path: root/doc
Commit message | Author | Age | Files | Lines
* Move kprop error explanation into Troubleshooting | Zhanna Tsitkov | 2013-12-19 | 2 | -48/+77
  The plan is to make the Troubleshooting section of the documentation a one-stop-shop place for all error diagnostics, explanations and possible solutions. The relocation of the kprop error message descriptions is part of this consolidation effort.
* Clarify klist -s documentation | Greg Hudson | 2013-12-17 | 1 | -4/+3
  The documentation for klist -s erroneously suggests that it doesn't affect the exit status behavior and that it merely checks for the existence of the ccache (only mentioning the expired ticket check at the end). Make it clearer and simpler, but avoid going into a lot of detail about the nature of the expiration check.
  ticket: 7806 (new)
  target_version: 1.12.1
  tags: pullup
* Better keysalt docs | Tom Yu | 2013-12-09 | 6 | -39/+62
  Add a new section to kdc_conf.rst to describe keysalt lists, and update other documentation to better distinguish enctype lists from keysalt lists.
  ticket: 7608
  target_version: 1.12
  tags: pullup
* Fix error message quotations in install_kdc.rst | Tom Yu | 2013-12-03 | 1 | -6/+5
  Some error messages that kprop could print were quoted incorrectly in install_kdc.rst. Also fix minor typos.
  ticket: 7785 (new)
  target_version: 1.12
  tags: pullup
* Update doc for current kdb5_util dump version | Tom Yu | 2013-11-22 | 1 | -1/+1
  kdb5_util.rst incorrectly describes the current default dump format version as 6 when it should be 7. Reported by Jeff D'Angelo.
  ticket: 7777
  target_version: 1.12
  tags: pullup
* Edit ccache_def.rst | Greg Hudson | 2013-11-22 | 1 | -79/+83
  Re-fill to 70 columns. Replace non-ascii apostrophes with ASCII ones. Edit wording slightly.
  ticket: 7776
* Added a new ccache doc to "Kerberos V5 concepts" | Zhanna Tsitkov | 2013-11-22 | 2 | -0/+135
  This is to add a short introductory document on credential caches to the Concepts section of Kerberos documentation.
  ticket: 7776 (new)
  target_version: 1.12
  tags: pullup
* Correct kadm5.acl back-reference documentation | Greg Hudson | 2013-11-21 | 1 | -3/+4
  In kadm5.acl, *N in the target principal name refers to the Nth wildcard in the acting principal pattern, not the Nth component.
  ticket: 7774 (new)
  target_version: 1.12
  tags: pullup
* Clarify lockout replication issues in docs | Greg Hudson | 2013-11-18 | 1 | -7/+13
  In the "KDC replication and account lockout" section of lockout.rst, specifically call out kprop and incremental propagation as the mechanisms which do not replicate account lockout state, and add a note that KDCs using LDAP may not be affected by that section's concerns.
  ticket: 7773 (new)
  target_version: 1.12
  tags: pullup
* Remove dangling --with-kdc-kdb-update references | Greg Hudson | 2013-11-17 | 1 | -9/+0
  This configure option hasn't done anything since 1.8, so don't mention it in configure --help or the documentation. The disable_last_success and disable_lockout DB options are now used to turn it off.
* Clarify realm and dbmodules configuration docs | Greg Hudson | 2013-11-06 | 1 | -23/+34
  In kdc_conf.rst, add examples showing how to configure a realm parameter and a database parameter. Document that the default DB configuration section is the realm name, and use that in the example. Move the db_module_dir description to the end of the [dbmodules] documentation since it is rarely used and could confuse a reader about the usual structure of the section.
  ticket: 7759 (new)
  target_version: 1.12
  tags: pullup
* Clarify kpropd standalone mode documentation | Greg Hudson | 2013-11-01 | 1 | -15/+12
  The kpropd -S option is no longer needed to run kpropd in standalone mode, but its functionality is not deprecated; standalone mode is automatically activated when appropriate. Clarify the kpropd documentation on standalone mode to avoid giving the impression that the mode is deprecated.
  ticket: 7751 (new)
  target_version: 1.12
  tags: pullup
* Document master key rollover | Greg Hudson | 2013-10-30 | 1 | -0/+51
  Add a new section to database.rst documenting the procedure for rolling the master key.
  ticket: 7732 (new)
  target_version: 1.12
  tags: pullup
* Use active master key in update_princ_encryption | Greg Hudson | 2013-10-25 | 1 | -2/+2
  kdb5_util update_princ_encryption should update to the active master key version, not the most recent.
  ticket: 6507
  target_version: 1.12
  tags: pullup
* Discuss cert expiry, no-key princs in PKINIT docs | Greg Hudson | 2013-10-17 | 2 | -6/+46
  In pkinit.rst, add "-days" options to the example commands for creating certificates and briefly discuss the issue of expiration dates so that the administrator thinks about it. In troubleshoot.rst, add an entry for the "certificate has expired" error which results from PKINIT (when linked with OpenSSL) when a certificate has expired.
  ticket: 7719 (new)
  target_version: 1.12
  tags: pullup
* Fix literal blocks in gssapi.rst | Tom Yu | 2013-09-20 | 1 | -2/+2
  Some literal blocks in the new AEAD and IOV documentation in gssapi.rst started with ":" instead of "::", causing documentation build errors.
