| author | Cy Schubert <cy@FreeBSD.org> | 2023-08-04 17:53:10 +0000 |
|---|---|---|
| committer | Cy Schubert <cy@FreeBSD.org> | 2023-08-04 17:53:10 +0000 |
| commit | 0320e0d5bb9fbb5da53478b3fd80ad79b110191d (patch) | |
| tree | e1185f75bd2d3f87b0c17f787debc3ee8648214b /doc/html/user/user_commands | |
| parent | b0e4d68d5124581ae353493d69bea352de4cff8a (diff) | |
Diffstat (limited to 'doc/html/user/user_commands')
| -rw-r--r-- | doc/html/user/user_commands/index.html | 24 | ||||
| -rw-r--r-- | doc/html/user/user_commands/kdestroy.html | 54 | ||||
| -rw-r--r-- | doc/html/user/user_commands/kinit.html | 86 | ||||
| -rw-r--r-- | doc/html/user/user_commands/klist.html | 77 | ||||
| -rw-r--r-- | doc/html/user/user_commands/kpasswd.html | 34 | ||||
| -rw-r--r-- | doc/html/user/user_commands/krb5-config.html | 34 | ||||
| -rw-r--r-- | doc/html/user/user_commands/ksu.html | 162 | ||||
| -rw-r--r-- | doc/html/user/user_commands/kswitch.html | 41 | ||||
| -rw-r--r-- | doc/html/user/user_commands/kvno.html | 82 | ||||
| -rw-r--r-- | doc/html/user/user_commands/sclient.html | 36 |
10 files changed, 327 insertions, 303 deletions
diff --git a/doc/html/user/user_commands/index.html b/doc/html/user/user_commands/index.html index 2c363b631787..812c62144b3c 100644 --- a/doc/html/user/user_commands/index.html +++ b/doc/html/user/user_commands/index.html @@ -1,33 +1,31 @@ + <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> - <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> - - <title>User commands — MIT Kerberos Documentation</title> - + <title>User commands — MIT Kerberos Documentation</title> <link rel="stylesheet" href="../../_static/agogo.css" type="text/css" /> <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" /> <link rel="stylesheet" href="../../_static/kerb.css" type="text/css" /> - <script type="text/javascript"> var DOCUMENTATION_OPTIONS = { URL_ROOT: '../../', - VERSION: '1.16', + VERSION: '1.21.1', COLLAPSE_INDEX: false, FILE_SUFFIX: '.html', - HAS_SOURCE: true + HAS_SOURCE: true, + SOURCELINK_SUFFIX: '.txt' }; </script> <script type="text/javascript" src="../../_static/jquery.js"></script> <script type="text/javascript" src="../../_static/underscore.js"></script> <script type="text/javascript" src="../../_static/doctools.js"></script> <link rel="author" title="About these documents" href="../../about.html" /> + <link rel="index" title="Index" href="../../genindex.html" /> + <link rel="search" title="Search" href="../../search.html" /> <link rel="copyright" title="Copyright" href="../../copyright.html" /> - <link rel="top" title="MIT Kerberos Documentation" href="../../index.html" /> - <link rel="up" title="For users" href="../index.html" /> <link rel="next" title="kdestroy" href="kdestroy.html" /> <link rel="prev" title=".k5identity" href="../user_config/k5identity.html" /> </head> 
@@ -61,7 +59,7 @@ <div class="documentwrapper"> <div class="bodywrapper"> - <div class="body"> + <div class="body" role="main"> <div class="section" id="user-commands"> <span id="id1"></span><h1>User commands<a class="headerlink" href="#user-commands" title="Permalink to this headline">¶</a></h1> @@ -98,7 +96,7 @@ <li class="toctree-l2"><a class="reference internal" href="../pwd_mgmt.html">Password management</a></li> <li class="toctree-l2"><a class="reference internal" href="../tkt_mgmt.html">Ticket management</a></li> <li class="toctree-l2"><a class="reference internal" href="../user_config/index.html">User config files</a></li> -<li class="toctree-l2 current"><a class="current reference internal" href="">User commands</a><ul> +<li class="toctree-l2 current"><a class="current reference internal" href="#">User commands</a><ul> <li class="toctree-l3"><a class="reference internal" href="kdestroy.html">kdestroy</a></li> <li class="toctree-l3"><a class="reference internal" href="kinit.html">kinit</a></li> <li class="toctree-l3"><a class="reference internal" href="klist.html">klist</a></li> @@ -140,8 +138,8 @@ <div class="footer-wrapper"> <div class="footer" > - <div class="right" ><i>Release: 1.16</i><br /> - © <a href="../../copyright.html">Copyright</a> 1985-2017, MIT. + <div class="right" ><i>Release: 1.21.1</i><br /> + © <a href="../../copyright.html">Copyright</a> 1985-2023, MIT. </div> <div class="left"> diff --git a/doc/html/user/user_commands/kdestroy.html b/doc/html/user/user_commands/kdestroy.html index c38e9d7685dd..b855a6ad9727 100644 --- a/doc/html/user/user_commands/kdestroy.html +++ b/doc/html/user/user_commands/kdestroy.html 
@@ -1,33 +1,31 @@ + <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> - <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> - - <title>kdestroy — MIT Kerberos Documentation</title> - + <title>kdestroy — MIT Kerberos Documentation</title> <link rel="stylesheet" href="../../_static/agogo.css" type="text/css" /> <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" /> <link rel="stylesheet" href="../../_static/kerb.css" type="text/css" /> - <script type="text/javascript"> var DOCUMENTATION_OPTIONS = { URL_ROOT: '../../', - VERSION: '1.16', + VERSION: '1.21.1', COLLAPSE_INDEX: false, FILE_SUFFIX: '.html', - HAS_SOURCE: true + HAS_SOURCE: true, + SOURCELINK_SUFFIX: '.txt' }; </script> <script type="text/javascript" src="../../_static/jquery.js"></script> <script type="text/javascript" src="../../_static/underscore.js"></script> <script type="text/javascript" src="../../_static/doctools.js"></script> <link rel="author" title="About these documents" href="../../about.html" /> + <link rel="index" title="Index" href="../../genindex.html" /> + <link rel="search" title="Search" href="../../search.html" /> <link rel="copyright" title="Copyright" href="../../copyright.html" /> - <link rel="top" title="MIT Kerberos Documentation" href="../../index.html" /> - <link rel="up" title="User commands" href="index.html" /> <link rel="next" title="kinit" href="kinit.html" /> <link rel="prev" title="User commands" href="index.html" /> </head> @@ -61,7 +59,7 @@ <div class="documentwrapper"> <div class="bodywrapper"> - <div class="body"> + <div class="body" role="main"> <div class="section" id="kdestroy"> <span id="kdestroy-1"></span><h1>kdestroy<a class="headerlink" href="#kdestroy" title="Permalink to this headline">¶</a></h1> 
@@ -70,11 +68,12 @@ <p><strong>kdestroy</strong> [<strong>-A</strong>] [<strong>-q</strong>] -[<strong>-c</strong> <em>cache_name</em>]</p> +[<strong>-c</strong> <em>cache_name</em>] +[<strong>-p</strong> <em>princ_name</em>]</p> </div> <div class="section" id="description"> <h2>DESCRIPTION<a class="headerlink" href="#description" title="Permalink to this headline">¶</a></h2> -<p>The kdestroy utility destroys the user’s active Kerberos authorization +<p>The kdestroy utility destroys the user’s active Kerberos authorization tickets by overwriting and deleting the credentials cache that contains them. If the credentials cache is not specified, the default credentials cache is destroyed.</p> @@ -84,10 +83,11 @@ credentials cache is destroyed.</p> <dl class="docutils"> <dt><strong>-A</strong></dt> <dd>Destroys all caches in the collection, if a cache collection is -available.</dd> +available. May be used with the <strong>-c</strong> option to specify the +collection to be destroyed.</dd> <dt><strong>-q</strong></dt> <dd>Run quietly. Normally kdestroy beeps if it fails to destroy the -user’s tickets. The <strong>-q</strong> flag suppresses this behavior.</dd> +user’s tickets. The <strong>-q</strong> flag suppresses this behavior.</dd> <dt><strong>-c</strong> <em>cache_name</em></dt> <dd><p class="first">Use <em>cache_name</em> as the credentials (ticket) cache name and location; if this option is not used, the default cache name and @@ -96,6 +96,10 @@ location are used.</p> <strong>KRB5CCNAME</strong> environment variable is set, its value is used to name the default ticket cache.</p> </dd> +<dt><strong>-p</strong> <em>princ_name</em></dt> +<dd>If a cache collection is available, destroy the cache for +<em>princ_name</em> instead of the primary cache. May be used with the +<strong>-c</strong> option to specify the collection to be searched.</dd> </dl> </div> <div class="section" id="note"> 
@@ -106,27 +110,19 @@ when you log out.</p> </div> <div class="section" id="environment"> <h2>ENVIRONMENT<a class="headerlink" href="#environment" title="Permalink to this headline">¶</a></h2> -<p>kdestroy uses the following environment variable:</p> -<dl class="docutils"> -<dt><strong>KRB5CCNAME</strong></dt> -<dd>Location of the default Kerberos 5 credentials (ticket) cache, in -the form <em>type</em>:<em>residual</em>. If no <em>type</em> prefix is present, the -<strong>FILE</strong> type is assumed. The type of the default cache may -determine the availability of a cache collection; for instance, a -default cache of type <strong>DIR</strong> causes caches within the directory -to be present in the collection.</dd> -</dl> +<p>See <a class="reference internal" href="../user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a> for a description of Kerberos environment +variables.</p> </div> <div class="section" id="files"> <h2>FILES<a class="headerlink" href="#files" title="Permalink to this headline">¶</a></h2> <dl class="docutils"> -<dt><a class="reference internal" href="../../mitK5defaults.html#paths"><em>DEFCCNAME</em></a></dt> +<dt><a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">DEFCCNAME</span></a></dt> <dd>Default location of Kerberos 5 credentials cache</dd> </dl> </div> <div class="section" id="see-also"> <h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2> -<p><a class="reference internal" href="kinit.html#kinit-1"><em>kinit</em></a>, <a class="reference internal" href="klist.html#klist-1"><em>klist</em></a></p> +<p><a class="reference internal" href="kinit.html#kinit-1"><span class="std std-ref">kinit</span></a>, <a class="reference internal" href="klist.html#klist-1"><span class="std std-ref">klist</span></a>, <a class="reference internal" href="../user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a></p> 
</div> </div> @@ -158,7 +154,7 @@ to be present in the collection.</dd> <li class="toctree-l2"><a class="reference internal" href="../tkt_mgmt.html">Ticket management</a></li> <li class="toctree-l2"><a class="reference internal" href="../user_config/index.html">User config files</a></li> <li class="toctree-l2 current"><a class="reference internal" href="index.html">User commands</a><ul class="current"> -<li class="toctree-l3 current"><a class="current reference internal" href="">kdestroy</a></li> +<li class="toctree-l3 current"><a class="current reference internal" href="#">kdestroy</a></li> <li class="toctree-l3"><a class="reference internal" href="kinit.html">kinit</a></li> <li class="toctree-l3"><a class="reference internal" href="klist.html">klist</a></li> <li class="toctree-l3"><a class="reference internal" href="kpasswd.html">kpasswd</a></li> @@ -199,8 +195,8 @@ to be present in the collection.</dd> <div class="footer-wrapper"> <div class="footer" > - <div class="right" ><i>Release: 1.16</i><br /> - © <a href="../../copyright.html">Copyright</a> 1985-2017, MIT. + <div class="right" ><i>Release: 1.21.1</i><br /> + © <a href="../../copyright.html">Copyright</a> 1985-2023, MIT. </div> <div class="left"> diff --git a/doc/html/user/user_commands/kinit.html b/doc/html/user/user_commands/kinit.html index e1dad27e9c59..53eccc9455be 100644 --- a/doc/html/user/user_commands/kinit.html +++ b/doc/html/user/user_commands/kinit.html 
