authorCy Schubert <cy@FreeBSD.org>2018-04-03 19:36:00 +0000
committerCy Schubert <cy@FreeBSD.org>2018-04-03 19:36:00 +0000
commitb0e4d68d5124581ae353493d69bea352de4cff8a (patch)
tree43300ec43e83eccd367fd76fdfdefba2dcd7d8f4 /doc/html/admin
parent33a9b234e7087f573ef08cd7318c6497ba08b439 (diff)
Notes
Diffstat (limited to 'doc/html/admin')
-rw-r--r--doc/html/admin/admin_commands/index.html4
-rw-r--r--doc/html/admin/admin_commands/k5srvutil.html4
-rw-r--r--doc/html/admin/admin_commands/kadmin_local.html10
-rw-r--r--doc/html/admin/admin_commands/kadmind.html4
-rw-r--r--doc/html/admin/admin_commands/kdb5_ldap_util.html4
-rw-r--r--doc/html/admin/admin_commands/kdb5_util.html4
-rw-r--r--doc/html/admin/admin_commands/kprop.html4
-rw-r--r--doc/html/admin/admin_commands/kpropd.html8
-rw-r--r--doc/html/admin/admin_commands/kproplog.html4
-rw-r--r--doc/html/admin/admin_commands/krb5kdc.html4
-rw-r--r--doc/html/admin/admin_commands/ktutil.html6
-rw-r--r--doc/html/admin/admin_commands/sserver.html4
-rw-r--r--doc/html/admin/advanced/index.html4
-rw-r--r--doc/html/admin/advanced/ldapbackend.html4
-rw-r--r--doc/html/admin/advanced/retiring-des.html4
-rw-r--r--doc/html/admin/appl_servers.html4
-rw-r--r--doc/html/admin/auth_indicator.html4
-rw-r--r--doc/html/admin/backup_host.html4
-rw-r--r--doc/html/admin/conf_files/index.html4
-rw-r--r--doc/html/admin/conf_files/kadm5_acl.html41
-rw-r--r--doc/html/admin/conf_files/kdc_conf.html23
-rw-r--r--doc/html/admin/conf_files/krb5_conf.html63
-rw-r--r--doc/html/admin/conf_ldap.html4
-rw-r--r--doc/html/admin/database.html4
-rw-r--r--doc/html/admin/enctypes.html4
-rw-r--r--doc/html/admin/env_variables.html4
-rw-r--r--doc/html/admin/host_config.html4
-rw-r--r--doc/html/admin/https.html4
-rw-r--r--doc/html/admin/index.html4
-rw-r--r--doc/html/admin/install.html4
-rw-r--r--doc/html/admin/install_appl_srv.html4
-rw-r--r--doc/html/admin/install_clients.html4
-rw-r--r--doc/html/admin/install_kdc.html4
-rw-r--r--doc/html/admin/lockout.html4
-rw-r--r--doc/html/admin/otp.html4
-rw-r--r--doc/html/admin/pkinit.html23
-rw-r--r--doc/html/admin/princ_dns.html4
-rw-r--r--doc/html/admin/realm_config.html6
-rw-r--r--doc/html/admin/troubleshoot.html4
-rw-r--r--doc/html/admin/various_envs.html4
40 files changed, 199 insertions, 109 deletions
diff --git a/doc/html/admin/admin_commands/index.html b/doc/html/admin/admin_commands/index.html
index aeab6f19fdba..70300c8e3886 100644
--- a/doc/html/admin/admin_commands/index.html
+++ b/doc/html/admin/admin_commands/index.html
@@ -15,7 +15,7 @@
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: '../../',
- VERSION: '1.15.1',
+ VERSION: '1.16',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
HAS_SOURCE: true
@@ -161,7 +161,7 @@
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.15.1</i><br />
+ <div class="right" ><i>Release: 1.16</i><br />
&copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
</div>
<div class="left">
diff --git a/doc/html/admin/admin_commands/k5srvutil.html b/doc/html/admin/admin_commands/k5srvutil.html
index 6efa10e95cbe..6b2b3304c936 100644
--- a/doc/html/admin/admin_commands/k5srvutil.html
+++ b/doc/html/admin/admin_commands/k5srvutil.html
@@ -15,7 +15,7 @@
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: '../../',
- VERSION: '1.15.1',
+ VERSION: '1.16',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
HAS_SOURCE: true
@@ -200,7 +200,7 @@ place.</p>
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.15.1</i><br />
+ <div class="right" ><i>Release: 1.16</i><br />
&copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
</div>
<div class="left">
diff --git a/doc/html/admin/admin_commands/kadmin_local.html b/doc/html/admin/admin_commands/kadmin_local.html
index b1e796c3c214..270fc9376f04 100644
--- a/doc/html/admin/admin_commands/kadmin_local.html
+++ b/doc/html/admin/admin_commands/kadmin_local.html
@@ -15,7 +15,7 @@
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: '../../',
- VERSION: '1.15.1',
+ VERSION: '1.16',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
HAS_SOURCE: true
@@ -587,6 +587,12 @@ accepted values.</dd>
<dd>Enables One Time Passwords (OTP) preauthentication for a client
<em>principal</em>. The <em>value</em> is a JSON string representing an array
of objects, each having optional <tt class="docutils literal"><span class="pre">type</span></tt> and <tt class="docutils literal"><span class="pre">username</span></tt> fields.</dd>
+<dt><strong>pkinit_cert_match</strong></dt>
+<dd>Specifies a matching expression that defines the certificate
+attributes required for the client certificate used by the
+principal during PKINIT authentication. The matching expression
+is in the same format as those used by the <strong>pkinit_cert_match</strong>
+option in <a class="reference internal" href="../conf_files/krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a>. (New in release 1.16.)</dd>
</dl>
<p>This command requires the <strong>modify</strong> privilege.</p>
<p>Alias: <strong>setstr</strong></p>
@@ -958,7 +964,7 @@ interface to the OpenVision Kerberos administration program.</p>
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.15.1</i><br />
+ <div class="right" ><i>Release: 1.16</i><br />
&copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
</div>
<div class="left">
diff --git a/doc/html/admin/admin_commands/kadmind.html b/doc/html/admin/admin_commands/kadmind.html
index 7cf3d38e7726..d30f4cede9e9 100644
--- a/doc/html/admin/admin_commands/kadmind.html
+++ b/doc/html/admin/admin_commands/kadmind.html
@@ -15,7 +15,7 @@
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: '../../',
- VERSION: '1.15.1',
+ VERSION: '1.16',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
HAS_SOURCE: true
@@ -253,7 +253,7 @@ to full resync requests when iprop is enabled.</dd>
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.15.1</i><br />
+ <div class="right" ><i>Release: 1.16</i><br />
&copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
</div>
<div class="left">
diff --git a/doc/html/admin/admin_commands/kdb5_ldap_util.html b/doc/html/admin/admin_commands/kdb5_ldap_util.html
index 673118aac6b8..b47450502a01 100644
--- a/doc/html/admin/admin_commands/kdb5_ldap_util.html
+++ b/doc/html/admin/admin_commands/kdb5_ldap_util.html
@@ -15,7 +15,7 @@
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: '../../',
- VERSION: '1.15.1',
+ VERSION: '1.16',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
HAS_SOURCE: true
