diff options
Diffstat (limited to 'src/man')
31 files changed, 8001 insertions, 0 deletions
diff --git a/src/man/Makefile.in b/src/man/Makefile.in new file mode 100644 index 000000000000..4bc670badf6c --- /dev/null +++ b/src/man/Makefile.in @@ -0,0 +1,144 @@ +mydir=man +BUILDTOP=$(REL).. + +SPHINX_BUILD=sphinx-build +GROFF=@GROFF@ +GROFF_MAN=$(GROFF) -mtty-char -Tascii -mandoc -c +localstatedir=@localstatedir@ +runstatedir=@runstatedir@ +sysconfdir=@sysconfdir@ +DEFCCNAME=@DEFCCNAME@ +DEFKTNAME=@DEFKTNAME@ +DEFCKTNAME=@DEFCKTNAME@ + +MANSUBS=k5identity.sub k5login.sub k5srvutil.sub kadm5.acl.sub kadmin.sub \ + kadmind.sub kdb5_ldap_util.sub kdb5_util.sub kdc.conf.sub \ + kdestroy.sub kinit.sub klist.sub kpasswd.sub kprop.sub kpropd.sub \ + kproplog.sub krb5.conf.sub krb5-config.sub krb5kdc.sub ksu.sub \ + kswitch.sub ktutil.sub kvno.sub sclient.sub sserver.sub + +docsrc=$(top_srcdir)/../doc + +# Update checked-in man pages from RST sources in the top-level doc +# directory. This can be done from an unconfigured tree with: +# make -f Makefile.in top_srcdir=.. srcdir=. man +# make -f Makefile.in clean +# The sed command deletes some trailing whitespace that the docutils +# manpage writer outputs near the end of its output files. +man: $(docsrc)/version.py + rm -rf rst_man + $(SPHINX_BUILD) -q -t mansubs -b man $(docsrc) rst_man + for f in rst_man/*.[0-9]; do \ + name=`echo $$f | sed -e 's|^.*/\(.*\)\.[0-9]$$|\1|'`; \ + sed -e '/^\.\\" $$/d' \ + -e '/^\.\\"/s/reStructeredText/reStructuredText/' \ + $$f > $(srcdir)/$$name.man; \ + done + +$(docsrc)/version.py: $(top_srcdir)/patchlevel.h + (cd $(BUILDTOP)/doc && make version.py) + +.SUFFIXES: .man .sub + +.man.sub: + sed -e 's|@BINDIR@|$(CLIENT_BINDIR)|g' \ + -e 's|@SBINDIR@|$(SERVER_BINDIR)|g' \ + -e 's|@LIBDIR@|$(KRB5_LIBDIR)|g' \ + -e 's|@LOCALSTATEDIR@|$(localstatedir)|g' \ + -e 's|@RUNSTATEDIR@|$(runstatedir)|g' \ + -e 's|@SYSCONFDIR@|$(sysconfdir)|g' \ + -e 's|@CCNAME@|$(DEFCCNAME)|g' \ + -e 's|@KTNAME@|$(DEFKTNAME)|g' \ + -e 's|@CKTNAME@|$(DEFCKTNAME)|g' $? > $@ + +all: $(MANSUBS) + +clean: + rm -rf $(MANSUBS) rst_man + +install: install-clientman install-fileman install-adminman install-serverman + +install-catman: install-clientcat install-filecat install-admincat install-servercat + +install-clientman: + $(INSTALL_DATA) k5srvutil.sub $(DESTDIR)$(CLIENT_MANDIR)/k5srvutil.1 + $(INSTALL_DATA) kadmin.sub $(DESTDIR)$(CLIENT_MANDIR)/kadmin.1 + $(INSTALL_DATA) kdestroy.sub $(DESTDIR)$(CLIENT_MANDIR)/kdestroy.1 + $(INSTALL_DATA) kinit.sub $(DESTDIR)$(CLIENT_MANDIR)/kinit.1 + $(INSTALL_DATA) klist.sub $(DESTDIR)$(CLIENT_MANDIR)/klist.1 + $(INSTALL_DATA) kpasswd.sub $(DESTDIR)$(CLIENT_MANDIR)/kpasswd.1 + $(INSTALL_DATA) krb5-config.sub $(DESTDIR)$(CLIENT_MANDIR)/krb5-config.1 + $(INSTALL_DATA) ksu.sub $(DESTDIR)$(CLIENT_MANDIR)/ksu.1 + $(INSTALL_DATA) kswitch.sub $(DESTDIR)$(CLIENT_MANDIR)/kswitch.1 + $(INSTALL_DATA) ktutil.sub $(DESTDIR)$(CLIENT_MANDIR)/ktutil.1 + $(INSTALL_DATA) kvno.sub $(DESTDIR)$(CLIENT_MANDIR)/kvno.1 + $(INSTALL_DATA) sclient.sub $(DESTDIR)$(CLIENT_MANDIR)/sclient.1 + +install-fileman: + $(INSTALL_DATA) $(srcdir)/dot.k5identity.5 \ + $(DESTDIR)$(FILE_MANDIR)/.k5identity.5 + $(INSTALL_DATA) k5identity.sub $(DESTDIR)$(FILE_MANDIR)/k5identity.5 + $(INSTALL_DATA) $(srcdir)/dot.k5login.5 \ + $(DESTDIR)$(FILE_MANDIR)/.k5login.5 + $(INSTALL_DATA) k5login.sub $(DESTDIR)$(FILE_MANDIR)/k5login.5 + $(INSTALL_DATA) kadm5.acl.sub $(DESTDIR)$(FILE_MANDIR)/kadm5.acl.5 + $(INSTALL_DATA) kdc.conf.sub $(DESTDIR)$(FILE_MANDIR)/kdc.conf.5 + $(INSTALL_DATA) krb5.conf.sub $(DESTDIR)$(FILE_MANDIR)/krb5.conf.5 + +install-adminman: + $(INSTALL_DATA) $(srcdir)/kadmin.local.8 \ + $(DESTDIR)$(ADMIN_MANDIR)/kadmin.local.8 + $(INSTALL_DATA) kdb5_ldap_util.sub \ + $(DESTDIR)$(ADMIN_MANDIR)/kdb5_ldap_util.8 + $(INSTALL_DATA) kdb5_util.sub $(DESTDIR)$(ADMIN_MANDIR)/kdb5_util.8 + $(INSTALL_DATA) kprop.sub $(DESTDIR)$(ADMIN_MANDIR)/kprop.8 + $(INSTALL_DATA) kproplog.sub $(DESTDIR)$(ADMIN_MANDIR)/kproplog.8 + +install-serverman: + $(INSTALL_DATA) kadmind.sub $(DESTDIR)$(SERVER_MANDIR)/kadmind.8 + $(INSTALL_DATA) kpropd.sub $(DESTDIR)$(SERVER_MANDIR)/kpropd.8 + $(INSTALL_DATA) krb5kdc.sub $(DESTDIR)$(SERVER_MANDIR)/krb5kdc.8 + $(INSTALL_DATA) sserver.sub $(DESTDIR)$(SERVER_MANDIR)/sserver.8 + +install-clientcat: + $(GROFF_MAN) k5srvutil.sub > $(DESTDIR)$(CLIENT_CATDIR)/k5srvutil.1 + $(GROFF_MAN) kadmin.sub > $(DESTDIR)$(CLIENT_CATDIR)/kadmin.1 + $(GROFF_MAN) kdestroy.sub > $(DESTDIR)$(CLIENT_CATDIR)/kdestroy.1 + $(GROFF_MAN) kinit.sub > $(DESTDIR)$(CLIENT_CATDIR)/kinit.1 + $(GROFF_MAN) klist.sub > $(DESTDIR)$(CLIENT_CATDIR)/klist.1 + $(GROFF_MAN) kpasswd.sub > $(DESTDIR)$(CLIENT_CATDIR)/kpasswd.1 + $(GROFF_MAN) krb5-config.sub > $(DESTDIR)$(CLIENT_CATDIR)/krb5-config.1 + $(GROFF_MAN) ksu.sub > $(DESTDIR)$(CLIENT_CATDIR)/ksu.1 + $(GROFF_MAN) kswitch.sub > $(DESTDIR)$(CLIENT_CATDIR)/kswitch.1 + $(GROFF_MAN) ktutil.sub > $(DESTDIR)$(CLIENT_CATDIR)/ktutil.1 + $(GROFF_MAN) kvno.sub > $(DESTDIR)$(CLIENT_CATDIR)/kvno.1 + $(GROFF_MAN) sclient.sub > $(DESTDIR)$(CLIENT_CATDIR)/sclient.1 + +install-filecat: + $(GROFF_MAN) k5identity.sub > $(DESTDIR)$(FILE_CATDIR)/k5identity.5 + ($(RM) $(DESTDIR)$(FILE_CATDIR)/.k5identity.5; \ + $(LN_S) $(FILE_CATDIR)/k5identity.5 \ + $(DESTDIR)$(FILE_CATDIR)/.k5identity.5) + $(GROFF_MAN) k5login.sub > $(DESTDIR)$(FILE_CATDIR)/k5login.5 + ($(RM) $(DESTDIR)$(FILE_CATDIR)/.k5login.5; \ + $(LN_S) $(FILE_CATDIR)/k5login.5 \ + $(DESTDIR)$(FILE_CATDIR)/.k5login.5) + $(GROFF_MAN) kadm5.acl.sub > $(DESTDIR)$(FILE_CATDIR)/kadm5.acl.5 + $(GROFF_MAN) kdc.conf.sub > $(DESTDIR)$(FILE_CATDIR)/kdc.conf.5 + $(GROFF_MAN) krb5.conf.sub > $(DESTDIR)$(FILE_CATDIR)/krb5.conf.5 + +install-admincat: + ($(RM) $(DESTDIR)$(ADMIN_CATDIR)/kadmin.local.8; \ + $(LN_S) $(CLIENT_CATDIR)/kadmin.1 \ + $(DESTDIR)$(ADMIN_CATDIR)/kadmin.local.8) + $(GROFF_MAN) kdb5_ldap_util.sub > \ + $(DESTDIR)$(ADMIN_CATDIR)/kdb5_ldap_util.8 + $(GROFF_MAN) kdb5_util.sub > $(DESTDIR)$(ADMIN_CATDIR)/kdb5_util.8 + $(GROFF_MAN) kprop.sub > $(DESTDIR)$(ADMIN_CATDIR)/kprop.8 + $(GROFF_MAN) kproplog.sub > $(DESTDIR)$(ADMIN_CATDIR)/kproplog.8 + +install-servercat: + $(GROFF_MAN) kadmind.sub > $(DESTDIR)$(SERVER_CATDIR)/kadmind.8 + $(GROFF_MAN) kpropd.sub > $(DESTDIR)$(SERVER_CATDIR)/kpropd.8 + $(GROFF_MAN) krb5kdc.sub > $(DESTDIR)$(SERVER_CATDIR)/krb5kdc.8 + $(GROFF_MAN) sserver.sub > $(DESTDIR)$(SERVER_CATDIR)/sserver.8 diff --git a/src/man/README b/src/man/README new file mode 100644 index 000000000000..3e81deb6b09b --- /dev/null +++ b/src/man/README @@ -0,0 +1,4 @@ +The manual page files in this directory are generated from +reStructuredText format from doc/. Edits made here will not +survive a run of "make rstman" from the doc directory, except for the +files that implement "shadow manpages". diff --git a/src/man/deps b/src/man/deps new file mode 100644 index 000000000000..2feac3c9d388 --- /dev/null +++ b/src/man/deps @@ -0,0 +1 @@ +# No dependencies here. diff --git a/src/man/dot.k5identity.5 b/src/man/dot.k5identity.5 new file mode 100644 index 000000000000..8af572af1687 --- /dev/null +++ b/src/man/dot.k5identity.5 @@ -0,0 +1 @@ +.so man5/k5identity.5 diff --git a/src/man/dot.k5login.5 b/src/man/dot.k5login.5 new file mode 100644 index 000000000000..60c82a4d88c8 --- /dev/null +++ b/src/man/dot.k5login.5 @@ -0,0 +1 @@ +.so man5/k5login.5 diff --git a/src/man/k5identity.man b/src/man/k5identity.man new file mode 100644 index 000000000000..48866b8e9521 --- /dev/null +++ b/src/man/k5identity.man @@ -0,0 +1,103 @@ +.\" Man page generated from reStructuredText. +. +.TH "K5IDENTITY" "5" " " "1.15.1" "MIT Kerberos" +.SH NAME +k5identity \- Kerberos V5 client principal selection rules +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.SH DESCRIPTION +.sp +The .k5identity file, which resides in a user\(aqs home directory, +contains a list of rules for selecting a client principals based on +the server being accessed. These rules are used to choose a +credential cache within the cache collection when possible. +.sp +Blank lines and lines beginning with \fB#\fP are ignored. Each line has +the form: +.INDENT 0.0 +.INDENT 3.5 +\fIprincipal\fP \fIfield\fP=\fIvalue\fP ... +.UNINDENT +.UNINDENT +.sp +If the server principal meets all of the field constraints, then +principal is chosen as the client principal. The following fields are +recognized: +.INDENT 0.0 +.TP +.B \fBrealm\fP +If the realm of the server principal is known, it is matched +against \fIvalue\fP, which may be a pattern using shell wildcards. +For host\-based server principals, the realm will generally only be +known if there is a \fIdomain_realm\fP section in +\fIkrb5.conf(5)\fP with a mapping for the hostname. +.TP +.B \fBservice\fP +If the server principal is a host\-based principal, its service +component is matched against \fIvalue\fP, which may be a pattern using +shell wildcards. +.TP +.B \fBhost\fP +If the server principal is a host\-based principal, its hostname +component is converted to lower case and matched against \fIvalue\fP, +which may be a pattern using shell wildcards. +.sp +If the server principal matches the constraints of multiple lines +in the .k5identity file, the principal from the first matching +line is used. If no line matches, credentials will be selected +some other way, such as the realm heuristic or the current primary +cache. +.UNINDENT +.SH EXAMPLE +.sp +The following example .k5identity file selects the client principal +\fBalice@KRBTEST.COM\fP if the server principal is within that realm, +the principal \fBalice/root@EXAMPLE.COM\fP if the server host is within +a servers subdomain, and the principal \fBalice/mail@EXAMPLE.COM\fP when +accessing the IMAP service on \fBmail.example.com\fP: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +alice@KRBTEST.COM realm=KRBTEST.COM +alice/root@EXAMPLE.COM host=*.servers.example.com +alice/mail@EXAMPLE.COM host=mail.example.com service=imap +.ft P +.fi +.UNINDENT +.UNINDENT +.SH SEE ALSO +.sp +kerberos(1), \fIkrb5.conf(5)\fP +.SH AUTHOR +MIT +.SH COPYRIGHT +1985-2017, MIT +.\" Generated by docutils manpage writer. +. diff --git a/src/man/k5login.man b/src/man/k5login.man new file mode 100644 index 000000000000..f6a1706be8b6 --- /dev/null +++ b/src/man/k5login.man @@ -0,0 +1,96 @@ +.\" Man page generated from reStructuredText. +. +.TH "K5LOGIN" "5" " " "1.15.1" "MIT Kerberos" +.SH NAME +k5login \- Kerberos V5 acl file for host access +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.SH DESCRIPTION +.sp +The .k5login file, which resides in a user\(aqs home directory, contains +a list of the Kerberos principals. Anyone with valid tickets for a +principal in the file is allowed host access with the UID of the user +in whose home directory the file resides. One common use is to place +a .k5login file in root\(aqs home directory, thereby granting system +administrators remote root access to the host via Kerberos. +.SH EXAMPLES +.sp +Suppose the user \fBalice\fP had a .k5login file in her home directory +containing just the following line: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +bob@FOOBAR.ORG +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +This would allow \fBbob\fP to use Kerberos network applications, such as +ssh(1), to access \fBalice\fP\(aqs account, using \fBbob\fP\(aqs Kerberos +tickets. In a default configuration (with \fBk5login_authoritative\fP set +to true in \fIkrb5.conf(5)\fP), this .k5login file would not let +\fBalice\fP use those network applications to access her account, since +she is not listed! With no .k5login file, or with \fBk5login_authoritative\fP +set to false, a default rule would permit the principal \fBalice\fP in the +machine\(aqs default realm to access the \fBalice\fP account. +.sp +Let us further suppose that \fBalice\fP is a system administrator. +Alice and the other system administrators would have their principals +in root\(aqs .k5login file on each host: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +alice@BLEEP.COM + +joeadmin/root@BLEEP.COM +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +This would allow either system administrator to log in to these hosts +using their Kerberos tickets instead of having to type the root +password. Note that because \fBbob\fP retains the Kerberos tickets for +his own principal, \fBbob@FOOBAR.ORG\fP, he would not have any of the +privileges that require \fBalice\fP\(aqs tickets, such as root access to +any of the site\(aqs hosts, or the ability to change \fBalice\fP\(aqs +password. +.SH SEE ALSO +.sp +kerberos(1) +.SH AUTHOR +MIT +.SH COPYRIGHT +1985-2017, MIT +.\" Generated by docutils manpage writer. +. diff --git a/src/man/k5srvutil.man b/src/man/k5srvutil.man new file mode 100644 index 000000000000..066a99118f3b --- /dev/null +++ b/src/man/k5srvutil.man @@ -0,0 +1,91 @@ +.\" Man page generated from reStructuredText. +. +.TH "K5SRVUTIL" "1" " " "1.15.1" "MIT Kerberos" +.SH NAME +k5srvutil \- host key table (keytab) manipulation utility +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.SH SYNOPSIS +.sp +\fBk5srvutil\fP \fIoperation\fP +[\fB\-i\fP] +[\fB\-f\fP \fIfilename\fP] +[\fB\-e\fP \fIkeysalts\fP] +.SH DESCRIPTION +.sp +k5srvutil allows an administrator to list keys currently in +a keytab, to obtain new keys for a principal currently in a keytab, +or to delete non\-current keys from a keytab. +.sp +\fIoperation\fP must be one of the following: +.INDENT 0.0 +.TP +.B \fBlist\fP +Lists the keys in a keytab, showing version number and principal +name. +.TP +.B \fBchange\fP +Uses the kadmin protocol to update the keys in the Kerberos +database to new randomly\-generated keys, and updates the keys in +the keytab to match. If a key\(aqs version number doesn\(aqt match the +version number stored in the Kerberos server\(aqs database, then the +operation will fail. If the \fB\-i\fP flag is given, k5srvutil will +prompt for confirmation before changing each key. If the \fB\-k\fP +option is given, the old and new keys will be displayed. +Ordinarily, keys will be generated with the default encryption +types and key salts. This can be overridden with the \fB\-e\fP +option. Old keys are retained in the keytab so that existing +tickets continue to work, but \fBdelold\fP should be used after +such tickets expire, to prevent attacks against the old keys. +.TP +.B \fBdelold\fP +Deletes keys that are not the most recent version from the keytab. +This operation should be used some time after a change operation +to remove old keys, after existing tickets issued for the service +have expired. If the \fB\-i\fP flag is given, then k5srvutil will +prompt for confirmation for each principal. +.TP +.B \fBdelete\fP +Deletes particular keys in the keytab, interactively prompting for +each key. +.UNINDENT +.sp +In all cases, the default keytab is used unless this is overridden by +the \fB\-f\fP option. +.sp +k5srvutil uses the \fIkadmin(1)\fP program to edit the keytab in +place. +.SH SEE ALSO +.sp +\fIkadmin(1)\fP, \fIktutil(1)\fP +.SH AUTHOR +MIT +.SH COPYRIGHT +1985-2017, MIT +.\" Generated by docutils manpage writer. +. diff --git a/src/man/kadm5.acl.man b/src/man/kadm5.acl.man new file mode 100644 index 000000000000..9043775f84c6 --- /dev/null +++ b/src/man/kadm5.acl.man @@ -0,0 +1,267 @@ +.\" Man page generated from reStructuredText. +. +.TH "KADM5.ACL" "5" " " "1.15.1" "MIT Kerberos" +.SH NAME +kadm5.acl \- Kerberos ACL file +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.SH DESCRIPTION +.sp +The Kerberos \fIkadmind(8)\fP daemon uses an Access Control List +(ACL) file to manage access rights to the Kerberos database. +For operations that affect principals, the ACL file also controls +which principals can operate on which other principals. +.sp +The default location of the Kerberos ACL file is +\fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/kadm5.acl\fP unless this is overridden by the \fIacl_file\fP +variable in \fIkdc.conf(5)\fP\&. +.SH SYNTAX +.sp +Empty lines and lines starting with the sharp sign (\fB#\fP) are +ignored. Lines containing ACL entries have the format: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +principal permissions [target_principal [restrictions] ] +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +\fBNOTE:\fP +.INDENT 0.0 +.INDENT 3.5 +Line order in the ACL file is important. The first matching entry +will control access for an actor principal on a target principal. +.UNINDENT +.UNINDENT +.INDENT 0.0 +.TP +.B \fIprincipal\fP +(Partially or fully qualified Kerberos principal name.) Specifies +the principal whose permissions are to be set. +.sp +Each component of the name may be wildcarded using the \fB*\fP +character. +.TP +.B \fIpermissions\fP +Specifies what operations may or may not be performed by a +\fIprincipal\fP matching a particular entry. This is a string of one or +more of the following list of characters or their upper\-case +counterparts. If the character is \fIupper\-case\fP, then the operation +is disallowed. If the character is \fIlower\-case\fP, then the operation +is permitted. +.TS +center; +|l|l|. +_ +T{ +a +T} T{ +[Dis]allows the addition of principals or policies +T} +_ +T{ +c +T} T{ +[Dis]allows the changing of passwords for principals +T} +_ +T{ +d +T} T{ +[Dis]allows the deletion of principals or policies +T} +_ +T{ +e +T} T{ +[Dis]allows the extraction of principal keys +T} +_ +T{ +i +T} T{ +[Dis]allows inquiries about principals or policies +T} +_ +T{ +l +T} T{ +[Dis]allows the listing of all principals or policies +T} +_ +T{ +m +T} T{ +[Dis]allows the modification of principals or policies +T} +_ +T{ +p +T} T{ +[Dis]allows the propagation of the principal database (used in \fIincr_db_prop\fP) +T} +_ +T{ +s +T} T{ +[Dis]allows the explicit setting of the key for a principal +T} +_ +T{ +x +T} T{ +Short for admcilsp. All privileges (except \fBe\fP) +T} +_ +T{ +* +T} T{ +Same as x. +T} +_ +.TE +.UNINDENT +.sp +\fBNOTE:\fP +.INDENT 0.0 +.INDENT 3.5 +The \fBextract\fP privilege is not included in the wildcard +privilege; it must be explicitly assigned. This privilege +allows the user to extract keys from the database, and must be +handled with great care to avoid disclosure of important keys +like those of the kadmin/* or krbtgt/* principals. The +\fBlockdown_keys\fP principal attribute can be used to prevent +key extraction from specific principals regardless of the +granted privilege. +.UNINDENT +.UNINDENT +.INDENT 0.0 +.TP +.B \fItarget_principal\fP +(Optional. Partially or fully qualified Kerberos principal name.) +Specifies the principal on which \fIpermissions\fP may be applied. +Each component of the name may be wildcarded using the \fB*\fP +character. +.sp +\fItarget_principal\fP can also include back\-references to \fIprincipal\fP, +in which \fB*number\fP matches the corresponding wildcard in +\fIprincipal\fP\&. +.TP +.B \fIrestrictions\fP +(Optional) A string of flags. Allowed restrictions are: +.INDENT 7.0 +.INDENT 3.5 +.INDENT 0.0 +.TP +.B {+|\-}\fIflagname\fP +flag is forced to the indicated value. The permissible flags +are the same as those for the \fBdefault_principal_flags\fP +variable in \fIkdc.conf(5)\fP\&. +.TP +.B \fI\-clearpolicy\fP +policy is forced to be empty. +.TP +.B \fI\-policy pol\fP +policy is forced to be \fIpol\fP\&. +.TP +.B \-{\fIexpire, pwexpire, maxlife, maxrenewlife\fP} \fItime\fP +(\fIgetdate\fP string) associated value will be forced to +MIN(\fItime\fP, requested value). +.UNINDENT +.UNINDENT +.UNINDENT +.sp +The above flags act as restrictions on any add or modify operation +which is allowed due to that ACL line. +.UNINDENT +.sp +\fBWARNING:\fP +.INDENT 0.0 +.INDENT 3.5 +If the kadmind ACL file is modified, the kadmind daemon needs to be +restarted for changes to take effect. +.UNINDENT +.UNINDENT +.SH EXAMPLE +.sp +Here is an example of a kadm5.acl file: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +*/admin@ATHENA.MIT.EDU * # line 1 +joeadmin@ATHENA.MIT.EDU ADMCIL # line 2 +joeadmin/*@ATHENA.MIT.EDU i */root@ATHENA.MIT.EDU # line 3 +*/root@ATHENA.MIT.EDU ci *1@ATHENA.MIT.EDU # line 4 +*/root@ATHENA.MIT.EDU l * # line 5 +sms@ATHENA.MIT.EDU x * \-maxlife 9h \-postdateable # line 6 +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +(line 1) Any principal in the \fBATHENA.MIT.EDU\fP realm with +an \fBadmin\fP instance has all administrative privileges. +.sp +(lines 1\-3) The user \fBjoeadmin\fP has all permissions with his +\fBadmin\fP instance, \fBjoeadmin/admin@ATHENA.MIT.EDU\fP (matches line +1). He has no permissions at all with his null instance, +\fBjoeadmin@ATHENA.MIT.EDU\fP (matches line 2). His \fBroot\fP and other +non\-\fBadmin\fP, non\-null instances (e.g., \fBextra\fP or \fBdbadmin\fP) have +inquire permissions with any principal that has the instance \fBroot\fP +(matches line 3). +.sp +(line 4) Any \fBroot\fP principal in \fBATHENA.MIT.EDU\fP can inquire +or change the password of their null instance, but not any other +null instance. (Here, \fB*1\fP denotes a back\-reference to the +component matching the first wildcard in the actor principal.) +.sp +(line 5) Any \fBroot\fP principal in \fBATHENA.MIT.EDU\fP can generate +the list of principals in the database, and the list of policies +in the database. This line is separate from line 4, because list +permission can only be granted globally, not to specific target +principals. +.sp +(line 6) Finally, the Service Management System principal +\fBsms@ATHENA.MIT.EDU\fP has all permissions, but any principal that it +creates or modifies will not be able to get postdateable tickets or +tickets with a life of longer than 9 hours. +.SH SEE ALSO +.sp +\fIkdc.conf(5)\fP, \fIkadmind(8)\fP +.SH AUTHOR +MIT +.SH COPYRIGHT +1985-2017, MIT +.\" Generated by docutils manpage writer. +. diff --git a/src/man/kadmin.local.8 b/src/man/kadmin.local.8 new file mode 100644 index 000000000000..00df30db6f9d --- /dev/null +++ b/src/man/kadmin.local.8 @@ -0,0 +1 @@ +.so man1/kadmin.1 diff --git a/src/man/kadmin.man b/src/man/kadmin.man new file mode 100644 index 000000000000..5105eca28e76 --- /dev/null +++ b/src/man/kadmin.man @@ -0,0 +1,1072 @@ +.\" Man page generated from reStructuredText. +. +.TH "KADMIN" "1" " " "1.15.1" "MIT Kerberos" +.SH NAME +kadmin \- Kerberos V5 database administration program +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.SH SYNOPSIS +.sp +\fBkadmin\fP +[\fB\-O\fP|\fB\-N\fP] +[\fB\-r\fP \fIrealm\fP] +[\fB\-p\fP \fIprincipal\fP] +[\fB\-q\fP \fIquery\fP] +[[\fB\-c\fP \fIcache_name\fP]|[\fB\-k\fP [\fB\-t\fP \fIkeytab\fP]]|\fB\-n\fP] +[\fB\-w\fP \fIpassword\fP] +[\fB\-s\fP \fIadmin_server\fP[:\fIport\fP]] +[command args...] +.sp +\fBkadmin.local\fP +[\fB\-r\fP \fIrealm\fP] +[\fB\-p\fP \fIprincipal\fP] +[\fB\-q\fP \fIquery\fP] +[\fB\-d\fP \fIdbname\fP] +[\fB\-e\fP \fIenc\fP:\fIsalt\fP ...] +[\fB\-m\fP] +[\fB\-x\fP \fIdb_args\fP] +[command args...] +.SH DESCRIPTION +.sp +kadmin and kadmin.local are command\-line interfaces to the Kerberos V5 +administration system. They provide nearly identical functionalities; +the difference is that kadmin.local directly accesses the KDC +database, while kadmin performs operations using \fIkadmind(8)\fP\&. +Except as explicitly noted otherwise, this man page will use "kadmin" +to refer to both versions. kadmin provides for the maintenance of +Kerberos principals, password policies, and service key tables +(keytabs). +.sp +The remote kadmin client uses Kerberos to authenticate to kadmind +using the service principal \fBkadmin/ADMINHOST\fP (where \fIADMINHOST\fP is +the fully\-qualified hostname of the admin server) or \fBkadmin/admin\fP\&. +If the credentials cache contains a ticket for one of these +principals, and the \fB\-c\fP credentials_cache option is specified, that +ticket is used to authenticate to kadmind. Otherwise, the \fB\-p\fP and +\fB\-k\fP options are used to specify the client Kerberos principal name +used to authenticate. Once kadmin has determined the principal name, +it requests a service ticket from the KDC, and uses that service +ticket to authenticate to kadmind. +.sp +Since kadmin.local directly accesses the KDC database, it usually must +be run directly on the master KDC with sufficient permissions to read +the KDC database. If the KDC database uses the LDAP database module, +kadmin.local can be run on any host which can access the LDAP server. +.SH OPTIONS +.INDENT 0.0 +.TP +.B \fB\-r\fP \fIrealm\fP +Use \fIrealm\fP as the default database realm. +.TP +.B \fB\-p\fP \fIprincipal\fP +Use \fIprincipal\fP to authenticate. Otherwise, kadmin will append +\fB/admin\fP to the primary principal name of the default ccache, +the value of the \fBUSER\fP environment variable, or the username as +obtained with getpwuid, in order of preference. +.TP +.B \fB\-k\fP +Use a keytab to decrypt the KDC response instead of prompting for +a password. In this case, the default principal will be +\fBhost/hostname\fP\&. If there is no keytab specified with the +\fB\-t\fP option, then the default keytab will be used. +.TP +.B \fB\-t\fP \fIkeytab\fP +Use \fIkeytab\fP to decrypt the KDC response. This can only be used +with the \fB\-k\fP option. +.TP +.B \fB\-n\fP +Requests anonymous processing. Two types of anonymous principals +are supported. For fully anonymous Kerberos, configure PKINIT on +the KDC and configure \fBpkinit_anchors\fP in the client\(aqs +\fIkrb5.conf(5)\fP\&. Then use the \fB\-n\fP option with a principal +of the form \fB@REALM\fP (an empty principal name followed by the +at\-sign and a realm name). If permitted by the KDC, an anonymous +ticket will be returned. A second form of anonymous tickets is +supported; these realm\-exposed tickets hide the identity of the +client but not the client\(aqs realm. For this mode, use \fBkinit +\-n\fP with a normal principal name. If supported by the KDC, the +principal (but not realm) will be replaced by the anonymous +principal. As of release 1.8, the MIT Kerberos KDC only supports +fully anonymous operation. +.TP +.B \fB\-c\fP \fIcredentials_cache\fP +Use \fIcredentials_cache\fP as the credentials cache. The +cache should contain a service ticket for the \fBkadmin/ADMINHOST\fP +(where \fIADMINHOST\fP is the fully\-qualified hostname of the admin +server) or \fBkadmin/admin\fP service; it can be acquired with the +\fIkinit(1)\fP program. If this option is not specified, kadmin +requests a new service ticket from the KDC, and stores it in its +own temporary ccache. +.TP +.B \fB\-w\fP \fIpassword\fP +Use \fIpassword\fP instead of prompting for one. Use this option with +care, as it may expose the password to other users on the system +via the process list. +.TP +.B \fB\-q\fP \fIquery\fP +Perform the specified query and then exit. +.TP +.B \fB\-d\fP \fIdbname\fP +Specifies the name of the KDC database. This option does not +apply to the LDAP database module. +.TP +.B \fB\-s\fP \fIadmin_server\fP[:\fIport\fP] +Specifies the admin server which kadmin should contact. +.TP +.B \fB\-m\fP +If using kadmin.local, prompt for the database master password +instead of reading it from a stash file. +.TP +.B \fB\-e\fP "\fIenc\fP:\fIsalt\fP ..." +Sets the keysalt list to be used for any new keys created. See +\fIKeysalt_lists\fP in \fIkdc.conf(5)\fP for a list of possible +values. +.TP +.B \fB\-O\fP +Force use of old AUTH_GSSAPI authentication flavor. +.TP +.B \fB\-N\fP +Prevent fallback to AUTH_GSSAPI authentication flavor. +.TP +.B \fB\-x\fP \fIdb_args\fP +Specifies the database specific arguments. See the next section +for supported options. +.UNINDENT +.sp +Starting with release 1.14, if any command\-line arguments remain after +the options, they will be treated as a single query to be executed. +This mode of operation is intended for scripts and behaves differently +from the interactive mode in several respects: +.INDENT 0.0 +.IP \(bu 2 +Query arguments are split by the shell, not by kadmin. +.IP \(bu 2 +Informational and warning messages are suppressed. Error messages +and query output (e.g. for \fBget_principal\fP) will still be +displayed. +.IP \(bu 2 +Confirmation prompts are disabled (as if \fB\-force\fP was given). +Password prompts will still be issued as required. +.IP \(bu 2 +The exit status will be non\-zero if the query fails. +.UNINDENT +.sp +The \fB\-q\fP option does not carry these behavior differences; the query +will be processed as if it was entered interactively. The \fB\-q\fP +option cannot be used in combination with a query in the remaining +arguments. +.SH DATABASE OPTIONS +.sp +Database options can be used to override database\-specific defaults. +Supported options for the DB2 module are: +.INDENT 0.0 +.INDENT 3.5 +.INDENT 0.0 +.TP +.B \fB\-x dbname=\fP*filename* +Specifies the base filename of the DB2 database. +.TP +.B \fB\-x lockiter\fP +Make iteration operations hold the lock for the duration of +the entire operation, rather than temporarily releasing the +lock while handling each principal. This is the default +behavior, but this option exists to allow command line +override of a [dbmodules] setting. First introduced in +release 1.13. +.TP +.B \fB\-x unlockiter\fP +Make iteration operations unlock the database for each +principal, instead of holding the lock for the duration of the +entire operation. First introduced in release 1.13. +.UNINDENT +.UNINDENT +.UNINDENT +.sp +Supported options for the LDAP module are: +.INDENT 0.0 +.INDENT 3.5 +.INDENT 0.0 +.TP +.B \fB\-x host=\fP\fIldapuri\fP +Specifies the LDAP server to connect to by a LDAP URI. +.TP +.B \fB\-x binddn=\fP\fIbind_dn\fP +Specifies the DN used to bind to the LDAP server. +.TP +.B \fB\-x bindpwd=\fP\fIpassword\fP +Specifies the password or SASL secret used to bind to the LDAP +server. Using this option may expose the password to other +users on the system via the process list; to avoid this, +instead stash the