@@ -1,33 +1,31 @@ + <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> - <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> - - <title>kinit — MIT Kerberos Documentation</title> - + <title>kinit — MIT Kerberos Documentation</title> <link rel="stylesheet" href="../../_static/agogo.css" type="text/css" /> <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" /> <link rel="stylesheet" href="../../_static/kerb.css" type="text/css" /> - <script type="text/javascript"> var DOCUMENTATION_OPTIONS = { URL_ROOT: '../../', - VERSION: '1.16', + VERSION: '1.21.1', COLLAPSE_INDEX: false, FILE_SUFFIX: '.html', - HAS_SOURCE: true + HAS_SOURCE: true, + SOURCELINK_SUFFIX: '.txt' }; </script> <script type="text/javascript" src="../../_static/jquery.js"></script> <script type="text/javascript" src="../../_static/underscore.js"></script> <script type="text/javascript" src="../../_static/doctools.js"></script> <link rel="author" title="About these documents" href="../../about.html" /> + <link rel="index" title="Index" href="../../genindex.html" /> + <link rel="search" title="Search" href="../../search.html" /> <link rel="copyright" title="Copyright" href="../../copyright.html" /> - <link rel="top" title="MIT Kerberos Documentation" href="../../index.html" /> - <link rel="up" title="User commands" href="index.html" /> <link rel="next" title="klist" href="klist.html" /> <link rel="prev" title="kdestroy" href="kdestroy.html" /> </head> @@ -61,7 +59,7 @@ <div class="documentwrapper"> <div class="bodywrapper"> - <div class="body"> + <div class="body" role="main"> <div class="section" id="kinit"> <span id="kinit-1"></span><h1>kinit<a class="headerlink" href="#kinit" title="Permalink to this headline">¶</a></h1> 
@@ -80,13 +78,14 @@ [<strong>-E</strong>] [<strong>-v</strong>] [<strong>-R</strong>] -[<strong>-k</strong> [-<strong>t</strong> <em>keytab_file</em>]] +[<strong>-k</strong> [<strong>-i</strong> | -<strong>t</strong> <em>keytab_file</em>]] [<strong>-c</strong> <em>cache_name</em>] [<strong>-n</strong>] [<strong>-S</strong> <em>service_name</em>] [<strong>-I</strong> <em>input_ccache</em>] [<strong>-T</strong> <em>armor_ccache</em>] [<strong>-X</strong> <em>attribute</em>[=<em>value</em>]] +[<strong>–request-pac</strong> | <strong>–no-request-pac</strong>] [<em>principal</em>]</p> </div> <div class="section" id="description"> 
@@ -103,23 +102,23 @@ choice of principal name.</p> <dt><strong>-V</strong></dt> <dd>display verbose output.</dd> <dt><strong>-l</strong> <em>lifetime</em></dt> -<dd><p class="first">(<a class="reference internal" href="../../basic/date_format.html#duration"><em>Time duration</em></a> string.) Requests a ticket with the lifetime +<dd><p class="first">(<a class="reference internal" href="../../basic/date_format.html#duration"><span class="std std-ref">Time duration</span></a> string.) Requests a ticket with the lifetime <em>lifetime</em>.</p> -<p>For example, <tt class="docutils literal"><span class="pre">kinit</span> <span class="pre">-l</span> <span class="pre">5:30</span></tt> or <tt class="docutils literal"><span class="pre">kinit</span> <span class="pre">-l</span> <span class="pre">5h30m</span></tt>.</p> +<p>For example, <code class="docutils literal"><span class="pre">kinit</span> <span class="pre">-l</span> <span class="pre">5:30</span></code> or <code class="docutils literal"><span class="pre">kinit</span> <span class="pre">-l</span> <span class="pre">5h30m</span></code>.</p> <p class="last">If the <strong>-l</strong> option is not specified, the default ticket lifetime (configured by each site) is used. Specifying a ticket lifetime longer than the maximum ticket lifetime (configured by each site) will not override the configured maximum ticket lifetime.</p> </dd> <dt><strong>-s</strong> <em>start_time</em></dt> -<dd><p class="first">(<a class="reference internal" href="../../basic/date_format.html#duration"><em>Time duration</em></a> string.) Requests a postdated ticket. Postdated +<dd><p class="first">(<a class="reference internal" href="../../basic/date_format.html#duration"><span class="std std-ref">Time duration</span></a> string.) Requests a postdated ticket. 
Postdated tickets are issued with the <strong>invalid</strong> flag set, and need to be resubmitted to the KDC for validation before use.</p> <p class="last"><em>start_time</em> specifies the duration of the delay before the ticket can become valid.</p> </dd> <dt><strong>-r</strong> <em>renewable_life</em></dt> -<dd>(<a class="reference internal" href="../../basic/date_format.html#duration"><em>Time duration</em></a> string.) Requests renewable tickets, with a total +<dd>(<a class="reference internal" href="../../basic/date_format.html#duration"><span class="std std-ref">Time duration</span></a> string.) Requests renewable tickets, with a total lifetime of <em>renewable_life</em>.</dd> <dt><strong>-f</strong></dt> <dd>requests forwardable tickets.</dd> @@ -130,7 +129,7 @@ lifetime of <em>renewable_life</em>.</dd> <dt><strong>-P</strong></dt> <dd>requests non-proxiable tickets.</dd> <dt><strong>-a</strong></dt> -<dd>requests tickets restricted to the host’s local address[es].</dd> +<dd>requests tickets restricted to the host’s local address[es].</dd> <dt><strong>-A</strong></dt> <dd>requests tickets not restricted by address.</dd> <dt><strong>-C</strong></dt> @@ -138,8 +137,7 @@ lifetime of <em>renewable_life</em>.</dd> KDC to reply with a different client principal from the one requested.</dd> <dt><strong>-E</strong></dt> -<dd>treats the principal name as an enterprise name (implies the -<strong>-C</strong> option).</dd> +<dd>treats the principal name as an enterprise name.</dd> <dt><strong>-v</strong></dt> <dd>requests that the ticket-granting ticket in the cache (with the <strong>invalid</strong> flag set) be passed to the KDC for validation. If the 
@@ -150,18 +148,18 @@ with the validated ticket.</dd> expired ticket cannot be renewed, even if the ticket is still within its renewable life.</p> <p class="last">Note that renewable tickets that have expired as reported by -<a class="reference internal" href="klist.html#klist-1"><em>klist</em></a> may sometimes be renewed using this option, +<a class="reference internal" href="klist.html#klist-1"><span class="std std-ref">klist</span></a> may sometimes be renewed using this option, because the KDC applies a grace period to account for client-KDC -clock skew. See <a class="reference internal" href="../../admin/conf_files/krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a> <strong>clockskew</strong> setting.</p> +clock skew. See <a class="reference internal" href="../../admin/conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a> <strong>clockskew</strong> setting.</p> </dd> <dt><strong>-k</strong> [<strong>-i</strong> | <strong>-t</strong> <em>keytab_file</em>]</dt> -<dd>requests a ticket, obtained from a key in the local host’s keytab. +<dd>requests a ticket, obtained from a key in the local host’s keytab. The location of the keytab may be specified with the <strong>-t</strong> <em>keytab_file</em> option, or with the <strong>-i</strong> option to specify the use of the default client keytab; otherwise the default keytab will be used. By default, a host ticket for the local host is requested, but any principal may be specified. On a KDC, the special keytab -location <tt class="docutils literal"><span class="pre">KDB:</span></tt> can be used to indicate that kinit should open +location <code class="docutils literal"><span class="pre">KDB:</span></code> can be used to indicate that kinit should open the KDC database and look up the key directly. This permits an administrator to obtain tickets as any principal that supports authentication based on the key.</dd> 
@@ -169,14 +167,14 @@ authentication based on the key.</dd> <dd><p class="first">Requests anonymous processing. Two types of anonymous principals are supported.</p> <p>For fully anonymous Kerberos, configure pkinit on the KDC and -configure <strong>pkinit_anchors</strong> in the client’s <a class="reference internal" href="../../admin/conf_files/krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a>. -Then use the <strong>-n</strong> option with a principal of the form <tt class="docutils literal"><span class="pre">@REALM</span></tt> +configure <strong>pkinit_anchors</strong> in the client’s <a class="reference internal" href="../../admin/conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a>. +Then use the <strong>-n</strong> option with a principal of the form <code class="docutils literal"><span class="pre">@REALM</span></code> (an empty principal name followed by the at-sign and a realm name). If permitted by the KDC, an anonymous ticket will be returned.</p> <p>A second form of anonymous tickets is supported; these realm-exposed tickets hide the identity of the client but not the -client’s realm. For this mode, use <tt class="docutils literal"><span class="pre">kinit</span> <span class="pre">-n</span></tt> with a normal +client’s realm. For this mode, use <code class="docutils literal"><span class="pre">kinit</span> <span class="pre">-n</span></code> with a normal principal name. If supported by the KDC, the principal (but not realm) will be replaced by the anonymous principal.</p> <p class="last">As of release 1.8, the MIT Kerberos KDC only supports fully 
@@ -219,46 +217,46 @@ tickets.</dd> interpreted by pre-authentication modules. The acceptable attribute and value values vary from module to module. This option may be specified multiple times to specify multiple -attributes. If no value is specified, it is assumed to be “yes”.</p> +attributes. If no value is specified, it is assumed to be “yes”.</p> <p>The following attributes are recognized by the PKINIT pre-authentication mechanism:</p> <dl class="last docutils"> <dt><strong>X509_user_identity</strong>=<em>value</em></dt> -<dd>specify where to find user’s X509 identity information</dd> +<dd>specify where to find user’s X509 identity information</dd> <dt><strong>X509_anchors</strong>=<em>value</em></dt> <dd>specify where to find trusted X509 anchor information</dd> <dt><strong>flag_RSA_PROTOCOL</strong>[<strong>=yes</strong>]</dt> <dd>specify use of RSA, rather than the default Diffie-Hellman protocol</dd> +<dt><strong>disable_freshness</strong>[<strong>=yes</strong>]</dt> +<dd>disable sending freshness tokens (for testing purposes only)</dd> </dl> </dd> +<dt><strong>–request-pac</strong> | <strong>–no-request-pac</strong></dt> +<dd>mutually exclusive. If <strong>–request-pac</strong> is set, ask the KDC to +include a PAC in authdata; if <strong>–no-request-pac</strong> is set, ask the +KDC not to include a PAC; if neither are set, the KDC will follow +its default, which is typically is to include a PAC if doing so is +supported.</dd> </dl> </div> <div class="section" id="environment"> <h2>ENVIRONMENT<a class="headerlink" href="#environment" title="Permalink to this headline">¶</a></h2> -<p>kinit uses the following environment variables:</p> -<dl class="docutils"> -<dt><strong>KRB5CCNAME</strong></dt> -<dd>Location of the default Kerberos 5 credentials cache, in the form -<em>type</em>:<em>residual</em>. If no <em>type</em> prefix is present, the <strong>FILE</strong> -type is assumed. 