@@ -536,7 +536,7 @@ userpolicy
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.15.1</i><br />
+ <div class="right" ><i>Release: 1.16</i><br />
&copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
</div>
<div class="left">
diff --git a/doc/html/admin/admin_commands/kdb5_util.html b/doc/html/admin/admin_commands/kdb5_util.html
index 66fec5262644..87493732a708 100644
--- a/doc/html/admin/admin_commands/kdb5_util.html
+++ b/doc/html/admin/admin_commands/kdb5_util.html
@@ -15,7 +15,7 @@
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: '../../',
- VERSION: '1.15.1',
+ VERSION: '1.16',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
HAS_SOURCE: true
@@ -591,7 +591,7 @@ bar@EXAMPLE.COM 1 1 des-cbc-crc normal -1
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.15.1</i><br />
+ <div class="right" ><i>Release: 1.16</i><br />
&copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
</div>
<div class="left">
diff --git a/doc/html/admin/admin_commands/kprop.html b/doc/html/admin/admin_commands/kprop.html
index 962d316aab40..73939b48421a 100644
--- a/doc/html/admin/admin_commands/kprop.html
+++ b/doc/html/admin/admin_commands/kprop.html
@@ -15,7 +15,7 @@
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: '../../',
- VERSION: '1.15.1',
+ VERSION: '1.16',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
HAS_SOURCE: true
@@ -199,7 +199,7 @@ on the remote host.</dd>
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.15.1</i><br />
+ <div class="right" ><i>Release: 1.16</i><br />
&copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
</div>
<div class="left">
diff --git a/doc/html/admin/admin_commands/kpropd.html b/doc/html/admin/admin_commands/kpropd.html
index b8252223a043..163f4ac8cd75 100644
--- a/doc/html/admin/admin_commands/kpropd.html
+++ b/doc/html/admin/admin_commands/kpropd.html
@@ -15,7 +15,7 @@
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: '../../',
- VERSION: '1.15.1',
+ VERSION: '1.16',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
HAS_SOURCE: true
@@ -75,6 +75,7 @@
[<strong>-F</strong> <em>principal_database</em>]
[<strong>-p</strong> <em>kdb5_util_prog</em>]
[<strong>-P</strong> <em>port</em>]
+[<strong>&#8211;pid-file</strong>=<em>pid_file</em>]
[<strong>-d</strong>]
[<strong>-t</strong>]</p>
</div>
@@ -149,6 +150,9 @@ is only useful in combination with the <strong>-S</strong> option.</dd>
<dt><strong>-a</strong> <em>acl_file</em></dt>
<dd>Allows the user to specify the path to the kpropd.acl file; by
default the path used is <a class="reference internal" href="../../mitK5defaults.html#paths"><em>LOCALSTATEDIR</em></a><tt class="docutils literal"><span class="pre">/krb5kdc</span></tt><tt class="docutils literal"><span class="pre">/kpropd.acl</span></tt>.</dd>
+<dt><strong>&#8211;pid-file</strong>=<em>pid_file</em></dt>
+<dd>In standalone mode, write the process ID of the daemon into
+<em>pid_file</em>.</dd>
</dl>
</div>
<div class="section" id="environment">
@@ -262,7 +266,7 @@ will allow Kerberos database propagation via <a class="reference internal" href=
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.15.1</i><br />
+ <div class="right" ><i>Release: 1.16</i><br />
&copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
</div>
<div class="left">
diff --git a/doc/html/admin/admin_commands/kproplog.html b/doc/html/admin/admin_commands/kproplog.html
index a961170ccf98..50b7c7e4d35a 100644
--- a/doc/html/admin/admin_commands/kproplog.html
+++ b/doc/html/admin/admin_commands/kproplog.html
@@ -15,7 +15,7 @@
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: '../../',
- VERSION: '1.15.1',
+ VERSION: '1.16',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
HAS_SOURCE: true
@@ -225,7 +225,7 @@ output generated for one entry:</p>
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.15.1</i><br />
+ <div class="right" ><i>Release: 1.16</i><br />
&copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
</div>
<div class="left">
diff --git a/doc/html/admin/admin_commands/krb5kdc.html b/doc/html/admin/admin_commands/krb5kdc.html
index 22a0c0ca87e4..f39779bf4f0e 100644
--- a/doc/html/admin/admin_commands/krb5kdc.html
+++ b/doc/html/admin/admin_commands/krb5kdc.html
@@ -15,7 +15,7 @@
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: '../../',
- VERSION: '1.15.1',
+ VERSION: '1.16',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
HAS_SOURCE: true
@@ -253,7 +253,7 @@ description for further details.</p>
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.15.1</i><br />
+ <div class="right" ><i>Release: 1.16</i><br />
&copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
</div>
<div class="left">
diff --git a/doc/html/admin/admin_commands/ktutil.html b/doc/html/admin/admin_commands/ktutil.html
index de4700ef9cc1..ba95ebbe71ff 100644
--- a/doc/html/admin/admin_commands/ktutil.html
+++ b/doc/html/admin/admin_commands/ktutil.html
@@ -15,7 +15,7 @@
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: '../../',
- VERSION: '1.15.1',
+ VERSION: '1.16',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
HAS_SOURCE: true
@@ -130,7 +130,7 @@ V4 srvtab file.</p>
<h3>add_entry<a class="headerlink" href="#add-entry" title="Permalink to this headline">¶</a></h3>
<blockquote>
<div><strong>add_entry</strong> {<strong>-key</strong>|<strong>-password</strong>} <strong>-p</strong> <em>principal</em>
-<strong>-k</strong> <em>kvno</em> <strong>-e</strong> <em>enctype</em></div></blockquote>
+<strong>-k</strong> <em>kvno</em> <strong>-e</strong> <em>enctype</em> [<strong>-s</strong> <em>salt</em>]</div></blockquote>
<p>Add <em>principal</em> to keylist using key or password.</p>
<p>Alias: <strong>addent</strong></p>
</div>
@@ -268,7 +268,7 @@ ktutil:
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.15.1</i><br />
+ <div class="right" ><i>Release: 1.16</i><br />
&copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
</div>
<div class="left">
diff --git a/doc/html/admin/admin_commands/sserver.html b/doc/html/admin/admin_commands/sserver.html
index 15e622cf0b5d..1e5e1941f991 100644
--- a/doc/html/admin/admin_commands/sserver.html
+++ b/doc/html/admin/admin_commands/sserver.html
@@ -15,7 +15,7 @@
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: '../../',
- VERSION: '1.15.1',
+ VERSION: '1.16',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
HAS_SOURCE: true
@@ -246,7 +246,7 @@ probably not installed in the proper directory.</p>
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.15.1</i><br />
