kpasswdd(8) [debian man page]
KPASSWDD(8) BSD System Manager's Manual KPASSWDD(8) NAME
kpasswdd -- Kerberos 5 password changing server SYNOPSIS
kpasswdd [--addresses=address] [--check-library=library] [--check-function=function] [-k kspec | --keytab=kspec] [-r realm | --realm=realm] [-p string | --port=string] [--version] [--help] DESCRIPTION
kpasswdd serves request for password changes. It listens on UDP port 464 (service kpasswd) and processes requests when they arrive. It changes the database directly and should thus only run on the master KDC. Supported options: --addresses=address For each till the argument is given, add the address to what kpasswdd should listen too. --check-library=library If your system has support for dynamic loading of shared libraries, you can use an external function to check password quality. This option specifies which library to load. --check-function=function This is the function to call in the loaded library. The function should look like this: const char * passwd_check(krb5_context context, krb5_principal principal, krb5_data *password) context is an initialized context; principal is the one who tries to change passwords, and password is the new password. Note that the password (in password->data) is not zero terminated. -k kspec, --keytab=kspec Keytab to get authentication key from. -r realm, --realm=realm Default realm. -p string, --port=string Port to listen on (default service kpasswd - 464). DIAGNOSTICS
If an error occurs, the error message is returned to the user and/or logged to syslog. BUGS
The default password quality checks are too basic. SEE ALSO
kpasswd(1), kdc(8) HEIMDAL
April 19, 1999 HEIMDAL
Check Out this Related Man Page
KADMIND(8) BSD System Manager's Manual KADMIND(8) NAME
kadmind -- server for administrative access to Kerberos database SYNOPSIS
kadmind [-c file | --config-file=file] [-k file | --key-file=file] [--keytab=keytab] [-r realm | --realm=realm] [-d | --debug] [-p port | --ports=port] DESCRIPTION
kadmind listens for requests for changes to the Kerberos database and performs these, subject to permissions. When starting, if stdin is a socket it assumes that it has been started by inetd(8), otherwise it behaves as a daemon, forking processes for each new connection. The --debug option causes kadmind to accept exactly one connection, which is useful for debugging. The kpasswdd(8) daemon is responsible for the Kerberos 5 password changing protocol (used by kpasswd(1)). This daemon should only be run on the master server, and not on any slaves. Principals are always allowed to change their own password and list their own principal. Apart from that, doing any operation requires per- mission explicitly added in the ACL file /var/heimdal/kadmind.acl. The format of this file is: principal rights [principal-pattern] Where rights is any (comma separated) combination of: o change-password or cpw o list o delete o modify o add o get o get-keys o all And the optional principal-pattern restricts the rights to operations on principals that match the glob-style pattern. Supported options: -c file, --config-file=file location of config file -k file, --key-file=file location of master key file --keytab=keytab what keytab to use -r realm, --realm=realm realm to use -d, --debug enable debugging -p port, --ports=port ports to listen to. By default, if run as a daemon, it listens to port 749, but you can add any number of ports with this option. The port string is a whitespace separated list of port specifications, with the special string ``+'' representing the default port. FILES
/var/heimdal/kadmind.acl EXAMPLES
This will cause kadmind to listen to port 4711 in addition to any compiled in defaults: kadmind --ports="+ 4711" & This acl file will grant Joe all rights, and allow Mallory to view and add host principals, as well as extract host principal keys (e.g., into keytabs). joe/admin@EXAMPLE.COM all mallory/admin@EXAMPLE.COM add,get-keys host/*@EXAMPLE.COM SEE ALSO
kpasswd(1), kadmin(8), kdc(8), kpasswdd(8) HEIMDAL
December 8, 2004 HEIMDAL