The type of the default cache may determine the -availability of a cache collection; for instance, a default cache -of type <strong>DIR</strong> causes caches within the directory to be present -in the collection.</dd> -</dl> +<p>See <a class="reference internal" href="../user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a> for a description of Kerberos environment +variables.</p> </div> <div class="section" id="files"> <h2>FILES<a class="headerlink" href="#files" title="Permalink to this headline">¶</a></h2> <dl class="docutils"> -<dt><a class="reference internal" href="../../mitK5defaults.html#paths"><em>DEFCCNAME</em></a></dt> +<dt><a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">DEFCCNAME</span></a></dt> <dd>default location of Kerberos 5 credentials cache</dd> -<dt><a class="reference internal" href="../../mitK5defaults.html#paths"><em>DEFKTNAME</em></a></dt> -<dd>default location for the local host’s keytab.</dd> +<dt><a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">DEFKTNAME</span></a></dt> +<dd>default location for the local host’s keytab.</dd> </dl> </div> <div class="section" id="see-also"> <h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2> -<p><a class="reference internal" href="klist.html#klist-1"><em>klist</em></a>, <a class="reference internal" href="kdestroy.html#kdestroy-1"><em>kdestroy</em></a>, kerberos(1)</p> +<p><a class="reference internal" href="klist.html#klist-1"><span class="std std-ref">klist</span></a>, <a class="reference internal" href="kdestroy.html#kdestroy-1"><span class="std std-ref">kdestroy</span></a>, <a class="reference internal" href="../user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a></p> </div> </div> 
@@ -290,7 +288,7 @@ in the collection.</dd> <li class="toctree-l2"><a class="reference internal" href="../user_config/index.html">User config files</a></li> <li class="toctree-l2 current"><a class="reference internal" href="index.html">User commands</a><ul class="current"> <li class="toctree-l3"><a class="reference internal" href="kdestroy.html">kdestroy</a></li> -<li class="toctree-l3 current"><a class="current reference internal" href="">kinit</a></li> +<li class="toctree-l3 current"><a class="current reference internal" href="#">kinit</a></li> <li class="toctree-l3"><a class="reference internal" href="klist.html">klist</a></li> <li class="toctree-l3"><a class="reference internal" href="kpasswd.html">kpasswd</a></li> <li class="toctree-l3"><a class="reference internal" href="krb5-config.html">krb5-config</a></li> @@ -330,8 +328,8 @@ in the collection.</dd> <div class="footer-wrapper"> <div class="footer" > - <div class="right" ><i>Release: 1.16</i><br /> - © <a href="../../copyright.html">Copyright</a> 1985-2017, MIT. + <div class="right" ><i>Release: 1.21.1</i><br /> + © <a href="../../copyright.html">Copyright</a> 1985-2023, MIT. </div> <div class="left"> diff --git a/doc/html/user/user_commands/klist.html b/doc/html/user/user_commands/klist.html index 0dfb589d1cc6..dcc3961a0379 100644 --- a/doc/html/user/user_commands/klist.html +++ b/doc/html/user/user_commands/klist.html 
@@ -1,33 +1,31 @@ + <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> - <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> - - <title>klist — MIT Kerberos Documentation</title> - + <title>klist — MIT Kerberos Documentation</title> <link rel="stylesheet" href="../../_static/agogo.css" type="text/css" /> <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" /> <link rel="stylesheet" href="../../_static/kerb.css" type="text/css" /> - <script type="text/javascript"> var DOCUMENTATION_OPTIONS = { URL_ROOT: '../../', - VERSION: '1.16', + VERSION: '1.21.1', COLLAPSE_INDEX: false, FILE_SUFFIX: '.html', - HAS_SOURCE: true + HAS_SOURCE: true, + SOURCELINK_SUFFIX: '.txt' }; </script> <script type="text/javascript" src="../../_static/jquery.js"></script> <script type="text/javascript" src="../../_static/underscore.js"></script> <script type="text/javascript" src="../../_static/doctools.js"></script> <link rel="author" title="About these documents" href="../../about.html" /> + <link rel="index" title="Index" href="../../genindex.html" /> + <link rel="search" title="Search" href="../../search.html" /> <link rel="copyright" title="Copyright" href="../../copyright.html" /> - <link rel="top" title="MIT Kerberos Documentation" href="../../index.html" /> - <link rel="up" title="User commands" href="index.html" /> <link rel="next" title="kpasswd" href="kpasswd.html" /> <link rel="prev" title="kinit" href="kinit.html" /> </head> @@ -61,7 +59,7 @@ <div class="documentwrapper"> <div class="bodywrapper"> - <div class="body"> + <div class="body" role="main"> <div class="section" id="klist"> <span id="klist-1"></span><h1>klist<a class="headerlink" href="#klist" title="Permalink to this headline">¶</a></h1> 
@@ -71,8 +69,9 @@ [<strong>-e</strong>] [[<strong>-c</strong>] [<strong>-l</strong>] [<strong>-A</strong>] [<strong>-f</strong>] [<strong>-s</strong>] [<strong>-a</strong> [<strong>-n</strong>]]] [<strong>-C</strong>] -[<strong>-k</strong> [<strong>-t</strong>] [<strong>-K</strong>]] +[<strong>-k</strong> [<strong>-i</strong>] [<strong>-t</strong>] [<strong>-K</strong>]] [<strong>-V</strong>] +[<strong>-d</strong>] [<em>cache_name</em>|<em>keytab_name</em>]</p> </div> <div class="section" id="description"> 
@@ -99,20 +98,20 @@ neither <strong>-c</strong> nor <strong>-k</strong> is specified.</dd> <dt><strong>-f</strong></dt> <dd><p class="first">Shows the flags present in the credentials, using the following abbreviations:</p> -<div class="last highlight-python"><div class="highlight"><pre>F Forwardable -f forwarded -P Proxiable -p proxy -D postDateable -d postdated -R Renewable -I Initial -i invalid -H Hardware authenticated -A preAuthenticated -T Transit policy checked -O Okay as delegate -a anonymous +<div class="last highlight-default"><div class="highlight"><pre><span></span><span class="n">F</span> <span class="n">Forwardable</span> +<span class="n">f</span> <span class="n">forwarded</span> +<span class="n">P</span> <span class="n">Proxiable</span> +<span class="n">p</span> <span class="n">proxy</span> +<span class="n">D</span> <span class="n">postDateable</span> +<span class="n">d</span> <span class="n">postdated</span> +<span class="n">R</span> <span class="n">Renewable</span> +<span class="n">I</span> <span class="n">Initial</span> +<span class="n">i</span> <span class="n">invalid</span> +<span class="n">H</span> <span class="n">Hardware</span> <span class="n">authenticated</span> +<span class="n">A</span> <span class="n">preAuthenticated</span> +<span class="n">T</span> <span class="n">Transit</span> <span class="n">policy</span> <span class="n">checked</span> +<span class="n">O</span> <span class="n">Okay</span> <span class="k">as</span> <span class="n">delegate</span> +<span class="n">a</span> <span class="n">anonymous</span> </pre></div> </div> </dd> @@ -140,6 +139,8 @@ keytab file.</dd> <dt><strong>-K</strong></dt> <dd>Display the value of the encryption key in each keytab entry in the keytab file.</dd> +<dt><strong>-d</strong></dt> +<dd>Display the authdata types (if any) for each entry.</dd> <dt><strong>-V</strong></dt> <dd>Display the Kerberos version number and exit.</dd> </dl> 
@@ -150,29 +151,21 @@ value is used to locate the default ticket cache.</p> </div> <div class="section" id="environment"> <h2>ENVIRONMENT<a class="headerlink" href="#environment" title="Permalink to this headline">¶</a></h2> -<p>klist uses the following environment variable:</p> -<dl class="docutils"> -<dt><strong>KRB5CCNAME</strong></dt> -<dd>Location of the default Kerberos 5 credentials (ticket) cache, in -the form <em>type</em>:<em>residual</em>. If no <em>type</em> prefix is present, the -<strong>FILE</strong> type is assumed. The type of the default cache may -determine the availability of a cache collection; for instance, a -default cache of type <strong>DIR</strong> causes caches within the directory -to be present in the collection.</dd> -</dl> +<p>See <a class="reference internal" href="../user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a> for a description of Kerberos environment +variables.</p> </div> <div class="section" id="files"> <h2>FILES<a class="headerlink" href="#files" title="Permalink to this headline">¶</a></h2> <dl class="docutils"> -<dt><a class="reference internal" href="../../mitK5defaults.html#paths"><em>DEFCCNAME</em></a></dt> +<dt><a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">DEFCCNAME</span></a></dt> <dd>Default location of Kerberos 5 credentials cache</dd> -<dt><a class="reference internal" href="../../mitK5defaults.html#paths"><em>DEFKTNAME</em></a></dt> -<dd>Default location for the local host’s keytab file.</dd> +<dt><a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">DEFKTNAME</span></a></dt> +<dd>Default location for the local host’s keytab file.</dd> </dl> </div> <div class="section" id="see-also"> <h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2> -<p><a class="reference internal" href="kinit.html#kinit-1"><em>kinit</em></a>, <a class="reference internal" 
href="kdestroy.html#kdestroy-1"><em>kdestroy</em></a></p> +<p><a class="reference internal" href="kinit.html#kinit-1"><span class="std std-ref">kinit</span></a>, <a class="reference internal" href="kdestroy.html#kdestroy-1"><span class="std std-ref">kdestroy</span></a>, <a class="reference internal" href="../user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a></p> </div> </div> @@ -205,7 +198,7 @@ to be present in the collection.</dd> <li class="toctree-l2 current"><a class="reference internal" href="index.html">User commands</a><ul class="current"> <li class="toctree-l3"><a class="reference internal" href="kdestroy.html">kdestroy</a></li> <li class="toctree-l3"><a class="reference internal" href="kinit.html">kinit</a></li> -<li class="toctree-l3 current"><a class="current reference internal" href="">klist</a></li> +<li class="toctree-l3 current"><a class="current reference internal" href="#">klist</a></li> <li class="toctree-l3"><a class="reference internal" href="kpasswd.html">kpasswd</a></li> <li class="toctree-l3"><a class="reference internal" href="krb5-config.html">krb5-config</a></li> <li class="toctree-l3"><a class="reference internal" href="ksu.html">ksu</a></li> @@ -244,8 +237,8 @@ to be present in the collection.</dd> <div class="footer-wrapper"> <div class="footer" > - <div class="right" ><i>Release: 1.16</i><br /> - © <a href="../../copyright.html">Copyright</a> 1985-2017, MIT. + <div class="right" ><i>Release: 1.21.1</i><br /> + © <a href="../../copyright.html">Copyright</a> 1985-2023, MIT. </div> <div class="left"> diff --git a/doc/html/user/user_commands/kpasswd.html b/doc/html/user/user_commands/kpasswd.html index 824cae0dac3b..af3b2dd019dc 100644 --- a/doc/html/user/user_commands/kpasswd.html +++ b/doc/html/user/user_commands/kpasswd.html 
