diff options
Diffstat (limited to 'src/man')
-rw-r--r-- | src/man/k5identity.man | 12 | ||||
-rw-r--r-- | src/man/k5login.man | 2 | ||||
-rw-r--r-- | src/man/k5srvutil.man | 12 | ||||
-rw-r--r-- | src/man/kadm5.acl.man | 12 | ||||
-rw-r--r-- | src/man/kadmin.man | 202 | ||||
-rw-r--r-- | src/man/kadmind.man | 42 | ||||
-rw-r--r-- | src/man/kdb5_ldap_util.man | 88 | ||||
-rw-r--r-- | src/man/kdb5_util.man | 156 | ||||
-rw-r--r-- | src/man/kdc.conf.man | 246 | ||||
-rw-r--r-- | src/man/kdestroy.man | 10 | ||||
-rw-r--r-- | src/man/kinit.man | 62 | ||||
-rw-r--r-- | src/man/klist.man | 32 | ||||
-rw-r--r-- | src/man/kpasswd.man | 2 | ||||
-rw-r--r-- | src/man/kprop.man | 16 | ||||
-rw-r--r-- | src/man/kpropd.man | 36 | ||||
-rw-r--r-- | src/man/kproplog.man | 14 | ||||
-rw-r--r-- | src/man/krb5-config.man | 22 | ||||
-rw-r--r-- | src/man/krb5.conf.man | 198 | ||||
-rw-r--r-- | src/man/krb5kdc.man | 12 | ||||
-rw-r--r-- | src/man/ksu.man | 38 | ||||
-rw-r--r-- | src/man/kswitch.man | 8 | ||||
-rw-r--r-- | src/man/ktutil.man | 2 | ||||
-rw-r--r-- | src/man/kvno.man | 18 | ||||
-rw-r--r-- | src/man/sclient.man | 4 | ||||
-rw-r--r-- | src/man/sserver.man | 12 |
25 files changed, 629 insertions, 629 deletions
diff --git a/src/man/k5identity.man b/src/man/k5identity.man index 7f01e55..4a351c1 100644 --- a/src/man/k5identity.man +++ b/src/man/k5identity.man @@ -50,19 +50,19 @@ principal is chosen as the client principal. The following fields are recognized: .INDENT 0.0 .TP -.B \fBrealm\fP +\fBrealm\fP If the realm of the server principal is known, it is matched against \fIvalue\fP, which may be a pattern using shell wildcards. For host\-based server principals, the realm will generally only be -known if there is a \fIdomain_realm\fP section in -\fIkrb5.conf(5)\fP with a mapping for the hostname. +known if there is a domain_realm section in +krb5.conf(5) with a mapping for the hostname. .TP -.B \fBservice\fP +\fBservice\fP If the server principal is a host\-based principal, its service component is matched against \fIvalue\fP, which may be a pattern using shell wildcards. .TP -.B \fBhost\fP +\fBhost\fP If the server principal is a host\-based principal, its hostname component is converted to lower case and matched against \fIvalue\fP, which may be a pattern using shell wildcards. @@ -94,7 +94,7 @@ alice/mail@EXAMPLE.COM host=mail.example.com service=imap .UNINDENT .SH SEE ALSO .sp -kerberos(1), \fIkrb5.conf(5)\fP +kerberos(1), krb5.conf(5) .SH AUTHOR MIT .SH COPYRIGHT diff --git a/src/man/k5login.man b/src/man/k5login.man index c4acdf3..ab1e79a 100644 --- a/src/man/k5login.man +++ b/src/man/k5login.man @@ -56,7 +56,7 @@ bob@FOOBAR.ORG This would allow \fBbob\fP to use Kerberos network applications, such as ssh(1), to access \fBalice\fP\(aqs account, using \fBbob\fP\(aqs Kerberos tickets. In a default configuration (with \fBk5login_authoritative\fP set -to true in \fIkrb5.conf(5)\fP), this .k5login file would not let +to true in krb5.conf(5)), this .k5login file would not let \fBalice\fP use those network applications to access her account, since she is not listed! With no .k5login file, or with \fBk5login_authoritative\fP set to false, a default rule would permit the principal \fBalice\fP in the diff --git a/src/man/k5srvutil.man b/src/man/k5srvutil.man index 98f097f..21c86fa 100644 --- a/src/man/k5srvutil.man +++ b/src/man/k5srvutil.man @@ -45,11 +45,11 @@ or to delete non\-current keys from a keytab. \fIoperation\fP must be one of the following: .INDENT 0.0 .TP -.B \fBlist\fP +\fBlist\fP Lists the keys in a keytab, showing version number and principal name. .TP -.B \fBchange\fP +\fBchange\fP Uses the kadmin protocol to update the keys in the Kerberos database to new randomly\-generated keys, and updates the keys in the keytab to match. If a key\(aqs version number doesn\(aqt match the @@ -63,14 +63,14 @@ option. Old keys are retained in the keytab so that existing tickets continue to work, but \fBdelold\fP should be used after such tickets expire, to prevent attacks against the old keys. .TP -.B \fBdelold\fP +\fBdelold\fP Deletes keys that are not the most recent version from the keytab. This operation should be used some time after a change operation to remove old keys, after existing tickets issued for the service have expired. If the \fB\-i\fP flag is given, then k5srvutil will prompt for confirmation for each principal. .TP -.B \fBdelete\fP +\fBdelete\fP Deletes particular keys in the keytab, interactively prompting for each key. .UNINDENT @@ -78,11 +78,11 @@ each key. In all cases, the default keytab is used unless this is overridden by the \fB\-f\fP option. .sp -k5srvutil uses the \fIkadmin(1)\fP program to edit the keytab in +k5srvutil uses the kadmin(1) program to edit the keytab in place. .SH SEE ALSO .sp -\fIkadmin(1)\fP, \fIktutil(1)\fP +kadmin(1), ktutil(1) .SH AUTHOR MIT .SH COPYRIGHT diff --git a/src/man/kadm5.acl.man b/src/man/kadm5.acl.man index 15a2c4f..f285013 100644 --- a/src/man/kadm5.acl.man +++ b/src/man/kadm5.acl.man @@ -32,14 +32,14 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] .. .SH DESCRIPTION .sp -The Kerberos \fIkadmind(8)\fP daemon uses an Access Control List +The Kerberos kadmind(8) daemon uses an Access Control List (ACL) file to manage access rights to the Kerberos database. For operations that affect principals, the ACL file also controls which principals can operate on which other principals. .sp The default location of the Kerberos ACL file is \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/kadm5.acl\fP unless this is overridden by the \fIacl_file\fP -variable in \fIkdc.conf(5)\fP\&. +variable in kdc.conf(5)\&. .SH SYNTAX .sp Empty lines and lines starting with the sharp sign (\fB#\fP) are @@ -127,7 +127,7 @@ _ T{ p T} T{ -[Dis]allows the propagation of the principal database (used in \fIincr_db_prop\fP) +[Dis]allows the propagation of the principal database (used in incr_db_prop) T} _ T{ @@ -185,7 +185,7 @@ in which \fB*number\fP matches the corresponding wildcard in .B {+|\-}\fIflagname\fP flag is forced to the indicated value. The permissible flags are the same as those for the \fBdefault_principal_flags\fP -variable in \fIkdc.conf(5)\fP\&. +variable in kdc.conf(5)\&. .TP .B \fI\-clearpolicy\fP policy is forced to be empty. @@ -194,7 +194,7 @@ policy is forced to be empty. policy is forced to be \fIpol\fP\&. .TP .B \-{\fIexpire, pwexpire, maxlife, maxrenewlife\fP} \fItime\fP -(\fIgetdate\fP string) associated value will be forced to +(getdate string) associated value will be forced to MIN(\fItime\fP, requested value). .UNINDENT .UNINDENT @@ -259,7 +259,7 @@ any principal that it creates or modifies will not be able to get postdateable tickets or tickets with a life of longer than 9 hours. .SH SEE ALSO .sp -\fIkdc.conf(5)\fP, \fIkadmind(8)\fP +kdc.conf(5), kadmind(8) .SH AUTHOR MIT .SH COPYRIGHT diff --git a/src/man/kadmin.man b/src/man/kadmin.man index 2fef2f0..41cac15 100644 --- a/src/man/kadmin.man +++ b/src/man/kadmin.man @@ -56,7 +56,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] kadmin and kadmin.local are command\-line interfaces to the Kerberos V5 administration system. They provide nearly identical functionalities; the difference is that kadmin.local directly accesses the KDC -database, while kadmin performs operations using \fIkadmind(8)\fP\&. +database, while kadmin performs operations using kadmind(8)\&. Except as explicitly noted otherwise, this man page will use "kadmin" to refer to both versions. kadmin provides for the maintenance of Kerberos principals, password policies, and service key tables @@ -80,30 +80,30 @@ kadmin.local can be run on any host which can access the LDAP server. .SH OPTIONS .INDENT 0.0 .TP -.B \fB\-r\fP \fIrealm\fP +\fB\-r\fP \fIrealm\fP Use \fIrealm\fP as the default database realm. .TP -.B \fB\-p\fP \fIprincipal\fP +\fB\-p\fP \fIprincipal\fP Use \fIprincipal\fP to authenticate. Otherwise, kadmin will append \fB/admin\fP to the primary principal name of the default ccache, the value of the \fBUSER\fP environment variable, or the username as obtained with getpwuid, in order of preference. .TP -.B \fB\-k\fP +\fB\-k\fP Use a keytab to decrypt the KDC response instead of prompting for a password. In this case, the default principal will be \fBhost/hostname\fP\&. If there is no keytab specified with the \fB\-t\fP option, then the default keytab will be used. .TP -.B \fB\-t\fP \fIkeytab\fP +\fB\-t\fP \fIkeytab\fP Use \fIkeytab\fP to decrypt the KDC response. This can only be used with the \fB\-k\fP option. .TP -.B \fB\-n\fP +\fB\-n\fP Requests anonymous processing. Two types of anonymous principals are supported. For fully anonymous Kerberos, configure PKINIT on the KDC and configure \fBpkinit_anchors\fP in the client\(aqs -\fIkrb5.conf(5)\fP\&. Then use the \fB\-n\fP option with a principal +krb5.conf(5)\&. Then use the \fB\-n\fP option with a principal of the form \fB@REALM\fP (an empty principal name followed by the at\-sign and a realm name). If permitted by the KDC, an anonymous ticket will be returned. A second form of anonymous tickets is @@ -114,46 +114,46 @@ principal (but not realm) will be replaced by the anonymous principal. As of release 1.8, the MIT Kerberos KDC only supports fully anonymous operation. .TP -.B \fB\-c\fP \fIcredentials_cache\fP +\fB\-c\fP \fIcredentials_cache\fP Use \fIcredentials_cache\fP as the credentials cache. The cache should contain a service ticket for the \fBkadmin/ADMINHOST\fP (where \fIADMINHOST\fP is the fully\-qualified hostname of the admin server) or \fBkadmin/admin\fP service; it can be acquired with the -\fIkinit(1)\fP program. If this option is not specified, kadmin +kinit(1) program. If this option is not specified, kadmin requests a new service ticket from the KDC, and stores it in its own temporary ccache. .TP -.B \fB\-w\fP \fIpassword\fP +\fB\-w\fP \fIpassword\fP Use \fIpassword\fP instead of prompting for one. Use this option with care, as it may expose the password to other users on the system via the process list. .TP -.B \fB\-q\fP \fIquery\fP +\fB\-q\fP \fIquery\fP Perform the specified query and then exit. .TP -.B \fB\-d\fP \fIdbname\fP +\fB\-d\fP \fIdbname\fP Specifies the name of the KDC database. This option does not apply to the LDAP database module. .TP -.B \fB\-s\fP \fIadmin_server\fP[:\fIport\fP] +\fB\-s\fP \fIadmin_server\fP[:\fIport\fP] Specifies the admin server which kadmin should contact. .TP -.B \fB\-m\fP +\fB\-m\fP If using kadmin.local, prompt for the database master password instead of reading it from a stash file. .TP -.B \fB\-e\fP "\fIenc\fP:\fIsalt\fP ..." +\fB\-e\fP "\fIenc\fP:\fIsalt\fP ..." Sets the keysalt list to be used for any new keys created. See -\fIKeysalt_lists\fP in \fIkdc.conf(5)\fP for a list of possible +Keysalt_lists in kdc.conf(5) for a list of possible values. .TP -.B \fB\-O\fP +\fB\-O\fP Force use of old AUTH_GSSAPI authentication flavor. .TP -.B \fB\-N\fP +\fB\-N\fP Prevent fallback to AUTH_GSSAPI authentication flavor. .TP -.B \fB\-x\fP \fIdb_args\fP +\fB\-x\fP \fIdb_args\fP Specifies the database specific arguments. See the next section for supported options. .UNINDENT @@ -188,10 +188,10 @@ Supported options for the DB2 module are: .INDENT 3.5 .INDENT 0.0 .TP -.B \fB\-x dbname=\fP*filename* +\fB\-x dbname=\fP*filename* Specifies the base filename of the DB2 database. .TP -.B \fB\-x lockiter\fP +\fB\-x lockiter\fP Make iteration operations hold the lock for the duration of the entire operation, rather than temporarily releasing the lock while handling each principal. This is the default @@ -199,7 +199,7 @@ behavior, but this option exists to allow command line override of a [dbmodules] setting. First introduced in release 1.13. .TP -.B \fB\-x unlockiter\fP +\fB\-x unlockiter\fP Make iteration operations unlock the database for each principal, instead of holding the lock for the duration of the entire operation. First introduced in release 1.13. @@ -212,39 +212,39 @@ Supported options for the LDAP module are: .INDENT 3.5 .INDENT 0.0 .TP -.B \fB\-x host=\fP\fIldapuri\fP +\fB\-x host=\fP\fIldapuri\fP Specifies the LDAP server to connect to by a LDAP URI. .TP -.B \fB\-x binddn=\fP\fIbind_dn\fP +\fB\-x binddn=\fP\fIbind_dn\fP Specifies the DN used to bind to the LDAP server. .TP -.B \fB\-x bindpwd=\fP\fIpassword\fP +\fB\-x bindpwd=\fP\fIpassword\fP Specifies the password or SASL secret used to bind to the LDAP server. Using this option may expose the password to other users on the system via the process list; to avoid this, instead stash the password using the \fBstashsrvpw\fP command of -\fIkdb5_ldap_util(8)\fP\&. +kdb5_ldap_util(8)\&. .TP -.B \fB\-x sasl_mech=\fP\fImechanism\fP +\fB\-x sasl_mech=\fP\fImechanism\fP Specifies the SASL mechanism used to bind to the LDAP server. The bind DN is ignored if a SASL mechanism is used. New in release 1.13. .TP -.B \fB\-x sasl_authcid=\fP\fIname\fP +\fB\-x sasl_authcid=\fP\fIname\fP Specifies the authentication name used when binding to the LDAP server with a SASL mechanism, if the mechanism requires one. New in release 1.13. .TP -.B \fB\-x sasl_authzid=\fP\fIname\fP +\fB\-x sasl_authzid=\fP\fIname\fP Specifies the authorization name used when binding to the LDAP server with a SASL mechanism. New in release 1.13. .TP -.B \fB\-x sasl_realm=\fP\fIrealm\fP +\fB\-x sasl_realm=\fP\fIrealm\fP Specifies the realm used when binding to the LDAP server with a SASL mechanism, if the mechanism uses one. New in release 1.13. .TP -.B \fB\-x debug=\fP\fIlevel\fP +\fB\-x debug=\fP\fIlevel\fP sets the OpenLDAP client library debug level. \fIlevel\fP is an integer to be interpreted by the library. Debugging messages are printed to standard error. New in release 1.12. @@ -254,7 +254,7 @@ are printed to standard error. New in release 1.12. .SH COMMANDS .sp When using the remote client, available commands may be restricted -according to the privileges specified in the \fIkadm5.acl(5)\fP file +according to the privileges specified in the kadm5.acl(5) file on the admin server. .SS add_principal .INDENT 0.0 @@ -277,54 +277,54 @@ Aliases: \fBaddprinc\fP, \fBank\fP Options: .INDENT 0.0 .TP -.B \fB\-expire\fP \fIexpdate\fP -(\fIgetdate\fP string) The expiration date of the principal. +\fB\-expire\fP \fIexpdate\fP +(getdate string) The expiration date of the principal. .TP -.B \fB\-pwexpire\fP \fIpwexpdate\fP -(\fIgetdate\fP string) The password expiration date. +\fB\-pwexpire\fP \fIpwexpdate\fP +(getdate string) The password expiration date. .TP -.B \fB\-maxlife\fP \fImaxlife\fP -(\fIduration\fP or \fIgetdate\fP string) The maximum ticket life +\fB\-maxlife\fP \fImaxlife\fP +(duration or getdate string) The maximum ticket life for the principal. .TP -.B \fB\-maxrenewlife\fP \fImaxrenewlife\fP -(\fIduration\fP or \fIgetdate\fP string) The maximum renewable +\fB\-maxrenewlife\fP \fImaxrenewlife\fP +(duration or getdate string) The maximum renewable life of tickets for the principal. .TP -.B \fB\-kvno\fP \fIkvno\fP +\fB\-kvno\fP \fIkvno\fP The initial key version number. .TP -.B \fB\-policy\fP \fIpolicy\fP +\fB\-policy\fP \fIpolicy\fP The password policy used by this principal. If not specified, the policy \fBdefault\fP is used if it exists (unless \fB\-clearpolicy\fP is specified). .TP -.B \fB\-clearpolicy\fP +\fB\-clearpolicy\fP Prevents any policy from being assigned when \fB\-policy\fP is not specified. .TP -.B {\-|+}\fBallow_postdated\fP +{\-|+}\fBallow_postdated\fP \fB\-allow_postdated\fP prohibits this principal from obtaining postdated tickets. \fB+allow_postdated\fP clears this flag. .TP -.B {\-|+}\fBallow_forwardable\fP +{\-|+}\fBallow_forwardable\fP \fB\-allow_forwardable\fP prohibits this principal from obtaining forwardable tickets. \fB+allow_forwardable\fP clears this flag. .TP -.B {\-|+}\fBallow_renewable\fP +{\-|+}\fBallow_renewable\fP \fB\-allow_renewable\fP prohibits this principal from obtaining renewable tickets. \fB+allow_renewable\fP clears this flag. .TP -.B {\-|+}\fBallow_proxiable\fP +{\-|+}\fBallow_proxiable\fP \fB\-allow_proxiable\fP prohibits this principal from obtaining proxiable tickets. \fB+allow_proxiable\fP clears this flag. .TP -.B {\-|+}\fBallow_dup_skey\fP +{\-|+}\fBallow_dup_skey\fP \fB\-allow_dup_skey\fP disables user\-to\-user authentication for this principal by prohibiting this principal from obtaining a session key for another user. \fB+allow_dup_skey\fP clears this flag. .TP -.B {\-|+}\fBrequires_preauth\fP +{\-|+}\fBrequires_preauth\fP \fB+requires_preauth\fP requires this principal to preauthenticate before being allowed to kinit. \fB\-requires_preauth\fP clears this flag. When \fB+requires_preauth\fP is set on a service principal, @@ -332,7 +332,7 @@ the KDC will only issue service tickets for that service principal if the client\(aqs initial authentication was performed using preauthentication. .TP -.B {\-|+}\fBrequires_hwauth\fP +{\-|+}\fBrequires_hwauth\fP \fB+requires_hwauth\fP requires this principal to preauthenticate using a hardware device before being allowed to kinit. \fB\-requires_hwauth\fP clears this flag. When \fB+requires_hwauth\fP is @@ -340,45 +340,45 @@ set on a service principal, the KDC will only issue service tickets for that service principal if the client\(aqs initial authentication was performed using a hardware device to preauthenticate. .TP -.B {\-|+}\fBok_as_delegate\fP +{\-|+}\fBok_as_delegate\fP \fB+ok_as_delegate\fP sets the \fBokay as delegate\fP flag on tickets issued with this principal as the service. Clients may use this flag as a hint that credentials should be delegated when authenticating to the service. \fB\-ok_as_delegate\fP clears this flag. .TP -.B {\-|+}\fBallow_svr\fP +{\-|+}\fBallow_svr\fP \fB\-allow_svr\fP prohibits the issuance of service tickets for this principal. \fB+allow_svr\fP clears this flag. .TP -.B {\-|+}\fBallow_tgs_req\fP +{\-|+}\fBallow_tgs_req\fP \fB\-allow_tgs_req\fP specifies that a Ticket\-Granting Service (TGS) request for a service ticket for this principal is not permitted. \fB+allow_tgs_req\fP clears this flag. .TP -.B {\-|+}\fBallow_tix\fP +{\-|+}\fBallow_tix\fP \fB\-allow_tix\fP forbids the issuance of any tickets for this principal. \fB+allow_tix\fP clears this flag. .TP -.B {\-|+}\fBneedchange\fP +{\-|+}\fBneedchange\fP \fB+needchange\fP forces a password change on the next initial authentication to this principal. \fB\-needchange\fP clears this flag. .TP -.B {\-|+}\fBpassword_changing_service\fP +{\-|+}\fBpassword_changing_service\fP \fB+password_changing_service\fP marks this principal as a password change service principal. .TP -.B {\-|+}\fBok_to_auth_as_delegate\fP +{\-|+}\fBok_to_auth_as_delegate\fP \fB+ok_to_auth_as_delegate\fP allows this principal to acquire forwardable tickets to itself from arbitrary users, for use with constrained delegation. .TP -.B {\-|+}\fBno_auth_data_required\fP +{\-|+}\fBno_auth_data_required\fP \fB+no_auth_data_required\fP prevents PAC or AD\-SIGNEDPATH data from being added to service tickets for the principal. .TP -.B {\-|+}\fBlockdown_keys\fP +{\-|+}\fBlockdown_keys\fP \fB+lockdown_keys\fP prevents keys for this principal from leaving the KDC via kadmind. The chpass and extract operations are denied for a principal with this attribute. The chrand operation is @@ -389,42 +389,42 @@ krbtgt/* or kadmin/* with new principals without the attribute. This attribute can be set via the network protocol, but can only be removed using kadmin.local. .TP -.B \fB\-randkey\fP +\fB\-randkey\fP Sets the key of the principal to a random value. .TP -.B \fB\-nokey\fP +\fB\-nokey\fP Causes the principal to be created with no key. New in release 1.12. .TP -.B \fB\-pw\fP \fIpassword\fP +\fB\-pw\fP \fIpassword\fP Sets the password of the principal to the specified string and does not prompt for a password. Note: using this option in a shell script may expose the password to other users on the system via the process list. .TP -.B \fB\-e\fP \fIenc\fP:\fIsalt\fP,... +\fB\-e\fP \fIenc\fP:\fIsalt\fP,... Uses the specified keysalt list for setting the keys of the -principal. See \fIKeysalt_lists\fP in \fIkdc.conf(5)\fP for a +principal. See Keysalt_lists in kdc.conf(5) for a list of possible values. .TP -.B \fB\-x\fP \fIdb_princ_args\fP +\fB\-x\fP \fIdb_princ_args\fP Indicates database\-specific options. The options for the LDAP database module are: .INDENT 7.0 .TP -.B \fB\-x dn=\fP\fIdn\fP +\fB\-x dn=\fP\fIdn\fP Specifies the LDAP object that will contain the Kerberos principal being created. .TP -.B \fB\-x linkdn=\fP\fIdn\fP +\fB\-x linkdn=\fP\fIdn\fP Specifies the LDAP object to which the newly created Kerberos principal object will point. .TP -.B \fB\-x containerdn=\fP\fIcontainer_dn\fP +\fB\-x containerdn=\fP\fIcontainer_dn\fP Specifies the container object under which the Kerberos principal is to be created. .TP -.B \fB\-x tktpolicy=\fP\fIpolicy\fP +\fB\-x tktpolicy=\fP\fIpolicy\fP Associates a ticket policy to the Kerberos principal. .UNINDENT .sp @@ -484,7 +484,7 @@ Alias: \fBmodprinc\fP Options (in addition to the \fBaddprinc\fP options): .INDENT 0.0 .TP -.B \fB\-unlock\fP +\fB\-unlock\fP Unlocks a locked principal (one which has received too many failed authentication attempts without enough time between them according to its password policy) so that it can successfully authenticate. @@ -535,20 +535,20 @@ Alias: \fBcpw\fP The following options are available: .INDENT 0.0 .TP -.B \fB\-randkey\fP +\fB\-randkey\fP Sets the key of the principal to a random value. .TP -.B \fB\-pw\fP \fIpassword\fP +\fB\-pw\fP \fIpassword\fP Set the password to the specified string. Using this option in a script may expose the password to other users on the system via the process list. .TP -.B \fB\-e\fP \fIenc\fP:\fIsalt\fP,... +\fB\-e\fP \fIenc\fP:\fIsalt\fP,... Uses the specified keysalt list for setting the keys of the -principal. See \fIKeysalt_lists\fP in \fIkdc.conf(5)\fP for a +principal. See Keysalt_lists in kdc.conf(5) for a list of possible values. .TP -.B \fB\-keepold\fP +\fB\-keepold\fP Keeps the existing keys in the database. This flag is usually not necessary except perhaps for \fBkrbtgt\fP principals. .UNINDENT @@ -689,19 +689,19 @@ modules. The following string attribute names are recognized by the KDC: .INDENT 0.0 .TP -.B \fBrequire_auth\fP +\fBrequire_auth\fP Specifies an authentication indicator which is required to authenticate to the principal as a service. Multiple indicators can be specified, separated by spaces; in this case any of the specified indicators will be accepted. (New in release 1.14.) .TP -.B \fBsession_enctypes\fP +\fBsession_enctypes\fP Specifies the encryption types supported for session keys when the principal is authenticated to as a server. See -\fIEncryption_types\fP in \fIkdc.conf(5)\fP for a list of the +Encryption_types in kdc.conf(5) for a list of the accepted values. .TP -.B \fBotp\fP +\fBotp\fP Enables One Time Passwords (OTP) preauthentication for a client \fIprincipal\fP\&. The \fIvalue\fP is a JSON string representing an array of objects, each having optional \fBtype\fP and \fBusername\fP fields. @@ -751,29 +751,29 @@ Alias: \fBaddpol\fP The following options are available: .INDENT 0.0 .TP -.B \fB\-maxlife\fP \fItime\fP -(\fIduration\fP or \fIgetdate\fP string) Sets the maximum +\fB\-maxlife\fP \fItime\fP +(duration or getdate string) Sets the maximum lifetime of a password. .TP -.B \fB\-minlife\fP \fItime\fP -(\fIduration\fP or \fIgetdate\fP string) Sets the minimum +\fB\-minlife\fP \fItime\fP +(duration or getdate string) Sets the minimum lifetime of a password. .TP -.B \fB\-minlength\fP \fIlength\fP +\fB\-minlength\fP \fIlength\fP Sets the minimum length of a password. .TP -.B \fB\-minclasses\fP \fInumber\fP +\fB\-minclasses\fP \fInumber\fP Sets the minimum number of character classes required in a password. The five character classes are lower case, upper case, numbers, punctuation, and whitespace/unprintable characters. .TP -.B \fB\-history\fP \fInumber\fP +\fB\-history\fP \fInumber\fP Sets the number of past keys kept for a principal. This option is not supported with the LDAP KDC database module. .UNINDENT .INDENT 0.0 .TP -.B \fB\-maxfailure\fP \fImaxnumber\fP +\fB\-maxfailure\fP \fImaxnumber\fP Sets the number of authentication failures before the principal is locked. Authentication failures are only tracked for principals which require preauthentication. The counter of failed attempts @@ -782,8 +782,8 @@ resets to 0 after a successful attempt to authenticate. A .UNINDENT .INDENT 0.0 .TP -.B \fB\-failurecountinterval\fP \fIfailuretime\fP -(\fIduration\fP or \fIgetdate\fP string) Sets the allowable time +\fB\-failurecountinterval\fP \fIfailuretime\fP +(duration or getdate string) Sets the allowable time between authentication failures. If an authentication failure happens after \fIfailuretime\fP has elapsed since the previous failure, the number of authentication failures is reset to 1. A @@ -791,18 +791,18 @@ failure, the number of authentication failures is reset to 1. A .UNINDENT .INDENT 0.0 .TP -.B \fB\-lockoutduration\fP \fIlockouttime\fP -(\fIduration\fP or \fIgetdate\fP string) Sets the duration for +\fB\-lockoutduration\fP \fIlockouttime\fP +(duration or getdate string) Sets the duration for which the principal is locked from authenticating if too many authentication failures occur without the specified failure count interval elapsing. A duration of 0 (the default) means the principal remains locked out until it is administratively unlocked with \fBmodprinc \-unlock\fP\&. .TP -.B \fB\-allowedkeysalts\fP +\fB\-allowedkeysalts\fP Specifies the key/salt tuples supported for long\-term keys when setting or changing a principal\(aqs password/keys. See -\fIKeysalt_lists\fP in \fIkdc.conf(5)\fP for a list of the +Keysalt_lists in kdc.conf(5) for a list of the accepted values, but note that key/salt tuples must be separated with commas (\(aq,\(aq) only. To clear the allowed key/salt policy use a value of \(aq\-\(aq. @@ -962,19 +962,19 @@ With the \fB\-glob\fP form, it also requires the \fBlist\fP privilege. The options are: .INDENT 0.0 .TP -.B \fB\-k[eytab]\fP \fIkeytab\fP +\fB\-k[eytab]\fP \fIkeytab\fP Use \fIkeytab\fP as the keytab file. Otherwise, the default keytab is used. .TP -.B \fB\-e\fP \fIenc\fP:\fIsalt\fP,... +\fB\-e\fP \fIenc\fP:\fIsalt\fP,... Uses the specified keysalt list for setting the new keys of the -principal. See \fIKeysalt_lists\fP in \fIkdc.conf(5)\fP for a +principal. See Keysalt_lists in kdc.conf(5) for a list of possible values. .TP -.B \fB\-q\fP +\fB\-q\fP Display less verbose information. .TP -.B \fB\-norandkey\fP +\fB\-norandkey\fP Do not randomize the keys. The keys and their version numbers stay unchanged. This option cannot be specified in combination with the \fB\-e\fP option. @@ -1018,11 +1018,11 @@ kvno match that integer are removed. The options are: .INDENT 0.0 .TP -.B \fB\-k[eytab]\fP \fIkeytab\fP +\fB\-k[eytab]\fP \fIkeytab\fP Use \fIkeytab\fP as the keytab file. Otherwise, the default keytab is used. .TP -.B \fB\-q\fP +\fB\-q\fP Display less verbose information. .UNINDENT .sp @@ -1063,7 +1063,7 @@ The kadmin program was originally written by Tom Yu at MIT, as an interface to the OpenVision Kerberos administration program. .SH SEE ALSO .sp -\fIkpasswd(1)\fP, \fIkadmind(8)\fP +kpasswd(1), kadmind(8) .SH AUTHOR MIT .SH COPYRIGHT diff --git a/src/man/kadmind.man b/src/man/kadmind.man index 3364e4a..85af672 100644 --- a/src/man/kadmind.man +++ b/src/man/kadmind.man @@ -50,24 +50,24 @@ kadmind starts the Kerberos administration server. kadmind typically runs on the master Kerberos server, which stores the KDC database. If the KDC database uses the LDAP module, the administration server and the KDC server need not run on the same machine. kadmind accepts -remote requests from programs such as \fIkadmin(1)\fP and -\fIkpasswd(1)\fP to administer the information in these database. +remote requests from programs such as kadmin(1) and +kpasswd(1) to administer the information in these database. .sp kadmind requires a number of configuration files to be set up in order for it to work: .INDENT 0.0 .TP -.B \fIkdc.conf(5)\fP +.B kdc.conf(5) The KDC configuration file contains configuration information for the KDC and admin servers. kadmind uses settings in this file to locate the Kerberos database, and is also affected by the \fBacl_file\fP, \fBdict_file\fP, \fBkadmind_port\fP, and iprop\-related settings. .TP -.B \fIkadm5.acl(5)\fP +.B kadm5.acl(5) kadmind\(aqs ACL (access control list) tells it which principals are allowed to perform administration actions. The pathname to the -ACL file can be specified with the \fBacl_file\fP \fIkdc.conf(5)\fP +ACL file can be specified with the \fBacl_file\fP kdc.conf(5) variable; by default, it is \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/kadm5.acl\fP\&. .UNINDENT .sp @@ -77,7 +77,7 @@ disassociates itself from its controlling terminal. kadmind can be configured for incremental database propagation. Incremental propagation allows slave KDC servers to receive principal and policy updates incrementally instead of receiving full dumps of -the database. This facility can be enabled in the \fIkdc.conf(5)\fP +the database. This facility can be enabled in the kdc.conf(5) file with the \fBiprop_enable\fP option. Incremental propagation requires the principal \fBkiprop/MASTER\e@REALM\fP (where MASTER is the master KDC\(aqs canonical host name, and REALM the realm name). In @@ -86,62 +86,62 @@ into the datebase. .SH OPTIONS .INDENT 0.0 .TP -.B \fB\-r\fP \fIrealm\fP +\fB\-r\fP \fIrealm\fP specifies the realm that kadmind will serve; if it is not specified, the default realm of the host is used. .TP -.B \fB\-m\fP +\fB\-m\fP causes the master database password to be fetched from the keyboard (before the server puts itself in the background, if not invoked with the \fB\-nofork\fP option) rather than from a file on disk. .TP -.B \fB\-nofork\fP +\fB\-nofork\fP causes the server to remain in the foreground and remain associated to the terminal. In normal operation, you should allow the server to place itself in the background. .TP -.B \fB\-proponly\fP +\fB\-proponly\fP causes the server to only listen and respond to Kerberos slave incremental propagation polling requests. This option can be used to set up a hierarchical propagation topology where a slave KDC provides incremental updates to other Kerberos slaves. .TP -.B \fB\-port\fP \fIport\-number\fP +\fB\-port\fP \fIport\-number\fP specifies the port on which the administration server listens for connections. The default port is determined by the -\fBkadmind_port\fP configuration variable in \fIkdc.conf(5)\fP\&. +\fBkadmind_port\fP configuration variable in kdc.conf(5)\&. .TP -.B \fB\-P\fP \fIpid_file\fP +\fB\-P\fP \fIpid_file\fP specifies the file to which the PID of kadmind process should be written after it starts up. This file can be used to identify whether kadmind is still running and to allow init scripts to stop the correct process. .TP -.B \fB\-p\fP \fIkdb5_util_path\fP +\fB\-p\fP \fIkdb5_util_path\fP specifies the path to the kdb5_util command to use when dumping the KDB in response to full resync requests when iprop is enabled. .TP -.B \fB\-K\fP \fIkprop_path\fP +\fB\-K\fP \fIkprop_path\fP specifies the path to the kprop command to use to send full dumps to slaves in response to full resync requests. .TP -.B \fB\-k\fP \fIkprop_port\fP +\fB\-k\fP \fIkprop_port\fP specifies the port by which the kprop process that is spawned by kadmind connects to the slave kpropd, in order to transfer the dump file during an iprop full resync request. .TP -.B \fB\-F\fP \fIdump_file\fP +\fB\-F\fP \fIdump_file\fP specifies the file path to be used for dumping the KDB in response to full resync requests when iprop is enabled. .TP -.B \fB\-x\fP \fIdb_args\fP -specifies database\-specific arguments. See \fIDatabase Options\fP in \fIkadmin(1)\fP for supported arguments. +\fB\-x\fP \fIdb_args\fP +specifies database\-specific arguments. See Database Options in kadmin(1) for supported arguments. .UNINDENT .SH SEE ALSO .sp -\fIkpasswd(1)\fP, \fIkadmin(1)\fP, \fIkdb5_util(8)\fP, -\fIkdb5_ldap_util(8)\fP, \fIkadm5.acl(5)\fP +kpasswd(1), kadmin(1), kdb5_util(8), +kdb5_ldap_util(8), kadm5.acl(5) .SH AUTHOR MIT .SH COPYRIGHT diff --git a/src/man/kdb5_ldap_util.man b/src/man/kdb5_ldap_util.man index c3733aa..65dd799 100644 --- a/src/man/kdb5_ldap_util.man +++ b/src/man/kdb5_ldap_util.man @@ -44,15 +44,15 @@ services and ticket policies. .SH COMMAND-LINE OPTIONS .INDENT 0.0 .TP -.B \fB\-D\fP \fIuser_dn\fP +\fB\-D\fP \fIuser_dn\fP Specifies the Distinguished Name (DN) of the user who has sufficient rights to perform the operation on the LDAP server. .TP -.B \fB\-w\fP \fIpasswd\fP +\fB\-w\fP \fIpasswd\fP Specifies the password of \fIuser_dn\fP\&. This option is not recommended. .TP -.B \fB\-H\fP \fIldapuri\fP +\fB\-H\fP \fIldapuri\fP Specifies the URI of the LDAP server. It is recommended to use \fBldapi://\fP or \fBldaps://\fP to connect to the LDAP server. .UNINDENT @@ -78,60 +78,60 @@ Specifies the URI of the LDAP server. It is recommended to use Creates realm in directory. Options: .INDENT 0.0 .TP -.B \fB\-subtrees\fP \fIsubtree_dn_list\fP +\fB\-subtrees\fP \fIsubtree_dn_list\fP Specifies the list of subtrees containing the principals of a realm. The list contains the DNs of the subtree objects separated by colon (\fB:\fP). .TP -.B \fB\-sscope\fP \fIsearch_scope\fP +\fB\-sscope\fP \fIsearch_scope\fP Specifies the scope for searching the principals under the subtree. The possible values are 1 or one (one level), 2 or sub (subtrees). .TP -.B \fB\-containerref\fP \fIcontainer_reference_dn\fP +\fB\-containerref\fP \fIcontainer_reference_dn\fP Specifies the DN of the container object in which the principals of a realm will be created. If the container reference is not configured for a realm, the principals will be created in the realm container. .TP -.B \fB\-k\fP \fImkeytype\fP +\fB\-k\fP \fImkeytype\fP Specifies the key type of the master key in the database. The default is given by the \fBmaster_key_type\fP variable in -\fIkdc.conf(5)\fP\&. +kdc.conf(5)\&. .TP -.B \fB\-kv\fP \fImkeyVNO\fP +\fB\-kv\fP \fImkeyVNO\fP Specifies the version number of the master key in the database; the default is 1. Note that 0 is not allowed. .TP -.B \fB\-m\fP +\fB\-m\fP Specifies that the master database password should be read from the TTY rather than fetched from a file on the disk. .TP -.B \fB\-P\fP \fIpassword\fP +\fB\-P\fP \fIpassword\fP Specifies the master database password. This option is not recommended. .TP -.B \fB\-r\fP \fIrealm\fP +\fB\-r\fP \fIrealm\fP Specifies the Kerberos realm of the database. .TP -.B \fB\-sf\fP \fIstashfilename\fP +\fB\-sf\fP \fIstashfilename\fP Specifies the stash file of the master database password. .TP -.B \fB\-s\fP +\fB\-s\fP Specifies that the stash file is to be created. .TP -.B \fB\-maxtktlife\fP \fImax_ticket_life\fP -(\fIgetdate\fP string) Specifies maximum ticket life for +\fB\-maxtktlife\fP \fImax_ticket_life\fP +(getdate string) Specifies maximum ticket life for principals in this realm. .TP -.B \fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP -(\fIgetdate\fP string) Specifies maximum renewable life of +\fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP +(getdate string) Specifies maximum renewable life of tickets for principals in this realm. .TP .B \fIticket_flags\fP Specifies global ticket flags for the realm. Allowable flags are documented in the description of the \fBadd_principal\fP command in -\fIkadmin(1)\fP\&. +kadmin(1)\&. .UNINDENT .sp Example: @@ -169,35 +169,35 @@ Re\-enter