author:    Cy Schubert <cy@FreeBSD.org>  2023-08-04 17:53:10 +0000
committer: Cy Schubert <cy@FreeBSD.org>  2023-08-04 17:53:10 +0000
commit:    0320e0d5bb9fbb5da53478b3fd80ad79b110191d (patch)
tree:      e1185f75bd2d3f87b0c17f787debc3ee8648214b /doc/html/basic
parent:    b0e4d68d5124581ae353493d69bea352de4cff8a (diff)

Diffstat (limited to 'doc/html/basic')
-rw-r--r--  doc/html/basic/ccache_def.html       79
-rw-r--r--  doc/html/basic/date_format.html      62
-rw-r--r--  doc/html/basic/index.html            23
-rw-r--r--  doc/html/basic/keytab_def.html       56
-rw-r--r--  doc/html/basic/rcache_def.html      121
-rw-r--r--  doc/html/basic/stash_file_def.html   34
6 files changed, 186 insertions, 189 deletions
diff --git a/doc/html/basic/ccache_def.html b/doc/html/basic/ccache_def.html
index 0ba9c7215668..b2c4dca07438 100644
--- a/doc/html/basic/ccache_def.html
+++ b/doc/html/basic/ccache_def.html
@@ -1,33 +1,31 @@
+
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
-
- <title>Credential cache &mdash; MIT Kerberos Documentation</title>
-
+ <title>Credential cache &#8212; MIT Kerberos Documentation</title>
<link rel="stylesheet" href="../_static/agogo.css" type="text/css" />
<link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
<link rel="stylesheet" href="../_static/kerb.css" type="text/css" />
-
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: '../',
- VERSION: '1.16',
+ VERSION: '1.21.1',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
- HAS_SOURCE: true
+ HAS_SOURCE: true,
+ SOURCELINK_SUFFIX: '.txt'
};
</script>
<script type="text/javascript" src="../_static/jquery.js"></script>
<script type="text/javascript" src="../_static/underscore.js"></script>
<script type="text/javascript" src="../_static/doctools.js"></script>
<link rel="author" title="About these documents" href="../about.html" />
+ <link rel="index" title="Index" href="../genindex.html" />
+ <link rel="search" title="Search" href="../search.html" />
<link rel="copyright" title="Copyright" href="../copyright.html" />
- <link rel="top" title="MIT Kerberos Documentation" href="../index.html" />
- <link rel="up" title="Kerberos V5 concepts" href="index.html" />
<link rel="next" title="keytab" href="keytab_def.html" />
<link rel="prev" title="Kerberos V5 concepts" href="index.html" />
</head>
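Review bot: the empty line added before `<!DOCTYPE` at the top of this hunk, the dropped `rel="top"`/`rel="up"` links, the new `rel="index"`/`rel="search"` links and the new `SOURCELINK_SUFFIX: '.txt'` option all look like the output of a newer Sphinx rather than hand edits, so the whole directory should be treated as regenerated; recording the generator version used would make the next vendor import reproducible. Whitespace before the doctype is ignored by HTML parsers, so the leading blank line is harmless, and the `VERSION: '1.21.1'` bump matches the footer change later in this file.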
@@ -61,24 +59,24 @@
<div class="documentwrapper">
<div class="bodywrapper">
- <div class="body">
+ <div class="body" role="main">
<div class="section" id="credential-cache">
<span id="ccache-definition"></span><h1>Credential cache<a class="headerlink" href="#credential-cache" title="Permalink to this headline">¶</a></h1>
-<p>A credential cache (or &#8220;ccache&#8221;) holds Kerberos credentials while they
-remain valid and, generally, while the user&#8217;s session lasts, so that
+<p>A credential cache (or “ccache”) holds Kerberos credentials while they
+remain valid and, generally, while the user’s session lasts, so that
authenticating to a service multiple times (e.g., connecting to a web
-or mail server more than once) doesn&#8217;t require contacting the KDC
+or mail server more than once) doesn’t require contacting the KDC
every time.</p>
<p>A credential cache usually contains one initial ticket which is
obtained using a password or another form of identity verification.
If this ticket is a ticket-granting ticket, it can be used to obtain
additional credentials without the password. Because the credential
cache does not store the password, less long-term damage can be done
-to the user&#8217;s account if the machine is compromised.</p>
+to the user’s account if the machine is compromised.</p>
<p>A credentials cache stores a default client principal name, set when
the cache is created. This is the name shown at the top of the
-<a class="reference internal" href="../user/user_commands/klist.html#klist-1"><em>klist</em></a> <em>-A</em> output.</p>
+<a class="reference internal" href="../user/user_commands/klist.html#klist-1"><span class="std std-ref">klist</span></a> <em>-A</em> output.</p>
<p>Each normal cache entry includes a service principal name, a client
principal name (which, in some ccache types, need not be the same as
the default), lifetime information, and flags, along with the
@@ -86,8 +84,8 @@ credential itself. There are also other entries, indicated by special
names, that store additional information.</p>
<div class="section" id="ccache-types">
<h2>ccache types<a class="headerlink" href="#ccache-types" title="Permalink to this headline">¶</a></h2>
-<p>The credential cache interface, like the <a class="reference internal" href="keytab_def.html#keytab-definition"><em>keytab</em></a> and
-<a class="reference internal" href="rcache_def.html#rcache-definition"><em>replay cache</em></a> interfaces, uses <cite>TYPE:value</cite> strings to
+<p>The credential cache interface, like the <a class="reference internal" href="keytab_def.html#keytab-definition"><span class="std std-ref">keytab</span></a> and
+<a class="reference internal" href="rcache_def.html#rcache-definition"><span class="std std-ref">replay cache</span></a> interfaces, uses <cite>TYPE:value</cite> strings to
indicate the type of credential cache and any associated cache naming
data to use.</p>
<p>There are several kinds of credentials cache supported in the MIT
@@ -105,16 +103,23 @@ with multiple Kerberos realms and KDCs. For release 1.10 the
directory must already exist. In post-1.10 releases the
requirement is for parent directory to exist and the current
process must have permissions to create the directory if it does
-not exist. See <a class="reference internal" href="#col-ccache"><em>Collections of caches</em></a> for details. New in release 1.10.</p>
+not exist. See <a class="reference internal" href="#col-ccache"><span class="std std-ref">Collections of caches</span></a> for details. New in release 1.10.
+The following residual forms are supported:</p>
+<ul class="simple">
+<li>DIR:dirname</li>
+<li>DIR::dirpath/filename - a single cache within the directory</li>
+</ul>
+<p>Switching to a ccache of the latter type causes it to become the
+primary for the directory.</p>
</li>
<li><p class="first"><strong>FILE</strong> caches are the simplest and most portable. A simple flat
file format is used to store one credential after another. This is
the default ccache type if no type is specified in a ccache name.</p>
</li>
-<li><p class="first"><strong>KCM</strong> caches work by contacting a daemon process called <tt class="docutils literal"><span class="pre">kcm</span></tt>
-to perform cache operations. If the cache name is just <tt class="docutils literal"><span class="pre">KCM:</span></tt>,
+<li><p class="first"><strong>KCM</strong> caches work by contacting a daemon process called <code class="docutils literal"><span class="pre">kcm</span></code>
+to perform cache operations. If the cache name is just <code class="docutils literal"><span class="pre">KCM:</span></code>,
the default cache as determined by the KCM daemon will be used.
-Newly created caches must generally be named <tt class="docutils literal"><span class="pre">KCM:uid:name</span></tt>,
+Newly created caches must generally be named <code class="docutils literal"><span class="pre">KCM:uid:name</span></code>,
where <em>uid</em> is the effective user ID of the running process.</p>
<p>KCM client support is new in release 1.13. A KCM daemon has not
yet been implemented in MIT krb5, but the client will interoperate
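Review bot: in the new residual-form list, `DIR::dirpath/filename` gets a description ("a single cache within the directory") while `DIR:dirname` gets none; a parallel phrase such as "the collection of caches in that directory" would make the contrast between the two forms (whole collection versus one member) explicit before the sentence stating that switching to the latter makes it the primary for the directory. Since this HTML is generated from the upstream RST, that wording belongs upstream rather than in this import; the `<tt>` to `<code>` swap in the KCM paragraph is generator output and needs no action.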
@@ -143,11 +148,11 @@ logs out, until the cache credentials expire. This type of
ccache requires support from the kernel; otherwise, it will fall
back to the user keyring.</li>
</ul>
-<p>See <a class="reference internal" href="#col-ccache"><em>Collections of caches</em></a> for details.</p>
+<p>See <a class="reference internal" href="#col-ccache"><span class="std std-ref">Collections of caches</span></a> for details.</p>
</li>
-<li><p class="first"><strong>MEMORY</strong> caches are for storage of credentials that don&#8217;t need to
+<li><p class="first"><strong>MEMORY</strong> caches are for storage of credentials that don’t need to
be made available outside of the current process. For example, a
-memory ccache is used by <a class="reference internal" href="../admin/admin_commands/kadmin_local.html#kadmin-1"><em>kadmin</em></a> to store the
+memory ccache is used by <a class="reference internal" href="../admin/admin_commands/kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> to store the
administrative ticket used to contact the admin server. Memory
ccaches are faster than file ccaches and are automatically
destroyed when the process exits.</p>
@@ -174,18 +179,18 @@ Collections are supported by the <strong>KCM</strong> ccache type in release 1.1
<div class="section" id="tool-alterations-to-use-cache-collection">
<h3>Tool alterations to use cache collection<a class="headerlink" href="#tool-alterations-to-use-cache-collection" title="Permalink to this headline">¶</a></h3>
<ul class="simple">
-<li><a class="reference internal" href="../user/user_commands/kdestroy.html#kdestroy-1"><em>kdestroy</em></a> <em>-A</em> will destroy all caches in the collection.</li>
-<li>If the default cache type supports switching, <a class="reference internal" href="../user/user_commands/kinit.html#kinit-1"><em>kinit</em></a>
+<li><a class="reference internal" href="../user/user_commands/kdestroy.html#kdestroy-1"><span class="std std-ref">kdestroy</span></a> <em>-A</em> will destroy all caches in the collection.</li>
+<li>If the default cache type supports switching, <a class="reference internal" href="../user/user_commands/kinit.html#kinit-1"><span class="std std-ref">kinit</span></a>
<em>princname</em> will search the collection for a matching cache and
store credentials there, or will store credentials in a new unique
cache of the default type if no existing cache for the principal
exists. Either way, kinit will switch to the selected cache.</li>
-<li><a class="reference internal" href="../user/user_commands/klist.html#klist-1"><em>klist</em></a> <em>-l</em> will list the caches in the collection.</li>
-<li><a class="reference internal" href="../user/user_commands/klist.html#klist-1"><em>klist</em></a> <em>-A</em> will show the content of all caches in the
+<li><a class="reference internal" href="../user/user_commands/klist.html#klist-1"><span class="std std-ref">klist</span></a> <em>-l</em> will list the caches in the collection.</li>
+<li><a class="reference internal" href="../user/user_commands/klist.html#klist-1"><span class="std std-ref">klist</span></a> <em>-A</em> will show the content of all caches in the
collection.</li>
-<li><a class="reference internal" href="../user/user_commands/kswitch.html#kswitch-1"><em>kswitch</em></a> <em>-p princname</em> will search the collection for a
+<li><a class="reference internal" href="../user/user_commands/kswitch.html#kswitch-1"><span class="std std-ref">kswitch</span></a> <em>-p princname</em> will search the collection for a
matching cache and switch to it.</li>
-<li><a class="reference internal" href="../user/user_commands/kswitch.html#kswitch-1"><em>kswitch</em></a> <em>-c cachename</em> will switch to a specified cache.</li>
+<li><a class="reference internal" href="../user/user_commands/kswitch.html#kswitch-1"><span class="std std-ref">kswitch</span></a> <em>-c cachename</em> will switch to a specified cache.</li>
</ul>
</div>
</div>
@@ -195,9 +200,9 @@ matching cache and switch to it.</li>
descending order of priority:</p>
<ol class="arabic simple">
<li>The <strong>KRB5CCNAME</strong> environment variable. For example,
-<tt class="docutils literal"><span class="pre">KRB5CCNAME=DIR:/mydir/</span></tt>.</li>
-<li>The <strong>default_ccache_name</strong> profile variable in <a class="reference internal" href="../admin/conf_files/krb5_conf.html#libdefaults"><em>[libdefaults]</em></a>.</li>
-<li>The hardcoded default, <a class="reference internal" href="../mitK5defaults.html#paths"><em>DEFCCNAME</em></a>.</li>
+<code class="docutils literal"><span class="pre">KRB5CCNAME=DIR:/mydir/</span></code>.</li>
+<li>The <strong>default_ccache_name</strong> profile variable in <a class="reference internal" href="../admin/conf_files/krb5_conf.html#libdefaults"><span class="std std-ref">[libdefaults]</span></a>.</li>
+<li>The hardcoded default, <a class="reference internal" href="../mitK5defaults.html#paths"><span class="std std-ref">DEFCCNAME</span></a>.</li>
</ol>
</div>
</div>
@@ -230,9 +235,7 @@ descending order of priority:</p>
<li class="toctree-l1"><a class="reference internal" href="../plugindev/index.html">For plugin module developers</a></li>
<li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li>
<li class="toctree-l1 current"><a class="reference internal" href="index.html">Kerberos V5 concepts</a><ul class="current">
-<li class="toctree-l2 current"><a class="current reference internal" href="">Credential cache</a><ul class="simple">
-</ul>
-</li>
+<li class="toctree-l2 current"><a class="current reference internal" href="#">Credential cache</a></li>
<li class="toctree-l2"><a class="reference internal" href="keytab_def.html">keytab</a></li>
<li class="toctree-l2"><a class="reference internal" href="rcache_def.html">replay cache</a></li>
<li class="toctree-l2"><a class="reference internal" href="stash_file_def.html">stash file</a></li>
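Review bot: the `href=""` to `href="#"` change on the current-page toctree entry is an improvement, not just churn: an empty href resolves to the document's own URL and reloads the page, whereas `#` is a no-op fragment; the empty `<ul class="simple"></ul>` removed with it was dead markup. The same change recurs in the toctree hunks of the other files in this commit.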
@@ -262,8 +265,8 @@ descending order of priority:</p>
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.16</i><br />
- &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
+ <div class="right" ><i>Release: 1.21.1</i><br />
+ &copy; <a href="../copyright.html">Copyright</a> 1985-2023, MIT.
</div>
<div class="left">
diff --git a/doc/html/basic/date_format.html b/doc/html/basic/date_format.html
index fb36f7d1a9cd..ebd4413b5780 100644
--- a/doc/html/basic/date_format.html
+++ b/doc/html/basic/date_format.html
@@ -1,33 +1,31 @@
+
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
-
- <title>Supported date and time formats &mdash; MIT Kerberos Documentation</title>
-
+ <title>Supported date and time formats &#8212; MIT Kerberos Documentation</title>
<link rel="stylesheet" href="../_static/agogo.css" type="text/css" />
<link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
<link rel="stylesheet" href="../_static/kerb.css" type="text/css" />
-
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: '../',
- VERSION: '1.16',
+ VERSION: '1.21.1',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
- HAS_SOURCE: true
+ HAS_SOURCE: true,
+ SOURCELINK_SUFFIX: '.txt'
};
</script>
<script type="text/javascript" src="../_static/jquery.js"></script>
<script type="text/javascript" src="../_static/underscore.js"></script>
<script type="text/javascript" src="../_static/doctools.js"></script>
<link rel="author" title="About these documents" href="../about.html" />
+ <link rel="index" title="Index" href="../genindex.html" />
+ <link rel="search" title="Search" href="../search.html" />
<link rel="copyright" title="Copyright" href="../copyright.html" />
- <link rel="top" title="MIT Kerberos Documentation" href="../index.html" />
- <link rel="up" title="Kerberos V5 concepts" href="index.html" />
<link rel="next" title="Protocols and file formats" href="../formats/index.html" />
<link rel="prev" title="stash file" href="stash_file_def.html" />
</head>
@@ -61,7 +59,7 @@
<div class="documentwrapper">
<div class="bodywrapper">
- <div class="body">
+ <div class="body" role="main">
<div class="section" id="supported-date-and-time-formats">
<span id="datetime"></span><h1>Supported date and time formats<a class="headerlink" href="#supported-date-and-time-formats" title="Permalink to this headline">¶</a></h1>
@@ -103,13 +101,13 @@ configuration files and user commands. The allowed formats are:</p>
<p class="last">The time interval should not exceed 2147483647 seconds.</p>
</div>
<p>Examples:</p>
-<div class="highlight-python"><div class="highlight"><pre>Request a ticket valid for one hour, five hours, 30 minutes
-and 10 days respectively:
+<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">Request</span> <span class="n">a</span> <span class="n">ticket</span> <span class="n">valid</span> <span class="k">for</span> <span class="n">one</span> <span class="n">hour</span><span class="p">,</span> <span class="n">five</span> <span class="n">hours</span><span class="p">,</span> <span class="mi">30</span> <span class="n">minutes</span>
+<span class="ow">and</span> <span class="mi">10</span> <span class="n">days</span> <span class="n">respectively</span><span class="p">:</span>
- kinit -l 3600
- kinit -l 5:00
- kinit -l 30m
- kinit -l &quot;10d 0h 0m 0s&quot;
+ <span class="n">kinit</span> <span class="o">-</span><span class="n">l</span> <span class="mi">3600</span>
+ <span class="n">kinit</span> <span class="o">-</span><span class="n">l</span> <span class="mi">5</span><span class="p">:</span><span class="mi">00</span>
+ <span class="n">kinit</span> <span class="o">-</span><span class="n">l</span> <span class="mi">30</span><span class="n">m</span>
+ <span class="n">kinit</span> <span class="o">-</span><span class="n">l</span> <span class="s2">&quot;10d 0h 0m 0s&quot;</span>
</pre></div>
</div>
</div>
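Review bot: this example block is English prose plus kinit command lines, yet the regenerated version lexes it as code: `for` and `and` carry keyword classes (`class="k"`, `class="ow"`) and `-l` is split into an operator and a name. The effect is cosmetic and the commands are unchanged (`3600`, `5:00`, `30m`, `"10d 0h 0m 0s"` match the removed lines exactly), but the upstream RST would render more honestly with a plain-text highlight language; the same applies to the addprinc and default_principal_expiration example blocks later in this file.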
@@ -126,7 +124,7 @@ strings are:</p>
<col width="37%" />
</colgroup>
<thead valign="bottom">
-<tr class="row-odd"><th class="head">&nbsp;</th>
+<tr class="row-odd"><th class="head">&#160;</th>
<th class="head">Format</th>
<th class="head">Example</th>
</tr>
@@ -165,14 +163,14 @@ time</td>
</tbody>
</table>
</div></blockquote>
-<p>(See <a class="reference internal" href="#abbreviation"><em>Abbreviations used in this document</em></a>.)</p>
+<p>(See <a class="reference internal" href="#abbreviation"><span class="std std-ref">Abbreviations used in this document</span></a>.)</p>
<p>Examples:</p>
-<div class="highlight-python"><div class="highlight"><pre>Create a principal that expires on the date indicated:
- addprinc test1 -expire &quot;3/27/12 10:00:07 EST&quot;
- addprinc test2 -expire &quot;January 23, 2015 10:05pm&quot;
- addprinc test3 -expire &quot;22:00 GMT&quot;
-Add a principal that will expire in 30 minutes:
- addprinc test4 -expire &quot;30 minutes&quot;
+<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">Create</span> <span class="n">a</span> <span class="n">principal</span> <span class="n">that</span> <span class="n">expires</span> <span class="n">on</span> <span class="n">the</span> <span class="n">date</span> <span class="n">indicated</span><span class="p">:</span>
+ <span class="n">addprinc</span> <span class="n">test1</span> <span class="o">-</span><span class="n">expire</span> <span class="s2">&quot;3/27/12 10:00:07 EST&quot;</span>
+ <span class="n">addprinc</span> <span class="n">test2</span> <span class="o">-</span><span class="n">expire</span> <span class="s2">&quot;January 23, 2015 10:05pm&quot;</span>
+ <span class="n">addprinc</span> <span class="n">test3</span> <span class="o">-</span><span class="n">expire</span> <span class="s2">&quot;22:00 GMT&quot;</span>
+<span class="n">Add</span> <span class="n">a</span> <span class="n">principal</span> <span class="n">that</span> <span class="n">will</span> <span class="n">expire</span> <span class="ow">in</span> <span class="mi">30</span> <span class="n">minutes</span><span class="p">:</span>
+ <span class="n">addprinc</span> <span class="n">test4</span> <span class="o">-</span><span class="n">expire</span> <span class="s2">&quot;30 minutes&quot;</span>
</pre></div>
</div>
</div>
@@ -213,7 +211,7 @@ before 2015</td>
</tr>
<tr class="row-odd"><td>hh:mm:ss</td>
<td>20:00:00</td>
-<td rowspan="2">8 o&#8217;clock in
+<td rowspan="2">8 o’clock in
the evening</td>
</tr>
<tr class="row-even"><td>hhmmss</td>
@@ -222,10 +220,10 @@ the evening</td>
</tbody>
</table>
</div></blockquote>
-<p>(See <a class="reference internal" href="#abbreviation"><em>Abbreviations used in this document</em></a>.)</p>
+<p>(See <a class="reference internal" href="#abbreviation"><span class="std std-ref">Abbreviations used in this document</span></a>.)</p>
<p>Example:</p>
-<div class="highlight-python"><div class="highlight"><pre>Set the default expiration date to July 27, 2012 at 20:30
-default_principal_expiration = 20120727203000
+<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">Set</span> <span class="n">the</span> <span class="n">default</span> <span class="n">expiration</span> <span class="n">date</span> <span class="n">to</span> <span class="n">July</span> <span class="mi">27</span><span class="p">,</span> <span class="mi">2012</span> <span class="n">at</span> <span class="mi">20</span><span class="p">:</span><span class="mi">30</span>
+<span class="n">default_principal_expiration</span> <span class="o">=</span> <span class="mi">20120727203000</span>
</pre></div>
</div>
<div class="section" id="abbreviations-used-in-this-document">
@@ -289,9 +287,7 @@ enclose it in double quotes;</li>
<li class="toctree-l2"><a class="reference internal" href="keytab_def.html">keytab</a></li>
<li class="toctree-l2"><a class="reference internal" href="rcache_def.html">replay cache</a></li>
<li class="toctree-l2"><a class="reference internal" href="stash_file_def.html">stash file</a></li>
-<li class="toctree-l2 current"><a class="current reference internal" href="">Supported date and time formats</a><ul class="simple">
-</ul>
-</li>
+<li class="toctree-l2 current"><a class="current reference internal" href="#">Supported date and time formats</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="../formats/index.html">Protocols and file formats</a></li>
@@ -317,8 +313,8 @@ enclose it in double quotes;</li>
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.16</i><br />
- &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
+ <div class="right" ><i>Release: 1.21.1</i><br />
+ &copy; <a href="../copyright.html">Copyright</a> 1985-2023, MIT.
</div>
<div class="left">
diff --git a/doc/html/basic/index.html b/doc/html/basic/index.html
index 195eec908e5d..9c860c4ebbbe 100644
--- a/doc/html/basic/index.html
+++ b/doc/html/basic/index.html
@@ -1,32 +1,31 @@
+
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
-
- <title>Kerberos V5 concepts &mdash; MIT Kerberos Documentation</title>
-
+ <title>Kerberos V5 concepts &#8212; MIT Kerberos Documentation</title>
<link rel="stylesheet" href="../_static/agogo.css" type="text/css" />
<link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
<link rel="stylesheet" href="../_static/kerb.css" type="text/css" />
-
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: '../',
- VERSION: '1.16',
+ VERSION: '1.21.1',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
- HAS_SOURCE: true
+ HAS_SOURCE: true,
+ SOURCELINK_SUFFIX: '.txt'
};
</script>
<script type="text/javascript" src="../_static/jquery.js"></script>
<script type="text/javascript" src="../_static/underscore.js"></script>
<script type="text/javascript" src="../_static/doctools.js"></script>
<link rel="author" title="About these documents" href="../about.html" />
+ <link rel="index" title="Index" href="../genindex.html" />
+ <link rel="search" title="Search" href="../search.html" />
<link rel="copyright" title="Copyright" href="../copyright.html" />
- <link rel="top" title="MIT Kerberos Documentation" href="../index.html" />
<link rel="next" title="Credential cache" href="ccache_def.html" />
<link rel="prev" title="osconf.hin" href="../build/osconf.html" />
</head>
@@ -60,7 +59,7 @@
<div class="documentwrapper">
<div class="bodywrapper">
- <div class="body">
+ <div class="body" role="main">
<div class="section" id="kerberos-v5-concepts">
<span id="basic-concepts"></span><h1>Kerberos V5 concepts<a class="headerlink" href="#kerberos-v5-concepts" title="Permalink to this headline">¶</a></h1>
@@ -94,7 +93,7 @@
<li class="toctree-l1"><a class="reference internal" href="../appdev/index.html">For application developers</a></li>
<li class="toctree-l1"><a class="reference internal" href="../plugindev/index.html">For plugin module developers</a></li>
<li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li>
-<li class="toctree-l1 current"><a class="current reference internal" href="">Kerberos V5 concepts</a><ul>
+<li class="toctree-l1 current"><a class="current reference internal" href="#">Kerberos V5 concepts</a><ul>
<li class="toctree-l2"><a class="reference internal" href="ccache_def.html">Credential cache</a></li>
<li class="toctree-l2"><a class="reference internal" href="keytab_def.html">keytab</a></li>
<li class="toctree-l2"><a class="reference internal" href="rcache_def.html">replay cache</a></li>
@@ -125,8 +124,8 @@
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.16</i><br />
- &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
+ <div class="right" ><i>Release: 1.21.1</i><br />
+ &copy; <a href="../copyright.html">Copyright</a> 1985-2023, MIT.
</div>
<div class="left">
diff --git a/doc/html/basic/keytab_def.html b/doc/html/basic/keytab_def.html
index b0d72332a0bd..9f7527fcac2e 100644
--- a/doc/html/basic/keytab_def.html
+++ b/doc/html/basic/keytab_def.html
@@ -1,33 +1,31 @@
+
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
-
- <title>keytab &mdash; MIT Kerberos Documentation</title>
-
+ <title>keytab &#8212; MIT Kerberos Documentation</title>
<link rel="stylesheet" href="../_static/agogo.css" type="text/css" />
<link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
<link rel="stylesheet" href="../_static/kerb.css" type="text/css" />
-
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: '../',
- VERSION: '1.16',
+ VERSION: '1.21.1',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
- HAS_SOURCE: true
+ HAS_SOURCE: true,
+ SOURCELINK_SUFFIX: '.txt'
};
</script>
<script type="text/javascript" src="../_static/jquery.js"></script>
<script type="text/javascript" src="../_static/underscore.js"></script>
<script type="text/javascript" src="../_static/doctools.js"></script>
<link rel="author" title="About these documents" href="../about.html" />
+ <link rel="index" title="Index" href="../genindex.html" />
+ <link rel="search" title="Search" href="../search.html" />
<link rel="copyright" title="Copyright" href="../copyright.html" />
- <link rel="top" title="MIT Kerberos Documentation" href="../index.html" />
- <link rel="up" title="Kerberos V5 concepts" href="index.html" />
<link rel="next" title="replay cache" href="rcache_def.html" />
<link rel="prev" title="Credential cache" href="ccache_def.html" />
</head>
@@ -61,31 +59,29 @@
<div class="documentwrapper">
<div class="bodywrapper">
- <div class="body">
+ <div class="body" role="main">
<div class="section" id="keytab">
<span id="keytab-definition"></span><h1>keytab<a class="headerlink" href="#keytab" title="Permalink to this headline">¶</a></h1>
-<p>A keytab (short for &#8220;key table&#8221;) stores long-term keys for one or more
+<p>A keytab (short for “key table”) stores long-term keys for one or more
principals. Keytabs are normally represented by files in a standard
format, although in rare cases they can be represented in other ways.
Keytabs are used most often to allow server applications to accept
authentications from clients, but can also be used to obtain initial
credentials for client applications.</p>
-<p>Keytabs are named using the format <em>type</em><tt class="docutils literal"><span class="pre">:</span></tt><em>value</em>. Usually
-<em>type</em> is <tt class="docutils literal"><span class="pre">FILE</span></tt> and <em>value</em> is the absolute pathname of the file.
-Other possible values for <em>type</em> are <tt class="docutils literal"><span class="pre">SRVTAB</span></tt>, which indicates a
-file in the deprecated Kerberos 4 srvtab format, and <tt class="docutils literal"><span class="pre">MEMORY</span></tt>, which
-indicates a temporary keytab stored in the memory of the current
-process.</p>
+<p>Keytabs are named using the format <em>type</em><code class="docutils literal"><span class="pre">:</span></code><em>value</em>. Usually
+<em>type</em> is <code class="docutils literal"><span class="pre">FILE</span></code> and <em>value</em> is the absolute pathname of the file.
+The other possible value for <em>type</em> is <code class="docutils literal"><span class="pre">MEMORY</span></code>, which indicates a
+temporary keytab stored in the memory of the current process.</p>
<p>A keytab contains one or more entries, where each entry consists of a
timestamp (indicating when the entry was written to the keytab), a
principal name, a key version number, an encryption type, and the
encryption key itself.</p>
-<p>A keytab can be displayed using the <a class="reference internal" href="../user/user_commands/klist.html#klist-1"><em>klist</em></a> command with the
-<tt class="docutils literal"><span class="pre">-k</span></tt> option. Keytabs can be created or appended to by extracting
-keys from the KDC database using the <a class="reference internal" href="../admin/admin_commands/kadmin_local.html#kadmin-1"><em>kadmin</em></a> <a class="reference internal" href="../admin/admin_commands/kadmin_local.html#ktadd"><em>ktadd</em></a>
-command. Keytabs can be manipulated using the <a class="reference internal" href="../admin/admin_commands/ktutil.html#ktutil-1"><em>ktutil</em></a> and
-<a class="reference internal" href="../admin/admin_commands/k5srvutil.html#k5srvutil-1"><em>k5srvutil</em></a> commands.</p>
+<p>A keytab can be displayed using the <a class="reference internal" href="../user/user_commands/klist.html#klist-1"><span class="std std-ref">klist</span></a> command with the
+<code class="docutils literal"><span class="pre">-k</span></code> option. Keytabs can be created or appended to by extracting
+keys from the KDC database using the <a class="reference internal" href="../admin/admin_commands/kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> <a class="reference internal" href="../admin/admin_commands/kadmin_local.html#ktadd"><span class="std std-ref">ktadd</span></a>
+command. Keytabs can be manipulated using the <a class="reference internal" href="../admin/admin_commands/ktutil.html#ktutil-1"><span class="std std-ref">ktutil</span></a> and
+<a class="reference internal" href="../admin/admin_commands/k5srvutil.html#k5srvutil-1"><span class="std std-ref">k5srvutil</span></a> commands.</p>
<div class="section" id="default-keytab">
<h2>Default keytab<a class="headerlink" href="#default-keytab" title="Permalink to this headline">¶</a></h2>
<p>The default keytab is used by server applications if the application
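Review bot: the rewritten paragraph drops `SRVTAB` (the deprecated Kerberos 4 srvtab format) from the list of keytab types, leaving `FILE` and `MEMORY` only; that is a behavioural statement rather than a restyle, so confirm that the library code in the same import no longer accepts `SRVTAB:` names and call it out for anyone whose krb5.conf or `KRB5_KTNAME` still names a srvtab file. The rest of the hunk (`<tt>` to `<code>`, `<em>` to `<span class="std std-ref">` on cross-references, `role="main"`) is generator output.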
@@ -93,8 +89,8 @@ does not request a specific keytab. The name of the default keytab is
determined by the following, in decreasing order of preference:</p>
<ol class="arabic simple">
<li>The <strong>KRB5_KTNAME</strong> environment variable.</li>
-<li>The <strong>default_keytab_name</strong> profile variable in <a class="reference internal" href="../admin/conf_files/krb5_conf.html#libdefaults"><em>[libdefaults]</em></a>.</li>
-<li>The hardcoded default, <a class="reference internal" href="../mitK5defaults.html#paths"><em>DEFKTNAME</em></a>.</li>
+<li>The <strong>default_keytab_name</strong> profile variable in <a class="reference internal" href="../admin/conf_files/krb5_conf.html#libdefaults"><span class="std std-ref">[libdefaults]</span></a>.</li>
+<li>The hardcoded default, <a class="reference internal" href="../mitK5defaults.html#paths"><span class="std std-ref">DEFKTNAME</span></a>.</li>
</ol>
</div>
<div class="section" id="default-client-keytab">
@@ -108,8 +104,8 @@ decreasing order of preference:</p>
<ol class="arabic simple">
<li>The <strong>KRB5_CLIENT_KTNAME</strong> environment variable.</li>
<li>The <strong>default_client_keytab_name</strong> profile variable in
-<a class="reference internal" href="../admin/conf_files/krb5_conf.html#libdefaults"><em>[libdefaults]</em></a>.</li>
-<li>The hardcoded default, <a class="reference internal" href="../mitK5defaults.html#paths"><em>DEFCKTNAME</em></a>.</li>
+<a class="reference internal" href="../admin/conf_files/krb5_conf.html#libdefaults"><span class="std std-ref">[libdefaults]</span></a>.</li>
+<li>The hardcoded default, <a class="reference internal" href="../mitK5defaults.html#paths"><span class="std std-ref">DEFCKTNAME</span></a>.</li>
</ol>
</div>
</div>
@@ -139,9 +135,7 @@ decreasing order of preference:</p>
<li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li>
<li class="toctree-l1 current"><a class="reference internal" href="index.html">Kerberos V5 concepts</a><ul class="current">
<li class="toctree-l2"><a class="reference internal" href="ccache_def.html">Credential cache</a></li>
-<li class="toctree-l2 current"><a class="current reference internal" href="">keytab</a><ul class="simple">
-</ul>
-</li>
+<li class="toctree-l2 current"><a class="current reference internal" href="#">keytab</a></li>
<li class="toctree-l2"><a class="reference internal" href="rcache_def.html">replay cache</a></li>
<li class="toctree-l2"><a class="reference internal" href="stash_file_def.html">stash file</a></li>
<li class="toctree-l2"><a class="reference internal" href="date_format.html">Supported date and time formats</a></li>
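Review bot: `href=""` to `href="#"` on the current-page toctree entry is a genuine fix rather than churn: an empty href resolves to the document's own URL and reloads the page on click, while `#` is a no-op. Dropping the empty `<ul class="simple">` that followed it also removes a stray empty list from the sidebar. The same change recurs in the toctree hunks of the other two files below.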
@@ -170,8 +164,8 @@ decreasing order of preference:</p>
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.16</i><br />
- &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
+ <div class="right" ><i>Release: 1.21.1</i><br />
+ &copy; <a href="../copyright.html">Copyright</a> 1985-2023, MIT.
</div>
<div class="left">
diff --git a/doc/html/basic/rcache_def.html b/doc/html/basic/rcache_def.html
index 379fc49c8818..63a1480913f5 100644
--- a/doc/html/basic/rcache_def.html
+++ b/doc/html/basic/rcache_def.html
@@ -1,33 +1,31 @@
+
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
-
- <title>replay cache &mdash; MIT Kerberos Documentation</title>
-
+ <title>replay cache &#8212; MIT Kerberos Documentation</title>
<link rel="stylesheet" href="../_static/agogo.css" type="text/css" />
<link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
<link rel="stylesheet" href="../_static/kerb.css" type="text/css" />
-
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: '../',
- VERSION: '1.16',
+ VERSION: '1.21.1',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
- HAS_SOURCE: true
+ HAS_SOURCE: true,
+ SOURCELINK_SUFFIX: '.txt'
};
</script>
<script type="text/javascript" src="../_static/jquery.js"></script>
<script type="text/javascript" src="../_static/underscore.js"></script>
<script type="text/javascript" src="../_static/doctools.js"></script>
<link rel="author" title="About these documents" href="../about.html" />
+ <link rel="index" title="Index" href="../genindex.html" />
+ <link rel="search" title="Search" href="../search.html" />
<link rel="copyright" title="Copyright" href="../copyright.html" />
- <link rel="top" title="MIT Kerberos Documentation" href="../index.html" />
- <link rel="up" title="Kerberos V5 concepts" href="index.html" />
<link rel="next" title="stash file" href="stash_file_def.html" />
<link rel="prev" title="keytab" href="keytab_def.html" />
</head>
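Review bot: the `+` blank line now preceding `<!DOCTYPE html PUBLIC ...>` is a template artifact of the newer Sphinx; HTML parsers ignore whitespace before the doctype, so it is harmless, and it should not be hand-corrected because the file is generated. The head changes with any effect are `SOURCELINK_SUFFIX: '.txt'` next to `HAS_SOURCE: true`, which sets the suffix Sphinx uses for links to the page's source under `_sources`, so confirm the installed doc tree actually ships `_sources` or those links dangle; and the removed `<link rel="top">`/`<link rel="up">` lines, which only affect clients that expose link-relation navigation. The head hunk of `stash_file_def.html` further down has the identical set of changes.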
@@ -61,16 +59,16 @@
<div class="documentwrapper">
<div class="bodywrapper">
- <div class="body">
+ <div class="body" role="main">
<div class="section" id="replay-cache">
<span id="rcache-definition"></span><h1>replay cache<a class="headerlink" href="#replay-cache" title="Permalink to this headline">¶</a></h1>
-<p>A replay cache (or &#8220;rcache&#8221;) keeps track of all authenticators
+<p>A replay cache (or “rcache”) keeps track of all authenticators
recently presented to a service. If a duplicate authentication
request is detected in the replay cache, an error message is sent to
the application program.</p>
<p>The replay cache interface, like the credential cache and
-<a class="reference internal" href="keytab_def.html#keytab-definition"><em>keytab</em></a> interfaces, uses <cite>type:value</cite> strings to
+<a class="reference internal" href="keytab_def.html#keytab-definition"><span class="std std-ref">keytab</span></a> interfaces, uses <cite>type:residual</cite> strings to
indicate the type of replay cache and any associated cache naming
data to use.</p>
<div class="section" id="background-information">
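Review bot: `type:value` to `type:residual` in the `<cite>` line is the right terminology change, since the type list added later on this page consistently speaks of the "residual value". One thing to be aware of in this and the following hunks: the `&#8220;`/`&#8221;` entities are replaced by literal U+201C/U+201D characters, which relies on the `charset=utf-8` meta and on the file being stored and served as UTF-8; any tooling that transcodes or byte-greps these pages needs to cope with that.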
@@ -80,28 +78,28 @@ where a message is sent containing an authenticator, which establishes
the encryption key that the client will use for talking to the
service. But nothing about that prevents an eavesdropper from
recording the messages sent by the client, establishing a new
-connection, and re-sending or &#8220;replaying&#8221; the same messages; the
+connection, and re-sending or “replaying” the same messages; the
replayed authenticator will establish the same encryption key for the
new session, and the following messages will be decrypted and
-processed. The attacker may not know what the messages say, and can&#8217;t
+processed. The attacker may not know what the messages say, and can’t
generate new messages under the same encryption key, but in some
instances it may be harmful to the user (or helpful to the attacker)
to cause the server to see the same messages again a second time. For
-example, if the legitimate client sends &#8220;delete first message in
-mailbox&#8221;, a replay from an attacker may delete another, different
-&#8220;first&#8221; message. (Protocol design to guard against such problems has
-been discussed in <span class="target" id="index-0"></span><a class="rfc reference external" href="http://tools.ietf.org/html/rfc4120.html#section-10"><strong>RFC 4120</strong></a>.)</p>
+example, if the legitimate client sends “delete first message in
+mailbox”, a replay from an attacker may delete another, different
+“first” message. (Protocol design to guard against such problems has
+been discussed in <span class="target" id="index-0"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc4120.html#section-10"><strong>RFC 4120#section-10</strong></a>.)</p>
<p>Even if one protocol uses further protection to verify that the client
side of the connection actually knows the encryption keys (and thus is
presumably a legitimate user), if another service uses the same
service principal name, it may be possible to record an authenticator
-used with the first protocol and &#8220;replay&#8221; it against the second.</p>
+used with the first protocol and “replay” it against the second.</p>
<p>The replay cache mitigates these attacks somewhat, by keeping track of
authenticators that have been seen until their five-minute window
expires. Different authenticators generated by multiple connections
from the same legitimate client will generally have different
timestamps, and thus will not be considered the same.</p>
-<p>This mechanism isn&#8217;t perfect. If a message is sent to one application
+<p>This mechanism isn’t perfect. If a message is sent to one application
server but a man-in-the-middle attacker can prevent it from actually
arriving at that server, the attacker could then use the authenticator
(once!) against a different service on the same host. This could be a
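Review bot: the anchor text in `<strong>RFC 4120#section-10</strong>` is a rendering artifact of the newer Sphinx `:rfc:` role (the previous output read plain `RFC 4120`); the fix belongs in the reStructuredText source, for example by writing "RFC 4120, section 10" with an explicit link target, because editing this generated HTML would be overwritten on the next import. The `http://` to `https://` change for tools.ietf.org is correct and should stay.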
@@ -113,39 +111,50 @@ additional messages), or if the simple act of presenting the
authenticator triggers some interesting action in the service being
attacked.</p>
</div>
-<div class="section" id="default-rcache-type">
-<h2>Default rcache type<a class="headerlink" href="#default-rcache-type" title="Permalink to this headline">¶</a></h2>
-<p>There is currently only one implemented kind of replay cache, called
-<strong>dfl</strong>. It stores replay data in one file, occasionally rewriting it
-to purge old, expired entries.</p>
-<p>The default type can be overridden by the <strong>KRB5RCACHETYPE</strong>
-environment variable.</p>
-<p>The placement of the replay cache file is determined by the following:</p>
+<div class="section" id="replay-cache-types">
+<h2>Replay cache types<a class="headerlink" href="#replay-cache-types" title="Permalink to this headline">¶</a></h2>
+<p>Unlike the credential cache and keytab interfaces, replay cache types
+are in lowercase. The following types are defined:</p>
<ol class="arabic simple">
-<li>The <strong>KRB5RCACHEDIR</strong> environment variable;</li>
-<li>If KRB5RCACHEDIR is unspecified, on UNIX, the library
-will fall back to the environment variable <strong>TMPDIR</strong>, and then to
-a temporary directory determined at configuration time such as
-<em>/tmp</em> or <em>/var/tmp</em>; on Windows, it will check the environment
-variables <em>TEMP</em> and <em>TMP</em>, and fall back to the directory C:\.</li>
+<li><strong>none</strong> disables the replay cache. The residual value is ignored.</li>
+<li><strong>file2</strong> (new in release 1.18) uses a hash-based format to store
+replay records. The file may grow to accommodate hash collisions.
+The residual value is the filename.</li>
+<li><strong>dfl</strong> is the default type if no environment variable or
+configuration specifies a different type. It stores replay data in
+a file2 replay cache with a filename based on the effective uid.
+The residual value is ignored.</li>
</ol>
+<p>For the dfl type, the location of the replay cache file is determined
+as follows:</p>
+<ol class="arabic simple">
+<li>The directory is taken from the <strong>KRB5RCACHEDIR</strong> environment
+variable, or the <strong>TMPDIR</strong> environment variable, or a temporary
+directory determined at configuration time such as <code class="docutils literal"><span class="pre">/var/tmp</span></code>, in
+descending order of preference.</li>
+<li>The filename is <code class="docutils literal"><span class="pre">krb5_EUID.rcache2</span></code> where EUID is the effective
+uid of the process.</li>
+<li>The file is opened without following symbolic links, and ownership
+of the file is verified to match the effective uid.</li>
+</ol>
+<p>On Windows, the directory for the dfl type is the local appdata
+directory, unless overridden by the <strong>KRB5RCACHEDIR</strong> environment
+variable. The filename on Windows is <code class="docutils literal"><span class="pre">krb5.rcache2</span></code>, and the file
+is opened normally.</p>
</div>
-<div class="section" id="performance-issues">
-<h2>Performance issues<a class="headerlink" href="#performance-issues" title="Permalink to this headline">¶</a></h2>
-<p>Several known minor performance issues that may occur when replay
-cache is enabled on the Kerberos system include: delays due to writing
-the authenticator data to disk slowing down response time for very
-heavily loaded servers, and delays during the rewrite that may be
-unacceptable to high-performance services.</p>
-<p>For use cases where replays are adequately defended against for all
-protocols using a given service principal name, or where performance
-or other considerations outweigh the risk of replays, the special
-replay cache type &#8220;none&#8221; can be specified:</p>
-<div class="highlight-python"><div class="highlight"><pre><span class="n">KRB5RCACHETYPE</span><span class="o">=</span><span class="n">none</span>
-</pre></div>
-</div>
-<p>It doesn&#8217;t record any information about authenticators, and reports
-that any authenticator seen is not a replay.</p>
+<div class="section" id="default-replay-cache-name">
+<h2>Default replay cache name<a class="headerlink" href="#default-replay-cache-name" title="Permalink to this headline">¶</a></h2>
+<p>The default replay cache name is determined by the following, in
+descending order of priority:</p>
+<ol class="arabic simple">
+<li>The <strong>KRB5RCACHENAME</strong> environment variable (new in release 1.18).</li>
+<li>The <strong>KRB5RCACHETYPE</strong> environment variable. If this variable is
+set, the residual value is empty.</li>
+<li>The <strong>default_rcache_name</strong> profile variable in <a class="reference internal" href="../admin/conf_files/krb5_conf.html#libdefaults"><span class="std std-ref">[libdefaults]</span></a>
+(new in release 1.18).</li>
+<li>If none of the above are set, the default replay cache name is
+<code class="docutils literal"><span class="pre">dfl:</span></code>.</li>
+</ol>
</div>
</div>
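Review bot: the new **none** bullet (`<strong>none</strong> disables the replay cache. The residual value is ignored.`) drops the caveat that the deleted "Performance issues" section carried, namely that a `none` rcache "doesn't record any information about authenticators, and reports that any authenticator seen is not a replay" and is only appropriate "where replays are adequately defended against for all protocols using a given service principal name"; with that section gone, nothing on the page tells an operator that `KRB5RCACHETYPE=none` re-opens the replay and cross-service reuse scenarios described under Background information, so a one-sentence warning should go back on that bullet (upstream, in the rst). Two smaller points in the same hunk: the "Default replay cache name" list says that when **KRB5RCACHETYPE** is set "the residual value is empty", while the types list says the residual for **file2** is the filename, so the text should state what `KRB5RCACHETYPE=file2` with no name does (error, or some fallback). And the dfl description now documents an open "without following symbolic links" plus an effective-uid ownership check on UNIX, which is a real hardening over the old text that only listed `/tmp` and `/var/tmp` fallbacks; the Windows paragraph, by contrast, says the file "is opened normally" without saying why that is acceptable there, and deserves the same justification (presumably that the local appdata directory is per-user, which the page does not state).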
@@ -159,8 +168,8 @@ that any authenticator seen is not a replay.</p>
<ul>
<li><a class="reference internal" href="#">replay cache</a><ul>
<li><a class="reference internal" href="#background-information">Background information</a></li>
-<li><a class="reference internal" href="#default-rcache-type">Default rcache type</a></li>
-<li><a class="reference internal" href="#performance-issues">Performance issues</a></li>
+<li><a class="reference internal" href="#replay-cache-types">Replay cache types</a></li>
+<li><a class="reference internal" href="#default-replay-cache-name">Default replay cache name</a></li>
</ul>
</li>
</ul>
@@ -176,9 +185,7 @@ that any authenticator seen is not a replay.</p>
<li class="toctree-l1 current"><a class="reference internal" href="index.html">Kerberos V5 concepts</a><ul class="current">
<li class="toctree-l2"><a class="reference internal" href="ccache_def.html">Credential cache</a></li>
<li class="toctree-l2"><a class="reference internal" href="keytab_def.html">keytab</a></li>
-<li class="toctree-l2 current"><a class="current reference internal" href="">replay cache</a><ul class="simple">
-</ul>
-</li>
+<li class="toctree-l2 current"><a class="current reference internal" href="#">replay cache</a></li>
<li class="toctree-l2"><a class="reference internal" href="stash_file_def.html">stash file</a></li>
<li class="toctree-l2"><a class="reference internal" href="date_format.html">Supported date and time formats</a></li>
</ul>
@@ -206,8 +213,8 @@ that any authenticator seen is not a replay.</p>
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.16</i><br />
- &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
+ <div class="right" ><i>Release: 1.21.1</i><br />
+ &copy; <a href="../copyright.html">Copyright</a> 1985-2023, MIT.
</div>
<div class="left">
diff --git a/doc/html/basic/stash_file_def.html b/doc/html/basic/stash_file_def.html
index f227b7d25263..37f0b500a44f 100644
--- a/doc/html/basic/stash_file_def.html
+++ b/doc/html/basic/stash_file_def.html
@@ -1,33 +1,31 @@
+
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
-
- <title>stash file &mdash; MIT Kerberos Documentation</title>
-
+ <title>stash file &#8212; MIT Kerberos Documentation</title>
<link rel="stylesheet" href="../_static/agogo.css" type="text/css" />
<link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
<link rel="stylesheet" href="../_static/kerb.css" type="text/css" />
-
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: '../',
- VERSION: '1.16',
+ VERSION: '1.21.1',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
- HAS_SOURCE: true
+ HAS_SOURCE: true,
+ SOURCELINK_SUFFIX: '.txt'
};
</script>
<script type="text/javascript" src="../_static/jquery.js"></script>
<script type="text/javascript" src="../_static/underscore.js"></script>
<script type="text/javascript" src="../_static/doctools.js"></script>
<link rel="author" title="About these documents" href="../about.html" />
+ <link rel="index" title="Index" href="../genindex.html" />
+ <link rel="search" title="Search" href="../search.html" />
<link rel="copyright" title="Copyright" href="../copyright.html" />
- <link rel="top" title="MIT Kerberos Documentation" href="../index.html" />
- <link rel="up" title="Kerberos V5 concepts" href="index.html" />
<link rel="next" title="Supported date and time formats" href="date_format.html" />
<link rel="prev" title="replay cache" href="rcache_def.html" />
</head>
@@ -61,19 +59,19 @@
<div class="documentwrapper">
<div class="bodywrapper">
- <div class="body">
+ <div class="body" role="main">
<div class="section" id="stash-file">
<span id="stash-definition"></span><h1>stash file<a class="headerlink" href="#stash-file" title="Permalink to this headline">¶</a></h1>
<p>The stash file is a local copy of the master key that resides in
-encrypted form on the KDC&#8217;s local disk. The stash file is used to
+encrypted form on the KDC’s local disk. The stash file is used to
authenticate the KDC to itself automatically before starting the
-<a class="reference internal" href="../admin/admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a> and <a class="reference internal" href="../admin/admin_commands/krb5kdc.html#krb5kdc-8"><em>krb5kdc</em></a> daemons (e.g., as part of the
-machine&#8217;s boot sequence). The stash file, like the keytab file (see
-<a class="reference internal" href="../admin/install_appl_srv.html#keytab-file"><em>The keytab file</em></a>) is a potential point-of-entry for a break-in, and
+<a class="reference internal" href="../admin/admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> and <a class="reference internal" href="../admin/admin_commands/krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a> daemons (e.g., as part of the
+machine’s boot sequence). The stash file, like the keytab file (see
+<a class="reference internal" href="../admin/install_appl_srv.html#keytab-file"><span class="std std-ref">The keytab file</span></a>) is a potential point-of-entry for a break-in, and
if compromised, would allow unrestricted access to the Kerberos
database. If you choose to install a stash file, it should be
-readable only by root, and should exist only on the KDC&#8217;s local disk.
+readable only by root, and should exist only on the KDC’s local disk.
The file should not be part of any backup of the machine, unless
access to the backup data is secured as tightly as access to the
master password itself.</p>
@@ -107,7 +105,7 @@ This means that the KDC will not be able to start automatically, such as after a
<li class="toctree-l2"><a class="reference internal" href="ccache_def.html">Credential cache</a></li>
<li class="toctree-l2"><a class="reference internal" href="keytab_def.html">keytab</a></li>
<li class="toctree-l2"><a class="reference internal" href="rcache_def.html">replay cache</a></li>
-<li class="toctree-l2 current"><a class="current reference internal" href="">stash file</a></li>
+<li class="toctree-l2 current"><a class="current reference internal" href="#">stash file</a></li>
<li class="toctree-l2"><a class="reference internal" href="date_format.html">Supported date and time formats</a></li>
</ul>
</li>
@@ -134,8 +132,8 @@ This means that the KDC will not be able to start automatically, such as after a
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.16</i><br />
- &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
+ <div class="right" ><i>Release: 1.21.1</i><br />
+ &copy; <a href="../copyright.html">Copyright</a> 1985-2023, MIT.
</div>
<div class="left">