From: Greg Hudson Date: Fri, 23 Mar 2012 16:27:05 +0000 (+0000) Subject: Install path-substituted man pages X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=f309175aeb7cee90bc1537ccc871e5b2221dac87;p=krb5.git Install path-substituted man pages Introduce src/doc/Makefile.in, which will eventually subsume doc/Makefile (but will still pull sources from doc). In the rstman target there, create man pages with symbolic path references (like @SBINDIR@). In man/Makefile.in, substitute the path references with the configured paths before installing. Man pages generated from RST source are now checked into the source tree under the name filename.man. This lets us use a single implicit .man.sub rule for the path substitutions. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25786 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/doc/rst_source/conf.py b/doc/rst_source/conf.py index 7afbddb36..5a2e624aa 100644 --- a/doc/rst_source/conf.py +++ b/doc/rst_source/conf.py @@ -212,11 +212,23 @@ latex_documents = [ # If false, no module index is generated. #latex_domain_indices = True -rst_epilog=''' -.. |bindir| replace:: ``/usr/local/bin`` -.. |sbindir| replace:: ``/usr/local/sbin`` -.. |libdir| replace:: ``/usr/local/lib`` -.. |kdcdir| replace:: ``/usr/local/var/krb5kdc`` +if 'mansubs' in tags: + bindir = '@BINDIR@' + sbindir = '@SBINDIR@' + libdir = '@LIBDIR@' + localstatedir = '@LOCALSTATEDIR@' +else: + bindir = '/usr/local/bin' + sbindir = '/usr/local/sbin' + libdir = '/usr/local/lib' + localstatedir = '/usr/local/var' + +rst_epilog = '\n' +rst_epilog += '.. |bindir| replace:: ``%s``\n' % bindir +rst_epilog += '.. |sbindir| replace:: ``%s``\n' % sbindir +rst_epilog += '.. |libdir| replace:: ``%s``\n' % libdir +rst_epilog += '.. |kdcdir| replace:: ``%s/krb5kdc``\n' % localstatedir +rst_epilog += ''' .. |keytab| replace:: ``/etc/krb5.keytab`` .. |krb5conf| replace:: ``/etc/krb5.conf`` .. |defkeysalts| replace:: ``aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal arcfour-hmac-md5:normal`` diff --git a/src/Makefile.in b/src/Makefile.in index ebf95c1e0..91b86212e 100644 --- a/src/Makefile.in +++ b/src/Makefile.in @@ -14,7 +14,7 @@ SUBDIRS=util include lib \ @ldap_plugin_dir@ \ plugins/preauth/pkinit \ kdc kadmin slave clients appl tests \ - config-files gen-manpages man @po@ + config-files gen-manpages man doc @po@ WINSUBDIRS=include util lib ccapi windows clients appl BUILDTOP=$(REL). LOCALINCLUDES = -I$(srcdir) diff --git a/src/configure.in b/src/configure.in index 0a7ec6b18..b1661f08b 100644 --- a/src/configure.in +++ b/src/configure.in @@ -1284,7 +1284,7 @@ dnl lib/krb5/ccache/ccapi dnl ccapi ccapi/lib ccapi/lib/unix ccapi/server ccapi/server/unix ccapi/test - kdc slave config-files gen-manpages man include + kdc slave config-files gen-manpages man doc include plugins/locate/python plugins/kadm5_hook/test diff --git a/src/doc/Makefile.in b/src/doc/Makefile.in new file mode 100644 index 000000000..6222e2197 --- /dev/null +++ b/src/doc/Makefile.in @@ -0,0 +1,20 @@ +mydir=doc +BUILDTOP=$(REL).. + +SPHINX_BUILD=sphinx-build + +docsrc=$(top_srcdir)/../doc +mansrc=$(top_srcdir)/man + +# The file editing loop deletes some trailing whitespace that the +# docutils manpage writer outputs near the end of its output files. +rstman:: + $(RM) -r mantmp && mkdir mantmp + $(SPHINX_BUILD) -q -t mansubs -b man $(docsrc)/rst_source mantmp + for f in mantmp/*.[0-9]; do \ + name=`echo $$f | sed -e 's|^.*/\(.*\)\.[0-9]$$|\1|'`; \ + sed -e '/^\.\\" $$/d' $$f > $(mansrc)/$$name.man; \ + done + +clean:: + $(RM) -r mantmp diff --git a/src/doc/deps b/src/doc/deps new file mode 100644 index 000000000..2feac3c9d --- /dev/null +++ b/src/doc/deps @@ -0,0 +1 @@ +# No dependencies here. diff --git a/src/man/Makefile.in b/src/man/Makefile.in index 085d44be6..2ba1e3a59 100644 --- a/src/man/Makefile.in +++ b/src/man/Makefile.in @@ -3,71 +3,96 @@ BUILDTOP=$(REL).. GROFF=@GROFF@ GROFF_MAN=$(GROFF) -mtty-char -Tascii -mandoc -c +localstatedir=@localstatedir@ -all:: +MANSUBS=k5identity.sub k5login.sub k5srvutil.sub kadmin.sub kadmind.sub \ + kdb5_ldap_util.sub kdb5_util.sub kdc.conf.sub kdestroy.sub kinit.sub \ + klist.sub kpasswd.sub kprop.sub kpropd.sub kproplog.sub krb5.conf.sub \ + krb5kdc.sub ksu.sub kswitch.sub ktutil.sub kvno.sub + +.SUFFIXES: .man .sub + +.man.sub: + sed -e 's|@BINDIR@|$(CLIENT_BINDIR)|g' \ + -e 's|@SBINDIR@|$(SERVER_BINDIR)|g' \ + -e 's|@LIBDIR@|$(KRB5_LIBDIR)|g' \ + -e 's|@LOCALSTATEDIR@|$(localstatedir)|g' $? > $@ + +all:: $(MANSUBS) + +clean:: + $(RM) $(MANSUBS) install:: install-clientman install-fileman install-adminman install-serverman install-catman:: install-clientcat install-filecat install-admincat install-servercat install-clientman:: - $(INSTALL_DATA) $(srcdir)/k5srvutil.1 ${DESTDIR}$(CLIENT_MANDIR)/k5srvutil.1 - $(INSTALL_DATA) $(srcdir)/kadmin.1 ${DESTDIR}$(CLIENT_MANDIR)/kadmin.1 - $(INSTALL_DATA) $(srcdir)/kdestroy.1 ${DESTDIR}$(CLIENT_MANDIR)/kdestroy.1 - $(INSTALL_DATA) $(srcdir)/kinit.1 ${DESTDIR}$(CLIENT_MANDIR)/kinit.1 - $(INSTALL_DATA) $(srcdir)/klist.1 ${DESTDIR}$(CLIENT_MANDIR)/klist.1 - $(INSTALL_DATA) $(srcdir)/kpasswd.1 ${DESTDIR}$(CLIENT_MANDIR)/kpasswd.1 - $(INSTALL_DATA) $(srcdir)/ksu.1 ${DESTDIR}$(CLIENT_MANDIR)/ksu.1 - $(INSTALL_DATA) $(srcdir)/kswitch.1 ${DESTDIR}$(CLIENT_MANDIR)/kswitch.1 - $(INSTALL_DATA) $(srcdir)/ktutil.1 ${DESTDIR}$(CLIENT_MANDIR)/ktutil.1 - $(INSTALL_DATA) $(srcdir)/kvno.1 ${DESTDIR}$(CLIENT_MANDIR)/kvno.1 + $(INSTALL_DATA) k5srvutil.sub $(DESTDIR)$(CLIENT_MANDIR)/k5srvutil.1 + $(INSTALL_DATA) kadmin.sub $(DESTDIR)$(CLIENT_MANDIR)/kadmin.1 + $(INSTALL_DATA) kdestroy.sub $(DESTDIR)$(CLIENT_MANDIR)/kdestroy.1 + $(INSTALL_DATA) kinit.sub $(DESTDIR)$(CLIENT_MANDIR)/kinit.1 + $(INSTALL_DATA) klist.sub $(DESTDIR)$(CLIENT_MANDIR)/klist.1 + $(INSTALL_DATA) kpasswd.sub $(DESTDIR)$(CLIENT_MANDIR)/kpasswd.1 + $(INSTALL_DATA) ksu.sub $(DESTDIR)$(CLIENT_MANDIR)/ksu.1 + $(INSTALL_DATA) kswitch.sub $(DESTDIR)$(CLIENT_MANDIR)/kswitch.1 + $(INSTALL_DATA) ktutil.sub $(DESTDIR)$(CLIENT_MANDIR)/ktutil.1 + $(INSTALL_DATA) kvno.sub $(DESTDIR)$(CLIENT_MANDIR)/kvno.1 install-fileman:: - $(INSTALL_DATA) $(srcdir)/dot.k5identity.5 ${DESTDIR}$(FILE_MANDIR)/.k5identity.5 - $(INSTALL_DATA) $(srcdir)/k5identity.5 ${DESTDIR}$(FILE_MANDIR)/k5identity.5 - $(INSTALL_DATA) $(srcdir)/dot.k5login.5 ${DESTDIR}$(FILE_MANDIR)/.k5login.5 - $(INSTALL_DATA) $(srcdir)/k5login.5 ${DESTDIR}$(FILE_MANDIR)/k5login.5 - $(INSTALL_DATA) $(srcdir)/kdc.conf.5 ${DESTDIR}$(FILE_MANDIR)/kdc.conf.5 - $(INSTALL_DATA) $(srcdir)/krb5.conf.5 ${DESTDIR}$(FILE_MANDIR)/krb5.conf.5 + $(INSTALL_DATA) $(srcdir)/dot.k5identity.5 \ + $(DESTDIR)$(FILE_MANDIR)/.k5identity.5 + $(INSTALL_DATA) k5identity.sub $(DESTDIR)$(FILE_MANDIR)/k5identity.5 + $(INSTALL_DATA) $(srcdir)/dot.k5login.5 \ + $(DESTDIR)$(FILE_MANDIR)/.k5login.5 + $(INSTALL_DATA) k5login.sub $(DESTDIR)$(FILE_MANDIR)/k5login.5 + $(INSTALL_DATA) kdc.conf.sub $(DESTDIR)$(FILE_MANDIR)/kdc.conf.5 + $(INSTALL_DATA) krb5.conf.sub $(DESTDIR)$(FILE_MANDIR)/krb5.conf.5 install-adminman:: - $(INSTALL_DATA) $(srcdir)/kadmin.local.8 ${DESTDIR}$(ADMIN_MANDIR)/kadmin.local.8 - $(INSTALL_DATA) $(srcdir)/kdb5_ldap_util.8 ${DESTDIR}$(ADMIN_MANDIR)/kdb5_ldap_util.8 - $(INSTALL_DATA) $(srcdir)/kdb5_util.8 ${DESTDIR}$(ADMIN_MANDIR)/kdb5_util.8 - $(INSTALL_DATA) $(srcdir)/kprop.8 ${DESTDIR}$(ADMIN_MANDIR)/kprop.8 - $(INSTALL_DATA) $(srcdir)/kproplog.8 ${DESTDIR}$(ADMIN_MANDIR)/kproplog.8 + $(INSTALL_DATA) $(srcdir)/kadmin.local.8 \ + $(DESTDIR)$(ADMIN_MANDIR)/kadmin.local.8 + $(INSTALL_DATA) kdb5_ldap_util.sub \ + $(DESTDIR)$(ADMIN_MANDIR)/kdb5_ldap_util.8 + $(INSTALL_DATA) kdb5_util.sub $(DESTDIR)$(ADMIN_MANDIR)/kdb5_util.8 + $(INSTALL_DATA) kprop.sub $(DESTDIR)$(ADMIN_MANDIR)/kprop.8 + $(INSTALL_DATA) kproplog.sub $(DESTDIR)$(ADMIN_MANDIR)/kproplog.8 install-serverman:: - $(INSTALL_DATA) $(srcdir)/kadmind.8 ${DESTDIR}$(SERVER_MANDIR)/kadmind.8 - $(INSTALL_DATA) $(srcdir)/kpropd.8 ${DESTDIR}$(SERVER_MANDIR)/kpropd.8 - $(INSTALL_DATA) $(srcdir)/krb5kdc.8 ${DESTDIR}$(SERVER_MANDIR)/krb5kdc.8 + $(INSTALL_DATA) kadmind.sub $(DESTDIR)$(SERVER_MANDIR)/kadmind.8 + $(INSTALL_DATA) kpropd.sub $(DESTDIR)$(SERVER_MANDIR)/kpropd.8 + $(INSTALL_DATA) krb5kdc.sub $(DESTDIR)$(SERVER_MANDIR)/krb5kdc.8 install-clientcat:: - $(GROFF_MAN) $(srcdir)/k5srvutil.1 > ${DESTDIR}$(CLIENT_CATDIR)/k5srvutil.1 - $(GROFF_MAN) $(srcdir)/kadmin.1 > ${DESTDIR}$(CLIENT_CATDIR)/kadmin.1 - $(GROFF_MAN) $(srcdir)/kdestroy.1 > ${DESTDIR}$(CLIENT_CATDIR)/kdestroy.1 - $(GROFF_MAN) $(srcdir)/kinit.1 > ${DESTDIR}$(CLIENT_CATDIR)/kinit.1 - $(GROFF_MAN) $(srcdir)/klist.1 > ${DESTDIR}$(CLIENT_CATDIR)/klist.1 - $(GROFF_MAN) $(srcdir)/kpasswd.1 > ${DESTDIR}$(CLIENT_CATDIR)/kpasswd.1 - $(GROFF_MAN) $(srcdir)/ksu.1 > ${DESTDIR}$(CLIENT_CATDIR)/ksu.1 - $(GROFF_MAN) $(srcdir)/kswitch.1 > ${DESTDIR}$(CLIENT_CATDIR)/kswitch.1 - $(GROFF_MAN) $(srcdir)/ktutil.1 > ${DESTDIR}$(CLIENT_CATDIR)/ktutil.1 - $(GROFF_MAN) $(srcdir)/kvno.1 > ${DESTDIR}$(CLIENT_CATDIR)/kvno.1 + $(GROFF_MAN) k5srvutil.sub > $(DESTDIR)$(CLIENT_CATDIR)/k5srvutil.1 + $(GROFF_MAN) kadmin.sub > $(DESTDIR)$(CLIENT_CATDIR)/kadmin.1 + $(GROFF_MAN) kdestroy.sub > $(DESTDIR)$(CLIENT_CATDIR)/kdestroy.1 + $(GROFF_MAN) kinit.sub > $(DESTDIR)$(CLIENT_CATDIR)/kinit.1 + $(GROFF_MAN) klist.sub > $(DESTDIR)$(CLIENT_CATDIR)/klist.1 + $(GROFF_MAN) kpasswd.sub > $(DESTDIR)$(CLIENT_CATDIR)/kpasswd.1 + $(GROFF_MAN) ksu.sub > $(DESTDIR)$(CLIENT_CATDIR)/ksu.1 + $(GROFF_MAN) kswitch.sub > $(DESTDIR)$(CLIENT_CATDIR)/kswitch.1 + $(GROFF_MAN) ktutil.sub > $(DESTDIR)$(CLIENT_CATDIR)/ktutil.1 + $(GROFF_MAN) kvno.sub > $(DESTDIR)$(CLIENT_CATDIR)/kvno.1 install-filecat:: - $(GROFF_MAN) $(srcdir)/k5identity.5 > ${DESTDIR}$(FILE_CATDIR)/k5identity.5 - ($(RM) ${DESTDIR}$(FILE_CATDIR)/.k5identity.5; \ - $(LN_S) $(FILE_CATDIR)/k5identity.5 ${DESTDIR}$(FILE_CATDIR)/.k5identity.5) - $(GROFF_MAN) $(srcdir)/k5login.5 > ${DESTDIR}$(FILE_CATDIR)/k5login.5 - ($(RM) ${DESTDIR}$(FILE_CATDIR)/.k5login.5; \ - $(LN_S) $(FILE_CATDIR)/k5login.5 ${DESTDIR}$(FILE_CATDIR)/.k5login.5) - $(GROFF_MAN) $(srcdir)/kdc.conf.5 > ${DESTDIR}$(FILE_CATDIR)/kdc.conf.5 - $(GROFF_MAN) $(srcdir)/krb5.conf.5 > ${DESTDIR}$(FILE_CATDIR)/krb5.conf.5 + $(GROFF_MAN) k5identity.sub > $(DESTDIR)$(FILE_CATDIR)/k5identity.5 + ($(RM) $(DESTDIR)$(FILE_CATDIR)/.k5identity.5; \ + $(LN_S) $(FILE_CATDIR)/k5identity.5 \ + $(DESTDIR)$(FILE_CATDIR)/.k5identity.5) + $(GROFF_MAN) k5login.sub > $(DESTDIR)$(FILE_CATDIR)/k5login.5 + ($(RM) $(DESTDIR)$(FILE_CATDIR)/.k5login.5; \ + $(LN_S) $(FILE_CATDIR)/k5login.5 \ + $(DESTDIR)$(FILE_CATDIR)/.k5login.5) + $(GROFF_MAN) kdc.conf.sub > $(DESTDIR)$(FILE_CATDIR)/kdc.conf.5 + $(GROFF_MAN) krb5.conf.sub > $(DESTDIR)$(FILE_CATDIR)/krb5.conf.5 install-admincat:: - ($(RM) ${DESTDIR}$(ADMIN_CATDIR)/kadmin.local.8; \ - $(LN_S) $(CLIENT_CATDIR)/kadmin.1 ${DESTDIR}$(ADMIN_CATDIR)/kadmin.local.8) - $(GROFF_MAN) $(srcdir)/kdb5_ldap_util.8 > ${DESTDIR}$(ADMIN_CATDIR)/kdb5_ldap_util.8 - $(GROFF_MAN) $(srcdir)/kdb5_util.8 > ${DESTDIR}$(ADMIN_CATDIR)/kdb5_util.8 - $(GROFF_MAN) $(srcdir)/kprop.8 > ${DESTDIR}$(ADMIN_CATDIR)/kprop.8 - $(GROFF_MAN) $(srcdir)/kproplog.8 > ${DESTDIR}$(ADMIN_CATDIR)/kproplog.8 + ($(RM) $(DESTDIR)$(ADMIN_CATDIR)/kadmin.local.8; \ + $(LN_S) $(CLIENT_CATDIR)/kadmin.1 \ + $(DESTDIR)$(ADMIN_CATDIR)/kadmin.local.8) + $(GROFF_MAN) kdb5_ldap_util.sub > \ + $(DESTDIR)$(ADMIN_CATDIR)/kdb5_ldap_util.8 + $(GROFF_MAN) kdb5_util.sub > $(DESTDIR)$(ADMIN_CATDIR)/kdb5_util.8 + $(GROFF_MAN) kprop.sub > $(DESTDIR)$(ADMIN_CATDIR)/kprop.8 + $(GROFF_MAN) kproplog.sub > $(DESTDIR)$(ADMIN_CATDIR)/kproplog.8 diff --git a/src/man/k5identity.5 b/src/man/k5identity.man similarity index 52% rename from src/man/k5identity.5 rename to src/man/k5identity.man index 677fa5889..c4f588a08 100644 --- a/src/man/k5identity.5 +++ b/src/man/k5identity.man @@ -1,4 +1,4 @@ -.TH "K5IDENTITY" "5" "January 13, 2012" "0.0.1" "MIT Kerberos" +.TH "K5IDENTITY" "5" " " "0.0.1" "MIT Kerberos" .SH NAME k5identity \- Kerberos V5 client principal selection rules . @@ -35,55 +35,60 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] \fB~/.k5identity\fP .SH DESCRIPTION .sp -The \fI.k5identity\fP file, which resides in a user\(aqs home directory, +The .k5identity file, which resides in a user\(aqs home directory, contains a list of rules for selecting a client principals based on -the server being accessed. These rules are used to choose a credential -cache within the cache collection when possible. +the server being accessed. These rules are used to choose a +credential cache within the cache collection when possible. .sp -Blank lines and lines beginning with \(aq#\(aq are ignored. Each line has the form: +Blank lines and lines beginning with \fB#\fP are ignored. Each line has +the form: .INDENT 0.0 .INDENT 3.5 .sp -principal field=value ... +\fIprincipal\fP \fIfield\fP=\fIvalue\fP ... .UNINDENT .UNINDENT .sp -If the server principal meets all of the field constraints, then principal -is chosen as the client principal. The following fields are recognized: +If the server principal meets all of the field constraints, then +principal is chosen as the client principal. The following fields are +recognized: .INDENT 0.0 .TP .B \fBrealm\fP .sp If the realm of the server principal is known, it is matched against \fIvalue\fP, which may be a pattern using shell wildcards. -For host\-based server principals, the realm will generally only -be known if there is a \fIdomain_realm\fP section -in \fIkrb5.conf\fP with a mapping for the hostname. +For host\-based server principals, the realm will generally only be +known if there is a \fIdomain_realm\fP section in +\fIkrb5.conf(5)\fP with a mapping for the hostname. .TP .B \fBservice\fP .sp -If the server principal is a host\-based principal, -its service component is matched against \fIvalue\fP, which may be -a pattern using shell wildcards. +If the server principal is a host\-based principal, its service +component is matched against \fIvalue\fP, which may be a pattern using +shell wildcards. .TP .B \fBhost\fP .sp -If the server principal is a host\-based principal, -its hostname component is converted to lower case and matched -against \fIvalue\fP, which may be a pattern using shell wildcards. +If the server principal is a host\-based principal, its hostname +component is converted to lower case and matched against \fIvalue\fP, +which may be a pattern using shell wildcards. .sp -If the server principal matches the constraints of multiple lines -in the .k5identity file, the principal from the first matching line is used. -If no line matches, credentials will be selected some other way, -such as the realm heuristic or the current primary cache. +If the server principal matches the constraints of multiple lines +in the .k5identity file, the principal from the first matching +line is used. If no line matches, credentials will be selected +some other way, such as the realm heuristic or the current primary +cache. .UNINDENT .SH EXAMPLE .sp The following example .k5identity file selects the client principal -alice@KRBTEST.COM if the server principal is within that realm, -the principal alice/root@EXAMPLE.COM if the server host is within -a servers subdomain, and the principal alice/mail@EXAMPLE.COM -when accessing the IMAP service on mail.example.com: +\fBalice@KRBTEST.COM\fP if the server principal is within that realm, +the principal \fBalice/root@EXAMPLE.COM\fP if the server host is within +a servers subdomain, and the principal \fBalice/mail@EXAMPLE.COM\fP when +accessing the IMAP service on \fBmail.example.com\fP: +.INDENT 0.0 +.INDENT 3.5 .sp .nf .ft C @@ -92,9 +97,11 @@ alice/root@EXAMPLE.COM host=*.servers.example.com alice/mail@EXAMPLE.COM host=mail.example.com service=imap .ft P .fi +.UNINDENT +.UNINDENT .SH SEE ALSO .sp -kerberos(1), krb5.conf(5) +kerberos(1), \fIkrb5.conf(5)\fP .SH AUTHOR MIT .SH COPYRIGHT diff --git a/src/man/k5login.5 b/src/man/k5login.5 deleted file mode 100644 index 76aba1add..000000000 --- a/src/man/k5login.5 +++ /dev/null @@ -1,84 +0,0 @@ -.TH "K5LOGIN" "5" "January 13, 2012" "0.0.1" "MIT Kerberos" -.SH NAME -k5login \- Kerberos V5 acl file for host access -. -.nr rst2man-indent-level 0 -. -.de1 rstReportMargin -\\$1 \\n[an-margin] -level \\n[rst2man-indent-level] -level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] -- -\\n[rst2man-indent0] -\\n[rst2man-indent1] -\\n[rst2man-indent2] -.. -.de1 INDENT -.\" .rstReportMargin pre: -. RS \\$1 -. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] -. nr rst2man-indent-level +1 -.\" .rstReportMargin post: -.. -.de UNINDENT -. RE -.\" indent \\n[an-margin] -.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] -.nr rst2man-indent-level -1 -.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] -.in \\n[rst2man-indent\\n[rst2man-indent-level]]u -.. -.\" Man page generated from reStructeredText. -. -.SH SYNOPSIS -.sp -\fB~/.k5login\fP -.SH DESCRIPTION -.sp -The \fI.k5login\fP file, which resides in a user\(aqs home directory, -contains a list of the Kerberos principals. -Anyone with valid tickets for a principal in the file is allowed host access -with the UID of the user in whose home directory the file resides. -One common use is to place a \fI.k5login\fP file in root\(aqs home directory, -thereby granting system administrators remote root access to the host via Kerberos. -.SH EXAMPLES -.sp -Suppose the user \fIalice\fP had a \fI.k5login\fP file in her home directory containing the following line: -.INDENT 0.0 -.INDENT 3.5 -.sp -bob@FOOBAR.ORG -.UNINDENT -.UNINDENT -.sp -This would allow \fIbob\fP to use any of the Kerberos network applications, -such as telnet(1), rlogin(1), rsh(1), and rcp(1), -to access \fIalice\fP\(aqs account, using \fIbob\fP\(aqs Kerberos tickets. -.sp -Let us further suppose that \fIalice\fP is a system administrator. -Alice and the other system administrators would have their principals -in root\(aqs \fI.k5login\fP file on each host: -.INDENT 0.0 -.INDENT 3.5 -.sp -alice@BLEEP.COM -.sp -joeadmin/root@BLEEP.COM -.UNINDENT -.UNINDENT -.sp -This would allow either system administrator to log in to these hosts -using their Kerberos tickets instead of having to type the root password. -Note that because \fIbob\fP retains the Kerberos tickets for his own principal, -"bob@FOOBAR.ORG", he would not have any of the privileges that require \fIalice\fP\(aqs tickets, -such as root access to any of the site\(aqs hosts, -or the ability to change \fIalice\fP\(aqs password. -.SH SEE ALSO -.sp -telnet(1), rlogin(1), rsh(1), rcp(1), ksu(1), telnetd(8), klogind(8) -.SH AUTHOR -MIT -.SH COPYRIGHT -2011, MIT -.\" Generated by docutils manpage writer. -. diff --git a/src/man/k5login.man b/src/man/k5login.man new file mode 100644 index 000000000..9f82dc8db --- /dev/null +++ b/src/man/k5login.man @@ -0,0 +1,94 @@ +.TH "K5LOGIN" "5" " " "0.0.1" "MIT Kerberos" +.SH NAME +k5login \- Kerberos V5 acl file for host access +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.\" Man page generated from reStructeredText. +. +.SH SYNOPSIS +.sp +\fB~/.k5login\fP +.SH DESCRIPTION +.sp +The .k5login file, which resides in a user\(aqs home directory, contains +a list of the Kerberos principals. Anyone with valid tickets for a +principal in the file is allowed host access with the UID of the user +in whose home directory the file resides. One common use is to place +a .k5login file in root\(aqs home directory, thereby granting system +administrators remote root access to the host via Kerberos. +.SH EXAMPLES +.sp +Suppose the user \fBalice\fP had a .k5login file in her home directory +containing the following line: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +bob@FOOBAR.ORG +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +This would allow \fBbob\fP to use Kerberos network applications, such as +ssh(1), to access \fBalice\fP\(aqs account, using \fBbob\fP\(aqs Kerberos +tickets. +.sp +Let us further suppose that \fBalice\fP is a system administrator. +Alice and the other system administrators would have their principals +in root\(aqs .k5login file on each host: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +alice@BLEEP.COM + +joeadmin/root@BLEEP.COM +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +This would allow either system administrator to log in to these hosts +using their Kerberos tickets instead of having to type the root +password. Note that because \fBbob\fP retains the Kerberos tickets for +his own principal, \fBbob@FOOBAR.ORG\fP, he would not have any of the +privileges that require \fBalice\fP\(aqs tickets, such as root access to +any of the site\(aqs hosts, or the ability to change \fBalice\fP\(aqs +password. +.SH SEE ALSO +.sp +kerberos(1) +.SH AUTHOR +MIT +.SH COPYRIGHT +2011, MIT +.\" Generated by docutils manpage writer. +. diff --git a/src/man/k5srvutil.1 b/src/man/k5srvutil.1 deleted file mode 100644 index 567e82a81..000000000 --- a/src/man/k5srvutil.1 +++ /dev/null @@ -1,84 +0,0 @@ -.TH "K5SRVUTIL" "1" "January 06, 2012" "0.0.1" "MIT Kerberos" -.SH NAME -k5srvutil \- host key table (keytab) manipulation utility -. -.nr rst2man-indent-level 0 -. -.de1 rstReportMargin -\\$1 \\n[an-margin] -level \\n[rst2man-indent-level] -level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] -- -\\n[rst2man-indent0] -\\n[rst2man-indent1] -\\n[rst2man-indent2] -.. -.de1 INDENT -.\" .rstReportMargin pre: -. RS \\$1 -. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] -. nr rst2man-indent-level +1 -.\" .rstReportMargin post: -.. -.de UNINDENT -. RE -.\" indent \\n[an-margin] -.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] -.nr rst2man-indent-level -1 -.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] -.in \\n[rst2man-indent\\n[rst2man-indent-level]]u -.. -.\" Man page generated from reStructeredText. -. -.SH SYNOPSIS -.sp -\fBk5srvutil\fP \fIoperation\fP [ \fB\-i\fP ] [ \fB\-f\fP \fIfilename\fP ] -.SH DESCRIPTION -.sp -\fIk5srvutil\fP allows a system manager to list or change keys currently in his keytab or to add new keys to the keytab. -.sp -Operation must be one of the following: -.INDENT 0.0 -.INDENT 3.5 -.INDENT 0.0 -.TP -.B \fBlist\fP -.sp -Lists the keys in a keytab showing version number and principal name. -.TP -.B \fBchange\fP -.sp -Changes all the keys in the keytab to new randomly\-generated keys, -updating the keys in the Kerberos server\(aqs database to match by using the kadmin protocol. -If a key\(aqs version number doesn\(aqt match the version number stored in the Kerberos server\(aqs database, -then the operation will fail. The old keys are retained so that existing tickets continue to work. -If the \fI\-i\fP flag is given, \fIk5srvutil\fP will prompt for yes or no before changing each key. -If the \fI\-k\fP option is used, the old and new keys will be displayed. -.TP -.B \fBdelold\fP -.sp -Deletes keys that are not the most recent version from the keytab. -This operation should be used some time after a change operation to remove old keys. -If the \fI\-i\fP flag is used, then the program prompts the user whether the old keys associated -with each principal should be removed. -.TP -.B \fBdelete\fP -.sp -Deletes particular keys in the keytab, interactively prompting for each key. -.UNINDENT -.UNINDENT -.UNINDENT -.sp -In all cases, the default file used is /etc/krb5.keytab file unless this is overridden by the \fB\-f\fP option. -.sp -\fIk5srvutil\fP uses the kadmin program to edit the keytab in place. -However, old keys are retained, so they are available in case of failure. -.SH SEE ALSO -.sp -kadmin(8), ktutil(8) -.SH AUTHOR -MIT -.SH COPYRIGHT -2011, MIT -.\" Generated by docutils manpage writer. -. diff --git a/src/man/k5srvutil.man b/src/man/k5srvutil.man new file mode 100644 index 000000000..e20d7758f --- /dev/null +++ b/src/man/k5srvutil.man @@ -0,0 +1,90 @@ +.TH "K5SRVUTIL" "1" " " "0.0.1" "MIT Kerberos" +.SH NAME +k5srvutil \- host key table (keytab) manipulation utility +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.\" Man page generated from reStructeredText. +. +.SH SYNOPSIS +.sp +\fBk5srvutil\fP \fIoperation\fP +[\fB\-i\fP] +[\fB\-f\fP \fIfilename\fP] +.SH DESCRIPTION +.sp +k5srvutil allows an administrator to list or change keys currently in +a keytab or to add new keys to the keytab. +.sp +\fIoperation\fP must be one of the following: +.INDENT 0.0 +.TP +.B \fBlist\fP +.sp +Lists the keys in a keytab showing version number and principal +name. +.TP +.B \fBchange\fP +.sp +Uses the kadmin protocol to update the keys in the Kerberos +database to new randomly\-generated keys, and updates the keys in +the keytab to match. If a key\(aqs version number doesn\(aqt match the +version number stored in the Kerberos server\(aqs database, then the +operation will fail. Old keys are retained in the keytab so that +existing tickets continue to work. If the \fB\-i\fP flag is given, +k5srvutil will prompt for confirmation before changing each key. +If the \fB\-k\fP option is given, the old and new keys will be +displayed. +.TP +.B \fBdelold\fP +.sp +Deletes keys that are not the most recent version from the keytab. +This operation should be used some time after a change operation +to remove old keys, after existing tickets issued for the service +have expired. If the \fB\-i\fP flag is given, then k5srvutil will +prompt for confirmation for each principal. +.TP +.B \fBdelete\fP +.sp +Deletes particular keys in the keytab, interactively prompting for +each key. +.UNINDENT +.sp +In all cases, the default keytab is used unless this is overridden by +the \fB\-f\fP option. +.sp +k5srvutil uses the \fIkadmin(1)\fP program to edit the keytab in +place. +.SH SEE ALSO +.sp +\fIkadmin(1)\fP, \fIktutil(1)\fP +.SH AUTHOR +MIT +.SH COPYRIGHT +2011, MIT +.\" Generated by docutils manpage writer. +. diff --git a/src/man/kadmin.1 b/src/man/kadmin.1 deleted file mode 100644 index 1a0d22a8f..000000000 --- a/src/man/kadmin.1 +++ /dev/null @@ -1,1278 +0,0 @@ -.TH "KADMIN" "1" "January 06, 2012" "0.0.1" "MIT Kerberos" -.SH NAME -kadmin \- Kerberos V5 database administration program -. -.nr rst2man-indent-level 0 -. -.de1 rstReportMargin -\\$1 \\n[an-margin] -level \\n[rst2man-indent-level] -level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] -- -\\n[rst2man-indent0] -\\n[rst2man-indent1] -\\n[rst2man-indent2] -.. -.de1 INDENT -.\" .rstReportMargin pre: -. RS \\$1 -. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] -. nr rst2man-indent-level +1 -.\" .rstReportMargin post: -.. -.de UNINDENT -. RE -.\" indent \\n[an-margin] -.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] -.nr rst2man-indent-level -1 -.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] -.in \\n[rst2man-indent\\n[rst2man-indent-level]]u -.. -.\" Man page generated from reStructeredText. -. -.SH SYNOPSIS -.INDENT 0.0 -.TP -.B \fBkadmin\fP -.sp -[ \fB\-O\fP | \fB\-N\fP ] -[\fB\-r\fP \fIrealm\fP] -[\fB\-p\fP \fIprincipal\fP] -[\fB\-q\fP \fIquery\fP] -[[\fB\-c\fP \fIcache_name\fP] | [\fB\-k\fP [\fB\-t\fP \fIkeytab\fP ]] | \fB\-n\fP] -[\fB\-w\fP \fIpassword\fP] -[\fB\-s\fP \fIadmin_server\fP [:\fIport\fP]] -.TP -.B \fBkadmin.local\fP -.sp -[\fB\-r\fP \fIrealm\fP] -[\fB\-p\fP \fIprincipal\fP] -[\fB\-q\fP \fIquery\fP] -[\fB\-d\fP \fIdbname\fP] -[\fB\-e\fP "enc:salt ..."] -[\fB\-m\fP] -[\fB\-x\fP \fIdb_args\fP] -.UNINDENT -.SH DESCRIPTION -.sp -\fIkadmin\fP and \fIkadmin.local\fP are command\-line interfaces to the Kerberos V5 KADM5 administration system. -Both \fIkadmin\fP and \fIkadmin.local\fP provide identical functionalities; -the difference is that \fIkadmin.local\fP runs on the master KDC if the database is db2 and does not use Kerberos to authenticate to the database. -Except as explicitly noted otherwise, this man page will use \fIkadmin\fP to refer to both versions. -\fIkadmin\fP provides for the maintenance of Kerberos principals, KADM5 policies, and service key tables (keytabs). -.sp -The remote version uses Kerberos authentication and an encrypted RPC, to operate securely from anywhere on the network. -It authenticates to the KADM5 server using the service principal \fIkadmin/admin\fP. -If the credentials cache contains a ticket for the \fIkadmin/admin\fP principal, and the \fI\-c\fP credentials_cache option is specified, -that ticket is used to authenticate to KADM5. -Otherwise, the \fI\-p\fP and \fI\-k\fP options are used to specify the client Kerberos principal name used to authenticate. -Once \fIkadmin\fP has determined the principal name, it requests a \fIkadmin/admin\fP Kerberos service ticket from the KDC, -and uses that service ticket to authenticate to KADM5. -.sp -If the database is db2, the local client \fIkadmin.local\fP is intended to run directly on the master KDC without Kerberos authentication. -The local version provides all of the functionality of the now obsolete kdb5_edit(8), except for database dump and load, -which is now provided by the \fIkdb5_util(8)\fP utility. -.sp -If the database is LDAP, \fIkadmin.local\fP need not be run on the KDC. -.sp -\fIkadmin.local\fP can be configured to log updates for incremental database propagation. -Incremental propagation allows slave KDC servers to receive principal and policy updates incrementally instead of receiving full dumps of the database. -This facility can be enabled in the \fIkdc.conf\fP file with the \fIiprop_enable\fP option. -See the \fIkdc.conf\fP documentation for other options for tuning incremental propagation parameters. -.SH OPTIONS -.INDENT 0.0 -.INDENT 3.5 -.INDENT 0.0 -.TP -.B \fB\-r\fP \fIrealm\fP -.sp -Use \fIrealm\fP as the default database realm. -.TP -.B \fB\-p\fP \fIprincipal\fP -.sp -Use \fIprincipal\fP to authenticate. Otherwise, \fIkadmin\fP will append "/admin" to the primary principal name of the default ccache, the -value of the \fIUSER\fP environment variable, or the username as obtained with \fIgetpwuid\fP, in order of preference. -.TP -.B \fB\-k\fP -.sp -Use a \fIkeytab\fP to decrypt the KDC response instead of prompting for a password on the TTY. In this case, the default principal -will be \fIhost/hostname\fP. If there is not a \fIkeytab\fP specified with the \fB\-t\fP option, then the default \fIkeytab\fP will be used. -.TP -.B \fB\-t\fP \fIkeytab\fP -.sp -Use \fIkeytab\fP to decrypt the KDC response. This can only be used with the \fB\-k\fP option. -.TP -.B \fB\-n\fP -.sp -Requests anonymous processing. Two types of anonymous principals are supported. -For fully anonymous Kerberos, configure pkinit on the KDC and configure \fIpkinit_anchors\fP in the client\(aqs \fIkrb5.conf\fP. -Then use the \fI\-n\fP option with a principal of the form \fI@REALM\fP (an empty principal name followed by the at\-sign and a realm name). -If permitted by the KDC, an anonymous ticket will be returned. -A second form of anonymous tickets is supported; these realm\-exposed tickets hide the identity of the client but not the client\(aqs realm. -For this mode, use \fIkinit \-n\fP with a normal principal name. -If supported by the KDC, the principal (but not realm) will be replaced by the anonymous principal. -As of release 1.8, the MIT Kerberos KDC only supports fully anonymous operation. -.TP -.B \fB\-c\fP \fIcredentials_cache\fP -.sp -Use \fIcredentials_cache\fP as the credentials cache. The \fIcredentials_cache\fP should contain a service ticket for the \fIkadmin/admin\fP service; -it can be acquired with the \fIkinit(1)\fP program. If this option is not specified, \fIkadmin\fP requests a new service ticket from -the KDC, and stores it in its own temporary ccache. -.TP -.B \fB\-w\fP \fIpassword\fP -.sp -Use \fIpassword\fP instead of prompting for one on the TTY. -.IP Note -. -Placing the password for a Kerberos principal with administration access into a shell script can be dangerous if -unauthorized users gain read access to the script. -.RE -.TP -.B \fB\-q\fP \fIquery\fP -.sp -pass query directly to kadmin, which will perform query and then exit. This can be useful for writing scripts. -.TP -.B \fB\-d\fP \fIdbname\fP -.sp -Specifies the name of the Kerberos database. This option does not apply to the LDAP database. -.TP -.B \fB\-s\fP \fIadmin_server\fP [:port] -.sp -Specifies the admin server which \fIkadmin\fP should contact. -.UNINDENT -.sp -\fB\-m\fP Do not authenticate using a \fIkeytab\fP. This option will cause \fIkadmin\fP to prompt for the master database password. -.INDENT 0.0 -.TP -.B \fB\-e\fP enc:salt_list -.sp -Sets the list of encryption types and salt types to be used for any new keys created. -.UNINDENT -.sp -\fB\-O\fP Force use of old AUTH_GSSAPI authentication flavor. -.sp -\fB\-N\fP Prevent fallback to AUTH_GSSAPI authentication flavor. -.INDENT 0.0 -.TP -.B \fB\-x\fP \fIdb_args\fP -.sp -Specifies the database specific arguments. -.sp -Options supported for LDAP database are: -.INDENT 7.0 -.TP -.B \fB\-x\fP host= -.sp -specifies the LDAP server to connect to by a LDAP URI. -.TP -.B \fB\-x\fP binddn= -.sp -specifies the DN of the object used by the administration server to bind to the LDAP server. This object should have the -read and write rights on the realm container, principal container and the subtree that is referenced by the realm. -.TP -.B \fB\-x\fP bindpwd= -.sp -specifies the password for the above mentioned binddn. It is recommended not to use this option. -Instead, the password can be stashed using the \fIstashsrvpw\fP command of \fIkdb5_ldap_util(8)\fP -.UNINDENT -.UNINDENT -.UNINDENT -.UNINDENT -.SH DATE FORMAT -.sp -Many of the \fIkadmin\fP commands take a duration or time as an argument. The date can appear in a wide variety of formats, such as: -.sp -.nf -.ft C -1 month ago -2 hours ago -400000 seconds ago -last year -this Monday -next Monday -yesterday -tomorrow -now -second Monday -fortnight ago -3/31/92 10:00:07 PST -January 23, 1987 10:05pm -22:00 GMT -.ft P -.fi -.sp -Dates which do not have the "ago" specifier default to being absolute dates, unless they appear in a field where a duration is expected. -In that case the time specifier will be interpreted as relative. -Specifying "ago" in a duration may result in unexpected behavior. -.sp -The following is a list of all of the allowable keywords. -.TS -center; -|l|l|. -_ -T{ -Months -T} T{ -january, jan, february, feb, march, mar, april, apr, may, june, jun, july, jul, august, aug, september, sep, sept, october, oct, november, nov, december, dec -T} -_ -T{ -Days -T} T{ -sunday, sun, monday, mon, tuesday, tues, tue, wednesday, wednes, wed, thursday, thurs, thur, thu, friday, fri, saturday, sat -T} -_ -T{ -Units -T} T{ -year, month, fortnight, week, day, hour, minute, min, second, sec -T} -_ -T{ -Relative -T} T{ -tomorrow, yesterday, today, now, last, this, next, first, second, third, fourth, fifth, sixth, seventh, eighth, ninth, tenth, eleventh, twelfth, ago -T} -_ -T{ -Time Zones -T} T{ -kadmin recognizes abbreviations for most of the world\(aqs time zones. A complete listing appears in kadmin Time Zones. -T} -_ -T{ -12\-hour Time Delimiters -T} T{ -am, pm -T} -_ -.TE -.SH COMMANDS -.SS add_principal -.INDENT 0.0 -.INDENT 3.5 -.INDENT 0.0 -.TP -.B \fBadd_principal\fP [options] \fInewprinc\fP -.sp -creates the principal \fInewprinc\fP, prompting twice for a password. If no policy is specified with the \fI\-policy\fP option, -and the policy named "default" exists, then that policy is assigned to the principal; -note that the assignment of the policy "default" only occurs automatically when a principal is first created, -so the policy "default" must already exist for the assignment to occur. -This assignment of "default" can be suppressed with the \fI\-clearpolicy\fP option. -.INDENT 7.0 -.INDENT 3.5 -.IP Note -. -This command requires the \fIadd\fP privilege. -.RE -.UNINDENT -.UNINDENT -.sp -Aliases: -.sp -.nf -.ft C -addprinc ank -.ft P -.fi -.sp -The options are: -.INDENT 7.0 -.TP -.B \fB\-x\fP \fIdb_princ_args\fP -.INDENT 7.0 -.INDENT 3.5 -.sp -Denotes the database specific options. -.sp -The options for LDAP database are: -.INDENT 0.0 -.TP -.B \fB\-x\fP dn= -.sp -Specifies the LDAP object that will contain the Kerberos principal being created. -.TP -.B \fB\-x\fP linkdn= -.sp -Specifies the LDAP object to which the newly created Kerberos principal object will point to. -.TP -.B \fB\-x\fP containerdn= -.sp -Specifies the container object under which the Kerberos principal is to be created. -.TP -.B \fB\-x\fP tktpolicy= -.sp -Associates a ticket policy to the Kerberos principal. -.UNINDENT -.UNINDENT -.UNINDENT -.IP Note -.INDENT 7.0 -.IP \(bu 2 -. -\fIcontainerdn\fP and \fIlinkdn\fP options cannot be specified with dn option. -.IP \(bu 2 -. -If \fIdn\fP or \fIcontainerdn\fP options are not specified while adding the principal, the principals are created under the prinicipal container configured in the realm or the realm container. -.IP \(bu 2 -. -\fIdn\fP and \fIcontainerdn\fP should be within the subtrees or principal container configured in the realm. -.UNINDENT -.RE -.TP -.B \fB\-expire\fP \fIexpdate\fP -.sp -expiration date of the principal -.TP -.B \fB\-pwexpire\fP \fIpwexpdate\fP -.sp -password expiration date -.TP -.B \fB\-maxlife\fP \fImaxlife\fP -.sp -maximum ticket life for the principal -.TP -.B \fB\-maxrenewlife\fP \fImaxrenewlife\fP -.sp -maximum renewable life of tickets for the principal -.TP -.B \fB\-kvno\fP \fIkvno\fP -.sp -explicitly set the key version number. -.TP -.B \fB\-policy\fP \fIpolicy\fP -.sp -policy used by this principal. -If no policy is supplied, then if the policy "default" exists and the \fI\-clearpolicy\fP is not also specified, -then the policy "default" is used; -otherwise, the principal will have no policy, and a warning message will be printed. -.TP -.B \fB\-clearpolicy\fP -.sp -\fI\-clearpolicy\fP prevents the policy "default" from being assigned when \fI\-policy\fP is not specified. -This option has no effect if the policy "default" does not exist. -.TP -.B {\- | +} \fBallow_postdated\fP -.sp -\fI\-allow_postdated\fP prohibits this principal from obtaining postdated tickets. -(Sets the \fIKRB5_KDB_DISALLOW_POSTDATED\fP flag.) \fI+allow_postdated\fP clears this flag. -.TP -.B {\- | +} \fBallow_forwardable\fP -.sp -\fI\-allow_forwardable\fP prohibits this principal from obtaining forwardable tickets. -(Sets the \fIKRB5_KDB_DISALLOW_FORWARDABLE\fP flag.) -\fI+allow_forwardable\fP clears this flag. -.TP -.B {\- | +} \fBallow_renewable\fP -.sp -\fI\-allow_renewable\fP prohibits this principal from obtaining renewable tickets. -(Sets the \fIKRB5_KDB_DISALLOW_RENEWABLE\fP flag.) -\fI+allow_renewable\fP clears this flag. -.TP -.B {\- | +} \fBallow_proxiable\fP -.sp -\fI\-allow_proxiable\fP prohibits this principal from obtaining proxiable tickets. -(Sets the \fIKRB5_KDB_DISALLOW_PROXIABLE\fP flag.) -\fI+allow_proxiable\fP clears this flag. -.TP -.B {\- | +} \fBallow_dup_skey\fP -.sp -\fI\-allow_dup_skey\fP disables user\-to\-user authentication for this principal by prohibiting this principal from obtaining a -session key for another user. -(Sets the \fIKRB5_KDB_DISALLOW_DUP_SKEY\fP flag.) -\fI+allow_dup_skey\fP clears this flag. -.TP -.B {\- | +} \fBrequires_preauth\fP -.sp -\fI+requires_preauth\fP requires this principal to preauthenticate before being allowed to kinit. -(Sets the \fIKRB5_KDB_REQUIRES_PRE_AUTH\fP flag.) -\fI\-requires_preauth\fP clears this flag. -.TP -.B {\- | +} \fBrequires_hwauth\fP -.sp -\fI+requires_hwauth\fP requires this principal to preauthenticate using a hardware device before being allowed to kinit. -(Sets the \fIKRB5_KDB_REQUIRES_HW_AUTH\fP flag.) -\fI\-requires_hwauth\fP clears this flag. -.TP -.B {\- | +} \fBok_as_delegate\fP -.sp -\fI+ok_as_delegate\fP sets the OK\-AS\-DELEGATE flag on tickets issued for use with this principal as the service, -which clients may use as a hint that credentials can and should be delegated when authenticating to the service. -(Sets the \fIKRB5_KDB_OK_AS_DELEGATE\fP flag.) -\fI\-ok_as_delegate\fP clears this flag. -.TP -.B {\- | +} \fBallow_svr\fP -.sp -\fI\-allow_svr\fP prohibits the issuance of service tickets for this principal. -(Sets the \fIKRB5_KDB_DISALLOW_SVR\fP flag.) -\fI+allow_svr\fP clears this flag. -.TP -.B {\- | +} \fBallow_tgs_req\fP -.sp -\fI\-allow_tgs_req\fP specifies that a Ticket\-Granting Service (TGS) request for a service ticket for this principal is not permitted. -This option is useless for most things. -\fI+allow_tgs_req\fP clears this flag. -The default is +allow_tgs_req. -In effect, \fI\-allow_tgs_req sets\fP the \fIKRB5_KDB_DISALLOW_TGT_BASED\fP flag on the principal in the database. -.TP -.B {\- | +} \fBallow_tix\fP -.sp -\fI\-allow_tix\fP forbids the issuance of any tickets for this principal. -\fI+allow_tix\fP clears this flag. -The default is \fI+allow_tix\fP. In effect, \fI\-allow_tix\fP sets the \fIKRB5_KDB_DISALLOW_ALL_TIX\fP flag on the principal in the database. -.TP -.B {\- | +} \fBneedchange\fP -.sp -\fI+needchange\fP sets a flag in attributes field to force a password change; -\fI\-needchange\fP clears it. -The default is \fI\-needchange\fP. -In effect, \fI+needchange\fP sets the \fIKRB5_KDB_REQUIRES_PWCHANGE\fP flag on the principal in the database. -.TP -.B {\- | +} \fBpassword_changing_service\fP -.sp -\fI+password_changing_service\fP sets a flag in the attributes field marking this as a password change service principal -(useless for most things). -\fI\-password_changing_service\fP clears the flag. This flag intentionally has a long name. -The default is \fI\-password_changing_service\fP. -In effect, \fI+password_changing_service\fP sets the \fIKRB5_KDB_PWCHANGE_SERVICE\fP flag on the principal in the database. -.TP -.B \fB\-randkey\fP -.sp -sets the key of the principal to a random value -.TP -.B \fB\-pw\fP \fIpassword\fP -.sp -sets the key of the principal to the specified string and does not prompt for a password. Note: using this option in a -shell script can be dangerous if unauthorized users gain read access to the script. -.TP -.B \fB\-e\fP "enc:salt ..." -.sp -uses the specified list of enctype\-salttype pairs for setting the key of the principal. The quotes are necessary if -there are multiple enctype\-salttype pairs. This will not function against \fIkadmin\fP daemons earlier than krb5\-1.2. -.UNINDENT -.sp -EXAMPLE: -.sp -.nf -.ft C -kadmin: addprinc jennifer -WARNING: no policy specified for "jennifer@ATHENA.MIT.EDU"; -defaulting to no policy. -Enter password for principal jennifer@ATHENA.MIT.EDU: <= Type the password. -Re\-enter password for principal jennifer@ATHENA.MIT.EDU: <=Type it again. -Principal "jennifer@ATHENA.MIT.EDU" created. -kadmin: -.ft P -.fi -.sp -ERRORS: -.sp -.nf -.ft C -KADM5_AUTH_ADD (requires "add" privilege) -KADM5_BAD_MASK (shouldn\(aqt happen) -KADM5_DUP (principal exists already) -KADM5_UNK_POLICY (policy does not exist) -KADM5_PASS_Q_* (password quality violations) -.ft P -.fi -.UNINDENT -.UNINDENT -.UNINDENT -.SS modify_principal -.INDENT 0.0 -.INDENT 3.5 -.INDENT 0.0 -.TP -.B \fBmodify_principal\fP [options] \fIprincipal\fP -.sp -Modifies the specified principal, changing the fields as specified. The options are as above for \fIadd_principal\fP, except that -password changing and flags related to password changing are forbidden by this command. -In addition, the option \fI\-clearpolicy\fP will clear the current policy of a principal. -.INDENT 7.0 -.INDENT 3.5 -.IP Note -. -This command requires the \fImodify\fP privilege. -.RE -.UNINDENT -.UNINDENT -.sp -Alias: -.sp -.nf -.ft C -modprinc -.ft P -.fi -.sp -The options are: -.INDENT 7.0 -.TP -.B \fB\-x\fP \fIdb_princ_args\fP -.sp -Denotes the database specific options. -.sp -The options for LDAP database are: -.INDENT 7.0 -.TP -.B \fB\-x\fP tktpolicy= -.sp -Associates a ticket policy to the Kerberos principal. -.TP -.B \fB\-x\fP linkdn= -.sp -Associates a Kerberos principal with a LDAP object. This option is honored only if the Kerberos principal is not -already associated with a LDAP object. -.UNINDENT -.TP -.B \fB\-unlock\fP -.sp -Unlocks a locked principal (one which has received too many failed authentication attempts without enough time between -them according to its password policy) so that it can successfully authenticate. -.UNINDENT -.sp -ERRORS: -.sp -.nf -.ft C -KADM5_AUTH_MODIFY (requires "modify" privilege) -KADM5_UNK_PRINC (principal does not exist) -KADM5_UNK_POLICY (policy does not exist) -KADM5_BAD_MASK (shouldn\(aqt happen) -.ft P -.fi -.UNINDENT -.UNINDENT -.UNINDENT -.SS delete_principal -.INDENT 0.0 -.INDENT 3.5 -.INDENT 0.0 -.TP -.B \fBdelete_principal\fP [ \fI\-force\fP ] \fIprincipal\fP -.sp -Deletes the specified \fIprincipal\fP from the database. This command prompts for deletion, unless the \fI\-force\fP option is given. -.INDENT 7.0 -.INDENT 3.5 -.IP Note -. -This command requires the \fIdelete\fP privilege. -.RE -.UNINDENT -.UNINDENT -.sp -Alias: -.sp -.nf -.ft C -delprinc -.ft P -.fi -.sp -ERRORS: -.sp -.nf -.ft C -KADM5_AUTH_DELETE (requires "delete" privilege) -KADM5_UNK_PRINC (principal does not exist) -.ft P -.fi -.UNINDENT -.UNINDENT -.UNINDENT -.SS change_password -.INDENT 0.0 -.INDENT 3.5 -.INDENT 0.0 -.TP -.B \fBchange_password\fP [options] \fIprincipal\fP -.sp -Changes the password of \fIprincipal\fP. Prompts for a new password if neither \fI\-randkey\fP or \fI\-pw\fP is specified. -.INDENT 7.0 -.INDENT 3.5 -.IP Note -. -Requires the \fIchangepw\fP privilege, or that the principal that is running the program to be the same as the one changed. -.RE -.UNINDENT -.UNINDENT -.sp -Alias: -.sp -.nf -.ft C -cpw -.ft P -.fi -.sp -The following options are available: -.INDENT 7.0 -.TP -.B \fB\-randkey\fP -.sp -Sets the key of the principal to a random value -.TP -.B \fB\-pw\fP \fIpassword\fP -.sp -Set the password to the specified string. Not recommended. -.TP -.B \fB\-e\fP "enc:salt ..." -.sp -Uses the specified list of enctype\-salttype pairs for setting the key of the principal. The quotes are necessary if -there are multiple enctype\-salttype pairs. This will not function against \fIkadmin\fP daemons earlier than krb5\-1.2. -See \fISupported_Encryption_Types_and_Salts\fP for possible values. -.TP -.B \fB\-keepold\fP -.sp -Keeps the previous kvno\(aqs keys around. This flag is usually not necessary except perhaps for TGS keys. Don\(aqt use this -flag unless you know what you\(aqre doing. This option is not supported for the LDAP database. -.UNINDENT -.sp -EXAMPLE: -.sp -.nf -.ft C -kadmin: cpw systest -Enter password for principal systest@BLEEP.COM: -Re\-enter password for principal systest@BLEEP.COM: -Password for systest@BLEEP.COM changed. -kadmin: -.ft P -.fi -.sp -ERRORS: -.sp -.nf -.ft C -KADM5_AUTH_MODIFY (requires the modify privilege) -KADM5_UNK_PRINC (principal does not exist) -KADM5_PASS_Q_* (password policy violation errors) -KADM5_PADD_REUSE (password is in principal\(aqs password -history) -KADM5_PASS_TOOSOON (current password minimum life not -expired) -.ft P -.fi -.UNINDENT -.UNINDENT -.UNINDENT -.SS purgekeys -.INDENT 0.0 -.INDENT 3.5 -.INDENT 0.0 -.TP -.B \fBpurgekeys\fP [\fI\-keepkvno oldest_kvno_to_keep\fP ] \fIprincipal\fP -.sp -Purges previously retained old keys (e.g., from \fIchange_password \-keepold\fP) from \fIprincipal\fP. -If \fB\-keepkvno\fP is specified, then only purges keys with kvnos lower than \fIoldest_kvno_to_keep\fP. -.UNINDENT -.UNINDENT -.UNINDENT -.SS get_principal -.INDENT 0.0 -.INDENT 3.5 -.INDENT 0.0 -.TP -.B \fBget_principal\fP [\fI\-terse\fP] \fIprincipal\fP -.sp -Gets the attributes of principal. -With the \fB\-terse\fP option, outputs fields as quoted tab\-separated strings. -.INDENT 7.0 -.INDENT 3.5 -.IP Note -. -Requires the \fIinquire\fP privilege, or that the principal that is running the the program to be the same as the one being listed. -.RE -.UNINDENT -.UNINDENT -.sp -Alias: -.sp -.nf -.ft C -getprinc -.ft P -.fi -.sp -EXAMPLES: -.sp -.nf -.ft C -kadmin: getprinc tlyu/admin -Principal: tlyu/admin@BLEEP.COM -Expiration date: [never] -Last password change: Mon Aug 12 14:16:47 EDT 1996 -Password expiration date: [none] -Maximum ticket life: 0 days 10:00:00 -Maximum renewable life: 7 days 00:00:00 -Last modified: Mon Aug 12 14:16:47 EDT 1996 (bjaspan/admin@BLEEP.COM) -Last successful authentication: [never] -Last failed authentication: [never] -Failed password attempts: 0 -Number of keys: 2 -Key: vno 1, DES cbc mode with CRC\-32, no salt -Key: vno 1, DES cbc mode with CRC\-32, Version 4 -Attributes: -Policy: [none] - - -kadmin: getprinc \-terse systest -systest@BLEEP.COM 3 86400 604800 1 -785926535 753241234 785900000 -tlyu/admin@BLEEP.COM 786100034 0 0 -kadmin: -.ft P -.fi -.sp -ERRORS: -.sp -.nf -.ft C -KADM5_AUTH_GET (requires the get (inquire) privilege) -KADM5_UNK_PRINC (principal does not exist) -.ft P -.fi -.UNINDENT -.UNINDENT -.UNINDENT -.SS list_principals -.INDENT 0.0 -.INDENT 3.5 -.INDENT 0.0 -.TP -.B \fBlist_principals\fP [expression] -.sp -Retrieves all or some principal names. -Expression is a shell\-style glob expression that can contain the wild\-card characters ?, *, and []\(aqs. -All principal names matching the expression are printed. -If no expression is provided, all principal names are printed. -If the expression does not contain an "@" character, an "@" character followed by the local realm is appended to the expression. -.INDENT 7.0 -.INDENT 3.5 -.IP Note -. -Requires the \fIlist\fP privilege. -.RE -.UNINDENT -.UNINDENT -.sp -Aliases: -.sp -.nf -.ft C -listprincs get_principals get_princs -.ft P -.fi -.sp -EXAMPLES: -.sp -.nf -.ft C -kadmin: listprincs test* -test3@SECURE\-TEST.OV.COM -test2@SECURE\-TEST.OV.COM -test1@SECURE\-TEST.OV.COM -testuser@SECURE\-TEST.OV.COM -kadmin: -.ft P -.fi -.UNINDENT -.UNINDENT -.UNINDENT -.SS get_strings -.INDENT 0.0 -.INDENT 3.5 -.INDENT 0.0 -.TP -.B \fBget_strings\fP \fIprincipal\fP -.sp -Displays string attributes on \fIprincipal\fP. -String attributes are used to supply per\-principal configuration to some KDC plugin modules. -.sp -Alias: -.sp -.nf -.ft C -getstr -.ft P -.fi -.UNINDENT -.UNINDENT -.UNINDENT -.SS set_string -.INDENT 0.0 -.INDENT 3.5 -.INDENT 0.0 -.TP -.B \fBset_string\fP \fIprincipal\fP \fIkey\fP \fIvalue\fP -.sp -Sets a string attribute on \fIprincipal\fP. -.sp -Alias: -.sp -.nf -.ft C -setstr -.ft P -.fi -.UNINDENT -.UNINDENT -.UNINDENT -.SS del_string -.INDENT 0.0 -.INDENT 3.5 -.INDENT 0.0 -.TP -.B \fBdel_string\fP \fIprincipal\fP \fIkey\fP -.sp -Deletes a string attribute from \fIprincipal\fP. -.sp -Alias: -.sp -.nf -.ft C -delstr -.ft P -.fi -.UNINDENT -.UNINDENT -.UNINDENT -.SS add_policy -.INDENT 0.0 -.INDENT 3.5 -.INDENT 0.0 -.TP -.B \fBadd_policy\fP [options] \fIpolicy\fP -.sp -Adds the named \fIpolicy\fP to the policy database. -.INDENT 7.0 -.INDENT 3.5 -.IP Note -. -Requires the \fIadd\fP privilege. -.RE -.UNINDENT -.UNINDENT -.sp -Alias: -.sp -.nf -.ft C -addpol -.ft P -.fi -.sp -The following options are available: -.INDENT 7.0 -.TP -.B \fB\-maxlife\fP \fItime\fP -.sp -sets the maximum lifetime of a password -.TP -.B \fB\-minlife\fP \fItime\fP -.sp -sets the minimum lifetime of a password -.TP -.B \fB\-minlength\fP \fIlength\fP -.sp -sets the minimum length of a password -.TP -.B \fB\-minclasses\fP \fInumber\fP -.sp -sets the minimum number of character classes allowed in a password -.TP -.B \fB\-history\fP \fInumber\fP -.sp -sets the number of past keys kept for a principal. This option is not supported for LDAP database -.TP -.B \fB\-maxfailure\fP \fImaxnumber\fP -.sp -sets the maximum number of authentication failures before the principal is locked. -Authentication failures are only tracked for principals which require preauthentication. -.TP -.B \fB\-failurecountinterval\fP \fIfailuretime\fP -.sp -sets the allowable time between authentication failures. -If an authentication failure happens after \fIfailuretime\fP has elapsed since the previous failure, -the number of authentication failures is reset to 1. -.TP -.B \fB\-lockoutduration\fP \fIlockouttime\fP -.sp -sets the duration for which the principal is locked from authenticating if too many authentication failures occur without -the specified failure count interval elapsing. A duration of 0 means forever. -.UNINDENT -.sp -EXAMPLES: -.sp -.nf -.ft C -kadmin: add_policy \-maxlife "2 days" \-minlength 5 guests -kadmin: -.ft P -.fi -.sp -ERRORS: -.sp -.nf -.ft C -KADM5_AUTH_ADD (requires the add privilege) -KADM5_DUP (policy already exists) -.ft P -.fi -.UNINDENT -.UNINDENT -.UNINDENT -.SS modify_policy -.INDENT 0.0 -.INDENT 3.5 -.INDENT 0.0 -.TP -.B \fBmodify_policy\fP [options] \fIpolicy\fP -.sp -modifies the named \fIpolicy\fP. Options are as above for \fIadd_policy\fP. -.INDENT 7.0 -.INDENT 3.5 -.IP Note -. -Requires the \fImodify\fP privilege. -.RE -.UNINDENT -.UNINDENT -.sp -Alias: -.sp -.nf -.ft C -modpol -.ft P -.fi -.sp -ERRORS: -.sp -.nf -.ft C -KADM5_AUTH_MODIFY (requires the modify privilege) -KADM5_UNK_POLICY (policy does not exist) -.ft P -.fi -.UNINDENT -.UNINDENT -.UNINDENT -.SS delete_policy -.INDENT 0.0 -.INDENT 3.5 -.INDENT 0.0 -.TP -.B \fBdelete_policy\fP [ \fI\-force\fP ] \fIpolicy\fP -.sp -deletes the named \fIpolicy\fP. Prompts for confirmation before deletion. -The command will fail if the policy is in use by any principals. -.INDENT 7.0 -.INDENT 3.5 -.IP Note -. -Requires the \fIdelete\fP privilege. -.RE -.UNINDENT -.UNINDENT -.sp -Alias: -.sp -.nf -.ft C -delpol -.ft P -.fi -.sp -EXAMPLE: -.sp -.nf -.ft C -kadmin: del_policy guests -Are you sure you want to delete the policy "guests"? -(yes/no): yes -kadmin: -.ft P -.fi -.sp -ERRORS: -.sp -.nf -.ft C -KADM5_AUTH_DELETE (requires the delete privilege) -KADM5_UNK_POLICY (policy does not exist) -KADM5_POLICY_REF (reference count on policy is not zero) -.ft P -.fi -.UNINDENT -.UNINDENT -.UNINDENT -.SS get_policy -.INDENT 0.0 -.INDENT 3.5 -.INDENT 0.0 -.TP -.B \fBget_policy\fP [ \fB\-terse\fP ] \fIpolicy\fP -.sp -displays the values of the named \fIpolicy\fP. -With the \fB\-terse\fP flag, outputs the fields as quoted strings separated by tabs. -.INDENT 7.0 -.INDENT 3.5 -.IP Note -. -Requires the \fIinquire\fP privilege. -.RE -.UNINDENT -.UNINDENT -.sp -Alias: -.sp -.nf -.ft C -getpol -.ft P -.fi -.sp -EXAMPLES: -.sp -.nf -.ft C -kadmin: get_policy admin -Policy: admin -Maximum password life: 180 days 00:00:00 -Minimum password life: 00:00:00 -Minimum password length: 6 -Minimum number of password character classes: 2 -Number of old keys kept: 5 -Reference count: 17 - -kadmin: get_policy \-terse admin -admin 15552000 0 6 2 5 17 -kadmin: -.ft P -.fi -.sp -The \fIReference count\fP is the number of principals using that policy. -.sp -ERRORS: -.sp -.nf -.ft C -KADM5_AUTH_GET (requires the get privilege) -KADM5_UNK_POLICY (policy does not exist) -.ft P -.fi -.UNINDENT -.UNINDENT -.UNINDENT -.SS list_policies -.INDENT 0.0 -.INDENT 3.5 -.INDENT 0.0 -.TP -.B \fBlist_policies\fP [expression] -.sp -Retrieves all or some policy names. Expression is a shell\-style glob expression that can contain the wild\-card characters ?, *, and []\(aqs. -All policy names matching the expression are printed. -If no expression is provided, all existing policy names are printed. -.INDENT 7.0 -.INDENT 3.5 -.IP Note -. -Requires the \fIlist\fP privilege. -.RE -.UNINDENT -.UNINDENT -.sp -Alias: -.sp -.nf -.ft C -listpols, get_policies, getpols. -.ft P -.fi -.sp -EXAMPLES: -.sp -.nf -.ft C -kadmin: listpols -test\-pol -dict\-only -once\-a\-min -test\-pol\-nopw - -kadmin: listpols t* -test\-pol -test\-pol\-nopw -kadmin: -.ft P -.fi -.UNINDENT -.UNINDENT -.UNINDENT -.SS ktadd -.INDENT 0.0 -.INDENT 3.5 -.INDENT 0.0 -.TP -.B \fBktadd\fP [[\fIprincipal\fP | \fB\-glob\fP \fIprinc\-exp\fP] -.sp -Adds a \fIprincipal\fP or all principals matching \fIprinc\-exp\fP to a keytab file. -It randomizes each principal\(aqs key in the process, to prevent a compromised admin account from reading out all of the keys from the database. -The rules for principal expression are the same as for the \fIkadmin\fP \fI\%list_principals\fP command. -.INDENT 7.0 -.INDENT 3.5 -.IP Note -. -Requires the \fIinquire\fP and \fIchangepw\fP privileges. -.sp -If you use the \fI\-glob\fP option, it also requires the \fIlist\fP administrative privilege. -.RE -.UNINDENT -.UNINDENT -.sp -The options are: -.INDENT 7.0 -.TP -.B \fB\-k[eytab]\fP \fIkeytab\fP -.sp -Use \fIkeytab\fP as the keytab file. Otherwise, \fIktadd\fP will use the default keytab file (\fI/etc/krb5.keytab\fP). -.TP -.B \fB\-e\fP \fI"enc:salt..."