krb5.git/doc/admin, branch master MIT Kerberos patches Remove indent workaround in man page RST sources 2014-07-02T14:11:00+00:00 Greg Hudson ghudson@mit.edu 2014-06-12T18:34:26+00:00 4bd50f73c80a86852ec0879abdf52202be40892b docutils 0.10 properly adds indentation to example blocks in man pages, so we do not need to force an extra indentation level. Get rid of the workaround wherever we use it. ticket: 7954 (new) target_version: 1.12.2 tags: pullup 
docutils 0.10 properly adds indentation to example blocks in man
pages, so we do not need to force an extra indentation level.  Get rid
of the workaround wherever we use it.

ticket: 7954 (new)
target_version: 1.12.2
tags: pullup
Consolidate DB option documentation 2014-06-18T18:55:36+00:00 Greg Hudson ghudson@mit.edu 2014-06-16T19:46:09+00:00 1cddc360c25386a55dc2f2d44056c88721784dd6 Document DB options in the kadmin/kadmin.local man page, in their own section. Refer to that section from the documentation of the -x parameter of each other command which supports DB options. Add documentation for the "dbname" DB2 option. ticket: 7946 (new) target_version: 1.12.2 tags: pullup 
Document DB options in the kadmin/kadmin.local man page, in their own
section.  Refer to that section from the documentation of the -x
parameter of each other command which supports DB options.  Add
documentation for the "dbname" DB2 option.

ticket: 7946 (new)
target_version: 1.12.2
tags: pullup
Update the kadm5.acl example 2014-06-16T19:43:10+00:00 Ben Kaduk kaduk@mit.edu 2014-06-13T18:59:39+00:00 70b2ba4852913ceb2bdc9a57edd487da8230f813 Make the example and documentation a closer match to reality. In particular, the list permission is all-or-nothing; it is not restricted in scope by the target_principal field. Change the table entry to try and indicate this fact, and do not put list permissions on any example line that is scoped by a target_principal pattern. While here, remove the nonsensical granting of global inquire permissions to */* (inaccurately described as "all principals"), and the granting of privileges to foreign-realm principals. It is not possible to obtain an initial ticket (as required by the kadmin service) for a principal in a different realm, and the current kadmind implementation can serve only a single realm at a time -- this permission literally has no effect. Replace it with a (presumably automated) "Service Management System" example, where it might make sense to limit the principals which are automatically created. ticket: 7939 
Make the example and documentation a closer match to reality.
In particular, the list permission is all-or-nothing; it is not
restricted in scope by the target_principal field.  Change the
table entry to try and indicate this fact, and do not put list
permissions on any example line that is scoped by a target_principal
pattern.

While here, remove the nonsensical granting of global inquire
permissions to */* (inaccurately described as "all principals"),
and the granting of privileges to foreign-realm principals.
It is not possible to obtain an initial ticket (as required by
the kadmin service) for a principal in a different realm, and
the current kadmind implementation can serve only a single realm
at a time -- this permission literally has no effect.  Replace
it with a (presumably automated) "Service Management System"
example, where it might make sense to limit the principals which
are automatically created.

ticket: 7939
Remove pkinit_win2k_require_binding option 2014-06-13T04:31:27+00:00 Greg Hudson ghudson@mit.edu 2014-06-07T03:24:00+00:00 823bad7f3f314647feb14284bc36fa231c9c7875 When constructing a draft9 PKINIT request, always include KRB5_PADATA_AS_CHECKSUM padata to ask for an RFC 4556 ReplyKeyPack. Do not accept a draft9 ReplyKeyPack in the KDC response. For now, retain the krb5_reply_key_pack_draft9 ASN.1 codec and the KDC support for generating a draft9 ReplyKeyPack when a draft9 PKINIT request does not contain KRB5_PADATA_AS_CHECKSUM. ticket: 7933 
When constructing a draft9 PKINIT request, always include
KRB5_PADATA_AS_CHECKSUM padata to ask for an RFC 4556 ReplyKeyPack.
Do not accept a draft9 ReplyKeyPack in the KDC response.