+ <div class="right" ><i>Release: 1.16</i><br />
&copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
</div>
<div class="left">
diff --git a/doc/html/admin/advanced/index.html b/doc/html/admin/advanced/index.html
index 223fd15864f6..603f95e2ecd8 100644
--- a/doc/html/admin/advanced/index.html
+++ b/doc/html/admin/advanced/index.html
@@ -15,7 +15,7 @@
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: '../../',
- VERSION: '1.15.1',
+ VERSION: '1.16',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
HAS_SOURCE: true
@@ -143,7 +143,7 @@
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.15.1</i><br />
+ <div class="right" ><i>Release: 1.16</i><br />
&copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
</div>
<div class="left">
diff --git a/doc/html/admin/advanced/ldapbackend.html b/doc/html/admin/advanced/ldapbackend.html
index e74d2b80770a..662067e84ff6 100644
--- a/doc/html/admin/advanced/ldapbackend.html
+++ b/doc/html/admin/advanced/ldapbackend.html
@@ -15,7 +15,7 @@
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: '../../',
- VERSION: '1.15.1',
+ VERSION: '1.16',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
HAS_SOURCE: true
@@ -280,7 +280,7 @@ master key stash:</p>
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.15.1</i><br />
+ <div class="right" ><i>Release: 1.16</i><br />
&copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
</div>
<div class="left">
diff --git a/doc/html/admin/advanced/retiring-des.html b/doc/html/admin/advanced/retiring-des.html
index ec846446c12f..8ac29b3dca51 100644
--- a/doc/html/admin/advanced/retiring-des.html
+++ b/doc/html/admin/advanced/retiring-des.html
@@ -15,7 +15,7 @@
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: '../../',
- VERSION: '1.15.1',
+ VERSION: '1.16',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
HAS_SOURCE: true
@@ -526,7 +526,7 @@ converted to the new master key.</p>
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.15.1</i><br />
+ <div class="right" ><i>Release: 1.16</i><br />
&copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
</div>
<div class="left">
diff --git a/doc/html/admin/appl_servers.html b/doc/html/admin/appl_servers.html
index ef7f37524d9c..09dea1613c52 100644
--- a/doc/html/admin/appl_servers.html
+++ b/doc/html/admin/appl_servers.html
@@ -15,7 +15,7 @@
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: '../',
- VERSION: '1.15.1',
+ VERSION: '1.16',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
HAS_SOURCE: true
@@ -332,7 +332,7 @@ point for learning to configure firewalls.</p>
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.15.1</i><br />
+ <div class="right" ><i>Release: 1.16</i><br />
&copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
</div>
<div class="left">
diff --git a/doc/html/admin/auth_indicator.html b/doc/html/admin/auth_indicator.html
index 0d91bfe5f5cd..25f97cfe94b5 100644
--- a/doc/html/admin/auth_indicator.html
+++ b/doc/html/admin/auth_indicator.html
@@ -15,7 +15,7 @@
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: '../',
- VERSION: '1.15.1',
+ VERSION: '1.16',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
HAS_SOURCE: true
@@ -182,7 +182,7 @@ attribute.</p>
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.15.1</i><br />
+ <div class="right" ><i>Release: 1.16</i><br />
&copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
</div>
<div class="left">
diff --git a/doc/html/admin/backup_host.html b/doc/html/admin/backup_host.html
index c62dfd5b6809..9e005ec8557a 100644
--- a/doc/html/admin/backup_host.html
+++ b/doc/html/admin/backup_host.html
@@ -15,7 +15,7 @@
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: '../',
- VERSION: '1.15.1',
+ VERSION: '1.16',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
HAS_SOURCE: true
@@ -167,7 +167,7 @@ corrupted, you can load the most recent dump onto the master KDC.
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.15.1</i><br />
+ <div class="right" ><i>Release: 1.16</i><br />
&copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
</div>
<div class="left">
diff --git a/doc/html/admin/conf_files/index.html b/doc/html/admin/conf_files/index.html
index 8b6207cb6a03..2325611706ae 100644
--- a/doc/html/admin/conf_files/index.html
+++ b/doc/html/admin/conf_files/index.html
@@ -15,7 +15,7 @@
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: '../../',
- VERSION: '1.15.1',
+ VERSION: '1.16',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
HAS_SOURCE: true
@@ -159,7 +159,7 @@ KDC database.</p>
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.15.1</i><br />
+ <div class="right" ><i>Release: 1.16</i><br />
&copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
</div>
<div class="left">
diff --git a/doc/html/admin/conf_files/kadm5_acl.html b/doc/html/admin/conf_files/kadm5_acl.html
index 640fc7bc1c9c..05eab8bbae62 100644
--- a/doc/html/admin/conf_files/kadm5_acl.html
+++ b/doc/html/admin/conf_files/kadm5_acl.html
@@ -15,7 +15,7 @@
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: '../../',
- VERSION: '1.15.1',
+ VERSION: '1.16',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
HAS_SOURCE: true
@@ -203,15 +203,16 @@ joeadmin/*@ATHENA.MIT.EDU i */root@ATHENA.MIT.EDU # line 3
sms@ATHENA.MIT.EDU x * -maxlife 9h -postdateable # line 6
</pre></div>
</div>
-<p>(line 1) Any principal in the <tt class="docutils literal"><span class="pre">ATHENA.MIT.EDU</span></tt> realm with
-an <tt class="docutils literal"><span class="pre">admin</span></tt> instance has all administrative privileges.</p>
-<p>(lines 1-3) The user <tt class="docutils literal"><span class="pre">joeadmin</span></tt> has all permissions with his
-<tt class="docutils literal"><span class="pre">admin</span></tt> instance, <tt class="docutils literal"><span class="pre">joeadmin/admin&#64;ATHENA.MIT.EDU</span></tt> (matches line
-1). He has no permissions at all with his null instance,
-<tt class="docutils literal"><span class="pre">joeadmin&#64;ATHENA.MIT.EDU</span></tt> (matches line 2). His <tt class="docutils literal"><span class="pre">root</span></tt> and other
-non-<tt class="docutils literal"><span class="pre">admin</span></tt>, non-null instances (e.g., <tt class="docutils literal"><span class="pre">extra</span></tt> or <tt class="docutils literal"><span class="pre">dbadmin</span></tt>) have
-inquire permissions with any principal that has the instance <tt class="docutils literal"><span class="pre">root</span></tt>
