From: Sam Hartman Date: Mon, 4 Jan 2010 19:59:25 +0000 (+0000) Subject: Anonymous documentation X-Git-Tag: krb5-1.8-alpha1~7 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=5cc1fcb345d57e7ac9203ab1d92a0a509de9193f;p=krb5.git Anonymous documentation git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23583 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/src/clients/kinit/kinit.M b/src/clients/kinit/kinit.M index f50ca3ac3..1d434c0fb 100644 --- a/src/clients/kinit/kinit.M +++ b/src/clients/kinit/kinit.M @@ -39,6 +39,7 @@ kinit \- obtain and cache Kerberos ticket-granting ticket [\fB\-E\fP] [\fB\-v\fP] [\fB\-R\fP] [\fB\-k\fP [\fB\-t\fP \fIkeytab_file\fP]] [\fB\-c\fP \fIcache_name\fP] +[\fB\-n\fP] [\fB\-S\fP \fIservice_name\fP][\fB\-T\fP \fIarmor_ccache\fP] [\fB\-X\fP \fIattribute\fP[=\fIvalue\fP]] [\fIprincipal\fP] @@ -138,6 +139,26 @@ the .I keytab_file option; otherwise the default name and location will be used. .TP +\fB-n\fP +Requests anonymous processing. Two types of anonymous principals are +supported. For fully anonymous Kerberos, configure pkinit on the KDC +and configure +.I pkinit_anchors +in the client's krb5.conf. Then use the +.B -n +option with a principal of the form +.I @REALM +(an empty principal name followed by the at-sign and a realm name). +If permitted by the KDC, an anonymous ticket will be returned. +A second form of anonymous tickets is supported; these realm-exposed +tickets hide the identity of the client but not the client's realm. +For this mode, use +.B kinit -n +with a normal principal name. If supported by the KDC, the principal +(but not realm) will be replaced by the anonymous principal. +As of release 1.8, the MIT Kerberos KDC only supports fully anonymous +operation. +.TP \fB\-T\fP \fIarmor_ccache\fP Specifies the name of a credential cache that already contains a ticket. If supported by the KDC, This ccache will be used to armor diff --git a/src/kadmin/cli/kadmin.M b/src/kadmin/cli/kadmin.M index f7109ceb9..d6f2df522 100644 
--- a/src/kadmin/cli/kadmin.M +++ b/src/kadmin/cli/kadmin.M @@ -9,7 +9,7 @@ kadmin \- Kerberos V5 database administration program [\fB\-r\fP \fIrealm\fP] [\fB\-p\fP \fIprincipal\fP] [\fB\-q\fP \fIquery\fP] .br [[\fB-c\fP \fIcache_name\fP] | [\fB-k\fP [\fB-t\fP -\fIkeytab\fP]]] [\fB\-w\fP \fIpassword\fP] [\fB\-s\fP +\fIkeytab\fP]] | \fB-n\fP] [\fB\-w\fP \fIpassword\fP] [\fB\-s\fP \fIadmin_server\fP[\fI:port\fP] .TP "\w'.B kadmin.local\ 'u" .B kadmin.local @@ -114,6 +114,25 @@ Use to decrypt the KDC response. This can only be used with the .B \-k option. +\fB-n\fP +Requests anonymous processing. Two types of anonymous principals are +supported. For fully anonymous Kerberos, configure pkinit on the KDC +and configure +.I pkinit_anchors +in the client's krb5.conf. Then use the +.B -n +option with a principal of the form +.I @REALM +(an empty principal name followed by the at-sign and a realm name). +If permitted by the KDC, an anonymous ticket will be returned. +A second form of anonymous tickets is supported; these realm-exposed +tickets hide the identity of the client but not the client's realm. +For this mode, use +.B kinit -n +with a normal principal name. If supported by the KDC, the principal +(but not realm) will be replaced by the anonymous principal. +As of release 1.8, the MIT Kerberos KDC only supports fully anonymous +operation. .TP \fB\-c\fP \fIcredentials_cache\fP Use
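Review bot: In the kinit.M hunk at @@ -138,6 +139,26 @@, the new tag `\fB-n\fP` and the references `.B -n` and `.B kinit -n` use an unescaped hyphen, while the synopsis line added in the first hunk (`[\fB\-n\fP]`) and the neighbouring `\fB\-T\fP` entry escape it as `\-`. Write the tag as `\fB\-n\fP` and the references as `.B \-n` so the option renders the same way in the synopsis and in the option list. The paragraph would also read more clearly if the closing sentence about release 1.8 supporting only fully anonymous operation came directly after the realm-exposed mode is introduced, since that mode is described before the reader learns the KDC does not offer it.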
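Review bot: In the kadmin.M hunk at @@ -114,6 +114,25 @@, the new `\fB-n\fP` line is added directly after the "option." line that closes the preceding entry, with no `.TP` before it, so the \-n text is set as a continuation of that entry's body instead of as its own tagged item. Add a `.TP` line ahead of `\fB-n\fP`, matching the kinit.M hunk, where the tag follows an existing `.TP`. The paragraph is otherwise a verbatim copy of the kinit.M text, including `.B kinit -n` for the realm-exposed mode; in this page that should name the kadmin option or say explicitly that the step is done with kinit. The unescaped hyphens (`\fB-n\fP`, `.B -n`) also differ from the `\-` form used by the surrounding `\fB\-c\fP` entry.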