KDC database master key to verify: Modifies the attributes of a realm. Options: .INDENT 0.0 .TP -.B \fB\-subtrees\fP \fIsubtree_dn_list\fP +\fB\-subtrees\fP \fIsubtree_dn_list\fP Specifies the list of subtrees containing the principals of a realm. The list contains the DNs of the subtree objects separated by colon (\fB:\fP). This list replaces the existing list. .TP -.B \fB\-sscope\fP \fIsearch_scope\fP +\fB\-sscope\fP \fIsearch_scope\fP Specifies the scope for searching the principals under the subtrees. The possible values are 1 or one (one level), 2 or sub (subtrees). .TP -.B \fB\-containerref\fP \fIcontainer_reference_dn\fP Specifies the DN of the +\fB\-containerref\fP \fIcontainer_reference_dn\fP Specifies the DN of the container object in which the principals of a realm will be created. .TP -.B \fB\-r\fP \fIrealm\fP +\fB\-r\fP \fIrealm\fP Specifies the Kerberos realm of the database. .TP -.B \fB\-maxtktlife\fP \fImax_ticket_life\fP -(\fIgetdate\fP string) Specifies maximum ticket life for +\fB\-maxtktlife\fP \fImax_ticket_life\fP +(getdate string) Specifies maximum ticket life for principals in this realm. .TP -.B \fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP -(\fIgetdate\fP string) Specifies maximum renewable life of +\fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP +(getdate string) Specifies maximum renewable life of tickets for principals in this realm. .TP .B \fIticket_flags\fP Specifies global ticket flags for the realm. Allowable flags are documented in the description of the \fBadd_principal\fP command in -\fIkadmin(1)\fP\&. +kadmin(1)\&. .UNINDENT .sp Example: @@ -225,7 +225,7 @@ shell% Displays the attributes of a realm. Options: .INDENT 0.0 .TP -.B \fB\-r\fP \fIrealm\fP +\fB\-r\fP \fIrealm\fP Specifies the Kerberos realm of the database. .UNINDENT .sp @@ -259,10 +259,10 @@ Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE Destroys an existing realm. Options: .INDENT 0.0 .TP -.B \fB\-f\fP +\fB\-f\fP If specified, will not prompt the user for confirmation. .TP -.B \fB\-r\fP \fIrealm\fP +\fB\-r\fP \fIrealm\fP Specifies the Kerberos realm of the database. .UNINDENT .sp @@ -323,16 +323,16 @@ file so that KDC and Administration server can use it to authenticate to the LDAP server. Options: .INDENT 0.0 .TP -.B \fB\-f\fP \fIfilename\fP +\fB\-f\fP \fIfilename\fP Specifies the complete path of the service password file. By default, \fB/usr/local/var/service_passwd\fP is used. .TP .B \fIname\fP Specifies the name of the object whose password is to be stored. -If \fIkrb5kdc(8)\fP or \fIkadmind(8)\fP are configured for +If krb5kdc(8) or kadmind(8) are configured for simple binding, this should be the distinguished name it will use as given by the \fBldap_kdc_dn\fP or \fBldap_kadmind_dn\fP -variable in \fIkdc.conf(5)\fP\&. If the KDC or kadmind is +variable in kdc.conf(5)\&. If the KDC or kadmind is configured for SASL binding, this should be the authentication name it will use as given by the \fBldap_kdc_sasl_authcid\fP or \fBldap_kadmind_sasl_authcid\fP variable. @@ -367,22 +367,22 @@ Re\-enter password for "cn=service\-kdc,o=org": Creates a ticket policy in the directory. Options: .INDENT 0.0 .TP -.B \fB\-r\fP \fIrealm\fP +\fB\-r\fP \fIrealm\fP Specifies the Kerberos realm of the database. .TP -.B \fB\-maxtktlife\fP \fImax_ticket_life\fP -(\fIgetdate\fP string) Specifies maximum ticket life for +\fB\-maxtktlife\fP \fImax_ticket_life\fP +(getdate string) Specifies maximum ticket life for principals. .TP -.B \fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP -(\fIgetdate\fP string) Specifies maximum renewable life of +\fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP +(getdate string) Specifies maximum renewable life of tickets for principals. .TP .B \fIticket_flags\fP Specifies the ticket flags. If this option is not specified, by default, no restriction will be set by the policy. Allowable flags are documented in the description of the \fBadd_principal\fP -command in \fIkadmin(1)\fP\&. +command in kadmin(1)\&. .TP .B \fIpolicy_name\fP Specifies the name of the ticket policy. @@ -479,10 +479,10 @@ Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE Destroys an existing ticket policy. Options: .INDENT 0.0 .TP -.B \fB\-r\fP \fIrealm\fP +\fB\-r\fP \fIrealm\fP Specifies the Kerberos realm of the database. .TP -.B \fB\-force\fP +\fB\-force\fP Forces the deletion of the policy object. If not specified, the user will be prompted for confirmation before deleting the policy. .TP @@ -518,7 +518,7 @@ Lists the ticket policies in realm if specified or in the default realm. Options: .INDENT 0.0 .TP -.B \fB\-r\fP \fIrealm\fP +\fB\-r\fP \fIrealm\fP Specifies the Kerberos realm of the database. .UNINDENT .sp @@ -540,7 +540,7 @@ userpolicy .UNINDENT .SH SEE ALSO .sp -\fIkadmin(1)\fP +kadmin(1) .SH AUTHOR MIT .SH COPYRIGHT diff --git a/src/man/kdb5_util.man b/src/man/kdb5_util.man index f4ee62f..7d14e856 100644 --- a/src/man/kdb5_util.man +++ b/src/man/kdb5_util.man @@ -58,39 +58,39 @@ commands. .SH COMMAND-LINE OPTIONS .INDENT 0.0 .TP -.B \fB\-r\fP \fIrealm\fP +\fB\-r\fP \fIrealm\fP specifies the Kerberos realm of the database. .TP -.B \fB\-d\fP \fIdbname\fP +\fB\-d\fP \fIdbname\fP specifies the name under which the principal database is stored; -by default the database is that listed in \fIkdc.conf(5)\fP\&. The +by default the database is that listed in kdc.conf(5)\&. The password policy database and lock files are also derived from this value. .TP -.B \fB\-k\fP \fImkeytype\fP +\fB\-k\fP \fImkeytype\fP specifies the key type of the master key in the database. The default is given by the \fBmaster_key_type\fP variable in -\fIkdc.conf(5)\fP\&. +kdc.conf(5)\&. .TP -.B \fB\-kv\fP \fImkeyVNO\fP +\fB\-kv\fP \fImkeyVNO\fP Specifies the version number of the master key in the database; the default is 1. Note that 0 is not allowed. .TP -.B \fB\-M\fP \fImkeyname\fP +\fB\-M\fP \fImkeyname\fP principal name for the master key in the database. If not specified, the name is determined by the \fBmaster_key_name\fP -variable in \fIkdc.conf(5)\fP\&. +variable in kdc.conf(5)\&. .TP -.B \fB\-m\fP +\fB\-m\fP specifies that the master database password should be read from the keyboard rather than fetched from a file on disk. .TP -.B \fB\-sf\fP \fIstash_file\fP +\fB\-sf\fP \fIstash_file\fP specifies the stash filename of the master database password. If not specified, the filename is determined by the -\fBkey_stash_file\fP variable in \fIkdc.conf(5)\fP\&. +\fBkey_stash_file\fP variable in kdc.conf(5)\&. .TP -.B \fB\-P\fP \fIpassword\fP +\fB\-P\fP \fIpassword\fP specifies the master database password. Using this option may expose the password to other users on the system via the process list. @@ -126,7 +126,7 @@ the \fB\-f\fP argument, does not prompt the user. .sp Stores the master principal\(aqs keys in a stash file. The \fB\-f\fP argument can be used to override the \fIkeyfile\fP specified in -\fIkdc.conf(5)\fP\&. +kdc.conf(5)\&. .SS dump .INDENT 0.0 .INDENT 3.5 @@ -142,43 +142,43 @@ load_dump version 7". If filename is not specified, or is the string "\-", the dump is sent to standard output. Options: .INDENT 0.0 .TP -.B \fB\-b7\fP +\fB\-b7\fP causes the dump to be in the Kerberos 5 Beta 7 format ("kdb5_util load_dump version 4"). This was the dump format produced on releases prior to 1.2.2. .TP -.B \fB\-ov\fP +\fB\-ov\fP causes the dump to be in "ovsec_adm_export" format. .TP -.B \fB\-r13\fP +\fB\-r13\fP causes the dump to be in the Kerberos 5 1.3 format ("kdb5_util load_dump version 5"). This was the dump format produced on releases prior to 1.8. .TP -.B \fB\-r18\fP +\fB\-r18\fP causes the dump to be in the Kerberos 5 1.8 format ("kdb5_util load_dump version 6"). This was the dump format produced on releases prior to 1.11. .TP -.B \fB\-verbose\fP +\fB\-verbose\fP causes the name of each principal and policy to be printed as it is dumped. .TP -.B \fB\-mkey_convert\fP +\fB\-mkey_convert\fP prompts for a new master key. This new master key will be used to re\-encrypt principal key data in the dumpfile. The principal keys themselves will not be changed. .TP -.B \fB\-new_mkey_file\fP \fImkey_file\fP +\fB\-new_mkey_file\fP \fImkey_file\fP the filename of a stash file. The master key in this stash file will be used to re\-encrypt the key data in the dumpfile. The key data in the database will not be changed. .TP -.B \fB\-rev\fP +\fB\-rev\fP dumps in reverse order. This may recover principals that do not dump normally, in cases where database corruption has occurred. .TP -.B \fB\-recurse\fP +\fB\-recurse\fP causes the dump to walk the database recursively (btree only). This may recover principals that do not dump normally, in cases where database corruption has occurred. In cases of such @@ -212,36 +212,36 @@ database module, the \fB\-update\fP flag is required. Options: .INDENT 0.0 .TP -.B \fB\-b7\fP +\fB\-b7\fP requires the database to be in the Kerberos 5 Beta 7 format ("kdb5_util load_dump version 4"). This was the dump format produced on releases prior to 1.2.2. .TP -.B \fB\-ov\fP +\fB\-ov\fP requires the database to be in "ovsec_adm_import" format. Must be used with the \fB\-update\fP option. .TP -.B \fB\-r13\fP +\fB\-r13\fP requires the database to be in Kerberos 5 1.3 format ("kdb5_util load_dump version 5"). This was the dump format produced on releases prior to 1.8. .TP -.B \fB\-r18\fP +\fB\-r18\fP requires the database to be in Kerberos 5 1.8 format ("kdb5_util load_dump version 6"). This was the dump format produced on releases prior to 1.11. .TP -.B \fB\-hash\fP +\fB\-hash\fP requires the database to be stored as a hash. If this option is not specified, the database will be stored as a btree. This option is not recommended, as databases stored in hash format are known to corrupt data and lose principals. .TP -.B \fB\-verbose\fP +\fB\-verbose\fP causes the name of each principal and policy to be printed as it is dumped. .TP -.B \fB\-update\fP +\fB\-update\fP records from the dump file are added to or updated in the existing database. Otherwise, a new database is created containing only what is in the dump file and the old one destroyed upon successful @@ -271,12 +271,12 @@ salt types to be used for the new keys. Adds a new master key to the master key principal, but does not mark it as active. Existing master keys will remain. The \fB\-e\fP option specifies the encryption type of the new master key; see -\fIEncryption_types\fP in \fIkdc.conf(5)\fP for a list of possible +Encryption_types in kdc.conf(5) for a list of possible values. The \fB\-s\fP option stashes the new master key in the stash file, which will be created if it doesn\(aqt already exist. .sp After a new master key is added, it should be propagated to slave -servers via a manual or periodic invocation of \fIkprop(8)\fP\&. Then, +servers via a manual or periodic invocation of kprop(8)\&. Then, the stash files on the slave servers should be updated with the kdb5_util \fBstash\fP command. Once those steps are complete, the key is ready to be marked active with the kdb5_util \fBuse_mkey\fP command. @@ -291,7 +291,7 @@ Sets the activation time of the master key specified by \fImkeyVNO\fP\&. Once a master key becomes active, it will be used to encrypt newly created principal keys. If no \fItime\fP argument is given, the current time is used, causing the specified master key version to become -active immediately. The format for \fItime\fP is \fIgetdate\fP string. +active immediately. The format for \fItime\fP is getdate string. .sp After a new master key becomes active, the kdb5_util \fBupdate_princ_encryption\fP command can be used to update all @@ -305,7 +305,7 @@ principal keys to be encrypted in the new master key. .sp List all master keys, from most recent to earliest, in the master key principal. The output will show the kvno, enctype, and salt type for -each mkey, similar to the output of \fIkadmin(1)\fP \fBgetprinc\fP\&. A +each mkey, similar to the output of kadmin(1) \fBgetprinc\fP\&. A \fB*\fP following an mkey denotes the currently active master key. .SS purge_mkeys .INDENT 0.0 @@ -319,14 +319,14 @@ protect any principals. This command can be used to remove old master keys all principal keys are protected by a newer master key. .INDENT 0.0 .TP -.B \fB\-f\fP +\fB\-f\fP does not prompt for confirmation. .TP -.B \fB\-n\fP +\fB\-n\fP performs a dry run, showing master keys that would be purged, but not actually purging any keys. .TP -.B \fB\-v\fP +\fB\-v\fP gives more verbose output. .UNINDENT .SS update_princ_encryption @@ -367,23 +367,23 @@ below). Options: .INDENT 0.0 .TP -.B \fB\-H\fP +\fB\-H\fP suppress writing the field names in a header line .TP -.B \fB\-c\fP +\fB\-c\fP use comma separated values (CSV) format, with minimal quoting, instead of the default tab\-separated (unquoted, unescaped) format .TP -.B \fB\-e\fP +\fB\-e\fP write empty hexadecimal string fields as empty fields instead of as "\-1". .TP -.B \fB\-n\fP +\fB\-n\fP produce numeric output for fields that normally have symbolic output, such as enctypes and flag names. Also requests output of time stamps as decimal POSIX time_t values. .TP -.B \fB\-o\fP \fIoutfile\fP +\fB\-o\fP \fIoutfile\fP write the dump to the specified output file instead of to standard output .UNINDENT @@ -391,38 +391,38 @@ output Dump types: .INDENT 0.0 .TP -.B \fBkeydata\fP +\fBkeydata\fP principal encryption key information, including actual key data (which is still encrypted in the master key) .INDENT 7.0 .TP -.B \fBname\fP +\fBname\fP principal name .TP -.B \fBkeyindex\fP +\fBkeyindex\fP index of this key in the principal\(aqs key list .TP -.B \fBkvno\fP +\fBkvno\fP key version number .TP -.B \fBenctype\fP +\fBenctype\fP encryption type .TP -.B \fBkey\fP +\fBkey\fP key data as a hexadecimal string .TP -.B \fBsalttype\fP +\fBsalttype\fP salt type .TP -.B \fBsalt\fP +\fBsalt\fP salt data as a hexadecimal string .UNINDENT .TP -.B \fBkeyinfo\fP +\fBkeyinfo\fP principal encryption key information (as in \fBkeydata\fP above), excluding actual key data .TP -.B \fBprinc_flags\fP +\fBprinc_flags\fP principal boolean attributes. Flag names print as hexadecimal numbers if the \fB\-n\fP option is specified, and all flag positions are printed regardless of whether or not they are set. If \fB\-n\fP @@ -431,93 +431,93 @@ but only print hexadecimal flag names if the corresponding flag is set. .INDENT 7.0 .TP -.B \fBname\fP +\fBname\fP principal name .TP -.B \fBflag\fP +\fBflag\fP flag name .TP -.B \fBvalue\fP +\fBvalue\fP boolean value (0 for clear, or 1 for set) .UNINDENT .TP -.B \fBprinc_lockout\fP +\fBprinc_lockout\fP state information used for tracking repeated password failures .INDENT 7.0 .TP -.B \fBname\fP +\fBname\fP principal name .TP -.B \fBlast_success\fP +\fBlast_success\fP time stamp of most recent successful authentication .TP -.B \fBlast_failed\fP +\fBlast_failed\fP time stamp of most recent failed authentication .TP -.B \fBfail_count\fP +\fBfail_count\fP count of failed attempts .UNINDENT .TP -.B \fBprinc_meta\fP +\fBprinc_meta\fP principal metadata .INDENT 7.0 .TP -.B \fBname\fP +\fBname\fP principal name .TP -.B \fBmodby\fP +\fBmodby\fP name of last principal to modify this principal .TP -.B \fBmodtime\fP +\fBmodtime\fP timestamp of last modification .TP -.B \fBlastpwd\fP +\fBlastpwd\fP timestamp of last password change .TP -.B \fBpolicy\fP +\fBpolicy\fP policy object name .TP -.B \fBmkvno\fP +\fBmkvno\fP key version number of the master key that encrypts this principal\(aqs key data .TP -.B \fBhist_kvno\fP +\fBhist_kvno\fP key version number of the history key that encrypts the key history data for this principal .UNINDENT .TP -.B \fBprinc_stringattrs\fP +\fBprinc_stringattrs\fP string attributes (key/value pairs) .INDENT 7.0 .TP -.B \fBname\fP +\fBname\fP principal name .TP -.B \fBkey\fP +\fBkey\fP attribute name .TP -.B \fBvalue\fP +\fBvalue\fP attribute value .UNINDENT .TP -.B \fBprinc_tktpolicy\fP +\fBprinc_tktpolicy\fP per\-principal ticket policy data, including maximum ticket lifetimes .INDENT 7.0 .TP -.B \fBname\fP +\fBname\fP principal name .TP -.B \fBexpiration\fP +\fBexpiration\fP principal expiration date .TP -.B \fBpw_expiration\fP +\fBpw_expiration\fP password expiration date .TP -.B \fBmax_life\fP +\fBmax_life\fP maximum ticket lifetime .TP -.B \fBmax_renew_life\fP +\fBmax_renew_life\fP maximum renewable ticket lifetime .UNINDENT .UNINDENT @@ -548,7 +548,7 @@ bar@EXAMPLE.COM 1 1 des\-cbc\-crc normal \-1 .UNINDENT .SH SEE ALSO .sp -\fIkadmin(1)\fP +kadmin(1) .SH AUTHOR MIT .SH COPYRIGHT diff --git a/src/man/kdc.conf.man b/src/man/kdc.conf.man index b6a9476..3420527 100644 --- a/src/man/kdc.conf.man +++ b/src/man/kdc.conf.man @@ -31,9 +31,9 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. .sp -The kdc.conf file supplements \fIkrb5.conf(5)\fP for programs which -are typically only used on a KDC, such as the \fIkrb5kdc(8)\fP and -\fIkadmind(8)\fP daemons and the \fIkdb5_util(8)\fP program. +The kdc.conf file supplements krb5.conf(5) for programs which +are typically only used on a KDC, such as the krb5kdc(8) and +kadmind(8) daemons and the kdb5_util(8) program. Relations documented here may also be specified in krb5.conf; for the KDC programs mentioned, krb5.conf and kdc.conf will be merged into a single configuration profile. @@ -47,7 +47,7 @@ changes to take effect. .SH STRUCTURE .sp The kdc.conf file is set up in the same format as the -\fIkrb5.conf(5)\fP file. +krb5.conf(5) file. .SH SECTIONS .sp The kdc.conf file may contain the following sections: @@ -110,11 +110,11 @@ subsection does not contain a relation for the tag. See the .UNINDENT .INDENT 0.0 .TP -.B \fBkdc_max_dgram_reply_size\fP +\fBkdc_max_dgram_reply_size\fP Specifies the maximum packet size that can be sent over UDP. The default value is 4096 bytes. .TP -.B \fBkdc_tcp_listen_backlog\fP +\fBkdc_tcp_listen_backlog\fP (Integer.) Set the size of the listen queue length for the KDC daemon. The value may be limited by OS settings. The default value is 5. @@ -142,32 +142,32 @@ to define one parameter for the ATHENA.MIT.EDU realm: The following tags may be specified in a [realms] subsection: .INDENT 0.0 .TP -.B \fBacl_file\fP +\fBacl_file\fP (String.) Location of the access control list file that -\fIkadmind(8)\fP uses to determine which principals are allowed +kadmind(8) uses to determine which principals are allowed which permissions on the Kerberos database. The default value is \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/kadm5.acl\fP\&. For more information on Kerberos ACL -file see \fIkadm5.acl(5)\fP\&. +file see kadm5.acl(5)\&. .TP -.B \fBdatabase_module\fP +\fBdatabase_module\fP (String.) This relation indicates the name of the configuration section under \fI\%[dbmodules]\fP for database\-specific parameters used by the loadable database library. The default value is the realm name. If this configuration section does not exist, default values will be used for all database parameters. .TP -.B \fBdatabase_name\fP +\fBdatabase_name\fP (String, deprecated.) This relation specifies the location of the Kerberos database for this realm, if the DB2 module is being used and the \fI\%[dbmodules]\fP configuration section does not specify a database name. The default value is \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/principal\fP\&. .TP -.B \fBdefault_principal_expiration\fP -(\fIabstime\fP string.) Specifies the default expiration date of +\fBdefault_principal_expiration\fP +(abstime string.) Specifies the default expiration date of principals created in this realm. The default value is 0, which means no expiration date. .TP -.B \fBdefault_principal_flags\fP +\fBdefault_principal_flags\fP (Flag string.) Specifies the default attributes of principals created in this realm. The format for this string is a comma\-separated list of flags, with \(aq+\(aq before each flag that @@ -179,42 +179,42 @@ disabled. The \fBpostdateable\fP, \fBforwardable\fP, \fBtgt\-based\fP, There are a number of possible flags: .INDENT 7.0 .TP -.B \fBallow\-tickets\fP +\fBallow\-tickets\fP Enabling this flag means that the KDC will issue tickets for this principal. Disabling this flag essentially deactivates the principal within this realm. .TP -.B \fBdup\-skey\fP +\fBdup\-skey\fP Enabling this flag allows the principal to obtain a session key for another user, permitting user\-to\-user authentication for this principal. .TP -.B \fBforwardable\fP +\fBforwardable\fP Enabling this flag allows the principal to obtain forwardable tickets. .TP -.B \fBhwauth\fP +\fBhwauth\fP If this flag is enabled, then the principal is required to preauthenticate using a hardware device before receiving any tickets. .TP -.B \fBno\-auth\-data\-required\fP +\fBno\-auth\-data\-required\fP Enabling this flag prevents PAC or AD\-SIGNEDPATH data from being added to service tickets for the principal. .TP -.B \fBok\-as\-delegate\fP +\fBok\-as\-delegate\fP If this flag is enabled, it hints the client that credentials can and should be delegated when authenticating to the service. .TP -.B \fBok\-to\-auth\-as\-delegate\fP +\fBok\-to\-auth\-as\-delegate\fP Enabling this flag allows the principal to use S4USelf tickets. .TP -.B \fBpostdateable\fP +\fBpostdateable\fP Enabling this flag allows the principal to obtain postdateable tickets. .TP -.B \fBpreauth\fP +\fBpreauth\fP If this flag is enabled on a client principal, then that principal is required to preauthenticate to the KDC before receiving any tickets. On a service principal, enabling this @@ -222,15 +222,15 @@ flag means that service tickets for this principal will only be issued to clients with a TGT that has the preauthenticated bit set. .TP -.B \fBproxiable\fP +\fBproxiable\fP Enabling this flag allows the principal to obtain proxy tickets. .TP -.B \fBpwchange\fP +\fBpwchange\fP Enabling this flag forces a password change for this principal. .TP -.B \fBpwservice\fP +\fBpwservice\fP If this flag is enabled, it marks this principal as a password change service. This should only be used in special cases, for example, if a user\(aqs password has expired, then the user @@ -238,49 +238,49 @@ has to get tickets for that principal without going through the normal password authentication in order to be able to change the password. .TP -.B \fBrenewable\fP +\fBrenewable\fP Enabling this flag allows the principal to obtain renewable tickets. .TP -.B \fBservice\fP +\fBservice\fP Enabling this flag allows the the KDC to issue service tickets for this principal. .TP -.B \fBtgt\-based\fP +\fBtgt\-based\fP Enabling this flag allows a principal to obtain tickets based on a ticket\-granting\-ticket, rather than repeating the authentication process that was used to obtain the TGT. .UNINDENT .TP -.B \fBdict_file\fP +\fBdict_file\fP (String.) Location of the dictionary file containing strings that are not allowed as passwords. The file should contain one string per line, with no additional whitespace. If none is specified or if there is no policy assigned to the principal, no dictionary checks of passwords will be performed. .TP -.B \fBhost_based_services\fP +\fBhost_based_services\fP (Whitespace\- or comma\-separated list.) Lists services which will get host\-based referral processing even if the server principal is not marked as host\-based by the client. .TP -.B \fBiprop_enable\fP +\fBiprop_enable\fP (Boolean value.) Specifies whether incremental database propagation is enabled. The default value is false. .TP -.B \fBiprop_master_ulogsize\fP +\fBiprop_master_ulogsize\fP (Integer.) Specifies the maximum number of log entries to be retained for incremental propagation. The default value is 1000. Prior to release 1.11, the maximum value was 2500. .TP -.B \fBiprop_slave_poll\fP +\fBiprop_slave_poll\fP (Delta time string.) Specifies how often the slave KDC polls for new updates from the master. The default value is \fB2m\fP (that is, two minutes). .TP -.B \fBiprop_listen\fP +\fBiprop_listen\fP (Whitespace\- or comma\-separated list.) Specifies the iprop RPC -listening addresses and/or ports for the \fIkadmind(8)\fP daemon. +listening addresses and/or ports for the kadmind(8) daemon. Each entry may be an interface address, a port number, or an address and port number separated by a colon. If the address contains colons, enclose it in square brackets. If no address is @@ -290,22 +290,22 @@ default (when \fBiprop_enable\fP is true) is to bind to the wildcard address at the port specified in \fBiprop_port\fP\&. New in release 1.15. .TP -.B \fBiprop_port\fP +\fBiprop_port\fP (Port number.) Specifies the port number to be used for incremental propagation. When \fBiprop_enable\fP is true, this relation is required in the slave configuration file, and this relation or \fBiprop_listen\fP is required in the master configuration file, as there is no default port number. Port numbers specified in \fBiprop_listen\fP entries will override this -port number for the \fIkadmind(8)\fP daemon. +port number for the kadmind(8) daemon. .TP -.B \fBiprop_resync_timeout\fP +\fBiprop_resync_timeout\fP (Delta time string.) Specifies the amount of time to wait for a full propagation to complete. This is optional in configuration files, and is used by slave KDCs only. The default value is 5 minutes (\fB5m\fP). New in release 1.11. .TP -.B \fBiprop_logfile\fP +\fBiprop_logfile\fP (File name.) Specifies where the update log file for the realm database is to be stored. The default is to use the \fBdatabase_name\fP entry from the realms section of the krb5 config @@ -316,9 +316,9 @@ back end is being used, or the file name is specified in the \fBdatabase_name\fP is used. Determination of the \fBiprop_logfile\fP default value will not use values from the [dbmodules] section.) .TP -.B \fBkadmind_listen\fP +\fBkadmind_listen\fP (Whitespace\- or comma\-separated list.) Specifies the kadmin RPC -listening addresses and/or ports for the \fIkadmind(8)\fP daemon. +listening addresses and/or ports for the kadmind(8) daemon. Each entry may be an interface address, a port number, or an address and port number separated by a colon. If the address contains colons, enclose it in square brackets. If no address is @@ -328,19 +328,19 @@ default is to bind to the wildcard address at the port specified in \fBkadmind_port\fP, or the standard kadmin port (749). New in release 1.15. .TP -.B \fBkadmind_port\fP -(Port number.) Specifies the port on which the \fIkadmind(8)\fP +\fBkadmind_port\fP +(Port number.) Specifies the port on which the kadmind(8) daemon is to listen for this realm. Port numbers specified in \fBkadmind_listen\fP entries will override this port number. The assigned port for kadmind is 749, which is used by default. .TP -.B \fBkey_stash_file\fP +\fBkey_stash_file\fP (String.) Specifies the location where the master key has been stored (via kdb5_util stash). The default is \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/.k5.REALM\fP, where \fIREALM\fP is the Kerberos realm. .TP -.B \fBkdc_listen\fP +\fBkdc_listen\fP (Whitespace\- or comma\-separated list.) Specifies the UDP -listening addresses and/or ports for the \fIkrb5kdc(8)\fP daemon. +listening addresses and/or ports for the krb5kdc(8) daemon. Each entry may be an interface address, a port number, or an address and port number separated by a colon. If the address contains colons, enclose it in square brackets. If no address is @@ -350,16 +350,16 @@ to any of the specified addresses, it will fail to start. The default is to bind to the wildcard address on the standard port. New in release 1.15. .TP -.B \fBkdc_ports\fP +\fBkdc_ports\fP (Whitespace\- or comma\-separated list, deprecated.) Prior to release 1.15, this relation lists the ports for the -\fIkrb5kdc(8)\fP daemon to listen on for UDP requests. In +krb5kdc(8) daemon to listen on for UDP requests. In release 1.15 and later, it has the same meaning as \fBkdc_listen\fP if that relation is not defined. .TP -.B \fBkdc_tcp_listen\fP +\fBkdc_tcp_listen\fP (Whitespace\- or comma\-separated list.) Specifies the TCP -listening addresses and/or ports for the \fIkrb5kdc(8)\fP daemon. +listening addresses and/or ports for the krb5kdc(8) daemon. Each entry may be an interface address, a port number, or an address and port number separated by a colon. If the address contains colons, enclose it in square brackets. If no address is @@ -370,16 +370,16 @@ If the KDC daemon fails to bind to any of the specified addresses, it will fail to start. The default is to bind to the wildcard address on the standard port. New in release 1.15. .TP -.B \fBkdc_tcp_ports\fP +\fBkdc_tcp_ports\fP (Whitespace\- or comma\-separated list, deprecated.) Prior to release 1.15, this relation lists the ports for the -\fIkrb5kdc(8)\fP daemon to listen on for UDP requests. In +krb5kdc(8) daemon to listen on for UDP requests. In release 1.15 and later, it has the same meaning as \fBkdc_tcp_listen\fP if that relation is not defined. .TP -.B \fBkpasswd_listen\fP +\fBkpasswd_listen\fP (Comma\-separated list.) Specifies the kpasswd listening addresses -and/or ports for the \fIkadmind(8)\fP daemon. Each entry may be +and/or ports for the kadmind(8) daemon. Each entry may be an interface address, a port number, or an address and port number separated by a colon. If the address contains colons, enclose it in square brackets. If no address is specified, the wildcard @@ -388,51 +388,51 @@ addresses, it will fail to start. The default is to bind to the wildcard address at the port specified in \fBkpasswd_port\fP, or the standard kpasswd port (464). New in release 1.15. .TP -.B \fBkpasswd_port\fP -(Port number.) Specifies the port on which the \fIkadmind(8)\fP +\fBkpasswd_port\fP +(Port number.) Specifies the port on which the kadmind(8) daemon is to listen for password change requests for this realm. Port numbers specified in \fBkpasswd_listen\fP entries will override this port number. The assigned port for password change requests is 464, which is used by default. .TP -.B \fBmaster_key_name\fP +\fBmaster_key_name\fP (String.) Specifies the name of the principal associated with the master key. The default is \fBK/M\fP\&. .TP -.B \fBmaster_key_type\fP +\fBmaster_key_type\fP (Key type string.) Specifies the master key\(aqs key type. The default value for this is \fBaes256\-cts\-hmac\-sha1\-96\fP\&. For a list of all possible values, see \fI\%Encryption types\fP\&. .TP -.B \fBmax_life\fP -(\fIduration\fP string.) Specifies the maximum time period for +\fBmax_life\fP +(duration string.) Specifies the maximum time period for which a ticket may be valid in this realm. The default value is 24 hours. .TP -.B \fBmax_renewable_life\fP -(\fIduration\fP string.) Specifies the maximum time period +\fBmax_renewable_life\fP +(duration string.) Specifies the maximum time period during which a valid ticket may be renewed in this realm. The default value is 0. .TP -.B \fBno_host_referral\fP +\fBno_host_referral\fP (Whitespace\- or comma\-separated list.) Lists services to block from getting host\-based referral processing, even if the client marks the server principal as host\-based or the service is also listed in \fBhost_based_services\fP\&. \fBno_host_referral = *\fP will disable referral processing altogether. .TP -.B \fBdes_crc_session_supported\fP +\fBdes_crc_session_supported\fP (Boolean value). If set to true, the KDC will assume that service principals support des\-cbc\-crc for session key enctype negotiation -purposes. If \fBallow_weak_crypto\fP in \fIlibdefaults\fP is +purposes. If \fBallow_weak_crypto\fP in libdefaults is false, or if des\-cbc\-crc is not a permitted enctype, then this variable has no effect. Defaults to true. New in release 1.11. .TP -.B \fBreject_bad_transit\fP +\fBreject_bad_transit\fP (Boolean value.) If set to true, the KDC will check the list of transited realms for cross\-realm tickets against the transit path computed from the realm names and the capaths section of its -\fIkrb5.conf(5)\fP file; if the path in the ticket to be issued +krb5.conf(5) file; if the path in the ticket to be issued contains any realms not in the computed path, the ticket will not be issued, and an error will be returned to the client instead. If this value is set to false, such tickets will be issued @@ -449,7 +449,7 @@ only to TGS requests. .sp The default value is true. .TP -.B \fBrestrict_anonymous_to_tgt\fP +\fBrestrict_anonymous_to_tgt\fP (Boolean value.) If set to true, the KDC will reject ticket requests from anonymous principals to service principals other than the realm\(aqs ticket\-granting service. This option allows @@ -457,10 +457,10 @@ anonymous PKINIT to be enabled for use as FAST armor tickets without allowing anonymous authentication to services. The default value is false. New in release 1.9. .TP -.B \fBsupported_enctypes\fP +\fBsupported_enctypes\fP (List of \fIkey\fP:\fIsalt\fP strings.) Specifies the default key/salt combinations of principals for this realm. Any principals created -through \fIkadmin(1)\fP will have keys of these types. The +through kadmin(1) will have keys of these types. The default value for this tag is \fBaes256\-cts\-hmac\-sha1\-96:normal aes128\-cts\-hmac\-sha1\-96:normal des3\-cbc\-sha1:normal arcfour\-hmac\-md5:normal\fP\&. For lists of possible values, see \fI\%Keysalt lists\fP\&. .UNINDENT @@ -524,16 +524,16 @@ define one database parameter for the ATHENA.MIT.EDU realm: The following tags may be specified in a [dbmodules] subsection: .INDENT 0.0 .TP -.B \fBdatabase_name\fP +\fBdatabase_name\fP This DB2\-specific tag indicates the location of the database in the filesystem. The default is \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/principal\fP\&. .TP -.B \fBdb_library\fP +\fBdb_library\fP This tag indicates the name of the loadable database module. The value should be \fBdb2\fP for the DB2 module and \fBkldap\fP for the LDAP module. .TP -.B \fBdisable_last_success\fP +\fBdisable_last_success\fP If set to \fBtrue\fP, suppresses KDC updates to the "Last successful authentication" field of principal entries requiring preauthentication. Setting this flag may improve performance. @@ -541,21 +541,21 @@ preauthentication. Setting this flag may improve performance. update the "Last successful authentication" field.). First introduced in release 1.9. .TP -.B \fBdisable_lockout\fP +\fBdisable_lockout\fP If set to \fBtrue\fP, suppresses KDC updates to the "Last failed authentication" and "Failed password attempts" fields of principal entries requiring preauthentication. Setting this flag may improve performance, but also disables account lockout. First introduced in release 1.9. .TP -.B \fBldap_conns_per_server\fP +\fBldap_conns_per_server\fP This LDAP\-specific tag indicates the number of connections to be maintained per LDAP server. .TP -.B \fBldap_kdc_dn\fP and \fBldap_kadmind_dn\fP +\fBldap_kdc_dn\fP and \fBldap_kadmind_dn\fP These LDAP\-specific tags indicate the default DN for binding to -the LDAP server. The \fIkrb5kdc(8)\fP daemon uses -\fBldap_kdc_dn\fP, while the \fIkadmind(8)\fP daemon and other +the LDAP server. The krb5kdc(8) daemon uses +\fBldap_kdc_dn\fP, while the kadmind(8) daemon and other administrative programs use \fBldap_kadmind_dn\fP\&. The kadmind DN must have the rights to read and write the Kerberos data in the LDAP database. The KDC DN must have the same rights, unless @@ -564,12 +564,12 @@ which case it only needs to have rights to read the Kerberos data. These tags are ignored if a SASL mechanism is set with \fBldap_kdc_sasl_mech\fP or \fBldap_kadmind_sasl_mech\fP\&. .TP -.B \fBldap_kdc_sasl_mech\fP and \fBldap_kadmind_sasl_mech\fP +\fBldap_kdc_sasl_mech\fP and \fBldap_kadmind_sasl_mech\fP