krb5 commit: Update man pages

Tom Yu tlyu at MIT.EDU
Tue Dec 10 22:30:17 EST 2013


https://github.com/krb5/krb5/commit/c6e6fd8f8e6133de0284af56f7051c9eb3e90f36
commit c6e6fd8f8e6133de0284af56f7051c9eb3e90f36
Author: Tom Yu <tlyu at mit.edu>
Date:   Tue Dec 10 22:26:17 2013 -0500

    Update man pages

 src/man/k5identity.man     |    2 +-
 src/man/k5login.man        |    2 +-
 src/man/k5srvutil.man      |    2 +-
 src/man/kadm5.acl.man      |    9 +-
 src/man/kadmin.man         |   64 ++++++++++-----
 src/man/kadmind.man        |    2 +-
 src/man/kdb5_ldap_util.man |    2 +-
 src/man/kdb5_util.man      |   14 ++--
 src/man/kdc.conf.man       |  199 +++++++++++++++++++++++++++++++++++---------
 src/man/kdestroy.man       |    2 +-
 src/man/kinit.man          |    2 +-
 src/man/klist.man          |    2 +-
 src/man/kpasswd.man        |    2 +-
 src/man/kprop.man          |    2 +-
 src/man/kpropd.man         |   29 +++----
 src/man/kproplog.man       |    2 +-
 src/man/krb5-config.man    |    2 +-
 src/man/krb5.conf.man      |  108 +++++++++++++++++-------
 src/man/krb5kdc.man        |    2 +-
 src/man/ksu.man            |    2 +-
 src/man/kswitch.man        |    2 +-
 src/man/ktutil.man         |    2 +-
 src/man/kvno.man           |    2 +-
 src/man/sclient.man        |    2 +-
 src/man/sserver.man        |    2 +-
 25 files changed, 323 insertions(+), 138 deletions(-)

diff --git a/src/man/k5identity.man b/src/man/k5identity.man
index 495b0b6..06ad79f 100644
--- a/src/man/k5identity.man
+++ b/src/man/k5identity.man
@@ -1,4 +1,4 @@
-.TH "K5IDENTITY" "5" " " "1.12" "MIT Kerberos"
+.TH "K5IDENTITY" "5" " " "1.13" "MIT Kerberos"
 .SH NAME
 k5identity \- Kerberos V5 client principal selection rules
 .
diff --git a/src/man/k5login.man b/src/man/k5login.man
index 05447d0..c2f304d 100644
--- a/src/man/k5login.man
+++ b/src/man/k5login.man
@@ -1,4 +1,4 @@
-.TH "K5LOGIN" "5" " " "1.12" "MIT Kerberos"
+.TH "K5LOGIN" "5" " " "1.13" "MIT Kerberos"
 .SH NAME
 k5login \- Kerberos V5 acl file for host access
 .
diff --git a/src/man/k5srvutil.man b/src/man/k5srvutil.man
index 040926b..98ed9a8 100644
--- a/src/man/k5srvutil.man
+++ b/src/man/k5srvutil.man
@@ -1,4 +1,4 @@
-.TH "K5SRVUTIL" "1" " " "1.12" "MIT Kerberos"
+.TH "K5SRVUTIL" "1" " " "1.13" "MIT Kerberos"
 .SH NAME
 k5srvutil \- host key table (keytab) manipulation utility
 .
diff --git a/src/man/kadm5.acl.man b/src/man/kadm5.acl.man
index 179729d..dbdb10d 100644
--- a/src/man/kadm5.acl.man
+++ b/src/man/kadm5.acl.man
@@ -1,4 +1,4 @@
-.TH "KADM5.ACL" "5" " " "1.12" "MIT Kerberos"
+.TH "KADM5.ACL" "5" " " "1.13" "MIT Kerberos"
 .SH NAME
 kadm5.acl \- Kerberos ACL file
 .
@@ -147,7 +147,8 @@ Each component of the name may be wildcarded using the \fB*\fP
 character.
 .sp
 \fItarget_principal\fP can also include back\-references to \fIprincipal\fP,
-in which \fB*number\fP matches the component number in \fIprincipal\fP.
+in which \fB*number\fP matches the corresponding wildcard in
+\fIprincipal\fP.
 .TP
 .B \fIrestrictions\fP
 (Optional) A string of flags. Allowed restrictions are:
@@ -212,8 +213,8 @@ instance \fBroot\fP (matches line 3).
 .sp
 (line 4) Any \fBroot\fP principal in \fBATHENA.MIT.EDU\fP can inquire, list,
 or change the password of their null instance, but not any other
-null instance.  (Here, "*1" denotes a back\-reference to the first
-component of the actor principal.)
+null instance.  (Here, \fB*1\fP denotes a back\-reference to the
+component matching the first wildcard in the actor principal.)
 .sp
 (line 5) Any principal in the realm \fBATHENA.MIT.EDU\fP (except for
 \fBjoeadmin at ATHENA.MIT.EDU\fP, as mentioned above) has inquire
diff --git a/src/man/kadmin.man b/src/man/kadmin.man
index f9009d7..c896cdf 100644
--- a/src/man/kadmin.man
+++ b/src/man/kadmin.man
@@ -1,4 +1,4 @@
-.TH "KADMIN" "1" " " "1.12" "MIT Kerberos"
+.TH "KADMIN" "1" " " "1.13" "MIT Kerberos"
 .SH NAME
 kadmin \- Kerberos V5 database administration program
 .
@@ -142,9 +142,9 @@ If using kadmin.local, prompt for the database master password
 instead of reading it from a stash file.
 .TP
 .B \fB\-e\fP "\fIenc\fP:\fIsalt\fP ..."
