summaryrefslogtreecommitdiffstats
path: root/doc
diff options
context:
space:
mode:
authorJen Selby <jenselby@mit.edu>2002-06-26 21:15:11 +0000
committerJen Selby <jenselby@mit.edu>2002-06-26 21:15:11 +0000
commita522464928341b63106c397cd0635a7d8700bbc8 (patch)
tree6533fdaf87015c17dab651a46e5bf801314a43de /doc
parent6c3b5028ae243b6afbfe96547d08581c4894ce6b (diff)
downloadkrb5-a522464928341b63106c397cd0635a7d8700bbc8.tar.gz
krb5-a522464928341b63106c397cd0635a7d8700bbc8.tar.xz
krb5-a522464928341b63106c397cd0635a7d8700bbc8.zip
* Makefile: changed the way html output is generated, made "make all"
remove generated tex files * admin.texinfo: added sections about encryption types and salts, updated the configuration file sections, revised the example configuration files, updated dates on output strings, added an explanation of destroying a Kerberos database * build.texinfo: changed the description of the tarball * definitions.texinfo: added variables for all the default values so that they can all be updated in one place, changed the release from 1.2 to 1.3 * dnstxt.texinfo updated the information * install.texinfo added more description of the configuration files and the minimum needed in the files to set up a kerberos realm, revised the examples of the configuration file sections, took out old encryption type and salt information * kdcconf.texinfo: new file, taken from the admin guide and included in both the admin and install guides, provides descriptions of the sections in kdc.conf * krb425.texinfo: moved a texinfo tag so that makeinfo --html would work * krb5conf.texinfo: new file, take from the admin guide and included in both the admin and install guides, provides descriptions of the sections in krb5.conf * man2html, man2html.M: new files, a perl program to create html pages from the output of the man command * salts.texinfo: new file, a description of the different salt types that are currently supported * support-enc.texinfo: new file, a description of the currently supported encryptions types * user-guide.texinfo: added a section describing different ticket flags, added a way to have the man pages in the reference section accessible in the html version of the documentation git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@14587 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'doc')
-rw-r--r--doc/ChangeLog35
-rw-r--r--doc/Makefile22
-rw-r--r--doc/admin.texinfo350
-rw-r--r--doc/build.texinfo30
-rw-r--r--doc/definitions.texinfo100
-rw-r--r--doc/dnstxt.texinfo18
-rw-r--r--doc/install.texinfo176
-rw-r--r--doc/kdcconf.texinfo24
-rw-r--r--doc/krb425.texinfo3
-rw-r--r--doc/krb5conf.texinfo63
-rw-r--r--doc/man2html608
-rw-r--r--doc/man2html.M761
-rw-r--r--doc/salts.texinfo19
-rw-r--r--doc/support-enc.texinfo27
-rw-r--r--doc/user-guide.texinfo168
15 files changed, 2078 insertions, 326 deletions
diff --git a/doc/ChangeLog b/doc/ChangeLog
index 37b52c4d0f..7ea57f4d79 100644
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@@ -1,3 +1,38 @@
+2002-06-26 Jen Selby <jenselby@mit.edu>
+
+ * Makefile: changed the way html output is generated, made "make all"
+ remove generated tex files
+ * admin.texinfo: added sections about encryption types and salts,
+ updated the configuration file sections, revised the example
+ configuration files, updated dates on output strings, added an
+ explanation of destroying a Kerberos database
+ * build.texinfo: changed the description of the tarball
+ * definitions.texinfo: added variables for all the default values
+ so that they can all be updated in one place, changed the release
+ from 1.2 to 1.3
+ * dnstxt.texinfo updated the information
+ * install.texinfo added more description of the configuration files
+ and the minimum needed in the files to set up a kerberos realm,
+ revised the examples of the configuration file sections, took out
+ old encryption type and salt information
+ * kdcconf.texinfo: new file, taken from the admin guide and included
+ in both the admin and install guides, provides descriptions of the
+ sections in kdc.conf
+ * krb425.texinfo: moved a texinfo tag so that makeinfo --html would
+ work
+ * krb5conf.texinfo: new file, take from the admin guide and included
+ in both the admin and install guides, provides descriptions of the
+ sections in krb5.conf
+ * man2html, man2html.M: new files, a perl program to create html pages
+ from the output of the man command
+ * salts.texinfo: new file, a description of the different salt types
+ that are currently supported
+ * support-enc.texinfo: new file, a description of the currently
+ supported encryptions types
+ * user-guide.texinfo: added a section describing different ticket
+ flags, added a way to have the man pages in the reference section
+ accessible in the html version of the documentation
+
2002-06-21 Ezra Eeisach <epeisach@bu.edu>
* implementor.texinfo (IPv6 Support): Update fact that IRIX 6.5.16
diff --git a/doc/Makefile b/doc/Makefile
index f8c29969b7..a5b8d13fee 100644
--- a/doc/Makefile
+++ b/doc/Makefile
@@ -2,18 +2,22 @@ SRCDIR=../src
DVI=texi2dvi
DVIPS=dvips -o "$@"
INFO=makeinfo
-HTML=texi2html
+HTML=makeinfo --html
RM=rm -f
TAR=tar -chvf
GZIP=gzip -9
MANPS=./man2ps
+MANTXT=nroff -man
+MANHTML=./man2html
ADMIN_INCLUDES=definitions.texinfo copyright.texinfo document-list.texinfo \
- glossary.texinfo send-pr.texinfo
+ glossary.texinfo support-enc.texinfo salts.texinfo krb5conf.texinfo \
+ kdcconf.texinfo dnstxt.texinfo dnssrv.texinfo send-pr.texinfo
ADMIN_DEPS=admin.texinfo $(ADMIN_INCLUDES)
INSTALL_INCLUDES=definitions.texinfo copyright.texinfo document-list.texinfo \
- build.texinfo bug-report.texinfo send-pr.texinfo
+ dnstxt.texinfo dnssrv.texinfo build.texinfo bug-report.texinfo \
+ krb5conf.texinfo kdcconf.texinfo send-pr.texinfo
INSTALL_DEPS=install.texinfo $(INSTALL_INCLUDES)
USER_GUIDE_INCLUDES=definitions.texinfo copyright.texinfo glossary.texinfo
@@ -23,7 +27,7 @@ KRB425_INCLUDES=definitions.texinfo copyright.texinfo
KRB425_DEPS=krb425.texinfo $(KRB425_INCLUDES)
.PHONY: all
-all:: admin-guide-full install-guide-full user-guide-full krb425-guide-full clean-temp-ps
+all:: admin-guide-full install-guide-full user-guide-full krb425-guide-full clean-temp-ps clean-tex
.PHONY: admin-guide-full
admin-guide-full:: admin-guide admin-guide-info admin-guide-html
@@ -90,6 +94,16 @@ krb5-user.info: $(USER_GUIDE_DEPS)
user-guide-html:: user-guide.html
user-guide.html: $(USER_GUIDE_DEPS)
+ $(MANTXT) $(SRCDIR)/appl/gssftp/ftp/ftp.M | $(MANHTML) > ftp.html
+ $(MANTXT) $(SRCDIR)/clients/kdestroy/kdestroy.M | $(MANHTML) > kdestroy.html
+ $(MANTXT) $(SRCDIR)/clients/kinit/kinit.M | $(MANHTML) > kinit.html
+ $(MANTXT) $(SRCDIR)/clients/klist/klist.M | $(MANHTML) > klist.html
+ $(MANTXT) $(SRCDIR)/clients/ksu/ksu.M | $(MANHTML) > ksu.html
+ $(MANTXT) $(SRCDIR)/appl/bsd/rcp.M | $(MANHTML) > rcp.html
+ $(MANTXT) $(SRCDIR)/appl/bsd/rlogin.M | $(MANHTML) > rlogin.html
+ $(MANTXT) $(SRCDIR)/appl/bsd/rsh.M | $(MANHTML) > rsh.html
+ $(MANTXT) $(SRCDIR)/appl/telnet/telnet/telnet.1 | $(MANHTML) > telnet.html
+ $(MANTXT) $(SRCDIR)/kadmin/passwd/kpasswd.M | $(MANHTML) > kpasswd.html
$(HTML) user-guide.texinfo
.PHONY: krb425-guide-full
diff --git a/doc/admin.texinfo b/doc/admin.texinfo
index 37bda96692..d04ba75722 100644
--- a/doc/admin.texinfo
+++ b/doc/admin.texinfo
@@ -39,6 +39,7 @@
@ifinfo
This document describes how to administrate a @value{PRODUCT}
installation.
+@end ifinfo
@c The master menu is updated using emacs19's M-x texinfo-all-menus-update
@c function. Don't forget to run M-x texinfo-every-node-update after
@@ -71,7 +72,6 @@ installation.
@node Copyright, Introduction, Top, Top
@unnumbered Copyright
@include copyright.texinfo
-@end ifinfo
@node Introduction, How Kerberos Works, Copyright, Top
@@ -336,75 +336,31 @@ Following are definitions of some of the Kerberos terminology.
@chapter Configuration Files
@menu
+* Supported Encryption Types::
+* Salts::
* krb5.conf::
* kdc.conf::
@end menu
-@node krb5.conf, kdc.conf, Configuration Files, Configuration Files
-@section krb5.conf
-
-The @code{krb5.conf} file contains Kerberos configuration information,
-including the locations of KDCs and admin servers for the Kerberos
-realms of interest, defaults for the current realm and for Kerberos
-applications, and mappings of hostnames onto Kerberos realms. Normally,
-you should install your @code{krb5.conf} file in the directory
-@code{/etc}. You can override the default location by setting the
-environment variable @samp{KRB5_CONFIG}.
-
-The @code{krb5.conf} file is set up in the style of a Windows INI file.
-Sections are headed by the section name, in square brackets. Each
-section may contain zero or more relations, of the form:
-
-@smallexample
-foo = bar
-@end smallexample
-
-@noindent
-or
-
-@smallexample
-@group
-fubar = @{
- foo = bar
- baz = quux
-@}
-@end group
-@end smallexample
-
-The @code{krb5.conf} file may contain any or all of the following seven
-sections:
-
-@table @b
-@itemx libdefaults
-Contains default values used by the Kerberos V5 library.
+@node Supported Encryption Types, Salts, Configuration Files, Configuration Files
+@section Supported Encryption Types
-@itemx appdefaults
-Contains default values used by Kerberos V5 applications.
+@include support-enc.texinfo
-@itemx realms
-Contains subsections keyed by Kerberos realm names. Each subsection
-describes realm-specific information, including where to find the
-Kerberos servers for that realm.
+@node Salts, krb5.conf, Supported Encryption Types, Configuration Files
+@section Salts
-@itemx domain_realm
-Contains relations which map domain names and subdomains onto Kerberos
-realm names. This is used by programs to determine what realm a host
-should be in, given its fully qualified domain name.
+Your Kerberos key is derived from your password. To ensure that people
+who happen to pick the same password do not have the same key, Kerberos
+5 incorporates more information into the key using something called a
+salt. The supported values for salts are as follows.
-@itemx logging
-Contains relations which determine how Kerberos programs are to perform
-logging.
+@include salts.texinfo
-@itemx capaths
-Contains the authentication paths used with direct (nonhierarchical)
-cross-realm authentication. Entries in this section are used by the
-client to determine the intermediate realms which may be used in
-cross-realm authentication. It is also used by the end-service when
-checking the transited field for trusted intermediate realms.
+@node krb5.conf, kdc.conf, Salts, Configuration Files
+@section krb5.conf
-@itemx kdc
-For a KDC, may contain the location of the kdc.conf file.
-@end table
+@include krb5conf.texinfo
@menu
* libdefaults::
@@ -425,39 +381,84 @@ relations:
@table @b
@itemx default_realm
Identifies the default Kerberos realm for the client. Set its value to
-your Kerberos realm.
+your Kerberos realm. If this is not specified and the TXT record
+lookup is enabled (see @ref{Using DNS}), then that information will be
+used to determine the default realm. If this tag is not set in this
+configuration file and there is no DNS information found, then an error
+will be returned.
@itemx default_tgs_enctypes
Identifies the supported list of session key encryption types that
-should be returned by the KDC. The list may be delimited with commas or
-whitespace. Currently, the supported encryption types are
-"des3-hmac-sha1" and
-"des-cbc-crc". Support for other encryption types is planned in the
-future.
+should be returned by the KDC. The list may be delimited with commas
+or whitespace. Kerberos supports many different encryption types, and
+support for more is planned in the future. (see @ref{Supported Encryption
+Types} for a list of the accepted values for this tag). The default
+value is @value{DefaultDefaultTgsEnctypes}.
@itemx default_tkt_enctypes
-Identifies the supported list of session key encryption
-types that should be requested by the client. The format is the same as
-for @emph{default_tkt_enctypes}. Again, the only supported encryption
-types are "des3-hmac-sha1" and "des-cbc-crc".
+Identifies the supported list of session key encryption types that
+should be requested by the client. The format is the same as for
+@emph{default_tkt_enctypes}. The default value for this tag is
+@value{DefaultDefaultTktEnctypes}.
@itemx clockskew
Sets the maximum allowable amount of clockskew in seconds that the
library will tolerate before assuming that a Kerberos message is
-invalid. The default value is 300 seconds, or five minutes.
+invalid. The default value is @value{DefaultClockskew}.
-@itemx checksum_type
-Used for compatability with DCE security servers which do not support
-the default CKSUMTYPE_RSA_MD5 used by this version of Kerberos. A value
-of 1 indicates the default checksum type. Use a value of 2 to use the
-CKSUMTYPE_RSA_MD4 instead. This applies to DCE 1.1 and earlier.
+@itemx kdc_req_checksum_type
+@itemx ap_req_checksum_type
+@itemx safe_checksum_type
+An integer which specifies the type of checksum to use. Used for
+compatability with DCE security servers which do not support the
+default @value{DefaultChecksumType} used by this version of Kerberos.
+The possible values and their meanings are as follows.
