| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
| |
The plan is to make Troubleshooting section of the documentation a
one-stop-shop place for all error diagnostics, explanations and possible
solutions. The relocation of kprop error messages descriptions is part of
this consolidation effort.
|
|
|
|
|
|
|
|
|
|
|
|
| |
The documentation for klist -s erroneously suggests that it doesn't
affect the exit status behavior and that it merely checks for the
existence of the ccache (only mentioning the expired ticket check at
the end). Make it clearer and simpler, but avoid going into a lot of
detail about the nature of the expiration check.
ticket: 7806 (new)
target_version: 1.12.1
tags: pullup
|
|
|
|
|
|
|
|
|
|
| |
Add a new section to kdc_conf.rst to describe keysalt lists, and
update other documentation to better distinguish enctype lists from
keysalt lists.
ticket: 7608
target_version: 1.12
tags: pullup
|
|
|
|
|
|
|
|
|
|
|
| |
Some error messages that kprop could print were quoted incorrectly in
install_kdc.rst.
Also fix minor typos.
ticket: 7785 (new)
target_version: 1.12
tags: pullup
|
|
|
|
|
|
|
|
|
| |
kdb5_util.rst incorrectly describes the current default dump format
version as 6 when it should be 7. Reported by Jeff D'Angelo.
ticket: 7777
target_version: 1.12
tags: pullup
|
|
|
|
|
|
|
| |
Re-fill to 70 columns. Replace non-ascii apostrophes with ASCII ones.
Edit wording slightly.
ticket: 7776
|
|
|
|
|
|
|
|
|
| |
This is to add a short introductory document on credential
caches to the Concepts section of Kerberos documentation.
ticket: 7776 (new)
target_version: 1.12
tags: pullup
|
|
|
|
|
|
|
|
|
| |
In kadm5.acl, *N in the target principal name refers to the Nth
wildcard in the acting principal pattern, not the Nth component.
ticket: 7774 (new)
target_version: 1.12
tags: pullup
|
|
|
|
|
|
|
|
|
|
|
|
| |
In the "KDC replication and account lockout" section of lockout.rst,
specifically call out kprop and incremental propagation as the
mechanisms which do not replicate account lockout state, and add a
note that KDCs using LDAP may not be affected by that section's
concerns.
ticket: 7773 (new)
target_version: 1.12
tags: pullup
|
|
|
|
|
|
| |
This configure option hasn't done anything since 1.8, so don't mention
it in configure --help or the documentation. The disable_last_success
and disable_lockout DB options are now used to turn it off.
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In kdc_conf.rst, add examples showing how to configure a realm
parameter and a database parameter. Document that the default DB
configuration section is the realm name, and use that in the example.
Move the db_module_dir description to the end of the [dbmodules]
documentation since it is rarely used and could confuse a reader about
the usual structure of the section.
ticket: 7759 (new)
target_version: 1.12
tags: pullup
|
|
|
|
|
|
|
|
|
|
|
|
| |
The kpropd -S option is no longer needed to run kpropd in standalone
mode, but its functionality is not deprecated; standalone mode is
automatically activated when appropriate. Clarify the kpropd
documentation on standalone mode to avoid giving the impression that
the mode is deprecated.
ticket: 7751 (new)
target_version: 1.12
tags: pullup
|
|
|
|
|
|
|
|
|
| |
Add a new section to database.rst documenting the procedure for
rolling the master key.
ticket: 7732 (new)
target_version: 1.12
tags: pullup
|
|
|
|
|
|
|
|
|
| |
kdb5_util update_princ_encryption should update to the active master
key version, not the most recent.
ticket: 6507
target_version: 1.12
tags: pullup
|
|
|
|
|
|
|
|
|
|
|
|
| |
In pkinit.rst, add "-days" options to the example commands for
creating certificate and briefly discuss the issue of expiration dates
so that the administrator thinks about it. In troubleshoot.rst, add
an entry for the "certificate has expired" error which results from
PKINIT (when linked with OpenSSL) when a certificate has expired.
ticket: 7719 (new)
target_version: 1.12
tags: pullup
|
|
|
|
|
|
| |
Some literal blocks in the new AEAD and IOV documentation in
gssapi.rst started with ":" instead of "::", causing documentation
build errors.
|
|
|
|
| |
Release 1.9.5 was the last planned release for the krb5-1.9 series.
|
| |
|
|
|
|
|
|
|
|
| |
If dns_canonicalize_hostname is set to false in [libdefaults],
krb5_sname_to_principal will not canonicalize the hostname using
either forward or reverse lookups.
ticket: 7703 (new)
|
|
|
|
|
|
|
|
|
|
| |
The no_auth_data_required bit was introduced to suppress PACs in
service tickets when the back end supports them. Make it also
suppress AD-SIGNEDPATH, so that the ~70-byte expansion of the ticket
can be avoided for services which aren't going to do constrained
delegation.
ticket: 7697 (new)
|
|
|
|
|
|
|
|
|
| |
Put a note in the the policies section of the documentation for how to
apply policies to principals.
[kaduk@mit.edu: reformat commit message]
ticket: 7693 (new)
|
|
|
|
| |
ticket: 7687
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This fixes a long-standing documentation bug where we claimed that
a domain_realm mapping for a host name would not affect entries
under that domain name. The code has always had the behavior where
a host name mapping implies the corresponding domain name mapping,
since the 1.0 release.