-(matches line 3).</p>
+<p>(line 1) Any principal in the <tt class="docutils literal"><span class="pre">ATHENA.MIT.EDU</span></tt> realm with an
+<tt class="docutils literal"><span class="pre">admin</span></tt> instance has all administrative privileges except extracting
+keys.</p>
+<p>(lines 1-3) The user <tt class="docutils literal"><span class="pre">joeadmin</span></tt> has all permissions except
+extracting keys with his <tt class="docutils literal"><span class="pre">admin</span></tt> instance,
+<tt class="docutils literal"><span class="pre">joeadmin/admin&#64;ATHENA.MIT.EDU</span></tt> (matches line 1). He has no
+permissions at all with his null instance, <tt class="docutils literal"><span class="pre">joeadmin&#64;ATHENA.MIT.EDU</span></tt>
+(matches line 2). His <tt class="docutils literal"><span class="pre">root</span></tt> and other non-<tt class="docutils literal"><span class="pre">admin</span></tt>, non-null
+instances (e.g., <tt class="docutils literal"><span class="pre">extra</span></tt> or <tt class="docutils literal"><span class="pre">dbadmin</span></tt>) have inquire permissions
+with any principal that has the instance <tt class="docutils literal"><span class="pre">root</span></tt> (matches line 3).</p>
<p>(line 4) Any <tt class="docutils literal"><span class="pre">root</span></tt> principal in <tt class="docutils literal"><span class="pre">ATHENA.MIT.EDU</span></tt> can inquire
or change the password of their null instance, but not any other
null instance. (Here, <tt class="docutils literal"><span class="pre">*1</span></tt> denotes a back-reference to the
@@ -222,9 +223,20 @@ in the database. This line is separate from line 4, because list
permission can only be granted globally, not to specific target
principals.</p>
<p>(line 6) Finally, the Service Management System principal
-<tt class="docutils literal"><span class="pre">sms&#64;ATHENA.MIT.EDU</span></tt> has all permissions, but any principal that it
-creates or modifies will not be able to get postdateable tickets or
-tickets with a life of longer than 9 hours.</p>
+<tt class="docutils literal"><span class="pre">sms&#64;ATHENA.MIT.EDU</span></tt> has all permissions except extracting keys, but
+any principal that it creates or modifies will not be able to get
+postdateable tickets or tickets with a life of longer than 9 hours.</p>
+</div>
+<div class="section" id="module-behavior">
+<h2>MODULE BEHAVIOR<a class="headerlink" href="#module-behavior" title="Permalink to this headline">¶</a></h2>
+<p>The ACL file can coexist with other authorization modules in release
+1.16 and later, as configured in the <a class="reference internal" href="krb5_conf.html#kadm5-auth"><em>kadm5_auth interface</em></a> section of
+<a class="reference internal" href="krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a>. The ACL file will positively authorize
+operations according to the rules above, but will never
+authoritatively deny an operation, so other modules can authorize
+operations in addition to those authorized by the ACL file.</p>
+<p>To operate without an ACL file, set the <em>acl_file</em> variable in
+<a class="reference internal" href="kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> to the empty string with <tt class="docutils literal"><span class="pre">acl_file</span> <span class="pre">=</span> <span class="pre">&quot;&quot;</span></tt>.</p>
</div>
<div class="section" id="see-also">
<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2>
@@ -244,6 +256,7 @@ tickets with a life of longer than 9 hours.</p>
<li><a class="reference internal" href="#description">DESCRIPTION</a></li>
<li><a class="reference internal" href="#syntax">SYNTAX</a></li>
<li><a class="reference internal" href="#example">EXAMPLE</a></li>
+<li><a class="reference internal" href="#module-behavior">MODULE BEHAVIOR</a></li>
<li><a class="reference internal" href="#see-also">SEE ALSO</a></li>
</ul>
</li>
@@ -309,7 +322,7 @@ tickets with a life of longer than 9 hours.</p>
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.15.1</i><br />
+ <div class="right" ><i>Release: 1.16</i><br />
&copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
</div>
<div class="left">
diff --git a/doc/html/admin/conf_files/kdc_conf.html b/doc/html/admin/conf_files/kdc_conf.html
index b81a78f740f7..183e63cd26d8 100644
--- a/doc/html/admin/conf_files/kdc_conf.html
+++ b/doc/html/admin/conf_files/kdc_conf.html
@@ -15,7 +15,7 @@
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: '../../',
- VERSION: '1.15.1',
+ VERSION: '1.16',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
HAS_SOURCE: true
@@ -149,9 +149,10 @@ to define one parameter for the ATHENA.MIT.EDU realm:</p>
<dt><strong>acl_file</strong></dt>
<dd>(String.) Location of the access control list file that
<a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a> uses to determine which principals are allowed
-which permissions on the Kerberos database. The default value is
-<a class="reference internal" href="../../mitK5defaults.html#paths"><em>LOCALSTATEDIR</em></a><tt class="docutils literal"><span class="pre">/krb5kdc</span></tt><tt class="docutils literal"><span class="pre">/kadm5.acl</span></tt>. For more information on Kerberos ACL
-file see <a class="reference internal" href="kadm5_acl.html#kadm5-acl-5"><em>kadm5.acl</em></a>.</dd>
+which permissions on the Kerberos database. To operate without an
+ACL file, set this relation to the empty string with <tt class="docutils literal"><span class="pre">acl_file</span> <span class="pre">=</span>
+<span class="pre">&quot;&quot;</span></tt>. The default value is <a class="reference internal" href="../../mitK5defaults.html#paths"><em>LOCALSTATEDIR</em></a><tt class="docutils literal"><span class="pre">/krb5kdc</span></tt><tt class="docutils literal"><span class="pre">/kadm5.acl</span></tt>. For more
+information on Kerberos ACL file see <a class="reference internal" href="kadm5_acl.html#kadm5-acl-5"><em>kadm5.acl</em></a>.</dd>
<dt><strong>database_module</strong></dt>
<dd>(String.) This relation indicates the name of the configuration
section under <a class="reference internal" href="#dbmodules"><em>[dbmodules]</em></a> for database-specific parameters
@@ -242,6 +243,10 @@ are not allowed as passwords. The file should contain one string
per line, with no additional whitespace. If none is specified or
if there is no policy assigned to the principal, no dictionary