password using the \fBstashsrvpw\fP command of +\fIkdb5_ldap_util(8)\fP\&. +.TP +.B \fB\-x sasl_mech=\fP\fImechanism\fP +Specifies the SASL mechanism used to bind to the LDAP server. +The bind DN is ignored if a SASL mechanism is used. New in +release 1.13. +.TP +.B \fB\-x sasl_authcid=\fP\fIname\fP +Specifies the authentication name used when binding to the +LDAP server with a SASL mechanism, if the mechanism requires +one. New in release 1.13. +.TP +.B \fB\-x sasl_authzid=\fP\fIname\fP +Specifies the authorization name used when binding to the LDAP +server with a SASL mechanism. New in release 1.13. +.TP +.B \fB\-x sasl_realm=\fP\fIrealm\fP +Specifies the realm used when binding to the LDAP server with +a SASL mechanism, if the mechanism uses one. New in release +1.13. +.TP +.B \fB\-x debug=\fP\fIlevel\fP +sets the OpenLDAP client library debug level. \fIlevel\fP is an +integer to be interpreted by the library. Debugging messages +are printed to standard error. New in release 1.12. +.UNINDENT +.UNINDENT +.UNINDENT +.SH COMMANDS +.sp +When using the remote client, available commands may be restricted +according to the privileges specified in the \fIkadm5.acl(5)\fP file +on the admin server. +.SS add_principal +.INDENT 0.0 +.INDENT 3.5 +\fBadd_principal\fP [\fIoptions\fP] \fInewprinc\fP +.UNINDENT +.UNINDENT +.sp +Creates the principal \fInewprinc\fP, prompting twice for a password. If +no password policy is specified with the \fB\-policy\fP option, and the +policy named \fBdefault\fP is assigned to the principal if it exists. +However, creating a policy named \fBdefault\fP will not automatically +assign this policy to previously existing principals. This policy +assignment can be suppressed with the \fB\-clearpolicy\fP option. +.sp +This command requires the \fBadd\fP privilege. +.sp +Aliases: \fBaddprinc\fP, \fBank\fP +.sp +Options: +.INDENT 0.0 +.TP +.B \fB\-expire\fP \fIexpdate\fP +(\fIgetdate\fP string) The expiration date of the principal. +.TP +.B \fB\-pwexpire\fP \fIpwexpdate\fP +(\fIgetdate\fP string) The password expiration date. +.TP +.B \fB\-maxlife\fP \fImaxlife\fP +(\fIduration\fP or \fIgetdate\fP string) The maximum ticket life +for the principal. +.TP +.B \fB\-maxrenewlife\fP \fImaxrenewlife\fP +(\fIduration\fP or \fIgetdate\fP string) The maximum renewable +life of tickets for the principal. +.TP +.B \fB\-kvno\fP \fIkvno\fP +The initial key version number. +.TP +.B \fB\-policy\fP \fIpolicy\fP +The password policy used by this principal. If not specified, the +policy \fBdefault\fP is used if it exists (unless \fB\-clearpolicy\fP +is specified). +.TP +.B \fB\-clearpolicy\fP +Prevents any policy from being assigned when \fB\-policy\fP is not +specified. +.TP +.B {\-|+}\fBallow_postdated\fP +\fB\-allow_postdated\fP prohibits this principal from obtaining +postdated tickets. \fB+allow_postdated\fP clears this flag. +.TP +.B {\-|+}\fBallow_forwardable\fP +\fB\-allow_forwardable\fP prohibits this principal from obtaining +forwardable tickets. \fB+allow_forwardable\fP clears this flag. +.TP +.B {\-|+}\fBallow_renewable\fP +\fB\-allow_renewable\fP prohibits this principal from obtaining +renewable tickets. \fB+allow_renewable\fP clears this flag. +.TP +.B {\-|+}\fBallow_proxiable\fP +\fB\-allow_proxiable\fP prohibits this principal from obtaining +proxiable tickets. \fB+allow_proxiable\fP clears this flag. +.TP +.B {\-|+}\fBallow_dup_skey\fP +\fB\-allow_dup_skey\fP disables user\-to\-user authentication for this +principal by prohibiting this principal from obtaining a session +key for another user. \fB+allow_dup_skey\fP clears this flag. +.TP +.B {\-|+}\fBrequires_preauth\fP +\fB+requires_preauth\fP requires this principal to preauthenticate +before being allowed to kinit. \fB\-requires_preauth\fP clears this +flag. When \fB+requires_preauth\fP is set on a service principal, +the KDC will only issue service tickets for that service principal +if the client\(aqs initial authentication was performed using +preauthentication. +.TP +.B {\-|+}\fBrequires_hwauth\fP +\fB+requires_hwauth\fP requires this principal to preauthenticate +using a hardware device before being allowed to kinit. +\fB\-requires_hwauth\fP clears this flag. When \fB+requires_hwauth\fP is +set on a service principal, the KDC will only issue service tickets +for that service principal if the client\(aqs initial authentication was +performed using a hardware device to preauthenticate. +.TP +.B {\-|+}\fBok_as_delegate\fP +\fB+ok_as_delegate\fP sets the \fBokay as delegate\fP flag on tickets +issued with this principal as the service. Clients may use this +flag as a hint that credentials should be delegated when +authenticating to the service. \fB\-ok_as_delegate\fP clears this +flag. +.TP +.B {\-|+}\fBallow_svr\fP +\fB\-allow_svr\fP prohibits the issuance of service tickets for this +principal. \fB+allow_svr\fP clears this flag. +.TP +.B {\-|+}\fBallow_tgs_req\fP +\fB\-allow_tgs_req\fP specifies that a Ticket\-Granting Service (TGS) +request for a service ticket for this principal is not permitted. +\fB+allow_tgs_req\fP clears this flag. +.TP +.B {\-|+}\fBallow_tix\fP +\fB\-allow_tix\fP forbids the issuance of any tickets for this +principal. \fB+allow_tix\fP clears this flag. +.TP +.B {\-|+}\fBneedchange\fP +\fB+needchange\fP forces a password change on the next initial +authentication to this principal. \fB\-needchange\fP clears this +flag. +.TP +.B {\-|+}\fBpassword_changing_service\fP +\fB+password_changing_service\fP marks this principal as a password +change service principal. +.TP +.B {\-|+}\fBok_to_auth_as_delegate\fP +\fB+ok_to_auth_as_delegate\fP allows this principal to acquire +forwardable tickets to itself from arbitrary users, for use with +constrained delegation. +.TP +.B {\-|+}\fBno_auth_data_required\fP +\fB+no_auth_data_required\fP prevents PAC or AD\-SIGNEDPATH data from +being added to service tickets for the principal. +.TP +.B {\-|+}\fBlockdown_keys\fP +\fB+lockdown_keys\fP prevents keys for this principal from leaving +the KDC via kadmind. The chpass and extract operations are denied +for a principal with this attribute. The chrand operation is +allowed, but will not return the new keys. The delete and rename +operations are also denied if this attribute is set, in order to +prevent a malicious administrator from replacing principals like +krbtgt/* or kadmin/* with new principals without the attribute. +This attribute can be set via the network protocol, but can only +be removed using kadmin.local. +.TP +.B \fB\-randkey\fP +Sets the key of the principal to a random value. +.TP +.B \fB\-nokey\fP +Causes the principal to be created with no key. New in release +1.12. +.TP +.B \fB\-pw\fP \fIpassword\fP +Sets the password of the principal to the specified string and +does not prompt for a password. Note: using this option in a +shell script may expose the password to other users on the system +via the process list. +.TP +.B \fB\-e\fP \fIenc\fP:\fIsalt\fP,... +Uses the specified keysalt list for setting the keys of the +principal. See \fIKeysalt_lists\fP in \fIkdc.conf(5)\fP for a +list of possible values. +.TP +.B \fB\-x\fP \fIdb_princ_args\fP +Indicates database\-specific options. The options for the LDAP +database module are: +.INDENT 7.0 +.TP +.B \fB\-x dn=\fP\fIdn\fP +Specifies the LDAP object that will contain the Kerberos +principal being created. +.TP +.B \fB\-x linkdn=\fP\fIdn\fP +Specifies the LDAP object to which the newly created Kerberos +principal object will point. +.TP +.B \fB\-x containerdn=\fP\fIcontainer_dn\fP +Specifies the container object under which the Kerberos +principal is to be created. +.TP +.B \fB\-x tktpolicy=\fP\fIpolicy\fP +Associates a ticket policy to the Kerberos principal. +.UNINDENT +.sp +\fBNOTE:\fP +.INDENT 7.0 +.INDENT 3.5 +.INDENT 0.0 +.IP \(bu 2 +The \fBcontainerdn\fP and \fBlinkdn\fP options cannot be +specified with the \fBdn\fP option. +.IP \(bu 2 +If the \fIdn\fP or \fIcontainerdn\fP options are not specified while +adding the principal, the principals are created under the +principal container configured in the realm or the realm +container. +.IP \(bu 2 +\fIdn\fP and \fIcontainerdn\fP should be within the subtrees or +principal container configured in the realm. +.UNINDENT +.UNINDENT +.UNINDENT +.UNINDENT +.sp +Example: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +kadmin: addprinc jennifer +WARNING: no policy specified for "jennifer@ATHENA.MIT.EDU"; +defaulting to no policy. +Enter password for principal jennifer@ATHENA.MIT.EDU: +Re\-enter password for principal jennifer@ATHENA.MIT.EDU: +Principal "jennifer@ATHENA.MIT.EDU" created. +kadmin: +.ft P +.fi +.UNINDENT +.UNINDENT +.SS modify_principal +.INDENT 0.0 +.INDENT 3.5 +\fBmodify_principal\fP [\fIoptions\fP] \fIprincipal\fP +.UNINDENT +.UNINDENT +.sp +Modifies the specified principal, changing the fields as specified. +The options to \fBadd_principal\fP also apply to this command, except +for the \fB\-randkey\fP, \fB\-pw\fP, and \fB\-e\fP options. In addition, the +option \fB\-clearpolicy\fP will clear the current policy of a principal. +.sp +This command requires the \fImodify\fP privilege. +.sp +Alias: \fBmodprinc\fP +.sp +Options (in addition to the \fBaddprinc\fP options): +.INDENT 0.0 +.TP +.B \fB\-unlock\fP +Unlocks a locked principal (one which has received too many failed +authentication attempts without enough time between them according +to its password policy) so that it can successfully authenticate. +.UNINDENT +.SS rename_principal +.INDENT 0.0 +.INDENT 3.5 +\fBrename_principal\fP [\fB\-force\fP] \fIold_principal\fP \fInew_principal\fP +.UNINDENT +.UNINDENT +.sp +Renames the specified \fIold_principal\fP to \fInew_principal\fP\&. This +command prompts for confirmation, unless the \fB\-force\fP option is +given. +.sp +This command requires the \fBadd\fP and \fBdelete\fP privileges. +.sp +Alias: \fBrenprinc\fP +.SS delete_principal +.INDENT 0.0 +.INDENT 3.5 +\fBdelete_principal\fP [\fB\-force\fP] \fIprincipal\fP +.UNINDENT +.UNINDENT +.sp +Deletes the specified \fIprincipal\fP from the database. This command +prompts for deletion, unless the \fB\-force\fP option is given. +.sp +This command requires the \fBdelete\fP privilege. +.sp +Alias: \fBdelprinc\fP +.SS change_password +.INDENT 0.0 +.INDENT 3.5 +\fBchange_password\fP [\fIoptions\fP] \fIprincipal\fP +.UNINDENT +.UNINDENT +.sp +Changes the password of \fIprincipal\fP\&. Prompts for a new password if +neither \fB\-randkey\fP or \fB\-pw\fP is specified. +.sp +This command requires the \fBchangepw\fP privilege, or that the +principal running the program is the same as the principal being +changed. +.sp +Alias: \fBcpw\fP +.sp +The following options are available: +.INDENT 0.0 +.TP +.B \fB\-randkey\fP +Sets the key of the principal to a random value. +.TP +.B \fB\-pw\fP \fIpassword\fP +Set the password to the specified string. Using this option in a +script may expose the password to other users on the system via +the process list. +.TP +.B \fB\-e\fP \fIenc\fP:\fIsalt\fP,... +Uses the specified keysalt list for setting the keys of the +principal. See \fIKeysalt_lists\fP in \fIkdc.conf(5)\fP for a +list of possible values. +.TP +.B \fB\-keepold\fP +Keeps the existing keys in the database. This flag is usually not +necessary except perhaps for \fBkrbtgt\fP principals. +.UNINDENT +.sp +Example: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +kadmin: cpw systest +Enter password for principal systest@BLEEP.COM: +Re\-enter password for principal systest@BLEEP.COM: +Password for systest@BLEEP.COM changed. +kadmin: +.ft P +.fi +.UNINDENT +.UNINDENT +.SS purgekeys +.INDENT 0.0 +.INDENT 3.5 +\fBpurgekeys\fP [\fB\-all\fP|\fB\-keepkvno\fP \fIoldest_kvno_to_keep\fP] \fIprincipal\fP +.UNINDENT +.UNINDENT +.sp +Purges previously retained old keys (e.g., from \fBchange_password +\-keepold\fP) from \fIprincipal\fP\&. If \fB\-keepkvno\fP is specified, then +only purges keys with kvnos lower than \fIoldest_kvno_to_keep\fP\&. If +\fB\-all\fP is specified, then all keys are purged. The \fB\-all\fP option +is new in release 1.12. +.sp +This command requires the \fBmodify\fP privilege. +.SS get_principal +.INDENT 0.0 +.INDENT 3.5 +\fBget_principal\fP [\fB\-terse\fP] \fIprincipal\fP +.UNINDENT +.UNINDENT +.sp +Gets the attributes of principal. With the \fB\-terse\fP option, outputs +fields as quoted tab\-separated strings. +.sp +This command requires the \fBinquire\fP privilege, or that the principal +running the the program to be the same as the one being listed. +.sp +Alias: \fBgetprinc\fP +.sp +Examples: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +kadmin: getprinc tlyu/admin +Principal: tlyu/admin@BLEEP.COM +Expiration date: [never] +Last password change: Mon Aug 12 14:16:47 EDT 1996 +Password expiration date: [none] +Maximum ticket life: 0 days 10:00:00 +Maximum renewable life: 7 days 00:00:00 +Last modified: Mon Aug 12 14:16:47 EDT 1996 (bjaspan/admin@BLEEP.COM) +Last successful authentication: [never] +Last failed authentication: [never] +Failed password attempts: 0 +Number of keys: 2 +Key: vno 1, des\-cbc\-crc +Key: vno 1, des\-cbc\-crc:v4 +Attributes: +Policy: [none] + +kadmin: getprinc \-terse systest +systest@BLEEP.COM 3 86400 604800 1 +785926535 753241234 785900000 +tlyu/admin@BLEEP.COM 786100034 0 0 +kadmin: +.ft P +.fi +.UNINDENT +.UNINDENT +.SS list_principals +.INDENT 0.0 +.INDENT 3.5 +\fBlist_principals\fP [\fIexpression\fP] +.UNINDENT +.UNINDENT +.sp +Retrieves all or some principal names. \fIexpression\fP is a shell\-style +glob expression that can contain the wild\-card characters \fB?\fP, +\fB*\fP, and \fB[]\fP\&. All principal names matching the expression are +printed. If no expression is provided, all principal names are +printed. If the expression does not contain an \fB@\fP character, an +\fB@\fP character followed by the local realm is appended to the +expression. +.sp +This command requires the \fBlist\fP privilege. +.sp +Alias: \fBlistprincs\fP, \fBget_principals\fP, \fBget_princs\fP +.sp +Example: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +kadmin: listprincs test* +test3@SECURE\-TEST.OV.COM +test2@SECURE\-TEST.OV.COM +test1@SECURE\-TEST.OV.COM +testuser@SECURE\-TEST.OV.COM +kadmin: +.ft P +.fi +.UNINDENT +.UNINDENT +.SS get_strings +.INDENT 0.0 +.INDENT 3.5 +\fBget_strings\fP \fIprincipal\fP +.UNINDENT +.UNINDENT +.sp +Displays string attributes on \fIprincipal\fP\&. +.sp +This command requires the \fBinquire\fP privilege. +.sp +Alias: \fBgetstr\fP +.SS set_string +.INDENT 0.0 +.INDENT 3.5 +\fBset_string\fP \fIprincipal\fP \fIname\fP \fIvalue\fP +.UNINDENT +.UNINDENT +.sp +Sets a string attribute on \fIprincipal\fP\&. String attributes are used to +supply per\-principal configuration to the KDC and some KDC plugin +modules. The following string attribute names are recognized by the +KDC: +.INDENT 0.0 +.TP +.B \fBrequire_auth\fP +Specifies an authentication indicator which is required to +authenticate to the principal as a service. Multiple indicators +can be specified, separated by spaces; in this case any of the +specified indicators will be accepted. (New in release 1.14.) +.TP +.B \fBsession_enctypes\fP +Specifies the encryption types supported for session keys when the +principal is authenticated to as a server. See +\fIEncryption_types\fP in \fIkdc.conf(5)\fP for a list of the +accepted values. +.TP +.B \fBotp\fP +Enables One Time Passwords (OTP) preauthentication for a client +\fIprincipal\fP\&. The \fIvalue\fP is a JSON string representing an array +of objects, each having optional \fBtype\fP and \fBusername\fP fields. +.UNINDENT +.sp +This command requires the \fBmodify\fP privilege. +.sp +Alias: \fBsetstr\fP +.sp +Example: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +set_string host/foo.mit.edu session_enctypes aes128\-cts +set_string user@FOO.COM otp "[{""type"":""hotp"",""username"":""al""}]" +.ft P +.fi +.UNINDENT +.UNINDENT +.SS del_string +.INDENT 0.0 +.INDENT 3.5 +\fBdel_string\fP \fIprincipal\fP \fIkey\fP +.UNINDENT +.UNINDENT +.sp +Deletes a string attribute from \fIprincipal\fP\&. +.sp +This command requires the \fBdelete\fP privilege. +.sp +Alias: \fBdelstr\fP +.SS add_policy +.INDENT 0.0 +.INDENT 3.5 +\fBadd_policy\fP [\fIoptions\fP] \fIpolicy\fP +.UNINDENT +.UNINDENT +.sp +Adds a password policy named \fIpolicy\fP to the database. +.sp +This command requires the \fBadd\fP privilege. +.sp +Alias: \fBaddpol\fP +.sp +The following options are available: +.INDENT 0.0 +.TP +.B \fB\-maxlife\fP \fItime\fP +(\fIduration\fP or \fIgetdate\fP string) Sets the maximum +lifetime of a password. +.TP +.B \fB\-minlife\fP \fItime\fP +(\fIduration\fP or \fIgetdate\fP string) Sets the minimum +lifetime of a password. +.TP +.B \fB\-minlength\fP \fIlength\fP +Sets the minimum length of a password. +.TP +.B \fB\-minclasses\fP \fInumber\fP +Sets the minimum number of character classes required in a +password. The five character classes are lower case, upper case, +numbers, punctuation, and whitespace/unprintable characters. +.TP +.B \fB\-history\fP \fInumber\fP +Sets the number of past keys kept for a principal. This option is +not supported with the LDAP KDC database module. +.UNINDENT +.INDENT 0.0 +.TP +.B \fB\-maxfailure\fP \fImaxnumber\fP +Sets the number of authentication failures before the principal is +locked. Authentication failures are only tracked for principals +which require preauthentication. The counter of failed attempts +resets to 0 after a successful attempt to authenticate. A +\fImaxnumber\fP value of 0 (the default) disables lockout. +.UNINDENT +.INDENT 0.0 +.TP +.B \fB\-failurecountinterval\fP \fIfailuretime\fP +(\fIduration\fP or \fIgetdate\fP string) Sets the allowable time +between authentication failures. If an authentication failure +happens after \fIfailuretime\fP has elapsed since the previous +failure, the number of authentication failures is reset to 1. A +\fIfailuretime\fP value of 0 (the default) means forever. +.UNINDENT +.INDENT 0.0 +.TP +.B \fB\-lockoutduration\fP \fIlockouttime\fP +(\fIduration\fP or \fIgetdate\fP string) Sets the duration for +which the principal is locked from authenticating if too many +authentication failures occur without the specified failure count +interval elapsing. A duration of 0 (the default) means the +principal remains locked out until it is administratively unlocked +with \fBmodprinc \-unlock\fP\&. +.TP +.B \fB\-allowedkeysalts\fP +Specifies the key/salt tuples supported for long\-term keys when +setting or changing a principal\(aqs password/keys. See +\fIKeysalt_lists\fP in \fIkdc.conf(5)\fP for a list of the +accepted values, but note that key/salt tuples must be separated +with commas (\(aq,\(aq) only. To clear the allowed key/salt policy use +a value of \(aq\-\(aq. +.UNINDENT +.sp +Example: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +kadmin: add_policy \-maxlife "2 days" \-minlength 5 guests +kadmin: +.ft P +.fi +.UNINDENT +.UNINDENT +.SS modify_policy +.INDENT 0.0 +.INDENT 3.5 +\fBmodify_policy\fP [\fIoptions\fP] \fIpolicy\fP +.UNINDENT +.UNINDENT +.sp +Modifies the password policy named \fIpolicy\fP\&. Options are as described +for \fBadd_policy\fP\&. +.sp +This command requires the \fBmodify\fP privilege. +.sp +Alias: \fBmodpol\fP +.SS delete_policy +.INDENT 0.0 +.INDENT 3.5 +\fBdelete_policy\fP [\fB\-force\fP] \fIpolicy\fP +.UNINDENT +.UNINDENT +.sp +Deletes the password policy named \fIpolicy\fP\&. Prompts for confirmation +before deletion. The command will fail if the policy is in use by any +principals. +.sp +This command requires the \fBdelete\fP privilege. +.sp +Alias: \fBdelpol\fP +.sp +Example: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +kadmin: del_policy guests +Are you sure you want to delete the policy "guests"? +(yes/no): yes +kadmin: +.ft P +.fi +.UNINDENT +.UNINDENT +.SS get_policy +.INDENT 0.0 +.INDENT 3.5 +\fBget_policy\fP [ \fB\-terse\fP ] \fIpolicy\fP +.UNINDENT +.UNINDENT +.sp +Displays the values of the password policy named \fIpolicy\fP\&. With the +\fB\-terse\fP flag, outputs the fields as quoted strings separated by +tabs. +.sp +This command requires the \fBinquire\fP privilege. +.sp +Alias: getpol +.sp +Examples: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +kadmin: get_policy admin +Policy: admin +Maximum password life: 180 days 00:00:00 +Minimum password life: 00:00:00 +Minimum password length: 6 +Minimum number of password character classes: 2 +Number of old keys kept: 5 +Reference count: 17 + +kadmin: get_policy \-terse admin +admin 15552000 0 6 2 5 17 +kadmin: +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +The "Reference count" is the number of principals using that policy. +With the LDAP KDC database module, the reference count field is not +meaningful. +.SS list_policies +.INDENT 0.0 +.INDENT 3.5 +\fBlist_policies\fP [\fIexpression\fP] +.UNINDENT +.UNINDENT +.sp +Retrieves all or some policy names. \fIexpression\fP is a shell\-style +glob expression that can contain the wild\-card characters \fB?\fP, +\fB*\fP, and \fB[]\fP\&. All policy names matching the expression are +printed. If no expression is provided, all existing policy names are +printed. +.sp +This command requires the \fBlist\fP privilege. +.sp +Aliases: \fBlistpols\fP, \fBget_policies\fP, \fBgetpols\fP\&. +.sp +Examples: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +kadmin: listpols +test\-pol +dict\-only +once\-a\-min +test\-pol\-nopw + +kadmin: listpols t* +test\-pol +test\-pol\-nopw +kadmin: +.ft P +.fi +.UNINDENT +.UNINDENT +.SS ktadd +.INDENT 0.0 +.INDENT 3.5 +.nf +\fBktadd\fP [options] \fIprincipal\fP +\fBktadd\fP [options] \fB\-glob\fP \fIprinc\-exp\fP +.fi +.sp +.UNINDENT +.UNINDENT +.sp +Adds a \fIprincipal\fP, or all principals matching \fIprinc\-exp\fP, to a +keytab file. Each principal\(aqs keys are randomized in the process. +The rules for \fIprinc\-exp\fP are described in the \fBlist_principals\fP +command. +.sp +This command requires the \fBinquire\fP and \fBchangepw\fP privileges. +With the \fB\-glob\fP form, it also requires the \fBlist\fP privilege. +.sp +The options are: +.INDENT 0.0 +.TP +.B \fB\-k[eytab]\fP \fIkeytab\fP +Use \fIkeytab\fP as the keytab file. Otherwise, the default keytab is +used. +.TP +.B \fB\-e\fP \fIenc\fP:\fIsalt\fP,... +Uses the specified keysalt list for setting the new keys of the +principal. See \fIKeysalt_lists\fP in \fIkdc.conf(5)\fP for a +list of possible values. +.TP +.B \fB\-q\fP +Display less verbose information. +.TP +.B \fB\-norandkey\fP +Do not randomize the keys. The keys and their version numbers stay +unchanged. This option cannot be specified in combination with the +\fB\-e\fP option. +.UNINDENT +.sp +An entry for each of the principal\(aqs unique encryption types is added, +ignoring multiple keys with the same encryption type but different +salt types. +.sp +Example: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +kadmin: ktadd \-k /tmp/foo\-new\-keytab host/foo.mit.edu +Entry for principal host/foo.mit.edu@ATHENA.MIT.EDU with kvno 3, + encryption type aes256\-cts\-hmac\-sha1\-96 added to keytab + FILE:/tmp/foo\-new\-keytab +kadmin: +.ft P +.fi +.UNINDENT +.UNINDENT +.SS ktremove +.INDENT 0.0 +.INDENT 3.5 +\fBktremove\fP [options] \fIprincipal\fP [\fIkvno\fP | \fIall\fP | \fIold\fP] +.UNINDENT +.UNINDENT +.sp +Removes entries for the specified \fIprincipal\fP from a keytab. Requires +no permissions, since this does not require database access. +.sp +If the string "all" is specified, all entries for that principal are +removed; if the string "old" is specified, all entries for that +principal except those with the highest kvno are removed. Otherwise, +the value specified is parsed as an integer, and all entries whose +kvno match that integer are removed. +.sp +The options are: +.INDENT 0.0 +.TP +.B \fB\-k[eytab]\fP \fIkeytab\fP +Use \fIkeytab\fP as the keytab file. Otherwise, the default keytab is +used. +.TP +.B \fB\-q\fP +Display less verbose information. +.UNINDENT +.sp +Example: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +kadmin: ktremove kadmin/admin all +Entry for principal kadmin/admin with kvno 3 removed from keytab + FILE:/etc/krb5.keytab +kadmin: +.ft P +.fi +.UNINDENT +.UNINDENT +.SS lock +.sp +Lock database exclusively. Use with extreme caution! This command +only works with the DB2 KDC database module. +.SS unlock +.sp +Release the exclusive database lock. +.SS list_requests +.sp +Lists available for kadmin requests. +.sp +Aliases: \fBlr\fP, \fB?\fP +.SS quit +.sp +Exit program. If the database was locked, the lock is released. +.sp +Aliases: \fBexit\fP, \fBq\fP +.SH HISTORY +.sp +The kadmin program was originally written by Tom Yu at MIT, as an +interface to the OpenVision Kerberos administration program. +.SH SEE ALSO +.sp +\fIkpasswd(1)\fP, \fIkadmind(8)\fP +.SH AUTHOR +MIT +.SH COPYRIGHT +1985-2017, MIT +.\" Generated by docutils manpage writer. +. diff --git a/src/man/kadmind.man b/src/man/kadmind.man new file mode 100644 index 000000000000..65647f97c797 --- /dev/null +++ b/src/man/kadmind.man @@ -0,0 +1,150 @@ +.\" Man page generated from reStructuredText. +. +.TH "KADMIND" "8" " " "1.15.1" "MIT Kerberos" +.SH NAME +kadmind \- KADM5 administration server +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.SH SYNOPSIS +.sp +\fBkadmind\fP +[\fB\-x\fP \fIdb_args\fP] +[\fB\-r\fP \fIrealm\fP] +[\fB\-m\fP] +[\fB\-nofork\fP] +[\fB\-proponly\fP] +[\fB\-port\fP \fIport\-number\fP] +[\fB\-P\fP \fIpid_file\fP] +[\fB\-p\fP \fIkdb5_util_path\fP] +[\fB\-K\fP \fIkprop_path\fP] +[\fB\-k\fP \fIkprop_port\fP] +[\fB\-F\fP \fIdump_file\fP] +.SH DESCRIPTION +.sp +kadmind starts the Kerberos administration server. kadmind typically +runs on the master Kerberos server, which stores the KDC database. If +the KDC database uses the LDAP module, the administration server and +the KDC server need not run on the same machine. kadmind accepts +remote requests from programs such as \fIkadmin(1)\fP and +\fIkpasswd(1)\fP to administer the information in these database. +.sp +kadmind requires a number of configuration files to be set up in order +for it to work: +.INDENT 0.0 +.TP +.B \fIkdc.conf(5)\fP +The KDC configuration file contains configuration information for +the KDC and admin servers. kadmind uses settings in this file to +locate the Kerberos database, and is also affected by the +\fBacl_file\fP, \fBdict_file\fP, \fBkadmind_port\fP, and iprop\-related +settings. +.TP +.B \fIkadm5.acl(5)\fP +kadmind\(aqs ACL (access control list) tells it which principals are +allowed to perform administration actions. The pathname to the +ACL file can be specified with the \fBacl_file\fP \fIkdc.conf(5)\fP +variable; by default, it is \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/kadm5.acl\fP\&. +.UNINDENT +.sp +After the server begins running, it puts itself in the background and +disassociates itself from its controlling terminal. +.sp +kadmind can be configured for incremental database propagation. +Incremental propagation allows slave KDC servers to receive principal +and policy updates incrementally instead of receiving full dumps of +the database. This facility can be enabled in the \fIkdc.conf(5)\fP +file with the \fBiprop_enable\fP option. Incremental propagation +requires the principal \fBkiprop/MASTER\e@REALM\fP (where MASTER is the +master KDC\(aqs canonical host name, and REALM the realm name). In +release 1.13, this principal is automatically created and registered +into the datebase. +.SH OPTIONS +.INDENT 0.0 +.TP +.B \fB\-r\fP \fIrealm\fP +specifies the realm that kadmind will serve; if it is not +specified, the default realm of the host is used. +.TP +.B \fB\-m\fP +causes the master database password to be fetched from the +keyboard (before the server puts itself in the background, if not +invoked with the \fB\-nofork\fP option) rather than from a file on +disk. +.TP +.B \fB\-nofork\fP +causes the server to remain in the foreground and remain +associated to the terminal. In normal operation, you should allow +the server to place itself in the background. +.TP +.B \fB\-proponly\fP +causes the server to only listen and respond to Kerberos slave +incremental propagation polling requests. This option can be used +to set up a hierarchical propagation topology where a slave KDC +provides incremental updates to other Kerberos slaves. +.TP +.B \fB\-port\fP \fIport\-number\fP +specifies the port on which the administration server listens for +connections. The default port is determined by the +\fBkadmind_port\fP configuration variable in \fIkdc.conf(5)\fP\&. +.TP +.B \fB\-P\fP \fIpid_file\fP +specifies the file to which the PID of kadmind process should be +written after it starts up. This file can be used to identify +whether kadmind is still running and to allow init scripts to stop +the correct process. +.TP +.B \fB\-p\fP \fIkdb5_util_path\fP +specifies the path to the kdb5_util command to use when dumping the +KDB in response to full resync requests when iprop is enabled. +.TP +.B \fB\-K\fP \fIkprop_path\fP +specifies the path to the kprop command to use to send full dumps +to slaves in response to full resync requests. +.TP +.B \fB\-k\fP \fIkprop_port\fP +specifies the port by which the kprop process that is spawned by kadmind +connects to the slave kpropd, in order to transfer the dump file during +an iprop full resync request. +.TP +.B \fB\-F\fP \fIdump_file\fP +specifies the file path to be used for dumping the KDB in response +to full resync requests when iprop is enabled. +.TP +.B \fB\-x\fP \fIdb_args\fP +specifies database\-specific arguments. See \fIDatabase Options\fP in \fIkadmin(1)\fP for supported arguments. +.UNINDENT +.SH SEE ALSO +.sp +\fIkpasswd(1)\fP, \fIkadmin(1)\fP, \fIkdb5_util(8)\fP, +\fIkdb5_ldap_util(8)\fP, \fIkadm5.acl(5)\fP +.SH AUTHOR +MIT +.SH COPYRIGHT +1985-2017, MIT +.