| author | Cy Schubert <cy@FreeBSD.org> | 2023-08-04 17:53:10 +0000 |
|---|---|---|
| committer | Cy Schubert <cy@FreeBSD.org> | 2023-08-04 17:53:10 +0000 |
| commit | 0320e0d5bb9fbb5da53478b3fd80ad79b110191d (patch) | |
| tree | e1185f75bd2d3f87b0c17f787debc3ee8648214b /doc/html/admin/install_clients.html | |
| parent | b0e4d68d5124581ae353493d69bea352de4cff8a (diff) | |
Diffstat (limited to 'doc/html/admin/install_clients.html')
| -rw-r--r-- | doc/html/admin/install_clients.html | 53 |
1 files changed, 27 insertions, 26 deletions
diff --git a/doc/html/admin/install_clients.html b/doc/html/admin/install_clients.html index 9c4fabbd0f03..86f472039879 100644 --- a/doc/html/admin/install_clients.html +++ b/doc/html/admin/install_clients.html @@ -1,33 +1,31 @@ + <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> - <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> - - <title>Installing and configuring UNIX client machines — MIT Kerberos Documentation</title> - + <title>Installing and configuring UNIX client machines — MIT Kerberos Documentation</title> <link rel="stylesheet" href="../_static/agogo.css" type="text/css" /> <link rel="stylesheet" href="../_static/pygments.css" type="text/css" /> <link rel="stylesheet" href="../_static/kerb.css" type="text/css" /> - <script type="text/javascript"> var DOCUMENTATION_OPTIONS = { URL_ROOT: '../', - VERSION: '1.16', + VERSION: '1.21.1', COLLAPSE_INDEX: false, FILE_SUFFIX: '.html', - HAS_SOURCE: true + HAS_SOURCE: true, + SOURCELINK_SUFFIX: '.txt' }; </script> <script type="text/javascript" src="../_static/jquery.js"></script> <script type="text/javascript" src="../_static/underscore.js"></script> <script type="text/javascript" src="../_static/doctools.js"></script> <link rel="author" title="About these documents" href="../about.html" /> + <link rel="index" title="Index" href="../genindex.html" /> + <link rel="search" title="Search" href="../search.html" /> <link rel="copyright" title="Copyright" href="../copyright.html" /> - <link rel="top" title="MIT Kerberos Documentation" href="../index.html" /> - <link rel="up" title="Installation guide" href="install.html" /> <link rel="next" title="UNIX Application Servers" href="install_appl_srv.html" /> <link rel="prev" title="Installing KDCs" href="install_kdc.html" /> </head> 
@@ -61,16 +59,16 @@ <div class="documentwrapper"> <div class="bodywrapper"> - <div class="body"> + <div class="body" role="main"> <div class="section" id="installing-and-configuring-unix-client-machines"> <h1>Installing and configuring UNIX client machines<a class="headerlink" href="#installing-and-configuring-unix-client-machines" title="Permalink to this headline">¶</a></h1> -<p>The Kerberized client programs include <a class="reference internal" href="../user/user_commands/kinit.html#kinit-1"><em>kinit</em></a>, -<a class="reference internal" href="../user/user_commands/klist.html#klist-1"><em>klist</em></a>, <a class="reference internal" href="../user/user_commands/kdestroy.html#kdestroy-1"><em>kdestroy</em></a>, and <a class="reference internal" href="../user/user_commands/kpasswd.html#kpasswd-1"><em>kpasswd</em></a>. All of -these programs are in the directory <a class="reference internal" href="../mitK5defaults.html#paths"><em>BINDIR</em></a>.</p> +<p>The Kerberized client programs include <a class="reference internal" href="../user/user_commands/kinit.html#kinit-1"><span class="std std-ref">kinit</span></a>, +<a class="reference internal" href="../user/user_commands/klist.html#klist-1"><span class="std std-ref">klist</span></a>, <a class="reference internal" href="../user/user_commands/kdestroy.html#kdestroy-1"><span class="std std-ref">kdestroy</span></a>, and <a class="reference internal" href="../user/user_commands/kpasswd.html#kpasswd-1"><span class="std std-ref">kpasswd</span></a>. All of +these programs are in the directory <a class="reference internal" href="../mitK5defaults.html#paths"><span class="std std-ref">BINDIR</span></a>.</p> <p>You can often integrate Kerberos with the login system on client machines, typically through the use of PAM. The details vary by -operating system, and should be covered in your operating system’s +operating system, and should be covered in your operating system’s documentation. 
If you do this, you will need to make sure your users know to use their Kerberos passwords when they log in.</p> <p>You will also need to educate your users to use the ticket management 
@@ -80,12 +78,12 @@ typically through PAM), you will need to educate users to use kpasswd in place of its non-Kerberos counterparts passwd.</p> <div class="section" id="client-machine-configuration-files"> <h2>Client machine configuration files<a class="headerlink" href="#client-machine-configuration-files" title="Permalink to this headline">¶</a></h2> -<p>Each machine running Kerberos should have a <a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a> file. +<p>Each machine running Kerberos should have a <a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a> file. At a minimum, it should define a <strong>default_realm</strong> setting in -<a class="reference internal" href="conf_files/krb5_conf.html#libdefaults"><em>[libdefaults]</em></a>. If you are not using DNS SRV records -(<a class="reference internal" href="realm_config.html#kdc-hostnames"><em>Hostnames for KDCs</em></a>) or URI records (<a class="reference internal" href="realm_config.html#kdc-discovery"><em>KDC Discovery</em></a>), it must -also contain a <a class="reference internal" href="conf_files/krb5_conf.html#realms"><em>[realms]</em></a> section containing information for your -realm’s KDCs.</p> +<a class="reference internal" href="conf_files/krb5_conf.html#libdefaults"><span class="std std-ref">[libdefaults]</span></a>. 
If you are not using DNS SRV records +(<a class="reference internal" href="realm_config.html#kdc-hostnames"><span class="std std-ref">Hostnames for KDCs</span></a>) or URI records (<a class="reference internal" href="realm_config.html#kdc-discovery"><span class="std std-ref">KDC Discovery</span></a>), it must +also contain a <a class="reference internal" href="conf_files/krb5_conf.html#realms"><span class="std std-ref">[realms]</span></a> section containing information for your +realm’s KDCs.</p> <p>Consider setting <strong>rdns</strong> to false in order to reduce your dependence on precisely correct DNS information for service hostnames. Turning this flag off means that service hostnames will be canonicalized @@ -96,7 +94,7 @@ true for historical reasons only.</p> <p>If you anticipate users frequently logging into remote hosts (e.g., using ssh) using forwardable credentials, consider setting <strong>forwardable</strong> to true so that users obtain forwardable tickets by -default. Otherwise users will need to use <tt class="docutils literal"><span class="pre">kinit</span> <span class="pre">-f</span></tt> to get +default. Otherwise users will need to use <code class="docutils literal"><span class="pre">kinit</span> <span class="pre">-f</span></code> to get forwardable tickets.</p> <p>Consider adjusting the <strong>ticket_lifetime</strong> setting to match the likely length of sessions for your users. For instance, if most of your 
@@ -104,12 +102,12 @@ users will be logging in for an eight-hour workday, you could set the default to ten hours so that tickets obtained in the morning expire shortly after the end of the workday. Users can still manually request longer tickets when necessary, up to the maximum allowed by -each user’s principal record on the KDC.</p> +each user’s principal record on the KDC.</p> <p>If a client host may access services in different realms, it may be -useful to define a <a class="reference internal" href="conf_files/krb5_conf.html#domain-realm"><em>[domain_realm]</em></a> mapping so that clients know +useful to define a <a class="reference internal" href="conf_files/krb5_conf.html#domain-realm"><span class="std std-ref">[domain_realm]</span></a> mapping so that clients know which hosts belong to which realms. However, if your clients and KDC are running release 1.7 or later, it is also reasonable to leave this -section out on client machines and just define it in the KDC’s +section out on client machines and just define it in the KDC’s krb5.conf.</p> </div> </div> 
@@ -135,13 +133,14 @@ krb5.conf.</p> <li class="toctree-l1 current"><a class="reference internal" href="index.html">For administrators</a><ul class="current"> <li class="toctree-l2 current"><a class="reference internal" href="install.html">Installation guide</a><ul class="current"> <li class="toctree-l3"><a class="reference internal" href="install_kdc.html">Installing KDCs</a></li> -<li class="toctree-l3 current"><a class="current reference internal" href="">Installing and configuring UNIX client machines</a></li> +<li class="toctree-l3 current"><a class="current reference internal" href="#">Installing and configuring UNIX client machines</a></li> <li class="toctree-l3"><a class="reference internal" href="install_appl_srv.html">UNIX Application Servers</a></li> </ul> </li> <li class="toctree-l2"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li> <li class="toctree-l2"><a class="reference internal" href="realm_config.html">Realm configuration decisions</a></li> <li class="toctree-l2"><a class="reference internal" href="database.html">Database administration</a></li> +<li class="toctree-l2"><a class="reference internal" href="dbtypes.html">Database types</a></li> <li class="toctree-l2"><a class="reference internal" href="lockout.html">Account lockout</a></li> <li class="toctree-l2"><a class="reference internal" href="conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li> <li class="toctree-l2"><a class="reference internal" href="appl_servers.html">Application servers</a></li> 
@@ -149,6 +148,8 @@ krb5.conf.</p> <li class="toctree-l2"><a class="reference internal" href="backup_host.html">Backups of secure hosts</a></li> <li class="toctree-l2"><a class="reference internal" href="pkinit.html">PKINIT configuration</a></li> <li class="toctree-l2"><a class="reference internal" href="otp.html">OTP Preauthentication</a></li> +<li class="toctree-l2"><a class="reference internal" href="spake.html">SPAKE Preauthentication</a></li> +<li class="toctree-l2"><a class="reference internal" href="dictionary.html">Addressing dictionary attack risks</a></li> <li class="toctree-l2"><a class="reference internal" href="princ_dns.html">Principal names and DNS</a></li> <li class="toctree-l2"><a class="reference internal" href="enctypes.html">Encryption types</a></li> <li class="toctree-l2"><a class="reference internal" href="https.html">HTTPS proxy configuration</a></li> @@ -188,8 +189,8 @@ krb5.conf.</p> <div class="footer-wrapper"> <div class="footer" > - <div class="right" ><i>Release: 1.16</i><br /> - © <a href="../copyright.html">Copyright</a> 1985-2017, MIT. + <div class="right" ><i>Release: 1.21.1</i><br /> + © <a href="../copyright.html">Copyright</a> 1985-2023, MIT. </div> <div class="left"> |
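Review bot: the head hunk (@@ -1,33 +1,31 @@) removes `<link rel="top" title="MIT Kerberos Documentation" href="../index.html" />` and `<link rel="up" title="Installation guide" href="install.html" />` with no replacement, while adding `rel="index"` and `rel="search"` links. Taken with the `VERSION: '1.16'` to `'1.21.1'` bump and the new `SOURCELINK_SUFFIX: '.txt'` key, this reads like regenerated documentation output rather than a hand edit. If that is the case, say so in the commit description and keep the file exactly as the generator wrote it. The footer hunk's `Release: 1.21.1` agrees with the version set here, which is the consistency check worth keeping.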
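Review bot: in the body hunks (@@ -61,16 +59,16 @@ through @@ -104,12 +102,12 @@) the inline literal changes from `<tt class="docutils literal">` to `<code class="docutils literal">` and every cross-reference changes from `<em>` to `<span class="std std-ref">`, so any rule in `../_static/kerb.css` or `../_static/agogo.css` that selects on `tt` or on `a.reference em` stops matching. The diffstat here is limited to this one file, so confirm the stylesheets are updated in the same commit. Several removed and added pairs also read identically as shown, for example `realm’s KDCs.</p>` and `each user’s principal record on the KDC.</p>`, which means the only difference is how the apostrophe is encoded; check that the result is still consistent with the `charset=utf-8` declared in the head. The guidance on **rdns**, **forwardable** and **ticket_lifetime** itself is untouched by these hunks.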
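Review bot: the sidebar hunks (@@ -135,13 +133,14 @@ and @@ -149,6 +148,8 @@) add links to `dbtypes.html`, `spake.html` and `dictionary.html`, and nothing visible on this page shows those files being added. Confirm all three pages land in the same commit, otherwise the navigation gains dead links on every page that shares this sidebar. The change of the current-page link from `href=""` to `href="#"` in the first of these hunks is fine and needs no follow-up.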
