author Greg Hudson <ghudson@mit.edu> 2017-09-25 11:43:56 -0400
committer Greg Hudson <ghudson@mit.edu> 2017-09-25 11:43:56 -0400
commit 653091afa16dc7c1d0fbe6044be19f7feb323072 (patch)
tree 12e75904a1cfea9ca860ee2390c02c628bacbe3d
parent 227a6e5e6385020e90538c2ad439606d4cbff044 (diff)
Update man pages
-rw-r--r-- src/man/kadm5.acl.man 25
-rw-r--r-- src/man/kdc.conf.man 2
-rw-r--r-- src/man/krb5.conf.man 13
3 files changed, 21 insertions, 19 deletions
diff --git a/src/man/kadm5.acl.man b/src/man/kadm5.acl.man
index 9043775..25a237f 100644
--- a/src/man/kadm5.acl.man
+++ b/src/man/kadm5.acl.man
@@ -230,16 +230,17 @@ sms@ATHENA.MIT.EDU x * \-maxlife 9h \-postdateable # line 6
.UNINDENT
.UNINDENT
.sp
-(line 1) Any principal in the \fBATHENA.MIT.EDU\fP realm with
-an \fBadmin\fP instance has all administrative privileges.
+(line 1) Any principal in the \fBATHENA.MIT.EDU\fP realm with an
+\fBadmin\fP instance has all administrative privileges except extracting
+keys.
.sp
-(lines 1\-3) The user \fBjoeadmin\fP has all permissions with his
-\fBadmin\fP instance, \fBjoeadmin/admin@ATHENA.MIT.EDU\fP (matches line
-1). He has no permissions at all with his null instance,
-\fBjoeadmin@ATHENA.MIT.EDU\fP (matches line 2). His \fBroot\fP and other
-non\-\fBadmin\fP, non\-null instances (e.g., \fBextra\fP or \fBdbadmin\fP) have
-inquire permissions with any principal that has the instance \fBroot\fP
-(matches line 3).
+(lines 1\-3) The user \fBjoeadmin\fP has all permissions except
+extracting keys with his \fBadmin\fP instance,
+\fBjoeadmin/admin@ATHENA.MIT.EDU\fP (matches line 1). He has no
+permissions at all with his null instance, \fBjoeadmin@ATHENA.MIT.EDU\fP
+(matches line 2). His \fBroot\fP and other non\-\fBadmin\fP, non\-null
+instances (e.g., \fBextra\fP or \fBdbadmin\fP) have inquire permissions
+with any principal that has the instance \fBroot\fP (matches line 3).
.sp
(line 4) Any \fBroot\fP principal in \fBATHENA.MIT.EDU\fP can inquire
or change the password of their null instance, but not any other
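Review bot: The new qualifier "except extracting keys" in the line 1 and lines 1-3 explanations says what these entries do not grant, but not how key extraction would be granted. An administrator reading only this examples section cannot tell whether extraction needs its own permission letter in the ACL entry or cannot be delegated at all. Suggest naming the permission here or pointing to the permissions list, so the exception is actionable rather than just a caveat.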
@@ -253,9 +254,9 @@ permission can only be granted globally, not to specific target
principals.
.sp
(line 6) Finally, the Service Management System principal
-\fBsms@ATHENA.MIT.EDU\fP has all permissions, but any principal that it
-creates or modifies will not be able to get postdateable tickets or
-tickets with a life of longer than 9 hours.
+\fBsms@ATHENA.MIT.EDU\fP has all permissions except extracting keys, but
+any principal that it creates or modifies will not be able to get
+postdateable tickets or tickets with a life of longer than 9 hours.
.SH SEE ALSO
.sp
\fIkdc.conf(5)\fP, \fIkadmind(8)\fP
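Review bot: In the line 6 explanation, "has all permissions except extracting keys, but any principal that it creates or modifies ..." now chains an exception and a restriction in one sentence, so the "but" clause can be misread as qualifying key extraction. Suggest ending the sentence after "extracting keys" and starting a new one with "Any principal that it creates or modifies will not be able to get postdateable tickets ...".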
diff --git a/src/man/kdc.conf.man b/src/man/kdc.conf.man
index 10b333c..1744af3 100644
--- a/src/man/kdc.conf.man
+++ b/src/man/kdc.conf.man
@@ -1031,7 +1031,7 @@ _
T{
aes
T} T{
-The AES family: aes256\-cts\-hmac\-sha1\-96 and aes128\-cts\-hmac\-sha1\-96
+The AES family: aes256\-cts\-hmac\-sha1\-96, aes128\-cts\-hmac\-sha1\-96, aes256\-cts\-hmac\-sha384\-192, and aes128\-cts\-hmac\-sha256\-128
T}
_
T{
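Review bot: The expanded description of the aes family lists the new types as aes256-cts-hmac-sha384-192 followed by aes128-cts-hmac-sha256-128, while the default enctype lists changed in krb5.conf.man in this same commit put aes128-cts-hmac-sha256-128 first. Use one order on both pages so readers do not infer a different preference from each. Since the family keyword now covers four enctypes, it is also worth saying from which release that is true, because a configuration that names aes will silently mean something different on older and newer installations.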
diff --git a/src/man/krb5.conf.man b/src/man/krb5.conf.man
index 4e350bd..6924759 100644
--- a/src/man/krb5.conf.man
+++ b/src/man/krb5.conf.man
@@ -112,9 +112,10 @@ includedir DIRNAME
directory must exist and be readable. Including a directory includes
all files within the directory whose names consist solely of
alphanumeric characters, dashes, or underscores. Starting in release
-1.15, files with names ending in ".conf" are also included. Included
-profile files are syntactically independent of their parents, so each
-included file must begin with a section header.
+1.15, files with names ending in ".conf" are also included, unless the
+name begins with ".". Included profile files are syntactically
+independent of their parents, so each included file must begin with a
+section header.
.sp
The krb5.conf file can specify that configuration should be obtained
from a loadable module, rather than the file itself, using the
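Review bot: The added clause "unless the name begins with "."" is attached to the "Starting in release 1.15" sentence, so it reads as if the dot-file exclusion has applied since 1.15. If the exclusion arrived in a later release, say so explicitly, for example "Starting in release X, such files are skipped if the name begins with "."", because on releases in between a hidden file ending in ".conf" left in the directory would still be loaded as configuration.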
@@ -257,7 +258,7 @@ the client should request when making a TGS\-REQ, in order of
preference from highest to lowest. The list may be delimited with
commas or whitespace. See \fIEncryption_types\fP in
\fIkdc.conf(5)\fP for a list of the accepted values for this tag.
-The default value is \fBaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 des3\-cbc\-sha1 arcfour\-hmac\-md5 camellia256\-cts\-cmac camellia128\-cts\-cmac des\-cbc\-crc des\-cbc\-md5 des\-cbc\-md4\fP, but single\-DES encryption types
+The default value is \fBaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha256\-128 aes256\-cts\-hmac\-sha384\-192 des3\-cbc\-sha1 arcfour\-hmac\-md5 camellia256\-cts\-cmac camellia128\-cts\-cmac des\-cbc\-crc des\-cbc\-md5 des\-cbc\-md4\fP, but single\-DES encryption types
will be implicitly removed from this list if the value of
\fBallow_weak_crypto\fP is false.
.sp
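Review bot: The new default string places aes128-cts-hmac-sha256-128 before aes256-cts-hmac-sha384-192 and both after the two SHA-1 AES types, and the surrounding text says the list is "in order of preference from highest to lowest". As documented, the client therefore prefers the SHA-1 AES types over the SHA-2 ones and the 128-bit SHA-2 type over the 256-bit one. If that matches the compiled-in default, a short sentence explaining the ordering would help; if not, the list should be reordered to match.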
@@ -271,7 +272,7 @@ Identifies the supported list of session key encryption types that
the client should request when making an AS\-REQ, in order of
preference from highest to lowest. The format is the same as for
default_tgs_enctypes. The default value for this tag is
-\fBaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 des3\-cbc\-sha1 arcfour\-hmac\-md5 camellia256\-cts\-cmac camellia128\-cts\-cmac des\-cbc\-crc des\-cbc\-md5 des\-cbc\-md4\fP, but single\-DES encryption types will be implicitly
+\fBaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha256\-128 aes256\-cts\-hmac\-sha384\-192 des3\-cbc\-sha1 arcfour\-hmac\-md5 camellia256\-cts\-cmac camellia128\-cts\-cmac des\-cbc\-crc des\-cbc\-md5 des\-cbc\-md4\fP, but single\-DES encryption types will be implicitly
removed from this list if the value of \fBallow_weak_crypto\fP is
false.
.sp
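Review bot: The eleven-enctype default string added here is the same literal as the one in the default_tgs_enctypes hunk above and the permitted_enctypes hunk below, so each future enctype change has to be made in three places and they can drift apart. The paragraph already says "The format is the same as for default_tgs_enctypes"; consider extending that to the default value and keeping the full list in one entry only.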
@@ -454,7 +455,7 @@ used across NATs. The default value is true.
.B \fBpermitted_enctypes\fP
Identifies all encryption types that are permitted for use in
session key encryption. The default value for this tag is
-\fBaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 des3\-cbc\-sha1 arcfour\-hmac\-md5 camellia256\-cts\-cmac camellia128\-cts\-cmac des\-cbc\-crc des\-cbc\-md5 des\-cbc\-md4\fP, but single\-DES encryption types will be implicitly
+\fBaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha256\-128 aes256\-cts\-hmac\-sha384\-192 des3\-cbc\-sha1 arcfour\-hmac\-md5 camellia256\-cts\-cmac camellia128\-cts\-cmac des\-cbc\-crc des\-cbc\-md5 des\-cbc\-md4\fP, but single\-DES encryption types will be implicitly
removed from this list if the value of \fBallow_weak_crypto\fP is
false.
.TP
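Review bot: The permitted_enctypes default gains aes128-cts-hmac-sha256-128 and aes256-cts-hmac-sha384-192 with no indication of the release in which they became available, although the includedir text in this same file uses a "Starting in release ..." marker for behaviour changes. An administrator copying this default into a krb5.conf used by older clients has no hint that those names may not be recognised there. Suggest adding a release marker for the two new types.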