-Sets the list of encryption types and salt types to be used for
-any new keys created.  See \fIEncryption_and_salt_types\fP in
-\fIkdc.conf(5)\fP for a list of possible values.
+Sets the keysalt list to be used for any new keys created.  See
+\fIKeysalt_lists\fP in \fIkdc.conf(5)\fP for a list of possible
+values.
 .TP
 .B \fB\-O\fP
 Force use of old AUTH_GSSAPI authentication flavor.
@@ -255,12 +255,18 @@ key for another user.  \fB+allow_dup_skey\fP clears this flag.
 .B {\-|+}\fBrequires_preauth\fP
 \fB+requires_preauth\fP requires this principal to preauthenticate
 before being allowed to kinit.  \fB\-requires_preauth\fP clears this
-flag.
+flag.  When \fB+requires_preauth\fP is set on a service principal,
+the KDC will only issue service tickets for that service principal
+if the client\(aqs initial authentication was performed using
+preauthentication.
 .TP
 .B {\-|+}\fBrequires_hwauth\fP
 \fB+requires_hwauth\fP requires this principal to preauthenticate
 using a hardware device before being allowed to kinit.
-\fB\-requires_hwauth\fP clears this flag.
+\fB\-requires_hwauth\fP clears this flag.  When \fB+requires_hwauth\fP is
+set on a service principal, the KDC will only issue service tickets
+for that service principal if the client\(aqs initial authentication was
+performed using a hardware device to preauthenticate.
 .TP
 .B {\-|+}\fBok_as_delegate\fP
 \fB+ok_as_delegate\fP sets the \fBokay as delegate\fP flag on tickets
@@ -291,9 +297,22 @@ flag.
 \fB+password_changing_service\fP marks this principal as a password
 change service principal.
 .TP
+.B {\-|+}\fBok_to_auth_as_delegate\fP
+\fB+ok_to_auth_as_delegate\fP allows this principal to acquire
+forwardable tickets to itself from arbitrary users, for use with
+constrained delegation.
+.TP
+.B {\-|+}\fBno_auth_data_required\fP
+\fB+no_auth_data_required\fP prevents PAC or AD\-SIGNEDPATH data from
+being added to service tickets for the principal.
+.TP
 .B \fB\-randkey\fP
 Sets the key of the principal to a random value.
 .TP
+.B \fB\-nokey\fP
+Causes the principal to be created with no key.  New in release
+1.12.
+.TP
 .B \fB\-pw\fP \fIpassword\fP
 Sets the password of the principal to the specified string and
 does not prompt for a password.  Note: using this option in a
@@ -301,8 +320,9 @@ shell script may expose the password to other users on the system
 via the process list.
 .TP
 .B \fB\-e\fP \fIenc\fP:\fIsalt\fP,...
-Uses the specified list of enctype\-salttype pairs for setting the
-key of the principal.
+Uses the specified keysalt list for setting the keys of the
+principal.  See \fIKeysalt_lists\fP in \fIkdc.conf(5)\fP for a
+list of possible values.
 .TP
 .B \fB\-x\fP \fIdb_princ_args\fP
 Indicates database\-specific options.  The options for the LDAP
@@ -437,8 +457,9 @@ script may expose the password to other users on the system via
 the process list.
 .TP
 .B \fB\-e\fP \fIenc\fP:\fIsalt\fP,...
-Uses the specified list of enctype\-salttype pairs for setting the
-key of the principal.
+Uses the specified keysalt list for setting the keys of the
+principal.  See \fIKeysalt_lists\fP in \fIkdc.conf(5)\fP for a
+list of possible values.
 .TP
 .B \fB\-keepold\fP
 Keeps the existing keys in the database.  This flag is usually not
@@ -463,13 +484,15 @@ kadmin:
 .SS purgekeys
 .INDENT 0.0
 .INDENT 3.5
-\fBpurgekeys\fP [\fB\-keepkvno\fP \fIoldest_kvno_to_keep\fP] \fIprincipal\fP
+\fBpurgekeys\fP [\fB\-all\fP|\fB\-keepkvno\fP \fIoldest_kvno_to_keep\fP] \fIprincipal\fP
 .UNINDENT
 .UNINDENT
 .sp
 Purges previously retained old keys (e.g., from \fBchange_password
 \-keepold\fP) from \fIprincipal\fP.  If \fB\-keepkvno\fP is specified, then
-only purges keys with kvnos lower than \fIoldest_kvno_to_keep\fP.
+only purges keys with kvnos lower than \fIoldest_kvno_to_keep\fP.  If
+\fB\-all\fP is specified, then all keys are purged.  The \fB\-all\fP option
+is new in release 1.12.
 .sp
 This command requires the \fBmodify\fP privilege.
 .SS get_principal
@@ -581,8 +604,8 @@ modules.  The following string attributes are recognized by the KDC:
 .B \fBsession_enctypes\fP
 Specifies the encryption types supported for session keys when the
 principal is authenticated to as a server.  See
-\fIEncryption_and_salt_types\fP in \fIkdc.conf(5)\fP for a list
-of the accepted values.
+\fIEncryption_types\fP in \fIkdc.conf(5)\fP for a list of the
+accepted values.
 .UNINDENT
 .sp
 This command requires the \fBmodify\fP privilege.
@@ -665,10 +688,10 @@ out until it is administratively unlocked with \fBmodprinc
 .B \fB\-allowedkeysalts\fP
 Specifies the key/salt tuples supported for long\-term keys when
 setting or changing a principal\(aqs password/keys.  See
-\fIEncryption_and_salt_types\fP in \fIkdc.conf(5)\fP for a list
-of the accepted values, but note that key/salt tuples must be
-separated with commas (\(aq,\(aq) only.  To clear the allowed key/salt
-policy use a value of \(aq\-\(aq.
