svn rev #23583: trunk/src/ clients/kinit/ kadmin/cli/

hartmans@MIT.EDU hartmans at MIT.EDU
Mon Jan 4 14:59:25 EST 2010


http://src.mit.edu/fisheye/changelog/krb5/?cs=23583
Commit By: hartmans
Log Message:
Anonymous documentation


Changed Files:
U   trunk/src/clients/kinit/kinit.M
U   trunk/src/kadmin/cli/kadmin.M
Modified: trunk/src/clients/kinit/kinit.M
===================================================================
--- trunk/src/clients/kinit/kinit.M	2010-01-04 19:59:20 UTC (rev 23582)
+++ trunk/src/clients/kinit/kinit.M	2010-01-04 19:59:25 UTC (rev 23583)
@@ -39,6 +39,7 @@
 [\fB\-E\fP]
 [\fB\-v\fP] [\fB\-R\fP]
 [\fB\-k\fP [\fB\-t\fP \fIkeytab_file\fP]] [\fB\-c\fP \fIcache_name\fP]
+[\fB\-n\fP]
 [\fB\-S\fP \fIservice_name\fP][\fB\-T\fP \fIarmor_ccache\fP]
 [\fB\-X\fP \fIattribute\fP[=\fIvalue\fP]]
 [\fIprincipal\fP]
@@ -138,6 +139,26 @@
 .I keytab_file
 option; otherwise the default name and location will be used.
 .TP
+\fB-n\fP
+Requests anonymous processing.  Two types of anonymous principals are
+supported.  For fully anonymous Kerberos, configure pkinit on the KDC
+and configure
+.I pkinit_anchors
+in the client's krb5.conf.  Then use the
+.B -n
+option with a principal of the form
+.I @REALM
+(an empty principal name followed by the at-sign and a realm name).
+If permitted by the KDC, an anonymous ticket will be returned.
+A second form of anonymous tickets is supported; these realm-exposed
+tickets hide the identity of the client but not the client's realm.
+For this mode, use
+.B kinit -n
+with a normal principal name.  If supported by the KDC, the principal
+(but not realm) will be replaced by the anonymous principal.
+As of release 1.8, the MIT Kerberos KDC only supports fully anonymous
+operation.
+.TP
 \fB\-T\fP \fIarmor_ccache\fP
 Specifies the name of a credential cache that already contains a
 ticket.  If supported by the KDC, This ccache will be used to armor
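Review bot: The added tag line `\fB-n\fP` and the later `.B -n` leave the hyphen unescaped, while the neighbouring entry in this same hunk is written `\fB\-T\fP`; write `\-n` in both places so the option renders as a minus sign like the rest of the page. The closing sentence says the 1.8 KDC only supports fully anonymous operation, so a reader who tries the realm-exposed form described just above it against an MIT KDC will not get the behaviour described; consider moving that caveat next to the realm-exposed paragraph, or saying there that it depends on a non-MIT KDC.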

Modified: trunk/src/kadmin/cli/kadmin.M
===================================================================
--- trunk/src/kadmin/cli/kadmin.M	2010-01-04 19:59:20 UTC (rev 23582)
+++ trunk/src/kadmin/cli/kadmin.M	2010-01-04 19:59:25 UTC (rev 23583)
@@ -9,7 +9,7 @@
 [\fB\-r\fP \fIrealm\fP] [\fB\-p\fP \fIprincipal\fP] [\fB\-q\fP \fIquery\fP]
 .br
 [[\fB-c\fP \fIcache_name\fP] | [\fB-k\fP [\fB-t\fP
-\fIkeytab\fP]]] [\fB\-w\fP \fIpassword\fP] [\fB\-s\fP
+\fIkeytab\fP]] | \fB-n\fP] [\fB\-w\fP \fIpassword\fP] [\fB\-s\fP
 \fIadmin_server\fP[\fI:port\fP]
 .TP "\w'.B kadmin.local\ 'u"
 .B kadmin.local
@@ -114,6 +114,25 @@
 to decrypt the KDC response.  This can only be used with the
 .B \-k
 option.
+\fB-n\fP
+Requests anonymous processing.  Two types of anonymous principals are
+supported.  For fully anonymous Kerberos, configure pkinit on the KDC
+and configure
+.I pkinit_anchors
+in the client's krb5.conf.  Then use the
+.B -n
+option with a principal of the form
+.I @REALM
+(an empty principal name followed by the at-sign and a realm name).
+If permitted by the KDC, an anonymous ticket will be returned.
+A second form of anonymous tickets is supported; these realm-exposed
+tickets hide the identity of the client but not the client's realm.
+For this mode, use
+.B kinit -n
+with a normal principal name.  If supported by the KDC, the principal
+(but not realm) will be replaced by the anonymous principal.
+As of release 1.8, the MIT Kerberos KDC only supports fully anonymous
+operation.
 .TP
 \fB\-c\fP \fIcredentials_cache\fP
 Use
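Review bot: The added `\fB-n\fP` line follows the context line `option.` with no `.TP` before it, so the new entry will be set as a continuation of the preceding keytab paragraph instead of as its own tagged item; add a `.TP` line ahead of `\fB-n\fP`, as the kinit.M hunk has. The body was also copied from kinit.M unchanged and still says `.B kinit -n` for the realm-exposed mode, which should describe the kadmin invocation on this page. The unescaped hyphen in `\fB-n\fP` and `.B -n` should be `\-n`, matching `.B \-k` in the context above.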



