krb5 commit: Update man pages

Greg Hudson ghudson at mit.edu
Wed May 24 16:13:36 EDT 2017


https://github.com/krb5/krb5/commit/1095dfa9248ac2357d6c08493af88574aa1240b4
commit 1095dfa9248ac2357d6c08493af88574aa1240b4
Author: Greg Hudson <ghudson at mit.edu>
Date:   Wed May 24 15:55:37 2017 -0400

    Update man pages

 src/man/k5identity.man     |    4 +-
 src/man/k5login.man        |    4 +-
 src/man/k5srvutil.man      |   26 +++++++++++++-----------
 src/man/kadm5.acl.man      |    4 +-
 src/man/kadmin.man         |   46 ++++++++++++++++++++++++++----------------
 src/man/kadmind.man        |   10 +++++++-
 src/man/kdb5_ldap_util.man |    4 +-
 src/man/kdb5_util.man      |   12 +++++++++-
 src/man/kdc.conf.man       |   47 ++++++++++++++++++++++++++++++++++---------
 src/man/kdestroy.man       |    4 +-
 src/man/kinit.man          |    9 +++++--
 src/man/klist.man          |    4 +-
 src/man/kpasswd.man        |    4 +-
 src/man/kprop.man          |    4 +-
 src/man/kpropd.man         |    4 +-
 src/man/kproplog.man       |    4 +-
 src/man/krb5-config.man    |    4 +-
 src/man/krb5.conf.man      |   40 +++++++++++++++++++++++++++++++++---
 src/man/krb5kdc.man        |    4 +-
 src/man/ksu.man            |    4 +-
 src/man/kswitch.man        |    4 +-
 src/man/ktutil.man         |    4 +-
 src/man/kvno.man           |    4 +-
 src/man/sclient.man        |    4 +-
 src/man/sserver.man        |    4 +-
 25 files changed, 175 insertions(+), 87 deletions(-)

diff --git a/src/man/k5identity.man b/src/man/k5identity.man
index e362a1f..ec4bda4 100644
--- a/src/man/k5identity.man
+++ b/src/man/k5identity.man
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "K5IDENTITY" "5" " " "1.15" "MIT Kerberos"
+.TH "K5IDENTITY" "5" " " "1.16" "MIT Kerberos"
 .SH NAME
 k5identity \- Kerberos V5 client principal selection rules
 .
@@ -98,6 +98,6 @@ kerberos(1), \fIkrb5.conf(5)\fP
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-1985-2016, MIT
+1985-2017, MIT
 .\" Generated by docutils manpage writer.
 .
diff --git a/src/man/k5login.man b/src/man/k5login.man
index 989ac39..fea5c23 100644
--- a/src/man/k5login.man
+++ b/src/man/k5login.man
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "K5LOGIN" "5" " " "1.15" "MIT Kerberos"
+.TH "K5LOGIN" "5" " " "1.16" "MIT Kerberos"
 .SH NAME
 k5login \- Kerberos V5 acl file for host access
 .
@@ -91,6 +91,6 @@ kerberos(1)
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-1985-2016, MIT
+1985-2017, MIT
 .\" Generated by docutils manpage writer.
 .
diff --git a/src/man/k5srvutil.man b/src/man/k5srvutil.man
index 0ce72d4..1830476 100644
--- a/src/man/k5srvutil.man
+++ b/src/man/k5srvutil.man
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "K5SRVUTIL" "1" " " "1.15" "MIT Kerberos"
+.TH "K5SRVUTIL" "1" " " "1.16" "MIT Kerberos"
 .SH NAME
 k5srvutil \- host key table (keytab) manipulation utility
 .
@@ -38,14 +38,15 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 [\fB\-e\fP \fIkeysalts\fP]
 .SH DESCRIPTION
 .sp
-k5srvutil allows an administrator to list or change keys currently in
-a keytab or to add new keys to the keytab.
+k5srvutil allows an administrator to list keys currently in
+a keytab, to obtain new keys for a principal currently in a keytab,
+or to delete non\-current keys from a keytab.
