krb5: Import MIT 1.21.3 - src - FreeBSD source tree

diff options


context:
space:
mode:

author	Cy Schubert <cy@FreeBSD.org>	2025-03-19 22:12:25 +0000
committer	Cy Schubert <cy@FreeBSD.org>	2025-03-19 22:12:25 +0000
commit	8f7d3ef26dec89a92ec0665de84a5936310a5574 (patch)
tree	9a465418bd4056bf0d369751320a414eaed29fa4 /doc/html/user/pwd_mgmt.html
parent	1a79b20663ca26acc2998b90ea2ff2aefd8af5b1 (diff)

Diffstat (limited to 'doc/html/user/pwd_mgmt.html')

-rw-r--r--

doc/html/user/pwd_mgmt.html

1 files changed, 39 insertions, 45 deletions

diff --git a/doc/html/user/pwd_mgmt.html b/doc/html/user/pwd_mgmt.html
index 99c09d72a0e2..ccb2a4046e3d 100644
--- a/doc/html/user/pwd_mgmt.html
+++ b/doc/html/user/pwd_mgmt.html

@@ -1,35 +1,26 @@

-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"

- "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

+<!DOCTYPE html>

-<html xmlns="http://www.w3.org/1999/xhtml">

+<html>

<head>

- <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />

+ <meta charset="utf-8" />

+ <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.17.1: http://docutils.sourceforge.net/" />

<title>Password management — MIT Kerberos Documentation</title>

- <link rel="stylesheet" href="../_static/agogo.css" type="text/css" />

- <link rel="stylesheet" href="../_static/pygments.css" type="text/css" />

- <link rel="stylesheet" href="../_static/kerb.css" type="text/css" />

- <script type="text/javascript">

- var DOCUMENTATION_OPTIONS = {

- URL_ROOT: '../',

- VERSION: '1.21.2',

- COLLAPSE_INDEX: false,

- FILE_SUFFIX: '.html',

- HAS_SOURCE: true,

- SOURCELINK_SUFFIX: '.txt'

- };

- </script>

- <script type="text/javascript" src="../_static/jquery.js"></script>

- <script type="text/javascript" src="../_static/underscore.js"></script>

- <script type="text/javascript" src="../_static/doctools.js"></script>

+ <link rel="stylesheet" type="text/css" href="../_static/pygments.css" />

+ <link rel="stylesheet" type="text/css" href="../_static/agogo.css" />

+ <link rel="stylesheet" type="text/css" href="../_static/kerb.css" />

+ <script data-url_root="../" id="documentation_options" src="../_static/documentation_options.js"></script>

+ <script src="../_static/jquery.js"></script>

+ <script src="../_static/underscore.js"></script>

+ <script src="../_static/doctools.js"></script>

- </head>

- <body>

+ </head><body>

@@ -61,7 +52,7 @@

- <div class="section" id="password-management">

+ <section id="password-management">

<h1>Password management<a class="headerlink" href="#password-management" title="Permalink to this headline">¶</a></h1>

<p>Your password is the only way Kerberos has of verifying your identity.

If someone finds out your password, that person can masquerade as

@@ -74,15 +65,15 @@ account to someone else, you can do so through Kerberos (see

including your system administrator, for any reason. You should

change your password frequently, particularly any time you think

someone may have found out what it is.</p>

-<div class="section" id="changing-your-password">

+<section id="changing-your-password">

<h2>Changing your password<a class="headerlink" href="#changing-your-password" title="Permalink to this headline">¶</a></h2>

<p>To change your Kerberos password, use the <a class="reference internal" href="user_commands/kpasswd.html#kpasswd-1"><span class="std std-ref">kpasswd</span></a> command.

It will ask you for your old password (to prevent someone else from

walking up to your computer when you’re not there and changing your

password), and then prompt you for the new one twice. (The reason you

have to type it twice is to make sure you have typed it correctly.)

-For example, user <code class="docutils literal"><span class="pre">david</span></code> would do the following:</p>

-<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">shell</span><span class="o">%</span> <span class="n">kpasswd</span>

+For example, user <code class="docutils literal notranslate"><span class="pre">david</span></code> would do the following:</p>

+<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">shell</span><span class="o">%</span> <span class="n">kpasswd</span>

<span class="n">Password</span> <span class="k">for</span> <span class="n">david</span><span class="p">:</span> <span class="o"><-</span> <span class="n">Type</span> <span class="n">your</span> <span class="n">old</span> <span class="n">password</span><span class="o">.</span>

<span class="n">Enter</span> <span class="n">new</span> <span class="n">password</span><span class="p">:</span> <span class="o"><-</span> <span class="n">Type</span> <span class="n">your</span> <span class="n">new</span> <span class="n">password</span><span class="o">.</span>

<span class="n">Enter</span> <span class="n">it</span> <span class="n">again</span><span class="p">:</span> <span class="o"><-</span> <span class="n">Type</span> <span class="n">the</span> <span class="n">new</span> <span class="n">password</span> <span class="n">again</span><span class="o">.</span>

@@ -90,9 +81,9 @@ For example, user <code class="docutils literal"><span class="pre">david</span><

<span class="n">shell</span><span class="o">%</span>

</pre></div>

</div>

-<p>If <code class="docutils literal"><span class="pre">david</span></code> typed the incorrect old password, he would get the

