krb5 commit [krb5-1.12]: Update man pages
Tom Yu
tlyu at MIT.EDU
Tue Dec 10 15:27:24 EST 2013
https://github.com/krb5/krb5/commit/9a9d6146227a01d5d9d4801d5deaa522910bb80a
commit 9a9d6146227a01d5d9d4801d5deaa522910bb80a
Author: Tom Yu <tlyu at mit.edu>
Date: Tue Dec 10 12:33:07 2013 -0500
Update man pages
src/man/kadmin.man | 33 ++++++++++++++++++---------------
src/man/kdb5_util.man | 6 +++---
src/man/kdc.conf.man | 36 +++++++++++++++++++++++++++++-------
src/man/krb5.conf.man | 18 +++++++++---------
4 files changed, 59 insertions(+), 34 deletions(-)
diff --git a/src/man/kadmin.man b/src/man/kadmin.man
index 8220b5e..e123f79 100644
--- a/src/man/kadmin.man
+++ b/src/man/kadmin.man
@@ -142,9 +142,9 @@ If using kadmin.local, prompt for the database master password
instead of reading it from a stash file.
.TP
.B \fB\-e\fP "\fIenc\fP:\fIsalt\fP ..."
-Sets the list of encryption types and salt types to be used for
-any new keys created. See \fIEncryption_and_salt_types\fP in
-\fIkdc.conf(5)\fP for a list of possible values.
+Sets the keysalt list to be used for any new keys created. See
+\fIKeysalt_lists\fP in \fIkdc.conf(5)\fP for a list of possible
+values.
.TP
.B \fB\-O\fP
Force use of old AUTH_GSSAPI authentication flavor.
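Review bot: the option synopsis line `.B \fB\-e\fP "\fIenc\fP:\fIsalt\fP ..."` still shows space-separated pairs, while the subcommand entries later in this patch use `\fIenc\fP:\fIsalt\fP,...`; since the new Keysalt_lists section accepts both separators, use one notation for all of the synopsis lines (or show both) so a reader does not infer that the startup option and the subcommand option take different syntax.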
@@ -320,8 +320,9 @@ shell script may expose the password to other users on the system
via the process list.
.TP
.B \fB\-e\fP \fIenc\fP:\fIsalt\fP,...
-Uses the specified list of enctype\-salttype pairs for setting the
-key of the principal.
+Uses the specified keysalt list for setting the keys of the
+principal. See \fIKeysalt_lists\fP in \fIkdc.conf(5)\fP for a
+list of possible values.
.TP
.B \fB\-x\fP \fIdb_princ_args\fP
Indicates database\-specific options. The options for the LDAP
@@ -456,8 +457,9 @@ script may expose the password to other users on the system via
the process list.
.TP
.B \fB\-e\fP \fIenc\fP:\fIsalt\fP,...
-Uses the specified list of enctype\-salttype pairs for setting the
-key of the principal.
+Uses the specified keysalt list for setting the keys of the
+principal. See \fIKeysalt_lists\fP in \fIkdc.conf(5)\fP for a
+list of possible values.
.TP
.B \fB\-keepold\fP
Keeps the existing keys in the database. This flag is usually not
@@ -602,8 +604,8 @@ modules. The following string attributes are recognized by the KDC:
.B \fBsession_enctypes\fP
Specifies the encryption types supported for session keys when the
principal is authenticated to as a server. See
-\fIEncryption_and_salt_types\fP in \fIkdc.conf(5)\fP for a list
-of the accepted values.
+\fIEncryption_types\fP in \fIkdc.conf(5)\fP for a list of the
+accepted values.
.UNINDENT
.sp
This command requires the \fBmodify\fP privilege.
@@ -686,10 +688,10 @@ out until it is administratively unlocked with \fBmodprinc
.B \fB\-allowedkeysalts\fP
Specifies the key/salt tuples supported for long\-term keys when
setting or changing a principal\(aqs password/keys. See
-\fIEncryption_and_salt_types\fP in \fIkdc.conf(5)\fP for a list
-of the accepted values, but note that key/salt tuples must be
-separated with commas (\(aq,\(aq) only. To clear the allowed key/salt
-policy use a value of \(aq\-\(aq.
+\fIKeysalt_lists\fP in \fIkdc.conf(5)\fP for a list of the
+accepted values, but note that key/salt tuples must be separated
+with commas (\(aq,\(aq) only. To clear the allowed key/salt policy use
+a value of \(aq\-\(aq.
.UNINDENT
.sp
Example:
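Review bot: the retained caveat that key/salt tuples "must be separated with commas only" now conflicts with the Keysalt_lists section this hunk points to, which says list members may be separated by commas or spaces. If the -allowedkeysalts policy attribute really only parses commas, state that explicitly as a restriction of this attribute; otherwise drop the caveat so the two descriptions agree.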
@@ -851,8 +853,9 @@ Use \fIkeytab\fP as the keytab file. Otherwise, the default keytab is
used.
.TP
.B \fB\-e\fP \fIenc\fP:\fIsalt\fP,...
-Use the specified list of enctype\-salttype pairs for setting the
-new keys of the principal.
+Uses the specified keysalt list for setting the new keys of the
+principal. See \fIKeysalt_lists\fP in \fIkdc.conf(5)\fP for a
+list of possible values.
.TP
.B \fB\-q\fP
Display less verbose information.
diff --git a/src/man/kdb5_util.man b/src/man/kdb5_util.man
index fda46ff..b89ce8a 100644
--- a/src/man/kdb5_util.man
+++ b/src/man/kdb5_util.man
@@ -265,9 +265,9 @@ salt types to be used for the new keys.
Adds a new master key to the master key principal, but does not mark
it as active. Existing master keys will remain. The \fB\-e\fP option
specifies the encryption type of the new master key; see
-\fIEncryption_and_salt_types\fP in \fIkdc.conf(5)\fP for a list of
-possible values. The \fB\-s\fP option stashes the new master key in the
-stash file, which will be created if it doesn\(aqt already exist.
+\fIEncryption_types\fP in \fIkdc.conf(5)\fP for a list of possible
+values. The \fB\-s\fP option stashes the new master key in the stash
+file, which will be created if it doesn\(aqt already exist.
.sp
After a new master key is added, it should be propagated to slave
servers via a manual or periodic invocation of \fIkprop(8)\fP. Then,
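Review bot: the hunk header context ("salt types to be used for the new keys.") shows that a line just above this hunk still talks about salt types for add_mkey, even though the -e option here selects only the encryption type of the new master key and now links to Encryption_types rather than Keysalt_lists; check that earlier paragraph for the same stale wording or reference and update it in the same change.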
diff --git a/src/man/kdc.conf.man b/src/man/kdc.conf.man
index d37781c..87ec7f4 100644
--- a/src/man/kdc.conf.man
+++ b/src/man/kdc.conf.man
@@ -321,7 +321,7 @@ master key. The default is \fBK/M\fP.
.B \fBmaster_key_type\fP
(Key type string.) Specifies the master key\(aqs key type. The
default value for this is \fBaes256\-cts\-hmac\-sha1\-96\fP. For a list of all possible
-values, see \fI\%Encryption and salt types\fP.
+values, see \fI\%Encryption types\fP.
.TP
.B \fBmax_life\fP
(\fIduration\fP string.) Specifies the maximum time period for
@@ -381,7 +381,7 @@ default value is false. New in release 1.9.
combinations of principals for this realm. Any principals created
through \fIkadmin(1)\fP will have keys of these types. The
default value for this tag is \fBaes256\-cts\-hmac\-sha1\-96:normal aes128\-cts\-hmac\-sha1\-96:normal des3\-cbc\-sha1:normal arcfour\-hmac\-md5:normal\fP. For lists of
-possible values, see \fI\%Encryption and salt types\fP.
+possible values, see \fI\%Keysalt lists\fP.
.UNINDENT
.SS [dbdefaults]
.sp
@@ -767,7 +767,7 @@ fails.
\fBpkinit_require_crl_checking\fP should be set to true if the
policy is such that up\-to\-date CRLs must be present for every CA.
.UNINDENT
-.SH ENCRYPTION AND SALT TYPES
+.SH ENCRYPTION TYPES
.sp
Any tag in the configuration files which requires a list of encryption
types can be set to some combination of the following strings.
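Review bot: renaming the heading from ENCRYPTION AND SALT TYPES to ENCRYPTION TYPES changes the anchor that the other pages reference as \fIEncryption_and_salt_types\fP; this patch updates the references in these four man pages, but since src/man/*.man are generated output, confirm that the source documents and any other pages linking to the old heading were updated alongside it so no cross-reference is left pointing at a heading that no longer exists.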
@@ -902,11 +902,33 @@ operations, they are not supported by very old versions of our GSSAPI
implementation (krb5\-1.3.1 and earlier). Services running versions of
krb5 without AES support must not be given AES keys in the KDC
database.
+.SH KEYSALT LISTS
.sp
-Kerberos keys for users are usually derived from passwords. To ensure
-that people who happen to pick the same password do not have the same
-key, Kerberos 5 incorporates more information into the key using
-something called a salt. The supported salt types are as follows:
+Kerberos keys for users are usually derived from passwords. Kerberos
+commands and configuration parameters that affect generation of keys
+take lists of enctype\-salttype ("keysalt") pairs, known as \fIkeysalt
+lists\fP. Each keysalt pair is an enctype name followed by a salttype
+name, in the format \fIenc\fP:\fIsalt\fP. Individual keysalt list members are
+separated by comma (",") characters or space characters. For example:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+kadmin \-e aes256\-cts:normal,aes128\-cts:normal
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+would start up kadmin so that by default it would generate
+password\-derived keys for the \fBaes256\-cts\fP and \fBaes128\-cts\fP
+encryption types, using a \fBnormal\fP salt.
+.sp
+To ensure that people who happen to pick the same password do not have
+the same key, Kerberos 5 incorporates more information into the key
+using something called a salt. The supported salt types are as
+follows:
.TS
center;
|l|l|.
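Review bot: the example `kadmin \-e aes256\-cts:normal,aes128\-cts:normal` uses the `normal` salt type before the paragraph that explains what a salt is; consider moving the "To ensure that people who happen to pick the same password..." paragraph ahead of the example, or adding a short pointer after "using a \fBnormal\fP salt" to the salt-type table that follows. The example also spells the enctypes as aes256-cts and aes128-cts while the supported_enctypes default earlier in this file uses aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96; if both spellings are accepted, one sentence saying the short names are aliases would avoid the appearance of two different enctype lists.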
diff --git a/src/man/krb5.conf.man b/src/man/krb5.conf.man
index 879918e..b197b23 100644
--- a/src/man/krb5.conf.man
+++ b/src/man/krb5.conf.man
@@ -178,14 +178,14 @@ The libdefaults section may contain any of the following relations:
.INDENT 0.0
.TP
.B \fBallow_weak_crypto\fP
-If this flag is set to false, then weak encryption types (as noted in
-\fIEncryption_and_salt_types\fP in \fIkdc.conf(5)\fP) will be filtered
-out of the lists \fBdefault_tgs_enctypes\fP, \fBdefault_tkt_enctypes\fP, and
-\fBpermitted_enctypes\fP. The default value for this tag is false, which
-may cause authentication failures in existing Kerberos infrastructures
-that do not support strong crypto. Users in affected environments
-should set this tag to true until their infrastructure adopts
-stronger ciphers.
+If this flag is set to false, then weak encryption types (as noted
+in \fIEncryption_types\fP in \fIkdc.conf(5)\fP) will be filtered
+out of the lists \fBdefault_tgs_enctypes\fP,
+\fBdefault_tkt_enctypes\fP, and \fBpermitted_enctypes\fP. The default
+value for this tag is false, which may cause authentication
+failures in existing Kerberos infrastructures that do not support
+strong crypto. Users in affected environments should set this tag
+to true until their infrastructure adopts stronger ciphers.
.TP
.B \fBap_req_checksum_type\fP
An integer which specifies the type of AP\-REQ checksum to use in
@@ -239,7 +239,7 @@ invoking programs such as \fIkinit(1)\fP.
Identifies the supported list of session key encryption types that
the client should request when making a TGS\-REQ, in order of
preference from highest to lowest. The list may be delimited with
-commas or whitespace. See \fIEncryption_and_salt_types\fP in
+commas or whitespace. See \fIEncryption_types\fP in
\fIkdc.conf(5)\fP for a list of the accepted values for this tag.
The default value is \fBaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 des3\-cbc\-sha1 arcfour\-hmac\-md5 camellia256\-cts\-cmac camellia128\-cts\-cmac des\-cbc\-crc des\-cbc\-md5 des\-cbc\-md4\fP, but single\-DES encryption types
will be implicitly removed from this list if the value of