 .sp
 \fIoperation\fP must be one of the following:
 .INDENT 0.0
 .TP
 .B \fBlist\fP
-Lists the keys in a keytab showing version number and principal
+Lists the keys in a keytab, showing version number and principal
 name.
 .TP
 .B \fBchange\fP
@@ -53,13 +54,14 @@ Uses the kadmin protocol to update the keys in the Kerberos
 database to new randomly\-generated keys, and updates the keys in
 the keytab to match.  If a key\(aqs version number doesn\(aqt match the
 version number stored in the Kerberos server\(aqs database, then the
-operation will fail.  Old keys are retained in the keytab so that
-existing tickets continue to work.  If the \fB\-i\fP flag is given,
-k5srvutil will prompt for confirmation before changing each key.
-If the \fB\-k\fP option is given, the old and new keys will be
-displayed.  Ordinarily, keys will be generated with the default
-encryption types and key salts.  This can be overridden with the
-\fB\-e\fP option.
+operation will fail.  If the \fB\-i\fP flag is given, k5srvutil will
+prompt for confirmation before changing each key.  If the \fB\-k\fP
+option is given, the old and new keys will be displayed.
+Ordinarily, keys will be generated with the default encryption
+types and key salts.  This can be overridden with the \fB\-e\fP
+option.  Old keys are retained in the keytab so that existing
+tickets continue to work, but \fBdelold\fP should be used after
+such tickets expire, to prevent attacks against the old keys.
 .TP
 .B \fBdelold\fP
 Deletes keys that are not the most recent version from the keytab.
@@ -84,6 +86,6 @@ place.
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-1985-2016, MIT
+1985-2017, MIT
 .\" Generated by docutils manpage writer.
 .
diff --git a/src/man/kadm5.acl.man b/src/man/kadm5.acl.man
index f5daf52..fa3c93c 100644
--- a/src/man/kadm5.acl.man
+++ b/src/man/kadm5.acl.man
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "KADM5.ACL" "5" " " "1.15" "MIT Kerberos"
+.TH "KADM5.ACL" "5" " " "1.16" "MIT Kerberos"
 .SH NAME
 kadm5.acl \- Kerberos ACL file
 .
@@ -262,6 +262,6 @@ tickets with a life of longer than 9 hours.
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-1985-2016, MIT
+1985-2017, MIT
 .\" Generated by docutils manpage writer.
 .
diff --git a/src/man/kadmin.man b/src/man/kadmin.man
index 2730f35..008d9bf 100644
--- a/src/man/kadmin.man
+++ b/src/man/kadmin.man
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "KADMIN" "1" " " "1.15" "MIT Kerberos"
+.TH "KADMIN" "1" " " "1.16" "MIT Kerberos"
 .SH NAME
 kadmin \- Kerberos V5 database administration program
 .
@@ -284,11 +284,12 @@ Options:
 (\fIgetdate\fP string) The password expiration date.
 .TP
 .B \fB\-maxlife\fP \fImaxlife\fP
-(\fIgetdate\fP string) The maximum ticket life for the principal.
+(\fIduration\fP or \fIgetdate\fP string) The maximum ticket life
+for the principal.
 .TP
 .B \fB\-maxrenewlife\fP \fImaxrenewlife\fP
-(\fIgetdate\fP string) The maximum renewable life of tickets for
-the principal.
+(\fIduration\fP or \fIgetdate\fP string) The maximum renewable
+life of tickets for the principal.
 .TP
 .B \fB\-kvno\fP \fIkvno\fP
 The initial key version number.
@@ -704,6 +705,13 @@ accepted values.
 Enables One Time Passwords (OTP) preauthentication for a client
 \fIprincipal\fP\&.  The \fIvalue\fP is a JSON string representing an array
 of objects, each having optional \fBtype\fP and \fBusername\fP fields.
+.TP
+.B \fBpkinit_cert_match\fP
+Specifies a matching expression that defines the certificate
+attributes required for the client certificate used by the
+principal during PKINIT authentication.  The matching expression
+is in the same format as those used by the \fBpkinit_cert_match\fP
+option in \fIkrb5.conf(5)\fP\&.  (New in release 1.16.)
