summaryrefslogtreecommitdiffstats
path: root/src/man/krb5.conf.man
diff options
context:
space:
mode:
Diffstat (limited to 'src/man/krb5.conf.man')
-rw-r--r--src/man/krb5.conf.man42
1 files changed, 39 insertions, 3 deletions
diff --git a/src/man/krb5.conf.man b/src/man/krb5.conf.man
index c382c7b6a9..a653b69fa4 100644
--- a/src/man/krb5.conf.man
+++ b/src/man/krb5.conf.man
@@ -216,12 +216,13 @@ invalid. The default value is 300 seconds, or five minutes.
.B \fBdefault_ccache_name\fP
This relation specifies the name of the default credential cache.
The default is \fB@CCNAME@\fP. This relation is subject to parameter
-expansion (see below).
+expansion (see below). New in release 1.11.
.TP
.B \fBdefault_client_keytab_name\fP
This relation specifies the name of the default keytab for
obtaining client credentials. The default is \fB@CKTNAME@\fP. This
relation is subject to parameter expansion (see below).
+New in release 1.11.
.TP
.B \fBdefault_keytab_name\fP
This relation specifies the default keytab name to be used by
@@ -298,7 +299,7 @@ principal in the keytab matching the service name and realm name
(if given). This option can improve the administrative
flexibility of server applications on multihomed hosts, but could
compromise the security of virtual hosting environments. The
-default value is false.
+default value is false. New in release 1.10.
.TP
.B \fBk5login_authoritative\fP
If this flag is true, principals must be listed in a local user\(aqs
@@ -774,6 +775,8 @@ modules and to turn modules on and off. Not every krb5 pluggable
interface uses the [plugins] section; the ones that do are documented
here.
.sp
+New in release 1.9.
+.sp
Each pluggable interface corresponds to a subsection of [plugins].
All subsections support the same tags:
.INDENT 0.0
@@ -858,6 +861,39 @@ This module implements the encrypted challenge FAST factor.
.B \fBencrypted_timestamp\fP
This module implements the encrypted timestamp mechanism.
.UNINDENT
+.SS localauth interface
+.sp
+The localauth section (introduced in release 1.12) controls modules
+for the local authorization interface, which affects the relationship
+between Kerberos principals and local system accounts. The following
+built\-in modules exist for this interface:
+.INDENT 0.0
+.TP
+.B \fBauth_to_local\fP
+This module processes \fBauth_to_local\fP values in the default
+realm\(aqs section, and applies the default method if no
+\fBauth_to_local\fP values exist.
+.TP
+.B \fBan2ln\fP
+This module authorizes a principal to a local account if the
+principal name maps to the local account name.
+.TP
+.B \fBdefault\fP
+This module implements the \fBDEFAULT\fP type for \fBauth_to_local\fP
+values.
+.TP
+.B \fBk5login\fP
+This module authorizes a principal to a local account according to
+the account\(aqs \fI.k5login(5)\fP file.
+.TP
+.B \fBnames\fP
+This module looks for an \fBauth_to_local_names\fP mapping for the
+principal name.
+.TP
+.B \fBrule\fP
+This module implements the \fBRULE\fP type for \fBauth_to_local\fP
+values.
+.UNINDENT
.SH PKINIT OPTIONS
.IP Note
The following are PKINIT\-specific options. These values may
@@ -1318,6 +1354,6 @@ syslog(3)
.SH AUTHOR
MIT
.SH COPYRIGHT
-2012, MIT
+1985-2013, MIT
.\" Generated by docutils manpage writer.
.
generated by cgit (git 2.34.1) at 2024-06-18 09:31:10 +0000