checks of passwords will be performed.</dd>
+<dt><strong>encrypted_challenge_indicator</strong></dt>
+<dd>(String.) Specifies the authentication indicator value that the KDC
+asserts into tickets obtained using FAST encrypted challenge
+pre-authentication. New in 1.16.</dd>
<dt><strong>host_based_services</strong></dt>
<dd>(Whitespace- or comma-separated list.) Lists services which will
get host-based referral processing even if the server principal is
@@ -741,8 +746,6 @@ This option is required if pkinit is to be supported by the KDC.</dd>
<dd>Specifies an authentication indicator to include in the ticket if
pkinit is used to authenticate. This option may be specified
multiple times. (New in release 1.14.)</dd>
-<dt><strong>pkinit_kdc_ocsp</strong></dt>
-<dd>Specifies the location of the KDC&#8217;s OCSP.</dd>
<dt><strong>pkinit_pool</strong></dt>
<dd>Specifies the location of intermediate certificates which may be
used by the KDC to complete the trust chain between a client&#8217;s
@@ -776,8 +779,8 @@ Encryption types marked as &#8220;weak&#8221; are available for compatibility bu
not recommended for use.</p>
<table border="1" class="docutils">
<colgroup>
-<col width="44%" />
-<col width="56%" />
+<col width="30%" />
+<col width="70%" />
</colgroup>
<tbody valign="top">
<tr class="row-odd"><td>des-cbc-crc</td>
@@ -832,7 +835,7 @@ not recommended for use.</p>
<td>The triple DES family: des3-cbc-sha1</td>
</tr>
<tr class="row-even"><td>aes</td>
-<td>The AES family: aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96</td>
+<td>The AES family: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha384-192, and aes128-cts-hmac-sha256-128</td>
</tr>
<tr class="row-odd"><td>rc4</td>
<td>The RC4 family: arcfour-hmac</td>
@@ -1045,7 +1048,7 @@ follows:</p>
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.15.1</i><br />
+ <div class="right" ><i>Release: 1.16</i><br />
&copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
</div>
<div class="left">
diff --git a/doc/html/admin/conf_files/krb5_conf.html b/doc/html/admin/conf_files/krb5_conf.html
index ca50e7ad27f1..70144fa0bde9 100644
--- a/doc/html/admin/conf_files/krb5_conf.html
+++ b/doc/html/admin/conf_files/krb5_conf.html
@@ -15,7 +15,7 @@
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: '../../',
- VERSION: '1.15.1',
+ VERSION: '1.16',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
HAS_SOURCE: true
@@ -112,9 +112,10 @@ includedir DIRNAME
directory must exist and be readable. Including a directory includes
all files within the directory whose names consist solely of
alphanumeric characters, dashes, or underscores. Starting in release
-1.15, files with names ending in &#8221;.conf&#8221; are also included. Included
-profile files are syntactically independent of their parents, so each
-included file must begin with a section header.</p>
+1.15, files with names ending in &#8221;.conf&#8221; are also included, unless the
+name begins with &#8221;.&#8221;. Included profile files are syntactically
+independent of their parents, so each included file must begin with a
+section header.</p>
<p>The krb5.conf file can specify that configuration should be obtained
from a loadable module, rather than the file itself, using the
following directive at the beginning of a line before any section
@@ -223,7 +224,7 @@ the client should request when making a TGS-REQ, in order of
preference from highest to lowest. The list may be delimited with
commas or whitespace. See <a class="reference internal" href="kdc_conf.html#encryption-types"><em>Encryption types</em></a> in
<a class="reference internal" href="kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> for a list of the accepted values for this tag.
-The default value is <tt class="docutils literal"><span class="pre">aes256-cts-hmac-sha1-96</span> <span class="pre">aes128-cts-hmac-sha1-96</span> <span class="pre">des3-cbc-sha1</span> <span class="pre">arcfour-hmac-md5</span> <span class="pre">camellia256-cts-cmac</span> <span class="pre">camellia128-cts-cmac</span> <span class="pre">des-cbc-crc</span> <span class="pre">des-cbc-md5</span> <span class="pre">des-cbc-md4</span></tt>, but single-DES encryption types
+The default value is <tt class="docutils literal"><span class="pre">aes256-cts-hmac-sha1-96</span> <span class="pre">aes128-cts-hmac-sha1-96</span> <span class="pre">aes256-cts-hmac-sha384-192</span> <span class="pre">aes128-cts-hmac-sha256-128</span> <span class="pre">des3-cbc-sha1</span> <span class="pre">arcfour-hmac-md5</span> <span class="pre">camellia256-cts-cmac</span> <span class="pre">camellia128-cts-cmac</span> <span class="pre">des-cbc-crc</span> <span class="pre">des-cbc-md5</span> <span class="pre">des-cbc-md4</span></tt>, but single-DES encryption types
will be implicitly removed from this list if the value of
<strong>allow_weak_crypto</strong> is false.</p>
<p class="last">Do not set this unless required for specific backward
@@ -236,7 +237,7 @@ libraries are upgraded.</p>
the client should request when making an AS-REQ, in order of
preference from highest to lowest. The format is the same as for
default_tgs_enctypes. The default value for this tag is
-<tt class="docutils literal"><span class="pre">aes256-cts-hmac-sha1-96</span> <span class="pre">aes128-cts-hmac-sha1-96</span> <span class="pre">des3-cbc-sha1</span> <span class="pre">arcfour-hmac-md5</span> <span class="pre">camellia256-cts-cmac</span> <span class="pre">camellia128-cts-cmac</span> <span class="pre">des-cbc-crc</span> <span class="pre">des-cbc-md5</span> <span class="pre">des-cbc-md4</span></tt>, but single-DES encryption types will be implicitly
+<tt class="docutils literal"><span class="pre">aes256-cts-hmac-sha1-96</span> <span class="pre">aes128-cts-hmac-sha1-96</span> <span class="pre">aes256-cts-hmac-sha384-192</span> <span class="pre">aes128-cts-hmac-sha256-128</span> <span class="pre">des3-cbc-sha1</span> <span class="pre">arcfour-hmac-md5</span> <span class="pre">camellia256-cts-cmac</span> <span class="pre">camellia128-cts-cmac</span> <span class="pre">des-cbc-crc</span> <span class="pre">des-cbc-md5</span> <span class="pre">des-cbc-md4</span></tt>, but single-DES encryption types will be implicitly
removed from this list if the value of <strong>allow_weak_crypto</strong> is
false.</p>
<p class="last">Do not set this unless required for specific backward
@@ -308,7 +309,7 @@ files in the user&#8217;s home directory, with the filename .k5login.