 .UNINDENT
 .sp
 This command requires the \fBmodify\fP privilege.
@@ -717,7 +725,7 @@ Example:
 .nf
 .ft C
 set_string host/foo.mit.edu session_enctypes aes128\-cts
-set_string user at FOO.COM otp [{"type":"hotp","username":"custom"}]
+set_string user at FOO.COM otp "[{""type"":""hotp"",""username"":""al""}]"
 .ft P
 .fi
 .UNINDENT
@@ -751,10 +759,12 @@ The following options are available:
 .INDENT 0.0
 .TP
 .B \fB\-maxlife\fP \fItime\fP
-(\fIgetdate\fP string) Sets the maximum lifetime of a password.
+(\fIduration\fP or \fIgetdate\fP string) Sets the maximum
+lifetime of a password.
 .TP
 .B \fB\-minlife\fP \fItime\fP
-(\fIgetdate\fP string) Sets the minimum lifetime of a password.
+(\fIduration\fP or \fIgetdate\fP string) Sets the minimum
+lifetime of a password.
 .TP
 .B \fB\-minlength\fP \fIlength\fP
 Sets the minimum length of a password.
@@ -780,21 +790,21 @@ resets to 0 after a successful attempt to authenticate.  A
 .INDENT 0.0
 .TP
 .B \fB\-failurecountinterval\fP \fIfailuretime\fP
-(\fIgetdate\fP string) Sets the allowable time between
-authentication failures.  If an authentication failure happens
-after \fIfailuretime\fP has elapsed since the previous failure,
-the number of authentication failures is reset to 1.  A
+(\fIduration\fP or \fIgetdate\fP string) Sets the allowable time
+between authentication failures.  If an authentication failure
+happens after \fIfailuretime\fP has elapsed since the previous
+failure, the number of authentication failures is reset to 1.  A
 \fIfailuretime\fP value of 0 (the default) means forever.
 .UNINDENT
 .INDENT 0.0
 .TP
 .B \fB\-lockoutduration\fP \fIlockouttime\fP
-(\fIgetdate\fP string) Sets the duration for which the principal
-is locked from authenticating if too many authentication failures
-occur without the specified failure count interval elapsing.
-A duration of 0 (the default) means the principal remains locked
-out until it is administratively unlocked with \fBmodprinc
-\-unlock\fP\&.
+(\fIduration\fP or \fIgetdate\fP string) Sets the duration for
+which the principal is locked from authenticating if too many
+authentication failures occur without the specified failure count
+interval elapsing.  A duration of 0 (the default) means the
+principal remains locked out until it is administratively unlocked
+with \fBmodprinc \-unlock\fP\&.
 .TP
 .B \fB\-allowedkeysalts\fP
 Specifies the key/salt tuples supported for long\-term keys when
@@ -1064,6 +1074,6 @@ interface to the OpenVision Kerberos administration program.
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-1985-2016, MIT
+1985-2017, MIT
 .\" Generated by docutils manpage writer.
 .
diff --git a/src/man/kadmind.man b/src/man/kadmind.man
index 4cc4bf2..6d592a0 100644
--- a/src/man/kadmind.man
+++ b/src/man/kadmind.man
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "KADMIND" "8" " " "1.15" "MIT Kerberos"
+.TH "KADMIND" "8" " " "1.16" "MIT Kerberos"
 .SH NAME
 kadmind \- KADM5 administration server
 .
@@ -42,6 +42,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 [\fB\-P\fP \fIpid_file\fP]
 [\fB\-p\fP \fIkdb5_util_path\fP]
 [\fB\-K\fP \fIkprop_path\fP]
+[\fB\-k\fP \fIkprop_port\fP]
 [\fB\-F\fP \fIdump_file\fP]
 .SH DESCRIPTION
 .sp
@@ -125,6 +126,11 @@ KDB in response to full resync requests when iprop is enabled.
 specifies the path to the kprop command to use to send full dumps
 to slaves in response to full resync requests.