@@ -1,33 +1,31 @@ + <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> - <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> - - <title>kpasswd — MIT Kerberos Documentation</title> - + <title>kpasswd — MIT Kerberos Documentation</title> <link rel="stylesheet" href="../../_static/agogo.css" type="text/css" /> <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" /> <link rel="stylesheet" href="../../_static/kerb.css" type="text/css" /> - <script type="text/javascript"> var DOCUMENTATION_OPTIONS = { URL_ROOT: '../../', - VERSION: '1.16', + VERSION: '1.21.1', COLLAPSE_INDEX: false, FILE_SUFFIX: '.html', - HAS_SOURCE: true + HAS_SOURCE: true, + SOURCELINK_SUFFIX: '.txt' }; </script> <script type="text/javascript" src="../../_static/jquery.js"></script> <script type="text/javascript" src="../../_static/underscore.js"></script> <script type="text/javascript" src="../../_static/doctools.js"></script> <link rel="author" title="About these documents" href="../../about.html" /> + <link rel="index" title="Index" href="../../genindex.html" /> + <link rel="search" title="Search" href="../../search.html" /> <link rel="copyright" title="Copyright" href="../../copyright.html" /> - <link rel="top" title="MIT Kerberos Documentation" href="../../index.html" /> - <link rel="up" title="User commands" href="index.html" /> <link rel="next" title="krb5-config" href="krb5-config.html" /> <link rel="prev" title="klist" href="klist.html" /> </head> @@ -61,7 +59,7 @@ <div class="documentwrapper"> <div class="bodywrapper"> - <div class="body"> + <div class="body" role="main"> <div class="section" id="kpasswd"> <span id="kpasswd-1"></span><h1>kpasswd<a class="headerlink" href="#kpasswd" title="Permalink to this headline">¶</a></h1> 
@@ -71,7 +69,7 @@ </div> <div class="section" id="description"> <h2>DESCRIPTION<a class="headerlink" href="#description" title="Permalink to this headline">¶</a></h2> -<p>The kpasswd command is used to change a Kerberos principal’s password. +<p>The kpasswd command is used to change a Kerberos principal’s password. kpasswd first prompts for the current Kerberos password, then prompts the user twice for the new password, and the password is changed.</p> <p>If the principal is governed by a policy that specifies the length @@ -90,9 +88,14 @@ if there is one; if not, the principal is derived from the identity of the user invoking the kpasswd command.</dd> </dl> </div> +<div class="section" id="environment"> +<h2>ENVIRONMENT<a class="headerlink" href="#environment" title="Permalink to this headline">¶</a></h2> +<p>See <a class="reference internal" href="../user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a> for a description of Kerberos environment +variables.</p> +</div> <div class="section" id="see-also"> <h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2> -<p><a class="reference internal" href="../../admin/admin_commands/kadmin_local.html#kadmin-1"><em>kadmin</em></a>, <a class="reference internal" href="../../admin/admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a></p> +<p><a class="reference internal" href="../../admin/admin_commands/kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a>, <a class="reference internal" href="../../admin/admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a>, <a class="reference internal" href="../user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a></p> </div> </div> 
@@ -108,6 +111,7 @@ identity of the user invoking the kpasswd command.</dd> <li><a class="reference internal" href="#synopsis">SYNOPSIS</a></li> <li><a class="reference internal" href="#description">DESCRIPTION</a></li> <li><a class="reference internal" href="#options">OPTIONS</a></li> +<li><a class="reference internal" href="#environment">ENVIRONMENT</a></li> <li><a class="reference internal" href="#see-also">SEE ALSO</a></li> </ul> </li> @@ -124,7 +128,7 @@ identity of the user invoking the kpasswd command.</dd> <li class="toctree-l3"><a class="reference internal" href="kdestroy.html">kdestroy</a></li> <li class="toctree-l3"><a class="reference internal" href="kinit.html">kinit</a></li> <li class="toctree-l3"><a class="reference internal" href="klist.html">klist</a></li> -<li class="toctree-l3 current"><a class="current reference internal" href="">kpasswd</a></li> +<li class="toctree-l3 current"><a class="current reference internal" href="#">kpasswd</a></li> <li class="toctree-l3"><a class="reference internal" href="krb5-config.html">krb5-config</a></li> <li class="toctree-l3"><a class="reference internal" href="ksu.html">ksu</a></li> <li class="toctree-l3"><a class="reference internal" href="kswitch.html">kswitch</a></li> @@ -162,8 +166,8 @@ identity of the user invoking the kpasswd command.</dd> <div class="footer-wrapper"> <div class="footer" > - <div class="right" ><i>Release: 1.16</i><br /> - © <a href="../../copyright.html">Copyright</a> 1985-2017, MIT. + <div class="right" ><i>Release: 1.21.1</i><br /> + © <a href="../../copyright.html">Copyright</a> 1985-2023, MIT. </div> <div class="left"> diff --git a/doc/html/user/user_commands/krb5-config.html b/doc/html/user/user_commands/krb5-config.html index 6a8b44c4dfc3..80a50d33cf60 100644 --- a/doc/html/user/user_commands/krb5-config.html +++ b/doc/html/user/user_commands/krb5-config.html 
@@ -1,33 +1,31 @@ + <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> - <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> - - <title>krb5-config — MIT Kerberos Documentation</title> - + <title>krb5-config — MIT Kerberos Documentation</title> <link rel="stylesheet" href="../../_static/agogo.css" type="text/css" /> <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" /> <link rel="stylesheet" href="../../_static/kerb.css" type="text/css" /> - <script type="text/javascript"> var DOCUMENTATION_OPTIONS = { URL_ROOT: '../../', - VERSION: '1.16', + VERSION: '1.21.1', COLLAPSE_INDEX: false, FILE_SUFFIX: '.html', - HAS_SOURCE: true + HAS_SOURCE: true, + SOURCELINK_SUFFIX: '.txt' }; </script> <script type="text/javascript" src="../../_static/jquery.js"></script> <script type="text/javascript" src="../../_static/underscore.js"></script> <script type="text/javascript" src="../../_static/doctools.js"></script> <link rel="author" title="About these documents" href="../../about.html" /> + <link rel="index" title="Index" href="../../genindex.html" /> + <link rel="search" title="Search" href="../../search.html" /> <link rel="copyright" title="Copyright" href="../../copyright.html" /> - <link rel="top" title="MIT Kerberos Documentation" href="../../index.html" /> - <link rel="up" title="User commands" href="index.html" /> <link rel="next" title="ksu" href="ksu.html" /> <link rel="prev" title="kpasswd" href="kpasswd.html" /> </head> @@ -61,7 +59,7 @@ <div class="documentwrapper"> <div class="bodywrapper"> - <div class="body"> + <div class="body" role="main"> <div class="section" id="krb5-config"> <span id="krb5-config-1"></span><h1>krb5-config<a class="headerlink" href="#krb5-config" title="Permalink to this headline">¶</a></h1> 
@@ -133,17 +131,17 @@ Allowed values for <em>library</em> are:</p> <h2>EXAMPLES<a class="headerlink" href="#examples" title="Permalink to this headline">¶</a></h2> <p>krb5-config is particularly useful for compiling against a Kerberos installation that was installed in a non-standard location. For example, -a Kerberos installation that is installed in <tt class="docutils literal"><span class="pre">/opt/krb5/</span></tt> but uses -libraries in <tt class="docutils literal"><span class="pre">/usr/local/lib/</span></tt> for text localization would produce +a Kerberos installation that is installed in <code class="docutils literal"><span class="pre">/opt/krb5/</span></code> but uses +libraries in <code class="docutils literal"><span class="pre">/usr/local/lib/</span></code> for text localization would produce the following output:</p> -<div class="highlight-python"><div class="highlight"><pre>shell% krb5-config --libs krb5 --L/opt/krb5/lib -Wl,-rpath -Wl,/opt/krb5/lib -L/usr/local/lib -lkrb5 -lk5crypto -lcom_err +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">shell</span><span class="o">%</span> <span class="n">krb5</span><span class="o">-</span><span class="n">config</span> <span class="o">--</span><span class="n">libs</span> <span class="n">krb5</span> +<span class="o">-</span><span class="n">L</span><span class="o">/</span><span class="n">opt</span><span class="o">/</span><span class="n">krb5</span><span class="o">/</span><span class="n">lib</span> <span class="o">-</span><span class="n">Wl</span><span class="p">,</span><span class="o">-</span><span class="n">rpath</span> <span class="o">-</span><span class="n">Wl</span><span class="p">,</span><span class="o">/</span><span class="n">opt</span><span class="o">/</span><span class="n">krb5</span><span class="o">/</span><span class="n">lib</span> <span class="o">-</span><span class="n">L</span><span class="o">/</span><span class="n">usr</span><span class="o">/</span><span 
class="n">local</span><span class="o">/</span><span class="n">lib</span> <span class="o">-</span><span class="n">lkrb5</span> <span class="o">-</span><span class="n">lk5crypto</span> <span class="o">-</span><span class="n">lcom_err</span> </pre></div> </div> </div> <div class="section" id="see-also"> <h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2> -<p>kerberos(1), cc(1)</p> +<p><a class="reference internal" href="../user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a>, cc(1)</p> </div> </div> @@ -177,7 +175,7 @@ the following output:</p> <li class="toctree-l3"><a class="reference internal" href="kinit.html">kinit</a></li> <li class="toctree-l3"><a class="reference internal" href="klist.html">klist</a></li> <li class="toctree-l3"><a class="reference internal" href="kpasswd.html">kpasswd</a></li> -<li class="toctree-l3 current"><a class="current reference internal" href="">krb5-config</a></li> +<li class="toctree-l3 current"><a class="current reference internal" href="#">krb5-config</a></li> <li class="toctree-l3"><a class="reference internal" href="ksu.html">ksu</a></li> <li class="toctree-l3"><a class="reference internal" href="kswitch.html">kswitch</a></li> <li class="toctree-l3"><a class="reference internal" href="kvno.html">kvno</a></li> @@ -214,8 +212,8 @@ the following output:</p> <div class="footer-wrapper"> <div class="footer" > - <div class="right" ><i>Release: 1.16</i><br /> - © <a href="../../copyright.html">Copyright</a> 1985-2017, MIT. + <div class="right" ><i>Release: 1.21.1</i><br /> + © <a href="../../copyright.html">Copyright</a> 1985-2023, MIT. </div> <div class="left"> diff --git a/doc/html/user/user_commands/ksu.html b/doc/html/user/user_commands/ksu.html index fe58258b985d..90d1b69e1487 100644 --- a/doc/html/user/user_commands/ksu.html +++ b/doc/html/user/user_commands/ksu.html 