+\fIKeysalt_lists\fP in \fIkdc.conf(5)\fP for a list of the
+accepted values, but note that key/salt tuples must be separated
+with commas (\(aq,\(aq) only.  To clear the allowed key/salt policy use
+a value of \(aq\-\(aq.
 .UNINDENT
 .sp
 Example:
@@ -830,8 +853,9 @@ Use \fIkeytab\fP as the keytab file.  Otherwise, the default keytab is
 used.
 .TP
 .B \fB\-e\fP \fIenc\fP:\fIsalt\fP,...
-Use the specified list of enctype\-salttype pairs for setting the
-new keys of the principal.
+Uses the specified keysalt list for setting the new keys of the
+principal.  See \fIKeysalt_lists\fP in \fIkdc.conf(5)\fP for a
+list of possible values.
 .TP
 .B \fB\-q\fP
 Display less verbose information.
diff --git a/src/man/kadmind.man b/src/man/kadmind.man
index 4f76509..d3be287 100644
--- a/src/man/kadmind.man
+++ b/src/man/kadmind.man
@@ -1,4 +1,4 @@
-.TH "KADMIND" "8" " " "1.12" "MIT Kerberos"
+.TH "KADMIND" "8" " " "1.13" "MIT Kerberos"
 .SH NAME
 kadmind \- KADM5 administration server
 .
diff --git a/src/man/kdb5_ldap_util.man b/src/man/kdb5_ldap_util.man
index 01f4f4c..17ecea9 100644
--- a/src/man/kdb5_ldap_util.man
+++ b/src/man/kdb5_ldap_util.man
@@ -1,4 +1,4 @@
-.TH "KDB5_LDAP_UTIL" "8" " " "1.12" "MIT Kerberos"
+.TH "KDB5_LDAP_UTIL" "8" " " "1.13" "MIT Kerberos"
 .SH NAME
 kdb5_ldap_util \- Kerberos configuration utility
 .
diff --git a/src/man/kdb5_util.man b/src/man/kdb5_util.man
index 76266c7..a90976d 100644
--- a/src/man/kdb5_util.man
+++ b/src/man/kdb5_util.man
@@ -1,4 +1,4 @@
-.TH "KDB5_UTIL" "8" " " "1.12" "MIT Kerberos"
+.TH "KDB5_UTIL" "8" " " "1.13" "MIT Kerberos"
 .SH NAME
 kdb5_util \- Kerberos database maintenance utility
 .
@@ -138,7 +138,7 @@ argument can be used to override the \fIkeyfile\fP specified in
 .sp
 Dumps the current Kerberos and KADM5 database into an ASCII file.  By
 default, the database is dumped in current format, "kdb5_util
-load_dump version 6".  If filename is not specified, or is the string
+load_dump version 7".  If filename is not specified, or is the string
 "\-", the dump is sent to standard output.  Options:
 .INDENT 0.0
 .TP
@@ -265,9 +265,9 @@ salt types to be used for the new keys.
 Adds a new master key to the master key principal, but does not mark
 it as active.  Existing master keys will remain.  The \fB\-e\fP option
 specifies the encryption type of the new master key; see
-\fIEncryption_and_salt_types\fP in \fIkdc.conf(5)\fP for a list of
-possible values.  The \fB\-s\fP option stashes the new master key in the
-stash file, which will be created if it doesn\(aqt already exist.
+\fIEncryption_types\fP in \fIkdc.conf(5)\fP for a list of possible
+values.  The \fB\-s\fP option stashes the new master key in the stash
+file, which will be created if it doesn\(aqt already exist.
 .sp
 After a new master key is added, it should be propagated to slave
 servers via a manual or periodic invocation of \fIkprop(8)\fP.  Then,
@@ -333,8 +333,8 @@ gives more verbose output.
 .sp
 Update all principal records (or only those matching the
 \fIprinc\-pattern\fP glob pattern) to re\-encrypt the key data using the
-active database master key, if they are encrypted using older
-versions, and give a count at the end of the number of principals
+active database master key, if they are encrypted using a different
+version, and give a count at the end of the number of principals
 updated.  If the \fB\-f\fP option is not given, ask for confirmation
 before starting to make changes.  The \fB\-v\fP option causes each
 principal processed to be listed, with an indication as to whether it
diff --git a/src/man/kdc.conf.man b/src/man/kdc.conf.man
index af5e229..5d32bf4 100644
--- a/src/man/kdc.conf.man
+++ b/src/man/kdc.conf.man
@@ -1,4 +1,4 @@
-.TH "KDC.CONF" "5" " " "1.12" "MIT Kerberos"
+.TH "KDC.CONF" "5" " " "1.13" "MIT Kerberos"
 .SH NAME
 kdc.conf \- Kerberos V5 KDC configuration file
 .
@@ -34,7 +34,9 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 The kdc.conf file supplements \fIkrb5.conf(5)\fP for programs which
 are typically only used on a KDC, such as the \fIkrb5kdc(8)\fP and
 \fIkadmind(8)\fP daemons and the \fIkdb5_util(8)\fP program.
-Relations documented here may also be specified in krb5.conf.
+Relations documented here may also be specified in krb5.conf; for the
+KDC programs mentioned, krb5.conf and kdc.conf will be merged into a
+single configuration profile.
 .sp
 Normally, the kdc.conf file is found in the KDC state directory,
 \fB at LOCALSTATEDIR@\fP\fB/krb5kdc\fP.  You can override the default location by setting the
@@ -110,11 +112,21 @@ default value is 4096 bytes.
 .UNINDENT
 .SS [realms]
 .sp
-Each tag in the [realms] section is the name of a Kerberos realm.
-The value of the tag is a subsection where the relations define KDC
-parameters for that particular realm.
