diff options
authorZhanna Tsitkov <>2014-02-24 14:17:43 -0500
committerZhanna Tsitkov <>2014-02-26 11:54:20 -0500
commit1121a7fa68f44167471dc94cf5795a838587e84c (patch)
parente87bba2e8a8c753b761227dda5f2e216a6771db2 (diff)
Update kadmin set_string document
Added 'otp' as an acceptable attribute name. Added examples. Also, x-ref kadmin document from otp.rst.
2 files changed, 22 insertions, 6 deletions
diff --git a/doc/admin/admin_commands/kadmin_local.rst b/doc/admin/admin_commands/kadmin_local.rst
index 7f334a5..39545c0 100644
--- a/doc/admin/admin_commands/kadmin_local.rst
+++ b/doc/admin/admin_commands/kadmin_local.rst
@@ -573,11 +573,12 @@ Alias: **getstr**
- **set_string** *principal* *key* *value*
+ **set_string** *principal* *name* *value*
Sets a string attribute on *principal*. String attributes are used to
supply per-principal configuration to the KDC and some KDC plugin
-modules. The following string attributes are recognized by the KDC:
+modules. The following string attribute names are recognized by the
Specifies the encryption types supported for session keys when the
@@ -585,10 +586,22 @@ modules. The following string attributes are recognized by the KDC:
:ref:`Encryption_types` in :ref:`kdc.conf(5)` for a list of the
accepted values.
+ Enables One Time Passwords (OTP) preauthentication for a client
+ *principal*. The *value* is a JSON string representing an array
+ of objects, each having optional ``type`` and ``username`` fields.
This command requires the **modify** privilege.
Alias: **setstr**
+ ::
+ set_string host/ session_enctypes aes128-cts
+ set_string user@FOO.COM otp [{"type":"hotp","username":"custom"}]
.. _set_string_end:
.. _del_string:
diff --git a/doc/admin/otp.rst b/doc/admin/otp.rst
index 9c634d6..9baf7a7 100644
--- a/doc/admin/otp.rst
+++ b/doc/admin/otp.rst
@@ -20,8 +20,8 @@ details of authentication.
Defining token types
-Token types are defined in either krb5.conf or kdc.conf according to
-the following format::
+Token types are defined in either :ref:`krb5.conf(5)` or
+:ref:`kdc.conf(5)` according to the following format::
<name> = {
@@ -63,8 +63,11 @@ Token instance configuration
To enable OTP for a client principal, the administrator must define
-the **otp** string attribute for that principal. The **otp** user
-string is a JSON string of the format::
+the **otp** string attribute for that principal. (See
+:ref:`set_string`.) The **otp** user string is a JSON string of the
+.. code-block:: xml
"type": <string>,