For now, retain the krb5_reply_key_pack_draft9 ASN.1 codec and the KDC
support for generating a draft9 ReplyKeyPack when a draft9 PKINIT
request does not contain KRB5_PADATA_AS_CHECKSUM.

ticket: 7933
Remove PKINIT longhorn compatibility option 2014-06-12T17:16:24+00:00 Greg Hudson ghudson@mit.edu 2014-06-07T02:48:04+00:00 cd06659844f9671d6ca9955fa6d3ee6e0806c7f1 Remove the PKINIT Windows Server 2008 beta compatibility code conditionalized under the "longhorn" variable. It is not required to interoperate with any released version of Windows. ticket: 7934 (new) 
Remove the PKINIT Windows Server 2008 beta compatibility code
conditionalized under the "longhorn" variable.  It is not required to
interoperate with any released version of Windows.

ticket: 7934 (new)
Improve PKINIT certificate documentation 2014-06-12T17:14:08+00:00 Greg Hudson ghudson@mit.edu 2014-06-06T21:41:51+00:00 677c7753923e5efa078074611d4474fbcc10f6a1 Describe how to use a commercially-issued server certificate for anonymous PKINIT. Separate the KDC and client configuration instructions so that the steps necessary for anonymous PKINIT are not combined with the additional steps necessary for regular PKINIT. Describe kpServerAuth as the EKU used in commercially issued server certificates, not as the value used by Microsoft (which does not appear to be true according to [MS-PKCA]). ticket: 7931 (new) target_version: 1.12.2 tags: pullup 
Describe how to use a commercially-issued server certificate for
anonymous PKINIT.  Separate the KDC and client configuration
instructions so that the steps necessary for anonymous PKINIT are not
combined with the additional steps necessary for regular PKINIT.
Describe kpServerAuth as the EKU used in commercially issued server
certificates, not as the value used by Microsoft (which does not
appear to be true according to [MS-PKCA]).

ticket: 7931 (new)
target_version: 1.12.2
tags: pullup
Do not document pkinit_win2k 2014-06-11T20:38:38+00:00 Greg Hudson ghudson@mit.edu 2014-06-06T21:57:40+00:00 e161636590429aa78a3f04a8bbe0a36dda48a8ab This variable was never used in the PKINIT code as it was contributed; there was only code to read its value. ticket: 7932 (new) target_version: 1.12.2 tags: pullup 
This variable was never used in the PKINIT code as it was contributed;
there was only code to read its value.

ticket: 7932 (new)
target_version: 1.12.2
tags: pullup
Do not document pkinit_mapping_file 2014-06-03T16:19:52+00:00 Greg Hudson ghudson@mit.edu 2014-06-01T14:41:27+00:00 8da21b0ec18cf9306a8c1b3410d5c6ab36acdd21 This feature was never implemented in the PKINIT code as it was contributed; there was only stub support for reading the filename. ticket: 7928 (new) target_version: 1.12.2 tags: pullup 
This feature was never implemented in the PKINIT code as it was
contributed; there was only stub support for reading the filename.

ticket: 7928 (new)
target_version: 1.12.2
tags: pullup
Add some longer-form docs for HTTPS 2014-06-02T22:40:49+00:00 Nalin Dahyabhai nalin@dahyabhai.net 2014-04-22T20:31:14+00:00 b52acabf478e8d1aa19f7823aade81eed1553143 Add some longer-form documentation for the new HTTPS support, walking a prospective administrator through generating a bare minimal signing setup, deploying a WSGI-based proxy server onto an Apache httpd server using mod_ssl and mod_wsgi, and configuring clients to use it. ticket: 7929 
Add some longer-form documentation for the new HTTPS support, walking a
prospective administrator through generating a bare minimal signing
setup, deploying a WSGI-based proxy server onto an Apache httpd server
using mod_ssl and mod_wsgi, and configuring clients to use it.

ticket: 7929
Load custom anchors when using KKDCP 2014-06-02T22:09:47+00:00 Nalin Dahyabhai nalin@dahyabhai.net 2014-04-17T21:17:13+00:00 f220067c2969aab107bd1300ad1cb8d4855389a7 Add an http_anchors per-realm setting which we'll apply when using an HTTPS proxy, more or less mimicking the syntax of its similarly-named PKINIT counterpart. We only check the [realms] section, though. ticket: 7929 
Add an http_anchors per-realm setting which we'll apply when using an
HTTPS proxy, more or less mimicking the syntax of its similarly-named
PKINIT counterpart.  We only check the [realms] section, though.

ticket: 7929