+@comment taken from krb5/src/include/krb5.h[in]
+@table @b
+@item 1
+CRC32
+@item 2
+RSA MD4
+@item 3
+RSA MD4 DES
+@item 4
+DES CBC
+@item 7
+RSA MD5
+@item 8
+RSA MD5 DES
+@item 9
+NIST SHA
+@item 12
+HMAC SHA1 DES3
+@item -138
+Microsoft MD5 HMAC checksum type
+@end table
+
+@comment see lib/krb5/ccache/fcc.h
@itemx ccache_type
-Use this parameter on systems which are DCE clients, to specify the type
-of cache to be created by kinit, or when forwarded tickets are received.
-DCE and Kerberos can share the cache, but some versions of DCE do not
-support the default cache as created by this version of Kerberos. Use a
-value of 1 on DCE 1.0.3a systems, and a value of 2 on DCE 1.1 systems.
+Use this parameter on systems which are DCE clients, to specify the
+type of cache to be created by kinit, or when forwarded tickets are
+received. DCE and Kerberos can share the cache, but some versions of
+DCE do not support the default cache as created by this version of
+Kerberos. Use a value of 1 on DCE 1.0.3a systems, and a value of 2 on
+DCE 1.1 systems. The default value is @value{DefaultCcacheTypeMac}
+for Macintosh computers and @value{DefaultCcacheType} for other
+platforms.
+
+@ignore
+@itemx tkt_lifetime
+The default lifetime of a ticket. The default is
+@value{DefaultTktLifetime}. This is currently not supported by the
+code.
+@end ignore
+
+@itemx kdc_timesync
+If this is set to 1 (for true), then client machines will attempt
+to sync their time with the KDC using the timestamps in the tickets.
+The default is @value{DefaultKDCTimesyncMac} for Macintosh computers
+and @value{DefaultKDCTimesync} for all other platforms.
@itemx dns_lookup_kdc
Indicate whether DNS SRV records should be used to locate the KDCs and
@@ -524,6 +525,12 @@ For example:
encrypt = true
autologin = true
@}
+ telnet = @{
+ @value{PRIMARYREALM} = @{
+ forward = false
+ @}
+ @}
+
@end group
@end smallexample
@@ -542,16 +549,27 @@ tags may be specified in the realm's subsection:
@table @b
@itemx kdc
The name of a host running a KDC for that realm. An optional port
-number (separated from the hostname by a colon) may be included.
+number (separated from the hostname by a colon) may be included. For
+your computer to be able to communicate with the KDC for each realm,
+this tag must be given a value in each realm subsection in the
+configuration file, or there must be DNS SRV records specifying the
+KDCs (see @ref{Using DNS}).
@itemx admin_server
Identifies the host where the administration server is running.
-Typically, this is the master Kerberos server.
+Typically, this is the master Kerberos server. This tag must be given
+a value in order to communicate with the kadmin server for the realm.
@itemx application defaults
Application defaults that are specific to a particular realm may be
specified within that realm's tag. Realm-specific application defaults
override the global defaults specified in the [appdefaults] section.
+
+@itemx default_domain
+This tag is used for Kerberos 4 compatibility. Kerberos 4 does not
+require the entire hostname of a server to be in its principal like
+Kerberos 5 does. This tag provides the domain name needed to produce a
+full hostname.
@end table
@node domain_realm, logging, realms (krb5.conf), krb5.conf
@@ -602,6 +620,10 @@ its logging. The relations in this section assign one or more values to
the entity name. Currently, the following entities are used:
@table @b
+
+@itemx kdc
+These entries specify how the KDC is to perform its logging.
+
@itemx admin_server
These entries specify how the administrative server
is to perform its logging.
@@ -768,16 +790,17 @@ Here is an example of a generic @code{krb5.conf} file:
@smallexample
@group
[libdefaults]
- ticket_lifetime = 600
default_realm = @value{PRIMARYREALM}
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
+ dns_lookup_kdc = true
+ dns_lookup_realm = false
[realms]
@value{PRIMARYREALM} = @{
kdc = @value{KDCSERVER}.@value{PRIMARYDOMAIN}
kdc = @value{KDCSLAVE1}.@value{PRIMARYDOMAIN}
- kdc = @value{KDCSLAVE2}.@value{PRIMARYDOMAIN}
+ kdc = @value{KDCSLAVE2}.@value{PRIMARYDOMAIN}:750
admin_server = @value{KDCSERVER}.@value{PRIMARYDOMAIN}
default_domain = @value{PRIMARYDOMAIN}
@}
@@ -803,29 +826,7 @@ Here is an example of a generic @code{krb5.conf} file:
@node kdc.conf, , krb5.conf, Configuration Files
@section kdc.conf
-The @code{kdc.conf} file contains KDC configuration information,
-including defaults used when issuing Kerberos tickets. Normally, you
-should install your @code{kdc.conf} file in the directory
-@code{@value{ROOTDIR}/var/krb5kdc}. You can override the default
-location by setting the environment variable @samp{KRB5_KDC_PROFILE}.
-
-The @code{kdc.conf} file is set up in the same format as the
-@code{krb5.conf} file. (@xref{krb5.conf}.) The @code{kdc.conf} file
-may contain any or all of the following three sections:
-
-@table @b
-@itemx kdcdefaults
-Contains default values for overall behavior of the KDC.
-
-@itemx realms
-Contains subsections keyed by Kerberos realm names. Each subsection
-describes realm-specific information, including where to find the
-Kerberos servers for that realm.
-
-@itemx logging
-Contains relations which determine how Kerberos programs are to perform
-logging.
-@end table
+@include kdcconf.texinfo
@menu
* kdcdefaults::
@@ -840,11 +841,11 @@ The following relation is defined in the [kdcdefaults] section:
@table @b
@itemx kdc_ports
-This relation lists the ports on which the Kerberos server should listen
-by default. This list is a comma separated list of integers. If this
-relation is not specified, the compiled-in default is usually port 88
-(the assigned Kerberos port) and port 750 (the port used by Kerberos
-V4).
+This relation lists the ports on which the Kerberos server should
+listen by default. This list is a comma separated list of integers.
+If this relation is not specified, the compiled-in default is
+@value{DefaultKdcPorts}, the first being the assigned Kerberos port
+and the second which was used by Kerberos V4.
@end table
@node realms (kdc.conf), Sample kdc.conf File, kdcdefaults, kdc.conf
@@ -861,38 +862,41 @@ subsection:
@itemx acl_file
(String.) Location of the access control list (acl) file that kadmin
uses to determine which principals are allowed which permissions on the
-database. The default is @code{@value{ROOTDIR}/var/krb5kdc/kadm5.acl}.
+database. The default is @code{@value{DefaultAclFile}}.
@itemx admin_keytab
(String.) Location of the keytab file that kadmin uses to authenticate
to the database. The default is
-@code{@value{ROOTDIR}/var/krb5kdc/kadm5.keytab}.
+@code{@value{DefaultAdminKeytab}}.
@itemx database_name
(String.) Location of the Kerberos database for this realm. The
-default is @* @code{@value{ROOTDIR}/var/krb5kdc/principal}.
+default is @* @code{@value{DefaultDatabaseName}}.
@itemx default_principal_expiration
(Absolute time string.) Specifies the default expiration date of
-principals created in this realm.
+principals created in this realm. The default value for this tag is
+@value{DefaultDefaultPrincipalExpiration}.
@itemx default_principal_flags
(Flag string.) Specifies the default attributes of principals created
-in this realm.
+in this realm. The default value for this tag is
+@value{DefaultDefaultPrincipalFlags}.
@itemx dict_file
(String.) Location of the dictionary file containing strings that are
-not allowed as passwords. The default is
-@code{@value{ROOTDIR}/var/krb5kdc/kadm5.dict}.
+not allowed as passwords. If none is specified, no dictionary checks
+of passwords will be performed.
@itemx kadmind_port
(Port number.) Specifies the port that the kadmind daemon is to listen
-for this realm. The assigned port for kadmind is 749.
+for this realm. The assigned port for kadmind is
+@value{DefaultKadmindPort}.
@itemx key_stash_file
(String.) Specifies the location where the master key has been stored
(via @code{kdb5_util stash}). The default is
-@code{@value{ROOTDIR}/var/krb5kdc/.k5.@i{REALM}}, where @i{REALM} is the
+@code{@value{DefaultKeyStashFileStub}@i{REALM}}, where @i{REALM} is the
Kerberos realm.
@itemx kdc_ports
@@ -901,33 +905,33 @@ this realm. By default, the value of kdc_ports as specified in the
[kdcdefaults] section is used.
@itemx master_key_name
-(String.) Specifies the name of the master key.
+(String.) Specifies the name of the master key. The default is
+@value{DefaultMasterKeyName}.
@itemx master_key_type
-(Key type string.) Specifies the master key's key type. Either
-"des3-hmac-sha1" or
-"des-cbc-crc" may be used at this time.
+(Key type string.) Specifies the master key's key type. The default
+value for this is @value{DefaultMasterKeyType}. For a list of all
+possible values, see @ref{Supported Encryption Types}.
@itemx max_life
(Delta time string.) Specifes the maximum time period for which a
-ticket may be valid in this realm.
+ticket may be valid in this realm. The default value is
+@value{DefaultMaxLife}.
@itemx max_renewable_life
(Delta time string.) Specifies the maximum time period during which a
-valid ticket may be renewed in this realm.
+valid ticket may be renewed in this realm. The default value is
+@value{DefaultMaxRenewableLife}.
@itemx supported_enctypes
List of key:salt strings. Specifies the default key/salt combinations
of principals for this realm. Any principals created through
-@code{kadmin} will have keys of these types. If you do not yet wish to
-enable triple-DES support, you should set this tag to
-@samp{des-cbc-crc:normal des-cbc-crc:v4}; otherwise, put
-@samp{des3-hmac-sha1:normal} at the beginning of the list.
+@code{kadmin} will have keys of these types. For lists of possible
+values, see @ref{Supported Encryption Types} and @ref{Salts}.
@itemx kdc_supported_enctypes
-List of key:salt strings. Specifies the permitted key/salt combinations
-of principals for this realm. You should set this tag to
-@samp{des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4}.
+Specifies the permitted key/salt combinations of principals for this
+realm. The format is the same as @code{supported_enctypes}
@itemx reject_bad_transit
A boolean value (@code{true}, @code{false}). If set to @code{true}, the
@@ -1097,10 +1101,9 @@ Pass @i{query} directly to @code{kadmin}. This is useful for writing
scripts that pass specific queries to @code{kadmin}.
@item @b{-e} @i{"enctypes ..."}
-@b{(For @code{kadmin.local} only.)}
-Sets the list of cryptosystem and salt types to be used for any new keys
-created. Available types include @samp{des3-cbc-sha1:normal},
-@samp{des-cbc-crc:normal}, and @samp{des-cbc-crc:v4}.
+@b{(For @code{kadmin.local} only.)} Sets the list of cryptosystem and
+salt types to be used for any new keys created. See @ref{Supported
+Encryption Types} and @ref{Salts} for available types.
@end table
@@ -1216,10 +1219,10 @@ Maximum life: 1 day 00:00:00
Maximum renewable life: 7 days 00:00:00
Master key version: 1
Expires: Mon Jan 18 22:14:07 EDT 2038
-Password expires: Mon Sep 19 14:40:00 EDT 1996
-Password last changed: Mon Jan 31 02:06:40 EDT 1996
+Password expires: Mon Sep 19 14:40:00 EDT 2004
+Password last changed: Mon Jan 31 02:06:40 EDT 2004
Last modified: by @value{ADMINUSER}/admin@@@value{PRIMARYREALM}
- on Wed Jul 13 18:27:08 EDT 1996
+ on Wed Jul 13 18:27:08 EDT 2004
Attributes: DISALLOW_FORWARDABLE, DISALLOW_PROXIABLE,
REQUIRES_HW_AUTH
Salt type: DEFAULT
@@ -1373,15 +1376,8 @@ following switches:
@table @b
@item -salt @i{salttype}
-Uses the specified salt for generating the key. The valid salt types
-are:
-
-@itemize @bullet
-@item full_name (aliases ``v5_salt'' and ``normal''; this is the default)
-@item name_only
-@item realm_only
-@item no_salt (alias ``v4_salt'')
-@end itemize
+Uses the specified salt for generating the key. For valid salt types,
+see @ref{Salts}.
@item -clearpolicy
For @code{modify_principal}, removes the current policy from a
@@ -1502,10 +1498,11 @@ prompt for a password (@code{add_principal} only). @value{COMPANY} does
not recommend using this option.
@item -e @i{enc:salt...}
-Uses the specified list of enctype-salttype pairs for setting the key of
-the principal. The quotes are necessary if there are multiple
+Uses the specified list of enctype-salttype pairs for setting the key
+of the principal. The quotes are necessary if there are multiple
enctype-salttype pairs. This will not function against kadmin daemons
-earlier than krb5-1.2.
+earlier than krb5-1.2. See @ref{Supported Encryption Types} and
+@ref{Salts} for available types.
@end table
If you want to just use the default values, all you need to do is:
@@ -1619,10 +1616,11 @@ Sets the password to the string @i{password}. @value{COMPANY} does not
recommend using this option.
@item @b{-e} @i{"enc:salt..."}
-Uses the specified list of enctype-salttype pairs for setting the key of
-the principal. The quotes are necessary if there are multiple
+Uses the specified list of enctype-salttype pairs for setting the key
+of the principal. The quotes are necessary if there are multiple
enctype-salttype pairs. This will not function against kadmin daemons
-earlier than krb5-1.2.
+earlier than krb5-1.2. See @ref{Supported Encryption Types} and
+@ref{Salts} for possible values.
@end table
For example:
@@ -2043,6 +2041,35 @@ It is important that you NOT FORGET this password.}
@end group
@end smallexample
+If you need to destroy the current Kerberos database, use the
+@code{kdb5_util} @code{destroy} command. The syntax is:
+
+@smallexample
+@b{kdb5_util destroy} [@b{-f}]
+@end smallexample
+
+The @code{destroy} command destroys the database, first overwriting the
+disk sectors and then unlinking the files. If you specify the
+@samp{-f} option, @code{kdb5_util} will not prompt you for a
+confirmation before destroying the database.