\fP -.sp -Use the specified list of enctype\-salttype pairs for setting the key of the principal. -The enctype\-salttype pairs may be delimited with commas or whitespace. -The quotes are necessary for whitespace\-delimited list. -If this option is not specified, then \fIsupported_enctypes\fP from \fIkrb5.conf\fP will be used. -See \fISupported_Encryption_Types_and_Salts\fP for all possible values. -.TP -.B \fB\-q\fP -.sp -Run in quiet mode. This causes \fIktadd\fP to display less verbose information. -.TP -.B \fB\-norandkey\fP -.sp -Do not randomize the keys. The keys and their version numbers stay unchanged. -That allows users to continue to use the passwords they know to login normally, -while simultaneously allowing scripts to login to the same account using a \fIkeytab\fP. -There is no significant security risk added since \fIkadmin.local\fP must be run by root on the KDC anyway. -This option is only available in \fIkadmin.local\fP and cannot be specified in combination with \fI\-e\fP option. -.UNINDENT -.IP Note -. -An entry for each of the principal\(aqs unique encryption types is added, ignoring multiple keys with the same encryption type but different salt types. -.RE -.sp -EXAMPLE: -.sp -.nf -.ft C -kadmin: ktadd \-k /tmp/foo\-new\-keytab host/foo.mit.edu -Entry for principal host/foo.mit.edu@ATHENA.MIT.EDU with - kvno 3, encryption type DES\-CBC\-CRC added to keytab - WRFILE:/tmp/foo\-new\-keytab -kadmin: -.ft P -.fi -.UNINDENT -.UNINDENT -.UNINDENT -.SS ktremove -.INDENT 0.0 -.INDENT 3.5 -.INDENT 0.0 -.TP -.B \fBktremove\fP \fIprincipal\fP [\fIkvno\fP | \fIall\fP | \fIold\fP] -.sp -Removes entries for the specified \fIprincipal\fP from a keytab. Requires no permissions, since this does not require database access. -.sp -If the string "all" is specified, all entries for that principal are removed; -if the string "old" is specified, all entries for that principal except those with the highest kvno are removed. -Otherwise, the value specified is parsed as an integer, and all entries whose \fIkvno\fP match that integer are removed. -.sp -The options are: -.INDENT 7.0 -.TP -.B \fB\-k[eytab]\fP \fIkeytab\fP -.sp -Use keytab as the keytab file. Otherwise, \fIktremove\fP will use the default keytab file (\fI/etc/krb5.keytab\fP). -.TP -.B \fB\-q\fP -.sp -Run in quiet mode. This causes \fIktremove\fP to display less verbose information. -.UNINDENT -.sp -EXAMPLE: -.sp -.nf -.ft C -kadmin: ktremove \-k /usr/local/var/krb5kdc/kadmind.keytab kadmin/admin all -Entry for principal kadmin/admin with kvno 3 removed - from keytab WRFILE:/usr/local/var/krb5kdc/kadmind.keytab. -kadmin: -.ft P -.fi -.UNINDENT -.UNINDENT -.UNINDENT -.SH FILES -.IP Note -. -The first three files are specific to db2 database. -.RE -.TS -center; -|l|l|. -_ -T{ -principal.db -T} T{ -default name for Kerberos principal database -T} -_ -T{ -.kadm5 -T} T{ -KADM5 administrative database. (This would be "principal.kadm5", if you use the default database name.) Contains policy information. -T} -_ -T{ -.kadm5.lock -T} T{ -Lock file for the KADM5 administrative database. This file works backwards from most other lock files. I.e., \fIkadmin\fP will exit with an error if this file does not exist. -T} -_ -T{ -kadm5.acl -T} T{ -File containing list of principals and their \fIkadmin\fP administrative privileges. See kadmind(8) for a description. -T} -_ -T{ -kadm5.keytab -T} T{ -\fIkeytab\fP file for \fIkadmin/admin\fP principal. -T} -_ -T{ -kadm5.dict -T} T{ -file containing dictionary of strings explicitly disallowed as passwords. -T} -_ -.TE -.SH HISTORY -.sp -The \fIkadmin\fP program was originally written by Tom Yu at MIT, as an interface to the OpenVision Kerberos administration program. -.SH SEE ALSO -.sp -kerberos(1), kpasswd(1), kadmind(8) -.SH AUTHOR -MIT -.SH COPYRIGHT -2011, MIT -.\" Generated by docutils manpage writer. -. diff --git a/src/man/kadmin.man b/src/man/kadmin.man new file mode 100644 index 000000000..6ab1a18a2 --- /dev/null +++ b/src/man/kadmin.man @@ -0,0 +1,1065 @@ +.TH "KADMIN" "1" " " "0.0.1" "MIT Kerberos" +.SH NAME +kadmin \- Kerberos V5 database administration program +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.\" Man page generated from reStructeredText. +. +.SH SYNOPSIS +.sp +\fBkadmin\fP +[\fB\-O\fP|\fB\-N\fP] +[\fB\-r\fP \fIrealm\fP] +[\fB\-p\fP \fIprincipal\fP] +[\fB\-q\fP \fIquery\fP] +[[\fB\-c\fP \fIcache_name\fP]|[\fB\-k\fP [\fB\-t\fP \fIkeytab\fP]]|\fB\-n\fP] +[\fB\-w\fP \fIpassword\fP] +[\fB\-s\fP \fIadmin_server\fP[:\fIport\fP]] +.sp +\fBkadmin.local\fP +[\fB\-r\fP \fIrealm\fP] +[\fB\-p\fP \fIprincipal\fP] +[\fB\-q\fP \fIquery\fP] +[\fB\-d\fP \fIdbname\fP] +[\fB\-e\fP \fIenc\fP:\fIsalt\fP ...] +[\fB\-m\fP] +[\fB\-x\fP \fIdb_args\fP] +.SH DESCRIPTION +.sp +kadmin and kadmin.local are command\-line interfaces to the Kerberos V5 +administration system. They provide nearly identical functionalities; +the difference is that kadmin.local directly accesses the KDC +database, while kadmin performs operations using \fIkadmind(8)\fP. +Except as explicitly noted otherwise, this man page will use "kadmin" +to refer to both versions. kadmin provides for the maintenance of +Kerberos principals, password policies, and service key tables +(keytabs). +.sp +The remote kadmin client uses Kerberos to authenticate to kadmind +using the service principal \fBkadmin/ADMINHOST\fP (where \fIADMINHOST\fP is +the fully\-qualified hostname of the admin server) or \fBkadmin/admin\fP. +If the credentials cache contains a ticket for one of these +principals, and the \fB\-c\fP credentials_cache option is specified, that +ticket is used to authenticate to kadmind. Otherwise, the \fB\-p\fP and +\fB\-k\fP options are used to specify the client Kerberos principal name +used to authenticate. Once kadmin has determined the principal name, +it requests a service ticket from the KDC, and uses that service +ticket to authenticate to kadmind. +.sp +Since kadmin.local directly accesses the KDC database, it usually must +be run directly on the master KDC with sufficient permissions to read +the KDC database. If the KDC database uses the LDAP database module, +kadmin.local can be run on any host which can access the LDAP server. +.SH OPTIONS +.INDENT 0.0 +.TP +.B \fB\-r\fP \fIrealm\fP +.sp +Use \fIrealm\fP as the default database realm. +.TP +.B \fB\-p\fP \fIprincipal\fP +.sp +Use \fIprincipal\fP to authenticate. Otherwise, kadmin will append +\fB/admin\fP to the primary principal name of the default ccache, +the value of the \fBUSER\fP environment variable, or the username as +obtained with getpwuid, in order of preference. +.TP +.B \fB\-k\fP +.sp +Use a keytab to decrypt the KDC response instead of prompting for +a password. In this case, the default principal will be +\fBhost/hostname\fP. If there is no keytab specified with the +\fB\-t\fP option, then the default keytab will be used. +.TP +.B \fB\-t\fP \fIkeytab\fP +.sp +Use \fIkeytab\fP to decrypt the KDC response. This can only be used +with the \fB\-k\fP option. +.TP +.B \fB\-n\fP +.sp +Requests anonymous processing. Two types of anonymous principals +are supported. For fully anonymous Kerberos, configure PKINIT on +the KDC and configure \fBpkinit_anchors\fP in the client\(aqs +\fIkrb5.conf(5)\fP. Then use the \fB\-n\fP option with a principal +of the form \fB@REALM\fP (an empty principal name followed by the +at\-sign and a realm name). If permitted by the KDC, an anonymous +ticket will be returned. A second form of anonymous tickets is +supported; these realm\-exposed tickets hide the identity of the +client but not the client\(aqs realm. For this mode, use \fBkinit +\-n\fP with a normal principal name. If supported by the KDC, the +principal (but not realm) will be replaced by the anonymous +principal. As of release 1.8, the MIT Kerberos KDC only supports +fully anonymous operation. +.TP +.B \fB\-c\fP \fIcredentials_cache\fP +.sp +Use \fIcredentials_cache\fP as the credentials cache. The +cache should contain a service ticket for the \fBkadmin/ADMINHOST\fP +(where \fIADMINHOST\fP is the fully\-qualified hostname of the admin +server) or \fBkadmin/admin\fP service; it can be acquired with the +\fIkinit(1)\fP program. If this option is not specified, kadmin +requests a new service ticket from the KDC, and stores it in its +own temporary ccache. +.TP +.B \fB\-w\fP \fIpassword\fP +.sp +Use \fIpassword\fP instead of prompting for one. Use this option with +care, as it may expose the password to other users on the system +via the process list. +.TP +.B \fB\-q\fP \fIquery\fP +.sp +Perform the specified query and then exit. This can be useful for +writing scripts. +.TP +.B \fB\-d\fP \fIdbname\fP +.sp +Specifies the name of the KDC database. This option does not +apply to the LDAP database module. +.TP +.B \fB\-s\fP \fIadmin_server\fP[:\fIport\fP] +.sp +Specifies the admin server which kadmin should contact. +.TP +.B \fB\-m\fP +.sp +If using kadmin.local, prompt for the database master password +instead of reading it from a stash file. +.TP +.B \fB\-e\fP "\fIenc\fP:\fIsalt\fP ..." +.sp +Sets the list of encryption types and salt types to be used for +any new keys created. See \fIEncryption_and_salt_types\fP in +\fIkdc.conf(5)\fP for a list of possible values. +.TP +.B \fB\-O\fP +.sp +Force use of old AUTH_GSSAPI authentication flavor. +.TP +.B \fB\-N\fP +.sp +Prevent fallback to AUTH_GSSAPI authentication flavor. +.TP +.B \fB\-x\fP \fIdb_args\fP +.sp +Specifies the database specific arguments. Options supported for +the LDAP database module are: +.INDENT 7.0 +.TP +.B \fB\-x host=\fP\fIhostname\fP +.sp +specifies the LDAP server to connect to by a LDAP URI. +.TP +.B \fB\-x binddn=\fP\fIbind_dn\fP +.sp +specifies the DN of the object used by the administration +server to bind to the LDAP server. This object should have +the read and write privileges on the realm container, the +principal container, and the subtree that is referenced by the +realm. +.TP +.B \fB\-x bindpwd=\fP\fIbind_password\fP +.sp +specifies the password for the above mentioned binddn. Using +this option may expose the password to other users on the +system via the process list; to avoid this, instead stash the +password using the \fBstashsrvpw\fP command of +\fIkdb5_ldap_util(8)\fP. +.UNINDENT +.UNINDENT +.SH DATE FORMAT +.sp +Many of the kadmin commands take a duration or time as an +argument. The date can appear in a wide variety of formats, such as: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +1 month ago +2 hours ago +400000 seconds ago +last year +this Monday +next Monday +yesterday +tomorrow +now +second Monday +fortnight ago +3/31/92 10:00:07 PST +January 23, 1987 10:05pm +22:00 GMT +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +Dates which do not have the "ago" specifier default to being absolute +dates, unless they appear in a field where a duration is expected. In +that case the time specifier will be interpreted as relative. +Specifying "ago" in a duration may result in unexpected behavior. +.sp +The following is a list of all of the allowable keywords. +.TS +center; +|l|l|. +_ +T{ +Months +T} T{ +january, jan, february, feb, march, mar, april, apr, may, +june, jun, july, jul, august, aug, september, sep, sept, +october, oct, november, nov, december, dec +T} +_ +T{ +Days +T} T{ +sunday, sun, monday, mon, tuesday, tues, tue, wednesday, +wednes, wed, thursday, thurs, thur, thu, friday, fri, +saturday, sat +T} +_ +T{ +Units +T} T{ +year, month, fortnight, week, day, hour, minute, min, +second, sec +T} +_ +T{ +Relative +T} T{ +tomorrow, yesterday, today, now, last, this, next, first, +second, third, fourth, fifth, sixth, seventh, eighth, +ninth, tenth, eleventh, twelfth, ago +T} +_ +T{ +Time Zones +T} T{ +kadmin recognizes abbreviations for most of the world\(aqs +time zones. +T} +_ +T{ +Meridians +T} T{ +am, pm +T} +_ +.TE +.SH COMMANDS +.sp +When using the remote client, available commands may be restricted +according to the privileges specified in the kadm5.acl file on the +admin server. +.SS add_principal +.INDENT 0.0 +.INDENT 3.5 +.sp +\fBadd_principal\fP [\fIoptions\fP] \fInewprinc\fP +.UNINDENT +.UNINDENT +.sp +Creates the principal \fInewprinc\fP, prompting twice for a password. If +no password policy is specified with the \fB\-policy\fP option, and the +policy named \fBdefault\fP is assigned to the principal if it exists. +However, creating a policy named \fBdefault\fP will not automatically +assign this policy to previously existing principals. This policy +assignment can be suppressed with the \fB\-clearpolicy\fP option. +.sp +This command requires the \fBadd\fP privilege. +.sp +Aliases: \fBaddprinc\fP, \fBank\fP +.sp +Options: +.INDENT 0.0 +.TP +.B \fB\-expire\fP \fIexpdate\fP +.sp +expiration date of the principal +.TP +.B \fB\-pwexpire\fP \fIpwexpdate\fP +.sp +password expiration date +.TP +.B \fB\-maxlife\fP \fImaxlife\fP +.sp +maximum ticket life for the principal +.TP +.B \fB\-maxrenewlife\fP \fImaxrenewlife\fP +.sp +maximum renewable life of tickets for the principal +.TP +.B \fB\-kvno\fP \fIkvno\fP +.sp +initial key version number +.TP +.B \fB\-policy\fP \fIpolicy\fP +.sp +password policy used by this principal. If not specified, the +policy \fBdefault\fP is used if it exists (unless \fB\-clearpolicy\fP +is specified). +.TP +.B \fB\-clearpolicy\fP +.sp +prevents any policy from being assigned when \fB\-policy\fP is not +specified. +.TP +.B {\-|+}\fBallow_postdated\fP +.sp +\fB\-allow_postdated\fP prohibits this principal from obtaining +postdated tickets. \fB+allow_postdated\fP clears this flag. +.TP +.B {\-|+}\fBallow_forwardable\fP +.sp +\fB\-allow_forwardable\fP prohibits this principal from obtaining +forwardable tickets. \fB+allow_forwardable\fP clears this flag. +.TP +.B {\-|+}\fBallow_renewable\fP +.sp +\fB\-allow_renewable\fP prohibits this principal from obtaining +renewable tickets. \fB+allow_renewable\fP clears this flag. +.TP +.B {\-|+}\fBallow_proxiable\fP +.sp +\fB\-allow_proxiable\fP prohibits this principal from obtaining +proxiable tickets. \fB+allow_proxiable\fP clears this flag. +.TP +.B {\-|+}\fBallow_dup_skey\fP +.sp +\fB\-allow_dup_skey\fP disables user\-to\-user authentication for this +principal by prohibiting this principal from obtaining a session +key for another user. \fB+allow_dup_skey\fP clears this flag. +.TP +.B {\-|+}\fBrequires_preauth\fP +.sp +\fB+requires_preauth\fP requires this principal to preauthenticate +before being allowed to kinit. \fB\-requires_preauth\fP clears this +flag. +.TP +.B {\-|+}\fBrequires_hwauth\fP +.sp +\fB+requires_hwauth\fP requires this principal to preauthenticate +using a hardware device before being allowed to kinit. +\fB\-requires_hwauth\fP clears this flag. +.TP +.B {\-|+}\fBok_as_delegate\fP +.sp +\fB+ok_as_delegate\fP sets the \fBokay as delegate\fP flag on tickets +issued with this principal as the service. Clients may use this +flag as a hint that credentials should be delegated when +authenticating to the service. \fB\-ok_as_delegate\fP clears this +flag. +.TP +.B {\-|+}\fBallow_svr\fP +.sp +\fB\-allow_svr\fP prohibits the issuance of service tickets for this +principal. \fB+allow_svr\fP clears this flag. +.TP +.B {\-|+}\fBallow_tgs_req\fP +.sp +\fB\-allow_tgs_req\fP specifies that a Ticket\-Granting Service (TGS) +request for a service ticket for this principal is not permitted. +\fB+allow_tgs_req\fP clears this flag. +.TP +.B {\-|+}\fBallow_tix\fP +.sp +\fB\-allow_tix\fP forbids the issuance of any tickets for this +principal. \fB+allow_tix\fP clears this flag. +.TP +.B {\-|+}\fBneedchange\fP +.sp +\fB+needchange\fP forces a password change on the next initial +authentication to this principal. \fB\-needchange\fP clears this +flag. +.TP +.B {\-|+}\fBpassword_changing_service\fP +.sp +\fB+password_changing_service\fP marks this principal as a password +change service principal. +.TP +.B \fB\-randkey\fP +.sp +sets the key of the principal to a random value +.TP +.B \fB\-pw\fP \fIpassword\fP +.sp +sets the password of the principal to the specified string and +does not prompt for a password. Note: using this option in a +shell script may expose the password to other users on the system +via the process list. +.TP +.B \fB\-e\fP \fIenc\fP:\fIsalt\fP,... +.sp +uses the specified list of enctype\-salttype pairs for setting the +key of the principal. +.TP +.B \fB\-x\fP \fIdb_princ_args\fP +.sp +indicates database\-specific options. The options for the LDAP +database module are: +.INDENT 7.0 +.TP +.B \fB\-x dn=\fP\fIdn\fP +.sp +specifies the LDAP object that will contain the Kerberos +principal being created. +.TP +.B \fB\-x linkdn=\fP\fIdn\fP +.sp +specifies the LDAP object to which the newly created Kerberos +principal object will point. +.TP +.B \fB\-x containerdn=\fP\fIcontainer_dn\fP +.sp +specifies the container object under which the Kerberos +principal is to be created. +.TP +.B \fB\-x tktpolicy=\fP\fIpolicy\fP +.sp +associates a ticket policy to the Kerberos principal. +.UNINDENT +.IP Note +.INDENT 7.0 +.IP \(bu 2 +. +The \fBcontainerdn\fP and \fBlinkdn\fP options cannot be +specified with the \fBdn\fP option. +.IP \(bu 2 +. +If the \fIdn\fP or \fIcontainerdn\fP options are not specified while +adding the principal, the principals are created under the +principal container configured in the realm or the realm +container. +.IP \(bu 2 +. +\fIdn\fP and \fIcontainerdn\fP should be within the subtrees or +principal container configured in the realm. +.UNINDENT +.RE +.UNINDENT +.sp +Example: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +kadmin: addprinc jennifer +WARNING: no policy specified for "jennifer@ATHENA.MIT.EDU"; +defaulting to no policy. +Enter password for principal jennifer@ATHENA.MIT.EDU: +Re\-enter password for principal jennifer@ATHENA.MIT.EDU: +Principal "jennifer@ATHENA.MIT.EDU" created. +kadmin: +.ft P +.fi +.UNINDENT +.UNINDENT +.SS modify_principal +.INDENT 0.0 +.INDENT 3.5 +.sp +\fBmodify_principal\fP [\fIoptions\fP] \fIprincipal\fP +.UNINDENT +.UNINDENT +.sp +Modifies the specified principal, changing the fields as specified. +The options to \fBadd_principal\fP also apply to this command, except +for the \fB\-randkey\fP, \fB\-pw\fP, and \fB\-e\fP options. In addition, the +option \fB\-clearpolicy\fP will clear the current policy of a principal. +.sp +This command requires the \fImodify\fP privilege. +.sp +Alias: \fBmodprinc\fP +.sp +Options (in addition to the \fBaddprinc\fP options): +.INDENT 0.0 +.TP +.B \fB\-unlock\fP +.sp +Unlocks a locked principal (one which has received too many failed +authentication attempts without enough time between them according +to its password policy) so that it can successfully authenticate. +.UNINDENT +.SS rename_principal +.INDENT 0.0 +.INDENT 3.5 +.sp +\fBrename_principal\fP [\fB\-force\fP] \fIold_principal\fP \fInew_principal\fP +.UNINDENT +.UNINDENT +.sp +Renames the specified \fIold_principal\fP to \fInew_principal\fP. This +command prompts for confirmation, unless the \fB\-force\fP option is +given. +.sp +This command requires the \fBadd\fP and \fBdelete\fP privileges. +.sp +Alias: \fBrenprinc\fP +.SS delete_principal +.INDENT 0.0 +.INDENT 3.5 +.sp +\fBdelete_principal\fP [\fB\-force\fP] \fIprincipal\fP +.UNINDENT +.UNINDENT +.sp +Deletes the specified \fIprincipal\fP from the database. This command +prompts for deletion, unless the \fB\-force\fP option is given. +.sp +This command requires the \fBdelete\fP privilege. +.sp +Alias: \fBdelprinc\fP +.SS change_password +.INDENT 0.0 +.INDENT 3.5 +.sp +\fBchange_password\fP [\fIoptions\fP] \fIprincipal\fP +.UNINDENT +.UNINDENT +.sp +Changes the password of \fIprincipal\fP. Prompts for a new password if +neither \fB\-randkey\fP or \fB\-pw\fP is specified. +.sp +This command requires the \fBchangepw\fP privilege, or that the +principal running the program is the same as the principal being +changed. +.sp +Alias: \fBcpw\fP +.sp +The following options are available: +.INDENT 0.0 +.TP +.B \fB\-randkey\fP +.sp +Sets the key of the principal to a random value +.TP +.B \fB\-pw\fP \fIpassword\fP +.sp +Set the password to the specified string. Using this option in a +script may expose the password to other users on the system via +the process list. +.TP +.B \fB\-e\fP \fIenc\fP:\fIsalt\fP,... +.sp +Uses the specified list of enctype\-salttype pairs for setting the +key of the principal. +.TP +.B \fB\-keepold\fP +.sp +Keeps the existing keys in the database. This flag is usually not +necessary except perhaps for \fBkrbtgt\fP principals. +.UNINDENT +.sp +Example: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +kadmin: cpw systest +Enter password for principal systest@BLEEP.COM: +Re\-enter password for principal systest@BLEEP.COM: +Password for systest@BLEEP.COM changed. +kadmin: +.ft P +.fi +.UNINDENT +.UNINDENT +.SS purgekeys +.INDENT 0.0 +.INDENT 3.5 +.sp +\fBpurgekeys\fP [\fB\-keepkvno\fP \fIoldest_kvno_to_keep\fP] \fIprincipal\fP +.UNINDENT +.UNINDENT +.sp +Purges previously retained old keys (e.g., from \fBchange_password +\-keepold\fP) from \fIprincipal\fP. If \fB\-keepkvno\fP is specified, then +only purges keys with kvnos lower than \fIoldest_kvno_to_keep\fP. +.sp +This command requires the \fBmodify\fP privilege. +.SS get_principal +.INDENT 0.0 +.INDENT 3.5 +.sp +\fBget_principal\fP [\fB\-terse\fP] \fIprincipal\fP +.UNINDENT +.UNINDENT +.sp +Gets the attributes of principal. With the \fB\-terse\fP option, outputs +fields as quoted tab\-separated strings. +.sp +This command requires the \fBinquire\fP privilege, or that the principal +running the the program to be the same as the one being listed. +.sp +Alias: \fBgetprinc\fP +.sp +Examples: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +kadmin: getprinc tlyu/admin +Principal: tlyu/admin@BLEEP.COM +Expiration date: [never] +Last password change: Mon Aug 12 14:16:47 EDT 1996 +Password expiration date: [none] +Maximum ticket life: 0 days 10:00:00 +Maximum renewable life: 7 days 00:00:00 +Last modified: Mon Aug 12 14:16:47 EDT 1996 (bjaspan/admin@BLEEP.COM) +Last successful authentication: [never] +Last failed authentication: [never] +Failed password attempts: 0 +Number of keys: 2 +Key: vno 1, DES cbc mode with CRC\-32, no salt +Key: vno 1, DES cbc mode with CRC\-32, Version 4 +Attributes: +Policy: [none] + +kadmin: getprinc \-terse systest +systest@BLEEP.COM 3 86400 604800 1 +785926535 753241234 785900000 +tlyu/admin@BLEEP.COM 786100034 0 0 +kadmin: +.ft P +.fi +.UNINDENT +.UNINDENT +.SS list_principals +.INDENT 0.0 +.INDENT 3.5 +.sp +\fBlist_principals\fP [\fIexpression\fP] +.UNINDENT +.UNINDENT +.sp +Retrieves all or some principal names. \fIexpression\fP is a shell\-style +glob expression that can contain the wild\-card characters \fB?\fP, +\fB*\fP, and \fB[]\fP. All principal names matching the expression are +printed. If no expression is provided, all principal names are +printed. If the expression does not contain an \fB@\fP character, an +\fB@\fP character followed by the local realm is appended to the +expression. +.sp +This command requires the \fBlist\fP privilege. +.sp +Alias: \fBlistprincs\fP, \fBget_principals\fP, \fBget_princs\fP +.sp +Example: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +kadmin: listprincs test* +test3@SECURE\-TEST.OV.COM +test2@SECURE\-TEST.OV.COM +test1@SECURE\-TEST.OV.COM +testuser@SECURE\-TEST.OV.COM +kadmin: +.ft P +.fi +.UNINDENT +.UNINDENT +.SS get_strings +.INDENT 0.0 +.INDENT 3.5 +.sp +\fBget_strings\fP \fIprincipal\fP +.UNINDENT +.UNINDENT +.sp +Displays string attributes on \fIprincipal\fP. String attributes are used +to supply per\-principal configuration to some KDC plugin modules. +.sp +This command requires the \fBinquire\fP privilege. +.sp +Alias: \fBgetstr\fP +.SS set_string +.INDENT 0.0 +.INDENT 3.5 +.sp +\fBset_string\fP \fIprincipal\fP \fIkey\fP \fIvalue\fP +.UNINDENT +.UNINDENT +.sp +Sets a string attribute on \fIprincipal\fP. +.sp +This command requires the \fBmodify\fP privilege. +.sp +Alias: \fBsetstr\fP +.SS del_string +.INDENT 0.0 +.INDENT 3.5 +.sp +\fBdel_string\fP \fIprincipal\fP \fIkey\fP +.UNINDENT +.UNINDENT +.sp +Deletes a string attribute from \fIprincipal\fP. +.sp +This command requires the \fBdelete\fP privilege. +.sp +Alias: \fBdelstr\fP +.SS add_policy +.INDENT 0.0 +.INDENT 3.5 +.sp +\fBadd_policy\fP [\fIoptions\fP] \fIpolicy\fP +.UNINDENT +.UNINDENT +.sp +Adds a password policy named \fIpolicy\fP to the database. +.sp +This command requires the \fBadd\fP privilege. +.sp +Alias: \fBaddpol\fP +.sp +The following options are available: +.INDENT 0.0 +.TP +.B \fB\-maxlife\fP \fItime\fP +.sp +sets the maximum lifetime of a password +.TP +.B \fB\-minlife\fP \fItime\fP +.sp +sets the minimum lifetime of a password +.TP +.B \fB\-minlength\fP \fIlength\fP +.sp +sets the minimum length of a password +.TP +.B \fB\-minclasses\fP \fInumber\fP +.sp +sets the minimum number of character classes required in a +password. The five character classes are lower case, upper case, +numbers, punctuation, and whitespace/unprintable characters. +.TP +.B \fB\-history\fP \fInumber\fP +.sp +sets the number of past keys kept for a principal. This option is +not supported with the LDAP KDC database module. +.TP +.B \fB\-maxfailure\fP \fImaxnumber\fP +.sp +sets the maximum number of authentication failures before the +principal is locked. Authentication failures are only tracked for +principals which require preauthentication. +.TP +.B \fB\-failurecountinterval\fP \fIfailuretime\fP +.sp +sets the allowable time between authentication failures. If an +authentication failure happens after \fIfailuretime\fP has elapsed +since the previous failure, the number of authentication failures +is reset to 1. +.TP +.B \fB\-lockoutduration\fP \fIlockouttime\fP +.sp +sets the duration for which the principal is locked from +authenticating if too many authentication failures occur without +the specified failure count interval elapsing. A duration of 0 +means forever. +.UNINDENT +.sp +Example: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +kadmin: add_policy \-maxlife "2 days" \-minlength 5 guests +kadmin: +.ft P +.fi +.UNINDENT +.UNINDENT +.SS modify_policy +.INDENT 0.0 +.INDENT 3.5 +.sp +\fBmodify_policy\fP [\fIoptions\fP] \fIpolicy\fP +.UNINDENT +.UNINDENT +.sp +Modifies the password policy named \fIpolicy\fP. Options are as described +for \fBadd_policy\fP. +.sp +This command requires the \fBmodify\fP privilege. +.sp +Alias: \fBmodpol\fP +.SS delete_policy +.INDENT 0.0 +.INDENT 3.5 +.sp +\fBdelete_policy\fP [\fB\-force\fP] \fIpolicy\fP +.UNINDENT +.UNINDENT +.sp +Deletes the password policy named \fIpolicy\fP. Prompts for confirmation +before deletion. The command will fail if the policy is in use by any +principals. +.sp +This command requires the \fBdelete\fP privilege. +.sp +Alias: \fBdelpol\fP +.sp +Example: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +kadmin: del_policy guests +Are you sure you want to delete the policy "guests"? +(yes/no): yes +kadmin: +.ft P +.fi +.UNINDENT +.UNINDENT +.SS get_policy +.INDENT 0.0 +.INDENT 3.5 +.sp +\fBget_policy\fP [ \fB\-terse\fP ] \fIpolicy\fP +.UNINDENT +.UNINDENT +.sp +Displays the values of the password policy named \fIpolicy\fP. With the +\fB\-terse\fP flag, outputs the fields as quoted strings separated by +tabs. +.sp +This command requires the \fBinquire\fP privilege. +.sp +Alias: getpol +.sp +Examples: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +kadmin: get_policy admin +Policy: admin +Maximum password life: 180 days 00:00:00 +Minimum password life: 00:00:00 +Minimum password length: 6 +Minimum number of password character classes: 2 +Number of old keys kept: 5 +Reference count: 17 + +kadmin: get_policy \-terse admin +admin 15552000 0 6 2 5 17 +kadmin: +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +The "Reference count" is the number of principals using that policy. +With the LDAP KDC database module, the reference count field is not +meaningful. +.SS list_policies +.INDENT 0.0 +.INDENT 3.5 +.sp +\fBlist_policies\fP [\fIexpression\fP] +.UNINDENT +.UNINDENT +.sp +Retrieves all or some policy names. \fIexpression\fP is a shell\-style +glob expression that can contain the wild\-card characters \fB?\fP, +\fB*\fP, and \fB[]\fP. All policy names matching the expression are +printed. If no expression is provided, all existing policy names are +printed. +.sp +This command requires the \fBlist\fP privilege. +.sp +Aliases: \fBlistpols\fP, \fBget_policies\fP, \fBgetpols\fP. +.sp +Examples: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +kadmin: listpols +test\-pol +dict\-only +once\-a\-min +test\-pol\-nopw + +kadmin: listpols t* +test\-pol +test\-pol\-nopw +kadmin: +.ft P +.fi +.UNINDENT +.UNINDENT +.SS ktadd +.INDENT 0.0 +.INDENT 3.5 +.sp +\fBktadd\fP [[\fIprincipal\fP|\fB\-glob\fP \fIprinc\-exp\fP] +.UNINDENT +.UNINDENT +.sp +Adds a \fIprincipal\fP, or all principals matching \fIprinc\-exp\fP, to a +keytab file. Each principal\(aqs keys are randomized in the process. +The rules for \fIprinc\-exp\fP are described in the \fBlist_principals\fP +command. +.sp +This command requires the \fBinquire\fP and \fBchangepw\fP privileges. +With the \fB\-glob\fP option, it also requires the \fBlist\fP privilege. +.sp +The options are: +.INDENT 0.0 +.TP +.B \fB\-k[eytab]\fP \fIkeytab\fP +.sp +Use \fIkeytab\fP as the keytab file. Otherwise, the default keytab is +used. +.TP +.B \fB\-e\fP \fIenc\fP:\fIsalt\fP,... +.sp +Use the specified list of enctype\-salttype pairs for setting the +new keys of the principal. +.TP +.B \fB\-q\fP +.sp +Display less verbose information. +.TP +.B \fB\-norandkey\fP +.sp +Do not randomize the keys. The keys and their version numbers stay +unchanged. This option is only available in kadmin.local, and +cannot be specified in combination with the \fB\-e\fP option. +.UNINDENT +.sp +An entry for each of the principal\(aqs unique encryption types is added, +ignoring multiple keys with the same encryption type but different +salt types. +.sp +Example: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +kadmin: ktadd \-k /tmp/foo\-new\-keytab host/foo.mit.edu +Entry for principal host/foo.mit.edu@ATHENA.MIT.EDU with kvno 3, + encryption type aes256\-cts\-hmac\-sha1\-96 added to keytab + FILE:/tmp/foo\-new\-keytab +kadmin: +.ft P +.fi +.UNINDENT +.UNINDENT +.SS ktremove +.INDENT 0.0 +.INDENT 3.5 +.sp +\fBktremove\fP \fIprincipal\fP [\fIkvno\fP|\fIall\fP| \fIold\fP] +.UNINDENT +.UNINDENT +.sp +Removes entries for the specified \fIprincipal\fP from a keytab. Requires +no permissions, since this does not require database access. +.sp +If the string "all" is specified, all entries for that principal are +removed; if the string "old" is specified, all entries for that +principal except those with the highest kvno are removed. Otherwise, +the value specified is parsed as an integer, and all entries whose +kvno match that integer are removed. +.sp +The options are: +.INDENT 0.0 +.TP +.B \fB\-k[eytab]\fP \fIkeytab\fP +.sp +Use \fIkeytab\fP as the keytab file. Otherwise, the default keytab is +used. +.TP +.B \fB\-q\fP +.sp +Display less verbose information. +.UNINDENT +.sp +Example: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +kadmin: ktremove kadmin/admin all +Entry for principal kadmin/admin with kvno 3 removed from keytab + FILE:/etc/krb5.keytab +kadmin: +.ft P +.fi +.UNINDENT +.UNINDENT +.SS lock +.sp +Lock database exclusively. Use with extreme caution! This command +only works with the DB2 KDC database module. +.SS unlock +.sp +Release the exclusive database lock. +.SS list_requests +.sp +Lists available for kadmin requests. +.sp +Aliases: \fBlr\fP, \fB?\fP +.SS quit +.sp +Exit program. If the database was locked, the lock is released. +.sp +Aliases: \fBexit\fP, \fBq\fP +.SH HISTORY +.sp +The kadmin program was originally written by Tom Yu at MIT, as an +interface to the OpenVision Kerberos administration program. +.SH SEE ALSO +.sp +\fIkpasswd(1)\fP, \fIkadmind(8)\fP +.SH AUTHOR +MIT +.SH COPYRIGHT +2011, MIT +.\" Generated by docutils manpage writer. +. diff --git a/src/man/kadmind.8 b/src/man/kadmind.8 deleted file mode 100644 index 5f622d245..000000000 --- a/src/man/kadmind.8 +++ /dev/null @@ -1,276 +0,0 @@ -.TH "KADMIND" "8" "January 06, 2012" "0.0.1" "MIT Kerberos" -.SH NAME -kadmind \- KADM5 administration server -. -.nr rst2man-indent-level 0 -. -.de1 rstReportMargin -\\$1 \\n[an-margin] -level \\n[rst2man-indent-level] -level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] -- -\\n[rst2man-indent0] -\\n[rst2man-indent1] -\\n[rst2man-indent2] -.. -.de1 INDENT -.\" .rstReportMargin pre: -. RS \\$1 -. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] -. nr rst2man-indent-level +1 -.\" .rstReportMargin post: -.. -.de UNINDENT -. RE -.\" indent \\n[an-margin] -.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] -.nr rst2man-indent-level -1 -.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] -.in \\n[rst2man-indent\\n[rst2man-indent-level]]u -.. -.\" Man page generated from reStructeredText. -. -.SH SYNOPSIS -.sp -\fBkadmind\fP [\fB\-x\fP \fIdb_args\fP] [\fB\-r\fP \fIrealm\fP] [\fB\-m\fP] [\fB\-nofork\fP] [\fB\-port\fP \fIport\-number\fP] [\fB\-P\fP \fIpid_file\fP] -.SH DESCRIPTION -.sp -This command starts the KADM5 administration server. If the database is db2, the administration server runs on the master Kerberos server, -which stores the KDC principal database and the KADM5 policy database. If the database is LDAP, the administration server and -the KDC server need not run on the same machine. \fIkadmind\fP accepts remote requests to administer the information in these databases. -Remote requests are sent, for example, by kadmin(8) and the kpasswd(1) command, both of which are clients of \fIkadmind\fP. -.sp -\fIkadmind\fP requires a number of configuration files to be set up in order for it to work: -.INDENT 0.0 -.TP -.B \fIkdc.conf\fP -.sp -The KDC configuration file contains configuration information for the KDC and the KADM5 system. \fIkadmind\fP understands a number -of variable settings in this file, some of which are mandatory and some of which are optional. -See the CONFIGURATION VALUES section below. -.TP -.B \fIACL\fP file -.sp -\fIkadmind\fP\(aqs \fIACL\fP (access control list) tells it which principals are allowed to perform KADM5 administration actions. -The path of the \fIACL\fP file is specified via the acl_file configuration variable (see CONFIGURATION VALUES). -The syntax of the \fIACL\fP file is specified in the \fIACL\fP FILE SYNTAX section below. -.sp -If the \fIkadmind\fP\(aqs ACL file is modified, the \fIkadmind\fP daemon needs to be restarted for changes to take effect. -.UNINDENT -.sp -After the server begins running, it puts itself in the background and disassociates itself from its controlling terminal. -.sp -\fIkadmind\fP can be configured for incremental database propagation. Incremental propagation allows slave KDC servers to receive principal -and policy updates incrementally instead of receiving full dumps of the database. This facility can be enabled in the \fIkdc.conf\fP file -with the \fIiprop_enable\fP option. See the \fIkdc.conf\fP documentation for other options for tuning incremental propagation parameters. -Incremental propagation requires the principal "kiprop/MASTER@REALM" -(where MASTER is the master KDC\(aqs canonical host name, and REALM the realm name) to be registered in the database. -.SH OPTIONS -.INDENT 0.0 -.INDENT 3.5 -.INDENT 0.0 -.TP -.B \fB\-x\fP \fIdb_args\fP -.sp -specifies the database specific arguments. -.sp -Options supported for LDAP database are: -.INDENT 7.0 -.INDENT 3.5 -.INDENT 0.0 -.TP -.B \fB\-x\fP \fInconns\fP = -.sp -specifies the number of connections to be maintained per LDAP server. -.TP -.B \fB\-x\fP \fIhost\fP = -.sp -specifies the LDAP server to connect to by a LDAP URI. -.TP -.B \fB\-x\fP \fIbinddn\fP = -.sp -specifies the DN of the object used by the administration server to bind to the LDAP server. This object should have the -read and write rights on the realm container, principal container and the subtree that is referenced by the realm. -.TP -.B \fB\-x\fP \fIbindpwd\fP = -.sp -specifies the password for the above mentioned binddn. It is recommended not to use this option. -Instead, the password can be stashed using the stashsrvpw command of kdb5_ldap_util. -.UNINDENT -.UNINDENT -.UNINDENT -.TP -.B \fB\-r\fP \fIrealm\fP -.sp -specifies the default realm that \fIkadmind\fP will serve; if it is not specified, the default realm of the host is used. -\fIkadmind\fP will answer requests for any realm that exists in the local KDC database and for which the appropriate principals are in its keytab. -.TP -.B \fB\-m\fP -.sp -specifies that the master database password should be fetched from the keyboard rather than from a file on disk. -Note that the server gets the password prior to putting itself in the background; -in combination with the \fI\-nofork\fP option, you must place it in the background by hand. -.TP -.B \fB\-nofork\fP -.sp -specifies that the server does not put itself in the background and does not disassociate itself from the terminal. -In normal operation, you should always allow the server place itself in the background. -.TP -.B \fB\-port\fP \fIport\-number\fP -.sp -specifies the port on which the administration server listens for connections. The default is is controlled by the \fIkadmind_port\fP -configuration variable (see below). -.TP -.B \fB\-P\fP \fIpid_file\fP -.sp -specifies the file to which the PID of \fIkadmind\fP process should be written to after it starts up. This can be used to identify -whether \fIkadmind\fP is still running and to allow init scripts to stop the correct process. -.UNINDENT -.UNINDENT -.UNINDENT -.SH CONFIGURATION VALUES -.sp -In addition to the relations defined in kdc.conf(5), \fIkadmind\fP understands the following relations, -all of which should appear in the [realms] section: -.INDENT 0.0 -.INDENT 3.5 -.INDENT 0.0 -.TP -.B \fBacl_file\fP -.sp -The path of \fIkadmind\fP\(aqs \fIACL\fP file. \fBMandatory\fP. No default. -.TP -.B \fBdict_file\fP -.sp -The path of \fIkadmind\fP\(aqs password dictionary. A principal with any password policy will not be allowed to select any password in -the dictionary. Optional. No default. -.TP -.B \fBkadmind_port\fP -.sp -The TCP port on which \fIkadmind\fP will listen. The default is 749. -.UNINDENT -.UNINDENT -.UNINDENT -.SH ACL FILE SYNTAX -.sp -The \fIACL\fP file controls which principals can or cannot perform which administrative functions. For operations that affect principals, -the \fIACL\fP file also controls which principals can operate on which other principals. This file can contain comment lines, null lines or -lines which contain \fIACL\fP entries. Comment lines start with the sharp sign (#) and continue until the end of the line. -Lines containing \fIACL\fP entries have the format of principal whitespace \fIoperation\-mask\fP [whitespace \fIoperation\-target\fP] -.sp -Ordering is important. The first matching entry is the one which will control access for a particular principal on a particular principal. -.INDENT 0.0 -.INDENT 3.5 -.INDENT 0.0 -.TP -.B \fBprincipal\fP -.sp -may specify a partially or fully qualified Kerberos version 5 principal name. Each component of the name may be wildcarded -using the asterisk ( * ) character. -.TP -.B \fBoperation\-target\fP -.sp -[Optional] may specify a partially or fully qualified Kerberos version 5 principal name. Each component of the name may be -wildcarded using the asterisk ( * ) character. -.TP -.B \fBoperation\-mask\fP -.sp -Specifies what operations may or may not be performed by a principal matching a particular entry. This is a string of one or -more of the following list of characters or their upper\-case counterparts. If the character is upper\-case, then the operation -is disallowed. If the character is lower\-case, then the operation is permitted. -.sp -.nf -.ft C -a [Dis]allows the addition of principals or policies in the database. -d [Dis]allows the deletion of principals or policies in the database. -m [Dis]allows the modification of principals or policies in the database. -c [Dis]allows the changing of passwords for principals in the database. -i [Dis]allows inquiries to the database. -l [Dis]allows the listing of principals or policies in the database. -p [Dis]allows the propagation of the principal database. -x Short for admcil. -* Same as x. -.ft P -.fi -.sp -Some examples of valid entries here are: -.INDENT 7.0 -.TP -.B \fIuser/instance@realm adm\fP -.sp -A standard fully qualified name. -The \fIoperation\-mask\fP only applies to this principal and specifies that [s]he may add, -delete or modify principals and policies, but not change anybody else\(aqs password. -.TP -.B \fIuser/instance@realm cim service/instance@realm\fP -.sp -A standard fully qualified name and a standard fully qualified target. -The \fIoperation\-mask\fP only applies to this principal operating on this target and specifies -that [s]he may change the target\(aqs password, request information about the target and modify it. -.TP -.B \fIuser/*@realm ac\fP -.sp -A wildcarded name. The \fIoperation\-mask\fP applies to all principals in realm "realm" whose first component is "user" and specifies -that [s]he may add principals and change anybody\(aqs password. -.TP -.B \fIuser/*@realm i */instance@realm\fP -.sp -A wildcarded name and target. The \fIoperation\-mask\fP applies to all principals in realm "realm" whose first component is "user" and -specifies that [s]he may perform inquiries on principals whose second component is "instance" and realm is "realm". -.UNINDENT -.UNINDENT -.UNINDENT -.UNINDENT -.SH FILES -.sp -Note: The first three files are specific to db2 database. -.TS -center; -|l|l|. -_ -T{ -principal.db -T} T{ -default name for Kerberos principal database -T} -_ -T{ -.kadm5 -T} T{ -KADM5 administrative database. (This would be "principal.kadm5", if you use the default database name.) Contains policy information. -T} -_ -T{ -.kadm5.lock -T} T{ -lock file for the KADM5 administrative database. This file works backwards from most other lock files. I.e., kadmin will exit with an error if this file does not exist. -T} -_ -T{ -kadm5.acl -T} T{ -file containing list of principals and their kadmin administrative privileges. See above for a description. -T} -_ -T{ -kadm5.keytab -T} T{ -keytab file for \fIkadmin/admin\fP principal. -T} -_ -T{ -kadm5.dict -T} T{ -file containing dictionary of strings explicitly disallowed as passwords. -T} -_ -.TE -.SH SEE ALSO -.sp -kpasswd(1), kadmin(8), kdb5_util(8), kadm5_export(8), kadm5_import(8), kdb5_ldap_util(8) -.SH AUTHOR -MIT -.SH COPYRIGHT -2011, MIT -.\" Generated by docutils manpage writer. -. diff --git a/src/man/kadmind.man b/src/man/kadmind.man new file mode 100644 index 000000000..5ee569dcd --- /dev/null +++ b/src/man/kadmind.man @@ -0,0 +1,302 @@ +.TH "KADMIND" "8" " " "0.0.1" "MIT Kerberos" +.SH NAME +kadmind \- KADM5 administration server +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.\" Man page generated from reStructeredText. +. +.SH SYNOPSIS +.sp +\fBkadmind\fP +[\fB\-x\fP \fIdb_args\fP] +[\fB\-r\fP \fIrealm\fP] +[\fB\-m\fP] +[\fB\-nofork\fP] +[\fB\-port\fP \fIport\-number\fP] +[\fB\-P\fP \fIpid_file\fP] +.SH DESCRIPTION +.sp +kadmind starts the Kerberos administration server. kadmind typically +runs on the master Kerberos server, which stores the KDC database. If +the KDC database uses the LDAP module, the administration server and +the KDC server need not run on the same machine. kadmind accepts +remote requests from programs such as \fIkadmin(1)\fP and +\fIkpasswd(1)\fP to administer the information in these database. +.sp +kadmind requires a number of configuration files to be set up in order +for it to work: +.INDENT 0.0 +.TP +.B \fIkdc.conf(5)\fP +.sp +The KDC configuration file contains configuration information for +the KDC and admin servers. kadmind uses settings in this file to +locate the Kerberos database, and is also affected by the +\fBacl_file\fP, \fBdict_file\fP, \fBkadmind_port\fP, and iprop\-related +settings. +.TP +.B ACL file +. +kadmind\(aqs ACL (access control list) tells it which principals are +allowed to perform administration actions. The pathname to the +ACL file can be specified with the \fBacl_file\fP kdc.conf variable; +by default, it is \fB@LOCALSTATEDIR@/krb5kdc\fP\fB/kadm5.acl\fP. The syntax of the ACL +file is specified in the ACL FILE SYNTAX section below. +.sp +If the kadmind ACL file is modified, the kadmind daemon needs to +be restarted for changes to take effect. +.UNINDENT +.sp +After the server begins running, it puts itself in the background and +disassociates itself from its controlling terminal. +.sp +kadmind can be configured for incremental database propagation. +Incremental propagation allows slave KDC servers to receive principal +and policy updates incrementally instead of receiving full dumps of +the database. This facility can be enabled in the \fIkdc.conf(5)\fP +file with the \fBiprop_enable\fP option. Incremental propagation +requires the principal \fBkiprop/MASTER\e@REALM\fP (where MASTER is the +master KDC\(aqs canonical host name, and REALM the realm name) to be +registered in the database. +.SH OPTIONS +.INDENT 0.0 +.TP +.B \fB\-r\fP \fIrealm\fP +.sp +specifies the realm that kadmind will serve; if it is not +specified, the default realm of the host is used. +.TP +.B \fB\-m\fP +.sp +causes the master database password to be fetched from the +keyboard (before the server puts itself in the background, if not +invoked with the \fB\-nofork\fP option) rather than from a file on +disk. +.TP +.B \fB\-nofork\fP +.sp +causes the server to remain in the foreground and remain +associated to the terminal. In normal operation, you should allow +the server to place itself in the background. +.TP +.B \fB\-port\fP \fIport\-number\fP +.sp +specifies the port on which the administration server listens for +connections. The default port is determined by the +\fBkadmind_port\fP configuration variable in \fIkdc.conf(5)\fP. +.TP +.B \fB\-P\fP \fIpid_file\fP +.sp +specifies the file to which the PID of kadmind process should be +written after it starts up. This file can be used to identify +whether kadmind is still running and to allow init scripts to stop +the correct process. +.TP +.B \fB\-x\fP \fIdb_args\fP +.sp +specifies database\-specific arguments. +.sp +Options supported for LDAP database are: +.INDENT 7.0 +.INDENT 3.5 +.INDENT 0.0 +.TP +.B \fB\-x nconns=\fP\fInumber_of_connections\fP +.sp +specifies the number of connections to be maintained per +LDAP server. +.TP +.B \fB\-x host=\fP\fIldapuri\fP +.sp +specifies the LDAP server to connect to by URI. +.TP +.B \fB\-x binddn=\fP\fIbinddn\fP +.sp +specifies the DN of the object used by the administration +server to bind to the LDAP server. This object should +have read and write privileges on the realm container, the +principal container, and the subtree that is referenced by +the realm. +.TP +.B \fB\-x bindpwd=\fP\fIbind_password\fP +.sp +specifies the password for the above mentioned binddn. +Using this option may expose the password to other users +on the system via the process list; to avoid this, instead +stash the password using the \fBstashsrvpw\fP command of +\fIkdb5_ldap_util(8)\fP. +.UNINDENT +.UNINDENT +.UNINDENT +.UNINDENT +.SH ACL FILE SYNTAX +.sp +The ACL file controls which principals can or cannot perform which +administrative functions. For operations that affect principals, the +ACL file also controls which principals can operate on which other +principals. Empty lines and lines starting with the sharp sign +(\fB#\fP) are ignored. Lines containing ACL entries have the format: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +principal operation\-mask [operation\-target] +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +Ordering is important. The first matching entry will control access +for an actor principal on a target principal. +.INDENT 0.0 +.TP +.B \fIprincipal\fP +.sp +may specify a partially or fully qualified Kerberos version 5 +principal name. Each component of the name may be wildcarded +using the \fB*\fP character. +.TP +.B \fIoperation\-target\fP +.sp +[Optional] may specify a partially or fully qualified Kerberos +version 5 principal name. Each component of the name may be +wildcarded using the \fB*\fP character. +.TP +.B \fIoperation\-mask\fP +.sp +Specifies what operations may or may not be performed by a +principal matching a particular entry. This is a string of one or +more of the following list of characters or their upper\-case +counterparts. If the character is upper\-case, then the operation +is disallowed. If the character is lower\-case, then the operation +is permitted. +.TS +center; +|l|l|. +_ +T{ +a +T} T{ +[Dis]allows the addition of principals or policies +T} +_ +T{ +d +T} T{ +[Dis]allows the deletion of principals or policies +T} +_ +T{ +m +T} T{ +[Dis]allows the modification of principals or policies +T} +_ +T{ +c +T} T{ +[Dis]allows the changing of passwords for principals +T} +_ +T{ +i +T} T{ +[Dis]allows inquiries about principals or policies +T} +_ +T{ +l +T} T{ +[Dis]allows the listing of principals or policies +T} +_ +T{ +p +T} T{ +[Dis]allows the propagation of the principal database +T} +_ +T{ +x +T} T{ +Short for admcil. +T} +_ +T{ +* +T} T{ +Same as x. +T} +_ +.TE +.sp +Some examples of valid entries here are: +.INDENT 7.0 +.TP +.B \fBuser/instance@realm adm\fP +.sp +A standard fully qualified name. The \fIoperation\-mask\fP only +applies to this principal and specifies that [s]he may add, +delete, or modify principals and policies, but not change +anybody else\(aqs password. +.TP +.B \fBuser/instance@realm cim service/instance@realm\fP +.sp +A standard fully qualified name and a standard fully qualified +target. The \fIoperation\-mask\fP only applies to this principal +operating on this target and specifies that [s]he may change +the target\(aqs password, request information about the target, +and modify it. +.TP +.B \fBuser/*@realm ac\fP +.sp +A wildcarded name. The \fIoperation\-mask\fP applies to all +principals in realm \fBrealm\fP whose first component is +\fBuser\fP and specifies that [s]he may add principals and +change anybody\(aqs password. +.TP +.B \fBuser/*@realm i */instance@realm\fP +.sp +A wildcarded name and target. The \fIoperation\-mask\fP applies to +all principals in realm \fBrealm\fP whose first component is +\fBuser\fP and specifies that [s]he may perform inquiries on +principals whose second component is \fBinstance\fP and realm is +\fBrealm\fP. +.UNINDENT +.UNINDENT +.SH SEE ALSO +.sp +\fIkpasswd(1)\fP, \fIkadmin(1)\fP, \fIkdb5_util(8)\fP, +\fIkdb5_ldap_util(8)\fP +.SH AUTHOR +MIT +.SH COPYRIGHT +2011, MIT +.\" Generated by docutils manpage writer. +. diff --git a/src/man/kdb5_ldap_util.8 b/src/man/kdb5_ldap_util.8 deleted file mode 100644 index 71ae0c8c7..000000000 --- a/src/man/kdb5_ldap_util.8 +++ /dev/null @@ -1,1108 +0,0 @@ -.TH "KDB5_LDAP_UTIL" "8" "January 06, 2012" "0.0.1" "MIT Kerberos" -.SH NAME -kdb5_ldap_util \- Kerberos configuration utility -. -.nr rst2man-indent-level 0 -. -.de1 rstReportMargin -\\$1 \\n[an-margin] -level \\n[rst2man-indent-level] -level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] -- -\\n[rst2man-indent0] -\\n[rst2man-indent1] -\\n[rst2man-indent2] -.. -.de1 INDENT -.\" .rstReportMargin pre: -. RS \\$1 -. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] -. nr rst2man-indent-level +1 -.\" .rstReportMargin post: -.. -.de UNINDENT -. RE -.\" indent \\n[an-margin] -.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] -.nr rst2man-indent-level -1 -.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] -.in \\n[rst2man-indent\\n[rst2man-indent-level]]u -.. -.