Diffstat (limited to 'crypto/krb5/doc/html/_sources/admin/https.rst.txt')
-rw-r--r-- | crypto/krb5/doc/html/_sources/admin/https.rst.txt | 48 |
1 files changed, 0 insertions, 48 deletions
diff --git a/crypto/krb5/doc/html/_sources/admin/https.rst.txt b/crypto/krb5/doc/html/_sources/admin/https.rst.txt deleted file mode 100644 index b4e68b2b2029..000000000000 --- a/crypto/krb5/doc/html/_sources/admin/https.rst.txt +++ /dev/null 
@@ -1,48 +0,0 @@ -.. _https: - -HTTPS proxy configuration -========================= - -In addition to being able to use UDP or TCP to communicate directly -with a KDC as is outlined in RFC4120, and with kpasswd services in a -similar fashion, the client libraries can attempt to use an HTTPS -proxy server to communicate with a KDC or kpasswd service, using the -protocol outlined in [MS-KKDCP]. - -Communicating with a KDC through an HTTPS proxy allows clients to -contact servers when network firewalls might otherwise prevent them -from doing so. The use of TLS also encrypts all traffic between the -clients and the KDC, preventing observers from conducting password -dictionary attacks or from observing the client and server principals -being authenticated, at additional computational cost to both clients -and servers. - -An HTTPS proxy server is provided as a feature in some versions of -Microsoft Windows Server, and a WSGI implementation named `kdcproxy` -is available in the python package index. - - -Configuring the clients ------------------------ - -To use an HTTPS proxy, a client host must trust the CA which issued -that proxy's SSL certificate. If that CA's certificate is not in the -system-wide default set of trusted certificates, configure the -following relation in the client host's :ref:`krb5.conf(5)` file in -the appropriate :ref:`realms` subsection:: - - http_anchors = FILE:/etc/krb5/cacert.pem - -Adjust the pathname to match the path of the file which contains a -copy of the CA's certificate. The `http_anchors` option is documented -more fully in :ref:`krb5.conf(5)`. 
- -Configure the client to access the KDC and kpasswd service by -specifying their locations in its :ref:`krb5.conf(5)` file in the form -of HTTPS URLs for the proxy server:: - - kdc = https://server.fqdn/KdcProxy - kpasswd_server = https://server.fqdn/KdcProxy - -If the proxy and client are properly configured, client commands such -as ``kinit``, ``kvno``, and ``kpasswd`` should all function normally. |
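Review bot: Nothing visible in this change says where the client-side guidance goes after the whole-file deletion at `@@ -1,48 +0,0 @@`. The removed text is where an administrator is told to set `http_anchors` so the client trusts the CA that issued the proxy's certificate, and to give `kdc` and `kpasswd_server` as `https://` URLs. The path (`doc/html/_sources/admin/https.rst.txt`) suggests this is a generated copy of a documentation source rather than the source itself. If so, say that in the commit message and name the location that remains authoritative. If the documentation is being dropped from the tree altogether, point readers to where the `http_anchors` reference can still be found, so that the CA-trust step is not lost for anyone setting up KDC access through an HTTPS proxy.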