Diffstat (limited to 'crypto/krb5/doc/html/_sources/admin/admin_commands')
12 files changed, 0 insertions, 2836 deletions
diff --git a/crypto/krb5/doc/html/_sources/admin/admin_commands/index.rst.txt b/crypto/krb5/doc/html/_sources/admin/admin_commands/index.rst.txt deleted file mode 100644 index e8dc76524ed6..000000000000 --- a/crypto/krb5/doc/html/_sources/admin/admin_commands/index.rst.txt +++ /dev/null @@ -1,17 +0,0 @@ -Administration programs -======================== - -.. toctree:: - :maxdepth: 1 - - kadmin_local.rst - kadmind.rst - kdb5_util.rst - kdb5_ldap_util.rst - krb5kdc.rst - kprop.rst - kpropd.rst - kproplog.rst - ktutil.rst - k5srvutil.rst - sserver.rst diff --git a/crypto/krb5/doc/html/_sources/admin/admin_commands/k5srvutil.rst.txt b/crypto/krb5/doc/html/_sources/admin/admin_commands/k5srvutil.rst.txt deleted file mode 100644 index 79502cf9eb98..000000000000 --- a/crypto/krb5/doc/html/_sources/admin/admin_commands/k5srvutil.rst.txt +++ /dev/null 
@@ -1,69 +0,0 @@ -.. _k5srvutil(1): - -k5srvutil -========= - -SYNOPSIS --------- - -**k5srvutil** *operation* -[**-i**] -[**-f** *filename*] -[**-e** *keysalts*] - -DESCRIPTION ------------ - -k5srvutil allows an administrator to list keys currently in -a keytab, to obtain new keys for a principal currently in a keytab, -or to delete non-current keys from a keytab. - -*operation* must be one of the following: - -**list** - Lists the keys in a keytab, showing version number and principal - name. - -**change** - Uses the kadmin protocol to update the keys in the Kerberos - database to new randomly-generated keys, and updates the keys in - the keytab to match. If a key's version number doesn't match the - version number stored in the Kerberos server's database, then the - operation will fail. If the **-i** flag is given, k5srvutil will - prompt for confirmation before changing each key. If the **-k** - option is given, the old and new keys will be displayed. - Ordinarily, keys will be generated with the default encryption - types and key salts. This can be overridden with the **-e** - option. Old keys are retained in the keytab so that existing - tickets continue to work, but **delold** should be used after - such tickets expire, to prevent attacks against the old keys. - -**delold** - Deletes keys that are not the most recent version from the keytab. - This operation should be used some time after a change operation - to remove old keys, after existing tickets issued for the service - have expired. If the **-i** flag is given, then k5srvutil will - prompt for confirmation for each principal. - -**delete** - Deletes particular keys in the keytab, interactively prompting for - each key. - -In all cases, the default keytab is used unless this is overridden by -the **-f** option. - -k5srvutil uses the :ref:`kadmin(1)` program to edit the keytab in -place. - - -ENVIRONMENT ------------ - -See :ref:`kerberos(7)` for a description of Kerberos environment -variables. 
- - -SEE ALSO --------- - -:ref:`kadmin(1)`, :ref:`ktutil(1)`, :ref:`kerberos(7)` diff --git a/crypto/krb5/doc/html/_sources/admin/admin_commands/kadmin_local.rst.txt b/crypto/krb5/doc/html/_sources/admin/admin_commands/kadmin_local.rst.txt deleted file mode 100644 index b4edc7924345..000000000000 --- a/crypto/krb5/doc/html/_sources/admin/admin_commands/kadmin_local.rst.txt +++ /dev/null 
@@ -1,1003 +0,0 @@ -.. _kadmin(1): - -kadmin -====== - -SYNOPSIS --------- - -.. _kadmin_synopsis: - -**kadmin** -[**-O**\|\ **-N**] -[**-r** *realm*] -[**-p** *principal*] -[**-q** *query*] -[[**-c** *cache_name*]\|[**-k** [**-t** *keytab*]]\|\ **-n**] -[**-w** *password*] -[**-s** *admin_server*\ [:*port*]] -[command args...] - -**kadmin.local** -[**-r** *realm*] -[**-p** *principal*] -[**-q** *query*] -[**-d** *dbname*] -[**-e** *enc*:*salt* ...] -[**-m**] -[**-x** *db_args*] -[command args...] - - -DESCRIPTION ------------ - -kadmin and kadmin.local are command-line interfaces to the Kerberos V5 -administration system. They provide nearly identical functionalities; -the difference is that kadmin.local directly accesses the KDC -database, while kadmin performs operations using :ref:`kadmind(8)`. -Except as explicitly noted otherwise, this man page will use "kadmin" -to refer to both versions. kadmin provides for the maintenance of -Kerberos principals, password policies, and service key tables -(keytabs). - -The remote kadmin client uses Kerberos to authenticate to kadmind -using the service principal ``kadmin/admin`` or ``kadmin/ADMINHOST`` -(where *ADMINHOST* is the fully-qualified hostname of the admin -server). If the credentials cache contains a ticket for one of these -principals, and the **-c** credentials_cache option is specified, that -ticket is used to authenticate to kadmind. Otherwise, the **-p** and -**-k** options are used to specify the client Kerberos principal name -used to authenticate. Once kadmin has determined the principal name, -it requests a service ticket from the KDC, and uses that service -ticket to authenticate to kadmind. - -Since kadmin.local directly accesses the KDC database, it usually must -be run directly on the primary KDC with sufficient permissions to read -the KDC database. If the KDC database uses the LDAP database module, -kadmin.local can be run on any host which can access the LDAP server. - - -OPTIONS -------- - -.. 
_kadmin_options: - -**-r** *realm* - Use *realm* as the default database realm. - -**-p** *principal* - Use *principal* to authenticate. Otherwise, kadmin will append - ``/admin`` to the primary principal name of the default ccache, - the value of the **USER** environment variable, or the username as - obtained with getpwuid, in order of preference. - -**-k** - Use a keytab to decrypt the KDC response instead of prompting for - a password. In this case, the default principal will be - ``host/hostname``. If there is no keytab specified with the - **-t** option, then the default keytab will be used. - -**-t** *keytab* - Use *keytab* to decrypt the KDC response. This can only be used - with the **-k** option. - -**-n** - Requests anonymous processing. Two types of anonymous principals - are supported. For fully anonymous Kerberos, configure PKINIT on - the KDC and configure **pkinit_anchors** in the client's - :ref:`krb5.conf(5)`. Then use the **-n** option with a principal - of the form ``@REALM`` (an empty principal name followed by the - at-sign and a realm name). If permitted by the KDC, an anonymous - ticket will be returned. A second form of anonymous tickets is - supported; these realm-exposed tickets hide the identity of the - client but not the client's realm. For this mode, use ``kinit - -n`` with a normal principal name. If supported by the KDC, the - principal (but not realm) will be replaced by the anonymous - principal. As of release 1.8, the MIT Kerberos KDC only supports - fully anonymous operation. - -**-c** *credentials_cache* - Use *credentials_cache* as the credentials cache. The cache - should contain a service ticket for the ``kadmin/admin`` or - ``kadmin/ADMINHOST`` (where *ADMINHOST* is the fully-qualified - hostname of the admin server) service; it can be acquired with the - :ref:`kinit(1)` program. If this option is not specified, kadmin - requests a new service ticket from the KDC, and stores it in its - own temporary ccache. 
- -**-w** *password* - Use *password* instead of prompting for one. Use this option with - care, as it may expose the password to other users on the system - via the process list. - -**-q** *query* - Perform the specified query and then exit. - -**-d** *dbname* - Specifies the name of the KDC database. This option does not - apply to the LDAP database module. - -**-s** *admin_server*\ [:*port*] - Specifies the admin server which kadmin should contact. - -**-m** - If using kadmin.local, prompt for the database master password - instead of reading it from a stash file. - -**-e** "*enc*:*salt* ..." - Sets the keysalt list to be used for any new keys created. See - :ref:`Keysalt_lists` in :ref:`kdc.conf(5)` for a list of possible - values. - -**-O** - Force use of old AUTH_GSSAPI authentication flavor. - -**-N** - Prevent fallback to AUTH_GSSAPI authentication flavor. - -**-x** *db_args* - Specifies the database specific arguments. See the next section - for supported options. - -Starting with release 1.14, if any command-line arguments remain after -the options, they will be treated as a single query to be executed. -This mode of operation is intended for scripts and behaves differently -from the interactive mode in several respects: - -* Query arguments are split by the shell, not by kadmin. -* Informational and warning messages are suppressed. Error messages - and query output (e.g. for **get_principal**) will still be - displayed. -* Confirmation prompts are disabled (as if **-force** was given). - Password prompts will still be issued as required. -* The exit status will be non-zero if the query fails. - -The **-q** option does not carry these behavior differences; the query -will be processed as if it was entered interactively. The **-q** -option cannot be used in combination with a query in the remaining -arguments. - -.. _dboptions: - -DATABASE OPTIONS ----------------- - -Database options can be used to override database-specific defaults. 
-Supported options for the DB2 module are: - - **-x dbname=**\ \*filename* - Specifies the base filename of the DB2 database. - - **-x lockiter** - Make iteration operations hold the lock for the duration of - the entire operation, rather than temporarily releasing the - lock while handling each principal. This is the default - behavior, but this option exists to allow command line - override of a [dbmodules] setting. First introduced in - release 1.13. - - **-x unlockiter** - Make iteration operations unlock the database for each - principal, instead of holding the lock for the duration of the - entire operation. First introduced in release 1.13. - -Supported options for the LDAP module are: - - **-x host=**\ *ldapuri* - Specifies the LDAP server to connect to by a LDAP URI. - - **-x binddn=**\ *bind_dn* - Specifies the DN used to bind to the LDAP server. - - **-x bindpwd=**\ *password* - Specifies the password or SASL secret used to bind to the LDAP - server. Using this option may expose the password to other - users on the system via the process list; to avoid this, - instead stash the password using the **stashsrvpw** command of - :ref:`kdb5_ldap_util(8)`. - - **-x sasl_mech=**\ *mechanism* - Specifies the SASL mechanism used to bind to the LDAP server. - The bind DN is ignored if a SASL mechanism is used. New in - release 1.13. - - **-x sasl_authcid=**\ *name* - Specifies the authentication name used when binding to the - LDAP server with a SASL mechanism, if the mechanism requires - one. New in release 1.13. - - **-x sasl_authzid=**\ *name* - Specifies the authorization name used when binding to the LDAP - server with a SASL mechanism. New in release 1.13. - - **-x sasl_realm=**\ *realm* - Specifies the realm used when binding to the LDAP server with - a SASL mechanism, if the mechanism uses one. New in release - 1.13. - - **-x debug=**\ *level* - sets the OpenLDAP client library debug level. *level* is an - integer to be interpreted by the library. 
Debugging messages - are printed to standard error. New in release 1.12. - - -COMMANDS --------- - -When using the remote client, available commands may be restricted -according to the privileges specified in the :ref:`kadm5.acl(5)` file -on the admin server. - -.. _add_principal: - -add_principal -~~~~~~~~~~~~~ - - **add_principal** [*options*] *newprinc* - -Creates the principal *newprinc*, prompting twice for a password. If -no password policy is specified with the **-policy** option, and the -policy named ``default`` is assigned to the principal if it exists. -However, creating a policy named ``default`` will not automatically -assign this policy to previously existing principals. This policy -assignment can be suppressed with the **-clearpolicy** option. - -This command requires the **add** privilege. - -Aliases: **addprinc**, **ank** - -Options: - -**-expire** *expdate* - (:ref:`getdate` string) The expiration date of the principal. - -**-pwexpire** *pwexpdate* - (:ref:`getdate` string) The password expiration date. - -**-maxlife** *maxlife* - (:ref:`duration` or :ref:`getdate` string) The maximum ticket life - for the principal. - -**-maxrenewlife** *maxrenewlife* - (:ref:`duration` or :ref:`getdate` string) The maximum renewable - life of tickets for the principal. - -**-kvno** *kvno* - The initial key version number. - -**-policy** *policy* - The password policy used by this principal. If not specified, the - policy ``default`` is used if it exists (unless **-clearpolicy** - is specified). - -**-clearpolicy** - Prevents any policy from being assigned when **-policy** is not - specified. - -{-\|+}\ **allow_postdated** - **-allow_postdated** prohibits this principal from obtaining - postdated tickets. **+allow_postdated** clears this flag. - -{-\|+}\ **allow_forwardable** - **-allow_forwardable** prohibits this principal from obtaining - forwardable tickets. **+allow_forwardable** clears this flag. 
- -{-\|+}\ **allow_renewable** - **-allow_renewable** prohibits this principal from obtaining - renewable tickets. **+allow_renewable** clears this flag. - -{-\|+}\ **allow_proxiable** - **-allow_proxiable** prohibits this principal from obtaining - proxiable tickets. **+allow_proxiable** clears this flag. - -{-\|+}\ **allow_dup_skey** - **-allow_dup_skey** disables user-to-user authentication for this - principal by prohibiting others from obtaining a service ticket - encrypted in this principal's TGT session key. - **+allow_dup_skey** clears this flag. - -{-\|+}\ **requires_preauth** - **+requires_preauth** requires this principal to preauthenticate - before being allowed to kinit. **-requires_preauth** clears this - flag. When **+requires_preauth** is set on a service principal, - the KDC will only issue service tickets for that service principal - if the client's initial authentication was performed using - preauthentication. - -{-\|+}\ **requires_hwauth** - **+requires_hwauth** requires this principal to preauthenticate - using a hardware device before being allowed to kinit. - **-requires_hwauth** clears this flag. When **+requires_hwauth** is - set on a service principal, the KDC will only issue service tickets - for that service principal if the client's initial authentication was - performed using a hardware device to preauthenticate. - -{-\|+}\ **ok_as_delegate** - **+ok_as_delegate** sets the **okay as delegate** flag on tickets - issued with this principal as the service. Clients may use this - flag as a hint that credentials should be delegated when - authenticating to the service. **-ok_as_delegate** clears this - flag. - -{-\|+}\ **allow_svr** - **-allow_svr** prohibits the issuance of service tickets for this - principal. In release 1.17 and later, user-to-user service - tickets are still allowed unless the **-allow_dup_skey** flag is - also set. **+allow_svr** clears this flag. 
- -{-\|+}\ **allow_tgs_req** - **-allow_tgs_req** specifies that a Ticket-Granting Service (TGS) - request for a service ticket for this principal is not permitted. - **+allow_tgs_req** clears this flag. - -{-\|+}\ **allow_tix** - **-allow_tix** forbids the issuance of any tickets for this - principal. **+allow_tix** clears this flag. - -{-\|+}\ **needchange** - **+needchange** forces a password change on the next initial - authentication to this principal. **-needchange** clears this - flag. - -{-\|+}\ **password_changing_service** - **+password_changing_service** marks this principal as a password - change service principal. - -{-\|+}\ **ok_to_auth_as_delegate** - **+ok_to_auth_as_delegate** allows this principal to acquire - forwardable tickets to itself from arbitrary users, for use with - constrained delegation. - -{-\|+}\ **no_auth_data_required** - **+no_auth_data_required** prevents PAC or AD-SIGNEDPATH data from - being added to service tickets for the principal. - -{-\|+}\ **lockdown_keys** - **+lockdown_keys** prevents keys for this principal from leaving - the KDC via kadmind. The chpass and extract operations are denied - for a principal with this attribute. The chrand operation is - allowed, but will not return the new keys. The delete and rename - operations are also denied if this attribute is set, in order to - prevent a malicious administrator from replacing principals like - krbtgt/* or kadmin/* with new principals without the attribute. - This attribute can be set via the network protocol, but can only - be removed using kadmin.local. - -**-randkey** - Sets the key of the principal to a random value. - -**-nokey** - Causes the principal to be created with no key. New in release - 1.12. - -**-pw** *password* - Sets the password of the principal to the specified string and - does not prompt for a password. Note: using this option in a - shell script may expose the password to other users on the system - via the process list. 
- -**-e** *enc*:*salt*,... - Uses the specified keysalt list for setting the keys of the - principal. See :ref:`Keysalt_lists` in :ref:`kdc.conf(5)` for a - list of possible values. - -**-x** *db_princ_args* - Indicates database-specific options. The options for the LDAP - database module are: - - **-x dn=**\ *dn* - Specifies the LDAP object that will contain the Kerberos - principal being created. - - **-x linkdn=**\ *dn* - Specifies the LDAP object to which the newly created Kerberos - principal object will point. - - **-x containerdn=**\ *container_dn* - Specifies the container object under which the Kerberos - principal is to be created. - - **-x tktpolicy=**\ *policy* - Associates a ticket policy to the Kerberos principal. - - .. note:: - - - The **containerdn** and **linkdn** options cannot be - specified with the **dn** option. - - If the *dn* or *containerdn* options are not specified while - adding the principal, the principals are created under the - principal container configured in the realm or the realm - container. - - *dn* and *containerdn* should be within the subtrees or - principal container configured in the realm. - -Example:: - - kadmin: addprinc jennifer - No policy specified for "jennifer@ATHENA.MIT.EDU"; - defaulting to no policy. - Enter password for principal jennifer@ATHENA.MIT.EDU: - Re-enter password for principal jennifer@ATHENA.MIT.EDU: - Principal "jennifer@ATHENA.MIT.EDU" created. - kadmin: - -.. _modify_principal: - -modify_principal -~~~~~~~~~~~~~~~~ - - **modify_principal** [*options*] *principal* - -Modifies the specified principal, changing the fields as specified. -The options to **add_principal** also apply to this command, except -for the **-randkey**, **-pw**, and **-e** options. In addition, the -option **-clearpolicy** will clear the current policy of a principal. - -This command requires the *modify* privilege. 
- -Alias: **modprinc** - -Options (in addition to the **addprinc** options): - -**-unlock** - Unlocks a locked principal (one which has received too many failed - authentication attempts without enough time between them according - to its password policy) so that it can successfully authenticate. - -.. _rename_principal: - -rename_principal -~~~~~~~~~~~~~~~~ - - **rename_principal** [**-force**] *old_principal* *new_principal* - -Renames the specified *old_principal* to *new_principal*. This -command prompts for confirmation, unless the **-force** option is -given. - -This command requires the **add** and **delete** privileges. - -Alias: **renprinc** - -.. _add_alias: - -add_alias -~~~~~~~~~ - - **add_alias** *alias_princ* *target_princ* - -Create an alias *alias_princ* pointing to *target_princ*. Aliases may -be chained (that is, *target_princ* may itself be an alias) up to a -depth of 10. - -This command requires the **add** privilege for *alias_princ* and the -**modify** privilege for *target_princ*. - -(New in release 1.22.) - -Aliases: **alias** - -.. _delete_principal: - -delete_principal -~~~~~~~~~~~~~~~~ - - **delete_principal** [**-force**] *principal* - -Deletes the specified *principal* or alias from the database. This -command prompts for deletion, unless the **-force** option is given. - -This command requires the **delete** privilege. - -Alias: **delprinc** - -.. _change_password: - -change_password -~~~~~~~~~~~~~~~ - - **change_password** [*options*] *principal* - -Changes the password of *principal*. Prompts for a new password if -neither **-randkey** or **-pw** is specified. - -This command requires the **changepw** privilege, or that the -principal running the program is the same as the principal being -changed. - -Alias: **cpw** - -The following options are available: - -**-randkey** - Sets the key of the principal to a random value. - -**-pw** *password* - Set the password to the specified string. 
Using this option in a - script may expose the password to other users on the system via - the process list. - -**-e** *enc*:*salt*,... - Uses the specified keysalt list for setting the keys of the - principal. See :ref:`Keysalt_lists` in :ref:`kdc.conf(5)` for a - list of possible values. - -**-keepold** - Keeps the existing keys in the database. This flag is usually not - necessary except perhaps for ``krbtgt`` principals. - -Example:: - - kadmin: cpw systest - Enter password for principal systest@BLEEP.COM: - Re-enter password for principal systest@BLEEP.COM: - Password for systest@BLEEP.COM changed. - kadmin: - -.. _purgekeys: - -purgekeys -~~~~~~~~~ - - **purgekeys** [**-all**\|\ **-keepkvno** *oldest_kvno_to_keep*] *principal* - -Purges previously retained old keys (e.g., from **change_password --keepold**) from *principal*. If **-keepkvno** is specified, then -only purges keys with kvnos lower than *oldest_kvno_to_keep*. If -**-all** is specified, then all keys are purged. The **-all** option -is new in release 1.12. - -This command requires the **modify** privilege. - -.. _get_principal: - -get_principal -~~~~~~~~~~~~~ - - **get_principal** [**-terse**] *principal* - -Gets the attributes of principal. With the **-terse** option, outputs -fields as quoted tab-separated strings. - -This command requires the **inquire** privilege, or that the principal -running the the program to be the same as the one being listed. 
- -Alias: **getprinc** - -Examples:: - - kadmin: getprinc tlyu/admin - Principal: tlyu/admin@BLEEP.COM - Expiration date: [never] - Last password change: Mon Aug 12 14:16:47 EDT 1996 - Password expiration date: [never] - Maximum ticket life: 0 days 10:00:00 - Maximum renewable life: 7 days 00:00:00 - Last modified: Mon Aug 12 14:16:47 EDT 1996 (bjaspan/admin@BLEEP.COM) - Last successful authentication: [never] - Last failed authentication: [never] - Failed password attempts: 0 - Number of keys: 1 - Key: vno 1, aes256-cts-hmac-sha384-192 - MKey: vno 1 - Attributes: - Policy: [none] - - kadmin: getprinc -terse systest - systest@BLEEP.COM 3 86400 604800 1 - 785926535 753241234 785900000 - tlyu/admin@BLEEP.COM 786100034 0 0 - kadmin: - -.. _list_principals: - -list_principals -~~~~~~~~~~~~~~~ - - **list_principals** [*expression*] - -Retrieves all or some principal names. *expression* is a shell-style -glob expression that can contain the wild-card characters ``?``, -``*``, and ``[]``. All principal names matching the expression are -printed. If no expression is provided, all principal names are -printed. If the expression does not contain an ``@`` character, an -``@`` character followed by the local realm is appended to the -expression. - -This command requires the **list** privilege. - -Alias: **listprincs**, **get_principals**, **getprincs** - -Example:: - - kadmin: listprincs test* - test3@SECURE-TEST.OV.COM - test2@SECURE-TEST.OV.COM - test1@SECURE-TEST.OV.COM - testuser@SECURE-TEST.OV.COM - kadmin: - -.. _get_strings: - -get_strings -~~~~~~~~~~~ - - **get_strings** *principal* - -Displays string attributes on *principal*. - -This command requires the **inquire** privilege. - -Alias: **getstrs** - -.. _set_string: - -set_string -~~~~~~~~~~ - - **set_string** *principal* *name* *value* - -Sets a string attribute on *principal*. String attributes are used to -supply per-principal configuration to the KDC and some KDC plugin -modules. 
The following string attribute names are recognized by the -KDC: - -**require_auth** - Specifies an authentication indicator which is required to - authenticate to the principal as a service. Multiple indicators - can be specified, separated by spaces; in this case any of the - specified indicators will be accepted. (New in release 1.14.) - -**session_enctypes** - Specifies the encryption types supported for session keys when the - principal is authenticated to as a server. See - :ref:`Encryption_types` in :ref:`kdc.conf(5)` for a list of the - accepted values. - -**otp** - Enables One Time Passwords (OTP) preauthentication for a client - *principal*. The *value* is a JSON string representing an array - of objects, each having optional ``type`` and ``username`` fields. - -**pkinit_cert_match** - Specifies a matching expression that defines the certificate - attributes required for the client certificate used by the - principal during PKINIT authentication. The matching expression - is in the same format as those used by the **pkinit_cert_match** - option in :ref:`krb5.conf(5)`. (New in release 1.16.) - -**pac_privsvr_enctype** - Forces the encryption type of the PAC KDC checksum buffers to the - specified encryption type for tickets issued to this server, by - deriving a key from the local krbtgt key if it is of a different - encryption type. It may be necessary to set this value to - "aes256-sha1" on the cross-realm krbtgt entry for an Active - Directory realm when using aes-sha2 keys on the local krbtgt - entry. - -This command requires the **modify** privilege. - -Alias: **setstr** - -Example:: - - set_string host/foo.mit.edu session_enctypes aes128-cts - set_string user@FOO.COM otp "[{""type"":""hotp"",""username"":""al""}]" - -.. _del_string: - -del_string -~~~~~~~~~~ - - **del_string** *principal* *key* - -Deletes a string attribute from *principal*. - -This command requires the **delete** privilege. - -Alias: **delstr** - -.. 
_add_policy: - -add_policy -~~~~~~~~~~ - - **add_policy** [*options*] *policy* - -Adds a password policy named *policy* to the database. - -This command requires the **add** privilege. - -Alias: **addpol** - -The following options are available: - -**-maxlife** *time* - (:ref:`duration` or :ref:`getdate` string) Sets the maximum - lifetime of a password. - -**-minlife** *time* - (:ref:`duration` or :ref:`getdate` string) Sets the minimum - lifetime of a password. - -**-minlength** *length* - Sets the minimum length of a password. - -**-minclasses** *number* - Sets the minimum number of character classes required in a - password. The five character classes are lower case, upper case, - numbers, punctuation, and whitespace/unprintable characters. - -**-history** *number* - Sets the number of past keys kept for a principal. This option is - not supported with the LDAP KDC database module. - -.. _policy_maxfailure: - -**-maxfailure** *maxnumber* - Sets the number of authentication failures before the principal is - locked. Authentication failures are only tracked for principals - which require preauthentication. The counter of failed attempts - resets to 0 after a successful attempt to authenticate. A - *maxnumber* value of 0 (the default) disables lockout. - -.. _policy_failurecountinterval: - -**-failurecountinterval** *failuretime* - (:ref:`duration` or :ref:`getdate` string) Sets the allowable time - between authentication failures. If an authentication failure - happens after *failuretime* has elapsed since the previous - failure, the number of authentication failures is reset to 1. A - *failuretime* value of 0 (the default) means forever. - -.. _policy_lockoutduration: - -**-lockoutduration** *lockouttime* - (:ref:`duration` or :ref:`getdate` string) Sets the duration for - which the principal is locked from authenticating if too many - authentication failures occur without the specified failure count - interval elapsing. 
A duration of 0 (the default) means the - principal remains locked out until it is administratively unlocked - with ``modprinc -unlock``. - -**-allowedkeysalts** - Specifies the key/salt tuples supported for long-term keys when - setting or changing a principal's password/keys. See - :ref:`Keysalt_lists` in :ref:`kdc.conf(5)` for a list of the - accepted values, but note that key/salt tuples must be separated - with commas (',') only. To clear the allowed key/salt policy use - a value of '-'. - -Example:: - - kadmin: add_policy -maxlife "2 days" -minlength 5 guests - kadmin: - -.. _modify_policy: - -modify_policy -~~~~~~~~~~~~~ - - **modify_policy** [*options*] *policy* - -Modifies the password policy named *policy*. Options are as described -for **add_policy**. - -This command requires the **modify** privilege. - -Alias: **modpol** - -.. _delete_policy: - -delete_policy -~~~~~~~~~~~~~ - - **delete_policy** [**-force**] *policy* - -Deletes the password policy named *policy*. Prompts for confirmation -before deletion. The command will fail if the policy is in use by any -principals. - -This command requires the **delete** privilege. - -Alias: **delpol** - -Example:: - - kadmin: del_policy guests - Are you sure you want to delete the policy "guests"? - (yes/no): yes - kadmin: - -.. _get_policy: - -get_policy -~~~~~~~~~~ - - **get_policy** [ **-terse** ] *policy* - -Displays the values of the password policy named *policy*. With the -**-terse** flag, outputs the fields as quoted strings separated by -tabs. - -This command requires the **inquire** privilege. 
- -Alias: **getpol** - -Examples:: - - kadmin: get_policy admin - Policy: admin - Maximum password life: 180 days 00:00:00 - Minimum password life: 00:00:00 - Minimum password length: 6 - Minimum number of password character classes: 2 - Number of old keys kept: 5 - Reference count: 17 - - kadmin: get_policy -terse admin - admin 15552000 0 6 2 5 17 - kadmin: - -The "Reference count" is the number of principals using that policy. -With the LDAP KDC database module, the reference count field is not -meaningful. - -.. _list_policies: - -list_policies -~~~~~~~~~~~~~ - - **list_policies** [*expression*] - -Retrieves all or some policy names. *expression* is a shell-style -glob expression that can contain the wild-card characters ``?``, -``*``, and ``[]``. All policy names matching the expression are -printed. If no expression is provided, all existing policy names are -printed. - -This command requires the **list** privilege. - -Aliases: **listpols**, **get_policies**, **getpols**. - -Examples:: - - kadmin: listpols - test-pol - dict-only - once-a-min - test-pol-nopw - - kadmin: listpols t* - test-pol - test-pol-nopw - kadmin: - -.. _ktadd: - -ktadd -~~~~~ - - | **ktadd** [options] *principal* - | **ktadd** [options] **-glob** *princ-exp* - -Adds a *principal*, or all principals matching *princ-exp*, to a -keytab file. Each principal's keys are randomized in the process. -The rules for *princ-exp* are described in the **list_principals** -command. - -This command requires the **inquire** and **changepw** privileges. -With the **-glob** form, it also requires the **list** privilege. - -The options are: - -**-k[eytab]** *keytab* - Use *keytab* as the keytab file. Otherwise, the default keytab is - used. - -**-e** *enc*:*salt*,... - Uses the specified keysalt list for setting the new keys of the - principal. See :ref:`Keysalt_lists` in :ref:`kdc.conf(5)` for a - list of possible values. - -**-q** - Display less verbose information. 
- -**-norandkey** - Do not randomize the keys. The keys and their version numbers stay - unchanged. This option cannot be specified in combination with the - **-e** option. - -An entry for each of the principal's unique encryption types is added, -ignoring multiple keys with the same encryption type but different -salt types. - -Alias: **xst** - -Example:: - - kadmin: ktadd -k /tmp/foo-new-keytab host/foo.mit.edu - Entry for principal host/foo.mit.edu@ATHENA.MIT.EDU with kvno 3, - encryption type aes256-cts-hmac-sha1-96 added to keytab - FILE:/tmp/foo-new-keytab - kadmin: - -.. _ktremove: - -ktremove -~~~~~~~~ - - **ktremove** [options] *principal* [*kvno* | *all* | *old*] - -Removes entries for the specified *principal* from a keytab. Requires -no permissions, since this does not require database access. - -If the string "all" is specified, all entries for that principal are -removed; if the string "old" is specified, all entries for that -principal except those with the highest kvno are removed. Otherwise, -the value specified is parsed as an integer, and all entries whose -kvno match that integer are removed. - -The options are: - -**-k[eytab]** *keytab* - Use *keytab* as the keytab file. Otherwise, the default keytab is - used. - -**-q** - Display less verbose information. - -Alias: **ktrem** - -Example:: - - kadmin: ktremove kadmin/admin all - Entry for principal kadmin/admin with kvno 3 removed from keytab - FILE:/etc/krb5.keytab - kadmin: - -lock -~~~~ - -Lock database exclusively. Use with extreme caution! This command -only works with the DB2 KDC database module. - -unlock -~~~~~~ - -Release the exclusive database lock. - -list_requests -~~~~~~~~~~~~~ - -Lists available for kadmin requests. - -Aliases: **lr**, **?** - -quit -~~~~ - -Exit program. If the database was locked, the lock is released. 
- -Aliases: **exit**, **q** - - -HISTORY -------- - -The kadmin program was originally written by Tom Yu at MIT, as an -interface to the OpenVision Kerberos administration program. - - -ENVIRONMENT ------------ - -See :ref:`kerberos(7)` for a description of Kerberos environment -variables. - - -SEE ALSO --------- - -:ref:`kpasswd(1)`, :ref:`kadmind(8)`, :ref:`kerberos(7)` diff --git a/crypto/krb5/doc/html/_sources/admin/admin_commands/kadmind.rst.txt b/crypto/krb5/doc/html/_sources/admin/admin_commands/kadmind.rst.txt deleted file mode 100644 index bc66890def3d..000000000000 --- a/crypto/krb5/doc/html/_sources/admin/admin_commands/kadmind.rst.txt +++ /dev/null 
@@ -1,137 +0,0 @@ -.. _kadmind(8): - -kadmind -======= - -SYNOPSIS --------- - -**kadmind** -[**-x** *db_args*] -[**-r** *realm*] -[**-m**] -[**-nofork**] -[**-proponly**] -[**-port** *port-number*] -[**-P** *pid_file*] -[**-p** *kdb5_util_path*] -[**-K** *kprop_path*] -[**-k** *kprop_port*] -[**-F** *dump_file*] - -DESCRIPTION ------------ - -kadmind starts the Kerberos administration server. kadmind typically -runs on the primary Kerberos server, which stores the KDC database. -If the KDC database uses the LDAP module, the administration server -and the KDC server need not run on the same machine. kadmind accepts -remote requests from programs such as :ref:`kadmin(1)` and -:ref:`kpasswd(1)` to administer the information in these database. - -kadmind requires a number of configuration files to be set up in order -for it to work: - -:ref:`kdc.conf(5)` - The KDC configuration file contains configuration information for - the KDC and admin servers. kadmind uses settings in this file to - locate the Kerberos database, and is also affected by the - **acl_file**, **dict_file**, **kadmind_port**, and iprop-related - settings. - -:ref:`kadm5.acl(5)` - kadmind's ACL (access control list) tells it which principals are - allowed to perform administration actions. The pathname to the - ACL file can be specified with the **acl_file** :ref:`kdc.conf(5)` - variable; by default, it is |kdcdir|\ ``/kadm5.acl``. - -After the server begins running, it puts itself in the background and -disassociates itself from its controlling terminal. - -kadmind can be configured for incremental database propagation. -Incremental propagation allows replica KDC servers to receive -principal and policy updates incrementally instead of receiving full -dumps of the database. This facility can be enabled in the -:ref:`kdc.conf(5)` file with the **iprop_enable** option. 
Incremental -propagation requires the principal ``kiprop/PRIMARY\@REALM`` (where -PRIMARY is the primary KDC's canonical host name, and REALM the realm -name). In release 1.13, this principal is automatically created and -registered into the datebase. - - -OPTIONS -------- - -**-r** *realm* - specifies the realm that kadmind will serve; if it is not - specified, the default realm of the host is used. - -**-m** - causes the master database password to be fetched from the - keyboard (before the server puts itself in the background, if not - invoked with the **-nofork** option) rather than from a file on - disk. - -**-nofork** - causes the server to remain in the foreground and remain - associated to the terminal. - -**-proponly** - causes the server to only listen and respond to Kerberos replica - incremental propagation polling requests. This option can be used - to set up a hierarchical propagation topology where a replica KDC - provides incremental updates to other Kerberos replicas. - -**-port** *port-number* - specifies the port on which the administration server listens for - connections. The default port is determined by the - **kadmind_port** configuration variable in :ref:`kdc.conf(5)`. - -**-P** *pid_file* - specifies the file to which the PID of kadmind process should be - written after it starts up. This file can be used to identify - whether kadmind is still running and to allow init scripts to stop - the correct process. - -**-p** *kdb5_util_path* - specifies the path to the kdb5_util command to use when dumping the - KDB in response to full resync requests when iprop is enabled. - -**-K** *kprop_path* - specifies the path to the kprop command to use to send full dumps - to replicas in response to full resync requests. - -**-k** *kprop_port* - specifies the port by which the kprop process that is spawned by - kadmind connects to the replica kpropd, in order to transfer the - dump file during an iprop full resync request. 
- -**-F** *dump_file* - specifies the file path to be used for dumping the KDB in response - to full resync requests when iprop is enabled. - -**-x** *db_args* - specifies database-specific arguments. See :ref:`Database Options - <dboptions>` in :ref:`kadmin(1)` for supported arguments. - - -ENVIRONMENT ------------ - -See :ref:`kerberos(7)` for a description of Kerberos environment -variables. - -As of release 1.22, kadmind supports systemd socket activation via the -LISTEN_PID and LISTEN_FDS environment variables. Sockets provided by -the caller must correspond to configured listener addresses (via the -**kadmind_listen** or **kpasswd_listen** variables or equivalents) or -they will be ignored. Any configured listener addresses that do not -correspond to caller-provided sockets will be ignored if socket -activation is used. - - -SEE ALSO --------- - -:ref:`kpasswd(1)`, :ref:`kadmin(1)`, :ref:`kdb5_util(8)`, -:ref:`kdb5_ldap_util(8)`, :ref:`kadm5.acl(5)`, :ref:`kerberos(7)` diff --git a/crypto/krb5/doc/html/_sources/admin/admin_commands/kdb5_ldap_util.rst.txt b/crypto/krb5/doc/html/_sources/admin/admin_commands/kdb5_ldap_util.rst.txt deleted file mode 100644 index 73a920f4388a..000000000000 --- a/crypto/krb5/doc/html/_sources/admin/admin_commands/kdb5_ldap_util.rst.txt +++ /dev/null 
@@ -1,449 +0,0 @@ -.. _kdb5_ldap_util(8): - -kdb5_ldap_util -=============== - -SYNOPSIS --------- - -.. _kdb5_ldap_util_synopsis: - -**kdb5_ldap_util** -[**-D** *user_dn* [**-w** *passwd*]] -[**-H** *ldapuri*] -**command** -[*command_options*] - -.. _kdb5_ldap_util_synopsis_end: - - -DESCRIPTION ------------ - -kdb5_ldap_util allows an administrator to manage realms, Kerberos -services and ticket policies. - - -COMMAND-LINE OPTIONS --------------------- - -.. _kdb5_ldap_util_options: - -**-r** *realm* - Specifies the realm to be operated on. - -**-D** *user_dn* - Specifies the Distinguished Name (DN) of the user who has - sufficient rights to perform the operation on the LDAP server. - -**-w** *passwd* - Specifies the password of *user_dn*. This option is not - recommended. - -**-H** *ldapuri* - Specifies the URI of the LDAP server. - -By default, kdb5_ldap_util operates on the default realm (as specified -in :ref:`krb5.conf(5)`) and connects and authenticates to the LDAP -server in the same manner as :ref:kadmind(8)` would given the -parameters in :ref:`dbdefaults` in :ref:`kdc.conf(5)`. - -.. _kdb5_ldap_util_options_end: - - -COMMANDS --------- - -create -~~~~~~ - -.. _kdb5_ldap_util_create: - - **create** - [**-subtrees** *subtree_dn_list*] - [**-sscope** *search_scope*] - [**-containerref** *container_reference_dn*] - [**-k** *mkeytype*] - [**-kv** *mkeyVNO*] - [**-M** *mkeyname*] - [**-m|-P** *password*\|\ **-sf** *stashfilename*] - [**-s**] - [**-maxtktlife** *max_ticket_life*] - [**-maxrenewlife** *max_renewable_ticket_life*] - [*ticket_flags*] - -Creates realm in directory. Options: - -**-subtrees** *subtree_dn_list* - Specifies the list of subtrees containing the principals of a - realm. The list contains the DNs of the subtree objects separated - by colon (``:``). - -**-sscope** *search_scope* - Specifies the scope for searching the principals under the - subtree. The possible values are 1 or one (one level), 2 or sub - (subtrees). 
- -**-containerref** *container_reference_dn* - Specifies the DN of the container object in which the principals - of a realm will be created. If the container reference is not - configured for a realm, the principals will be created in the - realm container. - -**-k** *mkeytype* - Specifies the key type of the master key in the database. The - default is given by the **master_key_type** variable in - :ref:`kdc.conf(5)`. - -**-kv** *mkeyVNO* - Specifies the version number of the master key in the database; - the default is 1. Note that 0 is not allowed. - -**-M** *mkeyname* - Specifies the principal name for the master key in the database. - If not specified, the name is determined by the - **master_key_name** variable in :ref:`kdc.conf(5)`. - -**-m** - Specifies that the master database password should be read from - the TTY rather than fetched from a file on the disk. - -**-P** *password* - Specifies the master database password. This option is not - recommended. - -**-sf** *stashfilename* - Specifies the stash file of the master database password. - -**-s** - Specifies that the stash file is to be created. - -**-maxtktlife** *max_ticket_life* - (:ref:`getdate` string) Specifies maximum ticket life for - principals in this realm. - -**-maxrenewlife** *max_renewable_ticket_life* - (:ref:`getdate` string) Specifies maximum renewable life of - tickets for principals in this realm. - -*ticket_flags* - Specifies global ticket flags for the realm. Allowable flags are - documented in the description of the **add_principal** command in - :ref:`kadmin(1)`. - -Example:: - - kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu - -r ATHENA.MIT.EDU create -subtrees o=org -sscope SUB - Password for "cn=admin,o=org": - Initializing database for realm 'ATHENA.MIT.EDU' - You will be prompted for the database Master Password. - It is important that you NOT FORGET this password. - Enter KDC database master key: - Re-enter KDC database master key to verify: - -.. 
_kdb5_ldap_util_create_end: - -modify -~~~~~~ - -.. _kdb5_ldap_util_modify: - - **modify** - [**-subtrees** *subtree_dn_list*] - [**-sscope** *search_scope*] - [**-containerref** *container_reference_dn*] - [**-maxtktlife** *max_ticket_life*] - [**-maxrenewlife** *max_renewable_ticket_life*] - [*ticket_flags*] - -Modifies the attributes of a realm. Options: - -**-subtrees** *subtree_dn_list* - Specifies the list of subtrees containing the principals of a - realm. The list contains the DNs of the subtree objects separated - by colon (``:``). This list replaces the existing list. - -**-sscope** *search_scope* - Specifies the scope for searching the principals under the - subtrees. The possible values are 1 or one (one level), 2 or sub - (subtrees). - -**-containerref** *container_reference_dn* Specifies the DN of the - container object in which the principals of a realm will be - created. - -**-maxtktlife** *max_ticket_life* - (:ref:`getdate` string) Specifies maximum ticket life for - principals in this realm. - -**-maxrenewlife** *max_renewable_ticket_life* - (:ref:`getdate` string) Specifies maximum renewable life of - tickets for principals in this realm. - -*ticket_flags* - Specifies global ticket flags for the realm. Allowable flags are - documented in the description of the **add_principal** command in - :ref:`kadmin(1)`. - -Example:: - - shell% kdb5_ldap_util -r ATHENA.MIT.EDU -D cn=admin,o=org -H - ldaps://ldap-server1.mit.edu modify +requires_preauth - Password for "cn=admin,o=org": - shell% - -.. _kdb5_ldap_util_modify_end: - -view -~~~~ - -.. _kdb5_ldap_util_view: - - **view** - -Displays the attributes of a realm. 
- -Example:: - - kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu - -r ATHENA.MIT.EDU view - Password for "cn=admin,o=org": - Realm Name: ATHENA.MIT.EDU - Subtree: ou=users,o=org - Subtree: ou=servers,o=org - SearchScope: ONE - Maximum ticket life: 0 days 01:00:00 - Maximum renewable life: 0 days 10:00:00 - Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE - -.. _kdb5_ldap_util_view_end: - -destroy -~~~~~~~ - -.. _kdb5_ldap_util_destroy: - - **destroy** [**-f**] - -Destroys an existing realm. Options: - -**-f** - If specified, will not prompt the user for confirmation. - -Example:: - - shell% kdb5_ldap_util -r ATHENA.MIT.EDU -D cn=admin,o=org -H - ldaps://ldap-server1.mit.edu destroy - Password for "cn=admin,o=org": - Deleting KDC database of 'ATHENA.MIT.EDU', are you sure? - (type 'yes' to confirm)? yes - OK, deleting database of 'ATHENA.MIT.EDU'... - shell% - -.. _kdb5_ldap_util_destroy_end: - -list -~~~~ - -.. _kdb5_ldap_util_list: - - **list** - -Lists the names of realms under the container. - -Example:: - - shell% kdb5_ldap_util -D cn=admin,o=org -H - ldaps://ldap-server1.mit.edu list - Password for "cn=admin,o=org": - ATHENA.MIT.EDU - OPENLDAP.MIT.EDU - MEDIA-LAB.MIT.EDU - shell% - -.. _kdb5_ldap_util_list_end: - -stashsrvpw -~~~~~~~~~~ - -.. _kdb5_ldap_util_stashsrvpw: - - **stashsrvpw** - [**-f** *filename*] - *name* - -Allows an administrator to store the password for service object in a -file so that KDC and Administration server can use it to authenticate -to the LDAP server. Options: - -**-f** *filename* - Specifies the complete path of the service password file. By - default, ``/usr/local/var/service_passwd`` is used. - -*name* - Specifies the name of the object whose password is to be stored. - If :ref:`krb5kdc(8)` or :ref:`kadmind(8)` are configured for - simple binding, this should be the distinguished name it will - use as given by the **ldap_kdc_dn** or **ldap_kadmind_dn** - variable in :ref:`kdc.conf(5)`. 
If the KDC or kadmind is - configured for SASL binding, this should be the authentication - name it will use as given by the **ldap_kdc_sasl_authcid** or - **ldap_kadmind_sasl_authcid** variable. - -Example:: - - kdb5_ldap_util stashsrvpw -f /home/andrew/conf_keyfile - cn=service-kdc,o=org - Password for "cn=service-kdc,o=org": - Re-enter password for "cn=service-kdc,o=org": - -.. _kdb5_ldap_util_stashsrvpw_end: - -create_policy -~~~~~~~~~~~~~ - -.. _kdb5_ldap_util_create_policy: - - **create_policy** - [**-maxtktlife** *max_ticket_life*] - [**-maxrenewlife** *max_renewable_ticket_life*] - [*ticket_flags*] - *policy_name* - -Creates a ticket policy in the directory. Options: - -**-maxtktlife** *max_ticket_life* - (:ref:`getdate` string) Specifies maximum ticket life for - principals. - -**-maxrenewlife** *max_renewable_ticket_life* - (:ref:`getdate` string) Specifies maximum renewable life of - tickets for principals. - -*ticket_flags* - Specifies the ticket flags. If this option is not specified, by - default, no restriction will be set by the policy. Allowable - flags are documented in the description of the **add_principal** - command in :ref:`kadmin(1)`. - -*policy_name* - Specifies the name of the ticket policy. - -Example:: - - kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu - -r ATHENA.MIT.EDU create_policy -maxtktlife "1 day" - -maxrenewlife "1 week" -allow_postdated +needchange - -allow_forwardable tktpolicy - Password for "cn=admin,o=org": - -.. _kdb5_ldap_util_create_policy_end: - -modify_policy -~~~~~~~~~~~~~ - -.. _kdb5_ldap_util_modify_policy: - - **modify_policy** - [**-maxtktlife** *max_ticket_life*] - [**-maxrenewlife** *max_renewable_ticket_life*] - [*ticket_flags*] - *policy_name* - -Modifies the attributes of a ticket policy. Options are same as for -**create_policy**. 
- -Example:: - - kdb5_ldap_util -D cn=admin,o=org -H - ldaps://ldap-server1.mit.edu -r ATHENA.MIT.EDU modify_policy - -maxtktlife "60 minutes" -maxrenewlife "10 hours" - +allow_postdated -requires_preauth tktpolicy - Password for "cn=admin,o=org": - -.. _kdb5_ldap_util_modify_policy_end: - -view_policy -~~~~~~~~~~~ - -.. _kdb5_ldap_util_view_policy: - - **view_policy** - *policy_name* - -Displays the attributes of the named ticket policy. - -Example:: - - kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu - -r ATHENA.MIT.EDU view_policy tktpolicy - Password for "cn=admin,o=org": - Ticket policy: tktpolicy - Maximum ticket life: 0 days 01:00:00 - Maximum renewable life: 0 days 10:00:00 - Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE - -.. _kdb5_ldap_util_view_policy_end: - -destroy_policy -~~~~~~~~~~~~~~ - -.. _kdb5_ldap_util_destroy_policy: - - **destroy_policy** - [**-force**] - *policy_name* - -Destroys an existing ticket policy. Options: - -**-force** - Forces the deletion of the policy object. If not specified, the - user will be prompted for confirmation before deleting the policy. - -*policy_name* - Specifies the name of the ticket policy. - -Example:: - - kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu - -r ATHENA.MIT.EDU destroy_policy tktpolicy - Password for "cn=admin,o=org": - This will delete the policy object 'tktpolicy', are you sure? - (type 'yes' to confirm)? yes - ** policy object 'tktpolicy' deleted. - -.. _kdb5_ldap_util_destroy_policy_end: - -list_policy -~~~~~~~~~~~ - -.. _kdb5_ldap_util_list_policy: - - **list_policy** - -Lists ticket policies. - -Example:: - - kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu - -r ATHENA.MIT.EDU list_policy - Password for "cn=admin,o=org": - tktpolicy - tmppolicy - userpolicy - -.. _kdb5_ldap_util_list_policy_end: - - -ENVIRONMENT ------------ - -See :ref:`kerberos(7)` for a description of Kerberos environment -variables. 
- - -SEE ALSO --------- - -:ref:`kadmin(1)`, :ref:`kerberos(7)` diff --git a/crypto/krb5/doc/html/_sources/admin/admin_commands/kdb5_util.rst.txt b/crypto/krb5/doc/html/_sources/admin/admin_commands/kdb5_util.rst.txt deleted file mode 100644 index 8147e9766eee..000000000000 --- a/crypto/krb5/doc/html/_sources/admin/admin_commands/kdb5_util.rst.txt +++ /dev/null 
@@ -1,510 +0,0 @@ -.. _kdb5_util(8): - -kdb5_util -========= - -SYNOPSIS --------- - -.. _kdb5_util_synopsis: - -**kdb5_util** -[**-r** *realm*] -[**-d** *dbname*] -[**-k** *mkeytype*] -[**-kv** *mkeyVNO*] -[**-M** *mkeyname*] -[**-m**] -[**-sf** *stashfilename*] -[**-P** *password*] -[**-x** *db_args*] -*command* [*command_options*] - -.. _kdb5_util_synopsis_end: - -DESCRIPTION ------------ - -kdb5_util allows an administrator to perform maintenance procedures on -the KDC database. Databases can be created, destroyed, and dumped to -or loaded from ASCII files. kdb5_util can create a Kerberos master -key stash file or perform live rollover of the master key. - -When kdb5_util is run, it attempts to acquire the master key and open -the database. However, execution continues regardless of whether or -not kdb5_util successfully opens the database, because the database -may not exist yet or the stash file may be corrupt. - -Note that some KDC database modules may not support all kdb5_util -commands. - - -COMMAND-LINE OPTIONS --------------------- - -.. _kdb5_util_options: - -**-r** *realm* - specifies the Kerberos realm of the database. - -**-d** *dbname* - specifies the name under which the principal database is stored; - by default the database is that listed in :ref:`kdc.conf(5)`. The - password policy database and lock files are also derived from this - value. - -**-k** *mkeytype* - specifies the key type of the master key in the database. The - default is given by the **master_key_type** variable in - :ref:`kdc.conf(5)`. - -**-kv** *mkeyVNO* - Specifies the version number of the master key in the database; - the default is 1. Note that 0 is not allowed. - -**-M** *mkeyname* - principal name for the master key in the database. If not - specified, the name is determined by the **master_key_name** - variable in :ref:`kdc.conf(5)`. - -**-m** - specifies that the master database password should be read from - the keyboard rather than fetched from a file on disk. 
- -**-sf** *stash_file* - specifies the stash filename of the master database password. If - not specified, the filename is determined by the - **key_stash_file** variable in :ref:`kdc.conf(5)`. - -**-P** *password* - specifies the master database password. Using this option may - expose the password to other users on the system via the process - list. - -**-x** *db_args* - specifies database-specific options. See :ref:`kadmin(1)` for - supported options. - -.. _kdb5_util_options_end: - - -COMMANDS --------- - -create -~~~~~~ - -.. _kdb5_util_create: - - **create** [**-s**] - -Creates a new database. If the **-s** option is specified, the stash -file is also created. This command fails if the database already -exists. If the command is successful, the database is opened just as -if it had already existed when the program was first run. - -.. _kdb5_util_create_end: - -destroy -~~~~~~~ - -.. _kdb5_util_destroy: - - **destroy** [**-f**] - -Destroys the database, first overwriting the disk sectors and then -unlinking the files, after prompting the user for confirmation. With -the **-f** argument, does not prompt the user. - -.. _kdb5_util_destroy_end: - -stash -~~~~~ - -.. _kdb5_util_stash: - - **stash** [**-f** *keyfile*] - -Stores the master principal's keys in a stash file. The **-f** -argument can be used to override the *keyfile* specified in -:ref:`kdc.conf(5)`. - -.. _kdb5_util_stash_end: - -dump -~~~~ - -.. _kdb5_util_dump: - - **dump** [**-b7**\|\ **-r13**\|\ **-r18**] - [**-verbose**] [**-mkey_convert**] [**-new_mkey_file** - *mkey_file*] [**-rev**] [**-recurse**] [*filename* - [*principals*...]] - -Dumps the current Kerberos and KADM5 database into an ASCII file. By -default, the database is dumped in current format, "kdb5_util -load_dump version 7". If filename is not specified, or is the string -"-", the dump is sent to standard output. Options: - -**-b7** - causes the dump to be in the Kerberos 5 Beta 7 format ("kdb5_util - load_dump version 4"). 
This was the dump format produced on - releases prior to 1.2.2. - -**-r13** - causes the dump to be in the Kerberos 5 1.3 format ("kdb5_util - load_dump version 5"). This was the dump format produced on - releases prior to 1.8. - -**-r18** - causes the dump to be in the Kerberos 5 1.8 format ("kdb5_util - load_dump version 6"). This was the dump format produced on - releases prior to 1.11. - -**-verbose** - causes the name of each principal and policy to be printed as it - is dumped. - -**-mkey_convert** - prompts for a new master key. This new master key will be used to - re-encrypt principal key data in the dumpfile. The principal keys - themselves will not be changed. - -**-new_mkey_file** *mkey_file* - the filename of a stash file. The master key in this stash file - will be used to re-encrypt the key data in the dumpfile. The key - data in the database will not be changed. - -**-rev** - dumps in reverse order. This may recover principals that do not - dump normally, in cases where database corruption has occurred. - -**-recurse** - causes the dump to walk the database recursively (btree only). - This may recover principals that do not dump normally, in cases - where database corruption has occurred. In cases of such - corruption, this option will probably retrieve more principals - than the **-rev** option will. - - .. versionchanged:: 1.15 - Release 1.15 restored the functionality of the **-recurse** - option. - - .. versionchanged:: 1.5 - The **-recurse** option ceased working until release 1.15, - doing a normal dump instead of a recursive traversal. - -.. _kdb5_util_dump_end: - -load -~~~~ - -.. _kdb5_util_load: - - **load** [**-b7**\|\ **-r13**\|\ **-r18**] [**-hash**] - [**-verbose**] [**-update**] *filename* - -Loads a database dump from the named file into the named database. If -no option is given to determine the format of the dump file, the -format is detected automatically and handled as appropriate. 
Unless -the **-update** option is given, **load** creates a new database -containing only the data in the dump file, overwriting the contents of -any previously existing database. Note that when using the LDAP KDC -database module, the **-update** flag is required. - -Options: - -**-b7** - requires the database to be in the Kerberos 5 Beta 7 format - ("kdb5_util load_dump version 4"). This was the dump format - produced on releases prior to 1.2.2. - -**-r13** - requires the database to be in Kerberos 5 1.3 format ("kdb5_util - load_dump version 5"). This was the dump format produced on - releases prior to 1.8. - -**-r18** - requires the database to be in Kerberos 5 1.8 format ("kdb5_util - load_dump version 6"). This was the dump format produced on - releases prior to 1.11. - -**-hash** - stores the database in hash format, if using the DB2 database - type. If this option is not specified, the database will be - stored in btree format. This option is not recommended, as - databases stored in hash format are known to corrupt data and lose - principals. - -**-verbose** - causes the name of each principal and policy to be printed as it - is dumped. - -**-update** - records from the dump file are added to or updated in the existing - database. Otherwise, a new database is created containing only - what is in the dump file and the old one destroyed upon successful - completion. - -.. _kdb5_util_load_end: - -ark -~~~ - - **ark** [**-e** *enc*:*salt*,...] *principal* - -Adds new random keys to *principal* at the next available key version -number. Keys for the current highest key version number will be -preserved. The **-e** option specifies the list of encryption and -salt types to be used for the new keys. - -add_mkey -~~~~~~~~ - - **add_mkey** [**-e** *etype*] [**-s**] - -Adds a new master key to the master key principal, but does not mark -it as active. Existing master keys will remain. 
The **-e** option -specifies the encryption type of the new master key; see -:ref:`Encryption_types` in :ref:`kdc.conf(5)` for a list of possible -values. The **-s** option stashes the new master key in the stash -file, which will be created if it doesn't already exist. - -After a new master key is added, it should be propagated to replica -servers via a manual or periodic invocation of :ref:`kprop(8)`. Then, -the stash files on the replica servers should be updated with the -kdb5_util **stash** command. Once those steps are complete, the key -is ready to be marked active with the kdb5_util **use_mkey** command. - -use_mkey -~~~~~~~~ - - **use_mkey** *mkeyVNO* [*time*] - -Sets the activation time of the master key specified by *mkeyVNO*. -Once a master key becomes active, it will be used to encrypt newly -created principal keys. If no *time* argument is given, the current -time is used, causing the specified master key version to become -active immediately. The format for *time* is :ref:`getdate` string. - -After a new master key becomes active, the kdb5_util -**update_princ_encryption** command can be used to update all -principal keys to be encrypted in the new master key. - -list_mkeys -~~~~~~~~~~ - - **list_mkeys** - -List all master keys, from most recent to earliest, in the master key -principal. The output will show the kvno, enctype, and salt type for -each mkey, similar to the output of :ref:`kadmin(1)` **getprinc**. A -``*`` following an mkey denotes the currently active master key. - -purge_mkeys -~~~~~~~~~~~ - - **purge_mkeys** [**-f**] [**-n**] [**-v**] - -Delete master keys from the master key principal that are not used to -protect any principals. This command can be used to remove old master -keys all principal keys are protected by a newer master key. - -**-f** - does not prompt for confirmation. - -**-n** - performs a dry run, showing master keys that would be purged, but - not actually purging any keys. - -**-v** - gives more verbose output. 
- -update_princ_encryption -~~~~~~~~~~~~~~~~~~~~~~~ - - **update_princ_encryption** [**-f**] [**-n**] [**-v**] - [*princ-pattern*] - -Update all principal records (or only those matching the -*princ-pattern* glob pattern) to re-encrypt the key data using the -active database master key, if they are encrypted using a different -version, and give a count at the end of the number of principals -updated. If the **-f** option is not given, ask for confirmation -before starting to make changes. The **-v** option causes each -principal processed to be listed, with an indication as to whether it -needed updating or not. The **-n** option performs a dry run, only -showing the actions which would have been taken. - -tabdump -~~~~~~~ - - **tabdump** [**-H**] [**-c**] [**-e**] [**-n**] [**-o** *outfile*] - *dumptype* - -Dump selected fields of the database in a tabular format suitable for -reporting (e.g., using traditional Unix text processing tools) or -importing into relational databases. The data format is tab-separated -(default), or optionally comma-separated (CSV), with a fixed number of -columns. The output begins with a header line containing field names, -unless suppression is requested using the **-H** option. - -The *dumptype* parameter specifies the name of an output table (see -below). - -Options: - -**-H** - suppress writing the field names in a header line - -**-c** - use comma separated values (CSV) format, with minimal quoting, - instead of the default tab-separated (unquoted, unescaped) format - -**-e** - write empty hexadecimal string fields as empty fields instead of - as "-1". - -**-n** - produce numeric output for fields that normally have symbolic - output, such as enctypes and flag names. Also requests output of - time stamps as decimal POSIX time_t values. 
- -**-o** *outfile* - write the dump to the specified output file instead of to standard - output - -Dump types: - -**alias** - principal alias information - - **aliasname** - the name of the alias - **targetname** - the target of the alias - -**keydata** - principal encryption key information, including actual key data - (which is still encrypted in the master key) - - **name** - principal name - **keyindex** - index of this key in the principal's key list - **kvno** - key version number - **enctype** - encryption type - **key** - key data as a hexadecimal string - **salttype** - salt type - **salt** - salt data as a hexadecimal string - -**keyinfo** - principal encryption key information (as in **keydata** above), - excluding actual key data - -**princ_flags** - principal boolean attributes. Flag names print as hexadecimal - numbers if the **-n** option is specified, and all flag positions - are printed regardless of whether or not they are set. If **-n** - is not specified, print all known flag names for each principal, - but only print hexadecimal flag names if the corresponding flag is - set. 
- - **name** - principal name - **flag** - flag name - **value** - boolean value (0 for clear, or 1 for set) - -**princ_lockout** - state information used for tracking repeated password failures - - **name** - principal name - **last_success** - time stamp of most recent successful authentication - **last_failed** - time stamp of most recent failed authentication - **fail_count** - count of failed attempts - -**princ_meta** - principal metadata - - **name** - principal name - **modby** - name of last principal to modify this principal - **modtime** - timestamp of last modification - **lastpwd** - timestamp of last password change - **policy** - policy object name - **mkvno** - key version number of the master key that encrypts this - principal's key data - **hist_kvno** - key version number of the history key that encrypts the key - history data for this principal - -**princ_stringattrs** - string attributes (key/value pairs) - - **name** - principal name - **key** - attribute name - **value** - attribute value - -**princ_tktpolicy** - per-principal ticket policy data, including maximum ticket - lifetimes - - **name** - principal name - **expiration** - principal expiration date - **pw_expiration** - password expiration date - **max_life** - maximum ticket lifetime - **max_renew_life** - maximum renewable ticket lifetime - -Examples:: - - $ kdb5_util tabdump -o keyinfo.txt keyinfo - $ cat keyinfo.txt - name keyindex kvno enctype salttype salt - K/M@EXAMPLE.COM 0 1 aes256-cts-hmac-sha384-192 normal -1 - foo@EXAMPLE.COM 0 1 aes128-cts-hmac-sha1-96 normal -1 - bar@EXAMPLE.COM 0 1 aes128-cts-hmac-sha1-96 normal -1 - $ sqlite3 - sqlite> .mode tabs - sqlite> .import keyinfo.txt keyinfo - sqlite> select * from keyinfo where enctype like 'aes256-%'; - K/M@EXAMPLE.COM 1 1 aes256-cts-hmac-sha384-192 normal -1 - sqlite> .quit - $ awk -F'\t' '$4 ~ /aes256-/ { print }' keyinfo.txt - K/M@EXAMPLE.COM 1 1 aes256-cts-hmac-sha384-192 normal -1 - - -ENVIRONMENT ------------ - -See 
:ref:`kerberos(7)` for a description of Kerberos environment -variables. - - -SEE ALSO --------- - -:ref:`kadmin(1)`, :ref:`kerberos(7)` diff --git a/crypto/krb5/doc/html/_sources/admin/admin_commands/kprop.rst.txt b/crypto/krb5/doc/html/_sources/admin/admin_commands/kprop.rst.txt deleted file mode 100644 index a118b2625d91..000000000000 --- a/crypto/krb5/doc/html/_sources/admin/admin_commands/kprop.rst.txt +++ /dev/null @@ -1,60 +0,0 @@ -.. _kprop(8): - -kprop -===== - -SYNOPSIS --------- - -**kprop** -[**-r** *realm*] -[**-f** *file*] -[**-d**] -[**-P** *port*] -[**-s** *keytab*] -*replica_host* - - -DESCRIPTION ------------ - -kprop is used to securely propagate a Kerberos V5 database dump file -from the primary Kerberos server to a replica Kerberos server, which is -specified by *replica_host*. The dump file must be created by -:ref:`kdb5_util(8)`. - - -OPTIONS -------- - -**-r** *realm* - Specifies the realm of the primary server. - -**-f** *file* - Specifies the filename where the dumped principal database file is - to be found; by default the dumped database file is normally - |kdcdir|\ ``/replica_datatrans``. - -**-P** *port* - Specifies the port to use to contact the :ref:`kpropd(8)` server - on the remote host. - -**-d** - Prints debugging information. - -**-s** *keytab* - Specifies the location of the keytab file. - - -ENVIRONMENT ------------ - -See :ref:`kerberos(7)` for a description of Kerberos environment -variables. - - -SEE ALSO --------- - -:ref:`kpropd(8)`, :ref:`kdb5_util(8)`, :ref:`krb5kdc(8)`, -:ref:`kerberos(7)` diff --git a/crypto/krb5/doc/html/_sources/admin/admin_commands/kpropd.rst.txt b/crypto/krb5/doc/html/_sources/admin/admin_commands/kpropd.rst.txt deleted file mode 100644 index 30c66c7e26a4..000000000000 --- a/crypto/krb5/doc/html/_sources/admin/admin_commands/kpropd.rst.txt +++ /dev/null 
@@ -1,144 +0,0 @@ -.. _kpropd(8): - -kpropd -====== - -SYNOPSIS --------- - -**kpropd** -[**-r** *realm*] -[**-A** *admin_server*] -[**-a** *acl_file*] -[**-f** *replica_dumpfile*] -[**-F** *principal_database*] -[**-p** *kdb5_util_prog*] -[**-P** *port*] -[**--pid-file**\ =\ *pid_file*] -[**-D**] -[**-d**] -[**-s** *keytab_file*] - -DESCRIPTION ------------ - -The *kpropd* command runs on the replica KDC server. It listens for -update requests made by the :ref:`kprop(8)` program. If incremental -propagation is enabled, it periodically requests incremental updates -from the primary KDC. - -When the replica receives a kprop request from the primary, kpropd -accepts the dumped KDC database and places it in a file, and then runs -:ref:`kdb5_util(8)` to load the dumped database into the active -database which is used by :ref:`krb5kdc(8)`. This allows the primary -Kerberos server to use :ref:`kprop(8)` to propagate its database to -the replica servers. Upon a successful download of the KDC database -file, the replica Kerberos server will have an up-to-date KDC -database. - -Where incremental propagation is not used, kpropd is commonly invoked -out of inetd(8) as a nowait service. This is done by adding a line to -the ``/etc/inetd.conf`` file which looks like this:: - - kprop stream tcp nowait root /usr/local/sbin/kpropd kpropd - -kpropd can also run as a standalone daemon, backgrounding itself and -waiting for connections on port 754 (or the port specified with the -**-P** option if given). Standalone mode is required for incremental -propagation. Starting in release 1.11, kpropd automatically detects -whether it was run from inetd and runs in standalone mode if it is -not. Prior to release 1.11, the **-S** option is required to run -kpropd in standalone mode; this option is now accepted for backward -compatibility but does nothing. - -Incremental propagation may be enabled with the **iprop_enable** -variable in :ref:`kdc.conf(5)`. 
If incremental propagation is -enabled, the replica periodically polls the primary KDC for updates, at -an interval determined by the **iprop_replica_poll** variable. If the -replica receives updates, kpropd updates its log file with any updates -from the primary. :ref:`kproplog(8)` can be used to view a summary of -the update entry log on the replica KDC. If incremental propagation -is enabled, the principal ``kiprop/replicahostname@REALM`` (where -*replicahostname* is the name of the replica KDC host, and *REALM* is -the name of the Kerberos realm) must be present in the replica's -keytab file. - -:ref:`kproplog(8)` can be used to force full replication when iprop is -enabled. - - -OPTIONS --------- - -**-r** *realm* - Specifies the realm of the primary server. - -**-A** *admin_server* - Specifies the server to be contacted for incremental updates; by - default, the primary admin server is contacted. - -**-f** *file* - Specifies the filename where the dumped principal database file is - to be stored; by default the dumped database file is |kdcdir|\ - ``/from_master``. - -**-F** *kerberos_db* - Path to the Kerberos database file, if not the default. - -**-p** - Allows the user to specify the pathname to the :ref:`kdb5_util(8)` - program; by default the pathname used is |sbindir|\ - ``/kdb5_util``. - -**-D** - In this mode, kpropd will not detach itself from the current job - and run in the background. Instead, it will run in the - foreground. - -**-d** - Turn on debug mode. kpropd will print out debugging messages - during the database propogation and will run in the foreground - (implies **-D**). - -**-P** - Allow for an alternate port number for kpropd to listen on. This - is only useful in combination with the **-S** option. - -**-a** *acl_file* - Allows the user to specify the path to the kpropd.acl file; by - default the path used is |kdcdir|\ ``/kpropd.acl``. 
- -**--pid-file**\ =\ *pid_file* - In standalone mode, write the process ID of the daemon into - *pid_file*. - -**-s** *keytab_file* - Path to a keytab to use for acquiring acceptor credentials. - -**-x** *db_args* - Database-specific arguments. See :ref:`Database Options - <dboptions>` in :ref:`kadmin(1)` for supported arguments. - - -FILES ------ - -kpropd.acl - Access file for kpropd; the default location is - ``/usr/local/var/krb5kdc/kpropd.acl``. Each entry is a line - containing the principal of a host from which the local machine - will allow Kerberos database propagation via :ref:`kprop(8)`. - - -ENVIRONMENT ------------ - -See :ref:`kerberos(7)` for a description of Kerberos environment -variables. - - -SEE ALSO --------- - -:ref:`kprop(8)`, :ref:`kdb5_util(8)`, :ref:`krb5kdc(8)`, -:ref:`kerberos(7)`, inetd(8) diff --git a/crypto/krb5/doc/html/_sources/admin/admin_commands/kproplog.rst.txt b/crypto/krb5/doc/html/_sources/admin/admin_commands/kproplog.rst.txt deleted file mode 100644 index 3b72cfa032e0..000000000000 --- a/crypto/krb5/doc/html/_sources/admin/admin_commands/kproplog.rst.txt +++ /dev/null 
@@ -1,85 +0,0 @@ -.. _kproplog(8): - -kproplog -======== - -SYNOPSIS --------- - -**kproplog** [**-h**] [**-e** *num*] [-v] -**kproplog** [-R] - - -DESCRIPTION ------------ - -The kproplog command displays the contents of the KDC database update -log to standard output. It can be used to keep track of incremental -updates to the principal database. The update log file contains the -update log maintained by the :ref:`kadmind(8)` process on the primary -KDC server and the :ref:`kpropd(8)` process on the replica KDC -servers. When updates occur, they are logged to this file. -Subsequently any KDC replica configured for incremental updates will -request the current data from the primary KDC and update their log -file with any updates returned. - -The kproplog command requires read access to the update log file. It -will display update entries only for the KDC it runs on. - -If no options are specified, kproplog displays a summary of the update -log. If invoked on the primary, kproplog also displays all of the -update entries. If invoked on a replica KDC server, kproplog displays -only a summary of the updates, which includes the serial number of the -last update received and the associated time stamp of the last update. - - -OPTIONS -------- - -**-R** - Reset the update log. This forces full resynchronization. If - used on a replica then that replica will request a full resync. - If used on the primary then all replicas will request full - resyncs. - -**-h** - Display a summary of the update log. This information includes - the database version number, state of the database, the number of - updates in the log, the time stamp of the first and last update, - and the version number of the first and last update entry. - -**-e** *num* - Display the last *num* update entries in the log. This is useful - when debugging synchronization between KDC servers. - -**-v** - Display individual attributes per update. 
An example of the - output generated for one entry:: - - Update Entry - Update serial # : 4 - Update operation : Add - Update principal : test@EXAMPLE.COM - Update size : 424 - Update committed : True - Update time stamp : Fri Feb 20 23:37:42 2004 - Attributes changed : 6 - Principal - Key data - Password last changed - Modifying principal - Modification time - TL data - - -ENVIRONMENT ------------ - -See :ref:`kerberos(7)` for a description of Kerberos environment -variables. - - -SEE ALSO --------- - -:ref:`kpropd(8)`, :ref:`kerberos(7)` diff --git a/crypto/krb5/doc/html/_sources/admin/admin_commands/krb5kdc.rst.txt b/crypto/krb5/doc/html/_sources/admin/admin_commands/krb5kdc.rst.txt deleted file mode 100644 index 97fbe5ed7d10..000000000000 --- a/crypto/krb5/doc/html/_sources/admin/admin_commands/krb5kdc.rst.txt +++ /dev/null 
@@ -1,121 +0,0 @@ -.. _krb5kdc(8): - -krb5kdc -======= - -SYNOPSIS --------- - -**krb5kdc** -[**-x** *db_args*] -[**-d** *dbname*] -[**-k** *keytype*] -[**-M** *mkeyname*] -[**-p** *portnum*] -[**-m**] -[**-r** *realm*] -[**-n**] -[**-w** *numworkers*] -[**-P** *pid_file*] -[**-T** *time_offset*] - - -DESCRIPTION ------------ - -krb5kdc is the Kerberos version 5 Authentication Service and Key -Distribution Center (AS/KDC). - - -OPTIONS -------- - -The **-r** *realm* option specifies the realm for which the server -should provide service. This option may be specified multiple times -to serve multiple realms. If no **-r** option is given, the default -realm (as specified in :ref:`krb5.conf(5)`) will be served. - -The **-d** *dbname* option specifies the name under which the -principal database can be found. This option does not apply to the -LDAP database. - -The **-k** *keytype* option specifies the key type of the master key -to be entered manually as a password when **-m** is given; the default -is |defmkey|. - -The **-M** *mkeyname* option specifies the principal name for the -master key in the database (usually ``K/M`` in the KDC's realm). - -The **-m** option specifies that the master database password should -be fetched from the keyboard rather than from a stash file. - -The **-n** option specifies that the KDC does not put itself in the -background and does not disassociate itself from the terminal. - -The **-P** *pid_file* option tells the KDC to write its PID into -*pid_file* after it starts up. This can be used to identify whether -the KDC is still running and to allow init scripts to stop the correct -process. - -The **-p** *portnum* option specifies the default UDP and TCP port -numbers which the KDC should listen on for Kerberos version 5 -requests, as a comma-separated list. This value overrides the port -numbers specified in the :ref:`kdcdefaults` section of -:ref:`kdc.conf(5)`, but may be overridden by realm-specific values. 
-If no value is given from any source, the default port is 88. - -The **-w** *numworkers* option tells the KDC to fork *numworkers* -processes to listen to the KDC ports and process requests in parallel. -The top level KDC process (whose pid is recorded in the pid file if -the **-P** option is also given) acts as a supervisor. The supervisor -will relay SIGHUP signals to the worker subprocesses, and will -terminate the worker subprocess if the it is itself terminated or if -any other worker process exits. - -The **-x** *db_args* option specifies database-specific arguments. -See :ref:`Database Options <dboptions>` in :ref:`kadmin(1)` for -supported arguments. - -The **-T** *offset* option specifies a time offset, in seconds, which -the KDC will operate under. It is intended only for testing purposes. - -EXAMPLE -------- - -The KDC may service requests for multiple realms (maximum 32 realms). -The realms are listed on the command line. Per-realm options that can -be specified on the command line pertain for each realm that follows -it and are superseded by subsequent definitions of the same option. - -For example:: - - krb5kdc -p 2001 -r REALM1 -p 2002 -r REALM2 -r REALM3 - -specifies that the KDC listen on port 2001 for REALM1 and on port 2002 -for REALM2 and REALM3. Additionally, per-realm parameters may be -specified in the :ref:`kdc.conf(5)` file. The location of this file -may be specified by the **KRB5_KDC_PROFILE** environment variable. -Per-realm parameters specified in this file take precedence over -options specified on the command line. See the :ref:`kdc.conf(5)` -description for further details. - - -ENVIRONMENT ------------ - -See :ref:`kerberos(7)` for a description of Kerberos environment -variables. - -As of release 1.22, krb5kdc supports systemd socket activation via the -LISTEN_PID and LISTEN_FDS environment variables. 
Sockets provided by -the caller must correspond to configured listener addresses (via the -**kdc_listen** variable or equivalent) or they will be ignored. Any -configured listener addresses that do not correspond to -caller-provided sockets will be ignored if socket activation is used. - - -SEE ALSO --------- - -:ref:`kdb5_util(8)`, :ref:`kdc.conf(5)`, :ref:`krb5.conf(5)`, -:ref:`kdb5_ldap_util(8)`, :ref:`kerberos(7)` diff --git a/crypto/krb5/doc/html/_sources/admin/admin_commands/ktutil.rst.txt b/crypto/krb5/doc/html/_sources/admin/admin_commands/ktutil.rst.txt deleted file mode 100644 index fd83f0ad9b9f..000000000000 --- a/crypto/krb5/doc/html/_sources/admin/admin_commands/ktutil.rst.txt +++ /dev/null 
@@ -1,129 +0,0 @@ -.. _ktutil(1): - -ktutil -====== - -SYNOPSIS --------- - -**ktutil** - - -DESCRIPTION ------------ - -The ktutil command invokes a command interface from which an -administrator can read, write, or edit entries in a keytab. (Kerberos -V4 srvtab files are no longer supported.) - - -COMMANDS --------- - -list -~~~~ - - **list** [**-t**] [**-k**] [**-e**] - -Displays the current keylist. If **-t**, **-k**, and/or **-e** are -specified, also display the timestamp, key contents, or enctype -(respectively). - -Alias: **l** - -read_kt -~~~~~~~ - - **read_kt** *keytab* - -Read the Kerberos V5 keytab file *keytab* into the current keylist. - -Alias: **rkt** - -write_kt -~~~~~~~~ - - **write_kt** *keytab* - -Write the current keylist into the Kerberos V5 keytab file *keytab*. - -Alias: **wkt** - -clear_list -~~~~~~~~~~ - - **clear_list** - -Clear the current keylist. - -Alias: **clear** - -delete_entry -~~~~~~~~~~~~ - - **delete_entry** *slot* - -Delete the entry in slot number *slot* from the current keylist. - -Alias: **delent** - -add_entry -~~~~~~~~~ - - **add_entry** {**-key**\|\ **-password**} **-p** *principal* - **-k** *kvno* [**-e** *enctype*] [**-f**\|\ **-s** *salt*] - -Add *principal* to keylist using key or password. If the **-f** flag -is specified, salt information will be fetched from the KDC; in this -case the **-e** flag may be omitted, or it may be supplied to force a -particular enctype. If the **-f** flag is not specified, the **-e** -flag must be specified, and the default salt will be used unless -overridden with the **-s** option. - -Alias: **addent** - -list_requests -~~~~~~~~~~~~~ - - **list_requests** - -Displays a listing of available commands. - -Aliases: **lr**, **?** - -quit -~~~~ - - **quit** - -Quits ktutil. 
- -Aliases: **exit**, **q** - - -EXAMPLE -------- - - :: - - ktutil: add_entry -password -p alice@BLEEP.COM -k 1 -e - aes128-cts-hmac-sha1-96 - Password for alice@BLEEP.COM: - ktutil: add_entry -password -p alice@BLEEP.COM -k 1 -e - aes256-cts-hmac-sha1-96 - Password for alice@BLEEP.COM: - ktutil: write_kt alice.keytab - ktutil: - - -ENVIRONMENT ------------ - -See :ref:`kerberos(7)` for a description of Kerberos environment -variables. - - -SEE ALSO --------- - -:ref:`kadmin(1)`, :ref:`kdb5_util(8)`, :ref:`kerberos(7)` diff --git a/crypto/krb5/doc/html/_sources/admin/admin_commands/sserver.rst.txt b/crypto/krb5/doc/html/_sources/admin/admin_commands/sserver.rst.txt deleted file mode 100644 index a8dcf5d5b4f8..000000000000 --- a/crypto/krb5/doc/html/_sources/admin/admin_commands/sserver.rst.txt +++ /dev/null 
@@ -1,112 +0,0 @@ -.. _sserver(8): - -sserver -======= - -SYNOPSIS --------- - -**sserver** -[ **-p** *port* ] -[ **-S** *keytab* ] -[ *server_port* ] - - -DESCRIPTION ------------ - -sserver and :ref:`sclient(1)` are a simple demonstration client/server -application. When sclient connects to sserver, it performs a Kerberos -authentication, and then sserver returns to sclient the Kerberos -principal which was used for the Kerberos authentication. It makes a -good test that Kerberos has been successfully installed on a machine. - -The service name used by sserver and sclient is sample. Hence, -sserver will require that there be a keytab entry for the service -``sample/hostname.domain.name@REALM.NAME``. This keytab is generated -using the :ref:`kadmin(1)` program. The keytab file is usually -installed as |keytab|. - -The **-S** option allows for a different keytab than the default. - -sserver is normally invoked out of inetd(8), using a line in -``/etc/inetd.conf`` that looks like this:: - - sample stream tcp nowait root /usr/local/sbin/sserver sserver - -Since ``sample`` is normally not a port defined in ``/etc/services``, -you will usually have to add a line to ``/etc/services`` which looks -like this:: - - sample 13135/tcp - -When using sclient, you will first have to have an entry in the -Kerberos database, by using :ref:`kadmin(1)`, and then you have to get -Kerberos tickets, by using :ref:`kinit(1)`. Also, if you are running -the sclient program on a different host than the sserver it will be -connecting to, be sure that both hosts have an entry in /etc/services -for the sample tcp port, and that the same port number is in both -files. 
- -When you run sclient you should see something like this:: - - sendauth succeeded, reply is: - reply len 32, contents: - You are nlgilman@JIMI.MIT.EDU - - -COMMON ERROR MESSAGES ---------------------- - -1) kinit returns the error:: - - kinit: Client not found in Kerberos database while getting - initial credentials - - This means that you didn't create an entry for your username in the - Kerberos database. - -2) sclient returns the error:: - - unknown service sample/tcp; check /etc/services - - This means that you don't have an entry in /etc/services for the - sample tcp port. - -3) sclient returns the error:: - - connect: Connection refused - - This probably means you didn't edit /etc/inetd.conf correctly, or - you didn't restart inetd after editing inetd.conf. - -4) sclient returns the error:: - - sclient: Server not found in Kerberos database while using - sendauth - - This means that the ``sample/hostname@LOCAL.REALM`` service was not - defined in the Kerberos database; it should be created using - :ref:`kadmin(1)`, and a keytab file needs to be generated to make - the key for that service principal available for sclient. - -5) sclient returns the error:: - - sendauth rejected, error reply is: - "No such file or directory" - - This probably means sserver couldn't find the keytab file. It was - probably not installed in the proper directory. - - -ENVIRONMENT ------------ - -See :ref:`kerberos(7)` for a description of Kerberos environment -variables. - - -SEE ALSO --------- - -:ref:`sclient(1)`, :ref:`kerberos(7)`, services(5), inetd(8) |
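Review bot: the tabdump example in the deleted kdb5_util.rst.txt hunk disagrees with itself, and since this commit only removes the generated ``_sources`` copy the fix belongs in the .rst it is regenerated from: the ``cat keyinfo.txt`` output lists ``K/M@EXAMPLE.COM 0 1 aes256-cts-hmac-sha384-192 normal -1`` (keyindex 0), but both the sqlite ``select`` and the awk filter print the same row as ``K/M@EXAMPLE.COM 1 1 aes256-cts-hmac-sha384-192 normal -1`` (keyindex 1). While there, the **keydata** entry already notes that the dump carries key material (still encrypted under the master key); it would help operators if that entry also said the **-o** *outfile* should be protected like a database dump, since the example writes it to a plain file.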
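Review bot: the kpropd.rst.txt hunk removes text with several internal inconsistencies that should be corrected at the source rather than lost: the SYNOPSIS omits **-x** *db_args* although OPTIONS documents it; the SYNOPSIS names the arguments *replica_dumpfile* and *principal_database* while OPTIONS calls them *file* and *kerberos_db*; the **-P** entry says it "is only useful in combination with the **-S** option" even though the DESCRIPTION states that **-S** is accepted only for backward compatibility and does nothing since release 1.11; the FILES entry hardcodes ``/usr/local/var/krb5kdc/kpropd.acl`` while the **-a** entry uses the |kdcdir| substitution; and "propogation" under **-d** is a typo. The kpropd.acl description is the security-relevant one here, as it is the list of host principals allowed to push a database to this replica, so keeping its default path accurate matters.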
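Review bot: in the kproplog.rst.txt hunk the SYNOPSIS writes ``[-v]`` and ``[-R]`` without the ``**...**`` bold markup used for **-h** and **-e**, so the rendered page styles those two options differently; if the text survives elsewhere, change them to ``[**-v**]`` and ``[**-R**]``.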
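Review bot: the krb5kdc.rst.txt hunk carries two small defects worth fixing at the source: the **-w** paragraph reads "terminate the worker subprocess if the it is itself terminated" (stray "the"), and the SYNOPSIS spells the last option **-T** *time_offset* while OPTIONS calls it **-T** *offset*. More important for operators, the socket-activation paragraph says both that caller-provided sockets not matching a configured listener "will be ignored" and that configured listener addresses not provided by the caller "will be ignored"; an explicit sentence that under socket activation the KDC opens no listeners of its own, so a **kdc_listen** address missing from the unit's sockets silently goes unserved, would make the failure mode clear.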
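Review bot: in the ktutil.rst.txt hunk the EXAMPLE literal block splits each ``add_entry`` command across two lines (``-e`` at the end of one line and ``aes128-cts-hmac-sha1-96`` on the next), which reads as if the enctype were typed as a separate input line; keep each command on one line so the transcript can be pasted as shown.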
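Review bot: the sserver.rst.txt hunk's inetd example (``sample stream tcp nowait root /usr/local/sbin/sserver sserver``) runs the demonstration service as root, although per the DESCRIPTION sserver only needs read access to its keytab (|keytab| or the **-S** file); if this text is retained, suggest documenting a dedicated unprivileged user with the keytab readable by that user. Also, COMMON ERROR MESSAGES item 4 names the service ``sample/hostname@LOCAL.REALM`` while the DESCRIPTION uses ``sample/hostname.domain.name@REALM.NAME``; one placeholder form throughout would avoid confusion.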