 .TP
+.B \fB\-k\fP \fIkprop_port\fP
+specifies the port by which the kprop process that is spawned by kadmind
+connects to the slave kpropd, in order to transfer the dump file during
+an iprop full resync request.
+.TP
 .B \fB\-F\fP \fIdump_file\fP
 specifies the file path to be used for dumping the KDB in response
 to full resync requests when iprop is enabled.
@@ -139,6 +145,6 @@ specifies database\-specific arguments.  See \fIDatabase Options\fP in \fIkadmin
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-1985-2016, MIT
+1985-2017, MIT
 .\" Generated by docutils manpage writer.
 .
diff --git a/src/man/kdb5_ldap_util.man b/src/man/kdb5_ldap_util.man
index e142c3c..001c797 100644
--- a/src/man/kdb5_ldap_util.man
+++ b/src/man/kdb5_ldap_util.man
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "KDB5_LDAP_UTIL" "8" " " "1.15" "MIT Kerberos"
+.TH "KDB5_LDAP_UTIL" "8" " " "1.16" "MIT Kerberos"
 .SH NAME
 kdb5_ldap_util \- Kerberos configuration utility
 .
@@ -544,6 +544,6 @@ userpolicy
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-1985-2016, MIT
+1985-2017, MIT
 .\" Generated by docutils manpage writer.
 .
diff --git a/src/man/kdb5_util.man b/src/man/kdb5_util.man
index 5d48ffe..66bf6f8 100644
--- a/src/man/kdb5_util.man
+++ b/src/man/kdb5_util.man
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "KDB5_UTIL" "8" " " "1.15" "MIT Kerberos"
+.TH "KDB5_UTIL" "8" " " "1.16" "MIT Kerberos"
 .SH NAME
 kdb5_util \- Kerberos database maintenance utility
 .
@@ -184,6 +184,14 @@ This may recover principals that do not dump normally, in cases
 where database corruption has occurred.  In cases of such
 corruption, this option will probably retrieve more principals
 than the \fB\-rev\fP option will.
+.sp
+Changed in version 1.15: Release 1.15 restored the functionality of the \fB\-recurse\fP
+option.
+
+.sp
+Changed in version 1.5: The \fB\-recurse\fP option ceased working until release 1.15,
+doing a normal dump instead of a recursive traversal.
+
 .UNINDENT
 .SS load
 .INDENT 0.0
@@ -544,6 +552,6 @@ bar at EXAMPLE.COM     1       1       des\-cbc\-crc     normal  \-1
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-1985-2016, MIT
+1985-2017, MIT
 .\" Generated by docutils manpage writer.
 .
diff --git a/src/man/kdc.conf.man b/src/man/kdc.conf.man
index 69fde60..194af5a 100644
--- a/src/man/kdc.conf.man
+++ b/src/man/kdc.conf.man
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "KDC.CONF" "5" " " "1.15" "MIT Kerberos"
+.TH "KDC.CONF" "5" " " "1.16" "MIT Kerberos"
 .SH NAME
 kdc.conf \- Kerberos V5 KDC configuration file
 .
@@ -88,7 +88,7 @@ _
 .TE
 .SS [kdcdefaults]
 .sp
-With one exception, relations in the [kdcdefaults] section specify
+With two exceptions, relations in the [kdcdefaults] section specify
 default values for realm variables, to be used if the [realms]
 subsection does not contain a relation for the tag.  See the
 \fI\%[realms]\fP section for the definitions of these relations.
@@ -113,6 +113,11 @@ subsection does not contain a relation for the tag.  See the
 .B \fBkdc_max_dgram_reply_size\fP
 Specifies the maximum packet size that can be sent over UDP.  The
 default value is 4096 bytes.
+.TP
+.B \fBkdc_tcp_listen_backlog\fP
+(Integer.)  Set the size of the listen queue length for the KDC
+daemon.  The value may be limited by OS settings.  The default
+value is 5.