* Release krb5-1.9 is not supported anymore | Zhanna Tsitkov | 2013-09-19 | 1 | -1/+1
  Release 1.9.5 was the last planned release for the krb5-1.9 series.
* Document AEAD and IOV GSSAPI extensions | Greg Hudson | 2013-09-18 | 1 | -0/+295
* Add a flag to prevent all host canonicalization | Greg Hudson | 2013-09-06 | 1 | -1/+9
  If dns_canonicalize_hostname is set to false in [libdefaults], krb5_sname_to_principal will not canonicalize the hostname using either forward or reverse lookups.
  ticket: 7703 (new)
* Omit signedpath if no_auth_data_required is set | Greg Hudson | 2013-08-20 | 2 | -2/+11
  The no_auth_data_required bit was introduced to suppress PACs in service tickets when the back end supports them. Make it also suppress AD-SIGNEDPATH, so that the ~70-byte expansion of the ticket can be avoided for services which aren't going to do constrained delegation.
  ticket: 7697 (new)
* Add a note about how to apply/remove policies | Brad Davis | 2013-08-16 | 1 | -0/+9
  Put a note in the policies section of the documentation for how to apply policies to principals.
  [kaduk@mit.edu: reformat commit message]
  ticket: 7693 (new)
* Document hostrealm interface | Greg Hudson | 2013-08-15 | 3 | -0/+66
  ticket: 7687
* Remove redundant domain_realm mappings | Ben Kaduk | 2013-08-12 | 1 | -7/+11
  This fixes a long-standing documentation bug where we claimed that a domain_realm mapping for a host name would not affect entries under that domain name. The code has always had the behavior where a host name mapping implies the corresponding domain name mapping, since the 1.0 release.
  While here, replace media-lab with csail in example files, as the media lab realm is no longer in use. Also strip port 88 from KDC specifications, and drop the harmful default_{tgs,tkt}_enctypes lines from src/util/profile/krb5.conf.
  Further cleanup on these files to remove defunct realms may be in order.
  ticket: 7690 (new)
  tags: pullup
  target_version: 1.11.4
* Fix doc build after PKINIT responder changes | Greg Hudson | 2013-07-18 | 2 | -0/+6
  Add new types and constants to the apiref index files.
* Add non-JSON APIs for PKINIT responder items | Nalin Dahyabhai | 2013-07-17 | 2 | -0/+19
  Add wrappers for the JSON-oriented APIs for PKINIT responder items, modeled after the API we provide for OTP items:
    * krb5_responder_pkinit_get_challenge() returns the list of identities for which we need PINs
    * krb5_responder_pkinit_challenge_free() frees the structure that was returned by krb5_responder_pkinit_get_challenge()
    * krb5_responder_pkinit_set_answer() sets the answer to the PIN for one of the identities
  [ghudson@mit.edu: style cleanup; added comment pointing to main body of PKINIT module]
  ticket: 7680
* Add kadmin support for principals without keys | Greg Hudson | 2013-07-15 | 1 | -2/+8
  Add kadmin support for "addprinc -nokey", which creates a principal with no keys, and "purgekeys -all", which deletes all keys from a principal. The KDC was modified by #7630 to support principals without keys.
  ticket: 7679 (new)
* Add server-side otp preauth plugin | Nathaniel McCallum | 2013-07-11 | 3 | -0/+152
  This plugin implements the proposal for providing OTP support by proxying requests to RADIUS. Details can be found inside the provided documentation as well as on the project page.
  http://k5wiki.kerberos.org/wiki/Projects/OTPOverRADIUS
  ticket: 7678
* Mention old preauth header file in docs | Greg Hudson | 2013-07-10 | 2 | -2/+4
  The previous commit updated the header file references for 1.12 in the clpreauth and kdcpreauth plugin interface documentation. Add a parenthetical so that the reference is still useful for prior releases.
* Reference correct preauth header files | Greg Hudson | 2013-07-03 | 2 | -2/+2
  The clpreauth and kdcpreauth header files are split up for 1.12. In clpreauth.rst and kdcpreauth.rst, reference the correct header files for each.
* Document dict_file format | Greg Hudson | 2013-07-01 | 1 | -3/+4
  Briefly describe the format of the kadmin dictionary file in kdc_conf.rst.
