diff options
author | Ben Kaduk <kaduk@mit.edu> | 2013-05-30 18:49:36 -0400 |
---|---|---|
committer | Ben Kaduk <kaduk@mit.edu> | 2013-05-31 13:09:45 -0400 |
commit | 7425e9b69566c241c54eb2686fb37f216122423f (patch) | |
tree | 8e77d441a2491fc908e094231c93c5ae88a484d7 /doc/admin | |
parent | 3662723a2857a3ad42cb267044e29f516232cdf7 (diff) | |
download | krb5-7425e9b69566c241c54eb2686fb37f216122423f.tar.gz krb5-7425e9b69566c241c54eb2686fb37f216122423f.tar.xz krb5-7425e9b69566c241c54eb2686fb37f216122423f.zip |
Document preauth flags for service principals
These flags are overloaded to mean different things for clients and
servers; previously we only documented the client behavior.
ticket: 7653 (new)
tags: pullup
target_version: 1.11.4
Diffstat (limited to 'doc/admin')
-rw-r--r-- | doc/admin/admin_commands/kadmin_local.rst | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/doc/admin/admin_commands/kadmin_local.rst b/doc/admin/admin_commands/kadmin_local.rst index 3072eec715..39351dfd90 100644 --- a/doc/admin/admin_commands/kadmin_local.rst +++ b/doc/admin/admin_commands/kadmin_local.rst @@ -242,12 +242,18 @@ Options: {-\|+}\ **requires_preauth** **+requires_preauth** requires this principal to preauthenticate before being allowed to kinit. **-requires_preauth** clears this - flag. + flag. When **+requires_preauth** is set on a service principal, + the KDC will only issue service tickets for that service principal + if the client's initial authentication was performed using + preauthentication. {-\|+}\ **requires_hwauth** **+requires_hwauth** requires this principal to preauthenticate using a hardware device before being allowed to kinit. - **-requires_hwauth** clears this flag. + **-requires_hwauth** clears this flag. When **+requires_hwauth** is + set on a service principal, the KDC will only issue service tickets + for that service principal if the client's initial authentication was + performed using a hardware device to preauthenticate. {-\|+}\ **ok_as_delegate** **+ok_as_delegate** sets the **okay as delegate** flag on tickets |