\" Man page generated from reStructeredText. -. -.SH SYNOPSIS -.sp -\fBkdb5_ldap_util\fP [\fB\-D\fP \fIuser_dn\fP [\fB\-w\fP \fIpasswd\fP]] [\fB\-H\fP \fIldapuri\fP] \fBcommand\fP [\fIcommand_options\fP] -.SH DESCRIPTION -.sp -\fIkdb5_ldap_util\fP allows an administrator to manage realms, Kerberos services and ticket policies. -.SH COMMAND-LINE OPTIONS -.INDENT 0.0 -.TP -.B \fB\-D\fP \fIuser_dn\fP -.sp -Specifies the Distinguished Name (DN) of the user who has sufficient rights to perform the operation on the LDAP server. -.TP -.B \fB\-w\fP \fIpasswd\fP -.sp -Specifies the password of \fIuser_dn\fP. This option is not recommended. -.TP -.B \fB\-H\fP \fIldapuri\fP -.sp -Specifies the URI of the LDAP server. It is recommended to use \fIldapi://\fP or \fIldaps://\fP to connect to the LDAP server. -.UNINDENT -.SH COMMANDS -.SS create -.INDENT 0.0 -.INDENT 3.5 -.sp -\fBcreate\fP -[\fB\-subtrees\fP \fIsubtree_dn_list\fP] -[\fB\-sscope\fP \fIsearch_scope\fP] -[\fB\-containerref\fP \fIcontainer_reference_dn\fP] -[\fB\-k\fP \fImkeytype\fP] -[\fB\-kv\fP \fImkeyVNO\fP] -[\fB\-m|\-P\fP \fIpassword*|*\fP\-sf** \fIstashfilename\fP] -[\fB\-s\fP] -[\fB\-r\fP \fIrealm\fP] -[\fB\-kdcdn\fP \fIkdc_service_list\fP] -[\fB\-admindn\fP \fIadmin_service_list\fP] -[\fB\-maxtktlife\fP \fImax_ticket_life\fP] -[\fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP] -[\fIticket_flags\fP] -.INDENT 0.0 -.INDENT 3.5 -.sp -Creates realm in directory. Options: -.UNINDENT -.UNINDENT -.INDENT 0.0 -.TP -.B \fB\-subtrees\fP \fIsubtree_dn_list\fP -.sp -Specifies the list of subtrees containing the principals of a realm. -The list contains the DNs of the subtree objects separated by colon(:). -.TP -.B \fB\-sscope\fP \fIsearch_scope\fP -.sp -Specifies the scope for searching the principals under the subtree. -The possible values are 1 or one (one level), 2 or sub (subtrees). -.TP -.B \fB\-containerref\fP \fIcontainer_reference_dn\fP -.sp -Specifies the DN of the container object in which the principals of a realm will be created. -If the container reference is not configured for a realm, the principals will be created in the realm container. -.TP -.B \fB\-k\fP \fImkeytype\fP -.sp -Specifies the key type of the master key in the database; the default is that given in kdc.conf. -.TP -.B \fB\-kv\fP \fImkeyVNO\fP -.sp -Specifies the version number of the master key in the database; the default is 1. Note that 0 is not allowed. -.TP -.B \fB\-m\fP -.sp -Specifies that the master database password should be read from the TTY rather than fetched from a file on the disk. -.TP -.B \fB\-P\fP \fIpassword\fP -.sp -Specifies the master database password. This option is not recommended. -.TP -.B \fB\-r\fP \fIrealm\fP -.sp -Specifies the Kerberos realm of the database. -.TP -.B \fB\-sf\fP \fIstashfilename\fP -.sp -Specifies the stash file of the master database password. -.TP -.B \fB\-s\fP -.sp -Specifies that the stash file is to be created. -.TP -.B \fB\-maxtktlife\fP \fImax_ticket_life\fP -.sp -Specifies maximum ticket life for principals in this realm. -.TP -.B \fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP -.sp -Specifies maximum renewable life of tickets for principals in this realm. -.TP -.B \fIticket_flags\fP -.INDENT 7.0 -.INDENT 3.5 -.sp -Specifies the ticket flags. -If this option is not specified, by default, none of the flags are set. -This means all the ticket options will be allowed and no restriction will be set. -.UNINDENT -.UNINDENT -.sp -The various flags are: -.INDENT 7.0 -.TP -.B {\-|+}allow_postdated -. -\fI\-allow_postdated\fP prohibits principals from obtaining postdated tickets. -(Sets the KRB5_KDB_DISALLOW_POSTDATED flag.) \fI+allow_postdated\fP clears this flag. -.TP -.B {\-|+}allow_forwardable -. -\fI\-allow_forwardable\fP prohibits principals from obtaining forwardable tickets. -(Sets the KRB5_KDB_DISALLOW_FORWARDABLE flag.) -\fI+allow_forwardable\fP clears this flag. -.TP -.B {\-|+}allow_renewable -. -\fI\-allow_renewable\fP prohibits principals from obtaining renewable tickets. -(Sets the KRB5_KDB_DISALLOW_RENEWABLE flag.) -\fI+allow_renewable\fP clears this flag. -.TP -.B {\-|+}allow_proxiable -. -\fI\-allow_proxiable\fP prohibits principals from obtaining proxiable tickets. -(Sets the KRB5_KDB_DISALLOW_PROXIABLE flag.) -\fI+allow_proxiable\fP clears this flag. -.TP -.B {\-|+}allow_dup_skey -. -\fI\-allow_dup_skey\fP disables user\-to\-user authentication for principals by prohibiting principals -from obtaining a session key for another user. -(Sets the KRB5_KDB_DISALLOW_DUP_SKEY flag.) -\fI+allow_dup_skey\fP clears this flag. -.TP -.B {\-|+}ok_as_delegate -. -+ok_as_delegate sets the OK\-AS\-DELEGATE flag on tickets issued for use with this principal as the service, -which clients may use as a hint that credentials can and should be delegated when authenticating to the service. -(Sets the KRB5_KDB_OK_AS_DELEGATE flag.) -\fI\-ok_as_delegate\fP clears this flag. -.TP -.B {\-|+}requires_preauth -. -\fI+requires_preauth\fP requires principals to preauthenticate before being allowed to \fIkinit\fP. -(Sets the KRB5_KDB_REQUIRES_PRE_AUTH flag.) -\fI\-requires_preauth\fP clears this flag. -.TP -.B {\-|+}requires_hwauth -. -\fI+requires_hwauth\fP requires principals to preauthenticate using a hardware device before being allowed to kinit. -(Sets the KRB5_KDB_REQUIRES_HW_AUTH flag.) -\fI\-requires_hwauth\fP clears this flag. -.TP -.B {\-|+}allow_svr -. -\fI\-allow_svr\fP prohibits the issuance of service tickets for principals. (Sets the KRB5_KDB_DISALLOW_SVR flag.) -\fI+allow_svr\fP clears this flag. -.TP -.B {\-|+}allow_tgs_req -. -\fI\-allow_tgs_req\fP specifies that a Ticket\-Granting Service (TGS) request for a service ticket for principals is not permitted. -This option is useless for most things. -\fI+allow_tgs_req\fP clears this flag. The default is \fI+allow_tgs_req\fP. -In effect, \fI\-allow_tgs_req\fP sets the KRB5_KDB_DISALLOW_TGT_BASED flag on principals in the database. -.TP -.B {\-|+}allow_tix -. -\fI\-allow_tix\fP forbids the issuance of any tickets for principals. \fI+allow_tix\fP clears this flag. -The default is \fI+allow_tix\fP. -In effect, \fI\-allow_tix\fP sets the KRB5_KDB_DISALLOW_ALL_TIX flag on principals in the database. -.TP -.B {\-|+}needchange -. -\fI+needchange\fP sets a flag in attributes field to force a password change; \fI\-needchange\fP clears it. -The default is \fI\-needchange\fP. -In effect, \fI+needchange\fP sets the KRB5_KDB_REQUIRES_PWCHANGE flag on principals in the database. -.TP -.B {\-|+}password_changing_service -. -\fI+password_changing_service\fP sets a flag in the attributes field marking principal as a password change service principal -(useless for most things). -\fI\-password_changing_service\fP clears the flag. This flag intentionally has a long name. -The default is \fI\-password_changing_service\fP. -In effect, \fI+password_changing_service\fP sets the KRB5_KDB_PWCHANGE_SERVICE flag on principals in the database. -.UNINDENT -.UNINDENT -.sp -Command options specific to eDirectory -.UNINDENT -.UNINDENT -.INDENT 0.0 -.INDENT 3.5 -.INDENT 0.0 -.TP -.B \fB\-kdcdn\fP \fIkdc_service_list\fP -.sp -Specifies the list of KDC service objects serving the realm. -The list contains the DNs of the KDC service objects separated by colon(:). -.TP -.B \fB\-admindn\fP \fIadmin_service_list\fP -.sp -Specifies the list of Administration service objects serving the realm. -The list contains the DNs of the Administration service objects separated by colon(:). -.UNINDENT -.UNINDENT -.UNINDENT -.sp -EXAMPLE: -.sp -.nf -.ft C -kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu create \-subtrees o=org \-sscope SUB \-r ATHENA.MIT.EDU -Password for "cn=admin,o=org": -Initializing database for realm \(aqATHENA.MIT.EDU\(aq -You will be prompted for the database Master Password. -It is important that you NOT FORGET this password. -Enter KDC database master key: -Re\-enter KDC database master key to verify: -.ft P -.fi -.SS modify -.INDENT 0.0 -.INDENT 3.5 -.sp -\fBmodify\fP -[\fB\-subtrees\fP \fIsubtree_dn_list\fP] -[\fB\-sscope\fP \fIsearch_scope\fP] -[\fB\-containerref\fP \fIcontainer_reference_dn\fP] -[\fB\-r\fP \fIrealm\fP] -[\fB\-kdcdn\fP \fIkdc_service_list\fP | [\fB\-clearkdcdn\fP \fIkdc_service_list\fP] [\fB\-addkdcdn\fP \fIkdc_service_list\fP]] -[\fB\-admindn\fP \fIadmin_service_list\fP | [\fB\-clearadmindn\fP \fIadmin_service_list\fP] [\fB\-addadmindn\fP \fIadmin_service_list\fP]] -[\fB\-maxtktlife\fP \fImax_ticket_life\fP] -[\fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP] -[\fIticket_flags\fP] -.INDENT 0.0 -.INDENT 3.5 -.sp -Modifies the attributes of a realm. Options: -.UNINDENT -.UNINDENT -.INDENT 0.0 -.TP -.B \fB\-subtrees\fP \fIsubtree_dn_list\fP -.sp -Specifies the list of subtrees containing the principals of a realm. -The list contains the DNs of the subtree objects separated by colon(:). This list replaces the existing list. -.TP -.B \fB\-sscope\fP \fIsearch_scope\fP -.sp -Specifies the scope for searching the principals under the subtrees. -The possible values are 1 or one (one level), 2 or sub (subtrees). -.TP -.B \fB\-containerref\fP \fIcontainer_reference_dn\fP -.sp -Specifies the DN of the container object in which the principals of a realm will be created. -.TP -.B \fB\-r\fP \fIrealm\fP -.sp -Specifies the Kerberos realm of the database. -.TP -.B \fB\-maxtktlife\fP \fImax_ticket_life\fP -.sp -Specifies maximum ticket life for principals in this realm. -.TP -.B \fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP -.sp -Specifies maximum renewable life of tickets for principals in this realm. -.TP -.B \fIticket_flags\fP -.INDENT 7.0 -.INDENT 3.5 -.sp -Specifies the ticket flags. If this option is not specified, by default, none of the flags are set. -This means all the ticket options will be allowed and no restriction will be set. -.UNINDENT -.UNINDENT -.sp -The various flags are: -.INDENT 7.0 -.TP -.B {\-|+}allow_postdated -. -\fI\-allow_postdated\fP prohibits principals from obtaining postdated tickets. (Sets the KRB5_KDB_DISALLOW_POSTDATED flag.) -\fI+allow_postdated\fP clears this flag. -.TP -.B {\-|+}allow_forwardable -. -\fI\-allow_forwardable\fP prohibits principals from obtaining forwardable tickets. -(Sets the KRB5_KDB_DISALLOW_FORWARDABLE flag.) -\fI+allow_forwardable\fP clears this flag. -.TP -.B {\-|+}allow_renewable -. -\fI\-allow_renewable\fP prohibits principals from obtaining renewable tickets. (Sets the KRB5_KDB_DISALLOW_RENEWABLE flag.) -\fI+allow_renewable\fP clears this flag. -.TP -.B {\-|+}allow_proxiable -. -\fI\-allow_proxiable\fP prohibits principals from obtaining proxiable tickets. (Sets the KRB5_KDB_DISALLOW_PROXIABLE flag.) -\fI+allow_proxiable\fP clears this flag. -.TP -.B {\-|+}allow_dup_skey -. -\fI\-allow_dup_skey\fP Disables user\-to\-user authentication for principals by prohibiting principals from -obtaining a session key for another user. -(Sets the KRB5_KDB_DISALLOW_DUP_SKEY flag.) -\fI+allow_dup_skey\fP clears this flag. -.TP -.B {\-|+}requires_preauth -. -\fI+requires_preauth\fP requires principals to preauthenticate before being allowed to kinit. -(Sets the KRB5_KDB_REQUIRES_PRE_AUTH flag.) \fI\-requires_preauth\fP clears this flag. -.TP -.B {\-|+}requires_hwauth -. -\fI+requires_hwauth\fP requires principals to preauthenticate using a hardware device before being allowed to kinit. -(Sets the KRB5_KDB_REQUIRES_HW_AUTH flag.) -\fI\-requires_hwauth\fP clears this flag. -.TP -.B {\-|+}allow_svr -. -\fI\-allow_svr\fP prohibits the issuance of service tickets for principals. (Sets the KRB5_KDB_DISALLOW_SVR flag.) \fI+allow_svr\fP clears this flag. -.TP -.B {\-|+}allow_tgs_req -. -\fI\-allow_tgs_req\fP specifies that a Ticket\-Granting Service (TGS) request for a service ticket for principals is not permitted. -This option is useless for most things. -\fI+allow_tgs_req\fP clears this flag. -The default is \fI+allow_tgs_req\fP. In effect, \fI\-allow_tgs_req\fP sets the KRB5_KDB_DISALLOW_TGT_BASED flag on principals in the database. -.TP -.B {\-|+}allow_tix -. -\fI\-allow_tix\fP forbids the issuance of any tickets for principals. -\fI+allow_tix\fP clears this flag. The default is \fI+allow_tix\fP. -In effect, \fI\-allow_tix\fP sets the KRB5_KDB_DISALLOW_ALL_TIX flag on principals in the database. -.TP -.B {\-|+}needchange -. -\fI+needchange\fP sets a flag in attributes field to force a password change; -\fI\-needchange\fP clears it. The default is \fI\-needchange\fP. -In effect, \fI+needchange\fP sets the KRB5_KDB_REQUIRES_PWCHANGE flag on principals in the database. -.TP -.B {\-|+}password_changing_service -. -\fI+password_changing_service\fP sets a flag in the attributes field marking principal as a password change service principal -(useless for most things). \fI\-password_changing_service\fP clears the flag. This flag intentionally has a long name. -The default is \fI\-password_changing_service\fP. -In effect, \fI+password_changing_service\fP sets the KRB5_KDB_PWCHANGE_SERVICE flag on principals in the database. -.UNINDENT -.UNINDENT -.sp -Command options specific to eDirectory -.UNINDENT -.UNINDENT -.INDENT 0.0 -.INDENT 3.5 -.INDENT 0.0 -.TP -.B \fB\-kdcdn\fP \fIkdc_service_list\fP -.sp -Specifies the list of KDC service objects serving the realm. -The list contains the DNs of the KDC service objects separated by a colon (:). -This list replaces the existing list. -.TP -.B \fB\-clearkdcdn\fP \fIkdc_service_list\fP -.sp -Specifies the list of KDC service objects that need to be removed from the existing list. -The list contains the DNs of the KDC service objects separated by a colon (:). -.TP -.B \fB\-addkdcdn\fP \fIkdc_service_list\fP -.sp -Specifies the list of KDC service objects that need to be added to the existing list. -The list contains the DNs of the KDC service objects separated by a colon (:). -.TP -.B \fB\-admindn\fP \fIadmin_service_list\fP -.sp -Specifies the list of Administration service objects serving the realm. -The list contains the DNs of the Administration service objects separated by a colon (:). -This list replaces the existing list. -.TP -.B \fB\-clearadmindn\fP \fIadmin_service_list\fP -.sp -Specifies the list of Administration service objects that need to be removed from the existing list. -The list contains the DNs of the Administration service objects separated by a colon (:). -.TP -.B \fB\-addadmindn\fP \fIadmin_service_list\fP -.sp -Specifies the list of Administration service objects that need to be added to the existing list. -The list contains the DNs of the Administration service objects separated by a colon (:). -.UNINDENT -.UNINDENT -.UNINDENT -.sp -EXAMPLE: -.sp -.nf -.ft C -shell% kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu modify +requires_preauth \-r ATHENA.MIT.EDU -Password for "cn=admin,o=org": -shell% -.ft P -.fi -.SS view -.INDENT 0.0 -.INDENT 3.5 -.INDENT 0.0 -.TP -.B \fBview\fP [\fB\-r\fP \fIrealm\fP] -.sp -Displays the attributes of a realm. Options: -.TP -.B \fB\-r\fP \fIrealm\fP -.sp -Specifies the Kerberos realm of the database. -.UNINDENT -.UNINDENT -.UNINDENT -.sp -EXAMPLE: -.sp -.nf -.ft C -kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu view \-r ATHENA.MIT.EDU -Password for "cn=admin,o=org": -Realm Name: ATHENA.MIT.EDU -Subtree: ou=users,o=org -Subtree: ou=servers,o=org -SearchScope: ONE -Maximum ticket life: 0 days 01:00:00 -Maximum renewable life: 0 days 10:00:00 -Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE -.ft P -.fi -.SS destroy -.INDENT 0.0 -.INDENT 3.5 -.INDENT 0.0 -.TP -.B \fBdestroy\fP [\fB\-f\fP] [\fB\-r\fP \fIrealm\fP] -.sp -Destroys an existing realm. Options: -.TP -.B \fB\-f\fP -.sp -If specified, will not prompt the user for confirmation. -.TP -.B \fB\-r\fP \fIrealm\fP -.sp -Specifies the Kerberos realm of the database. -.UNINDENT -.UNINDENT -.UNINDENT -.sp -EXAMPLE: -.sp -.nf -.ft C -shell% kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu destroy \-r ATHENA.MIT.EDU -Password for "cn=admin,o=org": -Deleting KDC database of \(aqATHENA.MIT.EDU\(aq, are you sure? -(type \(aqyes\(aq to confirm)? yes -OK, deleting database of \(aqATHENA.MIT.EDU\(aq... -shell% -.ft P -.fi -.SS list -.INDENT 0.0 -.INDENT 3.5 -.INDENT 0.0 -.TP -.B \fBlist\fP -.sp -Lists the name of realms. -.UNINDENT -.UNINDENT -.UNINDENT -.sp -EXAMPLE: -.sp -.nf -.ft C -shell% kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu list -Password for "cn=admin,o=org": -ATHENA.MIT.EDU -OPENLDAP.MIT.EDU -MEDIA\-LAB.MIT.EDU -shell% -.ft P -.fi -.SS stashsrvpw -.INDENT 0.0 -.INDENT 3.5 -.INDENT 0.0 -.TP -.B \fBstashsrvpw\fP [\fB\-f\fP \fIfilename\fP] \fIservicedn\fP -.sp -Allows an administrator to store the password for service object in a file so that KDC and Administration server -can use it to authenticate to the LDAP server. Options: -.TP -.B \fB\-f\fP \fIfilename\fP -.sp -Specifies the complete path of the service password file. By default, \fI/usr/local/var/service_passwd\fP is used. -.TP -.B \fIservicedn\fP -.sp -Specifies Distinguished Name (DN) of the service object whose password is to be stored in file. -.UNINDENT -.UNINDENT -.UNINDENT -.sp -EXAMPLE: -.sp -.nf -.ft C -kdb5_ldap_util stashsrvpw \-f /home/andrew/conf_keyfile cn=service\-kdc,o=org -Password for "cn=service\-kdc,o=org": -Re\-enter password for "cn=service\-kdc,o=org": -.ft P -.fi -.SS create_policy -.INDENT 0.0 -.INDENT 3.5 -.INDENT 0.0 -.TP -.B \fBcreate_policy\fP [\fB\-r\fP \fIrealm\fP] [\fB\-maxtktlife\fP \fImax_ticket_life\fP] [\fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP] [\fIticket_flags\fP] \fIpolicy_name\fP -.sp -Creates a ticket policy in directory. Options: -.TP -.B \fB\-r\fP \fIrealm\fP -.sp -Specifies the Kerberos realm of the database. -.TP -.B \fB\-maxtktlife\fP \fImax_ticket_life\fP -.sp -Specifies maximum ticket life for principals. -.TP -.B \fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP -.sp -Specifies maximum renewable life of tickets for principals. -.TP -.B \fIticket_flags\fP -.sp -Specifies the ticket flags. If this option is not specified, by default, none of the flags are set. -This means all the ticket options will be allowed and no restriction will be set. -.sp -The various flags are: -.INDENT 7.0 -.TP -.B {\-|+}allow_postdated -. -\fI\-allow_postdated\fP prohibits principals from obtaining postdated tickets. -(Sets the KRB5_KDB_DISALLOW_POSTDATED flag.) \fI+allow_postdated\fP clears this flag. -.TP -.B {\-|+}allow_forwardable -. -\fI\-allow_forwardable\fP prohibits principals from obtaining forwardable tickets. -(Sets the KRB5_KDB_DISALLOW_FORWARDABLE flag.) \fI+allow_forwardable\fP clears this flag. -.TP -.B {\-|+}allow_renewable -. -\fI\-allow_renewable\fP prohibits principals from obtaining renewable tickets. -(Sets the KRB5_KDB_DISALLOW_RENEWABLE flag.) \fI+allow_renewable\fP clears this flag. -.TP -.B {\-|+}allow_proxiable -. -\fI\-allow_proxiable\fP prohibits principals from obtaining proxiable tickets. -(Sets the KRB5_KDB_DISALLOW_PROXIABLE flag.) \fI+allow_proxiable\fP clears this flag. -.TP -.B {\-|+}allow_dup_skey -. -\fI\-allow_dup_skey\fP disables user\-to\-user authentication for principals by prohibiting principals -from obtaining a session key for another user. -(Sets the KRB5_KDB_DISALLOW_DUP_SKEY flag.) \fI+allow_dup_skey\fP clears this flag. -.TP -.B {\-|+}requires_preauth -. -\fI+requires_preauth\fP requires principals to preauthenticate before being allowed to kinit. -(Sets the KRB5_KDB_REQUIRES_PRE_AUTH flag.) \fI\-requires_preauth\fP clears this flag. -.TP -.B {\-|+}requires_hwauth -. -\fI+requires_hwauth\fP requires principals to preauthenticate using a hardware device before being allowed to \fIkinit\fP. -(Sets the KRB5_KDB_REQUIRES_HW_AUTH flag.) -\fI\-requires_hwauth\fP clears this flag. -.TP -.B {\-|+}allow_svr -. -\fI\-allow_svr\fP prohibits the issuance of service tickets for principals. -(Sets the KRB5_KDB_DISALLOW_SVR flag.) \fI+allow_svr\fP clears this flag. -.TP -.B {\-|+}allow_tgs_req -. -\fI\-allow_tgs_req\fP specifies that a Ticket\-Granting Service (TGS) request -for a service ticket for principals is not permitted. -This option is useless for most things. -\fI+allow_tgs_req\fP clears this flag. The default is \fI+allow_tgs_req\fP. -In effect, \fI\-allow_tgs_req sets\fP the KRB5_KDB_DISALLOW_TGT_BASED flag on principals in the database. -.TP -.B {\-|+}allow_tix -. -\fI\-allow_tix\fP forbids the issuance of any tickets for principals. -\fI+allow_tix\fP clears this flag. -The default is \fI+allow_tix\fP. In effect, \fI\-allow_tix sets\fP the KRB5_KDB_DISALLOW_ALL_TIX flag on principals in the database. -.TP -.B {\-|+}needchange -. -\fI+needchange\fP sets a flag in attributes field to force a password change; -\fI\-needchange\fP clears it. The default is \fI\-needchange\fP. -In effect, \fI+needchange\fP sets the KRB5_KDB_REQUIRES_PWCHANGE flag on principals in the database. -.TP -.B {\-|+}password_changing_service -. -\fI+password_changing_service\fP sets a flag in the attributes field marking principal as a password change service principal -(useless for most things). -\fI\-password_changing_service\fP clears the flag. -This flag intentionally has a long name. The default is \-password_changing_service. -In effect, \fI+password_changing_service\fP sets the KRB5_KDB_PWCHANGE_SERVICE flag on principals in the database. -.UNINDENT -.TP -.B \fIpolicy_name\fP -.sp -Specifies the name of the ticket policy. -.UNINDENT -.UNINDENT -.UNINDENT -.sp -EXAMPLE: -.sp -.nf -.ft C -kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu create_policy \-r ATHENA.MIT.EDU \-maxtktlife "1 day" \-maxrenewlife "1 week" \-allow_postdated +needchange \-allow_forwardable tktpolicy -Password for "cn=admin,o=org": -.ft P -.fi -.SS modify_policy -.INDENT 0.0 -.INDENT 3.5 -.sp -\fBmodify_policy\fP -[\fB\-r\fP \fIrealm\fP] -[\fB\-maxtktlife\fP \fImax_ticket_life\fP] -[\fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP] -[\fIticket_flags\fP] -\fIpolicy_name\fP -.INDENT 0.0 -.INDENT 3.5 -.sp -Modifies the attributes of a ticket policy. Options are same as create_policy. -.UNINDENT -.UNINDENT -.INDENT 0.0 -.TP -.B \fB\-r\fP \fIrealm\fP -.sp -Specifies the Kerberos realm of the database. -.UNINDENT -.UNINDENT -.UNINDENT -.sp -EXAMPLE: -.sp -.nf -.ft C -kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu modify_policy \-r ATHENA.MIT.EDU \-maxtktlife "60 minutes" \-maxrenewlife "10 hours" +allow_postdated \-requires_preauth tktpolicy -Password for "cn=admin,o=org": -.ft P -.fi -.SS view_policy -.INDENT 0.0 -.INDENT 3.5 -.INDENT 0.0 -.TP -.B \fBview_policy\fP [\fB\-r\fP \fIrealm\fP] \fIpolicy_name\fP -.sp -Displays the attributes of a ticket policy. Options: -.TP -.B \fIpolicy_name\fP -.sp -Specifies the name of the ticket policy. -.UNINDENT -.UNINDENT -.UNINDENT -.sp -EXAMPLE: -.sp -.nf -.ft C -kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu view_policy \-r ATHENA.MIT.EDU tktpolicy -Password for "cn=admin,o=org": -Ticket policy: tktpolicy -Maximum ticket life: 0 days 01:00:00 -Maximum renewable life: 0 days 10:00:00 -Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE -.ft P -.fi -.SS destroy_policy -.INDENT 0.0 -.INDENT 3.5 -.sp -\fBdestroy_policy\fP -[\fB\-r\fP \fIrealm\fP] -[\fB\-force\fP] -\fIpolicy_name\fP -.INDENT 0.0 -.INDENT 3.5 -.sp -Destroys an existing ticket policy. Options: -.UNINDENT -.UNINDENT -.INDENT 0.0 -.TP -.B \fB\-r\fP \fIrealm\fP -.sp -Specifies the Kerberos realm of the database. -.TP -.B \fB\-force\fP -.sp -Forces the deletion of the policy object. If not specified, will be prompted for confirmation while deleting the policy. -Enter yes to confirm the deletion. -.TP -.B \fIpolicy_name\fP -.sp -Specifies the name of the ticket policy. -.UNINDENT -.UNINDENT -.UNINDENT -.sp -EXAMPLE: -.sp -.nf -.ft C -kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu destroy_policy \-r ATHENA.MIT.EDU tktpolicy -Password for "cn=admin,o=org": -This will delete the policy object \(aqtktpolicy\(aq, are you sure? -(type \(aqyes\(aq to confirm)? yes -** policy object \(aqtktpolicy\(aq deleted. -.ft P -.fi -.SS list_policy -.INDENT 0.0 -.INDENT 3.5 -.INDENT 0.0 -.TP -.B \fBlist_policy\fP [\fB\-r\fP \fIrealm\fP] -.sp -Lists the ticket policies in realm if specified or in the default realm. Options: -.TP -.B \fB\-r\fP \fIrealm\fP -.sp -Specifies the Kerberos realm of the database. -.UNINDENT -.UNINDENT -.UNINDENT -.sp -EXAMPLE: -.sp -.nf -.ft C -kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu list_policy \-r ATHENA.MIT.EDU -Password for "cn=admin,o=org": -tktpolicy -tmppolicy -userpolicy -.ft P -.fi -.SH COMMANDS SPECIFIC TO EDIRECTORY -.SS setsrvpw -.INDENT 0.0 -.INDENT 3.5 -.sp -\fBsetsrvpw\fP -[\fB\-randpw|\-fileonly\fP] -[\fB\-f\fP \fIfilename\fP] -\fIservice_dn\fP -.INDENT 0.0 -.INDENT 3.5 -.sp -Allows an administrator to set password for service objects such as KDC and Administration server in eDirectory and store them in a file. -The \fI\-fileonly\fP option stores the password in a file and not in the eDirectory object. Options: -.UNINDENT -.UNINDENT -.INDENT 0.0 -.TP -.B \fB\-randpw\fP -.sp -Generates and sets a random password. -This options can be specified to store the password both in eDirectory and a file. -The \fI\-fileonly\fP option can not be used if \fI\-randpw\fP option is already specified. -.TP -.B \fB\-fileonly\fP -.sp -Stores the password only in a file and not in eDirectory. -The \fI\-randpw\fP option can not be used when \fI\-fileonly\fP options is specified. -.TP -.B \fB\-f\fP \fIfilename\fP -.sp -Specifies complete path of the service password file. By default, \fI/usr/local/var/service_passwd\fP is used. -.TP -.B \fIservice_dn\fP -.sp -Specifies Distinguished Name (DN) of the service object whose password is to be set. -.UNINDENT -.UNINDENT -.UNINDENT -.sp -EXAMPLE: -.sp -.nf -.ft C -kdb5_ldap_util setsrvpw \-D cn=admin,o=org setsrvpw \-fileonly \-f /home/andrew/conf_keyfile cn=service\-kdc,o=org -Password for "cn=admin,o=org": -Password for "cn=service\-kdc,o=org": -Re\-enter password for "cn=service\-kdc,o=org": -.ft P -.fi -.SS create_service -.INDENT 0.0 -.INDENT 3.5 -.sp -\fBcreate_service\fP -{\fB\-kdc|\-admin|\-pwd\fP} -[\fB\-servicehost\fP \fIservice_host_list\fP] -[\fB\-realm\fP \fIrealm_list\fP] -[\fB\-randpw|\-fileonly\fP] -[\fB\-f\fP \fIfilename\fP] \fIservice_dn\fP -.INDENT 0.0 -.INDENT 3.5 -.sp -Creates a service in directory and assigns appropriate rights. Options: -.UNINDENT -.UNINDENT -.INDENT 0.0 -.TP -.B \fB\-kdc\fP -.sp -Specifies the service is a KDC service -.TP -.B \fB\-admin\fP -.sp -Specifies the service is a Administration service -.TP -.B \fB\-pwd\fP -.sp -Specifies the Password service -.TP -.B \fB\-servicehost\fP \fIservice_host_list\fP -.sp -Specifies the list of entries separated by a colon (:). -Each entry consists of the hostname or IP address of the server hosting the service, -transport protocol, and the port number of the service separated by a pound sign (#). -For example, server1#tcp#88:server2#udp#89. -.TP -.B \fB\-realm\fP \fIrealm_list\fP -.sp -Specifies the list of realms that are to be associated with this service. -The list contains the name of the realms separated by a colon (:). -.TP -.B \fB\-randpw\fP -.sp -Generates and sets a random password. This option is used to set the random password for -the service object in directory and also to store it in the file. -The \fI\-fileonly\fP option can not be used if \fI\-randpw\fP option is specified. -.TP -.B \fB\-fileonly\fP -.sp -Stores the password only in a file and not in eDirectory. -The \fI\-randpw\fP option can not be used when \fI\-fileonly\fP option is specified. -.TP -.B \fB\-f\fP \fIfilename\fP -.sp -Specifies the complete path of the file where the service object password is stashed. -.TP -.B \fIservice_dn\fP -.sp -Specifies Distinguished Name (DN) of the Kerberos service to be created. -.UNINDENT -.UNINDENT -.UNINDENT -.sp -EXAMPLE: -.sp -.nf -.ft C -shell% kdb5_ldap_util \-D cn=admin,o=org create_service \-kdc \-randpw \-f /home/andrew/conf_keyfile cn=service\-kdc,o=org -Password for "cn=admin,o=org": -File does not exist. Creating the file /home/andrew/conf_keyfile... -shell% -.ft P -.fi -.SS modify_service -.INDENT 0.0 -.INDENT 3.5 -.sp -\fBmodify_service\fP -[\fB\-servicehost\fP \fIservice_host_list\fP | [\fB\-clearservicehost\fP \fIservice_host_list\fP] [\fB\-addservicehost\fP \fIservice_host_list\fP]] -[\fB\-realm\fP \fIrealm_list\fP | [\fB\-clearrealm\fP \fIrealm_list\fP] [\fB\-addrealm\fP \fIrealm_list\fP]] -\fIservice_dn\fP -.INDENT 0.0 -.INDENT 3.5 -.sp -Modifies the attributes of a service and assigns appropriate rights. Options: -.UNINDENT -.UNINDENT -.INDENT 0.0 -.TP -.B \fB\-servicehost\fP \fIservice_host_list\fP -.sp -Specifies the list of entries separated by a colon (:). -Each entry consists of a host name or IP Address of the Server hosting the service, transport protocol, -and port number of the service separated by a pound sign (#). For example: -.sp -.nf -.ft C -server1#tcp#88:server2#udp#89 -.ft P -.fi -.TP -.B \fB\-clearservicehost\fP \fIservice_host_list\fP -.sp -Specifies the list of servicehost entries to be removed from the existing list separated by colon (:). -Each entry consists of a host name or IP Address of -the server hosting the service, transport protocol, and port number of the service separated by a pound sign (#). -.TP -.B \fB\-addservicehost\fP \fIservice_host_list\fP -.sp -Specifies the list of servicehost entries to be added to the existing list separated by colon (:). -Each entry consists of a host name or IP Address of the -server hosting the service, transport protocol, and port number of the service separated by a pound sign (#). -.TP -.B \fB\-realm\fP \fIrealm_list\fP -.sp -Specifies the list of realms that are to be associated with this service. -The list contains the name of the realms separated by a colon (:). -This list replaces the existing list. -.TP -.B \fB\-clearrealm\fP \fIrealm_list\fP -.sp -Specifies the list of realms to be removed from the existing list. -The list contains the name of the realms separated by a colon (:). -.TP -.B \fB\-addrealm\fP \fIrealm_list\fP -.sp -Specifies the list of realms to be added to the existing list. -The list contains the name of the realms separated by a colon (:). -.TP -.B \fIservice_dn\fP -.sp -Specifies Distinguished Name (DN) of the Kerberos service to be modified. -.UNINDENT -.UNINDENT -.UNINDENT -.sp -EXAMPLE: -.sp -.nf -.ft C -shell% kdb5_ldap_util \-D cn=admin,o=org modify_service \-realm ATHENA.MIT.EDU cn=service\-kdc,o=org -Password for "cn=admin,o=org": -Changing rights for the service object. Please wait ... done -shell% -.ft P -.fi -.SS view_service -.INDENT 0.0 -.INDENT 3.5 -.INDENT 0.0 -.TP -.B \fBview_service\fP \fIservice_dn\fP -.sp -Displays the attributes of a service. Options: -.TP -.B \fIservice_dn\fP -.sp -Specifies Distinguished Name (DN) of the Kerberos service to be viewed. -.UNINDENT -.UNINDENT -.UNINDENT -.sp -EXAMPLE: -.sp -.nf -.ft C -shell% kdb5_ldap_util \-D cn=admin,o=org view_service cn=service\-kdc,o=org -Password for "cn=admin,o=org": -Service dn: cn=service\-kdc,o=org -Service type: kdc -Service host list: -Realm DN list: cn=ATHENA.MIT.EDU,cn=Kerberos,cn=Security -shell% -.ft P -.fi -.SS destroy_service -.INDENT 0.0 -.INDENT 3.5 -.INDENT 0.0 -.TP -.B \fBdestroy_service\fP [\fB\-force\fP] [\fB\-f\fP \fIstashfilename\fP] \fIservice_dn\fP -.sp -Destroys an existing service. Options: -.TP -.B \fB\-force\fP -.sp -If specified, will not prompt for user\(aqs confirmation, instead will force destruction of the service. -.TP -.B \fB\-f\fP \fIstashfilename\fP -.sp -Specifies the complete path of the service password file from where the entry corresponding -to the service_dn needs to be removed. -.TP -.B \fIservice_dn\fP -.sp -Specifies Distinguished Name (DN) of the Kerberos service to be destroyed. -.UNINDENT -.UNINDENT -.UNINDENT -.sp -EXAMPLE: -.sp -.nf -.ft C -shell% kdb5_ldap_util \-D cn=admin,o=org destroy_service cn=service\-kdc,o=org -Password for "cn=admin,o=org": -This will delete the service object \(aqcn=service\-kdc,o=org\(aq, are you sure? -(type \(aqyes\(aq to confirm)? yes -** service object \(aqcn=service\-kdc,o=org\(aq deleted. -shell% -.ft P -.fi -.SS list_service -.INDENT 0.0 -.INDENT 3.5 -.INDENT 0.0 -.TP -.B \fBlist_service\fP [\fB\-basedn\fP \fIbase_dn\fP] -.sp -Lists the name of services under a given base in directory. Options: -.TP -.B \fB\-basedn\fP \fIbase_dn\fP -.sp -Specifies the base DN for searching the service objects, limiting the search to a particular subtree. -If this option is not provided, LDAP Server specific search base will be used. -For eg, in the case of OpenLDAP, value of defaultsearchbase from \fIslapd.conf\fP file will be used, -where as in the case of eDirectory, the default value for the base DN is Root. -.UNINDENT -.UNINDENT -.UNINDENT -.sp -EXAMPLE: -.sp -.nf -.ft C -shell% kdb5_ldap_util \-D cn=admin,o=org list_service -Password for "cn=admin,o=org": -cn=service\-kdc,o=org -cn=service\-adm,o=org -cn=service\-pwd,o=org -shell% -.ft P -.fi -.SH SEE ALSO -.sp -kadmin(8) -.SH AUTHOR -MIT -.SH COPYRIGHT -2011, MIT -.\" Generated by docutils manpage writer. -. diff --git a/src/man/kdb5_ldap_util.man b/src/man/kdb5_ldap_util.man new file mode 100644 index 000000000..043d768f6 --- /dev/null +++ b/src/man/kdb5_ldap_util.man @@ -0,0 +1,592 @@ +.TH "KDB5_LDAP_UTIL" "8" " " "0.0.1" "MIT Kerberos" +.SH NAME +kdb5_ldap_util \- Kerberos configuration utility +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.\" Man page generated from reStructeredText. +. +.SH SYNOPSIS +.sp +\fBkdb5_ldap_util\fP +[\fB\-D\fP \fIuser_dn\fP [\fB\-w\fP \fIpasswd\fP]] +[\fB\-H\fP \fIldapuri\fP] +\fBcommand\fP +[\fIcommand_options\fP] +.SH DESCRIPTION +.sp +kdb5_ldap_util allows an administrator to manage realms, Kerberos +services and ticket policies. +.SH COMMAND-LINE OPTIONS +.INDENT 0.0 +.TP +.B \fB\-D\fP \fIuser_dn\fP +.sp +Specifies the Distinguished Name (DN) of the user who has +sufficient rights to perform the operation on the LDAP server. +.TP +.B \fB\-w\fP \fIpasswd\fP +.sp +Specifies the password of \fIuser_dn\fP. This option is not +recommended. +.TP +.B \fB\-H\fP \fIldapuri\fP +.sp +Specifies the URI of the LDAP server. It is recommended to use +\fBldapi://\fP or \fBldaps://\fP to connect to the LDAP server. +.UNINDENT +.SH COMMANDS +.SS create +.INDENT 0.0 +.INDENT 3.5 +.sp +\fBcreate\fP +[\fB\-subtrees\fP \fIsubtree_dn_list\fP] +[\fB\-sscope\fP \fIsearch_scope\fP] +[\fB\-containerref\fP \fIcontainer_reference_dn\fP] +[\fB\-k\fP \fImkeytype\fP] +[\fB\-kv\fP \fImkeyVNO\fP] +[\fB\-m|\-P\fP \fIpassword\fP|\fB\-sf\fP \fIstashfilename\fP] +[\fB\-s\fP] +[\fB\-r\fP \fIrealm\fP] +[\fB\-kdcdn\fP \fIkdc_service_list\fP] +[\fB\-admindn\fP \fIadmin_service_list\fP] +[\fB\-maxtktlife\fP \fImax_ticket_life\fP] +[\fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP] +[\fIticket_flags\fP] +.UNINDENT +.UNINDENT +.sp +Creates realm in directory. Options: +.INDENT 0.0 +.TP +.B \fB\-subtrees\fP \fIsubtree_dn_list\fP +.sp +Specifies the list of subtrees containing the principals of a +realm. The list contains the DNs of the subtree objects separated +by colon (\fB:\fP). +.TP +.B \fB\-sscope\fP \fIsearch_scope\fP +.sp +Specifies the scope for searching the principals under the +subtree. The possible values are 1 or one (one level), 2 or sub +(subtrees). +.TP +.B \fB\-containerref\fP \fIcontainer_reference_dn\fP +.sp +Specifies the DN of the container object in which the principals +of a realm will be created. If the container reference is not +configured for a realm, the principals will be created in the +realm container. +.TP +.B \fB\-k\fP \fImkeytype\fP +.sp +Specifies the key type of the master key in the database. The +default is given by the \fBmaster_key_type\fP variable in +\fIkdc.conf(5)\fP. +.TP +.B \fB\-kv\fP \fImkeyVNO\fP +.sp +Specifies the version number of the master key in the database; +the default is 1. Note that 0 is not allowed. +.TP +.B \fB\-m\fP +.sp +Specifies that the master database password should be read from +the TTY rather than fetched from a file on the disk. +.TP +.B \fB\-P\fP \fIpassword\fP +.sp +Specifies the master database password. This option is not +recommended. +.TP +.B \fB\-r\fP \fIrealm\fP +.sp +Specifies the Kerberos realm of the database. +.TP +.B \fB\-sf\fP \fIstashfilename\fP +.sp +Specifies the stash file of the master database password. +.TP +.B \fB\-s\fP +.sp +Specifies that the stash file is to be created. +.TP +.B \fB\-maxtktlife\fP \fImax_ticket_life\fP +.sp +Specifies maximum ticket life for principals in this realm. +.TP +.B \fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP +.sp +Specifies maximum renewable life of tickets for principals in this +realm. +.TP +.B \fIticket_flags\fP +.sp +Specifies global ticket flags for the realm. Allowable flags are +documented in the description of the \fBadd_principal\fP command in +\fIkadmin(1)\fP. +.UNINDENT +.sp +Example: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu + create \-subtrees o=org \-sscope SUB \-r ATHENA.MIT.EDU +Password for "cn=admin,o=org": +Initializing database for realm \(aqATHENA.MIT.EDU\(aq +You will be prompted for the database Master Password. +It is important that you NOT FORGET this password. +Enter KDC database master key: +Re\-enter KDC database master key to verify: +.ft P +.fi +.UNINDENT +.UNINDENT +.SS modify +.INDENT 0.0 +.INDENT 3.5 +.sp +\fBmodify\fP +[\fB\-subtrees\fP \fIsubtree_dn_list\fP] +[\fB\-sscope\fP \fIsearch_scope\fP] +[\fB\-containerref\fP \fIcontainer_reference_dn\fP] +[\fB\-r\fP \fIrealm\fP] +[\fB\-kdcdn\fP \fIkdc_service_list\fP | [\fB\-clearkdcdn\fP \fIkdc_service_list\fP] [\fB\-addkdcdn\fP \fIkdc_service_list\fP]] +[\fB\-admindn\fP \fIadmin_service_list\fP | [\fB\-clearadmindn\fP \fIadmin_service_list\fP] [\fB\-addadmindn\fP \fIadmin_service_list\fP]] +[\fB\-maxtktlife\fP \fImax_ticket_life\fP] +[\fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP] +[\fIticket_flags\fP] +.UNINDENT +.UNINDENT +.sp +Modifies the attributes of a realm. Options: +.INDENT 0.0 +.TP +.B \fB\-subtrees\fP \fIsubtree_dn_list\fP +.sp +Specifies the list of subtrees containing the principals of a +realm. The list contains the DNs of the subtree objects separated +by colon (\fB:\fP). This list replaces the existing list. +.TP +.B \fB\-sscope\fP \fIsearch_scope\fP +.sp +Specifies the scope for searching the principals under the +subtrees. The possible values are 1 or one (one level), 2 or sub +(subtrees). +.TP +.B \fB\-containerref\fP \fIcontainer_reference_dn\fP Specifies the DN of the +.sp +container object in which the principals of a realm will be +created. +.TP +.B \fB\-r\fP \fIrealm\fP +.sp +Specifies the Kerberos realm of the database. +.TP +.B \fB\-maxtktlife\fP \fImax_ticket_life\fP +.sp +Specifies maximum ticket life for principals in this realm. +.TP +.B \fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP +.sp +Specifies maximum renewable life of tickets for principals in this +realm. +.TP +.B \fIticket_flags\fP +.sp +Specifies global ticket flags for the realm. Allowable flags are +documented in the description of the \fBadd_principal\fP command in +\fIkadmin(1)\fP. +.UNINDENT +.sp +Example: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +shell% kdb5_ldap_util \-D cn=admin,o=org \-H + ldaps://ldap\-server1.mit.edu modify +requires_preauth \-r + ATHENA.MIT.EDU +Password for "cn=admin,o=org": +shell% +.ft P +.fi +.UNINDENT +.UNINDENT +.SS view +.INDENT 0.0 +.INDENT 3.5 +.sp +\fBview\fP [\fB\-r\fP \fIrealm\fP] +.UNINDENT +.UNINDENT +.sp +Displays the attributes of a realm. Options: +.INDENT 0.0 +.TP +.B \fB\-r\fP \fIrealm\fP +.sp +Specifies the Kerberos realm of the database. +.UNINDENT +.sp +Example: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu + view \-r ATHENA.MIT.EDU +Password for "cn=admin,o=org": +Realm Name: ATHENA.MIT.EDU +Subtree: ou=users,o=org +Subtree: ou=servers,o=org +SearchScope: ONE +Maximum ticket life: 0 days 01:00:00 +Maximum renewable life: 0 days 10:00:00 +Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE +.ft P +.fi +.UNINDENT +.UNINDENT +.SS destroy +.INDENT 0.0 +.INDENT 3.5 +.sp +\fBdestroy\fP [\fB\-f\fP] [\fB\-r\fP \fIrealm\fP] +.UNINDENT +.UNINDENT +.sp +Destroys an existing realm. Options: +.INDENT 0.0 +.TP +.B \fB\-f\fP +.sp +If specified, will not prompt the user for confirmation. +.TP +.B \fB\-r\fP \fIrealm\fP +.sp +Specifies the Kerberos realm of the database. +.UNINDENT +.sp +Example: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +shell% kdb5_ldap_util \-D cn=admin,o=org \-H + ldaps://ldap\-server1.mit.edu destroy \-r ATHENA.MIT.EDU +Password for "cn=admin,o=org": +Deleting KDC database of \(aqATHENA.MIT.EDU\(aq, are you sure? +(type \(aqyes\(aq to confirm)? yes +OK, deleting database of \(aqATHENA.MIT.EDU\(aq... +shell% +.ft P +.fi +.UNINDENT +.UNINDENT +.SS list +.INDENT 0.0 +.INDENT 3.5 +.sp +\fBlist\fP +.UNINDENT +.UNINDENT +.sp +Lists the name of realms. +.sp +Example: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +shell% kdb5_ldap_util \-D cn=admin,o=org \-H + ldaps://ldap\-server1.mit.edu list +Password for "cn=admin,o=org": +ATHENA.MIT.EDU +OPENLDAP.MIT.EDU +MEDIA\-LAB.MIT.EDU +shell% +.ft P +.fi +.UNINDENT +.UNINDENT +.SS stashsrvpw +.INDENT 0.0 +.INDENT 3.5 +.sp +\fBstashsrvpw\fP +[\fB\-f\fP \fIfilename\fP] +\fIservicedn\fP +.UNINDENT +.UNINDENT +.sp +Allows an administrator to store the password for service object in a +file so that KDC and Administration server can use it to authenticate +to the LDAP server. Options: +.INDENT 0.0 +.TP +.B \fB\-f\fP \fIfilename\fP +.sp +Specifies the complete path of the service password file. By +default, \fB/usr/local/var/service_passwd\fP is used. +.TP +.B \fIservicedn\fP +.sp +Specifies Distinguished Name (DN) of the service object whose +password is to be stored in file. +.UNINDENT +.sp +Example: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +kdb5_ldap_util stashsrvpw \-f /home/andrew/conf_keyfile + cn=service\-kdc,o=org +Password for "cn=service\-kdc,o=org": +Re\-enter password for "cn=service\-kdc,o=org": +.ft P +.fi +.UNINDENT +.UNINDENT +.SS create_policy +.INDENT 0.0 +.INDENT 3.5 +.sp +\fBcreate_policy\fP +[\fB\-r\fP \fIrealm\fP] +[\fB\-maxtktlife\fP \fImax_ticket_life\fP] +[\fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP] +[\fIticket_flags\fP] +\fIpolicy_name\fP +.UNINDENT +.UNINDENT +.sp +Creates a ticket policy in the directory. Options: +.INDENT 0.0 +.TP +.B \fB\-r\fP \fIrealm\fP +.sp +Specifies the Kerberos realm of the database. +.TP +.B \fB\-maxtktlife\fP \fImax_ticket_life\fP +.sp +Specifies maximum ticket life for principals. +.TP +.B \fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP +.sp +Specifies maximum renewable life of tickets for principals. +.TP +.B \fIticket_flags\fP +.sp +Specifies the ticket flags. If this option is not specified, by +default, no restriction will be set by the policy. Allowable +flags are documented in the description of the \fBadd_principal\fP +command in \fIkadmin(1)\fP. +.TP +.B \fIpolicy_name\fP +.sp +Specifies the name of the ticket policy. +.UNINDENT +.sp +Example: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu + create_policy \-r ATHENA.MIT.EDU \-maxtktlife "1 day" + \-maxrenewlife "1 week" \-allow_postdated +needchange + \-allow_forwardable tktpolicy +Password for "cn=admin,o=org": +.ft P +.fi +.UNINDENT +.UNINDENT +.SS modify_policy +.INDENT 0.0 +.INDENT 3.5 +.sp +\fBmodify_policy\fP +[\fB\-r\fP \fIrealm\fP] +[\fB\-maxtktlife\fP \fImax_ticket_life\fP] +[\fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP] +[\fIticket_flags\fP] +\fIpolicy_name\fP +.UNINDENT +.UNINDENT +.sp +Modifies the attributes of a ticket policy. Options are same as for +\fBcreate_policy\fP. +.sp +Example: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +kdb5_ldap_util \-D cn=admin,o=org \-H + ldaps://ldap\-server1.mit.edu modify_policy \-r ATHENA.MIT.EDU + \-maxtktlife "60 minutes" \-maxrenewlife "10 hours" + +allow_postdated \-requires_preauth tktpolicy +Password for "cn=admin,o=org": +.ft P +.fi +.UNINDENT +.UNINDENT +.SS view_policy +.INDENT 0.0 +.INDENT 3.5 +.sp +\fBview_policy\fP +[\fB\-r\fP \fIrealm\fP] +\fIpolicy_name\fP +.UNINDENT +.UNINDENT +.sp +Displays the attributes of a ticket policy. Options: +.INDENT 0.0 +.TP +.B \fIpolicy_name\fP +.sp +Specifies the name of the ticket policy. +.UNINDENT +.sp +Example: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu + view_policy \-r ATHENA.MIT.EDU tktpolicy +Password for "cn=admin,o=org": +Ticket policy: tktpolicy +Maximum ticket life: 0 days 01:00:00 +Maximum renewable life: 0 days 10:00:00 +Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE +.ft P +.fi +.UNINDENT +.UNINDENT +.SS destroy_policy +.INDENT 0.0 +.INDENT 3.5 +.sp +\fBdestroy_policy\fP +[\fB\-r\fP \fIrealm\fP] +[\fB\-force\fP] +\fIpolicy_name\fP +.UNINDENT +.UNINDENT +.sp +Destroys an existing ticket policy. Options: +.INDENT 0.0 +.TP +.B \fB\-r\fP \fIrealm\fP +.sp +Specifies the Kerberos realm of the database. +.TP +.B \fB\-force\fP +.sp +Forces the deletion of the policy object. If not specified, the +user will be prompted for confirmation before deleting the policy. +.TP +.B \fIpolicy_name\fP +.sp +Specifies the name of the ticket policy. +.UNINDENT +.sp +Example: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu + destroy_policy \-r ATHENA.MIT.EDU tktpolicy +Password for "cn=admin,o=org": +This will delete the policy object \(aqtktpolicy\(aq, are you sure? +(type \(aqyes\(aq to confirm)? yes +** policy object \(aqtktpolicy\(aq deleted. +.ft P +.fi +.UNINDENT +.UNINDENT +.SS list_policy +.INDENT 0.0 +.INDENT 3.5 +.sp +\fBlist_policy\fP +[\fB\-r\fP \fIrealm\fP] +.UNINDENT +.UNINDENT +.sp +Lists the ticket policies in realm if specified or in the default +realm. Options: +.INDENT 0.0 +.TP +.B \fB\-r\fP \fIrealm\fP +.sp +Specifies the Kerberos realm of the database. +.UNINDENT +.sp +Example: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu + list_policy \-r ATHENA.MIT.EDU +Password for "cn=admin,o=org": +tktpolicy +tmppolicy +userpolicy +.ft P +.fi +.UNINDENT +.UNINDENT +.SH SEE ALSO +.sp +\fIkadmin(1)\fP +.SH AUTHOR +MIT +.SH COPYRIGHT +2011, MIT +.\" Generated by docutils manpage writer. +. diff --git a/src/man/kdb5_util.8 b/src/man/kdb5_util.8 deleted file mode 100644 index ca0310f36..000000000 --- a/src/man/kdb5_util.8 +++ /dev/null @@ -1,308 +0,0 @@ -.TH "KDB5_UTIL" "8" "January 06, 2012" "0.0.1" "MIT Kerberos" -.SH NAME -kdb5_util \- Kerberos database maintenance utility -. -.nr rst2man-indent-level 0 -. -.de1 rstReportMargin -\\$1 \\n[an-margin] -level \\n[rst2man-indent-level] -level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] -- -\\n[rst2man-indent0] -\\n[rst2man-indent1] -\\n[rst2man-indent2] -.. -.de1 INDENT -.\" .rstReportMargin pre: -. RS \\$1 -. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] -. nr rst2man-indent-level +1 -.\" .rstReportMargin post: -.. -.de UNINDENT -. RE -.\" indent \\n[an-margin] -.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] -.nr rst2man-indent-level -1 -.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] -.in \\n[rst2man-indent\\n[rst2man-indent-level]]u -.. -.\" Man page generated from reStructeredText. -. -.SH SYNOPSIS -.INDENT 0.0 -.TP -.B \fBkdb5_util\fP -.sp -[\fB\-r\fP \fIrealm\fP] -[\fB\-d\fP \fIdbname\fP] -[\fB\-k\fP \fImkeytype\fP] -[\fB\-M\fP \fImkeyname\fP] -[\fB\-kv\fP \fImkeyVNO\fP] -[\fB\-sf\fP \fIstashfilename\fP] -[\fB\-m\fP] -\fIcommand\fP [\fIcommand_options\fP] -.UNINDENT -.SH DESCRIPTION -.sp -\fIkdb5_util\fP allows an administrator to perform low\-level maintenance procedures on the Kerberos and KADM5 database. -Databases can be created, destroyed, and dumped to and loaded from ASCII files. -Additionally, \fIkdb5_util\fP can create a Kerberos master key stash file. -\fIkdb5_util\fP subsumes the functionality of and makes obsolete the previous database maintenance programs kdb5_create, kdb5_edit, kdb5_destroy, and kdb5_stash. -.sp -When \fIkdb5_util\fP is run, it attempts to acquire the master key and open the database. However, execution continues regardless of whether or not -\fIkdb5_util\fP successfully opens the database, because the database may not exist yet or the stash file may be corrupt. -.sp -Note that some KDB plugins may not support all \fIkdb5_util\fP commands. -.SH COMMAND-LINE OPTIONS -.INDENT 0.0 -.INDENT 3.5 -.INDENT 0.0 -.TP -.B \fB\-r\fP \fIrealm\fP -.sp -specifies the Kerberos realm of the database. -.TP -.B \fB\-d\fP \fIdbname\fP -.sp -specifies the name under which the principal database is stored; by default the database is that listed in \fIkdc.conf\fP. -The KADM5 policy database and lock file are also derived from this value. -.TP -.B \fB\-k\fP \fImkeytype\fP -.sp -specifies the key type of the master key in the database; the default is that given in \fIkdc.conf\fP. -.TP -.B \fB\-kv\fP \fImkeyVNO\fP -.sp -Specifies the version number of the master key in the database; the default is 1. Note that 0 is not allowed. -.TP -.B \fB\-M\fP \fImkeyname\fP -.sp -principal name for the master key in the database; the default is that given in \fIkdc.conf\fP. -.TP -.B \fB\-m\fP -.sp -specifies that the master database password should be read from the TTY rather than fetched from a file on disk. -.TP -.B \fB\-sf\fP \fIstash_file\fP -.sp -specifies the stash file of the master database password. -.TP -.B \fB\-P\fP \fIpassword\fP -.sp -specifies the master database password. This option is not recommended. -.UNINDENT -.UNINDENT -.UNINDENT -.SH COMMANDS -.INDENT 0.0 -.INDENT 3.5 -.INDENT 0.0 -.TP -.B \fBcreate\fP [\fB\-s\fP] -.sp -Creates a new database. If the \fI\-s\fP option is specified, the stash file is also created. This command fails if the database already exists. -If the command is successful, the database is opened just as if it had already existed when the program was first run. -.UNINDENT -.UNINDENT -.UNINDENT -.INDENT 0.0 -.INDENT 3.5 -.INDENT 0.0 -.TP -.B \fBdestroy\fP [\fB\-f\fP] -.sp -Destroys the database, first overwriting the disk sectors and then unlinking the files, after prompting the user for confirmation. -With the \fI\-f\fP argument, does not prompt the user. -.UNINDENT -.UNINDENT -.UNINDENT -.INDENT 0.0 -.INDENT 3.5 -.INDENT 0.0 -.TP -.B \fBstash\fP [\fB\-f\fP \fIkeyfile\fP] -.sp -Stores the master principal\(aqs keys in a stash file. The \fI\-f\fP argument can be used to override the \fIkeyfile\fP specified at startup. -.UNINDENT -.UNINDENT -.UNINDENT -.INDENT 0.0 -.INDENT 3.5 -.INDENT 0.0 -.TP -.B \fBdump\fP [\fB\-old|\-b6|\-b7|\-ov|\-r13\fP] [\fB\-verbose\fP] [\fB\-mkey_convert\fP] [\fB\-new_mkey_file\fP \fImkey_file\fP] [\fB\-rev\fP] [\fB\-recurse\fP] [\fIfilename\fP [\fIprincipals\fP...]] -.sp -Dumps the current Kerberos and KADM5 database into an ASCII file. By default, the database is dumped in current format, "\fIkdb5_util\fP -load_dump version 6". If filename is not specified, or is the string "\-", the dump is sent to standard output. Options: -.INDENT 7.0 -.TP -.B \fB\-old\fP -.sp -causes the dump to be in the Kerberos 5 Beta 5 and earlier dump format ("kdb5_edit load_dump version 2.0"). -.TP -.B \fB\-b6\fP -.sp -causes the dump to be in the Kerberos 5 Beta 6 format ("kdb5_edit load_dump version 3.0"). -.TP -.B \fB\-b7\fP -.sp -causes the dump to be in the Kerberos 5 Beta 7 format ("\fIkdb5_util\fP load_dump version 4"). -This was the dump format produced on releases prior to 1.2.2. -.TP -.B \fB\-ov\fP -.sp -causes the dump to be in \fIovsec_adm_export\fP format. -.TP -.B \fB\-r13\fP -.sp -causes the dump to be in the Kerberos 5 1.3 format ("\fIkdb5_util\fP load_dump version 5"). -This was the dump format produced on releases prior to 1.8. -.TP -.B \fB\-verbose\fP -.sp -causes the name of each principal and policy to be printed as it is dumped. -.TP -.B \fB\-mkey_convert\fP -.sp -prompts for a new master key. This new master key will be used to re\-encrypt the key data in the dumpfile. -The key data in the database will not be changed. -.TP -.B \fB\-new_mkey_file\fP \fImkey_file\fP -.sp -the filename of a stash file. The master key in this stash file will be used to re\-encrypt the key data in the dumpfile. -The key data in the database will not be changed. -.TP -.B \fB\-rev\fP -.sp -dumps in reverse order. This may recover principals that do not dump normally, in cases where database corruption has occurred. -.TP -.B \fB\-recurse\fP -.sp -causes the dump to walk the database recursively (btree only). This may recover principals that do not dump normally, -in cases where database corruption has occurred. -In cases of such corruption, this option will probably retrieve more principals than the \fI\-rev\fP option will. -.UNINDENT -.UNINDENT -.UNINDENT -.UNINDENT -.INDENT 0.0 -.INDENT 3.5 -.INDENT 0.0 -.TP -.B \fBload\fP [\fB\-old|\-b6|\-b7|\-ov|\-r13\fP] [\fB\-hash\fP] [\fB\-verbose\fP] [\fB\-update\fP] \fIfilename dbname\fP -.sp -Loads a database dump from the named file into the named database. -Unless the \fI\-old\fP or \fI\-b6\fP option is given, the format of the dump file is detected automatically and handled as appropriate. -Unless the \fI\-update\fP option is given, load creates a new database containing only the principals in the dump file, -overwriting the contents of any previously existing database. -Note that when using the LDAP KDB plugin the \fI\-update\fP must be given. Options: -.INDENT 7.0 -.TP -.B \fB\-old\fP -.sp -requires the database to be in the Kerberos 5 Beta 5 and earlier format ("kdb5_edit load_dump version 2.0"). -.TP -.B \fB\-b6\fP -.sp -requires the database to be in the Kerberos 5 Beta 6 format ("kdb5_edit load_dump version 3.0"). -.TP -.B \fB\-b7\fP -.sp -requires the database to be in the Kerberos 5 Beta 7 format ("\fIkdb5_util\fP load_dump version 4"). -.TP -.B \fB\-ov\fP -.sp -requires the database to be in ovsec_adm_import format. Must be used with the \fI\-update\fP option. -.TP -.B \fB\-hash\fP -.sp -requires the database to be stored as a hash. If this option is not specified, the database will be stored as a btree. -This option is not recommended, as databases stored in hash format are known to corrupt data and lose principals. -.TP -.B \fB\-verbose\fP -.sp -causes the name of each principal and policy to be printed as it is dumped. -.TP -.B \fB\-update\fP -.sp -records from the dump file are added to or updated in the existing database. -(This is useful in conjunction with an \fIovsec_adm_export\fP format dump if you want to preserve per\-principal policy information, -since the current default format does not contain this data.) -Otherwise, a new database is created containing only what is in the dump file and the old one destroyed upon successful completion. -.UNINDENT -.sp -\fIdbname\fP is required and overrides the value specified on the command line or the default. -.UNINDENT -.UNINDENT -.UNINDENT -.INDENT 0.0 -.INDENT 3.5 -.INDENT 0.0 -.TP -.B \fBark\fP -.sp -Adds a random key. -.TP -.B \fBadd_mkey\fP [\fB\-e\fP \fIetype\fP] [\fB\-s\fP] -.sp -Adds a new master key to the \fIK/M\fP (master key) principal. Existing master keys will remain. -The \fI\-e etype\fP option allows specification of the enctype of the new master key. -The \fI\-s\fP option stashes the new master key in a local stash file which will be created if it doesn\(aqt already exist. -.TP -.B \fBuse_mkey\fP \fImkeyVNO\fP [\fItime\fP] -.sp -Sets the activation time of the master key specified by \fImkeyVNO\fP. -Once a master key is active (i.e. its activation time has been reached) it will then be used to encrypt principal keys either when -the principal keys change, are newly created or when the \fIupdate_princ_encryption\fP command is run. -If the time argument is provided then that will be the activation time otherwise the current time is used by default. -The format of the optional time argument is that specified in the \fITime Formats\fP section of the kadmin man page. -.TP -.B \fBlist_mkeys\fP -.sp -List all master keys from most recent to earliest in \fIK/M\fP principal. -The output will show the kvno, enctype and salt for each mkey similar to kadmin getprinc output. -A * following an mkey denotes the currently active master key. -.TP -.B \fBpurge_mkeys\fP [\fB\-f\fP] [\fB\-n\fP] [\fB\-v\fP] -.sp -Delete master keys from the \fIK/M\fP principal that are not used to protect any principals. -This command can be used to remove old master keys from a \fIK/M\fP principal once all principal keys are protected by a newer master key. -.INDENT 7.0 -.TP -.B \fB\-f\fP -.sp -does not prompt user. -.TP -.B \fB\-n\fP -.sp -do a dry run, shows master keys that would be purged, does not actually purge any keys. -.TP -.B \fB\-v\fP -.sp -verbose output. -.UNINDENT -.TP -.B \fBupdate_princ_encryption\fP [\fB\-f\fP] [\fB\-n\fP] [\fB\-v\fP] [\fIprinc\-pattern\fP] -.sp -Update all principal records (or only those matching the princ\-pattern glob pattern) -to re\-encrypt the key data using the active database master key, if they are encrypted using older versions, -and give a count at the end of the number of principals updated. -If the \fI\-f\fP option is not given, ask for confirmation before starting to make changes. -The \fI\-v\fP option causes each principal processed (each one matching the pattern) to be listed, -and an indication given as to whether it needed updating or not. -The \fI\-n\fP option causes the actions not to be taken, only the normal or verbose status messages displayed; -this implies \fI\-f\fP since no database changes will be performed and thus there\(aqs little reason to seek confirmation. -.UNINDENT -.UNINDENT -.UNINDENT -.SH SEE ALSO -.sp -kadmin(8) -.SH AUTHOR -MIT -.SH COPYRIGHT -2011, MIT -.