+Each tag in the [realms] section is the name of a Kerberos realm.  The
+value of the tag is a subsection where the relations define KDC
+parameters for that particular realm.  The following example shows how
+to define one parameter for the ATHENA.MIT.EDU realm:
 .sp
-For each realm, the following tags may be specified:
+.nf
+.ft C
+[realms]
+    ATHENA.MIT.EDU = {
+        max_renewable_life = 7d 0h 0m 0s
+    }
+.ft P
+.fi
+.sp
+The following tags may be specified in a [realms] subsection:
 .INDENT 0.0
 .TP
 .B \fBacl_file\fP
@@ -125,17 +137,17 @@ which permissions on the Kerberos database.  The default value is
 file see \fIkadm5.acl(5)\fP.
 .TP
 .B \fBdatabase_module\fP
-This relation indicates the name of the configuration section
-under \fI\%[dbmodules]\fP for database specific parameters used by
-the loadable database library.
+(String.)  This relation indicates the name of the configuration
+section under \fI\%[dbmodules]\fP for database\-specific parameters
+used by the loadable database library.  The default value is the
+realm name.  If this configuration section does not exist, default
+values will be used for all database parameters.
 .TP
 .B \fBdatabase_name\fP
-(String.)  This string specifies the location of the Kerberos
-database for this realm, if the DB2 back\-end is being used.  If a
-\fBdatabase_module\fP is specified for the realm and the
-corresponding module contains a \fBdatabase_name\fP parameter, that
-value will take precedence over this one.  The default value is
-\fB at LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/principal\fP.
+(String, deprecated.)  This relation specifies the location of the
+Kerberos database for this realm, if the DB2 module is being used
+and the \fI\%[dbmodules]\fP configuration section does not specify a
+database name.  The default value is \fB at LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/principal\fP.
 .TP
 .B \fBdefault_principal_expiration\fP
 (\fIabstime\fP string.)  Specifies the default expiration date of
@@ -174,8 +186,8 @@ preauthenticate using a hardware device before receiving any
 tickets.
 .TP
 .B \fBno\-auth\-data\-required\fP
-Enabling this flag prevents PAC data from being added to
-service tickets for the principal.
+Enabling this flag prevents PAC or AD\-SIGNEDPATH data from
+being added to service tickets for the principal.
 .TP
 .B \fBok\-as\-delegate\fP
 If this flag is enabled, it hints the client that credentials
@@ -229,9 +241,10 @@ authentication process that was used to obtain the TGT.
 .TP
 .B \fBdict_file\fP
 (String.)  Location of the dictionary file containing strings that
-are not allowed as passwords.  If none is specified or if there is
-no policy assigned to the principal, no dictionary checks of
-passwords will be performed.
+are not allowed as passwords.  The file should contain one string
+per line, with no additional whitespace.  If none is specified or
+if there is no policy assigned to the principal, no dictionary
+checks of passwords will be performed.
 .TP
 .B \fBhost_based_services\fP
 (Whitespace\- or comma\-separated list.)  Lists services which will
@@ -308,7 +321,7 @@ master key.  The default is \fBK/M\fP.
 .B \fBmaster_key_type\fP
 (Key type string.)  Specifies the master key\(aqs key type.  The
 default value for this is \fBaes256\-cts\-hmac\-sha1\-96\fP.  For a list of all possible
-values, see \fI\%Encryption and salt types\fP.
+values, see \fI\%Encryption types\fP.
 .TP
 .B \fBmax_life\fP
 (\fIduration\fP string.)  Specifies the maximum time period for
@@ -368,7 +381,7 @@ default value is false.  New in release 1.9.
 combinations of principals for this realm.  Any principals created
 through \fIkadmin(1)\fP will have keys of these types.  The
 default value for this tag is \fBaes256\-cts\-hmac\-sha1\-96:normal aes128\-cts\-hmac\-sha1\-96:normal des3\-cbc\-sha1:normal arcfour\-hmac\-md5:normal\fP.  For lists of
-possible values, see \fI\%Encryption and salt types\fP.
+possible values, see \fI\%Keysalt lists\fP.
 .UNINDENT
 .SS [dbdefaults]
 .sp
@@ -393,20 +406,21 @@ definitions of these relations.
 .SS [dbmodules]
 .sp
 The [dbmodules] section contains parameters used by the KDC database
-library and database modules.
+library and database modules.  Each tag in the [dbmodules] section is
+the name of a Kerberos realm or a section name specified by a realm\(aqs
+\fBdatabase_module\fP parameter.  The following example shows how to
+define one database parameter for the ATHENA.MIT.EDU realm:
 .sp
-The following tag may be specified in the [dbmodules] section:
-.INDENT 0.0
-.TP
-.B \fBdb_module_dir\fP
-This tag controls where the plugin system looks for modules.  The
-value should be an absolute path.
-.UNINDENT
+.nf
+.ft C
+[dbmodules]
+    ATHENA.MIT.EDU = {
+        disable_last_success = true
+    }
+.ft P
+.fi
 .sp
-Other tags in the [dbmodules] section name a configuration subsection
-for parameters which can be referred to by a realm\(aqs
-\fBdatabase_module\fP parameter.  The following tags may be specified in
-the subsection:
+The following tags may be specified in a [dbmodules] subsection:
 .INDENT 0.0
 .TP
 .B \fBdatabase_name\fP
@@ -467,6 +481,15 @@ passwords (created by \fBkdb5_ldap_util stashsrvpw\fP) for the
 \fBldap_kadmind_dn\fP and \fBldap_kdc_dn\fP objects.  This file must
 be kept secure.
 .UNINDENT
+.sp
+The following tag may be specified directly in the [dbmodules]
+section to control where database modules are loaded from:
+.INDENT 0.0
+.TP
+.B \fBdb_module_dir\fP
+This tag controls where the plugin system looks for database
+modules.  The value should be an absolute path.
