krb5 commit [krb5-1.15]: Update man pages
Tom Yu
tlyu at mit.edu
Thu Oct 20 15:48:53 EDT 2016
https://github.com/krb5/krb5/commit/90e4082280c1573234d62aba9f0cf274a382def6
commit 90e4082280c1573234d62aba9f0cf274a382def6
Author: Tom Yu <tlyu at mit.edu>
Date: Wed Oct 19 16:52:35 2016 -0400
Update man pages
src/man/k5srvutil.man | 22 ++++++++++++----------
src/man/kadmin.man | 35 +++++++++++++++++++----------------
src/man/kadmind.man | 6 ++++++
src/man/kdb5_util.man | 8 ++++++++
src/man/kdc.conf.man | 36 +++++++++++++++++++++++++++++-------
src/man/kinit.man | 5 ++++-
src/man/krb5.conf.man | 15 +++++++++++----
7 files changed, 89 insertions(+), 38 deletions(-)
diff --git a/src/man/k5srvutil.man b/src/man/k5srvutil.man
index 0ce72d4..364aab9 100644
--- a/src/man/k5srvutil.man
+++ b/src/man/k5srvutil.man
@@ -38,14 +38,15 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
[\fB\-e\fP \fIkeysalts\fP]
.SH DESCRIPTION
.sp
-k5srvutil allows an administrator to list or change keys currently in
-a keytab or to add new keys to the keytab.
+k5srvutil allows an administrator to list keys currently in
+a keytab, to obtain new keys for a principal currently in a keytab,
+or to delete non\-current keys from a keytab.
.sp
\fIoperation\fP must be one of the following:
.INDENT 0.0
.TP
.B \fBlist\fP
-Lists the keys in a keytab showing version number and principal
+Lists the keys in a keytab, showing version number and principal
name.
.TP
.B \fBchange\fP
@@ -53,13 +54,14 @@ Uses the kadmin protocol to update the keys in the Kerberos
database to new randomly\-generated keys, and updates the keys in
the keytab to match. If a key\(aqs version number doesn\(aqt match the
version number stored in the Kerberos server\(aqs database, then the
-operation will fail. Old keys are retained in the keytab so that
-existing tickets continue to work. If the \fB\-i\fP flag is given,
-k5srvutil will prompt for confirmation before changing each key.
-If the \fB\-k\fP option is given, the old and new keys will be
-displayed. Ordinarily, keys will be generated with the default
-encryption types and key salts. This can be overridden with the
-\fB\-e\fP option.
+operation will fail. If the \fB\-i\fP flag is given, k5srvutil will
+prompt for confirmation before changing each key. If the \fB\-k\fP
+option is given, the old and new keys will be displayed.
+Ordinarily, keys will be generated with the default encryption
+types and key salts. This can be overridden with the \fB\-e\fP
+option. Old keys are retained in the keytab so that existing
+tickets continue to work, but \fBdelold\fP should be used after
+such tickets expire, to prevent attacks against the old keys.
.TP
.B \fBdelold\fP
Deletes keys that are not the most recent version from the keytab.
diff --git a/src/man/kadmin.man b/src/man/kadmin.man
index 2730f35..7928960 100644
--- a/src/man/kadmin.man
+++ b/src/man/kadmin.man
@@ -284,11 +284,12 @@ Options:
(\fIgetdate\fP string) The password expiration date.
.TP
.B \fB\-maxlife\fP \fImaxlife\fP
-(\fIgetdate\fP string) The maximum ticket life for the principal.
+(\fIduration\fP or \fIgetdate\fP string) The maximum ticket life
+for the principal.
.TP
.B \fB\-maxrenewlife\fP \fImaxrenewlife\fP
-(\fIgetdate\fP string) The maximum renewable life of tickets for
-the principal.
+(\fIduration\fP or \fIgetdate\fP string) The maximum renewable
+life of tickets for the principal.
.TP
.B \fB\-kvno\fP \fIkvno\fP
The initial key version number.
@@ -717,7 +718,7 @@ Example:
.nf
.ft C
set_string host/foo.mit.edu session_enctypes aes128\-cts
-set_string user at FOO.COM otp [{"type":"hotp","username":"custom"}]
+set_string user at FOO.COM otp "[{""type"":""hotp"",""username"":""al""}]"
.ft P
.fi
.UNINDENT
@@ -751,10 +752,12 @@ The following options are available:
.INDENT 0.0
.TP
.B \fB\-maxlife\fP \fItime\fP
-(\fIgetdate\fP string) Sets the maximum lifetime of a password.
