krb5 commit [krb5-1.14]: Update manpages
Tom Yu
tlyu at mit.edu
Fri Sep 18 15:04:36 EDT 2015
https://github.com/krb5/krb5/commit/66c10cfedf88efa0b3a9fac6d766cd54b405df94
commit 66c10cfedf88efa0b3a9fac6d766cd54b405df94
Author: Tom Yu <tlyu at mit.edu>
Date: Thu Sep 17 15:20:38 2015 -0400
Update manpages
src/man/k5identity.man | 8 +-
src/man/k5login.man | 17 ++-
src/man/k5srvutil.man | 8 +-
src/man/kadm5.acl.man | 72 ++++++++------
src/man/kadmin.man | 194 +++++++++++++++++++++++++++---------
src/man/kadmind.man | 62 +++---------
src/man/kdb5_ldap_util.man | 34 ++++---
src/man/kdb5_util.man | 234 ++++++++++++++++++++++++++++++++++++++++----
src/man/kdc.conf.man | 193 ++++++++++++++++++++++++------------
src/man/kdestroy.man | 10 +-
src/man/kinit.man | 25 +++--
src/man/klist.man | 17 ++--
src/man/kpasswd.man | 8 +-
src/man/kprop.man | 14 ++--
src/man/kpropd.man | 34 +++++--
src/man/kproplog.man | 8 +-
src/man/krb5-config.man | 10 +-
src/man/krb5.conf.man | 183 ++++++++++++++++++++++------------
src/man/krb5kdc.man | 53 +++--------
src/man/ksu.man | 60 +++++++-----
src/man/kswitch.man | 12 +-
src/man/ktutil.man | 16 ++-
src/man/kvno.man | 12 +-
src/man/sclient.man | 8 +-
src/man/sserver.man | 18 ++--
25 files changed, 860 insertions(+), 450 deletions(-)
diff --git a/src/man/k5identity.man b/src/man/k5identity.man
index 06ad79f..38df500 100644
--- a/src/man/k5identity.man
+++ b/src/man/k5identity.man
@@ -1,4 +1,6 @@
-.TH "K5IDENTITY" "5" " " "1.13" "MIT Kerberos"
+.\" Man page generated from reStructuredText.
+.
+.TH "K5IDENTITY" "5" " " "1.14" "MIT Kerberos"
.SH NAME
k5identity \- Kerberos V5 client principal selection rules
.
@@ -28,8 +30,6 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.\" Man page generated from reStructuredText.
-.
.SH DESCRIPTION
.sp
The .k5identity file, which resides in a user\(aqs home directory,
@@ -98,6 +98,6 @@ kerberos(1), \fIkrb5.conf(5)\fP
.SH AUTHOR
MIT
.SH COPYRIGHT
-1985-2013, MIT
+1985-2015, MIT
.\" Generated by docutils manpage writer.
.
diff --git a/src/man/k5login.man b/src/man/k5login.man
index c2f304d..f3cd66d 100644
--- a/src/man/k5login.man
+++ b/src/man/k5login.man
@@ -1,4 +1,6 @@
-.TH "K5LOGIN" "5" " " "1.13" "MIT Kerberos"
+.\" Man page generated from reStructuredText.
+.
+.TH "K5LOGIN" "5" " " "1.14" "MIT Kerberos"
.SH NAME
k5login \- Kerberos V5 acl file for host access
.
@@ -28,8 +30,6 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.\" Man page generated from reStructuredText.
-.
.SH DESCRIPTION
.sp
The .k5login file, which resides in a user\(aqs home directory, contains
@@ -41,7 +41,7 @@ administrators remote root access to the host via Kerberos.
.SH EXAMPLES
.sp
Suppose the user \fBalice\fP had a .k5login file in her home directory
-containing the following line:
+containing just the following line:
.INDENT 0.0
.INDENT 3.5
.sp
@@ -55,7 +55,12 @@ bob at FOOBAR.ORG
.sp
This would allow \fBbob\fP to use Kerberos network applications, such as
ssh(1), to access \fBalice\fP\(aqs account, using \fBbob\fP\(aqs Kerberos
-tickets.
+tickets. In a default configuration (with \fBk5login_authoritative\fP set
+to true in \fIkrb5.conf(5)\fP), this .k5login file would not let
+\fBalice\fP use those network applications to access her account, since
+she is not listed! With no .k5login file, or with \fBk5login_authoritative\fP
+set to false, a default rule would permit the principal \fBalice\fP in the
+machine\(aqs default realm to access the \fBalice\fP account.
.sp
Let us further suppose that \fBalice\fP is a system administrator.
Alice and the other system administrators would have their principals
@@ -86,6 +91,6 @@ kerberos(1)
.SH AUTHOR
MIT
.SH COPYRIGHT
-1985-2013, MIT
+1985-2015, MIT
.\" Generated by docutils manpage writer.
.
diff --git a/src/man/k5srvutil.man b/src/man/k5srvutil.man
index 98ed9a8..323932c 100644
--- a/src/man/k5srvutil.man
+++ b/src/man/k5srvutil.man
@@ -1,4 +1,6 @@
-.TH "K5SRVUTIL" "1" " " "1.13" "MIT Kerberos"
+.\" Man page generated from reStructuredText.
+.
+.TH "K5SRVUTIL" "1" " " "1.14" "MIT Kerberos"
.SH NAME
k5srvutil \- host key table (keytab) manipulation utility
.
@@ -28,8 +30,6 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.\" Man page generated from reStructuredText.
-.
.SH SYNOPSIS
.sp
\fBk5srvutil\fP \fIoperation\fP
@@ -84,6 +84,6 @@ place.
.SH AUTHOR
MIT
.SH COPYRIGHT
-1985-2013, MIT
+1985-2015, MIT
.\" Generated by docutils manpage writer.
.
diff --git a/src/man/kadm5.acl.man b/src/man/kadm5.acl.man
index dbdb10d..f2290f0 100644
--- a/src/man/kadm5.acl.man
+++ b/src/man/kadm5.acl.man
@@ -1,4 +1,6 @@
-.TH "KADM5.ACL" "5" " " "1.13" "MIT Kerberos"
+.\" Man page generated from reStructuredText.
+.
+.TH "KADM5.ACL" "5" " " "1.14" "MIT Kerberos"
.SH NAME
kadm5.acl \- Kerberos ACL file
.
@@ -28,8 +30,6 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.\" Man page generated from reStructuredText.
-.
.SH DESCRIPTION
.sp
The Kerberos \fIkadmind(8)\fP daemon uses an Access Control List
@@ -39,7 +39,7 @@ which principals can operate on which other principals.
.sp
The default location of the Kerberos ACL file is
\fB at LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/kadm5.acl\fP unless this is overridden by the \fIacl_file\fP
-variable in \fIkdc.conf(5)\fP.
+variable in \fIkdc.conf(5)\fP\&.
.SH SYNTAX
.sp
Empty lines and lines starting with the sharp sign (\fB#\fP) are
@@ -54,10 +54,14 @@ principal permissions [target_principal [restrictions] ]
.fi
.UNINDENT
.UNINDENT
-.IP Note
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
Line order in the ACL file is important. The first matching entry
will control access for an actor principal on a target principal.
-.RE
+.UNINDENT
+.UNINDENT
.INDENT 0.0
.TP
.B \fIprincipal\fP
@@ -105,7 +109,7 @@ _
T{
l
T} T{
-[Dis]allows the listing of principals or policies
+[Dis]allows the listing of all principals or policies
T}
_
T{
@@ -129,7 +133,7 @@ _
T{
x
T} T{
-Short for admcil. All privileges
+Short for admcilsp. All privileges
T}
_
T{
@@ -148,7 +152,7 @@ character.
.sp
\fItarget_principal\fP can also include back\-references to \fIprincipal\fP,
in which \fB*number\fP matches the corresponding wildcard in
-\fIprincipal\fP.
+\fIprincipal\fP\&.
.TP
.B \fIrestrictions\fP
(Optional) A string of flags. Allowed restrictions are:
@@ -158,14 +162,14 @@ in which \fB*number\fP matches the corresponding wildcard in
.TP
.B {+|\-}\fIflagname\fP
flag is forced to the indicated value. The permissible flags
-are the same as the + and \- flags for the kadmin
-\fIadd_principal\fP and \fImodify_principal\fP commands.
+are the same as those for the \fBdefault_principal_flags\fP
+variable in \fIkdc.conf(5)\fP\&.
.TP
.B \fI\-clearpolicy\fP
policy is forced to be empty.
.TP
.B \fI\-policy pol\fP
-policy is forced to be \fIpol\fP.
+policy is forced to be \fIpol\fP\&.
.TP
.B \-{\fIexpire, pwexpire, maxlife, maxrenewlife\fP} \fItime\fP
(\fIgetdate\fP string) associated value will be forced to
@@ -177,24 +181,28 @@ MIN(\fItime\fP, requested value).
The above flags act as restrictions on any add or modify operation
which is allowed due to that ACL line.
.UNINDENT
-.IP Warning
+.sp
+\fBWARNING:\fP
+.INDENT 0.0
+.INDENT 3.5
If the kadmind ACL file is modified, the kadmind daemon needs to be
restarted for changes to take effect.
-.RE
+.UNINDENT
+.UNINDENT
.SH EXAMPLE
.sp
-Here is an example of a kadm5.acl file.
+Here is an example of a kadm5.acl file:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
-*/admin at ATHENA.MIT.EDU * # line 1
+*/admin at ATHENA.MIT.EDU * # line 1
joeadmin at ATHENA.MIT.EDU ADMCIL # line 2
-joeadmin/*@ATHENA.MIT.EDU il */root at ATHENA.MIT.EDU # line 3
-*/root at ATHENA.MIT.EDU cil *1 at ATHENA.MIT.EDU # line 4
-*/*@ATHENA.MIT.EDU i # line 5
-*/admin at EXAMPLE.COM x * \-maxlife 9h \-postdateable # line 6
+joeadmin/*@ATHENA.MIT.EDU i */root at ATHENA.MIT.EDU # line 3
+*/root at ATHENA.MIT.EDU ci *1 at ATHENA.MIT.EDU # line 4
+*/root at ATHENA.MIT.EDU l * # line 5
+sms at ATHENA.MIT.EDU x * \-maxlife 9h \-postdateable # line 6
.ft P
.fi
.UNINDENT
@@ -208,28 +216,30 @@ an \fBadmin\fP instance has all administrative privileges.
1). He has no permissions at all with his null instance,
\fBjoeadmin at ATHENA.MIT.EDU\fP (matches line 2). His \fBroot\fP and other
non\-\fBadmin\fP, non\-null instances (e.g., \fBextra\fP or \fBdbadmin\fP) have
-inquire and list permissions with any principal that has the
-instance \fBroot\fP (matches line 3).
+inquire permissions with any principal that has the instance \fBroot\fP
+(matches line 3).
.sp
-(line 4) Any \fBroot\fP principal in \fBATHENA.MIT.EDU\fP can inquire, list,
+(line 4) Any \fBroot\fP principal in \fBATHENA.MIT.EDU\fP can inquire
or change the password of their null instance, but not any other
null instance. (Here, \fB*1\fP denotes a back\-reference to the
component matching the first wildcard in the actor principal.)
.sp
-(line 5) Any principal in the realm \fBATHENA.MIT.EDU\fP (except for
-\fBjoeadmin at ATHENA.MIT.EDU\fP, as mentioned above) has inquire
-privileges.
+(line 5) Any \fBroot\fP principal in \fBATHENA.MIT.EDU\fP can generate
+the list of principals in the database, and the list of policies
+in the database. This line is separate from line 4, because list
+permission can only be granted globally, not to specific target
+principals.
.sp
-(line 6) Finally, any principal with an \fBadmin\fP instance in \fBEXAMPLE.COM\fP
-has all permissions, but any principal that they create or modify will
-not be able to get postdateable tickets or tickets with a life of
-longer than 9 hours.
+(line 6) Finally, the Service Management System principal
+\fBsms at ATHENA.MIT.EDU\fP has all permissions, but any principal that it
+creates or modifies will not be able to get postdateable tickets or
+tickets with a life of longer than 9 hours.
.SH SEE ALSO
.sp
\fIkdc.conf(5)\fP, \fIkadmind(8)\fP
.SH AUTHOR
MIT
.SH COPYRIGHT
-1985-2013, MIT
+1985-2015, MIT
.\" Generated by docutils manpage writer.
.
diff --git a/src/man/kadmin.man b/src/man/kadmin.man
index c896cdf..d91eee1 100644
--- a/src/man/kadmin.man
+++ b/src/man/kadmin.man
@@ -1,4 +1,6 @@
-.TH "KADMIN" "1" " " "1.13" "MIT Kerberos"
+.\" Man page generated from reStructuredText.
+.
+.TH "KADMIN" "1" " " "1.14" "MIT Kerberos"
.SH NAME
kadmin \- Kerberos V5 database administration program
.
@@ -28,8 +30,6 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.\" Man page generated from reStructuredText.
-.
.SH SYNOPSIS
.sp
\fBkadmin\fP
@@ -40,6 +40,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
[[\fB\-c\fP \fIcache_name\fP]|[\fB\-k\fP [\fB\-t\fP \fIkeytab\fP]]|\fB\-n\fP]
[\fB\-w\fP \fIpassword\fP]
[\fB\-s\fP \fIadmin_server\fP[:\fIport\fP]]
+[command args...]
.sp
\fBkadmin.local\fP
[\fB\-r\fP \fIrealm\fP]
@@ -49,12 +50,13 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
[\fB\-e\fP \fIenc\fP:\fIsalt\fP ...]
[\fB\-m\fP]
[\fB\-x\fP \fIdb_args\fP]
+[command args...]
.SH DESCRIPTION
.sp
kadmin and kadmin.local are command\-line interfaces to the Kerberos V5
administration system. They provide nearly identical functionalities;
the difference is that kadmin.local directly accesses the KDC
-database, while kadmin performs operations using \fIkadmind(8)\fP.
+database, while kadmin performs operations using \fIkadmind(8)\fP\&.
Except as explicitly noted otherwise, this man page will use "kadmin"
to refer to both versions. kadmin provides for the maintenance of
Kerberos principals, password policies, and service key tables
@@ -62,7 +64,7 @@ Kerberos principals, password policies, and service key tables
.sp
The remote kadmin client uses Kerberos to authenticate to kadmind
using the service principal \fBkadmin/ADMINHOST\fP (where \fIADMINHOST\fP is
-the fully\-qualified hostname of the admin server) or \fBkadmin/admin\fP.
+the fully\-qualified hostname of the admin server) or \fBkadmin/admin\fP\&.
If the credentials cache contains a ticket for one of these
principals, and the \fB\-c\fP credentials_cache option is specified, that
ticket is used to authenticate to kadmind. Otherwise, the \fB\-p\fP and
@@ -90,7 +92,7 @@ obtained with getpwuid, in order of preference.
.B \fB\-k\fP
Use a keytab to decrypt the KDC response instead of prompting for
a password. In this case, the default principal will be
-\fBhost/hostname\fP. If there is no keytab specified with the
+\fBhost/hostname\fP\&. If there is no keytab specified with the
\fB\-t\fP option, then the default keytab will be used.
.TP
.B \fB\-t\fP \fIkeytab\fP
@@ -101,7 +103,7 @@ with the \fB\-k\fP option.
Requests anonymous processing. Two types of anonymous principals
are supported. For fully anonymous Kerberos, configure PKINIT on
the KDC and configure \fBpkinit_anchors\fP in the client\(aqs
-\fIkrb5.conf(5)\fP. Then use the \fB\-n\fP option with a principal
+\fIkrb5.conf(5)\fP\&. Then use the \fB\-n\fP option with a principal
of the form \fB at REALM\fP (an empty principal name followed by the
at\-sign and a realm name). If permitted by the KDC, an anonymous
ticket will be returned. A second form of anonymous tickets is
@@ -127,8 +129,7 @@ care, as it may expose the password to other users on the system
via the process list.
.TP
.B \fB\-q\fP \fIquery\fP
-Perform the specified query and then exit. This can be useful for
-writing scripts.
+Perform the specified query and then exit.
.TP
.B \fB\-d\fP \fIdbname\fP
Specifies the name of the KDC database. This option does not
@@ -153,26 +154,95 @@ Force use of old AUTH_GSSAPI authentication flavor.
