krb5 commit [krb5-1.15]: Update man pages
Greg Hudson
ghudson at mit.edu
Mon Sep 25 12:41:48 EDT 2017
https://github.com/krb5/krb5/commit/653091afa16dc7c1d0fbe6044be19f7feb323072
commit 653091afa16dc7c1d0fbe6044be19f7feb323072
Author: Greg Hudson <ghudson at mit.edu>
Date: Mon Sep 25 11:43:56 2017 -0400
Update man pages
src/man/kadm5.acl.man | 25 +++++++++++++------------
src/man/kdc.conf.man | 2 +-
src/man/krb5.conf.man | 13 +++++++------
3 files changed, 21 insertions(+), 19 deletions(-)
diff --git a/src/man/kadm5.acl.man b/src/man/kadm5.acl.man
index 9043775..25a237f 100644
--- a/src/man/kadm5.acl.man
+++ b/src/man/kadm5.acl.man
@@ -230,16 +230,17 @@ sms at ATHENA.MIT.EDU x * \-maxlife 9h \-postdateable # line 6
.UNINDENT
.UNINDENT
.sp
-(line 1) Any principal in the \fBATHENA.MIT.EDU\fP realm with
-an \fBadmin\fP instance has all administrative privileges.
+(line 1) Any principal in the \fBATHENA.MIT.EDU\fP realm with an
+\fBadmin\fP instance has all administrative privileges except extracting
+keys.
.sp
-(lines 1\-3) The user \fBjoeadmin\fP has all permissions with his
-\fBadmin\fP instance, \fBjoeadmin/admin at ATHENA.MIT.EDU\fP (matches line
-1). He has no permissions at all with his null instance,
-\fBjoeadmin at ATHENA.MIT.EDU\fP (matches line 2). His \fBroot\fP and other
-non\-\fBadmin\fP, non\-null instances (e.g., \fBextra\fP or \fBdbadmin\fP) have
-inquire permissions with any principal that has the instance \fBroot\fP
-(matches line 3).
+(lines 1\-3) The user \fBjoeadmin\fP has all permissions except
+extracting keys with his \fBadmin\fP instance,
+\fBjoeadmin/admin at ATHENA.MIT.EDU\fP (matches line 1). He has no
+permissions at all with his null instance, \fBjoeadmin at ATHENA.MIT.EDU\fP
+(matches line 2). His \fBroot\fP and other non\-\fBadmin\fP, non\-null
+instances (e.g., \fBextra\fP or \fBdbadmin\fP) have inquire permissions
+with any principal that has the instance \fBroot\fP (matches line 3).
.sp
(line 4) Any \fBroot\fP principal in \fBATHENA.MIT.EDU\fP can inquire
or change the password of their null instance, but not any other
@@ -253,9 +254,9 @@ permission can only be granted globally, not to specific target
principals.
.sp
(line 6) Finally, the Service Management System principal
-\fBsms at ATHENA.MIT.EDU\fP has all permissions, but any principal that it
-creates or modifies will not be able to get postdateable tickets or
-tickets with a life of longer than 9 hours.
+\fBsms at ATHENA.MIT.EDU\fP has all permissions except extracting keys, but
+any principal that it creates or modifies will not be able to get
+postdateable tickets or tickets with a life of longer than 9 hours.