While here, replace media-lab with csail in example files, as the
media lab realm is no longer in use. Also strip port 88 from KDC
specifications, and drop the harmful default_{tgs,tkt}_enctypes
lines from src/util/profile/krb5.conf.
Further cleanup on these files to remove defunct realms may be in order.
ticket: 7690 (new)
tags: pullup
target_version: 1.11.4
|
|
|
|
| |
Add new types and constants to the apiref index files.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add wrappers for the JSON-oriented APIs for PKINIT responder items,
modeled after the API we provide for OTP items:
* krb5_responder_pkinit_get_challenge() returns the list of
identities for which we need PINs
* krb5_responder_pkinit_challenge_free() frees the structure that
was returned by krb5_responder_pkinit_get_challenge()
* krb5_responder_pkinit_set_answer() sets the answer to the PIN for
one of the identities
[ghudson@mit.edu: style cleanup; added comment pointing to main body
of PKINIT module]
ticket: 7680
|
|
|
|
|
|
|
|
|
| |
Add kadmin support for "addprinc -nokey", which creates a principal
with no keys, and "purgekeys -all", which deletes all keys from a
principal. The KDC was modified by #7630 to support principals
without keys.
ticket: 7679 (new)
|
|
|
|
|
|
|
|
|
|
| |
This plugin implements the proposal for providing OTP support by
proxying requests to RADIUS. Details can be found inside the
provided documentation as well as on the project page.
http://k5wiki.kerberos.org/wiki/Projects/OTPOverRADIUS
ticket: 7678
|
|
|
|
|
|
|
| |
The previous commit updated the header file references for 1.12 in the
clpreauth and kdcpreauth plugin interface documentation. Add a
parenthetical so that the reference is still useful for prior
releases.
|
|
|
|
|
|
| |
The clpreauth and kdcpreauth header files are split up for 1.12. In
clpreauth.rst and kdcpreauth.rst, reference the correct header files
for each.
|
|
|
|
|
| |
Briefly describe the format of the kadmin dictionary file in
kdc_conf.rst.
|
|
|
|
|
|
|
| |
Register built-in localauth modules in the order we want them used by
default, and document accordingly.
ticket: 7665
|
|
|
|
|
|
|
|
| |
Rewrite the plugin internals so that modules have a well-defined
order--either the order of enable_only tags, or dynamic modules
followed by the built-in modules in order of registration.
ticket: 7665 (new)
|
|
|
|
|
|
|
|
|
|
| |
The "previous three lists" are not previous any more.
Say explicitly which three lists, and make the parenthetical bind
to the correct noun.
ticket: 7655 (new)
tags: pullup
target_version: 1.11.4
|
|
|
|
|
|
|
|
|
| |
Explain why DES keys should be removed from principals, and clarify
that allow_weak_crypto overrides all other configuration.
ticket: 7654 (new)
tags: pullup
target_version: 1.11.4
|
|
|
|
|
|
|
|
|
| |
These flags are overloaded to mean different things for clients and
servers; previously we only documented the client behavior.
ticket: 7653 (new)
tags: pullup
target_version: 1.11.4
|
|
|
|
|
|
|
| |
If yasm and cpuid.h are present on a Linux i686 or x64 system, compile
the modified Intel AES-NI assembly sources. In the builtin AES enc
provider, check at runtime whether the CPU supports AES-NI
instructions and use the assembly functions if so.
|
|
|
|
|
|
| |
Add assembly files from the Intel AESNI Sample Library, version 1.2,
which implement AES encryption using AES-NI instructions. Trailing
whitespace was removed.
|
|
|
|
| |
These two files are merged into the profile for KDC applications
|
|
|
|
|
|
|
|
| |
On many Linux systems, due to what is arguably a bug in rpcbind, the
portmapper doesn't allow service registration from non-root processes.
This causes the RPC tests to be frequently skipped. Modify the tests
so that they don't need the portmapper, by grabbing the port number
from the server process and passing it to the client.
|
|
|
|
|
|
| |
The addition of the KRB5_PADATA_AS_CHECKSUM macro in d7d74867952f caused
the doxygen bridge to emit a new RST file. This file was not included in
the API reference toctree, causing a build failure in maintainer-mode.
|
|
|
|
| |
Missed when converting the old nroff man pages.
|
|
|
|
|
|
|
| |
Add an API to duplicate keytab handles, mirroring krb5_cc_dup. Use it
to simplify the krb5 GSS acquire_cred code.
ticket: 7599 (new)
|
| |
|
|
|
|
|
|
| |
Also exclude copyright.rst from the notice.txt build, as maintainer-mode
builds error out due to the "document isn't included in any toctree"
warning otherwise produced.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
k5srvutil is a little more convenient to use for rolling keys than
kadmin is. When migrating off 1DES, though, it may be desirable to
explicitly specify the desired keysalts. This adds an option, -e, to
k5srvutil to specify desired keysalts.
[ghudson@mit.edu: style fix; make whitespace in keysalt list work]
ticket: 7589 (new)
|
|
|
|
| |
ticket: 7583
|
|
|
|
|
|
|
| |
Rename krb5_free_ktypes to krb5_free_enctypes and add it to the public
API.
ticket: 7584
|
|
|
|
|
|
|
| |
Get rid of the code to dump and load -b6 and -old format dump files.
Loading these versions hasn't worked since at least 1.3.
ticket: 7564 (new)
|
| |
|