For security reasons, .k5login files must be owned by
the local user or by root.</dd>
<dt><strong>kcm_mach_service</strong></dt>
-<dd>On OS X only, determines the name of the bootstrap service used to
+<dd>On macOS only, determines the name of the bootstrap service used to
contact the KCM daemon for the KCM credential cache type. If the
value is <tt class="docutils literal"><span class="pre">-</span></tt>, Mach RPC will not be used to contact the KCM
daemon. The default value is <tt class="docutils literal"><span class="pre">org.h5l.kcm</span></tt>.</dd>
@@ -379,7 +380,7 @@ used across NATs. The default value is true.</dd>
<dt><strong>permitted_enctypes</strong></dt>
<dd>Identifies all encryption types that are permitted for use in
session key encryption. The default value for this tag is
-<tt class="docutils literal"><span class="pre">aes256-cts-hmac-sha1-96</span> <span class="pre">aes128-cts-hmac-sha1-96</span> <span class="pre">des3-cbc-sha1</span> <span class="pre">arcfour-hmac-md5</span> <span class="pre">camellia256-cts-cmac</span> <span class="pre">camellia128-cts-cmac</span> <span class="pre">des-cbc-crc</span> <span class="pre">des-cbc-md5</span> <span class="pre">des-cbc-md4</span></tt>, but single-DES encryption types will be implicitly
+<tt class="docutils literal"><span class="pre">aes256-cts-hmac-sha1-96</span> <span class="pre">aes128-cts-hmac-sha1-96</span> <span class="pre">aes256-cts-hmac-sha384-192</span> <span class="pre">aes128-cts-hmac-sha256-128</span> <span class="pre">des3-cbc-sha1</span> <span class="pre">arcfour-hmac-md5</span> <span class="pre">camellia256-cts-cmac</span> <span class="pre">camellia128-cts-cmac</span> <span class="pre">des-cbc-crc</span> <span class="pre">des-cbc-md5</span> <span class="pre">des-cbc-md4</span></tt>, but single-DES encryption types will be implicitly
removed from this list if the value of <strong>allow_weak_crypto</strong> is
false.</dd>
<dt><strong>plugin_base_dir</strong></dt>
@@ -749,6 +750,9 @@ client principal</dd>
<dt><strong>realm</strong></dt>
<dd>Uses the service realm to guess an appropriate cache from the
collection</dd>
+<dt><strong>hostname</strong></dt>
+<dd>If the service principal is host-based, uses the service hostname
+to guess an appropriate cache from the collection</dd>
</dl>
</div>
<div class="section" id="pwqual-interface">
@@ -776,6 +780,23 @@ interface can be used to write a plugin to synchronize MIT Kerberos
with another database such as Active Directory. No plugins are built
in for this interface.</p>
</div>
+<div class="section" id="kadm5-auth-interface">
+<span id="kadm5-auth"></span><h4>kadm5_auth interface<a class="headerlink" href="#kadm5-auth-interface" title="Permalink to this headline">¶</a></h4>
+<p>The kadm5_auth section (introduced in release 1.16) controls modules
+for the kadmin authorization interface, which determines whether a
+client principal is allowed to perform a kadmin operation. The
+following built-in modules exist for this interface:</p>
+<dl class="docutils">
+<dt><strong>acl</strong></dt>
+<dd>This module reads the <a class="reference internal" href="kadm5_acl.html#kadm5-acl-5"><em>kadm5.acl</em></a> file, and authorizes
+operations which are allowed according to the rules in the file.</dd>
+<dt><strong>self</strong></dt>
+<dd>This module authorizes self-service operations including password
+changes, creation of new random keys, fetching the client&#8217;s
+principal record or string attributes, and fetching the policy
+record associated with the client principal.</dd>
+</dl>
+</div>
<div class="section" id="clpreauth-and-kdcpreauth-interfaces">
<span id="kdcpreauth"></span><span id="clpreauth"></span><h4>clpreauth and kdcpreauth interfaces<a class="headerlink" href="#clpreauth-and-kdcpreauth-interfaces" title="Permalink to this headline">¶</a></h4>
<p>The clpreauth and kdcpreauth interfaces allow plugin modules to
@@ -840,6 +861,28 @@ the account&#8217;s <a class="reference internal" href="../../user/user_config/k
principal name maps to the local account name.</dd>
</dl>
</div>
+<div class="section" id="certauth-interface">
+<span id="certauth"></span><h4>certauth interface<a class="headerlink" href="#certauth-interface" title="Permalink to this headline">¶</a></h4>
+<p>The certauth section (introduced in release 1.16) controls modules for
+the certificate authorization interface, which determines whether a
+certificate is allowed to preauthenticate a user via PKINIT. The
+following built-in modules exist for this interface:</p>
+<dl class="docutils">
+<dt><strong>pkinit_san</strong></dt>
+<dd>This module authorizes the certificate if it contains a PKINIT
+Subject Alternative Name for the requested client principal, or a
+Microsoft UPN SAN matching the principal if <strong>pkinit_allow_upn</strong>
+is set to true for the realm.</dd>
+<dt><strong>pkinit_eku</strong></dt>
+<dd>This module rejects the certificate if it does not contain an
+Extended Key Usage attribute consistent with the
+<strong>pkinit_eku_checking</strong> value for the realm.</dd>
+<dt><strong>dbmatch</strong></dt>
+<dd>This module authorizes or rejects the certificate according to
+whether it matches the <strong>pkinit_cert_match</strong> string attribute on
+the client principal, if that attribute is present.</dd>
+</dl>
+</div>
</div>
</div>
<div class="section" id="pkinit-options">
@@ -1195,9 +1238,11 @@ Valid parameters are:</p>
<li><a class="reference internal" href="#ccselect-interface">ccselect interface</a></li>
<li><a class="reference internal" href="#pwqual-interface">pwqual interface</a></li>
<li><a class="reference internal" href="#kadm5-hook-interface">kadm5_hook interface</a></li>
+<li><a class="reference internal" href="#kadm5-auth-interface">kadm5_auth interface</a></li>
<li><a class="reference internal" href="#clpreauth-and-kdcpreauth-interfaces">clpreauth and kdcpreauth interfaces</a></li>
<li><a class="reference internal" href="#hostrealm-interface">hostrealm interface</a></li>
<li><a class="reference internal" href="#localauth-interface">localauth interface</a></li>
+<li><a class="reference internal" href="#certauth-interface">certauth interface</a></li>
</ul>
</li>
</ul>
@@ -1275,7 +1320,7 @@ Valid parameters are:</p>
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.15.1</i><br />
+ <div class="right" ><i>Release: 1.16</i><br />
&copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
</div>
<div class="left">
diff --git a/doc/html/admin/conf_ldap.html b/doc/html/admin/conf_ldap.html
index 7cdd64dd2cb4..2a9b830ca2a7 100644
--- a/doc/html/admin/conf_ldap.html
+++ b/doc/html/admin/conf_ldap.html
@@ -15,7 +15,7 @@
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: '../',