+.UNINDENT
 .SS [logging]
 .sp
 The [logging] section indicates how \fIkrb5kdc(8)\fP and
@@ -543,6 +566,82 @@ administrative server will be appended to the file
 .fi
 .UNINDENT
 .UNINDENT
+.SS [otp]
+.sp
+Each subsection of [otp] is the name of an OTP token type.  The tags
+within the subsection define the configuration required to forward a
+One Time Password request to a RADIUS server.
+.sp
+For each token type, the following tags may be specified:
+.INDENT 0.0
+.TP
+.B \fBserver\fP
+This is the server to send the RADIUS request to.  It can be a
+hostname with optional port, an ip address with optional port, or
+a Unix domain socket address.  The default is
+\fB at LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/<name>.socket\fP.
+.TP
+.B \fBsecret\fP
+This tag indicates a filename (which may be relative to \fB at LOCALSTATEDIR@\fP\fB/krb5kdc\fP)
+containing the secret used to encrypt the RADIUS packets.  The
+secret should appear in the first line of the file by itself;
+leading and trailing whitespace on the line will be removed.  If
+the value of \fBserver\fP is a Unix domain socket address, this tag
+is optional, and an empty secret will be used if it is not
+specified.  Otherwise, this tag is required.
+.TP
+.B \fBtimeout\fP
+An integer which specifies the time in seconds during which the
+KDC should attempt to contact the RADIUS server.  This tag is the
+total time across all retries and should be less than the time
+which an OTP value remains valid for.  The default is 5 seconds.
+.TP
+.B \fBretries\fP
+This tag specifies the number of retries to make to the RADIUS
+server.  The default is 3 retries (4 tries).
+.TP
+.B \fBstrip_realm\fP
+If this tag is \fBtrue\fP, the principal without the realm will be
+passed to the RADIUS server.  Otherwise, the realm will be
+included.  The default value is \fBtrue\fP.
+.UNINDENT
+.sp
+In the following example, requests are sent to a remote server via UDP.
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+[otp]
+    MyRemoteTokenType = {
+        server = radius.mydomain.com:1812
+        secret = SEmfiajf42$
+        timeout = 15
+        retries = 5
+        strip_realm = true
+    }
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+An implicit default token type named \fBDEFAULT\fP is defined for when
+the per\-principal configuration does not specify a token type.  Its
+configuration is shown below.  You may override this token type to
+something applicable for your situation.
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+[otp]
+    DEFAULT = {
+        strip_realm = false
+    }
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
 .SH PKINIT OPTIONS
 .IP Note
 The following are pkinit\-specific options.  These values may
@@ -668,7 +767,7 @@ fails.
 \fBpkinit_require_crl_checking\fP should be set to true if the
 policy is such that up\-to\-date CRLs must be present for every CA.
 .UNINDENT
-.SH ENCRYPTION AND SALT TYPES
+.SH ENCRYPTION TYPES
 .sp
 Any tag in the configuration files which requires a list of encryption
 types can be set to some combination of the following strings.
@@ -803,11 +902,33 @@ operations, they are not supported by very old versions of our GSSAPI
 implementation (krb5\-1.3.1 and earlier).  Services running versions of
 krb5 without AES support must not be given AES keys in the KDC
 database.
+.SH KEYSALT LISTS
+.sp
+Kerberos keys for users are usually derived from passwords.  Kerberos
+commands and configuration parameters that affect generation of keys
+take lists of enctype\-salttype ("keysalt") pairs, known as \fIkeysalt
+lists\fP.  Each keysalt pair is an enctype name followed by a salttype
+name, in the format \fIenc\fP:\fIsalt\fP.  Individual keysalt list members are
+separated by comma (",") characters or space characters.  For example:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+kadmin \-e aes256\-cts:normal,aes128\-cts:normal
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+would start up kadmin so that by default it would generate
+password\-derived keys for the \fBaes256\-cts\fP and \fBaes128\-cts\fP
+encryption types, using a \fBnormal\fP salt.
 .sp
-Kerberos keys for users are usually derived from passwords.  To ensure
-that people who happen to pick the same password do not have the same
-key, Kerberos 5 incorporates more information into the key using
-something called a salt.  The supported salt types are as follows:
+To ensure that people who happen to pick the same password do not have
+the same key, Kerberos 5 incorporates more information into the key
+using something called a salt.  The supported salt types are as
+follows:
 .TS
 center;
 |l|l|.
diff --git a/src/man/kdestroy.man b/src/man/kdestroy.man
index 8e0aeba..70eb801 100644
--- a/src/man/kdestroy.man
+++ b/src/man/kdestroy.man
@@ -1,4 +1,4 @@
-.TH "KDESTROY" "1" " " "1.12" "MIT Kerberos"
+.TH "KDESTROY" "1" " " "1.13" "MIT Kerberos"
 .SH NAME
 kdestroy \- destroy Kerberos tickets
 .
diff --git a/src/man/kinit.man b/src/man/kinit.man
index 8978bdc..46802f4 100644
--- a/src/man/kinit.man
+++ b/src/man/kinit.man
@@ -1,4 +1,4 @@
-.TH "KINIT" "1" " " "1.12" "MIT Kerberos"
+.TH "KINIT" "1" " " "1.13" "MIT Kerberos"
 .SH NAME
 kinit \- obtain and cache Kerberos ticket-granting ticket
 .
diff --git a/src/man/klist.man b/src/man/klist.man
index b005473..220f0ef 100644
--- a/src/man/klist.man
+++ b/src/man/klist.man
@@ -1,4 +1,4 @@
-.TH "KLIST" "1" " " "1.12" "MIT Kerberos"
+.TH "KLIST" "1" " " "1.13" "MIT Kerberos"
 .SH NAME
 klist \- list cached Kerberos tickets
 .