@@ -1,33 +1,31 @@ + <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> - <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> - - <title>ksu — MIT Kerberos Documentation</title> - + <title>ksu — MIT Kerberos Documentation</title> <link rel="stylesheet" href="../../_static/agogo.css" type="text/css" /> <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" /> <link rel="stylesheet" href="../../_static/kerb.css" type="text/css" /> - <script type="text/javascript"> var DOCUMENTATION_OPTIONS = { URL_ROOT: '../../', - VERSION: '1.16', + VERSION: '1.21.1', COLLAPSE_INDEX: false, FILE_SUFFIX: '.html', - HAS_SOURCE: true + HAS_SOURCE: true, + SOURCELINK_SUFFIX: '.txt' }; </script> <script type="text/javascript" src="../../_static/jquery.js"></script> <script type="text/javascript" src="../../_static/underscore.js"></script> <script type="text/javascript" src="../../_static/doctools.js"></script> <link rel="author" title="About these documents" href="../../about.html" /> + <link rel="index" title="Index" href="../../genindex.html" /> + <link rel="search" title="Search" href="../../search.html" /> <link rel="copyright" title="Copyright" href="../../copyright.html" /> - <link rel="top" title="MIT Kerberos Documentation" href="../../index.html" /> - <link rel="up" title="User commands" href="index.html" /> <link rel="next" title="kswitch" href="kswitch.html" /> <link rel="prev" title="krb5-config" href="krb5-config.html" /> </head> @@ -61,7 +59,7 @@ <div class="documentwrapper"> <div class="bodywrapper"> - <div class="body"> + <div class="body" role="main"> <div class="section" id="ksu"> <span id="ksu-1"></span><h1>ksu<a class="headerlink" href="#ksu" title="Permalink to this headline">¶</a></h1> 
@@ -73,11 +71,12 @@ [ <strong>-c</strong> <em>source_cache_name</em> ] [ <strong>-k</strong> ] [ <strong>-r</strong> time ] -[ <strong>-pf</strong> ] +[ <strong>-p</strong> | <strong>-P</strong>] +[ <strong>-f</strong> | <strong>-F</strong>] [ <strong>-l</strong> <em>lifetime</em> ] [ <strong>-z | Z</strong> ] [ <strong>-q</strong> ] -[ <strong>-e</strong> <em>command</em> [ args ... ] ] [ <strong>-a</strong> [ args ... ] ]</p> +[ <strong>-e</strong> <em>command</em> [ args … ] ] [ <strong>-a</strong> [ args … ] ]</p> </div> <div class="section" id="requirements"> <h2>REQUIREMENTS<a class="headerlink" href="#requirements" title="Permalink to this headline">¶</a></h2> @@ -92,10 +91,10 @@ the target user, and the other is to create a new security context.</p> <div class="admonition note"> <p class="first admonition-title">Note</p> <p>For the sake of clarity, all references to and attributes of -the user invoking the program will start with “source” -(e.g., “source user”, “source cache”, etc.).</p> +the user invoking the program will start with “source” +(e.g., “source user”, “source cache”, etc.).</p> <p class="last">Likewise, all references to and attributes of the target -account will start with “target”.</p> +account will start with “target”.</p> </div> </div> <div class="section" id="authentication"> 
@@ -103,19 +102,19 @@ account will start with “target”.</p> <p>To fulfill the first mission, ksu operates in two phases: authentication and authorization. Resolving the target principal name is the first step in authentication. The user can either specify his -principal name with the <strong>-n</strong> option (e.g., <tt class="docutils literal"><span class="pre">-n</span> <span class="pre">jqpublic@USC.EDU</span></tt>) +principal name with the <strong>-n</strong> option (e.g., <code class="docutils literal"><span class="pre">-n</span> <span class="pre">jqpublic@USC.EDU</span></code>) or a default principal name will be assigned using a heuristic described in the OPTIONS section (see <strong>-n</strong> option). The target user name must be the first argument to ksu; if not specified root is the -default. If <tt class="docutils literal"><span class="pre">.</span></tt> is specified then the target user will be the -source user (e.g., <tt class="docutils literal"><span class="pre">ksu</span> <span class="pre">.</span></tt>). If the source user is root or the +default. If <code class="docutils literal"><span class="pre">.</span></code> is specified then the target user will be the +source user (e.g., <code class="docutils literal"><span class="pre">ksu</span> <span class="pre">.</span></code>). If the source user is root or the target user is the source user, no authentication or authorization takes place. Otherwise, ksu looks for an appropriate Kerberos ticket in the source cache.</p> <p>The ticket can either be for the end-server or a ticket granting -ticket (TGT) for the target principal’s realm. If the ticket for the -end-server is already in the cache, it’s decrypted and verified. If -it’s not in the cache but the TGT is, the TGT is used to obtain the +ticket (TGT) for the target principal’s realm. If the ticket for the +end-server is already in the cache, it’s decrypted and verified. 
If +it’s not in the cache but the TGT is, the TGT is used to obtain the ticket for the end-server. The end-server ticket is then verified. If neither ticket is in the cache, but ksu is compiled with the <strong>GET_TGT_VIA_PASSWD</strong> define, the user will be prompted for a @@ -131,14 +130,14 @@ invoked without the <strong>-e</strong> option. For a description of the <stron option, see the OPTIONS section.</p> <p>Upon successful authentication, ksu checks whether the target principal is authorized to access the target account. In the target -user’s home directory, ksu attempts to access two authorization files: -<a class="reference internal" href="../user_config/k5login.html#k5login-5"><em>.k5login</em></a> and .k5users. In the .k5login file each line +user’s home directory, ksu attempts to access two authorization files: +<a class="reference internal" href="../user_config/k5login.html#k5login-5"><span class="std std-ref">.k5login</span></a> and .k5users. In the .k5login file each line contains the name of a principal that is authorized to access the account.</p> <p>For example:</p> -<div class="highlight-python"><div class="highlight"><pre>jqpublic@USC.EDU -jqpublic/secure@USC.EDU -jqpublic/admin@USC.EDU +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">jqpublic</span><span class="nd">@USC</span><span class="o">.</span><span class="n">EDU</span> +<span class="n">jqpublic</span><span class="o">/</span><span class="n">secure</span><span class="nd">@USC</span><span class="o">.</span><span class="n">EDU</span> +<span class="n">jqpublic</span><span class="o">/</span><span class="n">admin</span><span class="nd">@USC</span><span class="o">.</span><span class="n">EDU</span> </pre></div> </div> <p>The format of .k5users is the same, except the principal name may be 
@@ -147,7 +146,7 @@ execute (see the <strong>-e</strong> option in the OPTIONS section for details). <p>Thus if the target principal name is found in the .k5login file the source user is authorized to access the target account. Otherwise ksu looks in the .k5users file. If the target principal name is found -without any trailing commands or followed only by <tt class="docutils literal"><span class="pre">*</span></tt> then the +without any trailing commands or followed only by <code class="docutils literal"><span class="pre">*</span></code> then the source user is authorized. If either .k5login or .k5users exist but an appropriate entry for the target principal does not exist then access is denied. If neither file exists then the principal will be @@ -160,10 +159,10 @@ rules. Otherwise, authorization fails.</p> similar fashion to su. The environment is unmodified with the exception of USER, HOME and SHELL variables. If the target user is not root, USER gets set to the target user name. Otherwise USER -remains unchanged. Both HOME and SHELL are set to the target login’s +remains unchanged. Both HOME and SHELL are set to the target login’s default values. In addition, the environment variable <strong>KRB5CCNAME</strong> gets set to the name of the target cache. The real and effective user -ID are changed to that of the target user. The target user’s shell is +ID are changed to that of the target user. The target user’s shell is then invoked (the shell name is specified in the password file). Upon termination of the shell, ksu deletes the target cache (unless ksu is invoked with the <strong>-k</strong> option). This is implemented by first doing a 
@@ -197,7 +196,7 @@ wrong password is typed in, ksu fails.</p> <div class="admonition note"> <p class="first admonition-title">Note</p> <p class="last">During authentication, only the tickets that could be -obtained without providing a password are cached in in the +obtained without providing a password are cached in the source cache.</p> </div> </div> @@ -214,10 +213,10 @@ assigned via the following heuristic:</p> <p>If the target user is the source user the default principal name is set to the default principal of the source cache. If the cache does not exist then the default principal name is set to -<tt class="docutils literal"><span class="pre">target_user@local_realm</span></tt>. If the source and target users are -different and neither <tt class="docutils literal"><span class="pre">~target_user/.k5users</span></tt> nor -<tt class="docutils literal"><span class="pre">~target_user/.k5login</span></tt> exist then the default principal name -is <tt class="docutils literal"><span class="pre">target_user_login_name@local_realm</span></tt>. Otherwise, starting +<code class="docutils literal"><span class="pre">target_user@local_realm</span></code>. If the source and target users are +different and neither <code class="docutils literal"><span class="pre">~target_user/.k5users</span></code> nor +<code class="docutils literal"><span class="pre">~target_user/.k5login</span></code> exist then the default principal name +is <code class="docutils literal"><span class="pre">target_user_login_name@local_realm</span></code>. Otherwise, starting with the first principal listed below, ksu checks if the principal is authorized to access the target account and whether there is a legitimate ticket for that principal in the source 
@@ -238,31 +237,31 @@ follows:</p> <p>For each candidate in the above list, select an authorized principal that has the same realm name and first part of the principal name equal to the prefix of the candidate. For -example if candidate a) is <tt class="docutils literal"><span class="pre">jqpublic@ISI.EDU</span></tt> and -<tt class="docutils literal"><span class="pre">jqpublic/secure@ISI.EDU</span></tt> is authorized to access the target +example if candidate a) is <code class="docutils literal"><span class="pre">jqpublic@ISI.EDU</span></code> and +<code class="docutils literal"><span class="pre">jqpublic/secure@ISI.EDU</span></code> is authorized to access the target account then the default principal is set to -<tt class="docutils literal"><span class="pre">jqpublic/secure@ISI.EDU</span></tt>.</p> +<code class="docutils literal"><span class="pre">jqpublic/secure@ISI.EDU</span></code>.</p> </li> <li><p class="first">Case 2: source user is root.</p> <p>If the target user is non-root then the default principal name -is <tt class="docutils literal"><span class="pre">target_user@local_realm</span></tt>. Else, if the source cache +is <code class="docutils literal"><span class="pre">target_user@local_realm</span></code>. Else, if the source cache exists the default principal name is set to the default principal of the source cache. If the source cache does not -exist, default principal name is set to <tt class="docutils literal"><span class="pre">root\@local_realm</span></tt>.</p> +exist, default principal name is set to <code class="docutils literal"><span class="pre">root\@local_realm</span></code>.</p> </li> </ul> </dd> </dl> <p><strong>-c</strong> <em>source_cache_name</em></p> <blockquote> -<div><p>Specify source cache name (e.g., <tt class="docutils literal"><span class="pre">-c</span> <span class="pre">FILE:/tmp/my_cache</span></tt>). 
