path: root/doc/admin.texinfo
Commit message | Author | Age | Files | Lines
* Remove admin_keytab references in code and docs | Greg Hudson | 2012-03-04 | 1 | -5/+0
  The admin keytab hasn't been needed or used by kadmind since 1.4 (except possibly by legacy admin daemons which we no longer ship). Eliminate remaining references to it in code, test cases, and documentation.
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25729 dc483132-0cff-0310-8789-dd5450dbe970
* Use built-in modules for encrypted timestamp | Greg Hudson | 2011-10-07 | 1 | -0/+3
  Break out the encrypted timestamp code from kdc_preauth.c and preauth2.c into built-in modules, allowing admins to disable it and reducing the size of the framework code.
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25319 dc483132-0cff-0310-8789-dd5450dbe970
* Fix several krb5.conf doc inconsistencies | Greg Hudson | 2011-08-03 | 1 | -2/+18
  ldap_servers was incorrectly documented as ldap_server in the admin guide. realm_try_domains and preferred_preauth_types were documented in the man page but not the admin guide.
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25068 dc483132-0cff-0310-8789-dd5450dbe970
* Fix typo in preauth plugin krb5.conf docs | Greg Hudson | 2011-06-29 | 1 | -1/+1
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25001 dc483132-0cff-0310-8789-dd5450dbe970
* Document built-in modules for clpreauth/kdcpreauth | Greg Hudson | 2011-06-26 | 1 | -12/+12
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24991 dc483132-0cff-0310-8789-dd5450dbe970
* Document clpreauth/kdcpreauth module configuration | Greg Hudson | 2011-06-23 | 1 | -1/+17
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24982 dc483132-0cff-0310-8789-dd5450dbe970
* Document the lockout-related options in kadmin (modprinc -unlock and | Greg Hudson | 2011-05-16 | 1 | -0/+21
  addpol/modpol -maxfailure, -failurecountinterval, and -lockoutduration), in the man page and in admin.texinfo. Based on text submitted by shawn.emery@oracle.com.
  ticket: 6910
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24932 dc483132-0cff-0310-8789-dd5450dbe970
* Improve acceptor name flexibility | Greg Hudson | 2011-02-07 | 1 | -0/+9
  Be more flexible about the principal names we will accept for a given GSS acceptor name. Also add support for a new libdefaults profile variable ignore_acceptor_hostname, which causes the hostnames of host-based service principals to be ignored when passed by server applications as acceptor names.
  Note that we still always invoke krb5_sname_to_principal() when importing a gss-krb5 mechanism name, even though we won't always use the result. This is an unfortunate waste of getaddrinfo/getnameinfo queries in some situations, but the code surgery necessary to defer it appears too risky at this time.
  The project proposal for this change is at: http://k5wiki.kerberos.org/wiki/Projects/Acceptor_Names
  ticket: 6855
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24616 dc483132-0cff-0310-8789-dd5450dbe970
* Document rdns libdefault setting | Tom Yu | 2010-12-20 | 1 | -0/+7
  ticket: 6794
  tags: pullup
  target_version: 1.9
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24584 dc483132-0cff-0310-8789-dd5450dbe970
* Correct typo in admin documentation for restrict_anonymous_to_tgt | Greg Hudson | 2010-12-01 | 1 | -2/+2
  ticket: 6829
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24550 dc483132-0cff-0310-8789-dd5450dbe970
* Implement restrict_anonymous_to_tgt realm flag | Greg Hudson | 2010-12-01 | 1 | -1/+14
  Implement a new realm flag to reject ticket requests from anonymous principals to any principal other than the local TGT. Allows FAST to be deployed using anonymous tickets as armor in realms where the set of authenticatable users must be constrained.
  ticket: 6829
  target_version: 1.9
  tags: pullup
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24547 dc483132-0cff-0310-8789-dd5450dbe970
* copyright notice updates | Tom Yu | 2010-10-14 | 1 | -19/+26
  Update copyright.texinfo. Move full copyright notices to appendices of documentation. New rules to generate top-level NOTICE file from copyright.texinfo. Regenerate NOTICE file.
  ticket: 6802
  tags: pullup
  target_version: 1.9
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24455 dc483132-0cff-0310-8789-dd5450dbe970
* Add a kadm5 RPC for purging old keys from the KDB (e.g., from | Tom Yu | 2010-10-08 | 1 | -12/+9
  change_password -keepold), and add a kadmin CLI command for it. Keeping ticket open because an automated test needs to be added. Long-term future work includes start/expire dates on keys, or not-yet-valid flags.
