From: Zhanna Tsitkov Date: Tue, 16 Aug 2011 14:31:06 +0000 (+0000) Subject: Generate man pages for krb5.conf and kdc.conf. For clearer reference in the man pages... X-Git-Tag: krb5-1.10-alpha1~273 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=535bf02e8e9ce7ed67450a528ee6b2a80d395787;p=krb5.git Generate man pages for krb5.conf and kdc.conf. For clearer reference in the man pages, rename the x-ref label name in Supported Enc Types git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25102 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/doc/rst_source/conf.py b/doc/rst_source/conf.py index 8ab7a2c0f..6ea2c6d33 100644 --- a/doc/rst_source/conf.py +++ b/doc/rst_source/conf.py @@ -235,5 +235,7 @@ man_pages = [ ('krb_admins/admin_commands/ktutil', 'ktutil', u'Kerberos keytab file maintenance utility', [u'MIT'], 1), ('krb_admins/admin_commands/k5srvutil', 'k5srvutil', u'host key table (keytab) manipulation utility', [u'MIT'], 1), ('krb_admins/admin_commands/kadmind', 'kadmind', u'KADM5 administration server', [u'MIT'], 8), - ('krb_admins/admin_commands/kdb5_ldap_util', 'kdb5_ldap_util', u'kdb5_ldap_util - Kerberos configuration utility', [u'MIT'], 8), + ('krb_admins/admin_commands/kdb5_ldap_util', 'kdb5_ldap_util', u'Kerberos configuration utility', [u'MIT'], 8), + ('krb_admins/conf_files/krb5_conf', 'krb5.conf', u'Kerberos configuration file', [u'MIT'], 5), + ('krb_admins/conf_files/kdc_conf', 'kdc.conf', u'Kerberos V5 KDC configuration file', [u'MIT'], 5), ] diff --git a/doc/rst_source/krb_admins/appl_servers/keytabs.rst b/doc/rst_source/krb_admins/appl_servers/keytabs.rst index d7188b55c..5ea25e7da 100644 --- a/doc/rst_source/krb_admins/appl_servers/keytabs.rst +++ b/doc/rst_source/krb_admins/appl_servers/keytabs.rst 
@@ -18,7 +18,7 @@ The *ktadd* command takes the following switches ============================================= ================================================================= -k[eytab] *keytab* Use keytab as the keytab file. Otherwise, *ktadd* will use the default keytab file (*/etc/krb5.keytab*). --e *"enc:salt..."* Uses the specified list of enctype-salttype pairs for setting the key of the principal. The quotes are necessary if there are multiple enctype-salttype pairs. This will not function against kadmin daemons earlier than krb5-1.2. See :ref:`senct_label` and :ref:`salts_label` for all possible values. +-e *"enc:salt..."* Uses the specified list of enctype-salttype pairs for setting the key of the principal. The quotes are necessary if there are multiple enctype-salttype pairs. This will not function against kadmin daemons earlier than krb5-1.2. See :ref:`Supported_Encryption_Types_and_Salts` for all possible values. -q Run in quiet mode. This causes *ktadd* to display less verbose information. principal | -glob *principal expression* Add principal, or all principals matching principal expression to the keytab. The rules for principal expression are the same as for the kadmin list_principals (see :ref:`get_list_princs`) command. ============================================= ================================================================= diff --git a/doc/rst_source/krb_admins/conf_files/enc_types.rst b/doc/rst_source/krb_admins/conf_files/enc_types.rst index b3e5aa6f1..3e29a5844 100644 --- a/doc/rst_source/krb_admins/conf_files/enc_types.rst +++ b/doc/rst_source/krb_admins/conf_files/enc_types.rst 
@@ -1,8 +1,10 @@ -.. _senct_label: +.. _Supported_Encryption_Types_and_Salts: -Supported Encryption Types -=============================== +Supported encryption types and salts +====================================== +Supported encryption types +------------------------------------- Any tag in the configuration files which requires a list of encryption types can be set to some combination of the following strings. Encryption types marked as "weak" are available for compatibility but not recommended for use. @@ -32,6 +34,21 @@ By default, AES is enabled in 1.9 release. Sites wishing to use AES encryption t If all GSSAPI-based services have been updated before or with the KDC, this is not an issue. +Salts +------------- + +Your Kerberos key is derived from your password. To ensure that people who happen to pick the same password do not have the same key, Kerberos 5 incorporates more information into the key using something called a salt. The supported values for salts are as follows. + +================= ============================================ +normal default for Kerberos Version 5 +v4 the only type used by Kerberos Version 4, no salt +norealm same as the default, without using realm information +onlyrealm uses only realm information as the salt +afs3 AFS version 3, only used for compatibility with Kerberos 4 in AFS +special only used in very special cases; not fully supported +================= ============================================ + + -------------- Feedback: diff --git a/doc/rst_source/krb_admins/conf_files/index.rst b/doc/rst_source/krb_admins/conf_files/index.rst index a8f67565d..029b782e5 100644 --- a/doc/rst_source/krb_admins/conf_files/index.rst +++ b/doc/rst_source/krb_admins/conf_files/index.rst @@ -8,7 +8,6 @@ Configuration Files :maxdepth: 2 enc_types.rst - salts.rst krb5_conf.rst kdc_conf.rst diff --git a/doc/rst_source/krb_admins/conf_files/kdc_conf.rst b/doc/rst_source/krb_admins/conf_files/kdc_conf.rst index 410c7e5a6..8949937bd 100644 
--- a/doc/rst_source/krb_admins/conf_files/kdc_conf.rst +++ b/doc/rst_source/krb_admins/conf_files/kdc_conf.rst @@ -121,7 +121,7 @@ For each realm, the following tags may be specified in the [realms] subsection: **master_key_name** (String.) Specifies the name of the principal associated with the master key. The default is K/M. **master_key_type** - (Key type string.) Specifies the master key's key type. The default value for this is des3-cbc-sha1. For a list of all possible values, see:ref:`senct_label`. + (Key type string.) Specifies the master key's key type. The default value for this is des3-cbc-sha1. For a list of all possible values, see :ref:`Supported_Encryption_Types_and_Salts`. **max_life** (Delta time string.) Specifes the maximum time period for which a ticket may be valid in this realm. The default value is 24 hours. **max_renewable_life** 
@@ -144,7 +144,7 @@ For each realm, the following tags may be specified in the [realms] subsection: A boolean value (true, false). If set to true, the KDC will reject ticket requests from anonymous principals to service principals other than the realm's ticket-granting service. This option allows anonymous PKINIT to be enabled for use as FAST armor tickets without allowing anonymous authentication to services. By default, the value of restrict_anonymous_to_tgt as specified in the [kdcdefaults] section is used. **supported_enctypes** - List of key:salt strings. Specifies the default key/salt combinations of principals for this realm. Any principals created through kadmin will have keys of these types. The default value for this tag is aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal arcfour-hmac-md5:normal. For lists of possible values, see :ref:`senct_label` and :ref:`salts_label` + List of key:salt strings. Specifies the default key/salt combinations of principals for this realm. Any principals created through kadmin will have keys of these types. The default value for this tag is aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal arcfour-hmac-md5:normal. For lists of possible values, see :ref:`Supported_Encryption_Types_and_Salts` diff --git a/doc/rst_source/krb_admins/conf_files/krb5_conf.rst b/doc/rst_source/krb_admins/conf_files/krb5_conf.rst index dd96f023e..5351ae1a6 100644 --- a/doc/rst_source/krb_admins/conf_files/krb5_conf.rst +++ b/doc/rst_source/krb_admins/conf_files/krb5_conf.rst 
@@ -69,7 +69,7 @@ Sections The libdefaults section may contain any of the following relations: **allow_weak_crypto** - If this is set to 0 (for false), then weak encryption types will be filtered out of the previous three lists (as noted in :ref:`senct_label`). The default value for this tag is false, which may cause authentication failures in existing Kerberos infrastructures that do not support strong crypto. Users in affected environments should set this tag to true until their infrastructure adopts stronger ciphers. + If this is set to 0 (for false), then weak encryption types will be filtered out of the previous three lists (as noted in :ref:`Supported_Encryption_Types_and_Salts`). The default value for this tag is false, which may cause authentication failures in existing Kerberos infrastructures that do not support strong crypto. Users in affected environments should set this tag to true until their infrastructure adopts stronger ciphers. **ap_req_checksum_type** An integer which specifies the type of AP-REQ checksum to use in authenticators. 
@@ -96,7 +96,7 @@ The libdefaults section may contain any of the following relations: Identifies the default Kerberos realm for the client. Set its value to your Kerberos realm. If this is not specified and the TXT record lookup is enabled (see :ref:`udns_label`), then that information will be used to determine the default realm. If this tag is not set in this configuration file and there is no DNS information found, then an error will be returned. **default_tgs_enctypes** - Identifies the supported list of session key encryption types that should be returned by the KDC. The list may be delimited with commas or whitespace. Kerberos supports many different encryption types, and support for more is planned in the future. (see :ref:`senct_label` for a list of the accepted values for this tag). The default value is *aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4*. + Identifies the supported list of session key encryption types that should be returned by the KDC. The list may be delimited with commas or whitespace. Kerberos supports many different encryption types, and support for more is planned in the future. (see :ref:`Supported_Encryption_Types_and_Salts` for a list of the accepted values for this tag). The default value is *aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4*. **default_tkt_enctypes** Identifies the supported list of session key encryption types that should be requested by the client. The format is the same as for default_tgs_enctypes. The default value for this tag is *aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4*. diff --git a/doc/rst_source/krb_admins/database/db_princs/modify_princ.rst b/doc/rst_source/krb_admins/database/db_princs/modify_princ.rst index fa0371cb5..abf33ec22 100644 
--- a/doc/rst_source/krb_admins/database/db_princs/modify_princ.rst +++ b/doc/rst_source/krb_admins/database/db_princs/modify_princ.rst @@ -114,7 +114,7 @@ Sets the key for the principal to a random value (*add_principal* only). MIT rec Sets the key of the principal to the specified string and does not prompt for a password (*add_principal* only). MIT does not recommend using this option. *-e enc:salt...* -Uses the specified list of enctype-salttype pairs for setting the key of the principal. The quotes are necessary if there are multiple enctype-salttype pairs. This will not function against kadmin daemons earlier than krb5-1.2. See :ref:`senct_label` and :ref:`salts_label` for available types. +Uses the specified list of enctype-salttype pairs for setting the key of the principal. The quotes are necessary if there are multiple enctype-salttype pairs. This will not function against kadmin daemons earlier than krb5-1.2. See :ref:`Supported_Encryption_Types_and_Salts` for available types. If you want to just use the default values, all you need to do is:: diff --git a/doc/rst_source/krb_admins/database/db_princs/pass_princ.rst b/doc/rst_source/krb_admins/database/db_princs/pass_princ.rst index 1c76860d0..024740527 100644 --- a/doc/rst_source/krb_admins/database/db_princs/pass_princ.rst +++ b/doc/rst_source/krb_admins/database/db_princs/pass_princ.rst 
@@ -10,7 +10,7 @@ The *change_password* option has the alias cpw. *change_password* takes the foll ========================= ============================================================ -randkey Sets the key of the principal to a random value. -pw *password* Sets the password to the string password. MIT does not recommend using this option. - -e *enc:salt...* Uses the specified list of enctype-salttype pairs for setting the key of the principal. The quotes are necessary if there are multiple enctype-salttype pairs. This will not function against kadmin daemons earlier than krb5-1.2. See :ref:`senct_label` and :ref:`salts_label` for possible values. + -e *enc:salt...* Uses the specified list of enctype-salttype pairs for setting the key of the principal. The quotes are necessary if there are multiple enctype-salttype pairs. This will not function against kadmin daemons earlier than krb5-1.2. See :ref:`Supported_Encryption_Types_and_Salts` for possible values. -keepold Keeps the previous kvno's keys around. This flag is usually not necessary except perhaps for TGS keys. Don't use this flag unless you know what you're doing. This option is not supported for the LDAP database ========================= ============================================================
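Review bot: in the index.rst hunk, `salts.rst` is dropped from the toctree but this patch contains no deletion of `doc/rst_source/krb_admins/conf_files/salts.rst`, so the file would remain as an orphan document (Sphinx warns about documents not in any toctree) and the old `salts_label` target it defines would still exist next to the new Salts section in enc_types.rst. Either remove the file in the same commit or say why it is kept, and grep the tree for any remaining `:ref:\`salts_label\`` and `:ref:\`senct_label\`` uses not covered by this diff, since each one left behind becomes an undefined-label build error.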
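Review bot: in the enc_types.rst hunk, the new label `Supported_Encryption_Types_and_Salts` breaks with the lowercase, suffix-style convention the other labels in this diff follow (`udns_label`, `get_list_princs`, the old `senct_label`), which makes it stand out in every `:ref:` that now carries it; a name such as `supported_enctypes_and_salts_label` would read consistently and keep the new Salts subsection reachable through the same target. The section underlines themselves are fine (each is at least as long as its title), and the unbounded right column in the salts table is valid for a simple table.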
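Review bot: in the first kdc_conf.rst hunk, the change correctly restores the missing space in `see:ref:` on the **master_key_type** line, but the context line two below it still reads "Specifes the maximum time period"; since this paragraph is being touched, fixing "Specifies" here would save a follow-up commit. In the second kdc_conf.rst hunk, the rewritten **supported_enctypes** line still ends without a full stop after `:ref:\`Supported_Encryption_Types_and_Salts\``; the parallel entries in modify_princ.rst and pass_princ.rst end their sentences, so this one should too.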
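Review bot: in the conf.py hunk, the two new man_pages descriptions are not parallel: `krb5.conf` gets `u'Kerberos configuration file'` while `kdc.conf` gets `u'Kerberos V5 KDC configuration file'`, so the generated NAME lines will differ in style; naming them the same way (for example `u'Kerberos V5 configuration file'` and `u'Kerberos V5 KDC configuration file'`) would read better in `apropos`/`whatis` output. Section 5 for both and the trimmed `kdb5_ldap_util` description (the name was duplicated in the old string) look right.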