diff --git a/src/man/kpasswd.man b/src/man/kpasswd.man
index 59bfc97..75d78fb 100644
--- a/src/man/kpasswd.man
+++ b/src/man/kpasswd.man
@@ -1,4 +1,4 @@
-.TH "KPASSWD" "1" " " "1.12" "MIT Kerberos"
+.TH "KPASSWD" "1" " " "1.13" "MIT Kerberos"
 .SH NAME
 kpasswd \- change a user's Kerberos password
 .
diff --git a/src/man/kprop.man b/src/man/kprop.man
index d45b445..169d0ce 100644
--- a/src/man/kprop.man
+++ b/src/man/kprop.man
@@ -1,4 +1,4 @@
-.TH "KPROP" "8" " " "1.12" "MIT Kerberos"
+.TH "KPROP" "8" " " "1.13" "MIT Kerberos"
 .SH NAME
 kprop \- propagate a Kerberos V5 principal database to a slave server
 .
diff --git a/src/man/kpropd.man b/src/man/kpropd.man
index 3115789..7bd2d62 100644
--- a/src/man/kpropd.man
+++ b/src/man/kpropd.man
@@ -1,4 +1,4 @@
-.TH "KPROPD" "8" " " "1.12" "MIT Kerberos"
+.TH "KPROPD" "8" " " "1.13" "MIT Kerberos"
 .SH NAME
 kpropd \- Kerberos V5 slave KDC update server
 .
@@ -69,9 +69,14 @@ kprop  stream  tcp  nowait  root  /usr/local/sbin/kpropd  kpropd
 .UNINDENT
 .UNINDENT
 .sp
-kpropd can also run as a standalone daemon.  This is required for
-incremental propagation.  But this is also useful for debugging
-purposes.
+kpropd can also run as a standalone daemon, backgrounding itself and
+waiting for connections on port 754 (or the port specified with the
+\fB\-P\fP option if given).  Standalone mode is required for incremental
+propagation.  Starting in release 1.11, kpropd automatically detects
+whether it was run from inetd and runs in standalone mode if it is
+not.  Prior to release 1.11, the \fB\-S\fP option is required to run
+kpropd in standalone mode; this option is now accepted for backward
+compatibility but does nothing.
 .sp
 Incremental propagation may be enabled with the \fBiprop_enable\fP
 variable in \fIkdc.conf(5)\fP.  If incremental propagation is
@@ -101,19 +106,11 @@ to be stored; by default the dumped database file is \fB at LOCALSTATEDIR@\fP\fB/kr
 Allows the user to specify the pathname to the \fIkdb5_util(8)\fP
 program; by default the pathname used is \fB at SBINDIR@\fP\fB/kdb5_util\fP.
 .TP
-.B \fB\-S\fP
-[DEPRECATED] Enable standalone mode.  Normally kpropd is invoked by
-inetd(8) so it expects a network connection to be passed to it
-from inetd(8).  If the \fB\-S\fP option is specified, or if standard
-input is not a socket, kpropd will put itself into the background,
-and wait for connections on port 754 (or the port specified with the
-\fB\-P\fP option if given).
-.TP
 .B \fB\-d\fP
-Turn on debug mode.  In this mode, if the \fB\-S\fP option is
-selected, kpropd will not detach itself from the current job and
-run in the background.  Instead, it will run in the foreground and
-print out debugging messages during the database propagation.
+Turn on debug mode.  In this mode, kpropd will not detach
+itself from the current job and run in the background.  Instead,
+it will run in the foreground and print out debugging messages
+during the database propagation.
 .TP
 .B \fB\-P\fP
 Allow for an alternate port number for kpropd to listen on.  This
diff --git a/src/man/kproplog.man b/src/man/kproplog.man
index 6f36688..21d6bb5 100644
--- a/src/man/kproplog.man
+++ b/src/man/kproplog.man
@@ -1,4 +1,4 @@
-.TH "KPROPLOG" "8" " " "1.12" "MIT Kerberos"
+.TH "KPROPLOG" "8" " " "1.13" "MIT Kerberos"
 .SH NAME
 kproplog \- display the contents of the Kerberos principal update log
 .
diff --git a/src/man/krb5-config.man b/src/man/krb5-config.man
index 129387a..9731f40 100644
--- a/src/man/krb5-config.man
+++ b/src/man/krb5-config.man
@@ -1,4 +1,4 @@
-.TH "KRB5-CONFIG" "1" " " "1.12" "MIT Kerberos"
+.TH "KRB5-CONFIG" "1" " " "1.13" "MIT Kerberos"
 .SH NAME
 krb5-config \- tool for linking against MIT Kerberos libraries
 .
diff --git a/src/man/krb5.conf.man b/src/man/krb5.conf.man
index a653b69..7fa49e1 100644
--- a/src/man/krb5.conf.man
+++ b/src/man/krb5.conf.man
@@ -1,4 +1,4 @@
-.TH "KRB5.CONF" "5" " " "1.12" "MIT Kerberos"
+.TH "KRB5.CONF" "5" " " "1.13" "MIT Kerberos"
 .SH NAME
 krb5.conf \- Kerberos configuration file
 .
@@ -178,14 +178,14 @@ The libdefaults section may contain any of the following relations:
 .INDENT 0.0
 .TP
 .B \fBallow_weak_crypto\fP
-If this flag is set to false, then weak encryption types will be
-filtered out of the previous three lists (as noted in
-\fIEncryption_and_salt_types\fP in \fIkdc.conf(5)\fP).  The
-default value for this tag is false, which may cause
-authentication failures in existing Kerberos infrastructures that
-do not support strong crypto.  Users in affected environments
-should set this tag to true until their infrastructure adopts
-stronger ciphers.