\" Generated by docutils manpage writer. +. diff --git a/src/man/kdb5_ldap_util.man b/src/man/kdb5_ldap_util.man new file mode 100644 index 000000000000..83591a70c12c --- /dev/null +++ b/src/man/kdb5_ldap_util.man @@ -0,0 +1,549 @@ +.\" Man page generated from reStructuredText. +. +.TH "KDB5_LDAP_UTIL" "8" " " "1.15.1" "MIT Kerberos" +.SH NAME +kdb5_ldap_util \- Kerberos configuration utility +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.SH SYNOPSIS +.sp +\fBkdb5_ldap_util\fP +[\fB\-D\fP \fIuser_dn\fP [\fB\-w\fP \fIpasswd\fP]] +[\fB\-H\fP \fIldapuri\fP] +\fBcommand\fP +[\fIcommand_options\fP] +.SH DESCRIPTION +.sp +kdb5_ldap_util allows an administrator to manage realms, Kerberos +services and ticket policies. +.SH COMMAND-LINE OPTIONS +.INDENT 0.0 +.TP +.B \fB\-D\fP \fIuser_dn\fP +Specifies the Distinguished Name (DN) of the user who has +sufficient rights to perform the operation on the LDAP server. +.TP +.B \fB\-w\fP \fIpasswd\fP +Specifies the password of \fIuser_dn\fP\&. This option is not +recommended. +.TP +.B \fB\-H\fP \fIldapuri\fP +Specifies the URI of the LDAP server. It is recommended to use +\fBldapi://\fP or \fBldaps://\fP to connect to the LDAP server. +.UNINDENT +.SH COMMANDS +.SS create +.INDENT 0.0 +.INDENT 3.5 +\fBcreate\fP +[\fB\-subtrees\fP \fIsubtree_dn_list\fP] +[\fB\-sscope\fP \fIsearch_scope\fP] +[\fB\-containerref\fP \fIcontainer_reference_dn\fP] +[\fB\-k\fP \fImkeytype\fP] +[\fB\-kv\fP \fImkeyVNO\fP] +[\fB\-m|\-P\fP \fIpassword\fP|\fB\-sf\fP \fIstashfilename\fP] +[\fB\-s\fP] +[\fB\-r\fP \fIrealm\fP] +[\fB\-maxtktlife\fP \fImax_ticket_life\fP] +[\fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP] +[\fIticket_flags\fP] +.UNINDENT +.UNINDENT +.sp +Creates realm in directory. Options: +.INDENT 0.0 +.TP +.B \fB\-subtrees\fP \fIsubtree_dn_list\fP +Specifies the list of subtrees containing the principals of a +realm. The list contains the DNs of the subtree objects separated +by colon (\fB:\fP). +.TP +.B \fB\-sscope\fP \fIsearch_scope\fP +Specifies the scope for searching the principals under the +subtree. The possible values are 1 or one (one level), 2 or sub +(subtrees). +.TP +.B \fB\-containerref\fP \fIcontainer_reference_dn\fP +Specifies the DN of the container object in which the principals +of a realm will be created. If the container reference is not +configured for a realm, the principals will be created in the +realm container. +.TP +.B \fB\-k\fP \fImkeytype\fP +Specifies the key type of the master key in the database. The +default is given by the \fBmaster_key_type\fP variable in +\fIkdc.conf(5)\fP\&. +.TP +.B \fB\-kv\fP \fImkeyVNO\fP +Specifies the version number of the master key in the database; +the default is 1. Note that 0 is not allowed. +.TP +.B \fB\-m\fP +Specifies that the master database password should be read from +the TTY rather than fetched from a file on the disk. +.TP +.B \fB\-P\fP \fIpassword\fP +Specifies the master database password. This option is not +recommended. +.TP +.B \fB\-r\fP \fIrealm\fP +Specifies the Kerberos realm of the database. +.TP +.B \fB\-sf\fP \fIstashfilename\fP +Specifies the stash file of the master database password. +.TP +.B \fB\-s\fP +Specifies that the stash file is to be created. +.TP +.B \fB\-maxtktlife\fP \fImax_ticket_life\fP +(\fIgetdate\fP string) Specifies maximum ticket life for +principals in this realm. +.TP +.B \fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP +(\fIgetdate\fP string) Specifies maximum renewable life of +tickets for principals in this realm. +.TP +.B \fIticket_flags\fP +Specifies global ticket flags for the realm. Allowable flags are +documented in the description of the \fBadd_principal\fP command in +\fIkadmin(1)\fP\&. +.UNINDENT +.sp +Example: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu + create \-subtrees o=org \-sscope SUB \-r ATHENA.MIT.EDU +Password for "cn=admin,o=org": +Initializing database for realm \(aqATHENA.MIT.EDU\(aq +You will be prompted for the database Master Password. +It is important that you NOT FORGET this password. +Enter KDC database master key: +Re\-enter KDC database master key to verify: +.ft P +.fi +.UNINDENT +.UNINDENT +.SS modify +.INDENT 0.0 +.INDENT 3.5 +\fBmodify\fP +[\fB\-subtrees\fP \fIsubtree_dn_list\fP] +[\fB\-sscope\fP \fIsearch_scope\fP] +[\fB\-containerref\fP \fIcontainer_reference_dn\fP] +[\fB\-r\fP \fIrealm\fP] +[\fB\-maxtktlife\fP \fImax_ticket_life\fP] +[\fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP] +[\fIticket_flags\fP] +.UNINDENT +.UNINDENT +.sp +Modifies the attributes of a realm. Options: +.INDENT 0.0 +.TP +.B \fB\-subtrees\fP \fIsubtree_dn_list\fP +Specifies the list of subtrees containing the principals of a +realm. The list contains the DNs of the subtree objects separated +by colon (\fB:\fP). This list replaces the existing list. +.TP +.B \fB\-sscope\fP \fIsearch_scope\fP +Specifies the scope for searching the principals under the +subtrees. The possible values are 1 or one (one level), 2 or sub +(subtrees). +.TP +.B \fB\-containerref\fP \fIcontainer_reference_dn\fP Specifies the DN of the +container object in which the principals of a realm will be +created. +.TP +.B \fB\-r\fP \fIrealm\fP +Specifies the Kerberos realm of the database. +.TP +.B \fB\-maxtktlife\fP \fImax_ticket_life\fP +(\fIgetdate\fP string) Specifies maximum ticket life for +principals in this realm. +.TP +.B \fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP +(\fIgetdate\fP string) Specifies maximum renewable life of +tickets for principals in this realm. +.TP +.B \fIticket_flags\fP +Specifies global ticket flags for the realm. Allowable flags are +documented in the description of the \fBadd_principal\fP command in +\fIkadmin(1)\fP\&. +.UNINDENT +.sp +Example: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +shell% kdb5_ldap_util \-D cn=admin,o=org \-H + ldaps://ldap\-server1.mit.edu modify +requires_preauth \-r + ATHENA.MIT.EDU +Password for "cn=admin,o=org": +shell% +.ft P +.fi +.UNINDENT +.UNINDENT +.SS view +.INDENT 0.0 +.INDENT 3.5 +\fBview\fP [\fB\-r\fP \fIrealm\fP] +.UNINDENT +.UNINDENT +.sp +Displays the attributes of a realm. Options: +.INDENT 0.0 +.TP +.B \fB\-r\fP \fIrealm\fP +Specifies the Kerberos realm of the database. +.UNINDENT +.sp +Example: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu + view \-r ATHENA.MIT.EDU +Password for "cn=admin,o=org": +Realm Name: ATHENA.MIT.EDU +Subtree: ou=users,o=org +Subtree: ou=servers,o=org +SearchScope: ONE +Maximum ticket life: 0 days 01:00:00 +Maximum renewable life: 0 days 10:00:00 +Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE +.ft P +.fi +.UNINDENT +.UNINDENT +.SS destroy +.INDENT 0.0 +.INDENT 3.5 +\fBdestroy\fP [\fB\-f\fP] [\fB\-r\fP \fIrealm\fP] +.UNINDENT +.UNINDENT +.sp +Destroys an existing realm. Options: +.INDENT 0.0 +.TP +.B \fB\-f\fP +If specified, will not prompt the user for confirmation. +.TP +.B \fB\-r\fP \fIrealm\fP +Specifies the Kerberos realm of the database. +.UNINDENT +.sp +Example: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +shell% kdb5_ldap_util \-D cn=admin,o=org \-H + ldaps://ldap\-server1.mit.edu destroy \-r ATHENA.MIT.EDU +Password for "cn=admin,o=org": +Deleting KDC database of \(aqATHENA.MIT.EDU\(aq, are you sure? +(type \(aqyes\(aq to confirm)? yes +OK, deleting database of \(aqATHENA.MIT.EDU\(aq... +shell% +.ft P +.fi +.UNINDENT +.UNINDENT +.SS list +.INDENT 0.0 +.INDENT 3.5 +\fBlist\fP +.UNINDENT +.UNINDENT +.sp +Lists the name of realms. +.sp +Example: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +shell% kdb5_ldap_util \-D cn=admin,o=org \-H + ldaps://ldap\-server1.mit.edu list +Password for "cn=admin,o=org": +ATHENA.MIT.EDU +OPENLDAP.MIT.EDU +MEDIA\-LAB.MIT.EDU +shell% +.ft P +.fi +.UNINDENT +.UNINDENT +.SS stashsrvpw +.INDENT 0.0 +.INDENT 3.5 +\fBstashsrvpw\fP +[\fB\-f\fP \fIfilename\fP] +\fIname\fP +.UNINDENT +.UNINDENT +.sp +Allows an administrator to store the password for service object in a +file so that KDC and Administration server can use it to authenticate +to the LDAP server. Options: +.INDENT 0.0 +.TP +.B \fB\-f\fP \fIfilename\fP +Specifies the complete path of the service password file. By +default, \fB/usr/local/var/service_passwd\fP is used. +.TP +.B \fIname\fP +Specifies the name of the object whose password is to be stored. +If \fIkrb5kdc(8)\fP or \fIkadmind(8)\fP are configured for +simple binding, this should be the distinguished name it will +use as given by the \fBldap_kdc_dn\fP or \fBldap_kadmind_dn\fP +variable in \fIkdc.conf(5)\fP\&. If the KDC or kadmind is +configured for SASL binding, this should be the authentication +name it will use as given by the \fBldap_kdc_sasl_authcid\fP or +\fBldap_kadmind_sasl_authcid\fP variable. +.UNINDENT +.sp +Example: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +kdb5_ldap_util stashsrvpw \-f /home/andrew/conf_keyfile + cn=service\-kdc,o=org +Password for "cn=service\-kdc,o=org": +Re\-enter password for "cn=service\-kdc,o=org": +.ft P +.fi +.UNINDENT +.UNINDENT +.SS create_policy +.INDENT 0.0 +.INDENT 3.5 +\fBcreate_policy\fP +[\fB\-r\fP \fIrealm\fP] +[\fB\-maxtktlife\fP \fImax_ticket_life\fP] +[\fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP] +[\fIticket_flags\fP] +\fIpolicy_name\fP +.UNINDENT +.UNINDENT +.sp +Creates a ticket policy in the directory. Options: +.INDENT 0.0 +.TP +.B \fB\-r\fP \fIrealm\fP +Specifies the Kerberos realm of the database. +.TP +.B \fB\-maxtktlife\fP \fImax_ticket_life\fP +(\fIgetdate\fP string) Specifies maximum ticket life for +principals. +.TP +.B \fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP +(\fIgetdate\fP string) Specifies maximum renewable life of +tickets for principals. +.TP +.B \fIticket_flags\fP +Specifies the ticket flags. If this option is not specified, by +default, no restriction will be set by the policy. Allowable +flags are documented in the description of the \fBadd_principal\fP +command in \fIkadmin(1)\fP\&. +.TP +.B \fIpolicy_name\fP +Specifies the name of the ticket policy. +.UNINDENT +.sp +Example: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu + create_policy \-r ATHENA.MIT.EDU \-maxtktlife "1 day" + \-maxrenewlife "1 week" \-allow_postdated +needchange + \-allow_forwardable tktpolicy +Password for "cn=admin,o=org": +.ft P +.fi +.UNINDENT +.UNINDENT +.SS modify_policy +.INDENT 0.0 +.INDENT 3.5 +\fBmodify_policy\fP +[\fB\-r\fP \fIrealm\fP] +[\fB\-maxtktlife\fP \fImax_ticket_life\fP] +[\fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP] +[\fIticket_flags\fP] +\fIpolicy_name\fP +.UNINDENT +.UNINDENT +.sp +Modifies the attributes of a ticket policy. Options are same as for +\fBcreate_policy\fP\&. +.sp +Example: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +kdb5_ldap_util \-D cn=admin,o=org \-H + ldaps://ldap\-server1.mit.edu modify_policy \-r ATHENA.MIT.EDU + \-maxtktlife "60 minutes" \-maxrenewlife "10 hours" + +allow_postdated \-requires_preauth tktpolicy +Password for "cn=admin,o=org": +.ft P +.fi +.UNINDENT +.UNINDENT +.SS view_policy +.INDENT 0.0 +.INDENT 3.5 +\fBview_policy\fP +[\fB\-r\fP \fIrealm\fP] +\fIpolicy_name\fP +.UNINDENT +.UNINDENT +.sp +Displays the attributes of a ticket policy. Options: +.INDENT 0.0 +.TP +.B \fIpolicy_name\fP +Specifies the name of the ticket policy. +.UNINDENT +.sp +Example: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu + view_policy \-r ATHENA.MIT.EDU tktpolicy +Password for "cn=admin,o=org": +Ticket policy: tktpolicy +Maximum ticket life: 0 days 01:00:00 +Maximum renewable life: 0 days 10:00:00 +Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE +.ft P +.fi +.UNINDENT +.UNINDENT +.SS destroy_policy +.INDENT 0.0 +.INDENT 3.5 +\fBdestroy_policy\fP +[\fB\-r\fP \fIrealm\fP] +[\fB\-force\fP] +\fIpolicy_name\fP +.UNINDENT +.UNINDENT +.sp +Destroys an existing ticket policy. Options: +.INDENT 0.0 +.TP +.B \fB\-r\fP \fIrealm\fP +Specifies the Kerberos realm of the database. +.TP +.B \fB\-force\fP +Forces the deletion of the policy object. If not specified, the +user will be prompted for confirmation before deleting the policy. +.TP +.B \fIpolicy_name\fP +Specifies the name of the ticket policy. +.UNINDENT +.sp +Example: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu + destroy_policy \-r ATHENA.MIT.EDU tktpolicy +Password for "cn=admin,o=org": +This will delete the policy object \(aqtktpolicy\(aq, are you sure? +(type \(aqyes\(aq to confirm)? yes +** policy object \(aqtktpolicy\(aq deleted. +.ft P +.fi +.UNINDENT +.UNINDENT +.SS list_policy +.INDENT 0.0 +.INDENT 3.5 +\fBlist_policy\fP +[\fB\-r\fP \fIrealm\fP] +.UNINDENT +.UNINDENT +.sp +Lists the ticket policies in realm if specified or in the default +realm. Options: +.INDENT 0.0 +.TP +.B \fB\-r\fP \fIrealm\fP +Specifies the Kerberos realm of the database. +.UNINDENT +.sp +Example: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu + list_policy \-r ATHENA.MIT.EDU +Password for "cn=admin,o=org": +tktpolicy +tmppolicy +userpolicy +.ft P +.fi +.UNINDENT +.UNINDENT +.SH SEE ALSO +.sp +\fIkadmin(1)\fP +.SH AUTHOR +MIT +.SH COPYRIGHT +1985-2017, MIT +.\" Generated by docutils manpage writer. +. diff --git a/src/man/kdb5_util.man b/src/man/kdb5_util.man new file mode 100644 index 000000000000..cb637cbb0015 --- /dev/null +++ b/src/man/kdb5_util.man @@ -0,0 +1,557 @@ +.\" Man page generated from reStructuredText. +. +.TH "KDB5_UTIL" "8" " " "1.15.1" "MIT Kerberos" +.SH NAME +kdb5_util \- Kerberos database maintenance utility +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.SH SYNOPSIS +.sp +\fBkdb5_util\fP +[\fB\-r\fP \fIrealm\fP] +[\fB\-d\fP \fIdbname\fP] +[\fB\-k\fP \fImkeytype\fP] +[\fB\-M\fP \fImkeyname\fP] +[\fB\-kv\fP \fImkeyVNO\fP] +[\fB\-sf\fP \fIstashfilename\fP] +[\fB\-m\fP] +\fIcommand\fP [\fIcommand_options\fP] +.SH DESCRIPTION +.sp +kdb5_util allows an administrator to perform maintenance procedures on +the KDC database. Databases can be created, destroyed, and dumped to +or loaded from ASCII files. kdb5_util can create a Kerberos master +key stash file or perform live rollover of the master key. +.sp +When kdb5_util is run, it attempts to acquire the master key and open +the database. However, execution continues regardless of whether or +not kdb5_util successfully opens the database, because the database +may not exist yet or the stash file may be corrupt. +.sp +Note that some KDC database modules may not support all kdb5_util +commands. +.SH COMMAND-LINE OPTIONS +.INDENT 0.0 +.TP +.B \fB\-r\fP \fIrealm\fP +specifies the Kerberos realm of the database. +.TP +.B \fB\-d\fP \fIdbname\fP +specifies the name under which the principal database is stored; +by default the database is that listed in \fIkdc.conf(5)\fP\&. The +password policy database and lock files are also derived from this +value. +.TP +.B \fB\-k\fP \fImkeytype\fP +specifies the key type of the master key in the database. The +default is given by the \fBmaster_key_type\fP variable in +\fIkdc.conf(5)\fP\&. +.TP +.B \fB\-kv\fP \fImkeyVNO\fP +Specifies the version number of the master key in the database; +the default is 1. Note that 0 is not allowed. +.TP +.B \fB\-M\fP \fImkeyname\fP +principal name for the master key in the database. If not +specified, the name is determined by the \fBmaster_key_name\fP +variable in \fIkdc.conf(5)\fP\&. +.TP +.B \fB\-m\fP +specifies that the master database password should be read from +the keyboard rather than fetched from a file on disk. +.TP +.B \fB\-sf\fP \fIstash_file\fP +specifies the stash filename of the master database password. If +not specified, the filename is determined by the +\fBkey_stash_file\fP variable in \fIkdc.conf(5)\fP\&. +.TP +.B \fB\-P\fP \fIpassword\fP +specifies the master database password. Using this option may +expose the password to other users on the system via the process +list. +.UNINDENT +.SH COMMANDS +.SS create +.INDENT 0.0 +.INDENT 3.5 +\fBcreate\fP [\fB\-s\fP] +.UNINDENT +.UNINDENT +.sp +Creates a new database. If the \fB\-s\fP option is specified, the stash +file is also created. This command fails if the database already +exists. If the command is successful, the database is opened just as +if it had already existed when the program was first run. +.SS destroy +.INDENT 0.0 +.INDENT 3.5 +\fBdestroy\fP [\fB\-f\fP] +.UNINDENT +.UNINDENT +.sp +Destroys the database, first overwriting the disk sectors and then +unlinking the files, after prompting the user for confirmation. With +the \fB\-f\fP argument, does not prompt the user. +.SS stash +.INDENT 0.0 +.INDENT 3.5 +\fBstash\fP [\fB\-f\fP \fIkeyfile\fP] +.UNINDENT +.UNINDENT +.sp +Stores the master principal\(aqs keys in a stash file. The \fB\-f\fP +argument can be used to override the \fIkeyfile\fP specified in +\fIkdc.conf(5)\fP\&. +.SS dump +.INDENT 0.0 +.INDENT 3.5 +\fBdump\fP [\fB\-b7\fP|\fB\-ov\fP|\fB\-r13\fP] [\fB\-verbose\fP] +[\fB\-mkey_convert\fP] [\fB\-new_mkey_file\fP \fImkey_file\fP] [\fB\-rev\fP] +[\fB\-recurse\fP] [\fIfilename\fP [\fIprincipals\fP\&...]] +.UNINDENT +.UNINDENT +.sp +Dumps the current Kerberos and KADM5 database into an ASCII file. By +default, the database is dumped in current format, "kdb5_util +load_dump version 7". If filename is not specified, or is the string +"\-", the dump is sent to standard output. Options: +.INDENT 0.0 +.TP +.B \fB\-b7\fP +causes the dump to be in the Kerberos 5 Beta 7 format ("kdb5_util +load_dump version 4"). This was the dump format produced on +releases prior to 1.2.2. +.TP +.B \fB\-ov\fP +causes the dump to be in "ovsec_adm_export" format. +.TP +.B \fB\-r13\fP +causes the dump to be in the Kerberos 5 1.3 format ("kdb5_util +load_dump version 5"). This was the dump format produced on +releases prior to 1.8. +.TP +.B \fB\-r18\fP +causes the dump to be in the Kerberos 5 1.8 format ("kdb5_util +load_dump version 6"). This was the dump format produced on +releases prior to 1.11. +.TP +.B \fB\-verbose\fP +causes the name of each principal and policy to be printed as it +is dumped. +.TP +.B \fB\-mkey_convert\fP +prompts for a new master key. This new master key will be used to +re\-encrypt principal key data in the dumpfile. The principal keys +themselves will not be changed. +.TP +.B \fB\-new_mkey_file\fP \fImkey_file\fP +the filename of a stash file. The master key in this stash file +will be used to re\-encrypt the key data in the dumpfile. The key +data in the database will not be changed. +.TP +.B \fB\-rev\fP +dumps in reverse order. This may recover principals that do not +dump normally, in cases where database corruption has occurred. +.TP +.B \fB\-recurse\fP +causes the dump to walk the database recursively (btree only). +This may recover principals that do not dump normally, in cases +where database corruption has occurred. In cases of such +corruption, this option will probably retrieve more principals +than the \fB\-rev\fP option will. +.sp +Changed in version 1.15: Release 1.15 restored the functionality of the \fB\-recurse\fP +option. + +.sp +Changed in version 1.5: The \fB\-recurse\fP option ceased working until release 1.15, +doing a normal dump instead of a recursive traversal. + +.UNINDENT +.SS load +.INDENT 0.0 +.INDENT 3.5 +\fBload\fP [\fB\-b7\fP|\fB\-ov\fP|\fB\-r13\fP] [\fB\-hash\fP] +[\fB\-verbose\fP] [\fB\-update\fP] \fIfilename\fP [\fIdbname\fP] +.UNINDENT +.UNINDENT +.sp +Loads a database dump from the named file into the named database. If +no option is given to determine the format of the dump file, the +format is detected automatically and handled as appropriate. Unless +the \fB\-update\fP option is given, \fBload\fP creates a new database +containing only the data in the dump file, overwriting the contents of +any previously existing database. Note that when using the LDAP KDC +database module, the \fB\-update\fP flag is required. +.sp +Options: +.INDENT 0.0 +.TP +.B \fB\-b7\fP +requires the database to be in the Kerberos 5 Beta 7 format +("kdb5_util load_dump version 4"). This was the dump format +produced on releases prior to 1.2.2. +.TP +.B \fB\-ov\fP +requires the database to be in "ovsec_adm_import" format. Must be +used with the \fB\-update\fP option. +.TP +.B \fB\-r13\fP +requires the database to be in Kerberos 5 1.3 format ("kdb5_util +load_dump version 5"). This was the dump format produced on +releases prior to 1.8. +.TP +.B \fB\-r18\fP +requires the database to be in Kerberos 5 1.8 format ("kdb5_util +load_dump version 6"). This was the dump format produced on +releases prior to 1.11. +.TP +.B \fB\-hash\fP +requires the database to be stored as a hash. If this option is +not specified, the database will be stored as a btree. This +option is not recommended, as databases stored in hash format are +known to corrupt data and lose principals. +.TP +.B \fB\-verbose\fP +causes the name of each principal and policy to be printed as it +is dumped. +.TP +.B \fB\-update\fP +records from the dump file are added to or updated in the existing +database. Otherwise, a new database is created containing only +what is in the dump file and the old one destroyed upon successful +completion. +.UNINDENT +.sp +If specified, \fIdbname\fP overrides the value specified on the command +line or the default. +.SS ark +.INDENT 0.0 +.INDENT 3.5 +\fBark\fP [\fB\-e\fP \fIenc\fP:\fIsalt\fP,...] \fIprincipal\fP +.UNINDENT +.UNINDENT +.sp +Adds new random keys to \fIprincipal\fP at the next available key version +number. Keys for the current highest key version number will be +preserved. The \fB\-e\fP option specifies the list of encryption and +salt types to be used for the new keys. +.SS add_mkey +.INDENT 0.0 +.INDENT 3.5 +\fBadd_mkey\fP [\fB\-e\fP \fIetype\fP] [\fB\-s\fP] +.UNINDENT +.UNINDENT +.sp +Adds a new master key to the master key principal, but does not mark +it as active. Existing master keys will remain. The \fB\-e\fP option +specifies the encryption type of the new master key; see +\fIEncryption_types\fP in \fIkdc.conf(5)\fP for a list of possible +values. The \fB\-s\fP option stashes the new master key in the stash +file, which will be created if it doesn\(aqt already exist. +.sp +After a new master key is added, it should be propagated to slave +servers via a manual or periodic invocation of \fIkprop(8)\fP\&. Then, +the stash files on the slave servers should be updated with the +kdb5_util \fBstash\fP command. Once those steps are complete, the key +is ready to be marked active with the kdb5_util \fBuse_mkey\fP command. +.SS use_mkey +.INDENT 0.0 +.INDENT 3.5 +\fBuse_mkey\fP \fImkeyVNO\fP [\fItime\fP] +.UNINDENT +.UNINDENT +.sp +Sets the activation time of the master key specified by \fImkeyVNO\fP\&. +Once a master key becomes active, it will be used to encrypt newly +created principal keys. If no \fItime\fP argument is given, the current +time is used, causing the specified master key version to become +active immediately. The format for \fItime\fP is \fIgetdate\fP string. +.sp +After a new master key becomes active, the kdb5_util +\fBupdate_princ_encryption\fP command can be used to update all +principal keys to be encrypted in the new master key. +.SS list_mkeys +.INDENT 0.0 +.INDENT 3.5 +\fBlist_mkeys\fP +.UNINDENT +.UNINDENT +.sp +List all master keys, from most recent to earliest, in the master key +principal. The output will show the kvno, enctype, and salt type for +each mkey, similar to the output of \fIkadmin(1)\fP \fBgetprinc\fP\&. A +\fB*\fP following an mkey denotes the currently active master key. +.SS purge_mkeys +.INDENT 0.0 +.INDENT 3.5 +\fBpurge_mkeys\fP [\fB\-f\fP] [\fB\-n\fP] [\fB\-v\fP] +.UNINDENT +.UNINDENT +.sp +Delete master keys from the master key principal that are not used to +protect any principals. This command can be used to remove old master +keys all principal keys are protected by a newer master key. +.INDENT 0.0 +.TP +.B \fB\-f\fP +does not prompt for confirmation. +.TP +.B \fB\-n\fP +performs a dry run, showing master keys that would be purged, but +not actually purging any keys. +.TP +.B \fB\-v\fP +gives more verbose output. +.UNINDENT +.SS update_princ_encryption +.INDENT 0.0 +.INDENT 3.5 +\fBupdate_princ_encryption\fP [\fB\-f\fP] [\fB\-n\fP] [\fB\-v\fP] +[\fIprinc\-pattern\fP] +.UNINDENT +.UNINDENT +.sp +Update all principal records (or only those matching the +\fIprinc\-pattern\fP glob pattern) to re\-encrypt the key data using the +active database master key, if they are encrypted using a different +version, and give a count at the end of the number of principals +updated. If the \fB\-f\fP option is not given, ask for confirmation +before starting to make changes. The \fB\-v\fP option causes each +principal processed to be listed, with an indication as to whether it +needed updating or not. The \fB\-n\fP option performs a dry run, only +showing the actions which would have been taken. +.SS tabdump +.INDENT 0.0 +.INDENT 3.5 +\fBtabdump\fP [\fB\-H\fP] [\fB\-c\fP] [\fB\-e\fP] [\fB\-n\fP] [\fB\-o\fP \fIoutfile\fP] +\fIdumptype\fP +.UNINDENT +.UNINDENT +.sp +Dump selected fields of the database in a tabular format suitable for +reporting (e.g., using traditional Unix text processing tools) or +importing into relational databases. The data format is tab\-separated +(default), or optionally comma\-separated (CSV), with a fixed number of +columns. The output begins with a header line containing field names, +unless suppression is requested using the \fB\-H\fP option. +.sp +The \fIdumptype\fP parameter specifies the name of an output table (see +below). +.sp +Options: +.INDENT 0.0 +.TP +.B \fB\-H\fP +suppress writing the field names in a header line +.TP +.B \fB\-c\fP +use comma separated values (CSV) format, with minimal quoting, +instead of the default tab\-separated (unquoted, unescaped) format +.TP +.B \fB\-e\fP +write empty hexadecimal string fields as empty fields instead of +as "\-1". +.TP +.B \fB\-n\fP +produce numeric output for fields that normally have symbolic +output, such as enctypes and flag names. Also requests output of +time stamps as decimal POSIX time_t values. +.TP +.B \fB\-o\fP \fIoutfile\fP +write the dump to the specified output file instead of to standard +output +.UNINDENT +.sp +Dump types: +.INDENT 0.0 +.TP +.B \fBkeydata\fP +principal encryption key information, including actual key data +(which is still encrypted in the master key) +.INDENT 7.0 +.TP +.B \fBname\fP +principal name +.TP +.B \fBkeyindex\fP +index of this key in the principal\(aqs key list +.TP +.B \fBkvno\fP +key version number +.TP +.B \fBenctype\fP +encryption type +.TP +.B \fBkey\fP +key data as a hexadecimal string +.TP +.B \fBsalttype\fP +salt type +.TP +.B \fBsalt\fP +salt data as a hexadecimal string +.UNINDENT +.TP +.B \fBkeyinfo\fP +principal encryption key information (as in \fBkeydata\fP above), +excluding actual key data +.TP +.B \fBprinc_flags\fP +principal boolean attributes. Flag names print as hexadecimal +numbers if the \fB\-n\fP option is specified, and all flag positions +are printed regardless of whether or not they are set. If \fB\-n\fP +is not specified, print all known flag names for each principal, +but only print hexadecimal flag names if the corresponding flag is +set. +.INDENT 7.0 +.TP +.B \fBname\fP +principal name +.TP +.B \fBflag\fP +flag name +.TP +.B \fBvalue\fP +boolean value (0 for clear, or 1 for set) +.UNINDENT +.TP +.B \fBprinc_lockout\fP +state information used for tracking repeated password failures +.INDENT 7.0 +.TP +.B \fBname\fP +principal name +.TP +.B \fBlast_success\fP +time stamp of most recent successful authentication +.TP +.B \fBlast_failed\fP +time stamp of most recent failed authentication +.TP +.B \fBfail_count\fP +count of failed attempts +.UNINDENT +.TP +.B \fBprinc_meta\fP +principal metadata +.INDENT 7.0 +.TP +.B \fBname\fP +principal name +.TP +.B \fBmodby\fP +name of last principal to modify this principal +.TP +.B \fBmodtime\fP +timestamp of last modification +.TP +.B \fBlastpwd\fP +timestamp of last password change +.TP +.B \fBpolicy\fP +policy object name +.TP +.B \fBmkvno\fP +key version number of the master key that encrypts this +principal\(aqs key data +.TP +.B \fBhist_kvno\fP +key version number of the history key that encrypts the key +history data for this principal +.UNINDENT +.TP +.B \fBprinc_stringattrs\fP +string attributes (key/value pairs) +.INDENT 7.0 +.TP +.B \fBname\fP +principal name +.TP +.B \fBkey\fP +attribute name +.TP +.B \fBvalue\fP +attribute value +.UNINDENT +.TP +.B \fBprinc_tktpolicy\fP +per\-principal ticket policy data, including maximum ticket +lifetimes +.INDENT 7.0 +.TP +.B \fBname\fP +principal name +.TP +.B \fBexpiration\fP +principal expiration date +.TP +.B \fBpw_expiration\fP +password expiration date +.TP +.B \fBmax_life\fP +maximum ticket lifetime +.TP +.B \fBmax_renew_life\fP +maximum renewable ticket lifetime +.UNINDENT +.UNINDENT +.sp +Examples: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +$ kdb5_util tabdump \-o keyinfo.txt keyinfo +$ cat keyinfo.txt +name keyindex kvno enctype salttype salt +foo@EXAMPLE.COM 0 1 aes128\-cts\-hmac\-sha1\-96 normal \-1 +bar@EXAMPLE.COM 0 1 aes128\-cts\-hmac\-sha1\-96 normal \-1 +bar@EXAMPLE.COM 1 1 des\-cbc\-crc normal \-1 +$ sqlite3 +sqlite> .mode tabs +sqlite> .import keyinfo.txt keyinfo +sqlite> select * from keyinfo where enctype like \(aqdes\-cbc\-%\(aq; +bar@EXAMPLE.COM 1 1 des\-cbc\-crc normal \-1 +sqlite> .quit +$ awk \-F\(aq\et\(aq \(aq$4 ~ /des\-cbc\-/ { print }\(aq keyinfo.txt +bar@EXAMPLE.COM 1 1 des\-cbc\-crc normal \-1 +.ft P +.fi +.UNINDENT +.UNINDENT +.SH SEE ALSO +.sp +\fIkadmin(1)\fP +.SH AUTHOR +MIT +.SH COPYRIGHT +1985-2017, MIT +.\" Generated by docutils manpage writer. +. diff --git a/src/man/kdc.conf.man b/src/man/kdc.conf.man new file mode 100644 index 000000000000..10b333c38d29 --- /dev/null +++ b/src/man/kdc.conf.man @@ -0,0 +1,1196 @@ +.