* Rely on module ordering for localauth | Greg Hudson | 2013-06-27 | 2 | -19/+19
  Register built-in localauth modules in the order we want them used by default, and document accordingly.
  ticket: 7665
* Provide plugin module ordering guarantees | Greg Hudson | 2013-06-27 | 1 | -0/+6
  Rewrite the plugin internals so that modules have a well-defined order--either the order of enable_only tags, or dynamic modules followed by the built-in modules in order of registration.
  ticket: 7665 (new)
* Clean up dangling antecedent in allow_weak_crypto | Ben Kaduk | 2013-05-31 | 1 | -6/+6
  The "previous three lists" are not previous any more. Say explicitly which three lists, and make the parenthetical bind to the correct noun.
  ticket: 7655 (new)
  tags: pullup
  target_version: 1.11.4
* Clarify retiring-des based on user feedback | Ben Kaduk | 2013-05-31 | 1 | -2/+18
  Explain why DES keys should be removed from principals, and clarify that allow_weak_crypto overrides all other configuration.
  ticket: 7654 (new)
  tags: pullup
  target_version: 1.11.4
* Document preauth flags for service principals | Ben Kaduk | 2013-05-31 | 1 | -2/+8
  These flags are overloaded to mean different things for clients and servers; previously we only documented the client behavior.
  ticket: 7653 (new)
  tags: pullup
  target_version: 1.11.4
* Add AES-NI support on Linux | Greg Hudson | 2013-05-24 | 1 | -0/+3
  If yasm and cpuid.h are present on a Linux i686 or x64 system, compile the modified Intel AES-NI assembly sources. In the builtin AES enc provider, check at runtime whether the CPU supports AES-NI instructions and use the assembly functions if so.
* Add Intel AESNI assembly files | Greg Hudson | 2013-05-24 | 1 | -0/+38
  Add assembly files from the Intel AESNI Sample Library, version 1.2, which implement AES encryption using AES-NI instructions. Trailing whitespace was removed.
* Clarify that kdc.conf and krb5.conf are merged | Ben Kaduk | 2013-05-20 | 2 | -1/+14
  These two files are merged into the profile for KDC applications.
* Don't use portmapper in RPC tests | Greg Hudson | 2013-05-01 | 1 | -3/+0
  On many Linux systems, due to what is arguably a bug in rpcbind, the portmapper doesn't allow service registration from non-root processes. This causes the RPC tests to be frequently skipped. Modify the tests so that they don't need the portmapper, by grabbing the port number from the server process and passing it to the client.
* Fix doc build | Ben Kaduk | 2013-04-18 | 1 | -0/+1
  The addition of the KRB5_PADATA_AS_CHECKSUM macro in d7d74867952f caused the doxygen bridge to emit a new RST file. This file was not included in the API reference toctree, causing a build failure in maintainer-mode.
* Add a krb5-config man page | Ben Kaduk | 2013-04-03 | 3 | -0/+87
  Missed when converting the old nroff man pages.
* Add krb5_kt_dup API and use it in two places | Greg Hudson | 2013-04-01 | 1 | -0/+1
  Add an API to duplicate keytab handles, mirroring krb5_cc_dup. Use it to simplify the krb5 GSS acquire_cred code.
  ticket: 7599 (new)
* Replace "First introduced" with concise "New" | Zhanna Tsitkov | 2013-03-25 | 5 | -13/+10
* Rebuild NOTICE for 2013 | Ben Kaduk | 2013-03-21 | 1 | -2/+2
  Also exclude copyright.rst from the notice.txt build, as maintainer-mode builds error out due to the "document isn't included in any toctree" warning otherwise produced.
* Documentation Copyrights notice dates: 1985-2013 | Zhanna Tsitkov | 2013-03-20 | 3 | -3/+3
* Add support for k5srvutil -e keysalts | Alex Dehnert | 2013-03-11 | 1 | -1/+4
  k5srvutil is a little more convenient to use for rolling keys than kadmin is. When migrating off 1DES, though, it may be desirable to explicitly specify the desired keysalts. This adds an option, -e, to k5srvutil to specify desired keysalts.
  [ghudson@mit.edu: style fix; make whitespace in keysalt list work]
  ticket: 7589 (new)
* Document localauth interface | Greg Hudson | 2013-03-09 | 3 | -0/+79
  ticket: 7583
* Add krb5_free_enctypes API | Greg Hudson | 2013-02-27 | 1 | -0/+1
  Rename krb5_free_ktypes to krb5_free_enctypes and add it to the public API.
  ticket: 7584
* Remove -b6 and -old dump formats | Greg Hudson | 2013-02-04 | 1 | -21/+5
  Get rid of the code to dump and load -b6 and -old format dump files. Loading these versions hasn't worked since at least 1.3.
  ticket: 7564 (new)
* Refactor rellinks formatting in layout.html | Tom Yu | 2013-01-31 | 1 | -23/+15