Prevent fallback to AUTH_GSSAPI authentication flavor.
.TP
.B \fB\-x\fP \fIdb_args\fP
-Specifies the database specific arguments. Options supported for
-the LDAP database module are:
-.INDENT 7.0
+Specifies the database specific arguments. See the next section
+for supported options.
+.UNINDENT
+.sp
+Starting with release 1.14, if any command\-line arguments remain after
+the options, they will be treated as a single query to be executed.
+This mode of operation is intended for scripts and behaves differently
+from the interactive mode in several respects:
+.INDENT 0.0
+.IP \(bu 2
+Query arguments are split by the shell, not by kadmin.
+.IP \(bu 2
+Informational and warning messages are suppressed. Error messages
+and query output (e.g. for \fBget_principal\fP) will still be
+displayed.
+.IP \(bu 2
+Confirmation prompts are disabled (as if \fB\-force\fP was given).
+Password prompts will still be issued as required.
+.IP \(bu 2
+The exit status will be non\-zero if the query fails.
+.UNINDENT
+.sp
+The \fB\-q\fP option does not carry these behavior differences; the query
+will be processed as if it was entered interactively. The \fB\-q\fP
+option cannot be used in combination with a query in the remaining
+arguments.
+.SH DATABASE OPTIONS
+.sp
+Database options can be used to override database\-specific defaults.
+Supported options for the DB2 module are:
+.INDENT 0.0
+.INDENT 3.5
+.INDENT 0.0
.TP
-.B \fB\-x host=\fP\fIhostname\fP
+.B \fB\-x dbname=\fP*filename*
+Specifies the base filename of the DB2 database.
+.TP
+.B \fB\-x lockiter\fP
+Make iteration operations hold the lock for the duration of
+the entire operation, rather than temporarily releasing the
+lock while handling each principal. This is the default
+behavior, but this option exists to allow command line
+override of a [dbmodules] setting. First introduced in
+release 1.13.
+.TP
+.B \fB\-x unlockiter\fP
+Make iteration operations unlock the database for each
+principal, instead of holding the lock for the duration of the
+entire operation. First introduced in release 1.13.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.sp
+Supported options for the LDAP module are:
+.INDENT 0.0
+.INDENT 3.5
+.INDENT 0.0
+.TP
+.B \fB\-x host=\fP\fIldapuri\fP
Specifies the LDAP server to connect to by a LDAP URI.
.TP
.B \fB\-x binddn=\fP\fIbind_dn\fP
-Specifies the DN of the object used by the administration
-server to bind to the LDAP server. This object should have
-the read and write privileges on the realm container, the
-principal container, and the subtree that is referenced by the
-realm.
-.TP
-.B \fB\-x bindpwd=\fP\fIbind_password\fP
-Specifies the password for the above mentioned binddn. Using
-this option may expose the password to other users on the
-system via the process list; to avoid this, instead stash the
-password using the \fBstashsrvpw\fP command of
-\fIkdb5_ldap_util(8)\fP.
+Specifies the DN used to bind to the LDAP server.
+.TP
+.B \fB\-x bindpwd=\fP\fIpassword\fP
+Specifies the password or SASL secret used to bind to the LDAP
+server. Using this option may expose the password to other
+users on the system via the process list; to avoid this,
+instead stash the password using the \fBstashsrvpw\fP command of
+\fIkdb5_ldap_util(8)\fP\&.
+.TP
+.B \fB\-x sasl_mech=\fP\fImechanism\fP
+Specifies the SASL mechanism used to bind to the LDAP server.
+The bind DN is ignored if a SASL mechanism is used. New in
+release 1.13.
+.TP
+.B \fB\-x sasl_authcid=\fP\fIname\fP
+Specifies the authentication name used when binding to the
+LDAP server with a SASL mechanism, if the mechanism requires
+one. New in release 1.13.
+.TP
+.B \fB\-x sasl_authzid=\fP\fIname\fP
+Specifies the authorization name used when binding to the LDAP
+server with a SASL mechanism. New in release 1.13.
+.TP
+.B \fB\-x sasl_realm=\fP\fIrealm\fP
+Specifies the realm used when binding to the LDAP server with
+a SASL mechanism, if the mechanism uses one. New in release
+1.13.
.TP
.B \fB\-x debug=\fP\fIlevel\fP
sets the OpenLDAP client library debug level. \fIlevel\fP is an
@@ -180,6 +250,7 @@ integer to be interpreted by the library. Debugging messages
are printed to standard error. New in release 1.12.
.UNINDENT
.UNINDENT
+.UNINDENT
.SH COMMANDS
.sp
When using the remote client, available commands may be restricted
@@ -344,8 +415,11 @@ principal is to be created.
.B \fB\-x tktpolicy=\fP\fIpolicy\fP
Associates a ticket policy to the Kerberos principal.
.UNINDENT
-.IP Note
+.sp
+\fBNOTE:\fP
.INDENT 7.0
+.INDENT 3.5
+.INDENT 0.0
.IP \(bu 2
The \fBcontainerdn\fP and \fBlinkdn\fP options cannot be
specified with the \fBdn\fP option.
@@ -358,7 +432,8 @@ container.
\fIdn\fP and \fIcontainerdn\fP should be within the subtrees or
principal container configured in the realm.
.UNINDENT
-.RE
+.UNINDENT
+.UNINDENT
.UNINDENT
.sp
Example:
@@ -409,7 +484,7 @@ to its password policy) so that it can successfully authenticate.
.UNINDENT
.UNINDENT
.sp
-Renames the specified \fIold_principal\fP to \fInew_principal\fP. This
+Renames the specified \fIold_principal\fP to \fInew_principal\fP\&. This
command prompts for confirmation, unless the \fB\-force\fP option is
given.
.sp
@@ -436,7 +511,7 @@ Alias: \fBdelprinc\fP
.UNINDENT
.UNINDENT
.sp
-Changes the password of \fIprincipal\fP. Prompts for a new password if
+Changes the password of \fIprincipal\fP\&. Prompts for a new password if
neither \fB\-randkey\fP or \fB\-pw\fP is specified.
.sp
This command requires the \fBchangepw\fP privilege, or that the
@@ -489,8 +564,8 @@ kadmin:
.UNINDENT
.sp
Purges previously retained old keys (e.g., from \fBchange_password
-\-keepold\fP) from \fIprincipal\fP. If \fB\-keepkvno\fP is specified, then
-only purges keys with kvnos lower than \fIoldest_kvno_to_keep\fP. If
+\-keepold\fP) from \fIprincipal\fP\&. If \fB\-keepkvno\fP is specified, then
+only purges keys with kvnos lower than \fIoldest_kvno_to_keep\fP\&. If
\fB\-all\fP is specified, then all keys are purged. The \fB\-all\fP option
is new in release 1.12.
.sp
@@ -528,8 +603,8 @@ Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 2
-Key: vno 1, DES cbc mode with CRC\-32, no salt
-Key: vno 1, DES cbc mode with CRC\-32, Version 4
+Key: vno 1, des\-cbc\-crc
+Key: vno 1, des\-cbc\-crc:v4
Attributes:
Policy: [none]
@@ -551,7 +626,7 @@ kadmin:
.sp
Retrieves all or some principal names. \fIexpression\fP is a shell\-style
glob expression that can contain the wild\-card characters \fB?\fP,
-\fB*\fP, and \fB[]\fP. All principal names matching the expression are
+\fB*\fP, and \fB[]\fP\&. All principal names matching the expression are
printed. If no expression is provided, all principal names are
printed. If the expression does not contain an \fB@\fP character, an
\fB@\fP character followed by the local realm is appended to the
@@ -584,7 +659,7 @@ kadmin:
.UNINDENT
.UNINDENT
.sp
-Displays string attributes on \fIprincipal\fP.
+Displays string attributes on \fIprincipal\fP\&.
.sp
This command requires the \fBinquire\fP privilege.
.sp
@@ -592,25 +667,50 @@ Alias: \fBgetstr\fP
.SS set_string
.INDENT 0.0
.INDENT 3.5
-\fBset_string\fP \fIprincipal\fP \fIkey\fP \fIvalue\fP
+\fBset_string\fP \fIprincipal\fP \fIname\fP \fIvalue\fP
.UNINDENT
.UNINDENT
.sp
-Sets a string attribute on \fIprincipal\fP. String attributes are used to
+Sets a string attribute on \fIprincipal\fP\&. String attributes are used to
supply per\-principal configuration to the KDC and some KDC plugin
-modules. The following string attributes are recognized by the KDC:
+modules. The following string attribute names are recognized by the
+KDC:
.INDENT 0.0
.TP
+.B \fBrequire_auth\fP
+Specifies an authentication indicator which is required to
+authenticate to the principal as a service. Multiple indicators
+can be specified, separated by spaces; in this case any of the
+specified indicators will be accepted. (New in release 1.14.)
+.TP
.B \fBsession_enctypes\fP
Specifies the encryption types supported for session keys when the
principal is authenticated to as a server. See
\fIEncryption_types\fP in \fIkdc.conf(5)\fP for a list of the
accepted values.
+.TP
+.B \fBotp\fP
+Enables One Time Passwords (OTP) preauthentication for a client
+\fIprincipal\fP\&. The \fIvalue\fP is a JSON string representing an array
+of objects, each having optional \fBtype\fP and \fBusername\fP fields.
.UNINDENT
.sp
This command requires the \fBmodify\fP privilege.
.sp
Alias: \fBsetstr\fP
+.sp
+Example:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+set_string host/foo.mit.edu session_enctypes aes128\-cts
+set_string user at FOO.COM otp [{"type":"hotp","username":"custom"}]
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
.SS del_string
.INDENT 0.0
.INDENT 3.5
@@ -618,7 +718,7 @@ Alias: \fBsetstr\fP
.UNINDENT
.UNINDENT
.sp
-Deletes a string attribute from \fIprincipal\fP.
+Deletes a string attribute from \fIprincipal\fP\&.
.sp
This command requires the \fBdelete\fP privilege.
.sp
@@ -683,7 +783,7 @@ is locked from authenticating if too many authentication failures
occur without the specified failure count interval elapsing.
A duration of 0 (the default) means the principal remains locked
out until it is administratively unlocked with \fBmodprinc
-\-unlock\fP.
+\-unlock\fP\&.
.TP
.B \fB\-allowedkeysalts\fP
Specifies the key/salt tuples supported for long\-term keys when
@@ -713,8 +813,8 @@ kadmin:
.UNINDENT
.UNINDENT
.sp
-Modifies the password policy named \fIpolicy\fP. Options are as described
-for \fBadd_policy\fP.
+Modifies the password policy named \fIpolicy\fP\&. Options are as described
+for \fBadd_policy\fP\&.
.sp
This command requires the \fBmodify\fP privilege.
.sp
@@ -726,7 +826,7 @@ Alias: \fBmodpol\fP
.UNINDENT
.UNINDENT
.sp
-Deletes the password policy named \fIpolicy\fP. Prompts for confirmation
+Deletes the password policy named \fIpolicy\fP\&. Prompts for confirmation
before deletion. The command will fail if the policy is in use by any
principals.
.sp
@@ -755,7 +855,7 @@ kadmin:
.UNINDENT
.UNINDENT
.sp
-Displays the values of the password policy named \fIpolicy\fP. With the
+Displays the values of the password policy named \fIpolicy\fP\&. With the
\fB\-terse\fP flag, outputs the fields as quoted strings separated by
tabs.
.sp
@@ -798,13 +898,13 @@ meaningful.
.sp
Retrieves all or some policy names. \fIexpression\fP is a shell\-style
glob expression that can contain the wild\-card characters \fB?\fP,
-\fB*\fP, and \fB[]\fP. All policy names matching the expression are
+\fB*\fP, and \fB[]\fP\&. All policy names matching the expression are
printed. If no expression is provided, all existing policy names are
printed.
.sp
This command requires the \fBlist\fP privilege.
.sp
-Aliases: \fBlistpols\fP, \fBget_policies\fP, \fBgetpols\fP.
+Aliases: \fBlistpols\fP, \fBget_policies\fP, \fBgetpols\fP\&.
.sp
Examples:
.INDENT 0.0
@@ -953,6 +1053,6 @@ interface to the OpenVision Kerberos administration program.
.SH AUTHOR
MIT
.SH COPYRIGHT
-1985-2013, MIT
+1985-2015, MIT
.\" Generated by docutils manpage writer.
.
diff --git a/src/man/kadmind.man b/src/man/kadmind.man
index d3be287..974ccad 100644
--- a/src/man/kadmind.man
+++ b/src/man/kadmind.man
@@ -1,4 +1,6 @@
-.TH "KADMIND" "8" " " "1.13" "MIT Kerberos"
+.\" Man page generated from reStructuredText.
+.
+.TH "KADMIND" "8" " " "1.14" "MIT Kerberos"
.SH NAME
kadmind \- KADM5 administration server
.
@@ -28,8 +30,6 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.\" Man page generated from reStructuredText.
-.
.SH SYNOPSIS
.sp
\fBkadmind\fP
@@ -37,6 +37,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
[\fB\-r\fP \fIrealm\fP]
[\fB\-m\fP]
[\fB\-nofork\fP]
+[\fB\-proponly\fP]
[\fB\-port\fP \fIport\-number\fP]
[\fB\-P\fP \fIpid_file\fP]
[\fB\-p\fP \fIkdb5_util_path\fP]
@@ -66,7 +67,7 @@ settings.
kadmind\(aqs ACL (access control list) tells it which principals are
allowed to perform administration actions. The pathname to the
ACL file can be specified with the \fBacl_file\fP \fIkdc.conf(5)\fP
-variable; by default, it is \fB at LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/kadm5.acl\fP.
+variable; by default, it is \fB at LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/kadm5.acl\fP\&.
.UNINDENT
.sp
After the server begins running, it puts itself in the background and
@@ -78,8 +79,9 @@ and policy updates incrementally instead of receiving full dumps of
the database. This facility can be enabled in the \fIkdc.conf(5)\fP
file with the \fBiprop_enable\fP option. Incremental propagation
requires the principal \fBkiprop/MASTER\e at REALM\fP (where MASTER is the
-master KDC\(aqs canonical host name, and REALM the realm name) to be
-registered in the database.
+master KDC\(aqs canonical host name, and REALM the realm name). In
+release 1.13, this principal is automatically created and registered
+into the datebase.
.SH OPTIONS
.INDENT 0.0
.TP
@@ -98,10 +100,16 @@ causes the server to remain in the foreground and remain
associated to the terminal. In normal operation, you should allow
the server to place itself in the background.
.TP
+.B \fB\-proponly\fP
+causes the server to only listen and respond to Kerberos slave
+incremental propagation polling requests. This option can be used
+to set up a hierarchical propagation topology where a slave KDC
+provides incremental updates to other Kerberos slaves.
+.TP
.B \fB\-port\fP \fIport\-number\fP
specifies the port on which the administration server listens for
connections. The default port is determined by the
-\fBkadmind_port\fP configuration variable in \fIkdc.conf(5)\fP.
+\fBkadmind_port\fP configuration variable in \fIkdc.conf(5)\fP\&.
.TP
.B \fB\-P\fP \fIpid_file\fP
specifies the file to which the PID of kadmind process should be
@@ -122,43 +130,7 @@ specifies the file path to be used for dumping the KDB in response
to full resync requests when iprop is enabled.
.TP
.B \fB\-x\fP \fIdb_args\fP
-specifies database\-specific arguments.
-.sp
-Options supported for LDAP database are:
-.INDENT 7.0
-.INDENT 3.5
-.INDENT 0.0
-.TP
-.B \fB\-x nconns=\fP\fInumber_of_connections\fP
-specifies the number of connections to be maintained per
-LDAP server.
-.TP
-.B \fB\-x host=\fP\fIldapuri\fP
-specifies the LDAP server to connect to by URI.
-.TP
-.B \fB\-x binddn=\fP\fIbinddn\fP
-specifies the DN of the object used by the administration
-server to bind to the LDAP server. This object should
-have read and write privileges on the realm container, the
-principal container, and the subtree that is referenced by
-the realm.
-.TP
-.B \fB\-x bindpwd=\fP\fIbind_password\fP
-specifies the password for the above mentioned binddn.
-Using this option may expose the password to other users
-on the system via the process list; to avoid this, instead
-stash the password using the \fBstashsrvpw\fP command of
-\fIkdb5_ldap_util(8)\fP.
