path: root/crypto/heimdal/lib/krb5/krb5.conf.5
Diffstat (limited to 'crypto/heimdal/lib/krb5/krb5.conf.5')
-rw-r--r-- crypto/heimdal/lib/krb5/krb5.conf.5 442
1 files changed, 0 insertions, 442 deletions
diff --git a/crypto/heimdal/lib/krb5/krb5.conf.5 b/crypto/heimdal/lib/krb5/krb5.conf.5
deleted file mode 100644
index 9ee85aa337ce7..0000000000000
--- a/crypto/heimdal/lib/krb5/krb5.conf.5
+++ /dev/null
@@ -1,442 +0,0 @@
-.\" Copyright (c) 1999 - 2003 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\"
-.\" $Id: krb5.conf.5,v 1.35 2003/04/16 13:26:13 lha Exp $
-.\"
-.Dd April 11, 1999
-.Dt KRB5.CONF 5
-.Os HEIMDAL
-.Sh NAME
-.Nm /etc/krb5.conf
-.Nd configuration file for Kerberos 5
-.Sh DESCRIPTION
-The
-.Nm
-file specifies several configuration parameters for the Kerberos 5
-library, as well as for some programs.
-.Pp
-The file consists of one or more sections, containing a number of
-bindings.
-The value of each binding can be either a string or a list of other
-bindings.
-The grammar looks like:
-.Bd -literal -offset indent
-file:
- /* empty */
- sections
-
-sections:
- section sections
- section
-
-section:
- '[' section_name ']' bindings
-
-section_name:
- STRING
-
-bindings:
- binding bindings
- binding
-
-binding:
- name '=' STRING
- name '=' '{' bindings '}'
-
-name:
- STRING
-
-.Ed
-.Li STRINGs
-consists of one or more non-whitespace characters.
-.Pp
-STRINGs that are specified later in this man-page uses the following
-notation.
-.Bl -tag -width "xxx" -offset indent
-.It boolean
-values can be either yes/true or no/false.
-.It time
-values can be a list of year, month, day, hour, min, second.
-Example: 1 month 2 days 30 min.
-.It etypes
-valid encryption types are: des-cbc-crc, des-cbc-md4, des-cbc-md5,
-des3-cbc-sha1.
-.It address
-an address can be either a IPv4 or a IPv6 address.
-.El
-.Pp
-Currently recognised sections and bindings are:
-.Bl -tag -width "xxx" -offset indent
-.It Li [appdefaults]
-Specifies the default values to be used for Kerberos applications.
-You can specify defaults per application, realm, or a combination of
-these.
-The preference order is:
-.Bl -enum -compact
-.It
-.Va application Va realm Va option
-.It
-.Va application Va option
-.It
-.Va realm Va option
-.It
-.Va option
-.El
-.Pp
-The supported options are:
-.Bl -tag -width "xxx" -offset indent
-.It Li forwardable = Va boolean
-When obtaining initial credentials, make the credentials forwardable.
-.It Li proxiable = Va boolean
-When obtaining initial credentials, make the credentials proxiable.
-.It Li no-addresses = Va boolean
-When obtaining initial credentials, request them for an empty set of
-addresses, making the tickets valid from any address.
-.It Li ticket_lifetime = Va time
-Default ticket lifetime.
-.It Li renew_lifetime = Va time
-Default renewable ticket lifetime.
-.El
-.It Li [libdefaults]
-.Bl -tag -width "xxx" -offset indent
-.It Li default_realm = Va REALM
-Default realm to use, this is also known as your
-.Dq local realm .
-The default is the result of
-.Fn krb5_get_host_realm "local hostname" .
-.It Li clockskew = Va time
-Maximum time differential (in seconds) allowed when comparing
-times.
-Default is 300 seconds (five minutes).
-.It Li kdc_timeout = Va time
-Maximum time to wait for a reply from the kdc, default is 3 seconds.
-.It v4_name_convert
-.It v4_instance_resolve
-These are described in the
-.Xr krb5_425_conv_principal 3
-manual page.
-.It Li capath = {
-.Bl -tag -width "xxx" -offset indent
-.It Va destination-realm Li = Va next-hop-realm
-.It ...
-.El
-Normally, all requests to realms different from the one of the current
-client are sent to this KDC to get cross-realm tickets.
-If this KDC does not have a cross-realm key with the desired realm and
-the hierarchical path to that realm does not work, a path can be
-configured using this directive.
-The text shown above instructs the KDC to try to obtain a cross-realm
-ticket to
-.Va next-hop-realm
-when the desired realm is
-.Va destination-realm .
-This configuration should preferably be done on the KDC where it will
-help all its clients but can also be done on the client itself.
-.It Li }
-.It Li default_etypes = Va etypes...
-A list of default encryption types to use.
-.It Li default_etypes_des = Va etypes...
-A list of default encryption types to use when requesting a DES credential.
-.It Li default_keytab_name = Va keytab
-The keytab to use if no other is specified, default is
-.Dq FILE:/etc/krb5.keytab .
-.It Li dns_lookup_kdc = Va boolean
-Use DNS SRV records to lookup KDC services location.
-.It Li dns_lookup_realm = Va boolean
-Use DNS TXT records to lookup domain to realm mappings.
-.It Li kdc_timesync = Va boolean
-Try to keep track of the time differential between the local machine
-and the KDC, and then compensate for that when issuing requests.
-.It Li max_retries = Va number
-The max number of times to try to contact each KDC.
-.It Li ticket_lifetime = Va time
-Default ticket lifetime.
-.It Li renew_lifetime = Va time
-Default renewable ticket lifetime.
-.It Li forwardable = Va boolean
-When obtaining initial credentials, make the credentials forwardable.
-This option is also valid in the [realms] section.
-.It Li proxiable = Va boolean
-When obtaining initial credentials, make the credentials proxiable.
-This option is also valid in the [realms] section.
-.It Li verify_ap_req_nofail = Va boolean
-If enabled, failure to verify credentials against a local key is a
-fatal error.
-The application has to be able to read the corresponding service key
-for this to work.
-Some applications, like
-.Xr su 8 ,
-enable this option unconditionally.
-.It Li warn_pwexpire = Va time
-How soon to warn for expiring password.
-Default is seven days.
-.It Li http_proxy = Va proxy-spec
-A HTTP-proxy to use when talking to the KDC via HTTP.
-.It Li dns_proxy = Va proxy-spec
-Enable using DNS via HTTP.
-.It Li extra_addresses = Va address...
-A list of addresses to get tickets for along with all local addresses.
-.It Li time_format = Va string
-How to print time strings in logs, this string is passed to
-.Xr strftime 3 .
-.It Li date_format = Va string
-How to print date strings in logs, this string is passed to
-.Xr strftime 3 .
-.It Li log_utc = Va boolean
-Write log-entries using UTC instead of your local time zone.
-.It Li scan_interfaces = Va boolean
-Scan all network interfaces for addresses, as opposed to simply using
-the address associated with the system's host name.
-.It Li fcache_version = Va int
-Use file credential cache format version specified.
-.It Li krb4_get_tickets = Va boolean
-Also get Kerberos 4 tickets in
-.Nm kinit ,
-.Nm login ,
-and other programs.
-This option is also valid in the [realms] section.
-.El
-.It Li [domain_realm]
-This is a list of mappings from DNS domain to Kerberos realm.
-Each binding in this section looks like:
-.Pp
-.Dl domain = realm
-.Pp
-The domain can be either a full name of a host or a trailing
-component, in the latter case the domain-string should start with a
-period.
-The realm may be the token `dns_locate', in which case the actual
-realm will be determined using DNS (independently of the setting
-of the `dns_lookup_realm' option).
-.It Li [realms]
-.Bl -tag -width "xxx" -offset indent
-.It Va REALM Li = {
-.Bl -tag -width "xxx" -offset indent
-.It Li kdc = Va [service/]host[:port]
-Specifies a list of kdcs for this realm.
-If the optional
-.Va port
-is absent, the
-default value for the
-.Dq kerberos/udp
-.Dq kerberos/tcp ,
-and
-.Dq http/tcp
-port (depending on service) will be used.
-The kdcs will be used in the order that they are specified.
-.Pp
-The optional
-.Va service
-specifies over what medium the kdc should be
-contacted.
-Possible services are
-.Dq udp ,
-.Dq tcp ,
-and
-.Dq http .
-Http can also be written as
-.Dq http:// .
-Default service is
-.Dq udp
-and
-.Dq tcp .
-.It Li admin_server = Va host[:port]
-Specifies the admin server for this realm, where all the modifications
-to the database are performed.
-.It Li kpasswd_server = Va host[:port]
-Points to the server where all the password changes are performed.
-If there is no such entry, the kpasswd port on the admin_server host
-will be tried.
-.It Li krb524_server = Va host[:port]
-Points to the server that does 524 conversions.
-If it is not mentioned, the krb524 port on the kdcs will be tried.
-.It Li v4_instance_convert
-.It Li v4_name_convert
-.It Li default_domain
-See
-.Xr krb5_425_conv_principal 3 .
-.El
-.It Li }
-.El
-.It Li [logging]
-.Bl -tag -width "xxx" -offset indent
-.It Va entity Li = Va destination
-Specifies that
-.Va entity
-should use the specified
-.Li destination
-for logging.
-See the
-.Xr krb5_openlog 3
-manual page for a list of defined destinations.
-.El
-.It Li [kdc]
-.Bl -tag -width "xxx" -offset indent
-.It database Li = {
-.Bl -tag -width "xxx" -offset indent
-.It dbname Li = Va DATABASENAME
-Use this database for this realm.
-.It realm Li = Va REALM
-Specifies the realm that will be stored in this database.
-.It mkey_file Li = Pa FILENAME
-Use this keytab file for the master key of this database.
-If not specified
-.Va DATABASENAME Ns .mkey
-will be used.
-.It acl_file Li = PA FILENAME
-Use this file for the ACL list of this database.
-.It log_file Li = Pa FILENAME
-Use this file as the log of changes performed to the database.
-This file is used by
-.Nm ipropd-master
-for propagating changes to slaves.
-.El
-.It Li }
-.It max-request = Va SIZE
-Maximum size of a kdc request.
-.It require-preauth = Va BOOL
-If set pre-authentication is required.
-Since krb4 requests are not pre-authenticated they will be rejected.
-.It ports = Va "list of ports"
-List of ports the kdc should listen to.
-.It addresses = Va "list of interfaces"
-List of addresses the kdc should bind to.
-.It enable-kerberos4 = Va BOOL
-Turn on Kerberos 4 support.
-.It v4-realm = Va REALM
-To what realm v4 requests should be mapped.
-.It enable-524 = Va BOOL
-Should the Kerberos 524 converting facility be turned on.
-Default is same as
-.Va enable-kerberos4 .
-.It enable-http = Va BOOL
-Should the kdc answer kdc-requests over http.
-.It enable-kaserver = Va BOOL
-If this kdc should emulate the AFS kaserver.
-.It check-ticket-addresses = Va BOOL
-verify the addresses in the tickets used in tgs requests.
-.\" XXX
-.It allow-null-ticket-addresses = Va BOOL
-Allow addresses-less tickets.
-.\" XXX
-.It allow-anonymous = Va BOOL
-If the kdc is allowed to hand out anonymous tickets.
-.It encode_as_rep_as_tgs_rep = Va BOOL
-Encode as-rep as tgs-rep tobe compatible with mistakes older DCE secd did.
-.\" XXX
-.It kdc_warn_pwexpire = Va TIME
-The time before expiration that the user should be warned that her
-password is about to expire.
-.It logging = Va Logging
-What type of logging the kdc should use, see also [logging]/kdc.
-.It use_2b = Va principal list
-List of principals to use AFS 2b tokens for.
-.El
-.It Li [kadmin]
-.Bl -tag -width "xxx" -offset indent
-.It require-preauth = Va BOOL
-If pre-authentication is required to talk to the kadmin server.
-.It default_keys = Va keytypes...
-for each entry in
-.Va default_keys
-try to parse it as a sequence of
-.Va etype:salttype:salt
-syntax of this if something like:
-.Pp
-[(des|des3|etype):](pw-salt|afs3-salt)[:string]
-.Pp
-If
-.Ar etype
-is omitted it means everything, and if string is omitted it means the
-default salt string (for that principal and encryption type).
-Additional special values of keytypes are:
-.Bl -tag -width "xxx" -offset indent
-.It v5
-The Kerberos 5 salt
-.Va pw-salt
-.It v4
-The Kerberos 4 salt
-.Va des:pw-salt:
-.El
-.It use_v4_salt = Va BOOL
-When true, this is the same as
-.Pp
-.Va default_keys = Va des3:pw-salt Va v4
-.Pp
-and is only left for backwards compatibility.
-.El
-.El
-.Sh ENVIRONMENT
-.Ev KRB5_CONFIG
-points to the configuration file to read.
-.Sh EXAMPLE
-.Bd -literal -offset indent
-[libdefaults]
- default_realm = FOO.SE
-[domain_realm]
- .foo.se = FOO.SE
- .bar.se = FOO.SE
-[realms]
- FOO.SE = {
- kdc = kerberos.foo.se
- v4_name_convert = {
- rcmd = host
- }
- v4_instance_convert = {
- xyz = xyz.bar.se
- }
- default_domain = foo.se
- }
-[logging]
- kdc = FILE:/var/heimdal/kdc.log
- kdc = SYSLOG:INFO
- default = SYSLOG:INFO:USER
-.Ed
-.Sh DIAGNOSTICS
-Since
-.Nm
-is read and parsed by the krb5 library, there is not a lot of
-opportunities for programs to report parsing errors in any useful
-format.
-To help overcome this problem, there is a program
-.Nm verify_krb5_conf
-that reads
-.Nm
-and tries to emit useful diagnostics from parsing errors.
-Note that this program does not have any way of knowing what options
-are actually used and thus cannot warn about unknown or misspelled
-ones.
-.Sh SEE ALSO
-.Xr kinit 1 ,
-.Xr krb5_425_conv_principal 3 ,
-.Xr krb5_openlog 3 ,
-.Xr strftime 3 ,
-.Xr verify_krb5_conf 8
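Review bot: no replacement for this manual page is visible in the diff, so the commit should state where the current krb5.conf(5) now lives and whether the install rules and the pages that cross-reference it (the SEE ALSO block names kinit 1, krb5_425_conv_principal 3, krb5_openlog 3 and verify_krb5_conf 8) are updated in the same change. The removed text is the only place in this tree documenting security-relevant switches such as `verify_ap_req_nofail`, `require-preauth`, `check-ticket-addresses`, `allow-null-ticket-addresses` and `allow-anonymous`, so if the intent is to drop a stale copy (the $Id line dates it to 2003 and its etypes list stops at des3-cbc-sha1) rather than the documentation itself, say so in the commit message and point at the newer page.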