\" Man page generated from reStructuredText. +. +.TH "KDC.CONF" "5" " " "1.15.1" "MIT Kerberos" +.SH NAME +kdc.conf \- Kerberos V5 KDC configuration file +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.sp +The kdc.conf file supplements \fIkrb5.conf(5)\fP for programs which +are typically only used on a KDC, such as the \fIkrb5kdc(8)\fP and +\fIkadmind(8)\fP daemons and the \fIkdb5_util(8)\fP program. +Relations documented here may also be specified in krb5.conf; for the +KDC programs mentioned, krb5.conf and kdc.conf will be merged into a +single configuration profile. +.sp +Normally, the kdc.conf file is found in the KDC state directory, +\fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\&. You can override the default location by setting the +environment variable \fBKRB5_KDC_PROFILE\fP\&. +.sp +Please note that you need to restart the KDC daemon for any configuration +changes to take effect. +.SH STRUCTURE +.sp +The kdc.conf file is set up in the same format as the +\fIkrb5.conf(5)\fP file. +.SH SECTIONS +.sp +The kdc.conf file may contain the following sections: +.TS +center; +|l|l|. +_ +T{ +\fI\%[kdcdefaults]\fP +T} T{ +Default values for KDC behavior +T} +_ +T{ +\fI\%[realms]\fP +T} T{ +Realm\-specific database configuration and settings +T} +_ +T{ +\fI\%[dbdefaults]\fP +T} T{ +Default database settings +T} +_ +T{ +\fI\%[dbmodules]\fP +T} T{ +Per\-database settings +T} +_ +T{ +\fI\%[logging]\fP +T} T{ +Controls how Kerberos daemons perform logging +T} +_ +.TE +.SS [kdcdefaults] +.sp +With two exceptions, relations in the [kdcdefaults] section specify +default values for realm variables, to be used if the [realms] +subsection does not contain a relation for the tag. See the +\fI\%[realms]\fP section for the definitions of these relations. +.INDENT 0.0 +.IP \(bu 2 +\fBhost_based_services\fP +.IP \(bu 2 +\fBkdc_listen\fP +.IP \(bu 2 +\fBkdc_ports\fP +.IP \(bu 2 +\fBkdc_tcp_listen\fP +.IP \(bu 2 +\fBkdc_tcp_ports\fP +.IP \(bu 2 +\fBno_host_referral\fP +.IP \(bu 2 +\fBrestrict_anonymous_to_tgt\fP +.UNINDENT +.INDENT 0.0 +.TP +.B \fBkdc_max_dgram_reply_size\fP +Specifies the maximum packet size that can be sent over UDP. The +default value is 4096 bytes. +.TP +.B \fBkdc_tcp_listen_backlog\fP +(Integer.) Set the size of the listen queue length for the KDC +daemon. The value may be limited by OS settings. The default +value is 5. +.UNINDENT +.SS [realms] +.sp +Each tag in the [realms] section is the name of a Kerberos realm. The +value of the tag is a subsection where the relations define KDC +parameters for that particular realm. The following example shows how +to define one parameter for the ATHENA.MIT.EDU realm: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +[realms] + ATHENA.MIT.EDU = { + max_renewable_life = 7d 0h 0m 0s + } +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +The following tags may be specified in a [realms] subsection: +.INDENT 0.0 +.TP +.B \fBacl_file\fP +(String.) Location of the access control list file that +\fIkadmind(8)\fP uses to determine which principals are allowed +which permissions on the Kerberos database. The default value is +\fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/kadm5.acl\fP\&. For more information on Kerberos ACL +file see \fIkadm5.acl(5)\fP\&. +.TP +.B \fBdatabase_module\fP +(String.) This relation indicates the name of the configuration +section under \fI\%[dbmodules]\fP for database\-specific parameters +used by the loadable database library. The default value is the +realm name. If this configuration section does not exist, default +values will be used for all database parameters. +.TP +.B \fBdatabase_name\fP +(String, deprecated.) This relation specifies the location of the +Kerberos database for this realm, if the DB2 module is being used +and the \fI\%[dbmodules]\fP configuration section does not specify a +database name. The default value is \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/principal\fP\&. +.TP +.B \fBdefault_principal_expiration\fP +(\fIabstime\fP string.) Specifies the default expiration date of +principals created in this realm. The default value is 0, which +means no expiration date. +.TP +.B \fBdefault_principal_flags\fP +(Flag string.) Specifies the default attributes of principals +created in this realm. The format for this string is a +comma\-separated list of flags, with \(aq+\(aq before each flag that +should be enabled and \(aq\-\(aq before each flag that should be +disabled. The \fBpostdateable\fP, \fBforwardable\fP, \fBtgt\-based\fP, +\fBrenewable\fP, \fBproxiable\fP, \fBdup\-skey\fP, \fBallow\-tickets\fP, and +\fBservice\fP flags default to enabled. +.sp +There are a number of possible flags: +.INDENT 7.0 +.TP +.B \fBallow\-tickets\fP +Enabling this flag means that the KDC will issue tickets for +this principal. Disabling this flag essentially deactivates +the principal within this realm. +.TP +.B \fBdup\-skey\fP +Enabling this flag allows the principal to obtain a session +key for another user, permitting user\-to\-user authentication +for this principal. +.TP +.B \fBforwardable\fP +Enabling this flag allows the principal to obtain forwardable +tickets. +.TP +.B \fBhwauth\fP +If this flag is enabled, then the principal is required to +preauthenticate using a hardware device before receiving any +tickets. +.TP +.B \fBno\-auth\-data\-required\fP +Enabling this flag prevents PAC or AD\-SIGNEDPATH data from +being added to service tickets for the principal. +.TP +.B \fBok\-as\-delegate\fP +If this flag is enabled, it hints the client that credentials +can and should be delegated when authenticating to the +service. +.TP +.B \fBok\-to\-auth\-as\-delegate\fP +Enabling this flag allows the principal to use S4USelf tickets. +.TP +.B \fBpostdateable\fP +Enabling this flag allows the principal to obtain postdateable +tickets. +.TP +.B \fBpreauth\fP +If this flag is enabled on a client principal, then that +principal is required to preauthenticate to the KDC before +receiving any tickets. On a service principal, enabling this +flag means that service tickets for this principal will only +be issued to clients with a TGT that has the preauthenticated +bit set. +.TP +.B \fBproxiable\fP +Enabling this flag allows the principal to obtain proxy +tickets. +.TP +.B \fBpwchange\fP +Enabling this flag forces a password change for this +principal. +.TP +.B \fBpwservice\fP +If this flag is enabled, it marks this principal as a password +change service. This should only be used in special cases, +for example, if a user\(aqs password has expired, then the user +has to get tickets for that principal without going through +the normal password authentication in order to be able to +change the password. +.TP +.B \fBrenewable\fP +Enabling this flag allows the principal to obtain renewable +tickets. +.TP +.B \fBservice\fP +Enabling this flag allows the the KDC to issue service tickets +for this principal. +.TP +.B \fBtgt\-based\fP +Enabling this flag allows a principal to obtain tickets based +on a ticket\-granting\-ticket, rather than repeating the +authentication process that was used to obtain the TGT. +.UNINDENT +.TP +.B \fBdict_file\fP +(String.) Location of the dictionary file containing strings that +are not allowed as passwords. The file should contain one string +per line, with no additional whitespace. If none is specified or +if there is no policy assigned to the principal, no dictionary +checks of passwords will be performed. +.TP +.B \fBhost_based_services\fP +(Whitespace\- or comma\-separated list.) Lists services which will +get host\-based referral processing even if the server principal is +not marked as host\-based by the client. +.TP +.B \fBiprop_enable\fP +(Boolean value.) Specifies whether incremental database +propagation is enabled. The default value is false. +.TP +.B \fBiprop_master_ulogsize\fP +(Integer.) Specifies the maximum number of log entries to be +retained for incremental propagation. The default value is 1000. +Prior to release 1.11, the maximum value was 2500. +.TP +.B \fBiprop_slave_poll\fP +(Delta time string.) Specifies how often the slave KDC polls for +new updates from the master. The default value is \fB2m\fP (that +is, two minutes). +.TP +.B \fBiprop_listen\fP +(Whitespace\- or comma\-separated list.) Specifies the iprop RPC +listening addresses and/or ports for the \fIkadmind(8)\fP daemon. +Each entry may be an interface address, a port number, or an +address and port number separated by a colon. If the address +contains colons, enclose it in square brackets. If no address is +specified, the wildcard address is used. If kadmind fails to bind +to any of the specified addresses, it will fail to start. The +default (when \fBiprop_enable\fP is true) is to bind to the wildcard +address at the port specified in \fBiprop_port\fP\&. New in release +1.15. +.TP +.B \fBiprop_port\fP +(Port number.) Specifies the port number to be used for +incremental propagation. When \fBiprop_enable\fP is true, this +relation is required in the slave configuration file, and this +relation or \fBiprop_listen\fP is required in the master +configuration file, as there is no default port number. Port +numbers specified in \fBiprop_listen\fP entries will override this +port number for the \fIkadmind(8)\fP daemon. +.TP +.B \fBiprop_resync_timeout\fP +(Delta time string.) Specifies the amount of time to wait for a +full propagation to complete. This is optional in configuration +files, and is used by slave KDCs only. The default value is 5 +minutes (\fB5m\fP). New in release 1.11. +.TP +.B \fBiprop_logfile\fP +(File name.) Specifies where the update log file for the realm +database is to be stored. The default is to use the +\fBdatabase_name\fP entry from the realms section of the krb5 config +file, with \fB\&.ulog\fP appended. (NOTE: If \fBdatabase_name\fP isn\(aqt +specified in the realms section, perhaps because the LDAP database +back end is being used, or the file name is specified in the +[dbmodules] section, then the hard\-coded default for +\fBdatabase_name\fP is used. Determination of the \fBiprop_logfile\fP +default value will not use values from the [dbmodules] section.) +.TP +.B \fBkadmind_listen\fP +(Whitespace\- or comma\-separated list.) Specifies the kadmin RPC +listening addresses and/or ports for the \fIkadmind(8)\fP daemon. +Each entry may be an interface address, a port number, or an +address and port number separated by a colon. If the address +contains colons, enclose it in square brackets. If no address is +specified, the wildcard address is used. If kadmind fails to bind +to any of the specified addresses, it will fail to start. The +default is to bind to the wildcard address at the port specified +in \fBkadmind_port\fP, or the standard kadmin port (749). New in +release 1.15. +.TP +.B \fBkadmind_port\fP +(Port number.) Specifies the port on which the \fIkadmind(8)\fP +daemon is to listen for this realm. Port numbers specified in +\fBkadmind_listen\fP entries will override this port number. The +assigned port for kadmind is 749, which is used by default. +.TP +.B \fBkey_stash_file\fP +(String.) Specifies the location where the master key has been +stored (via kdb5_util stash). The default is \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/.k5.REALM\fP, where \fIREALM\fP is the Kerberos realm. +.TP +.B \fBkdc_listen\fP +(Whitespace\- or comma\-separated list.) Specifies the UDP +listening addresses and/or ports for the \fIkrb5kdc(8)\fP daemon. +Each entry may be an interface address, a port number, or an +address and port number separated by a colon. If the address +contains colons, enclose it in square brackets. If no address is +specified, the wildcard address is used. If no port is specified, +the standard port (88) is used. If the KDC daemon fails to bind +to any of the specified addresses, it will fail to start. The +default is to bind to the wildcard address on the standard port. +New in release 1.15. +.TP +.B \fBkdc_ports\fP +(Whitespace\- or comma\-separated list, deprecated.) Prior to +release 1.15, this relation lists the ports for the +\fIkrb5kdc(8)\fP daemon to listen on for UDP requests. In +release 1.15 and later, it has the same meaning as \fBkdc_listen\fP +if that relation is not defined. +.TP +.B \fBkdc_tcp_listen\fP +(Whitespace\- or comma\-separated list.) Specifies the TCP +listening addresses and/or ports for the \fIkrb5kdc(8)\fP daemon. +Each entry may be an interface address, a port number, or an +address and port number separated by a colon. If the address +contains colons, enclose it in square brackets. If no address is +specified, the wildcard address is used. If no port is specified, +the standard port (88) is used. To disable listening on TCP, set +this relation to the empty string with \fBkdc_tcp_listen = ""\fP\&. +If the KDC daemon fails to bind to any of the specified addresses, +it will fail to start. The default is to bind to the wildcard +address on the standard port. New in release 1.15. +.TP +.B \fBkdc_tcp_ports\fP +(Whitespace\- or comma\-separated list, deprecated.) Prior to +release 1.15, this relation lists the ports for the +\fIkrb5kdc(8)\fP daemon to listen on for UDP requests. In +release 1.15 and later, it has the same meaning as +\fBkdc_tcp_listen\fP if that relation is not defined. +.TP +.B \fBkpasswd_listen\fP +(Comma\-separated list.) Specifies the kpasswd listening addresses +and/or ports for the \fIkadmind(8)\fP daemon. Each entry may be +an interface address, a port number, or an address and port number +separated by a colon. If the address contains colons, enclose it +in square brackets. If no address is specified, the wildcard +address is used. If kadmind fails to bind to any of the specified +addresses, it will fail to start. The default is to bind to the +wildcard address at the port specified in \fBkpasswd_port\fP, or the +standard kpasswd port (464). New in release 1.15. +.TP +.B \fBkpasswd_port\fP +(Port number.) Specifies the port on which the \fIkadmind(8)\fP +daemon is to listen for password change requests for this realm. +Port numbers specified in \fBkpasswd_listen\fP entries will override +this port number. The assigned port for password change requests +is 464, which is used by default. +.TP +.B \fBmaster_key_name\fP +(String.) Specifies the name of the principal associated with the +master key. The default is \fBK/M\fP\&. +.TP +.B \fBmaster_key_type\fP +(Key type string.) Specifies the master key\(aqs key type. The +default value for this is \fBaes256\-cts\-hmac\-sha1\-96\fP\&. For a list of all possible +values, see \fI\%Encryption types\fP\&. +.TP +.B \fBmax_life\fP +(\fIduration\fP string.) Specifies the maximum time period for +which a ticket may be valid in this realm. The default value is +24 hours. +.TP +.B \fBmax_renewable_life\fP +(\fIduration\fP string.) Specifies the maximum time period +during which a valid ticket may be renewed in this realm. +The default value is 0. +.TP +.B \fBno_host_referral\fP +(Whitespace\- or comma\-separated list.) Lists services to block +from getting host\-based referral processing, even if the client +marks the server principal as host\-based or the service is also +listed in \fBhost_based_services\fP\&. \fBno_host_referral = *\fP will +disable referral processing altogether. +.TP +.B \fBdes_crc_session_supported\fP +(Boolean value). If set to true, the KDC will assume that service +principals support des\-cbc\-crc for session key enctype negotiation +purposes. If \fBallow_weak_crypto\fP in \fIlibdefaults\fP is +false, or if des\-cbc\-crc is not a permitted enctype, then this +variable has no effect. Defaults to true. New in release 1.11. +.TP +.B \fBreject_bad_transit\fP +(Boolean value.) If set to true, the KDC will check the list of +transited realms for cross\-realm tickets against the transit path +computed from the realm names and the capaths section of its +\fIkrb5.conf(5)\fP file; if the path in the ticket to be issued +contains any realms not in the computed path, the ticket will not +be issued, and an error will be returned to the client instead. +If this value is set to false, such tickets will be issued +anyways, and it will be left up to the application server to +validate the realm transit path. +.sp +If the disable\-transited\-check flag is set in the incoming +request, this check is not performed at all. Having the +\fBreject_bad_transit\fP option will cause such ticket requests to +be rejected always. +.sp +This transit path checking and config file option currently apply +only to TGS requests. +.sp +The default value is true. +.TP +.B \fBrestrict_anonymous_to_tgt\fP +(Boolean value.) If set to true, the KDC will reject ticket +requests from anonymous principals to service principals other +than the realm\(aqs ticket\-granting service. This option allows +anonymous PKINIT to be enabled for use as FAST armor tickets +without allowing anonymous authentication to services. The +default value is false. New in release 1.9. +.TP +.B \fBsupported_enctypes\fP +(List of \fIkey\fP:\fIsalt\fP strings.) Specifies the default key/salt +combinations of principals for this realm. Any principals created +through \fIkadmin(1)\fP will have keys of these types. The +default value for this tag is \fBaes256\-cts\-hmac\-sha1\-96:normal aes128\-cts\-hmac\-sha1\-96:normal des3\-cbc\-sha1:normal arcfour\-hmac\-md5:normal\fP\&. For lists of +possible values, see \fI\%Keysalt lists\fP\&. +.UNINDENT +.SS [dbdefaults] +.sp +The [dbdefaults] section specifies default values for some database +parameters, to be used if the [dbmodules] subsection does not contain +a relation for the tag. See the \fI\%[dbmodules]\fP section for the +definitions of these relations. +.INDENT 0.0 +.IP \(bu 2 +\fBldap_kerberos_container_dn\fP +.IP \(bu 2 +\fBldap_kdc_dn\fP +.IP \(bu 2 +\fBldap_kdc_sasl_authcid\fP +.IP \(bu 2 +\fBldap_kdc_sasl_authzid\fP +.IP \(bu 2 +\fBldap_kdc_sasl_mech\fP +.IP \(bu 2 +\fBldap_kdc_sasl_realm\fP +.IP \(bu 2 +\fBldap_kadmind_dn\fP +.IP \(bu 2 +\fBldap_kadmind_sasl_authcid\fP +.IP \(bu 2 +\fBldap_kadmind_sasl_authzid\fP +.IP \(bu 2 +\fBldap_kadmind_sasl_mech\fP +.IP \(bu 2 +\fBldap_kadmind_sasl_realm\fP +.IP \(bu 2 +\fBldap_service_password_file\fP +.IP \(bu 2 +\fBldap_servers\fP +.IP \(bu 2 +\fBldap_conns_per_server\fP +.UNINDENT +.SS [dbmodules] +.sp +The [dbmodules] section contains parameters used by the KDC database +library and database modules. Each tag in the [dbmodules] section is +the name of a Kerberos realm or a section name specified by a realm\(aqs +\fBdatabase_module\fP parameter. The following example shows how to +define one database parameter for the ATHENA.MIT.EDU realm: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +[dbmodules] + ATHENA.MIT.EDU = { + disable_last_success = true + } +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +The following tags may be specified in a [dbmodules] subsection: +.INDENT 0.0 +.TP +.B \fBdatabase_name\fP +This DB2\-specific tag indicates the location of the database in +the filesystem. The default is \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/principal\fP\&. +.TP +.B \fBdb_library\fP +This tag indicates the name of the loadable database module. The +value should be \fBdb2\fP for the DB2 module and \fBkldap\fP for the +LDAP module. +.TP +.B \fBdisable_last_success\fP +If set to \fBtrue\fP, suppresses KDC updates to the "Last successful +authentication" field of principal entries requiring +preauthentication. Setting this flag may improve performance. +(Principal entries which do not require preauthentication never +update the "Last successful authentication" field.). First +introduced in release 1.9. +.TP +.B \fBdisable_lockout\fP +If set to \fBtrue\fP, suppresses KDC updates to the "Last failed +authentication" and "Failed password attempts" fields of principal +entries requiring preauthentication. Setting this flag may +improve performance, but also disables account lockout. First +introduced in release 1.9. +.TP +.B \fBldap_conns_per_server\fP +This LDAP\-specific tag indicates the number of connections to be +maintained per LDAP server. +.TP +.B \fBldap_kdc_dn\fP and \fBldap_kadmind_dn\fP +These LDAP\-specific tags indicate the default DN for binding to +the LDAP server. The \fIkrb5kdc(8)\fP daemon uses +\fBldap_kdc_dn\fP, while the \fIkadmind(8)\fP daemon and other +administrative programs use \fBldap_kadmind_dn\fP\&. The kadmind DN +must have the rights to read and write the Kerberos data in the +LDAP database. The KDC DN must have the same rights, unless +\fBdisable_lockout\fP and \fBdisable_last_success\fP are true, in +which case it only needs to have rights to read the Kerberos data. +These tags are ignored if a SASL mechanism is set with +\fBldap_kdc_sasl_mech\fP or \fBldap_kadmind_sasl_mech\fP\&. +.TP +.B \fBldap_kdc_sasl_mech\fP and \fBldap_kadmind_sasl_mech\fP +These LDAP\-specific tags specify the SASL mechanism (such as +\fBEXTERNAL\fP) to use when binding to the LDAP server. New in +release 1.13. +.TP +.B \fBldap_kdc_sasl_authcid\fP and \fBldap_kadmind_sasl_authcid\fP +These LDAP\-specific tags specify the SASL authentication identity +to use when binding to the LDAP server. Not all SASL mechanisms +require an authentication identity. If the SASL mechanism +requires a secret (such as the password for \fBDIGEST\-MD5\fP), these +tags also determine the name within the +\fBldap_service_password_file\fP where the secret is stashed. New +in release 1.13. +.TP +.B \fBldap_kdc_sasl_authzid\fP and \fBldap_kadmind_sasl_authzid\fP +These LDAP\-specific tags specify the SASL authorization identity +to use when binding to the LDAP server. In most circumstances +they do not need to be specified. New in release 1.13. +.TP +.B \fBldap_kdc_sasl_realm\fP and \fBldap_kadmind_sasl_realm\fP +These LDAP\-specific tags specify the SASL realm to use when +binding to the LDAP server. In most circumstances they do not +need to be set. New in release 1.13. +.TP +.B \fBldap_kerberos_container_dn\fP +This LDAP\-specific tag indicates the DN of the container object +where the realm objects will be located. +.TP +.B \fBldap_servers\fP +This LDAP\-specific tag indicates the list of LDAP servers that the +Kerberos servers can connect to. The list of LDAP servers is +whitespace\-separated. The LDAP server is specified by a LDAP URI. +It is recommended to use \fBldapi:\fP or \fBldaps:\fP URLs to connect +to the LDAP server. +.TP +.B \fBldap_service_password_file\fP +This LDAP\-specific tag indicates the file containing the stashed +passwords (created by \fBkdb5_ldap_util stashsrvpw\fP) for the +\fBldap_kdc_dn\fP and \fBldap_kadmind_dn\fP objects, or for the +\fBldap_kdc_sasl_authcid\fP or \fBldap_kadmind_sasl_authcid\fP names +for SASL authentication. This file must be kept secure. +.TP +.B \fBunlockiter\fP +If set to \fBtrue\fP, this DB2\-specific tag causes iteration +operations to release the database lock while processing each +principal. Setting this flag to \fBtrue\fP can prevent extended +blocking of KDC or kadmin operations when dumps of large databases +are in progress. First introduced in release 1.13. +.UNINDENT +.sp +The following tag may be specified directly in the [dbmodules] +section to control where database modules are loaded from: +.INDENT 0.0 +.TP +.B \fBdb_module_dir\fP +This tag controls where the plugin system looks for database +modules. The value should be an absolute path. +.UNINDENT +.SS [logging] +.sp +The [logging] section indicates how \fIkrb5kdc(8)\fP and +\fIkadmind(8)\fP perform logging. It may contain the following +relations: +.INDENT 0.0 +.TP +.B \fBadmin_server\fP +Specifies how \fIkadmind(8)\fP performs logging. +.TP +.B \fBkdc\fP +Specifies how \fIkrb5kdc(8)\fP performs logging. +.TP +.B \fBdefault\fP +Specifies how either daemon performs logging in the absence of +relations specific to the daemon. +.TP +.B \fBdebug\fP +(Boolean value.) Specifies whether debugging messages are +included in log outputs other than SYSLOG. Debugging messages are +always included in the system log output because syslog performs +its own priority filtering. The default value is false. New in +release 1.15. +.UNINDENT +.sp +Logging specifications may have the following forms: +.INDENT 0.0 +.TP +.B \fBFILE=\fP\fIfilename\fP or \fBFILE:\fP\fIfilename\fP +This value causes the daemon\(aqs logging messages to go to the +\fIfilename\fP\&. If the \fB=\fP form is used, the file is overwritten. +If the \fB:\fP form is used, the file is appended to. +.TP +.B \fBSTDERR\fP +This value causes the daemon\(aqs logging messages to go to its +standard error stream. +.TP +.B \fBCONSOLE\fP +This value causes the daemon\(aqs logging messages to go to the +console, if the system supports it. +.TP +.B \fBDEVICE=\fP\fI<devicename>\fP +This causes the daemon\(aqs logging messages to go to the specified +device. +.TP +.B \fBSYSLOG\fP[\fB:\fP\fIseverity\fP[\fB:\fP\fIfacility\fP]] +This causes the daemon\(aqs logging messages to go to the system log. +.sp +The severity argument specifies the default severity of system log +messages. This may be any of the following severities supported +by the syslog(3) call, minus the \fBLOG_\fP prefix: \fBEMERG\fP, +\fBALERT\fP, \fBCRIT\fP, \fBERR\fP, \fBWARNING\fP, \fBNOTICE\fP, \fBINFO\fP, +and \fBDEBUG\fP\&. +.sp +The facility argument specifies the facility under which the +messages are logged. This may be any of the following facilities +supported by the syslog(3) call minus the LOG_ prefix: \fBKERN\fP, +\fBUSER\fP, \fBMAIL\fP, \fBDAEMON\fP, \fBAUTH\fP, \fBLPR\fP, \fBNEWS\fP, +\fBUUCP\fP, \fBCRON\fP, and \fBLOCAL0\fP through \fBLOCAL7\fP\&. +.sp +If no severity is specified, the default is \fBERR\fP\&. If no +facility is specified, the default is \fBAUTH\fP\&. +.UNINDENT +.sp +In the following example, the logging messages from the KDC will go to +the console and to the system log under the facility LOG_DAEMON with +default severity of LOG_INFO; and the logging messages from the +administrative server will be appended to the file +\fB/var/adm/kadmin.log\fP and sent to the device \fB/dev/tty04\fP\&. +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +[logging] + kdc = CONSOLE + kdc = SYSLOG:INFO:DAEMON + admin_server = FILE:/var/adm/kadmin.log + admin_server = DEVICE=/dev/tty04 +.ft P +.fi +.UNINDENT +.UNINDENT +.SS [otp] +.sp +Each subsection of [otp] is the name of an OTP token type. The tags +within the subsection define the configuration required to forward a +One Time Password request to a RADIUS server. +.sp +For each token type, the following tags may be specified: +.INDENT 0.0 +.TP +.B \fBserver\fP +This is the server to send the RADIUS request to. It can be a +hostname with optional port, an ip address with optional port, or +a Unix domain socket address. The default is +\fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/<name>.socket\fP\&. +.TP +.B \fBsecret\fP +This tag indicates a filename (which may be relative to \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP) +containing the secret used to encrypt the RADIUS packets. The +secret should appear in the first line of the file by itself; +leading and trailing whitespace on the line will be removed. If +the value of \fBserver\fP is a Unix domain socket address, this tag +is optional, and an empty secret will be used if it is not +specified. Otherwise, this tag is required. +.TP +.B \fBtimeout\fP +An integer which specifies the time in seconds during which the +KDC should attempt to contact the RADIUS server. This tag is the +total time across all retries and should be less than the time +which an OTP value remains valid for. The default is 5 seconds. +.TP +.B \fBretries\fP +This tag specifies the number of retries to make to the RADIUS +server. The default is 3 retries (4 tries). +.TP +.B \fBstrip_realm\fP +If this tag is \fBtrue\fP, the principal without the realm will be +passed to the RADIUS server. Otherwise, the realm will be +included. The default value is \fBtrue\fP\&. +.TP +.B \fBindicator\fP +This tag specifies an authentication indicator to be included in +the ticket if this token type is used to authenticate. This +option may be specified multiple times. (New in release 1.14.) +.UNINDENT +.sp +In the following example, requests are sent to a remote server via UDP: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +[otp] + MyRemoteTokenType = { + server = radius.mydomain.com:1812 + secret = SEmfiajf42$ + timeout = 15 + retries = 5 + strip_realm = true + } +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +An implicit default token type named \fBDEFAULT\fP is defined for when +the per\-principal configuration does not specify a token type. Its +configuration is shown below. You may override this token type to +something applicable for your situation: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +[otp] + DEFAULT = { + strip_realm = false + } +.ft P +.fi +.UNINDENT +.UNINDENT +.SH PKINIT OPTIONS +.sp +\fBNOTE:\fP +.INDENT 0.0 +.INDENT 3.5 +The following are pkinit\-specific options. These values may +be specified in [kdcdefaults] as global defaults, or within +a realm\-specific subsection of [realms]. Also note that a +realm\-specific value over\-rides, does not add to, a generic +[kdcdefaults] specification. The search order is: +.UNINDENT +.UNINDENT +.INDENT 0.0 +.IP 1. 3 +realm\-specific subsection of [realms]: +.INDENT 3.0 +.INDENT 3.5 +.sp +.nf +.ft C +[realms] + EXAMPLE.COM = { + pkinit_anchors = FILE:/usr/local/example.com.crt + } +.ft P +.fi +.UNINDENT +.UNINDENT +.IP 2. 