+If this flag is set to false, then weak encryption types (as noted
+in \fIEncryption_types\fP in \fIkdc.conf(5)\fP) will be filtered
+out of the lists \fBdefault_tgs_enctypes\fP,
+\fBdefault_tkt_enctypes\fP, and \fBpermitted_enctypes\fP.  The default
+value for this tag is false, which may cause authentication
+failures in existing Kerberos infrastructures that do not support
+strong crypto.  Users in affected environments should set this tag
+to true until their infrastructure adopts stronger ciphers.
 .TP
 .B \fBap_req_checksum_type\fP
 An integer which specifies the type of AP\-REQ checksum to use in
@@ -239,7 +239,7 @@ invoking programs such as \fIkinit(1)\fP.
 Identifies the supported list of session key encryption types that
 the client should request when making a TGS\-REQ, in order of
 preference from highest to lowest.  The list may be delimited with
-commas or whitespace.  See \fIEncryption_and_salt_types\fP in
+commas or whitespace.  See \fIEncryption_types\fP in
 \fIkdc.conf(5)\fP for a list of the accepted values for this tag.
 The default value is \fBaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 des3\-cbc\-sha1 arcfour\-hmac\-md5 camellia256\-cts\-cmac camellia128\-cts\-cmac des\-cbc\-crc des\-cbc\-md5 des\-cbc\-md4\fP, but single\-DES encryption types
 will be implicitly removed from this list if the value of
@@ -264,6 +264,13 @@ compatibility purposes; stale values of this setting can prevent
 clients from taking advantage of new stronger enctypes when the
 libraries are upgraded.
 .TP
+.B \fBdns_canonicalize_hostname\fP
+Indicate whether name lookups will be used to canonicalize
+hostnames for use in service principal names.  Setting this flag
+to false can improve security by reducing reliance on DNS, but
+means that short hostnames will not be canonicalized to
+fully\-qualified hostnames.  The default value is true.
+.TP
 .B \fBdns_lookup_kdc\fP
 Indicate whether DNS SRV records should be used to locate the KDCs
 and other servers for a realm, if they are not listed in the
@@ -428,7 +435,8 @@ default, if allowed by the KDC.  The default value is false.
 .B \fBrdns\fP
 If this flag is true, reverse name lookup will be used in addition
 to forward name lookup to canonicalizing hostnames for use in
-service principal names.  The default value is true.
+service principal names.  If \fBdns_canonicalize_hostname\fP is set
+to false, this flag has no effect.  The default value is true.
 .TP
 .B \fBrealm_try_domains\fP
 Indicate whether a host\(aqs domain components should be used to
@@ -590,7 +598,9 @@ The [domain_realm] section provides a translation from a domain name
 or hostname to a Kerberos realm name.  The tag name can be a host name
 or domain name, where domain names are indicated by a prefix of a
 period (\fB.\fP).  The value of the relation is the Kerberos realm name
-for that particular host or domain.  The Kerberos realm may be
+for that particular host or domain.  A host name relation implicitly
+provides the corresponding domain name relation, unless an explicit domain
+name relation is provided.  The Kerberos realm may be
 identified either in the \fI\%realms\fP section or using DNS SRV records.
 Host names and domain names should be in lower case.  For example:
 .INDENT 0.0
@@ -600,18 +610,20 @@ Host names and domain names should be in lower case.  For example:
 .ft C
 [domain_realm]
     crash.mit.edu = TEST.ATHENA.MIT.EDU
-    .mit.edu = ATHENA.MIT.EDU
+    .dev.mit.edu = TEST.ATHENA.MIT.EDU
     mit.edu = ATHENA.MIT.EDU
 .ft P
 .fi
 .UNINDENT
 .UNINDENT
 .sp
-maps the host with the exact name \fBcrash.mit.edu\fP into the
-TEST.ATHENA.MIT.EDU realm.  The period prefix in \fB.mit.edu\fP denotes
-that all systems in the \fBmit.edu\fP domain belong to
-\fBATHENA.MIT.EDU\fP realm.  The third entry maps the host \fBmit.edu\fP
-itself to the \fBATHENA.MIT.EDU\fP realm.
+maps the host with the name \fBcrash.mit.edu\fP into the
+\fBTEST.ATHENA.MIT.EDU\fP realm.  The second entry maps all hosts under the
+domain \fBdev.mit.edu\fP into the \fBTEST.ATHENA.MIT.EDU\fP realm, but not
+the host with the name \fBdev.mit.edu\fP.  That host is matched
+by the third entry, which maps the host \fBmit.edu\fP and all hosts
+under the domain \fBmit.edu\fP that do not match a preceding rule
+into the realm \fBATHENA.MIT.EDU\fP.
 .sp
 If no translation entry applies to a hostname used for a service
 principal for a service ticket request, the library will try to get a
@@ -800,6 +812,12 @@ absolute path, it will be treated as relative to the
 \fBplugin_base_dir\fP value from \fI\%[libdefaults]\fP.
 .UNINDENT
 .sp
+For pluggable interfaces where module order matters, modules
+registered with a \fBmodule\fP tag normally come first, in the order
+they are registered, followed by built\-in modules in the order they
+are documented below.  If \fBenable_only\fP tags are used, then the
+order of those tags overrides the normal module order.
+.sp
 The following subsections are currently supported within the [plugins]
 section:
 .SS ccselect interface
@@ -861,6 +879,30 @@ This module implements the encrypted challenge FAST factor.
 .B \fBencrypted_timestamp\fP
 This module implements the encrypted timestamp mechanism.