+
+@smallexample
+@group
+@b{shell%} @value{ROOTDIR}/sbin/kdb5_util -r @value{PRIMARYREALM} destroy
+@iftex
+@b{kdb5_util: Deleting KDC database stored in @value{DefaultDatabaseName}, are you sure
+(type yes to confirm)?} @i{@doubleleftarrow{}yes}
+@end iftex
+@ifinfo
+@b{kdb5_util: Deleting KDC database stored in @value{DefaultDatabaseName}, are you sure
+(type yes to confirm)?} @i{<== yes}
+@end ifinfo
+@b{OK, deleting database '@value{DefaultDatabaseName}'...}
+
+@b{shell%}
+@end group
+@end smallexample
+
@ignore
@c @node The KDC Logs, , Creating and Destroying a Kerberos Database, Administrating Kerberos Database Entries
@c @section The KDC Logs
@@ -2106,11 +2133,12 @@ The @code{ktadd} command takes the following switches:
use @i{keytab} as the keytab file. Otherwise, @code{ktadd} will use the
default keytab file (@code{/etc/krb5.keytab}).
-@item @b{-e} @i{"enc:salt..."}
-Uses the specified list of enctype-salttype pairs for setting the key of
-the principal. The quotes are necessary if there are multiple
+@item @b{-e} @i{"enc:salt..."}
+Uses the specified list of enctype-salttype pairs for setting the key
+of the principal. The quotes are necessary if there are multiple
enctype-salttype pairs. This will not function against kadmin daemons
-earlier than krb5-1.2.
+earlier than krb5-1.2. See @ref{Supported Encryption Types} and
+@ref{Salts} for all possible values.
@item -q
run in quiet mode. This causes @code{ktadd} to display less verbose
diff --git a/doc/build.texinfo b/doc/build.texinfo
index 18e51011a8..671f55089e 100644
--- a/doc/build.texinfo
+++ b/doc/build.texinfo
@@ -35,20 +35,22 @@ link tree for your build tree.
@node Unpacking the Sources, Doing the Build, Build Requirements, Building Kerberos V5
@section Unpacking the Sources
-The first step in each of these build procedures is to unpack the source
-distribution. The Kerberos V5 distribution comes in two compressed tar
-files. The first file, which is generally named
-@file{krb5-@value{RELEASE}.src.tar.gz}, contains the sources for all of Kerberos
-except for the crypto library, which is found in the file
-@file{krb5-@value{RELEASE}.crypto.tar.gz}.
-
-Both files should be unpacked in the same directory, such as
-@file{/u1/krb5-@value{RELEASE}}. (In the rest of this document, we will assume that
-you have chosen to unpack the Kerberos V5 source distribution in this
-directory. Note that the tarfiles will by default all unpack into the
-@file{./krb5-@value{RELEASE}} directory, so that if your current directory is
-@file{/u1} when you unpack the tarfiles, you will get
-@file{/u1/krb5-@value{RELEASE}/src}, etc.)
+The first step in each of these build procedures is to unpack the
+source distribution. The Kerberos V5 distribution comes in a tar file,
+generally named @file{krb5-@value{RELEASE}.tar}, which contains a
+compressed tar file consisting of the sources for all of Kerberos
+(generally @file{krb5-@value{RELEASE}.tar.gz}) and a PGP signature for
+this source tree (generally @file{krb5-@value{RELEASE}.tar.gz.asc}).
+@value{COMPANY} highly recommends that you verify the integrity of the
+source code using this signature.
+
+Unpack the compressed tar file in some directory, such as
+@file{/u1/krb5-@value{RELEASE}}. (In the rest of this document, we
+will assume that you have chosen to unpack the Kerberos V5 source
+distribution in this directory. Note that the tarfiles will by default
+all unpack into the @file{./krb5-@value{RELEASE}} directory, so that if
+your current directory is @file{/u1} when you unpack the tarfiles, you
+will get @file{/u1/krb5-@value{RELEASE}/src}, etc.)
@node Doing the Build, Testing the Build, Unpacking the Sources, Building Kerberos V5
diff --git a/doc/definitions.texinfo b/doc/definitions.texinfo
index 5a5b37cbf1..91058b8cf5 100644
--- a/doc/definitions.texinfo
+++ b/doc/definitions.texinfo
@@ -19,8 +19,8 @@
@set RANDOMUSER johndoe
@set RANDOMUSER1 jennifer
@set RANDOMUSER2 david
-@set RELEASE 1.2
-@set PREVRELEASE 1.1
+@set RELEASE 1.3
+@set PREVRELEASE 1.2
@set INSTALLDIR /usr/@value{LCPRODUCT}
@set PREVINSTALLDIR @value{INSTALLDIR}
@set ROOTDIR /usr/local
@@ -28,3 +28,99 @@
@set SECONDDOMAIN fubar.org
@set SECONDREALM FUBAR.ORG
@set UPDATED @today
+
+@ignore
+The rest of the variables in this file are defaults for tags in the
+configuration files. Each group of defaults come from the same file in
+the code, which is specified in the ignore comment above the group.
+After each variable, there should be a comment specifying the variable
+in the code that holds the default variable, or the line in which the
+default was set.
+@end ignore
+
+@ignore
+the following should be consistent with the variables set in
+krb5/src/lib/krb5/krb/init_ctx.c
+@end ignore
+@set DefaultETypeList des3-cbc-sha1 arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4
+@comment DEFAULT_ETYPE_LIST
+@set DefaultDefaultTgsEnctypes @value{DefaultETypeList}
+@set DefaultDefaultTktEnctypes @value{DefaultETypeList}
+@set DefaultClockskew 300 seconds, or five minutes
+@comment libdefaults, clockskew
+@set DefaultChecksumType RSA MD5
+@comment libdefaults, kdc_req_checksum_type, ap_req_checksum_type, safe_checksum_type
+@set DefaultCcacheType 3
+@comment DEFAULT_CCACHE_TYPE
+@set DefaultCcacheTypeMac 4
+@comment DEFAULT_CCACHE_TYPE
+@set DefaultTktLifetime 10 hours
+@comment libdefaults, tkt_lifetime
+@set DefaultKDCTimesyncMac 1
+@set DefaultKDCTimesync 0
+@comment DEFAULT_KDC_TIMESYNC
+
+@ignore
+the following defaults should be consistent with default variables set
+in krb5/src/include/krb5/stock/osconf.h
+@end ignore
+@set DefaultMasterKeyType des-cbc-crc
+@comment DEFAULT_KDC_ENCTYPE
+@set DefaultKadmindPort 749
+@comment DEFAULT_KADM5_PORT
+@set DefaultAclFile @value{ROOTDIR}/krb5kdc/kadm5.acl
+@comment DEFAULT_KADM5_ACL_FILE
+@set DefaultAdminKeytab @value{ROOTDIR}/krb5kdc/kadm5.keytab
+@comment DEFAULT_KADM5_KEYTAB
+@set DefaultDatabaseName /usr/local/var/krb5kdc/principal
+@comment DEFAULT_KDB_FILE (@LOCALSTATEDIR is /usr/local/var)
+@set DefaultKdcPorts 88,750
+@comment DEFAULT_KDC_PORTLIST
+@set DefaultKpasswdPort 464
+@comment DEFAULT_KPASSWD_PORT
+@set DefaultSecPort 750
+@comment KRB5_DEFAULT_SEC_PORT
+@set DefaultPort 88
+@comment KRB5_DEFAULT_PORT
+@set DefaultKeyStashFileStub /usr/local/var/krb5kdc/.k5.
+@comment DEFAULT_KEYFILE_STUB
+
+@ignore
+the following defaults should be consistent with the numbers set in
+krb5/src/lib/kadm5/alt_prof.c
+@end ignore
+@set DefaultMaxLife 10 hours
+@comment line 608
+@set DefaultMaxRenewableLife 0
+@comment line 622
+@set DefaultDefaultPrincipalExpiration 0
+@comment line 639
+
+@ignore
+the following defaults should be consistent with the values set in
+krb5/src/include/krb5/kdb.h
+@end ignore
+@set DefaultDefaultPrincipalFlags no flags set
+@comment KRB5_KDB_DEF_FLAGS set to 0
+
+@ignore
+in krb5/src/include/k5-int.h, the values KRB5_KDB_MAX_LIFE,
+KRB5_KDB_MAX_RLIFE, and KRB5_KDB_EXPIRATION are set to one day, one week,
+and Thursday Jan 1 2038, respectively
+@end ignore
+
+@ignore
+the following defaults should be consistent with the values set in
+include/krb5/kdb.h
+@end ignore
+@set DefaultMasterKeyName K/M
+@comment KRB5_KDB_M_NAME
+
+@ignore
+krb5/src/lib/krb5/krb/init_ctx.c, line 195 has libdefault
+kdc_default_options (KDC_OPT_RENEWABLE_OKAY)
+@end ignore
+
+@comment this should be verified in the code
+@set DefaultDNSLookupKDC true
+@set DefaultDNSLookupRealm false
diff --git a/doc/dnstxt.texinfo b/doc/dnstxt.texinfo
index 535ac44381..e06d220cf9 100644
--- a/doc/dnstxt.texinfo
+++ b/doc/dnstxt.texinfo
@@ -8,15 +8,15 @@ hostname-by-hostname basis. Since greater specificity takes precedence,
you would do this by specifying the mappings for a given domain or
subdomain and listing the exceptions.
-The second mechanism, recently introduced into the MIT code base but not
-currently used by default, works by looking up the information in
-special @code{TXT} records in the Domain Name Service. If this
-mechanism is enabled on the client, it will try to look up a @code{TXT}
-record for the DNS name formed by putting the prefix @code{_kerberos} in
-front of the hostname in question. If that record is not found, it will
-try using @code{_kerberos} and the host's domain name, then its parent
-domain, and so forth. So for the hostname
-BOSTON.ENGINEERING.FOOBAR.COM, the names looked up would be:
+The second mechanism works by looking up the information in special
+@code{TXT} records in the Domain Name Service. This is currently not
+used by default because security holes could result if the DNS TXT
+records were spoofed. If this mechanism is enabled on the client,
+it will try to look up a @code{TXT} record for the DNS name formed by
+putting the prefix @code{_kerberos} in front of the hostname in question.
+If that record is not found, it will try using @code{_kerberos} and the
+host's domain name, then its parent domain, and so forth. So for the
+hostname BOSTON.ENGINEERING.FOOBAR.COM, the names looked up would be:
@smallexample
_kerberos.boston.engineering.foobar.com
diff --git a/doc/install.texinfo b/doc/install.texinfo
index 9dfd27958a..9aa6654bc0 100644
--- a/doc/install.texinfo
+++ b/doc/install.texinfo
@@ -42,6 +42,8 @@
This file documents how to install the @value{RELEASE} release of
@value{PRODUCT}.
+@end ifinfo
+
@c The master menu is updated using emacs19's M-x texinfo-all-menus-update
@c function. Don't forget to run M-x texinfo-every-node-update after
@c you add a new section or subsection, or after you've rearranged the
@@ -66,15 +68,12 @@ This file documents how to install the @value{RELEASE} release of
* Installing Kerberos V5::
* Upgrading Existing Kerberos V5 Installations::
* Bug Reports for Kerberos V5::
-* Files::
@end menu
@node Copyright, Introduction, Top, Top
@unnumbered Copyright
@include copyright.texinfo
-@end ifinfo
-
@node Introduction, Realm Configuration Decisions, Copyright, Top
@chapter Introduction
@@ -367,6 +366,8 @@ first few steps must be done on the master KDC.
@menu
* Edit the Configuration Files::
+* krb5.conf::
+* kdc.conf::
* Create the Database::
* Add Administrators to the Acl File::
* Add Administrators to the Kerberos Database::
@@ -374,21 +375,51 @@ first few steps must be done on the master KDC.
* Start the Kerberos Daemons::
@end menu
-@node Edit the Configuration Files, Create the Database, Install the Master KDC, Install the Master KDC
+@node Edit the Configuration Files, krb5.conf, Install the Master KDC, Install the Master KDC
@subsubsection Edit the Configuration Files
-Modify the configuration files, @code{/etc/krb5.conf}
-(@pxref{krb5.conf}) and @code{@value{ROOTDIR}/var/krb5kdc/kdc.conf}
-(@pxref{kdc.conf}) to reflect the correct information (such as the
-hostnames and realm name) for your realm. @value{COMPANY} recommends
-that you keep @code{krb5.conf} in @code{/etc}.
-
-Among the settings in your @code{/etc/krb5.conf} file, be sure to create
-a @code{[logging]} stanza so that the KDC and kadmind will generate
-logging output. For example:
+Modify the configuration files, @code{/etc/krb5.conf} and
+@code{@value{ROOTDIR}/var/krb5kdc/kdc.conf} to reflect the correct
+information (such as the hostnames and realm name) for your realm.
+@value{COMPANY} recommends that you keep @code{krb5.conf} in @code{/etc}.
+
+Most of the tags in the configuration have default values that will
+work well for most sites. There are some tags in the @code{krb5.conf}
+file whose values must be specified, and this section will explain
+those as well as give an overview of all of the sections in both
+configuration files. For more information on changing defaults with
+the configuration files, see the @value{PRODUCT} System Administrator's
+Guide sections on configuration files.
+
+@node krb5.conf, kdc.conf, Edit the Configuration Files, Install the Master KDC
+@subsubsection krb5.conf
+
+@include krb5conf.texinfo
+
+If you are not using DNS TXT records, you must specify the
+@code{default_realm} in the @code{libdefaults} section. If you are not
+using DNS SRV records, you must include the @code{kdc} tag for each
+realm in the @code{realms} section. To communicate with the kadmin
+server in each realm, the @code{admin_server} tag must be set in the
+@code{realms} section. If your domain name and realm name are not the
+same, you must provide a translation in @code{domain_realm}. It is
+also higly recommeneded that you create a @code{[logging]} stanza if
+the computer will be functioning as a KDC so that the KDC and kadmind
+will generate logging output.