- VERSION: '1.15.1',
+ VERSION: '1.16',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
HAS_SOURCE: true
@@ -304,7 +304,7 @@ for initial ticket requests.</p>
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.15.1</i><br />
+ <div class="right" ><i>Release: 1.16</i><br />
&copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
</div>
<div class="left">
diff --git a/doc/html/admin/database.html b/doc/html/admin/database.html
index dc1cd1971fc9..3b52d123088c 100644
--- a/doc/html/admin/database.html
+++ b/doc/html/admin/database.html
@@ -15,7 +15,7 @@
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: '../',
- VERSION: '1.15.1',
+ VERSION: '1.16',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
HAS_SOURCE: true
@@ -1834,7 +1834,7 @@ config file, and the per-slave dump files are stored in
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.15.1</i><br />
+ <div class="right" ><i>Release: 1.16</i><br />
&copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
</div>
<div class="left">
diff --git a/doc/html/admin/enctypes.html b/doc/html/admin/enctypes.html
index 1cee3212704b..56e5b6be0ae2 100644
--- a/doc/html/admin/enctypes.html
+++ b/doc/html/admin/enctypes.html
@@ -15,7 +15,7 @@
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: '../',
- VERSION: '1.15.1',
+ VERSION: '1.16',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
HAS_SOURCE: true
@@ -321,7 +321,7 @@ single-DES enctypes by default.</p>
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.15.1</i><br />
+ <div class="right" ><i>Release: 1.16</i><br />
&copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
</div>
<div class="left">
diff --git a/doc/html/admin/env_variables.html b/doc/html/admin/env_variables.html
index 087accf2a729..a5a6c8ae1109 100644
--- a/doc/html/admin/env_variables.html
+++ b/doc/html/admin/env_variables.html
@@ -15,7 +15,7 @@
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: '../',
- VERSION: '1.15.1',
+ VERSION: '1.16',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
HAS_SOURCE: true
@@ -168,7 +168,7 @@ programs).</dd>
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.15.1</i><br />
+ <div class="right" ><i>Release: 1.16</i><br />
&copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
</div>
<div class="left">
diff --git a/doc/html/admin/host_config.html b/doc/html/admin/host_config.html
index 809a2db19269..3c0dbaa87656 100644
--- a/doc/html/admin/host_config.html
+++ b/doc/html/admin/host_config.html
@@ -15,7 +15,7 @@
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: '../',
- VERSION: '1.15.1',
+ VERSION: '1.16',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
HAS_SOURCE: true
@@ -342,7 +342,7 @@ take over, and the rest of krb5.conf will be ignored.</p>
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.15.1</i><br />
+ <div class="right" ><i>Release: 1.16</i><br />
&copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
</div>
<div class="left">
diff --git a/doc/html/admin/https.html b/doc/html/admin/https.html
index 4dcdc1b25d44..7429ffb922ee 100644
--- a/doc/html/admin/https.html
+++ b/doc/html/admin/https.html
@@ -15,7 +15,7 @@
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: '../',
- VERSION: '1.15.1',
+ VERSION: '1.16',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
HAS_SOURCE: true
@@ -176,7 +176,7 @@ as <tt class="docutils literal"><span class="pre">kinit</span></tt>, <tt class="
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.15.1</i><br />
+ <div class="right" ><i>Release: 1.16</i><br />
&copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
</div>
<div class="left">
diff --git a/doc/html/admin/index.html b/doc/html/admin/index.html
index adfb25bb083c..54fffddfba05 100644
--- a/doc/html/admin/index.html
+++ b/doc/html/admin/index.html
@@ -15,7 +15,7 @@
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: '../',
- VERSION: '1.15.1',
+ VERSION: '1.16',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
HAS_SOURCE: true
@@ -163,7 +163,7 @@
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.15.1</i><br />
+ <div class="right" ><i>Release: 1.16</i><br />
&copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
</div>
<div class="left">
diff --git a/doc/html/admin/install.html b/doc/html/admin/install.html
index ba51b3e151d9..9c321e46a69f 100644
--- a/doc/html/admin/install.html
+++ b/doc/html/admin/install.html
@@ -15,7 +15,7 @@
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: '../',
- VERSION: '1.15.1',
+ VERSION: '1.16',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
HAS_SOURCE: true
@@ -178,7 +178,7 @@
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.15.1</i><br />
+ <div class="right" ><i>Release: 1.16</i><br />
&copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
</div>
<div class="left">
diff --git a/doc/html/admin/install_appl_srv.html b/doc/html/admin/install_appl_srv.html
index 21a292e941d1..753e53d0f1cb 100644
--- a/doc/html/admin/install_appl_srv.html
+++ b/doc/html/admin/install_appl_srv.html
@@ -15,7 +15,7 @@
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: '../',
- VERSION: '1.15.1',
+ VERSION: '1.16',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
HAS_SOURCE: true
@@ -211,7 +211,7 @@ readable only by root.</p>
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.15.1</i><br />
+ <div class="right" ><i>Release: 1.16</i><br />
&copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
</div>
<div class="left">
diff --git a/doc/html/admin/install_clients.html b/doc/html/admin/install_clients.html
index a75799d4b763..9c4fabbd0f03 100644
--- a/doc/html/admin/install_clients.html
+++ b/doc/html/admin/install_clients.html
@@ -15,7 +15,7 @@
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: '../',
- VERSION: '1.15.1',
+ VERSION: '1.16',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
HAS_SOURCE: true
@@ -188,7 +188,7 @@ krb5.conf.</p>
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.15.1</i><br />
+ <div class="right" ><i>Release: 1.16</i><br />
&copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
</div>
<div class="left">
diff --git a/doc/html/admin/install_kdc.html b/doc/html/admin/install_kdc.html
index ceec8cb320fd..b3984a5ed599 100644
--- a/doc/html/admin/install_kdc.html
+++ b/doc/html/admin/install_kdc.html
@@ -15,7 +15,7 @@
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: '../',
- VERSION: '1.15.1',
+ VERSION: '1.16',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
HAS_SOURCE: true
@@ -631,7 +631,7 @@ for details.</p>
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.15.1</i><br />
+ <div class="right" ><i>Release: 1.16</i><br />
&copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
</div>