\" Generated by docutils manpage writer. -. diff --git a/src/man/kdb5_util.man b/src/man/kdb5_util.man new file mode 100644 index 000000000..b35513886 --- /dev/null +++ b/src/man/kdb5_util.man @@ -0,0 +1,391 @@ +.TH "KDB5_UTIL" "8" " " "0.0.1" "MIT Kerberos" +.SH NAME +kdb5_util \- Kerberos database maintenance utility +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.\" Man page generated from reStructeredText. +. +.SH SYNOPSIS +.sp +\fBkdb5_util\fP +[\fB\-r\fP \fIrealm\fP] +[\fB\-d\fP \fIdbname\fP] +[\fB\-k\fP \fImkeytype\fP] +[\fB\-M\fP \fImkeyname\fP] +[\fB\-kv\fP \fImkeyVNO\fP] +[\fB\-sf\fP \fIstashfilename\fP] +[\fB\-m\fP] +\fIcommand\fP [\fIcommand_options\fP] +.SH DESCRIPTION +.sp +kdb5_util allows an administrator to perform maintenance procedures on +the KDC database. Databases can be created, destroyed, and dumped to +or loaded from ASCII files. kdb5_util can create a Kerberos master +key stash file or perform live rollover of the master key. +.sp +When kdb5_util is run, it attempts to acquire the master key and open +the database. However, execution continues regardless of whether or +not kdb5_util successfully opens the database, because the database +may not exist yet or the stash file may be corrupt. +.sp +Note that some KDC database modules may not support all kdb5_util +commands. +.SH COMMAND-LINE OPTIONS +.INDENT 0.0 +.TP +.B \fB\-r\fP \fIrealm\fP +.sp +specifies the Kerberos realm of the database. +.TP +.B \fB\-d\fP \fIdbname\fP +.sp +specifies the name under which the principal database is stored; +by default the database is that listed in \fIkdc.conf(5)\fP. The +password policy database and lock files are also derived from this +value. +.TP +.B \fB\-k\fP \fImkeytype\fP +.sp +specifies the key type of the master key in the database. The +default is given by the \fBmaster_key_type\fP variable in +\fIkdc.conf(5)\fP. +.TP +.B \fB\-kv\fP \fImkeyVNO\fP +.sp +Specifies the version number of the master key in the database; +the default is 1. Note that 0 is not allowed. +.TP +.B \fB\-M\fP \fImkeyname\fP +.sp +principal name for the master key in the database. If not +specified, the name is determined by the \fBmaster_key_name\fP +variable in \fIkdc.conf(5)\fP. +.TP +.B \fB\-m\fP +.sp +specifies that the master database password should be read from +the keyboard rather than fetched from a file on disk. +.TP +.B \fB\-sf\fP \fIstash_file\fP +.sp +specifies the stash filename of the master database password. If +not specified, the filename is determined by the +\fBkey_stash_file\fP variable in \fIkdc.conf(5)\fP. +.TP +.B \fB\-P\fP \fIpassword\fP +.sp +specifies the master database password. Using this option may +expose the password to other users on the system via the process +list. +.UNINDENT +.SH COMMANDS +.SS create +.INDENT 0.0 +.INDENT 3.5 +.sp +\fBcreate\fP [\fB\-s\fP] +.UNINDENT +.UNINDENT +.sp +Creates a new database. If the \fB\-s\fP option is specified, the stash +file is also created. This command fails if the database already +exists. If the command is successful, the database is opened just as +if it had already existed when the program was first run. +.SS destroy +.INDENT 0.0 +.INDENT 3.5 +.sp +\fBdestroy\fP [\fB\-f\fP] +.UNINDENT +.UNINDENT +.sp +Destroys the database, first overwriting the disk sectors and then +unlinking the files, after prompting the user for confirmation. With +the \fB\-f\fP argument, does not prompt the user. +.SS stash +.INDENT 0.0 +.INDENT 3.5 +.sp +\fBstash\fP [\fB\-f\fP \fIkeyfile\fP] +.UNINDENT +.UNINDENT +.sp +Stores the master principal\(aqs keys in a stash file. The \fB\-f\fP +argument can be used to override the \fIkeyfile\fP specified at startup. +.SS dump +.INDENT 0.0 +.INDENT 3.5 +.sp +\fBdump\fP [\fB\-old\fP|\fB\-b6\fP|\fB\-b7\fP|\fB\-ov\fP|\fB\-r13\fP] +[\fB\-verbose\fP] [\fB\-mkey_convert\fP] [\fB\-new_mkey_file\fP \fImkey_file\fP] +[\fB\-rev\fP] [\fB\-recurse\fP] [\fIfilename\fP [\fIprincipals\fP...]] +.UNINDENT +.UNINDENT +.sp +Dumps the current Kerberos and KADM5 database into an ASCII file. By +default, the database is dumped in current format, "kdb5_util +load_dump version 6". If filename is not specified, or is the string +"\-", the dump is sent to standard output. Options: +.INDENT 0.0 +.TP +.B \fB\-old\fP +.sp +causes the dump to be in the Kerberos 5 Beta 5 and earlier dump +format ("kdb5_edit load_dump version 2.0"). +.TP +.B \fB\-b6\fP +.sp +causes the dump to be in the Kerberos 5 Beta 6 format ("kdb5_edit +load_dump version 3.0"). +.TP +.B \fB\-b7\fP +.sp +causes the dump to be in the Kerberos 5 Beta 7 format ("kdb5_util +load_dump version 4"). This was the dump format produced on +releases prior to 1.2.2. +.TP +.B \fB\-ov\fP +.sp +causes the dump to be in "ovsec_adm_export" format. +.TP +.B \fB\-r13\fP +.sp +causes the dump to be in the Kerberos 5 1.3 format ("kdb5_util +load_dump version 5"). This was the dump format produced on +releases prior to 1.8. +.TP +.B \fB\-verbose\fP +.sp +causes the name of each principal and policy to be printed as it +is dumped. +.TP +.B \fB\-mkey_convert\fP +.sp +prompts for a new master key. This new master key will be used to +re\-encrypt principal key data in the dumpfile. The principal keys +themselves will not be changed. +.TP +.B \fB\-new_mkey_file\fP \fImkey_file\fP +.sp +the filename of a stash file. The master key in this stash file +will be used to re\-encrypt the key data in the dumpfile. The key +data in the database will not be changed. +.TP +.B \fB\-rev\fP +.sp +dumps in reverse order. This may recover principals that do not +dump normally, in cases where database corruption has occurred. +.TP +.B \fB\-recurse\fP +.sp +causes the dump to walk the database recursively (btree only). +This may recover principals that do not dump normally, in cases +where database corruption has occurred. In cases of such +corruption, this option will probably retrieve more principals +than the \fB\-rev\fP option will. +.UNINDENT +.SS load +.INDENT 0.0 +.INDENT 3.5 +.sp +\fBload\fP [\fB\-old\fP|\fB\-b6\fP|\fB\-b7\fP|\fB\-ov\fP|\fB\-r13\fP] +[\fB\-hash\fP] [\fB\-verbose\fP] [\fB\-update\fP] \fIfilename\fP [\fIdbname\fP] +.UNINDENT +.UNINDENT +.sp +Loads a database dump from the named file into the named database. If +no option is given to determine the format of the dump file, the +format is detected automatically and handled as appropriate. Unless +the \fB\-update\fP option is given, \fBload\fP creates a new database +containing only the data in the dump file, overwriting the contents of +any previously existing database. Note that when using the LDAP KDC +database module, the \fB\-update\fP flag is required. +.sp +Options: +.INDENT 0.0 +.TP +.B \fB\-old\fP +.sp +requires the database to be in the Kerberos 5 Beta 5 and earlier +format ("kdb5_edit load_dump version 2.0"). +.TP +.B \fB\-b6\fP +.sp +requires the database to be in the Kerberos 5 Beta 6 format +("kdb5_edit load_dump version 3.0"). +.TP +.B \fB\-b7\fP +.sp +requires the database to be in the Kerberos 5 Beta 7 format +("kdb5_util load_dump version 4"). +.TP +.B \fB\-ov\fP +.sp +requires the database to be in "ovsec_adm_import" format. Must be +used with the \fB\-update\fP option. +.TP +.B \fB\-hash\fP +.sp +requires the database to be stored as a hash. If this option is +not specified, the database will be stored as a btree. This +option is not recommended, as databases stored in hash format are +known to corrupt data and lose principals. +.TP +.B \fB\-verbose\fP +.sp +causes the name of each principal and policy to be printed as it +is dumped. +.TP +.B \fB\-update\fP +.sp +records from the dump file are added to or updated in the existing +database. (This is useful in conjunction with an ovsec_adm_export +format dump if you want to preserve per\-principal policy +information, since the current default format does not contain +this data.) Otherwise, a new database is created containing only +what is in the dump file and the old one destroyed upon successful +completion. +.UNINDENT +.sp +If specified, \fIdbname\fP overrides the value specified on the command +line or the default. +.SS ark +.INDENT 0.0 +.INDENT 3.5 +.sp +\fBark\fP [\fB\-e\fP \fIenc\fP:\fIsalt\fP,...] \fIprincipal\fP +.UNINDENT +.UNINDENT +.sp +Adds new random keys to \fIprincipal\fP at the next available key version +number. Keys for the current highest key version number will be +preserved. The \fB\-e\fP option specifies the list of encryption and +salt types to be used for the new keys. +.SS add_mkey +.INDENT 0.0 +.INDENT 3.5 +.sp +\fBadd_mkey\fP [\fB\-e\fP \fIetype\fP] [\fB\-s\fP] +.UNINDENT +.UNINDENT +.sp +Adds a new master key to the master key principal, but does not mark +it as active. Existing master keys will remain. The \fB\-e\fP option +specifies the encryption type of the new master key; see +\fIEncryption_and_salt_types\fP in \fIkdc.conf(5)\fP for a list of +possible values. The \fB\-s\fP option stashes the new master key in the +stash file, which will be created if it doesn\(aqt already exist. +.sp +After a new master key is added, it should be propagated to slave +servers via a manual or periodic invocation of \fIkprop(8)\fP. Then, +the stash files on the slave servers should be updated with the +kdb5_util \fBstash\fP command. Once those steps are complete, the key +is ready to be marked active with the kdb5_util \fBuse_mkey\fP command. +.SS use_mkey +.INDENT 0.0 +.INDENT 3.5 +.sp +\fBuse_mkey\fP \fImkeyVNO\fP [\fItime\fP] +.UNINDENT +.UNINDENT +.sp +Sets the activation time of the master key specified by \fImkeyVNO\fP. +Once a master key becomes active, it will be used to encrypt newly +created principal keys. If no \fItime\fP argument is given, the current +time is used, causing the specified master key version to become +active immediately. The format of \fItime\fP is specified in the +\fIdate_format\fP section of the \fIkadmin(1)\fP man page. +.sp +After a new master key becomes active, the kdb5_util +\fBupdate_princ_encryption\fP command can be used to update all +principal keys to be encrypted in the new master key. +.SS list_mkeys +.INDENT 0.0 +.INDENT 3.5 +.sp +\fBlist_mkeys\fP +.UNINDENT +.UNINDENT +.sp +List all master keys, from most recent to earliest, in the master key +principal. The output will show the kvno, enctype, and salt type for +each mkey, similar to the output of \fIkadmin(1)\fP \fBgetprinc\fP. A +\fB*\fP following an mkey denotes the currently active master key. +.SS purge_mkeys +.INDENT 0.0 +.INDENT 3.5 +.sp +\fBpurge_mkeys\fP [\fB\-f\fP] [\fB\-n\fP] [\fB\-v\fP] +.UNINDENT +.UNINDENT +.sp +Delete master keys from the master key principal that are not used to +protect any principals. This command can be used to remove old master +keys all principal keys are protected by a newer master key. +.INDENT 0.0 +.TP +.B \fB\-f\fP +.sp +does not prompt for confirmation. +.TP +.B \fB\-n\fP +.sp +performs a dry run, showing master keys that would be purged, but +not actually purging any keys. +.TP +.B \fB\-v\fP +.sp +gives more verbose output. +.UNINDENT +.SS update_princ_encryption +.INDENT 0.0 +.INDENT 3.5 +.sp +\fBupdate_princ_encryption\fP [\fB\-f\fP] [\fB\-n\fP] [\fB\-v\fP] +[\fIprinc\-pattern\fP] +.UNINDENT +.UNINDENT +.sp +Update all principal records (or only those matching the +\fIprinc\-pattern\fP glob pattern) to re\-encrypt the key data using the +active database master key, if they are encrypted using older +versions, and give a count at the end of the number of principals +updated. If the \fB\-f\fP option is not given, ask for confirmation +before starting to make changes. The \fB\-v\fP option causes each +principal processed to be listed, with an indication as to whether it +needed updating or not. The \fB\-n\fP option performs a dry run, only +showing the actions which would have been taken. +.SH SEE ALSO +.sp +\fIkadmin(1)\fP +.SH AUTHOR +MIT +.SH COPYRIGHT +2011, MIT +.\" Generated by docutils manpage writer. +. diff --git a/src/man/kdc.conf.5 b/src/man/kdc.conf.5 deleted file mode 100644 index 49f300773..000000000 --- a/src/man/kdc.conf.5 +++ /dev/null @@ -1,408 +0,0 @@ -.TH "KDC.CONF" "5" "January 06, 2012" "0.0.1" "MIT Kerberos" -.SH NAME -kdc.conf \- Kerberos V5 KDC configuration file -. -.nr rst2man-indent-level 0 -. -.de1 rstReportMargin -\\$1 \\n[an-margin] -level \\n[rst2man-indent-level] -level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] -- -\\n[rst2man-indent0] -\\n[rst2man-indent1] -\\n[rst2man-indent2] -.. -.de1 INDENT -.\" .rstReportMargin pre: -. RS \\$1 -. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] -. nr rst2man-indent-level +1 -.\" .rstReportMargin post: -.. -.de UNINDENT -. RE -.\" indent \\n[an-margin] -.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] -.nr rst2man-indent-level -1 -.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] -.in \\n[rst2man-indent\\n[rst2man-indent-level]]u -.. -.\" Man page generated from reStructeredText. -. -.sp -The kdc.conf file contains KDC configuration information, including defaults used when issuing Kerberos tickets. Normally, you should install your kdc.conf file in the directory \fI/usr/local/var/krb5kdc\fP. You can override the default location by setting the environment variable \fIKRB5_KDC_PROFILE\fP. -.SH STRUCTURE -.sp -The kdc.conf file is set up in the same format as the \fIkrb5.conf\fP file. The kdc.conf file may contain any or all of the following three sections: -.TS -center; -|l|l|. -_ -T{ -\fI\%[kdcdefaults]\fP -T} T{ -Contains default values for overall behavior of the KDC. -T} -_ -T{ -\fI\%[realms]\fP -T} T{ -Contains subsections keyed by Kerberos realm names. Each subsection describes realm\-specific information, including where to find the Kerberos servers for that realm. -T} -_ -T{ -\fI\%[logging]\fP -T} T{ -Contains relations which determine how Kerberos programs are to perform logging. -T} -_ -.TE -.SH SECTIONS -.SS \fB[kdcdefaults]\fP -.sp -The following relation is defined in the [kdcdefaults] section: -.INDENT 0.0 -.TP -.B \fBhost_based_services\fP -.sp -This relation lists the services that will get host\-based referral processing even if the server principal is not marked as host\-based by the client. -.TP -.B \fBkdc_max_dgram_reply_size\fP -.sp -Specifies the maximum packet size that can be sent over UDP. The default value is 4096 bytes. -.TP -.B \fBkdc_ports\fP -.sp -This relation lists the ports on which the Kerberos server should listen for UDP requests by default. This list is a comma separated list of integers. If this relation is not specified, the compiled\-in default is 88,750, the first being the assigned Kerberos port and the second which was used by Kerberos V4. -.TP -.B \fBkdc_tcp_ports\fP -.sp -This relation lists the ports on which the Kerberos server should listen for TCP connections by default. This list is a comma separated list of integers. If this relation is not specified, the compiled\-in default is not to listen for TCP connections at all. -.sp -If you wish to change this (which we do not recommend, because the current implementation has little protection against denial\-of\-service attacks), the standard port number assigned for Kerberos TCP traffic is port 88. -.TP -.B \fBno_host_referral\fP -.sp -This relation blocks the specified services from host\-based referral processing, even if the client marks the server principal as host\-based or the service is also listed in \fIhost_based_services\fP. \fIno_host_referral\fP = * will disable referral processing altogether. -.TP -.B \fBrestrict_anonymous_to_tgt\fP -.sp -This flag determines the default value of restrict_anonymous_to_tgt for realms. The default value is false. -.UNINDENT -.SS \fB[realms]\fP -.sp -Each tag in the [realms] section of the file names a Kerberos realm. The value of the tag is a subsection where the relations in that subsection define KDC parameters for that particular realm. -.sp -For each realm, the following tags may be specified in the [realms] subsection: -.INDENT 0.0 -.TP -.B \fBacl_file\fP -.sp -(String.) Location of the access control list (acl) file that kadmin uses to determine which principals are allowed which permissions on the database. The default is \fI/usr/local/var/krb5kdc/kadm5.acl\fP. -.TP -.B \fBdatabase_name\fP -.sp -This string specifies the location of the Kerberos database for this realm. -.TP -.B \fBdefault_principal_expiration\fP -.sp -(Absolute time string.) Specifies the default expiration date of principals created in this realm. The default value for this tag is 0. -.TP -.B \fBdefault_principal_flags\fP -.sp -(Flag string.) Specifies the default attributes of principals created in this realm. The format for this string is a comma\-separated list of flags, with \(aq+\(aq before each flag that should be enabled and \(aq\-\(aq before each flag that should be disabled. The default is \fIpostdateable, forwardable, tgt\-based, renewable, proxiable, dup\-skey, allow\-tickets\fP, and \fIservice enabled\fP. -.sp -There are a number of possible flags: -.INDENT 7.0 -.TP -.B \fIallow\-tickets\fP -.sp -Enabling this flag means that the KDC will issue tickets for this principal. Disabling this flag essentially deactivates the principal within this realm. -.TP -.B \fIdup\-skey\fP -.sp -Enabling this flag allows the principal to obtain a session key for another user, permitting user\-to\-user authentication for this principal. -.TP -.B \fIforwardable\fP -.sp -Enabling this flag allows the principal to obtain forwardable tickets. -.TP -.B \fIhwauth\fP -.sp -If this flag is enabled, then the principal is required to preauthenticate using a hardware device before receiving any tickets. -.TP -.B \fIno\-auth\-data\-required\fP -.sp -Enabling this flag prvents PAC data from being added to the service tickets. -.TP -.B \fIok\-as\-delegate\fP -.sp -If this flag is enabled, it hints the client that credentials can and should be delegated when authenticating to the service. -.TP -.B \fIok\-to\-auth\-as\-delegate\fP -.sp -Enabling this flag allows the principal to use S4USelf ticket. -.TP -.B \fIpostdateable\fP -.sp -Enabling this flag allows the principal to obtain postdateable tickets. -.TP -.B \fIpreauth\fP -.sp -If this flag is enabled on a client principal, then that principal is required to preauthenticate to the KDC before receiving any tickets. On a service principal, enabling this flag means that service tickets for this principal will only be issued to clients with a TGT that has the preauthenticated ticket set. -.TP -.B \fIproxiable\fP -.sp -Enabling this flag allows the principal to obtain proxy tickets. -.TP -.B \fIpwchange\fP -.sp -Enabling this flag forces a password change for this principal. -.TP -.B \fIpwservice\fP -.sp -If this flag is enabled, it marks this principal as a password change service. This should only be used in special cases, for example, if a user\(aqs password has expired, then the user has to get tickets for that principal without going through the normal password authentication in order to be able to change the password. -.TP -.B \fIrenewable\fP -.sp -Enabling this flag allows the principal to obtain renewable tickets. -.TP -.B \fIservice\fP -.sp -Enabling this flag allows the the KDC to issue service tickets for this principal. -.TP -.B \fItgt\-based\fP -.sp -Enabling this flag allows a principal to obtain tickets based on a ticket\-granting\-ticket, rather than repeating the authentication process that was used to obtain the TGT. -.UNINDENT -.TP -.B \fBdict_file\fP -.sp -(String.) Location of the dictionary file containing strings that are not allowed as passwords. If none is specified or if there is no policy assigned to the principal, no dictionary checks of passwords will be performed. -.TP -.B \fBhost_based_services\fP -.sp -(Whitespace\- or comma\-separated list) This relation lists the services that will get host\-based referral processing even if the server principal is not marked as host\-based by the client. -.TP -.B \fBiprop_enable\fP -.sp -This boolean ("true" or "false") specifies whether incremental database propagation is enabled. The default is "false". -.TP -.B \fBiprop_master_ulogsize\fP -.sp -This numeric value specifies the maximum number of log entries to be retained for incremental propagation. The maximum value is 2500; default is 1000. -.TP -.B \fBiprop_slave_poll\fP -.sp -This delta time string specfies how often the slave KDC polls for new updates from the master. Default is "2m" (that is, two minutes). -.TP -.B \fBiprop_port\fP -.sp -(Port number.) This specifies the port number to be used for incremental propagation. This is required in both master and slave configuration files. -.TP -.B \fBiprop_logfile\fP -.sp -(File name) This specifies where the update log file for the realm database is to be stored. The default is to use the \fIdatabase_name\fP entry from the realms section of the krb5 config file, with \fI.ulog\fP appended. (NOTE: If \fIdatabase_name\fP isn\(aqt specified in the realms section, perhaps because the LDAP database back end is being used, or the file name is specified in the \fIdbmodules\fP section, then the hard\-coded default for \fIdatabase_name\fP is used. Determination of the \fIiprop_logfile\fP default value will not use values from the \fIdbmodules\fP section.) -.TP -.B \fBkadmind_port\fP -.sp -(Port number.) Specifies the port on which the kadmind daemon is to listen for this realm. The assigned port for kadmind is 749. -.TP -.B \fBkey_stash_file\fP -.sp -(String.) Specifies the location where the master key has been stored (via kdb5_util stash). The default is /usr/local/var/krb5kdc/.k5.REALM, where REALM is the Kerberos realm. -.TP -.B \fBkdc_ports\fP -.sp -(String.) Specifies the list of ports that the KDC is to listen to for UDP requests for this realm. By default, the value of kdc_ports as specified in the [kdcdefaults] section is used. -.TP -.B \fBkdc_tcp_ports\fP -.sp -(String.) Specifies the list of ports that the KDC is to listen to for TCP requests for this realm. By default, the value of kdc_tcp_ports as specified in the [kdcdefaults] section is used. -.TP -.B \fBmaster_key_name\fP -.sp -(String.) Specifies the name of the principal associated with the master key. The default is K/M. -.TP -.B \fBmaster_key_type\fP -.sp -(Key type string.) Specifies the master key\(aqs key type. The default value for this is des3\-cbc\-sha1. For a list of all possible values, see \fISupported_Encryption_Types_and_Salts\fP. -.TP -.B \fBmax_life\fP -.sp -(Delta time string.) Specifies the maximum time period for which a ticket may be valid in this realm. The default value is 24 hours. -.TP -.B \fBmax_renewable_life\fP -.sp -(Delta time string.) Specifies the maximum time period during which a valid ticket may be renewed in this realm. The default value is 0. -.TP -.B \fBno_host_referral\fP -.sp -(Whitespace\- or comma\-separated list) This relation blocks the specified services from host\-based referral processing, even if the client marks the server principal as host\-based or the service is also listed in \fIhost_based_services\fP. \fIno_host_referral\fP = * will disable referral processing altogether. -.TP -.B \fBreject_bad_transit\fP -.sp -A boolean value (true, false). If set to true, the KDC will check the list of transited realms for cross\-realm tickets against the transit path computed from the realm names and the capaths section of its krb5.conf file; if the path in the ticket to be issued contains any realms not in the computed path, the ticket will not be issued, and an error will be returned to the client instead. If this value is set to false, such tickets will be issued anyways, and it will be left up to the application server to validate the realm transit path. -.sp -If the disable\-transited\-check flag is set in the incoming request, this check is not performed at all. Having the reject_bad_transit option will cause such ticket requests to be rejected always. -.sp -This transit path checking and config file option currently apply only to TGS requests. -.sp -Earlier versions of the MIT release (before 1.2.3) had bugs in the application server support such that the server\-side checks may not be performed correctly. We recommend turning this option on, unless you know that all application servers in this realm have been updated to fixed versions of the software, and for whatever reason, you don\(aqt want the KDC to do the validation. -.sp -This is a per\-realm option so that multiple\-realm KDCs may control it separately for each realm, in case (for example) one realm has had the software on its application servers updated but another has not. -.sp -This option defaults to true. -.TP -.B \fBrestrict_anonymous_to_tgt\fP -.sp -A boolean value (true, false). If set to true, the KDC will reject ticket requests from anonymous principals to service principals other than the realm\(aqs ticket\-granting service. This option allows anonymous PKINIT to be enabled for use as FAST armor tickets without allowing anonymous authentication to services. By default, the value of restrict_anonymous_to_tgt as specified in the [kdcdefaults] section is used. -.TP -.B \fBsupported_enctypes\fP -.sp -List of key:salt strings. Specifies the default key/salt combinations of principals for this realm. Any principals created through kadmin will have keys of these types. The default value for this tag is aes256\-cts\-hmac\-sha1\-96:normal aes128\-cts\-hmac\-sha1\-96:normal des3\-cbc\-sha1:normal arcfour\-hmac\-md5:normal. For lists of possible values, see \fISupported_Encryption_Types_and_Salts\fP -.UNINDENT -.SS \fB[logging]\fP -.sp -See \fIlogging\fP section in \fIkrb5.conf\fP -.SH PKINIT OPTIONS -.IP Note -. -The following are pkinit\-specific options. Note that these values may be specified in [kdcdefaults] as global defaults, or within a realm\-specific subsection of [realms]. Also note that a realm\-specific value over\-rides, does not add to, a generic [kdcdefaults] specification. The search order is: -.INDENT 0.0 -.IP 1. 3 -. -realm\-specific subsection of [realms] -.INDENT 3.0 -.INDENT 3.5 -.INDENT 0.0 -.TP -.B [realms] -.INDENT 7.0 -.TP -.B EXAMPLE.COM = { -. -pkinit_anchors = FILE:/usr/local/example.com.crt -.UNINDENT -.sp -} -.UNINDENT -.UNINDENT -.UNINDENT -.IP 2. 3 -. -generic value in the [kdcdefaults] section. -.INDENT 3.0 -.INDENT 3.5 -.INDENT 0.0 -.TP -.B [kdcdefaults] -. -pkinit_anchors = DIR:/usr/local/generic_trusted_cas/ -.UNINDENT -.UNINDENT -.UNINDENT -.UNINDENT -.RE -.sp -For information about the syntax of some of these options, see See pkinit identity syntax. -.INDENT 0.0 -.TP -.B \fBpkinit_anchors\fP -.sp -Specifies the location of trusted anchor (root) certificates which the KDC trusts to sign client certificates. This option is required if pkinit is to be supported by the KDC. This option may be specified multiple times. -.TP -.B \fBpkinit_dh_min_bits\fP -.sp -Specifies the minimum number of bits the KDC is willing to accept for a client\(aqs Diffie\-Hellman key. The default is 2048. -.TP -.B \fBpkinit_allow_upn\fP -.sp -Specifies that the KDC is willing to accept client certificates with the Microsoft UserPrincipalName (UPN) Subject Alternative Name (SAN). This means the KDC accepts the binding of the UPN in the certificate to the Kerberos principal name. -.sp -The default is \fIfalse\fP. -.sp -Without this option, the KDC will only accept certificates with the \fIid\-pkinit\-san\fP as defined in \fI\%RFC 4556\fP. There is currently no option to disable SAN checking in the KDC. -.TP -.B \fBpkinit_eku_checking\fP -.sp -This option specifies what Extended Key Usage (EKU) values the KDC is willing to accept in client certificates. The values recognized in the kdc.conf file are: -.INDENT 7.0 -.TP -.B \fIkpClientAuth\fP -.sp -This is the default value and specifies that client certificates must have the id\-pkinit\-KPClientAuth EKU as defined in \fI\%RFC 4556\fP. -.TP -.B \fIscLogin\fP -.sp -If scLogin is specified, client certificates with the Microsoft Smart Card Login EKU (id\-ms\-kp\-sc\-logon) will be accepted. -.TP -.B \fInone\fP -.sp -If none is specified, then client certificates will not be checked to verify they have an acceptable EKU. The use of this option is not recommended. -.UNINDENT -.TP -.B \fBpkinit_identity\fP -.sp -Specifies the location of the KDC\(aqs X.509 identity information. This option is required if pkinit is to be supported by the KDC. -.TP -.B \fBpkinit_kdc_ocsp\fP -.sp -Specifies the location of the KDC\(aqs OCSP. -.TP -.B \fBpkinit_mapping_file\fP -.sp -Specifies the name of the ACL pkinit mapping file. This file maps principals to the certificates that they can use. -.TP -.B \fBpkinit_pool\fP -.sp -Specifies the location of intermediate certificates which may be used by the KDC to complete the trust chain between a client\(aqs certificate and a trusted anchor. This option may be specified multiple times. -.TP -.B \fBpkinit_revoke\fP -.sp -Specifies the location of Certificate Revocation List (CRL) information to be used by the KDC when verifying the validity of client certificates. This option may be specified multiple times. -.TP -.B \fBpkinit_require_crl_checking\fP -.sp -The default certificate verification process will always check the available revocation information to see if a certificate has been revoked. If a match is found for the certificate in a CRL, verification fails. If the certificate being verified is not listed in a CRL, or there is no CRL present for its issuing CA, and pkinit_require_crl_checking is false, then verification succeeds. -.sp -However, if pkinit_require_crl_checking is true and there is no CRL information available for the issuing CA, then verification fails. -.sp -\fIpkinit_require_crl_checking\fP should be set to true if the policy is such that up\-to\-date CRLs must be present for every CA. -.UNINDENT -.SH SAMPLE KDC.CONF FILE -.sp -Here\(aqs an example of a kdc.conf file: -.sp -.nf -.ft C -[kdcdefaults] - kdc_ports = 88 - -[realms] - ATHENA.MIT.EDU = { - kadmind_port = 749 - max_life = 12h 0m 0s - max_renewable_life = 7d 0h 0m 0s - master_key_type = des3\-hmac\-sha1 - supported_enctypes = des3\-hmac\-sha1:normal des\-cbc\-crc:normal des\-cbc\-crc:v4 - } - -[logging] - kdc = FILE:/usr/local/var/krb5kdc/kdc.log - admin_server = FILE:/usr/local/var/krb5kdc/kadmin.log -.ft P -.fi -.SH FILES -.sp -/usr/local/var/krb5kdc/kdc.conf -.SH SEE ALSO -.sp -krb5.conf(5), krb5kdc(8) -.SH AUTHOR -MIT -.SH COPYRIGHT -2011, MIT -.\" Generated by docutils manpage writer. -. diff --git a/src/man/kdc.conf.man b/src/man/kdc.conf.man new file mode 100644 index 000000000..5ff5d2ba7 --- /dev/null +++ b/src/man/kdc.conf.man @@ -0,0 +1,939 @@ +.TH "KDC.CONF" "5" " " "0.0.1" "MIT Kerberos" +.SH NAME +kdc.conf \- Kerberos V5 KDC configuration file +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.\" Man page generated from reStructeredText. +. +.sp +The kdc.conf file supplements \fIkrb5.conf(5)\fP for programs which +are typically only used on a KDC, such as the \fIkrb5kdc(8)\fP and +\fIkadmind(8)\fP daemons and the \fIkdb5_util(8)\fP program. +Relations documented here may also be specified in krb5.conf. +.sp +Normally, the kdc.conf file is found in the KDC state directory, +\fB@LOCALSTATEDIR@/krb5kdc\fP. You can override the default location by setting the +environment variable \fBKRB5_KDC_PROFILE\fP. +.SH STRUCTURE +.sp +The kdc.conf file is set up in the same format as the +\fIkrb5.conf(5)\fP file. +.SH SECTIONS +.sp +The kdc.conf file may contain the following sections: +.TS +center; +|l|l|. +_ +T{ +\fI\%[kdcdefaults]\fP +T} T{ +Default values for KDC behavior +T} +_ +T{ +\fI\%[realms]\fP +T} T{ +Realm\-specific database configuration and settings +T} +_ +T{ +\fI\%[logging]\fP +T} T{ +Controls how Kerberos daemons perform logging +T} +_ +T{ +\fI\%[dbdefaults]\fP +T} T{ +Default database settings +T} +_ +T{ +\fI\%[dbmodules]\fP +T} T{ +Per\-database settings +T} +_ +.TE +.SS [kdcdefaults] +.sp +With one exception, relations in the [kdcdefaults] section specify +default values for realm variables, to be used if the [realms] +subsection does not contain a relation for the tag. See the +\fI\%[realms]\fP section for the definitions of these relations. +.INDENT 0.0 +.IP \(bu 2 +. +\fBhost_based_services\fP +.IP \(bu 2 +. +\fBkdc_ports\fP +.IP \(bu 2 +. +\fBkdc_tcp_ports\fP +.IP \(bu 2 +. +\fBno_host_referral\fP +.IP \(bu 2 +. +\fBrestrict_anonymous_to_tgt\fP +.UNINDENT +.INDENT 0.0 +.TP +.B \fBkdc_max_dgram_reply_size\fP +.sp +Specifies the maximum packet size that can be sent over UDP. The +default value is 4096 bytes. +.UNINDENT +.SS [realms] +.sp +Each tag in the [realms] section of the file names a Kerberos realm. +The value of the tag is a subsection where the relations in that +subsection define KDC parameters for that particular realm. +.sp +For each realm, the following tags may be specified in the [realms] +subsection: +.INDENT 0.0 +.TP +.B \fBacl_file\fP +.sp +(String.) Location of the access control list file that +\fIkadmind(8)\fP uses to determine which principals are allowed +which permissions on the database. The default value is +\fB@LOCALSTATEDIR@/krb5kdc\fP\fB/kadm5.acl\fP. +.TP +.B \fBdatabase_module\fP +.sp +This relation indicates the name of the configuration section +under \fI\%[dbmodules]\fP for database specific parameters used by +the loadable database library. +.TP +.B \fBdatabase_name\fP +.sp +(String.) This string specifies the location of the Kerberos +database for this realm, if the DB2 back\-end is being used. If a +\fBdatabase_module\fP is specified for the realm and the +corresponding module contains a \fBdatabase_name\fP parameter, that +value will take precedence over this one. The default value is +\fB@LOCALSTATEDIR@/krb5kdc\fP\fB/principal\fP. +.TP +.B \fBdefault_principal_expiration\fP +.sp +(Absolute time string.) Specifies the default expiration date of +principals created in this realm. The default value is 0, which +means no expiration date. +.TP +.B \fBdefault_principal_flags\fP +.sp +(Flag string.) Specifies the default attributes of principals +created in this realm. The format for this string is a +comma\-separated list of flags, with \(aq+\(aq before each flag that +should be enabled and \(aq\-\(aq before each flag that should be +disabled. The \fBpostdateable\fP, \fBforwardable\fP, \fBtgt\-based\fP, +\fBrenewable\fP, \fBproxiable\fP, \fBdup\-skey\fP, \fBallow\-tickets\fP, and +\fBservice\fP flags default to enabled. +.sp +There are a number of possible flags: +.INDENT 7.0 +.TP +.B \fBallow\-tickets\fP +.sp +Enabling this flag means that the KDC will issue tickets for +this principal. Disabling this flag essentially deactivates +the principal within this realm. +.TP +.B \fBdup\-skey\fP +.sp +Enabling this flag allows the principal to obtain a session +key for another user, permitting user\-to\-user authentication +for this principal. +.TP +.B \fBforwardable\fP +.sp +Enabling this flag allows the principal to obtain forwardable +tickets. +.TP +.B \fBhwauth\fP +.sp +If this flag is enabled, then the principal is required to +preauthenticate using a hardware device before receiving any +tickets. +.TP +.B \fBno\-auth\-data\-required\fP +.sp +Enabling this flag prvents PAC data from being added to the +service tickets. +.TP +.B \fBok\-as\-delegate\fP +.sp +If this flag is enabled, it hints the client that credentials +can and should be delegated when authenticating to the +service. +.TP +.B \fBok\-to\-auth\-as\-delegate\fP +.sp +Enabling this flag allows the principal to use S4USelf ticket. +.TP +.B \fBpostdateable\fP +.sp +Enabling this flag allows the principal to obtain postdateable +tickets. +.TP +.B \fBpreauth\fP +.sp +If this flag is enabled on a client principal, then that +principal is required to preauthenticate to the KDC before +receiving any tickets. On a service principal, enabling this +flag means that service tickets for this principal will only +be issued to clients with a TGT that has the preauthenticated +ticket set. +.TP +.B \fBproxiable\fP +.sp +Enabling this flag allows the principal to obtain proxy +tickets. +.TP +.B \fBpwchange\fP +.sp +Enabling this flag forces a password change for this +principal. +.TP +.B \fBpwservice\fP +.sp +If this flag is enabled, it marks this principal as a password +change service. This should only be used in special cases, +for example, if a user\(aqs password has expired, then the user +has to get tickets for that principal without going through +the normal password authentication in order to be able to +change the password. +.TP +.B \fBrenewable\fP +.sp +Enabling this flag allows the principal to obtain renewable +tickets. +.TP +.B \fBservice\fP +.sp +Enabling this flag allows the the KDC to issue service tickets +for this principal. +.TP +.B \fBtgt\-based\fP +.sp +Enabling this flag allows a principal to obtain tickets based +on a ticket\-granting\-ticket, rather than repeating the +authentication process that was used to obtain the TGT. +.UNINDENT +.TP +.B \fBdict_file\fP +.sp +(String.) Location of the dictionary file containing strings that +are not allowed as passwords. If none is specified or if there is +no policy assigned to the principal, no dictionary checks of +passwords will be performed. +.TP +.B \fBhost_based_services\fP +.sp +(Whitespace\- or comma\-separated list.) Lists services which will +get host\-based referral processing even if the server principal is +not marked as host\-based by the client. +.TP +.B \fBiprop_enable\fP +.sp +(Boolean value.) Specifies whether incremental database +propagation is enabled. The default value is false. +.TP +.B \fBiprop_master_ulogsize\fP +.sp +(Integer.) Specifies the maximum number of log entries to be +retained for incremental propagation. The maximum value is 2500; +the default value is 1000. +.TP +.B \fBiprop_slave_poll\fP +.sp +(Delta time string.) Specifies how often the slave KDC polls for +new updates from the master. The default value is \fB2m\fP (that +is, two minutes). +.TP +.B \fBiprop_port\fP +.sp +(Port number.) Specifies the port number to be used for +incremental propagation. This is required in both master and +slave configuration files. +.TP +.B \fBiprop_logfile\fP +.sp +(File name.) Specifies where the update log file for the realm +database is to be stored. The default is to use the +\fBdatabase_name\fP entry from the realms section of the krb5 config +file, with \fB.ulog\fP appended. (NOTE: If \fBdatabase_name\fP isn\(aqt +specified in the realms section, perhaps because the LDAP database +back end is being used, or the file name is specified in the +[dbmodules] section, then the hard\-coded default for +\fBdatabase_name\fP is used. Determination of the \fBiprop_logfile\fP +default value will not use values from the [dbmodules] section.) +.TP +.B \fBkadmind_port\fP +.sp +(Port number.) Specifies the port on which the \fIkadmind(8)\fP +daemon is to listen for this realm. The assigned port for kadmind +is 749. +.TP +.B \fBkey_stash_file\fP +.sp +(String.) Specifies the location where the master key has been +stored (via kdb5_util stash). The default is \fB@LOCALSTATEDIR@/krb5kdc\fP\fB/.k5.REALM\fP, where \fIREALM\fP is the Kerberos realm. +.TP +.B \fBkdc_ports\fP +.sp +(Whitespace\- or comma\-separated list.) Lists the ports on which +the Kerberos server should listen for UDP requests, as a +comma\-separated list of integers. The default value is +\fB88,750\fP, which are the assigned Kerberos port and the port +historically used by Kerberos V4. +.TP +.B \fBkdc_tcp_ports\fP +.sp +(Whitespace\- or comma\-separated list.) Lists the ports on which +the Kerberos server should listen for TCP connections, as a +comma\-separated list of integers. If this relation is not +specified, the compiled\-in default is not to listen for TCP +connections at all. +.sp +If you wish to change this (note that the current implementation +has little protection against denial\-of\-service attacks), the +standard port number assigned for Kerberos TCP traffic is port 88. +.TP +.B \fBmaster_key_name\fP +.sp +(String.) Specifies the name of the principal associated with the +master key. The default is \fBK/M\fP. +.TP +.B \fBmaster_key_type\fP +.sp +(Key type string.) Specifies the master key\(aqs key type. The +default value for this is \fBaes256\-cts\-hmac\-sha1\-96\fP. For a list of all possible +values, see \fI\%Encryption and salt types\fP. +.TP +.B \fBmax_life\fP +.sp +(Delta time string.) Specifies the maximum time period for which +a ticket may be valid in this realm. The default value is 24 +hours. +.TP +.B \fBmax_renewable_life\fP +.sp +(Delta time string.) Specifies the maximum time period during +which a valid ticket may be renewed in this realm. The default +value is 0. +.TP +.B \fBno_host_referral\fP +.sp +(Whitespace\- or comma\-separated list.) Lists services to block +from getting host\-based referral processing, even if the client +marks the server principal as host\-based or the service is also +listed in \fBhost_based_services\fP. \fBno_host_referral = *\fP will +disable referral processing altogether. +.TP +.B \fBreject_bad_transit\fP +.sp +(Boolean value.) If set to true, the KDC will check the list of +transited realms for cross\-realm tickets against the transit path +computed from the realm names and the capaths section of its +\fIkrb5.conf(5)\fP file; if the path in the ticket to be issued +contains any realms not in the computed path, the ticket will not +be issued, and an error will be returned to the client instead. +If this value is set to false, such tickets will be issued +anyways, and it will be left up to the application server to +validate the realm transit path. +.sp +If the disable\-transited\-check flag is set in the incoming +request, this check is not performed at all. Having the +\fBreject_bad_transit\fP option will cause such ticket requests to +be rejected always. +.sp +This transit path checking and config file option currently apply +only to TGS requests. +.sp +The default value is true. +.TP +.B \fBrestrict_anonymous_to_tgt\fP +.sp +(Boolean value.) If set to true, the KDC will reject ticket +requests from anonymous principals to service principals other +than the realm\(aqs ticket\-granting service. This option allows +anonymous PKINIT to be enabled for use as FAST armor tickets +without allowing anonymous authentication to services. The +default value is false. +.TP +.B \fBsupported_enctypes\fP +.sp +(List of \fIkey\fP:\fIsalt\fP strings.) Specifies the default key/salt +combinations of principals for this realm. Any principals created +through \fIkadmin(1)\fP will have keys of these types. The +default value for this tag is \fBaes256\-cts\-hmac\-sha1\-96:normal aes128\-cts\-hmac\-sha1\-96:normal des3\-cbc\-sha1:normal arcfour\-hmac\-md5:normal\fP. For lists of +possible values, see \fI\%Encryption and salt types\fP. +.UNINDENT +.SS [logging] +.sp +The [logging] section indicates how \fIkrb5kdc(8)\fP and +\fIkadmind(8)\fP perform logging. The keys in this section are +daemon names, which may be one of: +.INDENT 0.0 +.TP +.B \fBadmin_server\fP +.sp +Specifies how \fIkadmind(8)\fP performs logging. +.TP +.B \fBkdc\fP +.sp +Specifies how \fIkrb5kdc(8)\fP performs logging. +.TP +.B \fBdefault\fP +.sp +Specifies how either daemon performs logging in the absence of +relations specific to the daemon. +.UNINDENT +.sp +Values are of the following forms: +.INDENT 0.0 +.TP +.B \fBFILE=\fP\fIfilename\fP or \fBFILE:\fP\fIfilename\fP +.sp +This value causes the daemon\(aqs logging messages to go to the +\fIfilename\fP. If the \fB=\fP form is used, the file is overwritten. +If the \fB:\fP form is used, the file is appended to. +.TP +.B \fBSTDERR\fP +.sp +This value causes the daemon\(aqs logging messages to go to its +standard error stream. +.TP +.B \fBCONSOLE\fP +.sp +This value causes the daemon\(aqs logging messages to go to the +console, if the system supports it. +.TP +.B \fBDEVICE=\fP\fI\fP +.sp +This causes the daemon\(aqs logging messages to go to the specified +device. +.TP +.B \fBSYSLOG\fP[\fB:\fP\fIseverity\fP[\fB:\fP\fIfacility\fP]] +.sp +This causes the daemon\(aqs logging messages to go to the system log. +.sp +The severity argument specifies the default severity of system log +messages. This may be any of the following severities supported +by the syslog(3) call, minus the \fBLOG_\fP prefix: \fBEMERG\fP, +\fBALERT\fP, \fBCRIT\fP, \fBERR\fP, \fBWARNING\fP, \fBNOTICE\fP, \fBINFO\fP, +and \fBDEBUG\fP. +.sp +The facility argument specifies the facility under which the +messages are logged. This may be any of the following facilities +supported by the syslog(3) call minus the LOG_ prefix: \fBKERN\fP, +\fBUSER\fP, \fBMAIL\fP, \fBDAEMON\fP, \fBAUTH\fP, \fBLPR\fP, \fBNEWS\fP, +\fBUUCP\fP, \fBCRON\fP, and \fBLOCAL0\fP through \fBLOCAL7\fP. +.sp +If no severity is specified, the default is \fBERR\fP. If no +facility is specified, the default is \fBAUTH\fP. +.UNINDENT +.sp +In the following example, the logging messages from the KDC will go to +the console and to the system log under the facility LOG_DAEMON with +default severity of LOG_INFO; and the logging messages from the +administrative server will be appended to the file +\fB/var/adm/kadmin.log\fP and sent to the device \fB/dev/tty04\fP. +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +[logging] + kdc = CONSOLE + kdc = SYSLOG:INFO:DAEMON + admin_server = FILE:/var/adm/kadmin.log + admin_server = DEVICE=/dev/tty04 +.ft P +.fi +.UNINDENT +.UNINDENT +.SS [dbdefaults] +.sp +The [dbdefaults] section specifies default values for some database +parameters, to be used if the [dbmodules] subsection does not contain +a relation for the tag. See the \fI\%[dbmodules]\fP section for the +definitions of these relations. +.INDENT 0.0 +.IP \(bu 2 +. +\fBldap_kerberos_container_dn\fP +.IP \(bu 2 +. +\fBldap_kdc_dn\fP +.IP \(bu 2 +. +\fBldap_kadmind_dn\fP +.IP \(bu 2 +. +\fBldap_service_password_file\fP +.IP \(bu 2 +. +\fBldap_servers\fP +.IP \(bu 2 +. +\fBldap_conns_per_server\fP +.UNINDENT +.SS [dbmodules] +.sp +The [dbmodules] section contains parameters used by the KDC database +library and database modules. The following tag may be specified +in the [dbmodules] section: +.INDENT 0.0 +.TP +.B \fBdb_module_dir\fP +.sp +This tag controls where the plugin system looks for modules. The +value should be an absolute path. +.UNINDENT +.sp +Other tags in the [dbmodules] section name a configuration subsection +for parameters which can be referred to by a realm\(aqs +\fBdatabase_module\fP parameter. The following tags may be specified in +the subsection: +.INDENT 0.0 +.TP +.B \fBdatabase_name\fP +.sp +This DB2\-specific tag indicates the location of the database in +the filesystem. The default is \fB@LOCALSTATEDIR@/krb5kdc\fP\fB/principal\fP. +.TP +.B \fBdb_library\fP +.sp +This tag indicates the name of the loadable database module. The +value should be \fBdb2\fP for the DB2 module and \fBkldap\fP for the +LDAP module. +.TP +.B \fBdisable_last_success\fP +.sp +If set to \fBtrue\fP, suppresses KDC updates to the "Last successful +authentication" field of principal entries requiring +preauthentication. Setting this flag may improve performance. +(Principal entries which do not require preauthentication never +update the "Last successful authentication" field.). +.TP +.B \fBdisable_lockout\fP +.sp +If set to \fBtrue\fP, suppresses KDC updates to the "Last failed +authentication" and "Failed password attempts" fields of principal +entries requiring preauthentication. Setting this flag may +improve performance, but also disables account lockout. +.TP +.B \fBldap_conns_per_server\fP +.sp +This LDAP\-specific tag indicates the number of connections to be +maintained per LDAP server. +.TP +.B \fBldap_kadmind_dn\fP +.sp +This LDAP\-specific tag indicates the default bind DN for the +\fIkadmind(8)\fP daemon. kadmind does a login to the directory +as this object. This object should have the rights to read and +write the Kerberos data in the LDAP database. +.TP +.B \fBldap_kdc_dn\fP +.sp +This LDAP\-specific tag indicates the default bind DN for the +\fIkrb5kdc(8)\fP daemon. The KDC does a login to the directory +as this object. This object should have the rights to read the +Kerberos data in the LDAP database, and to write data unless +\fBdisable_lockout\fP and \fBdisable_last_success\fP are true. +.TP +.B \fBldap_kerberos_container_dn\fP +.sp +This LDAP\-specific tag indicates the DN of the container object +where the realm objects will be located. +.TP +.B \fBldap_servers\fP +.sp +This LDAP\-specific tag indicates the list of LDAP servers that the +Kerberos servers can connect to. The list of LDAP servers is +whitespace\-separated. The LDAP server is specified by a LDAP URI. +It is recommended to use \fBldapi:\fP or \fBldaps:\fP URLs to connect +to the LDAP server. +.TP +.B \fBldap_service_password_file\fP +.sp +This LDAP\-specific tag indicates the file containing the stashed +passwords (created by \fBkdb5_ldap_util stashsrvpw\fP) for the +\fBldap_kadmind_dn\fP and \fBldap_kdc_dn\fP objects. This file must +be kept secure. +.UNINDENT +.SH PKINIT OPTIONS +.IP Note +. +The following are pkinit\-specific options. These values may +be specified in [kdcdefaults] as global defaults, or within +a realm\-specific subsection of [realms]. Also note that a +realm\-specific value over\-rides, does not add to, a generic +[kdcdefaults] specification. The search order is: +.RE +.INDENT 0.0 +.IP 1. 3 +. +realm\-specific subsection of [realms], +.INDENT 3.0 +.INDENT 3.5 +.sp +.nf +.ft C +[realms] + EXAMPLE.COM = { + pkinit_anchors = FILE\e:/usr/local/example.com.crt + } +.ft P +.fi +.UNINDENT +.UNINDENT +.IP 2. 