+
+An example @code{krb5.conf} file:
@smallexample
@group
+[libdefaults]
+ default_realm = @value{PRIMARYREALM}
+
+[realms]
+ kdc = @value{KDCSERVER}.@value{PRIMARYDOMAIN}
+ kdc = @value{KDCSLAVE1}.@value{PRIMARYDOMAIN}
+ kdc = @value{KDCSLAVE2}.@value{PRIMARYDOMAIN}
+ admin_server = @value{KDCSERVER}.@value{PRIMARYDOMAIN}
+
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
@@ -396,7 +427,12 @@ logging output. For example:
@end group
@end smallexample
-@node Create the Database, Add Administrators to the Acl File, Edit the Configuration Files, Install the Master KDC
+@node kdc.conf, Create the Database, krb5.conf, Install the Master KDC
+@subsubsection kdc.conf
+
+@include kdcconf.texinfo
+
+@node Create the Database, Add Administrators to the Acl File, kdc.conf, Install the Master KDC
@subsubsection Create the Database
You will use the @code{kdb5_util} command @emph{on the Master KDC} to
@@ -1439,120 +1475,10 @@ your application servers, and then change the default to include
triple-DES. We recommend that you always include @code{des-cbc-crc} in
the default list.
-@node Bug Reports for Kerberos V5, Files, Upgrading Existing Kerberos V5 Installations, Top
+@node Bug Reports for Kerberos V5, , Upgrading Existing Kerberos V5 Installations, Top
@chapter Bug Reports for @value{PRODUCT}
@include send-pr.texinfo
-@node Files, , Bug Reports for Kerberos V5, Top
-@appendix Files
-
-@menu
-* krb5.conf::
-* kdc.conf::
-@end menu
-
-@node krb5.conf, kdc.conf, Files, Files
-@appendixsec krb5.conf
-
-Here is an example @code{krb5.conf} file:
-
-@smallexample
-@group
-[libdefaults]
- ticket_lifetime = 600
- default_realm = @value{PRIMARYREALM}
- default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
- default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
-
-[realms]
- @value{PRIMARYREALM} = @{
- kdc = @value{KDCSERVER}.@value{PRIMARYDOMAIN}:88
- kdc = @value{KDCSLAVE1}.@value{PRIMARYDOMAIN}:88
- kdc = @value{KDCSLAVE2}.@value{PRIMARYDOMAIN}:88
- admin_server = @value{KDCSERVER}.@value{PRIMARYDOMAIN}:749
- default_domain = @value{PRIMARYDOMAIN}
- @}
-
-[domain_realm]
- .@value{PRIMARYDOMAIN} = @value{PRIMARYREALM}
- @value{PRIMARYDOMAIN} = @value{PRIMARYREALM}
-@end group
-@end smallexample
-
-For the KDCs, add a section onto the end of the @code{krb5.conf} file
-telling how logging information should be stored, as in the following
-example:
-
-@smallexample
-@group
-[logging]
- kdc = FILE:/var/log/krb5kdc.log
- admin_server = FILE:/var/log/kadmin.log
- default = FILE:/var/log/krb5lib.log
-@end group
-@end smallexample
-
-@iftex
-@vfill
-@end iftex
-@page
-
-@node kdc.conf, , krb5.conf, Files
-@appendixsec kdc.conf
-
-Here's an example of a kdc.conf file:
-
-@smallexample
-@group
-[kdcdefaults]
- kdc_ports = 88,750
-
-[realms]
- @value{PRIMARYREALM} = @{
- database_name = @value{ROOTDIR}/var/krb5kdc/principal
- admin_keytab = @value{ROOTDIR}/var/krb5kdc/kadm5.keytab
- acl_file = @value{ROOTDIR}/var/krb5kdc/kadm5.acl
- dict_file = @value{ROOTDIR}/var/krb5kdc/kadm5.dict
- key_stash_file = @value{ROOTDIR}/var/krb5kdc/.k5.@value{PRIMARYREALM}
- kadmind_port = 749
- max_life = 10h 0m 0s
- max_renewable_life = 7d 0h 0m 0s
- master_key_type = des3-hmac-sha1
- supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal
- @}
-@end group
-@end smallexample
-
-To add Kerberos V4 support, add @code{des-cbc-crc:v4} to the
-@code{supported_enctypes} line.
-
-@menu
-* Encryption Types and Salt Types::
-@end menu
-
-@node Encryption Types and Salt Types, , kdc.conf, kdc.conf
-@appendixsubsec Encryption Types and Salt Types
-
-Currently, @value{PRODUCT} supports only DES and triple-DES encryption.
-The encoding types include
-@code{des-cbc-crc} and @code{des3-cbc-sha1}. The @dfn{salt} is
-additional information encoded within the key that tells what kind of
-key it is. The only salts that you will be likely to encounter are:
-
-@itemize @bullet
-@item @dfn{normal}, which @value{COMPANY} recommends using for all of
-your @value{PRODUCT} keys
-
-@item @dfn{v4}, which is necessary only for compatibility with a v4 KDC
-or a v4 version of @code{kinit}, and then only with @code{des-cbc-crc}
-encryption
-
-@item @dfn{afs}, which you will never need to generate, and which you will
-encounter only if you dump an AFS database into a Kerberos database
-@end itemize
-
-Support for additional encryption types is planned in the future.
-
@contents
@bye
diff --git a/doc/kdcconf.texinfo b/doc/kdcconf.texinfo
new file mode 100644
index 0000000000..8ff1f35709
--- /dev/null
+++ b/doc/kdcconf.texinfo
@@ -0,0 +1,24 @@
+The @code{kdc.conf} file contains KDC configuration information,
+including defaults used when issuing Kerberos tickets. Normally, you
+should install your @code{kdc.conf} file in the directory
+@code{@value{ROOTDIR}/var/krb5kdc}. You can override the default
+location by setting the environment variable @samp{KRB5_KDC_PROFILE}.
+
+The @code{kdc.conf} file is set up in the same format as the
+@code{krb5.conf} file. (@xref{krb5.conf}.) The @code{kdc.conf} file
+may contain any or all of the following three sections:
+
+@table @b
+@itemx kdcdefaults
+Contains default values for overall behavior of the KDC.
+
+@itemx realms
+Contains subsections keyed by Kerberos realm names. Each subsection
+describes realm-specific information, including where to find the
+Kerberos servers for that realm.
+
+@itemx logging
+Contains relations which determine how Kerberos programs are to perform
+logging.
+@end table
+
diff --git a/doc/krb425.texinfo b/doc/krb425.texinfo
index 12572e5cbe..447383514d 100644
--- a/doc/krb425.texinfo
+++ b/doc/krb425.texinfo
@@ -38,6 +38,7 @@
@ifinfo
This document describes how to convert to @value{PRODUCT} from Kerberos V4.
+@end ifinfo
@menu
* Copyright::
@@ -53,8 +54,6 @@ This document describes how to convert to @value{PRODUCT} from Kerberos V4.
@unnumbered Copyright
@include copyright.texinfo
-@end ifinfo
-
@node Introduction, Configuration Files, Copyright, Top
@chapter Introduction
diff --git a/doc/krb5conf.texinfo b/doc/krb5conf.texinfo
new file mode 100644
index 0000000000..a712ee583f
--- /dev/null
+++ b/doc/krb5conf.texinfo
@@ -0,0 +1,63 @@
+The @code{krb5.conf} file contains Kerberos configuration information,
+including the locations of KDCs and admin servers for the Kerberos
+realms of interest, defaults for the current realm and for Kerberos
+applications, and mappings of hostnames onto Kerberos realms. Normally,
+you should install your @code{krb5.conf} file in the directory
+@code{/etc}. You can override the default location by setting the
+environment variable @samp{KRB5_CONFIG}.
+
+The @code{krb5.conf} file is set up in the style of a Windows INI file.
+Sections are headed by the section name, in square brackets. Each
+section may contain zero or more relations, of the form:
+
+@smallexample
+foo = bar
+@end smallexample
+
+@noindent
+or
+
+@smallexample
+@group
+fubar = @{
+ foo = bar
+ baz = quux
+@}
+@end group
+@end smallexample
+
+The @code{krb5.conf} file may contain any or all of the following seven
+sections:
+
+@table @b
+@itemx libdefaults
+Contains default values used by the Kerberos V5 library.
+
+@itemx appdefaults
+Contains default values used by Kerberos V5 applications.
+
+@itemx realms
+Contains subsections keyed by Kerberos realm names. Each subsection
+describes realm-specific information, including where to find the
+Kerberos servers for that realm.
+
+@itemx domain_realm
+Contains relations which map domain names and subdomains onto Kerberos
+realm names. This is used by programs to determine what realm a host
+should be in, given its fully qualified domain name.
+
+@itemx logging
+Contains relations which determine how Kerberos programs are to perform
+logging.
+
+@itemx capaths
+Contains the authentication paths used with direct (nonhierarchical)
+cross-realm authentication. Entries in this section are used by the
+client to determine the intermediate realms which may be used in
+cross-realm authentication. It is also used by the end-service when
+checking the transited field for trusted intermediate realms.
+
+@itemx kdc
+For a KDC, may contain the location of the kdc.conf file.
+@end table
+
diff --git a/doc/man2html b/doc/man2html
new file mode 100644
index 0000000000..ea45686b89
--- /dev/null
+++ b/doc/man2html
@@ -0,0 +1,608 @@
+#!/usr/athena/bin/perl
+#!/usr/local/bin/perl
+##---------------------------------------------------------------------------##
+## File:
+## @(#) man2html 1.2 97/08/12 12:57:30 @(#)
+## Author:
+## Earl Hood, ehood@medusa.acs.uci.edu
+## Description:
+## man2html is a Perl program to convert formatted nroff output
+## to HTML.
+##
+## Recommend command-line options based on platform:
+##
+## Platform Options
+## ---------------------------------------------------------------------
+## c2mp <None, the defaults should be okay>
+## hp9000s700/800 -leftm 1 -topm 8
+## sun4 -sun
+## ---------------------------------------------------------------------
+##
+##---------------------------------------------------------------------------##
+## Copyright (C) 1995-1997 Earl Hood, ehood@medusa.acs.uci.edu
+##
+## This program is free software; you can redistribute it and/or modify
+## it under the terms of the GNU General Public License as published by
+## the Free Software Foundation; either version 2 of the License, or
+## (at your option) any later version.
+##
+## This program is distributed in the hope that it will be useful,
+## but WITHOUT ANY WARRANTY; without even the implied warranty of
+## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+## GNU General Public License for more details.
+##
+## You should have received a copy of the GNU General Public License
+## along with this program; if not, write to the Free Software
+## Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+## 02111-1307, USA
+##---------------------------------------------------------------------------##
+
+package Man2Html;
+
+use Getopt::Long;
+
+($PROG = $0) =~ s/.*\///;
+$VERSION = "3.0.1";
+
+## Input and outputs filehandles
+$InFH = \*STDIN unless $InFH;
+$OutFH = \*STDOUT unless $OutFH;
+
+## Backspace character: Used in overstriking detection
+*bs = \"\b";
+
+## Hash of section titles and their HTML tag wrapper.
+## This list allows customization of what HTML tag is used for
+## a given section head.
+##
+## The section title can be a regular expression. Therefore, one must
+## be careful about quoting special characters.
+##
+%SectionHead = (
+
+ '\S.*OPTIONS.*' => '<H2>',
+ 'AUTHORS?' => '<H2>',
+ 'BUGS' => '<H2>',
+ 'COMPATIBILITY' => '<H2>',
+ 'DEPENDENCIES' => '<H2>',
+ 'DESCRIPTION' => '<H2>',
+ 'DIAGNOSTICS' => '<H2>',
+ 'ENVIRONMENT' => '<H2>',
+ 'ERRORS' => '<H2>',
+ 'EXAMPLES' => '<H2>',
+ 'EXTERNAL INFLUENCES' => '<H2>',
+ 'FILES' => '<H2>',
+ 'LIMITATIONS' => '<H2>',
+ 'NAME' => '<H2>',
+ 'NOTES?' => '<H2>',
+ 'OPTIONS' => '<H2>',
+ 'REFERENCES' => '<H2>',
+ 'RETURN VALUE' => '<H2>',
+ 'SECTION.*:' => '<H2>',
+ 'SEE ALSO' => '<H2>',
+ 'STANDARDS CONFORMANCE' => '<H2>',
+ 'STYLE CONVENTION' => '<H2>',
+ 'SYNOPSIS' => '<H2>',
+ 'SYNTAX' => '<H2>',
+ 'WARNINGS' => '<H2>',
+ '\s+Section.*:' => '<H3>',
+
+);
+
+## Fallback tag if above is not found
+$HeadFallback = '<H2>';
+
+## Other gobals
+
+$Bare = 0; # Skip printing HTML head/foot flag
+$BTag = 'B'; # Overstrike tag
+$CgiUrl = ''; # CGI URL expression
+$Compress = 0; # Do blank line compression flag
+$K = 0; # Do keyword search processing flag
+$NoDepage = 0; # Do not strip page information
+$NoHeads = 0; # Do no header detection flag
+$SeeAlso = 0; # Do only SEE ALSO xrefs flag
+$Solaris = 0; # Solaris keyword search processing flag
+$Sun = 0; # Headers not overstriken flag
+$Title = ''; # Title
+$UTag = 'I'; # Underline tag
+$ftsz = 7; # Bottome margin size
+$hdsz = 7; # Top margin size
+$leftm = ''; # Left margin pad
+$leftmsz = 0; # Left margin size
+$pgsz = 66; # Size of page size
+$txsz = 52; # Text body length size
+
+#############################################################################
+## Main Block
+#############################################################################
+{
+ if (get_cli_opts()) {
+ if ($K) {
+ man_k();
+ } else {
+ do_it();
+ }
+ } else {
+ usage();
+ }
+}
+
+#############################################################################
+## Subroutines
+#############################################################################
+
+sub do_it {
+
+ ## Define while loop and then eval it when used. The reason
+ ## is to avoid the regular expression reevaulation in the
+ ## section head detection code.
