aboutsummaryrefslogtreecommitdiff
path: root/crypto/krb5/doc/html/admin/https.html
diff options
context:
space:
mode:
Diffstat (limited to 'crypto/krb5/doc/html/admin/https.html')
-rw-r--r--crypto/krb5/doc/html/admin/https.html191
1 files changed, 0 insertions, 191 deletions
diff --git a/crypto/krb5/doc/html/admin/https.html b/crypto/krb5/doc/html/admin/https.html
deleted file mode 100644
index 3c1c24feb43d..000000000000
--- a/crypto/krb5/doc/html/admin/https.html
+++ /dev/null
@@ -1,191 +0,0 @@
-<!DOCTYPE html>
-
-<html lang="en" data-content_root="../">
- <head>
- <meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
-
- <title>HTTPS proxy configuration &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../_static/pygments.css?v=fa44fd50" />
- <link rel="stylesheet" type="text/css" href="../_static/agogo.css?v=879f3c71" />
- <link rel="stylesheet" type="text/css" href="../_static/kerb.css?v=6a0b3979" />
- <script src="../_static/documentation_options.js?v=236fef3b"></script>
- <script src="../_static/doctools.js?v=888ff710"></script>
- <script src="../_static/sphinx_highlight.js?v=dc90522c"></script>
- <link rel="author" title="About these documents" href="../about.html" />
- <link rel="index" title="Index" href="../genindex.html" />
- <link rel="search" title="Search" href="../search.html" />
- <link rel="copyright" title="Copyright" href="../copyright.html" />
- <link rel="next" title="Authentication indicators" href="auth_indicator.html" />
- <link rel="prev" title="Encryption types" href="enctypes.html" />
- </head><body>
- <div class="header-wrapper">
- <div class="header">
-
-
- <h1><a href="../index.html">MIT Kerberos Documentation</a></h1>
-
- <div class="rel">
-
- <a href="../index.html" title="Full Table of Contents"
- accesskey="C">Contents</a> |
- <a href="enctypes.html" title="Encryption types"
- accesskey="P">previous</a> |
- <a href="auth_indicator.html" title="Authentication indicators"
- accesskey="N">next</a> |
- <a href="../genindex.html" title="General Index"
- accesskey="I">index</a> |
- <a href="../search.html" title="Enter search criteria"
- accesskey="S">Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__HTTPS proxy configuration">feedback</a>
- </div>
- </div>
- </div>
-
- <div class="content-wrapper">
- <div class="content">
- <div class="document">
-
- <div class="documentwrapper">
- <div class="bodywrapper">
- <div class="body" role="main">
-
- <section id="https-proxy-configuration">
-<span id="https"></span><h1>HTTPS proxy configuration<a class="headerlink" href="#https-proxy-configuration" title="Link to this heading">¶</a></h1>
-<p>In addition to being able to use UDP or TCP to communicate directly
-with a KDC as is outlined in RFC4120, and with kpasswd services in a
-similar fashion, the client libraries can attempt to use an HTTPS
-proxy server to communicate with a KDC or kpasswd service, using the
-protocol outlined in [MS-KKDCP].</p>
-<p>Communicating with a KDC through an HTTPS proxy allows clients to
-contact servers when network firewalls might otherwise prevent them
-from doing so. The use of TLS also encrypts all traffic between the
-clients and the KDC, preventing observers from conducting password
-dictionary attacks or from observing the client and server principals
-being authenticated, at additional computational cost to both clients
-and servers.</p>
-<p>An HTTPS proxy server is provided as a feature in some versions of
-Microsoft Windows Server, and a WSGI implementation named <cite>kdcproxy</cite>
-is available in the python package index.</p>
-<section id="configuring-the-clients">
-<h2>Configuring the clients<a class="headerlink" href="#configuring-the-clients" title="Link to this heading">¶</a></h2>
-<p>To use an HTTPS proxy, a client host must trust the CA which issued
-that proxy’s SSL certificate. If that CA’s certificate is not in the
-system-wide default set of trusted certificates, configure the
-following relation in the client host’s <a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a> file in
-the appropriate <a class="reference internal" href="conf_files/krb5_conf.html#realms"><span class="std std-ref">[realms]</span></a> subsection:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">http_anchors</span> <span class="o">=</span> <span class="n">FILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">krb5</span><span class="o">/</span><span class="n">cacert</span><span class="o">.</span><span class="n">pem</span>
-</pre></div>
-</div>
-<p>Adjust the pathname to match the path of the file which contains a
-copy of the CA’s certificate. The <cite>http_anchors</cite> option is documented
-more fully in <a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a>.</p>
-<p>Configure the client to access the KDC and kpasswd service by
-specifying their locations in its <a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a> file in the form
-of HTTPS URLs for the proxy server:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">kdc</span> <span class="o">=</span> <span class="n">https</span><span class="p">:</span><span class="o">//</span><span class="n">server</span><span class="o">.</span><span class="n">fqdn</span><span class="o">/</span><span class="n">KdcProxy</span>
-<span class="n">kpasswd_server</span> <span class="o">=</span> <span class="n">https</span><span class="p">:</span><span class="o">//</span><span class="n">server</span><span class="o">.</span><span class="n">fqdn</span><span class="o">/</span><span class="n">KdcProxy</span>