These LDAP\-specific tags specify the SASL mechanism (such as \fBEXTERNAL\fP) to use when binding to the LDAP server. New in release 1.13. .TP -.B \fBldap_kdc_sasl_authcid\fP and \fBldap_kadmind_sasl_authcid\fP +\fBldap_kdc_sasl_authcid\fP and \fBldap_kadmind_sasl_authcid\fP These LDAP\-specific tags specify the SASL authentication identity to use when binding to the LDAP server. Not all SASL mechanisms require an authentication identity. If the SASL mechanism @@ -578,35 +578,35 @@ tags also determine the name within the \fBldap_service_password_file\fP where the secret is stashed. New in release 1.13. .TP -.B \fBldap_kdc_sasl_authzid\fP and \fBldap_kadmind_sasl_authzid\fP +\fBldap_kdc_sasl_authzid\fP and \fBldap_kadmind_sasl_authzid\fP These LDAP\-specific tags specify the SASL authorization identity to use when binding to the LDAP server. In most circumstances they do not need to be specified. New in release 1.13. .TP -.B \fBldap_kdc_sasl_realm\fP and \fBldap_kadmind_sasl_realm\fP +\fBldap_kdc_sasl_realm\fP and \fBldap_kadmind_sasl_realm\fP These LDAP\-specific tags specify the SASL realm to use when binding to the LDAP server. In most circumstances they do not need to be set. New in release 1.13. .TP -.B \fBldap_kerberos_container_dn\fP +\fBldap_kerberos_container_dn\fP This LDAP\-specific tag indicates the DN of the container object where the realm objects will be located. .TP -.B \fBldap_servers\fP +\fBldap_servers\fP This LDAP\-specific tag indicates the list of LDAP servers that the Kerberos servers can connect to. The list of LDAP servers is whitespace\-separated. The LDAP server is specified by a LDAP URI. It is recommended to use \fBldapi:\fP or \fBldaps:\fP URLs to connect to the LDAP server. .TP -.B \fBldap_service_password_file\fP +\fBldap_service_password_file\fP This LDAP\-specific tag indicates the file containing the stashed passwords (created by \fBkdb5_ldap_util stashsrvpw\fP) for the \fBldap_kdc_dn\fP and \fBldap_kadmind_dn\fP objects, or for the \fBldap_kdc_sasl_authcid\fP or \fBldap_kadmind_sasl_authcid\fP names for SASL authentication. This file must be kept secure. .TP -.B \fBunlockiter\fP +\fBunlockiter\fP If set to \fBtrue\fP, this DB2\-specific tag causes iteration operations to release the database lock while processing each principal. Setting this flag to \fBtrue\fP can prevent extended @@ -618,28 +618,28 @@ The following tag may be specified directly in the [dbmodules] section to control where database modules are loaded from: .INDENT 0.0 .TP -.B \fBdb_module_dir\fP +\fBdb_module_dir\fP This tag controls where the plugin system looks for database modules. The value should be an absolute path. .UNINDENT .SS [logging] .sp -The [logging] section indicates how \fIkrb5kdc(8)\fP and -\fIkadmind(8)\fP perform logging. It may contain the following +The [logging] section indicates how krb5kdc(8) and +kadmind(8) perform logging. It may contain the following relations: .INDENT 0.0 .TP -.B \fBadmin_server\fP -Specifies how \fIkadmind(8)\fP performs logging. +\fBadmin_server\fP +Specifies how kadmind(8) performs logging. .TP -.B \fBkdc\fP -Specifies how \fIkrb5kdc(8)\fP performs logging. +\fBkdc\fP +Specifies how krb5kdc(8) performs logging. .TP -.B \fBdefault\fP +\fBdefault\fP Specifies how either daemon performs logging in the absence of relations specific to the daemon. .TP -.B \fBdebug\fP +\fBdebug\fP (Boolean value.) Specifies whether debugging messages are included in log outputs other than SYSLOG. Debugging messages are always included in the system log output because syslog performs @@ -650,24 +650,24 @@ release 1.15. Logging specifications may have the following forms: .INDENT 0.0 .TP -.B \fBFILE=\fP\fIfilename\fP or \fBFILE:\fP\fIfilename\fP +\fBFILE=\fP\fIfilename\fP or \fBFILE:\fP\fIfilename\fP This value causes the daemon\(aqs logging messages to go to the \fIfilename\fP\&. If the \fB=\fP form is used, the file is overwritten. If the \fB:\fP form is used, the file is appended to. .TP -.B \fBSTDERR\fP +\fBSTDERR\fP This value causes the daemon\(aqs logging messages to go to its standard error stream. .TP -.B \fBCONSOLE\fP +\fBCONSOLE\fP This value causes the daemon\(aqs logging messages to go to the console, if the system supports it. .TP -.B \fBDEVICE=\fP\fI<devicename>\fP +\fBDEVICE=\fP\fI<devicename>\fP This causes the daemon\(aqs logging messages to go to the specified device. .TP -.B \fBSYSLOG\fP[\fB:\fP\fIseverity\fP[\fB:\fP\fIfacility\fP]] +\fBSYSLOG\fP[\fB:\fP\fIseverity\fP[\fB:\fP\fIfacility\fP]] This causes the daemon\(aqs logging messages to go to the system log. .sp The severity argument specifies the default severity of system log @@ -714,13 +714,13 @@ One Time Password request to a RADIUS server. For each token type, the following tags may be specified: .INDENT 0.0 .TP -.B \fBserver\fP +\fBserver\fP This is the server to send the RADIUS request to. It can be a hostname with optional port, an ip address with optional port, or a Unix domain socket address. The default is \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/<name>.socket\fP\&. .TP -.B \fBsecret\fP +\fBsecret\fP This tag indicates a filename (which may be relative to \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP) containing the secret used to encrypt the RADIUS packets. The secret should appear in the first line of the file by itself; @@ -729,22 +729,22 @@ the value of \fBserver\fP is a Unix domain socket address, this tag is optional, and an empty secret will be used if it is not specified. Otherwise, this tag is required. .TP -.B \fBtimeout\fP +\fBtimeout\fP An integer which specifies the time in seconds during which the KDC should attempt to contact the RADIUS server. This tag is the total time across all retries and should be less than the time which an OTP value remains valid for. The default is 5 seconds. .TP -.B \fBretries\fP +\fBretries\fP This tag specifies the number of retries to make to the RADIUS server. The default is 3 retries (4 tries). .TP -.B \fBstrip_realm\fP +\fBstrip_realm\fP If this tag is \fBtrue\fP, the principal without the realm will be passed to the RADIUS server. Otherwise, the realm will be included. The default value is \fBtrue\fP\&. .TP -.B \fBindicator\fP +\fBindicator\fP This tag specifies an authentication indicator to be included in the ticket if this token type is used to authenticate. This option may be specified multiple times. (New in release 1.14.) @@ -830,21 +830,21 @@ generic value in the [kdcdefaults] section: .UNINDENT .sp For information about the syntax of some of these options, see -\fISpecifying PKINIT identity information\fP in -\fIkrb5.conf(5)\fP\&. +Specifying PKINIT identity information in +krb5.conf(5)\&. .INDENT 0.0 .TP -.B \fBpkinit_anchors\fP +\fBpkinit_anchors\fP Specifies the location of trusted anchor (root) certificates which the KDC trusts to sign client certificates. This option is required if pkinit is to be supported by the KDC. This option may be specified multiple times. .TP -.B \fBpkinit_dh_min_bits\fP +\fBpkinit_dh_min_bits\fP Specifies the minimum number of bits the KDC is willing to accept for a client\(aqs Diffie\-Hellman key. The default is 2048. .TP -.B \fBpkinit_allow_upn\fP +\fBpkinit_allow_upn\fP Specifies that the KDC is willing to accept client certificates with the Microsoft UserPrincipalName (UPN) Subject Alternative Name (SAN). This means the KDC accepts the binding of the UPN in @@ -855,52 +855,52 @@ Without this option, the KDC will only accept certificates with the id\-pkinit\-san as defined in \fI\%RFC 4556\fP\&. There is currently no option to disable SAN checking in the KDC. .TP -.B \fBpkinit_eku_checking\fP +\fBpkinit_eku_checking\fP This option specifies what Extended Key Usage (EKU) values the KDC is willing to accept in client certificates. The values recognized in the kdc.conf file are: .INDENT 7.0 .TP -.B \fBkpClientAuth\fP +\fBkpClientAuth\fP This is the default value and specifies that client certificates must have the id\-pkinit\-KPClientAuth EKU as defined in \fI\%RFC 4556\fP\&. .TP -.B \fBscLogin\fP +\fBscLogin\fP If scLogin is specified, client certificates with the Microsoft Smart Card Login EKU (id\-ms\-kp\-sc\-logon) will be accepted. .TP -.B \fBnone\fP +\fBnone\fP If none is specified, then client certificates will not be checked to verify they have an acceptable EKU. The use of this option is not recommended. .UNINDENT .TP -.B \fBpkinit_identity\fP +\fBpkinit_identity\fP Specifies the location of the KDC\(aqs X.509 identity information. This option is required if pkinit is to be supported by the KDC. .TP -.B \fBpkinit_indicator\fP +\fBpkinit_indicator\fP Specifies an authentication indicator to include in the ticket if pkinit is used to authenticate. This option may be specified multiple times. (New in release 1.14.) .TP -.B \fBpkinit_kdc_ocsp\fP +\fBpkinit_kdc_ocsp\fP Specifies the location of the KDC\(aqs OCSP. .TP -.B \fBpkinit_pool\fP +\fBpkinit_pool\fP Specifies the location of intermediate certificates which may be used by the KDC to complete the trust chain between a client\(aqs certificate and a trusted anchor. This option may be specified multiple times. .TP -.B \fBpkinit_revoke\fP +\fBpkinit_revoke\fP Specifies the location of Certificate Revocation List (CRL) information to be used by the KDC when verifying the validity of client certificates. This option may be specified multiple times. .TP -.B \fBpkinit_require_crl_checking\fP +\fBpkinit_require_crl_checking\fP The default certificate verification process will always check the available revocation information to see if a certificate has been revoked. If a match is found for the certificate in a CRL, @@ -1187,7 +1187,7 @@ Here\(aqs an example of a kdc.conf file: \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/kdc.conf\fP .SH SEE ALSO .sp -\fIkrb5.conf(5)\fP, \fIkrb5kdc(8)\fP, \fIkadm5.acl(5)\fP +krb5.conf(5), krb5kdc(8), kadm5.acl(5) .SH AUTHOR MIT .SH COPYRIGHT diff --git a/src/man/kdestroy.man b/src/man/kdestroy.man index 7632e79..0ee8e94 100644 --- a/src/man/kdestroy.man +++ b/src/man/kdestroy.man @@ -45,15 +45,15 @@ credentials cache is destroyed. .SH OPTIONS .INDENT 0.0 .TP -.B \fB\-A\fP +\fB\-A\fP Destroys all caches in the collection, if a cache collection is available. .TP -.B \fB\-q\fP +\fB\-q\fP Run quietly. Normally kdestroy beeps if it fails to destroy the user\(aqs tickets. The \fB\-q\fP flag suppresses this behavior. .TP -.B \fB\-c\fP \fIcache_name\fP +\fB\-c\fP \fIcache_name\fP Use \fIcache_name\fP as the credentials (ticket) cache name and location; if this option is not used, the default cache name and location are used. @@ -72,7 +72,7 @@ when you log out. kdestroy uses the following environment variable: .INDENT 0.0 .TP -.B \fBKRB5CCNAME\fP +\fBKRB5CCNAME\fP Location of the default Kerberos 5 credentials (ticket) cache, in the form \fItype\fP:\fIresidual\fP\&. If no \fItype\fP prefix is present, the \fBFILE\fP type is assumed. The type of the default cache may @@ -88,7 +88,7 @@ Default location of Kerberos 5 credentials cache .UNINDENT .SH SEE ALSO .sp -\fIkinit(1)\fP, \fIklist(1)\fP +kinit(1), klist(1) .SH AUTHOR MIT .SH COPYRIGHT diff --git a/src/man/kinit.man b/src/man/kinit.man index 4929802..8fcc9eb 100644 --- a/src/man/kinit.man +++ b/src/man/kinit.man @@ -63,11 +63,11 @@ choice of principal name. .SH OPTIONS .INDENT 0.0 .TP -.B \fB\-V\fP +\fB\-V\fP display verbose output. .TP -.B \fB\-l\fP \fIlifetime\fP -(\fIduration\fP string.) Requests a ticket with the lifetime +\fB\-l\fP \fIlifetime\fP +(duration string.) Requests a ticket with the lifetime \fIlifetime\fP\&. .sp For example, \fBkinit \-l 5:30\fP or \fBkinit \-l 5h30m\fP\&. @@ -77,62 +77,62 @@ If the \fB\-l\fP option is not specified, the default ticket lifetime longer than the maximum ticket lifetime (configured by each site) will not override the configured maximum ticket lifetime. .TP -.B \fB\-s\fP \fIstart_time\fP -(\fIduration\fP string.) Requests a postdated ticket. Postdated +\fB\-s\fP \fIstart_time\fP +(duration string.) Requests a postdated ticket. Postdated tickets are issued with the \fBinvalid\fP flag set, and need to be resubmitted to the KDC for validation before use. .sp \fIstart_time\fP specifies the duration of the delay before the ticket can become valid. .TP -.B \fB\-r\fP \fIrenewable_life\fP -(\fIduration\fP string.) Requests renewable tickets, with a total +\fB\-r\fP \fIrenewable_life\fP +(duration string.) Requests renewable tickets, with a total lifetime of \fIrenewable_life\fP\&. .TP -.B \fB\-f\fP +\fB\-f\fP requests forwardable tickets. .TP -.B \fB\-F\fP +\fB\-F\fP requests non\-forwardable tickets. .TP -.B \fB\-p\fP +\fB\-p\fP requests proxiable tickets. .TP -.B \fB\-P\fP +\fB\-P\fP requests non\-proxiable tickets. .TP -.B \fB\-a\fP +\fB\-a\fP requests tickets restricted to the host\(aqs local address[es]. .TP -.B \fB\-A\fP +\fB\-A\fP requests tickets not restricted by address. .TP -.B \fB\-C\fP +\fB\-C\fP requests canonicalization of the principal name, and allows the KDC to reply with a different client principal from the one requested. .TP -.B \fB\-E\fP +\fB\-E\fP treats the principal name as an enterprise name (implies the \fB\-C\fP option). .TP -.B \fB\-v\fP +\fB\-v\fP requests that the ticket\-granting ticket in the cache (with the \fBinvalid\fP flag set) be passed to the KDC for validation. If the ticket is within its requested time range, the cache is replaced with the validated ticket. .TP -.B \fB\-R\fP +\fB\-R\fP requests renewal of the ticket\-granting ticket. Note that an expired ticket cannot be renewed, even if the ticket is still within its renewable life. .sp Note that renewable tickets that have expired as reported by -\fIklist(1)\fP may sometimes be renewed using this option, +klist(1) may sometimes be renewed using this option, because the KDC applies a grace period to account for client\-KDC -clock skew. See \fIkrb5.conf(5)\fP \fBclockskew\fP setting. +clock skew. See krb5.conf(5) \fBclockskew\fP setting. .TP -.B \fB\-k\fP [\fB\-i\fP | \fB\-t\fP \fIkeytab_file\fP] +\fB\-k\fP [\fB\-i\fP | \fB\-t\fP \fIkeytab_file\fP] requests a ticket, obtained from a key in the local host\(aqs keytab. The location of the keytab may be specified with the \fB\-t\fP \fIkeytab_file\fP option, or with the \fB\-i\fP option to specify the use @@ -144,12 +144,12 @@ the KDC database and look up the key directly. This permits an administrator to obtain tickets as any principal that supports authentication based on the key. .TP -.B \fB\-n\fP +\fB\-n\fP Requests anonymous processing. Two types of anonymous principals are supported. .sp For fully anonymous Kerberos, configure pkinit on the KDC and -configure \fBpkinit_anchors\fP in the client\(aqs \fIkrb5.conf(5)\fP\&. +configure \fBpkinit_anchors\fP in the client\(aqs krb5.conf(5)\&. Then use the \fB\-n\fP option with a principal of the form \fB@REALM\fP (an empty principal name followed by the at\-sign and a realm name). If permitted by the KDC, an anonymous ticket will be @@ -177,7 +177,7 @@ preselecting the same methods of authenticating to the KDC. .UNINDENT .INDENT 0.0 .TP -.B \fB\-T\fP \fIarmor_ccache\fP +\fB\-T\fP \fIarmor_ccache\fP Specifies the name of a credentials cache that already contains a ticket. If supported by the KDC, this cache will be used to armor the request, preventing offline dictionary attacks and allowing @@ -185,7 +185,7 @@ the use of additional preauthentication mechanisms. Armoring also makes sure that the response from the KDC is not modified in transit. .TP -.B \fB\-c\fP \fIcache_name\fP +\fB\-c\fP \fIcache_name\fP use \fIcache_name\fP as the Kerberos 5 credentials (ticket) cache location. If this option is not used, the default cache location is used. @@ -199,11 +199,11 @@ principal is selected or a new one is created and becomes the new primary cache. Otherwise, any existing contents of the default cache are destroyed by kinit. .TP -.B \fB\-S\fP \fIservice_name\fP +\fB\-S\fP \fIservice_name\fP specify an alternate service name to use when getting initial tickets. .TP -.B \fB\-X\fP \fIattribute\fP[=\fIvalue\fP] +\fB\-X\fP \fIattribute\fP[=\fIvalue\fP] specify a pre\-authentication \fIattribute\fP and \fIvalue\fP to be interpreted by pre\-authentication modules. The acceptable attribute and value values vary from module to module. This @@ -214,13 +214,13 @@ The following attributes are recognized by the PKINIT pre\-authentication mechanism: .INDENT 7.0 .TP -.B \fBX509_user_identity\fP=\fIvalue\fP +\fBX509_user_identity\fP=\fIvalue\fP specify where to find user\(aqs X509 identity information .TP -.B \fBX509_anchors\fP=\fIvalue\fP +\fBX509_anchors\fP=\fIvalue\fP specify where to find trusted X509 anchor information .TP -.B \fBflag_RSA_PROTOCOL\fP[\fB=yes\fP] +\fBflag_RSA_PROTOCOL\fP[\fB=yes\fP] specify use of RSA, rather than the default Diffie\-Hellman protocol .UNINDENT @@ -230,7 +230,7 @@ protocol kinit uses the following environment variables: .INDENT 0.0 .TP -.B \fBKRB5CCNAME\fP +\fBKRB5CCNAME\fP Location of the default Kerberos 5 credentials cache, in the form \fItype\fP:\fIresidual\fP\&. If no \fItype\fP prefix is present, the \fBFILE\fP type is assumed. The type of the default cache may determine the @@ -249,7 +249,7 @@ default location for the local host\(aqs keytab. .UNINDENT .SH SEE ALSO .sp -\fIklist(1)\fP, \fIkdestroy(1)\fP, kerberos(1) +klist(1), kdestroy(1), kerberos(1) .SH AUTHOR MIT .SH COPYRIGHT diff --git a/src/man/klist.man b/src/man/klist.man index 863d221..edde6ce 100644 --- a/src/man/klist.man +++ b/src/man/klist.man @@ -46,24 +46,24 @@ credentials cache, or the keys held in a keytab file. .SH OPTIONS .INDENT 0.0 .TP -.B \fB\-e\fP +\fB\-e\fP Displays the encryption types of the session key and the ticket for each credential in the credential cache, or each key in the keytab file. .TP -.B \fB\-l\fP +\fB\-l\fP If a cache collection is available, displays a table summarizing the caches present in the collection. .TP -.B \fB\-A\fP +\fB\-A\fP If a cache collection is available, displays the contents of all of the caches in the collection. .TP -.B \fB\-c\fP +\fB\-c\fP List tickets held in a credentials cache. This is the default if neither \fB\-c\fP nor \fB\-k\fP is specified. .TP -.B \fB\-f\fP +\fB\-f\fP Shows the flags present in the credentials, using the following abbreviations: .INDENT 7.0 @@ -90,39 +90,39 @@ a anonymous .UNINDENT .UNINDENT .TP -.B \fB\-s\fP +\fB\-s\fP Causes klist to run silently (produce no output). klist will exit with status 1 if the credentials cache cannot be read or is expired, and with status 0 otherwise. .TP -.B \fB\-a\fP +\fB\-a\fP Display list of addresses in credentials. .TP -.B \fB\-n\fP +\fB\-n\fP Show numeric addresses instead of reverse\-resolving addresses. .TP -.B \fB\-C\fP +\fB\-C\fP List configuration data that has been stored in the credentials cache when klist encounters it. By default, configuration data is not listed. .TP -.B \fB\-k\fP +\fB\-k\fP List keys held in a keytab file. .TP -.B \fB\-i\fP +\fB\-i\fP In combination with \fB\-k\fP, defaults to using the default client keytab instead of the default acceptor keytab, if no name is given. .TP -.B \fB\-t\fP +\fB\-t\fP Display the time entry timestamps for each keytab entry in the keytab file. .TP -.B \fB\-K\fP +\fB\-K\fP Display the value of the encryption key in each keytab entry in the keytab file. .TP -.B \fB\-V\fP +\fB\-V\fP Display the Kerberos version number and exit. .UNINDENT .sp @@ -135,7 +135,7 @@ value is used to locate the default ticket cache. klist uses the following environment variable: .INDENT 0.0 .TP -.B \fBKRB5CCNAME\fP +\fBKRB5CCNAME\fP Location of the default Kerberos 5 credentials (ticket) cache, in the form \fItype\fP:\fIresidual\fP\&. If no \fItype\fP prefix is present, the \fBFILE\fP type is assumed. The type of the default cache may @@ -154,7 +154,7 @@ Default location for the local host\(aqs keytab file. .UNINDENT .SH SEE ALSO .sp -\fIkinit(1)\fP, \fIkdestroy(1)\fP +kinit(1), kdestroy(1) .SH AUTHOR MIT .SH COPYRIGHT diff --git a/src/man/kpasswd.man b/src/man/kpasswd.man index 63c986e..a0895fc 100644 --- a/src/man/kpasswd.man +++ b/src/man/kpasswd.man @@ -55,7 +55,7 @@ identity of the user invoking the kpasswd command. .UNINDENT .SH SEE ALSO .sp -\fIkadmin(1)\fP, \fIkadmind(8)\fP +kadmin(1), kadmind(8) .SH AUTHOR MIT .SH COPYRIGHT diff --git a/src/man/kprop.man b/src/man/kprop.man index 1e960db..9e161f4 100644 --- a/src/man/kprop.man +++ b/src/man/kprop.man @@ -44,26 +44,26 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] kprop is used to securely propagate a Kerberos V5 database dump file from the master Kerberos server to a slave Kerberos server, which is specified by \fIslave_host\fP\&. The dump file must be created by -\fIkdb5_util(8)\fP\&. +kdb5_util(8)\&. .SH OPTIONS .INDENT 0.0 .TP -.B \fB\-r\fP \fIrealm\fP +\fB\-r\fP \fIrealm\fP Specifies the realm of the master server. .TP -.B \fB\-f\fP \fIfile\fP +\fB\-f\fP \fIfile\fP Specifies the filename where the dumped principal database file is to be found; by default the dumped database file is normally \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/slave_datatrans\fP\&. .TP -.B \fB\-P\fP \fIport\fP -Specifies the port to use to contact the \fIkpropd(8)\fP server +\fB\-P\fP \fIport\fP +Specifies the port to use to contact the kpropd(8) server on the remote host. .TP -.B \fB\-d\fP +\fB\-d\fP Prints debugging information. .TP -.B \fB\-s\fP \fIkeytab\fP +\fB\-s\fP \fIkeytab\fP Specifies the location of the keytab file. .UNINDENT .SH ENVIRONMENT @@ -75,7 +75,7 @@ Specifies the location of the keytab file. .UNINDENT .SH SEE ALSO .sp -\fIkpropd(8)\fP, \fIkdb5_util(8)\fP, \fIkrb5kdc(8)\fP +kpropd(8), kdb5_util(8), krb5kdc(8) .SH AUTHOR MIT .SH COPYRIGHT diff --git a/src/man/kpropd.man b/src/man/kpropd.man index af9a676..36aa9f7 100644 --- a/src/man/kpropd.man +++ b/src/man/kpropd.man @@ -45,15 +45,15 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] .SH DESCRIPTION .sp The \fIkpropd\fP command runs on the slave KDC server. It listens for -update requests made by the \fIkprop(8)\fP program. If incremental +update requests made by the kprop(8) program. If incremental propagation is enabled, it periodically requests incremental updates from the master KDC. .sp When the slave receives a kprop request from the master, kpropd accepts the dumped KDC database and places it in a file, and then runs -\fIkdb5_util(8)\fP to load the dumped database into the active -database which is used by \fIkrb5kdc(8)\fP\&. This allows the master -Kerberos server to use \fIkprop(8)\fP to propagate its database to +kdb5_util(8) to load the dumped database into the active +database which is used by krb5kdc(8)\&. This allows the master +Kerberos server to use kprop(8) to propagate its database to the slave servers. Upon a successful download of the KDC database file, the slave Kerberos server will have an up\-to\-date KDC database. .sp @@ -81,54 +81,54 @@ kpropd in standalone mode; this option is now accepted for backward compatibility but does nothing. .sp Incremental propagation may be enabled with the \fBiprop_enable\fP -variable in \fIkdc.conf(5)\fP\&. If incremental propagation is +variable in kdc.conf(5)\&. If incremental propagation is enabled, the slave periodically polls the master KDC for updates, at an interval determined by the \fBiprop_slave_poll\fP variable. If the slave receives updates, kpropd updates its log file with any updates -from the master. \fIkproplog(8)\fP can be used to view a summary of +from the master. kproplog(8) can be used to view a summary of the update entry log on the slave KDC. If incremental propagation is enabled, the principal \fBkiprop/slavehostname@REALM\fP (where \fIslavehostname\fP is the name of the slave KDC host, and \fIREALM\fP is the name of the Kerberos realm) must be present in the slave\(aqs keytab file. .sp -\fIkproplog(8)\fP can be used to force full replication when iprop is +kproplog(8) can be used to force full replication when iprop is enabled. .SH OPTIONS .INDENT 0.0 .TP -.B \fB\-r\fP \fIrealm\fP +\fB\-r\fP \fIrealm\fP Specifies the realm of the master server. .TP -.B \fB\-A\fP \fIadmin_server\fP +\fB\-A\fP \fIadmin_server\fP Specifies the server to be contacted for incremental updates; by default, the master admin server is contacted. .TP -.B \fB\-f\fP \fIfile\fP +\fB\-f\fP \fIfile\fP Specifies the filename where the dumped principal database file is to be stored; by default the dumped database file is \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/from_master\fP\&. .TP -.B \fB\-p\fP -Allows the user to specify the pathname to the \fIkdb5_util(8)\fP +\fB\-p\fP +Allows the user to specify the pathname to the kdb5_util(8) program; by default the pathname used is \fB@SBINDIR@\fP\fB/kdb5_util\fP\&. .TP -.B \fB\-d\fP +\fB\-d\fP Turn on debug mode. In this mode, kpropd will not detach itself from the current job and run in the background. Instead, it will run in the foreground and print out debugging messages during the database propagation. .TP -.B \fB\-t\fP +\fB\-t\fP In standalone mode without incremental propagation, exit after one dump file is received. In incremental propagation mode, exit as soon as the database is up to date, or if the master returns an error. .TP -.B \fB\-P\fP +\fB\-P\fP Allow for an alternate port number for kpropd to listen on. This is only useful in combination with the \fB\-S\fP option. .TP -.B \fB\-a\fP \fIacl_file\fP +\fB\-a\fP \fIacl_file\fP Allows the user to specify the path to the kpropd.acl file; by default the path used is \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/kpropd.acl\fP\&. .UNINDENT @@ -148,11 +148,11 @@ kpropd uses the following environment variables: Access file for kpropd; the default location is \fB/usr/local/var/krb5kdc/kpropd.acl\fP\&. Each entry is a line containing the principal of a host from which the local machine -will allow Kerberos database propagation via \fIkprop(8)\fP\&. +will allow Kerberos database propagation via kprop(8)\&. .UNINDENT .SH SEE ALSO .sp -\fIkprop(8)\fP, \fIkdb5_util(8)\fP, \fIkrb5kdc(8)\fP, inetd(8) +kprop(8), kdb5_util(8), krb5kdc(8), inetd(8) .SH AUTHOR MIT .SH COPYRIGHT diff --git a/src/man/kproplog.man b/src/man/kproplog.man index 6341b5f..e0b200b 100644 --- a/src/man/kproplog.man +++ b/src/man/kproplog.man @@ -39,8 +39,8 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] The kproplog command displays the contents of the KDC database update log to standard output. It can be used to keep track of incremental updates to the principal database. The update log file contains the -update log maintained by the \fIkadmind(8)\fP process on the master -KDC server and the \fIkpropd(8)\fP process on the slave KDC servers. +update log maintained by the kadmind(8) process on the master +KDC server and the kpropd(8) process on the slave KDC servers. When updates occur, they are logged to this file. Subsequently any KDC slave configured for incremental updates will request the current data from the master KDC and update their log file with any updates @@ -57,22 +57,22 @@ last update received and the associated time stamp of the last update. .SH OPTIONS .INDENT 0.0 .TP -.B \fB\-R\fP +\fB\-R\fP Reset the update log. This forces full resynchronization. If used on a slave then that slave will request a full resync. If used on the master then all slaves will request full resyncs. .TP -.B \fB\-h\fP +\fB\-h\fP Display a summary of the update log. This information includes the database version number, state of the database, the number of updates in the log, the time stamp of the first and last update, and the version number of the first and last update entry. .TP -.B \fB\-e\fP \fInum\fP +\fB\-e\fP \fInum\fP Display the last \fInum\fP update entries in the log. This is useful when debugging synchronization between KDC servers. .TP -.B \fB\-v\fP +\fB\-v\fP Display individual attributes per update. An example of the output generated for one entry: .INDENT 7.0 @@ -108,7 +108,7 @@ kproplog uses the following environment variables: .UNINDENT .SH SEE ALSO .sp -\fIkpropd(8)\fP +kpropd(8) .SH AUTHOR MIT .SH COPYRIGHT diff --git a/src/man/krb5-config.man b/src/man/krb5-config.man index a40ba3e..370cbd1 100644 --- a/src/man/krb5-config.man +++ b/src/man/krb5-config.man @@ -41,39 +41,39 @@ and link programs against the installed Kerberos libraries. .SH OPTIONS .INDENT 0.0 .TP -.B \fB\-\fP\fB\-help\fP +\fB\-\fP\fB\-help\fP prints a usage message. This is the default behavior when no options are specified. .TP -.B \fB\-\fP\fB\-all\fP +\fB\-\fP\fB\-all\fP prints the version, vendor, prefix, and exec\-prefix. .TP -.B \fB\-\fP\fB\-version\fP +\fB\-\fP\fB\-version\fP prints the version number of the Kerberos installation. .TP -.B \fB\-\fP\fB\-vendor\fP +\fB\-\fP\fB\-vendor\fP prints the name of the vendor of the Kerberos installation. .TP -.B \fB\-\fP\fB\-prefix\fP +\fB\-\fP\fB\-prefix\fP prints the prefix for which the Kerberos installation was built. .TP -.B \fB\-\fP\fB\-exec\-prefix\fP +\fB\-\fP\fB\-exec\-prefix\fP prints the prefix for executables for which the Kerberos installation was built. .TP -.B \fB\-\fP\fB\-defccname\fP +\fB\-\fP\fB\-defccname\fP prints the built\-in default credentials cache location. .TP -.B \fB\-\fP\fB\-defktname\fP +\fB\-\fP\fB\-defktname\fP prints the built\-in default keytab location. .TP -.B \fB\-\fP\fB\-defcktname\fP +\fB\-\fP\fB\-defcktname\fP prints the built\-in default client (initiator) keytab location. .TP -.B \fB\-\fP\fB\-cflags\fP +\fB\-\fP\fB\-cflags\fP prints the compilation flags used to build the Kerberos installation. .TP -.B \fB\-\fP\fB\-libs\fP [\fIlibrary\fP] +\fB\-\fP\fB\-libs\fP [\fIlibrary\fP] prints the compiler options needed to link against \fIlibrary\fP\&. Allowed values for \fIlibrary\fP are: .TS diff --git a/src/man/krb5.conf.man b/src/man/krb5.conf.man index b240885..e7f1b46 100644 --- a/src/man/krb5.conf.man +++ b/src/man/krb5.conf.man @@ -135,7 +135,7 @@ module MODULEPATH:RESIDUAL \fIMODULEPATH\fP may be relative to the library path of the krb5 installation, or it may be an absolute path. \fIRESIDUAL\fP is provided to the module at initialization time. If krb5.conf uses a module -directive, \fIkdc.conf(5)\fP should also use one if it exists. +directive, kdc.conf(5) should also use one if it exists. .SH SECTIONS .sp The krb5.conf file may contain the following sections: @@ -182,15 +182,15 @@ _ .TE .sp Additionally, krb5.conf may include any of the relations described in -\fIkdc.conf(5)\fP, but it is not a recommended practice. +kdc.conf(5), but it is not a recommended practice. .SS [libdefaults] .sp The libdefaults section may contain any of the following relations: .INDENT 0.0 .TP -.B \fBallow_weak_crypto\fP +\fBallow_weak_crypto\fP If this flag is set to false, then weak encryption types (as noted -in \fIEncryption_types\fP in \fIkdc.conf(5)\fP) will be filtered +in Encryption_types in kdc.conf(5)) will be filtered out of the lists \fBdefault_tgs_enctypes\fP, \fBdefault_tkt_enctypes\fP, and \fBpermitted_enctypes\fP\&. The default value for this tag is false, which may cause authentication @@ -198,7 +198,7 @@ failures in existing Kerberos infrastructures that do not support strong crypto. Users in affected environments should set this tag to true until their infrastructure adopts stronger ciphers. .TP -.B \fBap_req_checksum_type\fP +\fBap_req_checksum_type\fP An integer which specifies the type of AP\-REQ checksum to use in authenticators. This variable should be unset so the appropriate checksum for the encryption key in use will be used. This can be @@ -206,20 +206,20 @@ set if backward compatibility requires a specific checksum type. See the \fBkdc_req_checksum_type\fP configuration option for the possible values and their meanings. .TP -.B \fBcanonicalize\fP +\fBcanonicalize\fP If this flag is set to true, initial ticket requests to the KDC will request canonicalization of the client principal name, and answers with different client principals than the requested principal will be accepted. The default value is false. .TP -.B \fBccache_type\fP +\fBccache_type\fP This parameter determines the format of credential cache types -created by \fIkinit(1)\fP or other programs. The default value +created by kinit(1) or other programs. The default value is 4, which represents the most current format. Smaller values can be used for compatibility with very old implementations of Kerberos which interact with credential caches on the same host. .TP -.B \fBclockskew\fP +\fBclockskew\fP Sets the maximum allowable amount of clockskew in seconds that the library will tolerate before assuming that a Kerberos message is invalid. The default value is 300 seconds, or five minutes. @@ -230,34 +230,34 @@ their expiration time can still be used (and renewed if they are renewable tickets) if they have been expired for a shorter duration than the \fBclockskew\fP setting. .TP -.B \fBdefault_ccache_name\fP +\fBdefault_ccache_name\fP This relation specifies the name of the default credential cache. The default is \fB@CCNAME@\fP\&. This relation is subject to parameter expansion (see below). New in release 1.11. .TP -.B \fBdefault_client_keytab_name\fP +\fBdefault_client_keytab_name\fP This relation specifies the name of the default keytab for obtaining client credentials. The default is \fB@CKTNAME@\fP\&. This relation is subject to parameter expansion (see below). New in release 1.11. .TP -.B \fBdefault_keytab_name\fP +\fBdefault_keytab_name\fP This relation specifies the default keytab name to be used by application servers such as sshd. The default is \fB@KTNAME@\fP\&. This relation is subject to parameter expansion (see below). .TP -.B \fBdefault_realm\fP +\fBdefault_realm\fP Identifies the default Kerberos realm for the client. Set its value to your Kerberos realm. If this value is not set, then a realm must be specified with every Kerberos principal when -invoking programs such as \fIkinit(1)\fP\&. +invoking programs such as kinit(1)\&. .TP -.B \fBdefault_tgs_enctypes\fP +\fBdefault_tgs_enctypes\fP Identifies the supported list of session key encryption types that the client should request when making a TGS\-REQ, in order of preference from highest to lowest. The list may be delimited with -commas or whitespace. See \fIEncryption_types\fP in -\fIkdc.conf(5)\fP for a list of the accepted values for this tag. +commas or whitespace. See Encryption_types in +kdc.conf(5) for a list of the accepted values for this tag. The default value is \fBaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 aes256\-cts\-hmac\-sha384\-192 aes128\-cts\-hmac\-sha256\-128 des3\-cbc\-sha1 arcfour\-hmac\-md5 camellia256\-cts\-cmac camellia128\-cts\-cmac des\-cbc\-crc des\-cbc\-md5 des\-cbc\-md4\fP, but single\-DES encryption types will be implicitly removed from this list if the value of \fBallow_weak_crypto\fP is false. @@ -267,7 +267,7 @@ compatibility purposes; stale values of this setting can prevent clients from taking advantage of new stronger enctypes when the libraries are upgraded. .TP -.B \fBdefault_tkt_enctypes\fP +\fBdefault_tkt_enctypes\fP Identifies the supported list of session key encryption types that the client should request when making an AS\-REQ, in order of preference from highest to lowest. The format is the same as for @@ -281,14 +281,14 @@ compatibility purposes; stale values of this setting can prevent clients from taking advantage of new stronger enctypes when the libraries are upgraded. .TP -.B \fBdns_canonicalize_hostname\fP +\fBdns_canonicalize_hostname\fP Indicate whether name lookups will be used to canonicalize hostnames for use in service principal names. Setting