3 +. +generic value in the [kdcdefaults] section. +.INDENT 3.0 +.INDENT 3.5 +.sp +.nf +.ft C +[kdcdefaults] + pkinit_anchors = DIR\e:/usr/local/generic_trusted_cas/ +.ft P +.fi +.UNINDENT +.UNINDENT +.UNINDENT +.sp +For information about the syntax of some of these options, see +\fISpecifying PKINIT identity information\fP in +\fIkrb5.conf(5)\fP. +.INDENT 0.0 +.TP +.B \fBpkinit_anchors\fP +.sp +Specifies the location of trusted anchor (root) certificates which +the KDC trusts to sign client certificates. This option is +required if pkinit is to be supported by the KDC. This option may +be specified multiple times. +.TP +.B \fBpkinit_dh_min_bits\fP +.sp +Specifies the minimum number of bits the KDC is willing to accept +for a client\(aqs Diffie\-Hellman key. The default is 2048. +.TP +.B \fBpkinit_allow_upn\fP +.sp +Specifies that the KDC is willing to accept client certificates +with the Microsoft UserPrincipalName (UPN) Subject Alternative +Name (SAN). This means the KDC accepts the binding of the UPN in +the certificate to the Kerberos principal name. The default value +is false. +.sp +Without this option, the KDC will only accept certificates with +the id\-pkinit\-san as defined in \fI\%RFC 4556\fP. There is currently +no option to disable SAN checking in the KDC. +.TP +.B \fBpkinit_eku_checking\fP +.sp +This option specifies what Extended Key Usage (EKU) values the KDC +is willing to accept in client certificates. The values +recognized in the kdc.conf file are: +.INDENT 7.0 +.TP +.B \fBkpClientAuth\fP +.sp +This is the default value and specifies that client +certificates must have the id\-pkinit\-KPClientAuth EKU as +defined in \fI\%RFC 4556\fP. +.TP +.B \fBscLogin\fP +.sp +If scLogin is specified, client certificates with the +Microsoft Smart Card Login EKU (id\-ms\-kp\-sc\-logon) will be +accepted. +.TP +.B \fBnone\fP +.sp +If none is specified, then client certificates will not be +checked to verify they have an acceptable EKU. The use of +this option is not recommended. +.UNINDENT +.TP +.B \fBpkinit_identity\fP +.sp +Specifies the location of the KDC\(aqs X.509 identity information. +This option is required if pkinit is to be supported by the KDC. +.TP +.B \fBpkinit_kdc_ocsp\fP +.sp +Specifies the location of the KDC\(aqs OCSP. +.TP +.B \fBpkinit_mapping_file\fP +.sp +Specifies the name of the ACL pkinit mapping file. This file maps +principals to the certificates that they can use. +.TP +.B \fBpkinit_pool\fP +.sp +Specifies the location of intermediate certificates which may be +used by the KDC to complete the trust chain between a client\(aqs +certificate and a trusted anchor. This option may be specified +multiple times. +.TP +.B \fBpkinit_revoke\fP +.sp +Specifies the location of Certificate Revocation List (CRL) +information to be used by the KDC when verifying the validity of +client certificates. This option may be specified multiple times. +.TP +.B \fBpkinit_require_crl_checking\fP +.sp +The default certificate verification process will always check the +available revocation information to see if a certificate has been +revoked. If a match is found for the certificate in a CRL, +verification fails. If the certificate being verified is not +listed in a CRL, or there is no CRL present for its issuing CA, +and \fBpkinit_require_crl_checking\fP is false, then verification +succeeds. +.sp +However, if \fBpkinit_require_crl_checking\fP is true and there is +no CRL information available for the issuing CA, then verification +fails. +.sp +\fBpkinit_require_crl_checking\fP should be set to true if the +policy is such that up\-to\-date CRLs must be present for every CA. +.UNINDENT +.SH ENCRYPTION AND SALT TYPES +.sp +Any tag in the configuration files which requires a list of encryption +types can be set to some combination of the following strings. +Encryption types marked as "weak" are available for compatibility but +not recommended for use. +.TS +center; +|l|l|. +_ +T{ +des\-cbc\-crc +T} T{ +DES cbc mode with CRC\-32 (weak) +T} +_ +T{ +des\-cbc\-md4 +T} T{ +DES cbc mode with RSA\-MD4 (weak) +T} +_ +T{ +des\-cbc\-md5 +T} T{ +DES cbc mode with RSA\-MD5 (weak) +T} +_ +T{ +des\-cbc\-raw +T} T{ +DES cbc mode raw (weak) +T} +_ +T{ +des3\-cbc\-raw +T} T{ +Triple DES cbc mode raw (weak) +T} +_ +T{ +des3\-cbc\-sha1 des3\-hmac\-sha1 des3\-cbc\-sha1\-kd +T} T{ +Triple DES cbc mode with HMAC/sha1 +T} +_ +T{ +des\-hmac\-sha1 +T} T{ +DES with HMAC/sha1 (weak) +T} +_ +T{ +aes256\-cts\-hmac\-sha1\-96 aes256\-cts AES\-256 +T} T{ +CTS mode with 96\-bit SHA\-1 HMAC +T} +_ +T{ +aes128\-cts\-hmac\-sha1\-96 aes128\-cts AES\-128 +T} T{ +CTS mode with 96\-bit SHA\-1 HMAC +T} +_ +T{ +arcfour\-hmac rc4\-hmac arcfour\-hmac\-md5 +T} T{ +RC4 with HMAC/MD5 +T} +_ +T{ +arcfour\-hmac\-exp rc4\-hmac\-exp arcfour\-hmac\-md5\-exp +T} T{ +Exportable RC4 with HMAC/MD5 (weak) +T} +_ +T{ +des +T} T{ +The DES family: des\-cbc\-crc, des\-cbc\-md5, and des\-cbc\-md4 (weak) +T} +_ +T{ +des3 +T} T{ +The triple DES family: des3\-cbc\-sha1 +T} +_ +T{ +aes +T} T{ +The AES family: aes256\-cts\-hmac\-sha1\-96 and aes128\-cts\-hmac\-sha1\-96 +T} +_ +T{ +rc4 +T} T{ +The RC4 family: arcfour\-hmac +T} +_ +.TE +.sp +The string \fBDEFAULT\fP can be used to refer to the default set of +types for the variable in question. Types or families can be removed +from the current list by prefixing them with a minus sign ("\-"). +Types or families can be prefixed with a plus sign ("+") for symmetry; +it has the same meaning as just listing the type or family. For +example, "\fBDEFAULT \-des\fP" would be the default set of encryption +types with DES types removed, and "\fBdes3 DEFAULT\fP" would be the +default set of encryption types with triple DES types moved to the +front. +.sp +While \fBaes128\-cts\fP and \fBaes256\-cts\fP are supported for all Kerberos +operations, they are not supported by very old versions of our GSSAPI +implementation (krb5\-1.3.1 and earlier). Services running versions of +krb5 without AES support must not be given AES keys in the KDC +database. +.sp +Kerberos keys for users are usually derived from passwords. To ensure +that people who happen to pick the same password do not have the same +key, Kerberos 5 incorporates more information into the key using +something called a salt. The supported salt types are as follows: +.TS +center; +|l|l|. +_ +T{ +normal +T} T{ +default for Kerberos Version 5 +T} +_ +T{ +v4 +T} T{ +the only type used by Kerberos Version 4 (no salt) +T} +_ +T{ +norealm +T} T{ +same as the default, without using realm information +T} +_ +T{ +onlyrealm +T} T{ +uses only realm information as the salt +T} +_ +T{ +afs3 +T} T{ +AFS version 3, only used for compatibility with Kerberos 4 in AFS +T} +_ +T{ +special +T} T{ +generate a random salt +T} +_ +.TE +.SH SAMPLE KDC.CONF FILE +.sp +Here\(aqs an example of a kdc.conf file: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +[kdcdefaults] + kdc_ports = 88 + +[realms] + ATHENA.MIT.EDU = { + kadmind_port = 749 + max_life = 12h 0m 0s + max_renewable_life = 7d 0h 0m 0s + master_key_type = des3\-hmac\-sha1 + supported_enctypes = des3\-hmac\-sha1:normal des\-cbc\-crc:normal des\-cbc\-crc:v4 + } + +[logging] + kdc = FILE:/usr/local/var/krb5kdc/kdc.log + admin_server = FILE:/usr/local/var/krb5kdc/kadmin.log +.ft P +.fi +.UNINDENT +.UNINDENT +.SH FILES +.sp +\fB@LOCALSTATEDIR@/krb5kdc\fP\fB/kdc.conf\fP +.SH SEE ALSO +.sp +\fIkrb5.conf(5)\fP, \fIkrb5kdc(8)\fP +.SH AUTHOR +MIT +.SH COPYRIGHT +2011, MIT +.\" Generated by docutils manpage writer. +. diff --git a/src/man/kdestroy.1 b/src/man/kdestroy.1 deleted file mode 100644 index 9ca626482..000000000 --- a/src/man/kdestroy.1 +++ /dev/null @@ -1,113 +0,0 @@ -.TH "KDESTROY" "1" "January 06, 2012" "0.0.1" "MIT Kerberos" -.SH NAME -kdestroy \- destroy Kerberos tickets -. -.nr rst2man-indent-level 0 -. -.de1 rstReportMargin -\\$1 \\n[an-margin] -level \\n[rst2man-indent-level] -level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] -- -\\n[rst2man-indent0] -\\n[rst2man-indent1] -\\n[rst2man-indent2] -.. -.de1 INDENT -.\" .rstReportMargin pre: -. RS \\$1 -. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] -. nr rst2man-indent-level +1 -.\" .rstReportMargin post: -.. -.de UNINDENT -. RE -.\" indent \\n[an-margin] -.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] -.nr rst2man-indent-level -1 -.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] -.in \\n[rst2man-indent\\n[rst2man-indent-level]]u -.. -.\" Man page generated from reStructeredText. -. -.SH SYNOPSIS -.INDENT 0.0 -.TP -.B \fIkdestroy\fP -.sp -[\fB\-A\fP] -[\fB\-q\fP] -[\fB\-c\fP \fIcache_name\fP] -.UNINDENT -.SH DESCRIPTION -.sp -The \fIkdestroy\fP utility destroys the user\(aqs active Kerberos -authorization tickets by writing zeros to the specified -credentials cache that contains them. If the credentials -cache is not specified, the default credentials cache is destroyed. -.SH OPTIONS -.INDENT 0.0 -.INDENT 3.5 -.INDENT 0.0 -.TP -.B \fB\-A\fP -.sp -Destroys all caches in the collection, if a cache collection is -available. -.TP -.B \fB\-q\fP -.sp -Run quietly. Normally \fIkdestroy\fP beeps if it fails to destroy the user\(aqs tickets. -The \fI\-q\fP flag suppresses this behavior. -.TP -.B \fB\-c\fP \fIcache_name\fP -.sp -Use \fIcache_name\fP as the credentials (ticket) cache name and location; -if this option is not used, the default cache name and location are used. -.sp -The default credentials cache may vary between systems. -If the \fBKRB5CCNAME\fP environment variable is set, its -value is used to name the default ticket cache. -.UNINDENT -.UNINDENT -.UNINDENT -.SH NOTE -.sp -Most installations recommend that you place the \fIkdestroy\fP command in your \fI.logout\fP file, -so that your tickets are destroyed automatically when you log out. -.SH ENVIRONMENT -.sp -\fIkdestroy\fP uses the following environment variable: -.INDENT 0.0 -.INDENT 3.5 -.INDENT 0.0 -.TP -.B \fBKRB5CCNAME\fP -.sp -Location of the default Kerberos 5 credentials (ticket) -cache, in the form \fItype\fP:\fIresidual\fP. If no type prefix is -present, the \fBFILE\fP type is assumed. The type of the -default cache may determine the availability of a cache -collection; for instance, a default cache of type \fBDIR\fP -causes caches within the directory to be present in the -collection. -.UNINDENT -.UNINDENT -.UNINDENT -.SH FILES -.sp -/tmp/krb5cc_[uid] \- Default location of Kerberos 5 credentials cache ([\fIuid\fP] is the decimal UID of the user). -.SH SEE ALSO -.sp -kinit(1), klist(1) -.SH BUGS -.sp -Only the tickets in the specified credentials cache are destroyed. -Separate ticket caches are used to hold root instance and password changing tickets. -These should probably be destroyed too, or all of a user\(aqs tickets kept in a single credentials cache. -.SH AUTHOR -MIT -.SH COPYRIGHT -2011, MIT -.\" Generated by docutils manpage writer. -. diff --git a/src/man/kdestroy.man b/src/man/kdestroy.man new file mode 100644 index 000000000..c17852249 --- /dev/null +++ b/src/man/kdestroy.man @@ -0,0 +1,103 @@ +.TH "KDESTROY" "1" " " "0.0.1" "MIT Kerberos" +.SH NAME +kdestroy \- destroy Kerberos tickets +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.\" Man page generated from reStructeredText. +. +.SH SYNOPSIS +.sp +\fBkdestroy\fP +[\fB\-A\fP] +[\fB\-q\fP] +[\fB\-c\fP \fIcache_name\fP] +.SH DESCRIPTION +.sp +The kdestroy utility destroys the user\(aqs active Kerberos authorization +tickets by overwriting and deleting the credentials cache that +contains them. If the credentials cache is not specified, the default +credentials cache is destroyed. +.SH OPTIONS +.INDENT 0.0 +.TP +.B \fB\-A\fP +.sp +Destroys all caches in the collection, if a cache collection is +available. +.TP +.B \fB\-q\fP +.sp +Run quietly. Normally kdestroy beeps if it fails to destroy the +user\(aqs tickets. The \fB\-q\fP flag suppresses this behavior. +.TP +.B \fB\-c\fP \fIcache_name\fP +.sp +Use \fIcache_name\fP as the credentials (ticket) cache name and +location; if this option is not used, the default cache name and +location are used. +.sp +The default credentials cache may vary between systems. If the +\fBKRB5CCNAME\fP environment variable is set, its value is used to +name the default ticket cache. +.UNINDENT +.SH NOTE +.sp +Most installations recommend that you place the kdestroy command in +your .logout file, so that your tickets are destroyed automatically +when you log out. +.SH ENVIRONMENT +.sp +kdestroy uses the following environment variable: +.INDENT 0.0 +.TP +.B \fBKRB5CCNAME\fP +.sp +Location of the default Kerberos 5 credentials (ticket) cache, in +the form \fItype\fP:\fIresidual\fP. If no \fItype\fP prefix is present, the +\fBFILE\fP type is assumed. The type of the default cache may +determine the availability of a cache collection; for instance, a +default cache of type \fBDIR\fP causes caches within the directory +to be present in the collection. +.UNINDENT +.SH FILES +.INDENT 0.0 +.TP +.B \fB/tmp/krb5cc_[uid]\fP +.sp +Default location of Kerberos 5 credentials cache ([\fIuid\fP] is the +decimal UID of the user). +.UNINDENT +.SH SEE ALSO +.sp +\fIkinit(1)\fP, \fIklist(1)\fP +.SH AUTHOR +MIT +.SH COPYRIGHT +2011, MIT +.\" Generated by docutils manpage writer. +. diff --git a/src/man/kinit.1 b/src/man/kinit.1 deleted file mode 100644 index 3560bcb50..000000000 --- a/src/man/kinit.1 +++ /dev/null @@ -1,258 +0,0 @@ -.TH "KINIT" "1" "January 06, 2012" "0.0.1" "MIT Kerberos" -.SH NAME -kinit \- obtain and cache Kerberos ticket-granting ticket -. -.nr rst2man-indent-level 0 -. -.de1 rstReportMargin -\\$1 \\n[an-margin] -level \\n[rst2man-indent-level] -level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] -- -\\n[rst2man-indent0] -\\n[rst2man-indent1] -\\n[rst2man-indent2] -.. -.de1 INDENT -.\" .rstReportMargin pre: -. RS \\$1 -. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] -. nr rst2man-indent-level +1 -.\" .rstReportMargin post: -.. -.de UNINDENT -. RE -.\" indent \\n[an-margin] -.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] -.nr rst2man-indent-level -1 -.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] -.in \\n[rst2man-indent\\n[rst2man-indent-level]]u -.. -.\" Man page generated from reStructeredText. -. -.SH SYNOPSIS -.INDENT 0.0 -.TP -.B \fBkinit\fP -.sp -[\fB\-V\fP] -[\fB\-l\fP \fIlifetime\fP] -[\fB\-s\fP \fIstart_time\fP] -[\fB\-r\fP \fIrenewable_life\fP] -[\fB\-p\fP | \-\fBP\fP] -[\fB\-f\fP | \-\fBF\fP] -[\fB\-a\fP] -[\fB\-A\fP] -[\fB\-C\fP] -[\fB\-E\fP] -[\fB\-v\fP] -[\fB\-R\fP] -[\fB\-k\fP [\-\fBt\fP \fIkeytab_file\fP]] -[\fB\-c\fP \fIcache_name\fP] -[\fB\-n\fP] -[\fB\-S\fP \fIservice_name\fP] -[\fB\-T\fP \fIarmor_ccache\fP] -[\fB\-X\fP \fIattribute[=value]\fP] -[\fIprincipal\fP] -.UNINDENT -.SH DESCRIPTION -.sp -\fIkinit\fP obtains and caches an initial ticket\-granting ticket for principal. -.SH OPTIONS -.INDENT 0.0 -.INDENT 3.5 -.sp -\fB\-V\fP display verbose output. -.INDENT 0.0 -.TP -.B \fB\-l\fP \fIlifetime\fP -.sp -requests a ticket with the lifetime lifetime. The -value for lifetime must be followed immediately by one -of the following delimiters: -.sp -.nf -.ft C -s seconds -m minutes -h hours -d days -.ft P -.fi -.sp -as in "kinit \-l 90m". You cannot mix units; a value of "3h30m" will result in an error. -.sp -If the \fB\-l\fP option is not specified, the default ticket lifetime -(configured by each site) is used. Specifying a ticket lifetime longer than the maximum -ticket lifetime (configured by each site) results in a ticket with the maximum lifetime. -.TP -.B \fB\-s\fP \fIstart_time\fP -.sp -requests a postdated ticket, valid starting at -\fIstart_time\fP. Postdated tickets are issued with the -\fIinvalid\fP flag set, and need to be fed back to the kdc -before use. -.TP -.B \fB\-r\fP \fIrenewable_life\fP -.sp -requests renewable tickets, with a total lifetime of -\fIrenewable_life\fP. The duration is in the same format as -the \fB\-l\fP option, with the same delimiters. -.UNINDENT -.sp -\fB\-f\fP request forwardable tickets. -.sp -\fB\-F\fP do not request forwardable tickets. -.sp -\fB\-p\fP request proxiable tickets. -.sp -\fB\-P\fP do not request proxiable tickets. -.sp -\fB\-a\fP request tickets with the local address[es]. -.sp -\fB\-A\fP request address\-less tickets. -.sp -\fB\-C\fP requests canonicalization of the principal name. -.sp -\fB\-E\fP treats the principal name as an enterprise name. -.INDENT 0.0 -.TP -.B \fB\-v\fP -.sp -requests that the ticket granting ticket in the cache -(with the \fIinvalid\fP flag set) be passed to the KDC for validation. -If the ticket is within its requested time range, -the cache is replaced with the validated ticket. -.TP -.B \fB\-R\fP -.sp -requests renewal of the ticket\-granting ticket. -Note that an expired ticket cannot be renewed, even if the ticket -is still within its renewable life. -.TP -.B \fB\-k\fP [\fB\-t\fP \fIkeytab_file\fP] -.sp -requests a ticket, obtained from a key in the local host\(aqs \fIkeytab\fP file. -The name and location of the key tab file may be specified with the -\fB\-t\fP \fIkeytab_file\fP option; otherwise the default name and location will be used. -By default a host ticket is requested but any principal may be specified. -On a KDC, the special keytab location \fBKDB:\fP can be used to indicate that kinit -should open the KDC database and look up the key directly. -This permits an administrator to obtain tickets as any principal that -supports password\-based authentication. -.TP -.B \fB\-n\fP -.sp -Requests anonymous processing. -Two types of anonymous principals are supported. -.sp -For fully anonymous Kerberos, configure pkinit on the KDC and configure -\fIpkinit_anchors\fP in the client\(aqs krb5.conf. Then use the \fB\-n\fP option with -a principal of the form \fI@REALM\fP (an empty principal name followed by the -at\-sign and a realm name). If permitted by the KDC, an anonymous ticket will be returned. -.sp -A second form of anonymous tickets is supported; these realm\-exposed tickets -hide the identity of the client but not the client\(aqs realm. -For this mode, use \fBkinit \-n\fP with a normal principal name. -If supported by the KDC, the principal (but not realm) will be replaced by the anonymous principal. -.sp -As of release 1.8, the MIT Kerberos KDC only supports fully anonymous operation. -.TP -.B \fB\-T\fP \fIarmor_ccache\fP -.sp -Specifies the name of a credential cache that already contains a ticket. If supported by the KDC, This -ccache will be used to armor the request so that an attacker would have to know both the key of the armor -ticket and the key of the principal used for authentication in order to attack the request. Armoring also -makes sure that the response from the KDC is not modified in transit. -.TP -.B \fB\-c\fP \fIcache_name\fP -.sp -use \fIcache_name\fP as the Kerberos 5 credentials (ticket) cache name and location; -if this option is not used, the default cache name and location are used. -.sp -The default credentials cache may vary between systems. If -the \fBKRB5CCNAME\fP environment variable is set, its value is -used to name the default ticket cache. If a principal name -is specified and the type of the default credentials cache -supports a collection (such as the DIR type), an existing -cache containing credentials for the principal is selected -or a new one is created and becomes the new primary cache. -Otherwise, any existing contents of the default cache are -destroyed by kinit. -.TP -.B \fB\-S\fP \fIservice_name\fP -.sp -specify an alternate service name to use when getting initial tickets. -.TP -.B \fB\-X\fP \fIattribute\fP [= \fIvalue\fP ] -.sp -specify a pre\-authentication \fIattribute\fP and \fIvalue\fP to be passed to pre\-authentication plugins. -The acceptable attribute and value values vary from pre\-authentication plugin to plugin. -This option may be specified multiple times to specify multiple attributes. -If no value is specified, it is assumed to be "yes". -.sp -The following attributes are recognized by the OpenSSL pkinit pre\-authentication mechanism: -.INDENT 7.0 -.INDENT 3.5 -.sp -\fBX509_user_identity\fP = \fIvalue\fP -.INDENT 0.0 -.INDENT 3.5 -.sp -specify where to find user\(aqs X509 identity information -.UNINDENT -.UNINDENT -.sp -\fBX509_anchors\fP = \fIvalue\fP -.INDENT 0.0 -.INDENT 3.5 -.sp -specify where to find trusted X509 anchor information -.UNINDENT -.UNINDENT -.sp -\fBflag_RSA_PROTOCOL\fP [ = \fIyes\fP ] -.INDENT 0.0 -.INDENT 3.5 -.sp -specify use of RSA, rather than the default Diffie\-Hellman protocol -.UNINDENT -.UNINDENT -.UNINDENT -.UNINDENT -.UNINDENT -.UNINDENT -.UNINDENT -.SH ENVIRONMENT -.sp -\fIkinit\fP uses the following environment variables: -.INDENT 0.0 -.INDENT 3.5 -.INDENT 0.0 -.TP -.B \fBKRB5CCNAME\fP -.sp -Location of the default Kerberos 5 credentials (ticket) -cache, in the form \fItype\fP:\fIresidual\fP. If no type prefix is -present, the \fBFILE\fP type is assumed. The type of the -default cache may determine the availability of a cache -collection; for instance, a default cache of type \fBDIR\fP -causes caches within the directory to be present in the -collection. -.UNINDENT -.UNINDENT -.UNINDENT -.SH FILES -.sp -/tmp/krb5cc_[uid] default location of Kerberos 5 credentials cache ([uid] is the decimal UID of the user). -.sp -/etc/krb5.keytab default location for the local host\(aqs keytab file. -.SH SEE ALSO -.sp -klist(1), kdestroy(1), kerberos(1) -.SH AUTHOR -MIT -.SH COPYRIGHT -2011, MIT -.\" Generated by docutils manpage writer. -. diff --git a/src/man/kinit.man b/src/man/kinit.man new file mode 100644 index 000000000..4d88691bc --- /dev/null +++ b/src/man/kinit.man @@ -0,0 +1,275 @@ +.TH "KINIT" "1" " " "0.0.1" "MIT Kerberos" +.SH NAME +kinit \- obtain and cache Kerberos ticket-granting ticket +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.\" Man page generated from reStructeredText. +. +.SH SYNOPSIS +.sp +\fBkinit\fP +[\fB\-V\fP] +[\fB\-l\fP \fIlifetime\fP] +[\fB\-s\fP \fIstart_time\fP] +[\fB\-r\fP \fIrenewable_life\fP] +[\fB\-p\fP | \-\fBP\fP] +[\fB\-f\fP | \-\fBF\fP] +[\fB\-a\fP] +[\fB\-A\fP] +[\fB\-C\fP] +[\fB\-E\fP] +[\fB\-v\fP] +[\fB\-R\fP] +[\fB\-k\fP [\-\fBt\fP \fIkeytab_file\fP]] +[\fB\-c\fP \fIcache_name\fP] +[\fB\-n\fP] +[\fB\-S\fP \fIservice_name\fP] +[\fB\-T\fP \fIarmor_ccache\fP] +[\fB\-X\fP \fIattribute\fP[=\fIvalue\fP]] +[\fIprincipal\fP] +.SH DESCRIPTION +.sp +kinit obtains and caches an initial ticket\-granting ticket for +\fIprincipal\fP. +.SH OPTIONS +.INDENT 0.0 +.TP +.B \fB\-V\fP +.sp +display verbose output. +.TP +.B \fB\-l\fP \fIlifetime\fP +.sp +requests a ticket with the lifetime \fIlifetime\fP. The integer value +for \fIlifetime\fP must be followed immediately by one of the +following delimiters: +.INDENT 7.0 +.INDENT 3.5 +.sp +.nf +.ft C +s seconds +m minutes +h hours +d days +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +as in \fBkinit \-l 90m\fP. You cannot mix units; a value of +\fB3h30m\fP will result in an error. +.sp +If the \fB\-l\fP option is not specified, the default ticket lifetime +(configured by each site) is used. Specifying a ticket lifetime +longer than the maximum ticket lifetime (configured by each site) +results in a ticket with the maximum lifetime. +.TP +.B \fB\-s\fP \fIstart_time\fP +.sp +requests a postdated ticket, valid starting at \fIstart_time\fP. +Postdated tickets are issued with the \fBinvalid\fP flag set, and +need to be resubmitted to the KDC for validation before use. +.TP +.B \fB\-r\fP \fIrenewable_life\fP +.sp +requests renewable tickets, with a total lifetime of +\fIrenewable_life\fP. The duration is in the same format as the +\fB\-l\fP option, with the same delimiters. +.TP +.B \fB\-f\fP +.sp +requests forwardable tickets. +.TP +.B \fB\-F\fP +.sp +requests non\-forwardable tickets. +.TP +.B \fB\-p\fP +.sp +requests proxiable tickets. +.TP +.B \fB\-P\fP +.sp +requests non\-proxiable tickets. +.TP +.B \fB\-a\fP +.sp +requests tickets restricted to the host\(aqs local address[es]. +.TP +.B \fB\-A\fP +.sp +requests tickets not restricted by address. +.TP +.B \fB\-C\fP +.sp +requests canonicalization of the principal name, and allows the +KDC to reply with a different client principal from the one +requested. +.TP +.B \fB\-E\fP +.sp +treats the principal name as an enterprise name (implies the +\fB\-C\fP option). +.TP +.B \fB\-v\fP +.sp +requests that the ticket\-granting ticket in the cache (with the +\fBinvalid\fP flag set) be passed to the KDC for validation. If the +ticket is within its requested time range, the cache is replaced +with the validated ticket. +.TP +.B \fB\-R\fP +.sp +requests renewal of the ticket\-granting ticket. Note that an +expired ticket cannot be renewed, even if the ticket is still +within its renewable life. +.TP +.B \fB\-k\fP [\fB\-t\fP \fIkeytab_file\fP] +.sp +requests a ticket, obtained from a key in the local host\(aqs keytab. +The location of the keytab may be specified with the \fB\-t\fP +\fIkeytab_file\fP option; otherwise the default keytab will be used. +By default, a host ticket for the local host is requested, but any +principal may be specified. On a KDC, the special keytab location +\fBKDB:\fP can be used to indicate that kinit should open the KDC +database and look up the key directly. This permits an +administrator to obtain tickets as any principal that supports +authentication based on the key. +.TP +.B \fB\-n\fP +.sp +Requests anonymous processing. Two types of anonymous principals +are supported. +.sp +For fully anonymous Kerberos, configure pkinit on the KDC and +configure \fBpkinit_anchors\fP in the client\(aqs \fIkrb5.conf(5)\fP. +Then use the \fB\-n\fP option with a principal of the form \fB@REALM\fP +(an empty principal name followed by the at\-sign and a realm +name). If permitted by the KDC, an anonymous ticket will be +returned. +.sp +A second form of anonymous tickets is supported; these +realm\-exposed tickets hide the identity of the client but not the +client\(aqs realm. For this mode, use \fBkinit \-n\fP with a normal +principal name. If supported by the KDC, the principal (but not +realm) will be replaced by the anonymous principal. +.sp +As of release 1.8, the MIT Kerberos KDC only supports fully +anonymous operation. +.TP +.B \fB\-T\fP \fIarmor_ccache\fP +.sp +Specifies the name of a credentials cache that already contains a +ticket. If supported by the KDC, this cache will be used to armor +the request, preventing offline dictionary attacks and allowing +the use of additional preauthentication mechanisms. Armoring also +makes sure that the response from the KDC is not modified in +transit. +.TP +.B \fB\-c\fP \fIcache_name\fP +.sp +use \fIcache_name\fP as the Kerberos 5 credentials (ticket) cache +location. If this option is not used, the default cache location +is used. +.sp +The default cache location may vary between systems. If the +\fBKRB5CCNAME\fP environment variable is set, its value is used to +locate the default cache. If a principal name is specified and +the type of the default cache supports a collection (such as the +DIR type), an existing cache containing credentials for the +principal is selected or a new one is created and becomes the new +primary cache. Otherwise, any existing contents of the default +cache are destroyed by kinit. +.TP +.B \fB\-S\fP \fIservice_name\fP +.sp +specify an alternate service name to use when getting initial +tickets. +.TP +.B \fB\-X\fP \fIattribute\fP[=\fIvalue\fP] +.sp +specify a pre\-authentication \fIattribute\fP and \fIvalue\fP to be +interpreted by pre\-authentication modules. The acceptable +attribute and value values vary from module to module. This +option may be specified multiple times to specify multiple +attributes. If no value is specified, it is assumed to be "yes". +.sp +The following attributes are recognized by the PKINIT +pre\-authentication mechanism: +.INDENT 7.0 +.TP +.B \fBX509_user_identity\fP=\fIvalue\fP +.sp +specify where to find user\(aqs X509 identity information +.TP +.B \fBX509_anchors\fP=\fIvalue\fP +.sp +specify where to find trusted X509 anchor information +.TP +.B \fBflag_RSA_PROTOCOL\fP[\fB=yes\fP] +.sp +specify use of RSA, rather than the default Diffie\-Hellman +protocol +.UNINDENT +.UNINDENT +.SH ENVIRONMENT +.sp +kinit uses the following environment variables: +.INDENT 0.0 +.TP +.B \fBKRB5CCNAME\fP +.sp +Location of the default Kerberos 5 credentials cache, in the form +\fItype\fP:\fIresidual\fP. If no \fItype\fP prefix is present, the \fBFILE\fP +type is assumed. The type of the default cache may determine the +availability of a cache collection; for instance, a default cache +of type \fBDIR\fP causes caches within the directory to be present +in the collection. +.UNINDENT +.SH FILES +.INDENT 0.0 +.TP +.B \fB/tmp/krb5cc_[uid]\fP +.sp +default location of Kerberos 5 credentials cache ([\fIuid\fP] is the +decimal UID of the user). +.TP +.B \fB/etc/krb5.keytab\fP +.sp +default location for the local host\(aqs keytab. +.UNINDENT +.SH SEE ALSO +.sp +\fIklist(1)\fP, \fIkdestroy(1)\fP, kerberos(1) +.SH AUTHOR +MIT +.SH COPYRIGHT +2011, MIT +.\" Generated by docutils manpage writer. +. diff --git a/src/man/klist.1 b/src/man/klist.1 deleted file mode 100644 index b56aa5034..000000000 --- a/src/man/klist.1 +++ /dev/null @@ -1,161 +0,0 @@ -.TH "KLIST" "1" "January 06, 2012" "0.0.1" "MIT Kerberos" -.SH NAME -klist \- list cached Kerberos tickets -. -.nr rst2man-indent-level 0 -. -.de1 rstReportMargin -\\$1 \\n[an-margin] -level \\n[rst2man-indent-level] -level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] -- -\\n[rst2man-indent0] -\\n[rst2man-indent1] -\\n[rst2man-indent2] -.. -.de1 INDENT -.\" .rstReportMargin pre: -. RS \\$1 -. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] -. nr rst2man-indent-level +1 -.\" .rstReportMargin post: -.. -.de UNINDENT -. RE -.\" indent \\n[an-margin] -.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] -.nr rst2man-indent-level -1 -.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] -.in \\n[rst2man-indent\\n[rst2man-indent-level]]u -.. -.\" Man page generated from reStructeredText. -. -.SH SYNOPSIS -.INDENT 0.0 -.TP -.B \fBklist\fP -.sp -[\fB\-e\fP] -[[\fB\-c\fP] [\fB\-l\fP] [\fB\-A\fP] [\fB\-f\fP] [\fB\-s\fP] [\fB\-a\fP [\fB\-n\fP]]] -[\fB\-k\fP [\fB\-t\fP] [\fB\-K\fP]] -[\fB\-V\fP] -[\fIcache_name\fP | \fIkeytab_name\fP] -.UNINDENT -.SH DESCRIPTION -.sp -\fIklist\fP lists the Kerberos principal and Kerberos tickets held in a credentials cache, or the keys held in a \fIkeytab\fP file. -.SH OPTIONS -.INDENT 0.0 -.INDENT 3.5 -.INDENT 0.0 -.TP -.B \fB\-e\fP -.sp -Displays the encryption types of the session key and the ticket for each credential in the credential cache, -or each key in the keytab file. -.TP -.B \fB\-l\fP -.sp -If a cache collection is available, displays a table -summarizing the caches present in the collection. -.TP -.B \fB\-A\fP -.sp -If a cache collection is available, displays the contents of -all of the caches in the collection. -.TP -.B \fB\-c\fP -.sp -List tickets held in a credentials cache. This is the default if neither \fI\-c\fP nor \fI\-k\fP is specified. -.TP -.B \fB\-f\fP -.sp -Shows the flags present in the credentials, using the following abbreviations: -.sp -.nf -.ft C -F Forwardable -f forwarded -P Proxiable -p proxy -D postDateable -d postdated -R Renewable -I Initial -i invalid -H Hardware authenticated -A preAuthenticated -T Transit policy checked -O Okay as delegate -a anonymous -.ft P -.fi -.TP -.B \fB\-s\fP -.sp -Causes \fIklist\fP to run silently (produce no output), but to still set the exit status according to whether it -finds the credentials cache. The exit status is \(aq0\(aq if \fIklist\fP finds a credentials cache, and \(aq1\(aq if it does not -or if the tickets are expired. -.TP -.B \fB\-a\fP -.sp -Display list of addresses in credentials. -.TP -.B \fB\-n\fP -.sp -Show numeric addresses instead of reverse\-resolving addresses. -.TP -.B \fB\-k\fP -.sp -List keys held in a keytab file. -.TP -.B \fB\-t\fP -.sp -Display the time entry timestamps for each keytab entry in the keytab file. -.TP -.B \fB\-K\fP -.sp -Display the value of the encryption key in each \fIkeytab\fP entry in the \fIkeytab\fP file. -.TP -.B \fB\-V\fP -.sp -Display the Kerberos version number and exit. -.UNINDENT -.sp -If \fBcache_name\fP or \fBkeytab_name\fP is not specified, \fIklist\fP will display the credentials in the default credentials cache or -\fIkeytab\fP file as appropriate. If the \fIKRB5CCNAME\fP environment variable is set, its value is used to name the default ticket cache. -.UNINDENT -.UNINDENT -.SH ENVIRONMENT -.sp -\fIklist\fP uses the following environment variable: -.INDENT 0.0 -.INDENT 3.5 -.INDENT 0.0 -.TP -.B \fBKRB5CCNAME\fP -.sp -Location of the default Kerberos 5 credentials (ticket) -cache, in the form \fItype\fP:\fIresidual\fP. If no type prefix is -present, the \fBFILE\fP type is assumed. The type of the -default cache may determine the availability of a cache -collection; for instance, a default cache of type \fBDIR\fP -causes caches within the directory to be present in the -collection. -.UNINDENT -.UNINDENT -.UNINDENT -.SH FILES -.sp -/tmp/krb5cc_[uid] \- Default location of Kerberos 5 credentials cache ([uid] is the decimal UID of the user). -.sp -/etc/krb5.keytab \- Default location for the local host\(aqs keytab file. -.SH SEE ALSO -.sp -kinit(1), kdestroy(1) -.SH AUTHOR -MIT -.SH COPYRIGHT -2011, MIT -.\" Generated by docutils manpage writer. -. diff --git a/src/man/klist.man b/src/man/klist.man new file mode 100644 index 000000000..80b1f12ce --- /dev/null +++ b/src/man/klist.man @@ -0,0 +1,169 @@ +.TH "KLIST" "1" " " "0.0.1" "MIT Kerberos" +.SH NAME +klist \- list cached Kerberos tickets +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.\" Man page generated from reStructeredText. +. +.SH SYNOPSIS +.sp +\fBklist\fP +[\fB\-e\fP] +[[\fB\-c\fP] [\fB\-l\fP] [\fB\-A\fP] [\fB\-f\fP] [\fB\-s\fP] [\fB\-a\fP [\fB\-n\fP]]] +[\fB\-k\fP [\fB\-t\fP] [\fB\-K\fP]] +[\fB\-V\fP] +[\fIcache_name\fP|\fIkeytab_name\fP] +.SH DESCRIPTION +.sp +klist lists the Kerberos principal and Kerberos tickets held in a +credentials cache, or the keys held in a keytab file. +.SH OPTIONS +.INDENT 0.0 +.TP +.B \fB\-e\fP +.sp +Displays the encryption types of the session key and the ticket +for each credential in the credential cache, or each key in the +keytab file. +.TP +.B \fB\-l\fP +.sp +If a cache collection is available, displays a table summarizing +the caches present in the collection. +.TP +.B \fB\-A\fP +.sp +If a cache collection is available, displays the contents of all +of the caches in the collection. +.TP +.B \fB\-c\fP +.sp +List tickets held in a credentials cache. This is the default if +neither \fB\-c\fP nor \fB\-k\fP is specified. +.TP +.B \fB\-f\fP +.sp +Shows the flags present in the credentials, using the following +abbreviations: +.INDENT 7.0 +.INDENT 3.5 +.sp +.nf +.ft C +F Forwardable +f forwarded +P Proxiable +p proxy +D postDateable +d postdated +R Renewable +I Initial +i invalid +H Hardware authenticated +A preAuthenticated +T Transit policy checked +O Okay as delegate +a anonymous +.ft P +.fi +.UNINDENT +.UNINDENT +.TP +.B \fB\-s\fP +.sp +Causes klist to run silently (produce no output), but to still set +the exit status according to whether it finds the credentials +cache. The exit status is \(aq0\(aq if klist finds a credentials cache, +and \(aq1\(aq if it does not or if the tickets are expired. +.TP +.B \fB\-a\fP +.sp +Display list of addresses in credentials. +.TP +.B \fB\-n\fP +.sp +Show numeric addresses instead of reverse\-resolving addresses. +.TP +.B \fB\-k\fP +.sp +List keys held in a keytab file. +.TP +.B \fB\-t\fP +.sp +Display the time entry timestamps for each keytab entry in the +keytab file. +.TP +.B \fB\-K\fP +.sp +Display the value of the encryption key in each keytab entry in +the keytab file. +.TP +.B \fB\-V\fP +.sp +Display the Kerberos version number and exit. +.UNINDENT +.sp +If \fIcache_name\fP or \fIkeytab_name\fP is not specified, klist will display +the credentials in the default credentials cache or keytab file as +appropriate. If the \fBKRB5CCNAME\fP environment variable is set, its +value is used to locate the default ticket cache. +.SH ENVIRONMENT +.sp +klist uses the following environment variable: +.INDENT 0.0 +.TP +.B \fBKRB5CCNAME\fP +.sp +Location of the default Kerberos 5 credentials (ticket) cache, in +the form \fItype\fP:\fIresidual\fP. If no \fItype\fP prefix is present, the +\fBFILE\fP type is assumed. The type of the default cache may +determine the availability of a cache collection; for instance, a +default cache of type \fBDIR\fP causes caches within the directory +to be present in the collection. +.UNINDENT +.SH FILES +.INDENT 0.0 +.TP +.B \fB/tmp/krb5cc_[uid]\fP +.sp +Default location of Kerberos 5 credentials cache ([uid] is the +decimal UID of the user). +.TP +.B \fB/etc/krb5.keytab\fP +.sp +Default location for the local host\(aqs keytab file. +.UNINDENT +.SH SEE ALSO +.sp +\fIkinit(1)\fP, \fIkdestroy(1)\fP +.SH AUTHOR +MIT +.SH COPYRIGHT +2011, MIT +.\" Generated by docutils manpage writer. +. diff --git a/src/man/kpasswd.1 b/src/man/kpasswd.1 deleted file mode 100644 index ec1c252d5..000000000 --- a/src/man/kpasswd.1 +++ /dev/null @@ -1,79 +0,0 @@ -.TH "KPASSWD" "1" "January 06, 2012" "0.0.1" "MIT Kerberos" -.SH NAME -kpasswd \- change a user's Kerberos password -. -.nr rst2man-indent-level 0 -. -.de1 rstReportMargin -\\$1 \\n[an-margin] -level \\n[rst2man-indent-level] -level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] -- -\\n[rst2man-indent0] -\\n[rst2man-indent1] -\\n[rst2man-indent2] -.. -.de1 INDENT -.\" .rstReportMargin pre: -. RS \\$1 -. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] -. nr rst2man-indent-level +1 -.\" .rstReportMargin post: -.. -.de UNINDENT -. RE -.\" indent \\n[an-margin] -.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] -.nr rst2man-indent-level -1 -.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] -.in \\n[rst2man-indent\\n[rst2man-indent-level]]u -.. -.\" Man page generated from reStructeredText. -. -.SH SYNOPSIS -.sp -\fIkpasswd\fP [ \fIprincipal\fP ] -.SH DESCRIPTION -.sp -The \fIkpasswd\fP command is used to change a Kerberos principal\(aqs password. -\fIkpasswd\fP prompts for the current Kerberos password, which is used to obtain a -\fIchangepw\fP ticket from the KDC for the user\(aqs Kerberos realm. -If \fIkpasswd\fP successfully obtains the \fIchangepw\fP ticket, the user is prompted twice for -the new password, and the password is changed. -.sp -If the principal is governed by a policy that specifies the length and/or number of -character classes required in the new password, the new password must conform to the policy. -(The five character classes are lower case, upper case, numbers, punctuation, and all other characters.) -.SH OPTIONS -.INDENT 0.0 -.TP -.B \fIprincipal\fP -.sp -Change the password for the Kerberos principal principal. -Otherwise, \fIkpasswd\fP uses the principal name from an existing ccache if there is one; -if not, the principal is derived from the identity of the user invoking the \fIkpasswd\fP command. -.UNINDENT -.SH PORTS -.sp -\fIkpasswd\fP looks first for: -.sp -.nf -.ft C -kpasswd_server = host:port -.ft P -.fi -.sp -in the [\fIrealms\fP] section of the \fIkrb5.conf\fP file under the current realm. -If that is missing, \fIkpasswd\fP looks for the \fIadmin_server\fP entry, but substitutes 464 for the port. -.SH SEE ALSO -.sp -kadmin(8), kadmind(8) -.SH BUGS -.sp -\fIkpasswd\fP may not work with multi\-homed hosts running on the Solaris platform. -.SH AUTHOR -MIT -.SH COPYRIGHT -2011, MIT -.\" Generated by docutils manpage writer. -. diff --git a/src/man/kpasswd.man b/src/man/kpasswd.man new file mode 100644 index 000000000..0aab125b7 --- /dev/null +++ b/src/man/kpasswd.man @@ -0,0 +1,65 @@ +.TH "KPASSWD" "1" " " "0.0.1" "MIT Kerberos" +.SH NAME +kpasswd \- change a user's Kerberos password +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.\" Man page generated from reStructeredText. +. +.SH SYNOPSIS +.sp +\fBkpasswd\fP [\fIprincipal\fP] +.SH DESCRIPTION +.sp +The kpasswd command is used to change a Kerberos principal\(aqs password. +kpasswd first prompts for the current Kerberos password, then prompts +the user twice for the new password, and the password is changed. +.sp +If the principal is governed by a policy that specifies the length +and/or number of character classes required in the new password, the +new password must conform to the policy. (The five character classes +are lower case, upper case, numbers, punctuation, and all other +characters.) +.SH OPTIONS +.INDENT 0.0 +.TP +.B \fIprincipal\fP +.sp +Change the password for the Kerberos principal principal. +Otherwise, kpasswd uses the principal name from an existing ccache +if there is one; if not, the principal is derived from the +identity of the user invoking the kpasswd command. +.UNINDENT +.SH SEE ALSO +.sp +\fIkadmin(1)\fP, \fIkadmind(8)\fP +.SH AUTHOR +MIT +.SH COPYRIGHT +2011, MIT +.\" Generated by docutils manpage writer. +. diff --git a/src/man/kprop.8 b/src/man/kprop.man similarity index 67% rename from src/man/kprop.8 rename to src/man/kprop.man index 999aa6c82..d4e2d0c36 100644 --- a/src/man/kprop.8 +++ b/src/man/kprop.man @@ -1,4 +1,4 @@ -.TH "KPROP" "8" "January 06, 2012" "0.0.1" "MIT Kerberos" +.TH "KPROP" "8" " " "0.0.1" "MIT Kerberos" .SH NAME kprop \- propagate a Kerberos V5 principal database to a slave server . @@ -31,28 +31,22 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] .\" Man page generated from reStructeredText. . .SH SYNOPSIS -.INDENT 0.0 -.TP -.B \fBkprop\fP .sp +\fBkprop\fP [\fB\-r\fP \fIrealm\fP] [\fB\-f\fP \fIfile\fP] [\fB\-d\fP] [\fB\-P\fP \fIport\fP] [\fB\-s\fP \fIkeytab\fP] \fIslave_host\fP -.UNINDENT .SH DESCRIPTION .sp -\fIkprop\fP is used to propagate a Kerberos V5 database dump file from the master -Kerberos server to a slave Kerberos server, which is specified by \fIslave_host\fP. -This is done by transmitting the dumped database file to the slave server over -an encrypted, secure channel. -The dump file must be created by \fIkdb5_util(8)\fP. +kprop is used to securely propagate a Kerberos V5 database dump file +from the master Kerberos server to a slave Kerberos server, which is +specified by \fIslave_host\fP. The dump file must be created by +\fIkdb5_util(8)\fP. .SH OPTIONS .INDENT 0.0 -.INDENT 3.5 -.INDENT 0.0 .TP .B \fB\-r\fP \fIrealm\fP .sp @@ -60,13 +54,14 @@ Specifies the realm of the master server. .TP .B \fB\-f\fP \fIfile\fP .sp -Specifies the filename where the dumped principal database file is to be found; -by default the dumped database file is normally -\fI/usr/local/var/krb5kdc/slave_datatrans\fP. +Specifies the filename where the dumped principal database file is +to be found; by default the dumped database file is normally +\fB@LOCALSTATEDIR@/krb5kdc\fP\fB/slave_datatrans\fP. .TP .B \fB\-P\fP \fIport\fP .sp -Specifies the port to use to contact the \fIkpropd(8)\fP server on the remote host. +Specifies the port to use to contact the \fIkpropd(8)\fP server +on the remote host. .TP .B \fB\-d\fP .sp @@ -76,23 +71,17 @@ Prints debugging information. .sp Specifies the location of the keytab file. .UNINDENT -.UNINDENT -.UNINDENT .SH ENVIRONMENT .sp \fIkprop\fP uses the following environment variable: .INDENT 0.0 -.INDENT 3.5 -.INDENT 0.0 .IP \(bu 2 . \fBKRB5_CONFIG\fP .UNINDENT -.UNINDENT -.UNINDENT .SH SEE ALSO .sp -kpropd(8), kdb5_util(8), krb5kdc(8) +\fIkpropd(8)\fP, \fIkdb5_util(8)\fP, \fIkrb5kdc(8)\fP .SH AUTHOR MIT .SH COPYRIGHT diff --git a/src/man/kpropd.8 b/src/man/kpropd.8 deleted file mode 100644 index af7c0e273..000000000 --- a/src/man/kpropd.8 +++ /dev/null @@ -1,161 +0,0 @@ -.TH "KPROPD" "8" "January 06, 2012" "0.0.1" "MIT Kerberos" -.SH NAME -kpropd \- Kerberos V5 slave KDC update server -. -.nr rst2man-indent-level 0 -. -.de1 rstReportMargin -\\$1 \\n[an-margin] -level \\n[rst2man-indent-level] -level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] -- -\\n[rst2man-indent0] -\\n[rst2man-indent1] -\\n[rst2man-indent2] -.. -.de1 INDENT -.\" .rstReportMargin pre: -. RS \\$1 -. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] -. nr rst2man-indent-level +1 -.\" .rstReportMargin post: -.. -.de UNINDENT -. RE -.\" indent \\n[an-margin] -.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] -.nr rst2man-indent-level -1 -.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] -.in \\n[rst2man-indent\\n[rst2man-indent-level]]u -.. -.\" Man page generated from reStructeredText. -. -.SH SYNOPSIS -.INDENT 0.0 -.TP -.B \fBkpropd\fP -.sp -[ \fB\-r\fP \fIrealm\fP ] -[ \fB\-a\fP \fIacl_file\fP ] -[ \fB\-f\fP \fIslave_dumpfile\fP ] -[ \fB\-F\fP \fIprincipal_database\fP ] -[ \fB\-p\fP \fIkdb5_util_prog\fP ] -[ \fB\-P\fP \fIport\fP ] -[ \fB\-d\fP ] -[ \fB\-S\fP ] -.UNINDENT -.SH DESCRIPTION -.sp -The \fIkpropd\fP command runs on the slave KDC server. -It listens for update requests made by the \fIkprop(8)\fP program, -and periodically requests incremental updates from the master KDC. -.sp -When the slave receives a \fIkprop\fP request from the master, -\fIkpropd\fP accepts the dumped KDC database and places it in a file, -and then runs \fIkdb5_util(8)\fP to load the dumped database into -the active database which is used by \fIkrb5kdc(8)\fP. -Thus, the master Kerberos server can use \fIkprop(8)\fP -to propagate its database to the slave servers. -Upon a successful download of the KDC database file, -the slave Kerberos server will have an up\-to\-date KDC database. -.sp -Normally, \fIkpropd\fP is invoked out of inetd(8). -This is done by adding a line to the \fIinetd.conf\fP file which looks like this: -.sp -.nf -.ft C -kprop stream tcp nowait root /usr/local/sbin/kpropd kpropd -.ft P -.fi -.sp -However, \fIkpropd\fP can also run as a standalone daemon, if the \fI\-S\fP option is turned on. -This is done for debugging purposes, or if for some reason the system administrator -just doesn\(aqt want to run it out of inetd(8). -.sp -When the slave periodically requests incremental updates, -\fIkpropd\fP updates its \fIprincipal.ulog\fP file with any updates from the master. -\fIkproplog(8)\fP can be used to view a summary of the update entry log on the slave KDC. -Incremental propagation is not enabled by default; -it can be enabled using the \fIiprop_enable\fP and \fIiprop_slave_poll\fP settings in \fIkdc.conf\fP. -The principal "kiprop/slavehostname@REALM" -(where "slavehostname" is the name of the slave KDC host, -and "REALM" is the name of the Kerberos realm) -must be present in the slave\(aqs keytab file. -.SH OPTIONS -.INDENT 0.0 -.INDENT 3.5 -.INDENT 0.0 -.TP -.B \fB\-r\fP \fIrealm\fP -.sp -Specifies the realm of the master server. -.TP -.B \fB\-f\fP \fIfile\fP -.sp -Specifies the filename where the dumped principal database file is to be stored; -by default the dumped database file \fI/usr/local/var/krb5kdc/from_master\fP. -.TP -.B \fB\-p\fP -.sp -Allows the user to specify the pathname to the \fIkdb5_util(8)\fP program; -by default the pathname used is /usr/local/sbin/kdb5_util. -.TP -.B \fB\-S\fP -.sp -Turn on standalone mode. Normally, \fIkpropd\fP is invoked out of inetd(8) -so it expects a network connection to be passed to it from inetd(8). -If the \fI\-S\fP option is specified, \fIkpropd\fP will put itself into the background, -and wait for connections to the \fIkrb5_prop\fP port specified in /etc/services. -.TP -.B \fB\-d\fP -.sp -Turn on debug mode. In this mode, if the \fI\-S\fP option is selected, -\fIkpropd\fP will not detach itself from the current job and run in the background. -Instead, it will run in the foreground and print out debugging messages -during the database propagation. -.TP -.B \fB\-P\fP -.sp -Allow for an alternate port number for \fIkpropd\fP to listen on. -This is only useful if the program is run in standalone mode. -.TP -.B \fB\-a\fP \fIacl_file\fP -.sp -Allows the user to specify the path to the \fIkpropd.acl\fP file; -by default the path used is /usr/local/var/krb5kdc/kpropd.acl. -.UNINDENT -.UNINDENT -.UNINDENT -.SH ENVIRONMENT -.sp -\fIkpropd\fP uses the following environment variables: -.INDENT 0.0 -.INDENT 3.5 -.INDENT 0.0 -.IP \(bu 2 -. -\fBKRB5_CONFIG\fP -.IP \(bu 2 -. -\fBKRB5_KDC_PROFILE\fP -.UNINDENT -.UNINDENT -.UNINDENT -.SH FILES -.INDENT 0.0 -.TP -.B \fIkpropd.acl\fP -.sp -Access file for \fIkpropd\fP; the default location is \fI/usr/local/var/krb5kdc/kpropd.acl\fP. -Each entry is a line containing the principal of a \fIhost\fP from which the local machine -will allow Kerberos database propagation via \fIkprop(8)\fP. -.UNINDENT -.SH SEE ALSO -.sp -kprop(8), kdb5_util(8), krb5kdc(8), inetd(8) -.SH AUTHOR -MIT -.SH COPYRIGHT -2011, MIT -.\" Generated by docutils manpage writer. -. diff --git a/src/man/kpropd.man b/src/man/kpropd.man new file mode 100644 index 000000000..2f7553626 --- /dev/null +++ b/src/man/kpropd.man @@ -0,0 +1,158 @@ +.TH "KPROPD" "8" " " "0.0.1" "MIT Kerberos" +.SH NAME +kpropd \- Kerberos V5 slave KDC update server +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.\" Man page generated from reStructeredText. +. +.SH SYNOPSIS +.sp +\fBkpropd\fP +[\fB\-r\fP \fIrealm\fP] +[\fB\-a\fP \fIacl_file\fP] +[\fB\-f\fP \fIslave_dumpfile\fP] +[\fB\-F\fP \fIprincipal_database\fP] +[\fB\-p\fP \fIkdb5_util_prog\fP] +[\fB\-P\fP \fIport\fP] +[\fB\-d\fP] +[\fB\-S\fP] +.SH DESCRIPTION +.sp +The \fIkpropd\fP command runs on the slave KDC server. It listens for +update requests made by the \fIkprop(8)\fP program. If incremental +propagation is enabled, it periodically requests incremental updates +from the master KDC. +.sp +When the slave receives a kprop request from the master, kpropd +accepts the dumped KDC database and places it in a file, and then runs +\fIkdb5_util(8)\fP to load the dumped database into the active +database which is used by \fIkrb5kdc(8)\fP. This allows the master +Kerberos server to use \fIkprop(8)\fP to propagate its database to +the slave servers. Upon a successful download of the KDC database +file, the slave Kerberos server will have an up\-to\-date KDC database. +.sp +Normally, kpropd is invoked out of inetd(8). This is done by adding +a line to the \fB/etc/inetd.conf\fP file which looks like this: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +kprop stream tcp nowait root /usr/local/sbin/kpropd kpropd +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +kpropd can also run as a standalone daemon by specifying the \fB\-S\fP +option. This is done for debugging purposes, or if for some reason +the system administrator just doesn\(aqt want to run it out of inetd(8). +.sp +Incremental propagation may be enabled with the \fBiprop_enable\fP +variable in \fIkdc.conf(5)\fP. If incremental propagation is +enabled, the slave periodically polls the master KDC for updates, at +an interval determined by the \fBiprop_slave_poll\fP variable. If the +slave receives updates, kpropd updates its log file with any updates +from the master. \fIkproplog(8)\fP can be used to view a summary of +the update entry log on the slave KDC. If incremental propagation is +enabled, the principal \fBkiprop/slavehostname@REALM\fP (where +\fIslavehostname\fP is the name of the slave KDC host, and \fIREALM\fP is the +name of the Kerberos realm) must be present in the slave\(aqs keytab +file. +.SH OPTIONS +.INDENT 0.0 +.TP +.B \fB\-r\fP \fIrealm\fP +.sp +Specifies the realm of the master server. +.TP +.B \fB\-f\fP \fIfile\fP +.sp +Specifies the filename where the dumped principal database file is +to be stored; by default the dumped database file is \fB@LOCALSTATEDIR@/krb5kdc\fP\fB/from_master\fP. +.TP +.B \fB\-p\fP +.sp +Allows the user to specify the pathname to the \fIkdb5_util(8)\fP +program; by default the pathname used is \fB@SBINDIR@\fP\fB/kdb5_util\fP. +.TP +.B \fB\-S\fP +.sp +Turn on standalone mode. Normally, kpropd is invoked out of +inetd(8) so it expects a network connection to be passed to it +from inetd(8). If the \fB\-S\fP option is specified, kpropd will put +itself into the background, and wait for connections on port 754 +(or the port specified with the \fB\-P\fP option if given). +.TP +.B \fB\-d\fP +.sp +Turn on debug mode. In this mode, if the \fB\-S\fP option is +selected, kpropd will not detach itself from the current job and +run in the background. Instead, it will run in the foreground and +print out debugging messages during the database propagation. +.TP +.B \fB\-P\fP +.sp +Allow for an alternate port number for kpropd to listen on. This +is only useful in combination with the \fB\-S\fP option. +.TP +.B \fB\-a\fP \fIacl_file\fP +.sp +Allows the user to specify the path to the kpropd.acl file; by +default the path used is \fB@LOCALSTATEDIR@/krb5kdc\fP\fB/kpropd.acl\fP. +.UNINDENT +.SH ENVIRONMENT +.sp +kpropd uses the following environment variables: +.INDENT 0.0 +.IP \(bu 2 +. +\fBKRB5_CONFIG\fP +.IP \(bu 2 +. +\fBKRB5_KDC_PROFILE\fP +.UNINDENT +.SH FILES +.INDENT 0.0 +.TP +.B kpropd.acl +. +Access file for kpropd; the default location is +\fB/usr/local/var/krb5kdc/kpropd.acl\fP. Each entry is a line +containing the principal of a host from which the local machine +will allow Kerberos database propagation via \fIkprop(8)\fP. +.UNINDENT +.SH SEE ALSO +.sp +\fIkprop(8)\fP, \fIkdb5_util(8)\fP, \fIkrb5kdc(8)\fP, inetd(8) +.SH AUTHOR +MIT +.SH COPYRIGHT +2011, MIT +.\" Generated by docutils manpage writer. +. diff --git a/src/man/kproplog.8 b/src/man/kproplog.8 deleted file mode 100644 index e02c0ddff..000000000 --- a/src/man/kproplog.8 +++ /dev/null @@ -1,120 +0,0 @@ -.TH "KPROPLOG" "8" "January 06, 2012" "0.0.1" "MIT Kerberos" -.SH NAME -kproplog \- display the contents of the Kerberos principal update log -. -.nr rst2man-indent-level 0 -. -.de1 rstReportMargin -\\$1 \\n[an-margin] -level \\n[rst2man-indent-level] -level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] -- -\\n[rst2man-indent0] -\\n[rst2man-indent1] -\\n[rst2man-indent2] -.. -.de1 INDENT -.\" .rstReportMargin pre: -. RS \\$1 -. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] -. nr rst2man-indent-level +1 -.\" .rstReportMargin post: -.. -.de UNINDENT -. RE -.\" indent \\n[an-margin] -.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] -.nr rst2man-indent-level -1 -.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] -.in \\n[rst2man-indent\\n[rst2man-indent-level]]u -.. -.\" Man page generated from reStructeredText. -. -.SH SYNOPSIS -.sp -\fBkproplog\fP [\fB\-h\fP] [\fB\-e\fP \fInum\fP] [\-v] -.SH DESCRIPTION -.sp -The \fIkproplog\fP command displays the contents of the Kerberos principal -update log to standard output. -It can be used to keep track of the \fIincremental\fP updates -to the principal database, when enabled. -The update log file contains the update log maintained by the \fIkadmind\fP process -on the master KDC server and the \fIkpropd\fP process on the slave KDC servers. -When updates occur, they are logged to this file. -Subsequently any KDC slave configured for \fIincremental\fP updates will request -the current data from the master KDC and update their \fIprincipal.ulog\fP file -with any updates returned. -.sp -The \fIkproplog\fP command can only be run on a KDC server by someone with privileges -comparable to the superuser. -It will display update entries for that server only. -.sp -If no options are specified, the summary of the update log is displayed. -If invoked on the master, all of the update entries are also displayed. -When invoked on a slave KDC server, only a summary of the updates are displayed, -which includes the serial number of the last update received and -the associated time stamp of the last update. -.SH OPTIONS -.INDENT 0.0 -.INDENT 3.5 -.INDENT 0.0 -.TP -.B \fB\-h\fP -.sp -Display a summary of the update log. -This information includes the database version number, state of the database, -the number of updates in the log, the time stamp of the first and last update, -and the version number of the first and last update entry. -.TP -.B \fB\-e\fP \fInum\fP -.sp -Display the last \fInum\fP update entries in the log. -This is useful when debugging synchronization between KDC servers. -.TP -.B \fB\-v\fP -.sp -Display individual attributes per update. An example of the output generated for one entry: -.sp -.nf -.ft C -Update Entry - Update serial # : 4 - Update operation : Add - Update principal : test@EXAMPLE.COM - Update size : 424 - Update committed : True - Update time stamp : Fri Feb 20 23:37:42 2004 - Attributes changed : 6 - Principal - Key data - Password last changed - Modifying principal - Modification time - TL data -.ft P -.fi -.UNINDENT -.UNINDENT -.UNINDENT -.SH ENVIRONMENT -.sp -\fIkproplog\fP uses the following environment variables: -.INDENT 0.0 -.INDENT 3.5 -.INDENT 0.0 -.IP \(bu 2 -. -\fBKRB5_KDC_PROFILE\fP -.UNINDENT -.UNINDENT -.UNINDENT -.SH SEE ALSO -.sp -kpropd(8) -.SH AUTHOR -MIT -.SH COPYRIGHT -2011, MIT -.\" Generated by docutils manpage writer. -. diff --git a/src/man/kproplog.man b/src/man/kproplog.man new file mode 100644 index 000000000..d5bd21c1a --- /dev/null +++ b/src/man/kproplog.man @@ -0,0 +1,115 @@ +.TH "KPROPLOG" "8" " " "0.0.1" "MIT Kerberos" +.SH NAME +kproplog \- display the contents of the Kerberos principal update log +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.