-.TP
-.B \fB\-x debug=\fP\fIlevel\fP
-sets the OpenLDAP client library debug level. \fIlevel\fP is
-an integer to be interpreted by the library. Debugging
-messages are printed to standard error, so this option
-must be used with the \fB\-nofork\fP option to be useful.
-New in release 1.12.
-.UNINDENT
-.UNINDENT
-.UNINDENT
+specifies database\-specific arguments. See \fIDatabase Options\fP in \fIkadmin(1)\fP for supported arguments.
.UNINDENT
.SH SEE ALSO
.sp
@@ -167,6 +139,6 @@ New in release 1.12.
.SH AUTHOR
MIT
.SH COPYRIGHT
-1985-2013, MIT
+1985-2015, MIT
.\" Generated by docutils manpage writer.
.
diff --git a/src/man/kdb5_ldap_util.man b/src/man/kdb5_ldap_util.man
index 17ecea9..a8d7884 100644
--- a/src/man/kdb5_ldap_util.man
+++ b/src/man/kdb5_ldap_util.man
@@ -1,4 +1,6 @@
-.TH "KDB5_LDAP_UTIL" "8" " " "1.13" "MIT Kerberos"
+.\" Man page generated from reStructuredText.
+.
+.TH "KDB5_LDAP_UTIL" "8" " " "1.14" "MIT Kerberos"
.SH NAME
kdb5_ldap_util \- Kerberos configuration utility
.
@@ -28,8 +30,6 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.\" Man page generated from reStructuredText.
-.
.SH SYNOPSIS
.sp
\fBkdb5_ldap_util\fP
@@ -49,7 +49,7 @@ Specifies the Distinguished Name (DN) of the user who has
sufficient rights to perform the operation on the LDAP server.
.TP
.B \fB\-w\fP \fIpasswd\fP
-Specifies the password of \fIuser_dn\fP. This option is not
+Specifies the password of \fIuser_dn\fP\&. This option is not
recommended.
.TP
.B \fB\-H\fP \fIldapuri\fP
@@ -97,7 +97,7 @@ realm container.
.B \fB\-k\fP \fImkeytype\fP
Specifies the key type of the master key in the database. The
default is given by the \fBmaster_key_type\fP variable in
-\fIkdc.conf(5)\fP.
+\fIkdc.conf(5)\fP\&.
.TP
.B \fB\-kv\fP \fImkeyVNO\fP
Specifies the version number of the master key in the database;
@@ -131,7 +131,7 @@ tickets for principals in this realm.
.B \fIticket_flags\fP
Specifies global ticket flags for the realm. Allowable flags are
documented in the description of the \fBadd_principal\fP command in
-\fIkadmin(1)\fP.
+\fIkadmin(1)\fP\&.
.UNINDENT
.sp
Example:
@@ -197,7 +197,7 @@ tickets for principals in this realm.
.B \fIticket_flags\fP
Specifies global ticket flags for the realm. Allowable flags are
documented in the description of the \fBadd_principal\fP command in
-\fIkadmin(1)\fP.
+\fIkadmin(1)\fP\&.
.UNINDENT
.sp
Example:
@@ -314,7 +314,7 @@ shell%
.INDENT 3.5
\fBstashsrvpw\fP
[\fB\-f\fP \fIfilename\fP]
-\fIservicedn\fP
+\fIname\fP
.UNINDENT
.UNINDENT
.sp
@@ -327,9 +327,15 @@ to the LDAP server. Options:
Specifies the complete path of the service password file. By
default, \fB/usr/local/var/service_passwd\fP is used.
.TP
-.B \fIservicedn\fP
-Specifies Distinguished Name (DN) of the service object whose
-password is to be stored in file.
+.B \fIname\fP
+Specifies the name of the object whose password is to be stored.
+If \fIkrb5kdc(8)\fP or \fIkadmind(8)\fP are configured for
+simple binding, this should be the distinguished name it will
+use as given by the \fBldap_kdc_dn\fP or \fBldap_kadmind_dn\fP
+variable in \fIkdc.conf(5)\fP\&. If the KDC or kadmind is
+configured for SASL binding, this should be the authentication
+name it will use as given by the \fBldap_kdc_sasl_authcid\fP or
+\fBldap_kadmind_sasl_authcid\fP variable.
.UNINDENT
.sp
Example:
@@ -376,7 +382,7 @@ tickets for principals.
Specifies the ticket flags. If this option is not specified, by
default, no restriction will be set by the policy. Allowable
flags are documented in the description of the \fBadd_principal\fP
-command in \fIkadmin(1)\fP.
+command in \fIkadmin(1)\fP\&.
.TP
.B \fIpolicy_name\fP
Specifies the name of the ticket policy.
@@ -410,7 +416,7 @@ Password for "cn=admin,o=org":
.UNINDENT
.sp
Modifies the attributes of a ticket policy. Options are same as for
-\fBcreate_policy\fP.
+\fBcreate_policy\fP\&.
.sp
Example:
.INDENT 0.0
@@ -538,6 +544,6 @@ userpolicy
.SH AUTHOR
MIT
.SH COPYRIGHT
-1985-2013, MIT
+1985-2015, MIT
.\" Generated by docutils manpage writer.
.
diff --git a/src/man/kdb5_util.man b/src/man/kdb5_util.man
index a90976d..36d5efa 100644
--- a/src/man/kdb5_util.man
+++ b/src/man/kdb5_util.man
@@ -1,4 +1,6 @@
-.TH "KDB5_UTIL" "8" " " "1.13" "MIT Kerberos"
+.\" Man page generated from reStructuredText.
+.
+.TH "KDB5_UTIL" "8" " " "1.14" "MIT Kerberos"
.SH NAME
kdb5_util \- Kerberos database maintenance utility
.
@@ -28,8 +30,6 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.\" Man page generated from reStructuredText.
-.
.SH SYNOPSIS
.sp
\fBkdb5_util\fP
@@ -63,14 +63,14 @@ specifies the Kerberos realm of the database.
.TP
.B \fB\-d\fP \fIdbname\fP
specifies the name under which the principal database is stored;
-by default the database is that listed in \fIkdc.conf(5)\fP. The
+by default the database is that listed in \fIkdc.conf(5)\fP\&. The
password policy database and lock files are also derived from this
value.
.TP
.B \fB\-k\fP \fImkeytype\fP
specifies the key type of the master key in the database. The
default is given by the \fBmaster_key_type\fP variable in
-\fIkdc.conf(5)\fP.
+\fIkdc.conf(5)\fP\&.
.TP
.B \fB\-kv\fP \fImkeyVNO\fP
Specifies the version number of the master key in the database;
@@ -79,7 +79,7 @@ the default is 1. Note that 0 is not allowed.
.B \fB\-M\fP \fImkeyname\fP
principal name for the master key in the database. If not
specified, the name is determined by the \fBmaster_key_name\fP
-variable in \fIkdc.conf(5)\fP.
+variable in \fIkdc.conf(5)\fP\&.
.TP
.B \fB\-m\fP
specifies that the master database password should be read from
@@ -88,7 +88,7 @@ the keyboard rather than fetched from a file on disk.
.B \fB\-sf\fP \fIstash_file\fP
specifies the stash filename of the master database password. If
not specified, the filename is determined by the
-\fBkey_stash_file\fP variable in \fIkdc.conf(5)\fP.
+\fBkey_stash_file\fP variable in \fIkdc.conf(5)\fP\&.
.TP
.B \fB\-P\fP \fIpassword\fP
specifies the master database password. Using this option may
@@ -126,13 +126,13 @@ the \fB\-f\fP argument, does not prompt the user.
.sp
Stores the master principal\(aqs keys in a stash file. The \fB\-f\fP
argument can be used to override the \fIkeyfile\fP specified in
-\fIkdc.conf(5)\fP.
+\fIkdc.conf(5)\fP\&.
.SS dump
.INDENT 0.0
.INDENT 3.5
\fBdump\fP [\fB\-b7\fP|\fB\-ov\fP|\fB\-r13\fP] [\fB\-verbose\fP]
[\fB\-mkey_convert\fP] [\fB\-new_mkey_file\fP \fImkey_file\fP] [\fB\-rev\fP]
-[\fB\-recurse\fP] [\fIfilename\fP [\fIprincipals\fP...]]
+[\fB\-recurse\fP] [\fIfilename\fP [\fIprincipals\fP\&...]]
.UNINDENT
.UNINDENT
.sp
@@ -206,7 +206,8 @@ Options:
.TP
.B \fB\-b7\fP
requires the database to be in the Kerberos 5 Beta 7 format
-("kdb5_util load_dump version 4").
+("kdb5_util load_dump version 4"). This was the dump format
+produced on releases prior to 1.2.2.
.TP
.B \fB\-ov\fP
requires the database to be in "ovsec_adm_import" format. Must be
@@ -234,10 +235,7 @@ is dumped.
.TP
.B \fB\-update\fP
records from the dump file are added to or updated in the existing
-database. (This is useful in conjunction with an ovsec_adm_export
-format dump if you want to preserve per\-principal policy
-information, since the current default format does not contain
-this data.) Otherwise, a new database is created containing only
+database. Otherwise, a new database is created containing only
what is in the dump file and the old one destroyed upon successful
completion.
.UNINDENT
@@ -270,7 +268,7 @@ values. The \fB\-s\fP option stashes the new master key in the stash
file, which will be created if it doesn\(aqt already exist.
.sp
After a new master key is added, it should be propagated to slave
-servers via a manual or periodic invocation of \fIkprop(8)\fP. Then,
+servers via a manual or periodic invocation of \fIkprop(8)\fP\&. Then,
the stash files on the slave servers should be updated with the
kdb5_util \fBstash\fP command. Once those steps are complete, the key
is ready to be marked active with the kdb5_util \fBuse_mkey\fP command.
@@ -281,7 +279,7 @@ is ready to be marked active with the kdb5_util \fBuse_mkey\fP command.
.UNINDENT
.UNINDENT
.sp
-Sets the activation time of the master key specified by \fImkeyVNO\fP.
+Sets the activation time of the master key specified by \fImkeyVNO\fP\&.
Once a master key becomes active, it will be used to encrypt newly
created principal keys. If no \fItime\fP argument is given, the current
time is used, causing the specified master key version to become
@@ -299,7 +297,7 @@ principal keys to be encrypted in the new master key.
.sp
List all master keys, from most recent to earliest, in the master key
principal. The output will show the kvno, enctype, and salt type for
-each mkey, similar to the output of \fIkadmin(1)\fP \fBgetprinc\fP. A
+each mkey, similar to the output of \fIkadmin(1)\fP \fBgetprinc\fP\&. A
\fB*\fP following an mkey denotes the currently active master key.
.SS purge_mkeys
.INDENT 0.0
@@ -340,12 +338,212 @@ before starting to make changes. The \fB\-v\fP option causes each
principal processed to be listed, with an indication as to whether it
needed updating or not. The \fB\-n\fP option performs a dry run, only
showing the actions which would have been taken.
+.SS tabdump
+.INDENT 0.0
+.INDENT 3.5
+\fBtabdump\fP [\fB\-H\fP] [\fB\-c\fP] [\fB\-e\fP] [\fB\-n\fP] [\fB\-o\fP \fIoutfile\fP]
+\fIdumptype\fP
+.UNINDENT
+.UNINDENT
+.sp
+Dump selected fields of the database in a tabular format suitable for
+reporting (e.g., using traditional Unix text processing tools) or
+importing into relational databases. The data format is tab\-separated
+(default), or optionally comma\-separated (CSV), with a fixed number of
+columns. The output begins with a header line containing field names,
+unless suppression is requested using the \fB\-H\fP option.
+.sp
+The \fIdumptype\fP parameter specifies the name of an output table (see
+below).
+.sp
+Options:
+.INDENT 0.0
+.TP
+.B \fB\-H\fP
+suppress writing the field names in a header line
+.TP
+.B \fB\-c\fP
+use comma separated values (CSV) format, with minimal quoting,
+instead of the default tab\-separated (unquoted, unescaped) format
+.TP
+.B \fB\-e\fP
+write empty hexadecimal string fields as empty fields instead of
+as "\-1".
+.TP
+.B \fB\-n\fP
+produce numeric output for fields that normally have symbolic
+output, such as enctypes and flag names. Also requests output of
+time stamps as decimal POSIX time_t values.
+.TP
+.B \fB\-o\fP \fIoutfile\fP
+write the dump to the specified output file instead of to standard
+output
+.UNINDENT
+.sp
+Dump types:
+.INDENT 0.0
+.TP
+.B \fBkeydata\fP
+principal encryption key information, including actual key data
+(which is still encrypted in the master key)
+.INDENT 7.0
+.TP
+.B \fBname\fP
+principal name
+.TP
+.B \fBkeyindex\fP
+index of this key in the principal\(aqs key list
+.TP
+.B \fBkvno\fP
+key version number
+.TP
+.B \fBenctype\fP
+encryption type
+.TP
+.B \fBkey\fP
+key data as a hexadecimal string
+.TP
+.B \fBsalttype\fP
+salt type
+.TP
+.B \fBsalt\fP
+salt data as a hexadecimal string
+.UNINDENT
+.TP
+.B \fBkeyinfo\fP
+principal encryption key information (as in \fBkeydata\fP above),
+excluding actual key data
+.TP
+.B \fBprinc_flags\fP
+principal boolean attributes. Flag names print as hexadecimal
+numbers if the \fB\-n\fP option is specified, and all flag positions
+are printed regardless of whether or not they are set. If \fB\-n\fP
+is not specified, print all known flag names for each principal,
+but only print hexadecimal flag names if the corresponding flag is
+set.
+.INDENT 7.0
+.TP
+.B \fBname\fP
+principal name
+.TP
+.B \fBflag\fP
+flag name
+.TP
+.B \fBvalue\fP
+boolean value (0 for clear, or 1 for set)
+.UNINDENT
+.TP
+.B \fBprinc_lockout\fP
+state information used for tracking repeated password failures
+.INDENT 7.0
+.TP
+.B \fBname\fP
+principal name
+.TP
+.B \fBlast_success\fP
+time stamp of most recent successful authentication
+.TP
+.B \fBlast_failed\fP
+time stamp of most recent failed authentication
+.TP
+.B \fBfail_count\fP
+count of failed attempts
+.UNINDENT
+.TP
+.B \fBprinc_meta\fP
+principal metadata
+.INDENT 7.0
+.TP
+.B \fBname\fP
+principal name
+.TP
+.B \fBmodby\fP
+name of last principal to modify this principal
+.TP
+.B \fBmodtime\fP
+timestamp of last modification
+.TP
+.B \fBlastpwd\fP
+timestamp of last password change
+.TP
+.B \fBpolicy\fP
+policy object name
+.TP
+.B \fBmkvno\fP
+key version number of the master key that encrypts this
+principal\(aqs key data
+.TP
+.B \fBhist_kvno\fP
+key version number of the history key that encrypts the key
+history data for this principal
+.UNINDENT
+.TP
+.B \fBprinc_stringattrs\fP
+string attributes (key/value pairs)
+.INDENT 7.0
+.TP
+.B \fBname\fP
+principal name
+.TP
+.B \fBkey\fP
+attribute name
+.TP
+.B \fBvalue\fP
+attribute value
+.UNINDENT
+.TP
+.B \fBprinc_tktpolicy\fP
+per\-principal ticket policy data, including maximum ticket
+lifetimes
+.INDENT 7.0
+.TP
+.B \fBname\fP
+principal name
+.TP
+.B \fBexpiration\fP
+principal expiration date
+.TP
+.B \fBpw_expiration\fP
+password expiration date
+.TP
+.B \fBmax_life\fP
+maximum ticket lifetime
+.TP
+.B \fBmax_renew_life\fP
+maximum renewable ticket lifetime
+.UNINDENT
+.UNINDENT
+.sp
+Examples:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+$ kdb5_util tabdump \-o keyinfo.txt keyinfo
+$ cat keyinfo.txt
+name keyindex kvno enctype salttype salt
+foo at EXAMPLE.COM 0 1 aes128\-cts\-hmac\-sha1\-96 normal \-1
+bar at EXAMPLE.COM 0 1 aes128\-cts\-hmac\-sha1\-96 normal \-1
+bar at EXAMPLE.COM 1 1 des\-cbc\-crc normal \-1
+$ sqlite3
+sqlite> .mode tabs
+sqlite> .import keyinfo.txt keyinfo
+sqlite> select * from keyinfo where enctype like \(aqdes\-cbc\-%\(aq;
+bar at EXAMPLE.COM 1 1 des\-cbc\-crc normal \-1
+sqlite> .quit
+$ awk \-F\(aq\et\(aq \(aq$4 ~ /des\-cbc\-/ { print }\(aq keyinfo.txt
+bar at EXAMPLE.COM 1 1 des\-cbc\-crc normal \-1
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
.SH SEE ALSO
.sp
\fIkadmin(1)\fP
.SH AUTHOR
MIT
.SH COPYRIGHT
-1985-2013, MIT
+1985-2015, MIT
.\" Generated by docutils manpage writer.