 .UNINDENT
+.SS hostrealm interface
+.sp
+The hostrealm section (introduced in release 1.12) controls modules
+for the host\-to\-realm interface, which affects the local mapping of
+hostnames to realm names and the choice of default realm.  The following
+built\-in modules exist for this interface:
+.INDENT 0.0
+.TP
+.B \fBprofile\fP
+This module consults the [domain_realm] section of the profile for
+authoritative host\-to\-realm mappings, and the \fBdefault_realm\fP
+variable for the default realm.
+.TP
+.B \fBdns\fP
+This module looks for DNS records for fallback host\-to\-realm
+mappings and the default realm.  It only operates if the
+\fBdns_lookup_realm\fP variable is set to true.
+.TP
+.B \fBdomain\fP
+This module applies heuristics for fallback host\-to\-realm
+mappings.  It implements the \fBrealm_try_domains\fP variable, and
+uses the uppercased parent domain of the hostname if that does not
+produce a result.
+.UNINDENT
 .SS localauth interface
 .sp
 The localauth section (introduced in release 1.12) controls modules
@@ -869,30 +911,30 @@ between Kerberos principals and local system accounts.  The following
 built\-in modules exist for this interface:
 .INDENT 0.0
 .TP
-.B \fBauth_to_local\fP
-This module processes \fBauth_to_local\fP values in the default
-realm\(aqs section, and applies the default method if no
-\fBauth_to_local\fP values exist.
-.TP
-.B \fBan2ln\fP
-This module authorizes a principal to a local account if the
-principal name maps to the local account name.
-.TP
 .B \fBdefault\fP
 This module implements the \fBDEFAULT\fP type for \fBauth_to_local\fP
 values.
 .TP
-.B \fBk5login\fP
-This module authorizes a principal to a local account according to
-the account\(aqs \fI.k5login(5)\fP file.
+.B \fBrule\fP
+This module implements the \fBRULE\fP type for \fBauth_to_local\fP
+values.
 .TP
 .B \fBnames\fP
 This module looks for an \fBauth_to_local_names\fP mapping for the
 principal name.
 .TP
-.B \fBrule\fP
-This module implements the \fBRULE\fP type for \fBauth_to_local\fP
-values.
+.B \fBauth_to_local\fP
+This module processes \fBauth_to_local\fP values in the default
+realm\(aqs section, and applies the default method if no
+\fBauth_to_local\fP values exist.
+.TP
+.B \fBk5login\fP
+This module authorizes a principal to a local account according to
+the account\(aqs \fI.k5login(5)\fP file.
+.TP
+.B \fBan2ln\fP
+This module authorizes a principal to a local account if the
+principal name maps to the local account name.
 .UNINDENT
 .SH PKINIT OPTIONS
 .IP Note
diff --git a/src/man/krb5kdc.man b/src/man/krb5kdc.man
index 0212168..784c1f1 100644
--- a/src/man/krb5kdc.man
+++ b/src/man/krb5kdc.man
@@ -1,4 +1,4 @@
-.TH "KRB5KDC" "8" " " "1.12" "MIT Kerberos"
+.TH "KRB5KDC" "8" " " "1.13" "MIT Kerberos"
 .SH NAME
 krb5kdc \- Kerberos V5 KDC
 .
diff --git a/src/man/ksu.man b/src/man/ksu.man
index 3704392..89648ee 100644
--- a/src/man/ksu.man
+++ b/src/man/ksu.man
@@ -1,4 +1,4 @@
-.TH "KSU" "1" " " "1.12" "MIT Kerberos"
+.TH "KSU" "1" " " "1.13" "MIT Kerberos"
 .SH NAME
 ksu \- Kerberized super-user
 .
diff --git a/src/man/kswitch.man b/src/man/kswitch.man
index ee85964..ead8344 100644
--- a/src/man/kswitch.man
+++ b/src/man/kswitch.man
@@ -1,4 +1,4 @@
-.TH "KSWITCH" "1" " " "1.12" "MIT Kerberos"
+.TH "KSWITCH" "1" " " "1.13" "MIT Kerberos"
 .SH NAME
 kswitch \- switch primary ticket cache
 .
diff --git a/src/man/ktutil.man b/src/man/ktutil.man
index d514cf4..9ebdebd 100644
--- a/src/man/ktutil.man
+++ b/src/man/ktutil.man
@@ -1,4 +1,4 @@
-.TH "KTUTIL" "1" " " "1.12" "MIT Kerberos"
+.TH "KTUTIL" "1" " " "1.13" "MIT Kerberos"
 .SH NAME
 ktutil \- Kerberos keytab file maintenance utility
 .
diff --git a/src/man/kvno.man b/src/man/kvno.man
index 740e70a..2739bd2 100644
--- a/src/man/kvno.man
+++ b/src/man/kvno.man
@@ -1,4 +1,4 @@
-.TH "KVNO" "1" " " "1.12" "MIT Kerberos"
+.TH "KVNO" "1" " " "1.13" "MIT Kerberos"
 .SH NAME
 kvno \- print key version numbers of Kerberos principals
 .
diff --git a/src/man/sclient.man b/src/man/sclient.man
index 4218f81..88e24b6 100644
--- a/src/man/sclient.man
+++ b/src/man/sclient.man
@@ -1,4 +1,4 @@
-.TH "SCLIENT" "1" " " "1.12" "MIT Kerberos"
+.TH "SCLIENT" "1" " " "1.13" "MIT Kerberos"
 .SH NAME
 sclient \- sample Kerberos version 5 client
 .
diff --git a/src/man/sserver.man b/src/man/sserver.man
index 6f42bf6..93e749a 100644
--- a/src/man/sserver.man
+++ b/src/man/sserver.man
@@ -1,4 +1,4 @@
-.TH "SSERVER" "8" " " "1.12" "MIT Kerberos"
+.TH "SSERVER" "8" " " "1.13" "MIT Kerberos"
 .SH NAME
 sserver \- sample Kerberos version 5 server
 .

