diff options
author | Tom Yu <tlyu@mit.edu> | 2014-09-24 14:43:56 -0400 |
---|---|---|
committer | Tom Yu <tlyu@mit.edu> | 2014-09-25 16:06:41 -0400 |
commit | c832e5dffca879f3a0c0b0f29413092a6977f338 (patch) | |
tree | ac8c0b7a78058819dc08f98a76b2b0e0cade0cb3 | |
parent | 11131b6764be463209f81d2930a0f94ac79b1428 (diff) | |
download | krb5-c832e5dffca879f3a0c0b0f29413092a6977f338.zip krb5-c832e5dffca879f3a0c0b0f29413092a6977f338.tar.gz krb5-c832e5dffca879f3a0c0b0f29413092a6977f338.tar.bz2 |
Update manpages
-rw-r--r-- | src/man/kdc.conf.man | 12 | ||||
-rw-r--r-- | src/man/kinit.man | 5 | ||||
-rw-r--r-- | src/man/krb5.conf.man | 6 |
3 files changed, 16 insertions, 7 deletions
diff --git a/src/man/kdc.conf.man b/src/man/kdc.conf.man index 3f83afc..7fbe7d5 100644 --- a/src/man/kdc.conf.man +++ b/src/man/kdc.conf.man @@ -310,13 +310,11 @@ historically used by Kerberos V4. .B \fBkdc_tcp_ports\fP (Whitespace\- or comma\-separated list.) Lists the ports on which the Kerberos server should listen for TCP connections, as a -comma\-separated list of integers. If this relation is not -specified, the compiled\-in default is not to listen for TCP -connections at all. -.sp -If you wish to change this (note that the current implementation -has little protection against denial\-of\-service attacks), the -standard port number assigned for Kerberos TCP traffic is port 88. +comma\-separated list of integers. To disable listening on TCP, +set this relation to the empty string with \fBkdc_tcp_ports = ""\fP\&. +If this relation is not specified, the default is to listen on TCP +port 88 (the standard port). Prior to release 1.13, the default +was not to listen for TCP connections at all. .TP .B \fBmaster_key_name\fP (String.) Specifies the name of the principal associated with the diff --git a/src/man/kinit.man b/src/man/kinit.man index 560460c..ae1a448 100644 --- a/src/man/kinit.man +++ b/src/man/kinit.man @@ -123,6 +123,11 @@ with the validated ticket. requests renewal of the ticket\-granting ticket. Note that an expired ticket cannot be renewed, even if the ticket is still within its renewable life. +.sp +Note that renewable tickets that have expired as reported by +\fIklist(1)\fP may sometimes be renewed using this option, +because the KDC applies a grace period to account for client\-KDC +clock skew. See \fIkrb5.conf(5)\fP \fBclockskew\fP setting. .TP .B \fB\-k\fP [\fB\-i\fP | \fB\-t\fP \fIkeytab_file\fP] requests a ticket, obtained from a key in the local host\(aqs keytab. diff --git a/src/man/krb5.conf.man b/src/man/krb5.conf.man index 6647ae5..f6a87d4 100644 --- a/src/man/krb5.conf.man +++ b/src/man/krb5.conf.man @@ -216,6 +216,12 @@ Kerberos which interact with credential caches on the same host. Sets the maximum allowable amount of clockskew in seconds that the library will tolerate before assuming that a Kerberos message is invalid. The default value is 300 seconds, or five minutes. +.sp +The clockskew setting is also used when evaluating ticket start +and expiration times. For example, tickets that have reached +their expiration time can still be used (and renewed if they are +renewable tickets) if they have been expired for a shorter +duration than the \fBclockskew\fP setting. .TP .B \fBdefault_ccache_name\fP This relation specifies the name of the default credential cache. |