p=krb5.git * admin.texinfo, dnssrv.texinfo: Documented config file variables and SRV records to use for Kerberos TCP service, if it's enabled, which it isn't by default. Removed UDP port 750 from the DNS SRV recommendations. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@14892 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/doc/ChangeLog b/doc/ChangeLog index ce81239fb..a3e85a2ae 100644 --- a/doc/ChangeLog +++ b/doc/ChangeLog @@ -1,3 +1,10 @@ +2002-09-20 Ken Raeburn + + * admin.texinfo, dnssrv.texinfo: Documented config file variables + and SRV records to use for Kerberos TCP service, if it's enabled, + which it isn't by default. Removed UDP port 750 from the DNS SRV + recommendations. + 2002-09-20 Jen Selby * Makefile: made the list of manpages a variable diff --git a/doc/admin.texinfo b/doc/admin.texinfo index c4d834163..e3b4b7656 100644 --- a/doc/admin.texinfo +++ b/doc/admin.texinfo 
@@ -1025,11 +1025,24 @@ The following relation is defined in the [kdcdefaults] section: @table @b @itemx kdc_ports This relation lists the ports on which the Kerberos server should -listen by default. This list is a comma separated list of integers. +listen for UDP requests by default. This list is a comma separated +list of integers. If this relation is not specified, the compiled-in default is @value{DefaultKdcPorts}, the first being the assigned Kerberos port and the second which was used by Kerberos V4. +@itemx kdc_tcp_ports +This relation lists the ports on which the Kerberos server should +listen for TCP connections by default. This list is a comma separated +list of integers. +If this relation is not specified, the compiled-in default is not to +listen for TCP connections at all. + +If you wish to change this (which we do not recommend, because the +current implementation has little protection against denial-of-service +attacks), the standard port number assigned for Kerberos TCP traffic +is port 88. + @itemx v4_mode This string specifies how the KDC should respond to Kerberos 4 packets. The possible values are none, disable, full, and nopreauth. @@ -1152,9 +1165,14 @@ listen for this realm. The default is @value{DefaultKpasswdPort}. Kerberos realm. @itemx kdc_ports -(String.) Specifies the list of ports that the KDC is to listen to for -this realm. By default, the value of kdc_ports as specified in the -[kdcdefaults] section is used. +(String.) Specifies the list of ports that the KDC is to listen to +for UDP requests for this realm. By default, the value of kdc_ports +as specified in the [kdcdefaults] section is used. + +@itemx kdc_tcp_ports +(String.) Specifies the list of ports that the KDC is to listen to +for TCP requests for this realm. By default, the value of +kdc_tcp_ports as specified in the [kdcdefaults] section is used. @itemx master_key_name (String.) Specifies the name of the principal associated with the 
diff --git a/doc/dnssrv.texinfo b/doc/dnssrv.texinfo index 1f306d0f4..1a401ac14 100644 --- a/doc/dnssrv.texinfo +++ b/doc/dnssrv.texinfo @@ -21,9 +21,19 @@ well.) Several different Kerberos-related service names are used: @table @code @item _kerberos._udp -This is for contacting any KDC. This entry will be used the most -often. Normally you should list ports @value{DefaultKdcPorts} on each -of your KDCs. +This is for contacting any KDC by UDP. This entry will be used the most +often. Normally you should list port 88 on each of your KDCs. +@c Don't encourage continued use of port 750 for krb5. +@c It should be only for backwards compatibility with krb4. +@c Do the Mac/Windows krb4 libraries use this DNS entry? +@c The UNIX code does not. + +@item _kerberos._tcp +This is for contacting any KDC by TCP. The MIT KDC by default will not +listen on any TCP ports, so unless you've changed the configuration or +you're running another KDC implementation, you should leave this +unspecified. If you do enable TCP support, normally you should use +port 88. @item _kerberos-master._udp This entry should refer to those KDCs, if any, that will immediately see
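Review bot: In the first admin.texinfo hunk ([kdcdefaults], kdc_tcp_ports), "If you wish to change this" is ambiguous after a sentence that describes the default as not listening; say "If you wish to enable TCP" so the recommendation-against and the port 88 advice clearly refer to turning the listener on. Since the new _kerberos._tcp text in dnssrv.texinfo tells admins to publish that SRV record only when TCP is enabled, an @xref from this entry to the DNS SRV chapter would keep the two settings from being configured inconsistently.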
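Review bot: In the second admin.texinfo hunk ([realms], kdc_tcp_ports), a per-realm value can switch TCP on even when [kdcdefaults] leaves it off, but the denial-of-service caveat appears only in the [kdcdefaults] entry; either repeat it here or add a cross-reference to the [kdcdefaults] kdc_tcp_ports description so a reader who only consults the [realms] section sees the warning.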
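Review bot: In the dnssrv.texinfo hunk, the @c comments leave an open question ("Do the Mac/Windows krb4 libraries use this DNS entry?") in the source; either resolve it before commit or note where it is being tracked, since it affects whether dropping port 750 from the _kerberos._udp advice breaks any krb4 client. The _kerberos._tcp text says to leave the record unspecified unless TCP is enabled but not why; one clause ("clients that find the record will attempt TCP connections that nothing answers") would make the advice self-explanatory.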