.SH SEE ALSO
.sp
\fIkdc.conf(5)\fP, \fIkadmind(8)\fP
diff --git a/src/man/kdc.conf.man b/src/man/kdc.conf.man
index 10b333c..1744af3 100644
--- a/src/man/kdc.conf.man
+++ b/src/man/kdc.conf.man
@@ -1031,7 +1031,7 @@ _
T{
aes
T} T{
-The AES family: aes256\-cts\-hmac\-sha1\-96 and aes128\-cts\-hmac\-sha1\-96
+The AES family: aes256\-cts\-hmac\-sha1\-96, aes128\-cts\-hmac\-sha1\-96, aes256\-cts\-hmac\-sha384\-192, and aes128\-cts\-hmac\-sha256\-128
T}
_
T{
diff --git a/src/man/krb5.conf.man b/src/man/krb5.conf.man
index 4e350bd..6924759 100644
--- a/src/man/krb5.conf.man
+++ b/src/man/krb5.conf.man
@@ -112,9 +112,10 @@ includedir DIRNAME
directory must exist and be readable. Including a directory includes
all files within the directory whose names consist solely of
alphanumeric characters, dashes, or underscores. Starting in release
-1.15, files with names ending in ".conf" are also included. Included
-profile files are syntactically independent of their parents, so each
-included file must begin with a section header.
+1.15, files with names ending in ".conf" are also included, unless the
+name begins with ".". Included profile files are syntactically
+independent of their parents, so each included file must begin with a
+section header.
.sp
The krb5.conf file can specify that configuration should be obtained
from a loadable module, rather than the file itself, using the
@@ -257,7 +258,7 @@ the client should request when making a TGS\-REQ, in order of
preference from highest to lowest. The list may be delimited with
commas or whitespace. See \fIEncryption_types\fP in
\fIkdc.conf(5)\fP for a list of the accepted values for this tag.
-The default value is \fBaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 des3\-cbc\-sha1 arcfour\-hmac\-md5 camellia256\-cts\-cmac camellia128\-cts\-cmac des\-cbc\-crc des\-cbc\-md5 des\-cbc\-md4\fP, but single\-DES encryption types
+The default value is \fBaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha256\-128 aes256\-cts\-hmac\-sha384\-192 des3\-cbc\-sha1 arcfour\-hmac\-md5 camellia256\-cts\-cmac camellia128\-cts\-cmac des\-cbc\-crc des\-cbc\-md5 des\-cbc\-md4\fP, but single\-DES encryption types
will be implicitly removed from this list if the value of
\fBallow_weak_crypto\fP is false.
.sp
@@ -271,7 +272,7 @@ Identifies the supported list of session key encryption types that
the client should request when making an AS\-REQ, in order of
preference from highest to lowest. The format is the same as for
default_tgs_enctypes. The default value for this tag is
-\fBaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 des3\-cbc\-sha1 arcfour\-hmac\-md5 camellia256\-cts\-cmac camellia128\-cts\-cmac des\-cbc\-crc des\-cbc\-md5 des\-cbc\-md4\fP, but single\-DES encryption types will be implicitly
+\fBaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha256\-128 aes256\-cts\-hmac\-sha384\-192 des3\-cbc\-sha1 arcfour\-hmac\-md5 camellia256\-cts\-cmac camellia128\-cts\-cmac des\-cbc\-crc des\-cbc\-md5 des\-cbc\-md4\fP, but single\-DES encryption types will be implicitly
removed from this list if the value of \fBallow_weak_crypto\fP is
false.
.sp
@@ -454,7 +455,7 @@ used across NATs. The default value is true.
.B \fBpermitted_enctypes\fP
Identifies all encryption types that are permitted for use in
session key encryption. The default value for this tag is
-\fBaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 des3\-cbc\-sha1 arcfour\-hmac\-md5 camellia256\-cts\-cmac camellia128\-cts\-cmac des\-cbc\-crc des\-cbc\-md5 des\-cbc\-md4\fP, but single\-DES encryption types will be implicitly
+\fBaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha256\-128 aes256\-cts\-hmac\-sha384\-192 des3\-cbc\-sha1 arcfour\-hmac\-md5 camellia256\-cts\-cmac camellia128\-cts\-cmac des\-cbc\-crc des\-cbc\-md5 des\-cbc\-md4\fP, but single\-DES encryption types will be implicitly
removed from this list if the value of \fBallow_weak_crypto\fP is
false.
.TP
More information about the cvs-krb5
mailing list