If +<div><p>Specify source cache name (e.g., <code class="docutils literal"><span class="pre">-c</span> <span class="pre">FILE:/tmp/my_cache</span></code>). If <strong>-c</strong> option is not used then the name is obtained from <strong>KRB5CCNAME</strong> environment variable. If <strong>KRB5CCNAME</strong> is not -defined the source cache name is set to <tt class="docutils literal"><span class="pre">krb5cc_<source</span> <span class="pre">uid></span></tt>. -The target cache name is automatically set to <tt class="docutils literal"><span class="pre">krb5cc_<target</span> -<span class="pre">uid>.(gen_sym())</span></tt>, where gen_sym generates a new number such that +defined the source cache name is set to <code class="docutils literal"><span class="pre">krb5cc_<source</span> <span class="pre">uid></span></code>. +The target cache name is automatically set to <code class="docutils literal"><span class="pre">krb5cc_<target</span> +<span class="pre">uid>.(gen_sym())</span></code>, where gen_sym generates a new number such that the resulting cache does not already exist. For example:</p> -<div class="highlight-python"><div class="highlight"><pre>krb5cc_1984.2 +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">krb5cc_1984</span><span class="o">.</span><span class="mi">2</span> </pre></div> </div> </div></blockquote> @@ -278,7 +277,7 @@ name. Use the <strong>-n</strong> option if you want the tickets for other then the default principal. Note that the <strong>-z</strong> option is mutually exclusive with the <strong>-Z</strong> option.</dd> <dt><strong>-Z</strong></dt> -<dd>Don’t copy any tickets from the source cache to the target cache. +<dd>Don’t copy any tickets from the source cache to the target cache. Just create a fresh target cache, where the default principal name of the cache is initialized to the target principal name. Note that the <strong>-Z</strong> option is mutually exclusive with the <strong>-z</strong> 
@@ -288,7 +287,7 @@ option.</dd> </dl> <p>Ticket granting ticket options:</p> <dl class="docutils"> -<dt><strong>-l</strong> <em>lifetime</em> <strong>-r</strong> <em>time</em> <strong>-pf</strong></dt> +<dt><strong>-l</strong> <em>lifetime</em> <strong>-r</strong> <em>time</em> <strong>-p</strong> <strong>-P</strong> <strong>-f</strong> <strong>-F</strong></dt> <dd>The ticket granting ticket options only apply to the case where there are no appropriate tickets in the cache to authenticate the source user. In this case if ksu is configured to prompt users 
@@ -296,58 +295,66 @@ for a Kerberos password (<strong>GET_TGT_VIA_PASSWD</strong> is defined), the ticket granting ticket options that are specified will be used when getting a ticket granting ticket from the Kerberos server.</dd> <dt><strong>-l</strong> <em>lifetime</em></dt> -<dd>(<a class="reference internal" href="../../basic/date_format.html#duration"><em>Time duration</em></a> string.) Specifies the lifetime to be requested +<dd>(<a class="reference internal" href="../../basic/date_format.html#duration"><span class="std std-ref">Time duration</span></a> string.) Specifies the lifetime to be requested for the ticket; if this option is not specified, the default ticket lifetime (12 hours) is used instead.</dd> <dt><strong>-r</strong> <em>time</em></dt> -<dd>(<a class="reference internal" href="../../basic/date_format.html#duration"><em>Time duration</em></a> string.) Specifies that the <strong>renewable</strong> option +<dd>(<a class="reference internal" href="../../basic/date_format.html#duration"><span class="std std-ref">Time duration</span></a> string.) 
Specifies that the <strong>renewable</strong> option should be requested for the ticket, and specifies the desired total lifetime of the ticket.</dd> <dt><strong>-p</strong></dt> <dd>specifies that the <strong>proxiable</strong> option should be requested for the ticket.</dd> +<dt><strong>-P</strong></dt> +<dd>specifies that the <strong>proxiable</strong> option should not be requested +for the ticket, even if the default configuration is to ask for +proxiable tickets.</dd> <dt><strong>-f</strong></dt> <dd>option specifies that the <strong>forwardable</strong> option should be requested for the ticket.</dd> -<dt><strong>-e</strong> <em>command</em> [<em>args</em> ...]</dt> +<dt><strong>-F</strong></dt> +<dd>option specifies that the <strong>forwardable</strong> option should not be +requested for the ticket, even if the default configuration is to +ask for forwardable tickets.</dd> +<dt><strong>-e</strong> <em>command</em> [<em>args</em> …]</dt> <dd><p class="first">ksu proceeds exactly the same as if it was invoked without the <strong>-e</strong> option, except instead of executing the target shell, ksu executes the specified command. Example of usage:</p> -<div class="highlight-python"><div class="highlight"><pre>ksu bob -e ls -lag +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">ksu</span> <span class="n">bob</span> <span class="o">-</span><span class="n">e</span> <span class="n">ls</span> <span class="o">-</span><span class="n">lag</span> </pre></div> </div> <p>The authorization algorithm for <strong>-e</strong> is as follows:</p> <p>If the source user is root or source user == target user, no authorization takes place and the command is executed. If source -user id != 0, and <tt class="docutils literal"><span class="pre">~target_user/.k5users</span></tt> file does not exist, -authorization fails. 
Otherwise, <tt class="docutils literal"><span class="pre">~target_user/.k5users</span></tt> file +user id != 0, and <code class="docutils literal"><span class="pre">~target_user/.k5users</span></code> file does not exist, +authorization fails. Otherwise, <code class="docutils literal"><span class="pre">~target_user/.k5users</span></code> file must have an appropriate entry for target principal to get authorized.</p> <p>The .k5users file format:</p> <p>A single principal entry on each line that may be followed by a list of commands that the principal is authorized to execute. A -principal name followed by a <tt class="docutils literal"><span class="pre">*</span></tt> means that the user is +principal name followed by a <code class="docutils literal"><span class="pre">*</span></code> means that the user is authorized to execute any command. Thus, in the following example:</p> -<div class="highlight-python"><div class="highlight"><pre>jqpublic@USC.EDU ls mail /local/kerberos/klist -jqpublic/secure@USC.EDU * -jqpublic/admin@USC.EDU +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">jqpublic</span><span class="nd">@USC</span><span class="o">.</span><span class="n">EDU</span> <span class="n">ls</span> <span class="n">mail</span> <span class="o">/</span><span class="n">local</span><span class="o">/</span><span class="n">kerberos</span><span class="o">/</span><span class="n">klist</span> +<span class="n">jqpublic</span><span class="o">/</span><span class="n">secure</span><span class="nd">@USC</span><span class="o">.</span><span class="n">EDU</span> <span class="o">*</span> +<span class="n">jqpublic</span><span class="o">/</span><span class="n">admin</span><span class="nd">@USC</span><span class="o">.</span><span class="n">EDU</span> </pre></div> </div> -<p><tt class="docutils literal"><span class="pre">jqpublic@USC.EDU</span></tt> is only authorized to execute <tt class="docutils literal"><span class="pre">ls</span></tt>, -<tt 
class="docutils literal"><span class="pre">mail</span></tt> and <tt class="docutils literal"><span class="pre">klist</span></tt> commands. <tt class="docutils literal"><span class="pre">jqpublic/secure@USC.EDU</span></tt> is -authorized to execute any command. <tt class="docutils literal"><span class="pre">jqpublic/admin@USC.EDU</span></tt> is +<p><code class="docutils literal"><span class="pre">jqpublic@USC.EDU</span></code> is only authorized to execute <code class="docutils literal"><span class="pre">ls</span></code>, +<code class="docutils literal"><span class="pre">mail</span></code> and <code class="docutils literal"><span class="pre">klist</span></code> commands. <code class="docutils literal"><span class="pre">jqpublic/secure@USC.EDU</span></code> is +authorized to execute any command. <code class="docutils literal"><span class="pre">jqpublic/admin@USC.EDU</span></code> is not authorized to execute any command. Note, that -<tt class="docutils literal"><span class="pre">jqpublic/admin@USC.EDU</span></tt> is authorized to execute the target +<code class="docutils literal"><span class="pre">jqpublic/admin@USC.EDU</span></code> is authorized to execute the target shell (regular ksu, without the <strong>-e</strong> option) but -<tt class="docutils literal"><span class="pre">jqpublic@USC.EDU</span></tt> is not.</p> +<code class="docutils literal"><span class="pre">jqpublic@USC.EDU</span></code> is not.</p> <p>The commands listed after the principal name must be either a full path names or just the program name. In the second case, <strong>CMD_PATH</strong> specifying the location of authorized programs must be defined at the compilation time of ksu. 