-</pre></div>
-</div>
-<p>If the proxy and client are properly configured, client commands such
-as <code class="docutils literal notranslate"><span class="pre">kinit</span></code>, <code class="docutils literal notranslate"><span class="pre">kvno</span></code>, and <code class="docutils literal notranslate"><span class="pre">kpasswd</span></code> should all function normally.</p>
-</section>
-</section>
-
-
- <div class="clearer"></div>
- </div>
- </div>
- </div>
- </div>
- <div class="sidebar">
-
- <h2>On this page</h2>
- <ul>
-<li><a class="reference internal" href="#">HTTPS proxy configuration</a><ul>
-<li><a class="reference internal" href="#configuring-the-clients">Configuring the clients</a></li>
-</ul>
-</li>
-</ul>
-
- <br/>
- <h2>Table of contents</h2>
- <ul class="current">
-<li class="toctree-l1"><a class="reference internal" href="../user/index.html">For users</a></li>
-<li class="toctree-l1 current"><a class="reference internal" href="index.html">For administrators</a><ul class="current">
-<li class="toctree-l2"><a class="reference internal" href="install.html">Installation guide</a></li>
-<li class="toctree-l2"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li>
-<li class="toctree-l2"><a class="reference internal" href="realm_config.html">Realm configuration decisions</a></li>
-<li class="toctree-l2"><a class="reference internal" href="database.html">Database administration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="dbtypes.html">Database types</a></li>
-<li class="toctree-l2"><a class="reference internal" href="lockout.html">Account lockout</a></li>
-<li class="toctree-l2"><a class="reference internal" href="conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
-<li class="toctree-l2"><a class="reference internal" href="appl_servers.html">Application servers</a></li>
-<li class="toctree-l2"><a class="reference internal" href="host_config.html">Host configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="backup_host.html">Backups of secure hosts</a></li>
-<li class="toctree-l2"><a class="reference internal" href="pkinit.html">PKINIT configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="otp.html">OTP Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="spake.html">SPAKE Preauthentication</a></li>
-<li class="toctree-l2"><a class="reference internal" href="dictionary.html">Addressing dictionary attack risks</a></li>
-<li class="toctree-l2"><a class="reference internal" href="princ_dns.html">Principal names and DNS</a></li>
-<li class="toctree-l2"><a class="reference internal" href="enctypes.html">Encryption types</a></li>
-<li class="toctree-l2 current"><a class="current reference internal" href="#">HTTPS proxy configuration</a></li>
-<li class="toctree-l2"><a class="reference internal" href="auth_indicator.html">Authentication indicators</a></li>
-<li class="toctree-l2"><a class="reference internal" href="admin_commands/index.html">Administration programs</a></li>
-<li class="toctree-l2"><a class="reference internal" href="../mitK5defaults.html">MIT Kerberos defaults</a></li>
-<li class="toctree-l2"><a class="reference internal" href="env_variables.html">Environment variables</a></li>
-<li class="toctree-l2"><a class="reference internal" href="troubleshoot.html">Troubleshooting</a></li>
-<li class="toctree-l2"><a class="reference internal" href="advanced/index.html">Advanced topics</a></li>
-<li class="toctree-l2"><a class="reference internal" href="various_envs.html">Various links</a></li>
-</ul>
-</li>
-<li class="toctree-l1"><a class="reference internal" href="../appdev/index.html">For application developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../plugindev/index.html">For plugin module developers</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../basic/index.html">Kerberos V5 concepts</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../formats/index.html">Protocols and file formats</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../build_this.html">How to build this documentation from the source</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../about.html">Contributing to the MIT Kerberos Documentation</a></li>
-<li class="toctree-l1"><a class="reference internal" href="../resources.html">Resources</a></li>
-</ul>
-
- <br/>
- <h4><a href="../index.html">Full Table of Contents</a></h4>
- <h4>Search</h4>
- <form class="search" action="../search.html" method="get">
- <input type="text" name="q" size="18" />
- <input type="submit" value="Go" />
- <input type="hidden" name="check_keywords" value="yes" />
- <input type="hidden" name="area" value="default" />
- </form>
-
- </div>
- <div class="clearer"></div>
- </div>
- </div>
-
- <div class="footer-wrapper">
- <div class="footer" >
- <div class="right" ><i>Release: 1.22-final</i><br />
- &copy; <a href="../copyright.html">Copyright</a> 1985-2025, MIT.
- </div>
- <div class="left">
-
- <a href="../index.html" title="Full Table of Contents"
- >Contents</a> |
- <a href="enctypes.html" title="Encryption types"
- >previous</a> |
- <a href="auth_indicator.html" title="Authentication indicators"
- >next</a> |
- <a href="../genindex.html" title="General Index"
- >index</a> |
- <a href="../search.html" title="Enter search criteria"
- >Search</a> |
- <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__HTTPS proxy configuration">feedback</a>
- </div>
- </div>
- </div>
-
- </body>
-</html> \ No newline at end of file
generated by cgit v1.2.3 (git 2.25.1) at 2025-09-07 22:55:25 +0000