3 +generic value in the [kdcdefaults] section: +.INDENT 3.0 +.INDENT 3.5 +.sp +.nf +.ft C +[kdcdefaults] + pkinit_anchors = DIR:/usr/local/generic_trusted_cas/ +.ft P +.fi +.UNINDENT +.UNINDENT +.UNINDENT +.sp +For information about the syntax of some of these options, see +\fISpecifying PKINIT identity information\fP in +\fIkrb5.conf(5)\fP\&. +.INDENT 0.0 +.TP +.B \fBpkinit_anchors\fP +Specifies the location of trusted anchor (root) certificates which +the KDC trusts to sign client certificates. This option is +required if pkinit is to be supported by the KDC. This option may +be specified multiple times. +.TP +.B \fBpkinit_dh_min_bits\fP +Specifies the minimum number of bits the KDC is willing to accept +for a client\(aqs Diffie\-Hellman key. The default is 2048. +.TP +.B \fBpkinit_allow_upn\fP +Specifies that the KDC is willing to accept client certificates +with the Microsoft UserPrincipalName (UPN) Subject Alternative +Name (SAN). This means the KDC accepts the binding of the UPN in +the certificate to the Kerberos principal name. The default value +is false. +.sp +Without this option, the KDC will only accept certificates with +the id\-pkinit\-san as defined in \fI\%RFC 4556\fP\&. There is currently +no option to disable SAN checking in the KDC. +.TP +.B \fBpkinit_eku_checking\fP +This option specifies what Extended Key Usage (EKU) values the KDC +is willing to accept in client certificates. The values +recognized in the kdc.conf file are: +.INDENT 7.0 +.TP +.B \fBkpClientAuth\fP +This is the default value and specifies that client +certificates must have the id\-pkinit\-KPClientAuth EKU as +defined in \fI\%RFC 4556\fP\&. +.TP +.B \fBscLogin\fP +If scLogin is specified, client certificates with the +Microsoft Smart Card Login EKU (id\-ms\-kp\-sc\-logon) will be +accepted. +.TP +.B \fBnone\fP +If none is specified, then client certificates will not be +checked to verify they have an acceptable EKU. The use of +this option is not recommended. +.UNINDENT +.TP +.B \fBpkinit_identity\fP +Specifies the location of the KDC\(aqs X.509 identity information. +This option is required if pkinit is to be supported by the KDC. +.TP +.B \fBpkinit_indicator\fP +Specifies an authentication indicator to include in the ticket if +pkinit is used to authenticate. This option may be specified +multiple times. (New in release 1.14.) +.TP +.B \fBpkinit_kdc_ocsp\fP +Specifies the location of the KDC\(aqs OCSP. +.TP +.B \fBpkinit_pool\fP +Specifies the location of intermediate certificates which may be +used by the KDC to complete the trust chain between a client\(aqs +certificate and a trusted anchor. This option may be specified +multiple times. +.TP +.B \fBpkinit_revoke\fP +Specifies the location of Certificate Revocation List (CRL) +information to be used by the KDC when verifying the validity of +client certificates. This option may be specified multiple times. +.TP +.B \fBpkinit_require_crl_checking\fP +The default certificate verification process will always check the +available revocation information to see if a certificate has been +revoked. If a match is found for the certificate in a CRL, +verification fails. If the certificate being verified is not +listed in a CRL, or there is no CRL present for its issuing CA, +and \fBpkinit_require_crl_checking\fP is false, then verification +succeeds. +.sp +However, if \fBpkinit_require_crl_checking\fP is true and there is +no CRL information available for the issuing CA, then verification +fails. +.sp +\fBpkinit_require_crl_checking\fP should be set to true if the +policy is such that up\-to\-date CRLs must be present for every CA. +.UNINDENT +.SH ENCRYPTION TYPES +.sp +Any tag in the configuration files which requires a list of encryption +types can be set to some combination of the following strings. +Encryption types marked as "weak" are available for compatibility but +not recommended for use. +.TS +center; +|l|l|. +_ +T{ +des\-cbc\-crc +T} T{ +DES cbc mode with CRC\-32 (weak) +T} +_ +T{ +des\-cbc\-md4 +T} T{ +DES cbc mode with RSA\-MD4 (weak) +T} +_ +T{ +des\-cbc\-md5 +T} T{ +DES cbc mode with RSA\-MD5 (weak) +T} +_ +T{ +des\-cbc\-raw +T} T{ +DES cbc mode raw (weak) +T} +_ +T{ +des3\-cbc\-raw +T} T{ +Triple DES cbc mode raw (weak) +T} +_ +T{ +des3\-cbc\-sha1 des3\-hmac\-sha1 des3\-cbc\-sha1\-kd +T} T{ +Triple DES cbc mode with HMAC/sha1 +T} +_ +T{ +des\-hmac\-sha1 +T} T{ +DES with HMAC/sha1 (weak) +T} +_ +T{ +aes256\-cts\-hmac\-sha1\-96 aes256\-cts aes256\-sha1 +T} T{ +AES\-256 CTS mode with 96\-bit SHA\-1 HMAC +T} +_ +T{ +aes128\-cts\-hmac\-sha1\-96 aes128\-cts aes128\-sha1 +T} T{ +AES\-128 CTS mode with 96\-bit SHA\-1 HMAC +T} +_ +T{ +aes256\-cts\-hmac\-sha384\-192 aes256\-sha2 +T} T{ +AES\-256 CTS mode with 192\-bit SHA\-384 HMAC +T} +_ +T{ +aes128\-cts\-hmac\-sha256\-128 aes128\-sha2 +T} T{ +AES\-128 CTS mode with 128\-bit SHA\-256 HMAC +T} +_ +T{ +arcfour\-hmac rc4\-hmac arcfour\-hmac\-md5 +T} T{ +RC4 with HMAC/MD5 +T} +_ +T{ +arcfour\-hmac\-exp rc4\-hmac\-exp arcfour\-hmac\-md5\-exp +T} T{ +Exportable RC4 with HMAC/MD5 (weak) +T} +_ +T{ +camellia256\-cts\-cmac camellia256\-cts +T} T{ +Camellia\-256 CTS mode with CMAC +T} +_ +T{ +camellia128\-cts\-cmac camellia128\-cts +T} T{ +Camellia\-128 CTS mode with CMAC +T} +_ +T{ +des +T} T{ +The DES family: des\-cbc\-crc, des\-cbc\-md5, and des\-cbc\-md4 (weak) +T} +_ +T{ +des3 +T} T{ +The triple DES family: des3\-cbc\-sha1 +T} +_ +T{ +aes +T} T{ +The AES family: aes256\-cts\-hmac\-sha1\-96 and aes128\-cts\-hmac\-sha1\-96 +T} +_ +T{ +rc4 +T} T{ +The RC4 family: arcfour\-hmac +T} +_ +T{ +camellia +T} T{ +The Camellia family: camellia256\-cts\-cmac and camellia128\-cts\-cmac +T} +_ +.TE +.sp +The string \fBDEFAULT\fP can be used to refer to the default set of +types for the variable in question. Types or families can be removed +from the current list by prefixing them with a minus sign ("\-"). +Types or families can be prefixed with a plus sign ("+") for symmetry; +it has the same meaning as just listing the type or family. For +example, "\fBDEFAULT \-des\fP" would be the default set of encryption +types with DES types removed, and "\fBdes3 DEFAULT\fP" would be the +default set of encryption types with triple DES types moved to the +front. +.sp +While \fBaes128\-cts\fP and \fBaes256\-cts\fP are supported for all Kerberos +operations, they are not supported by very old versions of our GSSAPI +implementation (krb5\-1.3.1 and earlier). Services running versions of +krb5 without AES support must not be given keys of these encryption +types in the KDC database. +.sp +The \fBaes128\-sha2\fP and \fBaes256\-sha2\fP encryption types are new in +release 1.15. Services running versions of krb5 without support for +these newer encryption types must not be given keys of these +encryption types in the KDC database. +.SH KEYSALT LISTS +.sp +Kerberos keys for users are usually derived from passwords. Kerberos +commands and configuration parameters that affect generation of keys +take lists of enctype\-salttype ("keysalt") pairs, known as \fIkeysalt +lists\fP\&. Each keysalt pair is an enctype name followed by a salttype +name, in the format \fIenc\fP:\fIsalt\fP\&. Individual keysalt list members are +separated by comma (",") characters or space characters. For example: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +kadmin \-e aes256\-cts:normal,aes128\-cts:normal +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +would start up kadmin so that by default it would generate +password\-derived keys for the \fBaes256\-cts\fP and \fBaes128\-cts\fP +encryption types, using a \fBnormal\fP salt. +.sp +To ensure that people who happen to pick the same password do not have +the same key, Kerberos 5 incorporates more information into the key +using something called a salt. The supported salt types are as +follows: +.TS +center; +|l|l|. +_ +T{ +normal +T} T{ +default for Kerberos Version 5 +T} +_ +T{ +v4 +T} T{ +the only type used by Kerberos Version 4 (no salt) +T} +_ +T{ +norealm +T} T{ +same as the default, without using realm information +T} +_ +T{ +onlyrealm +T} T{ +uses only realm information as the salt +T} +_ +T{ +afs3 +T} T{ +AFS version 3, only used for compatibility with Kerberos 4 in AFS +T} +_ +T{ +special +T} T{ +generate a random salt +T} +_ +.TE +.SH SAMPLE KDC.CONF FILE +.sp +Here\(aqs an example of a kdc.conf file: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +[kdcdefaults] + kdc_listen = 88 + kdc_tcp_listen = 88 +[realms] + ATHENA.MIT.EDU = { + kadmind_port = 749 + max_life = 12h 0m 0s + max_renewable_life = 7d 0h 0m 0s + master_key_type = aes256\-cts\-hmac\-sha1\-96 + supported_enctypes = aes256\-cts\-hmac\-sha1\-96:normal aes128\-cts\-hmac\-sha1\-96:normal + database_module = openldap_ldapconf + } + +[logging] + kdc = FILE:/usr/local/var/krb5kdc/kdc.log + admin_server = FILE:/usr/local/var/krb5kdc/kadmin.log + +[dbdefaults] + ldap_kerberos_container_dn = cn=krbcontainer,dc=mit,dc=edu + +[dbmodules] + openldap_ldapconf = { + db_library = kldap + disable_last_success = true + ldap_kdc_dn = "cn=krbadmin,dc=mit,dc=edu" + # this object needs to have read rights on + # the realm container and principal subtrees + ldap_kadmind_dn = "cn=krbadmin,dc=mit,dc=edu" + # this object needs to have read and write rights on + # the realm container and principal subtrees + ldap_service_password_file = /etc/kerberos/service.keyfile + ldap_servers = ldaps://kerberos.mit.edu + ldap_conns_per_server = 5 + } +.ft P +.fi +.UNINDENT +.UNINDENT +.SH FILES +.sp +\fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/kdc.conf\fP +.SH SEE ALSO +.sp +\fIkrb5.conf(5)\fP, \fIkrb5kdc(8)\fP, \fIkadm5.acl(5)\fP +.SH AUTHOR +MIT +.SH COPYRIGHT +1985-2017, MIT +.\" Generated by docutils manpage writer. +. diff --git a/src/man/kdestroy.man b/src/man/kdestroy.man new file mode 100644 index 000000000000..47e1e369423e --- /dev/null +++ b/src/man/kdestroy.man @@ -0,0 +1,97 @@ +.\" Man page generated from reStructuredText. +. +.TH "KDESTROY" "1" " " "1.15.1" "MIT Kerberos" +.SH NAME +kdestroy \- destroy Kerberos tickets +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.SH SYNOPSIS +.sp +\fBkdestroy\fP +[\fB\-A\fP] +[\fB\-q\fP] +[\fB\-c\fP \fIcache_name\fP] +.SH DESCRIPTION +.sp +The kdestroy utility destroys the user\(aqs active Kerberos authorization +tickets by overwriting and deleting the credentials cache that +contains them. If the credentials cache is not specified, the default +credentials cache is destroyed. +.SH OPTIONS +.INDENT 0.0 +.TP +.B \fB\-A\fP +Destroys all caches in the collection, if a cache collection is +available. +.TP +.B \fB\-q\fP +Run quietly. Normally kdestroy beeps if it fails to destroy the +user\(aqs tickets. The \fB\-q\fP flag suppresses this behavior. +.TP +.B \fB\-c\fP \fIcache_name\fP +Use \fIcache_name\fP as the credentials (ticket) cache name and +location; if this option is not used, the default cache name and +location are used. +.sp +The default credentials cache may vary between systems. If the +\fBKRB5CCNAME\fP environment variable is set, its value is used to +name the default ticket cache. +.UNINDENT +.SH NOTE +.sp +Most installations recommend that you place the kdestroy command in +your .logout file, so that your tickets are destroyed automatically +when you log out. +.SH ENVIRONMENT +.sp +kdestroy uses the following environment variable: +.INDENT 0.0 +.TP +.B \fBKRB5CCNAME\fP +Location of the default Kerberos 5 credentials (ticket) cache, in +the form \fItype\fP:\fIresidual\fP\&. If no \fItype\fP prefix is present, the +\fBFILE\fP type is assumed. The type of the default cache may +determine the availability of a cache collection; for instance, a +default cache of type \fBDIR\fP causes caches within the directory +to be present in the collection. +.UNINDENT +.SH FILES +.INDENT 0.0 +.TP +.B \fB@CCNAME@\fP +Default location of Kerberos 5 credentials cache +.UNINDENT +.SH SEE ALSO +.sp +\fIkinit(1)\fP, \fIklist(1)\fP +.SH AUTHOR +MIT +.SH COPYRIGHT +1985-2017, MIT +.\" Generated by docutils manpage writer. +. diff --git a/src/man/kinit.man b/src/man/kinit.man new file mode 100644 index 000000000000..e257bd25ef91 --- /dev/null +++ b/src/man/kinit.man @@ -0,0 +1,258 @@ +.\" Man page generated from reStructuredText. +. +.TH "KINIT" "1" " " "1.15.1" "MIT Kerberos" +.SH NAME +kinit \- obtain and cache Kerberos ticket-granting ticket +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.SH SYNOPSIS +.sp +\fBkinit\fP +[\fB\-V\fP] +[\fB\-l\fP \fIlifetime\fP] +[\fB\-s\fP \fIstart_time\fP] +[\fB\-r\fP \fIrenewable_life\fP] +[\fB\-p\fP | \-\fBP\fP] +[\fB\-f\fP | \-\fBF\fP] +[\fB\-a\fP] +[\fB\-A\fP] +[\fB\-C\fP] +[\fB\-E\fP] +[\fB\-v\fP] +[\fB\-R\fP] +[\fB\-k\fP [\-\fBt\fP \fIkeytab_file\fP]] +[\fB\-c\fP \fIcache_name\fP] +[\fB\-n\fP] +[\fB\-S\fP \fIservice_name\fP] +[\fB\-I\fP \fIinput_ccache\fP] +[\fB\-T\fP \fIarmor_ccache\fP] +[\fB\-X\fP \fIattribute\fP[=\fIvalue\fP]] +[\fIprincipal\fP] +.SH DESCRIPTION +.sp +kinit obtains and caches an initial ticket\-granting ticket for +\fIprincipal\fP\&. If \fIprincipal\fP is absent, kinit chooses an appropriate +principal name based on existing credential cache contents or the +local username of the user invoking kinit. Some options modify the +choice of principal name. +.SH OPTIONS +.INDENT 0.0 +.TP +.B \fB\-V\fP +display verbose output. +.TP +.B \fB\-l\fP \fIlifetime\fP +(\fIduration\fP string.) Requests a ticket with the lifetime +\fIlifetime\fP\&. +.sp +For example, \fBkinit \-l 5:30\fP or \fBkinit \-l 5h30m\fP\&. +.sp +If the \fB\-l\fP option is not specified, the default ticket lifetime +(configured by each site) is used. Specifying a ticket lifetime +longer than the maximum ticket lifetime (configured by each site) +will not override the configured maximum ticket lifetime. +.TP +.B \fB\-s\fP \fIstart_time\fP +(\fIduration\fP string.) Requests a postdated ticket. Postdated +tickets are issued with the \fBinvalid\fP flag set, and need to be +resubmitted to the KDC for validation before use. +.sp +\fIstart_time\fP specifies the duration of the delay before the ticket +can become valid. +.TP +.B \fB\-r\fP \fIrenewable_life\fP +(\fIduration\fP string.) Requests renewable tickets, with a total +lifetime of \fIrenewable_life\fP\&. +.TP +.B \fB\-f\fP +requests forwardable tickets. +.TP +.B \fB\-F\fP +requests non\-forwardable tickets. +.TP +.B \fB\-p\fP +requests proxiable tickets. +.TP +.B \fB\-P\fP +requests non\-proxiable tickets. +.TP +.B \fB\-a\fP +requests tickets restricted to the host\(aqs local address[es]. +.TP +.B \fB\-A\fP +requests tickets not restricted by address. +.TP +.B \fB\-C\fP +requests canonicalization of the principal name, and allows the +KDC to reply with a different client principal from the one +requested. +.TP +.B \fB\-E\fP +treats the principal name as an enterprise name (implies the +\fB\-C\fP option). +.TP +.B \fB\-v\fP +requests that the ticket\-granting ticket in the cache (with the +\fBinvalid\fP flag set) be passed to the KDC for validation. If the +ticket is within its requested time range, the cache is replaced +with the validated ticket. +.TP +.B \fB\-R\fP +requests renewal of the ticket\-granting ticket. Note that an +expired ticket cannot be renewed, even if the ticket is still +within its renewable life. +.sp +Note that renewable tickets that have expired as reported by +\fIklist(1)\fP may sometimes be renewed using this option, +because the KDC applies a grace period to account for client\-KDC +clock skew. See \fIkrb5.conf(5)\fP \fBclockskew\fP setting. +.TP +.B \fB\-k\fP [\fB\-i\fP | \fB\-t\fP \fIkeytab_file\fP] +requests a ticket, obtained from a key in the local host\(aqs keytab. +The location of the keytab may be specified with the \fB\-t\fP +\fIkeytab_file\fP option, or with the \fB\-i\fP option to specify the use +of the default client keytab; otherwise the default keytab will be +used. By default, a host ticket for the local host is requested, +but any principal may be specified. On a KDC, the special keytab +location \fBKDB:\fP can be used to indicate that kinit should open +the KDC database and look up the key directly. This permits an +administrator to obtain tickets as any principal that supports +authentication based on the key. +.TP +.B \fB\-n\fP +Requests anonymous processing. Two types of anonymous principals +are supported. +.sp +For fully anonymous Kerberos, configure pkinit on the KDC and +configure \fBpkinit_anchors\fP in the client\(aqs \fIkrb5.conf(5)\fP\&. +Then use the \fB\-n\fP option with a principal of the form \fB@REALM\fP +(an empty principal name followed by the at\-sign and a realm +name). If permitted by the KDC, an anonymous ticket will be +returned. +.sp +A second form of anonymous tickets is supported; these +realm\-exposed tickets hide the identity of the client but not the +client\(aqs realm. For this mode, use \fBkinit \-n\fP with a normal +principal name. If supported by the KDC, the principal (but not +realm) will be replaced by the anonymous principal. +.sp +As of release 1.8, the MIT Kerberos KDC only supports fully +anonymous operation. +.UNINDENT +.sp +\fB\-I\fP \fIinput_ccache\fP +.INDENT 0.0 +.INDENT 3.5 +Specifies the name of a credentials cache that already contains a +ticket. When obtaining that ticket, if information about how that +ticket was obtained was also stored to the cache, that information +will be used to affect how new credentials are obtained, including +preselecting the same methods of authenticating to the KDC. +.UNINDENT +.UNINDENT +.INDENT 0.0 +.TP +.B \fB\-T\fP \fIarmor_ccache\fP +Specifies the name of a credentials cache that already contains a +ticket. If supported by the KDC, this cache will be used to armor +the request, preventing offline dictionary attacks and allowing +the use of additional preauthentication mechanisms. Armoring also +makes sure that the response from the KDC is not modified in +transit. +.TP +.B \fB\-c\fP \fIcache_name\fP +use \fIcache_name\fP as the Kerberos 5 credentials (ticket) cache +location. If this option is not used, the default cache location +is used. +.sp +The default cache location may vary between systems. If the +\fBKRB5CCNAME\fP environment variable is set, its value is used to +locate the default cache. If a principal name is specified and +the type of the default cache supports a collection (such as the +DIR type), an existing cache containing credentials for the +principal is selected or a new one is created and becomes the new +primary cache. Otherwise, any existing contents of the default +cache are destroyed by kinit. +.TP +.B \fB\-S\fP \fIservice_name\fP +specify an alternate service name to use when getting initial +tickets. +.TP +.B \fB\-X\fP \fIattribute\fP[=\fIvalue\fP] +specify a pre\-authentication \fIattribute\fP and \fIvalue\fP to be +interpreted by pre\-authentication modules. The acceptable +attribute and value values vary from module to module. This +option may be specified multiple times to specify multiple +attributes. If no value is specified, it is assumed to be "yes". +.sp +The following attributes are recognized by the PKINIT +pre\-authentication mechanism: +.INDENT 7.0 +.TP +.B \fBX509_user_identity\fP=\fIvalue\fP +specify where to find user\(aqs X509 identity information +.TP +.B \fBX509_anchors\fP=\fIvalue\fP +specify where to find trusted X509 anchor information +.TP +.B \fBflag_RSA_PROTOCOL\fP[\fB=yes\fP] +specify use of RSA, rather than the default Diffie\-Hellman +protocol +.UNINDENT +.UNINDENT +.SH ENVIRONMENT +.sp +kinit uses the following environment variables: +.INDENT 0.0 +.TP +.B \fBKRB5CCNAME\fP +Location of the default Kerberos 5 credentials cache, in the form +\fItype\fP:\fIresidual\fP\&. If no \fItype\fP prefix is present, the \fBFILE\fP +type is assumed. The type of the default cache may determine the +availability of a cache collection; for instance, a default cache +of type \fBDIR\fP causes caches within the directory to be present +in the collection. +.UNINDENT +.SH FILES +.INDENT 0.0 +.TP +.B \fB@CCNAME@\fP +default location of Kerberos 5 credentials cache +.TP +.B \fB@KTNAME@\fP +default location for the local host\(aqs keytab. +.UNINDENT +.SH SEE ALSO +.sp +\fIklist(1)\fP, \fIkdestroy(1)\fP, kerberos(1) +.SH AUTHOR +MIT +.SH COPYRIGHT +1985-2017, MIT +.\" Generated by docutils manpage writer. +. diff --git a/src/man/klist.man b/src/man/klist.man new file mode 100644 index 000000000000..3080640dd97d --- /dev/null +++ b/src/man/klist.man @@ -0,0 +1,163 @@ +.\" Man page generated from reStructuredText. +. +.TH "KLIST" "1" " " "1.15.1" "MIT Kerberos" +.SH NAME +klist \- list cached Kerberos tickets +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.SH SYNOPSIS +.sp +\fBklist\fP +[\fB\-e\fP] +[[\fB\-c\fP] [\fB\-l\fP] [\fB\-A\fP] [\fB\-f\fP] [\fB\-s\fP] [\fB\-a\fP [\fB\-n\fP]]] +[\fB\-C\fP] +[\fB\-k\fP [\fB\-t\fP] [\fB\-K\fP]] +[\fB\-V\fP] +[\fIcache_name\fP|\fIkeytab_name\fP] +.SH DESCRIPTION +.sp +klist lists the Kerberos principal and Kerberos tickets held in a +credentials cache, or the keys held in a keytab file. +.SH OPTIONS +.INDENT 0.0 +.TP +.B \fB\-e\fP +Displays the encryption types of the session key and the ticket +for each credential in the credential cache, or each key in the +keytab file. +.TP +.B \fB\-l\fP +If a cache collection is available, displays a table summarizing +the caches present in the collection. +.TP +.B \fB\-A\fP +If a cache collection is available, displays the contents of all +of the caches in the collection. +.TP +.B \fB\-c\fP +List tickets held in a credentials cache. This is the default if +neither \fB\-c\fP nor \fB\-k\fP is specified. +.TP +.B \fB\-f\fP +Shows the flags present in the credentials, using the following +abbreviations: +.INDENT 7.0 +.INDENT 3.5 +.sp +.nf +.ft C +F Forwardable +f forwarded +P Proxiable +p proxy +D postDateable +d postdated +R Renewable +I Initial +i invalid +H Hardware authenticated +A preAuthenticated +T Transit policy checked +O Okay as delegate +a anonymous +.ft P +.fi +.UNINDENT +.UNINDENT +.TP +.B \fB\-s\fP +Causes klist to run silently (produce no output). klist will exit +with status 1 if the credentials cache cannot be read or is +expired, and with status 0 otherwise. +.TP +.B \fB\-a\fP +Display list of addresses in credentials. +.TP +.B \fB\-n\fP +Show numeric addresses instead of reverse\-resolving addresses. +.TP +.B \fB\-C\fP +List configuration data that has been stored in the credentials +cache when klist encounters it. By default, configuration data +is not listed. +.TP +.B \fB\-k\fP +List keys held in a keytab file. +.TP +.B \fB\-i\fP +In combination with \fB\-k\fP, defaults to using the default client +keytab instead of the default acceptor keytab, if no name is +given. +.TP +.B \fB\-t\fP +Display the time entry timestamps for each keytab entry in the +keytab file. +.TP +.B \fB\-K\fP +Display the value of the encryption key in each keytab entry in +the keytab file. +.TP +.B \fB\-V\fP +Display the Kerberos version number and exit. +.UNINDENT +.sp +If \fIcache_name\fP or \fIkeytab_name\fP is not specified, klist will display +the credentials in the default credentials cache or keytab file as +appropriate. If the \fBKRB5CCNAME\fP environment variable is set, its +value is used to locate the default ticket cache. +.SH ENVIRONMENT +.sp +klist uses the following environment variable: +.INDENT 0.0 +.TP +.B \fBKRB5CCNAME\fP +Location of the default Kerberos 5 credentials (ticket) cache, in +the form \fItype\fP:\fIresidual\fP\&. If no \fItype\fP prefix is present, the +\fBFILE\fP type is assumed. The type of the default cache may +determine the availability of a cache collection; for instance, a +default cache of type \fBDIR\fP causes caches within the directory +to be present in the collection. +.UNINDENT +.SH FILES +.INDENT 0.0 +.TP +.B \fB@CCNAME@\fP +Default location of Kerberos 5 credentials cache +.TP +.B \fB@KTNAME@\fP +Default location for the local host\(aqs keytab file. +.UNINDENT +.SH SEE ALSO +.sp +\fIkinit(1)\fP, \fIkdestroy(1)\fP +.SH AUTHOR +MIT +.SH COPYRIGHT +1985-2017, MIT +.\" Generated by docutils manpage writer. +. diff --git a/src/man/kpasswd.man b/src/man/kpasswd.man new file mode 100644 index 000000000000..b7bb0a32fc5a --- /dev/null +++ b/src/man/kpasswd.man @@ -0,0 +1,64 @@ +.\" Man page generated from reStructuredText. +. +.TH "KPASSWD" "1" " " "1.15.1" "MIT Kerberos" +.SH NAME +kpasswd \- change a user's Kerberos password +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.SH SYNOPSIS +.sp +\fBkpasswd\fP [\fIprincipal\fP] +.SH DESCRIPTION +.sp +The kpasswd command is used to change a Kerberos principal\(aqs password. +kpasswd first prompts for the current Kerberos password, then prompts +the user twice for the new password, and the password is changed. +.sp +If the principal is governed by a policy that specifies the length +and/or number of character classes required in the new password, the +new password must conform to the policy. (The five character classes +are lower case, upper case, numbers, punctuation, and all other +characters.) +.SH OPTIONS +.INDENT 0.0 +.TP +.B \fIprincipal\fP +Change the password for the Kerberos principal principal. +Otherwise, kpasswd uses the principal name from an existing ccache +if there is one; if not, the principal is derived from the +identity of the user invoking the kpasswd command. +.UNINDENT +.SH SEE ALSO +.sp +\fIkadmin(1)\fP, \fIkadmind(8)\fP +.SH AUTHOR +MIT +.SH COPYRIGHT +1985-2017, MIT +.\" Generated by docutils manpage writer. +. diff --git a/src/man/kprop.man b/src/man/kprop.man new file mode 100644 index 000000000000..9d3e2033c38c --- /dev/null +++ b/src/man/kprop.man @@ -0,0 +1,84 @@ +.\" Man page generated from reStructuredText. +. +.TH "KPROP" "8" " " "1.15.1" "MIT Kerberos" +.SH NAME +kprop \- propagate a Kerberos V5 principal database to a slave server +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.SH SYNOPSIS +.sp +\fBkprop\fP +[\fB\-r\fP \fIrealm\fP] +[\fB\-f\fP \fIfile\fP] +[\fB\-d\fP] +[\fB\-P\fP \fIport\fP] +[\fB\-s\fP \fIkeytab\fP] +\fIslave_host\fP +.SH DESCRIPTION +.sp +kprop is used to securely propagate a Kerberos V5 database dump file +from the master Kerberos server to a slave Kerberos server, which is +specified by \fIslave_host\fP\&. The dump file must be created by +\fIkdb5_util(8)\fP\&. +.SH OPTIONS +.INDENT 0.0 +.TP +.B \fB\-r\fP \fIrealm\fP +Specifies the realm of the master server. +.TP +.B \fB\-f\fP \fIfile\fP +Specifies the filename where the dumped principal database file is +to be found; by default the dumped database file is normally +\fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/slave_datatrans\fP\&. +.TP +.B \fB\-P\fP \fIport\fP +Specifies the port to use to contact the \fIkpropd(8)\fP server +on the remote host. +.TP +.B \fB\-d\fP +Prints debugging information. +.TP +.B \fB\-s\fP \fIkeytab\fP +Specifies the location of the keytab file. +.UNINDENT +.SH ENVIRONMENT +.sp +\fIkprop\fP uses the following environment variable: +.INDENT 0.0 +.IP \(bu 2 +\fBKRB5_CONFIG\fP +.UNINDENT +.SH SEE ALSO +.sp +\fIkpropd(8)\fP, \fIkdb5_util(8)\fP, \fIkrb5kdc(8)\fP +.SH AUTHOR +MIT +.SH COPYRIGHT +1985-2017, MIT +.\" Generated by docutils manpage writer. +. diff --git a/src/man/kpropd.man b/src/man/kpropd.man new file mode 100644 index 000000000000..9048f8fd5d92 --- /dev/null +++ b/src/man/kpropd.man @@ -0,0 +1,161 @@ +.\" Man page generated from reStructuredText. +. +.TH "KPROPD" "8" " " "1.15.1" "MIT Kerberos" +.SH NAME +kpropd \- Kerberos V5 slave KDC update server +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.SH SYNOPSIS +.sp +\fBkpropd\fP +[\fB\-r\fP \fIrealm\fP] +[\fB\-A\fP \fIadmin_server\fP] +[\fB\-a\fP \fIacl_file\fP] +[\fB\-f\fP \fIslave_dumpfile\fP] +[\fB\-F\fP \fIprincipal_database\fP] +[\fB\-p\fP \fIkdb5_util_prog\fP] +[\fB\-P\fP \fIport\fP] +[\fB\-d\fP] +[\fB\-t\fP] +.SH DESCRIPTION +.sp +The \fIkpropd\fP command runs on the slave KDC server. It listens for +update requests made by the \fIkprop(8)\fP program. If incremental +propagation is enabled, it periodically requests incremental updates +from the master KDC. +.sp +When the slave receives a kprop request from the master, kpropd +accepts the dumped KDC database and places it in a file, and then runs +\fIkdb5_util(8)\fP to load the dumped database into the active +database which is used by \fIkrb5kdc(8)\fP\&. This allows the master +Kerberos server to use \fIkprop(8)\fP to propagate its database to +the slave servers. Upon a successful download of the KDC database +file, the slave Kerberos server will have an up\-to\-date KDC database. +.sp +Where incremental propagation is not used, kpropd is commonly invoked +out of inetd(8) as a nowait service. This is done by adding a line to +the \fB/etc/inetd.conf\fP file which looks like this: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +kprop stream tcp nowait root /usr/local/sbin/kpropd kpropd +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +kpropd can also run as a standalone daemon, backgrounding itself and +waiting for connections on port 754 (or the port specified with the +\fB\-P\fP option if given). Standalone mode is required for incremental +propagation. Starting in release 1.11, kpropd automatically detects +whether it was run from inetd and runs in standalone mode if it is +not. Prior to release 1.11, the \fB\-S\fP option is required to run +kpropd in standalone mode; this option is now accepted for backward +compatibility but does nothing. +.sp +Incremental propagation may be enabled with the \fBiprop_enable\fP +variable in \fIkdc.conf(5)\fP\&. If incremental propagation is +enabled, the slave periodically polls the master KDC for updates, at +an interval determined by the \fBiprop_slave_poll\fP variable. If the +slave receives updates, kpropd updates its log file with any updates +from the master. \fIkproplog(8)\fP can be used to view a summary of +the update entry log on the slave KDC. If incremental propagation is +enabled, the principal \fBkiprop/slavehostname@REALM\fP (where +\fIslavehostname\fP is the name of the slave KDC host, and \fIREALM\fP is the +name of the Kerberos realm) must be present in the slave\(aqs keytab +file. +.sp +\fIkproplog(8)\fP can be used to force full replication when iprop is +enabled. +.SH OPTIONS +.INDENT 0.0 +.TP +.B \fB\-r\fP \fIrealm\fP +Specifies the realm of the master server. +.TP +.B \fB\-A\fP \fIadmin_server\fP +Specifies the server to be contacted for incremental updates; by +default, the master admin server is contacted. +.TP +.B \fB\-f\fP \fIfile\fP +Specifies the filename where the dumped principal database file is +to be stored; by default the dumped database file is \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/from_master\fP\&. +.TP +.B \fB\-p\fP +Allows the user to specify the pathname to the \fIkdb5_util(8)\fP +program; by default the pathname used is \fB@SBINDIR@\fP\fB/kdb5_util\fP\&. +.TP +.B \fB\-d\fP +Turn on debug mode. In this mode, kpropd will not detach +itself from the current job and run in the background. Instead, +it will run in the foreground and print out debugging messages +during the database propagation. +.TP +.B \fB\-t\fP +In standalone mode without incremental propagation, exit after one +dump file is received. In incremental propagation mode, exit as +soon as the database is up to date, or if the master returns an +error. +.TP +.B \fB\-P\fP +Allow for an alternate port number for kpropd to listen on. This +is only useful in combination with the \fB\-S\fP option. +.TP +.B \fB\-a\fP \fIacl_file\fP +Allows the user to specify the path to the kpropd.acl file; by +default the path used is \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/kpropd.acl\fP\&. +.UNINDENT +.SH ENVIRONMENT +.sp +kpropd uses the following environment variables: +.INDENT 0.0 +.IP \(bu 2 +\fBKRB5_CONFIG\fP +.IP \(bu 2 +\fBKRB5_KDC_PROFILE\fP +.UNINDENT +.SH FILES +.INDENT 0.0 +.TP +.B kpropd.acl +Access file for kpropd; the default location is +\fB/usr/local/var/krb5kdc/kpropd.acl\fP\&. Each entry is a line +containing the principal of a host from which the local machine +will allow Kerberos database propagation via \fIkprop(8)\fP\&. +.UNINDENT +.SH SEE ALSO +.sp +\fIkprop(8)\fP, \fIkdb5_util(8)\fP, \fIkrb5kdc(8)\fP, inetd(8) +.SH AUTHOR +MIT +.SH COPYRIGHT +1985-2017, MIT +.