\" Man page generated from reStructeredText. +. +.SH SYNOPSIS +.sp +\fBkproplog\fP [\fB\-h\fP] [\fB\-e\fP \fInum\fP] [\-v] +.SH DESCRIPTION +.sp +The kproplog command displays the contents of the KDC database update +log to standard output. It can be used to keep track of incremental +updates to the principal database. The update log file contains the +update log maintained by the \fIkadmind(8)\fP process on the master +KDC server and the \fIkpropd(8)\fP process on the slave KDC servers. +When updates occur, they are logged to this file. Subsequently any +KDC slave configured for incremental updates will request the current +data from the master KDC and update their log file with any updates +returned. +.sp +The kproplog command requires read access to the update log file. It +will display update entries only for the KDC it runs on. +.sp +If no options are specified, kproplog displays a summary of the update +log. If invoked on the master, kproplog also displays all of the +update entries. If invoked on a slave KDC server, kproplog displays +only a summary of the updates, which includes the serial number of the +last update received and the associated time stamp of the last update. +.SH OPTIONS +.INDENT 0.0 +.TP +.B \fB\-h\fP +.sp +Display a summary of the update log. This information includes +the database version number, state of the database, the number of +updates in the log, the time stamp of the first and last update, +and the version number of the first and last update entry. +.TP +.B \fB\-e\fP \fInum\fP +.sp +Display the last \fInum\fP update entries in the log. This is useful +when debugging synchronization between KDC servers. +.TP +.B \fB\-v\fP +.sp +Display individual attributes per update. An example of the +output generated for one entry: +.INDENT 7.0 +.INDENT 3.5 +.sp +.nf +.ft C +Update Entry + Update serial # : 4 + Update operation : Add + Update principal : test@EXAMPLE.COM + Update size : 424 + Update committed : True + Update time stamp : Fri Feb 20 23:37:42 2004 + Attributes changed : 6 + Principal + Key data + Password last changed + Modifying principal + Modification time + TL data +.ft P +.fi +.UNINDENT +.UNINDENT +.UNINDENT +.SH ENVIRONMENT +.sp +kproplog uses the following environment variables: +.INDENT 0.0 +.IP \(bu 2 +. +\fBKRB5_KDC_PROFILE\fP +.UNINDENT +.SH SEE ALSO +.sp +\fIkpropd(8)\fP +.SH AUTHOR +MIT +.SH COPYRIGHT +2011, MIT +.\" Generated by docutils manpage writer. +. diff --git a/src/man/krb5-send-pr.man b/src/man/krb5-send-pr.man new file mode 100644 index 000000000..004958898 --- /dev/null +++ b/src/man/krb5-send-pr.man @@ -0,0 +1,231 @@ +.TH "KRB5-SEND-PR" "1" " " "0.0.1" "MIT Kerberos" +.SH NAME +krb5-send-pr \- send problem report (PR) to a central support site +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.\" Man page generated from reStructeredText. +. +.SH SYNOPSIS +.sp +\fBkrb5\-send\-pr\fP +[\fIsite\fP] +[\fB\-f\fP \fIproblem\-report\fP] +[\fB\-t\fP \fImail\-address\fP] +[\fB\-P\fP] +[\fB\-L\fP] +[\fB\-s\fP \fIseverity\fP] +[\fB\-c\fP \fIaddress\fP] +[\fB\-\-request\-id\fP] +[\fB\-V\fP] +.SH DESCRIPTION +.sp +krb5\-send\-pr is a tool used to submit problem reports (PRs) to a +central support site. In most cases the correct site will be the +default. This argument indicates the support site which is +responsible for the category of problem involved. Some sites may use +a local address as a default. \fIsite\fP values are defined by using the +aliases(5). +.sp +krb5\-send\-pr invokes an editor on a problem report template (after +trying to fill in some fields with reasonable default values). When +you exit the editor, krb5\-send\-pr sends the completed form to the +Problem Report Management System (\fBGNATS\fP) at a central support +site. At the support site, the PR is assigned a unique number and is +stored in the GNATS database according to its category and +submitter\-id. GNATS automatically replies with an acknowledgement, +citing the category and the PR number. +.sp +To ensure that a PR is handled promptly, it should contain your (unique) +\fIsubmitter\-id\fP and one of the available \fIcategories\fP to identify the problem area. +(Use \fIkrb5\-send\-pr \-L\fP to see a list of categories.) +.sp +The krb5\-send\-pr template at your site should already be customized +with your submitter\-id (running \fBinstall\-sid submitter\-id\fP to +accomplish this is part of the installation procedures for +krb5\-send\-pr). If this hasn\(aqt been done, see your system +administrator for your submitter\-id, or request one from your support +site by invoking \fBkrb5\-send\-pr \-\-request\-id\fP. If your site does not +distinguish between different user sites, or if you are not affiliated +with the support site, use \fBnet\fP for this field. +.sp +The more precise your problem description and the more complete your +information, the faster your support team can solve your problems. +.SH OPTIONS +.INDENT 0.0 +.TP +.B \fB\-f\fP \fIproblem\-report\fP +.sp +Specify a file \fIproblem\-report\fP which already contains a complete +problem report. krb5\-send\-pr sends the contents of the file +without invoking the editor. If the value for problem\-report is +\fB\-\fP, then krb5\-send\-pr reads from standard input. +.TP +.B \fB\-s\fP \fIseverity\fP +.sp +Give the problem report the severity \fIseverity\fP. +.TP +.B \fB\-t\fP \fImail\-address\fP +.sp +Change mail address at the support site for problem reports. The +default mail address is the address used for the default site. +Use the site argument rather than this option in nearly all cases. +.TP +.B \fB\-c\fP \fIaddress\fP +.sp +Put \fIaddress\fP in the \fICc:\fP header of the message. +.TP +.B \fB\-P\fP +.sp +Print the form specified by the environment variable \fBPR_FORM\fP +on standard output. If \fBPR_FORM\fP is not set, print the standard +blank PR template. No mail is sent. +.TP +.B \fB\-L\fP +.sp +Print the list of available categories. No mail is sent. +.TP +.B \fB\-\-request\-id\fP +.sp +Sends mail to the default support site, or site if specified, with +a request for your submitter\-id. If you are not affiliated with +site, use a submitter\-id of \fBnet\fP. +.TP +.B \fB\-V\fP +.sp +Display the krb5\-send\-pr version number. +.UNINDENT +.IP Note +. +Use krb5\-send\-pr to submit problem reports rather than +mailing them directly. Using both the template and +krb5\-send\-pr itself will help ensure all necessary +information will reach the support site. +.RE +.SH ENVIRONMENT +.sp +The environment variable \fBEDITOR\fP specifies the editor to invoke on +the template. Default: \fBvi\fP. +.sp +If the environment variable \fBPR_FORM\fP is set, then its value is used +as the file name of the template for your problem\-report editing +session. You can use this to start with a partially completed form +(for example, a form with the identification fields already +completed). +.SH HOW TO FILL OUT A PROBLEM REPORT +.sp +Problem reports have to be in a particular form so that a program can +easily manage them. Please remember the following guidelines: +.INDENT 0.0 +.IP \(bu 2 +. +Describe only one problem with each problem report. +.IP \(bu 2 +. +For follow\-up mail, use the same subject line as the one in the +automatic acknowledgent. It consists of category, PR number and the +original synopsis line. This allows the support site to relate +several mail messages to a particular PR and to record them +automatically. +.IP \(bu 2 +. +Please try to be as accurate as possible in the subject and/or +synopsis line. +.IP \(bu 2 +. +The subject and the synopsis line are not confidential. This is +because open\-bugs lists are compiled from them. Avoid confidential +information there. +.UNINDENT +.sp +See the GNU Info file \fIkrb5\-send\-pr.info\fP or the document +Reporting Problems With krb5\-send\-pr for detailed information on reporting problems. +.SH HOW TO SUBMIT TEST CASES, CODE, ETC. +.sp +Submit small code samples with the PR. Contact the support site for +instructions on submitting larger test cases and problematic source +code. +.SH FILES +.INDENT 0.0 +.TP +.B \fB/tmp/p$$\fP +.sp +copy of PR used in editing session +.TP +.B \fB/tmp/pf$$\fP +.sp +copy of empty PR form, for testing purposes +.TP +.B \fB/tmp/pbad$$\fP +.sp +file for rejected PRs +.UNINDENT +.SH EMACS USER INTERFACE +.sp +An Emacs user interface for krb5\-send\-pr with completion of field +values is part of the krb5\-send\-pr distribution (invoked with \fBM\-x +krb5\-send\-pr\fP). See the file krb5\-send\-pr.info or the ASCII file +INSTALL in the top level directory of the distribution for +configuration and installation information. The Emacs LISP template +file is krb5\-send\-pr\-el.in and is installed as krb5\-send\-pr.el. +.SH INSTALLATION AND CONFIGURATION +.sp +See krb5\-send\-pr.info or INSTALL for installation instructions. +.SH SEE ALSO +.sp +Reporting Problems Using krb5\-send\-pr (also installed as the GNU Info +file krb5\-send\-pr.info). +.sp +gnats(l), query\-pr(1), edit\-pr(1), gnats(8), queue\-pr(8), at\-pr(8), +mkcat(8), mkdist(8). +.SH AUTHORS +.sp +Jeffrey Osier, Brendan Kehoe, Jason Merrill, Heinz G. Seidl (Cygnus Support) +.SH COPYING +.sp +Copyright (c) 1992, 1993 Free Software Foundation, Inc. +.sp +Permission is granted to make and distribute verbatim copies of this +manual provided the copyright notice and this permission notice are +preserved on all copies. +.sp +Permission is granted to copy and distribute modified versions of this +manual under the conditions for verbatim copying, provided that the +entire resulting derived work is distributed under the terms of a +permission notice identical to this one. +.sp +Permission is granted to copy and distribute translations of this +manual into another language, under the above conditions for modified +versions, except that this permission notice may be included in +translations approved by the Free Software Foundation instead of in +the original English. +.SH AUTHOR +MIT +.SH COPYRIGHT +2011, MIT +.\" Generated by docutils manpage writer. +. diff --git a/src/man/krb5.conf.5 b/src/man/krb5.conf.5 deleted file mode 100644 index 5612a481c..000000000 --- a/src/man/krb5.conf.5 +++ /dev/null @@ -1,1159 +0,0 @@ -.TH "KRB5.CONF" "5" "January 06, 2012" "0.0.1" "MIT Kerberos" -.SH NAME -krb5.conf \- Kerberos configuration file -. -.nr rst2man-indent-level 0 -. -.de1 rstReportMargin -\\$1 \\n[an-margin] -level \\n[rst2man-indent-level] -level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] -- -\\n[rst2man-indent0] -\\n[rst2man-indent1] -\\n[rst2man-indent2] -.. -.de1 INDENT -.\" .rstReportMargin pre: -. RS \\$1 -. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] -. nr rst2man-indent-level +1 -.\" .rstReportMargin post: -.. -.de UNINDENT -. RE -.\" indent \\n[an-margin] -.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] -.nr rst2man-indent-level -1 -.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] -.in \\n[rst2man-indent\\n[rst2man-indent-level]]u -.. -.\" Man page generated from reStructeredText. -. -.sp -The krb5.conf file contains Kerberos configuration information, including the locations of KDCs and admin servers for the Kerberos realms of interest, defaults for the current realm and for Kerberos applications, and mappings of hostnames onto Kerberos realms. Normally, you should install your krb5.conf file in the directory /etc. You can override the default location by setting the environment variable KRB5_CONFIG. -.SH STRUCTURE -.sp -The krb5.conf file is set up in the style of a Windows INI file. Sections are headed by the section name, in square brackets. Each section may contain zero or more relations, of the form: -.sp -.nf -.ft C -foo = bar -.ft P -.fi -.sp -or -.sp -.nf -.ft C -fubar = { - foo = bar - baz = quux -} -.ft P -.fi -.sp -Placing a \(aq*\(aq at the end of a line indicates that this is the \fIfinal\fP value for the tag. This means that neither the remainder of this configuration file nor any other configuration file will be checked for any other values for this tag. -.sp -For example, if you have the following lines: -.sp -.nf -.ft C -foo = bar* -foo = baz -.ft P -.fi -.sp -then the second value of \fIfoo\fP (baz) would never be read. -.sp -The krb5.conf file can include other files using either of the following directives at the beginning of a line: -.sp -.nf -.ft C -include FILENAME -includedir DIRNAME -.ft P -.fi -.sp -\fIFILENAME\fP or \fIDIRNAME\fP should be an absolute path. The named file or directory must exist and be readable. Including a directory includes all files within the directory whose names consist solely of alphanumeric characters, dashes, or underscores. Included profile files are syntactically independent of their parents, so each included file must begin with a section header. -.sp -The krb5.conf file can specify that configuration should be obtained from a loadable module, rather than the file itself, using the following directive at the beginning of a line before any section headers: -.sp -.nf -.ft C -module MODULEPATH:RESIDUAL -.ft P -.fi -.sp -\fIMODULEPATH\fP may be relative to the library path of the krb5 installation, or it may be an absolute path. \fIRESIDUAL\fP is provided to the module at initialization time. If krb5.conf uses a module directive, kdc.conf should also use one if it exists. -.sp -The krb5.conf file may contain any or all of the following sections: -.TS -center; -|l|l|. -_ -T{ -\fI\%libdefaults\fP -T} T{ -Contains default values used by the Kerberos V5 library. -T} -_ -T{ -\fI\%realms\fP -T} T{ -Contains subsections keyed by Kerberos realm names. Each subsection describes realm\-specific information, including where to find the Kerberos servers for that realm. -T} -_ -T{ -\fI\%domain_realm\fP -T} T{ -Contains relations which map domain names and subdomains onto Kerberos realm names. This is used by programs to determine what realm a host should be in, given its fully qualified domain name. -T} -_ -T{ -\fI\%logging\fP -T} T{ -Contains relations which determine how Kerberos programs are to perform logging. -T} -_ -T{ -\fI\%capaths\fP -T} T{ -Contains the authentication paths used with direct (nonhierarchical) cross\-realm authentication. Entries in this section are used by the client to determine the intermediate realms which may be used in cross\-realm authentication. It is also used by the end\-service when checking the transited field for trusted intermediate realms. -T} -_ -T{ -\fI\%plugins\fP -T} T{ -Contains tags to register dynamic plugin modules and to turn modules on and off. -T} -_ -T{ -\fI\%appdefaults\fP -T} T{ -Contains default values that can be used by Kerberos V5 applications. -T} -_ -.TE -.SH SECTIONS -.SS \fB[libdefaults]\fP -.sp -The libdefaults section may contain any of the following relations: -.INDENT 0.0 -.TP -.B \fBallow_weak_crypto\fP -.sp -If this is set to 0 (for false), then weak encryption types will be filtered out of the previous three lists (as noted in \fISupported_Encryption_Types_and_Salts\fP). The default value for this tag is false, which may cause authentication failures in existing Kerberos infrastructures that do not support strong crypto. Users in affected environments should set this tag to true until their infrastructure adopts stronger ciphers. -.TP -.B \fBap_req_checksum_type\fP -.sp -An integer which specifies the type of AP\-REQ checksum to use in authenticators. -This variable should be unset so the appropriate checksum for the encryption key in use will be used. -This can be set if backward compatibility requires a specific checksum type. -See the \fIkdc_req_checksum_type\fP configuration option for the possible values and their meanings. -.TP -.B \fBcanonicalize\fP -.sp -This flag indicates to the KDC that the client is prepared to receive a reply that contains a principal name other than the one requested. -The client should expect, when sending names with the "canonicalize" KDC option, -that names in the KDC\(aqs reply will be different than the name in the request. -The default value for this flag is not set. -.TP -.B \fBccache_type\fP -.sp -Use this parameter on systems which are DCE clients, to specify the type of cache to be created by kinit, or when forwarded tickets are received. DCE and Kerberos can share the cache, but some versions of DCE do not support the default cache as created by this version of Kerberos. Use a value of 1 on DCE 1.0.3a systems, and a value of 2 on DCE 1.1 systems. The default value is 4. -.TP -.B \fBclockskew\fP -.sp -Sets the maximum allowable amount of clockskew in seconds that the library will tolerate before assuming that a Kerberos message is invalid. The default value is 300 seconds, or five minutes. -.TP -.B \fBdefault_keytab_name\fP -.sp -This relation specifies the default keytab name to be used by application servers such as telnetd and rlogind. The default is \fI/etc/krb5.keytab\fP. -.TP -.B \fBdefault_realm\fP -.sp -Identifies the default Kerberos realm for the client. Set its value to your Kerberos realm. If this is not specified and the TXT record lookup is enabled (see \fIudns_label\fP), then that information will be used to determine the default realm. If this tag is not set in this configuration file and there is no DNS information found, then an error will be returned. -.TP -.B \fBdefault_tgs_enctypes\fP -.sp -Identifies the supported list of session key encryption types that should be returned by the KDC. The list may be delimited with commas or whitespace. Kerberos supports many different encryption types, and support for more is planned in the future. (see \fISupported_Encryption_Types_and_Salts\fP for a list of the accepted values for this tag). The default value is \fIaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 des3\-cbc\-sha1 arcfour\-hmac\-md5 des\-cbc\-crc des\-cbc\-md5 des\-cbc\-md4\fP. -.TP -.B \fBdefault_tkt_enctypes\fP -.sp -Identifies the supported list of session key encryption types that should be requested by the client. The format is the same as for default_tgs_enctypes. The default value for this tag is \fIaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 des3\-cbc\-sha1 arcfour\-hmac\-md5 des\-cbc\-crc des\-cbc\-md5 des\-cbc\-md4\fP. -.TP -.B \fBdns_fallback\fP -.sp -General flag controlling the use of DNS for Kerberos information. If both of the preceding options are specified, this option has no effect. -.TP -.B \fBdns_lookup_kdc\fP -.sp -Indicate whether DNS SRV records should be used to locate the KDCs and other servers for a realm, if they are not listed in the information for the realm. (Note that the admin_server entry must be in the file, because the DNS implementation for it is incomplete.) -.sp -Enabling this option does open up a type of denial\-of\-service attack, if someone spoofs the DNS records and redirects you to another server. However, it\(aqs no worse than a denial of service, because that fake KDC will be unable to decode anything you send it (besides the initial ticket request, which has no encrypted data), and anything the fake KDC sends will not be trusted without verification using some secret that it won\(aqt know. -.sp -If this option is not specified but dns_fallback is, that value will be used instead. If neither option is specified, the behavior depends on configure\-time options; if none were given, the default is to enable this option. If the DNS support is not compiled in, this entry has no effect. -.TP -.B \fBdns_lookup_realm\fP -.sp -Indicate whether DNS TXT records should be used to determine the Kerberos realm of a host. -.sp -Enabling this option may permit a redirection attack, where spoofed DNS replies persuade a client to authenticate to the wrong realm, when talking to the wrong host (either by spoofing yet more DNS records or by intercepting the net traffic). Depending on how the client software manages hostnames, however, it could already be vulnerable to such attacks. We are looking at possible ways to minimize or eliminate this exposure. For now, we encourage more adventurous sites to try using Secure DNS. -.sp -If this option is not specified but dns_fallback is, that value will be used instead. If neither option is specified, the behavior depends on configure\-time options; if none were given, the default is to disable this option. If the DNS support is not compiled in, this entry has no effect. -.TP -.B \fBextra_addresses\fP -.sp -This allows a computer to use multiple local addresses, in order to allow Kerberos to work in a network that uses NATs. The addresses should be in a comma\-separated list. -.TP -.B \fBforwardable\fP -.sp -If this flag is set, initial tickets by default will be forwardable. The default value for this flag is not set. -.TP -.B \fBignore_acceptor_hostname\fP -.sp -When accepting GSSAPI or krb5 security contexts for host\-based service principals, -ignore any hostname passed by the calling application and allow any service principal present in the keytab -which matches the service name and realm name (if given). -This option can improve the administrative flexibility of server applications on multihomed hosts, -but can compromise the security of virtual hosting environments. The default value is false. -.TP -.B \fBk5login_authoritative\fP -.sp -If the value of this relation is true (the default), principals must be listed in a local user\(aqs k5login file to be granted login access, if a k5login file exists. If the value of this relation is false, a principal may still be granted login access through other mechanisms even if a k5login file exists but does not list the principal. -.TP -.B \fBk5login_directory\fP -.sp -If set, the library will look for a local user\(aqs k5login file within the named directory, with a filename corresponding to the local username. If not set, the library will look for k5login files in the user\(aqs home directory, with the filename .k5login. For security reasons, k5login files must be owned by the local user or by root. -.TP -.B \fBkdc_default_options\fP -.sp -Default KDC options (Xored for multiple values) when requesting initial credentials. By default it is set to 0x00000010 (KDC_OPT_RENEWABLE_OK). -.TP -.B \fBkdc_timesync\fP -.sp -If this is set to 1 (for true), then client machines will compute the difference between their time and the time returned by the KDC in the timestamps in the tickets and use this value to correct for an inaccurate system clock. This corrective factor is only used by the Kerberos library. The default is 1. -.TP -.B \fBkdc_req_checksum_type\fP -.sp -An integer which specifies the type of checksum to use for the KDC requests for compatibility with DCE security servers -which do not support the default RSA MD5 used by Kerberos V5. -This applies to DCE 1.1 and earlier. -Use a value of 2 to use the RSA MD4 instead. -This value is only used for DES keys; other keys use the preferred checksum type for those keys. -.sp -The possible values and their meanings are as follows. -.TS -center; -|l|l|. -_ -T{ -1 -T} T{ -CRC32 -T} -_ -T{ -2 -T} T{ -RSA MD4 -T} -_ -T{ -3 -T} T{ -RSA MD4 DES -T} -_ -T{ -4 -T} T{ -DES CBC -T} -_ -T{ -7 -T} T{ -RSA MD5 -T} -_ -T{ -8 -T} T{ -RSA MD5 DES -T} -_ -T{ -9 -T} T{ -NIST SHA -T} -_ -T{ -12 -T} T{ -HMAC SHA1 DES3 -T} -_ -T{ -\-138 -T} T{ -Microsoft MD5 HMAC checksum type -T} -_ -.TE -.TP -.B \fBnoaddresses\fP -.sp -Setting this flag causes the initial Kerberos ticket to be addressless. The default for the flag is set. -.TP -.B \fBpermitted_enctypes\fP -.sp -Identifies all encryption types that are permitted for use in session key encryption. The default value for this tag is \fIaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 des3\-cbc\-sha1 arcfour\-hmac\-md5 des\-cbc\-crc des\-cbc\-md5 des\-cbc\-md4\fP. -.TP -.B \fBplugin_base_dir\fP -.sp -If set, determines the base directory where krb5 plugins are located. -The default value is the "krb5/plugins" subdirectory of the krb5 library directory. -.TP -.B \fBpreferred_preauth_types\fP -.sp -This allows you to set the preferred preauthentication types which the client will attempt before others which may be advertised by a KDC. The default value for this setting is "17, 16, 15, 14", which forces libkrb5 to attempt to use PKINIT if it is supported. -.TP -.B \fBproxiable\fP -.sp -If this flag is set, initial tickets by default will be proxiable. The default value for this flag is not set. -.TP -.B \fBrdns\fP -.sp -If set to false, prevent the use of reverse DNS resolution when translating hostnames into service principal names. Defaults to true. Setting this flag to false is more secure, but may force users to exclusively use fully qualified domain names when authenticating to services. -.TP -.B \fBrealm_try_domains\fP -.sp -Indicate whether a host\(aqs domain components should be used to determine the Kerberos realm of the host. The value of this variable is an integer: \-1 means not to search, 0 means to try the host\(aqs domain itself, 1 means to also try the domain\(aqs immediate parent, and so forth. The library\(aqs usual mechanism for locating Kerberos realms is used to determine whether a domain is a valid realm\-\-which may involve consulting DNS if \fIdns_lookup_kdc\fP is set. The default is not to search domain components. -.TP -.B \fBrenew_lifetime\fP -.sp -The value of this tag is the default renewable lifetime for initial tickets. The default value for the tag is 0. -.UNINDENT -.sp -\fBsafe_checksum_type\fP -.INDENT 0.0 -.INDENT 3.5 -.sp -An integer which specifies the type of checksum to use for the KRB\-SAFE requests. By default it is set to 8 (RSA MD5 DES). -For compatibility with applications linked against DCE version 1.1 or earlier Kerberos libraries, -use a value of 3 to use the RSA MD4 DES instead. -This field is ignored when its value is incompatible with the session key type. -See the \fIkdc_req_checksum_type\fP configuration option for the possible values and their meanings. -.UNINDENT -.UNINDENT -.INDENT 0.0 -.TP -.B \fBticket_lifetime\fP -.sp -The value of this tag is the default lifetime for initial tickets. The default value for the tag is 1 day. -.TP -.B \fBudp_preference_limit\fP -.sp -When sending a message to the KDC, the library will try using TCP before UDP if the size of the message is above \fIudp_preference_list\fP. If the message is smaller than \fIudp_preference_list\fP, then UDP will be tried before TCP. Regardless of the size, both protocols will be tried if the first attempt fails. -.TP -.B \fBverify_ap_req_nofail\fP -.sp -If this flag is set, then an attempt to get initial credentials will fail if the client machine does not have a keytab. The default for the flag is not set. -.UNINDENT -.SS \fB[realms]\fP -.sp -Each tag in the [realms] section of the file is the name of a Kerberos realm. The value of the tag is a subsection with relations that define the properties of that particular realm. For each realm, the following tags may be specified in the realm\(aqs subsection: -.INDENT 0.0 -.TP -.B \fBadmin_server\fP -.sp -Identifies the host where the administration server is running. Typically, this is the master Kerberos server. This tag must be given a value in order to communicate with the kadmin server for the realm. -.TP -.B \fBauth_to_local\fP -.sp -This tag allows you to set a general rule for mapping principal names to local user names. It will be used if there is not an explicit mapping for the principal name that is being translated. The possible values are: -.INDENT 7.0 -.TP -.B DB:filename -. -The principal will be looked up in the database filename. Support for this is not currently compiled in by default. -.TP -.B RULE:exp -. -The local name will be formulated from exp. -.sp -The format for exp is [n:string](regexp)s/pattern/replacement/g. The integer n indicates how many components the target principal should have. If this matches, then a string will be formed from string, substituting the realm of the principal for $0 and the n\(aqth component of the principal for $n (e.g. if the principal was \fIjohndoe/admin\fP then [2:$2$1foo] would result in the string "adminjohndoefoo"). If this string matches regexp, then the s//[g] substitution command will be run over the string. The optional g will cause the substitution to be global over the string, instead of replacing only the first match in the string. -.TP -.B DEFAULT -. -The principal name will be used as the local user name. If the principal has more than one component or is not in the default realm, this rule is not applicable and the conversion will fail. -.UNINDENT -.sp -For example: -.sp -.nf -.ft C -[realms] - ATHENA.MIT.EDU = { - auth_to_local = RULE:[2:$1](johndoe)s/^.*$/guest/ - auth_to_local = RULE:[2:$1;$2](^.*;admin$)s/;admin$// - auth_to_local = RULE:[2:$2](^.*;root)s/^.*$/root/ - auto_to_local = DEFAULT - } -.ft P -.fi -.sp -would result in any principal without \fIroot\fP or \fIadmin\fP as the second component to be translated with the default rule. A principal with a second component of \fIadmin\fP will become its first component. \fIroot\fP will be used as the local name for any principal with a second component of \fIroot\fP. The exception to these two rules are any principals \fIjohndoe\fP/*, which will always get the local name \fIguest\fP. -.TP -.B \fBauth_to_local_names\fP -.sp -This subsection allows you to set explicit mappings from principal names to local user names. The tag is the mapping name, and the value is the corresponding local user name. -.TP -.B \fBdatabase_module\fP -.sp -This relation indicates the name of the configuration section under [dbmodules] for database specific parameters used by the loadable database library. -.TP -.B \fBdefault_domain\fP -.sp -This tag is used for Kerberos 4 compatibility. Kerberos 4 does not require the entire hostname of a server to be in its principal like Kerberos 5 does. This tag provides the domain name needed to produce a full hostname when translating V4 principal names into V5 principal names. All servers in this realm are assumed to be in the domain given as the value of this tag -.TP -.B \fBkdc\fP -.sp -The name or address of a host running a KDC for that realm. An optional port number, separated from the hostname by a colon, may be included. If the name or address contains colons (for example, if it is an IPv6 address), enclose it in square brackets to distinguish the colon from a port separator. For your computer to be able to communicate with the KDC for each realm, this tag must be given a value in each realm subsection in the configuration file, or there must be DNS SRV records specifying the KDCs (see \fIudns_label\fP). -.TP -.B \fBkpasswd_server\fP -.sp -Points to the server where all the password changes are performed. If there is no such entry, the port 464 on the \fIadmin_server\fP host will be tried. -.TP -.B \fBkrb524_server\fP -.sp -Points to the server that does 524 conversions. If it is not mentioned, the krb524 port 4444 on the kdc will be tried. -.TP -.B \fBmaster_kdc\fP -.sp -Identifies the master KDC(s). Currently, this tag is used in only one case: If an attempt to get credentials fails because of an invalid password, the client software will attempt to contact the master KDC, in case the user\(aqs password has just been changed, and the updated database has not been propagated to the slave servers yet. -.TP -.B \fBv4_instance_convert\fP -.sp -This subsection allows the administrator to configure exceptions to the default_domain mapping rule. It contains V4 instances (the tag name) which should be translated to some specific hostname (the tag value) as the second component in a Kerberos V5 principal name. -.TP -.B \fBv4_realm\fP -.sp -This relation is used by the krb524 library routines when converting a V5 principal name to a V4 principal name. It is used when the V4 realm name and the V5 realm name are not the same, but still share the same principal names and passwords. The tag value is the Kerberos V4 realm name. -.UNINDENT -.SS \fB[domain_realm]\fP -.sp -The [domain_realm] section provides a translation from a domain name or hostname to a Kerberos realm name. The tag name can be a host name, or a domain name, where domain names are indicated by a prefix of a period (.). The value of the relation is the Kerberos realm name for that particular host or domain. Host names and domain names should be in lower case. -.sp -If no translation entry applies, the host\(aqs realm is considered to be the hostname\(aqs domain portion converted to upper case. For example, the following [domain_realm] section: -.sp -.nf -.ft C -[domain_realm] - crash.mit.edu = TEST.ATHENA.MIT.EDU - .mit.edu = ATHENA.MIT.EDU - mit.edu = ATHENA.MIT.EDU - example.com = EXAMPLE.COM -.ft P -.fi -.sp -maps the host with the \fIexact\fP name \fIcrash.mit.edu\fP into the TEST.ATHENA.MIT.EDU realm. The period prefix in \fI.mit.edu\fP denotes that \fIall\fP systems in the \fImit.edu\fP domain belong to ATHENA.MIT.EDU realm. -Note the entries for the hosts \fImit.edu\fP and \fIexample.com\fP. Without these entries, these hosts would be mapped into the Kerberos realms EDU and COM, respectively. -.SS \fB[logging]\fP -.sp -The [logging] section indicates how a particular entity is to perform its logging. The relations in this section assign one or more values to the entity name. Currently, the following entities are used: -.INDENT 0.0 -.TP -.B \fBadmin_server\fP -.sp -These entries specify how the administrative server is to perform its logging. -.TP -.B \fBdefault\fP -.sp -These entries specify how to perform logging in the absence of explicit specifications otherwise. -.TP -.B \fBkdc\fP -.sp -These entries specify how the KDC is to perform its logging. -.UNINDENT -.sp -Values are of the following forms: -.nf -FILE= -FILE: -.fi -.sp -.INDENT 0.0 -.INDENT 3.5 -.sp -This value causes the entity\(aqs logging messages to go to the specified file. If the = form is used, the file is overwritten. If the : form is used, the file is appended to. -.UNINDENT -.UNINDENT -.INDENT 0.0 -.TP -.B STDERR -. -This value causes the entity\(aqs logging messages to go to its standard error stream. -.TP -.B CONSOLE -. -This value causes the entity\(aqs logging messages to go to the console, if the system supports it. -.TP -.B DEVICE= -. -This causes the entity\(aqs logging messages to go to the specified device. -.TP -.B SYSLOG[:[:]] -. -This causes the entity\(aqs logging messages to go to the system log. -.sp -The severity argument specifies the default severity of system log messages. This may be any of the following severities supported by the syslog(3) call, minus the LOG_ prefix: LOG_EMERG, LOG_ALERT, LOG_CRIT, LOG_ERR, LOG_WARNING, LOG_NOTICE, LOG_INFO, and LOG_DEBUG. For example, a value of CRIT would specify LOG_CRIT severity. -.sp -The facility argument specifies the facility under which the messages are logged. This may be any of the following facilities supported by the syslog(3) call minus the LOG_ prefix: LOG_KERN, LOG_USER, LOG_MAIL, LOG_DAEMON, LOG_AUTH, LOG_LPR, LOG_NEWS, LOG_UUCP, LOG_CRON, and LOG_LOCAL0 through LOG_LOCAL7. -.sp -If no severity is specified, the default is ERR. If no facility is specified, the default is AUTH. -.UNINDENT -.sp -In the following example, the logging messages from the KDC will go to the console and to the system log under the facility LOG_DAEMON with default severity of LOG_INFO; and the logging messages from the administrative server will be appended to the file \fI/var/adm/kadmin.log\fP and sent to the device \fI/dev/tty04\fP.: -.sp -.nf -.ft C -[logging] - kdc = CONSOLE - kdc = SYSLOG:INFO:DAEMON - admin_server = FILE:/var/adm/kadmin.log - admin_server = DEVICE=/dev/tty04 -.ft P -.fi -.SS \fB[capaths]\fP -.sp -In order to perform direct (non\-hierarchical) cross\-realm authentication, a database is needed to construct the authentication paths between the realms. This section defines that database. -.sp -A client will use this section to find the authentication path between its realm and the realm of the server. The server will use this section to verify the authentication path used by the client, by checking the transited field of the received ticket. -.sp -There is a tag for each participating realm, and each tag has subtags for each of the realms. The value of the subtags is an intermediate realm which may participate in the cross\-realm authentication. The subtags may be repeated if there is more then one intermediate realm. A value of "." means that the two realms share keys directly, and no intermediate realms should be allowed to participate. -.sp -There are n**2 possible entries in this table, but only those entries which will be needed on the client or the server need to be present. The client needs a tag for its local realm, with subtags for all the realms of servers it will need to authenticate with. A server needs a tag for each realm of the clients it will serve. -.sp -For example, \fIANL.GOV, PNL.GOV\fP, and \fINERSC.GOV\fP all wish to use the \fIES.NET\fP realm as an intermediate realm. \fIANL\fP has a sub realm of \fITEST.ANL.GOV\fP which will authenticate with \fINERSC.GOV\fP but not \fIPNL.GOV\fP. The [capaths] section for \fIANL.GOV\fP systems would look like this: -.sp -.nf -.ft C -[capaths] - ANL.GOV = { - TEST.ANL.GOV = . - PNL.GOV = ES.NET - NERSC.GOV = ES.NET - ES.NET = . - } - TEST.ANL.GOV = { - ANL.GOV = . - } - PNL.GOV = { - ANL.GOV = ES.NET - } - NERSC.GOV = { - ANL.GOV = ES.NET - } - ES.NET = { - ANL.GOV = . - } -.ft P -.fi -.sp -The [capaths] section of the configuration file used on \fINERSC.GOV\fP systems would look like this: -.sp -.nf -.ft C -[capaths] - NERSC.GOV = { - ANL.GOV = ES.NET - TEST.ANL.GOV = ES.NET - TEST.ANL.GOV = ANL.GOV - PNL.GOV = ES.NET - ES.NET = . - } - ANL.GOV = { - NERSC.GOV = ES.NET - } - PNL.GOV = { - NERSC.GOV = ES.NET - } - ES.NET = { - NERSC.GOV = . - } - TEST.ANL.GOV = { - NERSC.GOV = ANL.GOV - NERSC.GOV = ES.NET - } -.ft P -.fi -.sp -In the above examples, the ordering is not important, except when the same subtag name is used more then once. The client will use this to determine the path. (It is not important to the server, since the transited field is not sorted.) -.sp -This feature is not currently supported by DCE. DCE security servers can be used with Kerberized clients and servers, but versions prior to DCE 1.1 did not fill in the transited field, and should be used with caution. -.SS \fB[dbdefaults]\fP -.sp -The [dbdefaults] section provides default values for the database specific parameters. It can also specify the configuration section under \fI\%dbmodules\fP section for database specific parameters used by the database library. -.sp -The following tags are used in this section: -.INDENT 0.0 -.TP -.B \fBdatabase_module\fP -.sp -This relation indicates the name of the configuration section under the \fI\%dbmodules\fP for database specific parameters used by the loadable database library. -.TP -.B \fBldap_kerberos_container_dn\fP -.sp -This LDAP specific tag indicates the DN of the container object where the realm objects will be located. This value is used if the container object is not mentioned in the configuration section under \fI\%dbmodules\fP. -.TP -.B \fBldap_kdc_dn\fP -.sp -This LDAP specific tag indicates the default bind DN for the KDC server. The KDC server does a login to the directory as this object. This object should have the rights to read the Kerberos data in the LDAP database. This value is used if the bind DN for the KDC is not mentioned in the configuration section under \fI\%dbmodules\fP. -.TP -.B \fBldap_kadmind_dn\fP -.sp -This LDAP specific tag indicates the default bind DN for the Administration server. The administration server does a login to the directory as this object. This object should have the rights to read and write the Kerberos data in the LDAP database. This value is used if the bind DN for the Administration server is not mentioned in the configuration section under \fI\%dbmodules\fP. -.TP -.B \fBldap_service_password_file\fP -.sp -This LDAP specific tag indicates the file containing the stashed passwords (created by kdb5_ldap_util stashsrvpw) for the objects used by the Kerberos servers to bind to the LDAP server. This file must be kept secure. This value is used if no service password file is mentioned in the configuration section under \fI\%dbmodules\fP. -.TP -.B \fBldap_servers\fP -.sp -This LDAP specific tag indicates the list of LDAP servers that the Kerberos servers can connect to. The list of LDAP servers is whitespace\-separated. The LDAP server is specified by a LDAP URI. This value is used if no LDAP servers are mentioned in the configuration section under \fI\%dbmodules\fP. It is recommended to use the \fIldapi://\fP or \fIldaps://\fP interface and not to use \fIldap://\fP interface. -.TP -.B \fBldap_conns_per_server\fP -.sp -This LDAP specific tag indicates the number of connections to be maintained per LDAP server. This value is used if the number of connections per LDAP server are not mentioned in the configuration section under \fI\%dbmodules\fP. The default value is 5. -.UNINDENT -.SS \fB[dbmodules]\fP -.sp -Contains database specific parameters used by the database library. Each tag in the [dbmodules] section of the file names a configuration section for database specific parameters that can be referred to by a realm. The value of the tag is a subsection where the relations in that subsection define the database specific parameters. -.sp -For each section, the following tags may be specified in the subsection: -.INDENT 0.0 -.TP -.B \fBdatabase_name\fP -.sp -This DB2\-specific tag indicates the location of the database in the filesystem. The default is \fI/usr/local/var/krb5kdc/principal\fP. -.TP -.B \fBdb_library\fP -.sp -This tag indicates the name of the loadable database library. The value should be \fIdb2\fP for DB2 database and \fIkldap\fP for LDAP database. -.TP -.B \fBdb_module_dir\fP -.sp -This tag controls where the plugin system looks for modules. The value should be an absolute path. -.TP -.B \fBdisable_last_success\fP -.sp -If set to \fItrue\fP, suppresses KDC updates to the \fI"Last successful authentication"\fP field of principal entries requiring preauthentication. Setting this flag may improve performance. (Principal entries which do not require preauthentication never update the "Last successful authentication" field.). -.TP -.B \fBdisable_lockout\fP -.sp -If set to \fItrue\fP, suppresses KDC updates to the \fI"Last failed authentication"\fP and \fI"Failed password attempts"\fP fields of principal entries requiring preauthentication. Setting this flag may improve performance, but also disables account lockout. -.TP -.B \fBldap_conns_per_server\fP -.sp -This LDAP specific tags indicates the number of connections to be maintained per LDAP server. -.TP -.B \fBldap_kadmind_dn\fP -.sp -This LDAP specific tag indicates the default bind DN for the Administration server. The administration server does a login to the directory as this object. This object should have the rights to read and write the Kerberos data in the LDAP database. -.TP -.B \fBldap_kdc_dn\fP -.sp -This LDAP specific tag indicates the default bind DN for the KDC server. The KDC server does a login to the directory as this object. This object should have the rights to read the Kerberos data in the LDAP database. -.TP -.B \fBldap_kerberos_container_dn\fP -.sp -This LDAP specific tag indicates the DN of the container object where the realm objects will be located. -.TP -.B \fBldap_servers\fP -.sp -This LDAP specific tag indicates the list of LDAP servers that the Kerberos servers can connect to. The list of LDAP servers is whitespace\-separated. The LDAP server is specified by a LDAP URI. It is recommended to use \fIldapi://\fP or \fIldaps://\fP interface to connect to the LDAP server. -.TP -.B \fBldap_service_password_file\fP -.sp -This LDAP specific tag indicates the file containing the stashed passwords (created by \fIkdb5_ldap_util stashsrvpw\fP) for the objects used by the Kerberos servers to bind to the LDAP server. This file must be kept secure. -.UNINDENT -.SS \fB[appdefaults]\fP -.sp -Each tag in the [appdefaults] section names a Kerberos V5 application or an option that is used by some Kerberos V5 application[s]. The value of the tag defines the default behaviors for that application. -.sp -For example: -.sp -.nf -.ft C -[appdefaults] - telnet = { - ATHENA.MIT.EDU = { - option1 = false - } - } - telnet = { - option1 = true - option2 = true - } - ATHENA.MIT.EDU = { - option2 = false - } - option2 = true -.ft P -.fi -.sp -The above four ways of specifying the value of an option are shown in order of decreasing precedence. In this example, if telnet is running in the realm EXAMPLE.COM, it should, by default, have option1 and option2 set to true. However, a telnet program in the realm ATHENA.MIT.EDU should have option1 set to false and option2 set to true. Any other programs in ATHENA.MIT.EDU should have option2 set to false by default. Any programs running in other realms should have option2 set to true. -.sp -The list of specifiable options for each application may be found in that application\(aqs man pages. The application defaults specified here are overridden by those specified in the \fI\%realms\fP section. -.SH PLUGINS -.INDENT 0.0 -.INDENT 3.5 -.INDENT 0.0 -.IP \(bu 2 -. -\fI\%pwqual\fP interface -.IP \(bu 2 -. -\fI\%kadm5_hook\fP interface -.IP \(bu 2 -. -\fI\%clpreauth\fP and \fI\%kdcpreauth\fP interfaces -.UNINDENT -.UNINDENT -.UNINDENT -.sp -Tags in the \fB[plugins]\fP section can be used to register dynamic plugin modules and to turn modules on and off. Not every krb5 pluggable interface uses the [plugins] section; the ones that do are documented here. -.sp -Each pluggable interface corresponds to a subsection of [plugins]. All subsections support the same tags: -.INDENT 0.0 -.TP -.B \fBdisable\fP -.sp -This tag may have multiple values. If there are values for this tag, then the named modules will be disabled for the pluggable interface. -.TP -.B \fBenable_only\fP -.sp -This tag may have multiple values. If there are values for this tag, then only the named modules will be enabled for the pluggable interface. -.TP -.B \fBmodule\fP -.sp -This tag may have multiple values. Each value is a string of the form "modulename:pathname", which causes the shared object located at pathname to be registered as a dynamic module named modulename for the pluggable interface. If pathname is not an absolute path, it will be treated as relative to the "krb5/plugins" subdirectory of the krb5 library directory. -.UNINDENT -.sp -The following subsections are currently supported within the [plugins] section: -.SS pwqual interface -.sp -The \fBpwqual\fP subsection controls modules for the password quality interface, which is used to reject weak passwords when passwords are changed. In addition to any registered dynamic modules, the following built\-in modules exist (and may be disabled with the disable tag): -.INDENT 0.0 -.TP -.B \fBdict\fP -.sp -Checks against the realm dictionary file -.TP -.B \fBempty\fP -.sp -Rejects empty passwords -.TP -.B \fBhesiod\fP -.sp -Checks against user information stored in Hesiod (only if Kerberos was built with Hesiod support) -.TP -.B \fBprinc\fP -.sp -Checks against components of the principal name -.UNINDENT -.SS kadm5_hook interface -.sp -The \fBkadm5_hook\fP interface provides plugins with information on principal creation, modification, password changes and deletion. This interface can be used to write a plugin to synchronize MIT Kerberos with another database such as Active Directory. No plugins are built in for this interface. -.SS clpreauth and kdcpreauth interfaces -.sp -The \fBclpreauth\fP and \fBkdcpreauth\fP interfaces allow plugin modules to provide client and KDC preauthentication mechanisms. The following built\-in modules exist for these interfaces: -.INDENT 0.0 -.TP -.B \fBpkinit\fP -.sp -This module implements the PKINIT preauthentication mechanism. -.TP -.B \fBencrypted_challenge\fP -.sp -This module implements the encrypted challenge FAST factor. -.TP -.B \fBencrypted_timestamp\fP -.sp -This module implements the encrypted timestamp mechanism. -.UNINDENT -.SH PKINIT OPTIONS -.INDENT 0.0 -.INDENT 3.5 -.INDENT 0.0 -.IP \(bu 2 -. -pkinit identity syntax -.IP \(bu 2 -. -pkinit krb5.conf options -.UNINDENT -.UNINDENT -.UNINDENT -.IP Note -. -The following are pkinit\-specific options. Note that these values may be specified in \fI[libdefaults]\fP as global defaults, or within a realm\-specific subsection of \fI[libdefaults]\fP, or may be specified as realm\-specific values in the \fI[realms]\fP section. Also note that a realm\-specific value over\-rides, does not add to, a generic \fI[libdefaults]\fP specification. The search order is: -.INDENT 0.0 -.IP 1. 3 -. -realm\-specific subsection of [libdefaults] -.INDENT 3.0 -.INDENT 3.5 -.INDENT 0.0 -.TP -.B [libdefaults] -.INDENT 7.0 -.TP -.B EXAMPLE.COM = { -. -pkinit_anchors = FILE:/usr/local/example.com.crt -.UNINDENT -.sp -} -.UNINDENT -.UNINDENT -.UNINDENT -.IP 2. 3 -. -realm\-specific value in the [realms] section, -.INDENT 3.0 -.INDENT 3.5 -.INDENT 0.0 -.TP -.B [realms] -.INDENT 7.0 -.TP -.B OTHERREALM.ORG = { -. -pkinit_anchors = FILE:/usr/local/otherrealm.org.crt -.UNINDENT -.sp -} -.UNINDENT -.UNINDENT -.UNINDENT -.IP 3. 3 -. -generic value in the [libdefaults] section. -.INDENT 3.0 -.INDENT 3.5 -.INDENT 0.0 -.TP -.B [libdefaults] -. -pkinit_anchors = DIR:/usr/local/generic_trusted_cas/ -.UNINDENT -.UNINDENT -.UNINDENT -.UNINDENT -.RE -.SS Specifying pkinit identity information -.sp -The syntax for specifying Public Key identity, trust, and revocation information for pkinit is as follows: -.INDENT 0.0 -.TP -.B FILE:file\-name[,key\-file\-name] -. -This option has context\-specific behavior. -.nf -pkinit_identity -pkinit_identities -.fi -.sp -.INDENT 7.0 -.INDENT 3.5 -.sp -\fIfile\-name\fP specifies the name of a PEM\-format file containing the user\(aqs certificate. If \fIkey\-file\-name\fP is not specified, the user\(aqs private key is expected to be in file\-name as well. Otherwise, \fIkey\-file\-name\fP is the name of the file containing the private key. -.UNINDENT -.UNINDENT -.nf -pkinit_anchors -pkinit_pool -.fi -.sp -.INDENT 7.0 -.INDENT 3.5 -.sp -\fIfile\-name\fP is assumed to be the name of an OpenSSL\-style ca\-bundle file. -.UNINDENT -.UNINDENT -.TP -.B DIR:directory\-name -. -This option has context\-specific behavior. -.nf -pkinit_identity -pkinit_identities -.fi -.sp -.INDENT 7.0 -.INDENT 3.5 -.sp -\fIdirectory\-name\fP specifies a directory with files named *.crt and *.key, where the first part of the file name is the same for matching pairs of certificate and private key files. When a file with a name ending with .crt is found, a matching file ending with .key is assumed to contain the private key. If no such file is found, then the certificate in the .crt is not used. -.UNINDENT -.UNINDENT -.nf -pkinit_anchors -pkinit_pool -.fi -.sp -.INDENT 7.0 -.INDENT 3.5 -.sp -\fIdirectory\-name\fP is assumed to be an OpenSSL\-style hashed CA directory where each CA cert is stored in a file named \fIhash\-of\-ca\-cert.#\fP. This infrastructure is encouraged, but all files in the directory will be examined and if they contain certificates (in PEM format), they will be used. -.UNINDENT -.UNINDENT -.INDENT 7.0 -.TP -.B pkinit_revoke -. -\fIdirectory\-name\fP is assumed to be an OpenSSL\-style hashed CA directory where each revocation list is stored in a file named \fIhash\-of\-ca\-cert.r#\fP. This infrastructure is encouraged, but all files in the directory will be examined and if they contain a revocation list (in PEM format), they will be used. -.UNINDENT -.TP -.B PKCS12:pkcs12\-file\-name -. -\fIpkcs12\-file\-name\fP is the name of a PKCS #12 format file, containing the user\(aqs certificate and private key. -.TP -.B PKCS11:[module_name=]module\-name[:slotid=slot\-id][:token=token\-label][:certid=cert\-id][:certlabel=cert\-label] -. -All keyword/values are optional. module\-name specifies the location of a library implementing PKCS #11. If a value is encountered with no keyword, it is assumed to be the \fImodule\-name\fP. If no module\-name is specified, the default is \fIopensc\-pkcs11.so\fP. \fIslotid=\fP and/or \fItoken=\fP may be specified to force the use of a particular smard card reader or token if there is more than one available. \fIcertid=\fP and/or \fIcertlabel=\fP may be specified to force the selection of a particular certificate on the device. See the \fIpkinit_cert_match\fP configuration option for more ways to select a particular certificate to use for pkinit. -.TP -.B ENV:environment\-variable\-name -. -environment\-variable\-name specifies the name of an environment variable which has been set to a value conforming to one of the previous values. For example, \fIENV:X509_PROXY\fP, where environment variable \fIX509_PROXY\fP has been set to \fIFILE:/tmp/my_proxy.pem\fP. -.UNINDENT -.SS PKINIT krb5.conf options -.INDENT 0.0 -.TP -.B \fBpkinit_anchors\fP -.sp -Specifies the location of trusted anchor (root) certificates which the client trusts to sign KDC certificates. This option may be specified multiple times. These values from the config file are not used if the user specifies X509_anchors on the command line. -.TP -.B \fBpkinit_cert_match\fP -.sp -Specifies matching rules that the client certificate must match before it is used to attempt pkinit authentication. If a user has multiple certificates available (on a smart card, or via other media), there must be exactly one certificate chosen before attempting pkinit authentication. This option may be specified multiple times. All the available certificates are checked against each rule in order until there is a match of exactly one certificate. -.sp -The Subject and Issuer comparison strings are the \fI\%RFC 2253\fP string representations from the certificate Subject DN and Issuer DN values. -.sp -The syntax of the matching rules is: -.sp -.nf -.ft C -[relation\-operator]component\-rule ... -.ft P -.fi -.sp -where -.INDENT 7.0 -.TP -.B \fIrelation\-operator\fP -.sp -can be either \fB&&\fP, meaning all component rules must match, or \fB||\fP, meaning only one component rule must match. The default is &&. -.TP -.B \fIcomponent\-rule\fP -.sp -can be one of the following. Note that there is no punctuation or whitespace between component rules. -.sp -\fIregular\-expression\fP -.sp -\fIregular\-expression\fP -.sp -\fIregular\-expression\fP -.INDENT 7.0 -.TP -.B \fIextended\-key\-usage\-list\fP -.sp -where \fIextended\-key\-usage\-list\fP is a comma\-separated list of required Extended Key Usage values. All values in the list must be present in the certificate. -.INDENT 7.0 -.INDENT 3.5 -.INDENT 0.0 -.IP \(bu 2 -. -pkinit -.IP \(bu 2 -. -msScLogin -.IP \(bu 2 -. -clientAuth -.IP \(bu 2 -. -emailProtection -.UNINDENT -.UNINDENT -.UNINDENT -.TP -.B \fIkey\-usage\-list\fP -.sp -where \fIkey\-usage\-list\fP is a comma\-separated list of required Key Usage values. All values in the list must be present in the certificate. -.INDENT 7.0 -.INDENT 3.5 -.INDENT 0.0 -.IP \(bu 2 -. -digitalSignature -.IP \(bu 2 -. -keyEncipherment -.UNINDENT -.UNINDENT -.UNINDENT -.UNINDENT -.UNINDENT -.sp -Examples: -.sp -.nf -.ft C -pkinit_cert_match = ||.*DoE.*.*@EXAMPLE.COM -pkinit_cert_match = &&msScLogin,clientAuth.*DoE.