this flag to false can improve security by reducing reliance on DNS, but means that short hostnames will not be canonicalized to fully\-qualified hostnames. The default value is true. .TP -.B \fBdns_lookup_kdc\fP +\fBdns_lookup_kdc\fP Indicate whether DNS SRV records should be used to locate the KDCs and other servers for a realm, if they are not listed in the krb5.conf information for the realm. (Note that the admin_server @@ -304,30 +304,30 @@ it (besides the initial ticket request, which has no encrypted data), and anything the fake KDC sends will not be trusted without verification using some secret that it won\(aqt know. .TP -.B \fBdns_uri_lookup\fP +\fBdns_uri_lookup\fP Indicate whether DNS URI records should be used to locate the KDCs and other servers for a realm, if they are not listed in the krb5.conf information for the realm. SRV records are used as a fallback if no URI records were found. The default value is true. New in release 1.15. .TP -.B \fBerr_fmt\fP +\fBerr_fmt\fP This relation allows for custom error message formatting. If a value is set, error messages will be formatted by substituting a normal error message for %M and an error code for %C in the value. .TP -.B \fBextra_addresses\fP +\fBextra_addresses\fP This allows a computer to use multiple local addresses, in order to allow Kerberos to work in a network that uses NATs while still using address\-restricted tickets. The addresses should be in a comma\-separated list. This option has no effect if \fBnoaddresses\fP is true. .TP -.B \fBforwardable\fP +\fBforwardable\fP If this flag is true, initial tickets will be forwardable by default, if allowed by the KDC. The default value is false. .TP -.B \fBignore_acceptor_hostname\fP +\fBignore_acceptor_hostname\fP When accepting GSSAPI or krb5 security contexts for host\-based service principals, ignore any hostname passed by the calling application, and allow clients to authenticate to any service @@ -337,15 +337,15 @@ flexibility of server applications on multihomed hosts, but could compromise the security of virtual hosting environments. The default value is false. New in release 1.10. .TP -.B \fBk5login_authoritative\fP +\fBk5login_authoritative\fP If this flag is true, principals must be listed in a local user\(aqs -k5login file to be granted login access, if a \fI\&.k5login(5)\fP +k5login file to be granted login access, if a \&.k5login(5) file exists. If this flag is false, a principal may still be granted login access through other mechanisms even if a k5login file exists but does not list the principal. The default value is true. .TP -.B \fBk5login_directory\fP +\fBk5login_directory\fP If set, the library will look for a local user\(aqs k5login file within the named directory, with a filename corresponding to the local username. If not set, the library will look for k5login @@ -353,25 +353,25 @@ files in the user\(aqs home directory, with the filename .k5login. For security reasons, .k5login files must be owned by the local user or by root. .TP -.B \fBkcm_mach_service\fP +\fBkcm_mach_service\fP On OS X only, determines the name of the bootstrap service used to contact the KCM daemon for the KCM credential cache type. If the value is \fB\-\fP, Mach RPC will not be used to contact the KCM daemon. The default value is \fBorg.h5l.kcm\fP\&. .TP -.B \fBkcm_socket\fP +\fBkcm_socket\fP Determines the path to the Unix domain socket used to access the KCM daemon for the KCM credential cache type. If the value is \fB\-\fP, Unix domain sockets will not be used to contact the KCM daemon. The default value is \fB/var/run/.heim_org.h5l.kcm\-socket\fP\&. .TP -.B \fBkdc_default_options\fP +\fBkdc_default_options\fP Default KDC options (Xored for multiple values) when requesting initial tickets. By default it is set to 0x00000010 (KDC_OPT_RENEWABLE_OK). .TP -.B \fBkdc_timesync\fP +\fBkdc_timesync\fP Accepted values for this relation are 1 or 0. If it is nonzero, client machines will compute the difference between their time and the time returned by the KDC in the timestamps in the tickets and @@ -380,7 +380,7 @@ requesting service tickets or authenticating to services. This corrective factor is only used by the Kerberos library; it is not used to change the system clock. The default value is 1. .TP -.B \fBkdc_req_checksum_type\fP +\fBkdc_req_checksum_type\fP An integer which specifies the type of checksum to use for the KDC requests, for compatibility with very old KDC implementations. This value is only used for DES keys; other keys use the preferred @@ -447,40 +447,40 @@ T} _ .TE .TP -.B \fBnoaddresses\fP +\fBnoaddresses\fP If this flag is true, requests for initial tickets will not be made with address restrictions set, allowing the tickets to be used across NATs. The default value is true. .TP -.B \fBpermitted_enctypes\fP +\fBpermitted_enctypes\fP Identifies all encryption types that are permitted for use in session key encryption. The default value for this tag is \fBaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 aes256\-cts\-hmac\-sha384\-192 aes128\-cts\-hmac\-sha256\-128 des3\-cbc\-sha1 arcfour\-hmac\-md5 camellia256\-cts\-cmac camellia128\-cts\-cmac des\-cbc\-crc des\-cbc\-md5 des\-cbc\-md4\fP, but single\-DES encryption types will be implicitly removed from this list if the value of \fBallow_weak_crypto\fP is false. .TP -.B \fBplugin_base_dir\fP +\fBplugin_base_dir\fP If set, determines the base directory where krb5 plugins are located. The default value is the \fBkrb5/plugins\fP subdirectory of the krb5 library directory. .TP -.B \fBpreferred_preauth_types\fP +\fBpreferred_preauth_types\fP This allows you to set the preferred preauthentication types which the client will attempt before others which may be advertised by a KDC. The default value for this setting is "17, 16, 15, 14", which forces libkrb5 to attempt to use PKINIT if it is supported. .TP -.B \fBproxiable\fP +\fBproxiable\fP If this flag is true, initial tickets will be proxiable by default, if allowed by the KDC. The default value is false. .TP -.B \fBrdns\fP +\fBrdns\fP If this flag is true, reverse name lookup will be used in addition to forward name lookup to canonicalizing hostnames for use in service principal names. If \fBdns_canonicalize_hostname\fP is set to false, this flag has no effect. The default value is true. .TP -.B \fBrealm_try_domains\fP +\fBrealm_try_domains\fP Indicate whether a host\(aqs domain components should be used to determine the Kerberos realm of the host. The value of this variable is an integer: \-1 means not to search, 0 means to try the @@ -490,11 +490,11 @@ Kerberos realms is used to determine whether a domain is a valid realm, which may involve consulting DNS if \fBdns_lookup_kdc\fP is set. The default is not to search domain components. .TP -.B \fBrenew_lifetime\fP -(\fIduration\fP string.) Sets the default renewable lifetime +\fBrenew_lifetime\fP +(duration string.) Sets the default renewable lifetime for initial ticket requests. The default value is 0. .TP -.B \fBsafe_checksum_type\fP +\fBsafe_checksum_type\fP An integer which specifies the type of checksum to use for the KRB\-SAFE requests. By default it is set to 8 (RSA MD5 DES). For compatibility with applications linked against DCE version 1.1 or @@ -503,11 +503,11 @@ DES instead. This field is ignored when its value is incompatible with the session key type. See the \fBkdc_req_checksum_type\fP configuration option for the possible values and their meanings. .TP -.B \fBticket_lifetime\fP -(\fIduration\fP string.) Sets the default lifetime for initial +\fBticket_lifetime\fP +(duration string.) Sets the default lifetime for initial ticket requests. The default value is 1 day. .TP -.B \fBudp_preference_limit\fP +\fBudp_preference_limit\fP When sending a message to the KDC, the library will try using TCP before UDP if the size of the message is above \fBudp_preference_limit\fP\&. If the message is smaller than @@ -515,7 +515,7 @@ before UDP if the size of the message is above Regardless of the size, both protocols will be tried if the first attempt fails. .TP -.B \fBverify_ap_req_nofail\fP +\fBverify_ap_req_nofail\fP If this flag is true, then an attempt to verify initial credentials will fail if the client machine does not have a keytab. The default value is false. @@ -528,20 +528,20 @@ define the properties of that particular realm. For each realm, the following tags may be specified in the realm\(aqs subsection: .INDENT 0.0 .TP -.B \fBadmin_server\fP +\fBadmin_server\fP Identifies the host where the administration server is running. Typically, this is the master Kerberos server. This tag must be -given a value in order to communicate with the \fIkadmind(8)\fP +given a value in order to communicate with the kadmind(8) server for the realm. .TP -.B \fBauth_to_local\fP +\fBauth_to_local\fP This tag allows you to set a general rule for mapping principal names to local user names. It will be used if there is not an explicit mapping for the principal name that is being translated. The possible values are: .INDENT 7.0 .TP -.B \fBRULE:\fP\fIexp\fP +\fBRULE:\fP\fIexp\fP The local name will be formulated from \fIexp\fP\&. .sp The format for \fIexp\fP is \fB[\fP\fIn\fP\fB:\fP\fIstring\fP\fB](\fP\fIregexp\fP\fB)s/\fP\fIpattern\fP\fB/\fP\fIreplacement\fP\fB/g\fP\&. @@ -557,7 +557,7 @@ string. The optional \fBg\fP will cause the substitution to be global over the \fIstring\fP, instead of replacing only the first match in the \fIstring\fP\&. .TP -.B \fBDEFAULT\fP +\fBDEFAULT\fP The principal name will be used as the local user name. If the principal has more than one component or is not in the default realm, this rule is not applicable and the conversion @@ -590,18 +590,18 @@ principal with a second component of \fBroot\fP\&. The exception to these two rules are any principals \fBjohndoe/*\fP, which will always get the local name \fBguest\fP\&. .TP -.B \fBauth_to_local_names\fP +\fBauth_to_local_names\fP This subsection allows you to set explicit mappings from principal names to local user names. The tag is the mapping name, and the value is the corresponding local user name. .TP -.B \fBdefault_domain\fP +\fBdefault_domain\fP This tag specifies the domain used to expand hostnames when translating Kerberos 4 service principals to Kerberos 5 principals (for example, when converting \fBrcmd.hostname\fP to \fBhost/hostname.domain\fP). .TP -.B \fBhttp_anchors\fP +\fBhttp_anchors\fP When KDCs and kpasswd servers are accessed through HTTPS proxies, this tag can be used to specify the location of the CA certificate which should be trusted to issue the certificate for a proxy server. If left unspecified, @@ -627,7 +627,7 @@ to a value conforming to one of the previous values. For example, \fBENV:X509_PROXY_CA\fP, where environment variable \fBX509_PROXY_CA\fP has been set to \fBFILE:/tmp/my_proxy.pem\fP\&. .TP -.B \fBkdc\fP +\fBkdc\fP The name or address of a host running a KDC for that realm. An optional port number, separated from the hostname by a colon, may be included. If the name or address contains colons (for example, @@ -637,12 +637,12 @@ be able to communicate with the KDC for each realm, this tag must be given a value in each realm subsection in the configuration file, or there must be DNS SRV records specifying the KDCs. .TP -.B \fBkpasswd_server\fP +\fBkpasswd_server\fP Points to the server where all the password changes are performed. If there is no such entry, the port 464 on the \fBadmin_server\fP host will be tried. .TP -.B \fBmaster_kdc\fP +\fBmaster_kdc\fP Identifies the master KDC(s). Currently, this tag is used in only one case: If an attempt to get credentials fails because of an invalid password, the client software will attempt to contact the @@ -650,14 +650,14 @@ master KDC, in case the user\(aqs password has just been changed, and the updated database has not been propagated to the slave servers yet. .TP -.B \fBv4_instance_convert\fP +\fBv4_instance_convert\fP This subsection allows the administrator to configure exceptions to the \fBdefault_domain\fP mapping rule. It contains V4 instances (the tag name) which should be translated to some specific hostname (the tag value) as the second component in a Kerberos V5 principal name. .TP -.B \fBv4_realm\fP +\fBv4_realm\fP This relation is used by the krb524 library routines when converting a V5 principal name to a V4 principal name. It is used when the V4 realm name and the V5 realm name are not the same, but @@ -867,17 +867,17 @@ Each pluggable interface corresponds to a subsection of [plugins]. All subsections support the same tags: .INDENT 0.0 .TP -.B \fBdisable\fP +\fBdisable\fP This tag may have multiple values. If there are values for this tag, then the named modules will be disabled for the pluggable interface. .TP -.B \fBenable_only\fP +\fBenable_only\fP This tag may have multiple values. If there are values for this tag, then only the named modules will be enabled for the pluggable interface. .TP -.B \fBmodule\fP +\fBmodule\fP This tag may have multiple values. Each value is a string of the form \fBmodulename:pathname\fP, which causes the shared object located at \fIpathname\fP to be registered as a dynamic module named @@ -902,11 +902,11 @@ dynamic modules, the following built\-in modules exist (and may be disabled with the disable tag): .INDENT 0.0 .TP -.B \fBk5identity\fP +\fBk5identity\fP Uses a .k5identity file in the user\(aqs home directory to select a client principal .TP -.B \fBrealm\fP +\fBrealm\fP Uses the service realm to guess an appropriate cache from the collection .UNINDENT @@ -917,17 +917,17 @@ interface, which is used to reject weak passwords when passwords are changed. The following built\-in modules exist for this interface: .INDENT 0.0 .TP -.B \fBdict\fP +\fBdict\fP Checks against the realm dictionary file .TP -.B \fBempty\fP +\fBempty\fP Rejects empty passwords .TP -.B \fBhesiod\fP +\fBhesiod\fP Checks against user information stored in Hesiod (only if Kerberos was built with Hesiod support) .TP -.B \fBprinc\fP +\fBprinc\fP Checks against components of the principal name .UNINDENT .SS kadm5_hook interface @@ -944,13 +944,13 @@ provide client and KDC preauthentication mechanisms. The following built\-in modules exist for these interfaces: .INDENT 0.0 .TP -.B \fBpkinit\fP +\fBpkinit\fP This module implements the PKINIT preauthentication mechanism. .TP -.B \fBencrypted_challenge\fP +\fBencrypted_challenge\fP This module implements the encrypted challenge FAST factor. .TP -.B \fBencrypted_timestamp\fP +\fBencrypted_timestamp\fP This module implements the encrypted timestamp mechanism. .UNINDENT .SS hostrealm interface @@ -961,17 +961,17 @@ hostnames to realm names and the choice of default realm. The following built\-in modules exist for this interface: .INDENT 0.0 .TP -.B \fBprofile\fP +\fBprofile\fP This module consults the [domain_realm] section of the profile for authoritative host\-to\-realm mappings, and the \fBdefault_realm\fP variable for the default realm. .TP -.B \fBdns\fP +\fBdns\fP This module looks for DNS records for fallback host\-to\-realm mappings and the default realm. It only operates if the \fBdns_lookup_realm\fP variable is set to true. .TP -.B \fBdomain\fP +\fBdomain\fP This module applies heuristics for fallback host\-to\-realm mappings. It implements the \fBrealm_try_domains\fP variable, and uses the uppercased parent domain of the hostname if that does not @@ -985,28 +985,28 @@ between Kerberos principals and local system accounts. The following built\-in modules exist for this interface: .INDENT 0.0 .TP -.B \fBdefault\fP +\fBdefault\fP This module implements the \fBDEFAULT\fP type for \fBauth_to_local\fP values. .TP -.B \fBrule\fP +\fBrule\fP This module implements the \fBRULE\fP type for \fBauth_to_local\fP values. .TP -.B \fBnames\fP +\fBnames\fP This module looks for an \fBauth_to_local_names\fP mapping for the principal name. .TP -.B \fBauth_to_local\fP +\fBauth_to_local\fP This module processes \fBauth_to_local\fP values in the default realm\(aqs section, and applies the default method if no \fBauth_to_local\fP values exist. .TP -.B \fBk5login\fP +\fBk5login\fP This module authorizes a principal to a local account according to -the account\(aqs \fI\&.k5login(5)\fP file. +the account\(aqs \&.k5login(5) file. .TP -.B \fBan2ln\fP +\fBan2ln\fP This module authorizes a principal to a local account if the principal name maps to the local account name. .UNINDENT @@ -1074,7 +1074,7 @@ The syntax for specifying Public Key identity, trust, and revocation information for PKINIT is as follows: .INDENT 0.0 .TP -.B \fBFILE:\fP\fIfilename\fP[\fB,\fP\fIkeyfilename\fP] +\fBFILE:\fP\fIfilename\fP[\fB,\fP\fIkeyfilename\fP] This option has context\-specific behavior. .sp In \fBpkinit_identity\fP or \fBpkinit_identities\fP, \fIfilename\fP @@ -1086,7 +1086,7 @@ private key is expected to be in \fIfilename\fP as well. Otherwise, In \fBpkinit_anchors\fP or \fBpkinit_pool\fP, \fIfilename\fP is assumed to be the name of an OpenSSL\-style ca\-bundle file. .TP -.B \fBDIR:\fP\fIdirname\fP +\fBDIR:\fP\fIdirname\fP This option has context\-specific behavior. .sp In \fBpkinit_identity\fP or \fBpkinit_identities\fP, \fIdirname\fP @@ -1109,11 +1109,11 @@ named \fBhash\-of\-ca\-cert.r#\fP\&. This infrastructure is encouraged, but all files in the directory will be examined and if they contain a revocation list (in PEM format), they will be used. .TP -.B \fBPKCS12:\fP\fIfilename\fP +\fBPKCS12:\fP\fIfilename\fP \fIfilename\fP is the name of a PKCS #12 format file, containing the user\(aqs certificate and private key. .TP -.B \fBPKCS11:\fP[\fBmodule_name=\fP]\fImodname\fP[\fB:slotid=\fP\fIslot\-id\fP][\fB:token=\fP\fItoken\-label\fP][\fB:certid=\fP\fIcert\-id\fP][\fB:certlabel=\fP\fIcert\-label\fP] +\fBPKCS11:\fP[\fBmodule_name=\fP]\fImodname\fP[\fB:slotid=\fP\fIslot\-id\fP][\fB:token=\fP\fItoken\-label\fP][\fB:certid=\fP\fIcert\-id\fP][\fB:certlabel=\fP\fIcert\-label\fP] All