+(\fIduration\fP or \fIgetdate\fP string) Sets the maximum
+lifetime of a password.
.TP
.B \fB\-minlife\fP \fItime\fP
-(\fIgetdate\fP string) Sets the minimum lifetime of a password.
+(\fIduration\fP or \fIgetdate\fP string) Sets the minimum
+lifetime of a password.
.TP
.B \fB\-minlength\fP \fIlength\fP
Sets the minimum length of a password.
@@ -780,21 +783,21 @@ resets to 0 after a successful attempt to authenticate. A
.INDENT 0.0
.TP
.B \fB\-failurecountinterval\fP \fIfailuretime\fP
-(\fIgetdate\fP string) Sets the allowable time between
-authentication failures. If an authentication failure happens
-after \fIfailuretime\fP has elapsed since the previous failure,
-the number of authentication failures is reset to 1. A
+(\fIduration\fP or \fIgetdate\fP string) Sets the allowable time
+between authentication failures. If an authentication failure
+happens after \fIfailuretime\fP has elapsed since the previous
+failure, the number of authentication failures is reset to 1. A
\fIfailuretime\fP value of 0 (the default) means forever.
.UNINDENT
.INDENT 0.0
.TP
.B \fB\-lockoutduration\fP \fIlockouttime\fP
-(\fIgetdate\fP string) Sets the duration for which the principal
-is locked from authenticating if too many authentication failures
-occur without the specified failure count interval elapsing.
-A duration of 0 (the default) means the principal remains locked
-out until it is administratively unlocked with \fBmodprinc
-\-unlock\fP\&.
+(\fIduration\fP or \fIgetdate\fP string) Sets the duration for
+which the principal is locked from authenticating if too many
+authentication failures occur without the specified failure count
+interval elapsing. A duration of 0 (the default) means the
+principal remains locked out until it is administratively unlocked
+with \fBmodprinc \-unlock\fP\&.
.TP
.B \fB\-allowedkeysalts\fP
Specifies the key/salt tuples supported for long\-term keys when
diff --git a/src/man/kadmind.man b/src/man/kadmind.man
index 4cc4bf2..dc46b35 100644
--- a/src/man/kadmind.man
+++ b/src/man/kadmind.man
@@ -42,6 +42,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
[\fB\-P\fP \fIpid_file\fP]
[\fB\-p\fP \fIkdb5_util_path\fP]
[\fB\-K\fP \fIkprop_path\fP]
+[\fB\-k\fP \fIkprop_port\fP]
[\fB\-F\fP \fIdump_file\fP]
.SH DESCRIPTION
.sp
@@ -125,6 +126,11 @@ KDB in response to full resync requests when iprop is enabled.
specifies the path to the kprop command to use to send full dumps
to slaves in response to full resync requests.
.TP
+.B \fB\-k\fP \fIkprop_port\fP
+specifies the port by which the kprop process that is spawned by kadmind
+connects to the slave kpropd, in order to transfer the dump file during
+an iprop full resync request.
+.TP
.B \fB\-F\fP \fIdump_file\fP
specifies the file path to be used for dumping the KDB in response
to full resync requests when iprop is enabled.
diff --git a/src/man/kdb5_util.man b/src/man/kdb5_util.man
index 5d48ffe..c832e75 100644
--- a/src/man/kdb5_util.man
+++ b/src/man/kdb5_util.man
@@ -184,6 +184,14 @@ This may recover principals that do not dump normally, in cases
where database corruption has occurred. In cases of such
corruption, this option will probably retrieve more principals
than the \fB\-rev\fP option will.
+.sp
+Changed in version 1.15: Release 1.15 restored the functionality of the \fB\-recurse\fP
+option.
+
+.sp
+Changed in version 1.5: The \fB\-recurse\fP option ceased working until release 1.15,
+doing a normal dump instead of a recursive traversal.
+
.UNINDENT
.SS load
.INDENT 0.0
diff --git a/src/man/kdc.conf.man b/src/man/kdc.conf.man
index 69fde60..7665f84 100644
--- a/src/man/kdc.conf.man
+++ b/src/man/kdc.conf.man
@@ -88,7 +88,7 @@ _
.TE
.SS [kdcdefaults]
.sp
-With one exception, relations in the [kdcdefaults] section specify
+With two exceptions, relations in the [kdcdefaults] section specify
default values for realm variables, to be used if the [realms]
subsection does not contain a relation for the tag. See the
\fI\%[realms]\fP section for the definitions of these relations.
@@ -113,6 +113,11 @@ subsection does not contain a relation for the tag. See the
.B \fBkdc_max_dgram_reply_size\fP
Specifies the maximum packet size that can be sent over UDP. The
default value is 4096 bytes.