 .UNINDENT
 .SS [realms]
 .sp
@@ -254,6 +259,11 @@ per line, with no additional whitespace.  If none is specified or
 if there is no policy assigned to the principal, no dictionary
 checks of passwords will be performed.
 .TP
+.B \fBencrypted_challenge_indicator\fP
+(String.)  Specifies the authentication indicator value that the KDC
+asserts into tickets obtained using FAST encrypted challenge
+pre\-authentication.  New in 1.16.
+.TP
 .B \fBhost_based_services\fP
 (Whitespace\- or comma\-separated list.)  Lists services which will
 get host\-based referral processing even if the server principal is
@@ -964,15 +974,27 @@ DES with HMAC/sha1 (weak)
 T}
 _
 T{
-aes256\-cts\-hmac\-sha1\-96 aes256\-cts AES\-256
+aes256\-cts\-hmac\-sha1\-96 aes256\-cts aes256\-sha1
+T}	T{
+AES\-256 CTS mode with 96\-bit SHA\-1 HMAC
+T}
+_
+T{
+aes128\-cts\-hmac\-sha1\-96 aes128\-cts aes128\-sha1
 T}	T{
-CTS mode with 96\-bit SHA\-1 HMAC
+AES\-128 CTS mode with 96\-bit SHA\-1 HMAC
 T}
 _
 T{
-aes128\-cts\-hmac\-sha1\-96 aes128\-cts AES\-128
+aes256\-cts\-hmac\-sha384\-192 aes256\-sha2
 T}	T{
-CTS mode with 96\-bit SHA\-1 HMAC
+AES\-256 CTS mode with 192\-bit SHA\-384 HMAC
+T}
+_
+T{
+aes128\-cts\-hmac\-sha256\-128 aes128\-sha2
+T}	T{
+AES\-128 CTS mode with 128\-bit SHA\-256 HMAC
 T}
 _
 T{
@@ -1014,7 +1036,7 @@ _
 T{
 aes
 T}	T{
-The AES family: aes256\-cts\-hmac\-sha1\-96 and aes128\-cts\-hmac\-sha1\-96
+The AES family: aes256\-cts\-hmac\-sha1\-96, aes128\-cts\-hmac\-sha1\-96, aes256\-cts\-hmac\-sha384\-192, and aes128\-cts\-hmac\-sha256\-128
 T}
 _
 T{
@@ -1044,8 +1066,13 @@ front.
 While \fBaes128\-cts\fP and \fBaes256\-cts\fP are supported for all Kerberos
 operations, they are not supported by very old versions of our GSSAPI
 implementation (krb5\-1.3.1 and earlier).  Services running versions of
-krb5 without AES support must not be given AES keys in the KDC
-database.
+krb5 without AES support must not be given keys of these encryption
+types in the KDC database.
+.sp
+The \fBaes128\-sha2\fP and \fBaes256\-sha2\fP encryption types are new in
+release 1.15.  Services running versions of krb5 without support for
+these newer encryption types must not be given keys of these
+encryption types in the KDC database.
 .SH KEYSALT LISTS
 .sp
 Kerberos keys for users are usually derived from passwords.  Kerberos
@@ -1169,6 +1196,6 @@ Here\(aqs an example of a kdc.conf file:
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-1985-2016, MIT
+1985-2017, MIT
 .\" Generated by docutils manpage writer.
 .
diff --git a/src/man/kdestroy.man b/src/man/kdestroy.man
index 27ebdc7..0801994 100644
--- a/src/man/kdestroy.man
+++ b/src/man/kdestroy.man
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "KDESTROY" "1" " " "1.15" "MIT Kerberos"
+.TH "KDESTROY" "1" " " "1.16" "MIT Kerberos"
 .SH NAME
 kdestroy \- destroy Kerberos tickets
 .
@@ -92,6 +92,6 @@ Default location of Kerberos 5 credentials cache
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-1985-2016, MIT
+1985-2017, MIT
 .\" Generated by docutils manpage writer.