.
diff --git a/src/man/kdc.conf.man b/src/man/kdc.conf.man
index 5d32bf4..c1d9723 100644
--- a/src/man/kdc.conf.man
+++ b/src/man/kdc.conf.man
@@ -1,4 +1,6 @@
-.TH "KDC.CONF" "5" " " "1.13" "MIT Kerberos"
+.\" Man page generated from reStructuredText.
+.
+.TH "KDC.CONF" "5" " " "1.14" "MIT Kerberos"
.SH NAME
kdc.conf \- Kerberos V5 KDC configuration file
.
@@ -28,8 +30,6 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.\" Man page generated from reStructuredText.
-.
.sp
The kdc.conf file supplements \fIkrb5.conf(5)\fP for programs which
are typically only used on a KDC, such as the \fIkrb5kdc(8)\fP and
@@ -39,8 +39,8 @@ KDC programs mentioned, krb5.conf and kdc.conf will be merged into a
single configuration profile.
.sp
Normally, the kdc.conf file is found in the KDC state directory,
-\fB at LOCALSTATEDIR@\fP\fB/krb5kdc\fP. You can override the default location by setting the
-environment variable \fBKRB5_KDC_PROFILE\fP.
+\fB at LOCALSTATEDIR@\fP\fB/krb5kdc\fP\&. You can override the default location by setting the
+environment variable \fBKRB5_KDC_PROFILE\fP\&.
.sp
Please note that you need to restart the KDC daemon for any configuration
changes to take effect.
@@ -116,6 +116,8 @@ Each tag in the [realms] section is the name of a Kerberos realm. The
value of the tag is a subsection where the relations define KDC
parameters for that particular realm. The following example shows how
to define one parameter for the ATHENA.MIT.EDU realm:
+.INDENT 0.0
+.INDENT 3.5
.sp
.nf
.ft C
@@ -125,6 +127,8 @@ to define one parameter for the ATHENA.MIT.EDU realm:
}
.ft P
.fi
+.UNINDENT
+.UNINDENT
.sp
The following tags may be specified in a [realms] subsection:
.INDENT 0.0
@@ -133,8 +137,8 @@ The following tags may be specified in a [realms] subsection:
(String.) Location of the access control list file that
\fIkadmind(8)\fP uses to determine which principals are allowed
which permissions on the Kerberos database. The default value is
-\fB at LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/kadm5.acl\fP. For more information on Kerberos ACL
-file see \fIkadm5.acl(5)\fP.
+\fB at LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/kadm5.acl\fP\&. For more information on Kerberos ACL
+file see \fIkadm5.acl(5)\fP\&.
.TP
.B \fBdatabase_module\fP
(String.) This relation indicates the name of the configuration
@@ -147,7 +151,7 @@ values will be used for all database parameters.
(String, deprecated.) This relation specifies the location of the
Kerberos database for this realm, if the DB2 module is being used
and the \fI\%[dbmodules]\fP configuration section does not specify a
-database name. The default value is \fB at LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/principal\fP.
+database name. The default value is \fB at LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/principal\fP\&.
.TP
.B \fBdefault_principal_expiration\fP
(\fIabstime\fP string.) Specifies the default expiration date of
@@ -257,8 +261,8 @@ propagation is enabled. The default value is false.
.TP
.B \fBiprop_master_ulogsize\fP
(Integer.) Specifies the maximum number of log entries to be
-retained for incremental propagation. The maximum value is 2500;
-the default value is 1000.
+retained for incremental propagation. The default value is 1000.
+Prior to release 1.11, the maximum value was 2500.
.TP
.B \fBiprop_slave_poll\fP
(Delta time string.) Specifies how often the slave KDC polls for
@@ -280,7 +284,7 @@ minutes (\fB5m\fP). New in release 1.11.
(File name.) Specifies where the update log file for the realm
database is to be stored. The default is to use the
\fBdatabase_name\fP entry from the realms section of the krb5 config
-file, with \fB.ulog\fP appended. (NOTE: If \fBdatabase_name\fP isn\(aqt
+file, with \fB\&.ulog\fP appended. (NOTE: If \fBdatabase_name\fP isn\(aqt
specified in the realms section, perhaps because the LDAP database
back end is being used, or the file name is specified in the
[dbmodules] section, then the hard\-coded default for
@@ -306,22 +310,20 @@ historically used by Kerberos V4.
.B \fBkdc_tcp_ports\fP
(Whitespace\- or comma\-separated list.) Lists the ports on which
the Kerberos server should listen for TCP connections, as a
-comma\-separated list of integers. If this relation is not
-specified, the compiled\-in default is not to listen for TCP
-connections at all.
-.sp
-If you wish to change this (note that the current implementation
-has little protection against denial\-of\-service attacks), the
-standard port number assigned for Kerberos TCP traffic is port 88.
+comma\-separated list of integers. To disable listening on TCP,
+set this relation to the empty string with \fBkdc_tcp_ports = ""\fP\&.
+If this relation is not specified, the default is to listen on TCP
+port 88 (the standard port). Prior to release 1.13, the default
+was not to listen for TCP connections at all.
.TP
.B \fBmaster_key_name\fP
(String.) Specifies the name of the principal associated with the
-master key. The default is \fBK/M\fP.
+master key. The default is \fBK/M\fP\&.
.TP
.B \fBmaster_key_type\fP
(Key type string.) Specifies the master key\(aqs key type. The
-default value for this is \fBaes256\-cts\-hmac\-sha1\-96\fP. For a list of all possible
-values, see \fI\%Encryption types\fP.
+default value for this is \fBaes256\-cts\-hmac\-sha1\-96\fP\&. For a list of all possible
+values, see \fI\%Encryption types\fP\&.
.TP
.B \fBmax_life\fP
(\fIduration\fP string.) Specifies the maximum time period for
@@ -337,7 +339,7 @@ The default value is 0.
(Whitespace\- or comma\-separated list.) Lists services to block
from getting host\-based referral processing, even if the client
marks the server principal as host\-based or the service is also
-listed in \fBhost_based_services\fP. \fBno_host_referral = *\fP will
+listed in \fBhost_based_services\fP\&. \fBno_host_referral = *\fP will
disable referral processing altogether.
.TP
.B \fBdes_crc_session_supported\fP
@@ -380,8 +382,8 @@ default value is false. New in release 1.9.
(List of \fIkey\fP:\fIsalt\fP strings.) Specifies the default key/salt
combinations of principals for this realm. Any principals created
through \fIkadmin(1)\fP will have keys of these types. The
-default value for this tag is \fBaes256\-cts\-hmac\-sha1\-96:normal aes128\-cts\-hmac\-sha1\-96:normal des3\-cbc\-sha1:normal arcfour\-hmac\-md5:normal\fP. For lists of
-possible values, see \fI\%Keysalt lists\fP.
+default value for this tag is \fBaes256\-cts\-hmac\-sha1\-96:normal aes128\-cts\-hmac\-sha1\-96:normal des3\-cbc\-sha1:normal arcfour\-hmac\-md5:normal\fP\&. For lists of
+possible values, see \fI\%Keysalt lists\fP\&.
.UNINDENT
.SS [dbdefaults]
.sp
@@ -395,8 +397,24 @@ definitions of these relations.
.IP \(bu 2
\fBldap_kdc_dn\fP
.IP \(bu 2
+\fBldap_kdc_sasl_authcid\fP
+.IP \(bu 2
+\fBldap_kdc_sasl_authzid\fP
+.IP \(bu 2
+\fBldap_kdc_sasl_mech\fP
+.IP \(bu 2
+\fBldap_kdc_sasl_realm\fP
+.IP \(bu 2
\fBldap_kadmind_dn\fP
.IP \(bu 2
+\fBldap_kadmind_sasl_authcid\fP
+.IP \(bu 2
+\fBldap_kadmind_sasl_authzid\fP
+.IP \(bu 2
+\fBldap_kadmind_sasl_mech\fP
+.IP \(bu 2
+\fBldap_kadmind_sasl_realm\fP
+.IP \(bu 2
\fBldap_service_password_file\fP
.IP \(bu 2
\fBldap_servers\fP
@@ -410,6 +428,8 @@ library and database modules. Each tag in the [dbmodules] section is
the name of a Kerberos realm or a section name specified by a realm\(aqs
\fBdatabase_module\fP parameter. The following example shows how to
define one database parameter for the ATHENA.MIT.EDU realm:
+.INDENT 0.0
+.INDENT 3.5
.sp
.nf
.ft C
@@ -419,13 +439,15 @@ define one database parameter for the ATHENA.MIT.EDU realm:
}
.ft P
.fi
+.UNINDENT
+.UNINDENT
.sp
The following tags may be specified in a [dbmodules] subsection:
.INDENT 0.0
.TP
.B \fBdatabase_name\fP
This DB2\-specific tag indicates the location of the database in
-the filesystem. The default is \fB at LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/principal\fP.
+the filesystem. The default is \fB at LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/principal\fP\&.
.TP
.B \fBdb_library\fP
This tag indicates the name of the loadable database module. The
@@ -451,18 +473,41 @@ introduced in release 1.9.
This LDAP\-specific tag indicates the number of connections to be
maintained per LDAP server.
.TP
-.B \fBldap_kadmind_dn\fP
-This LDAP\-specific tag indicates the default bind DN for the
-\fIkadmind(8)\fP daemon. kadmind does a login to the directory
-as this object. This object should have the rights to read and
-write the Kerberos data in the LDAP database.
-.TP
-.B \fBldap_kdc_dn\fP
-This LDAP\-specific tag indicates the default bind DN for the
-\fIkrb5kdc(8)\fP daemon. The KDC does a login to the directory
-as this object. This object should have the rights to read the
-Kerberos data in the LDAP database, and to write data unless
-\fBdisable_lockout\fP and \fBdisable_last_success\fP are true.
+.B \fBldap_kdc_dn\fP and \fBldap_kadmind_dn\fP
+These LDAP\-specific tags indicate the default DN for binding to
+the LDAP server. The \fIkrb5kdc(8)\fP daemon uses
+\fBldap_kdc_dn\fP, while the \fIkadmind(8)\fP daemon and other
+administrative programs use \fBldap_kadmind_dn\fP\&. The kadmind DN
+must have the rights to read and write the Kerberos data in the
+LDAP database. The KDC DN must have the same rights, unless
+\fBdisable_lockout\fP and \fBdisable_last_success\fP are true, in
+which case it only needs to have rights to read the Kerberos data.
+These tags are ignored if a SASL mechanism is set with
+\fBldap_kdc_sasl_mech\fP or \fBldap_kadmind_sasl_mech\fP\&.
+.TP
+.B \fBldap_kdc_sasl_mech\fP and \fBldap_kadmind_sasl_mech\fP
+These LDAP\-specific tags specify the SASL mechanism (such as
+\fBEXTERNAL\fP) to use when binding to the LDAP server. New in
+release 1.13.
+.TP
+.B \fBldap_kdc_sasl_authcid\fP and \fBldap_kadmind_sasl_authcid\fP
+These LDAP\-specific tags specify the SASL authentication identity
+to use when binding to the LDAP server. Not all SASL mechanisms
+require an authentication identity. If the SASL mechanism
+requires a secret (such as the password for \fBDIGEST\-MD5\fP), these
+tags also determine the name within the
+\fBldap_service_password_file\fP where the secret is stashed. New
+in release 1.13.
+.TP
+.B \fBldap_kdc_sasl_authzid\fP and \fBldap_kadmind_sasl_authzid\fP
+These LDAP\-specific tags specify the SASL authorization identity
+to use when binding to the LDAP server. In most circumstances
+they do not need to be specified. New in release 1.13.
+.TP
+.B \fBldap_kdc_sasl_realm\fP and \fBldap_kadmind_sasl_realm\fP
+These LDAP\-specific tags specify the SASL realm to use when
+binding to the LDAP server. In most circumstances they do not
+need to be set. New in release 1.13.
.TP
.B \fBldap_kerberos_container_dn\fP
This LDAP\-specific tag indicates the DN of the container object
@@ -478,8 +523,16 @@ to the LDAP server.
.B \fBldap_service_password_file\fP
This LDAP\-specific tag indicates the file containing the stashed
passwords (created by \fBkdb5_ldap_util stashsrvpw\fP) for the
-\fBldap_kadmind_dn\fP and \fBldap_kdc_dn\fP objects. This file must
-be kept secure.
+\fBldap_kdc_dn\fP and \fBldap_kadmind_dn\fP objects, or for the
+\fBldap_kdc_sasl_authcid\fP or \fBldap_kadmind_sasl_authcid\fP names
+for SASL authentication. This file must be kept secure.
+.TP
+.B \fBunlockiter\fP
+If set to \fBtrue\fP, this DB2\-specific tag causes iteration
+operations to release the database lock while processing each
+principal. Setting this flag to \fBtrue\fP can prevent extended
+blocking of KDC or kadmin operations when dumps of large databases
+are in progress. First introduced in release 1.13.
.UNINDENT
.sp
The following tag may be specified directly in the [dbmodules]
@@ -513,7 +566,7 @@ Values are of the following forms:
.TP
.B \fBFILE=\fP\fIfilename\fP or \fBFILE:\fP\fIfilename\fP
This value causes the daemon\(aqs logging messages to go to the
-\fIfilename\fP. If the \fB=\fP form is used, the file is overwritten.
+\fIfilename\fP\&. If the \fB=\fP form is used, the file is overwritten.
If the \fB:\fP form is used, the file is appended to.
.TP
.B \fBSTDERR\fP
@@ -535,23 +588,23 @@ The severity argument specifies the default severity of system log
messages. This may be any of the following severities supported
by the syslog(3) call, minus the \fBLOG_\fP prefix: \fBEMERG\fP,
\fBALERT\fP, \fBCRIT\fP, \fBERR\fP, \fBWARNING\fP, \fBNOTICE\fP, \fBINFO\fP,
-and \fBDEBUG\fP.
+and \fBDEBUG\fP\&.
.sp
The facility argument specifies the facility under which the
messages are logged. This may be any of the following facilities
supported by the syslog(3) call minus the LOG_ prefix: \fBKERN\fP,
\fBUSER\fP, \fBMAIL\fP, \fBDAEMON\fP, \fBAUTH\fP, \fBLPR\fP, \fBNEWS\fP,
-\fBUUCP\fP, \fBCRON\fP, and \fBLOCAL0\fP through \fBLOCAL7\fP.
+\fBUUCP\fP, \fBCRON\fP, and \fBLOCAL0\fP through \fBLOCAL7\fP\&.
.sp
-If no severity is specified, the default is \fBERR\fP. If no
-facility is specified, the default is \fBAUTH\fP.
+If no severity is specified, the default is \fBERR\fP\&. If no
+facility is specified, the default is \fBAUTH\fP\&.
.UNINDENT
.sp
In the following example, the logging messages from the KDC will go to
the console and to the system log under the facility LOG_DAEMON with
default severity of LOG_INFO; and the logging messages from the
administrative server will be appended to the file
-\fB/var/adm/kadmin.log\fP and sent to the device \fB/dev/tty04\fP.
+\fB/var/adm/kadmin.log\fP and sent to the device \fB/dev/tty04\fP\&.
.INDENT 0.0
.INDENT 3.5
.sp
@@ -579,7 +632,7 @@ For each token type, the following tags may be specified:
This is the server to send the RADIUS request to. It can be a
hostname with optional port, an ip address with optional port, or
a Unix domain socket address. The default is
-\fB at LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/<name>.socket\fP.
+\fB at LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/<name>.socket\fP\&.