\" Generated by docutils manpage writer. +. diff --git a/src/man/kproplog.man b/src/man/kproplog.man new file mode 100644 index 000000000000..eaf6a21954bc --- /dev/null +++ b/src/man/kproplog.man @@ -0,0 +1,117 @@ +.\" Man page generated from reStructuredText. +. +.TH "KPROPLOG" "8" " " "1.15.1" "MIT Kerberos" +.SH NAME +kproplog \- display the contents of the Kerberos principal update log +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.SH SYNOPSIS +.sp +\fBkproplog\fP [\fB\-h\fP] [\fB\-e\fP \fInum\fP] [\-v] +\fBkproplog\fP [\-R] +.SH DESCRIPTION +.sp +The kproplog command displays the contents of the KDC database update +log to standard output. It can be used to keep track of incremental +updates to the principal database. The update log file contains the +update log maintained by the \fIkadmind(8)\fP process on the master +KDC server and the \fIkpropd(8)\fP process on the slave KDC servers. +When updates occur, they are logged to this file. Subsequently any +KDC slave configured for incremental updates will request the current +data from the master KDC and update their log file with any updates +returned. +.sp +The kproplog command requires read access to the update log file. It +will display update entries only for the KDC it runs on. +.sp +If no options are specified, kproplog displays a summary of the update +log. If invoked on the master, kproplog also displays all of the +update entries. If invoked on a slave KDC server, kproplog displays +only a summary of the updates, which includes the serial number of the +last update received and the associated time stamp of the last update. +.SH OPTIONS +.INDENT 0.0 +.TP +.B \fB\-R\fP +Reset the update log. This forces full resynchronization. If used +on a slave then that slave will request a full resync. If used on +the master then all slaves will request full resyncs. +.TP +.B \fB\-h\fP +Display a summary of the update log. This information includes +the database version number, state of the database, the number of +updates in the log, the time stamp of the first and last update, +and the version number of the first and last update entry. +.TP +.B \fB\-e\fP \fInum\fP +Display the last \fInum\fP update entries in the log. This is useful +when debugging synchronization between KDC servers. +.TP +.B \fB\-v\fP +Display individual attributes per update. An example of the +output generated for one entry: +.INDENT 7.0 +.INDENT 3.5 +.sp +.nf +.ft C +Update Entry + Update serial # : 4 + Update operation : Add + Update principal : test@EXAMPLE.COM + Update size : 424 + Update committed : True + Update time stamp : Fri Feb 20 23:37:42 2004 + Attributes changed : 6 + Principal + Key data + Password last changed + Modifying principal + Modification time + TL data +.ft P +.fi +.UNINDENT +.UNINDENT +.UNINDENT +.SH ENVIRONMENT +.sp +kproplog uses the following environment variables: +.INDENT 0.0 +.IP \(bu 2 +\fBKRB5_KDC_PROFILE\fP +.UNINDENT +.SH SEE ALSO +.sp +\fIkpropd(8)\fP +.SH AUTHOR +MIT +.SH COPYRIGHT +1985-2017, MIT +.\" Generated by docutils manpage writer. +. diff --git a/src/man/krb5-config.man b/src/man/krb5-config.man new file mode 100644 index 000000000000..c9d2724ac1bd --- /dev/null +++ b/src/man/krb5-config.man @@ -0,0 +1,141 @@ +.\" Man page generated from reStructuredText. +. +.TH "KRB5-CONFIG" "1" " " "1.15.1" "MIT Kerberos" +.SH NAME +krb5-config \- tool for linking against MIT Kerberos libraries +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.SH SYNOPSIS +.sp +\fBkrb5\-config\fP +[\fB\-\fP\fB\-help\fP | \fB\-\fP\fB\-all\fP | \fB\-\fP\fB\-version\fP | \fB\-\fP\fB\-vendor\fP | \fB\-\fP\fB\-prefix\fP | \fB\-\fP\fB\-exec\-prefix\fP | \fB\-\fP\fB\-defccname\fP | \fB\-\fP\fB\-defktname\fP | \fB\-\fP\fB\-defcktname\fP | \fB\-\fP\fB\-cflags\fP | \fB\-\fP\fB\-libs\fP [\fIlibraries\fP]] +.SH DESCRIPTION +.sp +krb5\-config tells the application programmer what flags to use to compile +and link programs against the installed Kerberos libraries. +.SH OPTIONS +.INDENT 0.0 +.TP +.B \fB\-\fP\fB\-help\fP +prints a usage message. This is the default behavior when no options +are specified. +.TP +.B \fB\-\fP\fB\-all\fP +prints the version, vendor, prefix, and exec\-prefix. +.TP +.B \fB\-\fP\fB\-version\fP +prints the version number of the Kerberos installation. +.TP +.B \fB\-\fP\fB\-vendor\fP +prints the name of the vendor of the Kerberos installation. +.TP +.B \fB\-\fP\fB\-prefix\fP +prints the prefix for which the Kerberos installation was built. +.TP +.B \fB\-\fP\fB\-exec\-prefix\fP +prints the prefix for executables for which the Kerberos installation +was built. +.TP +.B \fB\-\fP\fB\-defccname\fP +prints the built\-in default credentials cache location. +.TP +.B \fB\-\fP\fB\-defktname\fP +prints the built\-in default keytab location. +.TP +.B \fB\-\fP\fB\-defcktname\fP +prints the built\-in default client (initiator) keytab location. +.TP +.B \fB\-\fP\fB\-cflags\fP +prints the compilation flags used to build the Kerberos installation. +.TP +.B \fB\-\fP\fB\-libs\fP [\fIlibrary\fP] +prints the compiler options needed to link against \fIlibrary\fP\&. +Allowed values for \fIlibrary\fP are: +.TS +center; +|l|l|. +_ +T{ +krb5 +T} T{ +Kerberos 5 applications (default) +T} +_ +T{ +gssapi +T} T{ +GSSAPI applications with Kerberos 5 bindings +T} +_ +T{ +kadm\-client +T} T{ +Kadmin client +T} +_ +T{ +kadm\-server +T} T{ +Kadmin server +T} +_ +T{ +kdb +T} T{ +Applications that access the Kerberos database +T} +_ +.TE +.UNINDENT +.SH EXAMPLES +.sp +krb5\-config is particularly useful for compiling against a Kerberos +installation that was installed in a non\-standard location. For example, +a Kerberos installation that is installed in \fB/opt/krb5/\fP but uses +libraries in \fB/usr/local/lib/\fP for text localization would produce +the following output: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +shell% krb5\-config \-\-libs krb5 +\-L/opt/krb5/lib \-Wl,\-rpath \-Wl,/opt/krb5/lib \-L/usr/local/lib \-lkrb5 \-lk5crypto \-lcom_err +.ft P +.fi +.UNINDENT +.UNINDENT +.SH SEE ALSO +.sp +kerberos(1), cc(1) +.SH AUTHOR +MIT +.SH COPYRIGHT +1985-2017, MIT +.\" Generated by docutils manpage writer. +. diff --git a/src/man/krb5.conf.man b/src/man/krb5.conf.man new file mode 100644 index 000000000000..4e350bd72351 --- /dev/null +++ b/src/man/krb5.conf.man @@ -0,0 +1,1462 @@ +.\" Man page generated from reStructuredText. +. +.TH "KRB5.CONF" "5" " " "1.15.1" "MIT Kerberos" +.SH NAME +krb5.conf \- Kerberos configuration file +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.sp +The krb5.conf file contains Kerberos configuration information, +including the locations of KDCs and admin servers for the Kerberos +realms of interest, defaults for the current realm and for Kerberos +applications, and mappings of hostnames onto Kerberos realms. +Normally, you should install your krb5.conf file in the directory +\fB/etc\fP\&. You can override the default location by setting the +environment variable \fBKRB5_CONFIG\fP\&. Multiple colon\-separated +filenames may be specified in \fBKRB5_CONFIG\fP; all files which are +present will be read. Starting in release 1.14, directory names can +also be specified in \fBKRB5_CONFIG\fP; all files within the directory +whose names consist solely of alphanumeric characters, dashes, or +underscores will be read. +.SH STRUCTURE +.sp +The krb5.conf file is set up in the style of a Windows INI file. +Sections are headed by the section name, in square brackets. Each +section may contain zero or more relations, of the form: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +foo = bar +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +or: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +fubar = { + foo = bar + baz = quux +} +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +Placing a \(aq*\(aq at the end of a line indicates that this is the \fIfinal\fP +value for the tag. This means that neither the remainder of this +configuration file nor any other configuration file will be checked +for any other values for this tag. +.sp +For example, if you have the following lines: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +foo = bar* +foo = baz +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +then the second value of \fBfoo\fP (\fBbaz\fP) would never be read. +.sp +The krb5.conf file can include other files using either of the +following directives at the beginning of a line: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +include FILENAME +includedir DIRNAME +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +\fIFILENAME\fP or \fIDIRNAME\fP should be an absolute path. The named file or +directory must exist and be readable. Including a directory includes +all files within the directory whose names consist solely of +alphanumeric characters, dashes, or underscores. Starting in release +1.15, files with names ending in ".conf" are also included. Included +profile files are syntactically independent of their parents, so each +included file must begin with a section header. +.sp +The krb5.conf file can specify that configuration should be obtained +from a loadable module, rather than the file itself, using the +following directive at the beginning of a line before any section +headers: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +module MODULEPATH:RESIDUAL +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +\fIMODULEPATH\fP may be relative to the library path of the krb5 +installation, or it may be an absolute path. \fIRESIDUAL\fP is provided +to the module at initialization time. If krb5.conf uses a module +directive, \fIkdc.conf(5)\fP should also use one if it exists. +.SH SECTIONS +.sp +The krb5.conf file may contain the following sections: +.TS +center; +|l|l|. +_ +T{ +\fI\%[libdefaults]\fP +T} T{ +Settings used by the Kerberos V5 library +T} +_ +T{ +\fI\%[realms]\fP +T} T{ +Realm\-specific contact information and settings +T} +_ +T{ +\fI\%[domain_realm]\fP +T} T{ +Maps server hostnames to Kerberos realms +T} +_ +T{ +\fI\%[capaths]\fP +T} T{ +Authentication paths for non\-hierarchical cross\-realm +T} +_ +T{ +\fI\%[appdefaults]\fP +T} T{ +Settings used by some Kerberos V5 applications +T} +_ +T{ +\fI\%[plugins]\fP +T} T{ +Controls plugin module registration +T} +_ +.TE +.sp +Additionally, krb5.conf may include any of the relations described in +\fIkdc.conf(5)\fP, but it is not a recommended practice. +.SS [libdefaults] +.sp +The libdefaults section may contain any of the following relations: +.INDENT 0.0 +.TP +.B \fBallow_weak_crypto\fP +If this flag is set to false, then weak encryption types (as noted +in \fIEncryption_types\fP in \fIkdc.conf(5)\fP) will be filtered +out of the lists \fBdefault_tgs_enctypes\fP, +\fBdefault_tkt_enctypes\fP, and \fBpermitted_enctypes\fP\&. The default +value for this tag is false, which may cause authentication +failures in existing Kerberos infrastructures that do not support +strong crypto. Users in affected environments should set this tag +to true until their infrastructure adopts stronger ciphers. +.TP +.B \fBap_req_checksum_type\fP +An integer which specifies the type of AP\-REQ checksum to use in +authenticators. This variable should be unset so the appropriate +checksum for the encryption key in use will be used. This can be +set if backward compatibility requires a specific checksum type. +See the \fBkdc_req_checksum_type\fP configuration option for the +possible values and their meanings. +.TP +.B \fBcanonicalize\fP +If this flag is set to true, initial ticket requests to the KDC +will request canonicalization of the client principal name, and +answers with different client principals than the requested +principal will be accepted. The default value is false. +.TP +.B \fBccache_type\fP +This parameter determines the format of credential cache types +created by \fIkinit(1)\fP or other programs. The default value +is 4, which represents the most current format. Smaller values +can be used for compatibility with very old implementations of +Kerberos which interact with credential caches on the same host. +.TP +.B \fBclockskew\fP +Sets the maximum allowable amount of clockskew in seconds that the +library will tolerate before assuming that a Kerberos message is +invalid. The default value is 300 seconds, or five minutes. +.sp +The clockskew setting is also used when evaluating ticket start +and expiration times. For example, tickets that have reached +their expiration time can still be used (and renewed if they are +renewable tickets) if they have been expired for a shorter +duration than the \fBclockskew\fP setting. +.TP +.B \fBdefault_ccache_name\fP +This relation specifies the name of the default credential cache. +The default is \fB@CCNAME@\fP\&. This relation is subject to parameter +expansion (see below). New in release 1.11. +.TP +.B \fBdefault_client_keytab_name\fP +This relation specifies the name of the default keytab for +obtaining client credentials. The default is \fB@CKTNAME@\fP\&. This +relation is subject to parameter expansion (see below). +New in release 1.11. +.TP +.B \fBdefault_keytab_name\fP +This relation specifies the default keytab name to be used by +application servers such as sshd. The default is \fB@KTNAME@\fP\&. This +relation is subject to parameter expansion (see below). +.TP +.B \fBdefault_realm\fP +Identifies the default Kerberos realm for the client. Set its +value to your Kerberos realm. If this value is not set, then a +realm must be specified with every Kerberos principal when +invoking programs such as \fIkinit(1)\fP\&. +.TP +.B \fBdefault_tgs_enctypes\fP +Identifies the supported list of session key encryption types that +the client should request when making a TGS\-REQ, in order of +preference from highest to lowest. The list may be delimited with +commas or whitespace. See \fIEncryption_types\fP in +\fIkdc.conf(5)\fP for a list of the accepted values for this tag. +The default value is \fBaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 des3\-cbc\-sha1 arcfour\-hmac\-md5 camellia256\-cts\-cmac camellia128\-cts\-cmac des\-cbc\-crc des\-cbc\-md5 des\-cbc\-md4\fP, but single\-DES encryption types +will be implicitly removed from this list if the value of +\fBallow_weak_crypto\fP is false. +.sp +Do not set this unless required for specific backward +compatibility purposes; stale values of this setting can prevent +clients from taking advantage of new stronger enctypes when the +libraries are upgraded. +.TP +.B \fBdefault_tkt_enctypes\fP +Identifies the supported list of session key encryption types that +the client should request when making an AS\-REQ, in order of +preference from highest to lowest. The format is the same as for +default_tgs_enctypes. The default value for this tag is +\fBaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 des3\-cbc\-sha1 arcfour\-hmac\-md5 camellia256\-cts\-cmac camellia128\-cts\-cmac des\-cbc\-crc des\-cbc\-md5 des\-cbc\-md4\fP, but single\-DES encryption types will be implicitly +removed from this list if the value of \fBallow_weak_crypto\fP is +false. +.sp +Do not set this unless required for specific backward +compatibility purposes; stale values of this setting can prevent +clients from taking advantage of new stronger enctypes when the +libraries are upgraded. +.TP +.B \fBdns_canonicalize_hostname\fP +Indicate whether name lookups will be used to canonicalize +hostnames for use in service principal names. Setting this flag +to false can improve security by reducing reliance on DNS, but +means that short hostnames will not be canonicalized to +fully\-qualified hostnames. The default value is true. +.TP +.B \fBdns_lookup_kdc\fP +Indicate whether DNS SRV records should be used to locate the KDCs +and other servers for a realm, if they are not listed in the +krb5.conf information for the realm. (Note that the admin_server +entry must be in the krb5.conf realm information in order to +contact kadmind, because the DNS implementation for kadmin is +incomplete.) +.sp +Enabling this option does open up a type of denial\-of\-service +attack, if someone spoofs the DNS records and redirects you to +another server. However, it\(aqs no worse than a denial of service, +because that fake KDC will be unable to decode anything you send +it (besides the initial ticket request, which has no encrypted +data), and anything the fake KDC sends will not be trusted without +verification using some secret that it won\(aqt know. +.TP +.B \fBdns_uri_lookup\fP +Indicate whether DNS URI records should be used to locate the KDCs +and other servers for a realm, if they are not listed in the +krb5.conf information for the realm. SRV records are used as a +fallback if no URI records were found. The default value is true. +New in release 1.15. +.TP +.B \fBerr_fmt\fP +This relation allows for custom error message formatting. If a +value is set, error messages will be formatted by substituting a +normal error message for %M and an error code for %C in the value. +.TP +.B \fBextra_addresses\fP +This allows a computer to use multiple local addresses, in order +to allow Kerberos to work in a network that uses NATs while still +using address\-restricted tickets. The addresses should be in a +comma\-separated list. This option has no effect if +\fBnoaddresses\fP is true. +.TP +.B \fBforwardable\fP +If this flag is true, initial tickets will be forwardable by +default, if allowed by the KDC. The default value is false. +.TP +.B \fBignore_acceptor_hostname\fP +When accepting GSSAPI or krb5 security contexts for host\-based +service principals, ignore any hostname passed by the calling +application, and allow clients to authenticate to any service +principal in the keytab matching the service name and realm name +(if given). This option can improve the administrative +flexibility of server applications on multihomed hosts, but could +compromise the security of virtual hosting environments. The +default value is false. New in release 1.10. +.TP +.B \fBk5login_authoritative\fP +If this flag is true, principals must be listed in a local user\(aqs +k5login file to be granted login access, if a \fI\&.k5login(5)\fP +file exists. If this flag is false, a principal may still be +granted login access through other mechanisms even if a k5login +file exists but does not list the principal. The default value is +true. +.TP +.B \fBk5login_directory\fP +If set, the library will look for a local user\(aqs k5login file +within the named directory, with a filename corresponding to the +local username. If not set, the library will look for k5login +files in the user\(aqs home directory, with the filename .k5login. +For security reasons, .k5login files must be owned by +the local user or by root. +.TP +.B \fBkcm_mach_service\fP +On OS X only, determines the name of the bootstrap service used to +contact the KCM daemon for the KCM credential cache type. If the +value is \fB\-\fP, Mach RPC will not be used to contact the KCM +daemon. The default value is \fBorg.h5l.kcm\fP\&. +.TP +.B \fBkcm_socket\fP +Determines the path to the Unix domain socket used to access the +KCM daemon for the KCM credential cache type. If the value is +\fB\-\fP, Unix domain sockets will not be used to contact the KCM +daemon. The default value is +\fB/var/run/.heim_org.h5l.kcm\-socket\fP\&. +.TP +.B \fBkdc_default_options\fP +Default KDC options (Xored for multiple values) when requesting +initial tickets. By default it is set to 0x00000010 +(KDC_OPT_RENEWABLE_OK). +.TP +.B \fBkdc_timesync\fP +Accepted values for this relation are 1 or 0. If it is nonzero, +client machines will compute the difference between their time and +the time returned by the KDC in the timestamps in the tickets and +use this value to correct for an inaccurate system clock when +requesting service tickets or authenticating to services. This +corrective factor is only used by the Kerberos library; it is not +used to change the system clock. The default value is 1. +.TP +.B \fBkdc_req_checksum_type\fP +An integer which specifies the type of checksum to use for the KDC +requests, for compatibility with very old KDC implementations. +This value is only used for DES keys; other keys use the preferred +checksum type for those keys. +.sp +The possible values and their meanings are as follows. +.TS +center; +|l|l|. +_ +T{ +1 +T} T{ +CRC32 +T} +_ +T{ +2 +T} T{ +RSA MD4 +T} +_ +T{ +3 +T} T{ +RSA MD4 DES +T} +_ +T{ +4 +T} T{ +DES CBC +T} +_ +T{ +7 +T} T{ +RSA MD5 +T} +_ +T{ +8 +T} T{ +RSA MD5 DES +T} +_ +T{ +9 +T} T{ +NIST SHA +T} +_ +T{ +12 +T} T{ +HMAC SHA1 DES3 +T} +_ +T{ +\-138 +T} T{ +Microsoft MD5 HMAC checksum type +T} +_ +.TE +.TP +.B \fBnoaddresses\fP +If this flag is true, requests for initial tickets will not be +made with address restrictions set, allowing the tickets to be +used across NATs. The default value is true. +.TP +.B \fBpermitted_enctypes\fP +Identifies all encryption types that are permitted for use in +session key encryption. The default value for this tag is +\fBaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 des3\-cbc\-sha1 arcfour\-hmac\-md5 camellia256\-cts\-cmac camellia128\-cts\-cmac des\-cbc\-crc des\-cbc\-md5 des\-cbc\-md4\fP, but single\-DES encryption types will be implicitly +removed from this list if the value of \fBallow_weak_crypto\fP is +false. +.TP +.B \fBplugin_base_dir\fP +If set, determines the base directory where krb5 plugins are +located. The default value is the \fBkrb5/plugins\fP subdirectory +of the krb5 library directory. +.TP +.B \fBpreferred_preauth_types\fP +This allows you to set the preferred preauthentication types which +the client will attempt before others which may be advertised by a +KDC. The default value for this setting is "17, 16, 15, 14", +which forces libkrb5 to attempt to use PKINIT if it is supported. +.TP +.B \fBproxiable\fP +If this flag is true, initial tickets will be proxiable by +default, if allowed by the KDC. The default value is false. +.TP +.B \fBrdns\fP +If this flag is true, reverse name lookup will be used in addition +to forward name lookup to canonicalizing hostnames for use in +service principal names. If \fBdns_canonicalize_hostname\fP is set +to false, this flag has no effect. The default value is true. +.TP +.B \fBrealm_try_domains\fP +Indicate whether a host\(aqs domain components should be used to +determine the Kerberos realm of the host. The value of this +variable is an integer: \-1 means not to search, 0 means to try the +host\(aqs domain itself, 1 means to also try the domain\(aqs immediate +parent, and so forth. The library\(aqs usual mechanism for locating +Kerberos realms is used to determine whether a domain is a valid +realm, which may involve consulting DNS if \fBdns_lookup_kdc\fP is +set. The default is not to search domain components. +.TP +.B \fBrenew_lifetime\fP +(\fIduration\fP string.) Sets the default renewable lifetime +for initial ticket requests. The default value is 0. +.TP +.B \fBsafe_checksum_type\fP +An integer which specifies the type of checksum to use for the +KRB\-SAFE requests. By default it is set to 8 (RSA MD5 DES). For +compatibility with applications linked against DCE version 1.1 or +earlier Kerberos libraries, use a value of 3 to use the RSA MD4 +DES instead. This field is ignored when its value is incompatible +with the session key type. See the \fBkdc_req_checksum_type\fP +configuration option for the possible values and their meanings. +.TP +.B \fBticket_lifetime\fP +(\fIduration\fP string.) Sets the default lifetime for initial +ticket requests. The default value is 1 day. +.TP +.B \fBudp_preference_limit\fP +When sending a message to the KDC, the library will try using TCP +before UDP if the size of the message is above +\fBudp_preference_limit\fP\&. If the message is smaller than +\fBudp_preference_limit\fP, then UDP will be tried before TCP. +Regardless of the size, both protocols will be tried if the first +attempt fails. +.TP +.B \fBverify_ap_req_nofail\fP +If this flag is true, then an attempt to verify initial +credentials will fail if the client machine does not have a +keytab. The default value is false. +.UNINDENT +.SS [realms] +.sp +Each tag in the [realms] section of the file is the name of a Kerberos +realm. The value of the tag is a subsection with relations that +define the properties of that particular realm. For each realm, the +following tags may be specified in the realm\(aqs subsection: +.INDENT 0.0 +.TP +.B \fBadmin_server\fP +Identifies the host where the administration server is running. +Typically, this is the master Kerberos server. This tag must be +given a value in order to communicate with the \fIkadmind(8)\fP +server for the realm. +.TP +.B \fBauth_to_local\fP +This tag allows you to set a general rule for mapping principal +names to local user names. It will be used if there is not an +explicit mapping for the principal name that is being +translated. The possible values are: +.INDENT 7.0 +.TP +.B \fBRULE:\fP\fIexp\fP +The local name will be formulated from \fIexp\fP\&. +.sp +The format for \fIexp\fP is \fB[\fP\fIn\fP\fB:\fP\fIstring\fP\fB](\fP\fIregexp\fP\fB)s/\fP\fIpattern\fP\fB/\fP\fIreplacement\fP\fB/g\fP\&. +The integer \fIn\fP indicates how many components the target +principal should have. If this matches, then a string will be +formed from \fIstring\fP, substituting the realm of the principal +for \fB$0\fP and the \fIn\fP\(aqth component of the principal for +\fB$n\fP (e.g., if the principal was \fBjohndoe/admin\fP then +\fB[2:$2$1foo]\fP would result in the string +\fBadminjohndoefoo\fP). If this string matches \fIregexp\fP, then +the \fBs//[g]\fP substitution command will be run over the +string. The optional \fBg\fP will cause the substitution to be +global over the \fIstring\fP, instead of replacing only the first +match in the \fIstring\fP\&. +.TP +.B \fBDEFAULT\fP +The principal name will be used as the local user name. If +the principal has more than one component or is not in the +default realm, this rule is not applicable and the conversion +will fail. +.UNINDENT +.sp +For example: +.INDENT 7.0 +.INDENT 3.5 +.sp +.nf +.ft C +[realms] + ATHENA.MIT.EDU = { + auth_to_local = RULE:[2:$1](johndoe)s/^.*$/guest/ + auth_to_local = RULE:[2:$1;$2](^.*;admin$)s/;admin$// + auth_to_local = RULE:[2:$2](^.*;root)s/^.