<div class="left">
diff --git a/doc/html/admin/lockout.html b/doc/html/admin/lockout.html
index 96cae8efd487..ad1b66e5458c 100644
--- a/doc/html/admin/lockout.html
+++ b/doc/html/admin/lockout.html
@@ -15,7 +15,7 @@
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: '../',
- VERSION: '1.15.1',
+ VERSION: '1.16',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
HAS_SOURCE: true
@@ -276,7 +276,7 @@ read access, account lockout will not function.</p>
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.15.1</i><br />
+ <div class="right" ><i>Release: 1.16</i><br />
&copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
</div>
<div class="left">
diff --git a/doc/html/admin/otp.html b/doc/html/admin/otp.html
index 7c99a4e135d1..4375c3ff6bbb 100644
--- a/doc/html/admin/otp.html
+++ b/doc/html/admin/otp.html
@@ -15,7 +15,7 @@
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: '../',
- VERSION: '1.15.1',
+ VERSION: '1.16',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
HAS_SOURCE: true
@@ -224,7 +224,7 @@ equivalent to one DEFAULT token (<tt class="docutils literal"><span class="pre">
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.15.1</i><br />
+ <div class="right" ><i>Release: 1.16</i><br />
&copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
</div>
<div class="left">
diff --git a/doc/html/admin/pkinit.html b/doc/html/admin/pkinit.html
index 60645816cd16..50e073c82f0f 100644
--- a/doc/html/admin/pkinit.html
+++ b/doc/html/admin/pkinit.html
@@ -15,7 +15,7 @@
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: '../',
- VERSION: '1.15.1',
+ VERSION: '1.16',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
HAS_SOURCE: true
@@ -266,6 +266,25 @@ time as follows:</p>
<div class="highlight-python"><div class="highlight"><pre>kadmin -q &#39;add_principal +requires_preauth -nokey YOUR_PRINCNAME&#39;
</pre></div>
</div>
+<p>By default, the KDC requires PKINIT client certificates to have the
+standard Extended Key Usage and Subject Alternative Name attributes
+for PKINIT. Starting in release 1.16, it is possible to authorize
+client certificates based on the subject or other criteria instead of
+the standard PKINIT Subject Alternative Name, by setting the
+<strong>pkinit_cert_match</strong> string attribute on each client principal entry.
+For example:</p>
+<div class="highlight-python"><div class="highlight"><pre>kadmin set_string user@REALM pkinit_cert_match &quot;&lt;SUBJECT&gt;CN=user@REALM$&quot;
+</pre></div>
+</div>
+<p>The <strong>pkinit_cert_match</strong> string attribute follows the syntax used by
+the <a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a> <strong>pkinit_cert_match</strong> relation. To allow the
+use of non-PKINIT client certificates, it will also be necessary to
+disable key usage checking using the <strong>pkinit_eku_checking</strong> relation;
+for example:</p>
+<div class="highlight-python"><div class="highlight"><pre>[kdcdefaults]
+ pkinit_eku_checking = none
+</pre></div>
+</div>
</div>
<div class="section" id="configuring-the-clients">
<h2>Configuring the clients<a class="headerlink" href="#configuring-the-clients" title="Permalink to this headline">¶</a></h2>
@@ -423,7 +442,7 @@ will have the client name <tt class="docutils literal"><span class="pre">WELLKNO
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.15.1</i><br />
+ <div class="right" ><i>Release: 1.16</i><br />
&copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
</div>
<div class="left">
diff --git a/doc/html/admin/princ_dns.html b/doc/html/admin/princ_dns.html
index b1097c57a0f6..ecf6c969c612 100644
--- a/doc/html/admin/princ_dns.html
+++ b/doc/html/admin/princ_dns.html
@@ -15,7 +15,7 @@
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: '../',
- VERSION: '1.15.1',
+ VERSION: '1.16',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
HAS_SOURCE: true
@@ -238,7 +238,7 @@ krb5-1.10 or later.</p>
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.15.1</i><br />
+ <div class="right" ><i>Release: 1.16</i><br />
&copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
</div>
<div class="left">
diff --git a/doc/html/admin/realm_config.html b/doc/html/admin/realm_config.html
index c64eeab32de2..2d5ca3ae7918 100644
--- a/doc/html/admin/realm_config.html
+++ b/doc/html/admin/realm_config.html
@@ -15,7 +15,7 @@
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: '../',
- VERSION: '1.15.1',
+ VERSION: '1.16',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
HAS_SOURCE: true
@@ -245,7 +245,7 @@ to other transport types, or find a master server. The URI record can
convey more information about a realm&#8217;s KDCs with a single query.</p>
<p>The client performs a query for the following URI records:</p>
<ul class="simple">
-<li><tt class="docutils literal"><span class="pre">_kerberos.REALM</span></tt> for fiding KDCs.</li>
+<li><tt class="docutils literal"><span class="pre">_kerberos.REALM</span></tt> for finding KDCs.</li>
<li><tt class="docutils literal"><span class="pre">_kerberos-adm.REALM</span></tt> for finding kadmin services.</li>
<li><tt class="docutils literal"><span class="pre">_kpasswd.REALM</span></tt> for finding password services.</li>
</ul>
@@ -375,7 +375,7 @@ database to additional slaves.</p>
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.15.1</i><br />
+ <div class="right" ><i>Release: 1.16</i><br />
&copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
</div>
<div class="left">
diff --git a/doc/html/admin/troubleshoot.html b/doc/html/admin/troubleshoot.html
index 85782d4b97f7..96d17b09d369 100644
--- a/doc/html/admin/troubleshoot.html
+++ b/doc/html/admin/troubleshoot.html
@@ -15,7 +15,7 @@
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: '../',
- VERSION: '1.15.1',
+ VERSION: '1.16',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
HAS_SOURCE: true
@@ -249,7 +249,7 @@ location on the slave.</li>
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.15.1</i><br />
+ <div class="right" ><i>Release: 1.16</i><br />
&copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
</div>
<div class="left">
diff --git a/doc/html/admin/various_envs.html b/doc/html/admin/various_envs.html
index 23c8e7bb5b66..7dfb6478b4e0 100644
--- a/doc/html/admin/various_envs.html
+++ b/doc/html/admin/various_envs.html
@@ -15,7 +15,7 @@
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: '../',
- VERSION: '1.15.1',
+ VERSION: '1.16',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
HAS_SOURCE: true
@@ -165,7 +165,7 @@
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.15.1</i><br />
+ <div class="right" ><i>Release: 1.16</i><br />
&copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
</div>
<div class="left">