+
+ $doitcode =<<'EndOfDoItCode';
+
+ my($line, $tmp, $i, $head, $preindent, $see_also, $do);
+
+ $see_also = !$SeeAlso;
+ print $OutFH "<!-- Manpage converted by man2html $VERSION -->\n";
+ LOOP: while(!eof($InFH)) {
+ $blank = 0;
+ for ($i=0; $i < $hdsz; $i++) {
+ last LOOP unless defined($_ = <$InFH>);
+ }
+ for ($i=0; $i < $txsz; $i++) {
+ last LOOP unless defined($_ = <$InFH>);
+
+ ## Check if compress consecutive blank lines
+ if ($Compress and !/\S/) {
+ if ($blank) { next; } else { $blank = 1; }
+ } else {
+ $blank = 0;
+ }
+
+ ## Try to check if line space is needed at page boundaries ##
+ if (!$NoDepage && ($i==0 || $i==($txsz-1)) && !/^\s*$/) {
+ /^(\s*)/; $tmp = length($1);
+ if ($do) {
+ if ($tmp < $preindent) { print $OutFH "\n"; }
+ } else {
+ $do = 1;
+ }
+ $preindent = $tmp;
+ } else {
+ $do = 0; $preindent = 0;
+ }
+
+ ## Interpret line
+ $line = $_;
+ entitize(\$_); # Convert [$<>] to entity references
+
+ ## Check for 'SEE ALSO' link only
+ if (!$see_also && $CgiUrl && $SeeAlso) {
+ ($tmp = $line) =~ s/.\010//go;
+ if ($tmp =~ /^\s*SEE\s+ALSO\s*$/o) { $see_also = 1; }
+ else { $see_also = 0; }
+ }
+
+ ## Create anchor links for manpage references
+ s/((((.\010)+)?[\+_\.\w-])+\(((.\010)+)?
+ \d((.\010)+)?\w?\))
+ /make_xref($1)
+ /geox if $see_also;
+
+ ## Emphasize underlined words
+ # s/((_\010[^_])+[\.\(\)_]?(_\010[^_])+\)?)/emphasize($1)/oge;
+ # s/((_\010[^_])+([\.\(\)_]?(_\010[^_])+)?)/emphasize($1)/oge;
+ #
+ # The previous expressions were trying to be clever about
+ # detecting underlined text which contain non-alphanumeric
+ # characters. nroff will not underline non-alphanumeric
+ # characters in an underlined phrase, and the above was trying
+ # to detect that. It does not work all the time, and it
+ # screws up other text, so a simplified expression is used.
+
+ s/((_\010[^_])+)/emphasize($1)/oge;
+
+ $secth = 0;
+ ## Check for strong text and headings
+ if ($Sun || /.\010./o) {
+ if (!$NoHeads) {
+ $line =~ s/.\010//go;
+ $tmp = $HeadFallback;
+EndOfDoItCode
+
+ ## Create switch statement for detecting a heading
+ ##
+ $doitcode .= "HEADSW: {\n";
+ foreach $head (keys %SectionHead) {
+ $doitcode .= join("", "\$tmp = '$SectionHead{$head}', ",
+ "\$secth = 1, last HEADSW ",
+ "if \$line =~ /^$leftm$head/o;\n");
+ }
+ $doitcode .= "}\n";
+
+ ## Rest of routine
+ ##
+ $doitcode .=<<'EndOfDoItCode';
+ if ($secth || $line =~ /^$leftm\S/o) {
+ chop $line;
+ $_ = $tmp . $line . $tmp;
+ s%<([^>]*)>$%</$1>%;
+ $_ = "\n</PRE>\n" . $_ . "<PRE>\n";
+ } else {
+ s/(((.\010)+.)+)/strongize($1)/oge;
+ }
+ } else {
+ s/(((.\010)+.)+)/strongize($1)/oge;
+ }
+ }
+ print $OutFH $_;
+ }
+
+ for ($i=0; $i < $ftsz; $i++) {
+ last LOOP unless defined($_ = <$InFH>);
+ }
+ }
+EndOfDoItCode
+
+
+ ## Perform processing.
+
+ printhead() unless $Bare;
+ print $OutFH "<PRE>\n";
+ eval $doitcode; # $doitcode defined above
+ print $OutFH "</PRE>\n";
+ printtail() unless $Bare;
+}
+
+##---------------------------------------------------------------------------
+##
+sub get_cli_opts {
+ return 0 unless
+ GetOptions(
+ "bare", # Leave out HTML, HEAD, BODY tags.
+ "belem=s", # HTML Element for overstriked text (def: "B")
+ "botm=i", # Number of lines for bottom margin (def: 7)
+ "cgiurl=s", # CGI URL for linking to other manpages
+ "cgiurlexp=s", # CGI URL Perl expr for linking to other manpages
+ "compress", # Compress consecutive blank lines
+ "headmap=s", # Filename of user section head map file
+ "k", # Process input from 'man -k' output.
+ "leftm=i", # Character width of left margin (def: 0)
+ "nodepage", # Do not remove pagination lines
+ "noheads", # Do not detect for section heads
+ "pgsize=i", # Number of lines in a page (def: 66)
+ "seealso", # Link to other manpages only in the SEE ALSO section
+ "solaris", # Parse 'man -k' output from a solaris system
+ "sun", # Section heads are not overstriked in input
+ "title=s", # Title of manpage (def: Not defined)
+ "topm=i", # Number of lines for top margin (def: 7)
+ "uelem=s", # HTML Element for underlined text (def: "I")
+
+ "help" # Short usage message
+ );
+ return 0 if defined($opt_help);
+
+ $pgsz = $opt_pgsize || $pgsz;
+ if (defined($opt_nodepage)) {
+ $hdsz = 0;
+ $ftsz = 0;
+ } else {
+ $hdsz = $opt_topm if defined($opt_topm);
+ $ftsz = $opt_botm if defined($opt_botm);
+ }
+ $txsz = $pgsz - ($hdsz + $ftsz);
+ $leftmsz = $opt_leftm if defined($opt_leftm);
+ $leftm = ' ' x $leftmsz;
+
+ $Bare = defined($opt_bare);
+ $Compress = defined($opt_compress);
+ $K = defined($opt_k);
+ $NoDepage = defined($opt_nodepage);
+ $NoHeads = defined($opt_noheads);
+ $SeeAlso = defined($opt_seealso);
+ $Solaris = defined($opt_solaris);
+ $Sun = defined($opt_sun);
+
+ $Title = $opt_title || $Title;
+ $CgiUrl = $opt_cgiurlexp ||
+ ($opt_cgiurl ? qq{return "$opt_cgiurl"} : '');
+
+ $BTag = $opt_belem || $BTag;
+ $UTag = $opt_uelem || $UTag;
+ $BTag =~ s/[<>]//g;
+ $UTag =~ s/[<>]//g;
+
+ if (defined($opt_headmap)) {
+ require $opt_headmap or warn "Unable to read $opt_headmap\n";
+ }
+ 1;
+}
+
+##---------------------------------------------------------------------------
+sub printhead {
+ print $OutFH "<HTML>\n";
+ print $OutFH "<HEAD>\n",
+ "<TITLE>$Title</TITLE>\n",
+ "</HEAD>\n" if $Title;
+ print $OutFH "<BODY>\n";
+ print $OutFH "<H1>$Title</H1>\n",
+ "<HR>\n" if $Title;
+}
+
+##---------------------------------------------------------------------------
+sub printtail {
+ print $OutFH <<EndOfRef;
+<HR>
+<ADDRESS>
+Man(1) output converted with
+<a href="http://www.oac.uci.edu/indiv/ehood/man2html.html">man2html</a>
+</ADDRESS>
+</BODY>
+</HTML>
+EndOfRef
+}
+
+##---------------------------------------------------------------------------
+sub emphasize {
+ my($txt) = shift;
+ $txt =~ s/.\010//go;
+ $txt = "<$UTag>$txt</$UTag>";
+ $txt;
+}
+
+##---------------------------------------------------------------------------
+sub strongize {
+ my($txt) = shift;
+ $txt =~ s/.\010//go;
+ $txt = "<$BTag>$txt</$BTag>";
+ $txt;
+}
+
+##---------------------------------------------------------------------------
+sub entitize {
+ my($txt) = shift;
+
+ ## Check for special characters in overstrike text ##
+ $$txt =~ s/_\010\&/strike('_', '&')/geo;
+ $$txt =~ s/_\010</strike('_', '<')/geo;
+ $$txt =~ s/_\010>/strike('_', '>')/geo;
+
+ $$txt =~ s/(\&\010)+\&/strike('&', '&')/geo;
+ $$txt =~ s/(<\010)+</strike('<', '<')/geo;
+ $$txt =~ s/(>\010)+>/strike('>', '>')/geo;
+
+ ## Check for special characters in regular text. Must be careful
+ ## to check before/after character in expression because it might be
+ ## a special character.
+ $$txt =~ s/([^\010]\&[^\010])/htmlize2($1)/geo;
+ $$txt =~ s/([^\010]<[^\010])/htmlize2($1)/geo;
+ $$txt =~ s/([^\010]>[^\010])/htmlize2($1)/geo;
+}
+
+##---------------------------------------------------------------------------
+## escape special characters in a string, in-place
+##
+sub htmlize {
+ my($str) = shift;
+ $$str =~ s/&/\&amp;/g;
+ $$str =~ s/</\&lt;/g;
+ $$str =~ s/>/\&gt;/g;
+ $$str;
+}
+
+##---------------------------------------------------------------------------
+## htmlize2() is used by entitize.
+##
+sub htmlize2 {
+ my($str) = shift;
+ $str =~ s/&/\&amp;/g;
+ $str =~ s/</\&lt;/g;
+ $str =~ s/>/\&gt;/g;
+ $str;
+}
+
+##---------------------------------------------------------------------------
+## strike converts HTML special characters in overstriked text
+## into entity references. The entities are overstriked so
+## strongize() and emphasize() will recognize the entity to be
+## wrapped in tags.
+##
+sub strike {
+ my($w, $char) = @_;
+ my($ret);
+ if ($w eq '_') {
+ if ($char eq '&') {
+ $ret = "_$bs\&_${bs}a_${bs}m_${bs}p_${bs};";
+ } elsif ($char eq '<') {
+ $ret = "_$bs\&_${bs}l_${bs}t_${bs};";
+ } elsif ($char eq '>') {
+ $ret = "_$bs\&_${bs}g_${bs}t_${bs};";
+ } else {
+ warn qq|Unrecognized character, "$char", passed to strike()\n|;
+ }
+ } else {
+ if ($char eq '&') {
+ $ret = "\&$bs\&a${bs}am${bs}mp${bs}p;${bs};";
+ } elsif ($char eq '<') {
+ $ret = "\&$bs\&l${bs}lt${bs}t;${bs};";
+ } elsif ($char eq '>') {
+ $ret = "\&$bs\&g${bs}gt${bs}t;${bs};";
+ } else {
+ warn qq|Unrecognized character, "$char", passed to strike()\n|;
+ }
+ }
+ $ret;
+}
+
+##---------------------------------------------------------------------------
+## make_xref() converts a manpage crossreference into a hyperlink.
+##
+sub make_xref {
+ my $str = shift;
+ $str =~ s/.\010//go; # Remove overstriking
+
+ if ($CgiUrl) {
+ my($title,$section,$subsection) =
+ ($str =~ /([\+_\.\w-]+)\((\d)(\w?)\)/);
+
+ $title =~ s/\+/%2B/g;
+ my($href) = (eval $CgiUrl);
+ qq|<B><A HREF="$href">$str</A></B>|;
+ } else {
+ qq|<B>$str</B>|;
+ }
+}
+
+##---------------------------------------------------------------------------
+## man_k() process a keyword search. The problem we have is there
+## is no standard for keyword search results from man. Solaris
+## systems have a different enough format to warrent dealing
+## with it as a special case. For other cases, we try our best.
+## Unfortunately, there are some lines of results that may be
+## skipped.