+<p>If <code class="docutils literal notranslate"><span class="pre">david</span></code> typed the incorrect old password, he would get the

following message:</p>

-<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">shell</span><span class="o">%</span> <span class="n">kpasswd</span>

+<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">shell</span><span class="o">%</span> <span class="n">kpasswd</span>

<span class="n">Password</span> <span class="k">for</span> <span class="n">david</span><span class="p">:</span> <span class="o"><-</span> <span class="n">Type</span> <span class="n">the</span> <span class="n">incorrect</span> <span class="n">old</span> <span class="n">password</span><span class="o">.</span>

<span class="n">kpasswd</span><span class="p">:</span> <span class="n">Password</span> <span class="n">incorrect</span> <span class="k">while</span> <span class="n">getting</span> <span class="n">initial</span> <span class="n">ticket</span>

<span class="n">shell</span><span class="o">%</span>

@@ -100,7 +91,7 @@ following message:</p>

</div>

<p>If you make a mistake and don’t type the new password the same way

twice, kpasswd will ask you to try again:</p>

-<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">shell</span><span class="o">%</span> <span class="n">kpasswd</span>

+<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">shell</span><span class="o">%</span> <span class="n">kpasswd</span>

<span class="n">Password</span> <span class="k">for</span> <span class="n">david</span><span class="p">:</span> <span class="o"><-</span> <span class="n">Type</span> <span class="n">the</span> <span class="n">old</span> <span class="n">password</span><span class="o">.</span>

<span class="n">Enter</span> <span class="n">new</span> <span class="n">password</span><span class="p">:</span> <span class="o"><-</span> <span class="n">Type</span> <span class="n">the</span> <span class="n">new</span> <span class="n">password</span><span class="o">.</span>

<span class="n">Enter</span> <span class="n">it</span> <span class="n">again</span><span class="p">:</span> <span class="o"><-</span> <span class="n">Type</span> <span class="n">a</span> <span class="n">different</span> <span class="n">new</span> <span class="n">password</span><span class="o">.</span>

@@ -114,8 +105,8 @@ this might be anywhere from a few minutes to an hour or more. If you

need to get new Kerberos tickets shortly after changing your password,

try the new password. If the new password doesn’t work, try again

using the old one.</p>

-</div>

-<div class="section" id="granting-access-to-your-account">

+</section>

+<section id="granting-access-to-your-account">

<span id="grant-access"></span><h2>Granting access to your account<a class="headerlink" href="#granting-access-to-your-account" title="Permalink to this headline">¶</a></h2>

<p>If you need to give someone access to log into your account, you can

do so through Kerberos, without telling the person your password.

@@ -123,11 +114,11 @@ Simply create a file called <a class="reference internal" href="user_config/k5lo

This file should contain the Kerberos principal of each person to whom

you wish to give access. Each principal must be on a separate line.

Here is a sample .k5login file:</p>

-<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">jennifer</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span>

+<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">jennifer</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span>

<span class="n">david</span><span class="nd">@EXAMPLE</span><span class="o">.</span><span class="n">COM</span>

</pre></div>

</div>

-<p>This file would allow the users <code class="docutils literal"><span class="pre">jennifer</span></code> and <code class="docutils literal"><span class="pre">david</span></code> to use your

+<p>This file would allow the users <code class="docutils literal notranslate"><span class="pre">jennifer</span></code> and <code class="docutils literal notranslate"><span class="pre">david</span></code> to use your

user ID, provided that they had Kerberos tickets in their respective

realms. If you will be logging into other hosts across a network, you

will want to include your own Kerberos principal in your .k5login file

@@ -135,14 +126,14 @@ on each of these hosts.</p>

<p>Using a .k5login file is much safer than giving out your password,

because:</p>

-<li>You can take access away any time simply by removing the principal

-from your .k5login file.</li>

-<li>Although the user has full access to your account on one particular

+<li><p>You can take access away any time simply by removing the principal

+from your .k5login file.</p></li>

+<li><p>Although the user has full access to your account on one particular

host (or set of hosts if your .k5login file is shared, e.g., over

-NFS), that user does not inherit your network privileges.</li>

-<li>Kerberos keeps a log of who obtains tickets, so a system

+NFS), that user does not inherit your network privileges.</p></li>

+<li><p>Kerberos keeps a log of who obtains tickets, so a system

administrator could find out, if necessary, who was capable of using

-your user ID at a particular time.</li>

+your user ID at a particular time.</p></li>

</ul>

<p>One common application is to have a .k5login file in root’s home

directory, giving root access to that machine to the Kerberos

@@ -150,19 +141,21 @@ principals listed. This allows system administrators to allow users

to become root locally, or to log in remotely as root, without their

having to give out the root password, and without anyone having to

type the root password over the network.</p>

-</div>

-<div class="section" id="password-quality-verification">

+</section>

+<section id="password-quality-verification">

<h2>Password quality verification<a class="headerlink" href="#password-quality-verification" title="Permalink to this headline">¶</a></h2>

-</div>

+</section>

+ <div class="clearer"></div>

</div>

<ul>

<li><a class="reference internal" href="#">Password management</a><ul>

@@ -204,6 +197,7 @@ type the root password over the network.</p>

</form>

</div>

</div>

@@ -211,8 +205,8 @@ type the root password over the network.</p>

- <div class="right" ><i>Release: 1.21.2</i><br />

+ <div class="right" ><i>Release: 1.21.3</i><br />

</div>