# One entry per manual page. List of tuples
# (source start file, name, description, authors, manual section).
man_pages = [
- ('krb_users/user_commands/kinit', 'kinit', u'obtain and cache Kerberos ticket-granting ticket', [u'MIT'], 1)
+ ('krb_users/user_commands/kinit', 'kinit', u'obtain and cache Kerberos ticket-granting ticket', [u'MIT'], 1),
+ ('krb_users/user_commands/klist', 'klist', u'list cached Kerberos tickets', [u'MIT'], 1),
+ ('krb_users/user_commands/kdestroy', 'kdestroy', u'destroy Kerberos tickets', [u'MIT'], 1),
+ ('krb_users/user_commands/kpasswd', 'kpasswd', u'change a user\'s Kerberos password', [u'MIT'], 1),
]
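Review bot: The new kpasswd entry escapes the apostrophe inside a single-quoted literal (u'change a user\'s Kerberos password'); switching that one string to double quotes, u"change a user's Kerberos password", reads more cleanly and avoids the backslash. Each description here also repeats the title line of the matching .rst file added later in this patch, so a comment saying the two must be kept in sync would help whoever edits either one.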
--- /dev/null
+kdestroy - destroy Kerberos tickets
+=======================================
+
+SYNOPSIS
+~~~~~~~~~~~~~
+
+*kdestroy*
+ [**-q**]
+ [**-c** *cache_name*]
+
+
+DESCRIPTION
+~~~~~~~~~~~~~
+
+The *kdestroy* utility destroys the user's active Kerberos
+authorization tickets by writing zeros to the specified
+credentials cache that contains them. If the credentials
+cache is not specified, the default credentials cache is destroyed.
+
+
+OPTIONS
+~~~~~~~~~~~~~
+
+ **-q**
+ Run quietly. Normally *kdestroy* beeps if it fails to destroy the user's tickets. The *-q* flag suppresses this behavior.
+
+ **-c** *cache_name*
+ Use *cache_name* as the credentials (ticket) cache name and location;
+ if this option is not used, the default cache name and location are used.
+
+ The default credentials cache may vary between systems.
+ If the **KRB5CCNAME** environment variable is set, its
+ value is used to name the default ticket cache.
+
+
+NOTE
+~~~~~
+
+Most installations recommend that you place the *kdestroy* command in your *.logout* file,
+so that your tickets are destroyed automatically when you log out.
+
+
+ENVIRONMENT
+~~~~~~~~~~~~~
+
+*kdestroy* uses the following environment variables:
+
+ **KRB5CCNAME** - Location of the Kerberos 5 credentials (ticket) cache.
+
+
+FILES
+~~~~~~~~~~~~~
+
+/tmp/krb5cc_[uid] - Default location of Kerberos 5 credentials cache ([*uid*] is the decimal UID of the user).
+
+
+SEE ALSO
+~~~~~~~~~
+
+kinit(1), klist(1), krb5(3)
+
+
+BUGS
+~~~~~
+
+Only the tickets in the specified credentials cache are destroyed.
+Separate ticket caches are used to hold root instance and password changing tickets.
+These should probably be destroyed too, or all of a user's tickets kept in a single credentials cache.
+
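Review bot: The BUGS section says tickets in separate caches "should probably be destroyed too", while the NOTE section tells users to rely on kdestroy in .logout to clean up at logout, so a reader cannot tell which credentials are still on disk after logging out. Either state plainly that only the cache named by **-c** or **KRB5CCNAME** is destroyed and that any other cache needs its own kdestroy -c call, or drop the speculative sentence. Two smaller points: DESCRIPTION calls them "authorization tickets", but Kerberos tickets are authentication credentials, and the **-q** text refers to the flag as *-q* where the option list uses **-q**.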
--- /dev/null
+klist - list cached Kerberos tickets
+======================================
+
+
+SYNOPSIS
+~~~~~~~~
+
+*klist*
+ [**-e**]
+ [[**-c**] [**-f**] [**-s**] [**-a** [**-n**]]]
+ [**-k** [**-t**] [**-K**]]
+ [*cache_name* | *keytab_name*]
+
+
+DESCRIPTION
+~~~~~~~~~~~~
+
+*klist* lists the Kerberos principal and Kerberos tickets held in a credentials cache, or the keys held in a *keytab* file.
+
+
+OPTIONS
+~~~~~~~~
+
+ **-e**
+ Displays the encryption types of the session key and the ticket for each credential in the credential cache,
+ or each key in the keytab file.
+
+ **-c**
+ List tickets held in a credentials cache. This is the default if neither *-c* nor *-k* is specified.
+
+ **-f**
+ Shows the flags present in the credentials, using the following abbreviations::
+
+ F Forwardable
+ f forwarded
+ P Proxiable
+ p proxy
+ D postDateable
+ d postdated
+ R Renewable
+ I Initial
+ i invalid
+ H Hardware authenticated
+ A preAuthenticated
+ T Transit policy checked
+ O Okay as delegate
+ a anonymous
+
+ **-s**
+ Causes *klist* to run silently (produce no output), but to still set the exit status according to whether it
+ finds the credentials cache. The exit status is '0' if *klist* finds a credentials cache, and '1' if it does not
+ or if the tickets are expired.
+
+ **-a**
+ Display list of addresses in credentials.
+
+ **-n**
+ Show numeric addresses instead of reverse-resolving addresses.
+
+ **-k**
+ List keys held in a keytab file.
+
+ **-t**
+ Display the time entry timestamps for each keytab entry in the keytab file.
+
+ **-K**
+ Display the value of the encryption key in each *keytab* entry in the *keytab* file.
+
+ If **cache_name** or **keytab_name** is not specified, *klist* will display the credentials in the default credentials cache or
+ *keytab* file as appropriate. If the *KRB5CCNAME* environment variable is set, its value is used to name the default ticket cache.
+
+
+ENVIRONMENT
+~~~~~~~~~~~~~
+
+*klist* uses the following environment variables:
+
+ **KRB5CCNAME** - Location of the Kerberos 5 credentials (ticket) cache.
+
+
+FILES
+~~~~~~~~~
+
+/tmp/krb5cc_[uid] - Default location of Kerberos 5 credentials cache ([uid] is the decimal UID of the user).
+
+/etc/krb5.keytab - Default location for the local host's keytab file.
+
+
+SEE ALSO
+~~~~~~~~~
+
+kinit(1), kdestroy(1), krb5(3)
+
+
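Review bot: The **-K** entry at the end of OPTIONS documents printing "the value of the encryption key" for each keytab entry without saying that this output is secret key material; add a sentence telling the reader to treat it with the same care as the keytab file itself (for example, not pasting it into tickets or shared logs). The **-s** entry also contradicts itself: it says the exit status depends on whether the cache is found, then adds that status 1 is also returned "if the tickets are expired", so the first sentence should mention both conditions. Markup is inconsistent as well: the closing paragraph uses **cache_name** and *KRB5CCNAME*, while SYNOPSIS and ENVIRONMENT use *cache_name* and **KRB5CCNAME**.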
--- /dev/null
+kpasswd - change a user's Kerberos password
+===============================================
+
+
+SYNOPSIS
+~~~~~~~~~~~~~
+
+*kpasswd* [ *principal* ]
+
+
+DESCRIPTION
+~~~~~~~~~~~~~
+
+The *kpasswd* command is used to change a Kerberos principal's password.
+*kpasswd* prompts for the current Kerberos password, which is used to obtain a
+*changepw* ticket from the KDC for the user's Kerberos realm.
+If *kpasswd* successfully obtains the *changepw* ticket, the user is prompted twice for
+the new password, and the password is changed.
+
+If the principal is governed by a policy that specifies the length and/or number of
+character classes required in the new password, the new password must conform to the policy.
+(The five character classes are lower case, upper case, numbers, punctuation, and all other characters.)
+
+
+OPTIONS
+~~~~~~~~~~~~~
+
+*principal*
+ Change the password for the Kerberos principal principal.
+ Otherwise, *kpasswd* uses the principal name from an existing ccache if there is one;
+ if not, the principal is derived from the identity of the user invoking the *kpasswd* command.
+
+
+PORTS
+~~~~~~~~~~~~~
+
+*kpasswd* looks first for::
+
+ kpasswd_server = host:port
+
+in the [*realms*] section of the *krb5.conf* file under the current realm.
+If that is missing, *kpasswd* looks for the *admin_server* entry, but substitutes 464 for the port.
+
+
+SEE ALSO
+~~~~~~~~~~~~~
+
+kadmin(8), kadmind(8)
+
+
+BUGS
+~~~~~
+
+*kpasswd* may not work with multi-homed hosts running on the Solaris platform.
+
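Review bot: In OPTIONS, "Change the password for the Kerberos principal principal." reads as a doubled word because the argument name has lost its markup, and the following "Otherwise" has nothing to refer back to. Suggest "If *principal* is given, change the password for that Kerberos principal. Otherwise, ..." so the fallback order (argument, then existing ccache, then invoking user) is unambiguous. PORTS refers to *krb5.conf*, but SEE ALSO lists only kadmin(8) and kadmind(8); a cross-reference to the krb5.conf page would help readers find the kpasswd_server setting.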