.TP
.B \fBsecret\fP
This tag indicates a filename (which may be relative to \fB at LOCALSTATEDIR@\fP\fB/krb5kdc\fP)
@@ -603,10 +656,15 @@ server. The default is 3 retries (4 tries).
.B \fBstrip_realm\fP
If this tag is \fBtrue\fP, the principal without the realm will be
passed to the RADIUS server. Otherwise, the realm will be
-included. The default value is \fBtrue\fP.
+included. The default value is \fBtrue\fP\&.
+.TP
+.B \fBindicator\fP
+This tag specifies an authentication indicator to be included in
+the ticket if this token type is used to authenticate. This
+option may be specified multiple times. (New in release 1.14.)
.UNINDENT
.sp
-In the following example, requests are sent to a remote server via UDP.
+In the following example, requests are sent to a remote server via UDP:
.INDENT 0.0
.INDENT 3.5
.sp
@@ -628,7 +686,7 @@ In the following example, requests are sent to a remote server via UDP.
An implicit default token type named \fBDEFAULT\fP is defined for when
the per\-principal configuration does not specify a token type. Its
configuration is shown below. You may override this token type to
-something applicable for your situation.
+something applicable for your situation:
.INDENT 0.0
.INDENT 3.5
.sp
@@ -643,16 +701,20 @@ something applicable for your situation.
.UNINDENT
.UNINDENT
.SH PKINIT OPTIONS
-.IP Note
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
The following are pkinit\-specific options. These values may
be specified in [kdcdefaults] as global defaults, or within
a realm\-specific subsection of [realms]. Also note that a
realm\-specific value over\-rides, does not add to, a generic
[kdcdefaults] specification. The search order is:
-.RE
+.UNINDENT
+.UNINDENT
.INDENT 0.0
.IP 1. 3
-realm\-specific subsection of [realms],
+realm\-specific subsection of [realms]:
.INDENT 3.0
.INDENT 3.5
.sp
@@ -667,7 +729,7 @@ realm\-specific subsection of [realms],
.UNINDENT
.UNINDENT
.IP 2. 3
-generic value in the [kdcdefaults] section.
+generic value in the [kdcdefaults] section:
.INDENT 3.0
.INDENT 3.5
.sp
@@ -683,7 +745,7 @@ generic value in the [kdcdefaults] section.
.sp
For information about the syntax of some of these options, see
\fISpecifying PKINIT identity information\fP in
-\fIkrb5.conf(5)\fP.
+\fIkrb5.conf(5)\fP\&.
.INDENT 0.0
.TP
.B \fBpkinit_anchors\fP
@@ -704,7 +766,7 @@ the certificate to the Kerberos principal name. The default value
is false.
.sp
Without this option, the KDC will only accept certificates with
-the id\-pkinit\-san as defined in \fI\%RFC 4556\fP. There is currently
+the id\-pkinit\-san as defined in \fI\%RFC 4556\fP\&. There is currently
no option to disable SAN checking in the KDC.
.TP
.B \fBpkinit_eku_checking\fP
@@ -716,7 +778,7 @@ recognized in the kdc.conf file are:
.B \fBkpClientAuth\fP
This is the default value and specifies that client
certificates must have the id\-pkinit\-KPClientAuth EKU as
-defined in \fI\%RFC 4556\fP.
+defined in \fI\%RFC 4556\fP\&.
.TP
.B \fBscLogin\fP
If scLogin is specified, client certificates with the
@@ -733,13 +795,14 @@ this option is not recommended.
Specifies the location of the KDC\(aqs X.509 identity information.
This option is required if pkinit is to be supported by the KDC.
.TP
+.B \fBpkinit_indicator\fP
+Specifies an authentication indicator to include in the ticket if
+pkinit is used to authenticate. This option may be specified
+multiple times. (New in release 1.14.)
+.TP
.B \fBpkinit_kdc_ocsp\fP
Specifies the location of the KDC\(aqs OCSP.
.TP
-.B \fBpkinit_mapping_file\fP
-Specifies the name of the ACL pkinit mapping file. This file maps
-principals to the certificates that they can use.
-.TP
.B \fBpkinit_pool\fP
Specifies the location of intermediate certificates which may be
used by the KDC to complete the trust chain between a client\(aqs
@@ -907,8 +970,8 @@ database.
Kerberos keys for users are usually derived from passwords. Kerberos
commands and configuration parameters that affect generation of keys
take lists of enctype\-salttype ("keysalt") pairs, known as \fIkeysalt
-lists\fP. Each keysalt pair is an enctype name followed by a salttype
-name, in the format \fIenc\fP:\fIsalt\fP. Individual keysalt list members are
+lists\fP\&. Each keysalt pair is an enctype name followed by a salttype
+name, in the format \fIenc\fP:\fIsalt\fP\&. Individual keysalt list members are
separated by comma (",") characters or space characters. For example:
.INDENT 0.0
.INDENT 3.5
@@ -986,8 +1049,8 @@ Here\(aqs an example of a kdc.conf file:
kadmind_port = 749
max_life = 12h 0m 0s
max_renewable_life = 7d 0h 0m 0s
- master_key_type = des3\-hmac\-sha1
- supported_enctypes = des3\-hmac\-sha1:normal des\-cbc\-crc:normal des\-cbc\-crc:v4
+ master_key_type = aes256\-cts\-hmac\-sha1\-96
+ supported_enctypes = aes256\-cts\-hmac\-sha1\-96:normal aes128\-cts\-hmac\-sha1\-96:normal
database_module = openldap_ldapconf
}
@@ -1025,6 +1088,6 @@ Here\(aqs an example of a kdc.conf file:
.SH AUTHOR
MIT
.SH COPYRIGHT
-1985-2013, MIT
+1985-2015, MIT
.\" Generated by docutils manpage writer.
.
diff --git a/src/man/kdestroy.man b/src/man/kdestroy.man
index 70eb801..85332dd 100644
--- a/src/man/kdestroy.man
+++ b/src/man/kdestroy.man
@@ -1,4 +1,6 @@
-.TH "KDESTROY" "1" " " "1.13" "MIT Kerberos"
+.\" Man page generated from reStructuredText.
+.
+.TH "KDESTROY" "1" " " "1.14" "MIT Kerberos"
.SH NAME
kdestroy \- destroy Kerberos tickets
.
@@ -28,8 +30,6 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.\" Man page generated from reStructuredText.
-.
.SH SYNOPSIS
.sp
\fBkdestroy\fP
@@ -74,7 +74,7 @@ kdestroy uses the following environment variable:
.TP
.B \fBKRB5CCNAME\fP
Location of the default Kerberos 5 credentials (ticket) cache, in
-the form \fItype\fP:\fIresidual\fP. If no \fItype\fP prefix is present, the
+the form \fItype\fP:\fIresidual\fP\&. If no \fItype\fP prefix is present, the
\fBFILE\fP type is assumed. The type of the default cache may
determine the availability of a cache collection; for instance, a
default cache of type \fBDIR\fP causes caches within the directory
@@ -92,6 +92,6 @@ Default location of Kerberos 5 credentials cache
.SH AUTHOR
MIT
.SH COPYRIGHT
-1985-2013, MIT
+1985-2015, MIT
.\" Generated by docutils manpage writer.
.
diff --git a/src/man/kinit.man b/src/man/kinit.man
index 46802f4..c01f44e 100644
--- a/src/man/kinit.man
+++ b/src/man/kinit.man
@@ -1,4 +1,6 @@
-.TH "KINIT" "1" " " "1.13" "MIT Kerberos"
+.\" Man page generated from reStructuredText.
+.
+.TH "KINIT" "1" " " "1.14" "MIT Kerberos"
.SH NAME
kinit \- obtain and cache Kerberos ticket-granting ticket
.
@@ -28,8 +30,6 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.\" Man page generated from reStructuredText.
-.
.SH SYNOPSIS
.sp
\fBkinit\fP
@@ -56,7 +56,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.SH DESCRIPTION
.sp
kinit obtains and caches an initial ticket\-granting ticket for
-\fIprincipal\fP.
+\fIprincipal\fP\&.
.SH OPTIONS
.INDENT 0.0
.TP
@@ -65,9 +65,9 @@ display verbose output.
.TP
.B \fB\-l\fP \fIlifetime\fP
(\fIduration\fP string.) Requests a ticket with the lifetime
-\fIlifetime\fP.
+\fIlifetime\fP\&.
.sp
-For example, \fBkinit \-l 5:30\fP or \fBkinit \-l 5h30m\fP.
+For example, \fBkinit \-l 5:30\fP or \fBkinit \-l 5h30m\fP\&.
.sp
If the \fB\-l\fP option is not specified, the default ticket lifetime
(configured by each site) is used. Specifying a ticket lifetime
@@ -84,7 +84,7 @@ can become valid.
.TP
.B \fB\-r\fP \fIrenewable_life\fP
(\fIduration\fP string.) Requests renewable tickets, with a total
-lifetime of \fIrenewable_life\fP.
+lifetime of \fIrenewable_life\fP\&.
.TP
.B \fB\-f\fP
requests forwardable tickets.
@@ -123,6 +123,11 @@ with the validated ticket.
requests renewal of the ticket\-granting ticket. Note that an
expired ticket cannot be renewed, even if the ticket is still
within its renewable life.
+.sp
+Note that renewable tickets that have expired as reported by
+\fIklist(1)\fP may sometimes be renewed using this option,
+because the KDC applies a grace period to account for client\-KDC
+clock skew. See \fIkrb5.conf(5)\fP \fBclockskew\fP setting.
.TP
.B \fB\-k\fP [\fB\-i\fP | \fB\-t\fP \fIkeytab_file\fP]
requests a ticket, obtained from a key in the local host\(aqs keytab.
@@ -141,7 +146,7 @@ Requests anonymous processing. Two types of anonymous principals
are supported.
.sp
For fully anonymous Kerberos, configure pkinit on the KDC and
-configure \fBpkinit_anchors\fP in the client\(aqs \fIkrb5.conf(5)\fP.
+configure \fBpkinit_anchors\fP in the client\(aqs \fIkrb5.conf(5)\fP\&.
Then use the \fB\-n\fP option with a principal of the form \fB at REALM\fP
(an empty principal name followed by the at\-sign and a realm
name). If permitted by the KDC, an anonymous ticket will be
@@ -224,7 +229,7 @@ kinit uses the following environment variables:
.TP
.B \fBKRB5CCNAME\fP
Location of the default Kerberos 5 credentials cache, in the form
-\fItype\fP:\fIresidual\fP. If no \fItype\fP prefix is present, the \fBFILE\fP
+\fItype\fP:\fIresidual\fP\&. If no \fItype\fP prefix is present, the \fBFILE\fP
type is assumed. The type of the default cache may determine the
availability of a cache collection; for instance, a default cache
of type \fBDIR\fP causes caches within the directory to be present
@@ -245,6 +250,6 @@ default location for the local host\(aqs keytab.
.SH AUTHOR
MIT
.SH COPYRIGHT
-1985-2013, MIT
+1985-2015, MIT
.\" Generated by docutils manpage writer.
.
diff --git a/src/man/klist.man b/src/man/klist.man
index 220f0ef..51e7f84 100644
--- a/src/man/klist.man
+++ b/src/man/klist.man
@@ -1,4 +1,6 @@
-.TH "KLIST" "1" " " "1.13" "MIT Kerberos"
+.\" Man page generated from reStructuredText.
+.
+.TH "KLIST" "1" " " "1.14" "MIT Kerberos"
.SH NAME
klist \- list cached Kerberos tickets
.
@@ -28,8 +30,6 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.\" Man page generated from reStructuredText.
-.
.SH SYNOPSIS
.sp
\fBklist\fP
@@ -91,10 +91,9 @@ a anonymous
.UNINDENT
.TP
.B \fB\-s\fP
-Causes klist to run silently (produce no output), but to still set
-the exit status according to whether it finds the credentials
-cache. The exit status is \(aq0\(aq if klist finds a credentials cache,
-and \(aq1\(aq if it does not or if the tickets are expired.
+Causes klist to run silently (produce no output). klist will exit
+with status 1 if the credentials cache cannot be read or is
+expired, and with status 0 otherwise.
.TP
.B \fB\-a\fP
Display list of addresses in credentials.
@@ -138,7 +137,7 @@ klist uses the following environment variable:
.TP
.B \fBKRB5CCNAME\fP
Location of the default Kerberos 5 credentials (ticket) cache, in
-the form \fItype\fP:\fIresidual\fP. If no \fItype\fP prefix is present, the
+the form \fItype\fP:\fIresidual\fP\&. If no \fItype\fP prefix is present, the
\fBFILE\fP type is assumed. The type of the default cache may
determine the availability of a cache collection; for instance, a
default cache of type \fBDIR\fP causes caches within the directory
@@ -159,6 +158,6 @@ Default location for the local host\(aqs keytab file.
.SH AUTHOR
MIT
.SH COPYRIGHT
-1985-2013, MIT
+1985-2015, MIT
.\" Generated by docutils manpage writer.
.
diff --git a/src/man/kpasswd.man b/src/man/kpasswd.man
index 75d78fb..f06ebb3 100644
--- a/src/man/kpasswd.man
+++ b/src/man/kpasswd.man
@@ -1,4 +1,6 @@
-.TH "KPASSWD" "1" " " "1.13" "MIT Kerberos"
+.\" Man page generated from reStructuredText.
+.
+.TH "KPASSWD" "1" " " "1.14" "MIT Kerberos"
.SH NAME
kpasswd \- change a user's Kerberos password
.
@@ -28,8 +30,6 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.\" Man page generated from reStructuredText.
-.
.SH SYNOPSIS
.sp
\fBkpasswd\fP [\fIprincipal\fP]
@@ -59,6 +59,6 @@ identity of the user invoking the kpasswd command.
.SH AUTHOR
MIT
.SH COPYRIGHT
-1985-2013, MIT
+1985-2015, MIT
.\" Generated by docutils manpage writer.
.
diff --git a/src/man/kprop.man b/src/man/kprop.man
index 169d0ce..752ffd7 100644
--- a/src/man/kprop.man
+++ b/src/man/kprop.man
@@ -1,4 +1,6 @@
-.TH "KPROP" "8" " " "1.13" "MIT Kerberos"
+.\" Man page generated from reStructuredText.
+.
+.TH "KPROP" "8" " " "1.14" "MIT Kerberos"
.SH NAME
kprop \- propagate a Kerberos V5 principal database to a slave server
.
@@ -28,8 +30,6 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.\" Man page generated from reStructuredText.
-.
.SH SYNOPSIS
.sp
\fBkprop\fP
@@ -43,8 +43,8 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.sp
kprop is used to securely propagate a Kerberos V5 database dump file
from the master Kerberos server to a slave Kerberos server, which is
-specified by \fIslave_host\fP. The dump file must be created by
-\fIkdb5_util(8)\fP.
+specified by \fIslave_host\fP\&. The dump file must be created by
+\fIkdb5_util(8)\fP\&.
.SH OPTIONS
.INDENT 0.0
.TP
@@ -54,7 +54,7 @@ Specifies the realm of the master server.
.B \fB\-f\fP \fIfile\fP
Specifies the filename where the dumped principal database file is
to be found; by default the dumped database file is normally
-\fB at LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/slave_datatrans\fP.
+\fB at LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/slave_datatrans\fP\&.
.TP
.B \fB\-P\fP \fIport\fP
Specifies the port to use to contact the \fIkpropd(8)\fP server
@@ -79,6 +79,6 @@ Specifies the location of the keytab file.
.SH AUTHOR
MIT
.SH COPYRIGHT
-1985-2013, MIT
+1985-2015, MIT
.\" Generated by docutils manpage writer.
.
diff --git a/src/man/kpropd.man b/src/man/kpropd.man
index 7bd2d62..f2f0f16 100644
--- a/src/man/kpropd.man
+++ b/src/man/kpropd.man
@@ -1,4 +1,6 @@
-.TH "KPROPD" "8" " " "1.13" "MIT Kerberos"
+.\" Man page generated from reStructuredText.
+.
+.TH "KPROPD" "8" " " "1.14" "MIT Kerberos"
.SH NAME
kpropd \- Kerberos V5 slave KDC update server
.
@@ -28,18 +30,18 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.\" Man page generated from reStructuredText.
-.