  ticket: 1219
  status: open
  target_version: 1.9
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24442 dc483132-0cff-0310-8789-dd5450dbe970
* Document kadm5_hook interface | Sam Hartman | 2010-10-05 | 1 | -1/+12
  * krb5.conf
  * admin.texinfo
  * kadm5_hook_plugin.h: document initvt requirement
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24422 dc483132-0cff-0310-8789-dd5450dbe970
* Implement k5login_directory and k5login_authoritative options | Greg Hudson | 2010-10-01 | 1 | -0/+14
  Add and document two new options for controlling k5login behavior.
  ticket: 6792
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24402 dc483132-0cff-0310-8789-dd5450dbe970
* Correct the admin documentation for auth_to_local | Greg Hudson | 2010-09-30 | 1 | -15/+14
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24387 dc483132-0cff-0310-8789-dd5450dbe970
* Password quality pluggable interface | Greg Hudson | 2010-09-01 | 1 | -2/+61
  Merge branches/plugins2 to trunk. Adds a password quality pluggable interface described in this project page: http://k5wiki.kerberos.org/wiki/Projects/Password_quality_pluggable_interface
  ticket: 6765
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24284 dc483132-0cff-0310-8789-dd5450dbe970
* Document the disable_last_success and disable_lockout variables in | Greg Hudson | 2010-05-21 | 1 | -2/+2
  krb5.conf.M. Also document database_name in krb5.conf.M and slightly adjust the wording in admin.texinfo.
  ticket: 6719
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24078 dc483132-0cff-0310-8789-dd5450dbe970
* When parsing a KDC or admin server string, allow the name or address | Greg Hudson | 2010-05-18 | 1 | -6/+8
  to be enclosed in brackets so that IPv6 addresses can be represented. (IPv6 addresses contain colons, which look like port separators.)
  ticket: 6562
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24055 dc483132-0cff-0310-8789-dd5450dbe970
* Add lockout-related performance tuning variables | Greg Hudson | 2010-05-10 | 1 | -4/+17
  The account lockout feature of krb5 1.8 came at a cost in database accesses for principals requiring preauth, even if lockout is not used. Add dbmodules variables disable_last_success and disable_lockout for the DB2 and LDAP back ends, allowing the admin to recover the lost performance at the cost of new functionality.
  (Unrelated documentation fix: document database_name as a DB2-specific dbmodules variable instead of the realm variable it used to be.)
  ticket: 6719
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24003 dc483132-0cff-0310-8789-dd5450dbe970
* Document the ticket_lifetime libdefaults setting (which was added in | Greg Hudson | 2010-03-19 | 1 | -7/+5
  r16656, #2656). Based on a patch from nalin@redhat.com.
  ticket: 6680
  target_version: 1.8.1
  tags: pullup
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23820 dc483132-0cff-0310-8789-dd5450dbe970
* doc updates for allow_weak_crypto | Tom Yu | 2010-02-25 | 1 | -2/+5
  Update documentation to be more helpful about allow_weak_crypto.
  ticket: 6669
  target_version: 1.8
  tags: pullup
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23750 dc483132-0cff-0310-8789-dd5450dbe970
* Minimal support for updating history key | Greg Hudson | 2010-02-11 | 1 | -1/+27
  Add minimal support for re-randomizing the history key:
  * cpw -randkey kadmin/history now works, but creates only one key.
  * cpw -randkey -keepold kadmin/history still fails.
  * libkadm5 no longer caches the history key. Performance impact is minimal since password changes are not common.
  * randkey no longer checks the newly randomized key against old keys, and the disabled code to do so in setkey/setv4key is gone, so now only kadm5_chpass_principal_3 accesses the password history.
  ticket: 6660
  target_version: 1.8
  tags: pullup
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23716 dc483132-0cff-0310-8789-dd5450dbe970
* Remove an outdated parenthetical comment about master_kdc; we actually | Greg Hudson | 2009-10-07 | 1 | -3/+1
  do check if the response came from the master KDC now.