keyword/values are optional. \fImodname\fP specifies the location of a library implementing PKCS #11. If a value is encountered with no keyword, it is assumed to be the \fImodname\fP\&. If no @@ -1125,7 +1125,7 @@ force the selection of a particular certificate on the device. See the \fBpkinit_cert_match\fP configuration option for more ways to select a particular certificate to use for PKINIT. .TP -.B \fBENV:\fP\fIenvvar\fP +\fBENV:\fP\fIenvvar\fP \fIenvvar\fP specifies the name of an environment variable which has been set to a value conforming to one of the previous values. For example, \fBENV:X509_PROXY\fP, where environment variable @@ -1134,13 +1134,13 @@ example, \fBENV:X509_PROXY\fP, where environment variable .SS PKINIT krb5.conf options .INDENT 0.0 .TP -.B \fBpkinit_anchors\fP +\fBpkinit_anchors\fP Specifies the location of trusted anchor (root) certificates which the client trusts to sign KDC certificates. This option may be specified multiple times. These values from the config file are not used if the user specifies X509_anchors on the command line. .TP -.B \fBpkinit_cert_match\fP +\fBpkinit_cert_match\fP Specifies matching rules that the client certificate must match before it is used to attempt PKINIT authentication. If a user has multiple certificates available (on a smart card, or via other @@ -1225,7 +1225,7 @@ pkinit_cert_match = <EKU>msScLogin,clientAuth<KU>digitalSignature .UNINDENT .UNINDENT .TP -.B \fBpkinit_eku_checking\fP +\fBpkinit_eku_checking\fP This option specifies what Extended Key Usage value the KDC certificate presented to the client must contain. (Note that if the KDC certificate has the pkinit SubjectAlternativeName encoded @@ -1234,27 +1234,27 @@ issuing CA has certified this as a KDC certificate.) The values recognized in the krb5.conf file are: .INDENT 7.0 .TP -.B \fBkpKDC\fP +\fBkpKDC\fP This is the default value and specifies that the KDC must have the id\-pkinit\-KPKdc EKU as defined in \fI\%RFC 4556\fP\&. .TP -.B \fBkpServerAuth\fP +\fBkpServerAuth\fP If \fBkpServerAuth\fP is specified, a KDC certificate with the id\-kp\-serverAuth EKU will be accepted. This key usage value is used in most commercially issued server certificates. .TP -.B \fBnone\fP +\fBnone\fP If \fBnone\fP is specified, then the KDC certificate will not be checked to verify it has an acceptable EKU. The use of this option is not recommended. .UNINDENT .TP -.B \fBpkinit_dh_min_bits\fP +\fBpkinit_dh_min_bits\fP Specifies the size of the Diffie\-Hellman key the client will attempt to use. The acceptable values are 1024, 2048, and 4096. The default is 2048. .TP -.B \fBpkinit_identities\fP +\fBpkinit_identities\fP Specifies the location(s) to be used to find the user\(aqs X.509 identity information. This option may be specified multiple times. Each value is attempted in order until identity @@ -1262,7 +1262,7 @@ information is found and authentication is attempted. Note that these values are not used if the user specifies \fBX509_user_identity\fP on the command line. .TP -.B \fBpkinit_kdc_hostname\fP +\fBpkinit_kdc_hostname\fP The presense of this option indicates that the client is willing to accept a KDC certificate with a dNSName SAN (Subject Alternative Name) rather than requiring the id\-pkinit\-san as @@ -1270,13 +1270,13 @@ defined in \fI\%RFC 4556\fP\&. This option may be specified multiple times. Its value should contain the acceptable hostname for the KDC (as contained in its certificate). .TP -.B \fBpkinit_pool\fP +\fBpkinit_pool\fP Specifies the location of intermediate certificates which may be used by the client to complete the trust chain between a KDC certificate and a trusted anchor. This option may be specified multiple times. .TP -.B \fBpkinit_require_crl_checking\fP +\fBpkinit_require_crl_checking\fP The default certificate verification process will always check the available revocation information to see if a certificate has been revoked. If a match is found for the certificate in a CRL, @@ -1292,7 +1292,7 @@ fails. \fBpkinit_require_crl_checking\fP should be set to true if the policy is such that up\-to\-date CRLs must be present for every CA. .TP -.B \fBpkinit_revoke\fP +\fBpkinit_revoke\fP Specifies the location of Certificate Revocation List (CRL) information to be used by the client when verifying the validity of the KDC certificate presented. This option may be specified diff --git a/src/man/krb5kdc.man b/src/man/krb5kdc.man index cff7cd2..1f69491 100644 --- a/src/man/krb5kdc.man +++ b/src/man/krb5kdc.man @@ -80,7 +80,7 @@ process. The \fB\-p\fP \fIportnum\fP option specifies the default UDP port numbers which the KDC should listen on for Kerberos version 5 requests, as a comma\-separated list. This value overrides the UDP port numbers -specified in the \fIkdcdefaults\fP section of \fIkdc.conf(5)\fP, but +specified in the kdcdefaults section of kdc.conf(5), but may be overridden by realm\-specific values. If no value is given from any source, the default port is 88. .sp @@ -103,7 +103,7 @@ starts. .UNINDENT .sp The \fB\-x\fP \fIdb_args\fP option specifies database\-specific arguments. -See \fIDatabase Options\fP in \fIkadmin(1)\fP for +See Database Options in kadmin(1) for supported arguments. .sp The \fB\-T\fP \fIoffset\fP option specifies a time offset, in seconds, which @@ -129,10 +129,10 @@ krb5kdc \-p 2001 \-r REALM1 \-p 2002 \-r REALM2 \-r REALM3 .sp specifies that the KDC listen on port 2001 for REALM1 and on port 2002 for REALM2 and REALM3. Additionally, per\-realm parameters may be -specified in the \fIkdc.conf(5)\fP file. The location of this file +specified in the kdc.conf(5) file. The location of this file may be specified by the \fBKRB5_KDC_PROFILE\fP environment variable. Per\-realm parameters specified in this file take precedence over -options specified on the command line. See the \fIkdc.conf(5)\fP +options specified on the command line. See the kdc.conf(5) description for further details. .SH ENVIRONMENT .sp @@ -145,8 +145,8 @@ krb5kdc uses the following environment variables: .UNINDENT .SH SEE ALSO .sp -\fIkdb5_util(8)\fP, \fIkdc.conf(5)\fP, \fIkrb5.conf(5)\fP, -\fIkdb5_ldap_util(8)\fP +kdb5_util(8), kdc.conf(5), krb5.conf(5), +kdb5_ldap_util(8) .SH AUTHOR MIT .SH COPYRIGHT diff --git a/src/man/ksu.man b/src/man/ksu.man index 42d9f9f..05549f4 100644 --- a/src/man/ksu.man +++ b/src/man/ksu.man @@ -99,7 +99,7 @@ option, see the OPTIONS section. Upon successful authentication, ksu checks whether the target principal is authorized to access the target account. In the target user\(aqs home directory, ksu attempts to access two authorization files: -\fI\&.k5login(5)\fP and .k5users. In the .k5login file each line +\&.k5login(5) and .k5users. In the .k5login file each line contains the name of a principal that is authorized to access the account. .sp @@ -182,7 +182,7 @@ source cache. .SH OPTIONS .INDENT 0.0 .TP -.B \fB\-n\fP \fItarget_principal_name\fP +\fB\-n\fP \fItarget_principal_name\fP Specify a Kerberos target principal name. Used in authentication and authorization phases of ksu. .sp @@ -263,33 +263,33 @@ krb5cc_1984.2 .UNINDENT .INDENT 0.0 .TP -.B \fB\-k\fP +\fB\-k\fP Do not delete the target cache upon termination of the target shell or a command (\fB\-e\fP command). Without \fB\-k\fP, ksu deletes the target cache. .TP -.B \fB\-z\fP +\fB\-z\fP Restrict the copy of tickets from the source cache to the target cache to only the tickets where client == the target principal name. Use the \fB\-n\fP option if you want the tickets for other then the default principal. Note that the \fB\-z\fP option is mutually exclusive with the \fB\-Z\fP option. .TP -.B \fB\-Z\fP +\fB\-Z\fP Don\(aqt copy any tickets from the source cache to the target cache. Just create a fresh target cache, where the default principal name of the cache is initialized to the target principal name. Note that the \fB\-Z\fP option is mutually exclusive with the \fB\-z\fP option. .TP -.B \fB\-q\fP +\fB\-q\fP Suppress the printing of status messages. .UNINDENT .sp Ticket granting ticket options: .INDENT 0.0 .TP -.B \fB\-l\fP \fIlifetime\fP \fB\-r\fP \fItime\fP \fB\-pf\fP +\fB\-l\fP \fIlifetime\fP \fB\-r\fP \fItime\fP \fB\-pf\fP The ticket granting ticket options only apply to the case where there are no appropriate tickets in the cache to authenticate the source user. In this case if ksu is configured to prompt users @@ -297,25 +297,25 @@ for a Kerberos password (\fBGET_TGT_VIA_PASSWD\fP is defined), the ticket granting ticket options that are specified will be used when getting a ticket granting ticket from the Kerberos server. .TP -.B \fB\-l\fP \fIlifetime\fP -(\fIduration\fP string.) Specifies the lifetime to be requested +\fB\-l\fP \fIlifetime\fP +(duration string.) Specifies the lifetime to be requested for the ticket; if this option is not specified, the default ticket lifetime (12 hours) is used instead. .TP -.B \fB\-r\fP \fItime\fP -(\fIduration\fP string.) Specifies that the \fBrenewable\fP option +\fB\-r\fP \fItime\fP +(duration string.) Specifies that the \fBrenewable\fP option should be requested for the ticket, and specifies the desired total lifetime of the ticket. .TP -.B \fB\-p\fP +\fB\-p\fP specifies that the \fBproxiable\fP option should be requested for the ticket. .TP -.B \fB\-f\fP +\fB\-f\fP option specifies that the \fBforwardable\fP option should be requested for the ticket. .TP -.B \fB\-e\fP \fIcommand\fP [\fIargs\fP ...] +\fB\-e\fP \fIcommand\fP [\fIargs\fP ...] ksu proceeds exactly the same as if it was invoked without the \fB\-e\fP option, except instead of executing the target shell, ksu executes the specified command. Example of usage: @@ -379,7 +379,7 @@ then command can be either a full or a relative path leading to the target program. Otherwise, the user must specify either a full path or just the program name. .TP -.B \fB\-a\fP \fIargs\fP +\fB\-a\fP \fIargs\fP Specify arguments to be passed to the target shell. Note that all flags and parameters following \-a will be passed to the shell, thus all options intended for ksu must precede \fB\-a\fP\&. @@ -404,7 +404,7 @@ used as follows: ksu can be compiled with the following four flags: .INDENT 0.0 .TP -.B \fBGET_TGT_VIA_PASSWD\fP +\fBGET_TGT_VIA_PASSWD\fP In case no appropriate tickets are found in the source cache, the user will be prompted for a Kerberos password. The password is then used to get a ticket granting ticket from the Kerberos @@ -412,17 +412,17 @@ server. The danger of configuring ksu with this macro is if the source user is logged in remotely and does not have a secure channel, the password may get exposed. .TP -.B \fBPRINC_LOOK_AHEAD\fP +\fBPRINC_LOOK_AHEAD\fP During the resolution of the default principal name, \fBPRINC_LOOK_AHEAD\fP enables ksu to find principal names in the .k5users file as described in the OPTIONS section (see \fB\-n\fP option). .TP -.B \fBCMD_PATH\fP +\fBCMD_PATH\fP Specifies a list of directories containing programs that users are authorized to execute (via .k5users file). .TP -.B \fBHAVE_GETUSERSHELL\fP +\fBHAVE_GETUSERSHELL\fP If the source user is non\-root, ksu insists that the target user\(aqs shell to be invoked is a "legal shell". \fIgetusershell(3)\fP is called to obtain the names of "legal shells". Note that the diff --git a/src/man/kswitch.man b/src/man/kswitch.man index b762789..75fe17d 100644 --- a/src/man/kswitch.man +++ b/src/man/kswitch.man @@ -41,10 +41,10 @@ collection, if a cache collection is available. .SH OPTIONS .INDENT 0.0 .TP -.B \fB\-c\fP \fIcachename\fP +\fB\-c\fP \fIcachename\fP Directly specifies the credential cache to be made primary. .TP -.B \fB\-p\fP \fIprincipal\fP +\fB\-p\fP \fIprincipal\fP Causes the cache collection to be searched for a cache containing credentials for \fIprincipal\fP\&. If one is found, that collection is made primary. @@ -54,7 +54,7 @@ made primary. kswitch uses the following environment variables: .INDENT 0.0 .TP -.B \fBKRB5CCNAME\fP +\fBKRB5CCNAME\fP Location of the default Kerberos 5 credentials (ticket) cache, in the form \fItype\fP:\fIresidual\fP\&. If no \fItype\fP prefix is present, the \fBFILE\fP type is assumed. The type of the default cache may @@ -70,7 +70,7 @@ Default location of Kerberos 5 credentials cache .UNINDENT .SH SEE ALSO .sp -\fIkinit(1)\fP, \fIkdestroy(1)\fP, \fIklist(1)\fP), kerberos(1) +kinit(1), kdestroy(1), klist(1)), kerberos(1) .SH AUTHOR MIT .SH COPYRIGHT diff --git a/src/man/ktutil.man b/src/man/ktutil.man index 97ff6a5..d0a040b 100644 --- a/src/man/ktutil.man +++ b/src/man/ktutil.man @@ -164,7 +164,7 @@ ktutil: .UNINDENT .SH SEE ALSO .sp -\fIkadmin(1)\fP, \fIkdb5_util(8)\fP +kadmin(1), kdb5_util(8) .SH AUTHOR MIT .SH COPYRIGHT diff --git a/src/man/kvno.man b/src/man/kvno.man index 7bbc10f..57be7da 100644 --- a/src/man/kvno.man +++ b/src/man/kvno.man @@ -48,37 +48,37 @@ and prints out the key version numbers of each. .SH OPTIONS .INDENT 0.0 .TP -.B \fB\-c\fP \fIccache\fP +\fB\-c\fP \fIccache\fP Specifies the name of a credentials cache to use (if not the default) .TP -.B \fB\-e\fP \fIetype\fP +\fB\-e\fP \fIetype\fP Specifies the enctype which will be requested for the session key of all the services named on the command line. This is useful in certain backward compatibility situations. .TP -.B \fB\-q\fP +\fB\-q\fP Suppress printing output when successful. If a service ticket cannot be obtained, an error message will still be printed and kvno will exit with nonzero status. .TP -.B \fB\-h\fP +\fB\-h\fP Prints a usage statement and exits. .TP -.B \fB\-P\fP +\fB\-P\fP Specifies that the \fIservice1 service2\fP ... arguments are to be treated as services for which credentials should be acquired using constrained delegation. This option is only valid when used in conjunction with protocol transition. .TP -.B \fB\-S\fP \fIsname\fP +\fB\-S\fP \fIsname\fP Specifies that the \fIservice1 service2\fP ... arguments are interpreted as hostnames, and the service principals are to be constructed from those hostnames and the service name \fIsname\fP\&. The service hostnames will be canonicalized according to the usual rules for constructing service principals. .TP -.B \fB\-U\fP \fIfor_user\fP +\fB\-U\fP \fIfor_user\fP Specifies that protocol transition (S4U2Self) is to be used to acquire a ticket on behalf of \fIfor_user\fP\&. If constrained delegation is not requested, the service name must match the @@ -89,7 +89,7 @@ credentials cache client principal. kvno uses the following environment variable: .INDENT 0.0 .TP -.B \fBKRB5CCNAME\fP +\fBKRB5CCNAME\fP Location of the credentials (ticket) cache. .UNINDENT .SH FILES @@ -100,7 +100,7 @@ Default location of the credentials cache .UNINDENT .SH SEE ALSO .sp -\fIkinit(1)\fP, \fIkdestroy(1)\fP +kinit(1), kdestroy(1) .SH AUTHOR MIT .SH COPYRIGHT diff --git a/src/man/sclient.man b/src/man/sclient.man index a5c7066..2f4fb6e 100644 --- a/src/man/sclient.man +++ b/src/man/sclient.man @@ -36,12 +36,12 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] .SH DESCRIPTION .sp sclient is a sample application, primarily useful for testing -purposes. It contacts a sample server \fIsserver(8)\fP and +purposes. It contacts a sample server sserver(8) and authenticates to it using Kerberos version 5 tickets, then displays the server\(aqs response. .SH SEE ALSO .sp -\fIkinit(1)\fP, \fIsserver(8)\fP +kinit(1), sserver(8) .SH AUTHOR MIT .SH COPYRIGHT diff --git a/src/man/sserver.man b/src/man/sserver.man index 350550f..f6f4562 100644 --- a/src/man/sserver.man +++ b/src/man/sserver.man @@ -38,7 +38,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] [ \fIserver_port\fP ] .SH DESCRIPTION .sp -sserver and \fIsclient(1)\fP are a simple demonstration client/server +sserver and sclient(1) are a simple demonstration client/server application. When sclient connects to sserver, it performs a Kerberos authentication, and then sserver returns to sclient the Kerberos principal which was used for the Kerberos authentication. It makes a @@ -47,7 +47,7 @@ good test that Kerberos has been successfully installed on a machine. The service name used by sserver and sclient is sample. Hence, sserver will require that there be a keytab entry for the service \fBsample/hostname.domain.name@REALM.NAME\fP\&. This keytab is generated -using the \fIkadmin(1)\fP program. The keytab file is usually +using the kadmin(1) program. The keytab file is usually installed as \fB@KTNAME@\fP\&. .sp The \fB\-S\fP option allows for a different keytab than the default. @@ -80,8 +80,8 @@ sample 13135/tcp .UNINDENT .sp When using sclient, you will first have to have an entry in the -Kerberos database, by using \fIkadmin(1)\fP, and then you have to get -Kerberos tickets, by using \fIkinit(1)\fP\&. Also, if you are running +Kerberos database, by using kadmin(1), and then you have to get +Kerberos tickets, by using kinit(1)\&. Also, if you are running the sclient program on a different host than the sserver it will be connecting to, be sure that both hosts have an entry in /etc/services for the sample tcp port, and that the same port number is in both @@ -164,7 +164,7 @@ sclient: Server not found in Kerberos database while using .sp This means that the \fBsample/hostname@LOCAL.REALM\fP service was not defined in the Kerberos database; it should be created using -\fIkadmin(1)\fP, and a keytab file needs to be generated to make +kadmin(1), and a keytab file needs to be generated to make the key for that service principal available for sclient. .IP 5. 3 sclient returns the error: @@ -185,7 +185,7 @@ probably not installed in the proper directory. .UNINDENT .SH SEE ALSO .sp -\fIsclient(1)\fP, services(5), inetd(8) +sclient(1), services(5), inetd(8) .SH AUTHOR MIT .SH COPYRIGHT |