.SH SYNOPSIS
.sp
\fBkpropd\fP
[\fB\-r\fP \fIrealm\fP]
+[\fB\-A\fP \fIadmin_server\fP]
[\fB\-a\fP \fIacl_file\fP]
[\fB\-f\fP \fIslave_dumpfile\fP]
[\fB\-F\fP \fIprincipal_database\fP]
[\fB\-p\fP \fIkdb5_util_prog\fP]
[\fB\-P\fP \fIport\fP]
[\fB\-d\fP]
+[\fB\-t\fP]
.SH DESCRIPTION
.sp
The \fIkpropd\fP command runs on the slave KDC server. It listens for
@@ -50,7 +52,7 @@ from the master KDC.
When the slave receives a kprop request from the master, kpropd
accepts the dumped KDC database and places it in a file, and then runs
\fIkdb5_util(8)\fP to load the dumped database into the active
-database which is used by \fIkrb5kdc(8)\fP. This allows the master
+database which is used by \fIkrb5kdc(8)\fP\&. This allows the master
Kerberos server to use \fIkprop(8)\fP to propagate its database to
the slave servers. Upon a successful download of the KDC database
file, the slave Kerberos server will have an up\-to\-date KDC database.
@@ -79,7 +81,7 @@ kpropd in standalone mode; this option is now accepted for backward
compatibility but does nothing.
.sp
Incremental propagation may be enabled with the \fBiprop_enable\fP
-variable in \fIkdc.conf(5)\fP. If incremental propagation is
+variable in \fIkdc.conf(5)\fP\&. If incremental propagation is
enabled, the slave periodically polls the master KDC for updates, at
an interval determined by the \fBiprop_slave_poll\fP variable. If the
slave receives updates, kpropd updates its log file with any updates
@@ -98,13 +100,17 @@ enabled.
.B \fB\-r\fP \fIrealm\fP
Specifies the realm of the master server.
.TP
+.B \fB\-A\fP \fIadmin_server\fP
+Specifies the server to be contacted for incremental updates; by
+default, the master admin server is contacted.
+.TP
.B \fB\-f\fP \fIfile\fP
Specifies the filename where the dumped principal database file is
-to be stored; by default the dumped database file is \fB at LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/from_master\fP.
+to be stored; by default the dumped database file is \fB at LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/from_master\fP\&.
.TP
.B \fB\-p\fP
Allows the user to specify the pathname to the \fIkdb5_util(8)\fP
-program; by default the pathname used is \fB at SBINDIR@\fP\fB/kdb5_util\fP.
+program; by default the pathname used is \fB at SBINDIR@\fP\fB/kdb5_util\fP\&.
.TP
.B \fB\-d\fP
Turn on debug mode. In this mode, kpropd will not detach
@@ -112,13 +118,19 @@ itself from the current job and run in the background. Instead,
it will run in the foreground and print out debugging messages
during the database propagation.
.TP
+.B \fB\-t\fP
+In standalone mode without incremental propagation, exit after one
+dump file is received. In incremental propagation mode, exit as
+soon as the database is up to date, or if the master returns an
+error.
+.TP
.B \fB\-P\fP
Allow for an alternate port number for kpropd to listen on. This
is only useful in combination with the \fB\-S\fP option.
.TP
.B \fB\-a\fP \fIacl_file\fP
Allows the user to specify the path to the kpropd.acl file; by
-default the path used is \fB at LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/kpropd.acl\fP.
+default the path used is \fB at LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/kpropd.acl\fP\&.
.UNINDENT
.SH ENVIRONMENT
.sp
@@ -134,9 +146,9 @@ kpropd uses the following environment variables:
.TP
.B kpropd.acl
Access file for kpropd; the default location is
-\fB/usr/local/var/krb5kdc/kpropd.acl\fP. Each entry is a line
+\fB/usr/local/var/krb5kdc/kpropd.acl\fP\&. Each entry is a line
containing the principal of a host from which the local machine
-will allow Kerberos database propagation via \fIkprop(8)\fP.
+will allow Kerberos database propagation via \fIkprop(8)\fP\&.
.UNINDENT
.SH SEE ALSO
.sp
@@ -144,6 +156,6 @@ will allow Kerberos database propagation via \fIkprop(8)\fP.
.SH AUTHOR
MIT
.SH COPYRIGHT
-1985-2013, MIT
+1985-2015, MIT
.\" Generated by docutils manpage writer.
.
diff --git a/src/man/kproplog.man b/src/man/kproplog.man
index 21d6bb5..015e0f8 100644
--- a/src/man/kproplog.man
+++ b/src/man/kproplog.man
@@ -1,4 +1,6 @@
-.TH "KPROPLOG" "8" " " "1.13" "MIT Kerberos"
+.\" Man page generated from reStructuredText.
+.
+.TH "KPROPLOG" "8" " " "1.14" "MIT Kerberos"
.SH NAME
kproplog \- display the contents of the Kerberos principal update log
.
@@ -28,8 +30,6 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.\" Man page generated from reStructuredText.
-.
.SH SYNOPSIS
.sp
\fBkproplog\fP [\fB\-h\fP] [\fB\-e\fP \fInum\fP] [\-v]
@@ -112,6 +112,6 @@ kproplog uses the following environment variables:
.SH AUTHOR
MIT
.SH COPYRIGHT
-1985-2013, MIT
+1985-2015, MIT
.\" Generated by docutils manpage writer.
.
diff --git a/src/man/krb5-config.man b/src/man/krb5-config.man
index 9731f40..fd81ae1 100644
--- a/src/man/krb5-config.man
+++ b/src/man/krb5-config.man
@@ -1,4 +1,6 @@
-.TH "KRB5-CONFIG" "1" " " "1.13" "MIT Kerberos"
+.\" Man page generated from reStructuredText.
+.
+.TH "KRB5-CONFIG" "1" " " "1.14" "MIT Kerberos"
.SH NAME
krb5-config \- tool for linking against MIT Kerberos libraries
.
@@ -28,8 +30,6 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.\" Man page generated from reStructuredText.
-.
.SH SYNOPSIS
.sp
\fBkrb5\-config\fP
@@ -74,7 +74,7 @@ prints the built\-in default client (initiator) keytab location.
prints the compilation flags used to build the Kerberos installation.
.TP
.B \fB\-\fP\fB\-libs\fP [\fIlibrary\fP]
-prints the compiler options needed to link against \fIlibrary\fP.
+prints the compiler options needed to link against \fIlibrary\fP\&.
Allowed values for \fIlibrary\fP are:
.TS
center;
@@ -136,6 +136,6 @@ kerberos(1), cc(1)
.SH AUTHOR
MIT
.SH COPYRIGHT
-1985-2013, MIT
+1985-2015, MIT
.\" Generated by docutils manpage writer.
.
diff --git a/src/man/krb5.conf.man b/src/man/krb5.conf.man
index 7fa49e1..9b2d506 100644
--- a/src/man/krb5.conf.man
+++ b/src/man/krb5.conf.man
@@ -1,4 +1,6 @@
-.TH "KRB5.CONF" "5" " " "1.13" "MIT Kerberos"
+.\" Man page generated from reStructuredText.
+.
+.TH "KRB5.CONF" "5" " " "1.14" "MIT Kerberos"
.SH NAME
krb5.conf \- Kerberos configuration file
.
@@ -28,16 +30,19 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.\" Man page generated from reStructuredText.
-.
.sp
The krb5.conf file contains Kerberos configuration information,
including the locations of KDCs and admin servers for the Kerberos
realms of interest, defaults for the current realm and for Kerberos
applications, and mappings of hostnames onto Kerberos realms.
Normally, you should install your krb5.conf file in the directory
-\fB/etc\fP. You can override the default location by setting the
-environment variable \fBKRB5_CONFIG\fP.
+\fB/etc\fP\&. You can override the default location by setting the
+environment variable \fBKRB5_CONFIG\fP\&. Multiple colon\-separated
+filenames may be specified in \fBKRB5_CONFIG\fP; all files which are
+present will be read. Starting in release 1.14, directory names can
+also be specified in \fBKRB5_CONFIG\fP; all files within the directory
+whose names consist solely of alphanumeric characters, dashes, or
+underscores will be read.
.SH STRUCTURE
.sp
The krb5.conf file is set up in the style of a Windows INI file.
@@ -53,9 +58,10 @@ foo = bar
.fi
.UNINDENT
.UNINDENT
+.sp
+or:
.INDENT 0.0
-.TP
-.B or
+.INDENT 3.5
.sp
.nf
.ft C
@@ -66,14 +72,16 @@ fubar = {
.ft P
.fi
.UNINDENT
+.UNINDENT
.sp
Placing a \(aq*\(aq at the end of a line indicates that this is the \fIfinal\fP
value for the tag. This means that neither the remainder of this
configuration file nor any other configuration file will be checked
for any other values for this tag.
+.sp
+For example, if you have the following lines:
.INDENT 0.0
-.TP
-.B For example, if you have the following lines:
+.INDENT 3.5
.sp
.nf
.ft C
@@ -82,6 +90,7 @@ foo = baz
.ft P
.fi
.UNINDENT
+.UNINDENT
.sp
then the second value of \fBfoo\fP (\fBbaz\fP) would never be read.
.sp
@@ -181,7 +190,7 @@ The libdefaults section may contain any of the following relations:
If this flag is set to false, then weak encryption types (as noted
in \fIEncryption_types\fP in \fIkdc.conf(5)\fP) will be filtered
out of the lists \fBdefault_tgs_enctypes\fP,
-\fBdefault_tkt_enctypes\fP, and \fBpermitted_enctypes\fP. The default
+\fBdefault_tkt_enctypes\fP, and \fBpermitted_enctypes\fP\&. The default
value for this tag is false, which may cause authentication
failures in existing Kerberos infrastructures that do not support
strong crypto. Users in affected environments should set this tag
@@ -212,28 +221,34 @@ Kerberos which interact with credential caches on the same host.
Sets the maximum allowable amount of clockskew in seconds that the
library will tolerate before assuming that a Kerberos message is
invalid. The default value is 300 seconds, or five minutes.
+.sp
+The clockskew setting is also used when evaluating ticket start
+and expiration times. For example, tickets that have reached
+their expiration time can still be used (and renewed if they are
+renewable tickets) if they have been expired for a shorter
+duration than the \fBclockskew\fP setting.
.TP
.B \fBdefault_ccache_name\fP
This relation specifies the name of the default credential cache.
-The default is \fB at CCNAME@\fP. This relation is subject to parameter
+The default is \fB at CCNAME@\fP\&. This relation is subject to parameter
expansion (see below). New in release 1.11.
.TP
.B \fBdefault_client_keytab_name\fP
This relation specifies the name of the default keytab for
-obtaining client credentials. The default is \fB at CKTNAME@\fP. This
+obtaining client credentials. The default is \fB at CKTNAME@\fP\&. This
relation is subject to parameter expansion (see below).
New in release 1.11.
.TP
.B \fBdefault_keytab_name\fP
This relation specifies the default keytab name to be used by
-application servers such as sshd. The default is \fB at KTNAME@\fP. This
+application servers such as sshd. The default is \fB at KTNAME@\fP\&. This
relation is subject to parameter expansion (see below).
.TP
.B \fBdefault_realm\fP
Identifies the default Kerberos realm for the client. Set its
value to your Kerberos realm. If this value is not set, then a
realm must be specified with every Kerberos principal when
-invoking programs such as \fIkinit(1)\fP.
+invoking programs such as \fIkinit(1)\fP\&.
.TP
.B \fBdefault_tgs_enctypes\fP
Identifies the supported list of session key encryption types that
@@ -287,6 +302,11 @@ it (besides the initial ticket request, which has no encrypted
data), and anything the fake KDC sends will not be trusted without
verification using some secret that it won\(aqt know.
.TP
+.B \fBerr_fmt\fP
+This relation allows for custom error message formatting. If a
+value is set, error messages will be formatted by substituting a
+normal error message for %M and an error code for %C in the value.
+.TP
.B \fBextra_addresses\fP
This allows a computer to use multiple local addresses, in order
to allow Kerberos to work in a network that uses NATs while still
@@ -310,7 +330,7 @@ default value is false. New in release 1.10.
.TP
.B \fBk5login_authoritative\fP
If this flag is true, principals must be listed in a local user\(aqs
-k5login file to be granted login access, if a \fI.k5login(5)\fP
+k5login file to be granted login access, if a \fI\&.k5login(5)\fP
file exists. If this flag is false, a principal may still be
granted login access through other mechanisms even if a k5login
file exists but does not list the principal. The default value is
@@ -324,6 +344,19 @@ files in the user\(aqs home directory, with the filename .k5login.
For security reasons, .k5login files must be owned by
the local user or by root.
.TP
+.B \fBkcm_mach_service\fP
+On OS X only, determines the name of the bootstrap service used to
+contact the KCM daemon for the KCM credential cache type. If the
+value is \fB\-\fP, Mach RPC will not be used to contact the KCM
+daemon. The default value is \fBorg.h5l.kcm\fP\&.
+.TP
+.B \fBkcm_socket\fP
+Determines the path to the Unix domain socket used to access the
+KCM daemon for the KCM credential cache type. If the value is
+\fB\-\fP, Unix domain sockets will not be used to contact the KCM
+daemon. The default value is
+\fB/var/run/.heim_org.h5l.kcm\-socket\fP\&.
+.TP
.B \fBkdc_default_options\fP
Default KDC options (Xored for multiple values) when requesting
initial tickets. By default it is set to 0x00000010
@@ -468,7 +501,7 @@ ticket requests. The default value is 1 day.
.B \fBudp_preference_limit\fP
When sending a message to the KDC, the library will try using TCP
before UDP if the size of the message is above
-\fBudp_preference_limit\fP. If the message is smaller than
+\fBudp_preference_limit\fP\&. If the message is smaller than
\fBudp_preference_limit\fP, then UDP will be tried before TCP.
Regardless of the size, both protocols will be tried if the first
attempt fails.
@@ -500,9 +533,9 @@ translated. The possible values are:
.INDENT 7.0
.TP
.B \fBRULE:\fP\fIexp\fP
-The local name will be formulated from \fIexp\fP.
+The local name will be formulated from \fIexp\fP\&.
.sp
-The format for \fIexp\fP is \fB[\fP\fIn\fP\fB:\fP\fIstring\fP\fB](\fP\fIregexp\fP\fB)s/\fP\fIpattern\fP\fB/\fP\fIreplacement\fP\fB/g\fP.
+The format for \fIexp\fP is \fB[\fP\fIn\fP\fB:\fP\fIstring\fP\fB](\fP\fIregexp\fP\fB)s/\fP\fIpattern\fP\fB/\fP\fIreplacement\fP\fB/g\fP\&.
The integer \fIn\fP indicates how many components the target
principal should have. If this matches, then a string will be
formed from \fIstring\fP, substituting the realm of the principal
@@ -513,15 +546,18 @@ for \fB$0\fP and the \fIn\fP\(aqth component of the principal for
the \fBs//[g]\fP substitution command will be run over the
string. The optional \fBg\fP will cause the substitution to be
global over the \fIstring\fP, instead of replacing only the first
-match in the \fIstring\fP.
+match in the \fIstring\fP\&.
.TP
.B \fBDEFAULT\fP
The principal name will be used as the local user name. If
the principal has more than one component or is not in the
default realm, this rule is not applicable and the conversion
will fail.
-.TP
-.B For example:
+.UNINDENT
+.sp
+For example:
+.INDENT 7.0
+.INDENT 3.5
.sp
.nf
.ft C
@@ -535,14 +571,15 @@ will fail.
.ft P
.fi
.UNINDENT
+.UNINDENT
.sp
would result in any principal without \fBroot\fP or \fBadmin\fP as the
second component to be translated with the default rule. A
principal with a second component of \fBadmin\fP will become its
first component. \fBroot\fP will be used as the local name for any
-principal with a second component of \fBroot\fP. The exception to
+principal with a second component of \fBroot\fP\&. The exception to
these two rules are any principals \fBjohndoe/*\fP, which will
-always get the local name \fBguest\fP.
+always get the local name \fBguest\fP\&.
.TP
.B \fBauth_to_local_names\fP
This subsection allows you to set explicit mappings from principal
@@ -555,6 +592,32 @@ translating Kerberos 4 service principals to Kerberos 5 principals
(for example, when converting \fBrcmd.hostname\fP to
\fBhost/hostname.domain\fP).