 .
diff --git a/src/man/kinit.man b/src/man/kinit.man
index 6447a48..24a6f96 100644
--- a/src/man/kinit.man
+++ b/src/man/kinit.man
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "KINIT" "1" " " "1.15" "MIT Kerberos"
+.TH "KINIT" "1" " " "1.16" "MIT Kerberos"
 .SH NAME
 kinit \- obtain and cache Kerberos ticket-granting ticket
 .
@@ -56,7 +56,10 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .SH DESCRIPTION
 .sp
 kinit obtains and caches an initial ticket\-granting ticket for
-\fIprincipal\fP\&.
+\fIprincipal\fP\&.  If \fIprincipal\fP is absent, kinit chooses an appropriate
+principal name based on existing credential cache contents or the
+local username of the user invoking kinit.  Some options modify the
+choice of principal name.
 .SH OPTIONS
 .INDENT 0.0
 .TP
@@ -250,6 +253,6 @@ default location for the local host\(aqs keytab.
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-1985-2016, MIT
+1985-2017, MIT
 .\" Generated by docutils manpage writer.
 .
diff --git a/src/man/klist.man b/src/man/klist.man
index b6e9c8e..c73a88d 100644
--- a/src/man/klist.man
+++ b/src/man/klist.man
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "KLIST" "1" " " "1.15" "MIT Kerberos"
+.TH "KLIST" "1" " " "1.16" "MIT Kerberos"
 .SH NAME
 klist \- list cached Kerberos tickets
 .
@@ -158,6 +158,6 @@ Default location for the local host\(aqs keytab file.
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-1985-2016, MIT
+1985-2017, MIT
 .\" Generated by docutils manpage writer.
 .
diff --git a/src/man/kpasswd.man b/src/man/kpasswd.man
index e9b511a..89bdc96 100644
--- a/src/man/kpasswd.man
+++ b/src/man/kpasswd.man
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "KPASSWD" "1" " " "1.15" "MIT Kerberos"
+.TH "KPASSWD" "1" " " "1.16" "MIT Kerberos"
 .SH NAME
 kpasswd \- change a user's Kerberos password
 .
@@ -59,6 +59,6 @@ identity of the user invoking the kpasswd command.
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-1985-2016, MIT
+1985-2017, MIT
 .\" Generated by docutils manpage writer.
 .
diff --git a/src/man/kprop.man b/src/man/kprop.man
index eda862b..45ceaaf 100644
--- a/src/man/kprop.man
+++ b/src/man/kprop.man
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "KPROP" "8" " " "1.15" "MIT Kerberos"
+.TH "KPROP" "8" " " "1.16" "MIT Kerberos"
 .SH NAME
 kprop \- propagate a Kerberos V5 principal database to a slave server
 .
@@ -79,6 +79,6 @@ Specifies the location of the keytab file.
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-1985-2016, MIT
+1985-2017, MIT
 .\" Generated by docutils manpage writer.
 .
diff --git a/src/man/kpropd.man b/src/man/kpropd.man
index d6b9c0a..398a086 100644
--- a/src/man/kpropd.man
+++ b/src/man/kpropd.man
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "KPROPD" "8" " " "1.15" "MIT Kerberos"
+.TH "KPROPD" "8" " " "1.16" "MIT Kerberos"
 .SH NAME
 kpropd \- Kerberos V5 slave KDC update server
 .
@@ -156,6 +156,6 @@ will allow Kerberos database propagation via \fIkprop(8)\fP\&.
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-1985-2016, MIT
+1985-2017, MIT
 .\" Generated by docutils manpage writer.
 .
diff --git a/src/man/kproplog.man b/src/man/kproplog.man
index dc7c6fc..7bdf17d 100644
--- a/src/man/kproplog.man
+++ b/src/man/kproplog.man
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "KPROPLOG" "8" " " "1.15" "MIT Kerberos"
+.TH "KPROPLOG" "8" " " "1.16" "MIT Kerberos"
 .SH NAME
 kproplog \- display the contents of the Kerberos principal update log
 .
@@ -112,6 +112,6 @@ kproplog uses the following environment variables:
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-1985-2016, MIT
+1985-2017, MIT
 .\" Generated by docutils manpage writer.