* -pkinit_cert_match = msScLogin,clientAuthdigitalSignature -.ft P -.fi -.TP -.B \fBpkinit_eku_checking\fP -.sp -This option specifies what Extended Key Usage value the KDC certificate presented to the client must contain. (Note that if the KDC certificate has the pkinit SubjectAlternativeName encoded as the Kerberos TGS name, EKU checking is not necessary since the issuing CA has certified this as a KDC certificate.) The values recognized in the krb5.conf file are: -.INDENT 7.0 -.TP -.B \fIkpKDC\fP -.sp -This is the default value and specifies that the KDC must have the id\-pkinit\-KPKdc EKU as defined in \fI\%RFC 4556\fP. -.TP -.B \fIkpServerAuth\fP -.sp -If kpServerAuth is specified, a KDC certificate with the id\-kp\-serverAuth EKU as used by Microsoft will be accepted. -.TP -.B \fInone\fP -.sp -If none is specified, then the KDC certificate will not be checked to verify it has an acceptable EKU. The use of this option is not recommended. -.UNINDENT -.TP -.B \fBpkinit_dh_min_bits\fP -.sp -Specifies the size of the Diffie\-Hellman key the client will attempt to use. The acceptable values are currently 1024, 2048, and 4096. The default is 2048. -.TP -.B \fBpkinit_identities\fP -.sp -Specifies the location(s) to be used to find the user\(aqs X.509 identity information. This option may be specified multiple times. Each value is attempted in order until identity information is found and authentication is attempted. Note that these values are not used if the user specifies X509_user_identity on the command line. -.TP -.B \fBpkinit_kdc_hostname\fP -.sp -The presense of this option indicates that the client is willing to accept a KDC certificate with a dNSName SAN (Subject Alternative Name) rather than requiring the id\-pkinit\-san as defined in \fI\%RFC 4556\fP. This option may be specified multiple times. Its value should contain the acceptable hostname for the KDC (as contained in its certificate). -.TP -.B \fBpkinit_longhorn\fP -.sp -If this flag is set to true, we are talking to the Longhorn KDC. -.TP -.B \fBpkinit_pool\fP -.sp -Specifies the location of intermediate certificates which may be used by the client to complete the trust chain between a KDC certificate and a trusted anchor. This option may be specified multiple times. -.TP -.B \fBpkinit_require_crl_checking\fP -.sp -The default certificate verification process will always check the available revocation information to see if a certificate has been revoked. If a match is found for the certificate in a CRL, verification fails. If the certificate being verified is not listed in a CRL, or there is no CRL present for its issuing CA, and \fIpkinit_require_crl_checking\fP is false, then verification succeeds. -.sp -However, if \fIpkinit_require_crl_checking\fP is true and there is no CRL information available for the issuing CA, then verification fails. -.sp -\fIpkinit_require_crl_checking\fP should be set to true if the policy is such that up\-to\-date CRLs must be present for every CA. -.TP -.B \fBpkinit_revoke\fP -.sp -Specifies the location of Certificate Revocation List (CRL) information to be used by the client when verifying the validity of the KDC certificate presented. This option may be specified multiple times. -.TP -.B \fBpkinit_win2k\fP -.sp -This flag specifies whether the target realm is assumed to support only the old, pre\-RFC version of the protocol. The default is false. -.TP -.B \fBpkinit_win2k_require_binding\fP -.sp -If this flag is set to true, it expects that the target KDC is patched to return a reply with a checksum rather than a nonce. The default is false. -.UNINDENT -.SH SAMPLE KRB5.CONF FILE -.sp -Here is an example of a generic krb5.conf file: -.sp -.nf -.ft C -[libdefaults] - default_realm = ATHENA.MIT.EDU - default_tkt_enctypes = des3\-hmac\-sha1 des\-cbc\-crc - default_tgs_enctypes = des3\-hmac\-sha1 des\-cbc\-crc - dns_lookup_kdc = true - dns_lookup_realm = false - -[realms] - ATHENA.MIT.EDU = { - kdc = kerberos.mit.edu - kdc = kerberos\-1.mit.edu - kdc = kerberos\-2.mit.edu:750 - admin_server = kerberos.mit.edu - master_kdc = kerberos.mit.edu - default_domain = mit.edu - } - EXAMPLE.COM = { - kdc = kerberos.example.com - kdc = kerberos\-1.example.com - admin_server = kerberos.example.com - } - OPENLDAP.MIT.EDU = { - kdc = kerberos.mit.edu - admin_server = kerberos.mit.edu - database_module = openldap_ldapconf - } - -[domain_realm] - .mit.edu = ATHENA.MIT.EDU - mit.edu = ATHENA.MIT.EDU - -[capaths] - ATHENA.MIT.EDU = { - EXAMPLE.COM = . - } - EXAMPLE.COM = { - ATHENA.MIT.EDU = . - } - -[logging] - kdc = SYSLOG:INFO - admin_server = FILE=/var/kadm5.log -[dbdefaults] - ldap_kerberos_container_dn = cn=krbcontainer,dc=example,dc=com -[dbmodules] - openldap_ldapconf = { - db_library = kldap - disable_last_success = true - ldap_kerberos_container_dn = cn=krbcontainer,dc=example,dc=com - ldap_kdc_dn = "cn=krbadmin,dc=example,dc=com" - # this object needs to have read rights on - # the realm container and principal subtrees - ldap_kadmind_dn = "cn=krbadmin,dc=example,dc=com" - # this object needs to have read and write rights on - # the realm container and principal subtrees - ldap_service_password_file = /etc/kerberos/service.keyfile - ldap_servers = ldaps://kerberos.mit.edu - ldap_conns_per_server = 5 -} -.ft P -.fi -.SH FILES -.sp -/etc/krb5.conf -.SH SEE ALSO -.sp -syslog(3) -.SH AUTHOR -MIT -.SH COPYRIGHT -2011, MIT -.\" Generated by docutils manpage writer. -. diff --git a/src/man/krb5.conf.man b/src/man/krb5.conf.man new file mode 100644 index 000000000..cc85bb9ea --- /dev/null +++ b/src/man/krb5.conf.man @@ -0,0 +1,1303 @@ +.TH "KRB5.CONF" "5" " " "0.0.1" "MIT Kerberos" +.SH NAME +krb5.conf \- Kerberos configuration file +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.\" Man page generated from reStructeredText. +. +.sp +The krb5.conf file contains Kerberos configuration information, +including the locations of KDCs and admin servers for the Kerberos +realms of interest, defaults for the current realm and for Kerberos +applications, and mappings of hostnames onto Kerberos realms. +Normally, you should install your krb5.conf file in the directory +\fB/etc\fP. You can override the default location by setting the +environment variable \fBKRB5_CONFIG\fP. +.SH STRUCTURE +.sp +The krb5.conf file is set up in the style of a Windows INI file. +Sections are headed by the section name, in square brackets. Each +section may contain zero or more relations, of the form: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +foo = bar +.ft P +.fi +.UNINDENT +.UNINDENT +.INDENT 0.0 +.TP +.B or +.sp +.nf +.ft C +fubar = { + foo = bar + baz = quux +} +.ft P +.fi +.UNINDENT +.sp +Placing a \(aq*\(aq at the end of a line indicates that this is the \fIfinal\fP +value for the tag. This means that neither the remainder of this +configuration file nor any other configuration file will be checked +for any other values for this tag. +.INDENT 0.0 +.TP +.B For example, if you have the following lines: +.sp +.nf +.ft C +foo = bar* +foo = baz +.ft P +.fi +.UNINDENT +.sp +then the second value of \fBfoo\fP (\fBbaz\fP) would never be read. +.sp +The krb5.conf file can include other files using either of the +following directives at the beginning of a line: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +include FILENAME +includedir DIRNAME +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +\fIFILENAME\fP or \fIDIRNAME\fP should be an absolute path. The named file or +directory must exist and be readable. Including a directory includes +all files within the directory whose names consist solely of +alphanumeric characters, dashes, or underscores. Included profile +files are syntactically independent of their parents, so each included +file must begin with a section header. +.sp +The krb5.conf file can specify that configuration should be obtained +from a loadable module, rather than the file itself, using the +following directive at the beginning of a line before any section +headers: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +module MODULEPATH:RESIDUAL +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +\fIMODULEPATH\fP may be relative to the library path of the krb5 +installation, or it may be an absolute path. \fIRESIDUAL\fP is provided +to the module at initialization time. If krb5.conf uses a module +directive, \fIkdc.conf(5)\fP should also use one if it exists. +.SH SECTIONS +.sp +The krb5.conf file may contain the following sections: +.TS +center; +|l|l|. +_ +T{ +\fI\%[libdefaults]\fP +T} T{ +Settings used by the Kerberos V5 library +T} +_ +T{ +\fI\%[realms]\fP +T} T{ +Realm\-specific contact information and settings +T} +_ +T{ +\fI\%[domain_realm]\fP +T} T{ +Maps server hostnames to Kerberos realms +T} +_ +T{ +\fI\%[capaths]\fP +T} T{ +Authentication paths for non\-hierarchical cross\-realm +T} +_ +T{ +\fI\%[appdefaults]\fP +T} T{ +Settings used by some Kerberos V5 applications +T} +_ +T{ +\fI\%[plugins]\fP +T} T{ +Controls plugin module registration +T} +_ +.TE +.SS [libdefaults] +.sp +The libdefaults section may contain any of the following relations: +.INDENT 0.0 +.TP +.B \fBallow_weak_crypto\fP +.sp +If this flag is set to false, then weak encryption types will be +filtered out of the previous three lists (as noted in +\fIEncryption_and_salt_types\fP in \fIkdc.conf(5)\fP). The +default value for this tag is false, which may cause +authentication failures in existing Kerberos infrastructures that +do not support strong crypto. Users in affected environments +should set this tag to true until their infrastructure adopts +stronger ciphers. +.TP +.B \fBap_req_checksum_type\fP +.sp +An integer which specifies the type of AP\-REQ checksum to use in +authenticators. This variable should be unset so the appropriate +checksum for the encryption key in use will be used. This can be +set if backward compatibility requires a specific checksum type. +See the \fBkdc_req_checksum_type\fP configuration option for the +possible values and their meanings. +.TP +.B \fBcanonicalize\fP +.sp +If this flag is set to true, initial ticket requests to the KDC +will request canonicalization of the client principal name, and +answers with different client principals than the requested +principal will be accepted. The default value is false. +.TP +.B \fBccache_type\fP +.sp +This parameter determines the format of credential cache types +created by \fIkinit(1)\fP or other programs. The default value +is 4, which represents the most current format. Smaller values +can be used for compatibility with very old implementations of +Kerberos which interact with credential caches on the same host. +.TP +.B \fBclockskew\fP +.sp +Sets the maximum allowable amount of clockskew in seconds that the +library will tolerate before assuming that a Kerberos message is +invalid. The default value is 300 seconds, or five minutes. +.TP +.B \fBdefault_keytab_name\fP +.sp +This relation specifies the default keytab name to be used by +application servers such as telnetd and rlogind. The default is +\fB/etc/krb5.keytab\fP. +.TP +.B \fBdefault_realm\fP +.sp +Identifies the default Kerberos realm for the client. Set its +value to your Kerberos realm. If this value is not set, then a +realm must be specified with every Kerberos principal when +invoking programs such as \fIkinit(1)\fP. +.TP +.B \fBdefault_tgs_enctypes\fP +.sp +Identifies the supported list of session key encryption types that +should be returned by the KDC. The list may be delimited with +commas or whitespace. See \fIEncryption_and_salt_types\fP in +\fIkdc.conf(5)\fP for a list of the accepted values for this tag. +The default value is \fBaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 des3\-cbc\-sha1 arcfour\-hmac\-md5 des\-cbc\-crc des\-cbc\-md5 des\-cbc\-md4\fP, but single\-DES encryption types +will be implicitly removed from this list if the value of +\fBallow_weak_crypto\fP is false. +.TP +.B \fBdefault_tkt_enctypes\fP +.sp +Identifies the supported list of session key encryption types that +should be requested by the client. The format is the same as for +default_tgs_enctypes. The default value for this tag is +\fBaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 des3\-cbc\-sha1 arcfour\-hmac\-md5 des\-cbc\-crc des\-cbc\-md5 des\-cbc\-md4\fP, but single\-DES encryption types will be implicitly +removed from this list if the value of \fBallow_weak_crypto\fP is +false. +.TP +.B \fBdns_lookup_kdc\fP +.sp +Indicate whether DNS SRV records should be used to locate the KDCs +and other servers for a realm, if they are not listed in the +krb5.conf information for the realm. (Note that the admin_server +entry must be in the krb5.conf realm information in order to +contact kadmind, because the DNS implementation for kadmin is +incomplete.) +.sp +Enabling this option does open up a type of denial\-of\-service +attack, if someone spoofs the DNS records and redirects you to +another server. However, it\(aqs no worse than a denial of service, +because that fake KDC will be unable to decode anything you send +it (besides the initial ticket request, which has no encrypted +data), and anything the fake KDC sends will not be trusted without +verification using some secret that it won\(aqt know. +.TP +.B \fBextra_addresses\fP +.sp +This allows a computer to use multiple local addresses, in order +to allow Kerberos to work in a network that uses NATs while still +using address\-restricted tickets. The addresses should be in a +comma\-separated list. This option has no effect if +\fBnoaddresses\fP is true. +.TP +.B \fBforwardable\fP +.sp +If this flag is true, initial tickets will be forwardable by +default, if allowed by the KDC. The default value is false. +.TP +.B \fBignore_acceptor_hostname\fP +.sp +When accepting GSSAPI or krb5 security contexts for host\-based +service principals, ignore any hostname passed by the calling +application, and allow clients to authenticate to any service +principal in the keytab matching the service name and realm name +(if given). This option can improve the administrative +flexibility of server applications on multihomed hosts, but could +compromise the security of virtual hosting environments. The +default value is false. +.TP +.B \fBk5login_authoritative\fP +.sp +If this flag is true, principals must be listed in a local user\(aqs +k5login file to be granted login access, if a \fI.k5login(5)\fP +file exists. If this flag is false, a principal may still be +granted login access through other mechanisms even if a k5login +file exists but does not list the principal. The default value is +true. +.TP +.B \fBk5login_directory\fP +.sp +If set, the library will look for a local user\(aqs k5login file +within the named directory, with a filename corresponding to the +local username. If not set, the library will look for k5login +files in the user\(aqs home directory, with the filename .k5login. +For security reasons, .k5login files must be owned by +the local user or by root. +.TP +.B \fBkdc_default_options\fP +.sp +Default KDC options (Xored for multiple values) when requesting +initial tickets. By default it is set to 0x00000010 +(KDC_OPT_RENEWABLE_OK). +.TP +.B \fBkdc_timesync\fP +.sp +If this flag is true, client machines will compute the difference +between their time and the time returned by the KDC in the +timestamps in the tickets and use this value to correct for an +inaccurate system clock when requesting service tickets or +authenticating to services. This corrective factor is only used +by the Kerberos library; it is not used to change the system +clock. The default value is true. +.TP +.B \fBkdc_req_checksum_type\fP +.sp +An integer which specifies the type of checksum to use for the KDC +requests, for compatibility with very old KDC implementations. +This value is only used for DES keys; other keys use the preferred +checksum type for those keys. +.sp +The possible values and their meanings are as follows. +.TS +center; +|l|l|. +_ +T{ +1 +T} T{ +CRC32 +T} +_ +T{ +2 +T} T{ +RSA MD4 +T} +_ +T{ +3 +T} T{ +RSA MD4 DES +T} +_ +T{ +4 +T} T{ +DES CBC +T} +_ +T{ +7 +T} T{ +RSA MD5 +T} +_ +T{ +8 +T} T{ +RSA MD5 DES +T} +_ +T{ +9 +T} T{ +NIST SHA +T} +_ +T{ +12 +T} T{ +HMAC SHA1 DES3 +T} +_ +T{ +\-138 +T} T{ +Microsoft MD5 HMAC checksum type +T} +_ +.TE +.TP +.B \fBnoaddresses\fP +.sp +If this flag is true, requests for initial tickets will not be +made with address restrictions set, allowing the tickets to be +used across NATs. The default value is true. +.TP +.B \fBpermitted_enctypes\fP +.sp +Identifies all encryption types that are permitted for use in +session key encryption. The default value for this tag is +\fBaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 des3\-cbc\-sha1 arcfour\-hmac\-md5 des\-cbc\-crc des\-cbc\-md5 des\-cbc\-md4\fP, but single\-DES encryption types will be implicitly +removed from this list if the value of \fBallow_weak_crypto\fP is +false. +.TP +.B \fBplugin_base_dir\fP +.sp +If set, determines the base directory where krb5 plugins are +located. The default value is the \fBkrb5/plugins\fP subdirectory +of the krb5 library directory. +.TP +.B \fBpreferred_preauth_types\fP +.sp +This allows you to set the preferred preauthentication types which +the client will attempt before others which may be advertised by a +KDC. The default value for this setting is "17, 16, 15, 14", +which forces libkrb5 to attempt to use PKINIT if it is supported. +.TP +.B \fBproxiable\fP +.sp +If this flag is true, initial tickets will be proxiable by +default, if allowed by the KDC. The default value is false. +.TP +.B \fBrdns\fP +.sp +If this flag is true, reverse name lookup will be used in addition +to forward name lookup to canonicalizing hostnames for use in +service principal names. The default value is true. +.TP +.B \fBrealm_try_domains\fP +.sp +Indicate whether a host\(aqs domain components should be used to +determine the Kerberos realm of the host. The value of this +variable is an integer: \-1 means not to search, 0 means to try the +host\(aqs domain itself, 1 means to also try the domain\(aqs immediate +parent, and so forth. The library\(aqs usual mechanism for locating +Kerberos realms is used to determine whether a domain is a valid +realm\-\-which may involve consulting DNS if \fBdns_lookup_kdc\fP is +set. The default is not to search domain components. +.TP +.B \fBrenew_lifetime\fP +.sp +Sets the default renewable lifetime for initial ticket requests. +The default value is 0. +.TP +.B \fBsafe_checksum_type\fP +.sp +An integer which specifies the type of checksum to use for the +KRB\-SAFE requests. By default it is set to 8 (RSA MD5 DES). For +compatibility with applications linked against DCE version 1.1 or +earlier Kerberos libraries, use a value of 3 to use the RSA MD4 +DES instead. This field is ignored when its value is incompatible +with the session key type. See the \fBkdc_req_checksum_type\fP +configuration option for the possible values and their meanings. +.TP +.B \fBticket_lifetime\fP +.sp +Sets the default lifetime for initial ticket requests. The +default value is 1 day. +.TP +.B \fBudp_preference_limit\fP +.sp +When sending a message to the KDC, the library will try using TCP +before UDP if the size of the message is above +\fBudp_preference_limit\fP. If the message is smaller than +\fBudp_preference_limit\fP, then UDP will be tried before TCP. +Regardless of the size, both protocols will be tried if the first +attempt fails. +.TP +.B \fBverify_ap_req_nofail\fP +.sp +If this flag is true, then an attempt to verify initial +credentials will fail if the client machine does not have a +keytab. The default value is false. +.UNINDENT +.SS [realms] +.sp +Each tag in the [realms] section of the file is the name of a Kerberos +realm. The value of the tag is a subsection with relations that +define the properties of that particular realm. For each realm, the +following tags may be specified in the realm\(aqs subsection: +.INDENT 0.0 +.TP +.B \fBadmin_server\fP +.sp +Identifies the host where the administration server is running. +Typically, this is the master Kerberos server. This tag must be +given a value in order to communicate with the \fIkadmind(8)\fP +server for the realm. +.TP +.B \fBauth_to_local\fP +.sp +This tag allows you to set a general rule for mapping principal +names to local user names. It will be used if there is not an +explicit mapping for the principal name that is being +translated. The possible values are: +.INDENT 7.0 +.TP +.B \fBRULE:\fP\fIexp\fP +.sp +The local name will be formulated from \fIexp\fP. +.sp +The format for \fIexp\fP is \fB[\fP\fIn\fP\fB:\fP\fIstring\fP\fB](\fP\fIregexp\fP\fB)s/\fP\fIpattern\fP\fB/\fP\fIreplacement\fP\fB/g\fP. +The integer \fIn\fP indicates how many components the target +principal should have. If this matches, then a string will be +formed from \fIstring\fP, substituting the realm of the principal +for \fB$0\fP and the \fIn\fP\(aqth component of the principal for +\fB$n\fP (e.g. if the principal was \fBjohndoe/admin\fP then +\fB[2:$2$1foo]\fP would result in the string +\fBadminjohndoefoo\fP). If this string matches \fIregexp\fP, then +the \fBs//[g]\fP substitution command will be run over the +string. The optional \fBg\fP will cause the substitution to be +global over the \fIstring\fP, instead of replacing only the first +match in the \fIstring\fP. +.TP +.B \fBDEFAULT\fP +.sp +The principal name will be used as the local user name. If +the principal has more than one component or is not in the +default realm, this rule is not applicable and the conversion +will fail. +.TP +.B For example: +.sp +.nf +.ft C +[realms] + ATHENA.MIT.EDU = { + auth_to_local = RULE:[2:$1](johndoe)s/^.*$/guest/ + auth_to_local = RULE:[2:$1;$2](^.*;admin$)s/;admin$// + auth_to_local = RULE:[2:$2](^.*;root)s/^.*$/root/ + auto_to_local = DEFAULT + } +.ft P +.fi +.UNINDENT +.sp +would result in any principal without \fBroot\fP or \fBadmin\fP as the +second component to be translated with the default rule. A +principal with a second component of \fBadmin\fP will become its +first component. \fBroot\fP will be used as the local name for any +principal with a second component of \fBroot\fP. The exception to +these two rules are any principals \fBjohndoe/*\fP, which will +always get the local name \fBguest\fP. +.TP +.B \fBauth_to_local_names\fP +.sp +This subsection allows you to set explicit mappings from principal +names to local user names. The tag is the mapping name, and the +value is the corresponding local user name. +.TP +.B \fBdefault_domain\fP +.sp +This tag specifies the domain used to expand hostnames when +translating Kerberos 4 service principals to Kerberos 5 principals +(for example, when converting \fBrcmd.hostname\fP to +\fBhost/hostname.domain\fP). +.TP +.B \fBkdc\fP +.sp +The name or address of a host running a KDC for that realm. An +optional port number, separated from the hostname by a colon, may +be included. If the name or address contains colons (for example, +if it is an IPv6 address), enclose it in square brackets to +distinguish the colon from a port separator. For your computer to +be able to communicate with the KDC for each realm, this tag must +be given a value in each realm subsection in the configuration +file, or there must be DNS SRV records specifying the KDCs. +.TP +.B \fBkpasswd_server\fP +.sp +Points to the server where all the password changes are performed. +If there is no such entry, the port 464 on the \fBadmin_server\fP +host will be tried. +.TP +.B \fBmaster_kdc\fP +.sp +Identifies the master KDC(s). Currently, this tag is used in only +one case: If an attempt to get credentials fails because of an +invalid password, the client software will attempt to contact the +master KDC, in case the user\(aqs password has just been changed, and +the updated database has not been propagated to the slave servers +yet. +.TP +.B \fBv4_instance_convert\fP +.sp +This subsection allows the administrator to configure exceptions +to the \fBdefault_domain\fP mapping rule. It contains V4 instances +(the tag name) which should be translated to some specific +hostname (the tag value) as the second component in a Kerberos V5 +principal name. +.TP +.B \fBv4_realm\fP +.sp +This relation is used by the krb524 library routines when +converting a V5 principal name to a V4 principal name. It is used +when the V4 realm name and the V5 realm name are not the same, but +still share the same principal names and passwords. The tag value +is the Kerberos V4 realm name. +.UNINDENT +.SS [domain_realm] +.sp +The [domain_realm] section provides a translation from a domain name +or hostname to a Kerberos realm name. The tag name can be a host name +or domain name, where domain names are indicated by a prefix of a +period (\fB.\fP). The value of the relation is the Kerberos realm name +for that particular host or domain. The Kerberos realm may be +identified either in the \fI\%realms\fP section or using DNS SRV records. +Host names and domain names should be in lower case. For example: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +[domain_realm] + crash.mit.edu = TEST.ATHENA.MIT.EDU + .mit.edu = ATHENA.MIT.EDU + mit.edu = ATHENA.MIT.EDU +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +maps the host with the exact name \fBcrash.mit.edu\fP into the +TEST.ATHENA.MIT.EDU realm. The period prefix in \fB.mit.edu\fP denotes +that all systems in the \fBmit.edu\fP domain belong to +\fBATHENA.MIT.EDU\fP realm. The third entry maps the host \fBmit.edu\fP +itself to the \fBATHENA.MIT.EDU\fP realm. +.sp +If no translation entry applies to a hostname used for a service +principal for a service ticket request, the library will try to get a +referral to the appropriate realm from the client realm\(aqs KDC. If +that does not succeed, the host\(aqs realm is considered to be the +hostname\(aqs domain portion converted to uppercase, unless the +\fBrealm_try_domains\fP setting in [libdefaults] causes a different +parent domain to be used. +.SS [capaths] +.sp +In order to perform direct (non\-hierarchical) cross\-realm +authentication, configuration is needed to determine the +authentication paths between realms. +.sp +A client will use this section to find the authentication path between +its realm and the realm of the server. The server will use this +section to verify the authentication path used by the client, by +checking the transited field of the received ticket. +.sp +There is a tag for each participating client realm, and each tag has +subtags for each of the server realms. The value of the subtags is an +intermediate realm which may participate in the cross\-realm +authentication. The subtags may be repeated if there is more then one +intermediate realm. A value of "." means that the two realms share +keys directly, and no intermediate realms should be allowed to +participate. +.sp +Only those entries which will be needed on the client or the server +need to be present. A client needs a tag for its local realm with +subtags for all the realms of servers it will need to authenticate to. +A server needs a tag for each realm of the clients it will serve, with +a subtag of the server realm. +.sp +For example, \fBANL.GOV\fP, \fBPNL.GOV\fP, and \fBNERSC.GOV\fP all wish to +use the \fBES.NET\fP realm as an intermediate realm. ANL has a sub +realm of \fBTEST.ANL.GOV\fP which will authenticate with \fBNERSC.GOV\fP +but not \fBPNL.GOV\fP. The [capaths] section for \fBANL.GOV\fP systems +would look like this: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +[capaths] + ANL.GOV = { + TEST.ANL.GOV = . + PNL.GOV = ES.NET + NERSC.GOV = ES.NET + ES.NET = . + } + TEST.ANL.GOV = { + ANL.GOV = . + } + PNL.GOV = { + ANL.GOV = ES.NET + } + NERSC.GOV = { + ANL.GOV = ES.NET + } + ES.NET = { + ANL.GOV = . + } +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +The [capaths] section of the configuration file used on \fBNERSC.GOV\fP +systems would look like this: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +[capaths] + NERSC.GOV = { + ANL.GOV = ES.NET + TEST.ANL.GOV = ES.NET + TEST.ANL.GOV = ANL.GOV + PNL.GOV = ES.NET + ES.NET = . + } + ANL.GOV = { + NERSC.GOV = ES.NET + } + PNL.GOV = { + NERSC.GOV = ES.NET + } + ES.NET = { + NERSC.GOV = . + } + TEST.ANL.GOV = { + NERSC.GOV = ANL.GOV + NERSC.GOV = ES.NET + } +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +When a subtag is used more than once within a tag, clients will use +the order of values to determine the path. The order of values is not +important to servers. +.SS [appdefaults] +.sp +Each tag in the [appdefaults] section names a Kerberos V5 application +or an option that is used by some Kerberos V5 application[s]. The +value of the tag defines the default behaviors for that application. +.INDENT 0.0 +.TP +.B For example: +.sp +.nf +.ft C +[appdefaults] + telnet = { + ATHENA.MIT.EDU = { + option1 = false + } + } + telnet = { + option1 = true + option2 = true + } + ATHENA.MIT.EDU = { + option2 = false + } + option2 = true +.ft P +.fi +.UNINDENT +.sp +The above four ways of specifying the value of an option are shown in +order of decreasing precedence. In this example, if telnet is running +in the realm EXAMPLE.COM, it should, by default, have option1 and +option2 set to true. However, a telnet program in the realm +\fBATHENA.MIT.EDU\fP should have \fBoption1\fP set to false and +\fBoption2\fP set to true. Any other programs in ATHENA.MIT.EDU should +have \fBoption2\fP set to false by default. Any programs running in +other realms should have \fBoption2\fP set to true. +.sp +The list of specifiable options for each application may be found in +that application\(aqs man pages. The application defaults specified here +are overridden by those specified in the \fI\%realms\fP section. +.SS [plugins] +.INDENT 0.0 +.INDENT 3.5 +.INDENT 0.0 +.IP \(bu 2 +. +\fI\%pwqual\fP interface +.IP \(bu 2 +. +\fI\%kadm5_hook\fP interface +.IP \(bu 2 +. +\fI\%clpreauth\fP and \fI\%kdcpreauth\fP interfaces +.UNINDENT +.UNINDENT +.UNINDENT +.sp +Tags in the [plugins] section can be used to register dynamic plugin +modules and to turn modules on and off. Not every krb5 pluggable +interface uses the [plugins] section; the ones that do are documented +here. +.sp +Each pluggable interface corresponds to a subsection of [plugins]. +All subsections support the same tags: +.INDENT 0.0 +.TP +.B \fBdisable\fP +.sp +This tag may have multiple values. If there are values for this +tag, then the named modules will be disabled for the pluggable +interface. +.TP +.B \fBenable_only\fP +.sp +This tag may have multiple values. If there are values for this +tag, then only the named modules will be enabled for the pluggable +interface. +.TP +.B \fBmodule\fP +.sp +This tag may have multiple values. Each value is a string of the +form \fBmodulename:pathname\fP, which causes the shared object +located at \fIpathname\fP to be registered as a dynamic module named +\fImodulename\fP for the pluggable interface. If \fIpathname\fP is not an +absolute path, it will be treated as relative to the +\fBplugin_base_dir\fP value from \fI\%[libdefaults]\fP. +.UNINDENT +.sp +The following subsections are currently supported within the [plugins] +section: +.SS ccselect interface +.sp +The ccselect subsection controls modules for credential cache +selection within a cache collection. In addition to any registered +dynamic modules, the following built\-in modules exist (and may be +disabled with the disable tag): +.INDENT 0.0 +.TP +.B \fBk5identity\fP +.sp +Uses a .k5identity file in the user\(aqs home directory to select a +client principal +.TP +.B \fBrealm\fP +.sp +Uses the service realm to guess an appropriate cache from the +collection +.UNINDENT +.SS pwqual interface +.sp +The pwqual subsection controls modules for the password quality +interface, which is used to reject weak passwords when passwords are +changed. The following built\-in modules exist for this interface: +.INDENT 0.0 +.TP +.B \fBdict\fP +.sp +Checks against the realm dictionary file +.TP +.B \fBempty\fP +.sp +Rejects empty passwords +.TP +.B \fBhesiod\fP +.sp +Checks against user information stored in Hesiod (only if Kerberos +was built with Hesiod support) +.TP +.B \fBprinc\fP +.sp +Checks against components of the principal name +.UNINDENT +.SS kadm5_hook interface +.sp +The kadm5_hook interface provides plugins with information on +principal creation, modification, password changes and deletion. This +interface can be used to write a plugin to synchronize MIT Kerberos +with another database such as Active Directory. No plugins are built +in for this interface. +.SS clpreauth and kdcpreauth interfaces +.sp +The clpreauth and kdcpreauth interfaces allow plugin modules to +provide client and KDC preauthentication mechanisms. The following +built\-in modules exist for these interfaces: +.INDENT 0.0 +.TP +.B \fBpkinit\fP +.sp +This module implements the PKINIT preauthentication mechanism. +.TP +.B \fBencrypted_challenge\fP +.sp +This module implements the encrypted challenge FAST factor. +.TP +.B \fBencrypted_timestamp\fP +.sp +This module implements the encrypted timestamp mechanism. +.UNINDENT +.SH PKINIT OPTIONS +.IP Note +. +The following are PKINIT\-specific options. These values may +be specified in [libdefaults] as global defaults, or within +a realm\-specific subsection of [libdefaults], or may be +specified as realm\-specific values in the [realms] section. +A realm\-specific value overrides, not adds to, a generic +[libdefaults] specification. The search order is: +.RE +.INDENT 0.0 +.IP 1. 3 +. +realm\-specific subsection of [libdefaults]: +.INDENT 3.0 +.INDENT 3.5 +.sp +.nf +.ft C +[libdefaults] + EXAMPLE.COM = { + pkinit_anchors = FILE\e:/usr/local/example.com.crt + } +.ft P +.fi +.UNINDENT +.UNINDENT +.IP 2. 3 +. +realm\-specific value in the [realms] section, +.INDENT 3.0 +.INDENT 3.5 +.sp +.nf +.ft C +[realms] + OTHERREALM.ORG = { + pkinit_anchors = FILE\e:/usr/local/otherrealm.org.crt + } +.ft P +.fi +.UNINDENT +.UNINDENT +.IP 3. 3 +. +generic value in the [libdefaults] section. +.INDENT 3.0 +.INDENT 3.5 +.sp +.nf +.ft C +[libdefaults] + pkinit_anchors = DIR\e:/usr/local/generic_trusted_cas/ +.ft P +.fi +.UNINDENT +.UNINDENT +.UNINDENT +.SS Specifying PKINIT identity information +.sp +The syntax for specifying Public Key identity, trust, and revocation +information for PKINIT is as follows: +.INDENT 0.0 +.TP +.B \fBFILE:\fP\fIfilename\fP[\fB,\fP\fIkeyfilename\fP] +.sp +This option has context\-specific behavior. +.sp +In \fBpkinit_identity\fP or \fBpkinit_identities\fP, \fIfilename\fP +specifies the name of a PEM\-format file containing the user\(aqs +certificate. If \fIkeyfilename\fP is not specified, the user\(aqs +private key is expected to be in \fIfilename\fP as well. Otherwise, +\fIkeyfilename\fP is the name of the file containing the private key. +.sp +In \fBpkinit_anchors\fP or \fBpkinit_pool\fP, \fIfilename\fP is assumed to +be the name of an OpenSSL\-style ca\-bundle file. +.TP +.B \fBDIR:\fP\fIdirname\fP +.sp +This option has context\-specific behavior. +.sp +In \fBpkinit_identity\fP or \fBpkinit_identities\fP, \fIdirname\fP +specifies a directory with files named \fB*.crt\fP and \fB*.key\fP +where the first part of the file name is the same for matching +pairs of certificate and private key files. When a file with a +name ending with \fB.crt\fP is found, a matching file ending with +\fB.key\fP is assumed to contain the private key. If no such file +is found, then the certificate in the \fB.crt\fP is not used. +.sp +In \fBpkinit_anchors\fP or \fBpkinit_pool\fP, \fIdirname\fP is assumed to +be an OpenSSL\-style hashed CA directory where each CA cert is +stored in a file named \fBhash\-of\-ca\-cert.#\fP. This infrastructure +is encouraged, but all files in the directory will be examined and +if they contain certificates (in PEM format), they will be used. +.sp +In \fBpkinit_revoke\fP, \fIdirname\fP is assumed to be an OpenSSL\-style +hashed CA directory where each revocation list is stored in a file +named \fBhash\-of\-ca\-cert.r#\fP. This infrastructure is encouraged, +but all files in the directory will be examined and if they +contain a revocation list (in PEM format), they will be used. +.TP +.B \fBPKCS12:\fP\fIfilename\fP +.sp +\fIfilename\fP is the name of a PKCS #12 format file, containing the +user\(aqs certificate and private key. +.TP +.B \fBPKCS11:\fP[\fBmodule_name=\fP]\fImodname\fP[\fB:slotid=\fP\fIslot\-id\fP][\fB:token=\fP\fItoken\-label\fP][\fB:certid=\fP\fIcert\-id\fP][\fB:certlabel=\fP\fIcert\-label\fP] +.sp +All keyword/values are optional. \fImodname\fP specifies the location +of a library implementing PKCS #11. If a value is encountered +with no keyword, it is assumed to be the \fImodname\fP. If no +module\-name is specified, the default is \fBopensc\-pkcs11.so\fP. +\fBslotid=\fP and/or \fBtoken=\fP may be specified to force the use of +a particular smard card reader or token if there is more than one +available. \fBcertid=\fP and/or \fBcertlabel=\fP may be specified to +force the selection of a particular certificate on the device. +See the \fBpkinit_cert_match\fP configuration option for more ways +to select a particular certificate to use for PKINIT. +.TP +.B \fBENV:\fP\fIenvvar\fP +.sp +\fIenvvar\fP specifies the name of an environment variable which has +been set to a value conforming to one of the previous values. For +example, \fBENV:X509_PROXY\fP, where environment variable +\fBX509_PROXY\fP has been set to \fBFILE:/tmp/my_proxy.pem\fP. +.UNINDENT +.SS PKINIT krb5.conf options +.INDENT 0.0 +.TP +.B \fBpkinit_anchors\fP +.sp +Specifies the location of trusted anchor (root) certificates which +the client trusts to sign KDC certificates. This option may be +specified multiple times. These values from the config file are +not used if the user specifies X509_anchors on the command line. +.TP +.B \fBpkinit_cert_match\fP +.sp +Specifies matching rules that the client certificate must match +before it is used to attempt PKINIT authentication. If a user has +multiple certificates available (on a smart card, or via other +media), there must be exactly one certificate chosen before +attempting PKINIT authentication. This option may be specified +multiple times. All the available certificates are checked +against each rule in order until there is a match of exactly one +certificate. +.sp +The Subject and Issuer comparison strings are the \fI\%RFC 2253\fP +string representations from the certificate Subject DN and Issuer +DN values. +.sp +The syntax of the matching rules is: +.INDENT 7.0 +.INDENT 3.5 +.sp +[\fIrelation\-operator\fP]\fIcomponent\-rule\fP ... +.UNINDENT +.UNINDENT +.sp +where: +.INDENT 7.0 +.TP +.B \fIrelation\-operator\fP +.sp +can be either \fB&&\fP, meaning all component rules must match, +or \fB||\fP, meaning only one component rule must match. The +default is \fB&&\fP. +.TP +.B \fIcomponent\-rule\fP +.sp +can be one of the following. Note that there is no +punctuation or whitespace between component rules. +.INDENT 7.0 +.INDENT 3.5 +.nf +\fB\fP\fIregular\-expression\fP +\fB\fP\fIregular\-expression\fP +\fB\fP\fIregular\-expression\fP +\fB\fP\fIextended\-key\-usage\-list\fP +\fB\fP\fIkey\-usage\-list\fP +.fi +.sp +.UNINDENT +.UNINDENT +.sp +\fIextended\-key\-usage\-list\fP is a comma\-separated list of +required Extended Key Usage values. All values in the list +must be present in the certificate. Extended Key Usage values +can be: +.INDENT 7.0 +.IP \(bu 2 +. +pkinit +.IP \(bu 2 +. +msScLogin +.IP \(bu 2 +. +clientAuth +.IP \(bu 2 +. +emailProtection +.UNINDENT +.sp +\fIkey\-usage\-list\fP is a comma\-separated list of required Key +Usage values. All values in the list must be present in the +certificate. Key Usage values can be: +.INDENT 7.0 +.IP \(bu 2 +. +digitalSignature +.IP \(bu 2 +. +keyEncipherment +.UNINDENT +.UNINDENT +.sp +Examples: +.INDENT 7.0 +.INDENT 3.5 +.sp +.nf +.ft C +pkinit_cert_match = ||.*DoE.*.*@EXAMPLE.COM +pkinit_cert_match = &&msScLogin,clientAuth.*DoE.* +pkinit_cert_match = msScLogin,clientAuthdigitalSignature +.ft P +.fi +.UNINDENT +.UNINDENT +.TP +.B \fBpkinit_eku_checking\fP +.sp +This option specifies what Extended Key Usage value the KDC +certificate presented to the client must contain. (Note that if +the KDC certificate has the pkinit SubjectAlternativeName encoded +as the Kerberos TGS name, EKU checking is not necessary since the +issuing CA has certified this as a KDC certificate.) The values +recognized in the krb5.conf file are: +.INDENT 7.0 +.TP +.B \fBkpKDC\fP +.sp +This is the default value and specifies that the KDC must have +the id\-pkinit\-KPKdc EKU as defined in \fI\%RFC 4556\fP. +.TP +.B \fBkpServerAuth\fP +.sp +If \fBkpServerAuth\fP is specified, a KDC certificate with the +id\-kp\-serverAuth EKU as used by Microsoft will be accepted. +.TP +.B \fBnone\fP +.sp +If \fBnone\fP is specified, then the KDC certificate will not be +checked to verify it has an acceptable EKU. The use of this +option is not recommended. +.UNINDENT +.TP +.B \fBpkinit_dh_min_bits\fP +.sp +Specifies the size of the Diffie\-Hellman key the client will +attempt to use. The acceptable values are 1024, 2048, and 4096. +The default is 2048. +.TP +.B \fBpkinit_identities\fP +.sp +Specifies the location(s) to be used to find the user\(aqs X.509 +identity information. This option may be specified multiple +times. Each value is attempted in order until identity +information is found and authentication is attempted. Note that +these values are not used if the user specifies +\fBX509_user_identity\fP on the command line. +.TP +.B \fBpkinit_kdc_hostname\fP +.sp +The presense of this option indicates that the client is willing +to accept a KDC certificate with a dNSName SAN (Subject +Alternative Name) rather than requiring the id\-pkinit\-san as +defined in \fI\%RFC 4556\fP. This option may be specified multiple +times. Its value should contain the acceptable hostname for the +KDC (as contained in its certificate). +.TP +.B \fBpkinit_longhorn\fP +.sp +If this flag is set to true, we are talking to the Longhorn KDC. +.TP +.B \fBpkinit_pool\fP +.sp +Specifies the location of intermediate certificates which may be +used by the client to complete the trust chain between a KDC +certificate and a trusted anchor. This option may be specified +multiple times. +.TP +.B \fBpkinit_require_crl_checking\fP +.sp +The default certificate verification process will always check the +available revocation information to see if a certificate has been +revoked. If a match is found for the certificate in a CRL, +verification fails. If the certificate being verified is not +listed in a CRL, or there is no CRL present for its issuing CA, +and \fBpkinit_require_crl_checking\fP is false, then verification +succeeds. +.sp +However, if \fBpkinit_require_crl_checking\fP is true and there is +no CRL information available for the issuing CA, then verification +fails. +.sp +\fBpkinit_require_crl_checking\fP should be set to true if the +policy is such that up\-to\-date CRLs must be present for every CA. +.TP +.B \fBpkinit_revoke\fP +.sp +Specifies the location of Certificate Revocation List (CRL) +information to be used by the client when verifying the validity +of the KDC certificate presented. This option may be specified +multiple times. +.TP +.B \fBpkinit_win2k\fP +.sp +This flag specifies whether the target realm is assumed to support +only the old, pre\-RFC version of the protocol. The default is +false. +.TP +.B \fBpkinit_win2k_require_binding\fP +.sp +If this flag is set to true, it expects that the target KDC is +patched to return a reply with a checksum rather than a nonce. +The default is false. +.UNINDENT +.SH SAMPLE KRB5.CONF FILE +.sp +Here is an example of a generic krb5.conf file: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +[libdefaults] + default_realm = ATHENA.MIT.EDU + default_tkt_enctypes = des3\-hmac\-sha1 des\-cbc\-crc + default_tgs_enctypes = des3\-hmac\-sha1 des\-cbc\-crc + dns_lookup_kdc = true + dns_lookup_realm = false + +[realms] + ATHENA.MIT.EDU = { + kdc = kerberos.mit.edu + kdc = kerberos\-1.mit.edu + kdc = kerberos\-2.mit.edu:750 + admin_server = kerberos.mit.edu + master_kdc = kerberos.mit.edu + default_domain = mit.edu + } + EXAMPLE.COM = { + kdc = kerberos.example.com + kdc = kerberos\-1.example.com + admin_server = kerberos.example.com + } + OPENLDAP.MIT.EDU = { + kdc = kerberos.mit.edu + admin_server = kerberos.mit.edu + database_module = openldap_ldapconf + } + +[domain_realm] + .mit.edu = ATHENA.MIT.EDU + mit.edu = ATHENA.MIT.EDU + +[capaths] + ATHENA.MIT.EDU = { + EXAMPLE.COM = . + } + EXAMPLE.COM = { + ATHENA.MIT.EDU = . + } + +[logging] + kdc = SYSLOG:INFO + admin_server = FILE=/var/kadm5.log +[dbdefaults] + ldap_kerberos_container_dn = cn=krbcontainer,dc=example,dc=com +[dbmodules] + openldap_ldapconf = { + db_library = kldap + disable_last_success = true + ldap_kerberos_container_dn = cn=krbcontainer,dc=example,dc=com + ldap_kdc_dn = "cn=krbadmin,dc=example,dc=com" + # this object needs to have read rights on + # the realm container and principal subtrees + ldap_kadmind_dn = "cn=krbadmin,dc=example,dc=com" + # this object needs to have read and write rights on + # the realm container and principal subtrees + ldap_service_password_file = /etc/kerberos/service.keyfile + ldap_servers = ldaps://kerberos.mit.edu + ldap_conns_per_server = 5 +} +.ft P +.fi +.UNINDENT +.UNINDENT +.SH FILES +.sp +\fB/etc/krb5.conf\fP +.SH SEE ALSO +.sp +syslog(3) +.SH AUTHOR +MIT +.SH COPYRIGHT +2011, MIT +.\" Generated by docutils manpage writer. +. diff --git a/src/man/krb5kdc.8 b/src/man/krb5kdc.8 deleted file mode 100644 index 96fc25370..000000000 --- a/src/man/krb5kdc.8 +++ /dev/null @@ -1,168 +0,0 @@ -.TH "KRB5KDC" "8" "January 06, 2012" "0.0.1" "MIT Kerberos" -.SH NAME -krb5kdc \- Kerberos V5 KDC -. -.nr rst2man-indent-level 0 -. -.de1 rstReportMargin -\\$1 \\n[an-margin] -level \\n[rst2man-indent-level] -level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] -- -\\n[rst2man-indent0] -\\n[rst2man-indent1] -\\n[rst2man-indent2] -.. -.de1 INDENT -.\" .rstReportMargin pre: -. RS \\$1 -. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] -. nr rst2man-indent-level +1 -.\" .rstReportMargin post: -.. -.de UNINDENT -. RE -.\" indent \\n[an-margin] -.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] -.nr rst2man-indent-level -1 -.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] -.in \\n[rst2man-indent\\n[rst2man-indent-level]]u -.. -.\" Man page generated from reStructeredText. -. -.SH SYNOPSIS -.INDENT 0.0 -.TP -.B \fBkrb5kdc\fP -.sp -[ \fB\-x\fP \fIdb_args\fP ] -[ \fB\-d\fP \fIdbname\fP ] -[ \fB\-k\fP \fIkeytype\fP ] -[ \fB\-M\fP \fImkeyname\fP ] -[ \fB\-p\fP \fIportnum\fP ] -[ \fB\-m\fP ] -[ \fB\-r\fP \fIrealm\fP ] -[ \fB\-n\fP ] -[ \fB\-w\fP \fInumworkers\fP ] -[ \fB\-P\fP \fIpid_file\fP ] -.UNINDENT -.SH DESCRIPTION -.sp -\fIkrb5kdc\fP is the Kerberos version 5 Authentication Service and Key Distribution Center (AS/KDC). -.SH OPTIONS -.sp -The \fB\-x\fP \fIdb_args\fP option specifies the database specific arguments. -.INDENT 0.0 -.INDENT 3.5 -.sp -Options supported for LDAP database are: -.INDENT 0.0 -.TP -.B \fB\-x\fP nconns= -.sp -Specifies the number of connections to be maintained per LDAP server. -.TP -.B \fB\-x\fP host= -.sp -Specifies the LDAP server to connect to by a LDAP URI. -.TP -.B \fB\-x\fP binddn= -.sp -Specifies the DN of the object used by the KDC server to bind to the LDAP server. -This object should have the rights to read the realm container, principal container and -the subtree that is referenced by the realm. -.TP -.B \fB\-x\fP bindpwd= -.sp -Specifies the password for the above mentioned binddn. -It is recommended not to use this option. Instead, the password can be -stashed using the \fIstashsrvpw\fP command of \fIkdb5_ldap_util(8)\fP -.UNINDENT -.UNINDENT -.UNINDENT -.sp -The \fB\-r\fP \fIrealm\fP option specifies the realm for which the server should provide service. -.sp -The \fB\-d\fP \fIdbname\fP option specifies the name under which the principal database can be found. -This option does not apply to the LDAP database. -.sp -The \fB\-k\fP \fIkeytype\fP option specifies the key type of the master key to be entered manually -as a password when \fB\-m\fP is given; the default is "des\-cbc\-crc". -.sp -The \fB\-M\fP \fImkeyname\fP option specifies the principal name for the master key -in the database (usually "K/M" in the KDC\(aqs realm). -.sp -The \fB\-m\fP option specifies that the master database password should be fetched -from the keyboard rather than from a file on disk. -.sp -The \fB\-n\fP option specifies that the KDC does not put itself in the background -and does not disassociate itself from the terminal. -In normal operation, you should always allow the KDC to place itself in the background. -.sp -The \fB\-P\fP \fIpid_file\fP option tells the KDC to write its PID (followed by a newline) -into \fIpid_file\fP after it starts up. -This can be used to identify whether the KDC is still running and to allow -init scripts to stop the correct process. -.sp -The \fB\-p\fP \fIportnum\fP option specifies the default UDP port number which the KDC -should listen on for Kerberos version 5 requests. -This value is used when no port is specified in the KDC profile and -when no port is specified in the Kerberos configuration file. -If no value is available, then the value in \fI/etc/services\fP for service "kerberos" is used. -.sp -The \fB\-w\fP \fInumworkers\fP option tells the KDC to fork \fInumworkers\fP processes -to listen to the KDC ports and process requests in parallel. -The top level KDC process (whose pid is recorded in the pid file -if the \fB\-P\fP option is also given) acts as a supervisor. -The supervisor will relay SIGHUP signals to the worker subprocesses, -and will terminate the worker subprocess if the it is itself terminated or -if any other worker process exits. -.IP Note -. -On operating systems which do not have \fIpktinfo\fP support, -using worker processes will prevent the KDC from listening -for UDP packets on network interfaces created after the KDC starts. -.RE -.SH EXAMPLE -.sp -The KDC may service requests for multiple realms (maximum 32 realms). -The realms are listed on the command line. -Per\-realm options that can be specified on the command line pertain for each realm -that follows it and are superseded by subsequent definitions of the same option. -For example: -.sp -.nf -.ft C -krb5kdc \-p 2001 \-r REALM1 \-p 2002 \-r REALM2 \-r REALM3 -.ft P -.fi -.sp -specifies that the KDC listen on port 2001 for REALM1 and on port 2002 for REALM2 and REALM3. -Additionally, per\-realm parameters may be specified in the \fIkdc.conf\fP file. -The location of this file may be specified by the \fIKRB5_KDC_PROFILE\fP environment variable. -Parameters specified in this file take precedence over options specified on the command line. -See the \fIkdc.conf\fP description for further details. -.SH ENVIRONMENT -.sp -\fIkrb5kdc\fP uses the following environment variables: -.INDENT 0.0 -.INDENT 3.5 -.INDENT 0.0 -.IP \(bu 2 -. -\fBKRB5_CONFIG\fP -.IP \(bu 2 -. -\fBKRB5_KDC_PROFILE\fP -.UNINDENT -.UNINDENT -.UNINDENT -.SH SEE ALSO -.sp -kdb5_util(8), kdc.conf(5), krb5.conf(5), kdb5_ldap_util(8) -.SH AUTHOR -MIT -.SH COPYRIGHT -2011, MIT -.\" Generated by docutils manpage writer. -. diff --git a/src/man/krb5kdc.man b/src/man/krb5kdc.man new file mode 100644 index 000000000..97bee967a --- /dev/null +++ b/src/man/krb5kdc.man @@ -0,0 +1,179 @@ +.TH "KRB5KDC" "8" " " "0.0.1" "MIT Kerberos" +.SH NAME +krb5kdc \- Kerberos V5 KDC +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.\" Man page generated from reStructeredText. +. +.SH SYNOPSIS +.sp +\fBkrb5kdc\fP +[\fB\-x\fP \fIdb_args\fP] +[\fB\-d\fP \fIdbname\fP] +[\fB\-k\fP \fIkeytype\fP] +[\fB\-M\fP \fImkeyname\fP] +[\fB\-p\fP \fIportnum\fP] +[\fB\-m\fP] +[\fB\-r\fP \fIrealm\fP] +[\fB\-n\fP] +[\fB\-w\fP \fInumworkers\fP] +[\fB\-P\fP \fIpid_file\fP] +.SH DESCRIPTION +.sp +krb5kdc is the Kerberos version 5 Authentication Service and Key +Distribution Center (AS/KDC). +.SH OPTIONS +.sp +The \fB\-r\fP \fIrealm\fP option specifies the realm for which the server +should provide service. +.sp +The \fB\-d\fP \fIdbname\fP option specifies the name under which the +principal database can be found. This option does not apply to the +LDAP database. +.sp +The \fB\-k\fP \fIkeytype\fP option specifies the key type of the master key +to be entered manually as a password when \fB\-m\fP is given; the default +is \fBdes\-cbc\-crc\fP. +.sp +The \fB\-M\fP \fImkeyname\fP option specifies the principal name for the +master key in the database (usually \fBK/M\fP in the KDC\(aqs realm). +.sp +The \fB\-m\fP option specifies that the master database password should +be fetched from the keyboard rather than from a stash file. +.sp +The \fB\-n\fP option specifies that the KDC does not put itself in the +background and does not disassociate itself from the terminal. In +normal operation, you should always allow the KDC to place itself in +the background. +.sp +The \fB\-P\fP \fIpid_file\fP option tells the KDC to write its PID into +\fIpid_file\fP after it starts up. This can be used to identify whether +the KDC is still running and to allow init scripts to stop the correct +process. +.sp +The \fB\-p\fP \fIportnum\fP option specifies the default UDP port numbers +which the KDC should listen on for Kerberos version 5 requests, as a +comma\-separated list. This value overrides the UDP port numbers +specified in the \fIkdcdefaults\fP section of \fIkdc.conf(5)\fP, but +may be overridden by realm\-specific values. If no value is given from +any source, the default ports are 88 and 750. +.sp +The \fB\-w\fP \fInumworkers\fP option tells the KDC to fork \fInumworkers\fP +processes to listen to the KDC ports and process requests in parallel. +The top level KDC process (whose pid is recorded in the pid file if +the \fB\-P\fP option is also given) acts as a supervisor. The supervisor +will relay SIGHUP signals to the worker subprocesses, and will +terminate the worker subprocess if the it is itself terminated or if +any other worker process exits. +.IP Note +. +On operating systems which do not have \fIpktinfo\fP support, +using worker processes will prevent the KDC from listening +for UDP packets on network interfaces created after the KDC +starts. +.RE +.sp +The \fB\-x\fP \fIdb_args\fP option specifies database\-specific arguments. +Options supported for the LDAP database module are: +.INDENT 0.0 +.INDENT 3.5 +.INDENT 0.0 +.TP +.B \fB\-x\fP nconns= +.sp +Specifies the number of connections to be maintained per +LDAP server. +.TP +.B \fB\-x\fP host= +.sp +Specifies the LDAP server to connect to by URI. +.TP +.B \fB\-x\fP binddn= +.sp +Specifies the DN of the object used by the KDC server to bind +to the LDAP server. This object should have read and write +privileges to the realm container, the principal container, +and the subtree that is referenced by the realm. +.TP +.B \fB\-x\fP bindpwd= +.sp +Specifies the password for the above mentioned binddn. Using +this option may expose the password to other users on the +system via the process list; to avoid this, instead stash the +password using the \fBstashsrvpw\fP command of +\fIkdb5_ldap_util(8)\fP. +.UNINDENT +.UNINDENT +.UNINDENT +.SH EXAMPLE +.sp +The KDC may service requests for multiple realms (maximum 32 realms). +The realms are listed on the command line. Per\-realm options that can +be specified on the command line pertain for each realm that follows +it and are superseded by subsequent definitions of the same option. +.sp +For example: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +krb5kdc \-p 2001 \-r REALM1 \-p 2002 \-r REALM2 \-r REALM3 +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +specifies that the KDC listen on port 2001 for REALM1 and on port 2002 +for REALM2 and REALM3. Additionally, per\-realm parameters may be +specified in the \fIkdc.conf(5)\fP file. The location of this file +may be specified by the \fBKRB5_KDC_PROFILE\fP environment variable. +Per\-realm parameters specified in this file take precedence over +options specified on the command line. See the \fIkdc.conf(5)\fP +description for further details. +.SH ENVIRONMENT +.sp +krb5kdc uses the following environment variables: +.INDENT 0.0 +.IP \(bu 2 +. +\fBKRB5_CONFIG\fP +.IP \(bu 2 +. +\fBKRB5_KDC_PROFILE\fP +.UNINDENT +.SH SEE ALSO +.sp +\fIkdb5_util(8)\fP, \fIkdc.conf(5)\fP, \fIkrb5.conf(5)\fP, +\fIkdb5_ldap_util(8)\fP +.SH AUTHOR +MIT +.SH COPYRIGHT +2011, MIT +.