.TP
+.B \fBhttp_anchors\fP
+When KDCs and kpasswd servers are accessed through HTTPS proxies, this tag
+can be used to specify the location of the CA certificate which should be
+trusted to issue the certificate for a proxy server. If left unspecified,
+the system\-wide default set of CA certificates is used.
+.sp
+The syntax for values is similar to that of values for the
+\fBpkinit_anchors\fP tag:
+.sp
+\fBFILE:\fP \fIfilename\fP
+.sp
+\fIfilename\fP is assumed to be the name of an OpenSSL\-style ca\-bundle file.
+.sp
+\fBDIR:\fP \fIdirname\fP
+.sp
+\fIdirname\fP is assumed to be an directory which contains CA certificates.
+All files in the directory will be examined; if they contain certificates
+(in PEM format), they will be used.
+.sp
+\fBENV:\fP \fIenvvar\fP
+.sp
+\fIenvvar\fP specifies the name of an environment variable which has been set
+to a value conforming to one of the previous values. For example,
+\fBENV:X509_PROXY_CA\fP, where environment variable \fBX509_PROXY_CA\fP has
+been set to \fBFILE:/tmp/my_proxy.pem\fP\&.
+.TP
.B \fBkdc\fP
The name or address of a host running a KDC for that realm. An
optional port number, separated from the hostname by a colon, may
@@ -597,7 +660,7 @@ is the Kerberos V4 realm name.
The [domain_realm] section provides a translation from a domain name
or hostname to a Kerberos realm name. The tag name can be a host name
or domain name, where domain names are indicated by a prefix of a
-period (\fB.\fP). The value of the relation is the Kerberos realm name
+period (\fB\&.\fP). The value of the relation is the Kerberos realm name
for that particular host or domain. A host name relation implicitly
provides the corresponding domain name relation, unless an explicit domain
name relation is provided. The Kerberos realm may be
@@ -620,10 +683,10 @@ Host names and domain names should be in lower case. For example:
maps the host with the name \fBcrash.mit.edu\fP into the
\fBTEST.ATHENA.MIT.EDU\fP realm. The second entry maps all hosts under the
domain \fBdev.mit.edu\fP into the \fBTEST.ATHENA.MIT.EDU\fP realm, but not
-the host with the name \fBdev.mit.edu\fP. That host is matched
+the host with the name \fBdev.mit.edu\fP\&. That host is matched
by the third entry, which maps the host \fBmit.edu\fP and all hosts
under the domain \fBmit.edu\fP that do not match a preceding rule
-into the realm \fBATHENA.MIT.EDU\fP.
+into the realm \fBATHENA.MIT.EDU\fP\&.
.sp
If no translation entry applies to a hostname used for a service
principal for a service ticket request, the library will try to get a
@@ -660,7 +723,7 @@ a subtag of the server realm.
For example, \fBANL.GOV\fP, \fBPNL.GOV\fP, and \fBNERSC.GOV\fP all wish to
use the \fBES.NET\fP realm as an intermediate realm. ANL has a sub
realm of \fBTEST.ANL.GOV\fP which will authenticate with \fBNERSC.GOV\fP
-but not \fBPNL.GOV\fP. The [capaths] section for \fBANL.GOV\fP systems
+but not \fBPNL.GOV\fP\&. The [capaths] section for \fBANL.GOV\fP systems
would look like this:
.INDENT 0.0
.INDENT 3.5
@@ -732,9 +795,10 @@ important to servers.
Each tag in the [appdefaults] section names a Kerberos V5 application
or an option that is used by some Kerberos V5 application[s]. The
value of the tag defines the default behaviors for that application.
+.sp
+For example:
.INDENT 0.0
-.TP
-.B For example:
+.INDENT 3.5
.sp
.nf
.ft C
@@ -755,6 +819,7 @@ value of the tag defines the default behaviors for that application.
.ft P
.fi
.UNINDENT
+.UNINDENT
.sp
The above four ways of specifying the value of an option are shown in
order of decreasing precedence. In this example, if telnet is running
@@ -809,7 +874,7 @@ form \fBmodulename:pathname\fP, which causes the shared object
located at \fIpathname\fP to be registered as a dynamic module named
\fImodulename\fP for the pluggable interface. If \fIpathname\fP is not an
absolute path, it will be treated as relative to the
-\fBplugin_base_dir\fP value from \fI\%[libdefaults]\fP.
+\fBplugin_base_dir\fP value from \fI\%[libdefaults]\fP\&.
.UNINDENT
.sp
For pluggable interfaces where module order matters, modules
@@ -930,21 +995,25 @@ realm\(aqs section, and applies the default method if no
.TP
.B \fBk5login\fP
This module authorizes a principal to a local account according to
-the account\(aqs \fI.k5login(5)\fP file.
+the account\(aqs \fI\&.k5login(5)\fP file.
.TP
.B \fBan2ln\fP
This module authorizes a principal to a local account if the
principal name maps to the local account name.
.UNINDENT
.SH PKINIT OPTIONS
-.IP Note
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
The following are PKINIT\-specific options. These values may
be specified in [libdefaults] as global defaults, or within
a realm\-specific subsection of [libdefaults], or may be
specified as realm\-specific values in the [realms] section.
A realm\-specific value overrides, not adds to, a generic
[libdefaults] specification. The search order is:
-.RE
+.UNINDENT
+.UNINDENT
.INDENT 0.0
.IP 1. 3
realm\-specific subsection of [libdefaults]:
@@ -962,7 +1031,7 @@ realm\-specific subsection of [libdefaults]:
.UNINDENT
.UNINDENT
.IP 2. 3
-realm\-specific value in the [realms] section,
+realm\-specific value in the [realms] section:
.INDENT 3.0
.INDENT 3.5
.sp
@@ -977,7 +1046,7 @@ realm\-specific value in the [realms] section,
.UNINDENT
.UNINDENT
.IP 3. 3
-generic value in the [libdefaults] section.
+generic value in the [libdefaults] section:
.INDENT 3.0
.INDENT 3.5
.sp
@@ -1015,19 +1084,19 @@ In \fBpkinit_identity\fP or \fBpkinit_identities\fP, \fIdirname\fP
specifies a directory with files named \fB*.crt\fP and \fB*.key\fP
where the first part of the file name is the same for matching
pairs of certificate and private key files. When a file with a
-name ending with \fB.crt\fP is found, a matching file ending with
-\fB.key\fP is assumed to contain the private key. If no such file
-is found, then the certificate in the \fB.crt\fP is not used.
+name ending with \fB\&.crt\fP is found, a matching file ending with
+\fB\&.key\fP is assumed to contain the private key. If no such file
+is found, then the certificate in the \fB\&.crt\fP is not used.
.sp
In \fBpkinit_anchors\fP or \fBpkinit_pool\fP, \fIdirname\fP is assumed to
be an OpenSSL\-style hashed CA directory where each CA cert is
-stored in a file named \fBhash\-of\-ca\-cert.#\fP. This infrastructure
+stored in a file named \fBhash\-of\-ca\-cert.#\fP\&. This infrastructure
is encouraged, but all files in the directory will be examined and
if they contain certificates (in PEM format), they will be used.
.sp
In \fBpkinit_revoke\fP, \fIdirname\fP is assumed to be an OpenSSL\-style
hashed CA directory where each revocation list is stored in a file
-named \fBhash\-of\-ca\-cert.r#\fP. This infrastructure is encouraged,
+named \fBhash\-of\-ca\-cert.r#\fP\&. This infrastructure is encouraged,
but all files in the directory will be examined and if they
contain a revocation list (in PEM format), they will be used.
.TP
@@ -1038,8 +1107,8 @@ user\(aqs certificate and private key.
.B \fBPKCS11:\fP[\fBmodule_name=\fP]\fImodname\fP[\fB:slotid=\fP\fIslot\-id\fP][\fB:token=\fP\fItoken\-label\fP][\fB:certid=\fP\fIcert\-id\fP][\fB:certlabel=\fP\fIcert\-label\fP]
All keyword/values are optional. \fImodname\fP specifies the location
of a library implementing PKCS #11. If a value is encountered
-with no keyword, it is assumed to be the \fImodname\fP. If no
-module\-name is specified, the default is \fBopensc\-pkcs11.so\fP.
+with no keyword, it is assumed to be the \fImodname\fP\&. If no
+module\-name is specified, the default is \fBopensc\-pkcs11.so\fP\&.
\fBslotid=\fP and/or \fBtoken=\fP may be specified to force the use of
a particular smard card reader or token if there is more than one
available. \fBcertid=\fP and/or \fBcertlabel=\fP may be specified to
@@ -1051,7 +1120,7 @@ to select a particular certificate to use for PKINIT.
\fIenvvar\fP specifies the name of an environment variable which has
been set to a value conforming to one of the previous values. For
example, \fBENV:X509_PROXY\fP, where environment variable
-\fBX509_PROXY\fP has been set to \fBFILE:/tmp/my_proxy.pem\fP.
+\fBX509_PROXY\fP has been set to \fBFILE:/tmp/my_proxy.pem\fP\&.
.UNINDENT
.SS PKINIT krb5.conf options
.INDENT 0.0
@@ -1089,7 +1158,7 @@ where:
.B \fIrelation\-operator\fP
can be either \fB&&\fP, meaning all component rules must match,
or \fB||\fP, meaning only one component rule must match. The
-default is \fB&&\fP.
+default is \fB&&\fP\&.
.TP
.B \fIcomponent\-rule\fP
can be one of the following. Note that there is no
@@ -1158,11 +1227,12 @@ recognized in the krb5.conf file are:
.TP
.B \fBkpKDC\fP
This is the default value and specifies that the KDC must have
-the id\-pkinit\-KPKdc EKU as defined in \fI\%RFC 4556\fP.
+the id\-pkinit\-KPKdc EKU as defined in \fI\%RFC 4556\fP\&.
.TP
.B \fBkpServerAuth\fP
If \fBkpServerAuth\fP is specified, a KDC certificate with the
-id\-kp\-serverAuth EKU as used by Microsoft will be accepted.
+id\-kp\-serverAuth EKU will be accepted. This key usage value
+is used in most commercially issued server certificates.
.TP
.B \fBnone\fP
If \fBnone\fP is specified, then the KDC certificate will not be
@@ -1187,13 +1257,10 @@ these values are not used if the user specifies
The presense of this option indicates that the client is willing
to accept a KDC certificate with a dNSName SAN (Subject
Alternative Name) rather than requiring the id\-pkinit\-san as
-defined in \fI\%RFC 4556\fP. This option may be specified multiple
+defined in \fI\%RFC 4556\fP\&. This option may be specified multiple
times. Its value should contain the acceptable hostname for the
KDC (as contained in its certificate).
.TP
-.B \fBpkinit_longhorn\fP
-If this flag is set to true, we are talking to the Longhorn KDC.
-.TP
.B \fBpkinit_pool\fP
Specifies the location of intermediate certificates which may be
used by the client to complete the trust chain between a KDC
@@ -1221,16 +1288,6 @@ Specifies the location of Certificate Revocation List (CRL)
information to be used by the client when verifying the validity
of the KDC certificate presented. This option may be specified
multiple times.
-.TP
-.B \fBpkinit_win2k\fP
-This flag specifies whether the target realm is assumed to support
-only the old, pre\-RFC version of the protocol. The default is
-false.
-.TP
-.B \fBpkinit_win2k_require_binding\fP
-If this flag is set to true, it expects that the target KDC is
-patched to return a reply with a checksum rather than a nonce.
-The default is false.
.UNINDENT
.SH PARAMETER EXPANSION
.sp
@@ -1352,8 +1409,6 @@ Here is an example of a generic krb5.conf file:
.ft C
[libdefaults]
default_realm = ATHENA.MIT.EDU
- default_tkt_enctypes = des3\-hmac\-sha1 des\-cbc\-crc
- default_tgs_enctypes = des3\-hmac\-sha1 des\-cbc\-crc
dns_lookup_kdc = true
dns_lookup_realm = false
@@ -1364,7 +1419,6 @@ Here is an example of a generic krb5.conf file:
kdc = kerberos\-2.mit.edu:750
admin_server = kerberos.mit.edu
master_kdc = kerberos.mit.edu
- default_domain = mit.edu
}
EXAMPLE.COM = {
kdc = kerberos.example.com
@@ -1373,7 +1427,6 @@ Here is an example of a generic krb5.conf file:
}
[domain_realm]
- .mit.edu = ATHENA.MIT.EDU
mit.edu = ATHENA.MIT.EDU
[capaths]
@@ -1396,6 +1449,6 @@ syslog(3)
.SH AUTHOR
MIT
.SH COPYRIGHT
-1985-2013, MIT
+1985-2015, MIT
.\" Generated by docutils manpage writer.
.
diff --git a/src/man/krb5kdc.man b/src/man/krb5kdc.man
index 784c1f1..5a7962e 100644
--- a/src/man/krb5kdc.man
+++ b/src/man/krb5kdc.man
@@ -1,4 +1,6 @@
-.TH "KRB5KDC" "8" " " "1.13" "MIT Kerberos"
+.\" Man page generated from reStructuredText.
+.
+.TH "KRB5KDC" "8" " " "1.14" "MIT Kerberos"
.SH NAME
krb5kdc \- Kerberos V5 KDC
.
@@ -28,8 +30,6 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.\" Man page generated from reStructuredText.
-.
.SH SYNOPSIS
.sp
\fBkrb5kdc\fP
@@ -59,7 +59,7 @@ LDAP database.
.sp
The \fB\-k\fP \fIkeytype\fP option specifies the key type of the master key
to be entered manually as a password when \fB\-m\fP is given; the default
-is \fBdes\-cbc\-crc\fP.
+is \fBdes\-cbc\-crc\fP\&.
.sp
The \fB\-M\fP \fImkeyname\fP option specifies the principal name for the
master key in the database (usually \fBK/M\fP in the KDC\(aqs realm).
@@ -91,48 +91,21 @@ the \fB\-P\fP option is also given) acts as a supervisor. The supervisor
will relay SIGHUP signals to the worker subprocesses, and will
terminate the worker subprocess if the it is itself terminated or if
any other worker process exits.
-.IP Note
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
On operating systems which do not have \fIpktinfo\fP support,
using worker processes will prevent the KDC from listening
for UDP packets on network interfaces created after the KDC
starts.
-.RE
-.sp
-The \fB\-x\fP \fIdb_args\fP option specifies database\-specific arguments.
-Options supported for the LDAP database module are:
-.INDENT 0.0
-.INDENT 3.5
-.INDENT 0.0
-.TP
-.B \fB\-x\fP nconns=<number_of_connections>
-Specifies the number of connections to be maintained per
-LDAP server.
-.TP
-.B \fB\-x\fP host=<ldapuri>
-Specifies the LDAP server to connect to by URI.
-.TP
-.B \fB\-x\fP binddn=<binddn>
-Specifies the DN of the object used by the KDC server to bind
-to the LDAP server. This object should have read and write
-privileges to the realm container, the principal container,
-and the subtree that is referenced by the realm.
-.TP
-.B \fB\-x\fP bindpwd=<bind_password>
-Specifies the password for the above mentioned binddn. Using
-this option may expose the password to other users on the
-system via the process list; to avoid this, instead stash the
-password using the \fBstashsrvpw\fP command of
-\fIkdb5_ldap_util(8)\fP.
-.TP
-.B \fB\-x debug=\fP\fIlevel\fP
-sets the OpenLDAP client library debug level. \fIlevel\fP is an
-integer to be interpreted by the library. Debugging messages
-are printed to standard error, so this option must be used
-with the \fB\-n\fP option to be useful. New in release 1.12.
-.UNINDENT
.UNINDENT
.UNINDENT
.sp
+The \fB\-x\fP \fIdb_args\fP option specifies database\-specific arguments.
+See \fIDatabase Options\fP in \fIkadmin(1)\fP for
+supported arguments.
+.sp
The \fB\-T\fP \fIoffset\fP option specifies a time offset, in seconds, which
the KDC will operate under. It is intended only for testing purposes.
.SH EXAMPLE
@@ -177,6 +150,6 @@ krb5kdc uses the following environment variables:
.SH AUTHOR
MIT
.SH COPYRIGHT
-1985-2013, MIT
+1985-2015, MIT
.\" Generated by docutils manpage writer.