+##
+sub man_k {
+ my($line,$refs,$section,$subsection,$desc,$i,
+ %Sec1, %Sec1sub, %Sec2, %Sec2sub, %Sec3, %Sec3sub,
+ %Sec4, %Sec4sub, %Sec5, %Sec5sub, %Sec6, %Sec6sub,
+ %Sec7, %Sec7sub, %Sec8, %Sec8sub, %Sec9, %Sec9sub,
+ %SecN, %SecNsub, %SecNsec);
+
+ printhead() unless $Bare;
+ print $OutFH "<!-- Man keyword results converted by ",
+ "man2html $VERSION -->\n";
+
+ while ($line = <$InFH>) {
+ next if $line !~ /\(\d\w?\)\s+-\s/; # check if line can be handled
+ ($refs,$section,$subsection,$desc) =
+ $line =~ /^\s*(.*)\((\d)(\w?)\)\s*-\s*(.*)$/;
+
+ if ($Solaris) {
+ $refs =~ s/^\s*([\+_\.\w-]+)\s+([\+_\.\w-]+)\s*$/$1/;
+ # <topic> <manpage>
+ } else {
+ $refs =~ s/\s(and|or)\s/,/gi; # Convert and/or to commas
+ $refs =~ s/^[^:\s]:\s*//; # Remove prefixed whatis path
+ }
+ $refs =~ s/\s//g; # Remove all whitespace
+ $refs =~ s/,/, /g; # Put space after comma
+ htmlize(\$desc); # Check for special chars in desc
+ $desc =~ s/^(.)/\U$1/; # Uppercase first letter in desc
+
+ if ($section eq '1') {
+ $Sec1{$refs} = $desc; $Sec1sub{$refs} = $subsection;
+ } elsif ($section eq '2') {
+ $Sec2{$refs} = $desc; $Sec2sub{$refs} = $subsection;
+ } elsif ($section eq '3') {
+ $Sec3{$refs} = $desc; $Sec3sub{$refs} = $subsection;
+ } elsif ($section eq '4') {
+ $Sec4{$refs} = $desc; $Sec4sub{$refs} = $subsection;
+ } elsif ($section eq '5') {
+ $Sec5{$refs} = $desc; $Sec5sub{$refs} = $subsection;
+ } elsif ($section eq '6') {
+ $Sec6{$refs} = $desc; $Sec6sub{$refs} = $subsection;
+ } elsif ($section eq '7') {
+ $Sec7{$refs} = $desc; $Sec7sub{$refs} = $subsection;
+ } elsif ($section eq '8') {
+ $Sec8{$refs} = $desc; $Sec8sub{$refs} = $subsection;
+ } elsif ($section eq '9') {
+ $Sec9{$refs} = $desc; $Sec9sub{$refs} = $subsection;
+ } else { # Catch all
+ $SecN{$refs} = $desc; $SecNsec{$refs} = $section;
+ $SecNsub{$refs} = $subsection;
+ }
+ }
+ print_mank_sec(\%Sec1, 1, \%Sec1sub);
+ print_mank_sec(\%Sec2, 2, \%Sec2sub);
+ print_mank_sec(\%Sec3, 3, \%Sec3sub);
+ print_mank_sec(\%Sec4, 4, \%Sec4sub);
+ print_mank_sec(\%Sec5, 5, \%Sec5sub);
+ print_mank_sec(\%Sec6, 6, \%Sec6sub);
+ print_mank_sec(\%Sec7, 7, \%Sec7sub);
+ print_mank_sec(\%Sec8, 8, \%Sec8sub);
+ print_mank_sec(\%Sec9, 9, \%Sec9sub);
+ print_mank_sec(\%SecN, 'N', \%SecNsub, \%SecNsec);
+
+ printtail() unless $Bare;
+}
+##---------------------------------------------------------------------------
+## print_mank_sec() prints out manpage cross-refs of a specific section.
+##
+sub print_mank_sec {
+ my($sec, $sect, $secsub, $secsec) = @_;
+ my(@array, @refs, $href, $item, $title, $subsection, $i, $section,
+ $xref);
+ $section = $sect;
+
+ @array = sort keys %$sec;
+ if ($#array >= 0) {
+ print $OutFH "<H2>Section $section</H2>\n",
+ "<DL COMPACT>\n";
+ foreach $item (@array) {
+ @refs = split(/,/, $item);
+ $section = $secsec->{$item} if $sect eq 'N';
+ $subsection = $secsub->{$item};
+ if ($CgiUrl) {
+ ($title = $refs[0]) =~ s/\(\)//g; # watch out for extra ()'s
+ $xref = eval $CgiUrl;
+ }
+ print $OutFH "<DT>\n";
+ $i = 0;
+ foreach (@refs) {
+ if ($CgiUrl) {
+ print $OutFH qq|<B><A HREF="$xref">$_</A></B>|;
+ } else {
+ print $OutFH $_;
+ }
+ print $OutFH ", " if $i < $#refs;
+ $i++;
+ }
+ print $OutFH " ($section$subsection)\n",
+ "</DT><DD>\n",
+ $sec->{$item}, "</DD>\n";
+ }
+ print $OutFH "</DL>\n";
+ }
+}
+
+##---------------------------------------------------------------------------
+##
+sub usage {
+ print $OutFH <<EndOfUsage;
+Usage: $PROG [ options ] < infile > outfile
+Options:
+ -bare : Do not put in HTML, HEAD, BODY tags
+ -belem <elem> : HTML Element for overstriked text (def: "B")
+ -botm <#> : Number of lines for bottom margin (def: 7)
+ -cgiurl <url> : URL for linking to other manpages
+ -cgiurlexp <url> : Perl expression URL for linking to other manpages
+ -compress : Compress consective blank lines
+ -headmap <file> : Filename of user section head map file
+ -help : This message
+ -k : Process a keyword search result
+ -leftm <#> : Character width of left margin (def: 0)
+ -nodepage : Do not remove pagination lines
+ -noheads : Turn off section head detection
+ -pgsize <#> : Number of lines in a page (def: 66)
+ -seealso : Link to other manpages only in the SEE ALSO section
+ -solaris : Process keyword search result in Solaris format
+ -sun : Section heads are not overstriked in input
+ -title <string> : Title of manpage (def: Not defined)
+ -topm <#> : Number of lines for top margin (def: 7)
+ -uelem <elem> : HTML Element for underlined text (def: "I")
+
+Description:
+ $PROG takes formatted manpages from STDIN and converts it to HTML sent
+ to STDOUT. The -topm and -botm arguments are the number of lines to the
+ main body text and NOT to the running headers/footers.
+
+Version:
+ $VERSION
+ Copyright (C) 1995-1997 Earl Hood, ehood\@medusa.acs.uci.edu
+ $PROG comes with ABSOLUTELY NO WARRANTY and $PROG may be copied only
+ under the terms of the GNU General Public License, which may be found in
+ the $PROG distribution.
+
+EndOfUsage
+ exit 0;
+}
diff --git a/doc/man2html.M b/doc/man2html.M
new file mode 100644
index 0000000000..537d6073b3
--- /dev/null
+++ b/doc/man2html.M
@@ -0,0 +1,761 @@
+.\" sccsid = "@(#) man2html.1 1.2 08/12/97"
+.\"
+.\" ================================================
+.\" ARGUMENT MACRO: .Ar "arg" [B]
+.de Ar
+.ie \\$2B \%\fB\\$1\fR
+.el \%\fI\\$1\fR
+..
+.\" ================================================
+.\" BRACKETED ARGUMENT MACRO: .Br "arg" [B]
+.de Br
+.ie \\$2B \%[\|\fB\\$1\fR\|]
+.el \%[\|\fI\\$1\fR\|]
+..
+.\" ================================================
+.\" OPTION FLAG MACRO .Of -x [arg]
+.de Of
+.ie \\n(.$==1 \%[\|\fB\\$1\fR\|]
+.el .if \\n(.$==2 \%[\|\fB\\$1\fR\0\fI\fI\\$2\fR\|]
+..
+.\" ================================================
+.\" SYNOPSIS START MACRO
+.de Ss .Ss name
+.na
+.nr aA \w\\$1\\0u
+.in +\\n(aAu
+'ti -\\n(aAu
+.ta \\n(aAu
+\&\fB\\$1\fR\t\c
+..
+.\" ================================================
+.\" SYNOPSIS END MACRO
+.de Se .Se
+.ad
+.in
+..
+.\" ================================================
+.\"
+.\"
+.TH MAN2HTML 1 "97/08/12"
+.SH NAME
+.na
+man2html \- convert UNIX nroff(1) manual pages to HTML format
+.SH SYNOPSIS
+.na
+.Ss man2html
+.Of -bare
+.Of -belem name
+.Of -botm lines
+.Of -cgiurl string
+.Of -cgiurlexp expr
+.Of -compress
+.Of -headmap mapfile
+.Of -help
+.Of -k
+.Of -leftm chars
+.Of -nodepage
+.Of -noheads
+.Of -pgsize lines
+.Of -seealso
+.Of -solaris
+.Of -sun
+.Of -title string
+.Of -topm lines
+.Of -uelem name
+.Se
+.sp 2
+Typical Usage:
+.sp
+.Ss man2html
+.Of -options
+.BI "\0<\0" infile
+.BI "\0\0>\0" outfile
+.Se
+.sp
+.B man
+.I topic
+.B | man2html
+.Of -options
+.BI "\0>\0" outfile
+.\"
+.SH DESCRIPTION
+.na
+The
+.B man2html
+filter reads formatted nroff text from standard input
+.RI ( stdin )
+and writes a \s-1HTML\s+1 document to standard output
+.RI ( stdout ).
+.LP
+The formatted nroff output is surrounded with
+.B \s-1<PRE>\s+1
+tags with the following exceptions/additions:
+.RS 4n
+.LP
+.na
+'ti -2n
+'ta 2n
+\(bu Section heads are wrapped in \s-1HTML\s+1
+.I header
+tags.
+See the
+.B "\s-1SECTION\ HEAD\ MAP\ FILE\s+1"
+section below for additional information.
+The
+.B \%-noheads
+option can be used to disable this feature.
+.ad
+.LP
+.na
+'ti -2n
+'ta 2n
+\(bu Bold words designated by a \%"<char><bs><char>"
+sequences are wrapped in
+.B \s-1<B>\s+1
+tags (or the element specified via the
+.B \%-belem
+option).
+.ad
+.LP
+.na
+'ti -2n
+'ta 2n
+\(bu Underlined words designated by a \%"_<bs><char>"
+sequences are wrapped in
+.B \s-1<I>\s+1
+tags (or the element specified via the
+.B \%-uelem
+option).
+.ad
+.RE
+.SH OPTIONS
+.na
+.TP 0.5i
+.B -bare
+This option will eliminate \s-1HTML\s+1
+.B \s-1<HEAD>\s+1
+and
+.B \s-1<BODY>\s+1
+tags from the output.
+This is useful when you wish to incorporate the output into another
+\s-1HTML\s+1 document.
+.TP 0.5i
+.BI -belem\0 name
+Use
+.I name
+as the name of the element to wrap overstriken characters.
+The default is \fBB\fR.
+.TP 0.5i
+.BI -botm\0 lines
+The
+.I lines
+argument specifies the number of lines representing the bottom
+margin of the formatted nroff input.
+The line count includes any running footers.
+The default value is 7.
+.TP 0.5i
+.BI -cgiurl\0 string
+The
+.I string
+argument specifies a template \s-1URL\s+1 for creating links to other manpages.
+See the
+.B "\s-1LINKING\ TO\ OTHER\ MANPAGES\s+1"
+section below for additional information.
+.TP 0.5i
+.BI -cgiurlexp\0 expr
+The
+.I expr
+argument specifies a Perl expression evaluting to a \s-1URL\s+1 for
+creating links to other manpages.
+See the
+.B "\s-1LINKING\ TO\ OTHER\ MANPAGES\s+1"
+section below for additional information.
+.TP 0.5i
+.B -compress
+Compress consecutive blank lines into a single line.
+.TP 0.5i
+.BI -headmap\0 mapfile
+The
+.I mapfile
+argument is read to determine which \s-1HTML\s+1
+header tags are to be used for various section heading in the manpage.
+See the
+.B "\s-1SECTION\ HEAD\ MAP\ FILE\s+1"
+section below for information on the format of the map file.
+.TP 0.5i
+.B -help
+Print out a short usage message and then exit immediately.
+.TP 0.5i
+.B -k
+Process input resulting from a manpage keyword search
+.RB ( "man\ -k" ).
+See the
+.B "\s-1KEYWORD\ SEARCH\s+1"
+section below for additional information.
+.TP 0.5i
+.BI -leftm\0 chars
+The
+.I chars
+argument specifies the width of the number of characters making
+up the left margin of the formatted nroff input.
+The default value is 0.
+.TP 0.5i
+.B -nodepage
+By default,
+.B man2html
+merges multi-page formatted nroff into a single page.
+This option may be used to disable depagination, causing
+running headers and footers in the formatted nroff input
+to be carried over into the \s-1HTML\s+1 output.
+.TP 0.5i
+.B -noheads
+By default,
+.B man2html
+wraps section heads in \s-1HTML\s+1
+header tags.
+See the
+.B "\s-1SECTION\ HEAD\ MAP\ FILE\s+1"
+section below for additional information.
+This option may be specified to disabled this feature.
+.TP 0.5i
+.BI -pgsize\0 lines
+The
+.I lines
+argument specifies the number of lines making up the page size (length)
+of the formatted nroff input.
+The default value is 66.
+.TP 0.5i
+.B -seealso
+If the
+.B -cgiurl
+option has been specified, then this option restricts the
+creation of links to other manual pages to the
+.B "\%\s-1SEE\ ALSO\s+1"
+section only.
+.TP 0.5i
+.B -solaris
+If the
+.B -k
+option has been specified, then this option modifies its operation
+to process the alternate manual page keyword search format produced
+by the
+.BR man (1)
+utility on systems running
+.IR Solaris .
+See the
+.B "\s-1KEYWORD\ SEARCH\s+1"
+section below for additional information.
+.TP 0.5i
+.B -sun
+Do not require a section head to have bold overstriking in the
+formatted nroff input.
+The option is called
+.B \%sun
+because it was on a Sun workstation that section heads in
+manpages were found to not be overstruck.
+.TP 0.5i
+.BI -title\0 string
+By default,
+.B man2html
+does not generate a \s-1HTML\s+1 title
+.RB ( \s-1<TITLE>\s+1 ).
+This option sets the title of the \s-1HTML\s+1 output to the specified
+.IR string .
+.TP 0.5i
+.BI -topm\0 lines
+The
+.I lines
+argument specifies number number of lines representing the
+top margin of the formatted nroff input.
+The line count includes any running headers.
+The default value is 7.
+.TP 0.5i
+.BI -uelem\0 name
+Use
+.I name
+as the name of the element to wrap underscored characters.
+The default is \fBI\fR.
+.\"
+.SH "SECTION HEAD MAP FILE"
+.na
+.LP
+The
+.B \%-headmap
+option may be used to customize which \s-1HTML\s+1 header tags,
+.BR "\s-1<H1>\s+1 ... \s-1<H6>\s+1" ,
+are used in manpage section headings.
+Normally,
+.B man2html
+treats lines that are flush to the left margin
+.RB ( -leftm ),
+and contain overstriking (overstrike check is canceled with the
+.B -sun
+option), as section heads.
+However, you can augment/override what \s-1HTML\s+1 header tags are used for
+any given section head.
+.LP
+In order to write a section head map file, you will need to know about
+.BR perl (1)
+associative arrays.
+You do not need to be an expert in
+.B perl
+to write a map file, however, having knowledge of
+.B perl
+allows you to be more clever.