\" Generated by docutils manpage writer. +. diff --git a/src/man/ksu.1 b/src/man/ksu.1 deleted file mode 100644 index b87e6d4f2..000000000 --- a/src/man/ksu.1 +++ /dev/null @@ -1,397 +0,0 @@ -.TH "KSU" "1" "January 06, 2012" "0.0.1" "MIT Kerberos" -.SH NAME -ksu \- Kerberized super-user -. -.nr rst2man-indent-level 0 -. -.de1 rstReportMargin -\\$1 \\n[an-margin] -level \\n[rst2man-indent-level] -level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] -- -\\n[rst2man-indent0] -\\n[rst2man-indent1] -\\n[rst2man-indent2] -.. -.de1 INDENT -.\" .rstReportMargin pre: -. RS \\$1 -. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] -. nr rst2man-indent-level +1 -.\" .rstReportMargin post: -.. -.de UNINDENT -. RE -.\" indent \\n[an-margin] -.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] -.nr rst2man-indent-level -1 -.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] -.in \\n[rst2man-indent\\n[rst2man-indent-level]]u -.. -.\" Man page generated from reStructeredText. -. -.SH SYNOPSIS -.INDENT 0.0 -.TP -.B \fBksu\fP -.sp -[ \fItarget_user\fP ] -[ \fB\-n\fP \fItarget_principal_name\fP ] -[ \fB\-c\fP \fIsource_cache_name\fP ] -[ \fB\-k\fP ] -[ \fB\-D\fP ] -[ \fB\-r\fP time ] -[ \fB\-pf\fP ] -[ \fB\-l\fP \fIlifetime\fP ] -[ \fB\-z | Z\fP ] -[ \fB\-q\fP ] -[ \fB\-e\fP \fIcommand\fP [ args ... ] ] [ \fB\-a\fP [ args ... ] ] -.UNINDENT -.SH REQUIREMENTS -.sp -Must have Kerberos version 5 installed to compile \fIksu\fP. Must have a Kerberos version 5 server running to use \fIksu\fP. -.SH DESCRIPTION -.sp -\fIksu\fP is a Kerberized version of the \fIsu\fP program that has two missions: -one is to securely change the real and effective user ID to that of the target user, -and the other is to create a new security context. -.IP Note -. -For the sake of clarity, all references to and attributes of the user invoking the program -will start with \(aqsource\(aq (e.g. \fIsource user, source cache\fP, etc.). -.sp -Likewise, all references to and attributes of the target account will start with \(aqtarget\(aq. -.RE -.SH AUTHENTICATION -.sp -To fulfill the first mission, \fIksu\fP operates in two phases: authentication and authorization. -Resolving the target principal name is the first step in authentication. -The user can either specify his principal name with the \fI\-n\fP option (e.g. \fI\-n jqpublic@USC.EDU\fP ) or -a default principal name will be assigned using a heuristic described in the \fIOPTIONS\fP section (see \fI\-n\fP option). -The target user name must be the first argument to \fIksu\fP; if not specified root is the default. -If \(aq.\(aq is specified then the target user will be the source user (e.g. \fIksu\fP .). -If the source user is root or the target user is the source user, no authentication or authorization takes place. -Otherwise, \fIksu\fP looks for an appropriate Kerberos ticket in the source cache. -.sp -The ticket can either be for the end\-server or a ticket granting ticket (TGT) for the target principal\(aqs realm. -If the ticket for the end\-server is already in the cache, it\(aqs decrypted and verified. -If it\(aqs not in the cache but the TGT is, the TGT is used to obtain the ticket for the end\-server. -The end\-server ticket is then verified. -If neither ticket is in the cache, but \fIksu\fP is compiled with the \fIGET_TGT_VIA_PASSWD\fP define, -the user will be prompted for a Kerberos password which will then be used to get a TGT. -If the user is logged in remotely and does not have a secure channel, the password may be exposed. -If neither ticket is in the cache and \fIGET_TGT_VIA_PASSWD\fP is not defined, authentication fails. -.SH AUTHORIZATION -.sp -This section describes authorization of the source user when \fIksu\fP is invoked without the \fI\-e\fP option. -For a description of the \-e option, see the OPTIONS section. -.sp -Upon successful authentication, \fIksu\fP checks whether the target principal is authorized to access the target account. -In the target user\(aqs home directory, \fIksu\fP attempts to access two authorization files: \fI.k5login\fP and \fI.k5users\fP. -In the \fI.k5login\fP file each line contains the name of a principal that is authorized to access the account. -.sp -For example: -.sp -.nf -.ft C -jqpublic@USC.EDU -jqpublic/secure@USC.EDU -jqpublic/admin@USC.EDU -.ft P -.fi -.sp -The format of \fI.k5users\fP is the same, except the principal name may be followed by a list of commands -that the principal is authorized to execute. (see the \fI\-e\fP option in the \fIOPTIONS\fP section for details). -.sp -Thus if the target principal name is found in the \fI.k5login\fP file the source user is authorized to access the target account. -Otherwise \fIksu\fP looks in the \fI.k5users\fP file. -If the target principal name is found without any trailing commands or followed only by \(aq*\(aq then the source user is authorized. -If either \fI.k5login\fP or \fI.k5users\fP exist but an appropriate entry for the target principal does not exist then access is denied. -If neither file exists then the principal will be granted access to the account according to the aname\->lname mapping rules. -Otherwise, authorization fails. -.SH EXECUTION OF THE TARGET SHELL -.sp -Upon successful authentication and authorization, \fIksu\fP proceeds in a similar fashion to \fIsu\fP. -The environment is unmodified with the exception of USER, HOME and SHELL variables. -If the target user is not root, USER gets set to the target user name. -Otherwise USER remains unchanged. -Both HOME and SHELL are set to the target login\(aqs default values. -In addition, the environment variable \fIKRB5CCNAME\fP gets set to the name of the target cache. -The real and effective user ID are changed to that of the target user. -The target user\(aqs shell is then invoked (the shell name is specified in the password file). -Upon termination of the shell, \fIksu\fP deletes the target cache (unless \fIksu\fP is invoked with the \fI\-k\fP option). -This is implemented by first doing a fork and then an exec, instead of just exec, as done by \fIsu\fP. -.SH CREATING A NEW SECURITY CONTEXT -.sp -\fIksu\fP can be used to create a new security context for the target program -(either the target shell, or command specified via the \fI\-e\fP option). -The target program inherits a set of credentials from the source user. -By default, this set includes all of the credentials in the source cache -plus any additional credentials obtained during authentication. -The source user is able to limit the credentials in this set by using \fI\-z\fP or \fI\-Z\fP option. -\fI\-z\fP restricts the copy of tickets from the source cache to the target cache -to only the tickets where client == the target principal name. -The \fI\-Z\fP option provides the target user with a fresh target cache (no creds in the cache). -Note that for security reasons, when the source user is root and target user is non\-root, -\fI\-z\fP option is the default mode of operation. -.sp -While no authentication takes place if the source user is root or is the same as the target user, -additional tickets can still be obtained for the target cache. -If \fI\-n\fP is specified and no credentials can be copied to the target cache, -the source user is prompted for a Kerberos password (unless \fI\-Z\fP specified or \fIGET_TGT_VIA_PASSWD\fP is undefined). -If successful, a TGT is obtained from the Kerberos server and stored in the target cache. -Otherwise, if a password is not provided (user hit return) \fIksu\fP continues in a normal mode -of operation (the target cache will not contain the desired TGT). -If the wrong password is typed in, \fIksu\fP fails. -.sp -\fISide Note\fP: during authentication, only the tickets that could be obtained without -providing a password are cached in in the source cache. -.SH OPTIONS -.INDENT 0.0 -.INDENT 3.5 -.INDENT 0.0 -.TP -.B \fB\-n\fP \fItarget_principal_name\fP -.sp -Specify a Kerberos target principal name. Used in authentication and authorization phases of \fIksu\fP. -.sp -If \fIksu\fP is invoked without \fI\-n\fP, a default principal name is assigned via the following heuristic: -.INDENT 7.0 -.TP -.B \fICase 1: source user is non\-root.\fP -.sp -If the target user is the source user the default principal name is set to the default principal of the source cache. -If the cache does not exist then the default principal name is set to target_user@local_realm. -If the source and target users are different and neither ~target_user/\fI.k5users\fP nor ~target_user/\fI.k5login\fP exist -then the default principal name is \fItarget_user_login_name@local_realm\fP. -Otherwise, starting with the first principal listed below, \fIksu\fP checks if the principal is authorized to access the target account -and whether there is a legitimate ticket for that principal in the source cache. -If both conditions are met that principal becomes the default target principal, -otherwise go to the next principal. -.INDENT 7.0 -.IP a. 3 -. -default principal of the source cache -.IP b. 3 -. -target_user@local_realm -.IP c. 3 -. -source_user@local_realm -.UNINDENT -.sp -If a\-c fails try any principal for which there is a ticket in the source cache and that is authorized to access the target account. -If that fails select the first principal that is authorized to access the target account from the above list. -If none are authorized and \fIksu\fP is configured with \fIPRINC_LOOK_AHEAD\fP turned on, select the default principal as follows: -.sp -For each candidate in the above list, select an authorized principal that has the same realm name and -first part of the principal name equal to the prefix of the candidate. -For example if candidate a) is \fIjqpublic@ISI.EDU\fP and \fIjqpublic/secure@ISI.EDU\fP is authorized to access the target account -then the default principal is set to \fIjqpublic/secure@ISI.EDU\fP. -.TP -.B \fICase 2: source user is root.\fP -.sp -If the target user is non\-root then the default principal name is \fItarget_user@local_realm\fP. -Else, if the source cache exists the default principal name is set to the default principal of the source cache. -If the source cache does not exist, default principal name is set to \fIroot@local_realm\fP. -.UNINDENT -.TP -.B \fB\-c\fP \fIsource_cache_name\fP -.sp -Specify source cache name (e.g. \-c FILE:/tmp/my_cache). -If \fI\-c\fP option is not used then the name is obtained from \fIKRB5CCNAME\fP environment variable. -If \fIKRB5CCNAME\fP is not defined the source cache name is set to krb5cc_. -The target cache name is automatically set to krb5cc_.(gen_sym()), -where gen_sym generates a new number such that the resulting cache does not already exist. -For example: -.sp -.nf -.ft C -krb5cc_1984.2 -.ft P -.fi -.TP -.B \fB\-k\fP -.sp -Do not delete the target cache upon termination of the target shell or a command ( \fI\-e\fP command). -Without \fI\-k\fP, \fIksu\fP deletes the target cache. -.TP -.B \fB\-D\fP -.sp -Turn on debug mode. -.TP -.B \fB\-z\fP -.sp -Restrict the copy of tickets from the source cache to the target cache to only the tickets where client == the target principal name. -Use the \fI\-n\fP option if you want the tickets for other then the default principal. -Note that the \fI\-z\fP option is mutually exclusive with the \fI\-Z\fP option. -.TP -.B \fB\-Z\fP -.sp -Don\(aqt copy any tickets from the source cache to the target cache. -Just create a fresh target cache, where the default principal name of the cache is initialized to the target principal name. -Note that the \fI\-Z\fP option is mutually exclusive with the \fI\-z\fP option. -.TP -.B \fB\-q\fP -.sp -Suppress the printing of status messages. -.UNINDENT -.UNINDENT -.UNINDENT -.sp -Ticket granting ticket options -.INDENT 0.0 -.INDENT 3.5 -.INDENT 0.0 -.TP -.B \fB\-l\fP \fIlifetime\fP \fB\-r\fP \fItime\fP \fB\-pf\fP -.sp -The ticket granting ticket options only apply to the case where there are no appropriate tickets in the cache to authenticate -the source user. In this case if \fIksu\fP is configured to prompt users for a Kerberos password (GET_TGT_VIA_PASSWD is defined), -the ticket granting ticket options that are specified will be used when getting a ticket granting ticket from the Kerberos -server. -.TP -.B \fB\-l\fP \fIlifetime\fP -.sp -option specifies the lifetime to be requested for the ticket; if this option is not specified, the default ticket lifetime -(configured by each site) is used instead. -.TP -.B \fB\-r\fP \fItime\fP -.sp -option specifies that the \fIRENEWABLE\fP option should be requested for the ticket, and specifies the desired total lifetime of the ticket. -.TP -.B \fB\-p\fP -.sp -option specifies that the PROXIABLE option should be requested for the ticket. -.TP -.B \fB\-f\fP -.sp -option specifies that the FORWARDABLE option should be requested for the ticket. -.TP -.B \fB\-e\fP \fIcommand\fP [args ...] -.sp -\fIksu\fP proceeds exactly the same as if it was invoked without the \fI\-e\fP option, -except instead of executing the target shell, \fIksu\fP executes the specified command -Example of usage: -.sp -.nf -.ft C -ksu bob \-e ls \-lag -.ft P -.fi -.sp -The authorization algorithm for \fI\-e\fP is as follows: -.sp -If the source user is root or source user == target user, no authorization takes place and the command is executed. -If source user id != 0, and ~target_user/\fI.k5users\fP file does not exist, authorization fails. -Otherwise, ~target_user/\fI.k5users\fP file must have an appropriate entry for target principal to get authorized. -.sp -The \fI.k5users\fP file format: -.sp -A single principal entry on each line that may be followed by a list of commands that the principal is authorized to execute. -A principal name followed by a \(aq*\(aq means that the user is authorized to execute any command. Thus, in the following example: -.sp -.nf -.ft C -jqpublic@USC.EDU ls mail /local/kerberos/klist -jqpublic/secure@USC.EDU * -jqpublic/admin@USC.EDU -.ft P -.fi -.sp -\fIjqpublic@USC.EDU\fP is only authorized to execute \fIls\fP, \fImail\fP and \fIklist\fP commands. -\fIjqpublic/secure@USC.EDU\fP is authorized to execute any command. -\fIjqpublic/admin@USC.EDU\fP is not authorized to execute any command. -Note, that \fIjqpublic/admin@USC.EDU\fP is authorized to execute the target shell (regular \fIksu\fP, without the \fI\-e\fP option) -but \fIjqpublic@USC.EDU\fP is not. -.sp -The commands listed after the principal name must be either a full path names or just the program name. -In the second case, CMD_PATH specifying the location of authorized programs must be defined at the compilation time of \fIksu\fP. -Which command gets executed ? -.sp -If the source user is \fIroot\fP or the target user is the source user or the user is authorized to execute any command (\(aq*\(aq entry) -then command can be either a full or a relative path leading to the target program. -Otherwise, the user must specify either a full path or just the program name. -.TP -.B \fB\-a\fP \fIargs\fP -.sp -Specify arguments to be passed to the target shell. -Note: that all flags and parameters following \-a will be passed to the shell, -thus all options intended for \fIksu\fP must precede \fI\-a\fP. -.sp -The \fI\-a\fP option can be used to simulate the \fI\-e\fP option if used as follows: -.sp -.nf -.ft C -\-a \-c [command [arguments]]. -.ft P -.fi -.sp -\fI\-c\fP is interpreted by the c\-shell to execute the command. -.UNINDENT -.UNINDENT -.UNINDENT -.SH INSTALLATION INSTRUCTIONS -.sp -\fIksu\fP can be compiled with the following four flags: -.INDENT 0.0 -.INDENT 3.5 -.INDENT 0.0 -.TP -.B \fBGET_TGT_VIA_PASSWD\fP -.sp -In case no appropriate tickets are found in the source cache, -the user will be prompted for a Kerberos password. -The password is then used to get a ticket granting ticket from the Kerberos server. -The danger of configuring \fIksu\fP with this macro is if the source user is logged in remotely -and does not have a secure channel, the password may get exposed. -.TP -.B \fBPRINC_LOOK_AHEAD\fP -.sp -During the resolution of the default principal name, \fIPRINC_LOOK_AHEAD\fP enables \fIksu\fP to find -principal names in the \fI.k5users\fP file as described in the \fIOPTIONS\fP section (see \fI\-n\fP option). -.TP -.B \fBCMD_PATH\fP -.sp -Specifies a list of directories containing programs that users are authorized to execute (via \fI.k5users\fP file). -.TP -.B \fBHAVE_GETUSERSHELL\fP -.sp -If the source user is non\-root, \fIksu\fP insists that the target user\(aqs shell to be invoked is a "legal shell". -\fIgetusershell(3)\fP is called to obtain the names of "legal shells". -Note that the target user\(aqs shell is obtained from the passwd file. -.UNINDENT -.UNINDENT -.UNINDENT -.sp -SAMPLE CONFIGURATION -.INDENT 0.0 -.INDENT 3.5 -.sp -KSU_OPTS = \-DGET_TGT_VIA_PASSWD \-DPRINC_LOOK_AHEAD \-DCMD_PATH=\(aq"/bin /usr/ucb /local/bin" -.UNINDENT -.UNINDENT -.INDENT 0.0 -.TP -.B PERMISSIONS FOR KSU -. -\fIksu\fP should be owned by root and have the \fIset user id\fP bit turned on. -.TP -.B END\-SERVER ENTRY -. -\fIksu\fP attempts to get a ticket for the end server just as Kerberized telnet and rlogin. -Thus, there must be an entry for the server in the Kerberos database (e.g. \fIhost/nii.isi.edu@ISI.EDU\fP). -The keytab file must be in an appropriate location. -.UNINDENT -.SH SIDE EFFECTS -.sp -\fIksu\fP deletes all expired tickets from the source cache. -.SH AUTHOR OF KSU: -.sp -GENNADY (ARI) MEDVINSKY -.SH AUTHOR -MIT -.SH COPYRIGHT -2011, MIT -.\" Generated by docutils manpage writer. -. diff --git a/src/man/ksu.man b/src/man/ksu.man new file mode 100644 index 000000000..d45a5f596 --- /dev/null +++ b/src/man/ksu.man @@ -0,0 +1,476 @@ +.TH "KSU" "1" " " "0.0.1" "MIT Kerberos" +.SH NAME +ksu \- Kerberized super-user +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.\" Man page generated from reStructeredText. +. +.SH SYNOPSIS +.sp +\fBksu\fP +[ \fItarget_user\fP ] +[ \fB\-n\fP \fItarget_principal_name\fP ] +[ \fB\-c\fP \fIsource_cache_name\fP ] +[ \fB\-k\fP ] +[ \fB\-D\fP ] +[ \fB\-r\fP time ] +[ \fB\-pf\fP ] +[ \fB\-l\fP \fIlifetime\fP ] +[ \fB\-z | Z\fP ] +[ \fB\-q\fP ] +[ \fB\-e\fP \fIcommand\fP [ args ... ] ] [ \fB\-a\fP [ args ... ] ] +.SH REQUIREMENTS +.sp +Must have Kerberos version 5 installed to compile ksu. Must have a +Kerberos version 5 server running to use ksu. +.SH DESCRIPTION +.sp +ksu is a Kerberized version of the su program that has two missions: +one is to securely change the real and effective user ID to that of +the target user, and the other is to create a new security context. +.IP Note +. +For the sake of clarity, all references to and attributes of +the user invoking the program will start with "source" +(e.g. "source user", "source cache", etc.). +.sp +Likewise, all references to and attributes of the target +account will start with "target". +.RE +.SH AUTHENTICATION +.sp +To fulfill the first mission, ksu operates in two phases: +authentication and authorization. Resolving the target principal name +is the first step in authentication. The user can either specify his +principal name with the \fB\-n\fP option (e.g. \fB\-n jqpublic@USC.EDU\fP) +or a default principal name will be assigned using a heuristic +described in the OPTIONS section (see \fB\-n\fP option). The target user +name must be the first argument to ksu; if not specified root is the +default. If \fB.\fP is specified then the target user will be the +source user (e.g. \fBksu .\fP). If the source user is root or the +target user is the source user, no authentication or authorization +takes place. Otherwise, ksu looks for an appropriate Kerberos ticket +in the source cache. +.sp +The ticket can either be for the end\-server or a ticket granting +ticket (TGT) for the target principal\(aqs realm. If the ticket for the +end\-server is already in the cache, it\(aqs decrypted and verified. If +it\(aqs not in the cache but the TGT is, the TGT is used to obtain the +ticket for the end\-server. The end\-server ticket is then verified. +If neither ticket is in the cache, but ksu is compiled with the +\fBGET_TGT_VIA_PASSWD\fP define, the user will be prompted for a +Kerberos password which will then be used to get a TGT. If the user +is logged in remotely and does not have a secure channel, the password +may be exposed. If neither ticket is in the cache and +\fBGET_TGT_VIA_PASSWD\fP is not defined, authentication fails. +.SH AUTHORIZATION +.sp +This section describes authorization of the source user when ksu is +invoked without the \fB\-e\fP option. For a description of the \fB\-e\fP +option, see the OPTIONS section. +.sp +Upon successful authentication, ksu checks whether the target +principal is authorized to access the target account. In the target +user\(aqs home directory, ksu attempts to access two authorization files: +\fI.k5login(5)\fP and .k5users. In the .k5login file each line +contains the name of a principal that is authorized to access the +account. +.INDENT 0.0 +.TP +.B For example: +.sp +.nf +.ft C +jqpublic@USC.EDU +jqpublic/secure@USC.EDU +jqpublic/admin@USC.EDU +.ft P +.fi +.UNINDENT +.sp +The format of .k5users is the same, except the principal name may be +followed by a list of commands that the principal is authorized to +execute (see the \fB\-e\fP option in the OPTIONS section for details). +.sp +Thus if the target principal name is found in the .k5login file the +source user is authorized to access the target account. Otherwise ksu +looks in the .k5users file. If the target principal name is found +without any trailing commands or followed only by \fB*\fP then the +source user is authorized. If either .k5login or .k5users exist but +an appropriate entry for the target principal does not exist then +access is denied. If neither file exists then the principal will be +granted access to the account according to the aname\->lname mapping +rules. Otherwise, authorization fails. +.SH EXECUTION OF THE TARGET SHELL +.sp +Upon successful authentication and authorization, ksu proceeds in a +similar fashion to su. The environment is unmodified with the +exception of USER, HOME and SHELL variables. If the target user is +not root, USER gets set to the target user name. Otherwise USER +remains unchanged. Both HOME and SHELL are set to the target login\(aqs +default values. In addition, the environment variable \fBKRB5CCNAME\fP +gets set to the name of the target cache. The real and effective user +ID are changed to that of the target user. The target user\(aqs shell is +then invoked (the shell name is specified in the password file). Upon +termination of the shell, ksu deletes the target cache (unless ksu is +invoked with the \fB\-k\fP option). This is implemented by first doing a +fork and then an exec, instead of just exec, as done by su. +.SH CREATING A NEW SECURITY CONTEXT +.sp +ksu can be used to create a new security context for the target +program (either the target shell, or command specified via the \fB\-e\fP +option). The target program inherits a set of credentials from the +source user. By default, this set includes all of the credentials in +the source cache plus any additional credentials obtained during +authentication. The source user is able to limit the credentials in +this set by using \fB\-z\fP or \fB\-Z\fP option. \fB\-z\fP restricts the copy +of tickets from the source cache to the target cache to only the +tickets where client == the target principal name. The \fB\-Z\fP option +provides the target user with a fresh target cache (no creds in the +cache). Note that for security reasons, when the source user is root +and target user is non\-root, \fB\-z\fP option is the default mode of +operation. +.sp +While no authentication takes place if the source user is root or is +the same as the target user, additional tickets can still be obtained +for the target cache. If \fB\-n\fP is specified and no credentials can +be copied to the target cache, the source user is prompted for a +Kerberos password (unless \fB\-Z\fP specified or \fBGET_TGT_VIA_PASSWD\fP +is undefined). If successful, a TGT is obtained from the Kerberos +server and stored in the target cache. Otherwise, if a password is +not provided (user hit return) ksu continues in a normal mode of +operation (the target cache will not contain the desired TGT). If the +wrong password is typed in, ksu fails. +.IP Note +. +During authentication, only the tickets that could be +obtained without providing a password are cached in in the +source cache. +.RE +.SH OPTIONS +.INDENT 0.0 +.TP +.B \fB\-n\fP \fItarget_principal_name\fP +.sp +Specify a Kerberos target principal name. Used in authentication +and authorization phases of ksu. +.sp +If ksu is invoked without \fB\-n\fP, a default principal name is +assigned via the following heuristic: +.INDENT 7.0 +.IP \(bu 2 +. +Case 1: source user is non\-root. +.sp +If the target user is the source user the default principal name +is set to the default principal of the source cache. If the +cache does not exist then the default principal name is set to +\fBtarget_user@local_realm\fP. If the source and target users are +different and neither \fB~target_user/.k5users\fP nor +\fB~target_user/.k5login\fP exist then the default principal name +is \fBtarget_user_login_name@local_realm\fP. Otherwise, starting +with the first principal listed below, ksu checks if the +principal is authorized to access the target account and whether +there is a legitimate ticket for that principal in the source +cache. If both conditions are met that principal becomes the +default target principal, otherwise go to the next principal. +.INDENT 2.0 +.IP a. 3 +. +default principal of the source cache +.IP b. 3 +. +target_user@local_realm +.IP c. 3 +. +source_user@local_realm +.UNINDENT +.sp +If a\-c fails try any principal for which there is a ticket in +the source cache and that is authorized to access the target +account. If that fails select the first principal that is +authorized to access the target account from the above list. If +none are authorized and ksu is configured with +\fBPRINC_LOOK_AHEAD\fP turned on, select the default principal as +follows: +.sp +For each candidate in the above list, select an authorized +principal that has the same realm name and first part of the +principal name equal to the prefix of the candidate. For +example if candidate a) is \fBjqpublic@ISI.EDU\fP and +\fBjqpublic/secure@ISI.EDU\fP is authorized to access the target +account then the default principal is set to +\fBjqpublic/secure@ISI.EDU\fP. +.IP \(bu 2 +. +Case 2: source user is root. +.sp +If the target user is non\-root then the default principal name +is \fBtarget_user@local_realm\fP. Else, if the source cache +exists the default principal name is set to the default +principal of the source cache. If the source cache does not +exist, default principal name is set to \fBroot\e@local_realm\fP. +.UNINDENT +.UNINDENT +.sp +\fB\-c\fP \fIsource_cache_name\fP +.INDENT 0.0 +.INDENT 3.5 +.sp +Specify source cache name (e.g. \fB\-c FILE:/tmp/my_cache\fP). If +\fB\-c\fP option is not used then the name is obtained from +\fBKRB5CCNAME\fP environment variable. If \fBKRB5CCNAME\fP is not +defined the source cache name is set to \fBkrb5cc_\fP. +The target cache name is automatically set to \fBkrb5cc_.(gen_sym())\fP, where gen_sym generates a new number such that +the resulting cache does not already exist. For example: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +krb5cc_1984.2 +.ft P +.fi +.UNINDENT +.UNINDENT +.UNINDENT +.UNINDENT +.INDENT 0.0 +.TP +.B \fB\-k\fP +.sp +Do not delete the target cache upon termination of the target +shell or a command (\fB\-e\fP command). Without \fB\-k\fP, ksu deletes +the target cache. +.TP +.B \fB\-D\fP +.sp +Turn on debug mode. +.TP +.B \fB\-z\fP +.sp +Restrict the copy of tickets from the source cache to the target +cache to only the tickets where client == the target principal +name. Use the \fB\-n\fP option if you want the tickets for other then +the default principal. Note that the \fB\-z\fP option is mutually +exclusive with the \fB\-Z\fP option. +.TP +.B \fB\-Z\fP +.sp +Don\(aqt copy any tickets from the source cache to the target cache. +Just create a fresh target cache, where the default principal name +of the cache is initialized to the target principal name. Note +that the \fB\-Z\fP option is mutually exclusive with the \fB\-z\fP +option. +.TP +.B \fB\-q\fP +.sp +Suppress the printing of status messages. +.UNINDENT +.sp +Ticket granting ticket options: +.INDENT 0.0 +.TP +.B \fB\-l\fP \fIlifetime\fP \fB\-r\fP \fItime\fP \fB\-pf\fP +.sp +The ticket granting ticket options only apply to the case where +there are no appropriate tickets in the cache to authenticate the +source user. In this case if ksu is configured to prompt users +for a Kerberos password (\fBGET_TGT_VIA_PASSWD\fP is defined), the +ticket granting ticket options that are specified will be used +when getting a ticket granting ticket from the Kerberos server. +.TP +.B \fB\-l\fP \fIlifetime\fP +.sp +specifies the lifetime to be requested for the ticket; if this +option is not specified, the default ticket lifetime (configured +by each site) is used instead. +.TP +.B \fB\-r\fP \fItime\fP +.sp +specifies that the \fBrenewable\fP option should be requested for +the ticket, and specifies the desired total lifetime of the +ticket. +.TP +.B \fB\-p\fP +.sp +specifies that the \fBproxiable\fP option should be requested for +the ticket. +.TP +.B \fB\-f\fP +.sp +option specifies that the \fBforwardable\fP option should be +requested for the ticket. +.TP +.B \fB\-e\fP \fIcommand\fP [\fIargs\fP ...] +.sp +ksu proceeds exactly the same as if it was invoked without the +\fB\-e\fP option, except instead of executing the target shell, ksu +executes the specified command. Example of usage: +.INDENT 7.0 +.INDENT 3.5 +.sp +.nf +.ft C +ksu bob \-e ls \-lag +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +The authorization algorithm for \fB\-e\fP is as follows: +.sp +If the source user is root or source user == target user, no +authorization takes place and the command is executed. If source +user id != 0, and \fB~target_user/.k5users\fP file does not exist, +authorization fails. Otherwise, \fB~target_user/.k5users\fP file +must have an appropriate entry for target principal to get +authorized. +.sp +The .k5users file format: +.sp +A single principal entry on each line that may be followed by a +list of commands that the principal is authorized to execute. A +principal name followed by a \fB*\fP means that the user is +authorized to execute any command. Thus, in the following +example: +.INDENT 7.0 +.INDENT 3.5 +.sp +.nf +.ft C +jqpublic@USC.EDU ls mail /local/kerberos/klist +jqpublic/secure@USC.EDU * +jqpublic/admin@USC.EDU +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +\fBjqpublic@USC.EDU\fP is only authorized to execute \fBls\fP, +\fBmail\fP and \fBklist\fP commands. \fBjqpublic/secure@USC.EDU\fP is +authorized to execute any command. \fBjqpublic/admin@USC.EDU\fP is +not authorized to execute any command. Note, that +\fBjqpublic/admin@USC.EDU\fP is authorized to execute the target +shell (regular ksu, without the \fB\-e\fP option) but +\fBjqpublic@USC.EDU\fP is not. +.sp +The commands listed after the principal name must be either a full +path names or just the program name. In the second case, +\fBCMD_PATH\fP specifying the location of authorized programs must +be defined at the compilation time of ksu. Which command gets +executed? +.sp +If the source user is root or the target user is the source user +or the user is authorized to execute any command (\fB*\fP entry) +then command can be either a full or a relative path leading to +the target program. Otherwise, the user must specify either a +full path or just the program name. +.TP +.B \fB\-a\fP \fIargs\fP +.sp +Specify arguments to be passed to the target shell. Note that all +flags and parameters following \-a will be passed to the shell, +thus all options intended for ksu must precede \fB\-a\fP. +.sp +The \fB\-a\fP option can be used to simulate the \fB\-e\fP option if +used as follows: +.INDENT 7.0 +.INDENT 3.5 +.sp +.nf +.ft C +\-a \-c [command [arguments]]. +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +\fB\-c\fP is interpreted by the c\-shell to execute the command. +.UNINDENT +.SH INSTALLATION INSTRUCTIONS +.sp +ksu can be compiled with the following four flags: +.INDENT 0.0 +.TP +.B \fBGET_TGT_VIA_PASSWD\fP +.sp +In case no appropriate tickets are found in the source cache, the +user will be prompted for a Kerberos password. The password is +then used to get a ticket granting ticket from the Kerberos +server. The danger of configuring ksu with this macro is if the +source user is logged in remotely and does not have a secure +channel, the password may get exposed. +.TP +.B \fBPRINC_LOOK_AHEAD\fP +.sp +During the resolution of the default principal name, +\fBPRINC_LOOK_AHEAD\fP enables ksu to find principal names in +the .k5users file as described in the OPTIONS section +(see \fB\-n\fP option). +.TP +.B \fBCMD_PATH\fP +.sp +Specifies a list of directories containing programs that users are +authorized to execute (via .k5users file). +.TP +.B \fBHAVE_GETUSERSHELL\fP +.sp +If the source user is non\-root, ksu insists that the target user\(aqs +shell to be invoked is a "legal shell". \fIgetusershell(3)\fP is +called to obtain the names of "legal shells". Note that the +target user\(aqs shell is obtained from the passwd file. +.TP +.B Sample configuration: +.sp +.nf +.ft C +KSU_OPTS = \-DGET_TGT_VIA_PASSWD \-DPRINC_LOOK_AHEAD \-DCMD_PATH=\(aq"/bin /usr/ucb /local/bin" +.ft P +.fi +.UNINDENT +.sp +ksu should be owned by root and have the set user id bit turned on. +.sp +ksu attempts to get a ticket for the end server just as Kerberized +telnet and rlogin. Thus, there must be an entry for the server in the +Kerberos database (e.g. \fBhost/nii.isi.edu@ISI.EDU\fP). The keytab +file must be in an appropriate location. +.SH SIDE EFFECTS +.sp +ksu deletes all expired tickets from the source cache. +.SH AUTHOR OF KSU +.sp +GENNADY (ARI) MEDVINSKY +.SH AUTHOR +MIT +.SH COPYRIGHT +2011, MIT +.\" Generated by docutils manpage writer. +. diff --git a/src/man/kswitch.1 b/src/man/kswitch.1 deleted file mode 100644 index a4fa6b3d7..000000000 --- a/src/man/kswitch.1 +++ /dev/null @@ -1,87 +0,0 @@ -.TH "KSWITCH" "1" "January 06, 2012" "0.0.1" "MIT Kerberos" -.SH NAME -kswitch \- switch primary ticket cache -. -.nr rst2man-indent-level 0 -. -.de1 rstReportMargin -\\$1 \\n[an-margin] -level \\n[rst2man-indent-level] -level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] -- -\\n[rst2man-indent0] -\\n[rst2man-indent1] -\\n[rst2man-indent2] -.. -.de1 INDENT -.\" .rstReportMargin pre: -. RS \\$1 -. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] -. nr rst2man-indent-level +1 -.\" .rstReportMargin post: -.. -.de UNINDENT -. RE -.\" indent \\n[an-margin] -.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] -.nr rst2man-indent-level -1 -.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] -.in \\n[rst2man-indent\\n[rst2man-indent-level]]u -.. -.\" Man page generated from reStructeredText. -. -.SH SYNOPSIS -.sp -\fBkswitch\fP {\fB\-c\fP \fIcachename\fP | \fB\-p\fP \fIprincipal\fP} -.SH DESCRIPTION -.sp -\fIkswitch\fP makes the specified credential cache the primary cache for -the collection, if a cache collection is available. -.SH OPTIONS -.INDENT 0.0 -.INDENT 3.5 -.INDENT 0.0 -.TP -.B \fB\-c\fP \fIcachename\fP -.sp -Directly specifies the credential cache to be made primary. -.TP -.B \fB\-p\fP \fIprincipal\fP -.sp -Causes the cache collection to be searched for a cache -containing credentials for \fIprincipal\fP. If one is found, -that collection is made primary. -.UNINDENT -.UNINDENT -.UNINDENT -.SH ENVIRONMENT -.sp -\fIkswitch\fP uses the following environment variables: -.INDENT 0.0 -.INDENT 3.5 -.INDENT 0.0 -.TP -.B \fBKRB5CCNAME\fP -.sp -Location of the default Kerberos 5 credentials (ticket) -cache, in the form \fItype\fP:\fIresidual\fP. If no type prefix is -present, the \fBFILE\fP type is assumed. The type of the -default cache may determine the availability of a cache -collection; for instance, a default cache of type \fBDIR\fP -causes caches within the directory to be present in the -collection. -.UNINDENT -.UNINDENT -.UNINDENT -.SH FILES -.sp -/tmp/krb5cc_[uid] \- Default location of Kerberos 5 credentials cache ([\fIuid\fP] is the decimal UID of the user). -.SH SEE ALSO -.sp -kinit(1), kdestroy(1), klist(1), kerberos(1) -.SH AUTHOR -MIT -.SH COPYRIGHT -2011, MIT -.\" Generated by docutils manpage writer. -. diff --git a/src/man/kswitch.man b/src/man/kswitch.man new file mode 100644 index 000000000..b265b78fb --- /dev/null +++ b/src/man/kswitch.man @@ -0,0 +1,84 @@ +.TH "KSWITCH" "1" " " "0.0.1" "MIT Kerberos" +.SH NAME +kswitch \- switch primary ticket cache +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.\" Man page generated from reStructeredText. +. +.SH SYNOPSIS +.sp +\fBkswitch\fP +{\fB\-c\fP \fIcachename\fP|\fB\-p\fP \fIprincipal\fP} +.SS DESCRIPTION +.sp +kswitch makes the specified credential cache the primary cache for the +collection, if a cache collection is available. +.SS OPTIONS +.INDENT 0.0 +.TP +.B \fB\-c\fP \fIcachename\fP +.sp +Directly specifies the credential cache to be made primary. +.TP +.B \fB\-p\fP \fIprincipal\fP +.sp +Causes the cache collection to be searched for a cache containing +credentials for \fIprincipal\fP. If one is found, that collection is +made primary. +.UNINDENT +.SS ENVIRONMENT +.sp +kswitch uses the following environment variables: +.INDENT 0.0 +.TP +.B \fBKRB5CCNAME\fP +.sp +Location of the default Kerberos 5 credentials (ticket) cache, in +the form \fItype\fP:\fIresidual\fP. If no \fItype\fP prefix is present, the +\fBFILE\fP type is assumed. The type of the default cache may +determine the availability of a cache collection; for instance, a +default cache of type \fBDIR\fP causes caches within the directory +to be present in the collection. +.UNINDENT +.SS FILES +.INDENT 0.0 +.TP +.B \fB/tmp/krb5cc_[uid]\fP +.sp +Default location of Kerberos 5 credentials cache ([\fIuid\fP] is the +decimal UID of the user). +.UNINDENT +.SS SEE ALSO +.sp +\fIkinit(1)\fP, \fIkdestroy(1)\fP, \fIklist(1)\fP), kerberos(1) +.SH AUTHOR +MIT +.SH COPYRIGHT +2011, MIT +.\" Generated by docutils manpage writer. +. diff --git a/src/man/ktutil.1 b/src/man/ktutil.man similarity index 59% rename from src/man/ktutil.1 rename to src/man/ktutil.man index 0fc656646..be2cc7da4 100644 --- a/src/man/ktutil.1 +++ b/src/man/ktutil.man @@ -1,4 +1,4 @@ -.TH "KTUTIL" "1" "January 06, 2012" "0.0.1" "MIT Kerberos" +.TH "KTUTIL" "1" " " "0.0.1" "MIT Kerberos" .SH NAME ktutil \- Kerberos keytab file maintenance utility . @@ -35,94 +35,142 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] \fBktutil\fP .SH DESCRIPTION .sp -The \fIktutil\fP command invokes a subshell from which an administrator can read, write, or edit entries in a Kerberos V5 keytab or V4 srvtab file. +The ktutil command invokes a command interface from which an +administrator can read, write, or edit entries in a keytab or Kerberos +V4 srvtab file. .SH COMMANDS +.SS list .INDENT 0.0 .INDENT 3.5 -.INDENT 0.0 -.TP -.B \fBlist\fP +.sp +\fBlist\fP +.UNINDENT +.UNINDENT .sp Displays the current keylist. .sp Alias: \fBl\fP -.TP -.B \fBread_kt\fP \fIkeytab\fP +.SS read_kt +.INDENT 0.0 +.INDENT 3.5 +.sp +\fBread_kt\fP \fIkeytab\fP +.UNINDENT +.UNINDENT .sp Read the Kerberos V5 keytab file \fIkeytab\fP into the current keylist. .sp Alias: \fBrkt\fP -.TP -.B \fBread_st\fP \fIsrvtab\fP +.SS read_st +.INDENT 0.0 +.INDENT 3.5 +.sp +\fBread_st\fP \fIsrvtab\fP +.UNINDENT +.UNINDENT .sp Read the Kerberos V4 srvtab file \fIsrvtab\fP into the current keylist. .sp Alias: \fBrst\fP -.TP -.B \fBwrite_kt\fP \fIkeytab\fP +.SS write_kt +.INDENT 0.0 +.INDENT 3.5 +.sp +\fBwrite_kt\fP \fIkeytab\fP +.UNINDENT +.UNINDENT .sp Write the current keylist into the Kerberos V5 keytab file \fIkeytab\fP. .sp Alias: \fBwkt\fP -.TP -.B \fBwrite_st\fP \fIsrvtab\fP +.SS write_st +.INDENT 0.0 +.INDENT 3.5 +.sp +\fBwrite_st\fP \fIsrvtab\fP +.UNINDENT +.UNINDENT .sp Write the current keylist into the Kerberos V4 srvtab file \fIsrvtab\fP. .sp Alias: \fBwst\fP -.TP -.B \fBclear_list\fP +.SS clear_list +.INDENT 0.0 +.INDENT 3.5 +.sp +\fBclear_list\fP +.UNINDENT +.UNINDENT .sp Clear the current keylist. .sp Alias: \fBclear\fP -.TP -.B \fBdelete_entry\fP \fIslot\fP +.SS delete_entry +.INDENT 0.0 +.INDENT 3.5 +.sp +\fBdelete_entry\fP \fIslot\fP +.UNINDENT +.UNINDENT .sp Delete the entry in slot number \fIslot\fP from the current keylist. .sp -Alias: \fIdelent\fP -.TP -.B \fBadd_entry\fP (\fB\-key | \-password)\fP \fB\-p\fP \fIprincipal\fP \fB\-k\fP \fIkvno\fP \fB\-e\fP \fIenctype\fP +Alias: \fBdelent\fP +.SS add_entry +.INDENT 0.0 +.INDENT 3.5 +.sp +\fBadd_entry\fP {\fB\-key\fP|\fB\-password\fP} \fB\-p\fP \fIprincipal\fP +\fB\-k\fP \fIkvno\fP \fB\-e\fP \fIenctype\fP +.UNINDENT +.UNINDENT .sp Add \fIprincipal\fP to keylist using key or password. .sp Alias: \fBaddent\fP -.TP -.B \fBlist_requests\fP +.SS list_requests +.INDENT 0.0 +.INDENT 3.5 +.sp +\fBlist_requests\fP +.UNINDENT +.UNINDENT .sp Displays a listing of available commands. .sp Aliases: \fBlr\fP, \fB?\fP -.TP -.B \fBquit\fP -.sp -Quits ktutil. +.SS quit +.INDENT 0.0 +.INDENT 3.5 .sp -Aliases: \fBexit\fP, \fBq\fP -.UNINDENT +\fBquit\fP .UNINDENT .UNINDENT .sp -EXAMPLE: +Quits ktutil. +.sp +Aliases: \fBexit\fP, \fBq\fP +.SH EXAMPLE +.INDENT 0.0 +.INDENT 3.5 .sp .nf .ft C -ktutil: add_entry \-password \-p alice@BLEEP.COM \-k 1 \-e aes128\-cts\-hmac\-sha1\-96 +ktutil: add_entry \-password \-p alice@BLEEP.COM \-k 1 \-e + aes128\-cts\-hmac\-sha1\-96 Password for alice@BLEEP.COM: -ktutil: add_entry \-password \-p alice@BLEEP.COM \-k 1 \-e aes256\-cts\-hmac\-sha1\-96 +ktutil: add_entry \-password \-p alice@BLEEP.COM \-k 1 \-e + aes256\-cts\-hmac\-sha1\-96 Password for alice@BLEEP.COM: ktutil: write_kt keytab ktutil: .ft P .fi -.SH SEE ALSO -.INDENT 0.0 -.INDENT 3.5 -.sp -kadmin(8), kdb5_util(8) .UNINDENT .UNINDENT +.SH SEE ALSO +.sp +\fIkadmin(1)\fP, \fIkdb5_util(8)\fP .SH AUTHOR MIT .SH COPYRIGHT diff --git a/src/man/kvno.1 b/src/man/kvno.1 deleted file mode 100644 index d554ec0ad..000000000 --- a/src/man/kvno.1 +++ /dev/null @@ -1,116 +0,0 @@ -.TH "KVNO" "1" "January 06, 2012" "0.0.1" "MIT Kerberos" -.SH NAME -kvno \- print key version numbers of Kerberos principals -. -.nr rst2man-indent-level 0 -. -.de1 rstReportMargin -\\$1 \\n[an-margin] -level \\n[rst2man-indent-level] -level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] -- -\\n[rst2man-indent0] -\\n[rst2man-indent1] -\\n[rst2man-indent2] -.. -.de1 INDENT -.\" .rstReportMargin pre: -. RS \\$1 -. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] -. nr rst2man-indent-level +1 -.\" .rstReportMargin post: -.. -.de UNINDENT -. RE -.\" indent \\n[an-margin] -.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] -.nr rst2man-indent-level -1 -.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] -.in \\n[rst2man-indent\\n[rst2man-indent-level]]u -.. -.\" Man page generated from reStructeredText. -. -.SH SYNOPSIS -.INDENT 0.0 -.TP -.B \fBkvno\fP -.sp -[\fB\-c\fP \fIccache\fP] -[\fB\-e\fP \fIetype\fP] -[\fB\-q\fP] -[\fB\-h\fP] -[\fB\-P\fP] -[\fB\-S\fP \fIsname\fP] -[\fB\-U\fP \fIfor_user\fP] -\fIservice1 service2\fP ... -.UNINDENT -.SH DESCRIPTION -.sp -\fIkvno\fP acquires a service ticket for the specified Kerberos principals and -prints out the key version numbers of each. -.SH OPTIONS -.INDENT 0.0 -.INDENT 3.5 -.INDENT 0.0 -.TP -.B \fB\-c\fP \fIccache\fP -.sp -Specifies the name of a credentials cache to use (if not the default) -.TP -.B \fB\-e\fP \fIetype\fP -.sp -Specifies the enctype which will be requested for the session key of all -the services named on the command line. -This is useful in certain backward compatibility situations. -.TP -.B \fB\-q\fP -.sp -Suppress printing -.TP -.B \fB\-h\fP -.sp -Prints a usage statement and exits -.TP -.B \fB\-P\fP -.sp -Specifies that the \fIservice1 service2\fP ... arguments are to be treated as -services for which credentials should be acquired using constrained delegation. -This option is only valid when used in conjunction with protocol transition. -.TP -.B \fB\-S\fP \fIsname\fP -.sp -Specifies that \fIkrb5_sname_to_principal()\fP will be used to build principal names. -If this flag is specified, the \fIservice1 service2\fP ... arguments are interpreted as -\fIhostnames\fP (rather than principal names), -and \fIsname\fP is interpreted as the service name. -.TP -.B \fB\-U\fP \fIfor_user\fP -.sp -Specifies that protocol transition (S4U2Self) is to be used -to acquire a ticket on behalf of \fIfor_user\fP. -If constrained delegation is not requested, -the service name must match the credentials cache client principal. -.UNINDENT -.UNINDENT -.UNINDENT -.SH ENVIRONMENT -.sp -\fIkvno\fP uses the following environment variable: -.INDENT 0.0 -.INDENT 3.5 -.sp -\fBKRB5CCNAME\fP \- Location of the credentials (ticket) cache. -.UNINDENT -.UNINDENT -.SH FILES -.sp -/tmp/krb5cc_[uid] \- Default location of the credentials cache ([uid] is the decimal UID of the user). -.SH SEE ALSO -.sp -kinit(1), kdestroy(1) -.SH AUTHOR -MIT -.SH COPYRIGHT -2011, MIT -.\" Generated by docutils manpage writer. -. diff --git a/src/man/kvno.man b/src/man/kvno.man new file mode 100644 index 000000000..38ef7af2d --- /dev/null +++ b/src/man/kvno.man @@ -0,0 +1,119 @@ +.TH "KVNO" "1" " " "0.0.1" "MIT Kerberos" +.SH NAME +kvno \- print key version numbers of Kerberos principals +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.\" Man page generated from reStructeredText. +. +.SH SYNOPSIS +.sp +\fBkvno\fP +[\fB\-c\fP \fIccache\fP] +[\fB\-e\fP \fIetype\fP] +[\fB\-q\fP] +[\fB\-h\fP] +[\fB\-P\fP] +[\fB\-S\fP \fIsname\fP] +[\fB\-U\fP \fIfor_user\fP] +\fIservice1 service2\fP ... +.SH DESCRIPTION +.sp +kvno acquires a service ticket for the specified Kerberos principals +and prints out the key version numbers of each. +.SH OPTIONS +.INDENT 0.0 +.TP +.B \fB\-c\fP \fIccache\fP +.sp +Specifies the name of a credentials cache to use (if not the +default) +.TP +.B \fB\-e\fP \fIetype\fP +.sp +Specifies the enctype which will be requested for the session key +of all the services named on the command line. This is useful in +certain backward compatibility situations. +.TP +.B \fB\-q\fP +.sp +Suppress printing output when successful. If a service ticket +cannot be obtained, an error message will still be printed and +kvno will exit with nonzero status. +.TP +.B \fB\-h\fP +.sp +Prints a usage statement and exits. +.TP +.B \fB\-P\fP +.sp +Specifies that the \fIservice1 service2\fP ... arguments are to be +treated as services for which credentials should be acquired using +constrained delegation. This option is only valid when used in +conjunction with protocol transition. +.TP +.B \fB\-S\fP \fIsname\fP +.sp +Specifies that the \fIservice1 service2\fP ... arguments are +interpreted as hostnames, and the service principals are to be +constructed from those hostnames and the service name \fIsname\fP. +The service hostnames will be canonicalized according to the usual +rules for constructing service principals. +.TP +.B \fB\-U\fP \fIfor_user\fP +.sp +Specifies that protocol transition (S4U2Self) is to be used to +acquire a ticket on behalf of \fIfor_user\fP. If constrained +delegation is not requested, the service name must match the +credentials cache client principal. +.UNINDENT +.SH ENVIRONMENT +.sp +kvno uses the following environment variable: +.INDENT 0.0 +.TP +.B \fBKRB5CCNAME\fP +.sp +Location of the credentials (ticket) cache. +.UNINDENT +.SH FILES +.INDENT 0.0 +.TP +.B \fB/tmp/krb5cc_[uid]\fP +.sp +Default location of the credentials cache ([\fIuid\fP] is the decimal +UID of the user). +.UNINDENT +.SH SEE ALSO +.sp +\fIkinit(1)\fP, \fIkdestroy(1)\fP +.SH AUTHOR +MIT +.SH COPYRIGHT +2011, MIT +.\" Generated by docutils manpage writer. +. diff --git a/src/man/sclient.man b/src/man/sclient.man new file mode 100644 index 000000000..0d0c95102 --- /dev/null +++ b/src/man/sclient.man @@ -0,0 +1,50 @@ +.TH "SCLIENT" "1" " " "0.0.1" "MIT Kerberos" +.SH NAME +sclient \- sample Kerberos version 5 client +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.\" Man page generated from reStructeredText. +. +.SH SYNOPSIS +.sp +\fBsclient\fP \fIremotehost\fP +.SH DESCRIPTION +.sp +sclient is a sample application, primarily useful for testing +purposes. It contacts a sample server \fIsserver(8)\fP and +authenticates to it using Kerberos version 5 tickets, then displays +the server\(aqs response. +.SH SEE ALSO +.sp +\fIkinit(1)\fP, \fIsserver(8)\fP +.SH AUTHOR +MIT +.SH COPYRIGHT +2011, MIT +.\" Generated by docutils manpage writer. +. diff --git a/src/man/sserver.man b/src/man/sserver.man new file mode 100644 index 000000000..aa07d4f24 --- /dev/null +++ b/src/man/sserver.man @@ -0,0 +1,199 @@ +.TH "SSERVER" "8" " " "0.0.1" "MIT Kerberos" +.SH NAME +sserver \- sample Kerberos version 5 server +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.\" Man page generated from reStructeredText. +. +.SH SYNOPSIS +.sp +\fBsserver\fP +[ \fB\-p\fP \fIport\fP ] +[ \fB\-S\fP \fIkeytab\fP ] +[ \fIserver_port\fP ] +.SH DESCRIPTION +.sp +sserver and \fIsclient(1)\fP are a simple demonstration client/server +application. When sclient connects to sserver, it performs a Kerberos +authentication, and then sserver returns to sclient the Kerberos +principal which was used for the Kerberos authentication. It makes a +good test that Kerberos has been successfully installed on a machine. +.sp +The service name used by sserver and sclient is sample. Hence, +sserver will require that there be a keytab entry for the service +\fBsample/hostname.domain.name@REALM.NAME\fP. This keytab is generated +using the \fIkadmin(1)\fP program. The keytab file is usually +installed as \fB/etc/krb5.keytab\fP. +.sp +The \fB\-S\fP option allows for a different keytab than the default. +.sp +sserver is normally invoked out of inetd(8), using a line in +\fB/etc/inetd.conf\fP that looks like this: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +sample stream tcp nowait root /usr/local/sbin/sserver sserver +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +Since \fBsample\fP is normally not a port defined in \fB/etc/services\fP, +you will usually have to add a line to \fB/etc/services\fP which looks +like this: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +sample 13135/tcp +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +When using sclient, you will first have to have an entry in the +Kerberos database, by using \fIkadmin(1)\fP, and then you have to get +Kerberos tickets, by using \fIkinit(1)\fP. Also, if you are running +the sclient program on a different host than the sserver it will be +connecting to, be sure that both hosts have an entry in /etc/services +for the sample tcp port, and that the same port number is in both +files. +.sp +When you run sclient you should see something like this: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +sendauth succeeded, reply is: +reply len 32, contents: +You are nlgilman@JIMI.MIT.EDU +.ft P +.fi +.UNINDENT +.UNINDENT +.SH COMMON ERROR MESSAGES +.INDENT 0.0 +.IP 1. 3 +. +kinit returns the error: +.INDENT 3.0 +.INDENT 3.5 +.sp +.nf +.ft C +kinit: Client not found in Kerberos database while getting + initial credentials +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +This means that you didn\(aqt create an entry for your username in the +Kerberos database. +.IP 2. 3 +. +sclient returns the error: +.INDENT 3.0 +.INDENT 3.5 +.sp +.nf +.ft C +unknown service sample/tcp; check /etc/services +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +This means that you don\(aqt have an entry in /etc/services for the +sample tcp port. +.IP 3. 3 +. +sclient returns the error: +.INDENT 3.0 +.INDENT 3.5 +.sp +.nf +.ft C +connect: Connection refused +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +This probably means you didn\(aqt edit /etc/inetd.conf correctly, or +you didn\(aqt restart inetd after editing inetd.conf. +.IP 4. 3 +. +sclient returns the error: +.INDENT 3.0 +.INDENT 3.5 +.sp +.nf +.ft C +sclient: Server not found in Kerberos database while using + sendauth +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +This means that the \fBsample/hostname@LOCAL.REALM\fP service was not +defined in the Kerberos database; it should be created using +\fIkadmin(1)\fP, and a keytab file needs to be generated to make +the key for that service principal available for sclient. +.IP 5. 3 +. +sclient returns the error: +.INDENT 3.0 +.INDENT 3.5 +.sp +.nf +.ft C +sendauth rejected, error reply is: + "No such file or directory" +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +This probably means sserver couldn\(aqt find the keytab file. It was +probably not installed in the proper directory. +.UNINDENT +.SH SEE ALSO +.sp +\fIsclient(1)\fP, services(5), inetd(8) +.SH AUTHOR +MIT +.SH COPYRIGHT +2011, MIT +.\" Generated by docutils manpage writer. +.