Which command gets executed?</p> <p class="last">If the source user is root or the target user is the source user -or the user is authorized to execute any command (<tt class="docutils literal"><span class="pre">*</span></tt> entry) +or the user is authorized to execute any command (<code class="docutils literal"><span class="pre">*</span></code> entry) then command can be either a full or a relative path leading to the target program. Otherwise, the user must specify either a full path or just the program name.</p> @@ -358,7 +365,7 @@ flags and parameters following -a will be passed to the shell, thus all options intended for ksu must precede <strong>-a</strong>.</p> <p>The <strong>-a</strong> option can be used to simulate the <strong>-e</strong> option if used as follows:</p> -<div class="highlight-python"><div class="highlight"><pre>-a -c [command [arguments]]. +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="o">-</span><span class="n">a</span> <span class="o">-</span><span class="n">c</span> <span class="p">[</span><span class="n">command</span> <span class="p">[</span><span class="n">arguments</span><span class="p">]]</span><span class="o">.</span> </pre></div> </div> <p class="last"><strong>-c</strong> is interpreted by the c-shell to execute the command.</p> 
@@ -385,19 +392,19 @@ the .k5users file as described in the OPTIONS section <dd>Specifies a list of directories containing programs that users are authorized to execute (via .k5users file).</dd> <dt><strong>HAVE_GETUSERSHELL</strong></dt> -<dd>If the source user is non-root, ksu insists that the target user’s -shell to be invoked is a “legal shell”. <em>getusershell(3)</em> is -called to obtain the names of “legal shells”. Note that the -target user’s shell is obtained from the passwd file.</dd> +<dd>If the source user is non-root, ksu insists that the target user’s +shell to be invoked is a “legal shell”. <em>getusershell(3)</em> is +called to obtain the names of “legal shells”. Note that the +target user’s shell is obtained from the passwd file.</dd> </dl> <p>Sample configuration:</p> -<div class="highlight-python"><div class="highlight"><pre>KSU_OPTS = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /usr/ucb /local/bin" +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">KSU_OPTS</span> <span class="o">=</span> <span class="o">-</span><span class="n">DGET_TGT_VIA_PASSWD</span> <span class="o">-</span><span class="n">DPRINC_LOOK_AHEAD</span> <span class="o">-</span><span class="n">DCMD_PATH</span><span class="o">=</span><span class="s1">'"/bin /usr/ucb /local/bin"</span> </pre></div> </div> <p>ksu should be owned by root and have the set user id bit turned on.</p> <p>ksu attempts to get a ticket for the end server just as Kerberized telnet and rlogin. Thus, there must be an entry for the server in the -Kerberos database (e.g., <tt class="docutils literal"><span class="pre">host/nii.isi.edu@ISI.EDU</span></tt>). The keytab +Kerberos database (e.g., <code class="docutils literal"><span class="pre">host/nii.isi.edu@ISI.EDU</span></code>). The keytab file must be in an appropriate location.</p> </div> <div class="section" id="side-effects"> 
@@ -408,6 +415,15 @@ file must be in an appropriate location.</p> <h2>AUTHOR OF KSU<a class="headerlink" href="#author-of-ksu" title="Permalink to this headline">¶</a></h2> <p>GENNADY (ARI) MEDVINSKY</p> </div> +<div class="section" id="environment"> +<h2>ENVIRONMENT<a class="headerlink" href="#environment" title="Permalink to this headline">¶</a></h2> +<p>See <a class="reference internal" href="../user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a> for a description of Kerberos environment +variables.</p> +</div> +<div class="section" id="see-also"> +<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2> +<p><a class="reference internal" href="../user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a>, <a class="reference internal" href="kinit.html#kinit-1"><span class="std std-ref">kinit</span></a></p> +</div> </div> @@ -430,6 +446,8 @@ file must be in an appropriate location.</p> <li><a class="reference internal" href="#installation-instructions">INSTALLATION INSTRUCTIONS</a></li> <li><a class="reference internal" href="#side-effects">SIDE EFFECTS</a></li> <li><a class="reference internal" href="#author-of-ksu">AUTHOR OF KSU</a></li> +<li><a class="reference internal" href="#environment">ENVIRONMENT</a></li> +<li><a class="reference internal" href="#see-also">SEE ALSO</a></li> </ul> </li> </ul> 
@@ -447,7 +465,7 @@ file must be in an appropriate location.</p> <li class="toctree-l3"><a class="reference internal" href="klist.html">klist</a></li> <li class="toctree-l3"><a class="reference internal" href="kpasswd.html">kpasswd</a></li> <li class="toctree-l3"><a class="reference internal" href="krb5-config.html">krb5-config</a></li> -<li class="toctree-l3 current"><a class="current reference internal" href="">ksu</a></li> +<li class="toctree-l3 current"><a class="current reference internal" href="#">ksu</a></li> <li class="toctree-l3"><a class="reference internal" href="kswitch.html">kswitch</a></li> <li class="toctree-l3"><a class="reference internal" href="kvno.html">kvno</a></li> <li class="toctree-l3"><a class="reference internal" href="sclient.html">sclient</a></li> @@ -483,8 +501,8 @@ file must be in an appropriate location.</p> <div class="footer-wrapper"> <div class="footer" > - <div class="right" ><i>Release: 1.16</i><br /> - © <a href="../../copyright.html">Copyright</a> 1985-2017, MIT. + <div class="right" ><i>Release: 1.21.1</i><br /> + © <a href="../../copyright.html">Copyright</a> 1985-2023, MIT. </div> <div class="left"> diff --git a/doc/html/user/user_commands/kswitch.html b/doc/html/user/user_commands/kswitch.html index c141ef3eb6c3..ce52574b1221 100644 --- a/doc/html/user/user_commands/kswitch.html +++ b/doc/html/user/user_commands/kswitch.html 
@@ -1,33 +1,31 @@ + <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> - <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> - - <title>kswitch — MIT Kerberos Documentation</title> - + <title>kswitch — MIT Kerberos Documentation</title> <link rel="stylesheet" href="../../_static/agogo.css" type="text/css" /> <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" /> <link rel="stylesheet" href="../../_static/kerb.css" type="text/css" /> - <script type="text/javascript"> var DOCUMENTATION_OPTIONS = { URL_ROOT: '../../', - VERSION: '1.16', + VERSION: '1.21.1', COLLAPSE_INDEX: false, FILE_SUFFIX: '.html', - HAS_SOURCE: true + HAS_SOURCE: true, + SOURCELINK_SUFFIX: '.txt' }; </script> <script type="text/javascript" src="../../_static/jquery.js"></script> <script type="text/javascript" src="../../_static/underscore.js"></script> <script type="text/javascript" src="../../_static/doctools.js"></script> <link rel="author" title="About these documents" href="../../about.html" /> + <link rel="index" title="Index" href="../../genindex.html" /> + <link rel="search" title="Search" href="../../search.html" /> <link rel="copyright" title="Copyright" href="../../copyright.html" /> - <link rel="top" title="MIT Kerberos Documentation" href="../../index.html" /> - <link rel="up" title="User commands" href="index.html" /> <link rel="next" title="kvno" href="kvno.html" /> <link rel="prev" title="ksu" href="ksu.html" /> </head> @@ -61,7 +59,7 @@ <div class="documentwrapper"> <div class="bodywrapper"> - <div class="body"> + <div class="body" role="main"> <div class="section" id="kswitch"> <span id="kswitch-1"></span><h1>kswitch<a class="headerlink" href="#kswitch" title="Permalink to this headline">¶</a></h1> 
@@ -88,27 +86,20 @@ made primary.</dd> </div> <div class="section" id="environment"> <h2>ENVIRONMENT<a class="headerlink" href="#environment" title="Permalink to this headline">¶</a></h2> -<p>kswitch uses the following environment variables:</p> -<dl class="docutils"> -<dt><strong>KRB5CCNAME</strong></dt> -<dd>Location of the default Kerberos 5 credentials (ticket) cache, in -the form <em>type</em>:<em>residual</em>. If no <em>type</em> prefix is present, the -<strong>FILE</strong> type is assumed. The type of the default cache may -determine the availability of a cache collection; for instance, a -default cache of type <strong>DIR</strong> causes caches within the directory -to be present in the collection.</dd> -</dl> +<p>See <a class="reference internal" href="../user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a> for a description of Kerberos environment +variables.</p> </div> <div class="section" id="files"> <h2>FILES<a class="headerlink" href="#files" title="Permalink to this headline">¶</a></h2> <dl class="docutils"> -<dt><a class="reference internal" href="../../mitK5defaults.html#paths"><em>DEFCCNAME</em></a></dt> +<dt><a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">DEFCCNAME</span></a></dt> <dd>Default location of Kerberos 5 credentials cache</dd> </dl> </div> <div class="section" id="see-also"> <h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2> -<p><a class="reference internal" href="kinit.html#kinit-1"><em>kinit</em></a>, <a class="reference internal" href="kdestroy.html#kdestroy-1"><em>kdestroy</em></a>, <a class="reference internal" href="klist.html#klist-1"><em>klist</em></a>), kerberos(1)</p> +<p><a class="reference internal" href="kinit.html#kinit-1"><span class="std std-ref">kinit</span></a>, <a class="reference internal" href="kdestroy.html#kdestroy-1"><span class="std std-ref">kdestroy</span></a>, <a class="reference 
internal" href="klist.html#klist-1"><span class="std std-ref">klist</span></a>, +<a class="reference internal" href="../user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a></p> </div> </div> @@ -145,7 +136,7 @@ to be present in the collection.</dd> <li class="toctree-l3"><a class="reference internal" href="kpasswd.html">kpasswd</a></li> <li class="toctree-l3"><a class="reference internal" href="krb5-config.html">krb5-config</a></li> <li class="toctree-l3"><a class="reference internal" href="ksu.html">ksu</a></li> -<li class="toctree-l3 current"><a class="current reference internal" href="">kswitch</a></li> +<li class="toctree-l3 current"><a class="current reference internal" href="#">kswitch</a></li> <li class="toctree-l3"><a class="reference internal" href="kvno.html">kvno</a></li> <li class="toctree-l3"><a class="reference internal" href="sclient.html">sclient</a></li> </ul> @@ -180,8 +171,8 @@ to be present in the collection.</dd> <div class="footer-wrapper"> <div class="footer" > - <div class="right" ><i>Release: 1.16</i><br /> - © <a href="../../copyright.html">Copyright</a> 1985-2017, MIT. + <div class="right" ><i>Release: 1.21.1</i><br /> + © <a href="../../copyright.html">Copyright</a> 1985-2023, MIT. </div> <div class="left"> diff --git a/doc/html/user/user_commands/kvno.html b/doc/html/user/user_commands/kvno.html index 99f37f9ff0cd..e9d4fbce4241 100644 --- a/doc/html/user/user_commands/kvno.html +++ b/doc/html/user/user_commands/kvno.html 
@@ -1,33 +1,31 @@ + <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> - <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> - - <title>kvno — MIT Kerberos Documentation</title> - + <title>kvno — MIT Kerberos Documentation</title> <link rel="stylesheet" href="../../_static/agogo.css" type="text/css" /> <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" /> <link rel="stylesheet" href="../../_static/kerb.css" type="text/css" /> - <script type="text/javascript"> var DOCUMENTATION_OPTIONS = { URL_ROOT: '../../', - VERSION: '1.16', + VERSION: '1.21.1', COLLAPSE_INDEX: false, FILE_SUFFIX: '.html', - HAS_SOURCE: true + HAS_SOURCE: true, + SOURCELINK_SUFFIX: '.txt' }; </script> <script type="text/javascript" src="../../_static/jquery.js"></script> <script type="text/javascript" src="../../_static/underscore.js"></script> <script type="text/javascript" src="../../_static/doctools.js"></script> <link rel="author" title="About these documents" href="../../about.html" /> + <link rel="index" title="Index" href="../../genindex.html" /> + <link rel="search" title="Search" href="../../search.html" /> <link rel="copyright" title="Copyright" href="../../copyright.html" /> - <link rel="top" title="MIT Kerberos Documentation" href="../../index.html" /> - <link rel="up" title="User commands" href="index.html" /> <link rel="next" title="sclient" href="sclient.html" /> <link rel="prev" title="kswitch" href="kswitch.html" /> </head> @@ -61,7 +59,7 @@ <div class="documentwrapper"> <div class="bodywrapper"> - <div class="body"> + <div class="body" role="main"> <div class="section" id="kvno"> <span id="kvno-1"></span><h1>kvno<a class="headerlink" href="#kvno" title="Permalink to this headline">¶</a></h1> 
@@ -70,12 +68,15 @@ <p><strong>kvno</strong> [<strong>-c</strong> <em>ccache</em>] [<strong>-e</strong> <em>etype</em>] +[<strong>-k</strong> <em>keytab</em>] [<strong>-q</strong>] -[<strong>-h</strong>] +[<strong>-u</strong> | <strong>-S</strong> <em>sname</em>] [<strong>-P</strong>] -[<strong>-S</strong> <em>sname</em>] -[<strong>-U</strong> <em>for_user</em>] -<em>service1 service2</em> ...</p> +[<strong>–cached-only</strong>] +[<strong>–no-store</strong>] +[<strong>–out-cache</strong> <em>cache</em>] +[[{<strong>-F</strong> <em>cert_file</em> | {<strong>-I</strong> | <strong>-U</strong>} <em>for_user</em>} [<strong>-P</strong>]] | <strong>–u2u</strong> <em>ccache</em>] +<em>service1 service2</em> …</p> </div> <div class="section" id="description"> <h2>DESCRIPTION<a class="headerlink" href="#description" title="Permalink to this headline">¶</a></h2> 
@@ -92,48 +93,71 @@ default)</dd> <dd>Specifies the enctype which will be requested for the session key of all the services named on the command line. This is useful in certain backward compatibility situations.</dd> +<dt><strong>-k</strong> <em>keytab</em></dt> +<dd>Decrypt the acquired tickets using <em>keytab</em> to confirm their +validity.</dd> <dt><strong>-q</strong></dt> <dd>Suppress printing output when successful. If a service ticket cannot be obtained, an error message will still be printed and kvno will exit with nonzero status.</dd> -<dt><strong>-h</strong></dt> -<dd>Prints a usage statement and exits.</dd> +<dt><strong>-u</strong></dt> +<dd>Use the unknown name type in requested service principal names. +This option Cannot be used with <em>-S</em>.</dd> <dt><strong>-P</strong></dt> -<dd>Specifies that the <em>service1 service2</em> ... arguments are to be +<dd>Specifies that the <em>service1 service2</em> … arguments are to be treated as services for which credentials should be acquired using constrained delegation. This option is only valid when used in conjunction with protocol transition.</dd> <dt><strong>-S</strong> <em>sname</em></dt> -<dd>Specifies that the <em>service1 service2</em> ... arguments are +<dd>Specifies that the <em>service1 service2</em> … arguments are interpreted as hostnames, and the service principals are to be constructed from those hostnames and the service name <em>sname</em>. The service hostnames will be canonicalized according to the usual rules for constructing service principals.</dd> -<dt><strong>-U</strong> <em>for_user</em></dt> +<dt><strong>-I</strong> <em>for_user</em></dt> <dd>Specifies that protocol transition (S4U2Self) is to be used to acquire a ticket on behalf of <em>for_user</em>. 