.
diff --git a/src/man/ksu.man b/src/man/ksu.man
index 89648ee..99ff974 100644
--- a/src/man/ksu.man
+++ b/src/man/ksu.man
@@ -1,4 +1,6 @@
-.TH "KSU" "1" " " "1.13" "MIT Kerberos"
+.\" Man page generated from reStructuredText.
+.
+.TH "KSU" "1" " " "1.14" "MIT Kerberos"
.SH NAME
ksu \- Kerberized super-user
.
@@ -28,8 +30,6 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.\" Man page generated from reStructuredText.
-.
.SH SYNOPSIS
.sp
\fBksu\fP
@@ -37,7 +37,6 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
[ \fB\-n\fP \fItarget_principal_name\fP ]
[ \fB\-c\fP \fIsource_cache_name\fP ]
[ \fB\-k\fP ]
-[ \fB\-D\fP ]
[ \fB\-r\fP time ]
[ \fB\-pf\fP ]
[ \fB\-l\fP \fIlifetime\fP ]
@@ -53,14 +52,18 @@ Kerberos version 5 server running to use ksu.
ksu is a Kerberized version of the su program that has two missions:
one is to securely change the real and effective user ID to that of
the target user, and the other is to create a new security context.
-.IP Note
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
For the sake of clarity, all references to and attributes of
the user invoking the program will start with "source"
(e.g., "source user", "source cache", etc.).
.sp
Likewise, all references to and attributes of the target
account will start with "target".
-.RE
+.UNINDENT
+.UNINDENT
.SH AUTHENTICATION
.sp
To fulfill the first mission, ksu operates in two phases:
@@ -70,7 +73,7 @@ principal name with the \fB\-n\fP option (e.g., \fB\-n jqpublic at USC.EDU\fP)
or a default principal name will be assigned using a heuristic
described in the OPTIONS section (see \fB\-n\fP option). The target user
name must be the first argument to ksu; if not specified root is the
-default. If \fB.\fP is specified then the target user will be the
+default. If \fB\&.\fP is specified then the target user will be the
source user (e.g., \fBksu .\fP). If the source user is root or the
target user is the source user, no authentication or authorization
takes place. Otherwise, ksu looks for an appropriate Kerberos ticket
@@ -96,12 +99,13 @@ option, see the OPTIONS section.
Upon successful authentication, ksu checks whether the target
principal is authorized to access the target account. In the target
user\(aqs home directory, ksu attempts to access two authorization files:
-\fI.k5login(5)\fP and .k5users. In the .k5login file each line
+\fI\&.k5login(5)\fP and .k5users. In the .k5login file each line
contains the name of a principal that is authorized to access the
account.
+.sp
+For example:
.INDENT 0.0
-.TP
-.B For example:
+.INDENT 3.5
.sp
.nf
.ft C
@@ -111,6 +115,7 @@ jqpublic/admin at USC.EDU
.ft P
.fi
.UNINDENT
+.UNINDENT
.sp
The format of .k5users is the same, except the principal name may be
followed by a list of commands that the principal is authorized to
@@ -165,11 +170,15 @@ server and stored in the target cache. Otherwise, if a password is
not provided (user hit return) ksu continues in a normal mode of
operation (the target cache will not contain the desired TGT). If the
wrong password is typed in, ksu fails.
-.IP Note
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
During authentication, only the tickets that could be
obtained without providing a password are cached in in the
source cache.
-.RE
+.UNINDENT
+.UNINDENT
.SH OPTIONS
.INDENT 0.0
.TP
@@ -186,10 +195,10 @@ Case 1: source user is non\-root.
If the target user is the source user the default principal name
is set to the default principal of the source cache. If the
cache does not exist then the default principal name is set to
-\fBtarget_user at local_realm\fP. If the source and target users are
+\fBtarget_user at local_realm\fP\&. If the source and target users are
different and neither \fB~target_user/.k5users\fP nor
\fB~target_user/.k5login\fP exist then the default principal name
-is \fBtarget_user_login_name at local_realm\fP. Otherwise, starting
+is \fBtarget_user_login_name at local_realm\fP\&. Otherwise, starting
with the first principal listed below, ksu checks if the
principal is authorized to access the target account and whether
there is a legitimate ticket for that principal in the source
@@ -218,15 +227,15 @@ principal name equal to the prefix of the candidate. For
example if candidate a) is \fBjqpublic at ISI.EDU\fP and
\fBjqpublic/secure at ISI.EDU\fP is authorized to access the target
account then the default principal is set to
-\fBjqpublic/secure at ISI.EDU\fP.
+\fBjqpublic/secure at ISI.EDU\fP\&.
.IP \(bu 2
Case 2: source user is root.
.sp
If the target user is non\-root then the default principal name
-is \fBtarget_user at local_realm\fP. Else, if the source cache
+is \fBtarget_user at local_realm\fP\&. Else, if the source cache
exists the default principal name is set to the default
principal of the source cache. If the source cache does not
-exist, default principal name is set to \fBroot\e at local_realm\fP.
+exist, default principal name is set to \fBroot\e at local_realm\fP\&.
.UNINDENT
.UNINDENT
.sp
@@ -236,7 +245,7 @@ exist, default principal name is set to \fBroot\e at local_realm\fP.
Specify source cache name (e.g., \fB\-c FILE:/tmp/my_cache\fP). If
\fB\-c\fP option is not used then the name is obtained from
\fBKRB5CCNAME\fP environment variable. If \fBKRB5CCNAME\fP is not
-defined the source cache name is set to \fBkrb5cc_<source uid>\fP.
+defined the source cache name is set to \fBkrb5cc_<source uid>\fP\&.
The target cache name is automatically set to \fBkrb5cc_<target
uid>.(gen_sym())\fP, where gen_sym generates a new number such that
the resulting cache does not already exist. For example:
@@ -259,9 +268,6 @@ Do not delete the target cache upon termination of the target
shell or a command (\fB\-e\fP command). Without \fB\-k\fP, ksu deletes
the target cache.
.TP
-.B \fB\-D\fP
-Turn on debug mode.
-.TP
.B \fB\-z\fP
Restrict the copy of tickets from the source cache to the target
cache to only the tickets where client == the target principal
@@ -376,7 +382,7 @@ full path or just the program name.
.B \fB\-a\fP \fIargs\fP
Specify arguments to be passed to the target shell. Note that all
flags and parameters following \-a will be passed to the shell,
-thus all options intended for ksu must precede \fB\-a\fP.
+thus all options intended for ksu must precede \fB\-a\fP\&.
.sp
The \fB\-a\fP option can be used to simulate the \fB\-e\fP option if
used as follows:
@@ -421,8 +427,11 @@ If the source user is non\-root, ksu insists that the target user\(aqs
shell to be invoked is a "legal shell". \fIgetusershell(3)\fP is
called to obtain the names of "legal shells". Note that the
target user\(aqs shell is obtained from the passwd file.
-.TP
-.B Sample configuration:
+.UNINDENT
+.sp
+Sample configuration:
+.INDENT 0.0
+.INDENT 3.5
.sp
.nf
.ft C
@@ -430,6 +439,7 @@ KSU_OPTS = \-DGET_TGT_VIA_PASSWD \-DPRINC_LOOK_AHEAD \-DCMD_PATH=\(aq"/bin /usr/
.ft P
.fi
.UNINDENT
+.UNINDENT
.sp
ksu should be owned by root and have the set user id bit turned on.
.sp
@@ -446,6 +456,6 @@ GENNADY (ARI) MEDVINSKY
.SH AUTHOR
MIT
.SH COPYRIGHT
-1985-2013, MIT
+1985-2015, MIT
.\" Generated by docutils manpage writer.
.
diff --git a/src/man/kswitch.man b/src/man/kswitch.man
index ead8344..6c2195a 100644
--- a/src/man/kswitch.man
+++ b/src/man/kswitch.man
@@ -1,4 +1,6 @@
-.TH "KSWITCH" "1" " " "1.13" "MIT Kerberos"
+.\" Man page generated from reStructuredText.
+.
+.TH "KSWITCH" "1" " " "1.14" "MIT Kerberos"
.SH NAME
kswitch \- switch primary ticket cache
.
@@ -28,8 +30,6 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.\" Man page generated from reStructuredText.
-.
.SH SYNOPSIS
.sp
\fBkswitch\fP
@@ -46,7 +46,7 @@ Directly specifies the credential cache to be made primary.
.TP
.B \fB\-p\fP \fIprincipal\fP
Causes the cache collection to be searched for a cache containing
-credentials for \fIprincipal\fP. If one is found, that collection is
+credentials for \fIprincipal\fP\&. If one is found, that collection is
made primary.
.UNINDENT
.SH ENVIRONMENT
@@ -56,7 +56,7 @@ kswitch uses the following environment variables:
.TP
.B \fBKRB5CCNAME\fP
Location of the default Kerberos 5 credentials (ticket) cache, in
-the form \fItype\fP:\fIresidual\fP. If no \fItype\fP prefix is present, the
+the form \fItype\fP:\fIresidual\fP\&. If no \fItype\fP prefix is present, the
\fBFILE\fP type is assumed. The type of the default cache may
determine the availability of a cache collection; for instance, a
default cache of type \fBDIR\fP causes caches within the directory
@@ -74,6 +74,6 @@ Default location of Kerberos 5 credentials cache
.SH AUTHOR
MIT
.SH COPYRIGHT
-1985-2013, MIT
+1985-2015, MIT
.\" Generated by docutils manpage writer.
.
diff --git a/src/man/ktutil.man b/src/man/ktutil.man
index 9ebdebd..351cae5 100644
--- a/src/man/ktutil.man
+++ b/src/man/ktutil.man
@@ -1,4 +1,6 @@
-.TH "KTUTIL" "1" " " "1.13" "MIT Kerberos"
+.\" Man page generated from reStructuredText.
+.
+.TH "KTUTIL" "1" " " "1.14" "MIT Kerberos"
.SH NAME
ktutil \- Kerberos keytab file maintenance utility
.
@@ -28,8 +30,6 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.\" Man page generated from reStructuredText.
-.
.SH SYNOPSIS
.sp
\fBktutil\fP
@@ -76,7 +76,7 @@ Alias: \fBrst\fP
.UNINDENT
.UNINDENT
.sp
-Write the current keylist into the Kerberos V5 keytab file \fIkeytab\fP.
+Write the current keylist into the Kerberos V5 keytab file \fIkeytab\fP\&.
.sp
Alias: \fBwkt\fP
.SS write_st
@@ -86,7 +86,7 @@ Alias: \fBwkt\fP
.UNINDENT
.UNINDENT
.sp
-Write the current keylist into the Kerberos V4 srvtab file \fIsrvtab\fP.
+Write the current keylist into the Kerberos V4 srvtab file \fIsrvtab\fP\&.
.sp
Alias: \fBwst\fP
.SS clear_list
@@ -143,6 +143,8 @@ Aliases: \fBexit\fP, \fBq\fP
.SH EXAMPLE
.INDENT 0.0
.INDENT 3.5
+.INDENT 0.0
+.INDENT 3.5
.sp
.nf
.ft C
@@ -158,12 +160,14 @@ ktutil:
.fi
.UNINDENT
.UNINDENT
+.UNINDENT
+.UNINDENT
.SH SEE ALSO
.sp
\fIkadmin(1)\fP, \fIkdb5_util(8)\fP
.SH AUTHOR
MIT
.SH COPYRIGHT
-1985-2013, MIT
+1985-2015, MIT
.\" Generated by docutils manpage writer.
.
diff --git a/src/man/kvno.man b/src/man/kvno.man
index 2739bd2..f4efb0a 100644
--- a/src/man/kvno.man
+++ b/src/man/kvno.man
@@ -1,4 +1,6 @@
-.TH "KVNO" "1" " " "1.13" "MIT Kerberos"
+.\" Man page generated from reStructuredText.
+.
+.TH "KVNO" "1" " " "1.14" "MIT Kerberos"
.SH NAME
kvno \- print key version numbers of Kerberos principals
.
@@ -28,8 +30,6 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.\" Man page generated from reStructuredText.
-.
.SH SYNOPSIS
.sp
\fBkvno\fP
@@ -74,13 +74,13 @@ conjunction with protocol transition.
.B \fB\-S\fP \fIsname\fP
Specifies that the \fIservice1 service2\fP ... arguments are
interpreted as hostnames, and the service principals are to be
-constructed from those hostnames and the service name \fIsname\fP.
+constructed from those hostnames and the service name \fIsname\fP\&.
The service hostnames will be canonicalized according to the usual
rules for constructing service principals.
.TP
.B \fB\-U\fP \fIfor_user\fP
Specifies that protocol transition (S4U2Self) is to be used to
-acquire a ticket on behalf of \fIfor_user\fP. If constrained
+acquire a ticket on behalf of \fIfor_user\fP\&. If constrained
delegation is not requested, the service name must match the
credentials cache client principal.
.UNINDENT
@@ -104,6 +104,6 @@ Default location of the credentials cache
.SH AUTHOR
MIT
.SH COPYRIGHT
-1985-2013, MIT
+1985-2015, MIT
.\" Generated by docutils manpage writer.
.
diff --git a/src/man/sclient.man b/src/man/sclient.man
index 88e24b6..486ac5a 100644
--- a/src/man/sclient.man
+++ b/src/man/sclient.man
@@ -1,4 +1,6 @@
-.TH "SCLIENT" "1" " " "1.13" "MIT Kerberos"
+.\" Man page generated from reStructuredText.
+.
+.TH "SCLIENT" "1" " " "1.14" "MIT Kerberos"
.SH NAME
sclient \- sample Kerberos version 5 client
.
@@ -28,8 +30,6 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.\" Man page generated from reStructuredText.
-.
.SH SYNOPSIS
.sp
\fBsclient\fP \fIremotehost\fP
@@ -45,6 +45,6 @@ the server\(aqs response.
.SH AUTHOR
MIT
.SH COPYRIGHT
-1985-2013, MIT
+1985-2015, MIT
.\" Generated by docutils manpage writer.
.
diff --git a/src/man/sserver.man b/src/man/sserver.man
index 93e749a..dc01619 100644
--- a/src/man/sserver.man
+++ b/src/man/sserver.man
@@ -1,4 +1,6 @@
-.TH "SSERVER" "8" " " "1.13" "MIT Kerberos"
+.\" Man page generated from reStructuredText.
+.
+.TH "SSERVER" "8" " " "1.14" "MIT Kerberos"
.SH NAME
sserver \- sample Kerberos version 5 server
.
@@ -28,8 +30,6 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.\" Man page generated from reStructuredText.
-.
.SH SYNOPSIS
.sp
\fBsserver\fP
@@ -46,9 +46,9 @@ good test that Kerberos has been successfully installed on a machine.
.sp
The service name used by sserver and sclient is sample. Hence,
sserver will require that there be a keytab entry for the service
-\fBsample/hostname.domain.name at REALM.NAME\fP. This keytab is generated
+\fBsample/hostname.domain.name at REALM.NAME\fP\&. This keytab is generated
using the \fIkadmin(1)\fP program. The keytab file is usually
-installed as \fB at KTNAME@\fP.
+installed as \fB at KTNAME@\fP\&.
.sp
The \fB\-S\fP option allows for a different keytab than the default.
.sp
@@ -81,7 +81,7 @@ sample 13135/tcp
.sp
When using sclient, you will first have to have an entry in the
Kerberos database, by using \fIkadmin(1)\fP, and then you have to get
-Kerberos tickets, by using \fIkinit(1)\fP. Also, if you are running
+Kerberos tickets, by using \fIkinit(1)\fP\&. Also, if you are running
the sclient program on a different host than the sserver it will be
connecting to, be sure that both hosts have an entry in /etc/services
for the sample tcp port, and that the same port number is in both
@@ -110,7 +110,7 @@ kinit returns the error:
.nf
.ft C
kinit: Client not found in Kerberos database while getting
- initial credentials
+ initial credentials
.ft P
.fi
.UNINDENT
@@ -156,7 +156,7 @@ sclient returns the error:
.nf
.ft C
sclient: Server not found in Kerberos database while using
- sendauth
+ sendauth
.ft P
.fi
.UNINDENT
@@ -189,6 +189,6 @@ probably not installed in the proper directory.
.SH AUTHOR
MIT
.SH COPYRIGHT
-1985-2013, MIT
+1985-2015, MIT
.\" Generated by docutils manpage writer.
.
More information about the cvs-krb5
mailing list