*$/root/ + auto_to_local = DEFAULT + } +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +would result in any principal without \fBroot\fP or \fBadmin\fP as the +second component to be translated with the default rule. A +principal with a second component of \fBadmin\fP will become its +first component. \fBroot\fP will be used as the local name for any +principal with a second component of \fBroot\fP\&. The exception to +these two rules are any principals \fBjohndoe/*\fP, which will +always get the local name \fBguest\fP\&. +.TP +.B \fBauth_to_local_names\fP +This subsection allows you to set explicit mappings from principal +names to local user names. The tag is the mapping name, and the +value is the corresponding local user name. +.TP +.B \fBdefault_domain\fP +This tag specifies the domain used to expand hostnames when +translating Kerberos 4 service principals to Kerberos 5 principals +(for example, when converting \fBrcmd.hostname\fP to +\fBhost/hostname.domain\fP). +.TP +.B \fBhttp_anchors\fP +When KDCs and kpasswd servers are accessed through HTTPS proxies, this tag +can be used to specify the location of the CA certificate which should be +trusted to issue the certificate for a proxy server. If left unspecified, +the system\-wide default set of CA certificates is used. +.sp +The syntax for values is similar to that of values for the +\fBpkinit_anchors\fP tag: +.sp +\fBFILE:\fP \fIfilename\fP +.sp +\fIfilename\fP is assumed to be the name of an OpenSSL\-style ca\-bundle file. +.sp +\fBDIR:\fP \fIdirname\fP +.sp +\fIdirname\fP is assumed to be an directory which contains CA certificates. +All files in the directory will be examined; if they contain certificates +(in PEM format), they will be used. +.sp +\fBENV:\fP \fIenvvar\fP +.sp +\fIenvvar\fP specifies the name of an environment variable which has been set +to a value conforming to one of the previous values. For example, +\fBENV:X509_PROXY_CA\fP, where environment variable \fBX509_PROXY_CA\fP has +been set to \fBFILE:/tmp/my_proxy.pem\fP\&. +.TP +.B \fBkdc\fP +The name or address of a host running a KDC for that realm. An +optional port number, separated from the hostname by a colon, may +be included. If the name or address contains colons (for example, +if it is an IPv6 address), enclose it in square brackets to +distinguish the colon from a port separator. For your computer to +be able to communicate with the KDC for each realm, this tag must +be given a value in each realm subsection in the configuration +file, or there must be DNS SRV records specifying the KDCs. +.TP +.B \fBkpasswd_server\fP +Points to the server where all the password changes are performed. +If there is no such entry, the port 464 on the \fBadmin_server\fP +host will be tried. +.TP +.B \fBmaster_kdc\fP +Identifies the master KDC(s). Currently, this tag is used in only +one case: If an attempt to get credentials fails because of an +invalid password, the client software will attempt to contact the +master KDC, in case the user\(aqs password has just been changed, and +the updated database has not been propagated to the slave servers +yet. +.TP +.B \fBv4_instance_convert\fP +This subsection allows the administrator to configure exceptions +to the \fBdefault_domain\fP mapping rule. It contains V4 instances +(the tag name) which should be translated to some specific +hostname (the tag value) as the second component in a Kerberos V5 +principal name. +.TP +.B \fBv4_realm\fP +This relation is used by the krb524 library routines when +converting a V5 principal name to a V4 principal name. It is used +when the V4 realm name and the V5 realm name are not the same, but +still share the same principal names and passwords. The tag value +is the Kerberos V4 realm name. +.UNINDENT +.SS [domain_realm] +.sp +The [domain_realm] section provides a translation from a domain name +or hostname to a Kerberos realm name. The tag name can be a host name +or domain name, where domain names are indicated by a prefix of a +period (\fB\&.\fP). The value of the relation is the Kerberos realm name +for that particular host or domain. A host name relation implicitly +provides the corresponding domain name relation, unless an explicit domain +name relation is provided. The Kerberos realm may be +identified either in the \fI\%realms\fP section or using DNS SRV records. +Host names and domain names should be in lower case. For example: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +[domain_realm] + crash.mit.edu = TEST.ATHENA.MIT.EDU + .dev.mit.edu = TEST.ATHENA.MIT.EDU + mit.edu = ATHENA.MIT.EDU +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +maps the host with the name \fBcrash.mit.edu\fP into the +\fBTEST.ATHENA.MIT.EDU\fP realm. The second entry maps all hosts under the +domain \fBdev.mit.edu\fP into the \fBTEST.ATHENA.MIT.EDU\fP realm, but not +the host with the name \fBdev.mit.edu\fP\&. That host is matched +by the third entry, which maps the host \fBmit.edu\fP and all hosts +under the domain \fBmit.edu\fP that do not match a preceding rule +into the realm \fBATHENA.MIT.EDU\fP\&. +.sp +If no translation entry applies to a hostname used for a service +principal for a service ticket request, the library will try to get a +referral to the appropriate realm from the client realm\(aqs KDC. If +that does not succeed, the host\(aqs realm is considered to be the +hostname\(aqs domain portion converted to uppercase, unless the +\fBrealm_try_domains\fP setting in [libdefaults] causes a different +parent domain to be used. +.SS [capaths] +.sp +In order to perform direct (non\-hierarchical) cross\-realm +authentication, configuration is needed to determine the +authentication paths between realms. +.sp +A client will use this section to find the authentication path between +its realm and the realm of the server. The server will use this +section to verify the authentication path used by the client, by +checking the transited field of the received ticket. +.sp +There is a tag for each participating client realm, and each tag has +subtags for each of the server realms. The value of the subtags is an +intermediate realm which may participate in the cross\-realm +authentication. The subtags may be repeated if there is more then one +intermediate realm. A value of "." means that the two realms share +keys directly, and no intermediate realms should be allowed to +participate. +.sp +Only those entries which will be needed on the client or the server +need to be present. A client needs a tag for its local realm with +subtags for all the realms of servers it will need to authenticate to. +A server needs a tag for each realm of the clients it will serve, with +a subtag of the server realm. +.sp +For example, \fBANL.GOV\fP, \fBPNL.GOV\fP, and \fBNERSC.GOV\fP all wish to +use the \fBES.NET\fP realm as an intermediate realm. ANL has a sub +realm of \fBTEST.ANL.GOV\fP which will authenticate with \fBNERSC.GOV\fP +but not \fBPNL.GOV\fP\&. The [capaths] section for \fBANL.GOV\fP systems +would look like this: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +[capaths] + ANL.GOV = { + TEST.ANL.GOV = . + PNL.GOV = ES.NET + NERSC.GOV = ES.NET + ES.NET = . + } + TEST.ANL.GOV = { + ANL.GOV = . + } + PNL.GOV = { + ANL.GOV = ES.NET + } + NERSC.GOV = { + ANL.GOV = ES.NET + } + ES.NET = { + ANL.GOV = . + } +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +The [capaths] section of the configuration file used on \fBNERSC.GOV\fP +systems would look like this: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +[capaths] + NERSC.GOV = { + ANL.GOV = ES.NET + TEST.ANL.GOV = ES.NET + TEST.ANL.GOV = ANL.GOV + PNL.GOV = ES.NET + ES.NET = . + } + ANL.GOV = { + NERSC.GOV = ES.NET + } + PNL.GOV = { + NERSC.GOV = ES.NET + } + ES.NET = { + NERSC.GOV = . + } + TEST.ANL.GOV = { + NERSC.GOV = ANL.GOV + NERSC.GOV = ES.NET + } +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +When a subtag is used more than once within a tag, clients will use +the order of values to determine the path. The order of values is not +important to servers. +.SS [appdefaults] +.sp +Each tag in the [appdefaults] section names a Kerberos V5 application +or an option that is used by some Kerberos V5 application[s]. The +value of the tag defines the default behaviors for that application. +.sp +For example: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +[appdefaults] + telnet = { + ATHENA.MIT.EDU = { + option1 = false + } + } + telnet = { + option1 = true + option2 = true + } + ATHENA.MIT.EDU = { + option2 = false + } + option2 = true +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +The above four ways of specifying the value of an option are shown in +order of decreasing precedence. In this example, if telnet is running +in the realm EXAMPLE.COM, it should, by default, have option1 and +option2 set to true. However, a telnet program in the realm +\fBATHENA.MIT.EDU\fP should have \fBoption1\fP set to false and +\fBoption2\fP set to true. Any other programs in ATHENA.MIT.EDU should +have \fBoption2\fP set to false by default. Any programs running in +other realms should have \fBoption2\fP set to true. +.sp +The list of specifiable options for each application may be found in +that application\(aqs man pages. The application defaults specified here +are overridden by those specified in the \fI\%realms\fP section. +.SS [plugins] +.INDENT 0.0 +.INDENT 3.5 +.INDENT 0.0 +.IP \(bu 2 +\fI\%pwqual\fP interface +.IP \(bu 2 +\fI\%kadm5_hook\fP interface +.IP \(bu 2 +\fI\%clpreauth\fP and \fI\%kdcpreauth\fP interfaces +.UNINDENT +.UNINDENT +.UNINDENT +.sp +Tags in the [plugins] section can be used to register dynamic plugin +modules and to turn modules on and off. Not every krb5 pluggable +interface uses the [plugins] section; the ones that do are documented +here. +.sp +New in release 1.9. +.sp +Each pluggable interface corresponds to a subsection of [plugins]. +All subsections support the same tags: +.INDENT 0.0 +.TP +.B \fBdisable\fP +This tag may have multiple values. If there are values for this +tag, then the named modules will be disabled for the pluggable +interface. +.TP +.B \fBenable_only\fP +This tag may have multiple values. If there are values for this +tag, then only the named modules will be enabled for the pluggable +interface. +.TP +.B \fBmodule\fP +This tag may have multiple values. Each value is a string of the +form \fBmodulename:pathname\fP, which causes the shared object +located at \fIpathname\fP to be registered as a dynamic module named +\fImodulename\fP for the pluggable interface. If \fIpathname\fP is not an +absolute path, it will be treated as relative to the +\fBplugin_base_dir\fP value from \fI\%[libdefaults]\fP\&. +.UNINDENT +.sp +For pluggable interfaces where module order matters, modules +registered with a \fBmodule\fP tag normally come first, in the order +they are registered, followed by built\-in modules in the order they +are documented below. If \fBenable_only\fP tags are used, then the +order of those tags overrides the normal module order. +.sp +The following subsections are currently supported within the [plugins] +section: +.SS ccselect interface +.sp +The ccselect subsection controls modules for credential cache +selection within a cache collection. In addition to any registered +dynamic modules, the following built\-in modules exist (and may be +disabled with the disable tag): +.INDENT 0.0 +.TP +.B \fBk5identity\fP +Uses a .k5identity file in the user\(aqs home directory to select a +client principal +.TP +.B \fBrealm\fP +Uses the service realm to guess an appropriate cache from the +collection +.UNINDENT +.SS pwqual interface +.sp +The pwqual subsection controls modules for the password quality +interface, which is used to reject weak passwords when passwords are +changed. The following built\-in modules exist for this interface: +.INDENT 0.0 +.TP +.B \fBdict\fP +Checks against the realm dictionary file +.TP +.B \fBempty\fP +Rejects empty passwords +.TP +.B \fBhesiod\fP +Checks against user information stored in Hesiod (only if Kerberos +was built with Hesiod support) +.TP +.B \fBprinc\fP +Checks against components of the principal name +.UNINDENT +.SS kadm5_hook interface +.sp +The kadm5_hook interface provides plugins with information on +principal creation, modification, password changes and deletion. This +interface can be used to write a plugin to synchronize MIT Kerberos +with another database such as Active Directory. No plugins are built +in for this interface. +.SS clpreauth and kdcpreauth interfaces +.sp +The clpreauth and kdcpreauth interfaces allow plugin modules to +provide client and KDC preauthentication mechanisms. The following +built\-in modules exist for these interfaces: +.INDENT 0.0 +.TP +.B \fBpkinit\fP +This module implements the PKINIT preauthentication mechanism. +.TP +.B \fBencrypted_challenge\fP +This module implements the encrypted challenge FAST factor. +.TP +.B \fBencrypted_timestamp\fP +This module implements the encrypted timestamp mechanism. +.UNINDENT +.SS hostrealm interface +.sp +The hostrealm section (introduced in release 1.12) controls modules +for the host\-to\-realm interface, which affects the local mapping of +hostnames to realm names and the choice of default realm. The following +built\-in modules exist for this interface: +.INDENT 0.0 +.TP +.B \fBprofile\fP +This module consults the [domain_realm] section of the profile for +authoritative host\-to\-realm mappings, and the \fBdefault_realm\fP +variable for the default realm. +.TP +.B \fBdns\fP +This module looks for DNS records for fallback host\-to\-realm +mappings and the default realm. It only operates if the +\fBdns_lookup_realm\fP variable is set to true. +.TP +.B \fBdomain\fP +This module applies heuristics for fallback host\-to\-realm +mappings. It implements the \fBrealm_try_domains\fP variable, and +uses the uppercased parent domain of the hostname if that does not +produce a result. +.UNINDENT +.SS localauth interface +.sp +The localauth section (introduced in release 1.12) controls modules +for the local authorization interface, which affects the relationship +between Kerberos principals and local system accounts. The following +built\-in modules exist for this interface: +.INDENT 0.0 +.TP +.B \fBdefault\fP +This module implements the \fBDEFAULT\fP type for \fBauth_to_local\fP +values. +.TP +.B \fBrule\fP +This module implements the \fBRULE\fP type for \fBauth_to_local\fP +values. +.TP +.B \fBnames\fP +This module looks for an \fBauth_to_local_names\fP mapping for the +principal name. +.TP +.B \fBauth_to_local\fP +This module processes \fBauth_to_local\fP values in the default +realm\(aqs section, and applies the default method if no +\fBauth_to_local\fP values exist. +.TP +.B \fBk5login\fP +This module authorizes a principal to a local account according to +the account\(aqs \fI\&.k5login(5)\fP file. +.TP +.B \fBan2ln\fP +This module authorizes a principal to a local account if the +principal name maps to the local account name. +.UNINDENT +.SH PKINIT OPTIONS +.sp +\fBNOTE:\fP +.INDENT 0.0 +.INDENT 3.5 +The following are PKINIT\-specific options. These values may +be specified in [libdefaults] as global defaults, or within +a realm\-specific subsection of [libdefaults], or may be +specified as realm\-specific values in the [realms] section. +A realm\-specific value overrides, not adds to, a generic +[libdefaults] specification. The search order is: +.UNINDENT +.UNINDENT +.INDENT 0.0 +.IP 1. 3 +realm\-specific subsection of [libdefaults]: +.INDENT 3.0 +.INDENT 3.5 +.sp +.nf +.ft C +[libdefaults] + EXAMPLE.COM = { + pkinit_anchors = FILE:/usr/local/example.com.crt + } +.ft P +.fi +.UNINDENT +.UNINDENT +.IP 2. 3 +realm\-specific value in the [realms] section: +.INDENT 3.0 +.INDENT 3.5 +.sp +.nf +.ft C +[realms] + OTHERREALM.ORG = { + pkinit_anchors = FILE:/usr/local/otherrealm.org.crt + } +.ft P +.fi +.UNINDENT +.UNINDENT +.IP 3. 3 +generic value in the [libdefaults] section: +.INDENT 3.0 +.INDENT 3.5 +.sp +.nf +.ft C +[libdefaults] + pkinit_anchors = DIR:/usr/local/generic_trusted_cas/ +.ft P +.fi +.UNINDENT +.UNINDENT +.UNINDENT +.SS Specifying PKINIT identity information +.sp +The syntax for specifying Public Key identity, trust, and revocation +information for PKINIT is as follows: +.INDENT 0.0 +.TP +.B \fBFILE:\fP\fIfilename\fP[\fB,\fP\fIkeyfilename\fP] +This option has context\-specific behavior. +.sp +In \fBpkinit_identity\fP or \fBpkinit_identities\fP, \fIfilename\fP +specifies the name of a PEM\-format file containing the user\(aqs +certificate. If \fIkeyfilename\fP is not specified, the user\(aqs +private key is expected to be in \fIfilename\fP as well. Otherwise, +\fIkeyfilename\fP is the name of the file containing the private key. +.sp +In \fBpkinit_anchors\fP or \fBpkinit_pool\fP, \fIfilename\fP is assumed to +be the name of an OpenSSL\-style ca\-bundle file. +.TP +.B \fBDIR:\fP\fIdirname\fP +This option has context\-specific behavior. +.sp +In \fBpkinit_identity\fP or \fBpkinit_identities\fP, \fIdirname\fP +specifies a directory with files named \fB*.crt\fP and \fB*.key\fP +where the first part of the file name is the same for matching +pairs of certificate and private key files. When a file with a +name ending with \fB\&.crt\fP is found, a matching file ending with +\fB\&.key\fP is assumed to contain the private key. If no such file +is found, then the certificate in the \fB\&.crt\fP is not used. +.sp +In \fBpkinit_anchors\fP or \fBpkinit_pool\fP, \fIdirname\fP is assumed to +be an OpenSSL\-style hashed CA directory where each CA cert is +stored in a file named \fBhash\-of\-ca\-cert.#\fP\&. This infrastructure +is encouraged, but all files in the directory will be examined and +if they contain certificates (in PEM format), they will be used. +.sp +In \fBpkinit_revoke\fP, \fIdirname\fP is assumed to be an OpenSSL\-style +hashed CA directory where each revocation list is stored in a file +named \fBhash\-of\-ca\-cert.r#\fP\&. This infrastructure is encouraged, +but all files in the directory will be examined and if they +contain a revocation list (in PEM format), they will be used. +.TP +.B \fBPKCS12:\fP\fIfilename\fP +\fIfilename\fP is the name of a PKCS #12 format file, containing the +user\(aqs certificate and private key. +.TP +.B \fBPKCS11:\fP[\fBmodule_name=\fP]\fImodname\fP[\fB:slotid=\fP\fIslot\-id\fP][\fB:token=\fP\fItoken\-label\fP][\fB:certid=\fP\fIcert\-id\fP][\fB:certlabel=\fP\fIcert\-label\fP] +All keyword/values are optional. \fImodname\fP specifies the location +of a library implementing PKCS #11. If a value is encountered +with no keyword, it is assumed to be the \fImodname\fP\&. If no +module\-name is specified, the default is \fBopensc\-pkcs11.so\fP\&. +\fBslotid=\fP and/or \fBtoken=\fP may be specified to force the use of +a particular smard card reader or token if there is more than one +available. \fBcertid=\fP and/or \fBcertlabel=\fP may be specified to +force the selection of a particular certificate on the device. +See the \fBpkinit_cert_match\fP configuration option for more ways +to select a particular certificate to use for PKINIT. +.TP +.B \fBENV:\fP\fIenvvar\fP +\fIenvvar\fP specifies the name of an environment variable which has +been set to a value conforming to one of the previous values. For +example, \fBENV:X509_PROXY\fP, where environment variable +\fBX509_PROXY\fP has been set to \fBFILE:/tmp/my_proxy.pem\fP\&. +.UNINDENT +.SS PKINIT krb5.conf options +.INDENT 0.0 +.TP +.B \fBpkinit_anchors\fP +Specifies the location of trusted anchor (root) certificates which +the client trusts to sign KDC certificates. This option may be +specified multiple times. These values from the config file are +not used if the user specifies X509_anchors on the command line. +.TP +.B \fBpkinit_cert_match\fP +Specifies matching rules that the client certificate must match +before it is used to attempt PKINIT authentication. If a user has +multiple certificates available (on a smart card, or via other +media), there must be exactly one certificate chosen before +attempting PKINIT authentication. This option may be specified +multiple times. All the available certificates are checked +against each rule in order until there is a match of exactly one +certificate. +.sp +The Subject and Issuer comparison strings are the \fI\%RFC 2253\fP +string representations from the certificate Subject DN and Issuer +DN values. +.sp +The syntax of the matching rules is: +.INDENT 7.0 +.INDENT 3.5 +[\fIrelation\-operator\fP]\fIcomponent\-rule\fP ... +.UNINDENT +.UNINDENT +.sp +where: +.INDENT 7.0 +.TP +.B \fIrelation\-operator\fP +can be either \fB&&\fP, meaning all component rules must match, +or \fB||\fP, meaning only one component rule must match. The +default is \fB&&\fP\&. +.TP +.B \fIcomponent\-rule\fP +can be one of the following. Note that there is no +punctuation or whitespace between component rules. +.INDENT 7.0 +.INDENT 3.5 +.nf +\fB<SUBJECT>\fP\fIregular\-expression\fP +\fB<ISSUER>\fP\fIregular\-expression\fP +\fB<SAN>\fP\fIregular\-expression\fP +\fB<EKU>\fP\fIextended\-key\-usage\-list\fP +\fB<KU>\fP\fIkey\-usage\-list\fP +.fi +.sp +.UNINDENT +.UNINDENT +.sp +\fIextended\-key\-usage\-list\fP is a comma\-separated list of +required Extended Key Usage values. All values in the list +must be present in the certificate. Extended Key Usage values +can be: +.INDENT 7.0 +.IP \(bu 2 +pkinit +.IP \(bu 2 +msScLogin +.IP \(bu 2 +clientAuth +.IP \(bu 2 +emailProtection +.UNINDENT +.sp +\fIkey\-usage\-list\fP is a comma\-separated list of required Key +Usage values. All values in the list must be present in the +certificate. Key Usage values can be: +.INDENT 7.0 +.IP \(bu 2 +digitalSignature +.IP \(bu 2 +keyEncipherment +.UNINDENT +.UNINDENT +.sp +Examples: +.INDENT 7.0 +.INDENT 3.5 +.sp +.nf +.ft C +pkinit_cert_match = ||<SUBJECT>.*DoE.*<SAN>.*@EXAMPLE.COM +pkinit_cert_match = &&<EKU>msScLogin,clientAuth<ISSUER>.*DoE.* +pkinit_cert_match = <EKU>msScLogin,clientAuth<KU>digitalSignature +.ft P +.fi +.UNINDENT +.UNINDENT +.TP +.B \fBpkinit_eku_checking\fP +This option specifies what Extended Key Usage value the KDC +certificate presented to the client must contain. (Note that if +the KDC certificate has the pkinit SubjectAlternativeName encoded +as the Kerberos TGS name, EKU checking is not necessary since the +issuing CA has certified this as a KDC certificate.) The values +recognized in the krb5.conf file are: +.INDENT 7.0 +.TP +.B \fBkpKDC\fP +This is the default value and specifies that the KDC must have +the id\-pkinit\-KPKdc EKU as defined in \fI\%RFC 4556\fP\&. +.TP +.B \fBkpServerAuth\fP +If \fBkpServerAuth\fP is specified, a KDC certificate with the +id\-kp\-serverAuth EKU will be accepted. This key usage value +is used in most commercially issued server certificates. +.TP +.B \fBnone\fP +If \fBnone\fP is specified, then the KDC certificate will not be +checked to verify it has an acceptable EKU. The use of this +option is not recommended. +.UNINDENT +.TP +.B \fBpkinit_dh_min_bits\fP +Specifies the size of the Diffie\-Hellman key the client will +attempt to use. The acceptable values are 1024, 2048, and 4096. +The default is 2048. +.TP +.B \fBpkinit_identities\fP +Specifies the location(s) to be used to find the user\(aqs X.509 +identity information. This option may be specified multiple +times. Each value is attempted in order until identity +information is found and authentication is attempted. Note that +these values are not used if the user specifies +\fBX509_user_identity\fP on the command line. +.TP +.B \fBpkinit_kdc_hostname\fP +The presense of this option indicates that the client is willing +to accept a KDC certificate with a dNSName SAN (Subject +Alternative Name) rather than requiring the id\-pkinit\-san as +defined in \fI\%RFC 4556\fP\&. This option may be specified multiple +times. Its value should contain the acceptable hostname for the +KDC (as contained in its certificate). +.TP +.B \fBpkinit_pool\fP +Specifies the location of intermediate certificates which may be +used by the client to complete the trust chain between a KDC +certificate and a trusted anchor. This option may be specified +multiple times. +.TP +.B \fBpkinit_require_crl_checking\fP +The default certificate verification process will always check the +available revocation information to see if a certificate has been +revoked. If a match is found for the certificate in a CRL, +verification fails. If the certificate being verified is not +listed in a CRL, or there is no CRL present for its issuing CA, +and \fBpkinit_require_crl_checking\fP is false, then verification +succeeds. +.sp +However, if \fBpkinit_require_crl_checking\fP is true and there is +no CRL information available for the issuing CA, then verification +fails. +.sp +\fBpkinit_require_crl_checking\fP should be set to true if the +policy is such that up\-to\-date CRLs must be present for every CA. +.TP +.B \fBpkinit_revoke\fP +Specifies the location of Certificate Revocation List (CRL) +information to be used by the client when verifying the validity +of the KDC certificate presented. This option may be specified +multiple times. +.UNINDENT +.SH PARAMETER EXPANSION +.sp +Starting with release 1.11, several variables, such as +\fBdefault_keytab_name\fP, allow parameters to be expanded. +Valid parameters are: +.INDENT 0.0 +.INDENT 3.5 +.TS +center; +|l|l|. +_ +T{ +%{TEMP} +T} T{ +Temporary directory +T} +_ +T{ +%{uid} +T} T{ +Unix real UID or Windows SID +T} +_ +T{ +%{euid} +T} T{ +Unix effective user ID or Windows SID +T} +_ +T{ +%{USERID} +T} T{ +Same as %{uid} +T} +_ +T{ +%{null} +T} T{ +Empty string +T} +_ +T{ +%{LIBDIR} +T} T{ +Installation library directory +T} +_ +T{ +%{BINDIR} +T} T{ +Installation binary directory +T} +_ +T{ +%{SBINDIR} +T} T{ +Installation admin binary directory +T} +_ +T{ +%{username} +T} T{ +(Unix) Username of effective user ID +T} +_ +T{ +%{APPDATA} +T} T{ +(Windows) Roaming application data for current user +T} +_ +T{ +%{COMMON_APPDATA} +T} T{ +(Windows) Application data for all users +T} +_ +T{ +%{LOCAL_APPDATA} +T} T{ +(Windows) Local application data for current user +T} +_ +T{ +%{SYSTEM} +T} T{ +(Windows) Windows system folder +T} +_ +T{ +%{WINDOWS} +T} T{ +(Windows) Windows folder +T} +_ +T{ +%{USERCONFIG} +T} T{ +(Windows) Per\-user MIT krb5 config file directory +T} +_ +T{ +%{COMMONCONFIG} +T} T{ +(Windows) Common MIT krb5 config file directory +T} +_ +.TE +.UNINDENT +.UNINDENT +.SH SAMPLE KRB5.CONF FILE +.sp +Here is an example of a generic krb5.conf file: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +[libdefaults] + default_realm = ATHENA.MIT.EDU + dns_lookup_kdc = true + dns_lookup_realm = false + +[realms] + ATHENA.MIT.EDU = { + kdc = kerberos.mit.edu + kdc = kerberos\-1.mit.edu + kdc = kerberos\-2.mit.edu + admin_server = kerberos.mit.edu + master_kdc = kerberos.mit.edu + } + EXAMPLE.COM = { + kdc = kerberos.example.com + kdc = kerberos\-1.example.com + admin_server = kerberos.example.com + } + +[domain_realm] + mit.edu = ATHENA.MIT.EDU + +[capaths] + ATHENA.MIT.EDU = { + EXAMPLE.COM = . + } + EXAMPLE.COM = { + ATHENA.MIT.EDU = . + } +.ft P +.fi +.UNINDENT +.UNINDENT +.SH FILES +.sp +\fB/etc/krb5.conf\fP +.SH SEE ALSO +.sp +syslog(3) +.SH AUTHOR +MIT +.SH COPYRIGHT +1985-2017, MIT +.\" Generated by docutils manpage writer. +. diff --git a/src/man/krb5kdc.man b/src/man/krb5kdc.man new file mode 100644 index 000000000000..873014650b27 --- /dev/null +++ b/src/man/krb5kdc.man @@ -0,0 +1,155 @@ +.\" Man page generated from reStructuredText. +. +.TH "KRB5KDC" "8" " " "1.15.1" "MIT Kerberos" +.SH NAME +krb5kdc \- Kerberos V5 KDC +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.SH SYNOPSIS +.sp +\fBkrb5kdc\fP +[\fB\-x\fP \fIdb_args\fP] +[\fB\-d\fP \fIdbname\fP] +[\fB\-k\fP \fIkeytype\fP] +[\fB\-M\fP \fImkeyname\fP] +[\fB\-p\fP \fIportnum\fP] +[\fB\-m\fP] +[\fB\-r\fP \fIrealm\fP] +[\fB\-n\fP] +[\fB\-w\fP \fInumworkers\fP] +[\fB\-P\fP \fIpid_file\fP] +[\fB\-T\fP \fItime_offset\fP] +.SH DESCRIPTION +.sp +krb5kdc is the Kerberos version 5 Authentication Service and Key +Distribution Center (AS/KDC). +.SH OPTIONS +.sp +The \fB\-r\fP \fIrealm\fP option specifies the realm for which the server +should provide service. +.sp +The \fB\-d\fP \fIdbname\fP option specifies the name under which the +principal database can be found. This option does not apply to the +LDAP database. +.sp +The \fB\-k\fP \fIkeytype\fP option specifies the key type of the master key +to be entered manually as a password when \fB\-m\fP is given; the default +is \fBdes\-cbc\-crc\fP\&. +.sp +The \fB\-M\fP \fImkeyname\fP option specifies the principal name for the +master key in the database (usually \fBK/M\fP in the KDC\(aqs realm). +.sp +The \fB\-m\fP option specifies that the master database password should +be fetched from the keyboard rather than from a stash file. +.sp +The \fB\-n\fP option specifies that the KDC does not put itself in the +background and does not disassociate itself from the terminal. In +normal operation, you should always allow the KDC to place itself in +the background. +.sp +The \fB\-P\fP \fIpid_file\fP option tells the KDC to write its PID into +\fIpid_file\fP after it starts up. This can be used to identify whether +the KDC is still running and to allow init scripts to stop the correct +process. +.sp +The \fB\-p\fP \fIportnum\fP option specifies the default UDP port numbers +which the KDC should listen on for Kerberos version 5 requests, as a +comma\-separated list. This value overrides the UDP port numbers +specified in the \fIkdcdefaults\fP section of \fIkdc.conf(5)\fP, but +may be overridden by realm\-specific values. If no value is given from +any source, the default port is 88. +.sp +The \fB\-w\fP \fInumworkers\fP option tells the KDC to fork \fInumworkers\fP +processes to listen to the KDC ports and process requests in parallel. +The top level KDC process (whose pid is recorded in the pid file if +the \fB\-P\fP option is also given) acts as a supervisor. The supervisor +will relay SIGHUP signals to the worker subprocesses, and will +terminate the worker subprocess if the it is itself terminated or if +any other worker process exits. +.sp +\fBNOTE:\fP +.INDENT 0.0 +.INDENT 3.5 +On operating systems which do not have \fIpktinfo\fP support, +using worker processes will prevent the KDC from listening +for UDP packets on network interfaces created after the KDC +starts. +.UNINDENT +.UNINDENT +.sp +The \fB\-x\fP \fIdb_args\fP option specifies database\-specific arguments. +See \fIDatabase Options\fP in \fIkadmin(1)\fP for +supported arguments. +.sp +The \fB\-T\fP \fIoffset\fP option specifies a time offset, in seconds, which +the KDC will operate under. It is intended only for testing purposes. +.SH EXAMPLE +.sp +The KDC may service requests for multiple realms (maximum 32 realms). +The realms are listed on the command line. Per\-realm options that can +be specified on the command line pertain for each realm that follows +it and are superseded by subsequent definitions of the same option. +.sp +For example: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +krb5kdc \-p 2001 \-r REALM1 \-p 2002 \-r REALM2 \-r REALM3 +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +specifies that the KDC listen on port 2001 for REALM1 and on port 2002 +for REALM2 and REALM3. Additionally, per\-realm parameters may be +specified in the \fIkdc.conf(5)\fP file. The location of this file +may be specified by the \fBKRB5_KDC_PROFILE\fP environment variable. +Per\-realm parameters specified in this file take precedence over +options specified on the command line. See the \fIkdc.conf(5)\fP +description for further details. +.SH ENVIRONMENT +.sp +krb5kdc uses the following environment variables: +.INDENT 0.0 +.IP \(bu 2 +\fBKRB5_CONFIG\fP +.IP \(bu 2 +\fBKRB5_KDC_PROFILE\fP +.UNINDENT +.SH SEE ALSO +.sp +\fIkdb5_util(8)\fP, \fIkdc.conf(5)\fP, \fIkrb5.conf(5)\fP, +\fIkdb5_ldap_util(8)\fP +.SH AUTHOR +MIT +.SH COPYRIGHT +1985-2017, MIT +.