If constrained delegation is not requested, the service name must match the credentials cache client principal.</dd> +<dt><strong>-U</strong> <em>for_user</em></dt> +<dd>Same as -I, but treats <em>for_user</em> as an enterprise name.</dd> +<dt><strong>-F</strong> <em>cert_file</em></dt> +<dd>Specifies that protocol transition is to be used, identifying the +client principal with the X.509 certificate in <em>cert_file</em>. The +certificate file must be in PEM format.</dd> +<dt><strong>–cached-only</strong></dt> +<dd>Only retrieve credentials already present in the cache, not from +the KDC. (Added in release 1.19.)</dd> +<dt><strong>–no-store</strong></dt> +<dd>Do not store retrieved credentials in the cache. If +<strong>–out-cache</strong> is also specified, credentials will still be +stored into the output credential cache. (Added in release 1.19.)</dd> +<dt><strong>–out-cache</strong> <em>ccache</em></dt> +<dd>Initialize <em>ccache</em> and store all retrieved credentials into it. +Do not store acquired credentials in the input cache. (Added in +release 1.19.)</dd> +<dt><strong>–u2u</strong> <em>ccache</em></dt> +<dd>Requests a user-to-user ticket. <em>ccache</em> must contain a local +krbtgt ticket for the server principal. 
The reported version +number will typically be 0, as the resulting ticket is not +encrypted in the server’s long-term key.</dd> </dl> </div> <div class="section" id="environment"> <h2>ENVIRONMENT<a class="headerlink" href="#environment" title="Permalink to this headline">¶</a></h2> -<p>kvno uses the following environment variable:</p> -<dl class="docutils"> -<dt><strong>KRB5CCNAME</strong></dt> -<dd>Location of the credentials (ticket) cache.</dd> -</dl> +<p>See <a class="reference internal" href="../user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a> for a description of Kerberos environment +variables.</p> </div> <div class="section" id="files"> <h2>FILES<a class="headerlink" href="#files" title="Permalink to this headline">¶</a></h2> <dl class="docutils"> -<dt><a class="reference internal" href="../../mitK5defaults.html#paths"><em>DEFCCNAME</em></a></dt> +<dt><a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">DEFCCNAME</span></a></dt> <dd>Default location of the credentials cache</dd> </dl> </div> <div class="section" id="see-also"> <h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2> -<p><a class="reference internal" href="kinit.html#kinit-1"><em>kinit</em></a>, <a class="reference internal" href="kdestroy.html#kdestroy-1"><em>kdestroy</em></a></p> +<p><a class="reference internal" href="kinit.html#kinit-1"><span class="std std-ref">kinit</span></a>, <a class="reference internal" href="kdestroy.html#kdestroy-1"><span class="std std-ref">kdestroy</span></a>, <a class="reference internal" href="../user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a></p> </div> </div> 
@@ -171,7 +195,7 @@ credentials cache client principal.</dd> <li class="toctree-l3"><a class="reference internal" href="krb5-config.html">krb5-config</a></li> <li class="toctree-l3"><a class="reference internal" href="ksu.html">ksu</a></li> <li class="toctree-l3"><a class="reference internal" href="kswitch.html">kswitch</a></li> -<li class="toctree-l3 current"><a class="current reference internal" href="">kvno</a></li> +<li class="toctree-l3 current"><a class="current reference internal" href="#">kvno</a></li> <li class="toctree-l3"><a class="reference internal" href="sclient.html">sclient</a></li> </ul> </li> @@ -205,8 +229,8 @@ credentials cache client principal.</dd> <div class="footer-wrapper"> <div class="footer" > - <div class="right" ><i>Release: 1.16</i><br /> - © <a href="../../copyright.html">Copyright</a> 1985-2017, MIT. + <div class="right" ><i>Release: 1.21.1</i><br /> + © <a href="../../copyright.html">Copyright</a> 1985-2023, MIT. </div> <div class="left"> diff --git a/doc/html/user/user_commands/sclient.html b/doc/html/user/user_commands/sclient.html index 141ff0aaef1d..20e98668ae61 100644 --- a/doc/html/user/user_commands/sclient.html +++ b/doc/html/user/user_commands/sclient.html 
@@ -1,33 +1,31 @@ + <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> - <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> - - <title>sclient — MIT Kerberos Documentation</title> - + <title>sclient — MIT Kerberos Documentation</title> <link rel="stylesheet" href="../../_static/agogo.css" type="text/css" /> <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" /> <link rel="stylesheet" href="../../_static/kerb.css" type="text/css" /> - <script type="text/javascript"> var DOCUMENTATION_OPTIONS = { URL_ROOT: '../../', - VERSION: '1.16', + VERSION: '1.21.1', COLLAPSE_INDEX: false, FILE_SUFFIX: '.html', - HAS_SOURCE: true + HAS_SOURCE: true, + SOURCELINK_SUFFIX: '.txt' }; </script> <script type="text/javascript" src="../../_static/jquery.js"></script> <script type="text/javascript" src="../../_static/underscore.js"></script> <script type="text/javascript" src="../../_static/doctools.js"></script> <link rel="author" title="About these documents" href="../../about.html" /> + <link rel="index" title="Index" href="../../genindex.html" /> + <link rel="search" title="Search" href="../../search.html" /> <link rel="copyright" title="Copyright" href="../../copyright.html" /> - <link rel="top" title="MIT Kerberos Documentation" href="../../index.html" /> - <link rel="up" title="User commands" href="index.html" /> <link rel="next" title="For administrators" href="../../admin/index.html" /> <link rel="prev" title="kvno" href="kvno.html" /> </head> @@ -61,7 +59,7 @@ <div class="documentwrapper"> <div class="bodywrapper"> - <div class="body"> + <div class="body" role="main"> <div class="section" id="sclient"> <span id="sclient-1"></span><h1>sclient<a class="headerlink" href="#sclient" title="Permalink to this headline">¶</a></h1> 
@@ -72,13 +70,18 @@ <div class="section" id="description"> <h2>DESCRIPTION<a class="headerlink" href="#description" title="Permalink to this headline">¶</a></h2> <p>sclient is a sample application, primarily useful for testing -purposes. It contacts a sample server <a class="reference internal" href="../../admin/admin_commands/sserver.html#sserver-8"><em>sserver</em></a> and +purposes. It contacts a sample server <a class="reference internal" href="../../admin/admin_commands/sserver.html#sserver-8"><span class="std std-ref">sserver</span></a> and authenticates to it using Kerberos version 5 tickets, then displays -the server’s response.</p> +the server’s response.</p> +</div> +<div class="section" id="environment"> +<h2>ENVIRONMENT<a class="headerlink" href="#environment" title="Permalink to this headline">¶</a></h2> +<p>See <a class="reference internal" href="../user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a> for a description of Kerberos environment +variables.</p> </div> <div class="section" id="see-also"> <h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2> -<p><a class="reference internal" href="kinit.html#kinit-1"><em>kinit</em></a>, <a class="reference internal" href="../../admin/admin_commands/sserver.html#sserver-8"><em>sserver</em></a></p> +<p><a class="reference internal" href="kinit.html#kinit-1"><span class="std std-ref">kinit</span></a>, <a class="reference internal" href="../../admin/admin_commands/sserver.html#sserver-8"><span class="std std-ref">sserver</span></a>, <a class="reference internal" href="../user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a></p> </div> </div> 
@@ -93,6 +96,7 @@ the server’s response.</p> <li><a class="reference internal" href="#">sclient</a><ul> <li><a class="reference internal" href="#synopsis">SYNOPSIS</a></li> <li><a class="reference internal" href="#description">DESCRIPTION</a></li> +<li><a class="reference internal" href="#environment">ENVIRONMENT</a></li> <li><a class="reference internal" href="#see-also">SEE ALSO</a></li> </ul> </li> @@ -114,7 +118,7 @@ the server’s response.</p> <li class="toctree-l3"><a class="reference internal" href="ksu.html">ksu</a></li> <li class="toctree-l3"><a class="reference internal" href="kswitch.html">kswitch</a></li> <li class="toctree-l3"><a class="reference internal" href="kvno.html">kvno</a></li> -<li class="toctree-l3 current"><a class="current reference internal" href="">sclient</a></li> +<li class="toctree-l3 current"><a class="current reference internal" href="#">sclient</a></li> </ul> </li> </ul> @@ -147,8 +151,8 @@ the server’s response.</p> <div class="footer-wrapper"> <div class="footer" > - <div class="right" ><i>Release: 1.16</i><br /> - © <a href="../../copyright.html">Copyright</a> 1985-2017, MIT. + <div class="right" ><i>Release: 1.21.1</i><br /> + © <a href="../../copyright.html">Copyright</a> 1985-2023, MIT. </div> <div class="left"> |