+.\"
+.SS "Augmenting the Default Map"
+.LP
+To add to the default mapping defined by
+.BR man2html ,
+your map file will contain lines with the following syntax:
+.sp
+.if t .RS 4n
+.B "$SectionHead{'<section head text>'} = '<html header tag>';"
+.if t .RE
+.sp
+where
+.IP "\fB\%<section\ head\ text>\fR"
+is the text of the manpage section head.
+For example:
+.B \s-1SYNOPSIS\s+1
+or
+.BR \s-1DESCRIPTION\s+1 .
+.IP "\fB\%<html\ header\ tag>\fR"
+is the \s-1HTML\s+1 header tag to wrap the section head in.
+Legal values are:
+.BR \s-1<H1>\s+1 ,
+.BR \s-1<H2>\s+1 ,
+.BR \s-1<H3>\s+1 ,
+.BR \s-1<H4>\s+1 ,
+.BR \s-1<H5>\s+1 ,
+.BR \s-1<H6>\s+1 .
+.SS "Overriding the Default Map"
+To override the default mapping with your own, then your map file will
+have the following syntax:
+.sp
+.RS 4n
+.ft B
+.nf
+.ne 6v
+%SectionHead = (
+ \&'<section head text>', '<html header tag>',
+ \&'<section head text>', '<html header tag>',
+ \&# ... More section head/tag pairs
+ \&'<section head text>', '<html header tag>',
+);
+.fi
+.ft
+.RE
+.SS "The Default Map"
+.LP
+As of this writing, this is the default map used by
+.BR man2html :
+.RS 4n
+.sp
+.ft C
+.nf
+.ne 29v
+%SectionHead = (
+.ps -1
+ \&'\\S.*OPTIONS.*' => '<H2>',
+ \&'AUTHORS?' => '<H2>',
+ \&'BUGS' => '<H2>',
+ \&'COMPATIBILITY' => '<H2>',
+ \&'DEPENDENCIES' => '<H2>',
+ \&'DESCRIPTION' => '<H2>',
+ \&'DIAGNOSTICS' => '<H2>',
+ \&'ENVIRONMENT' => '<H2>',
+ \&'ERRORS' => '<H2>',
+ \&'EXAMPLES' => '<H2>',
+ \&'EXTERNAL INFLUENCES' => '<H2>',
+ \&'FILES' => '<H2>',
+ \&'LIMITATIONS' => '<H2>',
+ \&'NAME' => '<H2>',
+ \&'NOTES?' => '<H2>',
+ \&'OPTIONS' => '<H2>',
+ \&'REFERENCES' => '<H2>',
+ \&'RETURN VALUE' => '<H2>',
+ \&'SECTION.*:' => '<H2>',
+ \&'SEE ALSO' => '<H2>',
+ \&'STANDARDS CONFORMANCE' => '<H2>',
+ \&'STYLE CONVENTION' => '<H2>',
+ \&'SYNOPSIS' => '<H2>',
+ \&'SYNTAX' => '<H2>',
+ \&'WARNINGS' => '<H2>',
+ \&'\\s+Section.*:' => '<H3>',
+.ps +1
+);
+$HeadFallback = '\s-1<H2>\s+1'; # Fallback tag if above is not found.
+.fi
+.ft
+.RE
+.LP
+Check the
+.B perl
+source code of
+.B man2html
+for the latest default mapping.
+.LP
+You can reassign the
+.B \%$HeadFallback
+variable to a different value if you choose.
+This value is used as the header tag of a section head if
+no matches are found in the \%\fB%SectionHead\fR map.
+.SS "Using Regular Expressions in the Map File"
+.LP
+You may have noticed unusual characters in the default map file, like
+"\\s" or "*".
+The
+.B man2html
+utility actual treats the
+.B "\%<section\ head\ text>"
+as a
+.B perl
+regular expression.
+If you are comfortable with
+.B perl
+regular expressions, then you have their full power to use
+in your map file.
+.LP
+.I Caution:
+The
+.B man2html
+utility already anchors the regular expression to the beginning of the
+line with left margin spacing specified by the
+.B \%-leftm
+option.
+Therefore, do not use the `\fB\fR^' character to anchor your regular
+expression to the beginning.
+However, you may end your expression with a `\fB$\fR' to anchor it to
+the end of the line.
+.LP
+Since the
+.B "\%<section\ head\ text>"
+is actually a regular expression, you will have to be careful of
+special characters if you want them to be treated literally.
+Any of the characters
+.RB ` "[ ] ( ) . ^ { } $ * ? + \\ |" '
+should be escaped by prefixing them by the
+\&`\fB\\\fR' character if you want
+.B perl
+to treat them "as is".
+.LP
+.I Caution:
+One should use single quotes instead of double quotes to delimit
+.BR "\%<section\ head\ text>" .
+This will preserve any `\fB\\\fR' characters for character escaping
+or when the `\fB\\\fR' is used for special
+.B perl
+character matching sequences (e.g., \fB\\s\fR, \fB\\w\fR, \fB\\S\fR).
+.SS "Other Tid-bits on the Map File"
+.LP
+Comments can be inserted in the map file by using the '\fB#\fR'
+character.
+Anything after, and including, the '\fB#\fR' character is ignored,
+up to the end of line.
+.LP
+You might be thinking that the above is quite-a-bit-of-stuff just for
+doing manpage section heads.
+However, you will be surprised how much better the \s-1HTML\s+1 output looks
+with header tags, even though, everything else is in a
+.B \s-1<PRE>\s+1
+tag.
+.\"
+.SH "LINKING TO OTHER MANPAGES"
+.na
+.LP
+The
+.B man2html
+utility allows the ability to link to other manpage references.
+If the
+.B \%-cgiurl
+option is specified,
+.B man2html
+will create anchors that link to other manpages.
+.LP
+The \s-1URL\s+1 entered with the
+.B \%-cgiurl
+option is actually a template that determines the actual \s-1URL\s+1 used to
+link to other manpages.
+The following variables are defined during run time that may be used in
+the template string:
+.sp
+.RS 4n
+.IP \fB$title\fR
+The title of the manual page referenced.
+.IP \fB$section\fR
+The section number of the manual page referenced.
+.IP \fB$subsection\fR
+The subsection of the manual page referenced.
+.RE
+.LP
+Any other text in the template is preserved "as is".
+.LP
+.I Caution:
+The
+.B man2html
+utility evaluates the template string as a
+.B perl
+string expression.
+Therefore, one might need to surround the variable names with
+\&'\fB{\|}\fR' (e.g.,
+.BR ${\|title\|}\| )
+so that
+.B man2html
+properly recognizes the variable.
+.LP
+.I Note:
+If a \s-1CGI\s+1 program calling
+.B man2html
+is actually a shell script or a
+.B perl
+program, make sure to properly escape the '\fB$\fR' character
+in the \s-1URL\s+1 template to avoid variable interpolation by the \s-1CGI\s+1
+program.
+.LP
+Normally, the \s-1URL\s+1 calls a \s-1CGI\s+1 program (hence the option name),
+but the \s-1URL\s+1 can easily link to statically converted documents.
+.SS "Example1:"
+.LP
+The following template string is specified to call a \s-1CGI\s+1 program to
+retrieve the appropriate manpage linked to:
+.LP
+.nf
+.B "/cgi-bin/man.cgi?section=${section}${subsection}&topic=${title}"
+.fi
+.LP
+If the
+.BR ls (1)
+manpage is referenced in the
+.B "SEE ALSO"
+section, the above template will translate to the following \s-1URL\s+1:
+.LP
+.B "/cgi-bin/man.cgi?section=1&topic=ls"
+.LP
+The actual \s-1HTML\s+1 markup will look like the following:
+.LP
+\fB<A\ HREF="/cgi-bin/man.cgi?section=1&topic=ls">ls(1)</A>\fR
+.SS "Example2:"
+.LP
+The following template string is specified to retrieve pre-converted
+manpages:
+.LP
+.B "http://foo.org/man$section/$title.$section$subsection.html"
+.LP
+If the
+.BR mount (1M)
+manpage is referenced, the above template will translate to the
+following \s-1URL\s+1:
+.LP
+.B "http://foo.org/man1/mount.1M.html"
+.LP
+The actual \s-1HTML\s+1 markup will look like the following:
+.LP
+\fB<A HREF="http://foo.org/man1/mount.1M.html">mount(1M)</A>\fR
+.SS "-cgiurlexp"
+The option
+.B \%-cgiurlexp
+is a more general form of the
+.B \%-cgiurl
+option.
+.B \%-cgiurlexp
+allows one to specify a general Perl expression. For example:
+.LP
+\fB$title=~/^db_/i?"$title.html":"/cgi-bin/man?$title+$section"\fR
+.LP
+A
+.B \%-cgiurl
+.I string
+can be expressed as follows with \fB-cgiurlexp\fR:
+.LP
+\fBreturn "\fIstring\fB"\fR
+.\"
+.SH "KEYWORD SEARCH"
+.na
+.LP
+The
+.B man2html
+utility has the ability to process keyword search output generated
+by the \%\fBman\ -k\fR or \%\fBapropos\fR commands, through the
+use of the
+.B -k
+option.
+The
+.B man2html
+utility will generate an \s-1HTML\s+1 document of the keyword search input
+having the following format:
+.RS 4n
+.LP
+.na
+'ti -2n
+'ta 2n
+\(bu All manpage references are listed by section.
+.ad
+.LP
+.na
+'ti -2n
+'ta 2n
+\(bu Within each section listing, the manpage references
+are sorted alphabetically (case-sensitive) in a
+.B \s-1<DL>\s+1
+tag.
+The manpage references are listed in the
+.B \s-1<DT>\s+1
+section, and the summary text is listed in the
+.B \s-1<DD>\s+1
+section.
+.ad
+.LP
+.na
+'ti -2n
+'ta 2n
+\(bu Each manpage reference listed is a hyperlink to the
+actual manpage as specified by the
+.B \%-cgiurl
+option.
+.ad
+.RE
+.LP
+.na
+This ability to process keyword searches gives nice added functionality
+to a \s-1WWW\s+1 forms interface to
+.BR man (1).
+Even if you have statically converted manpages to \s-1HTML\s+1 via another
+man->\s-1HTML\s+1 program, you can use
+.B man2html
+and "\fBman\ -k\fR" to provide keyword search capabilities easily for
+your \s-1HTML\s+1 manpages.
+.SS "Processing Keyword Search Results"
+.na
+.LP
+Unfortunately, there is no standard controlling the format of keyword
+search results.
+The
+.B man2html
+utility tries it best to handle all the variations.
+However, the keyword search results generated by the
+.I Solaris
+operating system is different enough from other systems that a
+special command-line option
+.RB ( -solaris )
+must be specified to handle its output.
+.SS "Example of raw Solaris-type keyword search results:"
+.LP
+.ft C
+.nf
+.ne 10v
+strcpy strcpy (9f) - copy a string from one location to another.
+strcpy string (3c) - string operations
+strncpy strcpy (9f) - copy a string from one location to another.
+strncpy string (3c) - string operations
+.fi
+.ft
+.LP
+If keyword search results on your systems appear in the following format:
+.LP
+.RS 4n
+.B "<topic> <actual_manpage> (#) - Description"
+.RE
+.LP
+then you need to specify the
+.B \%-solaris
+option in addition to the
+.B -k
+option.
+.SH "ADDITIONAL NOTES"
+.na
+.LP
+Different systems format manpages differently.
+Here is a list of recommended command-line options for certain systems:
+.RS 4n
+.LP
+.ta 1i
+.nf
+.ne 3v
+\fBConvex\fR: <defaults should be okay>
+\fBHP\fR: \fB-leftm 1 -topm 8\fR
+\fBSun\fR: \fB-sun\fR (and \fB-solaris\fR when using \fB-k\fR)
+.fi
+.RE
+.LP
+Some line spacing gets lost in the formatted nroff since the
+spacing would occur in the middle of a page break.
+This can cause text to be merged that shouldn't be merged when
+.B man2html
+depaginates the text.
+To avoid this problem,
+.B man2html
+keeps track of the margin indent right before and after a page break.
+If the margin width of the line after the page break is less than the
+line before the page break, then
+.B man2html
+inserts a blank line in the \s-1HTML\s+1 output.
+.LP
+A manpage cross-reference is detected by the following pseudo expression:
+\%\fB[A-z.-+_]+([0-9][A-z]?)\fR
+.LP
+The
+.B man2html
+utility only recognizes lines with "\fB - \fR" (the normal separator
+between manpage references and summary text) while in keyword
+search mode.
+.LP
+The
+.B man2html
+utility can be hooked in a \s-1CGI\s+1 script/program to convert manpages
+on the fly.
+This is the reason for the
+.B \%-cgiurl
+option.
+.SH LIMITATIONS
+.na
+.LP
+The order that section head mapping is searched is not defined.
+Therefore, if two or more
+.B "\%<section\ head\ text>"
+can match a give manpage section, there is no way to determine
+which map tag is chosen.
+.LP
+If
+.B \%-seealso
+is specified, all xrefs are detected after the
+.B "\%SEE\ ALSO"
+heading.
+In other words, sections after
+.B "\%SEE\ ALSO"
+may contain hyperlinked xrefs.
+.SH BUGS
+.na
+.LP
+Text that is flush to the left margin, but is not actually a
+section head, can be mistaken for a section head.
+This mistake is more likely when the
+.B \%-sun
+option is in affect.