 .
diff --git a/src/man/krb5-config.man b/src/man/krb5-config.man
index d737fd8..2899808 100644
--- a/src/man/krb5-config.man
+++ b/src/man/krb5-config.man
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "KRB5-CONFIG" "1" " " "1.15" "MIT Kerberos"
+.TH "KRB5-CONFIG" "1" " " "1.16" "MIT Kerberos"
 .SH NAME
 krb5-config \- tool for linking against MIT Kerberos libraries
 .
@@ -136,6 +136,6 @@ kerberos(1), cc(1)
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-1985-2016, MIT
+1985-2017, MIT
 .\" Generated by docutils manpage writer.
 .
diff --git a/src/man/krb5.conf.man b/src/man/krb5.conf.man
index 35a4de5..d9c1558 100644
--- a/src/man/krb5.conf.man
+++ b/src/man/krb5.conf.man
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "KRB5.CONF" "5" " " "1.15" "MIT Kerberos"
+.TH "KRB5.CONF" "5" " " "1.16" "MIT Kerberos"
 .SH NAME
 krb5.conf \- Kerberos configuration file
 .
@@ -111,8 +111,9 @@ includedir DIRNAME
 \fIFILENAME\fP or \fIDIRNAME\fP should be an absolute path. The named file or
 directory must exist and be readable.  Including a directory includes
 all files within the directory whose names consist solely of
-alphanumeric characters, dashes, or underscores, or any filename
-ending in ".conf".  Included profile files are syntactically
+alphanumeric characters, dashes, or underscores.  Starting in release
+1.15, files with names ending in ".conf" are also included, unless the
+name begins with ".".  Included profile files are syntactically
 independent of their parents, so each included file must begin with a
 section header.
 .sp
@@ -303,6 +304,13 @@ it (besides the initial ticket request, which has no encrypted
 data), and anything the fake KDC sends will not be trusted without
 verification using some secret that it won\(aqt know.
 .TP
+.B \fBdns_uri_lookup\fP
+Indicate whether DNS URI records should be used to locate the KDCs
+and other servers for a realm, if they are not listed in the
+krb5.conf information for the realm.  SRV records are used as a
+fallback if no URI records were found.  The default value is true.
+New in release 1.15.
+.TP
 .B \fBerr_fmt\fP
 This relation allows for custom error message formatting.  If a
 value is set, error messages will be formatted by substituting a
@@ -1002,6 +1010,30 @@ the account\(aqs \fI\&.k5login(5)\fP file.
 This module authorizes a principal to a local account if the
 principal name maps to the local account name.
 .UNINDENT
+.SS certauth interface
+.sp
+The certauth section (introduced in release 1.16) controls modules for
+the certificate authorization interface, which determines whether a
+certificate is allowed to preauthenticate a user via PKINIT.  The
+following built\-in modules exist for this interface:
+.INDENT 0.0
+.TP
+.B \fBpkinit_san\fP
+This module authorizes the certificate if it contains a PKINIT
+Subject Alternative Name for the requested client principal, or a
+Microsoft UPN SAN matching the principal if \fBpkinit_allow_upn\fP
+is set to true for the realm.
+.TP
+.B \fBpkinit_eku\fP
+This module rejects the certificate if it does not contain an
+Extended Key Usage attribute consistent with the
+\fBpkinit_eku_checking\fP value for the realm.
+.TP
+.B \fBdbmatch\fP
+This module authorizes or rejects the certificate according to
+whether it matches the \fBpkinit_cert_match\fP string attribute on
+the client principal, if that attribute is present.
+.UNINDENT
 .SH PKINIT OPTIONS
 .sp
 \fBNOTE:\fP
@@ -1450,6 +1482,6 @@ syslog(3)
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-1985-2016, MIT
+1985-2017, MIT
 .\" Generated by docutils manpage writer.
