krb5 commit [krb5-1.16]: Update man pages
Greg Hudson
ghudson at mit.edu
Thu Nov 1 20:01:55 EDT 2018
https://github.com/krb5/krb5/commit/22896a17255e7d6a0b6aab536442ba056e903650
commit 22896a17255e7d6a0b6aab536442ba056e903650
Author: Greg Hudson <ghudson at mit.edu>
Date: Thu Nov 1 19:38:36 2018 -0400
Update man pages
src/man/k5identity.man | 12 +-
src/man/k5login.man | 2 +-
src/man/k5srvutil.man | 16 ++-
src/man/kadm5.acl.man | 18 ++--
src/man/kadmin.man | 210 +++++++++++++++++++------------------
src/man/kadmind.man | 46 +++++----
src/man/kdb5_ldap_util.man | 92 +++++++++--------
src/man/kdb5_util.man | 193 ++++++++++++++++++----------------
src/man/kdc.conf.man | 246 ++++++++++++++++++++++----------------------
src/man/kdestroy.man | 21 +---
src/man/kerberos.man | 2 +-
src/man/kinit.man | 73 ++++++--------
src/man/klist.man | 43 +++-----
src/man/kpasswd.man | 6 +-
src/man/kprop.man | 24 ++---
src/man/kpropd.man | 43 +++++----
src/man/kproplog.man | 21 ++--
src/man/krb5-config.man | 24 ++--
src/man/krb5.conf.man | 225 ++++++++++++++++++++--------------------
src/man/krb5kdc.man | 31 ++----
src/man/ksu.man | 45 +++++----
src/man/kswitch.man | 20 +---
src/man/ktutil.man | 6 +-
src/man/kvno.man | 24 ++---
src/man/sclient.man | 8 +-
src/man/sserver.man | 16 ++-
26 files changed, 731 insertions(+), 736 deletions(-)
diff --git a/src/man/k5identity.man b/src/man/k5identity.man
index b12fe67..a5b06dd 100644
--- a/src/man/k5identity.man
+++ b/src/man/k5identity.man
@@ -50,19 +50,19 @@ principal is chosen as the client principal. The following fields are
recognized:
.INDENT 0.0
.TP
-.B \fBrealm\fP
+\fBrealm\fP
If the realm of the server principal is known, it is matched
against \fIvalue\fP, which may be a pattern using shell wildcards.
For host\-based server principals, the realm will generally only be
-known if there is a \fIdomain_realm\fP section in
-\fIkrb5.conf(5)\fP with a mapping for the hostname.
+known if there is a domain_realm section in
+krb5.conf(5) with a mapping for the hostname.
.TP
-.B \fBservice\fP
+\fBservice\fP
If the server principal is a host\-based principal, its service
component is matched against \fIvalue\fP, which may be a pattern using
shell wildcards.
.TP
-.B \fBhost\fP
+\fBhost\fP
If the server principal is a host\-based principal, its hostname
component is converted to lower case and matched against \fIvalue\fP,
which may be a pattern using shell wildcards.
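Review bot: the commit message ("Update man pages") should record what regenerated these files, because this hunk changes two unrelated things at once: the `.B` request is dropped in front of already-bold tags (`-.B \fBrealm\fP` / `+\fBrealm\fP`), and italic cross-references become plain text (`-\fIkrb5.conf(5)\fP` / `+krb5.conf(5)`). Both look like the output of a different docutils/rst2man version rather than an edit to the RST source, and naming the tool version in the message is what makes the generated pages reproducible. Dropping `.B` is harmless since `\fB...\fP` already bolds the tag, but losing italics on every man-page cross-reference is a rendering regression that deserves a sentence of justification.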
@@ -94,7 +94,7 @@ alice/mail at EXAMPLE.COM host=mail.example.com service=imap
.UNINDENT
.SH SEE ALSO
.sp
-kerberos(1), \fIkrb5.conf(5)\fP
+kerberos(1), krb5.conf(5)
.SH AUTHOR
MIT
.SH COPYRIGHT
diff --git a/src/man/k5login.man b/src/man/k5login.man
index 1ca11d3..6495b80 100644
--- a/src/man/k5login.man
+++ b/src/man/k5login.man
@@ -56,7 +56,7 @@ bob at FOOBAR.ORG
This would allow \fBbob\fP to use Kerberos network applications, such as
ssh(1), to access \fBalice\fP\(aqs account, using \fBbob\fP\(aqs Kerberos
tickets. In a default configuration (with \fBk5login_authoritative\fP set
-to true in \fIkrb5.conf(5)\fP), this .k5login file would not let
+to true in krb5.conf(5)), this .k5login file would not let
\fBalice\fP use those network applications to access her account, since
she is not listed! With no .k5login file, or with \fBk5login_authoritative\fP
set to false, a default rule would permit the principal \fBalice\fP in the
diff --git a/src/man/k5srvutil.man b/src/man/k5srvutil.man
index 570aa43..e6db05a 100644
--- a/src/man/k5srvutil.man
+++ b/src/man/k5srvutil.man
@@ -45,11 +45,11 @@ or to delete non\-current keys from a keytab.
\fIoperation\fP must be one of the following:
.INDENT 0.0
.TP
-.B \fBlist\fP
+\fBlist\fP
Lists the keys in a keytab, showing version number and principal
name.
.TP
-.B \fBchange\fP
+\fBchange\fP
Uses the kadmin protocol to update the keys in the Kerberos
database to new randomly\-generated keys, and updates the keys in
the keytab to match. If a key\(aqs version number doesn\(aqt match the
@@ -63,14 +63,14 @@ option. Old keys are retained in the keytab so that existing
tickets continue to work, but \fBdelold\fP should be used after
such tickets expire, to prevent attacks against the old keys.
.TP
-.B \fBdelold\fP
+\fBdelold\fP
Deletes keys that are not the most recent version from the keytab.
This operation should be used some time after a change operation
to remove old keys, after existing tickets issued for the service
have expired. If the \fB\-i\fP flag is given, then k5srvutil will
prompt for confirmation for each principal.
.TP
-.B \fBdelete\fP
+\fBdelete\fP
Deletes particular keys in the keytab, interactively prompting for
each key.
.UNINDENT
@@ -78,11 +78,15 @@ each key.
In all cases, the default keytab is used unless this is overridden by
the \fB\-f\fP option.
.sp
-k5srvutil uses the \fIkadmin(1)\fP program to edit the keytab in
+k5srvutil uses the kadmin(1) program to edit the keytab in
place.
+.SH ENVIRONMENT
+.sp
+See kerberos(7) for a description of Kerberos environment
+variables.
.SH SEE ALSO
.sp
-\fIkadmin(1)\fP, \fIktutil(1)\fP
+kadmin(1), ktutil(1), kerberos(7)
.SH AUTHOR
MIT
.SH COPYRIGHT
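Review bot: the section number of the kerberos page is inconsistent within this patch: the new ENVIRONMENT text and SEE ALSO here cite kerberos(7) (`+See kerberos(7) for a description of Kerberos environment` and `+kadmin(1), ktutil(1), kerberos(7)`), while the k5identity.man hunk above leaves `+kerberos(1), krb5.conf(5)` in its SEE ALSO. Confirm which section kerberos.man is installed under in this release and make both references agree; as written, one of them points at a page that does not exist.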
diff --git a/src/man/kadm5.acl.man b/src/man/kadm5.acl.man
index 49d6f81..e63dd1a 100644
--- a/src/man/kadm5.acl.man
+++ b/src/man/kadm5.acl.man
@@ -32,14 +32,14 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
..
.SH DESCRIPTION
.sp
-The Kerberos \fIkadmind(8)\fP daemon uses an Access Control List
+The Kerberos kadmind(8) daemon uses an Access Control List
(ACL) file to manage access rights to the Kerberos database.
For operations that affect principals, the ACL file also controls
which principals can operate on which other principals.
.sp
The default location of the Kerberos ACL file is
\fB at LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/kadm5.acl\fP unless this is overridden by the \fIacl_file\fP
-variable in \fIkdc.conf(5)\fP\&.
+variable in kdc.conf(5)\&.
.SH SYNTAX
.sp
Empty lines and lines starting with the sharp sign (\fB#\fP) are
@@ -127,7 +127,7 @@ _
T{
p
T} T{
-[Dis]allows the propagation of the principal database (used in \fIincr_db_prop\fP)
+[Dis]allows the propagation of the principal database (used in incr_db_prop)
T}
_
T{
@@ -185,7 +185,7 @@ in which \fB*number\fP matches the corresponding wildcard in
.B {+|\-}\fIflagname\fP
flag is forced to the indicated value. The permissible flags
are the same as those for the \fBdefault_principal_flags\fP
-variable in \fIkdc.conf(5)\fP\&.
+variable in kdc.conf(5)\&.
.TP
.B \fI\-clearpolicy\fP
policy is forced to be empty.
@@ -194,7 +194,7 @@ policy is forced to be empty.
policy is forced to be \fIpol\fP\&.
.TP
.B \-{\fIexpire, pwexpire, maxlife, maxrenewlife\fP} \fItime\fP
-(\fIgetdate\fP string) associated value will be forced to
+(getdate string) associated value will be forced to
MIN(\fItime\fP, requested value).
.UNINDENT
.UNINDENT
@@ -260,17 +260,17 @@ postdateable tickets or tickets with a life of longer than 9 hours.
.SH MODULE BEHAVIOR
.sp
The ACL file can coexist with other authorization modules in release
-1.16 and later, as configured in the \fIkadm5_auth\fP section of
-\fIkrb5.conf(5)\fP\&. The ACL file will positively authorize
+1.16 and later, as configured in the kadm5_auth section of
+krb5.conf(5)\&. The ACL file will positively authorize
operations according to the rules above, but will never
authoritatively deny an operation, so other modules can authorize
operations in addition to those authorized by the ACL file.
.sp
To operate without an ACL file, set the \fIacl_file\fP variable in
-\fIkdc.conf(5)\fP to the empty string with \fBacl_file = ""\fP\&.
+kdc.conf(5) to the empty string with \fBacl_file = ""\fP\&.
.SH SEE ALSO
.sp
-\fIkdc.conf(5)\fP, \fIkadmind(8)\fP
+kdc.conf(5), kadmind(8)
.SH AUTHOR
MIT
.SH COPYRIGHT
diff --git a/src/man/kadmin.man b/src/man/kadmin.man
index a426b3a..bab046a 100644
--- a/src/man/kadmin.man
+++ b/src/man/kadmin.man
@@ -56,7 +56,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
kadmin and kadmin.local are command\-line interfaces to the Kerberos V5
administration system. They provide nearly identical functionalities;
the difference is that kadmin.local directly accesses the KDC
-database, while kadmin performs operations using \fIkadmind(8)\fP\&.
+database, while kadmin performs operations using kadmind(8)\&.
Except as explicitly noted otherwise, this man page will use "kadmin"
to refer to both versions. kadmin provides for the maintenance of
Kerberos principals, password policies, and service key tables
@@ -80,30 +80,30 @@ kadmin.local can be run on any host which can access the LDAP server.
.SH OPTIONS
.INDENT 0.0
.TP
-.B \fB\-r\fP \fIrealm\fP
+\fB\-r\fP \fIrealm\fP
Use \fIrealm\fP as the default database realm.
.TP
-.B \fB\-p\fP \fIprincipal\fP
+\fB\-p\fP \fIprincipal\fP
Use \fIprincipal\fP to authenticate. Otherwise, kadmin will append
\fB/admin\fP to the primary principal name of the default ccache,
the value of the \fBUSER\fP environment variable, or the username as
obtained with getpwuid, in order of preference.
.TP
-.B \fB\-k\fP
+\fB\-k\fP
Use a keytab to decrypt the KDC response instead of prompting for
a password. In this case, the default principal will be
\fBhost/hostname\fP\&. If there is no keytab specified with the
\fB\-t\fP option, then the default keytab will be used.
.TP
-.B \fB\-t\fP \fIkeytab\fP
+\fB\-t\fP \fIkeytab\fP
Use \fIkeytab\fP to decrypt the KDC response. This can only be used
with the \fB\-k\fP option.
.TP
-.B \fB\-n\fP
+\fB\-n\fP
Requests anonymous processing. Two types of anonymous principals
are supported. For fully anonymous Kerberos, configure PKINIT on
the KDC and configure \fBpkinit_anchors\fP in the client\(aqs
-\fIkrb5.conf(5)\fP\&. Then use the \fB\-n\fP option with a principal
+krb5.conf(5)\&. Then use the \fB\-n\fP option with a principal
of the form \fB at REALM\fP (an empty principal name followed by the
at\-sign and a realm name). If permitted by the KDC, an anonymous
ticket will be returned. A second form of anonymous tickets is
@@ -114,46 +114,46 @@ principal (but not realm) will be replaced by the anonymous
principal. As of release 1.8, the MIT Kerberos KDC only supports
fully anonymous operation.
.TP
-.B \fB\-c\fP \fIcredentials_cache\fP
+\fB\-c\fP \fIcredentials_cache\fP
Use \fIcredentials_cache\fP as the credentials cache. The
cache should contain a service ticket for the \fBkadmin/ADMINHOST\fP
(where \fIADMINHOST\fP is the fully\-qualified hostname of the admin
server) or \fBkadmin/admin\fP service; it can be acquired with the
-\fIkinit(1)\fP program. If this option is not specified, kadmin
+kinit(1) program. If this option is not specified, kadmin
requests a new service ticket from the KDC, and stores it in its
own temporary ccache.
.TP
-.B \fB\-w\fP \fIpassword\fP
+\fB\-w\fP \fIpassword\fP
Use \fIpassword\fP instead of prompting for one. Use this option with
care, as it may expose the password to other users on the system
via the process list.
.TP
-.B \fB\-q\fP \fIquery\fP
+\fB\-q\fP \fIquery\fP
Perform the specified query and then exit.
.TP
-.B \fB\-d\fP \fIdbname\fP
+\fB\-d\fP \fIdbname\fP
Specifies the name of the KDC database. This option does not
apply to the LDAP database module.
.TP
-.B \fB\-s\fP \fIadmin_server\fP[:\fIport\fP]
+\fB\-s\fP \fIadmin_server\fP[:\fIport\fP]
Specifies the admin server which kadmin should contact.
.TP
-.B \fB\-m\fP
+\fB\-m\fP
If using kadmin.local, prompt for the database master password
instead of reading it from a stash file.
.TP
-.B \fB\-e\fP "\fIenc\fP:\fIsalt\fP ..."
+\fB\-e\fP "\fIenc\fP:\fIsalt\fP ..."
Sets the keysalt list to be used for any new keys created. See
-\fIKeysalt_lists\fP in \fIkdc.conf(5)\fP for a list of possible
+Keysalt_lists in kdc.conf(5) for a list of possible
values.
.TP
-.B \fB\-O\fP
+\fB\-O\fP
Force use of old AUTH_GSSAPI authentication flavor.
.TP
-.B \fB\-N\fP
+\fB\-N\fP
Prevent fallback to AUTH_GSSAPI authentication flavor.
.TP
-.B \fB\-x\fP \fIdb_args\fP
+\fB\-x\fP \fIdb_args\fP
Specifies the database specific arguments. See the next section
for supported options.
.UNINDENT
@@ -188,10 +188,10 @@ Supported options for the DB2 module are:
.INDENT 3.5
.INDENT 0.0
.TP
-.B \fB\-x dbname=\fP*filename*
+\fB\-x dbname=\fP*filename*
Specifies the base filename of the DB2 database.
.TP
-.B \fB\-x lockiter\fP
+\fB\-x lockiter\fP
Make iteration operations hold the lock for the duration of
the entire operation, rather than temporarily releasing the
lock while handling each principal. This is the default
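Review bot: `+\fB\-x dbname=\fP*filename*` still carries raw reStructuredText emphasis markers, so the rendered page prints the asterisks literally instead of setting filename in italics. The defect is pre-existing in the generated output, but since the line is being rewritten anyway, fix the nested inline markup in the RST source so the output reads `\fB\-x dbname=\fP\fIfilename\fP`, matching the form the LDAP entries in the following hunk already use (`\fB\-x host=\fP\fIldapuri\fP`).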
@@ -199,7 +199,7 @@ behavior, but this option exists to allow command line
override of a [dbmodules] setting. First introduced in
release 1.13.
.TP
-.B \fB\-x unlockiter\fP
+\fB\-x unlockiter\fP
Make iteration operations unlock the database for each
principal, instead of holding the lock for the duration of the
entire operation. First introduced in release 1.13.
@@ -212,39 +212,39 @@ Supported options for the LDAP module are:
.INDENT 3.5
.INDENT 0.0
.TP
-.B \fB\-x host=\fP\fIldapuri\fP
+\fB\-x host=\fP\fIldapuri\fP
Specifies the LDAP server to connect to by a LDAP URI.
.TP
-.B \fB\-x binddn=\fP\fIbind_dn\fP
+\fB\-x binddn=\fP\fIbind_dn\fP
Specifies the DN used to bind to the LDAP server.
.TP
-.B \fB\-x bindpwd=\fP\fIpassword\fP
+\fB\-x bindpwd=\fP\fIpassword\fP
Specifies the password or SASL secret used to bind to the LDAP
server. Using this option may expose the password to other
users on the system via the process list; to avoid this,
instead stash the password using the \fBstashsrvpw\fP command of
-\fIkdb5_ldap_util(8)\fP\&.
+kdb5_ldap_util(8)\&.
.TP
-.B \fB\-x sasl_mech=\fP\fImechanism\fP
+\fB\-x sasl_mech=\fP\fImechanism\fP
Specifies the SASL mechanism used to bind to the LDAP server.
The bind DN is ignored if a SASL mechanism is used. New in
release 1.13.
.TP
-.B \fB\-x sasl_authcid=\fP\fIname\fP
+\fB\-x sasl_authcid=\fP\fIname\fP
Specifies the authentication name used when binding to the
LDAP server with a SASL mechanism, if the mechanism requires
one. New in release 1.13.
.TP
-.B \fB\-x sasl_authzid=\fP\fIname\fP
+\fB\-x sasl_authzid=\fP\fIname\fP
Specifies the authorization name used when binding to the LDAP
server with a SASL mechanism. New in release 1.13.
.TP
-.B \fB\-x sasl_realm=\fP\fIrealm\fP
+\fB\-x sasl_realm=\fP\fIrealm\fP
Specifies the realm used when binding to the LDAP server with
a SASL mechanism, if the mechanism uses one. New in release
1.13.
.TP
-.B \fB\-x debug=\fP\fIlevel\fP
+\fB\-x debug=\fP\fIlevel\fP
sets the OpenLDAP client library debug level. \fIlevel\fP is an
integer to be interpreted by the library. Debugging messages
are printed to standard error. New in release 1.12.
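Review bot: style nit on the unchanged context line `sets the OpenLDAP client library debug level.`: every other option description in this list opens with a capitalised "Specifies", so this entry should open with "Sets". Not introduced by this patch, but cheap to fix in the source while the page is being regenerated.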
@@ -254,7 +254,7 @@ are printed to standard error. New in release 1.12.
.SH COMMANDS
.sp
When using the remote client, available commands may be restricted
-according to the privileges specified in the \fIkadm5.acl(5)\fP file
+according to the privileges specified in the kadm5.acl(5) file
on the admin server.
.SS add_principal
.INDENT 0.0
@@ -277,54 +277,54 @@ Aliases: \fBaddprinc\fP, \fBank\fP
Options:
.INDENT 0.0
.TP
-.B \fB\-expire\fP \fIexpdate\fP
-(\fIgetdate\fP string) The expiration date of the principal.
+\fB\-expire\fP \fIexpdate\fP
+(getdate string) The expiration date of the principal.
.TP
-.B \fB\-pwexpire\fP \fIpwexpdate\fP
-(\fIgetdate\fP string) The password expiration date.
+\fB\-pwexpire\fP \fIpwexpdate\fP
+(getdate string) The password expiration date.
.TP
-.B \fB\-maxlife\fP \fImaxlife\fP
-(\fIduration\fP or \fIgetdate\fP string) The maximum ticket life
+\fB\-maxlife\fP \fImaxlife\fP
+(duration or getdate string) The maximum ticket life
for the principal.
.TP
-.B \fB\-maxrenewlife\fP \fImaxrenewlife\fP
-(\fIduration\fP or \fIgetdate\fP string) The maximum renewable
+\fB\-maxrenewlife\fP \fImaxrenewlife\fP
+(duration or getdate string) The maximum renewable
life of tickets for the principal.
.TP
-.B \fB\-kvno\fP \fIkvno\fP
+\fB\-kvno\fP \fIkvno\fP
The initial key version number.
.TP
-.B \fB\-policy\fP \fIpolicy\fP
+\fB\-policy\fP \fIpolicy\fP
The password policy used by this principal. If not specified, the
policy \fBdefault\fP is used if it exists (unless \fB\-clearpolicy\fP
is specified).
.TP
-.B \fB\-clearpolicy\fP
+\fB\-clearpolicy\fP
Prevents any policy from being assigned when \fB\-policy\fP is not
specified.
.TP
-.B {\-|+}\fBallow_postdated\fP
+{\-|+}\fBallow_postdated\fP
\fB\-allow_postdated\fP prohibits this principal from obtaining
postdated tickets. \fB+allow_postdated\fP clears this flag.
.TP
-.B {\-|+}\fBallow_forwardable\fP
+{\-|+}\fBallow_forwardable\fP
\fB\-allow_forwardable\fP prohibits this principal from obtaining
forwardable tickets. \fB+allow_forwardable\fP clears this flag.
.TP
-.B {\-|+}\fBallow_renewable\fP
+{\-|+}\fBallow_renewable\fP
\fB\-allow_renewable\fP prohibits this principal from obtaining
renewable tickets. \fB+allow_renewable\fP clears this flag.
.TP
-.B {\-|+}\fBallow_proxiable\fP
+{\-|+}\fBallow_proxiable\fP
\fB\-allow_proxiable\fP prohibits this principal from obtaining
proxiable tickets. \fB+allow_proxiable\fP clears this flag.
.TP
-.B {\-|+}\fBallow_dup_skey\fP
+{\-|+}\fBallow_dup_skey\fP
\fB\-allow_dup_skey\fP disables user\-to\-user authentication for this
principal by prohibiting this principal from obtaining a session
key for another user. \fB+allow_dup_skey\fP clears this flag.
.TP
-.B {\-|+}\fBrequires_preauth\fP
+{\-|+}\fBrequires_preauth\fP
\fB+requires_preauth\fP requires this principal to preauthenticate
before being allowed to kinit. \fB\-requires_preauth\fP clears this
flag. When \fB+requires_preauth\fP is set on a service principal,
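Review bot: this hunk silently downgrades references to documented formats, for example `-(\fIgetdate\fP string)` becomes `+(getdate string)` and `-(\fIduration\fP or \fIgetdate\fP string)` becomes `+(duration or getdate string)`. In the RST those are cross-references to the sections that define the getdate and duration syntaxes; with the italics gone, a reader of the rendered man page has no cue that "getdate" names a defined format rather than an ordinary word. If the generator no longer marks these references, consider rewording them in the source to point at the defining section explicitly, and at minimum treat them the same way the Keysalt_lists references are treated elsewhere in this patch.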
@@ -332,7 +332,7 @@ the KDC will only issue service tickets for that service principal
if the client\(aqs initial authentication was performed using
preauthentication.
.TP
-.B {\-|+}\fBrequires_hwauth\fP
+{\-|+}\fBrequires_hwauth\fP
\fB+requires_hwauth\fP requires this principal to preauthenticate
using a hardware device before being allowed to kinit.
\fB\-requires_hwauth\fP clears this flag. When \fB+requires_hwauth\fP is
@@ -340,45 +340,45 @@ set on a service principal, the KDC will only issue service tickets
for that service principal if the client\(aqs initial authentication was
performed using a hardware device to preauthenticate.
.TP
-.B {\-|+}\fBok_as_delegate\fP
+{\-|+}\fBok_as_delegate\fP
\fB+ok_as_delegate\fP sets the \fBokay as delegate\fP flag on tickets
issued with this principal as the service. Clients may use this
flag as a hint that credentials should be delegated when
authenticating to the service. \fB\-ok_as_delegate\fP clears this
flag.
.TP
-.B {\-|+}\fBallow_svr\fP
+{\-|+}\fBallow_svr\fP
\fB\-allow_svr\fP prohibits the issuance of service tickets for this
principal. \fB+allow_svr\fP clears this flag.
.TP
-.B {\-|+}\fBallow_tgs_req\fP
+{\-|+}\fBallow_tgs_req\fP
\fB\-allow_tgs_req\fP specifies that a Ticket\-Granting Service (TGS)
request for a service ticket for this principal is not permitted.
\fB+allow_tgs_req\fP clears this flag.
.TP
-.B {\-|+}\fBallow_tix\fP
+{\-|+}\fBallow_tix\fP
\fB\-allow_tix\fP forbids the issuance of any tickets for this
principal. \fB+allow_tix\fP clears this flag.
.TP
-.B {\-|+}\fBneedchange\fP
+{\-|+}\fBneedchange\fP
\fB+needchange\fP forces a password change on the next initial
authentication to this principal. \fB\-needchange\fP clears this
flag.
.TP
-.B {\-|+}\fBpassword_changing_service\fP
+{\-|+}\fBpassword_changing_service\fP
\fB+password_changing_service\fP marks this principal as a password
change service principal.
.TP
-.B {\-|+}\fBok_to_auth_as_delegate\fP
+{\-|+}\fBok_to_auth_as_delegate\fP
\fB+ok_to_auth_as_delegate\fP allows this principal to acquire
forwardable tickets to itself from arbitrary users, for use with
constrained delegation.
.TP
-.B {\-|+}\fBno_auth_data_required\fP
+{\-|+}\fBno_auth_data_required\fP
\fB+no_auth_data_required\fP prevents PAC or AD\-SIGNEDPATH data from
being added to service tickets for the principal.
.TP
-.B {\-|+}\fBlockdown_keys\fP
+{\-|+}\fBlockdown_keys\fP
\fB+lockdown_keys\fP prevents keys for this principal from leaving
the KDC via kadmind. The chpass and extract operations are denied
for a principal with this attribute. The chrand operation is
@@ -389,42 +389,42 @@ krbtgt/* or kadmin/* with new principals without the attribute.
This attribute can be set via the network protocol, but can only
be removed using kadmin.local.
.TP
-.B \fB\-randkey\fP
+\fB\-randkey\fP
Sets the key of the principal to a random value.
.TP
-.B \fB\-nokey\fP
+\fB\-nokey\fP
Causes the principal to be created with no key. New in release
1.12.
.TP
-.B \fB\-pw\fP \fIpassword\fP
+\fB\-pw\fP \fIpassword\fP
Sets the password of the principal to the specified string and
does not prompt for a password. Note: using this option in a
shell script may expose the password to other users on the system
via the process list.
.TP
-.B \fB\-e\fP \fIenc\fP:\fIsalt\fP,...
+\fB\-e\fP \fIenc\fP:\fIsalt\fP,...
Uses the specified keysalt list for setting the keys of the
-principal. See \fIKeysalt_lists\fP in \fIkdc.conf(5)\fP for a
+principal. See Keysalt_lists in kdc.conf(5) for a
list of possible values.
.TP
-.B \fB\-x\fP \fIdb_princ_args\fP
+\fB\-x\fP \fIdb_princ_args\fP
Indicates database\-specific options. The options for the LDAP
database module are:
.INDENT 7.0
.TP
-.B \fB\-x dn=\fP\fIdn\fP
+\fB\-x dn=\fP\fIdn\fP
Specifies the LDAP object that will contain the Kerberos
principal being created.
.TP
-.B \fB\-x linkdn=\fP\fIdn\fP
+\fB\-x linkdn=\fP\fIdn\fP
Specifies the LDAP object to which the newly created Kerberos
principal object will point.
.TP
-.B \fB\-x containerdn=\fP\fIcontainer_dn\fP
+\fB\-x containerdn=\fP\fIcontainer_dn\fP
Specifies the container object under which the Kerberos
principal is to be created.
.TP
-.B \fB\-x tktpolicy=\fP\fIpolicy\fP
+\fB\-x tktpolicy=\fP\fIpolicy\fP
Associates a ticket policy to the Kerberos principal.
.UNINDENT
.sp
@@ -484,7 +484,7 @@ Alias: \fBmodprinc\fP
Options (in addition to the \fBaddprinc\fP options):
.INDENT 0.0
.TP
-.B \fB\-unlock\fP
+\fB\-unlock\fP
Unlocks a locked principal (one which has received too many failed
authentication attempts without enough time between them according
to its password policy) so that it can successfully authenticate.
@@ -535,20 +535,20 @@ Alias: \fBcpw\fP
The following options are available:
.INDENT 0.0
.TP
-.B \fB\-randkey\fP
+\fB\-randkey\fP
Sets the key of the principal to a random value.
.TP
-.B \fB\-pw\fP \fIpassword\fP
+\fB\-pw\fP \fIpassword\fP
Set the password to the specified string. Using this option in a
script may expose the password to other users on the system via
the process list.
.TP
-.B \fB\-e\fP \fIenc\fP:\fIsalt\fP,...
+\fB\-e\fP \fIenc\fP:\fIsalt\fP,...
Uses the specified keysalt list for setting the keys of the
-principal. See \fIKeysalt_lists\fP in \fIkdc.conf(5)\fP for a
+principal. See Keysalt_lists in kdc.conf(5) for a
list of possible values.
.TP
-.B \fB\-keepold\fP
+\fB\-keepold\fP
Keeps the existing keys in the database. This flag is usually not
necessary except perhaps for \fBkrbtgt\fP principals.
.UNINDENT
@@ -689,29 +689,29 @@ modules. The following string attribute names are recognized by the
KDC:
.INDENT 0.0
.TP
-.B \fBrequire_auth\fP
+\fBrequire_auth\fP
Specifies an authentication indicator which is required to
authenticate to the principal as a service. Multiple indicators
can be specified, separated by spaces; in this case any of the
specified indicators will be accepted. (New in release 1.14.)
.TP
-.B \fBsession_enctypes\fP
+\fBsession_enctypes\fP
Specifies the encryption types supported for session keys when the
principal is authenticated to as a server. See
-\fIEncryption_types\fP in \fIkdc.conf(5)\fP for a list of the
+Encryption_types in kdc.conf(5) for a list of the
accepted values.
.TP
-.B \fBotp\fP
+\fBotp\fP
Enables One Time Passwords (OTP) preauthentication for a client
\fIprincipal\fP\&. The \fIvalue\fP is a JSON string representing an array
of objects, each having optional \fBtype\fP and \fBusername\fP fields.
.TP
-.B \fBpkinit_cert_match\fP
+\fBpkinit_cert_match\fP
Specifies a matching expression that defines the certificate
attributes required for the client certificate used by the
principal during PKINIT authentication. The matching expression
is in the same format as those used by the \fBpkinit_cert_match\fP
-option in \fIkrb5.conf(5)\fP\&. (New in release 1.16.)
+option in krb5.conf(5)\&. (New in release 1.16.)
.UNINDENT
.sp
This command requires the \fBmodify\fP privilege.
@@ -758,29 +758,29 @@ Alias: \fBaddpol\fP
The following options are available:
.INDENT 0.0
.TP
-.B \fB\-maxlife\fP \fItime\fP
-(\fIduration\fP or \fIgetdate\fP string) Sets the maximum
+\fB\-maxlife\fP \fItime\fP
+(duration or getdate string) Sets the maximum
lifetime of a password.
.TP
-.B \fB\-minlife\fP \fItime\fP
-(\fIduration\fP or \fIgetdate\fP string) Sets the minimum
+\fB\-minlife\fP \fItime\fP
+(duration or getdate string) Sets the minimum
lifetime of a password.
.TP
-.B \fB\-minlength\fP \fIlength\fP
+\fB\-minlength\fP \fIlength\fP
Sets the minimum length of a password.
.TP
-.B \fB\-minclasses\fP \fInumber\fP
+\fB\-minclasses\fP \fInumber\fP
Sets the minimum number of character classes required in a
password. The five character classes are lower case, upper case,
numbers, punctuation, and whitespace/unprintable characters.
.TP
-.B \fB\-history\fP \fInumber\fP
+\fB\-history\fP \fInumber\fP
Sets the number of past keys kept for a principal. This option is
not supported with the LDAP KDC database module.
.UNINDENT
.INDENT 0.0
.TP
-.B \fB\-maxfailure\fP \fImaxnumber\fP
+\fB\-maxfailure\fP \fImaxnumber\fP
Sets the number of authentication failures before the principal is
locked. Authentication failures are only tracked for principals
which require preauthentication. The counter of failed attempts
@@ -789,8 +789,8 @@ resets to 0 after a successful attempt to authenticate. A
.UNINDENT
.INDENT 0.0
.TP
-.B \fB\-failurecountinterval\fP \fIfailuretime\fP
-(\fIduration\fP or \fIgetdate\fP string) Sets the allowable time
+\fB\-failurecountinterval\fP \fIfailuretime\fP
+(duration or getdate string) Sets the allowable time
between authentication failures. If an authentication failure
happens after \fIfailuretime\fP has elapsed since the previous
failure, the number of authentication failures is reset to 1. A
@@ -798,18 +798,18 @@ failure, the number of authentication failures is reset to 1. A
.UNINDENT
.INDENT 0.0
.TP
-.B \fB\-lockoutduration\fP \fIlockouttime\fP
-(\fIduration\fP or \fIgetdate\fP string) Sets the duration for
+\fB\-lockoutduration\fP \fIlockouttime\fP
+(duration or getdate string) Sets the duration for
which the principal is locked from authenticating if too many
authentication failures occur without the specified failure count
interval elapsing. A duration of 0 (the default) means the
principal remains locked out until it is administratively unlocked
with \fBmodprinc \-unlock\fP\&.
.TP
-.B \fB\-allowedkeysalts\fP
+\fB\-allowedkeysalts\fP
Specifies the key/salt tuples supported for long\-term keys when
setting or changing a principal\(aqs password/keys. See
-\fIKeysalt_lists\fP in \fIkdc.conf(5)\fP for a list of the
+Keysalt_lists in kdc.conf(5) for a list of the
accepted values, but note that key/salt tuples must be separated
with commas (\(aq,\(aq) only. To clear the allowed key/salt policy use
a value of \(aq\-\(aq.
@@ -969,19 +969,19 @@ With the \fB\-glob\fP form, it also requires the \fBlist\fP privilege.
The options are:
.INDENT 0.0
.TP
-.B \fB\-k[eytab]\fP \fIkeytab\fP
+\fB\-k[eytab]\fP \fIkeytab\fP
Use \fIkeytab\fP as the keytab file. Otherwise, the default keytab is
used.
.TP
-.B \fB\-e\fP \fIenc\fP:\fIsalt\fP,...
+\fB\-e\fP \fIenc\fP:\fIsalt\fP,...
Uses the specified keysalt list for setting the new keys of the
-principal. See \fIKeysalt_lists\fP in \fIkdc.conf(5)\fP for a
+principal. See Keysalt_lists in kdc.conf(5) for a
list of possible values.
.TP
-.B \fB\-q\fP
+\fB\-q\fP
Display less verbose information.
.TP
-.B \fB\-norandkey\fP
+\fB\-norandkey\fP
Do not randomize the keys. The keys and their version numbers stay
unchanged. This option cannot be specified in combination with the
\fB\-e\fP option.
@@ -1025,11 +1025,11 @@ kvno match that integer are removed.
The options are:
.INDENT 0.0
.TP
-.B \fB\-k[eytab]\fP \fIkeytab\fP
+\fB\-k[eytab]\fP \fIkeytab\fP
Use \fIkeytab\fP as the keytab file. Otherwise, the default keytab is
used.
.TP
-.B \fB\-q\fP
+\fB\-q\fP
Display less verbose information.
.UNINDENT
.sp
@@ -1068,9 +1068,13 @@ Aliases: \fBexit\fP, \fBq\fP
.sp
The kadmin program was originally written by Tom Yu at MIT, as an
interface to the OpenVision Kerberos administration program.
+.SH ENVIRONMENT
+.sp
+See kerberos(7) for a description of Kerberos environment
+variables.
.SH SEE ALSO
.sp
-\fIkpasswd(1)\fP, \fIkadmind(8)\fP
+kpasswd(1), kadmind(8), kerberos(7)
.SH AUTHOR
MIT
.SH COPYRIGHT
diff --git a/src/man/kadmind.man b/src/man/kadmind.man
index 411d3a0..4ee8524 100644
--- a/src/man/kadmind.man
+++ b/src/man/kadmind.man
@@ -50,24 +50,24 @@ kadmind starts the Kerberos administration server. kadmind typically
runs on the master Kerberos server, which stores the KDC database. If
the KDC database uses the LDAP module, the administration server and
the KDC server need not run on the same machine. kadmind accepts
-remote requests from programs such as \fIkadmin(1)\fP and
-\fIkpasswd(1)\fP to administer the information in these database.
+remote requests from programs such as kadmin(1) and
+kpasswd(1) to administer the information in these database.
.sp
kadmind requires a number of configuration files to be set up in order
for it to work:
.INDENT 0.0
.TP
-.B \fIkdc.conf(5)\fP
+.B kdc.conf(5)
The KDC configuration file contains configuration information for
the KDC and admin servers. kadmind uses settings in this file to
locate the Kerberos database, and is also affected by the
\fBacl_file\fP, \fBdict_file\fP, \fBkadmind_port\fP, and iprop\-related
settings.
.TP
-.B \fIkadm5.acl(5)\fP
+.B kadm5.acl(5)
kadmind\(aqs ACL (access control list) tells it which principals are
allowed to perform administration actions. The pathname to the
-ACL file can be specified with the \fBacl_file\fP \fIkdc.conf(5)\fP
+ACL file can be specified with the \fBacl_file\fP kdc.conf(5)
variable; by default, it is \fB at LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/kadm5.acl\fP\&.
.UNINDENT
.sp
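Review bot: two points in this hunk. First, the cross-references in the `.TP` tags keep their `.B` request (`-.B \fIkdc.conf(5)\fP` becomes `+.B kdc.conf(5)`, likewise for kadm5.acl(5)), so in kadmind's configuration-file list these references now render bold, whereas the inline reference on `+ACL file can be specified with the \fBacl_file\fP kdc.conf(5)` and every other cross-reference in this patch renders in roman; either drop the `.B` here as well or bold the references consistently. Second, the rewritten line `+kpasswd(1) to administer the information in these database.` carries a pre-existing grammar error ("these database"); since the line is being replaced anyway, change it to "this database" in the RST source.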
@@ -77,7 +77,7 @@ disassociates itself from its controlling terminal.
kadmind can be configured for incremental database propagation.
Incremental propagation allows slave KDC servers to receive principal
and policy updates incrementally instead of receiving full dumps of
-the database. This facility can be enabled in the \fIkdc.conf(5)\fP
+the database. This facility can be enabled in the kdc.conf(5)
file with the \fBiprop_enable\fP option. Incremental propagation
requires the principal \fBkiprop/MASTER\e at REALM\fP (where MASTER is the
master KDC\(aqs canonical host name, and REALM the realm name). In
@@ -86,62 +86,66 @@ into the datebase.
.SH OPTIONS
.INDENT 0.0
.TP
-.B \fB\-r\fP \fIrealm\fP
+\fB\-r\fP \fIrealm\fP
specifies the realm that kadmind will serve; if it is not
specified, the default realm of the host is used.
.TP
-.B \fB\-m\fP
+\fB\-m\fP
causes the master database password to be fetched from the
keyboard (before the server puts itself in the background, if not
invoked with the \fB\-nofork\fP option) rather than from a file on
disk.
.TP
-.B \fB\-nofork\fP
+\fB\-nofork\fP
causes the server to remain in the foreground and remain
associated to the terminal. In normal operation, you should allow
the server to place itself in the background.
.TP
-.B \fB\-proponly\fP
+\fB\-proponly\fP
causes the server to only listen and respond to Kerberos slave
incremental propagation polling requests. This option can be used
to set up a hierarchical propagation topology where a slave KDC
provides incremental updates to other Kerberos slaves.
.TP
-.B \fB\-port\fP \fIport\-number\fP
+\fB\-port\fP \fIport\-number\fP
specifies the port on which the administration server listens for
connections. The default port is determined by the
-\fBkadmind_port\fP configuration variable in \fIkdc.conf(5)\fP\&.
+\fBkadmind_port\fP configuration variable in kdc.conf(5)\&.
.TP
-.B \fB\-P\fP \fIpid_file\fP
+\fB\-P\fP \fIpid_file\fP
specifies the file to which the PID of kadmind process should be
written after it starts up. This file can be used to identify
whether kadmind is still running and to allow init scripts to stop
the correct process.
.TP
-.B \fB\-p\fP \fIkdb5_util_path\fP
+\fB\-p\fP \fIkdb5_util_path\fP
specifies the path to the kdb5_util command to use when dumping the
KDB in response to full resync requests when iprop is enabled.
.TP
-.B \fB\-K\fP \fIkprop_path\fP
+\fB\-K\fP \fIkprop_path\fP
specifies the path to the kprop command to use to send full dumps
to slaves in response to full resync requests.
.TP
-.B \fB\-k\fP \fIkprop_port\fP
+\fB\-k\fP \fIkprop_port\fP
specifies the port by which the kprop process that is spawned by kadmind
connects to the slave kpropd, in order to transfer the dump file during
an iprop full resync request.
.TP
-.B \fB\-F\fP \fIdump_file\fP
+\fB\-F\fP \fIdump_file\fP
specifies the file path to be used for dumping the KDB in response
to full resync requests when iprop is enabled.
.TP
-.B \fB\-x\fP \fIdb_args\fP
-specifies database\-specific arguments. See \fIDatabase Options\fP in \fIkadmin(1)\fP for supported arguments.
+\fB\-x\fP \fIdb_args\fP
+specifies database\-specific arguments. See Database Options in kadmin(1) for supported arguments.
.UNINDENT
+.SH ENVIRONMENT
+.sp
+See kerberos(7) for a description of Kerberos environment
+variables.
.SH SEE ALSO
.sp
-\fIkpasswd(1)\fP, \fIkadmin(1)\fP, \fIkdb5_util(8)\fP,
-\fIkdb5_ldap_util(8)\fP, \fIkadm5.acl(5)\fP
+kpasswd(1), kadmin(1), kdb5_util(8),
+kdb5_ldap_util(8), kadm5.acl(5), kerberos(7)
.SH AUTHOR
MIT
.SH COPYRIGHT
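Review bot: the unchanged context quoted in this hunk's header ("into the datebase") carries a typo for "database" in the paragraph just above OPTIONS; since the whole page is being regenerated, fix the source sentence in the same change.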
diff --git a/src/man/kdb5_ldap_util.man b/src/man/kdb5_ldap_util.man
index 0a0a99a..f8695d6 100644
--- a/src/man/kdb5_ldap_util.man
+++ b/src/man/kdb5_ldap_util.man
@@ -44,15 +44,15 @@ services and ticket policies.
.SH COMMAND-LINE OPTIONS
.INDENT 0.0
.TP
-.B \fB\-D\fP \fIuser_dn\fP
+\fB\-D\fP \fIuser_dn\fP
Specifies the Distinguished Name (DN) of the user who has
sufficient rights to perform the operation on the LDAP server.
.TP
-.B \fB\-w\fP \fIpasswd\fP
+\fB\-w\fP \fIpasswd\fP
Specifies the password of \fIuser_dn\fP\&. This option is not
recommended.
.TP
-.B \fB\-H\fP \fIldapuri\fP
+\fB\-H\fP \fIldapuri\fP
Specifies the URI of the LDAP server. It is recommended to use
\fBldapi://\fP or \fBldaps://\fP to connect to the LDAP server.
.UNINDENT
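Review bot: the `-w passwd` entry says only "This option is not recommended" without saying why; because the value is passed on the command line, state the risk explicitly, as the kdb5_util page in this same commit does for its `-P` option ("Using this option may expose the password to other users on the system via the process list"), and point the reader at `ldapi://` or an interactive prompt as the alternative.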
@@ -78,60 +78,60 @@ Specifies the URI of the LDAP server. It is recommended to use
Creates realm in directory. Options:
.INDENT 0.0
.TP
-.B \fB\-subtrees\fP \fIsubtree_dn_list\fP
+\fB\-subtrees\fP \fIsubtree_dn_list\fP
Specifies the list of subtrees containing the principals of a
realm. The list contains the DNs of the subtree objects separated
by colon (\fB:\fP).
.TP
-.B \fB\-sscope\fP \fIsearch_scope\fP
+\fB\-sscope\fP \fIsearch_scope\fP
Specifies the scope for searching the principals under the
subtree. The possible values are 1 or one (one level), 2 or sub
(subtrees).
.TP
-.B \fB\-containerref\fP \fIcontainer_reference_dn\fP
+\fB\-containerref\fP \fIcontainer_reference_dn\fP
Specifies the DN of the container object in which the principals
of a realm will be created. If the container reference is not
configured for a realm, the principals will be created in the
realm container.
.TP
-.B \fB\-k\fP \fImkeytype\fP
+\fB\-k\fP \fImkeytype\fP
Specifies the key type of the master key in the database. The
default is given by the \fBmaster_key_type\fP variable in
-\fIkdc.conf(5)\fP\&.
+kdc.conf(5)\&.
.TP
-.B \fB\-kv\fP \fImkeyVNO\fP
+\fB\-kv\fP \fImkeyVNO\fP
Specifies the version number of the master key in the database;
the default is 1. Note that 0 is not allowed.
.TP
-.B \fB\-m\fP
+\fB\-m\fP
Specifies that the master database password should be read from
the TTY rather than fetched from a file on the disk.
.TP
-.B \fB\-P\fP \fIpassword\fP
+\fB\-P\fP \fIpassword\fP
Specifies the master database password. This option is not
recommended.
.TP
-.B \fB\-r\fP \fIrealm\fP
+\fB\-r\fP \fIrealm\fP
Specifies the Kerberos realm of the database.
.TP
-.B \fB\-sf\fP \fIstashfilename\fP
+\fB\-sf\fP \fIstashfilename\fP
Specifies the stash file of the master database password.
.TP
-.B \fB\-s\fP
+\fB\-s\fP
Specifies that the stash file is to be created.
.TP
-.B \fB\-maxtktlife\fP \fImax_ticket_life\fP
-(\fIgetdate\fP string) Specifies maximum ticket life for
+\fB\-maxtktlife\fP \fImax_ticket_life\fP
+(getdate string) Specifies maximum ticket life for
principals in this realm.
.TP
-.B \fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP
-(\fIgetdate\fP string) Specifies maximum renewable life of
+\fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP
+(getdate string) Specifies maximum renewable life of
tickets for principals in this realm.
.TP
.B \fIticket_flags\fP
Specifies global ticket flags for the realm. Allowable flags are
documented in the description of the \fBadd_principal\fP command in
-\fIkadmin(1)\fP\&.
+kadmin(1)\&.
.UNINDENT
.sp
Example:
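Review bot: `-P password` is marked "not recommended" with no reason given; suggest the same wording kdb5_util uses for this option (a command-line password can be exposed to other users via the process list) and a pointer to `-m` as the alternative. The `-sscope` entry lists "1 or one" and "2 or sub" as accepted values but not which one applies when the option is omitted.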
@@ -169,35 +169,35 @@ Re\-enter KDC database master key to verify:
Modifies the attributes of a realm. Options:
.INDENT 0.0
.TP
-.B \fB\-subtrees\fP \fIsubtree_dn_list\fP
+\fB\-subtrees\fP \fIsubtree_dn_list\fP
Specifies the list of subtrees containing the principals of a
realm. The list contains the DNs of the subtree objects separated
by colon (\fB:\fP). This list replaces the existing list.
.TP
-.B \fB\-sscope\fP \fIsearch_scope\fP
+\fB\-sscope\fP \fIsearch_scope\fP
Specifies the scope for searching the principals under the
subtrees. The possible values are 1 or one (one level), 2 or sub
(subtrees).
.TP
-.B \fB\-containerref\fP \fIcontainer_reference_dn\fP Specifies the DN of the
+\fB\-containerref\fP \fIcontainer_reference_dn\fP Specifies the DN of the
container object in which the principals of a realm will be
created.
.TP
-.B \fB\-r\fP \fIrealm\fP
+\fB\-r\fP \fIrealm\fP
Specifies the Kerberos realm of the database.
.TP
-.B \fB\-maxtktlife\fP \fImax_ticket_life\fP
-(\fIgetdate\fP string) Specifies maximum ticket life for
+\fB\-maxtktlife\fP \fImax_ticket_life\fP
+(getdate string) Specifies maximum ticket life for
principals in this realm.
.TP
-.B \fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP
-(\fIgetdate\fP string) Specifies maximum renewable life of
+\fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP
+(getdate string) Specifies maximum renewable life of
tickets for principals in this realm.
.TP
.B \fIticket_flags\fP
Specifies global ticket flags for the realm. Allowable flags are
documented in the description of the \fBadd_principal\fP command in
-\fIkadmin(1)\fP\&.
+kadmin(1)\&.
.UNINDENT
.sp
Example:
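Review bot: in the `-containerref` entry the description text ("Specifies the DN of the") sits on the same line as the option tag after `.TP`, so roff renders it as part of the tag instead of as the indented paragraph; move it to the following line as every other entry in this list does. Dropping the `.B` prefix here did not fix that line break.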
@@ -225,7 +225,7 @@ shell%
Displays the attributes of a realm. Options:
.INDENT 0.0
.TP
-.B \fB\-r\fP \fIrealm\fP
+\fB\-r\fP \fIrealm\fP
Specifies the Kerberos realm of the database.
.UNINDENT
.sp
@@ -259,10 +259,10 @@ Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
Destroys an existing realm. Options:
.INDENT 0.0
.TP
-.B \fB\-f\fP
+\fB\-f\fP
If specified, will not prompt the user for confirmation.
.TP
-.B \fB\-r\fP \fIrealm\fP
+\fB\-r\fP \fIrealm\fP
Specifies the Kerberos realm of the database.
.UNINDENT
.sp
@@ -323,16 +323,16 @@ file so that KDC and Administration server can use it to authenticate
to the LDAP server. Options:
.INDENT 0.0
.TP
-.B \fB\-f\fP \fIfilename\fP
+\fB\-f\fP \fIfilename\fP
Specifies the complete path of the service password file. By
default, \fB/usr/local/var/service_passwd\fP is used.
.TP
.B \fIname\fP
Specifies the name of the object whose password is to be stored.
-If \fIkrb5kdc(8)\fP or \fIkadmind(8)\fP are configured for
+If krb5kdc(8) or kadmind(8) are configured for
simple binding, this should be the distinguished name it will
use as given by the \fBldap_kdc_dn\fP or \fBldap_kadmind_dn\fP
-variable in \fIkdc.conf(5)\fP\&. If the KDC or kadmind is
+variable in kdc.conf(5)\&. If the KDC or kadmind is
configured for SASL binding, this should be the authentication
name it will use as given by the \fBldap_kdc_sasl_authcid\fP or
\fBldap_kadmind_sasl_authcid\fP variable.
@@ -367,22 +367,22 @@ Re\-enter password for "cn=service\-kdc,o=org":
Creates a ticket policy in the directory. Options:
.INDENT 0.0
.TP
-.B \fB\-r\fP \fIrealm\fP
+\fB\-r\fP \fIrealm\fP
Specifies the Kerberos realm of the database.
.TP
-.B \fB\-maxtktlife\fP \fImax_ticket_life\fP
-(\fIgetdate\fP string) Specifies maximum ticket life for
+\fB\-maxtktlife\fP \fImax_ticket_life\fP
+(getdate string) Specifies maximum ticket life for
principals.
.TP
-.B \fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP
-(\fIgetdate\fP string) Specifies maximum renewable life of
+\fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP
+(getdate string) Specifies maximum renewable life of
tickets for principals.
.TP
.B \fIticket_flags\fP
Specifies the ticket flags. If this option is not specified, by
default, no restriction will be set by the policy. Allowable
flags are documented in the description of the \fBadd_principal\fP
-command in \fIkadmin(1)\fP\&.
+command in kadmin(1)\&.
.TP
.B \fIpolicy_name\fP
Specifies the name of the ticket policy.
@@ -479,10 +479,10 @@ Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
Destroys an existing ticket policy. Options:
.INDENT 0.0
.TP
-.B \fB\-r\fP \fIrealm\fP
+\fB\-r\fP \fIrealm\fP
Specifies the Kerberos realm of the database.
.TP
-.B \fB\-force\fP
+\fB\-force\fP
Forces the deletion of the policy object. If not specified, the
user will be prompted for confirmation before deleting the policy.
.TP
@@ -518,7 +518,7 @@ Lists the ticket policies in realm if specified or in the default
realm. Options:
.INDENT 0.0
.TP
-.B \fB\-r\fP \fIrealm\fP
+\fB\-r\fP \fIrealm\fP
Specifies the Kerberos realm of the database.
.UNINDENT
.sp
@@ -538,9 +538,13 @@ userpolicy
.fi
.UNINDENT
.UNINDENT
+.SH ENVIRONMENT
+.sp
+See kerberos(7) for a description of Kerberos environment
+variables.
.SH SEE ALSO
.sp
-\fIkadmin(1)\fP
+kadmin(1), kerberos(7)
.SH AUTHOR
MIT
.SH COPYRIGHT
diff --git a/src/man/kdb5_util.man b/src/man/kdb5_util.man
index 0c8478d..ddebd3b 100644
--- a/src/man/kdb5_util.man
+++ b/src/man/kdb5_util.man
@@ -36,10 +36,12 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
[\fB\-r\fP \fIrealm\fP]
[\fB\-d\fP \fIdbname\fP]
[\fB\-k\fP \fImkeytype\fP]
-[\fB\-M\fP \fImkeyname\fP]
[\fB\-kv\fP \fImkeyVNO\fP]
-[\fB\-sf\fP \fIstashfilename\fP]
+[\fB\-M\fP \fImkeyname\fP]
[\fB\-m\fP]
+[\fB\-sf\fP \fIstashfilename\fP]
+[\fB\-P\fP \fIpassword\fP]
+[\fB\-x\fP \fIdb_args\fP]
\fIcommand\fP [\fIcommand_options\fP]
.SH DESCRIPTION
.sp
@@ -58,42 +60,46 @@ commands.
.SH COMMAND-LINE OPTIONS
.INDENT 0.0
.TP
-.B \fB\-r\fP \fIrealm\fP
+\fB\-r\fP \fIrealm\fP
specifies the Kerberos realm of the database.
.TP
-.B \fB\-d\fP \fIdbname\fP
+\fB\-d\fP \fIdbname\fP
specifies the name under which the principal database is stored;
-by default the database is that listed in \fIkdc.conf(5)\fP\&. The
+by default the database is that listed in kdc.conf(5)\&. The
password policy database and lock files are also derived from this
value.
.TP
-.B \fB\-k\fP \fImkeytype\fP
+\fB\-k\fP \fImkeytype\fP
specifies the key type of the master key in the database. The
default is given by the \fBmaster_key_type\fP variable in
-\fIkdc.conf(5)\fP\&.
+kdc.conf(5)\&.
.TP
-.B \fB\-kv\fP \fImkeyVNO\fP
+\fB\-kv\fP \fImkeyVNO\fP
Specifies the version number of the master key in the database;
the default is 1. Note that 0 is not allowed.
.TP
-.B \fB\-M\fP \fImkeyname\fP
+\fB\-M\fP \fImkeyname\fP
principal name for the master key in the database. If not
specified, the name is determined by the \fBmaster_key_name\fP
-variable in \fIkdc.conf(5)\fP\&.
+variable in kdc.conf(5)\&.
.TP
-.B \fB\-m\fP
+\fB\-m\fP
specifies that the master database password should be read from
the keyboard rather than fetched from a file on disk.
.TP
-.B \fB\-sf\fP \fIstash_file\fP
+\fB\-sf\fP \fIstash_file\fP
specifies the stash filename of the master database password. If
not specified, the filename is determined by the
-\fBkey_stash_file\fP variable in \fIkdc.conf(5)\fP\&.
+\fBkey_stash_file\fP variable in kdc.conf(5)\&.
.TP
-.B \fB\-P\fP \fIpassword\fP
+\fB\-P\fP \fIpassword\fP
specifies the master database password. Using this option may
expose the password to other users on the system via the process
list.
+.TP
+\fB\-x\fP \fIdb_args\fP
+specifies database\-specific options. See kadmin(1) for
+supported options.
.UNINDENT
.SH COMMANDS
.SS create
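Review bot: the new `-x db_args` entry says "See kadmin(1) for supported options", whereas the kadmind page in this same commit says "See Database Options in kadmin(1)"; name the section here too so the reader can find it. Also, the `-sf` tag in this list reads `stash_file` while the synopsis above uses `stashfilename`; pick one name.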
@@ -126,13 +132,14 @@ the \fB\-f\fP argument, does not prompt the user.
.sp
Stores the master principal\(aqs keys in a stash file. The \fB\-f\fP
argument can be used to override the \fIkeyfile\fP specified in
-\fIkdc.conf(5)\fP\&.
+kdc.conf(5)\&.
.SS dump
.INDENT 0.0
.INDENT 3.5
-\fBdump\fP [\fB\-b7\fP|\fB\-ov\fP|\fB\-r13\fP] [\fB\-verbose\fP]
-[\fB\-mkey_convert\fP] [\fB\-new_mkey_file\fP \fImkey_file\fP] [\fB\-rev\fP]
-[\fB\-recurse\fP] [\fIfilename\fP [\fIprincipals\fP\&...]]
+\fBdump\fP [\fB\-b7\fP|\fB\-ov\fP|\fB\-r13\fP|\fB\-r18\fP]
+[\fB\-verbose\fP] [\fB\-mkey_convert\fP] [\fB\-new_mkey_file\fP
+\fImkey_file\fP] [\fB\-rev\fP] [\fB\-recurse\fP] [\fIfilename\fP
+[\fIprincipals\fP\&...]]
.UNINDENT
.UNINDENT
.sp
@@ -142,43 +149,43 @@ load_dump version 7". If filename is not specified, or is the string
"\-", the dump is sent to standard output. Options:
.INDENT 0.0
.TP
-.B \fB\-b7\fP
+\fB\-b7\fP
causes the dump to be in the Kerberos 5 Beta 7 format ("kdb5_util
load_dump version 4"). This was the dump format produced on
releases prior to 1.2.2.
.TP
-.B \fB\-ov\fP
+\fB\-ov\fP
causes the dump to be in "ovsec_adm_export" format.
.TP
-.B \fB\-r13\fP
+\fB\-r13\fP
causes the dump to be in the Kerberos 5 1.3 format ("kdb5_util
load_dump version 5"). This was the dump format produced on
releases prior to 1.8.
.TP
-.B \fB\-r18\fP
+\fB\-r18\fP
causes the dump to be in the Kerberos 5 1.8 format ("kdb5_util
load_dump version 6"). This was the dump format produced on
releases prior to 1.11.
.TP
-.B \fB\-verbose\fP
+\fB\-verbose\fP
causes the name of each principal and policy to be printed as it
is dumped.
.TP
-.B \fB\-mkey_convert\fP
+\fB\-mkey_convert\fP
prompts for a new master key. This new master key will be used to
re\-encrypt principal key data in the dumpfile. The principal keys
themselves will not be changed.
.TP
-.B \fB\-new_mkey_file\fP \fImkey_file\fP
+\fB\-new_mkey_file\fP \fImkey_file\fP
the filename of a stash file. The master key in this stash file
will be used to re\-encrypt the key data in the dumpfile. The key
data in the database will not be changed.
.TP
-.B \fB\-rev\fP
+\fB\-rev\fP
dumps in reverse order. This may recover principals that do not
dump normally, in cases where database corruption has occurred.
.TP
-.B \fB\-recurse\fP
+\fB\-recurse\fP
causes the dump to walk the database recursively (btree only).
This may recover principals that do not dump normally, in cases
where database corruption has occurred. In cases of such
@@ -196,8 +203,8 @@ doing a normal dump instead of a recursive traversal.
.SS load
.INDENT 0.0
.INDENT 3.5
-\fBload\fP [\fB\-b7\fP|\fB\-ov\fP|\fB\-r13\fP] [\fB\-hash\fP]
-[\fB\-verbose\fP] [\fB\-update\fP] \fIfilename\fP [\fIdbname\fP]
+\fBload\fP [\fB\-b7\fP|\fB\-ov\fP|\fB\-r13\fP|\fB\-r18\fP] [\fB\-hash\fP]
+[\fB\-verbose\fP] [\fB\-update\fP] \fIfilename\fP
.UNINDENT
.UNINDENT
.sp
@@ -212,44 +219,42 @@ database module, the \fB\-update\fP flag is required.
Options:
.INDENT 0.0
.TP
-.B \fB\-b7\fP
+\fB\-b7\fP
requires the database to be in the Kerberos 5 Beta 7 format
("kdb5_util load_dump version 4"). This was the dump format
produced on releases prior to 1.2.2.
.TP
-.B \fB\-ov\fP
+\fB\-ov\fP
requires the database to be in "ovsec_adm_import" format. Must be
used with the \fB\-update\fP option.
.TP
-.B \fB\-r13\fP
+\fB\-r13\fP
requires the database to be in Kerberos 5 1.3 format ("kdb5_util
load_dump version 5"). This was the dump format produced on
releases prior to 1.8.
.TP
-.B \fB\-r18\fP
+\fB\-r18\fP
requires the database to be in Kerberos 5 1.8 format ("kdb5_util
load_dump version 6"). This was the dump format produced on
releases prior to 1.11.
.TP
-.B \fB\-hash\fP
-requires the database to be stored as a hash. If this option is
-not specified, the database will be stored as a btree. This
-option is not recommended, as databases stored in hash format are
-known to corrupt data and lose principals.
+\fB\-hash\fP
+stores the database in hash format, if using the DB2 database
+type. If this option is not specified, the database will be
+stored in btree format. This option is not recommended, as
+databases stored in hash format are known to corrupt data and lose
+principals.
.TP
-.B \fB\-verbose\fP
+\fB\-verbose\fP
causes the name of each principal and policy to be printed as it
is dumped.
.TP
-.B \fB\-update\fP
+\fB\-update\fP
records from the dump file are added to or updated in the existing
database. Otherwise, a new database is created containing only
what is in the dump file and the old one destroyed upon successful
completion.
.UNINDENT
-.sp
-If specified, \fIdbname\fP overrides the value specified on the command
-line or the default.
.SS ark
.INDENT 0.0
.INDENT 3.5
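Review bot: the `-verbose` entry under `load` still says the names are printed "as it is dumped"; for this command it should read "as it is loaded". The rewritten `-hash` text is clearer about being specific to the DB2 back end, and removing the trailing "dbname overrides" paragraph is consistent with dropping `[dbname]` from the load synopsis.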
@@ -271,12 +276,12 @@ salt types to be used for the new keys.
Adds a new master key to the master key principal, but does not mark
it as active. Existing master keys will remain. The \fB\-e\fP option
specifies the encryption type of the new master key; see
-\fIEncryption_types\fP in \fIkdc.conf(5)\fP for a list of possible
+Encryption_types in kdc.conf(5) for a list of possible
values. The \fB\-s\fP option stashes the new master key in the stash
file, which will be created if it doesn\(aqt already exist.
.sp
After a new master key is added, it should be propagated to slave
-servers via a manual or periodic invocation of \fIkprop(8)\fP\&. Then,
+servers via a manual or periodic invocation of kprop(8)\&. Then,
the stash files on the slave servers should be updated with the
kdb5_util \fBstash\fP command. Once those steps are complete, the key
is ready to be marked active with the kdb5_util \fBuse_mkey\fP command.
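Review bot: with the italics removed, "Encryption_types in kdc.conf(5)" now exposes the underscore of what was a Sphinx reference label; the rendered man page should read "Encryption types" (the section title) instead.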
@@ -291,7 +296,7 @@ Sets the activation time of the master key specified by \fImkeyVNO\fP\&.
Once a master key becomes active, it will be used to encrypt newly
created principal keys. If no \fItime\fP argument is given, the current
time is used, causing the specified master key version to become
-active immediately. The format for \fItime\fP is \fIgetdate\fP string.
+active immediately. The format for \fItime\fP is getdate string.
.sp
After a new master key becomes active, the kdb5_util
\fBupdate_princ_encryption\fP command can be used to update all
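Review bot: "The format for time is getdate string" is missing an article; "is a getdate string" reads correctly and matches the "(getdate string)" phrasing used for the kdb5_ldap_util options elsewhere in this commit.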
@@ -305,7 +310,7 @@ principal keys to be encrypted in the new master key.
.sp
List all master keys, from most recent to earliest, in the master key
principal. The output will show the kvno, enctype, and salt type for
-each mkey, similar to the output of \fIkadmin(1)\fP \fBgetprinc\fP\&. A
+each mkey, similar to the output of kadmin(1) \fBgetprinc\fP\&. A
\fB*\fP following an mkey denotes the currently active master key.
.SS purge_mkeys
.INDENT 0.0
@@ -319,14 +324,14 @@ protect any principals. This command can be used to remove old master
keys all principal keys are protected by a newer master key.
.INDENT 0.0
.TP
-.B \fB\-f\fP
+\fB\-f\fP
does not prompt for confirmation.
.TP
-.B \fB\-n\fP
+\fB\-n\fP
performs a dry run, showing master keys that would be purged, but
not actually purging any keys.
.TP
-.B \fB\-v\fP
+\fB\-v\fP
gives more verbose output.
.UNINDENT
.SS update_princ_encryption
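Review bot: the sentence in this hunk's header context, "This command can be used to remove old master keys all principal keys are protected by a newer master key", is missing a connective such as "once" or "after" before "all principal keys". Given that a purge is irreversible, the `-n` entry is also a good place to recommend a dry run before purging for real.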
@@ -367,23 +372,23 @@ below).
Options:
.INDENT 0.0
.TP
-.B \fB\-H\fP
+\fB\-H\fP
suppress writing the field names in a header line
.TP
-.B \fB\-c\fP
+\fB\-c\fP
use comma separated values (CSV) format, with minimal quoting,
instead of the default tab\-separated (unquoted, unescaped) format
.TP
-.B \fB\-e\fP
+\fB\-e\fP
write empty hexadecimal string fields as empty fields instead of
as "\-1".
.TP
-.B \fB\-n\fP
+\fB\-n\fP
produce numeric output for fields that normally have symbolic
output, such as enctypes and flag names. Also requests output of
time stamps as decimal POSIX time_t values.
.TP
-.B \fB\-o\fP \fIoutfile\fP
+\fB\-o\fP \fIoutfile\fP
write the dump to the specified output file instead of to standard
output
.UNINDENT
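Review bot: the option descriptions in this list are inconsistently punctuated (`-H`, `-c` and `-o` have no terminating period; `-e` and `-n` do); pick one style for the list.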
@@ -391,38 +396,38 @@ output
Dump types:
.INDENT 0.0
.TP
-.B \fBkeydata\fP
+\fBkeydata\fP
principal encryption key information, including actual key data
(which is still encrypted in the master key)
.INDENT 7.0
.TP
-.B \fBname\fP
+\fBname\fP
principal name
.TP
-.B \fBkeyindex\fP
+\fBkeyindex\fP
index of this key in the principal\(aqs key list
.TP
-.B \fBkvno\fP
+\fBkvno\fP
key version number
.TP
-.B \fBenctype\fP
+\fBenctype\fP
encryption type
.TP
-.B \fBkey\fP
+\fBkey\fP
key data as a hexadecimal string
.TP
-.B \fBsalttype\fP
+\fBsalttype\fP
salt type
.TP
-.B \fBsalt\fP
+\fBsalt\fP
salt data as a hexadecimal string
.UNINDENT
.TP
-.B \fBkeyinfo\fP
+\fBkeyinfo\fP
principal encryption key information (as in \fBkeydata\fP above),
excluding actual key data
.TP
-.B \fBprinc_flags\fP
+\fBprinc_flags\fP
principal boolean attributes. Flag names print as hexadecimal
numbers if the \fB\-n\fP option is specified, and all flag positions
are printed regardless of whether or not they are set. If \fB\-n\fP
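Review bot: the `keydata` entry should state plainly that its output contains principal key material, so the tabdump output (or the `-o outfile`) needs the same protection as the database itself; "still encrypted in the master key" is only a partial mitigation, because anyone holding the stash file described above can decrypt it.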
@@ -431,93 +436,93 @@ but only print hexadecimal flag names if the corresponding flag is
set.
.INDENT 7.0
.TP
-.B \fBname\fP
+\fBname\fP
principal name
.TP
-.B \fBflag\fP
+\fBflag\fP
flag name
.TP
-.B \fBvalue\fP
+\fBvalue\fP
boolean value (0 for clear, or 1 for set)
.UNINDENT
.TP
-.B \fBprinc_lockout\fP
+\fBprinc_lockout\fP
state information used for tracking repeated password failures
.INDENT 7.0
.TP
-.B \fBname\fP
+\fBname\fP
principal name
.TP
-.B \fBlast_success\fP
+\fBlast_success\fP
time stamp of most recent successful authentication
.TP
-.B \fBlast_failed\fP
+\fBlast_failed\fP
time stamp of most recent failed authentication
.TP
-.B \fBfail_count\fP
+\fBfail_count\fP
count of failed attempts
.UNINDENT
.TP
-.B \fBprinc_meta\fP
+\fBprinc_meta\fP
principal metadata
.INDENT 7.0
.TP
-.B \fBname\fP
+\fBname\fP
principal name
.TP
-.B \fBmodby\fP
+\fBmodby\fP
name of last principal to modify this principal
.TP
-.B \fBmodtime\fP
+\fBmodtime\fP
timestamp of last modification
.TP
-.B \fBlastpwd\fP
+\fBlastpwd\fP
timestamp of last password change
.TP
-.B \fBpolicy\fP
+\fBpolicy\fP
policy object name
.TP
-.B \fBmkvno\fP
+\fBmkvno\fP
key version number of the master key that encrypts this
principal\(aqs key data
.TP
-.B \fBhist_kvno\fP
+\fBhist_kvno\fP
key version number of the history key that encrypts the key
history data for this principal
.UNINDENT
.TP
-.B \fBprinc_stringattrs\fP
+\fBprinc_stringattrs\fP
string attributes (key/value pairs)
.INDENT 7.0
.TP
-.B \fBname\fP
+\fBname\fP
principal name
.TP
-.B \fBkey\fP
+\fBkey\fP
attribute name
.TP
-.B \fBvalue\fP
+\fBvalue\fP
attribute value
.UNINDENT
.TP
-.B \fBprinc_tktpolicy\fP
+\fBprinc_tktpolicy\fP
per\-principal ticket policy data, including maximum ticket
lifetimes
.INDENT 7.0
.TP
-.B \fBname\fP
+\fBname\fP
principal name
.TP
-.B \fBexpiration\fP
+\fBexpiration\fP
principal expiration date
.TP
-.B \fBpw_expiration\fP
+\fBpw_expiration\fP
password expiration date
.TP
-.B \fBmax_life\fP
+\fBmax_life\fP
maximum ticket lifetime
.TP
-.B \fBmax_renew_life\fP
+\fBmax_renew_life\fP
maximum renewable ticket lifetime
.UNINDENT
.UNINDENT
@@ -546,9 +551,13 @@ bar at EXAMPLE.COM 1 1 des\-cbc\-crc normal \-1
.fi
.UNINDENT
.UNINDENT
+.SH ENVIRONMENT
+.sp
+See kerberos(7) for a description of Kerberos environment
+variables.
.SH SEE ALSO
.sp
-\fIkadmin(1)\fP
+kadmin(1), kerberos(7)
.SH AUTHOR
MIT
.SH COPYRIGHT
diff --git a/src/man/kdc.conf.man b/src/man/kdc.conf.man
index f6bdc62..2eda6aa 100644
--- a/src/man/kdc.conf.man
+++ b/src/man/kdc.conf.man
@@ -31,9 +31,9 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
.sp
-The kdc.conf file supplements \fIkrb5.conf(5)\fP for programs which
-are typically only used on a KDC, such as the \fIkrb5kdc(8)\fP and
-\fIkadmind(8)\fP daemons and the \fIkdb5_util(8)\fP program.
+The kdc.conf file supplements krb5.conf(5) for programs which
+are typically only used on a KDC, such as the krb5kdc(8) and
+kadmind(8) daemons and the kdb5_util(8) program.
Relations documented here may also be specified in krb5.conf; for the
KDC programs mentioned, krb5.conf and kdc.conf will be merged into a
single configuration profile.
@@ -47,7 +47,7 @@ changes to take effect.
.SH STRUCTURE
.sp
The kdc.conf file is set up in the same format as the
-\fIkrb5.conf(5)\fP file.
+krb5.conf(5) file.
.SH SECTIONS
.sp
The kdc.conf file may contain the following sections:
@@ -110,11 +110,11 @@ subsection does not contain a relation for the tag. See the
.UNINDENT
.INDENT 0.0
.TP
-.B \fBkdc_max_dgram_reply_size\fP
+\fBkdc_max_dgram_reply_size\fP
Specifies the maximum packet size that can be sent over UDP. The
default value is 4096 bytes.
.TP
-.B \fBkdc_tcp_listen_backlog\fP
+\fBkdc_tcp_listen_backlog\fP
(Integer.) Set the size of the listen queue length for the KDC
daemon. The value may be limited by OS settings. The default
value is 5.
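Review bot: "Set the size of the listen queue length" is redundant; "Sets the length of the listen queue" is enough, and "Specifies" would match the verb used by the neighbouring entries.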
@@ -142,33 +142,33 @@ to define one parameter for the ATHENA.MIT.EDU realm:
The following tags may be specified in a [realms] subsection:
.INDENT 0.0
.TP
-.B \fBacl_file\fP
+\fBacl_file\fP
(String.) Location of the access control list file that
-\fIkadmind(8)\fP uses to determine which principals are allowed
+kadmind(8) uses to determine which principals are allowed
which permissions on the Kerberos database. To operate without an
ACL file, set this relation to the empty string with \fBacl_file =
""\fP\&. The default value is \fB at LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/kadm5.acl\fP\&. For more
-information on Kerberos ACL file see \fIkadm5.acl(5)\fP\&.
+information on Kerberos ACL file see kadm5.acl(5)\&.
.TP
-.B \fBdatabase_module\fP
+\fBdatabase_module\fP
(String.) This relation indicates the name of the configuration
section under \fI\%[dbmodules]\fP for database\-specific parameters
used by the loadable database library. The default value is the
realm name. If this configuration section does not exist, default
values will be used for all database parameters.
.TP
-.B \fBdatabase_name\fP
+\fBdatabase_name\fP
(String, deprecated.) This relation specifies the location of the
Kerberos database for this realm, if the DB2 module is being used
and the \fI\%[dbmodules]\fP configuration section does not specify a
database name. The default value is \fB at LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/principal\fP\&.
.TP
-.B \fBdefault_principal_expiration\fP
-(\fIabstime\fP string.) Specifies the default expiration date of
+\fBdefault_principal_expiration\fP
+(abstime string.) Specifies the default expiration date of
principals created in this realm. The default value is 0, which
means no expiration date.
.TP
-.B \fBdefault_principal_flags\fP
+\fBdefault_principal_flags\fP
(Flag string.) Specifies the default attributes of principals
created in this realm. The format for this string is a
comma\-separated list of flags, with \(aq+\(aq before each flag that
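Review bot: the `acl_file` entry explains how to operate without an ACL file (`acl_file = ""`) but not what authorization kadmind applies in that case; since this setting decides who may administer the database, say explicitly what an empty ACL means. Minor: "For more information on Kerberos ACL file" is missing "the".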
@@ -180,42 +180,42 @@ disabled. The \fBpostdateable\fP, \fBforwardable\fP, \fBtgt\-based\fP,
There are a number of possible flags:
.INDENT 7.0
.TP
-.B \fBallow\-tickets\fP
+\fBallow\-tickets\fP
Enabling this flag means that the KDC will issue tickets for
this principal. Disabling this flag essentially deactivates
the principal within this realm.
.TP
-.B \fBdup\-skey\fP
+\fBdup\-skey\fP
Enabling this flag allows the principal to obtain a session
key for another user, permitting user\-to\-user authentication
for this principal.
.TP
-.B \fBforwardable\fP
+\fBforwardable\fP
Enabling this flag allows the principal to obtain forwardable
tickets.
.TP
-.B \fBhwauth\fP
+\fBhwauth\fP
If this flag is enabled, then the principal is required to
preauthenticate using a hardware device before receiving any
tickets.
.TP
-.B \fBno\-auth\-data\-required\fP
+\fBno\-auth\-data\-required\fP
Enabling this flag prevents PAC or AD\-SIGNEDPATH data from
being added to service tickets for the principal.
.TP
-.B \fBok\-as\-delegate\fP
+\fBok\-as\-delegate\fP
If this flag is enabled, it hints the client that credentials
can and should be delegated when authenticating to the
service.
.TP
-.B \fBok\-to\-auth\-as\-delegate\fP
+\fBok\-to\-auth\-as\-delegate\fP
Enabling this flag allows the principal to use S4USelf tickets.
.TP
-.B \fBpostdateable\fP
+\fBpostdateable\fP
Enabling this flag allows the principal to obtain postdateable
tickets.
.TP
-.B \fBpreauth\fP
+\fBpreauth\fP
If this flag is enabled on a client principal, then that
principal is required to preauthenticate to the KDC before
receiving any tickets. On a service principal, enabling this
@@ -223,15 +223,15 @@ flag means that service tickets for this principal will only
be issued to clients with a TGT that has the preauthenticated
bit set.
.TP
-.B \fBproxiable\fP
+\fBproxiable\fP
Enabling this flag allows the principal to obtain proxy
tickets.
.TP
-.B \fBpwchange\fP
+\fBpwchange\fP
Enabling this flag forces a password change for this
principal.
.TP
-.B \fBpwservice\fP
+\fBpwservice\fP
If this flag is enabled, it marks this principal as a password
change service. This should only be used in special cases,
for example, if a user\(aqs password has expired, then the user
@@ -239,54 +239,54 @@ has to get tickets for that principal without going through
the normal password authentication in order to be able to
change the password.
.TP
-.B \fBrenewable\fP
+\fBrenewable\fP
Enabling this flag allows the principal to obtain renewable
tickets.
.TP
-.B \fBservice\fP
+\fBservice\fP
Enabling this flag allows the the KDC to issue service tickets
for this principal.
.TP
-.B \fBtgt\-based\fP
+\fBtgt\-based\fP
Enabling this flag allows a principal to obtain tickets based
on a ticket\-granting\-ticket, rather than repeating the
authentication process that was used to obtain the TGT.
.UNINDENT
.TP
-.B \fBdict_file\fP
+\fBdict_file\fP
(String.) Location of the dictionary file containing strings that
are not allowed as passwords. The file should contain one string
per line, with no additional whitespace. If none is specified or
if there is no policy assigned to the principal, no dictionary
checks of passwords will be performed.
.TP
-.B \fBencrypted_challenge_indicator\fP
+\fBencrypted_challenge_indicator\fP
(String.) Specifies the authentication indicator value that the KDC
asserts into tickets obtained using FAST encrypted challenge
pre\-authentication. New in 1.16.
.TP
-.B \fBhost_based_services\fP
+\fBhost_based_services\fP
(Whitespace\- or comma\-separated list.) Lists services which will
get host\-based referral processing even if the server principal is
not marked as host\-based by the client.
.TP
-.B \fBiprop_enable\fP
+\fBiprop_enable\fP
(Boolean value.) Specifies whether incremental database
propagation is enabled. The default value is false.
.TP
-.B \fBiprop_master_ulogsize\fP
+\fBiprop_master_ulogsize\fP
(Integer.) Specifies the maximum number of log entries to be
retained for incremental propagation. The default value is 1000.
Prior to release 1.11, the maximum value was 2500.
.TP
-.B \fBiprop_slave_poll\fP
+\fBiprop_slave_poll\fP
(Delta time string.) Specifies how often the slave KDC polls for
new updates from the master. The default value is \fB2m\fP (that
is, two minutes).
.TP
-.B \fBiprop_listen\fP
+\fBiprop_listen\fP
(Whitespace\- or comma\-separated list.) Specifies the iprop RPC
-listening addresses and/or ports for the \fIkadmind(8)\fP daemon.
+listening addresses and/or ports for the kadmind(8) daemon.
Each entry may be an interface address, a port number, or an
address and port number separated by a colon. If the address
contains colons, enclose it in square brackets. If no address is
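Review bot: the `service` flag description has a doubled word, "allows the the KDC"; fix it in the source while this page is being regenerated.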
@@ -296,22 +296,22 @@ default (when \fBiprop_enable\fP is true) is to bind to the wildcard
address at the port specified in \fBiprop_port\fP\&. New in release
1.15.
.TP
-.B \fBiprop_port\fP
+\fBiprop_port\fP
(Port number.) Specifies the port number to be used for
incremental propagation. When \fBiprop_enable\fP is true, this
relation is required in the slave configuration file, and this
relation or \fBiprop_listen\fP is required in the master
configuration file, as there is no default port number. Port
numbers specified in \fBiprop_listen\fP entries will override this
-port number for the \fIkadmind(8)\fP daemon.
+port number for the kadmind(8) daemon.
.TP
-.B \fBiprop_resync_timeout\fP
+\fBiprop_resync_timeout\fP
(Delta time string.) Specifies the amount of time to wait for a
full propagation to complete. This is optional in configuration
files, and is used by slave KDCs only. The default value is 5
minutes (\fB5m\fP). New in release 1.11.
.TP
-.B \fBiprop_logfile\fP
+\fBiprop_logfile\fP
(File name.) Specifies where the update log file for the realm
database is to be stored. The default is to use the
\fBdatabase_name\fP entry from the realms section of the krb5 config
@@ -322,9 +322,9 @@ back end is being used, or the file name is specified in the
\fBdatabase_name\fP is used. Determination of the \fBiprop_logfile\fP
default value will not use values from the [dbmodules] section.)
.TP
-.B \fBkadmind_listen\fP
+\fBkadmind_listen\fP
(Whitespace\- or comma\-separated list.) Specifies the kadmin RPC
-listening addresses and/or ports for the \fIkadmind(8)\fP daemon.
+listening addresses and/or ports for the kadmind(8) daemon.
Each entry may be an interface address, a port number, or an
address and port number separated by a colon. If the address
contains colons, enclose it in square brackets. If no address is
@@ -334,19 +334,19 @@ default is to bind to the wildcard address at the port specified
in \fBkadmind_port\fP, or the standard kadmin port (749). New in
release 1.15.
.TP
-.B \fBkadmind_port\fP
-(Port number.) Specifies the port on which the \fIkadmind(8)\fP
+\fBkadmind_port\fP
+(Port number.) Specifies the port on which the kadmind(8)
daemon is to listen for this realm. Port numbers specified in
\fBkadmind_listen\fP entries will override this port number. The
assigned port for kadmind is 749, which is used by default.
.TP
-.B \fBkey_stash_file\fP
+\fBkey_stash_file\fP
(String.) Specifies the location where the master key has been
stored (via kdb5_util stash). The default is \fB at LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/.k5.REALM\fP, where \fIREALM\fP is the Kerberos realm.
.TP
-.B \fBkdc_listen\fP
+\fBkdc_listen\fP
(Whitespace\- or comma\-separated list.) Specifies the UDP
-listening addresses and/or ports for the \fIkrb5kdc(8)\fP daemon.
+listening addresses and/or ports for the krb5kdc(8) daemon.
Each entry may be an interface address, a port number, or an
address and port number separated by a colon. If the address
contains colons, enclose it in square brackets. If no address is
@@ -356,16 +356,16 @@ to any of the specified addresses, it will fail to start. The
default is to bind to the wildcard address on the standard port.
New in release 1.15.
.TP
-.B \fBkdc_ports\fP
+\fBkdc_ports\fP
(Whitespace\- or comma\-separated list, deprecated.) Prior to
release 1.15, this relation lists the ports for the
-\fIkrb5kdc(8)\fP daemon to listen on for UDP requests. In
+krb5kdc(8) daemon to listen on for UDP requests. In
release 1.15 and later, it has the same meaning as \fBkdc_listen\fP
if that relation is not defined.
.TP
-.B \fBkdc_tcp_listen\fP
+\fBkdc_tcp_listen\fP
(Whitespace\- or comma\-separated list.) Specifies the TCP
-listening addresses and/or ports for the \fIkrb5kdc(8)\fP daemon.
+listening addresses and/or ports for the krb5kdc(8) daemon.
Each entry may be an interface address, a port number, or an
address and port number separated by a colon. If the address
contains colons, enclose it in square brackets. If no address is
@@ -376,16 +376,16 @@ If the KDC daemon fails to bind to any of the specified addresses,
it will fail to start. The default is to bind to the wildcard
address on the standard port. New in release 1.15.
.TP
-.B \fBkdc_tcp_ports\fP
+\fBkdc_tcp_ports\fP
(Whitespace\- or comma\-separated list, deprecated.) Prior to
release 1.15, this relation lists the ports for the
-\fIkrb5kdc(8)\fP daemon to listen on for UDP requests. In
+krb5kdc(8) daemon to listen on for UDP requests. In
release 1.15 and later, it has the same meaning as
\fBkdc_tcp_listen\fP if that relation is not defined.
.TP
-.B \fBkpasswd_listen\fP
+\fBkpasswd_listen\fP
(Comma\-separated list.) Specifies the kpasswd listening addresses
-and/or ports for the \fIkadmind(8)\fP daemon. Each entry may be
+and/or ports for the kadmind(8) daemon. Each entry may be
an interface address, a port number, or an address and port number
separated by a colon. If the address contains colons, enclose it
in square brackets. If no address is specified, the wildcard
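Review bot: the kdc_tcp_ports description kept on the "+" line still says "daemon to listen on for UDP requests", which is copied from the kdc_ports entry above; since this relation is the TCP counterpart (it falls back to kdc_tcp_listen, not kdc_listen), the line should read "TCP requests". Suggest changing "+krb5kdc(8) daemon to listen on for UDP requests. In" to "+krb5kdc(8) daemon to listen on for TCP requests. In" in the reStructuredText source while this entry is being regenerated anyway.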
@@ -394,51 +394,51 @@ addresses, it will fail to start. The default is to bind to the
wildcard address at the port specified in \fBkpasswd_port\fP, or the
standard kpasswd port (464). New in release 1.15.
.TP
-.B \fBkpasswd_port\fP
-(Port number.) Specifies the port on which the \fIkadmind(8)\fP
+\fBkpasswd_port\fP
+(Port number.) Specifies the port on which the kadmind(8)
daemon is to listen for password change requests for this realm.
Port numbers specified in \fBkpasswd_listen\fP entries will override
this port number. The assigned port for password change requests
is 464, which is used by default.
.TP
-.B \fBmaster_key_name\fP
+\fBmaster_key_name\fP
(String.) Specifies the name of the principal associated with the
master key. The default is \fBK/M\fP\&.
.TP
-.B \fBmaster_key_type\fP
+\fBmaster_key_type\fP
(Key type string.) Specifies the master key\(aqs key type. The
default value for this is \fBaes256\-cts\-hmac\-sha1\-96\fP\&. For a list of all possible
values, see \fI\%Encryption types\fP\&.
.TP
-.B \fBmax_life\fP
-(\fIduration\fP string.) Specifies the maximum time period for
+\fBmax_life\fP
+(duration string.) Specifies the maximum time period for
which a ticket may be valid in this realm. The default value is
24 hours.
.TP
-.B \fBmax_renewable_life\fP
-(\fIduration\fP string.) Specifies the maximum time period
+\fBmax_renewable_life\fP
+(duration string.) Specifies the maximum time period
during which a valid ticket may be renewed in this realm.
The default value is 0.
.TP
-.B \fBno_host_referral\fP
+\fBno_host_referral\fP
(Whitespace\- or comma\-separated list.) Lists services to block
from getting host\-based referral processing, even if the client
marks the server principal as host\-based or the service is also
listed in \fBhost_based_services\fP\&. \fBno_host_referral = *\fP will
disable referral processing altogether.
.TP
-.B \fBdes_crc_session_supported\fP
+\fBdes_crc_session_supported\fP
(Boolean value). If set to true, the KDC will assume that service
principals support des\-cbc\-crc for session key enctype negotiation
-purposes. If \fBallow_weak_crypto\fP in \fIlibdefaults\fP is
+purposes. If \fBallow_weak_crypto\fP in libdefaults is
false, or if des\-cbc\-crc is not a permitted enctype, then this
variable has no effect. Defaults to true. New in release 1.11.
.TP
-.B \fBreject_bad_transit\fP
+\fBreject_bad_transit\fP
(Boolean value.) If set to true, the KDC will check the list of
transited realms for cross\-realm tickets against the transit path
computed from the realm names and the capaths section of its
-\fIkrb5.conf(5)\fP file; if the path in the ticket to be issued
+krb5.conf(5) file; if the path in the ticket to be issued
contains any realms not in the computed path, the ticket will not
be issued, and an error will be returned to the client instead.
If this value is set to false, such tickets will be issued
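Review bot: "(Boolean value)." on the des_crc_session_supported entry puts the period outside the parentheses, unlike every other entry in this section ("(Boolean value.)"); the page header notes these files are generated from reStructuredText, so the fix belongs in the source rather than in the .man output, otherwise the next regeneration reintroduces it.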
@@ -455,7 +455,7 @@ only to TGS requests.
.sp
The default value is true.
.TP
-.B \fBrestrict_anonymous_to_tgt\fP
+\fBrestrict_anonymous_to_tgt\fP
(Boolean value.) If set to true, the KDC will reject ticket
requests from anonymous principals to service principals other
than the realm\(aqs ticket\-granting service. This option allows
@@ -463,10 +463,10 @@ anonymous PKINIT to be enabled for use as FAST armor tickets
without allowing anonymous authentication to services. The
default value is false. New in release 1.9.
.TP
-.B \fBsupported_enctypes\fP
+\fBsupported_enctypes\fP
(List of \fIkey\fP:\fIsalt\fP strings.) Specifies the default key/salt
combinations of principals for this realm. Any principals created
-through \fIkadmin(1)\fP will have keys of these types. The
+through kadmin(1) will have keys of these types. The
default value for this tag is \fBaes256\-cts\-hmac\-sha1\-96:normal aes128\-cts\-hmac\-sha1\-96:normal des3\-cbc\-sha1:normal arcfour\-hmac\-md5:normal\fP\&. For lists of
possible values, see \fI\%Keysalt lists\fP\&.
.UNINDENT
@@ -530,16 +530,16 @@ define one database parameter for the ATHENA.MIT.EDU realm:
The following tags may be specified in a [dbmodules] subsection:
.INDENT 0.0
.TP
-.B \fBdatabase_name\fP
+\fBdatabase_name\fP
This DB2\-specific tag indicates the location of the database in
the filesystem. The default is \fB at LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/principal\fP\&.
.TP
-.B \fBdb_library\fP
+\fBdb_library\fP
This tag indicates the name of the loadable database module. The
value should be \fBdb2\fP for the DB2 module and \fBkldap\fP for the
LDAP module.
.TP
-.B \fBdisable_last_success\fP
+\fBdisable_last_success\fP
If set to \fBtrue\fP, suppresses KDC updates to the "Last successful
authentication" field of principal entries requiring
preauthentication. Setting this flag may improve performance.
@@ -547,21 +547,21 @@ preauthentication. Setting this flag may improve performance.
update the "Last successful authentication" field.). First
introduced in release 1.9.
.TP
-.B \fBdisable_lockout\fP
+\fBdisable_lockout\fP
If set to \fBtrue\fP, suppresses KDC updates to the "Last failed
authentication" and "Failed password attempts" fields of principal
entries requiring preauthentication. Setting this flag may
improve performance, but also disables account lockout. First
introduced in release 1.9.
.TP
-.B \fBldap_conns_per_server\fP
+\fBldap_conns_per_server\fP
This LDAP\-specific tag indicates the number of connections to be
maintained per LDAP server.
.TP
-.B \fBldap_kdc_dn\fP and \fBldap_kadmind_dn\fP
+\fBldap_kdc_dn\fP and \fBldap_kadmind_dn\fP
These LDAP\-specific tags indicate the default DN for binding to
-the LDAP server. The \fIkrb5kdc(8)\fP daemon uses
-\fBldap_kdc_dn\fP, while the \fIkadmind(8)\fP daemon and other
+the LDAP server. The krb5kdc(8) daemon uses
+\fBldap_kdc_dn\fP, while the kadmind(8) daemon and other
administrative programs use \fBldap_kadmind_dn\fP\&. The kadmind DN
must have the rights to read and write the Kerberos data in the
LDAP database. The KDC DN must have the same rights, unless
@@ -570,12 +570,12 @@ which case it only needs to have rights to read the Kerberos data.
These tags are ignored if a SASL mechanism is set with
\fBldap_kdc_sasl_mech\fP or \fBldap_kadmind_sasl_mech\fP\&.
.TP
-.B \fBldap_kdc_sasl_mech\fP and \fBldap_kadmind_sasl_mech\fP
+\fBldap_kdc_sasl_mech\fP and \fBldap_kadmind_sasl_mech\fP
These LDAP\-specific tags specify the SASL mechanism (such as
\fBEXTERNAL\fP) to use when binding to the LDAP server. New in
release 1.13.
.TP
-.B \fBldap_kdc_sasl_authcid\fP and \fBldap_kadmind_sasl_authcid\fP
+\fBldap_kdc_sasl_authcid\fP and \fBldap_kadmind_sasl_authcid\fP
These LDAP\-specific tags specify the SASL authentication identity
to use when binding to the LDAP server. Not all SASL mechanisms
require an authentication identity. If the SASL mechanism
@@ -584,35 +584,35 @@ tags also determine the name within the
\fBldap_service_password_file\fP where the secret is stashed. New
in release 1.13.
.TP
-.B \fBldap_kdc_sasl_authzid\fP and \fBldap_kadmind_sasl_authzid\fP
+\fBldap_kdc_sasl_authzid\fP and \fBldap_kadmind_sasl_authzid\fP
These LDAP\-specific tags specify the SASL authorization identity
to use when binding to the LDAP server. In most circumstances
they do not need to be specified. New in release 1.13.
.TP
-.B \fBldap_kdc_sasl_realm\fP and \fBldap_kadmind_sasl_realm\fP
+\fBldap_kdc_sasl_realm\fP and \fBldap_kadmind_sasl_realm\fP
These LDAP\-specific tags specify the SASL realm to use when
binding to the LDAP server. In most circumstances they do not
need to be set. New in release 1.13.
.TP
-.B \fBldap_kerberos_container_dn\fP
+\fBldap_kerberos_container_dn\fP
This LDAP\-specific tag indicates the DN of the container object
where the realm objects will be located.
.TP
-.B \fBldap_servers\fP
+\fBldap_servers\fP
This LDAP\-specific tag indicates the list of LDAP servers that the
Kerberos servers can connect to. The list of LDAP servers is
whitespace\-separated. The LDAP server is specified by a LDAP URI.
It is recommended to use \fBldapi:\fP or \fBldaps:\fP URLs to connect
to the LDAP server.
.TP
-.B \fBldap_service_password_file\fP
+\fBldap_service_password_file\fP
This LDAP\-specific tag indicates the file containing the stashed
passwords (created by \fBkdb5_ldap_util stashsrvpw\fP) for the
\fBldap_kdc_dn\fP and \fBldap_kadmind_dn\fP objects, or for the
\fBldap_kdc_sasl_authcid\fP or \fBldap_kadmind_sasl_authcid\fP names
for SASL authentication. This file must be kept secure.
.TP
-.B \fBunlockiter\fP
+\fBunlockiter\fP
If set to \fBtrue\fP, this DB2\-specific tag causes iteration
operations to release the database lock while processing each
principal. Setting this flag to \fBtrue\fP can prevent extended
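Review bot: "The LDAP server is specified by a LDAP URI." in the ldap_servers entry should read "an LDAP URI"; it is a pre-existing wording slip, but this hunk already touches the entry's tag line, so it is a cheap fix to carry in the reStructuredText source.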
@@ -624,28 +624,28 @@ The following tag may be specified directly in the [dbmodules]
section to control where database modules are loaded from:
.INDENT 0.0
.TP
-.B \fBdb_module_dir\fP
+\fBdb_module_dir\fP
This tag controls where the plugin system looks for database
modules. The value should be an absolute path.
.UNINDENT
.SS [logging]
.sp
-The [logging] section indicates how \fIkrb5kdc(8)\fP and
-\fIkadmind(8)\fP perform logging. It may contain the following
+The [logging] section indicates how krb5kdc(8) and
+kadmind(8) perform logging. It may contain the following
relations:
.INDENT 0.0
.TP
-.B \fBadmin_server\fP
-Specifies how \fIkadmind(8)\fP performs logging.
+\fBadmin_server\fP
+Specifies how kadmind(8) performs logging.
.TP
-.B \fBkdc\fP
-Specifies how \fIkrb5kdc(8)\fP performs logging.
+\fBkdc\fP
+Specifies how krb5kdc(8) performs logging.
.TP
-.B \fBdefault\fP
+\fBdefault\fP
Specifies how either daemon performs logging in the absence of
relations specific to the daemon.
.TP
-.B \fBdebug\fP
+\fBdebug\fP
(Boolean value.) Specifies whether debugging messages are
included in log outputs other than SYSLOG. Debugging messages are
always included in the system log output because syslog performs
@@ -656,24 +656,24 @@ release 1.15.
Logging specifications may have the following forms:
.INDENT 0.0
.TP
-.B \fBFILE=\fP\fIfilename\fP or \fBFILE:\fP\fIfilename\fP
+\fBFILE=\fP\fIfilename\fP or \fBFILE:\fP\fIfilename\fP
This value causes the daemon\(aqs logging messages to go to the
\fIfilename\fP\&. If the \fB=\fP form is used, the file is overwritten.
If the \fB:\fP form is used, the file is appended to.
.TP
-.B \fBSTDERR\fP
+\fBSTDERR\fP
This value causes the daemon\(aqs logging messages to go to its
standard error stream.
.TP
-.B \fBCONSOLE\fP
+\fBCONSOLE\fP
This value causes the daemon\(aqs logging messages to go to the
console, if the system supports it.
.TP
-.B \fBDEVICE=\fP\fI<devicename>\fP
+\fBDEVICE=\fP\fI<devicename>\fP
This causes the daemon\(aqs logging messages to go to the specified
device.
.TP
-.B \fBSYSLOG\fP[\fB:\fP\fIseverity\fP[\fB:\fP\fIfacility\fP]]
+\fBSYSLOG\fP[\fB:\fP\fIseverity\fP[\fB:\fP\fIfacility\fP]]
This causes the daemon\(aqs logging messages to go to the system log.
.sp
The severity argument specifies the default severity of system log
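Review bot: the DEVICE form writes its placeholder as \fI<devicename>\fP while the FILE forms use \fIfilename\fP without angle brackets, so the rendered list mixes two placeholder conventions; dropping the angle brackets from devicename (or adding them to filename) would make the logging specifications consistent.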
@@ -720,13 +720,13 @@ One Time Password request to a RADIUS server.
For each token type, the following tags may be specified:
.INDENT 0.0
.TP
-.B \fBserver\fP
+\fBserver\fP
This is the server to send the RADIUS request to. It can be a
hostname with optional port, an ip address with optional port, or
a Unix domain socket address. The default is
\fB at LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/<name>.socket\fP\&.
.TP
-.B \fBsecret\fP
+\fBsecret\fP
This tag indicates a filename (which may be relative to \fB at LOCALSTATEDIR@\fP\fB/krb5kdc\fP)
containing the secret used to encrypt the RADIUS packets. The
secret should appear in the first line of the file by itself;
@@ -735,22 +735,22 @@ the value of \fBserver\fP is a Unix domain socket address, this tag
is optional, and an empty secret will be used if it is not
specified. Otherwise, this tag is required.
.TP
-.B \fBtimeout\fP
+\fBtimeout\fP
An integer which specifies the time in seconds during which the
KDC should attempt to contact the RADIUS server. This tag is the
total time across all retries and should be less than the time
which an OTP value remains valid for. The default is 5 seconds.
.TP
-.B \fBretries\fP
+\fBretries\fP
This tag specifies the number of retries to make to the RADIUS
server. The default is 3 retries (4 tries).
.TP
-.B \fBstrip_realm\fP
+\fBstrip_realm\fP
If this tag is \fBtrue\fP, the principal without the realm will be
passed to the RADIUS server. Otherwise, the realm will be
included. The default value is \fBtrue\fP\&.
.TP
-.B \fBindicator\fP
+\fBindicator\fP
This tag specifies an authentication indicator to be included in
the ticket if this token type is used to authenticate. This
option may be specified multiple times. (New in release 1.14.)
@@ -836,21 +836,21 @@ generic value in the [kdcdefaults] section:
.UNINDENT
.sp
For information about the syntax of some of these options, see
-\fISpecifying PKINIT identity information\fP in
-\fIkrb5.conf(5)\fP\&.
+Specifying PKINIT identity information in
+krb5.conf(5)\&.
.INDENT 0.0
.TP
-.B \fBpkinit_anchors\fP
+\fBpkinit_anchors\fP
Specifies the location of trusted anchor (root) certificates which
the KDC trusts to sign client certificates. This option is
required if pkinit is to be supported by the KDC. This option may
be specified multiple times.
.TP
-.B \fBpkinit_dh_min_bits\fP
+\fBpkinit_dh_min_bits\fP
Specifies the minimum number of bits the KDC is willing to accept
for a client\(aqs Diffie\-Hellman key. The default is 2048.
.TP
-.B \fBpkinit_allow_upn\fP
+\fBpkinit_allow_upn\fP
Specifies that the KDC is willing to accept client certificates
with the Microsoft UserPrincipalName (UPN) Subject Alternative
Name (SAN). This means the KDC accepts the binding of the UPN in
@@ -861,49 +861,49 @@ Without this option, the KDC will only accept certificates with
the id\-pkinit\-san as defined in \fI\%RFC 4556\fP\&. There is currently
no option to disable SAN checking in the KDC.
.TP
-.B \fBpkinit_eku_checking\fP
+\fBpkinit_eku_checking\fP
This option specifies what Extended Key Usage (EKU) values the KDC
is willing to accept in client certificates. The values
recognized in the kdc.conf file are:
.INDENT 7.0
.TP
-.B \fBkpClientAuth\fP
+\fBkpClientAuth\fP
This is the default value and specifies that client
certificates must have the id\-pkinit\-KPClientAuth EKU as
defined in \fI\%RFC 4556\fP\&.
.TP
-.B \fBscLogin\fP
+\fBscLogin\fP
If scLogin is specified, client certificates with the
Microsoft Smart Card Login EKU (id\-ms\-kp\-sc\-logon) will be
accepted.
.TP
-.B \fBnone\fP
+\fBnone\fP
If none is specified, then client certificates will not be
checked to verify they have an acceptable EKU. The use of
this option is not recommended.
.UNINDENT
.TP
-.B \fBpkinit_identity\fP
+\fBpkinit_identity\fP
Specifies the location of the KDC\(aqs X.509 identity information.
This option is required if pkinit is to be supported by the KDC.
.TP
-.B \fBpkinit_indicator\fP
+\fBpkinit_indicator\fP
Specifies an authentication indicator to include in the ticket if
pkinit is used to authenticate. This option may be specified
multiple times. (New in release 1.14.)
.TP
-.B \fBpkinit_pool\fP
+\fBpkinit_pool\fP
Specifies the location of intermediate certificates which may be
used by the KDC to complete the trust chain between a client\(aqs
certificate and a trusted anchor. This option may be specified
multiple times.
.TP
-.B \fBpkinit_revoke\fP
+\fBpkinit_revoke\fP
Specifies the location of Certificate Revocation List (CRL)
information to be used by the KDC when verifying the validity of
client certificates. This option may be specified multiple times.
.TP
-.B \fBpkinit_require_crl_checking\fP
+\fBpkinit_require_crl_checking\fP
The default certificate verification process will always check the
available revocation information to see if a certificate has been
revoked. If a match is found for the certificate in a CRL,
@@ -1190,7 +1190,7 @@ Here\(aqs an example of a kdc.conf file:
\fB at LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/kdc.conf\fP
.SH SEE ALSO
.sp
-\fIkrb5.conf(5)\fP, \fIkrb5kdc(8)\fP, \fIkadm5.acl(5)\fP
+krb5.conf(5), krb5kdc(8), kadm5.acl(5)
.SH AUTHOR
MIT
.SH COPYRIGHT
diff --git a/src/man/kdestroy.man b/src/man/kdestroy.man
index 5d793db..6c6f637 100644
--- a/src/man/kdestroy.man
+++ b/src/man/kdestroy.man
@@ -45,15 +45,15 @@ credentials cache is destroyed.
.SH OPTIONS
.INDENT 0.0
.TP
-.B \fB\-A\fP
+\fB\-A\fP
Destroys all caches in the collection, if a cache collection is
available.
.TP
-.B \fB\-q\fP
+\fB\-q\fP
Run quietly. Normally kdestroy beeps if it fails to destroy the
user\(aqs tickets. The \fB\-q\fP flag suppresses this behavior.
.TP
-.B \fB\-c\fP \fIcache_name\fP
+\fB\-c\fP \fIcache_name\fP
Use \fIcache_name\fP as the credentials (ticket) cache name and
location; if this option is not used, the default cache name and
location are used.
@@ -69,17 +69,8 @@ your .logout file, so that your tickets are destroyed automatically
when you log out.
.SH ENVIRONMENT
.sp
-kdestroy uses the following environment variable:
-.INDENT 0.0
-.TP
-.B \fBKRB5CCNAME\fP
-Location of the default Kerberos 5 credentials (ticket) cache, in
-the form \fItype\fP:\fIresidual\fP\&. If no \fItype\fP prefix is present, the
-\fBFILE\fP type is assumed. The type of the default cache may
-determine the availability of a cache collection; for instance, a
-default cache of type \fBDIR\fP causes caches within the directory
-to be present in the collection.
-.UNINDENT
+See kerberos(7) for a description of Kerberos environment
+variables.
.SH FILES
.INDENT 0.0
.TP
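Review bot: the removed KRB5CCNAME text, including the note that a DIR-type default cache makes the caches in that directory part of the collection, is replaced only by a pointer to kerberos(7), yet the sole change to kerberos.man in this commit is its .TH version string; confirm that kerberos(7) on the 1.16 branch already carries an ENVIRONMENT section describing KRB5CCNAME and cache collections, otherwise this hunk (and the matching ones in kinit.man, klist.man and kpasswd.man) drops user-facing documentation without a replacement.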
@@ -88,7 +79,7 @@ Default location of Kerberos 5 credentials cache
.UNINDENT
.SH SEE ALSO
.sp
-\fIkinit(1)\fP, \fIklist(1)\fP
+kinit(1), klist(1), kerberos(7)
.SH AUTHOR
MIT
.SH COPYRIGHT
diff --git a/src/man/kerberos.man b/src/man/kerberos.man
index 026f460..e3aa75d 100644
--- a/src/man/kerberos.man
+++ b/src/man/kerberos.man
@@ -1,6 +1,6 @@
.\" Man page generated from reStructuredText.
.
-.TH "KERBEROS" "7" " " "1.17" "MIT Kerberos"
+.TH "KERBEROS" "7" " " "1.16.1" "MIT Kerberos"
.SH NAME
kerberos \- Overview of using Kerberos
.
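Review bot: the .TH version string changes from 1.17 to 1.16.1 here, matching the [krb5-1.16] branch tag on this commit, but none of the other 25 regenerated man pages touch their .TH line in this diff; check that they already read 1.16.1 so the branch does not end up with a mixed set of version strings, and that the pages were regenerated from the 1.16 tree rather than copied from master.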
diff --git a/src/man/kinit.man b/src/man/kinit.man
index b992d4c..9dc36a6 100644
--- a/src/man/kinit.man
+++ b/src/man/kinit.man
@@ -63,11 +63,11 @@ choice of principal name.
.SH OPTIONS
.INDENT 0.0
.TP
-.B \fB\-V\fP
+\fB\-V\fP
display verbose output.
.TP
-.B \fB\-l\fP \fIlifetime\fP
-(\fIduration\fP string.) Requests a ticket with the lifetime
+\fB\-l\fP \fIlifetime\fP
+(duration string.) Requests a ticket with the lifetime
\fIlifetime\fP\&.
.sp
For example, \fBkinit \-l 5:30\fP or \fBkinit \-l 5h30m\fP\&.
@@ -77,62 +77,62 @@ If the \fB\-l\fP option is not specified, the default ticket lifetime
longer than the maximum ticket lifetime (configured by each site)
will not override the configured maximum ticket lifetime.
.TP
-.B \fB\-s\fP \fIstart_time\fP
-(\fIduration\fP string.) Requests a postdated ticket. Postdated
+\fB\-s\fP \fIstart_time\fP
+(duration string.) Requests a postdated ticket. Postdated
tickets are issued with the \fBinvalid\fP flag set, and need to be
resubmitted to the KDC for validation before use.
.sp
\fIstart_time\fP specifies the duration of the delay before the ticket
can become valid.
.TP
-.B \fB\-r\fP \fIrenewable_life\fP
-(\fIduration\fP string.) Requests renewable tickets, with a total
+\fB\-r\fP \fIrenewable_life\fP
+(duration string.) Requests renewable tickets, with a total
lifetime of \fIrenewable_life\fP\&.
.TP
-.B \fB\-f\fP
+\fB\-f\fP
requests forwardable tickets.
.TP
-.B \fB\-F\fP
+\fB\-F\fP
requests non\-forwardable tickets.
.TP
-.B \fB\-p\fP
+\fB\-p\fP
requests proxiable tickets.
.TP
-.B \fB\-P\fP
+\fB\-P\fP
requests non\-proxiable tickets.
.TP
-.B \fB\-a\fP
+\fB\-a\fP
requests tickets restricted to the host\(aqs local address[es].
.TP
-.B \fB\-A\fP
+\fB\-A\fP
requests tickets not restricted by address.
.TP
-.B \fB\-C\fP
+\fB\-C\fP
requests canonicalization of the principal name, and allows the
KDC to reply with a different client principal from the one
requested.
.TP
-.B \fB\-E\fP
+\fB\-E\fP
treats the principal name as an enterprise name (implies the
\fB\-C\fP option).
.TP
-.B \fB\-v\fP
+\fB\-v\fP
requests that the ticket\-granting ticket in the cache (with the
\fBinvalid\fP flag set) be passed to the KDC for validation. If the
ticket is within its requested time range, the cache is replaced
with the validated ticket.
.TP
-.B \fB\-R\fP
+\fB\-R\fP
requests renewal of the ticket\-granting ticket. Note that an
expired ticket cannot be renewed, even if the ticket is still
within its renewable life.
.sp
Note that renewable tickets that have expired as reported by
-\fIklist(1)\fP may sometimes be renewed using this option,
+klist(1) may sometimes be renewed using this option,
because the KDC applies a grace period to account for client\-KDC
-clock skew. See \fIkrb5.conf(5)\fP \fBclockskew\fP setting.
+clock skew. See krb5.conf(5) \fBclockskew\fP setting.
.TP
-.B \fB\-k\fP [\fB\-i\fP | \fB\-t\fP \fIkeytab_file\fP]
+\fB\-k\fP [\fB\-i\fP | \fB\-t\fP \fIkeytab_file\fP]
requests a ticket, obtained from a key in the local host\(aqs keytab.
The location of the keytab may be specified with the \fB\-t\fP
\fIkeytab_file\fP option, or with the \fB\-i\fP option to specify the use
@@ -144,12 +144,12 @@ the KDC database and look up the key directly. This permits an
administrator to obtain tickets as any principal that supports
authentication based on the key.
.TP
-.B \fB\-n\fP
+\fB\-n\fP
Requests anonymous processing. Two types of anonymous principals
are supported.
.sp
For fully anonymous Kerberos, configure pkinit on the KDC and
-configure \fBpkinit_anchors\fP in the client\(aqs \fIkrb5.conf(5)\fP\&.
+configure \fBpkinit_anchors\fP in the client\(aqs krb5.conf(5)\&.
Then use the \fB\-n\fP option with a principal of the form \fB at REALM\fP
(an empty principal name followed by the at\-sign and a realm
name). If permitted by the KDC, an anonymous ticket will be
@@ -177,7 +177,7 @@ preselecting the same methods of authenticating to the KDC.
.UNINDENT
.INDENT 0.0
.TP
-.B \fB\-T\fP \fIarmor_ccache\fP
+\fB\-T\fP \fIarmor_ccache\fP
Specifies the name of a credentials cache that already contains a
ticket. If supported by the KDC, this cache will be used to armor
the request, preventing offline dictionary attacks and allowing
@@ -185,7 +185,7 @@ the use of additional preauthentication mechanisms. Armoring also
makes sure that the response from the KDC is not modified in
transit.
.TP
-.B \fB\-c\fP \fIcache_name\fP
+\fB\-c\fP \fIcache_name\fP
use \fIcache_name\fP as the Kerberos 5 credentials (ticket) cache
location. If this option is not used, the default cache location
is used.
@@ -199,11 +199,11 @@ principal is selected or a new one is created and becomes the new
primary cache. Otherwise, any existing contents of the default
cache are destroyed by kinit.
.TP
-.B \fB\-S\fP \fIservice_name\fP
+\fB\-S\fP \fIservice_name\fP
specify an alternate service name to use when getting initial
tickets.
.TP
-.B \fB\-X\fP \fIattribute\fP[=\fIvalue\fP]
+\fB\-X\fP \fIattribute\fP[=\fIvalue\fP]
specify a pre\-authentication \fIattribute\fP and \fIvalue\fP to be
interpreted by pre\-authentication modules. The acceptable
attribute and value values vary from module to module. This
@@ -214,30 +214,21 @@ The following attributes are recognized by the PKINIT
pre\-authentication mechanism:
.INDENT 7.0
.TP
-.B \fBX509_user_identity\fP=\fIvalue\fP
+\fBX509_user_identity\fP=\fIvalue\fP
specify where to find user\(aqs X509 identity information
.TP
-.B \fBX509_anchors\fP=\fIvalue\fP
+\fBX509_anchors\fP=\fIvalue\fP
specify where to find trusted X509 anchor information
.TP
-.B \fBflag_RSA_PROTOCOL\fP[\fB=yes\fP]
+\fBflag_RSA_PROTOCOL\fP[\fB=yes\fP]
specify use of RSA, rather than the default Diffie\-Hellman
protocol
.UNINDENT
.UNINDENT
.SH ENVIRONMENT
.sp
-kinit uses the following environment variables:
-.INDENT 0.0
-.TP
-.B \fBKRB5CCNAME\fP
-Location of the default Kerberos 5 credentials cache, in the form
-\fItype\fP:\fIresidual\fP\&. If no \fItype\fP prefix is present, the \fBFILE\fP
-type is assumed. The type of the default cache may determine the
-availability of a cache collection; for instance, a default cache
-of type \fBDIR\fP causes caches within the directory to be present
-in the collection.
-.UNINDENT
+See kerberos(7) for a description of Kerberos environment
+variables.
.SH FILES
.INDENT 0.0
.TP
@@ -249,7 +240,7 @@ default location for the local host\(aqs keytab.
.UNINDENT
.SH SEE ALSO
.sp
-\fIklist(1)\fP, \fIkdestroy(1)\fP, kerberos(1)
+klist(1), kdestroy(1), kerberos(7)
.SH AUTHOR
MIT
.SH COPYRIGHT
diff --git a/src/man/klist.man b/src/man/klist.man
index 682a292..a3b38c2 100644
--- a/src/man/klist.man
+++ b/src/man/klist.man
@@ -46,24 +46,24 @@ credentials cache, or the keys held in a keytab file.
.SH OPTIONS
.INDENT 0.0
.TP
-.B \fB\-e\fP
+\fB\-e\fP
Displays the encryption types of the session key and the ticket
for each credential in the credential cache, or each key in the
keytab file.
.TP
-.B \fB\-l\fP
+\fB\-l\fP
If a cache collection is available, displays a table summarizing
the caches present in the collection.
.TP
-.B \fB\-A\fP
+\fB\-A\fP
If a cache collection is available, displays the contents of all
of the caches in the collection.
.TP
-.B \fB\-c\fP
+\fB\-c\fP
List tickets held in a credentials cache. This is the default if
neither \fB\-c\fP nor \fB\-k\fP is specified.
.TP
-.B \fB\-f\fP
+\fB\-f\fP
Shows the flags present in the credentials, using the following
abbreviations:
.INDENT 7.0
@@ -90,39 +90,39 @@ a anonymous
.UNINDENT
.UNINDENT
.TP
-.B \fB\-s\fP
+\fB\-s\fP
Causes klist to run silently (produce no output). klist will exit
with status 1 if the credentials cache cannot be read or is
expired, and with status 0 otherwise.
.TP
-.B \fB\-a\fP
+\fB\-a\fP
Display list of addresses in credentials.
.TP
-.B \fB\-n\fP
+\fB\-n\fP
Show numeric addresses instead of reverse\-resolving addresses.
.TP
-.B \fB\-C\fP
+\fB\-C\fP
List configuration data that has been stored in the credentials
cache when klist encounters it. By default, configuration data
is not listed.
.TP
-.B \fB\-k\fP
+\fB\-k\fP
List keys held in a keytab file.
.TP
-.B \fB\-i\fP
+\fB\-i\fP
In combination with \fB\-k\fP, defaults to using the default client
keytab instead of the default acceptor keytab, if no name is
given.
.TP
-.B \fB\-t\fP
+\fB\-t\fP
Display the time entry timestamps for each keytab entry in the
keytab file.
.TP
-.B \fB\-K\fP
+\fB\-K\fP
Display the value of the encryption key in each keytab entry in
the keytab file.
.TP
-.B \fB\-V\fP
+\fB\-V\fP
Display the Kerberos version number and exit.
.UNINDENT
.sp
@@ -132,17 +132,8 @@ appropriate. If the \fBKRB5CCNAME\fP environment variable is set, its
value is used to locate the default ticket cache.
.SH ENVIRONMENT
.sp
-klist uses the following environment variable:
-.INDENT 0.0
-.TP
-.B \fBKRB5CCNAME\fP
-Location of the default Kerberos 5 credentials (ticket) cache, in
-the form \fItype\fP:\fIresidual\fP\&. If no \fItype\fP prefix is present, the
-\fBFILE\fP type is assumed. The type of the default cache may
-determine the availability of a cache collection; for instance, a
-default cache of type \fBDIR\fP causes caches within the directory
-to be present in the collection.
-.UNINDENT
+See kerberos(7) for a description of Kerberos environment
+variables.
.SH FILES
.INDENT 0.0
.TP
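Review bot: the removed KRB5CCNAME text (from `-Location of the default Kerberos 5 credentials (ticket) cache` through `-to be present in the collection.`) was the only place klist(1) explained when a cache collection exists, and the -A option text in the first hunk ("If a cache collection is available") still depends on that explanation. Before merging, confirm that kerberos(7) carries the note that a default cache of type DIR makes the directory's caches a collection, or keep a one-line pointer such as "see kerberos(7) for how the default cache type determines collection availability" under -A.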
@@ -154,7 +145,7 @@ Default location for the local host\(aqs keytab file.
.UNINDENT
.SH SEE ALSO
.sp
-\fIkinit(1)\fP, \fIkdestroy(1)\fP
+kinit(1), kdestroy(1), kerberos(7)
.SH AUTHOR
MIT
.SH COPYRIGHT
diff --git a/src/man/kpasswd.man b/src/man/kpasswd.man
index d9c5de8..d754621 100644
--- a/src/man/kpasswd.man
+++ b/src/man/kpasswd.man
@@ -53,9 +53,13 @@ Otherwise, kpasswd uses the principal name from an existing ccache
if there is one; if not, the principal is derived from the
identity of the user invoking the kpasswd command.
.UNINDENT
+.SH ENVIRONMENT
+.sp
+See kerberos(7) for a description of Kerberos environment
+variables.
.SH SEE ALSO
.sp
-\fIkadmin(1)\fP, \fIkadmind(8)\fP
+kadmin(1), kadmind(8), kerberos(7)
.SH AUTHOR
MIT
.SH COPYRIGHT
diff --git a/src/man/kprop.man b/src/man/kprop.man
index 6a9daf0..a75342e 100644
--- a/src/man/kprop.man
+++ b/src/man/kprop.man
@@ -44,38 +44,36 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
kprop is used to securely propagate a Kerberos V5 database dump file
from the master Kerberos server to a slave Kerberos server, which is
specified by \fIslave_host\fP\&. The dump file must be created by
-\fIkdb5_util(8)\fP\&.
+kdb5_util(8)\&.
.SH OPTIONS
.INDENT 0.0
.TP
-.B \fB\-r\fP \fIrealm\fP
+\fB\-r\fP \fIrealm\fP
Specifies the realm of the master server.
.TP
-.B \fB\-f\fP \fIfile\fP
+\fB\-f\fP \fIfile\fP
Specifies the filename where the dumped principal database file is
to be found; by default the dumped database file is normally
\fB at LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/slave_datatrans\fP\&.
.TP
-.B \fB\-P\fP \fIport\fP
-Specifies the port to use to contact the \fIkpropd(8)\fP server
+\fB\-P\fP \fIport\fP
+Specifies the port to use to contact the kpropd(8) server
on the remote host.
.TP
-.B \fB\-d\fP
+\fB\-d\fP
Prints debugging information.
.TP
-.B \fB\-s\fP \fIkeytab\fP
+\fB\-s\fP \fIkeytab\fP
Specifies the location of the keytab file.
.UNINDENT
.SH ENVIRONMENT
.sp
-\fIkprop\fP uses the following environment variable:
-.INDENT 0.0
-.IP \(bu 2
-\fBKRB5_CONFIG\fP
-.UNINDENT
+See kerberos(7) for a description of Kerberos environment
+variables.
.SH SEE ALSO
.sp
-\fIkpropd(8)\fP, \fIkdb5_util(8)\fP, \fIkrb5kdc(8)\fP
+kpropd(8), kdb5_util(8), krb5kdc(8),
+kerberos(7)
.SH AUTHOR
MIT
.SH COPYRIGHT
diff --git a/src/man/kpropd.man b/src/man/kpropd.man
index a6920e3..c2b0935 100644
--- a/src/man/kpropd.man
+++ b/src/man/kpropd.man
@@ -46,15 +46,15 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.SH DESCRIPTION
.sp
The \fIkpropd\fP command runs on the slave KDC server. It listens for
-update requests made by the \fIkprop(8)\fP program. If incremental
+update requests made by the kprop(8) program. If incremental
propagation is enabled, it periodically requests incremental updates
from the master KDC.
.sp
When the slave receives a kprop request from the master, kpropd
accepts the dumped KDC database and places it in a file, and then runs
-\fIkdb5_util(8)\fP to load the dumped database into the active
-database which is used by \fIkrb5kdc(8)\fP\&. This allows the master
-Kerberos server to use \fIkprop(8)\fP to propagate its database to
+kdb5_util(8) to load the dumped database into the active
+database which is used by krb5kdc(8)\&. This allows the master
+Kerberos server to use kprop(8) to propagate its database to
the slave servers. Upon a successful download of the KDC database
file, the slave Kerberos server will have an up\-to\-date KDC database.
.sp
@@ -82,58 +82,58 @@ kpropd in standalone mode; this option is now accepted for backward
compatibility but does nothing.
.sp
Incremental propagation may be enabled with the \fBiprop_enable\fP
-variable in \fIkdc.conf(5)\fP\&. If incremental propagation is
+variable in kdc.conf(5)\&. If incremental propagation is
enabled, the slave periodically polls the master KDC for updates, at
an interval determined by the \fBiprop_slave_poll\fP variable. If the
slave receives updates, kpropd updates its log file with any updates
-from the master. \fIkproplog(8)\fP can be used to view a summary of
+from the master. kproplog(8) can be used to view a summary of
the update entry log on the slave KDC. If incremental propagation is
enabled, the principal \fBkiprop/slavehostname at REALM\fP (where
\fIslavehostname\fP is the name of the slave KDC host, and \fIREALM\fP is the
name of the Kerberos realm) must be present in the slave\(aqs keytab
file.
.sp
-\fIkproplog(8)\fP can be used to force full replication when iprop is
+kproplog(8) can be used to force full replication when iprop is
enabled.
.SH OPTIONS
.INDENT 0.0
.TP
-.B \fB\-r\fP \fIrealm\fP
+\fB\-r\fP \fIrealm\fP
Specifies the realm of the master server.
.TP
-.B \fB\-A\fP \fIadmin_server\fP
+\fB\-A\fP \fIadmin_server\fP
Specifies the server to be contacted for incremental updates; by
default, the master admin server is contacted.
.TP
-.B \fB\-f\fP \fIfile\fP
+\fB\-f\fP \fIfile\fP
Specifies the filename where the dumped principal database file is
to be stored; by default the dumped database file is \fB at LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/from_master\fP\&.
.TP
-.B \fB\-p\fP
-Allows the user to specify the pathname to the \fIkdb5_util(8)\fP
+\fB\-p\fP
+Allows the user to specify the pathname to the kdb5_util(8)
program; by default the pathname used is \fB at SBINDIR@\fP\fB/kdb5_util\fP\&.
.TP
-.B \fB\-d\fP
+\fB\-d\fP
Turn on debug mode. In this mode, kpropd will not detach
itself from the current job and run in the background. Instead,
it will run in the foreground and print out debugging messages
during the database propagation.
.TP
-.B \fB\-t\fP
+\fB\-t\fP
In standalone mode without incremental propagation, exit after one
dump file is received. In incremental propagation mode, exit as
soon as the database is up to date, or if the master returns an
error.
.TP
-.B \fB\-P\fP
+\fB\-P\fP
Allow for an alternate port number for kpropd to listen on. This
is only useful in combination with the \fB\-S\fP option.
.TP
-.B \fB\-a\fP \fIacl_file\fP
+\fB\-a\fP \fIacl_file\fP
Allows the user to specify the path to the kpropd.acl file; by
default the path used is \fB at LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/kpropd.acl\fP\&.
.TP
-.B \fB\-\-pid\-file\fP=\fIpid_file\fP
+\fB\-\-pid\-file\fP=\fIpid_file\fP
In standalone mode, write the process ID of the daemon into
\fIpid_file\fP\&.
.UNINDENT
@@ -153,11 +153,16 @@ kpropd uses the following environment variables:
Access file for kpropd; the default location is
\fB/usr/local/var/krb5kdc/kpropd.acl\fP\&. Each entry is a line
containing the principal of a host from which the local machine
-will allow Kerberos database propagation via \fIkprop(8)\fP\&.
+will allow Kerberos database propagation via kprop(8)\&.
.UNINDENT
+.SH ENVIRONMENT
+.sp
+See kerberos(7) for a description of Kerberos environment
+variables.
.SH SEE ALSO
.sp
-\fIkprop(8)\fP, \fIkdb5_util(8)\fP, \fIkrb5kdc(8)\fP, inetd(8)
+kprop(8), kdb5_util(8), krb5kdc(8),
+kerberos(7), inetd(8)
.SH AUTHOR
MIT
.SH COPYRIGHT
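Review bot: this hunk likely leaves kpropd.man with two ENVIRONMENT sections. The hunk header context `kpropd uses the following environment variables:` shows the original file already has an environment section before FILES, and no hunk in this patch removes it, so the added `.SH ENVIRONMENT` after FILES should replace that earlier text rather than sit beside it. Separately, the unchanged FILES line `\fB/usr/local/var/krb5kdc/kpropd.acl\fP` hardcodes the build prefix while the -a option text in the previous hunk uses `\fB at LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/kpropd.acl\fP`; worth aligning while the file is being regenerated.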
diff --git a/src/man/kproplog.man b/src/man/kproplog.man
index e495f1a..d772ec2 100644
--- a/src/man/kproplog.man
+++ b/src/man/kproplog.man
@@ -39,8 +39,8 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
The kproplog command displays the contents of the KDC database update
log to standard output. It can be used to keep track of incremental
updates to the principal database. The update log file contains the
-update log maintained by the \fIkadmind(8)\fP process on the master
-KDC server and the \fIkpropd(8)\fP process on the slave KDC servers.
+update log maintained by the kadmind(8) process on the master
+KDC server and the kpropd(8) process on the slave KDC servers.
When updates occur, they are logged to this file. Subsequently any
KDC slave configured for incremental updates will request the current
data from the master KDC and update their log file with any updates
@@ -57,22 +57,22 @@ last update received and the associated time stamp of the last update.
.SH OPTIONS
.INDENT 0.0
.TP
-.B \fB\-R\fP
+\fB\-R\fP
Reset the update log. This forces full resynchronization. If used
on a slave then that slave will request a full resync. If used on
the master then all slaves will request full resyncs.
.TP
-.B \fB\-h\fP
+\fB\-h\fP
Display a summary of the update log. This information includes
the database version number, state of the database, the number of
updates in the log, the time stamp of the first and last update,
and the version number of the first and last update entry.
.TP
-.B \fB\-e\fP \fInum\fP
+\fB\-e\fP \fInum\fP
Display the last \fInum\fP update entries in the log. This is useful
when debugging synchronization between KDC servers.
.TP
-.B \fB\-v\fP
+\fB\-v\fP
Display individual attributes per update. An example of the
output generated for one entry:
.INDENT 7.0
@@ -101,14 +101,11 @@ Update Entry
.UNINDENT
.SH ENVIRONMENT
.sp
-kproplog uses the following environment variables:
-.INDENT 0.0
-.IP \(bu 2
-\fBKRB5_KDC_PROFILE\fP
-.UNINDENT
+See kerberos(7) for a description of Kerberos environment
+variables.
.SH SEE ALSO
.sp
-\fIkpropd(8)\fP
+kpropd(8), kerberos(7)
.SH AUTHOR
MIT
.SH COPYRIGHT
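Review bot: the removed `\fBKRB5_KDC_PROFILE\fP` bullet was the only KDC-side variable documented here, and the replacement points to kerberos(7), which the rest of this patch uses as the client-side reference. Confirm that kerberos(7) actually lists KRB5_KDC_PROFILE; otherwise kproplog(8) loses the only statement that it reads the KDC profile rather than krb5.conf.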
diff --git a/src/man/krb5-config.man b/src/man/krb5-config.man
index c6b21fe..29784ef 100644
--- a/src/man/krb5-config.man
+++ b/src/man/krb5-config.man
@@ -41,39 +41,39 @@ and link programs against the installed Kerberos libraries.
.SH OPTIONS
.INDENT 0.0
.TP
-.B \fB\-\fP\fB\-help\fP
+\fB\-\fP\fB\-help\fP
prints a usage message. This is the default behavior when no options
are specified.
.TP
-.B \fB\-\fP\fB\-all\fP
+\fB\-\fP\fB\-all\fP
prints the version, vendor, prefix, and exec\-prefix.
.TP
-.B \fB\-\fP\fB\-version\fP
+\fB\-\fP\fB\-version\fP
prints the version number of the Kerberos installation.
.TP
-.B \fB\-\fP\fB\-vendor\fP
+\fB\-\fP\fB\-vendor\fP
prints the name of the vendor of the Kerberos installation.
.TP
-.B \fB\-\fP\fB\-prefix\fP
+\fB\-\fP\fB\-prefix\fP
prints the prefix for which the Kerberos installation was built.
.TP
-.B \fB\-\fP\fB\-exec\-prefix\fP
+\fB\-\fP\fB\-exec\-prefix\fP
prints the prefix for executables for which the Kerberos installation
was built.
.TP
-.B \fB\-\fP\fB\-defccname\fP
+\fB\-\fP\fB\-defccname\fP
prints the built\-in default credentials cache location.
.TP
-.B \fB\-\fP\fB\-defktname\fP
+\fB\-\fP\fB\-defktname\fP
prints the built\-in default keytab location.
.TP
-.B \fB\-\fP\fB\-defcktname\fP
+\fB\-\fP\fB\-defcktname\fP
prints the built\-in default client (initiator) keytab location.
.TP
-.B \fB\-\fP\fB\-cflags\fP
+\fB\-\fP\fB\-cflags\fP
prints the compilation flags used to build the Kerberos installation.
.TP
-.B \fB\-\fP\fB\-libs\fP [\fIlibrary\fP]
+\fB\-\fP\fB\-libs\fP [\fIlibrary\fP]
prints the compiler options needed to link against \fIlibrary\fP\&.
Allowed values for \fIlibrary\fP are:
.TS
@@ -132,7 +132,7 @@ shell% krb5\-config \-\-libs krb5
.UNINDENT
.SH SEE ALSO
.sp
-kerberos(1), cc(1)
+kerberos(7), cc(1)
.SH AUTHOR
MIT
.SH COPYRIGHT
diff --git a/src/man/krb5.conf.man b/src/man/krb5.conf.man
index ea73f50..9eb7227 100644
--- a/src/man/krb5.conf.man
+++ b/src/man/krb5.conf.man
@@ -137,7 +137,7 @@ module MODULEPATH:RESIDUAL
\fIMODULEPATH\fP may be relative to the library path of the krb5
installation, or it may be an absolute path. \fIRESIDUAL\fP is provided
to the module at initialization time. If krb5.conf uses a module
-directive, \fIkdc.conf(5)\fP should also use one if it exists.
+directive, kdc.conf(5) should also use one if it exists.
.SH SECTIONS
.sp
The krb5.conf file may contain the following sections:
@@ -184,15 +184,15 @@ _
.TE
.sp
Additionally, krb5.conf may include any of the relations described in
-\fIkdc.conf(5)\fP, but it is not a recommended practice.
+kdc.conf(5), but it is not a recommended practice.
.SS [libdefaults]
.sp
The libdefaults section may contain any of the following relations:
.INDENT 0.0
.TP
-.B \fBallow_weak_crypto\fP
+\fBallow_weak_crypto\fP
If this flag is set to false, then weak encryption types (as noted
-in \fIEncryption_types\fP in \fIkdc.conf(5)\fP) will be filtered
+in Encryption_types in kdc.conf(5)) will be filtered
out of the lists \fBdefault_tgs_enctypes\fP,
\fBdefault_tkt_enctypes\fP, and \fBpermitted_enctypes\fP\&. The default
value for this tag is false, which may cause authentication
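Review bot: in the allow_weak_crypto entry, `in Encryption_types in kdc.conf(5)` now reads as an undefined identifier once the italics are gone; it refers to a section of kdc.conf(5), not a relation name. Suggest "in the Encryption types section of kdc.conf(5)". The same wording recurs in the default_tgs_enctypes entry below (`See Encryption_types in` / `kdc.conf(5)`).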
@@ -200,7 +200,7 @@ failures in existing Kerberos infrastructures that do not support
strong crypto. Users in affected environments should set this tag
to true until their infrastructure adopts stronger ciphers.
.TP
-.B \fBap_req_checksum_type\fP
+\fBap_req_checksum_type\fP
An integer which specifies the type of AP\-REQ checksum to use in
authenticators. This variable should be unset so the appropriate
checksum for the encryption key in use will be used. This can be
@@ -208,20 +208,20 @@ set if backward compatibility requires a specific checksum type.
See the \fBkdc_req_checksum_type\fP configuration option for the
possible values and their meanings.
.TP
-.B \fBcanonicalize\fP
+\fBcanonicalize\fP
If this flag is set to true, initial ticket requests to the KDC
will request canonicalization of the client principal name, and
answers with different client principals than the requested
principal will be accepted. The default value is false.
.TP
-.B \fBccache_type\fP
+\fBccache_type\fP
This parameter determines the format of credential cache types
-created by \fIkinit(1)\fP or other programs. The default value
+created by kinit(1) or other programs. The default value
is 4, which represents the most current format. Smaller values
can be used for compatibility with very old implementations of
Kerberos which interact with credential caches on the same host.
.TP
-.B \fBclockskew\fP
+\fBclockskew\fP
Sets the maximum allowable amount of clockskew in seconds that the
library will tolerate before assuming that a Kerberos message is
invalid. The default value is 300 seconds, or five minutes.
@@ -232,34 +232,34 @@ their expiration time can still be used (and renewed if they are
renewable tickets) if they have been expired for a shorter
duration than the \fBclockskew\fP setting.
.TP
-.B \fBdefault_ccache_name\fP
+\fBdefault_ccache_name\fP
This relation specifies the name of the default credential cache.
The default is \fB at CCNAME@\fP\&. This relation is subject to parameter
expansion (see below). New in release 1.11.
.TP
-.B \fBdefault_client_keytab_name\fP
+\fBdefault_client_keytab_name\fP
This relation specifies the name of the default keytab for
obtaining client credentials. The default is \fB at CKTNAME@\fP\&. This
relation is subject to parameter expansion (see below).
New in release 1.11.
.TP
-.B \fBdefault_keytab_name\fP
+\fBdefault_keytab_name\fP
This relation specifies the default keytab name to be used by
application servers such as sshd. The default is \fB at KTNAME@\fP\&. This
relation is subject to parameter expansion (see below).
.TP
-.B \fBdefault_realm\fP
+\fBdefault_realm\fP
Identifies the default Kerberos realm for the client. Set its
value to your Kerberos realm. If this value is not set, then a
realm must be specified with every Kerberos principal when
-invoking programs such as \fIkinit(1)\fP\&.
+invoking programs such as kinit(1)\&.
.TP
-.B \fBdefault_tgs_enctypes\fP
+\fBdefault_tgs_enctypes\fP
Identifies the supported list of session key encryption types that
the client should request when making a TGS\-REQ, in order of
preference from highest to lowest. The list may be delimited with
-commas or whitespace. See \fIEncryption_types\fP in
-\fIkdc.conf(5)\fP for a list of the accepted values for this tag.
+commas or whitespace. See Encryption_types in
+kdc.conf(5) for a list of the accepted values for this tag.
The default value is \fBaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 aes256\-cts\-hmac\-sha384\-192 aes128\-cts\-hmac\-sha256\-128 des3\-cbc\-sha1 arcfour\-hmac\-md5 camellia256\-cts\-cmac camellia128\-cts\-cmac des\-cbc\-crc des\-cbc\-md5 des\-cbc\-md4\fP, but single\-DES encryption types
will be implicitly removed from this list if the value of
\fBallow_weak_crypto\fP is false.
@@ -269,7 +269,7 @@ compatibility purposes; stale values of this setting can prevent
clients from taking advantage of new stronger enctypes when the
libraries are upgraded.
.TP
-.B \fBdefault_tkt_enctypes\fP
+\fBdefault_tkt_enctypes\fP
Identifies the supported list of session key encryption types that
the client should request when making an AS\-REQ, in order of
preference from highest to lowest. The format is the same as for
@@ -283,14 +283,14 @@ compatibility purposes; stale values of this setting can prevent
clients from taking advantage of new stronger enctypes when the
libraries are upgraded.
.TP
-.B \fBdns_canonicalize_hostname\fP
+\fBdns_canonicalize_hostname\fP
Indicate whether name lookups will be used to canonicalize
hostnames for use in service principal names. Setting this flag
to false can improve security by reducing reliance on DNS, but
means that short hostnames will not be canonicalized to
fully\-qualified hostnames. The default value is true.
.TP
-.B \fBdns_lookup_kdc\fP
+\fBdns_lookup_kdc\fP
Indicate whether DNS SRV records should be used to locate the KDCs
and other servers for a realm, if they are not listed in the
krb5.conf information for the realm. (Note that the admin_server
@@ -306,30 +306,30 @@ it (besides the initial ticket request, which has no encrypted
data), and anything the fake KDC sends will not be trusted without
verification using some secret that it won\(aqt know.
.TP
-.B \fBdns_uri_lookup\fP
+\fBdns_uri_lookup\fP
Indicate whether DNS URI records should be used to locate the KDCs
and other servers for a realm, if they are not listed in the
krb5.conf information for the realm. SRV records are used as a
fallback if no URI records were found. The default value is true.
New in release 1.15.
.TP
-.B \fBerr_fmt\fP
+\fBerr_fmt\fP
This relation allows for custom error message formatting. If a
value is set, error messages will be formatted by substituting a
normal error message for %M and an error code for %C in the value.
.TP
-.B \fBextra_addresses\fP
+\fBextra_addresses\fP
This allows a computer to use multiple local addresses, in order
to allow Kerberos to work in a network that uses NATs while still
using address\-restricted tickets. The addresses should be in a
comma\-separated list. This option has no effect if
\fBnoaddresses\fP is true.
.TP
-.B \fBforwardable\fP
+\fBforwardable\fP
If this flag is true, initial tickets will be forwardable by
default, if allowed by the KDC. The default value is false.
.TP
-.B \fBignore_acceptor_hostname\fP
+\fBignore_acceptor_hostname\fP
When accepting GSSAPI or krb5 security contexts for host\-based
service principals, ignore any hostname passed by the calling
application, and allow clients to authenticate to any service
@@ -339,15 +339,15 @@ flexibility of server applications on multihomed hosts, but could
compromise the security of virtual hosting environments. The
default value is false. New in release 1.10.
.TP
-.B \fBk5login_authoritative\fP
+\fBk5login_authoritative\fP
If this flag is true, principals must be listed in a local user\(aqs
-k5login file to be granted login access, if a \fI\&.k5login(5)\fP
+k5login file to be granted login access, if a \&.k5login(5)
file exists. If this flag is false, a principal may still be
granted login access through other mechanisms even if a k5login
file exists but does not list the principal. The default value is
true.
.TP
-.B \fBk5login_directory\fP
+\fBk5login_directory\fP
If set, the library will look for a local user\(aqs k5login file
within the named directory, with a filename corresponding to the
local username. If not set, the library will look for k5login
@@ -355,25 +355,25 @@ files in the user\(aqs home directory, with the filename .k5login.
For security reasons, .k5login files must be owned by
the local user or by root.
.TP
-.B \fBkcm_mach_service\fP
+\fBkcm_mach_service\fP
On macOS only, determines the name of the bootstrap service used to
contact the KCM daemon for the KCM credential cache type. If the
value is \fB\-\fP, Mach RPC will not be used to contact the KCM
daemon. The default value is \fBorg.h5l.kcm\fP\&.
.TP
-.B \fBkcm_socket\fP
+\fBkcm_socket\fP
Determines the path to the Unix domain socket used to access the
KCM daemon for the KCM credential cache type. If the value is
\fB\-\fP, Unix domain sockets will not be used to contact the KCM
daemon. The default value is
\fB/var/run/.heim_org.h5l.kcm\-socket\fP\&.
.TP
-.B \fBkdc_default_options\fP
+\fBkdc_default_options\fP
Default KDC options (Xored for multiple values) when requesting
initial tickets. By default it is set to 0x00000010
(KDC_OPT_RENEWABLE_OK).
.TP
-.B \fBkdc_timesync\fP
+\fBkdc_timesync\fP
Accepted values for this relation are 1 or 0. If it is nonzero,
client machines will compute the difference between their time and
the time returned by the KDC in the timestamps in the tickets and
@@ -382,7 +382,7 @@ requesting service tickets or authenticating to services. This
corrective factor is only used by the Kerberos library; it is not
used to change the system clock. The default value is 1.
.TP
-.B \fBkdc_req_checksum_type\fP
+\fBkdc_req_checksum_type\fP
An integer which specifies the type of checksum to use for the KDC
requests, for compatibility with very old KDC implementations.
This value is only used for DES keys; other keys use the preferred
@@ -449,40 +449,40 @@ T}
_
.TE
.TP
-.B \fBnoaddresses\fP
+\fBnoaddresses\fP
If this flag is true, requests for initial tickets will not be
made with address restrictions set, allowing the tickets to be
used across NATs. The default value is true.
.TP
-.B \fBpermitted_enctypes\fP
+\fBpermitted_enctypes\fP
Identifies all encryption types that are permitted for use in
session key encryption. The default value for this tag is
\fBaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 aes256\-cts\-hmac\-sha384\-192 aes128\-cts\-hmac\-sha256\-128 des3\-cbc\-sha1 arcfour\-hmac\-md5 camellia256\-cts\-cmac camellia128\-cts\-cmac des\-cbc\-crc des\-cbc\-md5 des\-cbc\-md4\fP, but single\-DES encryption types will be implicitly
removed from this list if the value of \fBallow_weak_crypto\fP is
false.
.TP
-.B \fBplugin_base_dir\fP
+\fBplugin_base_dir\fP
If set, determines the base directory where krb5 plugins are
located. The default value is the \fBkrb5/plugins\fP subdirectory
of the krb5 library directory.
.TP
-.B \fBpreferred_preauth_types\fP
+\fBpreferred_preauth_types\fP
This allows you to set the preferred preauthentication types which
the client will attempt before others which may be advertised by a
KDC. The default value for this setting is "17, 16, 15, 14",
which forces libkrb5 to attempt to use PKINIT if it is supported.
.TP
-.B \fBproxiable\fP
+\fBproxiable\fP
If this flag is true, initial tickets will be proxiable by
default, if allowed by the KDC. The default value is false.
.TP
-.B \fBrdns\fP
+\fBrdns\fP
If this flag is true, reverse name lookup will be used in addition
to forward name lookup to canonicalizing hostnames for use in
service principal names. If \fBdns_canonicalize_hostname\fP is set
to false, this flag has no effect. The default value is true.
.TP
-.B \fBrealm_try_domains\fP
+\fBrealm_try_domains\fP
Indicate whether a host\(aqs domain components should be used to
determine the Kerberos realm of the host. The value of this
variable is an integer: \-1 means not to search, 0 means to try the
@@ -492,11 +492,11 @@ Kerberos realms is used to determine whether a domain is a valid
realm, which may involve consulting DNS if \fBdns_lookup_kdc\fP is
set. The default is not to search domain components.
.TP
-.B \fBrenew_lifetime\fP
-(\fIduration\fP string.) Sets the default renewable lifetime
+\fBrenew_lifetime\fP
+(duration string.) Sets the default renewable lifetime
for initial ticket requests. The default value is 0.
.TP
-.B \fBsafe_checksum_type\fP
+\fBsafe_checksum_type\fP
An integer which specifies the type of checksum to use for the
KRB\-SAFE requests. By default it is set to 8 (RSA MD5 DES). For
compatibility with applications linked against DCE version 1.1 or
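Review bot: in the renew_lifetime entry, dropping the italics in `(duration string.)` removes the only signal that "duration" names a defined format rather than an ordinary word; the ticket_lifetime entry in the next hunk gets the same change. Since the other cross-references in this patch were converted to explicit `name(section)` text, suggest pointing the reader to where the duration format is documented instead of leaving a bare parenthetical.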
@@ -505,11 +505,11 @@ DES instead. This field is ignored when its value is incompatible
with the session key type. See the \fBkdc_req_checksum_type\fP
configuration option for the possible values and their meanings.
.TP
-.B \fBticket_lifetime\fP
-(\fIduration\fP string.) Sets the default lifetime for initial
+\fBticket_lifetime\fP
+(duration string.) Sets the default lifetime for initial
ticket requests. The default value is 1 day.
.TP
-.B \fBudp_preference_limit\fP
+\fBudp_preference_limit\fP
When sending a message to the KDC, the library will try using TCP
before UDP if the size of the message is above
\fBudp_preference_limit\fP\&. If the message is smaller than
@@ -517,7 +517,7 @@ before UDP if the size of the message is above
Regardless of the size, both protocols will be tried if the first
attempt fails.
.TP
-.B \fBverify_ap_req_nofail\fP
+\fBverify_ap_req_nofail\fP
If this flag is true, then an attempt to verify initial
credentials will fail if the client machine does not have a
keytab. The default value is false.
@@ -530,20 +530,20 @@ define the properties of that particular realm. For each realm, the
following tags may be specified in the realm\(aqs subsection:
.INDENT 0.0
.TP
-.B \fBadmin_server\fP
+\fBadmin_server\fP
Identifies the host where the administration server is running.
Typically, this is the master Kerberos server. This tag must be
-given a value in order to communicate with the \fIkadmind(8)\fP
+given a value in order to communicate with the kadmind(8)
server for the realm.
.TP
-.B \fBauth_to_local\fP
+\fBauth_to_local\fP
This tag allows you to set a general rule for mapping principal
names to local user names. It will be used if there is not an
explicit mapping for the principal name that is being
translated. The possible values are:
.INDENT 7.0
.TP
-.B \fBRULE:\fP\fIexp\fP
+\fBRULE:\fP\fIexp\fP
The local name will be formulated from \fIexp\fP\&.
.sp
The format for \fIexp\fP is \fB[\fP\fIn\fP\fB:\fP\fIstring\fP\fB](\fP\fIregexp\fP\fB)s/\fP\fIpattern\fP\fB/\fP\fIreplacement\fP\fB/g\fP\&.
@@ -559,7 +559,7 @@ string. The optional \fBg\fP will cause the substitution to be
global over the \fIstring\fP, instead of replacing only the first
match in the \fIstring\fP\&.
.TP
-.B \fBDEFAULT\fP
+\fBDEFAULT\fP
The principal name will be used as the local user name. If
the principal has more than one component or is not in the
default realm, this rule is not applicable and the conversion
@@ -592,18 +592,18 @@ principal with a second component of \fBroot\fP\&. The exception to
these two rules are any principals \fBjohndoe/*\fP, which will
always get the local name \fBguest\fP\&.
.TP
-.B \fBauth_to_local_names\fP
+\fBauth_to_local_names\fP
This subsection allows you to set explicit mappings from principal
names to local user names. The tag is the mapping name, and the
value is the corresponding local user name.
.TP
-.B \fBdefault_domain\fP
+\fBdefault_domain\fP
This tag specifies the domain used to expand hostnames when
translating Kerberos 4 service principals to Kerberos 5 principals
(for example, when converting \fBrcmd.hostname\fP to
\fBhost/hostname.domain\fP).
.TP
-.B \fBhttp_anchors\fP
+\fBhttp_anchors\fP
When KDCs and kpasswd servers are accessed through HTTPS proxies, this tag
can be used to specify the location of the CA certificate which should be
trusted to issue the certificate for a proxy server. If left unspecified,
@@ -629,7 +629,7 @@ to a value conforming to one of the previous values. For example,
\fBENV:X509_PROXY_CA\fP, where environment variable \fBX509_PROXY_CA\fP has
been set to \fBFILE:/tmp/my_proxy.pem\fP\&.
.TP
-.B \fBkdc\fP
+\fBkdc\fP
The name or address of a host running a KDC for that realm. An
optional port number, separated from the hostname by a colon, may
be included. If the name or address contains colons (for example,
@@ -639,12 +639,13 @@ be able to communicate with the KDC for each realm, this tag must
be given a value in each realm subsection in the configuration
file, or there must be DNS SRV records specifying the KDCs.
.TP
-.B \fBkpasswd_server\fP
+\fBkpasswd_server\fP
Points to the server where all the password changes are performed.
-If there is no such entry, the port 464 on the \fBadmin_server\fP
+If there is no such entry, DNS will be queried (unless forbidden
+by \fBdns_lookup_kdc\fP). Finally, port 464 on the \fBadmin_server\fP
host will be tried.
.TP
-.B \fBmaster_kdc\fP
+\fBmaster_kdc\fP
Identifies the master KDC(s). Currently, this tag is used in only
one case: If an attempt to get credentials fails because of an
invalid password, the client software will attempt to contact the
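Review bot: the new kpasswd_server fallback text `DNS will be queried (unless forbidden` / `by \fBdns_lookup_kdc\fP)` does not say which records are consulted, while the [libdefaults] entries earlier in this file document both SRV lookups (dns_lookup_kdc) and URI lookups (dns_uri_lookup, with SRV as the fallback). Suggest naming the records and the second switch, e.g. "DNS URI and SRV records will be queried (unless disabled by dns_uri_lookup and dns_lookup_kdc)", so the three-step order (explicit entry, DNS, port 464 on admin_server) is unambiguous.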
@@ -652,14 +653,14 @@ master KDC, in case the user\(aqs password has just been changed, and
the updated database has not been propagated to the slave servers
yet.
.TP
-.B \fBv4_instance_convert\fP
+\fBv4_instance_convert\fP
This subsection allows the administrator to configure exceptions
to the \fBdefault_domain\fP mapping rule. It contains V4 instances
(the tag name) which should be translated to some specific
hostname (the tag value) as the second component in a Kerberos V5
principal name.
.TP
-.B \fBv4_realm\fP
+\fBv4_realm\fP
This relation is used by the krb524 library routines when
converting a V5 principal name to a V4 principal name. It is used
when the V4 realm name and the V5 realm name are not the same, but
@@ -869,17 +870,17 @@ Each pluggable interface corresponds to a subsection of [plugins].
All subsections support the same tags:
.INDENT 0.0
.TP
-.B \fBdisable\fP
+\fBdisable\fP
This tag may have multiple values. If there are values for this
tag, then the named modules will be disabled for the pluggable
interface.
.TP
-.B \fBenable_only\fP
+\fBenable_only\fP
This tag may have multiple values. If there are values for this
tag, then only the named modules will be enabled for the pluggable
interface.
.TP
-.B \fBmodule\fP
+\fBmodule\fP
This tag may have multiple values. Each value is a string of the
form \fBmodulename:pathname\fP, which causes the shared object
located at \fIpathname\fP to be registered as a dynamic module named
@@ -904,15 +905,15 @@ dynamic modules, the following built\-in modules exist (and may be
disabled with the disable tag):
.INDENT 0.0
.TP
-.B \fBk5identity\fP
+\fBk5identity\fP
Uses a .k5identity file in the user\(aqs home directory to select a
client principal
.TP
-.B \fBrealm\fP
+\fBrealm\fP
Uses the service realm to guess an appropriate cache from the
collection
.TP
-.B \fBhostname\fP
+\fBhostname\fP
If the service principal is host\-based, uses the service hostname
to guess an appropriate cache from the collection
.UNINDENT
@@ -923,17 +924,17 @@ interface, which is used to reject weak passwords when passwords are
changed. The following built\-in modules exist for this interface:
.INDENT 0.0
.TP
-.B \fBdict\fP
+\fBdict\fP
Checks against the realm dictionary file
.TP
-.B \fBempty\fP
+\fBempty\fP
Rejects empty passwords
.TP
-.B \fBhesiod\fP
+\fBhesiod\fP
Checks against user information stored in Hesiod (only if Kerberos
was built with Hesiod support)
.TP
-.B \fBprinc\fP
+\fBprinc\fP
Checks against components of the principal name
.UNINDENT
.SS kadm5_hook interface
@@ -951,11 +952,11 @@ client principal is allowed to perform a kadmin operation. The
following built\-in modules exist for this interface:
.INDENT 0.0
.TP
-.B \fBacl\fP
-This module reads the \fIkadm5.acl(5)\fP file, and authorizes
+\fBacl\fP
+This module reads the kadm5.acl(5) file, and authorizes
operations which are allowed according to the rules in the file.
.TP
-.B \fBself\fP
+\fBself\fP
This module authorizes self\-service operations including password
changes, creation of new random keys, fetching the client\(aqs
principal record or string attributes, and fetching the policy
@@ -968,13 +969,13 @@ provide client and KDC preauthentication mechanisms. The following
built\-in modules exist for these interfaces:
.INDENT 0.0
.TP
-.B \fBpkinit\fP
+\fBpkinit\fP
This module implements the PKINIT preauthentication mechanism.
.TP
-.B \fBencrypted_challenge\fP
+\fBencrypted_challenge\fP
This module implements the encrypted challenge FAST factor.
.TP
-.B \fBencrypted_timestamp\fP
+\fBencrypted_timestamp\fP
This module implements the encrypted timestamp mechanism.
.UNINDENT
.SS hostrealm interface
@@ -985,17 +986,17 @@ hostnames to realm names and the choice of default realm. The following
built\-in modules exist for this interface:
.INDENT 0.0
.TP
-.B \fBprofile\fP
+\fBprofile\fP
This module consults the [domain_realm] section of the profile for
authoritative host\-to\-realm mappings, and the \fBdefault_realm\fP
variable for the default realm.
.TP
-.B \fBdns\fP
+\fBdns\fP
This module looks for DNS records for fallback host\-to\-realm
mappings and the default realm. It only operates if the
\fBdns_lookup_realm\fP variable is set to true.
.TP
-.B \fBdomain\fP
+\fBdomain\fP
This module applies heuristics for fallback host\-to\-realm
mappings. It implements the \fBrealm_try_domains\fP variable, and
uses the uppercased parent domain of the hostname if that does not
@@ -1009,28 +1010,28 @@ between Kerberos principals and local system accounts. The following
built\-in modules exist for this interface:
.INDENT 0.0
.TP
-.B \fBdefault\fP
+\fBdefault\fP
This module implements the \fBDEFAULT\fP type for \fBauth_to_local\fP
values.
.TP
-.B \fBrule\fP
+\fBrule\fP
This module implements the \fBRULE\fP type for \fBauth_to_local\fP
values.
.TP
-.B \fBnames\fP
+\fBnames\fP
This module looks for an \fBauth_to_local_names\fP mapping for the
principal name.
.TP
-.B \fBauth_to_local\fP
+\fBauth_to_local\fP
This module processes \fBauth_to_local\fP values in the default
realm\(aqs section, and applies the default method if no
\fBauth_to_local\fP values exist.
.TP
-.B \fBk5login\fP
+\fBk5login\fP
This module authorizes a principal to a local account according to
-the account\(aqs \fI\&.k5login(5)\fP file.
+the account\(aqs \&.k5login(5) file.
.TP
-.B \fBan2ln\fP
+\fBan2ln\fP
This module authorizes a principal to a local account if the
principal name maps to the local account name.
.UNINDENT
@@ -1042,18 +1043,18 @@ certificate is allowed to preauthenticate a user via PKINIT. The
following built\-in modules exist for this interface:
.INDENT 0.0
.TP
-.B \fBpkinit_san\fP
+\fBpkinit_san\fP
This module authorizes the certificate if it contains a PKINIT
Subject Alternative Name for the requested client principal, or a
Microsoft UPN SAN matching the principal if \fBpkinit_allow_upn\fP
is set to true for the realm.
.TP
-.B \fBpkinit_eku\fP
+\fBpkinit_eku\fP
This module rejects the certificate if it does not contain an
Extended Key Usage attribute consistent with the
\fBpkinit_eku_checking\fP value for the realm.
.TP
-.B \fBdbmatch\fP
+\fBdbmatch\fP
This module authorizes or rejects the certificate according to
whether it matches the \fBpkinit_cert_match\fP string attribute on
the client principal, if that attribute is present.
@@ -1122,7 +1123,7 @@ The syntax for specifying Public Key identity, trust, and revocation
information for PKINIT is as follows:
.INDENT 0.0
.TP
-.B \fBFILE:\fP\fIfilename\fP[\fB,\fP\fIkeyfilename\fP]
+\fBFILE:\fP\fIfilename\fP[\fB,\fP\fIkeyfilename\fP]
This option has context\-specific behavior.
.sp
In \fBpkinit_identity\fP or \fBpkinit_identities\fP, \fIfilename\fP
@@ -1134,7 +1135,7 @@ private key is expected to be in \fIfilename\fP as well. Otherwise,
In \fBpkinit_anchors\fP or \fBpkinit_pool\fP, \fIfilename\fP is assumed to
be the name of an OpenSSL\-style ca\-bundle file.
.TP
-.B \fBDIR:\fP\fIdirname\fP
+\fBDIR:\fP\fIdirname\fP
This option has context\-specific behavior.
.sp
In \fBpkinit_identity\fP or \fBpkinit_identities\fP, \fIdirname\fP
@@ -1157,11 +1158,11 @@ named \fBhash\-of\-ca\-cert.r#\fP\&. This infrastructure is encouraged,
but all files in the directory will be examined and if they
contain a revocation list (in PEM format), they will be used.
.TP
-.B \fBPKCS12:\fP\fIfilename\fP
+\fBPKCS12:\fP\fIfilename\fP
\fIfilename\fP is the name of a PKCS #12 format file, containing the
user\(aqs certificate and private key.
.TP
-.B \fBPKCS11:\fP[\fBmodule_name=\fP]\fImodname\fP[\fB:slotid=\fP\fIslot\-id\fP][\fB:token=\fP\fItoken\-label\fP][\fB:certid=\fP\fIcert\-id\fP][\fB:certlabel=\fP\fIcert\-label\fP]
+\fBPKCS11:\fP[\fBmodule_name=\fP]\fImodname\fP[\fB:slotid=\fP\fIslot\-id\fP][\fB:token=\fP\fItoken\-label\fP][\fB:certid=\fP\fIcert\-id\fP][\fB:certlabel=\fP\fIcert\-label\fP]
All keyword/values are optional. \fImodname\fP specifies the location
of a library implementing PKCS #11. If a value is encountered
with no keyword, it is assumed to be the \fImodname\fP\&. If no
@@ -1173,7 +1174,7 @@ force the selection of a particular certificate on the device.
See the \fBpkinit_cert_match\fP configuration option for more ways
to select a particular certificate to use for PKINIT.
.TP
-.B \fBENV:\fP\fIenvvar\fP
+\fBENV:\fP\fIenvvar\fP
\fIenvvar\fP specifies the name of an environment variable which has
been set to a value conforming to one of the previous values. For
example, \fBENV:X509_PROXY\fP, where environment variable
@@ -1182,13 +1183,13 @@ example, \fBENV:X509_PROXY\fP, where environment variable
.SS PKINIT krb5.conf options
.INDENT 0.0
.TP
-.B \fBpkinit_anchors\fP
+\fBpkinit_anchors\fP
Specifies the location of trusted anchor (root) certificates which
the client trusts to sign KDC certificates. This option may be
specified multiple times. These values from the config file are
not used if the user specifies X509_anchors on the command line.
.TP
-.B \fBpkinit_cert_match\fP
+\fBpkinit_cert_match\fP
Specifies matching rules that the client certificate must match
before it is used to attempt PKINIT authentication. If a user has
multiple certificates available (on a smart card, or via other
@@ -1273,7 +1274,7 @@ pkinit_cert_match = <EKU>msScLogin,clientAuth<KU>digitalSignature
.UNINDENT
.UNINDENT
.TP
-.B \fBpkinit_eku_checking\fP
+\fBpkinit_eku_checking\fP
This option specifies what Extended Key Usage value the KDC
certificate presented to the client must contain. (Note that if
the KDC certificate has the pkinit SubjectAlternativeName encoded
@@ -1282,35 +1283,35 @@ issuing CA has certified this as a KDC certificate.) The values
recognized in the krb5.conf file are:
.INDENT 7.0
.TP
-.B \fBkpKDC\fP
+\fBkpKDC\fP
This is the default value and specifies that the KDC must have
the id\-pkinit\-KPKdc EKU as defined in \fI\%RFC 4556\fP\&.
.TP
-.B \fBkpServerAuth\fP
+\fBkpServerAuth\fP
If \fBkpServerAuth\fP is specified, a KDC certificate with the
id\-kp\-serverAuth EKU will be accepted. This key usage value
is used in most commercially issued server certificates.
.TP
-.B \fBnone\fP
+\fBnone\fP
If \fBnone\fP is specified, then the KDC certificate will not be
checked to verify it has an acceptable EKU. The use of this
option is not recommended.
.UNINDENT
.TP
-.B \fBpkinit_dh_min_bits\fP
+\fBpkinit_dh_min_bits\fP
Specifies the size of the Diffie\-Hellman key the client will
attempt to use. The acceptable values are 1024, 2048, and 4096.
The default is 2048.
.TP
-.B \fBpkinit_identities\fP
+\fBpkinit_identities\fP
Specifies the location(s) to be used to find the user\(aqs X.509
-identity information. This option may be specified multiple
-times. Each value is attempted in order until identity
-information is found and authentication is attempted. Note that
-these values are not used if the user specifies
-\fBX509_user_identity\fP on the command line.
+identity information. If this option is specified multiple times,
+the first valid value is used; this can be used to specify an
+environment variable (with \fBENV:\fP\fIenvvar\fP) followed by a
+default value. Note that these values are not used if the user
+specifies \fBX509_user_identity\fP on the command line.
.TP
-.B \fBpkinit_kdc_hostname\fP
+\fBpkinit_kdc_hostname\fP
The presense of this option indicates that the client is willing
to accept a KDC certificate with a dNSName SAN (Subject
Alternative Name) rather than requiring the id\-pkinit\-san as
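Review bot: the rewritten pkinit_identities text, "the first valid value is used", replaces the earlier description of trying each value in order until identity information is found, but "valid" is left undefined: a reader cannot tell whether a value counts as valid when it parses, when the file or token it names exists, or when a usable certificate and key are actually loaded from it. Since the stated use case is an ENV:envvar entry followed by a default, a clause such as "the first value from which an identity can be loaded" (or whatever the client really does) would remove the ambiguity. While in this hunk, the unchanged context line "The presense of this option indicates" under pkinit_kdc_hostname has a typo ("presence"); as these .man files are produced by rst2man (see the rst2man-indent macros in the sclient and sserver hunks), both fixes belong in the RST source rather than here.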
@@ -1318,13 +1319,13 @@ defined in \fI\%RFC 4556\fP\&. This option may be specified multiple
times. Its value should contain the acceptable hostname for the
KDC (as contained in its certificate).
.TP
-.B \fBpkinit_pool\fP
+\fBpkinit_pool\fP
Specifies the location of intermediate certificates which may be
used by the client to complete the trust chain between a KDC
certificate and a trusted anchor. This option may be specified
multiple times.
.TP
-.B \fBpkinit_require_crl_checking\fP
+\fBpkinit_require_crl_checking\fP
The default certificate verification process will always check the
available revocation information to see if a certificate has been
revoked. If a match is found for the certificate in a CRL,
@@ -1340,7 +1341,7 @@ fails.
\fBpkinit_require_crl_checking\fP should be set to true if the
policy is such that up\-to\-date CRLs must be present for every CA.
.TP
-.B \fBpkinit_revoke\fP
+\fBpkinit_revoke\fP
Specifies the location of Certificate Revocation List (CRL)
information to be used by the client when verifying the validity
of the KDC certificate presented. This option may be specified
diff --git a/src/man/krb5kdc.man b/src/man/krb5kdc.man
index 2e2c889..303892d 100644
--- a/src/man/krb5kdc.man
+++ b/src/man/krb5kdc.man
@@ -80,7 +80,7 @@ process.
The \fB\-p\fP \fIportnum\fP option specifies the default UDP port numbers
which the KDC should listen on for Kerberos version 5 requests, as a
comma\-separated list. This value overrides the UDP port numbers
-specified in the \fIkdcdefaults\fP section of \fIkdc.conf(5)\fP, but
+specified in the kdcdefaults section of kdc.conf(5), but
may be overridden by realm\-specific values. If no value is given from
any source, the default port is 88.
.sp
@@ -92,18 +92,8 @@ will relay SIGHUP signals to the worker subprocesses, and will
terminate the worker subprocess if the it is itself terminated or if
any other worker process exits.
.sp
-\fBNOTE:\fP
-.INDENT 0.0
-.INDENT 3.5
-On operating systems which do not have \fIpktinfo\fP support,
-using worker processes will prevent the KDC from listening
-for UDP packets on network interfaces created after the KDC
-starts.
-.UNINDENT
-.UNINDENT
-.sp
The \fB\-x\fP \fIdb_args\fP option specifies database\-specific arguments.
-See \fIDatabase Options\fP in \fIkadmin(1)\fP for
+See Database Options in kadmin(1) for
supported arguments.
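Review bot: the NOTE explaining that worker processes stop the KDC from listening for UDP packets on network interfaces created after startup on systems without pktinfo support is deleted with no replacement, and nothing in the hunk says that limitation was lifted. If the restriction still applies, the caveat should stay (or move to wherever the worker-process option is now documented); if it was fixed, a one-line statement to that effect would help operators who sized their deployments around the old warning. The unchanged context line "terminate the worker subprocess if the it is itself terminated" also carries a stray "the" and should read "if it is itself terminated".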
.sp
The \fB\-T\fP \fIoffset\fP option specifies a time offset, in seconds, which
@@ -129,24 +119,19 @@ krb5kdc \-p 2001 \-r REALM1 \-p 2002 \-r REALM2 \-r REALM3
.sp
specifies that the KDC listen on port 2001 for REALM1 and on port 2002
for REALM2 and REALM3. Additionally, per\-realm parameters may be
-specified in the \fIkdc.conf(5)\fP file. The location of this file
+specified in the kdc.conf(5) file. The location of this file
may be specified by the \fBKRB5_KDC_PROFILE\fP environment variable.
Per\-realm parameters specified in this file take precedence over
-options specified on the command line. See the \fIkdc.conf(5)\fP
+options specified on the command line. See the kdc.conf(5)
description for further details.
.SH ENVIRONMENT
.sp
-krb5kdc uses the following environment variables:
-.INDENT 0.0
-.IP \(bu 2
-\fBKRB5_CONFIG\fP
-.IP \(bu 2
-\fBKRB5_KDC_PROFILE\fP
-.UNINDENT
+See kerberos(7) for a description of Kerberos environment
+variables.
.SH SEE ALSO
.sp
-\fIkdb5_util(8)\fP, \fIkdc.conf(5)\fP, \fIkrb5.conf(5)\fP,
-\fIkdb5_ldap_util(8)\fP
+kdb5_util(8), kdc.conf(5), krb5.conf(5),
+kdb5_ldap_util(8), kerberos(7)
.SH AUTHOR
MIT
.SH COPYRIGHT
diff --git a/src/man/ksu.man b/src/man/ksu.man
index f2e5cfd..cfcb159 100644
--- a/src/man/ksu.man
+++ b/src/man/ksu.man
@@ -99,7 +99,7 @@ option, see the OPTIONS section.
Upon successful authentication, ksu checks whether the target
principal is authorized to access the target account. In the target
user\(aqs home directory, ksu attempts to access two authorization files:
-\fI\&.k5login(5)\fP and .k5users. In the .k5login file each line
+\&.k5login(5) and .k5users. In the .k5login file each line
contains the name of a principal that is authorized to access the
account.
.sp
@@ -182,7 +182,7 @@ source cache.
.SH OPTIONS
.INDENT 0.0
.TP
-.B \fB\-n\fP \fItarget_principal_name\fP
+\fB\-n\fP \fItarget_principal_name\fP
Specify a Kerberos target principal name. Used in authentication
and authorization phases of ksu.
.sp
@@ -263,33 +263,33 @@ krb5cc_1984.2
.UNINDENT
.INDENT 0.0
.TP
-.B \fB\-k\fP
+\fB\-k\fP
Do not delete the target cache upon termination of the target
shell or a command (\fB\-e\fP command). Without \fB\-k\fP, ksu deletes
the target cache.
.TP
-.B \fB\-z\fP
+\fB\-z\fP
Restrict the copy of tickets from the source cache to the target
cache to only the tickets where client == the target principal
name. Use the \fB\-n\fP option if you want the tickets for other then
the default principal. Note that the \fB\-z\fP option is mutually
exclusive with the \fB\-Z\fP option.
.TP
-.B \fB\-Z\fP
+\fB\-Z\fP
Don\(aqt copy any tickets from the source cache to the target cache.
Just create a fresh target cache, where the default principal name
of the cache is initialized to the target principal name. Note
that the \fB\-Z\fP option is mutually exclusive with the \fB\-z\fP
option.
.TP
-.B \fB\-q\fP
+\fB\-q\fP
Suppress the printing of status messages.
.UNINDENT
.sp
Ticket granting ticket options:
.INDENT 0.0
.TP
-.B \fB\-l\fP \fIlifetime\fP \fB\-r\fP \fItime\fP \fB\-pf\fP
+\fB\-l\fP \fIlifetime\fP \fB\-r\fP \fItime\fP \fB\-pf\fP
The ticket granting ticket options only apply to the case where
there are no appropriate tickets in the cache to authenticate the
source user. In this case if ksu is configured to prompt users
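Review bot: the unchanged line under -z, "if you want the tickets for other then the default principal", should read "other than"; since the markup for this option is being touched anyway, it is a cheap fix to fold in (in the RST source, given the man page is generated).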
@@ -297,25 +297,25 @@ for a Kerberos password (\fBGET_TGT_VIA_PASSWD\fP is defined), the
ticket granting ticket options that are specified will be used
when getting a ticket granting ticket from the Kerberos server.
.TP
-.B \fB\-l\fP \fIlifetime\fP
-(\fIduration\fP string.) Specifies the lifetime to be requested
+\fB\-l\fP \fIlifetime\fP
+(duration string.) Specifies the lifetime to be requested
for the ticket; if this option is not specified, the default ticket
lifetime (12 hours) is used instead.
.TP
-.B \fB\-r\fP \fItime\fP
-(\fIduration\fP string.) Specifies that the \fBrenewable\fP option
+\fB\-r\fP \fItime\fP
+(duration string.) Specifies that the \fBrenewable\fP option
should be requested for the ticket, and specifies the desired
total lifetime of the ticket.
.TP
-.B \fB\-p\fP
+\fB\-p\fP
specifies that the \fBproxiable\fP option should be requested for
the ticket.
.TP
-.B \fB\-f\fP
+\fB\-f\fP
option specifies that the \fBforwardable\fP option should be
requested for the ticket.
.TP
-.B \fB\-e\fP \fIcommand\fP [\fIargs\fP ...]
+\fB\-e\fP \fIcommand\fP [\fIargs\fP ...]
ksu proceeds exactly the same as if it was invoked without the
\fB\-e\fP option, except instead of executing the target shell, ksu
executes the specified command. Example of usage:
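Review bot: the -p and -f entries in this hunk still read "specifies that the proxiable option should be requested" and "option specifies that the forwardable option should be requested", lowercase fragments that sit oddly beside the full-sentence -l and -r entries directly above them. Suggest "Requests the proxiable option for the ticket." and "Requests the forwardable option for the ticket." so the four ticket-granting-ticket options are described in the same form.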
@@ -379,7 +379,7 @@ then command can be either a full or a relative path leading to
the target program. Otherwise, the user must specify either a
full path or just the program name.
.TP
-.B \fB\-a\fP \fIargs\fP
+\fB\-a\fP \fIargs\fP
Specify arguments to be passed to the target shell. Note that all
flags and parameters following \-a will be passed to the shell,
thus all options intended for ksu must precede \fB\-a\fP\&.
@@ -404,7 +404,7 @@ used as follows:
ksu can be compiled with the following four flags:
.INDENT 0.0
.TP
-.B \fBGET_TGT_VIA_PASSWD\fP
+\fBGET_TGT_VIA_PASSWD\fP
In case no appropriate tickets are found in the source cache, the
user will be prompted for a Kerberos password. The password is
then used to get a ticket granting ticket from the Kerberos
@@ -412,17 +412,17 @@ server. The danger of configuring ksu with this macro is if the
source user is logged in remotely and does not have a secure
channel, the password may get exposed.
.TP
-.B \fBPRINC_LOOK_AHEAD\fP
+\fBPRINC_LOOK_AHEAD\fP
During the resolution of the default principal name,
\fBPRINC_LOOK_AHEAD\fP enables ksu to find principal names in
the .k5users file as described in the OPTIONS section
(see \fB\-n\fP option).
.TP
-.B \fBCMD_PATH\fP
+\fBCMD_PATH\fP
Specifies a list of directories containing programs that users are
authorized to execute (via .k5users file).
.TP
-.B \fBHAVE_GETUSERSHELL\fP
+\fBHAVE_GETUSERSHELL\fP
If the source user is non\-root, ksu insists that the target user\(aqs
shell to be invoked is a "legal shell". \fIgetusershell(3)\fP is
called to obtain the names of "legal shells". Note that the
@@ -453,6 +453,13 @@ ksu deletes all expired tickets from the source cache.
.SH AUTHOR OF KSU
.sp
GENNADY (ARI) MEDVINSKY
+.SH ENVIRONMENT
+.sp
+See kerberos(7) for a description of Kerberos environment
+variables.
+.SH SEE ALSO
+.sp
+kerberos(7), kinit(1)
.SH AUTHOR
MIT
.SH COPYRIGHT
diff --git a/src/man/kswitch.man b/src/man/kswitch.man
index 1ac283c..d9a1685 100644
--- a/src/man/kswitch.man
+++ b/src/man/kswitch.man
@@ -41,27 +41,18 @@ collection, if a cache collection is available.
.SH OPTIONS
.INDENT 0.0
.TP
-.B \fB\-c\fP \fIcachename\fP
+\fB\-c\fP \fIcachename\fP
Directly specifies the credential cache to be made primary.
.TP
-.B \fB\-p\fP \fIprincipal\fP
+\fB\-p\fP \fIprincipal\fP
Causes the cache collection to be searched for a cache containing
credentials for \fIprincipal\fP\&. If one is found, that collection is
made primary.
.UNINDENT
.SH ENVIRONMENT
.sp
-kswitch uses the following environment variables:
-.INDENT 0.0
-.TP
-.B \fBKRB5CCNAME\fP
-Location of the default Kerberos 5 credentials (ticket) cache, in
-the form \fItype\fP:\fIresidual\fP\&. If no \fItype\fP prefix is present, the
-\fBFILE\fP type is assumed. The type of the default cache may
-determine the availability of a cache collection; for instance, a
-default cache of type \fBDIR\fP causes caches within the directory
-to be present in the collection.
-.UNINDENT
+See kerberos(7) for a description of Kerberos environment
+variables.
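Review bot: the removed ENVIRONMENT text stated a kswitch-specific fact, that the type of the default cache named by KRB5CCNAME decides whether a cache collection exists at all (a DIR cache makes the caches in that directory the collection), and the one-line pointer to kerberos(7) that replaces it drops that point. Because kswitch only does anything "if a cache collection is available" (per the hunk's own context line), consider keeping a sentence here, for example "The type of the default cache may determine the availability of a cache collection; see kerberos(7).", unless kerberos(7) covers the DIR case explicitly.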
.SH FILES
.INDENT 0.0
.TP
@@ -70,7 +61,8 @@ Default location of Kerberos 5 credentials cache
.UNINDENT
.SH SEE ALSO
.sp
-\fIkinit(1)\fP, \fIkdestroy(1)\fP, \fIklist(1)\fP), kerberos(1)
+kinit(1), kdestroy(1), klist(1),
+kerberos(7)
.SH AUTHOR
MIT
.SH COPYRIGHT
diff --git a/src/man/ktutil.man b/src/man/ktutil.man
index c17eac3..365df81 100644
--- a/src/man/ktutil.man
+++ b/src/man/ktutil.man
@@ -162,9 +162,13 @@ ktutil:
.UNINDENT
.UNINDENT
.UNINDENT
+.SH ENVIRONMENT
+.sp
+See kerberos(7) for a description of Kerberos environment
+variables.
.SH SEE ALSO
.sp
-\fIkadmin(1)\fP, \fIkdb5_util(8)\fP
+kadmin(1), kdb5_util(8), kerberos(7)
.SH AUTHOR
MIT
.SH COPYRIGHT
diff --git a/src/man/kvno.man b/src/man/kvno.man
index 3335705..60d2065 100644
--- a/src/man/kvno.man
+++ b/src/man/kvno.man
@@ -48,37 +48,37 @@ and prints out the key version numbers of each.
.SH OPTIONS
.INDENT 0.0
.TP
-.B \fB\-c\fP \fIccache\fP
+\fB\-c\fP \fIccache\fP
Specifies the name of a credentials cache to use (if not the
default)
.TP
-.B \fB\-e\fP \fIetype\fP
+\fB\-e\fP \fIetype\fP
Specifies the enctype which will be requested for the session key
of all the services named on the command line. This is useful in
certain backward compatibility situations.
.TP
-.B \fB\-q\fP
+\fB\-q\fP
Suppress printing output when successful. If a service ticket
cannot be obtained, an error message will still be printed and
kvno will exit with nonzero status.
.TP
-.B \fB\-h\fP
+\fB\-h\fP
Prints a usage statement and exits.
.TP
-.B \fB\-P\fP
+\fB\-P\fP
Specifies that the \fIservice1 service2\fP ... arguments are to be
treated as services for which credentials should be acquired using
constrained delegation. This option is only valid when used in
conjunction with protocol transition.
.TP
-.B \fB\-S\fP \fIsname\fP
+\fB\-S\fP \fIsname\fP
Specifies that the \fIservice1 service2\fP ... arguments are
interpreted as hostnames, and the service principals are to be
constructed from those hostnames and the service name \fIsname\fP\&.
The service hostnames will be canonicalized according to the usual
rules for constructing service principals.
.TP
-.B \fB\-U\fP \fIfor_user\fP
+\fB\-U\fP \fIfor_user\fP
Specifies that protocol transition (S4U2Self) is to be used to
acquire a ticket on behalf of \fIfor_user\fP\&. If constrained
delegation is not requested, the service name must match the
@@ -86,12 +86,8 @@ credentials cache client principal.
.UNINDENT
.SH ENVIRONMENT
.sp
-kvno uses the following environment variable:
-.INDENT 0.0
-.TP
-.B \fBKRB5CCNAME\fP
-Location of the credentials (ticket) cache.
-.UNINDENT
+See kerberos(7) for a description of Kerberos environment
+variables.
.SH FILES
.INDENT 0.0
.TP
@@ -100,7 +96,7 @@ Default location of the credentials cache
.UNINDENT
.SH SEE ALSO
.sp
-\fIkinit(1)\fP, \fIkdestroy(1)\fP
+kinit(1), kdestroy(1), kerberos(7)
.SH AUTHOR
MIT
.SH COPYRIGHT
diff --git a/src/man/sclient.man b/src/man/sclient.man
index 96d2a73..6f24205 100644
--- a/src/man/sclient.man
+++ b/src/man/sclient.man
@@ -36,12 +36,16 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.SH DESCRIPTION
.sp
sclient is a sample application, primarily useful for testing
-purposes. It contacts a sample server \fIsserver(8)\fP and
+purposes. It contacts a sample server sserver(8) and
authenticates to it using Kerberos version 5 tickets, then displays
the server\(aqs response.
+.SH ENVIRONMENT
+.sp
+See kerberos(7) for a description of Kerberos environment
+variables.
.SH SEE ALSO
.sp
-\fIkinit(1)\fP, \fIsserver(8)\fP
+kinit(1), sserver(8), kerberos(7)
.SH AUTHOR
MIT
.SH COPYRIGHT
diff --git a/src/man/sserver.man b/src/man/sserver.man
index 25b053d..234e77a 100644
--- a/src/man/sserver.man
+++ b/src/man/sserver.man
@@ -38,7 +38,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
[ \fIserver_port\fP ]
.SH DESCRIPTION
.sp
-sserver and \fIsclient(1)\fP are a simple demonstration client/server
+sserver and sclient(1) are a simple demonstration client/server
application. When sclient connects to sserver, it performs a Kerberos
authentication, and then sserver returns to sclient the Kerberos
principal which was used for the Kerberos authentication. It makes a
@@ -47,7 +47,7 @@ good test that Kerberos has been successfully installed on a machine.
The service name used by sserver and sclient is sample. Hence,
sserver will require that there be a keytab entry for the service
\fBsample/hostname.domain.name at REALM.NAME\fP\&. This keytab is generated
-using the \fIkadmin(1)\fP program. The keytab file is usually
+using the kadmin(1) program. The keytab file is usually
installed as \fB at KTNAME@\fP\&.
.sp
The \fB\-S\fP option allows for a different keytab than the default.
@@ -80,8 +80,8 @@ sample 13135/tcp
.UNINDENT
.sp
When using sclient, you will first have to have an entry in the
-Kerberos database, by using \fIkadmin(1)\fP, and then you have to get
-Kerberos tickets, by using \fIkinit(1)\fP\&. Also, if you are running
+Kerberos database, by using kadmin(1), and then you have to get
+Kerberos tickets, by using kinit(1)\&. Also, if you are running
the sclient program on a different host than the sserver it will be
connecting to, be sure that both hosts have an entry in /etc/services
for the sample tcp port, and that the same port number is in both
@@ -164,7 +164,7 @@ sclient: Server not found in Kerberos database while using
.sp
This means that the \fBsample/hostname at LOCAL.REALM\fP service was not
defined in the Kerberos database; it should be created using
-\fIkadmin(1)\fP, and a keytab file needs to be generated to make
+kadmin(1), and a keytab file needs to be generated to make
the key for that service principal available for sclient.
.IP 5. 3
sclient returns the error:
@@ -183,9 +183,13 @@ sendauth rejected, error reply is:
This probably means sserver couldn\(aqt find the keytab file. It was
probably not installed in the proper directory.
.UNINDENT
+.SH ENVIRONMENT
+.sp
+See kerberos(7) for a description of Kerberos environment
+variables.
.SH SEE ALSO
.sp
-\fIsclient(1)\fP, services(5), inetd(8)
+sclient(1), kerberos(7), services(5), inetd(8)
.SH AUTHOR
MIT
.SH COPYRIGHT