+.SH VERSION
+.na
+This documentation describes
+.B man2html
+version 3.0.1
+.SH "SEE ALSO"
+.na
+.BR man (1),
+.BR nroff (1),
+.BR perl (1)
+.LP
+.I http://www.oac.uci.edu/indiv/ehood/man2html.html
+.SH AUTHOR
+.LP
+.B Earl Hood
+.br
+.I ehood@medusa.acs.uci.edu
+.\"
+.SH "ERRORS AND OMISSIONS"
+.na
+Troff version of this document initially created for version 2.1.0
+by C. Jeffery Small
+.RI ( jeff@cjsa.com )
+by copying, reformatting, rearranging and partially rewriting
+the contents of the ascii text file
+.BR doc/man2html.txt .
diff --git a/doc/salts.texinfo b/doc/salts.texinfo
new file mode 100644
index 0000000000..3ed43db0e1
--- /dev/null
+++ b/doc/salts.texinfo
@@ -0,0 +1,19 @@
+@ignore
+the information in this file should be consistent with the information
+in krb5/src/lib/krb5/krb/str_conv.c, in the struct salttype_lookup_entry
+@end ignore
+
+@table @code
+@item normal
+default for Kerberos Version 5
+@item v4
+the only type used by Kerberos Version 4, no salt
+@item norealm
+same as the default, without using realm information
+@item onlyrealm
+uses only realm information as the salt
+@item afs3
+AFS version 3, only used for compatibility with Kerberos 4 in AFS
+@item special
+only used in very special cases; not fully supported
+@end table
diff --git a/doc/support-enc.texinfo b/doc/support-enc.texinfo
new file mode 100644
index 0000000000..3f030bad9e
--- /dev/null
+++ b/doc/support-enc.texinfo
@@ -0,0 +1,27 @@
+@ignore
+the information in this file should be consistent with the information
+in krb5/src/lib/crypto/etypes.c (and krb5/src/include/krb5.h[in]?)
+@end ignore
+
+@table @code
+@item des-cbc-crc
+DES cbc mode with CRC-32
+@item des-cbc-md4
+DES cbc mode with RSA-MD4
+@item des-cbc-md5
+DES cbc mode with RSA-MD5
+@item des3-cbc-sha1
+@itemx des3-hmac-sha1
+@itemx des3-cbc-sha1-kd
+triple DES cbc mode with HMAC/sha1
+@item des-hmac-sha1
+DES with HMAC/sha1
+@item arcfour-hmac
+@itemx rc4-hmac
+@itemx arcfour-hmac-md5
+RC4 with HMAC/MD5
+@item arcfour-hmac-exp
+@itemx rc4-hmac-exp
+@itemx arcfour-hmac-md5-exp
+exportable RC4 with HMAC/MD5
+@end table
diff --git a/doc/user-guide.texinfo b/doc/user-guide.texinfo
index 59b9b08c53..78c45df407 100644
--- a/doc/user-guide.texinfo
+++ b/doc/user-guide.texinfo
@@ -36,6 +36,7 @@
@ifinfo
This file describes how to use the @value{PRODUCT} client programs.
+@end ifinfo
@c The master menu is updated using emacs19's M-x texinfo-all-menus-update
@c function. Don't forget to run M-x texinfo-every-node-update after
@@ -62,7 +63,6 @@ This file describes how to use the @value{PRODUCT} client programs.
@unnumbered Copyright
@include copyright.texinfo
-@end ifinfo
@node Introduction, Kerberos V5 Tutorial, Copyright, Top
@chapter Introduction
@@ -96,11 +96,11 @@ a layer of security that is not dependent on which side of a firewall
either client is on. Since studies have shown that half of the computer
security breaches in industry happen from @i{inside} firewalls,
@value{COMPANY}'s @value{PRODUCT} plays a vital role in maintaining your
-nework security.
+network security.
The @value{PRODUCT} package is designed to be easy to use. Most of the
-commands are nearly identical to UNIX network programs you are already
-used to. @value{PRODUCT} is a @dfn{single-sign-on} system, which means
+commands are nearly identical to UNIX network programs you already
+use. @value{PRODUCT} is a @dfn{single-sign-on} system, which means
that you have to type your password only once per session, and Kerberos
does the authenticating and encrypting transparently.
@@ -226,12 +226,92 @@ or use a screensaver that locks the screen.
@need 2000
@menu
+* Kerberos Ticket Properties::
* Obtaining Tickets with kinit::
* Viewing Your Tickets with klist::
* Destroying Your Tickets with kdestroy::
@end menu
-@node Obtaining Tickets with kinit, Viewing Your Tickets with klist, Ticket Management, Ticket Management
+@node Kerberos Ticket Properties, Obtaining Tickets with kinit, Ticket Management, Ticket Management
+@subsection Kerberos Ticket Properties
+
+There are various properties that Kerberos tickets can have:
+
+If a ticket is @dfn{forwardable}, then the KDC can issue a new ticket with
+a different network address based on the forwardable ticket. This
+allows for authentication forwarding without requiring a password to be
+typed in again. For example, if a user with a forwardable TGT logs
+into a remote system, the KDC could issue a new TGT for that user with
+the netword address of the remote system, allowing authentication on
+that host to work as though the user were logged in locally.
+
+When the KDC creates a new ticket based on a forwardable ticket, it
+sets the @dfn{forwarded} flag on that new ticket. Any tickets that are
+created based on a ticket with the forwarded flag set will also have
+their forwarded flags set.
+
+A @dfn{proxiable} ticket is similar to a forwardable ticket in that it
+allows a service to take on the identity of the client. Unlike a
+forwardable ticket, however, a proxiable ticket is only issued for
+specific services. In other words, a ticket-granting ticket cannot be
+issued based on a ticket that is proxiable but not forwardable.
+
+A @dfn{proxy} ticket is one that was issued based on a proxiable ticket.
+
+If a tickets is @dfn{postdated}, this means that it will become valid at a
+specific time in the future. Postdated tickets can be issued for the
+time at which a job is going to start so that the time that valid
+tickets exist unused on a machine is minimized.
+
+Tickets with the @dfn{postdateable} flag set can be used to issue postdated
+tickets.
+
+@dfn{Renewable} tickets can be used to obtain new session keys without the
+user entering a new password. A renewable ticket has two expiration
+times. The first is the time at which this particular ticket expires.
+The second is the latest possible expiration time for any ticket issued
+based on this renewable ticket.
+
+A ticket with the @dfn{initial} flag set was issued based on the
+authentication protocol, and not on a ticket-granting ticket. Clients
+that wish to ensure that the user's key has been recently presented for
+verification could specify that this flag must be set to accept the
+ticket.
+
+An @dfn{initial} ticket must be rejected by application servers. Postdated
+tickets are usually issued with this flag set, and must be validated by
+the KDC before they can be used.
+
+A @dfn{preauthenticated} ticket is one that was only issued after the
+client requesting the ticket had authenticated itself to the KDC.
+
+The @dfn{hardware authentication} flag is set on a ticket which required
+the use of hardware expected to be possessed soley by the requesting
+client for authentication.
+
+If a ticket has the @dfn{transit policy checked} flag set, the the KDC that
+issued this ticket implements the transited-realm check policy and
+checked the transited-realms list on the ticket. The transited-realms
+list contains a list of all intermediate realms between the realm of the
+KDC that issued the first ticket and that of the one that issued the
+current ticket. If this flag is not set, then the application server
+must check the transited realms itself or else reject the ticket.
+
+The @dfn{okay as delegate} flag indicates that the server specified in the
+ticket is suitable as a delegate as determined by the policy of that
+realm. A server that is acting as a delegate has been granted a proxy
+or a forwarded TGT. The client can use this flag in its decision of
+whether or not to use this server as a delgate. This flag is a new
+addition to the @value{PRODUCT} protocol and is not yet implemented on MIT
+servers.
+
+An @dfn{anonymous} ticket is one in which the named principal is a generic
+principal for that realm; it does not actually specify the individual
+that will be using the ticket. This ticket is meant only to securely
+distribute a session key. This is a new addition to the @value{PRODUCT}
+protocol and is not yet implemented on MIT servers.
+
+@node Obtaining Tickets with kinit, Viewing Your Tickets with klist, Kerberos Ticket Properties, Ticket Management
@subsection Obtaining Tickets with kinit
If your site is using the @value{PRODUCT} login program, you will get
@@ -438,6 +518,16 @@ post@b{d}ated
@b{I}nitial
@itemx i
@b{i}nvalid
+@itemx H
+@b{H}ardeware authenticated
+@itemx A
+pre@b{A}uthenticated
+@itemx T
+@b{T}ransit policy checked
+@itemx O
+@b{O}kay as delegate
+@itemx a
+@b{a}nonymous
@end table
@need 1500
@@ -893,7 +983,7 @@ requests tickets for the remote host in the specified realm, instead of
determining the realm itself.
@itemx -x, --encrypt
-turns on encryption.
+encrypts the input and output data streams (the command line is not encrypted)
@itemx --noencrypt
turns off encryption.
@@ -936,7 +1026,7 @@ and request an encrypted session as follows:
@smallexample
@group
@b{shell%} rlogin @value{RANDOMHOST2}.@value{SECONDDOMAIN} -f -x
-@b{This rlogin session is using DES encryption for all data transmissions.
+@b{This rlogin session is encrypting all data transmissions.
Last login: Thu Jun 20 16:20:50 from @value{RANDOMHOST1}
SunOS Release 4.1.4 (GENERIC) #2: Tue Nov 14 18:09:31 EST 1995
Not checking quotas. Try quota.real if you need them.
@@ -1043,7 +1133,7 @@ requests tickets for the remote host in the specified realm, instead of
determining the realm itself.
@itemx -x, --encrypt
-turns on encryption.
+encrypts the input and output data streams (the command line is not encrypted)
@itemx --noencrypt
turns off encryption.
@@ -1057,7 +1147,7 @@ run the @samp{date} program as follows:
@smallexample
@group
@b{shell%} rsh @value{RANDOMHOST2}.@value{SECONDDOMAIN} -l root -x date
-@b{This rsh session is using DES encryption for all data transmissions.
+@b{This rsh session is encrypting input/output data transmissions.
Fri Jun 21 17:06:12 EDT 1996
shell%}
@end group
@@ -1352,6 +1442,12 @@ M-x manual-entry @emph{command}
Type @kbd{M-x manual-entry kinit} to read this manual page.
@end ifinfo
+@ifhtml
+@html
+<a href="kinit.html"> kinit manpage</a>
+@end rawhtml
+@end ifhtml
+
@node klist Reference, kdestroy Reference, kinit Reference, Kerberos V5 Reference
@section klist Reference
@@ -1364,6 +1460,12 @@ Type @kbd{M-x manual-entry kinit} to read this manual page.
Type @kbd{M-x manual-entry klist} to read this manual page.
@end ifinfo
+@ifhtml
+@html
+<a href="klist.html"> klist manpage</a>
+@end rawhtml
+@end ifhtml
+
@node kdestroy Reference, kpasswd Reference, klist Reference, Kerberos V5 Reference
@section kdestroy Reference
@@ -1376,6 +1478,12 @@ Type @kbd{M-x manual-entry klist} to read this manual page.
Type @kbd{M-x manual-entry kdestroy} to read this manual page.
@end ifinfo
+@ifhtml
+@html
+<a href="kdestroy.html"> kdestroy manpage</a>
+@end rawhtml
+@end ifhtml
+
@node kpasswd Reference, telnet Reference, kdestroy Reference, Kerberos V5 Reference
@section kpasswd Reference
@@ -1388,6 +1496,12 @@ Type @kbd{M-x manual-entry kdestroy} to read this manual page.
Type @kbd{M-x manual-entry kpasswd} to read this manual page.
@end ifinfo
+@ifhtml
+@html
+<a href="kpasswd.html"> kpasswd manpage</a>
+@end rawhtml
+@end ifhtml
+
@node telnet Reference, rlogin Reference, kpasswd Reference, Kerberos V5 Reference
@section telnet Reference
@@ -1432,6 +1546,12 @@ Type @kbd{M-x manual-entry kpasswd} to read this manual page.
Type @kbd{M-x manual-entry telnet} to read this manual page.
@end ifinfo
+@ifhtml
+@html
+<a href="telnet.html"> telnet manpage</a>
+@end rawhtml
+@end ifhtml
+
@node rlogin Reference, FTP Reference, telnet Reference, Kerberos V5 Reference
@section rlogin Reference
@@ -1448,6 +1568,12 @@ Type @kbd{M-x manual-entry telnet} to read this manual page.
Type @kbd{M-x manual-entry rlogin} to read this manual page.
@end ifinfo
+@ifhtml
+@html
+<a href="rlogin.html"> rlogin manpage</a>
+@end rawhtml
+@end ifhtml
+
@node FTP Reference, rsh Reference, rlogin Reference, Kerberos V5 Reference
@section FTP Reference
@@ -1488,6 +1614,12 @@ Type @kbd{M-x manual-entry rlogin} to read this manual page.
Type @kbd{M-x manual-entry FTP} to read this manual page.
@end ifinfo
+@ifhtml
+@html
+<a href="ftp.html"> ftp manpage</a>
+@end rawhtml
+@end ifhtml
+
@node rsh Reference, rcp Reference, FTP Reference, Kerberos V5 Reference
@section rsh Reference
@@ -1504,6 +1636,12 @@ Type @kbd{M-x manual-entry FTP} to read this manual page.
Type @kbd{M-x manual-entry rsh} to read this manual page.
@end ifinfo
+@ifhtml
+@html
+<a href="rsh.html"> rsh manpage</a>
+@end rawhtml
+@end ifhtml
+
@node rcp Reference, ksu Reference, rsh Reference, Kerberos V5 Reference
@section rcp Reference
@@ -1516,6 +1654,12 @@ Type @kbd{M-x manual-entry rsh} to read this manual page.
Type @kbd{M-x manual-entry rcp} to read this manual page.
@end ifinfo
+@ifhtml
+@html
+<a href="rcp.html"> rcp manpage</a>
+@end rawhtml
+@end ifhtml
+
@node ksu Reference, , rcp Reference, Kerberos V5 Reference
@section ksu Reference
@@ -1544,6 +1688,12 @@ Type @kbd{M-x manual-entry rcp} to read this manual page.
Type @kbd{M-x manual-entry ksu} to read this manual page.
@end ifinfo
+@ifhtml
+@html
+<a href="ksu.html"> ksu manpage</a>
+@end rawhtml
+@end ifhtml
+
@node Kerberos Glossary, , Kerberos V5 Reference, Top
@appendix Kerberos Glossary