 .
diff --git a/src/man/krb5kdc.man b/src/man/krb5kdc.man
index 505eff0..cf3de31 100644
--- a/src/man/krb5kdc.man
+++ b/src/man/krb5kdc.man
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "KRB5KDC" "8" " " "1.15" "MIT Kerberos"
+.TH "KRB5KDC" "8" " " "1.16" "MIT Kerberos"
 .SH NAME
 krb5kdc \- Kerberos V5 KDC
 .
@@ -150,6 +150,6 @@ krb5kdc uses the following environment variables:
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-1985-2016, MIT
+1985-2017, MIT
 .\" Generated by docutils manpage writer.
 .
diff --git a/src/man/ksu.man b/src/man/ksu.man
index a048bd1..d885b8f 100644
--- a/src/man/ksu.man
+++ b/src/man/ksu.man
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "KSU" "1" " " "1.15" "MIT Kerberos"
+.TH "KSU" "1" " " "1.16" "MIT Kerberos"
 .SH NAME
 ksu \- Kerberized super-user
 .
@@ -456,6 +456,6 @@ GENNADY (ARI) MEDVINSKY
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-1985-2016, MIT
+1985-2017, MIT
 .\" Generated by docutils manpage writer.
 .
diff --git a/src/man/kswitch.man b/src/man/kswitch.man
index 30e58c5..0c38aff 100644
--- a/src/man/kswitch.man
+++ b/src/man/kswitch.man
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "KSWITCH" "1" " " "1.15" "MIT Kerberos"
+.TH "KSWITCH" "1" " " "1.16" "MIT Kerberos"
 .SH NAME
 kswitch \- switch primary ticket cache
 .
@@ -74,6 +74,6 @@ Default location of Kerberos 5 credentials cache
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-1985-2016, MIT
+1985-2017, MIT
 .\" Generated by docutils manpage writer.
 .
diff --git a/src/man/ktutil.man b/src/man/ktutil.man
index 2e9cb2c..f0bf88f 100644
--- a/src/man/ktutil.man
+++ b/src/man/ktutil.man
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "KTUTIL" "1" " " "1.15" "MIT Kerberos"
+.TH "KTUTIL" "1" " " "1.16" "MIT Kerberos"
 .SH NAME
 ktutil \- Kerberos keytab file maintenance utility
 .
@@ -168,6 +168,6 @@ ktutil:
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-1985-2016, MIT
+1985-2017, MIT
 .\" Generated by docutils manpage writer.
 .
diff --git a/src/man/kvno.man b/src/man/kvno.man
index a1c44cb..a62a733 100644
--- a/src/man/kvno.man
+++ b/src/man/kvno.man
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "KVNO" "1" " " "1.15" "MIT Kerberos"
+.TH "KVNO" "1" " " "1.16" "MIT Kerberos"
 .SH NAME
 kvno \- print key version numbers of Kerberos principals
 .
@@ -104,6 +104,6 @@ Default location of the credentials cache
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-1985-2016, MIT
+1985-2017, MIT
 .\" Generated by docutils manpage writer.
 .
diff --git a/src/man/sclient.man b/src/man/sclient.man
index a1231bc..c8228ad 100644
--- a/src/man/sclient.man
+++ b/src/man/sclient.man
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "SCLIENT" "1" " " "1.15" "MIT Kerberos"
+.TH "SCLIENT" "1" " " "1.16" "MIT Kerberos"
 .SH NAME
 sclient \- sample Kerberos version 5 client
 .
@@ -45,6 +45,6 @@ the server\(aqs response.
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-1985-2016, MIT
+1985-2017, MIT
 .\" Generated by docutils manpage writer.
 .
diff --git a/src/man/sserver.man b/src/man/sserver.man
index e428a43..f871e4e 100644
--- a/src/man/sserver.man
+++ b/src/man/sserver.man
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "SSERVER" "8" " " "1.15" "MIT Kerberos"
+.TH "SSERVER" "8" " " "1.16" "MIT Kerberos"
 .SH NAME
 sserver \- sample Kerberos version 5 server
 .
@@ -189,6 +189,6 @@ probably not installed in the proper directory.
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-1985-2016, MIT
+1985-2017, MIT
 .\" Generated by docutils manpage writer.
 .

