krb5 commit [krb5-1.11]: Update manpages

Tom Yu tlyu at MIT.EDU
Tue Jan 21 17:10:05 EST 2014


https://github.com/krb5/krb5/commit/8170b11e9a1ac3f06f6fe3e153a3da5aa270ea98
commit 8170b11e9a1ac3f06f6fe3e153a3da5aa270ea98
Author: Tom Yu <tlyu at mit.edu>
Date:   Thu Jan 16 15:53:26 2014 -0500

    Update manpages

 src/man/kadm5.acl.man |    7 ++-
 src/man/kadmin.man    |   33 ++++++++-------
 src/man/kdb5_util.man |    8 ++--
 src/man/kdc.conf.man  |  106 ++++++++++++++++++++++++++++++++++---------------
 src/man/klist.man     |    7 +--
 src/man/krb5.conf.man |   18 ++++----
 6 files changed, 112 insertions(+), 67 deletions(-)

diff --git a/src/man/kadm5.acl.man b/src/man/kadm5.acl.man
index 570cd96..c7adf52 100644
--- a/src/man/kadm5.acl.man
+++ b/src/man/kadm5.acl.man
@@ -147,7 +147,8 @@ Each component of the name may be wildcarded using the \fB*\fP
 character.
 .sp
 \fItarget_principal\fP can also include back\-references to \fIprincipal\fP,
-in which \fB*number\fP matches the component number in \fIprincipal\fP.
+in which \fB*number\fP matches the corresponding wildcard in
+\fIprincipal\fP.
 .TP
 .B \fIrestrictions\fP
 (Optional) A string of flags. Allowed restrictions are:
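Review bot: the rewording of the back-reference rule ("matches the corresponding wildcard in principal" rather than "the component number") resolves a genuine ambiguity, because a wildcard need not sit in the first component: the page itself says each component may be wildcarded, so for a pattern whose only `*` is in the second component, `*1` refers to that second component under the new wording but would have been read as the first component under the old one. Since the ACL grants admin rights on the resolved target, a reader who gets this wrong over-grants; one example in this file with a wildcard in a non-first component would make the numbering unmistakable.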
@@ -212,8 +213,8 @@ instance \fBroot\fP (matches line 3).
 .sp
 (line 4) Any \fBroot\fP principal in \fBATHENA.MIT.EDU\fP can inquire, list,
 or change the password of their null instance, but not any other
-null instance.  (Here, "*1" denotes a back\-reference to the first
-component of the actor principal.)
+null instance.  (Here, \fB*1\fP denotes a back\-reference to the
+component matching the first wildcard in the actor principal.)
 .sp
 (line 5) Any principal in the realm \fBATHENA.MIT.EDU\fP (except for
 \fBjoeadmin at ATHENA.MIT.EDU\fP, as mentioned above) has inquire
diff --git a/src/man/kadmin.man b/src/man/kadmin.man
index a3f29d4..728797c 100644
--- a/src/man/kadmin.man
+++ b/src/man/kadmin.man
@@ -142,9 +142,9 @@ If using kadmin.local, prompt for the database master password
 instead of reading it from a stash file.
 .TP
 .B \fB\-e\fP "\fIenc\fP:\fIsalt\fP ..."
-Sets the list of encryption types and salt types to be used for
-any new keys created.  See \fIEncryption_and_salt_types\fP in
-\fIkdc.conf(5)\fP for a list of possible values.
+Sets the keysalt list to be used for any new keys created.  See
+\fIKeysalt_lists\fP in \fIkdc.conf(5)\fP for a list of possible
+values.
 .TP
 .B \fB\-O\fP
 Force use of old AUTH_GSSAPI authentication flavor.
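Review bot: the `-e` argument is displayed here as `"\fIenc\fP:\fIsalt\fP ..."` (quoted, space-separated), while the three per-command `-e` options in the later hunks of this file (at 302, 438 and 831) display it as `\fIenc\fP:\fIsalt\fP,...`; now that all four point at the same `Keysalt_lists` section, they should present the argument the same way, e.g. `.B \fB\-e\fP \fIenc\fP:\fIsalt\fP,...`.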
@@ -302,8 +302,9 @@ shell script may expose the password to other users on the system
 via the process list.
 .TP
 .B \fB\-e\fP \fIenc\fP:\fIsalt\fP,...
-Uses the specified list of enctype\-salttype pairs for setting the
-key of the principal.
+Uses the specified keysalt list for setting the keys of the
+principal.  See \fIKeysalt_lists\fP in \fIkdc.conf(5)\fP for a
+list of possible values.
 .TP
 .B \fB\-x\fP \fIdb_princ_args\fP
 Indicates database\-specific options.  The options for the LDAP
@@ -438,8 +439,9 @@ script may expose the password to other users on the system via
 the process list.
 .TP
 .B \fB\-e\fP \fIenc\fP:\fIsalt\fP,...
-Uses the specified list of enctype\-salttype pairs for setting the
-key of the principal.
+Uses the specified keysalt list for setting the keys of the
+principal.  See \fIKeysalt_lists\fP in \fIkdc.conf(5)\fP for a
+list of possible values.
 .TP
 .B \fB\-keepold\fP
 Keeps the existing keys in the database.  This flag is usually not
@@ -582,8 +584,8 @@ modules.  The following string attributes are recognized by the KDC:
 .B \fBsession_enctypes\fP
 Specifies the encryption types supported for session keys when the
 principal is authenticated to as a server.  See
-\fIEncryption_and_salt_types\fP in \fIkdc.conf(5)\fP for a list
-of the accepted values.
+\fIEncryption_types\fP in \fIkdc.conf(5)\fP for a list of the
+accepted values.
 .UNINDENT
 .sp
 This command requires the \fBmodify\fP privilege.
@@ -666,10 +668,10 @@ out until it is administratively unlocked with \fBmodprinc
 .B \fB\-allowedkeysalts\fP
 Specifies the key/salt tuples supported for long\-term keys when
 setting or changing a principal\(aqs password/keys.  See
-\fIEncryption_and_salt_types\fP in \fIkdc.conf(5)\fP for a list
-of the accepted values, but note that key/salt tuples must be
-separated with commas (\(aq,\(aq) only.  To clear the allowed key/salt
-policy use a value of \(aq\-\(aq.
+\fIKeysalt_lists\fP in \fIkdc.conf(5)\fP for a list of the
+accepted values, but note that key/salt tuples must be separated
+with commas (\(aq,\(aq) only.  To clear the allowed key/salt policy use
+a value of \(aq\-\(aq.
 .UNINDENT
 .sp
 Example:
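Review bot: keeping the "must be separated with commas only" sentence for `-allowedkeysalts` is important, since the new `KEYSALT LISTS` section in kdc.conf.man states that list members may be separated by commas or spaces; a reader who follows that section and uses spaces here would set a different policy than intended. Consider making the exception stand out, for example by starting a new sentence: "Unlike other keysalt lists, the tuples here must be separated with commas only."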
@@ -831,8 +833,9 @@ Use \fIkeytab\fP as the keytab file.  Otherwise, the default keytab is
 used.
 .TP
 .B \fB\-e\fP \fIenc\fP:\fIsalt\fP,...
-Use the specified list of enctype\-salttype pairs for setting the
-new keys of the principal.
+Uses the specified keysalt list for setting the new keys of the
+principal.  See \fIKeysalt_lists\fP in \fIkdc.conf(5)\fP for a
+list of possible values.
 .TP
 .B \fB\-q\fP
 Display less verbose information.
diff --git a/src/man/kdb5_util.man b/src/man/kdb5_util.man
index f0063d6..64b21a9 100644
--- a/src/man/kdb5_util.man
+++ b/src/man/kdb5_util.man
@@ -138,7 +138,7 @@ argument can be used to override the \fIkeyfile\fP specified in
 .sp
 Dumps the current Kerberos and KADM5 database into an ASCII file.  By
 default, the database is dumped in current format, "kdb5_util
-load_dump version 6".  If filename is not specified, or is the string
+load_dump version 7".  If filename is not specified, or is the string
 "\-", the dump is sent to standard output.  Options:
 .INDENT 0.0
 .TP
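Review bot: changing the default dump format from "kdb5_util load_dump version 6" to "version 7" is a compatibility-relevant statement, not just wording; the text should say which `kdb5_util load` versions accept a version 7 dump, or point at the option that selects the older format, so that administrators who move dumps between KDC versions are not surprised.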
@@ -281,9 +281,9 @@ salt types to be used for the new keys.
 Adds a new master key to the master key principal, but does not mark
 it as active.  Existing master keys will remain.  The \fB\-e\fP option
 specifies the encryption type of the new master key; see
-\fIEncryption_and_salt_types\fP in \fIkdc.conf(5)\fP for a list of
-possible values.  The \fB\-s\fP option stashes the new master key in the
-stash file, which will be created if it doesn\(aqt already exist.
+\fIEncryption_types\fP in \fIkdc.conf(5)\fP for a list of possible
+values.  The \fB\-s\fP option stashes the new master key in the stash
+file, which will be created if it doesn\(aqt already exist.
 .sp
 After a new master key is added, it should be propagated to slave
 servers via a manual or periodic invocation of \fIkprop(8)\fP.  Then,
diff --git a/src/man/kdc.conf.man b/src/man/kdc.conf.man
index 04e47f9..df6e6aa 100644
--- a/src/man/kdc.conf.man
+++ b/src/man/kdc.conf.man
@@ -112,11 +112,21 @@ default value is 4096 bytes.
 .UNINDENT
 .SS [realms]
 .sp
-Each tag in the [realms] section is the name of a Kerberos realm.
-The value of the tag is a subsection where the relations define KDC
-parameters for that particular realm.
+Each tag in the [realms] section is the name of a Kerberos realm.  The
+value of the tag is a subsection where the relations define KDC
+parameters for that particular realm.  The following example shows how
+to define one parameter for the ATHENA.MIT.EDU realm:
 .sp
-For each realm, the following tags may be specified:
+.nf
+.ft C
+[realms]
+    ATHENA.MIT.EDU = {
+        max_renewable_life = 7d 0h 0m 0s
+    }
+.ft P
+.fi
+.sp
+The following tags may be specified in a [realms] subsection:
 .INDENT 0.0
 .TP
 .B \fBacl_file\fP
@@ -127,17 +137,17 @@ which permissions on the Kerberos database.  The default value is
 file see \fIkadm5.acl(5)\fP.
 .TP
 .B \fBdatabase_module\fP
-This relation indicates the name of the configuration section
-under \fI\%[dbmodules]\fP for database specific parameters used by
-the loadable database library.
+(String.)  This relation indicates the name of the configuration
+section under \fI\%[dbmodules]\fP for database\-specific parameters
+used by the loadable database library.  The default value is the
+realm name.  If this configuration section does not exist, default
+values will be used for all database parameters.
 .TP
 .B \fBdatabase_name\fP
-(String.)  This string specifies the location of the Kerberos
-database for this realm, if the DB2 back\-end is being used.  If a
-\fBdatabase_module\fP is specified for the realm and the
-corresponding module contains a \fBdatabase_name\fP parameter, that
-value will take precedence over this one.  The default value is
-\fB at LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/principal\fP.
+(String, deprecated.)  This relation specifies the location of the
+Kerberos database for this realm, if the DB2 module is being used
+and the \fI\%[dbmodules]\fP configuration section does not specify a
+database name.  The default value is \fB at LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/principal\fP.
 .TP
 .B \fBdefault_principal_expiration\fP
 (\fIabstime\fP string.)  Specifies the default expiration date of
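Review bot: marking `database_name` in `[realms]` as deprecated without naming its replacement leaves the reader guessing; the `[dbmodules]` subsection in this same file has a `database_name` tag, so a closing sentence such as "Use `database_name` in the `[dbmodules]` subsection instead." would close the loop. The new "The default value is the realm name" sentence for `database_module` is a useful clarification, since it explains why a `[dbmodules]` subsection named after the realm takes effect without any explicit `database_module` relation.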
@@ -310,7 +320,7 @@ master key.  The default is \fBK/M\fP.
 .B \fBmaster_key_type\fP
 (Key type string.)  Specifies the master key\(aqs key type.  The
 default value for this is \fBaes256\-cts\-hmac\-sha1\-96\fP.  For a list of all possible
-values, see \fI\%Encryption and salt types\fP.
+values, see \fI\%Encryption types\fP.
 .TP
 .B \fBmax_life\fP
 (\fIduration\fP string.)  Specifies the maximum time period for
@@ -370,7 +380,7 @@ default value is false.
 combinations of principals for this realm.  Any principals created
 through \fIkadmin(1)\fP will have keys of these types.  The
 default value for this tag is \fBaes256\-cts\-hmac\-sha1\-96:normal aes128\-cts\-hmac\-sha1\-96:normal des3\-cbc\-sha1:normal arcfour\-hmac\-md5:normal\fP.  For lists of
-possible values, see \fI\%Encryption and salt types\fP.
+possible values, see \fI\%Keysalt lists\fP.
 .UNINDENT
 .SS [dbdefaults]
 .sp
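Review bot: the cross-reference fix is correct, but the context line quotes a `supported_enctypes` default that still includes `des3\-cbc\-sha1:normal` and `arcfour\-hmac\-md5:normal`; since "Any principals created through kadmin(1) will have keys of these types", it would help administrators to add one sentence noting that a site with no clients needing those legacy types can set this tag to the AES entries only, so that new principals do not accumulate keys of types the site never intends to use.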
@@ -395,20 +405,21 @@ definitions of these relations.
 .SS [dbmodules]
 .sp
 The [dbmodules] section contains parameters used by the KDC database
-library and database modules.
+library and database modules.  Each tag in the [dbmodules] section is
+the name of a Kerberos realm or a section name specified by a realm\(aqs
+\fBdatabase_module\fP parameter.  The following example shows how to
+define one database parameter for the ATHENA.MIT.EDU realm:
 .sp
-The following tag may be specified in the [dbmodules] section:
-.INDENT 0.0
-.TP
-.B \fBdb_module_dir\fP
-This tag controls where the plugin system looks for modules.  The
-value should be an absolute path.
-.UNINDENT
+.nf
+.ft C
+[dbmodules]
+    ATHENA.MIT.EDU = {
+        disable_last_success = true
+    }
+.ft P
+.fi
 .sp
-Other tags in the [dbmodules] section name a configuration subsection
-for parameters which can be referred to by a realm\(aqs
-\fBdatabase_module\fP parameter.  The following tags may be specified in
-the subsection:
+The following tags may be specified in a [dbmodules] subsection:
 .INDENT 0.0
 .TP
 .B \fBdatabase_name\fP
@@ -469,6 +480,15 @@ passwords (created by \fBkdb5_ldap_util stashsrvpw\fP) for the
 \fBldap_kadmind_dn\fP and \fBldap_kdc_dn\fP objects.  This file must
 be kept secure.
 .UNINDENT
+.sp
+The following tag may be specified directly in the [dbmodules]
+section to control where database modules are loaded from:
+.INDENT 0.0
+.TP
+.B \fBdb_module_dir\fP
+This tag controls where the plugin system looks for database
+modules.  The value should be an absolute path.
+.UNINDENT
 .SS [logging]
 .sp
 The [logging] section indicates how \fIkrb5kdc(8)\fP and
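Review bot: moving `db_module_dir` out of the subsection list is the right fix, since it applies to the `[dbmodules]` section itself rather than to a realm subsection. Because this tag "controls where the plugin system looks for database modules", i.e. where code loaded into the KDC comes from, the description should add that the directory and the modules in it must not be writable by anyone other than the account that administers the KDC, in the same spirit as the "This file must be kept secure" sentence a few lines above for the LDAP service password file.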
@@ -670,7 +690,7 @@ fails.
 \fBpkinit_require_crl_checking\fP should be set to true if the
 policy is such that up\-to\-date CRLs must be present for every CA.
 .UNINDENT
-.SH ENCRYPTION AND SALT TYPES
+.SH ENCRYPTION TYPES
 .sp
 Any tag in the configuration files which requires a list of encryption
 types can be set to some combination of the following strings.
@@ -805,11 +825,33 @@ operations, they are not supported by very old versions of our GSSAPI
 implementation (krb5\-1.3.1 and earlier).  Services running versions of
 krb5 without AES support must not be given AES keys in the KDC
 database.
+.SH KEYSALT LISTS
+.sp
+Kerberos keys for users are usually derived from passwords.  Kerberos
+commands and configuration parameters that affect generation of keys
+take lists of enctype\-salttype ("keysalt") pairs, known as \fIkeysalt
+lists\fP.  Each keysalt pair is an enctype name followed by a salttype
+name, in the format \fIenc\fP:\fIsalt\fP.  Individual keysalt list members are
+separated by comma (",") characters or space characters.  For example:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+kadmin \-e aes256\-cts:normal,aes128\-cts:normal
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+would start up kadmin so that by default it would generate
+password\-derived keys for the \fBaes256\-cts\fP and \fBaes128\-cts\fP
+encryption types, using a \fBnormal\fP salt.
 .sp
-Kerberos keys for users are usually derived from passwords.  To ensure
-that people who happen to pick the same password do not have the same
-key, Kerberos 5 incorporates more information into the key using
-something called a salt.  The supported salt types are as follows:
+To ensure that people who happen to pick the same password do not have
+the same key, Kerberos 5 incorporates more information into the key
+using something called a salt.  The supported salt types are as
+follows:
 .TS
 center;
 |l|l|.
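Review bot: the new `KEYSALT LISTS` section says members are "separated by comma (",") characters or space characters", but kadmin.man in this same commit says `-allowedkeysalts` accepts commas only; a cross-reference here ("except where noted, e.g. the kadmin `-allowedkeysalts` option") would keep the two pages from appearing to contradict each other. The example `kadmin \-e aes256\-cts:normal,aes128\-cts:normal` uses the short enctype names while the `supported_enctypes` default uses `aes256\-cts\-hmac\-sha1\-96`; that is fine as long as the `ENCRYPTION TYPES` section lists both spellings, which is worth checking before the release.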
diff --git a/src/man/klist.man b/src/man/klist.man
index f581e67..bdb5615 100644
--- a/src/man/klist.man
+++ b/src/man/klist.man
@@ -91,10 +91,9 @@ a    anonymous
 .UNINDENT
 .TP
 .B \fB\-s\fP
-Causes klist to run silently (produce no output), but to still set
-the exit status according to whether it finds the credentials
-cache.  The exit status is \(aq0\(aq if klist finds a credentials cache,
-and \(aq1\(aq if it does not or if the tickets are expired.
+Causes klist to run silently (produce no output).  klist will exit
+with status 1 if the credentials cache cannot be read or is
+expired, and with status 0 otherwise.
 .TP
 .B \fB\-a\fP
 Display list of addresses in credentials.
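Review bot: the new `-s` text is clearer than the old one, but "is expired" is still ambiguous for scripts that gate on the exit status: it should say whether status 1 means the ticket-granting ticket has expired or that every ticket in the cache has. It may also be worth stating explicitly that an unreadable cache and an expired cache are not distinguished by exit status, since the old wording at least listed them as separate cases.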
diff --git a/src/man/krb5.conf.man b/src/man/krb5.conf.man
index 4ffe03e..a2aff29 100644
--- a/src/man/krb5.conf.man
+++ b/src/man/krb5.conf.man
@@ -178,14 +178,14 @@ The libdefaults section may contain any of the following relations:
 .INDENT 0.0
 .TP
 .B \fBallow_weak_crypto\fP
-If this flag is set to false, then weak encryption types (as noted in
-\fIEncryption_and_salt_types\fP in \fIkdc.conf(5)\fP) will be filtered
-out of the lists \fBdefault_tgs_enctypes\fP, \fBdefault_tkt_enctypes\fP, and
-\fBpermitted_enctypes\fP.  The default value for this tag is false, which
-may cause authentication failures in existing Kerberos infrastructures
-that do not support strong crypto.  Users in affected environments
-should set this tag to true until their infrastructure adopts
-stronger ciphers.
+If this flag is set to false, then weak encryption types (as noted
+in \fIEncryption_types\fP in \fIkdc.conf(5)\fP) will be filtered
+out of the lists \fBdefault_tgs_enctypes\fP,
+\fBdefault_tkt_enctypes\fP, and \fBpermitted_enctypes\fP.  The default
+value for this tag is false, which may cause authentication
+failures in existing Kerberos infrastructures that do not support
+strong crypto.  Users in affected environments should set this tag
+to true until their infrastructure adopts stronger ciphers.
 .TP
 .B \fBap_req_checksum_type\fP
 An integer which specifies the type of AP\-REQ checksum to use in
@@ -238,7 +238,7 @@ invoking programs such as \fIkinit(1)\fP.
 Identifies the supported list of session key encryption types that
 the client should request when making a TGS\-REQ, in order of
 preference from highest to lowest.  The list may be delimited with
-commas or whitespace.  See \fIEncryption_and_salt_types\fP in
+commas or whitespace.  See \fIEncryption_types\fP in
 \fIkdc.conf(5)\fP for a list of the accepted values for this tag.
 The default value is \fBaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 des3\-cbc\-sha1 arcfour\-hmac\-md5 camellia256\-cts\-cmac camellia128\-cts\-cmac des\-cbc\-crc des\-cbc\-md5 des\-cbc\-md4\fP, but single\-DES encryption types
 will be implicitly removed from this list if the value of

