Update manpages

3 files changed, 16 insertions, 7 deletions

diff --git a/src/man/kdc.conf.man b/src/man/kdc.conf.man
index 3f83afc..7fbe7d5 100644
--- a/src/man/kdc.conf.man
+++ b/src/man/kdc.conf.man
@@ -310,13 +310,11 @@ historically used by Kerberos V4.
 .B \fBkdc_tcp_ports\fP
 (Whitespace\- or comma\-separated list.)  Lists the ports on which
 the Kerberos server should listen for TCP connections, as a
-comma\-separated list of integers.  If this relation is not
-specified, the compiled\-in default is not to listen for TCP
-connections at all.
-.sp
-If you wish to change this (note that the current implementation
-has little protection against denial\-of\-service attacks), the
-standard port number assigned for Kerberos TCP traffic is port 88.
+comma\-separated list of integers.  To disable listening on TCP,
+set this relation to the empty string with \fBkdc_tcp_ports = ""\fP\&.
+If this relation is not specified, the default is to listen on TCP
+port 88 (the standard port).  Prior to release 1.13, the default
+was not to listen for TCP connections at all.
 .TP
 .B \fBmaster_key_name\fP
 (String.)  Specifies the name of the principal associated with the
diff --git a/src/man/kinit.man b/src/man/kinit.man
index 560460c..ae1a448 100644
--- a/src/man/kinit.man
+++ b/src/man/kinit.man
@@ -123,6 +123,11 @@ with the validated ticket.
 requests renewal of the ticket\-granting ticket.  Note that an
 expired ticket cannot be renewed, even if the ticket is still
 within its renewable life.
+.sp
+Note that renewable tickets that have expired as reported by
+\fIklist(1)\fP may sometimes be renewed using this option,
+because the KDC applies a grace period to account for client\-KDC
+clock skew.  See \fIkrb5.conf(5)\fP \fBclockskew\fP setting.
 .TP
 .B \fB\-k\fP [\fB\-i\fP | \fB\-t\fP \fIkeytab_file\fP]
 requests a ticket, obtained from a key in the local host\(aqs keytab.
diff --git a/src/man/krb5.conf.man b/src/man/krb5.conf.man
index 6647ae5..f6a87d4 100644
--- a/src/man/krb5.conf.man
+++ b/src/man/krb5.conf.man
@@ -216,6 +216,12 @@ Kerberos which interact with credential caches on the same host.
 Sets the maximum allowable amount of clockskew in seconds that the
 library will tolerate before assuming that a Kerberos message is
 invalid.  The default value is 300 seconds, or five minutes.
+.sp
+The clockskew setting is also used when evaluating ticket start
+and expiration times.  For example, tickets that have reached
+their expiration time can still be used (and renewed if they are
+renewable tickets) if they have been expired for a shorter
+duration than the \fBclockskew\fP setting.
 .TP
 .B \fBdefault_ccache_name\fP
 This relation specifies the name of the default credential cache.