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22864 dc483132-0cff-0310-8789-dd5450dbe970
* Enctype list configuration enhancements | Greg Hudson | 2009-07-29 | 1 | -0/+9
  In the processing code for enctype lists, add support for "DEFAULT" to indicate the default list, for families (des/des3/aes/rc4), and for removing entries from the current list (-foo). Also add unit tests and document.
  ticket: 6539
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22469 dc483132-0cff-0310-8789-dd5450dbe970
* Fix a typo in the admin guide (with not keyword -> with no keyword) | Greg Hudson | 2009-06-01 | 1 | -1/+1
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22396 dc483132-0cff-0310-8789-dd5450dbe970
* Fix formatting of ok_as_delegate documentation in admin guide | Greg Hudson | 2009-05-03 | 1 | -1/+1
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22304 dc483132-0cff-0310-8789-dd5450dbe970
* Document ok_as_delegate in the admin guide | Greg Hudson | 2009-04-30 | 1 | -0/+15
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22293 dc483132-0cff-0310-8789-dd5450dbe970
* In the cross-realm setup example in the admin documentation, use | Greg Hudson | 2009-04-22 | 1 | -2/+2
  "addprinc" instead of "add_princ" since the latter is not a recognized alias for add_principal.
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22266 dc483132-0cff-0310-8789-dd5450dbe970
* Document allow_weak_crypto | Greg Hudson | 2009-04-10 | 1 | -0/+8
  Also document which cryptosystems are defined to be weak, and add some enctype entries which weren't in the documentation.
  ticket: 6452
  tags: pullup
  target_version: 1.7
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22188 dc483132-0cff-0310-8789-dd5450dbe970
* Unfortunately, pre-1.7 krshd fails to support keyed checksums because | Sam Hartman | 2009-04-03 | 1 | -2/+2
  it uses the wrong API and wrong key usage. So, if the auth_context has an explicit checksum type set, then respect that. kcmd sets such a checksum type. Also, because other applications may have the same problem, allow the config file variable if set to override the default checksum.
  * kcmd.c: Force use of rsa_md5
  * init_ctx.c: do not default to md5
  * mk_req_ext.c: allow auth_context to override
  ticket: 1624
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22160 dc483132-0cff-0310-8789-dd5450dbe970
* Use the preferred checksum for non-DES keys in the kdc_req path and | Sam Hartman | 2009-04-01 | 1 | -1/+2
  all the time in the ap_req checksum path. This breaks code to support DCE versions prior to 1.1 but uses the correct checksum for protocol compatibility.
  ticket: 1624
  Target_version: 1.7
  tags: pullup
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22154 dc483132-0cff-0310-8789-dd5450dbe970
* Document alias support in LDAP back end | Greg Hudson | 2009-03-15 | 1 | -0/+20
  Add a few paragraphs to the LDAP instructions on creating aliases through direct manipulation of the LDAP data, and briefly explain when aliases will be used.
  ticket: 6419
  tags: pullup
  target_version: 1.7
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22089 dc483132-0cff-0310-8789-dd5450dbe970
* Improve LDAP admin documentation | Greg Hudson | 2009-03-14 | 1 | -86/+101
  Use dc=example,dc=com as the example base DN instead of more archaic forms. Provide a little more cross-referencing of concepts and mechanisms. Add additional steps in the OpenLDAP setup instructions for choosing DNs for the Kerberos container, KDC service, and kadmin service. Explain a little bit about what the Kerberos container and realm container are. Be clearer that using separate subtrees from the realm container for principals is an option, not a necessity, and don't use the base DN as an example of a separate subtree (it's confusing).
  ticket: 6418
  target_version: 1.7
  tags: pullup
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22088 dc483132-0cff-0310-8789-dd5450dbe970
* Remove documentation references to krb4 functionality we no longer | Greg Hudson | 2008-12-18 | 1 | -60/+1
  have. Remove the krb425 transition guide since we no longer have compatibility code to assist with a transition.
  ticket: 6303
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21545 dc483132-0cff-0310-8789-dd5450dbe970
* Add PKINIT support | Kevin Coffman | 2007-08-01 | 1 | -5/+397
  Pull up PKINIT support onto the trunk. Changes from the version in branch users/coffman/pkinit are:
  - Update the preauth plugin interface version to avoid conflict with any existing plugins.
  - Add a pkcs11.h locally to the pkinit code rather than depending on opensc being installed.
  ticket: new
  Target_Version: 1.6.3
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19745 dc483132-0cff-0310-8789-dd5450dbe970
* misc cleanups in admin guide ldap sections | Ken Raeburn | 2006-12-20 | 1 | -55/+98
  There are a bunch of instances of incorrect punctuation, inconsistent use of @-commands with option names, typos in names of principal flags, and a couple spelling errors. I only fixed what I noticed; I haven't subjected the rest to careful review.