+.TP
+.B \fBkdc_tcp_listen_backlog\fP
+(Integer.) Set the size of the listen queue length for the KDC
+daemon. The value may be limited by OS settings. The default
+value is 5.
.UNINDENT
.SS [realms]
.sp
@@ -964,15 +969,27 @@ DES with HMAC/sha1 (weak)
T}
_
T{
-aes256\-cts\-hmac\-sha1\-96 aes256\-cts AES\-256
+aes256\-cts\-hmac\-sha1\-96 aes256\-cts aes256\-sha1
+T} T{
+AES\-256 CTS mode with 96\-bit SHA\-1 HMAC
+T}
+_
+T{
+aes128\-cts\-hmac\-sha1\-96 aes128\-cts aes128\-sha1
T} T{
-CTS mode with 96\-bit SHA\-1 HMAC
+AES\-128 CTS mode with 96\-bit SHA\-1 HMAC
T}
_
T{
-aes128\-cts\-hmac\-sha1\-96 aes128\-cts AES\-128
+aes256\-cts\-hmac\-sha384\-192 aes256\-sha2
T} T{
-CTS mode with 96\-bit SHA\-1 HMAC
+AES\-256 CTS mode with 192\-bit SHA\-384 HMAC
+T}
+_
+T{
+aes128\-cts\-hmac\-sha256\-128 aes128\-sha2
+T} T{
+AES\-128 CTS mode with 128\-bit SHA\-256 HMAC
T}
_
T{
@@ -1044,8 +1061,13 @@ front.
While \fBaes128\-cts\fP and \fBaes256\-cts\fP are supported for all Kerberos
operations, they are not supported by very old versions of our GSSAPI
implementation (krb5\-1.3.1 and earlier). Services running versions of
-krb5 without AES support must not be given AES keys in the KDC
-database.
+krb5 without AES support must not be given keys of these encryption
+types in the KDC database.
+.sp
+The \fBaes128\-sha2\fP and \fBaes256\-sha2\fP encryption types are new in
+release 1.15. Services running versions of krb5 without support for
+these newer encryption types must not be given keys of these
+encryption types in the KDC database.
.SH KEYSALT LISTS
.sp
Kerberos keys for users are usually derived from passwords. Kerberos
diff --git a/src/man/kinit.man b/src/man/kinit.man
index 6447a48..e5ea5d7 100644
--- a/src/man/kinit.man
+++ b/src/man/kinit.man
@@ -56,7 +56,10 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.SH DESCRIPTION
.sp
kinit obtains and caches an initial ticket\-granting ticket for
-\fIprincipal\fP\&.
+\fIprincipal\fP\&. If \fIprincipal\fP is absent, kinit chooses an appropriate
+principal name based on existing credential cache contents or the
+local username of the user invoking kinit. Some options modify the
+choice of principal name.
.SH OPTIONS
.INDENT 0.0
.TP
diff --git a/src/man/krb5.conf.man b/src/man/krb5.conf.man
index e035072..1e3f5cb 100644
--- a/src/man/krb5.conf.man
+++ b/src/man/krb5.conf.man
@@ -111,10 +111,10 @@ includedir DIRNAME
\fIFILENAME\fP or \fIDIRNAME\fP should be an absolute path. The named file or
directory must exist and be readable. Including a directory includes
all files within the directory whose names consist solely of
-alphanumeric characters, dashes, or underscores, or any filename
-ending in ".conf". Included profile files are syntactically
-independent of their parents, so each included file must begin with a
-section header.
+alphanumeric characters, dashes, or underscores. Starting in release
+1.15, files with names ending in ".conf" are also included. Included
+profile files are syntactically independent of their parents, so each
+included file must begin with a section header.
.sp
The krb5.conf file can specify that configuration should be obtained
from a loadable module, rather than the file itself, using the
@@ -303,6 +303,13 @@ it (besides the initial ticket request, which has no encrypted
data), and anything the fake KDC sends will not be trusted without
verification using some secret that it won\(aqt know.
.TP
+.B \fBdns_uri_lookup\fP
+Indicate whether DNS URI records should be used to locate the KDCs
+and other servers for a realm, if they are not listed in the
+krb5.conf information for the realm. SRV records are used as a
+fallback if no URI records were found. The default value is true.
+New in release 1.15.
+.TP
.B \fBerr_fmt\fP
This relation allows for custom error message formatting. If a
value is set, error messages will be formatted by substituting a
More information about the cvs-krb5
mailing list