\" Generated by docutils manpage writer. +. diff --git a/src/man/ksu.man b/src/man/ksu.man new file mode 100644 index 000000000000..2a0328e8435c --- /dev/null +++ b/src/man/ksu.man @@ -0,0 +1,461 @@ +.\" Man page generated from reStructuredText. +. +.TH "KSU" "1" " " "1.15.1" "MIT Kerberos" +.SH NAME +ksu \- Kerberized super-user +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.SH SYNOPSIS +.sp +\fBksu\fP +[ \fItarget_user\fP ] +[ \fB\-n\fP \fItarget_principal_name\fP ] +[ \fB\-c\fP \fIsource_cache_name\fP ] +[ \fB\-k\fP ] +[ \fB\-r\fP time ] +[ \fB\-pf\fP ] +[ \fB\-l\fP \fIlifetime\fP ] +[ \fB\-z | Z\fP ] +[ \fB\-q\fP ] +[ \fB\-e\fP \fIcommand\fP [ args ... ] ] [ \fB\-a\fP [ args ... ] ] +.SH REQUIREMENTS +.sp +Must have Kerberos version 5 installed to compile ksu. Must have a +Kerberos version 5 server running to use ksu. +.SH DESCRIPTION +.sp +ksu is a Kerberized version of the su program that has two missions: +one is to securely change the real and effective user ID to that of +the target user, and the other is to create a new security context. +.sp +\fBNOTE:\fP +.INDENT 0.0 +.INDENT 3.5 +For the sake of clarity, all references to and attributes of +the user invoking the program will start with "source" +(e.g., "source user", "source cache", etc.). +.sp +Likewise, all references to and attributes of the target +account will start with "target". +.UNINDENT +.UNINDENT +.SH AUTHENTICATION +.sp +To fulfill the first mission, ksu operates in two phases: +authentication and authorization. Resolving the target principal name +is the first step in authentication. The user can either specify his +principal name with the \fB\-n\fP option (e.g., \fB\-n jqpublic@USC.EDU\fP) +or a default principal name will be assigned using a heuristic +described in the OPTIONS section (see \fB\-n\fP option). The target user +name must be the first argument to ksu; if not specified root is the +default. If \fB\&.\fP is specified then the target user will be the +source user (e.g., \fBksu .\fP). If the source user is root or the +target user is the source user, no authentication or authorization +takes place. Otherwise, ksu looks for an appropriate Kerberos ticket +in the source cache. +.sp +The ticket can either be for the end\-server or a ticket granting +ticket (TGT) for the target principal\(aqs realm. If the ticket for the +end\-server is already in the cache, it\(aqs decrypted and verified. If +it\(aqs not in the cache but the TGT is, the TGT is used to obtain the +ticket for the end\-server. The end\-server ticket is then verified. +If neither ticket is in the cache, but ksu is compiled with the +\fBGET_TGT_VIA_PASSWD\fP define, the user will be prompted for a +Kerberos password which will then be used to get a TGT. If the user +is logged in remotely and does not have a secure channel, the password +may be exposed. If neither ticket is in the cache and +\fBGET_TGT_VIA_PASSWD\fP is not defined, authentication fails. +.SH AUTHORIZATION +.sp +This section describes authorization of the source user when ksu is +invoked without the \fB\-e\fP option. For a description of the \fB\-e\fP +option, see the OPTIONS section. +.sp +Upon successful authentication, ksu checks whether the target +principal is authorized to access the target account. In the target +user\(aqs home directory, ksu attempts to access two authorization files: +\fI\&.k5login(5)\fP and .k5users. In the .k5login file each line +contains the name of a principal that is authorized to access the +account. +.sp +For example: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +jqpublic@USC.EDU +jqpublic/secure@USC.EDU +jqpublic/admin@USC.EDU +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +The format of .k5users is the same, except the principal name may be +followed by a list of commands that the principal is authorized to +execute (see the \fB\-e\fP option in the OPTIONS section for details). +.sp +Thus if the target principal name is found in the .k5login file the +source user is authorized to access the target account. Otherwise ksu +looks in the .k5users file. If the target principal name is found +without any trailing commands or followed only by \fB*\fP then the +source user is authorized. If either .k5login or .k5users exist but +an appropriate entry for the target principal does not exist then +access is denied. If neither file exists then the principal will be +granted access to the account according to the aname\->lname mapping +rules. Otherwise, authorization fails. +.SH EXECUTION OF THE TARGET SHELL +.sp +Upon successful authentication and authorization, ksu proceeds in a +similar fashion to su. The environment is unmodified with the +exception of USER, HOME and SHELL variables. If the target user is +not root, USER gets set to the target user name. Otherwise USER +remains unchanged. Both HOME and SHELL are set to the target login\(aqs +default values. In addition, the environment variable \fBKRB5CCNAME\fP +gets set to the name of the target cache. The real and effective user +ID are changed to that of the target user. The target user\(aqs shell is +then invoked (the shell name is specified in the password file). Upon +termination of the shell, ksu deletes the target cache (unless ksu is +invoked with the \fB\-k\fP option). This is implemented by first doing a +fork and then an exec, instead of just exec, as done by su. +.SH CREATING A NEW SECURITY CONTEXT +.sp +ksu can be used to create a new security context for the target +program (either the target shell, or command specified via the \fB\-e\fP +option). The target program inherits a set of credentials from the +source user. By default, this set includes all of the credentials in +the source cache plus any additional credentials obtained during +authentication. The source user is able to limit the credentials in +this set by using \fB\-z\fP or \fB\-Z\fP option. \fB\-z\fP restricts the copy +of tickets from the source cache to the target cache to only the +tickets where client == the target principal name. The \fB\-Z\fP option +provides the target user with a fresh target cache (no creds in the +cache). Note that for security reasons, when the source user is root +and target user is non\-root, \fB\-z\fP option is the default mode of +operation. +.sp +While no authentication takes place if the source user is root or is +the same as the target user, additional tickets can still be obtained +for the target cache. If \fB\-n\fP is specified and no credentials can +be copied to the target cache, the source user is prompted for a +Kerberos password (unless \fB\-Z\fP specified or \fBGET_TGT_VIA_PASSWD\fP +is undefined). If successful, a TGT is obtained from the Kerberos +server and stored in the target cache. Otherwise, if a password is +not provided (user hit return) ksu continues in a normal mode of +operation (the target cache will not contain the desired TGT). If the +wrong password is typed in, ksu fails. +.sp +\fBNOTE:\fP +.INDENT 0.0 +.INDENT 3.5 +During authentication, only the tickets that could be +obtained without providing a password are cached in in the +source cache. +.UNINDENT +.UNINDENT +.SH OPTIONS +.INDENT 0.0 +.TP +.B \fB\-n\fP \fItarget_principal_name\fP +Specify a Kerberos target principal name. Used in authentication +and authorization phases of ksu. +.sp +If ksu is invoked without \fB\-n\fP, a default principal name is +assigned via the following heuristic: +.INDENT 7.0 +.IP \(bu 2 +Case 1: source user is non\-root. +.sp +If the target user is the source user the default principal name +is set to the default principal of the source cache. If the +cache does not exist then the default principal name is set to +\fBtarget_user@local_realm\fP\&. If the source and target users are +different and neither \fB~target_user/.k5users\fP nor +\fB~target_user/.k5login\fP exist then the default principal name +is \fBtarget_user_login_name@local_realm\fP\&. Otherwise, starting +with the first principal listed below, ksu checks if the +principal is authorized to access the target account and whether +there is a legitimate ticket for that principal in the source +cache. If both conditions are met that principal becomes the +default target principal, otherwise go to the next principal. +.INDENT 2.0 +.IP a. 3 +default principal of the source cache +.IP b. 3 +target_user@local_realm +.IP c. 3 +source_user@local_realm +.UNINDENT +.sp +If a\-c fails try any principal for which there is a ticket in +the source cache and that is authorized to access the target +account. If that fails select the first principal that is +authorized to access the target account from the above list. If +none are authorized and ksu is configured with +\fBPRINC_LOOK_AHEAD\fP turned on, select the default principal as +follows: +.sp +For each candidate in the above list, select an authorized +principal that has the same realm name and first part of the +principal name equal to the prefix of the candidate. For +example if candidate a) is \fBjqpublic@ISI.EDU\fP and +\fBjqpublic/secure@ISI.EDU\fP is authorized to access the target +account then the default principal is set to +\fBjqpublic/secure@ISI.EDU\fP\&. +.IP \(bu 2 +Case 2: source user is root. +.sp +If the target user is non\-root then the default principal name +is \fBtarget_user@local_realm\fP\&. Else, if the source cache +exists the default principal name is set to the default +principal of the source cache. If the source cache does not +exist, default principal name is set to \fBroot\e@local_realm\fP\&. +.UNINDENT +.UNINDENT +.sp +\fB\-c\fP \fIsource_cache_name\fP +.INDENT 0.0 +.INDENT 3.5 +Specify source cache name (e.g., \fB\-c FILE:/tmp/my_cache\fP). If +\fB\-c\fP option is not used then the name is obtained from +\fBKRB5CCNAME\fP environment variable. If \fBKRB5CCNAME\fP is not +defined the source cache name is set to \fBkrb5cc_<source uid>\fP\&. +The target cache name is automatically set to \fBkrb5cc_<target +uid>.(gen_sym())\fP, where gen_sym generates a new number such that +the resulting cache does not already exist. For example: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +krb5cc_1984.2 +.ft P +.fi +.UNINDENT +.UNINDENT +.UNINDENT +.UNINDENT +.INDENT 0.0 +.TP +.B \fB\-k\fP +Do not delete the target cache upon termination of the target +shell or a command (\fB\-e\fP command). Without \fB\-k\fP, ksu deletes +the target cache. +.TP +.B \fB\-z\fP +Restrict the copy of tickets from the source cache to the target +cache to only the tickets where client == the target principal +name. Use the \fB\-n\fP option if you want the tickets for other then +the default principal. Note that the \fB\-z\fP option is mutually +exclusive with the \fB\-Z\fP option. +.TP +.B \fB\-Z\fP +Don\(aqt copy any tickets from the source cache to the target cache. +Just create a fresh target cache, where the default principal name +of the cache is initialized to the target principal name. Note +that the \fB\-Z\fP option is mutually exclusive with the \fB\-z\fP +option. +.TP +.B \fB\-q\fP +Suppress the printing of status messages. +.UNINDENT +.sp +Ticket granting ticket options: +.INDENT 0.0 +.TP +.B \fB\-l\fP \fIlifetime\fP \fB\-r\fP \fItime\fP \fB\-pf\fP +The ticket granting ticket options only apply to the case where +there are no appropriate tickets in the cache to authenticate the +source user. In this case if ksu is configured to prompt users +for a Kerberos password (\fBGET_TGT_VIA_PASSWD\fP is defined), the +ticket granting ticket options that are specified will be used +when getting a ticket granting ticket from the Kerberos server. +.TP +.B \fB\-l\fP \fIlifetime\fP +(\fIduration\fP string.) Specifies the lifetime to be requested +for the ticket; if this option is not specified, the default ticket +lifetime (12 hours) is used instead. +.TP +.B \fB\-r\fP \fItime\fP +(\fIduration\fP string.) Specifies that the \fBrenewable\fP option +should be requested for the ticket, and specifies the desired +total lifetime of the ticket. +.TP +.B \fB\-p\fP +specifies that the \fBproxiable\fP option should be requested for +the ticket. +.TP +.B \fB\-f\fP +option specifies that the \fBforwardable\fP option should be +requested for the ticket. +.TP +.B \fB\-e\fP \fIcommand\fP [\fIargs\fP ...] +ksu proceeds exactly the same as if it was invoked without the +\fB\-e\fP option, except instead of executing the target shell, ksu +executes the specified command. Example of usage: +.INDENT 7.0 +.INDENT 3.5 +.sp +.nf +.ft C +ksu bob \-e ls \-lag +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +The authorization algorithm for \fB\-e\fP is as follows: +.sp +If the source user is root or source user == target user, no +authorization takes place and the command is executed. If source +user id != 0, and \fB~target_user/.k5users\fP file does not exist, +authorization fails. Otherwise, \fB~target_user/.k5users\fP file +must have an appropriate entry for target principal to get +authorized. +.sp +The .k5users file format: +.sp +A single principal entry on each line that may be followed by a +list of commands that the principal is authorized to execute. A +principal name followed by a \fB*\fP means that the user is +authorized to execute any command. Thus, in the following +example: +.INDENT 7.0 +.INDENT 3.5 +.sp +.nf +.ft C +jqpublic@USC.EDU ls mail /local/kerberos/klist +jqpublic/secure@USC.EDU * +jqpublic/admin@USC.EDU +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +\fBjqpublic@USC.EDU\fP is only authorized to execute \fBls\fP, +\fBmail\fP and \fBklist\fP commands. \fBjqpublic/secure@USC.EDU\fP is +authorized to execute any command. \fBjqpublic/admin@USC.EDU\fP is +not authorized to execute any command. Note, that +\fBjqpublic/admin@USC.EDU\fP is authorized to execute the target +shell (regular ksu, without the \fB\-e\fP option) but +\fBjqpublic@USC.EDU\fP is not. +.sp +The commands listed after the principal name must be either a full +path names or just the program name. In the second case, +\fBCMD_PATH\fP specifying the location of authorized programs must +be defined at the compilation time of ksu. Which command gets +executed? +.sp +If the source user is root or the target user is the source user +or the user is authorized to execute any command (\fB*\fP entry) +then command can be either a full or a relative path leading to +the target program. Otherwise, the user must specify either a +full path or just the program name. +.TP +.B \fB\-a\fP \fIargs\fP +Specify arguments to be passed to the target shell. Note that all +flags and parameters following \-a will be passed to the shell, +thus all options intended for ksu must precede \fB\-a\fP\&. +.sp +The \fB\-a\fP option can be used to simulate the \fB\-e\fP option if +used as follows: +.INDENT 7.0 +.INDENT 3.5 +.sp +.nf +.ft C +\-a \-c [command [arguments]]. +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +\fB\-c\fP is interpreted by the c\-shell to execute the command. +.UNINDENT +.SH INSTALLATION INSTRUCTIONS +.sp +ksu can be compiled with the following four flags: +.INDENT 0.0 +.TP +.B \fBGET_TGT_VIA_PASSWD\fP +In case no appropriate tickets are found in the source cache, the +user will be prompted for a Kerberos password. The password is +then used to get a ticket granting ticket from the Kerberos +server. The danger of configuring ksu with this macro is if the +source user is logged in remotely and does not have a secure +channel, the password may get exposed. +.TP +.B \fBPRINC_LOOK_AHEAD\fP +During the resolution of the default principal name, +\fBPRINC_LOOK_AHEAD\fP enables ksu to find principal names in +the .k5users file as described in the OPTIONS section +(see \fB\-n\fP option). +.TP +.B \fBCMD_PATH\fP +Specifies a list of directories containing programs that users are +authorized to execute (via .k5users file). +.TP +.B \fBHAVE_GETUSERSHELL\fP +If the source user is non\-root, ksu insists that the target user\(aqs +shell to be invoked is a "legal shell". \fIgetusershell(3)\fP is +called to obtain the names of "legal shells". Note that the +target user\(aqs shell is obtained from the passwd file. +.UNINDENT +.sp +Sample configuration: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +KSU_OPTS = \-DGET_TGT_VIA_PASSWD \-DPRINC_LOOK_AHEAD \-DCMD_PATH=\(aq"/bin /usr/ucb /local/bin" +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +ksu should be owned by root and have the set user id bit turned on. +.sp +ksu attempts to get a ticket for the end server just as Kerberized +telnet and rlogin. Thus, there must be an entry for the server in the +Kerberos database (e.g., \fBhost/nii.isi.edu@ISI.EDU\fP). The keytab +file must be in an appropriate location. +.SH SIDE EFFECTS +.sp +ksu deletes all expired tickets from the source cache. +.SH AUTHOR OF KSU +.sp +GENNADY (ARI) MEDVINSKY +.SH AUTHOR +MIT +.SH COPYRIGHT +1985-2017, MIT +.\" Generated by docutils manpage writer. +. diff --git a/src/man/kswitch.man b/src/man/kswitch.man new file mode 100644 index 000000000000..d8d925cbceac --- /dev/null +++ b/src/man/kswitch.man @@ -0,0 +1,79 @@ +.\" Man page generated from reStructuredText. +. +.TH "KSWITCH" "1" " " "1.15.1" "MIT Kerberos" +.SH NAME +kswitch \- switch primary ticket cache +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.SH SYNOPSIS +.sp +\fBkswitch\fP +{\fB\-c\fP \fIcachename\fP|\fB\-p\fP \fIprincipal\fP} +.SH DESCRIPTION +.sp +kswitch makes the specified credential cache the primary cache for the +collection, if a cache collection is available. +.SH OPTIONS +.INDENT 0.0 +.TP +.B \fB\-c\fP \fIcachename\fP +Directly specifies the credential cache to be made primary. +.TP +.B \fB\-p\fP \fIprincipal\fP +Causes the cache collection to be searched for a cache containing +credentials for \fIprincipal\fP\&. If one is found, that collection is +made primary. +.UNINDENT +.SH ENVIRONMENT +.sp +kswitch uses the following environment variables: +.INDENT 0.0 +.TP +.B \fBKRB5CCNAME\fP +Location of the default Kerberos 5 credentials (ticket) cache, in +the form \fItype\fP:\fIresidual\fP\&. If no \fItype\fP prefix is present, the +\fBFILE\fP type is assumed. The type of the default cache may +determine the availability of a cache collection; for instance, a +default cache of type \fBDIR\fP causes caches within the directory +to be present in the collection. +.UNINDENT +.SH FILES +.INDENT 0.0 +.TP +.B \fB@CCNAME@\fP +Default location of Kerberos 5 credentials cache +.UNINDENT +.SH SEE ALSO +.sp +\fIkinit(1)\fP, \fIkdestroy(1)\fP, \fIklist(1)\fP), kerberos(1) +.SH AUTHOR +MIT +.SH COPYRIGHT +1985-2017, MIT +.\" Generated by docutils manpage writer. +. diff --git a/src/man/ktutil.man b/src/man/ktutil.man new file mode 100644 index 000000000000..6a119e7550ad --- /dev/null +++ b/src/man/ktutil.man @@ -0,0 +1,173 @@ +.\" Man page generated from reStructuredText. +. +.TH "KTUTIL" "1" " " "1.15.1" "MIT Kerberos" +.SH NAME +ktutil \- Kerberos keytab file maintenance utility +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.SH SYNOPSIS +.sp +\fBktutil\fP +.SH DESCRIPTION +.sp +The ktutil command invokes a command interface from which an +administrator can read, write, or edit entries in a keytab or Kerberos +V4 srvtab file. +.SH COMMANDS +.SS list +.INDENT 0.0 +.INDENT 3.5 +\fBlist\fP +.UNINDENT +.UNINDENT +.sp +Displays the current keylist. +.sp +Alias: \fBl\fP +.SS read_kt +.INDENT 0.0 +.INDENT 3.5 +\fBread_kt\fP \fIkeytab\fP +.UNINDENT +.UNINDENT +.sp +Read the Kerberos V5 keytab file \fIkeytab\fP into the current keylist. +.sp +Alias: \fBrkt\fP +.SS read_st +.INDENT 0.0 +.INDENT 3.5 +\fBread_st\fP \fIsrvtab\fP +.UNINDENT +.UNINDENT +.sp +Read the Kerberos V4 srvtab file \fIsrvtab\fP into the current keylist. +.sp +Alias: \fBrst\fP +.SS write_kt +.INDENT 0.0 +.INDENT 3.5 +\fBwrite_kt\fP \fIkeytab\fP +.UNINDENT +.UNINDENT +.sp +Write the current keylist into the Kerberos V5 keytab file \fIkeytab\fP\&. +.sp +Alias: \fBwkt\fP +.SS write_st +.INDENT 0.0 +.INDENT 3.5 +\fBwrite_st\fP \fIsrvtab\fP +.UNINDENT +.UNINDENT +.sp +Write the current keylist into the Kerberos V4 srvtab file \fIsrvtab\fP\&. +.sp +Alias: \fBwst\fP +.SS clear_list +.INDENT 0.0 +.INDENT 3.5 +\fBclear_list\fP +.UNINDENT +.UNINDENT +.sp +Clear the current keylist. +.sp +Alias: \fBclear\fP +.SS delete_entry +.INDENT 0.0 +.INDENT 3.5 +\fBdelete_entry\fP \fIslot\fP +.UNINDENT +.UNINDENT +.sp +Delete the entry in slot number \fIslot\fP from the current keylist. +.sp +Alias: \fBdelent\fP +.SS add_entry +.INDENT 0.0 +.INDENT 3.5 +\fBadd_entry\fP {\fB\-key\fP|\fB\-password\fP} \fB\-p\fP \fIprincipal\fP +\fB\-k\fP \fIkvno\fP \fB\-e\fP \fIenctype\fP +.UNINDENT +.UNINDENT +.sp +Add \fIprincipal\fP to keylist using key or password. +.sp +Alias: \fBaddent\fP +.SS list_requests +.INDENT 0.0 +.INDENT 3.5 +\fBlist_requests\fP +.UNINDENT +.UNINDENT +.sp +Displays a listing of available commands. +.sp +Aliases: \fBlr\fP, \fB?\fP +.SS quit +.INDENT 0.0 +.INDENT 3.5 +\fBquit\fP +.UNINDENT +.UNINDENT +.sp +Quits ktutil. +.sp +Aliases: \fBexit\fP, \fBq\fP +.SH EXAMPLE +.INDENT 0.0 +.INDENT 3.5 +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +ktutil: add_entry \-password \-p alice@BLEEP.COM \-k 1 \-e + aes128\-cts\-hmac\-sha1\-96 +Password for alice@BLEEP.COM: +ktutil: add_entry \-password \-p alice@BLEEP.COM \-k 1 \-e + aes256\-cts\-hmac\-sha1\-96 +Password for alice@BLEEP.COM: +ktutil: write_kt keytab +ktutil: +.ft P +.fi +.UNINDENT +.UNINDENT +.UNINDENT +.UNINDENT +.SH SEE ALSO +.sp +\fIkadmin(1)\fP, \fIkdb5_util(8)\fP +.SH AUTHOR +MIT +.SH COPYRIGHT +1985-2017, MIT +.\" Generated by docutils manpage writer. +. diff --git a/src/man/kvno.man b/src/man/kvno.man new file mode 100644 index 000000000000..4d510ca51f21 --- /dev/null +++ b/src/man/kvno.man @@ -0,0 +1,109 @@ +.\" Man page generated from reStructuredText. +. +.TH "KVNO" "1" " " "1.15.1" "MIT Kerberos" +.SH NAME +kvno \- print key version numbers of Kerberos principals +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.SH SYNOPSIS +.sp +\fBkvno\fP +[\fB\-c\fP \fIccache\fP] +[\fB\-e\fP \fIetype\fP] +[\fB\-q\fP] +[\fB\-h\fP] +[\fB\-P\fP] +[\fB\-S\fP \fIsname\fP] +[\fB\-U\fP \fIfor_user\fP] +\fIservice1 service2\fP ... +.SH DESCRIPTION +.sp +kvno acquires a service ticket for the specified Kerberos principals +and prints out the key version numbers of each. +.SH OPTIONS +.INDENT 0.0 +.TP +.B \fB\-c\fP \fIccache\fP +Specifies the name of a credentials cache to use (if not the +default) +.TP +.B \fB\-e\fP \fIetype\fP +Specifies the enctype which will be requested for the session key +of all the services named on the command line. This is useful in +certain backward compatibility situations. +.TP +.B \fB\-q\fP +Suppress printing output when successful. If a service ticket +cannot be obtained, an error message will still be printed and +kvno will exit with nonzero status. +.TP +.B \fB\-h\fP +Prints a usage statement and exits. +.TP +.B \fB\-P\fP +Specifies that the \fIservice1 service2\fP ... arguments are to be +treated as services for which credentials should be acquired using +constrained delegation. This option is only valid when used in +conjunction with protocol transition. +.TP +.B \fB\-S\fP \fIsname\fP +Specifies that the \fIservice1 service2\fP ... arguments are +interpreted as hostnames, and the service principals are to be +constructed from those hostnames and the service name \fIsname\fP\&. +The service hostnames will be canonicalized according to the usual +rules for constructing service principals. +.TP +.B \fB\-U\fP \fIfor_user\fP +Specifies that protocol transition (S4U2Self) is to be used to +acquire a ticket on behalf of \fIfor_user\fP\&. If constrained +delegation is not requested, the service name must match the +credentials cache client principal. +.UNINDENT +.SH ENVIRONMENT +.sp +kvno uses the following environment variable: +.INDENT 0.0 +.TP +.B \fBKRB5CCNAME\fP +Location of the credentials (ticket) cache. +.UNINDENT +.SH FILES +.INDENT 0.0 +.TP +.B \fB@CCNAME@\fP +Default location of the credentials cache +.UNINDENT +.SH SEE ALSO +.sp +\fIkinit(1)\fP, \fIkdestroy(1)\fP +.SH AUTHOR +MIT +.SH COPYRIGHT +1985-2017, MIT +.\" Generated by docutils manpage writer. +. diff --git a/src/man/sclient.man b/src/man/sclient.man new file mode 100644 index 000000000000..1d5c4c5e7048 --- /dev/null +++ b/src/man/sclient.man @@ -0,0 +1,50 @@ +.\" Man page generated from reStructuredText. +. +.TH "SCLIENT" "1" " " "1.15.1" "MIT Kerberos" +.SH NAME +sclient \- sample Kerberos version 5 client +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.SH SYNOPSIS +.sp +\fBsclient\fP \fIremotehost\fP +.SH DESCRIPTION +.sp +sclient is a sample application, primarily useful for testing +purposes. It contacts a sample server \fIsserver(8)\fP and +authenticates to it using Kerberos version 5 tickets, then displays +the server\(aqs response. +.SH SEE ALSO +.sp +\fIkinit(1)\fP, \fIsserver(8)\fP +.SH AUTHOR +MIT +.SH COPYRIGHT +1985-2017, MIT +.\" Generated by docutils manpage writer. +. diff --git a/src/man/sserver.man b/src/man/sserver.man new file mode 100644 index 000000000000..514128018c36 --- /dev/null +++ b/src/man/sserver.man @@ -0,0 +1,194 @@ +.\" Man page generated from reStructuredText. +. +.TH "SSERVER" "8" " " "1.15.1" "MIT Kerberos" +.SH NAME +sserver \- sample Kerberos version 5 server +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.SH SYNOPSIS +.sp +\fBsserver\fP +[ \fB\-p\fP \fIport\fP ] +[ \fB\-S\fP \fIkeytab\fP ] +[ \fIserver_port\fP ] +.SH DESCRIPTION +.sp +sserver and \fIsclient(1)\fP are a simple demonstration client/server +application. When sclient connects to sserver, it performs a Kerberos +authentication, and then sserver returns to sclient the Kerberos +principal which was used for the Kerberos authentication. It makes a +good test that Kerberos has been successfully installed on a machine. +.sp +The service name used by sserver and sclient is sample. Hence, +sserver will require that there be a keytab entry for the service +\fBsample/hostname.domain.name@REALM.NAME\fP\&. This keytab is generated +using the \fIkadmin(1)\fP program. The keytab file is usually +installed as \fB@KTNAME@\fP\&. +.sp +The \fB\-S\fP option allows for a different keytab than the default. +.sp +sserver is normally invoked out of inetd(8), using a line in +\fB/etc/inetd.conf\fP that looks like this: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +sample stream tcp nowait root /usr/local/sbin/sserver sserver +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +Since \fBsample\fP is normally not a port defined in \fB/etc/services\fP, +you will usually have to add a line to \fB/etc/services\fP which looks +like this: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +sample 13135/tcp +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +When using sclient, you will first have to have an entry in the +Kerberos database, by using \fIkadmin(1)\fP, and then you have to get +Kerberos tickets, by using \fIkinit(1)\fP\&. Also, if you are running +the sclient program on a different host than the sserver it will be +connecting to, be sure that both hosts have an entry in /etc/services +for the sample tcp port, and that the same port number is in both +files. +.sp +When you run sclient you should see something like this: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +sendauth succeeded, reply is: +reply len 32, contents: +You are nlgilman@JIMI.MIT.EDU +.ft P +.fi +.UNINDENT +.UNINDENT +.SH COMMON ERROR MESSAGES +.INDENT 0.0 +.IP 1. 3 +kinit returns the error: +.INDENT 3.0 +.INDENT 3.5 +.sp +.nf +.ft C +kinit: Client not found in Kerberos database while getting + initial credentials +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +This means that you didn\(aqt create an entry for your username in the +Kerberos database. +.IP 2. 3 +sclient returns the error: +.INDENT 3.0 +.INDENT 3.5 +.sp +.nf +.ft C +unknown service sample/tcp; check /etc/services +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +This means that you don\(aqt have an entry in /etc/services for the +sample tcp port. +.IP 3. 3 +sclient returns the error: +.INDENT 3.0 +.INDENT 3.5 +.sp +.nf +.ft C +connect: Connection refused +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +This probably means you didn\(aqt edit /etc/inetd.conf correctly, or +you didn\(aqt restart inetd after editing inetd.conf. +.IP 4. 3 +sclient returns the error: +.INDENT 3.0 +.INDENT 3.5 +.sp +.nf +.ft C +sclient: Server not found in Kerberos database while using + sendauth +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +This means that the \fBsample/hostname@LOCAL.REALM\fP service was not +defined in the Kerberos database; it should be created using +\fIkadmin(1)\fP, and a keytab file needs to be generated to make +the key for that service principal available for sclient. +.IP 5. 3 +sclient returns the error: +.INDENT 3.0 +.INDENT 3.5 +.sp +.nf +.ft C +sendauth rejected, error reply is: + "No such file or directory" +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +This probably means sserver couldn\(aqt find the keytab file. It was +probably not installed in the proper directory. +.UNINDENT +.SH SEE ALSO +.sp +\fIsclient(1)\fP, services(5), inetd(8) +.SH AUTHOR +MIT +.SH COPYRIGHT +1985-2017, MIT +.\" Generated by docutils manpage writer. +. |