  Also, the long section names for eDirectory-specific documentation cause the tar files generated for snapshots (which include generated html docs) to reach the 100-character limit for file names in traditional tar format; GNU tar can create archives holding them, but older tar implementations cannot read the archives properly. So, several eDirectory-related section names have been shortened.
  ticket: new
  target: 1.6
  tags: pullup
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19001 dc483132-0cff-0310-8789-dd5450dbe970
* Restore inadvertently deleted section. Minor editorial changes | Tom Yu | 2006-12-18 | 1 | -70/+127
  ticket: 5027
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18957 dc483132-0cff-0310-8789-dd5450dbe970
* pull up r18933 to trunk | Tom Yu | 2006-12-18 | 1 | -55/+1158
  r18933@cathode-dark-space: rsavitha | 2006-12-08 04:37:01 -0500
  ticket: new
  subject: admin guide changes for the LDAP backend
  Target_Version: 1.6
  Tags: pullup
  Added LDAP backend related information to the admin guide
  ticket: 5027
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18956 dc483132-0cff-0310-8789-dd5450dbe970
* Document how to change the krbtgt key for a realm | Russ Allbery | 2006-11-09 | 1 | -1/+33
  ticket: new
  Componet: krb5-doc
  Version_Reported: 1.4.4
  Target_Version: 1.6
  Tags: pullup
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18792 dc483132-0cff-0310-8789-dd5450dbe970
* Add dircategory and direntry lines to the texinfo source for better info | Russ Allbery | 2006-06-12 | 1 | -1/+6
  documentation. Fix a few typos in variable names.
  Ticket: 3014
  Version_Reported: 1.4.2
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18111 dc483132-0cff-0310-8789-dd5450dbe970
* * admin.texinfo (Supported Encryption Types): Reflect new AES support in | Ken Raeburn | 2004-06-10 | 1 | -17/+14
  GSSAPI, but keep a warning about interoperability with old versions.
  ticket: 2585
  tags: pullup
  target_version: 1.3.4
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@16430 dc483132-0cff-0310-8789-dd5450dbe970
* * admin.texinfo (realms (krb5.conf)): Add description of master_kdc tag. | Ken Raeburn | 2003-07-25 | 1 | -0/+10
  (Sample krb5.conf File): Add it to the example.
  ticket: 1692
  tags: pullup
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15737 dc483132-0cff-0310-8789-dd5450dbe970
* Don't document kdc_supported_enctypes | Sam Hartman | 2003-07-24 | 1 | -5/+0
  Since the code for kdc_supported_enctypes was removed, the docs should be as well.
  Ticket: new
  Target_Version: 1.3.1
  Tags: pullup
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15734 dc483132-0cff-0310-8789-dd5450dbe970
* * definitions.texinfo (DefaultCcacheType, DefaultKDCTimesync, | Ken Raeburn | 2003-05-30 | 1 | -6/+2
  DefaultMasterKeyType): Updated for code changes.
  (DefaultCcacheTypeMac, DefaultKDCTimesyncMac): Deleted.
  * admin.texinfo (libdefaults): Update kdc_timesync and ccache_type descriptions to not separate Mac case.
  ticket: 1190
  status: open
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15531 dc483132-0cff-0310-8789-dd5450dbe970
* Document that we support AES and the constraints on that support | Sam Hartman | 2003-05-30 | 1 | -0/+19
  Ticket: 1535
  Tags: pullup
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15526 dc483132-0cff-0310-8789-dd5450dbe970
* Docs for admin keytab changes... only this one change need pullup | Tom Yu | 2003-05-27 | 1 | -3/+3
  * admin.texinfo (realms (kdc.conf)): Update to reflect that kadm5.keytab is only used by legacy admin daemons.
  * install.texinfo (Create a kadmind Keytab (optional)): Update to reflect that kadm5.keytab is only used by legacy admin daemons.
  ticket: 1372
  version_fixed: 1.3
  tags: pullup
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15510 dc483132-0cff-0310-8789-dd5450dbe970
* * admin.texinfo (appdefaults): Clarify afs_krb5 slightly | Tom Yu | 2003-05-23 | 1 | -6/+6
  ticket: 1192
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15486 dc483132-0cff-0310-8789-dd5450dbe970
* Document afs_krb5 appdefaults section | Sam Hartman | 2003-05-23 | 1 | -0/+27
  Ticket: 1192
  Tags: pullup
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15484 dc483132-0cff-0310-8789-dd5450dbe970
* Added a few more tags in libdefaults | Jen Selby | 2003-02-20 | 1 | -1/+23
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15194 dc483132-0cff-0310-8789-dd5450dbe970