Diffstat (limited to 'src/man')
-rw-r--r--  src/man/k5identity.man       11
-rw-r--r--  src/man/k5login.man           7
-rw-r--r--  src/man/k5srvutil.man         8
-rw-r--r--  src/man/kadmin.man          275
-rw-r--r--  src/man/kadmind.man         179
-rw-r--r--  src/man/kdb5_ldap_util.man   77
-rw-r--r--  src/man/kdb5_util.man        64
-rw-r--r--  src/man/kdc.conf.man        344
-rw-r--r--  src/man/kdestroy.man         14
-rw-r--r--  src/man/kinit.man            85
-rw-r--r--  src/man/klist.man            37
-rw-r--r--  src/man/kpasswd.man           5
-rw-r--r--  src/man/kprop.man            10
-rw-r--r--  src/man/kpropd.man           38
-rw-r--r--  src/man/kproplog.man         14
-rw-r--r--  src/man/krb5.conf.man       285
-rw-r--r--  src/man/krb5kdc.man          15
-rw-r--r--  src/man/ksu.man              51
-rw-r--r--  src/man/kswitch.man          13
-rw-r--r--  src/man/ktutil.man           14
-rw-r--r--  src/man/kvno.man             18
-rw-r--r--  src/man/sclient.man           4
-rw-r--r--  src/man/sserver.man          11
23 files changed, 525 insertions, 1054 deletions
diff --git a/src/man/k5identity.man b/src/man/k5identity.man
index c4f588a088..c242940c3f 100644
--- a/src/man/k5identity.man
+++ b/src/man/k5identity.man
@@ -28,11 +28,8 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.\" Man page generated from reStructeredText.
+.\" Man page generated from reStructuredText.
.
-.SH SYNOPSIS
-.sp
-\fB~/.k5identity\fP
.SH DESCRIPTION
.sp
The .k5identity file, which resides in a user\(aqs home directory,
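Review bot: dropping the SYNOPSIS section removes the only place this page states the file path as a literal (`\fB~/.k5identity\fP`); DESCRIPTION still says the file "resides in a user's home directory", but the bold path a reader scans for is gone. If the generator no longer emits SYNOPSIS for file-format pages, fold the literal path into the first DESCRIPTION sentence. The same applies to the matching k5login.man hunk below, which drops `\fB~/.k5login\fP`.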
@@ -44,7 +41,6 @@ Blank lines and lines beginning with \fB#\fP are ignored. Each line has
the form:
.INDENT 0.0
.INDENT 3.5
-.sp
\fIprincipal\fP \fIfield\fP=\fIvalue\fP ...
.UNINDENT
.UNINDENT
@@ -55,7 +51,6 @@ recognized:
.INDENT 0.0
.TP
.B \fBrealm\fP
-.sp
If the realm of the server principal is known, it is matched
against \fIvalue\fP, which may be a pattern using shell wildcards.
For host\-based server principals, the realm will generally only be
@@ -63,13 +58,11 @@ known if there is a \fIdomain_realm\fP section in
\fIkrb5.conf(5)\fP with a mapping for the hostname.
.TP
.B \fBservice\fP
-.sp
If the server principal is a host\-based principal, its service
component is matched against \fIvalue\fP, which may be a pattern using
shell wildcards.
.TP
.B \fBhost\fP
-.sp
If the server principal is a host\-based principal, its hostname
component is converted to lower case and matched against \fIvalue\fP,
which may be a pattern using shell wildcards.
@@ -105,6 +98,6 @@ kerberos(1), \fIkrb5.conf(5)\fP
.SH AUTHOR
MIT
.SH COPYRIGHT
-2011, MIT
+2012, MIT
.\" Generated by docutils manpage writer.
.
diff --git a/src/man/k5login.man b/src/man/k5login.man
index 9f82dc8db5..d2bcf3ebe1 100644
--- a/src/man/k5login.man
+++ b/src/man/k5login.man
@@ -28,11 +28,8 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.\" Man page generated from reStructeredText.
+.\" Man page generated from reStructuredText.
.
-.SH SYNOPSIS
-.sp
-\fB~/.k5login\fP
.SH DESCRIPTION
.sp
The .k5login file, which resides in a user\(aqs home directory, contains
@@ -89,6 +86,6 @@ kerberos(1)
.SH AUTHOR
MIT
.SH COPYRIGHT
-2011, MIT
+2012, MIT
.\" Generated by docutils manpage writer.
.
diff --git a/src/man/k5srvutil.man b/src/man/k5srvutil.man
index e20d7758f3..083f4852dd 100644
--- a/src/man/k5srvutil.man
+++ b/src/man/k5srvutil.man
@@ -28,7 +28,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.\" Man page generated from reStructeredText.
+.\" Man page generated from reStructuredText.
.
.SH SYNOPSIS
.sp
@@ -44,12 +44,10 @@ a keytab or to add new keys to the keytab.
.INDENT 0.0
.TP
.B \fBlist\fP
-.sp
Lists the keys in a keytab showing version number and principal
name.
.TP
.B \fBchange\fP
-.sp
Uses the kadmin protocol to update the keys in the Kerberos
database to new randomly\-generated keys, and updates the keys in
the keytab to match. If a key\(aqs version number doesn\(aqt match the
@@ -61,7 +59,6 @@ If the \fB\-k\fP option is given, the old and new keys will be
displayed.
.TP
.B \fBdelold\fP
-.sp
Deletes keys that are not the most recent version from the keytab.
This operation should be used some time after a change operation
to remove old keys, after existing tickets issued for the service
@@ -69,7 +66,6 @@ have expired. If the \fB\-i\fP flag is given, then k5srvutil will
prompt for confirmation for each principal.
.TP
.B \fBdelete\fP
-.sp
Deletes particular keys in the keytab, interactively prompting for
each key.
.UNINDENT
@@ -85,6 +81,6 @@ place.
.SH AUTHOR
MIT
.SH COPYRIGHT
-2011, MIT
+2012, MIT
.\" Generated by docutils manpage writer.
.
diff --git a/src/man/kadmin.man b/src/man/kadmin.man
index 6ab1a18a23..cc2e97d930 100644
--- a/src/man/kadmin.man
+++ b/src/man/kadmin.man
@@ -28,7 +28,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.\" Man page generated from reStructeredText.
+.\" Man page generated from reStructuredText.
.
.SH SYNOPSIS
.sp
@@ -79,30 +79,25 @@ kadmin.local can be run on any host which can access the LDAP server.
.INDENT 0.0
.TP
.B \fB\-r\fP \fIrealm\fP
-.sp
Use \fIrealm\fP as the default database realm.
.TP
.B \fB\-p\fP \fIprincipal\fP
-.sp
Use \fIprincipal\fP to authenticate. Otherwise, kadmin will append
\fB/admin\fP to the primary principal name of the default ccache,
the value of the \fBUSER\fP environment variable, or the username as
obtained with getpwuid, in order of preference.
.TP
.B \fB\-k\fP
-.sp
Use a keytab to decrypt the KDC response instead of prompting for
a password. In this case, the default principal will be
\fBhost/hostname\fP. If there is no keytab specified with the
\fB\-t\fP option, then the default keytab will be used.
.TP
.B \fB\-t\fP \fIkeytab\fP
-.sp
Use \fIkeytab\fP to decrypt the KDC response. This can only be used
with the \fB\-k\fP option.
.TP
.B \fB\-n\fP
-.sp
Requests anonymous processing. Two types of anonymous principals
are supported. For fully anonymous Kerberos, configure PKINIT on
the KDC and configure \fBpkinit_anchors\fP in the client\(aqs
@@ -118,7 +113,6 @@ principal. As of release 1.8, the MIT Kerberos KDC only supports
fully anonymous operation.
.TP
.B \fB\-c\fP \fIcredentials_cache\fP
-.sp
Use \fIcredentials_cache\fP as the credentials cache. The
cache should contain a service ticket for the \fBkadmin/ADMINHOST\fP
(where \fIADMINHOST\fP is the fully\-qualified hostname of the admin
@@ -128,163 +122,67 @@ requests a new service ticket from the KDC, and stores it in its
own temporary ccache.
.TP
.B \fB\-w\fP \fIpassword\fP
-.sp
Use \fIpassword\fP instead of prompting for one. Use this option with
care, as it may expose the password to other users on the system
via the process list.
.TP
.B \fB\-q\fP \fIquery\fP
-.sp
Perform the specified query and then exit. This can be useful for
writing scripts.
.TP
.B \fB\-d\fP \fIdbname\fP
-.sp
Specifies the name of the KDC database. This option does not
apply to the LDAP database module.
.TP
.B \fB\-s\fP \fIadmin_server\fP[:\fIport\fP]
-.sp
Specifies the admin server which kadmin should contact.
.TP
.B \fB\-m\fP
-.sp
If using kadmin.local, prompt for the database master password
instead of reading it from a stash file.
.TP
.B \fB\-e\fP "\fIenc\fP:\fIsalt\fP ..."
-.sp
Sets the list of encryption types and salt types to be used for
any new keys created. See \fIEncryption_and_salt_types\fP in
\fIkdc.conf(5)\fP for a list of possible values.
.TP
.B \fB\-O\fP
-.sp
Force use of old AUTH_GSSAPI authentication flavor.
.TP
.B \fB\-N\fP
-.sp
Prevent fallback to AUTH_GSSAPI authentication flavor.
.TP
.B \fB\-x\fP \fIdb_args\fP
-.sp
Specifies the database specific arguments. Options supported for
the LDAP database module are:
.INDENT 7.0
.TP
.B \fB\-x host=\fP\fIhostname\fP
-.sp
-specifies the LDAP server to connect to by a LDAP URI.
+Specifies the LDAP server to connect to by a LDAP URI.
.TP
.B \fB\-x binddn=\fP\fIbind_dn\fP
-.sp
-specifies the DN of the object used by the administration
+Specifies the DN of the object used by the administration
server to bind to the LDAP server. This object should have
the read and write privileges on the realm container, the
principal container, and the subtree that is referenced by the
realm.
.TP
.B \fB\-x bindpwd=\fP\fIbind_password\fP
-.sp
-specifies the password for the above mentioned binddn. Using
+Specifies the password for the above mentioned binddn. Using
this option may expose the password to other users on the
system via the process list; to avoid this, instead stash the
password using the \fBstashsrvpw\fP command of
\fIkdb5_ldap_util(8)\fP.
.UNINDENT
.UNINDENT
-.SH DATE FORMAT
-.sp
-Many of the kadmin commands take a duration or time as an
-argument. The date can appear in a wide variety of formats, such as:
-.INDENT 0.0
-.INDENT 3.5
-.sp
-.nf
-.ft C
-1 month ago
-2 hours ago
-400000 seconds ago
-last year
-this Monday
-next Monday
-yesterday
-tomorrow
-now
-second Monday
-fortnight ago
-3/31/92 10:00:07 PST
-January 23, 1987 10:05pm
-22:00 GMT
-.ft P
-.fi
-.UNINDENT
-.UNINDENT
-.sp
-Dates which do not have the "ago" specifier default to being absolute
-dates, unless they appear in a field where a duration is expected. In
-that case the time specifier will be interpreted as relative.
-Specifying "ago" in a duration may result in unexpected behavior.
-.sp
-The following is a list of all of the allowable keywords.
-.TS
-center;
-|l|l|.
-_
-T{
-Months
-T} T{
-january, jan, february, feb, march, mar, april, apr, may,
-june, jun, july, jul, august, aug, september, sep, sept,
-october, oct, november, nov, december, dec
-T}
-_
-T{
-Days
-T} T{
-sunday, sun, monday, mon, tuesday, tues, tue, wednesday,
-wednes, wed, thursday, thurs, thur, thu, friday, fri,
-saturday, sat
-T}
-_
-T{
-Units
-T} T{
-year, month, fortnight, week, day, hour, minute, min,
-second, sec
-T}
-_
-T{
-Relative
-T} T{
-tomorrow, yesterday, today, now, last, this, next, first,
-second, third, fourth, fifth, sixth, seventh, eighth,
-ninth, tenth, eleventh, twelfth, ago
-T}
-_
-T{
-Time Zones
-T} T{
-kadmin recognizes abbreviations for most of the world\(aqs
-time zones.
-T}
-_
-T{
-Meridians
-T} T{
-am, pm
-T}
-_
-.TE
.SH COMMANDS
.sp
When using the remote client, available commands may be restricted
-according to the privileges specified in the kadm5.acl file on the
-admin server.
+according to the privileges specified in the \fIkadm5.acl(5)\fP file
+on the admin server.
.SS add_principal
.INDENT 0.0
.INDENT 3.5
-.sp
\fBadd_principal\fP [\fIoptions\fP] \fInewprinc\fP
.UNINDENT
.UNINDENT
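Review bot: the whole DATE FORMAT section is removed here, but no hunk in this diff adds it anywhere else, and the option descriptions added further down in this file now say "(\fIgetdate\fP string)" without defining the term. Either keep a one-line pointer at this spot to wherever the getdate format now lives, or name that document in SEE ALSO; as written the page tells the user an option takes a getdate string and gives no way to find out what one looks like. The removed caveat "Specifying "ago" in a duration may result in unexpected behavior" is also lost and should survive somewhere if it is still true.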
@@ -304,76 +202,62 @@ Options:
.INDENT 0.0
.TP
.B \fB\-expire\fP \fIexpdate\fP
-.sp
-expiration date of the principal
+(\fIgetdate\fP string) The expiration date of the principal.
.TP
.B \fB\-pwexpire\fP \fIpwexpdate\fP
-.sp
-password expiration date
+(\fIgetdate\fP string) The password expiration date.
.TP
.B \fB\-maxlife\fP \fImaxlife\fP
-.sp
-maximum ticket life for the principal
+(\fIgetdate\fP string) The maximum ticket life for the principal.
.TP
.B \fB\-maxrenewlife\fP \fImaxrenewlife\fP
-.sp
-maximum renewable life of tickets for the principal
+(\fIgetdate\fP string) The maximum renewable life of tickets for
+the principal.
.TP
.B \fB\-kvno\fP \fIkvno\fP
-.sp
-initial key version number
+The initial key version number.
.TP
.B \fB\-policy\fP \fIpolicy\fP
-.sp
-password policy used by this principal. If not specified, the
+The password policy used by this principal. If not specified, the
policy \fBdefault\fP is used if it exists (unless \fB\-clearpolicy\fP
is specified).
.TP
.B \fB\-clearpolicy\fP
-.sp
-prevents any policy from being assigned when \fB\-policy\fP is not
+Prevents any policy from being assigned when \fB\-policy\fP is not
specified.
.TP
.B {\-|+}\fBallow_postdated\fP
-.sp
\fB\-allow_postdated\fP prohibits this principal from obtaining
postdated tickets. \fB+allow_postdated\fP clears this flag.
.TP
.B {\-|+}\fBallow_forwardable\fP
-.sp
\fB\-allow_forwardable\fP prohibits this principal from obtaining
forwardable tickets. \fB+allow_forwardable\fP clears this flag.
.TP
.B {\-|+}\fBallow_renewable\fP
-.sp
\fB\-allow_renewable\fP prohibits this principal from obtaining
renewable tickets. \fB+allow_renewable\fP clears this flag.
.TP
.B {\-|+}\fBallow_proxiable\fP
-.sp
\fB\-allow_proxiable\fP prohibits this principal from obtaining
proxiable tickets. \fB+allow_proxiable\fP clears this flag.
.TP
.B {\-|+}\fBallow_dup_skey\fP
-.sp
\fB\-allow_dup_skey\fP disables user\-to\-user authentication for this
principal by prohibiting this principal from obtaining a session
key for another user. \fB+allow_dup_skey\fP clears this flag.
.TP
.B {\-|+}\fBrequires_preauth\fP
-.sp
\fB+requires_preauth\fP requires this principal to preauthenticate
before being allowed to kinit. \fB\-requires_preauth\fP clears this
flag.
.TP
.B {\-|+}\fBrequires_hwauth\fP
-.sp
\fB+requires_hwauth\fP requires this principal to preauthenticate
using a hardware device before being allowed to kinit.
\fB\-requires_hwauth\fP clears this flag.
.TP
.B {\-|+}\fBok_as_delegate\fP
-.sp
\fB+ok_as_delegate\fP sets the \fBokay as delegate\fP flag on tickets
issued with this principal as the service. Clients may use this
flag as a hint that credentials should be delegated when
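Review bot: "(\fIgetdate\fP string)" is applied uniformly to `\-expire`/`\-pwexpire`, which are absolute dates, and to `\-maxlife`/`\-maxrenewlife`, which are durations, yet the DATE FORMAT text removed in the previous hunk said the same string is interpreted as relative when it appears "in a field where a duration is expected". Tag the duration options differently (for example "(\fIgetdate\fP duration)") so that distinction is not lost now that the explanatory section is gone.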
@@ -381,87 +265,71 @@ authenticating to the service. \fB\-ok_as_delegate\fP clears this
flag.
.TP
.B {\-|+}\fBallow_svr\fP
-.sp
\fB\-allow_svr\fP prohibits the issuance of service tickets for this
principal. \fB+allow_svr\fP clears this flag.
.TP
.B {\-|+}\fBallow_tgs_req\fP
-.sp
\fB\-allow_tgs_req\fP specifies that a Ticket\-Granting Service (TGS)
request for a service ticket for this principal is not permitted.
\fB+allow_tgs_req\fP clears this flag.
.TP
.B {\-|+}\fBallow_tix\fP
-.sp
\fB\-allow_tix\fP forbids the issuance of any tickets for this
principal. \fB+allow_tix\fP clears this flag.
.TP
.B {\-|+}\fBneedchange\fP
-.sp
\fB+needchange\fP forces a password change on the next initial
authentication to this principal. \fB\-needchange\fP clears this
flag.
.TP
.B {\-|+}\fBpassword_changing_service\fP
-.sp
\fB+password_changing_service\fP marks this principal as a password
change service principal.
.TP
.B \fB\-randkey\fP
-.sp
-sets the key of the principal to a random value
+Sets the key of the principal to a random value.
.TP
.B \fB\-pw\fP \fIpassword\fP
-.sp
-sets the password of the principal to the specified string and
+Sets the password of the principal to the specified string and
does not prompt for a password. Note: using this option in a
shell script may expose the password to other users on the system
via the process list.
.TP
.B \fB\-e\fP \fIenc\fP:\fIsalt\fP,...
-.sp
-uses the specified list of enctype\-salttype pairs for setting the
+Uses the specified list of enctype\-salttype pairs for setting the
key of the principal.
.TP
.B \fB\-x\fP \fIdb_princ_args\fP
-.sp
-indicates database\-specific options. The options for the LDAP
+Indicates database\-specific options. The options for the LDAP
database module are:
.INDENT 7.0
.TP
.B \fB\-x dn=\fP\fIdn\fP
-.sp
-specifies the LDAP object that will contain the Kerberos
+Specifies the LDAP object that will contain the Kerberos
principal being created.
.TP
.B \fB\-x linkdn=\fP\fIdn\fP
-.sp
-specifies the LDAP object to which the newly created Kerberos
+Specifies the LDAP object to which the newly created Kerberos
principal object will point.
.TP
.B \fB\-x containerdn=\fP\fIcontainer_dn\fP
-.sp
-specifies the container object under which the Kerberos
+Specifies the container object under which the Kerberos
principal is to be created.
.TP
.B \fB\-x tktpolicy=\fP\fIpolicy\fP
-.sp
-associates a ticket policy to the Kerberos principal.
+Associates a ticket policy to the Kerberos principal.
.UNINDENT
.IP Note
.INDENT 7.0
.IP \(bu 2
-.
The \fBcontainerdn\fP and \fBlinkdn\fP options cannot be
specified with the \fBdn\fP option.
.IP \(bu 2
-.
If the \fIdn\fP or \fIcontainerdn\fP options are not specified while
adding the principal, the principals are created under the
principal container configured in the realm or the realm
container.
.IP \(bu 2
-.
\fIdn\fP and \fIcontainerdn\fP should be within the subtrees or
principal container configured in the realm.
.UNINDENT
@@ -488,7 +356,6 @@ kadmin:
.SS modify_principal
.INDENT 0.0
.INDENT 3.5
-.sp
\fBmodify_principal\fP [\fIoptions\fP] \fIprincipal\fP
.UNINDENT
.UNINDENT
@@ -506,7 +373,6 @@ Options (in addition to the \fBaddprinc\fP options):
.INDENT 0.0
.TP
.B \fB\-unlock\fP
-.sp
Unlocks a locked principal (one which has received too many failed
authentication attempts without enough time between them according
to its password policy) so that it can successfully authenticate.
@@ -514,7 +380,6 @@ to its password policy) so that it can successfully authenticate.
.SS rename_principal
.INDENT 0.0
.INDENT 3.5
-.sp
\fBrename_principal\fP [\fB\-force\fP] \fIold_principal\fP \fInew_principal\fP
.UNINDENT
.UNINDENT
@@ -529,7 +394,6 @@ Alias: \fBrenprinc\fP
.SS delete_principal
.INDENT 0.0
.INDENT 3.5
-.sp
\fBdelete_principal\fP [\fB\-force\fP] \fIprincipal\fP
.UNINDENT
.UNINDENT
@@ -543,7 +407,6 @@ Alias: \fBdelprinc\fP
.SS change_password
.INDENT 0.0
.INDENT 3.5
-.sp
\fBchange_password\fP [\fIoptions\fP] \fIprincipal\fP
.UNINDENT
.UNINDENT
@@ -561,22 +424,18 @@ The following options are available:
.INDENT 0.0
.TP
.B \fB\-randkey\fP
-.sp
-Sets the key of the principal to a random value
+Sets the key of the principal to a random value.
.TP
.B \fB\-pw\fP \fIpassword\fP
-.sp
Set the password to the specified string. Using this option in a
script may expose the password to other users on the system via
the process list.
.TP
.B \fB\-e\fP \fIenc\fP:\fIsalt\fP,...
-.sp
Uses the specified list of enctype\-salttype pairs for setting the
key of the principal.
.TP
.B \fB\-keepold\fP
-.sp
Keeps the existing keys in the database. This flag is usually not
necessary except perhaps for \fBkrbtgt\fP principals.
.UNINDENT
@@ -599,7 +458,6 @@ kadmin:
.SS purgekeys
.INDENT 0.0
.INDENT 3.5
-.sp
\fBpurgekeys\fP [\fB\-keepkvno\fP \fIoldest_kvno_to_keep\fP] \fIprincipal\fP
.UNINDENT
.UNINDENT
@@ -612,7 +470,6 @@ This command requires the \fBmodify\fP privilege.
.SS get_principal
.INDENT 0.0
.INDENT 3.5
-.sp
\fBget_principal\fP [\fB\-terse\fP] \fIprincipal\fP
.UNINDENT
.UNINDENT
@@ -660,7 +517,6 @@ kadmin:
.SS list_principals
.INDENT 0.0
.INDENT 3.5
-.sp
\fBlist_principals\fP [\fIexpression\fP]
.UNINDENT
.UNINDENT
@@ -696,13 +552,11 @@ kadmin:
.SS get_strings
.INDENT 0.0
.INDENT 3.5
-.sp
\fBget_strings\fP \fIprincipal\fP
.UNINDENT
.UNINDENT
.sp
-Displays string attributes on \fIprincipal\fP. String attributes are used
-to supply per\-principal configuration to some KDC plugin modules.
+Displays string attributes on \fIprincipal\fP.
.sp
This command requires the \fBinquire\fP privilege.
.sp
@@ -710,12 +564,21 @@ Alias: \fBgetstr\fP
.SS set_string
.INDENT 0.0
.INDENT 3.5
-.sp
\fBset_string\fP \fIprincipal\fP \fIkey\fP \fIvalue\fP
.UNINDENT
.UNINDENT
.sp
-Sets a string attribute on \fIprincipal\fP.
+Sets a string attribute on \fIprincipal\fP. String attributes are used to
+supply per\-principal configuration to the KDC and some KDC plugin
+modules. The following string attributes are recognized by the KDC:
+.INDENT 0.0
+.TP
+.B \fBsession_enctypes\fP
+Specifies the encryption types supported for session keys when the
+principal is authenticated to as a server. See
+\fIEncryption_and_salt_types\fP in \fIkdc.conf(5)\fP for a list
+of the accepted values.
+.UNINDENT
.sp
This command requires the \fBmodify\fP privilege.
.sp
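Review bot: the sentence explaining what string attributes are for was removed from get_strings in the previous hunk and re-added here under set_string, so a reader who lands on get_strings now sees only "Displays string attributes on principal" with no hint of what they do; keep a short pointer there ("see set_string") or leave the explanation in both places. Also, "when the principal is authenticated to as a server" reads awkwardly; "when this principal is the server for a ticket request" says the same thing more plainly.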
@@ -723,7 +586,6 @@ Alias: \fBsetstr\fP
.SS del_string
.INDENT 0.0
.INDENT 3.5
-.sp
\fBdel_string\fP \fIprincipal\fP \fIkey\fP
.UNINDENT
.UNINDENT
@@ -736,7 +598,6 @@ Alias: \fBdelstr\fP
.SS add_policy
.INDENT 0.0
.INDENT 3.5
-.sp
\fBadd_policy\fP [\fIoptions\fP] \fIpolicy\fP
.UNINDENT
.UNINDENT
@@ -751,47 +612,47 @@ The following options are available:
.INDENT 0.0
.TP
.B \fB\-maxlife\fP \fItime\fP
-.sp
-sets the maximum lifetime of a password
+(\fIgetdate\fP string) Sets the maximum lifetime of a password.
.TP
.B \fB\-minlife\fP \fItime\fP
-.sp
-sets the minimum lifetime of a password
+(\fIgetdate\fP string) Sets the minimum lifetime of a password.
.TP
.B \fB\-minlength\fP \fIlength\fP
-.sp
-sets the minimum length of a password
+Sets the minimum length of a password.
.TP
.B \fB\-minclasses\fP \fInumber\fP
-.sp
-sets the minimum number of character classes required in a
+Sets the minimum number of character classes required in a
password. The five character classes are lower case, upper case,
numbers, punctuation, and whitespace/unprintable characters.
.TP
.B \fB\-history\fP \fInumber\fP
-.sp
-sets the number of past keys kept for a principal. This option is
+Sets the number of past keys kept for a principal. This option is
not supported with the LDAP KDC database module.
.TP
.B \fB\-maxfailure\fP \fImaxnumber\fP
-.sp
-sets the maximum number of authentication failures before the
+Sets the maximum number of authentication failures before the
principal is locked. Authentication failures are only tracked for
principals which require preauthentication.
.TP
.B \fB\-failurecountinterval\fP \fIfailuretime\fP
-.sp
-sets the allowable time between authentication failures. If an
-authentication failure happens after \fIfailuretime\fP has elapsed
-since the previous failure, the number of authentication failures
-is reset to 1.
+(\fIgetdate\fP string) Sets the allowable time between
+authentication failures. If an authentication failure happens
+after \fIfailuretime\fP has elapsed since the previous failure,
+the number of authentication failures is reset to 1.
.TP
.B \fB\-lockoutduration\fP \fIlockouttime\fP
-.sp
-sets the duration for which the principal is locked from
-authenticating if too many authentication failures occur without
-the specified failure count interval elapsing. A duration of 0
-means forever.
+(\fIgetdate\fP string) Sets the duration for which the principal
+is locked from authenticating if too many authentication failures
+occur without the specified failure count interval elapsing.
+A duration of 0 means forever.
+.TP
+.B \fB\-allowedkeysalts\fP
+Specifies the key/salt tuples supported for long\-term keys when
+setting or changing a principal\(aqs password/keys. See
+\fIEncryption_and_salt_types\fP in \fIkdc.conf(5)\fP for a list
+of the accepted values, but note that key/salt tuples must be
+separated with commas (\(aq,\(aq) only. To clear the allowed key/salt
+policy use a value of \(aq\-\(aq.
.UNINDENT
.sp
Example:
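Review bot: the new `.B \fB\-allowedkeysalts\fP` line omits the argument placeholder, although the text that follows describes a value (a comma-separated list of key/salt tuples, or `\-` to clear it). Every other option in this list shows its argument, so this should read something like `\fB\-allowedkeysalts\fP \fIkeysalts\fP`, and the description should name the argument the same way `\-e \fIenc\fP:\fIsalt\fP,...` does above.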
@@ -809,7 +670,6 @@ kadmin:
.SS modify_policy
.INDENT 0.0
.INDENT 3.5
-.sp
\fBmodify_policy\fP [\fIoptions\fP] \fIpolicy\fP
.UNINDENT
.UNINDENT
@@ -823,7 +683,6 @@ Alias: \fBmodpol\fP
.SS delete_policy
.INDENT 0.0
.INDENT 3.5
-.sp
\fBdelete_policy\fP [\fB\-force\fP] \fIpolicy\fP
.UNINDENT
.UNINDENT
@@ -853,7 +712,6 @@ kadmin:
.SS get_policy
.INDENT 0.0
.INDENT 3.5
-.sp
\fBget_policy\fP [ \fB\-terse\fP ] \fIpolicy\fP
.UNINDENT
.UNINDENT
@@ -895,7 +753,6 @@ meaningful.
.SS list_policies
.INDENT 0.0
.INDENT 3.5
-.sp
\fBlist_policies\fP [\fIexpression\fP]
.UNINDENT
.UNINDENT
@@ -933,8 +790,11 @@ kadmin:
.SS ktadd
.INDENT 0.0
.INDENT 3.5
+.nf
+\fBktadd\fP [options] \fIprincipal\fP
+\fBktadd\fP [options] \fB\-glob\fP \fIprinc\-exp\fP
+.fi
.sp
-\fBktadd\fP [[\fIprincipal\fP|\fB\-glob\fP \fIprinc\-exp\fP]
.UNINDENT
.UNINDENT
.sp
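Review bot: the two new ktadd synopsis lines write `[options]` as plain text, while every other synopsis on this page uses `[\fIoptions\fP]`; use the same markup here (`\fBktadd\fP [\fIoptions\fP] \fIprincipal\fP`). The same plain `[options]` appears in the rewritten ktremove synopsis further down. The `.sp` kept after `.fi` also produces a stray blank line inside the indented block, since there is no text after it before `.UNINDENT`.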
@@ -944,27 +804,23 @@ The rules for \fIprinc\-exp\fP are described in the \fBlist_principals\fP
command.
.sp
This command requires the \fBinquire\fP and \fBchangepw\fP privileges.
-With the \fB\-glob\fP option, it also requires the \fBlist\fP privilege.
+With the \fB\-glob\fP form, it also requires the \fBlist\fP privilege.
.sp
The options are:
.INDENT 0.0
.TP
.B \fB\-k[eytab]\fP \fIkeytab\fP
-.sp
Use \fIkeytab\fP as the keytab file. Otherwise, the default keytab is
used.
.TP
.B \fB\-e\fP \fIenc\fP:\fIsalt\fP,...
-.sp
Use the specified list of enctype\-salttype pairs for setting the
new keys of the principal.
.TP
.B \fB\-q\fP
-.sp
Display less verbose information.
.TP
.B \fB\-norandkey\fP
-.sp
Do not randomize the keys. The keys and their version numbers stay
unchanged. This option is only available in kadmin.local, and
cannot be specified in combination with the \fB\-e\fP option.
@@ -992,8 +848,7 @@ kadmin:
.SS ktremove
.INDENT 0.0
.INDENT 3.5
-.sp
-\fBktremove\fP \fIprincipal\fP [\fIkvno\fP|\fIall\fP| \fIold\fP]
+\fBktremove\fP [options] \fIprincipal\fP [\fIkvno\fP | \fIall\fP | \fIold\fP]
.UNINDENT
.UNINDENT
.sp
@@ -1010,12 +865,10 @@ The options are:
.INDENT 0.0
.TP
.B \fB\-k[eytab]\fP \fIkeytab\fP
-.sp
Use \fIkeytab\fP as the keytab file. Otherwise, the default keytab is
used.
.TP
.B \fB\-q\fP
-.sp
Display less verbose information.
.UNINDENT
.sp
@@ -1060,6 +913,6 @@ interface to the OpenVision Kerberos administration program.
.SH AUTHOR
MIT
.SH COPYRIGHT
-2011, MIT
+2012, MIT
.\" Generated by docutils manpage writer.
.
diff --git a/src/man/kadmind.man b/src/man/kadmind.man
index 83167996e8..51bcaebb7e 100644
--- a/src/man/kadmind.man
+++ b/src/man/kadmind.man
@@ -28,7 +28,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.\" Man page generated from reStructeredText.
+.\" Man page generated from reStructuredText.
.
.SH SYNOPSIS
.sp
@@ -39,6 +39,9 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
[\fB\-nofork\fP]
[\fB\-port\fP \fIport\-number\fP]
[\fB\-P\fP \fIpid_file\fP]
+[\fB\-p\fP \fIkdb5_util_path\fP]
+[\fB\-K\fP \fIkprop_path\fP]
+[\fB\-F\fP \fIdump_file\fP]
.SH DESCRIPTION
.sp
kadmind starts the Kerberos administration server. kadmind typically
@@ -53,23 +56,17 @@ for it to work:
.INDENT 0.0
.TP
.B \fIkdc.conf(5)\fP
-.sp
The KDC configuration file contains configuration information for
the KDC and admin servers. kadmind uses settings in this file to
locate the Kerberos database, and is also affected by the
\fBacl_file\fP, \fBdict_file\fP, \fBkadmind_port\fP, and iprop\-related
settings.
.TP
-.B ACL file
-.
+.B \fIkadm5.acl(5)\fP
kadmind\(aqs ACL (access control list) tells it which principals are
allowed to perform administration actions. The pathname to the
-ACL file can be specified with the \fBacl_file\fP kdc.conf variable;
-by default, it is \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/kadm5.acl\fP. The syntax of the ACL
-file is specified in the ACL FILE SYNTAX section below.
-.sp
-If the kadmind ACL file is modified, the kadmind daemon needs to
-be restarted for changes to take effect.
+ACL file can be specified with the \fBacl_file\fP \fIkdc.conf(5)\fP
+variable; by default, it is \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/kadm5.acl\fP.
.UNINDENT
.sp
After the server begins running, it puts itself in the background and
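Review bot: the removed sentence "If the kadmind ACL file is modified, the kadmind daemon needs to be restarted for changes to take effect" is an operational caveat that an administrator needs at the moment they edit the ACL, and nothing in this diff shows it being carried into \fIkadm5.acl(5)\fP. Keep it here as a single line next to the pathname, or confirm it is present in the kadm5.acl page this hunk now points to.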
@@ -87,38 +84,44 @@ registered in the database.
.INDENT 0.0
.TP
.B \fB\-r\fP \fIrealm\fP
-.sp
specifies the realm that kadmind will serve; if it is not
specified, the default realm of the host is used.
.TP
.B \fB\-m\fP
-.sp
causes the master database password to be fetched from the
keyboard (before the server puts itself in the background, if not
invoked with the \fB\-nofork\fP option) rather than from a file on
disk.
.TP
.B \fB\-nofork\fP
-.sp
causes the server to remain in the foreground and remain
associated to the terminal. In normal operation, you should allow
the server to place itself in the background.
.TP
.B \fB\-port\fP \fIport\-number\fP
-.sp
specifies the port on which the administration server listens for
connections. The default port is determined by the
\fBkadmind_port\fP configuration variable in \fIkdc.conf(5)\fP.
.TP
.B \fB\-P\fP \fIpid_file\fP
-.sp
specifies the file to which the PID of kadmind process should be
written after it starts up. This file can be used to identify
whether kadmind is still running and to allow init scripts to stop
the correct process.
.TP
+.B \fB\-p\fP \fIkdb5_util_path\fP
+specifies the path to the kdb5_util command to use when dumping the
+KDB in response to full resync requests when iprop is enabled.
+.TP
+.B \fB\-K\fP \fIkprop_path\fP
+specifies the path to the kprop command to use to send full dumps
+to slaves in response to full resync requests.
+.TP
+.B \fB\-F\fP \fIdump_file\fP
+specifies the file path to be used for dumping the KDB in response
+to full resync requests when iprop is enabled.
+.TP
.B \fB\-x\fP \fIdb_args\fP
-.sp
specifies database\-specific arguments.
.sp
Options supported for LDAP database are:
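Review bot: `\-p` and `\-K` name executables that kadmind itself will run, with kadmind's privileges, to dump the KDB and push it to slaves, and `\-F` names a file that will receive a copy of the full KDB. The descriptions should state that the two paths must be absolute paths to trusted binaries and that the dump file must live in a directory only the KDC account can read, since a world-writable or predictable path there is a direct route to either running an attacker's binary or reading the database. Minor consistency point: `\-K` lacks the "when iprop is enabled" qualifier that `\-p` and `\-F` both carry.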
@@ -127,16 +130,13 @@ Options supported for LDAP database are:
.INDENT 0.0
.TP
.B \fB\-x nconns=\fP\fInumber_of_connections\fP
-.sp
specifies the number of connections to be maintained per
LDAP server.
.TP
.B \fB\-x host=\fP\fIldapuri\fP
-.sp
specifies the LDAP server to connect to by URI.
.TP
.B \fB\-x binddn=\fP\fIbinddn\fP
-.sp
specifies the DN of the object used by the administration
server to bind to the LDAP server. This object should
have read and write privileges on the realm container, the
@@ -144,7 +144,6 @@ principal container, and the subtree that is referenced by
the realm.
.TP
.B \fB\-x bindpwd=\fP\fIbind_password\fP
-.sp
specifies the password for the above mentioned binddn.
Using this option may expose the password to other users
on the system via the process list; to avoid this, instead
@@ -154,149 +153,13 @@ stash the password using the \fBstashsrvpw\fP command of
.UNINDENT
.UNINDENT
.UNINDENT
-.SH ACL FILE SYNTAX
-.sp
-The ACL file controls which principals can or cannot perform which
-administrative functions. For operations that affect principals, the
-ACL file also controls which principals can operate on which other
-principals. Empty lines and lines starting with the sharp sign
-(\fB#\fP) are ignored. Lines containing ACL entries have the format:
-.INDENT 0.0
-.INDENT 3.5
-.sp
-.nf
-.ft C
-principal operation\-mask [operation\-target]
-.ft P
-.fi
-.UNINDENT
-.UNINDENT
-.sp
-Ordering is important. The first matching entry will control access
-for an actor principal on a target principal.
-.INDENT 0.0
-.TP
-.B \fIprincipal\fP
-.sp
-may specify a partially or fully qualified Kerberos version 5
-principal name. Each component of the name may be wildcarded
-using the \fB*\fP character.
-.TP
-.B \fIoperation\-target\fP
-.sp
-[Optional] may specify a partially or fully qualified Kerberos
-version 5 principal name. Each component of the name may be
-wildcarded using the \fB*\fP character.
-.TP
-.B \fIoperation\-mask\fP
-.sp
-Specifies what operations may or may not be performed by a
-principal matching a particular entry. This is a string of one or
-more of the following list of characters or their upper\-case
-counterparts. If the character is upper\-case, then the operation
-is disallowed. If the character is lower\-case, then the operation
-is permitted.
-.TS
-center;
-|l|l|.
-_
-T{
-a
-T} T{
-[Dis]allows the addition of principals or policies
-T}
-_
-T{
-d
-T} T{
-[Dis]allows the deletion of principals or policies
-T}
-_
-T{
-m
-T} T{
-[Dis]allows the modification of principals or policies
-T}
-_
-T{
-c
-T} T{
-[Dis]allows the changing of passwords for principals
-T}
-_
-T{
-i
-T} T{
-[Dis]allows inquiries about principals or policies
-T}
-_
-T{
-l
-T} T{
-[Dis]allows the listing of principals or policies
-T}
-_
-T{
-p
-T} T{
-[Dis]allows the propagation of the principal database
-T}
-_
-T{
-x
-T} T{
-Short for admcil.
-T}
-_
-T{
-*
-T} T{
-Same as x.
-T}
-_
-.TE
-.sp
-Some examples of valid entries here are:
-.INDENT 7.0
-.TP
-.B \fBuser/instance@realm adm\fP
-.sp
-A standard fully qualified name. The \fIoperation\-mask\fP only
-applies to this principal and specifies that [s]he may add,
-delete, or modify principals and policies, but not change
-anybody else\(aqs password.
-.TP
-.B \fBuser/instance@realm cim service/instance@realm\fP
-.sp
-A standard fully qualified name and a standard fully qualified
-target. The \fIoperation\-mask\fP only applies to this principal
-operating on this target and specifies that [s]he may change
-the target\(aqs password, request information about the target,
-and modify it.
-.TP
-.B \fBuser/*@realm ac\fP
-.sp
-A wildcarded name. The \fIoperation\-mask\fP applies to all
-principals in realm \fBrealm\fP whose first component is
-\fBuser\fP and specifies that [s]he may add principals and
-change anybody\(aqs password.
-.TP
-.B \fBuser/*@realm i */instance@realm\fP
-.sp
-A wildcarded name and target. The \fIoperation\-mask\fP applies to
-all principals in realm \fBrealm\fP whose first component is
-\fBuser\fP and specifies that [s]he may perform inquiries on
-principals whose second component is \fBinstance\fP and realm is
-\fBrealm\fP.
-.UNINDENT
-.UNINDENT
.SH SEE ALSO
.sp
\fIkpasswd(1)\fP, \fIkadmin(1)\fP, \fIkdb5_util(8)\fP,
-\fIkdb5_ldap_util(8)\fP
+\fIkdb5_ldap_util(8)\fP, \fIkadm5.acl(5)\fP
.SH AUTHOR
MIT
.SH COPYRIGHT
-2011, MIT
+2012, MIT
.\" Generated by docutils manpage writer.
.
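Review bot: the new SEE ALSO reference to \fIkadm5.acl(5)\fP has no counterpart in this diff, which adds no kadm5.acl.man under src/man while deleting the whole ACL description (the \fIprincipal\fP / \fIoperation\-target\fP / \fIoperation\-mask\fP entries and the permission table) from this page. Confirm that the kadm5.acl(5) page is created and installed in the same change, otherwise the only documentation of the permission characters (a, d, m, c, i, l, p, x, *) disappears and the cross-reference dangles.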
diff --git a/src/man/kdb5_ldap_util.man b/src/man/kdb5_ldap_util.man
index 043d768f60..4f1e6bac96 100644
--- a/src/man/kdb5_ldap_util.man
+++ b/src/man/kdb5_ldap_util.man
@@ -28,7 +28,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.\" Man page generated from reStructeredText.
+.\" Man page generated from reStructuredText.
.
.SH SYNOPSIS
.sp
@@ -45,17 +45,14 @@ services and ticket policies.
.INDENT 0.0
.TP
.B \fB\-D\fP \fIuser_dn\fP
-.sp
Specifies the Distinguished Name (DN) of the user who has
sufficient rights to perform the operation on the LDAP server.
.TP
.B \fB\-w\fP \fIpasswd\fP
-.sp
Specifies the password of \fIuser_dn\fP. This option is not
recommended.
.TP
.B \fB\-H\fP \fIldapuri\fP
-.sp
Specifies the URI of the LDAP server. It is recommended to use
\fBldapi://\fP or \fBldaps://\fP to connect to the LDAP server.
.UNINDENT
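Review bot: the \fB\-w\fP \fIpasswd\fP entry says only "This option is not recommended" without giving the reason, and the same hunk is a good place to add it. The kdb5_util page in this diff phrases the equivalent \fB\-P\fP option as "Using this option may expose the password to other users on the system via the process list."; reusing that wording here tells the administrator what the risk actually is.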
@@ -63,7 +60,6 @@ Specifies the URI of the LDAP server. It is recommended to use
.SS create
.INDENT 0.0
.INDENT 3.5
-.sp
\fBcreate\fP
[\fB\-subtrees\fP \fIsubtree_dn_list\fP]
[\fB\-sscope\fP \fIsearch_scope\fP]
@@ -73,8 +69,6 @@ Specifies the URI of the LDAP server. It is recommended to use
[\fB\-m|\-P\fP \fIpassword\fP|\fB\-sf\fP \fIstashfilename\fP]
[\fB\-s\fP]
[\fB\-r\fP \fIrealm\fP]
-[\fB\-kdcdn\fP \fIkdc_service_list\fP]
-[\fB\-admindn\fP \fIadmin_service_list\fP]
[\fB\-maxtktlife\fP \fImax_ticket_life\fP]
[\fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP]
[\fIticket_flags\fP]
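Review bot: \fB\-kdcdn\fP and \fB\-admindn\fP are dropped from the \fBcreate\fP synopsis (and the matching \fB\-kdcdn\fP/\fB\-clearkdcdn\fP/\fB\-addkdcdn\fP and \fB\-admindn\fP/\fB\-clearadmindn\fP/\fB\-addadmindn\fP forms from \fBmodify\fP below) with no text explaining the change. If the binary still accepts these options for compatibility, a one-line note that they are deprecated and ignored would save readers with existing scripts from guessing; if it rejects them, say that instead.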
@@ -85,68 +79,56 @@ Creates realm in directory. Options:
.INDENT 0.0
.TP
.B \fB\-subtrees\fP \fIsubtree_dn_list\fP
-.sp
Specifies the list of subtrees containing the principals of a
realm. The list contains the DNs of the subtree objects separated
by colon (\fB:\fP).
.TP
.B \fB\-sscope\fP \fIsearch_scope\fP
-.sp
Specifies the scope for searching the principals under the
subtree. The possible values are 1 or one (one level), 2 or sub
(subtrees).
.TP
.B \fB\-containerref\fP \fIcontainer_reference_dn\fP
-.sp
Specifies the DN of the container object in which the principals
of a realm will be created. If the container reference is not
configured for a realm, the principals will be created in the
realm container.
.TP
.B \fB\-k\fP \fImkeytype\fP
-.sp
Specifies the key type of the master key in the database. The
default is given by the \fBmaster_key_type\fP variable in
\fIkdc.conf(5)\fP.
.TP
.B \fB\-kv\fP \fImkeyVNO\fP
-.sp
Specifies the version number of the master key in the database;
the default is 1. Note that 0 is not allowed.
.TP
.B \fB\-m\fP
-.sp
Specifies that the master database password should be read from
the TTY rather than fetched from a file on the disk.
.TP
.B \fB\-P\fP \fIpassword\fP
-.sp
Specifies the master database password. This option is not
recommended.
.TP
.B \fB\-r\fP \fIrealm\fP
-.sp
Specifies the Kerberos realm of the database.
.TP
.B \fB\-sf\fP \fIstashfilename\fP
-.sp
Specifies the stash file of the master database password.
.TP
.B \fB\-s\fP
-.sp
Specifies that the stash file is to be created.
.TP
.B \fB\-maxtktlife\fP \fImax_ticket_life\fP
-.sp
-Specifies maximum ticket life for principals in this realm.
+(\fIgetdate\fP string) Specifies maximum ticket life for
+principals in this realm.
.TP
.B \fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP
-.sp
-Specifies maximum renewable life of tickets for principals in this
-realm.
+(\fIgetdate\fP string) Specifies maximum renewable life of
+tickets for principals in this realm.
.TP
.B \fIticket_flags\fP
-.sp
Specifies global ticket flags for the realm. Allowable flags are
documented in the description of the \fBadd_principal\fP command in
\fIkadmin(1)\fP.
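Review bot: the hunk introduces "(\fIgetdate\fP string)" as the type of \fB\-maxtktlife\fP and \fB\-maxrenewlife\fP but nothing on this page says where that format is defined, and the kdc.conf.man hunk in the same diff labels the equivalent \fBmax_life\fP and \fBmax_renewable_life\fP relations "(\fIduration\fP string.)". Pick one vocabulary for ticket lifetimes across the pages, or add a pointer to the page that defines the getdate syntax, so the reader can tell whether "10h" and an absolute date are both accepted here.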
@@ -173,14 +155,11 @@ Re\-enter KDC database master key to verify:
.SS modify
.INDENT 0.0
.INDENT 3.5
-.sp
\fBmodify\fP
[\fB\-subtrees\fP \fIsubtree_dn_list\fP]
[\fB\-sscope\fP \fIsearch_scope\fP]
[\fB\-containerref\fP \fIcontainer_reference_dn\fP]
[\fB\-r\fP \fIrealm\fP]
-[\fB\-kdcdn\fP \fIkdc_service_list\fP | [\fB\-clearkdcdn\fP \fIkdc_service_list\fP] [\fB\-addkdcdn\fP \fIkdc_service_list\fP]]
-[\fB\-admindn\fP \fIadmin_service_list\fP | [\fB\-clearadmindn\fP \fIadmin_service_list\fP] [\fB\-addadmindn\fP \fIadmin_service_list\fP]]
[\fB\-maxtktlife\fP \fImax_ticket_life\fP]
[\fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP]
[\fIticket_flags\fP]
@@ -191,37 +170,31 @@ Modifies the attributes of a realm. Options:
.INDENT 0.0
.TP
.B \fB\-subtrees\fP \fIsubtree_dn_list\fP
-.sp
Specifies the list of subtrees containing the principals of a
realm. The list contains the DNs of the subtree objects separated
by colon (\fB:\fP). This list replaces the existing list.
.TP
.B \fB\-sscope\fP \fIsearch_scope\fP
-.sp
Specifies the scope for searching the principals under the
subtrees. The possible values are 1 or one (one level), 2 or sub
(subtrees).
.TP
.B \fB\-containerref\fP \fIcontainer_reference_dn\fP Specifies the DN of the
-.sp
container object in which the principals of a realm will be
created.
.TP
.B \fB\-r\fP \fIrealm\fP
-.sp
Specifies the Kerberos realm of the database.
.TP
.B \fB\-maxtktlife\fP \fImax_ticket_life\fP
-.sp
-Specifies maximum ticket life for principals in this realm.
+(\fIgetdate\fP string) Specifies maximum ticket life for
+principals in this realm.
.TP
.B \fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP
-.sp
-Specifies maximum renewable life of tickets for principals in this
-realm.
+(\fIgetdate\fP string) Specifies maximum renewable life of
+tickets for principals in this realm.
.TP
.B \fIticket_flags\fP
-.sp
Specifies global ticket flags for the realm. Allowable flags are
documented in the description of the \fBadd_principal\fP command in
\fIkadmin(1)\fP.
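Review bot: the \fB\-containerref\fP entry in the \fBmodify\fP options still carries the start of its description on the \fB.B\fP tag line ("\fB\-containerref\fP \fIcontainer_reference_dn\fP Specifies the DN of the"), so "Specifies the DN of the" renders as part of the bold option name and the body begins mid-sentence. Since this hunk already touches the entry to remove the \fB.sp\fP, move the words down to open the body:
.B \fB\-containerref\fP \fIcontainer_reference_dn\fP
Specifies the DN of the container object in which the principals of a
realm will be created.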
@@ -245,7 +218,6 @@ shell%
.SS view
.INDENT 0.0
.INDENT 3.5
-.sp
\fBview\fP [\fB\-r\fP \fIrealm\fP]
.UNINDENT
.UNINDENT
@@ -254,7 +226,6 @@ Displays the attributes of a realm. Options:
.INDENT 0.0
.TP
.B \fB\-r\fP \fIrealm\fP
-.sp
Specifies the Kerberos realm of the database.
.UNINDENT
.sp
@@ -281,7 +252,6 @@ Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
.SS destroy
.INDENT 0.0
.INDENT 3.5
-.sp
\fBdestroy\fP [\fB\-f\fP] [\fB\-r\fP \fIrealm\fP]
.UNINDENT
.UNINDENT
@@ -290,11 +260,9 @@ Destroys an existing realm. Options:
.INDENT 0.0
.TP
.B \fB\-f\fP
-.sp
If specified, will not prompt the user for confirmation.
.TP
.B \fB\-r\fP \fIrealm\fP
-.sp
Specifies the Kerberos realm of the database.
.UNINDENT
.sp
@@ -318,7 +286,6 @@ shell%
.SS list
.INDENT 0.0
.INDENT 3.5
-.sp
\fBlist\fP
.UNINDENT
.UNINDENT
@@ -345,7 +312,6 @@ shell%
.SS stashsrvpw
.INDENT 0.0
.INDENT 3.5
-.sp
\fBstashsrvpw\fP
[\fB\-f\fP \fIfilename\fP]
\fIservicedn\fP
@@ -358,12 +324,10 @@ to the LDAP server. Options:
.INDENT 0.0
.TP
.B \fB\-f\fP \fIfilename\fP
-.sp
Specifies the complete path of the service password file. By
default, \fB/usr/local/var/service_passwd\fP is used.
.TP
.B \fIservicedn\fP
-.sp
Specifies Distinguished Name (DN) of the service object whose
password is to be stored in file.
.UNINDENT
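Review bot: the \fB\-f\fP \fIfilename\fP default is given as the hard-coded path \fB/usr/local/var/service_passwd\fP, while the kdc.conf.man hunks in this same diff use the \fB@LOCALSTATEDIR@\fP substitution for build-dependent paths; the default shown here will be wrong for any install with a different prefix. Use the placeholder as the other pages do. Minor: the \fIservicedn\fP text reads "Specifies Distinguished Name (DN) of the service object whose password is to be stored in file"; "the Distinguished Name" and "in the file" read better.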
@@ -385,7 +349,6 @@ Re\-enter password for "cn=service\-kdc,o=org":
.SS create_policy
.INDENT 0.0
.INDENT 3.5
-.sp
\fBcreate_policy\fP
[\fB\-r\fP \fIrealm\fP]
[\fB\-maxtktlife\fP \fImax_ticket_life\fP]
@@ -399,26 +362,23 @@ Creates a ticket policy in the directory. Options:
.INDENT 0.0
.TP
.B \fB\-r\fP \fIrealm\fP
-.sp
Specifies the Kerberos realm of the database.
.TP
.B \fB\-maxtktlife\fP \fImax_ticket_life\fP
-.sp
-Specifies maximum ticket life for principals.
+(\fIgetdate\fP string) Specifies maximum ticket life for
+principals.
.TP
.B \fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP
-.sp
-Specifies maximum renewable life of tickets for principals.
+(\fIgetdate\fP string) Specifies maximum renewable life of
+tickets for principals.
.TP
.B \fIticket_flags\fP
-.sp
Specifies the ticket flags. If this option is not specified, by
default, no restriction will be set by the policy. Allowable
flags are documented in the description of the \fBadd_principal\fP
command in \fIkadmin(1)\fP.
.TP
.B \fIpolicy_name\fP
-.sp
Specifies the name of the ticket policy.
.UNINDENT
.sp
@@ -440,7 +400,6 @@ Password for "cn=admin,o=org":
.SS modify_policy
.INDENT 0.0
.INDENT 3.5
-.sp
\fBmodify_policy\fP
[\fB\-r\fP \fIrealm\fP]
[\fB\-maxtktlife\fP \fImax_ticket_life\fP]
@@ -471,7 +430,6 @@ Password for "cn=admin,o=org":
.SS view_policy
.INDENT 0.0
.INDENT 3.5
-.sp
\fBview_policy\fP
[\fB\-r\fP \fIrealm\fP]
\fIpolicy_name\fP
@@ -482,7 +440,6 @@ Displays the attributes of a ticket policy. Options:
.INDENT 0.0
.TP
.B \fIpolicy_name\fP
-.sp
Specifies the name of the ticket policy.
.UNINDENT
.sp
@@ -506,7 +463,6 @@ Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
.SS destroy_policy
.INDENT 0.0
.INDENT 3.5
-.sp
\fBdestroy_policy\fP
[\fB\-r\fP \fIrealm\fP]
[\fB\-force\fP]
@@ -518,16 +474,13 @@ Destroys an existing ticket policy. Options:
.INDENT 0.0
.TP
.B \fB\-r\fP \fIrealm\fP
-.sp
Specifies the Kerberos realm of the database.
.TP
.B \fB\-force\fP
-.sp
Forces the deletion of the policy object. If not specified, the
user will be prompted for confirmation before deleting the policy.
.TP
.B \fIpolicy_name\fP
-.sp
Specifies the name of the ticket policy.
.UNINDENT
.sp
@@ -550,7 +503,6 @@ This will delete the policy object \(aqtktpolicy\(aq, are you sure?
.SS list_policy
.INDENT 0.0
.INDENT 3.5
-.sp
\fBlist_policy\fP
[\fB\-r\fP \fIrealm\fP]
.UNINDENT
@@ -561,7 +513,6 @@ realm. Options:
.INDENT 0.0
.TP
.B \fB\-r\fP \fIrealm\fP
-.sp
Specifies the Kerberos realm of the database.
.UNINDENT
.sp
@@ -587,6 +538,6 @@ userpolicy
.SH AUTHOR
MIT
.SH COPYRIGHT
-2011, MIT
+2012, MIT
.\" Generated by docutils manpage writer.
.
diff --git a/src/man/kdb5_util.man b/src/man/kdb5_util.man
index b35513886b..b89ed00c88 100644
--- a/src/man/kdb5_util.man
+++ b/src/man/kdb5_util.man
@@ -28,7 +28,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.\" Man page generated from reStructeredText.
+.\" Man page generated from reStructuredText.
.
.SH SYNOPSIS
.sp
@@ -59,46 +59,38 @@ commands.
.INDENT 0.0
.TP
.B \fB\-r\fP \fIrealm\fP
-.sp
specifies the Kerberos realm of the database.
.TP
.B \fB\-d\fP \fIdbname\fP
-.sp
specifies the name under which the principal database is stored;
by default the database is that listed in \fIkdc.conf(5)\fP. The
password policy database and lock files are also derived from this
value.
.TP
.B \fB\-k\fP \fImkeytype\fP
-.sp
specifies the key type of the master key in the database. The
default is given by the \fBmaster_key_type\fP variable in
\fIkdc.conf(5)\fP.
.TP
.B \fB\-kv\fP \fImkeyVNO\fP
-.sp
Specifies the version number of the master key in the database;
the default is 1. Note that 0 is not allowed.
.TP
.B \fB\-M\fP \fImkeyname\fP
-.sp
principal name for the master key in the database. If not
specified, the name is determined by the \fBmaster_key_name\fP
variable in \fIkdc.conf(5)\fP.
.TP
.B \fB\-m\fP
-.sp
specifies that the master database password should be read from
the keyboard rather than fetched from a file on disk.
.TP
.B \fB\-sf\fP \fIstash_file\fP
-.sp
specifies the stash filename of the master database password. If
not specified, the filename is determined by the
\fBkey_stash_file\fP variable in \fIkdc.conf(5)\fP.
.TP
.B \fB\-P\fP \fIpassword\fP
-.sp
specifies the master database password. Using this option may
expose the password to other users on the system via the process
list.
@@ -107,7 +99,6 @@ list.
.SS create
.INDENT 0.0
.INDENT 3.5
-.sp
\fBcreate\fP [\fB\-s\fP]
.UNINDENT
.UNINDENT
@@ -119,7 +110,6 @@ if it had already existed when the program was first run.
.SS destroy
.INDENT 0.0
.INDENT 3.5
-.sp
\fBdestroy\fP [\fB\-f\fP]
.UNINDENT
.UNINDENT
@@ -130,17 +120,16 @@ the \fB\-f\fP argument, does not prompt the user.
.SS stash
.INDENT 0.0
.INDENT 3.5
-.sp
\fBstash\fP [\fB\-f\fP \fIkeyfile\fP]
.UNINDENT
.UNINDENT
.sp
Stores the master principal\(aqs keys in a stash file. The \fB\-f\fP
-argument can be used to override the \fIkeyfile\fP specified at startup.
+argument can be used to override the \fIkeyfile\fP specified in
+\fIkdc.conf(5)\fP.
.SS dump
.INDENT 0.0
.INDENT 3.5
-.sp
\fBdump\fP [\fB\-old\fP|\fB\-b6\fP|\fB\-b7\fP|\fB\-ov\fP|\fB\-r13\fP]
[\fB\-verbose\fP] [\fB\-mkey_convert\fP] [\fB\-new_mkey_file\fP \fImkey_file\fP]
[\fB\-rev\fP] [\fB\-recurse\fP] [\fIfilename\fP [\fIprincipals\fP...]]
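Review bot: the \fBstash\fP text now says \fB\-f\fP overrides "the \fIkeyfile\fP specified in \fIkdc.conf(5)\fP", but \fIkeyfile\fP is not the name of any kdc.conf relation; the \fB\-sf\fP option earlier on this page names it correctly as the \fBkey_stash_file\fP variable. Saying "overrides the \fBkey_stash_file\fP location from \fIkdc.conf(5)\fP" tells the reader exactly which relation is being bypassed.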
@@ -154,55 +143,50 @@ load_dump version 6". If filename is not specified, or is the string
.INDENT 0.0
.TP
.B \fB\-old\fP
-.sp
causes the dump to be in the Kerberos 5 Beta 5 and earlier dump
format ("kdb5_edit load_dump version 2.0").
.TP
.B \fB\-b6\fP
-.sp
causes the dump to be in the Kerberos 5 Beta 6 format ("kdb5_edit
load_dump version 3.0").
.TP
.B \fB\-b7\fP
-.sp
causes the dump to be in the Kerberos 5 Beta 7 format ("kdb5_util
load_dump version 4"). This was the dump format produced on
releases prior to 1.2.2.
.TP
.B \fB\-ov\fP
-.sp
causes the dump to be in "ovsec_adm_export" format.
.TP
.B \fB\-r13\fP
-.sp
causes the dump to be in the Kerberos 5 1.3 format ("kdb5_util
load_dump version 5"). This was the dump format produced on
releases prior to 1.8.
.TP
+.B \fB\-r18\fP
+causes the dump to be in the Kerberos 5 1.8 format ("kdb5_util
+load_dump version 6"). This was the dump format produced on
+releases prior to 1.11.
+.TP
.B \fB\-verbose\fP
-.sp
causes the name of each principal and policy to be printed as it
is dumped.
.TP
.B \fB\-mkey_convert\fP
-.sp
prompts for a new master key. This new master key will be used to
re\-encrypt principal key data in the dumpfile. The principal keys
themselves will not be changed.
.TP
.B \fB\-new_mkey_file\fP \fImkey_file\fP
-.sp
the filename of a stash file. The master key in this stash file
will be used to re\-encrypt the key data in the dumpfile. The key
data in the database will not be changed.
.TP
.B \fB\-rev\fP
-.sp
dumps in reverse order. This may recover principals that do not
dump normally, in cases where database corruption has occurred.
.TP
.B \fB\-recurse\fP
-.sp
causes the dump to walk the database recursively (btree only).
This may recover principals that do not dump normally, in cases
where database corruption has occurred. In cases of such
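Review bot: \fB\-r18\fP is added to the \fBdump\fP option descriptions, but the \fBdump\fP synopsis just above still reads \fB\-old\fP|\fB\-b6\fP|\fB\-b7\fP|\fB\-ov\fP|\fB\-r13\fP and omits it. Add \fB|\-r18\fP to the synopsis alternatives so the two stay in sync.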
@@ -212,7 +196,6 @@ than the \fB\-rev\fP option will.
.SS load
.INDENT 0.0
.INDENT 3.5
-.sp
\fBload\fP [\fB\-old\fP|\fB\-b6\fP|\fB\-b7\fP|\fB\-ov\fP|\fB\-r13\fP]
[\fB\-hash\fP] [\fB\-verbose\fP] [\fB\-update\fP] \fIfilename\fP [\fIdbname\fP]
.UNINDENT
@@ -230,39 +213,42 @@ Options:
.INDENT 0.0
.TP
.B \fB\-old\fP
-.sp
requires the database to be in the Kerberos 5 Beta 5 and earlier
format ("kdb5_edit load_dump version 2.0").
.TP
.B \fB\-b6\fP
-.sp
requires the database to be in the Kerberos 5 Beta 6 format
("kdb5_edit load_dump version 3.0").
.TP
.B \fB\-b7\fP
-.sp
requires the database to be in the Kerberos 5 Beta 7 format
("kdb5_util load_dump version 4").
.TP
.B \fB\-ov\fP
-.sp
requires the database to be in "ovsec_adm_import" format. Must be
used with the \fB\-update\fP option.
.TP
+.B \fB\-r13\fP
+requires the database to be in Kerberos 5 1.3 format ("kdb5_util
+load_dump version 5"). This was the dump format produced on
+releases prior to 1.8.
+.TP
+.B \fB\-r18\fP
+requires the database to be in Kerberos 5 1.8 format ("kdb5_util
+load_dump version 6"). This was the dump format produced on
+releases prior to 1.11.
+.TP
.B \fB\-hash\fP
-.sp
requires the database to be stored as a hash. If this option is
not specified, the database will be stored as a btree. This
option is not recommended, as databases stored in hash format are
known to corrupt data and lose principals.
.TP
.B \fB\-verbose\fP
-.sp
causes the name of each principal and policy to be printed as it
is dumped.
.TP
.B \fB\-update\fP
-.sp
records from the dump file are added to or updated in the existing
database. (This is useful in conjunction with an ovsec_adm_export
format dump if you want to preserve per\-principal policy
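Review bot: \fB\-r13\fP and \fB\-r18\fP are added to the \fBload\fP option descriptions, but the \fBload\fP synopsis in the preceding hunk still lists only \fB\-old\fP|\fB\-b6\fP|\fB\-b7\fP|\fB\-ov\fP|\fB\-r13\fP, so \fB\-r18\fP is undocumented there and \fB\-r13\fP was already in the synopsis without a description until now. Add \fB|\-r18\fP to the synopsis to match.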
@@ -277,7 +263,6 @@ line or the default.
.SS ark
.INDENT 0.0
.INDENT 3.5
-.sp
\fBark\fP [\fB\-e\fP \fIenc\fP:\fIsalt\fP,...] \fIprincipal\fP
.UNINDENT
.UNINDENT
@@ -289,7 +274,6 @@ salt types to be used for the new keys.
.SS add_mkey
.INDENT 0.0
.INDENT 3.5
-.sp
\fBadd_mkey\fP [\fB\-e\fP \fIetype\fP] [\fB\-s\fP]
.UNINDENT
.UNINDENT
@@ -309,7 +293,6 @@ is ready to be marked active with the kdb5_util \fBuse_mkey\fP command.
.SS use_mkey
.INDENT 0.0
.INDENT 3.5
-.sp
\fBuse_mkey\fP \fImkeyVNO\fP [\fItime\fP]
.UNINDENT
.UNINDENT
@@ -318,8 +301,7 @@ Sets the activation time of the master key specified by \fImkeyVNO\fP.
Once a master key becomes active, it will be used to encrypt newly
created principal keys. If no \fItime\fP argument is given, the current
time is used, causing the specified master key version to become
-active immediately. The format of \fItime\fP is specified in the
-\fIdate_format\fP section of the \fIkadmin(1)\fP man page.
+active immediately. The format for \fItime\fP is \fIgetdate\fP string.
.sp
After a new master key becomes active, the kdb5_util
\fBupdate_princ_encryption\fP command can be used to update all
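Review bot: replacing the pointer to the \fIdate_format\fP section of \fIkadmin(1)\fP with "The format for \fItime\fP is \fIgetdate\fP string." leaves the reader with a type name and no definition anywhere on this page; the removed sentence at least said where the syntax was documented. Keep a cross-reference to wherever getdate strings are now described, and read it as "is a \fIgetdate\fP string".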
@@ -327,7 +309,6 @@ principal keys to be encrypted in the new master key.
.SS list_mkeys
.INDENT 0.0
.INDENT 3.5
-.sp
\fBlist_mkeys\fP
.UNINDENT
.UNINDENT
@@ -339,7 +320,6 @@ each mkey, similar to the output of \fIkadmin(1)\fP \fBgetprinc\fP. A
.SS purge_mkeys
.INDENT 0.0
.INDENT 3.5
-.sp
\fBpurge_mkeys\fP [\fB\-f\fP] [\fB\-n\fP] [\fB\-v\fP]
.UNINDENT
.UNINDENT
@@ -350,22 +330,18 @@ keys all principal keys are protected by a newer master key.
.INDENT 0.0
.TP
.B \fB\-f\fP
-.sp
does not prompt for confirmation.
.TP
.B \fB\-n\fP
-.sp
performs a dry run, showing master keys that would be purged, but
not actually purging any keys.
.TP
.B \fB\-v\fP
-.sp
gives more verbose output.
.UNINDENT
.SS update_princ_encryption
.INDENT 0.0
.INDENT 3.5
-.sp
\fBupdate_princ_encryption\fP [\fB\-f\fP] [\fB\-n\fP] [\fB\-v\fP]
[\fIprinc\-pattern\fP]
.UNINDENT
@@ -386,6 +362,6 @@ showing the actions which would have been taken.
.SH AUTHOR
MIT
.SH COPYRIGHT
-2011, MIT
+2012, MIT
.\" Generated by docutils manpage writer.
.
diff --git a/src/man/kdc.conf.man b/src/man/kdc.conf.man
index 9cbf09bc81..c82119032e 100644
--- a/src/man/kdc.conf.man
+++ b/src/man/kdc.conf.man
@@ -28,7 +28,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.\" Man page generated from reStructeredText.
+.\" Man page generated from reStructuredText.
.
.sp
The kdc.conf file supplements \fIkrb5.conf(5)\fP for programs which
@@ -39,6 +39,9 @@ Relations documented here may also be specified in krb5.conf.
Normally, the kdc.conf file is found in the KDC state directory,
\fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP. You can override the default location by setting the
environment variable \fBKRB5_KDC_PROFILE\fP.
+.sp
+Please note that you need to restart the KDC daemon for any configuration
+changes to take effect.
.SH STRUCTURE
.sp
The kdc.conf file is set up in the same format as the
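Review bot: the new paragraph says only the KDC daemon must be restarted for changes to take effect, but this same file also configures \fIkadmind(8)\fP (see \fBacl_file\fP and \fBkadmind_port\fP further down), whose settings likewise need a restart of the admin server. Say "restart the KDC and kadmind daemons", otherwise an administrator who tightens \fBacl_file\fP and restarts only krb5kdc will believe the new ACL is in force when it is not.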
@@ -63,12 +66,6 @@ Realm\-specific database configuration and settings
T}
_
T{
-\fI\%[logging]\fP
-T} T{
-Controls how Kerberos daemons perform logging
-T}
-_
-T{
\fI\%[dbdefaults]\fP
T} T{
Default database settings
@@ -80,6 +77,12 @@ T} T{
Per\-database settings
T}
_
+T{
+\fI\%[logging]\fP
+T} T{
+Controls how Kerberos daemons perform logging
+T}
+_
.TE
.SS [kdcdefaults]
.sp
@@ -89,53 +92,44 @@ subsection does not contain a relation for the tag. See the
\fI\%[realms]\fP section for the definitions of these relations.
.INDENT 0.0
.IP \(bu 2
-.
\fBhost_based_services\fP
.IP \(bu 2
-.
\fBkdc_ports\fP
.IP \(bu 2
-.
\fBkdc_tcp_ports\fP
.IP \(bu 2
-.
\fBno_host_referral\fP
.IP \(bu 2
-.
\fBrestrict_anonymous_to_tgt\fP
.UNINDENT
.INDENT 0.0
.TP
.B \fBkdc_max_dgram_reply_size\fP
-.sp
Specifies the maximum packet size that can be sent over UDP. The
default value is 4096 bytes.
.UNINDENT
.SS [realms]
.sp
-Each tag in the [realms] section of the file names a Kerberos realm.
-The value of the tag is a subsection where the relations in that
-subsection define KDC parameters for that particular realm.
+Each tag in the [realms] section is the name of a Kerberos realm.
+The value of the tag is a subsection where the relations define KDC
+parameters for that particular realm.
.sp
-For each realm, the following tags may be specified in the [realms]
-subsection:
+For each realm, the following tags may be specified:
.INDENT 0.0
.TP
.B \fBacl_file\fP
-.sp
(String.) Location of the access control list file that
\fIkadmind(8)\fP uses to determine which principals are allowed
-which permissions on the database. The default value is
-\fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/kadm5.acl\fP.
+which permissions on the Kerberos database. The default value is
+\fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/kadm5.acl\fP. For more information on Kerberos ACL
+file see \fIkadm5.acl(5)\fP.
.TP
.B \fBdatabase_module\fP
-.sp
This relation indicates the name of the configuration section
under \fI\%[dbmodules]\fP for database specific parameters used by
the loadable database library.
.TP
.B \fBdatabase_name\fP
-.sp
(String.) This string specifies the location of the Kerberos
database for this realm, if the DB2 back\-end is being used. If a
\fBdatabase_module\fP is specified for the realm and the
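Review bot: the added sentence "For more information on Kerberos ACL file see \fIkadm5.acl(5)\fP." is missing an article and a comma, and the line it extends runs well past the wrap width used elsewhere on the page. Suggest: "For more information on the Kerberos ACL file format, see \fIkadm5.acl(5)\fP." on its own line.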
@@ -144,13 +138,11 @@ value will take precedence over this one. The default value is
\fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/principal\fP.
.TP
.B \fBdefault_principal_expiration\fP
-.sp
-(Absolute time string.) Specifies the default expiration date of
+(\fIabstime\fP string.) Specifies the default expiration date of
principals created in this realm. The default value is 0, which
means no expiration date.
.TP
.B \fBdefault_principal_flags\fP
-.sp
(Flag string.) Specifies the default attributes of principals
created in this realm. The format for this string is a
comma\-separated list of flags, with \(aq+\(aq before each flag that
@@ -163,69 +155,57 @@ There are a number of possible flags:
.INDENT 7.0
.TP
.B \fBallow\-tickets\fP
-.sp
Enabling this flag means that the KDC will issue tickets for
this principal. Disabling this flag essentially deactivates
the principal within this realm.
.TP
.B \fBdup\-skey\fP
-.sp
Enabling this flag allows the principal to obtain a session
key for another user, permitting user\-to\-user authentication
for this principal.
.TP
.B \fBforwardable\fP
-.sp
Enabling this flag allows the principal to obtain forwardable
tickets.
.TP
.B \fBhwauth\fP
-.sp
If this flag is enabled, then the principal is required to
preauthenticate using a hardware device before receiving any
tickets.
.TP
.B \fBno\-auth\-data\-required\fP
-.sp
-Enabling this flag prvents PAC data from being added to the
-service tickets.
+Enabling this flag prevents PAC data from being added to
+service tickets for the principal.
.TP
.B \fBok\-as\-delegate\fP
-.sp
If this flag is enabled, it hints the client that credentials
can and should be delegated when authenticating to the
service.
.TP
.B \fBok\-to\-auth\-as\-delegate\fP
-.sp
-Enabling this flag allows the principal to use S4USelf ticket.
+Enabling this flag allows the principal to use S4USelf tickets.
.TP
.B \fBpostdateable\fP
-.sp
Enabling this flag allows the principal to obtain postdateable
tickets.
.TP
.B \fBpreauth\fP
-.sp
If this flag is enabled on a client principal, then that
principal is required to preauthenticate to the KDC before
receiving any tickets. On a service principal, enabling this
flag means that service tickets for this principal will only
be issued to clients with a TGT that has the preauthenticated
-ticket set.
+bit set.
.TP
.B \fBproxiable\fP
-.sp
Enabling this flag allows the principal to obtain proxy
tickets.
.TP
.B \fBpwchange\fP
-.sp
Enabling this flag forces a password change for this
principal.
.TP
.B \fBpwservice\fP
-.sp
If this flag is enabled, it marks this principal as a password
change service. This should only be used in special cases,
for example, if a user\(aqs password has expired, then the user
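Review bot: while the \fBok\-to\-auth\-as\-delegate\fP text is being corrected from "ticket" to "tickets", the protocol name should be fixed too; the constrained-delegation extension is spelled S4U2Self, not "S4USelf". Suggest "allows the principal to use S4U2Self tickets".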
@@ -234,60 +214,56 @@ the normal password authentication in order to be able to
change the password.
.TP
.B \fBrenewable\fP
-.sp
Enabling this flag allows the principal to obtain renewable
tickets.
.TP
.B \fBservice\fP
-.sp
Enabling this flag allows the the KDC to issue service tickets
for this principal.
.TP
.B \fBtgt\-based\fP
-.sp
Enabling this flag allows a principal to obtain tickets based
on a ticket\-granting\-ticket, rather than repeating the
authentication process that was used to obtain the TGT.
.UNINDENT
.TP
.B \fBdict_file\fP
-.sp
(String.) Location of the dictionary file containing strings that
are not allowed as passwords. If none is specified or if there is
no policy assigned to the principal, no dictionary checks of
passwords will be performed.
.TP
.B \fBhost_based_services\fP
-.sp
(Whitespace\- or comma\-separated list.) Lists services which will
get host\-based referral processing even if the server principal is
not marked as host\-based by the client.
.TP
.B \fBiprop_enable\fP
-.sp
(Boolean value.) Specifies whether incremental database
propagation is enabled. The default value is false.
.TP
.B \fBiprop_master_ulogsize\fP
-.sp
(Integer.) Specifies the maximum number of log entries to be
retained for incremental propagation. The maximum value is 2500;
the default value is 1000.
.TP
.B \fBiprop_slave_poll\fP
-.sp
(Delta time string.) Specifies how often the slave KDC polls for
new updates from the master. The default value is \fB2m\fP (that
is, two minutes).
.TP
.B \fBiprop_port\fP
-.sp
(Port number.) Specifies the port number to be used for
incremental propagation. This is required in both master and
slave configuration files.
.TP
+.B \fBiprop_resync_timeout\fP
+(Delta time string.) Specifies the amount of time to wait for a
+full propagation to complete. This is optional in configuration
+files, and is used by slave KDCs only. The default value is 5
+minutes (\fB5m\fP).
+.TP
.B \fBiprop_logfile\fP
-.sp
(File name.) Specifies where the update log file for the realm
database is to be stored. The default is to use the
\fBdatabase_name\fP entry from the realms section of the krb5 config
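Review bot: the context line for the \fBservice\fP flag reads "Enabling this flag allows the the KDC to issue service tickets", a doubled "the" this hunk could have fixed while removing the neighbouring \fB.sp\fP. Separately, the new \fBiprop_resync_timeout\fP entry is inserted between \fBiprop_port\fP and \fBiprop_logfile\fP; grouping the iprop relations alphabetically (or at least placing the new one next to \fBiprop_slave_poll\fP, which it complements) would make the set easier to scan.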
@@ -299,18 +275,15 @@ back end is being used, or the file name is specified in the
default value will not use values from the [dbmodules] section.)
.TP
.B \fBkadmind_port\fP
-.sp
(Port number.) Specifies the port on which the \fIkadmind(8)\fP
daemon is to listen for this realm. The assigned port for kadmind
-is 749.
+is 749, which is used by default.
.TP
.B \fBkey_stash_file\fP
-.sp
(String.) Specifies the location where the master key has been
stored (via kdb5_util stash). The default is \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/.k5.REALM\fP, where \fIREALM\fP is the Kerberos realm.
.TP
.B \fBkdc_ports\fP
-.sp
(Whitespace\- or comma\-separated list.) Lists the ports on which
the Kerberos server should listen for UDP requests, as a
comma\-separated list of integers. The default value is
@@ -318,7 +291,6 @@ comma\-separated list of integers. The default value is
historically used by Kerberos V4.
.TP
.B \fBkdc_tcp_ports\fP
-.sp
(Whitespace\- or comma\-separated list.) Lists the ports on which
the Kerberos server should listen for TCP connections, as a
comma\-separated list of integers. If this relation is not
@@ -330,38 +302,39 @@ has little protection against denial\-of\-service attacks), the
standard port number assigned for Kerberos TCP traffic is port 88.
.TP
.B \fBmaster_key_name\fP
-.sp
(String.) Specifies the name of the principal associated with the
master key. The default is \fBK/M\fP.
.TP
.B \fBmaster_key_type\fP
-.sp
(Key type string.) Specifies the master key\(aqs key type. The
default value for this is \fBaes256\-cts\-hmac\-sha1\-96\fP. For a list of all possible
values, see \fI\%Encryption and salt types\fP.
.TP
.B \fBmax_life\fP
-.sp
-(Delta time string.) Specifies the maximum time period for which
-a ticket may be valid in this realm. The default value is 24
-hours.
+(\fIduration\fP string.) Specifies the maximum time period for
+which a ticket may be valid in this realm. The default value is
+24 hours.
.TP
.B \fBmax_renewable_life\fP
-.sp
-(Delta time string.) Specifies the maximum time period during
-which a valid ticket may be renewed in this realm. The default
-value is 0.
+(\fIduration\fP string.) Specifies the maximum time period
+during which a valid ticket may be renewed in this realm.
+The default value is 0.
.TP
.B \fBno_host_referral\fP
-.sp
(Whitespace\- or comma\-separated list.) Lists services to block
from getting host\-based referral processing, even if the client
marks the server principal as host\-based or the service is also
listed in \fBhost_based_services\fP. \fBno_host_referral = *\fP will
disable referral processing altogether.
.TP
+.B \fBdes_crc_session_supported\fP
+(Boolean value). If set to true, the KDC will assume that service
+principals support des\-cbc\-crc for session key enctype negotiation
+purposes. If \fBallow_weak_crypto\fP in \fIlibdefaults\fP is
+false, or if des\-cbc\-crc is not a permitted enctype, then this
+variable has no effect. Defaults to true.
+.TP
.B \fBreject_bad_transit\fP
-.sp
(Boolean value.) If set to true, the KDC will check the list of
transited realms for cross\-realm tickets against the transit path
computed from the realm names and the capaths section of its
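Review bot: the new \fBdes_crc_session_supported\fP entry breaks the alphabetical order this part of the list follows (master_key_name, master_key_type, max_life, max_renewable_life, no_host_referral, reject_bad_transit, ...); it belongs between \fBdefault_principal_flags\fP and \fBdict_file\fP. Its type annotation is also punctuated "(Boolean value)." where every other entry uses "(Boolean value.)". Since the relation defaults to true and only matters when weak crypto is permitted, it would help to state plainly that administrators who have disabled \fBallow_weak_crypto\fP can ignore it, which the current sentence implies but does not say directly.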
@@ -383,7 +356,6 @@ only to TGS requests.
The default value is true.
.TP
.B \fBrestrict_anonymous_to_tgt\fP
-.sp
(Boolean value.) If set to true, the KDC will reject ticket
requests from anonymous principals to service principals other
than the realm\(aqs ticket\-granting service. This option allows
@@ -392,97 +364,12 @@ without allowing anonymous authentication to services. The
default value is false.
.TP
.B \fBsupported_enctypes\fP
-.sp
(List of \fIkey\fP:\fIsalt\fP strings.) Specifies the default key/salt
combinations of principals for this realm. Any principals created
through \fIkadmin(1)\fP will have keys of these types. The
default value for this tag is \fBaes256\-cts\-hmac\-sha1\-96:normal aes128\-cts\-hmac\-sha1\-96:normal des3\-cbc\-sha1:normal arcfour\-hmac\-md5:normal\fP. For lists of
possible values, see \fI\%Encryption and salt types\fP.
.UNINDENT
-.SS [logging]
-.sp
-The [logging] section indicates how \fIkrb5kdc(8)\fP and
-\fIkadmind(8)\fP perform logging. The keys in this section are
-daemon names, which may be one of:
-.INDENT 0.0
-.TP
-.B \fBadmin_server\fP
-.sp
-Specifies how \fIkadmind(8)\fP performs logging.
-.TP
-.B \fBkdc\fP
-.sp
-Specifies how \fIkrb5kdc(8)\fP performs logging.
-.TP
-.B \fBdefault\fP
-.sp
-Specifies how either daemon performs logging in the absence of
-relations specific to the daemon.
-.UNINDENT
-.sp
-Values are of the following forms:
-.INDENT 0.0
-.TP
-.B \fBFILE=\fP\fIfilename\fP or \fBFILE:\fP\fIfilename\fP
-.sp
-This value causes the daemon\(aqs logging messages to go to the
-\fIfilename\fP. If the \fB=\fP form is used, the file is overwritten.
-If the \fB:\fP form is used, the file is appended to.
-.TP
-.B \fBSTDERR\fP
-.sp
-This value causes the daemon\(aqs logging messages to go to its
-standard error stream.
-.TP
-.B \fBCONSOLE\fP
-.sp
-This value causes the daemon\(aqs logging messages to go to the
-console, if the system supports it.
-.TP
-.B \fBDEVICE=\fP\fI<devicename>\fP
-.sp
-This causes the daemon\(aqs logging messages to go to the specified
-device.
-.TP
-.B \fBSYSLOG\fP[\fB:\fP\fIseverity\fP[\fB:\fP\fIfacility\fP]]
-.sp
-This causes the daemon\(aqs logging messages to go to the system log.
-.sp
-The severity argument specifies the default severity of system log
-messages. This may be any of the following severities supported
-by the syslog(3) call, minus the \fBLOG_\fP prefix: \fBEMERG\fP,
-\fBALERT\fP, \fBCRIT\fP, \fBERR\fP, \fBWARNING\fP, \fBNOTICE\fP, \fBINFO\fP,
-and \fBDEBUG\fP.
-.sp
-The facility argument specifies the facility under which the
-messages are logged. This may be any of the following facilities
-supported by the syslog(3) call minus the LOG_ prefix: \fBKERN\fP,
-\fBUSER\fP, \fBMAIL\fP, \fBDAEMON\fP, \fBAUTH\fP, \fBLPR\fP, \fBNEWS\fP,
-\fBUUCP\fP, \fBCRON\fP, and \fBLOCAL0\fP through \fBLOCAL7\fP.
-.sp
-If no severity is specified, the default is \fBERR\fP. If no
-facility is specified, the default is \fBAUTH\fP.
-.UNINDENT
-.sp
-In the following example, the logging messages from the KDC will go to
-the console and to the system log under the facility LOG_DAEMON with
-default severity of LOG_INFO; and the logging messages from the
-administrative server will be appended to the file
-\fB/var/adm/kadmin.log\fP and sent to the device \fB/dev/tty04\fP.
-.INDENT 0.0
-.INDENT 3.5
-.sp
-.nf
-.ft C
-[logging]
- kdc = CONSOLE
- kdc = SYSLOG:INFO:DAEMON
- admin_server = FILE:/var/adm/kadmin.log
- admin_server = DEVICE=/dev/tty04
-.ft P
-.fi
-.UNINDENT
-.UNINDENT
.SS [dbdefaults]
.sp
The [dbdefaults] section specifies default values for some database
@@ -491,33 +378,27 @@ a relation for the tag. See the \fI\%[dbmodules]\fP section for the
definitions of these relations.
.INDENT 0.0
.IP \(bu 2
-.
\fBldap_kerberos_container_dn\fP
.IP \(bu 2
-.
\fBldap_kdc_dn\fP
.IP \(bu 2
-.
\fBldap_kadmind_dn\fP
.IP \(bu 2
-.
\fBldap_service_password_file\fP
.IP \(bu 2
-.
\fBldap_servers\fP
.IP \(bu 2
-.
\fBldap_conns_per_server\fP
.UNINDENT
.SS [dbmodules]
.sp
The [dbmodules] section contains parameters used by the KDC database
-library and database modules. The following tag may be specified
-in the [dbmodules] section:
+library and database modules.
+.sp
+The following tag may be specified in the [dbmodules] section:
.INDENT 0.0
.TP
.B \fBdb_module_dir\fP
-.sp
This tag controls where the plugin system looks for modules. The
value should be an absolute path.
.UNINDENT
@@ -529,45 +410,40 @@ the subsection:
.INDENT 0.0
.TP
.B \fBdatabase_name\fP
-.sp
This DB2\-specific tag indicates the location of the database in
the filesystem. The default is \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/principal\fP.
.TP
.B \fBdb_library\fP
-.sp
This tag indicates the name of the loadable database module. The
value should be \fBdb2\fP for the DB2 module and \fBkldap\fP for the
LDAP module.
.TP
.B \fBdisable_last_success\fP
-.sp
If set to \fBtrue\fP, suppresses KDC updates to the "Last successful
authentication" field of principal entries requiring
preauthentication. Setting this flag may improve performance.
(Principal entries which do not require preauthentication never
-update the "Last successful authentication" field.).
+update the "Last successful authentication" field.). First
+introduced in version 1.9.
.TP
.B \fBdisable_lockout\fP
-.sp
If set to \fBtrue\fP, suppresses KDC updates to the "Last failed
authentication" and "Failed password attempts" fields of principal
entries requiring preauthentication. Setting this flag may
-improve performance, but also disables account lockout.
+improve performance, but also disables account lockout. First
+introduced in version 1.9.
.TP
.B \fBldap_conns_per_server\fP
-.sp
This LDAP\-specific tag indicates the number of connections to be
maintained per LDAP server.
.TP
.B \fBldap_kadmind_dn\fP
-.sp
This LDAP\-specific tag indicates the default bind DN for the
\fIkadmind(8)\fP daemon. kadmind does a login to the directory
as this object. This object should have the rights to read and
write the Kerberos data in the LDAP database.
.TP
.B \fBldap_kdc_dn\fP
-.sp
This LDAP\-specific tag indicates the default bind DN for the
\fIkrb5kdc(8)\fP daemon. The KDC does a login to the directory
as this object. This object should have the rights to read the
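Review bot: stray punctuation in the disable_last_success entry: the changed line reads `update the "Last successful authentication" field.). First` with a period both inside and after the closing parenthesis; drop one so it reads `field.) First introduced in version 1.9.` In the disable_lockout entry the same version note is appended to the sentence whose important half is "but also disables account lockout"; consider making the version note its own sentence so the lockout consequence is not buried.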
@@ -575,12 +451,10 @@ Kerberos data in the LDAP database, and to write data unless
\fBdisable_lockout\fP and \fBdisable_last_success\fP are true.
.TP
.B \fBldap_kerberos_container_dn\fP
-.sp
This LDAP\-specific tag indicates the DN of the container object
where the realm objects will be located.
.TP
.B \fBldap_servers\fP
-.sp
This LDAP\-specific tag indicates the list of LDAP servers that the
Kerberos servers can connect to. The list of LDAP servers is
whitespace\-separated. The LDAP server is specified by a LDAP URI.
@@ -588,15 +462,89 @@ It is recommended to use \fBldapi:\fP or \fBldaps:\fP URLs to connect
to the LDAP server.
.TP
.B \fBldap_service_password_file\fP
-.sp
This LDAP\-specific tag indicates the file containing the stashed
passwords (created by \fBkdb5_ldap_util stashsrvpw\fP) for the
\fBldap_kadmind_dn\fP and \fBldap_kdc_dn\fP objects. This file must
be kept secure.
.UNINDENT
+.SS [logging]
+.sp
+The [logging] section indicates how \fIkrb5kdc(8)\fP and
+\fIkadmind(8)\fP perform logging. The keys in this section are
+daemon names, which may be one of:
+.INDENT 0.0
+.TP
+.B \fBadmin_server\fP
+Specifies how \fIkadmind(8)\fP performs logging.
+.TP
+.B \fBkdc\fP
+Specifies how \fIkrb5kdc(8)\fP performs logging.
+.TP
+.B \fBdefault\fP
+Specifies how either daemon performs logging in the absence of
+relations specific to the daemon.
+.UNINDENT
+.sp
+Values are of the following forms:
+.INDENT 0.0
+.TP
+.B \fBFILE=\fP\fIfilename\fP or \fBFILE:\fP\fIfilename\fP
+This value causes the daemon\(aqs logging messages to go to the
+\fIfilename\fP. If the \fB=\fP form is used, the file is overwritten.
+If the \fB:\fP form is used, the file is appended to.
+.TP
+.B \fBSTDERR\fP
+This value causes the daemon\(aqs logging messages to go to its
+standard error stream.
+.TP
+.B \fBCONSOLE\fP
+This value causes the daemon\(aqs logging messages to go to the
+console, if the system supports it.
+.TP
+.B \fBDEVICE=\fP\fI<devicename>\fP
+This causes the daemon\(aqs logging messages to go to the specified
+device.
+.TP
+.B \fBSYSLOG\fP[\fB:\fP\fIseverity\fP[\fB:\fP\fIfacility\fP]]
+This causes the daemon\(aqs logging messages to go to the system log.
+.sp
+The severity argument specifies the default severity of system log
+messages. This may be any of the following severities supported
+by the syslog(3) call, minus the \fBLOG_\fP prefix: \fBEMERG\fP,
+\fBALERT\fP, \fBCRIT\fP, \fBERR\fP, \fBWARNING\fP, \fBNOTICE\fP, \fBINFO\fP,
+and \fBDEBUG\fP.
+.sp
+The facility argument specifies the facility under which the
+messages are logged. This may be any of the following facilities
+supported by the syslog(3) call minus the LOG_ prefix: \fBKERN\fP,
+\fBUSER\fP, \fBMAIL\fP, \fBDAEMON\fP, \fBAUTH\fP, \fBLPR\fP, \fBNEWS\fP,
+\fBUUCP\fP, \fBCRON\fP, and \fBLOCAL0\fP through \fBLOCAL7\fP.
+.sp
+If no severity is specified, the default is \fBERR\fP. If no
+facility is specified, the default is \fBAUTH\fP.
+.UNINDENT
+.sp
+In the following example, the logging messages from the KDC will go to
+the console and to the system log under the facility LOG_DAEMON with
+default severity of LOG_INFO; and the logging messages from the
+administrative server will be appended to the file
+\fB/var/adm/kadmin.log\fP and sent to the device \fB/dev/tty04\fP.
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+[logging]
+ kdc = CONSOLE
+ kdc = SYSLOG:INFO:DAEMON
+ admin_server = FILE:/var/adm/kadmin.log
+ admin_server = DEVICE=/dev/tty04
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
.SH PKINIT OPTIONS
.IP Note
-.
The following are pkinit\-specific options. These values may
be specified in [kdcdefaults] as global defaults, or within
a realm\-specific subsection of [realms]. Also note that a
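Review bot: inconsistent argument markup in the re-added [logging] value list: `DEVICE=\fI<devicename>\fP` wraps its placeholder in angle brackets while `FILE=\fIfilename\fP` and `SYSLOG[:\fIseverity\fP[:\fIfacility\fP]]` do not; use `DEVICE=\fIdevicename\fP`. Under the FILE entry it would help operators to say explicitly that the `=` (overwrite) form discards the previous log on every daemon restart, which is why the example below uses `FILE:` for kadmin.log. Since the section now sits after [dbmodules], also check that any `\fI\%[logging]\fP` cross-reference elsewhere in the page still resolves.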
@@ -605,7 +553,6 @@ realm\-specific value over\-rides, does not add to, a generic
.RE
.INDENT 0.0
.IP 1. 3
-.
realm\-specific subsection of [realms],
.INDENT 3.0
.INDENT 3.5
@@ -614,14 +561,13 @@ realm\-specific subsection of [realms],
.ft C
[realms]
EXAMPLE.COM = {
- pkinit_anchors = FILE\e:/usr/local/example.com.crt
+ pkinit_anchors = FILE:/usr/local/example.com.crt
}
.ft P
.fi
.UNINDENT
.UNINDENT
.IP 2. 3
-.
generic value in the [kdcdefaults] section.
.INDENT 3.0
.INDENT 3.5
@@ -629,7 +575,7 @@ generic value in the [kdcdefaults] section.
.nf
.ft C
[kdcdefaults]
- pkinit_anchors = DIR\e:/usr/local/generic_trusted_cas/
+ pkinit_anchors = DIR:/usr/local/generic_trusted_cas/
.ft P
.fi
.UNINDENT
@@ -642,19 +588,16 @@ For information about the syntax of some of these options, see
.INDENT 0.0
.TP
.B \fBpkinit_anchors\fP
-.sp
Specifies the location of trusted anchor (root) certificates which
the KDC trusts to sign client certificates. This option is
required if pkinit is to be supported by the KDC. This option may
be specified multiple times.
.TP
.B \fBpkinit_dh_min_bits\fP
-.sp
Specifies the minimum number of bits the KDC is willing to accept
for a client\(aqs Diffie\-Hellman key. The default is 2048.
.TP
.B \fBpkinit_allow_upn\fP
-.sp
Specifies that the KDC is willing to accept client certificates
with the Microsoft UserPrincipalName (UPN) Subject Alternative
Name (SAN). This means the KDC accepts the binding of the UPN in
@@ -666,60 +609,50 @@ the id\-pkinit\-san as defined in \fI\%RFC 4556\fP. There is currently
no option to disable SAN checking in the KDC.
.TP
.B \fBpkinit_eku_checking\fP
-.sp
This option specifies what Extended Key Usage (EKU) values the KDC
is willing to accept in client certificates. The values
recognized in the kdc.conf file are:
.INDENT 7.0
.TP
.B \fBkpClientAuth\fP
-.sp
This is the default value and specifies that client
certificates must have the id\-pkinit\-KPClientAuth EKU as
defined in \fI\%RFC 4556\fP.
.TP
.B \fBscLogin\fP
-.sp
If scLogin is specified, client certificates with the
Microsoft Smart Card Login EKU (id\-ms\-kp\-sc\-logon) will be
accepted.
.TP
.B \fBnone\fP
-.sp
If none is specified, then client certificates will not be
checked to verify they have an acceptable EKU. The use of
this option is not recommended.
.UNINDENT
.TP
.B \fBpkinit_identity\fP
-.sp
Specifies the location of the KDC\(aqs X.509 identity information.
This option is required if pkinit is to be supported by the KDC.
.TP
.B \fBpkinit_kdc_ocsp\fP
-.sp
Specifies the location of the KDC\(aqs OCSP.
.TP
.B \fBpkinit_mapping_file\fP
-.sp
Specifies the name of the ACL pkinit mapping file. This file maps
principals to the certificates that they can use.
.TP
.B \fBpkinit_pool\fP
-.sp
Specifies the location of intermediate certificates which may be
used by the KDC to complete the trust chain between a client\(aqs
certificate and a trusted anchor. This option may be specified
multiple times.
.TP
.B \fBpkinit_revoke\fP
-.sp
Specifies the location of Certificate Revocation List (CRL)
information to be used by the KDC when verifying the validity of
client certificates. This option may be specified multiple times.
.TP
.B \fBpkinit_require_crl_checking\fP
-.sp
The default certificate verification process will always check the
available revocation information to see if a certificate has been
revoked. If a match is found for the certificate in a CRL,
@@ -916,11 +849,30 @@ Here\(aqs an example of a kdc.conf file:
max_renewable_life = 7d 0h 0m 0s
master_key_type = des3\-hmac\-sha1
supported_enctypes = des3\-hmac\-sha1:normal des\-cbc\-crc:normal des\-cbc\-crc:v4
+ database_module = openldap_ldapconf
}
[logging]
kdc = FILE:/usr/local/var/krb5kdc/kdc.log
admin_server = FILE:/usr/local/var/krb5kdc/kadmin.log
+
+[dbdefaults]
+ ldap_kerberos_container_dn = cn=krbcontainer,dc=mit,dc=edu
+
+[dbmodules]
+ openldap_ldapconf = {
+ db_library = kldap
+ disable_last_success = true
+ ldap_kdc_dn = "cn=krbadmin,dc=mit,dc=edu"
+ # this object needs to have read rights on
+ # the realm container and principal subtrees
+ ldap_kadmind_dn = "cn=krbadmin,dc=mit,dc=edu"
+ # this object needs to have read and write rights on
+ # the realm container and principal subtrees
+ ldap_service_password_file = /etc/kerberos/service.keyfile
+ ldap_servers = ldaps://kerberos.mit.edu
+ ldap_conns_per_server = 5
+ }
.ft P
.fi
.UNINDENT
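Review bot: the new [dbmodules] example contradicts its own comments: `ldap_kdc_dn` and `ldap_kadmind_dn` are both set to `cn=krbadmin,dc=mit,dc=edu`, yet the comment under ldap_kdc_dn says that object only needs read rights and the comment under ldap_kadmind_dn says it needs read and write rights. Either use two distinct DNs, so the KDC bind identity can actually be the lower-privilege one, or drop the read-only comment. The read-only claim is also wrong for this configuration on its own terms: the ldap_kdc_dn description above says the KDC needs write access unless both disable_lockout and disable_last_success are true, and the example sets only `disable_last_success = true`, so the KDC object still needs write access for the lockout fields. Minor: the two DN values are double-quoted while every other value in the example is bare. While here, the unchanged lines above still set master_key_type and supported_enctypes to des3/des-cbc-crc, which conflicts with the aes256/aes128 default documented under supported_enctypes earlier in this page.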
@@ -930,10 +882,10 @@ Here\(aqs an example of a kdc.conf file:
\fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/kdc.conf\fP
.SH SEE ALSO
.sp
-\fIkrb5.conf(5)\fP, \fIkrb5kdc(8)\fP
+\fIkrb5.conf(5)\fP, \fIkrb5kdc(8)\fP, \fIkadm5.acl(5)\fP
.SH AUTHOR
MIT
.SH COPYRIGHT
-2011, MIT
+2012, MIT
.\" Generated by docutils manpage writer.
.
diff --git a/src/man/kdestroy.man b/src/man/kdestroy.man
index c178522496..0832c655eb 100644
--- a/src/man/kdestroy.man
+++ b/src/man/kdestroy.man
@@ -28,7 +28,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.\" Man page generated from reStructeredText.
+.\" Man page generated from reStructuredText.
.
.SH SYNOPSIS
.sp
@@ -46,17 +46,14 @@ credentials cache is destroyed.
.INDENT 0.0
.TP
.B \fB\-A\fP
-.sp
Destroys all caches in the collection, if a cache collection is
available.
.TP
.B \fB\-q\fP
-.sp
Run quietly. Normally kdestroy beeps if it fails to destroy the
user\(aqs tickets. The \fB\-q\fP flag suppresses this behavior.
.TP
.B \fB\-c\fP \fIcache_name\fP
-.sp
Use \fIcache_name\fP as the credentials (ticket) cache name and
location; if this option is not used, the default cache name and
location are used.
@@ -76,7 +73,6 @@ kdestroy uses the following environment variable:
.INDENT 0.0
.TP
.B \fBKRB5CCNAME\fP
-.sp
Location of the default Kerberos 5 credentials (ticket) cache, in
the form \fItype\fP:\fIresidual\fP. If no \fItype\fP prefix is present, the
\fBFILE\fP type is assumed. The type of the default cache may
@@ -87,10 +83,8 @@ to be present in the collection.
.SH FILES
.INDENT 0.0
.TP
-.B \fB/tmp/krb5cc_[uid]\fP
-.sp
-Default location of Kerberos 5 credentials cache ([\fIuid\fP] is the
-decimal UID of the user).
+.B \fB@CCNAME@\fP
+Default location of Kerberos 5 credentials cache
.UNINDENT
.SH SEE ALSO
.sp
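Review bot: the replacement FILES entry drops the terminating period (`Default location of Kerberos 5 credentials cache`) and loses the explanation that the cache is per-user; if @CCNAME@ expands to the old `/tmp/krb5cc_[uid]` form, keep a short note about the UID suffix. Also confirm that the man-page build substitutes @CCNAME@ the same way it substitutes @LOCALSTATEDIR@ in kdc.conf.man, otherwise the literal token will ship in the rendered page.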
@@ -98,6 +92,6 @@ decimal UID of the user).
.SH AUTHOR
MIT
.SH COPYRIGHT
-2011, MIT
+2012, MIT
.\" Generated by docutils manpage writer.
.
diff --git a/src/man/kinit.man b/src/man/kinit.man
index 4d88691bcc..257cc98109 100644
--- a/src/man/kinit.man
+++ b/src/man/kinit.man
@@ -28,7 +28,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.\" Man page generated from reStructeredText.
+.\" Man page generated from reStructuredText.
.
.SH SYNOPSIS
.sp
@@ -60,110 +60,82 @@ kinit obtains and caches an initial ticket\-granting ticket for
.INDENT 0.0
.TP
.B \fB\-V\fP
-.sp
display verbose output.
.TP
.B \fB\-l\fP \fIlifetime\fP
+(\fIduration\fP string.) Requests a ticket with the lifetime
+\fIlifetime\fP.
.sp
-requests a ticket with the lifetime \fIlifetime\fP. The integer value
-for \fIlifetime\fP must be followed immediately by one of the
-following delimiters:
-.INDENT 7.0
-.INDENT 3.5
-.sp
-.nf
-.ft C
-s seconds
-m minutes
-h hours
-d days
-.ft P
-.fi
-.UNINDENT
-.UNINDENT
-.sp
-as in \fBkinit \-l 90m\fP. You cannot mix units; a value of
-\fB3h30m\fP will result in an error.
+For example, \fBkinit \-l 5:30\fP or \fBkinit \-l 5h30m\fP.
.sp
If the \fB\-l\fP option is not specified, the default ticket lifetime
(configured by each site) is used. Specifying a ticket lifetime
longer than the maximum ticket lifetime (configured by each site)
-results in a ticket with the maximum lifetime.
+will not override the configured maximum ticket lifetime.
.TP
.B \fB\-s\fP \fIstart_time\fP
+(\fIduration\fP string.) Requests a postdated ticket. Postdated
+tickets are issued with the \fBinvalid\fP flag set, and need to be
+resubmitted to the KDC for validation before use.
.sp
-requests a postdated ticket, valid starting at \fIstart_time\fP.
-Postdated tickets are issued with the \fBinvalid\fP flag set, and
-need to be resubmitted to the KDC for validation before use.
+\fIstart_time\fP specifies the duration of the delay before the ticket
+can become valid.
.TP
.B \fB\-r\fP \fIrenewable_life\fP
-.sp
-requests renewable tickets, with a total lifetime of
-\fIrenewable_life\fP. The duration is in the same format as the
-\fB\-l\fP option, with the same delimiters.
+(\fIduration\fP string.) Requests renewable tickets, with a total
+lifetime of \fIrenewable_life\fP.
.TP
.B \fB\-f\fP
-.sp
requests forwardable tickets.
.TP
.B \fB\-F\fP
-.sp
requests non\-forwardable tickets.
.TP
.B \fB\-p\fP
-.sp
requests proxiable tickets.
.TP
.B \fB\-P\fP
-.sp
requests non\-proxiable tickets.
.TP
.B \fB\-a\fP
-.sp
requests tickets restricted to the host\(aqs local address[es].
.TP
.B \fB\-A\fP
-.sp
requests tickets not restricted by address.
.TP
.B \fB\-C\fP
-.sp
requests canonicalization of the principal name, and allows the
KDC to reply with a different client principal from the one
requested.
.TP
.B \fB\-E\fP
-.sp
treats the principal name as an enterprise name (implies the
\fB\-C\fP option).
.TP
.B \fB\-v\fP
-.sp
requests that the ticket\-granting ticket in the cache (with the
\fBinvalid\fP flag set) be passed to the KDC for validation. If the
ticket is within its requested time range, the cache is replaced
with the validated ticket.
.TP
.B \fB\-R\fP
-.sp
requests renewal of the ticket\-granting ticket. Note that an
expired ticket cannot be renewed, even if the ticket is still
within its renewable life.
.TP
-.B \fB\-k\fP [\fB\-t\fP \fIkeytab_file\fP]
-.sp
+.B \fB\-k\fP [\fB\-i\fP | \fB\-t\fP \fIkeytab_file\fP]
requests a ticket, obtained from a key in the local host\(aqs keytab.
The location of the keytab may be specified with the \fB\-t\fP
-\fIkeytab_file\fP option; otherwise the default keytab will be used.
-By default, a host ticket for the local host is requested, but any
-principal may be specified. On a KDC, the special keytab location
-\fBKDB:\fP can be used to indicate that kinit should open the KDC
-database and look up the key directly. This permits an
+\fIkeytab_file\fP option, or with the \fB\-i\fP option to specify the use
+of the default client keytab; otherwise the default keytab will be
+used. By default, a host ticket for the local host is requested,
+but any principal may be specified. On a KDC, the special keytab
+location \fBKDB:\fP can be used to indicate that kinit should open
+the KDC database and look up the key directly. This permits an
administrator to obtain tickets as any principal that supports
authentication based on the key.
.TP
.B \fB\-n\fP
-.sp
Requests anonymous processing. Two types of anonymous principals
are supported.
.sp
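Review bot: the rewritten -l, -s and -r entries describe their argument as a `(\fIduration\fP string.)` but this hunk deletes the only place the format was spelled out (the s/m/h/d delimiter table) and nothing else on this page defines it, so the new example `kinit -l 5:30` is not self-explanatory (hours:minutes? minutes:seconds?). Add a pointer to where the duration syntax is documented or keep a one-line summary of the accepted forms. Style: the new entries begin with capitalized "Requests ..." while the neighbouring -f/-F/-p/-P entries use lowercase "requests ..."; pick one. In the -k entry, "otherwise the default keytab will be used" now sits next to "the default client keytab"; say "default acceptor keytab" there (the term the klist -i entry in this same change uses) to remove the ambiguity.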
@@ -184,7 +156,6 @@ As of release 1.8, the MIT Kerberos KDC only supports fully
anonymous operation.
.TP
.B \fB\-T\fP \fIarmor_ccache\fP
-.sp
Specifies the name of a credentials cache that already contains a
ticket. If supported by the KDC, this cache will be used to armor
the request, preventing offline dictionary attacks and allowing
@@ -193,7 +164,6 @@ makes sure that the response from the KDC is not modified in
transit.
.TP
.B \fB\-c\fP \fIcache_name\fP
-.sp
use \fIcache_name\fP as the Kerberos 5 credentials (ticket) cache
location. If this option is not used, the default cache location
is used.
@@ -208,12 +178,10 @@ primary cache. Otherwise, any existing contents of the default
cache are destroyed by kinit.
.TP
.B \fB\-S\fP \fIservice_name\fP
-.sp
specify an alternate service name to use when getting initial
tickets.
.TP
.B \fB\-X\fP \fIattribute\fP[=\fIvalue\fP]
-.sp
specify a pre\-authentication \fIattribute\fP and \fIvalue\fP to be
interpreted by pre\-authentication modules. The acceptable
attribute and value values vary from module to module. This
@@ -225,15 +193,12 @@ pre\-authentication mechanism:
.INDENT 7.0
.TP
.B \fBX509_user_identity\fP=\fIvalue\fP
-.sp
specify where to find user\(aqs X509 identity information
.TP
.B \fBX509_anchors\fP=\fIvalue\fP
-.sp
specify where to find trusted X509 anchor information
.TP
.B \fBflag_RSA_PROTOCOL\fP[\fB=yes\fP]
-.sp
specify use of RSA, rather than the default Diffie\-Hellman
protocol
.UNINDENT
@@ -244,7 +209,6 @@ kinit uses the following environment variables:
.INDENT 0.0
.TP
.B \fBKRB5CCNAME\fP
-.sp
Location of the default Kerberos 5 credentials cache, in the form
\fItype\fP:\fIresidual\fP. If no \fItype\fP prefix is present, the \fBFILE\fP
type is assumed. The type of the default cache may determine the
@@ -255,13 +219,10 @@ in the collection.
.SH FILES
.INDENT 0.0
.TP
-.B \fB/tmp/krb5cc_[uid]\fP
-.sp
-default location of Kerberos 5 credentials cache ([\fIuid\fP] is the
-decimal UID of the user).
+.B \fB@CCNAME@\fP
+default location of Kerberos 5 credentials cache
.TP
-.B \fB/etc/krb5.keytab\fP
-.sp
+.B \fB@KTNAME@\fP
default location for the local host\(aqs keytab.
.UNINDENT
.SH SEE ALSO
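Review bot: the FILES section now lists @KTNAME@ as the local host's keytab, but with -i added above there is no entry for the default client keytab that -i selects; add one alongside it. The @CCNAME@ description also lacks a terminating period while the @KTNAME@ line has one.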
@@ -270,6 +231,6 @@ default location for the local host\(aqs keytab.
.SH AUTHOR
MIT
.SH COPYRIGHT
-2011, MIT
+2012, MIT
.\" Generated by docutils manpage writer.
.
diff --git a/src/man/klist.man b/src/man/klist.man
index 80b1f12ce3..cb074d190c 100644
--- a/src/man/klist.man
+++ b/src/man/klist.man
@@ -28,13 +28,14 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.\" Man page generated from reStructeredText.
+.\" Man page generated from reStructuredText.
.
.SH SYNOPSIS
.sp
\fBklist\fP
[\fB\-e\fP]
[[\fB\-c\fP] [\fB\-l\fP] [\fB\-A\fP] [\fB\-f\fP] [\fB\-s\fP] [\fB\-a\fP [\fB\-n\fP]]]
+[\fB\-C\fP]
[\fB\-k\fP [\fB\-t\fP] [\fB\-K\fP]]
[\fB\-V\fP]
[\fIcache_name\fP|\fIkeytab_name\fP]
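Review bot: the synopsis adds [-C] but not the new -i option documented below under -k; extend the keytab group to `[\fB\-k\fP [\fB\-i\fP] [\fB\-t\fP] [\fB\-K\fP]]`. Since -C only applies to credential caches, it would also read better inside the -c group on the preceding line rather than on its own line between the cache and keytab groups.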
@@ -46,28 +47,23 @@ credentials cache, or the keys held in a keytab file.
.INDENT 0.0
.TP
.B \fB\-e\fP
-.sp
Displays the encryption types of the session key and the ticket
for each credential in the credential cache, or each key in the
keytab file.
.TP
.B \fB\-l\fP
-.sp
If a cache collection is available, displays a table summarizing
the caches present in the collection.
.TP
.B \fB\-A\fP
-.sp
If a cache collection is available, displays the contents of all
of the caches in the collection.
.TP
.B \fB\-c\fP
-.sp
List tickets held in a credentials cache. This is the default if
neither \fB\-c\fP nor \fB\-k\fP is specified.
.TP
.B \fB\-f\fP
-.sp
Shows the flags present in the credentials, using the following
abbreviations:
.INDENT 7.0
@@ -95,36 +91,39 @@ a anonymous
.UNINDENT
.TP
.B \fB\-s\fP
-.sp
Causes klist to run silently (produce no output), but to still set
the exit status according to whether it finds the credentials
cache. The exit status is \(aq0\(aq if klist finds a credentials cache,
and \(aq1\(aq if it does not or if the tickets are expired.
.TP
.B \fB\-a\fP
-.sp
Display list of addresses in credentials.
.TP
.B \fB\-n\fP
-.sp
Show numeric addresses instead of reverse\-resolving addresses.
.TP
+.B \fB\-C\fP
+List configuration data that has been stored in the credentials
+cache when klist encounters it. By default, configuration data
+is not listed.
+.TP
.B \fB\-k\fP
-.sp
List keys held in a keytab file.
.TP
+.B \fB\-i\fP
+In combination with \fB\-k\fP, defaults to using the default client
+keytab instead of the default acceptor keytab, if no name is
+given.
+.TP
.B \fB\-t\fP
-.sp
Display the time entry timestamps for each keytab entry in the
keytab file.
.TP
.B \fB\-K\fP
-.sp
Display the value of the encryption key in each keytab entry in
the keytab file.
.TP
.B \fB\-V\fP
-.sp
Display the Kerberos version number and exit.
.UNINDENT
.sp
@@ -138,7 +137,6 @@ klist uses the following environment variable:
.INDENT 0.0
.TP
.B \fBKRB5CCNAME\fP
-.sp
Location of the default Kerberos 5 credentials (ticket) cache, in
the form \fItype\fP:\fIresidual\fP. If no \fItype\fP prefix is present, the
\fBFILE\fP type is assumed. The type of the default cache may
@@ -149,13 +147,10 @@ to be present in the collection.
.SH FILES
.INDENT 0.0
.TP
-.B \fB/tmp/krb5cc_[uid]\fP
-.sp
-Default location of Kerberos 5 credentials cache ([uid] is the
-decimal UID of the user).
+.B \fB@CCNAME@\fP
+Default location of Kerberos 5 credentials cache
.TP
-.B \fB/etc/krb5.keytab\fP
-.sp
+.B \fB@KTNAME@\fP
Default location for the local host\(aqs keytab file.
.UNINDENT
.SH SEE ALSO
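Review bot: same gap as in kinit.man: the FILES section lists @KTNAME@ as the host keytab but not the default client keytab that the new -i option selects when no name is given; add an entry for it. The @CCNAME@ description also lost its trailing period.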
@@ -164,6 +159,6 @@ Default location for the local host\(aqs keytab file.
.SH AUTHOR
MIT
.SH COPYRIGHT
-2011, MIT
+2012, MIT
.\" Generated by docutils manpage writer.
.
diff --git a/src/man/kpasswd.man b/src/man/kpasswd.man
index 0aab125b79..177091f5a4 100644
--- a/src/man/kpasswd.man
+++ b/src/man/kpasswd.man
@@ -28,7 +28,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.\" Man page generated from reStructeredText.
+.\" Man page generated from reStructuredText.
.
.SH SYNOPSIS
.sp
@@ -48,7 +48,6 @@ characters.)
.INDENT 0.0
.TP
.B \fIprincipal\fP
-.sp
Change the password for the Kerberos principal principal.
Otherwise, kpasswd uses the principal name from an existing ccache
if there is one; if not, the principal is derived from the
@@ -60,6 +59,6 @@ identity of the user invoking the kpasswd command.
.SH AUTHOR
MIT
.SH COPYRIGHT
-2011, MIT
+2012, MIT
.\" Generated by docutils manpage writer.
.
diff --git a/src/man/kprop.man b/src/man/kprop.man
index 210e6a32f7..f7a3792936 100644
--- a/src/man/kprop.man
+++ b/src/man/kprop.man
@@ -28,7 +28,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.\" Man page generated from reStructeredText.
+.\" Man page generated from reStructuredText.
.
.SH SYNOPSIS
.sp
@@ -49,26 +49,21 @@ specified by \fIslave_host\fP. The dump file must be created by
.INDENT 0.0
.TP
.B \fB\-r\fP \fIrealm\fP
-.sp
Specifies the realm of the master server.
.TP
.B \fB\-f\fP \fIfile\fP
-.sp
Specifies the filename where the dumped principal database file is
to be found; by default the dumped database file is normally
\fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/slave_datatrans\fP.
.TP
.B \fB\-P\fP \fIport\fP
-.sp
Specifies the port to use to contact the \fIkpropd(8)\fP server
on the remote host.
.TP
.B \fB\-d\fP
-.sp
Prints debugging information.
.TP
.B \fB\-s\fP \fIkeytab\fP
-.sp
Specifies the location of the keytab file.
.UNINDENT
.SH ENVIRONMENT
@@ -76,7 +71,6 @@ Specifies the location of the keytab file.
\fIkprop\fP uses the following environment variable:
.INDENT 0.0
.IP \(bu 2
-.
\fBKRB5_CONFIG\fP
.UNINDENT
.SH SEE ALSO
@@ -85,6 +79,6 @@ Specifies the location of the keytab file.
.SH AUTHOR
MIT
.SH COPYRIGHT
-2011, MIT
+2012, MIT
.\" Generated by docutils manpage writer.
.
diff --git a/src/man/kpropd.man b/src/man/kpropd.man
index e6da04b129..c429401d57 100644
--- a/src/man/kpropd.man
+++ b/src/man/kpropd.man
@@ -28,7 +28,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.\" Man page generated from reStructeredText.
+.\" Man page generated from reStructuredText.
.
.SH SYNOPSIS
.sp
@@ -40,7 +40,6 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
[\fB\-p\fP \fIkdb5_util_prog\fP]
[\fB\-P\fP \fIport\fP]
[\fB\-d\fP]
-[\fB\-S\fP]
.SH DESCRIPTION
.sp
The \fIkpropd\fP command runs on the slave KDC server. It listens for
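Review bot: removing `[\fB\-S\fP]` from the synopsis while the option is still accepted (it is documented as [DEPRECATED] under OPTIONS in this same change) leaves the -d and -P entries, which both refer to -S, pointing at a flag the synopsis no longer shows; either keep it in the synopsis or mark it deprecated there.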
@@ -56,8 +55,9 @@ Kerberos server to use \fIkprop(8)\fP to propagate its database to
the slave servers. Upon a successful download of the KDC database
file, the slave Kerberos server will have an up\-to\-date KDC database.
.sp
-Normally, kpropd is invoked out of inetd(8). This is done by adding
-a line to the \fB/etc/inetd.conf\fP file which looks like this:
+Where incremental propagation is not used, kpropd is commonly invoked
+out of inetd(8) as a nowait service. This is done by adding a line to
+the \fB/etc/inetd.conf\fP file which looks like this:
.INDENT 0.0
.INDENT 3.5
.sp
@@ -69,9 +69,9 @@ kprop stream tcp nowait root /usr/local/sbin/kpropd kpropd
.UNINDENT
.UNINDENT
.sp
-kpropd can also run as a standalone daemon by specifying the \fB\-S\fP
-option. This is done for debugging purposes, or if for some reason
-the system administrator just doesn\(aqt want to run it out of inetd(8).
+kpropd can also run as a standalone daemon. This is required for
+incremental propagation. But this is also useful for debugging
+purposes.
.sp
Incremental propagation may be enabled with the \fBiprop_enable\fP
variable in \fIkdc.conf(5)\fP. If incremental propagation is
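Review bot: the rewritten standalone-mode paragraph no longer says how standalone mode is entered now that -S is deprecated; per the -S entry below, kpropd goes standalone when its standard input is not a socket, so say that here (for example, "when started directly rather than from inetd(8)"). "But this is also useful for debugging purposes." should not open with "But"; "It is also useful for debugging." reads better.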
@@ -84,45 +84,42 @@ enabled, the principal \fBkiprop/slavehostname@REALM\fP (where
\fIslavehostname\fP is the name of the slave KDC host, and \fIREALM\fP is the
name of the Kerberos realm) must be present in the slave\(aqs keytab
file.
+.sp
+\fIkproplog(8)\fP can be used to force full replication when iprop is
+enabled.
.SH OPTIONS
.INDENT 0.0
.TP
.B \fB\-r\fP \fIrealm\fP
-.sp
Specifies the realm of the master server.
.TP
.B \fB\-f\fP \fIfile\fP
-.sp
Specifies the filename where the dumped principal database file is
to be stored; by default the dumped database file is \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/from_master\fP.
.TP
.B \fB\-p\fP
-.sp
Allows the user to specify the pathname to the \fIkdb5_util(8)\fP
program; by default the pathname used is \fB@SBINDIR@\fP\fB/kdb5_util\fP.
.TP
.B \fB\-S\fP
-.sp
-Turn on standalone mode. Normally, kpropd is invoked out of
+[DEPRECATED] Enable standalone mode. Normally kpropd is invoked by
inetd(8) so it expects a network connection to be passed to it
-from inetd(8). If the \fB\-S\fP option is specified, kpropd will put
-itself into the background, and wait for connections on port 754
-(or the port specified with the \fB\-P\fP option if given).
+from inetd(8). If the \fB\-S\fP option is specified, or if standard
+input is not a socket, kpropd will put itself into the background,
+and wait for connections on port 754 (or the port specified with the
+\fB\-P\fP option if given).
.TP
.B \fB\-d\fP
-.sp
Turn on debug mode. In this mode, if the \fB\-S\fP option is
selected, kpropd will not detach itself from the current job and
run in the background. Instead, it will run in the foreground and
print out debugging messages during the database propagation.
.TP
.B \fB\-P\fP
-.sp
Allow for an alternate port number for kpropd to listen on. This
is only useful in combination with the \fB\-S\fP option.
.TP
.B \fB\-a\fP \fIacl_file\fP
-.sp
Allows the user to specify the path to the kpropd.acl file; by
default the path used is \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/kpropd.acl\fP.
.UNINDENT
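Review bot: the -d and -P entries still say "if the -S option is selected" and "only useful in combination with the -S option", but this hunk makes standalone mode automatic when standard input is not a socket and deprecates -S; reword both to "in standalone mode". The -S entry's own "Normally kpropd is invoked by inetd(8)" now also contradicts the DESCRIPTION above, which says inetd is only the common case when incremental propagation is not used.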
@@ -131,17 +128,14 @@ default the path used is \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/kpropd.acl\fP.
kpropd uses the following environment variables:
.INDENT 0.0
.IP \(bu 2
-.
\fBKRB5_CONFIG\fP
.IP \(bu 2
-.
\fBKRB5_KDC_PROFILE\fP
.UNINDENT
.SH FILES
.INDENT 0.0
.TP
.B kpropd.acl
-.
Access file for kpropd; the default location is
\fB/usr/local/var/krb5kdc/kpropd.acl\fP. Each entry is a line
containing the principal of a host from which the local machine
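Review bot: while touching the FILES entry, note that it hardcodes the kpropd.acl default as `/usr/local/var/krb5kdc/kpropd.acl` whereas the -a option above gives it as `@LOCALSTATEDIR@/krb5kdc/kpropd.acl`; use the @LOCALSTATEDIR@ form in both places so the rendered page matches the configured install prefix.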
@@ -153,6 +147,6 @@ will allow Kerberos database propagation via \fIkprop(8)\fP.
.SH AUTHOR
MIT
.SH COPYRIGHT
-2011, MIT
+2012, MIT
.\" Generated by docutils manpage writer.
.
diff --git a/src/man/kproplog.man b/src/man/kproplog.man
index d5bd21c1ac..974f0bcae3 100644
--- a/src/man/kproplog.man
+++ b/src/man/kproplog.man
@@ -28,11 +28,12 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.\" Man page generated from reStructeredText.
+.\" Man page generated from reStructuredText.
.
.SH SYNOPSIS
.sp
\fBkproplog\fP [\fB\-h\fP] [\fB\-e\fP \fInum\fP] [\-v]
+\fBkproplog\fP [\-R]
.SH DESCRIPTION
.sp
The kproplog command displays the contents of the KDC database update
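Review bot: the added `\fBkproplog\fP [\-R]` line directly follows the existing synopsis line with no `.br` or `.sp` between them, so in roff fill mode the two invocation forms will be joined into a single output line; insert a `.br` before it. For consistency with `[\fB\-h\fP]` and `[\fB\-e\fP \fInum\fP]` the new option should also be set in bold, `[\fB\-R\fP]` (the pre-existing `[\-v]` has the same inconsistency and could be fixed in the same pass).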
@@ -56,20 +57,22 @@ last update received and the associated time stamp of the last update.
.SH OPTIONS
.INDENT 0.0
.TP
+.B \fB\-R\fP
+Reset the update log. This forces full resynchronization. If used
+on a slave then that slave will request a full resync. If used on
+the master then all slaves will request full resyncs.
+.TP
.B \fB\-h\fP
-.sp
Display a summary of the update log. This information includes
the database version number, state of the database, the number of
updates in the log, the time stamp of the first and last update,
and the version number of the first and last update entry.
.TP
.B \fB\-e\fP \fInum\fP
-.sp
Display the last \fInum\fP update entries in the log. This is useful
when debugging synchronization between KDC servers.
.TP
.B \fB\-v\fP
-.sp
Display individual attributes per update. An example of the
output generated for one entry:
.INDENT 7.0
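Review bot: the new -R entry explains the effect of a reset on a slave and on the master but does not say that -R is a separate mode that cannot be combined with the display options -h, -e and -v, which is what the two-line SYNOPSIS implies; add one sentence stating that. It would also be clearer placed after -v, matching the order in SYNOPSIS, rather than ahead of -h, and since a reset on the master makes every slave request a full resync, saying plainly that this triggers a full database transfer to each slave gives operators the cost of the operation up front.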
@@ -101,7 +104,6 @@ Update Entry
kproplog uses the following environment variables:
.INDENT 0.0
.IP \(bu 2
-.
\fBKRB5_KDC_PROFILE\fP
.UNINDENT
.SH SEE ALSO
@@ -110,6 +112,6 @@ kproplog uses the following environment variables:
.SH AUTHOR
MIT
.SH COPYRIGHT
-2011, MIT
+2012, MIT
.\" Generated by docutils manpage writer.
.
diff --git a/src/man/krb5.conf.man b/src/man/krb5.conf.man
index cc85bb9ea8..07021eb0df 100644
--- a/src/man/krb5.conf.man
+++ b/src/man/krb5.conf.man
@@ -28,7 +28,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.\" Man page generated from reStructeredText.
+.\" Man page generated from reStructuredText.
.
.sp
The krb5.conf file contains Kerberos configuration information,
@@ -169,13 +169,15 @@ Controls plugin module registration
T}
_
.TE
+.sp
+Additionally, krb5.conf may include any of the relations described in
+\fIkdc.conf(5)\fP, but it is not a recommended practice.
.SS [libdefaults]
.sp
The libdefaults section may contain any of the following relations:
.INDENT 0.0
.TP
.B \fBallow_weak_crypto\fP
-.sp
If this flag is set to false, then weak encryption types will be
filtered out of the previous three lists (as noted in
\fIEncryption_and_salt_types\fP in \fIkdc.conf(5)\fP). The
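Review bot: the added sentence says krb5.conf may include any of the kdc.conf(5) relations "but it is not a recommended practice" without saying why, or which value takes precedence when the same relation appears in both files; a reader deciding where to place a setting needs both. State the precedence rule and the reason for the recommendation in the same paragraph.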
@@ -186,7 +188,6 @@ should set this tag to true until their infrastructure adopts
stronger ciphers.
.TP
.B \fBap_req_checksum_type\fP
-.sp
An integer which specifies the type of AP\-REQ checksum to use in
authenticators. This variable should be unset so the appropriate
checksum for the encryption key in use will be used. This can be
@@ -195,14 +196,12 @@ See the \fBkdc_req_checksum_type\fP configuration option for the
possible values and their meanings.
.TP
.B \fBcanonicalize\fP
-.sp
If this flag is set to true, initial ticket requests to the KDC
will request canonicalization of the client principal name, and
answers with different client principals than the requested
principal will be accepted. The default value is false.
.TP
.B \fBccache_type\fP
-.sp
This parameter determines the format of credential cache types
created by \fIkinit(1)\fP or other programs. The default value
is 4, which represents the most current format. Smaller values
@@ -210,45 +209,51 @@ can be used for compatibility with very old implementations of
Kerberos which interact with credential caches on the same host.
.TP
.B \fBclockskew\fP
-.sp
Sets the maximum allowable amount of clockskew in seconds that the
library will tolerate before assuming that a Kerberos message is
invalid. The default value is 300 seconds, or five minutes.
.TP
+.B \fBdefault_ccache_name\fP
+This relation specifies the name of the default credential cache.
+The default is \fB@CCNAME@\fP. This relation is subject to parameter
+expansion (see below).
+.TP
+.B \fBdefault_client_keytab_name\fP
+This relation specifies the name of the default keytab for
+obtaining client credentials. The default is \fB@CKTNAME@\fP. This
+relation is subject to parameter expansion (see below).
+.TP
.B \fBdefault_keytab_name\fP
-.sp
This relation specifies the default keytab name to be used by
-application servers such as telnetd and rlogind. The default is
-\fB/etc/krb5.keytab\fP.
+application servers such as sshd. The default is \fB@KTNAME@\fP. This
+relation is subject to parameter expansion (see below).
.TP
.B \fBdefault_realm\fP
-.sp
Identifies the default Kerberos realm for the client. Set its
value to your Kerberos realm. If this value is not set, then a
realm must be specified with every Kerberos principal when
invoking programs such as \fIkinit(1)\fP.
.TP
.B \fBdefault_tgs_enctypes\fP
-.sp
Identifies the supported list of session key encryption types that
-should be returned by the KDC. The list may be delimited with
-commas or whitespace. See \fIEncryption_and_salt_types\fP in
+should be returned by the KDC, in order of preference from
+highest to lowest. The list may be delimited with commas or
+whitespace. See \fIEncryption_and_salt_types\fP in
\fIkdc.conf(5)\fP for a list of the accepted values for this tag.
The default value is \fBaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 des3\-cbc\-sha1 arcfour\-hmac\-md5 des\-cbc\-crc des\-cbc\-md5 des\-cbc\-md4\fP, but single\-DES encryption types
will be implicitly removed from this list if the value of
\fBallow_weak_crypto\fP is false.
.TP
.B \fBdefault_tkt_enctypes\fP
-.sp
Identifies the supported list of session key encryption types that
-should be requested by the client. The format is the same as for
+should be requested by the client, in order of preference from
+highest to lowest. The format is the same as for
default_tgs_enctypes. The default value for this tag is
\fBaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 des3\-cbc\-sha1 arcfour\-hmac\-md5 des\-cbc\-crc des\-cbc\-md5 des\-cbc\-md4\fP, but single\-DES encryption types will be implicitly
removed from this list if the value of \fBallow_weak_crypto\fP is
false.
.TP
.B \fBdns_lookup_kdc\fP
-.sp
Indicate whether DNS SRV records should be used to locate the KDCs
and other servers for a realm, if they are not listed in the
krb5.conf information for the realm. (Note that the admin_server
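Review bot: the new default_ccache_name and default_client_keytab_name entries and the rewritten default_keytab_name entry each end with "subject to parameter expansion (see below)"; in a man page of this length "below" is a long way off, so name the section: "see PARAMETER EXPANSION". The defaults are now given as build-time tokens (\fB@CCNAME@\fP, \fB@CKTNAME@\fP, \fB@KTNAME@\fP) where the old text carried the literal \fB/etc/krb5.keytab\fP; that is fine provided these files go through the same substitution step as \fB@LOCALSTATEDIR@\fP in kpropd.man, which is worth confirming so the tokens do not leak into installed pages.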
@@ -265,7 +270,6 @@ data), and anything the fake KDC sends will not be trusted without
verification using some secret that it won\(aqt know.
.TP
.B \fBextra_addresses\fP
-.sp
This allows a computer to use multiple local addresses, in order
to allow Kerberos to work in a network that uses NATs while still
using address\-restricted tickets. The addresses should be in a
@@ -273,12 +277,10 @@ comma\-separated list. This option has no effect if
\fBnoaddresses\fP is true.
.TP
.B \fBforwardable\fP
-.sp
If this flag is true, initial tickets will be forwardable by
default, if allowed by the KDC. The default value is false.
.TP
.B \fBignore_acceptor_hostname\fP
-.sp
When accepting GSSAPI or krb5 security contexts for host\-based
service principals, ignore any hostname passed by the calling
application, and allow clients to authenticate to any service
@@ -289,7 +291,6 @@ compromise the security of virtual hosting environments. The
default value is false.
.TP
.B \fBk5login_authoritative\fP
-.sp
If this flag is true, principals must be listed in a local user\(aqs
k5login file to be granted login access, if a \fI.k5login(5)\fP
file exists. If this flag is false, a principal may still be
@@ -298,7 +299,6 @@ file exists but does not list the principal. The default value is
true.
.TP
.B \fBk5login_directory\fP
-.sp
If set, the library will look for a local user\(aqs k5login file
within the named directory, with a filename corresponding to the
local username. If not set, the library will look for k5login
@@ -307,23 +307,20 @@ For security reasons, .k5login files must be owned by
the local user or by root.
.TP
.B \fBkdc_default_options\fP
-.sp
Default KDC options (Xored for multiple values) when requesting
initial tickets. By default it is set to 0x00000010
(KDC_OPT_RENEWABLE_OK).
.TP
.B \fBkdc_timesync\fP
-.sp
-If this flag is true, client machines will compute the difference
-between their time and the time returned by the KDC in the
-timestamps in the tickets and use this value to correct for an
-inaccurate system clock when requesting service tickets or
-authenticating to services. This corrective factor is only used
-by the Kerberos library; it is not used to change the system
-clock. The default value is true.
+Accepted values for this relation are 1 or 0. If it is nonzero,
+client machines will compute the difference between their time and
+the time returned by the KDC in the timestamps in the tickets and
+use this value to correct for an inaccurate system clock when
+requesting service tickets or authenticating to services. This
+corrective factor is only used by the Kerberos library; it is not
+used to change the system clock. The default value is 1.
.TP
.B \fBkdc_req_checksum_type\fP
-.sp
An integer which specifies the type of checksum to use for the KDC
requests, for compatibility with very old KDC implementations.
This value is only used for DES keys; other keys use the preferred
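Review bot: the rewritten kdc_timesync entry documents the value as "1 or 0" with a default of "1", while every other flag relation in this section (forwardable, noaddresses, proxiable, canonicalize) is documented as true/false; if the library now reads this relation as an integer rather than a boolean, say so explicitly instead of leaving the difference implicit. Within the entry, "Accepted values ... are 1 or 0" also conflicts with "If it is nonzero" in the next sentence, which implies other integers are accepted; pick one formulation.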
@@ -391,13 +388,11 @@ _
.TE
.TP
.B \fBnoaddresses\fP
-.sp
If this flag is true, requests for initial tickets will not be
made with address restrictions set, allowing the tickets to be
used across NATs. The default value is true.
.TP
.B \fBpermitted_enctypes\fP
-.sp
Identifies all encryption types that are permitted for use in
session key encryption. The default value for this tag is
\fBaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 des3\-cbc\-sha1 arcfour\-hmac\-md5 des\-cbc\-crc des\-cbc\-md5 des\-cbc\-md4\fP, but single\-DES encryption types will be implicitly
@@ -405,47 +400,40 @@ removed from this list if the value of \fBallow_weak_crypto\fP is
false.
.TP
.B \fBplugin_base_dir\fP
-.sp
If set, determines the base directory where krb5 plugins are
located. The default value is the \fBkrb5/plugins\fP subdirectory
of the krb5 library directory.
.TP
.B \fBpreferred_preauth_types\fP
-.sp
This allows you to set the preferred preauthentication types which
the client will attempt before others which may be advertised by a
KDC. The default value for this setting is "17, 16, 15, 14",
which forces libkrb5 to attempt to use PKINIT if it is supported.
.TP
.B \fBproxiable\fP
-.sp
If this flag is true, initial tickets will be proxiable by
default, if allowed by the KDC. The default value is false.
.TP
.B \fBrdns\fP
-.sp
If this flag is true, reverse name lookup will be used in addition
to forward name lookup to canonicalizing hostnames for use in
service principal names. The default value is true.
.TP
.B \fBrealm_try_domains\fP
-.sp
Indicate whether a host\(aqs domain components should be used to
determine the Kerberos realm of the host. The value of this
variable is an integer: \-1 means not to search, 0 means to try the
host\(aqs domain itself, 1 means to also try the domain\(aqs immediate
parent, and so forth. The library\(aqs usual mechanism for locating
Kerberos realms is used to determine whether a domain is a valid
-realm\-\-which may involve consulting DNS if \fBdns_lookup_kdc\fP is
+realm, which may involve consulting DNS if \fBdns_lookup_kdc\fP is
set. The default is not to search domain components.
.TP
.B \fBrenew_lifetime\fP
-.sp
-Sets the default renewable lifetime for initial ticket requests.
-The default value is 0.
+(\fIduration\fP string.) Sets the default renewable lifetime
+for initial ticket requests. The default value is 0.
.TP
.B \fBsafe_checksum_type\fP
-.sp
An integer which specifies the type of checksum to use for the
KRB\-SAFE requests. By default it is set to 8 (RSA MD5 DES). For
compatibility with applications linked against DCE version 1.1 or
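Review bot: "(\fIduration\fP string.)" is added to renew_lifetime here and to ticket_lifetime in the next hunk, but neither entry says where the duration string syntax is defined or shows an accepted form; a cross-reference, or one example value beside "The default value is 1 day" in ticket_lifetime, would save readers a search. Style nit: a parenthetical with a period inside it reads oddly as a sentence opener; "Sets the default renewable lifetime (a \fIduration\fP string) for initial ticket requests" is cleaner.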
@@ -455,12 +443,10 @@ with the session key type. See the \fBkdc_req_checksum_type\fP
configuration option for the possible values and their meanings.
.TP
.B \fBticket_lifetime\fP
-.sp
-Sets the default lifetime for initial ticket requests. The
-default value is 1 day.
+(\fIduration\fP string.) Sets the default lifetime for initial
+ticket requests. The default value is 1 day.
.TP
.B \fBudp_preference_limit\fP
-.sp
When sending a message to the KDC, the library will try using TCP
before UDP if the size of the message is above
\fBudp_preference_limit\fP. If the message is smaller than
@@ -469,7 +455,6 @@ Regardless of the size, both protocols will be tried if the first
attempt fails.
.TP
.B \fBverify_ap_req_nofail\fP
-.sp
If this flag is true, then an attempt to verify initial
credentials will fail if the client machine does not have a
keytab. The default value is false.
@@ -483,14 +468,12 @@ following tags may be specified in the realm\(aqs subsection:
.INDENT 0.0
.TP
.B \fBadmin_server\fP
-.sp
Identifies the host where the administration server is running.
Typically, this is the master Kerberos server. This tag must be
given a value in order to communicate with the \fIkadmind(8)\fP
server for the realm.
.TP
.B \fBauth_to_local\fP
-.sp
This tag allows you to set a general rule for mapping principal
names to local user names. It will be used if there is not an
explicit mapping for the principal name that is being
@@ -498,7 +481,6 @@ translated. The possible values are:
.INDENT 7.0
.TP
.B \fBRULE:\fP\fIexp\fP
-.sp
The local name will be formulated from \fIexp\fP.
.sp
The format for \fIexp\fP is \fB[\fP\fIn\fP\fB:\fP\fIstring\fP\fB](\fP\fIregexp\fP\fB)s/\fP\fIpattern\fP\fB/\fP\fIreplacement\fP\fB/g\fP.
@@ -506,7 +488,7 @@ The integer \fIn\fP indicates how many components the target
principal should have. If this matches, then a string will be
formed from \fIstring\fP, substituting the realm of the principal
for \fB$0\fP and the \fIn\fP\(aqth component of the principal for
-\fB$n\fP (e.g. if the principal was \fBjohndoe/admin\fP then
+\fB$n\fP (e.g., if the principal was \fBjohndoe/admin\fP then
\fB[2:$2$1foo]\fP would result in the string
\fBadminjohndoefoo\fP). If this string matches \fIregexp\fP, then
the \fBs//[g]\fP substitution command will be run over the
@@ -515,7 +497,6 @@ global over the \fIstring\fP, instead of replacing only the first
match in the \fIstring\fP.
.TP
.B \fBDEFAULT\fP
-.sp
The principal name will be used as the local user name. If
the principal has more than one component or is not in the
default realm, this rule is not applicable and the conversion
@@ -545,20 +526,17 @@ these two rules are any principals \fBjohndoe/*\fP, which will
always get the local name \fBguest\fP.
.TP
.B \fBauth_to_local_names\fP
-.sp
This subsection allows you to set explicit mappings from principal
names to local user names. The tag is the mapping name, and the
value is the corresponding local user name.
.TP
.B \fBdefault_domain\fP
-.sp
This tag specifies the domain used to expand hostnames when
translating Kerberos 4 service principals to Kerberos 5 principals
(for example, when converting \fBrcmd.hostname\fP to
\fBhost/hostname.domain\fP).
.TP
.B \fBkdc\fP
-.sp
The name or address of a host running a KDC for that realm. An
optional port number, separated from the hostname by a colon, may
be included. If the name or address contains colons (for example,
@@ -569,13 +547,11 @@ be given a value in each realm subsection in the configuration
file, or there must be DNS SRV records specifying the KDCs.
.TP
.B \fBkpasswd_server\fP
-.sp
Points to the server where all the password changes are performed.
If there is no such entry, the port 464 on the \fBadmin_server\fP
host will be tried.
.TP
.B \fBmaster_kdc\fP
-.sp
Identifies the master KDC(s). Currently, this tag is used in only
one case: If an attempt to get credentials fails because of an
invalid password, the client software will attempt to contact the
@@ -584,7 +560,6 @@ the updated database has not been propagated to the slave servers
yet.
.TP
.B \fBv4_instance_convert\fP
-.sp
This subsection allows the administrator to configure exceptions
to the \fBdefault_domain\fP mapping rule. It contains V4 instances
(the tag name) which should be translated to some specific
@@ -592,7 +567,6 @@ hostname (the tag value) as the second component in a Kerberos V5
principal name.
.TP
.B \fBv4_realm\fP
-.sp
This relation is used by the krb524 library routines when
converting a V5 principal name to a V4 principal name. It is used
when the V4 realm name and the V5 realm name are not the same, but
@@ -776,13 +750,10 @@ are overridden by those specified in the \fI\%realms\fP section.
.INDENT 3.5
.INDENT 0.0
.IP \(bu 2
-.
\fI\%pwqual\fP interface
.IP \(bu 2
-.
\fI\%kadm5_hook\fP interface
.IP \(bu 2
-.
\fI\%clpreauth\fP and \fI\%kdcpreauth\fP interfaces
.UNINDENT
.UNINDENT
@@ -798,19 +769,16 @@ All subsections support the same tags:
.INDENT 0.0
.TP
.B \fBdisable\fP
-.sp
This tag may have multiple values. If there are values for this
tag, then the named modules will be disabled for the pluggable
interface.
.TP
.B \fBenable_only\fP
-.sp
This tag may have multiple values. If there are values for this
tag, then only the named modules will be enabled for the pluggable
interface.
.TP
.B \fBmodule\fP
-.sp
This tag may have multiple values. Each value is a string of the
form \fBmodulename:pathname\fP, which causes the shared object
located at \fIpathname\fP to be registered as a dynamic module named
@@ -830,12 +798,10 @@ disabled with the disable tag):
.INDENT 0.0
.TP
.B \fBk5identity\fP
-.sp
Uses a .k5identity file in the user\(aqs home directory to select a
client principal
.TP
.B \fBrealm\fP
-.sp
Uses the service realm to guess an appropriate cache from the
collection
.UNINDENT
@@ -847,20 +813,16 @@ changed. The following built\-in modules exist for this interface:
.INDENT 0.0
.TP
.B \fBdict\fP
-.sp
Checks against the realm dictionary file
.TP
.B \fBempty\fP
-.sp
Rejects empty passwords
.TP
.B \fBhesiod\fP
-.sp
Checks against user information stored in Hesiod (only if Kerberos
was built with Hesiod support)
.TP
.B \fBprinc\fP
-.sp
Checks against components of the principal name
.UNINDENT
.SS kadm5_hook interface
@@ -878,20 +840,16 @@ built\-in modules exist for these interfaces:
.INDENT 0.0
.TP
.B \fBpkinit\fP
-.sp
This module implements the PKINIT preauthentication mechanism.
.TP
.B \fBencrypted_challenge\fP
-.sp
This module implements the encrypted challenge FAST factor.
.TP
.B \fBencrypted_timestamp\fP
-.sp
This module implements the encrypted timestamp mechanism.
.UNINDENT
.SH PKINIT OPTIONS
.IP Note
-.
The following are PKINIT\-specific options. These values may
be specified in [libdefaults] as global defaults, or within
a realm\-specific subsection of [libdefaults], or may be
@@ -901,7 +859,6 @@ A realm\-specific value overrides, not adds to, a generic
.RE
.INDENT 0.0
.IP 1. 3
-.
realm\-specific subsection of [libdefaults]:
.INDENT 3.0
.INDENT 3.5
@@ -910,14 +867,13 @@ realm\-specific subsection of [libdefaults]:
.ft C
[libdefaults]
EXAMPLE.COM = {
- pkinit_anchors = FILE\e:/usr/local/example.com.crt
+ pkinit_anchors = FILE:/usr/local/example.com.crt
}
.ft P
.fi
.UNINDENT
.UNINDENT
.IP 2. 3
-.
realm\-specific value in the [realms] section,
.INDENT 3.0
.INDENT 3.5
@@ -926,14 +882,13 @@ realm\-specific value in the [realms] section,
.ft C
[realms]
OTHERREALM.ORG = {
- pkinit_anchors = FILE\e:/usr/local/otherrealm.org.crt
+ pkinit_anchors = FILE:/usr/local/otherrealm.org.crt
}
.ft P
.fi
.UNINDENT
.UNINDENT
.IP 3. 3
-.
generic value in the [libdefaults] section.
.INDENT 3.0
.INDENT 3.5
@@ -941,7 +896,7 @@ generic value in the [libdefaults] section.
.nf
.ft C
[libdefaults]
- pkinit_anchors = DIR\e:/usr/local/generic_trusted_cas/
+ pkinit_anchors = DIR:/usr/local/generic_trusted_cas/
.ft P
.fi
.UNINDENT
@@ -954,7 +909,6 @@ information for PKINIT is as follows:
.INDENT 0.0
.TP
.B \fBFILE:\fP\fIfilename\fP[\fB,\fP\fIkeyfilename\fP]
-.sp
This option has context\-specific behavior.
.sp
In \fBpkinit_identity\fP or \fBpkinit_identities\fP, \fIfilename\fP
@@ -967,7 +921,6 @@ In \fBpkinit_anchors\fP or \fBpkinit_pool\fP, \fIfilename\fP is assumed to
be the name of an OpenSSL\-style ca\-bundle file.
.TP
.B \fBDIR:\fP\fIdirname\fP
-.sp
This option has context\-specific behavior.
.sp
In \fBpkinit_identity\fP or \fBpkinit_identities\fP, \fIdirname\fP
@@ -991,12 +944,10 @@ but all files in the directory will be examined and if they
contain a revocation list (in PEM format), they will be used.
.TP
.B \fBPKCS12:\fP\fIfilename\fP
-.sp
\fIfilename\fP is the name of a PKCS #12 format file, containing the
user\(aqs certificate and private key.
.TP
.B \fBPKCS11:\fP[\fBmodule_name=\fP]\fImodname\fP[\fB:slotid=\fP\fIslot\-id\fP][\fB:token=\fP\fItoken\-label\fP][\fB:certid=\fP\fIcert\-id\fP][\fB:certlabel=\fP\fIcert\-label\fP]
-.sp
All keyword/values are optional. \fImodname\fP specifies the location
of a library implementing PKCS #11. If a value is encountered
with no keyword, it is assumed to be the \fImodname\fP. If no
@@ -1009,7 +960,6 @@ See the \fBpkinit_cert_match\fP configuration option for more ways
to select a particular certificate to use for PKINIT.
.TP
.B \fBENV:\fP\fIenvvar\fP
-.sp
\fIenvvar\fP specifies the name of an environment variable which has
been set to a value conforming to one of the previous values. For
example, \fBENV:X509_PROXY\fP, where environment variable
@@ -1019,14 +969,12 @@ example, \fBENV:X509_PROXY\fP, where environment variable
.INDENT 0.0
.TP
.B \fBpkinit_anchors\fP
-.sp
Specifies the location of trusted anchor (root) certificates which
the client trusts to sign KDC certificates. This option may be
specified multiple times. These values from the config file are
not used if the user specifies X509_anchors on the command line.
.TP
.B \fBpkinit_cert_match\fP
-.sp
Specifies matching rules that the client certificate must match
before it is used to attempt PKINIT authentication. If a user has
multiple certificates available (on a smart card, or via other
@@ -1043,7 +991,6 @@ DN values.
The syntax of the matching rules is:
.INDENT 7.0
.INDENT 3.5
-.sp
[\fIrelation\-operator\fP]\fIcomponent\-rule\fP ...
.UNINDENT
.UNINDENT
@@ -1052,13 +999,11 @@ where:
.INDENT 7.0
.TP
.B \fIrelation\-operator\fP
-.sp
can be either \fB&&\fP, meaning all component rules must match,
or \fB||\fP, meaning only one component rule must match. The
default is \fB&&\fP.
.TP
.B \fIcomponent\-rule\fP
-.sp
can be one of the following. Note that there is no
punctuation or whitespace between component rules.
.INDENT 7.0
@@ -1080,16 +1025,12 @@ must be present in the certificate. Extended Key Usage values
can be:
.INDENT 7.0
.IP \(bu 2
-.
pkinit
.IP \(bu 2
-.
msScLogin
.IP \(bu 2
-.
clientAuth
.IP \(bu 2
-.
emailProtection
.UNINDENT
.sp
@@ -1098,10 +1039,8 @@ Usage values. All values in the list must be present in the
certificate. Key Usage values can be:
.INDENT 7.0
.IP \(bu 2
-.
digitalSignature
.IP \(bu 2
-.
keyEncipherment
.UNINDENT
.UNINDENT
@@ -1121,7 +1060,6 @@ pkinit_cert_match = <EKU>msScLogin,clientAuth<KU>digitalSignature
.UNINDENT
.TP
.B \fBpkinit_eku_checking\fP
-.sp
This option specifies what Extended Key Usage value the KDC
certificate presented to the client must contain. (Note that if
the KDC certificate has the pkinit SubjectAlternativeName encoded
@@ -1131,30 +1069,25 @@ recognized in the krb5.conf file are:
.INDENT 7.0
.TP
.B \fBkpKDC\fP
-.sp
This is the default value and specifies that the KDC must have
the id\-pkinit\-KPKdc EKU as defined in \fI\%RFC 4556\fP.
.TP
.B \fBkpServerAuth\fP
-.sp
If \fBkpServerAuth\fP is specified, a KDC certificate with the
id\-kp\-serverAuth EKU as used by Microsoft will be accepted.
.TP
.B \fBnone\fP
-.sp
If \fBnone\fP is specified, then the KDC certificate will not be
checked to verify it has an acceptable EKU. The use of this
option is not recommended.
.UNINDENT
.TP
.B \fBpkinit_dh_min_bits\fP
-.sp
Specifies the size of the Diffie\-Hellman key the client will
attempt to use. The acceptable values are 1024, 2048, and 4096.
The default is 2048.
.TP
.B \fBpkinit_identities\fP
-.sp
Specifies the location(s) to be used to find the user\(aqs X.509
identity information. This option may be specified multiple
times. Each value is attempted in order until identity
@@ -1163,7 +1096,6 @@ these values are not used if the user specifies
\fBX509_user_identity\fP on the command line.
.TP
.B \fBpkinit_kdc_hostname\fP
-.sp
The presense of this option indicates that the client is willing
to accept a KDC certificate with a dNSName SAN (Subject
Alternative Name) rather than requiring the id\-pkinit\-san as
@@ -1172,18 +1104,15 @@ times. Its value should contain the acceptable hostname for the
KDC (as contained in its certificate).
.TP
.B \fBpkinit_longhorn\fP
-.sp
If this flag is set to true, we are talking to the Longhorn KDC.
.TP
.B \fBpkinit_pool\fP
-.sp
Specifies the location of intermediate certificates which may be
used by the client to complete the trust chain between a KDC
certificate and a trusted anchor. This option may be specified
multiple times.
.TP
.B \fBpkinit_require_crl_checking\fP
-.sp
The default certificate verification process will always check the
available revocation information to see if a certificate has been
revoked. If a match is found for the certificate in a CRL,
@@ -1200,24 +1129,130 @@ fails.
policy is such that up\-to\-date CRLs must be present for every CA.
.TP
.B \fBpkinit_revoke\fP
-.sp
Specifies the location of Certificate Revocation List (CRL)
information to be used by the client when verifying the validity
of the KDC certificate presented. This option may be specified
multiple times.
.TP
.B \fBpkinit_win2k\fP
-.sp
This flag specifies whether the target realm is assumed to support
only the old, pre\-RFC version of the protocol. The default is
false.
.TP
.B \fBpkinit_win2k_require_binding\fP
-.sp
If this flag is set to true, it expects that the target KDC is
patched to return a reply with a checksum rather than a nonce.
The default is false.
.UNINDENT
+.SH PARAMETER EXPANSION
+.sp
+Several variables, such as \fBdefault_keytab_name\fP, allow parameters
+to be expanded. Valid parameters are:
+.INDENT 0.0
+.INDENT 3.5
+.TS
+center;
+|l|l|.
+_
+T{
+%{TEMP}
+T} T{
+Temporary directory
+T}
+_
+T{
+%{uid}
+T} T{
+Unix real UID or Windows SID
+T}
+_
+T{
+%{euid}
+T} T{
+Unix effective user ID or Windows SID
+T}
+_
+T{
+%{USERID}
+T} T{
+Same as %{uid}
+T}
+_
+T{
+%{null}
+T} T{
+Empty string
+T}
+_
+T{
+%{LIBDIR}
+T} T{
+Installation library directory
+T}
+_
+T{
+%{BINDIR}
+T} T{
+Installation binary directory
+T}
+_
+T{
+%{SBINDIR}
+T} T{
+Installation admin binary directory
+T}
+_
+T{
+%{username}
+T} T{
+(Unix) Username of effective user ID
+T}
+_
+T{
+%{APPDATA}
+T} T{
+(Windows) Roaming application data for current user
+T}
+_
+T{
+%{COMMON_APPDATA}
+T} T{
+(Windows) Application data for all users
+T}
+_
+T{
+%{LOCAL_APPDATA}
+T} T{
+(Windows) Local application data for current user
+T}
+_
+T{
+%{SYSTEM}
+T} T{
+(Windows) Windows system folder
+T}
+_
+T{
+%{WINDOWS}
+T} T{
+(Windows) Windows folder
+T}
+_
+T{
+%{USERCONFIG}
+T} T{
+(Windows) Per\-user MIT krb5 config file directory
+T}
+_
+T{
+%{COMMONCONFIG}
+T} T{
+(Windows) Common MIT krb5 config file directory
+T}
+_
+.TE
+.UNINDENT
+.UNINDENT
.SH SAMPLE KRB5.CONF FILE
.sp
Here is an example of a generic krb5.conf file:
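Review bot: the new PARAMETER EXPANSION section opens with "Several variables, such as \fBdefault_keytab_name\fP", but the hunks above mark exactly three relations as expandable (default_ccache_name, default_client_keytab_name, default_keytab_name); list them here so readers know expansion does not apply to other values. The section also does not say what happens to an unrecognized %{name} (left literal, replaced by an empty string, or treated as an error) or how to write a literal "%{" in a value; both matter because the expanded results are the paths of credential caches and keytabs. In the table, the "(Unix)" and "(Windows)" prefixes mark platform-specific parameters, but %{TEMP}, %{uid}, %{euid}, %{USERID} and %{null} carry neither prefix; say explicitly that these are available on both platforms if that is the intent.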
@@ -1247,11 +1282,6 @@ Here is an example of a generic krb5.conf file:
kdc = kerberos\-1.example.com
admin_server = kerberos.example.com
}
- OPENLDAP.MIT.EDU = {
- kdc = kerberos.mit.edu
- admin_server = kerberos.mit.edu
- database_module = openldap_ldapconf
- }
[domain_realm]
.mit.edu = ATHENA.MIT.EDU
@@ -1264,27 +1294,6 @@ Here is an example of a generic krb5.conf file:
EXAMPLE.COM = {
ATHENA.MIT.EDU = .
}
-
-[logging]
- kdc = SYSLOG:INFO
- admin_server = FILE=/var/kadm5.log
-[dbdefaults]
- ldap_kerberos_container_dn = cn=krbcontainer,dc=example,dc=com
-[dbmodules]
- openldap_ldapconf = {
- db_library = kldap
- disable_last_success = true
- ldap_kerberos_container_dn = cn=krbcontainer,dc=example,dc=com
- ldap_kdc_dn = "cn=krbadmin,dc=example,dc=com"
- # this object needs to have read rights on
- # the realm container and principal subtrees
- ldap_kadmind_dn = "cn=krbadmin,dc=example,dc=com"
- # this object needs to have read and write rights on
- # the realm container and principal subtrees
- ldap_service_password_file = /etc/kerberos/service.keyfile
- ldap_servers = ldaps://kerberos.mit.edu
- ldap_conns_per_server = 5
-}
.ft P
.fi
.UNINDENT
@@ -1298,6 +1307,6 @@ syslog(3)
.SH AUTHOR
MIT
.SH COPYRIGHT
-2011, MIT
+2012, MIT
.\" Generated by docutils manpage writer.
.
diff --git a/src/man/krb5kdc.man b/src/man/krb5kdc.man
index 97bee967a8..1dbe739b42 100644
--- a/src/man/krb5kdc.man
+++ b/src/man/krb5kdc.man
@@ -28,7 +28,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.\" Man page generated from reStructeredText.
+.\" Man page generated from reStructuredText.
.
.SH SYNOPSIS
.sp
@@ -43,6 +43,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
[\fB\-n\fP]
[\fB\-w\fP \fInumworkers\fP]
[\fB\-P\fP \fIpid_file\fP]
+[\fB\-T\fP \fItime_offset\fP]
.SH DESCRIPTION
.sp
krb5kdc is the Kerberos version 5 Authentication Service and Key
@@ -91,7 +92,6 @@ will relay SIGHUP signals to the worker subprocesses, and will
terminate the worker subprocess if the it is itself terminated or if
any other worker process exits.
.IP Note
-.
On operating systems which do not have \fIpktinfo\fP support,
using worker processes will prevent the KDC from listening
for UDP packets on network interfaces created after the KDC
@@ -105,23 +105,19 @@ Options supported for the LDAP database module are:
.INDENT 0.0
.TP
.B \fB\-x\fP nconns=<number_of_connections>
-.sp
Specifies the number of connections to be maintained per
LDAP server.
.TP
.B \fB\-x\fP host=<ldapuri>
-.sp
Specifies the LDAP server to connect to by URI.
.TP
.B \fB\-x\fP binddn=<binddn>
-.sp
Specifies the DN of the object used by the KDC server to bind
to the LDAP server. This object should have read and write
privileges to the realm container, the principal container,
and the subtree that is referenced by the realm.
.TP
.B \fB\-x\fP bindpwd=<bind_password>
-.sp
Specifies the password for the above mentioned binddn. Using
this option may expose the password to other users on the
system via the process list; to avoid this, instead stash the
@@ -130,6 +126,9 @@ password using the \fBstashsrvpw\fP command of
.UNINDENT
.UNINDENT
.UNINDENT
+.sp
+The \fB\-T\fP \fIoffset\fP option specifies a time offset, in seconds, which
+the KDC will operate under. It is intended only for testing purposes.
.SH EXAMPLE
.sp
The KDC may service requests for multiple realms (maximum 32 realms).
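Review bot: the -T description names the argument \fIoffset\fP while the SYNOPSIS hunk above calls it \fItime_offset\fP; use one name in both places. The description is also a loose .sp paragraph after the LDAP -x option block rather than a .TP entry in the option list, so a reader scanning OPTIONS will miss it; move it into the list. Because the KDC "will operate under" the shifted time, "intended only for testing purposes" would be stronger as an explicit statement that the option must not be used on a production KDC.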
@@ -161,10 +160,8 @@ description for further details.
krb5kdc uses the following environment variables:
.INDENT 0.0
.IP \(bu 2
-.
\fBKRB5_CONFIG\fP
.IP \(bu 2
-.
\fBKRB5_KDC_PROFILE\fP
.UNINDENT
.SH SEE ALSO
@@ -174,6 +171,6 @@ krb5kdc uses the following environment variables:
.SH AUTHOR
MIT
.SH COPYRIGHT
-2011, MIT
+2012, MIT
.\" Generated by docutils manpage writer.
.
diff --git a/src/man/ksu.man b/src/man/ksu.man
index d45a5f5962..7830a7efa9 100644
--- a/src/man/ksu.man
+++ b/src/man/ksu.man
@@ -28,7 +28,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.\" Man page generated from reStructeredText.
+.\" Man page generated from reStructuredText.
.
.SH SYNOPSIS
.sp
@@ -54,10 +54,9 @@ ksu is a Kerberized version of the su program that has two missions:
one is to securely change the real and effective user ID to that of
the target user, and the other is to create a new security context.
.IP Note
-.
For the sake of clarity, all references to and attributes of
the user invoking the program will start with "source"
-(e.g. "source user", "source cache", etc.).
+(e.g., "source user", "source cache", etc.).
.sp
Likewise, all references to and attributes of the target
account will start with "target".
@@ -67,12 +66,12 @@ account will start with "target".
To fulfill the first mission, ksu operates in two phases:
authentication and authorization. Resolving the target principal name
is the first step in authentication. The user can either specify his
-principal name with the \fB\-n\fP option (e.g. \fB\-n jqpublic@USC.EDU\fP)
+principal name with the \fB\-n\fP option (e.g., \fB\-n jqpublic@USC.EDU\fP)
or a default principal name will be assigned using a heuristic
described in the OPTIONS section (see \fB\-n\fP option). The target user
name must be the first argument to ksu; if not specified root is the
default. If \fB.\fP is specified then the target user will be the
-source user (e.g. \fBksu .\fP). If the source user is root or the
+source user (e.g., \fBksu .\fP). If the source user is root or the
target user is the source user, no authentication or authorization
takes place. Otherwise, ksu looks for an appropriate Kerberos ticket
in the source cache.
@@ -167,7 +166,6 @@ not provided (user hit return) ksu continues in a normal mode of
operation (the target cache will not contain the desired TGT). If the
wrong password is typed in, ksu fails.
.IP Note
-.
During authentication, only the tickets that could be
obtained without providing a password are cached in in the
source cache.
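Review bot: the context line "obtained without providing a password are cached in in the" carries a duplicated "in"; since this hunk already edits the surrounding Note block, drop one "in" in the same change.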
@@ -176,7 +174,6 @@ source cache.
.INDENT 0.0
.TP
.B \fB\-n\fP \fItarget_principal_name\fP
-.sp
Specify a Kerberos target principal name. Used in authentication
and authorization phases of ksu.
.sp
@@ -184,7 +181,6 @@ If ksu is invoked without \fB\-n\fP, a default principal name is
assigned via the following heuristic:
.INDENT 7.0
.IP \(bu 2
-.
Case 1: source user is non\-root.
.sp
If the target user is the source user the default principal name
@@ -201,13 +197,10 @@ cache. If both conditions are met that principal becomes the
default target principal, otherwise go to the next principal.
.INDENT 2.0
.IP a. 3
-.
default principal of the source cache
.IP b. 3
-.
target_user@local_realm
.IP c. 3
-.
source_user@local_realm
.UNINDENT
.sp
@@ -227,7 +220,6 @@ example if candidate a) is \fBjqpublic@ISI.EDU\fP and
account then the default principal is set to
\fBjqpublic/secure@ISI.EDU\fP.
.IP \(bu 2
-.
Case 2: source user is root.
.sp
If the target user is non\-root then the default principal name
@@ -241,8 +233,7 @@ exist, default principal name is set to \fBroot\e@local_realm\fP.
\fB\-c\fP \fIsource_cache_name\fP
.INDENT 0.0
.INDENT 3.5
-.sp
-Specify source cache name (e.g. \fB\-c FILE:/tmp/my_cache\fP). If
+Specify source cache name (e.g., \fB\-c FILE:/tmp/my_cache\fP). If
\fB\-c\fP option is not used then the name is obtained from
\fBKRB5CCNAME\fP environment variable. If \fBKRB5CCNAME\fP is not
defined the source cache name is set to \fBkrb5cc_<source uid>\fP.
@@ -264,17 +255,14 @@ krb5cc_1984.2
.INDENT 0.0
.TP
.B \fB\-k\fP
-.sp
Do not delete the target cache upon termination of the target
shell or a command (\fB\-e\fP command). Without \fB\-k\fP, ksu deletes
the target cache.
.TP
.B \fB\-D\fP
-.sp
Turn on debug mode.
.TP
.B \fB\-z\fP
-.sp
Restrict the copy of tickets from the source cache to the target
cache to only the tickets where client == the target principal
name. Use the \fB\-n\fP option if you want the tickets for other then
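Review bot: the \-z description ends "the tickets for other then", which should read "other than"; this hunk already touches the \-z entry, so the typo can be fixed here as well.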
@@ -282,7 +270,6 @@ the default principal. Note that the \fB\-z\fP option is mutually
exclusive with the \fB\-Z\fP option.
.TP
.B \fB\-Z\fP
-.sp
Don\(aqt copy any tickets from the source cache to the target cache.
Just create a fresh target cache, where the default principal name
of the cache is initialized to the target principal name. Note
@@ -290,7 +277,6 @@ that the \fB\-Z\fP option is mutually exclusive with the \fB\-z\fP
option.
.TP
.B \fB\-q\fP
-.sp
Suppress the printing of status messages.
.UNINDENT
.sp
@@ -298,7 +284,6 @@ Ticket granting ticket options:
.INDENT 0.0
.TP
.B \fB\-l\fP \fIlifetime\fP \fB\-r\fP \fItime\fP \fB\-pf\fP
-.sp
The ticket granting ticket options only apply to the case where
there are no appropriate tickets in the cache to authenticate the
source user. In this case if ksu is configured to prompt users
@@ -307,29 +292,24 @@ ticket granting ticket options that are specified will be used
when getting a ticket granting ticket from the Kerberos server.
.TP
.B \fB\-l\fP \fIlifetime\fP
-.sp
-specifies the lifetime to be requested for the ticket; if this
-option is not specified, the default ticket lifetime (configured
-by each site) is used instead.
+(\fIduration\fP string.) Specifies the lifetime to be requested
+for the ticket; if this option is not specified, the default ticket
+lifetime (12 hours) is used instead.
.TP
.B \fB\-r\fP \fItime\fP
-.sp
-specifies that the \fBrenewable\fP option should be requested for
-the ticket, and specifies the desired total lifetime of the
-ticket.
+(\fIduration\fP string.) Specifies that the \fBrenewable\fP option
+should be requested for the ticket, and specifies the desired
+total lifetime of the ticket.
.TP
.B \fB\-p\fP
-.sp
specifies that the \fBproxiable\fP option should be requested for
the ticket.
.TP
.B \fB\-f\fP
-.sp
option specifies that the \fBforwardable\fP option should be
requested for the ticket.
.TP
.B \fB\-e\fP \fIcommand\fP [\fIargs\fP ...]
-.sp
ksu proceeds exactly the same as if it was invoked without the
\fB\-e\fP option, except instead of executing the target shell, ksu
executes the specified command. Example of usage:
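Review bot: the \-l change replaces "the default ticket lifetime (configured by each site)" with a fixed "(12 hours)", turning a statement of site configurability into a hard-coded value; please confirm that 12 hours is really what ksu requests when no site configuration overrides it, or phrase it as "(12 hours unless the site configures otherwise)". The rewritten \-l and \-r entries now begin with a capitalized "(\fIduration\fP string.) Specifies", while the adjacent \-p and \-f entries still begin lowercase ("specifies that", "option specifies that"); capitalize those two and drop the stray leading "option" from \-f for consistency.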
@@ -394,7 +374,6 @@ the target program. Otherwise, the user must specify either a
full path or just the program name.
.TP
.B \fB\-a\fP \fIargs\fP
-.sp
Specify arguments to be passed to the target shell. Note that all
flags and parameters following \-a will be passed to the shell,
thus all options intended for ksu must precede \fB\-a\fP.
@@ -420,7 +399,6 @@ ksu can be compiled with the following four flags:
.INDENT 0.0
.TP
.B \fBGET_TGT_VIA_PASSWD\fP
-.sp
In case no appropriate tickets are found in the source cache, the
user will be prompted for a Kerberos password. The password is
then used to get a ticket granting ticket from the Kerberos
@@ -429,19 +407,16 @@ source user is logged in remotely and does not have a secure
channel, the password may get exposed.
.TP
.B \fBPRINC_LOOK_AHEAD\fP
-.sp
During the resolution of the default principal name,
\fBPRINC_LOOK_AHEAD\fP enables ksu to find principal names in
the .k5users file as described in the OPTIONS section
(see \fB\-n\fP option).
.TP
.B \fBCMD_PATH\fP
-.sp
Specifies a list of directories containing programs that users are
authorized to execute (via .k5users file).
.TP
.B \fBHAVE_GETUSERSHELL\fP
-.sp
If the source user is non\-root, ksu insists that the target user\(aqs
shell to be invoked is a "legal shell". \fIgetusershell(3)\fP is
called to obtain the names of "legal shells". Note that the
@@ -460,7 +435,7 @@ ksu should be owned by root and have the set user id bit turned on.
.sp
ksu attempts to get a ticket for the end server just as Kerberized
telnet and rlogin. Thus, there must be an entry for the server in the
-Kerberos database (e.g. \fBhost/nii.isi.edu@ISI.EDU\fP). The keytab
+Kerberos database (e.g., \fBhost/nii.isi.edu@ISI.EDU\fP). The keytab
file must be in an appropriate location.
.SH SIDE EFFECTS
.sp
@@ -471,6 +446,6 @@ GENNADY (ARI) MEDVINSKY
.SH AUTHOR
MIT
.SH COPYRIGHT
-2011, MIT
+2012, MIT
.\" Generated by docutils manpage writer.
.
diff --git a/src/man/kswitch.man b/src/man/kswitch.man
index b265b78fb0..753f008322 100644
--- a/src/man/kswitch.man
+++ b/src/man/kswitch.man
@@ -28,7 +28,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.\" Man page generated from reStructeredText.
+.\" Man page generated from reStructuredText.
.
.SH SYNOPSIS
.sp
@@ -42,11 +42,9 @@ collection, if a cache collection is available.
.INDENT 0.0
.TP
.B \fB\-c\fP \fIcachename\fP
-.sp
Directly specifies the credential cache to be made primary.
.TP
.B \fB\-p\fP \fIprincipal\fP
-.sp
Causes the cache collection to be searched for a cache containing
credentials for \fIprincipal\fP. If one is found, that collection is
made primary.
@@ -57,7 +55,6 @@ kswitch uses the following environment variables:
.INDENT 0.0
.TP
.B \fBKRB5CCNAME\fP
-.sp
Location of the default Kerberos 5 credentials (ticket) cache, in
the form \fItype\fP:\fIresidual\fP. If no \fItype\fP prefix is present, the
\fBFILE\fP type is assumed. The type of the default cache may
@@ -68,10 +65,8 @@ to be present in the collection.
.SS FILES
.INDENT 0.0
.TP
-.B \fB/tmp/krb5cc_[uid]\fP
-.sp
-Default location of Kerberos 5 credentials cache ([\fIuid\fP] is the
-decimal UID of the user).
+.B \fB@CCNAME@\fP
+Default location of Kerberos 5 credentials cache
.UNINDENT
.SS SEE ALSO
.sp
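Review bot: `.B \fB@CCNAME@\fP` introduces a configure-style substitution token into the FILES entry, which only renders correctly if the build runs kswitch.man through the substitution step before installation; otherwise users see the literal `@CCNAME@` where a path should be. Please confirm the Makefile rule does this. The shortened description "Default location of Kerberos 5 credentials cache" also lost its terminating period, and if the substituted default still embeds the user's UID, keep a sentence explaining that component rather than dropping the old "[uid] is the decimal UID of the user" text.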
@@ -79,6 +74,6 @@ decimal UID of the user).
.SH AUTHOR
MIT
.SH COPYRIGHT
-2011, MIT
+2012, MIT
.\" Generated by docutils manpage writer.
.
diff --git a/src/man/ktutil.man b/src/man/ktutil.man
index be2cc7da4d..31b0d51c53 100644
--- a/src/man/ktutil.man
+++ b/src/man/ktutil.man
@@ -28,7 +28,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.\" Man page generated from reStructeredText.
+.\" Man page generated from reStructuredText.
.
.SH SYNOPSIS
.sp
@@ -42,7 +42,6 @@ V4 srvtab file.
.SS list
.INDENT 0.0
.INDENT 3.5
-.sp
\fBlist\fP
.UNINDENT
.UNINDENT
@@ -53,7 +52,6 @@ Alias: \fBl\fP
.SS read_kt
.INDENT 0.0
.INDENT 3.5
-.sp
\fBread_kt\fP \fIkeytab\fP
.UNINDENT
.UNINDENT
@@ -64,7 +62,6 @@ Alias: \fBrkt\fP
.SS read_st
.INDENT 0.0
.INDENT 3.5
-.sp
\fBread_st\fP \fIsrvtab\fP
.UNINDENT
.UNINDENT
@@ -75,7 +72,6 @@ Alias: \fBrst\fP
.SS write_kt
.INDENT 0.0
.INDENT 3.5
-.sp
\fBwrite_kt\fP \fIkeytab\fP
.UNINDENT
.UNINDENT
@@ -86,7 +82,6 @@ Alias: \fBwkt\fP
.SS write_st
.INDENT 0.0
.INDENT 3.5
-.sp
\fBwrite_st\fP \fIsrvtab\fP
.UNINDENT
.UNINDENT
@@ -97,7 +92,6 @@ Alias: \fBwst\fP
.SS clear_list
.INDENT 0.0
.INDENT 3.5
-.sp
\fBclear_list\fP
.UNINDENT
.UNINDENT
@@ -108,7 +102,6 @@ Alias: \fBclear\fP
.SS delete_entry
.INDENT 0.0
.INDENT 3.5
-.sp
\fBdelete_entry\fP \fIslot\fP
.UNINDENT
.UNINDENT
@@ -119,7 +112,6 @@ Alias: \fBdelent\fP
.SS add_entry
.INDENT 0.0
.INDENT 3.5
-.sp
\fBadd_entry\fP {\fB\-key\fP|\fB\-password\fP} \fB\-p\fP \fIprincipal\fP
\fB\-k\fP \fIkvno\fP \fB\-e\fP \fIenctype\fP
.UNINDENT
@@ -131,7 +123,6 @@ Alias: \fBaddent\fP
.SS list_requests
.INDENT 0.0
.INDENT 3.5
-.sp
\fBlist_requests\fP
.UNINDENT
.UNINDENT
@@ -142,7 +133,6 @@ Aliases: \fBlr\fP, \fB?\fP
.SS quit
.INDENT 0.0
.INDENT 3.5
-.sp
\fBquit\fP
.UNINDENT
.UNINDENT
@@ -174,6 +164,6 @@ ktutil:
.SH AUTHOR
MIT
.SH COPYRIGHT
-2011, MIT
+2012, MIT
.\" Generated by docutils manpage writer.
.
diff --git a/src/man/kvno.man b/src/man/kvno.man
index 38ef7af2d4..e66b911ed2 100644
--- a/src/man/kvno.man
+++ b/src/man/kvno.man
@@ -28,7 +28,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.\" Man page generated from reStructeredText.
+.\" Man page generated from reStructuredText.
.
.SH SYNOPSIS
.sp
@@ -49,35 +49,29 @@ and prints out the key version numbers of each.
.INDENT 0.0
.TP
.B \fB\-c\fP \fIccache\fP
-.sp
Specifies the name of a credentials cache to use (if not the
default)
.TP
.B \fB\-e\fP \fIetype\fP
-.sp
Specifies the enctype which will be requested for the session key
of all the services named on the command line. This is useful in
certain backward compatibility situations.
.TP
.B \fB\-q\fP
-.sp
Suppress printing output when successful. If a service ticket
cannot be obtained, an error message will still be printed and
kvno will exit with nonzero status.
.TP
.B \fB\-h\fP
-.sp
Prints a usage statement and exits.
.TP
.B \fB\-P\fP
-.sp
Specifies that the \fIservice1 service2\fP ... arguments are to be
treated as services for which credentials should be acquired using
constrained delegation. This option is only valid when used in
conjunction with protocol transition.
.TP
.B \fB\-S\fP \fIsname\fP
-.sp
Specifies that the \fIservice1 service2\fP ... arguments are
interpreted as hostnames, and the service principals are to be
constructed from those hostnames and the service name \fIsname\fP.
@@ -85,7 +79,6 @@ The service hostnames will be canonicalized according to the usual
rules for constructing service principals.
.TP
.B \fB\-U\fP \fIfor_user\fP
-.sp
Specifies that protocol transition (S4U2Self) is to be used to
acquire a ticket on behalf of \fIfor_user\fP. If constrained
delegation is not requested, the service name must match the
@@ -97,16 +90,13 @@ kvno uses the following environment variable:
.INDENT 0.0
.TP
.B \fBKRB5CCNAME\fP
-.sp
Location of the credentials (ticket) cache.
.UNINDENT
.SH FILES
.INDENT 0.0
.TP
-.B \fB/tmp/krb5cc_[uid]\fP
-.sp
-Default location of the credentials cache ([\fIuid\fP] is the decimal
-UID of the user).
+.B \fB@CCNAME@\fP
+Default location of the credentials cache
.UNINDENT
.SH SEE ALSO
.sp
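Review bot: `\fB@CCNAME@\fP` in the FILES entry depends on kvno.man being processed by the build-time substitution step; if the page is installed verbatim the placeholder appears literally. The replacement line "Default location of the credentials cache" is also missing its final period.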
@@ -114,6 +104,6 @@ UID of the user).
.SH AUTHOR
MIT
.SH COPYRIGHT
-2011, MIT
+2012, MIT
.\" Generated by docutils manpage writer.
.
diff --git a/src/man/sclient.man b/src/man/sclient.man
index 0d0c95102a..2473e9a308 100644
--- a/src/man/sclient.man
+++ b/src/man/sclient.man
@@ -28,7 +28,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.\" Man page generated from reStructeredText.
+.\" Man page generated from reStructuredText.
.
.SH SYNOPSIS
.sp
@@ -45,6 +45,6 @@ the server\(aqs response.
.SH AUTHOR
MIT
.SH COPYRIGHT
-2011, MIT
+2012, MIT
.\" Generated by docutils manpage writer.
.
diff --git a/src/man/sserver.man b/src/man/sserver.man
index aa07d4f24f..1c48cc3507 100644
--- a/src/man/sserver.man
+++ b/src/man/sserver.man
@@ -28,7 +28,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.\" Man page generated from reStructeredText.
+.\" Man page generated from reStructuredText.
.
.SH SYNOPSIS
.sp
@@ -48,7 +48,7 @@ The service name used by sserver and sclient is sample. Hence,
sserver will require that there be a keytab entry for the service
\fBsample/hostname.domain.name@REALM.NAME\fP. This keytab is generated
using the \fIkadmin(1)\fP program. The keytab file is usually
-installed as \fB/etc/krb5.keytab\fP.
+installed as \fB@KTNAME@\fP.
.sp
The \fB\-S\fP option allows for a different keytab than the default.
.sp
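Review bot: `\fB@KTNAME@\fP` replaces the concrete `/etc/krb5.keytab` with a build-time placeholder; make sure sserver.man is substituted before install, since an unsubstituted `@KTNAME@` here would leave the reader without the keytab location this sentence is meant to give.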
@@ -103,7 +103,6 @@ You are nlgilman@JIMI.MIT.EDU
.SH COMMON ERROR MESSAGES
.INDENT 0.0
.IP 1. 3
-.
kinit returns the error:
.INDENT 3.0
.INDENT 3.5
@@ -120,7 +119,6 @@ kinit: Client not found in Kerberos database while getting
This means that you didn\(aqt create an entry for your username in the
Kerberos database.
.IP 2. 3
-.
sclient returns the error:
.INDENT 3.0
.INDENT 3.5
@@ -136,7 +134,6 @@ unknown service sample/tcp; check /etc/services
This means that you don\(aqt have an entry in /etc/services for the
sample tcp port.
.IP 3. 3
-.
sclient returns the error:
.INDENT 3.0
.INDENT 3.5
@@ -152,7 +149,6 @@ connect: Connection refused
This probably means you didn\(aqt edit /etc/inetd.conf correctly, or
you didn\(aqt restart inetd after editing inetd.conf.
.IP 4. 3
-.
sclient returns the error:
.INDENT 3.0
.INDENT 3.5
@@ -171,7 +167,6 @@ defined in the Kerberos database; it should be created using
\fIkadmin(1)\fP, and a keytab file needs to be generated to make
the key for that service principal available for sclient.
.IP 5. 3
-.
sclient returns the error:
.INDENT 3.0
.INDENT 3.5
@@ -194,6 +189,6 @@ probably not installed in the proper directory.
.SH AUTHOR
MIT
.SH COPYRIGHT
-2011, MIT
+2012, MIT
.\" Generated by docutils manpage writer.
.